Wallet closing in TDE

Similar Messages

• Oracle TDE - Can multiple databases use the same Oracle wallet?

  Oracle Advanced Security Transparent Data Encryption
  I will have 2 or more databases running under the same Oracle 11.2 home. According to Oracle's documentation, it is preferred to reference the wallet via the sqlnet.ora file. That's fine. My question is if I want to use encryption in each of those databases, then I have no choice but to use the shared wallet then, correct.
  I need to confirm that I have not missed something.
  From Oracle's documentation:
  Specifying a Wallet Location for Transparent Data Encryption
  If you wish to use a wallet specifically for TDE, then you must specify a wallet location in the sqlnet.ora file by using the ENCRYPTION_WALLET_LOCATION parameter.
  Oracle recommends that you use the ENCRYPTION_WALLET_LOCATION parameter to specify a wallet location for TDE.
  http://docs.oracle.com/cd/E18283_01/network.112/e10746/asoappa.htm#i634447
  Oracle Advanced Security Transparent Data Encryption
  ENCRYPTION_WALLET_LOCATION = (SOURCE =
  (METHOD = FILE)
  (METHOD_DATA =
  (DIRECTORY =
  /etc/ORACLE/WALLETS/oracle)))
  thanks!

  Do not do this, follow this http://www.youtube.com/watch?v=Z9odSZxdoGU instead!
  Best, Peter

• [kde-unstable] - ... exists in both 'kdeaccessibility-iconthemes' and

  Hi,
  I've just tried to install the kde-meta package, and I'm getting errors about files existing in both kdeaccessibility-iconthemes and kdeartwork-iconthemes:
  /usr/share/icons/mono/scalable/status/dialog-warning.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/mail-attachment.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/mail-task.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/object-locked.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/object-unlocked.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/security-high.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/security-low.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/security-medium.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/user-away.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/user-offline.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/user-online.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/user-trash-full.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/wallet-closed.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  /usr/share/icons/mono/scalable/status/wallet-open.svgz exists in both 'kdeaccessibility-iconthemes' and 'kdeartwork-iconthemes'
  Is this a packaging issue? Or if not, any way to work around this?
  Cheers,
  Victor

  please use the appropriate thread for [kde-unstable].
  There is no kdeaccessibility-iconthemes in [kde-unstable], how are you installing KDE? Did you read the wiki page?

• TDE Wallets & Multiple Databases on same Host

  The Oracle TDE Best Practices (doc ID 130696) states this:
  Multiple databases on the same host
  If there are multiple Oracle Databases installed on the same server, they
  must access their own individual TDE wallet. Sharing the same wallet between independent instances is not supported
  and can potentially lead to the loss of encrypted data.
  If the databases share the same ORACLE_HOME, they also share the same
  sqlnet.ora file in $TNS_ADMIN . In order to access their individual wallet, the
  DIRECTORY entry for the ENCRYPTION_WALLET_LOCATION
  needs to point each database to its own wallet location:
  DIRECTORY= /etc/ORACLE/WALLETS/$ORACLE_UNQNAME
  The names of the subdirectories under /etc/ORACLE/WALLETS/ reflect
  the ORACLE_UNQNAME names of the individual databases.
  If the databases do not share the same ORACLE_HOME, they will also have their individual sqlnet.ora
  files that have to point to the individual subdirectories.
  What is the correct sqlnet.ora syntax to do this?  I currently have what is below but it doesn't seem to be correct:
  ENCRYPTION_WALLET_LOCATION =
    (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
    (DIRECTORY = /local/oracle/admin/wallet/DB#1)
    (DIRECTORY = /local/oracle/admin/wallet/DB#2)

  Hi,
  You can check this :Setting ENCRYPTION_WALLET_LOCATION For Wallets Of Multiple Instances Sharing The Same Oracle Home (Doc ID 1504783.1)
  i haven't done this for multiple database, but as per Doc you can use the syntex like
  ENCRYPTION_WALLET_LOCATION =
    (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
    (DIRECTORY = /local/oracle/admin/wallet/$ORACLE_UNQNAME)
  Whenever you set the Environmnet with
  export $ORACLE_UNQNAME=DB#1 
  it will choose the file from respective directory like  /local/oracle/admin/wallet/DB#1
  HTH

• Can we create wallet at User Level to implement TDE in Oracle 10g

  Hi
  I am going to use a Oracle 10g TDE security feature for data security.I have gone through with lots document.Everywhere there is mention to open or close a Wallet at system level.I mean ALTER SYSTEM..that means except DBA no one can see the encrypted column.
  But my requirement is bit different,I want to encrypt the column based on user.
  lets take example- Suppose we have one table TEST with C1,C2,C3,C4,C5,C6 column and there is U1,U2,U3 user.I want to encrypt C1 and C3 for U1 , C2 and C5 for U2 , C4 and C6 for U3 and U1,U2 and U3 can see only all columns except encrypted column.
  My question is Can we apply TDE at User level rather than system level.
  Any ideas or thought would be appreciable.
  Thanks in advance.
  ANwar

  The idea of TDE is to provide data protection on storage media, so when your backup tapes drop from the truck or the hard disk of a stolen laptop is sold online, encrypted data remains encrypted and can't be read by anyone.
  It seems to me as if you try to achieve access control by encryption, which you don't need: If users have sufficient privileges or the business need to see data, then they should be granted access and see the data de-crypted. Otherwise, access control mechanisms (roles, views, VPD, OLS) should kick in and hide the rows from them.
  So, for day-to-day business of your database, the wallet needs to be open, so that the database can de-crypt data for users who have been granted to see credit card numbers etc., but then limit access to credit card numbers they are not allowed to see with other measures. There is a little hands-on for TDE and VPD here:
  http://www.oracle.com/technology/obe/10gr2_db_vmware/security/tde/tde.htm
  Hope this helps,
  Peter

• TDE wallet: Multiple databases

  Hi,
  Looking at setting up TDE on an 11R1 database.
  How does TDE and the wallet work on multiple databases. I assume you can have one wallet, being used by multiple databases on the same server?
  If I issue a change password:
  ALTER SYSTEM SET ENCRYPTED KEY IDENTIFIED BY "welcome1";
  Will it change my key for all databases on that server, or only the database I'm on at the itme?
  I apprecaite the help,
  Happy Holidays to all!

  As long as the databases are non-replicated, sharing wallets and sqlnet.ora among them is not supported. PLease have a look at the fiollowing link,
  http://download.oracle.com/docs/cd/E11882_01/network.112/e10744/configur.htm#DBIMI257
  HTH
  Aman....

• Can't find my Wallet in TDE

  Hi all,
  I am experiencing a very strange issue.
  I have created a wallet using the Wallet Manager that comes with Oracle 11g for Win2008 and saved it in a location on the File System.
  I have setup the ENCRYPTION_WALLET_LOCATION in my sqlnet.ora file, using the EM GUI, following this Guide.
  In the EM, as I login as System User, I can see the wallet as closed, but when I insert the wallet password it keeps saying "The wallet does not exist"!
  How is that possible?
  If it sees it as closed, it should not complain that it does not exist!!!
  I'm sure I'm missing something really stupid.
  Thanks for your help :)
  EDIT: I have manually deleted the wallet ant the EM said "OPEN" :o
  How can it be OPEN if there is no actual wallet in the system?!?!
  I generated a new wallet and said "CLOSED" again!
  I feel like hunting ghosts!

  oradba wrote:
  .... and saved it in a location on the File System.I guess in a non-default location, default location is %ORACLE_BASE\admin\<SID>\wallet.No, it was default location.
  The issue was that I should not have created the wallet by Wallet Manager, but manually by EM setting a password.
  Please don't ask me why.
  I would not be able to respond.....

• Dual control system in TDE wallet

  Dear,
  We use TDE in our tablespace in prod db. The wallet is protected by password. For PCIDSS, we have to impose dual control access system to access keys in wallet. Can any one suggested me how to do this??? Pleasee
  Regards,

  Can you detail where in the PCI DSS rules "dual control" is required? I think the relevant paragraph of the  Requirements And Security Assessment Procedures v3 doc is para 3.5.2, and TDE conforms to this:
  3.5.2
  Store secret and private keys
  used to encrypt/decrypt cardholder
  data in one (or more) of the following
  forms at all times:
  Encrypted with a key encrypting
  key that is at least as strong as the
  data encrypting key, and that is
  stored separately from the data
  encrypting key
  Within a secure cryptographic
  device (such as a host security
  module (HSM) or PTS approved
  point of interaction device)
  As at least two full
  length key components or key shares, in
  accordance with an industry accepted method

• Confused about TDE wallet location !!!

  due to
  http://www.oracle.com/technology/oramag/oracle/05-sep/o55security.html
  I suppose to add the following lines to sqlnet.ora if i wanted to change the default Wallet Location to orawall folder :
  ENCRYPTION_WALLET_LOCATION =
  (SOURCE=
  (METHOD=file)
  (METHOD_DATA=
  (DIRECTORY=/orawall)))
  i just confused from the last line that describe the wallet path ....... i mean i don't understand where suppose this location */orawall* exist on my computer , why he didn't write the full path ?

  That is the full path to the wallet. I assume Arup's example is using some flavor of Unix, so he presumably created a directory ORAWALL directly off the root.
  You can store the wallet in whatever directory you chose. Conventionally, you would choose $ORACLE_BASE/admin/$ORACLE_SID/wallet. On my Windows machine where I have a database with the SID jcave11gr1, that would be
  ENCRYPTION_WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA =
        (DIRECTORY = c:/oracle/admin/jcave11gr1/wallet)
    )Justin

• 2 instances,same box,different results while trying to create a TDE wallet

  The command I'm executing is:
  alter system set encryption key authenticated by "xxx";
  There are 2 instances, using the same Oracle home. 1 instance can create a wallet, another yields ORA-28353: failed to open wallet.
  I modified sqlnet.ora file to alter the path for the wallet
  ENCRYPTION_WALLET_LOCATION =
  (SOURCE=
  (METHOD=file)
  (METHOD_DATA=
  (DIRECTORY=/wallets)))
  The first instance creates a wallet there, the second doesn't.
  I looked up the v$parameters view - instances seem to be almost identical in their setup.
  What else could be causing such a strange failure?

  Oracle version = 10.2.0.3
  There is the directory /wallets (777 permissions), otherwise the first instance couldn't successfully create a wallet there.
  I fail to understand why the first instance is able to generate the wallet, and the second is not.
  Also, if I create the wallet using instance 1, instance 2 still can't open it.
  alter system set encryption wallet open authenticated by "xxx";ORA-28353: failed to open wallet
  I can't create a wallet in the standard directory either, even though the directory exists.
  ${ORACLE_BASE}/admin/${ORACLE_SID}/wallet

• Oracle wallet implementation sanity check

  We're taking the plunge into TDE with the ASO and cutover will be coming up soon. I'm going through my backup and recovery testing and in doing so started to think of all the "gotchas" that might come up because once you've turned that key and encrypted your database, there's no looking back. One of the thoughts that popped into my mind was if the following is a true statement: once a wallet is created, the password/key/etc DOES NOT EXPIRE. We're using the wallet for our RAC db for TDE encryption, and a second, separate wallet at the grid/clusterware level to overcome the TNS Poisoning bug revealed last April. We are not using any kind of hardware key management.
  I would hate to get these all installed and one day find out my data had closed or instances couldn't register because something had expired. Everything I've read indicates this doesn't occur, but before go-live, I thought I'd ask the community to make sure I was interpreting and understanding things correctly, and that I hadn't missed a detail. I understand I can reset the keys if I want to, though this is discouraged for reasons in the documentation. The passphrase used to create the wallets is kept in a safe place as well.

  Wallets are external files - not database objects. As such, you cannot drop a wallet via a SQL command.
  You would need to step outside Oracle and into the file system to remove the physical wallet file.
  Why would you want to do this anyway from inside Oracle? Wallets contains credentials and forms an important part of robust security - adhoc deletes (or creates) of wallets are not exactly a sound approach in my view.

• Logical Database:: TDE implementation in Logical

  Hi, I have to implement TDE in production database and have to make sure Logical doesnt break up.
  I implemented TDE in my test databases( both Trans and Logical) and saw new records are not getting applied in Logical database.
  I have created wallet in both database and also apply process running fine. I dont see any error as well.
  Do you guys have any input ?? Thanks

  I see a message in event log.
  ORA-16233: The table PRADEEP.TEST_ABC is unsupported now
  16-AUG-2010 12:31:29 16-AUG-10 12.31.28.550366 2548880 2548883 4 12 1057
  ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY ********** 16226

• ORA-28374: typed master key not found in wallet (no ORACLE.SECURITY.TS.ENCR

  Good afternoon! I have a problem with creating a wallet for TDE.
  Oracle Version 11.2.0.2.0.
  SQLNET.ORA is :
  NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
  ADR_BASE = /app/oracle
  # TO SWITCH OFF ORACLE ADR FEATURE
  # DIAG_ADR_ENABLED=off
  DIAG_SIGHANDLER_ENABLED=FALSE
  DIAG_RESTRICTED=TRUE
  TRACE_LEVEL_SERVER=admin
  TRACE_LEVEL_CLIENT=admin
  TRACE_DIRECTORY_SERVER=/app/oracle/product/11.2.0/db_1/network/log
  TRACE_DIRECTORY_CLIENT=/app/oracle/product/11.2.0/db_1/network/log
  TRACE_FILE_CLIENT=cli
  TRACE_FILE_SERVER=srv
  TRACE_UNIQUE_CLIENT=off
  SQLNET.EXPIRE_TIME = 10
  SQLNET.INBOUND_CONNECT_TIMEOUT = 20
  SQLNET.ENCRYPTION_SERVER = REQUESTED
  SQLNET.ENCRYPTION_CLIENT = REQUESTED
  SQLNET.CRYPTO_SEED = 'KakdlkLAKMXM0000sdsdsadadeffdmsdmdkmdv'
  SQLNET.ENCRYPTION_TYPES_SERVER= (AES256,RC4_256,3DES112,DES)
  SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
  SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1,MD5)
  ENCRYPTION_WALLET_LOCATION =
  (SOURCE=
  (METHOD=file)
  (METHOD_DATA=
  (DIRECTORY=/app/oracle/admin/orcl/wallet)
  I've creted wallet by command :
  alter system set encryption key identified by "sdsdsdsds";
  After that i can close and reopen this wallet , it's ok. But i can't create crypted tablaspace :
  CREATE TABLESPACE RMD DATAFILE '/oradata/orcl/TDE.dbf' SIZE 600M
  AUTOEXTEND ON NEXT 100M MAXSIZE 2000M
  EXTENT MANAGEMENT LOCAL UNIFORM SIZE 64K ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
  i've got an error ORA-28374: typed master key not found in wallet
  My wallet looks like :
  Requested Certificates:
  Subject: CN=oracle
  User Certificates:
  Oracle Secret Store entries:
  ORACLE.SECURITY.DB.ENCRYPTION.ASSSDSeFDX08Evy6Mco2yhXsAsdsdsdsdsdefdfdfdfddfddfdfdfAAAA
  ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
  Trusted Certificates:
  As i uderstood there should be also entry like ORACLE.SECURITY.TS.ENCRYPTION. But why this didn't created into wallet by command : alter system set encryption key identified by "sdsdsdsds" ?
  Thanks!
  Edited by: user5819915 on 13-Jan-2012 03:25

  Hi there,
  first, "SQLNET.CRYPTO_SEED = 'KakdlkLAKMXM0000sdsdsadadeffdmsdmdkmdv" is no longer needed, the DB creates a seed itself and ignores this string.
  Then, on to TDE ...: These things happen if you had a wallet before, and that wallet was deleted; now if you create a new wallet, the TS MK is missing. Looks like you didn't encrypt any data yet. You might see if you get https://updates.oracle.com/download/8682102.html for your DB version; apply the patch, decrypt all data, cycle through all log files and then create a new wallet. That might work, but I can't promise.
  Peter

• The data does not encrypt using Wallet!

  Hi All,
  I've created a wallet to encrypt/decrypt the data, but when I change any column to be ecrypted by this command:
  alter table accounts modify (ssn encrypt); --accounts is the table containing ssn column to be ecrypted.
  and then inserting data on it, the data does not appear in encrypted format it appears in it's truth format!
  how to make the data ecrypted?

  Dev. Musbah wrote:
  Hi All,
  I've created a wallet to encrypt/decrypt the data, but when I change any column to be ecrypted by this command:
  alter table accounts modify (ssn encrypt); --accounts is the table containing ssn column to be ecrypted.
  and then inserting data on it, the data does not appear in encrypted format it appears in it's truth format!
  how to make the data ecrypted?Did you go back and read that what does TDE(transparent data encryption) actually does? It does NOT make your column look encrypted but makes the physically stored data in teh datafile as encrypted which otherwise can be reverse engineered by someone and can be read. In your case, whatever is happening is the right thing.
  For your unmentioned version, here is the link for the same,
  http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asotrans.htm#ASOAG10137
  HTH
  Aman....

• How can I switch from auto_login wallet to password-protected encryption wallet in 12c  ?

  How can I switch from auto_login wallet to password-protected encryption wallet in 12c
  --Now the autologin wallet is in effect
  SQL> select * from v$encryption_wallet
    2  ;
  WRL_TYPE
  WRL_PARAMETER
  STATUS       WALLET_TYPE    WALLET_OR FULLY_BAC
      CON_ID
  FILE
  /acfs3/wallet
  OPEN       AUTOLOGIN    SINGLE    NO
    0
  --I need to export the keys and it informs me to use password-based keystore
  SQL> ADMINISTER KEY MANAGEMENT export KEYS with secret tde_1234 to '/home/oracle/dumpdir/orapdba.wallet' IDENTIFIED BY "tde_1234";
  ADMINISTER KEY MANAGEMENT export KEYS with secret tde_1234 to '/home/oracle/dumpdir/orapdba.wallet' IDENTIFIED BY "tde_1234"
  ERROR at line 1:
  ORA-28417: password-based keystore is not open
  --So I try to close the autologin keystore and open the password-based keystore, but the autologin keystore cannot be closed
  SQL>  administer key management set keystore close;
  administer key management set keystore close
  ERROR at line 1:
  ORA-28365: wallet is not open
  SQL> administer key management set keystore open identified by "tde_1234";
  administer key management set keystore open identified by "tde_1234"
  ERROR at line 1:
  ORA-28354: Encryption wallet, auto login wallet, or HSM is already open
  So My question is
  How to switch from auto_login keystore to password-protected keystore ?

  Remove the cwallet.sso file and check the wallet status in v$encryption_wallet.
  If it is not opened, try to open it with administer key statement.
  Check the status again.