Oracle - KeyStore Management in PDB

I am testing to use wallet to encrypt the rman backup. It is a little hard to manage wallet in PDB environment with password. Auto_login is easier.
-- wallet
$ cat /opt/oracle/product/12.2/dbhome_1/network/admin/sqlnet.ora 
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
  (METHOD=FILE)
  (METHOD_DATA=(DIRECTORY=/opt/oracle/product/12.2/dbhome_1/owm/wallet))
)

WALLET_LOCATION =
(SOURCE =
  (METHOD = FILE)
  (METHOD_DATA=(DIRECTORY=/opt/oracle/product/12.2/dbhome_1/network/wallet))
)

SQLNET.WALLET_OVERRIDE=TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0

-- I have pdb$seed and 1 more pdb
SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 HR                             READ WRITE NO 

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
NOT_AVAILABLE

-- create wallet         
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/opt/oracle/product/12.2/dbhome_1/owm/wallet' IDENTIFIED BY "oracle123";

keystore altered.

-- only p12 file, no sso file, which means it is password managed wallet.
[oracle@testenv wallet]$ ls -l
total 4
-rw-------. 1 oracle oinstall 2408 Mar 22 07:49 ewallet.p12

-- the status is CLOSED, we need to open it.
SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
CLOSED

SQL> administer key management set keystore open identified by "oracle123" CONTAINER=all;

keystore altered.

-- There is no master key inside, so encrypted backup is not working until now
SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN_NO_MASTER_KEY

SQL> alter session set container=hr;

Session altered.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN_NO_MASTER_KEY

SQL>  alter session set container=pdb$seed;

Session altered.

-- the keystore of PDB$SEED cannot be opened
SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
CLOSED

-- open it separately 
SQL> administer key management set keystore open identified by "oracle123";                    

keystore altered.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN_NO_MASTER_KEY

-- go back to CDB to create master key.
SQL> alter session set container=CDB$ROOT;

Session altered.

-- An error reported, not all PDB has been set the master key.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "oracle123" WITH BACKUP CONTAINER=ALL;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "oracle123" WITH BACKUP CONTAINER=ALL
*
ERROR at line 1:
ORA-46665: master keys not activated for all PDBs during REKEY

-- CDB has master key
SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN

-- but PDB hr doesn’t have.
SQL> alter session set container=hr;

Session altered.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN_NO_MASTER_KEY

-- Set master key, an error reported but the key has been set.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "oracle123" WITH BACKUP;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "oracle123" WITH BACKUP
*
ERROR at line 1:
ORA-28374: typed master key not found in wallet


SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN

-- PDB$SEED is OK
SQL> alter session set container=pdb$seed;

Session altered.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN

-- Now schedule a backup, it is successful.

-- after restart database, the wallet cannot be open automatically.
SQL> startup force;
ORACLE instance started.

Total System Global Area 1073741824 bytes
Fixed Size                  8801008 bytes
Variable Size             373294352 bytes
Database Buffers          683671552 bytes
Redo Buffers                7974912 bytes
Database mounted.
Database opened.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
CLOSED

-- open the wallet
SQL> administer key management set keystore open identified by "oracle123" CONTAINER=all;

keystore altered.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN

SQL> alter session set container=hr;

Session altered.

SQL>  select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN

-- CDB and PDB hr is open, but PDB$SEED isn’t.
SQL> alter session set container=pdb$seed;

Session altered.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
CLOSED

-- open it
SQL> administer key management set keystore open identified by "oracle123";

keystore altered.

SQL> select STATUS from V$ENCRYPTION_WALLET;

STATUS
------------------------------
OPEN


-- switch to auto_login
SQL> alter session set container=cdb$root;

Session altered.

SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/opt/oracle/product/12.2/dbhome_1/owm/wallet' IDENTIFIED BY "oracle123";

keystore altered.

SQL> select status, WALLET_TYPE from V$ENCRYPTION_WALLET;

STATUS                         WALLET_TYPE
------------------------------ --------------------
OPEN                           PASSWORD

-- The key is cached, we need to close it until it is opened next time automatically.
SQL> administer key management set keystore close identified by "oracle123"  CONTAINER=all;

keystore altered.

-- start a backup, we can see the wallet is opened automatically.
SQL> select status, WALLET_TYPE from V$ENCRYPTION_WALLET;

STATUS                         WALLET_TYPE
------------------------------ --------------------
OPEN                           AUTOLOGIN

-- for auto login wallet, even orapki doesn’t need password.
[oracle@testenv wallet]$ orapki wallet display -wallet . 
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
Subject:        CN=oracle
User Certificates:
Oracle Secret Store entries: 
ORACLE.SECURITY.DB.ENCRYPTION.AfOsN1J/RU+ev9oKzlrKAq4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ART74BrBKU9kv8HSwg86xa8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AVQR9Olj2U98v0vzbiE1Q/gAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.82BCD64B5E077D62E05329101053F341
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AfOsN1J/RU+ev9oKzlrKAq4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.ART74BrBKU9kv8HSwg86xa8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AVQR9Olj2U98v0vzbiE1Q/gAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
If you need to switch backup to password mode, refer this document.
How to convert Local Autologin/Autologin Keystore to Password based Keystore (Doc ID 2061244.1)
ORA-4031

A Chinese DBA in the United States

Oracle - KeyStore Management in PDB

About Me

Recent Posts

Categories

Tags

Blogroll

Archives
