
Best Practices from Oracle Development's A‑Team

How to reset TDE wallet password when original password is lost

Sebastian Binek
Consulting Solutions Architect

Using Oracle Cloud Infrastructure Database services with Transparent Data Encryption (TDE) provides a high level of security and protection for customer data. The most common TDE issue reported by customers concerns the TDE wallet password itself: users who create a new service change the SYS password but do not know what the TDE password is, and are therefore unable to create new master keys or rekey their current environments.

What can they do then?

All Database services in OCI-C and OCI are configured with TDE and an AUTOLOGIN wallet. This means the TDE wallet is opened automatically when the database or PDB is started; the password is stored in a secure format in the cwallet.sso file in the TDE wallet location. To set a new password for the current wallet, we create a new wallet with a known password and then merge the old wallet into the new one. The merge command can read the content of the old ewallet.p12 file through the auto-login cwallet.sso. Once the new wallet has been created and verified, the old wallet is replaced and the new wallet password is in use.

Prerequisites

The wallet has to be in auto-login mode; otherwise the wallet cannot be recreated and no new password can be set.

  1. Verify the database and PDB status and any plug-in violations before executing this process.

     SQL> select name, open_mode from v$database;
     SQL> show pdbs
     SQL> select time, name, cause, status, message from pdb_plug_in_violations;

     NOTE: This output will be used for comparison at the end of the process to ensure the TDE status of the database is unchanged.
     NOTE: The PDBs should be open in READ WRITE mode and all TDE keys have to be available.

  2. Create a directory for the TDE wallet backups.

     $ mkdir -p /home/oracle/TDE/backup

     NOTE: If you are using RAC and the wallet is on a shared filesystem, you only need to back it up on one node. If the wallet is on non-shared storage, you have to back up the wallets on all nodes in the cluster used by your database.

  3. Identify the wallet location using the query below.

     SQL> select * from v$encryption_wallet;

  4. Copy the wallets to the backup directory.

     $ cp /u02/app/oracle/admin/sbtest/tde_wallet/* /home/oracle/TDE/backup

  5. Verify that the ewallet.p12 file is the same and contains the same keys on all nodes in the cluster:

     $ orapki wallet display -wallet /u02/app/oracle/admin/sbtest/tde_wallet/

     NOTE: The wallet content should be displayed without a password, as orapki uses the auto-login cwallet.sso file.
     NOTE: The wallet content should be the same across all nodes in the cluster. If the wallet content differs between the nodes, an additional wallet merge will be required to ensure all keys are available.

  6. Create additional directories on node 1.

     $ mkdir -p /home/oracle/TDE/source
     $ mkdir -p /home/oracle/TDE/new

     NOTE: These directories will hold the old (source) wallet and the new wallet during the merge operation.

  7. Copy the ewallet.p12 and cwallet.sso files to /home/oracle/TDE/source.

     $ cp /u02/app/oracle/admin/sbtest/tde_wallet/ewallet.p12 /u02/app/oracle/admin/sbtest/tde_wallet/cwallet.sso /home/oracle/TDE/source

  8. Connect as SYSDBA to your database and create a new wallet in /home/oracle/TDE/new, specifying the new password.

     SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/home/oracle/TDE/new' IDENTIFIED BY <newTDEpassword>;

  9. Display the content of both wallets.

     $ orapki wallet display -wallet /home/oracle/TDE/source
     $ orapki wallet display -wallet /home/oracle/TDE/new

     NOTE: The source wallet is displayed without a password, but the new, still empty wallet requires its password to view the content.

 10. Connect as SYSDBA to your database and merge the wallets.

     SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/home/oracle/TDE/source'
          INTO EXISTING KEYSTORE '/home/oracle/TDE/new'
          IDENTIFIED BY <newTDEpassword> WITH BACKUP;

 11. Connect as SYSDBA and generate the auto-login file for the new wallet.

     SQL> ADMINISTER KEY MANAGEMENT
          CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/home/oracle/TDE/new'
          IDENTIFIED BY <newTDEpassword>;

 12. Display the wallet content and verify that both wallets match.

     $ orapki wallet display -wallet /home/oracle/TDE/source
     $ orapki wallet display -wallet /home/oracle/TDE/new

     NOTE: The new wallet has to contain all keys from the source wallet, and it should now be displayed without a password.

 13. Connect as SYSDBA and close the wallet on the database.

     SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE CONTAINER = ALL;

     NOTE: While the wallet is closed and being replaced, the keys are not available, so there may be issues accessing encrypted objects during that time.
     NOTE: If possible, shut down the database for the duration of the wallet replacement.

 14. Rename the current ewallet.p12 and cwallet.sso files in the default wallet location of your database (execute on all nodes).

     $ mv /u02/app/oracle/admin/sbtest/tde_wallet/ewallet.p12 /u02/app/oracle/admin/sbtest/tde_wallet/ewallet.p12.sbbkp
     $ mv /u02/app/oracle/admin/sbtest/tde_wallet/cwallet.sso /u02/app/oracle/admin/sbtest/tde_wallet/cwallet.sso.sbbkp

     NOTE: Execute on the other nodes as well when the database is RAC and the wallets are on a non-shared location.

 15. Replace the wallet in the directory used by your target database.

     $ cp /home/oracle/TDE/new/ewallet.p12 /u02/app/oracle/admin/sbtest/tde_wallet/
     $ cp /home/oracle/TDE/new/cwallet.sso /u02/app/oracle/admin/sbtest/tde_wallet/

     NOTE: Execute on the other nodes as well when the database is RAC and the wallets are on a non-shared location.

 16. Connect as SYSDBA and check the wallet status.

     SQL> select * from v$encryption_wallet;

     NOTE: The wallet should be open automatically, as it is AUTOLOGIN.

 17. Verify the database and PDB status to confirm everything is working correctly, and compare with the output from step 1.

     SQL> select name, open_mode from v$database;
     SQL> show pdbs
     SQL> select time, name, cause, status, message from pdb_plug_in_violations;

 18. Verify the database alert log and confirm there are no TDE-related errors.
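The orapki comparisons in steps 5 and 12 are done by eye above. The shell script below is an added example, not code from the original post or from Oracle: given saved orapki wallet display output for the source wallet and the new wallet (constructed sample dumps with placeholder key ids are embedded), it lists every master-key entry of the source wallet that the new wallet lacks, which is exactly the case where an additional merge is required.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle tooling.
# Compares the TDE master-key entries reported by "orapki wallet display" for the
# source wallet and the new (merged) wallet and reports any entry the new wallet lacks.
# The orapki output used below is constructed sample text with placeholder key ids.

# Master-key entries in orapki output are the secret-store lines named
# ORACLE.SECURITY.DB.ENCRYPTION.<key id>; the MASTERKEY entry marks the active key.
wallet_keys() {
    grep '^ORACLE\.SECURITY\.DB\.ENCRYPTION\.' "$1" | sort -u
}

# Return 0 when every key entry of the source dump ($1) also appears in the
# new-wallet dump ($2); otherwise print the missing entries and return 1.
wallet_keys_covered() {
    src_keys=$(mktemp) || return 2
    new_keys=$(mktemp) || return 2
    wallet_keys "$1" > "$src_keys"
    wallet_keys "$2" > "$new_keys"
    missing=$(comm -23 "$src_keys" "$new_keys")   # lines present only in source
    rm -f "$src_keys" "$new_keys"
    [ -z "$missing" ] && return 0
    printf 'keys missing from %s:\n%s\n' "$2" "$missing"
    return 1
}

# Constructed orapki dumps (placeholder key ids, not real wallets).
SRC_DUMP=$(mktemp); NEW_DUMP=$(mktemp); PARTIAL_DUMP=$(mktemp)
trap 'rm -f "$SRC_DUMP" "$NEW_DUMP" "$PARTIAL_DUMP"' EXIT
cat > "$SRC_DUMP" <<'EOF'
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AcPLACEHOLDERKEYID0001AAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AcPLACEHOLDERKEYID0002AAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.KM.ENCRYPTION.AcPLACEHOLDERKEYID0002AAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
EOF
# Complete merge: the new wallet carries both keys and the MASTERKEY marker (listed in another order).
grep -v '^ORACLE\.SECURITY\.KM\.' "$SRC_DUMP" | sort -r > "$NEW_DUMP"
# Incomplete merge (the step 5 case): one node's wallet never received key 0002.
grep -v 'KEYID0002' "$SRC_DUMP" > "$PARTIAL_DUMP"

wallet_keys_covered "$SRC_DUMP" "$NEW_DUMP" && echo "new wallet carries all source keys"
wallet_keys_covered "$SRC_DUMP" "$PARTIAL_DUMP" || echo "additional merge required"
```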

     
