Forum Stats

  • 3,741,767 Users
  • 2,248,474 Discussions
  • 7,861,979 Comments

Discussions

Getting "ORA-28374: typed master key not found in wallet" on v. 12.1.0.2 with most recent 2019 PSU

Vict0r
Vict0r Member Posts: 4 Red Ribbon
edited Jul 9, 2019 12:03PM in Database Security - General

Steps taken on clean single node, non-pdb 12.1.0.2 DB install with restore of a couple schemas with data to test converting tablespace/datafiles to encrypted TS.

Notice I am not using auto login Keystore. As I understand in 12.1 we must first create the TDE Master Encryption Key before we enable auto login.

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/opt/bt/oracledb-12c/fi4423dv/wallet' IDENTIFIED BY ********* ;

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracledbe;

--* Verify gv$encryption_wallet:

   INST_ID WRL_TYPE        WRL_PARAMETER                                 STATUS          WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID

---------- --------------- --------------------------------------------- --------------- -------------------- --------- --------- ----------

         1 FILE            /opt/bt/grid-12c/base/admin/FI4423DV/wallet   OPEN            PASSWORD             SINGLE    NO                 0

ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'ActvKeyDT: 190726.1740; ActvKeyBy: VAcevedo' IDENTIFIED BY ********* WITH BACKUP ;

*

ERROR at line 1:

ORA-28374: typed master key not found in wallet

--* Verify gv$encryption_keys

   INST_ID KEY_ID                                                  TAG                                                CREATION_TIME                            ACTIVATION_TIME                          CREATOR    USER       KEY_USE    KEYSTORE_TYPE                 CON_ID ORIGIN     BACKED_UP

---------- ------------------------------------------------------- -------------------------------------------------- ---------------------------------------- ---------------------------------------- ---------- ---------- ---------- ------------------------- ---------- ---------- ---------

         1 AdS0gXgiC08Wv6LWCkigDAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    ActvKeyDT: 190726.1740; ActvKeyBy: VAcevedo        26-JUN-19 05.37.32.137505000 PM -04:00   26-JUN-19 05.37.32.137508000 PM -04:00   SYS        SYS        TDE        SOFTWARE KEYSTORE                  0 LOCAL      NO      

This is happening from the very first attempt at configuring TDE and if I attempt something as simple as creating a small tablespace encrypted I get same error as above. I have already tried removing the wallet and started from scratch after bouncing DB. I continue to get the error.

If anyone here has encountered this situation and have any suggestion for me I will really appreciate any feedback.

Thank you.

Victor

Answers

  • Vict0r
    Vict0r Member Posts: 4 Red Ribbon
    edited Jul 2, 2019 2:19AM

    Yes Sir. The path has been checked and sqlnet.ora entry validated correct with matching path. Syntax has also been validated according to oracle documentation to be correct. Please note that I am working with Oracle version 12.1.0.2 on Linux, not 12cR2 as per article you shared.

    Thank you for your feedback.

    Best regards,

    Victor

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 3, 2019 3:07AM

    V$encryption_keys shows that the key was created on JUN-19.

    Was the TDE already implemented before?

    Was the TDE wallet recreated after that?

    Please note that TDE once implemented, should never be deleted or recreated, else Master keys related errors are expected.

    You can check the wallet file if the Master key in the comntrolfile , system tablespaces matches with the one in the Wallet file?

    1)

    cd < TDE wallet location>

    orapki wallet display -wallet <TDE wallet location>

    2)

    set linesize 150

    column name format a40

    column masterkeyid_base64 format a60

    select  name,utl_raw.cast_to_varchar2( utl_encode.base64_encode('01'||substr(mkeyid,1,4))) || utl_raw.cast_to_varchar2( utl_encode.base64_encode(substr(mkeyid,5,length(mkeyid)))) masterkeyid_base64  FROM (select t.name, RAWTOHEX(x.mkid) mkeyid from v$tablespace t, x$kcbtek x where t.ts#=x.ts#);

    3)

    select  utl_raw.cast_to_varchar2( utl_encode.base64_encode('01'||substr(mkeyid,1,4))) || utl_raw.cast_to_varchar2( utl_encode.base64_encode(substr(mkeyid,5,length(mkeyid)))) masterkeyid_base64  FROM (select RAWTOHEX(mkid) mkeyid from x$kcbdbk);

    Provide the alert log details and the level 4 trace file for the ORA-28374.

  • Vict0r
    Vict0r Member Posts: 4 Red Ribbon
    edited Jul 3, 2019 10:45AM

    Thank you Gaurav,

    You have pointed me in the right direction. Based on the info you have provided I have found that this DB was a restore from backup. However the original DB had a keystore/wallet setup.

    The DBA who setup this DB for me to work on, thought that as a restore it would not bring the wallet or anything related to it. So I created a new wallet, thinking I was starting from scratch - in the new instance server the wallet directory did not exist, sqlnet.ora did not have encryption wallet location and as such, the encryption views indicated no wallet or TDE master key configured.

    I will now request a clean DB instance be created and import the schemas I need to validate the db datafile encryption process.

    Thanks again for your feedback.

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 3, 2019 1:12PM

    If the source database was a TDE enabled ever in the past, it will look for the Wallet, thus you need to make sure wallet is always kept in a safe place and is accessible.

    Let me know it works.

  • Vict0r
    Vict0r Member Posts: 4 Red Ribbon
    edited Jul 9, 2019 11:33AM

    Hello Gourav,

    I have learned quite a lot about keystore (aka wallet) and TDE over the past 8 months. One key lesson learned is that the keystore is tightly integrated with sys/system objects. As such, although a restore from backup onto a new server may appear as clean and withouth keystore anywhere, the DB will continue to look for the original Keystore.

    Locally thanks to another DBA we reached out to, I learned about "_db_discard_lost_masterkey". By setting this parameter temporarily we were able to create a new TDE master encryption key and were able to convert our tablespaces from non-encrypted to encrypted.

    And just as a way of sharing information (seen very little about how long would it take to do a tablespace conversion), in our [limited] dev environment, converting a 766G tablespace took ~2:30 hours.

    Thank you again for your help and feedback.

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 9, 2019 12:03PM

    Hello Victor,

    Setting the undocumented parameter "_db_discard_lost_masterkey" is not recommended or suggested as we have seen ORA-600 and some after effect of this parameter and thus it is hidden and undocumented for a reason.

    As per the email-conversation with Dev, this parameter is just for information and shouldn't be used in live-environment.

    Is it Possible to Remove/Disable TDE? (Doc ID 2488898.1)

    For the other question, tablespace conversion to encrypted ones highly depends on your system resources (CPU / Memory and DB load).

    The performance effect of encrypting all the tablespaces in a database depends on the workload and platform. Many modern CPUs provide built-in hardware acceleration, which results in a minimal performance impact.

    Check the FAQ:
    https://docs.oracle.com/en/database/oracle/oracle-database/12.2/asoag/configuring-transparent-data-encryption.html#GUID-…

Sign In or Register to comment.