ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)

James Su
James Su Member Posts: 1,152 Gold Trophy
edited Aug 6, 2019 3:35PM in Database Security - General

Hi experts,

I have 12c R2 installed on my windows 10 laptop, and I have this setting in my sqlnet.ora:

ENCRYPTION_WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\oracle\admin\jsu12c\wallet)
    )
  )

When I try to run the below command I always get an error:

[email protected]>  alter system set encryption key identified by "password123";
alter system set encryption key identified by "password123"
*
ERROR at line 1:
ORA-28368: cannot auto-create wallet

However I do see a file ewallet.p12 created in the above folder.

I tried other commands like:

[email protected]> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123";
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123"
*
ERROR at line 1:
ORA-46630: keystore cannot be created at the specified location

[email protected]> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "password123";
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "password123"
*
ERROR at line 1:
ORA-28367: wallet does not exist

[email protected]> select * from V$ENCRYPTION_WALLET;

WRL_TYPE
--------------------
WRL_PARAMETER
----------------------------------------------------------------------------------------------
STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID
------------------------------ -------------------- --------- --------- ----------
FILE
C:\ORACLE\ADMIN\JSU12C\WALLET\
CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

Could you please let me know what's wrong here? Thanks!


Answers

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 30, 2019 10:50PM

    The primary issue is with the first command in 12c, which throws an error while creating the keystore.

    ORA-46630: keystore cannot be created at the specified location

    Other commands after that are bound to fail since the keystore does not exist.

    1) Try to put the ENCRYPTION_WALLET_LOCATION parameter in a single line in the sqlnet.ora file

    2) Try to open the cmd with Admin privileges and check if that works.

  • James Su
    James Su Member Posts: 1,152 Gold Trophy
    edited Jul 31, 2019 10:44AM

    Thank you for your response. I changed sqlnet.ora to put everything into one line, then I restarted the DB, and I still got this error:

    [email protected]> alter system set encryption key identified by "password123";
    alter system set encryption key identified by "password123"
    *
    ERROR at line 1:
    ORA-28368: cannot auto-create wallet

    Why do I need to open cmd since all commands are run in sqlplus? Do you mean I need to delete the ewallet.p12 file in windows cmd?

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Jul 31, 2019 12:31PM

    Please try the ADMINISTER KEY MANAGEMENT command and not the ALTER SYSTEM command, since this is a 12c database.

  • James Su
    James Su Member Posts: 1,152 Gold Trophy
    edited Jul 31, 2019 2:05PM

    Just tried it, no luck:

    [email protected]> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123";
    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123"
    *
    ERROR at line 1:
    ORA-46630: keystore cannot be created at the specified location

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Aug 1, 2019 12:57AM

    You will need to check the permissions on the directory, or the command needs the privileges of an Admin/Domain user.

    I just did the test case in my 12c Windows in-house lab and it does work fine.

    Test Case: Works fine in my Local Windows 2016 Server:

    DB Home: 12.1.0.2
    -----------------------

    D:\psft\db\oracle-server\admin\CDBCRM\WALLET>sqlplus "/ as sysdba"

    SQL*Plus: Release 12.1.0.2.0 Production on Thu May 16 20:19:34 2019

    Copyright (c) 1982, 2017, Oracle.  All rights reserved.

    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

    SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'D:\psft\db\oracle-server\admin\CDBCRM\WALLET' IDENTIFIED BY "Welcome1";

    keystore altered.

    SQL> select * from v$encryption_wallet;

    WRL_TYPE
    --------------------
    WRL_PARAMETER
    --------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
    ------------------------------ -------------------- --------- ---------
       CON_ID
    ----------
    FILE
    D:\PSFT\DB\ORACLE-SERVER\ADMIN\CDBCRM\WALLET
    CLOSED                         UNKNOWN              SINGLE    UNDEFINED
            0

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Welcome1";

    keystore altered.

    SQL> select * from v$encryption_wallet;

    WRL_TYPE
    --------------------
    WRL_PARAMETER
    --------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
    ------------------------------ -------------------- --------- ---------
       CON_ID
    ----------
    FILE
    D:\PSFT\DB\ORACLE-SERVER\ADMIN\CDBCRM\WALLET
    OPEN_NO_MASTER_KEY             PASSWORD             SINGLE    UNDEFINED
            0

    SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Welcome1" WITH BACKUP;

    keystore altered.

    SQL> select * from v$encryption_wallet;

    WRL_TYPE
    --------------------
    WRL_PARAMETER
    --------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC
    ------------------------------ -------------------- --------- ---------
       CON_ID
    ----------
    FILE
    D:\PSFT\DB\ORACLE-SERVER\ADMIN\CDBCRM\WALLET
    OPEN             PASSWORD             SINGLE    UNDEFINED
            0

  • James Su
    James Su Member Posts: 1,152 Gold Trophy
    edited Aug 1, 2019 10:09AM

    I created a new folder c:\wallet and gave access privileges to "everyone". Then I changed sqlnet.ora and restarted the db. I do see the path is changed in v$encryption_wallet:

    [email protected]> select * from v$encryption_wallet;

    WRL_TYPE
    --------------------
    WRL_PARAMETER
    ---------------------------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID
    ------------------------------ -------------------- --------- --------- ----------
    FILE
    C:\WALLET\
    CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

    But I still got the same error:

    [email protected]>  alter system set encryption key identified by "password123";
    alter system set encryption key identified by "password123"
    *
    ERROR at line 1:
    ORA-28368: cannot auto-create wallet

    [email protected]> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123";
    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123"
    *
    ERROR at line 1:
    ORA-46630: keystore cannot be created at the specified location

    I am connecting as sysdba so I think I have all the needed privileges right?

  • Emad Al-Mousa
    Emad Al-Mousa Member Posts: 716 Bronze Trophy
    edited Aug 1, 2019 1:10PM

    For your reference: https://geodatamaster.com/2017/05/03/tde-transparent-data-encryption-tablespace-live-conversion-in-oracle-12cr2/

    I don't think you set the permissions the right way. Right-click on the "wallet" folder under the C: drive, make sure the Oracle account used by your Windows service has FULL permission on it, and try again.

    Regards,

    Emad
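
The permission advice above comes down to two questions: which Windows account the database service runs as, and what the wallet directory's ACL grants. A read-only check of both, as an added example that is not from any poster in this thread; the service name pattern OracleService<SID> and the `$WalletDir` / `$Sid` values are assumptions, and the script also flags write access held by broad groups such as Everyone.

```powershell
# Added example, not from the thread. Assumptions: the service is named
# OracleService<SID>; the path and SID below are illustrative values.
$WalletDir = 'C:\ora_wallet'
$Sid       = 'JSU12C'

# The keystore file is written by the database server process, so the
# service account matters here, not the fact that the session is SYSDBA.
$svc = Get-CimInstance Win32_Service -Filter "Name='OracleService$Sid'"
if ($svc) { "Service account: $($svc.StartName)" }
else      { Write-Warning "OracleService$Sid not found; check the service name" }

# Well-known SIDs of groups too broad to hold write access to key material.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$rights  = [System.Security.AccessControl.FileSystemRights]
$sidType = [System.Security.Principal.SecurityIdentifier]

$acl = Get-Acl -LiteralPath $WalletDir
"Owner: $($acl.Owner)"

# Explicit and inherited ACEs, with identities returned as SIDs.
$report = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sidValue = $ace.IdentityReference.Value
    # Resolve the SID to a name where possible; orphaned SIDs stay as-is.
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sidValue }
    # WriteData on a directory is the right to create files in it.
    # ACEs stored as generic rights (raw numbers) are not expanded here.
    $canWrite = ([int]$ace.FileSystemRights -band [int]$rights::WriteData) -ne 0
    [pscustomobject]@{
        Principal = $name
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        CanWrite  = $canWrite
        TooBroad  = $canWrite -and $broad.ContainsKey($sidValue)
    }
}
$report | Format-Table -AutoSize
```

The service account may receive its access through a group such as ORA_OraDB12Home1_SVCACCTS, so compare the CanWrite rows against that account's group memberships rather than looking only for its own name.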

  • James Su
    James Su Member Posts: 1,152 Gold Trophy
    edited Aug 1, 2019 2:55PM

    Thank you. I have given full control to "everyone"; shouldn't that include the Oracle accounts already?

    Anyway, I created another folder c:\ora_wallet and gave full control to the accounts that I think are relevant:

    ORA_DBSVCACCTS
    ORA_OraDB12Home1_SVCACCTS
    ORA_OraDB12Home1_SYSKM

    Then I edited sqlnet.ora and restarted the db. This time I got these errors:

    [email protected]> alter system set encryption key identified by "password123";
    alter system set encryption key identified by "password123"
    *
    ERROR at line 1:
    ORA-28353: failed to open wallet

    [email protected]> select * from v$encryption_wallet;

    WRL_TYPE
    --------------------
    WRL_PARAMETER
    ---------------------------------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID
    ------------------------------ -------------------- --------- --------- ----------
    FILE
    C:\ORA_WALLET\
    CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

    [email protected]> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123";
    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123"
    *
    ERROR at line 1:
    ORA-46630: keystore cannot be created at the specified location

    I noticed a file ewallet.p12 got created under that folder as soon as I executed the first "alter system" command (which reported an error).

    Then I decided to follow your URL and created another folder C:\oracle\product\12.2.0\dbhome_1\key_store. This folder is automatically fully accessible by the account ORA_OraDB12Home1_SVCACCTS.

    I did not run "alter system" this time, and here's what I got:

    [email protected]>  ALTER SYSTEM SET COMPATIBLE = '12.2.0.0' SCOPE = SPFILE;

    System altered.

    [email protected]> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\product\12.2.0\dbhome_1\key_store' IDENTIFIED BY "password123";

    keystore altered.

    [email protected]> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password123";
    ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password123"
    *
    ERROR at line 1:
    ORA-28367: wallet does not exist

    According to the article in that URL, the wallet should be automatically created. What did I do wrong here?

  • Gaurav Kamal - Oracle-Oracle
    Gaurav Kamal - Oracle-Oracle Member Posts: 27
    edited Aug 2, 2019 10:06PM

    What does the below show:

    SQL> select * from v$encryption_wallet;

    Is that reading the correct sqlnet.ora file and the same wallet location?

  • James Su
    James Su Member Posts: 1,152 Gold Trophy
    edited Aug 6, 2019 3:35PM

    [email protected]> select * from v$encryption_wallet;

    WRL_TYPE
    --------------------
    WRL_PARAMETER
    ------------------------------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID
    ------------------------------ -------------------- --------- --------- ----------
    FILE
    C:\ORACLE\PRODUCT\12.2.0\DBHOME_1\KEY_STORE\
    CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

    Yes, the location does match what I put in sqlnet.ora. Each time when I change sqlnet.ora, this result always changes with a matching value.