10 Replies Latest reply on Aug 6, 2019 7:35 PM by James Su

    ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)

    James Su

      Hi experts,

      I have 12c R2 installed on my Windows 10 laptop, and I have this setting in my sqlnet.ora:

      ENCRYPTION_WALLET_LOCATION =

      (SOURCE = (METHOD = FILE)

      (METHOD_DATA =

        (DIRECTORY = C:\oracle\admin\jsu12c\wallet)

      )

      )

       

      When I try to run the below command I always get an error:

      sys@JSU12C>  alter system set encryption key identified by "password123";

      alter system set encryption key identified by "password123"

      *

      ERROR at line 1:

      ORA-28368: cannot auto-create wallet

       

      However I do see a file ewallet.p12 created in the above folder.

       

      I tried other commands like:

      sys@JSU12C> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123";

      ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123"

      *

      ERROR at line 1:

      ORA-46630: keystore cannot be created at the specified location

       

      sys@JSU12C> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "password123";

      ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "password123"

      *

      ERROR at line 1:

      ORA-28367: wallet does not exist

       

       

      sys@JSU12C> select * from V$ENCRYPTION_WALLET;

       

       

      WRL_TYPE

      --------------------

      WRL_PARAMETER

      ----------------------------------------------------------------------------------------------

      STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID

      ------------------------------ -------------------- --------- --------- ----------

      FILE

      C:\ORACLE\ADMIN\JSU12C\WALLET\

      CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

       

      Could you please let me know what's wrong here? Thanks!

        • 1. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
          Gaurav Kamal - Oracle-Oracle

          The primary issue is with the first command in 12c, which throws an error while creating the keystore.

           

          ORA-46630: keystore cannot be created at the specified location

          Other commands after that are bound to fail since the keystore does not exist.

           

          1) Try to put the ENCRYPTION_WALLET_LOCATION parameter in a single line in the sqlnet.ora file

          2) Try to open the cmd with Admin privileges and check if that works.

          • 2. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
            James Su

            Thank you for your response. I changed sqlnet.ora to put everything into one line, then I restarted the DB, and I still got this error:

            sys@JSU12C> alter system set encryption key identified by "password123";

            alter system set encryption key identified by "password123"

            *

            ERROR at line 1:

            ORA-28368: cannot auto-create wallet

             

            Why do I need to open cmd since all commands are run in sqlplus? Do you mean I need to delete the ewallet.p12 file in Windows cmd?

            • 3. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
              Gaurav Kamal - Oracle-Oracle

              Please try the ADMINISTER KEY MANAGEMENT command and not the ALTER SYSTEM command, since this is a 12c database.

              • 4. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
                James Su

                Just tried it, no luck:

                 

                sys@JSU12C> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123";

                ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\admin\jsu12c\wallet\' IDENTIFIED BY "password123"

                *

                ERROR at line 1:

                ORA-46630: keystore cannot be created at the specified location

                • 5. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
                  Gaurav Kamal - Oracle-Oracle

                  You will need to check the permissions on the directory, or the command needs the privileges of an Admin/Domain user.

                  I just did the test case in my 12c Windows in-house lab and it does work fine.

                   

                  Test Case: Works fine in my Local Windows 2016 Server:

                  DB Home: 12.1.0.2

                  -----------------------

                   

                  D:\psft\db\oracle-server\admin\CDBCRM\WALLET>sqlplus "/ as sysdba"

                  SQL*Plus: Release 12.1.0.2.0 Production on Thu May 16 20:19:34 2019

                  Copyright (c) 1982, 2017, Oracle.  All rights reserved.

                  Connected to:

                  Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

                  With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

                   

                  SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'D:\psft\db\oracle-server\admin\CDBCRM\WALLET' IDENTIFIED BY "Welcome1";

                  keystore altered.

                   

                  SQL> select * from v$encryption_wallet;

                  WRL_TYPE

                  --------------------

                  WRL_PARAMETER

                  --------------------------------------------------------------------------------

                  STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC

                  ------------------------------ -------------------- --------- ---------

                     CON_ID

                  ----------

                  FILE

                  D:\PSFT\DB\ORACLE-SERVER\ADMIN\CDBCRM\WALLET

                  CLOSED                         UNKNOWN              SINGLE    UNDEFINED

                          0

                   

                   

                  SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Welcome1";

                  keystore altered.

                   

                  SQL> select * from v$encryption_wallet;

                  WRL_TYPE

                  --------------------

                  WRL_PARAMETER

                  --------------------------------------------------------------------------------

                  STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC

                  ------------------------------ -------------------- --------- ---------

                     CON_ID

                  ----------

                  FILE

                  D:\PSFT\DB\ORACLE-SERVER\ADMIN\CDBCRM\WALLET

                  OPEN_NO_MASTER_KEY             PASSWORD             SINGLE    UNDEFINED

                          0

                         

                  SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Welcome1" WITH BACKUP;

                  keystore altered.       

                   

                  SQL> select * from v$encryption_wallet;

                  WRL_TYPE

                  --------------------

                  WRL_PARAMETER

                  --------------------------------------------------------------------------------

                  STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC

                  ------------------------------ -------------------- --------- ---------

                     CON_ID

                  ----------

                  FILE

                  D:\PSFT\DB\ORACLE-SERVER\ADMIN\CDBCRM\WALLET

                  OPEN             PASSWORD             SINGLE    UNDEFINED

                          0

                  • 6. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
                    James Su

                    I created a new folder c:\wallet and gave access privilege to "everyone". Then I changed sqlnet.ora and restarted the db. I do see the path is changed in v$encryption_wallet:

                    sys@JSU12C> select * from v$encryption_wallet;

                     

                     

                    WRL_TYPE

                    --------------------

                    WRL_PARAMETER

                    ---------------------------------------------------------------------------------------------------

                    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID

                    ------------------------------ -------------------- --------- --------- ----------

                    FILE

                    C:\WALLET\

                    CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

                     

                     

                    But I still got the same error:

                    sys@JSU12C>  alter system set encryption key identified by "password123";

                    alter system set encryption key identified by "password123"

                    *

                    ERROR at line 1:

                    ORA-28368: cannot auto-create wallet

                     

                    sys@JSU12C> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123";

                    ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123"

                    *

                    ERROR at line 1:

                    ORA-46630: keystore cannot be created at the specified location

                     

                     

                    I am connecting as sysdba, so I think I have all the needed privileges, right?

                    • 7. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
                      Emad Al-Mousa

                      For your reference: https://geodatamaster.com/2017/05/03/tde-transparent-data-encryption-tablespace-live-conversion-in-oracle-12cr2/

                       

                      I don't think you set the permissions in the right way. Right-click on the "wallet" folder under the C: drive, make sure the Oracle account used by your Windows service has FULL permission on it, and try again.

                       

                       

                      Regards,

                      Emad
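The permission check suggested in the reply above can be done from an elevated PowerShell prompt instead of the folder's Properties dialog. This is an added example, not part of the original thread; it assumes the SID `JSU12C` and directory `C:\ora_wallet` seen in the thread and the default Windows service name `OracleService<SID>`. It also marks ACL entries for broad principals such as Everyone, since the directory holds the TDE keystore.

```powershell
# Added example. Assumed values: SID JSU12C and C:\ora_wallet as in the thread,
# and the default Windows service name OracleService<SID>.
$Sid       = 'JSU12C'
$WalletDir = 'C:\ora_wallet'

# 1. Account the database service runs as. The server process, running as this
#    account, creates the keystore file; the SQL*Plus session user does not.
$svc = Get-CimInstance Win32_Service -Filter "Name='OracleService$Sid'"
if (-not $svc) { throw "Service OracleService$Sid not found" }
"Service account: $($svc.StartName)"

if (-not (Test-Path -LiteralPath $WalletDir -PathType Container)) {
    throw "Wallet directory $WalletDir does not exist"
}

# 2. ACL entries on the wallet directory. CanModify is true when an Allow entry
#    carries at least Modify; Broad marks principals that cover every local user.
#    ACEs stored as generic rights show up as raw numbers and are not decoded here.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$broad  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

(Get-Acl -LiteralPath $WalletDir).Access | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Rights    = $_.FileSystemRights
        CanModify = ($_.AccessControlType -eq 'Allow') -and
                    (($_.FileSystemRights -band $modify) -eq $modify)
        Inherited = $_.IsInherited
        Broad     = $broad -contains $_.IdentityReference.Value
    }
} | Format-Table -AutoSize

# 3. Files already in the directory and who owns them. The owner of a leftover
#    ewallet.p12 shows which Windows account actually wrote it.
Get-ChildItem -LiteralPath $WalletDir -File | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        Length        = $_.Length
        LastWriteTime = $_.LastWriteTime
        Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
    }
} | Format-Table -AutoSize
```

Compare the service account from step 1 (or a group it belongs to, such as the ORA_* groups named in this thread) against the rows where CanModify is True.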

                      • 8. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
                        James Su

                        Thank you. I have given full control to "everyone"; shouldn't that include Oracle accounts already?

                        Anyway, I created another folder c:\ora_wallet and gave full control to the accounts that I think are relevant:

                        ORA_DBSVCACCTS

                        ORA_OraDB12Home1_SVCACCTS

                        ORA_OraDB12Home1_SYSKM

                        Then I edited sqlnet.ora and restarted the db. This time I got these errors:

                        sys@JSU12C> alter system set encryption key identified by "password123";

                        alter system set encryption key identified by "password123"

                        *

                        ERROR at line 1:

                        ORA-28353: failed to open wallet

                         

                         

                         

                        sys@JSU12C> select * from v$encryption_wallet;

                         

                         

                        WRL_TYPE

                        --------------------

                        WRL_PARAMETER

                        ---------------------------------------------------------------------------------------------------------

                        STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID

                        ------------------------------ -------------------- --------- --------- ----------

                        FILE

                        C:\ORA_WALLET\

                        CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

                         

                        sys@JSU12C> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123";

                        ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\wallet' IDENTIFIED BY "password123"

                        *

                        ERROR at line 1:

                        ORA-46630: keystore cannot be created at the specified location

                         

                        I noticed a file ewallet.p12 got created under that folder as soon as I executed the first "alter system" command (which reported an error).

                         

                        Then I decided to follow your URL and created another folder C:\oracle\product\12.2.0\dbhome_1\key_store. This folder is automatically fully accessible by account ORA_OraDB12Home1_SVCACCTS.

                         

                        I did not run "alter system" this time, and here's what I got:

                         

                        sys@JSU12C>  ALTER SYSTEM SET COMPATIBLE = '12.2.0.0' SCOPE = SPFILE;

                         

                        System altered.

                         

                        sys@JSU12C> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\oracle\product\12.2.0\dbhome_1\key_store' IDENTIFIED BY "password123";

                         

                        keystore altered.

                         

                        sys@JSU12C> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password123";

                        ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password123"

                        *

                        ERROR at line 1:

                        ORA-28367: wallet does not exist

                         

                        According to the article in that URL, the wallet should be automatically created. What did I do wrong here?

                        • 9. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
                          Gaurav Kamal - Oracle-Oracle

                          What does the below show:

                          SQL> select * from v$encryption_wallet;

                           

                          Is that reading the correct sqlnet.ora file and the same wallet location?

                          • 10. Re: ORA-28368: cannot auto-create wallet (ewallet.p12 has been created)
                            James Su

                            sys@JSU12C> select * from v$encryption_wallet;

                             

                             

                            WRL_TYPE

                            --------------------

                            WRL_PARAMETER

                            ------------------------------------------------------------------------------------------------------

                            STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID

                            ------------------------------ -------------------- --------- --------- ----------

                            FILE

                            C:\ORACLE\PRODUCT\12.2.0\DBHOME_1\KEY_STORE\

                            CLOSED                         UNKNOWN              SINGLE    UNDEFINED          1

                             

                             

                            Yes, the location does match what I put in sqlnet.ora. Each time I change sqlnet.ora, this result always changes with a matching value.