Secure storage of encryption keys and certificates
Data Dictionary Objects
CDB_WALLET_ACES
GV$ENCRYPTION_WALLET
NACL$_WALLET_EXP_TBL
CDB_WALLET_ACLS
GV$WALLET
USER_WALLET_ACES
DBA_WALLET_ACES
NACL$_WALLET
V$ENCRYPTION_WALLET
DBA_WALLET_ACLS
NACL$_WALLET_EXP
V$WALLET
Exceptions
Error Code   Reason
ORA-28353    Wallet did not open
ORA-28354    Encryption wallet, auto login wallet, or HSM is already open
ORA-28368    Can not autocreate wallet
ORA-28390    Auto login wallet not open but encryption wallet may be open
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<keystore_location>'
IDENTIFIED BY <keystore_password>;
Create Autologin Keystore
ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE FROM KEYSTORE '<keystore_location>'
IDENTIFIED BY <keystore_password>;
Open Keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <keystore_password>
[CONTAINER = <ALL | CURRENT>];
Close Keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
[IDENTIFIED BY <keystore_password>]
[CONTAINER = <ALL | CURRENT>];
Backup Keystore
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE [USING '<backup_identifier>']
[IDENTIFIED BY <keystore_password>]
TO '<keystore_location>';
Alter Keystore Password
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD [IDENTIFIED BY <old_keystore_password>]
SET <new_keystore_password>
[WITH BACKUP [USING '<backup_identifier>']];
Merge Into New Keystore
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE
'<keystore1_location>' [IDENTIFIED BY <keystore1_password>]
ADD KEYSTORE '<keystore2_location>' [IDENTIFIED BY <keystore2_password>]
INTO NEW KEYSTORE '<keystore3_location>' [IDENTIFIED BY <keystore3_password>];
Merge Into Existing Keystore
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE
'<keystore1_location>' [IDENTIFIED BY <keystore1_password>]
INTO EXISTING KEYSTORE '<keystore2_location>' [IDENTIFIED BY <keystore2_password>]
[WITH BACKUP [USING '<backup_identifier>']];
Administer Key Management Syntax
ADMINISTER KEY MANAGEMENT <key_management_clauses>
Administer Key Management Syntax
ADMINISTER KEY MANAGEMENT <secret_management_clauses>
Create Keystore Administrator for containers 1 and 3
SQL> CREATE USER c##sec_admin IDENTIFIED BY "N0Way!";
User created.
SQL> GRANT create session TO c##sec_admin;
Grant succeeded.
SQL> GRANT syskm TO c##sec_admin;
Grant succeeded.
-- also grant create session
SQL> conn sys@pdbdev as sysdba
Enter password:
Connected.
SQL> GRANT create session TO c##sec_admin;
Grant succeeded.
Create Keystore
ADMINISTER KEY MANAGEMENT CREATE [LOCAL] [AUTO_LOGIN] KEYSTORE '<keystore_path_and_location>'
IDENTIFIED BY <password>;
conn / as sysdba
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'c:\app\oracle\admin\orabase\wallet' IDENTIFIED BY "N0Way!";
Open Keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <password> [CONTAINER = <ALL | CURRENT>];
conn / as sysdba
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "N0Way!";
-- log in to container 3
SQL> conn sys@pdbdev as sysdba
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "N0Way!";
SQL> SELECT * FROM v$encryption_wallet;
WRL_TYPE  WRL_PARAMETER  STATUS             WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
--------- -------------- ------------------ ----------- --------- --------- ------
FILE                     OPEN_NO_MASTER_KEY PASSWORD    SINGLE    UNDEFINED      3
Set a Master Key
ADMINISTER KEY MANAGEMENT SET KEY [IDENTIFIED BY '<keystore_password>']
[WITH BACKUP USING '<backup_name>']
[CONTAINER = <ALL | CURRENT>];
SQL> conn c##sec_admin/"N0Way!"
password:
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "N0WayIn!" WITH BACKUP USING 'tde_key_backup';
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "N0Access!" WITH BACKUP USING 'tde_key_backup'
*
ERROR at line 1:
ORA-46671: master key not set in root container
SQL> conn c##sec_admin/"N0Way!"
Connected.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "N0WayIn!" WITH BACKUP USING 'tde_key_backup';
keystore altered.
SQL> SELECT * FROM v$encryption_wallet;
WRL_TYPE  WRL_PARAMETER                        STATUS  WALLET_TYPE WALLET_OR FULLY_BAC CON_ID
--------- ------------------------------------ ------- ----------- --------- --------- ------
FILE      C:\APP\ORACLE\ADMIN\ORABASE\WALLET\  OPEN    PASSWORD    SINGLE    NO             1
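A keystore health check over the view queried above, as an added example that is not part of the original page. It assumes a 12c-or-later database, where the columns truncated in the SQL*Plus output as WALLET_OR and FULLY_BAC are WALLET_ORDER and FULLY_BACKED_UP; the FINDING column and its messages are illustrative.

```sql
-- Added example: classify each container's keystore state.
-- Run from the root container as a SYSKM or SYSDBA user to see
-- one row per container (CON_ID).
SELECT con_id,
       wrl_type,
       wrl_parameter,
       status,
       wallet_type,
       fully_backed_up,
       CASE
         -- No keystore exists at the configured location.
         WHEN status = 'NOT_AVAILABLE'
           THEN 'No keystore at the configured location'
         -- Keystore exists but is closed: encrypted data is unreadable.
         WHEN status = 'CLOSED'
           THEN 'Keystore closed: open it before using encrypted data'
         -- State shown for CON_ID 3 above: open, but SET KEY not yet run.
         WHEN status = 'OPEN_NO_MASTER_KEY'
           THEN 'Keystore open but no master key set'
         -- Auto-login keystores open without a password, so access to
         -- the keystore files must be tightly restricted.
         WHEN wallet_type IN ('AUTOLOGIN', 'LOCAL_AUTOLOGIN')
           THEN 'Auto-login keystore: verify file permissions'
         -- State shown for CON_ID 1 above: key set, keystore not backed up.
         WHEN fully_backed_up = 'NO'
           THEN 'Keystore not fully backed up: run BACKUP KEYSTORE'
         ELSE 'OK'
       END AS finding
FROM   v$encryption_wallet
ORDER  BY con_id, wallet_order;
```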
Close Keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
[IDENTIFIED BY '<keystore_password>']
[CONTAINER = <ALL | CURRENT>];
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "N0Access!";
keystore altered.
Drop Keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
[IDENTIFIED BY '<keystore_password>']
[CONTAINER = <ALL | CURRENT>];
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "N0Access!";