TDE Master Key Creation Fails With ORA-600 [kzthsmgtmk: c_generatekey] For A Cloned Database

(Doc ID 1245164.1)

Last updated on NOVEMBER 18, 2011

Applies to:

Advanced Networking Option - Version: 11.1.0.7 to 11.2.0.1 - Release: 11.1 to 11.2
Information in this document applies to any platform.

Symptoms


Consider two databases which were copies of each other (one of them renamed using CREATE CONTROLFILE command or NID command), before the creation of the HSM TDE Wallet. 

While trying to generate a master key for a cloned database the following error occurs:


SQL> alter system set encryption key identified by "oracle:oracle";
ERROR at line 1:
ORA-03113: end-of-file on communication channel
Process ID: 18655
Session ID: 97 Serial number: 563


The original database was configured for TDE successfully. During the second database wallet setup, 'alter system set encryption key' command fails with ORA-3113. The internal error associated with the foreground error is :


ORA-600 [kzthsmgtmk: C_GenerateKey]


The two databases use two different HSM users. The master key for the original database was directly configure in the HSM device( it was not migrated from a oracle software wallet). 

The following error message is reported in the HSM activity log while creating the master key for the second database:
 
[2010-04-29 20:18:39] ERROR 172.22.44.13 [-] apd1_dev2_hsm 200002 KeyGen 
ORACLE.TSE.HSM.MK.0708CFC5588284CD45141A32872D84F7E00203 [AES 256] 1422 [Key already exists] [-]


Even though 'alter system set encryption key' command fails with ORA-600, it succeeds creating the column TDE master key successfully and fails while creating the tablespace TDE master key.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms