Known TDE Wallet Issues (Doc ID 1301365.1)

Last updated on MAY 22, 2017

Applies to:

Oracle Security Service - Version 10.2.0.1 to 11.2.0.2 [Release 10.2 to 11.2]
Information in this document applies to any platform.

Goal

This note is dedicated to the problems that have surfaced with the TDE wallet.

1. Deleting and recreating the wallet in 11.2.0.1 fails with ORA-28374 even if no object is created.

This issue affects only the 11.2.0.1 release.
The failure appears after this procedure:
1. create the wallet using:
alter system set encryption key identified by "password"
2. manually remove the wallet.
3. a subsequent attempt to recreate the wallet fails with ORA-28374.

2. If deleting the wallet after creating TDE encrypted data (using column or tablespace encryption), the wallet can't be recreated.

To permanently remove TDE from a database, the procedure is:
1. decrypt all encrypted objects if needed.
2. drop the encrypted objects.
3. close the wallet.
4. perform a full log switch rotation and a checkpoint.
5. remove the wallet.
A subsequent attempt to recreate the wallet would raise this error:
ORA-28362: master key not found
In other cases the wallet can be created, but trying to create new encrypted objects would raise:
ORA-28374: typed master key not found in wallet
This issue affects only the 11.2 release.

3. Modifying the wallet with OWM or orapki leads to various errors: ORA-600 [ZTSMSTORE FAILED], ORA-28368, ORA-28367, ORA-28362

It is sometimes needed to modify the TDE wallet manually, using OWM or orapki, in order to change the wallet password or to make it auto login.
As a result, subsequent wallet access would fail with one of the following errors:
ORA-600 [ZTSMSTORE FAILED], ORA-28368, ORA-28367, ORA-28362.
The issue affects all Oracle releases using TDE.

4. Opening the wallet on one of the RAC nodes closes it on the other node(s).

When attempting to open the Transparent Data Encryption wallet on one of the RAC nodes, the operation succeeds; however, on the other nodes the wallet is closed.

5. PKI based master key wallets cannot be opened.

If trying to use a PKI based master key in release 11g, the v$wallet view does not display anything and it is not possible to open the wallet for TDE usage.
The CERT_ID value from v$wallet is needed to open the wallet in such a configuration using:
alter system set encryption key "<CERT_ID value>" identified by "<wallet password>";

6. After the upgrade to 11gR2, ORA-28374 is raised for TDE operations

The database is upgraded to 11gR2 and trying to create a new encrypted object fails with:
ORA-28374 "typed master key not found in wallet"

7. ORA-28374 raised for encrypted tablespace creation, 11gR1 specific (not occurring in 11gR2).

Trying to create an encrypted tablespace in 11gR1 crashes with ORA-28374

8. Cannot access wallets stored on NFS

OWM, orapki and mkstore fail to access or open a TDE wallet stored on an NFS shared location.
The error is:

PKI-02002: Unable to open the wallet. Check password.

9. RAC: After a node crash, the wallet is not open after node restart.

This applies to RAC with non-shared wallets.
If one RAC node crashes, recovery is performed properly on the other nodes, as expected.
The crashed node's instance is restarted and correctly reaches open mode, but trying to access the encrypted data on this node fails with ORA-28365.
The wallet should be opened automatically because it is open on the other node(s).

10. Regenerating the master key using the wrong wallet can corrupt the database (Tablespace encryption only).

If a database with tablespace encryption is opened using an incorrect wallet and regeneration of the master key is attempted, the operation succeeds.
This has two negative effects:
1. corruption of blocks in buffer cache.
2. change of master key ID within the database dictionary.
Reopening the database with the correct wallet would not solve the problem because the new master key ID in the dictionary is not present in the proper wallet.

11. Changing the wallet password with orapki while the associated auto-login wallet file cwallet.sso is read-only erases the ewallet.p12 file.

This problem happens if cwallet.sso is read-only (chmod 440): a password change using orapki will erase ewallet.p12.

chmod 440 cwallet.sso
orapki wallet change_pwd -wallet . -oldpwd welcome1 -newpwd welcome2
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

PKI-02003: Unable to load the wallet at: .

ls -l
total 8
-r--r----- 1 oracle dba 3589 Mar 18 15:34 cwallet.sso
-rw------- 1 oracle dba    0 Mar 18 15:34 ewallet.p12
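The following pre-flight and post-check shell functions are an added example and not part of this note or of Oracle's tooling. They refuse to proceed with a password change when cwallet.sso lacks the owner-write bit (the issue 11 layout), keep a copy of ewallet.p12 and cwallet.sso so a wallet broken by a manual edit (issue 3) can be restored, and restore ewallet.p12 if it comes back empty. The function names, the wallet directory argument and the backup naming are assumptions.

```shell
# tde_wallet_preflight <wallet_dir>
# Returns 0 and prints the ewallet.p12 backup path when it is safe to run
# "orapki wallet change_pwd"; returns 1 with a reason on stderr otherwise.
# (Added example; function names and backup naming are assumptions.)
tde_wallet_preflight() {
    dir=$1
    p12="$dir/ewallet.p12"
    sso="$dir/cwallet.sso"

    [ -f "$p12" ] || { echo "missing $p12" >&2; return 1; }
    [ -s "$p12" ] || { echo "$p12 is empty: already clobbered?" >&2; return 1; }

    # Issue 11: a read-only cwallet.sso (e.g. chmod 440) makes the password
    # change truncate ewallet.p12. Check the owner-write bit from the ls mode
    # string (3rd character) instead of "test -w", which is always true for root.
    if [ -e "$sso" ]; then
        owner_w=$(ls -ld "$sso" | cut -c3)
        if [ "$owner_w" != "w" ]; then
            echo "$sso is not owner-writable; chmod u+w it before changing the password" >&2
            return 1
        fi
    fi

    # Keep timestamped copies so a wallet damaged by the change can be rolled back.
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$p12" "$p12.bak.$stamp" || return 1
    if [ -e "$sso" ]; then
        cp -p "$sso" "$sso.bak.$stamp" || return 1
    fi
    echo "$p12.bak.$stamp"
    return 0
}

# tde_wallet_postcheck <wallet_dir> <p12_backup>
# After orapki has run: return 0 if ewallet.p12 is still non-empty, otherwise
# restore it from the backup taken by the preflight and return 1.
tde_wallet_postcheck() {
    dir=$1
    backup=$2
    p12="$dir/ewallet.p12"
    if [ -s "$p12" ]; then
        return 0
    fi
    echo "$p12 is empty after the password change; restoring from $backup" >&2
    cp -p "$backup" "$p12" || return 1
    return 1
}
```

A wrapper would call the preflight, run orapki only when it returns 0, then call the postcheck with the printed backup path.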

Solution