Thursday, March 30, 2017

ORA-46630: keystore cannot be created at the specified location

This error occurs when you try to create a keystore at a location where a keystore already exists; you will see an ewallet.p12 file already present there.
To solve the problem, use a different location to create the keystore (use ENCRYPTION_WALLET_LOCATION in the sqlnet.ora file to specify the keystore location), or move the existing ewallet.p12 file to some other location.
Please note that Oracle does not recommend deleting a keystore file (ewallet.p12) that belongs to a database. If you have multiple keystores, you can choose to merge them rather than deleting either of them.


Related Articles
TDE Related Error Messages

Wednesday, March 22, 2017

ORA-46633: creation of a password-based keystore failed

You can face this error when you create a keystore but specify a wrong keystore location in the statement.
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\APP\ORACLE\ADMIN\WALLET\SALMAN12C\WALLET' IDENTIFIED BY salman12;
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\APP\ORACLE\ADMIN\SALMAN12C\WALLET' IDENTIFIED BY salman12
*
ERROR at line 1:
ORA-46633: creation of a password-based keystore failed

Solution:
1. Check that the keystore location is set properly in the SQLNET.ORA file using the “ENCRYPTION_WALLET_LOCATION” parameter.
ENCRYPTION_WALLET_LOCATION=
               (SOURCE=
               (METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\APP\ORACLE\ADMIN\WALLET\SALMAN12C))
               )

2. Check that the destination directory for the keystore exists. For this example, the location is “C:\APP\ORACLE\ADMIN\WALLET\SALMAN12C” as specified in the sqlnet.ora file.

3. Check that you have specified the keystore destination directory correctly in the statement being executed to create the keystore.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'C:\APP\ORACLE\ADMIN\WALLET\SALMAN12C' IDENTIFIED BY salman12;
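The three checks above, plus the existing-ewallet.p12 condition behind ORA-46630, can be run as a pre-flight before the statement is executed. This is an added example, not part of the original post or Oracle tooling; the function names are hypothetical and the sqlnet.ora text is a constructed sample based on step 1.

```python
import ntpath
import os
import re

# Constructed sample: the sqlnet.ora entry from step 1 (assumed file content).
SAMPLE_SQLNET = r"""
ENCRYPTION_WALLET_LOCATION=
   (SOURCE=
   (METHOD=FILE)(METHOD_DATA=(DIRECTORY=C:\APP\ORACLE\ADMIN\WALLET\SALMAN12C))
   )
"""

def wallet_directory(sqlnet_text):
    """Return the DIRECTORY value of ENCRYPTION_WALLET_LOCATION, or None."""
    body = "\n".join(l for l in sqlnet_text.splitlines()
                     if not l.lstrip().startswith("#"))  # drop comment lines
    m = re.search(r"ENCRYPTION_WALLET_LOCATION\s*=.*?\(\s*DIRECTORY\s*=\s*([^)]+?)\s*\)",
                  body, re.I | re.S)
    return m.group(1) if m else None

def statement_path(sql):
    """Return the quoted path of a CREATE KEYSTORE statement, or None."""
    m = re.search(r"CREATE\s+KEYSTORE\s+'([^']+)'", sql, re.I)
    return m.group(1) if m else None

def same_windows_path(a, b):
    """Compare Windows paths ignoring case, slash style and trailing separators."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(p))
    return norm(a) == norm(b)

def preflight(sqlnet_text, sql, isdir=os.path.isdir, listdir=os.listdir):
    """Return a list of findings; an empty list means all checks passed."""
    configured, target = wallet_directory(sqlnet_text), statement_path(sql)
    if target is None:
        return ["no CREATE KEYSTORE '<path>' found in the statement"]
    findings = []
    if configured is None:
        findings.append("ENCRYPTION_WALLET_LOCATION is not set in sqlnet.ora")
    elif not same_windows_path(configured, target):
        findings.append(f"statement path {target} differs from sqlnet.ora {configured}")
    if not isdir(target):
        findings.append(f"{target} does not exist (expect ORA-46633)")
    elif any(n.lower() == "ewallet.p12" for n in listdir(target)):
        findings.append(f"{target} already holds ewallet.p12 (expect ORA-46630)")
    return findings

if __name__ == "__main__":
    stmt = (r"ADMINISTER KEY MANAGEMENT CREATE KEYSTORE "
            r"'C:\APP\ORACLE\ADMIN\WALLET\SALMAN12C\WALLET' IDENTIFIED BY placeholder_pw;")
    for finding in preflight(SAMPLE_SQLNET, stmt):
        print(finding)
```

Run it on the database server itself so that the directory checks see the same filesystem the instance does.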

Wednesday, March 15, 2017

ORA-46658: keystore not open in the container

You may face this error when the database needs to access the keystore and the keystore is not open, for example, while changing the keystore password, or while creating/rotating the master encryption key. In the following example, I faced this error while creating the master encryption key.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY salman12 WITH BACKUP USING 'initial_backup' CONTAINER = ALL ;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY salman12 WITH BACKUP USING 'initial_backup' CONTAINER = ALL
*
ERROR at line 1:
ORA-46658: keystore not open in the container

This error means that the keystore is not open; it must be open before the master encryption key can be created. Open the keystore and re-execute the statement to create the master encryption key.
SQL> SELECT WRL_PARAMETER, STATUS, WALLET_TYPE FROM V$ENCRYPTION_WALLET;

WRL_PARAMETER                            STATUS                         WALLET_TYPE
---------------------------------------- ------------------------------ --------------------
C:\APP\ORACLE\ADMIN\SALMAN12C\WALLET     CLOSED                         UNKNOWN

SQL> administer key management set keystore open identified by salman12 container=all;

keystore altered.

SQL> SELECT WRL_PARAMETER, STATUS, WALLET_TYPE FROM V$ENCRYPTION_WALLET;

WRL_PARAMETER                            STATUS                         WALLET_TYPE
---------------------------------------- ------------------------------ --------------------
C:\APP\ORACLE\ADMIN\SALMAN12C\WALLET     OPEN_NO_MASTER_KEY             PASSWORD

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY salman12 WITH BACKUP USING 'initial_backup' CONTAINER = ALL ;

If you are using an auto-login (or local auto-login) keystore, you still need to open the password-based keystore before creating the master encryption key; in that scenario, you will receive ORA-28417 instead of ORA-46658.



Related Articles
TDE Related Error Messages

Thursday, March 2, 2017

ORA-28417: password-based keystore is not open

You may face this error when creating a master encryption key while using an auto-login (or local auto-login) keystore: the password-based keystore is still closed, and it must be open before you can create the master encryption key.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY salman12 WITH BACKUP USING 'initial_backup' CONTAINER = ALL ;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY salman12 WITH BACKUP USING 'initial_backup' CONTAINER = ALL
*
ERROR at line 1:
ORA-28417: password-based keystore is not open

Open the password-based keystore and create the master encryption key as follows:

SQL> administer key management set keystore open identified by salman12;

keystore altered.

-- Now create the master encryption key.

SQL> SELECT WRL_PARAMETER, STATUS, WALLET_TYPE FROM V$ENCRYPTION_WALLET;

WRL_PARAMETER                            STATUS                         WALLET_TYPE
---------------------------------------- ------------------------------ --------------------
C:\APP\ORACLE\ADMIN\SALMAN12C\WALLET     OPEN_NO_MASTER_KEY             PASSWORD

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY salman12 WITH BACKUP USING 'initial_backup' CONTAINER = ALL ;