Monday, March 28, 2011

Encryption Wallet for TDE: can not change password

Today, I set up Transparent Data Encryption (TDE) on an 11gR2 test environment. The steps are well documented and not at all hard to do, so there was no problem in the initial setup:

1. Edit the sqlnet.ora file and include the following:
  ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
      (DIRECTORY=/home/oracle/app/oracle/product/11.2.0/dbhome_2/dbs)))


2. Create the encryption wallet from SQL*plus (sqlplus / as sysdba)
  SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY oracle;

3. Create a table with an encrypted column, or create an encrypted tablespace
  SQL> CREATE TABLE employees (name varchar2(30), salary number encrypt);
  SQL> CREATE TABLESPACE encrypted
  2 DATAFILE '/u01/oradata/encrypted01.dbf' SIZE 100M
  3 ENCRYPTION DEFAULT STORAGE (ENCRYPT);


This works fine, as expected. However, I would like to change the password for the wallet, as "oracle" isn't that strong a password after all...

Using Oracle Wallet Manager (OWM) from the (Linux) command line, I try to open the wallet. It asks for the password, and the message OWM gives me after providing the password "oracle" is "The password is incorrect. Try again?". After retrying the password, I suddenly think about the double quotes that should enclose the password. Because I did not enclose the password in double quotes, it was parsed as an identifier and folded to upper case: the actual password that got stored is ORACLE, not oracle. This can be seen by trying the following in SQL*Plus:

  SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle";
  alter system set encryption key identified by "oracle"
  *
  ERROR at line 1:
  ORA-28353: failed to open wallet

  SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "ORACLE";

  System altered


So, I should use ORACLE as a password for OWM. However, this too gives me the message "The password is incorrect. Try again?".



After searching for quite a while, I discovered that this message is NOT about the password being wrong as such, but about the password not meeting the password criteria that OWM enforces:

I managed to change the password using orapki:

  orapki wallet change_pwd
    -wallet /home/oracle/app/oracle/product/11.2.0/dbhome_2/dbs
    -oldpwd ORACLE -newpwd Oracle.01


This statement returns without error, and after that the wallet can be maintained successfully using OWM (with the new password). Should you provide a new password that doesn't conform to the OWM standards, orapki returns a "PKI-01002: Invalid password." error; this error refers to the NEW password. If you misspelled the old password, you would instead get "PKI-02003: Unable to load the wallet ...".

In OWM:



So, be careful when choosing your password when creating the TDE wallet: if it is not strong enough, you will not be able to open and maintain the wallet with OWM, which can lead to much confusion.
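The two pitfalls in this post (an unquoted IDENTIFIED BY value being upper-cased like any Oracle identifier, and OWM/orapki refusing passwords that do not meet the wallet password rule) are easy to check before the wallet is ever created. The following script is an added example, not part of the original post and not an Oracle tool: it derives the password Oracle would actually store from an ALTER SYSTEM ... IDENTIFIED BY statement and then checks it against Oracle's documented wallet password rule (at least 8 characters, alphabetic characters combined with digits or special characters). The function names, the regular expression and the sample statements are assumptions made for this example.

```python
import re
import string

# Oracle's documented wallet password rule: minimum 8 characters, with
# alphabetic characters combined with numbers or special characters.
# Weaker passwords are rejected by OWM and by orapki (PKI-01002).
MIN_LENGTH = 8

# Matches the value after IDENTIFIED BY: either a double-quoted string
# (with "" as an escaped quote) or an unquoted bare word.
_IDENT_BY = re.compile(
    r'IDENTIFIED\s+BY\s+("(?:[^"]|"")*"|\S+?)\s*;?\s*$',
    re.IGNORECASE,
)


def effective_password(sql_statement: str) -> str:
    """Return the password Oracle stores for an IDENTIFIED BY clause.

    An unquoted value is parsed as an identifier and folded to upper
    case (oracle -> ORACLE); a double-quoted value is kept verbatim.
    """
    match = _IDENT_BY.search(sql_statement)
    if not match:
        raise ValueError("no IDENTIFIED BY clause found")
    token = match.group(1)
    if token.startswith('"'):
        # Quoted: strip the quotes and un-double embedded quotes.
        return token[1:-1].replace('""', '"')
    # Unquoted: Oracle treats it as an identifier and upper-cases it.
    return token.upper()


def policy_violations(password: str) -> list:
    """List the reasons a wallet password would be rejected by OWM/orapki."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no alphabetic character")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("contains no digit or special character")
    return problems


def check_wallet_statement(sql_statement: str) -> dict:
    """Report what password is stored and whether OWM will accept it."""
    stored = effective_password(sql_statement)
    violations = policy_violations(stored)
    return {
        "stored_password": stored,
        "owm_accepts": not violations,
        "violations": violations,
    }


if __name__ == "__main__":
    # Constructed sample statements: the one from the post, and a
    # quoted variant that satisfies the wallet password rule.
    samples = [
        "ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY oracle;",
        'ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "oracle";',
        'ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Oracle.01";',
    ]
    for stmt in samples:
        report = check_wallet_statement(stmt)
        print(stmt)
        print("  stored as :", report["stored_password"])
        print("  OWM ok    :", report["owm_accepts"], report["violations"])
```

Running it against the statement from this post shows that `oracle` is stored as `ORACLE`, and that `ORACLE` would be rejected by OWM on two counts (too short, no digit or special character), which is exactly the confusing "The password is incorrect" behaviour described above. Quoting the value keeps its case, and a value such as `Oracle.01` passes the rule.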

2 comments:

  1. Thanks a lot. I got the same problem and troubleshot for half a day until I googled and found your findings.
    - John

  2. Thanks a lot. I got the same problem. Followed your instructions. Finally resolved.