Life, the Universe and Everything Oracle: March 2011

Monday, March 28, 2011

Encryption Wallet for TDE: can not change password

Today, I set up Transparent Data Encryption (TDE) on an 11gR2 test environment. The steps are well documented and not at all hard to do, so there was no problem in the initial setup:

1. Edit the sqlnet.ora file and include the following:
  ENCRYPTION_WALLET_LOCATION=
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
      (DIRECTORY=/home/oracle/app/oracle/product/11.2.0/dbhome_2/dbs)))

2. Create the encryption wallet from SQL*plus (sqlplus / as sysdba)
  SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY oracle;

3. Create a table with an encrypted column, or create an encrypted tablespace
  SQL> CREATE TABLE employees (name varchar2(30), salary number encrypt);
  SQL> CREATE TABLESPACE encrypted
  2 DATAFILE '/u01/oradata/encrypted01.dbf' SIZE 100M
  3 ENCRYPTION DEFAULT STORAGE (ENCRYPT);

This works fine, as expected. However, I would like to change the password for the wallet, as "oracle" isn't that strong a password after all...

Using Oracle Wallet manager (OWM) from the (Linux) command line, I try to open the wallet. It asks for the password, and the message OWM gives me after providing the password "oracle" is "The password is incorrect. Try again?". After retrying the password, I suddenly think about the double quotes that should enclose the password. Because I did not enclose the password, the actual password that got stored is ORACLE, and not oracle. This can be seen by trying the following in SQL*Plus:

  SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "oracle";
  alter system set encryption key identified by "oracle"
  * ERROR at line 1:
  ORA-28353: failed to open wallet

  SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "ORACLE";

  System altered

So, I should use ORACLE as a password for OWM. However, this too gives me the message "The password is incorrect. Try again?".

After searching for quite a while, I discovered that this message is NOT about the password being invalid as such, but more about the password not adhering to the password criteria for OWM:

I managed to change the password using orapki:

  orapki wallet change_pwd
    -wallet /home/oracle/app/oracle/product/11.2.0/dbhome_2/dbs
    -oldpwd ORACLE -newpwd Oracle.01

This statement returns without error and after that, the wallet can be maintained succesfully using OWM (with the new password). Should you provide a password that doesn't conform to the OWM standards, you will get an "PKI-01002: Invalid password." error from orapki. This is because of the NEW password. If you misspelled the old password, you would get "PKI-02003: Unable to load the wallet ...".

In OWM:

So, be carefull when choosing your password when creating the TDE wallet, because if it is not a strong enough password, you will not be able to open and maintain the wallet with OWM, which can lead to much confusion.

Monday, March 14, 2011

Oracle Easy Connect - no password in the commandline

When using Oracle's Easy Connect feature, I (re)discovered some strange behaviour. The easy connect does not always translate the easy connect string to the right connect descriptor.

I set up Easy Connect by modifying my sqlnet.ora file on the client. Modifying the line with the directory_path in it should be enough:

  names.directory_path = (TNSNAMES,EZCONNECT)

After that, I tried to connect using easy connect:

  sqlplus myuser@myhost:1521/myservice

This returned an ORA-12541 Error: "TNS:listener does not currently know of service requested in connect descriptor". At first, I looked this up in the sqlnet.log file to see what he was trying to do:

  Fatal NI connect error 12514, connecting to:
   (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=myhost)(CID=(PROGRAM=sqlplus@myclient)(HOST=myclient)(USER=myuser)))(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=1521)))

So, it just messes up the entire connect string and tries to connect to a service called "myhost". This all disappears when you connect using a password on the commandline:

  sqlplus myuser/mypassword@myhost:1521/myservice

According to the documentation, this should not be a problem, but when searching for this on Oracle support, I came across Note 274757.1, which states that without specifying a password, you must enclose the connect descriptor in double quotes (and depending on the OS escaping these with \):

  sqlplus myuser@"myhost:1521/myservice"

And after that, SQL*Plus asks for the password as expected. In this case, I think the documentation could use an update, specifying this behaviour...