TDE misconfigured and ORA-28353: failed to open wallet

This entry was posted in Oracle Oracle 19c Oracle 23ai Security TDE on by

I did script the TDE wallet configuration for my client.

  • Script 1 – Set the static parameters TABLESPACE_ENCRYPTION and WALLET_ROOT in the spfile.
  • Script 2 – Restart the database
  • Script 3 – Create the wallet, open the wallet, set the Masterkey, create the autologin wallet.

When running this 3rd script on a database it failed on the second command:

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY  "wallet_password";
keystore altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password"
*
ERROR at line 1:
ORA-28353: failed to open wallet
(more…)

Recover missing Masterkey – the famous ORA-28374

This entry was posted in Oracle Oracle 19c Oracle 23ai Security on by

The client plugged a non-encrypted PDB into a CDB with TDE Encryption Wallet enabled. All works fine, we can read the data. However when trying to create a tablespace we get:

CDB1 SQL> create tablespace TBS_NEW;
Error starting at line : 1 in command -
create tablespace t1
Error report -
ORA-28374: typed master key not found in wallet
28374. 0000 -  "typed master key not found in wallet"
*Cause:    You attempted to access encrypted tablespace or redo logs with a typed master key not existing in the wallet.
*Action:   Copy the correct Oracle Wallet from the instance where the tablespace was created.

What is wrong?

(more…)

Encrypt the whole Oracle database online with TDE

This entry was posted in Oracle Oracle 19c Security on by

Some programs are part of Oracle ISV – Independent Software Vendors – program and include various types of Oracle licenses. This allows to install the application database in various Oracle configurations. At my customer, the software includes Advance Security Option Oracle license. This was the reason we decided, even before moving to the cloud, to encrypt the database.

Here is a summary on how to perform full online encryption (TDE) of a database. The process is quite simple, but there are known surprises you might want to avoid.

(more…)

Configuring Hybrid Dataguard and have standby on OCI without the need of advanced security license

This entry was posted in Cloud DataGuard OCI Oracle Security and tagged OCI tde on by

Hybrid Dataguard is a relatively new 19c feature that allows to have one side of a Dataguard configuration not encrypted. This is particularly useful when having a primary on premises and standby on a OCI, where tablespaces need to be encrypted. The main point is that it allows to spare a Advanced Security licenses on premises site.

Usages of Hybrid Dataguard can be during migration to the cloud or just as a high availability solution, when we have a small on-premises data center.

In the tutorial below I assume to have a primary database on premises without TDE, a we will create a standby in OCI with encryption enabled. The connection between on-premises and OCI is already configured and not explained.

(more…)

Oracle TDE – the basic information you need to know when encrypting the whole database

This entry was posted in Cloud Engineering Systems ExaCC Exadata OCI Oracle Oracle 19c and tagged OCI oracle 19c tde on by

TDE – Transparent Data Encryption – is the Oracle solution for protecting data at rest. This refers, protecting data that is stored in one file or one disk. This data will be encrypted. Only after the database is open and the wallet password is given, you can query the data and see it.

Recently I’ve been working more with ExaCC and migrating databases from on-premises to the Cloud. Took quite some days to get into TDE and sometimes confusing terms used in the documentation and on the web.

This post summarizes all the concepts to have in mind when working with Oracle encrypted databases, which is the default in the Cloud and Exadata systems.

(more…)

DataGuard in RAC and redo apply performance in consolidated environments

This entry was posted in DataGuard Oracle 19c on by

My customer has five standby databases in the same 2-node RAC cluster. Today, after an ASM data diskgroup full, several databases had to recover quite some archivelogs.

The load on the first node immediately went to the roof when I restarted the redo apply, after adding space to the diskgroup.

This because, by default, the redo apply starts on the first available instance of the RAC cluster, which in this case was the first instance for all DBs.

Two things I learned:

(more…)

Commvault backup timeout and too many objects in Oracle recycle bin

This entry was posted in Oracle on by

Since a few weeks there was an error during backups of one of my clients databases. They use Commvault to trigger the backups.

In the background, for some reason, Commvault asks the primary instance for some information about the free space in the tablespaces, using the following query:

SELECT 'D,' || c.NAME || ':' || t.NAME || ':' || c.dbId  || ',' || d.STATUS || ',' || d.ENABLED || ',' || TO_CHAR(d.BYTES) || ',' || TO_CHAR(d.BYTES - NVL(ff.fbytes,0)) || ',' || TRIM(' ' FROM d.NAME) || ',' || TRIM(' ' FROM d.FILE#) AS PDB_TS_DF 
FROM v$datafile d, v$tablespace t, v$CONTAINERS c, (SELECT f.CON_ID CON_ID, f.file_id file_id, SUM(f.bytes) fbytes FROM CDB_FREE_SPACE f GROUP BY f.file_id,f.CON_ID) ff 
WHERE c.CON_ID = d.CON_ID and d.CON_ID = t.CON_ID and d.TS#=t.TS# AND ff.file_id (+)= d.FILE#  
ORDER BY PDB_TS_DF;

The important part is this one:

(more…)

New mandatory unified audit policy on 19.26

This entry was posted in Audit Oracle Oracle 19c Oracle 23ai on by

This feature was just backported from Oracle 23ai. The new ORA$MANDATORY audit policy was added with the Oracle 19.26 RU. This policy is not visible at UNIFIED_AUDIT_POLICIES or AUDIT_UNIFIED_ENABLED_POLICIES.

After patching the database to 19.26, then you see entries on UNIFIED_AUDIT_TRAIL:

SYS@CDB2.CDB$ROOT> select EVENT_TIMESTMAP, SYSTEM_PRIVILEGE_USED, ACTION_NAME 
from UNIFIED_AUDIT_TRAIL 
where UNIFIED_AUDIT_POLICIES='ORA$MANDATORY' 
order by EVENT_TIMESTMAP;

                  EVENT_TIMESTAMP     SYSTEM_PRIVILEGE_USED       ACTION_NAME
_________________________________ _________________________ _________________
02-FEB-2025 21:54:56.192982000    SYSDBA                    LOGON
02-FEB-2025 21:54:56.216549000    SYSDBA                    SELECT
02-FEB-2025 21:55:00.381577000    SYSDBA, ALTER DATABASE    ALTER DATABASE
02-FEB-2025 21:55:00.393882000    SYSDBA                    LOGOFF
...

The actions that are audited by ORA$MANDATORY policy are described on Oracle 23ai documentation.

What I find interesting, is that the “ALTER DATABASE MOUNT” during startup is audited, so we can have a good history of database startups.

(more…)

How to change Goldengate Adminclient default editor permanently

This entry was posted in GoldenGate on by

Goldengate Microservices architecture replaced the “ggsci” tool with “adminclient”. This new client has few limitations and does not work well with “rlwrap” – my favorite tool to have history between sessions.

The Adminclient provides some options you can easily change after starting the tool:

$ ./adminclient
...
OGG (not connected) 1> show
Current directory: /home/oracle
COLOR            : OFF
DEBUG            : OFF
EDITOR           : vi
PAGER            : more
VERBOSE          : OFF

OGG (not connected) 2> set color ON
OGG (not connected) 3> set pager less

OGG (not connected) 4> show

Current directory: /home/oracle
COLOR            : ON
DEBUG            : OFF
EDITOR           : vi
PAGER            : less
VERBOSE          : OFF

However to keep the settings across sessions it is not very straight forward. The way to do it is to set variables:

$ export ADMINCLIENT_COLOR=ON  # ON, OFF in uppercase!

And ADMINCLIENT_DEBUG and ADMINCLIENT_VERBOSE for DEBUG and VERBOSE respectively

For the editor and pager, the variables are simply:

export EDITOR=nano
export PAGER=less

Attention that the variable EDITOR is used also by other clients, like sqlplus “edit” command.

So the way I do it, is to set everything within an alias:

alias gg="cd $OGG_HOME/bin; EDITOR=nano PAGER=less ADMINCLIENT_COLOR=ON $RLWRAP ./adminclient ; cd -"

And inside .bash_profile or something that sets the environment:

RLWRAP="$(command -v rlwrap)" && RLWRAP="${RLWRAP} -c"

export OGG_HOME="/u00/app/oracle/product/ogg/21.15"
alias gg="cd $OGG_HOME/bin; EDITOR=nano PAGER=less ADMINCLIENT_COLOR=ON $RLWRAP ./adminclient ; cd -"