I did script the TDE wallet configuration for my client.
- Script 1 – Set the static parameters TABLESPACE_ENCRYPTION and WALLET_ROOT in the spfile.
- Script 2 – Restart the database
- Script 3 – Create the wallet, open the wallet, set the Masterkey, create the autologin wallet.
When running this 3rd script on a database it failed on the second command:
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "wallet_password";
keystore altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password"
*
ERROR at line 1:
ORA-28353: failed to open wallet
What the heck! The file was correctly created, at the right location (meaning that the WALLET_ROOT is correct):
SQL> ! ls -l /u00/app/oracle/wallet_root/tde/
total 4
-rw-------. 1 oracle dba 2553 Aug 25 18:07 ewallet.p12
In the alert log the messages are unhelpful:
2025-08-25T18:07:34.499182+02:00
KZTDE: Attempting TDE operation in PDB#=1: ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY *
2025-08-25T18:07:44.104699+02:00
KZTDE: Attempting TDE operation in PDB#=1: ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY *
There is a trace file created with the following:
KZTDE:kztsmOpenWallet: Keystore Open failed with error 28771
But ORA-28771 is something else:
$ oerr ORA 28771
28771, 00000, "Data source not yet initialized."
Google and MOS do not have any information. The problem is on the user (me!): I did not set the TDE_CONFIGURATION parameter!
SQL> alter system set tde_configuration='KEYSTORE_CONFIGURATION=FILE';
System altered.
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "wallet_password";
keystore altered.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";
keystore altered.
Sometimes I wish Oracle error messages were a bit clearer.
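
A pre-flight check that could sit at the top of Script 3, so a missing parameter stops the run with a readable message before any keystore is created. This is an added example, not the script from this post; it assumes SQL*Plus connected as SYSDBA, and the helper name `param` and the error numbers -20001/-20002 are arbitrary choices.

```sql
-- Added example: abort Script 3 early if the TDE parameters are not in place.
-- Assumes SQL*Plus as SYSDBA; "param" and the -2000x numbers are illustrative.
WHENEVER SQLERROR EXIT FAILURE
SET SERVEROUTPUT ON

DECLARE
  v_cfg VARCHAR2(4000);

  -- Return the current value of an instance parameter, or NULL if it is
  -- unset or does not exist in this release.
  FUNCTION param(p_name IN VARCHAR2) RETURN VARCHAR2 IS
    v_value VARCHAR2(4000);
  BEGIN
    SELECT value INTO v_value FROM v$parameter WHERE name = p_name;
    RETURN v_value;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN NULL;
  END param;
BEGIN
  -- WALLET_ROOT is static: it only shows up here after the restart (Script 2).
  IF param('wallet_root') IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001,
      'WALLET_ROOT is not set: set it in the spfile and restart first');
  END IF;

  -- The missing piece in this post: without TDE_CONFIGURATION the keystore
  -- file is created but SET KEYSTORE OPEN fails with ORA-28353.
  -- The check looks for the file keystore configuration used above.
  v_cfg := UPPER(REPLACE(param('tde_configuration'), ' '));
  IF v_cfg IS NULL OR v_cfg NOT LIKE '%KEYSTORE_CONFIGURATION=FILE%' THEN
    RAISE_APPLICATION_ERROR(-20002,
      'TDE_CONFIGURATION is not set to KEYSTORE_CONFIGURATION=FILE');
  END IF;

  -- Print what was found so the script log documents the configuration.
  DBMS_OUTPUT.PUT_LINE('wallet_root           = ' || param('wallet_root'));
  DBMS_OUTPUT.PUT_LINE('tde_configuration     = ' || param('tde_configuration'));
  DBMS_OUTPUT.PUT_LINE('tablespace_encryption = ' ||
                       NVL(param('tablespace_encryption'), '(not set)'));
END;
/
```

With `WHENEVER SQLERROR EXIT FAILURE` in effect, a failed check ends the SQL*Plus session with a non-zero exit code, so a calling shell script can stop before the `ADMINISTER KEY MANAGEMENT` commands run.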