I did script the TDE wallet configuration for my client.<\/p>\n\n\n\n
TABLESPACE_ENCRYPTION <\/code>and WALLET_ROOT<\/code> in the spfile.<\/li>\n\n\n\n- Script 2 – Restart the database<\/li>\n\n\n\n
- Script 3 – Create the wallet, open the wallet, set the Masterkey, create the autologin wallet.<\/li>\n<\/ul>\n\n\n\n
When running this 3rd script on a database it failed on the second command:<\/p>\n\n\n
\nSQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "wallet_password";\nkeystore altered.\n\nSQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";\nADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password"\n*\nERROR at line 1:\nORA-28353: failed to open wallet\n<\/pre><\/div>\n\n\n\n\n\n\nWhat a heck! The file was correctly created, at the right location (meaning that the WALLET_ROOT is correct):<\/p>\n\n\n
\nSQL> ! ls -l \/u00\/app\/oracle\/wallet_root\/tde\/\ntotal 4\n-rw-------. 1 oracle dba 2553 Aug 25 18:07 ewallet.p12\n<\/pre><\/div>\n\n\nIn the alertlog the messages are helpless:<\/p>\n\n\n
\n2025-08-25T18:07:34.499182+02:00\nKZTDE: Attempting TDE operation in PDB#=1: ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY *\n2025-08-25T18:07:44.104699+02:00\nKZTDE: Attempting TDE operation in PDB#=1: ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY *\n<\/pre><\/div>\n\n\nThere is a trace file created with the following:<\/p>\n\n\n
\nKZTDE:kztsmOpenWallet: Keystore Open failed with error 28771\n<\/pre><\/div>\n\n\nBut ORA-28771 is something else:<\/p>\n\n\n
\n$ oerr ORA 28771\n28771, 00000, "Data source not yet initialized."\n<\/pre><\/div>\n\n\nGoogle and MOS do not have any information. The problem is on the user (me!): I did not set the TDE_CONFIGURATION <\/code>parameter! <\/p>\n\n\n\nSQL> alter system set tde_configuration='KEYSTORE_CONFIGURATION=FILE';\nSystem altered.\n\nSQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "wallet_password";\nkeystore altered.\n\nSQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";\nkeystore altered.\n<\/pre><\/div>\n\n\nSometimes I wished Oracle error messages were a bit clearer. <\/p>\n","protected":false},"excerpt":{"rendered":"
I did script the TDE wallet configuration for my client. When running this 3rd script on a database it failed on the second command:<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,39,81,9,86],"tags":[],"class_list":{"0":"post-1046","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-oracle","7":"category-oracle-19c","8":"category-oracle-23ai","9":"category-security","10":"category-tde","11":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/comments?post=1046"}],"version-history":[{"count":3,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1046\/revisions"}],"predecessor-version":[{"id":1049,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1046\/revisions\/1049"}],"wp:attachment":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/media?parent=1046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/categories?post=1046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/tags?post=1046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}