Thursday, August 09, 2018

Swap Oracle DB Wallet Type between AUTOLOGIN and PASSWORD

Symptom:

The Oracle DB view v$encryption_wallet reports two wallet types: AUTOLOGIN and PASSWORD.
When your wallet type is AUTOLOGIN, you can't export or import the keys in the wallet for migration, so the wallet has to be swapped to PASSWORD before you export/import keys.

Solution:

NOTE: This process will cause an outage on the database, as you will have to close and re-open the instances and the wallet. (The steps below are based on a 12c DB.)

Shut down instance 2 of the database, if there is one.
SQL> select wrl_parameter, wallet_type from v$encryption_wallet;
WRL_PARAMETER
---------------------------------------------
WALLET_TYPE
--------------------------------------------------
/etc/oracle/wallets/TDE/TESTDB/
AUTOLOGIN
Shut down instance 1 of the database.
cd /etc/oracle/wallets/TDE/TESTDB/
mv cwallet.sso cwallet.sso.'DATE'
Start up instance 1 of the database.
SQL> select status, wallet_type from v$encryption_wallet;
STATUS
------------------------------------------------------------
WALLET_TYPE
--------------------------------------------------
CLOSED
UNKNOWN

SQL> administer key management set keystore open identified by "password";
SQL> select status, wallet_type from v$encryption_wallet;
STATUS
-------------------------------------------------
WALLET_TYPE
--------------------------------------
OPEN
PASSWORD

You can then export/import the keys at the PDB level.

To recreate the AUTOLOGIN wallet:
SQL> administer key management create auto_login keystore from keystore '/etc/oracle/wallets/TDE/TESTDB/' identified by "password";
Restart instance 2, if there is one.
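
The file-system step above (moving cwallet.sso aside while the instances are down), wrapped in guard checks, as an added example that is not part of the original post. It assumes the password keystore ewallet.p12 sits in the same directory as cwallet.sso; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the wallet
# directory holds ewallet.p12 (password keystore) beside cwallet.sso
# (auto-login keystore), and all instances are already shut down.
# Usage: park_autologin_wallet /etc/oracle/wallets/TDE/TESTDB/

# park_autologin_wallet DIR
# Renames DIR/cwallet.sso to DIR/cwallet.sso.<YYYYMMDDHHMMSS> and prints
# the new path. Refuses to act when ewallet.p12 is missing or empty,
# because the wallet could then not be opened by password after startup.
park_autologin_wallet() {
    dir=${1%/}
    sso="$dir/cwallet.sso"
    p12="$dir/ewallet.p12"

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    [ -s "$p12" ] || { echo "no password keystore in $dir" >&2; return 3; }
    [ -f "$sso" ] || { echo "no cwallet.sso in $dir" >&2; return 4; }

    dest="$sso.$(date +%Y%m%d%H%M%S)"
    ! [ -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 5; }

    mv "$sso" "$dest" || return 6
    printf '%s\n' "$dest"
}

# restore_autologin_wallet PARKED_FILE
# Rollback: moves a parked cwallet.sso.<stamp> back to cwallet.sso,
# but only when no cwallet.sso is present in the directory.
restore_autologin_wallet() {
    parked=$1
    target=${parked%.*}          # strip the .<stamp> suffix

    [ -f "$parked" ] || { echo "no such file: $parked" >&2; return 2; }
    ! [ -e "$target" ] || { echo "$target already exists" >&2; return 3; }
    mv "$parked" "$target"
}
```

The parked file still opens the wallet without a password, so it needs the same file permissions and handling as the live cwallet.sso.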
