ODA X8-2M crossrestore with TDE wallet fails with: DCS-10001:Internal error encountered: failed to open the tde password based wallet



  • We are trying to crossrestore a TDE encrypted Oracle Database 19.12 on a new ODA X8-2M. TDE wallet has been successfully backed up (odacli create-backup -in CDBET015 -c TDEWallet) and transferred to the new ODA to the filesystem (not ASM).

    [oracle@oda-host tdewallet]$ ls -ltr
    total 72
    -rwxrwxrwx 1 oracle oinstall  341 Feb 25 13:23 logfile.log
    -rwxrwxrwx 1 oracle oinstall 5835 Feb 25 13:23 ewallet_202202241425400934_CDBET015.p12
    

    Crossrestore with SBT-Tape was successful and RMAN completed the restore and the recovery. However the odacli register-database was not yet started. We tried to restore the wallet first, because it is not part of the rman crossrestore.

    odacli restore-tdewallet -in CDBET015 -tl /u01/NFS_TDE/backup/CDBET015/tdewallet/ewallet.p12
    

    The restore of the TDE wallet fails because the new ODA does not know the new database. The ODA needs to register the newly restored database first. This fails because it does not have the wallet.

    odacli register-database -c OLTP -s odb1 -sn CDBET015 -t SI -tp
    Enter SYS, SYSTEM and PDB Admin user password:
    Retype SYS, SYSTEM and PDB Admin user password:
    Enter TDE wallet password:
    Retype TDE wallet password:
    

    Job details:

    odacli describe-job   -i "7e60dc6f-0c69-4bb8-8205-bee6f6276b19"
    

    Job details

                     ID:  7e60dc6f-0c69-4bb8-8205-bee6f6276b19
            Description:  Database service registration with db service name: CDBET015
                 Status:  Failure
                Created:  February 25, 2022 4:04:21 PM CET
                Message:  DCS-10001:Internal error encountered: failed to open the tde password based wallet for database : CDBET015.ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN identified by ******** container=all
    

    ERROR at line 1:
    ORA-28367: wallet does not exist

    Task Name                              Start Time                        End Time                          Status
    database Service registration          February 25, 2022 4:04:22 PM CET  February 25, 2022 4:05:54 PM CET  Failure
    database Service registration          February 25, 2022 4:04:22 PM CET  February 25, 2022 4:05:54 PM CET  Failure
    TDE parameter validate at destination  February 25, 2022 4:04:22 PM CET  February 25, 2022 4:04:22 PM CET  Success
    Enable OMF parameters                  February 25, 2022 4:04:23 PM CET  February 25, 2022 4:04:23 PM CET  Success
    Setting db character set               February 25, 2022 4:04:23 PM CET  February 25, 2022 4:04:24 PM CET  Success
    Move Spfile to right location          February 25, 2022 4:04:24 PM CET  February 25, 2022 4:04:33 PM CET  Success
    Enable DbSizing Template               February 25, 2022 4:04:33 PM CET  February 25, 2022 4:05:32 PM CET  Success
    Copy Pwfile to Shared Storage          February 25, 2022 4:05:32 PM CET  February 25, 2022 4:05:39 PM CET  Success
    Add Startup Trigger to Open all PDBS   February 25, 2022 4:05:39 PM CET  February 25, 2022 4:05:40 PM CET  Success
    Running DataPatch                      February 25, 2022 4:05:40 PM CET  February 25, 2022 4:05:53 PM CET  Success
    configuring TDE                        February 25, 2022 4:05:53 PM CET  February 25, 2022 4:05:54 PM CET  Failure
    Opening wallet                         February 25, 2022 4:05:53 PM CET  February 25, 2022 4:05:54 PM CET  Failure

    How to make the wallet accessible to the database/ODA?



  • A workaround could be:

    alter system set wallet_root='/stage/backup/wallet/orabackups/etaxxxxx/database/3205039394/CDBET015/tdewallet/' scope=spfile;
    

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE open IDENTIFIED BY "xxxxx";

    keystore altered.

    SQL> administer key management set key identified by "xxxxx" with backup;

    keystore altered.

    SQL> administer key management create AUTO_LOGIN keystore from keystore '/stage/backup/wallet/orabackups/etaxxxxxc/database/3205039394/CDBET015/tdewallet/tde' identified by xxxxxxx;

    keystore altered.

    Startup force

    SQL> select * from v$encryption_wallet;

    WRL_TYPE  WRL_PARAMETER                                                                                 STATUS  WALLET_TYPE  WALLET_OR  KEYSTORE  FULLY_BAC  CON_ID
    FILE      /stage/backup/wallet/orabackups/etabonxadbs00-c/database/3205039394/CDBET015/tdewallet//tde/  OPEN    AUTOLOGIN    SINGLE     NONE      NO         1
    FILE                                                                                                    OPEN    AUTOLOGIN    SINGLE     UNITED    NO         2
    FILE                                                                                                    OPEN    AUTOLOGIN    SINGLE     UNITED    NO         3

    odacli register-database -c OLTP -s odb1 -sn CDBET015 -t SI -tp
    Enter SYS, SYSTEM and PDB Admin user password:
    Retype SYS, SYSTEM and PDB Admin user password:
    Enter TDE wallet password:
    Retype TDE wallet password:

    odacli describe-job "110a5246-f239-4fab-aad2-c001ae68c2e7"

    Job details

                     ID:  110a5246-f239-4fab-aad2-c001ae68c2e7
            Description:  Database service registration with db service name: CDBET015
                 Status:  Success
                Created:  March 2, 2022 12:01:50 PM CET
                Message:
    

    Task Name                              Start Time                     End Time                       Status
    TDE parameter validate at destination  March 2, 2022 12:01:55 PM CET  March 2, 2022 12:01:55 PM CET  Success
    Enable OMF parameters                  March 2, 2022 12:01:56 PM CET  March 2, 2022 12:01:56 PM CET  Success
    Setting db character set               March 2, 2022 12:01:56 PM CET  March 2, 2022 12:01:56 PM CET  Success
    Move Spfile to right location          March 2, 2022 12:01:56 PM CET  March 2, 2022 12:02:05 PM CET  Success
    Enable DbSizing Template               March 2, 2022 12:02:05 PM CET  March 2, 2022 12:02:08 PM CET  Success
    Copy Pwfile to Shared Storage          March 2, 2022 12:02:08 PM CET  March 2, 2022 12:02:09 PM CET  Success
    Add Startup Trigger to Open all PDBS   March 2, 2022 12:02:09 PM CET  March 2, 2022 12:02:10 PM CET  Success
    Running DataPatch                      March 2, 2022 12:02:10 PM CET  March 2, 2022 12:02:23 PM CET  Success
    configuring TDE                        March 2, 2022 12:02:23 PM CET  March 2, 2022 12:02:25 PM CET  Success
    Reset Associated Networks              March 2, 2022 12:02:26 PM CET  March 2, 2022 12:02:28 PM CET  Success

    However this causes the TDE Wallet Management to be "EXTERNAL".

    odacli describe-database -in CDBET015
    …
      TDE Wallet Management: EXTERNAL
                TDE Enabled: true
    …
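
A pre-flight check for the staged wallet directory, run before `odacli restore-tdewallet` or before pointing `wallet_root` at it (an added example, not part of the posts above and not Oracle tooling). It verifies that the exact path being handed over exists, lists the keystore files actually present when it does not, and flags keystores accessible to group or others, as the `-rwxrwxrwx` files in the first listing are; the function name, the output labels and the owner-only expectation are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for a staged TDE wallet backup.
# Function name and output labels are made up for this example.

# check_wallet_path PATH
#   PATH is the file or directory about to be handed to odacli or wallet_root.
#   Prints one finding per line; returns 0 when clean, 1 otherwise.
check_wallet_path() {
    local target=$1 dir f mode findings=0

    if [ -d "$target" ]; then dir=$target; else dir=$(dirname -- "$target"); fi

    # 1. The exact path must exist. If it does not, list the keystore files
    #    that are actually in that directory so a name mismatch is obvious.
    if [ ! -e "$target" ]; then
        echo "MISSING: $target"
        findings=$((findings + 1))
        for f in "$dir"/ewallet*.p12; do
            [ ! -f "$f" ] || echo "CANDIDATE: $f"
        done
    fi

    # 2. Password-protected (ewallet*.p12) and auto-login (cwallet.sso)
    #    keystores should be accessible to their owner only (assumption:
    #    owner-only, e.g. 0600, is the intended mode).
    for f in "$dir"/ewallet*.p12 "$dir"/cwallet.sso; do
        [ -f "$f" ] || continue
        # First 10 characters of ls -l: file type plus rwx bits.
        mode=$(ls -ld -- "$f" | cut -c1-10)
        case $mode in
            ????------) ;;                      # no group/other bits set
            *) echo "LOOSE_PERMS: $f ($mode)"
               findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Run against a path given on the command line, if any.
if [ $# -gt 0 ]; then check_wallet_path "$1"; fi
```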
    


