Intro
We are living in a data era. Every organization invests a colossal sum of money to secure its IT infrastructure environment. Protecting data is really important because all businesses are now driven by analyzing data. Oracle came up with a technology called TDE to protect data from ransomware. TDE is part of the Oracle Advanced license feature. But in the cloud, it comes by default. Whatever database you create in the cloud should have TDE.
After creating a new 12.1 environment in the cloud we faced an issue while creating a tablespace.
Error :
When creating tablespace, tablespace creation failed due to ORA-28374.
SQL> create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m;
create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m
*
ERROR at line 1:
ORA-28374: typed master key not found in wallet
To get a better understanding of the issue, we reviewed the database and the alert log. This is what we found in the alert log.
2023-11-15T09:51:58.200799-05:00
create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m
2023-11-15T09:51:58.200863-05:00
Force tablespace TEST to be encrypted with AES128
ORA-28374 signalled during: create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m...
2023-11-15T10:00:09.981590-05:00
Solution :
We found the same issue in an Oracle MetaLink note:
OCI DB SYSTEM: Create tablespace error "ORA-28361: Master Key Not Yet Set" on migrated database (Doc ID 2716604.1).
Before making any changes to the wallet key, let's back up the wallet files (cwallet.sso and ewallet.p12) from ENCRYPTION_WALLET_LOCATION.
Get the key location:
SET LINESIZE 200
COLUMN wrl_parameter FORMAT A50
SELECT * FROM v$encryption_wallet;
How to back up the keys:
[oracle@local-host ~]$ cd /opt/oracle/dcs/commonstore/wallets/tde/CMITEST/
[oracle@local-host]$ ls -ltr
total 24
-rw------- 1 oracle oinstall 2555 Oct 12 11:36 ewallet_2023101215360517.p12
-rw------- 1 oracle oinstall 3995 Oct 12 11:37 ewallet_2023101215372466.p12
-rw------- 1 oracle oinstall 5467 Oct 12 11:37 ewallet.p12
-rw------- 1 oracle oinstall 5512 Oct 12 11:37 cwallet.sso
# Backup keys: copy the whole wallet directory from its parent directory
[oracle@local-host]$ cd ..
[oracle@local-host]$ cp -p -r CMITEST CMITEST_BKP
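The backup step above can be scripted so that the key change only proceeds once a verified copy of the wallet exists. This is an added example, not part of the original post or the Oracle note: backup_wallet is a hypothetical helper name, and requiring both ewallet.p12 and cwallet.sso is an assumption based on the directory listing shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper): copy a TDE wallet directory to a
# timestamped sibling directory and verify the copy byte for byte.
# Usage: backup_wallet /opt/oracle/dcs/commonstore/wallets/tde/CMITEST
# Prints the backup directory on success, returns non-zero on any failure.
backup_wallet() {
    src=${1%/}
    if [ ! -d "$src" ]; then
        echo "wallet directory not found: $src" >&2
        return 1
    fi
    # Assumption: both the password keystore and the auto-login keystore
    # must be present and non-empty before a backup counts as usable.
    for f in ewallet.p12 cwallet.sso; do
        if [ ! -s "$src/$f" ]; then
            echo "missing or empty: $src/$f" >&2
            return 1
        fi
    done
    dest="${src}_BKP_$(date +%Y%m%d%H%M%S)"
    if [ -e "$dest" ]; then
        echo "backup already exists: $dest" >&2
        return 1
    fi
    # Restrictive umask so nothing is group/world readable during the copy.
    ( umask 077 && cp -p -r "$src" "$dest" ) || return 1
    chmod 700 "$dest" || return 1
    # Verify every regular file, including the older ewallet_<timestamp>.p12.
    for path in "$src"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if ! cmp -s "$path" "$dest/$name"; then
            echo "verification failed for $name" >&2
            return 1
        fi
    done
    echo "$dest"
}
```

Run it as the oracle OS user before the ADMINISTER KEY MANAGEMENT step, and keep the printed directory until the new key is confirmed working.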
NOTE: keystore-password is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database deployment is created from the cloud console.
Log in to the database as sysdba and set keystore for the CDB using:
ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'rotate_key' FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING 'backup_key';
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'rotate_key' FORCE KEYSTORE IDENTIFIED BY Welcome123#_ WITH BACKUP USING 'backup_key';
keystore altered.
Now let's try to create the tablespace:
SQL> create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m;
Tablespace created.
Conclusion
In the Oracle cloud environment, TDE is available in the default configuration. Key management and rotation are critical when organizations host critical data in the cloud environment. In the next article, I will illustrate how you can configure TDE and back up the keys using Oracle Vault.