Issue:

The wallet status for a newly created PDB shows OPEN_NO_MASTER_KEY:

SQL> select * from v$encryption_wallet;

WRL_TYPE  WRL_PARAMETER                            STATUS              WALLET_TYPE  WALLET_ORDER  FULLY_BACKED_UP  CON_ID
--------  ---------------------------------------  ------------------  -----------  ------------  ---------------  ------
FILE      /u01/app/oracle/admin/ORCL/tde_wallet/   OPEN_NO_MASTER_KEY  AUTOLOGIN    SINGLE        UNDEFINED             0

Cause:

A newly created PDB has no master encryption key of its own yet. In a multitenant environment each PDB has its own master encryption key, and all of those keys are stored in the single keystore shared by every container, but a PDB's key is not created until one is explicitly set and activated. Until that happens the keystore reports OPEN_NO_MASTER_KEY for that container, and nothing in the PDB can be encrypted.

Solution:

After a new pluggable database is created, a master encryption key must be created and activated for it. Because SET KEY can only be run while the password-based keystore is open, the auto-login keystore (cwallet.sso) is set aside first and recreated at the end. Follow the steps below:

1. Verify the wallet status in the container database:
   SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

   Here the keystore is OPEN with WALLET_TYPE AUTOLOGIN, that is, cwallet.sso is in use. A new master key can only be set while the password-based keystore is open, so auto-login has to be disabled first. (On 12.2 and later the FORCE KEYSTORE clause of ADMINISTER KEY MANAGEMENT opens the password keystore over an auto-login one without touching the file; the move below is the approach for releases that lack it.)

2. Disable auto-login by moving cwallet.sso out of the TDE wallet directory.

   Example:
   $ cd /u01/app/oracle/admin/ORCL/tde_wallet
   $ mkdir bak_cwallet
   $ mv cwallet.sso bak_cwallet/

   Confirm that cwallet.sso is no longer in /u01/app/oracle/admin/ORCL/tde_wallet and that the password keystore (ewallet.p12) is still there. Keep the moved file until the procedure has completed: without it the instance cannot open the keystore on its own at startup, and encrypted tablespaces stay inaccessible until someone opens it by hand.

3. Close and reopen the wallet in the container database:
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE close;

   Verify the wallet status is CLOSED:
   SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

   Reopen the wallet with its password (WALLET_TYPE should now be PASSWORD):
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE open IDENTIFIED BY <wallet password>;

4. Switch to the newly created container (it must be open read/write), open the keystore there, and set the key:
   SQL> alter session set container=<new pdb name>;
   SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE open IDENTIFIED BY <wallet password>;
   SQL> administer key management set key identified by <wallet password> with backup;

   WITH BACKUP writes a copy of the keystore to the wallet directory before the new key is added. Keep that backup, and keep the wallet directory and its backups apart from the database files they protect: a backup set that holds both the keystore and the data it encrypts defeats the purpose of TDE.

   Verify the wallet status of the PDB, which should now be OPEN:
   SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

5. Switch back to the root container and recreate the auto-login keystore:
   SQL> alter session set container=CDB$ROOT;
   SQL> administer key management create AUTO_LOGIN keystore from keystore '<TDE Wallet Location>' identified by <wallet password>;

   This writes a new cwallet.sso, so the copy moved aside in step 2 is no longer needed. Restart the database for the change to take effect:
   SQL> shut immediate
   SQL> startup

   After the restart, the same query against v$encryption_wallet should report OPEN and AUTOLOGIN in both CDB$ROOT and the new PDB.
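The procedure above is easy to get half-way through by hand: if SET KEY fails after cwallet.sso has been moved, the instance is left without an auto-login keystore. The script below is an added example, not code from the original post, that runs the same steps in one go with a timestamped backup of cwallet.sso, fail-fast execution of the SQL part, and an automatic restore of the auto-login keystore if key activation fails. It assumes a local "/ as sysdba" bequeath connection (ORACLE_HOME and ORACLE_SID set), takes the wallet directory and PDB name as arguments, and reads the keystore password from a hypothetical TDE_KEYSTORE_PASSWORD environment variable so it never appears on a command line. The query against v$encryption_keys is an extra check not shown in the original steps; it confirms that a key was actually activated for the PDB.

```shell
#!/bin/bash
# Added example, not part of the original post: the PDB master-key procedure
# as one script. Assumptions: ORACLE_HOME/ORACLE_SID are set for a local
# "/ as sysdba" connection; the wallet directory and PDB name are arguments;
# the keystore password comes from the (hypothetical) TDE_KEYSTORE_PASSWORD
# environment variable, never from argv.
set -eu

# Step 2: move cwallet.sso into a timestamped backup subdirectory and confirm
# it is gone. Prints the backup directory. Returns 1 if the file was not there
# or is still there afterwards.
backup_autologin() {
    local wallet_dir=$1 ts=${2:-$(date +%Y%m%d%H%M%S)} bak
    bak="$wallet_dir/bak_cwallet_$ts"
    if [ ! -f "$wallet_dir/cwallet.sso" ]; then
        echo "no cwallet.sso in $wallet_dir (auto-login already disabled?)" >&2
        return 1
    fi
    mkdir -p "$bak"
    mv "$wallet_dir/cwallet.sso" "$bak/"
    [ ! -e "$wallet_dir/cwallet.sso" ] || return 1
    echo "$bak"
}

# Undo step 2: put the saved cwallet.sso back so the instance can still
# auto-open the keystore (and its encrypted tablespaces) at the next startup.
restore_autologin() {
    local wallet_dir=$1 bak=$2
    [ -f "$bak/cwallet.sso" ] || return 1
    mv "$bak/cwallet.sso" "$wallet_dir/cwallet.sso"
    [ -f "$wallet_dir/cwallet.sso" ]
}

# Steps 3-5 in a single SQL*Plus session. WHENEVER SQLERROR makes sqlplus exit
# non-zero at the first ORA- error, so a failed SET KEY stops the script before
# the auto-login keystore is recreated. The password is fed on stdin (heredoc),
# not on the sqlplus command line, so it does not show up in ps output.
activate_pdb_key() {
    local wallet_dir=$1 pdb=$2 pw=$3
    sqlplus -s / as sysdba <<EOF
WHENEVER SQLERROR EXIT FAILURE
SET FEEDBACK ON
-- step 3: close the (formerly auto-login) keystore, reopen it with the password
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "$pw";
SELECT status, wallet_type FROM v\$encryption_wallet;
-- step 4: open the keystore in the PDB, then create and activate its key
ALTER SESSION SET CONTAINER = $pdb;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "$pw";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "$pw" WITH BACKUP;
SELECT status, wallet_type FROM v\$encryption_wallet;
SELECT key_id, activation_time FROM v\$encryption_keys;
-- step 5: back in the root, recreate the auto-login keystore
ALTER SESSION SET CONTAINER = CDB\$ROOT;
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '$wallet_dir' IDENTIFIED BY "$pw";
EXIT
EOF
}

main() {
    local wallet_dir=$1 pdb=$2 bak
    : "${TDE_KEYSTORE_PASSWORD:?export the keystore password before running}"
    bak=$(backup_autologin "$wallet_dir")
    if activate_pdb_key "$wallet_dir" "$pdb" "$TDE_KEYSTORE_PASSWORD"; then
        echo "master key activated for $pdb; auto-login keystore recreated."
        echo "Restart the instance (SHUTDOWN IMMEDIATE / STARTUP) to finish."
    else
        echo "key activation failed; restoring $bak/cwallet.sso" >&2
        restore_autologin "$wallet_dir" "$bak"
        return 1
    fi
}

# Usage: TDE_KEYSTORE_PASSWORD=... ./activate_pdb_key.sh /u01/app/oracle/admin/ORCL/tde_wallet PDB1
if [ $# -eq 2 ]; then
    main "$@"
fi
```

The restart is deliberately left to the operator rather than scripted. A keystore password containing a double quote or a dollar sign would need escaping inside the heredoc before this script is used with it.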
