Having a reliable backup solution for your Transparent Data Encryption (TDE) or Enterprise User Security (EUS) Wallets, is beyond discussion. Nevertheless it can happen that you lose or corrupt the Oracle Wallet. With Transparent Data Encryption (TDE), this is really bad luck, because you can not access your encrypted data. Losing an EUS wallet is on the other side not really an issue. You can remove the database from your EUS LDAP directory (Oracle Unified Directory OUD or Oracle Internet Directory OID) and re-register the database. Although this is the fastest solution, it has some constraints. Un-register and re-register the database, means losing the EUS mappings. Alternatively you can manually create a new empty Oracle Wallet and reset the Database password using dbca.
Ok, first lets create a new empty wallet using mkstore:
oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -create Oracle Secret Store Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Enter password: Enter password again:
Alternatively you can use orapki to create an empty wallet. orapki is easier to use in scripts and supports auto login local wallets with -auto_login_local:
oracle@urania:/u00/app/oracle/ [TDB11A] orapki wallet create -wallet $ORACLE_BASE/admin/TDB11A/wallet/ -pwd <password> -auto_login Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Create an entry for the Database distinguished names (DN). This step is somehow necessary because dbca -regenerateDBPassword just creates the password entry but no new dn entry:
oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -createEntry ORACLE.SECURITY.DN cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org Oracle Secret Store Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Enter wallet password:
Create an entry for the database password:
oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -createEntry ORACLE.SECURITY.PASSWORD manager Oracle Secret Store Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Enter wallet password:
Recreate the database registration password using dbca:
oracle@urania:/u00/app/oracle/ [TDB11A] dbca -silent -configureDatabase -sourceDB TDB11A \ > -sysDBAUserName sys -sysDBAPassword </password><password> \ > -regenerateDBPassword true \ > -dirServiceUserName cn=orcladmin -dirServicePassword </password><password> \ > -walletPassword </password><password> Preparing to Configure Database 6% complete 13% complete 66% complete Completing Database Configuration 100% complete Look at the log file "/u00/app/oracle/cfgtoollogs/dbca/TDB11A_SITE1/TDB11A11.log" for further details.
Verify the new password in the Oracle Wallet:
oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -viewEntry ORACLE.SECURITY.PASSWORD Oracle Secret Store Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Enter wallet password: ORACLE.SECURITY.PASSWORD = S6usUGSNb#P1
This password can now be used to verify the LDAP Bind with ldapsearch using the database DN and the password:
oracle@urania:/u00/app/oracle/ [TDB11A] ldapsearch -h localhost -p 1389 \ > -D 'cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org' -w S6usUGSNb#P1 \ > -b 'cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org' '(objectclass=*)' cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org orclVersion=102000 objectClass=top objectClass=orclContainer objectClass=orclDBSecConfig objectClass=orclDBSecConfig10i orclDBVersionCompatibility=90000 cn=OracleDBSecurity orclDBOIDAuthentication=PASSWORD ...
Or finally check login via SQLPlus as EUS user:
oracle@urania:/u00/app/oracle/ [TDB11A] sqh SQL*Plus: Release 11.2.0.4.0 Production on Wed Sep 14 10:22:28 2016 Copyright (c) 1982, 2013, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production With the Partitioning, Oracle Label Security, OLAP, Data Mining, Oracle Database Vault and Real Application Testing options SQL> conn soe Enter password: Connected. SQL> @sousrinf Database Information -------------------- - DB_NAME : TDB11A - DB_DOMAIN : postgasse.org - INSTANCE : 1 - INSTANCE_NAME : TDB11A - SERVER_HOST : urania - Authentification Information ---------------------------- - SESSION_USER : EUS_USER - PROXY_USER : - AUTHENTICATION_METHOD : PASSWORD - IDENTIFICATION_TYPE : GLOBAL SHARED - NETWORK_PROTOCOL : - OS_USER : oracle - AUTHENTICATED_IDENTITY: SOE - ENTERPRISE_IDENTITY : cn=soe,cn=People,dc=postgasse,dc=org - Other Information ----------------- - ISDBA : FALSE - CLIENT_INFO : - PROGRAM : sqlplus@urania.postgasse.org (TNS V1-V3) - MODULE : SQL*Plus - IP_ADDRESS : - SID : 410 - SERIAL# : 925 - SERVER : DEDICATED - TERMINAL : pts/2 PL/SQL procedure successfully completed.
Depending on your Oracle Directory it may happen, that you run into ORA-28030. This can happen, if you password profile on the directory server has Reset Password on Next Login defined. To work around this issue you have to temporarily disable Reset Password on Next Login in the password profile. This issue is also discussed in the MOS Note 558119.1 ORA-28030 After Regenerating Wallet Password Using dbca.