{"id":2185,"date":"2016-09-14T10:40:55","date_gmt":"2016-09-14T08:40:55","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=2185"},"modified":"2016-09-14T11:25:18","modified_gmt":"2016-09-14T09:25:18","slug":"losing-the-oracle-wallet-for-enterprise-user-security","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2016\/09\/losing-the-oracle-wallet-for-enterprise-user-security\/","title":{"rendered":"Losing the Oracle Wallet for Enterprise User Security"},"content":{"rendered":"<p>Having a reliable backup solution for your Transparent Data Encryption (TDE) or Enterprise User Security (EUS) wallets is beyond discussion. Nevertheless, it can happen that you lose or corrupt the Oracle Wallet. With Transparent Data Encryption (TDE) this is really bad luck, because you cannot access your encrypted data. Losing an EUS wallet, on the other hand, is not really an issue. You can remove the database from your EUS LDAP directory (Oracle Unified Directory, OUD, or Oracle Internet Directory, OID) and re-register the database. Although this is the fastest solution, it has some constraints: un-registering and re-registering the database means losing the EUS mappings. Alternatively, you can manually create a new empty Oracle Wallet and reset the database password using <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">dbca<\/code>.<\/p>\n<p>OK, first let's create a new empty wallet using <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">mkstore<\/code>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\noracle@urania:\/u00\/app\/oracle\/ [TDB11A] mkstore -wrl $ORACLE_BASE\/admin\/TDB11A\/wallet -create\nOracle Secret Store Tool : Version 11.2.0.4.0 - Production\nCopyright (c) 2004, 2013, Oracle and\/or its affiliates. 
All rights reserved.\n\nEnter password:               \n   \nEnter password again:               \n\n<\/pre>\n<p>Alternatively you can use <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">orapki<\/code> to create an empty wallet. <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">orapki<\/code> is easier to use in scripts and supports auto login local wallets with <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">-auto_login_local<\/code>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">oracle@urania:\/u00\/app\/oracle\/ [TDB11A] orapki wallet create -wallet $ORACLE_BASE\/admin\/TDB11A\/wallet\/ -pwd &lt;password&gt; -auto_login\nOracle PKI Tool : Version 11.2.0.4.0 - Production\nCopyright (c) 2004, 2013, Oracle and\/or its affiliates. All rights reserved.\n\n<\/pre>\n<p>Create an entry for the Database distinguished names (DN). This step is somehow necessary because <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">dbca -regenerateDBPassword<\/code> just creates the password entry but no new dn entry:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\noracle@urania:\/u00\/app\/oracle\/ [TDB11A] mkstore -wrl $ORACLE_BASE\/admin\/TDB11A\/wallet -createEntry ORACLE.SECURITY.DN cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org\nOracle Secret Store Tool : Version 11.2.0.4.0 - Production\nCopyright (c) 2004, 2013, Oracle and\/or its affiliates. All rights reserved.\n\nEnter wallet password:               \n\n<\/pre>\n<p>Create an entry for the database password:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\noracle@urania:\/u00\/app\/oracle\/ [TDB11A] mkstore -wrl $ORACLE_BASE\/admin\/TDB11A\/wallet -createEntry ORACLE.SECURITY.PASSWORD manager\nOracle Secret Store Tool : Version 11.2.0.4.0 - Production\nCopyright (c) 2004, 2013, Oracle and\/or its affiliates. 
All rights reserved.\n\nEnter wallet password:               \n   \n<\/pre>\n<p>Recreate the database registration password using <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">dbca<\/code>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\noracle@urania:\/u00\/app\/oracle\/ [TDB11A] dbca -silent -configureDatabase -sourceDB TDB11A \\\n&gt; -sysDBAUserName sys -sysDBAPassword &lt;password&gt; \\\n&gt; -regenerateDBPassword true \\\n&gt; -dirServiceUserName cn=orcladmin -dirServicePassword &lt;password&gt; \\\n&gt; -walletPassword &lt;password&gt;\nPreparing to Configure Database\n6% complete\n13% complete\n66% complete\nCompleting Database Configuration\n100% complete\nLook at the log file &quot;\/u00\/app\/oracle\/cfgtoollogs\/dbca\/TDB11A_SITE1\/TDB11A11.log&quot; for further details.\n<\/pre>\n<p>Verify the new password in the Oracle Wallet:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\noracle@urania:\/u00\/app\/oracle\/ [TDB11A] mkstore -wrl $ORACLE_BASE\/admin\/TDB11A\/wallet -viewEntry ORACLE.SECURITY.PASSWORD\nOracle Secret Store Tool : Version 11.2.0.4.0 - Production\nCopyright (c) 2004, 2013, Oracle and\/or its affiliates. 
All rights reserved.\n\nEnter wallet password:               \n   \nORACLE.SECURITY.PASSWORD = S6usUGSNb#P1\n<\/pre>\n<p>This password can now be used to verify the LDAP Bind with <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">ldapsearch<\/code> using the database DN and the password:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\noracle@urania:\/u00\/app\/oracle\/ [TDB11A] ldapsearch -h localhost -p 1389  \\\n&gt; -D &#039;cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org&#039; -w S6usUGSNb#P1 \\\n&gt; -b &#039;cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org&#039; &#039;(objectclass=*)&#039;\ncn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org\norclVersion=102000\nobjectClass=top\nobjectClass=orclContainer\nobjectClass=orclDBSecConfig\nobjectClass=orclDBSecConfig10i\norclDBVersionCompatibility=90000\ncn=OracleDBSecurity\norclDBOIDAuthentication=PASSWORD\n\n...\n<\/pre>\n<p>Or finally check login via SQLPlus as EUS user:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">\noracle@urania:\/u00\/app\/oracle\/ [TDB11A] sqh\n\nSQL*Plus: Release 11.2.0.4.0 Production on Wed Sep 14 10:22:28 2016\n\nCopyright (c) 1982, 2013, Oracle.  
All rights reserved.\n\n\nConnected to:\nOracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production\nWith the Partitioning, Oracle Label Security, OLAP, Data Mining,\nOracle Database Vault and Real Application Testing options\n\nSQL&gt; conn soe\nEnter password: \nConnected.\nSQL&gt; @sousrinf\nDatabase Information\n--------------------\n- DB_NAME\t\t: TDB11A\n- DB_DOMAIN\t\t: postgasse.org\n- INSTANCE\t\t: 1\n- INSTANCE_NAME \t: TDB11A\n- SERVER_HOST\t\t: urania\n-\nAuthentification Information\n----------------------------\n- SESSION_USER\t\t: EUS_USER\n- PROXY_USER\t\t:\n- AUTHENTICATION_METHOD : PASSWORD\n- IDENTIFICATION_TYPE\t: GLOBAL SHARED\n- NETWORK_PROTOCOL\t:\n- OS_USER\t\t: oracle\n- AUTHENTICATED_IDENTITY: SOE\n- ENTERPRISE_IDENTITY\t: cn=soe,cn=People,dc=postgasse,dc=org\n-\nOther Information\n-----------------\n- ISDBA \t\t: FALSE\n- CLIENT_INFO\t\t:\n- PROGRAM\t\t: sqlplus@urania.postgasse.org (TNS V1-V3)\n- MODULE\t\t: SQL*Plus\n- IP_ADDRESS\t\t:\n- SID\t\t\t: 410\n- SERIAL#\t\t: 925\n- SERVER\t\t: DEDICATED\n- TERMINAL\t\t: pts\/2\n\nPL\/SQL procedure successfully completed.<\/pre>\n<p>Depending on your Oracle directory, you may run into ORA-28030. This can happen if your password profile on the directory server has <em>Reset Password on Next Login<\/em> defined. To work around this issue, you have to temporarily disable <em>Reset Password on Next Login<\/em> in the password profile. This issue is also discussed in MOS Note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=558119.1\" target=\"_blank\">558119.1<\/a> <em>ORA-28030 After Regenerating Wallet Password Using dbca<\/em>.\n","protected":false},"excerpt":{"rendered":"<p>Having a reliable backup solution for your Transparent Data Encryption (TDE) or Enterprise User Security (EUS) Wallets, is beyond discussion. Nevertheless it can happen that you lose or corrupt the Oracle Wallet. 
With Transparent Data Encryption (TDE), this is really bad luck, because you can not access your encrypted data. Losing an EUS wallet is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[8,83,154,5,11],"tags":[148,111,90,146]}