Having a reliable backup of your Transparent Data Encryption (TDE) or Enterprise User Security (EUS) wallets is beyond discussion. Nevertheless, it can happen that you lose or corrupt an Oracle wallet. With TDE this is really bad luck, because without the wallet you cannot access your encrypted data. Losing an EUS wallet is, by contrast, much less of a problem. You can remove the database from your EUS LDAP directory (Oracle Unified Directory OUD or Oracle Internet Directory OID) and re-register it. Although this is the fastest solution, it has a drawback: un-registering and re-registering the database means losing the EUS mappings. Alternatively you can manually create a new empty Oracle wallet and regenerate the database's directory registration password using dbca, which leaves the existing mappings untouched.
Ok, first let's create a new empty wallet using mkstore:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -create
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Alternatively you can use orapki to create an empty wallet. orapki is easier to use in scripts and supports auto-login local wallets with -auto_login_local (an auto-login wallet that can only be opened on the host where it was created). Keep in mind that -pwd on the command line exposes the wallet password in the process list and the shell history; if you omit -pwd, orapki prompts for the password interactively:

oracle@urania:/u00/app/oracle/ [TDB11A] orapki wallet create -wallet $ORACLE_BASE/admin/TDB11A/wallet/ -pwd <password> -auto_login
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Create an entry for the database distinguished name (DN). This step is necessary because dbca -regenerateDBPassword only creates the password entry, not a new DN entry:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -createEntry ORACLE.SECURITY.DN cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Create an entry for the database password. The value is only a placeholder so that the entry exists; dbca overwrites it in the next step:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -createEntry ORACLE.SECURITY.PASSWORD manager
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Recreate the database registration password using dbca:

oracle@urania:/u00/app/oracle/ [TDB11A] dbca -silent -configureDatabase -sourceDB TDB11A \
> -sysDBAUserName sys -sysDBAPassword <password> \
> -regenerateDBPassword true \
> -dirServiceUserName cn=orcladmin -dirServicePassword <password> \
> -walletPassword <password>
Preparing to Configure Database
6% complete
13% complete
66% complete
Completing Database Configuration
100% complete
Look at the log file "/u00/app/oracle/cfgtoollogs/dbca/TDB11A_SITE1/TDB11A11.log" for further details.
Verify the new password in the Oracle wallet:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
ORACLE.SECURITY.PASSWORD = S6usUGSNb#P1
This password can now be used to verify the LDAP bind with ldapsearch, using the database DN as bind DN and the password from the wallet. A successful search proves that the wallet and the directory are in sync again; an invalid credentials error means they are not. Note that -w puts the password into the process list and the shell history, and that a bind over the plain LDAP port sends it in clear text, so run this against localhost as shown here or over LDAPS:

oracle@urania:/u00/app/oracle/ [TDB11A] ldapsearch -h localhost -p 1389 \
> -D 'cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org' -w S6usUGSNb#P1 \
> -b 'cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org' '(objectclass=*)'
cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org
orclVersion=102000
objectClass=top
objectClass=orclContainer
objectClass=orclDBSecConfig
objectClass=orclDBSecConfig10i
orclDBVersionCompatibility=90000
cn=OracleDBSecurity
orclDBOIDAuthentication=PASSWORD
...
Or finally check the login via SQL*Plus as an EUS user:

oracle@urania:/u00/app/oracle/ [TDB11A] sqh
SQL*Plus: Release 11.2.0.4.0 Production on Wed Sep 14 10:22:28 2016
Copyright (c) 1982, 2013, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> conn soe
Enter password:
Connected.
SQL> @sousrinf
Database Information
--------------------
- DB_NAME : TDB11A
- DB_DOMAIN : postgasse.org
- INSTANCE : 1
- INSTANCE_NAME : TDB11A
- SERVER_HOST : urania
-
Authentification Information
----------------------------
- SESSION_USER : EUS_USER
- PROXY_USER :
- AUTHENTICATION_METHOD : PASSWORD
- IDENTIFICATION_TYPE : GLOBAL SHARED
- NETWORK_PROTOCOL :
- OS_USER : oracle
- AUTHENTICATED_IDENTITY: SOE
- ENTERPRISE_IDENTITY : cn=soe,cn=People,dc=postgasse,dc=org
-
Other Information
-----------------
- ISDBA : FALSE
- CLIENT_INFO :
- PROGRAM : sqlplus@urania.postgasse.org (TNS V1-V3)
- MODULE : SQL*Plus
- IP_ADDRESS :
- SID : 410
- SERIAL# : 925
- SERVER : DEDICATED
- TERMINAL : pts/2

PL/SQL procedure successfully completed.
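The bind check from the ldapsearch step, done without Oracle's directory client, as an added example that is not part of the original post: a minimal LDAPv3 simple bind (RFC 4511) encoded by hand, so it runs with the Python standard library only. Host localhost, port 1389 and the database DN are the values used above; the password is read with getpass instead of being passed as an argument, so it never lands in the shell history or process list. The BER messages the parser is exercised with are constructed sample bytes. A resultCode of 49 (invalidCredentials) is what you see when the password entry in the wallet no longer matches the one the directory holds for the database DN.

```python
import getpass
import socket
import sys

# LDAP resultCode values (RFC 4511) that matter for a bind check
RESULT_NAMES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value):
    """INTEGER in minimal two's-complement encoding (non-negative values only here)."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    simple_auth = _tlv(0x80, password.encode("utf-8"))            # AuthenticationChoice simple [0]
    bind_request = _tlv(0x60, _ber_int(3)                         # [APPLICATION 0] BindRequest
                        + _tlv(0x04, bind_dn.encode("utf-8"))
                        + simple_auth)
    return _tlv(0x30, _ber_int(message_id) + bind_request)        # outer LDAPMessage SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Decode LDAPMessage { messageID, bindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:                                            # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % op_tag)
    _, rc, pos = _read_tlv(op, 0)                                 # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)                          # LDAPDN matchedDN
    _, diag, _ = _read_tlv(op, pos)                               # LDAPString diagnosticMessage
    code = int.from_bytes(rc, "big")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": code, "result_name": RESULT_NAMES.get(code, "other"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("directory closed the connection")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage (tag, length, then the body)."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def check_bind(host, port, bind_dn, password, timeout=5.0):
    """Bind once as bind_dn over plain LDAP and return the decoded BindResponse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, bind_dn, password))
        return parse_bind_response(_recv_message(sock))


if __name__ == "__main__":
    dn = sys.argv[1] if len(sys.argv) > 1 else "cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org"
    res = check_bind("localhost", 1389, dn, getpass.getpass("ORACLE.SECURITY.PASSWORD from wallet: "))
    print("%s (%d) %s" % (res["result_name"], res["result_code"], res["diagnostic"]))
    sys.exit(0 if res["result_code"] == 0 else 1)
```

Run it as python3 <script> '<database DN>' on the database host (script name is your choice) and paste the value shown by mkstore -viewEntry at the prompt; exit status 0 means the directory accepted the bind. The bind is deliberately sent to localhost only, because a simple bind on the plain LDAP port carries the password in clear text.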
Depending on your Oracle directory you may run into ORA-28030. This happens if the password policy on the directory server has "Reset Password on Next Login" enabled: the password that dbca generates for the database DN is then flagged as expired, and the database cannot use it to look up EUS information. To work around this you have to temporarily disable "Reset Password on Next Login" in the password policy before running dbca -regenerateDBPassword. This issue is also discussed in MOS Note 558119.1 "ORA-28030 After Regenerating Wallet Password Using dbca".
Thank you for this! This is extremely helpful!
Is the manager password used in step 3 just a place holder until the dbca command regenerates the database password?
Hi
Yes, somehow. Instead of un- and re-registering the database in the directory, I just do a regenerate password. But regenerate password requires that a DN is already in the wallet. With -createEntry I just create the correct DN entry for the database with a dummy entry for the password. dbca -regenerateDBPassword will then set the correct password in the directory as well as in the wallet.
Cheers
Stefan
Great Post.
So, -regenerateDBPassword is generating the password on the database and pushing it to the directory?
How can we extend the length of password being generated?
Hi
No -regenerateDBPassword does not create a new password in the DB it rather creates a new password for the DB Service account in the directory. This service account is used by database when it looks up the EUS information in the directory. The account is in the directory and the credentials are stored in the Oracle wallet. Password length is controlled by the password profile in the LDAP directory respectively generated by DBCA.
Regards
Stefan
Hi Stefan, Is it possible to extend length of that password being generated? I mean ORACLE.SECURITY.PASSWORD value?