PRGZ-3630 : Active master key ID not found in TDE wallet for database
Ingeniero informático, Oracle ACE, DBA y Arquitecto OCI, con más de 15 años de experiencia en plataformas Oracle. Certificado en OCI Certified Architect Professional y OCI Migration and Integration Certified Professional.
Este error que arroja el ZDM, puede ser por dos motivos:
A la hora de activar el TDE en origen se hizo de manera incompleta dejando sin informar la V$ENCRYPTION_KEYS.
Se perdió la wallet que había original y con ello las diferentes claves.
En este caso fue la segunda opción, el TDE se hizo correctamente pero se genero una nueva wallet y con ello se perdieron las claves de origen.
En este caso tuvimos suerte y había copia, con lo que solamente me toco mergear la wallet actual con la antigua y así tenemos una única wallet con todas las claves. Así que vamos al lío.
Lo primero que tenemos que hacer para mergear wallet es lo siguientes pasos:
Definimos una carpeta con el nombre XXXX donde tendremos una copia de la wallet actual.
Eliminamos el archivo ewallet.p12
Mergeamos
Primero vamos a ver que contiene la wallet original y la antigua mediante el comando mkstore, al igual que la v$encryption_keys
SQL> select key_id, keystore_type, origin from v$encryption_keys;
KEY_ID KEYSTORE_TYPE ORIGIN
------------------------------------------------------------------------------ ----------------- -----------------------------------------
ASRecEWh/k8yv8yEjmYY1cwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SOFTWARE KEYSTORE LOCAL
Información de la wallet original
SQL> ! pwd
/oracle/product/admin/XXXXX/wallet/tde
SQL> ! mkstore -wrl . -list
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.ASRecEWh/k8yv8yEjmYY1cwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.ASRecEWh/k8yv8yEjmYY1cwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
Información de la wallet anterior
SQL> ! mkstore -wrl old/ -list
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AcHeEplCEU/8v0rzp23jgQ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AQp4sqH4T08Ov8O9qS+tMiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AWLLoFvQq0/Cv5zuPFF5CcMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AcHeEplCEU/8v0rzp23jgQ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AQp4sqH4T08Ov8O9qS+tMiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AWLLoFvQq0/Cv5zuPFF5CcMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
La nueva wallet tendrá que tener las claves anteriores. Mergeamos las claves desde sqlplus
SQL> ADMINISTER KEY MANAGEMENT MERGE
KEYSTORE '/oracle/product/admin/XXXXX/wallet/tde/original' IDENTIFIED BY "XXXXXXX" AND
KEYSTORE '/oracle/product/admin/XXXXX/wallet/tde/tde/old' IDENTIFIED BY "XXXXXXX"
INTO NEW KEYSTORE '/oracle/product/admin/XXXXX/wallet/tde' IDENTIFIED BY "XXXXXXX";
Listo, consultamos la nueva wallet para verificar que tiene las claves de ambas wallet
SQL> !mkstore -wrl . -list
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AcHeEplCEU/8v0rzp23jgQ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AQp4sqH4T08Ov8O9qS+tMiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.ASRecEWh/k8yv8yEjmYY1cwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AWLLoFvQq0/Cv5zuPFF5CcMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AcHeEplCEU/8v0rzp23jgQ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AQp4sqH4T08Ov8O9qS+tMiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.ASRecEWh/k8yv8yEjmYY1cwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AWLLoFvQq0/Cv5zuPFF5CcMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Consultamos de nuevo la vista v$encryption_keys
SQL> select key_id, keystore_type, origin from v$encryption_keys;
KEY_ID KEYSTORE_TYPE ORIGIN
------------------------------------------------------------------------------ ----------------- -----------------------------------------
AQp4sqH4T08Ov8O9qS+tMiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SOFTWARE KEYSTORE LOCAL
AcHeEplCEU/8v0rzp23jgQ4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA SOFTWARE KEYSTORE LOCAL
AWLLoFvQq0/Cv5zuPFF5CcMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SOFTWARE KEYSTORE LOCAL
ASRecEWh/k8yv8yEjmYY1cwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SOFTWARE KEYSTORE LOCAL
Listo, ya podemos continuar usando ZDM. ¡Espero que os sirva!
![[26ai] Limpieza de objetos obsoletos en desuso](/_next/image?url=https%3A%2F%2Fcdn.hashnode.com%2Fuploads%2Fcovers%2F65605419d28f19cc44df7ef1%2F93181086-1008-4184-8454-33b7367ebedb.png&w=3840&q=75)
![[26ai] Hybrid Read-Only Mode PDB](/_next/image?url=https%3A%2F%2Fcdn.hashnode.com%2Fuploads%2Fcovers%2F65605419d28f19cc44df7ef1%2Fde208bd2-5e24-4fd3-acf7-8e5394d95283.png&w=3840&q=75)
![[26ai] ALERT_LOG_MAX_SIZE](/_next/image?url=https%3A%2F%2Fcdn.hashnode.com%2Fuploads%2Fcovers%2F65605419d28f19cc44df7ef1%2Fcbb365d0-4428-4a41-930d-516ce59e3355.jpg&w=3840&q=75)
![[26ai] ConnStr Tool](/_next/image?url=https%3A%2F%2Fcdn.hashnode.com%2Fuploads%2Fcovers%2F65605419d28f19cc44df7ef1%2F5005f06e-946c-49ba-bfe8-7fe18d1075d9.png&w=3840&q=75)
![[26ai] Instalación de Oracle26ai en Linux 9](/_next/image?url=https%3A%2F%2Fcdn.hashnode.com%2Fuploads%2Fcovers%2F65605419d28f19cc44df7ef1%2Fd9a6ba10-eb2d-4fee-8a0c-f4957cbdc676.png&w=3840&q=75)