Bug: trouble with pipe character in Oracle TDE keystore password

by Brian Fitzgerald

Introduction

Using the pipe character (“|”) in an Oracle TDE keystore password leaves the keystore in an unrecoverable state: the new password does not open it, and the old password can no longer be set back. This, apparently, is an Oracle bug.

Demonstration

Version 19.22.0.0.0 on Linux. First:

administer key management 
alter keystore password 
force keystore 
identified by "asdf1234WXYZ$" 
set "qwer5678|" with backup;

keystore altered.

Next, try to use the password:

administer key management 
set keystore open force keystore 
identified by "qwer5678|";
*
ERROR at line 1:
ORA-28353: failed to open wallet

From here, you can’t change the password back to the original.

administer key management 
alter keystore password 
force keystore 
identified by "qwer5678|" 
set "asdf1234WXYZ$" with backup;
*
ERROR at line 1:
ORA-28353: failed to open wallet

No other printable ASCII characters give trouble, except that I did not test double quote, single quote, or ampersand (", ', &).

Solution attempt 1: re-point alias

The wallet is now inaccessible. The wallet with the known password should still be in ASM. In this example, the wallet was created on Nov 29.

$ asmcmd ls -l +DATA1/PTDE/tde
Type Redund Striped Time Sys Name
AUTOLOGIN_KEY_STORE UNPROT COARSE JAN 27 17:00:00 N cwallet.sso => +DATA1/PTDE/AUTOLOGIN_KEY_STORE/cwallet.287.1154126305
KEY_STORE UNPROT COARSE JAN 27 09:00:00 N ewallet.p12 => +DATA1/PTDE/KEY_STORE/ewallet.259.1154126305
KEY_STORE UNPROT COARSE NOV 28 22:00:00 N ewallet_2023112903382447.p12 => +DATA1/PTDE/KEY_STORE/ewallet.296.1154126307
KEY_STORE UNPROT COARSE JAN 27 08:00:00 N ewallet_2024012713401060.p12 => +DATA1/PTDE/KEY_STORE/ewallet.295.1159346411
KEY_STORE UNPROT COARSE JAN 27 08:00:00 N ewallet_2024012713542108.p12 => +DATA1/PTDE/KEY_STORE/ewallet.285.1159347261
etc.

Notice the date “20231129” in the good wallet's alias name. Make careful note of where that alias points: +DATA1/PTDE/KEY_STORE/ewallet.296.1154126307

You can re-point ewallet.p12 to the good wallet:

$ asmcmd rmalias +DATA1/PTDE/tde/ewallet.p12
$ asmcmd rmalias +DATA1/PTDE/tde/ewallet_2023112903382447.p12
$ asmcmd mkalias +DATA1/PTDE/KEY_STORE/ewallet.296.1154126307 +DATA1/PTDE/tde/ewallet.p12

Check:

administer key management
set
keystore open
force keystore
identified by "old-password";

keystore altered.

Everything seems to work now: opening the database, backing up the keystore, and Data Guard managed recovery.
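The alias re-pointing above depends on copying the right target path out of the asmcmd listing by hand. The script below is an added example, not code from the original post: it parses an `asmcmd ls -l` listing of the tde directory, finds the backup alias for a given date, and prints the rmalias/mkalias sequence with the target filled in. The function names are mine; the directory +DATA1/PTDE/tde and the listing text come from the post, and nothing here calls asmcmd, so the output can be reviewed before it is run.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the asmcmd
# commands of "solution attempt 1" from an `asmcmd ls -l` listing instead
# of copying the target path by hand.  Function names are mine; the
# directory +DATA1/PTDE/tde and the listing text come from the post.
# Nothing here calls asmcmd: the commands are printed for review.

TDE_DIR="+DATA1/PTDE/tde"

# Constructed sample input: the post's listing, in the shape asmcmd prints it.
SAMPLE_LISTING='Type Redund Striped Time Sys Name
AUTOLOGIN_KEY_STORE UNPROT COARSE JAN 27 17:00:00 N cwallet.sso => +DATA1/PTDE/AUTOLOGIN_KEY_STORE/cwallet.287.1154126305
KEY_STORE UNPROT COARSE JAN 27 09:00:00 N ewallet.p12 => +DATA1/PTDE/KEY_STORE/ewallet.259.1154126305
KEY_STORE UNPROT COARSE NOV 28 22:00:00 N ewallet_2023112903382447.p12 => +DATA1/PTDE/KEY_STORE/ewallet.296.1154126307
KEY_STORE UNPROT COARSE JAN 27 08:00:00 N ewallet_2024012713401060.p12 => +DATA1/PTDE/KEY_STORE/ewallet.295.1159346411
KEY_STORE UNPROT COARSE JAN 27 08:00:00 N ewallet_2024012713542108.p12 => +DATA1/PTDE/KEY_STORE/ewallet.285.1159347261'

# wallet_target LISTING ALIAS: print the ASM file an alias resolves to
# (the token after "=>"), or nothing if the alias is not in the listing.
wallet_target() {
    printf '%s\n' "$1" | awk -v a="$2" '
        NF >= 3 && $(NF-1) == "=>" && $(NF-2) == a { print $NF; exit }'
}

# backup_alias_for_date LISTING YYYYMMDD: print the first backup alias
# named ewallet_<YYYYMMDD><hhmmssxx>.p12 for that date, or nothing.
backup_alias_for_date() {
    printf '%s\n' "$1" | awk -v d="$2" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ ("^ewallet_" d "[0-9]*\\.p12$")) { print $i; exit } }'
}

# repoint_commands LISTING YYYYMMDD: print the rmalias/mkalias sequence
# that makes ewallet.p12 point at the backup taken on that date.
# Returns status 1 (message on stderr, no commands) if the backup or its
# target is missing, so the current ewallet.p12 alias is never removed
# without a replacement.
repoint_commands() {
    bk_alias=$(backup_alias_for_date "$1" "$2")
    [ -n "$bk_alias" ] || { echo "no wallet backup dated $2 in listing" >&2; return 1; }
    bk_target=$(wallet_target "$1" "$bk_alias")
    [ -n "$bk_target" ] || { echo "$bk_alias has no target in listing" >&2; return 1; }
    printf 'asmcmd rmalias %s/ewallet.p12\n' "$TDE_DIR"
    printf 'asmcmd rmalias %s/%s\n' "$TDE_DIR" "$bk_alias"
    printf 'asmcmd mkalias %s %s/ewallet.p12\n' "$bk_target" "$TDE_DIR"
}

# Dry run with the sample listing.  On a live system the listing would be
#   repoint_commands "$(asmcmd ls -l +DATA1/PTDE/tde)" 20231129
repoint_commands "$SAMPLE_LISTING" 20231129
```

The script only prints; pipe its output to `sh` once you have read it. It refuses to emit anything when the dated backup or its target is absent from the listing, which is the check the manual procedure lacks: the first rmalias removes the only path to the current ewallet.p12, so you want to know the replacement exists before it runs.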

Solution attempt 2: restore wallet

Suppose you have a good wallet backup in a folder created Nov 29th:

/u03/tde/lib/dba/backup/hostname/ptde/20231129.224025

SQL> shutdown abort
ORACLE instance shut down.
$ asmcmd rm -rf +DATA1/PTDE/KEY_STORE/
$ asmcmd rm -rf +DATA1/PTDE/AUTOLOGIN_KEY_STORE/
SQL> startup nomount
ORACLE instance started.

administer key management
create
keystore
identified by "old-password";

keystore altered.

administer key management
set keystore open
identified by "old-password";

keystore altered.

administer key management
merge keystore '/u03/tde/lib/dba/backup/hostname/ptde/20231129.224025'
identified by "old-password"
into existing
keystore '+DATA1/PTDE/tde'
identified by "old-password"
with backup;

keystore altered.

administer key management
create local auto_login keystore from
keystore identified by "old-password";

keystore altered.

SQL> alter database mount;

Database altered.

SQL> alter database open;

Database altered.

Unsuccessful

There are issues:

2024-01-28T11:31:30.934368-05:00
WARNING: the following master key for tablespace 4 (file # 7) does not exist in the current keystore.
Please check if the master key is successfully imported from the source keystore.
2024-01-28T11:31:30.934406-05:00
kcbtse_populate_tbske_pga: ena 4 flag 2f mkloc 1
encrypted key 7f54d9fb1f800a7a4b0b8b48e450a72149534caef97a161f3267094abf140ba2
mkid 2e30a453ade64f7cbfb326e680302282
SQL> create table ttde (n number) segment creation immediate tablespace USERS;
create table ttde (n number) segment creation immediate tablespace USERS
*
ERROR at line 1:
ORA-28374: typed master key not found in wallet
RMAN> backup tablespace users;

RMAN-03009: failure of backup command on ORA_DISK_1 channel at 01/28/2024 11:31:31
ORA-19914: unable to encrypt backup
ORA-28361: master key not yet set

The problem is that once the password was set with the pipe character, the database and the wallet are out of sync: the alert log shows that the master key the encrypted tablespace refers to (mkid 2e30a453ade64f7cbfb326e680302282) does not exist in the restored keystore, so the database can neither allocate encrypted segments nor encrypt backups.

You could restore an earlier database and wallet backup.
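The only sign that the restored wallet was wrong was the warning in the alert log, which is easy to miss among the open messages. The script below is an added example, not code from the original post: it scans alert-log text for the "master key ... does not exist in the current keystore" warning and pairs it with the mkid line that follows, so a restore runbook can stop before the database is handed back. The function names are mine; the first warning block is the post's own log text, and the filler lines and the second entry (with a placeholder mkid of zeros) are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: find tablespaces whose
# TDE master key is missing from the current keystore by scanning alert
# log text.  Function names are mine.  The first warning block is copied
# from the post; the surrounding lines and the second entry (placeholder
# mkid of zeros) are constructed to show the pairing logic.

# Constructed sample input.
SAMPLE_ALERT='2024-01-28T11:31:29.000000-05:00
Completed: alter database open
2024-01-28T11:31:30.934368-05:00
WARNING: the following master key for tablespace 4 (file # 7) does not exist in the current keystore.
Please check if the master key is successfully imported from the source keystore.
2024-01-28T11:31:30.934406-05:00
kcbtse_populate_tbske_pga: ena 4 flag 2f mkloc 1
encrypted key 7f54d9fb1f800a7a4b0b8b48e450a72149534caef97a161f3267094abf140ba2
mkid 2e30a453ade64f7cbfb326e680302282
2024-01-28T11:31:31.000000-05:00
WARNING: the following master key for tablespace 5 (file # 8) does not exist in the current keystore.
Please check if the master key is successfully imported from the source keystore.
kcbtse_populate_tbske_pga: ena 5 flag 2f mkloc 1
encrypted key 0000000000000000000000000000000000000000000000000000000000000000
mkid 00000000000000000000000000000001'

# Constructed clean log: the same open, no warnings.
CLEAN_ALERT='2024-01-28T11:31:29.000000-05:00
Completed: alter database open'

# missing_master_keys LOGTEXT: one line per tablespace whose master key is
# absent, "ts=<ts#> file=<file#> mkid=<hex>", in log order.  The WARNING
# line carries the tablespace and file numbers; the mkid comes on a later
# line, so the two are paired through the "pending" flag.
missing_master_keys() {
    printf '%s\n' "$1" | awk '
        /^WARNING: the following master key for tablespace [0-9]+/ {
            ts = ""; fno = ""
            if (match($0, /tablespace [0-9]+/)) ts = substr($0, RSTART + 11, RLENGTH - 11)
            if (match($0, /file # [0-9]+/))    fno = substr($0, RSTART + 7, RLENGTH - 7)
            pending = 1; next
        }
        pending && /^mkid [0-9a-f]+$/ {
            print "ts=" ts " file=" fno " mkid=" $2
            pending = 0
        }'
}

# wallet_in_sync LOGTEXT: status 0 when no master key is reported missing.
wallet_in_sync() {
    [ -z "$(missing_master_keys "$1")" ]
}

# Report, and branch the way a restore runbook would.
missing_master_keys "$SAMPLE_ALERT"
if wallet_in_sync "$SAMPLE_ALERT"; then
    echo "all master keys present"
else
    echo "master keys missing: do not proceed with the restored wallet" >&2
fi
```

Run it against the instance's alert log after the open (for example `missing_master_keys "$(cat alert_PTDE.log)"`, assuming that filename) and compare the reported mkid values with the keys the wallet backup actually holds; a non-empty list means the backup predates the key the tablespaces were encrypted with, and an older database backup is needed as well.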

Conclusion

Do not use “|” in an Oracle TDE keystore password.

Have a TDE wallet recovery strategy.
