by Alexandre Nestor<\/p>\n\n\n\n
Other blogs that I wrote on OKV subject: <\/p>\n\n\n\n
The aim of this new post is to describe how to: <\/p>\n\n\n\n
All steps are executed from the database server, using RESTfull API commands, so no connection to Oracle Key vault interface. <\/p>\n\n\n\n
As prerequisite, I assume that the Oracle Key Vault is installed, and the RESTfull API is enabled at OKV server, otherwise all commands will fail. <\/p>\n\n\n\n
By scripting all commands, this method can be used to full configure a new database server. <\/p>\n\n\n\n
Oracle Key Vault server is named okvsrv.oracle.com<\/p>\n\n\n\n
SADMIN is the System Admin user defined at Oracle Key Vault level. <\/p>\n\n\n\n
All commands are made at database server level as The database server is a Oracle Linux 8 and the database version is 19.20. <\/p>\n\n\n\n The database SID is DBTDEOKV.<\/p>\n\n\n\n The RESTfull API is installed in To make the life easier I create an env file to keep all used variables: <\/p>\n\n\n Uncomment line For logging change the line For more log traces you can chenge the level of traces, in the same file, to Finally update And create the autologin wallet to avoid to enter all the time the The endpoint is the database server itself. Enrolling the endpoint, give the ability to this server (endpoint) to make calls (get TDE keys) from Oracle Key Vault. <\/p>\n\n\n\n An endpoint type Create directories ( At OKV level we are going to set the endpoint name using the database name ( First the endpoint is created:<\/p>\n\n\n Then is enrolled:<\/p>\n\n\n The The word “ Finally, create an profile, I called it Let’s create a wallet for this endpoint. The wallet is an virtual wallet as it is located in OKV and not locally on disk. The wallet name will be For commodity, I create a simple script to list the status of the encryption. <\/p>\n\n\n The database is a pluggable database and the TDE will be configured in The PDB wallet root path will be Remember the I choose the second method for simplicity, so I create a database link from Configure the CDB$ROOT database for TDE: <\/p>\n\n\n Configure the PDB for TDE. Applying the TDE configuration at PDB level will automatically switch to Check if the keys are accessible at OKV level: <\/p>\n\n\n Make a full restart to validate the whole:<\/p>\n\n\n The autologin file has the status Even it seems complicated, all the described procedure can be easily scripted and implemented as a post script, for a database server deployment.<\/p>\n\n\n\n Using OKV to keep the keys is one of the best solution. Otherwise you have to do it by your own, as you cannot user Oracle tools like RMAN to backup them. <\/p>\n\n\n\n OKV will keep the track of all keys and theyr dates even if in case of rekey process. <\/p>\n\n\n\n Loosing keys leads to database lost. Even Oracle cannot help.<\/p>\n","protected":false},"excerpt":{"rendered":" Configure Oracle Database Server and it’s Database with OKV using RESTfull API <\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59],"tags":[],"type_dbi":[],"class_list":["post-29389","post","type-post","status-publish","format-standard","hentry","category-oracle"],"acf":[],"yoast_head":"\noracle<\/code> user (which is in the shell prompt).There is only one command executer as root<\/code>. <\/p>\n\n\n\nDownload the RESTfull API from OKV server<\/h3>\n\n\n\n
\/home\/oracle\/okvrestcli<\/code> directory.<\/p>\n\n\n\n[oracle@ ~]$ mkdir -p $HOME\/okvrestcli\/log\n\n[oracle@ ~]$ mkdir $HOME\/okvrestcli\/wallet\n\n[oracle@ ~]$ curl -k -O https:\/\/okvsrv.oracle.com:5695\/okvrestclipackage.zip\n\n[oracle@ ~]$ unzip okvrestclipackage.zip -d okvrestcli\nArchive: okvrestclipackage.zip\n creating: okvrestcli\/lib\/\n creating: okvrestcli\/bin\/\n inflating: okvrestcli\/bin\/okv\n inflating: okvrestcli\/bin\/okv.bat\n creating: okvrestcli\/conf\/\n inflating: okvrestcli\/conf\/okvrestcli.ini\n inflating: okvrestcli\/conf\/okvrestcli_logging.properties\n inflating: okvrestcli\/lib\/okvrestcli.jar\n<\/pre><\/div>\n\n\n
\n[oracle@ ~]$ echo 'export OKV_REST_CLI_CONFIG=$HOME\/okvrestcli\/conf' > $HOME\/okvrestcli\/set_okv_rest_api_env.sh\n\n[oracle@ ~]$ echo "export JAVA_HOME=\/u01\/app\/oracle\/product\/19.0.0.0\/dbhome_5\/jdk" > $HOME\/okvrestcli\/set_okv_rest_api_env.sh\n\n[oracle@ ~]$ echo 'export PATH=$PATH:$HOME\/okvrestcli\/bin' >> $HOME\/okvrestcli\/set_okv_rest_api_env.sh\n\n[oracle@ ~]$ source $HOME\/okvrestcli\/set_okv_rest_api_env.sh\n<\/pre><\/div>\n\n\n
Configure the RESTfull API <\/h3>\n\n\n\n
export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR\/conf\/okvrestcli.ini<\/code> in $HOME\/okvrestcli\/bin\/okv<\/code> shell. <\/p>\n\n\n\njava.util.logging.FileHandler.pattern = $HOME\/okvrestcli\/log\/okv%u.log <\/code>in $HOME\/okvrestcli\/conf\/okvrestcli_logging.properties<\/code> file.<\/p>\n\n\n\nALL<\/code>.<\/p>\n\n\n\n$HOME\/okvrestcli\/conf\/okvrestcli.ini<\/code><\/p>\n\n\n\n[Default]\nlog_property=\/home\/oracle\/okvrestcli\/conf\/okvrestcli_logging.properties\nserver=okvsrv.oracle.com\n#okv_client_config=.\/conf\/okvclient.ora\nuser=sadmin\nclient_wallet=\/home\/oracle\/okvrestcli\/wallet\n<\/pre><\/div>\n\n\n
sadmin<\/code> user password. <\/p>\n\n\n\n[oracle@ ~]$ okv admin client-wallet add --client-wallet $HOME\/okvrestcli\/wallet --wallet-user sadmin\nPassword:\n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nCreate and enroll the endpoint<\/h2>\n\n\n\n
ORACLE_DB<\/code> need some directories and variables to be set: <\/p>\n\n\n\n\n
WALLET_ROOT<\/code> parameter must be set and and endpoint scripts from OKV will be installed in WALLET_ROOT\/okv<\/code><\/li>\n\n\n\nWALLET_ROOT\/tde<\/code> directory will not contain the physical wallet (as the keys are stored in OKV) but in case of auto_login, the cwallet.sso need to be present in this directory. <\/li>\n\n\n\n$ORACLE_HOME<\/code> and $ORACLE_BASE<\/code> variables must be defined at the moment of endpoint enrolment. <\/li>\n<\/ul>\n\n\n\n\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV<\/code> path will be the WALLET_ROOT<\/code> at the database level) <\/p>\n\n\n\n[oracle@ ~]$ mkdir \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\n\n[oracle@ ~]$ mkdir \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\n\n[oracle@ ~]$ mkdir \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde\n\n[oracle@ ~]$ mkdir \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde_seps\n<\/pre><\/div>\n\n\n
DBTDEOKV_DB<\/code>). <\/p>\n\n\n\n\n[oracle@ ~]$ okv admin endpoint create --generate-json > \/tmp\/t.json\n\n[oracle@ ~]$ cat \/tmp\/t.json\n{\n "service" : {\n "category" : "admin",\n "resource" : "endpoint",\n "action" : "create",\n "options" : {\n "endpoint" : "DBTDEOKV_DB",\n "description" : "DBTDEOKV database",\n "platform" : "LINUX64"\n "type" : "ORACLE_DB",\n "subgroup" : "NO SUBGROUP",\n "strictIpCheck" : "FALSE",\n }\n }\n}\n\n[oracle@ ~]$ okv admin endpoint create --from-json \/tmp\/t.json\n{\n "result" : "Success",\n "value" : {\n "status" : "PENDING",\n "locatorID" : "3DCA30C0-D7DC-42F7-AA1D-07B3A62523A4"\n }\n}\n<\/pre><\/div>\n\n\n\n[oracle@ ~]$ echo $ORACLE_HOME\n\/u01\/app\/odaorahome\/oracle\/product\/19.0.0.0\/dbhome_5\n[oracle@ ~]$ echo $ORACLE_BASE\n\/u01\/app\/odaorabase\/oracle\n[oracle@ ~]$ echo $ORACLE_SID\nDBTDEOKV\n\n[oracle@ ~]$ okv admin endpoint provision --generate-json > \/tmp\/t.json\n[oracle@ ~]$ cat \/tmp\/t.json\n{\n "service" : {\n "category" : "admin",\n "resource" : "endpoint",\n "action" : "provision",\n "options" : {\n "endpoint" : "DBTDEOKV_DB",\n "location" : "\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv",\n "autoLogin" : "FALSE"\n }\n }\n}\n\n[oracle@ ~]$ okv admin endpoint provision --from-json \/tmp\/t.json\nEnter Oracle Key Vault endpoint password: enpoint_password\n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nokvclient.jar<\/code> was downloaded in the \"location\" : \"\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\"<\/code> path. This is an archive which need to be extracted. At the end the file okvclient.jar <\/code>will be erased so if you need to reinstall the endopoint or you will need to enroll it again. <\/p>\n\n\n\nenpoint_password<\/code>” means the password used for this endpoint. <\/p>\n\n\n\n[oracle@ ~]$ ls \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\nokvclient.jar\n\n[oracle@ ~]$ $ORACLE_HOME\/jdk\/bin\/java -jar \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\/okvclient.jar -d \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv -v\nDetected JAVA_HOME: \/u01\/app\/odaorahome\/oracle\/product\/19.0.0.0\/dbhome_5\/jdk\nDetected ORACLE_HOME: \/u01\/app\/odaorahome\/oracle\/product\/19.0.0.0\/dbhome_5\nDetected ORACLE_BASE: \/u01\/app\/odaorabase\/oracle\nUsing OKV_HOME: \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\nPlease set environment variables ORACLE_HOME, ORACLE_BASE, and OKV_HOME\nconsistently across processes.\nEnter new Key Vault endpoint password (<enter> for auto-login): enpoint_password\nConfirm new Key Vault endpoint password: enpoint_password\nThe endpoint software for Oracle Key Vault installed successfully.\nDeleted the file : \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\/okvclient.jar\n\n[oracle@ ~]$ ls \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\/\nbin conf csdk jlib lib log ssl\n\n# execute as root \n[root@ ~]# \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\/bin\/root.sh\n<\/pre><\/div>\n\n\n
DBTDEOKV<\/code>, for this endpoint in the RESTfull API, in case when we have several endpoints on the same server. From this moment we can use the parameter –profile to all RESTfull API calls. If this is the only endpoint on the server we cans use the DEFAULT profile. <\/p>\n\n\n\n-- create the profile, DBTDEOKV, for REST api for this database \n[oracle@ ~]$ cat $HOME\/okvrestcli\/conf\/okvrestcli.ini\n#Provide absolute path for log_property, okv_client_config properties\n[Default]\nlog_property=\/home\/oracle\/okvrestcli\/conf\/okvrestcli_logging.properties\nserver=160.210.31.85\nuser=sadmin\nclient_wallet=\/home\/oracle\/okvrestcli\/wallet\n\n[DBTDEOKV]\nokv_client_config=\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\/conf\/okvclient.ora\n\n\n-- list endpoints \n[oracle@ ~]$ okv admin endpoint list --profile DBTDEOKV\n{\n "result" : "Success",\n "value" : {\n "endpoints" : [ {\n "commonNameOfCertificateIssuer" : "CA",\n "clusterSubgroup" : "No Cluster Subgroup",\n "createdBy" : "SADMIN",\n "creatorNode" : "okvsrv.oracle.com",\n "creationTime" : "2023-11-14 09:40:10",\n "defaultWallet" : "",\n "description" : "DBTDEOKV database",\n "endpoint" : "DBTDEOKV_DB",\n "endpointCertificateExpiration" : "2024-11-13 09:40:18",\n "enrollmentToken" : "",\n "ipAddress" : "160.210.32.20",\n "nameStatus" : "ACTIVE",\n "platform" : "Linux",\n "status" : "Enrolled",\n "type" : "Oracle Database"\n.....\n\n<\/pre><\/div>\n\n\nCreate a wallet for the endpoint<\/h3>\n\n\n\n
DBTDEOKV_DB_WALLET<\/code>.<\/p>\n\n\n\n# add a wallet for this endpoint\n[oracle@ ~]$ okv manage-access wallet create --generate-json-input > \/tmp\/t.json\n[oracle@ ~]$ cat \/tmp\/t.json\n{\n "service" : {\n "category" : "manage-access",\n "resource" : "wallet",\n "action" : "create",\n "options" : {\n "wallet" : "DBTDEOKV_db_wallet",\n "description" : "wallet for DBTDEOKV database"\n }\n }\n}\n[oracle@ ~]$ okv manage-access wallet create --from-json \/tmp\/t.json\n{\n "result" : "Success",\n "value" : {\n "status" : "PENDING",\n "locatorID" : "71025B76-7773-4F2E-9383-BC3E672AF867"\n }\n}\n\n# grant access for endpoint to manage the wallet\n[oracle@ ~]$ okv manage-access wallet add-access --generate-json-input > \/tmp\/t.json\n[oracle@ ~]$ cat \/tmp\/t.json\n{\n "service" : {\n "category" : "manage-access",\n "resource" : "wallet",\n "action" : "add-access",\n "options" : {\n "wallet" : "DBTDEOKV_db_wallet",\n "endpoint" : "DBTDEOKV_DB",\n "access" : "RM_MW"\n }\n }\n}\n[oracle@ ~]$ okv manage-access wallet add-access --from-json \/tmp\/t.json\n{\n "result" : "Success"\n}\n<\/pre><\/div>\n\n\nConfigure the encryption on the database to use OKV<\/h3>\n\n\n\n
\n-- create the script tde.sql for easy usage of the query \n[oracle@ ~]$ cat tde.sql\nset pages 200\nset line 300\ncol WRL_PARAMETER format a50\ncol status forma a10\ncol pdb_name format a20\nselect pdb_id, pdb_name, guid from dba_pdbs;\nselect * from v$encryption_wallet where con_id != 2;\n<\/pre><\/div>\n\n\n
ISOLATED<\/code> mode (each PDB will have it’s own encryption key).<\/p>\n\n\n\nWALLET_ROOT\/<\/code><pdbguid><\/code>. <\/p>\n\n\n\nokv<\/code> endpoint software was installed in WALLET_ROOT\/okv<\/code>. The PDB will search the the okv endpoint software in WALLET_ROOT\/<pdbguid>\/okv<\/code> path. We have two choices:<\/p>\n\n\n\n\n
WALLET_ROOT\/<pdbguid>\/okv<\/code> path.<\/li>\n\n\n\nokv<\/code> endpoint software. <\/li>\n<\/ul>\n\n\n\nWALLET_ROOT\/okv<\/code> to WALLET_ROOT\/<pdbguid>\/okv<\/code> <\/p>\n\n\n\nSQL> select pdb_id, pdb_name, guid from dba_pdbs;\n\n PDB_ID PDB_NAME GUID\n---------- -------------------- --------------------------------\n 3 PDB1 0887FBD2D436F52AE0631420D5B4B292\n 2 PDB$SEED 0887DD6BF35FA66EE0631420D5B48934\n\n[oracle@ ~]$ mkdir\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887FBD2D436F52AE0631420D5B4B292\n\n[oracle@ DBTDEOKV]$ mkdir \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887FBD2D436F52AE0631420D5B4B292\/tde\n\n[oracle@ ~]$ cd \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887FBD2D436F52AE0631420D5B4B292\/\n\n[oracle@ 0887FBD2D436F52AE0631420D5B4B292]$ ln -s \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv .\n<\/pre><\/div>\n\n\n
\n-- some usefull best practice parameters for TDE\nSQL> alter system set encrypt_new_tablespaces='ALWAYS' scope=spfile;\n\nSQL> alter system set tablespace_encryption='AUTO_ENABLE' scope=spfile;\n\n-- configure the WALLET_ROOT\nSQL> alter system set wallet_root='\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV' scope=spfile;\n\nSystem altered.\n\n-- restart the database\nSQL> shutdown immediate;\n\nSQL> startup;\n\n-- configure the TDE to use OKV for keys and local FILE for autologin\nSQL> alter system set tde_configuration="KEYSTORE_CONFIGURATION=OKV|FILE" scope=both;\n\n-- at this level no keystore open \nSQL> @tde.sql\n\nWRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID\n---------- ---------------------------------------- ---------- -------------------- --------- -------- --------- ----------\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde\/ NOT_AVAILA UNKNOWN SINGLE NONE UNDEFINED 1\n BLE\n\nOKV CLOSED UNKNOWN SINGLE NONE UNDEFINED 1\nFILE NOT_AVAILA UNKNOWN SINGLE UNITED UNDEFINED 3\n BLE\n\nOKV CLOSED UNKNOWN SINGLE UNITED UNDEFINED 3\n\n-- open the keystore => goes to state OPEN_NO_MASTER_KEY\nSQL> administer key management set keystore open identified by "enpoint_password";\n\nSQL> @tde.sql\n\nWRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID\n---------- ---------------------------------------- ---------- -------------------- --------- -------- --------- ----------\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde\/ NOT_AVAILA UNKNOWN SINGLE NONE UNDEFINED 1\n BLE\n\nOKV OPEN_NO_MA OKV SINGLE NONE UNDEFINED 1\n STER_KEY\n\nFILE NOT_AVAILA UNKNOWN SINGLE UNITED UNDEFINED 3\n BLE\n\nOKV CLOSED UNKNOWN SINGLE UNITED UNDEFINED 3\n\n-- create the MEK (Master Encryption Key). Use tag is a best practice\nSQL> administer key management set key using tag "CDB:DBTDEOKV MEK first" identified by "enpoint_password";\nSQL> @tde.sql\n\nWRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID\n---------- ---------------------------------------- ---------- -------------------- --------- -------- --------- ----------\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde\/ NOT_AVAILA UNKNOWN SINGLE NONE UNDEFINED 1\n BLE\n\nOKV OPEN OKV SINGLE NONE UNDEFINED 1\nFILE NOT_AVAILA UNKNOWN SINGLE UNITED UNDEFINED 3\n BLE\n\nOKV CLOSED UNKNOWN SINGLE UNITED UNDEFINED 3\n\n--configure the autologin \nSQL> administer key management add secret 'enpoint_password' for client 'OKV_PASSWORD' to local auto_login keystore '\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde'\n\n-- check \nSQL> !ls \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde\ncwallet.sso\n<\/pre><\/div>\n\n\n
ISOLTAED<\/code> mode. <\/p>\n\n\n\nSQL> alter session set container=pdb1;\n\nSQL> alter system set tde_configuration="KEYSTORE_CONFIGURATION=OKV|FILE" scope=both;\nSQL> @tde\n\nWRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID\n---------- ---------------------------------------- ---------- -------------------- --------- -------- --------- ----------\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887 OPEN_NO_MA LOCAL_AUTOLOGIN SINGLE ISOLATED UNDEFINED 3\n FBD2D436F52AE0631420D5B4B292\/tde\/ STER_KEY\n\nOKV OPEN_NO_MA OKV SINGLE ISOLATED UNDEFINED 3\n STER_KEY\n\nSQL> administer key management set key using tag "CDB:DBTDEOKV:PDB1 MEK first" identified by "enpoint_password";\n\nSQL> @tde\n\nWRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID\n---------- ---------------------------------------- ---------- -------------------- --------- -------- --------- ----------\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887 NOT_AVAILA UNKNOWN SINGLE ISOLATED UNDEFINED 3\n FBD2D436F52AE0631420D5B4B292\/tde\/ BLE\n\nOKV OPEN OKV SINGLE ISOLATED UNDEFINED 3\n\n-- configure autologin the client name must be OKV_PASSWORD \nSQL> administer key management add secret 'enpoint_password' for client 'OKV_PASSWORD' to local auto_login keystore '\/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887FBD2D436F52AE0631420D5B4B292\/tde';\n\n-- check\nSQL> !ls \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887FBD2D436F52AE0631420D5B4B292\/tde\/\ncwallet.sso\n\n-- reastart to validate\nSQL> shutdown immediate;\nPluggable Database closed.\nSQL> startup;\nPluggable Database opened.\nSQL> @tde\n\nRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID\n---------- ---------------------------------------- ---------- -------------------- --------- -------- --------- ----------\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887 NOT_AVAILA UNKNOWN SINGLE ISOLATED UNDEFINED 3\n FBD2D436F52AE0631420D5B4B292\/tde\/ BLE\n\nOKV OPEN OKV SINGLE ISOLATED UNDEFINED 3\n\n<\/pre><\/div>\n\n\n
\n[oracle@ ~]$ \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/okv\/bin\/okvutil list\nEnter Oracle Key Vault endpoint password:\nUnique ID Type Identifier\n2E1A81B8-E8DA-4FA6-BF6F-28F48B274A7E Symmetric Key TDE Master Encryption Key: TAG CDB:DBTDEOKV MEK first\n6010F986-4A55-4F8D-BF22-891DF4DAD290 Symmetric Key TDE Master Encryption Key: TAG CDB:DBTDEOKV:PDB1 MEK first\n<\/pre><\/div>\n\n\n
\nSQL> startup force\n\nSQL> @tde\n\nWRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID\n---------- ---------------------------------------- ---------- -------------------- --------- -------- --------- ----------\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/tde\/ OPEN_NO_MA LOCAL_AUTOLOGIN SINGLE NONE UNDEFINED 1\n STER_KEY\n\nOKV OPEN OKV SINGLE NONE UNDEFINED 1\nFILE \/u01\/app\/oracle\/tde_wallet\/DBTDEOKV\/0887 OPEN_NO_MA LOCAL_AUTOLOGIN SINGLE ISOLATED UNDEFINED 3\n FBD2D436F52AE0631420D5B4B292\/tde\/ STER_KEY\n\nOKV OPEN OKV SINGLE ISOLATED UNDEFINED \n<\/pre><\/div>\n\n\n
OPEN_NO_MASTER_KEY<\/code>. This can be explained by the fact that autologin cwallet.sso<\/code> file is locally and the key on on OKV server. I cannot say if this is a normall behaviur or is a display bug. <\/p>\n\n\n\nConclusion<\/h2>\n\n\n\n