Modifying SYS and Wallet Password on ExaCC Bypassing Password Verify Function


Introduction:

In this piece, I will walk you through a real-life scenario I recently faced with a client, where I had to change an Oracle 12c SYS and wallet password to one that does not meet the ExaCC password verification function guidelines. This was done in an Oracle Exadata Cloud-at-Customer environment.

Below, I will provide a log of my steps and explain the actions/commands along the way.

 

1. Set the Environment Variables:  

[oracle@test-vm ~]$ . TESTDB.env 
[oracle@test-vm ~]$ echo $ORACLE_HOME 
/u02/app/oracle/product/12.2.0/dbhome_2 
[oracle@test-vm ~]$ echo $ORACLE_SID 
TESTDB1

First, we set the environment variables to make sure we are working with the correct Oracle Home and Oracle SID.

 

2. Verify the PMON Process is Running:

[root@test-vm ~]# ps -ef | grep pmon
grid      42122      1  0 Apr02 ?        00:01:45 asm_pmon_+ASM1
grid      50781      1  0 Apr02 ?        00:01:45 apx_pmon_+APX1
oracle   318201      1  0 15:31 ?        00:00:00 ora_pmon_TESTDB1

We checked the PMON process to ensure the database instance is running.

 

3. Disable the Password Verify Function for the Default Profile:

SQL> alter profile default limit password_verify_function null; 

Profile altered.

 

4. Change the SYS Password to the Preferred Value (Not Meeting DBAAS_VERIFY_FUNCTION Guidelines):

SQL> alter user sys identified by "PASSWORD";

 

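Re-enable the password verify function as it was before. While it is set to null, password changes for accounts governed by the DEFAULT profile are not checked for complexity, so restore it immediately after the change: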

SQL> alter profile default limit password_verify_function DBAAS_VERIFY_FUNCTION; 

Profile altered.
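
To confirm that the verify function is back in force after step 4, and to see how long it was disabled, a DBA can run the queries below. This is an added example, not part of the original steps; the second query assumes unified auditing records ALTER PROFILE and ALTER USER in this database and returns no rows otherwise.

```sql
-- Added example (not from the original post).
-- 1) Effective password verify function per profile, and how many accounts
--    each profile governs. A profile whose limit is 'DEFAULT' inherits the
--    value of the DEFAULT profile, so resolve it before reporting.
--    After step 4, the DEFAULT profile should show DBAAS_VERIFY_FUNCTION;
--    a value of NULL means the check is still disabled.
SELECT p.profile,
       CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END
           AS effective_verify_function,
       COUNT(u.username) AS accounts
FROM   dba_profiles p
       JOIN dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = p.resource_name
       LEFT JOIN dba_users u
         ON  u.profile = p.profile
WHERE  p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
GROUP  BY p.profile,
          CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END
ORDER  BY p.profile;

-- 2) Timeline of profile and user changes over the last day.
--    Assumption: an enabled unified audit policy covers ALTER PROFILE and
--    ALTER USER. The gap between the "null" and the "DBAAS_VERIFY_FUNCTION"
--    ALTER PROFILE rows is the window in which unchecked passwords could be
--    set; any ALTER USER inside that window deserves review.
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       action_name,
       sql_text
FROM   unified_audit_trail
WHERE  action_name IN ('ALTER PROFILE', 'ALTER USER')
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;
```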

 

5. List and Manage Wallet Credentials

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -listCredential 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Enter Wallet Password: 
List credential (index: connect_string username)

 

The above output indicates that there are no credentials in the wallet for the “SYS” user, or for any other user for that matter.

The following command lists the entries stored in the wallet, including encryption keys and other security-related data.

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -list 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Enter wallet password: 
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.8786543wertyuiytrMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY 
ORACLE.SECURITY.ID.ENCRYPTION. 
ORACLE.SECURITY.KB.ENCRYPTION. 
ORACLE.SECURITY.KM.ENCRYPTION.iuytrewrt6789876543567890iuyhgfAAAAAAAAAAAAAAAAAGH

 

As shown below, no credentials are present for the sys user:

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.connect_string1 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Enter wallet password: 
Secret Store error occurred: oracle.security.pki.OracleSecretStoreException: PKI-03002: No entry found for the alias: oracle.security.client.connect_string1
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.username1 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Enter wallet password: 
Secret Store error occurred: oracle.security.pki.OracleSecretStoreException: PKI-03002: No entry found for the alias: oracle.security.client.username1 

 

6. Modify Wallet Entries:

We updated the wallet entries as required, including creating and modifying the TDE keystore password entry and setting up the required credentials for the “sys” user.

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -createCredential TESTDB sys 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Your secret/Password is missing in the Command Line 
Enter your secret/Password: 
Re-enter your secret/Password: 
Enter wallet password:

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.username1 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Enter Wallet Password: 
oracle.security.client.username1 = sys
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.password1 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Enter Wallet Password: 
oracle.security.client.password1 = PASSWORD

 

Next, we create the “tde_ks_passwd” entry, since it is not present in the wallet:

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -createEntry tde_ks_passwd 
Oracle Secret Store Tool : Version 12.2.0.1.0 
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. 

Your secret/Password is missing in the command line 
Enter your secret/Password: 
Re-enter your secret/Password: 
Enter wallet password:

 

7. Change the TDE Keystore Password:

[oracle@test-vm ~]$ sqlplus / as sysdba 
SQL*Plus: Release 12.2.0.1.0 Production on Thu May 25 00:30:00 2023 
Copyright (c) 1982, 2016, Oracle. All rights reserved. 

Connected to: 
Oracle Database 12c EE Extreme Perf Release 12.2.0.1.0 - 64bit Production 

SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY CURRENT_PASSWORD SET NEW_PASSWORD with backup; 

keystore altered.

Finally, we used the ADMINISTER KEY MANAGEMENT SQL command to change the TDE keystore password.

 

Conclusion:

In this piece, we walked through the steps required to change the SYS password, wallet password, TDE keystore password, and the SYS password stored in the encryption wallet of an Oracle Database 12c database. This process was performed in an Oracle Exadata Cloud-at-Customer environment. Remember to back up your wallets and keys before making any changes.

 

References:

https://eclipsys.ca/how-to-change-sys-password-on-exacc-gen-2/
