Blogs

OCI Tablespace Creation Error – ORA-28361: Master Key not yet set for CREATE TABLESPACE in OCI DBCS

Introduction

We are living in a data era. Every organization invests in a colossal sum of money to secure its IT infrastructure environment. protecting data is really important because all businesses are now driven by analyzing the data. Oracle came up with a technology called TDE to protect data from ransomware. TDE is part of the Oracle Advance license feature. But in the Cloud, this comes as default. Whatever database you are creating in the cloud should have TDE.  

After creating a new 12.1 environment in the cloud we faced an issue while creating a tablespace. 

 

Error: 

When creating tablespace, tablespace creation failed due to ORA-28374.

SQL> create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m;
create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m
*
ERROR at line 1:
ORA-28374: typed master key not found in wallet

 

To get a better understanding of the issue, We reviewed the database and the alert log. This is what we found in the alert log.

2023-11-15T09:51:58.200799-05:00
create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m
2023-11-15T09:51:58.200863-05:00
Force tablespace TEST to be encrypted with AES128
ORA-28374 signalled during: create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m...
2023-11-15T10:00:09.981590-05:00

 

Solution: 

We found the same issue from oracle meta link note : 
OCI DB SYSTEM:Createtablespace error "ORA-28361: Master Key Not Yet Set" 
on migrated database (Doc ID 2716604.1).

Before making any changes to the wallet key let’s backup the wallet key wallet files
(cwallet.sso and ewallet.p12) from ENCRYPTION_WALLET_LOCATION.

 

Get the Key Location:

SET LINESIZE 200
COLUMN wrl_parameter FORMAT A50
SELECT * FROM v$encryption_wallet;

 

How to Backup Keys:

[oracle@local-host ~]$ cd /opt/oracle/dcs/commonstore/wallets/tde/CMITEST/

[oracle@local-host]$ ls -ltr
total 24
-rw------- 1 oracle oinstall 2555 Oct 12 11:36 ewallet_2023101215360517.p12
-rw------- 1 oracle oinstall 3995 Oct 12 11:37 ewallet_2023101215372466.p12
-rw------- 1 oracle oinstall 5467 Oct 12 11:37 ewallet.p12
-rw------- 1 oracle oinstall 5512 Oct 12 11:37 cwallet.sso
-- Backup Keys 

[oracle@local-host]$ cp -p -r CMITEST CMITEST_BKP

 

NOTE: keystore-password is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database deployment is created from the cloud console.

Login to the database as sysdba and set keystore for CDB using
ADMINISTER KEY MANAGEMENT SET KEY USING TAG ‘rotate_key’
FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING
‘backup_key’;

SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'rotate_key' FORCE KEYSTORE IDENTIFIED BY Welcome123#_ WITH BACKUP USING 'backup_key';
keystore altered.

 

Now let’s try to create a Tablespace

SQL> create tablespace test datafile '/u02/app/oracle/oradata/CMITEST/datafile/test.dbf' size 50m;
Tablespace created.

 

Conclusion

In the Oracle cloud environment, TDE is available in the default configuration. Key management and rotation are critical when organizations host critical data in the cloud environment. Next Article I will illustrate how you can configure TDE and back the keys using Oracle Vault.

More from this Author