
Configuring Oracle Wallet Manager

Sno Description Instance
1 Install the database ETS
2 Configure the Net Configuration ETS
3 Archive log enabled ETS

4 configure the sqlnet.ora file under $TNS_ADMIN ETS

5 creates and opens the wallet with Auto Login Option ETS

6
7 Wallets must be reopened after an instance restart and can be closed to prevent access to encrypted data ETS

8 Create the Script for auto login ETS


9 check the autologin is working or not ETS
10 Create Test User ETS

11 Grant permissions to Test ETS

12 Create Tablespace ETS


13 assign the user to the encrypted tablespace; ETS
14 check the tablespace encrypted or not ETS

15 to check the encrypted columns are created or not ETS


16 Check the Status of the Encrypted Key ETS

17 Create table and index ETS


18 insert data into the table ETS
19 check the data file ETS

20 Export the data from ETS ETS


21 Delete the records from ets_test table ETS

22 Import the data from ETS ETS


23 check the data ETS
24 Check the encrypted tablespace ETS

25 Create Normal Tablespace without encryption ETS

26 Create user and assign the Normal tablespace ETS


27 Create table, index data into the new table imptest ETS

28 Export the data from Encrypted to Normal Tablespace ETS

29 Import the data from Encrypted to Normal Tablespace ETS


30 Export the data from Normal to Encrypted Tablespace ETS

31 Import the data from Normal to Encrypted Tablespace ETS

Important queries

SQL statement lists all encrypted tablespaces with their encryption algorithm
and corresponding, encrypted, data files:

SQL statement lists the table owner, tables within encrypted tablespaces,
and the encryption algorithm:
find out the location of Wallet and file type
Find the objects belongs to which tablespace
Commands Bugs Report

install the database on 11.2.0.1


through net manager
Archive Enabled

Configure with the following parameter


ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=D:\OraHomeR2\app\admin\ETS\wallet\)))

The auto-login wallet is automatically opened at the first DDL/DML operation on an encrypted column. If it is important to have the wallet status "OPEN" in v$encryption_wallet, then create a startup trigger that will access an encrypted table. Check the Metalink ID 1295713.1.
orapki wallet create -wallet D:\OraHomeR2\app\admin\ETS\wallet\
-pwd abcd1234 -auto_login_local

CONN sys/password@db11g AS SYSDBA


ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "abcd1234";
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "abcd1234";

ALTER SYSTEM SET WALLET CLOSE;


follow the Note How to Open the Encryption Wallet Automatically When
the Database Starts. [ID 460293.1]
restart the database and system
create user test identified by test;

CREATE USER test identified by test;


GRANT CONNECT,RESOURCE TO test;
GRANT CREATE SESSION TO test;
GRANT CREATE TABLE TO test;

CREATE TABLESPACE encrypted_ts DATAFILE
'D:\OraHomeR2\app\oradata\ETS\encrypted_ts01.dbf' SIZE 128K
AUTOEXTEND ON NEXT 64K ENCRYPTION USING 'AES256' DEFAULT
STORAGE(ENCRYPT);
ALTER USER test QUOTA UNLIMITED ON encrypted_ts;
SELECT tablespace_name, encrypted FROM dba_tablespaces;

select owner,table_name, column_name from dba_encrypted_columns;


select status from v$encryption_wallet;

CONN test/test

CREATE TABLE ets_test (id NUMBER(10),data VARCHAR2(50))
TABLESPACE encrypted_ts;

CREATE INDEX ets_test_idx ON ets_test(data) TABLESPACE encrypted_ts;


INSERT INTO ets_test (id, data) VALUES (1, 'This is a secret!1');
INSERT INTO ets_test (id, data) VALUES (2, 'This is a secret!2');
INSERT INTO ets_test (id, data) VALUES (3, 'This is a secret!3');
INSERT INTO ets_test (id, data) VALUES (4, 'This is a secret!4');
INSERT INTO ets_test (id, data) VALUES (5, 'This is a secret!5');
commit;

check the datafile by viewing the Encrypted data file

CREATE DIRECTORY expdp_dir AS
'D:\OraHomeR2\app\admin\ETS\dpdump';

grant read,write on directory expdp_dir to system,test;

expdp test/test TABLES=ets_test DIRECTORY=expdp_dir
DUMPFILE=etsexp.dmp ENCRYPTION=ENCRYPTED_COLUMNS_ONLY
ENCRYPTION_PASSWORD=abcd1234

DROP TABLE ets_test;


impdp test/test TABLES=ets_test DIRECTORY=expdp_dir
DUMPFILE=etsexp.dmp ENCRYPTION_PASSWORD=abcd1234
select * from ets_Test;
check the datafile by viewing the Encrypted data file

CREATE TABLESPACE normal DATAFILE
'D:\OraHomeR2\app\oradata\ETS\Normal_ts01.dbf' SIZE 128K
AUTOEXTEND ON NEXT 64K;

create user imptest identified by imptest;


GRANT CONNECT,RESOURCE TO imptest;
GRANT CREATE SESSION TO imptest;
GRANT CREATE TABLE TO imptest;
ALTER USER imptest QUOTA UNLIMITED ON NORMAL;
CONN imptest/imptest

CREATE TABLE ntest (id NUMBER(10),data VARCHAR2(50)) TABLESPACE
NORMAL;
CREATE INDEX ntest_idx ON ntest(data) TABLESPACE NORMAL;

INSERT INTO ntest (id, data) VALUES (1, 'This is a secret!1');
INSERT INTO ntest (id, data) VALUES (2, 'This is a secret!2');
INSERT INTO ntest (id, data) VALUES (3, 'This is a secret!3');
INSERT INTO ntest (id, data) VALUES (4, 'This is a secret!4');
INSERT INTO ntest (id, data) VALUES (5, 'This is a secret!5');
commit;

Export parfile example (expdp_ets_tables.par):


USERID='/ as sysdba'
TABLES=(test.ETS_TEST)
DUMPFILE=expdp_dir
LOGFILE=expdp_tables.log
-- Run the expdp command
#expdp parfile=expdp_ets_tables.par

Import parfile example (impdp_ets_tables.par):


USERID='/ as sysdba'
TABLES=(test.ETS_TEST)
REMAP_SCHEMA=test:imptest
REMAP_TABLESPACE=encrypted_ts:NORMAL
DUMPFILE=expdp_dir
LOGFILE=impdp_ets_tables
-- Run the impdp command
#impdp parfile=impdp_ets_tables.par
Export parfile example (expdp_n-e.par):
USERID='/ as sysdba'
TABLES=(imptest.ntest)
DUMPFILE=expdp_dir
LOGFILE=expdp_n-e.log
-- Run the expdp command
#expdp parfile=expdp_n-e.par

Import parfile example (impdp_n-e.par):


USERID='/ as sysdba'
TABLES=(imptest.ntest)
REMAP_SCHEMA=imptest:test
REMAP_TABLESPACE=NORMAL:encrypted_ts
DUMPFILE=expdp_dir
LOGFILE=impdp_n-e.log
-- Run the impdp command
#impdp parfile=impdp_n-e.par

SELECT t.name "TSName", e.encryptionalg "Algorithm", d.file_name "File Name"
FROM v$tablespace t, v$encrypted_tablespaces e, dba_data_files d
WHERE t.ts# = e.ts# AND t.name = d.tablespace_name;

-- Each table is joined to its own tablespace so the algorithm shown is the one that tablespace uses
SELECT a.owner "Owner", a.table_name "Table Name", e.encryptionalg "Algorithm"
FROM dba_tables a, v$tablespace t, v$encrypted_tablespaces e
WHERE a.tablespace_name = t.name AND t.ts# = e.ts#;

select * from gv$encryption_wallet;


SELECT SEGMENT_NAME,OWNER FROM DBA_SEGMENTS WHERE
TABLESPACE_NAME ='ENCRYPTED_TS';
Remarks/Issues
done
done
done

1) After creation of this key I got the file permission error on the wallet key; for that
I changed the permission on the folder and restarted the machine. After
restarting I tried to check whether the auto login is open or not by querying the 7th point,
but it is not open. I tried once again to reboot the system, same issue.
2) To open a wallet I need to run
"ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "abcd1234";". Now the
wallet is open, and I tried to know the status by running the query:

SQL> select status from v$encryption_wallet;

STATUS
------------------
OPEN_NO_MASTER_KEY

Surprise: the status is open_no_master_key. Again I shut down the database,
started it up and checked the above key, same issue. Then I issued this query "ALTER
SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "abcd1234";" and selected the
status; it shows OPEN.

DONE
DONE

done
Working fine
DONE

DONE

DONE
DONE
DONE

No rows selected
open

done
done
done

Export done successfully


done

Import done successfully


done
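
Steps 19 and 24 check the data file by viewing it. The following is an added example, not part of the original test plan, that automates the check by scanning a file for the test string inserted in step 18. The names find_plaintext and build_samples are assumptions, and the two sample files are constructed stand-ins for Normal_ts01.dbf and encrypted_ts01.dbf.

```python
import os
import tempfile

# Marker from the INSERT statements on this page. VARCHAR2 data in a
# single-byte database character set is stored as these ASCII bytes.
MARKER = b"This is a secret!"


def find_plaintext(path, marker=MARKER, chunk_size=1 << 20):
    """Return the byte offsets at which marker occurs in the file."""
    hits = []
    overlap = len(marker) - 1
    tail = b""
    base = 0  # file offset of the first byte of tail + chunk
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            pos = buf.find(marker)
            while pos != -1:
                hits.append(base + pos)
                pos = buf.find(marker, pos + 1)
            # Carry the last len(marker)-1 bytes forward so a marker that
            # straddles two reads is still found, without double counting.
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return hits


def build_samples(directory):
    """Write two constructed files standing in for the real data files."""
    rows = b"".join(b"\x00" * 4000 + MARKER + str(i).encode() for i in range(1, 6))
    plain = os.path.join(directory, "normal_sample.dbf")
    cipher = os.path.join(directory, "encrypted_sample.dbf")
    with open(plain, "wb") as fh:
        fh.write(rows)
    with open(cipher, "wb") as fh:
        fh.write(os.urandom(len(rows)))  # random bytes model ciphertext
    return plain, cipher


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for path in build_samples(d):
            print(os.path.basename(path), find_plaintext(path, chunk_size=4010))
```

Run against the real files once the blocks have been written to disk, the expected result is hits in Normal_ts01.dbf and none in encrypted_ts01.dbf. The same scan can be run against the .dmp files, since tablespace encryption does not cover Data Pump exports.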
Configuring RMAN on Encrypted Tablespace

Sno Description Instance

1 Take backup of Encrypted Tablespace, Archives and Controlfiles ETS
2 Offline Tablespace ETS

3 Generate changes in Database ETS


4 Flush Archivelog ETS
5 Move tablespace to new location ETS
6 Shutdown the database ETS

7 Startup In Mount stage recover the Encrypted tablespace ETS


8 Check the tables belongs to encrypted tablespace ETS
9 Check the wallet is open or not. ETS
10 Check the tablespace encrypted or not ETS
11
Commands

rman TARGET SYS/aman NOCATALOG


RUN {
ALLOCATE CHANNEL d1 DEVICE TYPE DISK;
#CONFIGURE ENCRYPTION FOR TABLESPACE encrypted_ts OFF;
BACKUP TABLESPACE encrypted_ts;
backup current controlfile FORMAT 'D:\OraHomeR2\backup\ctrl1.ctl';
BACKUP ARCHIVELOG ALL;
release channel d1;
}
ALTER TABLESPACE encrypted_ts OFFLINE;

sqlplus "/as sysdba"


create table test_rest(name varchar2(20));
insert into test_rest values('&name'); commit;
alter system switch logfile;
changed the datafile name
Shutdown immediate

rman TARGET SYS/aman NOCATALOG


STARTUP MOUNT;
RUN{
ALLOCATE CHANNEL d1 DEVICE TYPE DISK;
RESTORE TABLESPACE encrypted_ts;
RECOVER TABLESPACE encrypted_ts;
SQL 'Alter database open';
SQL 'ALTER TABLESPACE encrypted_ts ONLINE';
}
select * from test.ets_test;
select status from v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
Bugs Report
Remarks/Issues

done
done

done
done
done
done

done
done
done
done
