Introduction
In this blog post I will show you, step by step, how to revert the TDE configuration of a database server from Oracle Key Vault (OKV) back to a local wallet. This procedure was tested and used during a POC of OKV: the database had been configured to use OKV, but at the end it was necessary to convert the configuration back to a local wallet before deinstalling the OKV server.
I'm writing this post because I have found a lot of examples showing how to configure the wallet with OKV, but very limited resources showing how to revert it, at least with clear and straightforward steps.
Step by step
1) Identify the current directory where the Oracle database expects the TDE wallet (when WALLET_ROOT is set, the software keystore lives in <WALLET_ROOT>/tde; the wrl_type column tells the FILE row from the OKV row):
select con_id, wrl_type, wrl_parameter from v$encryption_wallet where wrl_parameter is not null;
2) Check whether this directory exists on the database server:
! ls -l /u01/app/oracle/admin/CDBSEC/wallet/tde/
3) If the directory doesn't exist, create it at the OS level first (owned by the oracle user and readable only by it), then create the password-protected local keystore in it. The statement below creates the keystore file (ewallet.p12) inside the directory the database expects; it does not create the directory itself:
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<wallet_password>";
4) Change the tde_configuration parameter to the value 'FILE|OKV'. The order matters: the first value is the primary keystore, so FILE becomes the target of the migration while OKV stays reachable to read the current master key:
alter system set tde_configuration = "KEYSTORE_CONFIGURATION=FILE|OKV" scope=both;
5) Now it is time to execute the REVERSE MIGRATE. This command migrates the TDE master encryption key from OKV to the local file keystore. The first password is the one you gave the local keystore in step 3, the second one is the OKV endpoint password; FORCE KEYSTORE lets the command proceed even if an auto-login keystore is currently open, and WITH BACKUP takes a copy of the local keystore before it is modified:
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "<LOCAL_wallet_password>"      -- local keystore password
  FORCE KEYSTORE
  REVERSE MIGRATE USING "<OKV_wallet_password>" -- OKV password
  WITH BACKUP;
6) Now that the TDE master encryption key has been migrated to the local wallet, change the tde_configuration parameter to 'FILE' only, so the Oracle database will not look for OKV anymore:
alter system set tde_configuration = "KEYSTORE_CONFIGURATION=FILE" scope=both;
7) This is optional, but very useful: create an auto-login keystore (cwallet.sso) from the password keystore, so the database can open the wallet at startup without anyone typing the password. Keep in mind that whoever can read cwallet.sso can open the keystore, so protect the directory with OS permissions (oracle user only), and consider CREATE LOCAL AUTO_LOGIN KEYSTORE, which ties the auto-login keystore to this host (not suitable when the wallet directory is shared, as in RAC):
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/admin/CDBSEC/wallet/tde' IDENTIFIED BY "<wallet_password>";
8) To start using the auto-login wallet, close the password-protected keystore; the database instance should pick up the auto-login keystore automatically:
administer key management set keystore close identified by "<wallet_password>" container=all;
9) Check the status in every container: it should be OPEN and the wallet type AUTOLOGIN (or LOCAL_AUTOLOGIN if you created a local auto-login keystore):
SELECT con_id, wrl_type, status, wallet_type FROM v$encryption_wallet;
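The whole procedure as one SQL*Plus script, added here as an example (it is not part of the original post and not Oracle's own documentation). It assumes the wallet path used above, that WALLET_ROOT is set, and that it is run as SYSDBA in the CDB root. It adds what the single statements above do not show: a pre-flight check that aborts before anything is changed if the OKV keystore is not open, passwords taken from hidden prompts instead of being written into the script, the LOCAL auto-login variant, and the post-migration checks on the keys and the encrypted tablespaces. The substitution variables tde_dir, local_pw and okv_pw are names chosen for this example.

```sql
-- Added example: OKV -> local wallet reverse migration as a single SQL*Plus
-- script. Run as SYSDBA from the CDB root. Assumes WALLET_ROOT is set and the
-- software keystore directory from the post. tde_dir, local_pw and okv_pw are
-- this example's own substitution variables.
WHENEVER SQLERROR EXIT FAILURE ROLLBACK
SET SERVEROUTPUT ON VERIFY OFF

DEFINE tde_dir = '/u01/app/oracle/admin/CDBSEC/wallet/tde'
-- HIDE keeps the passwords off the terminal and out of the script file.
-- A password containing '&' would be mangled by SQL*Plus substitution.
ACCEPT local_pw CHAR PROMPT 'Local keystore password: ' HIDE
ACCEPT okv_pw   CHAR PROMPT 'OKV endpoint password:   ' HIDE

-- 0) Record the starting state: which keystores exist, and which is primary.
COLUMN wrl_type      FORMAT a8
COLUMN wrl_parameter FORMAT a45
COLUMN status        FORMAT a18
COLUMN wallet_type   FORMAT a16
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type, wallet_order
  FROM v$encryption_wallet
 ORDER BY con_id, wrl_type;

-- Pre-flight: REVERSE MIGRATE has to read the current master key from OKV,
-- so the OKV keystore must be OPEN in the root. Abort here, before
-- TDE_CONFIGURATION is touched, rather than half way through.
-- (12.2 reports the OKV keystore with wrl_type HSM; 18c+ uses OKV.)
DECLARE
  v_status VARCHAR2(30);
BEGIN
  SELECT status INTO v_status
    FROM v$encryption_wallet
   WHERE wrl_type IN ('OKV', 'HSM') AND con_id = 1;
  IF v_status <> 'OPEN' THEN
    RAISE_APPLICATION_ERROR(-20001, 'OKV keystore is ' || v_status || ', expected OPEN');
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20002, 'no OKV keystore configured in the root');
END;
/

-- 1-3) Make sure the directory exists (oracle-only permissions) and that a
--      password keystore is in it. If ewallet.p12 is already there, the CREATE
--      fails and WHENEVER SQLERROR stops the script with nothing changed yet:
--      comment the CREATE out and rerun.
HOST mkdir -p -m 700 &tde_dir
HOST ls -l &tde_dir
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "&local_pw";

-- 4) FILE first (primary, the target), OKV second so the current key is still readable.
ALTER SYSTEM SET tde_configuration = "KEYSTORE_CONFIGURATION=FILE|OKV" SCOPE=BOTH;

-- 5) Migrate the master encryption key from OKV into the local keystore.
--    FORCE KEYSTORE: proceed even if an auto-login keystore is open.
--    WITH BACKUP: copy ewallet.p12 before it is modified.
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY
  IDENTIFIED BY "&local_pw"
  FORCE KEYSTORE
  REVERSE MIGRATE USING "&okv_pw"
  WITH BACKUP;

-- 6) OKV is no longer consulted.
ALTER SYSTEM SET tde_configuration = "KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH;

-- 7) Auto-login keystore bound to this host. Drop LOCAL when the wallet
--    directory is shared between nodes (RAC).
ADMINISTER KEY MANAGEMENT CREATE LOCAL AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '&tde_dir' IDENTIFIED BY "&local_pw";

-- 8) Close the password keystore so the auto-login one takes over.
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE
  IDENTIFIED BY "&local_pw" CONTAINER = ALL;

-- 9) Verify: FILE / OPEN / LOCAL_AUTOLOGIN in every container, the active
--    master key reported from the software keystore, encrypted tablespaces
--    still NORMAL, and the backup plus cwallet.sso present on disk.
SELECT con_id, wrl_type, status, wallet_type
  FROM v$encryption_wallet ORDER BY con_id;
SELECT con_id, key_id, keystore_type, activation_time
  FROM v$encryption_keys ORDER BY activation_time;
SELECT con_id, ts#, encryptionalg, status FROM v$encrypted_tablespaces;
HOST ls -l &tde_dir
```

Keep the backup copy that WITH BACKUP leaves in the wallet directory together with the new ewallet.p12 and cwallet.sso under the same restrictive permissions; the auto-login file is equivalent to the keystore password for anyone who can read it.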
Conclusion
At this point you should be able to deinstall the OKV client (endpoint software) on the server, provided no other database on the server is still using it.