Skip to content

Changing SYS Password, Wallet Password, TDE Keystore Password, and SYS Password in Oracle Wallet

Kwame Bonsu May 2, 2023 7:45:00 AM
Changing SYS Password, Wallet Password, TDE Keystore Password, and SYS Password in Oracle Wallet – Eclipsys
12:25

Introduction:

In this piece, I will walk you through a real-life scenario recently faced with a client where I had to change the SYS password, wallet password, TDE keystore password, and SYS password stored in the encryption wallet of an Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 container DB without any PDBs present. This was done on an Oracle Exadata Cloud in the Customer environment.

Below, I will provide a log of the steps I followed and explain the steps/commands along the way.

 

1. Set the Environment Variables:  

[root@test-vm oracle]# . TESTDB.env

[root@test-vm oracle]# echo $ORACLE_HOME

/u02/app/oracle/product/19.0.0.0/dbhome_2

[root@test-vm oracle]# echo $ORACLE_SID

TESTDB1

[root@test-vm oracle]# cd

First, we set the environment variables to make sure we are working with the correct Oracle               Home and Oracle SID.

 

2. Verify the PMON Process is Running:

[root@test-vm ~]# ps -ef | grep pmon

grid      42122      1  0 Apr02 ?        00:01:45 asm_pmon_+ASM1

grid      50781      1  0 Apr02 ?        00:01:45 apx_pmon_+APX1

oracle   318201      1  0 15:31 ?        00:00:00 ora_pmon_TESTDB1

We checked the PMON process to ensure the database instance is running.

 

3. Change the SYS Password:

[root@test-vm ~]# dbaascli database changepassword --dbname TESTDB 
DBAAS CLI version 23.1.1.0.1
Executing command database changepassword
Job id: 2bb5b757-db93-42yg-b306-a098c5daeac1
Session log: /var/opt/oracle/log/TESTDB/database/changePassword/dbaastools_2023-04-24_04-22-44-PM_176968.log
Enter username whose password change is required:
sys
Enter new password:

Enter new password (reconfirmation):

Loading PILOT...
Session ID of the current execution is: 1354
Log file location: /var/opt/oracle/log/TESTDB/database/changePassword/pilot_2023-04-24_04-22-58-PM_180400
-----------------
Running Plugin_initialization job
Enter username whose password change is required
Enter new password
*****************
Completed Plugin_initialization job
-----------------
Running DB_change_password_prechecks job
Completed DB_change_password_prechecks job
-----------------
Running Extract_blob_in_standby job
Skipping. Job is detected as not applicable.
-----------------
Running Copy_blob_contents_in_standby job
Skipping. Job is detected as not applicable.
-----------------
Running Change_password job
Completed Change_password job
-----------------
Running Update_db_wallet job
Completed Update_db_wallet job
-----------------
Running Prepare_blob_for_standby_in_primary job
Skipping. Job is detected as not applicable.
dbaascli execution completed
[root@test-vm ~]#

We used the dbaascli utility to change the SYS password. The tool guides you through the process and prompts you for the necessary information.

 

4. Connect to the Database and Check the Wallet Status:

[root@test-vm ~]# su - oracle 
Last login: Mon Apr 24 16:23:34 ADT 2023

[oracle@test-vm ~]$ . TESTDB.env
[oracle@test-vm ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Mon Apr 24 16:24:33 2023
Version 19.17.0.0.0

Copyright (c) 1982, 2022, Oracle. All rights reserved.

Connected to:
Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.17.0.0.0

SQL> set linesize 200
SQL> col WRL_PARAMETER for a60
SQL> col status for a45
SQL> SELECT * FROM v$encryption_wallet;

WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------------------- ------------------------------------------------------------ --------------------------------------------- -------------------- --------- -------- --------- ----------
FILE /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ OPEN AUTOLOGIN SINGLE NONE NO 1
FILE OPEN AUTOLOGIN SINGLE NONE NO 2

SQL> quit
Disconnected from Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.17.0.0.0

We connected to the database using SQL*Plus and checked the wallet status using the v$encryption_wallet view.

 

5. List and Manage Wallet Credentials

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -listCredential 
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)

The above output indicates that there are no credentials in the wallet for the “SYS” user or any other user for that matter

The following command lists the entries stored in the wallet including encryption keys and other security-related data.

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -list 
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.Ae56789jkhgfddfyguiopoiuytuiAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AX567890KLJHGFDSFGHJKL89765467890-KJHGHJKLJHG76
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.RETYUIOP89765467890876578OIUYGFHJKLJHGF
ORACLE.SECURITY.ID.ENCRYPTION. ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.34567890-LKJHGFDSDFGHJKL;KJHGFHJKL;987654567890YTRFGH
ORACLE.SECURITY.KM.ENCRYPTION.4567890-98765GHJKLJHGFDGHJKL;KJHGFRTYUIO6546789UYTYUIOUYTGHJ

As shown below there are no present credentials for the sys user

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde -viewEntry oracle.security.client.connect_string1 
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Secret Store error occurred: oracle.security.pki.OracleSecretStoreException: PKI-03002: No entry found for the alias: oracle.security.client.connect_string1

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -viewEntry oracle.security.client.username1
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Secret Store error occurred: oracle.security.pki.OracleSecretStoreException: PKI-03002: No entry found for the alias: oracle.security.client.username1

 

6. Modify Wallet Entries:

We updated the wallet entries as required, including creating and modifying the TDE keystore password entry and setting up the required credentials for the “sys” user

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -createCredential TESTDB sys 
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -viewEntry oracle.security.client.username1
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
oracle.security.client.username1 = sys
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde -viewEntry oracle.security.client.connect_string1 
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
oracle.security.client.connect_string1 = TESTDB
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde -viewEntry oracle.security.client.password1
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
oracle.security.client.password1 = B@nkuL!ze

Now we create “tde_ks_passwd” since from the output below it is not present

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -viewEntry tde_ks_passwd 
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Secret Store error occurred: oracle.security.pki.OracleSecretStoreException: PKI-03002: No entry found for the alias: tde_ks_passwd

[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -createEntry tde_ks_passwd
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/wallet_root/tde/ -viewEntry tde_ks_passwd
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
tde_ks_passwd = B@nkuL!ze

 

7. Change the TDE Keystore Password:

[oracle@test-vm ~]$ sqlplus / as sysdba 
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Apr 24 16:42:26 2023
Version 19.17.0.0.0
Copyright (c) 1982, 2022, Oracle. All rights reserved.

Connected to:
Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.17.0.0.0

SQL> show pdbs

CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO

SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY old_password SET new_password WITH BACKUP;

keystore altered.

SQL> quit
Disconnected from Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.17.0.0.0

Finally, we used the ADMINISTER KEY MANAGEMENT SQL command to change the TDE keystore password.

 

Conclusion:

In this piece, we walked through the steps required to change the SYS password, wallet password, TDE keystore password, and SYS password stored in the encryption wallet of an Oracle Database 19c container DB. This process was performed on an Oracle Exadata Cloud in a Customer environment. Remember to back up your wallets and keys before making any changes.

 

References:

https://eclipsys.ca/how-to-change-sys-password-on-exacc-gen-2/

Leave a Comment