In this piece, I will walk you through a real-life scenario I recently faced with a client, where I had to change an Oracle 12c SYS and wallet password to one that does not meet the ExaCC password verification function guidelines. This was done on an Oracle Exadata Cloud-at-Customer environment.
Below, I will provide a log of my steps and explain the actions/commands along the way.
1. Set the Environment Variables:
[oracle@test-vm ~]$ . TESTDB.env
[oracle@test-vm ~]$ echo $ORACLE_HOME
/u02/app/oracle/product/12.2.0/dbhome_2
[oracle@test-vm ~]$ echo $ORACLE_SID
TESTDB1
First, we set the environment variables to make sure we are working with the correct Oracle Home and Oracle SID.
2. Verify the PMON Process is Running:
[root@test-vm ~]# ps -ef | grep pmon
grid 42122 1 0 Apr02 ? 00:01:45 asm_pmon_+ASM1
grid 50781 1 0 Apr02 ? 00:01:45 apx_pmon_+APX1
oracle 318201 1 0 15:31 ? 00:00:00 ora_pmon_TESTDB1
We checked the PMON process to ensure the database instance is running.
3. Disable the Password Verify Function for the Default Profile:
SQL> alter profile default limit password_verify_function null;
Profile altered.
4. Change SYS Password to Preferred Value (Not Meeting DBAAS_VERIFY_FUNCTION Guidelines):
SQL> alter user sys identified by "PASSWORD";
Re-enable the password verify function as it was before:
SQL> alter profile default limit password_verify_function DBAAS_VERIFY_FUNCTION;
Profile altered.
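One way to run steps 3 and 4 so that the verify function is restored even if the password change fails, with a before/after check against DBA_PROFILES. This is an added example, not part of the original log; the substitution variable new_sys_pw and the column aliases are names chosen here, and DBAAS_VERIFY_FUNCTION is assumed to be the profile's original setting, as in the step above.

```sql
-- Added example, not from the original post. Run in SQL*Plus as SYSDBA.
-- Assumption: DBAAS_VERIFY_FUNCTION is the function to restore, as in step 4.

-- Do not echo the substituted password back to the terminal.
SET VERIFY OFF
WHENEVER SQLERROR EXIT FAILURE

-- Record the setting before the change.
SELECT limit AS verify_function_before
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    resource_name = 'PASSWORD_VERIFY_FUNCTION';

-- Accounts on the DEFAULT profile also lose the check while it is NULL.
SELECT username, account_status
FROM   dba_users
WHERE  profile = 'DEFAULT'
AND    oracle_maintained = 'N'
ORDER  BY username;

-- Prompt for the password so it is not stored in a script or shell history.
ACCEPT new_sys_pw CHAR PROMPT 'New SYS password: ' HIDE

BEGIN
  EXECUTE IMMEDIATE
    'ALTER PROFILE default LIMIT password_verify_function NULL';
  BEGIN
    -- The password must not contain a single or double quote character.
    EXECUTE IMMEDIATE 'ALTER USER sys IDENTIFIED BY "&new_sys_pw"';
  EXCEPTION
    WHEN OTHERS THEN
      -- Restore the check even when the password change fails, then re-raise.
      EXECUTE IMMEDIATE
        'ALTER PROFILE default LIMIT password_verify_function DBAAS_VERIFY_FUNCTION';
      RAISE;
  END;
  EXECUTE IMMEDIATE
    'ALTER PROFILE default LIMIT password_verify_function DBAAS_VERIFY_FUNCTION';
END;
/

UNDEFINE new_sys_pw

-- Confirm the restore: this must return DBAAS_VERIFY_FUNCTION.
SELECT limit AS verify_function_after
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    resource_name = 'PASSWORD_VERIFY_FUNCTION';
```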
5. List and Manage Wallet Credentials:
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -listCredential
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter Wallet Password:
List credential (index: connect_string username)
The above output indicates that there are no credentials in the wallet for the “SYS” user, or for any other user.
The following command lists the entries stored in the wallet, including encryption keys and other security-related data.
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -list
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.8786543wertyuiytrMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.iuytrewrt6789876543567890iuyhgfAAAAAAAAAAAAAAAAAGH
As shown below, there are no credentials present for the sys user:
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.connect_string1
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Secret Store error occurred: oracle.security.pki.OracleSecretStoreException: PKI-03002: No entry found for the alias: oracle.security.client.connect_string1
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.username1
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Secret Store error occurred: oracle.security.pki.OracleSecretStoreException: PKI-03002: No entry found for the alias: oracle.security.client.username1
6. Modify Wallet Entries:
We updated the wallet entries as required, including creating and modifying the TDE keystore password entry and setting up the required credentials for the “sys” user:
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -createCredential TESTDB sys
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Your secret/Password is missing in the Command Line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.username1
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter Wallet Password:
oracle.security.client.username1 = sys
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -viewEntry oracle.security.client.password1
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter Wallet Password:
oracle.security.client.password1 = PASSWORD
Now we create the “tde_ks_passwd” entry, since it is not yet present in the wallet:
[oracle@test-vm ~]$ mkstore -wrl /var/opt/oracle/dbaas_acfs/TESTDB/tde_wallet/ -createEntry tde_ks_passwd
Oracle Secret Store Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:
Enter wallet password:
7. Change the TDE Keystore Password:
[oracle@test-vm ~]$ sqlplus / as sysdba
SQL*Plus: Release 12.2.0.1.0 Production on Thu May 25 00:30:00 2023
Copyright (c) 1982, 2016, Oracle. All rights reserved.
Connected to:
Oracle Database 12c EE Extreme Perf Release 12.2.0.1.0 - 64bit Production
SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY CURRENT_PASSWORD SET NEW_PASSWORD with backup;
keystore altered.
Finally, we used the ADMINISTER KEY MANAGEMENT SQL command to change the TDE keystore password.
Conclusion:
In this piece, we walked through the steps required to change the SYS Password, Wallet Password, TDE Keystore Password, and SYS Password stored in the encryption wallet of an Oracle Database 12c database. This process was performed on an Oracle Exadata Cloud-at-Customer environment. Remember to back up your wallets and keys before making any changes.