Log in to the database instance as a user who has been granted the ADMINISTER KEY MANAGEMENT or SYSKM privilege. In a multitenant environment, log in to the root. For example:

    sqlplus c#sec_admin as syskm

Run the following SQL statement:

    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY

old_password is the current keystore password that you want to change.

new_password is the new password that you set for the keystore.

WITH BACKUP creates a backup of the current keystore before the password is changed. You must include this clause.

backup_identifier specifies an optional identifier string for the backup that is created. The backup_identifier is added to the name of the backup file. Enclose backup_identifier in single quotation marks (' '). This identifier is appended to the named keystore file (for example, ewallet_time_stamp_emp_key_pwd_change.p12).

The following example backs up the current keystore and then changes the password for the keystore:

    ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY
    old_password SET new_password WITH BACKUP USING 'pwd_change'

You must back up password-based software keystores, as per the security policy and requirements of your site.

A backup of the keystore contains all of the keys contained in the original keystore. Oracle Database prefixes the backup keystore with the creation time stamp (UTC). If you provide an identifier string, then this string is inserted between the time stamp and keystore name.

After you complete the backup operation, the keys in the original keystore are marked as "backed up". You can check the status of keys by querying the V$ENCRYPTION_WALLET data dictionary view.

You cannot back up auto-login or local auto-login software keystores. No new keys can be added to them directly through the ADMINISTER KEY MANAGEMENT statement operations. The information in these keystores is only read and hence there is no need for a backup.

If you have not yet backed up the keystore, then you can include the BACKUP clause in the ADMINISTER KEY MANAGEMENT statement when you create the TDE master encryption key. This both backs up the keystore and creates the TDE master encryption key. (Step 4: Set the Software TDE Master Encryption Key shows an example of how to accomplish this.)

Run the following SQL statement:

    ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE
    IDENTIFIED BY software_keystore_password

USING backup_identifier is an optional string that you can provide to identify the backup. Enclose this identifier in single quotation marks (' '). This identifier is appended to the named keystore file (for example, ewallet_time-stamp_emp_key_backup.p12).

software_keystore_password is the password for the keystore.

keystore_location is the path at which the backup keystore is stored. If you do not specify the keystore_location, then the backup is created in the same directory as the original keystore. Enclose this location in single quotation marks (' ').

The following example backs up a software keystore in the same location as the source keystore:

    ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'hr.emp_keystore' IDENTIFIED BY

After you run this statement, an ewallet_identifier.p12 file (for example, ewallet_time-stamp_hr.emp_keystore.p12) appears in the keystore location.

You can merge any combination of the software keystores. However, the merged keystore must be a password-based software keystore, and it can have a password that is different from the constituent keystores. To use the merged keystore, you must explicitly open the merged keystore after you create it, even if one of the constituent keystores was already open before the merge.

Whether a common key from two source keystores is added to or overwritten in a merged keystore depends on how you write the ADMINISTER KEY MANAGEMENT merge statement. For example, if you merge Keystore 1 and Keystore 2 to create Keystore 3, then the key in Keystore 1 is added to Keystore 3. If you merge Keystore 1 into Keystore 2, then the common key in Keystore 2 is not overwritten.

The ADMINISTER KEY MANAGEMENT merge statement has no bearing on the configured keystore that is in use. However, the merged keystore can be used as the new configured database keystore if you want. Remember that you must reopen the keystore if you are using the newly created keystore as the keystore for the database at the location configured by the sqlnet.ora file.

    ADMINISTER KEY MANAGEMENT MERGE KEYSTORE 'keystore1_location'
    IDENTIFIED BY software_keystore3_password

keystore1_location is the directory location of the first keystore, which will be left unchanged after the merge. Enclose this path in single quotation marks (' ').
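
The two ways of writing the merge statement that this page contrasts (Keystore 1 and Keystore 2 into a new Keystore 3, versus Keystore 1 into Keystore 2), as an added example that is not part of the original page. The directory paths, passwords and the 'pre_merge' identifier are constructed placeholders, and the AND KEYSTORE, INTO NEW KEYSTORE and INTO EXISTING KEYSTORE clauses are taken from Oracle's ADMINISTER KEY MANAGEMENT syntax rather than from the text preserved here.

```sql
-- Added example: every path, password and identifier below is a placeholder.

-- Form 1: merge Keystore 1 and Keystore 2 into a NEW Keystore 3.
-- The source keystores are left unchanged. Keystore 3 is a password-based
-- software keystore and may use a password different from either source.
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/u01/keystores/ks1'
  IDENTIFIED BY ks1_password
  AND KEYSTORE '/u01/keystores/ks2'
  IDENTIFIED BY ks2_password
  INTO NEW KEYSTORE '/u01/keystores/ks3'
  IDENTIFIED BY ks3_password;

-- Form 2: merge Keystore 1 INTO the existing Keystore 2.
-- Keystore 2 is modified, so the statement backs it up first.
-- A key that exists in both keystores is not overwritten in Keystore 2.
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/u01/keystores/ks1'
  IDENTIFIED BY ks1_password
  INTO EXISTING KEYSTORE '/u01/keystores/ks2'
  IDENTIFIED BY ks2_password
  WITH BACKUP USING 'pre_merge';

-- Neither form changes the keystore the database is currently using.
-- Check which keystore is configured, whether it is open, and whether
-- its keys have been backed up.
SELECT wrl_parameter, status, wallet_type, fully_backed_up
FROM   v$encryption_wallet;
```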