Wednesday, August 12, 2015

Change Oracle Wallet Keys

1. Backup the current P12 to archive


a. Oracle Wallet keys are stored in ACFS, a cluster file system on top of ASM. On Unix, access to the wallet is be limited to the 'oracle:oinstall' user:group, using proper directory (700) and file permissions (600). 
b. Its back up after each master-rekey operation or changes to a encrypted network drive. (Kee-Pass)
c. The backups are stored away from database backups.

2. Use orapki wallet display -wallet to see master key list and validate the password


[TEST-DB]/ora/wallets/test-db> orapki wallet display -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:  
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Trusted Certificates:
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

3. Change Oracle Wallet Password


[test-db1]/ora/wallets/test-db> orapki wallet change_pwd -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:  
New password:
Enter wallet password:  
[test-db1]/ora/wallets/test-db>

4. Use orapki wallet display -wallet to see that a new master key has been added


[test-db1]/ora/wallets/test-db/client> orapki wallet display -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:  
PKI-02002: Unable to open the wallet. Check password.
[test-db1]/ora/wallets/test-db/client> orapki wallet display -wallet /ora/wallets/test-db/
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:  
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Trusted Certificates:
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
[test-db1]/ora/wallets/test-db/client>

5. Backup the new P12 to archive and the Kee-Pass


6. Close the wallet and reopen


SQL> alter system set encryption wallet open identified by "";
alter system set encryption wallet open identified by ""
*
ERROR at line 1:
ORA-28353: failed to open wallet
SQL> alter system set encryption wallet open identified by "";
System altered.
SQL> exit

7. Run a query that touches TDE encrypted data


--When the wallet is closed
select * from encrypted_table;
ORA-28365: wallet is not open
28365. 0000 -  "wallet is not open"
*Cause:    The security module wallet has not been opened.
*Action:   Open the wallet.
--Opening the wallet
select count(*) from encrypted_table;
17981
Posted by at No comments:
Labels:

Tuesday, August 11, 2015

Generate DDL of Oracle Schema Using Expdp

1. Login to Oracle db


expdp "'"/ as sysdba"'" schemas=schema_name1,schema_name2 dumpfile=dumpfile.dmp content=METADATA_ONLY LOGFILE=expdp.log


2. Use sqlfile option with impdp

impdp "'"/ as sysdba"'" dumpfile=dumpfile.dmp sqlfile=ddl.sql


3. The output ddl.sql will contain the schema DDL of the mentioned schemas.
Posted by at No comments:
Labels:

Relink Oracle Home and Grid Home after OS upgrade in Oracle RAC



1. Shutdown Oracle RAC crs and asm. Node wise if needed for zero downtime.

2. Perform OS Upgrade.

3. Upgrade ASMlib

Download from here.
http://www.oracle.com/technetwork/server-storage/linux/downloads/rhel5-084877.html
http://www.oracle.com/technetwork/topics/linux/asmlib/index-101839.html
http://www.oracle.com/technetwork/server-storage/linux/asmlib/ol6-1709075.html

# rpm -Uvh oracleasm-support-xxx
# rpm -Uvh oracleasm-2.6.xxx
# rpm -Uvh oracleasmlib-xxx

# /etc/init.d/oracleasm enable
# /etc/init.d/oracleasm listdisks

4. Relink RDBMS ORACLE_HOME Binary

Use oracle
$ /bin/relink all

5. Relink grid home Binary
Note: complete full steps in onde node, then proceed to next
As UNIX/Linux “root”:
# cd /u01/app/11.2.0/grid/crs/install
# ./rootcrs.pl -unlock

Use oracle
$ cd /bin
$ ./relink all


Use root
# cd /rdbms/install
# ./rootadd_rdbms.sh
# cd /crs/install
# ./rootcrs.pl -patch


6. -- Check Log location
[grid@test-db]$ pwd
/u01/app/11.2.0/grid/log/test-db


7.  Startup CRS nodewise using root
# /bin/crsctl start crs

Start the database instance if needed.
--Startup one node instance
srvctl start instance -d DB_NAME -i INST_NAME

Check if the instances are online.
$ crsctl stat res -t



++++++++++++++++++
References
++++++++++++++++++
How to Check Whether Oracle Binary/Instance is RAC Enabled and Relink Oracle Binary in RAC (Doc ID 284785.1)

Posted by at No comments:
Labels:

Shutdown and Startup one Oracle Rac Node

+++++++++++++++++++++++++++
Shutdown one node:
+++++++++++++++++++++++++++

--Shutdown Instance
srvctl stop instance -d DB_NAME -i INST_NAME -o transactional

--Login as Root and shutdown crs
[root@test-db ~]# cd /u01/app/11.2.0/grid/bin
[root@test-db bin]# ./crsctl stat res -t
[root@test-db bin]# ./crsctl stop crs

+++++++++++++++++++++++++++
Startup one node:
+++++++++++++++++++++++++++

--Login as Root and start crs
[root@test-db ~]# cd /u01/app/11.2.0/grid/bin
crsctl start crs
crsctl check crs

--Startup one node instance
srvctl start instance -d DB_NAME -i INST_NAME
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)