ORA-25319 In The Alert Log and References to kcbztek_get_tbskey and/or kcrf_decrypt_redokey When Starting Up The Database (Doc ID 1363137.1)


In this Document

  Symptoms
  Changes
  Cause
  Solution
  References

 

APPLIES TO:

Advanced Networking Option - Version 11.2.0.2 and later
Information in this document applies to any platform.
Checked for relevance on 08-MAR-2013

SYMPTOMS

You are seeing errors like the following in the alert.log (details may differ):
 

SMON: enabling tx recovery
Database Characterset is WE8MSWIN1252
kcbztek_get_tbskey: decrypting encrypted key for tablespace 0 without opening the wallet
Errors in file /opt/u01/app/oracle/diag/rdbms/dbname/dbname/trace/dbname_smon_12345.trc:
ORA-01595: error freeing extent (171) of rollback segment (1))
ORA-28365: wallet is not open
No Resource Manager plan active
replication_dependency_tracking turned off (no async multimaster replication found)
ARC3: Archival started
ARC0: STARTING ARCH PROCESSES COMPLETE
kcbztek_get_tbskey: decrypting encrypted key for tablespace 6 without opening the wallet
Errors in file /opt/u01/app/oracle/diag/rdbms/dbname/dbname/trace/dbname_ora_12824.trc (incident=22963):
ORA-25319: Queue table repartitioning aborted
Incident details in: /opt/u01/app/oracle/diag/rdbms/dbname/dbname/incident/incdir_22963/dbname_ora_12824_i22963.trc
kcrf_decrypt_redokey: wallet is not opened..
Errors in file /opt/u01/app/oracle/diag/rdbms/dbname/dbname/incident/incdir_22963/dbname_ora_12824_i22963.trc:
ORA-28365: wallet is not open
ORA-25319: Queue table repartitioning aborted
Fri Sep 23 12:53:38 2011
kcrf_decrypt_redokey: wallet is not opened..
Errors in file /opt/u01/app/oracle/diag/rdbms/dbname/dbname/incident/incdir_22963/dbname_ora_12824_i22963.trc:
ORA-28365: wallet is not open
ORA-25319: Queue table repartitioning aborted


<continues with similar errors>

CHANGES

You have configured TDE with an encrypted tablespace or some encrypted columns.

CAUSE


The encryption wallet was not open during startup and the subsequent instance recovery. When startup or recovery procedures need to access encrypted data in data blocks, redo, or undo (rollback), the master key is needed to decrypt the data, so the wallet must be open.
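
To confirm from an alert.log that a startup hit this condition, the signatures shown under Symptoms can be counted. The script below is an added example, not part of the Oracle note: the function names are hypothetical and the sample input is constructed from the alert.log lines quoted above.

```shell
#!/bin/sh
# Added example: summarise the wallet-not-open signatures from this note.

# Constructed sample, built from the alert.log lines quoted under Symptoms.
sample_alert_log() {
cat <<'EOF'
SMON: enabling tx recovery
kcbztek_get_tbskey: decrypting encrypted key for tablespace 0 without opening the wallet
ORA-01595: error freeing extent (171) of rollback segment (1))
ORA-28365: wallet is not open
kcbztek_get_tbskey: decrypting encrypted key for tablespace 6 without opening the wallet
ORA-25319: Queue table repartitioning aborted
kcrf_decrypt_redokey: wallet is not opened..
ORA-28365: wallet is not open
ORA-25319: Queue table repartitioning aborted
EOF
}

# Reads alert.log text on stdin and prints one summary line:
#   wallet_closed=<yes|no> tablespaces=<list> ora28365=<n> ora25319=<n> redokey=<n>
scan_alert_log() {
  awk '
    # Tablespace key decrypted while the wallet was closed: record each number once.
    /kcbztek_get_tbskey: .* without opening the wallet/ {
      for (i = 1; i < NF; i++)
        if ($i == "tablespace" && !seen[$(i+1)]++)
          ts = ts (ts == "" ? "" : ",") $(i+1)
    }
    # Redo key could not be decrypted.
    /kcrf_decrypt_redokey: wallet is not opened/ { redo++ }
    /^ORA-28365:/ { w++ }
    /^ORA-25319:/ { q++ }
    END {
      closed = (w > 0 || redo > 0 || ts != "") ? "yes" : "no"
      printf "wallet_closed=%s tablespaces=%s ora28365=%d ora25319=%d redokey=%d\n",
             closed, (ts == "" ? "-" : ts), w, q, redo
    }'
}

# Demo on the constructed sample; on a real system, redirect the
# instance alert log into scan_alert_log instead.
sample_alert_log | scan_alert_log
```

A `wallet_closed=yes` result that lists tablespace numbers points to the startup sequence or the auto-open wallet described under Solution.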

SOLUTION

The following two alternatives will make sure the master key is available during startup:

1) Start the database using the following sequence:

 

startup nomount
alter system set wallet open identified by "&wallet_password";
alter database mount;
alter database open;



2) Create an auto-open wallet:

orapki wallet create -wallet <wallet location> -auto_login -pwd <wallet password>

This creates cwallet.sso next to the existing wallet file ewallet.p12, which causes the wallet to be opened automatically when TDE data is accessed for the first time. Note that cwallet.sso is not a replacement for ewallet.p12; the files must be kept together.

REFERENCES

NOTE:1228046.1 - Master Note For Transparent Data Encryption ( TDE )
NOTE:1251597.1 - Quick TDE Setup and FAQ
NOTE:1073237.1 - Database With Encrypted Tablespaces Cannot Be Opened If The TDE Wallet Is Not Accessible