3-30 Oracle Database Advanced Security Administrator’s Guide
Create an Encrypted Tablespace
Tablespace encryption enables you to encrypt an entire tablespace. All data stored in the tablespace is encrypted by default. Thus, if you create any table in an encrypted tablespace, it is encrypted by default. You do not need to perform a granular analysis of each table column to determine the columns that need encryption.
Let us create an encrypted tablespace to store encrypted tables. The wallet must be open and the master key must already be set before this statement is run (see ORA-28361 and ORA-28365 in the troubleshooting section). The following command creates an encrypted tablespace called securespace; because no USING clause is given, the default encryption algorithm (AES128) is used:

SQL> CREATE TABLESPACE securespace
       DATAFILE '/home/oracle/oracle3/product/11.1.0/db_1/secure01.dbf' SIZE 150M
       ENCRYPTION
       DEFAULT STORAGE (ENCRYPT);

Tablespace created.
Create a Table in an Encrypted Tablespace
If we create a table in an encrypted tablespace, then all data in the table is stored in encrypted form on disk. The following command creates a table called customer_payment_info in the encrypted tablespace securespace. The TABLESPACE clause is what places the table there; without it the table is created in the user's default tablespace and is not encrypted.

SQL> CREATE TABLE customer_payment_info
       (first_name VARCHAR2(11),
        last_name VARCHAR2(10),
        order_number NUMBER(5),
        credit_card_number VARCHAR2(16),
        active_card VARCHAR2(3))
     TABLESPACE securespace;

Table created.
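The two statements above, carried through end to end with the checks a DBA would run afterwards, as an added example that is not taken from the Oracle guide. It assumes an 11g instance whose sqlnet.ora already points ENCRYPTION_WALLET_LOCATION at a wallet with a master key; the wallet password and the datafile path are placeholders. Unlike the guide's example it names the algorithm explicitly with USING, and it queries the catalog to prove that both the tablespace and the table are where, and what, they are meant to be.

```sql
-- Added example (not from the Oracle guide). Placeholders: "wallet_password"
-- and the datafile path. Views used are the standard 11g dictionary views.

-- 1. The wallet must be open before any encrypted data can be written;
--    otherwise the CREATE TABLESPACE below fails with ORA-28365.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";

-- 2. Create the tablespace, naming the algorithm. The guide's example omits
--    USING and therefore gets the default (AES128); AES256 is chosen here.
CREATE TABLESPACE securespace
  DATAFILE '/u01/app/oracle/oradata/orcl/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Put the table in it. No per-column ENCRYPT clause is needed, so the
--    salt/index/constraint restrictions of column encryption do not apply.
CREATE TABLE customer_payment_info (
  first_name         VARCHAR2(11),
  last_name          VARCHAR2(10),
  order_number       NUMBER(5),
  credit_card_number VARCHAR2(16),
  active_card        VARCHAR2(3)
) TABLESPACE securespace;

-- 4. Verify the tablespace: DBA_TABLESPACES.ENCRYPTED is 'YES', and
--    V$ENCRYPTED_TABLESPACES reports the algorithm that was actually applied.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURESPACE';

SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name = 'SECURESPACE';

-- 5. Verify the table landed in the encrypted tablespace. A table created
--    without a TABLESPACE clause goes to the user's default tablespace and
--    its card numbers would be on disk in the clear.
SELECT table_name, tablespace_name
  FROM user_tables
 WHERE table_name = 'CUSTOMER_PAYMENT_INFO';
```

The last query is the one worth keeping in a post-deployment check: tablespace encryption protects only what is physically stored in the encrypted tablespace, so a table, index or LOB segment that ends up elsewhere is not covered. If the datafiles are later moved to another instance, that instance's wallet must hold the same master key or access fails with ORA-28374.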
Troubleshooting Transparent Data Encryption
This section lists common error messages that you may encounter while configuring and using transparent data encryption. It also lists the common causes of these error messages and possible solutions for them.
ORA-28330: encryption is not allowed for this data type
Cause: Data type was not supported for column encryption.
Action: None
ORA-28331: encrypted column size too long for its data type
Cause: column was encrypted and for VARCHAR2, the length specified was > 3932; for CHAR, the length specified was > 1932; for NVARCHAR2, the length specified was > 1966; for NCHAR, the length specified was > 966;
Action: Reduce the column size.
ORA-28332: cannot have more than one password for the encryption key
Cause: More than one password was specified in the user command.
Action: None
ORA-28333: column is not encrypted
Cause: An attempt was made to rekey or decrypt an unencrypted column.
Action: None
ORA-28334: column is already encrypted
Cause: An attempt was made to encrypt an encrypted column.
Action: None
ORA-28335: referenced or referencing FK constraint column cannot be encrypted
Cause: Encrypted columns were involved in the referential constraint.
Action: None
ORA-28336: cannot encrypt SYS owned objects
Cause: An attempt was made to encrypt columns in a table owned by SYS.
Action: None
ORA-28337: the specified index may not be defined on an encrypted column
Cause: Index column was either a functional, domain, or join index.
Action: None
ORA-28338: cannot encrypt indexed column(s) with salt
Cause: An attempt was made to encrypt an indexed column with salt.
Action: Alter the table and specify column encryption without salt.
ORA-28339: missing or invalid encryption algorithm
Cause: Encryption algorithm was missing or invalid in the user command.
Action: Specify a valid algorithm.
ORA-28340: a different encryption algorithm has been chosen for the table
Cause: Existing encrypted columns were associated with a different algorithm.
Action: Either omit the algorithm, or specify the same one used for the existing encrypted columns.
ORA-28341: cannot encrypt constraint column(s) with salt
Cause: An attempt was made to encrypt constraint columns with salt.
Action: Encrypt the constraint columns without salt.
ORA-28342: integrity check fails on column key
Cause: Encryption metadata may have been improperly altered.
Action: None
ORA-28343: fails to encrypt data
Cause: Data or encryption metadata may have been improperly altered, or the security module may not have been properly set up.
Action: None
ORA-28344: fails to decrypt data
Cause: Data or encryption metadata may have been improperly altered, or the security module may not have been properly set up.
Action: None
ORA-28345: cannot downgrade because there exists encrypted column
Cause: An attempt was made to downgrade when there was an encrypted column in the system.
ORA-28346: an encrypted column cannot serve as a partitioning column
Cause: An attempt was made to encrypt a partitioning key column or to create a partitioning index with encrypted columns.
Action: The column must be decrypted.
ORA-28347: encryption properties mismatch
Cause: An attempt was made to issue an ALTER TABLE EXCHANGE PARTITION | SUBPARTITION command, but encryption properties were mismatched.
Action: Make sure encryption algorithms and column keys are identical. The corresponding columns must be encrypted on both tables with the same salt or no-salt flavor.
ORA-28348: index defined on the specified column cannot be encrypted
Cause: An attempt was made to encrypt a column which is in a functional index, domain index, or join index.
Action: Drop the index.
ORA-28349: cannot encrypt the specified column recorded in the materialized view log
Cause: An attempt was made to encrypt a column which is already recorded in the materialized view log.
Action: Drop the materialized view log.
ORA-28350: cannot encrypt the specified column recorded in CDC synchronized change table
Cause: An attempt was made to encrypt a column which is already recorded in CDC synchronized change table.
Action: Drop the synchronized change table.
ORA-28351: cannot encrypt the column of a cluster key
Cause: An attempt was made to encrypt a column of the cluster key. A column of the cluster key in a clustered table cannot be encrypted.
Action: None
ORA-28353: failed to open wallet
Cause: The database was unable to open the security module wallet due to an incorrect wallet path or password. It is also possible that a wallet has not been created. Type mkwallet from the command line for instructions.
Action: Execute the command again using the correct wallet password, or verify that a wallet exists in the specified directory. If necessary, create a new wallet and initialize it.
ORA-28354: wallet already open
Cause: The security module wallet has already been opened.
Action: None
ORA-28356: invalid open wallet syntax
Cause: The command to open the wallet contained improper spelling or syntax.
Action: If attempting to open the wallet, verify the spelling and syntax and execute the command again.
ORA-28357: password required to open the wallet
Cause: A password was not provided when executing the open wallet command.
Action: Retry the command with a valid password.
ORA-28358: improper set key syntax
Cause: The command to set the master key contained improper spelling or syntax.
Action: If attempting to set the master key for Transparent Data Encryption, verify the spelling and syntax and execute the command again.
ORA-28359: invalid certificate identifier
Cause: The certificate specified did not exist in the wallet.
Action: Query the V$WALLET fixed view to find the proper certificate identifier for certificate to be used.
ORA-28361: master key not yet set
Cause: The master key for the instance was not set.
Action: Execute the ALTER SYSTEM SET ENCRYPTION KEY command to set a master key for the database instance.
ORA-28362: master key not found
Cause: The required master key could not be located. This may be caused by the use of an invalid or incorrect wallet.
Action: Check wallet location parameters to see if they specify the correct wallet. Also, verify that an SSO wallet is not being used when an encrypted wallet is intended.
ORA-28363: buffer provided not large enough for output
Cause: A provided output buffer is too small to contain the output.
Action: Check the size of the output buffer to make sure it is initialized to the proper size.
ORA-28364: invalid wallet operation
Cause: The command to operate the wallet contained improper spelling or syntax.
Action: Verify the spelling and syntax and execute the command again.
ORA-28365: wallet is not open
Cause: The security module wallet has not been opened.
Action: Open the wallet.
ORA-28366: invalid database encryption operation
Cause: The command for database encryption contained improper spelling or syntax.
Action: Verify the spelling and syntax and execute the command again.
ORA-28367: wallet does not exist
Cause: The Oracle wallet has not been created, or the wallet location parameter in sqlnet.ora specifies an invalid wallet path.
Action: Verify that the WALLET_LOCATION or the ENCRYPTION_WALLET_LOCATION parameter is correct and that a valid wallet exists in the path specified.
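Most of the wallet errors above (ORA-28353, ORA-28361, ORA-28362, ORA-28365, ORA-28367) come down to three questions: which wallet does the instance think it is using, is it open, and does it hold a master key that the existing encrypted columns were keyed with. The following is an added diagnostic sequence, not part of the Oracle guide, that answers them from the dictionary before anything is changed. It assumes an 11g instance and uses a placeholder wallet password.

```sql
-- Added example (not from the Oracle guide). "wallet_password" is a placeholder.

-- Q1/Q2: which wallet, and is it open? WRL_PARAMETER is the path the instance
-- resolved from ENCRYPTION_WALLET_LOCATION (or WALLET_LOCATION) in sqlnet.ora;
-- compare it with the directory you believe holds the wallet (ORA-28362,
-- ORA-28367). STATUS 'CLOSED' is the cause of ORA-28365 on encrypted access.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- Open it. ORA-28353 here means the path or password is wrong or no wallet
-- file exists at that path; ORA-28354 means it was already open.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";

-- ORA-28361 (master key not yet set): set one. On a fresh instance this also
-- creates the wallet file, which is where ORA-28368 surfaces if the Oracle
-- user lacks write permission on the wallet directory.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password";

-- Q3: what depends on that key? Every column listed here is unreadable while
-- the wallet is closed, and every one of them must be re-keyed if the master
-- key is rotated. The SALT column also tells you in advance which ALTERs will
-- fail: a salted column cannot be indexed (ORA-28338) and a constraint column
-- must be unsalted (ORA-28341).
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;
```

Run the first query again after the OPEN; if STATUS is still not OPEN but the statement returned no error, the instance and sqlnet.ora disagree about the wallet directory and the second wallet is the one to look at. Keep the wallet password out of SQL*Plus history and scripts; in an environment where that is hard, the page's ORA-28362 note about SSO (auto-login) wallets is the relevant alternative.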
ORA-28368: cannot auto-create wallet
Cause: The database failed to auto-create an Oracle wallet. The Oracle process may not have proper file permissions, or a wallet may already exist.
Action: Confirm that proper directory permissions are granted to the Oracle user and that neither an encrypted nor an obfuscated wallet exists in the specified wallet location, and try again.
ORA-28369: cannot add files to encryption-ready tablespace when offline
Cause: You attempted to add files to an encryption-ready tablespace when all the files in the tablespace were offline.
Action: Bring the tablespace online and try again.
ORA-28370: ENCRYPT storage option not allowed
Cause: You attempted to specify the ENCRYPT storage option. This option may only be specified during CREATE TABLESPACE.
Action: Remove this option and retry the statement.
ORA-28371: ENCRYPTION clause and/or ENCRYPT storage option not allowed
Cause: You attempted to specify the ENCRYPTION clause or ENCRYPT storage option when creating a TEMP or UNDO tablespace.
Action: Remove these options and retry the statement.
ORA-28372: missing ENCRYPT storage option for encrypted tablespace
Cause: You attempted to specify the ENCRYPTION property for CREATE TABLESPACE without specifying the ENCRYPT storage option to encrypt the tablespace.
Action: Add the ENCRYPT storage option and retry the statement.
ORA-28373: missing ENCRYPTION clause for encrypted tablespace
Cause: You attempted to specify the storage option ENCRYPT in CREATE TABLESPACE without specifying the ENCRYPTION property to encrypt the tablespace.
Action: Add the ENCRYPTION clause and retry the statement.
ORA-28374: typed master key not found in wallet
Cause: You attempted to access encrypted tablespace or redo logs with a typed master key not existing in the wallet.
Action: Copy the correct Oracle Wallet from the instance where the tablespace was created.
ORA-28375: cannot perform cross-endianism conversion on encrypted tablespace
Cause: You attempted to perform cross-endianism conversion on an encrypted tablespace.
Action: Cross-endianism conversion on an encrypted tablespace is not supported.
ORA-28376: cannot find PKCS11 library
Cause: The HSM vendor's library cannot be found.
Action: Place the HSM vendor's library in the following directory structure.
For Unix-like systems:
/opt/oracle/extapi/[32,64]/hsm/{VENDOR}/{VERSION}/lib<apiname>.<ext>
For Windows systems: the corresponding directory structure, ending in lib<apiname>.<ext>
[32,64] - refers to a 32-bit or 64-bit binary.
{VENDOR} - The name of the vendor supplying the library.
{VERSION} - Version of the library, preferably in num#.num#.num# format.
ORA-28377: No need to migrate from wallet to HSM
Cause: There are either no encrypted columns or all column keys are already encrypted with the HSM master key.
Action: No action required.
ORA-28378: Wallet not open after setting the Master Key
Cause: The master key has been set or reset; however, the wallet could not be reopened successfully.
Action: Reopen the wallet.