Oracle secure external password store allows storing of password needed for database connection in a client side Oracle wallet. It allows password-less connection to the database and useful in running scripts without having to put the password in them. A secure external password store could be setup as below.
Create a wallet (usually in TNS_ADMIN but could be different location as well)
During further investigation of the issue following observations were made.
1. The problem doesn't happen when both grid home and oracle home are installed under one user (usually as oracle user).
2. Problem doesn't happen in RAC environments even if grid home and oracle home are installed as different users (grid home as grid user and oracle home as oracle user)
3. Problem only happens in single instance environments (tested on 12c and 11.2.0.4) where grid home is owned by grid user and oracle home is owned by oracle user.
Looking at the trace file shows that srvctl fails to connect to idle instance to start the database
So the solution in this case was to create an empty wallet as grid user and set permission to 750.
Why the auto_login_local fails this way in Oracle restart with role separation is still under SR.
Useful metalink notes
Using a Secure External Password Store with the JDBC Thin Driver [ID 1441745.1]
Using The Secure External Password Store [ID 340559.1]
How To Avoid Expdp And Impdp Passwords Being Visible By "ps" Unix Command? [ID 869825.1]
How To Prevent The Secure Password Store Wallet From Being Moved to Another Host [ID 1114599.1]
Oracle Cluster failed to start with ASM instance getting ORA-00443 [ID 2000868.1]
Database Failed To Start [ID 1922401.1]
Oracle Restart: srvctl fails to start database with error CRS-5010 if RDBMS and Grid under different users [ID 1335607.1]
How to configure SEPS for the pluggable databases [ID 1980698.1]
Bug 11706168 - ORA-00000 during STARTUP with SQLNET.WALLET_OVERRIDE=TRUE [ID 11706168.8]
How To Configure The Secure External Password Store To Allow The Connection To RMAN Catalog? [ID 1383938.1]
ORA-15055 and ORA-12578 on database startup with external wallet store [ID 1612712.1]
How To Check Whether The Wallet Is A Local Auto Login Wallet [ID 1505040.1]
Create a wallet (usually in TNS_ADMIN but could be different location as well)
cd $ORACLE_HOME/network/admin/The option "auto_login_local" prevents the wallet being moved to another host and used (1114599.1). It also ties the wallet to the operating system user preventing other users in the same host using the wallet as well (1505040.1). Create a credential, in this case std11g2 is a TNS entry that exists in tnsnames.ora file and asanga and asa are username and password
orapki wallet create -wallet . -pwd "welcome1" -auto_login_local
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
[oracle@rhel7 admin]$ ls
cwallet.sso ewallet.p12 samples shrept.lst tnsnames.ora
mkstore -wrl . -createCredential std11g2 asanga asaAdd the wallet location to sqlnet.ora file and set WALLET_OVERRIDE to true which makes user names and passwords from the wallet to be used for authentication.
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Create credential oracle.security.client.connect_string1
more sqlnet.oraThe existing credentials could be listed with the following command
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /opt/app/oracle/product/11.2.0/dbhome_4/network/admin))
)
SQLNET.WALLET_OVERRIDE = TRUE
mkstore -wrl . -listCredentialWith the external secure password store now setup, one could connected to the database without specifying the password as show below
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
List credential (index: connect_string username)
1: std11g2 asanga
[oracle@rhel7 orawallet]$ sqlplus /@std11g2Problem is that when secure external password store is setup for a Oracle restart (Single instance with ASM) database that has role separation (GI installed grid user and DB installed as oracle), the database fails to start during restarts and when srvctl is used. Below for a 11.2.0.4 setup
SQL> show user
USER is "ASANGA"
srvctl start database -d std11g2Below for a 12.1.0.2 setup
PRCR-1079 : Failed to start resource ora.std11g2.db
CRS-5017: The resource action "ora.std11g2.db start" encountered the following error:
ORA-01078: failure in processing system parameters
. For details refer to "(:CLSN00107:)" in "/opt/app/oracle/product/11.2.0/grid_4/log/rhel6m1/agent/ohasd/oraagent_grid//oraagent_grid.log".
CRS-2674: Start of 'ora.std11g2.db' on 'rhel6m1' failed
srvctl start database -d se2dbMOS notes 1612712.1,1383938.1 says to set the permission to 750 for this issue but it didn't work.
PRCR-1079 : Failed to start resource ora.se2db.db
CRS-5017: The resource action "ora.se2db.db start" encountered the following error:
ORA-01078: failure in processing system parameters
ORA-01565: error in identifying file '+DATA/se2db/spfilese2db.ora'
ORA-17503: ksfdopn:10 Failed to open file +DATA/se2db/spfilese2db.ora
ORA-12578: TNS:wallet open failed
. For details refer to "(:CLSN00107:)" in "/opt/app/oracle/diag/crs/rhel7/crs/trace/ohasd_oraagent_grid.trc".
CRS-2674: Start of 'ora.se2db.db' on 'rhel7' failed
During further investigation of the issue following observations were made.
1. The problem doesn't happen when both grid home and oracle home are installed under one user (usually as oracle user).
2. Problem doesn't happen in RAC environments even if grid home and oracle home are installed as different users (grid home as grid user and oracle home as oracle user)
3. Problem only happens in single instance environments (tested on 12c and 11.2.0.4) where grid home is owned by grid user and oracle home is owned by oracle user.
Looking at the trace file shows that srvctl fails to connect to idle instance to start the database
2016-03-30 11:11:12.474778 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] clsnInstConnection::makeConnectStr UsrOraEnv ,ORACLE_BASE= m_oracleHome /opt/app/oracle/product/12.1.0/dbhome_2 Crshome /opt/app/oracle/product/12.1.0/grid
2016-03-30 11:11:12.474822 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] makeConnectStr = (DESCRIPTION=(ADDRESS=(PROTOCOL=beq)(PROGRAM=/opt/app/oracle/product/12.1.0/dbhome_2/bin/oracle)(ARGV0=oraclese2db)(ENVS='ORACLE_HOME=/opt/app/oracle/product/12.1.0/dbhome_2,ORACLE_SID=se2db,LD_LIBRARY_PATH=,ORACLE_BASE=')(ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))')(CONNECT_DATA=(SID=se2db))))
2016-03-30 11:11:12.475460 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstAgent::stop non pool pConnxn 1 9434f9e0
2016-03-30 11:11:12.475519 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::connectInt: server not attached
2016-03-30 11:11:13.498240 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection:connectInt connected
2016-03-30 11:11:13.498315 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::shutdown mode 4
2016-03-30 11:11:13.499364 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
2016-03-30 11:11:13.499453 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::disassociateEdition OCI error 1034Then the start of the database was tested a wallet created without the "local" option. As mentioned earlier local option prevents wallet being used in another host and is tied to the OS user. On 11.2.0.4orapki wallet create -wallet . -pwd "welcome1"-auto_loginOn 12.1.0.2
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
srvctl start database -d std11g2
srvctl status database -d std11g2
Database is running.
orapki wallet create -wallet . -pwd "welcome1" -auto_loginSo it appears the problem seem to be use of auto_login_local since there's no issue when using auto_login. Since wallet wasn't moved to a different server, the only reason that could prevent DB from starting with a wallet created with auto_login_local option is if the starting command is executed by a user other than the user tied to the wallet. Right now the wallet has been created as Oracle user and srvctl start was executed as oracle user. So it appears that grid user gets involved in starting the DB even when srvctl is run as oracle user (why the same is not happening in RAC role separated config is under SR)
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
srvctl start database -d se2db
srvctl status database -d se2db
Database is running.
So the solution in this case was to create an empty wallet as grid user and set permission to 750.
[grid@rhel7 wallet]$ orapki wallet create -wallet . -pwd "welcome1" -auto_login_localNo credentials are added to this wallet as such nothing to list
[grid@rhel7 wallet]$ chmod 750 cwallet.sso ewallet.p12
[grid@rhel7 wallet]$ ls -lrt
-rw-rw-rw-. 1 grid oinstall 0 Apr 15 17:35 ewallet.p12.lck
-rwxr-x---. 1 grid oinstall 75 Apr 15 17:35 ewallet.p12
-rw-rw-rw-. 1 grid oinstall 0 Apr 15 17:35 cwallet.sso.lck
-rwxr-x---. 1 grid oinstall 120 Apr 15 17:35 cwallet.sso
[grid@rhel7 wallet]$ mkstore -wrl . -listCredentialUsed a non-default location to this wallet file and this was added to $ORACLE_HOME/network/admin/sqlnet.ora file(not to $GI_HOME/network/admin/sqlnet.ora)
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
List credential (index: connect_string username)
pwdWith this setup in place srvctl works fine and database get started automatically after restarts. However password-less access fails as the wallet is owned by grid user
/opt/app/oracle/product/12.1.0/dbhome_2/network/admin
more sqlnet.ora
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /usr/local/wallet))
)
SQLNET.WALLET_OVERRIDE = TRUE
[oracle@rhel7 orawallet]$ sqlplus /@se2dbTo fix this, create another wallet at a different location as Oracle user.
ERROR:
ORA-12578: TNS:wallet open failed
ls /usr/local/wallet/orawalletCreate another sqlnet.ora file in the same directory (orawallet). Add this directory path as the wallet location
-rwxrwx---. 1 oracle oinstall 528 Apr 15 17:20 ewallet.p12
-rwxrwx---. 1 oracle oinstall 573 Apr 15 17:20 cwallet.sso
WALLET_LOCATION =Whenever password-less access using external password store is needed export this location as the TNS_ADMIN and connect.
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /usr/local/wallet/orawallet))
)
SQLNET.WALLET_OVERRIDE = TRUE
export TNS_ADMIN=/usr/local/wallet/orawalletIf any database scripts require password-less access before running export the TNS_ADMIN to location where second sqlnet.ora file was set.
sqlplus /@se2db
SQL> show user
USER is "ASANGA"
Why the auto_login_local fails this way in Oracle restart with role separation is still under SR.
Useful metalink notes
Using a Secure External Password Store with the JDBC Thin Driver [ID 1441745.1]
Using The Secure External Password Store [ID 340559.1]
How To Avoid Expdp And Impdp Passwords Being Visible By "ps" Unix Command? [ID 869825.1]
How To Prevent The Secure Password Store Wallet From Being Moved to Another Host [ID 1114599.1]
Oracle Cluster failed to start with ASM instance getting ORA-00443 [ID 2000868.1]
Database Failed To Start [ID 1922401.1]
Oracle Restart: srvctl fails to start database with error CRS-5010 if RDBMS and Grid under different users [ID 1335607.1]
How to configure SEPS for the pluggable databases [ID 1980698.1]
Bug 11706168 - ORA-00000 during STARTUP with SQLNET.WALLET_OVERRIDE=TRUE [ID 11706168.8]
How To Configure The Secure External Password Store To Allow The Connection To RMAN Catalog? [ID 1383938.1]
ORA-15055 and ORA-12578 on database startup with external wallet store [ID 1612712.1]
How To Check Whether The Wallet Is A Local Auto Login Wallet [ID 1505040.1]