Troubleshoot fix ORA-28368: cannot auto-create wallet ORA-28353: failed to open wallet


Problem description:

Alter system set encryption key indentified by <password> command failing with Ora-28368 error.
ERROR at line 1:
ORA-28368: cannot auto-create wallet

Solution Description:

Add following entry which is marked in RED color below to the sqlnet.ora and restart the database. Create the wallet directory under $ORACLE_HOME/$ORACLE_SID/wallet.


The sample sqlnet.ora file looks like this

cd $ORACLE_HOME/network/admin
vi sqlnet.ora
automatic_ipc = ON               # Set to OFF for PC's
trace_level_client = OFF         # Set to 16 if tracing is required
sqlnet.expire_time = 0           # Idle time in minutes
sqlnet.authentication_services = (ALL)
names.directory_lookup = (TNSNAMES,ONAMES)

Database needs to be restarted. It is mandatory because during the restart oracle will check the sqlnet.ora parameters (ENCRYPTION_WALLET_LOCATION) whether it is valid or not.

SQL> connect / as sysdba
Connected to an idle instance.
SQL> startup
ORACLE instance started.

Total System Global Area 282352256 bytes
Fixed Size                  2132856 bytes
Variable Size            1644174848 bytes
Database Buffers         1140850688 bytes
Redo Buffers               36388864 bytes
Database mounted.
Database opened.

SQL> alter system set encryption key authenticated BY "welcome1";

System altered.

Verify the wallet directory whether the file is created or not.

$ cd /data/oracle/admin/prod9/wallet
oracle@prodserv(4105) prod9 /data/oracle/admin/prod9/wallet
$ ls -ltr
total 4
-rw-r--r--   1 oracle   dba         1573 Jul 15 21:26 ewallet.p12

Additional info From Oracle
On some 64-bit platforms the default wallet location may not work as documented, this was ultimately identified as a porting issue and it has been fixed in RDBMS version 11g, and in patch set (and higher).
Therefore, and also because it is best practice to know and determine the wallet location deliberately (since it is a pretty important file), please consider to always set the ENCRYPTION_WALLET_LOCATION in the sqlnet.ora file.

Comment: If you have specified an ENCRYPTION_WALLET_LOCATION in your sqlnet.ora file you should not have the problem writing to any default location, in that case check for the proper format and indentation of your sqlnet.ora file.

Reason For error
The location for the ewallet.p12 file can be any of the following :
Comment: In a RAC system there is a difference between the Oracle database name and the ORACLE_SID, it will use the $ORACLE_BASE/admin/<database name>/WALLET as a default location.

Solution Description:
1. Set in sqlnet.ora one of the following entries :



In each case make sure the directory exists on the filesystem and is accessible by the oracle software owner.

2. Create the wallet file and set the encryption key :
SQL> alter system set encryption key authenticated by "abcde";
Sytem altered.

SQL> ! ls -l admin/WALLET
total 8
-rw------- 1 oracle dba 1309 Oct 13 10:31 ewallet.p12 

When you have more than one database on the server, especially if they share the same $ORACLE_HOME, then they will by default share the same sqlnet.ora file and be pointed to the same wallet. This can be overcome by using a TNS_ADMIN variable to allow each database to look at a different directory, but it also requires additional effort to maintain separate tnsnames.ora and listener.ora files.



Post a Comment Copyright 2011-17 All Rights Reserved | Site Map | Contact | Disclaimer | Google