1.358 WALLET_ROOT

WALLET_ROOT specifies the path to the root of a directory tree containing a subdirectory for each pluggable database (PDB), under which a directory structure similar to the Oracle ASM wallet storage directory structure is used to store the various wallets associated with the PDB.

Property Description

Parameter type

String

Syntax

WALLET_ROOT = wallet-root-directory-path

Default value

There is no default value.

Modifiable

No

Modifiable in a PDB

No

Basic

No

Oracle RAC

Different values can be used on different Oracle RAC instances.

The name of the various wallet files is always the same, regardless of the component they are associated with. The wallets for each component are stored under each PDB GUID directory within the WALLET_ROOT directory structure in a directory whose name is based on the component name. For example, for the TDE component, the subdirectory name is tde.

If the WALLET_ROOT parameter is not set, the SQLNET.ENCRYPTION_WALLET_LOCATION parameter is used (as in Oracle Database releases prior to Oracle Database 18c), but no isolated keystore can be used unless the WALLET_ROOT parameter is set. The TDE_CONFIGURATION initialization parameter cannot be used to configure any PDB to run in isolated mode unless the WALLET_ROOT parameter is also set.

Note:

The SQLNET.ENCRYPTION_WALLET_LOCATION parameter is deprecated in Oracle Database 18c.

For example, the contents of the directory at the location specified by the WALLET_ROOT initialization parameter could look as follows, where wallet-root is the directory specified by the WALLET_ROOT parameter:

wallet-root/eus/ewallet.p12
wallet-root/tde/ewallet.p12
wallet-root/tde/ewallet_2016120918333644.p12
wallet-root/tde_seps/cwallet.sso
wallet-root/tls/ewallet.p12
wallet-root/xdb_wallet/ewallet.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde/ewallet.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde/ewallet_2016110918331622.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde/ewallet_2016110918332363.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde_seps/cwallet.sso
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tls/cwallet.sso
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tls/ewallet.p12

When the WALLET_ROOT parameter is set, you can omit the path from some ADMINISTER KEY MANAGEMENT commands.

The WALLET_ROOT value can include references to environment variables. The following example uses the value of the ORACLE_BASE environment variable to set the root of the wallet directory hierarchy:

WALLET_ROOT=$ORACLE_BASE/admin/orcl/wallet

If the ORACLE_BASE environment variable had the value /app/oracle, then the WALLET_ROOT path used by TDE resulting from the above setting of the WALLET_ROOT instance initialization parameter would be /app/oracle/admin/orcl/wallet.

Note:

The normalized length of the wallet-root-directory-name that is specified with the WALLET_ROOT parameter cannot exceed 255 characters, otherwise one of the following sets of error messages is displayed:

ORA-46693: The WALLET_ROOT location is missing or invalid.
ORA-32021: parameter value longer than 255 characters
ORA-01078: failure in processing system parameters
ORA-46693: The WALLET_ROOT location is missing or invalid.
ORA-07204: sltln: name translation failed due to lack of output buffer space.
ORA-01078: failure in processing system parameters

The normalized length includes the length of expanded environment variables specified with the WALLET_ROOT parameter. The values of the environment variables of the user who starts the instance are used in the normalization of the WALLET_ROOT parameter.

The SHOW PARAMETER WALLET_ROOT command always displays the normalized value (with all the environment variables expanded).

For non-ASM file systems, the PDB GUID-extended paths for the TDE component are created automatically under the directory specified by the WALLET_ROOT parameter when any Transparent Data Encryption (TDE) wallet is created for a PDB.

Enabling Automatic Creation of Directories Under WALLET_ROOT

By using the specific configuration of WALLET_ROOT described in each of the following sub-sections, Oracle Database can be configured to automatically create the necessary pdb-guid and component name directories under the WALLET_ROOT directory path. Other settings of WALLET_ROOT are allowed, but would not result in the automatic creation of the necessary sub-directories by the ASM OMF layer.

Required setting to enable auto-directory creation for a database not using Oracle ASM

For a database not using Oracle ASM filesystems, the WALLET_ROOT parameter needs to be set as follows:

WALLET_ROOT=wallet-root-directory-path

This sets the root of the wallet directory hierarchy to the directory specified by wallet-root-directory-path:

wallet-root-directory-path

When this is done, Oracle Database automatically creates the directory for the TDE wallet of a CDB$ROOT at the following location (where wallet-root is the directory specified by the WALLET_ROOT parameter):

wallet-root/tde

For PDBs, the directories that Oracle Database automatically creates for holding the TDE wallets of PDBs will include the pdb-guid:

wallet-root/pdb-guid/tde

Required setting to enable auto-directory creation for a non-CDB using Oracle ASM with Oracle Managed Files

For a non-CDB using ASM with OMF, the WALLET_ROOT parameter needs to begin with a plus sign followed by a disk group name and the value of the DB_UNIQUE_NAME initialization parameter. In the example below, disk-group-name is the name of a disk group and db-unique-name is the value of the DB_UNIQUE_NAME initialization parameter:

WALLET_ROOT=+disk-group-name/db-unique-name

When this is done, Oracle Database automatically creates the necessary directory within the ASM filesystem at the following location when the ADMINISTER KEY MANAGEMENT CREATE KEYSTORE command is run:

 +disk-group-name/db-unique-name/tde

Required setting for a CDB using Oracle ASM with Oracle Managed Files

For a CDB using ASM with OMF, the WALLET_ROOT parameter needs to begin with a plus sign followed by a disk group name and the value of the DB_UNIQUE_NAME initialization parameter. In the example below, disk-group-name is the name of a disk group and db-unique-name is the value of the DB_UNIQUE_NAME initialization parameter:

WALLET_ROOT=+disk-group-name/db-unique-name

In other words, the WALLET_ROOT parameter needs to start with a plus sign, followed by a disk group name and the value of the DB_UNIQUE_NAME instance initialization parameter.

When this is done, Oracle Database automatically creates the directory for the TDE wallet of a CDB$ROOT at the following location when the ADMINISTER KEY MANAGEMENT CREATE KEYSTORE command is run:

+disk-group-name/db-unique-name/tde

For PDBs, the directories that Oracle Database automatically creates for holding the TDE wallets of PDBs will include the pdb-guid:

+disk-group-name/db-unique-name/pdb-guid/tde

See Also:

"TDE_CONFIGURATION"