Oracle 参数 WALLET_ROOT 官方解释,作用,如何配置最优化建议
本站中文解释
ORACLE客户端以及服务器都有参数WALLET_ROOT,该参数是指定Oracle的数据加密的一个文件夹路径,默认位置为:$ORACLE_BASE/admin//wallet。客户端和服务器端需要设定一个相同的WALLET_ROOT。
正确设置Oracle参数WALLET_ROOT方法如下:
1.登录SQL*Plus(位于$ORACLE_HOME/bin),连接到数据库:
SQL> CONNECT username/password@tnsname
2.运行以下语句,将参数WALLET_ROOT属性更改为指定文件夹。
SQL> alter system set WALLET_ROOT=location scope=both;
该参数在服务器端可以通过以下语句来查看:
SQL> show parameters WALLET_ROOT
3.保存修改:
SQL> commit;
官方英文解释
WALLET_ROOT
specifies the path to the root of a directory tree containing a subdirectory for each pluggable database (PDB), under which a directory structure similar to the Oracle ASM wallet storage directory structure is used to store the various wallets associated with the PDB.
Property | Description |
---|---|
Parameter type |
String |
Syntax |
|
Default value |
There is no default value. |
Modifiable |
No |
Modifiable in a PDB |
No |
Basic |
No |
Oracle RAC |
Different values can be used on different Oracle RAC instances. |
The name of the various wallet files is always the same, regardless of the component they are associated with. The wallets for each component are stored under each PDB GUID directory within the WALLET_ROOT
directory structure in a directory whose name is based on the component name. For example, for the TDE component, the subdirectory name is tde
.
If the WALLET_ROOT
parameter is not set, the SQLNET.ENCRYPTION_WALLET_LOCATION
parameter is used (as in Oracle Database releases prior to Oracle Database 18c), but no isolated keystore can be used unless the WALLET_ROOT
parameter is set. The TDE_CONFIGURATION
initialization parameter cannot be used to configure any PDB to run in isolated mode unless the WALLET_ROOT
parameter is also set.
Note:
The SQLNET.ENCRYPTION_WALLET_LOCATION
parameter is deprecated in Oracle Database 18c.
For example, the contents of the directory at the location specified by the WALLET_ROOT
initialization parameter could look as follows, where wallet-root is the directory specified by the WALLET_ROOT
parameter:
wallet-root/eus/ewallet.p12
wallet-root/tde/ewallet.p12
wallet-root/tde/ewallet_2016120918333644.p12
wallet-root/tde_seps/cwallet.sso
wallet-root/tls/ewallet.p12
wallet-root/xdb_wallet/ewallet.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde/ewallet.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde/ewallet_2016110918331622.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde/ewallet_2016110918332363.p12
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tde_seps/cwallet.sso
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tls/cwallet.sso
wallet-root/3FD1C95B48205D0FE053C5A0E40AEF8C/tls/ewallet.p12
When the WALLET_ROOT
parameter is set, you can omit the path from some ADMINISTER KEY MANAGEMENT
commands.
The WALLET_ROOT
value can include references to environment variables. The following example uses the value of the ORACLE_BASE
environment variable to set the root of the wallet directory hierarchy:
WALLET_ROOT=$ORACLE_BASE/admin/orcl/wallet
If the ORACLE_BASE
environment variable had the value /app/oracle
, then the WALLET_ROOT
path used by TDE resulting from the above setting of the WALLET_ROOT
instance initialization parameter would be /app/oracle/admin/orcl/wallet
.
Note:
The normalized length of the wallet-root-directory-name
that is specified with the WALLET_ROOT
parameter cannot exceed 255 characters, otherwise one of the following sets of error messages is displayed:
ORA-46693: The WALLET_ROOT location is missing or invalid.
ORA-32021: parameter value longer than 255 characters
ORA-01078: failure in processing system parameters
ORA-46693: The WALLET_ROOT location is missing or invalid.
ORA-07204: sltln: name translation failed due to lack of output buffer space.
ORA-01078: failure in processing system parameters
The normalized length includes the length of expanded environment variables specified with the WALLET_ROOT
parameter. The values of the environment variables of the user who starts the instance are used in the normalization of the WALLET_ROOT
parameter.
The SHOW PARAMETER WALLET_ROOT
command always displays the normalized value (with all the environment variables expanded).
For non-ASM file systems, the PDB GUID-extended paths for the TDE component are created automatically under the directory specified by the WALLET_ROOT
parameter when any Transparent Data Encryption (TDE) wallet is created for a PDB.
Enabling Automatic Creation of Directories Under WALLET_ROOT
By using the specific configuration of WALLET_ROOT
described in each of the following sub-sections, Oracle Database can be configured to automatically create the necessary pdb-guid and component name directories under the WALLET_ROOT
directory path. Other settings of WALLET_ROOT
are allowed, but would not result in the automatic creation of the necessary sub-directories by the ASM OMF layer.
Required setting to enable auto-directory creation for a database not using Oracle ASM
For a database not using Oracle ASM filesystems, the WALLET_ROOT
parameter needs to be set as follows:
WALLET_ROOT=wallet-root-directory-path
This sets the root of the wallet directory hierarchy to the directory specified by wallet-root-directory-path
:
wallet-root-directory-path
When this is done, Oracle Database automatically creates the directory for the TDE wallet of a CDB$ROOT at the following location (where wallet-root is the directory specified by the WALLET_ROOT
parameter):
wallet-root/tde
For PDBs, the directories that Oracle Database automatically creates for holding the TDE wallets of PDBs will include the pdb-guid:
wallet-root/pdb-guid/tde
Required setting to enable auto-directory creation for a non-CDB using Oracle ASM with Oracle Managed Files
For a non-CDB using ASM with OMF, the WALLET_ROOT
parameter needs to begin with a plus sign followed by a disk group name and the value of the DB_UNIQUE_NAME
initialization parameter. In the example below, disk-group-name is the name of a disk group and db-unique-name is the value of the DB_UNIQUE_NAME
initialization parameter:
WALLET_ROOT=+disk-group-name/db-unique-name
When this is done, Oracle Database automatically creates the necessary directory within the ASM filesystem at the following location when the ADMINISTER
KEY
MANAGEMENT
CREATE
KEYSTORE
command is run:
+disk-group-name/db-unique-name/tde
Required setting for a CDB using Oracle ASM with Oracle Managed Files
For a CDB using ASM with OMF, the WALLET_ROOT
parameter needs to begin with a plus sign followed by a disk group name and the value of the DB_UNIQUE_NAME
initialization parameter. In the example below, disk-group-name is the name of a disk group and db-unique-name is the value of the DB_UNIQUE_NAME
initialization parameter:
WALLET_ROOT=+disk-group-name/db-unique-name
In other words, the WALLET_ROOT
parameter needs to start with a plus sign, followed by a disk group name and the value of the DB_UNIQUE_NAME
instance initialization parameter.
When this is done, Oracle Database automatically creates the directory for the TDE wallet of a CDB$ROOT at the following location when the ADMINISTER
KEY
MANAGEMENT
CREATE
KEYSTORE
command is run:
+disk-group-name/db-unique-name/tde
For PDBs, the directories that Oracle Database automatically creates for holding the TDE wallets of PDBs will include the pdb-guid:
+disk-group-name/db-unique-name/pdb-guid/tde
See Also:
“TDE_CONFIGURATION”