Error Code: ORA-28367
Oracle ORA-28367: Missing Wallet
Description
The ORA-28367 error indicates that the Oracle wallet, used for storing security credentials, cannot be found. This typically occurs when the wallet hasn't been created or the `sqlnet.ora` file points to an incorrect wallet location.
Error Message
ORA-28367: wallet does not exist
Known Causes
Wallet Not Created
The Oracle wallet required for encryption or authentication has not been created using the `mkstore` or `orapki` utility.
Incorrect Wallet Path
The `WALLET_LOCATION` or `ENCRYPTION_WALLET_LOCATION` parameter in the `sqlnet.ora` file specifies an invalid path to the wallet directory.
Configuration File Error
There is a syntax error or typo in the `sqlnet.ora` file affecting the wallet location parameters.
Solutions
1. Verify and Locate the Oracle Wallet (easy)
Confirm the wallet's existence and its correct location as configured in the database.
Step 1: Identify the wallet location specified in your Oracle database configuration. This is typically found in the `sqlnet.ora` file on the database server. Look for the `WALLET_LOCATION` parameter.
# The entry usually spans several lines, so print the lines after the match as well
grep -i -A 4 'WALLET_LOCATION' "$ORACLE_HOME/network/admin/sqlnet.ora"
Step 2: Navigate to the directory specified by `WALLET_LOCATION` on the database server.
cd /path/to/your/wallet
Step 3: Check if the wallet directory and its contents (e.g., `cwallet.sso` or `ewallet.p12`) exist. If they are missing, proceed to Solution 2.
ls -l
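The three steps above combined into one script, as an added example that is not part of the original page: it reads the wallet directory from `sqlnet.ora`, checks that the directory and wallet files exist, and flags wallet files that group or others can read. The function names, status strings and the `make_sample` fixture are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Names and status codes are assumptions.

# Print DIRECTORY from the first (ENCRYPTION_)WALLET_LOCATION entry in sqlnet.ora.
# Entries usually span several lines, so comments are stripped and lines joined.
# Assumption: the path is literal (no spaces, quotes or environment variables).
wallet_dir_from_sqlnet() {
  awk '
    { sub(/#.*/, ""); buf = buf " " $0 }
    END {
      up = toupper(buf)
      i = index(up, "WALLET_LOCATION"); if (!i) exit 1
      buf = substr(buf, i); up = substr(up, i)
      if (!match(up, /DIRECTORY[ \t]*=[ \t]*/)) exit 1
      val = substr(buf, RSTART + RLENGTH)
      sub(/[ \t)].*/, "", val)
      if (val == "") exit 1
      print val
    }' "$1"
}

# Report the wallet state for one sqlnet.ora; a non-zero status means a problem.
check_wallet() {
  local dir f
  dir=$(wallet_dir_from_sqlnet "$1") || { echo "NO_WALLET_PARAM"; return 2; }
  [ -d "$dir" ] || { echo "MISSING_DIR $dir"; return 3; }
  [ -f "$dir/ewallet.p12" ] || [ -f "$dir/cwallet.sso" ] ||
    { echo "NO_WALLET_FILES $dir"; return 4; }
  # Wallet files hold key material: flag any that group or others can read.
  for f in "$dir/ewallet.p12" "$dir/cwallet.sso"; do
    [ -f "$f" ] || continue
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
      echo "LOOSE_PERMS $f"; return 5
    fi
  done
  echo "OK $dir"
}

# Constructed sample: temp dir with a multi-line sqlnet.ora and an empty wallet dir.
make_sample() {
  local t; t=$(mktemp -d)
  mkdir "$t/wallet"
  printf '%s\n' '# constructed sample' 'ENCRYPTION_WALLET_LOCATION =' \
    '  (SOURCE = (METHOD = FILE)' \
    "    (METHOD_DATA = (DIRECTORY = $t/wallet)))" > "$t/sqlnet.ora"
  echo "$t/sqlnet.ora"
}

if [ $# -gt 0 ]; then check_wallet "$1"; fi
```

Run it as the Oracle software owner with the path to the server's `sqlnet.ora` as the only argument.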
2. Recreate or Restore the Oracle Wallet (medium)
If the wallet is confirmed missing, recreate it or restore it from a backup.
Step 1: If you have a backup of the wallet, restore it to the location specified in `sqlnet.ora`.
cp /path/to/backup/cwallet.sso /path/to/your/wallet/
Step 2: If no backup is available, you will need to recreate the wallet. This typically involves using `orapki` (Oracle PKI Tool). The exact command depends on whether you are using a password-based wallet (`cwallet.sso`) or a PKCS#12 wallet (`ewallet.p12`).
For a password-based wallet (most common):
# With -auto_login, orapki prompts for the wallet password and writes cwallet.sso alongside ewallet.p12
orapki wallet create -wallet /path/to/your/wallet -auto_login
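Step 3: If you are using a PKCS#12 wallet, you'll need to provide a password during creation:
# orapki takes the wallet password with -pwd; leave -pwd off to be prompted and keep it out of shell history
orapki wallet create -wallet /path/to/your/wallet -pwd your_wallet_password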
Step 4: After recreating the wallet, ensure the `sqlnet.ora` file correctly points to the recreated wallet location. Restart the database listener and the database instance if necessary.
sqlnet.ora content should look like:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /path/to/your/wallet)))
3. Configure TNSNAMES.ORA for Wallet Usage (easy)
Ensure TNSNAMES.ORA entries correctly reference the service using encryption that requires a wallet.
Step 1: Examine your `tnsnames.ora` file for entries that use encryption or integrity methods that rely on the Oracle Wallet (e.g., `SQLNET.ENCRYPTION_CLIENT`, `SQLNET.CRYPTO_CHECKSUM_CLIENT`).
cat "$ORACLE_HOME/network/admin/tnsnames.ora"
Step 2: Verify that the `SQLNET.AUTHENTICATION_SERVICES` parameter in the client's `sqlnet.ora` is correctly configured to use the wallet for authentication if applicable.
client_sqlnet.ora content:
SQLNET.AUTHENTICATION_SERVICES = (NTS, KERBEROS5, BEQ, ...) # Ensure wallet-related services are listed if used
Step 3: If the `tnsnames.ora` entry is attempting to use a service that requires a wallet and the wallet is not properly configured or accessible, the ORA-28367 error can occur. Adjust the `tnsnames.ora` entry or ensure the client has access to the wallet.
Example TNS entry that might require a wallet:
MYDB_SECURE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME = mydb.example.com)
    )
    (SECURITY = (
      ENCRYPTION_LOGIN = REQUIRED
    ))
  )
4. Check Database Listener Configuration for Wallet (medium)
Ensure the database listener is correctly configured to use the wallet if it's involved in secure connections.
Step 1: Locate the `listener.ora` file on the database server.
cat "$ORACLE_HOME/network/admin/listener.ora"
Step 2: Check for any parameters within the listener configuration that might require or reference an Oracle Wallet, especially if you are using features like Transparent Data Encryption (TDE) or specific authentication methods that rely on the wallet.
listener.ora example snippet (less common for direct wallet reference, but possible in advanced setups):
(ENCRYPTION_TYPES_CLIENT_listener = (AES256, AES192, AES128))
Step 3: If your listener is configured to use a wallet for specific security features, ensure the `sqlnet.ora` on the server correctly points to that wallet location and that the wallet exists and is accessible.
Ensure WALLET_LOCATION in sqlnet.ora is correct and the wallet files are present.
Step 4: Restart the listener after any changes to `listener.ora` or `sqlnet.ora` to apply the new configuration.
lsnrctl reload