Error
Error Code: ORA-28393

Oracle ORA-28393: Wallet Password Missing

📦 Oracle Database
📋

Description

This error, ORA-28393, occurs in Oracle Database when attempting to close an Oracle Wallet without providing the necessary password. Oracle Wallets store security credentials, and closing them requires authentication.
💬

Error Message

ORA-28393: password required to close the wallet
🔍

Known Causes

2 known causes
⚠️
Missing Password Argument
The `close wallet` command was executed without including the password argument or specifying a password file.
⚠️
Incorrect Command Syntax
The command syntax used to close the wallet is incorrect, leading to the password not being recognized.
🛠️

Solutions

4 solutions available

1. Provide Wallet Password During Connection easy

Supply the wallet password directly when establishing a database connection that requires it.

1
When using SQL*Plus or other Oracle client tools, you will typically be prompted for the wallet password if the connection requires it (e.g., for Transparent Data Encryption (TDE) operations). Ensure you enter the correct password when prompted.
2
If you are connecting programmatically (e.g., from Java, Python, .NET), the connection string or configuration will need to include the wallet password. The exact syntax depends on the driver and language.
Example for JDBC (Java):
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=your_host)(PORT=your_port))(CONNECT_DATA=(SERVICE_NAME=your_service_name)))

When using TDE, you might need to specify the wallet location and password in the connection properties or through environment variables depending on the driver's capabilities. For instance, some drivers might support a `oracle.net.wallet_password` property or similar.
3
For SQL*Net connections, the `sqlnet.ora` file might be configured to use a wallet. If the wallet is password-protected, the client will attempt to prompt for it. If automated, ensure the password is correctly provided via environment variables or configuration.
Example sqlnet.ora snippet:
WALLET_LOCATION = (
  METHOD = TUC
  METHOD_DATA = (
    DIRECTORY = /path/to/your/wallet
  )
)

If this wallet is password protected, the client will need a mechanism to provide that password. This is often handled by the application or through OS-level credential management if supported.

2. Configure `sqlnet.ora` for Auto-Login Wallet medium

Set up the wallet to automatically log in, eliminating the need for a password prompt.

1
Locate the `sqlnet.ora` file in your Oracle client or server's network configuration directory (e.g., `$ORACLE_HOME/network/admin` or `$ORACLE_HOME/sqlnet.ora`).
text
# Example path for Linux/Unix
export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1
cat $ORACLE_HOME/network/admin/sqlnet.ora
2
Ensure the `WALLET_LOCATION` parameter is correctly set to point to your wallet directory.
text
WALLET_LOCATION = (
  METHOD = TUC
  METHOD_DATA = (
    DIRECTORY = /path/to/your/wallet
  )
)
3
To enable auto-login, add or modify the `AUTOMATIC_IPC` parameter and set it to `ON` if your wallet is password-protected and you want to avoid password prompts for local connections. For remote connections, you might need to use a different approach or ensure the password is provided by the client application.
text
# For local connections where you want to avoid password prompts:
AUTOMATIC_IPC = ON

# If you are using a password-protected wallet and want it to be accessible without a password prompt for certain operations,
# you might need to use the 'pwd.sh' utility (on Linux/Unix) or 'pwd.bat' (on Windows) to create an encrypted password file.
# This is often done when setting up TDE with Oracle Key Vault or a local wallet.
4
If you are using a password-protected wallet and want to avoid manual password entry, Oracle recommends using the `pwd.sh` (Linux/Unix) or `pwd.bat` (Windows) utility to generate an encrypted password file. This file is then used by the wallet to authenticate without user intervention. Consult Oracle documentation for the exact steps to use `pwd.sh` or `pwd.bat` with your specific wallet type and version.

3. Manage Wallet Password with `orapki` Utility medium

Use the `orapki` utility to manage wallet passwords, including setting or changing them.

1
Open a command prompt or terminal and navigate to your Oracle home's `bin` directory.
text
# Example for Linux/Unix
cd $ORACLE_HOME/bin

# Example for Windows
cd %ORACLE_HOME%\bin
2
To change the password of an existing wallet, use the `orapki wallet change_pwd` command. You will need to provide the wallet location, the old password (if any), and the new password.
bash
./orapki wallet change_pwd -wallet "/path/to/your/wallet" -old_pwd "old_password" -new_pwd "new_password"

# If the wallet was not password protected and you want to set a password:
./orapki wallet change_pwd -wallet "/path/to/your/wallet" -new_pwd "new_password"
3
If the wallet was created without a password and you want to add one, you can also use the `change_pwd` command. If the wallet is password protected and you've lost the password, you might need to create a new wallet and migrate the certificates/keys, which is a more involved process.
bash
# To set a password for a wallet that was previously un-password protected
./orapki wallet change_pwd -wallet "/path/to/your/wallet" -new_pwd "your_chosen_password"
4
After changing the password, ensure that any applications or connections referencing this wallet are updated to use the new password or are configured to use auto-login if applicable.

4. Verify Wallet Configuration and Permissions medium

Ensure the wallet directory and its contents have correct permissions and that the wallet is properly initialized.

1
Confirm that the Oracle user running the database or client process has read and write permissions to the wallet directory and its contents.
bash
# Example for Linux/Unix
ls -ld /path/to/your/wallet
chmod 700 /path/to/your/wallet
chown oracle:oinstall /path/to/your/wallet

# Ensure files within the wallet also have appropriate permissions (e.g., 600 for sensitive files)
2
Verify that the wallet directory specified in `sqlnet.ora` actually exists and contains the expected wallet files (e.g., `cwallet.sso`, `ewallet.p12`, or other certificate/key files).
bash
ls -l /path/to/your/wallet
3
If you suspect the wallet itself is corrupted or incorrectly initialized, you might need to re-create it. This involves backing up existing certificates/keys, creating a new wallet using `orapki`, and then importing the backed-up items.
bash
# Example: Creating a new password-protected wallet
./orapki wallet create -wallet "/path/to/new/wallet" -pwd "new_wallet_password"

# After creation, you would then import certificates/keys as needed using orapki commands like:
# ./orapki wallet add_certificate ...
# ./orapki wallet add_private_key ...