Troubleshoot KMIP secrets engine with Oracle TDE

21min
|
Vault

Introduction

When you integrate Vault's KMIP secrets engine with Oracle Database Transparent Data Encryption (TDE), you can meet with issues which prevent the solution from functioning.

Most of the issues you can experience have root causes which fall into 4 main categories:

File access: Vault integration with Oracle Database TDE involves installing a PKCS#11 library file. Issues can arise around the path, permissions, or with Linux security systems such as SELinux or AppArmor.
Network communication: Typical network issues including connectivity between Vault and Oracle Database, network port availability, and firewall configuration can all contribute to problems with the integration.
KMIP certificates: Common issues include problems with the certificate format, certificate chain of trust, or registration.
Misconfiguration: Problems with Vault configuration, Oracle Database PKCS#11 HCL configuration file, or the sqlnet.ora file.

This guidance can help you to identify the root cause of a problem with your KMIP secrets engine integration, and resolve the problem.

Essential resources

If you are not familiar with troubleshooting the Vault server or secrets engines, review Troubleshoot Vault for general Vault troubleshooting guidance before exploring the issues and resolutions.

About the command examples

The command examples in this resource are illustrative starting points, and might not function for you as-is. You need to update the commands, and replace critical example values like file names, paths, addresses, host names, and other values specific to your deployment with your actual values.

Troubleshoot KMIP secrets engine

If you run into trouble integrating the Vault KMIP secrets engine with Oracle TDE, use these Vault observability resources to help you troubleshoot the secrets engine.

Vault operational log output is commonly collected by the systemd journal on Linux servers, and you can typically find these logs in your organization's log aggregation solution. You can retrieve errors directly from the journal with a command like this example.
```
$ journalctl -xe -u vault
```
Be aware that as of version 1.13.0, Vault also supports logging to a static file, so you might need to check the Vault server configuration to determine if your deployment uses this file instead of the systemd journal.
Note
Vault log output defaults to the "info" level, which might not capture sufficient detail to help find an issue root cause. You can increase the log verbosity levels as described in the server documentation.
Vault API or CLI error messages: when you enable and configure the KMIP secrets engine with the Vault API or CLI, Vault emits helpful warning and error messages when problems occur. Use these messages in combination with Vault server operational log messages to isolate and resolve the issue root cause.
You can further enhance your troubleshooting efforts by enabling some helpful debug options.

If you operate Vault on Linux with systemd, you can enable any or all debug options by adding these environment variables to /etc/vault.d/vault.env followed by a restart of the Vault service:

KMIP_CONNECTION_DEBUGGING=1 enables debug output for connectivity related operations.
KMIP_REQUEST_DEBUGGING=1 enables debug output for requests.
KMIP_RESPONSE_DEBUGGING=1 enables debug output for responses.
KMIP_DECODING_DEBUGGING=1 enables debug output for operations related to decoding messages.
KMIP_INDEX_DEBUGGING=1 enables debug output for message processing and indexing operations.
KMIP_DUMP_BYTE_VALUES=1 enables debug output containing raw byte values.

If your Vault deployment is not on a systemd based Linux, you can export the necessary environment variables in the process manager or shell that Vault starts from. Here are examples for every debug variable:

KMIP_CONNECTION_DEBUGGING=1
KMIP_REQUEST_DEBUGGING=1
KMIP_RESPONSE_DEBUGGING=1
KMIP_DECODING_DEBUGGING=1
KMIP_INDEX_DEBUGGING=1
KMIP_DUMP_BYTE_VALUES=1

Troubleshoot Oracle Database

You can find indicators of issues as warnings or errors emitted from the following resources for Oracle Database.

The Oracle Database client emits messages in with a related code in the format: ORA-NNNNN Message text.
The Oracle Database alert log file in $ORACLE_BASE/diag/rdbms/<DB_NAME>/<INSTANCE>/trace/alert_<INSTANCE>.log
The Oracle Database trace files in $ORACLE_BASE/diag/rdbms/<DB_NAME>/<INSTANCE>/trace/

Check these log file sources for PKCS or wallet errors.

Use this reference of Oracle Database error codes related to issues which can arise when integrating the Wallet and Vault KMIP secrets engine.

Error Code	Description	Common Causes
ORA-28365	Wallet is not open	Wallet not opened, auto-login failed, PKCS#11 library not accessible
ORA-46633	Cannot create Master Key	Vault KMIP secrets engine server unreachable, authentication failed, insufficient permissions
ORA-46658	Could not activate Master Key	Key not found in Vault, key ID mismatch
ORA-46693	PKCS#11 library not found	Incorrect path in sqlnet.ora, library file missing
ORA-46694	Cannot load PKCS#11 library	Permission issues, wrong architecture, missing dependencies
ORA-46695	PKCS#11 module returned error	Generic PKCS#11 error, check library logs and Vault audit logs
ORA-46696	PKCS#11 configuration file invalid	vault-pkcs11.hcl syntax error, certificate format issues
ORA-28374	Typed master key not found	Key mismatch between Oracle and Vault, key rotation issue

Explore common issues and resolutions

Use the general troubleshooting workflows and resources to narrow the issue scope to a given category of issue. After narrowing the issue scope, you can use the details in each corresponding tab to learn more about specific issue scenarios, along with their troubleshooting and resolution steps.

These are common issues with Oracle Database access the Vault PKCS#11 provider file, and their resolution steps.

Note

Ensure that you update the path shown in the example commands to match the path to the library file in your Oracle Database deployment.

Library file not found

If Oracle Database cannot find the library file, the result is errors from Oracle Database or the OS.

Oracle Database error messages

ORA-28365: wallet is not open
ORA-46693: The PKCS#11 library specified in the external security module configuration is not found

Root cause

Oracle cannot locate the Vault PKCS#11 library file specified in sqlnet.ora, or the library path is not correct.

Resolution steps

Verify that the library exists.

$ ls -la /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so

Check if the file is a symbolic link pointing to the correct file location.
```
$ file /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so
```

Update sqlnet.ora with the correct path.

ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=PKCS11)
(METHOD_DATA=
    (DIRECTORY=/opt/oracle/wallet)
    (PKCS11_LIBRARY=/opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so)))

Verify Oracle user has read access to the directory path.

Library file ownership or permissions

Ownership or permission issues on the PKCS#11 library file result in errors from Oracle Database or the OS.

Oracle Database error message

ORA-46694: The PKCS#11 library cannot be loaded

OS error message

Permission denied

Root cause

Insufficient file ownership, permissions, or security restrictions preventing Oracle Database from loading the library.

Troubleshooting steps

Confirm that the Oracle Database user (default: 'oracle') is the owner, and has read and execute permissions (-rwxr-xr-x or 0755) on the library file.

$ stat /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so
    File: /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so
    Size: 26917768        Blocks: 52576      IO Block: 4096   regular file
Device: 29h/41d Inode: 1067402     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (54321/  oracle)   Gid: (54321/oinstall)
Access: 2024-10-03 19:12:45.000000000 +0000
Modify: 2024-10-03 19:12:45.000000000 +0000
Change: 2025-10-08 15:01:06.170653846 +0000
    Birth: 2025-10-08 14:52:35.921493613 +0000

If you use SELinux, check for appropriate Oracle context on the library file.

$ ls -Z /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so

Resolution steps

Set correct ownership.

$ chown oracle:oinstall /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so

Set correct permissions.

$ chmod 755 /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so

If you use SELinux, check if it is enforcing. If SELinux is enforcing, check that the appropriate Oracle context is present for the library file or consider adding a permanent policy for the file. Instructions for this step are dependent on your installation. You must review the examples shown here before you apply changes based on your deployment.
Check if SELinux is enforcing.
```
$ getenforce
```
Set appropriate context on the file.
```
$ chcon -t textrel_shlib_t /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so
```
Add a permanent policy for the file.
```
$ semanage fcontext -a -t textrel_shlib_t \
    "/opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so"
```
Restore default contexts on file.
```
$ restorecon -v /opt/vault/lib/libvault-kmip.so
```

If you use AppArmor, you may need to add an exception to Oracle's AppArmor profile.

Check AppArmor status:

$ aa-status

Edit /etc/apparmor.d/local/oracle and add:

/opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so r,
/opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so m,

Reload AppArmor:

$ systemctl reload apparmor

Library missing dependencies

Oracle Database error message

ORA-46694: The PKCS#11 library cannot be loaded

OS error message

error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file

Root cause

The PKCS#11 library has dependencies not found in the system's library path.

Resolution steps

Check library dependencies, and look for any "not found" entries.

$ ldd /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so
    linux-vdso.so.1 (0x000073d73cbd5000)
    libdl.so.2 => /lib64/libdl.so.2 (0x000073d73b074000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x000073d73ae54000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x000073d73ac3c000)
    libc.so.6 => /lib64/libc.so.6 (0x000073d73a865000)
    /lib64/ld-linux-x86-64.so.2 (0x000073d73c800000)

Install any missing dependencies using the OS package manager.
Update the LD_LIBRARY_PATH environment variable if necessary to add the path to the library file or create a library configuration file.

Wrong library file architecture or OS

If the PKCS#11 library file does not match the system architecture or OS, the result is errors from Oracle Database or the OS.

Oracle Database error message

ORA-46694: The PKCS#11 library cannot be loaded

OS error message

wrong ELF class: ELFCLASS32

Root cause

These issues result from architecture or OS mismatch between the library file and the host system.

Resolution steps

Verify Oracle Database host system architecture.

$ uname -a
Linux f8f6a2d69670 6.14.0-1014-gcp #15~24.04.1-Ubuntu SMP Fri Jul 25 23:26:08 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Verify that the library architecture matches the host architecture.

$ file /opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so
libvault-pkcs11.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4240b9491a1fb466f31b91bda11ea9740cfe1abc, with debug_info, not stripped

Download and use the correct library file version.

Network issues caused by configuration of Vault KMIP server listener, Oracle Database, or firewall rules between the two servers can prevent the integration from functioning.

Note

Ensure that you update the network addresses and port numbers in the example commands to match those used in your deployment.

Connection timeouts

If Oracle Database cannot connect to the Vault KMIP server, the result is errors from Oracle Database.

Oracle Database error message

ORA-46695: PKCS#11 module returned CKR_DEVICE_ERROR

Root cause

Network connectivity issues between Oracle database server and Vault KMIP server.

Troubleshooting steps

Use common network tools like nc or telnet to test basic connectivity between Oracle Database host and Vault KMIP server.
```
$ nc -zv vault-kmip-host.example.com 5696
```
Use the appropriate tools for any firewall rules between Oracle Database server and Vault KMIP server host to inspect their rules, and ensure allowed connectivity.
Use tools like netstat or ss to verify that Vault KMIP server is running, and listening on the expected port.
```
$ netstat -tlnp | grep 5696
```

Resolution steps

Ensure that the required port for the Vault KMIP server is open and reachable.
Verify the Vault KMIP server configuration.
```
$ vault read kmip/config
```

Configure the Vault KMIP server if necessary.

$ vault write kmip/config \
    listen_addrs=0.0.0.0:5696 \
    server_hostnames=vault.example.com \
    server_ips=10.0.1.100

TLS handshake failures

Oracle Database error message

ORA-46695: PKCS#11 module returned CKR_DEVICE_ERROR

Root cause

Certificate validation issues between Oracle PKCS#11 client and Vault KMIP server listener.

Troubleshooting steps

Manually test TLS connection.

$ openssl s_client -connect vault.example.com:5696 \
    -cert /opt/oracle/wallet/client-cert.pem \
    -key /opt/oracle/wallet/client-key.pem \
    -CAfile /opt/oracle/wallet/ca.pem

Check client certificate expiration.

$ openssl x509 -in /opt/oracle/wallet/client-cert.pem -noout -dates

Check the CA certificate expiration.

$ openssl x509 -in /opt/oracle/wallet/ca.pem -noout -dates

Verify certificate chain.

$ openssl verify -CAfile /opt/oracle/wallet/ca.pem \
    /opt/oracle/wallet/client-cert.pem

Resolution steps

Update certificates as necessary based on findings from troubleshooting steps.

Issues with certificates, private keys, or certificate authority chains can prevent Oracle Database from communicating with the Vault KMIP secrets engine server.

Note

Ensure that you update the paths and file names shown in the example commands to match the actual values in your deployment.

Client certificate not recognized

Oracle Database error message

ORA-46695: PKCS#11 module returned CKR_USER_NOT_LOGGED_IN

Root cause

The client certificate is not registered with Vault's KMIP scope or the certificate does not match the registered identity.

Resolution steps

Create KMIP scope if necessary.

$ vault write kmip/scope/oracle-tde -force

Create KMIP role.

$ vault write kmip/scope/oracle-tde/role/oracle-db \
    operation_all=true

Generate client certificate.

$ vault write -format=json \
kmip/scope/oracle-tde/role/oracle-db/credential/generate \
format=pem > kmip-cert.json

Extract certificates and key into PEM files.

Create client certificate.

$cat kmip-cert.json | jq -r .data.certificate > client-cert.pem

Create the client key.

$ cat kmip-cert.json | jq -r .data.private_key > client-key.pem

Create the certificate authority chain.

$ cat kmip-cert.json | jq -r .data.ca_chain[0] > ca.pem

Verify certificate generation.

$ vault list kmip/scope/oracle-tde/role/oracle-db/credential

Certificate format issues

If your client certificate, certificate authority certificate, or certificate chain is not valid, the result is errors from Oracle Database.

Oracle Database error message

ORA-46696: PKCS#11 configuration file is invalid

Root cause

Certificate files are not in the expected format or contain extra whitespace or characters.

Resolution steps

Verify certificate validity and format; use openssl to display details and reveal potential issues.

$ openssl x509 -in client-cert.pem -text -noout
# Should display certificate details without errors

Check for proper PEM format.

$ head -1 client-cert.pem && tail -1 client-cert.pem
# Should start with -----BEGIN CERTIFICATE-----
# Should end with -----END CERTIFICATE-----

Verify private key format.
Verify an RSA private key.
```
$ openssl rsa -in client-key.pem -check
```
Verify an elliptic curve private key.
```
$ openssl ec -in client-key.pem -check
```

CA certificate trust issues

Error messages

You might notice PKCS#11 errors in the Vault server operational log related to the KMIP server listener, containing text like these examples.

http: TLS handshake error ... remote error: tls: bad certificate

You can also find related errors from the Oracle Database KMIP client side.

tls: failed to verify certificate: x509: "kmip-client-role" certificate is not trusted

Root cause

The CA certificate is not trusted or the certificate chain is incomplete.

Resolution steps

Ensure complete certificate chain.

$ openssl crl2pkcs7 -nocrl -certfile ca.pem | \
    openssl pkcs7 -print_certs -noout

Build complete chain if needed.
If you have intermediate CA certificates, concatenate them in this order into a chain file.
```
$ cat intermediate-ca.pem root-ca.pem > ca-chain.pem
```
Verify the chain.
```
$ openssl verify -CAfile ca-chain.pem client-cert.pem
```
Update Oracle PKCS#11 configuration for Vault, ensuring that the ca_path value points to the complete chain.
Note
The configuration file is commonly created at /opt/oracle/vault/vault-pkcs11.hcl, but the path and filename can differ. The files format is HCL and resembles the example shown.
```
slot {
server = "vault.example.com:5696"
tls_cert_path = "/etc/cert.pem"
ca_path = "/etc/ca.pem"
scope = "my-service"
}
```

One area where you can meet with issues integrating the KMIP secrets engine with Oracle Database is when enabling and configuring the Wallet feature.

The following are common integration issues related to the Wallet, with the issue root cause, troubleshooting steps, and resolution steps.

Note

Ensure that you update the paths and file names shown in the example commands to match the actual values in your deployment.

Wallet creation failures

If you're unable to create a wallet, Oracle Database will log related error messages like the following examples.

Oracle Database error messages

ORA-46633: The master key cannot be created
ORA-46695: PKCS#11 module returned CKR_GENERAL_ERROR

Root cause

Issues with external keystore configuration or PKCS#11 initialization.

Resolution steps

Verify sqlnet.ora configuration is valid, and has the correct path to the PKCS#11 library file. The following is a valid example, but note that your paths could be different.

ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=PKCS11)
(METHOD_DATA=
    (DIRECTORY=/opt/oracle/wallet)
    (PKCS11_LIBRARY=/opt/oracle/extapi/64/hsm/vault/0.2.1/libvault-pkcs11.so)))

If necessary, create the wallet directory with correct ownership and permissions.

$ mkdir -p /opt/oracle/wallet && \
    chown oracle:oinstall /opt/oracle/wallet && \
    chmod 755 /opt/oracle/wallet

If necessary, connect to the database as SYSDBA, and initialize the wallet with its password.
```
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "C0ff33_1s@great!";
```

Check the Oracle Database alert log for detailed errors.

$ tail -100 $ORACLE_BASE/diag/rdbms/orcl/orcl/trace/alert_orcl.log

Wallet status issues

If the wallet exists, but you cannot use it, there could be an issue with the wallet status.

Oracle Database error messages

ORA-28365: wallet is not open
ORA-28374: typed master key not found in wallet

Troubleshooting steps

Access the Oracle Database as SYSDBA, and check the wallet status with a query like this example.

SELECT * FROM V$ENCRYPTION_WALLET;

Expected output for external keystore:

WRL_TYPE    WALLET_TYPE        STATUS        WALLET_ORDER
----------- ------------------ ------------- -------------
PKCS#11     EXTERNAL_KEYSTORE  OPEN          SINGLE

Resolution steps

Access the Oracle Database as SYSDBA, and manually open the wallet with a query like this example.
```
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "C0ff33_1s@great!";
```
While connected to Oracle Database as SYSDBA, verify the keystore configuration, with a query like this example.
```
SELECT * FROM V$CLIENT_SECRETS_CONFIGURED;
```
List files in wallet directory, to check wallet integrity.
```
$ ls -la /opt/oracle/wallet/
```
Output must include the Vault KMIP HCL configuration file, and the certificate PEM files.

Auto-login wallets with external keystores (PKCS#11) have specific requirements and limitations.

Oracle Database error messages

ORA-46658: The master key could not be activated
ORA-28374: typed master key not found in wallet

Important notes

Auto-login behavior with PKCS#11 has nuances you must be aware of.

Specifically, traditional auto-login (using cwallet.sso) is not used with PKCS#11. Instead, the wallet uses certificate-based authentication. The wallet appears to be always open because certificate based authentication does not require a password.

Resolution steps

Ensure that your configuration is correct.
Ensure that the private key used for auto-login has no passphrase set.
Enable both

Check configuration

The following is a certificate-based auto-login sqlnet.ora configuration example for your reference.

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=PKCS11)
   (METHOD_DATA=
     (DIRECTORY=/opt/oracle/wallet)
     (PKCS11_LIBRARY=/opt/vault/lib/libvault-kmip.so)))

Note

When you use PKCS#11, the configuration does not require an ENCRYPTION_WALLET_TYPE parameter.

Validate that the Oracle Database PKCS#11 configuration HCL file has correct content and syntax. The configuration file is commonly created at /opt/oracle/vault/vault-pkcs11.hcl, but the path and filename can differ. The files format is HCL and resembles the example shown.

slot {
server = "vault.example.com:5696"
tls_cert_path = "/etc/cert.pem"
ca_path = "/etc/ca.pem"
scope = "my-service"
}

If necessary, remove the passphrase from the private key.

Check if key uses a passphrase; if it prompts you for a passphrase, then a passphrase protects the key, and you need to remove it for the wallet auto-login feature.
```
$ openssl rsa -in client-key.pem -check
```

If necessary, remove passphrase from key.

$ openssl rsa -in client-key.pem -out client-key-nopass.pem

Update vault-kmip.conf to use client-key-nopass.pem.

Set correct ownership and permissions on wallet files

Ensure that the Oracle Database process user owns the wallet file content.

$ chown oracle:oinstall /opt/oracle/wallet/*

Ensure that the permissions are correct.

chmod 600 /opt/oracle/wallet/client-key.pem && \
chmod 644 /opt/oracle/wallet/client-cert.pem \
    /opt/oracle/wallet/ca.pem \ 
    /opt/oracle/wallet/vault-kmip.conf

Enable file and HSM authorization

Wallet auto-login with Vault KMIP secrets engine, requires that the wallet authorize both file and HSM.

Create a wallet in "file" mode that results in a ewallet.p12 file.
Add auto-login configuration for the new file based wallet with a cwallet.sso file.
Update the auto-login wallet to authorize both file and external HSM for the Vault KMIP secrets engine.

Tip

The third step is crucial for enabling wallet auto-login with Vault's KMIP secrets engine.

Multiple master keys

Oracle Database error messages

ORA-28374: typed master key not found in wallet
ORA-46658: The master key could not be activated

Root cause

Oracle Database needs a specific key ID that does not exist in Vault or a mismatch between Oracle Database expectation's and Vault's key storage exists.

Troubleshooting steps

Check Vault server's audit device logs and server operational logs for information during the time frames when the wallet is attempting key access with Vault for warnings, errors, and additional details which can reveal the exact root cause.
Access the Oracle Database as SYSDBA, and check the encryption keys view.
```
SELECT * FROM V$ENCRYPTION_KEYS;
```
If necessary, when accessing the Oracle Database as SYSDBA, recreate the master key, replacing the example values with your actual values.
```
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "C0ff33_1s@great!"
WITH BACKUP USING 'backup_key_20250101';
```
Read the Vault scope to verify details.
```
$ vault read kmip/scope/oracle-tde
```

Functional end-to-end test workflow

This is a basic functional test workflow to check for a problem free integration of the KMIP secrets engine with Oracle Database.

Test network connectivity from the Oracle Database host to the Vault KMIP server listener host with a tool like netcat (nc).
```
$ nc -zv vault.example.com 5696
```

Test TLS handshake from Oracle Database server to Vault KMIP server listener host with openssl.

$ openssl s_client -connect vault.example.com:5696 \
    -cert /opt/oracle/wallet/client-cert.pem \
    -key /opt/oracle/wallet/client-key.pem \
    -CAfile /opt/oracle/wallet/ca.pem \
    -showcerts

Expected output snippet:

...snip...
SSL handshake has read ... bytes
SSL handshake has sent ... bytes
Verify return code: 0 (ok)
...snip...

Verify Oracle Database can load the PKCS#11 client library with a database query like this example.
```
SELECT * FROM V$ENCRYPTION_WALLET;
```

Test key creation with this database query.

ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "C0ff33_1s@great!";

Encrypt a test tablespace.

CREATE TABLESPACE encrypted_ts
DATAFILE '/u01/app/oracle/oradata/orcl/encrypted01.dbf'
SIZE 100M
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);

Troubleshooting checklist

When you define a checklist or runbook to handle issues, you benefit from having a focused set of steps with outcomes you can use to help resolve issues.

You can use this checklist as a starting point for defining your own integration troubleshooting steps.

Checked	Component	Condition
	Vault server	KMIP secrets engine running and listening on port TCP/5696
	Vault server	KMIP scope and role properly configured
	PKCS#11	Library file exists at the specified path
	PKCS#11	Library file has correct ownership and permissions
	PKCS#11	Library file is for the correct architecture and OS
	PKCS#11	AppArmor or SELinux permits access to library file
	Oracle Database	Connectivity to Vault server on port TCP/5696
	Oracle Database	Wallet directory exists with correct ownership and permissions
	Oracle Database	Oracle process user can read certificate files specified in PKCS#11 HCL configuration
	Oracle Database	PKCS#11 HCL configuration file is valid
	Oracle Database	PKCS#11 HCL configuration file specifies correct certificate paths
	Certificates	Client certificate is valid and not expired
	Certificates	Client certificate registered in correct Vault KMIP role scope
	Certificates	Client certificate files in correct (PEM) format
	Certificates	Certificate Authority certificate chain is valid and complete
	Certificates	If using wallet auto-login feature, ensure client certificate's private key has no password set.

Summary

You learned about troubleshooting the Vault KMIP secrets engine integration with Oracle Database TDE through a wide range of examples. The examples represent most common types of issues along with their troubleshooting and resolution steps.

You now have resources, and tools like common error codes and a troubleshooting checklist starter to enhance your troubleshooting workflows.

Help and reference

Troubleshoot irrevocable leases

Recover from lost quorum