
Provisioning a RAC TDE Enabled VPDB Fails Reporting ORA-46637: Cannot Add First Keystore to the Target Keystore (KBA9302)

 

 


KBA# 9302

 

Issue

During the provisioning of an Oracle RAC Virtual Pluggable Database (VPDB), the provision fails and Delphix reports the following error:

Failed to merge keystore at "/mnt/tde/tdekeystores/ractde1" and "/home/delphix/+OCR/WALLET/RACTDE2/tde" into the new keystore at "/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde".

Delphix currently does not support the use of ASM-based keystores during VPDB TDE provisioning.

Prerequisites

The environment as it exists during the provisioning process:

  • An Oracle RAC PDB has been successfully linked as the dSource to the Delphix Engine and a snapshot of it has been captured.
  • An Oracle RAC Container Database (CDB) has been discovered by the Delphix Engine and is to be used as the destination for RAC VPDB provisions.
  • The Oracle RAC CDB to be provisioned into has Transparent Data Encryption (TDE) enabled, a wallet/keystore configured, and this keystore is stored in an Oracle ASM diskgroup.
  • An attempt has been made to provision a VPDB into the Oracle RAC CDB where the keystore is held in ASM.
  • Delphix Virtualization Engine version 6.0.13.0 or higher is being used for provisioning.

 

Applicable Delphix Versions

Major Release: 6.0
All Sub Releases: 6.0.13.0, 6.0.13.1, 6.0.14.0

Resolution

Relocate the target Oracle RAC CDB keystore from Oracle ASM based storage to a shared file system accessible to all cluster nodes, such as NFS.

This requires the keystore to be recreated outside of Oracle ASM using the process detailed in one of the following:

Delphix Knowledge Base article - Exporting a Keystore from ASM to a Target Host for Oracle TDE Provisioning (KBA8286)

OR

Oracle MOS note - How to Manage a TDE wallet created in ASM on primary and to copy on Standby in ASM (Doc ID 2251874.1)

 

ASM-based keystores cannot be copied out of ASM using asmcmd cp commands. This is detailed in Oracle MOS note: Cannot open wallet from local filesystem after cp from ASM with asmcmd (Doc ID 2085607.1).

 

Troubleshooting

The Delphix error displayed as a result of the provision failure will resemble the following:

Error
Failed to merge keystore at "/mnt/tde/tdekeystores/ractde1" and "/home/delphix/+OCR/WALLET/RACTDE2/tde" into the new keystore at "/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde".

Error Code
exception.oracle.tde.merge.into.new.keystore.failed

Suggested Action
Make sure that the parent TDE keystore password and/or target TDE keystore password are correct. Review error output for more details and retry the operation.

Command Output
 StatementCallback; uncategorized SQLException for SQL [ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/mnt/tde/tdekeystores/ractde1' IDENTIFIED BY **** AND KEYSTORE '/home/delphix/+OCR/WALLET/RACTDE2/tde' IDENTIFIED BY **** INTO NEW KEYSTORE '/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde' IDENTIFIED BY ****]; SQL state [99999]; error code [46637]; ORA-46637: cannot add first keystore to the target keystore
; nested exception is java.sql.SQLException: ORA-46637: cannot add first keystore to the target keystore

The key to the problem is the ASM path seen in the ADMINISTER KEY MANAGEMENT command syntax.

The path '/home/delphix/+OCR/WALLET/RACTDE2/tde' is malformed: it embeds an ASM location (+OCR/WALLET/RACTDE2/tde) inside a file system path, and so does not reflect the true location of the keystore belonging to the target CDB.
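The check described above can be automated when triaging a failed job. The following is an added example, not Delphix or Oracle code: it parses the MERGE KEYSTORE statement out of the command output and flags any keystore path containing an ASM diskgroup component. The function names and the role labels (first, second, new) are hypothetical, and the sample input is the output quoted in this article.

```python
import re

# Constructed sample: the command output quoted in this article.
SAMPLE_OUTPUT = (
    "StatementCallback; uncategorized SQLException for SQL [ADMINISTER KEY MANAGEMENT "
    "MERGE KEYSTORE '/mnt/tde/tdekeystores/ractde1' IDENTIFIED BY **** AND KEYSTORE "
    "'/home/delphix/+OCR/WALLET/RACTDE2/tde' IDENTIFIED BY **** INTO NEW KEYSTORE "
    "'/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde' "
    "IDENTIFIED BY ****]; SQL state [99999]; error code [46637]; "
    "ORA-46637: cannot add first keystore to the target keystore"
)

# Captures the three quoted keystore locations of a MERGE KEYSTORE statement.
MERGE_RE = re.compile(
    r"MERGE\s+KEYSTORE\s+'(?P<first>[^']+)'.*?"
    r"AND\s+KEYSTORE\s+'(?P<second>[^']+)'.*?"
    r"INTO\s+NEW\s+KEYSTORE\s+'(?P<new>[^']+)'",
    re.IGNORECASE | re.DOTALL,
)

def asm_component(path):
    """Return the first path component that looks like an ASM diskgroup (+NAME), or None."""
    for part in path.split("/"):
        if re.fullmatch(r"\+[A-Za-z][A-Za-z0-9_$#]*", part):
            return part
    return None

def triage(output):
    """Extract keystore paths from a failed MERGE KEYSTORE statement and flag ASM ones."""
    m = MERGE_RE.search(output)
    if m is None:
        return None
    findings = {}
    for role, path in m.groupdict().items():
        group = asm_component(path)
        findings[role] = {
            "path": path,
            "asm_diskgroup": group,
            # ASM reference behind a file system prefix: the malformed case in this article.
            "malformed": group is not None and not path.startswith("+"),
        }
    return findings

if __name__ == "__main__":
    for role, info in triage(SAMPLE_OUTPUT).items():
        print(role, info)
```

Any keystore reported with an ASM diskgroup indicates the target CDB keystore must be relocated as described in the Resolution section before retrying the provision.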