Migrating TDE Enabled Database to Oracle Cloud Using PeopleSoft Cloud Manager
Transparent Data Encryption (TDE) enables customers to encrypt sensitive data, such as Personally Identifiable Information (PII), that are stored in tables and tablespaces.
After the data is encrypted, this data is transparently decrypted for authorized users or applications when they access this data. TDE helps protect data stored on media (also called data at rest) in the event that the storage media or data file is compromised.
This is a graphical representation of the Transparent Data Encryption for Cloud Manager.
Prerequisites
Below requirements must be satisfied to successfully migrate a TDE enabled database.
Database being migrated must have TDE enabled and required tablespaces already encrypted.
Follow the support guidelines for PeopleSoft PeopleTools and PeopleSoft applications on My Oracle Support Certifications and on the PeopleSoft Cloud Manager Home Page, My Oracle Support, Doc ID 2231255.2.
Database must be an Oracle 19c or later container database.
Must be a Unicode, non-RAC and non-ASM database.
Must have a subscription to OCI DBaaS.
Migration to Compute instance is not supported.
Remote lift is not supported on TDE.
After the lift process is completed, DPKs are created and the TDE Encryption Keys are exported to a file. This exported file must be securely stored and later provided as input when deploying the lifted DPKs.
Download the latest lift utility.
Copy and extract the utility on the on-premises environment.
Run the lift utility to package database and middle-tier environment into DPKs. The Lift utility when triggered on a TDE Enabled Database prompts for TDE Keystore (Wallet) Password.
This example illustrates the Lift Utility for TDE enabled database which prompts for the TDE Keystore (Wallet) password.
Lift utility uploads the DPKs to Oracle Cloud Infrastructure Object Storage.
The TDE encryption wallet directory will be packaged on the on-premises system in a zip file under /<LIFT_UTILITY_PATH>/data/masterkey.zip. The lift log file will have the path to the zip file as shown in the example below. This zip file must be backed up and available when shifting.
Lift Log File (/<Lift_Utility>/data/psft_lift_session_<PDBNAME>_<SESSIONID>_<PID>.log)
After the lifted DPKs are uploaded to Oracle Cloud Infrastructure Object Storage, navigate to the Lift and Shift page in Cloud Manager and click the button to ‘List Object Store Items’ to refresh the list. Follow below steps to deploy the lifted DPKs.
Securely copy the TDE encryption key export file (masterkey.zip, this should be accessible for psadm2 users) to Cloud Manager instance using your favorite SCP tool.
Note: The length of the path to the zip file must be less than 30 characters.
Identify the lifted DPK that must be shifted and initiate shift process by selecting ‘Create Environment’ in the Actions menu.
Provide all the New Environment Information and click Next.
In Advanced Options, the Target Database On option is set to DBaaS. Compute option is not supported when migrating a TDE encrypted database. Select the PeopleTools patch version and click Next.
This example illustrates the fields and controls on the Lift and Shift – Advanced Options page.
In Custom Attributes page, TDE related inputs are listed under DB Systems > Credentials. Provide the path to the masterkey.zip file from step 1 as input to TDE Master Key file location and the secret password. Provide all other required inputs and click Next.
Note: User is only prompted for TDE Wallet password during Lift, however during Shift the user will be prompted for both TDE Wallet and Master Key secret passwords. Master key secret password is user specific with no restrictions.
This example illustrates the fields and controls on the TDE Specific Fields in Custom Attributes Page.
Finally, review all inputs and submit the request to start provisioning the lifted DPKs.