Using Oracle Multitenant in Exadata Cloud Service
By default, an Oracle Multitenant environment is created when you create an Oracle Database Exadata Cloud Service database deployment that uses Oracle Database 12c, or later.
The multitenant architecture enables an Oracle database to function as a multitenant container database (CDB) that includes zero, one, or many pluggable databases (PDBs). A PDB is a portable collection of schemas, schema objects, and non-schema objects that appears to an Oracle Net Services client as a non-CDB. All Oracle databases before Oracle Database 12c were non-CDBs.
Creating and Activating a Master Encryption Key for a PDB
To use Oracle Transparent Data Encryption (TDE) in a pluggable database (PDB), you must create and activate a master encryption key for the PDB.
In a multitenant environment, each PDB has its own master encryption key which is stored in a single keystore used by all containers.
- Invoke SQL*Plus and log in to the database as the SYS user with SYSDBA privileges.
- Set the container to the PDB:
  SQL> ALTER SESSION SET CONTAINER = pdb;
- Query V$ENCRYPTION_WALLET as follows:
  SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
If the STATUS column contains a value of OPEN_NO_MASTER_KEY, you need to create and activate the master encryption key.
To create and activate the master encryption key in a PDB, perform the following steps:
- Set the container to the PDB:
  SQL> ALTER SESSION SET CONTAINER = pdb;
- Create and activate a master encryption key in the PDB by executing the following command:
  SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tag' FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING 'backup_identifier';
  In the above command:
  - keystore-password is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database deployment is created.
  - The optional USING TAG 'tag' clause can be used to associate a tag with the new master encryption key.
  - The WITH BACKUP clause, and the optional USING 'backup_identifier' clause, can be used to create a backup of the keystore before the new master encryption key is created.
  See also ADMINISTER KEY MANAGEMENT in Oracle Database SQL Language Reference for Release 18 or 12.2.
  Note:
  To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.
  If your Oracle Database 12c Release 1 deployment does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:
  - Close the keystore.
  - Open the password-based keystore.
  - Create and activate a master encryption key in the PDB by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.
  - Update the auto-login keystore by using ADMINISTER KEY MANAGEMENT with the CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE option.
- Query V$ENCRYPTION_WALLET again to verify that the STATUS column is set to OPEN:
  SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
- Query V$INSTANCE and take note of the value in the HOST_NAME column, which identifies the database server that contains the newly updated keystore files:
  SQL> SELECT host_name FROM v$instance;
- Copy the updated keystore files to all of the other database servers.
  To distribute the updated keystore you must perform the following actions on each database server that does not contain the updated keystore files:
  - Connect to the root container and query V$ENCRYPTION_WALLET. Take note of the keystore location contained in the WRL_PARAMETER column:
    SQL> SELECT wrl_parameter, status FROM v$encryption_wallet;
  - Copy the updated keystore files.
    You must copy all of the updated keystore files from a database server that has already been updated. Use the keystore location observed in the WRL_PARAMETER column of V$ENCRYPTION_WALLET.
  - Open the updated keystore:
    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE open FORCE KEYSTORE IDENTIFIED BY keystore-password CONTAINER=all;
    Note:
    To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.
    If your Oracle Database 12c Release 1 deployment does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:
    - Close the keystore before copying the updated keystore files.
    - Copy the updated keystore files.
    - Open the updated keystore by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.
- Query GV$ENCRYPTION_WALLET to verify that the STATUS column is set to OPEN across all of the database instances:
  SQL> SELECT wrl_parameter, status, wallet_type FROM gv$encryption_wallet;
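The procedure above, collected into one SQL*Plus script as an added example (this is not a script from the Oracle documentation or from Exadata Cloud Service). It assumes a PDB named PDB1, a constructed key tag and backup identifier, and that the keystore password is prompted at run time rather than written into the file. The SET KEY command is issued through EXECUTE IMMEDIATE so that it only runs when the PDB actually reports OPEN_NO_MASTER_KEY, which keeps a re-run of the script from rotating a key that is already active.

```sql
-- Added example, not Oracle's own script. Assumptions (constructed): PDB1,
-- tag 'pdb1_initial_key', backup identifier 'before_pdb1_key'.
-- Run as:  sqlplus / as sysdba @activate_pdb_key.sql
SET VERIFY OFF SERVEROUTPUT ON
ACCEPT ks_pwd CHAR PROMPT 'Keystore password: ' HIDE

-- Step 1: switch to the PDB.
ALTER SESSION SET CONTAINER = PDB1;

-- Step 2: inspect the keystore as seen from the PDB.
-- STATUS = OPEN_NO_MASTER_KEY means the PDB has no active master key yet.
SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

-- Step 3: create and activate a key only when none is active. Making the DDL
-- conditional avoids silently rotating a key on a PDB that already has one.
-- FORCE KEYSTORE requires 12.2+ or the October 2017 bundle patch on 12.1.
DECLARE
  v_missing PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO v_missing
    FROM v$encryption_wallet
   WHERE wrl_type = 'FILE' AND status = 'OPEN_NO_MASTER_KEY';

  IF v_missing > 0 THEN
    EXECUTE IMMEDIATE q'[ADMINISTER KEY MANAGEMENT SET KEY
      USING TAG 'pdb1_initial_key'
      FORCE KEYSTORE IDENTIFIED BY "&ks_pwd"
      WITH BACKUP USING 'before_pdb1_key']';
    DBMS_OUTPUT.PUT_LINE('Master key created and activated for PDB1.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('No action: PDB1 already has an active master key.');
  END IF;
END;
/

-- Step 4: confirm the key is active and record which server now holds the
-- updated keystore files. Only this host has them; the others are stale
-- until the files are copied.
SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT host_name FROM v$instance;

-- Step 5: on each OTHER database server, after the files under wrl_parameter
-- (typically ewallet.p12 and cwallet.sso) have been copied from the host
-- above, open the new keystore for all containers from the root container
-- in a separate session:
--   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN FORCE KEYSTORE
--     IDENTIFIED BY "<keystore-password>" CONTAINER = ALL;

-- Step 6: cluster-wide check. Every instance should report OPEN; a row in
-- the second result set is an instance whose keystore copy was missed and
-- which cannot yet decrypt PDB1's data.
SELECT inst_id, wrl_parameter, status, wallet_type
  FROM gv$encryption_wallet
 ORDER BY inst_id;

SELECT inst_id, status
  FROM gv$encryption_wallet
 WHERE wrl_type = 'FILE' AND status <> 'OPEN';
```

The final query is the check worth keeping in a runbook: the per-instance status in GV$ENCRYPTION_WALLET is the only place that shows a node whose keystore files were never refreshed, and such a node fails the moment a session on it touches an encrypted tablespace in the PDB.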
Exporting and Importing a Master Encryption Key for a PDB
You must export and import the master encryption key for any encrypted PDBs you plug into your database deployment.
If your source PDB is encrypted, you must export the master encryption key and then import it. In a multitenant environment, each PDB has its own master encryption key which is stored in a single keystore used by all containers.
You can export and import all of the TDE master encryption keys that belong to the PDB by exporting and importing the TDE master encryption keys from within a PDB. Export and import of TDE master encryption keys support the PDB unplug and plug operations. During a PDB unplug and plug, all of the TDE master encryption keys that belong to a PDB, as well as the metadata, are involved.
See "Exporting and Importing TDE Master Encryption Keys for a PDB" in Oracle Database Advanced Security Guide for Release 18, 12.2 or 12.1.
See "ADMINISTER KEY MANAGEMENT" in Oracle Database SQL Language Reference for Release 18, 12.2 or 12.1.
- Invoke SQL*Plus and log in to the PDB.
- Export the master encryption key by executing the following command:
  SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "secret" TO 'filename' IDENTIFIED BY keystore-password;
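The export step as an added example script (not Oracle's own code). It assumes a PDB named PDB1 and a constructed export path under a directory readable only by the oracle OS user; the keystore password and the export secret are prompted rather than embedded. Before exporting, it lists the keys in V$ENCRYPTION_KEYS so the operator can see that all of the PDB's historical keys, not only the current one, are about to travel with the PDB, and it refuses to write an export file while the keystore is not OPEN.

```sql
-- Added example, not Oracle's own script. Assumptions (constructed): PDB1 and
-- the export file /u01/app/oracle/keyexport/pdb1_keys.exp on the DB server.
-- Run as:  sqlplus / as sysdba @export_pdb_keys.sql
SET VERIFY OFF SERVEROUTPUT ON
ACCEPT ks_pwd     CHAR PROMPT 'Keystore password: ' HIDE
ACCEPT exp_secret CHAR PROMPT 'Export secret (needed again at import): ' HIDE

ALTER SESSION SET CONTAINER = PDB1;

-- What will be exported: every master key this PDB has activated. Older keys
-- are still needed to read data encrypted before the last rekey.
SELECT key_id, tag,
       TO_CHAR(activation_time, 'YYYY-MM-DD HH24:MI') AS activated
  FROM v$encryption_keys
 ORDER BY activation_time;

-- Export only from an OPEN keystore; any other status aborts before a file
-- is written, so a half-configured PDB cannot produce a misleading export.
DECLARE
  v_status VARCHAR2(30);
BEGIN
  SELECT status INTO v_status
    FROM v$encryption_wallet
   WHERE wrl_type = 'FILE' AND ROWNUM = 1;

  IF v_status <> 'OPEN' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Keystore status is ' || v_status || ', expected OPEN');
  END IF;

  EXECUTE IMMEDIATE q'[ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
    WITH SECRET "&exp_secret"
    TO '/u01/app/oracle/keyexport/pdb1_keys.exp'
    IDENTIFIED BY "&ks_pwd"]';
  DBMS_OUTPUT.PUT_LINE('Keys exported to /u01/app/oracle/keyexport/pdb1_keys.exp');
END;
/
```

The export file is protected only by the secret given in WITH SECRET, so the file and the secret should reach the target deployment over separate channels, and the file should be removed from both servers once the keys have been imported there.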
To import the master encryption key perform the following steps: