Using Oracle Multitenant in Exadata Cloud Service

By default, an Oracle Multitenant environment is created when you create an Oracle Database Exadata Cloud Service database deployment that uses Oracle Database 12c, or later.

The multitenant architecture enables an Oracle database to function as a multitenant container database (CDB) that includes zero, one, or many pluggable databases (PDBs). A PDB is a portable collection of schemas, schema objects, and non-schema objects that appears to an Oracle Net Services client as a non-CDB. All Oracle databases before Oracle Database 12c were non-CDBs.

Creating and Activating a Master Encryption Key for a PDB

To use Oracle Transparent Data Encryption (TDE) in a pluggable database (PDB), you must create and activate a master encryption key for the PDB.

In a multitenant environment, each PDB has its own master encryption key which is stored in a single keystore used by all containers.

To determine whether you need to create and activate an encryption key for the PDB, perform the following steps:
  1. Invoke SQL*Plus and log in to the database as the SYS user with SYSDBA privileges.

  2. Set the container to the PDB:

    SQL> ALTER SESSION SET CONTAINER = pdb;

  3. Query V$ENCRYPTION_WALLET as follows:

    SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

    If the STATUS column contains a value of OPEN_NO_MASTER_KEY you need to create and activate the master encryption key.

To create and activate the master encryption key in a PDB, perform the following steps:

  1. Set the container to the PDB:

    SQL> ALTER SESSION SET CONTAINER = pdb;

  2. Create and activate a master encryption key in the PDB by executing the following command:

    SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tag' FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING 'backup_identifier';

    In the above command:

    • keystore-password is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database deployment is created.

    • The optional USING TAG 'tag' clause can be used to associate a tag with the new master encryption key.

    • The WITH BACKUP clause, and the optional USING 'backup_identifier' clause, can be used to create a backup of the keystore before the new master encryption key is created.

    See also ADMINISTER KEY MANAGEMENT in Oracle Database SQL Language Reference for Release 18 or 12.2.

    Note:

    To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.

    If your Oracle Database 12c Release 1 deployment does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:

    • Close the keystore.

    • Open the password-based keystore.

    • Create and activate a master encryption key in the PDB by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.

    • Update the auto-login keystore by using ADMINISTER KEY MANAGEMENT with the CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE option.

  3. Query V$ENCRYPTION_WALLET again to verify that the STATUS column is set to OPEN:

    SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

  4. Query V$INSTANCE and take note of the value in the HOST_NAME column, which identifies the database server that contains the newly updated keystore files:

    SQL> SELECT host_name FROM v$instance;

  5. Copy the updated keystore files to all of the other database servers.

    To distribute the updated keystore you must perform the following actions on each database server that does not contain the updated keystore files:

    1. Connect to the root container and query V$ENCRYPTION_WALLET. Take note of the keystore location contained in the WRL_PARAMETER column:

      SQL> SELECT wrl_parameter, status FROM v$encryption_wallet;

    2. Copy the updated keystore files.

      You must copy all of the updated keystore files from a database server that has already been updated. Use the keystore location observed in the WRL_PARAMETER column of V$ENCRYPTION_WALLET.

    3. Open the updated keystore:

      SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN FORCE KEYSTORE IDENTIFIED BY keystore-password CONTAINER=all;

      Note:

      To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the FORCE KEYSTORE option to the ADMINISTER KEY MANAGEMENT command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.

      If your Oracle Database 12c Release 1 deployment does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:

      • Close the keystore before copying the updated keystore files.

      • Copy the updated keystore files.

      • Open the updated keystore by using ADMINISTER KEY MANAGEMENT without the FORCE KEYSTORE option.

  6. Query GV$ENCRYPTION_WALLET to verify that the STATUS column is set to OPEN across all of the database instances:

    SQL> SELECT wrl_parameter, status, wallet_type FROM gv$encryption_wallet;
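The following SQL*Plus script is an added example, not part of the Oracle documentation above. It puts the check, the key creation and the verification steps of this section into one re-runnable script: the key is created only when V$ENCRYPTION_WALLET reports OPEN_NO_MASTER_KEY, and a final GV$ query lists any instance where the keystore is still not OPEN. The PDB name MYPDB, the placeholder "<keystore-password>", the tag and backup identifiers, and the use of EXECUTE IMMEDIATE to issue ADMINISTER KEY MANAGEMENT from PL/SQL are assumptions; the script also assumes a release that supports FORCE KEYSTORE (12.2 and later, or 12.1 with the October 2017 bundle patch).

```sql
-- Added example (not from the Oracle documentation): create and activate a
-- PDB master encryption key only when it is missing, then verify the result
-- on every instance. Run in SQL*Plus as SYS AS SYSDBA.
-- Assumed placeholders: MYPDB, "<keystore-password>", tag/backup identifiers.
SET SERVEROUTPUT ON

ALTER SESSION SET CONTAINER = MYPDB;

-- Inspect the keystore as seen from this PDB. OPEN_NO_MASTER_KEY means the
-- shared keystore is open but no key has been activated for this container.
SELECT con_id, wrl_type, wrl_parameter, status, wallet_type
  FROM v$encryption_wallet;

-- Create and activate a key only when one is missing, so the block is safe
-- to re-run. Assumes 12.2+ (or patched 12.1) for FORCE KEYSTORE and that
-- ADMINISTER KEY MANAGEMENT may be issued through dynamic SQL.
DECLARE
  v_status VARCHAR2(30);
BEGIN
  SELECT status INTO v_status
    FROM v$encryption_wallet
   WHERE wrl_type = 'FILE' AND ROWNUM = 1;

  IF v_status = 'OPEN_NO_MASTER_KEY' THEN
    EXECUTE IMMEDIATE q'[ADMINISTER KEY MANAGEMENT SET KEY
        USING TAG 'mypdb-initial-key'
        FORCE KEYSTORE IDENTIFIED BY "<keystore-password>"
        WITH BACKUP USING 'before_mypdb_key']';
    DBMS_OUTPUT.PUT_LINE('Master key created and activated for MYPDB');
  ELSIF v_status = 'OPEN' THEN
    DBMS_OUTPUT.PUT_LINE('No action: a master key is already active');
  ELSE
    -- CLOSED, NOT_AVAILABLE, ...: do not attempt key creation blindly
    RAISE_APPLICATION_ERROR(-20001, 'Unexpected keystore status: ' || v_status);
  END IF;
END;
/

-- Confirm the key is now active and record which server holds the updated
-- keystore files; they must be copied to every other database server.
SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT host_name, instance_name FROM v$instance;

-- After the files under WRL_PARAMETER have been copied to the other servers,
-- open the keystore there from the root container:
--   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN FORCE KEYSTORE
--     IDENTIFIED BY "<keystore-password>" CONTAINER = ALL;

-- Final check from any instance: every row returned is an instance and
-- container where the keystore is not fully OPEN and still needs attention.
SELECT inst_id, con_id, wrl_type, status, wallet_type
  FROM gv$encryption_wallet
 WHERE wrl_type = 'FILE' AND status <> 'OPEN'
 ORDER BY inst_id, con_id;
```

The PL/SQL block deliberately refuses to act on any status other than OPEN_NO_MASTER_KEY or OPEN: a CLOSED or NOT_AVAILABLE keystore points to a problem with the keystore itself (wrong location, missing auto-login file, files not yet copied) that key creation would not fix. The closing GV$ query is the one to keep in a post-change checklist, since a keystore that is OPEN on the instance you worked on but not on the others will surface only when a session on another instance touches encrypted data.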

Exporting and Importing a Master Encryption Key for a PDB

You must export and import the master encryption key for any encrypted PDBs you plug into your database deployment.

If your source PDB is encrypted, you must export the master encryption key and then import it. In a multitenant environment, each PDB has its own master encryption key which is stored in a single keystore used by all containers.

You can export and import all of the TDE master encryption keys that belong to the PDB by exporting and importing the TDE master encryption keys from within a PDB. Export and import of TDE master encryption keys support the PDB unplug and plug operations. During a PDB unplug and plug, all of the TDE master encryption keys that belong to a PDB, as well as the metadata, are involved.

See "Exporting and Importing TDE Master Encryption Keys for a PDB" in Oracle Database Advanced Security Guide for Release 18, 12.2 or 12.1.

See "ADMINISTER KEY MANAGEMENT" in Oracle Database SQL Language Reference for Release 18, 12.2 or 12.1.

To export the master encryption keys, perform the following steps:
  1. Invoke SQL*Plus and log in to the PDB.

  2. Export the master encryption key by executing the following command:

    SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "secret" TO 'filename' IDENTIFIED BY keystore-password;

To import the master encryption key perform the following steps:

  1. Invoke SQL*Plus and log in to the PDB.

  2. Import the master encryption key by executing the following command:

    SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "secret" FROM 'filename' IDENTIFIED BY keystore-password;
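The following script is an added example, not part of the Oracle documentation above. It shows the export and import commands of this section in the context they are meant for: an encrypted PDB being unplugged from one CDB and plugged into another, with a check on each side that the keys actually travelled with it. The PDB name SRCPDB, the paths under /tmp, the placeholders "<transport-secret>" and "<keystore-password>", and the backup identifier are assumptions; the plug-in command is shown without the storage clauses an Exadata (ASM) target would need.

```sql
-- Added example (not from the Oracle documentation): carry an encrypted PDB's
-- TDE master keys through an unplug/plug between two CDBs.
-- Assumed placeholders: SRCPDB, /tmp paths, "<transport-secret>",
-- "<keystore-password>". Run each half in SQL*Plus as SYS AS SYSDBA.

---------------- On the source CDB ----------------
ALTER SESSION SET CONTAINER = SRCPDB;

-- Export every master key the PDB has used, wrapped with a transport secret
-- that is independent of either keystore password. The export file is as
-- sensitive as the keystore itself: keep it off shared storage, transfer it
-- over an authenticated channel and delete it after a successful import.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "<transport-secret>"
  TO '/tmp/srcpdb_tde_keys.exp'
  IDENTIFIED BY "<keystore-password>";

ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER PLUGGABLE DATABASE srcpdb CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE srcpdb UNPLUG INTO '/tmp/srcpdb.xml';

---------------- On the target CDB ----------------
-- Plug in (datafiles and the export file already transferred) and open the
-- PDB so the keystore can be administered from inside it. Storage clauses
-- for the target (ASM on Exadata) are omitted here.
CREATE PLUGGABLE DATABASE srcpdb USING '/tmp/srcpdb.xml';
ALTER PLUGGABLE DATABASE srcpdb OPEN;

ALTER SESSION SET CONTAINER = SRCPDB;

-- Before the import the target keystore holds no key for this PDB; as in the
-- check earlier on this page, OPEN_NO_MASTER_KEY is the status to look for.
SELECT status, wallet_type FROM v$encryption_wallet WHERE wrl_type = 'FILE';

ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS
  WITH SECRET "<transport-secret>"
  FROM '/tmp/srcpdb_tde_keys.exp'
  FORCE KEYSTORE IDENTIFIED BY "<keystore-password>"
  WITH BACKUP USING 'before_srcpdb_import';

-- The imported keys (including historical ones still needed for older
-- encrypted blocks) should now be listed for the PDB, and the keystore
-- status should no longer be OPEN_NO_MASTER_KEY.
SELECT key_id, tag, creation_time
  FROM v$encryption_keys
 ORDER BY creation_time;
SELECT status, wallet_type FROM v$encryption_wallet WHERE wrl_type = 'FILE';

-- Restart the PDB so encrypted tablespaces come online with the imported
-- keys, then distribute the updated keystore files to the other database
-- servers exactly as in the key-creation procedure above.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER PLUGGABLE DATABASE srcpdb CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE srcpdb OPEN;
```

Two points worth keeping in mind when adapting this: the transport secret protects the export file, so it should be generated per transfer and never reused as a keystore password; and because the import writes new keys into the target CDB's shared keystore, the same copy-and-open distribution across database servers that applies after key creation applies here too.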