8 Administering United Mode
Administering united mode means managing the keystores, master encryption keys, and general Transparent Data Encryption (TDE) functionality.
- Administering Keystores and Master Encryption Keys in United Mode: After you configure a keystore and master encryption key for use in united mode, you can perform tasks such as rekeying TDE master encryption keys.
- Administering Transparent Data Encryption in United Mode: You can perform general administrative tasks with Transparent Data Encryption in united mode.
8.1 Administering Keystores and Master Encryption Keys in United Mode
After you configure a keystore and master encryption key for use in united mode, you can perform tasks such as rekeying TDE master encryption keys.
- Changing the Keystore Password in United Mode: You can change the password of either a TDE wallet or an external keystore only in the CDB root.
- Backing Up a Password-Protected TDE Wallet in United Mode: The BACKUP KEYSTORE clause of the ADMINISTER KEY MANAGEMENT statement backs up a password-protected TDE wallet.
- Closing Keystores in United Mode: You can close both TDE wallet and external keystores in united mode, unless the system tablespace is encrypted.
- Creating TDE Master Encryption Keys for Later Use in United Mode: You can create a TDE master encryption key that can be activated at a later date.
- Example: Creating a Master Encryption Key in All PDBs: You can use the ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG statement to create a TDE master encryption key in all PDBs.
- Activating TDE Master Encryption Keys in United Mode: After you activate a TDE master encryption key, it can be used.
- Creating User-Defined TDE Master Encryption Keys: You can create a user-defined TDE master encryption key outside the database by generating a TDE master encryption key ID.
- Rekeying the TDE Master Encryption Key in United Mode: You can use the ADMINISTER KEY MANAGEMENT statement with the SET KEY clause to rekey a TDE master encryption key.
- Finding the TDE Master Encryption Key That Is in Use in United Mode: A TDE master encryption key that is in use is the key that was activated most recently for the database.
- Creating a Custom Attribute Tag in United Mode: To create a custom attribute tag in united mode, you must use the SET TAG clause of the ADMINISTER KEY MANAGEMENT statement.
- Moving TDE Master Encryption Keys into a New Keystore in United Mode: You can move an existing TDE master encryption key into a new keystore from an existing password-protected keystore.
- Automatically Removing Inactive TDE Master Encryption Keys in United Mode: In united mode, the REMOVE_INACTIVE_STANDBY_TDE_MASTER_KEY initialization parameter can configure the automatic removal of inactive TDE master encryption keys.
- Isolating a Pluggable Database Keystore: Isolating a PDB keystore moves the master encryption key from the CDB root keystore into an isolated mode keystore in the PDB.
8.1.1 Changing the Keystore Password in United Mode
You can change the password of either a TDE wallet or an external keystore only in the CDB root.
- Changing the Password-Protected TDE Wallet Password in United Mode: To change the password of a password-protected TDE wallet in united mode, you must use the ADMINISTER KEY MANAGEMENT statement in the CDB root.
- Changing the Password of an External Keystore in United Mode: To change the password of an external keystore, you must close the external keystore and then change the password from the external keystore management interface.
8.1.1.1 Changing the Password-Protected TDE Wallet Password in United Mode
To change the password of a password-protected TDE wallet in united mode, you must use the ADMINISTER KEY MANAGEMENT statement in the CDB root.
WITH BACKUP clause, and thus forced to make a backup of the current TDE wallet. During the password change operation, Transparent Data Encryption operations such as encryption and decryption continue to work normally. You can change this password at any time. You should change this password if you think it was compromised.
8.1.1.2 Changing the Password of an External Keystore in United Mode
To change the password of an external keystore, you must close the external keystore and then change the password from the external keystore management interface.
8.1.2 Backing Up a Password-Protected TDE Wallet in United Mode
The BACKUP KEYSTORE clause of the ADMINISTER KEY MANAGEMENT statement backs up a password-protected TDE wallet.
8.1.3 Closing Keystores in United Mode
You can close both TDE wallet and external keystores in united mode, unless the system tablespace is encrypted.
- About Closing Keystores: After you open a keystore, it remains open until you shut down the database instance.
- Closing a TDE Wallet in United Mode: You can close password-protected TDE wallets, auto-login TDE wallets, and local auto-login TDE wallets in united mode.
- Closing an External Keystore in United Mode: To close an external keystore, you must use the ADMINISTER KEY MANAGEMENT statement with the SET KEYSTORE CLOSE clause.
8.1.3.1 About Closing Keystores
After you open a keystore, it remains open until you shut down the database instance.
When you restart the database instance, auto-login and local auto-login TDE wallets open automatically when required (that is, when the TDE master encryption key must be accessed). However, password-protected TDE wallets and external keystores do not open automatically. You must manually open them again before you can use them.
When you close a TDE wallet or an external keystore, you disable all of the encryption and decryption operations on the database. Hence, a database user or application cannot perform any operation involving encrypted data until the TDE wallet or keystore is reopened.
When you re-open a TDE wallet keystore after closing it, its contents are reloaded back into the database. Thus, if the contents had been modified (such as during a migration), the database will have the latest TDE wallet or keystore contents.
When you run the ALTER PLUGGABLE DATABASE CLOSE statement or the SHUTDOWN command for a PDB, a keystore in the OPEN state for the PDB remains open until a user who has the SYSKM administrative privilege manually closes it with the ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE statement.
You can check if a TDE wallet or keystore is closed by querying the STATUS column of the V$ENCRYPTION_WALLET view.
The following data operations fail if the TDE wallet or keystore is not accessible:
- SELECT data from an encrypted column
- INSERT data into an encrypted column
- CREATE a table with encrypted columns
- CREATE an encrypted tablespace
8.1.3.2 Closing a TDE Wallet in United Mode
You can close password-protected TDE wallets, auto-login TDE wallets, and local auto-login TDE wallets in united mode.
- Connect to the CDB root as a common user who has been granted the ADMINISTER KEY MANAGEMENT or SYSKM privilege.
- Use the ADMINISTER KEY MANAGEMENT statement to close the TDE wallet.
  - For a password-protected TDE wallet, use the following syntax if you are in the CDB root:
    ADMINISTER KEY MANAGEMENT SET | FORCE KEYSTORE CLOSE [IDENTIFIED BY [EXTERNAL STORE | TDE_wallet_password]] [CONTAINER = ALL | CURRENT];
    Use the SET clause to close the TDE wallet without force. If there is a dependent TDE wallet that is open (for example, an isolated mode PDB TDE wallet and you are trying to close the CDB root TDE wallet), then an ORA-46692 cannot close wallet error appears. If this happens, then use the FORCE clause instead of SET to temporarily close the dependent TDE wallet during the close operation. The STATUS column of the V$ENCRYPTION_WALLET view shows if a TDE wallet is open.
    If you are in the united mode PDB, then either omit the CONTAINER clause or set it to CURRENT.
  - For an auto-login or local auto-login TDE wallet, use this syntax if you are in the CDB root:
    ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE [CONTAINER = ALL | CURRENT];
8.1.3.3 Closing an External Keystore in United Mode
To close an external keystore, you must use the ADMINISTER KEY MANAGEMENT statement with the SET KEYSTORE CLOSE clause.
8.1.4 Creating TDE Master Encryption Keys for Later Use in United Mode
You can create a TDE master encryption key that can be activated at a later date.
- About Creating a TDE Master Encryption Key for Later Use: The CREATE KEY clause of the ADMINISTER KEY MANAGEMENT statement can create a TDE master encryption key to be activated at a later date.
- Creating a TDE Master Encryption Key for Later Use in United Mode: A TDE wallet must be opened before you can create a TDE master encryption key for use later on in united mode.
8.1.4.1 About Creating a TDE Master Encryption Key for Later Use
The CREATE KEY clause of the ADMINISTER KEY MANAGEMENT statement can create a TDE master encryption key to be activated at a later date.
You then can activate this key on the same database or export it to another database and activate it there.
This method of TDE master encryption key creation is useful in a multitenant environment when you must re-create the TDE master encryption keys. The CREATE KEY clause enables you to use a single SQL statement to generate a new TDE master encryption key for all of the PDBs within a multitenant environment. The creation time of the new TDE master encryption key is later than the activation of the TDE master encryption key that is currently in use. Hence, the creation time can serve as a reminder to all of the PDBs to activate the most recently created TDE master encryption key as soon as possible.
8.1.5 Example: Creating a Master Encryption Key in All PDBs
You can use the ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG statement to create a TDE master encryption key in all PDBs.
Example 8-1 shows how to create a master encryption key in all of the PDBs in a multitenant environment. It uses the FORCE KEYSTORE clause in the event that the auto-login keystore in the CDB root is open. The password is stored externally, so the EXTERNAL STORE setting is used for the IDENTIFIED BY clause. After you run this statement, a master encryption key is created in each PDB. You can find the identifiers for these keys as follows:
- Log in to the PDB and then query the TAG column of the V$ENCRYPTION_KEYS view.
- Log in to the CDB root and then query the INST_ID and TAG columns of the GV$ENCRYPTION_KEYS view.
You also can check the CREATION_TIME column of these views to find the most recently created key, which would be the key that you created from this statement. After you create the keys, you can individually activate the keys in each of the PDBs.
Example 8-1 Creating a Master Encryption Key in All of the PDBs
ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG 'scope:all pdbs;description:Create Key for ALL PDBS'
FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP CONTAINER = ALL;

keystore altered.
8.1.6 Activating TDE Master Encryption Keys in United Mode
After you activate a TDE master encryption key, it can be used.
- About Activating TDE Master Encryption Keys: You can activate a previously created or imported TDE master encryption key by using the USE KEY clause of ADMINISTER KEY MANAGEMENT.
- Activating a TDE Master Encryption Key in United Mode: To activate a TDE master encryption key in united mode, you must open the keystore and use ADMINISTER KEY MANAGEMENT with the USE KEY clause.
- Example: Activating a TDE Master Encryption Key: You can use the ADMINISTER KEY MANAGEMENT SQL statement to activate a TDE master encryption key.
8.1.6.1 About Activating TDE Master Encryption Keys
You can activate a previously created or imported TDE master encryption key by using the USE KEY clause of ADMINISTER KEY MANAGEMENT.
After you activate the master encryption key, it is used to encrypt all data encryption keys in your database. The key will be used to protect all of the column keys and all of the tablespace encryption keys. If you have deployed a logical standby database, then you must export the TDE master encryption keys after recreating them, and then import them into the standby database. You can have the TDE master encryption key in use on both the primary and the standby databases. To do so, you must activate the TDE master encryption key after you import it to the logical standby database.
8.1.6.2 Activating a TDE Master Encryption Key in United Mode
To activate a TDE master encryption key in united mode, you must open the keystore and use ADMINISTER KEY MANAGEMENT with the USE KEY clause.
8.1.6.3 Example: Activating a TDE Master Encryption Key
You can use the ADMINISTER KEY MANAGEMENT SQL statement to activate a TDE master encryption key.
Example 8-2 shows how to activate a previously imported TDE master encryption key and then update its tag. This key is activated with the current database time stamp and time zone.
Example 8-2 Activating a TDE Master Encryption Key
ADMINISTER KEY MANAGEMENT USE KEY
'ARaHD762tUkkvyLgPzAi6hMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
USING TAG 'quarter:second;description:Activate Key on standby'
IDENTIFIED BY password WITH BACKUP;
keystore altered.
In this version of the same operation, the FORCE KEYSTORE clause is added in the event that the auto-login keystore is in use, or if the keystore is closed. The password of the keystore is stored externally, so the EXTERNAL STORE setting is used for the IDENTIFIED BY clause.
ADMINISTER KEY MANAGEMENT USE KEY
'ARaHD762tUkkvyLgPzAi6hMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
USING TAG 'quarter:second;description:Activate Key on standby'
FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP;

keystore altered.
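The following query is an added example, not part of the Oracle documentation, that ties Example 8-1 and Example 8-2 together: run from the CDB root after Example 8-1, it lists the newest key carrying that statement's tag in each PDB, shows whether the key has been activated yet, and builds the ADMINISTER KEY MANAGEMENT USE KEY statement to run inside that PDB. It assumes the GV$ENCRYPTION_KEYS columns INST_ID, CON_ID, KEY_ID, TAG, CREATION_TIME and ACTIVATION_TIME, the V$CONTAINERS columns CON_ID and NAME, and that ACTIVATION_TIME is NULL for a key that was created but not yet activated.

```sql
-- Added example (not from the Oracle documentation page).
-- Run in CDB$ROOT after Example 8-1 has created one key per PDB.
-- Assumed columns: GV$ENCRYPTION_KEYS.INST_ID, CON_ID, KEY_ID, TAG,
-- CREATION_TIME, ACTIVATION_TIME and V$CONTAINERS.CON_ID, NAME.
-- Assumption: ACTIVATION_TIME stays NULL until the key is activated with USE KEY.
WITH tagged_keys AS (
  SELECT k.inst_id,
         k.con_id,
         k.key_id,
         k.tag,
         k.creation_time,
         k.activation_time,
         -- rank keys so the most recently created one per container is rn = 1
         ROW_NUMBER() OVER (PARTITION BY k.inst_id, k.con_id
                            ORDER BY k.creation_time DESC) AS rn
  FROM   gv$encryption_keys k
  WHERE  k.tag LIKE 'scope:all pdbs%'          -- the tag used in Example 8-1
)
SELECT t.inst_id,
       c.name                                             AS pdb_name,
       t.key_id,
       TO_CHAR(t.creation_time, 'YYYY-MM-DD HH24:MI:SS')  AS created,
       CASE WHEN t.activation_time IS NULL THEN 'PENDING ACTIVATION'
            ELSE 'ACTIVE'
       END                                                AS key_state,
       -- statement to run after ALTER SESSION SET CONTAINER = <pdb_name>;
       -- the tag records which PDB activated the key and when
       'ADMINISTER KEY MANAGEMENT USE KEY ''' || t.key_id ||
       ''' USING TAG ''' || c.name || ';activated:' ||
       TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') ||
       ''' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP;'
                                                          AS use_key_command
FROM   tagged_keys t
JOIN   v$containers c ON c.con_id = t.con_id
WHERE  t.rn = 1
AND    c.name NOT IN ('CDB$ROOT', 'PDB$SEED')  -- Example 8-1 targets the PDBs
ORDER  BY t.inst_id, c.name;
```

Rerun the query after activating a key in a PDB; that PDB's row should change from PENDING ACTIVATION to ACTIVE.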
8.1.7 Creating User-Defined TDE Master Encryption Keys
You can create a user-defined TDE master encryption key outside the database by generating a TDE master encryption key ID.
- About User-Defined TDE Master Encryption Keys: A TDE master encryption key that is outside the database has its own user-generated ID, which tracks the use of the TDE master encryption key.
- Creating a User-Defined TDE Master Encryption Key in United Mode: To create a user-defined TDE master encryption key, use the ADMINISTER KEY MANAGEMENT statement with the SET | CREATE [ENCRYPTION] KEY clause.
8.1.7.1 About User-Defined TDE Master Encryption Keys
A TDE master encryption key that is outside the database has its own user-generated ID, which tracks the use of the TDE master encryption key.
You can use the ADMINISTER KEY MANAGEMENT statement to create and set user-defined TDE master encryption key IDs. After you generate the TDE master encryption key, you can bring this key into the database. Optionally, you can specify the TDE master encryption key ID in various ADMINISTER KEY MANAGEMENT statements.
This type of configuration benefits Oracle Fusion SaaS Cloud environments in that it enables you to generate a TDE master encryption key that complies with your site's requirements. The key that you generate supports the current encryption algorithms and can be used for TDE wallets.
After you generate the TDE master encryption key ID, you can encrypt your data as you normally would.
The TDE master encryption key and its corresponding ID will not be captured by any auditing logs.
8.1.7.2 Creating a User-Defined TDE Master Encryption Key in United Mode
To create a user-defined TDE master encryption key, use the ADMINISTER KEY MANAGEMENT statement with the SET | CREATE [ENCRYPTION] KEY clause.
8.1.8 Rekeying the TDE Master Encryption Key in United Mode
You can use the ADMINISTER KEY MANAGEMENT statement with the SET KEY clause to rekey a TDE master encryption key.
8.1.9 Finding the TDE Master Encryption Key That Is in Use in United Mode
A TDE master encryption key that is in use is the key that was activated most recently for the database.
8.1.10 Creating a Custom Attribute Tag in United Mode
To create a custom attribute tag in united mode, you must use the SET TAG clause of the ADMINISTER KEY MANAGEMENT statement.
8.1.11 Moving TDE Master Encryption Keys into a New Keystore in United Mode
You can move an existing TDE master encryption key into a new keystore from an existing password-protected keystore.
- About Moving TDE Master Encryption Keys into a New Keystore: You can move an unused (and safely archived) TDE master encryption key into a new keystore.
- Moving a TDE Master Encryption Key into a New Keystore in United Mode: In united mode, you can move an existing TDE master encryption key into a new keystore from an existing password-based TDE wallet.
8.1.11.1 About Moving TDE Master Encryption Keys into a New Keystore
You can move an unused (and safely archived) TDE master encryption key into a new keystore.
Use great caution when you decide to run ADMINISTER KEY MANAGEMENT MOVE KEYS. Even though this statement will not move an active master encryption key, it can still affect keys that are necessary for a range of database features. If you have deleted a key, then the data that was encrypted by that key is rendered permanently inaccessible (equivalent to deleting the data), so the features that depend on that data can no longer be used. See Related Topics at the end of this topic for more information about features that are affected by deleted keystores.
Therefore, before you move the keystore, it is very important that you safely archive it. Delete the old keystore only after enough time has passed to be sure that it is no longer needed.
To move a TDE master encryption key into a new keystore, you use the ADMINISTER KEY MANAGEMENT MOVE KEYS statement. This statement does not move the active TDE master encryption key (that is, the key that is currently in use at the time that ADMINISTER KEY MANAGEMENT MOVE KEYS is issued) because the database is currently using it.
If you mistakenly use the ADMINISTER KEY MANAGEMENT MOVE KEYS statement instead of ADMINISTER KEY MANAGEMENT MERGE KEYSTORE when you are configuring a new TDE keystore (for example, when you are changing the TDE keystore configuration from one where the TDE wallet is located in the operating system's file system to one where the TDE wallet is located in Oracle Automatic Storage Management (Oracle ASM)), then the following symptoms may help you to identify the TDE misconfiguration that was introduced by the use of the wrong key management command:
- When you open the TDE keystore that was the target of the earlier ADMINISTER KEY MANAGEMENT MOVE KEYS operation, an ORA-28374: typed master key not found in wallet error is seen, because the active TDE master encryption key was not moved to that keystore.
- The value shown in the STATUS column of the V$ENCRYPTION_WALLET view is OPEN_NO_MASTER_KEY after you open the new keystore. The OPEN_NO_MASTER_KEY status is expected, because the new TDE keystore that was mistakenly populated by means of the ADMINISTER KEY MANAGEMENT MOVE KEYS statement does not contain the active TDE master encryption key.
8.1.11.2 Moving a TDE Master Encryption Key into a New Keystore in United Mode
In united mode, you can move an existing TDE master encryption key into a new keystore from an existing password-based TDE wallet.
8.1.12 Automatically Removing Inactive TDE Master Encryption Keys in United Mode
In united mode, the REMOVE_INACTIVE_STANDBY_TDE_MASTER_KEY initialization parameter can configure the automatic removal of inactive TDE master encryption keys.
8.1.13 Isolating a Pluggable Database Keystore
Isolating a PDB keystore moves the master encryption key from the CDB root keystore into an isolated mode keystore in the PDB.
ADMINISTER KEY MANAGEMENT privilege for the PDB can manage the keystore.
8.2 Administering Transparent Data Encryption in United Mode
You can perform general administrative tasks with Transparent Data Encryption in united mode.
- Moving PDBs from One CDB to Another in United Mode: You can clone or relocate encrypted PDBs within the same container database, or across container databases.
- Unplugging and Plugging a PDB with Encrypted Data in a CDB in United Mode: In united mode, for a PDB that has encrypted data, you can plug it into a CDB. Conversely, you can unplug this PDB from the CDB.
- Managing Cloned PDBs with Encrypted Data in United Mode: In united mode, you can clone a PDB that has encrypted data in a CDB.
- How Keystore Open and Close Operations Work in United Mode: You should be aware of how keystore open and close operations work in united mode.
- Finding the Keystore Status for All of the PDBs in United Mode: You can create a convenience function that uses the V$ENCRYPTION_WALLET view to find the status for keystores in all PDBs in a CDB.
8.2.1 Moving PDBs from One CDB to Another in United Mode
You can clone or relocate encrypted PDBs within the same container database, or across container databases.
If you are trying to move a non-CDB or a PDB in which the SYSTEM, SYSAUX, UNDO, or TEMP tablespace is encrypted, and you are using the manual export or import of keys, then you must first import the keys for the non-CDB or PDB in the target database's CDB$ROOT before you create the PDB. The keys must then be imported again inside the PDB to associate them with the PDB.
8.2.2 Unplugging and Plugging a PDB with Encrypted Data in a CDB in United Mode
In united mode, for a PDB that has encrypted data, you can plug it into a CDB. Conversely, you can unplug this PDB from the CDB.
- Unplugging a PDB That Has Encrypted Data in United Mode: In united mode, you can unplug a PDB with encrypted data and export it into an XML file or an archive file.
- Plugging a PDB That Has Encrypted Data into a CDB in United Mode: To plug a PDB that has encrypted data into a CDB, you first plug in the PDB and then you create a master encryption key for the PDB.
- Unplugging a PDB That Has Master Encryption Keys Stored in an External Keystore in United Mode: You can unplug a PDB from one CDB that has been configured with an external keystore and then plug it into another CDB also configured with an external keystore.
- Plugging a PDB That Has Master Encryption Keys Stored in an External Keystore in United Mode: The ADMINISTER KEY MANAGEMENT statement can import a TDE master encryption key from an external keystore to a PDB that has been moved to another CDB.
8.2.2.1 Unplugging a PDB That Has Encrypted Data in United Mode
In united mode, you can unplug a PDB with encrypted data and export it into an XML file or an archive file.
STATUS column of the DBA_PDBS data dictionary view.
8.2.2.2 Plugging a PDB That Has Encrypted Data into a CDB in United Mode
To plug a PDB that has encrypted data into a CDB, you first plug in the PDB and then you create a master encryption key for the PDB.
0 because this operation invalidates the history of the previous keys. You can check the key version by querying the KEY_VERSION column of the V$ENCRYPTED_TABLESPACES dynamic view. Similarly, if a control file is lost and recreated, then the previous history of the keys is reset to 0. You can check if a PDB has already been plugged in by querying the STATUS column of the DBA_PDBS data dictionary view.
8.2.2.3 Unplugging a PDB That Has Master Encryption Keys Stored in an External Keystore in United Mode
You can unplug a PDB from one CDB that has been configured with an external keystore and then plug it into another CDB also configured with an external keystore.
8.2.3 Managing Cloned PDBs with Encrypted Data in United Mode
In united mode, you can clone a PDB that has encrypted data in a CDB.
- About Managing Cloned PDBs That Have Encrypted Data in United Mode: When you clone a PDB, you must make the master encryption key of the source PDB available to the cloned PDB.
- Cloning a PDB with Encrypted Data in a CDB in United Mode: The CREATE PLUGGABLE DATABASE statement with the KEYSTORE IDENTIFIED BY clause can clone a PDB that has encrypted data.
- Remotely Clone an Encrypted PDB in United Mode: The CREATE PLUGGABLE DATABASE statement with the KEYSTORE IDENTIFIED BY clause can remotely clone a PDB that has encrypted data.
- Relocating an Encrypted PDB in United Mode: The CREATE PLUGGABLE DATABASE statement with the KEYSTORE IDENTIFIED BY clause can relocate a PDB with encrypted data across CDBs.
8.2.3.1 About Managing Cloned PDBs That Have Encrypted Data in United Mode
When you clone a PDB, you must make the master encryption key of the source PDB available to the cloned PDB.
This allows a cloned PDB to operate on the encrypted data. To perform the clone, you do not need to export and import the keys because Oracle Database transports the keys for you even if the cloned PDB is in a remote CDB. However, you will need to provide the keystore password of the CDB where you are creating the clone.
If the PDBs have encrypted data, then you can perform remote clone operations on PDBs between CDBs, and relocate PDBs across CDBs.
8.2.3.2 Cloning a PDB with Encrypted Data in a CDB in United Mode
The CREATE PLUGGABLE DATABASE statement with the KEYSTORE IDENTIFIED BY clause can clone a PDB that has encrypted data.
8.2.3.3 Remotely Clone an Encrypted PDB in United Mode
The CREATE PLUGGABLE DATABASE statement with the KEYSTORE IDENTIFIED BY clause can remotely clone a PDB that has encrypted data.
8.2.4 How Keystore Open and Close Operations Work in United Mode
You should be aware of how keystore open and close operations work in united mode.
For each PDB in united mode, you must explicitly open the password-protected TDE wallet or external keystore in the PDB to enable the Transparent Data Encryption operations to proceed. (Auto-login and local auto-login TDE wallets open automatically.) Closing a keystore on a PDB blocks all of the Transparent Data Encryption operations on that PDB.
The open and close keystore operations in a PDB depend on the open and close status of the keystore in the CDB root.
Note the following:
- You can create a separate keystore password for each PDB in united mode.
- Before you can manually open a password-protected TDE wallet or an external keystore in an individual PDB, you must open the wallet or keystore in the CDB root.
- If an auto-login TDE wallet is in use, or if the keystore is closed, then include the FORCE KEYSTORE clause in the ADMINISTER KEY MANAGEMENT statement when you open the wallet.
- If the keystore is a password-protected TDE wallet that uses an external store for passwords, then replace the password in the IDENTIFIED BY clause with EXTERNAL STORE.
- Before you can set a TDE master encryption key in an individual PDB, you must set the key in the CDB root. Oracle highly recommends that you include the USING TAG clause when you set keys in PDBs. For example:
  SELECT ' ADMINISTER KEY MANAGEMENT SET KEY USING TAG '''||SYS_CONTEXT('USERENV', 'CON_NAME')||' '||TO_CHAR (SYSDATE, 'YYYY-MM-DD HH24:MI:SS')||''' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP CONTAINER = CURRENT;' AS "SET KEY COMMAND" FROM DUAL;
  Including the USING TAG clause enables you to quickly and easily identify the keys that belong to a certain PDB, and when they were created.
- Auto-login and local auto-login TDE wallets open automatically. You do not need to manually open these from the CDB root first, or from the PDB.
- If you close the keystore in the CDB root, then the keystores in the dependent PDBs also close. A keystore close operation in the root is the equivalent of performing a keystore close operation with the CONTAINER clause set to ALL.
- If you perform an ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN statement in the CDB root and set the CONTAINER clause to ALL, then the keystore will only be opened in each open PDB that is configured in united mode. Keystores for any PDBs that are configured in isolated mode are not opened.
8.2.5 Finding the Keystore Status for All of the PDBs in United Mode
You can create a convenience function that uses the V$ENCRYPTION_WALLET view to find the status for keystores in all PDBs in a CDB.
The V$ENCRYPTION_WALLET view displays the status of the keystore in a PDB, whether it is open, closed, uses a software or an external keystore, and so on.
- To create a function that uses the V$ENCRYPTION_WALLET view to find the keystore status, use the CREATE PROCEDURE PL/SQL statement.
Example 8-3 shows how to create this function.
Example 8-3 Function to Find the Keystore Status of All of the PDBs in a CDB
CREATE OR REPLACE PROCEDURE all_pdb_v$encryption_wallet IS
  err_occ         BOOLEAN;
  curr_pdb        VARCHAR2(128);
  pdb_name        VARCHAR2(130);   -- room for the quoted container name
  wrl_type        VARCHAR2(20);
  status          VARCHAR2(30);
  wallet_type     VARCHAR2(20);
  wallet_order    VARCHAR2(12);
  fully_backed_up VARCHAR2(15);
  wrl_parameter   VARCHAR2(4000);
  CURSOR sel_pdbs IS
    SELECT name FROM v$containers WHERE name <> 'PDB$SEED' ORDER BY con_id DESC;
BEGIN
  -- Store the original container name; the loop below switches containers,
  -- which is only valid when the procedure is started from the CDB root
  SELECT sys_context('userenv', 'con_name') INTO curr_pdb FROM dual;
  IF curr_pdb <> 'CDB$ROOT' THEN
    dbms_output.put_line('Operation valid in ROOT only');
    RETURN;
  END IF;
  err_occ := FALSE;
  dbms_output.put_line('---');
  dbms_output.put_line(rpad('PDB_NAME', 30) || ' ' || rpad('WRL_TYPE', 8) || ' ' || 'STATUS');
  dbms_output.put_line(rpad('-', 30, '-') || ' ' || rpad('-', 8, '-') || ' ' || rpad('-', 30, '-'));
  dbms_output.put_line(rpad('WALLET_TYPE', 20) || ' ' || rpad('WALLET_ORDER', 12) || ' ' || 'FULLY_BACKED_UP');
  dbms_output.put_line(rpad('-', 20, '-') || ' ' || rpad('-', 12, '-') || ' ' || rpad('-', 15, '-'));
  dbms_output.put_line('WRL_PARAMETER');
  dbms_output.put_line(rpad('-', 79, '-'));
  FOR pdbinfo IN sel_pdbs LOOP
    -- Quote the container name before using it in dynamic SQL
    pdb_name := DBMS_ASSERT.ENQUOTE_NAME(pdbinfo.name, FALSE);
    EXECUTE IMMEDIATE 'ALTER SESSION SET CONTAINER = ' || pdb_name;
    BEGIN
      pdb_name := rpad(substr(pdb_name, 1, 30), 30, ' ');
      -- Dynamic SQL is required because the session container changes on each iteration
      EXECUTE IMMEDIATE 'SELECT wrl_type, status, wallet_type, wallet_order, '
                     || 'fully_backed_up, wrl_parameter FROM v$encryption_wallet'
        INTO wrl_type, status, wallet_type, wallet_order, fully_backed_up, wrl_parameter;
      wrl_type        := rpad(substr(wrl_type, 1, 8), 8, ' ');
      status          := rpad(substr(status, 1, 30), 30, ' ');
      wallet_type     := rpad(substr(wallet_type, 1, 20), 20, ' ');
      wallet_order    := rpad(substr(wallet_order, 1, 9), 12, ' ');
      fully_backed_up := rpad(substr(fully_backed_up, 1, 9), 15, ' ');
      wrl_parameter   := rpad(substr(wrl_parameter, 1, 79), 79, ' ');
      dbms_output.put_line(pdb_name || ' ' || wrl_type || ' ' || status);
      dbms_output.put_line(wallet_type || ' ' || wallet_order || ' ' || fully_backed_up);
      dbms_output.put_line(wrl_parameter);
    EXCEPTION
      WHEN OTHERS THEN
        -- Record the failure and keep going with the remaining containers
        err_occ := TRUE;
        dbms_output.put_line(pdb_name || ' ERROR: ' || SQLERRM);
    END;
  END LOOP;
  -- Return the session to the container it started in
  EXECUTE IMMEDIATE 'ALTER SESSION SET CONTAINER = ' || DBMS_ASSERT.ENQUOTE_NAME(curr_pdb, FALSE);
  IF err_occ THEN
    dbms_output.put_line('One or more PDBs resulted in an error');
  END IF;
END;
/
set serveroutput on
exec all_pdb_v$encryption_wallet;