7 Appendices

The following appendices contain information that you may need to complete the requirements in the previous topics.

7.1 Setting Up the Transparent Data Encryption Wallet

For Oracle Database 12c Release 2 and later, if the source database does not have TDE enabled, then it is mandatory that you configure the TDE wallet before migration begins. Enabling TDE on Oracle Database 11g Release 2 (11.2.0.4) and Oracle Database 12c Release 1 is not required.

If Transparent Data Encryption (TDE) is not already configured as required on the source and target databases, use the following instructions to set up the TDE wallet. TDE should be enabled, the WALLET status on both source and target databases must be set to OPEN, and the WALLET_TYPE must be set to AUTOLOGIN.
  1. Set ENCRYPTION_WALLET_LOCATION in the $ORACLE_HOME/network/admin/sqlnet.ora file.
    $ cat /u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/sqlnet.ora 
    
    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
      (METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/)))
    
  2. Connect to the database and configure the keystore.
    $ sqlplus "/as sysdba"
    SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin'
     identified by **********;
    keystore altered.

    Open the keystore. For a non-CDB environment, run the following command.

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY **********;
    keystore altered.

    For a CDB environment, run the following command.

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY ********** container = ALL;

    Set the master encryption key. For a non-CDB environment, run the following command.

    SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY ********** with backup;
    keystore altered.

    For a CDB environment, run the following command.

    SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY ********** with backup container = ALL;

    Then run the following query.

    
    SQL> select * FROM v$encryption_keys;
    
  3. Set up autologin.
    SQL> SELECT * FROM v$encryption_wallet;
    
    WRL_TYPE	WRL_PARAMETER
    --------------------	--------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC	CON_ID
    ------------------------------ -------------------- --------- ---------			----------
    FILE		/u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/
    OPEN                           PASSWORD             SINGLE    NO         0
    
    SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE
     '/u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/' IDENTIFIED BY **********;
    keystore altered.
    

    If you are using an Oracle RAC database, copy the files below to the same location on each cluster node, or to a shared file system.

    /u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/ew* 
    /u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/cw*   
    
    SQL> SELECT * FROM v$encryption_wallet;
    WRL_TYPE	WRL_PARAMETER
    --------------------	--------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC	    CON_ID
    ------------------------------ -------------------- --------- ---------			----------
    FILE		/u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/
    OPEN                           PASSWORD             SINGLE    NO	         	0
    

    At this stage, the PASSWORD based wallet is enabled. To enable an AUTOLOGIN based wallet, complete the remaining steps in this procedure.

    Close the password wallet.

    SQL> administer key management set keystore close identified by **********;
    keystore altered.

    Then verify that autologin is configured. The TDE WALLET status must be OPEN and the WALLET_TYPE must be AUTOLOGIN; otherwise, the wallet configuration is not correctly set up.

    $ sqlplus "/as sysdba"
    SQL> SELECT * FROM v$encryption_wallet;
    WRL_TYPE             WRL_PARAMETER
    -------------------- --------------------------------------------------------------------------------
    STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC CON_ID
    ------------------------------ -------------------- --------- --------- ---------
    FILE                 /u01/app/oracle/product/12.2.0.1/dbhome_2/network/admin/
    OPEN                           AUTOLOGIN            SINGLE    NO
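
The following shell functions are an added example, not part of the original procedure or of Zero Downtime Migration. They automate the verification in step 3 on a 12c or later database and list wallet files (the ew* and cw* files above) that group or other users can access; the function names and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-migration check of the TDE wallet state described above.
# Function names are hypothetical; nothing here is part of ZDM itself.

# Reads "STATUS|WALLET_TYPE|CON_ID" rows on stdin. Succeeds only if at least
# one row is present and every row is OPEN with WALLET_TYPE AUTOLOGIN.
wallet_rows_ok() {
  awk -F'|' '
    NF < 3 { next }                  # skip blank lines and ORA- error text
    { rows++
      gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); gsub(/[ \t]/, "", $3)
      if ($1 != "OPEN" || $2 != "AUTOLOGIN") {
        printf "CON_ID %s: STATUS=%s WALLET_TYPE=%s\n", $3, $1, $2
        bad++
      } }
    END { if (rows == 0 || bad > 0) exit 1 }'
}

# Queries the local instance; run as the database software owner.
# The here-document is quoted so that v$encryption_wallet is not expanded.
query_wallet() {
  sqlplus -s "/ as sysdba" <<'EOF'
set heading off feedback off pagesize 0 linesize 200 trimspool on
select status || '|' || wallet_type || '|' || con_id from v$encryption_wallet;
EOF
}

# Lists wallet files (ew*, cw*) in directory $1 that group or other users
# can read, write or execute (GNU find syntax). The auto-login file opens
# the keystore without a password, so it should be owner-only.
loose_wallet_files() {
  find "$1" -maxdepth 1 -type f \( -name 'ew*' -o -name 'cw*' \) -perm /077
}

# On each of the source and target hosts:
#   query_wallet | wallet_rows_ok && echo "wallet is OPEN / AUTOLOGIN"
#   loose_wallet_files "$ORACLE_HOME/network/admin"
```

In a CDB, run the query from the root container so that every container's row is checked.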

Upon migration of your Oracle Database to the Oracle Cloud, bear in mind that Oracle databases in the Oracle Cloud are TDE enabled by default. Zero Downtime Migration will take care of the encryption of your target database, even if your source Oracle Database is not TDE enabled by default. However, once the switchover phase of the migration has taken place, the redo logs that the new primary database in the Oracle Cloud sends to the new standby database on your premises will be encrypted. Therefore, if you decide to switch back and role swap again making the on-premises database the primary again and the database in the Oracle Cloud the standby, the on-premises database will not be able to read the newly encrypted changed blocks applied by the redo logs unless TDE is enabled on-premises. 

In order to avoid post migration conflict, prior to performing the original switchover as part of the migration process, the recommended best practice is to perform appropriate testing and validation. There are options outside of Zero Downtime Migration for testing with a snapshot standby database, and once you are ready to proceed, delete the snapshot standby database and instruct Zero Downtime Migration to perform the switchover and finalize the migration process.

7.2 Generating a Private SSH Key Without a Passphrase

If authentication key pairs without a passphrase are not available for the Zero Downtime Migration software installed user on the Zero Downtime Migration service host, source database server, or target database server, you can generate a new SSH key using the following procedure.

SSH connectivity during Zero Downtime Migration operations requires direct, non-interactive access between the Zero Downtime Migration service host and the source and target database servers, and also between the source and target database servers, without the need to enter a passphrase.

Note:

The following steps show examples for generating a private SSH key for the software installed user. You can also use these steps for the opc user.

Run the following command as the Zero Downtime Migration software installed user on the Zero Downtime Migration service host.

zdmuser> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/opc/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/opc/.ssh/id_rsa.
Your public key has been saved in /home/opc/.ssh/id_rsa.pub.
The key fingerprint is:
c7:ed:fa:2c:5b:bb:91:4b:73:93:c1:33:3f:23:3b:30 opc@rhost1
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|         . . .   |
|        S o . =  |
|         . E . * |
|            X.+o.|
|          .= Bo.o|
|          o+*o.  |
+-----------------+

This command generates the id_rsa and id_rsa.pub files in the zdmuser home, for example, /home/zdmuser/.ssh.

You can add the public key (for example, /home/zdmuser/.ssh/id_rsa.pub) to the source and target database servers using the Oracle Cloud Infrastructure Console, or you can add it manually to the authorized_keys file on those servers, as shown below.

Add the contents of the Zero Downtime Migration service host /home/zdmuser/.ssh/id_rsa.pub file to the Oracle Cloud Infrastructure server opc user /home/opc/.ssh/authorized_keys file, as shown here.

[opc@rptest.ssh]$ export PS1='$PWD>'
/home/opc/.ssh>ls
authorized_keys  authorized_keys.bkp  id_rsa  id_rsa.pub  known_hosts  zdmkey
/home/opc/.ssh>cat id_rsa.pub >> authorized_keys

You should save the private key in a separate, secure file, and use it to connect to the source and target database servers. For example, on the Zero Downtime Migration service host, create a zdm_service_node.ppk file with permissions set to 600 in the software installed user's home/.ssh directory, put the private key into it, and use it to connect to the source and target database servers.
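
The following shell functions are an added example, not part of the original procedure or of Zero Downtime Migration. They check the requirements stated in this section: the private key file has mode 600, it loads without a passphrase, and a login with it needs no prompt. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks on the passphrase-less key used for ZDM connectivity.
# Function names are hypothetical; nothing here is part of ZDM itself.

# Succeeds if file $1 has exactly the octal mode $2 (stat -c, as on Linux).
has_mode() {
  [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# Succeeds if private key $1 can be loaded with an empty passphrase.
# -P "" supplies the empty passphrase, so ssh-keygen never prompts.
key_has_no_passphrase() {
  ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Succeeds if user@host ($2) accepts key $1 with no prompt of any kind.
# BatchMode makes ssh fail instead of asking for a passphrase or password.
noninteractive_login_ok() {
  ssh -i "$1" -o BatchMode=yes -o IdentitiesOnly=yes -o ConnectTimeout=10 \
    "$2" true
}

# Runs the local checks on key $1 and prints one line per problem found.
check_key() {
  key=$1; rc=0
  has_mode "$key" 600 || { echo "$key is not mode 600"; rc=1; }
  key_has_no_passphrase "$key" ||
    { echo "$key needs a passphrase or is unreadable"; rc=1; }
  return $rc
}

# On the Zero Downtime Migration service host, for example:
#   check_key /home/zdmuser/.ssh/zdm_service_node.ppk
#   noninteractive_login_ok /home/zdmuser/.ssh/zdm_service_node.ppk opc@<target host>
```

Because the key has no passphrase, the file mode is the only local protection it has, which is why the mode check comes first.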

7.3 Prechecks Verification

$ZDM_HOME/bin/zdmcli query job -jobid 5
rachu3dom.hu.oracle.com: Audit ID: 79
Job ID: 5
User: zdmuser
Client: rachu3dom
Scheduled job command: "zdmcli migrate database -sourcedb ZDM12201_phx1sp
 -sourcenode zdm122011 -srcauth zdmauth -srcarg1 user:opc
 -srcarg2 identity_file:/home/zdmuser/.ssh/zdm_service_host.ppk
 -srcarg3 sudo_location:/usr/bin/sudo -targetnode ocitarget1
 -targethome /u02/app/oracle/product/12.2.0/dbhome_3
 -backupuser backup_user@example.com
 -rsp /u01/app/zdmhome/rhp/zdm/template/zdm_template_ZDM12201.rsp
 -tgtauth zdmauth -tgtarg1 user:opc
 -tgtarg2 identity_file:/home/zdmuser/.ssh/zdm_service_host.ppk
 -tgtarg3 sudo_location:/usr/bin/sudo -ignore ALL -eval"
Scheduled job execution start time: 2019-07-31T13:21:39+02.
 Equivalent local time: 2019-07-31 13:21:39
Current status: SUCCEEDED
Result file path:
 "/u01/app/zdmbase/chkbase/scheduled/job-5-2019-07-31-13:21:39.log"
Job execution start time: 2019-07-31 13:21:39
Job execution end time: 2019-07-31 13:35:20
Job execution elapsed time: 13 minutes 40 seconds
ZDM_GET_SRC_INFO .......... COMPLETED
ZDM_GET_TGT_INFO .......... COMPLETED
ZDM_SETUP_SRC ............. COMPLETED
ZDM_SETUP_TGT ............. COMPLETED
ZDM_GEN_RMAN_PASSWD ....... COMPLETED
ZDM_PREUSERACTIONS ........ COMPLETED
ZDM_PREUSERACTIONS_TGT .... COMPLETED
ZDM_VALIDATE_SRC .......... COMPLETED
ZDM_VALIDATE_TGT .......... COMPLETED

7.4 List Migration Job Phases

$ZDM_HOME/bin/zdmcli migrate database -sourcedb ZDM12201_phx1sp
 -sourcenode zdm122011 -srcauth zdmauth -srcarg1 user:opc
 -srcarg2 identity_file:/home/zdmuser/.ssh/zdm_service_host.ppk
 -srcarg3 sudo_location:/usr/bin/sudo -targetnode ocitarget1
 -targethome /u02/app/oracle/product/12.2.0/dbhome_3
 -backupuser backup_user@example.com
 -rsp /u01/app/zdmhome/rhp/zdm/template/zdm_template_ZDM12201.rsp
 -tgtauth zdmauth -tgtarg1 user:opc
 -tgtarg2 identity_file:/home/zdmuser/.ssh/zdm_service_host.ppk
 -tgtarg3 sudo_location:/usr/bin/sudo -listphases
rachu3dom.hu.oracle.com: Processing response file ...
pause and resume capable phases for this operation: "
ZDM_GET_SRC_INFO
ZDM_GET_TGT_INFO
ZDM_SETUP_SRC
ZDM_SETUP_TGT
ZDM_GEN_RMAN_PASSWD
ZDM_PREUSERACTIONS
ZDM_PREUSERACTIONS_TGT
ZDM_VALIDATE_SRC
ZDM_VALIDATE_TGT
ZDM_OBC_INST_SRC
ZDM_OBC_INST_TGT
ZDM_BACKUP_FULL_SRC
ZDM_BACKUP_INCREMENTAL_SRC
ZDM_DISCOVER_SRC
ZDM_COPYFILES
ZDM_PREPARE_TGT
ZDM_SETUP_TDE_TGT
ZDM_CLONE_TGT
ZDM_FINALIZE_TGT
ZDM_CONFIGURE_DG_SRC
ZDM_SWITCHOVER_SRC
ZDM_SWITCHOVER_TGT
ZDM_MANIFEST_TO_CLOUD
ZDM_NONCDBTOPDB_PRECHECK
ZDM_NONCDBTOPDB_CONVERSION
ZDM_POSTUSERACTIONS
ZDM_POSTUSERACTIONS_TGT
ZDM_CLEANUP_SRC
ZDM_CLEANUP_TGT"

7.5 Migration Job Output

$ZDM_HOME/bin/zdmcli query job -jobid 6
rachu3dom.hu.oracle.com: Audit ID: 80
Job ID: 6
User: zdmuser
Client: rachu3dom
Scheduled job command: "zdmcli migrate database -sourcedb ZDM12201_phx1sp
 -sourcenode zdm122011 -srcauth zdmauth -srcarg1 user:opc
 -srcarg2 identity_file:/home/zdmuser/.ssh/zdm_service_host.ppk
 -srcarg3 sudo_location:/usr/bin/sudo -targetnode exacstarget1
 -targethome /u02/app/oracle/product/12.2.0/dbhome_3
 -backupuser backup_user@example.com
 -rsp /u01/app/zdmhome/rhp/zdm/template/zdm_template_ZDM12201.rsp
 -tgtauth zdmauth -tgtarg1 user:opc
 -tgtarg2 identity_file:/home/zdmuser/.ssh/zdm_service_host.ppk
 -tgtarg3 sudo_location:/usr/bin/sudo -ignore ALL"
Scheduled job execution start time: 2019-07-31T13:47:27+02. Equivalent
 local time: 2019-07-31 13:47:27
Current status: SUCCEEDED
Result file path:
 "/u01/app/zdmbase/chkbase/scheduled/job-6-2019-07-31-13:47:39.log"
Job execution start time: 2019-07-31 21:37:13
Job execution end time: 2019-07-31 21:40:18
Job execution elapsed time: 23 minutes 5 seconds
ZDM_GET_SRC_INFO .............. COMPLETED
ZDM_GET_TGT_INFO .............. COMPLETED
ZDM_SETUP_SRC ................. COMPLETED
ZDM_SETUP_TGT ................. COMPLETED
ZDM_GEN_RMAN_PASSWD ........... COMPLETED
ZDM_PREUSERACTIONS ............ COMPLETED
ZDM_PREUSERACTIONS_TGT ........ COMPLETED
ZDM_VALIDATE_SRC .............. COMPLETED
ZDM_VALIDATE_TGT .............. COMPLETED
ZDM_OBC_INST_SRC .............. COMPLETED
ZDM_OBC_INST_TGT .............. COMPLETED
ZDM_BACKUP_FULL_SRC ........... COMPLETED
ZDM_BACKUP_INCREMENTAL_SRC .... COMPLETED
ZDM_DISCOVER_SRC .............. COMPLETED
ZDM_COPYFILES ................. COMPLETED
ZDM_PREPARE_TGT ............... COMPLETED
ZDM_SETUP_TDE_TGT ............. COMPLETED
ZDM_CLONE_TGT ................. COMPLETED
ZDM_FINALIZE_TGT .............. COMPLETED
ZDM_CONFIGURE_DG_SRC .......... COMPLETED
ZDM_SWITCHOVER_SRC ............ COMPLETED
ZDM_SWITCHOVER_TGT ............ COMPLETED
ZDM_MANIFEST_TO_CLOUD ......... COMPLETED
ZDM_NONCDBTOPDB_PRECHECK ...... COMPLETED
ZDM_NONCDBTOPDB_CONVERSION .... COMPLETED
ZDM_POSTUSERACTIONS ........... COMPLETED
ZDM_POSTUSERACTIONS_TGT ....... COMPLETED
ZDM_CLEANUP_SRC ............... COMPLETED
ZDM_CLEANUP_TGT ............... COMPLETED