4.9 Copying a TDE Keystore Between a File System and Exascale Storage

You cannot use the XSH cp command or the ESCLI putfile or getfile commands to successfully copy an Oracle Transparent Database Encryption (TDE) keystore (wallet) file in either direction between a file system and Exascale storage. If you copy a TDE keystore between a file system and an Exascale vault using XSH or ESCLI, Oracle Database cannot open the resulting file.

The following procedure shows how to copy a TDE keystore from a file system to an Exascale vault. By swapping the source and target keystore locations, you can use the same approach to copy a TDE keystore from Exascale storage to a file system location.

  1. Configure Oracle Database to use the desired target location for the TDE keystore.

    Set the WALLET_ROOT database parameter to the desired target keystore location. If you want to copy the TDE keystore into Exascale, specify a location in an Exascale vault.

    For example:

    SQL> ALTER SYSTEM SET WALLET_ROOT=@MYVAULT/mydb/TDEWALLET SCOPE=SPFILE;
  2. Restart the database to use the new keystore location.
  3. Create a new (empty) keystore for the database.

    For example:

    SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY 'newKeystorePassword';
  4. Note the location of the newly created keystore.

    For example:

    SQL> SELECT wrl_parameter FROM v$encryption_wallet;
    
    WRL_PARAMETER
    --------------------------------------------------------------------------------
    @MYVAULT/mydb/TDEWALLET/tde/
  5. Merge the contents of the source keystore into the newly created (empty) keystore.

    In the following example, the source keystore is on file system storage (at /u01/app/oracle/admin/mydb/wallet/) and the newly created keystore is on Exascale storage at the location identified in the previous step.

    SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/u01/app/oracle/admin/mydb/wallet/'
             IDENTIFIED BY 'originalKeystorePassword'
           INTO EXISTING KEYSTORE '@MYVAULT/mydb/TDEWALLET/tde/'
             IDENTIFIED BY 'newKeystorePassword'
           WITH BACKUP;
  6. Open the new keystore.

    For example:

    SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY 'newKeystorePassword';
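The six steps above, collected into one SQL*Plus script. This is an added worked example, not a script from the Oracle documentation: the vault name, paths and passwords are the example values used above, while the SPOOL log path, the pre-change key inventory (step 0) and the closing verification queries against V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS are assumptions added here so that you can confirm the merged keystore opens and carries the same key IDs as the source.

```sql
-- Added example (not from the Oracle documentation page).
-- Assumed: the session is SQL*Plus connected AS SYSDBA, the source keystore
-- at /u01/app/oracle/admin/mydb/wallet/ is currently open, and /tmp is writable.
SET ECHO ON
SPOOL /tmp/tde_keystore_copy.log

-- Step 0 (assumption, not in the procedure): record the source keystore and the
-- key IDs it holds while it is still in use, for comparison after the merge.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, creation_time FROM v$encryption_keys ORDER BY creation_time;

-- Step 1: point WALLET_ROOT at the target location in the Exascale vault.
ALTER SYSTEM SET WALLET_ROOT=@MYVAULT/mydb/TDEWALLET SCOPE=SPFILE;

-- Step 2: restart so the new WALLET_ROOT takes effect.
SHUTDOWN IMMEDIATE
STARTUP

-- Step 3: create the new, empty keystore at the target location.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY 'newKeystorePassword';

-- Step 4: confirm the location (expected: @MYVAULT/mydb/TDEWALLET/tde/).
SELECT wrl_parameter, status FROM v$encryption_wallet;

-- Step 5: merge the file-system keystore into the Exascale keystore.
-- WITH BACKUP keeps a copy of the target keystore as it was before the merge.
ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/u01/app/oracle/admin/mydb/wallet/'
    IDENTIFIED BY 'originalKeystorePassword'
  INTO EXISTING KEYSTORE '@MYVAULT/mydb/TDEWALLET/tde/'
    IDENTIFIED BY 'newKeystorePassword'
  WITH BACKUP;

-- Step 6: open the merged keystore.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY 'newKeystorePassword';

-- Verification (assumption): STATUS should now be OPEN for the Exascale location,
-- and the KEY_ID list should match the one recorded in step 0.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, creation_time FROM v$encryption_keys ORDER BY creation_time;

SPOOL OFF
```

Compare the two V$ENCRYPTION_KEYS listings in the spool file: a key ID present before the change but absent afterwards means the merge did not bring that key across, and encrypted data protected by it will be unreadable until it is.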