10 Managing TDE-Enabled Oracle Databases
Manage TDE-enabled Oracle databases on your Oracle Database Appliance.
- About Transparent Database Encryption (TDE) in Oracle Database Appliance
Transparent Data Encryption (TDE) enables you to encrypt sensitive data that you store in tables and tablespaces. - About Oracle Key Vault
Oracle Key Vault is a fault-tolerant, highly available, and scalable, secure and standards-compliant key and secrets management appliance, where you can store, manage, and share your security objects. - Creating TDE-Enabled Databases With User Credentials
Understand how you can create TDE-enabled databases on Oracle Database Appliance using the credentials of a user in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems. - Creating TDE-Enabled Databases Using Oracle Key Vault With Endpoints in Oracle Key Vault
Understand how you can create TDE-enabled databases on Oracle Database Appliance using endpoints and wallets already in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems. - Managing Oracle Key Vault Server Configuration Operations Using ODACLI Commands
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems. - Managing Database Operations on TDE-enabled Databases with TDE keys stored on Oracle Key Vault
Understand how you can manage TDE-enabled databases with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems. - Creating a User in Oracle Key Vault Using BUI
Create a user with Oracle Key Vault server configuration entitlement on a multi-user access enabled Oracle Database Appliance. - Updating Oracle Key Vault Endpoints for Databases
Understand how you can update the Oracle Key Vault client on Oracle Database Appliance when the Oracle Key Vault server is updated to the latest release or when certificates are regenerated on the Oracle Key Vault server. - Registering TDE-enabled Databases Configured with Oracle Key Vault
You can now register TDE-enabled databases that use Oracle Key Vault keystore but were not created using Oracle Database Appliance tooling. After registering these databases with Oracle Database Appliance, you can use Oracle Database Appliance commands for managing the databases. - Restoring an Oracle Key Vault TDE Database using RMAN and Registering the Database
Understand how you can register a TDE-enabled database that uses Oracle Key Vault to store TDE keys. - Restoring a Software Keystore TDE database using RMAN and Registering the Database
Understand how you can register a TDE-enabled database that uses software wallet to store TDE keys. - Creating Oracle Key Vault Server Configuration Object Using the BUI
Understand how you can create TDE-enabled database on Oracle Database Appliance with TDE keys stored in Oracle Key Vault on bare metal and DB systems using the BUI. - Granting and Revoking Access on Oracle Key Vault Server Configuration Using BUI
Understand how you can grant and revoke access to Oracle Key Vault server configuration on Oracle Database Appliance on bare metal and DB systems using BUI. - Managing Oracle Key Vault Server Configuration Operations Using BUI
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems. - Migrating Tablespaces from a TDE-enabled Oracle Database with Software Keystore to another TDE-enabled Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces with the expdp/impdp transportable tablespaces feature from TDE-enabled database using software keystore to use Oracle Key Vault as keystore. - Manually Migrating from Software Keystore to Oracle Key Vault Keystore on Oracle Database Appliance
Understand how you can migrate tablespaces from software keystore to Oracle Key Vault keystore for databases created on Oracle Database Appliance - Manual Migration and Encryption of Data into TDE-Enabled Database
Understand how you can migrate transportable tablespaces to TDE-enabled database on Oracle Database Appliance.
About Transparent Database Encryption (TDE) in Oracle Database Appliance
Transparent Data Encryption (TDE) enables you to encrypt sensitive data that you store in tables and tablespaces.
After the data is encrypted, this data is transparently decrypted for authorized users or applications when they access this data. TDE helps protect data stored on media (also called data at rest) in the event that the storage media or data file is stolen.
Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE).
TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database, called a keystore.
Oracle Database Appliance enables creation and lifecycle management of TDE-enabled databases with ODACLI commands or through the BUI. You can create TDE-enabled single-instance, Oracle RAC or Oracle RAC One Node databases with ODACLI commands or BUI. You can also change TDE passwords and re-key the database using ODACLI commands or BUI. When you use software keystore, you can also backup the TDE wallets along with the database. You can also recover the TDE software wallet and restore the database as a new copy with the odacli irestore-database command.
Based on the keystore used, TDE on Oracle Database Appliance can be
configured as any of the following types:
- TDE keys stored in software keystore: In this type of TDE method, the TDE keys are stored in a wallet on Oracle Database Appliance.
- TDE keys stored in a wallet on Oracle Key Vault: In this type
of TDE method, the TDE keys are stored in a wallet on Oracle Key Vault. Note
that if you do not want to provide the credentials of users in Oracle Key Vault,
you can use endpoints already created on Oracle Key Vault, and directly specify
the endpoints when you create or restore the database on Oracle Database
Appliance. Otherwise, you can create Oracle Key Vault server configuration on
Oracle Database Appliance with the Oracle Key Vault user details and use these
user credentials to create and restore the database on Oracle Database
Appliance.
You can configure TDE keys with Oracle Key Vault keystore in one of the following ways:
- Using credentials of a user in Oracle Key Vault: In this configuration, the TDE keys are stored in a wallet on Oracle Key Vault and accessed through Oracle Key Vault user credentials.
- Using endpoints and wallet already created on Oracle Key Vault: In this configuration, the TDE keys are stored in a wallet on Oracle Key Vault and accessed through Oracle Key Vault end points.
Note:
To enable Transparent Data Encryption (TDE), you must deploy Oracle Database Enterprise Edition with Oracle Database 19c or later. Transparent Data Encryption (TDE) is an Advanced Security Option (ASO) available with Oracle Database Enterprise Edition.See Also:
Using Transparent Data Encryption in the Oracle Database Advanced Security GuideCaution:
When you enable TDE on databases, either with software keystore or with Oracle Key Vault keystore using endpoints and wallet already created on Oracle Key Vault, you are prompted to set a password for the TDE wallet. Provide a strong password for security compliance. Set the password carefully, and ensure that this password is available to you at all times for database management operations. Failure to provide the TDE wallet password when prompted, results in not being able to access the database tables.Parent topic: Managing TDE-Enabled Oracle Databases
About Oracle Key Vault
Oracle Key Vault is a fault-tolerant, highly available, and scalable, secure and standards-compliant key and secrets management appliance, where you can store, manage, and share your security objects.
For detailed information about Oracle Key Vault, see the Oracle Key Vault documentation at https://docs.oracle.com/en/database/oracle/key-vault/21.10/okvag/okv_intro.html#GUID-1C565FBE-BC21-4E76-B2A6-88A17F6649D7.
Terminology used when storing TDE keys on Oracle Key Vault for TDE-enabled databases on Oracle Database Appliance
Understand these concepts about using Oracle Key Vault server with
databases on Oracle Database Appliance:
- Role separation: Oracle recommends that you assign different users for database administration and TDE key operations. You must not provide the user who has the database administration role with the credentials of the Oracle Key Vault server. This ensures the database user with data file access cannot open the database without knowing TDE wallet passwords. You can set up this role separation by enabling multi-user access feature on Oracle Database Appliance. For more information about configuring multi-user access, see the topic Implementing Multi-User Access on Oracle Database Appliance. On Oracle Database Appliance, the credentials of Oracle Key Vault user need not be shared with the ODA-DB user. The ODA-Adminstrator grants the resource, that is, the Oracle Key Vault server configuration, access to the intended DB user and the DB user can use the Oracle Key Vault server configuration when creating the TDE-enabled database to store the TDE keys on the Oracle Key Vault server.
- Oracle Key Vault server configuration: The term refers
to an Oracle Database Appliance resource that stores the metadata of the
Oracle Key Vault. The Oracle Key Vault server configuration has details such
as the name of the user created to manage the TDE keys on the Oracle Key
Vault server and the IP address or host name of the Oracle Key Vault server.
The Oracle Key Vault server configuration on Oracle Database Appliance is
identified by a name, to differentiate Oracle Key Vault server
configurations. This name is unique within the Oracle Database Appliance
system and the value is case-sensitive. When creating the Oracle Key Vault
server configuration, you must provide the credentials of the user on Oracle
Key Vault server. It is recommended that this user is a least privileged
user with only
Create Endpointprivilege. The user name and password you specify when you create the Oracle Key vault server configuration correspond to the user on the Oracle Key vault server. The password you provide during creation of this object is not stored on Oracle Database Appliance. The Oracle Key Vault client auto-login wallet is created using these credentials and all requests to the Oracle Key Vault server use this client auto-login wallet. The database automatically reads the auto-login wallet for the required ADMINISTER KEY MANAGEMENT SQL commands. - A user with ODA-DB role: A user with ODA-DB role in a multi-user access-enabled or multi-user access-enabled passwordless environment can create and maintain the database. This user, is granted the ODA-DB role and is entitled to perform all database related operations such as creation, patching, modification, deletion, backup, and recovery. These operations are restricted to the database that belongs to the user. For more details, see the chapter Implementing Multi-User Access on Oracle Database Appliance in this guide.
- Oracle Key Vault user: The Oracle Key Vault user name and password that you provide when you create the Oracle Key Vault server configuration must correspond to an existing user and the password on the Oracle Key Vault server. Otherwise, there can be failures in accessing Oracle Key Vault. This user can also perform create, delete, describe, and list operations on the Oracle Key Vault server configuration objects that they create.
- Virtual Wallet: A virtual wallet, created on Oracle Key Vault, is a container for objects that must be stored securely. For TDE-enabled databases on Oracle Database Appliance that use Oracle Key Vault as the keystore, the TDE keys of the database are stored inside this virtual wallet.
Requirements for configuring TDE-enabled databases with keys stored in Oracle Key Vault
- The Oracle Key Vault server version must be 21.10.0 or later.
- It is recommended that you set up Network Time Protocol on Oracle Database Appliance. The database operations interacting with Oracle Key Vault fails if the clock on Oracle Database Appliance and Oracle Key Vault server are not synchronized. You must ensure that the time is consistent across the servers or use Network Time Protocol on Oracle Database Appliance.
- You cannot create a starter database with TDE configured using Oracle Key Vault when you provision Oracle Database Appliance on bare metal systems and select to create a starter database. This is because creation of TDE database that uses Oracle Key Vault to store TDE keys requires Oracle Key Vault server configuration to already exist. To create a database with TDE configured using Oracle Key Vault on DB system, first create a DB system without a starter database and then create the database with TDE configured using Oracle Key Vault as described in the topic Creating TDE-Enabled Database on Oracle Database Appliance Using Oracle Key Vault.
- For configuring TDE-enabled databases with keys stored in Oracle Key
Vault with the credentials of a user in Oracle Key Vault, on multi-user
access-enabled systems, you must create a new user with the
ODA-OKVCONFIGADMINrole which has the entitlementsODA-OKVCONFIGVIEWMGMTandODA-OKVCONFIGMODIFYMGMT. TheODA-OKVCONFIGVIEWMGMTentitlement enables you to perform operations such as Describe and List on the Oracle Key Vault server configuration object. TheODA-OKVCONFIGMODIFYMGMTentitlement enables you to perform operations such as Create and Delete on the Oracle Key Vault server configuration object. TheODA-OKVCONFIGVIEWMGMTentitlement is included in theODA-DBrole, and any DB user with theODA-DBrole can list and describe the Oracle Key Vault server configuration object and select the required Oracle Key Vault server configuration object to create the database. For non-multi user access-enabled systems, there is no need to create a new user.
Creating TDE-Enabled Databases With User Credentials
Understand how you can create TDE-enabled databases on Oracle Database Appliance using the credentials of a user in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems.
Follow these steps to create a TDE-enabled database with TDE keys
stored on Oracle Key Vault on Oracle Database Appliance bare metal and DB systems:
Step 1: Create the user on Oracle Database Appliance corresponding to the user on Oracle Key Vault. This step applies to multi-user access-enabled systems only.
If the user with the ODA-OKVCONFIGADMIN role does not exist, or if
you want to assign a different user for the database you are creating, then create
the user.
- Create a new user with the
ODA-OKVCONFIGADMINrole. For example:odacli create-user -u okvuser1 -r ODA-OKVCONFIGADMINThe user is created and assigned a temporary password.
- After the user is created successfully, the
okvuser1can log into the appliance with the temporary password. - The
okvuser1is in theInactivestate. If the appliance is configured with multi-user access enabled, then activate the user with the following command. Note that if the appliance is configured with passwordless multi-user access, then you do not need to activate the user. For more information about configuring multi-user access, the topic Implementing Multi-User Access on Oracle Database Appliance.odacli activate-userYou are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.
- Use the new password to connect by SSH into the appliance and run ODACLI commands or connect to the Browser User Interface.
Step 2: Create an Oracle Key Vault server configuration
- The Oracle Key Vault user that creates the Oracle Key Vault
server configuration must be a user with the least privilege of
Create Endpointon the Oracle Key Vault server. - For multi-user access-enabled systems, log in as the user with
the
ODA-OKVCONFIGADMINrole, for example, theokvuser1. For non-multi user access enabled systems, log in as therootuser. - The Oracle Key Vault password prompt displays twice, to accept
and confirm the Oracle Key Vault password. Specify the password of the
Oracle Key Vault user on the Oracle Key Vault server, which enables the user
to log into the Oracle Key Vault server. Specify the user name with the
-uoption in theodacli create-okvserverconfigcommand. The name of the Oracle Key Vault server configuration is case-sensitive and no two Oracle Key Vault server configurations can have same name on Oracle Database Appliance. The length of the Oracle Key Vault server configuration cannot exceed 128 characters.odacli create-okvserverconfig -n okvobj1 -u epokvusr1 -ip xxx.xx.xxx.xxx Enter OKV user password : Retype OKV user password : Job details ---------------------------------------------------------------- ID: 730d2469-6efa-4ed1-8386-513e97c866ea Description: Create OKV Server Config: okvobj1 Status: Created Created: October 20, 2024 11:28:39 AM PDT Message: Create OKV Server Config. Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- odacli describe-job -i 730d2469-6efa-4ed1-8386-513e97c866ea Job details ---------------------------------------------------------------- ID: 730d2469-6efa-4ed1-8386-513e97c866ea Description: Create OKV Server Config: okvobj1 Status: Success Created: October 20, 2024 11:28:39 AM PDT Message: Create OKV Server Config. Task Name Node Name Start Time End Time Status ---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ---------------- OKV Password Store creation n1 October 20, 2024 11:28:39 AM PDT October 20, 2024 11:29:04 AM PDT Success Download of OKV REST package n1 October 20, 2024 11:28:42 AM PDT October 20, 2024 11:28:44 AM PDT Success Edit of OKV REST package n1 October 20, 2024 11:28:44 AM PDT October 20, 2024 11:28:45 AM PDT Success Generate OKV client wallets n1 October 20, 2024 11:28:45 AM PDT October 20, 2024 11:28:47 AM PDT SuccessThe command creates an Oracle Key Vault server configuration
okvobj1for the Oracle Key Vault server userepokvusr1on the specified server.
Step 3: Share Oracle Key Vault server configuration for multi user access-enabled systems only
- For multi-user access-enabled systems, the DB user who creates
the database using the Oracle Key Vault server configuration must have
shared access to the Oracle Key Vault server configuration created by the
Oracle Key Vault user. The
odaadminuser must share the Oracle Key Vault server configuration with the DB user using theodacli grant-resource-accesscommand. The DB user can then create the database with the Oracle Key Vault server configuration. An example where theodaadminuser shares theokvobj1resource with DB userdbusr1is as follows:
To get the resource ID of the Oracle Key Vault server configuration, run thesu odaadmin odacli grant-resource-access -ri d017d35a-0757-460a-98f0-9f8d0944c872 -u dbusr1 Shared access of resource granted to user successfully...odacli list-okvserverconfigscommand. For example:odacli list-okvserverconfigs ID Name User Name IP address Host Name Description ---------------------------------------- -------------------- ---------------- ------------------- -------------------- ------------------- d017d35a-0757-460a-98f0-9f8d0944c872 okvobj1 epadmin xxx.xx.xx.xxx Null OKV Server for sales databases
Step 4: Create the database
For multi-user access-enabled systems, log in as the DB user and use theodacli create-database command with the options
-t, -osc and -kt to create a
database with TDE configured using Oracle Key Vault server. For non-multi user
access-enabled systems, you can run the same command as root user.
Determine the Oracle Key Vault server you want to store the TDE keys on
and provide the value with the
-osc option in the odacli
create-database command. The DB user can select the required Oracle Key
Vault server configuration from the list of Oracle Key Vault server configurations
displayed with the odacli list-okvserverconfigs command. For
non-multi user access enabled systems, run the odacli
list-okvserverconfigs command as root user.
- The option
-tindicates that the database must be configured with TDE, using the Oracle Key Vault credentials represented by the Oracle Key Vault server configuration specified using the-oscoption. - The option
-ktspecifies the the type of kesytore used in TDE configuration. The value of the keystore can be eithersoftwareorokv. The default issoftware. The values are case-insensitive. TheOKVServerConfigNameattribute of the database is set to the name of the Oracle Key Vault server configuration specified in the create database request. - The password for TDE wallet is randomly generated by the system, and you do not need to specify it.
WARNING:
The password is stored in a wallet on Oracle Key Vault. Loss of that wallet results in not being able to access the database tables. So, do not delete the wallet on Oracle Key Vault.kokvdb2 which uses Oracle Key Vault
credentials represented by Oracle Key Vault server configuration
kovobj1 is as
follows:
odacli create-database -n kokvdb2 -t -kt OKV -osc kovobj1
Enter SYS and SYSTEM user password:
Retype SYS and SYSTEM user password:
Job details
----------------------------------------------------------------
ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8
Description: Database service creation with DB name: kokvdb2
Status: Created
Created: July 15, 2024 3:00:53 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
odacli describe-job -i 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8
Job details
----------------------------------------------------------------
ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8
Description: Database service creation with DB name: kokvdb2
Status: Success
Created: July 15, 2024 3:00:53 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Validating dbHome available space July 15, 2024 3:01:19 PM CST July 15, 2024 3:01:19 PM CST Success
...
TDE configuration using OKV July 15, 2024 3:17:37 PM CST July 15, 2024 3:20:36 PM CST Success
TDE Wallet directory creation July 15, 2024 3:17:38 PM CST July 15, 2024 3:17:46 PM CST Success
Setting Database parameter for OKV July 15, 2024 3:17:46 PM CST July 15, 2024 3:19:07 PM CST Success
Auto login TDE Wallet creation July 15, 2024 3:19:07 PM CST July 15, 2024 3:19:09 PM CST Success
OKV TDE Wallet creation July 15, 2024 3:19:09 PM CST July 15, 2024 3:19:12 PM CST Success
OKV Endpoint configuration July 15, 2024 3:19:12 PM CST July 15, 2024 3:19:43 PM CST Success
Setting TDE Master Encryption Key July 15, 2024 3:19:43 PM CST July 15, 2024 3:20:13 PM CST Success
Create Users tablespace July 15, 2024 3:20:36 PM CST July 15, 2024 3:20:39 PM CST Success
Clear all listeners from Database July 15, 2024 3:20:39 PM CST July 15, 2024 3:20:40 PM CST Success
Copy Pwfile to Shared Storage July 15, 2024 3:20:43 PM CST July 15, 2024 3:20:47 PM CST Success On successful database creation, the Oracle Key Vault client software
is installed in the /etc/OKV/db_unique_name/okv directory.
The ownership of all the files is set to db_user:oinstall
and the permission is set to 750. The autologin TDE wallets are created in the
/etc/OKV/db_unique_name/tde and
/etc/OKV/db_unique_name/tde_seps directories. The
ownership of these directories is recursively set to
db_user:oinstall and the permission to 750.
Creating TDE-Enabled Databases Using Oracle Key Vault With Endpoints in Oracle Key Vault
Understand how you can create TDE-enabled databases on Oracle Database Appliance using endpoints and wallets already in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems.
Note:
In this Oracle Database Appliance release, this feature is supported on Oracle RAC and Oracle single-instance databases only. This feature is not available with Oracle RAC One Node databases and Oracle single-instance database with high-availability enabled.To create a TDE-enabled database using Oracle Key Vault with endpoints
in Oracle Key Vault, you must complete the following tasks:
- Log into Oracle Key Vault and create virtual TDE wallet corresponding to a database.
- Create endpoints corresponding to each instance. For a single instance database, you must create one endpoint and for Oracle RAC database, create two endpoints.
- Set the default wallet for the created endpoint.
- Download the
okvclient.jarfile corresponding to each endpoint. For single instance database, download one file, and for Oracle RAC database, there are two files available for download, one per instance..
Step 1: Obtain the
okvclient.jar file using Oracle Key Vault REST commands
You can create the okvclient.jar file either through Oracle Key
Vault REST commands or Oracle Key Vault server user interface.
To obtain the
okvclient.jar file using Oracle Key Vault
REST commands, log in as the oracle user, and then follow these
steps:
- Create working directories, such as
/tmp/workand/tmp/work/client_wallet. Navigate to the/tmp/workdirectory and download and unzip the RESTful Service utility from the Oracle Key Vault server. When you unzip the utility, you can observer three directoriesbin,lib, andconf.mkdir /tmp/work/ mkdir /tmp/work/client_wallet cd /tmp/work curl -Ok https://okv_server_ip:5695/okvrestclipackage.zip % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3750k 100 3750k 0 0 2500k 0 0:00:01 0:00:01 --:--:-- 2500k - Unzip
okvrestclipackage.zip. Editconf/okvrestcli.iniand add the Oracle Key Vault server IP address, user name, and path to the directory where the client autologin wallets are created. In the following example,/tmp/work/client_walletis the directory path where client autologin wallets are created.#Provide absolute path for log_property, okv_client_config properties [Default] log_property=./conf/okvrestcli_logging.properties server=okv_server_ip okv_client_config=./conf/okvclient.ora user=okv_user client_wallet=/tmp/work/client_wallet - Edit the
bin/okvfile and uncomment the lineexport OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.iniand also set theJAVA_HOMEvariable:#!/bin/bash export OKV_RESTCLI_DIR=$(dirname "${0}")/.. export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini export JAVA_HOME=/opt/oracle/dcs/java/1.8.0_xxx if [ -z "$JAVA_HOME" ] then echo "JAVA_HOME environment variable is not set." exit 1 fi if [ -z "$OKV_RESTCLI_CONFIG" ] then echo "OKV_RESTCLI_CONFIG environment variable is not set." exit 1 fi export OKV_RESTCLI_JAR=$OKV_RESTCLI_DIR/lib/okvrestcli.jar $JAVA_HOME/bin/java -jar $OKV_RESTCLI_JAR "$@" - Generate client auto login wallets. You are prompted to provide
the Oracle Key Vault user
password.
/tmp/work/bin/okv admin client-wallet add --client-wallet /tmp/work/client_wallet --wallet-user okv_user Password: - Create the TDE wallet corresponding to the database, if the TDE
wallet is not already created using the Oracle Key Vault user interface.
/tmp/work/bin/okv manage-access wallet create --wallet wallet_name --unique FALSE - Create the endpoint corresponding to the wallet. For Oracle RAC
database, create two endpoints. Create the endpoint only if it is not
already created using the Oracle Key Vault user interface.
/tmp/work/bin/okv admin endpoint create --endpoint endpoint_name --type ORACLE_DB --platform LINUX64 --strict-ip-check TRUE - Set the default wallet for the endpoint. For Oracle RAC
database, the default wallet for both endpoints must be the same TDE wallet.
Set the default wallet only if it is not already set using the Oracle Key
Vault user interface.
/tmp/work/bin/okv manage-access wallet set-default --wallet wallet_name --endpoint endpoint_name - Download the
okvclient.jarcommand. For Oracle RAC database, you must download theokvclient.jarcorresponding to both the endpoints. After the download is complete, copy theokvclient.jarcorresponding to the remote instance to the remote node./tmp/work/bin/okv admin endpoint download --endpoint <endpoint_name> --location <location> - While downloading the endpoint, if the
Endpoint token is already consumedmessage is observed as below, then re-enroll the endpoint./tmp/work/bin/okv admin endpoint download --endpoint endpoint_name --location location /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Failure", "message" : "Endpoint token is already consumed" } /tmp/work/bin/okv admin endpoint re-enroll --endpoint <endpoint_name> /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Success" }
Step 2: Create the database
- For multi user access-enabled and multi user access
passwordless systems, log in as the DB user and run the
odacli create-databasecommand. For non-multi user access-enabled systems, log in as therootuser and run theodacli create-databasecommand.The option
--enable-tde/-tindicates that the database must be configured with TDE. The option--keystore-type/-ktspecifies the the type of keystore to use in TDE configuration. The option--okvclient-path/-ocpspecifies the absolute path to theokvclient.jarfile corresponding to the endpoint.For single-instance database, the option
--okvclient-path/-ocptakes only one value. For Oracle RAC database, the option--okvclient-path/-ocptakes two values corresponding to each instance. The values must be comma-separated. The first path corresponds to the local instance whereas the second path corresponds to the remote instance. You are prompted to provide the TDE password.On successful database creation, the Oracle Key Vault client software is installed in the
An example to create a single-instance database named/etc/OKV/db_unique_name/okvdirectory. The local auto login TDE wallets are created in the/etc/OKV/db_unique_name/tdedirectory. Theokvclient.jarfile in the source location is deleted.okvdbwithout using the Oracle Key Vault server configuration object, is as follows:
An example to create an Oracle RAC database namedodacli create-database -n okvdb -y SI -t -kt OKV -ocp /tmp/okvclient.jar Enter SYS and SYSTEM user password: Retype SYS and SYSTEM user password: Enter TDE wallet password: Retype TDE wallet password: Job details ---------------------------------------------------------------- ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8 Description: Database service creation with DB name: okvdb Status: Created Created: July 15, 2024 3:00:53 PM CST Message: Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- odacli describe-job -i 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8 Job details ---------------------------------------------------------------- ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8 Description: Database service creation with DB name: okvdb Status: Success Created: July 15, 2024 3:00:53 PM CST Message: Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- Validating dbHome available space July 15, 2024 3:01:19 PM CST July 15, 2024 3:01:19 PM CST Success ... TDE configuration using OKV July 15, 2024 3:17:37 PM CST July 15, 2024 3:20:36 PM CST Success TDE Wallet directory creation July 15, 2024 3:17:38 PM CST July 15, 2024 3:17:46 PM CST Success Setting Database parameter for OKV July 15, 2024 3:17:46 PM CST July 15, 2024 3:19:07 PM CST Success Auto login TDE Wallet creation July 15, 2024 3:19:07 PM CST July 15, 2024 3:19:09 PM CST Success Installing the OKV client software July 15, 2024 3:19:09 PM CST July 15, 2024 3:19:42 PM CST Success Setting TDE Master Encryption Key July 15, 2024 3:19:43 PM CST July 15, 2024 3:20:13 PM CST Success Create Users tablespace July 15, 2024 3:20:36 PM CST July 15, 2024 3:20:39 PM CST Success Clear all listeners from Database July 15, 2024 3:20:39 PM CST July 15, 2024 3:20:40 PM CST Success Copy Pwfile to Shared Storage July 15, 2024 3:20:43 PM CST July 15, 2024 3:20:47 PM CST Successokvdbracwithout using the Oracle Key Vault server configuration object, is as follows. Specify the path to theokvclient.jarfile for the local database instance first, followed by the path to theokvclient.jarfile for the remote database instance in the request.odacli create-database -n okvdb -y RAC -t -kt OKV -ocp /tmp/dir1/okvclient.jar,/tmp/dir2/okvclient.jar Enter SYS and SYSTEM user password: Retype SYS and SYSTEM user password: Enter TDE wallet password: Retype TDE wallet password: Job details ---------------------------------------------------------------- ID: cb611ec2-ff87-44f9-a79b-3ab1a290644f Description: Database service creation with DB name: okvdbrac Status: Created Created: October 20, 2024 6:13:28 AM PDT Message: Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- odacli describe-job -i cb611ec2-ff87-44f9-a79b-3ab1a290644f Job details ---------------------------------------------------------------- ID: cb611ec2-ff87-44f9-a79b-3ab1a290644f Description: Database service creation with DB name: okvdbrac Status: Success Created: October 20, 2024 6:13:28 AM PDT Message: Task Name Node Name Start Time End Time Status ---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ---------------- Validating dbHome available space n1 October 20, 2024 6:13:49 AM PDT October 20, 2024 6:13:49 AM PDT Success Validating dbHome available space n2 October 20, 2024 6:13:49 AM PDT October 20, 2024 6:13:49 AM PDT Success Setting up SSH equivalence n1 October 20, 2024 6:13:51 AM PDT October 20, 2024 6:13:54 AM PDT Success Setting up SSH equivalence n1 October 20, 2024 6:13:54 AM PDT October 20, 2024 6:13:57 AM PDT Success Creating ACFS database home n1 October 20, 2024 6:13:58 AM PDT October 20, 2024 6:13:58 AM PDT Success Validating dbHome available space n1 October 20, 2024 6:13:59 AM PDT October 20, 2024 6:13:59 AM PDT Success . . . Setting TDE Master Encryption Key n1 October 20, 2024 6:34:15 AM PDT October 20, 2024 6:34:56 AM PDT Success Create Users tablespace n1 October 20, 2024 6:34:57 AM PDT October 20, 2024 6:34:59 AM PDT Success Clear all listeners from Database n1 October 20, 2024 6:35:00 AM PDT October 20, 2024 6:35:01 AM PDT Success Deleting OKV Client Software Jar n1 October 20, 2024 6:35:03 AM PDT October 20, 2024 6:35:04 AM PDT Success Deleting OKV Client Software Jar n2 October 20, 2024 6:35:04 AM PDT October 20, 2024 6:35:04 AM PDT Success Encrypt all Tablespaces n1 October 20, 2024 6:35:04 AM PDT October 20, 2024 6:36:15 AM PDT Success
Managing Oracle Key Vault Server Configuration Operations Using ODACLI Commands
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems.
You can create, list, delete, and describe Oracle Key Vault server
configuration on Oracle Database Appliance bare metal and DB systems. Note that you run
these operations only when you create TDE-enabled databases that allow Oracle Database
Appliance to store the user credentials of the Oracle Key Vault user, described in the
Creating TDE-Enabled Databases With User Credentials topic.
Listing Oracle Key Vault server configurations:
Use the
odacli list-okvserverconfigs command to view all
the Oracle Key Vault server
configurations.odacli list-okvserverconfigs
ID Name User Name IP address Host Name Description
---------------------------------------- -------------------- ---------------- ------------------- -------------------- -------------------
d017d35a-0757-460a-98f0-9f8d0944c872 okvobj1 epadmin xxx.xx.xx.xxx Null OKV server for Sales database
b6336173-666b-4d81-88bd-5ae384419114 okvobj2 epadmin2 xxx.xx.xx.xxx Null OKV server for Sales databaseDescribing an Oracle Key Vault server configuration:
Use the odacli describe-okvserverconfig command to view
a Oracle Key Vault server configuration.
For
example:
odacli describe-okvserverconfig -n dokvobj1
OKV Server Config details
----------------------------------------------------------------
ID: c196bd0a-4a42-43a6-8578-9929ceb28525
Name: dokvobj1
UserName: user1
IP Address: xxx.xxx.xx.xxx
Host Name:
Description: OKV server config for Sales
CreatedTime: October 4, 2024 9:41:43 AM HKT
UpdatedTime: October 4, 2024 9:42:10 AM HKT
State: CONFIGUREDDeleting Oracle Key Vault server configuration:
Use the
odacli delete-okvserverconfig command to delete
Oracle Key Vault server configuration. You can delete the Oracle Key Vault server
configuration only if all databases that used the Oracle Key Vault server
configuration are already
deleted.odacli delete-okvserverconfig -n okvobj1
Job details
----------------------------------------------------------------
ID: 7446c9b4-a927-431f-8e0b-099eec8116e7
Description: Delete OKV Server Config: dokvobj1
Status: Running
Created: October 4, 2024 9:44:29 AM HKT
Message: Delete OKV Server Config
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
OKV Password Store deletion October 4, 2024 9:44:29 AM HKT Running
odacli describe-job -i 7446c9b4-a927-431f-8e0b-099eec8116e7
Job details
----------------------------------------------------------------
ID: 7446c9b4-a927-431f-8e0b-099eec8116e7
Description: Delete OKV Server Config: dokvobj1
Status: Success
Created: October 4, 2024 9:44:29 AM HKT
Message: Delete OKV Server Config
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
OKV Password Store deletion oda1 October 4, 2024 9:44:29 AM HKT October 4, 2024 9:44:45 AM HKT Success
OKV Server Config directory deletion oda1 October 4, 2024 9:44:45 AM HKT October 4, 2024 9:44:45 AM HKT Success
OKV Server Config deletion oda1 October 4, 2024 9:44:45 AM HKT October 4, 2024 9:44:46 AM HKT SuccessManaging Database Operations on TDE-enabled Databases with TDE keys stored on Oracle Key Vault
Understand how you can manage TDE-enabled databases with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems.
You can re-key TDE master encryption key or restore, delete, perform database backup and recovery, and configure Oracle Data Guard on TDE-enabled database on Oracle Key Vault on Oracle Database Appliance bare metal and DB systems.
- Changing the Password for TDE-enabled Databases
Understand how you can change the password of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys. - Re-keying TDE Master Encryption Key for TDE-Enabled Databases
Understand how you can re-key TDE master encryption key of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys. - Performing Backup and Recovery of TDE-enabled Databases
Understand how you can back up and recover TDE-enabled database with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems. - Restoring TDE-Enabled Databases Using Oracle Key Vault User Credentials
Understand how you can restore TDE-enabled databases using database backups, on Oracle Database Appliance bare metal and DB systems, with credentials of a user on Oracle Key Vault. - Restoring TDE-Enabled Databases With Endpoints and Wallet Manually Created in Oracle Key Vault
Understand how you can restore TDE-enabled databases on Oracle Database Appliance using the endpoints and wallets created manually on Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems. - Deleting TDE-enabled Databases
Understand how you can delete a TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
Parent topic: Managing TDE-Enabled Oracle Databases
Changing the Password for TDE-enabled Databases
Understand how you can change the password of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
Changing the password of TDE-enabled databases on Oracle Database Appliance that use the credentials of a user in Oracle Key Vault
Use the
odacli modify-database command with the option
--change-tde-password,-ctp for TDE-enabled
databases on Oracle Database Appliance that use the credentials of a
user in Oracle Key Vault. The new password is randomly generated and
stored securely on the Oracle Key Vault server replacing the old TDE
password. For
example:odacli modify-database -n db3 -ctp
Job details
----------------------------------------------------------------
ID: b6d0f4c2-976a-42b3-a32d-6cfc7848375d
Description: Modify database: db3
Status: Success
Created: February 24, 2025 08:50:08 UTC
Message: Modify database
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Re-enroll and Provision of Endpoint n1 February 24, 2025 08:50:14 UTC February 24, 2025 08:50:30 UTC Success
Save the new TDE password using a n1 February 24, 2025 08:50:30 UTC February 24, 2025 08:50:35 UTC Success
temporary custom attribute on OKV
TDE Wallet closure n1 February 24, 2025 08:50:35 UTC February 24, 2025 08:50:43 UTC Success
TDE Wallet closure n2 February 24, 2025 08:50:43 UTC February 24, 2025 08:50:45 UTC Success
Change the TDE password in local wallet n1 February 24, 2025 08:50:45 UTC February 24, 2025 08:51:06 UTC Success
Auto login TDE Wallet creation n1 February 24, 2025 08:51:06 UTC February 24, 2025 08:51:12 UTC Success
Re-enroll and Provision of Endpoint n2 February 24, 2025 08:51:12 UTC February 24, 2025 08:51:29 UTC Success
Change the TDE password in local wallet n2 February 24, 2025 08:51:29 UTC February 24, 2025 08:51:49 UTC Success
Auto login TDE Wallet creation n1 February 24, 2025 08:51:49 UTC February 24, 2025 08:51:54 UTC Success
Save new TDE password on OKV n2 February 24, 2025 08:51:54 UTC February 24, 2025 08:52:04 UTC Success
Delete the temporary custom attribute n2 February 24, 2025 08:52:04 UTC February 24, 2025 08:52:07 UTC Success
on OKV
Deleting OKV Client Software Jar n2 February 24, 2025 08:52:08 UTC February 24, 2025 08:52:08 UTC Success
Database stop (Srvctl) n1 February 24, 2025 08:52:08 UTC February 24, 2025 08:52:48 UTC Success
Database start (Srvctl) n1 February 24, 2025 08:52:48 UTC February 24, 2025 08:53:56 UTC Success
Checking the TDE wallet status n1 February 24, 2025 08:53:56 UTC February 24, 2025 08:53:59 UTC SuccessChanging the password of TDE-enabled databases on Oracle Database Appliance that use endpoints and wallets already in Oracle Key Vault
Use the
odacli modify-database command with the option
--change-tde-password,-ctp. For TDE-enabled
databases on Oracle Database Appliance that use endpoints and
wallets already in Oracle Key Vault, you are prompted to specify the
password during the password change operation. For example, for
Oracle RAC
database:odacli modify-database -n db14 -ctp
Enter the current TDE password:
Enter the new TDE password:
Re-enter the new TDE password:
Job details
----------------------------------------------------------------
ID: aa2a90db-ab9d-4b10-b9cb-4e23fb38844a
Description: Modify database: okvdb22
Status: Success
Created: May 15, 2025 17:29:24 UTC
Message: Modify database
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
TDE Wallet closure n1 May 15, 2025 17:29:28 UTC May 15, 2025 17:29:30 UTC Success
Change the TDE password in local wallet n1 May 15, 2025 17:29:30 UTC May 15, 2025 17:29:31 UTC Success
TDE Wallet closure n2 May 15, 2025 17:29:30 UTC May 15, 2025 17:29:30 UTC Success
Auto login TDE Wallet creation n1 May 15, 2025 17:29:31 UTC May 15, 2025 17:29:31 UTC Success
Change the TDE password in local wallet n2 May 15, 2025 17:29:31 UTC May 15, 2025 17:29:32 UTC Success
Auto login TDE Wallet creation n1 May 15, 2025 17:29:32 UTC May 15, 2025 17:29:32 UTC Success
Database stop (Srvctl) n1 May 15, 2025 17:29:32 UTC May 15, 2025 17:30:15 UTC Success
Database start (Srvctl) n1 May 15, 2025 17:30:15 UTC May 15, 2025 17:30:48 UTC Success
Checking the TDE wallet status n1 May 15, 2025 17:30:48 UTC May 15, 2025 17:30:48 UTC SuccessRe-keying TDE Master Encryption Key for TDE-Enabled Databases
Understand how you can re-key TDE master encryption key of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
Use the
odacli modify-database command to perform re-key
of TDE master encryption key with the option -rkt. For TDE
configured using Oracle Key Vault, you are prompted to specify the password during
the re-key operation. For
example:odacli modify-database -n kokvdb2 -rkt
{
"jobId" : "dbedf89d-b60f-4209-bbcf-0db61e4eb350",
"status" : "Created",
"message" : "Modify database",
"reports" : [ ],
"createTimestamp" : "July 15, 2024 15:56:01 PM CST",
"resourceList" : [ {
"resourceId" : "7a1c996b-ee8d-49bc-8759-cbbfcee3bcce",
"resourceType" : null,
"resourceNewType" : "Db",
"jobId" : "dbedf89d-b60f-4209-bbcf-0db61e4eb350",
"updatedTime" : null
} ],
"description" : "Modify database: kokvdb2",
"updatedTime" : "July 15, 2024 15:56:01 PM CST",
"jobType" : null
}
odacli describe-job -i dbedf89d-b60f-4209-bbcf-0db61e4eb350
Job details
----------------------------------------------------------------
ID: dbedf89d-b60f-4209-bbcf-0db61e4eb350
Description: Modify database: kokvdb2
Status: Success
Created: July 15, 2024 3:56:01 PM CST
Message: Modify database
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
TDE Wallet Re-Key July 15, 2024 3:56:04 PM CST July 15, 2024 3:56:12 PM CST Success Performing Backup and Recovery of TDE-enabled Databases
Understand how you can back up and recover TDE-enabled database with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems.
Performing backup of TDE-enabled database with TDE keys stored on Oracle Key Vault
Use the
odacli create-backup command to back up
TDE-enabled database with TDE keys stored on Oracle Key Vault. The TDE wallet is not
present on Oracle Database Appliance, but resides in Oracle Key Vault server, and
hence it is not backed up with the database backup. As a result, the value of TDE
wallet backup location attribute of the database backup report is set to null.
[odaadmin@oda1 bin]$ odacli describe-job -i be94d1f7-ad6e-48a5-94a3-f0a52578048b
Job details
----------------------------------------------------------------
ID: be94d1f7-ad6e-48a5-94a3-f0a52578048b
Description: Create Regular-L0 Backup[TAG:auto][Db:db15][NFS:/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15]
Status: Success
Created: March 26, 2024 4:14:19 AM PDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------ ---------------------------------------- -------------------------------- ------
Validate backup config oda1 March 26, 2024 4:14:21 AM PDT March 26, 2024 4:14:21 AM PDT Success
NFS location existence validation oda1 March 26, 2024 4:14:21 AM PDT March 26, 2024 4:14:22 AM PDT Success
Recovery Window validation oda1 March 26, 2024 4:14:22 AM PDT March 26, 2024 4:14:24 AM PDT Success
Archivelog deletion policy configuration oda1 March 26, 2024 4:14:24 AM PDT March 26, 2024 4:14:26 AM PDT Success
Database backup oda1 March 26, 2024 4:14:26 AM PDT March 26, 2024 4:15:21 AM PDT Success[odaadmin@oda1 bin]$ odacli describe-backupreport -i d2326683-9766-4933-bee1-a2b59c9d7e9e
{
"id" : "d2326683-9766-4933-bee1-a2b59c9d7e9e",
"dbResId" : "96a98156-b657-403e-a87c-357c2069c285",
"tag" : "auto",
"dbId" : "1851419729",
"dbName" : "db15",
"dbUniqueName" : "db15",
"backupType" : "Regular-L0",
"keepDays" : null,
"backupLocation" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/db",
"cfBackupHandle" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/db/c-1851419729-20240326-03",
"spfBackupHandle" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/db/c-1851419729-20240326-03",
"pitrTimeStamp" : "March 26, 2024 04:15:06 AM PDT",
"pitrSCN" : "1675444",
"resetLogsTimeStamp" : "March 26, 2024 03:01:39 AM PDT",
"resetLogsSCN" : "1575481",
"oraHomeVersion" : "19.23.0.0.240116",
"sqlPatches" : "35926646,34774667,35943157",
"backupLogLoc" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/rmanlog/2024-03-26/rman_backup_auto_2024-03-26_04-14-29.0478.log",
"tdeWalletLoc" : null,
"dbConfigLoc" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/dbconfig/2024-03-26/DBCONFIG_auto_2024-03-26_04-15-19.0472.tar.gz",
"name" : "Backup_Report_db15",
"createTime" : "March 26, 2024 04:14:26 AM PDT",
"state" : {
"status" : "CONFIGURED"
},
"updatedTime" : "March 26, 2024 04:14:26 AM PDT",
"backupReportLogDetail" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/rmandetaillogreport/2024-03-26/rman_list_backup_detail_auto_2024-03-26_04-15-16.0129.log",
"dbInfo" : {
"dbClass" : "OLTP",
"dbType" : "RAC",
"dbShape" : "odb2",
"dbEdition" : "EE",
"dbStorage" : "ASM",
"dbRedundancy" : null,
"pdbName" : null,
"isCdb" : false
},
"dbDataSize" : "2441M",
"dbRedoSize" : "16403M",
"rmanBackupPieces" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/backuppieces/2024-03-26/backupPieces_auto_96a98156-b657-403e-a87c-357c2069c285_20240326041518.json",
"compressionAlgo" : "BASIC",
"cpuPool" : null,
"numberOfCores" : null,
"keystoreType" : "OKV",
}Note that since TDE wallet backup is not supported, if the keystore type
is
OKV, if you specify the component as tdewallet
in the odacli create-backup command, an error is
encountered.[odaadmin@oda1 bin]$ odacli create-backup -n db15 -c tdewallet
DCS-10144:TDE wallet backup operation is not supported for TDE databases with OKV keystore type.Performing recovery of database with TDE configured using Oracle Key Vault with credentials of Oracle Key Vault user
Use the
odacli recover-database command to recover a
database with TDE configured using Oracle Key Vault. For example, to recover a
database kokvdb2, run the following
command:odacli recover-database -n kokvdb2 -t latest
{
"jobId" : "8a50d65f-2269-41ff-b030-51fe4ecc82b5",
"status" : "Created",
"message" : null,
"reports" : [ ],
"createTimestamp" : "July 15, 2024 18:26:26 PM CST",
"resourceList" : [ ],
"description" : "Create recovery-latest for DB : kokvdb2",
"updatedTime" : "July 15, 2024 18:26:26 PM CST",
"jobType" : null
}
odacli describe-job -i 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Job details
----------------------------------------------------------------
ID: 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Description: Create recovery-latest for DB : kokvdb2
Status: Success
Created: July 15, 2024 6:26:26 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Database recovery validation July 15, 2024 6:26:30 PM CST July 15, 2024 6:27:50 PM CST Success
Database recovery July 15, 2024 6:27:50 PM CST July 15, 2024 6:30:07 PM CST Success
Enable block change tracking July 15, 2024 6:30:07 PM CST July 15, 2024 6:30:12 PM CST Success
Database opening July 15, 2024 6:30:12 PM CST July 15, 2024 6:30:15 PM CST Success
Database restart July 15, 2024 6:30:15 PM CST July 15, 2024 6:31:31 PM CST Success
Recovery metadata persistence July 15, 2024 6:31:31 PM CST July 15, 2024 6:31:31 PM CST Success The TDE wallets are stored on the Oracle Key Vault server and not on
Oracle Database Appliance, and so, ODACLI commands cannot be used for restore and
recovery operations. If the keystore type is
OKV, and you specify
the component as tdewallet in the odacli
recover-database command, an error is
encountered.[odaadmin@oda1 bin]$ odacli recover-database -n db15 -tl /nfs_backup/ewallet.p12 -t latest
DCS-10045:Validation error encountered: Usage of TDE wallet related parameters is not allowed for a TDE database with OKV keystore type.
[odaadmin@oda1 bin]$ odacli restore-tdewallet -n db15
Enter TDE wallet password:
DCS-10144:Restore TDE wallet operation is not supported for TDE databases with OKV keystore type.Performing recovery of database with TDE configured using Oracle Key Vault with endpoints in Oracle Key Vault
The
odacli recover-database command prompts for the TDE password.
Before database recovery, the local auto-login wallet is regenerated using the
Administer Key Management command. You must specify the TDE password for database
recovery.
odacli recover-database -n kokvdb2 -t latest
Enter the TDE password:
odacli describe-job -i 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Job details
----------------------------------------------------------------
ID: 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Description: Create recovery-latest for DB : kokvdb2
Status: Success
Created: July 15, 2024 6:26:26 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Auto login TDE Wallet creation July 15, 2024 6:26:30 PM CST July 15, 2024 6:27:50 PM CST
Database recovery validation July 15, 2024 6:26:30 PM CST July 15, 2024 6:27:50 PM CST Success
Database recovery July 15, 2024 6:27:50 PM CST July 15, 2024 6:30:07 PM CST Success
Enable block change tracking July 15, 2024 6:30:07 PM CST July 15, 2024 6:30:12 PM CST Success
Database opening July 15, 2024 6:30:12 PM CST July 15, 2024 6:30:15 PM CST Success
Database restart July 15, 2024 6:30:15 PM CST July 15, 2024 6:31:31 PM CST Success
Recovery metadata persistance July 15, 2024 6:31:31 PM CST July 15, 2024 6:31:31 PM CST SuccessErrors during database recovery
The TDE wallets are stored on the Oracle Key Vault server and not on
Oracle Database Appliance, and so, ODACLI commands cannot be used for restore and
recovery operations. If the keystore type is
OKV, and you specify
the component as tdewallet in the odacli
recover-database command, an error is
encountered.[odaadmin@oda1 bin]$ odacli recover-database -n db15 -tl /nfs_backup/ewallet.p12 -t latest
DCS-10045:Validation error encountered: Usage of TDE wallet related parameters is not allowed for a TDE database with OKV keystore type.
[odaadmin@oda1 bin]$ odacli restore-tdewallet -n db15
Enter TDE wallet password:
DCS-10144:Restore TDE wallet operation is not supported for TDE databases with OKV keystore type.Restoring TDE-Enabled Databases Using Oracle Key Vault User Credentials
Understand how you can restore TDE-enabled databases using database backups, on Oracle Database Appliance bare metal and DB systems, with credentials of a user on Oracle Key Vault.
Prerequisites
- To restore a database with primary role in an Oracle Data Guard configuration, TDE wallet for the target database must be created on the Oracle Key Vault server before you run the restore command. This TDE wallet is a copy of the wallet of the source database.
- To restore a database with a standby role in an Oracle Data Guard configuration, the TDE wallet copy must not be created. The TDE wallet of the primary database must be used for the standby database.
Step 1: Create the Oracle Key Vault user. This step applies to multi-user access-enabled systems only.
If the user with the ODA-OKVCONFIGADMIN role does not exist, or if
you want to assign a different user for the database you are restoring, then create
the user.
- Create a new user with the
ODA-OKVCONFIGADMINrole. For example:odacli create-user -u okvuser1 -r ODA-OKVCONFIGADMINThe user is created and assigned a temporary password.
- After the user is created successfully, the
okvuser1can log into the appliance with the temporary password. - The
okvuser1is in theInactivestate. If the appliance is configured with multi-user access enabled, then activate the user with the following command. Note that if the appliance is configured with passwordless multi-user access, then you do not need to activate the user. For more information about configuring multi-user access, the topic Implementing Multi-User Access on Oracle Database Appliance.odacli activate-userYou are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.
- Use the new password to connect by SSH into the appliance and run ODACLI commands or connect to the Browser User Interface.
Step 2: Create an Oracle Key Vault server configuration
Create an Oracle Key Vault server configuration for the target database. Create a new Oracle Key Vault server configuration only if an Oracle Key Vault server configuration for the same Oracle Key Vault server does not already exist. If a configuration already exists, then use the existing configuration.
- The Oracle Key Vault user that creates the Oracle Key Vault
server configuration must be a user with atleast the privilege of
Create Endpointon the Oracle Key Vault server. - For multi-user access-enabled systems, log in as the user with
the
ODA-OKVCONFIGADMINrole, for example, theokvuser1. For non-multi user access enabled systems, log in as therootuser. - Oracle Key Vault password prompt displays twice, to accept and
confirm the Oracle Key Vault password. This is the password of the Oracle
Key Vault user on the Oracle Key Vault server, which enables the user to log
into the Oracle Key Vault server. Specify the user name with the
-uoption in theodacli create-okvserverconfigcommand. The name of the Oracle Key Vault server configuration is case-sensitive and no two Oracle Key Vault server configurations can have same name on Oracle Database Appliance. The length of the Oracle Key Vault server configuration cannot exceed 128 characters.odacli create-okvserverconfig -n okvobj1 -u epokvusr1 -ip xxx.xx.xxx.xxx Enter OKV user password : Retype OKV user password : Job details ---------------------------------------------------------------- ID: 8878fc02-3d64-4519-bf52-fcb50839f89f Description: Create OKV Server Config: okvcfg5 Status: Success Created: October 14, 2024 14:04:29 UTC Message: Create OKV Server Config. Task Name Node Name Start Time End Time Status ---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ---------------- OKV Password Store creation oda1 October 14, 2024 14:04:29 UTC October 14, 2024 14:04:56 UTC Success Download of OKV REST package oda1 October 14, 2024 14:04:31 UTC October 14, 2024 14:04:32 UTC Success Edit of OKV REST package oda1 October 14, 2024 14:04:32 UTC October 14, 2024 14:04:32 UTC Success Generate OKV client wallets oda1 October 14, 2024 14:04:32 UTC October 14, 2024 14:04:35 UTC SuccessThe command creates an Oracle Key Vault server configuration
okvobj1for the Oracle Key Vault server userepokvusr1on the specified server.
Step 3: Copy TDE keys from source wallet to target wallet on Oracle Key Vault server using ODACLI commands
Use the odacli copy-okvtdewallet command to copy the
TDE wallet to the Oracle Key Vault server. Specify the source wallet name
(--source-wallet-name | -swn), target wallet Oracle Key Vault
server configuration object name (--target-okvserverconfig |
-tosc), and the target wallet name (--target-wallet-name |
-twn) in the command. A new wallet with the name specified for the
target wallet name (--target-wallet-name | -twn) parameter is
created in the target Oracle Key Vault server. This wallet contains the TDE keys
copied from the source wallet.
If the source wallet is on a different Oracle Key Vault server than the
target wallet, then specify the source wallet Oracle Key Vault server details such
as the host name (--source-hostname | -shn) or the IP address
(--source-ip | -sip) of the server and the name of the user
that owns the wallet on the Oracle Key Vault server (--source-username |
-su). You must provide a password when prompted in this case. This is
the password of the Oracle Key Vault user that owns the source wallet on the Oracle
Key Vault server. For multi-user access enabled systems, run this command as the
Oracle Key Vault user on Oracle Database Appliance.
There are three scenarios when you copy the TDE wallet:
Scenario 1: Copy the TDE wallet on the same Oracle Key Vault server with the same Oracle Key Vault user
In this case, the source TDE wallet and the target TDE wallet are on the
same Oracle Key Vault server, and both are owned by the same user on the OKV server.
For example:
odacli copy-okvtdewallet -swn tdeokv_on_oda8m013-c -tosc okvobj1 -twn tdeokvss
Job details
----------------------------------------------------------------
ID: 50df7dcc-8e17-48db-9206-879c44e57c20
Description: Copy wallet in OKV server
Status: Success
Created: June 20, 2024 2:56:02 AM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Creating a TDE wallet copy in the OKV June 20, 2024 2:56:03 AM CST June 20, 2024 2:57:17 AM CST Success
serverScenario 2: Copy the TDE wallet on the same Oracle Key Vault server but using a different Oracle Key Vault user
In this case, the source and the target wallet are on the same Oracle Key Vault server but are owned by different users on the Oracle Key Vault server. The owner of the source wallet in the Oracle Key Vault must provide read and manage access permissions on the wallet to the owner of the target wallet on Oracle Key Vault before running the ODACLI command to copy the wallet.
Follow these steps to provide read and manage wallet permissions to the
target wallet Oracle Key Vault user:
- Log into the Oracle Key Vault server as the source wallet Oracle Key Vault user.
- Navigate to the Keys and Wallets tab. Select the source wallet checkbox and click the Edit icon.
- Navigate to the Wallet Access Settings section and click Add.
- In the dropdown list for Type, select Users, and then select the checkbox for the target wallet Oracle Key Vault user.
- In the Access Level section, select Read Only and Manage Wallet.
- Click Save.
After you provide the required permissions to the target wallet user, run
the
odacli copy-okvtdewallet
command.odacli copy-okvtdewallet -swn tdeokv_on_oda8m013-c -tosc okvobj2 -twn tdeokvdu
Job details
----------------------------------------------------------------
ID: 50df7dcc-8e17-48db-9206-879c44e57c20
Description: Copy wallet in OKV server
Status: Success
Created: June 20, 2024 2:56:02 AM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Creating a TDE wallet copy in the OKV June 20, 2024 2:56:03 AM CST June 20, 2024 2:57:17 AM CST Success
serverScenario 3: Copy the TDE wallet to a different Oracle Key Vault server
In this case, the source wallet and the target wallet are on different
Oracle Key Vault servers. Specify the source wallet Oracle Key Vault server details
in the
odacli copy-okvtdewallet command. Specify the password of
the source wallet Oracle Key Vault user when prompted. For
example:odacli copy-okvtdewallet -swn tdeokv_on_oda8m013-c -sip xxx.xx.x.xxx -su epokvusr1 -tosc okvobj3 -twn tdeokvds
Enter OKV user password:
Retype OKV user password:
Job details
----------------------------------------------------------------
ID: 50df7dcc-8e17-48db-9206-879c44e57c20
Description: Copy wallet in OKV server
Status: Success
Created: June 20, 2024 2:56:02 AM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Creating a TDE wallet copy in the OKV June 20, 2024 2:56:03 AM CST June 20, 2024 2:57:17 AM CST Success
serverAlternate method for Step 3: Copying the TDE keys from the source database wallet to the target database wallet using the Oracle Key Vault user interface
Instead of using ODACLI commands, you can create a new wallet for the
target database in the Oracle Key Vault server and copy the TDE keys of the source
database to the wallet using the Oracle Key Vault user interface as follows:
- Log into the Oracle Key Vault server.
- Navigate to the Keys & Wallets tab.
- The Oracle Key Vault user must be provided read, write, and manage wallet permissions from the Access Settings section of the source database wallet.
- To create a new wallet, click Create.
- Specify the new name for the wallet of the target database.
- Copy the TDE keys of the source database when creating the new wallet. Search for the name of the source database in the Add Wallet Contents section. When the keys are displayed, select all TDE Master Encryption Key checkboxes for the database.
- To save the wallet, click Save.
- Run this step only if the Oracle Key Vault administrator has
created the wallet for the Oracle Key Vault user. Ensure that the
administrator provides read-write and manage-wallet access for the wallet to
the user after creation.
- Log into the Oracle Key Vault server as the Oracle Key Vault administrator.
- In the Keys & Wallets tab, select the checkbox for the newly-created wallet and click on the Edit option for the wallet.
- In the Wallet Access Settings, click Add.
- In the Select Endpoint/User Group section, select Users from the dropdown list.
- Select the checkbox for the Oracle Key Vault user to be provided access to the wallet.
- In the Access Level section, select Read and Modify and Manage Wallet options.
- To save the access settings for the wallet, click Save.
Step 4: Restoring TDE-enabled databases with TDE keys stored on Oracle Key Vault
Use the odacli irestore-database command to restore a
TDE-enabled database with TDE keys stored on Oracle Key Vault. Specify the options
--enable-tde, --okv-server-config,
--okv-wallet-name, and keystore-type in the
command.
The option --enable-tde,-t indicates that the restored
database must be configured with TDE, using the Oracle Key Vault server
configuration specified in the --okv-server-config option. The
keystore of such irestored database is set to OKV. The
okvServerConfigName attribute of the restored database object
is set to the name of the Oracle Key Vault server configuration specified in the
irestore request. Specify the wallet name for the target database with the
--okv-wallet-name parameter. This wallet must be present in the
Oracle Key Vault server and the TDE keys must be copied to the wallet before running
the irestore operation.
Since the wallet is already created in the Oracle Key Vault server,
specify the name of the wallet, the Oracle Key Vault server configuration where the
wallet is created, and the keystore type as
OKV in this case in the
odacli irestore-database
command:odacli irestore-database -r /tmp/db1Backupreport.json -t -osc okvobj1 -kt OKV -own db2_wallet -n okvdb15
Enter SYS and SYSTEM user password:
Enter SYS and SYSTEM user password:
Job details
----------------------------------------------------------------
ID: dc44f3f0-5af3-4402-ad23-e923e1446371
Description: Database service recovery with DB name: okvdb15
Status: Success
Created: July 5, 2024 6:54:00 AM EDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Check if cluster ware is running oda1 July 5, 2024 6:54:23 AM EDT July 5, 2024 6:54:23 AM EDT Success
Check if cluster ware is running oda2 July 5, 2024 6:54:23 AM EDT July 5, 2024 6:54:24 AM EDT Success
Creating DbStorage for DbRestore oda1 July 5, 2024 6:54:25 AM EDT July 5, 2024 6:54:42 AM EDT Success
Validating DiskSpace for DATA oda1 July 5, 2024 6:54:25 AM EDT July 5, 2024 6:54:27 AM EDT Success
Setting up SSH equivalence oda1 July 5, 2024 6:54:27 AM EDT July 5, 2024 6:54:34 AM EDT Success
Configuring user access to ACFS oda1 July 5, 2024 6:54:38 AM EDT July 5, 2024 6:54:39 AM EDT Success
filesystems for okvdb15
Audit directory creation oda1 July 5, 2024 6:54:40 AM EDT July 5, 2024 6:54:40 AM EDT Success
Audit directory creation oda2 July 5, 2024 6:54:41 AM EDT July 5, 2024 6:54:41 AM EDT Success
Configure TDE for RestoreDb TaskFlow oda1 July 5, 2024 6:54:46 AM EDT July 5, 2024 6:56:07 AM EDT Success
Auxiliary Instance Creation oda1 July 5, 2024 6:54:50 AM EDT July 5, 2024 6:55:30 AM EDT Success
TDE Wallet directory creation oda1 July 5, 2024 6:55:30 AM EDT July 5, 2024 6:55:31 AM EDT Success
OKV Endpoint configuration oda1 July 5, 2024 6:55:31 AM EDT July 5, 2024 6:56:02 AM EDT Success
Auto login TDE Wallet creation oda1 July 5, 2024 6:56:02 AM EDT July 5, 2024 6:56:04 AM EDT Success
Password based TDE Wallet open oda1 July 5, 2024 6:56:04 AM EDT July 5, 2024 6:56:07 AM EDT Success
Create pfile for Auxiliary Instance oda1 July 5, 2024 6:56:07 AM EDT July 5, 2024 6:56:08 AM EDT Success
Rman duplicate oda1 July 5, 2024 6:56:08 AM EDT July 5, 2024 7:01:22 AM EDT Success
Creating pfile from spfile oda1 July 5, 2024 7:01:23 AM EDT July 5, 2024 7:01:24 AM EDT Success
Set PFile Ownership oda1 July 5, 2024 7:01:24 AM EDT July 5, 2024 7:01:24 AM EDT Success
Customize Db Parameters oda1 July 5, 2024 7:01:25 AM EDT July 5, 2024 7:01:36 AM EDT Success
Shutdown And Start database oda1 July 5, 2024 7:01:36 AM EDT July 5, 2024 7:06:51 AM EDT Success
Create spfile for restore db oda1 July 5, 2024 7:06:51 AM EDT July 5, 2024 7:06:53 AM EDT Success
Set PFile Ownership oda1 July 5, 2024 7:06:53 AM EDT July 5, 2024 7:06:53 AM EDT Success
Shutdown And Mount database oda1 July 5, 2024 7:06:54 AM EDT July 5, 2024 7:08:22 AM EDT Success
Re-Create control file oda1 July 5, 2024 7:08:23 AM EDT July 5, 2024 7:09:21 AM EDT Success
Removing Disabled Redo Threads oda1 July 5, 2024 7:09:21 AM EDT July 5, 2024 7:09:23 AM EDT Success
Updating DB attributes oda1 July 5, 2024 7:09:23 AM EDT July 5, 2024 7:09:25 AM EDT Success
Register Database taskflow oda1 July 5, 2024 7:09:30 AM EDT July 5, 2024 7:14:51 AM EDT Success
Create SPFile in shared loc oda1 July 5, 2024 7:09:30 AM EDT July 5, 2024 7:09:40 AM EDT Success
Delete Local Spfile oda1 July 5, 2024 7:09:40 AM EDT July 5, 2024 7:09:41 AM EDT Success
Register DB with clusterware oda1 July 5, 2024 7:09:41 AM EDT July 5, 2024 7:11:19 AM EDT Success
Add Startup Trigger to Open all PDBS oda1 July 5, 2024 7:11:20 AM EDT July 5, 2024 7:11:20 AM EDT Success
Set SysPassword and Create PwFile oda1 July 5, 2024 7:11:21 AM EDT July 5, 2024 7:11:24 AM EDT Success
Enable block change tracking oda1 July 5, 2024 7:11:25 AM EDT July 5, 2024 7:11:37 AM EDT Success
Creating pfile oda1 July 5, 2024 7:11:37 AM EDT July 5, 2024 7:11:39 AM EDT Success
Updating db env oda1 July 5, 2024 7:11:39 AM EDT July 5, 2024 7:11:40 AM EDT Success
Enable DbSizing Template oda1 July 5, 2024 7:11:40 AM EDT July 5, 2024 7:13:14 AM EDT Success
Update Database Global Name oda1 July 5, 2024 7:13:14 AM EDT July 5, 2024 7:13:17 AM EDT Success
Create tns entry oda1 July 5, 2024 7:13:18 AM EDT July 5, 2024 7:13:19 AM EDT Success
Create tns entry oda2 July 5, 2024 7:13:19 AM EDT July 5, 2024 7:13:21 AM EDT Success
Running datapatch oda1 July 5, 2024 7:13:21 AM EDT July 5, 2024 7:13:52 AM EDT Success
Set CPU pool oda1 July 5, 2024 7:13:52 AM EDT July 5, 2024 7:13:52 AM EDT Success
Reset Associated Networks for Database oda1 July 5, 2024 7:14:54 AM EDT July 5, 2024 7:15:00 AM EDT Success
Reset Associated Networks oda2 July 5, 2024 7:15:00 AM EDT July 5, 2024 7:15:01 AM EDT Success
Set log_archive_dest for Database oda1 July 5, 2024 7:15:01 AM EDT July 5, 2024 7:15:07 AM EDT Success
Setting Database parameter for OKV oda1 July 5, 2024 7:15:07 AM EDT July 5, 2024 7:16:43 AM EDT Success
Enable New Tablespace Encryption oda1 July 5, 2024 7:16:45 AM EDT July 5, 2024 7:16:47 AM EDT Success
Copy Pwfile to Shared Storage oda1 July 5, 2024 7:16:47 AM EDT July 5, 2024 7:16:58 AM EDT Success
Configure All Candidate Nodes oda1 July 5, 2024 7:16:58 AM EDT July 5, 2024 7:17:01 AM EDT SuccessRestore the database by copying the wallet using ODACLI commands and
providing the wallet name to the command. After copying the TDE keys of the wallet
of the source database with the
odacli copy-okvtdewallet command,
specify the target Oracle Key Vault wallet name in the odacli
irestore-database command.
odacli irestore-database -r /tmp/db1Backupreport.json -t -osc okvobj1 -kt OKV -own db2_wallet
Enter SYS and SYSTEM user password:
Enter SYS and SYSTEM user password:Restoring TDE-Enabled Databases With Endpoints and Wallet Manually Created in Oracle Key Vault
Understand how you can restore TDE-enabled databases on Oracle Database Appliance using the endpoints and wallets created manually on Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems.
Prerequisites
- To restore a database with primary role in an Oracle Data Guard configuration, TDE wallet for the target database must be created on the Oracle Key Vault server before you run the restore command. This TDE wallet is a copy of the wallet of the source database.
- To restore a database with a standby role in an Oracle Data Guard configuration, the TDE wallet copy must not be created. The TDE wallet of the primary database must be used for the standby database.
- The TDE wallet created must be set as the default wallet for the endpoints created.
- The
okvclient.jarfile corresponding to each endpoint must be downloaded and copied to the Oracle Database Appliance node on which you submit the database restore request.
Step 1: Copying the TDE keys from the source database wallet to the target database wallet using the Oracle Key Vault user interface
Create a new wallet for the target database in the Oracle Key Vault
server and copy the TDE keys of the source database to the wallet as follows:
- Log into the Oracle Key Vault server.
- Navigate to the Keys & Wallets tab.
- The Oracle Key Vault user must be provided read, write, and manage wallet permissions from the Access Settings section of the source database wallet.
- To create a new wallet, click Create.
- Specify the new name for the wallet of the target database.
- Copy the TDE keys of the source database when creating the new wallet. Search for the name of the source database in the Add Wallet Contents section. When the keys are displayed, select all TDE Master Encryption Key checkboxes for the database.
- To save the wallet, click Save.
- Run this step only if the Oracle Key Vault administrator has
created the wallet for the Oracle Key Vault user. Ensure that the
administrator provides read-write and manage-wallet access for the wallet to
the user after creation.
- Log into the Oracle Key Vault server as the Oracle Key Vault administrator.
- In the Keys & Wallets tab, select the checkbox for the newly-created wallet and click on the Edit option for the wallet.
- In the Wallet Access Settings, click Add.
- In the Select Endpoint/User Group section, select Users from the dropdown list.
- Select the checkbox for the Oracle Key Vault user to be provided access to the wallet.
- In the Access Level section, select Read and Modify and Manage Wallet options.
- To save the access settings for the wallet, click Save.
Step 2: Creating endpoints and setting the default wallet
Follow these steps:
- Create endpoints corresponding to each instance. For Oracle RAC
database, create two endpoints corresponding to two instances. For
single-instance database, create one endpoint corresponding to one instance.
- In the Oracle Key Vault home page, navigate to the Endpoints tab and click Add.
- Specify the Endpoint Name. Select the Type as Oracle Database, Platform as Linux, and click Register.
- In the Default Wallet page, click Choose Wallet and set the default wallet for the created endpoints.
Step 3: Downloading the TDE wallet to Oracle Key Vault server using Oracle Key Vault commands
For multi user access-enabled and multi user access passwordless
systems, log in as the Oracle Key Vault server user. For non-multi user
access-enabled systems, log in as the
oracle user and then follow
these steps:
- Create working directories such as
/tmp/workand/tmp/work/client_wallet. Navigate to the/tmp/workdirectory. Download and extract the RESTful Service Utility from Oracle Key Vault server. You can view three directoriesbin,lib, andconf.mkdir /tmp/work/ mkdir /tmp/work/client_wallet cd /tmp/work curl -Ok https://okv_server_ip:5695/okvrestclipackage.zip % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3750k 100 3750k 0 0 2500k 0 0:00:01 0:00:01 --:--:-- 2500k - Extract the contents of
okvrestclipackage.zipfile. Edit theconf/okvrestcli.inifile and add the Oracle Key Vault server IP address, user name, and path to the directory where the client auto login wallets are created. In the following example, the client auto login wallets are created in the/tmp/work/client_walletdirectory.#Provide absolute path for log_property, okv_client_config properties [Default] log_property=./conf/okvrestcli_logging.properties server=<okv_server_ip> okv_client_config=./conf/okvclient.ora user=<okv_user> client_wallet=/tmp/work/client_wallet - Edit the
bin/okvfile and uncomment the lineexport OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.inifile. SetJAVA_HOMEas follows:#!/bin/bash export OKV_RESTCLI_DIR=$(dirname "${0}")/.. export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini export JAVA_HOME=/opt/oracle/dcs/java/1.8.0_xxx if [ -z "$JAVA_HOME" ] then echo "JAVA_HOME environment variable is not set." exit 1 fi if [ -z "$OKV_RESTCLI_CONFIG" ] then echo "OKV_RESTCLI_CONFIG environment variable is not set." exit 1 fi export OKV_RESTCLI_JAR=$OKV_RESTCLI_DIR/lib/okvrestcli.jar $JAVA_HOME/bin/java -jar $OKV_RESTCLI_JAR "$@" - Generate the client auto login wallets. Specify the Oracle Key
Vault password when
prompted.
/tmp/work/bin/okv admin client-wallet add --client-wallet /tmp/work/client_wallet --wallet-user okv_user Password: - Create the endpoint corresponding to the wallet. For Oracle RAC
database, you must create two endpoints specific to each database instance.
Run this step only if the endpoints are not already created using the Oracle
Key Vault Server user interface.
/tmp/work/bin/okv admin endpoint create --endpoint endpoint_name --type ORACLE_DB --platform LINUX64 --strict-ip-check TRUE - Set the wallet created in Step 1 as the default wallet for the
endpoints. For Oracle RAC database, the default wallet for both the
endpoints must be same TDE wallet. Run this step only if the TDE wallet is
not already set as the default wallet for the endpoints using the Oracle Key
Vault Server user interface.
/tmp/work/bin/okv manage-access wallet set-default --wallet <wallet_name> --endpoint <endpoint_name> - Download the
okvclient.jarfile. For Oracle RAC database, download theokvclient.jarfile corresponding to both endpoints. After downloading the files, copy theokvclient.jarcorresponding to the remote instance to the remote node./tmp/work/bin/okv admin endpoint download --endpoint <endpoint_name> --location <location>When you download the endpoints, if you encounter a message such asEndpoint token is already consumed, then you must enroll the endpoint again as follows:/tmp/work/bin/okv admin endpoint download --endpoint endpoint_name --location location /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Failure", "message" : "Endpoint token is already consumed" } /tmp/work/bin/okv admin endpoint re-enroll --endpoint <endpoint_name> /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Success" } }
Step 4: Restoring TDE-enabled databases with TDE keys stored on Oracle Key Vault
For multi-user access-enabled systems, log in as database user. For
non-multi user access enabled systems, log in as the root user. Use
the odacli irestore-database command to restore a TDE-enabled
database with TDE keys stored on Oracle Key Vault. Specify the options
--enable-tde, --okvclient-path, and
keystore-type in the command.
The option --enable-tde,-t indicates that the restored
database must be configured with TDE. Use the option
--keystore-type,-kt to specify the type of keystore for the TDE
configuration. Use the option --okvclient-path,-ocp to specify the
absolute path to the okvclient.jar file corresponding to the
database endpoint. For single-instance database, you can specify one value in the
--okvclient-path,-ocp option, whereas for Oracle RAC database,
you can specify two values. Provide the TDE password when you are prompted. After
the restore operation of the database is successful, the Oracle Key Vault endpoint
software is installed in the /etc/OKV/db_unique_name/okv
location. The local auto login TDE wallets are created in the
/etc/OKV/db_unique_name/tde location.
To restore a single-instance database
okvdb without
using the Oracle Key Vault server configuration object, run the odacli
irestore-database command as
follows:odacli irestore-database -r /tmp/bkpreport.json -n okvdb8 -y SI -t -kt OKV -ocp /tmp/okvclient.jar
Enter SYS and SYSTEM user password:
Retype SYS and SYSTEM user password:
Enter TDE wallet password:
Job details
----------------------------------------------------------------
ID: dce7bde6-7fc4-48ec-891b-649525f1ce4f
Description: Database service recovery with DB name: okvdb8
Status: Success
Created: August 28, 2024 2:50:46 PM CST
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Restore Database scaoda10ha13c2n1 August 28, 2024 2:51:09 PM CST August 28, 2024 2:58:11 PM CST Failure
Restore Database scaoda10ha13c2n1 August 28, 2024 2:51:10 PM CST August 28, 2024 2:58:10 PM CST Failure
Check if cluster ware is running scaoda10ha13c2n1 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:14 PM CST Success
Check if cluster ware is running scaoda10ha13c2n2 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:14 PM CST Success
Creating DbStorage for DbRestore scaoda10ha13c2n1 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:21 PM CST Success
Validating DiskSpace for DATA scaoda10ha13c2n1 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:15 PM CST Success
Setting up SSH equivalence scaoda10ha13c2n1 August 28, 2024 2:51:15 PM CST August 28, 2024 2:51:19 PM CST Success
Configuring user access to ACFS scaoda10ha13c2n1 August 28, 2024 2:51:20 PM CST August 28, 2024 2:51:20 PM CST Success
filesystems for okvdb8st
Audit directory creation scaoda10ha13c2n1 August 28, 2024 2:51:20 PM CST August 28, 2024 2:51:21 PM CST Success
Audit directory creation scaoda10ha13c2n2 August 28, 2024 2:51:21 PM CST August 28, 2024 2:51:21 PM CST Success
Configure TDE for RestoreDb TaskFlow scaoda10ha13c2n1 August 28, 2024 2:51:22 PM CST August 28, 2024 2:51:39 PM CST Success
Auxiliary Instance Creation scaoda10ha13c2n2 August 28, 2024 2:51:24 PM CST August 28, 2024 2:51:36 PM CST Success
TDE Wallet directory creation scaoda10ha13c2n1 August 28, 2024 2:51:36 PM CST August 28, 2024 2:51:36 PM CST Success
Installing OKV Client Software scaoda10ha13c2n2 August 28, 2024 2:51:36 PM CST August 28, 2024 2:51:37 PM CST Success
Auto login TDE Wallet creation scaoda10ha13c2n1 August 28, 2024 2:51:37 PM CST August 28, 2024 2:51:38 PM CST Success
Password based TDE Wallet open scaoda10ha13c2n1 August 28, 2024 2:51:38 PM CST August 28, 2024 2:51:39 PM CST Success
Install Object Store Swift module scaoda10ha13c2n2 August 28, 2024 2:51:58 PM CST August 28, 2024 2:52:16 PM CST Success
Restoring Spfile From Casper scaoda10ha13c2n2 August 28, 2024 2:52:16 PM CST August 28, 2024 2:52:38 PM CST Success
Customize Db Parameters scaoda10ha13c2n2 August 28, 2024 2:52:38 PM CST August 28, 2024 2:52:47 PM CST Success
Create spfile for restore db scaoda10ha13c2n2 August 28, 2024 2:52:47 PM CST August 28, 2024 2:52:48 PM CST Success
Restoring control file scaoda10ha13c2n2 August 28, 2024 2:52:48 PM CST August 28, 2024 2:53:11 PM CST Success
Mounting db scaoda10ha13c2n2 August 28, 2024 2:53:11 PM CST August 28, 2024 2:53:35 PM CST Success
Validating backup for RestoreDB scaoda10ha13c2n2 August 28, 2024 2:53:35 PM CST August 28, 2024 2:53:41 PM CST Success
Restoring DB for migration scaoda10ha13c2n2 August 28, 2024 2:53:41 PM CST August 28, 2024 2:54:26 PM CST Success
Change DBID and/or DBName scaoda10ha13c2n2 August 28, 2024 2:54:27 PM CST August 28, 2024 2:54:28 PM CST Success
Register Database taskflow scaoda10ha13c2n1 August 28, 2024 2:54:31 PM CST August 28, 2024 2:57:08 PM CST Success
Create SPFile in shared loc scaoda10ha13c2n2 August 28, 2024 2:54:31 PM CST August 28, 2024 2:54:37 PM CST Success
Delete Local Spfile scaoda10ha13c2n2 August 28, 2024 2:54:37 PM CST August 28, 2024 2:54:37 PM CST Success
Register DB with clusterware scaoda10ha13c2n2 August 28, 2024 2:54:37 PM CST August 28, 2024 2:55:23 PM CST Success
Set SysPassword and Create PwFile scaoda10ha13c2n1 August 28, 2024 2:55:23 PM CST August 28, 2024 2:55:25 PM CST Success
Enable block change tracking scaoda10ha13c2n2 August 28, 2024 2:55:26 PM CST August 28, 2024 2:55:28 PM CST Success
Creating pfile scaoda10ha13c2n2 August 28, 2024 2:55:28 PM CST August 28, 2024 2:55:29 PM CST Success
Updating db env scaoda10ha13c2n2 August 28, 2024 2:55:29 PM CST August 28, 2024 2:55:30 PM CST Success
Enable DbSizing Template scaoda10ha13c2n2 August 28, 2024 2:55:30 PM CST August 28, 2024 2:56:20 PM CST Success
Create tns entry scaoda10ha13c2n1 August 28, 2024 2:56:20 PM CST August 28, 2024 2:56:21 PM CST Success
Create tns entry scaoda10ha13c2n2 August 28, 2024 2:56:21 PM CST August 28, 2024 2:56:22 PM CST Success
Running datapatch scaoda10ha13c2n2 August 28, 2024 2:56:22 PM CST August 28, 2024 2:56:23 PM CST Success
Set CPU pool scaoda10ha13c2n1 August 28, 2024 2:56:23 PM CST August 28, 2024 2:56:23 PM CST Success
Reset Associated Networks for Database scaoda10ha13c2n2 August 28, 2024 2:57:10 PM CST August 28, 2024 2:57:13 PM CST Success
Reset Associated Networks scaoda10ha13c2n1 August 28, 2024 2:57:13 PM CST August 28, 2024 2:57:14 PM CST Success
Set log_archive_dest for Database scaoda10ha13c2n2 August 28, 2024 2:57:14 PM CST August 28, 2024 2:57:18 PM CST Success
Setting Database parameter for OKV scaoda10ha13c2n1 August 28, 2024 2:57:18 PM CST August 28, 2024 2:58:05 PM CST Success
Enable New Tablespace Encryption scaoda10ha13c2n2 August 28, 2024 2:58:07 PM CST August 28, 2024 2:58:08 PM CST Success
Deleting OKV Client Software Jar scaoda10ha13c2n2 August 28, 2024 2:58:09 PM CST August 28, 2024 2:58:09 PM CST Success
Copy Pwfile to Shared Storage scaoda10ha13c2n1 August 28, 2024 2:58:09 PM CST August 28, 2024 2:58:10 PM CST SuccessTo restore an Oracle RAC database, run the
odacli
irestore-database command as follows. Specify the
okvclient.jar file for the local database instance first,
followed by the path to the okvclient.jar file for the remote
database instance in the request. In the following example, the
okvclient.jar file in the /tmp/dir1 location
belongs to the local node and the okvclient.jar file in the
/tmp/dir2 location belongs to the remote
node.odacli irestore-database -r /tmp/bkpreport.json -n okvdb7 -y RAC -t -kt OKV -ocp /tmp/dir1/okvclient.jar,/tmp/dir2/okvclient.jar
Enter SYS and SYSTEM user password:
Retype SYS and SYSTEM user password:
Enter TDE wallet password:
Job details
----------------------------------------------------------------
ID: 79b2d96c-0156-444b-b965-185b311f5110
Description: Database service recovery with DB name: okvdb7
Status: Success
Created: August 28, 2024 12:58:39 AM CST
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Check if cluster ware is running scaoda10ha13c2n1 August 28, 2024 12:59:07 AM CST August 28, 2024 12:59:07 AM CST Success
Check if cluster ware is running scaoda10ha13c2n2 August 28, 2024 12:59:07 AM CST August 28, 2024 12:59:07 AM CST Success
Creating DbStorage for DbRestore scaoda10ha13c2n1 August 28, 2024 12:59:07 AM CST August 28, 2024 12:59:14 AM CST Success
Validating DiskSpace for DATA scaoda10ha13c2n1 August 28, 2024 12:59:08 AM CST August 28, 2024 12:59:08 AM CST Success
Setting up SSH equivalence scaoda10ha13c2n1 August 28, 2024 12:59:09 AM CST August 28, 2024 12:59:12 AM CST Success
Configuring user access to ACFS scaoda10ha13c2n1 August 28, 2024 12:59:13 AM CST August 28, 2024 12:59:13 AM CST Success
filesystems for okvdb7
Audit directory creation scaoda10ha13c2n1 August 28, 2024 12:59:14 AM CST August 28, 2024 12:59:14 AM CST Success
Audit directory creation scaoda10ha13c2n2 August 28, 2024 12:59:14 AM CST August 28, 2024 12:59:14 AM CST Success
Configure TDE for RestoreDb TaskFlow scaoda10ha13c2n1 August 28, 2024 12:59:15 AM CST August 28, 2024 12:59:32 AM CST Success
Auxiliary Instance Creation scaoda10ha13c2n1 August 28, 2024 12:59:17 AM CST August 28, 2024 12:59:28 AM CST Success
TDE Wallet directory creation scaoda10ha13c2n1 August 28, 2024 12:59:28 AM CST August 28, 2024 12:59:28 AM CST Success
Installing OKV Client Software scaoda10ha13c2n1 August 28, 2024 12:59:28 AM CST August 28, 2024 12:59:29 AM CST Success
Installing OKV Client Software scaoda10ha13c2n2 August 28, 2024 12:59:30 AM CST August 28, 2024 12:59:31 AM CST Success
Auto login TDE Wallet creation scaoda10ha13c2n1 August 28, 2024 12:59:31 AM CST August 28, 2024 12:59:32 AM CST Success
Password based TDE Wallet open scaoda10ha13c2n1 August 28, 2024 12:59:32 AM CST August 28, 2024 12:59:32 AM CST Success
Install Object Store Swift module scaoda10ha13c2n2 August 28, 2024 12:59:51 AM CST August 28, 2024 1:00:09 AM CST Success
Restoring Spfile From Casper scaoda10ha13c2n1 August 28, 2024 1:00:09 AM CST August 28, 2024 1:00:28 AM CST Success
Customize Db Parameters scaoda10ha13c2n1 August 28, 2024 1:00:28 AM CST August 28, 2024 1:00:34 AM CST Success
Create spfile for restore db scaoda10ha13c2n1 August 28, 2024 1:00:34 AM CST August 28, 2024 1:00:35 AM CST Success
Restoring control file scaoda10ha13c2n1 August 28, 2024 1:00:35 AM CST August 28, 2024 1:00:58 AM CST Success
Mounting db scaoda10ha13c2n1 August 28, 2024 1:00:58 AM CST August 28, 2024 1:01:23 AM CST Success
Validating backup for RestoreDB scaoda10ha13c2n1 August 28, 2024 1:01:23 AM CST August 28, 2024 1:01:29 AM CST Success
Restoring DB for migration scaoda10ha13c2n1 August 28, 2024 1:01:29 AM CST August 28, 2024 1:10:54 AM CST Success
Re-Create control file scaoda10ha13c2n1 August 28, 2024 1:10:54 AM CST August 28, 2024 1:11:36 AM CST Success
Change DBID and/or DBName scaoda10ha13c2n1 August 28, 2024 1:11:36 AM CST August 28, 2024 1:14:34 AM CST Success
Removing Disabled Redo Threads scaoda10ha13c2n1 August 28, 2024 1:14:34 AM CST August 28, 2024 1:14:36 AM CST Success
Updating DB attributes scaoda10ha13c2n1 August 28, 2024 1:14:36 AM CST August 28, 2024 1:14:37 AM CST Success
Customize DB for Type RAC/RacOne scaoda10ha13c2n1 August 28, 2024 1:14:37 AM CST August 28, 2024 1:14:44 AM CST Success
Enable cluster ware for rac/racone db scaoda10ha13c2n1 August 28, 2024 1:14:45 AM CST August 28, 2024 1:14:45 AM CST Success
Building Cluster DB Views for Rac and scaoda10ha13c2n1 August 28, 2024 1:14:45 AM CST August 28, 2024 1:14:56 AM CST Success
RacOne
Register Database taskflow scaoda10ha13c2n1 August 28, 2024 1:14:58 AM CST August 28, 2024 1:20:24 AM CST Success
Create SPFile in shared loc scaoda10ha13c2n1 August 28, 2024 1:14:59 AM CST August 28, 2024 1:15:05 AM CST Success
Delete Local Spfile scaoda10ha13c2n1 August 28, 2024 1:15:05 AM CST August 28, 2024 1:15:05 AM CST Success
Register DB with clusterware scaoda10ha13c2n1 August 28, 2024 1:15:05 AM CST August 28, 2024 1:16:33 AM CST Success
Add Startup Trigger to Open all PDBS scaoda10ha13c2n1 August 28, 2024 1:16:33 AM CST August 28, 2024 1:16:33 AM CST Success
Set SysPassword and Create PwFile scaoda10ha13c2n1 August 28, 2024 1:16:34 AM CST August 28, 2024 1:16:38 AM CST Success
Enable block change tracking scaoda10ha13c2n1 August 28, 2024 1:16:38 AM CST August 28, 2024 1:16:54 AM CST Success
Creating pfile scaoda10ha13c2n1 August 28, 2024 1:16:55 AM CST August 28, 2024 1:16:56 AM CST Success
Updating db env scaoda10ha13c2n1 August 28, 2024 1:16:56 AM CST August 28, 2024 1:16:56 AM CST Success
Enable DbSizing Template scaoda10ha13c2n1 August 28, 2024 1:16:56 AM CST August 28, 2024 1:18:38 AM CST Success
Update Database Global Name scaoda10ha13c2n1 August 28, 2024 1:18:39 AM CST August 28, 2024 1:18:40 AM CST Success
Create tns entry scaoda10ha13c2n1 August 28, 2024 1:18:40 AM CST August 28, 2024 1:18:42 AM CST Success
Create tns entry scaoda10ha13c2n2 August 28, 2024 1:18:42 AM CST August 28, 2024 1:18:43 AM CST Success
Running datapatch scaoda10ha13c2n1 August 28, 2024 1:18:43 AM CST August 28, 2024 1:19:19 AM CST Success
Set CPU pool scaoda10ha13c2n1 August 28, 2024 1:19:19 AM CST August 28, 2024 1:19:19 AM CST Success
Reset Associated Networks for Database scaoda10ha13c2n1 August 28, 2024 1:20:26 AM CST August 28, 2024 1:20:30 AM CST Success
Reset Associated Networks scaoda10ha13c2n2 August 28, 2024 1:20:30 AM CST August 28, 2024 1:20:31 AM CST Success
Set log_archive_dest for Database scaoda10ha13c2n1 August 28, 2024 1:20:31 AM CST August 28, 2024 1:20:34 AM CST Success
Auto login TDE Wallet creation scaoda10ha13c2n1 August 28, 2024 1:20:34 AM CST August 28, 2024 1:20:36 AM CST Success
Setting Database parameter for OKV scaoda10ha13c2n1 August 28, 2024 1:20:36 AM CST August 28, 2024 1:22:17 AM CST Success
Enable New Tablespace Encryption scaoda10ha13c2n1 August 28, 2024 1:22:19 AM CST August 28, 2024 1:22:20 AM CST Success
Deleting OKV Client Software Jar scaoda10ha13c2n1 August 28, 2024 1:22:20 AM CST August 28, 2024 1:22:20 AM CST Success
Deleting OKV Client Software Jar scaoda10ha13c2n2 August 28, 2024 1:22:20 AM CST August 28, 2024 1:22:20 AM CST SuccessDeleting TDE-enabled Databases
Understand how you can delete a TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
Use the
odacli delete-database command to delete
TDE-enabled database with TDE keys stored on Oracle Key Vault. Use the
-n option to specify the name of the database to be
deleted.odacli delete-database -n kokvdb1
{
"jobId" : "6f001840-5002-43ee-9067-e22930e36d58",
"status" : "Running",
"message" : null,
"reports" : [ {
"taskId" : "TaskDcsJsonRpcExt_2259",
"taskName" : "Validate DB 9aeeeb5f-afc5-4051-8bd1-00c62048ca01 for deletion",
"nodeName" : "scaoda6m006",
"taskResult" : "",
"startTime" : "July 15, 2024 15:40:50 PM CST",
"endTime" : "July 15, 2024 15:40:50 PM CST",
"duration" : "00:00:00.13",
"status" : "Success",
"taskDescription" : null,
"parentTaskId" : "TaskSequential_2257",
"jobId" : "6f001840-5002-43ee-9067-e22930e36d58",
"tags" : [ ],
"reportLevel" : "Info",
"updatedTime" : "July 15, 2024 15:40:50 PM CST"
} ],
"createTimestamp" : "July 15, 2024 15:40:49 PM CST",
"resourceList" : [ ],
"description" : "Database service deletion with DB name: kokvdb1 with ID : 9aeeeb5f-afc5-4051-8bd1-00c62048ca01",
"updatedTime" : "July 15, 2024 15:40:50 PM CST",
"jobType" : null
}
odacli describe-job -i 6f001840-5002-43ee-9067-e22930e36d58
Job details
----------------------------------------------------------------
ID: 6f001840-5002-43ee-9067-e22930e36d58
Description: Database service deletion with DB name: kokvdb1 with ID : 9aeeeb5f-afc5-4051-8bd1-00c62048ca01
Status: Success
Created: July 15, 2024 3:40:49 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Validate DB July 15, 2024 3:40:50 PM CST July 15, 2024 3:40:50 PM CST Success
9aeeeb5f-afc5-4051-8bd1-00c62048ca01
for deletion
Deleting the RMAN logs July 15, 2024 3:40:50 PM CST July 15, 2024 3:40:51 PM CST Success
OKV Endpoint deletion July 15, 2024 3:40:51 PM CST July 15, 2024 3:40:56 PM CST Success
OKV Wallet deletion July 15, 2024 3:40:56 PM CST July 15, 2024 3:41:05 PM CST Success
OKV Files deletion July 15, 2024 3:41:05 PM CST July 15, 2024 3:41:05 PM CST Success
Database Deletion By RHP July 15, 2024 3:41:05 PM CST July 15, 2024 3:42:37 PM CST Success
Unregister DB From Cluster July 15, 2024 3:42:37 PM CST July 15, 2024 3:42:37 PM CST Success
Kill PMON Process July 15, 2024 3:42:37 PM CST July 15, 2024 3:42:37 PM CST Success
Database Files Deletion July 15, 2024 3:42:37 PM CST July 15, 2024 3:42:49 PM CST Success
Delete File Groups of Database kokvdb1 July 15, 2024 3:42:49 PM CST July 15, 2024 3:42:58 PM CST SuccessCreating a User in Oracle Key Vault Using BUI
Create a user with Oracle Key Vault server configuration entitlement on a multi-user access enabled Oracle Database Appliance.
Creating an Oracle Key Vault User with Browser User Interface
- Log into the Browser User Interface as the
odaadminuser:https://host-ip-address:7093/mgmt/index.html - Click the Multi-User Access tab.
- Click the Users link on the left-hand pane.
- Click Create User.
- In the Create User page, provide the User
ID, specify the Role as
ODA-OKVCONFIGADMIN, and provide the ODA Password for this user. Note that the same user credentials work for login for BUI and ODACLI commands. - Click Create.
- The job is submitted and a confirmation page appears with a link to the job. Click the link to view the job progress, tasks, and status. After you close the Job confirmation page, you can click the Activity tab to monitor the job progress. Click the job number to view the tasks and status details. Click Refresh to refresh the page.
- The account is created with Inactive state. Log into the BUI with the user credentials. You are prompted to change the password. Change the password and log into the BUI with the new password.
Updating Oracle Key Vault Endpoints for Databases
Understand how you can update the Oracle Key Vault client on Oracle Database Appliance when the Oracle Key Vault server is updated to the latest release or when certificates are regenerated on the Oracle Key Vault server.
When you update the Oracle Key Vault endpoints software, all the features available
on the updated Oracle Key Vault server are available to the Oracle Key Vault endpoints.
When you update Oracle Key Vault server to the latest release, you
update the following:
- Oracle Key Vault endpoint software corresponding to each Oracle Key
Vault TDE database instance, present in the
/etc/OKV/db_unique_name/okvlocation. - Oracle Key Vault PKCS library liborapkcs.so, common to all Oracle
Key Vault TDE databases, present in the
/opt/oracle/extapi/64/hsm/oracle/1.0.0/location. - Oracle Key Vault REST client jar
okvrestcli.jar, corresponding to each Oracle Key Vault server configuration object, present in the/etc/OKV/okv_server_config_name/lib/location.
When you update only the certificates corresponding to the endpoints,
you update only the Oracle Key Vault endpoint software corresponding to each Oracle Key
Vault TDE database instance, present in the
/etc/OKV/db_unique_name/okv location.
Updating Oracle Key Vault
endpoints software with the odacli update-okvendpoints
command
Use the
odacli update-okvendpoints command to update the Oracle Key
Vault endpoint software.
- The
--endpoint-software,-esoption specifies that theodacli update-okvendpointscommand must update the Oracle Key Vault endpoint software of databases that is specified in the Oracle Key Vault client JSON file.This is a boolean option, to be used with the
--okvclient-json, ojoption. When specified, the Oracle Key Vault endpoint software corresponding to each database mentioned in the Oracle Key Vault client JSON is updated. You must specify the JSON file that contains the absolute path to theokvclient.jarfile in the option. The default value isfalse.To update the endpoint software of the database that did not use Oracle Key Vault user credentials, instead, used
okvclient.jar, during its creation, the absolute path tookvclient.jarfile, corresponding to each database instance of such database must be specified in the Oracle Key Vault client JSON file.[ { "dbName" : "racdb1", "node1" : "/tmp/racdb11/okvclient.jar", "node2" : "/tmp/racdb12/okvclient.jar" }, { "dbName" : "sidb1", "node1" : "/tmp/sidb1/okvclient.jar", } ]To update the endpoint software of the database that used Oracle Key Vault user credentials, that is, used Oracle Key Vault server configuration, during its creation, specifying its name in the Oracle Key Vault client JSON file is sufficient.[ { "dbName" : "mydb" } ]In a multi-user access-enabled or multi-user access-enabled passwordless environment, the endpoint software of only the Oracle Key Vault TDE-enabled databases that belong to the
DB userrunning this request are updated. In a non-multi-user access enabled environment, the endpoint software of all Oracle Key Vault TDE-enabled databases can be updated, as there is no separateDB userand all databases are created by a single user. - Specify the
--okvclient-path-json,-ojoption with the--endpoint-software,-esoption to update TDE-enabled databases using Oracle Key Vault with endpoints in Oracle Key Vault.This option specifies the absolute path to the JSON file, which contains the database name and the absolute path to the
okvclient.jarfile corresponding to each instance of the database. The JSON file must be present on the appliance from which you run this command.For Oracle RAC databases, the absolute path to the
okvclient.jarfile corresponding to both instances must be specified. For single-instance Oracle databases, the absolute path to theokvclient.jarfile corresponding to the instance must be specified and must be present on the node where the instance is running. - Specify the
--library,-liboption to update the Oracle Key Vault PKCS library and Oracle Key Vault REST client jar file corresponding to each Oracle Key Vault server configuration object present in the system. The default value isfalse. Use this option only after updating the endpoints of all databases that uses Oracle Key Vault to store TDE keys. To update the endpoints, use the option--endpoint-software, -esand--okvclient-path-json, -oj. Then, use the option--library, -libto update the Oracle Key Vault PKCS library and OKV REST client jar. Since the Oracle Key Vault PKCS library is common to all databases, it requires the endpoints of all database to be updated first. However, if only certificates are updated on the Oracle Key Vault server, then updating the endpoints of databases is enough and does not require the library to be updated.Do not use this option with the
--endpoint-software,-esor--okvclient-path-json,-ojoptions.In a multi-user access-enabled or multi-user access-enabled passwordless environment, the
odaadminuser must specify this option.When you update the Oracle Key Vault PKCS library, the database is restarted.
An example to update the endpoint software of databases that used Oracle
Key Vault user credentials is as follows. In the following example,
racdb1 is an Oracle RAC database and sidb1 is
a single-instance
database.odacli update-okvendpoints -es -oj /tmp/okvclient.json
Enter TDE password of 'racdb1' database:
Enter TDE password of 'sidb1' database:
Job details
----------------------------------------------------------------
ID: 64ae75d4-6435-4842-b507-8adcd12bd4bd
Description: Update all databases endpoints, OKV PKCS library and all OKV REST clients
Status: Created
Created: May 29, 2025 19:24:55 PDT
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
odacli describe-job -i 64ae75d4-6435-4842-b507-8adcd12bd4bd
Job details
----------------------------------------------------------------
ID: 64ae75d4-6435-4842-b507-8adcd12bd4bd
Description: Update all databases endpoints, OKV PKCS library and all OKV REST clients
Status: Success
Created: May 29, 2025 19:24:55 PDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Endpoint update : racdb1 n1 May 29, 2025 19:24:58 PDT May 29, 2025 19:24:59 PDT Success
Endpoint update : racdb1 scaoda806c1n2 May 29, 2025 19:24:59 PDT May 29, 2025 19:25:01 PDT Success
Endpoint update : sidb1 n1 May 29, 2025 19:25:05 PDT May 29, 2025 19:25:06 PDT Success
An example to update endpoint software of databases that had not used
Oracle Key Vault user credential is as follows, where
mydb is a
single-instance
database.cat /tmp/okvclient_2.json
[
{
"dbName" : "mydb"
}
]
odacli update-okvendpoints -es -oj /tmp/okvclient_2.json
Job details
----------------------------------------------------------------
ID: 245a2d23-4a6a-4fe8-943f-9a81e1059fe7
Description: Update all databases endpoints, OKV PKCS library and all OKV REST clients
Status: Created
Created: May 29, 2025 19:26:57 PDT
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
odacli describe-job -i 245a2d23-4a6a-4fe8-943f-9a81e1059fe7
Job details
----------------------------------------------------------------
ID: 245a2d23-4a6a-4fe8-943f-9a81e1059fe7
Description: Update all databases endpoints, OKV PKCS library and all OKV REST clients
Status: Success
Created: May 29, 2025 19:26:57 PDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Endpoint update : mydb n1 May 29, 2025 19:27:53 PDT May 29, 2025 19:28:47 PDT Success Sample command to update the Oracle Key Vault PKCS library is as
follows:
odacli update-okvendpoints -lib
Databases [racdb1, sidb1, mydb] will be restarted during library update. Want to proceed? (Y/N): y
Job details
----------------------------------------------------------------
ID: f5f6a0f4-061b-4ab1-9656-51beaa381438
Description: Update all databases endpoints, OKV PKCS library and all OKV REST clients
Status: Created
Created: May 29, 2025 19:42:07 PDT
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
odacli describe-job -i f5f6a0f4-061b-4ab1-9656-51beaa381438
Job details
----------------------------------------------------------------
ID: f5f6a0f4-061b-4ab1-9656-51beaa381438
Description: Update all databases endpoints, OKV PKCS library and all OKV REST clients
Status: Success
Created: May 29, 2025 19:42:07 PDT
Message:
Task Name Node Name Start Time End Time Status
-------------------------------------------------------------------------------------------------------------------------------
Okvobj1 : OKV client library update n1 May 29, 2025 19:42:20 PDT May 29, 2025 19:42:22 PDT Success
dharm: Racdb1:Database stop (Srvctl) n1 May 29, 2025 19:42:22 PDT May 29, 2025 19:42:55 PDT Success
Sidb1:Database stop (Srvctl) n1 May 29, 2025 19:42:55 PDT May 29, 2025 19:43:21 PDT Success
Mydb:Database stop (Srvctl) n1 May 29, 2025 19:43:21 PDT May 29, 2025 19:43:44 PDT Success
Database start (Srvctl) n1 May 29, 2025 19:43:44 PDT May 29, 2025 19:44:21 PDT Success
OKV PKCS library update n1 May 29, 2025 19:43:44 PDT May 29, 2025 19:43:44 PDT Success
Database start (Srvctl) n1 May 29, 2025 19:44:22 PDT May 29, 2025 19:44:53 PDT Success
Database start (Srvctl) n1 May 29, 2025 19:44:53 PDT May 29, 2025 19:45:28 PDT Success Registering TDE-enabled Databases Configured with Oracle Key Vault
You can now register TDE-enabled databases that use Oracle Key Vault keystore but were not created using Oracle Database Appliance tooling. After registering these databases with Oracle Database Appliance, you can use Oracle Database Appliance commands for managing the databases.
When you register TDE-enabled databases with Oracle Database
Appliance, you can choose whether Oracle Database Appliance manages the TDE password or
not. When you register the database, if Oracle Key Vault server configuration is used,
then the current TDE password is set to a new random TDE password that Oracle Database
Appliance manages, and is not known to you. When you register the database, if Oracle
Key Vault server configuration is not used, then you manage the TDE password, not Oracle
Database Appliance. When TDE password is not managed by Oracle Database Appliance
tooling, TDE password must be provided explicitly to operations such as database
recovery, re-key and change of TDE password.
Note:
Oracle Database Appliance release 19.27 does not support enabling of high availability for single-instance databases when registered in a high availability deployment.WARNING:
The password is stored in a wallet on Oracle Key Vault. Loss of that wallet results in not being able to access the database tables. So, do not delete the wallet on Oracle Key Vault.Following are the prerequisites to register a database that uses Oracle Key Vault
to store the TDE master encryption keys:
- The
wallet_rootdatabase initialization parameter must be used to configure TDE and must be set to the/etc/OKV/db_unique_namevalue. - The
TDE_CONFIGURATIONinitialization parameter must be used to configure TDE and must be set to theKEYSTORE_CONFIGURATION=OKV|FILEvalue. - The endpoint software must be installed in the
/etc/OKV/db_unique_name/okvlocation.- For Oracle RAC and Oracle RAC One Node databases, the endpoint software corresponding to two instances must be installed on both nodes.
- For single-instance databases. the endpoint software must be installed on the node where the database is running.
- Autologin TDE wallet
cwallet.ssomust be created in the/etc/OKV/db_unique_name/tdelocation. For Oracle RAC and Oracle RAC One Node databases, the autologin TDE wallet must be created on both nodes. - The name of the endpoints on Oracle Key Vault server must be in following
format:
- Single-instance database:
db_name_db_running_node_num_on_cluster_name. For example:
myokvdb3_0_on_scaodaxxx-c - Oracle RAC database: Endpoint name corresponding to instance 1:
db_name1_on_cluster_name. For example:
myokvdb31_on_scaodaxxx-c - Oracle RAC database: Endpoint name corresponding to instance 2:
db_name2_on_cluster_name. For example:
myokvdb32_on_scaodaxxx-c - Oracle RAC One Node database: Endpoint name corresponding to active
instance: db_name_1_on_cluster_name. For example:
myokvdb3_1_on_scaodaxxx-c - Oracle RAC One Node database: Endpoint name corresponding to inactive
instance: db_name_2_on_cluster_name. For example:
myokvdb3_2_on_scaodaxxx-c
- Single-instance database:
db_name_db_running_node_num_on_cluster_name. For example:
- The name of the wallet on Oracle Key Vault server must be in the format
db_unique_name_on_cluster_name. For example:
myokvdb3_on_scaodaxx-c
Registering Oracle Key Vault TDE-enabled databases without using Oracle Key Vault server configuration
After registering the database, the
KeystoreType
attribute of database is set to OKV. The
OKVServerConfigName attribute of the database is set to
NONE.
odacli register-database -sn example.com --dbclass OLTP --dbshape odb2
Enter SYS, SYSTEM and PDB Admin user password:
Retype SYS, SYSTEM and PDB Admin user password:
{
"jobId" : "f82172e2-c4c1-4a77-ba41-c3d241127325",
"status" : "Created",
"message" : "",
"reports" : [ ],
"createTimestamp" : "May 07, 2025 08:54:50 PDT",
"resourceList" : [ ],
"description" : "Database service registration with DB service name: aokv1.us.oracle.com",
"updatedTime" : "May 07, 2025 08:54:50 PDT",
"jobType" : null,
"cpsMetadata" : null
}
odacli describe-job -i f82172e2-c4c1-4a77-ba41-c3d241127325
Job details
----------------------------------------------------------------
ID: f82172e2-c4c1-4a77-ba41-c3d241127325
Description: Database service registration with DB service name: aokv1.us.oracle.com
Status: Success
Created: May 07, 2025 08:54:50 PDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Setting Database parameter for OKV n1 May 07, 2025 08:54:53 PDT May 07, 2025 08:56:29 PDT Success
Validate Hugepages For Register DB n1 May 07, 2025 08:56:29 PDT May 07, 2025 08:56:29 PDT Success
Enable OMF parameters n1 May 07, 2025 08:56:33 PDT May 07, 2025 08:56:33 PDT Success
Setting DB character set n1 May 07, 2025 08:56:33 PDT May 07, 2025 08:56:34 PDT Success
Move Spfile to right location n1 May 07, 2025 08:56:34 PDT May 07, 2025 08:56:42 PDT Success
Enable DbSizing Template n1 May 07, 2025 08:58:23 PDT May 07, 2025 09:00:41 PDT Success
Add Startup Trigger to Open all PDBS n1 May 07, 2025 09:00:42 PDT May 07, 2025 09:00:43 PDT Success
Running DataPatch n1 May 07, 2025 09:00:43 PDT May 07, 2025 09:01:37 PDT Success
Reset Associated Networks for Database n1 May 07, 2025 09:01:38 PDT May 07, 2025 09:01:41 PDT Success
Reset Associated Networks n2 May 07, 2025 09:01:41 PDT May 07, 2025 09:01:41 PDT Success Registering Oracle Key Vault TDE-enabled databases using Oracle Key Vault server configuration
After registering the database, the KeystoreType
attribute of database is set to OKV. The
OKVServerConfigName attribute of the database is set to
okv_server_config_name. In a multi-user
access-enabled or multi-user access-enabled passwordless environment, the DB user
who is registering the database must have access to the Oracle Key Vault server
configuration resource. The current TDE password of the database is changed to a new
random password by Oracle Database Appliance tooling. This new random password is
stored on a wallet on the Oracle Key Vault server. The name of the wallet which
stores the random password will be of the format
db_name_pass_on_cluster_name. Ensure that
this wallet is not deleted on the Oracle Key Vault server if the database
exists.
Following is the example of a register-database job which uses Oracle Key Vault server configuration.
odacli register-database -sn example.com --dbclass OLTP --dbshape odb2 -osc okvobj1
Enter SYS, SYSTEM and PDB Admin user password:
Retype SYS, SYSTEM and PDB Admin user password:
Enter TDE wallet password:
Retype TDE wallet password:
{
"jobId" : "37cb49bb-6129-4c49-a44e-6ee4b5c97e98",
"status" : "Created",
"message" : "",
"reports" : [ ],
"createTimestamp" : "May 07, 2025 02:16:42 PDT",
"resourceList" : [ ],
"description" : "Database service registration with DB service name: sokv10.us.oracle.com",
"updatedTime" : "May 07, 2025 02:16:42 PDT",
"jobType" : null,
"cpsMetadata" : null
}
odacli describe-job -i 37cb49bb-6129-4c49-a44e-6ee4b5c97e98
Job details
----------------------------------------------------------------
ID: 37cb49bb-6129-4c49-a44e-6ee4b5c97e98
Description: Database service registration with DB service name: sokv10.us.oracle.com
Status: Success
Created: May 07, 2025 02:16:42 PDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Setting Database parameter for OKV n1 May 07, 2025 02:16:51 PDT May 07, 2025 02:17:59 PDT Success
External Store Autologin wallet creation n1 May 07, 2025 02:17:59 PDT May 07, 2025 02:18:09 PDT Success
Shutdown database n1 May 07, 2025 02:18:09 PDT May 07, 2025 02:19:19 PDT Success
Mount database using SQL n2 May 07, 2025 02:19:19 PDT May 07, 2025 02:19:46 PDT Success
External Store Autologin wallet creation n1 May 07, 2025 02:19:46 PDT May 07, 2025 02:19:57 PDT Success
Shutdown database n2 May 07, 2025 02:19:57 PDT May 07, 2025 02:20:18 PDT Success
Startup database using SQL n1 May 07, 2025 02:20:19 PDT May 07, 2025 02:20:49 PDT Success
Re-enroll and Provision of Endpoint n1 May 07, 2025 02:20:50 PDT May 07, 2025 02:21:31 PDT Success
Save the new TDE password using a n1 May 07, 2025 02:21:31 PDT May 07, 2025 02:21:39 PDT Success
temporary custom attribute on OKV
TDE Wallet closure n1 May 07, 2025 02:21:39 PDT May 07, 2025 02:21:40 PDT Success
Change the TDE password in local wallet n1 May 07, 2025 02:21:41 PDT May 07, 2025 02:21:57 PDT Success
Auto login TDE Wallet creation n1 May 07, 2025 02:21:57 PDT May 07, 2025 02:22:01 PDT Success
Shutdown database n1 May 07, 2025 02:22:01 PDT May 07, 2025 02:22:35 PDT Success
Mount database using SQL n2 May 07, 2025 02:22:35 PDT May 07, 2025 02:23:01 PDT Success
Re-enroll and Provision of Endpoint n2 May 07, 2025 02:23:01 PDT May 07, 2025 02:23:43 PDT Success
Change the TDE password in local wallet n2 May 07, 2025 02:23:43 PDT May 07, 2025 02:23:55 PDT Success
Auto login TDE Wallet creation n1 May 07, 2025 02:23:56 PDT May 07, 2025 02:24:00 PDT Success
Shutdown database n2 May 07, 2025 02:24:00 PDT May 07, 2025 02:24:22 PDT Success
Startup database using SQL n1 May 07, 2025 02:24:22 PDT May 07, 2025 02:24:53 PDT Success
Save new TDE password on OKV n2 May 07, 2025 02:24:53 PDT May 07, 2025 02:24:59 PDT Success
Delete the temporary custom attribute n2 May 07, 2025 02:24:59 PDT May 07, 2025 02:25:03 PDT Success
on OKV
Database stop (Srvctl) n1 May 07, 2025 02:25:04 PDT May 07, 2025 02:26:04 PDT Success
Deleting OKV Client Software Jar n2 May 07, 2025 02:25:04 PDT May 07, 2025 02:25:04 PDT Success
Database start (Srvctl) n1 May 07, 2025 02:26:04 PDT May 07, 2025 02:26:36 PDT Success
Checking the TDE wallet status n1 May 07, 2025 02:26:36 PDT May 07, 2025 02:26:40 PDT Success
Validate Hugepages For Register DB n1 May 07, 2025 02:26:41 PDT May 07, 2025 02:26:42 PDT Success
Enable OMF parameters n1 May 07, 2025 02:26:45 PDT May 07, 2025 02:26:46 PDT Success
Move Spfile to right location n1 May 07, 2025 02:26:46 PDT May 07, 2025 02:26:54 PDT Success
Setting DB character set n1 May 07, 2025 02:26:46 PDT May 07, 2025 02:26:46 PDT Success
Restart RACOne database n1 May 07, 2025 02:26:54 PDT May 07, 2025 02:28:29 PDT Success
Enable DbSizing Template n1 May 07, 2025 02:28:29 PDT May 07, 2025 02:30:04 PDT Success
Running DataPatch n1 May 07, 2025 02:30:05 PDT May 07, 2025 02:30:41 PDT Success
Reset Associated Networks for Database n1 May 07, 2025 02:30:42 PDT May 07, 2025 02:30:45 PDT Success
Reset Associated Networks n2 May 07, 2025 02:30:45 PDT May 07, 2025 02:30:45 PDT SuccessRestoring an Oracle Key Vault TDE Database using RMAN and Registering the Database
Understand how you can register a TDE-enabled database that uses Oracle Key Vault to store TDE keys.
Prerequisites:
- A Regular-L0 or Longterm backup of the database to a NFS location must be available.
- The SYS password and TDE password of the source database must be known.
- The
okvclient.jarcorresponding to each endpoint of the database must be known. - The name of the endpoints on Oracle Key Vault server must be in following
format:
- Single-instance database:
db_name_db_running_node_num_on_cluster_name. For example:
myokvdb3_0_on_scaodaxxx-c - Oracle RAC database: Endpoint name corresponding to instance 1:
db_name1_on_cluster_name. For example:
myokvdb31_on_scaodaxxx-c - Oracle RAC database: Endpoint name corresponding to instance 2:
db_name2_on_cluster_name. For example:
myokvdb32_on_scaodaxxx-c - Oracle RAC One Node database: Endpoint name corresponding to active
instance: db_name_1_on_cluster_name. For example:
myokvdb3_1_on_scaodaxxx-c - Oracle RAC One Node database: Endpoint name corresponding to inactive
instance: db_name_2_on_cluster_name. For example:
myokvdb3_2_on_scaodaxxx-c
- Single-instance database:
db_name_db_running_node_num_on_cluster_name. For example:
- The name of the wallet on Oracle Key Vault server must be in the format
db_unique_name_on_cluster_name. For example:
myokvdb3_on_scaodaxx-c
WARNING:
The password is stored in a wallet on Oracle Key Vault. Loss of that wallet results in not being able to access the database tables. So, do not delete the wallet on Oracle Key Vault.Follow these steps:
- Create required directories as
rootuser. For Oracle RAC and Oracle RAC One Node databases, create the following directories on both the nodes.mkdir /etc/OKV/db_unique_name mkdir /etc/OKV/db_unique_name/tde mkdir /etc/OKV/db_unique_name/okv chmod -R 700 /etc/OKV/db_unique_name/ chown -R db_user:group /etc/OKV/db_unique_name/In a multi-user access-enabled or multi-user access-enabled passwordless environment,
db_useris the primary owner of the database and the group isdcsagent. For non-multi user access-enabled systems, thedb_useris theoracleuser and the group isoinstall. - The endpoints corresponding to the database instance must be
re-enrolled with the Oracle Key Vault server. For Oracle RAC and Oracle RAC
One Node databases, the endpoints corresponding to both the instances must
be re-enrolled. After re-enrollment, download the
okvclient.jarcorresponding to the instance on the node where the instance is running. - Install the
okvclient.jarin the/etc/OKV/db_unique_name/okvlocation using the TDE password of the source database.switch to db_user $ORACLE_HOME/jdk/jre/bin/java -jar okvclient.jar - Create a database instance and start it in nomount
stage.
For single-instance database:
Switch to db_user . oraenv ORACLE_SID = [dbusr1] ? myokvdb3 ORACLE_HOME = [/home/oracle] ? /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1 cat $ORACLE_HOME/dbs/initmyokvdb3.ora db_name=myokvdb3 db_unique_name=myokvdb3 wallet_root=/etc/OKV/myokvdb3 TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=OKV|FILE" orapwd file=$ORACLE_HOME/dbs/orapwmyokvdb3 password=<tde_password_used_during_db_create> entries=5 sqlplus / as sysdba SQL> startup nomountFor Oracle RAC database, on node 1:. oraenv ORACLE_SID = [dbusr1] ? myokvdb31 ORACLE_HOME = [/home/oracle] ? /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1 cat $ORACLE_HOME/dbs/initmyokvdb31.ora db_name=myokvdb3 db_unique_name=myokvdb3 wallet_root=/etc/OKV/myokvdb3 TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=OKV|FILE" instance_number=1 instance_name=myokvdb31 sqlplus / as sysdba SQL> startup nomount - Create autologin TDE wallet using the same TDE password as the
one used when creating the database.
For single-instance database:
SQL> administer key management add secret 'tde_password'for client 'OKV_PASSWORD' to local auto_login keystore '/etc/OKV/myokvdb3/tde';For Oracle RAC database:SQL> administer key management add secret 'tde_password'for client 'OKV_PASSWORD' to local auto_login keystore '/etc/OKV/myokvdb3/tde'; - Create the database storage correspondng to the database being
restored.
odacli create-dbstorage -n db_name -r asm - Restore the database using RMAN duplicate and specify the NFS
backup location.
Switch to db_userFor single-instance database:
. oraenv ORACLE_SID = [dbusr1] ? myokvdb3 ORACLE_HOME = [/home/oracle] ? /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1 rman auxiliary / run { allocate auxiliary channel ch1 type disk; duplicate target database to myokvdb3 spfile set db_unique_name='myokvdb3' set db_name='myokvdb3' BACKUP LOCATION 'nfs_backup_location'; }For Oracle RAC database:. oraenv ORACLE_SID = [dbusr1] ? myokvdb31 ORACLE_HOME = [/home/oracle] ? /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1 rman auxiliary / run { allocate auxiliary channel ch1 type disk; duplicate target database to myokvdb3 spfile set db_unique_name='myokvdb3' set db_name='myokvdb3' set cluster_database='false' set instance_number='1' set instance_name='myokvdb31' BACKUP LOCATION 'nfs_backup_location' ; } - For Oracle RAC databases, set the
cluster_databaseparameter and move the spfile to shared location. For single-instance database, this step is not required.On Node 1:
SQL> alter system set cluster_database=TRUE scope=spfile ; SQL> create pfile='/u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1/dbs/pfile_myokvdb3.ora' from spfile; File created. SQL> create spfile='+DATA' from pfile='/u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1/dbs/pfile_myokvdb3.ora'; File created. orapwd file='+DATA' password=<tde_password_used_during_db_create> entries=5 dbuniquename='myokvdb3' - Add the database service. For Oracle RAC database, find the
spfile name using the
SQL>show parameter spfilecommand and use it as follows:For single-instance database:
srvctl add database -db myokvdb3 -oraclehome /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1 -dbtype Single -spfile /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1/dbs/spfilesdokv3.ora -pwfile /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1/dbs/orapwsdokv3 -node node_nameFor Oracle RAC and Oracle RAC One Node databases:
srvctl add database -db myokvdb3 -oraclehome /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1 -dbtype RAC -spfile +DATA/myokvdb3/PARAMETERFILE/spfile.xxxxxxx srvctl add instance -d myokvdb3 -i myokvdb31 -n node_1_name srvctl add instance -d myokvdb3 -i myokvdb32 -n node_2_name - Run the
shutdown abortcommand on the database using SQL*Plus. - For Oracle RAC database, create Autologin TDE wallet on Node 2.
Switch to db_user . oraenv ORACLE_SID = [dbusr1] ? myokvdb32 ORACLE_HOME = [/home/oracle] ? /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_1 sqlplus / as sysdba SQL> startup nomount SQL> administer key management add secret 'tde_password' for client 'OKV_PASSWORD' to local auto_login keystore '/etc/OKV/myokvdb3/tde'; - Start the database using the
srvctl start database -db myokvdb3command. After the database starts, on Oracle RAC database, verify that the pmon process corresponding to the instance is running on the respective node. - If the DB name and DB unique name of the source database are in
upper case, then this step is not required. If the DB name and DB unique
name of the source database are not in upper case, then restoring the
database from RMAN backup will change the DB name and DB unique name to
upper case. Hence after restoring the database, the case of the DB name and
DB unique name must be restored to the same case as the source database.
- Delete the initfile in
db_home/dbs/initoracle_sid.ora, if it already exist. - Create the pfile from
spfile.
SQL> create pfile='db_home/dbs/initoracle_sid.ora' from spfile; - Edit the
db_home/dbs/initoracle_sid.orafile and update thedb_nameanddb_unique_namewith the same case as the source database. - Shut down the
database.
SQL> shutdown immediate - Start up the database using the edited pfile.
SQL> startup pfile='<db_home>/dbs/initoracle_sid.ora' - Delete spfile, if it already exists and create spfile from
pfile.
SQL> create spfile='db_home/dbs/spfileoracle_sid.ora' from pfile='db_home/dbs/initoracle_sid.ora'; - Restart the
database.
SQL> shutdown immediate SQL> startup - Confirm whether the DB name and DB unique name is updated with the
same case as the source database.
SQL> show parameter db_name; SQL> show parameter db_unique_name;
- Delete the initfile in
- Register the database without using Oracle Key Vault server
configuration:
odacli register-database -sn myokvdb3.us.oracle.com --dbclass OLTP --dbshape odb2 Enter SYS, SYSTEM and PDB Admin user password: Retype SYS, SYSTEM and PDB Admin user password:To register the database with Oracle Key Vault server configuration:odacli register-database -sn example.com --dbclass OLTP --dbshape odb2 -osc okv_obj_name Enter SYS, SYSTEM and PDB Admin user password: Retype SYS, SYSTEM and PDB Admin user password: Enter TDE wallet password: Retype TDE wallet password:
Restoring a Software Keystore TDE database using RMAN and Registering the Database
Understand how you can register a TDE-enabled database that uses software wallet to store TDE keys.
Prerequisites:
- A Regular-L0 or Longterm backup of the database to a NFS location must be available.
- The SYS password and TDE password must be known.
- Backup of the password-protected TDE wallet
(
ewallet.p12) and autologin TDE wallet (cwallet.sso) must be available.
Follow these steps:
- Create the database storage with the same storage type as the
source database being restored.
odacli create-dbstorage -n db_name -r asm|acfs - Create the init file corresponding to the database in the
$ORACLE_HOMElocation.cat $ORACLE_HOME/dbs/initoracle_sid.ora db_name=db_name db_unique_name=db_unique_name wallet_root=source_database_location TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" - Generate the password file corresponding to the
database.
orapwd file=$ORACLE_HOME/dbs/orapworacle_sid password=sys_password entries=5 - Copy the password-protected TDE wallet (ewallet.p12) to the
wallet_root/tdepath. - Connect to the database and start the database with the
nomountoption.export ORACLE_SID=oracle_sid export ORACLE_UNQNAME=db_unique_name export ORACLE_HOME=db_home_location sqlplus / as sysdba SQL> startup nomount - Generate the local autologin wallet using the following
command:
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE 'wallet_root/tde' IDENTIFIED BY "tde_password"; - Connect to RMAN auxiliary and run the RMAN duplicate command.
For single-instance Oracle Database:
rman auxiliary / run { allocate auxiliary channel ch1 type disk; duplicate target database to db_name spfile set db_unique_name='db_unique_name' set db_name='db_name' BACKUP LOCATION 'nfs_location_pointing_to_backup_pieces; }For Oracle RAC and Oracle RAC One Node databases:
rman auxiliary / run { allocate auxiliary channel ch1 type disk; duplicate target database to db_name spfile set db_unique_name='db_unique_name' set db_name='db_name' set cluster_database='false' BACKUP LOCATION 'nfs_location_pointing_to_backup_pieces; } - Add the restored database to the database service.
For single-instance Oracle Database:
srvctl add database -db db_unique_name -oraclehome $ORACLE_HOME -dbtype Single -spfile $ORACLE_HOME/dbs/spfileoracle_sid.ora -pwfile $ORACLE_HOME/dbs/orapworacle_sid -node node_nameFor Oracle RAC databases:
srvctl add database -db db_unique_name -oraclehome $ORACLE_HOME -dbtype RAC -spfile $ORACLE_HOME/dbs/spfileoracle_sid.ora -pwfile $ORACLE_HOME/dbs/orapworacle_sid srvctl add instance -d db_unique_name -i oracle_sid1 -n node_1_name srvctl add instance -d db_unique_name -i oracle_sid2 -n node_2_nameFor Oracle RAC One Node databases:
srvctl add database -db <db_unique_name>db_unique_name -oraclehome $ORACLE_HOME -dbtype RACOne -spfile $ORACLE_HOME/dbs/spfileoracle_sid.ora -pwfile $ORACLE_HOME/dbs/orapworacle_sid srvctl add instance -d db_unique_name -i oracle_sid_1 -n node_1_name srvctl add instance -d db_unique_name -i oracle_sid_2 -n node_2_name - Shut down tthe database and start the database as
follows:
SQL> shutdown immediate srvctl start database -db db_unique_nameFor Oracle RAC database, run the following command:SQL> alter system set cluster_database=TRUE scope=spfile ; - If the DB name and DB unique name of the source database are in upper case,
then this step can be skipped. If the DB name and DB unique name of the
source database are not in upper case, then restoring the database from RMAN
backup changes the DB name and DB unique name to upper case. Hence after
restoring, the case of the DB name and DB unique name must be restored back
same as the source database.
- Delete the
initfileindb_home/dbs/initoracle_sid.ora, if it already exists. - Create
pfilefrom spfile.SQL> create pfile='db_home/dbs/initoracle_sid.ora' from spfile; - Edit the
db_home/dbs/initoracle_sid.orafile and update thedb_nameanddb_unique_namewith the same case as the source database. - Shut down the
database.
SQL> shutdown immediate - Start the database using the edited
pfile.
SQL> startup pfile='db_home/dbs/initoracle_sid.ora' - Delete spfile, if it already exists and create spfile from
pfile.
SQL> create spfile='db_home/dbs/spfileoracle_sid.ora' from pfile='db_home/dbs/initoracle_sid.ora'; - Restart the
database.
SQL> shutdown immediate SQL> startup - Confirm that the DB name and DB unique name are updated with same
case as the source database.
SQL> show parameter db_name; SQL> show parameter db_unique_name;
- Delete the
- If the wallet_root parameter is not set to the
DATA_LOCATIONof the restored database, then create the/opt/oracle/dcs/commonstore/wallets/tde/dbunique_namedirectory as thedb_user. Copy the password-protected TDE wallet ewallet.p12 to the/opt/oracle/dcs/commonstore/wallets/tde/dbunique_namelocation. For DB systems, set the wallet_root to theDATA_LOCATION. - Register the password of the database using the same SYS
password and TDE password as the source database.
odacli register-database -sn service_name --dbclass db_class --dbshape db_shape -tp
Creating Oracle Key Vault Server Configuration Object Using the BUI
Understand how you can create TDE-enabled database on Oracle Database Appliance with TDE keys stored in Oracle Key Vault on bare metal and DB systems using the BUI.
Follow these steps to create a TDE-enabled database with TDE keys
stored on Oracle Key Vault on Oracle Database Appliance bare metal and DB systems:
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html - Click Credential Store, then click Oracle Key Vault Server Config.
- The existing Oracle Key Vault server configurations are displayed.
- Click Create and create an Oracle Key Vault server configuration.
- In the Create OKV Server Config page, specify the OKV Server Config Name, OKV Server Host, OKV Server IP address, OKV User Name, and Password.
- Click Create.
- Confirm the creation request job and verify that the job completed successfully.
Granting and Revoking Access on Oracle Key Vault Server Configuration Using BUI
Understand how you can grant and revoke access to Oracle Key Vault server configuration on Oracle Database Appliance on bare metal and DB systems using BUI.
Granting and Revoking Access to Oracle Key Vault server configurations
Follow these steps:
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html - Click Credential Store, then click Oracle Key Vault Server Config.
- You can view all existing Oracle Key Vault server configurations.
- To grant access to an existing Oracle Key Vault server configuration, select the Oracle Key Vault server configuration, and from the Actions drop-down list, select Grant Access.
- In the Grant Resource Access page, select the User Name to whom you want to grant access to the resource.
- Click Grant.
- Click Yes to confirm the action.
- To revoke access to an existing Oracle Key Vault server configuration, select the Oracle Key Vault server configuration, and from the Actions drop-down list, select Revoke Access.
- In the Revoke Resource Access page, select the User Name from whom you want to revoke access to the resource.
- Click Revoke.
- Click Yes to confirm the action.
Managing Oracle Key Vault Server Configuration Operations Using BUI
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems.
You can create, list, delete, and describe Oracle Key Vault server
configuration on Oracle Database Appliance bare metal and DB systems using the Browser
User Interface (BUI).
Listing and Deleting Oracle Key Vault server configurations:
Follow these steps:
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html - Click Credential Store, then click Oracle Key Vault Tasks.
- You can view all existing Oracle Key Vault server configurations.
- To delete an existing Oracle Key Vault server configuration, select the Oracle Key Vault server configuration, and from the Actions drop-down list, select Delete.
Migrating Tablespaces from a TDE-enabled Oracle Database with Software Keystore to another TDE-enabled Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces with the expdp/impdp transportable tablespaces feature from TDE-enabled database using software keystore to use Oracle Key Vault as keystore.
Following are the use cases for the migration:
- Migrating Tablespaces from a TDE-enabled Oracle ACFS Database with Software Keystore to another TDE-enabled Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from Oracle ACFS database software keystore to Oracle Key Vault on Oracle Database Appliance. - Migrating Tablespaces from a TDE-enabled Oracle ASM Database with Software Keystore to another TDE-enabled Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from a TDE-enabled Oracle ASM database with software keystore to another TDE-enabled database with Oracle Key Vault keystore. - Migrating Tablespaces from TDE-enabled Oracle ACFS Database with Software Keystore to another TDE-enabled Multitenant Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from TDE-enabled Oracle ACFS database with software keystore to another TDE-enabled multitenant database with Oracle Key Vault keystore. - Migrating Tablespaces from TDE-enabled Oracle ASM Database with Software Keystore to another TDE-enabled Multitenant Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from TDE-enabled Oracle ASM database with software keystore to another TDE-enabled multitenant database with Oracle Key Vault keystore.
Parent topic: Managing TDE-Enabled Oracle Databases
Migrating Tablespaces from a TDE-enabled Oracle ACFS Database with Software Keystore to another TDE-enabled Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from Oracle ACFS database software keystore to Oracle Key Vault on Oracle Database Appliance.
Ensure that there is a source and destination database. The two
databases must be on different Oracle Database Appliance servers. The source database
must be a software keystore TDE-enabled database, either an Oracle Database Appliance
database or any Oracle database with compatible Endian. The destination database must be
on Oracle Database Appliance, must be a TDE enabled database using Oracle Key Vault, and
must be created with ODACLI commands.
Step 1: Export the tablespace from the source database
- Consider that the source database has a tablespace TBS01 to be
migrated to the destination database. Provide information about the
tablespace.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME ENC ------------------------------ --- SYSTEM YES SYSAUX YES UNDOTBS1 YES USERS YES TEMP_ENC YES TBS01 YES SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- /u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_mz3gfyj0_.dbf ### ### Make sure the set of tablespaces are self-contained. The following PL/SQL command must execute successfully ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. SQL> exit; - Create the database directory in the source database DBTDE to
be used for the
export.
### ### login as Oracle user and run the following ### # su - oracle $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory '/u01/app/odaorabase0/oracle/dpdump' mkdir: created directory '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir' ### ### Connect to database using SQLPLUS as sysdba user and run the following ### $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> exit; - Export the TBS01 tablespace from source database DBTDE. First,
set the tablespace to be copied in READ ONLY mode. Next, run
expdpon the designated tablespace. Note that the warningORA-39396is displayed because expdp does not useENCRYPTION_PASSWORDandimpdpdoes not use this option as well. You can ignore this warning. Transfer the TDE software wallet to the destination Oracle Key Vault database server and upload to the corresponding Oracle Key Vault wallet before you runimpdpon the destination database. Review the log files forexpdpstored under the database directoryttsps_dir.### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> exit; ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbtde.dmp Export: Release 19.0.0.0.0 - Production on Mon Apr 7 11:08:49 2025 Version 19.27.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbtde.dmp ORA-39396: Warning: exporting encrypted data using transportable option without password Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/STATISTICS/MARKER Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps_dbtde.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: /u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_mz3gfyj0_.dbf Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" completed with 1 error(s) at Mon Apr 7 11:09:15 2025 elapsed 0 00:00:20 - Copy datafiles, TDE wallet,
expdp dmpfiles to the destination database server and alter the status of the data file in the source database DBTDE toREAD WRITE. Copy the datafile/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_mz3gfyj0_.dbfto the location where datafiles are stored in the destination database. In the following example,/u02/app/oracle/oradata/okvdb/OKVDB/datafile/is the location of the target database OKVDB. Copy the export file from/u01/app/odaorabase0/oracle/dpdump/ttsps_dirto the target database server in the/u01/app/odaorabase0/oracle/dpdump/ttsps_dirdirectory. Also, copy the wallet to the temporary/tmp/dbtde/tdedirectory in the destination.### ### login as Oracle user and run the following ### # su - oracle $ scp /u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_mz3gfyj0_.dbf oracle@target_server:/u02/app/oracle/oradata/okvdb/OKVDB/datafile/ ### Copy the expdp dump file to the destination server location. $ scp /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps_dbtde.dmp oracle@target_server:/location $ cp /u02/app/oracle/oradata/dbtde/tde/ewallet.p12 oracle@target_server:/tmp/dbtde/tde ### ### In source database, set the tablespace back to read write mode ### Connect to database using SQLPLUS as sysdba user and run the following ### $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> ALTER TABLESPACE TBS01 READ WRITE; SQL> exit;
Step 2: Import the tablespaces into an Oracle Key Vault-enabled database
- Ensure that a TDE-enabled database with Oracle Key Vault, OKVDB
as the destination database exists. For
example:
# odacli create-database -n okvdb -t -kt okv -ocp /tmp/okvdb_on_server_name/okvclient.jar -dh 265412be-2b21-4cc4-adc7-c845bf9e3e3a -r ACFS Enter SYS and SYSTEM user password: Retype SYS and SYSTEM user password: Enter TDE wallet password: Retype TDE wallet password: # odacli describe-database -n okvdb Database details ---------------------------------------------------------------- ID: b0d137c0-31fa-453b-82e4-d6a364bca4df Description: okvdb DB Name: okvdb DB Type: SI CDB: false Storage: ACFS Home ID: 265412be-2b21-4cc4-adc7-c845bf9e3e3a TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV okvServerConfigName : NONE - Create the database directory in the Oracle Key Vault-enabled
destination database for the import operation. The source database expdp
dump file and output for impdp is stored in the database directory object.
Copy the expdp dump file from the source database server to this server, and
use the impdp dump file to add tablespace metadata to destination
database.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> exit; - Upload the wallet keys from source database to OKVDB wallet in the
destination
database.
### ### login as Oracle user ### Upload the software keystore wallet entries to OKV server wallet. Notice the directory name /etc/OKV/<db_unique_name>/okv/bin ### $ cd /etc/OKV/okvdb/okv/bin $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 3D433A6C-F7B0-433D-91B3-0ADABBDB7509 Template Default template for OKVDB_ON_<SERVER-NAME> FC6AA1F6-C816-4771-A9B6-0D4EC3F4B015 Symmetric Key TDE Master Encryption Key: TAG okvdb $ ./okvutil upload -t WALLET -l /tmp/dbtde/tde -g okvdb_on_<server_name>-c -v 4 -o okvutil version 21.10.0.0.0 Endpoint type: Oracle Database Configuration file: /etc/OKV/okvdb/okv/conf/okvclient.ora Server: 100.70.126.204:5696 Standby Servers: Uploading from /tmp/dbtde/tde Enter source wallet password: No auto-login wallet found, password needed Enter Oracle Key Vault endpoint password: ORACLE.SECURITY.ID.ENCRYPTION. Trying to connect to 100.70.126.204:5696 ... Connected to 100.70.126.204:5696. ORACLE.SECURITY.KB.ENCRYPTION. ORACLE.SECURITY.KT.ENCRYPTION.ASivkc8tqE9mv6RX0F9nYzsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KM.ENCRYPTION.ASivkc8tqE9mv6RX0F9nYzsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.ASivkc8tqE9mv6RX0F9nYzsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY Uploaded 1 TDE keys Uploaded 0 SEPS entries Uploaded 0 other secrets Uploaded 3 opaque objects Uploading private key Uploading certificate request Uploading trust points Uploaded 1 private keys Uploaded 1 certificate requests Uploaded 0 user certificates Uploaded 0 trust points Upload succeeded ### ### Comparing the output of 'okvutil list' shows that TDE Wallet Keys were uploaded to OKV wallet ### $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 17D6044D-F777-4E6F-9B0A-F08D653354F2 Opaque Object Certificate Request 3D433A6C-F7B0-433D-91B3-0ADABBDB7509 Template Default template for OKVDB_ON_<SERVER-NAME> 54FA58D4-B429-4A38-911F-8F2245D3B90F Opaque Object TDE Wallet Metadata 9D509C97-231E-43E9-98C8-637DECF13ECD Opaque Object TDE Wallet Metadata A7168F0B-2023-5141-B720-EC771F9B23A1 Symmetric Key TDE Master Encryption Key: TAG set_master_key E63A4B3D-3B84-4BEF-96BF-18CC844EB041 Opaque Object TDE Wallet Metadata E727B9E3-8803-499B-8DAF-20C08ED587EA Private Key - FC6AA1F6-C816-4771-A9B6-0D4EC3F4B015 Symmetric Key TDE Master Encryption Key: TAG okvdb $ rm -rf /tmp/dbtde - Import the TBS01 tablespace to the destination database
OKVDB.
### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/okvdb/OKVDB/datafile/o1_mf_tbs01_mz3gfyj0_.dbf' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Import: Release 19.0.0.0.0 - Production on Mon Nov 6 12:53:37 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/******** TRANSPORT_DATAFILES='/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Mon Nov 6 12:53:46 2023 elapsed 0 00:00:03 - Change tablespace status and test encryption on the destination
Oracle Key Vault-enabled database. Set the imported tablespace to READ
WRITE.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 READ ONLY YES SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 ONLINE YES ### ### Retrieve the data from TAB1. Consider that TAB1 was created using tablespace TBS01 and can now be queried. ### SQL> select OWNER, table_name from tab1 where rownum < 3; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$
Migrating Tablespaces from a TDE-enabled Oracle ASM Database with Software Keystore to another TDE-enabled Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from a TDE-enabled Oracle ASM database with software keystore to another TDE-enabled database with Oracle Key Vault keystore.
Ensure that there is a source and destination database. The two
databases must be on different servers. The source database must be a software keystore
TDE-enabled database, either an Oracle Database Appliance database or any Oracle
database with compatible Endian. The destination database must be on Oracle Database
Appliance, must be a TDE enabled database using Oracle Key Vault, and must be created
with ODACLI commands.
Step 1: Export the tablespace from the source database
- Consider that the source database has a tablespace TBS01 to be
migrated to the destination database. Provide information about the
tablespace.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME ENC ------------------------------ --- SYSTEM YES SYSAUX YES UNDOTBS1 YES USERS YES TEMP_ENC YES TBS01 YES SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- +DATA/DBASM/DATAFILE/tbs01.268.1197828959 ### ### Make sure the set of tablespaces are self-contained. The following PL/SQL command must execute successfully ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. SQL> exit; - Export the TBS01 tablespace from the source database DBASM.
First, set the tablespace to be copied in READ ONLY mode. Next, run
expdpfor the tablespace that must be migrated. Review the dump files forexpdpstored under the database directoryttsps_dir.### ### Set the tablespaces that you need to be exported in read-only mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> exit; ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbasm.dmp Export: Release 19.0.0.0.0 - Production on Mon Apr 7 18:19:28 2025 Version 19.27.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbasm.dmp ORA-39396: Warning: exporting encrypted data using transportable option without password Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps_dbasm.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: +DATA/DBASM/DATAFILE/tbs01.268.1197828959 Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" completed with 1 error(s) at Mon Apr 7 18:19:52 2025 elapsed 0 00:00:18 - Copy the datafile from Oracle ASM to file system, then move the
datafile to destination database server. Then, move the data file to the
destination database server and and copy the file to Oracle ASM. Then, alter
the status of the tablespace to
READ WRITE.### ### login to grid user ### Copy datafile from ASM to filesystem ### # su - grid $ asmcmd cp +DATA/DBASM/DATAFILE/tbs01.278.1197745689 /home/grid/tbs01.dbf copying +DATA/DBASM/DATAFILE/tbs01.278.1197745689 -> /home/grid/tbs01.dbf ### ### In source database, set the tablespace back to read write mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> ALTER TABLESPACE TBS01 READ WRITE; SQL> exit; - Copy the software keystore wallet of the source database to the
file system on the target
server.
$ mkdir -pv /tmp/DBASM/tde mkdir: created directory '/tmp/DBASM' mkdir: created directory '/tmp/DBASM/tde' SQL> administer key management create keystore '/tmp/DBASM/tde' identified by "<password>"; keystore altered. SQL> administer key management merge keystore '+DATA/DBASM/tde' identified by "<password>" into existing keystore '/tmp/DBASM/tde' identified by "<password>" with backup ; keystore altered. - Copy the
expdpdump files from/u01/app/odaorabase0/oracle/dpdump/ttsps_dirto the destination server, and copy the datafile from/home/grid/tbs01.dbfto the target database server.The expdp and impdp directory is the same in this case, so, no copy is necessary, for remote copy dumpfile using similar this command $ scp /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps_dbasm.dmp oracle@target_server:/location
Step 2: Import the tablespaces into an Oracle Key Vault-enabled database
- Ensure there exists a TDE-enabled database with Oracle Key
Vault, OKVASM as the destination database. Copy the datafile and tablespace
of the source database to this database using
expdpandimpdp. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n okvasm -t -kt okv -ocp /tmp/okvasm_on_<server_name>/okvclient.jar -dh 265412be-2b21-4cc4-adc7-c845bf9e3e3a -r ASM Enter SYS and SYSTEM user password: Retype SYS and SYSTEM user password: Enter TDE wallet password: Retype TDE wallet password: # odacli describe-database -n okvasm Database details ---------------------------------------------------------------- ID: 19ce57f8-6f10-4e15-a403-4ded6ac0084b Description: okvasm DB Name: okvasm DB Type: SI CDB: false Storage: ASM Home ID: 265412be-2b21-4cc4-adc7-c845bf9e3e3a TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV okvServerConfigName : NONE - Copy the datafiles from file system to the destination Oracle
ASM location of OKVASM and change the datafiles
permissions.
### ### login to grid user ### Copy datafile from from filesystem to ASM ### # su - grid $ asmcmd cp /home/grid/tbs01.dbf +DATA/OKVASM//DATAFILE/tbs01 --dest_dbname OKVASM copying /home/grid/tbs01.dbf -> +DATA/OKVASM//DATAFILE/tbs01 ASMCMD> cd +DATA/OKVASM//DATAFILE ASMCMD> ls --permission User Group Permission Name oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- SYSAUX.290.1197813993 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- SYSTEM.315.1197813987 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- UNDOTBS1.309.1197814001 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- USERS.313.1197813977 grid@3fe6130d68b04fc6ffab5b96ff256f8e rw------- tbs01 => +DATA/OKVASM/DATAFILE/tbs01.318.1197830121 grid@3fe6130d68b04fc6ffab5b96ff256f8e rw------- tbs01.318.1197830121 ASMCMD> ASMCMD> chown oracle@3fe6130d68b04fc6ffab5b96ff256f8e:OKVASM_CDB$ROOT tbs01 ASMCMD> ls --permission User Group Permission Name oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- SYSAUX.290.1197813993 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- SYSTEM.315.1197813987 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- UNDOTBS1.309.1197814001 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- USERS.313.1197813977 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- tbs01 => +DATA/OKVASM/DATAFILE/tbs01.318.1197830121 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASM_CDB$ROOT rw------- tbs01.318.1197830121 ASMCMD> - Create the database directory in the OKVASM database for
import.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> exit; - Upload the wallet keys from the source wallet to the OKVASM OKV
wallet in the destination.
### ### login as Oracle user ### Upload the software keystore wallet entries to OKV server wallet ### $ cd /etc/OKV/okvasm/okv/bin $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 4E58C724-E704-4245-A131-D357E1A7762A Template Default template for OKVASM_ON_<SERVER-NAME> C839BE56-9688-48C6-8C16-F2E34A304847 Symmetric Key TDE Master Encryption Key: TAG okvasm $ ./okvutil upload -t WALLET -l /tmp/DBASM/tde -g okvasm_on_<server_name>-c -v 4 -o okvutil version 21.10.0.0.0 Endpoint type: Oracle Database Configuration file: /etc/OKV/okvasm/okv/conf/okvclient.ora Server: 100.70.126.204:5696 Standby Servers: Uploading from /tmp/DBASM/tde Enter source wallet password: No auto-login wallet found, password needed Enter Oracle Key Vault endpoint password: ORACLE.SECURITY.KB.ENCRYPTION. Trying to connect to 100.70.126.204:5696 ... Connected to 100.70.126.204:5696. ORACLE.SECURITY.ID.ENCRYPTION. ORACLE.SECURITY.KT.ENCRYPTION.Aeb4ZXoXJU9/v0wdUBJyfMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KM.ENCRYPTION.Aeb4ZXoXJU9/v0wdUBJyfMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.Aeb4ZXoXJU9/v0wdUBJyfMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY Uploaded 1 TDE keys Uploaded 0 SEPS entries Uploaded 0 other secrets Uploaded 3 opaque objects Uploading private key Uploading certificate request Uploading trust points Uploaded 1 private keys Uploaded 1 certificate requests Uploaded 0 user certificates Uploaded 0 trust points Upload succeeded ### ### Comparing the output of 'okvutil list' shows that TDE Wallet Keys were uploaded to OKV wallet ### $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 2FF42EBA-AB07-456C-BBC1-5AFEC1CCB544 Opaque Object TDE Wallet Metadata 4E58C724-E704-4245-A131-D357E1A7762A Template Default template for OKVASM_ON_<SERVER-NAME> 6403E441-2624-4360-BB55-E0C35709CDA6 Opaque Object Certificate Request 949A121D-B76A-448C-91EF-856BFD54DC1F Private Key - A726D77A-09C1-5CD5-9650-3FDCB6BD0738 Symmetric Key TDE Master Encryption Key: TAG set_master_key C81832F9-E5E9-4050-8A52-160705EC71BF Opaque Object TDE Wallet Metadata C839BE56-9688-48C6-8C16-F2E34A304847 Symmetric Key TDE Master Encryption Key: TAG okvasm E860114F-A374-4534-8717-98DB92499E1A Opaque Object TDE Wallet Metadata $ rm -rf /tmp/DBASM/tde - Import the TBS01 tablespace to the destination database OKVASM.
TRANSPORT_DATAFILES references the location of the data file in the
destination
database.
### ### login as Oracle user ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### # su - oracle $ impdp system TRANSPORT_DATAFILES=\'+DATA/OKVASM/DATAFILE/tbs01\' DIRECTORY=ttsps_dir dumpfile=expttps_dbasm.dmp Import: Release 19.0.0.0.0 - Production on Mon Apr 7 18:43:53 2025 Version 19.27.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/******** TRANSPORT_DATAFILES='+DATA/OKVASM/DATAFILE/tbs01' DIRECTORY=ttsps_dir dumpfile=expttps_dbasm.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Mon Apr 7 18:44:05 2025 elapsed 0 00:00:04 - Change the tablespace status and test encryption on the
destination OKVASM
database.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 READ ONLY YES 6 rows selected. SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 ONLINE YES ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$
Migrating Tablespaces from TDE-enabled Oracle ACFS Database with Software Keystore to another TDE-enabled Multitenant Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from TDE-enabled Oracle ACFS database with software keystore to another TDE-enabled multitenant database with Oracle Key Vault keystore.
Ensure that there is a source and destination database. The two
databases can be on one Oracle Database Appliance server or on different servers. The
source database must be a software keystore TDE-enabled database, either an Oracle
Database Appliance database or any Oracle database with compatible Endian. The
destination database must be an Oracle Database Appliance Oracle Key Vault
enabled-database created with ODACLI commands.
Step 1: Export the tablespace from the source database
- Consider that the source database has a tablespace TBS01 to be
migrated to the destination database. Provide information about the
tablespace.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME ENC ------------------------------ --- SYSTEM YES SYSAUX YES UNDOTBS1 YES USERS YES TEMP_ENC YES TBS01 YES SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- /u02/app/oracle/oradata/dbtdec/DBTDEC/321537BF1BE47143E063E730850AA965/datafile/o1_mf_tbs01_mz69cvrf_.dbf ### ### Make sure the set of tablespaces are self-contained. The following PL/SQL command must execute successfully ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. SQL> exit; - Create the database directory in the source database DBTDEC to
be used for the export. Create a database directory object in the
destination database to be used by
expdp.### ### login as Oracle user and run the following ### # su - oracle $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory '/u01/app/odaorabase0/oracle/dpdump' mkdir: created directory '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir' ### ### Connect to database using SQLPLUS as sysdba user and run the following ### $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> exit; - Export the TBS01 tablespace from source database DBTDEC. First,
set the tablespace to be copied in READ ONLY mode. Next, run
expdpon the designated tablespace. Note that the warningORA-39396is displayed because expdp does not useENCRYPTION_PASSWORDandimpdpdoes not use this option as well. Transfer the TDE software wallet to the destination Oracle Key Vault database server and upload to the corresponding Oracle Key Vault wallet before you runimpdpon the destination database. Review the log files forexpdpstored under the database directoryttsps_dir.### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> exit; ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbtde.dmp Export: Release 19.0.0.0.0 - Production on Mon Apr 7 11:08:49 2025 Version 19.27.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbtde.dmp ORA-39396: Warning: exporting encrypted data using transportable option without password Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/STATISTICS/MARKER Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps_dbtde.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: /u02/app/oracle/oradata/dbtdec/DBTDEC/321537BF1BE47143E063E730850AA965/datafile/o1_mf_tbs01_mz69cvrf_.dbf Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" completed with 1 error(s) at Mon Apr 7 11:09:15 2025 elapsed 0 00:00:20 - Copy datafiles, TDE wallet, and
expdp dmpfiles to the destination database server and edit the status of the data file in the source database DBTDE toREAD WRITE. Copy the datafile/u02/app/oracle/oradata/dbtdec/DBTDEC/321537BF1BE47143E063E730850AA965/datafile/o1_mf_tbs01_mz69cvrf_.dbfto the Oracle Key Vault database server in the PDB location/u02/app/oracle/oradata/okvdbc/OKVDBC/323B892160327BC5E063E730850A8FEA/datafile/.### ### login as Oracle user and run the following ### # su - oracle $ scp /u02/app/oracle/oradata/dbtdec/DBTDEC/321537BF1BE47143E063E730850AA965/datafile/o1_mf_tbs01_mz69cvrf_.dbf oracle@target_server:/u02/app/oracle/oradata/okvdbc/OKVDBC/323B892160327BC5E063E730850A8FEA/datafile/ ### Copy the expdp dump file to the destination server location. $ scp /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps.dmp oracle@<target_server>:/<location> cp /u02/app/oracle/oradata/dbtdec/tde/ewallet.p12 oracle@target_server:/tmp/dbtdec/tde ### ### In source database, set the tablespace back to read write mode ### Connect to database using SQLPLUS as sysdba user and run the following ### $ sqlplus /nolog SQL> connect / as sysdba SQL> alter session set container=pdb ; Session altered. SQL> ALTER TABLESPACE TBS01 READ WRITE; SQL> exit;
Step 2: Import the tablespaces into an Oracle Key Vault-enabled database
- Ensure there exists a TDE-enabled database with Oracle Key
Vault, OKVDBC as the destination database. Copy the data file and tablespace
of the source database to this database using
expdpandimpdp. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n okvdbc -t -kt okv -ocp /tmp/okvdbc_on_<server_name>/okvclient.jar -dh 265412be-2b21-4cc4-adc7-c845bf9e3e3a -r ACFS --cdb -d pdbadmin -p pdb # odacli describe-database -n okvdbc Database details ---------------------------------------------------------------- ID: 045c22d6-96ed-47d7-95b9-7c9923d94fd9 Description: okvdbc DB Name: okvdbc DB Type: SI CDB: true PDB Name: pdb PDB Admin User Name: pdbadmin Storage: ACFS Home ID: 265412be-2b21-4cc4-adc7-c845bf9e3e3a TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV ### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### Take a note of PDB GUID which helps to determine the path of PDB datafile ### $ sqlplus /nolog SQL> connect / as sysdba SQL> col PDB_NAME for a20 SQL> select PDB_NAME,GUID from dba_pdbs ; PDB_NAME GUID -------------------- -------------------------------- PDB 323B892160327BC5E063E730850A8FEA PDB$SEED 323B5ABA63C6340CE063E730850A4161 SQL> exit; - Create the service and TNS name for the
PDB.
### ### Create service for PDB database and add TNS alias for PDB to $ORACLE_HOME/network/admin/tnsnames.ora ### $ srvctl add service -db okvdbc -service okvdbc_pdb -pdb pdb -role PRIMARY -policy AUTOMATIC $ srvctl start service -db okvdbc -service okvdbc_pdb OKVDBC_PDB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = <server-name>)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = okvdbcpdb.servicename) - Create the database directory in the PDB for the
import.
### ### login as Oracle user and run the following ### # su - oracle $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user and run the following ### $ sqlplus /nolog SQL> connect / as sysdba SQL> ALTER SESSION SET CONTAINER=PDB ; SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> exit; - Upload the wallet keys from the source to the OKVDBC wallet in
the destination database. For impdp to recognize the tablespace, upload the
software keystore wallet content to the destination database with Oracle Key
Vault enabled. Copy the wallet to e destination server, create a temporary
endpoint for the wallet, upload the wallet content, and delete the temporary
endpoint and the source database wallet.
### ### login as Oracle user ### Upload the software keystore wallet entries to OKV server wallet ### $ cd /etc/OKV/okvdbc/okv/bin/ $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 2299AD61-915F-4568-82EA-2E07FDF8F129 Symmetric Key TDE Master Encryption Key: TAG okvdbc 51EA3595-433A-4FE8-BCAA-A2FBB768F88A Symmetric Key TDE Master Encryption Key: TAG okvdbc A7A80EB2-899F-47B3-8050-3A8C76ED449B Symmetric Key TDE Master Encryption Key: TAG okvdbc_pdb A7C3463B-B8AD-45A3-A31C-E8BABAB1289F Template Default template for OKVDBC_ON_<SERVER-NAME> $ ./okvutil upload -t WALLET -l /tmp/dbtdec/tde -g okvdbc_on_<server_name>-c -v 4 -o okvutil version 21.10.0.0.0 Endpoint type: Oracle Database Configuration file: /etc/OKV/okvdbc/okv/conf/okvclient.ora Server: 100.70.126.204:5696 Standby Servers: Uploading from /tmp/dbtdec/tde Enter source wallet password: No auto-login wallet found, password needed Enter Oracle Key Vault endpoint password: ORACLE.SECURITY.ID.ENCRYPTION. Trying to connect to 100.70.126.204:5696 ... Connected to 100.70.126.204:5696. ORACLE.SECURITY.KB.ENCRYPTION. ORACLE.SECURITY.KT.ENCRYPTION.AecOmWLewk8dv1z3KsizxucAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KM.ENCRYPTION.AecOmWLewk8dv1z3KsizxucAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.AecOmWLewk8dv1z3KsizxucAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KT.ENCRYPTION.AV35lc5etE+Av4EsIkDeWjsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KM.ENCRYPTION.AV35lc5etE+Av4EsIkDeWjsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.AV35lc5etE+Av4EsIkDeWjsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.321537BF1BE47143E063E730850AA965 ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY Uploaded 2 TDE keys Uploaded 0 SEPS entries Uploaded 0 other secrets Uploaded 4 opaque objects Uploading private key Uploading certificate request Uploading trust points Uploaded 1 private keys Uploaded 1 certificate requests Uploaded 0 user certificates Uploaded 0 trust points Upload succeeded ### ### Comparing the output of 'okvutil list' shows that TDE Wallet Keys were uploaded to OKV wallet ### $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 0CDCC93D-EEEA-4760-848F-2162D0074B20 Opaque Object TDE Wallet Metadata 2299AD61-915F-4568-82EA-2E07FDF8F129 Symmetric Key TDE Master Encryption Key: TAG okvdbc 3616D7C9-1025-4093-BEC4-1DD2BAC8047C Opaque Object TDE Wallet Metadata 3F716086-2740-4688-82C3-428B6DA55720 Private Key - 5130AEF7-AA35-57B1-8EB7-88A297867B7F Symmetric Key TDE Master Encryption Key: TAG set_master_key 51EA3595-433A-4FE8-BCAA-A2FBB768F88A Symmetric Key TDE Master Encryption Key: TAG okvdbc 60769770-17A6-4D77-B5AF-80E870B3E95E Opaque Object TDE Wallet Metadata 75E9B037-2FA4-45DD-A4D1-FA1A07102602 Opaque Object TDE Wallet Metadata 9B72895D-8551-5792-B3E5-90DC76BE1EBA Symmetric Key TDE Master Encryption Key: TAG set_master_key A7A80EB2-899F-47B3-8050-3A8C76ED449B Symmetric Key TDE Master Encryption Key: TAG okvdbc_pdb A7C3463B-B8AD-45A3-A31C-E8BABAB1289F Template Default template for OKVDBC_ON_<SERVER-NAME> DDF529BA-348A-4FF3-8F31-73C170749956 Opaque Object Certificate Request $ rm -rf /tmp/dbtdec/tde - Import TBS01 tablespace to the destination database PDB
container on OKVDBC. impdp uses the dump file that was copied earlier to add
tablespace metadata to the destination database. TRANSPORT_DATAFILES
references the location of the datafile in the destination
database.
### ### login as Oracle user ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### # su - oracle $ impdp system@okvdbc_pdb TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/okvdbc/OKVDBC/323B892160327BC5E063E730850A8FEA/datafile/o1_mf_tbs01_mz69cvrf_.dbf\' DIRECTORY=ttsps_dir dumpfile=expttps_dbtdec.dmp Import: Release 19.0.0.0.0 - Production on Mon Apr 7 20:49:35 2025 Version 19.27.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/********@okvdbc_pdb TRANSPORT_DATAFILES='/u02/app/oracle/oradata/okvdbc/OKVDBC/323B892160327BC5E063E730850A8FEA/datafile/o1_mf_tbs01_mz69cvrf_.dbf' DIRECTORY=ttsps_dir dumpfile=expttps_dbtdec.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/STATISTICS/MARKER Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Mon Apr 7 20:50:06 2025 elapsed 0 00:00:16 - Change tablespace status and test tablespace encryption on the
destination OKVDBC database
PDB.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> alter session set container=pdb ; Session altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 READ ONLY YES SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 ONLINE YES SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME ------------------------------------------------------------------------------------------------------------------------------------ /u02/app/oracle/oradata/okvdbc/OKVDBC/323B892160327BC5E063E730850A8FEA/datafile/o1_mf_tbs01_mz69cvrf_.dbf ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$
Migrating Tablespaces from TDE-enabled Oracle ASM Database with Software Keystore to another TDE-enabled Multitenant Database with Oracle Key Vault Keystore
Understand how you can migrate tablespaces from TDE-enabled Oracle ASM database with software keystore to another TDE-enabled multitenant database with Oracle Key Vault keystore.
Ensure that there is a source and destination database. The two
databases can be on one Oracle Database Appliance server or on different servers. The
source database must be a software keystore TDE-enabled database, either an Oracle
Database Appliance database or any Oracle database with compatible Endian. The
destination database must be an Oracle Database Appliance Oracle Key Vault
enabled-database created with ODACLI commands.
Step 1: Export the tablespace from the source database
- Consider that the source database has a tablespace TBS01 to be
migrated to the destination database. Provide information about the
tablespace.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba Connected. SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME ENC ------------------------------ --- SYSTEM YES SYSAUX YES UNDOTBS1 YES USERS YES TEMP_ENC YES TBS01 YES SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- +DATA/DBASMC/DATAFILE/tbs01.268.1197828959 ### ### Make sure the set of tablespaces are self-contained. The following PL/SQL command must execute successfully ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. SQL> exit; - Export the TBS01 tablespace from the source database DBASMC.
First, set the tablespace to be copied in READ ONLY mode. Next, run
expdpon the designated tablespace. Review the dump files forexpdpstored under the database directoryttsps_dir.### ### Set the tablespaces that you need to be exported in read-only mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> exit; ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbasm.dmp Export: Release 19.0.0.0.0 - Production on Mon Apr 7 18:19:28 2025 Version 19.27.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps_dbasm.dmp ORA-39396: Warning: exporting encrypted data using transportable option without password Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps_dbasm.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: +DATA/DBASMC/DATAFILE/tbs01.268.1197828959 Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" completed with 1 error(s) at Mon Apr 7 18:19:52 2025 elapsed 0 00:00:18 - Copy the datafile from Oracle ASM to the file system on the
source server. Then, alter the status of the tablespace to
READ WRITE.### ### login to grid user ### Copy datafile from ASM to filesystem ### # su - grid $ asmcmd cp DATA/DBASMC/DATAFILE/tbs01.268.1197828959 copying DATA/DBASMC/DATAFILE/tbs01.268.1197828959 -> /home/grid/tbs01.dbf ### ### In source database, set the tablespace back to read write mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> ALTER TABLESPACE TBS01 READ WRITE; SQL> exit; - Copy the software keystore wallet of the source database to the
file system on the target
server.
SQL> administer key management create keystore '/tmp/DBASMC/tde' identified by "<password>"; keystore altered. SQL> administer key management merge keystore '+DATA/DBASMC/tde' identified by "<password>" into existing keystore '/tmp/DBASMC/tde' identified by "<password>" with backup ; keystore altered. - Copy the
expdpdump files to the destination database server. Copy the data file from/u01/app/odaorabase0/oracle/dpdump/ttsps_dirto the target database server.The expdp and impdp directory is the same in this case, so, no copy is necessary, for remote copy dumpfile using similar this command $ scp /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps_dbasm.dmp oracle@target_server:/location
Step 2: Import the tablespaces into an Oracle Key Vault-enabled database
- Ensure there exists a TDE-enabled database with Oracle Key
Vault, OKVASMC as the destination database. Copy the data file and
tablespace of the source database to this database using
expdpandimpdp. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n okvasmc -t -kt okv -ocp /tmp/okvasmc_on_<server_name>/okvclient.jar -dh 265412be-2b21-4cc4-adc7-c845bf9e3e3a -r ASM --cdb -d pdbadmin -p pdb # odacli describe-database -n okvasmc Database details ---------------------------------------------------------------- ID: dc9f9d7b-7e22-4997-bb20-4a3adcc764a4 Description: okvasmc DB Name: okvasmc DB Type: SI CDB: true PDB Name: pdb PDB Admin User Name: pdbadmin Storage: ASM Home ID: 265412be-2b21-4cc4-adc7-c845bf9e3e3a TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV ### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> col PDB_NAME for a20 SQL> select PDB_NAME,GUID from dba_pdbs ; PDB_NAME GUID -------------------- -------------------------------- PDB 3247726469554039E063E730850A5A00 PDB$SEED 324743827B457329E063E730850A27E7 SQL> exit ; - Copy the data files from file system to the destination Oracle
ASM location of OKVASMC and set the permissions correctly after copying the
data
files.
### ### login to grid user ### # su - grid $ asmcmd cp /home/grid/tbs01.dbf +DATA/OKVASMC/3247726469554039E063E730850A5A00/DATAFILE/tbs01 --dest_dbname OKVASMC copying /home/grid/tbs01.dbf -> +DATA/OKVASMC/3247726469554039E063E730850A5A00/DATAFILE/tbs01 $ asmcmd ASMCMD> pwd +DATA/OKVASMC/3247726469554039E063E730850A5A00/DATAFILE ASMCMD> ls --permission User Group Permission Name oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- SYSAUX.337.1197886103 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- SYSTEM.330.1197886099 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- UNDOTBS1.338.1197886107 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- USERS.336.1197886111 grid@3fe6130d68b04fc6ffab5b96ff256f8e rw------- tbs01 => +DATA/OKVASMC/DATAFILE/tbs01.339.1197886535 ASMCMD> chown oracle@3fe6130d68b04fc6ffab5b96ff256f8e:OKVASMC_PDB tbs01 ASMCMD> ASMCMD> ls --permission User Group Permission Name oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- SYSAUX.337.1197886103 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- SYSTEM.330.1197886099 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- UNDOTBS1.338.1197886107 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- USERS.336.1197886111 oracle@3fe6130d68b04fc6ffab5b96ff256f8e OKVASMC_PDB rw------- tbs01 => +DATA/OKVASMC/DATAFILE/tbs01.339.1197886535 - Create the service and TNS name for the
PDB.
### ### Create service for PDB database and add TNS alias for PDB to $ORACLE_HOME/network/admin/tnsnames.ora ### $ srvctl add service -db okvasmc -service okvasmc_pdb -pdb pdb -role PRIMARY -policy AUTOMATIC $ srvctl start service -db okvasmc -service okvasmc_pdb OKVASMC_PDB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = <server-name>)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = okvasmc_pdb.service) - Create the database directory in the PDB for the
import.
### ### login as Oracle user and run the following ### # su - oracle $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user and run the following ### $ sqlplus /nolog SQL> connect / as sysdba SQL> ALTER SESSION SET CONTAINER=PDB ; SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> exit; - Upload the wallet keys from the source to the OKVASMC Oracle
Key Vault wallet in the destination database. For impdp to recognize the
tablespace, upload the software keystore wallet content to the destination
database with Oracle Key Vault enabled.
### ### login as Oracle user ### Upload the software keystore wallet entries to OKV server wallet ### $ cd /etc/OKV/okvasmc/okv/bin/ $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 20D37B20-78C2-4679-8B56-B50F184B5D61 Symmetric Key TDE Master Encryption Key: TAG okvasmc 40A3C0F2-CED1-497F-8C70-13A6E69AC0F7 Symmetric Key TDE Master Encryption Key: TAG okvasmc_pdb 9E0B4E98-2249-4159-9B12-04A60980D25E Template Default template for OKVASMC_ON_<SERVER-NAME> B4569785-465C-4906-8C82-3736A15ED3E7 Symmetric Key TDE Master Encryption Key: TAG okvasmc $ ./okvutil upload -t WALLET -l /tmp/DBASMC/tde -g okvasmc_on_<server_name>-c -v 4 -o okvutil version 21.10.0.0.0 Endpoint type: Oracle Database Configuration file: /etc/OKV/okvasmc/okv/conf/okvclient.ora Server: 100.70.126.204:5696 Standby Servers: Uploading from /tmp/DBASMC/tde Enter source wallet password: No auto-login wallet found, password needed Enter Oracle Key Vault endpoint password: ORACLE.SECURITY.KB.ENCRYPTION. Trying to connect to 100.70.126.204:5696 ... Connected to 100.70.126.204:5696. ORACLE.SECURITY.ID.ENCRYPTION. ORACLE.SECURITY.KT.ENCRYPTION.AYGo9jtJAk+JvwRLClz4E7wAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KM.ENCRYPTION.AYGo9jtJAk+JvwRLClz4E7wAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.AYGo9jtJAk+JvwRLClz4E7wAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KT.ENCRYPTION.Afk3edvpTU8yv82U/FM99CoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.KM.ENCRYPTION.Afk3edvpTU8yv82U/FM99CoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.Afk3edvpTU8yv82U/FM99CoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.3215781D91701754E063E730850A04B1 ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY Uploaded 2 TDE keys Uploaded 0 SEPS entries Uploaded 0 other secrets Uploaded 4 opaque objects Uploading private key Uploading certificate request Uploading trust points Uploaded 1 private keys Uploaded 1 certificate requests Uploaded 0 user certificates Uploaded 0 trust points Upload succeeded ### ### Comparing the output of 'okvutil list' shows that TDE Wallet Keys were uploaded to OKV wallet ### $ ./okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 1D4F6104-FAFE-42C5-AE3E-F9B46BCA51CA Opaque Object Certificate Request 20D37B20-78C2-4679-8B56-B50F184B5D61 Symmetric Key TDE Master Encryption Key: TAG okvasmc 2F4FCE20-A679-415A-B2E9-F4F80A28576A Opaque Object TDE Wallet Metadata 40A3C0F2-CED1-497F-8C70-13A6E69AC0F7 Symmetric Key TDE Master Encryption Key: TAG okvasmc_pdb 41B0D244-BAC0-5311-A624-3BB0496C8BE9 Symmetric Key TDE Master Encryption Key: TAG set_master_key 74A196AC-3C9E-49B5-A10B-19F2DFB3D27B Opaque Object TDE Wallet Metadata 87793E99-E79C-4855-8CF1-5C463DCFCE60 Opaque Object TDE Wallet Metadata 9E0B4E98-2249-4159-9B12-04A60980D25E Template Default template for OKVASMC_ON_<SERVER-NAME> B4569785-465C-4906-8C82-3736A15ED3E7 Symmetric Key TDE Master Encryption Key: TAG okvasmc E31121D2-5A43-4D1A-882B-26881FB1D3A2 Private Key - E885E79C-AF01-5856-A066-7292198BF650 Symmetric Key TDE Master Encryption Key: TAG set_master_key F0834140-19A5-4E2F-9AB6-CC4026A0FC62 Opaque Object TDE Wallet Metadata $ rm -rf /tmp/DBASMC/tde - Import the TBS01 tablespace to the destination database OKVASMC.
TRANSPORT_DATAFILES references the location of the data file in the
destination
database.
### ### login as Oracle user ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### # su - oracle $ impdp system@okvasmc_pdb TRANSPORT_DATAFILES=\'+DATA/OKVASMC/3247726469554039E063E730850A5A00/DATAFILE/tbs01\' DIRECTORY=ttsps_dir dumpfile=expttps_dbasmc.dmp Import: Release 19.0.0.0.0 - Production on Tue Apr 8 10:30:00 2025 Version 19.27.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/********@okvasmc_pdb TRANSPORT_DATAFILES='+DATA/OKVASMC/3247726469554039E063E730850A5A00/DATAFILE/tbs01' DIRECTORY=ttsps_dir dumpfile=expttps_dbasmc.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/STATISTICS/MARKER Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Tue Apr 8 10:30:25 2025 elapsed 0 00:00:17 - Change the tablespace status and test encryption on the
destination Oracle Key Vault
database.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user and run the following ### # su - oracle $ sqlplus /nolog SQL> connect / as sysdba SQL> alter session set container=pdb ; Session altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 READ ONLY YES SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES USERS ONLINE YES TEMP_ENC ONLINE YES TBS01 ONLINE YES ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 ; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS IND$ SYS CDEF$
Manually Migrating from Software Keystore to Oracle Key Vault Keystore on Oracle Database Appliance
Understand how you can migrate tablespaces from software keystore to Oracle Key Vault keystore for databases created on Oracle Database Appliance
For the migration, a TDE wallet, set as the default wallet, and
endpoints must exist on the Oracle Key Vault server. Ensure that the
okvclient.jar file specific to the endpoints is available on Oracle
Database Appliance.
- Log into Oracle Key Vault and create the virtual TDE wallet corresponding to a database.
- Create endpoints corresponding to each instance. For a single instance database, you must create one endpoint and for Oracle RAC, Oracle RAC One, and single-instance databases with high-availability enabled, create two endpoints.
- Set the default wallet for the created endpoint.
- Download the
okvclient.jarfile corresponding to each endpoint. For single instance database, download one file, and for Oracle RAC database, there are two files available for download, one per instance.
Before migration, the TDE keys are present in a file-based wallet on Oracle ASM
storage in the database. After migration, all the current TDE keys are migrated to the
Oracle Key Vault keystore.
- As the database owner, for example,
oracle, connect to SQL*Plus and configure the newWALLET_ROOTinitialization parameter for the database.# su - oracle $. oraenv ORACLE_SID = [oracle] ? enter the database SID ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> ALTER SYSTEM SET WALLET_ROOT='/etc/OKV/dbUniqueName' scope=spfile sid='*'; System altered. - Create the wallet root and TDE directories. Run this step on
both nodes for Oracle RAC, Oracle RAC One Node, and Oracle Database
Enterprise Edition High Availability databases.
$ mkdir /etc/OKV/dbUniqueName/ $ mkdir /etc/OKV/dbUniqueName/okv $ mkdir /etc/OKV/dbUniqueName/tde - Copy the software keystore (ewallet.p12) file from the
+DATA/dbUniqueName/tdelocation to the/etc/OKV/dbname/tdelocation.For Oracle ASM databases, copy the file from the
+DATA/dbUniqueName/tdeOracle ASM location.$. oraenv ORACLE_SID = [oracle] ? enter the database SID ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/OKV/dbUniqueName/tde' identified by "current TDE password"; keystore altered. SQL> ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '+DATA/dbUniqueName/tde' identified by "current TDE password" INTO EXISTING KEYSTORE '/etc/OKV/<dbUniqueName>/tde' identified by "current TDE password" WITH BACKUP USING "delete"; keystore altered.For Oracle ACFS databases, copy the file from the/u02/app/oracle/oradata/dbUniqueName/tdelocation.cp /u02/app/oracle/oradata/dbUniqueName/tde/ewallet.p12 /etc/OKV/dbUniqueName/tde - Install the Oracle Key Vault endpoint software. Two endpoints
must be created for Oracle RAC, Oracle RAC One Node, and Oracle Database
Enterprise Edition High Availability databases specific to each instance and
must be installed on each node, so run this step on both nodes for these
databases. Use the Java binary from the database home location. On
successful installation, the files listed in step 4c must be present in the
/etc/OKV/dbUniqueName/okv/location.- Find the database home location with the
odacli describe-databasecommand and make a note of theHome ID.# odacli describe-database -n dbName Database details ---------------------------------------------------------------- ID: 783e9aeb-334d-40d0-8c7a-cb6c343b4b34 Description: dbName DB Name: dbName . . Home ID: b5791c68-9a47-42db-bedc-9c22137a8efd . . CPU Pool Name: - List the database homes present in the environment and
save the
Home Locationcorresponding to the ID copied in step a.# odacli list-dbhomes ID Name DB Version DB Edition Home Location Status ---------------------------------------- -------------------- -------------------- ---------- -------------------------------------------------------- ---------- b5791c68-9a47-42db-bedc-9c22137a8efd OraDB19000_home2 19.27.0.0.250415 EE /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_2 CONFIGURED - Install the
okvclient.jarspecific to the endpoint created for the database instance using the Java binary from the database home location saved from step 4b.$ DatabaseHomeLocation/jdk/bin/java -jar okvclient.jar path -d /etc/OKV/dbUniqueName/okv/ Detected JAVA_HOME: /u01/app/odaorahome/oracle/product/19.0.0.0/dbhome_2/jdk/jre Enter new Key Vault endpoint password (enter for auto-login): current TDE password Confirm new Key Vault endpoint password: current TDE password The endpoint software for Oracle Key Vault installed successfully. Deleted the file :<okvclient.jar path - Verify that the
okvclient.jaris installed successfully by listing the files from the/etc/OKV/dbUniqueName/okvlocation.$ ls -ltR /etc/OKV/dbUniqueName/okv/ /etc/OKV/dbUniqueName/okv/: total 28 drwxr-x--- 2 oracle oinstall 4096 Mar 28 12:18 log drwxr-x--- 2 oracle oinstall 4096 Mar 28 12:18 conf drwxr-x--- 2 oracle oinstall 4096 Mar 28 12:18 ssl drwxr-x--- 2 oracle oinstall 4096 Mar 28 12:18 bin drwxr-x--- 2 oracle oinstall 4096 Mar 28 12:18 lib drwxr-x--- 3 oracle oinstall 4096 Mar 28 12:18 csdk drwxr-x--- 2 oracle oinstall 4096 Mar 28 12:18 jlib /etc/OKV/dbUniqueName/okv/log: total 4 -rw-r----- 1 oracle oinstall 2162 Mar 28 12:18 okvutil.deploy.log /etc/OKV/dbUniqueName/okv/conf: total 12 -rw-r----- 1 oracle oinstall 450 Mar 28 12:18 logging.properties -rw-r----- 1 oracle oinstall 882 Mar 28 12:18 okvclient.ora -rw-r----- 1 oracle oinstall 0 Mar 28 12:18 okvclient.lck -rwx------ 1 oracle oinstall 1009 Mar 28 12:09 okvsshendpoint.conf /etc/OKV/dbUniqueName/okv/ssl: total 8 -rw------- 1 oracle oinstall 4361 Mar 28 12:18 ewallet.p12 /etc/OKV/dbUniqueName/okv/bin: total 8548 -rwxr-x--- 1 oracle oinstall 18108 Mar 28 12:09 ep_healthcheck.sh -rwxr-x--- 1 oracle oinstall 8682112 Mar 28 12:09 okveps.x64 -rwxr-x--- 1 oracle oinstall 29651 Mar 28 12:09 okv_ssh_ep_lookup_authorized_keys -rwxr-x--- 1 oracle oinstall 7721 Mar 28 12:09 okvutil -rwxr-x--- 1 oracle oinstall 5030 Mar 28 12:09 root.sh /etc/OKV/dbUniqueName/okv/lib: total 8708 -rwxr-x--- 1 oracle oinstall 8913371 Mar 28 12:09 liborapkcs.so /etc/OKV/dbUniqueName/okv/csdk: total 4 drwxr-x--- 2 oracle oinstall 4096 Mar 28 12:18 lib /etc/OKV/dbUniqueName/okv/csdk/lib: total 8748 -rwxr-x--- 1 oracle oinstall 8954149 Mar 28 12:09 liborasdk.so /etc/OKV/dbUniqueName/okv/jlib: total 72 -rw-r----- 1 oracle oinstall 71387 Mar 14 2024 okvutil.jar
- Find the database home location with the
- As the
rootuser, run theroot.shscript to install the PKCS library. For Oracle RAC, Oracle RAC One Node, and Oracle Database Enterprise Edition High Availability databases, run this step on both nodes.# id -a uid=0(root) gid=0(root) groups=0(root) # /etc/OKV/dbUniqueName/okv/bin/root.sh Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/ Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/ Setting PKCS library file permissions Installation successful.After the command runs successfully, verify that the library is installed.# id -a uid=0(root) gid=0(root) groups=0(root) # ls -ltr /opt/oracle/extapi/64/hsm/oracle/1.0.0/ total 8708 -rwxr-xr-x 1 root root 8913371 Mar 28 12:33 liborapkcs.so - Run steps 6 to 13 as the database owner, for example,
oracle. Upload the software keystoreewallet.p12to the Oracle Key Vault server.# su - oracle $ /etc/OKV/dbUniqueName/okv/bin/okvutil upload -l /etc/OKV/dbUniqueName/tde -t wallet -g wallet name Enter source wallet password: current TDE password Enter Oracle Key Vault endpoint password: current TDE password Upload succeededVerify that the TDE keys are uploaded to the wallet on the Oracle Key Vault server with theokvutil listcommand:$ /etc/OKV/dbUniqueName/okv/bin/okvutil list Enter Oracle Key Vault endpoint password: Unique ID Type Identifier 8D938C3D-8434-45A4-B6F3-A9405C26B0C5 Opaque Object TDE Wallet Metadata A816E0FB-5CF2-48FF-A29F-5EC7282B4035 Opaque Object TDE Wallet Metadata 121AC7F1-44AC-5537-A705-52BB7DAEDDAA Symmetric Key TDE Master Encryption Key: TAG set_master_key 3977568B-A800-5532-96DB-C196AEA75C2E Symmetric Key TDE Master Encryption Key: TAG set_master_key 3DC733BF-4977-42E0-92E6-D436BBFA206F Opaque Object TDE Wallet Metadata 0640B156-1D2A-4CE4-9608-CDDA004938E2 Opaque Object TDE Wallet Metadata 051ED678-68D2-4DF5-8CE2-41DBAB000003 Private Key - 2E7D00F6-9AC2-4543-B308-0697D9A401CF Opaque Object Certificate Request 4585DCAE-EDD1-4BAA-AD8F-E1FC8AD5E763 Template Default template for TDEDB_707EP1 - Create the local autologin wallet for the database on the local
node.
$. oraenv ORACLE_SID = [oracle] ? enter the SID of the local database instance ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'current TDE password' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/etc/OKV/dbUniqueName/tde'; keystore altered.For Oracle RAC databases, create the local and external store autologin wallet for the remote instance on the remote node.$. oraenv ORACLE_SID = [oracle] ? enter the SID of the remote database instance ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'current TDE password' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/etc/OKV/dbUniqueName/tde'; keystore altered.For Oracle RAC One Node and single-instance databases with high-availability enabled, follow these steps on the remote node:
- Shut down the instance on the local
node.
$. oraenv ORACLE_SID = [oracle] ? <enter the SID of the local database instance> ORACLE_HOME = [/home/oracle] ? <enter the database home path> $ sqlplus / as sysdba SQL> shutdown immediate; - Mount the instance on the remote
node.
$. oraenv ORACLE_SID = [oracle] ? enter the SID of the remote database instance ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> startup nomount; - Create the local autologin wallet.
$. oraenv ORACLE_SID = [oracle] ? enter the SID of the remote database instance ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> ADMINISTER KEY MANAGEMENT ADD SECRET 'current TDE password' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/etc/OKV/dbUniqueName/tde'; keystore altered. - Shut down the instance on the remote
node.
$. oraenv ORACLE_SID = [oracle] ? enter the SID of the remote database instance ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> shutdown; - Mount the instance on the local
node.
$. oraenv ORACLE_SID = [oracle] ? enter the SID of the local database instance ORACLE_HOME = [/home/oracle] ? enter the database home path $ sqlplus / as sysdba SQL> startup;
- Shut down the instance on the local
node.
- Connect to SQL*Plus and set the
tde_configurationinitialization parameter for the database.$ sqlplus / as sysdba SQL> ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE = BOTH sid='*'; System altered. - Restart the database to apply the database initialization parameters set in
step 8.
$ srvctl stop database -d dbUniqueName $ srvctl start database -d dbUniqueName - Connect to SQL*Plus and run the command to migrate the TDE keys
to
OKV.
$ sqlplus / as sysdba SQL> ADMINISTER KEY MANAGEMENT set key identified by "current TDE password" force keystore migrate using "current TDE password"; keystore altered. - Delete the file based wallet ewallet.p12 files from the
/etc/OKV/dbUniqueName/tdelocation.$ rm -f /etc/OKV/dbUniqueName/tde/ewallet* - Restart the database again to apply the keystore migration performed in step
10.
$ srvctl stop database -d dbUniqueName $ srvctl start database -d dbUniqueName - Connect to SQL*Plus and run the query to check the status of the wallet. It
must be in the Open state. If it is not in the Open state, restart the
database to verify that the communication with Oracle Key Vault is fine.
$ sqlplus / as sysdba SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC ------------------------------ -------------------- --------- -------- --------- CON_ID ---------- FILE /etc/OKV/dbUniqueName/tde/ OPEN_NO_MASTER_KEY LOCAL_AUTOLOGIN SECONDARY NONE UNDEFINED 1 WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC ------------------------------ -------------------- --------- -------- --------- CON_ID ---------- OKV OPEN OKV PRIMARY NONE UNDEFINED 1 WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC ------------------------------ -------------------- --------- -------- --------- CON_ID ---------- FILE OPEN_NO_MASTER_KEY LOCAL_AUTOLOGIN SINGLE UNITED UNDEFINED 2 WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC ------------------------------ -------------------- --------- -------- --------- CON_ID ---------- OKV OPEN OKV SINGLE UNITED UNDEFINED 2 WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC ------------------------------ -------------------- --------- -------- --------- CON_ID ---------- FILE OPEN_NO_MASTER_KEY LOCAL_AUTOLOGIN SECONDARY UNITED UNDEFINED 3 WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC ------------------------------ -------------------- --------- -------- --------- CON_ID ---------- OKV OPEN OKV PRIMARY UNITED UNDEFINED 3 - As the
griduser, delete the software keystore and the autologin wallet. Connect to ASMCMD and delete the+DATA/dbUniqueName/tdefolder.# su - grid $ asmcmd ASMCMD> cd +DATA/dbUniqueName ASMCMD> rm -rf tde/ - Update the
KeystoreTypeparameter in the DCS metadata for the database. For Oracle Database Appliance release 19.27, use theodacli register-databasecommand to update the MySQL metadata for the database.$ odacli register-database -sn database service name -c database class -s database shapeTo register the database using Oracle Key Vault server configuration, run the following command:$ odacli register-database -sn database service name -c database class -s database shape -osc OKVServerConfigName - Verify that the
keystoreTypeparameter for the database is set toOKV. Run theodacli describe-database -n dbName -jcommand and check thekeystoreTypeparameter in the command output. For the databases registered using Oracle Key Vault server configuration, theokvServerConfigNameparameter in theodacli describe-databasecommand output displays the Oracle Key Vault server configuration name used by the database.$ odacli describe-database -n dbName -j $ odacli describe-database -n tdedb -j { . "name" : "tdedb", "dbName" : "tdedb", "databaseUniqueName" : "tdedb", . . "enableTDE" : true, "tdePassword" : "**********", "tdeWalletManagement" : "ODA", "dbType" : "RAC", "dbRole" : "PRIMARY", "dbTargetNodeNumber" : null, "dbClass" : "OLTP", "dbShape" : "odb1", "dbStorage" : "ASM", . . "keystoreType" : "OKV", "okvServerConfigName" : "NONE" }
Manual Migration and Encryption of Data into TDE-Enabled Database
Understand how you can migrate transportable tablespaces to TDE-enabled database on Oracle Database Appliance.
- Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS database with Oracle Key Vault enabled on Oracle Database Appliance. - Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM database with Oracle Key Vault enabled on Oracle Database Appliance. - Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS CDB database with Oracle Key Vault enabled on Oracle Database Appliance. - Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM CDB database with Oracle Key Vault enabled on Oracle Database Appliance.
Parent topic: Managing TDE-Enabled Oracle Databases
Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS database with Oracle Key Vault enabled on Oracle Database Appliance.
Ensure that there is a source and destination database. The two
databases can be on one Oracle Database Appliance server or on different servers. The
source database must be an non TDE-enabled database, either an Oracle Database Appliance
database or any Oracle database with compatible Endian. The destination database must be
an Oracle Database Appliance database created with ODACLI commands.
Step 1: Export the tablespace from the source database
- Consider that the source database has a tablespace TBS01 to be
migrated to the destination database. Provide information about the
tablespace.
SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ----------------- --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE NO SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf SQL> ### ### Make sure the set of tablespaces are self-contained. The following PL/SQL command must run successfully ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. SQL> exit; - Create the database directory in the source database DBNOTDE
to be used for the export. Create a database directory object in the
destination database to be used by
expdp.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> - Export the TBS01 tablespace from souce database DBNOTDE. First,
set the tablespace to be copied in READ ONLY mode. Next, run
expdpon the designated tablespace. Review the log files forexpdpstored under the database directoryttsps_dir.### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Export: Release 19.0.0.0.0 - Production on Mon Nov 6 12:47:00 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Mon Nov 6 12:47:19 2023 elapsed 0 00:00:14 - Move data files to the destination database server and edit the status of
the data file in the source database DBNOTDE to
READ WRITE. Move the data file to the TDE-enabled database server in the location/u02/app/oracle/oradata/dbtde/DBTDE/datafile.### ### login as oracle user ### $ cp /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf /u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf ### ### In source database, set the tablespace back to read write mode ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, DBTDE as
the destination database, as described in the earlier procedure. Copy the
data file and tablespace of the source database to this database using
expdpandimpdp. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n dbtde -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ACFS # odacli describe-database -n dbtde Database details ---------------------------------------------------------------- ID: e261b9f8-8212-499b-840e-eb6ea3e09447 Description: dbtde DB Name: dbtde DB Type: SI CDB: false Storage: ACFS Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV - Create the database directory in the Oracle Key Vault-enabled
destination database for the import operation. The source database expdp
dump file and output for impdp is stored in the database directory object.
Copy the expdp dump file from the source database server to this server, and
use the impdp dump file to add tablespace metadata to destination
database.
### ### login as sysdba user and run the following: ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. - Import the TBS01 tablespace to the destination database DBTDE.
Copy the
expdpdump file of the source database to the database directoryttsps_dir. Theimpdpuses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf\' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Import: Release 19.0.0.0.0 - Production on Mon Nov 6 12:53:37 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/******** TRANSPORT_DATAFILES='/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Mon Nov 6 12:53:46 2023 elapsed 0 00:00:03 - Enable and test encryption on the destination Oracle Key
Vault-enabled
database.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES TEMP ONLINE YES USERS ONLINE YES TBS01 READ ONLY NO SQL> alter tablespace TBS01 read write ; Tablespace altered. ### encrypt TBS01. In case encrypt operation is interrupted , run 'alter tablespace TBS01 encryption online finish encrypt ;' SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES TEMP ONLINE YES USERS ONLINE YES TBS01 ONLINE YES ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- wallet_root string /etc/OKV/dbtde
Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM database with Oracle Key Vault enabled on Oracle Database Appliance.
Ensure that there is a source and destination database. The two
databases can be on one Oracle Database Appliance server or on different servers. The
source database must be an non TDE-enabled database, either an Oracle Database Appliance
database or any Oracle database with compatible Endian. The destination database must be
an Oracle Database Appliance database created with ODACLI commands and with Oracle Key
Vault enabled on it.
Step 1: Export the tablespace from the source database
- Consider that the source database has a tablespace TBS01 to be
migrated to the destination database. Provide information about the
tablespace.
SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE NO SQL> SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 ### ### Checks if a set of tablespaces (to be transported) is self-contained ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. - Create the database directory in the source database ASMNOTDE
to use for the export. Create a database directory object in the destination
database for
expdp.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. - Export the TBS01 tablespace from the souce database ASMNOTDE.
First, set the tablespace to be copied in READ ONLY mode. Next, run
expdpon the designated tablespace. Review the dump files forexpdpstored under the database directoryttsps_dir.### ### Set the tablespaces that you need to be exported in read-only mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Export: Release 19.0.0.0.0 - Production on Tue Nov 7 10:12:19 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttpsasm.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Tue Nov 7 10:12:49 2023 elapsed 0 00:00:20 - Move data files to the destination database server and edit the
status of the data file in the source database ASMNOTDE to
READ WRITE.### ### login to grid user ### Copying datafiles from ASM to filesystem ### $ asmcmd cp +DATA/ASMNOTDE/DATAFILE/tbs01.295.1165369089 /home/grid/tbs01.dbf copying +DATA/ASMNOTDE/DATAFILE/tbs01.295.1165369089 -> /home/grid/tbs01.dbf ### ### In source database, set the tablespace back to read write mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, ASMTDE as
the destination database. Copy the data file and tablespace of the source
database to this database using
expdpandimpdp. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n asmtde -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ASM # odacli describe-database -n asmtde Database details ---------------------------------------------------------------- ID: 5dfa97d9-d774-4a4a-93a2-d21a36faf283 Description: asmtde DB Name: asmtde DB Type: SI CDB: false Storage: ASM Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV - Copy the data file from file system to the destination Oracle
ASM location of
ASMTDE.
### ### login to grid user ### $ asmcmd cp /home/grid/tbs01.dbf +DATA/ASMTDE/DATAFILE/tbs01 --dest_dbname ASMTDE copying /home/grid/tbs01.dbf -> +DATA/ASMTDE/DATAFILE/tbs01 ASMCMD> ls --permission User Group Permission Name dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSAUX.292.1165368127 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSTEM.279.1165368093 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- UNDOTBS1.290.1165368143 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- USERS.288.1165368875 grid@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01 => +DATA/ASMTDE/DATAFILE/tbs01.294.1165425531 grid@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01.294.1165425531 ASMCMD> chown dbusr1@66d5786e6a057fd3bfa6ca745d993aef tbs01 ASMCMD> ls --permission User Group Permission Name dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSAUX.292.1165368127 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSTEM.279.1165368093 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- UNDOTBS1.290.1165368143 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- USERS.288.1165368875 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01 => +DATA/OKVDB2/DATAFILE/tbs012.294.1165425531 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01.294.1165425531 - Create the database directory in the ASMTDE database for the
import.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. - Import the TBS01 tablespace to the destination database ASMTDE.
Copy the
expdpdump file of the source database to the database directoryttsps_dir. Theimpdpuses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf\' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Import: Release 19.0.0.0.0 - Production on Mon Nov 6 12:53:37 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/******** TRANSPORT_DATAFILES='/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed - Enable and test encryption on the destination Oracle Key
Vault-enabled
database.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE YES TBS01 READ ONLY NO 6 rows selected. SQL> alter tablespace TBS01 read write ; Tablespace altered. ### encrypt TBS01. In case encrypt operation is interrupted , run 'alter tablespace TBS01 encryption online finish encrypt ;' SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE YES TBS01 ONLINE YES 6 rows selected. ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- wallet_root string /etc/OKV/asmtde
Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS CDB database with Oracle Key Vault enabled on Oracle Database Appliance.
Ensure that there is a source and destination database. The two
databases can be on one Oracle Database Appliance server or on different servers. The
source database must be an non TDE-enabled database, either an Oracle Database Appliance
database or any Oracle database with compatible Endian. The destination database must be
an Oracle Database Appliance database created with ODACLI commands and with Oracle Key
Vault enabled on it.
Step 1: Export the tablespace from the source database
- Ensure that the source database has a tablespace TBS01 to be
migrated to the destination database. Find the information about the
tablespace.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE NO SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf SQL> ### ### Checks if a set of tablespaces (to be transported) is self-contained ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. - Create the database directory in the source database DBNOTDE
to be used for the export. Create a database directory object in the
destination database to be used by
expdp.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> - Export the TBS01 tablespace from souce database DBNOTDE. First,
set the tablespace to be copied in READ ONLY mode. Next, run
expdpon the designated tablespace. Review the log files forexpdpstored under the database directoryttsps_dir.### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Export: Release 19.0.0.0.0 - Production on Mon Nov 6 12:47:00 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Mon Nov 6 12:47:19 2023 elapsed 0 00:00:14 - Move data files to the destination database server and edit the
status of the data file in the source database DBNOTDE to
READ WRITE. Move the data file to the TDE-enabled database server in the PDB2 data files location.### ### login as oracle user ### $ cp /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf /u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/ ### ### In source database, set the tablespace back to read write mode ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, CDBTDE as
the destination database. Copy the data file and tablespace of the source
database to this database using
expdpandimpdp. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n okvdb2 -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ACFS --cdb -d pdbadmin -p pdb2 # odacli describe-database -n cdbtde Database details ---------------------------------------------------------------- ID: c1ba7c6a-2808-4a20-bf23-e35cb62c3fd0 Description: cdbtde DB Name: cdbtde DB Type: SI CDB: true PDB Name: PDB2 PDB Admin User Name: pdbadmin Storage: ACFS Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV ### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### Take a note of PDB2 GUID which helps to determine the path of PDB2 datafiles ### SQL> col PDB_NAME for a20 SQL> select PDB_NAME,GUID from dba_pdbs ; PDB_NAME GUID -------------------- -------------------------------- PDB2 092546916A493FE5E063E730850AF5BE PDB$SEED 15998A6665985353E063BE6B1F0A494A - Create tnsnames service for
PDB2.
### ### Edit the file $ORACLE_HOME/network/admin/tnsnames.ora with the following content ### $ srvctl add service -db cdbtde -service cdbtde_pdb2 -pdb pdb2 -role PRIMARY -policy AUTOMATIC $ srvctl start service -db cdbtde -service cdbtde_pdb2 CDBTDE_PDB2 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = <server-name>)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = cdbtde_pdb2.test) - Create directory in PDB2 for the
import.
### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER SESSION SET CONTAINER=PDB2 ; SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> - Import the TBS01 tablespace to the destination database PDB2
container on CDBTDE. Copy the
expdpdump file of the source database to the database directoryttsps_dir. Theimpdpuses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system@pdb2 TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/o1_mf_tbs01_lnlgn65j_.dbf\' DIRECTORY=ttsps_dir dumpfile=exp1.dmp Import: Release 19.0.0.0.0 - Production on Thu Nov 9 21:42:25 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/********@pdb2 TRANSPORT_DATAFILES='/u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/o1_mf_tbs01_lnlgn65j_.dbf' DIRECTORY=ttsps_dir dumpfile=exp1.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/STATISTICS/MARKER Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Thu Nov 9 21:42:52 2023 elapsed 0 00:00:19 - Enable and test encryption on the destination Oracle Key
Vault-enabled database
PDB1.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> alter session set container=pdb2 ; Session altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 READ ONLY NO SQL> alter tablespace TBS01 read write ; Tablespace altered. ### encrypt TBS01. In case encrypt operation is interrupted , run 'alter tablespace TBS01 encryption online finish encrypt ;' SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE YES SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- /u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/ o1_mf_tbs01_lnx8h50f_.dbf ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- wallet_root string /etc/OKV/cdbtde
Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM CDB database with Oracle Key Vault enabled on Oracle Database Appliance.
Ensure that there is a source and destination database. The two
databases can be on one Oracle Database Appliance server or on different servers. The
source database must be an non TDE-enabled database, either an Oracle Database Appliance
database or any Oracle database with compatible Endian. The destination database must be
an Oracle Database Appliance database created with ODACLI commands and with Oracle Key
Vault enabled on it.
Step 1: Export the tablespace from the source database
- Ensure that the source database has a tablespace TBS01 to be
migrated to the destination database. Find the information about the
tablespace.
SQL> SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ----------------- --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE NO SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 ### ### Checks if a set of tablespaces (to be transported) is self-contained ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed. - Create the database directory in the source database ASMNOTDE
to use for the export. Create a database directory object in the destination
database for
expdp.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. - Export the TBS01 tablespace from the souce database ASMNOTDE.
First, set the tablespace to be copied in READ ONLY mode. Next, run
expdpon the designated tablespace. Review the dump files forexpdpstored under the database directoryttsps_dir.### ### Set the tablespaces that you need to be exported in read-only mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Export: Release 19.0.0.0.0 - Production on Tue Nov 7 10:12:19 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttpsasm.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Tue Nov 7 10:12:49 2023 elapsed 0 00:00:20 - Move data files to the destination database server and edit the
status of the data file in the source database ASMNOTDE to
READ WRITE.### ### login to grid user ### Copying datafiles from ASM to filesystem ### $ asmcmd cp +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 /home/grid/tbs01.dbf copying +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 -> /home/grid/tbs01.dbf ### ### In source database, set the tablespace back to read write mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, ASMTDE as
the destination database. Copy the data file and tablespace of the source
database to this database using
expdpandimpdp. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n asmtde -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ASM --cdb -d pdbadmin -p pdb1 # odacli describe-database -n asmtde Database details ---------------------------------------------------------------- ID: 5dfa97d9-d774-4a4a-93a2-d21a36faf283 Description: asmtde DB Name: asmtde DB Type: SI CDB: true PDB Name: PDB1 PDB Admin User Name: pdbadmin Storage: ASM Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV ### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> col PDB_NAME for a20 SQL> select PDB_NAME,GUID from dba_pdbs ; PDB_NAME GUID -------------------- -------------------------------- PDB1 1599A96E256A8B99E063BE6B1F0AC02B PDB$SEED 15998A6665985353E063BE6B1F0A494A - Copy the data file from file system to the destination Oracle
ASM location of ASMTDE. Ensure that you set the relevant permissions after
copying the
file.
### ### login to grid user ### $ asmcmd cp /home/grid/tbs01.dbf +DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01 --dest_dbname ASMTDE copying /home/grid/tbs01.dbf -> +DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01 $ asmcmd ASMCMD> pwd +DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE ASMCMD> ls --permission User Group Permission Name dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSAUX.332.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSTEM.333.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- UNDOTBS1.331.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- USERS.335.1165769685 grid@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- tbs01 => +DATA/ASMTDE/DATAFILE/tbs01.338.1165770781 ASMCMD> chown dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 tbs01 ASMCMD> ASMCMD> ls --permission User Group Permission Name dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSAUX.332.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSTEM.333.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- UNDOTBS1.331.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- USERS.335.1165769685 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- tbs01 => +DATA/ASMTDE/DATAFILE/tbs01.338.1165770781 - Create tnsnames service for
PDB1.
### ### Edit the file $ORACLE_HOME/network/admin/tnsnames.ora with the following content ### $ srvctl add service -db asmtde -service asmtde_pdb1 -pdb pdb1 -role PRIMARY -policy AUTOMATIC $ srvctl start service -db asmtde -service asmtde_pdb1 ASMTDE_PDB1 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = <server-name>)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = asmtde_pdb1.test) - Create the directory in PDB1 for the
import.
### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER SESSION SET CONTAINER=PDB1 ; SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL> - Import the tablespace to PDB1. Copy the
expdpdump file of the source database to the database directoryttsps_dir. Theimpdpuses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system@asmtde_pdb1 TRANSPORT_DATAFILES=\'+DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01\' DIRECTORY=ttsps_dir dumpfile=expttpsasm.dmp Import: Release 19.0.0.0.0 - Production on Mon Apr 8 17:52:09 2024 Version 19.23.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/********@pdb1 TRANSPORT_DATAFILES='+DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01' DIRECTORY=ttsps_dir dumpfile=expttpsasm.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Mon Apr 8 17:52:18 2024 elapsed 0 00:00:03 - Enable and test encryption on the destination Oracle Key
Vault-enabled database
PDB1.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> alter session set container=pdb1 ; Session altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 READ ONLY NO 6 rows selected. SQL> alter tablespace TBS01 read write ; Tablespace altered. ### encrypt TBS01. In case encrypt operation is interrupted , run 'alter tablespace TBS01 encryption online finish encrypt ;' SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE YES 6 rows selected. ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 2 ; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- wallet_root string /etc/OKV/asmtde