emcli_tde
Performs TDE operations on a given target database.
Format
emcli tde
      -target_name="target_name"
      -target_type="target_type"
      -operation="operation"
      -connect_as="DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]"
            or "DBNamedCreds:unamedcreds"
            or "DBCredsOwner:ucredsowner;DBNamedCreds:unamedcreds"
      [-wallet_password="wallet_password"]
      [-wallet_new_password="new_wallet_password"]
      [-wallet_location="wallet_location"]
      [-keystore_type="HSM"]
      [-keystore_status="open"]
      [-tablespace="tablespace"]
      [-backup_id="new_backup_101"]
      [-backup_location="\scratch\oracle\wallet\"]
      [-algorithm="algorithm"]
      [-master_key_tag="NEW MASTER KEY"]
      [-keep="yes/no" default "no"]
      [-encrypted="yes/no" default "no"]
      [-validate_only="yes/no" default "no"]

[ ] indicates that the parameter is optional.
Options
- target_name
  The name of the target.
- target_type
  The type of the target. The default value for this argument is oracle_database. The possible values are oracle_database and rac_database.
- operation
  The name of the TDE operation. It is case sensitive. The following operations are supported: rekey, open_keystore, close_keystore, make_tablespace_offline, make_tablespace_online, encrypt_tablespace_online, decrypt_tablespace_online, rekey_tablespace_online, finish_tablespace_online, encrypt_tablespace_offline, and decrypt_tablespace_offline.
- master_key_tag
  From database version 12.1, the administrator can provide a tag to identify the master key with the rekey operation. This parameter is optional; by default, "NEW MASTER KEY" is used as the tag.
- connect_as
  This option enables the user to change the password of a different user without logging in as that user. It should be specified in either of the following formats:
    "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]"
    "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
  If this is not specified, the password will be changed by self.
- wallet_password
  For the rekey, close, and open operations, the wallet password is required to perform the TDE wallet management operation.
- wallet_new_password
  For the change password operation, the new wallet password is required to change the password.
- wallet_location
  For TDE wallet management operations, the wallet location is required to identify the wallet.
- keystore_type
  For the list_databases operation, the keystore_type option can be used to filter the result.
- keystore_status
  For the list_databases operation, the keystore_status option can be used to filter the result.
- backup_location
  For the TDE keystore backup operation, the backup keystore location is optional. If it is not provided, the current keystore location is used to store the backed-up keystore file.
- backup_id
  For the TDE keystore backup operation, the backup keystore ID is optional. If it is not provided, the current server timestamp is used as the backup ID.
- tablespace
  The tablespace name is required to perform encrypt, decrypt, and rekey operations on the given tablespace.
- algorithm
  The encryption algorithm is required to perform encryption and rekey operations on the given tablespace.
- keep
  Indicates whether to keep the old datafiles after a tablespace encryption, decryption, or rekey operation. The possible values:
    Yes - Keep the old datafiles.
    No - Do not keep the old datafiles.
Note:
On execution (Wallet Management operations: rekey, open, and close), you will be prompted to enter the wallet_password in non-echo mode.
Examples
Example 1
The following example tries to close the TDE wallet on target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=close -wallet_password=Testing_1234 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 2
The following example tries to open the TDE wallet on target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=open -wallet_password=Testing_1234 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 3
The following example tries to rekey the master key on target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=rekey -master_key_tag="new_rekey_101" -wallet_password=Testing_1234 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 4
The following example tries to back up the keystore. Backup ID and location are optional arguments. By default, the keystore is backed up to the current keystore location and the backup ID is the current server timestamp. The backup_keystore operation is supported starting from database version 12.1.
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=backup_keystore -backup_id="new_backup_101" -backup_location="\scratch\oracle\wallet\" -wallet_password=Testing_1234 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 5
The following example tries to change the keystore password. The change_keystore_password operation is supported starting from database version 12.1.
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=change_keystore_password -wallet_password=Testing_1234 -wallet_new_password=Testing#4321 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 6
The following example fetches keystore details for the given target:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=keystore_details -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 7
The following example brings the tablespace online on the target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=make_tablespace_online -tablespace=EXAMPLE_TS_1 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 8
The following example encrypts the tablespace using the online feature on the target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=encrypt_tablespace_online -tablespace=EXAMPLE_TS_1 -algorithm=AES256 -keep=yes -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 9
The following example rekeys the tablespace using the online feature on the target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=rekey_tablespace_online -tablespace=EXAMPLE_TS_1 -algorithm=AES192 -keep=yes -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 10
The following example decrypts the tablespace using the online feature on the target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=decrypt_tablespace_online -tablespace=EXAMPLE_TS_1 -keep=yes -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 11
The following example uses the finish operation to finish a previously run online tablespace operation that has run into issues:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=finish_tablespace_online -tablespace=EXAMPLE_TS_1 -algorithm=AES192 -keep=yes -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Note:
The offline feature is supported only on target database versions 11.2.0.4, 12.1, and 12.2.
Example 12
The following example takes the tablespace offline on the target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=make_tablespace_offline -tablespace=EXAMPLE_TS_1 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 13
The following example encrypts the tablespace using the offline feature on the target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=encrypt_tablespace_offline -tablespace=EXAMPLE_TS_1 -algorithm=AES256 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 14
The following example decrypts the tablespace using the offline feature on the target tdeEnabledDatabase:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=decrypt_tablespace_offline -tablespace=EXAMPLE_TS_1 -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 15
The following example lists tablespaces for a given target:
emcli tde -target_name=tdeEnabledDatabase -target_type=oracle_database -operation=list_tablespaces -encrypted=yes/no -connect_as= "DBUserName:uname;DBPassword:upassword[;DBRole:SYSDBA]" or "[DBCredsOwner:ucredsowner;]DBNamedCreds:unamedcreds"
Example 16
The following example lists databases with TDE details. Target name, target type, keystore type, and keystore status are optional filter arguments that can be used to further refine the result.
emcli tde -target_name=TargetDBName -target_type=oracle_database -operation=list_databases -keystore_type=HSM/WALLET/OKV -keystore_status=open/closed/unknown/not_configured
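The following is an added example, not part of the Oracle documentation or of emcli: a shell function that checks the arguments of an emcli tde call before it is run. It flags wallet or database passwords given inline (the Note in the Options section says wallet_password is prompted for in non-echo mode on rekey, open, and close, and connect_as accepts a DBNamedCreds reference) and operation names that do not match exactly. The function name lint_tde_args and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Oracle code): lint the arguments of one "emcli tde" call.
# Operation names are the ones this page lists or uses in Examples 1-16.
TDE_OPS="rekey open close open_keystore close_keystore backup_keystore
change_keystore_password keystore_details list_tablespaces list_databases
make_tablespace_offline make_tablespace_online encrypt_tablespace_online
decrypt_tablespace_online rekey_tablespace_online finish_tablespace_online
encrypt_tablespace_offline decrypt_tablespace_offline"

# Usage: lint_tde_args -target_name=... -operation=... -connect_as=...
# Prints one finding per line; exit status 0 means no findings.
# The body runs in a subshell so its variables do not leak to the caller.
lint_tde_args() (
  op="" known=no findings=0
  report() { printf '%s\n' "$1"; findings=$((findings + 1)); }
  for arg in "$@"; do
    val=${arg#*=}
    case $arg in
      -operation=*) op=$val ;;
      # Secrets typed inline end up in shell history and the process list.
      -wallet_password=*|-wallet_new_password=*)
        report "INLINE_SECRET ${arg%%=*}" ;;
      -connect_as=*)
        case $val in
          *DBPassword:*)   report "INLINE_SECRET -connect_as DBPassword" ;;
          *DBNamedCreds:*) ;;  # reference to a stored credential, no secret
          *)               report "BAD_CONNECT_AS" ;;
        esac ;;
    esac
  done
  # -operation is case sensitive, so compare exactly.
  for o in $TDE_OPS; do [ "$o" = "$op" ] && known=yes; done
  [ "$known" = yes ] || report "UNKNOWN_OPERATION ${op:-<missing>}"
  [ "$findings" -eq 0 ]
)
```

Pass the same arguments you would give to emcli tde, each as one quoted word; run the real command only when the function returns 0.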