Let’s do some tests with the Oracle 18c new feature in creating PDB clone with DBCA. Unfortunately, this feature does not work when you have TDE enabled.
Just to remember, with Oracle 12.2 we had the possibility to create PDBs with dbca just from PDBseed to from unplugged PDBs:
Now in version 18c we can create PDBs from existing PDBs as follows (for this test TDE is disabled):
You can choose the Pluggable Database you want to clone.
You select the name of your cloned PDB, and in less than 1 minute your original PDB is cloned:
[email protected]:/u00/app/oracle/oradata/PSI/ [DB18] sq SQL*Plus: Release 184.108.40.206.0 Production on Mon Apr 30 12:55:54 2018 Version 220.127.116.11.0 Copyright (c) 1982, 2017, Oracle. All rights reserved. Connected to: Oracle Database 18c Enterprise Edition Release 18.104.22.168.0 - Production Version 22.214.171.124.0 SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED 2 PDB$SEED READ ONLY NO 3 PDB1 READ WRITE NO 5 PDBNEW READ WRITE NO
Let’s make some tests with PDBs and TDE.
In Oracle 18c, it is no more mandatory to configure the sqlnet.ora file, we only have to define wallet_root and tde_configuration as follows:
SQL> alter system set wallet_root='/u00/app/oracle/admin/DB18/wallet_cdb' scope=spfile; SQL> startup force; ORACLE instance started. Total System Global Area 1677717664 bytes Fixed Size 8896672 bytes Variable Size 520093696 bytes Database Buffers 1140850688 bytes Redo Buffers 7876608 bytes Database mounted. Database opened. SQL> alter system set tde_configuration="keystore_configuration=file" scope=both; System altered.
We create a management key in the CDB
SQL> administer key management create keystore identified by manager_cdb; keystore altered.
The wallet file is created:
SQL> !ls /u00/app/oracle/admin/DB18/wallet_cdb/tde ewallet.p12
We open the keystore for the CDB and the PDBs:
SQL> administer key management set keystore open identified by manager_cdb container=all; keystore altered.
We check in the pluggable database:
SQL> alter session set container=pdb1; Session altered. SQL> select status from v$encryption_wallet; STATUS OPEN_NO_MASTER_KEY
But we receive open_no_master_key …
We return to the CDB:
SQL> connect / as sysdba Connected. SQL> administer key management set key identified by manager_cdb with backup; keystore altered.
In the PDB:
SQL> alter session set container=pdb1; Session altered. SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY manager_cdb with backup; keystore altered. SQL> select status from v$encryption_wallet; STATUS OPEN
The keystore is now opened in the PDB, we can encrypt the data. With Oracle 18c there are two modes: united (the CDB owns the keystore for itself and the PDBs) or isolated (the PDB has its own keystore). In our case we are in united mode, let’s see if we can clone the PDB.
SQL> SELECT KEYSTORE_MODE FROM V$ENCRYPTION_WALLET; KEYSTORE UNITED
We do the same operations as previously, but the assistant is asking us for the keystore password:
By looking at oracle error messages, we can find a similar error on PDB switchover : “Metalink Note 2378945.1: “We only support this with auto login wallet”
So I decided to implement auto login in my configuration and try to clone my PDB:
SQL> administer key management create local auto_login keystore from keystore '/u00/app/oracle/admin/DB18/wallet_cdb/tde' identified by manager_cdb; SQL> startup force; ORACLE instance started. Total System Global Area 1677717664 bytes Fixed Size 8896672 bytes Variable Size 520093696 bytes Database Buffers 1140850688 bytes Redo Buffers 7876608 bytes Database mounted. Database opened.
My PDB TDE configuration is in auto login mode:
SQL> select wrl_type,status, wallet_type from v$encryption_wallet; WRL_TYPE STATUS WALLET_TYPE FILE OPEN LOCAL_AUTOLOGIN
But even if TDE is implemented in auto login mode, the PDB clone operation fails with the same ORA-46697 error message.
We also encounter this bad behavior with the 18c new features about PDBs snapshot, which allows to create PDBs snapshots manually or automatically:
SQL> create pluggable database snap_pdb1 from pdb1 2 file_name_convert = ('snap_pdb1', 'pdb1') 3* snapshot mode every 60 minutes create pluggable database snap_pdb1 from pdb1 * ERROR at line 1: ORA-46697: Keystore password required.
Cloning PDBs is a very useful tool in order to realize mass deployment to development teams, it should be nice to make it work with TDE enabled.