Infrastructure at your Service

Pierre Sicot

Oracle 18c clone PDB and Transparent Data Encryption

Let’s do some tests with the Oracle 18c new feature in creating PDB clone with DBCA. Unfortunately, this feature does not work when you have TDE enabled.

Just as a reminder: with Oracle 12.2, DBCA could only create PDBs from PDB$SEED or from unplugged PDBs:

[Screenshot psi1: DBCA 12.2 PDB creation options]

Now in version 18c we can create PDBs from existing PDBs as follows (for this test TDE is disabled):

[Screenshot psi2: DBCA 18c option to create a PDB from an existing PDB]

You can choose the Pluggable Database you want to clone.

[Screenshot psi3: DBCA dialog to choose the PDB to clone]

You enter the name of the cloned PDB, and in less than a minute your original PDB is cloned:

oracle@localhost:/u00/app/oracle/oradata/PSI/ [DB18] sq
SQL*Plus: Release 18.0.0.0.0 Production on Mon Apr 30 12:55:54 2018
Version 18.1.0.0.0
Copyright (c) 1982, 2017, Oracle.  All rights reserved.
Connected to:
Oracle Database 18c Enterprise Edition Release 18.0.0.0.0 - Production
Version 18.1.0.0.0

SQL> show pdbs
    CON_ID CON_NAME         OPEN MODE  RESTRICTED
         2 PDB$SEED         READ ONLY  NO
         3 PDB1             READ WRITE NO
         5 PDBNEW           READ WRITE NO

Let’s now run the same tests with TDE enabled.

In Oracle 18c it is no longer mandatory to configure the sqlnet.ora file for TDE; we only have to set wallet_root and tde_configuration as follows:

SQL> alter system set wallet_root='/u00/app/oracle/admin/DB18/wallet_cdb' scope=spfile;
SQL> startup force;
ORACLE instance started.
Total System Global Area 1677717664 bytes
Fixed Size                  8896672 bytes
Variable Size             520093696 bytes
Database Buffers         1140850688 bytes
Redo Buffers                7876608 bytes
Database mounted.
Database opened.

SQL> alter system set tde_configuration="keystore_configuration=file" scope=both;
System altered.

We create the keystore in the CDB:

SQL> administer key management create keystore identified by manager_cdb;
keystore altered.

The wallet file is created:

SQL> !ls /u00/app/oracle/admin/DB18/wallet_cdb/tde
ewallet.p12

We open the keystore for the CDB and the PDBs:

SQL> administer key management set keystore open identified by manager_cdb container=all;
keystore altered.

We check in the pluggable database:

SQL> alter session set container=pdb1;
Session altered.
SQL> select status from v$encryption_wallet;
STATUS
OPEN_NO_MASTER_KEY

But the status is OPEN_NO_MASTER_KEY: the keystore is open, but no TDE master encryption key has been set yet.

We return to the CDB:

SQL> connect / as sysdba
Connected.
SQL> administer key management set key identified by manager_cdb with backup;
keystore altered.

In the PDB:

SQL> alter session set container=pdb1;
Session altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY manager_cdb with backup;
keystore altered.

SQL> select status from v$encryption_wallet;
STATUS
OPEN

The keystore is now open in the PDB, so we can encrypt data. With Oracle 18c there are two keystore modes: united (the CDB owns one keystore for itself and its PDBs) or isolated (the PDB has its own keystore). In our case we are in united mode; let’s see if we can clone the PDB.

SQL> SELECT KEYSTORE_MODE FROM V$ENCRYPTION_WALLET;
KEYSTORE
UNITED

We repeat the same DBCA clone operation as before, but this time the assistant asks us for the keystore password:

[Screenshot psi4: DBCA prompting for the keystore password]

Looking through the Oracle error messages, we find a similar error reported for PDB switchover in Metalink Note 2378945.1: “We only support this with auto login wallet”.

So I decided to switch my configuration to an auto-login keystore and try to clone my PDB again:

SQL> administer key management create local auto_login keystore from keystore '/u00/app/oracle/admin/DB18/wallet_cdb/tde' identified by manager_cdb;

SQL> startup force;
ORACLE instance started.

Total System Global Area 1677717664 bytes
Fixed Size                  8896672 bytes
Variable Size             520093696 bytes
Database Buffers         1140850688 bytes
Redo Buffers                7876608 bytes
Database mounted.
Database opened.

My TDE configuration is now in auto-login mode:

SQL> select wrl_type,status, wallet_type from v$encryption_wallet;

WRL_TYPE	     STATUS			    WALLET_TYPE
FILE		     OPEN			    LOCAL_AUTOLOGIN

But even with TDE in auto-login mode, the PDB clone operation fails with the same ORA-46697 error message.
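Before retrying a clone, it helps to see the state the post walked through for every container at once. The queries below are an added example, not part of the original post or of DBCA; they run as SYSDBA from CDB$ROOT and assume the 18c columns of V$ENCRYPTION_WALLET (KEYSTORE_MODE appeared in 18c) and V$PDBS. The second query lists containers that are still in OPEN_NO_MASTER_KEY or still on a password keystore; as shown above, an auto-login keystore is necessary for a password-less clone but was not sufficient in this test.

```sql
-- Added example (not from the original post): TDE state per container.
-- Run as SYSDBA from CDB$ROOT. Assumes the 18c V$ENCRYPTION_WALLET columns.
set linesize 200 pagesize 100
column con_name        format a12
column wrl_parameter   format a45
column status          format a20
column wallet_type     format a16
column keystore_mode   format a13
column fully_backed_up format a8

-- Overview: root has con_id 1 and is not in V$PDBS, hence the LEFT JOIN + NVL.
select nvl(p.name, 'CDB$ROOT') as con_name,
       w.con_id,
       w.wrl_type,
       w.wrl_parameter,      -- keystore path; NULL for PDBs in united mode
       w.status,             -- OPEN expected; OPEN_NO_MASTER_KEY = SET KEY never run here
       w.wallet_type,        -- PASSWORD vs AUTOLOGIN / LOCAL_AUTOLOGIN
       w.keystore_mode,      -- UNITED (shares the CDB keystore) or ISOLATED
       w.fully_backed_up     -- NO until the keystore is backed up (SET KEY ... WITH BACKUP)
  from v$encryption_wallet w
  left join v$pdbs p on p.con_id = w.con_id
 order by w.con_id;

-- Containers that still need attention before any clone attempt:
-- no master key set, or keystore still password-protected (not auto-login).
select nvl(p.name, 'CDB$ROOT') as con_name,
       w.status,
       w.wallet_type
  from v$encryption_wallet w
  left join v$pdbs p on p.con_id = w.con_id
 where w.status <> 'OPEN'
    or w.wallet_type not in ('AUTOLOGIN', 'LOCAL_AUTOLOGIN')
 order by w.con_id;
```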

We also hit the same behaviour with the 18c PDB snapshot feature, which allows PDB snapshots to be created manually or automatically:

SQL> create pluggable database snap_pdb1 from pdb1
  2  file_name_convert = ('snap_pdb1', 'pdb1')
  3* snapshot mode every 60 minutes
create pluggable database snap_pdb1 from pdb1
*
ERROR at line 1:
ORA-46697: Keystore password required.

Cloning PDBs is a very useful tool for mass deployment to development teams; it would be nice if it worked with TDE enabled.

Pierre Sicot, Senior Consultant