Exporting A Keystore From ASM To A Target Host For Oracle TDE Provisioning
KBA# 8286
Prerequisites
It is expected that the source database already has a keystore configured and has encrypted tables. The
steps for configuring this are provided below as an example only. These steps should only be performed
in a lab environment or after consultation with your DBA team or Oracle.
1. Configure sqlnet.ora. This must be done on all nodes in the case of RAC.
WRL_PARAMETER STATUS
----------------------------- ------------------------------
+DATA/DBOMSRE7B249/ CLOSED
keystore altered.
WRL_PARAMETER STATUS
------------------------------- ------------------------------
+DATA/DBOMSRE7B249/ OPEN_NO_MASTER_KEY
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY abc123 WITH BACKUP;
WRL_PARAMETER STATUS
------------------------------ ------------------------------
+DATA/DBOMSRE7B249/ OPEN
A backup will now be created in the keystore location, along with the existing keystore.
ASMCMD> ls ewallet*
ewallet.p12
ewallet_2021102504065896.p12
6. Now that the keystore and key are configured, TDE tablespaces can be created.
1 row created.
SQL> commit;
Commit complete.
7. With the tablespace encrypted, the database can now be linked to Delphix or a new snapshot taken to
capture the encrypted tablespace.
1. Using sqlplus, create an empty keystore on the source filesystem to merge the source keys into.
keystore altered.
SQL>
2. Using sqlplus, merge the source keystore on ASM into the file-based keystore on disk.
keystore altered.
3. Copy the file-based keystore to the target host. In this example it is copied to a temporary location;
however, it could be copied directly to the final destination shown later in this document.
At this point, no further action is required on the source host/database. All further steps are performed
on the target host.
4. Create a minimum init file to allow an instance to be started to manage the keystore.
cat $ORACLE_HOME/dbs/initTDE.ora
db_name=TDE
[oracle@tde-tgt dbs]$ export ORACLE_SID=TDE
keystore altered.
7. Copy the created wallet/sso file to the target wallet location. In this case, we will be provisioning a VDB
called "MYVDB".
This step will need to be performed before provisioning for any VDB being provisioned to this host.
Provisioning should now be successful. Once the provision is complete, you can confirm by logging into the
target VDB and checking v$encryption_wallet and v$encryption_keys.
The output should be as follows:
SQL>
SQL> select key_id from v$encryption_keys;
KEY_ID
------------------------------------------------------------------------------
AWmSDN32h08ovyehfgfV73IAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The key_id shown here should match the key_id from the source database.
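The key_id comparison described above, as an added example that is not part of the original article: a shell helper that extracts KEY_ID values from saved sqlplus output of the query shown and reports any source key that is missing on the target. The function names, the 20-character minimum token length and the sample key IDs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare master key IDs between source and target sqlplus output.
# Sample outputs below are constructed; the key IDs are not real.
SRC_OUT='SQL> select key_id from v$encryption_keys;

KEY_ID
------------------------------------------------------------------------------
AAAAconstructedKeyOneAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBconstructedKeyTwoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

2 rows selected.'
TGT_PARTIAL='KEY_ID
------------------------------------------------------------------------------
AAAAconstructedKeyOneAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Print the sorted, unique KEY_ID values found in sqlplus output ($1).
# A key ID is taken to be a base64-alphabet token of 20+ characters (assumption),
# which skips prompts, the column header, the dashed rule and row-count feedback.
extract_key_ids() {
    printf '%s\n' "$1" | LC_ALL=C awk '
        { sub(/\r$/, "") }   # tolerate CRLF spool files
        $1 ~ /^[A-Za-z0-9+\/=]+$/ && length($1) >= 20 { print $1 }
    ' | LC_ALL=C sort -u
}

# Print every key ID present in source output ($1) but absent from target output ($2).
missing_on_target() {
    tgt_ids=$(extract_key_ids "$2")
    extract_key_ids "$1" | while IFS= read -r id; do
        [ -n "$id" ] || continue
        printf '%s\n' "$tgt_ids" | grep -Fxq -- "$id" || printf '%s\n' "$id"
    done
}

# Return 0 only if the source yielded at least one key and the target has them all.
# Return 2 when nothing was parsed from the source, so an empty spool never "passes".
verify_target_keys() {
    [ -n "$(extract_key_ids "$1")" ] || { echo "no key IDs in source output" >&2; return 2; }
    missing=$(missing_on_target "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'missing on target: %s\n' $missing >&2
    return 1
}

if verify_target_keys "$SRC_OUT" "$TGT_PARTIAL"; then
    echo "target keystore holds every source master key"
else
    echo "target keystore is incomplete; re-run the merge and copy"
fi
```

Comparing the full set rather than a single value matters once the source master key has been rotated, because older snapshots can still depend on earlier keys.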