9 Managing Oracle Databases
Manage the Oracle Databases on your Oracle Database Appliance.
- About Administrative Groups and Users on Oracle Database Appliance
Oracle Database Appliance Browser User Interface deployment creates operating system groups and users whose members are granted system administration privileges on the appliance. - About Data Migration Options for Oracle Database Appliance
Oracle Database Appliance supports the use of standard Oracle Database loading and migration tools. - About Creating Database Homes on Oracle ACFS Storage
When you create new Oracle Database homes, they are created on Oracle ACFS file system which are stored on Oracle Database Appliance storage disks. You can create new Oracle Database homes using theodacli create-database
orodacli create-dbhome
commands, or when you patch an existing database home. - About Standard Edition High Availability for Oracle Database Appliance
Oracle Database Appliance supports Standard Edition High Availability solution with Oracle Grid Infrastructure that provides cluster-based failover for Oracle Database 19c Standard Edition. - About Enterprise Edition High Availability for Oracle Database Appliance
Oracle Database Appliance supports Enterprise Edition High Availability solution with Oracle Grid Infrastructure that provides cluster-based failover for Oracle Database Enterprise Edition. - About Transparent Database Encryption (TDE) in Oracle Database Appliance
Transparent Data Encryption (TDE) enables you to encrypt sensitive data that you store in tables and tablespaces. - Storing Transparent Database Encryption Keys on Oracle Key Vault Server
Understand how you can create Transparent Database Encryption (TDE) enabled databases on Oracle Database Appliance and store the TDE keys on Oracle Key Vault server. - Working with Databases
Use the Browser User Interface to display a list of databases, database details, and create and delete databases. You can use CLI commands to manage your databases. - Working with Database Homes
Use the Browser User Interface to display a list of database homes, details, and create and delete database homes. - Migrating Databases
Review these topics to learn how to prepare for and migrate an entire database to your Oracle Database Appliance. - About Registering a TDE-Enabled Database
Understand the process to register Transparent Data Encryption (TDE) enabled databases. - About Managing Multiple Database Instances Using Instance Caging
Use instance caging to manage your system resources on Oracle Database Appliance. - Oracle EM Express and DB Console
You can use Oracle Enterprise Manager Database Express (EM Express), or the Database Control Console (DB Console) to manage your database.
About Administrative Groups and Users on Oracle Database Appliance
Oracle Database Appliance Browser User Interface deployment creates operating system groups and users whose members are granted system administration privileges on the appliance.
During configuration, two administrative accounts are created for Oracle Database Appliance: the user grid
, with a user ID (UID) of 1001, and the user oracle
, with a UID of 1000. The user grid
is the Oracle Grid Infrastructure installation owner. The user oracle
is the Oracle Database installation owner, and the owner of all Oracle Database homes (Oracle homes). By default, these users are members of operating system groups whose members are granted privileges to start up and administer Oracle Database and Oracle Automatic Storage Management.
The following table describes the Oracle system privileges groups, and information about the operating system authentication groups:
Table 9-1 Operating System Groups and Users on Oracle Database Appliance
Oracle System Privileges | Group Name | Group ID (GID) | grid is a member | oracle is a member |
---|---|---|---|---|
Oracle Inventory group (OINSTALL) |
|
1001 |
yes (primary group) |
yes (primary group) |
OSOPER for dbaoper group |
|
1002 |
yes |
yes |
OSDBA group |
|
1003 |
no |
yes |
OSASM group for Oracle ASM |
|
1004 |
yes |
no |
OSOPER for ASM group |
|
1005 |
yes |
no |
OSDBA for ASM group |
|
1006 |
yes |
yes |
To change the Group Name and GID from the default values on Oracle Database Appliance bare metal platforms, change the default values from the Browser User Interface during the deployment. If you create an initial database during deployment, then the password for the SYS and SYSTEM users is the password that you set in the Browser User Interface.
To change the Group Name and GID from the default values on the Oracle Database
Appliance Virtualized Platform, use the -advance
parameter with the
command oakcli deploy
. If you create an initial database
during deployment, then the password for the SYS and SYSTEM users is the ROOT password
from the Configurator.
Note:
Change the password for both users as soon as possible after configuration to prevent unauthorized access to your database using these privileged accounts.Parent topic: Managing Oracle Databases
About Data Migration Options for Oracle Database Appliance
Oracle Database Appliance supports the use of standard Oracle Database loading and migration tools.
If you are loading data or migrating data from an existing database to Oracle Database Appliance, then you can use the standard Oracle Database loading and migration tools. These tools include the following:
-
Oracle GoldenGate
-
SQL*Loader
-
Oracle Data Pump
-
transportable tablespaces
-
RMAN
You can also use the RMAN utility to back up and recover databases on Oracle Database Appliance.
Parent topic: Managing Oracle Databases
About Creating Database Homes on Oracle ACFS Storage
When you create new Oracle Database homes, they are created on Oracle ACFS
file system which are stored on Oracle Database Appliance storage disks. You can create new
Oracle Database homes using the odacli create-database
or odacli
create-dbhome
commands, or when you patch an existing database
home.
Oracle Database homes are created on an Oracle ACFS-managed file system. For a
database user oracle
, the new database homes are created under
/u01/app/odaorahome/oracle/
.
The mount /u01/app/odaorahome
is a shared file system for a
high-availability system. On a high-availability system,
/u01/app/odaorahome/
is a shared ORACLE_HOME between the nodes.
Existing database homes continue to remain on the local disks.
The ORACLE_BASE location has also changed to an Oracle ACFS-based file
system. On high-availability system, the ORACLE_BASE is not shared between the nodes.
Each node has its own Oracle ACFS file system for ORACLE_BASE. The new ORACLE_BASE for
the database homes are created under the mount /u01/app/odaorabase/
.
The disk space for the Oracle ACFS file system is located in the DATA or RECO
disk group. You must specify the disk group for the Oracle ACFS file system. For Oracle
Database Appliance X8-2 hardware model and single-node systems, the Oracle ACFS file
system must be located in the DATA disk group. You can specify the initial size of the
ORACLE_HOME volume. The default value is 80 GB. You can set a value from 25 GB to 1024
GB. The initial volume size for ORACLE_BASE is fixed at 10GB. Note that for these
volumes, AUTOEXTEND is off. You can extend the volume size with the odacli
modify-dbhome-storage
command.
Changes When Provisioning Oracle Database Appliance Release 19.26
"sysOraHomeStorage" : {
"diskgroup" : "DATA",
"volumeSize" : "80"
},
DCS-10045:Validation error encountered: Missing argument : sysOraHomeStorage
DCS-10024:Input parameter 'Disk Group' contains unacceptable value 'DATAL'. Allowed values are '[DATA, RECO]'. (case insensitive)
DCS-10045:Validation error encountered: Required volumeSize value in sysOraHomeStorage should be in the range of 25GB to 1024GB.
Changes When Patching to Oracle Database Appliance Release 19.26
odacli
configure-dbhome-storage
command before creating a new database
home. Otherwise, the following error is displayed when creating a new database
home:# odacli create-dbhome -v 19.8.0.0.200714
DCS-10601:The system is not set up to create database homes on ACFS.
Once the disk group for the volumes are setup, new database homes are created on the Oracle ACFS file system.
About Standard Edition High Availability for Oracle Database Appliance
Oracle Database Appliance supports Standard Edition High Availability solution with Oracle Grid Infrastructure that provides cluster-based failover for Oracle Database 19c Standard Edition.
About Standard Edition High Availability for Oracle Database 19c
With Standard Edition High Availability, when there is an instance or a node failure, the database automatically fails over to the other node, after attempting to restart on the local node. The database is restarted on the surviving node, thereby providing high availability for Oracle Standard Edition databases.
If your Oracle Database deployment contains Standard Edition 2 Oracle Real Application Cluster (Oracle RAC) databases of releases earlier than 19c, then they must be converted to a Standard Edition High Availability configuration as part of the upgrade to Oracle Database 19c.
For more details about this feature, refer to the Oracle Database Documentation Library at https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
About Standard Edition High Availability for Oracle Database Appliance Release 19.26
Standard Edition High Availability for Oracle Database 19c is supported on Oracle Database Appliance for high availability deployments, that is, deployments that have two server nodes, shared storage, and server interconnects.
Oracle Database Appliance enables automatic configuration for failover at deployment time for Oracle Database 19c Standard Edition single-instance databases. Both nodes have Oracle Homes for Standard Edition single-instance databases.
Single-instance Oracle Database 19c Standard Edition databases created using the ODACLI commands or the Browser User Interface (BUI) have Standard Edition High Availability enabled by default. You can also choose to disable the High Availability option. To enable Standard Edition High Availability for existing Standard Edition Oracle RAC databases of releases earlier than 19c, you must convert these Oracle RAC or Oracle One Node databases to single-instance databases, and then upgrade to single-instance Oracle Database 19c Standard Edition database with Standard Edition High Availability enabled by default.About Provisioning, Upgrading, and Relocating Standard Edition High Availability Oracle Database
To create a single-instance Oracle Database 19c with Standard Edition High Availability, use the following command:
odacli create-database -u db_unique_name -n db_name -dh db_home -y SI -g target_node
To upgrade a Standard Edition Oracle RAC Database to Oracle Database 19c Standard Edition, convert the Oracle RAC Database to a single-instance Oracle Database:
odacli modify-database -in db_name -y single-instance
Then, upgrade the single-instance database to Oracle Database 19c with Standard Edition High Availability as follows:
odacli upgrade-database -i db_id -to destination_dbhome -ha
To relocate a Standard Edition High Availability Oracle Database from one node to another outside of a failover, use the following command, specifying either the target node or the target host in the command:
odacli modify-database -in db_name -g target_node
or:
odacli modify-database -in db_name -th target_host
For detailed information about these ODACLI command options, see the Oracle Database Appliance Command Line Reference chapter in this guide.
About Enterprise Edition High Availability for Oracle Database Appliance
Oracle Database Appliance supports Enterprise Edition High Availability solution with Oracle Grid Infrastructure that provides cluster-based failover for Oracle Database Enterprise Edition.
About Enterprise Edition High Availability for Oracle Database
With Enterprise Edition High Availability, when there is an instance or a node failure, the database automatically fails over to the other node, after attempting to restart on the local node. The database is restarted on the surviving node, thereby providing high availability for Oracle Enterprise Edition databases.
For more details about this feature, refer to the Oracle Database Documentation Library at https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
About Enterprise Edition High Availability for Oracle Database Appliance Release 19.26
Enterprise Edition High Availability for Oracle Database 19.26 is supported on Oracle Database Appliance for high availability deployments, that is, deployments that have two server nodes, shared storage, and server interconnects.
Oracle Database Appliance enables automatic configuration for failover at deployment time for Oracle Database 19.26 Enterprise Edition single-instance databases. Both nodes have Oracle Homes for Enterprise Edition single-instance databases.
To enable Enterprise Edition High Availability for existing Enterprise Edition Oracle RAC databases of release 19.26, you must convert these Oracle RAC databases to single-instance databases, and then upgrade to single-instance Oracle Database 19.26 Enterprise Edition database with Enterprise Edition High Availability enabled by default.About Provisioning, Upgrading, and Relocating Enterprise Edition High Availability Oracle Database
To create a single-instance Oracle Database 19.26 with Enterprise Edition High Availability, use the following command:
odacli create-database -u db_unique_name -n db_name -dh db_home -y SI -g target_node -ha
To upgrade an Enterprise Edition Oracle RAC Database to Oracle Database 19.26 Enterprise Edition, convert the Oracle RAC Database to a single-instance Oracle Database:
odacli modify-database -in db_name -y single-instance
Then, upgrade the single-instance database to Oracle Database 19.26 with Enterprise Edition High Availability as follows:
odacli upgrade-database -i db_id -to destination_dbhome -ha
To relocate an Enterprise Edition High Availability Oracle Database from one node to another outside of a failover, use the following command, specifying either the target node or the target host in the command:
odacli modify-database -in db_name -g target_node
or:
odacli modify-database -in db_name -th target_host
For detailed information about these ODACLI command options, see the Oracle Database Appliance Command Line Reference chapter in this guide.
About Transparent Database Encryption (TDE) in Oracle Database Appliance
Transparent Data Encryption (TDE) enables you to encrypt sensitive data that you store in tables and tablespaces.
After the data is encrypted, this data is transparently decrypted for authorized users or applications when they access this data. TDE helps protect data stored on media (also called data at rest) in the event that the storage media or data file is stolen.
Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE).
TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database, called a keystore.
Oracle Database Appliance enables creation and lifecycle management of TDE-enabled databases with ODACLI commands or through the BUI. You can create TDE-enabled single-instance, Oracle RAC or Oracle RAC One Node databases with ODACLI commands or BUI. You can also change TDE passwords and re-key the database using ODACLI commands or BUI. When you use software keystore, you can also backup the TDE wallets along with the database. You can also recover the TDE software wallet and restore the database as a new copy with the odacli irestore-database command.
- TDE keys stored in software keystore: In this type of TDE method, the TDE keys are stored in a wallet on Oracle Database Appliance.
- TDE keys stored in a wallet on Oracle Key Vault: In this type
of TDE method, the TDE keys are stored in a wallet on Oracle Key Vault. Note
that if you do not want to provide the credentials of users in Oracle Key Vault,
you can use endpoints already created on Oracle Key Vault, and directly specify
the endpoints when you create or restore the database on Oracle Database
Appliance. Otherwise, you can create Oracle Key Vault server configuration on
Oracle Database Appliance with the Oracle Key Vault user details and use these
user credentials to create and restore the database on Oracle Database
Appliance.
You can configure TDE keys with Oracle Key Vault keystore in one of the following ways:
- Using credentials of a user in Oracle Key Vault: In this configuration, the TDE keys are stored in a wallet on Oracle Key Vault and accessed through Oracle Key Vault user credentials.
- Using endpoints and wallet already created on Oracle Key Vault: In this configuration, the TDE keys are stored in a wallet on Oracle Key Vault and accessed through Oracle Key Vault end points.
Note:
To enable Transparent Data Encryption (TDE), you must deploy Oracle Database Enterprise Edition with Oracle Database 19c or later. Transparent Data Encryption (TDE) is an Advanced Security Option (ASO) available with Oracle Database Enterprise Edition.See Also:
Using Transparent Data Encryption in the Oracle Database Advanced Security GuideCaution:
When you enable TDE on databases, either with software keystore or with Oracle Key Vault keystore using endpoints and wallet already created on Oracle Key Vault, you are prompted to set a password for the TDE wallet. Provide a strong password for security compliance. Set the password carefully, and ensure that this password is available to you at all times for database management operations. Failure to provide the TDE wallet password when prompted, results in not being able to access the database tables.Parent topic: Managing Oracle Databases
Storing Transparent Database Encryption Keys on Oracle Key Vault Server
Understand how you can create Transparent Database Encryption (TDE) enabled databases on Oracle Database Appliance and store the TDE keys on Oracle Key Vault server.
- About Oracle Key Vault
Oracle Key Vault is a fault-tolerant, highly available, and scalable, secure and standards-compliant key and secrets management appliance, where you can store, manage, and share your security objects. - Creating TDE-Enabled Databases With User Credentials
Understand how you can create TDE-enabled databases on Oracle Database Appliance using the credentials of a user in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems. - Creating TDE-Enabled Databases Using Oracle Key Vault With Endpoints in Oracle Key Vault
Understand how you can create TDE-enabled databases on Oracle Database Appliance using endpoints and wallets already in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems. - Managing Oracle Key Vault Server Configuration Operations Using ODACLI Commands
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems. - Managing Database Operations on TDE-enabled Databases with TDE keys stored on Oracle Key Vault
Understand how you can manage TDE-enabled databases with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems. - Creating an Oracle Key Vault User Using BUI
Create a user with Oracle Key Vault server configuration entitlement on a multi-user access enabled Oracle Database Appliance. - Creating Oracle Key Vault Server Configuration Object Using the BUI
Understand how you can create TDE-enabled database on Oracle Database Appliance with TDE keys stored in Oracle Key Vault on bare metal and DB systems using the BUI. - Granting and Revoking Access on Oracle Key Vault Server Configuration Using BUI
Understand how you can grant and revoke access to Oracle Key Vault server configuration on Oracle Database Appliance on bare metal and DB systems using BUI. - Managing Oracle Key Vault Server Configuration Operations Using BUI
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems. - Manual Migration and Encryption of Data into TDE-Enabled Database
Understand how you can migrate transportable tablespaces to TDE-enabled database on Oracle Database Appliance.
Parent topic: Managing Oracle Databases
About Oracle Key Vault
Oracle Key Vault is a fault-tolerant, highly available, and scalable, secure and standards-compliant key and secrets management appliance, where you can store, manage, and share your security objects.
For detailed information about Oracle Key Vault, see the Oracle Key Vault documentation at https://docs.oracle.com/en/database/oracle/key-vault/21.10/okvag/okv_intro.html#GUID-1C565FBE-BC21-4E76-B2A6-88A17F6649D7.
Terminology used when storing TDE keys on Oracle Key Vault for TDE-enabled databases on Oracle Database Appliance
- Role separation: Oracle recommends that you assign different users for database administration and TDE key operations. You must not provide the user who has the database administration role with the credentials of the Oracle Key Vault server. This ensures the database user with data file access cannot open the database without knowing TDE wallet passwords. You can set up this role separation by enabling multi-user access feature on Oracle Database Appliance. For more information about configuring multi-user access, see the topic Implementing Multi-User Access on Oracle Database Appliance. On Oracle Database Appliance, the credentials of Oracle Key Vault user need not be shared with the ODA-DB user. The ODA-Adminstrator grants the resource, that is, the Oracle Key Vault server configuration, access to the intended DB user and the DB user can use the Oracle Key Vault server configuration when creating the TDE-enabled database to store the TDE keys on the Oracle Key Vault server.
- Oracle Key Vault server configuration: The term refers
to an Oracle Database Appliance resource that stores the metadata of the
Oracle Key Vault. The Oracle Key Vault server configuration has details such
as the name of the user created to manage the TDE keys on the Oracle Key
Vault server and the IP address or host name of the Oracle Key Vault server.
The Oracle Key Vault server configuration on Oracle Database Appliance is
identified by a name, to differentiate Oracle Key Vault server
configurations. This name is unique within the Oracle Database Appliance
system and the value is case-sensitive. When creating the Oracle Key Vault
server configuration, you must provide the credentials of the user on Oracle
Key Vault server. It is recommended that this user is a least privileged
user with only
Create Endpoint
privilege. The user name and password you specify when you create the Oracle Key vault server configuration correspond to the user on the Oracle Key vault server. The password you provide during creation of this object is not stored on Oracle Database Appliance. The Oracle Key Vault client auto-login wallet is created using these credentials and all requests to the Oracle Key Vault server use this client auto-login wallet. The database automatically reads the auto-login wallet for the required ADMINISTER KEY MANAGEMENT SQL commands. - A user with ODA-DB role: A user with ODA-DB role in a multi-user access-enabled or multi-user access-enabled passwordless environment can create and maintain the database. This user, is granted the ODA-DB role and is entitled to perform all database related operations such as creation, patching, modification, deletion, backup, and recovery. These operations are restricted to the database that belongs to the user. For more details, see the chapter Implementing Multi-User Access on Oracle Database Appliance in this guide.
- Oracle Key Vault user: The Oracle Key Vault user name and password that you provide when you create the Oracle Key Vault server configuration must correspond to an existing user and the password on the Oracle Key Vault server. Otherwise, there can be failures in accessing Oracle Key Vault. This user can also perform create, delete, describe, and list operations on the Oracle Key Vault server configuration objects that they create.
- Virtual Wallet: A virtual wallet, created on Oracle Key Vault, is a container for objects that must be stored securely. For TDE-enabled databases on Oracle Database Appliance that use Oracle Key Vault as the keystore, the TDE keys of the database are stored inside this virtual wallet.
Requirements for configuring TDE-enabled databases with keys stored in Oracle Key Vault
- The Oracle Key Vault server version must be 21.9.0 or later.
- It is recommended that you set up Network Time Protocol on Oracle Database Appliance. The database operations interacting with Oracle Key Vault fails if the clock on Oracle Database Appliance and Oracle Key Vault server are not synchronized. You must ensure that the time is consistent across the servers or use Network Time Protocol on Oracle Database Appliance.
- You cannot create a starter database with TDE configured using Oracle Key Vault when you provision Oracle Database Appliance on bare metal systems and select to create a starter database. This is because creation of TDE database that uses Oracle Key Vault to store TDE keys requires Oracle Key Vault server configuration to already exist. To create a database with TDE configured using Oracle Key Vault on DB system, first create a DB system without a starter database and then create the database with TDE configured using Oracle Key Vault as described in the topic Creating TDE-Enabled Database on Oracle Database Appliance Using Oracle Key Vault.
- For configuring TDE-enabled databases with keys stored in Oracle Key
Vault with the credentials of a user in Oracle Key Vault, on multi-user
access-enabled systems, you must create a new user with the
ODA-OKVCONFIGADMIN
role which has the entitlementsODA-OKVCONFIGVIEWMGMT
andODA-OKVCONFIGMODIFYMGMT
. TheODA-OKVCONFIGVIEWMGMT
entitlement enables you to perform operations such as Describe and List on the Oracle Key Vault server configuration object. TheODA-OKVCONFIGMODIFYMGMT
entitlement enables you to perform operations such as Create and Delete on the Oracle Key Vault server configuration object. TheODA-OKVCONFIGVIEWMGMT
entitlement is included in theODA-DB
role, and any DB user with theODA-DB
role can list and describe the Oracle Key Vault server configuration object and select the required Oracle Key Vault server configuration object to create the database. For non-multi user access-enabled systems, there is no need to create a new user.
Creating TDE-Enabled Databases With User Credentials
Understand how you can create TDE-enabled databases on Oracle Database Appliance using the credentials of a user in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems.
Step 1: Create the user on Oracle Database Appliance corresponding to the user on Oracle Key Vault. This step applies to multi-user access-enabled systems only.
If the user with the ODA-OKVCONFIGADMIN
role does not exist, or if
you want to assign a different user for the database you are creating, then create
the user.
- Create a new user with the
ODA-OKVCONFIGADMIN
role. For example:odacli create-user -u okvuser1 -r ODA-OKVCONFIGADMIN
The user is created and assigned a temporary password.
- After the user is created successfully, the
okvuser1
can log into the appliance with the temporary password. - The
okvuser1
is in theInactive
state. If the appliance is configured with multi-user access enabled, then activate the user with the following command. Note that if the appliance is configured with passwordless multi-user access, then you do not need to activate the user. For more information about configuring multi-user access, the topic Implementing Multi-User Access on Oracle Database Appliance.odacli activate-user
You are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.
- Use the new password to connect by SSH into the appliance and run ODACLI commands or connect to the Browser User Interface.
Step 2: Create an Oracle Key Vault server configuration
- The Oracle Key Vault user that creates the Oracle Key Vault
server configuration must be a user with the least privilege of
Create Endpoint
on the Oracle Key Vault server. - For multi-user access-enabled systems, log in as the user with
the
ODA-OKVCONFIGADMIN
role, for example, theokvuser1
. For non-multi user access enabled systems, log in as theroot
user. - The Oracle Key Vault password prompt displays twice, to accept
and confirm the Oracle Key Vault password. Specify the password of the
Oracle Key Vault user on the Oracle Key Vault server, which enables the user
to log into the Oracle Key Vault server. Specify the user name with the
-u
option in theodacli create-okvserverconfig
command. The name of the Oracle Key Vault server configuration is case-sensitive and no two Oracle Key Vault server configurations can have same name on Oracle Database Appliance. The length of the Oracle Key Vault server configuration cannot exceed 128 characters.odacli create-okvserverconfig -n okvobj1 -u epokvusr1 -ip xxx.xx.xxx.xxx Enter OKV user password : Retype OKV user password : Job details ---------------------------------------------------------------- ID: 730d2469-6efa-4ed1-8386-513e97c866ea Description: Create OKV Server Config: okvobj1 Status: Created Created: October 20, 2024 11:28:39 AM PDT Message: Create OKV Server Config. Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- odacli describe-job -i 730d2469-6efa-4ed1-8386-513e97c866ea Job details ---------------------------------------------------------------- ID: 730d2469-6efa-4ed1-8386-513e97c866ea Description: Create OKV Server Config: okvobj1 Status: Success Created: October 20, 2024 11:28:39 AM PDT Message: Create OKV Server Config. Task Name Node Name Start Time End Time Status ---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ---------------- OKV Password Store creation n1 October 20, 2024 11:28:39 AM PDT October 20, 2024 11:29:04 AM PDT Success Download of OKV REST package n1 October 20, 2024 11:28:42 AM PDT October 20, 2024 11:28:44 AM PDT Success Edit of OKV REST package n1 October 20, 2024 11:28:44 AM PDT October 20, 2024 11:28:45 AM PDT Success Generate OKV client wallets n1 October 20, 2024 11:28:45 AM PDT October 20, 2024 11:28:47 AM PDT Success
The command creates an Oracle Key Vault server configuration
okvobj1
for the Oracle Key Vault server userepokvusr1
on the specified server.
Step 3: Share Oracle Key Vault server configuration for multi user access-enabled systems only
- For multi-user access-enabled systems, the DB user who creates
the database using the Oracle Key Vault server configuration must have
shared access to the Oracle Key Vault server configuration created by the
Oracle Key Vault user. The
odaadmin
user must share the Oracle Key Vault server configuration with the DB user using theodacli grant-resource-access
command. The DB user can then create the database with the Oracle Key Vault server configuration. An example where theodaadmin
user shares theokvobj1
resource with DB userdbusr1
is as follows:
To get the resource ID of the Oracle Key Vault server configuration, run thesu odaadmin odacli grant-resource-access -ri d017d35a-0757-460a-98f0-9f8d0944c872 -u dbusr1 Shared access of resource granted to user successfully...
odacli list-okvserverconfigs
command. For example:odacli list-okvserverconfigs ID Name User Name IP address Host Name Description ---------------------------------------- -------------------- ---------------- ------------------- -------------------- ------------------- d017d35a-0757-460a-98f0-9f8d0944c872 okvobj1 epadmin xxx.xx.xx.xxx Null OKV Server for sales databases
Step 4: Create the database
For multi-user access-enabled systems, log in as the DB user and use theodacli create-database
command with the options
-t
, -osc
and -kt
to create a
database with TDE configured using Oracle Key Vault server. For non-multi user
access-enabled systems, you can run the same command as root
user.
-osc
option in the odacli
create-database
command. The DB user can select the required Oracle Key
Vault server configuration from the list of Oracle Key Vault server configurations
displayed with the odacli list-okvserverconfigs
command. For
non-multi user access enabled systems, run the odacli
list-okvserverconfigs
command as root
user.
- The option
-t
indicates that the database must be configured with TDE, using the Oracle Key Vault credentials represented by the Oracle Key Vault server configuration specified using the-osc
option. - The option
-kt
specifies the the type of kesytore used in TDE configuration. The value of the keystore can be eithersoftware
orokv
. The default issoftware
. The values are case-insensitive. TheOKVServerConfigName
attribute of the database is set to the name of the Oracle Key Vault server configuration specified in the create database request. - The password for TDE wallet is randomly generated by the system, and you do not need to specify it.
An example to create a database kokvdb2
which uses Oracle Key Vault credentials represented by Oracle Key Vault server
configuration kovobj1
is as
follows:
odacli create-database -n kokvdb2 -t -kt OKV -osc kovobj1
Enter SYS and SYSTEM user password:
Retype SYS and SYSTEM user password:
Job details
----------------------------------------------------------------
ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8
Description: Database service creation with DB name: kokvdb2
Status: Created
Created: July 15, 2024 3:00:53 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
odacli describe-job -i 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8
Job details
----------------------------------------------------------------
ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8
Description: Database service creation with DB name: kokvdb2
Status: Success
Created: July 15, 2024 3:00:53 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Validating dbHome available space July 15, 2024 3:01:19 PM CST July 15, 2024 3:01:19 PM CST Success
...
TDE configuration using OKV July 15, 2024 3:17:37 PM CST July 15, 2024 3:20:36 PM CST Success
TDE Wallet directory creation July 15, 2024 3:17:38 PM CST July 15, 2024 3:17:46 PM CST Success
Setting Database parameter for OKV July 15, 2024 3:17:46 PM CST July 15, 2024 3:19:07 PM CST Success
Auto login TDE Wallet creation July 15, 2024 3:19:07 PM CST July 15, 2024 3:19:09 PM CST Success
OKV TDE Wallet creation July 15, 2024 3:19:09 PM CST July 15, 2024 3:19:12 PM CST Success
OKV Endpoint configuration July 15, 2024 3:19:12 PM CST July 15, 2024 3:19:43 PM CST Success
Setting TDE Master Encryption Key July 15, 2024 3:19:43 PM CST July 15, 2024 3:20:13 PM CST Success
Create Users tablespace July 15, 2024 3:20:36 PM CST July 15, 2024 3:20:39 PM CST Success
Clear all listeners from Database July 15, 2024 3:20:39 PM CST July 15, 2024 3:20:40 PM CST Success
Copy Pwfile to Shared Storage July 15, 2024 3:20:43 PM CST July 15, 2024 3:20:47 PM CST Success
On successful database creation, the Oracle Key Vault client software
is installed in the /etc/OKV/db_unique_name/okv
directory.
The ownership of all the files is set to db_user:oinstall
and the permission is set to 750. The autologin TDE wallets are created in the
/etc/OKV/db_unique_name/tde
and
/etc/OKV/db_unique_name/tde_seps
directories. The
ownership of these directories is recursively set to
db_user:oinstall
and the permission to 750.
Creating TDE-Enabled Databases Using Oracle Key Vault With Endpoints in Oracle Key Vault
Understand how you can create TDE-enabled databases on Oracle Database Appliance using endpoints and wallets already in Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems.
Note:
In this Oracle Database Appliance release, this feature is supported on Oracle RAC and Oracle single-instance databases only. This feature is not available with Oracle RAC One Node databases and Oracle single-instance database with high-availability enabled.- Log into Oracle Key Vault and create virtual TDE wallet corresponding to a database.
- Create endpoints corresponding to each instance. For a single instance database, you must create one endpoint and for Oracle RAC database, create two endpoints.
- Set the default wallet for the created endpoint.
- Download the
okvclient.jar
file corresponding to each endpoint. For single instance database, download one file, and for Oracle RAC database, there are two files available for download, one per instance..
Step 1: Obtain the
okvclient.jar
file using Oracle Key Vault REST commands
You can create the okvclient.jar
file either through Oracle Key
Vault REST commands or Oracle Key Vault server user interface.
okvclient.jar
file using Oracle Key Vault
REST commands, log in as the oracle
user, and then follow these
steps:
- Create working directories, such as
/tmp/work
and/tmp/work/client_wallet
. Navigate to the/tmp/work
directory and download and unzip the RESTful Service utility from the Oracle Key Vault server. When you unzip the utility, you can observer three directoriesbin
,lib
, andconf
.mkdir /tmp/work/ mkdir /tmp/work/client_wallet cd /tmp/work curl -Ok https://okv_server_ip:5695/okvrestclipackage.zip % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3750k 100 3750k 0 0 2500k 0 0:00:01 0:00:01 --:--:-- 2500k
- Unzip
okvrestclipackage.zip
. Editconf/okvrestcli.ini
and add the Oracle Key Vault server IP address, user name, and path to the directory where the client autologin wallets are created. In the following example,/tmp/work/client_wallet
is the directory path where client autologin wallets are created.#Provide absolute path for log_property, okv_client_config properties [Default] log_property=./conf/okvrestcli_logging.properties server=okv_server_ip okv_client_config=./conf/okvclient.ora user=okv_user client_wallet=/tmp/work/client_wallet
- Edit the
bin/okv
file and uncomment the lineexport OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini
and also set theJAVA_HOME
variable:#!/bin/bash export OKV_RESTCLI_DIR=$(dirname "${0}")/.. export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini export JAVA_HOME=/opt/oracle/dcs/java/1.8.0_xxx if [ -z "$JAVA_HOME" ] then echo "JAVA_HOME environment variable is not set." exit 1 fi if [ -z "$OKV_RESTCLI_CONFIG" ] then echo "OKV_RESTCLI_CONFIG environment variable is not set." exit 1 fi export OKV_RESTCLI_JAR=$OKV_RESTCLI_DIR/lib/okvrestcli.jar $JAVA_HOME/bin/java -jar $OKV_RESTCLI_JAR "$@"
- Generate client auto login wallets. You are prompted to provide
the Oracle Key Vault user
password.
/tmp/work/bin/okv admin client-wallet add --client-wallet /tmp/work/client_wallet --wallet-user okv_user Password:
- Create the TDE wallet corresponding to the database, if the TDE
wallet is not already created using the Oracle Key Vault user interface.
/tmp/work/bin/okv manage-access wallet create --wallet wallet_name --unique FALSE
- Create the endpoint corresponding to the wallet. For Oracle RAC
database, create two endpoints. Create the endpoint only if it is not
already created using the Oracle Key Vault user interface.
/tmp/work/bin/okv admin endpoint create --endpoint endpoint_name --type ORACLE_DB --platform LINUX64 --strict-ip-check TRUE
- Set the default wallet for the endpoint. For Oracle RAC
database, the default wallet for both endpoints must be the same TDE wallet.
Set the default wallet only if it is not already set using the Oracle Key
Vault user interface.
/tmp/work/bin/okv manage-access wallet set-default --wallet wallet_name --endpoint endpoint_name
- Download the
okvclient.jar
command. For Oracle RAC database, you must download theokvclient.jar
corresponding to both the endpoints. After the download is complete, copy theokvclient.jar
corresponding to the remote instance to the remote node./tmp/work/bin/okv admin endpoint download --endpoint <endpoint_name> --location <location>
- While downloading the endpoint, if the
Endpoint token is already consumed
message is observed as below, then re-enroll the endpoint./tmp/work/bin/okv admin endpoint download --endpoint endpoint_name --location location /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Failure", "message" : "Endpoint token is already consumed" } /tmp/work/bin/okv admin endpoint re-enroll --endpoint <endpoint_name> /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Success" }
Step 2: Create the database
- For multi user access-enabled and multi user access
passwordless systems, log in as the DB user and run the
odacli create-database
command. For non-multi user access-enabled systems, log in as theroot
user and run theodacli create-database
command.The option
--enable-tde/-t
indicates that the database must be configured with TDE. The option--keystore-type/-kt
specifies the the type of keystore to use in TDE configuration. The option--okvclient-path/-ocp
specifies the absolute path to theokvclient.jar
file corresponding to the endpoint.For single-instance database, the option
--okvclient-path/-ocp
takes only one value. For Oracle RAC database, the option--okvclient-path/-ocp
takes two values corresponding to each instance. The values must be comma-separated. The first path corresponds to the local instance whereas the second path corresponds to the remote instance. You are prompted to provide the TDE password.On successful database creation, the Oracle Key Vault client software is installed in the
An example to create a single-instance database named/etc/OKV/db_unique_name/okv
directory. The local auto login TDE wallets are created in the/etc/OKV/db_unique_name/tde
directory. Theokvclient.jar
file in the source location is deleted.okvdb
without using the Oracle Key Vault server configuration object, is as follows:
An example to create an Oracle RAC database namedodacli create-database -n okvdb -y SI -t -kt OKV -ocp /tmp/okvclient.jar Enter SYS and SYSTEM user password: Retype SYS and SYSTEM user password: Enter TDE wallet password: Retype TDE wallet password: Job details ---------------------------------------------------------------- ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8 Description: Database service creation with DB name: okvdb Status: Created Created: July 15, 2024 3:00:53 PM CST Message: Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- odacli describe-job -i 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8 Job details ---------------------------------------------------------------- ID: 94a51f1a-2d4c-4eac-b0c2-7871d88c0df8 Description: Database service creation with DB name: okvdb Status: Success Created: July 15, 2024 3:00:53 PM CST Message: Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- Validating dbHome available space July 15, 2024 3:01:19 PM CST July 15, 2024 3:01:19 PM CST Success ... TDE configuration using OKV July 15, 2024 3:17:37 PM CST July 15, 2024 3:20:36 PM CST Success TDE Wallet directory creation July 15, 2024 3:17:38 PM CST July 15, 2024 3:17:46 PM CST Success Setting Database parameter for OKV July 15, 2024 3:17:46 PM CST July 15, 2024 3:19:07 PM CST Success Auto login TDE Wallet creation July 15, 2024 3:19:07 PM CST July 15, 2024 3:19:09 PM CST Success Installing the OKV client software July 15, 2024 3:19:09 PM CST July 15, 2024 3:19:42 PM CST Success Setting TDE Master Encryption Key July 15, 2024 3:19:43 PM CST July 15, 2024 3:20:13 PM CST Success Create Users tablespace July 15, 2024 3:20:36 PM CST July 15, 2024 3:20:39 PM CST Success Clear all listeners from Database July 15, 2024 3:20:39 PM CST July 15, 2024 3:20:40 PM CST Success Copy Pwfile to Shared Storage July 15, 2024 3:20:43 PM CST July 15, 2024 3:20:47 PM CST Success
okvdbrac
without using the Oracle Key Vault server configuration object, is as follows. Specify the path to theokvclient.jar
file for the local database instance first, followed by the path to theokvclient.jar
file for the remote database instance in the request.odacli create-database -n okvdb -y RAC -t -kt OKV -ocp /tmp/dir1/okvclient.jar,/tmp/dir2/okvclient.jar Enter SYS and SYSTEM user password: Retype SYS and SYSTEM user password: Enter TDE wallet password: Retype TDE wallet password: Job details ---------------------------------------------------------------- ID: cb611ec2-ff87-44f9-a79b-3ab1a290644f Description: Database service creation with DB name: okvdbrac Status: Created Created: October 20, 2024 6:13:28 AM PDT Message: Task Name Start Time End Time Status ---------------------------------------- ---------------------------------------- ---------------------------------------- ---------------- odacli describe-job -i cb611ec2-ff87-44f9-a79b-3ab1a290644f Job details ---------------------------------------------------------------- ID: cb611ec2-ff87-44f9-a79b-3ab1a290644f Description: Database service creation with DB name: okvdbrac Status: Success Created: October 20, 2024 6:13:28 AM PDT Message: Task Name Node Name Start Time End Time Status ---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ---------------- Validating dbHome available space n1 October 20, 2024 6:13:49 AM PDT October 20, 2024 6:13:49 AM PDT Success Validating dbHome available space n2 October 20, 2024 6:13:49 AM PDT October 20, 2024 6:13:49 AM PDT Success Setting up SSH equivalence n1 October 20, 2024 6:13:51 AM PDT October 20, 2024 6:13:54 AM PDT Success Setting up SSH equivalence n1 October 20, 2024 6:13:54 AM PDT October 20, 2024 6:13:57 AM PDT Success Creating ACFS database home n1 October 20, 2024 6:13:58 AM PDT October 20, 2024 6:13:58 AM PDT Success Validating dbHome available space n1 October 20, 2024 6:13:59 AM PDT October 20, 2024 6:13:59 AM PDT Success . . . Setting TDE Master Encryption Key n1 October 20, 2024 6:34:15 AM PDT October 20, 2024 6:34:56 AM PDT Success Create Users tablespace n1 October 20, 2024 6:34:57 AM PDT October 20, 2024 6:34:59 AM PDT Success Clear all listeners from Database n1 October 20, 2024 6:35:00 AM PDT October 20, 2024 6:35:01 AM PDT Success Deleting OKV Client Software Jar n1 October 20, 2024 6:35:03 AM PDT October 20, 2024 6:35:04 AM PDT Success Deleting OKV Client Software Jar n2 October 20, 2024 6:35:04 AM PDT October 20, 2024 6:35:04 AM PDT Success Encrypt all Tablespaces n1 October 20, 2024 6:35:04 AM PDT October 20, 2024 6:36:15 AM PDT Success
Managing Oracle Key Vault Server Configuration Operations Using ODACLI Commands
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems.
Listing Oracle Key Vault server configurations:
odacli list-okvserverconfigs
command to view all
the Oracle Key Vault server
configurations.odacli list-okvserverconfigs
ID Name User Name IP address Host Name Description
---------------------------------------- -------------------- ---------------- ------------------- -------------------- -------------------
d017d35a-0757-460a-98f0-9f8d0944c872 okvobj1 epadmin xxx.xx.xx.xxx Null OKV server for Sales database
b6336173-666b-4d81-88bd-5ae384419114 okvobj2 epadmin2 xxx.xx.xx.xxx Null OKV server for Sales database
Describing an Oracle Key Vault server configuration:
Use the odacli describe-okvserverconfig
command to view
a Oracle Key Vault server configuration.
odacli describe-okvserverconfig -n dokvobj1
OKV Server Config details
----------------------------------------------------------------
ID: c196bd0a-4a42-43a6-8578-9929ceb28525
Name: dokvobj1
UserName: user1
IP Address: xxx.xxx.xx.xxx
Host Name:
Description: OKV server config for Sales
CreatedTime: October 4, 2024 9:41:43 AM HKT
UpdatedTime: October 4, 2024 9:42:10 AM HKT
State: CONFIGURED
Deleting Oracle Key Vault server configuration:
odacli delete-okvserverconfig
command to delete
Oracle Key Vault server configuration. You can delete the Oracle Key Vault server
configuration only if all databases that used the Oracle Key Vault server
configuration are already
deleted.odacli delete-okvserverconfig -n okvobj1
Job details
----------------------------------------------------------------
ID: 7446c9b4-a927-431f-8e0b-099eec8116e7
Description: Delete OKV Server Config: dokvobj1
Status: Running
Created: October 4, 2024 9:44:29 AM HKT
Message: Delete OKV Server Config
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
OKV Password Store deletion October 4, 2024 9:44:29 AM HKT Running
odacli describe-job -i 7446c9b4-a927-431f-8e0b-099eec8116e7
Job details
----------------------------------------------------------------
ID: 7446c9b4-a927-431f-8e0b-099eec8116e7
Description: Delete OKV Server Config: dokvobj1
Status: Success
Created: October 4, 2024 9:44:29 AM HKT
Message: Delete OKV Server Config
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
OKV Password Store deletion oda1 October 4, 2024 9:44:29 AM HKT October 4, 2024 9:44:45 AM HKT Success
OKV Server Config directory deletion oda1 October 4, 2024 9:44:45 AM HKT October 4, 2024 9:44:45 AM HKT Success
OKV Server Config deletion oda1 October 4, 2024 9:44:45 AM HKT October 4, 2024 9:44:46 AM HKT Success
Managing Database Operations on TDE-enabled Databases with TDE keys stored on Oracle Key Vault
Understand how you can manage TDE-enabled databases with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems.
You can re-key TDE master encryption key or restore, delete, perform database backup and recovery, and configure Oracle Data Guard on TDE-enabled database on Oracle Key Vault on Oracle Database Appliance bare metal and DB systems.
- Changing the Password for TDE-enabled Databases
Understand how you can change the password of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys. - Re-keying TDE Master Encryption Key for TDE-Enabled Databases
Understand how you can re-key TDE master encryption key of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys. - Performing Backup and Recovery of TDE-enabled Databases
Understand how you can back up and recover TDE-enabled database with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems. - Restoring TDE-Enabled Databases Using Oracle Key Vault User Credentials
Understand how you can restore TDE-enabled databases using database backups, on Oracle Database Appliance bare metal and DB systems, with credentials of a user on Oracle Key Vault. - Restoring TDE-Enabled Databases With Endpoints and Wallet Manually Created in Oracle Key Vault
Understand how you can restore TDE-enabled databases on Oracle Database Appliance using the endpoints and wallets created manually on Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems. - Deleting TDE-enabled Databases
Understand how you can delete a TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
Changing the Password for TDE-enabled Databases
Understand how you can change the password of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
Changing the password of TDE-enabled databases on Oracle Database Appliance that use the credentials of a user in Oracle Key Vault
odacli modify-database
command with the option
--change-tde-password,-ctp
for TDE-enabled databases on Oracle
Database Appliance that use the credentials of a user in Oracle Key Vault. The new
password is randomly generated and stored securely on the Oracle Key Vault server
replacing the old TDE password. For
example:odacli modify-database -n kokvdb2 -ctp
Job details
----------------------------------------------------------------
ID: 5d77eb72-909e-42b8-a65a-fcc61689346b
Description: Modify database: db6
Status: Success
Created: January 28, 2025 16:07:01 UTC
Message: Modify database
Task Name Node Name Start Time End Time Status
---------------------------------------- --------------------------------------------------------------------------------------------------------- ----------------
Re-enroll and Provision of Endpoint n1 January 28,2025 16:07:05 UTC January 28, 2025 16:07:19 UTC Success
Save the new TDE password using a n1 January 28,2025 16:07:20 UTC January 28, 2025 16:07:23 UTC Success
temporary custom attribute on OKV
Change the TDE password in local wallet n1 January 28,2025 16:07:23 UTC January 28, 2025 16:07:41 UTC Success
Auto login TDE Wallet creation n1 January 28,2025 16:07:41 UTC January 28, 2025 16:07:45 UTC Success
Re-enroll and Provision of Endpoint n2 January 28,2025 16:07:45 UTC January 28, 2025 16:08:01 UTC Success
Change the TDE password in local wallet n2 January 28,2025 16:08:01 UTC January 28, 2025 16:08:17 UTC Success
Auto login TDE Wallet creation n1 January 28,2025 16:08:17 UTC January 28, 2025 16:08:21 UTC Success
Save new TDE password on OKV n2 January 28,2025 16:08:22 UTC January 28, 2025 16:08:29 UTC Success
Delete the temporary custom attribute n2 January 28,2025 16:08:29 UTC January 28, 2025 16:08:32 UTC Success
on OKV
Deleting OKV Client Software Jar n2 January 28,2025 16:08:32 UTC January 28, 2025 16:08:33 UTC Success
Changing the password of TDE-enabled databases on Oracle Database Appliance that use endpoints and wallets already in Oracle Key Vault
odacli modify-database
command with the option
--change-tde-password,-ctp
. For TDE-enabled databases on Oracle
Database Appliance that use endpoints and wallets already in Oracle Key Vault, you
are prompted to specify the password during the password change operation. For
example:odacli modify-database -n kokvdb2 -ctp
Enter the current TDE password:
Enter the new TDE password:
Re-enter the new TDE password:
Job details
----------------------------------------------------------------
ID: 84633eef-7cf5-474e-aaed-559444d5cb2c
Description: Modify database: db14
Status: Success
Created: January 31, 2025 09:23:39 UTC
Message: Modify database
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Change the TDE password in local wallet n1 January 31, 2025 09:23:49 UTC January 31, 2025 09:23:49 UTC Success
Auto login TDE Wallet creation n1 January 31, 2025 09:23:49 UTC January 31, 2025 09:23:50 UTC Success
Change the TDE password in local wallet n2 January 31, 2025 09:23:50 UTC January 31, 2025 09:23:51 UTC Success
Auto login TDE Wallet creation n1 January 31, 2025 09:23:51 UTC January 31, 2025 09:23:53 UTC Success
Re-keying TDE Master Encryption Key for TDE-Enabled Databases
Understand how you can re-key TDE master encryption key of TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
odacli modify-database
command to perform re-key
of TDE master encryption key with the option -rkt
. For TDE
configured using Oracle Key Vault, you are prompted to specify the password during
the re-key operation. For
example:odacli modify-database -n kokvdb2 -rkt
{
"jobId" : "dbedf89d-b60f-4209-bbcf-0db61e4eb350",
"status" : "Created",
"message" : "Modify database",
"reports" : [ ],
"createTimestamp" : "July 15, 2024 15:56:01 PM CST",
"resourceList" : [ {
"resourceId" : "7a1c996b-ee8d-49bc-8759-cbbfcee3bcce",
"resourceType" : null,
"resourceNewType" : "Db",
"jobId" : "dbedf89d-b60f-4209-bbcf-0db61e4eb350",
"updatedTime" : null
} ],
"description" : "Modify database: kokvdb2",
"updatedTime" : "July 15, 2024 15:56:01 PM CST",
"jobType" : null
}
odacli describe-job -i dbedf89d-b60f-4209-bbcf-0db61e4eb350
Job details
----------------------------------------------------------------
ID: dbedf89d-b60f-4209-bbcf-0db61e4eb350
Description: Modify database: kokvdb2
Status: Success
Created: July 15, 2024 3:56:01 PM CST
Message: Modify database
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
TDE Wallet Re-Key July 15, 2024 3:56:04 PM CST July 15, 2024 3:56:12 PM CST Success
Performing Backup and Recovery of TDE-enabled Databases
Understand how you can back up and recover TDE-enabled database with TDE keys stored on Oracle Key Vault on Oracle Database Appliance on bare metal and DB systems.
Performing backup of TDE-enabled database with TDE keys stored on Oracle Key Vault
odacli create-backup
command to back up
TDE-enabled database with TDE keys stored on Oracle Key Vault. The TDE wallet is not
present on Oracle Database Appliance, but resides in Oracle Key Vault server, and
hence it is not backed up with the database backup. As a result, the value of TDE
wallet backup location attribute of the database backup report is set to null.
[odaadmin@oda1 bin]$ odacli describe-job -i be94d1f7-ad6e-48a5-94a3-f0a52578048b
Job details
----------------------------------------------------------------
ID: be94d1f7-ad6e-48a5-94a3-f0a52578048b
Description: Create Regular-L0 Backup[TAG:auto][Db:db15][NFS:/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15]
Status: Success
Created: March 26, 2024 4:14:19 AM PDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------ ---------------------------------------- -------------------------------- ------
Validate backup config oda1 March 26, 2024 4:14:21 AM PDT March 26, 2024 4:14:21 AM PDT Success
NFS location existence validation oda1 March 26, 2024 4:14:21 AM PDT March 26, 2024 4:14:22 AM PDT Success
Recovery Window validation oda1 March 26, 2024 4:14:22 AM PDT March 26, 2024 4:14:24 AM PDT Success
Archivelog deletion policy configuration oda1 March 26, 2024 4:14:24 AM PDT March 26, 2024 4:14:26 AM PDT Success
Database backup oda1 March 26, 2024 4:14:26 AM PDT March 26, 2024 4:15:21 AM PDT Success
[odaadmin@oda1 bin]$ odacli describe-backupreport -i d2326683-9766-4933-bee1-a2b59c9d7e9e
{
"id" : "d2326683-9766-4933-bee1-a2b59c9d7e9e",
"dbResId" : "96a98156-b657-403e-a87c-357c2069c285",
"tag" : "auto",
"dbId" : "1851419729",
"dbName" : "db15",
"dbUniqueName" : "db15",
"backupType" : "Regular-L0",
"keepDays" : null,
"backupLocation" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/db",
"cfBackupHandle" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/db/c-1851419729-20240326-03",
"spfBackupHandle" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/db/c-1851419729-20240326-03",
"pitrTimeStamp" : "March 26, 2024 04:15:06 AM PDT",
"pitrSCN" : "1675444",
"resetLogsTimeStamp" : "March 26, 2024 03:01:39 AM PDT",
"resetLogsSCN" : "1575481",
"oraHomeVersion" : "19.23.0.0.240116",
"sqlPatches" : "35926646,34774667,35943157",
"backupLogLoc" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/rmanlog/2024-03-26/rman_backup_auto_2024-03-26_04-14-29.0478.log",
"tdeWalletLoc" : null,
"dbConfigLoc" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/dbconfig/2024-03-26/DBCONFIG_auto_2024-03-26_04-15-19.0472.tar.gz",
"name" : "Backup_Report_db15",
"createTime" : "March 26, 2024 04:14:26 AM PDT",
"state" : {
"status" : "CONFIGURED"
},
"updatedTime" : "March 26, 2024 04:14:26 AM PDT",
"backupReportLogDetail" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/rmandetaillogreport/2024-03-26/rman_list_backup_detail_auto_2024-03-26_04-15-16.0129.log",
"dbInfo" : {
"dbClass" : "OLTP",
"dbType" : "RAC",
"dbShape" : "odb2",
"dbEdition" : "EE",
"dbStorage" : "ASM",
"dbRedundancy" : null,
"pdbName" : null,
"isCdb" : false
},
"dbDataSize" : "2441M",
"dbRedoSize" : "16403M",
"rmanBackupPieces" : "/nfs_backup/orabackups/dbsfb225975e/database/1851419729/db15/backuppieces/2024-03-26/backupPieces_auto_96a98156-b657-403e-a87c-357c2069c285_20240326041518.json",
"compressionAlgo" : "BASIC",
"cpuPool" : null,
"numberOfCores" : null,
"keystoreType" : "OKV",
}
OKV
, if you specify the component as tdewallet
in the odacli create-backup
command, an error is
encountered.[odaadmin@oda1 bin]$ odacli create-backup -n db15 -c tdewallet
DCS-10144:TDE wallet backup operation is not supported for TDE databases with OKV keystore type.
Performing recovery of database with TDE configured using Oracle Key Vault with credentials of Oracle Key Vault user
odacli recover-database
command to recover a
database with TDE configured using Oracle Key Vault. For example, to recover a
database kokvdb2
, run the following
command:odacli recover-database -n kokvdb2 -t latest
{
"jobId" : "8a50d65f-2269-41ff-b030-51fe4ecc82b5",
"status" : "Created",
"message" : null,
"reports" : [ ],
"createTimestamp" : "July 15, 2024 18:26:26 PM CST",
"resourceList" : [ ],
"description" : "Create recovery-latest for DB : kokvdb2",
"updatedTime" : "July 15, 2024 18:26:26 PM CST",
"jobType" : null
}
odacli describe-job -i 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Job details
----------------------------------------------------------------
ID: 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Description: Create recovery-latest for DB : kokvdb2
Status: Success
Created: July 15, 2024 6:26:26 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Database recovery validation July 15, 2024 6:26:30 PM CST July 15, 2024 6:27:50 PM CST Success
Database recovery July 15, 2024 6:27:50 PM CST July 15, 2024 6:30:07 PM CST Success
Enable block change tracking July 15, 2024 6:30:07 PM CST July 15, 2024 6:30:12 PM CST Success
Database opening July 15, 2024 6:30:12 PM CST July 15, 2024 6:30:15 PM CST Success
Database restart July 15, 2024 6:30:15 PM CST July 15, 2024 6:31:31 PM CST Success
Recovery metadata persistence July 15, 2024 6:31:31 PM CST July 15, 2024 6:31:31 PM CST Success
OKV
, and you specify
the component as tdewallet
in the odacli
recover-database
command, an error is
encountered.[odaadmin@oda1 bin]$ odacli recover-database -n db15 -tl /nfs_backup/ewallet.p12 -t latest
DCS-10045:Validation error encountered: Usage of TDE wallet related parameters is not allowed for a TDE database with OKV keystore type.
[odaadmin@oda1 bin]$ odacli restore-tdewallet -n db15
Enter TDE wallet password:
DCS-10144:Restore TDE wallet operation is not supported for TDE databases with OKV keystore type.
Performing recovery of database with TDE configured using Oracle Key Vault with endpoints in Oracle Key Vault
odacli recover-database
command prompts for the TDE password.
Before database recovery, the local auto-login wallet is regenerated using the
Administer Key Management command. You must specify the TDE password for database
recovery.
odacli recover-database -n kokvdb2 -t latest
Enter the TDE password:
odacli describe-job -i 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Job details
----------------------------------------------------------------
ID: 8a50d65f-2269-41ff-b030-51fe4ecc82b5
Description: Create recovery-latest for DB : kokvdb2
Status: Success
Created: July 15, 2024 6:26:26 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Auto login TDE Wallet creation July 15, 2024 6:26:30 PM CST July 15, 2024 6:27:50 PM CST
Database recovery validation July 15, 2024 6:26:30 PM CST July 15, 2024 6:27:50 PM CST Success
Database recovery July 15, 2024 6:27:50 PM CST July 15, 2024 6:30:07 PM CST Success
Enable block change tracking July 15, 2024 6:30:07 PM CST July 15, 2024 6:30:12 PM CST Success
Database opening July 15, 2024 6:30:12 PM CST July 15, 2024 6:30:15 PM CST Success
Database restart July 15, 2024 6:30:15 PM CST July 15, 2024 6:31:31 PM CST Success
Recovery metadata persistance July 15, 2024 6:31:31 PM CST July 15, 2024 6:31:31 PM CST Success
Errors during database recovery
OKV
, and you specify
the component as tdewallet
in the odacli
recover-database
command, an error is
encountered.[odaadmin@oda1 bin]$ odacli recover-database -n db15 -tl /nfs_backup/ewallet.p12 -t latest
DCS-10045:Validation error encountered: Usage of TDE wallet related parameters is not allowed for a TDE database with OKV keystore type.
[odaadmin@oda1 bin]$ odacli restore-tdewallet -n db15
Enter TDE wallet password:
DCS-10144:Restore TDE wallet operation is not supported for TDE databases with OKV keystore type.
Restoring TDE-Enabled Databases Using Oracle Key Vault User Credentials
Understand how you can restore TDE-enabled databases using database backups, on Oracle Database Appliance bare metal and DB systems, with credentials of a user on Oracle Key Vault.
Prerequisites
- To restore a database with primary role in an Oracle Data Guard configuration, TDE wallet for the target database must be created on the Oracle Key Vault server before you run the restore command. This TDE wallet is a copy of the wallet of the source database.
- To restore a database with a standby role in an Oracle Data Guard configuration, the TDE wallet copy must not be created. The TDE wallet of the primary database must be used for the standby database.
Step 1: Create the Oracle Key Vault user. This step applies to multi-user access-enabled systems only.
If the user with the ODA-OKVCONFIGADMIN
role does not exist, or if
you want to assign a different user for the database you are restoring, then create
the user.
- Create a new user with the
ODA-OKVCONFIGADMIN
role. For example:odacli create-user -u okvuser1 -r ODA-OKVCONFIGADMIN
The user is created and assigned a temporary password.
- After the user is created successfully, the
okvuser1
can log into the appliance with the temporary password. - The
okvuser1
is in theInactive
state. If the appliance is configured with multi-user access enabled, then activate the user with the following command. Note that if the appliance is configured with passwordless multi-user access, then you do not need to activate the user. For more information about configuring multi-user access, the topic Implementing Multi-User Access on Oracle Database Appliance.odacli activate-user
You are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.
- Use the new password to connect by SSH into the appliance and run ODACLI commands or connect to the Browser User Interface.
Step 2: Create an Oracle Key Vault server configuration
Create an Oracle Key Vault server configuration for the target database. Create a new Oracle Key Vault server configuration only if an Oracle Key Vault server configuration for the same Oracle Key Vault server does not already exist. If a configuration already exists, then use the existing configuration.
- The Oracle Key Vault user that creates the Oracle Key Vault
server configuration must be a user with atleast the privilege of
Create Endpoint
on the Oracle Key Vault server. - For multi-user access-enabled systems, log in as the user with
the
ODA-OKVCONFIGADMIN
role, for example, theokvuser1
. For non-multi user access enabled systems, log in as theroot
user. - Oracle Key Vault password prompt displays twice, to accept and
confirm the Oracle Key Vault password. This is the password of the Oracle
Key Vault user on the Oracle Key Vault server, which enables the user to log
into the Oracle Key Vault server. Specify the user name with the
-u
option in theodacli create-okvserverconfig
command. The name of the Oracle Key Vault server configuration is case-sensitive and no two Oracle Key Vault server configurations can have same name on Oracle Database Appliance. The length of the Oracle Key Vault server configuration cannot exceed 128 characters.odacli create-okvserverconfig -n okvobj1 -u epokvusr1 -ip xxx.xx.xxx.xxx Enter OKV user password : Retype OKV user password : Job details ---------------------------------------------------------------- ID: 8878fc02-3d64-4519-bf52-fcb50839f89f Description: Create OKV Server Config: okvcfg5 Status: Success Created: October 14, 2024 14:04:29 UTC Message: Create OKV Server Config. Task Name Node Name Start Time End Time Status ---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ---------------- OKV Password Store creation oda1 October 14, 2024 14:04:29 UTC October 14, 2024 14:04:56 UTC Success Download of OKV REST package oda1 October 14, 2024 14:04:31 UTC October 14, 2024 14:04:32 UTC Success Edit of OKV REST package oda1 October 14, 2024 14:04:32 UTC October 14, 2024 14:04:32 UTC Success Generate OKV client wallets oda1 October 14, 2024 14:04:32 UTC October 14, 2024 14:04:35 UTC Success
The command creates an Oracle Key Vault server configuration
okvobj1
for the Oracle Key Vault server userepokvusr1
on the specified server.
Step 3: Copy TDE keys from source wallet to target wallet on Oracle Key Vault server using ODACLI commands
Use the odacli copy-okvtdewallet
command to copy the
TDE wallet to the Oracle Key Vault server. Specify the source wallet name
(--source-wallet-name | -swn
), target wallet Oracle Key Vault
server configuration object name (--target-okvserverconfig |
-tosc
), and the target wallet name (--target-wallet-name |
-twn
) in the command. A new wallet with the name specified for the
target wallet name (--target-wallet-name | -twn
) parameter is
created in the target Oracle Key Vault server. This wallet contains the TDE keys
copied from the source wallet.
If the source wallet is on a different Oracle Key Vault server than the
target wallet, then specify the source wallet Oracle Key Vault server details such
as the host name (--source-hostname | -shn
) or the IP address
(--source-ip | -sip
) of the server and the name of the user
that owns the wallet on the Oracle Key Vault server (--source-username |
-su
). You must provide a password when prompted in this case. This is
the password of the Oracle Key Vault user that owns the source wallet on the Oracle
Key Vault server. For multi-user access enabled systems, run this command as the
Oracle Key Vault user on Oracle Database Appliance.
There are three scenarios when you copy the TDE wallet:
Scenario 1: Copy the TDE wallet on the same Oracle Key Vault server with the same Oracle Key Vault user
odacli copy-okvtdewallet -swn tdeokv_on_oda8m013-c -tosc okvobj1 -twn tdeokvss
Job details
----------------------------------------------------------------
ID: 50df7dcc-8e17-48db-9206-879c44e57c20
Description: Copy wallet in OKV server
Status: Success
Created: June 20, 2024 2:56:02 AM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Creating a TDE wallet copy in the OKV June 20, 2024 2:56:03 AM CST June 20, 2024 2:57:17 AM CST Success
server
Scenario 2: Copy the TDE wallet on the same Oracle Key Vault server but using a different Oracle Key Vault user
In this case, the source and the target wallet are on the same Oracle Key Vault server but are owned by different users on the Oracle Key Vault server. The owner of the source wallet in the Oracle Key Vault must provide read and manage access permissions on the wallet to the owner of the target wallet on Oracle Key Vault before running the ODACLI command to copy the wallet.
- Log into the Oracle Key Vault server as the source wallet Oracle Key Vault user.
- Navigate to the Keys and Wallets tab. Select the source wallet checkbox and click the Edit icon.
- Navigate to the Wallet Access Settings section and click Add.
- In the dropdown list for Type, select Users, and then select the checkbox for the target wallet Oracle Key Vault user.
- In the Access Level section, select Read Only and Manage Wallet.
- Click Save.
odacli copy-okvtdewallet
command.odacli copy-okvtdewallet -swn tdeokv_on_oda8m013-c -tosc okvobj2 -twn tdeokvdu
Job details
----------------------------------------------------------------
ID: 50df7dcc-8e17-48db-9206-879c44e57c20
Description: Copy wallet in OKV server
Status: Success
Created: June 20, 2024 2:56:02 AM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Creating a TDE wallet copy in the OKV June 20, 2024 2:56:03 AM CST June 20, 2024 2:57:17 AM CST Success
server
Scenario 3: Copy the TDE wallet to a different Oracle Key Vault server
odacli copy-okvtdewallet
command. Specify the password of
the source wallet Oracle Key Vault user when prompted. For
example:odacli copy-okvtdewallet -swn tdeokv_on_oda8m013-c -sip xxx.xx.x.xxx -su epokvusr1 -tosc okvobj3 -twn tdeokvds
Enter OKV user password:
Retype OKV user password:
Job details
----------------------------------------------------------------
ID: 50df7dcc-8e17-48db-9206-879c44e57c20
Description: Copy wallet in OKV server
Status: Success
Created: June 20, 2024 2:56:02 AM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Creating a TDE wallet copy in the OKV June 20, 2024 2:56:03 AM CST June 20, 2024 2:57:17 AM CST Success
server
Alternate method for Step 3: Copying the TDE keys from the source database wallet to the target database wallet using the Oracle Key Vault user interface
- Log into the Oracle Key Vault server.
- Navigate to the Keys & Wallets tab.
- The Oracle Key Vault user must be provided read, write, and manage wallet permissions from the Access Settings section of the source database wallet.
- To create a new wallet, click Create.
- Specify the new name for the wallet of the target database.
- Copy the TDE keys of the source database when creating the new wallet. Search for the name of the source database in the Add Wallet Contents section. When the keys are displayed, select all TDE Master Encryption Key checkboxes for the database.
- To save the wallet, click Save.
- Run this step only if the Oracle Key Vault administrator has
created the wallet for the Oracle Key Vault user. Ensure that the
administrator provides read-write and manage-wallet access for the wallet to
the user after creation.
- Log into the Oracle Key Vault server as the Oracle Key Vault administrator.
- In the Keys & Wallets tab, select the checkbox for the newly-created wallet and click on the Edit option for the wallet.
- In the Wallet Access Settings, click Add.
- In the Select Endpoint/User Group section, select Users from the dropdown list.
- Select the checkbox for the Oracle Key Vault user to be provided access to the wallet.
- In the Access Level section, select Read and Modify and Manage Wallet options.
- To save the access settings for the wallet, click Save.
Step 4: Restoring TDE-enabled databases with TDE keys stored on Oracle Key Vault
Use the odacli irestore-database
command to restore a
TDE-enabled database with TDE keys stored on Oracle Key Vault. Specify the options
--enable-tde
, --okv-server-config
,
--okv-wallet-name
, and keystore-type
in the
command.
The option --enable-tde,-t
indicates that the restored
database must be configured with TDE, using the Oracle Key Vault server
configuration specified in the --okv-server-config
option. The
keystore of such irestored database is set to OKV
. The
okvServerConfigName
attribute of the restored database object
is set to the name of the Oracle Key Vault server configuration specified in the
irestore request. Specify the wallet name for the target database with the
--okv-wallet-name
parameter. This wallet must be present in the
Oracle Key Vault server and the TDE keys must be copied to the wallet before running
the irestore operation.
OKV
in this case in the
odacli irestore-database
command:odacli irestore-database -r /tmp/db1Backupreport.json -t -osc okvobj1 -kt OKV -own db2_wallet -n okvdb15
Enter SYS and SYSTEM user password:
Enter SYS and SYSTEM user password:
Job details
----------------------------------------------------------------
ID: dc44f3f0-5af3-4402-ad23-e923e1446371
Description: Database service recovery with DB name: okvdb15
Status: Success
Created: July 5, 2024 6:54:00 AM EDT
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Check if cluster ware is running oda1 July 5, 2024 6:54:23 AM EDT July 5, 2024 6:54:23 AM EDT Success
Check if cluster ware is running oda2 July 5, 2024 6:54:23 AM EDT July 5, 2024 6:54:24 AM EDT Success
Creating DbStorage for DbRestore oda1 July 5, 2024 6:54:25 AM EDT July 5, 2024 6:54:42 AM EDT Success
Validating DiskSpace for DATA oda1 July 5, 2024 6:54:25 AM EDT July 5, 2024 6:54:27 AM EDT Success
Setting up SSH equivalence oda1 July 5, 2024 6:54:27 AM EDT July 5, 2024 6:54:34 AM EDT Success
Configuring user access to ACFS oda1 July 5, 2024 6:54:38 AM EDT July 5, 2024 6:54:39 AM EDT Success
filesystems for okvdb15
Audit directory creation oda1 July 5, 2024 6:54:40 AM EDT July 5, 2024 6:54:40 AM EDT Success
Audit directory creation oda2 July 5, 2024 6:54:41 AM EDT July 5, 2024 6:54:41 AM EDT Success
Configure TDE for RestoreDb TaskFlow oda1 July 5, 2024 6:54:46 AM EDT July 5, 2024 6:56:07 AM EDT Success
Auxiliary Instance Creation oda1 July 5, 2024 6:54:50 AM EDT July 5, 2024 6:55:30 AM EDT Success
TDE Wallet directory creation oda1 July 5, 2024 6:55:30 AM EDT July 5, 2024 6:55:31 AM EDT Success
OKV Endpoint configuration oda1 July 5, 2024 6:55:31 AM EDT July 5, 2024 6:56:02 AM EDT Success
Auto login TDE Wallet creation oda1 July 5, 2024 6:56:02 AM EDT July 5, 2024 6:56:04 AM EDT Success
Password based TDE Wallet open oda1 July 5, 2024 6:56:04 AM EDT July 5, 2024 6:56:07 AM EDT Success
Create pfile for Auxiliary Instance oda1 July 5, 2024 6:56:07 AM EDT July 5, 2024 6:56:08 AM EDT Success
Rman duplicate oda1 July 5, 2024 6:56:08 AM EDT July 5, 2024 7:01:22 AM EDT Success
Creating pfile from spfile oda1 July 5, 2024 7:01:23 AM EDT July 5, 2024 7:01:24 AM EDT Success
Set PFile Ownership oda1 July 5, 2024 7:01:24 AM EDT July 5, 2024 7:01:24 AM EDT Success
Customize Db Parameters oda1 July 5, 2024 7:01:25 AM EDT July 5, 2024 7:01:36 AM EDT Success
Shutdown And Start database oda1 July 5, 2024 7:01:36 AM EDT July 5, 2024 7:06:51 AM EDT Success
Create spfile for restore db oda1 July 5, 2024 7:06:51 AM EDT July 5, 2024 7:06:53 AM EDT Success
Set PFile Ownership oda1 July 5, 2024 7:06:53 AM EDT July 5, 2024 7:06:53 AM EDT Success
Shutdown And Mount database oda1 July 5, 2024 7:06:54 AM EDT July 5, 2024 7:08:22 AM EDT Success
Re-Create control file oda1 July 5, 2024 7:08:23 AM EDT July 5, 2024 7:09:21 AM EDT Success
Removing Disabled Redo Threads oda1 July 5, 2024 7:09:21 AM EDT July 5, 2024 7:09:23 AM EDT Success
Updating DB attributes oda1 July 5, 2024 7:09:23 AM EDT July 5, 2024 7:09:25 AM EDT Success
Register Database taskflow oda1 July 5, 2024 7:09:30 AM EDT July 5, 2024 7:14:51 AM EDT Success
Create SPFile in shared loc oda1 July 5, 2024 7:09:30 AM EDT July 5, 2024 7:09:40 AM EDT Success
Delete Local Spfile oda1 July 5, 2024 7:09:40 AM EDT July 5, 2024 7:09:41 AM EDT Success
Register DB with clusterware oda1 July 5, 2024 7:09:41 AM EDT July 5, 2024 7:11:19 AM EDT Success
Add Startup Trigger to Open all PDBS oda1 July 5, 2024 7:11:20 AM EDT July 5, 2024 7:11:20 AM EDT Success
Set SysPassword and Create PwFile oda1 July 5, 2024 7:11:21 AM EDT July 5, 2024 7:11:24 AM EDT Success
Enable block change tracking oda1 July 5, 2024 7:11:25 AM EDT July 5, 2024 7:11:37 AM EDT Success
Creating pfile oda1 July 5, 2024 7:11:37 AM EDT July 5, 2024 7:11:39 AM EDT Success
Updating db env oda1 July 5, 2024 7:11:39 AM EDT July 5, 2024 7:11:40 AM EDT Success
Enable DbSizing Template oda1 July 5, 2024 7:11:40 AM EDT July 5, 2024 7:13:14 AM EDT Success
Update Database Global Name oda1 July 5, 2024 7:13:14 AM EDT July 5, 2024 7:13:17 AM EDT Success
Create tns entry oda1 July 5, 2024 7:13:18 AM EDT July 5, 2024 7:13:19 AM EDT Success
Create tns entry oda2 July 5, 2024 7:13:19 AM EDT July 5, 2024 7:13:21 AM EDT Success
Running datapatch oda1 July 5, 2024 7:13:21 AM EDT July 5, 2024 7:13:52 AM EDT Success
Set CPU pool oda1 July 5, 2024 7:13:52 AM EDT July 5, 2024 7:13:52 AM EDT Success
Reset Associated Networks for Database oda1 July 5, 2024 7:14:54 AM EDT July 5, 2024 7:15:00 AM EDT Success
Reset Associated Networks oda2 July 5, 2024 7:15:00 AM EDT July 5, 2024 7:15:01 AM EDT Success
Set log_archive_dest for Database oda1 July 5, 2024 7:15:01 AM EDT July 5, 2024 7:15:07 AM EDT Success
Setting Database parameter for OKV oda1 July 5, 2024 7:15:07 AM EDT July 5, 2024 7:16:43 AM EDT Success
Enable New Tablespace Encryption oda1 July 5, 2024 7:16:45 AM EDT July 5, 2024 7:16:47 AM EDT Success
Copy Pwfile to Shared Storage oda1 July 5, 2024 7:16:47 AM EDT July 5, 2024 7:16:58 AM EDT Success
Configure All Candidate Nodes oda1 July 5, 2024 7:16:58 AM EDT July 5, 2024 7:17:01 AM EDT Success
odacli copy-okvtdewallet
command,
specify the target Oracle Key Vault wallet name in the odacli
irestore-database
command.
odacli irestore-database -r /tmp/db1Backupreport.json -t -osc okvobj1 -kt OKV -own db2_wallet
Enter SYS and SYSTEM user password:
Enter SYS and SYSTEM user password:
Restoring TDE-Enabled Databases With Endpoints and Wallet Manually Created in Oracle Key Vault
Understand how you can restore TDE-enabled databases on Oracle Database Appliance using the endpoints and wallets created manually on Oracle Key Vault. This method supports creation of TDE-enabled databases on bare metal and DB systems.
Prerequisites
- To restore a database with primary role in an Oracle Data Guard configuration, TDE wallet for the target database must be created on the Oracle Key Vault server before you run the restore command. This TDE wallet is a copy of the wallet of the source database.
- To restore a database with a standby role in an Oracle Data Guard configuration, the TDE wallet copy must not be created. The TDE wallet of the primary database must be used for the standby database.
- The TDE wallet created must be set as the default wallet for the endpoints created.
- The
okvclient.jar
file corresponding to each endpoint must be downloaded and copied to the Oracle Database Appliance node on which you submit the database restore request.
Step 1: Copying the TDE keys from the source database wallet to the target database wallet using the Oracle Key Vault user interface
- Log into the Oracle Key Vault server.
- Navigate to the Keys & Wallets tab.
- The Oracle Key Vault user must be provided read, write, and manage wallet permissions from the Access Settings section of the source database wallet.
- To create a new wallet, click Create.
- Specify the new name for the wallet of the target database.
- Copy the TDE keys of the source database when creating the new wallet. Search for the name of the source database in the Add Wallet Contents section. When the keys are displayed, select all TDE Master Encryption Key checkboxes for the database.
- To save the wallet, click Save.
- Run this step only if the Oracle Key Vault administrator has
created the wallet for the Oracle Key Vault user. Ensure that the
administrator provides read-write and manage-wallet access for the wallet to
the user after creation.
- Log into the Oracle Key Vault server as the Oracle Key Vault administrator.
- In the Keys & Wallets tab, select the checkbox for the newly-created wallet and click on the Edit option for the wallet.
- In the Wallet Access Settings, click Add.
- In the Select Endpoint/User Group section, select Users from the dropdown list.
- Select the checkbox for the Oracle Key Vault user to be provided access to the wallet.
- In the Access Level section, select Read and Modify and Manage Wallet options.
- To save the access settings for the wallet, click Save.
Step 2: Creating endpoints and setting the default wallet
- Create endpoints corresponding to each instance. For Oracle RAC
database, create two endpoints corresponding to two instances. For
single-instance database, create one endpoint corresponding to one instance.
- In the Oracle Key Vault home page, navigate to the Endpoints tab and click Add.
- Specify the Endpoint Name. Select the Type as Oracle Database, Platform as Linux, and click Register.
- In the Default Wallet page, click Choose Wallet and set the default wallet for the created endpoints.
Step 3: Downloading the TDE wallet to Oracle Key Vault server using Oracle Key Vault commands
oracle
user and then follow
these steps:
- Create working directories such as
/tmp/work
and/tmp/work/client_wallet
. Navigate to the/tmp/work
directory. Download and extract the RESTful Service Utility from Oracle Key Vault server. You can view three directoriesbin
,lib
, andconf
.mkdir /tmp/work/ mkdir /tmp/work/client_wallet cd /tmp/work curl -Ok https://okv_server_ip:5695/okvrestclipackage.zip % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3750k 100 3750k 0 0 2500k 0 0:00:01 0:00:01 --:--:-- 2500k
- Extract the contents of
okvrestclipackage.zip
file. Edit theconf/okvrestcli.ini
file and add the Oracle Key Vault server IP address, user name, and path to the directory where the client auto login wallets are created. In the following example, the client auto login wallets are created in the/tmp/work/client_wallet
directory.#Provide absolute path for log_property, okv_client_config properties [Default] log_property=./conf/okvrestcli_logging.properties server=<okv_server_ip> okv_client_config=./conf/okvclient.ora user=<okv_user> client_wallet=/tmp/work/client_wallet
- Edit the
bin/okv
file and uncomment the lineexport OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini
file. SetJAVA_HOME
as follows:#!/bin/bash export OKV_RESTCLI_DIR=$(dirname "${0}")/.. export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini export JAVA_HOME=/opt/oracle/dcs/java/1.8.0_xxx if [ -z "$JAVA_HOME" ] then echo "JAVA_HOME environment variable is not set." exit 1 fi if [ -z "$OKV_RESTCLI_CONFIG" ] then echo "OKV_RESTCLI_CONFIG environment variable is not set." exit 1 fi export OKV_RESTCLI_JAR=$OKV_RESTCLI_DIR/lib/okvrestcli.jar $JAVA_HOME/bin/java -jar $OKV_RESTCLI_JAR "$@"
- Generate the client auto login wallets. Specify the Oracle Key
Vault password when
prompted.
/tmp/work/bin/okv admin client-wallet add --client-wallet /tmp/work/client_wallet --wallet-user okv_user Password:
- Create the endpoint corresponding to the wallet. For Oracle RAC
database, you must create two endpoints specific to each database instance.
Run this step only if the endpoints are not already created using the Oracle
Key Vault Server user interface.
/tmp/work/bin/okv admin endpoint create --endpoint endpoint_name --type ORACLE_DB --platform LINUX64 --strict-ip-check TRUE
- Set the wallet created in Step 1 as the default wallet for the
endpoints. For Oracle RAC database, the default wallet for both the
endpoints must be same TDE wallet. Run this step only if the TDE wallet is
not already set as the default wallet for the endpoints using the Oracle Key
Vault Server user interface.
/tmp/work/bin/okv manage-access wallet set-default --wallet <wallet_name> --endpoint <endpoint_name>
- Download the
okvclient.jar
file. For Oracle RAC database, download theokvclient.jar
file corresponding to both endpoints. After downloading the files, copy theokvclient.jar
corresponding to the remote instance to the remote node./tmp/work/bin/okv admin endpoint download --endpoint <endpoint_name> --location <location>
When you download the endpoints, if you encounter a message such asEndpoint token is already consumed
, then you must enroll the endpoint again as follows:/tmp/work/bin/okv admin endpoint download --endpoint endpoint_name --location location /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Failure", "message" : "Endpoint token is already consumed" } /tmp/work/bin/okv admin endpoint re-enroll --endpoint <endpoint_name> /tmp/work/log/okv0.log.0 (Permission denied) { "result" : "Success" } }
Step 4: Restoring TDE-enabled databases with TDE keys stored on Oracle Key Vault
For multi-user access-enabled systems, log in as database user. For
non-multi user access enabled systems, log in as the root
user. Use
the odacli irestore-database
command to restore a TDE-enabled
database with TDE keys stored on Oracle Key Vault. Specify the options
--enable-tde
, --okvclient-path
, and
keystore-type
in the command.
The option --enable-tde,-t
indicates that the restored
database must be configured with TDE. Use the option
--keystore-type,-kt
to specify the type of keystore for the TDE
configuration. Use the option --okvclient-path,-ocp
to specify the
absolute path to the okvclient.jar
file corresponding to the
database endpoint. For single-instance database, you can specify one value in the
--okvclient-path,-ocp
option, whereas for Oracle RAC database,
you can specify two values. Provide the TDE password when you are prompted. After
the restore operation of the database is successful, the Oracle Key Vault endpoint
software is installed in the /etc/OKV/db_unique_name/okv
location. The local auto login TDE wallets are created in the
/etc/OKV/db_unique_name/tde
location.
okvdb
without
using the Oracle Key Vault server configuration object, run the odacli
irestore-database
command as
follows:odacli irestore-database -r /tmp/bkpreport.json -n okvdb8 -y SI -t -kt OKV -ocp /tmp/okvclient.jar
Enter SYS and SYSTEM user password:
Retype SYS and SYSTEM user password:
Enter TDE wallet password:
Job details
----------------------------------------------------------------
ID: dce7bde6-7fc4-48ec-891b-649525f1ce4f
Description: Database service recovery with DB name: okvdb8
Status: Success
Created: August 28, 2024 2:50:46 PM CST
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Restore Database scaoda10ha13c2n1 August 28, 2024 2:51:09 PM CST August 28, 2024 2:58:11 PM CST Failure
Restore Database scaoda10ha13c2n1 August 28, 2024 2:51:10 PM CST August 28, 2024 2:58:10 PM CST Failure
Check if cluster ware is running scaoda10ha13c2n1 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:14 PM CST Success
Check if cluster ware is running scaoda10ha13c2n2 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:14 PM CST Success
Creating DbStorage for DbRestore scaoda10ha13c2n1 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:21 PM CST Success
Validating DiskSpace for DATA scaoda10ha13c2n1 August 28, 2024 2:51:14 PM CST August 28, 2024 2:51:15 PM CST Success
Setting up SSH equivalence scaoda10ha13c2n1 August 28, 2024 2:51:15 PM CST August 28, 2024 2:51:19 PM CST Success
Configuring user access to ACFS scaoda10ha13c2n1 August 28, 2024 2:51:20 PM CST August 28, 2024 2:51:20 PM CST Success
filesystems for okvdb8st
Audit directory creation scaoda10ha13c2n1 August 28, 2024 2:51:20 PM CST August 28, 2024 2:51:21 PM CST Success
Audit directory creation scaoda10ha13c2n2 August 28, 2024 2:51:21 PM CST August 28, 2024 2:51:21 PM CST Success
Configure TDE for RestoreDb TaskFlow scaoda10ha13c2n1 August 28, 2024 2:51:22 PM CST August 28, 2024 2:51:39 PM CST Success
Auxiliary Instance Creation scaoda10ha13c2n2 August 28, 2024 2:51:24 PM CST August 28, 2024 2:51:36 PM CST Success
TDE Wallet directory creation scaoda10ha13c2n1 August 28, 2024 2:51:36 PM CST August 28, 2024 2:51:36 PM CST Success
Installing OKV Client Software scaoda10ha13c2n2 August 28, 2024 2:51:36 PM CST August 28, 2024 2:51:37 PM CST Success
Auto login TDE Wallet creation scaoda10ha13c2n1 August 28, 2024 2:51:37 PM CST August 28, 2024 2:51:38 PM CST Success
Password based TDE Wallet open scaoda10ha13c2n1 August 28, 2024 2:51:38 PM CST August 28, 2024 2:51:39 PM CST Success
Install Object Store Swift module scaoda10ha13c2n2 August 28, 2024 2:51:58 PM CST August 28, 2024 2:52:16 PM CST Success
Restoring Spfile From Casper scaoda10ha13c2n2 August 28, 2024 2:52:16 PM CST August 28, 2024 2:52:38 PM CST Success
Customize Db Parameters scaoda10ha13c2n2 August 28, 2024 2:52:38 PM CST August 28, 2024 2:52:47 PM CST Success
Create spfile for restore db scaoda10ha13c2n2 August 28, 2024 2:52:47 PM CST August 28, 2024 2:52:48 PM CST Success
Restoring control file scaoda10ha13c2n2 August 28, 2024 2:52:48 PM CST August 28, 2024 2:53:11 PM CST Success
Mounting db scaoda10ha13c2n2 August 28, 2024 2:53:11 PM CST August 28, 2024 2:53:35 PM CST Success
Validating backup for RestoreDB scaoda10ha13c2n2 August 28, 2024 2:53:35 PM CST August 28, 2024 2:53:41 PM CST Success
Restoring DB for migration scaoda10ha13c2n2 August 28, 2024 2:53:41 PM CST August 28, 2024 2:54:26 PM CST Success
Change DBID and/or DBName scaoda10ha13c2n2 August 28, 2024 2:54:27 PM CST August 28, 2024 2:54:28 PM CST Success
Register Database taskflow scaoda10ha13c2n1 August 28, 2024 2:54:31 PM CST August 28, 2024 2:57:08 PM CST Success
Create SPFile in shared loc scaoda10ha13c2n2 August 28, 2024 2:54:31 PM CST August 28, 2024 2:54:37 PM CST Success
Delete Local Spfile scaoda10ha13c2n2 August 28, 2024 2:54:37 PM CST August 28, 2024 2:54:37 PM CST Success
Register DB with clusterware scaoda10ha13c2n2 August 28, 2024 2:54:37 PM CST August 28, 2024 2:55:23 PM CST Success
Set SysPassword and Create PwFile scaoda10ha13c2n1 August 28, 2024 2:55:23 PM CST August 28, 2024 2:55:25 PM CST Success
Enable block change tracking scaoda10ha13c2n2 August 28, 2024 2:55:26 PM CST August 28, 2024 2:55:28 PM CST Success
Creating pfile scaoda10ha13c2n2 August 28, 2024 2:55:28 PM CST August 28, 2024 2:55:29 PM CST Success
Updating db env scaoda10ha13c2n2 August 28, 2024 2:55:29 PM CST August 28, 2024 2:55:30 PM CST Success
Enable DbSizing Template scaoda10ha13c2n2 August 28, 2024 2:55:30 PM CST August 28, 2024 2:56:20 PM CST Success
Create tns entry scaoda10ha13c2n1 August 28, 2024 2:56:20 PM CST August 28, 2024 2:56:21 PM CST Success
Create tns entry scaoda10ha13c2n2 August 28, 2024 2:56:21 PM CST August 28, 2024 2:56:22 PM CST Success
Running datapatch scaoda10ha13c2n2 August 28, 2024 2:56:22 PM CST August 28, 2024 2:56:23 PM CST Success
Set CPU pool scaoda10ha13c2n1 August 28, 2024 2:56:23 PM CST August 28, 2024 2:56:23 PM CST Success
Reset Associated Networks for Database scaoda10ha13c2n2 August 28, 2024 2:57:10 PM CST August 28, 2024 2:57:13 PM CST Success
Reset Associated Networks scaoda10ha13c2n1 August 28, 2024 2:57:13 PM CST August 28, 2024 2:57:14 PM CST Success
Set log_archive_dest for Database scaoda10ha13c2n2 August 28, 2024 2:57:14 PM CST August 28, 2024 2:57:18 PM CST Success
Setting Database parameter for OKV scaoda10ha13c2n1 August 28, 2024 2:57:18 PM CST August 28, 2024 2:58:05 PM CST Success
Enable New Tablespace Encryption scaoda10ha13c2n2 August 28, 2024 2:58:07 PM CST August 28, 2024 2:58:08 PM CST Success
Deleting OKV Client Software Jar scaoda10ha13c2n2 August 28, 2024 2:58:09 PM CST August 28, 2024 2:58:09 PM CST Success
Copy Pwfile to Shared Storage scaoda10ha13c2n1 August 28, 2024 2:58:09 PM CST August 28, 2024 2:58:10 PM CST Success
odacli
irestore-database
command as follows. Specify the
okvclient.jar
file for the local database instance first,
followed by the path to the okvclient.jar
file for the remote
database instance in the request. In the following example, the
okvclient.jar
file in the /tmp/dir1
location
belongs to the local node and the okvclient.jar
file in the
/tmp/dir2
location belongs to the remote
node.odacli irestore-database -r /tmp/bkpreport.json -n okvdb7 -y RAC -t -kt OKV -ocp /tmp/dir1/okvclient.jar,/tmp/dir2/okvclient.jar
Enter SYS and SYSTEM user password:
Retype SYS and SYSTEM user password:
Enter TDE wallet password:
Job details
----------------------------------------------------------------
ID: 79b2d96c-0156-444b-b965-185b311f5110
Description: Database service recovery with DB name: okvdb7
Status: Success
Created: August 28, 2024 12:58:39 AM CST
Message:
Task Name Node Name Start Time End Time Status
---------------------------------------- ------------------------- ---------------------------------------- ---------------------------------------- ----------------
Check if cluster ware is running scaoda10ha13c2n1 August 28, 2024 12:59:07 AM CST August 28, 2024 12:59:07 AM CST Success
Check if cluster ware is running scaoda10ha13c2n2 August 28, 2024 12:59:07 AM CST August 28, 2024 12:59:07 AM CST Success
Creating DbStorage for DbRestore scaoda10ha13c2n1 August 28, 2024 12:59:07 AM CST August 28, 2024 12:59:14 AM CST Success
Validating DiskSpace for DATA scaoda10ha13c2n1 August 28, 2024 12:59:08 AM CST August 28, 2024 12:59:08 AM CST Success
Setting up SSH equivalence scaoda10ha13c2n1 August 28, 2024 12:59:09 AM CST August 28, 2024 12:59:12 AM CST Success
Configuring user access to ACFS scaoda10ha13c2n1 August 28, 2024 12:59:13 AM CST August 28, 2024 12:59:13 AM CST Success
filesystems for okvdb7
Audit directory creation scaoda10ha13c2n1 August 28, 2024 12:59:14 AM CST August 28, 2024 12:59:14 AM CST Success
Audit directory creation scaoda10ha13c2n2 August 28, 2024 12:59:14 AM CST August 28, 2024 12:59:14 AM CST Success
Configure TDE for RestoreDb TaskFlow scaoda10ha13c2n1 August 28, 2024 12:59:15 AM CST August 28, 2024 12:59:32 AM CST Success
Auxiliary Instance Creation scaoda10ha13c2n1 August 28, 2024 12:59:17 AM CST August 28, 2024 12:59:28 AM CST Success
TDE Wallet directory creation scaoda10ha13c2n1 August 28, 2024 12:59:28 AM CST August 28, 2024 12:59:28 AM CST Success
Installing OKV Client Software scaoda10ha13c2n1 August 28, 2024 12:59:28 AM CST August 28, 2024 12:59:29 AM CST Success
Installing OKV Client Software scaoda10ha13c2n2 August 28, 2024 12:59:30 AM CST August 28, 2024 12:59:31 AM CST Success
Auto login TDE Wallet creation scaoda10ha13c2n1 August 28, 2024 12:59:31 AM CST August 28, 2024 12:59:32 AM CST Success
Password based TDE Wallet open scaoda10ha13c2n1 August 28, 2024 12:59:32 AM CST August 28, 2024 12:59:32 AM CST Success
Install Object Store Swift module scaoda10ha13c2n2 August 28, 2024 12:59:51 AM CST August 28, 2024 1:00:09 AM CST Success
Restoring Spfile From Casper scaoda10ha13c2n1 August 28, 2024 1:00:09 AM CST August 28, 2024 1:00:28 AM CST Success
Customize Db Parameters scaoda10ha13c2n1 August 28, 2024 1:00:28 AM CST August 28, 2024 1:00:34 AM CST Success
Create spfile for restore db scaoda10ha13c2n1 August 28, 2024 1:00:34 AM CST August 28, 2024 1:00:35 AM CST Success
Restoring control file scaoda10ha13c2n1 August 28, 2024 1:00:35 AM CST August 28, 2024 1:00:58 AM CST Success
Mounting db scaoda10ha13c2n1 August 28, 2024 1:00:58 AM CST August 28, 2024 1:01:23 AM CST Success
Validating backup for RestoreDB scaoda10ha13c2n1 August 28, 2024 1:01:23 AM CST August 28, 2024 1:01:29 AM CST Success
Restoring DB for migration scaoda10ha13c2n1 August 28, 2024 1:01:29 AM CST August 28, 2024 1:10:54 AM CST Success
Re-Create control file scaoda10ha13c2n1 August 28, 2024 1:10:54 AM CST August 28, 2024 1:11:36 AM CST Success
Change DBID and/or DBName scaoda10ha13c2n1 August 28, 2024 1:11:36 AM CST August 28, 2024 1:14:34 AM CST Success
Removing Disabled Redo Threads scaoda10ha13c2n1 August 28, 2024 1:14:34 AM CST August 28, 2024 1:14:36 AM CST Success
Updating DB attributes scaoda10ha13c2n1 August 28, 2024 1:14:36 AM CST August 28, 2024 1:14:37 AM CST Success
Customize DB for Type RAC/RacOne scaoda10ha13c2n1 August 28, 2024 1:14:37 AM CST August 28, 2024 1:14:44 AM CST Success
Enable cluster ware for rac/racone db scaoda10ha13c2n1 August 28, 2024 1:14:45 AM CST August 28, 2024 1:14:45 AM CST Success
Building Cluster DB Views for Rac and scaoda10ha13c2n1 August 28, 2024 1:14:45 AM CST August 28, 2024 1:14:56 AM CST Success
RacOne
Register Database taskflow scaoda10ha13c2n1 August 28, 2024 1:14:58 AM CST August 28, 2024 1:20:24 AM CST Success
Create SPFile in shared loc scaoda10ha13c2n1 August 28, 2024 1:14:59 AM CST August 28, 2024 1:15:05 AM CST Success
Delete Local Spfile scaoda10ha13c2n1 August 28, 2024 1:15:05 AM CST August 28, 2024 1:15:05 AM CST Success
Register DB with clusterware scaoda10ha13c2n1 August 28, 2024 1:15:05 AM CST August 28, 2024 1:16:33 AM CST Success
Add Startup Trigger to Open all PDBS scaoda10ha13c2n1 August 28, 2024 1:16:33 AM CST August 28, 2024 1:16:33 AM CST Success
Set SysPassword and Create PwFile scaoda10ha13c2n1 August 28, 2024 1:16:34 AM CST August 28, 2024 1:16:38 AM CST Success
Enable block change tracking scaoda10ha13c2n1 August 28, 2024 1:16:38 AM CST August 28, 2024 1:16:54 AM CST Success
Creating pfile scaoda10ha13c2n1 August 28, 2024 1:16:55 AM CST August 28, 2024 1:16:56 AM CST Success
Updating db env scaoda10ha13c2n1 August 28, 2024 1:16:56 AM CST August 28, 2024 1:16:56 AM CST Success
Enable DbSizing Template scaoda10ha13c2n1 August 28, 2024 1:16:56 AM CST August 28, 2024 1:18:38 AM CST Success
Update Database Global Name scaoda10ha13c2n1 August 28, 2024 1:18:39 AM CST August 28, 2024 1:18:40 AM CST Success
Create tns entry scaoda10ha13c2n1 August 28, 2024 1:18:40 AM CST August 28, 2024 1:18:42 AM CST Success
Create tns entry scaoda10ha13c2n2 August 28, 2024 1:18:42 AM CST August 28, 2024 1:18:43 AM CST Success
Running datapatch scaoda10ha13c2n1 August 28, 2024 1:18:43 AM CST August 28, 2024 1:19:19 AM CST Success
Set CPU pool scaoda10ha13c2n1 August 28, 2024 1:19:19 AM CST August 28, 2024 1:19:19 AM CST Success
Reset Associated Networks for Database scaoda10ha13c2n1 August 28, 2024 1:20:26 AM CST August 28, 2024 1:20:30 AM CST Success
Reset Associated Networks scaoda10ha13c2n2 August 28, 2024 1:20:30 AM CST August 28, 2024 1:20:31 AM CST Success
Set log_archive_dest for Database scaoda10ha13c2n1 August 28, 2024 1:20:31 AM CST August 28, 2024 1:20:34 AM CST Success
Auto login TDE Wallet creation scaoda10ha13c2n1 August 28, 2024 1:20:34 AM CST August 28, 2024 1:20:36 AM CST Success
Setting Database parameter for OKV scaoda10ha13c2n1 August 28, 2024 1:20:36 AM CST August 28, 2024 1:22:17 AM CST Success
Enable New Tablespace Encryption scaoda10ha13c2n1 August 28, 2024 1:22:19 AM CST August 28, 2024 1:22:20 AM CST Success
Deleting OKV Client Software Jar scaoda10ha13c2n1 August 28, 2024 1:22:20 AM CST August 28, 2024 1:22:20 AM CST Success
Deleting OKV Client Software Jar scaoda10ha13c2n2 August 28, 2024 1:22:20 AM CST August 28, 2024 1:22:20 AM CST Success
Deleting TDE-enabled Databases
Understand how you can delete a TDE-enabled database on Oracle Database Appliance on bare metal and DB systems, that uses Oracle Key Vault to store TDE keys.
odacli delete-database
command to delete
TDE-enabled database with TDE keys stored on Oracle Key Vault. Use the
-n
option to specify the name of the database to be
deleted.odacli delete-database -n kokvdb1
{
"jobId" : "6f001840-5002-43ee-9067-e22930e36d58",
"status" : "Running",
"message" : null,
"reports" : [ {
"taskId" : "TaskDcsJsonRpcExt_2259",
"taskName" : "Validate DB 9aeeeb5f-afc5-4051-8bd1-00c62048ca01 for deletion",
"nodeName" : "scaoda6m006",
"taskResult" : "",
"startTime" : "July 15, 2024 15:40:50 PM CST",
"endTime" : "July 15, 2024 15:40:50 PM CST",
"duration" : "00:00:00.13",
"status" : "Success",
"taskDescription" : null,
"parentTaskId" : "TaskSequential_2257",
"jobId" : "6f001840-5002-43ee-9067-e22930e36d58",
"tags" : [ ],
"reportLevel" : "Info",
"updatedTime" : "July 15, 2024 15:40:50 PM CST"
} ],
"createTimestamp" : "July 15, 2024 15:40:49 PM CST",
"resourceList" : [ ],
"description" : "Database service deletion with DB name: kokvdb1 with ID : 9aeeeb5f-afc5-4051-8bd1-00c62048ca01",
"updatedTime" : "July 15, 2024 15:40:50 PM CST",
"jobType" : null
}
odacli describe-job -i 6f001840-5002-43ee-9067-e22930e36d58
Job details
----------------------------------------------------------------
ID: 6f001840-5002-43ee-9067-e22930e36d58
Description: Database service deletion with DB name: kokvdb1 with ID : 9aeeeb5f-afc5-4051-8bd1-00c62048ca01
Status: Success
Created: July 15, 2024 3:40:49 PM CST
Message:
Task Name Start Time End Time Status
---------------------------------------- ---------------------------------------- ---------------------------------------- ----------------
Validate DB July 15, 2024 3:40:50 PM CST July 15, 2024 3:40:50 PM CST Success
9aeeeb5f-afc5-4051-8bd1-00c62048ca01
for deletion
Deleting the RMAN logs July 15, 2024 3:40:50 PM CST July 15, 2024 3:40:51 PM CST Success
OKV Endpoint deletion July 15, 2024 3:40:51 PM CST July 15, 2024 3:40:56 PM CST Success
OKV Wallet deletion July 15, 2024 3:40:56 PM CST July 15, 2024 3:41:05 PM CST Success
OKV Files deletion July 15, 2024 3:41:05 PM CST July 15, 2024 3:41:05 PM CST Success
Database Deletion By RHP July 15, 2024 3:41:05 PM CST July 15, 2024 3:42:37 PM CST Success
Unregister DB From Cluster July 15, 2024 3:42:37 PM CST July 15, 2024 3:42:37 PM CST Success
Kill PMON Process July 15, 2024 3:42:37 PM CST July 15, 2024 3:42:37 PM CST Success
Database Files Deletion July 15, 2024 3:42:37 PM CST July 15, 2024 3:42:49 PM CST Success
Delete File Groups of Database kokvdb1 July 15, 2024 3:42:49 PM CST July 15, 2024 3:42:58 PM CST Success
Creating an Oracle Key Vault User Using BUI
Create a user with Oracle Key Vault server configuration entitlement on a multi-user access enabled Oracle Database Appliance.
Creating an Oracle Key Vault User with Browser User Interface
- Log into the Browser User Interface as the
odaadmin
user:https://host-ip-address:7093/mgmt/index.html
- Click the Multi-User Access tab.
- Click the Users link on the left-hand pane.
- Click Create User.
- In the Create User page, provide the User
ID, specify the Role as
ODA-OKVCONFIGADMIN
, and provide the ODA Password for this user. Note that the same user credentials work for login for BUI and ODACLI commands. - Click Create.
- The job is submitted and a confirmation page appears with a link to the job. Click the link to view the job progress, tasks, and status. After you close the Job confirmation page, you can click the Activity tab to monitor the job progress. Click the job number to view the tasks and status details. Click Refresh to refresh the page.
- The account is created with Inactive state. Log into the BUI with the user credentials. You are prompted to change the password. Change the password and log into the BUI with the new password.
Creating Oracle Key Vault Server Configuration Object Using the BUI
Understand how you can create TDE-enabled database on Oracle Database Appliance with TDE keys stored in Oracle Key Vault on bare metal and DB systems using the BUI.
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html
- Click Credential Store, then click Oracle Key Vault Server Config.
- The existing Oracle Key Vault server configurations are displayed.
- Click Create and create an Oracle Key Vault server configuration.
- In the Create OKV Server Config page, specify the OKV Server Config Name, OKV Server Host, OKV Server IP address, OKV User Name, and Password.
- Click Create.
- Confirm the creation request job and verify that the job completed successfully.
Granting and Revoking Access on Oracle Key Vault Server Configuration Using BUI
Understand how you can grant and revoke access to Oracle Key Vault server configuration on Oracle Database Appliance on bare metal and DB systems using BUI.
Granting and Revoking Access to Oracle Key Vault server configurations
Follow these steps:
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html
- Click Credential Store, then click Oracle Key Vault Server Config.
- You can view all existing Oracle Key Vault server configurations.
- To grant access to an existing Oracle Key Vault server configuration, select the Oracle Key Vault server configuration, and from the Actions drop-down list, select Grant Access.
- In the Grant Resource Access page, select the User Name to whom you want to grant access to the resource.
- Click Grant.
- Click Yes to confirm the action.
- To revoke access to an existing Oracle Key Vault server configuration, select the Oracle Key Vault server configuration, and from the Actions drop-down list, select Revoke Access.
- In the Revoke Resource Access page, select the User Name from whom you want to revoke access to the resource.
- Click Revoke.
- Click Yes to confirm the action.
Managing Oracle Key Vault Server Configuration Operations Using BUI
Understand how you can manage Oracle Key Vault server configuration operations on Oracle Database Appliance on bare metal and DB systems.
Listing and Deleting Oracle Key Vault server configurations:
Follow these steps:
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html
- Click Credential Store, then click Oracle Key Vault Tasks.
- You can view all existing Oracle Key Vault server configurations.
- To delete an existing Oracle Key Vault server configuration, select the Oracle Key Vault server configuration, and from the Actions drop-down list, select Delete.
Manual Migration and Encryption of Data into TDE-Enabled Database
Understand how you can migrate transportable tablespaces to TDE-enabled database on Oracle Database Appliance.
- Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS database with Oracle Key Vault enabled on Oracle Database Appliance. - Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM database with Oracle Key Vault enabled on Oracle Database Appliance. - Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM CDB database with Oracle Key Vault enabled on Oracle Database Appliance. - Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS CDB database with Oracle Key Vault enabled on Oracle Database Appliance.
Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS database with Oracle Key Vault enabled on Oracle Database Appliance.
Step 1: Export the tablespace from the source database
- Create a tablespace TBS01 and table TAB1 on source database
DBNOTDE Create an extra tablespace TBS01 on the source database, and then,
create table TAB1 on the new tablespace.
SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO ### ### Checks if a set of tablespaces (to be transported) is self-contained ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed.
- Create the database directory in the source database DBNOTDE
to be used for the export. Create a database directory object in the
destination database to be used by
expdp
.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL>
- Export the TBS01 tablespace from souce database DBNOTDE. First,
set the tablespace to be copied in READ ONLY mode. Next, run
expdp
on the designated tablespace. Review the log files forexpdp
stored under the database directoryttsps_dir
.### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Export: Release 19.0.0.0.0 - Production on Mon Nov 6 12:47:00 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Mon Nov 6 12:47:19 2023 elapsed 0 00:00:14
- Move data files to the destination database server and edit the status of
the data file in the source database DBNOTDE to
READ WRITE
. Move the data file to the TDE-enabled database server in the location/u02/app/oracle/oradata/dbtde/DBTDE/datafile
.### ### login as oracle user ### $ cp /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf /u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf ### ### In source database, set the tablespace back to read write mode ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, DBTDE as
the destination database, as described in the earlier procedure. Copy the
data file and tablespace of the source database to this database using
expdp
andimpdp
. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n dbtde -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ACFS # odacli describe-database -n dbtde Database details ---------------------------------------------------------------- ID: e261b9f8-8212-499b-840e-eb6ea3e09447 Description: dbtde DB Name: dbtde DB Type: SI CDB: false Storage: ACFS Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV
- Create the database directory in the Oracle Key Vault-enabled
destination database for the import operation. The source database expdp
dump file and output for impdp is stored in the database directory object.
Copy the expdp dump file from the source database server to this server, and
use the impdp dump file to add tablespace metadata to destination
database.
### ### login as sysdba user and run the following: ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created.
- Import the TBS01 tablespace to the destination database DBTDE.
Copy the
expdp
dump file of the source database to the database directoryttsps_dir
. Theimpdp
uses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf\' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Import: Release 19.0.0.0.0 - Production on Mon Nov 6 12:53:37 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/******** TRANSPORT_DATAFILES='/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Mon Nov 6 12:53:46 2023 elapsed 0 00:00:03
- Enable and test encryption on the destination Oracle Key
Vault-enabled
database.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES TEMP ONLINE YES USERS ONLINE YES TBS01 READ ONLY NO SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE YES SYSAUX ONLINE YES UNDOTBS1 ONLINE YES TEMP ONLINE YES USERS ONLINE YES TBS01 ONLINE YES ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ wallet_root string /etc/OKV/dbtde SQL> ! mv /etc/OKV/dbtde/tde/cwallet.sso /etc/OKV/dbtde/tde/cwallet.sso.orig SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE ; SQL> select OWNER, table_name from tab1 where rownum < 3; select OWNER, table_name from tab1 where rownum < 3 * ERROR at line 1: ORA-28365: wallet is not open SQL> ! mv /etc/OKV/dbtde/tde/cwallet.sso.orig /etc/OKV/dbtde/tde/cwallet.sso SQL> select OWNER, table_name from tab1 where rownum < 3 2 ; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$
Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM database with Oracle Key Vault enabled on Oracle Database Appliance.
Step 1: Export the tablespace from the source database
- Create a tablespace TBS01 and table TAB1 on source database
ASMNOTDE Create an extra tablespace TBS01 on the source database, and then,
create table TAB1 on the new tablespace.
SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE NO SQL> SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 ### ### Checks if a set of tablespaces (to be transported) is self-contained ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed.
- Create the database directory in the source database ASMNOTDE
to use for the export. Create a database directory object in the destination
database for
expdp
.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created.
- Export the TBS01 tablespace from the souce database ASMNOTDE.
First, set the tablespace to be copied in READ ONLY mode. Next, run
expdp
on the designated tablespace. Review the dump files forexpdp
stored under the database directoryttsps_dir
.### ### Set the tablespaces that you need to be exported in read-only mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Export: Release 19.0.0.0.0 - Production on Tue Nov 7 10:12:19 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttpsasm.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Tue Nov 7 10:12:49 2023 elapsed 0 00:00:20
- Move data files to the destination database server and edit the
status of the data file in the source database ASMNOTDE to
READ WRITE
.### ### login to grid user ### Copying datafiles from ASM to filesystem ### $ asmcmd cp +DATA/ASMNOTDE/DATAFILE/tbs01.295.1165369089 /home/grid/tbs01.dbf copying +DATA/ASMNOTDE/DATAFILE/tbs01.295.1165369089 -> /home/grid/tbs01.dbf ### ### In source database, set the tablespace back to read write mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, ASMTDE as
the destination database. Copy the data file and tablespace of the source
database to this database using
expdp
andimpdp
. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n asmtde -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ASM # odacli describe-database -n asmtde Database details ---------------------------------------------------------------- ID: 5dfa97d9-d774-4a4a-93a2-d21a36faf283 Description: asmtde DB Name: asmtde DB Type: SI CDB: false Storage: ASM Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV
- Copy the data file from file system to the destination Oracle
ASM location of
ASMTDE.
### ### login to grid user ### $ asmcmd cp /home/grid/tbs01.dbf +DATA/ASMTDE/DATAFILE/tbs01 --dest_dbname ASMTDE copying /home/grid/tbs01.dbf -> +DATA/ASMTDE/DATAFILE/tbs01 ASMCMD> ls --permission User Group Permission Name dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSAUX.292.1165368127 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSTEM.279.1165368093 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- UNDOTBS1.290.1165368143 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- USERS.288.1165368875 grid@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01 => +DATA/ASMTDE/DATAFILE/tbs01.294.1165425531 grid@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01.294.1165425531 ASMCMD> chown dbusr1@66d5786e6a057fd3bfa6ca745d993aef tbs01 ASMCMD> ls --permission User Group Permission Name dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSAUX.292.1165368127 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- SYSTEM.279.1165368093 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- UNDOTBS1.290.1165368143 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- USERS.288.1165368875 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01 => +DATA/OKVDB2/DATAFILE/tbs012.294.1165425531 dbusr1@66d5786e6a057fd3bfa6ca745d993aef rw------- tbs01.294.1165425531
- Create the database directory in the ASMTDE database for the
import.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created.
- Import the TBS01 tablespace to the destination database ASMTDE.
Copy the
expdp
dump file of the source database to the database directoryttsps_dir
. Theimpdp
uses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf\' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Import: Release 19.0.0.0.0 - Production on Mon Nov 6 12:53:37 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/******** TRANSPORT_DATAFILES='/u02/app/oracle/oradata/dbtde/DBTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf' DIRECTORY=ttsps_dir dumpfile=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed
- Enable and test encryption on the destination Oracle Key
Vault-enabled
database.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE YES TBS01 READ ONLY NO 6 rows selected. SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE YES TBS01 ONLINE YES 6 rows selected. ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ wallet_root string /etc/OKV/asmtde SQL> ! mv /etc/OKV/asmtde/tde/cwallet.sso /etc/OKV/asmtde/tde/cwallet.sso.orig SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE ; SQL> select OWNER, table_name from tab1 where rownum < 3; select OWNER, table_name from tab1 where rownum < 3 * ERROR at line 1: ORA-28365: wallet is not open SQL> ! mv /etc/OKV/asmtde/tde/cwallet.sso.orig /etc/OKV/asmtde/tde/cwallet.sso SQL> select OWNER, table_name from tab1 where rownum < 3 2 ; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$
Migrating Tablespaces from Non-TDE Oracle ASM Database to Oracle ASM CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ASM database to Oracle ASM CDB database with Oracle Key Vault enabled on Oracle Database Appliance.
Step 1: Export the tablespace from the source database
- Create a tablespace TBS01 and table TAB1 on source database
ASMNOTDE Create an extra tablespace TBS01 on the source database, and then,
create table TAB1 on the new tablespace.
SQL> SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 ### ### Checks if a set of tablespaces (to be transported) is self-contained ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed.
- Create the database directory in the source database ASMNOTDE
to use for the export. Create a database directory object in the destination
database for
expdp
.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created.
- Export the TBS01 tablespace from the souce database ASMNOTDE.
First, set the tablespace to be copied in READ ONLY mode. Next, run
expdp
on the designated tablespace. Review the dump files forexpdp
stored under the database directoryttsps_dir
.### ### Set the tablespaces that you need to be exported in read-only mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. SQL> ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Export: Release 19.0.0.0.0 - Production on Tue Nov 7 10:12:19 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttpsasm.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttpsasm.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: +DATA/ASMNOTDE/DATAFILE/tbs01.374.1152267015 Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Tue Nov 7 10:12:49 2023 elapsed 0 00:00:20
- Move data files to the destination database server and edit the
status of the data file in the source database ASMNOTDE to
READ WRITE
.### ### login to grid user ### Copying datafiles from ASM to filesystem ### $ asmcmd cp +DATA/ASMNOTDE/DATAFILE/tbs01.295.1165369089 /home/grid/tbs01.dbf copying +DATA/ASMNOTDE/DATAFILE/tbs01.295.1165369089 -> /home/grid/tbs01.dbf ### ### In source database, set the tablespace back to read write mode ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, ASMTDE as
the destination database. Copy the data file and tablespace of the source
database to this database using
expdp
andimpdp
. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n asmtde -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ASM --cdb -d pdbadmin -p pdb1 # odacli describe-database -n asmtde Database details ---------------------------------------------------------------- ID: 5dfa97d9-d774-4a4a-93a2-d21a36faf283 Description: asmtde DB Name: asmtde DB Type: SI CDB: true PDB Name: PDB2 PDB Admin User Name: pdbadmin Storage: ASM Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV ### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> col PDB_NAME for a20 SQL> select PDB_NAME,GUID from dba_pdbs ; PDB_NAME GUID -------------------- -------------------------------- PDB1 1599A96E256A8B99E063BE6B1F0AC02B PDB$SEED 15998A6665985353E063BE6B1F0A494A
- Copy the data file from file system to the destination Oracle
ASM location of ASMTDE. Ensure that you set the relevant permissions after
copying the
file.
### ### login to grid user ### $ asmcmd cp /home/grid/tbs01.dbf +DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01 --dest_dbname ASMTDE copying /home/grid/tbs01.dbf -> +DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01 $ asmcmd ASMCMD> pwd +DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE ASMCMD> ls --permission User Group Permission Name dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSAUX.332.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSTEM.333.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- UNDOTBS1.331.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- USERS.335.1165769685 grid@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- tbs01 => +DATA/ASMTDE/DATAFILE/tbs01.338.1165770781 ASMCMD> chown dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 tbs01 ASMCMD> ASMCMD> ls --permission User Group Permission Name dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSAUX.332.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- SYSTEM.333.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- UNDOTBS1.331.1165769683 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- USERS.335.1165769685 dbusr1@00eea686ffb0ff1bbf28c0b8362cccf6 rw------- tbs01 => +DATA/ASMTDE/DATAFILE/tbs01.338.1165770781
- Create tnsnames service for
PDB1.
### ### Edit the file $ORACLE_HOME/network/admin/tnsnames.ora with the following content ### PDB1 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = <server-name>)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = pdb1.test)
- Create the directory in PDB1 for the
import.
### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER SESSION SET CONTAINER=PDB1 ; SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL>
- Import the tablespace to PDB1. Copy the
expdp
dump file of the source database to the database directoryttsps_dir
. Theimpdp
uses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system@pdb1 TRANSPORT_DATAFILES=\'+DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01\' DIRECTORY=ttsps_dir dumpfile=expttpsasm.dmp Import: Release 19.0.0.0.0 - Production on Mon Apr 8 17:52:09 2024 Version 19.23.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/********@pdb1 TRANSPORT_DATAFILES='+DATA/ASMTDE/1599A96E256A8B99E063BE6B1F0AC02B/DATAFILE/tbs01' DIRECTORY=ttsps_dir dumpfile=expttpsasm.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Mon Apr 8 17:52:18 2024 elapsed 0 00:00:03
- Enable and test encryption on the destination Oracle Key
Vault-enabled database
PDB1.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> alter session set container=pdb1 ; Session altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 READ ONLY NO 6 rows selected. SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE YES 6 rows selected. ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 2 ; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ wallet_root string /etc/OKV/asmtde SQL> ! mv /etc/OKV/asmtde/tde/cwallet.sso /etc/OKV/asmtde/tde/cwallet.sso.orig SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE ; SQL> select OWNER, table_name from tab1 where rownum < 3; select OWNER, table_name from tab1 where rownum < 3 * ERROR at line 1: ORA-28365: wallet is not open SQL> ! mv /etc/OKV/asmtde/tde/cwallet.sso.orig /etc/OKV/asmtde/tde/cwallet.sso SQL> select OWNER, table_name from tab1 where rownum < 3 2 ; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$
Migrating Tablespaces from Non-TDE Oracle ACFS Database to Oracle ACFS CDB Database on Oracle Database Appliance
Understand how you can migrate tablespaces from non-TDE Oracle ACFS database to Oracle ACFS CDB database with Oracle Key Vault enabled on Oracle Database Appliance.
Step 1: Export the tablespace from the source database
- Create a tablespace TBS01 and table TAB1 on source database
DBNOTDE Create an extra tablespace TBS01 on the source database, and then,
create table TAB1 on the new tablespace.
### ### login as Oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO SQL> create tablespace TBS01 datafile size 10g ; Tablespace created. SQL> SQL> create table tab1 tablespace TBS01 as select a.* from dba_tables a ,dba_users b, dba_users c ; Table created. SQL> select count(*) from tab1 ; COUNT(*) ---------- 3028228 SQL> SQL> select TABLESPACE_NAME, ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE NO SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf SQL> ### ### Checks if a set of tablespaces (to be transported) is self-contained ### SQL> EXECUTE DBMS_TTS.TRANSPORT_SET_CHECK('tbs01',true) ; PL/SQL procedure successfully completed.
- Create the database directory in the source database DBNOTDE
to be used for the export. Create a database directory object in the
destination database to be used by
expdp
.### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL>
- Export the TBS01 tablespace from souce database DBNOTDE. First,
set the tablespace to be copied in READ ONLY mode. Next, run
expdp
on the designated tablespace. Review the log files forexpdp
stored under the database directoryttsps_dir
.### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ ONLY; Tablespace altered. ### ### Run expdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ expdp system TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Export: Release 19.0.0.0.0 - Production on Mon Nov 6 12:47:00 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Starting "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01": system/******** TRANSPORT_TABLESPACES=TBS01 TRANSPORT_FULL_CHECK=YES DIRECTORY=ttsps_dir DUMPFILE=expttps.dmp Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Master table "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded ****************************************************************************** Dump file set for SYSTEM.SYS_EXPORT_TRANSPORTABLE_01 is: /u01/app/odaorabase0/oracle/dpdump/ttsps_dir/expttps.dmp ****************************************************************************** Datafiles required for transportable tablespace TBS01: /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf Job "SYSTEM"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at Mon Nov 6 12:47:19 2023 elapsed 0 00:00:14
- Move data files to the destination database server and edit the
status of the data file in the source database DBNOTDE to
READ WRITE
. Move the data file to the TDE-enabled database server in the PDB2 data files location.### ### login as oracle user ### $ cp /u02/app/oracle/oradata/dbnotde/DBNOTDE/datafile/o1_mf_tbs01_lnlgn65j_.dbf /u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/ ### ### In source database, set the tablespace back to read write mode ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER TABLESPACE TBS01 READ WRITE;
Step 2: Import the tablespaces into a TDE-enabled database
- Create a TDE-enabled database with Oracle Key Vault, CDBTDE as
the destination database. Copy the data file and tablespace of the source
database to this database using
expdp
andimpdp
. Create the database on an Oracle Database Appliance using the Browser User Interface (BUI) or ODACLI commands. For example:# odacli create-database -n okvdb2 -t -kt okv -osc adminobj1 -dh e2a65596-6435-4410-9e8d-6b21a6005779 -r ACFS --cdb -d pdbadmin -p pdb2 # odacli describe-database -n cdbtde Database details ---------------------------------------------------------------- ID: c1ba7c6a-2808-4a20-bf23-e35cb62c3fd0 Description: cdbtde DB Name: cdbtde DB Type: SI CDB: true PDB Name: PDB2 PDB Admin User Name: pdbadmin Storage: ACFS Home ID: e2a65596-6435-4410-9e8d-6b21a6005779 TDE Wallet Management: ODA TDE Enabled: true KeystoreType : OKV ### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### Take a note of PDB2 GUID which helps to determine the path of PDB2 datafiles ### SQL> col PDB_NAME for a20 SQL> select PDB_NAME,GUID from dba_pdbs ; PDB_NAME GUID -------------------- -------------------------------- PDB2 092546916A493FE5E063E730850AF5BE PDB$SEED 15998A6665985353E063BE6B1F0A494A
- Create tnsnames service for
PDB2.
### ### Edit the file $ORACLE_HOME/network/admin/tnsnames.ora with the following content ### PDB2 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = <server-name>)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = pdb2.test)
- Create directory in PDB2 for the
import.
### ### login as oracle user ### $ mkdir -pv /u01/app/odaorabase0/oracle/dpdump/ttsps_dir mkdir: created directory ‘/u01/app/odaorabase0/oracle/dpdump/ttsps_dir’ ### ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> ALTER SESSION SET CONTAINER=PDB2 ; SQL> CREATE DIRECTORY ttsps_dir AS '/u01/app/odaorabase0/oracle/dpdump/ttsps_dir'; Directory created. SQL>
- Import the TBS01 tablespace to the destination database PDB2
container on CDBTDE. Copy the
expdp
dump file of the source database to the database directoryttsps_dir
. Theimpdp
uses the dump file to add tablespace metadata to destination database. TRANSPORT_DATAFILES references the location of the data file in the destination database.### ### Run impdb as SYSTEM user, password for SYSTEM need to be entered when prompted ### $ impdp system@pdb2 TRANSPORT_DATAFILES=\'/u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/o1_mf_tbs01_lnlgn65j_.dbf\' DIRECTORY=ttsps_dir dumpfile=exp1.dmp Import: Release 19.0.0.0.0 - Production on Thu Nov 9 21:42:25 2023 Version 19.25.0.0.0 Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved. Password: Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Master table "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully loaded/unloaded Starting "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01": system/********@pdb2 TRANSPORT_DATAFILES='/u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/o1_mf_tbs01_lnlgn65j_.dbf' DIRECTORY=ttsps_dir dumpfile=exp1.dmp Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK Processing object type TRANSPORTABLE_EXPORT/TABLE Processing object type TRANSPORTABLE_EXPORT/STATISTICS/TABLE_STATISTICS Processing object type TRANSPORTABLE_EXPORT/STATISTICS/MARKER Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK Job "SYSTEM"."SYS_IMPORT_TRANSPORTABLE_01" successfully completed at Thu Nov 9 21:42:52 2023 elapsed 0 00:00:19
- Enable and test encryption on the destination Oracle Key
Vault-enabled database
PDB1.
### ### login as oracle user ### Connect to database using SQLPLUS as sysdba user ( sqlplus / as sysdba ) and run the following ### SQL> alter session set container=pdb2 ; Session altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 READ ONLY NO SQL> alter tablespace TBS01 read write ; Tablespace altered. SQL> alter tablespace TBS01 encryption online encrypt ; Tablespace altered. SQL> select TABLESPACE_NAME, STATUS , ENCRYPTED from dba_tablespaces ; TABLESPACE_NAME STATUS ENC ------------------------------ --------- --- SYSTEM ONLINE NO SYSAUX ONLINE NO UNDOTBS1 ONLINE NO TEMP ONLINE NO USERS ONLINE NO TBS01 ONLINE YES SQL> select FILE_NAME from dba_data_files where TABLESPACE_NAME='TBS01' ; FILE_NAME -------------------------------------------------------------------------------- /u02/app/oracle/oradata/cdbtde/CDBTDE/092546916A493FE5E063E730850AF5BE/datafile/ o1_mf_tbs01_lnx8h50f_.dbf ### ### Retrieve the data from TAB1 ### SQL> select OWNER, table_name from tab1 where rownum < 3 OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$ ### ### When the wallet is closed or unavailable, same SQL does not retrieve data ### To simulate wallet absence rename the cwallet.sso wallet under <wallet_root>/tde to some other name like cwallet.sso.orig ### and close the wallet. To return auto-login wallet , rename file back to cwallet.sso and run the SQL again. ### SQL> show parameter wallet_root NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ wallet_root string /etc/OKV/cdbtde SQL> ! mv /etc/OKV/cdbtde/tde/cwallet.sso /etc/OKV/cdbtde/tde/cwallet.sso.orig SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE ; SQL> select OWNER, table_name from tab1 where rownum < 3; select OWNER, table_name from tab1 where rownum < 3 * ERROR at line 1: ORA-28365: wallet is not open SQL> ! mv /etc/OKV/cdbtde/tde/cwallet.sso.orig /etc/OKV/cdbtde/tde/cwallet.sso SQL> select OWNER, table_name from tab1 where rownum < 3 2 ; OWNER -------------------------------------------------------------------------------- TABLE_NAME -------------------------------------------------------------------------------- SYS TS$ SYS ICOL$
Working with Databases
Use the Browser User Interface to display a list of databases, database details, and create and delete databases. You can use CLI commands to manage your databases.
Note:
Oracle Database Appliance enables unified auditing for databases created in new database homes. Unified audit trail captures audit information and places them in one location and in one format. This consolidated view enables auditors to co-relate audit information from different components. Having a single audit trail also improves management and security of the audit trail. For more information about unified audit trail for Oracle Database, see Oracle Database Security Guide.- Viewing Databases
Use the Oracle Appliance Manager Browser User Interface to display a list of Oracle databases and database details, create, upgrade, and delete a database in Oracle Database Appliance. - Creating a Database Using the Browser User Interface
Use the Oracle Appliance Manager Browser User Interface to create a database in Oracle Database Appliance. - Managing Database Homes on Oracle ACFS Storage
Use the Oracle Appliance Manager Browser User Interface or ODACLI commands to manage database home storage in Oracle Database Appliance. - Creating a Database Using ODACLI Commands
Create a database from the command-line interface. - Cloning a Database from Backup
Use the Browser User Interface to clone a database from a backup. - Cloning an Oracle ACFS Database
Create a database from an existing Oracle ACFS database using ODACLI commands or BUI. - Modifying a Database
Use the Oracle Appliance Manager Browser User Interface or ODACLI commands to modify a database in Oracle Database Appliance. - Moving a Database from One Oracle Home to Another
Use the Oracle Appliance Manager Browser User Interface or ODACLI commands to move a database from one Oracle home to another of the same database version. - Upgrading a Database
Use the Oracle Appliance Manager Browser User Interface to upgrade an Oracle database to a different database home version. - Upgrading a Database Manually Using AutoUpgrade
Use AutoUpgrade to manually upgrade an earlier release of Oracle database on Oracle Database Appliance. - Deleting a Database
Use the Oracle Appliance Manager Browser User Interface to delete an Oracle database.
Parent topic: Managing Oracle Databases
Viewing Databases
Use the Oracle Appliance Manager Browser User Interface to display a list of Oracle databases and database details, create, upgrade, and delete a database in Oracle Database Appliance.
Parent topic: Working with Databases
Creating a Database Using the Browser User Interface
Use the Oracle Appliance Manager Browser User Interface to create a database in Oracle Database Appliance.
Note:
For Standard Edition Oracle Database 19c or later, you cannot create Oracle RAC or Oracle RAC One Node Database. You can only create single-instance Oracle Database. For Standard Edition Oracle Database 19.6 or later, you can choose to enable high availability for single-instance database. For Enterprise Edition Oracle Database 19.15 or later or Oracle Database 21.6 or later, you can choose to enable high availability for single-instance databases.The Browser User Interface provides a quick and easy method of creating new databases. The Create New Database page in the Browser User Interface is populated with default options for most of the configuration options. Drop-down lists enable you to quickly view and select from a list of available options. You can use the drop-down list to create a new database Oracle Database Home (ORACLE_HOME) for the database or select an existing ORACLE_HOME that you created earlier.
Oracle Database 19.26 is
supported on both Oracle Automatic Storage Management (Oracle ASM) and Oracle ASM
Cluster file system (Oracle ACFS). When databases are created in Oracle ACFS, each
database is configured with its own Oracle ACFS file system for the datafiles and
uses the following naming convention: /u02/app/db
user/oradata/db unique
name
. The default size of this mount point is 100 GB.
Follow these steps to create a database:
After you close the Job confirmation page, you can click the Activity tab to monitor the job progress. Click the job number to view the tasks and status details. Click Refresh to refresh the page.
Parent topic: Working with Databases
Managing Database Homes on Oracle ACFS Storage
Use the Oracle Appliance Manager Browser User Interface or ODACLI commands to manage database home storage in Oracle Database Appliance.
Managing Database Home Storage Using the Browser User Interface
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html
- Click the Database tab.
- Click Database Home Storage on the left pane.
- If Database Home Storage is not configured, then click on the Configure Database Home Storage button.
- Select the Disk Group Name and specify the Size in GB.
- Click Create. When prompted, click Yes to confirm that you want to start the job to configure the database home storage.
- You can also view a list of all Database Home storages from the Database tab and view details for each database.
- To modify Database Home Storage, select Modify in the Actions drop down list.
Managing Database Home Storage Using ODACLI Commands
- Use the
odacli configure-dbhome-storage
command to configure the database home storage:# odacli configure-dbhome-storage -dg DATA
- Use the
odacli list-dbhome-storages
command to list the database home storages:# odacli list-dbhome-storages
- Use the
odacli describe-dbhome-storages
command to describe a database home storage:odacli describe-dbhome-storage -i 67622ce6-0a00-4fec-b948-7a0ba7922311
For more information about these command options, see the Oracle Database Appliance Command Line Reference chapter in this guide.
Creating a Database Using ODACLI Commands
Create a database from the command-line interface.
Note:
If you provisioned the appliance without creating an initial database, then you must create a Oracle home. If the version of the database home is different from the migrated database, create a database home for the migrated database. You might want to create a database home specifically for the migrated database.Caution:
When you enable Transparent Data Encryption (TDE) on databases, with software keystore or Oracle Key Vault keystore with endpoints in Oracle Key Vault, you are prompted to set a password for the TDE wallet. Provide a strong password for security compliance. Enter this password carefully when setting it for the first time, and ensure that this password is available to you at all times for database management operations. Failure to provide the TDE wallet password when prompted, will cause an error in accessing encrypted data.This example creates a new database named PRODDB
with database
version 19.26, and a new database home, if a database
home does not exist.
Parent topic: Working with Databases
Cloning a Database from Backup
Use the Browser User Interface to clone a database from a backup.
-
The source database backup location must be Object Store or External FRA (Network File System).
-
If you use Object Store backup location, then obtain Object Store Credentials for the host.
-
If you use an External FRA (Network File System) backup location, then obtain the Network File System (NFS) mount point location.
-
Create a backup policy using the object store credentials or NFS mount point as the backup destination.
-
Attach the backup policy to the database that you want to backup. If the source database does not have TDE enabled, then providing the Backup Encryption password is mandatory when attaching Objectstore backup policy. However, the Backup Encryption password is optional when attaching the NFS backup policy. If the source database has TDE enabled, then you need not specify the Backup Encryption password, irrespective of backup destination.
-
Create a manual backup of the database and save the backup report generated when the backup completes.
Parent topic: Working with Databases
Cloning an Oracle ACFS Database
Create a database from an existing Oracle ACFS database using ODACLI commands or BUI.
-
Create a database from another database without bringing down the source database
-
Create multiple databases from a gold image, thus ensuring standardized mass deployments
-
Optimize space utilization, by use of Oracle ACFS snapshots in cloning
-
Create different types of databases, from a single source database type. For example, you can create single-instance databases, Oracle RAC databases, or Oracle RAC One Node databases from any type of source database
-
Depending on the available memory and CPU cores, specify a supported database shape such as
odb1s
,odb2
, and so on, to create any class of database from any source database. - Create clone databases on a standby system. Since standby systems are not production systems, they are a better choice for seeding test or development environments.
- Run clone database from a database home that is different from that of the source database.
- Create clone database from a read-only source database.
- Create read-only clone database from any source database.
-
Ensure that Oracle Clusterware is running on all nodes, and the source database is up and running.
-
The source database must use Oracle ACFS storage.
-
The source database must not be a multitenant container database (CDB).
- The source database must be opened in either read-write mode, or read-only mode if it is a primary database. A standby database can be in mounted or read-only open mode.
-
The source database must not be in backup mode.
-
The source database must be in archive mode.
- All data files of the source database must be in the same Oracle ACFS directory.
Note:
For Standard Edition Oracle Database 19c or later, you cannot clone Oracle RAC or Oracle RAC One Node Database. You can only clone a single-instance Oracle Database. For Standard Edition Oracle Database 19.6 or later, you can choose to enable high-availability for single-instance database.Cloning an Oracle ACFS Database Using Command Line Interface
- Run the
odacli clone-database
command.odacli clone-database --databaseUniqueName --dbname --dbshape --dbtype --sourcedbname --associated-networks --cpupool --dbhomeid --disable-ha --enable-ha --newhome --read-only --tdepassword--json
For cloning, you can create a new database home or select an existing database home. To create a new database home, specify the
--newhome
option. To use an existing database home, specify the--dbhomeid
. Specify the unique name of the database, the name for the new database, the database shape, the type of database, and the source database name. For TDE-enabled database, also specify the--tdepassword
option. The TDE password of the new database must be the same as the TDE password of the source database.For information about all the command options, see the ODACLI Command Reference chapter.
Cloning an Oracle ACFS Database Using the Browser User Interface
Related Topics
Parent topic: Working with Databases
Modifying a Database
Use the Oracle Appliance Manager Browser User Interface or ODACLI commands to modify a database in Oracle Database Appliance.
Modifying a Database Using the Browser User Interface
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html
- Click the Database tab.
- For the database that you want to modify, select Modify in the Actions drop down list.
- In the Modify Database page, you can attach or detach associated
networks and backup policy, and modify database shape and class. You can also
change TDE wallet management from
EXTERNAL
toODA
for Oracle Database 19c and later databases. - To modify the Database Class or Database Shape, select the new value in the drop down list.
- To attach or detach networks, modify the values in the Attach Networks and Detach Networks fields.
- To remove the associated backup policy from the database, do not select any value in the Select Back up Policy drop down list.
- If you configured Oracle Flex disk group when you created the database, you can also modify the database redundancy. If the database you are modifying is an Oracle ACFS Database, then the database redundancy for all cloned Oracle ACFS databases is modified.
- You can choose to change the Backup Encryption Password. If the database has TDE enabled, then the RMAN Backup Encryption password is not used.
- Note that if the database uses Oracle Key Vault server configuration, then you cannot modify any TDE options.
- Select the Specify TDE Option to perform these
operations:
- Select Re-key TDE Master Encryption Key to re-key the TDE master encryption key of the database. Specify the Current TDE Wallet password.
- Select Change Password for TDE Wallet and specify the Current TDE Password and the New TDE Password.
- If the TDE wallet management is set to
EXTERNAL
, then you can view and select the Change TDE Wallet Management option, and set it toODA
.
- For Enterprise Edition Oracle Database 19.15 or later or Oracle Database 21.6 or later, you can choose to Enable High Availability for single-instance databases.
- For Standard Edition Oracle Database 19.6 or later, you can choose to Enable High Availability for single-instance databases.
- Click Modify. When prompted, click Yes to confirm that you want to start the job to modify the database.
Modifying a Database Using ODACLI Commands
- Use the
odacli modify-database
command to modify the configuration of a database, such as backup configuration, database class, database type, TDE key, or to change the TDE wallet management fromEXTERNAL
toODA
.# odacli modify-database -s database_shape -cl database_class -i dbid
For example:# odacli modify-database -i 1941d594-c777-4eca-9fce-18b778d5c153 -s odb2 -cl DSS
For example, the following command re-keys the TDE master encryption key of the database after accepting the current TDE Wallet password.
# odacli modify-database -n testdb -rkt Enter TDE wallet password:
For more information about the
odacli modify-database
command options, see the Oracle Database Appliance Command Line Reference chapter in this guide.
Related Topics
Parent topic: Working with Databases
Moving a Database from One Oracle Home to Another
Use the Oracle Appliance Manager Browser User Interface or ODACLI commands to move a database from one Oracle home to another of the same database version.
Moving a Database Using the Browser User Interface
- Log into the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html
- Click the Database tab.
- For the database that you want to modify, select Move in the Actions drop down list.
- Select the Destination Database Home where you want to move the database. The destination database home must be of the same base version. Select Ignore Missing Patches to ignore missing patches. For high-availability environment, you can select the Non-Rolling check box to perform non-rolling move of the database home.
- Click Move. When prompted, click Yes to confirm that you want to start the job to move the database.
Moving a Database Using ODACLI Commands
- Use the
odacli move-database
command to move a database from one Oracle home to another home of the same database version.# odacli move-database -i database_ID -dh destination_database_home_ID
For more information about the
odacli move-database
command options, see the Oracle Database Appliance Command Line Reference chapter in this guide.
Related Topics
Parent topic: Working with Databases
Upgrading a Database
Use the Oracle Appliance Manager Browser User Interface to upgrade an Oracle database to a different database home version.
Note:
You cannot upgrade Oracle RAC or Oracle RAC One Node Database to a destination database home of Standard Edition Oracle Database 19c or later. You must first convert Oracle RAC Or Oracle RAC One Node Database to single-instance Oracle Database using theodacli
modify-database
command and then upgrade the
single-instance Oracle Database to a destination database home of
Standard Edition 19c or later.
Parent topic: Working with Databases
Upgrading a Database Manually Using AutoUpgrade
Use AutoUpgrade to manually upgrade an earlier release of Oracle database on Oracle Database Appliance.
- The Oracle Database Appliance server must be on Oracle Database Appliance release 19.19 or later.
- The repository must be updated with the target database clone version on the source and target Oracle Database Appliance systems.
Parent topic: Working with Databases
Deleting a Database
Use the Oracle Appliance Manager Browser User Interface to delete an Oracle database.
Parent topic: Working with Databases
Working with Database Homes
Use the Browser User Interface to display a list of database homes, details, and create and delete database homes.
- About Managing Multiple Oracle Homes on Oracle Database Appliance
Create and manage one or more Oracle home directories and Oracle databases on Oracle Database Appliance. - Viewing Database Homes
Use the Browser User Interface to display a list of database homes and database home details, including databases associated with a DB home. - Creating a Database Home
Use the Browser User Interface to create database homes in Oracle Database Appliance. - Deleting a Database Home
Use the Browser User Interface to delete an Oracle database home.
Parent topic: Managing Oracle Databases
About Managing Multiple Oracle Homes on Oracle Database Appliance
Create and manage one or more Oracle home directories and Oracle databases on Oracle Database Appliance.
Oracle home is the directory in which you install Oracle Database binaries, and from which Oracle Database runs. Oracle Database Appliance supports multiple Oracle homes, including support of different release Oracle Database homes. You can create multiple Oracle databases on a given Oracle home. Use Oracle Appliance Manager Browser User Interface to create and manage multiple Oracle homes and databases on Oracle Database Appliance. Oracle Database Appliance Manager automatically creates an Oracle Database Oracle home that is compliant with Oracle’s Optimal Flexible Architecture (OFA) standards.
Check the Oracle Database Appliance Release Notes to obtain information about the specific Oracle software releases supported for your Oracle Database Appliance platform.
When you use ODACLI commands to create multiple homes on Oracle Database Appliance, the commands start the Oracle Home cloning process. In Oracle Database Appliance deployments, the user oracle
is the default software installation owner.
You can use the Browser User Interface or the command-line interface to create and manage databases.
Use ODACLI commands to create, list, describe, and delete databases on Oracle Database Appliance. The odacli create-database
command enables you to create a database with minimal user input. When you run this command without any additional options, the command creates a new database home (ORACLE_HOME). You can create a database in an existing home by using the --dbhomeid
option. To find the dbhomeid, use the odacli list-dbhomes
command.
Alternatively, you can use the Browser User Interface to create list, describe and delete databases and database homes. You can display a list of all Database Homes that includes the database home name, ID, version, the date and time that the database home was created and the location on the same page. You can also create and delete database homes on the Browser User Interface.
Caution:
Do not apply Oracle Database patches directly to Oracle Databases on Oracle Database Appliance. Only use Oracle Database Appliance patch bundles, which are tested to work across the whole software stack. If a one-off database patch is required, it may be applied to the Oracle Home. When you apply the Oracle Database Appliance patch bundle, it may cause a conflict during future patching events and you might need to roll back and then re-apply the patch.
Parent topic: Working with Database Homes
Viewing Database Homes
Use the Browser User Interface to display a list of database homes and database home details, including databases associated with a DB home.
Parent topic: Working with Database Homes
Creating a Database Home
Use the Browser User Interface to create database homes in Oracle Database Appliance.
Parent topic: Working with Database Homes
Deleting a Database Home
Use the Browser User Interface to delete an Oracle database home.
Parent topic: Working with Database Homes
Migrating Databases
Review these topics to learn how to prepare for and migrate an entire database to your Oracle Database Appliance.
- About Migrating Databases
You can migrate an entire active container database (CDB) or non-CDB database to an Oracle Database Appliance machine by using the RMAN duplicate command. - Configuring a Static Listener
Configure a static listener before you duplicate a database. - Migrating a Database
Use theRMAN Duplicate
command to migrate the entire database to the appliance. - Registering a Database
Use theodacli register-database
command to register the migrated database with the appliance.
Parent topic: Managing Oracle Databases
About Migrating Databases
You can migrate an entire active container database (CDB) or non-CDB database to an Oracle Database Appliance machine by using the RMAN duplicate command.
When using RMAN Duplicate, ensure to have network connectivity from source and target databases:
-
Source database: The existing database to be migrated.
-
Target database: The new database created on an Oracle Database Appliance environment.
If you do not have network connectivity between the source and the target environments, you can use the offline migration method. Offline migration uses RMAN backup sets for duplication, which does not require connectivity to the primary database.
At a high level, the procedure involves the following steps:
-
Deploy or update Oracle Database Appliance to the latest version.
Confirm that the provisioning completed successfully. On bare metal systems, use the command
odacli list-jobs
and the commandodacli describe-job
to verify the status. -
Create an instance only database from the command-line interface.
-
On bare metal systems, use the command
odacli create-database
with theinstanceonly
flag on an Oracle Database Appliance machine. The new database is the target database.
Creating an instance only database also creates the following:
-
ACFS Filesystem used to store the database files
-
Directory structures that are required by the database instance/rman duplicate command
-
Password file for the SYS user
-
-
Configure a static listener.
-
Migrate the existing database to the target database using the backup and restore operations.
-
Register the migrated database with the appliance.
Note:
You can only migrate and register a database of the same storage type. For example, to migrate and register an Oracle ACFS database, you must create an Oracle ACFS database and then migrate and register it. Similarly, to to migrate an Oracle ASM database, you must create an Oracle ASM database and then migrate it.Parent topic: Migrating Databases
Configuring a Static Listener
Configure a static listener before you duplicate a database.
The static listener is only required when using RMAN Duplicate command.
Perform the following steps to manually configure the listener.ora
file:
Parent topic: Migrating Databases
Migrating a Database
Use the RMAN Duplicate
command to migrate the entire database to the appliance.
Parent topic: Migrating Databases
Registering a Database
Use the odacli register-database
command to register the migrated database with the appliance.
The dbclass
, dbshape
, servicename
and password are mandatory for registering the database. The dbclass
and dbshape
determine the sga_target
and pga_target
settings. The database init.ora
parameters are reset as part of the odacli register-database
command. Review the init.ora
parameters after registration and ensure that the parameters set correctly.
Follow these steps to register a database:
Parent topic: Migrating Databases
About Registering a TDE-Enabled Database
Understand the process to register Transparent Data Encryption (TDE) enabled databases.
Starting with Oracle Database Appliance release 19.12, a new attribute called
TDE Wallet Management
is added to the database. The TDE Wallet
Management
value can be either EXTERNAL
, which means TDE is not
configured by Oracle Database Appliance, or the value can be ODA
, which
means TDE is configured by Oracle Database Appliance. If the database is not TDE-enabled,
then the value of the TDE Wallet Management
attribute is NULL. If a
database of release 18c or later is registered, then its TDE wallet management attribute
value is ODA
by default. If a database of release earlier than 18c is
registered, then the TDE wallet management attribute value is EXTERNAL
by
default. The examples with sample output are provided at the end of this topic.
For Oracle Database release 19c or later, if the TDE Wallet Management
value is EXTERNAL
, then you can change this value to ODA
using the --change-tdewallet-mgmt
option in the odacli
modify-database
command. You must provide the TDE password when prompted.
TDE Wallet Management
value can be changed from EXTERNAL
to ODA
while upgrading
the database to 19c or later using the --change-tdewallet-mgmt
option in
the odacli upgrade-database
command.
Note:
Oracle Database Appliance does not support the conversion of a non-TDE database to a TDE-enabled database.Note:
In this Oracle Database Appliance release, you cannot register a TDE-enabled database with TDE Keys stored on Oracle Key Vault.Prerequisites to Register a TDE-Enabled Database
- You can use either the software keystore or the hardware keystore to configure TDE.
- If TDE is configured using the software keystore, then you must use only the
SQLNET.ENCRYPTION_WALLET_LOCATION
parameter. - If TDE is configured using the software keystore, then for bare metal
deployments, password-protected wallet (
ewallet.p12
) and autologin TDE wallet (cwallet.sso
) must be available in the location/opt/oracle/dcs/commonstore/wallets/tde/db_uniquename/
. - If autologin TDE wallet (
cwallet.sso
) is not present but password-protected wallet (ewallet.p12
) is present, then TDE password must be provided in the register database request. - For Oracle Database Appliance DB systems deployments, if TDE is configured
using Software keystore, then TDE must be configured using the
WALLET_ROOT
parameter and TDE wallets must be at location+DATA/DB_UNIQUE_NAME/tde
. - The instance name of the database being registered must be same as the database name. This condition also applies to the databases that do not have TDE enabled.
When TDE Wallet Management
value is
EXTERNAL
TDE Wallet
Management
value is EXTERNAL
:
- TDE wallet re-key using ODACLI commands is not supported. You can connect to
the database and re-key the TDE
wallet.
# odacli modify-database -in db_name -rkt Enter TDE wallet password: DCS-10040:Operation 'Re-Key of TDE wallet' is not supported: TDE wallet management is not ODA.
- TDE wallet password change using ODACLI commands is not
supported.
# odacli modify-database -in db_name -ctp Enter current TDE wallet password: Enter new TDE wallet password: Retype new TDE wallet password: DCS-10040:Operation 'Password change of TDE wallet' is not supported: TDE wallet management is not ODA.
- TDE wallet backup is not
supported.
# odacli create-backup -in database_name -c tdewallet DCS-10040:Operation 'Backup of TDE wallet' is not supported: TDE wallet management is not ODA.
- TDE wallet is not backed up while performing database
backup.
# odacli create-backup -in database_name -bt regular-l0 { "jobId" : "49153a90-d4bd-45e7-b3b7-46078621b895", "status" : "Created", "message" : null, "reports" : [ ], "createTimestamp" : "August 24, 2021 05:59:53 AM UTC", "resourceList" : [ ], "description" : "Create regular-l0 Backup[TAG:auto][Db:db_name][OSS:example]", "updatedTime" : "August 24, 2021 05:59:53 AM UTC" } # odacli describe-job -i 49153a90-d4bd-45e7-b3b7-46078621b895 Job details ---------------------------------------------------------------- ID: 49153a90-d4bd-45e7-b3b7-46078621b895 Description: Create regular-l0 Backup[TAG:auto][Db:db_name][OSS:example] Status: Success Created: August 24, 2021 5:59:53 AM UTC Message: Task Name Start Time End Time Status ---------------------------------------- ----------------------------------- ----------------------------------- ---------- Validate backup config August 24, 2021 5:59:56 AM UTC August 24, 2021 5:59:56 AM UTC Success Container validation August 24, 2021 5:59:56 AM UTC August 24, 2021 5:59:57 AM UTC Success libopc existence check August 24, 2021 5:59:57 AM UTC August 24, 2021 5:59:57 AM UTC Success Backup Validations August 24, 2021 5:59:57 AM UTC August 24, 2021 6:00:02 AM UTC Success Recovery Window validation August 24, 2021 6:00:02 AM UTC August 24, 2021 6:00:05 AM UTC Success Archivelog deletion policy configuration August 24, 2021 6:00:05 AM UTC August 24, 2021 6:00:08 AM UTC Success Database backup August 24, 2021 6:00:08 AM UTC August 24, 2021 6:02:06 AM UTC Success # odacli describe-backupreport -i b75c7ffa-68f8-4eea-8f12-bfe30b8c92f7 | grep -i tde "tdeWalletLoc" : null,
- Restore of TDE wallet is not
supported.
# odacli restore-tdewallet -in db_name Enter TDE wallet password: DCS-10040:Operation 'Restore of TDE wallet' is not supported: TDE wallet management is not ODA.
- Cloning of TDE-enabled database is not
supported.
odacli clone-database -n db_name2 -f db_name -u db_name2 Enter SYS user password: Retype SYS user password: DCS-10040:Operation 'Cloning of TDE database' is not supported: TDE wallet management is not ODA.
- When you move the database from one database home to another database home,
the
SQLNET.ENCRYPTION_WALLET_LOCATION
parameter is updated in the destination database home. - When you upgrade the database, the
SQLNET.ENCRYPTION_WALLET_LOCATION
parameter is updated in the new database home. - When you update the database home, the
SQLNET.ENCRYPTION_WALLET_LOCATION
parameter is updated in the new database home. - When you delete a database, the TDE wallet is not deleted.
- For Oracle Database Appliance DB systems, only databases that have TDE configured using
the
WALLET_ROOT
parameter can be registered.
Example 9-1 Sample output of TDE-enabled database registered in bare metal deployments
# odacli describe-database -in mydb
Database details
----------------------------------------------------------------
ID: 47de99d6-62cc-4623-a38c-1ac880e7082c
Description: mydb
DB Name: mydb
DB Version: 19.11.0.0.210420
DB Type: SI
DB Role: PRIMARY
DB Target Node Name: node1
DB Edition: EE
DBID: 2987837625
Instance Only Database: false
CDB: false
PDB Name:
PDB Admin User Name:
High-Availability Enabled: false
Class: OLTP
Shape: odb1
Storage: ASM
DB Redundancy:
CharacterSet: AL32UTF8
National CharacterSet: AL16UTF16
Language: AMERICAN
Territory: AMERICA
Home ID: 6717bed4-104a-415b-8d26-c0de634a2c85
Console Enabled: false
TDE Enabled: false
TDE Wallet Management: External
Level 0 Backup Day: Sunday
AutoBackup Enabled: true
Created: May 18, 2021 3:33:13 AM UTC
DB Domain Name: example_domain
Associated Networks: Public-network
CPU Pool Name:
Example 9-2 Sample output of TDE-enabled database registered in Oracle Database Appliance DB System deployments
# odacli describe-database -in mydb
odacli describe-database -in mydb
Database details
----------------------------------------------------------------
ID: 47de99d6-62cc-4623-a38c-1ac880e7082c
Description: mydb
DB Name: mydb
DB Version: 19.11.0.0.210420
DB Type: SI
DB Role: PRIMARY
DB Target Node Name: node1
DB Edition: EE
DBID: 2987837625
Instance Only Database: false
CDB: false
PDB Name:
PDB Admin User Name:
High-Availability Enabled:false
Class: OLTP
Shape: odb1
Storage: ASM
DB Redundancy:
CharacterSet: AL32UTF8
National CharacterSet: AL16UTF16
Language: AMERICAN
Territory: AMERICA
Home ID: 6717bed4-104a-415b-8d26-c0de634a2c85
Console Enabled: false
TDE Enabled: false
TDE Wallet Management: ODA
Level 0 Backup Day: Sunday
AutoBackup Enabled: true
Created: May 18, 2021 4:33:13 AM UTC
DB Domain Name: example_domain
Associated Networks: Public-network
CPU Pool Name:
Example 9-3 Sample output of TDE-enabled database registered in Oracle Database Appliance when password-protected wallet (ewallet.p12) exists but not the autologin TDE wallet (cwallet.sso)
# odacli register-database -sn example_service --dbclass OLTP --dbshape odb2
Enter SYS user password:
DCS-10011:Input parameter 'TDE wallet password' cannot be NULL.Required to generate Autologin wallet at /opt/oracle/dcs/commonstore/wallets/tde/db_name
odacli register-database -sn example_service --dbclass OLTP --dbshape odb2 -tp
Enter SYS, SYSTEM and PDB Admin user password:
Retype SYS, SYSTEM and PDB Admin user password:
Enter TDE wallet password
Retype TDE wallet password:
{
"jobId" : "4903b711-f144-4aed-9bf6-31c79dbce261",
"status" : "Created",
"message" : null,
"reports" : [ ],
"createTimestamp" : "August 25, 2021 05:42:13 AM UTC",
"resourceList" : [ ],
"description" : "Database service registration with db service name: example_service",
"updatedTime" : "August 25, 2021 05:42:14 AM UTC"
}
# odacli describe-job -i 4903b711-f144-4aed-9bf6-31c79dbce261
Job details
----------------------------------------------------------------
ID: 4903b711-f144-4aed-9bf6-31c79dbce261
Description: Database service registration with db service name: example_service
Status: Success
Created: August 25, 2021 5:42:13 AM UTC
Message:
Task Name Start Time End Time Status
---------------------------------------- ----------------------------------- ----------------------------------- ----------
TDE parameter validate at destination August 25, 2021 5:42:14 AM UTC August 25, 2021 5:42:14 AM UTC Success
Enable OMF parameters August 25, 2021 5:42:17 AM UTC August 25, 2021 5:42:17 AM UTC Success
Setting db character set August 25, 2021 5:42:17 AM UTC August 25, 2021 5:42:18 AM UTC Success
Move Spfile to right location August 25, 2021 5:42:18 AM UTC August 25, 2021 5:42:24 AM UTC Success
Enable DbSizing Template August 25, 2021 5:42:24 AM UTC August 25, 2021 5:43:15 AM UTC Success
Copy Pwfile to Shared Storage August 25, 2021 5:43:16 AM UTC August 25, 2021 5:43:20 AM UTC Success
Running DataPatch August 25, 2021 5:43:20 AM UTC August 25, 2021 5:43:32 AM UTC Success
configuring TDE August 25, 2021 5:43:32 AM UTC August 25, 2021 5:44:51 AM UTC Success
Reset Associated Networks August 25, 2021 5:44:52 AM UTC August 25, 2021 5:44:55 AM UTC Success
Parent topic: Managing Oracle Databases
About Managing Multiple Database Instances Using Instance Caging
Use instance caging to manage your system resources on Oracle Database Appliance.
Oracle Database provides a method for managing CPU allocations on a multi-CPU server that runs multiple database instances. This method is called instance caging. Instance caging uses an initialization parameter to limit the number of CPUs that an instance can use simultaneously.
Instance caging and Oracle Database Resource Manager (the Resource Manager) work together to support your desired service levels across multiple instances. Consolidation can minimize idle resources, maximize efficiency, and lower costs.
Oracle Database Appliance templates are already tuned for the size of each database instance workload. They are designed to run on a specific number of cores. Instance caging ensures that each database workload is restricted to the set of cores allocated by the template, enabling multiple databases to run concurrently with no performance degradation, up to the capacity of Oracle Database Appliance. You can select database template sizes larger than your current needs to provide for planned growth.
Note:
Oracle strongly recommends that you use the Oracle Database Appliance templates, because they implement best practices and are configured specifically for Oracle Database Appliance.
The Oracle Database Appliance Manager interface refers to the database sizing templates as database classes.
By default, instance caging is not enabled on Oracle Database Appliance. To enable instance caging, set the initialization parameter, RESOURCE_MANAGER_PLAN
, for each database on Oracle Database Appliance. The parameter specifies the plan to be used by the Resource Manager for the current instance. Setting this parameter directs the Resource Manager to allocate core resources among databases. If a plan is not specified with this parameter, then the Resource Manager and instance caging are not enabled.
Instance caging allocation of core resources is enabled in accordance with the Oracle Database Appliance database template size that you select for each database. The CPU_COUNT
initialization parameter is set in the template. Use the CPU_COUNT
setting that matches the size of each database to consolidate, and follow the standard instructions for configuring instance caging.
Parent topic: Managing Oracle Databases
Oracle EM Express and DB Console
You can use Oracle Enterprise Manager Database Express (EM Express), or the Database Control Console (DB Console) to manage your database.
The EM Express console is available for supported releases of Oracle Database. The consoles are web-based tools for managing Oracle Databases.
The EM Express console provides the following features:
-
Support for basic administrative tasks, such as storage and user management
-
Comprehensive solutions for performance diagnostics and tuning
-
Performance advisors in a graphic user interface
-
Oracle Database utilities in a graphic user interface, such as SQL*Loader and Oracle Recovery Manager (RMAN)
EM Express is built inside the database server and cannot perform actions outside the database.
Parent topic: Managing Oracle Databases