
How to Unplug and Plug a PDB Having TDE from One Container to Another



How to Unplug and Plug a PDB Having Encryption (TDE) from One Container to Another

Setup Overview
Source Container: CDB01
Number of PDBs in Source Container: 2 (PDB01 and PDB02)
PDB01 using TDE
PDB02 using TDE
Target Container: CDB02
Note: Even if the PDB you are unplugging and re-plugging into another container does not have any encrypted objects but does have wallet keys, it is treated exactly the same as a PDB having encrypted objects.
Task: In this post I will unplug PDB02 from CDB01 and plug it into CDB02 on the same host without copying the datafiles (using the NOCOPY method).
Precheck
1) Perform Full PDB backup of PDB02 database.
2) Create PDB description XML file for PDB(PDB02)
SQL> exec dbms_pdb.describe (PDB_DESCR_FILE=>'/u01/app/oracle/PDB02.xml', PDB_NAME=>'PDB02');
3) Verify the status of the PDB.
SQL> select pdb_name, status from cdb_pdbs where pdb_name in ('PDB02');
4) Check the compatibility of the PDB with the target CDB
SQL> set serveroutput on
SQL> BEGIN
  -- TRUE means the PDB described in the XML file can be plugged in without violations
  IF dbms_pdb.check_plug_compatibility('/u01/app/oracle/PDB02.xml') THEN
    dbms_output.put_line('no violations found');
  ELSE
    dbms_output.put_line('violations found');
  END IF;
END;
/
SQL> SELECT type, message, action FROM pdb_plug_in_violations WHERE name = 'PDB02';
At this point, resolve any violations found. If there are none, proceed with the unplug.

How to Unplug a PDB Having Encrypted Objects from CDB to Plug into Another CDB

Step1> Check if wallet keys are available in Source PDB
SQL>col creator for a5
SQL>col key_use for a10
SQL>col keystore_type for a25
SQL>col origin for a10
SQL>col creator_pdbname for a15
SQL>col activating_pdbname for a15

select con_id,substr(key_id,1,6)||'...' "KEY_ID...",creator,key_use,keystore_type,origin,creator_pdbname,activating_pdbname from v$encryption_keys;
    CON_ID KEY_ID...     CREAT KEY_USE    KEYSTORE_TYPE             ORIGIN     CREATOR_PDBNAME ACTIVATING_PDBN
---------- ------------- ----- ---------- ------------------------- ---------- --------------- ---------------
         0 AdiYqO...     SYS   TDE IN PDB SOFTWARE KEYSTORE         LOCAL      PDB02           PDB02

1 row selected.
As you can see, PDB02 does have wallet keys. Once a PDB has wallet keys, you must export and import those keys as well to be able to unplug and re-plug the PDB in another container, even if the PDB doesn't have any encrypted objects.
Step2> Export the Wallet Key from Source PDB
CDB011> alter session set container=PDB02;
Session altered.
CDB011> administer key management export encryption keys with secret "xxxxxxx" TO '/u01/app/oracle/pdb02key.exp' identified by xxxxxxx;
keystore altered.
Step3> Close the Source PDB on all Instances 
CDB011> alter pluggable database PDB02 close immediate instances=('CDB011','CDB012');
Pluggable database altered.
Step4> Unplug PDB database
CDB011> alter pluggable database PDB02 unplug into '/u01/app/oracle/TMP_PDB02.xml';
Pluggable database altered.
Step5> Drop Source PDB database (Keep the datafiles)
CDB011> drop pluggable database PDB02 keep datafiles;
Pluggable database dropped.
Step6> Check Source PDB database Status
CDB011> select pdb_name, status from cdb_pdbs where pdb_name in ('PDB02');
no rows selected

How to Plug an Unplugged PDB (Having Encrypted Objects, TDE Enabled) into the Same or a Different Container

Step1> Prepare the Target Container
This step can be done well in advance to minimize downtime.
a) The target container should have the same options installed as the source.
b) Important database parameters (e.g. NLS_CHARACTERSET, DB_BLOCK_SIZE) should be the same as on the source.
c) A wallet must be created and open in the root container. Read here: How to Configure Wallet
Step2> Verify the Wallet/Keystore Status in Target Root Container
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> set linesize 200
SQL>col WALLET_DIR for a32
SQL>col status for a21
SQL>select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- ------------------------------------------------------------
OPEN                  +DATAC4/CDB02/wallet/            PASSWORD
1 row selected.
Note:- Wallet must be open in root container
Step3> Plug the PDB database
SQL> show pdbs;
    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
SQL> create pluggable database PDB02 using '/u01/app/oracle/TMP_PDB02.xml' NOCOPY TEMPFILE REUSE;
Pluggable database created.
Step4> Check PDB Status
SQL> select pdb_name, status from cdb_pdbs where pdb_name='PDB02';
PDB_NAME   STATUS
---------- --------------------
PDB02      NEW
1 row selected.
SQL> select open_mode,con_id from v$pdbs where name='PDB02';
OPEN_MODE                          CON_ID
------------------------------ ----------
MOUNTED                                 3
1 row selected.
Step5> Open PDB
SQL> alter pluggable database PDB02 open;
Warning: PDB altered with errors.
Step6> Check PDB Status again
SQL> show pdbs
    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PDB02                          READ WRITE YES
Step7> Check Violations
SQL> col MESSAGE for a50
SQL> col ACTION for a50
SQL> set line 200
SQL> SELECT type, message, action FROM pdb_plug_in_violations WHERE name = 'PDB02';

TYPE            MESSAGE                                            ACTION
--------------- -------------------------------------------------- --------------------------------------------------
ERROR           PDB needs to import keys from source.              Import keys from source.
1 row selected.
Step8> Import Keys
The keys must be imported from the export taken in Step2 while unplugging the PDB.
SQL> alter session set container=PDB02;
Session altered.
SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxx;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxx
*
ERROR at line 1:

ORA-46658: keystore not open in the container

Let's open the keystore and retry.
SQL> alter session set container=PDB02;
Session altered.
CDB021> show con_name
CON_NAME
------------------------------
PDB02
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "xxxxx";
keystore altered.
SQL> set linesize 200
SQL> col WALLET_DIR for a32
SQL> col status for a21
SQL> select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;

STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- ------------------------------------------------------------
OPEN_NO_MASTER_KEY    +DATAC4/CDB02/wallet/            PASSWORD
1 row selected.
SQL> show con_name
CON_NAME
------------------------------
PDB02
SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxx;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxxx
*
ERROR at line 1:

ORA-46631: keystore needs to be backed up

Solution: Import the keys with the WITH BACKUP option
SQL> show con_name
CON_NAME
------------------------------
PDB02

SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxx with backup;

keystore altered.
SQL> set linesize 200
SQL> col WALLET_DIR for a32
SQL> col status for a21
SQL> select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;

STATUS                WALLET_DIR                       WALLET_TYPE
--------------------- -------------------------------- ------------------------------------------------------------
OPEN                  +DATAC4/CDB02/wallet/            PASSWORD

1 row selected.
Step9> Restart the PDB and Check the Status
SQL> alter pluggable database PDB02 close immediate  instances=('CDB021','CDB022');
Pluggable database altered.
SQL> alter pluggable database PDB02 open instances=('CDB021','CDB022');
Pluggable database altered.
SQL> show pdbs;
    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         3 PDB02                          READ WRITE NO



Step10> Check PDB Violations
SQL> SELECT type, message, action FROM pdb_plug_in_violations WHERE name = 'PDB02';
no rows selected
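
The checks from Step6 to Step10 can be combined into one block that reports the next action before you attempt the import, so the ORA-46658 and ORA-46631 failures shown above are anticipated rather than hit. This is an added example, not part of the original post; the variable names are illustrative, and it assumes a single password-based software keystore as in this setup and a privileged session already switched to the plugged-in PDB.

```sql
-- Added example, not from the original post. Run in SQL*Plus on the target CDB
-- after: alter session set container=PDB02;
SET SERVEROUTPUT ON
DECLARE
  v_pdb        VARCHAR2(128) := SYS_CONTEXT('USERENV', 'CON_NAME');
  v_status     VARCHAR2(30);
  v_backed_up  VARCHAR2(9);
  v_keys       PLS_INTEGER;
  v_errors     PLS_INTEGER;
  v_restricted VARCHAR2(3);
BEGIN
  IF v_pdb = 'CDB$ROOT' THEN
    DBMS_OUTPUT.PUT_LINE('Connected to CDB$ROOT: switch to the plugged-in PDB first.');
    RETURN;
  END IF;

  -- Keystore state as this PDB sees it (assumption: one software keystore row).
  BEGIN
    SELECT status, fully_backed_up INTO v_status, v_backed_up
      FROM v$encryption_wallet WHERE ROWNUM = 1;
  EXCEPTION WHEN NO_DATA_FOUND THEN
    v_status := 'NOT_AVAILABLE';
  END;
  -- Master keys visible in this PDB, unresolved plug-in errors, restricted flag.
  SELECT COUNT(*) INTO v_keys FROM v$encryption_keys;
  SELECT COUNT(*) INTO v_errors FROM pdb_plug_in_violations
   WHERE name = v_pdb AND type = 'ERROR' AND status <> 'RESOLVED';
  SELECT MAX(restricted) INTO v_restricted FROM v$pdbs WHERE name = v_pdb;

  DBMS_OUTPUT.PUT_LINE(v_pdb || ': keystore=' || v_status
    || ', fully_backed_up=' || v_backed_up || ', keys=' || v_keys
    || ', unresolved_errors=' || v_errors || ', restricted=' || v_restricted);

  IF v_status = 'CLOSED' THEN
    DBMS_OUTPUT.PUT_LINE('Next: open the keystore in this PDB; an import now fails with ORA-46658.');
  ELSIF v_status = 'OPEN_NO_MASTER_KEY' THEN
    DBMS_OUTPUT.PUT_LINE('Next: import the exported keys and add WITH BACKUP to avoid ORA-46631.');
  ELSIF v_status = 'OPEN' AND v_keys > 0
        AND (v_errors > 0 OR v_restricted = 'YES') THEN
    DBMS_OUTPUT.PUT_LINE('Keys are in place: close and reopen the PDB, then rerun this check.');
  ELSIF v_status = 'OPEN' AND v_keys > 0 THEN
    DBMS_OUTPUT.PUT_LINE('Plug-in complete: keystore open, keys present, no unresolved errors.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Unexpected state: check the keystore in CDB$ROOT before continuing.');
  END IF;
END;
/
```

Once the block reports the plug-in as complete, the export file /u01/app/oracle/pdb02key.exp is no longer needed on the host. It holds the PDB's master keys protected only by the export secret, so restrict its file permissions while it exists and remove it or move it to controlled storage afterwards.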



