<<Back to DB Administration Main Page
How to Unplug and Plug a PDB Having Encryption (TDE) from One Container to Another
Setup Overview Source Container: CDB01No of PDB's in Source Container 2 (PDB01 and PDB02)
PDB01 using TDE
PDB02 using TDE
Target Container: CDB02
Note: Even if the PDB you are unplugging and re-plugging to another container, don't have any encrypted object but Wallet keys, are treated exactly same as PDB having encrypted objects.
Task: In this post I will unplug the PDB02 from CDB01 and Plug it in CDB002 on the same host without copying the datafile (using NOCOPY Method).
Precheck
1) Perform Full PDB backup of PDB02 database.2) Create PDB description XML file for PDB(PDB02)
SQL> exec dbms_pdb.describe (PDB_DESCR_FILE=>'/u01/app/oracle/PDB02.xml', PDB_NAME=>'PDB02');
3) Verify the status of the PDB.
SQL> select pdb_name, status from cdb_pdbs where pdb_name in ('PDB02');
4) Checking the Compatibility of the PDB with the Target CDB
SQL> BEGIN
IF dbms_pdb.check_plug_compatibility('/u01/app/oracle/PDB02.xml') THEN
dbms_output.put_line('no violations found');
ELSE
dbms_output.put_line('violations found');
END IF;
END;
/
SQL> SELECT type, message, action FROM pdb_plug_in_violations WHERE name = 'PDB02';
At this point resolve if there is any violation found. If not proceed with unplug
How to Unplug a PDB Having Encrypted Objects from CDB to Plug into Another CDB
Step1> Check if wallet keys are available in Source PDBSQL>col creator for a5
SQL>col key_use for a10
SQL>col keystore_type for a25
SQL>col origin for a10
SQL>col creator_pdbname for a15
SQL>col activating_pdbname for a15
select con_id,substr(key_id,1,6)||'...' "KEY_ID...",creator,key_use,keystore_type,origin,creator_pdbname,activating_pdbname from v$encryption_keys;
CON_ID KEY_ID... CREAT KEY_USE KEYSTORE_TYPE ORIGIN CREATOR_PDBNAME ACTIVATING_PDBN
---------- ------------- ----- ---------- ------------------------- ---------- --------------- ---------------
0 AdiYqO... SYS TDE IN PDB SOFTWARE KEYSTORE LOCAL PDB02 PDB02
1 row selected.
As you can see PDB02 is very well having the wallet keys. Once the PDB is having the wallet keys, you must export/import the wallet as well to be able to unplug and re-plug the PDB in another container, even if the PDB don't have any encrypted object.
Step2> Export the Wallet Key from Source PDB
CDB011> alter session set container=PDB02;
Session altered.
CDB011> administer key management export encryption keys with secret "xxxxxxx" TO '/u01/app/oracle/pdb02key.exp' identified by xxxxxxx;
keystore altered.
CDB011> alter pluggable database PDB02 close immediate instances=('CDB011','CDB012');
Pluggable database altered.
Step4> Unplug PDB database
CDB011> alter pluggable database PDB02 unplug into '/u01/app/oracle/TMP_PDB02.xml';
Pluggable database altered.
Step5> Drop Source PDB database (Keep the datafiles)
CDB011> drop pluggable database PDB02 keep datafiles;
Pluggable database dropped.
Step6> Check Source PDB database Status
CDB011> select pdb_name, status from cdb_pdbs where pdb_name in ('PDB02');
no rows selected
How to Plug an Unplugged PDB (Having Encrypted Objects TDE Enabled )in Same or Different Container
Step1> Prepare the Target Container
The step can be done much in advance to minimize the downtime
a) Target container should have same options installed as source
b) Important database parameter (eg NLS_CHARACTERSET, DB_BLOCK_SIZE etc) should be same as source
c) Wallet must be created should be open in root container ReadHere: How to Configure Wallet
Step2> Verify the Wallet/Keystore Status in Target Root Container
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> set linesize 200
SQL>col WALLET_DIR for a32
SQL>col status for a21
SQL>select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
CON_NAME
------------------------------
CDB$ROOT
SQL> set linesize 200
SQL>col WALLET_DIR for a32
SQL>col status for a21
SQL>select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS WALLET_DIR WALLET_TYPE
--------------------- -------------------------------- ------------------------------------------------------------
OPEN +DATAC4/CDB02/wallet/ PASSWORD
--------------------- -------------------------------- ------------------------------------------------------------
OPEN +DATAC4/CDB02/wallet/ PASSWORD
1 row selected.
Note:- Wallet must be open in root container
Step3> Plug the PDB database
SQL> show pdbs;
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
SQL> create pluggable database PDB02 using '/u01/app/oracle/TMP_PDB02.xml' NOCOPY TEMPFILE REUSE;
Pluggable database created.
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
SQL> create pluggable database PDB02 using '/u01/app/oracle/TMP_PDB02.xml' NOCOPY TEMPFILE REUSE;
Pluggable database created.
Step4>Check PDB Status
SQL> select pdb_name, status from cdb_pdbs where pdb_name='PDB02';
PDB_NAME STATUS
---------- --------------------
PDB02 NEW
1 row selected.
PDB_NAME STATUS
---------- --------------------
PDB02 NEW
1 row selected.
SQL> select open_mode,con_id from v$pdbs where name='PDB02';
OPEN_MODE CON_ID
------------------------------ ----------
MOUNTED 3
1 row selected.
OPEN_MODE CON_ID
------------------------------ ----------
MOUNTED 3
1 row selected.
Step5>Open PDB
SQL> alter pluggable database PDB02 open;
Warning: PDB altered with errors.
Warning: PDB altered with errors.
Step6> Check PDB Status again
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB02 READ WRITE YES
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB02 READ WRITE YES
Step7>Check Violations
SQL> col MESSAGE for a50
SQL> col ACTION for a50
SQL> set line 200
SQL> SELECT type, message, action FROM pdb_plug_in_violations WHERE name = 'PDB02';
TYPE MESSAGE ACTION
--------------- -------------------------------------------------- --------------------------------------------------
ERROR PDB needs to import keys from source. Import keys from source.
1 row selected.
Step8> Import Keys SQL> col ACTION for a50
SQL> set line 200
SQL> SELECT type, message, action FROM pdb_plug_in_violations WHERE name = 'PDB02';
TYPE MESSAGE ACTION
--------------- -------------------------------------------------- --------------------------------------------------
ERROR PDB needs to import keys from source. Import keys from source.
1 row selected.
The Keys must be imported from the export taken in Step2 while unplugging the PDB
SQL> alter session set container=PDB02
Session altered.
SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxx;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxx
*
ERROR at line 1:
ORA-46658: keystore not open in the container
Let's open the KeyStore and RetrySQL> alter session set container=PDB02;
Session altered.
CDB021> show con_name
CON_NAME
------------------------------
PDB02
SLQ> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "xxxxx";
keystore altered.
SQL> set linesize 200
SQL> col WALLET_DIR for a32
SQL> col status for a21
SQL> select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS WALLET_DIR WALLET_TYPE
--------------------- -------------------------------- ------------------------------------------------------------
OPEN_NO_MASTER_KEY +DATAC4/CDB02/wallet/ PASSWORD
1 row selected.
SQL> show con_name
CON_NAME
------------------------------
PDB02
SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxx;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxxxx
*
ERROR at line 1:
ORA-46631: keystore needs to be backed up
Solution: Import the Keys with backup optionSQL> show con_name
CON_NAME
------------------------------
PDB02
SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "xxxxxxx" FROM '/u01/app/oracle/pdb02key.exp' IDENTIFIED BY xxxxxx with backup;
keystore altered.
SQL> set linesize 200
SQL> col WALLET_DIR for a32
SQL> col status for a21
SQL> select STATUS,WRL_PARAMETER WALLET_DIR,WALLET_TYPE from V$ENCRYPTION_WALLET;
STATUS WALLET_DIR WALLET_TYPE
--------------------- -------------------------------- ------------------------------------------------------------
OPEN +DATAC4/CDB02/wallet/ PASSWORD
1 row selected.
Step9> Restart the PDB and Check the Status
SQL> alter pluggable database PDB02 close immediate instances=('CDB021','CDB022');
Pluggable database altered.
SQL> alter pluggable database PDB02 open instances=('CDB021','CDB022');
Pluggable database altered.
SQL> show pdbs;
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
3 PDB02 READ WRITE NO
Step10> Check PDB Violations
SLQ> SELECT type, message, action FROM pdb_plug_in_violations WHERE name = 'PDB02';
no rows selected
Related Posts
How to Unplug and Plug a PDB from One Container to Another
How to configure TDE Using Wallet in pluggable database in 12c
Comments
Post a Comment