I have been recently able to make several migration tests from On-Premises to Exadata, and during some of my tests I faced a PDB_PLUG_IN_VIOLATIONS with cause been “Wallet Key Needed” when converting a migrated Non-CDB to PDB.
Read more: Migration from Non-CDB to Multitenant : Wallet Key NeededExplanation
This violation comes from the fact that the source Non-CDB database migrated on the Exadata from On-Premises was encrypted. The message is clear, the source wallet needs to be exported and imported in the new PDB after having run noncdb_to_pdb.sql script.
SQL> select name, cause, type, message, status from PDB_PLUG_IN_VIOLATIONS where type = 'ERROR' and status 'RESOLVED'; NAME CAUSE TYPE MESSAGE STATUS -------------------- ---------------------------------------------------------------- --------- ---------------------------------------------------------------------- --------- PDB_NAME Wallet Key Needed ERROR PDB needs to import keys from source. PENDING
Export wallet from the Non-CDB
Connecting to the Non-CDB source database, I can check the wallet configuration.
SQL> select WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ------------------------------------------------------------ -------------------- -------------------- ------------------------------ /var/opt/oracle/dbaas_acfs/DB_NAME/wallet_root/tde/ FILE AUTOLOGIN OPEN
So I tried to export my wallet.
SQL> administer key management 2 export encryption keys with secret "" 3 to '/var/opt/oracle/dbaas_acfs/DB_NAME/DB_NAME_to_PDB_wallet.p12' 4 identified by "************" 5 / administer key management * ERROR at line 1: ORA-28417: password-based keystore is not open
But I faced following error:
ORA-28417: password-based keystore is not open
This is because my wallet is opened in autologin and not as password file.
So let’s close it and open it as password file.
To do so it should be sufficient to run a keystore close before running a keystore open.
SQL> administer key management set keystore close; keystore altered.
I was also trying moving the autologin cwallet.sso file and see how that works.
I first closed my Source Non-CDB database.
SQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down.
Then I renamed the cwallet.sso file.
oracle@ExaCC-cl01n1:/var/opt/oracle/dbaas_acfs/DB_NAME/wallet_root/tde/ [PDB_NAME (CDB$ROOT)] mv cwallet.sso cwallet.sso.no_auto
I started again the database.
SQL> startup ORACLE instance started. Total System Global Area 3.7572E+10 bytes Fixed Size 13653168 bytes Variable Size 4697620480 bytes Database Buffers 3.2749E+10 bytes Redo Buffers 111153152 bytes Database mounted. Database opened.
I checked the wallet type and its status.
SQL> select WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ------------------------------------------------------------ -------------------- -------------------- ------------------------------ /var/opt/oracle/dbaas_acfs/DB_NAME/wallet_root/tde/ FILE UNKNOWN CLOSED
As expected it was closed. I opened it.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "*****************"; keystore altered.
Checked the wallet status again.
SQL> select WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ------------------------------------------------------------ -------------------- -------------------- ------------------------------ /var/opt/oracle/dbaas_acfs/DB_NAME/wallet_root/tde/ FILE PASSWORD OPEN
Now the wallet is opened with password as needed. And I tried to export the wallet again.
SQL> administer key management 2 export encryption keys with secret "" 3 to '/var/opt/oracle/dbaas_acfs/DB_NAME/bak_DB_NAME_to_PDB_wallet.p12' 4 identified by "************" 5 / administer key management * ERROR at line 1: ORA-46644: creation or open of file to store the exported keys failed
I got a new error:
ORA-46644: creation or open of file to store the exported keys failed
This might be due to user permissions to write in the folder. Let’s save it in /tmp.
SQL> administer key management 2 export encryption keys with secret "" 3 to '/tmp/DB_NAME.p12' 4 identified by "************" 5 / keystore altered.
This time it worked.
I shutdown the database again.
SQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down.
Moved the autologin wallet file back.
oracle@ExaCC-cl01n1:/var/opt/oracle/dbaas_acfs/DB_NAME/wallet_root/tde/ [PDB_NAME (CDB$ROOT)] mv cwallet.sso.no_auto cwallet.sso
Started the database again.
SQL> startup ORACLE instance started. Total System Global Area 3.7572E+10 bytes Fixed Size 13653168 bytes Variable Size 4697620480 bytes Database Buffers 3.2749E+10 bytes Redo Buffers 111153152 bytes Database mounted. Database opened.
And checked that my wallet has been automatically opened again.
SQL> select WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ------------------------------------------------------------ -------------------- -------------------- ------------------------------ /var/opt/oracle/dbaas_acfs/DB_NAME/wallet_root/tde/ FILE AUTOLOGIN OPEN
Import the wallet in the PDB
Now we need to import the wallet in the PDB
I connected to the PDB.
SQL> alter session set container=PDB_NAME; Session altered. SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 4 PDB_NAME READ WRITE YES
Check the wallet status.
SQL> select WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ------------------------------------------------------------ -------------------- -------------------- ------------------------------ FILE AUTOLOGIN OPEN_NO_MASTER_KEY
I tried to import the wallet, expected it to fail as the wallet is with a autologin type.
SQL> administer key management 2 import encryption keys with secret "" 3 from '/tmp/DB_NAME.p12' 4 identified by "**************" 5 with backup USING 'pre-import-PDB_NAME' 6 / administer key management * ERROR at line 1: ORA-28417: password-based keystore is not open
So I need to connect to the CDB$ROOT to open the wallet with the password. I checked and could see that the wallet is opened automatically for the CDB$ROOT and all PDB. The CDB$ROOT wallet is shared with the PDB.
SQL> alter session set container=cdb$root; Session altered. SQL> select CON_ID, WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ---------- ------------------------------------------------------------ -------------------- -------------------- ------------------------------ 1 /var/opt/oracle/dbaas_acfs/CDB_NAME/wallet_root/tde/ FILE AUTOLOGIN OPEN 2 FILE AUTOLOGIN OPEN 3 FILE AUTOLOGIN OPEN 4 FILE AUTOLOGIN OPEN_NO_MASTER_KEY
So I closed the wallet, opened it with password and check its status.
SQL> administer key management set keystore close; keystore altered. SQL> administer key management set keystore open identified by "*************"; keystore altered. SQL> select CON_ID, WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ---------- ------------------------------------------------------------ -------------------- -------------------- ------------------------------ 1 /var/opt/oracle/dbaas_acfs/CDB_NAME/wallet_root/tde/ FILE PASSWORD OPEN 2 FILE UNKNOWN CLOSED 3 FILE UNKNOWN CLOSED 4 FILE UNKNOWN CLOSED
I connected to the PDB and tried to import the wallet.
SQL> alter session set container=PDB_NAME; Session altered. SQL> administer key management 2 import encryption keys with secret "" 3 from '/tmp/DB_NAME.p12' 4 identified by "**************" 5 with backup USING 'pre-import-PDB_NAME' 6 / administer key management * ERROR at line 1: ORA-46658: keystore not open in the container
Which was not working as expected as the wallet is closed for the PDB. So I opened it with password.
SQL> administer key management set keystore open identified by "***************"; keystore altered. SQL> select CON_ID, WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ---------- ------------------------------------------------------------ -------------------- -------------------- ------------------------------ 4 FILE PASSWORD OPEN_NO_MASTER_KEY
And could now successfully import it.
SQL> administer key management 2 import encryption keys with secret "" 3 from '/tmp/DB_NAME.p12' 4 identified by "******************" 5 with backup USING 'pre-import-PDB_NAME' 6 / keystore altered.
I checked the wallet status, and all good, it changed from OPEN_NO_MASTER_KEY to OPEN.
SQL> select CON_ID, WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ---------- ------------------------------------------------------------ -------------------- -------------------- ------------------------------ 4 FILE PASSWORD OPEN
I connected to the CDB$ROOT again. I checked the wallet status and could see it is open with password for the CDB$ROOT and new PDB and closed for the others, which might impact them. Not a problem in my case, as all here, is only used for tests for migration.
SQL> alter session set container=cdb$root; Session altered. SQL> select CON_ID, WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ---------- ------------------------------------------------------------ -------------------- -------------------- ------------------------------ 1 /var/opt/oracle/dbaas_acfs/CDB_NAME/wallet_root/tde/ FILE PASSWORD OPEN 2 FILE UNKNOWN CLOSED 3 FILE UNKNOWN CLOSED 4 FILE PASSWORD OPEN
I close the wallet.
SQL> administer key management set keystore close identified by "******************"; keystore altered.
And could check that the wallet has been automatically opened again for the CDB$ROOT and all PDB.
SQL> select CON_ID, WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET; CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS ---------- ------------------------------------------------------------ -------------------- -------------------- ------------------------------ 1 /var/opt/oracle/dbaas_acfs/CDB_NAME/wallet_root/tde/ FILE AUTOLOGIN OPEN 2 FILE AUTOLOGIN OPEN 3 FILE AUTOLOGIN OPEN 4 FILE AUTOLOGIN OPEN
I restarted the PDBs and could see that the wallet key needed pdb violations has been resolved.
To wrap up
Converting an encrypted Non-CDB to PDB will require the wallet, containing the master key needed to encrypt/decrypt, to be exported from the source database and imported to the new PDB.
Last but not least, for me it was a lab, so no risk, but it is important to mention than we need to work carefully with the wallet and have good backup because loosing a wallet can be dramatical and can result in no way to access your data any more. Pay attention.