By Mouhamadou Diaw
In an oracle environment with Transparent Data Encryption (TDE) the transfer of PDB may require additional steps.
In this blog we will see some steps which may be required when doing Unplug and Plug of pluggable database
We plan to unplug the pluggable database PDB1 from PROD01 and plug it into CLNE02. Both container have TDE configured
Source : PROD01 with TDE
10:37:38 SQL> show PDB1s
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB1$SEED READ ONLY NO
3 PDB1 READ WRITE NO
10:37:43 SQL>
Target : CLNE02 with TDE
10:37:05 SQL> show PDB1s
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB1$SEED READ ONLY NO
3 POD2 READ WRITE NO
10:37:09 SQL>
Export the encryption key on the source PDB1
On the source container PROD01, we have to export the encryption key while connecting to PDB1.
The option force is needed if AUTO LOGIN is used
SQL> alter session set container=PDB1;
Session altered.
11:24:23 SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "********" TO '/home/oracle/tde/export.p12' FORCE keystore IDENTIFIED BY ********;
keystore altered.
11:24:25 SQL>
Then verify that the key was exported.
11:24:25 SQL> host ls -l /home/oracle/tde/export.p12
-rw-r--r--. 1 oracle oinstall 2612 Feb 28 11:24 /home/oracle/tde/export.p12
11:25:36 SQL>
Unplug PDB1 from PROD01
After exporting the key, we can now unplug PDB1
11:28:08 SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
11:28:17 SQL> alter pluggable database PDB1 close;
Pluggable database altered.
11:28:30 SQL> show PDB1s
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB1$SEED READ ONLY NO
3 PDB1 MOUNTED
5 PDB1CLONE MOUNTED
11:28:36 SQL>
11:28:36 SQL> ALTER PLUGGABLE DATABASE PDB1 UNPLUG INTO '/home/oracle/PDB1.xml';
Pluggable database altered.
11:30:54 SQL>
Plug the database on CLNE02
Now plug PDB1 into CLNE02
SQL> show parameter db_name
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
db_name string CLNE02
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> CREATE PLUGGABLE DATABASE PDB1 USING '/home/oracle/PDB1.xml';
Pluggable database created.
SQL>
At this level we can open PDB1 in CLNE02 with errors, which is normal as we need to import the encryption key
11:37:16 SQL> alter pluggable database PDB1 open;
Warning: PDB1 altered with errors.
11:37:34 SQL>
Import the key into PDB1 on CLNE02
Now let’s import the exported key into PDB1 on CLNE02.
-Open PDB1 in R/W mode if not
13:13:18 SQL> alter pluggable database PDB1 open;
Warning: PDB1 altered with errors.
13:13:35 SQL> show PDB1s
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB1$SEED READ ONLY NO
3 POD2 READ WRITE NO
4 PDB1 READ WRITE YES
-Open the keystore on PDB if not
13:13:46 SQL> alter session set container=PDB1;
13:16:55 SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY ********;
keystore altered.
13:16:59 SQL>
-And then import the key
SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET ******** FROM '/home/oracle/tde/export.p12' IDENTIFIED BY ******** WITH BACKUP;
keystore altered.
-On CLNE02, restart the pluggable database PDB1
SQL> show con_name
CON_NAME
------------------------------
PDB1
13:18:52 SQL> shutdown
Pluggable Database closed.
13:19:00 SQL> startup
Pluggable Database opened.
PDB1 should no longer return any error now when starting in open mode
SQL> conn / as sysdba
Connected.
13:21:56 SQL> alter pluggable database PDB1 close;
Pluggable database altered.
13:22:07 SQL> alter pluggable database PDB1 open;
Pluggable database altered.
13:22:14 SQL> alter pluggable database all save state;
Pluggable database altered.
We can then validate on PDB1 that encrypted objects are accessible.
Conclusion
Hope this blog may help
SORE MAHMOUDOU
25.08.2023Bonsoir Monsieur Mouhamadou Diaw,
j'ai suivi avec attention la personnalisation du fichier de mot de passe dans le SGBD ORACLE.
En effet, j'ai une question car je suis un peu perdu face à : -- Check if the password contains the username
pw_lower := NLS_LOWER(password);
IF instr(pw_lower, NLS_LOWER(username)) > 0 THEN
raise_application_error(-20002, 'Password contains the username');
END IF;
le NLS_LOWER est il un fichier de paramètre que l'on peut éditer également ou voir son contenu?
au plaisir d'apprendre auprès de vous.
Cordialement
Clemens Bleile
17.09.2023Hello,
I actually do not see where the password file is related to the blog, but let me still try to answer your question:
NLS_LOWER is a function similar to the LOWER-function, which makes all characters provided in the argument lower case. But in comparison to the normal lower-function NLS_LOWER can consider specifics of languages. E.g. take the example of the documentation:
SELECT NLS_LOWER('NOKTASINDA', 'NLS_SORT = XTurkish') "Lowercase"
FROM DUAL;
Lowercase
----------
noktasında
The lower case I in this language does not have a dot on the i.
Regards
CLemens