By Mouhamadou Diaw

In an oracle environment with Transparent Data Encryption (TDE) the transfer of PDB may require additional steps.

In this blog we will see some steps which may be required when doing Unplug and Plug  of pluggable database

We plan to unplug the pluggable database PDB1 from PROD01 and plug it into CLNE02. Both container have TDE configured

Source : PROD01  with TDE

10:37:38 SQL> show PDB1s

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB1$SEED                       READ ONLY  NO
         3 PDB1                            READ WRITE NO
10:37:43 SQL>

Target : CLNE02 with TDE

10:37:05 SQL> show PDB1s

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB1$SEED                       READ ONLY  NO
	 3 POD2                           READ WRITE NO
10:37:09 SQL>

Export the encryption key on the source PDB1

On the source container PROD01, we have to export the encryption key while connecting to PDB1.

The option force is needed if AUTO LOGIN is used

SQL> alter session set container=PDB1;

Session altered.


11:24:23 SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "********" TO '/home/oracle/tde/export.p12' FORCE keystore IDENTIFIED BY ********;

keystore altered.

11:24:25 SQL>

Then verify that the key was exported.

11:24:25 SQL> host ls -l /home/oracle/tde/export.p12
-rw-r--r--. 1 oracle oinstall 2612 Feb 28 11:24 /home/oracle/tde/export.p12

11:25:36 SQL>

Unplug PDB1 from PROD01

After exporting the key, we can now unplug  PDB1

11:28:08 SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

11:28:17 SQL> alter pluggable database PDB1 close;

Pluggable database altered.

11:28:30 SQL> show PDB1s

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB1$SEED                       READ ONLY  NO
         3 PDB1                           MOUNTED
         5 PDB1CLONE                      MOUNTED
11:28:36 SQL>


11:28:36 SQL> ALTER PLUGGABLE DATABASE PDB1 UNPLUG INTO '/home/oracle/PDB1.xml';

Pluggable database altered.

11:30:54 SQL>

Plug the database on CLNE02 

Now plug  PDB1 into CLNE02 

SQL> show parameter db_name

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_name                              string      CLNE02
SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

SQL> CREATE PLUGGABLE DATABASE PDB1 USING '/home/oracle/PDB1.xml';

Pluggable database created.

SQL>

At this level we can open PDB1 in CLNE02 with errors, which is normal as we need to import the encryption key

11:37:16 SQL> alter pluggable database PDB1 open;

Warning: PDB1 altered with errors.       
11:37:34 SQL>

Import the key into PDB1 on CLNE02

Now let’s import the exported key into PDB1 on CLNE02.

-Open PDB1 in R/W mode if not

13:13:18 SQL> alter pluggable database PDB1 open;

Warning: PDB1 altered with errors.

13:13:35 SQL> show PDB1s

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB1$SEED                       READ ONLY  NO
         3 POD2                           READ WRITE NO
         4 PDB1                           READ WRITE YES

-Open the keystore on PDB if not

13:13:46 SQL> alter session set container=PDB1;


13:16:55 SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY ********;

keystore altered.

13:16:59 SQL>

-And then import the key

SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET ******** FROM '/home/oracle/tde/export.p12' IDENTIFIED BY ******** WITH BACKUP;


keystore altered.

-On CLNE02, restart the pluggable database PDB1

SQL> show con_name

CON_NAME
------------------------------
PDB1

13:18:52 SQL> shutdown
Pluggable Database closed.

13:19:00 SQL> startup
Pluggable Database opened.

PDB1 should no longer return any error now when starting in open mode

SQL> conn / as sysdba
Connected.
13:21:56 SQL> alter pluggable database PDB1 close;

Pluggable database altered.

13:22:07 SQL> alter pluggable database PDB1 open;

Pluggable database altered.

13:22:14 SQL> alter pluggable database all save state;

Pluggable database altered.

We can then validate on PDB1 that encrypted objects are accessible.

Conclusion

Hope this blog may help