{"id":10786,"date":"2018-01-20T22:16:45","date_gmt":"2018-01-20T21:16:45","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/"},"modified":"2018-01-20T22:16:45","modified_gmt":"2018-01-20T21:16:45","slug":"unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/","title":{"rendered":"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported)"},"content":{"rendered":"

By Franck Pachot<\/h2>\n

.
\nIn the Oracle Database Cloud DBaaS you provision a multitenant database where tablespaces are encrypted. This means that when you unplug\/plug the pluggable databases, you also need to export \/import the encryption keys. You cannot just copy the wallet because the wallet contains all CDB keys. Usually, you can be guided by the error messages, but this one needs a little explanation and an example.
\n
\nHere I’ll unplug PDB6 from CDB1 and plug it into CDB2<\/p>\n

[oracle@VM122 blogs]$ connect \/@CDB1 as sysdba\nSQLcl: Release 17.4.0 Production on Fri Jan 19 22:22:44 2018\nCopyright (c) 1982, 2018, Oracle.  All rights reserved.\nConnected to:\nOracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production\n \n22:22:46 SQL> show pdbs\n \n  CON_ID CON_NAME   OPEN MODE    RESTRICTED\n  ------ ---------- ------------ ---------- \n       2 PDB$SEED   READ ONLY    NO\n       3 PDB1       READ WRITE   NO\n       5 PDB6       READ WRITE   NO<\/code><\/pre>\n
Here are the master keys:<\/p>\n
\nSQL> select con_id,tag,substr(key_id,1,6)||'...' \"KEY_ID...\",creator,key_use,keystore_type,origin,creator_pdbname,activating_pdbname from v$encryption_keys;\n \n  CON_ID TAG    KEY_ID...   CREATOR   KEY_USE      KEYSTORE_TYPE       ORIGIN   CREATOR_PDBNAME   ACTIVATING_PDBNAME\n  ------ ---    ---------   -------   -------      -------------       ------   ---------------   ------------------\n       1 cdb1   AcyH+Z...   SYS       TDE IN PDB   SOFTWARE KEYSTORE   LOCAL    CDB$ROOT          CDB$ROOT\n       3 pdb6   Adnhnu...   SYS       TDE IN PDB   SOFTWARE KEYSTORE   LOCAL    PDB6              PDB6\n<\/code><\/pre>\n
Export keys and Unplug PDB<\/h3>\n
Let’s try to unplug PDB6:<\/p>\n
22:22:51 SQL> alter pluggable database PDB6 close immediate;\nPluggable database PDB6 altered.\n \n22:23:06 SQL> alter pluggable database PDB6 unplug into '\/var\/tmp\/PDB6.xml';\n \nError starting at line : 1 in command -\nalter pluggable database PDB6 unplug into '\/var\/tmp\/PDB6.xml'\nError report -\nORA-46680: master keys of the container database must be exported\n<\/code><\/pre>\n
This message is not clear. You don’t export the container database (CDB) key. You have to export the PDB ones.<\/p>\n
Then, I have to open the PDB, switch to it, and export the key:<\/p>\n
\nSQL> alter session set container=PDB6;\nSession altered.\n \nSQL> administer key management set keystore open identified by \"k3yCDB1\";\nKey MANAGEMENT succeeded.\n \nSQL> administer key management\n  2   export encryption keys with secret \"this is my secret password for the export\"\n  3   to '\/var\/tmp\/PDB6.p12'\n  4   identified by \"k3yCDB1\"\n  5  \/\n \nKey MANAGEMENT succeeded.\n<\/code><\/pre>\n
Note that I opened the keystore with a password. If you use an autologin wallet, you have to close it, in the CDB$ROOT, and open it with password.<\/p>\n
Now I can unplug the database:<\/p>\n
\nSQL> alter pluggable database PDB6 close immediate;\nPluggable database PDB6 altered.\n \nSQL> alter pluggable database PDB6 unplug into '\/var\/tmp\/PDB6.xml';\nPluggable database PDB6 altered.\n<\/code><\/pre>\n
Plug PDB and Import keys<\/h3>\n
I’ll plug it in CDB2:<\/p>\n
\nSQL> connect \/@CDB2 as sysdba\nConnected.\nSQL> create pluggable database PDB6 using '\/var\/tmp\/PDB6.xml' file_name_convert=('\/CDB1\/PDB6\/','\/CDB2\/PDB6\/');\nPluggable database PDB6 created.\n<\/code><\/pre>\n
When I open it, I get a warning:<\/p>\n
\n18:05:45 SQL> alter pluggable database PDB6 open;\nORA-24344: success with compilation error\n24344. 00000 -  \"success with compilation error\"\n*Cause:    A sql\/plsql compilation error occurred.\n*Action:   Return OCI_SUCCESS_WITH_INFO along with the error code\n \nPluggable database PDB6 altered.\n<\/code><\/pre>\n
The PDB is opened in restricted mode and then I have to import the wallet:<\/p>\n
\nSQL> show pdbs\n \n  CON_ID CON_NAME   OPEN MODE    RESTRICTED\n  ------ --------   ---- ----    ----------\n       2 PDB$SEED   READ ONLY    NO\n       6 PDB6       READ WRITE   YES\n \nSQL> select name,cause,type,status,message,action from pdb_plug_in_violations;\n \nNAME   CAUSE                   TYPE      STATUS     MESSAGE                                 ACTION\n----   -----                   ----      ------     -------                                 ------\nPDB6   Wallet Key Needed       ERROR     PENDING    PDB needs to import keys from source.   Import keys from source.\n<\/code><\/pre>\n
Then I open the destination CDB wallet and import the PDB keys into it:<\/p>\n
\nSQL> alter session set container=PDB6;\nSession altered.\n \nSQL> administer key management set keystore open identified by \"k3yCDB2\";\nKey MANAGEMENT succeeded.\n \nSQL> administer key management\n  2   import encryption keys with secret \"this is my secret password for the export\"\n  3   from '\/var\/tmp\/PDB6.p12'\n  4   identified by \"k3yCDB2\"\n  5   with backup\n  6  \/\n \nKey MANAGEMENT succeeded.\n<\/code><\/pre>\n
Now the PDB can be opened for all sessions<\/p>\n
\nSQL> alter session set container=CDB$ROOT;\nSession altered.\n \nSQL> alter pluggable database PDB6 close;\nPluggable database PDB6 altered.\n \nSQL> alter pluggable database PDB6 open;\nPluggable database PDB6 altered.\n<\/code><\/pre>\n
Here is a confirmation that the PDB has the same key as the in the origin CDB:<\/p>\n
\nSQL> select con_id,tag,substr(key_id,1,6)||'...' \"KEY_ID...\",creator,key_use,keystore_type,origin,creator_pdbname,activating_pdbname from v$encryption_keys;\n \n  CON_ID TAG    KEY_ID...   CREATOR   KEY_USE      KEYSTORE_TYPE       ORIGIN   CREATOR_PDBNAME   ACTIVATING_PDBNAME\n  ------ ---    ---------   -------   -------      -------------       ------   ---------------   ------------------\n       1 cdb2   AdTdo9...   SYS       TDE IN PDB   SOFTWARE KEYSTORE   LOCAL    CDB$ROOT          CDB$ROOT\n       4 pdb1   Adnhnu...   SYS       TDE IN PDB   SOFTWARE KEYSTORE   LOCAL    PDB6              PDB6\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
By Franck Pachot . In the Oracle Database Cloud DBaaS you provision a multitenant database where tablespaces are encrypted. This means that when you unplug\/plug the pluggable databases, you also need to export \/import the encryption keys. You cannot just copy the wallet because the wallet contains all CDB keys. Usually, you can be guided […]<\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59],"tags":[220,64,96,209,66,223,448],"type_dbi":[],"class_list":["post-10786","post","type-post","status-publish","format-standard","hentry","category-oracle","tag-cdb","tag-multitenant","tag-oracle","tag-oracle-12c","tag-pdb","tag-pluggable-databases","tag-tde"],"acf":[],"yoast_head":"\nUnplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported) - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported)\" \/>\n<meta property=\"og:description\" content=\"By Franck Pachot . In the Oracle Database Cloud DBaaS you provision a multitenant database where tablespaces are encrypted. This means that when you unplug\/plug the pluggable databases, you also need to export \/import the encryption keys. You cannot just copy the wallet because the wallet contains all CDB keys. Usually, you can be guided […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-01-20T21:16:45+00:00\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported)\",\"datePublished\":\"2018-01-20T21:16:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/\"},\"wordCount\":255,\"commentCount\":0,\"keywords\":[\"CDB\",\"multitenant\",\"Oracle\",\"Oracle 12c\",\"PDB\",\"Pluggable Databases\",\"TDE\"],\"articleSection\":[\"Oracle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/\",\"name\":\"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported) - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2018-01-20T21:16:45+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported) - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/","og_locale":"en_US","og_type":"article","og_title":"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported)","og_description":"By Franck Pachot . In the Oracle Database Cloud DBaaS you provision a multitenant database where tablespaces are encrypted. This means that when you unplug\/plug the pluggable databases, you also need to export \/import the encryption keys. You cannot just copy the wallet because the wallet contains all CDB keys. Usually, you can be guided […]","og_url":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/","og_site_name":"dbi Blog","article_published_time":"2018-01-20T21:16:45+00:00","author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported)","datePublished":"2018-01-20T21:16:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/"},"wordCount":255,"commentCount":0,"keywords":["CDB","multitenant","Oracle","Oracle 12c","PDB","Pluggable Databases","TDE"],"articleSection":["Oracle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/","url":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/","name":"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported) - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2018-01-20T21:16:45+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/unplug-an-encrypted-pdb-ora-46680-master-keys-of-the-container-database-must-be-exported\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Unplug an Encrypted PDB (ORA-46680: master keys of the container database must be exported)"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=10786"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10786\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=10786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=10786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=10786"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=10786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}