Configurando TDE em PDB com PLUG e UNPLUG do database.

Este artigo descreve o processo de configurar uma TDE no CDB e desconectar o PDB1 da instância CDB1 e conectar-se à instância CDB2 na mesma máquina com um novo nome de PDB2.

1 – Configurar TDE na Origem – CDB (cdb1)

A) Criar diretórios

[root@vm1 ~]# mkdir -p /etc/ORACLE/WALLETS/cdb1
 [root@vm1 ~]# mkdir -p /etc/ORACLE/WALLETS/cdb2
 [root@vm1 ~]# chown -R oracle:oinstall /etc/ORACLE
 [root@vm1 ~]# chmod -R 755 /etc/ORACLE

B) Edite o sqlnet.ora para configurar o Wallet

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
   (METHOD=FILE)
    (METHOD_DATA=
     (DIRECTORY=/etc/ORACLE/WALLETS/$ORACLE_SID/)))

C) Configure Database – cdb1

[oracle@vm1 ~]$ . oraenv <<< cdb1
 ORACLE_SID = [db01] ? The Oracle base remains unchanged with value /u01/app/oracle
 [oracle@vm1 ~]$ sqlplus
 SQL*Plus: Release 12.1.0.2.0 Production on Tue Sep 3 20:58:03 2019
 Copyright (c) 1982, 2014, Oracle.  All rights reserved.
 Enter user-name: / as sysdba
 Connected to:
 Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
 With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
 SQL>
 SQL>
 SQL>
 SQL> show pdbs
 CON_ID CON_NAME                       OPEN MODE  RESTRICTED
 
      2 PDB$SEED                       READ ONLY  NO      3 PDB1                           READ WRITE NO      4 PDB2                           READ WRITE NO
 SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/cdb1' IDENTIFIED BY oracle;
 keystore altered.
 SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle container=all;
 keystore altered.
 SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle  WITH BACKUP USING 'emp_key_backup'
 keystore altered.
 SQL> alter session set container=pdb1;
 Session altered.
 SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle  WITH BACKUP USING 'emp_key_backup';
 keystore altered.
 SQL> set linesize 500
 SQL> select * from v$encryption_wallet;
 WRL_TYPE             WRL_PARAMETER                                      STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID
 
 FILE                 /etc/ORACLE/WALLETS/cdb1/                          OPEN                           PASSWORD             SINGLE    NO                 0
 SQL> create tablespace TESTE
   datafile '/u01/app/oracle/oradata/cdb1/pdb1/teste.dbf' size 10m
   encryption using 'AES256'
   default storage (encrypt);
 Tablespace created.

D) Faça o export da key da Origem – PDB(pdb1)

SQL>ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "oracle" TO '/home/oracle/export.p12' IDENTIFIED BY oracle;
 keystore altered.
 SQL> !
 [oracle@vm1 ~]$ ls -ltr export.p12
 -rw-r--r--. 1 oracle oinstall    2612 Sep  3 21:08 export.p12
 [oracle@vm1 ~]$ exit

E) Unplug e DROP PDB(pdb1)

SQL> alter pluggable database close immediate;
 Pluggable database altered.
 SQL> conn / as sysdba
 Connected.
 SQL> alter pluggable database pdb1 unplug into '/home/oracle/pdb1.xml';
 Pluggable database altered.
 SQL> drop pluggable database pdb1 keep datafiles;
 Pluggable database dropped.
 SQL> exit
 Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
 With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

2 – Configure o TDE no Destino – CDB(cdb2)

[oracle@vm1 ~]$ . oraenv <<< cdb2
 ORACLE_SID = [cdb1] ? The Oracle base remains unchanged with value /u01/app/oracle
 [oracle@vm1 ~]$ ls /etc/ORACLE/WALLETS/
 cdb1  cdb2
 [oracle@vm1 ~]$ sqlplus
 SQL*Plus: Release 12.1.0.2.0 Production on Tue Sep 3 21:13:12 2019
 Copyright (c) 1982, 2014, Oracle.  All rights reserved.
 Enter user-name: / as sysdba
 Connected to an idle instance.
 SQL> startup
 ORACLE instance started.
 Total System Global Area 1241513984 bytes
 Fixed Size                  2923872 bytes
 Variable Size             452985504 bytes
 Database Buffers          771751936 bytes
 Redo Buffers               13852672 bytes
 Database mounted.
 Database opened.
 SQL> show pdbs
 CON_ID CON_NAME                       OPEN MODE  RESTRICTED
 
      2 PDB$SEED                       READ ONLY  NO      3 PDB1                           MOUNTED
 SQL>
 SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/cdb2' IDENTIFIED BY oracle;
 keystore altered.
 SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle;
 keystore altered.
 SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY oracle WITH BACKUP USING 'emp_key_backup';
 keystore altered.
 SQL>
 SQL>

F) PLUG PDB(pdb2) usando Unplugged pdb1

SQL> create pluggable database pdb2 as clone using '/home/oracle/pdb1.xml'
   2  file_name_convert=('/u01/app/oracle/oradata/cdb1/pdb1/','/u01/app/oracle/oradata/cdb2/pdb2/');
 Pluggable database created.
 SQL> alter pluggable database pdb2 open;
 Warning: PDB altered with errors.

G) Importe a key da Origem PDB(pdb1) no Destino PDB(pdb2)

SQL> alter session set container=pdb2;
 Session altered.
 SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle;
 keystore altered.
 SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "oracle" FROM '/home/oracle/export.p12' IDENTIFIED BY oracle WITH BACKUP;
 keystore altered.
 SQL> shut immediate;
 Pluggable Database closed.
 SQL> startup
 Pluggable Database opened.

H) Valide o PDB se está totalmente integrado com CDB2

SQL> conn / as sysdba
 Connected.
 SQL> select message,status from pdb_plug_in_violations where status <> 'RESOLVED';
 SQL> /
 no rows selected
 SQL> show pdbs
 CON_ID CON_NAME                       OPEN MODE  RESTRICTED
 
      2 PDB$SEED                       READ ONLY  NO      3 PDB1                           MOUNTED      4 PDB2                           READ WRITE NO
 SQL>

Espero ter ajudado !!!

Até a próxima

Este artigo foi escrito por André Ontalba e Rodrigo Mufalani

Disclaimer: “The postings on this site are my own and don’t necessarily represent may actual employer positions, strategies or opinions. The information here was edited  to be useful for general purpose, specific data and identifications was removed to allow reach generic audience and to be useful.”