Converting a TDE-encrypted non-CDB to a PDB

Like a lot of people, we are preparing the upgrade to the next long-term support version, 19c.
At my customer, we mainly have 12.1 non-multitenant and 12.2 multitenant databases.

Some of them have Database Vault and TDE. 

After a successful upgrade to 19c (19.5, 19.6 and 19.8) using the fantastic AutoUpgrade tool, I need to convert them to multitenant.

I tried different ways to do this:

  • DBMS_PDB.DESCRIBE and plug in the non-CDB
  • remote creation of the PDB

Each time we received the following error, or one similar to it:

create pluggable database pdbXXX from non$cdb@XXX.acme.com KEYSTORE IDENTIFIED BY "tde_key_fake_password" ; 
create pluggable database pdbXXX from non$cdb@ XXX.acme.com KEYSTORE IDENTIFIED BY "tde_key_fake_password" 

ERROR at line 1: 
ORA-01078: failure in processing system parameters 
LRM-00111: no closing quote for value 'KEYSTORE_C' 


The common line in all the errors we received was KEYSTORE_C.


After opening an SR, it was clear we had hit a bug:

Bug 31310564 - CLONE TDE-ENABLED NON-CDB TO PDB FAILS WITH ORA-01078

Unfortunately no patch exists yet and support was quite unresponsive. After talking to Mike Dietrich, it appears to be related to the new way of configuring TDE.

In 19c, instead of using those dreadful sqlnet.ora entries to indicate the location of the TDE wallet, you can use another way.

Prior to 19c you do this in the following way:


ssl_client_authentication = false
encryption_wallet_location =
  (source =
    (method = file)
    (method_data =
      (directory = /zfs/encwallet/<DB_UNIQUE_NAME>)
    )
  )



This sometimes leads to issues if you have multiple sqlnet.ora parameters.


So in 19c you can now set:


wallet_root=<directory_where_wallet>

tde_configuration='KEYSTORE_CONFIGURATION=FILE'


That is where the issue lies: when trying to take over the parameters from the source PDB, it fails on TDE_CONFIGURATION.


As a workaround I configured the TDE wallets again the old-fashioned way, and that made the creation possible. Make sure you check v$encryption_wallet to see if the wallet is open.
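
A pre-flight check along the lines of the advice above, as an added example that is not part of the original post. It assumes a 19c database and a SQL*Plus session with access to the V$ views; the expectation that both parameters are unset once the sqlnet.ora method is back in use is an assumption, not something the post states.

```sql
-- Added example: run before CREATE PLUGGABLE DATABASE ... FROM non$cdb@<dblink>.

-- 1. Which keystore configuration style is active?
--    Assumption: with the sqlnet.ora workaround in place, both parameters
--    are unset (VALUE is NULL and ISDEFAULT is TRUE).
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('wallet_root', 'tde_configuration');

-- 2. Where does the instance find the keystore, and is it open?
--    WRL_PARAMETER shows the directory in use; STATUS should be OPEN.
SELECT wrl_type, wrl_parameter, status, wallet_type, con_id
FROM   v$encryption_wallet;

-- 3. Which tablespaces are encrypted? These are the ones that depend on
--    the keystore named in the KEYSTORE IDENTIFIED BY clause.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e
       ON  e.ts#    = t.ts#
       AND e.con_id = t.con_id;
```

A STATUS other than OPEN in the second query means the keystore has to be opened before the clone is attempted.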


create pluggable database pdbXXX from non$cdb@XXX.acme.com KEYSTORE IDENTIFIED BY "tde_key_fake_password" ;

Pluggable database created.


Elapsed 00:02:01.04


Note: I tested this on 19.8; I will also test it on 19.5, the version we currently have installed.


UPDATE 1: Tested in 19.5 and there I get another error and a core dump, so 19.8 is the version you want to be on.

UPDATE 2: Got the following reply in my SR:

"Unfortunately it will be Fixed Ver: 21.1, also it's not included in any RU yet"

So basically Oracle creates a new feature that breaks things and then fixes it in a version available in 1 year?

A big thank you to Mike for helping me understand the issue and for the time you took to go through the SR.



Comments

Anonymous said…
Thank you for this blog post, it helped me with my issue that I was trying to figure out for a few days!
