OCI - Create Pluggable Database Creation Failed with ORA-28361 / ORA-959
(Doc ID 2882344.1)
Last updated on JULY 12, 2022
Applies to:
Oracle Cloud Infrastructure - Database Service - Version N/A to N/A [Release 1.0]Information in this document applies to any platform.
Symptoms
By default TDE is enabled in OCI VM DB system. The create pluggable database creation failed with ORA-28361 if common user is created and default quota assigned to USER tablespace.
The steps to replicate the issue.
SQL> create user c##tcuser identified by xxx default tablespace users quota unlimited on users;
User created.
SQL> grant create session to c##tcuser container=all;
Grant succeeded.
SQL> create pluggable database TCPDB admin user pdbuser identified by "xxxxx" storage (maxsize unlimited) default tablespace users datafile size 10m autoextend on;
Pluggable database created.
SQL> alter pluggable database TCPDB open;
Warning: PDB altered with errors.
From the DB alert log file.
TCPDB(4):Force tablespace USERS to be encrypted
TCPDB(4):Master key not set for this container (4). Please ensure that wallet is configured and master key is set.
TCPDB(4):ORA-28361 signalled during: CREATE TABLESPACE "USERS" DATAFILE size 10m autoextend on SEGMENT SPACE MANAGEMENT AUTO...
TCPDB(4):Error while creating default tablespace during post plug operations. These errors need to be fixed man ually
2022-07-10T18:34:09.525894+00:00
TCPDB(4):Errors in file /u01/app/oracle/diag/rdbms/db0622_gru1gr/DB06221/trace/DB06221_ora_25131.trc:
ORA-00604: error occurred at recursive SQL level 1
ORA-28361: master key not yet set
The TDE wallet status in v$encryption_wallet and pdb_plug_in_violations status.
sqlplus " / as sysdba"
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
4 TCPDB READ WRITE YES
SQL>alter session set container=TCPDB;
SQL> select * from v$encryption_wallet;
WRL_TYPE WRL_PARAMETER STATUS WALLET_TYPE WALLET_OR KEYSTORE FULLY_BAC CON_ID
-------------------- ------------------------------ ------------------------------ -------------------- --------- -------- --------- ----------
FILE OPEN_NO_MASTER_KEY AUTOLOGIN SINGLE UNITED UNDEFINED 4
The PDB plugin violation failed with Sync Failure as shown below
select name,cause,message,status,action from pdb_plug_in_violations where name='TCPDB'
NAME CAUSE MESSAGE STATUS ACTION
---------- ------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------- --------- ------------------------------
TCPDB is encrypted tablespace? Tablespace SYSTEM is not encrypted. Oracle Cloud mandates all tablespaces should be encrypted. PENDING Encrypt the tablespace.
TCPDB is encrypted tablespace? Tablespace SYSAUX is not encrypted. Oracle Cloud mandates all tablespaces should be encrypted. PENDING Encrypt the tablespace.
TCPDB Sync Failure Sync PDB failed with ORA-959 during 'create user c##tcuser identified by * default tablespace users quota unlimited on users container = all' PENDING
The TDE key activation failed with ORA-28442 as PDB is RESTRICTED mode.
administer key management set key using tag 'tag' force keystore identified by xxxxx with backup using 'backup_identifier'
*
ERROR at line 1:
ORA-28442: Rekey of the TDE master encryption key is not permitted when the database is in restricted mode.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Cause |
| Solution |
| References |