My Oracle Support Banner

Migration of File based TDE to OKV for ExaDB-D Using Automation via REST (Doc ID 2924192.1)

Last updated on JULY 12, 2024

Applies to:

Oracle Cloud Infrastructure - Exadata Cloud Service - Version N/A to N/A [Release N/A]
Oracle Key Vault - Version 21.3.0.0 to 21.5.0.0
Oracle Database - Enterprise Edition - Version 12.1.0.2 to 19.17.0.0.0 [Release 12.1 to 19]
Linux x86-64

Goal

The purpose of this doc is to provide step-by-step instructions on how to migrate File based TDE to Oracle Key Vault (OKV) using REST for RDBMS versions 12.1 and 19c databases that exist in the Exadata Database Service on Dedicated Infrastructure (ExaDB-D). The steps will include the VCN (Virtual Cloud Network) creation, provisioning the Exadata Infrastructure, virtual cluster, and the Oracle Key Vault instance using Oracle Key Vault Services in OCI. For Oracle Key Vault setup, automation scripts using REST were used to install the Oracle Key Vault RESTFul Service Utility, create the default wallet and endpoints, and download and install the Oracle Key Vault endpoint client software. The automation scripts can be changed to suit customer standards.

 

CDB/PDB isolated keystore mode is not supported on BaseDB, ExaDB-D, and ExaDB-C@C cloud services.

 

Summary of software versions used in this documentation:

    • dbaastools -  dbaastools_exa-1.0-1+22.4.1.0.1_221121.1117.x86_64
    • RDBMS – 12.1.0.2.221018, 19.16.0.0,19.17.0.0
    • Oracle Key Vault (OKV): 21.4, 21.5
    • OS: Oracle Linux Server 7.9
    • Imageinfo: 21.2.11.0.0.220622, 22.1.4.0.0.221020


Conventions:
    • Hostnames, key id’s, passwords and database names used in this documentation are fictitious
    • Examples are based on a two node cluster
    • Unless specified, commands and queries can be used for all RDBMS versions discussed in this documentation

Assumptions:

    • The documentation assumes the Endpoint Adminstrator has access to create endpoints and wallets on the Oracle Key Vault Server.
    • The automation scripts assumes the Oracle Key Vault cluster is a multi-node cluster. Automation scripts are attached to the MOS Note
    • The EXADB-D Infrastructure and EXADB-D VM's have been provisioned
    • The documentation assumes UNITED mode for PDB keystore is used; CDB/PDB isolated keystore mode is not supported on BaseDB, ExaDB-D, and ExaDB-C@C cloud services.

Software Requirements:
    • dbaastools – DBAAS_21.3.1.1.0_LINUX.X64_211012.0110 and up
    • dbcs-agent - 21.3.1.1.0_LINUX.X64_211012.0110 and up (Please contact Oracle Support if dbcs-agent update is required)
    • RDBMS –  For 19c - 19.6 and up


For more information on the Oracle Key Vault, please visit the following link:

https://docs.oracle.com/en/database/oracle/key-vault/

 

Data Guard testing was completed for ExaDB-D to ExaDB-D Only. Hybrid Data Guard setup between ExaDB-C@C to ExaDB-D has not been completed.

 

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Goal
Solution
 Step 1) INGRESS/EGRESS RULES FOR SUBNETS in VIRTUAL CLOUD NETWORK (VCN):
 Step 2) BASTION SETUP:
 Step 3) OKV SERVICE PROVISIONING:
 Step 4) RUN AUTOMATION SCRIPT - FIRST RUN (okv_lead.sh ONLY):
 Step 5) RUN AUTOMATION SCRIPT - SECOND RUN (OKV_LEAD.SH):
 Step 6) RUN DEPLOYMENT SCRIPT:
 Step 7) COPY CURRENT TDE WALLETS TO $OKV_HOME/TDE (ALL NODES):
 Step 8) UPLOAD WALLET (ONE NODE ONLY):
 Step 9) ADD SECRETS:
 Step 10) DATABASE INITIALIZATION PARAMETERS (19C and up):
 Step 11) FOR 12.1, UPDATE SQLNET.ORA (ALL NODES)  AND RAC ENVIRONMENT VARIABLES (ONE NODE ONLY):
 Step 12) MIGRATE KEYS (ONE NODE ONLY):
 Step 13) VERIFY WALLET STATUS:
 Step 14) UPDATE CREG (ALL NODES):
References

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.