FailSafe Clustered Database Won't Start After EFS Encryption Applied To Database Filesystem (Doc ID 2271824.1)

Last updated on AUGUST 23, 2017

Applies to:

Oracle Fail Safe - Version 4.1 to 4.1
Microsoft Windows x64 (64-bit) - Version: 2008 R2

Symptoms

Using Microsoft file system encryption shared filesystem with the databases datafiles on it.
MircoSoft Encrypting Filesystem

I find one FAQ on this
http://www.oracle.com/technetwork/database/windows/faq-100614.html#EFS

Seems it is not widely used with Oracle, but is supported.

Problem description:

FailSafe Clustered database won't start after EFS encryption Applied to database files

When  rebooting the active node OFS moves the database group to the passive node which becomes active.
On node 2 the   database with EFS filesystem for datafiles is not started by OFS.

When moving the group back to node 1, again same issue OFS does not start database. 

Oracle Enterprise 12.1.0.2 with Oracle Fail Safe 4.1.1.3
Installed on a 2 node Windows 2012 R2 X64 MS FailOver cluster

Created database on cluster shared volume and added databae to Oracle Fails Safe without issue
At this point database workis fine until the folder containing the database files is encrypted via EFS
After which Neither the Windows Failover Manager nor the Oracle Fail Safe manager can start the databases

However, the database can be started by starting the Windows service for the database and then launching SQLPlus and starting the database from there.
After someone logging into the server with the Oracle Fail Safe service account the database can be started from the Windows Failover cluster manager and the Oracle Fail Safe Manager until the next server restart.

Note:EFS certificate has been imported into
Oracle home account
Oracle database service
Oracle Fail safe account
Oracle fail Safe Service
Local Computer
(xxx\Personal and xxx\Trusted Root Certification Authorities).

Once the database does start it is clear that only the Oracle Fail Safe Service account seems to touch the database files (shown as Client User)
Which differs from a non-clustered database start where the user starting the database is shown as the client user

Application event log:  

 

Information 2017-04-12 8:42:46 PM OracleMSCSServices 3 Oracle Database Oracle Fail Safe resource MHP2TP72 successfully forced offline.
Warning 2017-04-12 8:42:43 PM OracleMSCSServices 2 Oracle Database Oracle Fail Safe resource MHP2TP72 is being forced offline.
Error 2017-04-12 8:42:43 PM OracleMSCSServices 1 Oracle Database Oracle Fail Safe resource MHP2TP72 failed to start.
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist

System event log: 

Information 2017-04-12 8:42:43 PM Service Control Manager 7036 None The OracleServiceMHP2TP72 service entered the stopped state.
Error 2017-04-12 8:42:43 PM Microsoft-Windows-FailoverClustering 1069 Resource Control Manager "Cluster resource 'MHP2TP72' of type 'Oracle Database' in clustered role 'MHP-ORASVR2-OP1' failed.

Windows Sysinternals Process Monitor (ProcMon) shows this

High Resolution Date & Time: 2017-04-17 10:06:14.4258677 PM
Event Class: File System
Operation: CreateFile
Result: ACCESS DENIED
Path: H:\app\oracle\oradata\MHP2TP72\paramsMHP2TP72.ORA              ifile in question
TID: 11412
Duration: 117.8711789
Desired Access: Generic Read
Disposition: Open
Options: Synchronous IO Non-Alert, Non-Directory File
Attributes: N
ShareMode: Read, Write
AllocationSize: n/a
Impersonating: FORCES\S-MHP-OFSadmin-IIE

Changes

 Using MircoSoft Encrypting Filesystem (EFS) filesystem for datafiles with OFS on MS Cluster.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms