Migration of File based TDE to OKV for Exadata Database Service on Cloud at Customer Gen2
(Doc ID 2823650.1)
Last updated on APRIL 17, 2023
Applies to:
Oracle Key Vault - Version 21.1.0.0 and laterOracle Database - Enterprise Edition - Version 12.1.0.2 and later
Gen 2 Exadata Cloud at Customer - Version All Versions and later
Linux x86-64
Goal
The purpose of this document is to provide step-by-step instructions on how to migrate Exadata Database Service on Cloud at Customer (ExaDB-C@C) Gen2 File based TDE to Oracle Key Vault (OKV) for RDBMS versions 12.1, 18c and 19c databases.
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Solution |
| Migrate File based TDE to OKV for Exadata Database Service on Cloud at Customer Gen2 |
| Overview |
| OKV UI Console Configuration Steps |
| Step 1.1 - Create Endpoints in the OKV Console |
| Step 1.2 - Create Wallet in the OKV Console |
| Step 1.3 - Set Wallet as default Wallet for each ExaDB-C@C RAC database instance Endpoint |
| Step 1.4 - Enroll each Endpoint |
| ExaDB-C@C Database Configuration Steps |
| Step 2.1 - Copy OKV Client software on each Endpoint (database node) |
| Step 2.2 - Create Wallet Root on each DB Node (Needs to be local – cannot be shared) |
| Step 2.3 - Install OKV endpoint software on each DB Node |
| Step 2.4 - Verify connection to OKV |
| Step 2.5 - Upload Current Wallets to OKV (Migration from File to OKV) |
| Step 2.6 - Add OKV PASSWORD to the Keystore to allow AUTOLOGIN into the OKV Keystore (RUN ON ALL NODES) |
| Step 2.7 - Add Secret Key to use external store (RUN ON ALL Nodes – For 18c and 19c ONLY) |
| Step 2.8 - Update Database Initialization Parameters (18c and 19c ONLY) |
| Step 2.9 - Sqlnet.ora and RAC DB Environmental Settings (12.1 ONLY) |
| Step 2.10 - Bounce the database |
| Step 2.11 - Migrate to OKV (rekey the database - Run on one node) |
| Step 2.12 - Queries to verify your OKV environment |
| Step 2.13 - Cloud registration updates (CREG file Changes on all Nodes) |
| Known Issues and Troubleshooting |
| The okvclient.ora soft link issue |
| 12.1 RDBMS wallet key needed for cloned PDB |
| Data Guard with OKV |
| Rotate keys delayed update to v$encrypted_tablespaces view |
| References |