New functionality superseeds the functionality mentioned in this blog post. Please use the method described in Upgrading an Encrypted Non-CDB and Converting To PDB.
Using AutoUpgrade, you can upgrade your encrypted Oracle Database and convert to a pluggable database. The process is not entirely automated, so you must handle the TDE encryption key manually.
A new parameter called skip_tde_key_import is introduced. Here is what the documentation says:
(Optional) The default is NO. You can use this option for non-CDB-to-PDB and unplug/plug operations. When set to YES, the upgrade is run, but import of the source database KeyStore into the target database is skipped, without raising an error. AutoUpgrade will leave the PDB open in upgrade mode, so that you can import the keys manually yourself. After you import the keys, you must then restart the database in normal mode.
In other words, AutoUpgrade does everything except import of the TDE encryption key.
How To
This is what happens:
AutoUpgrade handles the green things – you handle the yellow thing. My environment:
- Non-CDB called FTEX running on Oracle Database 11.2.0.4
- FTEX is encrypted with TDE and has an auto-login keystore
- CDB called CDB2 running on Oracle Database 19c
- CDB2 is prepared for TDE and has a keystore defined
First, I ensure that AutoUpgrade is version 21.2 or newer:
java -jar autoupgrade.jar -version
I create a config file for AutoUpgrade. Notice, that I have specified that the database is plugged into CDB2 using the parameter target_cdb. Also, notice that I have specified the new parameter skip_tde_key_import and set it to YES:
upg1.source_home=/u01/app/oracle/product/11.2.0.4
upg1.target_home=/u01/app/oracle/product/19
upg1.sid=FTEX
upg1.target_cdb=CDB2
upg1.skip_tde_key_import=YES
Then, I analyze my database (FTEX) for any issues:
java -jar autoupgrade.jar -config FTEX.cfg -mode analyze
No issues are detected, so I proceed with the upgrade:
java -jar autoupgrade.jar -config FTEX.cfg -mode deploy
After the upgrade and conversion to PDB, I log on to CDB2. I want to check the outcome. Has FTEX been upgraded and converted?
SQL> select name, open_mode, restricted from v$pdbs
NAME OPEN_MODE RESTRICTED
PDB$SEED READ ONLY NO
FTEX READ WRITE YES
Open – but restricted. I check for plug-in violations:
SQL> select cause, type, message, status, action
from pdb_plug_in_violations
where name = 'FTEX' AND status not in ('RESOLVED')
CAUSE TYPE MESSAGE STATUS ACTION
Wallet Key Needed ERROR PDB needs to import keys from source. PENDING Import keys from source.
OK. This is expected. AutoUpgrade does not handle the TDE encryption key. See the yellow part of the arrow above. You have to do that.
I start by merging the two keystores – the keystore of the old non-CDB database (FTEX) and the keystore of the CDB (CDB2). I merge the two keystores into the one of CDB2:
CDB$ROOT SQL> administer key management
merge keystore '/u01/app/oracle/admin/FTEX/wallet' identified by "oracle_4U"
into existing keystore '/u01/app/oracle/admin/CDB2/wallet/tde' identified by "oracle_4U"
with backup using 'merge_keystore';
Notice that I have specified the folders of keystores and not the actually file names. I have also specified the keystore password for both the keystores. And, finally, I tell the database to create a backup of the keystore before the merge (as a precaution – and I recommend always doing that).
Now, I switch to the FTEX PDB. I need to configure FTEX to use the TDE encryption key that is merged from the old keystore. Each key in the keystore has a key ID and I tell the PDB to use the right one. I explain later on how to determine the key ID:
CDB$ROOT SQL> alter session set container=FTEX;
FTEX SQL> administer key management
use key 'Ad8l2SYuf0/dv+6Au9tRmAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
force keystore identified by "oracle_4U"
with backup using 'use_key_ftex';
Now, the PDB knows the TDE encryption key and you can actually start to query data from an encrypted tablespace. However, there is still a plug-in violation saying the TDE encryption key has to be imported. The PDB insists that the encryption key is imported – rather than merged into the keystore. So I will export the key from the PDB and import it again:
FTEX SQL> administer key management
export keys with secret "secret-passphrase"
to '/etc/oracle/exported-keys-ftex' force keystore identified by "oracle_4U";
FTEX SQL> administer key management
import keys with secret "secret-passphrase"
from '/etc/oracle/exported-keys-ftex' force keystore identified by "oracle_4U"
with backup using 'import_key_ftex';
FTEX SQL> host rm /etc/oracle/exported-keys-ftex
The encryption key is saved in an encrypted file in the OS. The file is encrypted using a passphrase (secret-passphrase), and you should pick a better one than I did. Finally – and important – I remove the file from the OS when I am done. I don’t want my encryption keys lying around in files all over the OS.
I restart the FTEX PDB:
FTEX SQL> alter pluggable database FTEX close immediate;
FTEX SQL> alter pluggable database FTEX open;
And the PDB is now open in READ WRITE mode and unrestricted
SQL> select name, open_mode, restricted from v$pdbs
NAME OPEN_MODE RESTRICTED
PDB$SEED READ ONLY NO
FTEX READ WRITE NO
I check for plug-in violations:
SQL> select cause, type, message, status, action
from pdb_plug_in_violations
where name = 'FTEX' AND status not in ('RESOLVED')
No rows selected.
Job done! Encrypted database upgraded and converted to a PDB.
Determine Key ID
Use the orapki utility to determine the key ID of the TDE encryption key. Specify the location of the old non-CDB keystore:
orapki wallet display -wallet /u01/app/oracle/admin/FTEX/wallet
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.Ad8l2SYuf0/dv+6Au9tRmAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BUCsXzQga4wfJ8gNSuptAPMCAwAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
The TDE encryption key is starting with ORACLE.SECURITY.DB.ENCRYPTION and doesn’t end on MASTERKEY. In the above example the key ID is Ad8l2SYuf0/dv+6Au9tRmAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.
If your non-CDB is Oracle Database 12c or later you can also get the key ID using a view:
SQL> select key_id from v$encryption_keys where key_use='TDE';
Why Do I Need to Export and Import?
Above you saw that I had to export and import the encryption keys, even after merging the keystores. You might ask: Why is that even needed? Why is the ADMINISTER KEY MANAGEMENT MERGE KEYSTORE command not enough?
That’s a very good question. I have reached out to our security people to get their take on it. It sounds like a bug to me.
The Future
The above solution makes it easier to handle encrypted databases. But we are not satisfied yet. A future version of AutoUpgrade will have even better support for encrypted databases, and everything will be automated.
The biggest issue for us is to find a safe way to handle the TDE keystore password. We need to have a safe way of getting the password from you and storing it in memory until we actually need it.
We are just about to start testing the very first version of AutoUpgrade with proper TDE support. If you are interested in becoming a beta tester, reach out to me to work something out.
Conclusion
Converting encrypted databases to PDB is now possible in AutoUpgrade. AutoUpgrade mainly handles the process, but you have to manage the TDE encryption keys yourself.
New functionality superseeds the functionality mentioned in this blog post. Please use the method described in Upgrading an Encrypted Non-CDB and Converting To PDB.
Databases Are Fun 
Do these steps would work even for a RAC environment?
LikeLike
Hi Balaji,
I haven’t tried it myself, but it should. I don’t see any reason why it wouldn’t work, and it is not mentioned as a restriction.
Regards,
Daniel
LikeLike
Hi Daniel,
We upgraded the RAC database with these steps . Strangely we face the error : ORA-28374: typed master key not found in wallet randomly while connecting to the database. Any advice on same. I have raised a case with Oracle Support too. (SR # 3-27874575201) . Wallet location is still local on both nodes and not ASM yet
We do get this error randomly on both nodes.
SQL> conn dbsnmp/*************@PSTEST
Connected.
SQL> conn dbsnmp/*************@PSTEST
ERROR:
ORA-28374: typed master key not found in wallet
SQL> conn dbsnmp/*************@PSTEST1
Connected.
SQL> conn dbsnmp/*************@PSTEST1
ERROR:
ORA-02002: error while writing to audit trail
ORA-28374: typed master key not found in wallet
Connected.
SQL> conn dbsnmp/*************@PSTEST2
Connected.
SQL> conn dbsnmp/*************@PSTEST2
ERROR:
ORA-28374: typed master key not found in wallet
LikeLike
Hi Balaji,
I have not heard of anything specific with that error and RAC databases. I couldn’t find any good match in our bug database. In addition to the SR you might also try the troubleshooting steps in “Step by Step Troubleshooting Guide for TDE Error ORA-28374 (Doc ID 1541818.1)”.
Also, are you using a recent version of Oracle Database 19c? In the previous Release Updates we have fixed quite many bugs, so if possible, it might be worth trying to reproduce the problem on 19.13.0 or 19.14.0 (when it comes in January).
I am not a TDE expert, so there might be something that I have missed. The above is the only advice I can give – besides working with support on the issue.
Regards,
Daniel
LikeLike
Thanks Daniel for the inputs. We are using 19.11 as per our requirement. Agree the issue is strange; no longer facing issue on Node 1 post Re-key of Master key but still face issue with Node 2 . Still working with Oracle Support.
LikeLike
Thanks for the detailed blog, Daniel. May I know when we can anticipate the version of AutoUpgrade with full TDE support? Happy Holidays!
LikeLike
Hi,
We are just making the final test of a new version of AutoUpgrade that has better support for TDE – for upgrades and plug-ins. The new version allows you to enter the TDE keystore password, so it can be used by AutoUpgrade, and it integrates with Secure External Password Store as well.
If all goes well it should come out in Q1.
Regards,
Daniel
LikeLike
Daniel, I am about a month away from our first 11.2.0.4 (with TDE) to 19.10 PDB migration. Will the new autoupgrade be available soon?
Regards,
Doug
LikeLike
Hi Doug, Per metalink 2485457.1 the release notes for the latest version do mention full TDE support. However, I’m eagerly looking forward to the documentation to be updated. Hi Daniel, a revision to this blog mentioning the full TDE support would be much appreciated 🙂 Thanks in advance.
LikeLike
The new version is a pleasant surprise. I subscribe to that MOS Doc, but had not yet received notification that it had been updated.
Wondering if anyone has seen this issue? As a test, I am trying to migrate a previously upgraded non-CDB database now at 19c to a 19c PDB, both running from same ORACLE_HOME.
In sqlnet.ora, the path to the encryption wallet uses $ORACLE_UNQNAME and it is defined in the autoupgrade config file as noncdb1.env=ORACLE_UNQNAME=AFUT9. There is an init.ora file in $ORACLE_HOME/dbs containing spfile=’+DATAC1/AFUT9/spfileAFUT9.ora’.
Autoupgrade 21.3 does not appear to be able to open the non-CDB database in read-only mode and open the wallet.
2022-03-19 00:10:06.383 INFO SQL*Plus data: ORA-01078: failure in processing system parameters
ORA-01565: error in identifying file ‘+DATAC1/AFUT9/spfileAFUT9.ora’
ORA-17503: ksfdopn:2 Failed to open file +DATAC1/AFUT9/spfileAFUT9.ora
ORA-15056: additional error message
ORA-06512: at line 4
ORA-17503: ksfdopn:2 Failed to open file +DATAC1/AFUT9/spfileafut9.ora
ORA-12578: TNS:wallet open failed
ORA-06512: at “SYS.X$DBMS_DISKGROUP”, line 405
ORA-06512: at line 2
alter database open read only
*
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
Even after autoupgrade has disabled the resource resource ora.afut9.db, it can be manually started in SQL*Plus and the wallet auto-opens. Not sure how autoupgrade has configured the environment to cause this step to fail.
LikeLike
Good news to report. The new autoupgrade 22.1 resolves the above issue wihtout any additional configuration change. Migration of the non-CDB 19c database to a 19c PDB was successful. I had skip_tde_key_import=yes, so now must set up the wallet manually.
Looking forward to some tips on how to leverage the full TDE support included in this release.
LikeLike
Hi Doug,
As Sriram writes there is a new version just released which has much better support for TDE.
Regards,
Daniel
LikeLike
Hi Sriram,
You are right. The new version has almost complete support for TDE. It is only a niche area which are not fully supported. Our documentation has been updated, but we are currently waiting for the entire docs.oracle.com to be refreshed. It hopefully happens soon.
I hope to be able to write an updated blog post about the new TDE functionality very soon.
Stay tuned!
Regards,
Daniel
LikeLike
Hi Doug,
Good to hear that the new version solved your initial problem.
I hope to be able to make a blog post within the next week about the new functionality. The Upgrade Guide has been updated, but we are currently waiting for a refresh of docs.oracle.com. Hopefully, it will happen soon.
If you want to try it out, add the following to the AutoUpgrade config file:
global.keystore_location=/u01/app/oracle/autoupgrade/keystore
Then run:
java -jar autoupgrade.jar -config …. -load_password
This will allow you to input the keystore passwords that are required for the operation specified in your config file. After that, you can start autoupgrade in the usual way. And it will take the keystore passwords that you previously input.
Regards,
Daniel
P.s. The commands and syntax are from the top of my head. If it doesn’t work, get the right syntax from:
java -jar autoupgrade.jar -help
LikeLike