It is now easier to upgrade and convert your encrypted Oracle Database. The latest version of AutoUpgrade adds much better support for Oracle Databases that are encrypted with Transparent Data Encryption (TDE).
You must ensure that you are using the latest version of AutoUpgrade. You can download it from My Oracle Support AutoUpgrade Tool (Doc ID 2485457.1). At the time of writing, the latest version of AutoUpgrade is 22.2:
$ java -jar autoupgrade.jar -version build.version 22.2.220324
Dealing with TDE, also means dealing with sensitive information. AutoUpgrade must adequately protect the TDE keystore passwords. To do so, AutoUpgrade can have its own keystore to store sensitive information, i.e., TDE keystore passwords. Whenever a TDE keystore password is needed, e.g., during an unplug-plug upgrade of an encrypted PDB, it can get the password from the AutoUpgrade keystore.
You need to tell AutoUpgrade where it can create the keystore. You do so in the config file:
When you start to use the AutoUpgrade keystore the following files are created in the directory:
$ pwd /etc/oracle/keystores/autoupgrade/DB12 $ ll -rw-------. 1 oracle dba 765 Mar 28 14:56 cwallet.sso -rw-------. 1 oracle dba 720 Mar 28 14:56 ewallet.p12
It is similar to other keystores that Oracle Database use. ewallet.p12 is the keystore, and cwallet.sso is an auto-login keystore used to open the real keystore. You don’t have to create an auto-login keystore.
You should protect the AutoUpgrade keystore files like you protect any other Oracle Database keystore:
- Apply restrictive file system permissions.
- Audit access.
- Back it up.
Using the Keystore
Create your AutoUpgrade config file and specify
global.keystore as described above. Start an interactive prompt that allows you to add the necessary passwords:
$ java -jar autoupgrade.jar -config DB12.cfg -load_password
The first time you use the AutoUpgrade keystore, you must provide a password that protects the AutoUpgrade keystore:
Starting AutoUpgrade Password Loader - Type help for available options Creating new keystore - Password required Enter password: Enter password again: Keystore was successfully created
In the TDE console, the following commands are available:
The SID references the databases. If you want to add a TDE password for the database DB12, use the following command:
TDE> add DB12 Enter your secret/Password: Re-enter your secret/Password: TDE> add CDB2 Enter your secret/Password: Re-enter your secret/Password:
If you want to delete the TDE password for DB12:
TDE> delete DB12 Keystore Password is required prior to operation Enter wallet password:
When you save the passwords into the AutoUpgrade keystore, you must decide whether you want to have an auto-login keystore:
TDE> save Convert the keystore to auto-login [YES|NO] ?
I recommend using auto-login keystores. If you do not create an AutoUpgrade auto-login keystore, you will be prompted for the AutoUpgrade keystore password when you start AutoUpgrade.
If you want to use AutoUpgrade in noconsole mode (
-noconsole), then an auto-login keystore is required.
I will show how to upgrade and convert encrypted databases in later blog posts.
Loss of AutoUpgrade Keystore
What happens if your AutoUpgrade keystore is lost? This is fairly simple. You can re-create the keystore and load all passwords into it using the
load_password command line option as described above.
We have added new preupgrade checks to the analyze phase in AutoUpgrade. These checks will help you to provide the needed passwords and ensure your TDE configuration meets certain standards:
You can read more about these checks in MOS note Database Preupgrade tool check list. (Doc ID 2380601.1).
4 thoughts on “AutoUpgrade and Transparent Data Encryption (TDE)”
Does the load-password feature work with 220.127.116.11 databases? I cannot get it too load the wallet password for a 12.1 CDB.When adding the password for the 18.104.22.168. database the action remains as load password wallet.
|ORACLE_SID| Action Required|TDE Password|SEPS Status|Active Wallet Type|
| cdbvj01|Load password wallet| Unknown| Inactive| Password|
| cdbvj191| | Verified| Inactive| Any|
Yes, the feature should work for any version supported by AutoUpgrade – which is the case with 22.214.171.124. What exactly are you trying to do? I think it could be an unplug-plug upgrade from 126.96.36.199 to 19c. Is that correct?
autotoupgrade is definitely an awesome tool for Oracle DB upgrade.
I successfully played with it on a configuration having primary 188.8.131.52 rac 2 nodes and standby rac 2 nodes with TDE (wallet on file system).
Unfortunately it didn’t work when the wallet files were in ASM (either for source 12.2 or target 19c): autoupgrade always failed to copy the wallet files.
Is there a plan to have autoupgrade successfully work with TDE files located in ASM instead of files system?
Thanks for the positive feedback. It’s good to hear you like AutoUpgrade. We put a lot of hard work in it.
I am not aware about any restrictions with the TDE keystore on ASM. Do you have a SR with this error? If not, may I ask you to create one. Be sure to attach the log files from the error (java -jar autoupgrade.jar -config …. -zip). I will have one of the developers look at the problem, so we can get it sorted.