It is now easier to upgrade and convert your encrypted Oracle Database. The latest version of AutoUpgrade adds much better support for Oracle Databases that are encrypted with Transparent Data Encryption (TDE).
You must ensure that you are using the latest version of AutoUpgrade. You can download it from My Oracle Support AutoUpgrade Tool (Doc ID 2485457.1). At the time of writing, the latest version of AutoUpgrade is 22.2:
$ java -jar autoupgrade.jar -version
build.version 22.2.220324
Dealing with TDE also means dealing with sensitive information. AutoUpgrade must adequately protect the TDE keystore passwords. To do so, AutoUpgrade can have its own keystore to store sensitive information, i.e., TDE keystore passwords. Whenever a TDE keystore password is needed, e.g., during an unplug-plug upgrade of an encrypted PDB, it can get the password from the AutoUpgrade keystore.
You need to tell AutoUpgrade where it can create the keystore. You do so in the config file:
When you start to use the AutoUpgrade keystore the following files are created in the directory:
$ pwd
/etc/oracle/keystores/autoupgrade/DB12
$ ll
-rw-------. 1 oracle dba 765 Mar 28 14:56 cwallet.sso
-rw-------. 1 oracle dba 720 Mar 28 14:56 ewallet.p12
It is similar to other keystores that Oracle Database uses. ewallet.p12 is the keystore, and cwallet.sso is an auto-login keystore used to open the real keystore. You don’t have to create an auto-login keystore.
You should protect the AutoUpgrade keystore files like you protect any other Oracle Database keystore:
- Apply restrictive file system permissions.
- Audit access.
- Back it up.
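As an added example that is not part of the original post and not code from the AutoUpgrade tool, here is a POSIX shell check for the first of those three points. It assumes the file names shown above (ewallet.p12 is the keystore and must exist; cwallet.sso only exists when an auto-login keystore was created), that both files should be mode 600, and that the expected owner is passed in as an argument. It also flags any other file that has appeared in the keystore directory, since nothing else belongs there.

```shell
#!/bin/sh
# Added example, not from the original post or the AutoUpgrade tool:
# verify that an AutoUpgrade keystore directory holds only tightly
# permissioned files. Assumes the file names shown in the post
# (ewallet.p12 is the keystore, cwallet.sso the optional auto-login file)
# and that both should be mode 600 and owned by the database software owner.

check_keystore_perms() {
    dir="$1"     # keystore directory, the one named by global.keystore
    owner="$2"   # expected file owner, e.g. oracle
    status=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: keystore directory $dir does not exist"
        return 2
    fi
    if [ ! -f "$dir/ewallet.p12" ]; then
        echo "ERROR: $dir/ewallet.p12 is missing (the keystore itself)"
        return 2
    fi

    for f in ewallet.p12 cwallet.sso; do
        path="$dir/$f"
        # cwallet.sso only exists when an auto-login keystore was created
        [ -f "$path" ] || continue
        # POSIX find: -perm 600 is an exact match, so any other mode is reported
        if [ -n "$(find "$path" ! -perm 600)" ]; then
            echo "WEAK: $path is not mode 600"
            status=1
        fi
        if [ -n "$(find "$path" ! -user "$owner")" ]; then
            echo "WEAK: $path is not owned by $owner"
            status=1
        fi
    done

    # Any other entry in the directory is unexpected and worth a look
    extra=$(find "$dir" ! -path "$dir" ! -name ewallet.p12 ! -name cwallet.sso)
    if [ -n "$extra" ]; then
        echo "NOTE: unexpected entries in $dir:"
        echo "$extra"
        status=1
    fi
    return $status
}

# Usage: sh check_keystore.sh /etc/oracle/keystores/autoupgrade/DB12 oracle
# Exit code 0 = all good, 1 = weak permissions or unexpected files, 2 = keystore absent
if [ $# -ge 1 ]; then
    check_keystore_perms "$1" "${2:-oracle}"
fi
```

Run it from cron or a configuration-compliance job against every directory you point global.keystore at; a non-zero exit is the signal to investigate. The directory listing in the post (both files 0600, owned by oracle) is exactly the state this check accepts.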
Using the Keystore
Create your AutoUpgrade config file and specify global.keystore as described above. Start an interactive prompt that allows you to add the necessary passwords:
$ java -jar autoupgrade.jar -config DB12.cfg -load_password
The first time you use the AutoUpgrade keystore, you must provide a password that protects the AutoUpgrade keystore:
Starting AutoUpgrade Password Loader - Type help for available options
Creating new keystore - Password required
Enter password:
Enter password again:
Keystore was successfully created
In the TDE console, the following commands are available:
The SID references the database. If you want to add a TDE password for the database DB12, use the following command:
TDE> add DB12
Enter your secret/Password:
Re-enter your secret/Password:
TDE> add CDB2
Enter your secret/Password:
Re-enter your secret/Password:
If you want to delete the TDE password for DB12:
TDE> delete DB12
Keystore Password is required prior to operation
Enter wallet password:
When you save the passwords into the AutoUpgrade keystore, you must decide whether you want to have an auto-login keystore:
TDE> save
Convert the keystore to auto-login [YES|NO] ?
I recommend using auto-login keystores. If you do not create an AutoUpgrade auto-login keystore, you will be prompted for the AutoUpgrade keystore password when you start AutoUpgrade.
If you want to use AutoUpgrade in noconsole mode (-noconsole), then an auto-login keystore is required.
I will show how to upgrade and convert encrypted databases in later blog posts.
Loss of AutoUpgrade Keystore
What happens if your AutoUpgrade keystore is lost? This is fairly simple. You can re-create the keystore and load all passwords into it using the -load_password command line option as described above.
We have added new preupgrade checks to the analyze phase in AutoUpgrade. These checks will help you to provide the needed passwords and ensure your TDE configuration meets certain standards:
You can read more about these checks in MOS note Database Preupgrade tool check list. (Doc ID 2380601.1).