Converting an encrypted non-CDB to a PDB requires the keystore passwords of the non-CDB and the target CDB. You can do it with AutoUpgrade, and you can upgrade in the same operation.
How To
The Oracle Database DB12 is encrypted and on Oracle Database 12.2. I want to upgrade, convert, and plug it into CDB2 on Oracle Database 19c.
- Ensure that AutoUpgrade is version 22.2 or higher:
$ java -jar autoupgrade.jar -version
- Create your AutoUpgrade config file and set
global.keystore
as specified in a previous blog post:global.autoupg_log_dir=/u01/app/oracle/cfgtoollogs/autoupgrade global.keystore=/u01/app/oracle/admin/autoupgrade/keystore upg1.log_dir=/u01/app/oracle/cfgtoollogs/autoupgrade/DB12 upg1.source_home=/u01/app/oracle/product/12.2.0.1 upg1.target_home=/u01/app/oracle/product/19 upg1.sid=DB12 upg1.target_cdb=CDB2
- Analyze:
$ java -jar autoupgrade.jar -config DB12.cfg -mode analyze
- The summary report warns me that TDE keystore passwords are needed:
There are more details in the preupgrade log file:[Stage Name] PRECHECKS [Status] FAILURE [Start Time] 2022-03-29 12:42:32 [Duration] [Log Directory] /u01/app/oracle/cfgtoollogs/autoupgrade/DB12/DB12/100/prechecks [Detail] /u01/app/oracle/cfgtoollogs/autoupgrade/DB12/DB12/100/prechecks/db12_preupgrade.log Check failed for DB12, manual intervention needed for the below checks [TDE_PASSWORDS_REQUIRED]
============== BEFORE UPGRADE ============== REQUIRED ACTIONS ================ 1. Perform the specified action ... ORACLE_SID Action Required ------------------------------ ------------------------ CDB2 Add TDE password DB12 Add TDE password
- Add the TDE keystore passwords into the AutoUpgrade keystore:
$ java -jar autoupgrade.jar -config DB12.cfg -load_password TDE> add DB12 Enter your secret/Password: Re-enter your secret/Password: TDE> add CDB2 Enter your secret/Password: Re-enter your secret/Password:
- Save the passwords into the AutoUpgrade keystore. I choose to create an auto-login keystore:
TDE> save Convert the keystore to auto-login [YES|NO] ? YES TDE> exit
- Re-analyze the database:
$ java -jar autoupgrade.jar -config DB12.cfg -mode analyze
- If AutoUpgrade does not report any other problems, start the upgrade and conversion. Since I chose to create an AutoUpgrade auto-login keystore, I don’t have to provide the password when AutoUpgrade starts:
$ java -jar autoupgrade.jar -config DB12.cfg -mode deploy
- That’s it!
What Happens
- First, AutoUpgrade upgrades the database to Oracle Database 19c. This is a regular non-CDB database upgrade. It requires an auto-login keystore.
- After the upgrade, AutoUpgrade exports the encryption keys into a file. To avoid writing the encryption keys in clear text in the export file, the database needs a passphrase (transport secret) to encrypt the encryption key. AutoUpgrade generates a passphrase and stores it in the AutoUpgrade keystore. In addition, the database needs the keystore password. This is the
WITH SECRET
andIDENTIFIED BY
clauses of theADMINISTER KEY MANAGEMENT EXPORT KEYS
statement. - The encryption keys is imported into CDB$ROOT of the target CDB. To load the encryption keys from the export file, the database needs the passphrase and keystore password (of the target CDB). AutoUpgrade gets both password from the AutoUpgrade keystore. This is the
WITH SECRET
andIDENTIFIED BY
clauses of theADMINISTER KEY MANAGEMENT IMPORT KEYS
statement. - The pluggable database is created from the manifest file using
CREATE PLUGGABLE DATABASE
statement. - AutoUpgrade executes the
ADMINISTER KEY MANAGEMENT IMPORT KEYS
statement again – this time while connected to the PDB itself. - Finally, AutoUpgrade completes the PDB conversion by running noncdb_to_pdb.sql.
The encryption keys are imported two times – first in CDB$ROOT and then in the PDB itself. AutoUpgrade must import into CDB$ROOT if the PDB has any of the system tablespaces (SYSTEM or SYSAUX) or the undo tablespace encrypted.
Fallback
AutoUpgrade fallback functionality also works for an upgrade and PDB conversion. But there are a few requirements:
- A
target_pdb_copy_option
must be specified. - The database must be Enterprise Edition.
- A guaranteed restore point must be created (default behavior).
It is not possible to revert the PDB conversion. To fall back the data files must be copied as part of the PDB conversion. You specify that the data files are copied by using the config file parameter target_pdb_copy_option
.
As an example, if I want to copy the data files during plug-in and generate OMF names, I use this parameter:
upg1.target_pdb_copy_option=file_name_convert=NONE
AutoUpgrade automatically creates a guaranteed restore point in the beginning of an upgrade. AutoUpgrade will issue a FLASHBACK DATABASE
statement to revert the upgrade. The parameter restoration
governs the creation of the restore point. The default value is YES
, meaning AutoUpgrade creates a guaranteed restore point, and fallback is possible.
If all prerequisites are met, I can revert the entire operation and return the database to the original state (from 19c PDB back into a 12.2 non-CDB). 103 is the job id of the upgrade/PDB conversion:
$ java -jar autoupgrade.jar -config PDB1.cfg -restore -jobs 103
Hi Daniel,
I will apologize in advance for all of the stupid questions that I have submitted recently. 🙂 I tried to set up a migration test of an 11.2.0.4 single instance database to a new 19c CDB/PDB (on the same host) using the new functionality in autoupgrade 22.2 for the handling of the TDE keystore. The analyze phase has detected a KEYSTORE_CONFLICT error. Details have been posted in the appropriate Community:
https://community.oracle.com/mosc/discussion/comment/16875383
Would appreciate your thoughts before submitting a SR on this issue. Need to get this sorted out quickly.
Thanks,
Doug
LikeLike
Hi Doug,
I am glad that you started using the new TDE functionality. I did my best to answer your question on the community forum. Please have a look at the response.
Reach out to me if things doesn’t get sorted out.
Regards,
Daniel
LikeLike
My single-instance upgrade scenario completed successfully. Working on the RAC migration now and could use a bit of guidance on RAC specific setup. This is not easily located in the documentation and I haven’t found any examples online. I must get this thoroughly tested for a migration next weekend.
Again, I posted the question to the Community at https://community.oracle.com/mosc/discussion/4518571/autoupgrade-configuration-for-non-cdb-11g-rac-to-pdb-19c-rac#latest
TIA,
Doug
LikeLike
Hi Doug,
I see you have already made good progress with your upgrade. Good job!
I am curios where you found information about “dbname” parameter. I was removed a few versions ago.
Also, it seems that you have already explored the new TDE options in AutoUpgrade with success. I would love to hear your thoughts about the new functionality and if there is something that we should change.
Perhaps we can talk on Zoom one day? If interested, please reach out to me on daniel.overby.hansen@oracle.com.
Thanks,
Daniel
LikeLike