Many commands that involve Transparent Data Encryption (TDE) require inputting the TDE keystore password. Also, when you use AutoUpgrade. on an encrypted Oracle Database you probably need to store the TDE keystore password using the -load_password option.
Manually inputting passwords is unsuitable for an environment with a high degree of automation. In Oracle Database it is solved by Secure External Password Store (SEPS) (as of Oracle Database 12.2). In a previous blog post, I showed how you could use it to your advantage.
This blog post is about how to use AutoUpgrade together with SEPS.
Good News
As of version 22.2 AutoUpgrade fully supports Oracle Database with a Secure External Password Store. If SEPS contains the TDE keystore password, you don’t have to input the password using the -load_password option.
If you are using AutoUpgrade in some sort of automation (like Ansible), you should look into SEPS. AutoUpgrade can use SEPS when the TDE keystore password is needed, and you can upgrade and convert completely unattended.
How To
The Oracle Database DB12 is encrypted and on Oracle Database 12.2. I want to upgrade, convert, and plug it into CDB2 on Oracle Database 19c.
- Ensure that your Oracle Databases DB12 and CDB2 are properly configured with a Secure External Password Store and it contains the TDE keystore password.
- Ensure that AutoUpgrade is version 22.2 or higher:
$ java -jar autoupgrade.jar -version - Create your AutoUpgrade config file and set
global.keystoreas specified in a previous blog post:global.autoupg_log_dir=/u01/app/oracle/cfgtoollogs/autoupgrade global.keystore=/u01/app/oracle/admin/autoupgrade/keystore upg1.log_dir=/u01/app/oracle/cfgtoollogs/autoupgrade/DB12 upg1.source_home=/u01/app/oracle/product/12.2.0.1 upg1.target_home=/u01/app/oracle/product/19 upg1.sid=DB12 upg1.target_cdb=CDB2 - Analyze:
$ java -jar autoupgrade.jar -config DB12.cfg -mode analyze - The summary report tells me everything is fine; just go ahead. I don’t need to input the TDE keystore passwords:
[Stage Name] PRECHECKS [Status] SUCCESS [Start Time] 2022-03-30 10:28:38 [Duration] [Log Directory] /u01/app/oracle/cfgtoollogs/autoupgrade/DB12/DB12/100/prechecks [Detail] /u01/app/oracle/cfgtoollogs/autoupgrade/DB12/DB12/100/prechecks/db12_preupgrade.log Check passed and no manual intervention needed - Optionally, I can use the
-load_passwordprompt to check the TDE configuration:
Action Required is empty and verifies that I don’t need to input the TDE keystore passwords. AutoUpgrade checked SEPS in CDB2 and found that it works. It is impossible to check SEPS in DB12 because it is on Oracle Database 12.2. The functionality was added in Oracle Database 19c.$ java -jar autoupgrade.jar -config DB12.cfg -load_password TDE> list +----------+---------------+------------------+-----------+------------------+ |ORACLE_SID|Action Required| TDE Password|SEPS Status|Active Wallet Type| +----------+---------------+------------------+-----------+------------------+ | CDB2| |No password loaded| Verified| Any| | DB12| |No password loaded| Unknown| Auto-login| +----------+---------------+------------------+-----------+------------------+ - Start the upgrade and conversion:
$ java -jar autoupgrade.jar -config DB12.cfg -mode deploy - That’s it!
What Happens
- You must configure an AutoUpgrade keystore. Even though you are not loading any TDE keystore passwords, it is still required. Some commands require a passphrase (or transport secret) and AutoUpgrade must store them in its keystore.
- Whenever a database is using SEPS, and a TDE keystore password is required, AutoUpgrade will use the
IDENTIFIED BY EXTERNAL STOREclause.
What Else
You can mix and match. If only one database uses SEPS, you can input the other TDE keystore password manually using the -load_password option. AutoUpgrade will check your database configuration and ask only for the needed TDE keystore passwords.
Databases Are Fun 