How to Create an OCI PDB with a Specific Time Zone File Version

When you provision a new database in Oracle Cloud Infrastructure (OCI), it always comes with the latest timezone file installed.

But in a recent migration, we wanted a database with a specific timezone file version.

Here’s how you can get a new PDB with a custom timezone file.

Using OCI Tooling Doesn’t Work

The OCI tooling uses a template file to provision the database faster. But the template file comes with the latest timezone file. Timezone files are part of the Release Update, so the newer Release Update you’re on, the newer the timezone file is.

Using template files for provisioning means that you don’t get to choose which version of the timezone file you want in your database. Further, the usual hacks like removing timezone files from the Oracle home or using the environment variable ORA_TZFILE won’t work.

The Solution

I’m going to create a new PDB in an on-prem database, export that PDB to OCI and use that as my new PDB.

  • I start by finding an existing CDB with the desired timezone file, or I create a new one. ~~~ select version from v$timezone_file;</p> <pre><code> VERSION ———- 44 ~~~

  • I don’t need to check * The patch level: I’ll sort out any patch differences with Datapatch in OCI. * The components: CDBs in OCI have all components installed.

  • I create a new empty PDB: ~~~ CREATE PLUGGABLE DATABASE PDBTEMPLATE ADMIN USER ADMIN IDENTIFIED BY mys3cr3tpassw0rd!; ~~~

  • I close and unplug my PDB: ~~~~ ALTER PLUGGABLE DATABASE PDBTEMPLATE CLOSE; ALTER PLUGGABLE DATABASE PDBTEMPLATE UNPLUG INTO ‘/home/oracle/pdbtemplate.pdb’; DROP PLUGGABLE DATABASE PDBTEMPLATE INCLUDING DATAFILES; ~~~~

  • I transfer the PDB to my host in OCI. In my test, the size of the PDB was 600 MB. Size: 0,61735765 GB

  • Now, I can create a new PDB using the archive file: ~~~~ CREATE PLUGGABLE DATABASE PDBNEW USING ‘/home/oracle/pdbtemplate.pdb’; ALTER PLUGGABLE DATABASE PDBNEW OPEN READ WRITE; ~~~~ * The PDB probably opens with plug-in violations. I ignore this for now.

  • I need to sort out any patching difference: ~~~~ $ORACLE_HOME/OPatch/datapatch -pdbs PDBNEW ~~~~

  • After a restart I check for plug-in violations: ~~~~ ALTER PLUGGABLE DATABASE PDBNEW CLOSE IMMEDIATE; ALTER PLUGGABLE DATABASE PDBNEW OPEN; SELECT TYPE, CAUSE, MESSAGE, ACTION FROM PDB_PLUG_IN_VIOLATIONS WHERE NAME=‘PDBNEW’ AND STATUS != ‘RESOLVED’ AND NOT (CAUSE=‘OPTION’ AND TYPE=‘WARNING’ AND MESSAGE LIKE ‘%PDB installed version NULL%’);</p> <pre><code> TYPE CAUSE MESSAGE ACTION __________ ___________________________ _________________________________________________________________________________________________ __________________________ WARNING is encrypted tablespace? Tablespace SYSTEM is not encrypted. Oracle Cloud mandates all tablespaces should be encrypted. Encrypt the tablespace. WARNING is encrypted tablespace? Tablespace SYSAUX is not encrypted. Oracle Cloud mandates all tablespaces should be encrypted. Encrypt the tablespace. ~~~~ * The query removes any *warnings* about components missing in my PDB. * I can ignore the warning about missing encryption of *SYSTEM* and *SYSAUX*

  • Finally, I create an encryption key (or rotate the key if the PDB is already encrypted): ~~~~ ALTER SESSION SET CONTAINER=PDBNEW; ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY <keystore-password> WITH BACKUP; ~~~~

  • Last, let’s check the timezone file versions in my CDB: ~~~~ ALTER SESSION SET CONTAINER=CDB$ROOT; SELECT CON$NAME, VALUE$ FROM CONTAINERS(SYS.PROPS$) WHERE NAME=‘DST_PRIMARY_TT_VERSION’ ORDER BY 1;</p> <pre><code> CON$NAME VALUE$ ___________ _________ CDB$ROOT 45 PDBNEW 44 ~~~~ * The CDB uses the latest timezone file version, *45*. * My new PDB uses an older timezone file, *44*.

That’s It!

This workaround enables you to create PDBs with a custom timezone file version. I can use the same approach if I want a PDB with a specific set of components installed.

If there is network connectivity between the source and target CDB, I could also clone the PDBTEMPLATE over a network link.

Happy migrating!

Understanding ORA-02298 And Missing Parent Rows During Data Pump Import

In a recent migration, Data Pump couldn’t validate a foreign key constraint because rows were missing in the parent table.

01-JUN-26 03:12:18.148: W-8 Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/REF_CONSTRAINT
01-JUN-26 03:18:58.517: ORA-39083: Object type REF_CONSTRAINT:"APPUSER"."FK_CHILDTABLE_C001" failed to create with error:
ORA-02298: cannot validate (APPUSER.FK_CHILDTABLE_C001) - parent keys not found
ALTER TABLE "APPUSER"."CHILDTABLE" ADD CONSTRAINT "FK_CHILDTABLE_C001"
  FOREIGN KEY ("C001") REFERENCES "APPUSER"."PARENTTABLE" ("C001") ENABLE

In the source database, the constraint was validated. How come rows are now missing?

Data Pump Export

By default, a Data Pump export is not fully consistent. Instead, each table is consistent only within that object. Here’s an example:

Object SCN
Export starts 100
Table, T1 110
Table, PARENT1 120
Table, CHILD1 130
Export finishes 140

If no users are connected to the system, the export is logically consistent even though the tables were exported as of different SCNs.

But imagine the following:

  • There is a parent/child relationship between PARENT1 and CHILD1 enforced by a foreign key constraint.
  • A user inserts data at SCN 125. So, in between the export of PARENT1 and CHILD1.
  • Parent row is not exported because PARENT1 is exported as of SCN 120.
  • Child row is exported because CHILD1 is exported as of SCN 130.

During import, Data Pump can’t create and validate the foreign key constraint because the parent rows are missing.

GoldenGate

In this specific migration, this wasn’t a real problem because Data Pump and GoldenGate work together.

  • On export, Data Pump notes the SCN at which each table were exported.
  • On import, Data Pump writes the SCNs into the target database.
  • GoldenGate uses Automatic Per Table Instantiation to start the replication from the SCN at which the export was made.
Object Replicat starts at SCN
Table, T1 110
Table, PARENT1 120
Table, CHILD1 130

Once GoldenGate has replicated the changes beyond SCN 125, we could create and validate the constraint.

Zero Downtime Migration (ZDM)

We were doing the migration using ZDM. We had to instruct ZDM to ignore the error using the response file parameter:

IGNOREIMPORTERRORS=ORA-02298,...

Other Solutions

Fully Consistent Export

You can instruct Data Pump to make a fully consistent export, so all tables are exported as of the same SCN. Using the example from above:

Object SCN
Export starts 100
Table, T1 100
Table, PARENT1 100
Table, CHILD1 100
Export finishes 140

To do so, add the following parameter:

expdp ... flashback_time=systimestamp

In ZDM, you use the response file parameter:

DATAPUMPSETTINGS_DATAPUMPPARAMETERS_FLASHBACKTIME=SYSTIMESTAMP

This requires that there’s enough UNDO in your database. If your export runs for 4 hours before it reaches CHILD1, then you potentially need a lot of undo to read the table as it looked 4 hours ago.

On an big, active database there is a risk that your export now fails with:

ORA-31693: Table data object "APPUSER"."CHILD1" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-01555: snapshot too old: rollback segment number 1 with name "_SYSSMU15_987654321$" too small

In which case you should start the export in an off-peak period or from a standby database.

Standby Database

If exporting from your primary database gives you problems with ORA-01555, consider doing it from a snapshot standby database.

If no one is using the standby database, then you don’t even have to perform a fully consistent export using FLASHBACK_SCN or FLASHBACK_TIME.

That’s It

Normally, seeing ORA-02298 during a Data Pump import is a serious problem.

However, if you’re doing an initial load then you can probably validate the constraint once replication starts.

Happy exporting!

When You Forget To Rekey Your Encrypted Database

[The other day I was helping a customer perform an unplug-plug upgrade of an encrypted PDB using AutoUpgrade and a refreshable clone PDB.

Cloning PDB2 to NEWPDB2 and upgrading it

But it kept failing during the initial copy of the PDB:

upg> Copying remote database 'PDB2' as 'NEWPDB2' for job 101

-------------------------------------------------
Errors in database [CDB19]
Stage     [CLONEPDB]
Operation [STOPPED]
Status    [ERROR]
Info    [
Error: UPG-4016
[Unexpected exception error]
Cause: There was an error during the database clone operation
For further details, see the log file located at /u01/app/oracle/cfgtoollogs/autoupgrade/CDB19/101/autoupgrade_20400101_user.log]

-------------------------------------------------
Logs: [/u01/app/oracle/cfgtoollogs/autoupgrade/CDB19/101/autoupgrade_20400101_user.log]
-------------------------------------------------

Luckily, there’s extensive logging in AutoUpgrade, so I went into the directory holding the logs from the CLONEPDB stage and found the following:

create pluggable database "NEWPDB2"  FROM PDB2@CLONEPDB   file_name_convert=none  tempfile reuse keystore identified by "*" REFRESH MODE MANUAL
*
ERROR at line 1:
ORA-17628: Oracle error 46659 returned by remote Oracle server
ORA-46659: master encryption keys for the given PDB not found
Help: https://docs.oracle.com/error-help/db/ora-17628/

Let’s dig into the error.

A Possible Solution

A search on MOS revealed a note with a possible solution:

  • Manually export/import the encryption keys, or
  • Use the undocumented INCLUDING SHARED KEYS clause on the CREATE PLUGGABLE DATABASE statement.

I didn’t like these solutions because:

  • The target CDB should be able to import the keys automatically over the database link.
  • It worked fine on other encrypted databases without the workaround.

So what was the problem?

The Root Cause

  • In the source CDB, I could see from V$ENCRYPTION_KEYS that the source PDB, PDB2, didn’t have any encryption keys.

  • There should be an encryption key activated by PDB2. But the query returned no rows.

    SELECT * FROM v$encryption_keys WHERE activating_pdbname='PDB2';
    
  • So which encryption key did PDB2 use?

  • It turns out that PDB2 was recently created by cloning another local PDB, PDB1. PDB2 was recently cloned from PDB1

  • After cloning an encrypted PDB, the new PDB keeps using the same encryption keys as the source PDB. This is called a shared key.

  • So, PDB2 was using the same encryption key as PDB1.

  • For security reasons, if you try to clone a PDB using a shared key, the database errors out.

The Solution

  • I advise you to rekey your database after cloning. This ensures that the clone gets its own encryption keys and, thus, strengthens security.

  • After connecting to PDB2, I performed a rekey using the set key command:

    alter session set container=PDB2;
    administer key management set key
       force keystore identified by "<keystore_pwd>"
       with backup;
    
    
  • Then, I could clone PDB2 using refreshable clone PDB and upgrade it without problems.

Lesson Learned

  • Oracle recommends that you rotate your encryption keys by doing a rekey.
  • After cloning an encrypted database, you should perform a rekey, so the clone has its own encryption keys and does not share encryption keys with another database.
  • The database can operate with a shared key, but it might cause problems later.

Happy upgrading!

AutoUpgrade New Features: Download Tools (AHF, CVU, SQLcl)

Once you try downloading patches using AutoUpgrade, you’ll never do it from My Oracle Support again.

But what if you want to download:

Do you really have to do that from My Oracle Support? Of course – AutoUpgrade has you covered!

Download Tools

  1. I’ve already configured AutoUpgrade to download patches.

  2. I create a config file:

    global.global_log_dir=/home/oracle/autoupgrade/logs
    global.keystore=/home/oracle/autoupgrade/keystore
    global.folder=/home/oracle/autoupgrade/patches
    
    patch1.platform=LINUX.X64
    patch1.target_version=19
    patch1.patch=SQLCL,AHF,CVU
    
    • Notice the patch specification. It contains the three new keywords that instruct AutoUpgrade to download the tools.
  3. I start AutoUpgrade in download mode:

    AutoUpgrade Patching 26.3.260401 launched with default internal options
    Processing config file ...
    Loading AutoUpgrade Patching keystore
    AutoUpgrade Patching keystore is loaded
    
    Connected to MOS - Searching for specified patches
    
    -----------------------------------------------------
    Downloading files to /home/oracle/autoupgrade/patches
    -----------------------------------------------------
    PLACEHOLDER - DOWNLOAD LATEST AHF (TFA and ORACHK/EXACHK)
        File: AHF-LINUX_v26.3.1.zip - LOCATED
    
    Standalone CVU (OL8+, RHEL8+) January 2026
        File: cvupack_linux_ol8_x86_64.zip - LOCATED
    
    sqlcl-latest.zip 26.1.2.132.1334 (May 2026)
        File: sqlcl-latest.zip - LOCATED
    ------------------------------------------------------	
    
  • AutoUpgrade places the latest version of the tools in the download folder.

  • Nice and simple.

Multiple Platforms

  • If I have multiple platforms, I can download for all of them:

    patch1.platform=LINUX.X64
    patch1.target_version=19
    patch1.patch=SQLCL,AHF,CVU
    
    patch2.platform=WINDOWS.X64
    patch2.target_version=19
    patch2.patch=SQLCL,AHF,CVU
    
    patch3.platform=AIX.X64
    patch3.target_version=19
    patch3.patch=SQLCL,AHF,CVU
    
    • Notice how each platform has its own prefix (patch1, patch2, and patch3).
  • When I start AutoUpgrade in download mode, it downloads the tools for the three platforms.

That’s It

There are several tools that help you work with Oracle AI Database. Don’t miss out, update the tools and benefit from the latest enhancements.

Do you have a favorite tool that AutoUpgrade should download for you? Drop a comment and I’ll see what we can do.

Happy patching!

Is Your Oracle AI Database Ready For Patching?

My colleagues enhanced Datapatch so it can check your Oracle AI Database and see if it’s prone to errors we’ve seen at other customers.

This check is called a Datapatch Sanity Check.

It is a lightweight and non-intrusive check that scans an Oracle AI Database and produces a report with findings.

How to Run a Sanity Check

  • Before patching, assess the patching readiness of your Oracle AI Database:
    export ORACLE_SID=ORCL
    cd $ORACLE_HOME/OPatch
    ./datapatch -sanity_checks
    
    • You can run the check on an active database.
    • The check scans the operating system, database and all open PDBs.
  • Datapatch prints the report on the screen. Examine it:
    SQL Patching sanity checks version 19.27.0.0.0 on Fri 12 Jun 2026 03:25:42 PM GMT
    Copyright (c) 2021, 2026, Oracle.  All rights reserved.
    
    Log file for this invocation: /u01/app/oracle/cfgtoollogs/sqlpatch/sanity_checks_20260612_152542_17281/sanity_checks_20260612_152542_17281.log
    
    Running checks
    JSON report generated in /u01/app/oracle/cfgtoollogs/sqlpatch/sanity_checks_20260612_152542_17281/sqlpatch_sanity_checks_summary.json file
    Checks completed. Printing report:
    
    Check: Database component status - OK
    Check: PDB Violations - OK
    Check: Invalid System Objects - OK
    Check: Tablespace Status - OK
    Check: Backup jobs - OK
    Check: Temp file exists - OK
    Check: Temp file online - OK
    Check: Data Pump running - OK
    Check: Container status - OK
    Check: Oracle Database Keystore - OK
    Check: Dictionary statistics gathering - OK
    Check: Scheduled Jobs - OK
    Check: GoldenGate triggers - OK
    Check: Logminer DDL triggers - OK
    Check: Check sys public grants - OK
    Check: Statistics gathering running - OK
    Check: Optim dictionary upgrade parameter - OK
    Check: Symlinks on oracle home path - OK
    Check: Central Inventory - OK
    Check: Queryable Inventory dba directories - OK
    Check: Queryable Inventory locks - OK
    Check: Queryable Inventory package - OK
    Check: Queryable Inventory external table - OK
    Check: Imperva processes - OK
    Check: Guardium processes - OK
    Check: Locale - OK
    
    Refer to MOS Note 2975965.1 and debug log
    /u01/app/oracle/cfgtoollogs/sqlpatch/sanity_checks_20260612_152542_17281/sanity_checks_debug_20260612_152542_17281.log
    
    SQL Patching sanity checks completed on Fri 12 Jun 2026 03:26:18 PM GMT	
    
    • All checks passed.

Usage Notes

  • The checks may give the following result:

    • OK
    • WARNING
    • ERROR
  • Datapatch exit codes:

    • 0 – All checks passed
    • 1 – Errors found
    • 2 – Warnings found
  • If the database is an Oracle RAC Database, Datapatch also connects to the other nodes to conduct scanning. This requires passwordless SSH between the nodes.

  • The Sanity Check doesn’t check whether patches need to be applied or not. To determine whether patches need to be installed in the database, use:

    ./datapatch -prereq
    

That’s It

Checking your database upfront will help you avoid some of the common pitfalls when installing patches.

Happy patching!

Further Reading

How to Make Oracle AI Database Patching Easier

Oracle recently announced that they strongly recommend customers to apply Release Updates frequently and also announced plans to release monthly security updates.

For most of you this means that they must patch more often. Here are some ideas that can help you ease the burden of patching.

Grab a coffee with your DBA buddies and go over the list. Perhaps you’re missing out.

Patches

Oracle Home

  • Use out-of-place patching. This allows you to install the new Oracle home in advance. It reduces downtime, is less risky and makes rollbacks easier.

    • Use a brand-new home each time.
    • If you insist on in-place patching or clone Oracle homes be sure to clean up.
  • Create and use gold images. Once you’ve created your own gold image, you can deploy it to other hosts faster than installing and patching a new Oracle home.

    • Standardize on as few gold images as possible. Ideally, you have only one gold image for a specific Release Update.
  • Move files out of the Oracle home. You can find many configuration files and such inside the Oracle home. You must copy them to the new Oracle home when you use out-of-place patching – unless you use AutoUpgrade that does it for you.

    • Many of these files can be placed outside the Oracle home.

Connectivity

Patching

Datapatch

  • You can run Datapatch while users are connected. Knowing this you can minimize the outage on single instance databases by allowing users to connect as soon as you’ve restarted the database in the new Oracle home.

  • Use Datapatch sanity checks to assess the patch readiness of your database.

    • Generate the report by running datapatch -sanity_checks.
    • It’s a lightweight, non-intrusive check of the database.
  • Regularly clean up old patching metadata.

    • Limit the space used by Datapatch in the SYSTEM tablespace.
  • If you wonder what Datapatch spends time on, check the Datapatch logs in $ORACLE_BASE/cfgtoollogs/sqlpatch.

  • Ensure Datapatch patches the most important PDBs first.

    • Datapatch patches many PDBs at the same time. This depends on the database CPU_COUNT.
    • By default, Datapatch takes the PDBs in order by CON_ID.
    • But you can change the order using ALTER PLUGGABLE DATABASE <pdb_name> PRIORITY 1. The lower the priority, the sooner the PDB is processed.
  • Patch multiple databases at the same time.

    • Datapatch works on one database only. But you can start multiple instances of Datapatch to patch multiple databases simultaneously provided you have the CPU resources.
  • Speed up patching by removing unused components. Check your database using SELECT * FROM cdb_registry.

    • Generally, the more components, the longer patching/upgrading takes.

Automation

  • Automate the patching process. Including:

    • Rollback
    • Removal of old Oracle home
    • Listener patching
  • Tim Hall (ORACLE-BASE) wrote a series of blog posts about automation.

  • Use AutoUpgrade to automate the patching process.

  • Use Fleet Patching and Provisioning to automate the patching process.

    • A huge benefit for Exadata systems as FPP can patch the entire stack.
    • Separately licensed.

Grid Infrastructure

Miscellaneous

  • Familiarize yourself with the new patch level.

  • Oracle tries to avoid plan changes after patching by adding optimizer fixes as installed, but disabled. This increases plan stability.

That’s It

Did you find anything useful? Do you have other ideas to make patching easier?

Drop a comment and let’s help each other.

Happy patching!

Further Reading

Statistics and Migrations – Well-Kept Secrets Revealed

This is the title of our upcoming webinar. Join us for a zero marketing, all tech session.

When: Thursday, June 18, 14:00 CEST How: Sign up

What’s It About?

Statistics are the oil that keeps your database well-running. We all know – from bitter experience – what happens when you don’t get it right.

But what do you do with your statistics when you migrate a database? Do you bring them along or gather new ones? Does the recommendation change when you move to Oracle Autonomous AI Database?

There’s no single, universal answer. But we can equip you with the knowledge you need to make the right decision for your database. In this session, we outline the options, techniques, and best strategies. Whether you’re migrating to a new environment, a different operating system, a brand-new Exadata system, or Oracle Autonomous AI Database, we provide practical guidance, best practices, and a few well-kept secrets.

Join Us

I hope to see you there. As always, our entire team will be there and answer all your questions.

Recent Webinars on Database Patching

After a short delay, the latest Release Updates are out for Linux.

Are you wondering about the remaining platforms? Or do you want to refresh your knowledge of database patching? We recently aired two webinars that you’ll find interesting.

Webinar
Database Patching for DBAs – Patch smarter, not harder Slides Q&A Recording
Patch smarter, not harder – MS Windows Special Edition Slides Q&A Recording

If you’re still downloading patches from My Oracle Support, you must watch these webinars. Save yourself a lot of time and grab all the patches you need in one command.

If you have RAC databases and the applications are a little slow to drain or you just want more control, check out the DBA-controlled draining we recently introduced.

My Highlights

Here are a few of the topics that I find especially useful:

Next Webinar

It didn’t take long after the last one before we settled on the next webinar:

Statistics and Migrations – Well-Kept Secrets Revealed

Interested? Take a look at the abstract and sign up.

Happy patching!

The Easiest Way to Download the Latest OPatch

I just saw a post on LinkedIn about the OPatch page on My Oracle Support stating it was the worst experience ever!

I had a look and I agree there’s room for improvement (possibly an understatement). I’ll see if I can find someone to give it a polish.

In the meantime, let me show you a much better to download the latest OPatch. Using AutoUpgrade in download mode.

How to Download OPatch

I download from my Mac, but Windows or Linux would do fine as well.

  1. I download the latest version of AutoUpgrade:

    wget https://download.oracle.com/otn-pub/otn_software/autoupgrade.jar
    
  2. I create an AutoUpgrade config file called get-patches:

    global.global_log_dir=/Users/daniel/orcl/autoupgrade/logs
    global.keystore=/Users/daniel/orcl/autoupgrade/keystore
    global.folder=/Users/daniel/Downloads/patches
    
    patch1.platform=LINUX.X64
    patch1.target_version=19
    patch1.patch=OPATCH
    
    • I use the platform parameter to instruct AutoUpgrade to find OPatch for Linux.
    • I want OPatch for an 19c database and I specify that with target_version.
    • I just want OPatch, so I set patch=OPATCH.
  3. I’ve already used AutoUpgrade to download patches, so my My Oracle Support credentials are already stored in the AutoUpgrade keystore. If you’ve never used AutoUpgrade to download patches, follow the instructions below (see Creating an AutoUpgrade Keystore).

  4. I download the patches by starting AutoUpgrade in download mode:

    java -jar autoupgrade.jar -config get-patches -patch -mode download
    
  5. AutoUpgrade finds and downloads the right version of OPatch:

    AutoUpgrade Patching 26.3.260401 launched with default internal options
    Processing config file ...
    Loading AutoUpgrade Patching keystore
    AutoUpgrade Patching keystore is loaded
    
    Connected to MOS - Searching for specified patches
    
    ------------------------------------------------------
    Downloading files to /Users/daniel/Downloads/patches
    ------------------------------------------------------
    OPatch 12.2.0.1.51 for DB 19.0.0.0.0 (Apr 2026)
       File: p6880880_190000_Linux-x86-64.zip - VALIDATED
    ------------------------------------------------------
    
  6. That’s it! Is it really that easy? Yes, it is…

Happy patching!

What About the Other Platforms and Releases?

  • You can download for more platforms by adding:
    patch2.platform=WINDOWS.X64
    patch2.target_version=19
    patch2.patch=OPATCH
    
    patch3.platform=AIX.x64
    patch3.target_version=19
    patch3.patch=OPATCH
    
  • You can download for more releases by adding:
    patch4.platform=LINUX.X64
    patch4.target_version=21
    patch4.patch=OPATCH
    
    patch5.platform=LINUX.X64
    patch5.target_version=26
    patch5.patch=OPATCH
    
    • AutoUpgrade supports downloading patches from Oracle Database 19c and onwards.

Creating an AutoUpgrade Keystore

The first time I use AutoUpgrade to download patches, I must store my MOS credentials in the AutoUpgrade keystore.

  1. I create my config file. It must include global.keystore to specify the location of the AutoUpgrade keystore.

  2. I start the password console:

    java -jar autoupgrade.jar -config get-patches -patch -load_password
    
  3. AutoUpgrade prompts for a password to protect its keystore. AutoUpgrade uses the password to encrypt the keystore, which stores my My Oracle Support credentials.

    • This is not the database keystore password that you use for TDE Tablespace Encryption.
    Processing config file ...
    
    Starting AutoUpgrade Patching Password Loader - Type help for available options
    Creating new AutoUpgrade Patching keystore - Password required
    Enter password:
    Enter password again:
    
  4. I specify my MOS username. AutoUpgrade then prompts me for the MOS password:

    MOS> add -user <mos-username-or-email>
    Enter your secret/Password:
    Re-enter your secret/Password:
    
  5. I save the changes, and I choose to create an auto-login keystore so I don’t have to enter the AutoUpgrade keystore password every time AutoUpgrade starts:

    MOS> save
    Convert the AutoUpgrade Patching keystore to auto-login [YES|NO] ? YES
    
  6. I exit, and that’s it:

    MOS> exit
    
    AutoUpgrade Patching Password Loader finished - Exiting AutoUpgrade Patching
    

Here’s a video explaining the use of the AutoUpgrade keystore:

Further Reading

AutoUpgrade New Features: Download the Newest AutoUpgrade.jar

I’ve told you a million times:

Always get the latest version of AutoUpgrade!

A while ago, AutoUpgrade even became available for direct download from Oracle.com. But it must be even easier.

Now, AutoUpgrade downloads the latest version of itself when you use the keywords RECOMMENDED or AU. Here’s an example:

global.global_log_dir=/home/oracle/autoupgrade-patching/log
global.keystore=/home/oracle/autoupgrade-patching/keystore
global.folder=/home/oracle/autoupgrade/patches
patch1.target_version=19
patch1.patch=RECOMMENDED

I start AutoUpgrade:

java -jar autoupgrade.jar -config download.cfg -mode download -patch

Conveniently, AutoUpgrade grabs the latest version after downloading the patches:

Connected to MOS - Searching for specified patches

-----------------------------------------------------
Downloading files to /home/oracle/autoupgrade/patches
-----------------------------------------------------
DATABASE RELEASE UPDATE 19.30.0.0.0(REL-JAN260130)
    File: p38632161_190000_Linux-x86-64.zip - LOCATED

...

autoupgrade.jar 26.2 (February 2026)
    File: autoupgrade.jar - LOCATED
-----------------------------------------------------

Simple and easy!

Other Tools

Besides AutoUpgrade, there are other important tools for Oracle AI Database.

Here’s a little sneak peek at what the next version of AutoUpgrade brings. Using this config file:

global.global_log_dir=/home/oracle/autoupgrade-patching/log
global.keystore=/home/oracle/autoupgrade-patching/keystore
global.folder=/home/oracle/autoupgrade/patches

patch1.target_version=19
patch1.patch=AHF,CVU,SQLCL

You’ll get the latest versions of:

  • Autonomous Health Framework
  • Cluster Verification Utility
  • SQLcl

Leave a comment if you think there are other tools that AutoUpgrade should get for you.