5 Managing Keystores and TDE Master Encryption Keys in United Mode
United mode enables you to create a common keystore for the CDB and the PDBs for which the keystore is in united mode.
The keys for the CDB and the PDBs reside in the common keystore.
- About Managing Keystores and TDE Master Encryption Keys in United Mode
In united mode, you create the keystore and TDE master encryption key for CDB and PDBs that reside in the same keystore. - Operations That Are Allowed in United Mode
ManyADMINISTER KEY MANAGEMENT
operations performed in the CDB root apply to keystores and encryption keys in the united mode PDB. - Operations That Are Not Allowed in a United Mode PDB
ADMINISTER KEY MANAGEMENT
operations that are not allowed in a united mode PDB can be performed in the CDB root. - Configuring the Keystore Location and Type for United Mode
For united mode, you can configure the keystore location and type by using only parameters or a combination of parameters and theALTER SYSTEM
statement. - Configuring a Software Keystore for Use in United Mode
In united mode, the software keystore resides in the CDB root but the master keys from this keystore are available for the PDBs that have their keystore in united mode. - Configuring a Hardware Keystore in United Mode
In united mode, a hardware keystore resides in a hardware security module (HSM), which is designed to store encryption keys. - Administering Keystores and TDE Master Encryption Keys in United Mode
After you configure a keystore and master encryption key for use in united mode, you can perform tasks such as rekeying TDE master encryption keys. - Administering Transparent Data Encryption in United Mode
You can perform general administrative tasks with Transparent Data Encryption in united mode.
Parent topic: Using Transparent Data Encryption
About Managing Keystores and TDE Master Encryption Keys in United Mode
In united mode, you create the keystore and TDE master encryption key for CDB and PDBs that reside in the same keystore.
The keys for PDBs having keystore in united mode, can be created from CDB root or from the PDB.
This design enables you to have one keystore to manage the entire CDB environment, enabling the PDBs to share this keystore, but you can customize the behavior of this keystore in the individual united mode PDBs. For example, in a united mode PDB, you can configure a TDE master encryption key for the PDB in the united keystore that you created in the CDB root, open the keystore locally, and close the keystore locally. In order to perform these actions, the keystore in the CDB root must be open.
Before you configure your environment to use united mode or isolated mode, all the PDBs in the CDB environment are considered to be in united mode.
To use united mode, you must follow these general steps:
-
In the CDB root, configure the database to use united mode by setting the
WALLET_ROOT
andTDE_CONFIGURATION
parameters.The
WALLET_ROOT
parameter sets the location for the wallet directory and theTDE_CONFIGURATION
parameter sets the type of keystore to use. -
Restart the database so that these settings take effect.
-
In the CDB root, create the keystore, open the keystore, and then create the TDE master encryption key.
-
In each united mode PDB, perform TDE master encryption key tasks as needed, such as opening the keystore locally in the united mode PDB and creating the TDE master encryption key for the PDB. Remember that the keystore is managed by the CDB root, but must contain a TDE master encryption key that is specific to the PDB for the PDB to be able to use TDE.
When you run ADMINISTER KEY MANAGEMENT
statements in united mode from the CDB root, if the statement accepts the CONTAINER
clause, and if you set it to ALL
, then the statement applies only to the CDB root and its associated united mode PDBs. Any PDB that is in isolated mode is not affected.
Operations That Are Allowed in United Mode
Many ADMINISTER KEY MANAGEMENT
operations performed in the CDB root apply to keystores and encryption keys in the united mode PDB.
Available United Mode-Related Operations in a CDB Root
Table 5-1 describes the ADMINISTER KEY MANAGEMENT
operations that you can perform in the CDB root.
Table 5-1 ADMINISTER KEY MANAGEMENT United Mode Operations in a CDB Root
Operation | Syntax | United Mode Notes |
---|---|---|
Creating a keystore |
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE ['keystore_location'] IDENTIFIED BY keystore_password; |
After you create the keystore in the CDB root, by default it is available in the united mode PDBs. Do not include the |
Opening a keystore |
ADMINISTER KEY MANAGEMENT
SET KEYSTORE OPEN
IDENTIFIED BY
[EXTERNAL STORE | keystore_password]
[CONTAINER = ALL | CURRENT]; |
In this operation, the |
Changing a keystore password |
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY old_keystore_password SET new_keystore_passwordWITH BACKUP [USING 'backup_identifier']; |
Do not include the |
Backing up a keystore |
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE [USING 'backup_identifier'] [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [TO 'keystore_location']; |
Do not include the |
Closing a keystore without force |
ADMINISTER KEY MANAGEMENT
SET KEYSTORE CLOSE
[IDENTIFIED BY [EXTERNAL STORE | keystore_password]]
[CONTAINER = ALL | CURRENT]; |
If an isolated mode PDB keystore is open, then this statement raises an |
Closing a keystore with force |
ADMINISTER KEY MANAGEMENT
FORCE KEYSTORE CLOSE
[IDENTIFIED BY [EXTERNAL STORE | keystore_password]]
[CONTAINER = ALL | CURRENT]; |
This operation allows the keystore to be closed in the CDB root when an isolated keystore is open. |
Creating and activating a new TDE master encryption key (rekeying) |
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY [FORCE KEYSTORE] [USING TAG 'tag_name'] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = ALL | CURRENT] |
- |
Creating a user-defined TDE master encryption key for either now ( |
ADMINISTER KEY MANAGEMENT [SET | CREATE] [ENCRYPTION] KEY 'mkid:mk | mk' [USING ALGORITHM 'algorithm'] [FORCE KEYSTORE] [USING TAG 'tag_name'] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = CURRENT]; |
- |
Activating an existing TDE master encryption key |
ADMINISTER KEY MANAGEMENT USE [ENCRYPTION] KEY 'key_id [USING TAG 'tag'] IDENTIFIED BY [EXTERNAL STORE | keystore_password] WITH BACKUP [USING 'backup_identifier']; |
Do not include the |
Tagging a TDE master encryption key |
ADMINISTER KEY MANAGEMENT SET TAG 'tag' FOR 'key_id' IDENTIFIED BY [EXTERNAL STORE | keystore_password ] WITH BACKUP [USING 'backup_identifier']; |
Do not include the |
Moving a TDE master encryption key to a new keystore |
ADMINISTER KEY MANAGEMENT MOVE [ENCRYPTION] KEYS TO NEW KEYSTORE 'keystore_location1' IDENTIFIED BY keystore1_password FROM [FORCE] KEYSTORE IDENTIFIED BY keystore_password [WITH IDENTIFIER IN { 'key_id' [, 'key_id' ]... | ( subquery ) } ] [WITH BACKUP [USING 'backup_identifier']; |
You can only move the master encryption key to a keystore that is within the same container (for example, between keystores in the CDB root or between keystores in the same PDB). You cannot move the master encryption key from a keystore in the CDB root to a keystore in a PDB, and vice versa. Do not include the |
Available Operations in a United Mode PDB
Table 5-2 describes the ADMINISTER KEY MANAGEMENT
operations that you can perform in a united mode PDB.
Table 5-2 ADMINISTER KEY MANAGEMENT United Mode PDB Operations
Operation | Syntax | United Mode Notes |
---|---|---|
Opening a keystore |
ADMINISTER KEY MANAGEMENT
SET KEYSTORE OPEN
IDENTIFIED BY
[EXTERNAL STORE | keystore_password]
[CONTAINER = CURRENT]; |
In this operation, the |
Closing a keystore without force |
ADMINISTER KEY MANAGEMENT
SET KEYSTORE CLOSE
[IDENTIFIED BY keystore_password]
[CONTAINER = CURRENT]; |
- |
Closing a keystore with force |
ADMINISTER KEY MANAGEMENT
FORCE KEYSTORE CLOSE
IDENTIFIED BY
[EXTERNAL STORE | keystore_password]
[CONTAINER = CURRENT]; |
- |
Creating and activating a new TDE master encryption key (rekeying or rotating) |
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY [FORCE KEYSTORE] [USING TAG 'tag_name'] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = CURRENT]; |
- |
Creating a user-defined TDE master encryption key for use either now ( |
ADMINISTER KEY MANAGEMENT SET | CREATE [ENCRYPTION] KEY 'mkid:mk | mk' [USING ALGORITHM 'algorithm'] [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = CURRENT]; |
- |
Activating an existing TDE master encryption key |
ADMINISTER KEY MANAGEMENT USE [ENCRYPTION] KEY 'key_id' [USING TAG 'tag'] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [WITH BACKUP [USING 'backup_identifier']]; |
Do not include the |
Tagging a TDE master encryption key |
ADMINISTER KEY MANAGEMENT SET TAG 'tag' FOR 'key_id' [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [WITH BACKUP [USING 'backup_identifier']]; |
Do not include the |
Moving an encryption key to a new keystore |
ADMINISTER KEY MANAGEMENT MOVE [ENCRYPTION] KEYS TO NEW KEYSTORE 'keystore_location1' IDENTIFIED BY keystore1_password FROM [FORCE] KEYSTORE IDENTIFIED BY keystore_password [WITH IDENTIFIER IN { 'key_id' [, 'key_id' ]... | ( subquery ) } ] [WITH BACKUP [USING 'backup_identifier']]; |
Do not include the |
Moving a key from a united mode keystore in the CDB root to an isolated mode keystore in a PDB |
ADMINISTER KEY MANAGEMENT ISOLATE KEYSTORE IDENTIFIED BY isolated_keystore_password FROM ROOT KEYSTORE [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | united_keystore_password] [WITH BACKUP [USING backup_id]]; |
Do not include the |
Using the |
ADMINISTER KEY MANAGEMENT [FORCE] ISOLATE KEYSTORE IDENTIFIED BY isolated_keystore_password FROM ROOT KEYSTORE [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | united_keystore_password] [WITH BACKUP [USING backup_id]]; |
- |
Operations That Are Not Allowed in a United Mode PDB
ADMINISTER KEY MANAGEMENT
operations that are not allowed in a united mode PDB can be performed in the CDB root.
These operations are as follows:
-
Keystore operations:
-
Performing merge operations on keystores
-
Exporting a keystore
-
Importing a keystore
-
Migrating a keystore
-
Reverse-migrating a keystore
-
Moving the keys of a keystore that is in the CDB root into the keystores of a PDB
-
Moving the keys from a PDB into a united mode keystore that is in the CDB root
-
-
Encryption key operations:
-
Using the
CONTAINER = ALL
clause to create a new TDE master encryption key for later user in each pluggable database (PDB)
-
-
Client secret operations:
-
Adding client secrets
-
Updating client secrets
-
Deleting client secrets
-
Configuring the Keystore Location and Type for United Mode
For united mode, you can configure the keystore location and type by using only parameters or a combination of parameters and the ALTER SYSTEM
statement.
- Configuring United Mode by Editing the Initialization Parameter File
You can configure united mode by setting both theWALLET_ROOT
andTDE_CONFIGURATION
parameters in the initialization parameter file. - Configuring United Mode with the Initialization Parameter File and ALTER SYSTEM
If your environment relies on server parameter files (spfile) or parameter files (pfile), then you can setTDE_CONFIGURATION
usingALTER SYSTEM
withSCOPE
.
Configuring United Mode by Editing the Initialization Parameter File
You can configure united mode by setting both the WALLET_ROOT
and TDE_CONFIGURATION
parameters in the initialization parameter file.
Configuring United Mode with the Initialization Parameter File and ALTER SYSTEM
If your environment relies on server parameter files (spfile) or parameter files (pfile), then you can set TDE_CONFIGURATION
using ALTER SYSTEM
with SCOPE
.
WALLET_ROOT
static initialization parameter in the initialization parameter file.
Configuring a Software Keystore for Use in United Mode
In united mode, the software keystore resides in the CDB root but the master keys from this keystore are available for the PDBs that have their keystore in united mode.
- About Configuring a Software Keystore in United Mode
In united mode, the keystore that you create in the CDB root will be accessible by the united mode PDBs. - Step 1: Create the Software Keystore
In united mode, you must create the keystore in the CDB root. - Step 2: Open the Software Keystore in a United Mode PDB
To open a software keystore in united mode, you must use theADMINISTER KEY MANAGEMENT
statement with theSET KEYSTORE OPEN
clause. - Step 3: Set the TDE Master Encryption Key in the Software Keystore in United Mode
To set the TDE master encryption key in the keystore when the PDB is configured in united mode, use theADMINISTER KEY MANAGEMENT
statement with theSET KEY
clause. - Step 4: Encrypt Your Data in United Mode
Now that you have completed the keystore configuration and the PDB is configured in united mode, you can begin to encrypt data in the PDB.
About Configuring a Software Keystore in United Mode
In united mode, the keystore that you create in the CDB root will be accessible by the united mode PDBs.
In general, to configure a united mode software keystore after you have enabled united mode, you create and open the keystore in the CDB root, and then create a master encryption key for this keystore. Afterward, you can begin to encrypt data for tables and tablespaces that will be accessible throughout the CDB environment.
The V$ENCRYPTION_WALLET
dynamic view describes the status and location of the keystore. For example, the following query shows the open-closed status and the keystore location of the CDB root keystore (CON_ID 1
) and its associated united mode PDBs. The WRL_PARAMETER
column shows the CDB root keystore location being in the $ORACLE_BASE/wallet/tde
directory.
SELECT CON_ID, STATUS, WRL_PARAMETER FROM V$ENCRYPTION_WALLET; CON_ID STATUS WRL_PARAMETER ------ ------ ----------------------------- 1 OPEN /app/oracle/wallet/tde/ 2 CLOSED 3 OPEN 4 OPEN 5 OPEN
In this output, there is no keystore path listed for the other PDBs in this CDB because these PDBs use the keystore in the CDB root. If any of these PDBs are isolated and you create a keystore in the isolated mode PDB, then when you perform this query, the WRL_PARAMETER
column will show the keystore path for the isolated mode PDB.
You can create a secure external store for the software keystore. This feature enables you to hide the password from the operating system: it removes the need for storing clear-text keystore passwords in scripts or other tools that can access the database without user intervention, such as overnight batch scripts. The location for this keystore is set by the EXTERNAL_KEYSTORE_CREDENTIAL_LOCATION
initialization parameter. In a multitenant environment, different PDBs can access this external store location when you run the ADMINISTER KEY MANAGEMENT
statement using the IDENTIFIED BY EXTERNAL STORE
clause. This way, you can centrally locate the password and then update it only once in the external store.
Parent topic: Configuring a Software Keystore for Use in United Mode
Step 1: Create the Software Keystore
In united mode, you must create the keystore in the CDB root.
ewallet.p12
file, which contains the keystore, appears in the designated keystore location. For example, if you had set the WALLET_ROOT
parameter to $ORACLE_BASE/wallet
and the TDE_CONFIGURATION
parameter to FILE
(for TDE, which creates a tde
directory in the wallet root location), then the keystore will be created in the $ORACLE_BASE/wallet/tde
directory. The name of the keystore is ewallet.p12
.
Related Topics
Parent topic: Configuring a Software Keystore for Use in United Mode
Step 2: Open the Software Keystore in a United Mode PDB
To open a software keystore in united mode, you must use the ADMINISTER KEY MANAGEMENT
statement with the SET KEYSTORE OPEN
clause.
Related Topics
Parent topic: Configuring a Software Keystore for Use in United Mode
Step 3: Set the TDE Master Encryption Key in the Software Keystore in United Mode
To set the TDE master encryption key in the keystore when the PDB is configured in united mode, use the ADMINISTER KEY MANAGEMENT
statement with the SET KEY
clause.
Parent topic: Configuring a Software Keystore for Use in United Mode
Configuring a Hardware Keystore in United Mode
In united mode, a hardware keystore resides in a hardware security module (HSM), which is designed to store encryption keys.
- About Configuring a Hardware Keystore in United Mode
You must create a hardware keystore in a PDB using isolated mode but you can perform other tasks in united mode. - Step 1: Configure the United Mode Hardware Security Module
To configure a third-party hardware security module, you must copy the PKCS#11 library to the correct location and follow your vendor's instructions - Step 2: Open the Hardware Keystore in a United Mode PDB
To open a hardware keystore in united mode, you must use theADMINISTER KEY MANAGEMENT
statement with theSET KEYSTORE OPEN
clause. - Step 3: Set the TDE Master Encryption Key in the Hardware Keystore in United Mode
To set the TDE master encryption key in the keystore when the PDB is configured in united mode, use theADMINISTER KEY MANAGEMENT
statement with theSET KEY
clause. - Step 4: Encrypt Your Data in United Mode
Now that you have completed the keystore configuration and the PDB is configured in united mode, you can begin to encrypt data in the PDB.
About Configuring a Hardware Keystore in United Mode
You must create a hardware keystore in a PDB using isolated mode but you can perform other tasks in united mode.
To configure a hardware keystore for a PDB in isolated mode, you first must set the WALLET_ROOT
parameter. This is necessary for two reasons: first, to have support for migrating to a software keystore in the future, and second, because the configuration file for Oracle Key Vault is retrieved from a location under WALLET_ROOT
. Afterwards, you must set the KEYSTORE_CONFIGURATION
attribute of the TDE_CONFIGURATION
parameter to HSM
or OKV
, open the configured hardware keystore, and then set the TDE master encryption key for the PDB. After you complete these tasks, you can begin to encrypt data in the PDB.
How you specify the IDENTIFIED BY
clause when you run the ADMINISTER KEY MANAGEMENT
statement depends on the type of hardware keystore. For a hardware security module (HSM
), you use the following syntax:
IDENTIFIED BY "user_name:password"
For an Oracle Key Vault keystore, you can omit the user_name
and colon (but keep the quotation marks):
IDENTIFIED BY "password"
Parent topic: Configuring a Hardware Keystore in United Mode
Step 1: Configure the United Mode Hardware Security Module
To configure a third-party hardware security module, you must copy the PKCS#11 library to the correct location and follow your vendor's instructions
Related Topics
Parent topic: Configuring a Hardware Keystore in United Mode
Step 2: Open the Hardware Keystore in a United Mode PDB
To open a hardware keystore in united mode, you must use the ADMINISTER KEY MANAGEMENT
statement with the SET KEYSTORE OPEN
clause.
Related Topics
Parent topic: Configuring a Hardware Keystore in United Mode
Step 3: Set the TDE Master Encryption Key in the Hardware Keystore in United Mode
To set the TDE master encryption key in the keystore when the PDB is configured in united mode, use the ADMINISTER KEY MANAGEMENT
statement with the SET KEY
clause.
Parent topic: Configuring a Hardware Keystore in United Mode
Administering Keystores and TDE Master Encryption Keys in United Mode
After you configure a keystore and master encryption key for use in united mode, you can perform tasks such as rekeying TDE master encryption keys.
- Changing the Keystore Password in United Mode
You can change the password of either a software keystore or a hardware keystores only in the CDB root. - Backing Up a Password-Protected Software Keystore in United Mode
TheBACKUP KEYSTORE
clause of theADMINISTER KEY MANAGEMENT
statement backs up a password-protected software keystore. - Closing Keystores in United Mode
You can close both software and hardware keystores in united mode, unless the system tablespace is encrypted. - Creating a User-Defined TDE Master Encryption Key in United Mode
To create a user-defined TDE master encryption key, use theADMINISTER KEY MANAGEMENT
statement with theSET | CREATE [ENCRYPTION] KEY
clause. - Example: Creating a Master Encryption Key in All PDBs
You can use theADMINISTER KEY MANAGEMENT CREATE KEY USING TAG
statement to create a TDE master encryption key in all PDBs. - Creating a TDE Master Encryption Key for Later Use in United Mode
A keystore must be opened before you can create a TDE master encryption key for use later on in united mode. - Activating a TDE Master Encryption Key in United Mode
To activate a TDE master encryption key in united mode, you must open the keystore and useADMINISTER KEY MANAGEMENT
with theUSE KEY
clause. - Rekeying the TDE Master Encryption Key in United Mode
You can use theADMINISTER KEY MANAGEMENT
statement with theSET KEY
clause to rekey a TDE master encryption key. - Finding the TDE Master Encryption Key That Is in Use in United Mode
A TDE master encryption key that is in use is the key that was activated most recently for the database. - Creating a Custom Attribute Tag in United Mode
To create a custom attribute tag in united mode, you must use theSET TAG
clause of theADMINISTER KEY MANAGEMENT
statement. - Moving a TDE Master Encryption Key into a New Keystore in United Mode
In united mode, you can move an existing TDE master encryption key into a new keystore from an existing software password keystore. - Automatically Removing Inactive TDE Master Encryption Keys in United Mode
In united mode, theREMOVE_INACTIVE_STANDBY_TDE_MASTER_KEY
initialization parameter can configure the automatic removal of inactive TDE master encryption keys. - Isolating a Pluggable Database Keystore
Isolating a PDB keystore moves the master encryption key from the CDB root keystore into an isolated mode keystore in the a PDB.
Changing the Keystore Password in United Mode
You can change the password of either a software keystore or a hardware keystores only in the CDB root.
- Changing the Password-Protected Software Keystore Password in United Mode
To change the password of a password-protected software keystore in united mode, you must use theADMINISTER KEY MANAGEMENT
statement in the CDB root. - Changing the Password of a Hardware Keystore in United Mode
To change the password of a hardware keystore, you must close the hardware keystore and then change the password from the hardware keystore management interface.
Changing the Password-Protected Software Keystore Password in United Mode
To change the password of a password-protected software keystore in united mode, you must use the ADMINISTER KEY MANAGEMENT
statement in the CDB root.
-
Log in to the CDB root as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege. -
Use the following syntax to change the password for the keystore:
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD [FORCE KEYSTORE] IDENTIFIED BY old_keystore_password SET new_keystore_password [WITH BACKUP [USING 'backup_identifier']];
In this specification:
-
FORCE KEYSTORE
temporarily opens the password-protected keystore for this operation if the keystore is closed if an auto-login keystore is configured and is currently open, or if a password-protected keystore is configured and is currently closed. -
old_password
is the current keystore password that you want to change. -
new_password
is the new password that you set for the keystore. -
You do not need to include the
CONTAINER
clause because the password can only be changed locally, in the CDB root.
The following example creates a backup of the keystore and then changes the password:
ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY old_password SET new_password WITH BACKUP USING 'pwd_change'; keystore altered.
This example performs the same operation but uses the
FORCE KEYSTORE
clause in case the auto-login software keystore is in use or the password-protected software keystore is closed.ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY old_password SET new_password WITH BACKUP USING 'pwd_change'; keystore altered.
-
Changing the Password of a Hardware Keystore in United Mode
To change the password of a hardware keystore, you must close the hardware keystore and then change the password from the hardware keystore management interface.
-
Log in to the CDB root as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege. -
Close the hardware keystore.
For example, for an HSM:
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "psmith:password";
For a keystore whose password is stored externally:
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY EXTERNAL STORE;
-
From the hardware security module management interface, create a new hardware security module password.
-
Update the credentials of the HSM in the external store to use "
user_name:password"
.Currently, the external store contains the old HSM credentials, which would no longer work.
For example:
ADMINISTER KEY MANAGEMENT UPDATE SECRET 'user_name:password' FOR CLIENT 'TDE_WALLET' TO LOCAL AUTO_LOGIN KEYSTORE '/etc/ORACLE/WALLETS/orcl/external_store';
-
In SQL*Plus, open the hardware keystore.
For example, for an HSM:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "psmith:new_password";
For a hardware keystore whose password is stored externally:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY EXTERNAL STORE;
Related Topics
Parent topic: Changing the Keystore Password in United Mode
Backing Up a Password-Protected Software Keystore in United Mode
The BACKUP KEYSTORE
clause of the ADMINISTER KEY MANAGEMENT
statement backs up a password-protected software keystore.
-
Log in to the CDB root as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege.For example:
sqlplus c##sec_admin@hrpdb as syskm Enter password: password Connected.
-
Back up the keystore by using the following syntax:
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE [USING 'backup_identifier'] [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | software_keystore_password] [TO 'keystore_location'];
In this specification:
-
USING
backup_identifier
is an optional string that you can provide to identify the backup. Enclose this identifier in single quotation marks (' '
). This identifier is appended to the named keystore file (for example,ewallet_
time-stamp
_emp_key_backup.p12
). -
FORCE KEYSTORE
temporarily opens the password-protected keystore for this operation. You must open the keystore for this operation. -
IDENTIFIED BY
is required for theBACKUP KEYSTORE
operation on a password-protected keystore because although the backup is simply a copy of the existing keystore, the status of the TDE master encryption key in the password-protected keystore must be set toBACKED UP
and for this change the keystore password is required. -
keystore_location
is the path at which the backup keystore is stored. This setting is restricted to the PDB when the PDB lockdown profileEXTERNAL_FILE_ACCESS
setting is blocked in the PDB or when thePATH_PREFIX
variable was not set when the PDB was created. If you do not specify thekeystore_location
, then the backup is created in the same directory as the original keystore. Enclose this location in single quotation marks (' '
). -
You do not need to include the
CONTAINER
clause because the keystore can only be backup up locally, in the CDB root.
The following example backs up a software keystore in the same location as the source keystore.
ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'hr.emp_keystore' FORCE KEYSTORE IDENTIFIED BY software_keystore_password ; keystore altered.
In the following version, the password for the keystore is external, so the
EXTERNAL STORE
clause is used.ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE USING 'hr.emp_keystore' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE;
After you run this statement, an
ewallet_
identifier
.p12
file (for example,ewallet_
time-stamp
_hr.emp_keystore.p12
) appears in the keystore backup location. -
Related Topics
Closing Keystores in United Mode
You can close both software and hardware keystores in united mode, unless the system tablespace is encrypted.
- Closing a Software Keystore in United Mode
You can close password-protected keystores, auto-login keystores, and local auto-login software keystores in united mode. - Closing a Hardware Keystore in United Mode
To close a hardware keystore, you must use theADMINISTER KEY MANAGEMENT
statement with theSET KEYSTORE CLOSE
clause.
Closing a Software Keystore in United Mode
You can close password-protected keystores, auto-login keystores, and local auto-login software keystores in united mode.
- Log in to the CDB root or the united mode PDB as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege. - Close the software keystore.
- For a password-protected software keystore, use the following syntax if you are in the CDB root:
ADMINISTER KEY MANAGEMENT SET | FORCE KEYSTORE CLOSE [IDENTIFIED BY [EXTERNAL STORE | software_keystore_password]] [CONTAINER = ALL | CURRENT];
Use the
SET
clause to close the keystore without force. If there is a dependent keystore that is open (for example, an isolated mode PDB keystore and you are trying to close the CDB root keystore), then anORA-46692 cannot close wallet
error appears. If this happens, then use theFORCE
clause instead ofSET
to temporarily close the dependent keystore during the close operation. TheSTATUS
column of theV$ENCRYPTION_WALLET
view shows if a keystore is open.If you are in the united mode PDB, then either omit the
CONTAINER
clause or set it toCURRENT
. - For an auto-login or local auto-login software keystore, use this syntax if you are in the CDB root:
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE [CONTAINER = ALL | CURRENT];
- For a password-protected software keystore, use the following syntax if you are in the CDB root:
Related Topics
Parent topic: Closing Keystores in United Mode
Closing a Hardware Keystore in United Mode
To close a hardware keystore, you must use the ADMINISTER KEY MANAGEMENT
statement with the SET KEYSTORE CLOSE
clause.
Related Topics
Parent topic: Closing Keystores in United Mode
Creating a User-Defined TDE Master Encryption Key in United Mode
To create a user-defined TDE master encryption key, use the ADMINISTER KEY MANAGEMENT
statement with the SET | CREATE [ENCRYPTION] KEY
clause.
Related Topics
Example: Creating a Master Encryption Key in All PDBs
You can use the ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG
statement to create a TDE master encryption key in all PDBs.
Example 5-1 shows how to create a master encryption key in all of the PDBs in a multitenant environment. It uses the FORCE KEYSTORE
clause in the event that the auto-login keystore in the CDB root is open. The password is stored externally, so the EXTERNAL STORE
setting is used for the IDENTIFIED BY
clause. After you execute this statement, a master encryption key is created in each PDB. You can find the identifiers for these keys as follows:
-
Log in to the PDB and then query the
TAG
column of theV$ENCRYPTION_KEYS
view. -
Log in to the CDB root and then query the
INST_ID
andTAG
columns of theGV$ENCRYPTION_KEYS
view.
You also can check the CREATION_TIME
column of these views to find the most recently created key, which would be the key that you created from this statement. After you create the keys, you can individually activate the keys in each of the PDBs.
Example 5-1 Creating a Master Encryption Key in All of the PDBs
ADMINISTER KEY MANAGEMENT CREATE KEY USING TAG 'scope:all pdbs;description:Create Key for ALL PDBS' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP CONTAINER = ALL; keystore altered.
Creating a TDE Master Encryption Key for Later Use in United Mode
A keystore must be opened before you can create a TDE master encryption key for use later on in united mode.
Related Topics
Activating a TDE Master Encryption Key in United Mode
To activate a TDE master encryption key in united mode, you must open the keystore and use ADMINISTER KEY MANAGEMENT
with the USE KEY
clause.
-
Log in to the CDB root or the united mode PDB as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege. -
Query the
ORIGIN
andKEY_ID
columns of theV$ENCRYPTION_KEYS
view to find the key identifier.For example:
SELECT ORIGIN, KEY_ID FROM V$ENCRYPTION_KEYS; ORIGIN KEY_ID ------ ---------------------------------------------- LOCAL ARaHD762tUkkvyLgPzAi6hMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-
Use this key identifier to activate the TDE master encryption key by using the following syntax:
ADMINISTER KEY MANAGEMENT USE KEY 'key_identifier_from_V$ENCRYPTION_KEYS' [USING TAG 'tag'] [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | keystore_password] WITH BACKUP [USING 'backup_identifier'] [CONTAINER = ALL | CURRENT];
In this specification:
-
FORCE KEYSTORE
temporarily opens the password-protected keystore for this operation. You must open the keystore for this operation. -
CONTAINER
: In the CDB root, setCONTAINER
to eitherALL
orCURRENT
. In a PDB, omit theCONTAINER
clause. In both cases, omittingCONTAINER
defaults toCURRENT
.
For example:
ADMINISTER KEY MANAGEMENT USE KEY 'ARaHD762tUkkvyLgPzAi6hMAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' FORCE KEYSTORE IDENTIFIED BY EXTERNAL STORE WITH BACKUP CONTAINER = ALL;
-
Related Topics
Rekeying the TDE Master Encryption Key in United Mode
You can use the ADMINISTER KEY MANAGEMENT
statement with the SET KEY
clause to rekey a TDE master encryption key.
-
Log in to the CDB root or the united mode PDB as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege. -
If you are rekeying the TDE master encryption key for a keystore that has auto login enabled, then ensure that both the auto login keystore, identified by the
.sso
file, and the encryption keystore, identified by the.p12
file, are present.You can find the location of these files by querying the
WRL_PARAMETER
column of theV$ENCRYPTION_WALLET
view. To find theWRL_PARAMETER
values for all of the database instances, query theGV$ENCRYPTION_WALLET
view. -
Rekey the TDE master encryption key by using the following syntax:
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY [FORCE KEYSTORE] [USING TAG 'tag_name'] IDENTIFIED BY [EXTERNAL STORE | keystore_password] [WITH BACKUP [USING 'backup_identifier']] [CONTAINER = ALL | CURRENT];
In this specification:
-
tag
is the associated attributes and information that you define. Enclose this setting in single quotation marks (' '
). -
FORCE KEYSTORE
temporarily opens the password-protected keystore for this operation. You must open the keystore for this operation. -
IDENTIFIED BY
can be one of the following settings:-
EXTERNAL STORE
uses the keystore password stored in the external store to perform the keystore operation. -
keystore_password
is the password that was created for this keystore.
-
-
CONTAINER
: In the CDB root, setCONTAINER
to eitherALL
orCURRENT
. In a PDB, set it toCURRENT
. In both cases, omittingCONTAINER
defaults toCURRENT
.
For example:
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY keystore_password WITH BACKUP USING 'emp_key_backup' CONTAINER = CURRENT; keystore altered.
-
Related Topics
Finding the TDE Master Encryption Key That Is in Use in United Mode
A TDE master encryption key that is in use is the key that was activated most recently for the database.
Creating a Custom Attribute Tag in United Mode
To create a custom attribute tag in united mode, you must use the SET TAG
clause of the ADMINISTER KEY MANAGEMENT
statement.
-
Log in to the CDB root or the united mode PDB as a user who has been granted the
ADMINISTER KEY MANAGEMENT
orSYSKM
privilege. -
If necessary, query the
TAG
column of theV$ENCRYPTION_KEY
dynamic view to find a listing of existing tags for the TDE master encryption keys.When you create a new tag for a TDE master encryption key, it overwrites the existing tag for that TDE master encryption key.
-
Create the custom attribute tag by using the following syntax:
ADMINISTER KEY MANAGEMENT SET TAG 'tag' FOR 'master_key_identifier' [FORCE KEYSTORE] IDENTIFIED BY [EXTERNAL STORE | keystore_password] WITH BACKUP [USING 'backup_identifier'];
In this specification
-
tag
is the associated attributes or information that you define. Enclose this information in single quotation marks (' '
). -
master_key_identifier
identifies the TDE master encryption key for which thetag
is set. To find a list of TDE master encryption key identifiers, query theKEY_ID
column of theV$ENCRYPTION_KEYS
dynamic view. -
FORCE KEYSTORE
temporarily opens the password-protected keystore for this operation. You must open the keystore for this operation. -
IDENTIFIED BY
can be one of the following settings:-
EXTERNAL STORE
uses the keystore password stored in the external store to perform the keystore operation. -
keystore_password
is the password that was created for this keystore.
-
-
backup_identifier
defines the tag values. Enclose this setting in single quotation marks (' ')
and separate each value with a colon.
For example, to create a tag that uses two values, one to capture a specific session ID and the second to capture a specific terminal ID:
ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY USING TAG 'sessionid=3205062574:terminal=xcvt' IDENTIFIED BY keystore_password WITH BACKUP; keystore altered.
Both the session ID (
3205062574
) and terminal ID (xcvt
) can derive their values by using either theSYS_CONTEXT
function with theUSERENV
namespace, or by using theUSERENV
function. -
Related Topics
Moving a TDE Master Encryption Key into a New Keystore in United Mode
In united mode, you can move an existing TDE master encryption key into a new keystore from an existing software password keystore.
Related Topics
Automatically Removing Inactive TDE Master Encryption Keys in United Mode
In united mode, the REMOVE_INACTIVE_STANDBY_TDE_MASTER_KEY
initialization parameter can configure the automatic removal of inactive TDE master encryption keys.
Isolating a Pluggable Database Keystore
Isolating a PDB keystore moves the master encryption key from the CDB root keystore into an isolated mode keystore in the a PDB.
ADMINISTER KEY MANAGEMENT
privilege for the PDB can manage the keystore.
Administering Transparent Data Encryption in United Mode
You can perform general administrative tasks with Transparent Data Encryption in united mode.
- Moving PDBs from One CDB to Another in United Mode
In united mode, you can automatically move a PDB from one CDB to another (for example, for load balancing or adding new functionality). - Unplugging and Plugging a PDB with Encrypted Data in a CDB in United Mode
In united mode, for a PDB that has encrypted data, you can plug it into a CDB. Conversely, you can unplug this PDB from the CDB. - Managing Cloned PDBs with Encrypted Data in United Mode
In united mode, you can clone a PDB that has encrypted data in a CDB. - How Keystore Open and Close Operations Work in United Mode
You should be aware of how keystore open and close operations work in united mode. - Finding the Keystore Status for All of the PDBs in United Mode
You can create a convenience function that uses theV$ENCRYPTION_WALLET
view to find the status for keystores in all PDBs in a CDB.
Moving PDBs from One CDB to Another in United Mode
In united mode, you can automatically move a PDB from one CDB to another (for example, for load balancing or adding new functionality).
ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE
dynamic system parameter to TRUE
to enable the PDB to include the TDE keys in the PDB move operation. This parameter avoids you having to manually provide a keystore password when you import the TDE keys into the PDB after it has moved to a different CDB. When ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE
is set to TRUE
, the database caches the keystore password in memory, obfuscated at the system level, and then uses it for the import operation. The default for ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE
is FALSE
.
Related Topics
Parent topic: Administering Transparent Data Encryption in United Mode
Unplugging and Plugging a PDB with Encrypted Data in a CDB in United Mode
In united mode, for a PDB that has encrypted data, you can plug it into a CDB. Conversely, you can unplug this PDB from the CDB.
- Unplugging a PDB That Has Encrypted Data in United Mode
In united mode, you can unplug a PDB with encrypted data and export it into an XML metadata file or an archive file. - Plugging a PDB That Has Encrypted Data into a CDB in United Mode
To plug a PDB that has encrypted data into a CDB, you first plug in the PDB and then you can set the keystore in the PDB. - Unplugging a PDB That Has Master Encryption Keys Stored in a Hardware Keystore in United Mode
You can unplug a PDB from one CDB that has been configured with an HSM and then plug it into another CDB also configured with an hardware keystore. - Plugging a PDB That Has Master Encryption Keys Stored in a Hardware Keystore in United Mode
TheADMINISTER KEY MANAGEMENT
statement can import a TDE master encryption key from a hardware keystore to a PDB that has been moved to another CDB.
Parent topic: Administering Transparent Data Encryption in United Mode
Unplugging a PDB That Has Encrypted Data in United Mode
In united mode, you can unplug a PDB with encrypted data and export it into an XML metadata file or an archive file.
STATUS
column of the DBA_PDBS
data dictionary view.
Plugging a PDB That Has Encrypted Data into a CDB in United Mode
To plug a PDB that has encrypted data into a CDB, you first plug in the PDB and then you can set the keystore in the PDB.
0
because this operation invalidates the history of the previous keys. You can check the key version by querying the KEY_VERSION
column of the V$ENCRYPTED_TABLESPACES
dynamic view. Similarly, if a control file is lost and recreated, then the previous history of the keys is reset to 0
. You can check if a PDB has already been plugged in by querying the STATUS
column of the DBA_PDBS
data dictionary view.
-
From the CDB root, create the PDB by plugging the unplugged PDB into the CDB.
To perform this operation for united mode, include the
DECRYPT USING transport_secret
clause.You must use this clause if the metadata or archive file for the PDB has encrypted data. Otherwise, an
ORA-46680: master keys of the container database must be exported
error is returned.-
For example, if you had exported the PDB data into a metadata XML file:
CREATE PLUGGABLE DATABASE CDB1_PDB2 USING '/tmp/cdb1_pdb2.xml' NOCOPY KEYSTORE IDENTIFIED BY password DECRYPT USING transport_secret;
-
If you had exported the PDB into an archive file:
CREATE PLUGGABLE DATABASE CDB1_PDB2 USING '/tmp/cdb1_pdb2.pdb' DECRYPT USING transport_secret;
During the open operation of the PDB after the plug operation, Oracle Database determines if the PDB has encrypted data. If so, it opens the PDB in the
RESTRICTED
mode.If you want to create the PDB by cloning another PDB or from a non-CDB, and if the source database has encrypted data or a TDE master encryption key that has been set, then you must provide the keystore password by including the
keystore identified by keystore_password
clause in theCREATE PLUGGABLE DATABASE ... FROM
SQL statement. You must provide this password even if the source database is using an auto-login software keystore. You can find if the source database has encrypted data or a TDE master encryption key set in the keystore by querying theV$ENCRYPTION_KEYS
dynamic view -
-
Open the PDB.
For example:
ALTER PLUGGABLE DATABASE CDB1_PDB2 OPEN;
-
Open the keystore in the CDB root.
For example:
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;
Optionally, open the keystore in the PDB.
-
In either the CDB root or the PDB (if the keystore is open in the PDB), set the TDE master encryption key for the PDB.
For example:
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY keystore_password WITH BACKUP USING 'emp_key_backup';
Unplugging a PDB That Has Master Encryption Keys Stored in a Hardware Keystore in United Mode
You can unplug a PDB from one CDB that has been configured with an HSM and then plug it into another CDB also configured with an hardware keystore.
Related Topics
Managing Cloned PDBs with Encrypted Data in United Mode
In united mode, you can clone a PDB that has encrypted data in a CDB.
- About Managing Cloned PDBs That Have Encrypted Data in United Mode
When you clone a PDB, you must make the master encryption key of the source PDB available to cloned PDB. - Cloning a PDB with Encrypted Data in a CDB in United Mode
TheCREATE PLUGGABLE DATABASE
statement with theKEYSTORE IDENTIFIED BY
clause can clone a PDB that has encrypted data. - Performing a Remote Clone of PDB with Encrypted Data Between Two CDBs in United Mode
TheCREATE PLUGGABLE DATABASE
statement with theKEYSTORE IDENTIFIED BY
clause can remotely clone a PDB that has encrypted data. - Relocating Across CDBs a Cloned PDB with Encrypted Data in United Mode
TheCREATE PLUGGABLE DATABASE
statement with theKEYSTORE IDENTIFIED BY
clause can relocate across CDBs a cloned PDB that has encrypted data.
Parent topic: Administering Transparent Data Encryption in United Mode
About Managing Cloned PDBs That Have Encrypted Data in United Mode
When you clone a PDB, you must make the master encryption key of the source PDB available to cloned PDB.
This allows a cloned PDB to operate on the encrypted data. To perform the clone, you do not need to export and import the keys because Oracle Database transports the keys for you even if the cloned PDB is in a remote CDB. However, you will need to provide the keystore password of the CDB where you are creating the clone.
If the PDBs have encrypted data, then you can perform remote clone operations on PDBs between CDBs, and relocate PDBs across CDBs.
Parent topic: Managing Cloned PDBs with Encrypted Data in United Mode
Cloning a PDB with Encrypted Data in a CDB in United Mode
The CREATE PLUGGABLE DATABASE
statement with the KEYSTORE IDENTIFIED BY
clause can clone a PDB that has encrypted data.
Related Topics
Parent topic: Managing Cloned PDBs with Encrypted Data in United Mode
Performing a Remote Clone of PDB with Encrypted Data Between Two CDBs in United Mode
The CREATE PLUGGABLE DATABASE
statement with the KEYSTORE IDENTIFIED BY
clause can remotely clone a PDB that has encrypted data.
How Keystore Open and Close Operations Work in United Mode
You should be aware of how keystore open and close operations work in united mode.
For each PDB in united mode, you must explicitly open the password-protected software keystore or hardware keystore in the PDB to enable the Transparent Data Encryption operations to proceed. (Auto-login and local auto-login software keystores open automatically.) Closing a keystore on a PDB blocks all of the Transparent Data Encryption operations on that PDB.
The open and close keystore operations in a PDB depend on the open and close status of the keystore in the CDB root.
Note the following:
-
You can create a separate keystore password for each PDB in united mode.
-
Before you can manually open a software password-protected or hardware keystore in an individual PDB, you must open the keystore in the CDB root.
-
If an auto-login keystore is in use, or if the keystore is closed, then include the
FORCE KEYSTORE
clause in theADMINISTER KEY MANAGEMENT
statement when you open or close the keystore. -
If the keystore is a password-protected software keystore that uses an external store for passwords, then set the
IDENTIFIED BY
clause toEXTERNAL STORE
. -
Before you can set a TDE master encryption key in an individual PDB, you must set the key in the CDB root.
-
Auto-login and local auto-login software keystores open automatically. You do not need to manually open these from the CDB root first, or from the PDB.
-
If you close the keystore in the CDB root, then the keystores in the dependent PDBs also close. A keystore close operation in the root is the equivalent of performing a keystore close operation with the
CONTAINER
clause set toALL
. -
If you perform an
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
statement in the CDB root and set theCONTAINER
clause toALL
, then the keystore will only be opened in each PDB that is configured in united mode, and any PDB that is configured in isolated mode is not opened.
Parent topic: Administering Transparent Data Encryption in United Mode
Finding the Keystore Status for All of the PDBs in United Mode
You can create a convenience function that uses the V$ENCRYPTION_WALLET
view to find the status for keystores in all PDBs in a CDB.
The V$ENCRYPTION_WALLET
view displays the status of the keystore in a PDB, whether it is open, closed, uses a software or hardware keystore, and so on.
-
To create a function that uses the
V$ENCRYPTION_WALLET
view to find the keystore status, use theCREATE PROCEDURE
PL/SQL statement.
Example 5-2 shows how to create this function.
Example 5-2 Function to Find the Keystore Status of All of the PDBs in a CDB
CREATE OR REPLACE PROCEDURE all_pdb_v$encryption_wallet IS err_occ BOOLEAN; curr_pdb VARCHAR2(30); pdb_name VARCHAR2(30); wrl_type VARCHAR2(20); status VARCHAR2(30); wallet_type VARCHAR2(20); wallet_order VARCHAR2(12); fully_backed_up VARCHAR2(15); wrl_parameter VARCHAR2(4000); cursor sel_pdbs IS SELECT NAME FROM V$CONTAINERS WHERE NAME <> 'PDB$SEED' order by con_id desc; BEGIN -- Store the original PDB name SELECT sys_context('userenv', 'con_name') INTO curr_pdb FROM DUAL; IF curr_pdb <> 'CDB$ROOT' THEN dbms_output.put_line('Operation valid in ROOT only'); END IF; err_occ := FALSE; dbms_output.put_line('---'); dbms_output.put_line('PDB_NAME WRL_TYPE STATUS '); dbms_output.put_line('------------------------------ -------- ------------------------------'); dbms_output.put_line('WALLET_TYPE WALLET_ORDER FULLY_BACKED_UP'); dbms_output.put_line('-------------------- ------------ ---------------'); dbms_output.put_line('WRL_PARAMETER'); dbms_output.put_line('--------------------------------------------------------------------------'); FOR pdbinfo IN sel_pdbs LOOP pdb_name := DBMS_ASSERT.ENQUOTE_NAME(pdbinfo.name, FALSE); EXECUTE IMMEDIATE 'ALTER SESSION SET CONTAINER = ' || pdb_name; BEGIN pdb_name := rpad(substr(pdb_name,1,30), 30, ' '); EXECUTE IMMEDIATE 'SELECT wrl_type from V$ENCRYPTION_WALLET' into wrl_type; wrl_type := rpad(substr(wrl_type,1,8), 8, ' '); EXECUTE IMMEDIATE 'SELECT status from V$ENCRYPTION_WALLET' into status; status := rpad(substr(status,1,30), 30, ' '); EXECUTE IMMEDIATE 'SELECT wallet_type from V$ENCRYPTION_WALLET' into wallet_type; wallet_type := rpad(substr(wallet_type,1,20), 20, ' '); EXECUTE IMMEDIATE 'SELECT wallet_order from V$ENCRYPTION_WALLET' into wallet_order; wallet_order := rpad(substr(wallet_order,1,9), 12, ' '); EXECUTE IMMEDIATE 'SELECT fully_backed_up from V$ENCRYPTION_WALLET' into fully_backed_up; fully_backed_up := rpad(substr(fully_backed_up,1,9), 15, ' '); EXECUTE IMMEDIATE 'SELECT wrl_parameter from V$ENCRYPTION_WALLET' into wrl_parameter; wrl_parameter := rpad(substr(wrl_parameter,1,79), 79, ' '); dbms_output.put_line(pdb_name || ' ' || wrl_type || ' ' || status); dbms_output.put_line(wallet_type || ' ' || wallet_order || ' ' || fully_backed_up); dbms_output.put_line(wrl_parameter); EXCEPTION WHEN OTHERS THEN err_occ := TRUE; END; END LOOP; IF err_occ = TRUE THEN dbms_output.put_line('One or more PDB resulted in an error'); END IF; END; . / set serveroutput on exec all_pdb_v$encryption_wallet;
Parent topic: Administering Transparent Data Encryption in United Mode