MIME-Version: 1.0
References: <CAP0kZ-2Hb3jCFXY=SHEp58yzY9ZNEz13fP8hcYePkKjfxzWAug@mail.gmail.com>
 <CAEwv4fHHQjzyUKGOiCbQRbT1wuEOBU_rgh0=F4ucwJsAYQfWyg@mail.gmail.com>
In-Reply-To: <CAEwv4fHHQjzyUKGOiCbQRbT1wuEOBU_rgh0=F4ucwJsAYQfWyg@mail.gmail.com>
From: Ruan Linehan <ruandav@gmail.com>
Date: Wed, 1 Jan 2020 20:19:44 +0000
Message-ID: <CAP0kZ-23JSQW97qB=n-aeRzo5gBDRkEa1zYD_=0YXya=58s_OQ@mail.gmail.com>
Subject: Re: 12.1-12.2 PDB Upgrade with TDE
To: anthony Sanchez <anthonycsanchez@gmail.com>, Oracle-L oracle-l <oracle-l@freelists.org>
Content-Type: multipart/alternative; boundary="000000000000ca70fb059b19ccbf"
Sender: oracle-l-bounce@freelists.org
Errors-to: oracle-l-bounce@freelists.org
Precedence: normal
Reply-To: ruandav@gmail.com
--000000000000ca70fb059b19ccbf
Content-Type: text/plain; charset="UTF-8"

Hi Angthony,

Yes, have tried to rekey and also tried to explicitly direct the cloned PDB
to "use" the supposedly (partially?) imported key (when the key has been
imported prior to a clone attempt). e.g. administer key management use key
'Abcf34545....etc' identified by "password2" with backup;

Notably, a rekey or the 'use key' AKM commands will not work until I have
brought the cloned PDB out of restricted mode as I will receive the error
below...
ORA-28442: Rekey of the TDE Master encryption key is not permitted when the
database is in restricted mode...

Which means that I pretty much have to attempt an import of the key to
remove the pdb_plug_in_violation, and perform the upgrade steps, in order
to reach a position where I must close/open the PDB to finally get it out
of restricted mode *before* I attempt to either 'set' or 'use key'... and
by that stage, the PDB is not in a positive state with the usual TDE
specific errors and complaints completely littering the alert log.

There are about 33 slightly different methods now (in terms of either
sequencing or commands) which I have attempted to perform. All of which I
know do not work in my scenario. Just hoping someone may have crossed this
particular bridge before me and can suggest what just one working
sequence/path should look like, so I can focus on debugging that route...

Thanks,
Ruan

On Wed, Jan 1, 2020 at 4:45 PM anthony Sanchez <anthonycsanchez@gmail.com>
wrote:

> Hi ruan,
> Have you tried resetting the master key in your pdb after clone?
>
> Connect to pdb
>
> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY
> keystorepassword with backup;
>
>
>
>
> On Wed, Jan 1, 2020, 3:40 AM Ruan Linehan <ruandav@gmail.com> wrote:
>
>> Hi list,
>>
>> I am very stuck and really beginning to tread water on an SR with the
>> below scenario. Would anyone have experience of a 12.1-12.2 Multitenant PDB
>> upgrade path via remote clone including TDE??
>>
>>       Source 12.1 Multitenant PDB on Exadata RAC with TDE.
>>       Destination 12.2 Multitenant PDB on Exadata RAC (Separate CDB on
>> the same cluster with separate software wallet).
>>
>> I am attempting to perform a 12.1 --> 12.2 individual PDB upgrade via
>> remote clone between CDB containers. I have verified the process as
>> successful when using a non-TDE [Tablespace] specific PDB. i.e. perform the
>> necessary preupgrade.jar steps in the 12.1 source side, clone the PDB over
>> a DB link into the 12.2 destination side and then proceed with the
>> catctl/catupgrd scripting to perform the upgrade. No issues and all works
>> fine... without TDE.
>>
>> However, when TDE is in the mix on the source PDB, I cannot manage to
>> succeed in transitioning the TDE key properly from source side over into
>> the destination side (Either before, during or post the upgrade scripting).
>> Below is a summary of steps for context but the issues comes down to; how
>> do I get a TDE key imported successfully when cloning from a 12.1 CDB to a
>> 12.2 CDB...
>>
>>
>> *High Level summary:*
>>
>> 1. Export the TDE key from the source 12.1 side (*From within the PDB
>> itself)...
>>     - administer key management set keystore open identified by
>> "password1";
>>     - administer key management export encryption keys with secret
>> "password1" to '/tmp/source_side.p12' identified by "password1";
>>
>> * Note1* - I believe the export operation is 100% clean as the same
>> steps used for this export work seamlessly when performing clones of TDE
>> specific PDBs between *12.1* CDBs.
>>
>> 2. Put the source PDB in ReadOnly...
>>     - alter pluggable database ORCL close immediate instances=all;
>>     - alter pluggable database ORCL open  read only instances=all;
>>
>> 3. Perform DB Link clone between containers (*From the CDB$ROOT of the
>> destination 12.2 CDB)
>>     - create pluggable database ORCL122 from ORCL@CLONE_LINK standbys =
>> none;
>>
>> * Note2* - The DB link is fine as the PDB creates in restricted mode. I
>> have also attempted incorporating the "keystore identified by" syntax as
>> part of the create statement.
>>     i.e. create pluggable database ORCL122 from ORCL@CLONE_LINK keystore
>> identified by "password1" standbys = none;
>>
>> 4. Open the cloned pluggable...
>>     - alter pluggable database ORCL122 open instances=all;
>>
>> * Note3* - At this point, the absence of the TDE required key is evident
>> in the alert log messaging, "PDB needs to import keys from source". But
>> there is no PDB_PLUG_IN_VIOLATION entry present yet, for the TDE key. Only
>> an error as expected for the upgrade path, "PDB's version does not match
>> CDB's version", which is quite expected. The PDB exists in restricted mode,
>> ready for upgrade.
>>
>> 5.  It's from this point that I run into difficulty. I can try to proceed
>> with the catupgrd script operations firstly. Once that completes (seemingly
>> cleanly), there is a PDB_PLUG_IN_VIOLATION entry for the TDE key
>> requirement.  I can then try and import the TDE (*From within the 122 PDB
>> itself) key per:
>>     - administer key management import encryption keys with secret
>> "password1" from '/tmp/source_side.p12' identified by "password1" with
>> backup;
>>
>> Alternatively, I could try and perform the import 'ahead of time' at the
>> CDB$ROOT container, prior to the clone operation at all. This command
>> succeeds as I can see the additional entry populated into the
>> v$encryption_keys view and within the software wallet, detailing the source
>> of the key.
>>
>> Alternatively, I can try and transition the key, from the CDB$ROOT
>> container levels between CDBs instead using the "WITH IDENTIFIER" clause
>> syntax as I note that certain operations are directed to be performed at
>> the root level from 12.2 forward, but the very same result occurs in the
>> end...
>>
>>
>> I can observe the messaging "Keys imported: PDB ORCL122 can now open in
>> normal mode" recorded in the alert log and the PDB_PLUG_IN_VIOLATION entry
>> disappears. Great!
>> However, no matter how I "get the Key in", post a close/open of the PDB
>> (To get it out of restricted mode) - I immediately start receiving errors
>> in the alert log around master key not found in current keystore and typed
>> master key not found in wallet. It seems no matter how I try to transition
>> the correct key INTO the 12.2 destination side, the AKM commands appear to
>> succeed but upon proper opening of the PDB, I am flooded with TDE errors in
>> the alert logs.
>>
>>
>> Mr. Pachot made it look frustratingly easy here - my experience differs
>> significantly, and not sure where I am going wrong:
>> https://blog.dbi-services.com/12cr2-upgrade-by-remote-clone-with-tde-in-dbaas/
>>
>> So the TL;DR version of the above is simply...
>> a) Is this manner of migration path supported?
>> b) At what stage/point in the sequence should I look to perform the TDE
>> key IMPORT on the destination side when cloning between 12.1-12.2 CDBs for
>> an upgrade in this manner?
>> c) And should the tried and trusted 12.1 key import syntax work
>> effectively for importing the key on the 12.2 destination side or am
>> missing something?
>>     "administer key management import encryption keys with secret
>> "password1" from '/tmp/source_side.p12' identified by "password1" with
>> backup;""
>>
>> Regards,
>> Ruan
>>
>

--000000000000ca70fb059b19ccbf
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Angthony,<br><br>Yes, have tried to rekey and also trie=
d to explicitly direct the cloned PDB to &quot;use&quot; the supposedly (pa=
rtially?) imported key (when the key has been imported prior to a clone att=
empt). e.g. administer key management use key &#39;Abcf34545....etc&#39; id=
entified=C2=A0by &quot;password2&quot; with backup;=C2=A0<div><br>Notably, =
a rekey or the &#39;use key&#39; AKM commands will not work until I have br=
ought the cloned PDB out of restricted mode as I will receive the error bel=
ow...<br>ORA-28442: Rekey of the TDE Master encryption key is not permitted=
 when the database is in restricted mode...<br><br>Which means that I prett=
y much have to attempt an import of the key to remove the pdb_plug_in_viola=
tion, and perform the upgrade steps, in order to reach a position where I m=
ust close/open the PDB to finally get it out of restricted mode <u>before</=
u> I attempt to either &#39;set&#39; or &#39;use key&#39;... and by that st=
age, the PDB is not in a positive state with the usual TDE specific errors =
and complaints completely littering the alert log. <br><br>There are about =
33 slightly different methods now (in terms of either sequencing or command=
s) which I have attempted to perform. All of which I know do not work in my=
 scenario. Just hoping someone may have crossed this particular bridge befo=
re me and can suggest what just one working sequence/path should look like,=
 so I can focus on debugging that route...<br><br>Thanks,<br>Ruan=C2=A0<br>=
</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_=
attr">On Wed, Jan 1, 2020 at 4:45 PM anthony Sanchez &lt;<a href=3D"mailto:=
anthonycsanchez@gmail.com">anthonycsanchez@gmail.com</a>&gt; wrote:<br></di=
v><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;borde=
r-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"auto">Hi ru=
an,<div dir=3D"auto">Have you tried resetting the master key in your pdb af=
ter clone?</div><div dir=3D"auto"><br></div><div dir=3D"auto">Connect to pd=
b</div><div dir=3D"auto"><br></div><div dir=3D"auto"><div dir=3D"auto">ADMI=
NISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY keystorepassword=
 with backup;</div><div dir=3D"auto"><br></div></div><div dir=3D"auto"><br>=
</div><div dir=3D"auto"><br></div></div><br><div class=3D"gmail_quote"><div=
 dir=3D"ltr" class=3D"gmail_attr">On Wed, Jan 1, 2020, 3:40 AM Ruan Linehan=
 &lt;<a href=3D"mailto:ruandav@gmail.com" target=3D"_blank">ruandav@gmail.c=
om</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margi=
n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex=
"><div dir=3D"ltr">Hi list,<br><br>I am very stuck and really beginning to =
tread water on an SR with the below scenario. Would anyone have experience =
of a 12.1-12.2 Multitenant PDB upgrade path via remote clone including TDE?=
?<br><br>=C2=A0 =C2=A0 =C2=A0 Source 12.1 Multitenant PDB on Exadata RAC wi=
th TDE. <br>=C2=A0 =C2=A0 =C2=A0 Destination 12.2 Multitenant PDB on Exadat=
a RAC (Separate CDB on the same cluster with separate software wallet).<br>=
<br>I am attempting to perform a 12.1 --&gt; 12.2 individual PDB upgrade vi=
a remote clone between CDB containers. I have verified the process as succe=
ssful when using a non-TDE [Tablespace] specific PDB. i.e. perform the nece=
ssary preupgrade.jar steps in the 12.1 source side, clone the PDB over a DB=
 link into the 12.2 destination side and then proceed with the catctl/catup=
grd scripting to perform the upgrade. No issues and all works fine... witho=
ut TDE. <br><br>However, when TDE is in the mix on the source PDB, I cannot=
 manage to succeed in transitioning the TDE key properly from source side o=
ver into the destination side (Either before, during or post the upgrade sc=
ripting). Below is a summary of steps for context but the issues comes down=
 to; how do I get a TDE key imported successfully when cloning from a 12.1 =
CDB to a 12.2 CDB...<br><br><br><b><u>High Level summary:</u></b><br><br>1.=
 Export the TDE key from the source 12.1 side (*From within the PDB itself)=
...<br>=C2=A0 =C2=A0 - administer key management set keystore open identifi=
ed by &quot;password1&quot;;=C2=A0<div>=C2=A0 =C2=A0 - administer key manag=
ement export encryption keys with secret &quot;password1&quot; to &#39;/tmp=
/source_side.p12&#39; identified by &quot;password1&quot;; <br><br><u>	Note=
1</u> - I believe the export operation is 100% clean as the same steps used=
 for this export work seamlessly when performing clones of TDE specific PDB=
s between <u>12.1</u> CDBs.<br><br>2. Put the source PDB in ReadOnly...<br>=
	=C2=A0 =C2=A0 - alter pluggable database ORCL close immediate instances=3D=
all; <br>	=C2=A0 =C2=A0 - alter pluggable database ORCL open =C2=A0read onl=
y instances=3Dall; <br><br>3. Perform DB Link clone between containers (*Fr=
om the CDB$ROOT of the destination 12.2 CDB)<br>	=C2=A0 =C2=A0 - create plu=
ggable database ORCL122 from ORCL@CLONE_LINK standbys =3D none; <br><br><u>=
	Note2</u> - The DB link is fine as the PDB creates in restricted mode. I h=
ave also attempted incorporating the &quot;keystore identified by&quot; syn=
tax as part of the create statement.<br>	=C2=A0 =C2=A0 i.e. create pluggabl=
e database ORCL122 from ORCL@CLONE_LINK keystore identified by &quot;passwo=
rd1&quot; standbys =3D none; <br><br>4. Open the cloned pluggable...<br>	=
=C2=A0 =C2=A0 - alter pluggable database ORCL122 open instances=3Dall; <br>=
	<br><u>	Note3</u> - At this point, the absence of the TDE required key is =
evident in the alert log messaging, &quot;PDB needs to import keys from sou=
rce&quot;. But there is no PDB_PLUG_IN_VIOLATION entry present yet, for the=
 TDE key. Only an error as expected for the upgrade path, &quot;PDB&#39;s v=
ersion does not match CDB&#39;s version&quot;, which is quite expected. The=
 PDB exists in restricted mode, ready for upgrade. <br><br>5.=C2=A0 It&#39;=
s from this point that I run into difficulty. I can try to proceed with the=
 catupgrd script operations firstly. Once that completes (seemingly cleanly=
), there is a PDB_PLUG_IN_VIOLATION entry for the TDE key requirement.=C2=
=A0 I can then try and import the TDE (*From within the 122 PDB itself) key=
 per:<br>	=C2=A0 =C2=A0 - 	administer key management import encryption keys=
 with secret &quot;password1&quot; from &#39;/tmp/source_side.p12&#39; iden=
tified by &quot;password1&quot; with backup; <br><br>Alternatively, I could=
 try and perform the import &#39;ahead of time&#39; at the CDB$ROOT contain=
er, prior to the clone operation at all. This command succeeds as I can see=
 the additional entry populated into the v$encryption_keys view and within =
the software wallet, detailing the source of the key. <br><br>Alternatively=
, I can try and transition the key, from the CDB$ROOT container levels betw=
een CDBs instead using the &quot;WITH IDENTIFIER&quot; clause syntax as I n=
ote that certain operations are directed to be performed at the root level =
from 12.2 forward, but the very same result occurs in the end...<br><br><br=
>I can observe the messaging &quot;Keys imported: PDB ORCL122 can now open =
in normal mode&quot; recorded in the alert log and the PDB_PLUG_IN_VIOLATIO=
N entry disappears. Great!<br>However, no matter how I &quot;get the Key in=
&quot;, post a close/open of the PDB (To get it out of restricted mode) - I=
 immediately start receiving errors in the alert log around master key not =
found in current keystore and typed master key not found in wallet. It seem=
s no matter how I try to transition the correct key INTO the 12.2 destinati=
on side, the AKM commands appear to succeed but upon proper opening of the =
PDB, I am flooded with TDE errors in the alert logs. <br><br><br>Mr. Pachot=
 made it look frustratingly easy here - my experience differs significantly=
, and not sure where I am going wrong: <a href=3D"https://blog.dbi-services=
.com/12cr2-upgrade-by-remote-clone-with-tde-in-dbaas/" rel=3D"noreferrer" t=
arget=3D"_blank">https://blog.dbi-services.com/12cr2-upgrade-by-remote-clon=
e-with-tde-in-dbaas/</a></div><div><br>So the TL;DR version of the above is=
 simply...<br>a) Is this manner of migration path supported?=C2=A0</div><di=
v>b) At what stage/point in the sequence should I look to perform the TDE k=
ey IMPORT on the destination side when cloning between 12.1-12.2 CDBs for a=
n upgrade in this manner?<br>c) And should the tried and trusted 12.1 key i=
mport syntax work effectively for importing the key on the 12.2 destination=
 side or am missing something?=C2=A0</div><div>=C2=A0 =C2=A0 &quot;administ=
er key management import encryption keys with secret &quot;password1&quot; =
from &#39;/tmp/source_side.p12&#39; identified by &quot;password1&quot; wit=
h backup;&quot;&quot;<br><br>Regards,</div><div>Ruan</div></div>
</blockquote></div>
</blockquote></div>

--000000000000ca70fb059b19ccbf--
--
http://www.freelists.org/webpage/oracle-l