CLI cookbook: Provisioning a TDE-enabled vPDB in a target CDB

This topic describes how to provision a TDE-enabled virtual pluggable database (vPDB) in a target CDB (a linked CDB or existing vCDB) using the command-line interface.

This process applies to Oracle version 12.2.0.1 or later.

Prerequisites

The prerequisites are the same as described in CLI Cookbook: Provisioning a Virtual PDB in a Target CDB, plus the following extra prerequisites: 

  • TDE must be configured for the source container database before it’s linked to the engine.

  • The source PDB must have TDE configured before it’s linked as a dSource to Delphix.

  • The keystore file of the source container database must be accessible from the target host. If the target database is running in a RAC environment, the keystore file of the source container database must be accessible from all target nodes.

  • TDE Keystore Password must be set for the target CDB.

  • If the target database is running in a RAC environment, TDE Keystores Root must be set for each node.

The example CLI provision below assumes the following:

  • The source container database TDE Keystore Password is mySrcCdbTdePwd.

  • The source container database keystore file can be accessed from the target host(s) with path /u01/app/oracle/keystores/cdb12/wallet.

  • The vPDB’s TDE Secret for Exported Keys is myVpdbTdeSecret.

  • The source PDB’s isolated mode TDE Keystore Password is mySrcPdbTdePwd.

  • The source PDB’s isolated mode keystore file can be accessed from the target host(s) with path /u01/app/oracle/keystores/cdb12/pdb1/wallet.

  • The new vPDB’s TDE keystore password is myVpdbTdePwd.

For more information about TDE parameters, please refer to Provisioning a TDE-enabled vPDB.
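
The keystore prerequisites above (the source CDB keystore, and the source PDB keystore in isolated mode, must be accessible from every target host) can be verified before provisioning. The following shell check is an added example, not part of the Delphix documentation or CLI; it assumes a file-based Oracle wallet (an ewallet.p12 file in the wallet directory), and the function name check_keystore, the script name, and the world-readable warning are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for the keystore prerequisites.
# Run on every target host (every node for RAC) as the OS user that owns the target CDB.
# Assumption: file-based Oracle wallet, so the directory holds ewallet.p12.

# check_keystore DIR
#   returns 0: wallet present and readable
#           1: directory or wallet missing, unreadable, or empty
#           2: wallet usable but world-readable (added hardening check)
check_keystore() {
    dir=$1
    wallet="$dir/ewallet.p12"
    if [ ! -d "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: cannot enter directory $dir" >&2
        return 1
    fi
    if [ ! -f "$wallet" ] || [ ! -r "$wallet" ]; then
        echo "FAIL: $wallet is missing or not readable" >&2
        return 1
    fi
    if [ ! -s "$wallet" ]; then
        echo "FAIL: $wallet is empty" >&2
        return 1
    fi
    # find prints the path only when the "other" read bit is set.
    if [ -n "$(find "$wallet" -prune -perm -004 2>/dev/null)" ]; then
        echo "WARN: $wallet is world-readable" >&2
        return 2
    fi
    echo "OK: $wallet"
    return 0
}

# Usage (hypothetical script name):
#   sh check_keystore.sh /u01/app/oracle/keystores/cdb12/wallet \
#                        /u01/app/oracle/keystores/cdb12/pdb1/wallet
# Exits non-zero if any directory fails or triggers the warning.
if [ "$#" -gt 0 ]; then
    status=0
    for d in "$@"; do
        check_keystore "$d" || status=1
    done
    exit "$status"
fi
```
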

Procedure

After following all steps in the Procedure section of CLI Cookbook: Provisioning a Virtual PDB in a Target CDB to set provision parameters, set TDE-related parameters as follows before the commit: 

  1. Set parentTdeKeystorePath, which is the path used to access the source CDB’s TDE keystore file from the target host(s).

    delphix database provision *> set source.parentTdeKeystorePath=/u01/app/oracle/keystores/cdb12/wallet
  2. Set parentTdeKeystorePassword, which is the password of the source CDB’s TDE keystore.

    delphix database provision *> set source.parentTdeKeystorePassword=mySrcCdbTdePwd
  3. Supply tdeExportedKeyFileSecret, which is the password used for exporting the vPDB’s keys to the keyfile.

    delphix database provision *> set source.tdeExportedKeyFileSecret=myVpdbTdeSecret
  4. If the source PDB is in isolated mode, then set the following additional parameters to provision the vPDB in isolated mode.
    1. Set parentPdbTdeKeystorePath, which is the path used to access the source PDB’s isolated mode TDE keystore file from target host(s).

      delphix database provision *> set source.parentPdbTdeKeystorePath=/u01/app/oracle/keystores/cdb12/pdb1/wallet

    2. Set parentPdbTdeKeystorePassword, which is the password of the source PDB’s isolated mode TDE keystore.

      delphix database provision *> set source.parentPdbTdeKeystorePassword=mySrcPdbTdePwd

    3. Set targetPdbTdeKeystorePassword, which is the password of the new vPDB’s isolated mode TDE keystore.

      delphix database provision *> set source.targetPdbTdeKeystorePassword=myVpdbTdePwd

  5. After all the parameters are set, initiate the provision by committing the operation in the CLI:

    delphix database provision *> commit