Provisioning a TDE OCI Vault-enabled vPDB

Provisioning a TDE OCI Vault-enabled Virtual Pluggable Database (vPDB) to a TDE OCI Vault-enabled target container requires specifying several TDE provisioning parameters.

Delphix Continuous Data Engine does not support provisioning a TDE OCI Vault-enabled vPDB from a source snapshot of a dSource or virtual database that is not encrypted or encrypted using a any other key provider at the time of linking.

Limitations

Provision the TDE OCI Vault-enabled has the following limitations:

  • The provisioning operation is only supported via CLI.

  • Provisioning the OCI Vault TDE-enabled vPDB is supported in a Linked CDB (i.e. Physical) only. Provisioning to a new vCDB is not supported.

  • Make sure both the dSource and target CDB are using OCI Vault for TDE.

  • The dSource and the target database must use the same OCI Vault, although different keys (OCIDs) within that Vault can be used.

  • Keystores are supported only in the United mode.

  • Only multitenant databases with Oracle database version 18 or higher are supported.

  • Both the dSource and the target CDB must use the same type of keystore for encryption—either customer-managed keys (HSM keystore) or Oracle-managed keys (software-based keystore).

  • Parent cdb.json and cwallet.sso from the source CDB must be copied to a local filesystem on the target host, they must not be on ASM storage. Target CDB keystores, however, can be on ASM storage.

    The cdb.json file is a KMS PKCS#11 configuration file used by the Oracle database client to securely communicate with the OCI Key Management Service (KMS).
    It defines the necessary parameters for PKCS#11-based integration with the KMS server, enabling access to customer-managed encryption keys stored in OCI Vault. This configuration file resides on the database node, typically at one of the following paths:

    • /var/opt/oracle/kms/tde/pkcs11/configs/<CDB_INSTANCE_NAME>/cdb.json

    • /opt/oracle/kms/tde/pkcs11/configs/<CDB_INSTANCE_NAME>/cdb.json

    Replace <CDB_INSTANCE_NAME> with the actual name of your Oracle Database instance.

Requirements for Oracle OCI vault-enabled target hosts and databases

To provision a vPDB to a TDE OCI Vault-enabled target container database, Delphix OS (delphix_os) users must have permission to execute the shell commands as the Oracle Install User for each node of the target database. Refer the standard permissions required to provision a virtual database in the Requirements for Oracle hosts and databases page.

  • /bin/cp: Required to copy parent KMS PKCS11 configuration files into the auxCDB KMS PKCS11 config file path, as well as the parent autologin wallet (cwallet.sso) file into the auxCDB wallet root location. This is needed to recover the parent dSource.

  • /bin/mkdir: Required to create the KMS PKCS11 configuration files path.

  • /bin/rmdir: Required to remove the KMS PKCS11 config directory of auxCDB after recovery.

  • /bin/rm: Required to remove the KMS PKCS11 config file of auxCDB after recovery.

  • /bin/cat: Required to merge the parent KMS PKCS11 config and target KMS PKCS11 config file when creating KMS PKCS11 config file for auxCDB.

Example:

The following permission should be added to the /etc/sudoers file for each database node:

Copy 
Defaults:delphix-os !requiretty 
delphix_os ALL=NOPASSWD: /bin/mount,/bin/umount,/bin/mkdir,/bin/rmdir,/bin/ps 
delphix_os ALL=(oracle) NOPASSWD: /bin/mkdir,/bin/cp,/bin/rm,/bin/rmdir,/bin/cat 

Above OS commands permissions can be restricted to the following directories:

  • Delphix toolkit directory path: /<delphix_toolkit_directory_path>.

  • KMS PKCS11 config path: /opt/oracle/kms/tde/pkcs11/configs or /var/opt/oracle/kms/tde/pkcs11/configs.

Prerequisites for provisioning

1. Check the Target Container Database (CDB)

  1. Log in to any target database node and run the following query:

    Copy 
    SQL> SELECT name, value FROM v$parameter WHERE name = 'tde_configuration';

  2. If keystore_configuration is OKV|FILE, change it to HSM|FILE:

    Copy 
    ALTER SYSTEM SET TDE_CONFIGURATION='KEYSTORE_CONFIGURATION=HSM|FILE' SCOPE=BOTH SID='*';

2. Copy required files from source host to target host

The /opt/oracle/kms/tde/pkcs11/configs/<instance_name>/cdb.json or /var/opt/oracle/kms/tde/pkcs11/configs/<instance_name>/cdb.json and $WALLLET_ROOT/tde/cwallet.sso files from the parent dSource database node must be made available on the target host, this can be copied to any location.

The target location and copied files must be readable by the delphix_os user.

During provisioning, the location where these files have been copied is recorded as source.parentTdeKeystorePath.

3. Configure tde_seps for the Target CDB on Each Node

  1. Log in to the target database node as the Oracle install user.

  2. Query the wallet root location:

    Copy 
    SQL> SELECT name, value FROM v$parameter WHERE name = 'wallet_root'

  3. Create a $WALLET_ROOT/tde_seps directory if it does not exist.

  4. Copy the autologin wallet: cp $WALLET_ROOT/tde/cwallet.sso $WALLET_ROOT/tde_seps/.

  5. If the tde_seps folder and the tde_seps/cwallet.sso file are created by a non-Oracle installation user, ensure that their ownership is changed to the Oracle installation user and Oracle installation group. By default, the ownership should be set to oracle:oinstall.

    Copy
    # tde_seps directory permission 
    drwxr-xr-x 2 oracle oinstall 4096 Mar  6 02:56 tde_seps 
    -rwx------ 1 oracle oinstall 3686 Mar  6 02:56 tde_seps/cwallet.sso 

  6. Repeat for all nodes.

Provisioning parameters

  1. Parent Database TDE Keystore Location - The path to a source database KMS PKCS11 Configuration file(i.e. cd.json) and source database autlogin wallet file (i.e. cwallet.sso) the target host.

    1. CLI Parameter: source.parentTdeKeystorePath

    2. Required

      This path must be readable on the target host by the Delphix user and Oracle install user.

    3. If provisioning to a RAC environment (cluster), make sure this path is shared between all the RAC cluster nodes.

      Parent Database TDE Keystore may be located on local storage, NFS or ACFS, but cannot be located on an ASM filesystem.

  2. TDE Encryption Secret - Secret for the exported keys.

    1. CLI Parameter: source.tdeExportedKeyFileSecret.

    2. Required

      This is a new user-specified secret required, when unplugging a vPDB.

  3. TDE Keystores root - Path to a directory on the target host under which all Continuous Data related TDE artifacts will be created.

    1. CLI Parameter: source.tdeKeystoresRootPath

    2. Required for cluster target.

    3. Optional for single instance target.

Steps to Provision a TDE OCI Vault-enabled vPDB

  1. Refer to the CLI cookbook: provisioning a virtual PDB in a target CDB page to set the provisioning parameters on CLI.

  2. If provisioning to a cluster target, set the keystore root directory path as described in this guide.

  3. Ensure the target Linked CDB exists on the target hosts with correctly set up encryption keys and an autologin wallet.

  4. Set the provisioning parameters (source.parentTdeKeystorePath (path containing cdb.json and cwallet.sso) and source.tdeExportedKeyFileSecret).

  5. Commit the changes.

Example CLI commands to provision Oracle OCI Vault TDE-enabled vPDB

Copy 
database provision 
set type=OracleMultitenantProvisionParameters
set source.type=OracleVirtualPdbSource
set sourceConfig.environmentUser=rac-tgt/dlpxqa
set source.mountBase=/mnt/provision
set container.name=rac_pdb
set source.name=rac_pdb
set container.group=Untitled
set source.allowAutoVDBRestartOnHostReboot=true
set sourceConfig.cdbConfig=CDBRCTGT_v33_phx
set sourceConfig.databaseName=rac_pdb
set timeflowPointParameters.container=CDBRCSRCPDB
set source.parentTdeKeystorePath=/mnt/shared1/keystores_root
set source.tdeExportedKeyFileSecret=delphix
set timeflowPointParameters.type=TimeflowPointSemantic
set sourceConfig.repository=rac-tgt/'/u01/app/oracle/product/19.0.0.0/dbhome_1'
commit