Provisioning TDE Enabled (19c) Oracle EBS PDB
Refer to the Provisioning a TDE-enabled vPDB and Provisioning a TDE software keystore based vPDB sections.
- Copy the source DB keystore (WALLET_ROOT) files cwallet.sso and ewallet.p12 to the target server and enter that location in Parent Database TDE Keystore Location.
- On the source CDB, run the query below to get the WALLET_ROOT location (the directory holding cwallet.sso and ewallet.p12):

    select wrl_parameter from v$encryption_wallet;

    WRL_PARAMETER
    ------------------------
    /home/oravis/wallet/tde/

It is mandatory to copy the ewallet.p12 file from the source to the target server so that the target container database can use it. No key export is needed; the Delphix Continuous Data Engine does this itself using the path and secrets provided in the configuration. On the target server, the cwallet.sso and ewallet.p12 files should be owned by the ORACLE_HOME installation owner.
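A pre-provision check for the copied keystore described above, as an added example (not part of the Delphix documentation or tooling): it confirms that cwallet.sso and ewallet.p12 are present in the target directory and owned by the ORACLE_HOME installation owner. The function name and the group/other permission check are assumptions added here.

```shell
#!/bin/sh
# Added example: verify a copied TDE keystore directory before provisioning.
# Usage: check_tde_keystore <keystore_dir> <oracle_home_owner>
# Returns 0 when both keystore files pass every check, 1 otherwise.
check_tde_keystore() {
    dir=$1
    owner=$2
    rc=0
    for name in cwallet.sso ewallet.p12; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "FAIL: $f is missing" >&2; rc=1; continue
        fi
        if [ ! -s "$f" ]; then
            echo "FAIL: $f is empty (incomplete copy?)" >&2; rc=1
        fi
        # The page requires ownership by the ORACLE_HOME installation owner.
        if [ -z "$(find "$f" -prune -user "$owner" -print 2>/dev/null)" ]; then
            echo "FAIL: $f is not owned by $owner" >&2; rc=1
        fi
        # Assumption (not from the page): no group/other permission bits,
        # since ewallet.p12 holds the TDE master keys.
        perms=$(ls -ld "$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL: $f is accessible to group/other ($perms)" >&2; rc=1
        fi
    done
    return "$rc"
}

# Run the check only when a directory and an owner are passed on the command line.
if [ "$#" -ge 2 ]; then
    check_tde_keystore "$1" "$2"
fi
```

Run it on the target server with the directory entered as Parent Database TDE Keystore Location and the ORACLE_HOME owner account as arguments.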
The Parent Database TDE Keystore Location is the location of the keystore for the dSource. This can be the actual location if the provision is back to the source; otherwise the keystore needs to be copied to the target. The parent keystore password is the password for the dSource keystore. The TDE Secret for Exported Keys is a mandatory input whose value you choose; the secret can be anything, and it is used when exporting and importing the encryption keys.
Once a TDE-enabled vPDB is provisioned, it can be used the same as a non-TDE-enabled vPDB within Delphix, with the exception of migrate. There are a few caveats:
- A refresh operation will use the parent keystore for the recovery. If the dSource is rekeyed then the user will need to update the parent keystore with the new keys. Similarly, if the location or password to the parent keystore has changed then they should be updated before the refresh.
- A rewind operation will use the target keystore for the recovery. If the vPDB is rekeyed after it is provisioned, then the rekey will update the target keystore, so it does not need to be updated in Delphix.
- For a single vPDB in a vCDB, if the vCDB keystore location is changed, the new path must be updated in Delphix before refresh or rewind.
- Each disable operation will result in the keys being exported to an exported keyfile in the artifact directory, to be used for a subsequent enable. Refresh and rewind operations will first disable the existing vPDB, so those will also result in a new exported keyfile in the artifact directory.
- Provisioning a second-generation vPDB (vvPDB) from a TDE-enabled vPDB is done in the same manner as a first-generation vPDB, by specifying the TDE parameters during provision. The current keystore for the vPDB can be specified as the parent keystore.

The remaining Configure Clone and Pre-Snapshot hooks are unchanged. It is mandatory to use the hooks mentioned in the documentation when provisioning the TDE vPDB database. Follow the instructions from step 8 to the end on the Oracle EBS database hooks on OCI ExaCC or ExaCS page.