Table of Contents
Purpose
This document aims to demonstrate the Oracle multitenant architecture, Oracle Key Vault, and TDE integration to PDBs.
Who should refer to this document?
Any Individual interested in learning about TDE and the Oracle Key Vault + PDB integration.
Multitenant Architecture
A Tenant is a group of users who share common access with specific privileges to software instances. Oracle database supports multitenant architecture, which enables multitenant container database (CDB).
Note: Starting in Oracle Database 21c, a multitenant container database is the only supported architecture. In earlier releases, Oracle supported non-container databases (non-CDBs).
What is a Container Database (CDB)?
CONTAINER
1. A container is a collection of schemas, objects, and related structures in a multitenant container database (CDB).
2. In other words, a container is a logical grouping of objects representing a self-contained environment.
3. A Unique ID and name identify each container in a CDB.
4. A multitenant container database (CDB) contains one or more PDBs (Pluggable Databases) and application containers.
5. From these PDBs in a CDB, except for one PDB, called “SEED (PDB$SEED),” PDB comes from Oracle. Others are customer-created PDBs.
CONTAINER DATABASE (CDB)
A container database consists of one pluggable Seed (PDB$SEED) database, which is Oracle-supplied, and one or more or zero (none) customer-created pluggable databases. Every multitenant container database (CDB) has the below containers,
1. Root container (CDB root container).
2. One System container.
3. Application containers (Zero or more).
4. User-created PDBs (Zero or more).
5. One Seed PDB.
ROOT (CDB$ROOT)
1. The root stores Oracle Oracle-supplied metadata and common users.
2. A common user is a database user, typical or standard in every container.
a. For example, SYSTEM is a CDB user with DBA privileges.
b. Also, SYS is a common CDB user.
c. Oracle-supplied common users are SYS and SYSTEM.
d. Common users such as SYSTEM can connect to the CDB root and any PDBs in the container database.
e. Every common user can connect to and perform operations within the root of its container and within any PDB to which it has sufficient privileges or grants.
3. The root container is named CDB$ROOT.
4. The CDB is a collection of Schemas, Schema Objects, and non-schema Objects to which all PDBs belong.
SYSTEM CONTAINER
1. The system container holds the core components of a CDB, which means the system container is a logical entity that includes the root CDB (container database) and all the PDBs (Pluggable databases) within the CDB.
2. While it’s called a container, the system container doesn’t represent a physical unit. It’s a logical concept that helps organize and manage the CDB and associated PDBs.
3. The system container contains the CDB$ROOT and all the PDBs (PDB$SEED) within the CDB.
APPLICATION CONTAINER
1. An application container consists of precisely one application root.
2. An application root shares some characteristics with the CDB root because it is created with the CREATE PLUGGABLE DATABASE statement.
3. Application root contains common objects and some characteristics with a PDB.
4. Application root belongs only to the CDB$ROOT and not to any container.
PLUGGABLE DATABASE CONTAINER (PDB)
1. A Pluggable Database contains data and code necessary to support a specific set of features.
2. No PDBs exist at the creation of a CDB.
3. You can add PDBs according to your business requirements. These PDBs are called User-created PDBs.
4. A PDB can belong to zero or one application container. If it belongs to an application, it is called Application PDB.
5. An application seed is an optional application PDB that acts as a user-created template, enabling you to create new application PDBs rapidly.
SEED PLUGGABLE DATABASE CONTAINER (PDB)
The seed PDB is a vanilla template that the CDB uses to create new PDBs. The seed PDB is named PDB$SEED. You cannot add or modify the objects in PDB$SEED.
Step by Step process to create new Pluggable Databases in Oracle 19c or higher.
PREREQUISITES
1. You must be connected to a CDB. The CDB must be open and in READ+WRITE mode.
2. To create a PDB or an application container, the current container must be the root and you must have the CREATE PLUGGABLE DATABASE system privilege, granted commonly.
3. To create an application seed or an application PDB, the current container must be an application root, the application container must be open and in READ WRITE mode, and you must have the CREATE PLUGGABLE DATABASE system privilege, either granted commonly or granted locally in that application container.
4. If src_pdb_name refers to a PDB in the same CDB, then you must have the CREATE PLUGGABLE DATABASE system privilege in the root of the CDB in which the new PDB will be created and in the PDB being cloned.
a. In simpler terms, to clone a PDB within a CDB, you need elevated administrative privileges (CREATE PLUGGABLE DATABASE) at the ROOT$CDB (Central management - Root) level and the source PDB level.
5. Suppose src_pdb_name refers to a PDB in a remote database or a non-CDB. In that case, you must have the CREATE PLUGGABLE DATABASE system privilege in the root of the CDB in which the new PDB will be created, and the remote user must have the CREATE PLUGGABLE DATABASE system privilege in the PDB or non-CDB to which src_pdb_name refers.
a. In simpler terms, you need to have CREATE PLUGGABLE DATABASE system privilege in the main CDB where you want to create the new PDB.
b. The user on the remote database or non-CDB, should also have CREATE PLUGGABLE DATABASE system privilege.
c. Both users should have CREATE PLUGGABLE DATABASE system privileges to create a PDB.
CREATE A PDB FROM THE COMMAND PROMPT
1. Login to the Linux Database Server.
a. ssh user@server_fqdn
2. Ensure to create the new PDB directory.
a. mkdir /u01/app/oracle/oradata/mycdb/mypdb/
3. Set the Oracle environment variables.
4. sqlplus /nolog
$ sqlplus /nolog
SQL*Plus: Release 23.0.0.0.0 - Production on Thu Feb 22 2024 22:35:45 Copyright (c) 1982, 2023, Oracle. All rights reserved.
Connected to: Oracle Database 23 EE 64bit Production TNSLSNR for Linux x86_64 Release 23.0.0.0.0 - Production
SQL> |
5. select file_name from dba_data_files;
SQL> select file_name from dba_data_files; FILE_NAME ---------------------------------------------------------------------- /u01/app/oracle/oradata/orcl/USERS01.dbf /u01/app/oracle/oradata/orcl/SYSTEM01.dbf /u01/app/oracle/oradata/orcl/UNDO_ORCL01.dbf /u02/app/oracle/oradata/orcl/INDX_ORCL01.dbf /u02/app/oracle/oradata/orcl/TEMP01.dbf |
6. select file_name from dba_temp_files;
SQL> select file_name from dba_temp_files;
FILE_NAME -------------------------------------------------------------------------------- /u01/app/oracle/oradata/temp01.dbf |
7. connect sys/pwd@server_fqdn:1521/cdb as sysdba (or) CONNECT sys as sysdba;
SQL> connect sys/pwd@server_fqdn:1521/cdb as sysdba; Connected.
Or
SQL> CONNECT sys as sysdba; Connected. |
8. Execute the SQL below to ensure you are connected to the correct CDB.
SQL> show con_name;
CON_NAME -------------- CDB$ROOT |
9. Check PDBs. The below query retrieves information about all PDBs in the database, including their ID, name, open mode (READ WRITE or READ ONLY), and whether they are restricted (YES or NO).
SELECT pdb_id, name, open_mode, restricted FROM v$pdbs;
Output: PDB_ID NAME OPEN_MODE RESTRICTED ------ ---------- --------- ---------- 2 PDB$SEED READ ONLY NO 3 PDB1 READ WRITE NO 4 PDB2 READ ONLY YES |
10.Create a Pluggable database. There are several ways you can adapt to create a pluggable database; some are listed below.
Example:
CREATE PLUGGABLE DATABASE salespdb ADMIN USER salesadm IDENTIFIED BY password ROLES = (dba) DEFAULT TABLESPACE sales DATAFILE '/disk1/oracle/dbs/salespdb/sales01.dbf' SIZE 250M AUTOEXTEND ON FILE_NAME_CONVERT = ('/disk1/oracle/dbs/pdbseed/', '/disk1/oracle/dbs/salespdb/') STORAGE (MAXSIZE 2G) PATH_PREFIX = '/disk1/oracle/dbs/salespdb/';
Command:
CREATE PLUGGABLE DATABASE mypdb ADMIN USER pdb_admin IDENTIFIED BY mypassword DEFAULT TABLESPACE myts DATAFILE '/u01/app/oracle/oradata/mycdb/mypdb01.dbf' SIZE 100M FILE_NAME_CONVERT=('/u01/app/oracle/oradata/mycdb/pdbseed/', '/u01/app/oracle/oradata/mycdb/mypdb/');
Pluggable database created. |
11. Show all PDBs in the CDB. The below output displays information about all the Pluggable Databases (PDBs) in the current Container Database (CDB). It includes the Container ID (CON_ID), the PDB name (CON_NAME), the open mode (OPEN MODE), and whether it is restricted (RESTRICTED).
SQL> SHOW PDBS;
CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 PDB1 READ WRITE NO 4 PDB2 READ ONLY YES |
12. Open the Pluggable database. The below SQL command opens the specified PDB named "mypdb". If successful, it will display "Pluggable database altered." at the SQL prompt.
Command: ALTER PLUGGABLE DATABASE mypdb OPEN;
Output: Pluggable database altered. |
13. Connect to the new PDB (Pluggable Database).
SQL> SHOW CON_NAME;
Output: CON_NAME ------------------------------ CDB$ROOT
SQL> ALTER SESSION SET CONTAINER = mypdb;
Output: Session altered. |
14. SQLs you can execute after connecting to the PDB.
Check on Username
SQL> SELECT USERNAME, CONTAINER_NAME FROM DUAL;
Output: USERNAME CONTAINER_NAME---------------------- ----------------------your_username pdb_name |
Check Available Tablespaces
SQL> SELECT tablespace_name, total_space, free_space FROM dba_tablespaces;
Output: TABLESPACE_NAME TOTAL_SPACE FREE_SPACE ------------------------------ ----------- ----------- SYSTEM 1024M 900M USERS 2048M 1800M UNDO 512M 450M |
List User Tables:
SELECT * FROM dba_tables WHERE owner='your_username';
Output: TABLE_NAME COLUMN_NAME DATA_TYPE---------------------------------- ------------------------ --------EMP_DETAILS EMPLOYEE_ID NUMBEREMP_DETAILS FIRST_NAME VARCHAR2(50)EMP_DETAILS LAST_NAME VARCHAR2(50) |
Create a User and Grant privileges.
-- Create userCREATE USER new_user IDENTIFIED BY password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp; -- Grant privilegesGRANT CONNECT, RESOURCE TO new_user; Output User created.Grant succeeded. |
SQL> select pdb_name,status from cdb_pdbs; PDB_NAME STATUS---------- -------------PDBDB NORMALPDB$SEED NORMAL SQL> select con_id,name,open_mode from v$pdbs; CON_ID NAME OPEN_MODE------- ------------------ ----------2 PDB$SEED READ ONLY3 PDBDB. READ WRITE SQL>
|
15. Configure tnsnames.
PDB_MYDB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = port)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = mypdb) ) ) |
16. Configure listener.
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = 1521)) ) )
Command:
-- Stop the PDB listener lsnrctl stop listener_name
-- Start the PDB listener lsnrctl start listener_name
Output: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=1521))) The command completed successfully.
|
CREATE PDB FROM THE CONSOLE.
Launch the Console and perform the below steps,
1. Open the navigation menu. Select Oracle Database, then select Oracle Base Database.
2. Select your Compartment. A list of DB systems is displayed.
3. In the list of DB systems, find the DB system in which you want to create the PDB. Click the DB system name to display details about it.
4. In the list of databases, find the database in which you want to create the PDB. Click the database name to display details about it.
5. In the Resources section of the page, click Pluggable Databases.
6. Click Create pluggable database.
7. In the Create pluggable database window, provide the following details:
8. PDB name: Enter a name for the PDB. The name must begin with an alphabetic character and can contain a maximum of 30 alphanumeric characters.
9. Unlock my PDB admin account: Optional. Select this option to specify a PDB admin password and configure the PDB to be unlocked at creation.
PDB admin password: Create and enter a PDB admin password. The password must contain:
|
10. TDE wallet password of the database: Enter the TDE wallet password for the source CDB.
11.Take a backup of the PDB immediately: You must enable auto-backup on the CDB to back up a PDB immediately. This check box is checked by default if auto-backup is enabled on the CDB.
KEY POINTS TO REMEMBER WHILE CREATING PDBS
1. When creating a new PDB, its service name might clash with an existing service name within the CDB.
2. This collision occurs within the listener namespace, which directs users to the specific CDB and PDB.
3. Collisions can involve default services (predefined by Oracle) or user-created services.
Example
1. Imagine two CDBs on the same server, both using the same listener.
2. A collision happens if a new PDB in one CDB has the same service name as a PDB in the other CDB.
Consequences
1. Operating a PDB with a colliding service name is not allowed.
2. This can lead to connection issues and unexpected behavior.
Solutions
1. Rename the PDB: If the collision involves the PDB's default service name, you must rename the PDB itself before using it.
2. Drop and recreate service: If the collision involves a user-created service within the PDB, you must drop that service and create a new one with a different name but with the same purpose and properties.
Configure TDE in the Pluggable Database (PDB)
HOW TO CHECK WHETHER TDE HAS BEEN IMPLEMENTED IN AN ORACLE DATABASE?
1. Execute the below SQL to find out if the Oracle database has been encrypted with TDE (After logging into the database using sqlplus).
select mklocact from x$kcbtek where TS# in (select ts# from v$tablespace where name=‘SYSTEM’); |
a. If the above SQL returns a value of 1, the TDE encryption has been applied earlier.
b. STOP here, and DO NOT execute the TDE encryption SQLs.
c. If the above SQL returns a value of 0, then apply TDE.
2. ssh to the Oracle Database server (Port 22) [The below ssh commands are for informational purposes only].
i. ssh -i <private_key> user@IPAddress.
ii. ssh -i <private_key> user@servername.
iii. sudo su – grid_user
iv. srvrctl config database -v (lists all databases on the host)
Example Output: Database01 /u01/app/oracle/product/19.0.0.0/dbhome_1 19.0.0.0 Database02 /u01/app/oracle/product/23.0.0.0/dbhome_2 23.0.0.0 Database03 /u01/app/oracle/product/12.1.0.0/dbhome_3 12.1.0.0 |
v. sudo to oracle user
[root@database_server ~]# su - oracle [oracle@database_server ~]$ . oraenv ORACLE_SID = [oracle] ? Database01 The Oracle base has been set to /u01/app/oracle |
vi. To get server details execute the below command.
· srvrctl config database -d Database01
vii. Oracle environment variables (The below env variables are just for Informational purposes ONLY).
export ORACLE_BASE=/u02/app/oracle export ORACLE_HOME=$ORACLE_BASE/product/19.0.0.0/dbhome_1 export ORACLE_SID=Database011 export ORACLE_UNIQUE_NAME=Database01 export PATH=$PATH:$ORACLE_HOME/bin:$HOME/bin export LD_LIBRARY_PATH=$ORACLE_HOME/lib export ORACLE_BASE ORACLE_HOME ORACLE_SID PATH LD_LIBRARY_PATH |
viii. After executing oraenv, set the below environment variables to access the sqlplus.
export ORACLE_SID=Database011 export ORACLE_UNIQUE_NAME=Database01 sqlplus / as sysdba |
b. Execute the below SQL to check if OKV is already configured.
SQL> select upper(WRL_TYPE) from v$encryption_wallet where upper(status)=’OPEN’; |
· If the output has rows associated with the HSM encryption type, skip to Tablespace encryption.
· If the output has no rows for all the databases, proceed with TDE encryption.
· Next is to check in the sqlnet.ora file to see if it has any encryption entries like below,
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /cdbrdbms/etc/$ORACLE_SID) ) ) |
c. TDE script uses the OKV staging directory: $ORACLE_BASE/OKV_DIRECTORY/config. If the DB instances are configured as HSM, and no tablespaces are encrypted, clear or delete the contents from the above directory (Before deleting any files, I would take a backup. You should decide according to your situation).
d. If any of the DB instances are configured as type: FILE, then contact your application teams before proceeding with the TDE encryption.
e. Back up the sqlnet.ora file.
cp -p sqlnet.ora sqlnet.ora.$(date)_backup |
ORACLE KEY VAULT DOWNLOAD
1. Launch a browser and navigate to https://edelivery.oracle.com.
2. Enter credentials and Click sign in.
3. Go to the “All Categories” Menu and select Release.
4. Enter “Oracle Key Vault” and click on search.
5. Select Oracle Key Vault 21.7.0.0.0 from the list and click on the Add to the Cart button.
6. Go the Cart.
7. Click Checkout.
8. Verify the details of the installation package on the next page. Click on the Continuebutton.
9. Review and accept the license and click on the Continue button.
10. File: Vpart_number.zip appears on the download page.
12.The file size would be more than 4GB, takes time to download.
13.Make a directory and unzip the contents using the unzip command.
a. unzip Vpart_number.zip -d /home/user/data
14.Once downloaded, mount the .iso
ORACLE KEY VAULT INSTALL
1. After mounting the iso, the following initialization screen appears with options.
2. There are 2 options to install OKV, with FIPS and without FIPS.
a. FIPS: Federal Information Processing Standard.
3. Select the appropriate one and click Enter.
4. Once the installation starts, you will be prompted to enter the password for the root user.
5. Once the password is set, go to the next step, which prompts you to enter the user ID and password for the root user.
6. You have to remount or reinsert your disk after logging in as the root user.
7. Select Network Mode window appears after a couple of minutes.
8. If you want Classic Mode, select Option 1. In classic mode, one network interface is used. Dual NIC mode enables you to configure Oracle Key Vault to use two network interfaces or ethernet ports. It is helpful as a guard against physical or software failures and adds redundancy to the network layer.
9. If you later decide to switch to dual NIC, you can do so, provided you are in a standalone configuration.
10.But, if you are in a multi-master cluster configuration, you must first delete the node from the cluster, configure the node to use dual NIC mode, and re-induct the node back into the cluster to switch to a dual NIC mode.
11. If you choose Option 1, select it and press ENTER.
a. Select from the available options from the Select default network interface screen and click OK.
b. In the Network settings screen, enter the IP address, Network mask, and Gateway settings for the default network interface. The network administrator for your site can provide this information.
c. Click on OK.
12.If you choose Option 2, select it and press ENTER.
a. From the Select Bond Mode screen, select the bond mode choices for the two network interfaces you plan to use and click OK.
i. Round Robin: Sequentially from the first available interface to the last.
ii. Active-Backup: Configures the network interfaces as Active and Backup. Only one interface is Active at a given point in time.
iii. 802.3ad: Network packets are transmitted and received on all interfaces. This mode requires a switch that supports IEEE 802.3ad dynamic link aggregation (My View: This mode depends on the switch, which is external hardware. Consider the pros and cons when using this mode, like what happens if this switch fails?).
b. In the Network settings screen, enter the IP address, Network mask, Gateway, and Hostname settings for the default network interface. Here, the hostname can be a fully qualified domain name or just a hostname without fqdn.
13.The installer installs and configures the operating system, database, and OKV on the host. The installation process can take longer.
14.Once the installation is complete, you will be prompted to enter the password for the support. Once SSH is enabled, the support user is the only user who can SSH into the Oracle Key Vault. SSH should be disabled unless upgrade patches are applied, or contact Oracle Support for directions.
# passwd support New password: Retype new password passwd: All authentication tokens updated successfully. |
ORACLE KEY VAULT (OKV) POST-INSTALLATION TASKS
· Launch a web browser and type the URL: https://192.0.2.254
· The above IP is the Oracle Key Vault’s IP Address.
· Accept the security warning message for untrusted or self-signed certificate warning and connect to the Oracle Key Vault Server.
· Enter the Root Password and Click on Login.
· After you login, the post-install config screen appears.
· From the User-Setup Pane, create three administrative accounts.
o Key Administrator
o System Administrator
o Audit Manager
· Enter the details
· Ensure that the passwords comply with the password policies.
· In the recovery passphrase section, create the recovery password.
· Important note
Caution: It is important to establish a secure process for the storage and retrieval of the recovery passphrase, including older recovery passphrases. The only way to recover from a lost recovery passphrase is to re-install Key Vault. Be aware that if you enter either of these passwords incorrectly three times in a row, then the account is locked for 15 minutes. Note also that the root and support user passwords expire after 365 days. If you log in to the Oracle Key Vault management console within 120 days before the expiration, you will see an alert that the password expires in remaining_number_of_days days. If you log in after the expiration date, then you can use the old password only to log in and change the password to a new one. |
· Next, set the DNS IP addresses. Contact your network administrator for the IP addresses. You can only set up the NTP server names after you save the changes on this page, including the DNS addresses.
· Click on the SAVE button at the upper right-hand corner of the Post-Install screen.
· The Login screen appears.
· Configure the System Time: Oracle recommends that when you configure the system time, to configure all three NTP servers, using their host names. When you do, select the “Synchronize Periodically” option.
· Configure System alerts.
CONFIGURING TDE
1. Update the sqlnet.ora file.
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /cdb/etc/$ORACLE_SID) ) ) |
2. Create a Keystore on the CDB Database and generate encryption key for CDB.
Model: ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY keystore_password WITH BACKUP USING 'backup_destination';
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/cdb/etc/keystore_backup' IDENTIFIED BY "password"; ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password"; ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "password" WITH BACKUP; |
3. Verify whether the wallet has been opened in CDB Database.
SQL> SELECT * FROM v$encryption_wallet;
WRL_PARAMETER STATUS WALLET_TYPE WALLET_PATH ---------------------- -------------------- ------------- ---------------------------- CDB$ROOT OPEN SOFTWARE /u01/app/oracle/product/19.0.0/dbhomep/dbs/wallet/cdb$root.so |
4. Open the PDB and set the PDB as the current database.
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 PDBDB1 MOUNTED 4 PDBDB2 MOUNTED
SQL> alter pluggable database PDBDB1 open;
Pluggable database altered.
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 PDBDB1 MOUNTED 4 PDBDB2 READ WRITE NO |
SQL> alter session set container=PDBDB2;
Session altered.
SQL> show con_name
CON_NAME ------------------------------ PDBDB2 |
5. Open the Keystore in the PDB and generate encryption for the PDB.
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password"; keystore altered SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 4 PDBDB2 READ WRITE NO
SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /cdb/etc/keystore_backup/ OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED 0 |
6. With Backup.
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "password" with backup; keystore altered.
SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /cdb/etc/keystore_backup/ OPEN PASSWORD SINGLE NO 0 |
7. Create encrypted Tablespace.
SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 4 PDDB2 READ WRITE NO
SQL> create tablespace enc128_ts datafile '/cdb/64bit/app/oracle/oradata/keystore_bakup/keystore_bakup1/Test_encrption.dbf' size 1M autoextend on next 1M encryption using 'AES128' default storage (encrypt) / 2 3 4 5 6
Tablespace created. |
ISSUES AND TROUBLESHOOTING
ISSUE -1
DESCRIPTION OF THE ISSUE AND TROUBLESHOOTING | |
ERROR | ORA-00600: internal error code, arguments: [kcbtse_encdec_tbsblk_1], [n], [n] |
CAUSE | There are some known Bugs like mentioned below which can cause the similar failure. |
KNOWN BUGS | Bug 31048741 - ORA-00600: INTERNAL ERROR CODE, ARGUMENTS: [KCBTSE_ENCDEC_TBSBLK_1] Bug 31666449 - RMAN STANDBY OR PRIMARY BACKUP OF ENCRYPTED TABLESPACES MAY FAIL WITH ORA-600 [KCBTSE_ENCDEC_TBSBLK_1] However, if the patches are already applied for these known Bugs and still the issue exists, the corresponding trace file needs to be reviewed carefully to determine the exact cause. |
EXAMPLE OF TRACE FILE |
Dump continued from file: <Trace filename> ORA-00600: internal error code, arguments: [kcbtse_encdec_tbsblk_1], [5], [10], [809500674], [193], [2], [16], [4294967295], [], [], [], [] ----- Abridged Call Stack Trace ----- <Skipped 2 stack frames>kcbtse_encdec_tbsblk_pdb1<-krboReadBlk<-krboReadSpHeader<-krboinit<-krbb1po<-krbbtgb<-krbbpcint<-krbbpcCbkArgs<-krbbpcCbk<-kpdbSwitch<-krbbpc<-krbibpc<-pevm_icd_call_common<-pfrinstr_ICAL<-pfrrun_no_tool<-pfrrun<-plsql_run<-pricar<-pricbr<-prient2<-prient<-kkxrpc<-kporpc<-opiodr<-ttcpip<-opitsk<-opiino<-opiodr<-opidrv<-sou2o<-opimai_real<-ssthrdmain<-main<-__libc_start_main ----- End of Abridged Call Stack Trace ----- Partial short call stack signature: 0x3c2e7bea9e2a543b Tablespace key not found as expected. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Exact causeKey versions: pkv 0 pkv2 4294967295 gkv 0 gkv2 4294967295 input 4294967295 fon 1 cfv 1 tekafnrl 0x22184ae50Dumping PGA key chainkcbtse_dump_keychain: pdb 5 kcbtsemkid:mkid: 6c3b392071d64fd7bfb6ed0fe9e2ec59 current pdb 5 kcbtsemkloc 1, kcbtsemkid is: 6c3b392071d64fd7bfb6ed0fe9e2ec59 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< MKID of PDB (CON_ID=5)kcbtsemkid_rootmkid: c41e5f386c6b4fa0bf362ac189ce7a49 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< MKID of CDB$ROOT current pdb 5 kcbtsemkloc 1, kcbtsemkid is: 6c3b392071d64fd7bfb6ed0fe9e2ec59kcbtsecfdbkodkcbtse_dump_keychain1:41401 kcbtse_print_kod: printing kcbtekod structure 0x21dd2bfba--kcbtekod_ena=2 kcbtekod_flag=0xe kcbtekod_mkloc=0x1--kcbtekod_key=bb0eea88ca783562c267f28f0cd26c8a00000000000000000000000000000000--kcbtekod_mkeyid=6c3b392071d64fd7bfb6ed0fe9e2ec59kcbtsecfdbkod_rootkcbtse_dump_keychain1:41404 kcbtse_print_kod: printing kcbtekod structure 0x600b3bba--kcbtekod_ena=2 kcbtekod_flag=0xe kcbtekod_mkloc=0x1--kcbtekod_key=7c1667d4c27d691344f0bdbf84513936e8f0f8902b7e83741d715df347d35ca9--kcbtekod_mkeyid=c41e5f386c6b4fa0bf362ac189ce7a49kcbtsencdbk: 0x21bf3eb68 kcbtsencdbk_root 0x219e565e8kcbtse_dump_keychain: Start dumping key chain state..--------------------------------kcbtek structure 0x7f3515d33eb8utsn: 0x500000010 (5/16), alg: 2 keystate: 2 inv?: 0 usesalt?: 1 enctbs?: 1 obf?: 0 keyver: 0 fbkey?: 0 fullenc?: 0 frn?: 0 rcv?: 0 skipchk?: 0 use_for_dec?: 0encrypted key: bb0eea88ca783562c267f28f0cd26c8a00000000000000000000000000000000mklocact 1 mkloc 1, mkid: 6c3b392071d64fd7bfb6ed0fe9e2ec59 kcl: [0x7f3515d33db8,0x7f351bb03598] --------------------------------Looking for this target key image:kcbz_encdec_tbsblk:43722 kcbtse_print_kod: printing kcbtekod structure 0x7f3510c7c778--kcbtekod_ena=0 kcbtekod_flag=0x0 kcbtekod_mkloc=0x0--kcbtekod_key=0000000000000000000000000000000000000000000000000000000000000000--kcbtekod_mkeyid=00000000000000000000000000000000 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< MKEYID is 0Dump of buffer cache at level 1 for pdb=5 tsn=10 rdba=809500674 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< PDB (CON_ID=5) and TSN#10BH (0x2b3d87778) file#: 193 rdba: 0x30400002 (193/2) class: 13 ba: 0x2b27d0000set: 60 pool: 3 bsz: 8192 bsi: 0 sflg: 0 pwc: 0,25dbwrid: 0 obj: -1 objn: -1 tsn: [5/10] afn: 193 hint: f hash: [0x3f5509b18,0x3f5509b18] lru: [0x2cfd905c0,0x299e0ba80]ckptq: [NULL] fileq: [NULL]objq: [NULL] objaq: [NULL]st: CR md: NULL tch: 1 lfb: 181cr: [scn: 0x8389e196f7d],[xid: 0x0.0.0],[uba: 0x0.0.0],[cls: 0x8389e196f7d],[sfl: 0x0],[lc: 0x0]flags: encrypted_on_diskPrinting buffer operation history (latest change first):cnt: 1601. sid:11 L213:zib:bic:FCR 02. sid:11 L764:zib:bis:FEN03. sid:11 L212:zib:bic:FSQ 04. sid:11 L032:zib:getlock:SUCC05. sid:11 L968:MK_SCR:ulnk:objq 06. sid:11 L122:zgb:set:st07. sid:11 L830:olq1:clr:WRT+CKT 08. sid:11 L951:zgb:lnk:objq09. sid:11 L372:zgb:set:MEXCL 10. sid:11 L245:zgb:keep:FEN11. sid:11 L896:z_mkfr:ulnk:objq 12. sid:11 L083:zgb:ent:fn13. sid:00 L147:zibmlt:mk:SHR 14. sid:00 L766:zibmlt:bis:FEN15. sid:00 L210:zibmlt:bic:FSQ 16. sid:00 L710:zibmlt:bis:FBPbuffer tsn: 10 rdba: 0x30400002 (193/2)scn: 0x838853824c7 seq: 0x02 flg: 0x14 tail: 0x24c71d02frmt: 0x02 chkval: 0x0ad4 type: 0x1d=KTFB Bitmapped File Space Header----- End of Customized Incident Dump(s) -----[----- SQL Statement (None) ----- Current SQL information unavailable - no cursor. ----- PL/SQL Call Stack ----- object line objecthandle number name0x134de1788 1707 package body SYS.DBMS_BACKUP_RESTORE.BACKUPPIECECREATE |
Observations
From the sample trace file, the cause of the issue is linked to,
1. The cause of the issue seems to be "Tablespace key not found as expected.”
2. The Masterkey associated with the CDB$ROOT and PDB is c41e5f386c6b4fa0bf362ac189ce7a49 and 6c3b392071d64fd7bfb6ed0fe9e2ec59 respectively.
3. It's observed that MKEYID associated with some datafile blocks is ZERO (0) which belongs to the TS#10 in the PDB (CON_ID=5).
References
1. Oracle Support and Oracle Documentation.
2. My Work Experience.
3. Knowledge transfers.
Comments