Oracle 12c TDE on RAC Database with Physical Standby RAC. The Oracle Database Home has Multiple Instances, due to which we have to use parameter $ORACLE_UNQNAME for ENCRYPTION_WALLET_LOCATION in sqlnet.ora file
In Oracle 12c ALTER SYSTEM and orapki has been deprecated and the correct method is to use ADMINISTER KEY MANAGEMENT commands. Many of the statements from the ALTER SYSTEM SQL statement correspond to the ADMINISTER KEY MANAGEMENT statement.
1. Create folder for wallets, since this is RAC cluster database ,it is better to have a shared filesystem. In our case it is ACFS
mkdir -p /ACFS/wallets/primeprd mkdir -p /ACFS/wallets/onlnprd chown -R oracle:oinstall /ACFS/wallets/primeprd chown -R oracle:oinstall /ACFS/wallets/onlnprd
2. Create sqlnet.ora file with encryption wallet location, do on both nodes with oracle user
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY=/ACFS/wallets/$ORACLE_UNQNAME/)))
3. Set DB Unique Name for the databases and verfiy the encryption wallet location, do on both nodes with oracle user
Also it is better to set the ORACLE_UNQNAME in the user profile
export ORACLE_UNQNAME=`$ORACLE_HOME/bin/srvctl config database |grep -w ${ORACLE_SID%?}` echo $ORACLE_UNQNAME srvctl setenv database -d primeprd -T "ORACLE_UNQNAME=primeprd" select * from v$encryption_wallet; export ORACLE_UNQNAME=`$ORACLE_HOME/bin/srvctl config database |grep -w ${ORACLE_SID%?}` echo $ORACLE_UNQNAME srvctl setenv database -d onlnprd -T "ORACLE_UNQNAME=onlnprd" select * from v$encryption_wallet;
4. At Dr side, with Oracle user in DB home directory
mkdir -p /ACFS/wallets/primedr mkdir -p /ACFS/wallets/onlndr chown -R oracle:oinstall /ACFS/wallets/onlndr chown -R oracle:oinstall /ACFS/wallets/primedr
Create sqlnet.ora file in DR side with encryption wallet location, do on both nodes with oracle user
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY=/ACFS/wallets/$ORACLE_UNQNAME/))) export ORACLE_UNQNAME=`$ORACLE_HOME/bin/srvctl config database |grep -w ${ORACLE_SID%?}` echo $ORACLE_UNQNAME srvctl setenv database -d onlndr -T "ORACLE_UNQNAME=onlndr" export ORACLE_UNQNAME=`$ORACLE_HOME/bin/srvctl config database |grep -w ${ORACLE_SID%?}` echo $ORACLE_UNQNAME srvctl setenv database -d primedr -T "ORACLE_UNQNAME=primedr" SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ NOT_AVAILABLE UNKNOWN SINGLE UNDEFINED SQL> administer key management create keystore '/ACFS/wallet/primeprd/' identified by "Abc1234$#"; keystore altered. SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ CLOSED UNKNOWN SINGLE UNDEFINED SQL> administer key management set keystore open identified by Abc1234$#; keystore altered. SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED SQL> administer key management create key identified by Abc1234$# with backup; keystore altered. SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ OPEN_NO_MASTER_KEY PASSWORD SINGLE UNDEFINED SQL> select key_id from v$encryption_keys; KEY_ID ------------------------------------------------------------------------------ AcVlvDzDNE8iv/rD38jpCtYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SQL> administer key management use key 'AcVlvDzDNE8iv/rD38jpCtYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' identified by Abc1234$# with backup; keystore altered. SQL> select key_id,activation_time from v$encryption_keys; KEY_ID ------------------------------------------------------------------------------ ACTIVATION_TIME --------------------------------------------------------------------------- AcVlvDzDNE8iv/rD38jpCtYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 23-NOV-16 09.53.46.485930 AM +00:00 SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ OPEN PASSWORD SINGLE NO primeprd1::12c-->srvctl stop database -d primeprd primeprd1::12c-->srvctl start database -d primeprd primeprd1::12c-->sqld SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ CLOSED UNKNOWN SINGLE UNDEFINED SQL> administer key management set keystore open identified by Abc1234$#; keystore altered. SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ OPEN PASSWORD SINGLE NO -- Create Auto Login for the Keystore -- SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/ACFS/wallet/primeprd/' identified by Abc1234$#; keystore altered. primeprd1::12c-->srvctl stop database -d primeprd primeprd1::12c-->srvctl start database -d primeprd primeprd1::12c-->sqld SQL*Plus: Release 12.1.0.2.0 Production on Wed Nov 23 13:13:30 2016 Copyright (c) 1982, 2014, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP, Advanced Analytics and Real Application Testing options SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallet/primeprd/ OPEN AUTOLOGIN SINGLE NO Copy the Encryption key Files to Standby Site as "Oracle" user primeprd2::12c-->cd /ACFS/wallet/primeprd/ primeprd2::12c-->scp -r * oracle@exadrdbadm01:/ACFS/wallets/primedr The authenticity of host 'exadrdbadm01 (10.5.238.11)' can't be established. RSA key fingerprint is c8:c0:69:80:1c:c8:ea:e3:6c:46:6b:c1:05:86:aa:c9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'exadrdbadm01,10.5.238.11' (RSA) to the list of known hosts. oracle@exadrdbadm01's password: cwallet.sso 100% 3893 3.8KB/s 00:00 ewallet_2016112309525312.p12 100% 2408 2.4KB/s 00:00 ewallet_2016112309534645.p12 100% 3656 3.6KB/s 00:00 ewallet.p12 100% 3848 3.8KB/s 00:00 -- At DR Side on Both Nodes-- SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC CON_ID ------------------------------ -------------------- --------- --------- ---------- FILE /u03/app/oracle/admin/primedr/wallet NOT_AVAILABLE UNKNOWN SINGLE UNDEFINED /home/oracle::12c-->cd /u03/app/oracle/product/12.1.0.2/teststandby/network/admin/ /u03/app/oracle/product/12.1.0.2/teststandby/network/admin::12c-->vi sqlnet.ora ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /ACFS/wallets/primedr/$ORACLE_UNQNAME/))) /u03/app/oracle/product/12.1.0.2/teststandby/network/admin::12c-->sqld SQL*Plus: Release 12.1.0.2.0 Production on Wed Nov 23 13:27:22 2016 Copyright (c) 1982, 2014, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP, Advanced Analytics and Real Application Testing options SQL> select * from v$encryption_wallet; WRL_TYPE -------------------- WRL_PARAMETER -------------------------------------------------------------------------------- STATUS WALLET_TYPE WALLET_OR FULLY_BAC ------------------------------ -------------------- --------- --------- CON_ID ---------- FILE /ACFS/wallets/primedr/ OPEN AUTOLOGIN SINGLE NO SQL> exit 5. Create Encrypted Tablespace CREATE TABLESPACE encrypt_ts DATAFILE '+DATAC1' SIZE 250M ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);