This post explains the steps needed to clone a Pluggable Database (PDB) when the Source, the Target, or both use Oracle Key Vault (OKV).
Case 1: When both Source and Target databases are using Oracle Key Vault (TDE Direct connection)
1. Create the PDB in the Target container by cloning the Source PDB (using whichever cloning method is suitable).
2. Find the currently active Masterkey of the Source PDB (from v$encryption_keys) and add the Target DB's wallet as a member of this Masterkey using the following steps:
- Log in to the OKV Console as a user with the Key Admin privilege.
- Navigate to 'Keys & Wallets' -> 'All Items'.
- Click the 'Action' button, select 'Filter' -> 'Column' -> 'Name'. Choose 'Operator' as 'like', put the Source PDB's Masterkey in the 'Expression' field and press the 'Apply' button.
- It will display the entry corresponding to that Masterkey. Click the 'Pencil' icon to edit the entry.
- In the details window click the 'Add Wallet Membership' button. Select the Target DB's wallet and then click the 'Add' button.
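The Masterkey the OKV filter needs is the KEY_ID of the Source PDB's active key. The following query, an added example that is not part of the original post, lists the keys of one PDB from the CDB root with the most recently activated key first; the PDB name SRCPDB and the column set used here are assumptions for illustration.

```sql
-- Run in the Source CDB root (CDB$ROOT) as a user with SYSKM or SYSDBA.
-- SRCPDB is a placeholder for the Source PDB name.
-- The first row returned is the currently active Masterkey; copy its KEY_ID
-- into the 'Expression' field of the OKV filter (Operator 'like').
SELECT k.key_id,
       k.tag,
       k.keystore_type,
       k.creation_time,
       k.activation_time,
       k.con_id
FROM   v$encryption_keys k
WHERE  k.con_id = (SELECT p.con_id
                   FROM   v$pdbs p
                   WHERE  p.name = 'SRCPDB')
ORDER  BY k.activation_time DESC;
```

A KEYSTORE_TYPE of OKV confirms that the Source PDB is indeed using the TDE direct connection (Case 1); if it reports a software keystore, Case 2 applies instead.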
Case 2: When Source database is using Software (Local) wallet and only Target database is using OKV (TDE Direct connection)
As the Source database is using a local wallet, the Masterkey of the corresponding PDB does not exist in OKV, hence the following steps need to be performed:
1. Create and Enroll an endpoint for the Source database in OKV
2. Create a Virtual wallet and assign it to the Endpoint.
3. Upload the local wallet from Source database to this newly created Virtual Wallet in OKV (using okvutil upload command).
4. Now all the keys of the Source database should be present in the Virtual wallet (please verify).
5. Keep only those keys (in the Virtual Wallet) that correspond to the PDB to be cloned and delete the remaining ones.
6. Clone the Source PDB to the Target server.
7. For each key in the Source's Virtual Wallet, add the Target DB's wallet as a member (as explained in Step 2 of Case 1).
Case 3: When the Source database is using OKV (TDE Direct connection) and the Target database is using a Software (Local) wallet
As the Source DB is using OKV, the keys are not available locally after cloning the PDB, and the cloned PDB will still try to contact OKV. Hence the following steps are needed:
1. Reverse migrate the Source database from OKV to local TDE i.e. configure the Source database to use Local TDE wallet.
2. Clone the Source PDB to the Target container.
3. Export the keys from the Source PDB and import them into the Target PDB.
NOTE: The following commands can be used to export/import the keys:
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "export_secret" TO '[export_file_name]' IDENTIFIED BY [keystore_password];
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "import_secret" FROM '[export_file_name]' IDENTIFIED BY [keystore_password] WITH BACKUP;
4. Now migrate the Source database back to OKV again i.e. configure the Source database to use OKV.
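As an added example that is not part of the original post, here is the export/import of step 3 carried through for one Source and one Target PDB. The PDB names SRCPDB and TGTPDB, the export file path and the passwords are placeholders; the secret given on import must be the same one used on export, and the file must be copied to the Target host between the two halves.

```sql
-- === On the Source host, after step 1 (Source is now on a local wallet) ===
ALTER SESSION SET CONTAINER = SRCPDB;

-- The keystore of the PDB must be open before keys can be exported.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY src_keystore_password;

-- Export all Masterkeys of this PDB, wrapped with the export secret.
-- Placeholder path; choose a location readable only by the Oracle software owner.
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS
  WITH SECRET "export_secret"
  TO '/secure/exports/srcpdb_keys.exp'
  IDENTIFIED BY src_keystore_password;

-- === Copy /secure/exports/srcpdb_keys.exp to the Target host, then: ===
ALTER SESSION SET CONTAINER = TGTPDB;

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY tgt_keystore_password;

-- Import with the SAME secret that was used for the export; WITH BACKUP
-- takes a copy of the Target wallet before it is modified.
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS
  WITH SECRET "export_secret"
  FROM '/secure/exports/srcpdb_keys.exp'
  IDENTIFIED BY tgt_keystore_password
  WITH BACKUP;

-- Verify that the Source PDB's KEY_ID values are now present for the cloned PDB.
SELECT key_id, keystore_type, activation_time
FROM   v$encryption_keys
ORDER  BY activation_time DESC;
```

Once the import is verified, delete the export file from both hosts: it holds the PDB's Masterkeys protected only by the export secret.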