We're here to help!

Preliminary steps for Standby Database in Oracle Cloud TDE Wallet(12.1 and 12.2)

Follow

Read our docs This article explains the differences between a base build of an oracle 12.1 database and 12.2 database in the Oracle cloud, specifically when creating standby database. This article does not explain actual standby creation, but serves as an example to know what changes needs to be done before creating the standby.

 
Description

 We will first check the 12.1.0.2 database in cloud.

 Oracle Database Service (machine name : LAA Database : ORCL) in the cloud build was 12.1.0.2 SE
In this case All tablespaces are not encrypted on initial build.

SQL> select tablespace_name, encrypted from cdb_tablespaces where tablespace_name like 'USER%';

TABLESPACE_NAME        ENC
---------------------- ---
USERS                  NO

SQL> show parameter encr

NAME                           TYPE    VALUE
----------------------------   ------  ----------------------------
encrypt_new_tablespaces        string  CLOUD_ONLY

When we create new tablespaces its encrypted by default.

SQL> create tablespace users2 datafile '/u02/app/oracle/oradata/ORCL/users02.dbf' size 20M;

Tablespace created.

SQL>  select tablespace_name, encrypted from cdb_tablespaces where tablespace_name like 'USER%';

TABLESPACE_NAME         ENC
----------------------- ---
USERS                   NO
USERS2                  YES

Changing the encryption to DDL and create a new tablespace

SQL> alter system set encrypt_new_tablespaces = 'DDL';

System altered.

SQL> create tablespace users3 datafile '/u02/app/oracle/oradata/ORCL/users03.dbf' size 20M;

Tablespace created.

SQL> select tablespace_name, encrypted from cdb_tablespaces where tablespace_name like 'USER%';

TABLESPACE_NAME        ENC
---------------------- ---
USERS                  NO
USERS2                 YES
USERS3                 NO

In conclusion, with 12.1.0.2, initially the tablespaces are not created as Encrypted, but the default value for parameter encrypt_new_tablespaces (CLOUD_ONLY) means that new ones will be.  If you do not wish new tablespaces to be created as encrypted, alter this parameter to have a value of DDL.  If Encrypted tablepaces are desired, then follow the steps for 12.2.0.1 below with regards to the wallet file copy to the standby server.

Lets move on to the 12.2.0.1 database in Oracle Cloud, the default USERS tablespaces are created as encrypted in the default database build.

(Source Machine : LAA2 ; Target Machine : LAA3)

As a next step we started creating the standby database using version 8.0.10, the backups were successful but the restore failed when it started to restore the USERS tablespace in the standby server(which is also cloud) with the below error.

20170412 05:03:44 main::cmn_cat: RMAN-03002: failure of restore command at 04/12/2017 05:03:44
20170412 05:03:44 main::cmn_cat: ORA-19870: error while restoring backup piece /usr/tmp/dbv_LAACLOUD_csd_dbf_7_17s1flsu_1_1.rman
20170412 05:03:44 main::cmn_cat: ORA-19913: unable to decrypt backup

The wallet file was type autologin, which meant RMAN should open it and decrypt the backup files automatically.  However, the wallet files from the primary server need to be copied to the standby server.

[oracle@LAA2 ~]$ cd /u01/app/oracle/admin/LAA/tde_wallet/
[oracle@LAA2 tde_wallet]$ ls -lrt
total 20
-rw------- 1 oracle oinstall 2408 Apr 12 02:54 ewallet_2017041202541686.p12
-rw------- 1 oracle oinstall 5328 Apr 12 02:54 ewallet.p12
-rw------- 1 oracle oinstall 5371 Apr 12 02:54 cwallet.sso

[oracle@LAA2 tde_wallet]$ dbaascli tde status
DBAAS CLI version 1.0.0
Executing command tde status
TDE is configured on this instance with:
 keystore login: auto
 keystore status: open
 keystore type: autologin

We copied the files from Source (LAA2) to target (LAA3)

[oracle@LAA2 tde_wallet]$ scp *wallet* LAA3:/u01/app/oracle/admin/LAA/tde_wallet/

to the same location on the Standby Server (LAA3)

The sqlnet.ora was updated to reflect this location, and resumed the CSD from where it left off.

[oracle@LAA3 tde_wallet]$ ls -lrt
total 20
-rw------- 1 oracle oinstall 5328 Apr 12 05:21 ewallet.p12
-rw------- 1 oracle oinstall 2408 Apr 12 05:21 ewallet_2017041202541686.p12
-rw------- 1 oracle oinstall 5371 Apr 12 05:21 cwallet.sso

[oracle@LAA3 tde_wallet]$ cd $ORACLE_HOME/network/admin
[oracle@LAA3 admin]$ cat sqlnet.ora
..
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/LAA/tde_wallet)))
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/LAA/db_wallet)))
..

If there are to be multiple databases on the one server. The tde_wallet directoy sits below directory $ORACLE_BASE/admin/$ORACLE_SID therefore the sqlnet.ora can also contain $ORACLE_SID environment variable to distinguish between databases.  

..
ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/tde_wallet)))
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/$ORACLE_SID/db_wallet)))
..

The standby resumed successfully after this step.

[oracle@LAA2 standby]$ ./dbvctl -d LAACLOUD -i
=============================================================
Dbvisit Standby Database Technology (8.0.10.18542) (pid 16496)
dbvctl started on laa2: Wed Apr 12 09:28:04 2017
=============================================================

Dbvisit Standby log gap report for LAA thread 1 at 201704120928:
-------------------------------------------------------------
Destination database on laa3 is at sequence: 4.
Source database on laa2 is at log sequence: 6.
Source database on laa2 is at archived log sequence: 5.
Dbvisit Standby last transfer log sequence: 5.
Dbvisit Standby last transfer at: 2017-04-12 09:27:44.

Archive log gap for LAA:  1.
Transfer log gap for LAA: 0.
Standby database time lag (DAYS-HH:MI:SS): +4:32:22.


=============================================================
dbvctl ended on laa2: Wed Apr 12 09:28:07 2017
=============================================================

[oracle@LAA2 standby]$

 

Note: Oracle 12.2 is fully supported as of Dbvisit Standby 8.0.14

 

Have more questions? Submit a request

Comments