This document describes how to enable TDE Tablespace Online Encryption of Oracle E-Business Suite Release 12.1 and 12.2 databases.
The most current version of this document can be obtained from My Oracle Support Knowledge Document 2559570.1.
- Section 1: Introduction
- Section 2: Prerequisites
- Section 3: TDE Online Datafile Encryption Restrictions
- Section 4: Procedure to Perform TDE Tablespace Online Encryption
- Section 5: Procedure for Decryption
- References
- Change Log
Section 1: Introduction
This document summarizes the procedure to enable TDE Tablespace Online Encryption for an Oracle E-Business Suite database. It is referred to as the Fast Online Conversion method to convert existing clear data to TDE encrypted tablespaces. Using this feature does not require any Oracle E-Business Suite database downtime. As the encryption is transparent to the application, code does not have to be rewritten, and existing SQL statements work as they are. Transparent also means that any authorized database session can read the encrypted data without any problem: the encryption only applies to data-at-rest, i.e. the database datafiles and any backups of them.
This process is the recommended Oracle Maximum Availability Architecture best practice for converting to TDE with no downtime and least complexity. It supersedes the previous methods for converting to TDE, which are described in the documents listed under References.
Section 2: Prerequisites
- Understand TDE implications and restrictions and develop a process for maintaining wallets and keys. Refer to the Oracle Database Advanced Security Administrator's Guide (19.0.0) for further details.
- Ensure the COMPATIBLE database parameter is set to the appropriate database version, 19.0.0.
- Take a full backup of your database before starting the procedure
Section 3: TDE Online Datafile Encryption Restrictions
The following restrictions apply to implementing Tablespace Encryption using Fast Online Conversion:
- TEMP tablespaces cannot be encrypted.
- External Large Objects (BFILEs) cannot be encrypted using TDE tablespace encryption, because these files reside outside the database.
Section 4: Procedure to Perform TDE Tablespace Online Encryption
This section describes the steps needed to perform TDE Tablespace Online Encryption for an Oracle E-Business Suite database.
- Source your Oracle E-Business Suite Database Oracle Home.
- Create the required wallet by specifying the wallet location in the pfile or spfile:
Refer to "Configure the Software Keystore Location and Type" in the Oracle Database Advanced Security Guide 19c for more information.
- Create the corresponding directory manually:
$ mkdir -p $ORACLE_BASE/admin/<db_unique_name>/wallet
- Add the following entry to the parameter file:
SQL> alter system set WALLET_ROOT='$ORACLE_BASE/admin/<db_unique_name>/wallet' scope=spfile sid='*';
Restart the database.
- Set the TDE_CONFIGURATION dynamic initialization parameter to specify the keystore type.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;
- Restart the database.
- Check the wallet location and status:
$ sqlplus / as sysdba
SQL> select * from V$encryption_wallet;
- Set the master encryption key from SQL*Plus:
Source the container database environment:
$ sqlplus / as sysdba
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'keystore_location' IDENTIFIED BY software_keystore_password;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY software_keystore_password;
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY software_keystore_password WITH BACKUP;
Connect to PDB <PDB_NAME>:
SQL> alter session set container="<PDB_NAME>";
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY software_keystore_password;
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY software_keystore_password WITH BACKUP;
To create an Auto-Login or a Local Auto-Login Software Keystore, source the container database environment and run:
SQL> ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE FROM KEYSTORE 'keystore_location' IDENTIFIED BY software_keystore_password;
Note: The keystore location is $ORACLE_BASE/admin/<db_unique_name>/wallet/tde
- Bounce the database:
SQL> shutdown normal;
SQL> exit;
- Start up the database normally, ensuring that the wallet is open:
Source the container database environment
$ sqlplus "/ as sysdba"
For Autologin:
SQL> startup
For Password based:
SQL> startup mount;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY software_keystore_password;
SQL> alter database open;
Check the wallet location and status:
SQL> select * from V$encryption_wallet;
- Identify all the temporary and undo tablespaces in the CDB and PDB:
SQL> select tablespace_name from dba_tablespaces where contents='TEMPORARY' and STATUS='ONLINE';
SQL> select tablespace_name from dba_tablespaces where contents='UNDO' and STATUS='ONLINE';
- Encryption Conversions for Existing Online Tablespaces other than temp:
Source the container database environment
$ sqlplus / as sysdba
The following steps can be performed in the CDB or PDB as per your requirement:
Connect to PDB <PDB_NAME>:
SQL> alter session set container="<PDB_NAME>";
SQL> ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES192' ENCRYPT FILE_NAME_CONVERT = ('users1.dbf', 'users1_enc.dbf', 'users2.dbf', 'users2_enc.dbf');
Repeat the command above, as required, for the other tablespaces that you wish to encrypt. If any tablespace datafile was missed, you can complete the conversion by performing the steps documented in "Finishing an Interrupted Online Encryption Conversion" in the Oracle Database Advanced Security Guide 19c.
Note: Ensure that there is sufficient space in the file system. If your datafile is 5Gb, then 6Gb of free space is required to perform the encryption of that datafile.
- Check the status of tablespace encryption by connecting to SQL*Plus as sysdba and running the query shown:
$ sqlplus / as sysdba
The following steps can be performed in the CDB or PDB as per your requirement:
Connect to PDB <PDB_NAME>:
SQL> alter session set container="<PDB_NAME>";
SQL> select tablespace_name, encrypted from dba_tablespaces;
Section 5: Procedure for Decryption
Online Tablespace Encryption is a reversible procedure. This section lists the steps you can use to decrypt an encrypted database.
- Source the Oracle E-Business Suite Container Database Oracle Home.
- Decrypt the datafiles by connecting to SQL*Plus as sysdba:
$ sqlplus / as sysdba
The following steps can be performed in the CDB or PDB as per your requirement:
Connect to PDB <PDB_NAME>:
SQL> alter session set container="<PDB_NAME>";
SQL> ALTER TABLESPACE users ENCRYPTION ONLINE DECRYPT FILE_NAME_CONVERT = ('users1_enc.dbf', 'users1.dbf', 'users2_enc.dbf', 'users2.dbf');
Repeat the command above, as required, for the other tablespaces that you wish to decrypt.
If any tablespace datafile was missed, you can complete the conversion by performing the steps documented in "Finishing an Interrupted Online Encryption Conversion" in the Oracle Database Advanced Security Guide 19c.
- Check the status of encryption using the query in Step 8 above (select tablespace_name, encrypted from dba_tablespaces). It should show NO in the ENCRYPTED column for the decrypted tablespaces.
- Close the wallet
- Shut down the container or pluggable database from SQL*Plus:
Source the container database environment, or, for the PDB that you want to stop, set:
export ORACLE_PDB_SID="<PDB_NAME>"
$ sqlplus / as sysdba
SQL> shutdown
- Start up the container or pluggable database from SQL*Plus:
Source the container database environment, or, for the PDB that you want to start, set:
export ORACLE_PDB_SID="<PDB_NAME>"
$ sqlplus / as sysdba
SQL> startup
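As an added example that is not part of the MOS note, the following PL/SQL block generates the ALTER TABLESPACE ... ENCRYPTION ONLINE statements for both the encryption steps of Section 4 and the decryption steps of Section 5, skipping TEMPORARY and UNDO tablespaces and reporting the free space the note's 5Gb-to-6Gb rule calls for. It assumes you run it as SYSDBA in the CDB or PDB with the keystore already open; the '_enc' file-name suffix, 'AES192' and the 6/5 space ratio are taken from the note's own examples, and the p_mode constant is a name chosen here.

```sql
-- Added example, not part of MOS note 2559570.1: build one ALTER TABLESPACE
-- ENCRYPTION ONLINE statement per tablespace in the current container.
-- Assumptions: run as SYSDBA with the keystore OPEN; '_enc' suffix and 'AES192'
-- follow the note's USERS example; free space applies the note's 5Gb -> 6Gb rule
-- (bytes * 6 / 5). Set p_mode to 'ENCRYPT' (Section 4) or 'DECRYPT' (Section 5).
SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
  p_mode    CONSTANT VARCHAR2(7) := 'ENCRYPT';
  l_open    NUMBER;
  l_convert VARCHAR2(32767);
  l_bytes   NUMBER;
BEGIN
  -- ENCRYPTION ONLINE fails unless the keystore is OPEN, so check V$ENCRYPTION_WALLET first.
  SELECT COUNT(*) INTO l_open FROM v$encryption_wallet WHERE status = 'OPEN';
  IF l_open = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Keystore is not OPEN; open it as in Section 4 first');
  END IF;
  -- TEMPORARY tablespaces cannot be encrypted (Section 3); UNDO is left out as the note does.
  FOR ts IN (SELECT tablespace_name
               FROM dba_tablespaces
              WHERE contents NOT IN ('TEMPORARY', 'UNDO')
                AND status = 'ONLINE'
                AND encrypted = CASE p_mode WHEN 'ENCRYPT' THEN 'NO' ELSE 'YES' END
              ORDER BY tablespace_name)
  LOOP
    l_convert := NULL;
    l_bytes   := 0;
    -- One (old_name, new_name) pair per datafile so that no datafile is missed.
    FOR df IN (SELECT file_name, bytes FROM dba_data_files
                WHERE tablespace_name = ts.tablespace_name ORDER BY file_id)
    LOOP
      l_bytes   := l_bytes + df.bytes;
      l_convert := l_convert || CASE WHEN l_convert IS NOT NULL THEN ', ' END
                   || '''' || df.file_name || ''', '''
                   || CASE p_mode
                        WHEN 'ENCRYPT' THEN REPLACE(df.file_name, '.dbf', '_enc.dbf')
                        ELSE REPLACE(df.file_name, '_enc.dbf', '.dbf')
                      END || '''';
    END LOOP;
    DBMS_OUTPUT.PUT_LINE('-- ' || ts.tablespace_name || ': '
      || ROUND(l_bytes / POWER(1024, 3), 2) || ' GB of datafiles, keep at least '
      || ROUND(l_bytes * 6 / 5 / POWER(1024, 3), 2) || ' GB free on the file system');
    DBMS_OUTPUT.PUT_LINE('ALTER TABLESPACE ' || ts.tablespace_name || ' ENCRYPTION ONLINE '
      || CASE p_mode WHEN 'ENCRYPT' THEN 'USING ''AES192'' ENCRYPT' ELSE 'DECRYPT' END
      || ' FILE_NAME_CONVERT = (' || l_convert || ');');
  END LOOP;
END;
/
```

Spool the output, review it against the free-space figures, and run the statements in the same container (CDB or PDB) in which the block was executed.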
References
The following My Oracle Support knowledge documents describe earlier methods for converting Oracle E-Business Suite databases to use TDE:
- Document 828229.1, Using TDE Tablespace Encryption with Oracle E-Business Suite Release 12
- Document 1584458.1, Using TDE Tablespace Encryption with Oracle E-Business Suite Release 12 (Database 12c)
- Document 1585296.1, Using TDE Tablespace Encryption with Oracle E-Business Suite Release 12.2