23ai, DBCA, Cloud, and TDE

23ai is already available in the Cloud, and on ExaCC as well. It is On-Prem, but it is Cloud too, so we can use it. Recently I needed to create some databases manually (not using the ExaCC dbaas* utilities) and encountered some interesting details when using dbca, mainly because in the Cloud we are forced to have encrypted databases. You can skip directly to the end to see how to create databases with TDE enabled from the beginning when using dbca, or read the rest of the post for the root cause and the troubleshooting.

19c and traditional dbca

As a reminder, if you want to create a database using dbca, you have a lot of options but nothing related to TDE:

[oracle@o8p1-19c ~]$ which dbca
/u01/app/oracle/product/19.18.0.0/dbhome_2/bin/dbca
[oracle@o8p1-19c ~]$
[oracle@o8p1-19c ~]$ dbca -silent -createDatabase -help |grep -i TDE
[oracle@o8p1-19c ~]$

23ai and traditional dbca usage

So, when I tried to create the database with dbca, I used the same parameters that I had used in all my previous years. But it failed, reporting “ORA-28361: Master key not yet set”:

[oracle@exxc05db01-]$ which dbca
/u02/app/oracle/product/23.0.0.0/dbhome_1/bin/dbca
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.

9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I.log" for further details.
[oracle@exxc05db01-]$

Intriguingly, the failure tells me that the master key was not set. So, I checked the log and found nothing special, just that the file CreateDBFiles.log shows that the creation of the tablespaces failed because the master key was not set:

CREATE SMALLFILE TABLESPACE "USERS" LOGGING  DATAFILE  SIZE 5M AUTOEXTEND ON NEXT  1280K MAXSIZE UNLIMITED  EXTENT MANAGEMENT LOCAL  SEGMENT SPACE MANAGEMENT  AUTO
*
ERROR at line 1:
ORA-28361: Master key not yet set.
Help: https://docs.oracle.com/error-help/db/ora-28361/

Following the rabbit hole, I went to the alert log and started to find some clues:

…
--ATTENTION--
Cannot transparently encrypt Oracle-managed tablespace SYSTEM (container 1) per Oracle Cloud mandate because master key has not been set.
Tablespace created: SYSTEM ts# 0
Completed: create tablespace SYSTEM datafile  SIZE 700M AUTOEXTEND ON NEXT  10240K MAXSIZE UNLIMITED

  EXTENT MANAGEMENT LOCAL online
…

And before that, we have:

…
Broadcast on commit is enabled and is using RDMA mode.
--ATTENTION--
Master key must be set for the pluggable database (PDB) CON_ID=1 (CDB$ROOT) when TABLESPACE_ENCRYPTION is set. Not doing so will disable Hybrid Data Guard encryption.
2024-06-18T15:29:45.191424+02:00
…

So, I checked the TABLESPACE_ENCRYPTION parameter as of database startup, and it was set to AUTO_ENABLE:

…
System parameters with non-default values:
  processes                = 500
  use_large_pages          = "ONLY"
  pga_aggregate_limit      = 15G
  nls_language             = "AMERICAN"
  nls_territory            = "LUXEMBOURG"
  sga_target               = 4G
  db_block_size            = 8192
  tablespace_encryption    = "AUTO_ENABLE"
…

And we can see that it was set to AUTO_ENABLE because it is Cloud (ExaCC is Cloud in the end).

Trying to bypass it

So, I checked 23ai, and dbca now has a complete set of TDE parameters to work with when creating the database. You can see them below, and in the official documentation as well:

[oracle@exxc05db01-]$ dbca -silent -createDatabase -help
        -createDatabase - Command to Create a database.
                -responseFile | (-gdbName -templateName)
                -responseFile - <Fully qualified path for a response file>
                -gdbName <Global database name>
                -templateName <Specify an existing template in default location or the complete template path for DB Creation or provide a new template name for template creation>
                [-adminManaged | -managementPolicy]
                [-adminManaged <Admin managed database, this is default option>]
                [-managementPolicy <AUTOMATIC | RANK> Database management Policy, default value is AUTOMATIC]
                [-characterSet <Character set for the database>]
                [-configureTDE <true | false> Specify true to configure TDE wallet]
                        [-encryptPDBTablespaces <Specify ALL to encrypt all Tablespaces or A comma separated list of name:value pairs with tablespace encryption to true/false. For example SYSTEM:true,SYSAUX:false>]
                        [-encryptTablespaces <Specify ALL to encrypt all Tablespaces or A comma separated list of name:value pairs with tablespace encryption to true/false. For example SYSTEM:true,SYSAUX:false>]
                        [-pdbTDEPassword <Specify password for PDB TDE wallet>]
                        [-primaryDBTdeWallet <Specify the location for TDE wallet of primary database>]
                        [-sourcePdbTDEPassword <Specify password for source PDB TDE wallet and it is used only in creation of PDB from existing PDB which has TDE wallet>]
                        [-sourceTdeWalletPassword <Specify password for source database TDE wallet>]
                        [-tdeAlgorithm <Specify the TDE Algorithm Type.>]
                        [-tdeWalletLoginType <Specify the TDE Wallet Login Type, PASSWORD | AUTO_LOGIN  | LOCAL_AUTO_LOGIN. Default is PASSWORD for SI and AUTO_LOGIN is default for RAC]
                        [-tdeWalletModeForPDB <Type of keystore, either UNITED or ISOLATED. Default is UNITED>]
                        [-tdeWalletPassword <Specify password for TDE wallet>]
                        [-tdeWalletPathInTarFile <value>]
                        [-tdeWalletRoot <Specify the location for TDE wallet root init parameter>]
                [-createListener <Create a new listener to register your database. Specify in format, LISTENER_NAME:PORT>]
…
…

My first try was to disable TDE when calling dbca:

[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -configureTDE FALSE
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.

9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I.log" for further details.
[oracle@exxc05db01-]$

And in the alert log I had the same AUTO_ENABLE value for TABLESPACE_ENCRYPTION.

The second try was forcing dbca to set one parameter while creating the database. I made the call adding -initParams "TABLESPACE_ENCRYPTION=MANUAL_ENABLE". Don’t worry about the database name warning message; I was creating/testing several times:

[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I2 -adminManaged -sid DBN234I2 -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -initParams "TABLESPACE_ENCRYPTION=MANUAL_ENABLE"
[WARNING] [DBT-10331] Specified SID Prefix (DBN234I2) may have a potential conflict with an already existing database on the system.
   CAUSE: The specified SID Prefix without the trailing numeric characters (DBN234I) may have a potential conflict with an already existing database on the system.
   ACTION: Specify a different SID Prefix that does not conflict with existing databases on the system.
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete

6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.

9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I2/DBN234I20.log" for further details.
[oracle@exxc05db01-]$

In the trace file linked to this creation you can see that it was called with MANUAL_ENABLE:

[progressPage.flowWorker] [ 2024-06-18 15:29:17.838 CEST ] [InitParamAttributes.createInitFile:1904]  Processing init param tablespace_encryption
[progressPage.flowWorker] [ 2024-06-18 15:29:17.838 CEST ] [InitParamAttributes.createInitFile:1909]  The value is MANUAL_ENABLE

But even so, in the alert log it was forced to be enabled (compare the times):

2024-06-18T15:29:43.815393+02:00
Broadcast on commit is enabled and is using RDMA mode.
--ATTENTION--
Master key must be set for the pluggable database (PDB) CON_ID=1 (CDB$ROOT) when TABLESPACE_ENCRYPTION is set. Not doing so will disable Hybrid Data Guard encryption.
2024-06-18T15:29:45.191424+02:00

The third try was setting the old parameter ENCRYPT_NEW_TABLESPACES (which in 23ai was replaced by TABLESPACE_ENCRYPTION). But the same failure:

[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I2 -adminManaged -sid DBN234I2 -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -initParams "tablespace_encryption=MANUAL_ENABLE,encrypt_new_tablespaces=DDL"
[WARNING] [DBT-10331] Specified SID Prefix (DBN234I2) may have a potential conflict with an already existing database on the system.
   CAUSE: The specified SID Prefix without the trailing numeric characters (DBN234I) may have a potential conflict with an already existing database on the system.
   ACTION: Specify a different SID Prefix that does not conflict with existing databases on the system.
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.

9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist

8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I2/DBN234I21.log" for further details.
[oracle@exxc05db01-]$

How to do it properly

So, if you want to create a database using dbca in the Cloud, you need to use the new parameters properly, with the correct values. As shown above, dbca has new parameters to be used for TDE, but how do we set them? Since the documentation for 23ai is not 100% released, the only place where you can find the info is the Advanced Security Guide, topic 6.11.1 Using DBCA to Create an Encrypted Database.

The first step (since we are in RAC) is to create a shared folder for your wallet. On ExaCC you can create it on ACFS; if you do not use a folder shared between the instances, you will receive an error. So, let’s create the folder on ACFS:

[oracle@exxc05db01-]$ mkdir /acfs01/acfs/DBN234I
[oracle@exxc05db01-]$

After that, we can call dbca with the parameters below:

  • configureTDE: Set to TRUE to enable TDE while creating the database.
  • tdeWalletRoot: Folder where the wallet will be stored.
  • tdeWalletLoginType: For RAC it needs to be AUTO_LOGIN.
  • tdeWalletPassword: The wallet/TDE password.
  • encryptPDBTablespaces: Which PDB tablespaces will be encrypted when the database is created. I recommend setting it to ALL to avoid incompatibilities with other parameters.

So, using these new parameters my dbca call is:

[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -configureTDE TRUE -tdeWalletRoot /acfs01/acfs/DBN234I -tdeWalletLoginType AUTO_LOGIN -TdeWalletPassword 'fdertyhj4567890h32aghte2457AAABB'  -encryptPDBTablespaces ALL
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
[WARNING] ORA-02097: parameter cannot be modified because specified value is invalid
ORA-28457: ENCRYPT_NEW_TABLESPACES can only be set to ALWAYS when TABLESPACE_ENCRYPTION is set to AUTO_ENABLE.

8% complete
Creating database files
9% complete
12% complete
Creating data dictionary views
13% complete
16% complete
17% complete
18% complete
24% complete
Oracle JVM
30% complete
36% complete
42% complete
44% complete
Oracle Text
46% complete
48% complete
Oracle OLAP
52% complete
Oracle Spatial
53% complete
60% complete
Oracle Label Security
68% complete
Oracle Database Vault
76% complete
Creating cluster database views
77% complete
84% complete
Completing Database Creation
86% complete
87% complete
88% complete
Executing Post Configuration Actions
100% complete
Database creation complete. For details check the logfiles at:
 /u02/app/oracle/cfgtoollogs/dbca/DBN234I.
Database Information:
Global Database Name:DBN234I
System Identifier(SID) Prefix:DBN234I
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I.log" for further details.
[oracle@exxc05db01-]$

As you can see, the creation now worked. The interesting part is the warning about ENCRYPT_NEW_TABLESPACES. I checked the logs and could see that dbca tried to set it to DDL, which is not allowed since TABLESPACE_ENCRYPTION is forced to be AUTO_ENABLE.

Below we can see that the database was properly configured with TDE and tablespaces encrypted:

[oracle@exxc05db01-]$ ls -l /acfs01/acfs/DBN234I/
total 52
drwxr-x--- 2 oracle oinstall 20480 Jun 18 10:12 tde
[oracle@exxc05db01-]$ ls -l /acfs01/acfs/DBN234I/tde/
total 12
-rw------- 1 oracle asmdba 3864 Jun 18 10:12 cwallet.sso
-rw------- 1 oracle asmdba 2555 Jun 18 10:12 ewallet_2024061808124993.p12
-rw------- 1 oracle asmdba 3819 Jun 18 10:12 ewallet.p12
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$ export ORACLE_SID=DBN234I1
[oracle@exxc05db01-DBN234I1]$ sqlplus / as sysdba

SQL*Plus: Release 23.0.0.0.0 - Production on Tue Jun 18 11:18:33 2024
Version 23.4.0.24.05

Copyright (c) 1982, 2024, Oracle.  All rights reserved.


Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05

SQL> show parameter tde

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
one_step_plugin_for_pdb_with_tde     boolean     FALSE
tde_configuration                    string      keystore_configuration=FILE
tde_key_cache                        boolean     FALSE
SQL>
SQL> show parameter ENCRYPT_NEW_TABLESPACES

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL>
SQL> select TABLESPACE_NAME, ENCRYPTED, con_id from cdb_tablespaces order by con_id, TABLESPACE_NAME;

TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         NO           1
SYSTEM                         NO           1
TEMP                           NO           1
UNDOTBS1                       NO           1
UNDOTBS2                       YES          1
USERS                          YES          1

6 rows selected.

SQL>
SQL> show parameter ENCRYPT_NEW_TABLESPACES

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL>
SQL> show parameter TABLESPACE_ENCRYPTION

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tablespace_encryption                string      AUTO_ENABLE
tablespace_encryption_default_algori string      AES256
thm
tablespace_encryption_default_cipher string      XTS
_mode
SQL>
SQL> exit
Disconnected from Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05
[oracle@exxc05db01-DBN234I1]$

One detail that I didn’t appreciate was that just one UNDO is encrypted and the result is mixed: some CDB tablespaces are encrypted, and others are not.

Can we do better?

The answer is YES. We can use the parameter encryptTablespaces (with value ALL) and this will encrypt everything:

[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -configureTDE TRUE -tdeWalletRoot /acfs01/acfs/DBN234I -tdeWalletLoginType AUTO_LOGIN -TdeWalletPassword 'fdertyhj4567890h32aghte2457AAABB'  -encryptPDBTablespaces ALL -encryptTablespaces ALL
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
   CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
   ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
9% complete
12% complete
Creating data dictionary views
13% complete
16% complete
17% complete
18% complete
24% complete
Oracle JVM
30% complete
36% complete
42% complete
44% complete
Oracle Text
46% complete
48% complete
Oracle OLAP
52% complete
Oracle Spatial
53% complete
60% complete
Oracle Label Security
68% complete
Oracle Database Vault
76% complete
Creating cluster database views
77% complete
84% complete
Completing Database Creation
86% complete
87% complete
88% complete
Executing Post Configuration Actions
100% complete
Database creation complete. For details check the logfiles at:
 /u02/app/oracle/cfgtoollogs/dbca/DBN234I.
Database Information:
Global Database Name:DBN234I
System Identifier(SID) Prefix:DBN234I
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I0.log" for further details.
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$ export ORACLE_SID=DBN234I1
[oracle@exxc05db01-DBN234I1]$
[oracle@exxc05db01-DBN234I1]$ sqlplus / as sysdba

SQL*Plus: Release 23.0.0.0.0 - Production on Thu Jun 20 15:03:06 2024
Version 23.4.0.24.05

Copyright (c) 1982, 2024, Oracle.  All rights reserved.


Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05

SQL> show parameter tde

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
one_step_plugin_for_pdb_with_tde     boolean     FALSE
tde_configuration                    string      keystore_configuration=FILE
tde_key_cache                        boolean     FALSE
SQL> show parameter ENCRYPT_NEW_TABLESPACES

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL> select TABLESPACE_NAME, ENCRYPTED, con_id from cdb_tablespaces order by con_id, TABLESPACE_NAME;

TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         YES          1
SYSTEM                         YES          1
TEMP                           YES          1
UNDOTBS1                       YES          1
UNDOTBS2                       YES          1
USERS                          YES          1

6 rows selected.

SQL> show parameter ENCRYPT_NEW_TABLESPACES

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL> show parameter TABLESPACE_ENCRYPTION

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tablespace_encryption                string      AUTO_ENABLE
tablespace_encryption_default_algori string      AES256
thm
tablespace_encryption_default_cipher string      XTS
_mode
SQL> exit
Disconnected from Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05
[oracle@exxc05db01-DBN234I1]$

As you can see above, all the tablespaces are now encrypted, all of them using the auto_login wallet.
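The manual verification above can be turned into a repeatable post-creation check. The script below is an added example, not part of the original post: the function names (unencrypted_tablespaces, param_value, audit) are hypothetical, and the embedded sample data is the SQL*Plus output from the two successful runs shown in this post.

```shell
#!/bin/sh
# Added example, not from the original post. The sample data is the SQL*Plus
# output shown in the post, embedded so the script runs offline.

# unencrypted_tablespaces: reads on stdin the output of
#   select TABLESPACE_NAME, ENCRYPTED, con_id from cdb_tablespaces ...
# and prints "CON_ID:TABLESPACE" for every row whose ENCRYPTED column is NO.
# Exit status: 0 = every row YES, 1 = at least one NO, 2 = no data rows parsed.
unencrypted_tablespaces() {
  awk '
    # Data row = name, YES|NO, numeric CON_ID; header and ruler lines fail this.
    NF == 3 && ($2 == "YES" || $2 == "NO") && $3 ~ /^[0-9]+$/ {
      rows++
      if ($2 == "NO") { print $3 ":" $1; bad++ }
    }
    END { if (rows == 0) exit 2; exit (bad > 0) }
  '
}

# param_value NAME: reads "show parameter" output on stdin, prints the value.
# SQL*Plus wraps names that overflow the NAME column onto the next line
# (tablespace_encryption_default_algori / thm), so a one-word line following
# a row is glued back onto the name of that row before comparing.
param_value() {
  awk -v want="$1" '
    function emit() {
      if (name == want && !found) { print val; found = 1 }
      name = ""
    }
    BEGIN { want = tolower(want) }
    NF == 3 { emit(); name = tolower($1); val = $3; next }
    NF == 1 && name != "" && $1 !~ /^SQL>/ { name = name tolower($1); next }
    { emit() }
    END { emit(); exit (!found) }
  '
}

# Listing from the run that used only -encryptPDBTablespaces ALL.
FIRST_RUN='TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         NO           1
SYSTEM                         NO           1
TEMP                           NO           1
UNDOTBS1                       NO           1
UNDOTBS2                       YES          1
USERS                          YES          1'

# Listing from the run that added -encryptTablespaces ALL.
SECOND_RUN='TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         YES          1
SYSTEM                         YES          1
TEMP                           YES          1
UNDOTBS1                       YES          1
UNDOTBS2                       YES          1
USERS                          YES          1'

# "show parameter TABLESPACE_ENCRYPTION" output, including the wrapped names.
PARAMS='NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tablespace_encryption                string      AUTO_ENABLE
tablespace_encryption_default_algori string      AES256
thm
tablespace_encryption_default_cipher string      XTS
_mode
SQL>'

# audit LABEL LISTING: one-line verdict; returns the status of the check.
audit() {
  missing=$(printf '%s\n' "$2" | unencrypted_tablespaces) && rc=0 || rc=$?
  case $rc in
    0) echo "$1: all tablespaces encrypted" ;;
    1) echo "$1: NOT encrypted:" $missing ;;
    *) echo "$1: no tablespace rows found in input" ;;
  esac
  return "$rc"
}

audit "encryptPDBTablespaces only" "$FIRST_RUN" || :
audit "plus encryptTablespaces ALL" "$SECOND_RUN" || :
echo "tablespace_encryption = $(printf '%s\n' "$PARAMS" | param_value tablespace_encryption)"
```

On a live system, pipe the sqlplus output of the same query into unencrypted_tablespaces and use its exit status as a gate after dbca finishes.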

Summary

We have several points here. The 23ai version for ExaCC (and probably the same for OCI) is quite special since it forces us to use encryption because, in the end, it is Cloud. Usually (99% of the time) we don’t need to call dbca manually; we use the OCI tools, which pass the parameters properly.

Besides that, it was quite a challenge (and nice in the end) to dig into the issue and identify the root cause. The documentation was quite new, and it was hard to discover where the correct parameters were explained. The idea for this post was to summarize the troubleshooting and gather all the information in one place.

 

 

Disclaimer: “The postings on this site are my own and don’t necessarily represent my actual employer positions, strategies, or opinions. The information here was edited to be useful for general purposes, and specific data and identifications were removed to allow reach the generic audience and to be useful for the community. Post protected by copyright” 
