Oracle Database 23ai is already available in the Cloud, and on ExaCC as well. ExaCC is On-Prem, but it is Cloud too, so we can use it. Recently I needed to create some databases manually (not using the ExaCC dbaas* utilities) and encountered some interesting details when using dbca, mainly because in the Cloud we are forced to have encrypted databases. You can skip directly to the end to see how to solve it and create databases with TDE enabled from the beginning when using dbca, or read the rest of the post to check the root cause and the troubleshooting.
19c and traditional dbca
As a reminder, if you want to create a database using dbca in 19c, you have a lot of options but nothing related to TDE:
[oracle@o8p1-19c ~]$ which dbca
/u01/app/oracle/product/19.18.0.0/dbhome_2/bin/dbca
[oracle@o8p1-19c ~]$
[oracle@o8p1-19c ~]$ dbca -silent -createDatabase -help |grep -i TDE
[oracle@o8p1-19c ~]$
23ai and traditional dbca usage
So, when I tried to create the database with dbca, I used the same parameters that I have used in all my previous years. But it failed, reporting “ORA-28361: Master key not yet set”:
[oracle@exxc05db01-]$ which dbca
/u02/app/oracle/product/23.0.0.0/dbhome_1/bin/dbca
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.
9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I.log" for further details.
[oracle@exxc05db01-]$
Intriguingly, the failure tells me that the master key was not found. So, I checked the log and found nothing special, just that the file CreateDBFiles.log shows that the creation of the tablespaces failed because the master key was not found:
CREATE SMALLFILE TABLESPACE "USERS" LOGGING DATAFILE SIZE 5M AUTOEXTEND ON NEXT 1280K MAXSIZE UNLIMITED EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO
*
ERROR at line 1:
ORA-28361: Master key not yet set.
Help: https://docs.oracle.com/error-help/db/ora-28361/
Following the rabbit hole, I went to the alertlog and started to find some clues:
…
--ATTENTION--
Cannot transparently encrypt Oracle-managed tablespace SYSTEM (container 1) per Oracle Cloud mandate because master key has not been set.
Tablespace created: SYSTEM ts# 0
Completed: create tablespace SYSTEM datafile SIZE 700M AUTOEXTEND ON NEXT 10240K MAXSIZE UNLIMITED EXTENT MANAGEMENT LOCAL online
…
And before that, we have:
…
Broadcast on commit is enabled and is using RDMA mode.
--ATTENTION--
Master key must be set for the pluggable database (PDB) CON_ID=1 (CDB$ROOT) when TABLESPACE_ENCRYPTION is set. Not doing so will disable Hybrid Data Guard encryption.
2024-06-18T15:29:45.191424+02:00
…
So, I checked the TABLESPACE_ENCRYPTION parameter when databases were started and I had it set as AUTO_ENABLE:
…
System parameters with non-default values:
processes = 500
use_large_pages = "ONLY"
pga_aggregate_limit = 15G
nls_language = "AMERICAN"
nls_territory = "LUXEMBOURG"
sga_target = 4G
db_block_size = 8192
tablespace_encryption = "AUTO_ENABLE"
…
And we can see that it was set to AUTO_ENABLE because it is cloud (ExaCC is cloud in the end).
Trying to bypass it
So, I checked 23ai, and dbca now has a complete set of parameters to work with when creating the database. You can see them below, and in the official documentation as well:
[oracle@exxc05db01-]$ dbca -silent -createDatabase -help
-createDatabase - Command to Create a database.
-responseFile | (-gdbName -templateName)
-responseFile - <Fully qualified path for a response file>
-gdbName <Global database name>
-templateName <Specify an existing template in default location or the complete template path for DB Creation or provide a new template name for template creation>
[-adminManaged | -managementPolicy]
[-adminManaged <Admin managed database, this is default option>]
[-managementPolicy <AUTOMATIC | RANK> Database management Policy, default value is AUTOMATIC]
[-characterSet <Character set for the database>]
[-configureTDE <true | false> Specify true to configure TDE wallet]
[-encryptPDBTablespaces <Specify ALL to encrypt all Tablespaces or A comma separated list of name:value pairs with tablespace encryption to true/false. For example SYSTEM:true,SYSAUX:false>]
[-encryptTablespaces <Specify ALL to encrypt all Tablespaces or A comma separated list of name:value pairs with tablespace encryption to true/false. For example SYSTEM:true,SYSAUX:false>]
[-pdbTDEPassword <Specify password for PDB TDE wallet>]
[-primaryDBTdeWallet <Specify the location for TDE wallet of primary database>]
[-sourcePdbTDEPassword <Specify password for source PDB TDE wallet and it is used only in creation of PDB from existing PDB which has TDE wallet>]
[-sourceTdeWalletPassword <Specify password for source database TDE wallet>]
[-tdeAlgorithm <Specify the TDE Algorithm Type.>]
[-tdeWalletLoginType <Specify the TDE Wallet Login Type, PASSWORD | AUTO_LOGIN | LOCAL_AUTO_LOGIN. Default is PASSWORD for SI and AUTO_LOGIN is default for RAC]
[-tdeWalletModeForPDB <Type of keystore, either UNITED or ISOLATED. Default is UNITED>]
[-tdeWalletPassword <Specify password for TDE wallet>]
[-tdeWalletPathInTarFile <value>]
[-tdeWalletRoot <Specify the location for TDE wallet root init parameter>]
[-createListener <Create a new listener to register your database. Specify in format, LISTENER_NAME:PORT>]
…
…
My first try was to disable TDE when calling dbca:
[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -configureTDE FALSE
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.
9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I.log" for further details.
[oracle@exxc05db01-]$
And in alertlog I had the same AUTO_ENABLE value for TABLESPACE_ENCRYPTION.
The second try was forcing dbca to set one parameter while creating the database. I made the call adding -initParams "TABLESPACE_ENCRYPTION=MANUAL_ENABLE". Don’t worry about the database name warning message; I was creating/testing several times:
[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I2 -adminManaged -sid DBN234I2 -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -initParams "TABLESPACE_ENCRYPTION=MANUAL_ENABLE"
[WARNING] [DBT-10331] Specified SID Prefix (DBN234I2) may have a potential conflict with an already existing database on the system.
CAUSE: The specified SID Prefix without the trailing numeric characters (DBN234I) may have a potential conflict with an already existing database on the system.
ACTION: Specify a different SID Prefix that does not conflict with existing databases on the system.
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.
9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I2/DBN234I20.log" for further details.
[oracle@exxc05db01-]$
In the trace file linked to this creation you can see that it was called with MANUAL_ENABLE:
[progressPage.flowWorker] [ 2024-06-18 15:29:17.838 CEST ] [InitParamAttributes.createInitFile:1904] Processing init param tablespace_encryption
[progressPage.flowWorker] [ 2024-06-18 15:29:17.838 CEST ] [InitParamAttributes.createInitFile:1909] The value is MANUAL_ENABLE
But even so, in the alertlog it was forced to be enabled (compare the times):
2024-06-18T15:29:43.815393+02:00
Broadcast on commit is enabled and is using RDMA mode.
--ATTENTION--
Master key must be set for the pluggable database (PDB) CON_ID=1 (CDB$ROOT) when TABLESPACE_ENCRYPTION is set. Not doing so will disable Hybrid Data Guard encryption.
2024-06-18T15:29:45.191424+02:00
The third try was setting the old parameter ENCRYPT_NEW_TABLESPACES (which in 23ai was replaced by TABLESPACE_ENCRYPTION). But the same failure:
[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I2 -adminManaged -sid DBN234I2 -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -initParams "tablespace_encryption=MANUAL_ENABLE,encrypt_new_tablespaces=DDL"
[WARNING] [DBT-10331] Specified SID Prefix (DBN234I2) may have a potential conflict with an already existing database on the system.
CAUSE: The specified SID Prefix without the trailing numeric characters (DBN234I) may have a potential conflict with an already existing database on the system.
ACTION: Specify a different SID Prefix that does not conflict with existing databases on the system.
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
[WARNING] ORA-28361: Master key not yet set.
9% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
12% complete
100% complete
[FATAL] ORA-00959: tablespace 'USERS' does not exist
8% complete
4% complete
0% complete
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I2/DBN234I21.log" for further details.
[oracle@exxc05db01-]$
How to do it properly
So, if you want to create a database using dbca in the Cloud, you need to use the new parameters properly, with the correct values. As shown above, dbca has new parameters to be used for TDE, but how do we set them? Since the documentation for 23ai is not 100% released, the only place where you can find the info is the Advanced Security Guide, topic 6.11.1 Using DBCA to Create an Encrypted Database.
The first step (since we are in RAC) is to create a shared folder for your wallet. At ExaCC you can create it on ACFS; if you do not use a folder shared between instances, you will receive an error. So, let’s create the folder on ACFS:
[oracle@exxc05db01-]$ mkdir /acfs01/acfs/DBN234I
[oracle@exxc05db01-]$
After that, we can call dbca with the parameters below:
- configureTDE: Defined as TRUE to enable TDE while creating database.
- tdeWalletRoot: Folder where the wallet will be stored.
- tdeWalletLoginType: For RAC it needs to be AUTO_LOGIN.
- tdeWalletPassword: It is the wallet/TDE password.
- encryptPDBTablespaces: Which PDB tablespaces will be encrypted when the database is created. I recommend setting it to ALL to avoid incompatibilities with other parameters.
So, using these new parameters my dbca call is:
[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -configureTDE TRUE -tdeWalletRoot /acfs01/acfs/DBN234I -tdeWalletLoginType AUTO_LOGIN -TdeWalletPassword 'fdertyhj4567890h32aghte2457AAABB' -encryptPDBTablespaces ALL
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
[WARNING] ORA-02097: parameter cannot be modified because specified value is invalid
ORA-28457: ENCRYPT_NEW_TABLESPACES can only be set to ALWAYS when TABLESPACE_ENCRYPTION is set to AUTO_ENABLE.
8% complete
Creating database files
9% complete
12% complete
Creating data dictionary views
13% complete
16% complete
17% complete
18% complete
24% complete
Oracle JVM
30% complete
36% complete
42% complete
44% complete
Oracle Text
46% complete
48% complete
Oracle OLAP
52% complete
Oracle Spatial
53% complete
60% complete
Oracle Label Security
68% complete
Oracle Database Vault
76% complete
Creating cluster database views
77% complete
84% complete
Completing Database Creation
86% complete
87% complete
88% complete
Executing Post Configuration Actions
100% complete
Database creation complete. For details check the logfiles at:
/u02/app/oracle/cfgtoollogs/dbca/DBN234I.
Database Information:
Global Database Name:DBN234I
System Identifier(SID) Prefix:DBN234I
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I.log" for further details.
[oracle@exxc05db01-]$
As you can see, this time the creation was fine. The interesting part is the warning about ENCRYPT_NEW_TABLESPACES. I checked the logs and it was possible to see that dbca tried to set it to DDL, but this is not allowed since TABLESPACE_ENCRYPTION is forced to be AUTO_ENABLE.
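The parameter rules listed above can be checked before dbca is started. The script below is an added example, not part of the original post and not an Oracle tool: the function names are hypothetical, and it assumes a cloud (ExaCC) home where TABLESPACE_ENCRYPTION is forced to AUTO_ENABLE.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight lint of a
# "dbca -silent -createDatabase" argument list for the TDE flags listed above.
# Function names are hypothetical. Assumes a cloud (ExaCC) home where
# TABLESPACE_ENCRYPTION is forced to AUTO_ENABLE, as in the post.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the value following flag $1 in the remaining arguments; status 1 if
# absent. Flags are compared case-insensitively because the post's working
# call spells one of them -TdeWalletPassword.
dbca_arg() {
  _want=$(lower "$1"); shift
  while [ $# -gt 1 ]; do
    if [ "$(lower "$1")" = "$_want" ]; then printf '%s\n' "$2"; return 0; fi
    shift
  done
  return 1
}

# Print one finding per line. Status 1 if any FAIL was printed, else 0.
lint_dbca_tde_args() {
  _rc=0
  _tde=$(dbca_arg -configureTDE "$@") || _tde=
  if [ "$(lower "$_tde")" != "true" ]; then
    echo "FAIL -configureTDE is not TRUE (the post's runs without it stop at ORA-28361)"
    _rc=1
  fi

  _root=$(dbca_arg -tdeWalletRoot "$@") || _root=
  if [ -z "$_root" ]; then
    echo "FAIL -tdeWalletRoot is missing"; _rc=1
  elif [ ! -d "$_root" ] || [ ! -w "$_root" ]; then
    echo "FAIL wallet root $_root is not an existing, writable directory"; _rc=1
  fi

  _type=$(dbca_arg -databaseConfigType "$@") || _type=
  _login=$(dbca_arg -tdeWalletLoginType "$@") || _login=
  if [ "$(lower "$_type")" = "rac" ]; then
    # Unset is accepted: the help text gives AUTO_LOGIN as the RAC default.
    if [ -n "$_login" ] && [ "$(lower "$_login")" != "auto_login" ]; then
      echo "FAIL -tdeWalletLoginType $_login on RAC (needs AUTO_LOGIN)"; _rc=1
    fi
    # Sharing between nodes cannot be verified from one host; remind instead.
    if [ -n "$_root" ]; then
      _nodes=$(dbca_arg -nodelist "$@") || _nodes="all nodes"
      echo "NOTE confirm $_root is shared by $_nodes"
    fi
  fi

  dbca_arg -tdeWalletPassword "$@" >/dev/null ||
    echo "WARN -tdeWalletPassword is not on the command line"
  _pdb=$(dbca_arg -encryptPDBTablespaces "$@") || _pdb=
  [ "$(lower "$_pdb")" = "all" ] ||
    echo "WARN -encryptPDBTablespaces is '${_pdb:-unset}' (the post recommends ALL)"
  return "$_rc"
}

# Constructed demo: a call without TDE flags, then one with them, pointed at a
# temporary directory instead of the post's ACFS path.
demo_root=$(mktemp -d)
echo "== without TDE flags =="
lint_dbca_tde_args -gdbName DBN234I -databaseConfigType RAC \
  -nodelist exxc05db01,exxc06db01 || true
echo "== with TDE flags =="
lint_dbca_tde_args -gdbName DBN234I -databaseConfigType RAC \
  -nodelist exxc05db01,exxc06db01 -configureTDE TRUE \
  -tdeWalletRoot "$demo_root" -tdeWalletLoginType AUTO_LOGIN \
  -TdeWalletPassword 'constructed-placeholder' -encryptPDBTablespaces ALL
rmdir "$demo_root"
```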
Below we can see that the database was properly configured with TDE and tablespaces encrypted:
[oracle@exxc05db01-]$ ls -l /acfs01/acfs/DBN234I/
total 52
drwxr-x--- 2 oracle oinstall 20480 Jun 18 10:12 tde
[oracle@exxc05db01-]$ ls -l /acfs01/acfs/DBN234I/tde/
total 12
-rw------- 1 oracle asmdba 3864 Jun 18 10:12 cwallet.sso
-rw------- 1 oracle asmdba 2555 Jun 18 10:12 ewallet_2024061808124993.p12
-rw------- 1 oracle asmdba 3819 Jun 18 10:12 ewallet.p12
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$ export ORACLE_SID=DBN234I1
[oracle@exxc05db01-DBN234I1]$ sqlplus / as sysdba
SQL*Plus: Release 23.0.0.0.0 - Production on Tue Jun 18 11:18:33 2024
Version 23.4.0.24.05
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05
SQL> show parameter tde
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
one_step_plugin_for_pdb_with_tde     boolean     FALSE
tde_configuration                    string      keystore_configuration=FILE
tde_key_cache                        boolean     FALSE
SQL>
SQL> show parameter ENCRYPT_NEW_TABLESPACES
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL>
SQL> select TABLESPACE_NAME, ENCRYPTED, con_id from cdb_tablespaces order by con_id, TABLESPACE_NAME;
TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         NO           1
SYSTEM                         NO           1
TEMP                           NO           1
UNDOTBS1                       NO           1
UNDOTBS2                       YES          1
USERS                          YES          1
6 rows selected.
SQL>
SQL> show parameter ENCRYPT_NEW_TABLESPACES
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL>
SQL> show parameter TABLESPACE_ENCRYPTION
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tablespace_encryption                string      AUTO_ENABLE
tablespace_encryption_default_algori string      AES256
thm
tablespace_encryption_default_cipher string      XTS
_mode
SQL>
SQL> exit
Disconnected from Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05
[oracle@exxc05db01-DBN234I1]$
One detail that I didn’t appreciate was that just one UNDO is encrypted and we are kind of mixed, some CDB tablespaces are encrypted, and others are not.
Can we do better?
The answer is YES. We can use the parameter encryptTablespaces (with value ALL) and this will encrypt everything:
[oracle@exxc05db01-]$ dbca -silent -createDatabase -templateName TEMPLATE_23ai.dbt -gdbName DBN234I -adminManaged -sid DBN234I -sysPassword oracle23ai -systemPassword oracle23ai -createAsContainerDatabase TRUE -useLocalUndoForPDBs TRUE -characterSet AL32UTF8 -emConfiguration NONE -sampleSchema false -storageType ASM -diskGroupName DATAC4 -recoveryGroupName RECOC4 -nodelist exxc05db01,exxc06db01 -databaseConfigType RAC -configureTDE TRUE -tdeWalletRoot /acfs01/acfs/DBN234I -tdeWalletLoginType AUTO_LOGIN -TdeWalletPassword 'fdertyhj4567890h32aghte2457AAABB' -encryptPDBTablespaces ALL -encryptTablespaces ALL
[WARNING] [DBT-06208] The 'SYS' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
[WARNING] [DBT-06208] The 'SYSTEM' password entered does not conform to the Oracle recommended standards.
CAUSE:
a. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9].
b.The password entered is a keyword that Oracle does not recommend to be used as password
ACTION: Specify a strong password. If required refer Oracle documentation for guidelines.
Prepare for db operation
4% complete
Creating and starting Oracle instance
5% complete
6% complete
8% complete
Creating database files
9% complete
12% complete
Creating data dictionary views
13% complete
16% complete
17% complete
18% complete
24% complete
Oracle JVM
30% complete
36% complete
42% complete
44% complete
Oracle Text
46% complete
48% complete
Oracle OLAP
52% complete
Oracle Spatial
53% complete
60% complete
Oracle Label Security
68% complete
Oracle Database Vault
76% complete
Creating cluster database views
77% complete
84% complete
Completing Database Creation
86% complete
87% complete
88% complete
Executing Post Configuration Actions
100% complete
Database creation complete. For details check the logfiles at:
/u02/app/oracle/cfgtoollogs/dbca/DBN234I.
Database Information:
Global Database Name:DBN234I
System Identifier(SID) Prefix:DBN234I
Look at the log file "/u02/app/oracle/cfgtoollogs/dbca/DBN234I/DBN234I0.log" for further details.
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$
[oracle@exxc05db01-]$ export ORACLE_SID=DBN234I1
[oracle@exxc05db01-DBN234I1]$
[oracle@exxc05db01-DBN234I1]$ sqlplus / as sysdba
SQL*Plus: Release 23.0.0.0.0 - Production on Thu Jun 20 15:03:06 2024
Version 23.4.0.24.05
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05
SQL> show parameter tde
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
one_step_plugin_for_pdb_with_tde     boolean     FALSE
tde_configuration                    string      keystore_configuration=FILE
tde_key_cache                        boolean     FALSE
SQL> show parameter ENCRYPT_NEW_TABLESPACES
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL> select TABLESPACE_NAME, ENCRYPTED, con_id from cdb_tablespaces order by con_id, TABLESPACE_NAME;
TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         YES          1
SYSTEM                         YES          1
TEMP                           YES          1
UNDOTBS1                       YES          1
UNDOTBS2                       YES          1
USERS                          YES          1
6 rows selected.
SQL> show parameter ENCRYPT_NEW_TABLESPACES
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
encrypt_new_tablespaces              string      ALWAYS
SQL> show parameter TABLESPACE_ENCRYPTION
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
tablespace_encryption                string      AUTO_ENABLE
tablespace_encryption_default_algori string      AES256
thm
tablespace_encryption_default_cipher string      XTS
_mode
SQL> exit
Disconnected from Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - Production
Version 23.4.0.24.05
[oracle@exxc05db01-DBN234I1]$
As you can see above, now all the tablespaces are encrypted, all of them using auto_login wallet.
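The difference between the two runs (some CDB tablespaces left unencrypted versus all of them encrypted) can be turned into a pass/fail check. The script below is an added example, not part of the original post: the function name is hypothetical, and the two sample inputs are constructed from the query results shown above.

```shell
#!/bin/sh
# Added example, not from the original post: turn the output of the query
#   select TABLESPACE_NAME, ENCRYPTED, con_id from cdb_tablespaces ...
# into a pass/fail check. unencrypted_tablespaces is a hypothetical name.

# Read SQL*Plus output on stdin and print "CON_ID TABLESPACE_NAME" for each
# row whose ENCRYPTED column is NO.
# Status: 0 = every row is YES, 1 = at least one NO, 2 = no data rows parsed.
unencrypted_tablespaces() {
  awk '
    # A data row is: name, YES|NO, numeric con_id. Headers, rulers, the
    # "N rows selected." footer and SQL> prompts do not match.
    NF == 3 && ($2 == "YES" || $2 == "NO") && $3 ~ /^[0-9]+$/ {
      rows++
      if ($2 == "NO") { print $3, $1; bad++ }
    }
    END {
      if (rows == 0) exit 2   # an empty or failed query must not pass
      exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed sample: result set of the run with -encryptPDBTablespaces ALL only.
SAMPLE_PDB_ONLY='TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         NO           1
SYSTEM                         NO           1
TEMP                           NO           1
UNDOTBS1                       NO           1
UNDOTBS2                       YES          1
USERS                          YES          1

6 rows selected.'

# Constructed sample: result set of the run that adds -encryptTablespaces ALL.
SAMPLE_ALL='TABLESPACE_NAME                ENC     CON_ID
------------------------------ --- ----------
SYSAUX                         YES          1
SYSTEM                         YES          1
TEMP                           YES          1
UNDOTBS1                       YES          1
UNDOTBS2                       YES          1
USERS                          YES          1

6 rows selected.'

echo "== -encryptPDBTablespaces ALL only =="
printf '%s\n' "$SAMPLE_PDB_ONLY" | unencrypted_tablespaces || echo "status $?"
echo "== plus -encryptTablespaces ALL =="
printf '%s\n' "$SAMPLE_ALL" | unencrypted_tablespaces && echo "all encrypted"
```

On a real system the input would come from the same query run through sqlplus and piped into the function.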
Summary
We have several points here. The 23ai version for ExaCC (and probably the same for OCI) is quite special since it forces us to use encryption because, in the end, it is Cloud. Usually (and 99% of the time) we don’t need to call dbca manually; we use the OCI tools, which will pass the parameters properly.
Besides that, it was quite a challenge (and nice in the end) to dig into the issue and identify the root cause. The documentation was quite new, and it was hard to discover where the explanation of the correct parameters was. The idea for this post was to summarize the troubleshooting and gather all the information in one place.
Disclaimer: “The postings on this site are my own and don’t necessarily represent my actual employer positions, strategies, or opinions. The information here was edited to be useful for general purposes, and specific data and identifications were removed to allow reach the generic audience and to be useful for the community. Post protected by copyright”