1.0 Introduction
This article explains the steps for migrating a non-container Oracle database (non-CDB) to a container Oracle database (CDB), including the transfer of the Transparent Data Encryption (TDE) master keys managed by Fortanix Data Security Manager (DSM), which acts as the Hardware Security Module (HSM). It covers migrating both the database and its associated TDE keys so that the move to a containerized Oracle environment is secure and does not leave encrypted data without a usable key.
2.0 Prerequisites
Ensure that Oracle TDE is integrated with Fortanix DSM. For detailed steps, refer to Using Fortanix Data Security Manager with Oracle TDE.
3.0 Assumption
Both the container database and the non-container database (FORT11P in the examples below) are hosted on the same server.
Both databases are integrated with the same Fortanix DSM cluster.
The container and non-container databases are configured to use separate Fortanix DSM groups and applications (in the examples below, Group-G1 and App-A1 for the container database, Group-G2 for the non-container database).
4.0 Before You Begin
Before initiating the migration, prepare the non-container database as described below, including the keystore and configuration checks the later steps depend on.
Check the Database Wallet State
Run the following query to confirm that the database keystore (wallet) is open; the STATUS column should read OPEN:
SELECT * FROM v$encryption_wallet;
Shut Down the Database and Reopen It in Read-Only Mode
Run the following commands to shut down the database and restart it in read-only mode:
SHUTDOWN IMMEDIATE;
STARTUP OPEN READ ONLY;
Generate the Describe File
Use the DBMS_PDB.DESCRIBE procedure to create a describe file for the database:
BEGIN
  DBMS_PDB.DESCRIBE(pdb_descr_file => '/u01/app/backup/FORT11P_19c.xml');
END;
/
NOTE
The path /u01/app/backup/FORT11P_19c.xml specifies the location where the describe file will be created.
5.0 Migrating Non-Container Database to Container Database
NOTE
Before performing the migration, ensure that the DSM application associated with the container database (for example, App-A1) is assigned to both the container database group (for example, Group-G1) and the non-container database (non-CDB) group (for example, Group-G2). The container database needs access to the non-CDB's group in order to import its TDE master keys. You can skip this step if the same application is used for both the container database and the non-container database.
Perform the following steps to migrate a non-container database (non-CDB) to a container database (CDB), moving the database into a pluggable database (PDB) and ensuring proper setup and encryption management:
Run the following command to create a new PDB in the container database using the describe file generated in Section 4.0, Before You Begin:
CREATE PLUGGABLE DATABASE FORT11P_PDB USING '/u01/app/backup/FORT11P_19c.xml' COPY KEYSTORE IDENTIFIED BY "<container_db_dsm_app_password>";
Here, replace <container_db_dsm_app_password> with the password for App-A1, the DSM application associated with the container database.
Run the following commands to verify that the keystore is open for the newly created PDB:
SHOW PDBS;
SELECT * FROM v$encryption_wallet;
Run the following commands to switch the session to the newly created PDB and execute the non-CDB to PDB conversion script. This step converts the plugged-in non-container database into a pluggable database:
ALTER SESSION SET CONTAINER=FORT11P_PDB;
@$ORACLE_HOME/rdbms/admin/noncdb_to_pdb.sql
Run the following commands to open the PDB and save its state:
ALTER PLUGGABLE DATABASE OPEN;
ALTER PLUGGABLE DATABASE SAVE STATE;
Run the following command and check the RESTRICTED column to see whether the new PDB is in restricted mode; at this point it is expected to be, because its TDE master keys have not yet been imported:
SHOW PDBS;
In the keystore (wallet) directory, run the following command to move the auto-login keystore file aside as a backup, so that in the next step the keystore is opened with the password rather than by auto-login:
mv cwallet.sso cwallet.sso-BKP
Run the following commands to restart the database and open the keystore in all containers:
SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<container_db_dsm_app_password>" CONTAINER=ALL;
Here, <container_db_dsm_app_password> is the password for App-A1, the DSM application associated with the container database.
Run the following commands to import the encryption keys into the new PDB:
ALTER SESSION SET CONTAINER=FORT11P_PDB;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "HSM" FROM 'HSM' IDENTIFIED BY "<container_db_dsm_app_password>";
Here, replace <container_db_dsm_app_password> with the password for App-A1, the DSM application associated with the container database.
NOTE
Do not modify any other part of the command; in particular, the WITH SECRET "HSM" FROM 'HSM' clause must be used exactly as shown.
Run the following command to check that the PDB is no longer in restricted mode (RESTRICTED should now read NO):
SHOW PDBS;
Run the following commands to save the state of the new PDB now that it is open in non-restricted mode:
ALTER SESSION SET CONTAINER=FORT11P_PDB;
ALTER PLUGGABLE DATABASE SAVE STATE;
Run the following commands to set a new TDE master encryption key for the PDB, so that it no longer relies on the key imported from the non-CDB:
ALTER SESSION SET CONTAINER=FORT11P_PDB;
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<container_db_dsm_app_password>";
Here, replace <container_db_dsm_app_password> with the password for App-A1, the DSM application associated with the container database.
Run the following commands to restore the auto-login keystore file (in the keystore directory) and restart the database:
mv cwallet.sso-BKP cwallet.sso
SHUTDOWN IMMEDIATE;
STARTUP;
Run the following query to verify the master key ID (mkid) of the newly migrated database; the row for the CON_ID of FORT11P_PDB should show the master key ID that is now active for the PDB:
SELECT CON_ID, mkid FROM x$kcbdbk;
Finally, if App-A1 (the application assigned to the container database) no longer needs access to the non-container database group Group-G2, unassign it from that group so that the cross-group access granted for the migration does not persist.
The migration process is now complete.
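The procedure above depends on three observable conditions: the keystore reporting OPEN, the new PDB leaving restricted mode after the key import, and the master key ID changing after SET KEY. The following shell script is an added example, not part of the Fortanix or Oracle documentation. It parses SQL*Plus output captured from the verification queries used above and stops a scripted run at the first step whose precondition fails. All sample outputs embedded in it are constructed (the MKID values are placeholders), and the wallet query is narrowed to CON_ID, WRL_TYPE and STATUS so that each row stays on one line.

```shell
#!/usr/bin/env bash
# Added example, not part of the Fortanix/Oracle procedure: gate each
# migration step on the state the procedure expects, instead of continuing
# with a closed keystore, a PDB still in restricted mode, or a PDB whose
# master key was not rotated. Sample outputs are constructed to mimic the
# SQL*Plus column layout; they were not captured from a real database.
set -eu

# Constructed: SELECT con_id, wrl_type, status FROM v$encryption_wallet;
SAMPLE_WALLET='
    CON_ID WRL_TYPE   STATUS
---------- ---------- ------------------------------
         1 HSM        OPEN
         2 HSM        OPEN
         3 HSM        CLOSED
'
# Constructed: SHOW PDBS before and after the key import into FORT11P_PDB
SAMPLE_PDBS_BEFORE='
    CON_ID CON_NAME      OPEN MODE  RESTRICTED
---------- ------------- ---------- ----------
         2 PDB$SEED      READ ONLY  NO
         3 FORT11P_PDB   READ WRITE YES
'
SAMPLE_PDBS_AFTER='
    CON_ID CON_NAME      OPEN MODE  RESTRICTED
---------- ------------- ---------- ----------
         2 PDB$SEED      READ ONLY  NO
         3 FORT11P_PDB   READ WRITE NO
'
# Constructed: SELECT con_id, mkid FROM x$kcbdbk; before and after SET KEY
# (placeholder hex values, not real key IDs)
SAMPLE_MKID_BEFORE='
    CON_ID MKID
---------- --------------------------------
         1 0A1B2C3D4E5F60718293A4B5C6D7E8F9
         3 1111111122222222333333334444AAAA'
SAMPLE_MKID_AFTER='
    CON_ID MKID
---------- --------------------------------
         1 0A1B2C3D4E5F60718293A4B5C6D7E8F9
         3 9F8E7D6C5B4A39281706F5E4D3C2B1A0'

# column_for <field> <key>: read SQL*Plus output on stdin and print <field>
# of the row whose first column equals <key>. Header and separator rows
# never match a numeric CON_ID. Exit 1 when no row matches.
column_for() {
  awk -v f="$1" -v key="$2" '$1 == key { print $f; found = 1 } END { exit !found }'
}
wallet_status()  { column_for 3 "$1"; }   # STATUS for a CON_ID
mkid_for()       { column_for 2 "$1"; }   # master key ID for a CON_ID
# RESTRICTED is the last field because OPEN MODE may be two words (READ WRITE).
pdb_restricted() { awk -v name="$1" '$2 == name { print $NF; found = 1 } END { exit !found }'; }

# Gates: return 0 when the next step may proceed, 1 (message on stderr) otherwise.
require_wallet_open() {      # $1 = CON_ID, stdin = v$encryption_wallet output
  local st
  st=$(wallet_status "$1") || { echo "no keystore row for CON_ID $1" >&2; return 1; }
  [ "$st" = OPEN ] || { echo "keystore for CON_ID $1 is $st, expected OPEN" >&2; return 1; }
}
require_unrestricted() {     # $1 = PDB name, stdin = SHOW PDBS output
  local r
  r=$(pdb_restricted "$1") || { echo "PDB $1 not found" >&2; return 1; }
  [ "$r" = NO ] || { echo "PDB $1 still RESTRICTED=$r; key import incomplete" >&2; return 1; }
}
require_rekeyed() {          # $1 = CON_ID, $2 = mkid output before SET KEY, $3 = after
  local before after
  before=$(printf '%s\n' "$2" | mkid_for "$1") || { echo "no MKID for CON_ID $1 (before)" >&2; return 1; }
  after=$(printf '%s\n' "$3" | mkid_for "$1") || { echo "no MKID for CON_ID $1 (after)" >&2; return 1; }
  [ "$before" != "$after" ] || { echo "MKID for CON_ID $1 unchanged; SET KEY did not rotate it" >&2; return 1; }
}

demo() {
  # Walk the constructed scenario: CON_ID 3 keystore still CLOSED, PDB restricted
  # before the import and clear afterwards, master key rotated by SET KEY.
  printf '%s\n' "$SAMPLE_WALLET" | require_wallet_open 3 && echo "keystore gate: proceed" || echo "keystore gate: STOP"
  printf '%s\n' "$SAMPLE_PDBS_BEFORE" | require_unrestricted FORT11P_PDB && echo "restricted gate (before import): proceed" || echo "restricted gate (before import): STOP"
  printf '%s\n' "$SAMPLE_PDBS_AFTER" | require_unrestricted FORT11P_PDB && echo "restricted gate (after import): proceed" || echo "restricted gate (after import): STOP"
  require_rekeyed 3 "$SAMPLE_MKID_BEFORE" "$SAMPLE_MKID_AFTER" && echo "rekey gate: proceed" || echo "rekey gate: STOP"
}
demo
```

Against a real system, pipe the output of `sqlplus -S / as sysdba` running the relevant query into the matching gate function and abort the run when it returns non-zero. Supply the DSM application password to SQL*Plus on standard input or from a file with restrictive permissions rather than on the command line, where other users on the host could read it from the process list.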