---
title: "Migrating Non-Container Oracle Database to Container Oracle Database"
slug: "migrating-non-container-oracle-database-to-container-oracle-database"
updated: 2025-07-17T17:27:25Z
published: 2025-07-17T17:27:25Z
---


# Migrating Non-Container Oracle Database to Container Oracle Database

## 1.0 Introduction

This article explains the steps for **migrating a non-container Oracle database (non-CDB) to a container Oracle database (CDB)**, including the transfer of Transparent Data Encryption (TDE) keys managed by **Fortanix-Data-Security-Manager (DSM)**, which acts as the Hardware Security Module (HSM). It covers the process of migrating both the database and its associated TDE keys for a secure and seamless transition to a containerized Oracle environment.

## 2.0 Prerequisites

Ensure that Oracle TDE is integrated with Fortanix DSM. *For more information, refer to* [*Using Fortanix Data Security Manager with Oracle TDE*](https://support.fortanix.com/docs/fortanix-using-fortanix-data-security-manager-with-oracle-tde)*.*

## 3.0 Assumption

- Both the container database and non-container database, such as **FORT11P**, are hosted on the same server.
- Both the container database and non-container database, **FORT11P**, are integrated with the same Fortanix DSM cluster.
- The container and non-container databases are configured to use separate Fortanix DSM groups and applications.

## 4.0 Before You Begin

Before initiating the migration, prepare the non-container database so that it, its configuration, and its security keys can be moved smoothly to the container database.

1. **Check the Database Wallet State**

Run the following command to ensure that the database wallet is in the open state:

```sql
SELECT * FROM v$encryption_wallet;
```
2. **Shut Down the Database and Open in Read-Only Mode**

Run the following commands to shut down the database and restart it in read-only mode:

```sql
SHUTDOWN IMMEDIATE;
STARTUP OPEN READ ONLY;
```
3. **Generate the Describe File**

Use the `DBMS_PDB.DESCRIBE` procedure to create a describe file for the database:

```sql
BEGIN
  DBMS_PDB.DESCRIBE(
    pdb_descr_file => '/u01/app/backup/FORT11P_19c.xml');
END;
/
```

> [!NOTE]
> The path `/u01/app/backup/FORT11P_19c.xml` specifies the location where the describe file will be created.

## 5.0 Migrating Non-Container Database to Container Database

> [!NOTE]
> Before performing the migration, ensure that the application associated with the container database (for example, App-A1) is assigned to both the container database group (for example, Group-G1) and the non-container database (non-CDB) group (for example, Group-G2). You can skip this step if you use the same application for both the container database and the non-container database.

Perform the following steps to migrate a non-container database (non-CDB) to a container database (CDB), moving the database into a pluggable database (PDB) and ensuring proper setup and encryption management:

1. Run the following command to create a new PDB in the container database using the describe file generated in *Step 3* in [*Section 4.0: Before You Begin*](/v1/docs/migrating#40-before-you-begin).

```sql
CREATE PLUGGABLE DATABASE FORT11P_PDB USING '/u01/app/backup/FORT11P_19c.xml'
  COPY
  KEYSTORE IDENTIFIED BY "<container_db_dsm_app_password>";
```

Here, replace `<container_db_dsm_app_password>` with the **Password** for the App-A1, which is associated with the container database.
2. Run the following commands to verify that the wallet is open for the newly created PDB:

```sql
SHOW PDBS;
SELECT * FROM v$encryption_wallet;
```
3. Run the following commands to set the session to the newly created PDB and execute the non-CDB to PDB conversion script. This step converts the non-container database to a pluggable database:

```sql
ALTER SESSION SET CONTAINER=FORT11P_PDB;
@$ORACLE_HOME/rdbms/admin/noncdb_to_pdb.sql
```
4. Run the following commands to open the PDB and save its state:

```sql
ALTER PLUGGABLE DATABASE OPEN;
ALTER PLUGGABLE DATABASE SAVE STATE;
```
5. Run the following command to check if the new PDB is in restricted mode:

```sql
SHOW PDBS;
```
6. Run the following command to move the auto-login wallet file as a backup:

```bash
mv cwallet.sso cwallet.sso-BKP
```
7. Run the following commands to restart the database and open the software wallet:

```sql
SHUTDOWN IMMEDIATE;
STARTUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<container_db_dsm_app_password>" CONTAINER=ALL;
```

Here, `<container_db_dsm_app_password>` is the **Password** for the App-A1, which is associated with the container database.
8. Run the following command to import encryption keys into the new PDB:

```sql
ALTER SESSION SET CONTAINER=FORT11P_PDB;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "HSM" FROM 'HSM' IDENTIFIED BY "<container_db_dsm_app_password>";
```

Here, replace `<container_db_dsm_app_password>` with the **Password** for the App-A1, which is associated with the container database.

> [!NOTE]
> Do not modify any other part of the command.
9. Run the following command to check that the PDB is no longer in restricted mode:

```sql
SHOW PDBS;
```
10. Run the following commands to save the state of the new container database in non-restricted mode:

```sql
ALTER SESSION SET CONTAINER=FORT11P_PDB;
ALTER PLUGGABLE DATABASE SAVE STATE;
```
11. Run the following command to set a new key for the PDB:

```sql
ALTER SESSION SET CONTAINER=FORT11P_PDB;
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "<container_db_dsm_app_password>";
```

Here, replace `<container_db_dsm_app_password>` with the **Password** for the App-A1, which is associated with the container database.
12. Run the following commands to restore the auto-login wallet file and restart the database:

```bash
mv cwallet.sso-BKP cwallet.sso
```

```sql
SHUTDOWN IMMEDIATE;
STARTUP;
```
13. Run the following command to verify the `mkid` of the newly migrated database:

```sql
SELECT CON_ID, mkid FROM x$kcbdbk;
```

Additionally, if the App-A1 assigned to the container database is no longer required for the non-container database Group-G2, you can unassign it.

The migration process is now complete.
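
A post-migration check covering the wallet, restricted-mode, and key-import steps above, as an added example that is not part of the original Fortanix article. It assumes a SYSDBA session connected to CDB$ROOT on Oracle 19c and the PDB name FORT11P_PDB used above; it queries only standard Oracle dictionary and dynamic performance views.

```sql
-- Added example, not from the original article. Assumes a SYSDBA session
-- connected to CDB$ROOT and the PDB name FORT11P_PDB used in the steps above.

-- 1. Keystore status per container. For the migrated PDB, look for an HSM row
--    with STATUS = 'OPEN'; 'OPEN_NO_MASTER_KEY' means no master key has been
--    set or imported for that container yet.
SELECT c.name AS container, w.wrl_type, w.status, w.wallet_type, w.wallet_order
FROM   v$encryption_wallet w
JOIN   v$containers c ON c.con_id = w.con_id
ORDER  BY w.con_id, w.wrl_type;

-- 2. Open mode and restricted flag of the migrated PDB.
SELECT name, open_mode, restricted
FROM   v$pdbs
WHERE  name = 'FORT11P_PDB';

-- 3. Plug-in violations that are still pending. Unresolved rows here explain
--    why a PDB remains in restricted mode.
SELECT time, type, cause, message, action
FROM   pdb_plug_in_violations
WHERE  name = 'FORT11P_PDB'
AND    status <> 'RESOLVED'
ORDER  BY time;

-- 4. Master keys recorded for the PDB, with the database that created each.
SELECT k.con_id, k.key_id, k.creator_dbname, k.creator_pdbname, k.activation_time
FROM   v$encryption_keys k
JOIN   v$pdbs p ON p.con_id = k.con_id
WHERE  p.name = 'FORT11P_PDB'
ORDER  BY k.activation_time;

-- 5. Encrypted tablespaces in the PDB and the master key protecting each one.
SELECT t.name AS tablespace_name, e.encryptionalg, e.status, e.masterkeyid
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts# AND t.con_id = e.con_id
JOIN   v$pdbs p ON p.con_id = e.con_id
WHERE  p.name = 'FORT11P_PDB';
```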

