OCI Hybrid Configuration

This document describes creating a Dbvisit DDC configuration and establishing database synchronization for Oracle Cloud Infrastructure Base Database Service (OCI DBCS) hybrid environments. The abbreviations and terms used in this document are explained below:

OCI: Oracle Cloud Infrastructure

DBCS: Oracle Database Cloud Service (also referred to as Base Database Service)

Cloud Native Database: Database which was provisioned by Oracle DBCS. This implies it is already encrypted and has an existing keystore.

On Premise Native Database: Database which was provisioned in an on premise environment without any encryption and without an existing keystore

Keystore: Container which stores the TDE encryption key used to encrypt and decrypt datafiles. The keystore is protected by a user-generated password. In the past, the keystore was referred to as “wallet”.

CDB, PDB: Container Database, Pluggable Database

1. Concepts, considerations and Requirements

Dbvisit StandbyMP OCI Hybrid functionality is available from release 12.2 onwards. It allows you to create synchronization between a database on a DBCS system (where encryption is enforced) and an unencrypted on premise database.

This is ensured by using specific Oracle database init parameters on both sides. A keystore is also present on both sides at the same time. The concrete settings are shown in the following picture:

image-20250814-092110.png

Database roles have no influence on the properties displayed in the picture. The init parameters, keystores and datafile encryption always remain the same, regardless of whether the database role is primary or standby. For example, parameter TABLESPACE_ENCRYPTION will be set to DECRYPT_ONLY on the on premise database regardless of whether it has the primary or the standby role. The keystore files on primary and standby are identical.

1.1 Supported Database Versions and Configurations

  • The only supported Oracle version is 19c and it is further required that the database is at minimum on 19.25 RU. Database must be also created as CDB/PDB.

  • Non-CDB architecture or other releases are not supported.

  • OCI DBCS is always provisioned with latest RU, but it is possible to select older RU (maximum 1 year back). It is required that primary and standby ORACLE_HOME are on equal patchlevel which is at least 19.25.

  • You are required to apply patch 33672295 to on premise and OCI DBCS ORACLE_HOME

Patch 33672295 is included with 19.28 RU and later.

  • The operating system on on premise host must be Linux, because OCI DBCS doesn’t use Windows

1.2 Keystore and TDE Master Encryption Key Backup Strategy

When using OCI Hybrid configuration, you must establish an effective backup strategy for the keystore and for the encryption password (keystore password). Encrypted data can only be accessed if the keystore is available, and you should know the password for that keystore at all times.

There is no such thing as “Recover Lost Keystore or recover lost encryption password”. If you lose the keystore and/or the password for the keystore, all data which were encrypted with that keystore and password will be lost forever as they cannot be ever again decrypted.

1.3 Supported Dbvisit StandbyMP features in DBCS Hybrid environments

Dbvisit StandbyMP supports all actions and functionality as any other non-OCI DBCS Hybrid configuration except:

The Oracle concept allows decryption only on database (CDB and PDB) or whole tablespace level. Decryption can never happen on a single datafile.

1.4 Datafile Encryption on OCI DBCS for on premise native database

When creating standby database on OCI DBCS for your on premise unencrypted primary, only user pluggable database datafiles will be encrypted during Dbvisit Create standby database process. All datafiles of primary database regardless whether its role is primary or standby (for example after switchover) will remain unencrypted. Dbvisit uses Encryption in united mode: single TDE key is used to encrypt all pluggable databases.

1.5 Datafile Encryption on OCI DBCS for OCI DBCS native database

By default, OCI DBCS provisions database which has encrypted CDB and user PDB datafiles. Dbvisit doesn’t modify this encryption in any way.

1.6 Primary database downtime

This concerns only the on premise native primary database. To create a standby database on OCI DBCS, parameters TABLESPACE_ENCRYPTION and WALLET_ROOT will need to be set by Dbvisit, which requires a restart of your primary database during the create standby database process.

Alternatively, you can set the required parameters (TABLESPACE_ENCRYPTION, WALLET_ROOT and TDE_CONFIGURATION) manually with scope=spfile before running the create standby database process, and restart the primary database at your preferred time.

1.7 On Premise native primary database lifecycle and TDE

Once you include any on premise native primary database in an OCI Hybrid configuration, you will have to retain the TDE parameters and also the keystore for this database indefinitely. This remains valid even though no datafiles are encrypted in the on premise database, and even if you later drop and delete the OCI DBCS standby database or the whole DBCS.

1.8 OCI DBCS database host and On Premise database host connectivity

You have to ensure that both hosts have network connectivity (typically by using site to site VPN). Setting up the hosts network connectivity is not covered in this guide as it is outside of Dbvisit scope. You need to ensure that communication is allowed between on premise and OCI DBCS on ports used by Dbvisit as described here:

Installation Requirements | 1.1 Network Communication Requirements

1.9 Primary / Standby Database on ASM and Filesystem support

All combinations of on premise storage types and OCI DBCS storage types are supported.

2. Provisioning of OCI DBCS

The steps below show how a DBCS system should be provisioned from scratch. If you’re using an existing DBCS, you should still review the steps below to confirm that your DBCS will work correctly with Dbvisit OCI Hybrid synchronization.

You can start the provisioning process by selecting “Oracle Base Database Service” in the cloud GUI:

image-20250814-101023.png
image-20250814-101122.png

 

You can choose most DBCS options based on your preference; they are not important for the Dbvisit Hybrid synchronization. There are, however, some options which you’re required to change as follows:

2.1 Database Name and Database Unique Name

image-20250814-102154.png

If you intend to provision DBCS as a standby system, you should choose exactly same Database name (1) as your existing on premise primary database. You can check the Database name by following statement on your primary database:

sho parameter db_name

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_name                              string      ONPREM01

In addition, you should also choose different database unique name for your DBCS database. Add specific suffix (2) to have different db_unique_name (3) than your existing primary database. Your existing primary database unique name can be checked by running following statement:

sho parameter db_unique_name

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_unique_name                       string      ONPREM01

2.2 Database Release version

The database release should be set to 19c (1):

image-20250814-102852.png

Starting July 2025, the oldest available installable RU for 19c is 19.25 which automatically fulfills the patchlevel requirement on the OCI DBCS.

You must then choose the exact database image which is identical to the release currently installed on your on premise primary database server (2). You can determine your current version in the on premise environment by running:

$ORACLE_HOME/OPatch/opatch lsinventory | grep "RELEASE UPDATE"
Patch description:  "OJVM RELEASE UPDATE: 19.27.0.0.250415 (37499406)"
Patch description:  "OCW RELEASE UPDATE 19.27.0.0.0 (37654975)"

Then after pressing (2) you can specify the exact release:

image-20250814-103302.png

Enable “Display All versions” (1) select your release (2) and confirm (3).

If you installed any additional individual patches outside RU scope on your primary, you will have to install the same patches on OCI DBCS as well (once the provisioning finishes). The ORACLE_HOME patchlevel of on premise and OCI DBCS must match exactly.

2.3 PDB

Specify PDB name which matches your existing on premise database PDB name (1):

image-20250814-103501.png

You can determine the name of existing PDB:

sho pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ONPREM01PDB                    READ WRITE NO

2.4 Credentials and TDE Password

We recommend using the same password (1) for SYS and wallet (2):

image-20250814-104210.png

If OCI DBCS will be your primary system, you must safely store the password as you won’t be able to access the data without it in the future.

If OCI DBCS will be your standby system, the generated keystore will later be replaced by a new keystore generated by Dbvisit during the create standby database process.

In addition, in advanced option, you must use the default option “Use Oracle-managed keys” (1):

image-20250814-104327.png

Once all options are correctly set, start provisioning of OCI DBCS.

3. OCI DBCS Post-Provisioning Steps

3.1 Apply patch 33672295

This step is needed if DBCS was provisioned with earlier RU than 19.28. Download patch 33672295 from MOS and apply according to README.

3.2 OCI DBCS as new primary system

If OCI DBCS will be your new primary system, we do strongly suggest that you establish your TDE Keystore backup policy at this point. We also suggest that you verify the TDE keystore password works by running command:

$ /u01/app/oracle/product/19.0.0/dbhome_1/bin/orapki wallet display -wallet /opt/oracle/dcs/commonstore/wallets/ONPREM01_OCI/tde/ewallet.p12

The contents of keystore are displayed only when the password is correct:

32E4323F135D1EBBE063E80DF40A811C/  cdb_ocids.json  tde/
[oracle@ocidoc ~]$ /u01/app/oracle/product/19.0.0/dbhome_1/bin/orapki wallet display -wallet /opt/oracle/dcs/commonstore/wallets/ONPREM01_OCI/tde/ewallet.p12
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
Subject:        CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AcHNUQvomk+tv+LPxx8h9MYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.AeYwswDk6U8kv77BH3h40zwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.32E4323F135D1EBBE063E80DF40A811C
ORACLE.SECURITY.ID.ENCRYPTION.
ORACLE.SECURITY.KB.ENCRYPTION.
ORACLE.SECURITY.KM.ENCRYPTION.AcHNUQvomk+tv+LPxx8h9MYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.KM.ENCRYPTION.AeYwswDk6U8kv77BH3h40zwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:

3.3 OCI DBCS as new standby system

If OCI DBCS will be your new standby system, you need to delete the existing database and also remove the existing DBCS keystore to avoid any mixup. Neither of these items will be used in the further OCI Hybrid configuration. You can drop the database by running the following as the oracle user:

export ORACLE_SID=ONPREM01
rman target /
startup mount force dba;
drop database including backups;

[oracle@ocidoc ~]$ . oraenv
ORACLE_SID = [ONPREM01] ?
The Oracle base has been set to /u01/app/oracle
[oracle@ocidoc ~]$ rman target /

Recovery Manager: Release 19.0.0.0.0 - Production on Thu Aug 14 11:47:48 2025
Version 19.27.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.

connected to target database: ONPREM01 (DBID=1928426375)

RMAN> startup mount force dba;
startup mount force dba;
Oracle instance started
database mounted

Total System Global Area    6442447480 bytes

Fixed Size                     9192056 bytes
Variable Size               1073741824 bytes
Database Buffers            5217714176 bytes
Redo Buffers                 141799424 bytes

RMAN> drop database including backups;
drop database including backups;
database name is "ONPREM01" and DBID is 1928426375

Do you really want to drop all backups and the database (enter YES or NO)? yes
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=20 device type=DISK

List of Backup Pieces
BP Key  BS Key  Pc# Cp# Status      Device Type Piece Name
------- ------- --- --- ----------- ----------- ----------
1       1       1   1   AVAILABLE   DISK        /u03/app/oracle/fast_recovery_area/ONPREM01_OCI/autobackup/2025_08_14/o1_mf_n_1209121279_n9vjj09q_.bkp
2       2       1   1   AVAILABLE   DISK        /u03/app/oracle/fast_recovery_area/ONPREM01_OCI/autobackup/2025_08_14/o1_mf_s_1209122168_n9vkcrpm_.bkp
deleted backup piece
backup piece handle=/u03/app/oracle/fast_recovery_area/ONPREM01_OCI/autobackup/2025_08_14/o1_mf_n_1209121279_n9vjj09q_.bkp RECID=1 STAMP=1209121280
deleted backup piece
backup piece handle=/u03/app/oracle/fast_recovery_area/ONPREM01_OCI/autobackup/2025_08_14/o1_mf_s_1209122168_n9vkcrpm_.bkp RECID=2 STAMP=1209122168
Deleted 2 objects

released channel: ORA_DISK_1
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=20 device type=DISK
specification does not match any datafile copy in the repository
specification does not match any control file copy in the repository
specification does not match any control file copy in the repository
List of Archived Log Copies for database with db_unique_name ONPREM01_OCI
=====================================================================

Key     Thrd Seq     S Low Time
------- ---- ------- - ---------
1       1    1       A 14-AUG-25
        Name: /u03/app/oracle/fast_recovery_area/ONPREM01_OCI/archivelog/2025_08_14/o1_mf_1_1_n9vjj6jt_.arc

2       1    2       A 14-AUG-25
        Name: /u03/app/oracle/fast_recovery_area/ONPREM01_OCI/archivelog/2025_08_14/o1_mf_1_2_n9vjmq82_.arc

3       1    3       A 14-AUG-25
        Name: /u03/app/oracle/fast_recovery_area/ONPREM01_OCI/archivelog/2025_08_14/o1_mf_1_3_n9vjs3hn_.arc

deleted archived log
archived log file name=/u03/app/oracle/fast_recovery_area/ONPREM01_OCI/archivelog/2025_08_14/o1_mf_1_1_n9vjj6jt_.arc RECID=1 STAMP=1209121286
deleted archived log
archived log file name=/u03/app/oracle/fast_recovery_area/ONPREM01_OCI/archivelog/2025_08_14/o1_mf_1_2_n9vjmq82_.arc RECID=2 STAMP=1209121399
deleted archived log
archived log file name=/u03/app/oracle/fast_recovery_area/ONPREM01_OCI/archivelog/2025_08_14/o1_mf_1_3_n9vjs3hn_.arc RECID=3 STAMP=1209121572
Deleted 3 objects

database name is "ONPREM01" and DBID is 1928426375
database dropped

The keystore can be deleted manually:

rm -rf /opt/oracle/dcs/commonstore/wallets/ONPREM01_OCI

4. Installing Dbvisit Software

Dbvisit StandbyMP software installation doesn’t require any specific step for hybrid environments. You can refer to general documentation on how to install the software:

Installation Requirements

Installation Guide

As stated in the installation requirements, take special care that all network communication works perfectly and that hostname resolution is consistent on the primary and standby server.

Make sure to start all the components after installation: you should have dbvagentmanager running on OCI DBCS host and at the on premise host. Dbvcontrol should be running as well on one of the hosts or on additional third host.

5. Creating OCI DBCS Standby Database from on Premise Primary Database

Using dbvctl to create the DDC and the standby database is not supported in an OCI hybrid environment.

This section will explain steps needed to create OCI DBCS standby database from on premise primary database.

There are two possible cases / variants for this scenario. Both variants are very much similar with only minor difference which will be pointed out further in this section when individual steps are described. The two variants are:

A. There is no existing keystore on the on premise host

This is typical scenario when setting up first Hybrid configuration for your primary database. In this case, you will be prompted during create standby database for keystore password and Dbvisit will create the new keystore for you.

B. There is an existing keystore on the on premise host

This can happen if for example your primary database was already used in the past for OCI Hybrid configuration, or you are re-creating standby database on OCI DBCS. In this case, Dbvisit will re-use the existing keystore and will not create a new one.

When re-using existing keystore, you must ensure that you know the password for this existing keystore. If not, unrecoverable data loss can occur.

You can check for an existing keystore by examining parameter wallet_root on your primary and listing directory contents. The wallet_root parameter is not set if there is no existing keystore:

sho parameter root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string

In this example, wallet_root is not set, meaning there’s no existing keystore.

5.1 Prerequisites

In addition to prerequisites listed below, all general prerequisites for Oracle Database Synchronization as described in user guide must be met:

Prerequisites

5.1.1 Check Existing Keystore

Check for existing keystore on primary server by running:

SQL> sho parameter root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /etc/oracle/KEYSTORE/PREM19

If wallet_root is set and points to different directory than /etc/oracle/KEYSTORE/$ORACLE_SID do not proceed further and contact Dbvisit Support.

If there is an existing keystore on primary on premise host, verify that you know the password for this keystore by running command:

$ $ORACLE_HOME/bin/orapki wallet display -wallet /opt/oracle/dcs/commonstore/wallets/ONPREM01_OCI/tde/ewallet.p12

After providing correct password, keystore contents are displayed.

5.1.2 Check That required patch is present in the ORACLE_HOME on premise host and DBCS host

Execute following command as oracle user with Database Home sourced to ensure required patch is applied:

$ORACLE_HOME/OPatch/opatch lsinventory | grep 33672295

Example output when patch is applied:

$ORACLE_HOME/OPatch/opatch lsinventory | grep 33672295
Patch  33672295     : applied on Thu Jul 17 13:32:53 UTC 2025
     33672295

5.1.3 Check that PDBs are open

Before creating standby database on OCI DBCS, all PDBs on primary on premise must be opened in read write mode. Ensure that by running:

SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ONPREM01PDB                    READ WRITE NO

We recommend running the following command in the CDB:

SQL> alter pluggable database all save state;

to ensure the PDB will start as opened read-write even after CDB database restart.

 

5.1.4 Check or set on premise TDE parameters

There are two parameters which must be set to correct values in order to correctly establish synchronization in the hybrid environment:

wallet_root = /etc/oracle/KEYSTORE/$ORACLE_SID
tablespace_encryption = DECRYPT_ONLY

When these parameters are not set on your on premise native database, Dbvisit will automatically set these parameters when finalizing the create standby database process. This will result in primary database restart.

If you wish to restart primary database at specific time and not during create standby database process, you can set these parameters before running create standby database process:

alter system set wallet_root='/etc/oracle/KEYSTORE/ONPREM01' scope=spfile;
alter system set tablespace_encryption = DECRYPT_ONLY scope=spfile;
startup force;

The create standby database process will then detect these parameters and will not restart your primary database.

5.1.5 Check that no datafiles are encrypted in the on premise database

The following queries show whether any datafiles or tablespaces are encrypted:

select tablespace_name,encrypted from dba_tablespaces;
select file#,tablespace_name,encrypted from v$datafile_header;

The ENCRYPTED column must be “NO” for every tablespace and every datafile.

5.1.6 Keystore directory must exist on standby server

Directory /etc/oracle/KEYSTORE must exist on standby server, must be empty and writable by oracle user. Create the directory on standby server like so:

sudo mkdir -p /etc/oracle/KEYSTORE
sudo chown oracle:oinstall /etc/oracle/KEYSTORE

5.2 Create new DDC configuration

Below example will show you the usage of dbvcontrol GUI for creating new DDC hybrid configuration. Using dbvcli command line is also possible. It is not supported to use dbvctl for this task. Example environment used for this configuration:

Primary on premise server: onprem3

Standby DBCS server: ocidoc

Primary Database db_name: ONPREM01

Primary Database db_unique_name: ONPREM01

Primary Database PDBs: single pluggable database ONPREM01PDB

Start by creating new oracle configuration:

image-20250814-144714.png

Select primary host:

image-20250814-144746.png

continue by selecting primary database:

image-20250814-145009.png

Select standby host afterwards:

image-20250814-145044.png

Afterwards the DDC form will be presented:

image-20250814-145238.png

You should see an indication that the standby host is on OCI DBCS (1). This indication can take some seconds until it appears. Make sure to match your Standby Database Unique Name to the unique name you specified when provisioning OCI DBCS (2). Finally, enter licence key (3) and create configuration (4).

Configuration will be then visible in the dashboard:

image-20250814-145827.png

 

Clicking on “Set up Now” (1) will initiate the create standby database process.

5.3 Create OCI DBCS Standby Database

Below example will show you the usage of dbvcontrol GUI for creating new DBCS Standby database (CSD). Using dbvcli command line is also possible. It is not supported to use dbvctl for this task.

There are two possible CSD flows, depending on whether there is an existing wallet and whether the TDE parameters were pre-set or not (OCI Hybrid Configuration | 5.1.4 Check or set on premise TDE parameters ). Everything else in the OCI DBCS standby database setup remains the same as with the regular create standby database process: Create Standby Database (CSD)

5.3.1 No Existing Wallet on Primary on premise database

In this case, user is requested to enter Keystore password and Dbvisit will create the keystore during create standby database process:

image-20250814-150900.png

Make absolutely sure to remember and store the password in safe location. Losing the password may result in unrecoverable data loss. It is impossible to recover the password once the create standby database process is started.

If TDE parameters were not pre-set, warning that primary database will be restarted will be shown:

image-20250818-170452.png

The restart of primary database does occur once standby database is fully restored on standby OCI DBCS side.

5.3.2 Existing Wallet is present in /etc/oracle/KEYSTORE/$ORACLE_SID on Primary on premise database

If wallet_root parameter is already set and Dbvisit detects existing usable wallet on primary on premise host in wallet_root directory, informational message is displayed at the bottom of the create standby database screen:

image-20250903-112055.png

At the end of create standby database process, this wallet will be copied to standby OCI DBCS side and user PDB datafiles will be encrypted using this wallet. It is critical that password for this existing wallet is known to the user.

5.3.3 General Notes

These notes are valid for all CSD variants for creating OCI DBCS Standby Database

It is not needed to adjust the TDE parameters for standby OCI DBCS database. Although they are shown and possible to edit:

image-20250818-165939.png

Dbvisit will forcefully overwrite them with proper values for OCI DBCS Standby database.

Once OCI DBCS standby database is created, Dbvisit will automatically encrypt all user PDBs datafiles using the TDE encryption key from the newly created keystore

It is not possible to restart a failed CSD process. An incomplete standby database must always be deleted and the process started from scratch.

If there is an existing keystore present in the wallet_root on the on premise server which is not recognized by the primary database, following error will be shown:

image-20250903-075132.png

User is required to either change wallet_root parameter or remove all files from the wallet_root directory. We advise to create backup before removal.

 

5.4 Create OCI DBCS Standby Post-Steps

  • Once the OCI DBCS standby database is created, you need to verify that all user PDB datafiles are encrypted. This can be done with the following select:

select file#,tablespace_name,encrypted from v$datafile_header where con_id not in (1,2);

All displayed datafiles should have the “encrypted” column = YES, as in this example:

     FILE# TABLESPACE_NAME                ENC
---------- ------------------------------ ---
         9 SYSTEM                         YES
        10 SYSAUX                         YES
        11 UNDOTBS1                       YES
        12 USERS                          YES

If no datafiles are encrypted on the OCI DBCS standby database, the CSD process is not considered a success.

CDB datafiles and PDB$SEED datafiles are never encrypted by Dbvisit.

  • The on-premise primary database backup used by Dbvisit to create OCI DBCS standby database, will remain on OCI DBCS machine after the create standby database process completes. Because the backup is not encrypted in any way, we recommend that users manually delete these RMAN backup files from OCI DBCS machine without any delay. The RMAN backup files are located on standby server in temporary directory which was selected by user during Dbvisit create standby database process.

6. Creating On Premise Standby Database from OCI DBCS Primary Database

Using dbvctl to create the DDC and the standby database is not supported in an OCI hybrid environment.

This section explains the steps needed to create an on premise standby database from an OCI DBCS primary database. The steps below are valid for an on-premise native database and for an OCI DBCS native database. An on premise database can also assume the primary role on OCI DBCS and be the source for standby database creation.

There are only two notable differences between OCI DBCS native database and on-premise native database. These differences are however not relevant for the standby database creation.

OCI DBCS Native database on OCI DBCS

  • has user PDB and CDB datafiles encrypted

  • has initial wallet_root location set to /opt/oracle/dcs/commonstore/wallets/<db_unique_name>

Dbvisit StandbyMP create standby database process always sets wallet_root to /etc/oracle/KEYSTORE

On Premise Native database on OCI DBCS

  • has only user PDB datafiles encrypted

  • has wallet_root location set to /etc/oracle/KEYSTORE/<db_unique_name>

Any primary database on OCI DBCS will have TDE encryption parameters already set and wallet is existing, hence there are no variants in create standby database process as when creating standby database from on premise primary.

6.1 Prerequisites

In addition to prerequisites listed below, all general prerequisites for Oracle Database Synchronization as described in user guide must be met:

Prerequisites

6.1.1 Check existing keystore

Check for existing keystore on primary OCI DBCS server by running:

SQL> sho parameter root

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      /opt/oracle/dcs/commonstore/wallets/TEST01_dzv_iad

If there is an existing keystore on primary on premise host, verify that you know the password for this keystore by running command:

$ $ORACLE_HOME/bin/orapki wallet display -wallet /opt/oracle/dcs/commonstore/wallets/TEST01_dzv_iad/tde/ewallet.p12

After providing correct password, keystore contents are displayed.

You must ensure that you know the password for this existing keystore

6.1.2 Check That required patch is present in the ORACLE_HOME on OCI DBCS host and on on premise host

Execute following command as oracle user with Database Home sourced to ensure required patch is applied:

$ORACLE_HOME/OPatch/opatch lsinventory | grep 33672295

Example output when patch is applied:

$ORACLE_HOME/OPatch/opatch lsinventory | grep 33672295
Patch  33672295     : applied on Thu Jul 17 13:32:53 UTC 2025
     33672295
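The patch-level rules from sections 1.1, 5.1.2 and 6.1.2 can be checked against saved `opatch lsinventory` output on each host. The script below is an added example, not part of Dbvisit's tooling. The function names and the 19.24 and 19.28 inventory lines are constructed, and matching "RELEASE UPDATE" case-insensitively is an assumption.

```shell
#!/bin/sh
# Added example (not Dbvisit code): evaluates saved "opatch lsinventory"
# output against this guide's rules: RU at least 19.25, and patch 33672295
# applied unless the RU is 19.28 or later (which includes it).
# Function names and the 19.24 / 19.28 sample lines are constructed.

# ru_minor: print the lowest 19.x RU number seen on "RELEASE UPDATE" lines
# (27 for 19.27). Case-insensitive match is an assumption made here.
ru_minor() {
    awk 'toupper($0) ~ /RELEASE UPDATE/ && match($0, /19\.[0-9]+/) {
             v = substr($0, RSTART + 3, RLENGTH - 3) + 0
             if (min == "" || v < min) min = v
         }
         END { if (min != "") print min }'
}

# patch_ids: sorted list of patch numbers from "Patch <id> : applied on" lines.
patch_ids() {
    awk '$1 == "Patch" && $2 ~ /^[0-9]+$/ && $3 == ":" { print $2 }' | sort -u
}

# check_hybrid_patchlevel: inventory on stdin.
# 0 = requirements met, 1 = RU older than 19.25,
# 2 = patch 33672295 missing on RU 19.25-19.27, 3 = no RU line found.
check_hybrid_patchlevel() {
    inv=$(cat)
    minor=$(printf '%s\n' "$inv" | ru_minor)
    [ -n "$minor" ] || return 3
    [ "$minor" -ge 25 ] || return 1
    if [ "$minor" -ge 28 ]; then return 0; fi
    printf '%s\n' "$inv" | patch_ids | grep -qx 33672295 || return 2
    return 0
}

# same_patch_set INV_A INV_B: true when both homes list the same applied
# patches (the guide requires the patchlevel on both hosts to match exactly).
same_patch_set() {
    [ "$(printf '%s\n' "$1" | patch_ids)" = "$(printf '%s\n' "$2" | patch_ids)" ]
}

# Sample inventories. The 19.27 lines follow the output shown in this guide;
# the 19.24 and 19.28 lines are constructed, with placeholder patch numbers.
INV_1927_PATCHED='Patch  33672295     : applied on Thu Jul 17 13:32:53 UTC 2025
Patch description:  "OJVM RELEASE UPDATE: 19.27.0.0.250415 (37499406)"
Patch description:  "OCW RELEASE UPDATE 19.27.0.0.0 (37654975)"'

INV_1927_UNPATCHED='Patch description:  "OJVM RELEASE UPDATE: 19.27.0.0.250415 (37499406)"
Patch description:  "OCW RELEASE UPDATE 19.27.0.0.0 (37654975)"'

INV_1924='Patch  33672295     : applied on Thu Jul 17 13:32:53 UTC 2025
Patch description:  "OCW RELEASE UPDATE 19.24.0.0.0 (00000000)"'

INV_1928='Patch description:  "OCW RELEASE UPDATE 19.28.0.0.0 (00000000)"'

# Demo: an on premise home on 19.27 without the patch must be rejected.
if printf '%s\n' "$INV_1927_UNPATCHED" | check_hybrid_patchlevel; then
    echo "patchlevel OK for OCI Hybrid"
else
    echo "patchlevel check failed (see return codes above)"
fi
```

Run it on both hosts and compare the two inventories with `same_patch_set` before creating the DDC.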

6.1.3 Check that PDBs are open

Before creating standby database in the on premise environment, all PDBs on primary DBCS database must be opened in read write mode. Ensure that by running:

SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ONPREM01PDB                    READ WRITE NO

6.1.4 Check TDE parameters

The TDE related parameters should be always set on the OCI DBCS side and should have following values:

wallet_root = /opt/oracle/dcs/commonstore/wallets/TEST01_dzv_iad/tde
tablespace_encryption = AUTO_ENABLE

If OCI DBCS was originally a standby database of an on premise native database, wallet_root will be set to /etc/oracle/KEYSTORE

6.1.5 Keystore directory must exist on standby server

Directory /etc/oracle/KEYSTORE must exist on standby server, must be empty and writable by oracle user. Create the directory on standby server like so:

sudo mkdir -p /etc/oracle/KEYSTORE
sudo chown oracle:oinstall /etc/oracle/KEYSTORE

6.2 Create new DDC configuration

Below example will show you the usage of dbvcontrol GUI for creating new DDC hybrid configuration. Using dbvcli command line is also possible. It is not supported to use dbvctl for this task. Example environment used for this configuration:

Primary DBCS Server: ociqa

Standby On premise Server: onprem1

Primary Database db_name: TEST01

Primary Database db_unique_name: TEST01_dzv_iad

Primary Database PDBs: single pluggable database TEST01PDB

Start by creating new oracle configuration:

image-20250814-144714.png

Select primary host:

image-20250903-134649.png

Afterwards select primary database:

image-20250903-134748.png

and then standby host:

image-20250903-134831.png

You should see an indication that primary host is in the OCI. On the following screen, correct indicated fields:

image-20250903-135128.png

(1) correct ARCHSOURCE directory to db_name (compulsory: we don’t recommend using db_unique_name here)

(2) set recognizable ORACLE_SID (optional: you can set it same as db_unique_name)

(3) set recognizable db_unique_name (compulsory: you should set a different db_unique_name for your standby database than the db_unique_name of your OCI DBCS database)

(4) correct ARCHDEST directory to db_name (compulsory: we don’t recommend using db_unique_name here)

(5) correct DDC name to db_name (compulsory)

(6) enter licence key

(7) submit create configuration form

Configuration will be then visible in the dashboard:

image-20250903-140542.png

Clicking on “Set up Now” (1) will initiate the create standby database process.

6.3 Create On Premise Standby Database

Below example will show you the usage of dbvcontrol GUI for creating new On premise Standby database (CSD). Using dbvcli command line is also possible. It is not supported to use dbvctl for this task.

Working wallet must be always present on OCI DBCS side (otherwise OCI DBCS side would be corrupted) and at the same time, Oracle OCI configuration ensures TDE parameters are correctly set and therefore it is never needed to restart primary database on OCI DBCS. Because of this, CSD process remains the same as with regular create standby database process: Create Standby Database (CSD) with only following differences:

there is an informational message that this will be hybrid setup:

image-20250903-140910.png

It is not necessary to adjust the TDE parameters for the standby on premise database, although they are shown and can be edited:

image-20250903-141130.png

Dbvisit will forcefully overwrite them with proper values for OCI DBCS Standby database.

It is not possible to restart a failed CSD process. An incomplete standby database must always be deleted and the process started from scratch.

In most cases the primary server will not be correctly configured to use huge pages, so we recommend removing this parameter for the on premise standby database:

image-20250903-141740.png

If you wish to retain this parameter, you must ensure that the number of huge pages is configured correctly on your on premise standby host, otherwise the CSD process will fail.

During the CSD process, all datafiles need to be transferred to the on premise server first. Only then can the “restore as decrypt” begin, which is also indicated in the CSD task details (1,2):

image-20250903-143618.png

Once the CSD process completes, all datafiles of the on premise standby database will be unencrypted.

6.4 Create OCI DBCS Standby Post-Steps

Once the on premise standby database is created, verify that all database datafiles are unencrypted. This can be done with the following select:

select file#,tablespace_name,encrypted from v$datafile_header;

The result should show “encrypted” column = NO for all datafiles, as in this example:

SQL> select file#,tablespace_name,encrypted from v$datafile_header;

     FILE# TABLESPACE_NAME                ENC
---------- ------------------------------ ---
         1 SYSTEM                         NO
         3 SYSAUX                         NO
         4 UNDOTBS1                       NO
         5 SYSTEM                         NO
         6 SYSAUX                         NO
         7 USERS                          NO
         8 UNDOTBS1                       NO
         9 SYSTEM                         NO
        10 SYSAUX                         NO
        11 UNDOTBS1                       NO
        12 USERS                          NO

If any datafile is shown as encrypted in the on premise standby database, you should immediately drop this database and you must not use it. Otherwise it would be a TDE licence violation.

7. Restrictions and Known Limitations

The list below includes unsupported features and limitations which should not be used in OCI Hybrid configuration. The features are not disabled in the code, so users are responsible for avoiding using these features in OCI Hybrid configuration.

7.1 Refresh / add new Pluggable databases

At this moment, refreshing or synchronizing newly added pluggable databases from primary to standby is not supported in OCI Hybrid configuration. To avoid any potential issues, we suggest setting the following DDC parameter:

PDB_SYNC = N

Documentation link for DDC parameter change:

Modifying DDC File

7.2 Incremental backup synchronization

The incremental backup sync process is described here:

Incremental Backup Synchronization (SYNC)

Due to datafile encryption, an incremental backup can cause datafile integrity issues. To synchronize a standby database without available archivelogs, the SYNC process cannot be used; the standby database must be deleted and recreated from scratch.

7.3 Refresh Single Datafile

The refresh single datafile process is described here:

Oracle Miscellaneous Operation Tasks | 1.2 Refresh One Datafile

Datafile encryption doesn’t allow decryption at the level of a single datafile. Decryption is possible only at database or tablespace level. For this reason, this functionality is unsupported.

To synchronize a standby database without available archivelogs, the standby database must be deleted and recreated from scratch.

7.4 Adding New datafile to on premise created tablespace on OCI DBCS primary

This relates only to the OCI DBCS side.

Under very specific circumstances, it is possible to encounter a situation in which a newly added datafile on the OCI DBCS primary is not encrypted. The conditions and steps that lead to this situation are:

A. Create On premise Standby Database from OCI DBCS primary

B. Perform switchover, converting the on premise standby database to primary role

C. Create new tablespace in user PDB on the on premise primary

D. Perform switchover, converting the OCI DBCS standby database to primary role

E. On OCI DBCS primary add new datafile to the on premise created tablespace

F. The result is inconsistently encrypted datafiles in a single tablespace:

SQL> select file#,tablespace_name,encrypted from v$datafile_header where tablespace_name='TESTA';

     FILE# TABLESPACE_NAME                ENC
---------- ------------------------------ ---
        13 TESTA                          YES
        14 TESTA                          NO

If this situation is encountered, we recommend starting the OCI DBCS primary database in MOUNT mode and manually encrypting the unencrypted datafile from within the PDB container:

SQL> alter session set container=TEST01PDB;

Session altered.

SQL> alter database datafile '+DATA/TEST01_DZV_IAD/39FA349481D22BC4E0637500000A957F/DATAFILE/testa.282.1210864967' encrypt;

Database altered.
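The datafile check from section 6.4 and the mixed-encryption situation from section 7.4 can both be written as queries that return rows only when something needs attention. This is an added example, not part of the Dbvisit documentation; it assumes the queries are run as a privileged user from CDB$ROOT so that datafiles of all containers are listed, and treating a NULL value as a failure is a precaution added here.

```sql
-- Added example, not from the Dbvisit documentation.
-- Assumption: connected to CDB$ROOT as a privileged user, so that
-- v$datafile_header lists the datafiles of every container (con_id).

-- Check 1 (section 6.4), run on the on premise standby database.
-- Expected result: "no rows selected".
-- Any row returned is a datafile that is not confirmed as unencrypted.
-- A NULL value is reported as well (precaution added here): a header
-- that could not be read must not be counted as a pass.
select con_id,
       file#,
       tablespace_name,
       name,
       encrypted
  from v$datafile_header
 where encrypted <> 'NO'
    or encrypted is null
 order by con_id, file#;

-- Check 2 (section 7.4), run on the OCI DBCS primary database.
-- Expected result: "no rows selected".
-- Any row returned is a tablespace whose datafiles are in a mixed
-- state, like TESTA in the example above (file 13 YES, file 14 NO).
select con_id,
       tablespace_name,
       sum(case when encrypted = 'YES' then 1 else 0 end) as encrypted_files,
       sum(case when encrypted = 'NO'  then 1 else 0 end) as unencrypted_files
  from v$datafile_header
 group by con_id, tablespace_name
having count(distinct encrypted) > 1
 order by con_id, tablespace_name;

-- Follow-up for a tablespace reported by check 2: list the files that
-- still need "alter database datafile '...' encrypt" as shown above.
-- Run it from CDB$ROOT, or from within the PDB that owns the tablespace.
-- TESTA is the tablespace name from the page's example.
select con_id, file#, name
  from v$datafile_header
 where tablespace_name = 'TESTA'
   and encrypted = 'NO'
 order by con_id, file#;
```

Because both checks return nothing in the healthy state, they are convenient to schedule after every CSD run and after every switchover back to OCI DBCS.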