The purpose of this document is to provide steps that needs to be followed when using Dbvisit Replicate with Oracle TDE. Dbvisit replicate supports Oracle TDE starting with Dbvisit Replicate version 2.9.02 .
From 12c oracle started using the term keystore instead of wallet and replaced command ALTER SYSTEM SET ENCRYPTION with ADMINISTER KEY MANAGEMENT . The keystore can also be stored in ASM , but Dbvisit Replicate 22.214.171.124 only supports keystore stored in the filesystem and does not support keystore stored in ASM. When using TDE with multitenant container databases, the root container(CDB$ROOT) must have a open keystore (wallet) with an Active Master Encryption Key, the pluggable databases can have separate master encryption keys for themselves. Data can be replicated from the TDE Source to a TDE Target and also to a NON-TDE target with some restrictions.
After completing the initial steps like running setup wizard, completing the ALL.sh script and before starting the MINE and APPLY, you can start the console and run the below command from the console to set the parameters for the TDE. After setting the below parameters you can start MINE/APPLY.
dbvrep> set _MINE_TDE_PASSWORD = kiwi123 // Password defined while creating the Keystore
dbvrep> set _MINE_TDE_WALLET = /u01/app/oracle/WALLET/SRCDB // Location of the Keystore
If you are using special characters in password, you need to use apostrophes for the _MINE_TDE_PASSWORD, for example:
dbvrep> set _MINE_TDE_PASSWORD = 'Pa$$word'
Changing Keystore password
Below are the steps that must be followed , when changing the keystore password.
- Shutdown the MINE process.
Change the Keystore password ,when the keystore is set to AUTOLOGIN.
SQL> ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD FORCE KEYSTORE IDENTIFIED BY kiwi123 SET dbvisit123 WITH BACKUP ;
Now change the TDE password in the MINE to the new password in the console.
dbvrep> set _MINE_TDE_PASSWORD = dbvisit123
- Start the MINE process.
Limitation when using TDE
- Keystore in ASM is not supported in Dbvisit Replicate 2.9.02
- Set Oracle Environment when starting MINE/APPLY when using TDE , since MINE searches for mkstore.
- Modifying a column in the source to encrypt/decrypt is not supported.
- Replicating to NON TDE target, adding a encrypted column does not work and creates a conflict , so as a workaround ignore the conflict and then add the column as non-encrypted column in the target and proceed further.