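After TDE has been configured, a new PDB must be created by cloning a PDB that already has TDE configured. If the new PDB is not cloned from a TDE-configured PDB, its TDE status will be wrong.
This is the state after TDE has been configured: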
SQL> select * from v$encryption_wallet;
WRL_TYPE             WRL_PARAMETER                  STATUS                         WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
-------------------- ------------------------------ ------------------------------ -------------------- --------- -------- --------- ----------
ASM                  +recoc1/cdbs7/tde/             OPEN                           AUTOLOGIN            SINGLE    NONE     NO                 1
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 2
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 3
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 4
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 5
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 6
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 7
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 8
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                10
9 rows selected.
Create two PDBs in the following two ways:
SQL> create pluggable database cdbs7pdb10009 admin user pdbadmin identified by cdbs7 roles=(connect);
Pluggable database created.
The TDE status of CDBS7PDB10009, created above, will be wrong: OPEN_NO_MASTER_KEY.
SQL> create pluggable database cdbs7pdb100010 from cdbs7pdb10006 keystore identified by "WelCome-123#";
Pluggable database created.
A PDB created this way (cdbs7pdb10010) has no TDE problem.
SQL> select * from v$encryption_wallet;
WRL_TYPE             WRL_PARAMETER                  STATUS                         WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
-------------------- ------------------------------ ------------------------------ -------------------- --------- -------- --------- ----------
ASM                  +recoc1/cdbs7/tde/             OPEN                           AUTOLOGIN            SINGLE    NONE     NO                 1
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 2
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 3
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 4
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 5
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 6
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 7
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                 8
ASM                                                 OPEN_NO_MASTER_KEY             AUTOLOGIN            SINGLE    UNITED   UNDEFINED          9
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                10
ASM                                                 OPEN                           AUTOLOGIN            SINGLE    UNITED   NO                13
11 rows selected.
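To pick out affected PDBs by name instead of reading CON_ID values off the listing above, a query along these lines can be run from CDB$ROOT. It is an added example, not part of the original post, and it assumes a privileged session in the root container so that the V$ views return rows for every container.

```sql
-- Added example: list containers whose TDE keystore status is not OPEN,
-- for instance OPEN_NO_MASTER_KEY on a PDB created with
-- CREATE PLUGGABLE DATABASE ... ADMIN USER instead of a clone.
-- Assumption: executed in CDB$ROOT, so each V$ view covers all containers.
SELECT c.con_id,
       c.name             AS pdb_name,
       c.open_mode,
       w.status           AS wallet_status,
       w.wallet_type,
       w.keystore_mode,
       w.fully_backed_up,
       -- number of TDE master keys recorded for this container
       (SELECT COUNT(*)
          FROM v$encryption_keys k
         WHERE k.con_id = c.con_id) AS master_keys
  FROM v$containers c
  LEFT JOIN v$encryption_wallet w
         ON w.con_id = c.con_id
 WHERE w.status IS NULL          -- no keystore row reported at all
    OR w.status <> 'OPEN'        -- closed, or open without a master key
 ORDER BY c.con_id;
```

An empty result means every container reports an open keystore; a row with `OPEN_NO_MASTER_KEY` and `master_keys = 0` matches the state shown for CON_ID 9.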
Solution
Method 1
SQL> alter session set container=cdbs7pdb10009;
Session altered.
SQL> administer key management set encryption key force keystore identified by "WelCome-123#" with backup;
keystore altered.
If method 1 does not resolve it, use method 2.
First, the auto_login wallet needs to be backed up.
To do that, find where the wallet is located:
SQL> show parameter wallet_root;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
wallet_root                          string      +recoc1/cdbs7
ASMCMD> cp cwallet.sso cwallet.sso.0006
copying +recoc1/cdbs7/tde/cwallet.sso -> +recoc1/cdbs7/tde/cwallet.sso.0006
ASMCMD> rm cwallet.sso
Then restart the DB:
srvctl stop database -d cdbs7
srvctl start database -d cdbs7
Then:
alter session set container=cdbs7pdb10009;
administer key management set encryption key identified by "WelCome-123#" with backup;
Then:
alter session set container=cdb$root;
Next, recreate the auto_login wallet:
administer key management create auto_login keystore from keystore '+recoc1/cdbs7/tde' identified by "WelCome-123#";
Problem solved. That is method 2: first remove the auto_login wallet, then enter the problematic PDB and create the master key, then create a new auto_login wallet.