在tde环境下从pdb从united mode转化为isolated mode失败后如何回退

我们在尝试将pdb从united mode 模式转化为isolated mode模式失败了
现在的处境就是因为isolated mode的keystore或者master encryption key没有配置好，tde_configuration这个参数已经修改为了keystore_configuration=file,就是keystore mode已经为isolated
，但是keystore或者master encryption key又没有配置好。这个时候想把pdb open，open会失败，报wallet not open，想将tde_cofiguration改为使用united mode的keystore，又因为pdb没有open ，没法修改，这就陷入了死结

oracle针对这种情况给出了方案，就是在cdb level修改pdb level的tde_configuration这个参数

07:52:01 SQL> select status,keystore_mode from v$encryption_wallet;

STATUS			       KEYSTORE
------------------------------ --------
NOT_AVAILABLE		       ISOLATED

Elapsed: 00:00:00.03
07:52:16 SQL> select name,open_mode from gv$pdbs;

NAME		     OPEN_MODE
-------------------- ----------
TDETEST2PDB10896     MOUNTED
TDETEST2PDB10896     MOUNTED

Elapsed: 00:00:00.02
07:52:43 SQL> alter pluggable database open read write instances=all;
alter pluggable database open read write instances=all
*
ERROR at line 1:
ORA-65107: Error encountered when processing the current task on instance:1
ORA-00704: bootstrap process failure
ORA-28365: wallet is not open
07:53:24 SQL> show parameter tde_configuration;

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
tde_configuration		     string	 keystore_configuration=file
07:53:31 SQL> alter system set tde_configuration='' scope=memory;
alter system set tde_configuration='' scope=memory
*
ERROR at line 1:
ORA-01219: database or pluggable database not open: queries allowed on fixed tables or views only


Elapsed: 00:00:00.00

oracle针对这种情况给出了方案，就是在cdb level修改pdb level的tde_configuration这个参数

07:59:53 SQL> select a.status,a.keystore_mode,b.name from v$encryption_wallet a,v$pdbs b where a.con_id=b.con_id and b.name='TDETEST2PDB10896';

STATUS			       KEYSTORE NAME
------------------------------ -------- --------------------
NOT_AVAILABLE		       ISOLATED TDETEST2PDB10896

Elapsed: 00:00:00.14

08:00:46 SQL> select status,keystore_mode from v$encryption_wallet;

STATUS			       KEYSTORE
------------------------------ --------
OPEN			       NONE
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       UNITED
CLOSED			       ISOLATED
CLOSED			       ISOLATED
CLOSED			       ISOLATED
CLOSED			       ISOLATED
CLOSED			       ISOLATED
NOT_AVAILABLE		       ISOLATED
CLOSED			       UNITED
CLOSED			       ISOLATED
NOT_AVAILABLE		       ISOLATED

25 rows selected.

Elapsed: 00:00:00.15

这个命令是关键，运行了这个命令之后，所有的pdb的keystore都变成了united mdoe，然后我们就可以将真正需要isolate mode的pdb修改为isolated mode

08:51:29 SQL> alter system reset tde_configuration scope=both sid='*';

System altered.

Elapsed: 00:00:00.02


08:51:46 SQL> alter database open;

Database altered.

Elapsed: 00:00:04.13
08:52:10 SQL> select status,keystore_mode from v$encryption_wallet;

STATUS			       KEYSTORE
------------------------------ --------
NOT_AVAILABLE		       NONE
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED
NOT_AVAILABLE		       UNITED

25 rows selected.

Elapsed: 00:00:00.26

08:56:05 SQL> alter session set container=tdetest2pdb10896;

Session altered.

Elapsed: 00:00:00.00
08:56:25 SQL> administer key management set keystore open identified by "WelCome-123#";

keystore altered.

Elapsed: 00:00:00.01
08:56:42 SQL> alter pluggable database open read write instances=all;

Pluggable database altered.

Elapsed: 00:00:03.34
08:57:02 SQL> select * from u1.t_1;

A
------------------------------
detroy test 202012272345

Elapsed: 00:00:00.02

至此，pdb tdetest2pdb10896由united mode转化为isolated mode失败后如何恢复就做完了

期间碰到了这个错误

08:47:01 SQL> alter system reset tde_configuration scope=memory;
alter system reset tde_configuration scope=memory
*
ERROR at line 1:
ORA-32012: cannot reset the memory value of initialization parameter


Elapsed: 00:00:00.01

这个错误应该是这样就可以避免 alter system reset tde_configuration scope=both sid='*';

alter system reset tde_configuration scope=both sid='*';这个命令应该是最好是在cdb处于mount状态下做吧，还没有摸清到底在数据库open的状态能不能做，做了会有什么问题。

另外一个命令
alter system set tde_configuration='keystore_configuration=file,container=tdetest2pdb10888' scope=both si='*';这个命令是在pdb无法open，而又需要修改pdb的keystore mode为isolated的情况下使用的

alter system reset tde_configuration scope=both sid='*';这个命令其实是用于pdb的keystore状态为isolated ，但是其实又有问题，需要退回到united mode模式时使用的

alter system reset tde_configuration scope=both sid='*';这个命令应该是会把cdb level的tde_configuration回退到一个值，然后将pdb level的这个tde_configuration参数全部置空，这其实就是默认让所有的pdb都使用united mode的keystore了，如果确实有的pdb是使用isolated keystore，并且没有问题的话，那应该要使用这个命令alter system set tde_configuration='keystore_configuration=file,container=tdetest2pdb10888' scope=both si='*';将这个pdb修改为使用isolated mode的keystore

alter system set tde_configuration=‘keystore_configuration=file,container=tdetest2pdb10888’ scope=both si=’’;
alter system reset tde_configuration scope=both sid=’’;
这两个命令就是用来解决pdb的keystore的类型（tde_configuration这个参数所指定的）和实际不符的时候如何解决问题的。