Configure Oracle Database Features for Oracle Exadata Database Service on Exascale Infrastructure
Learn how to configure Oracle Multitenant, tablespace encryption, and other options for your Oracle Exadata Database Service on Exascale Infrastructure instance.
- Using Oracle Multitenant on an Oracle Exadata Database Service on Exascale Infrastructure Instance
Learn about requirements for different features when using Multitenant environments in Oracle Exadata Database Service on Exascale Infrastructure. - Managing Tablespace Encryption
Learn about how tablespace encryption is implemented in Oracle Exadata Database Service on Exascale Infrastructure
Parent topic: How-to Guides
Using Oracle Multitenant on an Oracle Exadata Database Service on Exascale Infrastructure Instance
Learn about requirements for different features when using Multitenant environments in Oracle Exadata Database Service on Exascale Infrastructure.
When you create an Oracle Exadata Database Service on Exascale Infrastructure Instance, an Oracle Multitenant environment is created.
The multitenant architecture enables Oracle Database to function as a multitenant container database (CDB) that includes zero, one, or many pluggable databases (PDBs). A PDB is a portable collection of schemas, schema objects, and non-schema objects that appears to an Oracle Net Services client as a non-CDB.
To use Oracle Transparent Data Encryption (TDE) in a pluggable database (PDB), you must create and activate a master encryption key for the PDB.
In a multitenant environment, each PDB has its own master encryption key which is stored in a single keystore used by all containers.
You must export and import the master encryption key for any encrypted PDBs you plug into your Oracle Exadata Database Service on Exascale Infrastructure Instance CDB.
If your source PDB is encrypted, you must export the master encryption key and then import it.
You can export and import all of the TDE master encryption keys that belong to the PDB by exporting and importing the TDE master encryption keys from within a PDB. Export and import of TDE master encryption keys support the PDB unplug and plug operations. During a PDB unplug and plug, all of the TDE master encryption keys that belong to a PDB, as well as the metadata, are involved.
See "Using Transparent Data Encryption with Other Oracle Features" in Oracle Database Advanced Security Guide.
See "ADMINISTER KEY MANAGEMENT" in Oracle Database SQL Language Reference..
- To determine if you need to create and activate an encryption key for the PDB
- To create and activate the master encryption key in a PDB
- To export and import a master encryption key
Related Topics
To determine if you need to create and activate an encryption key for the PDB
- Invoke SQL*Plus and log in to the database as the
SYS
user withSYSDBA
privileges. -
Set the container to the PDB:
SQL> ALTER SESSION SET CONTAINER = pdb;
-
Query
V$ENCRYPTION_WALLET
as follows:SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
If the
STATUS
column contains a value ofOPEN_NO_MASTER_KEY
, you need to create and activate the master encryption key.
To create and activate the master encryption key in a PDB
-
Set the container to the PDB:
SQL> ALTER SESSION SET CONTAINER = pdb;
-
Create and activate a master encryption key in the PDB by executing the following command:
SQL> ADMINISTER KEY MANAGEMENT SET KEY USING TAG 'tag' FORCE KEYSTORE IDENTIFIED BY keystore-password WITH BACKUP USING 'backup_identifier';
In the previous command:
keystore-password
is the keystore password. By default, the keystore password is set to the value of the administration password that is specified when the database is created.- The optional
USING TAG 'tag'
clause can be used to associate a tag with the new master encryption key. - The
WITH BACKUP
clause, and the optionalUSING 'backup_identifier'
clause, can be used to create a backup of the keystore before the new master encryption key is created.
See also
ADMINISTER KEY MANAGEMENT
in Oracle Database SQL Language Reference for Release19, 18 or 12.2.Note
To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the
FORCE KEYSTORE
option to theADMINISTER KEY MANAGEMENT
command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.If your Oracle Database 12c Release 1 database does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:
- Close the keystore.
- Open the password-based keystore.
- Create and activate a master encryption key in the PDB by using
ADMINISTER KEY MANAGEMENT
without theFORCE KEYSTORE
option. - Update the auto-login keystore by using
ADMINISTER KEY MANAGEMENT
with theCREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE
option.
-
Query
V$ENCRYPTION_WALLET
again to verify that theSTATUS
column is set toOPEN
:SQL> SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;
-
Query
V$INSTANCE
and take note of the value in theHOST_NAME
column, which identifies the database server that contains the newly updated keystore files:SQL> SELECT host_name FROM v$instance;
-
Copy the updated keystore files to all of the other database servers.
To distribute the updated keystore, you must perform the following actions on each database server that does not contain the updated keystore files:
-
Connect to the root container and query
V$ENCRYPTION_WALLET
. Take note of the keystore location contained in theWRL_PARAMETER
column:SQL> SELECT wrl_parameter, status FROM v$encryption_wallet;
-
Copy the updated keystore files.
You must copy all of the updated keystore files from a database server that is already updated. Use the keystore location observed in the
WRL_PARAMETER
column ofV$ENCRYPTION_WALLET
.
Open the updated keystore:SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE open FORCE KEYSTORE IDENTIFIED BY keystore-password CONTAINER=all;
Note
To enable key management operations while the keystore is in use, Oracle Database 12c Release 2, and later, includes the
FORCE KEYSTORE
option to theADMINISTER KEY MANAGEMENT
command. This option is also available for Oracle Database 12c Release 1 with the October 2017, or later, bundle patch.If your Oracle Database 12c Release 1 database does not have the October 2017, or later, bundle patch installed, you can perform the following alternative steps:
- Close the keystore before copying the updated keystore files.
- Copy the updated keystore files.
- Open the updated keystore by using
ADMINISTER KEY MANAGEMENT
without theFORCE KEYSTORE
option.
-
-
Query
GV$ENCRYPTION_WALLET
to verify that theSTATUS
column is set toOPEN
across all of the database instances:SQL> SELECT wrl_parameter, status, wallet_type FROM gv$encryption_wallet;
To export and import a master encryption key
- Export the master encryption key.
- Invoke SQL*Plus and log in to the PDB.
-
Execute the following command:
SQL> ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "secret" TO 'filename' IDENTIFIED BY keystore-password;
- Import the master encryption key.
- Invoke SQL*Plus and log in to the PDB.
-
Execute the following command:
SQL> ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "secret" FROM 'filename' IDENTIFIED BY keystore-password;
Managing Tablespace Encryption
Learn about how tablespace encryption is implemented in Oracle Exadata Database Service on Exascale Infrastructure
By default, all new tablespaces that you create in an Exadata database are encrypted.
However, the tablespaces that are initially created when the database is created may not be encrypted by default.
- For databases that use Oracle Database 12c Release 2 or later, only the
USERS
tablespaces initially created when the database was created are encrypted. No other tablespaces are encrypted including the non-USERS
tablespaces in:- The root container (
CDB$ROOT
). - The seed pluggable database (
PDB$SEED
). - The first PDB, which is created when the database is created.
- The root container (
- For databases that use Oracle Database 12c Release 1 or Oracle Database 11g, none of the tablespaces initially created when the database was created are encrypted.
For further information about the implementation of tablespace encryption in Exadata, along with how it impacts various deployment scenarios, see:
Oracle Database Tablespace Encryption Behavior in Oracle Cloud (Doc ID 2359020.1).
Creating Encrypted Tablespaces
User-created tablespaces are encrypted by default.
By default, any new tablespaces created by using the SQL CREATE TABLESPACE
command are encrypted with the AES128 encryption algorithm. You do not need to include the USING 'encrypt_algorithm'
clause to use the default encryption.
You can specify another supported algorithm by including the USING 'encrypt_algorithm' clause in the CREATE TABLESPACE command. Supported algorithms are AES256, AES192, AES128, and 3DES168.
Managing Tablespace Encryption
You can manage the software keystore (known as an Oracle wallet in Oracle Database 11g), the master encryption key, and control whether encryption is enabled by default.
Managing the Master Encryption Key
Tablespace encryption uses a two-tiered, key-based architecture to transparently encrypt (and decrypt) tablespaces. The master encryption key is stored in an external security module (software keystore). This master encryption key is used to encrypt the tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace.
When a database is created on an Exadata Cloud Service instance, a local software keystore is created. The keystore is local to the compute nodes and is protected by the administration password specified during the database creation process. The auto-login software keystore is automatically opened when the database is started.
You can change (rotate) the master encryption key by using the ADMINISTER KEY MANAGEMENT SQL
statement. For example:
SQL> ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY USING TAG 'tag'
IDENTIFIED BY password WITH BACKUP USING 'backup';
keystore altered.
See "Managing the TDE Master Encryption Key" in Oracle Database Advanced Security Guide.
Controlling Default Tablespace Encryption
The ENCRYPT_NEW_TABLESPACES
initialization parameter controls the default encryption of new tablespaces. In Exadata databases, this parameter is set to CLOUD_ONLY
by default.
Values of this parameter are as follows.
Value | Description |
---|---|
ALWAYS
|
During creation, tablespaces are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the ENCRYPTION clause.
|
CLOUD_ONLY
|
Tablespaces created in an Exadata database are transparently encrypted with the AES128 algorithm unless a different algorithm is specified in the ENCRYPTION clause. For non-cloud databases, tablespaces are only encrypted if the ENCRYPTION clause is specified. ENCRYPTION is the default value.
|
DDL
|
During creation, tablespaces are not transparently encrypted by default, and are only encrypted if the ENCRYPTION clause is specified.
|
With Oracle Database 12c Release 2 (12.2), or later, you can no longer create an unencrypted tablespace in an Exadata database. An error message is returned if you set
ENCRYPT_NEW_TABLESPACES
to DDL
and issue a CREATE TABLESPACE
command without specifying an ENCRYPTION
clause.