This section describes the steps needed to perform TDE Tablespace Online Encryption for an Oracle E-Business Suite database.
Source your Oracle E-Business Suite Database Oracle Home.
Create the required wallet by specifying the wallet location in the pfile or spfile:
Create the corresponding directory manually:
$ mkdir -p $ORACLE_BASE/admin/<db_unique_name>/wallet
Add the following entry to the parameter file:
alter system set WALLET_ROOT='$ORACLE_BASE/admin/<db_unique_name>/wallet' scope=spfile sid='*';
Restart the database.
Set the TDE_CONFIGURATION dynamic initialization parameter to specify the keystore type.
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" scope=both;
Restart the database.
Check the wallet location and status:
$ sqlplus / as sysdba;
SQL> select * from V$encryption_wallet;
Set the master encryption key from SQL*Plus:
Source the container database environment:
$ sqlplus / as sysdba;
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE 'keystore_location' IDENTIFIED BY software_keystore_password;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY software_keystore_password;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY software_keystore_password WITH BACKUP;
Connect to PDB <PDB_NAME>
alter session set container="<PDB_NAME>";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY software_keystore_password;
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY software_keystore_password WITH BACKUP;
To create an Auto-Login or a Local Auto-Login Software Keystore:
Source the container database environment
ADMINISTER KEY MANAGEMENT CREATE [LOCAL] AUTO_LOGIN KEYSTORE FROM KEYSTORE 'keystore_location' IDENTIFIED BY software_keystore_password;
Note: The keystore location is $ORACLE_BASE/admin/<db_unique_name>/wallet/tde
Bounce the database:
SQL> shutdown normal;
SQL> exit;
Start up the database normally, ensuring that the wallet is open:
Source the container database environment
sqlplus "/ as sysdba"
For an auto-login keystore:
SQL> startup
For a password-based keystore:
SQL> startup mount;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY software_keystore_password;
SQL> alter database open;
Check the wallet location and status
SQL> select * from V$encryption_wallet;
Identify all the temporary and undo tablespaces in the CDB and PDB:
SQL> select tablespace_name from dba_tablespaces where contents='TEMPORARY' and STATUS='ONLINE';
SQL> select tablespace_name from dba_tablespaces where contents='UNDO' and STATUS='ONLINE';
Encryption Conversions for Existing Online Tablespaces other than temp:
Source the container database environment
$ sqlplus / as sysdba;
The following steps can be performed in the CDB or PDB as per your requirement:
Connect to PDB <PDB_NAME>
alter session set container="<PDB_NAME>";
SQL> ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES192' ENCRYPT FILE_NAME_CONVERT = ('users1.dbf', 'users1_enc.dbf', 'users2.dbf', 'users2_enc.dbf');
Repeat the command above as required for the other tablespaces that you wish to encrypt. If any tablespace datafile was missed, you can complete the conversion by performing the steps documented in Finishing an Interrupted Online Encryption Conversion.
Note: Ensure that there is sufficient space in the file system. If your datafile is 5Gb then 6Gb free space is required to perform the encryption of that datafile.
Check the status of tablespace encryption by connecting to SQL*Plus / as sysdba and running the query shown:
$ sqlplus / as sysdba
The following steps can be performed in the CDB or PDB as per your requirement:
Connect to PDB <PDB_NAME>
alter session set container="<PDB_NAME>";
SQL> select tablespace_name, encrypted from dba_tablespaces;
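The conversion step above has to be repeated for every tablespace and every datafile. The following PL/SQL block is an added example (not part of the original procedure and not Oracle-supplied code) that generates those statements from the data dictionary, together with a size hint for the free-space note. It assumes datafiles on a regular file system, reuses the page's AES192 algorithm and `_enc` naming pattern, and follows the page's "other than temp" scope.

```sql
-- Added example: run as SYSDBA in the CDB root or in the PDB being encrypted.
-- Prints one ALTER TABLESPACE ... ENCRYPT statement per online, unencrypted,
-- non-temporary tablespace; review the output before running any of it.
SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
  l_pairs   VARCHAR2(32767);  -- assumption: one statement fits in a 32 KB line
  l_new     VARCHAR2(1100);   -- target file name for one datafile
  l_max_gb  NUMBER;           -- largest datafile in the tablespace, in GB
BEGIN
  FOR ts IN (SELECT tablespace_name
             FROM   dba_tablespaces
             WHERE  contents <> 'TEMPORARY'
             AND    status    = 'ONLINE'
             AND    encrypted = 'NO'
             ORDER  BY tablespace_name)
  LOOP
    l_pairs  := NULL;
    l_max_gb := 0;
    FOR df IN (SELECT file_name, bytes
               FROM   dba_data_files
               WHERE  tablespace_name = ts.tablespace_name
               ORDER  BY file_id)
    LOOP
      -- users1.dbf -> users1_enc.dbf, as in the page's example; a file
      -- without a .dbf suffix gets _enc appended so the two names differ.
      l_new := CASE
                 WHEN REGEXP_LIKE(df.file_name, '\.dbf$', 'i')
                 THEN REGEXP_REPLACE(df.file_name, '\.dbf$', '_enc.dbf', 1, 1, 'i')
                 ELSE df.file_name || '_enc'
               END;
      -- Append the ('old', 'new') pair, comma-separated after the first one.
      l_pairs  := l_pairs
                  || CASE WHEN l_pairs IS NOT NULL THEN ', ' END
                  || '''' || df.file_name || ''', ''' || l_new || '''';
      l_max_gb := GREATEST(l_max_gb, NVL(df.bytes, 0) / POWER(1024, 3));
    END LOOP;
    -- Size hint for the free-space check: the largest single datafile.
    DBMS_OUTPUT.PUT_LINE('-- ' || ts.tablespace_name || ': largest datafile '
                         || ROUND(l_max_gb, 1) || ' GB');
    DBMS_OUTPUT.PUT_LINE('ALTER TABLESPACE ' || ts.tablespace_name
      || ' ENCRYPTION ONLINE USING ''AES192'' ENCRYPT FILE_NAME_CONVERT = ('
      || l_pairs || ');');
  END LOOP;
END;
/
```

The block only prints statements and changes nothing; rerunning it after a conversion lists whatever is still unencrypted in the current container.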
Procedure for Decryption
Online Tablespace Encryption is a reversible procedure. This section lists the steps you can use to decrypt an encrypted database.
Source the Oracle E-Business Suite Container Database Oracle Home.
Decrypt the datafiles by running the following commands from "sqlplus / as sysdba":
The following steps can be performed in the CDB or PDB as per your requirement:
Connect to PDB <PDB_NAME>
alter session set container="<PDB_NAME>";
SQL> ALTER TABLESPACE users ENCRYPTION ONLINE DECRYPT FILE_NAME_CONVERT = ('users1_enc.dbf', 'users1.dbf', 'users2_enc.dbf', 'users2.dbf');
Repeat the command above, as required for the other tablespaces that you wish to decrypt.
Check the status of encryption using the query in Step 8 above. It should show NO in the ENCRYPTED column for the decrypted tablespaces.
Close the wallet
Shut down the container or pluggable database from SQL*Plus:
Source the container database environment or PDB that you want to stop:
export ORACLE_PDB_SID="<PDB_NAME>"
$ sqlplus / as sysdba
SQL> shutdown
Start up the container or pluggable database from SQL*Plus:
Source the container database environment or PDB that you want to start:
export ORACLE_PDB_SID="<PDB_NAME>"
$ sqlplus / as sysdba
SQL> startup