RMAN - Configuring setup Transparent Data Encryption

Configuring setup Transparent Data Encryption 

Check also below for reference:

RMAN -Auto-login Software Keystore -TDE

Using RMAN Transparent-mode Encrypted Backups -Manual

• Create a directory for saving the keystore in it

1. mkdir u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore

[oracle@srv1 admin]$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Thu Aug 1 14:17:43 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> select name,open_mode from v$database;

NAME      OPEN_MODE
--------- --------------------
SMR1      READ WRITE


SQL> ! ls -al /u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore
total 12
drwxr-xr-x  2 oracle oinstall 4096 Aug  1 14:18 .
drwxr-xr-x. 3 oracle oinstall 4096 Aug  1 14:11 ..
-rw-r--r--  1 oracle oinstall 2408 Aug  1 14:18 ewallet.p12

• Specify the keystore location in sqlnet.ora 

[oracle@srv1 admin]$ cat sqlnet.ora

NAMES.DIRECTORY_PATH=(tnsnames, hostname)

ENCRYPTION_WALLET_LOCATION =

(SOURCE =

 (METHOD = FILE)  (METHOD_DATA =

 (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore)))

• Create the software keystore file

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle;

keystore altered.

• Open the software keystore file:

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle;

• Create the master encryption key. 

SQL> ADMINISTER KEY MANAGEMENT SET KEY  IDENTIFIED BY oracle WITH BACKUP USING 'for_rman' ;

keystore altered.

• Retrieve the key identifier 

SQL> SELECT KEY_ID FROM V$ENCRYPTION_KEYS;

KEY_ID

------------------------------------------------------------------------------

AW+nuISELk+Ov4+DaK8uq/EAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Found Error : TNS-12560: TNS:protocol adapter error TNS-00583: Valid node checking: unable to parse configuration parameters

Recently i got error while starting an listener, Reason was i made some changes in sqlnet.ora file adding TDE wallet location, Once disable it , Able to open listener file.

TNS-12560: TNS:protocol adapter error
 TNS-00583: Valid node checking: unable to parse configuration parameters

[oracle@srv1 admin]$ cat listener.ora
# listener.ora Network Configuration File: /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER_STANDALONE =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = srv1.example.com)(PORT = 1521))
    )
  )

[oracle@srv1 admin]$ lsnrctl start listener_standalone

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 01-AUG-2019 14:31:47

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Starting /u01/app/oracle/product/12.1.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.1.0.2.0 - Production
System parameter file is /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/srv1/listener_standalone/alert/log.xml
Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=srv1.example.com)(PORT=1521)))
TNS-12560: TNS:protocol adapter error
TNS-00583: Valid node checking: unable to parse configuration parameters


Listener failed to start. See the error message(s) above...

[oracle@srv1 admin]$ ll
total 52
-rw-r--r--. 1 oracle oinstall  344 Jun 26 13:33 listener1906261PM3350.bak
-rw-r--r--. 1 oracle oinstall  344 Jun 26 13:34 listener1906261PM3404.bak
-rw-r--r--. 1 oracle oinstall  491 Jun 26 13:55 listener1906261PM5505.bak
-rw-r--r--. 1 oracle oinstall  491 Jun 26 13:56 listener1906261PM5616.bak
-rw-r--r--. 1 oracle oinstall  301 Jun 26 13:56 listener.ora
drwxr-xr-x. 2 oracle oinstall 4096 Jun 25 17:13 samples
-rw-r--r--. 1 oracle oinstall  373 Oct 31  2013 shrept.lst
-rw-r--r--  1 oracle oinstall  177 Aug  1 14:15 sqlnet.ora
-rw-r--r--. 1 oracle oinstall  518 Jun 26 13:33 tnsnames1906261PM3350.bak
-rw-r--r--. 1 oracle oinstall  518 Jun 26 13:34 tnsnames1906261PM3404.bak
-rw-r--r--. 1 oracle oinstall  518 Jun 26 13:55 tnsnames1906261PM5505.bak
-rw-r--r--. 1 oracle oinstall  518 Jun 26 13:56 tnsnames1906261PM5616.bak
-rw-r--r--. 1 oracle oinstall  518 Jun 26 13:41 tnsnames.ora
[oracle@srv1 admin]$ vi sqlnet.ora
[oracle@srv1 admin]$ cat sqlnet.ora
# add the following to it:
#ENCRYPTION_WALLET_LOCATION =
#(SOURCE =
#(METHOD = FILE)
#(METHOD_DATA =
#(DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore)))
[oracle@srv1 admin]$ lsnrctl start listener_standalone

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 01-AUG-2019 14:32:55

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Starting /u01/app/oracle/product/12.1.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.1.0.2.0 - Production
System parameter file is /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/srv1/listener_standalone/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=srv1.example.com)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=srv1.example.com)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     listener_standalone
Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Start Date                01-AUG-2019 14:32:55
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/srv1/listener_standalone/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=srv1.example.com)(PORT=1521)))
The listener supports no services
The command completed successfully
[oracle@srv1 admin]$ ps -ef |grep lsnr
grid      7385     1  0 Jul31 ?        00:00:02 /u01/app/12.1.0/grid/bin/tnslsnr LISTENER -no_crs_notify -inherit
grid      7397     1  0 Jul31 ?        00:00:03 /u01/app/12.1.0/grid/bin/tnslsnr LISTENER_SCAN1 -no_crs_notify -inherit
oracle   20680     1  0 14:32 ?        00:00:00 /u01/app/oracle/product/12.1.0/dbhome_1/bin/tnslsnr listener_standalone -inherit
oracle   20685  9923  0 14:33 pts/0    00:00:00 grep lsnr
[oracle@srv1 admin]$

Rman Catalog script for Tablespace backup

RMAN> CREATE SCRIPT TBS_FULL_SCRIPT { BACKUP TABLESPACE &1 TAG &2 ;}

Enter value for 1: IDATA

Enter value for 2: SOETBS

created script TBS_FULL_SCRIPT

RMAN> RUN { EXECUTE SCRIPT TBS_FULL_SCRIPT USING IDATA'IDATA102018';}

executing script: TBS_FULL_SCRIPT

Starting backup at 01-AUG-19
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=52 instance=rac1 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00002 name=+DATA/RAC/DATAFILE/idata.269.1014653909
channel ORA_DISK_1: starting piece 1 at 01-AUG-19
channel ORA_DISK_1: finished piece 1 at 01-AUG-19
piece handle=/u01/Backup/ora_df1015161939_s191_s1 tag=IDATA102018 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:02:55
Finished backup at 01-AUG-19

RMAN> list backup tag 'IDATA102018';


List of Backup Sets
===================


BS Key  Type LV Size       Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ ---------------
1430    Full    2.14G      DISK        00:02:50     01-AUG-19
        BP Key: 1433   Status: AVAILABLE  Compressed: NO  Tag: IDATA102018
        Piece Name: /u01/Backup/ora_df1015161939_s191_s1
  List of Datafiles in backup set 1430
  File LV Type Ckp SCN    Ckp Time  Name
  ---- -- ---- ---------- --------- ----
  2       Full 14593371   01-AUG-19 +DATA/RAC/DATAFILE/idata.269.1014653909

RMAN>

Recovery Manager complete.
[oracle@srv1 ~]$ rman target /  catalog rcowner/rcowner@smr2 script=TBS_FULL_SCRIPT USING IDATA  'IDATA2019'

Recovery Manager: Release 12.1.0.2.0 - Production on Thu Aug 1 13:34:31 2019

Copyright (c) 1982, 2014, Oracle and/or its affiliates.  All rights reserved.

connected to target database: RAC (DBID=2599942250)
connected to recovery catalog database

executing script: TBS_FULL_SCRIPT

Starting backup at 01-AUG-19
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=53 instance=rac1 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00002 name=+DATA/RAC/DATAFILE/idata.269.1014653909
channel ORA_DISK_1: starting piece 1 at 01-AUG-19
channel ORA_DISK_1: finished piece 1 at 01-AUG-19
piece handle=/u01/Backup/ora_df1015162475_s192_s1 tag=IDATA2019 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:03:16
Finished backup at 01-AUG-19

Recovery Manager complete.
[oracle@srv1 ~]$

[oracle@srv2 admin]$ rman target / catalog rcowner/rcowner@smr2 script=TBS_FULL_SCRIPT USING IDATA  'IDATA2019'

Recovery Manager: Release 12.1.0.2.0 - Production on Thu Aug 1 13:44:04 2019

Copyright (c) 1982, 2014, Oracle and/or its affiliates.  All rights reserved.

connected to target database: RAC (DBID=2599942250)
connected to recovery catalog database

executing script: TBS_FULL_SCRIPT

Starting backup at 01-AUG-19
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=107 instance=rac2 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00002 name=+DATA/RAC/DATAFILE/idata.269.1014653909
channel ORA_DISK_1: starting piece 1 at 01-AUG-19
channel ORA_DISK_1: finished piece 1 at 01-AUG-19
piece handle=/u01/Backup/ora_df1015163050_s193_s1 tag=IDATA2019 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:03:42
Finished backup at 01-AUG-19

Recovery Manager complete.
[oracle@srv2 admin]$