Thursday, 1 August 2019

RMAN -Auto-login Software Keystore -TDE

 RMAN -Auto-login Software Keystore -TDE

[oracle@srv1 admin]$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Thu Aug 1 16:38:26 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options


  • Create auto-login keystore.


SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore' IDENTIFIED BY oracle;

keystore altered.

  • Verify the created files (ewallet*.p12 and cwallet.sso). 

SQL> !ls -la /u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore
total 20
drwxr-xr-x  2 oracle oinstall 4096 Aug  1 16:40 .
drwxr-xr-x. 3 oracle oinstall 4096 Aug  1 16:28 ..
-rw-r--r--  1 oracle oinstall 3893 Aug  1 16:40 cwallet.sso
-rw-r--r--  1 oracle oinstall 2408 Aug  1 16:19 ewallet_2019080110494479_for_rman.p12
-rw-r--r--  1 oracle oinstall 3848 Aug  1 16:19 ewallet.p12

SQL>


  • Restart the database
RMAN> SHUTDOWN IMMEDIATE;

using target database control file instead of recovery catalog
database closed
database dismounted
Oracle instance shut down

RMAN> STARTUP

connected to target database (not started)
Oracle instance started
database mounted
database opened

Total System Global Area    1795162112 bytes

Fixed Size                     2925456 bytes
Variable Size                553651312 bytes
Database Buffers            1224736768 bytes
Redo Buffers                  13848576 bytes


  • Trying taking another encrypted backup for the users tablespace it will throw error

RMAN> SELECT KEY_ID FROM V$ENCRYPTION_KEYS;

KEY_ID
------------------------------------------------------------------------------
AW+nuISELk+Ov4+DaK8uq/EAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

RMAN>
RMAN> SET ENCRYPTION ON;

executing command: SET encryption

RMAN> BACKUP TABLESPACE users TAG 'ENCRYPTED_USERS';

Starting backup at 01-AUG-19
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=62 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006 name=/u01/app/oracle/oradata/smr1/users01.dbf
channel ORA_DISK_1: starting piece 1 at 01-AUG-19
channel ORA_DISK_1: finished piece 1 at 01-AUG-19
piece handle=/u01/app/oracle/fast_recovery_area/SMR1/backupset/2019_08_01/o1_mf_nnndf_ENCRYPTED_USERS_gn5lhwsd_.bkp tag=ENCRYPTED_USERS comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 01-AUG-19

RMAN>
###############################################################################


  • add the following to your sqlnet.ora file


ENCRYPTION_WALLET_LOCATION =
(SOURCE =
 (METHOD = FILE)  (METHOD_DATA =
 (DIRECTORY =/u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore))
Posted by at No comments:

ORA-19914: unable to encrypt backup ORA-28365: wallet is not open -TDE Password-based keystore

[oracle@srv1 admin]$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Thu Aug 1 16:28:15 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> shut immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> STARTUP
ORACLE instance started.

Total System Global Area 1795162112 bytes
Fixed Size                  2925456 bytes
Variable Size             553651312 bytes
Database Buffers         1224736768 bytes
Redo Buffers               13848576 bytes
Database mounted.
Database opened.
SQL>

SQL> SELECT KEY_ID FROM V$ENCRYPTION_KEYS;

no rows selected
[oracle@srv1 admin]$ rman target /

Recovery Manager: Release 12.1.0.2.0 - Production on Thu Aug 1 16:30:41 2019

Copyright (c) 1982, 2014, Oracle and/or its affiliates.  All rights reserved.

connected to target database: SMR1 (DBID=3409868754)

RMAN> SET ENCRYPTION ON;

executing command: SET encryption
using target database control file instead of recovery catalog

RMAN> BACKUP TABLESPACE users TAG 'ENCRYPTED_USERS';

Starting backup at 01-AUG-19
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=63 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006 name=/u01/app/oracle/oradata/smr1/users01.dbf
channel ORA_DISK_1: starting piece 1 at 01-AUG-19
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 08/01/2019 16:30:58
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open

RMAN>
RMAN> sql 'ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle';

sql statement: ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle

RMAN> SET ENCRYPTION ON;

executing command: SET encryption

RMAN> BACKUP TABLESPACE users TAG 'ENCRYPTED_USERS';

Starting backup at 01-AUG-19
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006 name=/u01/app/oracle/oradata/smr1/users01.dbf
channel ORA_DISK_1: starting piece 1 at 01-AUG-19
channel ORA_DISK_1: finished piece 1 at 01-AUG-19
piece handle=/u01/app/oracle/fast_recovery_area/SMR1/backupset/2019_08_01/o1_mf_nnndf_ENCRYPTED_USERS_gn5kxhcv_.bkp tag=ENCRYPTED_USERS comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 01-AUG-19

RMAN>

Posted by at No comments:

Using RMAN Transparent-mode Encrypted Backups -Manual

Scenario: 
Taking encrypted backup of tablespace using RMAN utility
  • Connect to target database

[oracle@srv1 admin]$ rman target /

Recovery Manager: Release 12.1.0.2.0 - Production on Thu Aug 1 16:22:24 2019

Copyright (c) 1982, 2014, Oracle and/or its affiliates.  All rights reserved.

connected to target database: SMR1 (DBID=3409868754)


  • Display and check encryption algorithm

RMAN> show encryption algorithm;

using target database control file instead of recovery catalog
RMAN configuration parameters for database with db_unique_name SMR1 are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default


  • Enable encryption

RMAN> set encryption on;

executing command: SET encryption

  • Check Schema status


RMAN> report schema;

Report of database schema for database with db_unique_name SMR1

List of Permanent Datafiles
===========================
File Size(MB) Tablespace           RB segs Datafile Name
---- -------- -------------------- ------- ------------------------
1    790      SYSTEM               YES     /u01/app/oracle/oradata/smr1/system01.dbf
3    690      SYSAUX               NO      /u01/app/oracle/oradata/smr1/sysaux01.dbf
4    135      UNDOTBS1             YES     /u01/app/oracle/oradata/smr1/undotbs01.dbf
6    5        USERS                NO      /u01/app/oracle/oradata/smr1/users01.dbf

List of Temporary Files
=======================
File Size(MB) Tablespace           Maxsize(MB) Tempfile Name
---- -------- -------------------- ----------- --------------------
1    197      TEMP                 32767       /u01/app/oracle/oradata/smr1/temp01.dbf


  • Backup tablespace users with TAG 'ENCRYPTED_USERS

RMAN> BACKUP TABLESPACE USERS TAG 'ENCRYPTED_USERS';

Starting backup at 01-AUG-19
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=69 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006 name=/u01/app/oracle/oradata/smr1/users01.dbf
channel ORA_DISK_1: starting piece 1 at 01-AUG-19
channel ORA_DISK_1: finished piece 1 at 01-AUG-19
piece handle=/u01/app/oracle/fast_recovery_area/SMR1/backupset/2019_08_01/o1_mf_nnndf_ENCRYPTED_USERS_gn5k5m0l_.bkp tag=ENCRYPTED_USERS comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 01-AUG-19


  • check backup status 

RMAN> list backupset TAG 'ENCRYPTED_USERS';


List of Backup Sets
===================


BS Key  Type LV Size       Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ ---------------
1       Full    1.61M      DISK        00:00:01     01-AUG-19
        BP Key: 1   Status: AVAILABLE  Compressed: NO  Tag: ENCRYPTED_USERS
        Piece Name: /u01/app/oracle/fast_recovery_area/SMR1/backupset/2019_08_01/o1_mf_nnndf_ENCRYPTED_USERS_gn5k5m0l_.bkp
  List of Datafiles in backup set 1
  File LV Type Ckp SCN    Ckp Time  Name
  ---- -- ---- ---------- --------- ----
  6       Full 2006836    01-AUG-19 /u01/app/oracle/oradata/smr1/users01.dbf

  • Using query check  encrypted backupset status 

RMAN> SELECT S.RECID AS "BS_REC", P.RECID AS "BP_REC", P.ENCRYPTED FROM   V$BACKUP_PIECE P, V$BACKUP_SET S WHERE  P.SET_STAMP = S.SET_STAMP   AND  P.SET_COUNT = S.SET_COUNT   AND  P.TAG ='ENCRYPTED_USERS';

    BS_REC     BP_REC ENC
---------- ---------- ---
         1          1 YES

RMAN>

[oracle@srv1 admin]$ ls -al /u01/app/oracle/product/12.1.0/dbhome_1/dbs/keystore
total 16
drwxr-xr-x  2 oracle oinstall 4096 Aug  1 16:19 .
drwxr-xr-x. 3 oracle oinstall 4096 Aug  1 16:23 ..
-rw-r--r--  1 oracle oinstall 2408 Aug  1 16:19 ewallet_2019080110494479_for_rman.p12
-rw-r--r--  1 oracle oinstall 3848 Aug  1 16:19 ewallet.p12
[oracle@srv1 admin]$

Posted by at No comments:
Subscribe to: Posts (Atom)