Thursday, August 16, 2018

How to Export/Import Oracle DB Wallet Keys on 12c

Export/Import Keys from non-CDB to PDB

Export keys from Source Database

Connect to Source database
Make sure the keystore is open on the Source:
    select wrl_type,con_id,wrl_parameter,status,wallet_type from v$encryption_wallet;
If not open:
    administer key management set keystore open identified by "password";
Make sure WALLET_TYPE is not AUTOLOGIN. If WALLET_TYPE = AUTOLOGIN, see steps below to set up an explicit password before export.
NOTE: This will cause an outage on the source database, as you will have to close and re-open the wallet.
If the database was upgraded from 11g, you will need to perform a rekey of the master key first.
To check if you need to perform a rekey:
    select creator_dbname, CREATOR_INSTANCE_NAME from v$encryption_keys;
If these columns are NULL, then you will need to rekey:
    select key_id from v$encryption_keys;    -- will generally be 1 row
    ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password WITH BACKUP;
    select key_id from v$encryption_keys;    -- you will see an extra row compared with the previous run
Export Keystore from Source
    ADMINISTER KEY MANAGEMENT EXPORT KEYS WITH SECRET "password"
    TO '/u02/storage/TDE/export2.exp' IDENTIFIED BY password;
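
The source-side checks above (keystore open, wallet type, rekey needed), combined into one read-only PL/SQL block to run before the export. This is an added example, not part of the original post; it assumes a single file-based keystore and a SQL*Plus session that can query the V$ views, and the variable names and messages are illustrative.

```sql
-- Added example, not from the original post: read-only pre-export check for
-- the source database. Run in SQL*Plus as a user that can query the V$ views.
SET SERVEROUTPUT ON
DECLARE
  v_total     PLS_INTEGER;          -- all rows in v$encryption_keys
  v_populated PLS_INTEGER;          -- rows that carry creator metadata
  v_ready     BOOLEAN := TRUE;
BEGIN
  -- Keystore must be OPEN and must not be an auto-login wallet.
  FOR w IN (SELECT wrl_type, con_id, wrl_parameter, status, wallet_type
              FROM v$encryption_wallet) LOOP
    DBMS_OUTPUT.PUT_LINE('keystore ' || w.wrl_type || ' ' || w.wrl_parameter ||
                         ' status=' || w.status ||
                         ' wallet_type=' || w.wallet_type);
    IF NVL(w.status, 'UNKNOWN') <> 'OPEN' THEN
      v_ready := FALSE;
      DBMS_OUTPUT.PUT_LINE('  -> open the keystore before exporting');
    END IF;
    -- LIKE also matches LOCAL_AUTOLOGIN, which is an auto-login type as well.
    IF w.wallet_type LIKE '%AUTOLOGIN' THEN
      v_ready := FALSE;
      DBMS_OUTPUT.PUT_LINE('  -> auto-login wallet: set up an explicit password first');
    END IF;
  END LOOP;

  -- Keys carried over from 11g have no creator metadata. After a rekey the
  -- old row stays in the view, so look for at least one populated row.
  SELECT COUNT(*),
         COUNT(CASE WHEN creator_dbname IS NOT NULL
                     AND creator_instance_name IS NOT NULL THEN 1 END)
    INTO v_total, v_populated
    FROM v$encryption_keys;
  DBMS_OUTPUT.PUT_LINE('keys=' || v_total || ' with_creator=' || v_populated);
  IF v_total = 0 THEN
    v_ready := FALSE;
    DBMS_OUTPUT.PUT_LINE('  -> no keys visible (keystore closed or no master key)');
  ELSIF v_populated = 0 THEN
    v_ready := FALSE;
    DBMS_OUTPUT.PUT_LINE('  -> rekey required before export');
  END IF;

  DBMS_OUTPUT.PUT_LINE(CASE WHEN v_ready THEN 'READY to export keys'
                            ELSE 'NOT READY: fix the items above' END);
END;
/
```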

Import keys into PDB

Create the PDB from the non-CDB after the rekey is performed
Copy the export file to the CDB host: /u02/storage/PDB

Connect to the CDB and make sure the wallet is open:
    select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;
If not open:
    administer key management set keystore open identified by "password";
Connect to the PDB and make sure the wallet is open:
    select wrl_type,con_id,wrl_parameter,status from v$encryption_wallet;
If not open:
    administer key management set keystore open identified by "password";
Import Keystore
    ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "password"
    FROM '/u02/storage/PDB/export.exp' IDENTIFIED BY password WITH BACKUP;

    select key_id from v$encryption_keys;
Close and open the PDB
