How do I copy keys between OKV servers when moving a PDB?

James-ISHelp
James-ISHelp Member Posts: 8 Red Ribbon
edited Jun 15, 2020 4:00AM in Database Security - General

Hi, I have two 18.3 Oracle Key Vault servers on different networks.

I have two 19.4 CDB databases set up with OKV, and the PDBs have encrypted tablespaces and data.

At the moment the keystore_mode is united, between the CDB and PDB.

I need to copy a PDB between the two networks and somehow export and copy the keys with the PDB across networks.

If I try and export the encryption keys I get an ORA-28417: password-based keystore is not open.

I cannot find any documentation on how to do this.

Answers

  • Emad Al-Mousa
    Emad Al-Mousa Member Posts: 716 Bronze Trophy
    edited Jun 14, 2020 2:01PM

    Hi,

    Have you tried opening the wallet explicitly?

    SQL> administer key management set keystore open identified by <keystore password>;

  • James-ISHelp
    James-ISHelp Member Posts: 8 Red Ribbon
    edited Jun 15, 2020 3:39AM

    If I run

    administer key management export encryption keys with secret "x" to 'p12 file' identified by "password";

    I get the following error

    ORA-28417: password-based keystore is not open

    The way around it is to:

    Create another wallet in OKV and add the PDB's keys to it, e.g. db_export_wallet.

    Run to create a wallet

    orapki wallet create -wallet db_export_wallet -pwd xxx

    Then use okvutil to export the OKV wallet's contents to the new wallet.

    okvutil download --location ~ --type wallet --overwrite --group db_export_wallet

    Unplug the PDB and copy the PDB files and wallet directory to the new server.

    On the other side, upload the wallet into the OKV wallet:

    okvutil upload --location ~ --type wallet --group db_export_wallet

    Plug in the PDB using keystore identified by, open the PDB and open the PDB keystore.

    James.

  • James-ISHelp
    James-ISHelp Member Posts: 8 Red Ribbon
    edited Jun 15, 2020 3:52AM

    Sorry, the import should be to the current OKV wallet, not the name of the export wallet.

    okvutil upload --location ~ --type wallet --group <default CDB's wallet>

  • James-ISHelp
    James-ISHelp Member Posts: 8 Red Ribbon
    edited Jun 15, 2020 4:00AM

    Also, the ~ should be ~/db_export_wallet; sorry, having a bad Monday.

    So it should be:

    orapki wallet create -wallet ~/db_export_wallet

    okvutil download --location ~/db_export_wallet --type wallet --group db_export_wallet

    Copy PDB and wallet

    okvutil upload --location ~/db_export_wallet --type wallet --group okv_db_wallet_name

    create pluggable database abc using 'x.pdb' keystore identified by "password";

    alter pluggable database abc open read write;

    alter session set container=abc;

    administer key management set keystore open identified by "password";
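
The corrected procedure James posted above, wrapped into one script as an added example (this is not code from the thread or from Oracle). It assumes orapki, okvutil and sqlplus are on the PATH of an already enrolled OKV endpoint; the wallet group names, PDB name and .pdb path are placeholders supplied by environment variables or arguments, and the keystore password comes from KEYSTORE_PASSWORD rather than being typed on the command line. DRY_RUN defaults to 1, so the script prints every command (with the password masked) and only executes when DRY_RUN=0 is set. Before the wallet directory is copied to the other network, the script checks that the downloaded ewallet.p12 exists and is not readable by other users, since that file is the key material for the encrypted tablespaces.

```shell
#!/usr/bin/env bash
# Added example wrapping the OKV export/import steps from the thread.
# Assumptions (not from the thread): orapki, okvutil and sqlplus are on PATH,
# the endpoint is enrolled with OKV, group names below are placeholders.
set -eu

EXPORT_WALLET_DIR="${EXPORT_WALLET_DIR:-$HOME/db_export_wallet}"  # local wallet directory
EXPORT_GROUP="${EXPORT_GROUP:-db_export_wallet}"    # OKV virtual wallet holding the PDB's keys
TARGET_GROUP="${TARGET_GROUP:-okv_db_wallet_name}"  # placeholder: destination CDB's OKV wallet
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only, 0 = execute

# Each step is built as a command string so it can be reviewed or tested
# before anything is run against OKV.
cmd_create_wallet() {   # $1 = wallet directory
  # No -pwd: orapki prompts, so the wallet password stays out of `ps` and history.
  printf 'orapki wallet create -wallet %s' "$1"
}
cmd_download() {        # $1 = wallet directory, $2 = OKV virtual wallet (group)
  printf 'okvutil download --location %s --type wallet --group %s --overwrite' "$1" "$2"
}
cmd_upload() {          # $1 = wallet directory, $2 = OKV virtual wallet (group)
  printf 'okvutil upload --location %s --type wallet --group %s' "$1" "$2"
}
import_sql() {          # $1 = PDB name, $2 = .pdb archive path, $3 = keystore password
  printf '%s\n' \
    "create pluggable database $1 using '$2' keystore identified by \"$3\";" \
    "alter pluggable database $1 open read write;" \
    "alter session set container=$1;" \
    "administer key management set keystore open identified by \"$3\";"
}

# Refuse to ship a wallet directory whose PKCS#12 file is missing or readable
# by other users. Assumption: okvutil writes the wallet as ewallet.p12.
verify_wallet_dir() {   # $1 = wallet directory; returns 0 when safe to copy
  f="$1/ewallet.p12"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f is mode $mode; expected 600" >&2; return 1 ;;
  esac
}

run() {                 # $1 = command string
  if [ "$DRY_RUN" = 1 ]; then printf '[dry-run] %s\n' "$1"; else eval "$1"; fi
}

export_side() {         # source network: stage the PDB's keys in a local wallet
  run "$(cmd_create_wallet "$EXPORT_WALLET_DIR")"
  run "$(cmd_download "$EXPORT_WALLET_DIR" "$EXPORT_GROUP")"
  [ "$DRY_RUN" = 1 ] || verify_wallet_dir "$EXPORT_WALLET_DIR"
  echo "Unplug the PDB, then copy its files and $EXPORT_WALLET_DIR to the target network."
}

import_side() {         # target network: $1 = PDB name, $2 = path to .pdb file
  : "${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD in the environment}"
  run "$(cmd_upload "$EXPORT_WALLET_DIR" "$TARGET_GROUP")"
  if [ "$DRY_RUN" = 1 ]; then
    printf '[dry-run] sqlplus -s / as sysdba <<SQL\n'
    import_sql "$1" "$2" '********'
    printf 'SQL\n'
  else
    import_sql "$1" "$2" "$KEYSTORE_PASSWORD" | sqlplus -s / as sysdba
  fi
}

case "${1:-}" in
  export) export_side ;;
  import) import_side "${2:?pdb name}" "${3:?path to .pdb file}" ;;
  *) echo "usage: $0 export | import <pdb_name> <file.pdb>" >&2 ;;
esac
```

Run `DRY_RUN=1 ./okv_move_pdb.sh export` on the source endpoint to review the commands, then rerun with DRY_RUN=0; after copying the PDB and wallet directory, run the import mode on the target endpoint with KEYSTORE_PASSWORD exported in the environment. Transport the wallet password over a separate channel from the wallet directory itself.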