Cloud Security Perspectives and Insights

Master Pluggable Databases in OCI In Just 5 Minutes

Provisioning an Oracle database in Oracle Cloud Infrastructure (OCI) is quick and easy: it takes no more than a few mouse clicks, and your database is ready within minutes. Once you have provisioned a 12.2 database (this includes all the 18c releases) in OCI, you will notice that:

  • it is always configured as a single-tenant database (root container with one pluggable database), and
  • Transparent Data Encryption is already turned on, and the USERS tablespaces of the root container and the PDB are already encrypted.

Because the 'encrypt_new_tablespaces' system parameter is set to CLOUD_ONLY by default, all new application tablespaces are automatically encrypted with AES128, even if the ENCRYPTION clause is omitted from the 'create tablespace' command.

Databases in OCI are created with an auto-open wallet, but the wallet password still has to be known for any further wallet operations; the default wallet password is the administrator password that you provided in the web form when you initially provisioned the database.

To complete the TDE configuration, set the ORACLE_UNQNAME environment variable both at the OS level (in .bash_profile) and in Server Control (srvctl), because even single-instance databases in OCI run on Oracle Grid Infrastructure. For a single-instance database, ORACLE_UNQNAME is usually the same as the ORACLE_SID; for RAC databases, ORACLE_UNQNAME is the ORACLE_SID without the trailing instance number. For example, a 2-node RAC with the ORACLE_SIDs FINRAC1 and FINRAC2 has the ORACLE_UNQNAME FINRAC.

How to clone a pluggable database with encrypted tablespaces:

SYS:CDB$ROOT> show pdbs;
------ --------- ---------- -----------

If the source PDB is open READ WRITE, the next command creates a "hot" clone, which requires local UNDO tablespaces and archive logging to be enabled. If that is not feasible, stop the source PDB and reopen it READ ONLY while it is being cloned.

SYS:CDB$ROOT> create pluggable database TESTPDB from FINPDB keystore identified by "wallet-pwd";

This guarantees that your source database (which might contain sensitive data) can only be cloned by an administrator who knows the wallet password.

SYS:CDB$ROOT> alter pluggable database TESTPDB open;

Now the new pluggable database needs its own encryption key.  Connect to TESTPDB and execute:

SYS:TESTPDB> administer key management set key force keystore identified by "wallet-pwd" with backup [container = current];

To test, select data from a table that is stored in an encrypted tablespace, or create a new tablespace, which is encrypted by default; in both cases the cloned database uses its own master encryption key, created in the previous step.

SYS:TESTPDB> create tablespace PROTECTED datafile size 50m;
Tablespace created.
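The clone procedure above, gathered into one script together with the dictionary checks a DBA would run afterwards to confirm that the clone really received its own master key and that the new tablespace is encrypted. This is an added example, not code from the original post; FINPDB, TESTPDB and "wallet-pwd" are the post's placeholders, and the V$ and DBA_ views are standard 12.2 views.

```sql
-- Added example: clone an encrypted PDB and verify the result.
-- Run as SYS in CDB$ROOT with SQL*Plus; replace the placeholder names.

-- 0. The OCI default that encrypts new tablespaces (expect CLOUD_ONLY)
SHOW PARAMETER encrypt_new_tablespaces

-- 1. Preconditions for a hot clone: source open READ WRITE,
--    local undo enabled and the CDB in ARCHIVELOG mode.
--    If any of these is missing, open the source READ ONLY instead.
SELECT name, open_mode FROM v$pdbs WHERE name = 'FINPDB';
SELECT log_mode FROM v$database;
SELECT property_value AS local_undo
  FROM database_properties
 WHERE property_name = 'LOCAL_UNDO_ENABLED';

-- 2. Clone: the keystore password is what gates access to the encrypted data.
CREATE PLUGGABLE DATABASE TESTPDB FROM FINPDB KEYSTORE IDENTIFIED BY "wallet-pwd";
ALTER PLUGGABLE DATABASE TESTPDB OPEN;

-- 3. Switch into the clone and note which key is active before rekeying
--    (at this point it still relies on the key it was cloned with).
ALTER SESSION SET CONTAINER = TESTPDB;
SELECT key_id, activation_time, key_use FROM v$encryption_keys;

-- 4. Give the clone its own master key (FORCE KEYSTORE opens an
--    auto-login wallet if needed; WITH BACKUP keeps a copy of the wallet).
ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE
  IDENTIFIED BY "wallet-pwd" WITH BACKUP;

-- 5. Verify: wallet open, a newer key_id now active, wallet backed up
SELECT wrl_type, status, wallet_type, fully_backed_up FROM v$encryption_wallet;
SELECT key_id, activation_time, key_use
  FROM v$encryption_keys
 ORDER BY activation_time DESC;

-- 6. Prove that a tablespace created without the ENCRYPTION clause is
--    still encrypted, and that it is tied to the clone's master key.
CREATE TABLESPACE protected DATAFILE SIZE 50M;
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'PROTECTED';
SELECT t.name, e.encryptionalg, e.masterkeyid
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#
 WHERE t.name = 'PROTECTED';
```

The key_id returned in step 5 should differ from the one captured in step 3, and dba_tablespaces.encrypted should read YES even though no ENCRYPTION clause was given.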

If you are interested in learning more about other use cases, please let me know in the comment section below. To learn more about Oracle Database Security and Oracle Cloud Infrastructure, please visit our web pages.

Comments (1)
  • Raj Gupta Tuesday, February 19, 2019
    Thanks for sharing the details and summarizing in simple writing.

    I have a few questions:
    1. What if the source PDB has a huge size? Does the above create pluggable database also have the same data as the source pluggable DB?

    2. Do we have to copy the datafiles to a new location, as required for a new pluggable database?

    Please suggest.

    Once again thank you for writing.

    Raj Gupta