Impact of Database Recovery and Flashback Database on the TDE Wallet_1327519.1
|
In this Document
Applies to:Advanced Networking Option - Version 11.1.0.7 and laterInformation in this document applies to any platform. GoalWhat is the impact of the Database Media Recovery and Flashback Database operations on the Oracle TDE wallet? FixThese operations don't have any impact on the TDE wallet. More precisely:
2. if performing a Flashback Database and a master key change has been done in the covered interval of time, the operation will not be reflected in the wallet, ie all the master keys in the wallet before the flashback will be present at command completion. 3. the direct consequence of the above is that database media recovery cannot be used to recover wallet losses, when there are older wallet copies, if the master key has been changed within the interval between the wallet backup and the wallet loss. The recovery can be performed in this case until the moment when the master key has been changed. In this scenario if the latest wallet is not available after a rekey operation and the database needs to be recovered until the moment of the rekey operation, make sure to also restore a controlfile that was backed up before the latest rekey operation, since the latest controlfile has info about an unavailable master key which will lead to ORA-28374 errors during recovery.
mkdir $ORACLE_BASE/admin/$ORACLE_SID/{wallet,archive,backup}
mkdir $ORACLE_BASE/admin/$ORACLE_SID/backup/wallet SQL> sqlplus "/ as sysdba" SQL> alter system set log_archive_dest_1='location=/bugmnt16/em/celclnx14/SR3.3682242451/app/oracle/admin/TARDA1/archive'; SQL> alter system set log_archive_format='archive_TARDA1_%t_%s_%r.dbf' scope=spfile; SQL> shutdown immediate SQL> startup mount SQL> alter database archivelog; SQL> alter database flashback on; SQL> alter database open;
SQL> alter system set encryption key identified by "welcome1";
cd $ORACLE_BASE/admin/$ORACLE_SID/wallet
mkstore -wrl . -list Enter wallet password: Oracle Secret Store entries: ORACLE.SECURITY.DB.ENCRYPTION.AYRYEpb+cE95v4hVQGhMvOsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY ORACLE.SECURITY.TS.ENCRYPTION.BTJ9EEoIi7O8MokUyaU1SmMCAwAAAAAAAAAAAAAAAAAAAAAAAAAA 5. create an encrypted tablespace and an encrypted table and add some initial data:
SQL> create user test identified by test;
SQL> grant dba to test; SQL> create table test.test(id number encrypt); SQL> insert into test.test values(1); SQL> commit; SQL> create tablespace test datafile '/bugmnt16/em/celclnx14/SR3.3682242451/app/oracle/oradata/TARDA1/test01.dbf' size 10m encryption using '3des168' default storage(encrypt); SQL> create table test.ts_test(id number) tablespace test; SQL> insert into test.ts_test values(1); SQL> commit;
rman target /
RMAN> configure channel device type disk format '/bugmnt16/em/celclnx14/SR3.3682242451/app/oracle/admin/TARDA1/backup/db_backup%U.bkp'; RMAN> backup database plus archivelog; SQL> alter system set wallet close identified by "welcome1"; cp $ORACLE_BASE/admin/$ORACLE_SID/wallet/* $ORACLE_BASE/admin/$ORACLE_SID/backup/wallet/ewallet.p12.1
SQL> alter system set encryption key identified by "welcome1";
SQL> insert into test.test values(2); SQL> commit; SQL> insert into test.ts_test values(2); SQL> commit;
mkstore -wrl . -list
Enter wallet password: Oracle Secret Store entries: ORACLE.SECURITY.DB.ENCRYPTION.ASQ99v53Jk/nv3XHDxka99cAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.AYRYEpb+cE95v4hVQGhMvOsAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY ORACLE.SECURITY.TS.ENCRYPTION.BTJ9EEoIi7O8MokUyaU1SmMCAwAAAAAAAAAAAAAAAAAAAAAAAAAA 8. make a new wallet backup, as ewallet.p12.2
cp $ORACLE_BASE/admin/$ORACLE_SID/wallet/* $ORACLE_BASE/admin/$ORACLE_SID/backup/wallet/ewallet.p12.2
SQL> shutdown immediate
rm $ORACLE_BASE/oradata/$ORACLE_SID/*dbf rm $ORACLE_BASE/admin/$ORACLE_SID/wallet/ewallet.p12 9. restore the backup and the first wallet and recover to present time.
cp $ORACLE_BASE/admin/$ORACLE_SID/backup/wallet/ewallet.p12.1 $ORACLE_BASE/admin/$ORACLE_SID/wallet/ewallet.p12
RMAN> restore database; SQL> alter system set wallet open identified by "welcome1"; RMAN> recover database; Fails with: Starting recover at 03-JUN-11 using channel ORA_DISK_1 starting media recovery media recovery failed RMAN-00571: =========================================================== RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS =============== RMAN-00571: =========================================================== RMAN-03002: failure of recover command at 06/03/2011 07:14:31 ORA-00283: recovery session canceled due to errors RMAN-11003: failure during parse/execution of SQL statement: alter database recover if needed start ORA-00283: recovery session canceled due to errors ORA-01110: data file 1: '/bugmnt16/em/celclnx14/SR3.3682242451/app/oracle/oradata/TARDA1/system01.dbf' ORA-28374: typed master key not found in wallet
As seen above, the database media recovery didn't affect the wallet.
SQL> alter system set wallet close identified by "welcome1";
cp $ORACLE_BASE/admin/$ORACLE_SID/backup/wallet/ewallet.p12.2 $ORACLE_BASE/admin/$ORACLE_SID/wallet/ewallet.p12 SQL> alter system set wallet open identified by "welcome1"; RMAN> recover database; Starting recover at 03-JUN-11 using target database control file instead of recovery catalog allocated channel: ORA_DISK_1 channel ORA_DISK_1: SID=192 device type=DISK starting media recovery media recovery complete, elapsed time: 00:00:01 Finished recover at 03-JUN-11
The solution, as seen above, is to use the latest wallet version.
SQL> alter database open;
SQL> select * from test.test; ID ---------- 1 2 SQL> select * from test.ts_test; ID ---------- 1 2 ReferencesNOTE:445147.1 - How To Generate A New Master Encryption Key for the TDE |
|
|
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/17252115/viewspace-1364338/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- Flashback DatabaseDatabase
- OCP-IZO-053_QUESTION390_ Flashback Database recovery point parametersDatabase
- flashback database 方法Database
- 配置Flashback DatabaseDatabase
- What is the Impact on the Database When Modifying the OS DateDatabase
- flashback技術之---flashback databaseDatabase
- 關於flashback databaseDatabase
- How to enable the flashback database:Database
- 測試flashback databaseDatabase
- flashback database測試Database
- flashback系列文章三(flashback database)Database
- 啟用flashback database 功能Database
- ORA-38760: This database instance failed to turn on flashback databaseDatabaseAI
- oracle flashback特性(3.2)--Flashback Database操作示例OracleDatabase
- flashback總結一之Flashback_DatabaseDatabase
- oracle 之recovery directory databaseOracleDatabase
- 應用oracle flashback--Flashback Database介紹OracleDatabase
- oracle 10g flashback databaseOracle 10gDatabase
- flashback drop/query/table/database/archiveDatabaseHive
- flashback database 結合 data guardDatabase
- Oracle 閃回特性(FLASHBACK DATABASE)OracleDatabase
- 10.2 flashback database 測試!Database
- 對於Database recovery的理解Database
- [Flashback]Flashback Database閃回資料庫實驗Database資料庫
- Flashback database與flashback table使用條件區別Database
- 【徵文】應用oracle flashback(3.2)--Flashback Database操作示例OracleDatabase
- Flashback Database 閃回資料庫Database資料庫
- flashback database的一點總結Database
- Transparent Data Encryption (TDE) in Oracle 10g Database Release 2Oracle 10gDatabase
- 【Flashback】Flashback Database閃回資料庫功能實驗Database資料庫
- flashback database如何選擇需要應用的flashback logDatabase
- 全面學習oracle flashback特性(3.2)--Flashback Database操作示例OracleDatabase
- 【Flashback】啟用Flashback Database閃回資料庫功能Database資料庫
- 【Flashback】Flashback Database閃回資料庫功能實踐Database資料庫
- ORA-38760: This database instance failed to turn on flashback database 第三篇DatabaseAI
- ORA-38760: This database instance failed to turn on flashback database 錯誤解決DatabaseAI
- Oracle -- flashback database基於ARC+flashback_log還是flashback_logOracleDatabase
- Flashback database基礎知識問答Database