Provisioning a TDE-enabled vPDB to a cluster target
Overview
Provisioning a Virtual Pluggable Database (vPDB) to a linked RAC container database first involves using the GUI or CLI to specify the vPDB parameters (such as the vPDB name and target container) along with the snapshot to provision from. Once the provision job is started with these parameters, the Delphix Engine does the following:
Chooses an available instance from the target cluster and mounts the snapshot files on that instance.
Creates and opens (in mount mode) the auxiliary container database on the target instance, using the snapshot files. The auxiliary container database will have both the CDB and PDB data files from the dSource.
Completes recovery to bring the auxiliary container database into a consistent state.
Finalizes the state of the auxiliary database and unplugs the vPDB datafiles.
When provisioning to a vCDB target, converts the auxiliary CDB into the final vCDB.
Plugs the vPDB into the target database, and opens it in read-write mode on the same target instance used for recovery.
Spawns start jobs to open the vPDB in read-write mode on the remaining target instances in parallel.
If the dSource is TDE-enabled, then Delphix will need to perform additional operations to complete the provision of a TDE-enabled vPDB to a TDE-enabled cluster target (indicated in red):
Chooses an available instance from the target cluster and mounts the snapshot files on that instance.
Creates a keystore with the necessary keys to apply encrypted archived log files on the target instance.
Creates and opens (in mount mode) the auxiliary container database on the target instance, using the snapshot files. The auxiliary container database will have both the CDB and PDB data files from the dSource.
Completes recovery to bring the auxiliary container database into a consistent state.
Rotates the vPDB and auxiliary CDB master encryption keys by generating new keys that are unique to the vPDB/auxiliary CDB and not associated with the source PDB or CDB.
Exports only the newly generated keys to an exported keyfile to enable unplug.
Finalizes the state of the auxiliary database and unplugs the vPDB datafiles.
Imports the vPDB key from the exported keyfile into the target keystore.
When provisioning to a vCDB target, converts the auxiliary CDB into the final vCDB and creates the vCDB keystore from the auxCDB keystore.
Opens the keystore on each node.
Plugs the vPDB into the target database, and opens it in read-write mode on the same target instance used for recovery.
Spawns start jobs to open the vPDB in read-write mode on the remaining target instances.
All the same information needed for a single instance TDE-enabled vPDB provision is also required for a cluster TDE-enabled vPDB provision, specifically the target keystore password, parent keystore path and password, and encryption secret. The keystores root path is required for a cluster provision.
Shared storage for keystores
In a cluster database, the database files are on shared storage, which is accessible from all instances in the cluster. If the database is encrypted, then the keystore file itself is also located on the operating system. Oracle recommends that the keystore also be on shared storage, on a different disk from the database files. If the keystore is not on shared storage, then it must be copied to all instances in the cluster after any changes, such as importing a key or generating a new key. Similarly, Delphix recommends that the parent keystore specified for the provision also be on shared storage. If not, then the same file must be copied to all of the instances before the vPDB is first provisioned, and any updates to the parent keystore must also be copied to all of the instances before any vPDB refresh or rewind.
As the autologin wallet is located in the same location as the password-based keystore, it should also be on shared storage. For this reason, local_autologin
wallets will not work properly, as they will be accessed from multiple nodes in the cluster.
When provisioning to a new vCDB in a cluster target, the path provided for Target vCDB TDE Keystore location must be on shared storage and available to all cluster hosts.
keystores root path requirements
The artifact directory for a given vPDB is created under the keystores root. As a subsequent operation on the vPDB may choose a different instance than the one used for the initial provision, the artifact directory needs to be accessible from all instances in the cluster. Delphix requires that the keystores root be specified for a TDE-enabled vPDB provision to a cluster target, and furthermore that it be located on shared storage. The engine will validate that this is the case before proceeding with the initial provision.