The provision itself is executed within the context of the environment user specified during the provision. This user does not have to be the Oracle user, and in fact, often is not. The Delphix user must be a member of the oracle group. During a TDE-enabled vPDB provision, the parent keystore is merged from a user-specified location to a location under the keystores root directory. The Delphix user does this copy via the ADMINISTER KEY MANAGEMENT command. Since the Oracle user will do this, the Oracle user must also be able to create files in the wallet location.
The privilege requirements are satisfied by ensuring that the parent keystore has group read privileges, and the keystores root directory (owned by the Delphix user) has group write privileges.
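The requirements above (group membership, group read on the parent keystore, and a keystores root directory owned by the Delphix user with group write) can be checked on the host before provisioning. The following shell check is an added example, not Delphix tooling; the function names and the argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-provision permission check (function names are hypothetical).

# Octal group-permission digit (0-7) of a path; fails if the path is missing.
group_digit() {
    [ -e "$1" ] || return 1
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    echo $(( (m % 100) / 10 ))
}

# Parent keystore: the group read bit must be set.
has_group_read() { d=$(group_digit "$1") && [ $(( d & 4 )) -ne 0 ]; }

# Keystores root: creating files in a directory needs group write AND search (x).
has_group_write() { d=$(group_digit "$1") && [ -d "$1" ] && [ $(( d & 3 )) -eq 3 ]; }

# True if USER ($1) is a member of GROUP ($2).
in_group() { id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"; }

# Owner name of a path, taken from ls -ld.
owner_of() { ls -ld "$1" 2>/dev/null | awk '{print $3}'; }

# check_tde_perms PARENT_KEYSTORE KEYSTORES_ROOT DELPHIX_USER ORACLE_GROUP
check_tde_perms() {
    rc=0
    in_group "$3" "$4" || { echo "FAIL: user $3 is not in group $4"; rc=1; }
    has_group_read "$1" || { echo "FAIL: no group read on $1"; rc=1; }
    [ "$(owner_of "$2")" = "$3" ] || { echo "FAIL: $2 is not owned by $3"; rc=1; }
    has_group_write "$2" || { echo "FAIL: no group write on $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: keystore permissions satisfy the requirements"
    return "$rc"
}
```

Call `check_tde_perms` with the parent keystore path, the keystores root directory, the Delphix environment user and the oracle group name; it prints one FAIL line per unmet requirement and returns non-zero if any is unmet.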
Applicable only for OKV
If TDE is configured using sqlnet.ora for a database version of Oracle 18c or higher and provisioning to a vCDB, it is crucial to ensure that the Delphix Continuous Data Engine user has the necessary access to create a directory under WALLET_ROOT. This is because Delphix Continuous Data Engine attempts to configure the virtual Container Database (vCDB) using the WALLET_ROOT initialization parameter. In the case of Oracle Key Vault, the location of WALLET_ROOT is fixed, specifically the parent directory of