Provisioning a VDB from an Encrypted Oracle Database
Delphix Administration / Oracle Environments and Data Sources / Provisioning VDBs from Oracle, Oracle RAC, and Oracle PDB Sources / Provisioning a VDB from an Encrypted Oracle Database

This topic describes how to provision a VDB from an encrypted database.

This topic does not apply to vPDBs.

The Delphix Engine supports provisioning from a dSource linked to a physical database that has been encrypted with Oracle's Transparent Database Encryption (TDE), which can be used to encrypt columns or tablespaces.

Provisioning a VDB from an encrypted dSource requires that you have an auto-open wallet set up in the target environment, because the provisioning process requires the master key stored in the wallet file. You can either set up an auto-open wallet for the source database and copy the auto-open wallet files (both ewallet.p12 and cwallet.sso) to the target environment, or first copy the encryption wallet file (ewallet.p12) to the target environment, and then generate an auto-open wallet from the encryption wallet file.

When provisioning a VDB from an encrypted dSource, if the target environment has other databases that also use TDE, each database should use a different wallet. Please check Oracle documentation on how to set up different wallet locations for different databases. For example, you can use $ORACLE_SID in the DIRECTORY clause of the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora:

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/wallets/$ORACLE_SID)))

Procedure

  1. Check for any encrypted columns or tablespaces on the source database by using these commands:

    SELECT t.name name, e.encryptionalg algorithm FROM v$tablespace t, v$encrypted_tablespaces e

WHERE t.ts# = e.ts# and upper(e.encryptedts) = 'YES';

  2. Copy wallet files from the source database to the target environment, and then configure the sqlnet.ora file on the target to point to the directory where the wallet is located. 

    $ more sqlnet.ora

ENCRYPTION_WALLET_LOCATION=(SOURCE(METHOD=file) (METHOD_DATA=(DIRECTORY=/opt/oracle/oradata/nf/wallet)))

  3. If the source database does not use auto-open wallet, create the auto-open wallet at the target environment. 

    $ orapki wallet create -wallet /opt/oracle/oradata/nf/wallet -auto_login [-pwd password]

  4. Proceed with provisioning the VDB as described in Provisioning an Oracle VDB.