Wednesday, December 22, 2021

Restoring OKV in the Oracle Cloud to manage your encrypted databases

This is the third of a multi-part blog series walking through how to copy your TDE-encrypted on-premises Oracle Database to an OCI instance in the Oracle Cloud. This post focuses on how to restore OKV (Oracle Key Vault) into an instance in OCI to manage your encryption keys and support restoring an encrypted database.



The first part of this series went through how to migrate a database from on-premises to an instance in the cloud using the Oracle Database Cloud Backup Module. You can find it here.

The second part of this series went through how to back up OKV to an immutable OCI bucket leveraging ZFSSA. You can find it here.

I will add to this by restoring from my OKV backup into the Oracle Cloud (OCI), and then restoring my database.


I am going to skip over how to migrate my database to OKV. If you are starting at the beginning (a small database with no encryption), the steps to get to this post are:

  1. Create a new database for testing.
  2. Implement Advanced Security (TDE) which is covered in my post here.
  3. Migrating from a local wallet to OKV which is covered in my post here.
  4. Back up your database to an OCI bucket, encrypted and compressed.
At this point my database (ocitest) is using my on-premises OKV environment, and I have backups of both my database and OKV in Object Storage in the Oracle Cloud.


Create a ZFS Image in OCI to restore OKV from Object Store.


Log into OCI (you can do this with the 30-day trial) and create a new instance using the ZFS image. Below you can see that this image is found under "Oracle images".


Select this image, upload your SSH public key, and create the new instance.

There are a couple of great step-by-step guides to help you get started with the ZFS image in OCI.
I am not going to go through the process, as those two documents are extremely thorough and give you the detail needed to configure ZFS with attached storage within OCI.

Create an OKV Image in OCI to restore OKV from Object Store.


The next step to restore OKV is to create an OKV image in OCI. At this point it is CRITICAL to create an image that is the same version as the source OKV backup. As of writing this post I am on 21.2, so I will create a 21.2 instance in OCI.


Again there is great documentation on how to go through this process. You need to create a "SYSADMIN" user; since the users within OKV get replaced when the backup is restored, this user will only be used temporarily. Below are the links to start with.
NOTE:
  • Always deploy the same version in OCI as the backup you are restoring from.
  • The command when first logging into the image to configure it may be different from the video, but the login screen will give you clear instructions.

Configure ZFS as a backup location for OKV


At this point, following my last blog post (found here), go through the same series of steps in OCI to configure OKV to use ZFS as a backup location that were done to configure the original backups:
  • Create the user on the ZFS image to own the backups
  • Log into OKV and save the "public key" for Authentication.
  • Configure SFTP on the ZFS image, and add the "Public Key" for the new user.
  • Configure the OCI Object Store on the ZFS image as a "cloud target" pointing to the same bucket you had written to.
  • Create a new project on the ZFS image with the OKV backup owner as the owner of the project.
  • Configure protocols on the new project to ensure that "SFTP" is read/write.
The steps NOT yet completed are:
  • Creating a share within the project
  • Creating a backup location within OKV.

Restore the share to the ZFS image in OCI


Now we are ready to restore the backup from the OCI bucket to a share on the ZFS image.
On the ZFS image, navigate to "SERVICES" => "Cloud", and within "Cloud" click on the "Backups" tab. This tab lists the ZFS backups that have been sent to the target.
Find the backup you want, and click on the circular arrow to restore it.


This brings up a popup window where you choose where to restore the backup to. Choose the project you previously created (with the OKV backup user as owner and the "SFTP" protocol enabled), give the share a name, and click on "APPLY".


Once you click on "APPLY" you will see a status popup telling you when it has completed.


When it completes the restore, take note of the share name, and you can configure OKV to restore from this share.

Restore the OKV backup in OCI


Now return to the OKV image in OCI, and navigate to "System" => "Backup and Restore" and create a new backup location, like we had done to create the original backup.
This time enter information for the ZFS image in OCI, and include the destination as "/export/{restored share name}".

Once this is configured click on the "Restore" button, and it will bring up a list of backups that are available to restore from the ZFS share.

Choose the backup you want to use (the backup time will help narrow it down). Click on "Restore" and it will bring up a popup window to enter the "Recovery Passphrase". Enter the passphrase set when OKV was originally installed in your data center, and click on "Restore".

NOTE: The backup is encrypted using the "Recovery Passphrase", and it is critical that you have the original passphrase available to complete this step. Keep it somewhere other than alongside the backup itself (a separate secret store or escrow procedure); a backup whose passphrase is lost cannot be restored, and a backup stored together with its passphrase is only as protected as the bucket.


When the restore starts, you will see a message, and OKV will not be available until the restore process completes.


Re-enroll your database in OCI

Once OKV is restored, the users from the backup replace the users you created in the temporary OKV install. The only items that are kept are:
  • root
  • support
  • "recovery passphrase"
Within OCI where you are restoring your database, you will configure the database environment to start the restore process.  I started by creating a pfile, and some of the directories needed.

audit_file_dest='/u01/app/oracle/admin/ocitest/adump'
audit_trail='db'
compatible='19.0.0'
control_files='/u01/app/oracle/oradata/OCITEST/controlfile/o1_mf_jo6q53rf_.ctl'
db_block_size=8192
db_create_file_dest='/u01/app/oracle/oradata'
db_name='ocitest'
db_recovery_file_dest='/u01/app/oracle/fast_recovery_area'
db_recovery_file_dest_size=32212254720
diagnostic_dest='/u01/app/oracle'
enable_pluggable_database=true
pga_aggregate_target=1547m
processes=300
sga_target=4638m
# OKV is the primary keystore; FILE allows a local wallet under WALLET_ROOT as a fallback
tde_configuration='KEYSTORE_CONFIGURATION=OKV|FILE'
undo_tablespace='UNDOTBS1'
# the okvclient.jar install for this database goes under WALLET_ROOT/okv
wallet_root='/u01/app/wallets/ocitest'

NOTE: Since you need OKV to decrypt the RMAN backup of the controlfile, you must ensure the pfile contains "WALLET_ROOT" and "TDE_CONFIGURATION" before the instance is started; without them the keystore cannot be opened in NOMOUNT and the controlfile restore fails.

Within OKV I re-enrolled the endpoint for my database, then downloaded and installed "okvclient.jar" into the "WALLET_ROOT"/okv location.
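Before running the restore, it is worth checking the preconditions from this section in one place: the OKV version in OCI matches the backup, the pfile sets WALLET_ROOT and a TDE_CONFIGURATION that selects OKV, and okvclient.jar is installed under WALLET_ROOT/okv. The POSIX shell script below is an added example, not code from the original post. The parameter names and the WALLET_ROOT/okv/okvclient.jar path come from the post; the version strings, the temporary directory layout and the sample pfile it writes are constructed for illustration, and the world-readability check on WALLET_ROOT/okv is my own addition (that directory holds the endpoint's OKV client files, including its credentials, so it should not be readable by other users).

```sh
#!/bin/sh
# Preflight checks for the OKV-backed RMAN restore (added example).
# Nothing here talks to a database or to OKV; it only inspects the pfile,
# the filesystem and two version strings supplied by the operator.

# pfile_get FILE PARAM: print the value of PARAM from an Oracle pfile,
# matching the name case-insensitively (last occurrence wins, as in a
# pfile) and stripping the surrounding quotes. Returns 1 if not set.
pfile_get() {
    _line=$(grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1)
    [ -n "$_line" ] || return 1
    printf '%s\n' "$_line" | sed -e 's/^[^=]*=[[:space:]]*//' \
                                 -e "s/^'//" -e "s/'[[:space:]]*$//"
}

# okv_versions_match SRC TGT: a backup can only be restored into an OKV of
# the same version, so require the two version strings to be identical.
okv_versions_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# world_accessible PATH: succeed if any "other" permission bit is set
# (columns 8-10 of the ls -ld mode string, portable across ls variants).
world_accessible() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        *[rwx]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# preflight PFILE SRC_VER TGT_VER: run every check, print each failure,
# and return the number of failures (0 means ready to start the restore).
preflight() {
    _pfile=$1; _src=$2; _tgt=$3; _fail=0

    okv_versions_match "$_src" "$_tgt" || {
        echo "FAIL: OKV version mismatch (backup $_src, OCI instance $_tgt)"
        _fail=$((_fail + 1)); }

    _wr=$(pfile_get "$_pfile" wallet_root) || {
        echo "FAIL: WALLET_ROOT is not set in $_pfile"
        _fail=$((_fail + 1)); }

    _tde=$(pfile_get "$_pfile" tde_configuration) || _tde=""
    case "$_tde" in
        *KEYSTORE_CONFIGURATION=OKV*) ;;
        *) echo "FAIL: TDE_CONFIGURATION does not select OKV (got '$_tde')"
           _fail=$((_fail + 1)) ;;
    esac

    if [ -n "$_wr" ]; then
        [ -f "$_wr/okv/okvclient.jar" ] || {
            echo "FAIL: $_wr/okv/okvclient.jar missing; re-enroll the endpoint and install it"
            _fail=$((_fail + 1)); }
        if [ -d "$_wr/okv" ] && world_accessible "$_wr/okv"; then
            echo "FAIL: $_wr/okv is world-accessible; it holds the endpoint's OKV client files"
            _fail=$((_fail + 1))
        fi
    fi
    return $_fail
}

# write_fixture DIR: build a constructed WALLET_ROOT and a minimal pfile
# under DIR so the checks can be exercised without a database.
write_fixture() {
    mkdir -p "$1/wallets/ocitest/okv"
    chmod 700 "$1/wallets/ocitest/okv"
    : > "$1/wallets/ocitest/okv/okvclient.jar"   # placeholder for the real jar
    cat > "$1/initocitest.ora" <<EOF
db_name='ocitest'
compatible='19.0.0'
tde_configuration='KEYSTORE_CONFIGURATION=OKV|FILE'
wallet_root='$1/wallets/ocitest'
EOF
}

# Stand-alone demonstration on the constructed fixture.
_demo=$(mktemp -d)
write_fixture "$_demo"
if preflight "$_demo/initocitest.ora" 21.2.0.0.0 21.2.0.0.0; then
    echo "preflight OK: safe to start the restore"
fi
# The same pfile against a 21.3 OKV instance is rejected.
preflight "$_demo/initocitest.ora" 21.2.0.0.0 21.3.0.0.0 \
    || echo "preflight rejected the mismatched OKV version"
rm -rf "$_demo"
```

Run it against the real pfile and the two OKV versions (from the backup's source system and from the OCI instance's login banner) before starting the instance; every FAIL line names the step in this post that fixes it.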

Now to restore my database, I can use a script like the one below to:
  • Startup nomount
  • Open the wallet pointing to my keys in OKV
  • Set the DBID
  • Allocate the channel
  • Restore the controlfile
  • Mount the database.



#!/bin/sh
# Step 1: start the instance NOMOUNT from the pfile and open the OKV keystore,
# so RMAN can decrypt the controlfile autobackup.
sqlplus / as sysdba <<'EOF'
startup nomount;
-- the endpoint password chosen when the database was enrolled in OKV
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "0KV2021!";
exit
EOF

# Step 2: identify the database by DBID, allocate a channel through the OCI
# backup module, restore the controlfile from its autobackup, and mount.
rman target / <<'EOF'
set dbid=301925655;
run {
  allocate channel c1 type 'SBT_TAPE'
    parms 'SBT_LIBRARY=/home/oracle/ociconfig/lib/libopc.so,SBT_PARMS=(OPC_PFILE=/home/oracle/ociconfig/config/ocitestbackup.ora)';
  restore controlfile from autobackup;
  release channel c1;
}
alter database mount;
exit
EOF
Once mounted, I can follow the normal steps to restore my database, and my encryption keys are available. The backup information for my OCI bucket is in my controlfile. Note that the OKV endpoint password appears in cleartext in a script like this; keep the script readable only by the oracle user and out of shell history, and remove it once the restore is complete.
