Monday, May 10, 2021

Configuring ExaCC backups of an Oracle Database

This post covers how to configure your backups of an ExaCC database beyond the web interface. 


First off, the documentation can be found at the links below; the "--help" option of "bkup_api" at the command line is also useful.

Configuration - https://docs.oracle.com/en/cloud/cloud-at-customer/exadata-cloud-at-customer/exacc/customize-backup-configuration-using-bkup_api.html

Backup execution - https://docs.oracle.com/en/cloud/cloud-at-customer/exadata-cloud-at-customer/exacc/create-demand-backup.html#GUID-2370EA04-3141-4D02-B328-5EE9A10F66F2



    Step #1 - Configure backup settings in ExaCC

    The first step is to configure my database to be backed up using the tooling. This is pretty straightforward. I click on the "edit backup" button, fill in the information for my database and save it. In my case I am backing up to ZFS, so I need to make sure that I change the container to the one where the ZFS storage is configured.

    NOTE : The backup strategy is a Weekly L0 (full) backup every Sunday, and a daily L1 (differential incremental backup) on all other days. The time the backup is scheduled can be found in either the backup settings, or by looking at the crontab file.



    Then I just wait until the status shows complete. If I click on the work requests, I can see the progress until it's finished.



    Step #2 - Update the settings to use my RMAN catalog.

    First I need to get what the current settings are for my database (dbsg2) and save them in a config file so I can update them.

    I log into the first node, and su to root.
    Once there I execute "get config --all" and save all the settings to a file that I can update.

    NOTE : I am creating a new file under the bkup_api/cfg directory to make it easy to find.

    $ sudo su -
    Last login: Thu May  6 11:43:46 PDT 2021 on pts/0
    [root@ecc ~]## /var/opt/oracle/bkup_api/bkup_api get config --all --file=/var/opt/oracle/bkup_api/cfg/dbsg2.cfg --dbname dbsg2
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : get_config
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_92303612_20210506125612.006275.log
    File /var/opt/oracle/bkup_api/cfg/dbsg2.cfg created
    
    

    Now I am going to edit it and make some changes.

    I changed the RMAN catalog settings to use my catalog.
    NOTE: The entry has to be the connect string, not a tnsnames.ora entry.

    #### This section is applicable when using a rman catalog ####
    # Enables RMAN catalog. Can be set to yes or no.
    bkup_use_rcat=yes
    
    ## Below parameters are required if rman catalog is enabled
    # RMAN catalog user
    bkup_rcat_user=rco
    
    
    # RMAN catalog password
    #bkup_rcat_passwd=RMan19c#_
    
    # RMAN catalog conn string
    bkup_rcat_conn=ecc-scan.bgrenn.com:1521:rmanpdb.bgrenn.com
    
    
    

    Now I am going to commit (set) the changes using the "set config" command
    # /var/opt/oracle/bkup_api/bkup_api set config --file=/var/opt/oracle/bkup_api/cfg/dbsg2.cfg --dbname dbsg2 
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : set_config
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_b800281f_20210506130824.084259.log
    cfgfile : /var/opt/oracle/bkup_api/cfg/dbsg2.cfg
    Using configuration file: /var/opt/oracle/bkup_api/cfg/dbsg2.cfg
    API::Parameters validated.
    UUID d0845ea0aea611eb98fb52540068a695 for this set_config(configure-backup)
    ** process started with PID: 86143
    ** see log file for monitor progress
    -------------------------------------
    
    


    And after a few minutes, I am going to check and make sure it was successful by using the configure_status command

    
    /var/opt/oracle/bkup_api/bkup_api configure_status --dbname dbsg2
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : configure_status
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_fa81558e_20210507060019.504831.log
    * Last registered operation: 2021-05-07 12:58:41 UTC 
    * Configure backup status: finished
    **************************************************
    * API History: API steps
      API:: NEW PROCESS 120531
    *
    * RETURN CODE:0
    ##################################################
    
    
    Everything looks good!  It removed my configuration file (which is good, because it had the password in it).
    I found that two things happened as part of adding an RMAN catalog:
    1. The password for the RMAN catalog user is now stored in the wallet file.
    2. There is an entry in my tnsnames file on all nodes for "CATALOG" which points to the RMAN catalog.

    NOTE: Part of this process is to register the database with the RMAN catalog, so you do not have to register it manually.
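    Scripting the edit above, as an added example that is not part of the original post or of Oracle's bkup_api tooling: the file written by "get config" holds the catalog password in clear text until "set config" deletes it, so this helper creates the file with mode 0600 from the start, and it refuses a bkup_rcat_conn value that is not a host:port:service connect string (a tnsnames.ora alias is not accepted, per the note above). The function names, the sample config text and the catalog host name are assumptions; the parameter names are the ones shown in the config file above.

```python
import os
import re
import stat

# host:port:service, the form bkup_api expects for bkup_rcat_conn; a bare
# tnsnames.ora alias such as RMANCAT has no colons and is rejected.
CONN_RE = re.compile(r'^[A-Za-z0-9.\-]+:\d{1,5}:[A-Za-z0-9.\-_]+$')

# Keys this helper manages; any other bkup_rcat_* line is left untouched.
RCAT_KEYS = ('bkup_use_rcat', 'bkup_rcat_user', 'bkup_rcat_passwd', 'bkup_rcat_conn')


def set_rcat_params(cfg_text, user, password, conn):
    """Return cfg_text with the four RMAN catalog parameters set.

    Existing definitions (commented out or not) are replaced in place,
    duplicate definitions are dropped, and keys the file does not define
    are appended. Raises ValueError if conn is not a connect string.
    """
    if not CONN_RE.match(conn):
        raise ValueError(f'bkup_rcat_conn must be host:port:service, got {conn!r}')
    wanted = dict(zip(RCAT_KEYS, ('yes', user, password, conn)))
    key_re = re.compile(r'^#?\s*(bkup_use_rcat|bkup_rcat_\w+)\s*=')
    out, seen = [], set()
    for line in cfg_text.splitlines():
        m = key_re.match(line)
        if m and m.group(1) in wanted:
            key = m.group(1)
            if key in seen:
                continue                  # drop a second definition of the same key
            seen.add(key)
            out.append(f'{key}={wanted[key]}')
        else:
            out.append(line)
    for key in RCAT_KEYS:                 # append keys the file did not define at all
        if key not in seen:
            out.append(f'{key}={wanted[key]}')
    return '\n'.join(out) + '\n'


def write_private(path, text):
    """Write text to path so that only the owner can read it.

    os.open with an explicit 0600 mode avoids the window in which a file
    created by open() inherits the umask and is only chmod'ed afterwards.
    Returns the resulting permission bits so the caller can verify them.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as fh:
        fh.write(text)
    os.chmod(path, 0o600)                 # in case the file already existed with wider bits
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample of the catalog section as "get config --all" writes it
# (catalog disabled, password line commented out); not real bkup_api output.
SAMPLE_CFG = """\
#### This section is applicable when using a rman catalog ####
# Enables RMAN catalog. Can be set to yes or no.
bkup_use_rcat=no

## Below parameters are required if rman catalog is enabled
# RMAN catalog user
bkup_rcat_user=

# RMAN catalog password
#bkup_rcat_passwd=

# RMAN catalog conn string
bkup_rcat_conn=
"""

if __name__ == '__main__':
    import tempfile
    updated = set_rcat_params(SAMPLE_CFG, 'rco', 'example-password',
                              'ecc-scan.example.com:1521:rmanpdb.example.com')
    cfg_path = os.path.join(tempfile.mkdtemp(), 'dbsg2.cfg')   # assumed path
    print(oct(write_private(cfg_path, updated)), cfg_path)
    print(updated)
```

    After running "set config" with the written file, confirm the tooling really deleted it (as it did above); if the file is still there, remove it yourself rather than leaving a catalog password on disk.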

    Step #3 - Take a manual backup

    Now, logged in as opc and becoming root, I can run a special (on-demand) backup using bkup_api.


    # /var/opt/oracle/bkup_api/bkup_api bkup_start --dbname=dbsg2
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : bkup_start
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_9458c30f_20210510084341.430481.log
    UUID 7f6622f8b1a611eb865552540068a695 for this backup
    ** process started with PID: 336757
    ** see log file for monitor progress
    -------------------------------------
    
    

    I can see the status while it's running

    /var/opt/oracle/bkup_api/bkup_api bkup_status --dbname=dbsg2
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : bkup_status
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_46545e6f_20210510084812.014419.log
    (' Warning: unable to get current configuration of:', 'catalog')
    * Current backup settings:
    * Last registered Bkup: 05-10 15:44 UTC API::336757:: Starting dbaas backup process
    * Bkup state: running
    **************************************************
    * API History: API steps
      API:: NEW PROCESS 336757
      API:: Starting dbaas backup process
    *
    * RETURN CODE:0
    ##################################################
    
    

    After a few minutes I can see it was successful.

    # /var/opt/oracle/bkup_api/bkup_api bkup_status --dbname=dbsg2
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : bkup_status
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_8acd03e3_20210510085129.207757.log
    (' Warning: unable to get current configuration of:', 'catalog')
    * Current backup settings:
    * Last registered Bkup: 05-10 15:44 UTC API::336757:: Starting dbaas backup process
    * Bkup state: running
    **************************************************
    * API History: API steps
      API:: NEW PROCESS 336757
      API:: Starting dbaas backup process
    *************************************************
    * Backup steps
     -> 2021-05-10 08:44:20.651787 - API:: invoked with args : -dbname=dbsg2 -uuid=7f6622f8b1a611eb865552540068a695 -level1 
     -> 2021-05-10 08:44:23.458698 - API:: Wallet is in open AUTOLOGIN state
     -> 2021-05-10 08:44:24.204793 - API:: Oracle database state is up and running
     -> 2021-05-10 08:44:25.686134 - API:: CATALOG SETTINGS 
     -> 2021-05-10 08:45:19.767284 - API:: DB instance: dbsg2
     -> 2021-05-10 08:45:19.767424 - API:: Validating the backup repository ...... 
     -> 2021-05-10 08:46:38.263401 - API::      All backup pieces are ok
     -> 2021-05-10 08:46:38.263584 - API:: Validating the TDE wallet ...... 
     -> 2021-05-10 08:46:41.842706 - API:: TDE check successful.
     -> 2021-05-10 08:46:42.446560 - API:: Performing incremental backup to shared storage
     -> 2021-05-10 08:46:42.448228 - API:: Executing rman instructions
     -> 2021-05-10 08:49:21.161884 - API:: ....... OK
     -> 2021-05-10 08:49:21.162089 - API:: Incremental backup to shared storage is Completed
     -> 2021-05-10 08:49:21.163822 - API:: Starting backup of config files
     -> 2021-05-10 08:49:21.699197 - API:: Determining the oracle database id
     -> 2021-05-10 08:49:21.726308 - API::  DBID: 2005517379
     -> 2021-05-10 08:49:22.040891 - API:: Creating directories to store config files
     -> 2021-05-10 08:49:22.085476 - API:: Enabling RAC exclusions for config files.
     -> 2021-05-10 08:49:22.114211 - API:: Compressing config files into tar files
     -> 2021-05-10 08:49:22.173842 - API:: Uploading config files to NFS location
     -> 2021-05-10 08:49:22.222493 - API:: Removing temporary location /var/opt/oracle/log/dbsg2/obkup/7f6622f8b1a611eb865552540068a695.
     -> 2021-05-10 08:49:22.224071 - API:: Config files backup ended successfully
     -> 2021-05-10 08:49:26.052494 - API:: All requested tasks are completed
    *
    * RETURN CODE:0
    ##################################################
    
    


    Step #4 - Check my periodic backups


    Now it's been a few days (I started on Thursday and it's now Monday).
    I am going to check on the incremental backups, and the archive log backups.

    There are two ways I can do this.

    Using the bkup_api command to list the backups that have run.

    # /var/opt/oracle/bkup_api/bkup_api list --dbname=dbsg2
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : list
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_eddcd4e1_20210510064145.497707.log
    -> Listing all backups
      Backup Tag             Completion Date (UTC)            Type          keep    
    ----------------------   -----------------------      -----------    --------
       TAG20210506T123203     05/06/2021 19:32:03       full        False
       TAG20210506T131438     05/06/2021 20:14:38       incremental        False
       TAG20210507T012240     05/07/2021 08:22:40       incremental        False
       TAG20210508T012315     05/08/2021 08:23:15       incremental        False
       TAG20210509T012438     05/09/2021 08:24:38       full        False
       TAG20210510T012322     05/10/2021 08:23:22       incremental        False
    
    

    Using the RMAN catalog

    Backup Type         Encrypted Tag                                Backup Piece                                                 Backup Time           Day Of Week
    -------------------- --------- --------------------------------- ------------------------------------------------------------ -------------------- --------------------
    Full L0              YES       DBAAS_FULL_BACKUP20210506122626     /backup/dbaas_bkup_DBSG2_2005517379_0dvu5rp2_13_1          05/06/21 12:29:32    THURSDAY
    Differential L1      YES       DBAAS_INCR_BACKUP20210506131110     /backup/dbaas_bkup_DBSG2_2005517379_2avu5ud1_74_1          05/06/21 13:14:18    THURSDAY
    Differential L1      YES       DBAAS_INCR_BACKUP20210507011926     /backup/dbaas_bkup_DBSG2_2005517379_72vu792b_226_1         05/07/21 01:22:27    FRIDAY
    Differential L1      YES       DBAAS_INCR_BACKUP20210508011939     /backup/dbaas_bkup_DBSG2_2005517379_lbvu9tf3_683_1         05/08/21 01:22:51    SATURDAY
    Full L0              YES       DBAAS_FULL_BACKUP20210509011940     /backup/dbaas_bkup_DBSG2_2005517379_u3vuchr8_963_1         05/09/21 01:22:59    SUNDAY
    Differential L1      YES       DBAAS_INCR_BACKUP20210510011940     /backup/dbaas_bkup_DBSG2_2005517379_6rvuf672_1243_1        05/10/21 01:22:49    MONDAY
    
    
    

    NOTE: I can see that a periodic L1 (differential) backup is executed at 1:22 AM every day except Sunday, when a full backup is executed.

    Now to look at archive log backups -- I am going to show a subset.

    Again I can use the bkup_api "list_jobs" command and see all the backup jobs that have been run (which include archive logs).


    # /var/opt/oracle/bkup_api/bkup_api list_jobs --dbname dbsg2 | more
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : list_jobs
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_b2532724_20210510070545.552300.log
    UUID                             | DATE                | STATUS  | TAG                 | ACTION              
    e7ad1ef6aea011eb9c8252540068a695 | 2021-05-06 19:26:23 | success | TAG20210506T123203  | create-backup-full  
    03616d68aea211eba5aa52540068a695 | 2021-05-06 19:34:12 | success | TAG20210506T123516  | archivelog-backup   
    33fae162aea611eba0ed52540068a695 | 2021-05-06 20:04:12 | success | TAG20210506T130518  | archivelog-backup   
    267c21daaea711eb9d3852540068a695 | 2021-05-06 20:11:07 | success | TAG20210506T131438  | create-backup-incremental
    650fd222aeaa11ebb58652540068a695 | 2021-05-06 20:34:12 | success | TAG20210506T133516  | archivelog-backup   
    961831e4aeae11ebb0d452540068a695 | 2021-05-06 21:04:11 | success | TAG20210506T140517  | archivelog-backup   
    c6919f28aeb211eb957e52540068a695 | 2021-05-06 21:34:12 | success | TAG20210506T143518  | archivelog-backup   
    f7ce0d0caeb611eb97c552540068a695 | 2021-05-06 22:04:12 | success | TAG20210506T150522  | archivelog-backup   
    286e8ea6aebb11eb864c52540068a695 | 2021-05-06 22:34:11 | success | TAG20210506T153516  | archivelog-backup   
    598f77eeaebf11eb92c052540068a695 | 2021-05-06 23:04:11 | success | TAG20210506T160518  | archivelog-backup   
    89f4919aaec311eb9a9452540068a695 | 2021-05-06 23:34:11 | success | TAG20210506T163516  | archivelog-backup   
    bb5ba95eaec711ebb1ed52540068a695 | 2021-05-07 00:04:11 | success | TAG20210506T170518  | archivelog-backup   
     
    
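    As an added example (not from the original post or the bkup_api tooling), a small Python checker for the list_jobs output: it flags any job whose STATUS is not "success" and any interval between consecutive successful archivelog-backup jobs longer than bkup_archlog_frequency plus a tolerance, which is the window of redo that would be lost if the database were destroyed right now. The sample is modeled on the output above with the 21:04 run removed and the 22:04 run marked "failed"; the "failed" status string and the function names are assumptions.

```python
from datetime import datetime, timedelta


def parse_list_jobs(text):
    """Parse the 'UUID | DATE | STATUS | TAG | ACTION' rows of bkup_api list_jobs."""
    jobs = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split('|')]
        if len(parts) != 5:
            continue                      # banner, log-file and blank lines
        try:
            when = datetime.strptime(parts[1], '%Y-%m-%d %H:%M:%S')
        except ValueError:
            continue                      # the column header row
        jobs.append({'uuid': parts[0], 'when': when, 'status': parts[2],
                     'tag': parts[3], 'action': parts[4]})
    return jobs


def check_jobs(jobs, archlog_frequency_min, tolerance_min=5):
    """Return findings: non-successful jobs, then gaps between successful
    archivelog backups longer than the configured frequency plus tolerance.

    Failed runs are excluded from the cadence calculation because a failed
    sweep leaves the redo since the previous successful one unprotected.
    An empty list means nothing failed and archive logs were swept on schedule.
    """
    findings = []
    ordered = sorted(jobs, key=lambda j: j['when'])
    for j in ordered:
        if j['status'] != 'success':
            findings.append(f"{j['when']:%Y-%m-%d %H:%M} {j['action']} "
                            f"{j['uuid']} status={j['status']}")
    arch_ok = [j for j in ordered
               if j['action'] == 'archivelog-backup' and j['status'] == 'success']
    limit = timedelta(minutes=archlog_frequency_min + tolerance_min)
    for prev, cur in zip(arch_ok, arch_ok[1:]):
        gap = cur['when'] - prev['when']
        if gap > limit:
            findings.append(f"gap of {round(gap.total_seconds() / 60)} min between "
                            f"archivelog backups at {prev['when']:%H:%M} "
                            f"and {cur['when']:%H:%M}")
    return findings


# Constructed sample modeled on the list_jobs output above: the 21:04 run is
# missing and the 22:04 run is marked failed (status string assumed).
SAMPLE_LIST_JOBS = """\
DBaaS Backup API V1.5 @2021 Multi-Oracle home
-> Action : list_jobs
UUID                             | DATE                | STATUS  | TAG                 | ACTION
e7ad1ef6aea011eb9c8252540068a695 | 2021-05-06 19:26:23 | success | TAG20210506T123203  | create-backup-full
03616d68aea211eba5aa52540068a695 | 2021-05-06 19:34:12 | success | TAG20210506T123516  | archivelog-backup
33fae162aea611eba0ed52540068a695 | 2021-05-06 20:04:12 | success | TAG20210506T130518  | archivelog-backup
267c21daaea711eb9d3852540068a695 | 2021-05-06 20:11:07 | success | TAG20210506T131438  | create-backup-incremental
650fd222aeaa11ebb58652540068a695 | 2021-05-06 20:34:12 | success | TAG20210506T133516  | archivelog-backup
c6919f28aeb211eb957e52540068a695 | 2021-05-06 21:34:12 | success | TAG20210506T143518  | archivelog-backup
f7ce0d0caeb611eb97c552540068a695 | 2021-05-06 22:04:12 | failed  | TAG20210506T150522  | archivelog-backup
286e8ea6aebb11eb864c52540068a695 | 2021-05-06 22:34:11 | success | TAG20210506T153516  | archivelog-backup
598f77eeaebf11eb92c052540068a695 | 2021-05-06 23:04:11 | success | TAG20210506T160518  | archivelog-backup
"""

if __name__ == '__main__':
    for finding in check_jobs(parse_list_jobs(SAMPLE_LIST_JOBS), archlog_frequency_min=30):
        print(finding)
```

    In practice the input is `bkup_api list_jobs --dbname=<db>` piped into the script, with the frequency read from the bkup_archlog_frequency value in the config file rather than hard-coded.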

    Step #5 - On demand backups 

    Now that I have my database configured, I am going to demonstrate some of the options you can add to your backup.

    I am going to create a keep backup and give it a tag using bkup_start

    $ /var/opt/oracle/bkup_api/bkup_api bkup_start --dbname=dbsg2 --keep --tag=Maymonthlybackup
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : bkup_start
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_7d923417_20210507113940.052080.log
    UUID 958a58beaf6311eba98a52540068a695 for this backup
    ** process started with PID: 262102
    ** see log file for monitor progress
    -------------------------------------
    
    

    Now to list it.

    $ /var/opt/oracle/bkup_api/bkup_api list --dbname dbsg2 --keep
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : list
    -> logfile: /var/opt/oracle/log/dbsg2/bkup_api_log/bkup_api_19714a18_20210507114254.007083.log
    -> Listing all backups
      Backup Tag                           Completion Date (UTC)      Type          keep    
    ----------------------                 -----------------------   -----------    --------
       Maymonthlybackup20210507T113125     05/07/2021 18:31:25       keep-forever   True
    
    

    Step #6 - Restore my database


    The last thing I'm going to do with my database is restore it to a previous point in time.

    Below is what you see in the console.
    NOTE - If you choose a specific time, it is interpreted as UTC.


    I pick a time to restore to, and click on the 'Restore Database' option. I can follow the process by looking at 'Workload Requests'.




    Step #7 - Validating backups


    A great feature of the command-line tool is the ability to validate backups that have been taken.  This is easy to do with the 'bkup_api reval_start' command.

    I started the validation for my database dbbsg and saved the UUID to monitor it.

    # /var/opt/oracle/bkup_api/bkup_api reval_start --dbname=dbbsg
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    -> Action : reval_start
    -> logfile: /var/opt/oracle/log/dbbsg/bkup_api_log/bkup_api_d0647aa8_20210511032638.300613.log
    UUID 5f204c4cb24311eb887252540068a695 for restore validation
    ** process started with PID: 15281
    ** Backup Request uuid     : 5f204c4cb24311eb887252540068a695
    
    

    Now to monitor it using the uuid until it's done, and I can see it completed successfully.

    # /var/opt/oracle/bkup_api/bkup_api --uuid=5f204c4cb24311eb887252540068a695 --dbname=dbbsg
    DBaaS Backup API V1.5 @2021 Multi-Oracle home
    @ STARTING CHECK STATUS 5f204c4cb24311eb887252540068a695
    [ REQUEST TICKET ]
    [UUID    ->  5f204c4cb24311eb887252540068a695 
    [DBNAME  ->  dbbsg 
    [STATE   ->  success 
    [ACTION  ->  start-restore-validate 
    [STARTED ->  2021-05-11 10:26:39 UTC 
    [ENDED   ->  2021-05-11 10:28:00 UTC 
    [PID     ->  15281 
    [TAG     ->  None 
    [PCT     ->  0.0 
    [LOG     ->  2021-05-11 03:26:39.780830 - API:: invoked with args : -dbname=dbbsg -reval=default  
    [LOG     ->  2021-05-11 03:26:42.324669 - API:: Wallet is in open AUTOLOGIN state 
    [LOG     ->  2021-05-11 03:26:42.996885 - API:: Oracle database state is up and running 
    [LOG     ->  2021-05-11 03:28:00.857565 - API:: ....... OK 
    [LOG     ->  2021-05-11 03:28:00.857645 - API:: Restore Validation is Completed 
    [ END TICKET ]
    
    

    Step #8 - Restoring/listing backups with the API

    There are many options for restoring with the API, either the whole "database" (the CDB and all of its PDBs) or just a specific PDB.

    Below are some of the commands that help with this.
    NOTE: All commands are executed using "bkup_api" from /var/opt/oracle/bkup_api as "oracle".


    Command           Options      Description
    ----------------  -----------  -----------------------------------------------------------------------
    bkup_start                     Start a new special (on-demand) backup now
    bkup_start        --keep       Create a keep backup
    bkup_start        --level0     Perform a new full level 0 backup
    bkup_start        --level1     Perform a new level 1 incremental backup
    bkup_start        --cron       Create an incremental backup through cron
    bkup_chkcfg                    Verify that backups have been configured
    bkup_status                    Show the status of the most recent backup
    list                           Show the list of the most recent backups
    reval_start                    Start a restore validation of datafiles
    archreval_start                Start a restore validation of archive logs
    recover_start     --latest     Recover from the latest backup
    recover_start     --scn        Recover to an SCN
    recover_start     --b          Recover using a specific backup tag and defuzzy using the following archive logs
    recover_start     -t           Recover to a time. Specify --nonutc to use a non-UTC timestamp
    recover_status                 Show the status of the most recent recover of this database


    With recovery you can also recover just a single PDB:
    • --pdb={pdbname} - Recover just a single PDB
    You can also specify whether the config files should be restored:
    • --cfgfiles - Restore the configuration files (controlfiles, spfiles etc.) along with the database files.

    Step #9 - Configuration changes

    You can execute "bkup_api get config --dbname={dbname}" to create a file containing the current configuration.  In that file you can see the other settings you can change.
    Below is what I see using the version available at the time of writing.

    Config Parameter            Settings      Description
    --------------------------  ------------  ----------------------------------------------------------------
    bkup_cron_entry             yes/no        Enable/disable automatic backups
    bkup_archlog_cron_entry     yes/no        Enable automatic archive log cleanup when not using the tooling
    bkup_cfg_files              yes/no        Enable backup of config files
    bkup_daily_time             hh24:mi       Time to execute the daily backup
    bkup_archlog_frequency      15,20,30...   How many minutes apart to execute archive log backups
    bkup_disk                   yes/no        Back up to the FRA
    bkup_disk_recovery_window   1-14          Recovery window of the FRA
    bkup_oss_xxx                              Backup settings when backing up to Object Store in Public Cloud
    bkup_zdlra_xx                             Backup settings when backing up to a ZDLRA
    bkup_nfs_xxx                              Backup settings when backing up to NFS
    bkup_set_section_size       yes/no        Set to yes to override the default section size
    bkup_section_size                         Value overriding the default section size
    bkup_channels_node          xx            Number of channels to be used by RMAN
    bkup_use_rcat               yes/no        Whether an RMAN catalog is used
    bkup_rcat_xxx                             RMAN catalog settings

    Step #10 - Scheduled backups


    Backups are scheduled in the crontab on the first node of the cluster. You can view the schedule by executing "sudo su -" to become root and looking at the /etc/crontab file.
    Below is what is there for my database (dbsg2)

    # Example of job definition:
    # .---------------- minute (0 - 59)
    # |  .------------- hour (0 - 23)
    # |  |  .---------- day of month (1 - 31)
    # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
    # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # |  |  |  |  |
    # *  *  *  *  * user-name  command to be executed
    
    15 * * * * oracle /var/opt/oracle/misc/backup_db_wallets.pl
    15 * * * * oracle /var/opt/oracle/dbaascli/dbaascli tde backup --alldb
    19 1 * * * oracle /var/opt/oracle/bkup_api/bkup_api bkup_start --cron --dbname=dbsg2
    4,34 * * * * oracle /var/opt/oracle/bkup_api/bkup_api bkup_archlogs --cron --dbname=dbsg2
    
    
    The jobs that are scheduled are:

    1. backup_db_wallets.pl - Runs once an hour, at 15 minutes past the hour (the crontab entry is "15 * * * *", not every 15 minutes).  This script goes through the list of databases (regardless of whether database backups have been turned on) and makes a copy of the SEPS wallet file in the backup location, with the current date/time appended to the name. The old copy is removed, so only one backup copy exists.

    The following two settings in my configuration file (/var/opt/oracle/creg/dbsg2.ini) are used as the source location of the wallet and the location for the backup:

     wallet_loc=/var/opt/oracle/dbaas_acfs/dbsg2/db_wallet
     wallet_loc_bak=/u02/app/oracle/admin/dbsg2/db_wallet

    NOTE: This wallet is used for storing user credentials and is an autologin wallet.
    I can see the credentials stored. In my case they are the "sys" password and the password for "rco". If I were using OSS (object store), my login credential would be stored in this wallet, and if I backed up to a ZDLRA, this wallet would contain my connection to the ZDLRA(s) I was backing up to.
    2: CATALOG rco
    1: dbsg2 sys

    2. /var/opt/oracle/dbaascli/dbaascli tde backup --alldb - Also runs once an hour, at 15 minutes past the hour.  This goes through the list of databases (regardless of whether database backups have been turned on) and makes a copy of the TDE wallet file under the $ORACLE_BASE directory.
    The location is $ORACLE_BASE/{db_name}/tde_wallet/tde/

    The output from this script is in /var/opt/oracle/log/misc/backup

    3. /var/opt/oracle/bkup_api/bkup_api bkup_start --cron --dbname={mydb} - Runs daily at 1:19 AM.  The time is determined by the "bkup_daily_time" parameter in the bkup_api configuration.  This is the same API that is called to perform an on-demand backup from the command line, with the addition of the '--cron' parameter.

    4. /var/opt/oracle/bkup_api/bkup_api bkup_archlogs --cron --dbname={mydb} - Runs every 30 minutes (at 4 and 34 minutes past the hour), based on the 'bkup_archlog_frequency' setting in the bkup_api configuration. This backs up my archive logs to the backup location.
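    An added example, not part of the original post: a Python audit of the crontab against the bkup_api configuration. Disabling or thinning out these entries is a quiet way to make backups stop (a common precursor to ransomware), so the check confirms that the bkup_start --cron line for the database is present, not commented out, owned by oracle and scheduled daily at bkup_daily_time, and that the bkup_archlogs line fires every bkup_archlog_frequency minutes. The sample crontab is the one shown above; the tampered copy, the function names and the "01:19" value for bkup_daily_time are assumptions.

```python
import re

CRON_FIELDS = 7   # minute hour day-of-month month day-of-week user command


def _job_lines(crontab_text):
    """Yield (commented, fields) for each /etc/crontab job line, including
    lines that have been commented out; the legend and env lines are skipped."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        commented = line.startswith('#')
        fields = line.lstrip('#').strip().split(None, CRON_FIELDS - 1)
        if len(fields) == CRON_FIELDS and re.fullmatch(r'[\d*,/-]+', fields[0]):
            yield commented, fields


def audit_backup_crontab(crontab_text, dbname, daily_time, archlog_frequency_min):
    """Return a list of findings; empty means the crontab matches the config."""
    findings = []
    daily = archlog = None
    for commented, f in _job_lines(crontab_text):
        if f'--dbname={dbname}' not in f[6]:
            continue
        if 'bkup_api bkup_start --cron' in f[6]:
            daily = (commented, f)
        elif 'bkup_api bkup_archlogs' in f[6]:
            archlog = (commented, f)

    want_h, want_m = (int(x) for x in daily_time.split(':'))
    if daily is None:
        findings.append(f'{dbname}: no bkup_start --cron entry')
    elif daily[0]:
        findings.append(f'{dbname}: bkup_start --cron entry is commented out')
    else:
        minute, hour, dom, mon, dow, user, _ = daily[1]
        if (dom, mon, dow) != ('*', '*', '*') or not (minute.isdigit() and hour.isdigit()):
            findings.append(f'{dbname}: daily backup is not scheduled at a fixed time every day')
        elif (int(hour), int(minute)) != (want_h, want_m):
            findings.append(f'{dbname}: daily backup runs at {int(hour):02d}:{int(minute):02d}, '
                            f'bkup_daily_time is {daily_time}')
        if user != 'oracle':
            findings.append(f'{dbname}: daily backup runs as {user}, expected oracle')

    if archlog is None:
        findings.append(f'{dbname}: no bkup_archlogs entry')
    elif archlog[0]:
        findings.append(f'{dbname}: bkup_archlogs entry is commented out')
    else:
        minute, hour, dom, mon, dow, user, _ = archlog[1]
        minutes = (sorted(int(m) for m in minute.split(','))
                   if re.fullmatch(r'\d+(,\d+)*', minute) else [])
        # gaps between firings inside the hour plus the wrap-around gap into the next hour
        gaps = [b - a for a, b in zip(minutes, minutes[1:])]
        gaps += [60 - minutes[-1] + minutes[0]] if minutes else []
        if (hour, dom, mon, dow) != ('*', '*', '*', '*') or not gaps \
                or any(g != archlog_frequency_min for g in gaps):
            findings.append(f'{dbname}: archive log backups fire at minute(s) {minute}, '
                            f'bkup_archlog_frequency is {archlog_frequency_min}')
        if user != 'oracle':
            findings.append(f'{dbname}: archive log backup runs as {user}, expected oracle')
    return findings


# The crontab shown above (legend line kept to show it is ignored).
SAMPLE_CRONTAB = """\
# *  *  *  *  * user-name  command to be executed
15 * * * * oracle /var/opt/oracle/misc/backup_db_wallets.pl
15 * * * * oracle /var/opt/oracle/dbaascli/dbaascli tde backup --alldb
19 1 * * * oracle /var/opt/oracle/bkup_api/bkup_api bkup_start --cron --dbname=dbsg2
4,34 * * * * oracle /var/opt/oracle/bkup_api/bkup_api bkup_archlogs --cron --dbname=dbsg2
"""

# Constructed tampered copy: daily backup disabled, archive log sweep cut to hourly.
TAMPERED_CRONTAB = (SAMPLE_CRONTAB
                    .replace('19 1 * * * oracle', '#19 1 * * * oracle')
                    .replace('4,34 * * * *', '4 * * * *'))

if __name__ == '__main__':
    for text in (SAMPLE_CRONTAB, TAMPERED_CRONTAB):
        print(audit_backup_crontab(text, 'dbsg2', '01:19', 30) or ['ok'])
```

    Run it from a monitoring host with a copy of /etc/crontab from the first node and the two values from `bkup_api get config`; a non-empty result is worth an alert, since the tooling itself only reports on backups that actually ran.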

    Friday, April 23, 2021

    Enrolling my ExaCC RAC database using REST APIs

     This post continues the process of automating the enrollment of my RAC database using the OKV REST API and some automation scripts. The steps to create the scripts are in my previous post.



    NOTE: These steps are specific to ExaCC.  If you want to learn about configuring OKV with Autonomous Database (ADB) when using ExaCC, the product manager, Peter Wahl, has a great blog post on this topic.  He also has videos as part of the "Ask Tom" series if you want to learn more about OKV 21c, or about OKV in general.

    The first step is to download the zip file I created in the previous post. I downloaded it onto the first DB host in my RAC cluster.  I unzipped it into /home/oracle/okv.

    Below is what I am starting with.

    .
     |-lib
     | |-okvrestcli.jar
     |-bin
     |-conf
     | |-okvrestcli_logging.properties
     | |-okvrestcli.ini
     | |-ewallet.p12.lck
     | |-ewallet.p12
     | |-cwallet.sso.lck
     | |-cwallet.sso
     | |-okvclient.ora
     |-setenv.sh
     |-run-me.sh
    
    

    STEP #1 - Set the environment

    First I am going to set my environment to the database instance I want to configure (jckey1), and then I am going to source the environment for my OKV install.


    [oracle@exacc1]$ cd /home/oracle/okv
    [oracle@exacc1]$ . oraenv
    ORACLE_SID = [jckey1] ? jckey1
    The Oracle base remains unchanged with value /u02/app/oracle
    [oracle@exacc1]$ . ./setenv.sh
     
     
    create environment variables OKV_RESTCLI_HOME and OKC_RESTCLI_CONFIG  
     
    $OKV_RESTCLI_HOME    :  /home/oracle/okv 
    $OKV_RESTCLI_CONFIG  :  /home/oracle/okv/conf/okvrestcli.ini 
     
    Adding $OKV_RESTCLI_BIN to the $PATH  
    
    
    

    STEP #2 - Execute the enrollment creation script

    The next step is to execute the run-me.sh that I created in the previous post. This will create the enrollment script. At the end of the output you will see the script it creates (okv-ep.sh).

    NOTE: It will default to my DBNAME for the wallet name.

    [oracle@exacc1]$ ./run-me.sh
    executing script with $OKV_RESTCLI_HOME=/home/oracle/okv
    DB Name is identified as jckey and ORACLE_SID is set to jckey1 setting
    Press enter to keep this default [jckey], or enter the DB Name
    DB Name [enter for Default] :
    Using DB Name : jckey
    #!/bin/bash
    mkdir -pv /u02/app/oracle/admin/jckey/wallet
    mkdir -pv /u02/app/oracle/admin/jckey/wallet/okv
    okv manage-access wallet create --wallet JCKEY --description "wallet for database JCKEY" --unique FALSE
    okv admin endpoint create --endpoint JCKEY1_on_exacc1 --description "exacc11, 10.136.106.36" --type ORACLE_DB --platform LINUX64 --unique FALSE
    okv manage-access wallet set-default --wallet JCKEY --endpoint JCKEY1_on_exacc1
    expect << _EOF
    set timeout 120
    spawn okv admin endpoint provision --endpoint JCKEY1_on_exacc1 --location /u02/app/oracle/admin/jckey/wallet/okv --auto-login FALSE
    expect "Enter Oracle Key Vault endpoint password: "
    send "change-on-install\r"
    expect eof
    _EOF

    STEP #2 (continued) - Execute the enrollment script

    [oracle@exacc1]$ ./okv-ep.sh
    {
      "result" : "Success"
    }
    {
      "result" : "Success"
    }
    {
      "result" : "Success"
    }
    spawn okv admin endpoint provision --endpoint JCKEY1_on_exacc1 --location /u02/app/oracle/admin/jckey/wallet/okv --auto-login FALSE
    Enter Oracle Key Vault endpoint password: 
    {
      "result" : "Success",
      "value" : {
        "javaHome" : "/u02/app/oracle/product/19.0.0.0/dbhome_8/jdk"
      }
    }
    
    

    STEP #3 - We can verify what the enrollment script did

     

    I am first going to look under $ORACLE_BASE/admin/$DBNAME/wallet where it placed the okv client.
    [oracle@exacc1]$ pwd
    /u02/app/oracle/admin/jckey/wallet
    [oracle@exacc1]$ find . | sed -e "s/[^-][^\/]*\// |/g" -e "s/|\([^ ]\)/|-\1/"
    .
      |-okv
     | |-bin
     | | |-okveps.x64
     | | |-okvutil
     | | |-root.sh
     | |-ssl
     | | |-ewallet.p12
     | |-csdk
     | | |-lib
     | | | |-liborasdk.so
     | |-jlib
     | | |-okvutil.jar
     | |-conf
     | | |-okvclient.ora
     | | |-logging.properties
     | | |-okvclient.lck
     | |-lib
     | | |-liborapkcs.so
     | |-log
     | | |-okvutil.deploy.log
    
    
    

    Now I am going to verify in OKV and I can see the wallet got created for my database.

    And I am going to look at the endpoint, and verify the default wallet is set.


    STEP #4 Execute root.sh (only if this is the first install on this host).


    I execute the root.sh script in the okv/bin directory as root.

    [root@exacc1]# ./root.sh
    Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
    Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
    Setting PKCS library file permissions
    Installation successful.
    
    

    STEP #5 - Verify we can contact the OKV server


    The next step is to execute the okvutil list command to verify we can contact the OKV host, and that the default wallet is configured.

    [oracle@exacc1]$ ./okvutil list
    Enter Oracle Key Vault endpoint password: 
    Unique ID                               Type            Identifier
    9E8BD892-D799-44B7-8289-94447E7ACC54    Template    Default template for JCKEY1_ON_ECC5C2N1
    
    

    STEP #6 - change the OKV endpoint password 

    [oracle@exacc1]$ /u02/app/oracle/admin/jckey/wallet/okv/bin/okvutil changepwd -t wallet -l /u02/app/oracle/admin/jckey/wallet/okv/ssl/
    Enter wallet password: change-on-install
    Enter new wallet password: {my new password}
    Confirm new wallet password:  {my new password}
    Wallet password changed successfully
    
    

    STEP #7 Install the client and change the password on all nodes.


    I followed the steps above on the other 3 nodes to install the client and change the password.

    STEP #8 Upload the keys from the wallet file.

    I uploaded the keys from the shared wallet files on ACFS.
    [oracle@exacc1]$ /u02/app/oracle/admin/jckey/wallet/okv/bin/okvutil upload -t wallet -l /var/opt/oracle/dbaas_acfs/jckey/wallet_root/tde -v 2 -g JCKEY
    okvutil version 21.1.0.0.0
    Endpoint type: Oracle Database
    Configuration file: /u02/app/oracle/admin/jckey/wallet/okv/conf/okvclient.ora
    Server: 10.136.102.243:5696 
    Standby Servers: 
    Uploading from /acfs01/dbaas_acfs/jckey/wallet_root/tde
    Enter source wallet password: 
    Enter Oracle Key Vault endpoint password: 
    ORACLE.SECURITY.DB.ENCRYPTION.Ab8Sv6Ezs08fv9Sy7/zZB8oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.KM.ENCRYPTION.Ab8Sv6Ezs08fv9Sy7/zZB8oAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.KB.ENCRYPTION.
    ORACLE.SECURITY.ID.ENCRYPTION.
    ORACLE.SECURITY.KM.ENCRYPTION.ATQdCFHhVk9Yv7er6uZtDf8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.ATQdCFHhVk9Yv7er6uZtDf8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.BFF45EC14E46013BE053246A880A5564
    ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
    
    Uploaded 2 TDE keys
    Uploaded 0 SEPS entries
    Uploaded 0 other secrets
    Uploaded 4 opaque objects
    
    Uploading private persona
    Uploading certificate request
    Uploading trust points
    
    Uploaded 1 private keys
    Uploaded 1 certificate requests
    Uploaded 0 user certificates
    Uploaded 0 trust points
    
    Upload succeeded
    

    STEP #9 Copy current wallet, and add OKV credentials.

    Now copy the current wallet files (from the ACFS location) to a tde directory next to the OKV client install.
     In my case, since my OKV client is installed in $ORACLE_BASE/admin/jckey/wallet (which will be the WALLET_ROOT), the tde directory under it will be the file location for wallets.
    I am also adding my password credentials to the local wallet.

    NOTE: "OKV_PASSWORD" is used to open the wallet. "HSM_PASSWORD" is used to access the OKV server(s).


    mkdir /u02/app/oracle/admin/jckey/wallet/tde_seps
    mkdir /u02/app/oracle/admin/jckey/wallet/tde
    cp /var/opt/oracle/dbaas_acfs/jckey/wallet_root/tde/* /u02/app/oracle/admin/jckey/wallet/tde/.
    ADMINISTER KEY MANAGEMENT ADD SECRET 'Welcome1+' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/u02/app/oracle/admin/jckey/wallet/tde_seps';
    ADMINISTER KEY MANAGEMENT ADD SECRET 'Welcome1+' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/u02/app/oracle/admin/jckey/wallet/tde';
    
    

    STEP # 10 Change the WALLET_ROOT

    Since WALLET_ROOT can only be changed with a restart, I am going to shut down all instances in the cluster and perform the next few steps on the first node only.

    SQL> alter system set WALLET_ROOT='/u02/app/oracle/admin/jckey/wallet' scope=spfile;
    
    System altered.
    
    SQL> shutdown immediate
    startup mount;
    ORA-01109: database not open
    
    
    Database dismounted.
    ORACLE instance shut down.
    SQL> alter system set tde_configuration='KEYSTORE_CONFIGURATION=OKV|FILE' scope=both;
    
    SQL> select b.name pdb_name, wrl_type,
      2         wrl_parameter,
      3         status, wallet_type,
      4         keystore_mode,
      5         fully_backed_up
      6  from v$encryption_wallet a, v$containers b
      7  where a.con_id = b.con_id(+);
    
    PDB Name   Type   WRL_PARAMETER                            Status               WALLET_TYPE   KEYSTORE   Backed Up
    ---------- ------ ---------------------------------------- -------------------- ------------- ---------- ---------
    CDB$ROOT   FILE   /u02/app/oracle/admin/jckey/wallet/tde/  OPEN                 AUTOLOGIN     NONE       YES
    CDB$ROOT   OKV                                             OPEN_NO_MASTER_KEY   OKV           NONE       UNDEFINED
    PDB$SEED   FILE                                            OPEN                 AUTOLOGIN     UNITED     YES
    PDB$SEED   OKV                                             OPEN_NO_MASTER_KEY   OKV           UNITED     UNDEFINED
    JCKPDB     FILE                                            OPEN                 AUTOLOGIN     UNITED     YES
    JCKPDB     OKV                                             OPEN_NO_MASTER_KEY   OKV           UNITED     UNDEFINED
    
    SQL> shutdown immediate
    startup ;
    
    
    

    STEP # 11 Combine the local wallet File and OKV. 

      Next I need to migrate the keys using the local wallet. Note this will rekey the database.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "-okv key" MIGRATE USING "-local wallet key-" WITH BACKUP;

    STEP # 12 Restart the instance and make sure the wallets are open.

    
    PDB Name   Type       WRL_PARAMETER                              Status              WALLET_TYPE     KEYSTORE Backed Up
    ---------- ---------- -------------------------------            ------------------- --------------- --------- ----------
    CDB$ROOT   FILE       /u02/app/oracle/admin/jckey/wallet/tde/    OPEN                AUTOLOGIN       NONE     YES
    CDB$ROOT   OKV                                                   OPEN                OKV             NONE     UNDEFINED
    PDB$SEED   FILE                                                  OPEN                AUTOLOGIN       UNITED   YES
    PDB$SEED   OKV                                                   OPEN                OKV             UNITED   UNDEFINED
    JCKPDB     FILE                                                  OPEN                AUTOLOGIN       UNITED   YES
    JCKPDB     OKV                                                   OPEN                OKV             UNITED   UNDEFINED
    
    
    

    STEP # 13 rebuild the local wallet with the password

    I deleted the original wallet files from the "tde" and "tde_seps" directories and recreated them using the exact same steps from step #9. The only addition is that I needed to create the wallet first.

    
    ADMINISTER KEY MANAGEMENT ADD SECRET 'Welcome1+' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/u02/app/oracle/admin/jckey/wallet/tde_seps';
    ADMINISTER KEY MANAGEMENT ADD SECRET 'Welcome1+' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/u02/app/oracle/admin/jckey/wallet/tde';
    
    
    I then executed the same commands to create the wallets, in the same location, on all the nodes in the cluster.

    STEP # 14 - Bounce the database.

    I bounced the database and made sure the wallet was open on all 4 nodes. Done.



    INST_ID    PDB Name Type  WRL_PARAMETER                           Status               WALLET_TYPE   KEYSTORE Backed Up
    -------- ---------- ----- ----------------------------------------  ------------------ -------------- -------- ---------
    1        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    2        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    3        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    4        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    1        PDB$SEED   OKV                                             OPEN               OKV            UNITED   UNDEFINED
    2        PDB$SEED   OKV                                             OPEN               OKV            UNITED   UNDEFINED
    3        PDB$SEED   OKV                                             OPEN               OKV            UNITED   UNDEFINED
    4        PDB$SEED   OKV                                             OPEN               OKV            UNITED   UNDEFINED
    1        JCKPDB     OKV                                             OPEN               OKV            UNITED   UNDEFINED
    2        JCKPDB     OKV                                             OPEN               OKV            UNITED   UNDEFINED
    3        JCKPDB     OKV                                             OPEN               OKV            UNITED   UNDEFINED
    4        JCKPDB     OKV                                             OPEN               OKV            UNITED   UNDEFINED
    1        PDB$SEED   FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    1        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
    2        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
    3        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
    4        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
    1        PDB$SEED   FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    2        PDB$SEED   FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    3        PDB$SEED   FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    4        PDB$SEED   FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    1        JCKPDB     FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    2        JCKPDB     FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    3        JCKPDB     FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    4        JCKPDB     FILE                                            OPEN_NO_MASTER_KEY AUTOLOGIN      UNITED   UNDEFINED
    
    
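    The "make sure the wallet is open on all nodes" check from step #14, written as a script. This is an added example and not part of the post: it reads a copy of the gv$encryption_wallet report in the layout printed above (the report below is constructed, not the author's output) and treats any OKV row that is not OPEN, any FILE row that is CLOSED, or a missing instance as a failure. A FILE row showing OPEN_NO_MASTER_KEY is accepted, since after the migration the master keys live in OKV. It assumes the post's column order, with Status, WALLET_TYPE, KEYSTORE and Backed Up as the last four columns, because WRL_PARAMETER is empty for OKV rows.

```sh
#!/bin/sh
# Added example (not from the post): verify that the OKV keystore is OPEN on
# every instance after the migration, from a saved gv$encryption_wallet report.

# Constructed sample in the post's column layout: 4 instances, keys migrated to OKV.
sample_report() {
    cat <<'EOF'
    INST_ID    PDB Name Type  WRL_PARAMETER                           Status               WALLET_TYPE   KEYSTORE Backed Up
    -------- ---------- ----- ----------------------------------------  ------------------ -------------- -------- ---------
    1        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    2        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    3        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    4        CDB$ROOT   OKV                                             OPEN               OKV            NONE     UNDEFINED
    1        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
    2        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
    3        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
    4        CDB$ROOT   FILE  /u02/app/oracle/admin/jckey/wallet/tde/   OPEN_NO_MASTER_KEY AUTOLOGIN      NONE     UNDEFINED
EOF
}

# check_wallet_report <expected instance count>
# Reads the report on stdin, prints one line per problem, returns 1 on any problem.
# Status is taken as the 4th field from the end because WRL_PARAMETER may be blank.
check_wallet_report() {
    awk -v want="${1:-1}" '
        $1 ~ /^[0-9]+$/ && $3 ~ /^(FILE|OKV|HSM)$/ {
            inst = $1; pdb = $2; type = $3; status = $(NF-3)
            if (type == "OKV") {
                if (status != "OPEN") {
                    printf "inst %s %s: OKV keystore is %s, expected OPEN\n", inst, pdb, status; bad++
                } else if (!(inst in seen)) {
                    seen[inst] = 1; cnt++
                }
            } else if (status != "OPEN" && status != "OPEN_NO_MASTER_KEY") {
                printf "inst %s %s: %s keystore is %s\n", inst, pdb, type, status; bad++
            }
        }
        END {
            if (cnt < want) {
                printf "only %d of %d instances report an OPEN OKV keystore\n", cnt, want; bad++
            }
            exit (bad > 0)
        }'
}

# Usage on the live system would be:  sqlplus -s / as sysdba @wallet_status.sql | check_wallet_report 4
sample_report | check_wallet_report 4 && echo "OKV keystore open on all 4 instances"
```

    Pipe the real output of the query into check_wallet_report with the number of instances in the cluster; a non-zero exit means at least one instance would fail to read encrypted data after the bounce.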


    That's all there is to it. I now have my ExaCC database configured to use OKV as the key store, with autologin to the wallet on all instances!

    Thursday, April 22, 2021

    Configuring OKV automation using REST APIs

     This post will go through the process of creating a few simple scripts to automate OKV installation using the REST API capability of OKV.


    NOTE: This information was provided by the product manager Peter Wahl, who has a great blog on the features of OKV and some great "Ask Tom" sessions on OKV (and other security pieces) that you can watch to learn more.


    Step #1 Configure RESTful Services and download client tool

    First you need to configure the OKV server for RESTful Services. The instructions can be found here. This is done by navigating to the System tab and clicking on RESTful Services.
    It is recommended that you only enable the RESTful services when you are actively onboarding new endpoints.


    This brings up the window below.



    There are three things you want to do from this window.
    1. Click on the "Enable" box to enable RESTful services.
    2. Download okvrestclipackage.zip, which contains the client utilities.
    3. Save this setting to enable RESTful services.
    Now that we have this file, we need to download it to our client and start creating the scripts to automate this process.

    I downloaded the zip file to my DB host to configure it. I unzipped it in /home/oracle/okv/rest

    NOTE: you can also download it directly from the OKV hosts by using any of the commands below.



    Step #2 Create a user for the restapi steps

    I create a new user in OKV called "restapi"; you can see its permissions below. Before using the new user, you must log in and change the password, because the password is expired by default when a new user is created.






    Step #3 unzip and configure the client tool 


    I unzipped the client tool into my home directory on a DB server so I can put together the automation scripts. In my case I unzipped it into /home/oracle/okv/rest. This creates 3 subdirectories. I am going to format the output using this command.




    Below is what the output looks like

    .
     |-lib
     | |-okvrestcli.jar
     |-bin
     | |-okv.bat
     | |-okv
     |-conf
     | |-okvrestcli.ini
     | |-okvrestcli_logging.properties
    
    

    Step #4 - Set the environment for the CLI

    In order to configure OKV, I am going to need some variables set in my environment. I can do this manually, but in my case I decided to create a "setenv.sh" script that sets the variables and adds the OKV script to my path so it can be executed. I also included the ability to pass a parameter (ORACLE_SID) so that the script can be used in a loop across multiple instances on the same host.
    The 3 main variables I will be using are:

    OKV_RESTCLI_HOME - Location of the scripts that I am going to be installing. If I source the setenv.sh script, it will set the home to this location.

    OKV_RESTCLI_CONFIG - Name of the configuration file that contains the rest CLI configuration.

    OKV_HOME - Location to install OKV for the current instance.  This location is $ORACLE_BASE/admin/${DB_UNIQUE_NAME}/okv_home.  This follows the standard for ExaCC.


    NOTE: If this is a NEW database

    If you want to use these steps to configure OKV on a new database, you need to perform the following steps prior to executing ". ./setenv.sh".
    1. Add the new $ORACLE_SID for the host in the "/etc/oratab" file.
    2. Create the directory "mkdir $ORACLE_BASE/admin/{DB Unique Name}"
    3. Create the directory "mkdir -p $ORACLE_BASE/diag/rdbms/${DB Unique Name}/${ORACLE_SID}"
    4. Use ". oraenv" to set the environment to this $ORACLE_SID



    Step #5 - Set initialization parameters in okvrestcli.ini file


    Next, I am going to configure the initialization parameters. These are found in the okvrestcli.ini file.
    You can see that the file contains a "[Default]" profile and a few other example profiles. We will start with the default profile. In this we are going to set a few of the properties.

    LOG_PROPERTY - Location of the logging properties. Default location is ./conf directory.

    SERVER - IP address (or DNS) of one or more OKV hosts 

    OKV_CLIENT_CONFIG - Location of the config file. Default location is the ./conf directory.

    USER - OKV user that has authority to administer endpoints and wallets. In this case it will be the restapi user that I created.

    PASSWORD - Password for the user, or location of the wallet containing the password. I am NOT going to use this, as I am going to use a wallet file.

    CLIENT_WALLET - I am going to use a wallet to store the password, and this is the location of the wallet file. I will be creating the autologin wallet later.

     

    Below is what my "[Default]" configuration looks like after my changes; the file is located at $OKV_RESTCLI_HOME/conf/okvrestcli.ini. I am going to use the environment variables I set in the setenv.sh script.

    NOTE: I am choosing to store my password in a wallet rather than in clear text in the .ini file.

    You need to change the server to either the server name or the IP address.
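    An added example of the [Default] profile described above, written by a script so the values come from the setenv.sh environment, together with a check for the weak setting the NOTE warns about (a clear-text password in the .ini instead of a client wallet). This is not the author's file: the key names are assumed to be the lowercase ones used in the sample okvrestcli.ini shipped in the client package, and the server name is a placeholder.

```sh
#!/bin/sh
# Added example, not the blog author's okvrestcli.ini: generate the [Default]
# profile from the environment and refuse one that stores the password in clear text.

# write_okvrestcli_ini <file> <okv server name or IP> <okv user> <OKV_RESTCLI_HOME>
# Only the properties the post lists are written; PASSWORD is deliberately left out
# and CLIENT_WALLET points at the autologin wallet created later.
write_okvrestcli_ini() {
    cat > "$1" <<EOF
[Default]
log_property=$4/conf/okvrestcli_logging.properties
server=$2
okv_client_config=$4/conf/okvclient.ora
user=$3
client_wallet=$4/wallet
EOF
}

# check_okvrestcli_ini <file>: 0 only if no password= line is present (any case)
# and a client_wallet= entry names a location, so the CLI authenticates from the wallet.
check_okvrestcli_ini() {
    f=$1
    if grep -Eiq '^[[:space:]]*password[[:space:]]*=' "$f"; then
        echo "$f: clear-text password= entry found; remove it and use client_wallet" >&2
        return 1
    fi
    if ! grep -Eiq '^[[:space:]]*client_wallet[[:space:]]*=[[:space:]]*[^[:space:]]' "$f"; then
        echo "$f: no client_wallet= entry; the CLI would prompt for or lack a password" >&2
        return 1
    fi
    return 0
}

# Example run, using placeholder values (okv.example.internal is not a real host):
#   OKV_RESTCLI_HOME=/home/oracle/okv/rest
#   write_okvrestcli_ini "$OKV_RESTCLI_HOME/conf/okvrestcli.ini" okv.example.internal restapi "$OKV_RESTCLI_HOME"
#   check_okvrestcli_ini "$OKV_RESTCLI_HOME/conf/okvrestcli.ini"
```

    Running the check before the .ini is zipped up and shipped to other hosts (step #9) catches a clear-text OKV password before it is copied around.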


    Step #6 Create the wallet to save the password encrypted

    Since I chose to put my password in a wallet, I now need to create that wallet. Using the instructions in the document (linked to at the beginning of this blog), I execute the command from the directory I installed into (/home/oracle/okv/rest).



    Step #7 Create and execute the run-me.sh script


    The last step is to create the script that will be executed on the host to create the provision script. In my script, I took the default and added some checking. This script will
    • Ensure the variable OKV_RESTCLI_HOME is set before it can be executed.
    • Determine the DB_UNIQUE_NAME from the $ORACLE_BASE/diag/rdbms/*/$ORACLE_SID directory. Solving for the * should give us the DB_UNIQUE_NAME.
    • While executing, tell you what it believes the DB_UNIQUE_NAME is, and give you a chance to change it if it is incorrect.
    • Validate whether the endpoint group exists by accessing OKV. If the endpoint group already exists, it does not try to create it again; if it doesn't exist, it creates the endpoint group.
    • Validate whether the wallet exists by accessing OKV. If the wallet already exists, it does not try to create it again; if it doesn't exist, it creates the wallet.
    • Add the endpoint, add this endpoint to the endpoint group, and assign the wallet to this endpoint.
    • Install the client software in $ORACLE_BASE/admin/$DB_UNIQUE_NAME/okv_home/okv
    Below is the script I am using.
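    As an added example (not the author's setenv.sh or runme.sh, and not the OKV project's code), the checks the two scripts are described as doing in step #4 and step #7, written as shell functions: solving for "*" in $ORACLE_BASE/diag/rdbms/*/$ORACLE_SID to get DB_UNIQUE_NAME, setting the three variables, and creating the endpoint group and wallet only when OKV does not already know them before registering and provisioning the endpoint. The interactive "is this the right DB_UNIQUE_NAME?" prompt is left out so the functions can be used in a loop. Assumptions not taken from the page: the REST CLI is $OKV_RESTCLI_HOME/bin/okv, the 21c subcommand names check-status, create, add-endpoint and set-default, and that every reply is JSON whose success form is {"result" : "Success"} as shown in the step #8 output; the provision flags are the ones in that output.

```sh
#!/bin/sh
# Added example (not the blog's setenv.sh/runme.sh): DB_UNIQUE_NAME discovery,
# environment setup and idempotent OKV endpoint enrollment with the REST CLI.

# Solve for "*" in $ORACLE_BASE/diag/rdbms/*/$ORACLE_SID. Exactly one match is
# required: none means the "NEW database" directories are missing, several means
# the SID is ambiguous on this host and must be resolved by hand.
derive_db_unique_name() {
    base=$1 sid=$2 found=
    for d in "$base"/diag/rdbms/*/"$sid"; do
        [ -d "$d" ] || continue
        n=$(basename "$(dirname "$d")")
        if [ -n "$found" ] && [ "$found" != "$n" ]; then
            echo "ambiguous DB_UNIQUE_NAME for $sid: $found and $n" >&2; return 1
        fi
        found=$n
    done
    [ -n "$found" ] || { echo "no $base/diag/rdbms/*/$sid directory" >&2; return 1; }
    printf '%s\n' "$found"
}

# What ". ./setenv.sh ORACLE_SID" does: set the three variables the post lists and
# put the REST CLI on PATH. ORACLE_BASE must already be set (". oraenv").
okv_setenv() {
    ORACLE_SID=$1
    OKV_RESTCLI_HOME=${OKV_RESTCLI_HOME:-$(pwd)}
    OKV_RESTCLI_CONFIG=$OKV_RESTCLI_HOME/conf/okvrestcli.ini
    DB_UNIQUE_NAME=$(derive_db_unique_name "$ORACLE_BASE" "$ORACLE_SID") || return 1
    OKV_HOME=$ORACLE_BASE/admin/$DB_UNIQUE_NAME/okv_home
    PATH=$OKV_RESTCLI_HOME/bin:$PATH
    export ORACLE_SID OKV_RESTCLI_HOME OKV_RESTCLI_CONFIG DB_UNIQUE_NAME OKV_HOME PATH
}

OKV_CMD=${OKV_CMD:-okv}   # the REST CLI; a test can point this at a stub

okv_succeeded() {         # okv_succeeded "<json reply>"
    printf '%s\n' "$1" | grep -q '"result" *: *"Success"'
}

# okv_ensure <object> <flag> <name>: create an endpoint group or wallet only if
# OKV does not already have it, which is what makes the enrollment safe to re-run.
# (check-status/create subcommand names are assumed from the 21c REST CLI.)
okv_ensure() {
    if okv_succeeded "$("$OKV_CMD" manage-access "$1" check-status "$2" "$3" 2>/dev/null)"; then
        echo "$1 $3 already exists, not recreating" >&2
        return 0
    fi
    okv_succeeded "$("$OKV_CMD" manage-access "$1" create "$2" "$3")"
}

# okv_enroll <endpoint> <endpoint-group> <wallet>: register the endpoint, add it to
# its group, make the wallet its default, then provision the client into $OKV_HOME/okv.
okv_enroll() {
    [ -n "$OKV_RESTCLI_HOME" ] || { echo "source setenv.sh first" >&2; return 1; }
    okv_ensure endpoint-group --endpoint-group "$2" || return 1
    okv_ensure wallet --wallet "$3" || return 1
    okv_succeeded "$("$OKV_CMD" admin endpoint create --endpoint "$1" --type ORACLE_DB --platform LINUX64)" || return 1
    okv_succeeded "$("$OKV_CMD" manage-access endpoint-group add-endpoint --endpoint-group "$2" --endpoint "$1")" || return 1
    okv_succeeded "$("$OKV_CMD" manage-access wallet set-default --wallet "$3" --endpoint "$1")" || return 1
    "$OKV_CMD" admin endpoint provision --endpoint "$1" --location "$OKV_HOME/okv" --auto-login FALSE
}

# When run as ". ./this.sh ORACLE_SID", only set the environment and report it.
if [ $# -gt 0 ]; then
    okv_setenv "$1" || exit 1
    echo "DB_UNIQUE_NAME detected as $DB_UNIQUE_NAME; OKV_HOME=$OKV_HOME"
fi
```

    A typical enrollment would then be okv_enroll "${DB_UNIQUE_NAME}_on_$(hostname -s)" "$DB_UNIQUE_NAME" "$DB_UNIQUE_NAME"; the provision step still prompts for the endpoint password, as in the step #8 output.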




    Step #8 Execute okv-install-${ORACLE_SID}.sh to validate that enrollment works

    [oracle@pmdexa1dbadm01vm01 okv]$ ./okv-ep.sh
    {
      "result" : "Success"
    }
    {
      "result" : "Success"
    }
    {
      "result" : "Success"
    }
    spawn okv admin endpoint provision --endpoint DEMO31_on_pmdexa1dbadm01vm01 --location /u01/app/oracle/admin/demo31/wallet/okv --auto-login FALSE
    Enter Oracle Key Vault endpoint password:
    {
      "result" : "Success"
    }
    
    
    Once I ran it I removed the files that were created for the install.

    Step #9 Zip it all up and place it in a location to be downloaded

    Below are the scripts that will be part of the zip file.

    .
     |-wallet
     | |-ewallet.p12.lck
     | |-ewallet.p12
     | |-cwallet.sso.lck
     | |-cwallet.sso
     |-conf
     | |-okvrestcli_logging.properties
     | |-okvrestcli.ini
     |-setenv.sh
     |-runme.sh
     |-lib
     | |-okvrestcli.jar
     |-bin
     | |-okv
     | |-okv.bat
    

    Now I am ready to download this zip file to my Database Host and enroll a database.

    NOTE: To change the scripts to work on another OKV host, I only had to make 3 changes.
    • Update the okvrestcli.ini file with the OKV host IP
    • Update the okvrestcli.ini file with the user
    • Recreate the wallet file that contains the password for the OKV user

    Step #10 Run root.sh if this is the first on a host

    When a new endpoint is added, a script called root.sh is downloaded into the $OKV_HOME/okv/bin/ directory. This script copies the PKCS library (liborapkcs.so) to a central location on the host, running as root. This file is needed for the database to access OKV. The location of this file differs between operating systems.

    NOTE: If you are already using a key management software on this host for Oracle databases, running root.sh could overwrite the library used. 



    Wednesday, April 7, 2021

    Migrate your TDE wallet to Oracle Key Vault

    How to migrate your local TDE wallet to Oracle Key Vault.




    Here and here are the links to the 21c documentation that I used to go through this process.

    Also, in order to keep up on OKV and new features, the product manager Peter Wahl has a great blog where you can learn about the latest additions to the product and new release information.

    I am assuming that you installed the OKV server cluster by this point.


    NOTE: If you are using the RestAPI method of installing the client, you can go straight to step #6. Be sure you have changed the password using the command below.


    Below are the steps.

    1) Add the database/host to OKV as an endpoint.

    Remember that in OKV each endpoint is unique, but a wallet is shared between endpoints.

    I navigate to the endpoint tab and click on the "Add" button.

    I fill in the information for my database (TDETEST from my previous post). This is the CDB, as I am using a UNITED wallet for all PDBs that are a member of my CDB. Once filled in I click on the "Register" button.




    Once registered, I can see it on the Endpoint screen.  Note the "Enroll Token" column. This is needed to enroll the endpoint itself.  Save this token, as this will be needed by the person who actually enrolls each DB host/Database.



    2) Create wallet in OKV and associate it with the endpoint(s)


    Now that OKV is installed and configured on the client we can create a wallet in OKV to upload the keys into.  I am going to start by logging back into OKV and navigating to the wallets tab and clicking on "Create" to create a new wallet.
    The screen below comes up, and I enter the name of the new wallet to hold the keys for my CDB. I then click on save to save the new wallet.

      




    3) Make this wallet the default wallet for the endpoint



    Now go to the endpoints tab and click on the "endpoint name"





    At this point you want to make this wallet the default wallet for the endpoint.  Click on the "Choose Wallet" button, and it will bring up the window in front. Select the correct wallet and click on save. This will set the default wallet for this endpoint when it is enrolled in the next step.



     
      

    4) Download the OKV client install file


    Now that the database/host is registered in OKV (the combination of the 2 is the endpoint), I need to download the jar file which will configure the setting on the database host.
    The download is initiated by  logging out of the OKV console, and clicking on the "Endpoint Enrollment and Software Download" link on the logon screen. I highlighted it below.

    You might not have noticed this link before! Now click on the link; you don't need to log in for this step. It will bring up the window below, and in that window you will
    • Click on the "Submit Token" button, and it will validate the token
    • Click on "Enroll" to begin the download of the install file. If SMTP was configured, you can also have the software install e-mailed to the endpoint administrator.
    The download file is a jar file called okvclient.jar. It is highly recommended that you rename it because it is specific to this endpoint.



    5) Transfer the .jar file to the database host and install it.

    The prerequisites are in the install guide. The Oracle environment during the install must be set to the database you are configuring ($ORACLE_HOME, $ORACLE_BASE, $ORACLE_SID).

    My target directory is going to be "/home/oracle/app/oracle/admin/tdetest/wallet/okv" and I copied my .jar file to /home/oracle/app/oracle/admin/tdetest  (which I renamed to tdetest_okv.jar). 

    Execute java passing the location of the jar file, followed by -d "install location"

    
    [oracle@oracle-server okvtest]$ java -jar /home/oracle/app/oracle/admin/tdetest/tdetest_okv.jar -d /home/oracle/app/oracle/admin/tdetest/wallet/okv
    Detected JAVA_HOME: /home/oracle/db_19c/jdk
    Enter new Key Vault endpoint password (<enter> for auto-login):
    Confirm new Key Vault endpoint password:
    The endpoint software for Oracle Key Vault installed successfully.
    Deleted the file : /home/oracle/app/oracle/okvfiles/okvtest/okvtest_install.jar
    [oracle@oracle-server okvtest]$


    If this is the first time OKV is being installed on the server, you need to execute the root.sh script (located in the /bin directory within the install location) as root.  If it has already been executed, you can skip this step.

    Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
    Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
    Setting PKCS library file permissions

    Finally, verify that we can connect to OKV by executing "okvutil list". If successful, you will see the "Default template" entry. This script is located in the /bin directory within the install.

    [oracle@oracle-server bin]$ ./okvutil list
    Enter Oracle Key Vault endpoint password:
    Unique ID                               Type            Identifier
    E8C825BB-649C-451E-98B8-E128B675FD31    Template        Default template for TDETEST_PRIMARY_NODE1
    
    
    


    6) Review how OKV connects to the database.

    • WALLET_ROOT is set in the database, and within WALLET_ROOT there is an "/okv" directory where the endpoint software must be installed.
    • On the OS itself, a library is installed (as root if it's not already there) to take care of the encryption. The location on Linux is "/opt/oracle/extapi/64/hsm/oracle"
    • A link is created to a config file for this endpoint. This link is located in $ORACLE_BASE/okv/$DB_UNIQUE_NAME and links to 2 files that were part of the install. okvclient.lck, and okvclient.ora.
        NOTE: okvclient.ora is the configuration file where parameters are set for the endpoint. 

       

    7) Upload the keys from the local wallet into OKV

    Now we upload the keys from the local wallet into OKV.

    The command is
    "okvutil upload -t WALLET -l {wallet location on host} -g {key vault wallet name} -v 2"

    NOTE: the Key Vault wallet name is case sensitive
    [oracle@oracle-server bin]$ ./okvutil upload -t WALLET -l  /home/oracle/app/oracle/admin/tdetest/wallet/tde -g tdetest -v 2
    okvutil version 21.1.0.0.0
    Endpoint type: Oracle Database
    Configuration file: /home/oracle/app/oracle/admin/tdetest/wallet/okv/conf/okvclient.ora
    Server: 10.0.0.150:5696
    Standby Servers:
    Uploading from /home/oracle/app/oracle/admin/tdetest/wallet/tde
    
    Enter source wallet password:
    Enter Oracle Key Vault endpoint password:
    ORACLE.SECURITY.ID.ENCRYPTION.
    ORACLE.SECURITY.KB.ENCRYPTION.
    ORACLE.SECURITY.KT.ENCRYPTION.AQDBKozP1k8Mvwq4sH7ptKYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.KM.ENCRYPTION.AQDBKozP1k8Mvwq4sH7ptKYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.AQDBKozP1k8Mvwq4sH7ptKYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.KT.ENCRYPTION.AYURdnq5XU8Rv7IipWqWgHoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.KM.ENCRYPTION.AYURdnq5XU8Rv7IipWqWgHoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.AYURdnq5XU8Rv7IipWqWgHoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.BF507489CE7703B4E0536800000A8180
    ORACLE.SECURITY.KM.ENCRYPTION.AXLqsppXAU9kv9JLJCcfGYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.AXLqsppXAU9kv9JLJCcfGYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.KT.ENCRYPTION.AXLqsppXAU9kv9JLJCcfGYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.BF5072A8540A032BE0536800000AB0DD
    ORACLE.SECURITY.KM.ENCRYPTION.AXDVlynThU8bvwblg7vruGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.AXDVlynThU8bvwblg7vruGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.KT.ENCRYPTION.AXDVlynThU8bvwblg7vruGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.BF50708B8BEB0266E0536800000A7B90
    ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
    
    Uploaded 4 TDE keys
    Uploaded 0 SEPS entries
    Uploaded 0 other secrets
    Uploaded 6 opaque objects
    
    Uploading private persona
    Uploading certificate request
    Uploading trust points
    
    Uploaded 1 private keys
    Uploaded 1 certificate requests
    Uploaded 0 user certificates
    Uploaded 0 trust points
    
    
    Upload succeeded
    
    

    Within the upload, I can see where the TDE master keys are being uploaded for my PDBs by looking at the PDB guids.


    SQL> column name format a40
    SQL> select name,guid from v$pdbs;
    
    NAME                                     GUID
    ---------------------------------------- --------------------------------
    PDB$SEED                                 BF5039AF39966A70E0536800000A09E1
    TDEPDB1                                  BF50708B8BEB0266E0536800000A7B90
    TDEPDB2                                  BF5072A8540A032BE0536800000AB0DD
    TDEPDB3                                  BF507489CE7703B4E0536800000A8180
    
    


    And I can look in the wallet in OKV (filtering by Symmetric key) and see the contents that were uploaded from the local wallet. In this screen I can identify the PDB key because I used tags when I created the keys.





    8) Add secret to allow use of "External Store". 

    1) I am going to add the OKV password to the keystore as a secret to allow me to use the "EXTERNAL STORE" instead of the password.

    ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2021!' FOR CLIENT 'OKV_PASSWORD' TO LOCAL AUTO_LOGIN KEYSTORE '/home/oracle/app/oracle/admin/tdetest/wallet/tde_seps';
    


    NOTE: As I pointed out in the last post

    • The keystore must be in a subdirectory of the WALLET_ROOT location called "tde_seps" in order to be found.
    • The "FOR CLIENT" entry must be 'OKV_PASSWORD' to be found.
    • It must be AUTO_LOGIN so that it can be opened and used.

    2) I am going to add the OKV password to the keystore as a secret to allow me to auto logon to the OKV Keystore.

    ADMINISTER KEY MANAGEMENT ADD SECRET '0KV2021!' FOR CLIENT 'HSM_PASSWORD' TO AUTO_LOGIN KEYSTORE '/home/oracle/app/oracle/admin/tdetest/wallet/tde';
    

    3)  I need to change the TDE_CONFIGURATION (which is dynamic).

    ALTER SYSTEM SET TDE_CONFIGURATION = "KEYSTORE_CONFIGURATION=OKV|FILE" SCOPE = BOTH;

    4) I am going to bounce the database, and ensure that both my file and OKV wallets open up properly.

    
    PDB Name   Type       WRL_PARAMETER                                      Status                         WALLET_TYPE          KEYSTORE Backed Up
    ---------- ---------- -------------------------------------------------- ------------------------------ -------------------- -------- ----------
    CDB$ROOT   FILE       /home/oracle/app/oracle/admin/tdetest/wallet//tde/ OPEN                           AUTOLOGIN            NONE     YES
    CDB$ROOT   OKV                                                           OPEN_NO_MASTER_KEY             OKV                  NONE     UNDEFINED
    PDB$SEED   FILE                                                          OPEN                           AUTOLOGIN            UNITED   YES
    PDB$SEED   OKV                                                           OPEN_NO_MASTER_KEY             OKV                  UNITED   UNDEFINED
    TDEPDB1    FILE                                                          OPEN                           AUTOLOGIN            UNITED   YES
    TDEPDB1    OKV                                                           OPEN_NO_MASTER_KEY             OKV                  UNITED   UNDEFINED
    TDEPDB2    FILE                                                          OPEN                           AUTOLOGIN            UNITED   YES
    TDEPDB2    OKV                                                           OPEN_NO_MASTER_KEY             OKV                  UNITED   UNDEFINED
    TDEPDB3    FILE                                                          OPEN                           AUTOLOGIN            UNITED   YES
    TDEPDB3    OKV                                                           OPEN_NO_MASTER_KEY             OKV                  UNITED   UNDEFINED
    
    
    10 rows selected.
    
    


    9) Combine the local wallet File and OKV. 

      Next I need to migrate the keys using the local wallet. Note this will rekey the database.

    ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY IDENTIFIED BY "0KV2021!" MIGRATE USING "F1LE2021!" WITH BACKUP;

    I am going to bounce the database and ensure it comes up with both Keystores opened.

    PDB Name   Type       WRL_PARAMETER                                      Status                         WALLET_TYPE          KEYSTORE Backed Up
    ---------- ---------- -------------------------------------------------- ------------------------------ -------------------- -------- ----------
    CDB$ROOT   FILE       /home/oracle/app/oracle/admin/tdetest/wallet//tde/ OPEN                           AUTOLOGIN            NONE     YES
    CDB$ROOT   OKV                                                           OPEN                           OKV                  NONE     UNDEFINED
    PDB$SEED   FILE                                                          CLOSED                         UNKNOWN              UNITED   UNDEFINED
    PDB$SEED   OKV                                                           CLOSED                         UNKNOWN              UNITED   UNDEFINED
    TDEPDB1    FILE                                                          OPEN                           AUTOLOGIN            UNITED   YES
    TDEPDB1    OKV                                                           OPEN                           OKV                  UNITED   UNDEFINED
    TDEPDB2    FILE                                                          OPEN                           AUTOLOGIN            UNITED   YES
    TDEPDB2    OKV                                                           OPEN                           OKV                  UNITED   UNDEFINED
    TDEPDB3    FILE                                                          OPEN                           AUTOLOGIN            UNITED   YES
    TDEPDB3    OKV                                                           OPEN                           OKV                  UNITED   UNDEFINED
    
    



    That's all there is to it !

    The most important notes I found during this process

    • WALLET_ROOT and TDE_CONFIGURATION should be used in 19c.
    • The password for OKV
      • add secret to the wallet in WALLET_ROOT/tde_seps using client 'OKV_PASSWORD'
      • add secret to the wallet in WALLET_ROOT/tde using client 'HSM_PASSWORD'
    • OKV must be installed in WALLET_ROOT/okv
    • The local wallet for TDE must be in WALLET_ROOT/tde