Cloning a PDB with encrypted data in united mode – avoid ORA-00283


The purpose of this blog post is to give you some guidelines on how to avoid “ORA-00283: recovery session canceled due to errors” during a PDB clone operation, and how to troubleshoot it when it occurs.

The Oracle documentation notes the following:

When you clone a PDB, you must make the master encryption key of the source PDB available to cloned PDB.

This allows a cloned PDB to operate on the encrypted data. To perform the clone, you do not need to export and import the keys because Oracle Database transports the keys for you even if the cloned PDB is in a remote CDB. However, you will need to provide the keystore password of the CDB where you are creating the clone.

This statement is not fully true if the source PDB does not have its own master key.

How can a PDB not have its own master key?

When cloning a PDB within the same CDB, the master key of the source is used for the target. If a rekey (generating a new master key) is not done on the target PDB after the clone operation is complete, the target PDB will continue to use the master key that belongs to the original (source) PDB.

Now, if you perform a clone of the new (previously cloned) PDB to a remote CDB, there is a good chance the clone operation will fail with “ORA-00283: recovery session canceled due to errors”.

This is expected behavior.

The error message:

SQL> create pluggable database REMOTE_CLONE from PDB2@L1 KEYSTORE IDENTIFIED BY "*******";
create pluggable database REMOTE_CLONE from PDB2@L1 KEYSTORE IDENTIFIED BY "*******"
*
ERROR at line 1:
ORA-00283: recovery session canceled due to errors
ORA-28374: typed master key not found in wallet

When the newly cloned PDB does not have its own master key, there are no records for it in the V$ENCRYPTION_KEYS dynamic performance view. Performing a rekey operation of the master encryption key ensures that the newly cloned PDB uses its own unique keys, which will be visible in the V$ENCRYPTION_KEYS view.

As I see it, there are three scenarios:

  • If the source PDB has its own master key, then everything will work fine. The master key will be copied over to the cloned PDB.
  • If the source PDB does not have its own master key (no records in V$ENCRYPTION_KEYS) and no recovery is needed during the clone operation, the clone operation will succeed.
    But afterwards, any data manipulation over encrypted data will fail.
  • If the source PDB does not have its own master key (no records in V$ENCRYPTION_KEYS) and recovery over encrypted data is needed during the clone operation, the clone operation will fail.

The steps in the Oracle documentation section “Cloning a PDB with Encrypted Data in a CDB in United Mode” say to perform a rekey of the master key for a cloned PDB. But there is no warning about cloning a PDB to a remote CDB when the source PDB does not have its own master key.
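A pre-flight check and rekey to run on the source CDB before the remote clone, written for this post as an added example (it is not from the Oracle documentation or the original article). Assumptions: PDB2 is the source PDB from the failing statement above, the session belongs to a common user that can query the DBA views and has the ADMINISTER KEY MANAGEMENT privilege, and `<keystore_password>` and the backup tag are placeholders.

```sql
-- Assumed source PDB name, taken from the failing CREATE PLUGGABLE DATABASE above.
ALTER SESSION SET CONTAINER = PDB2;
SET SERVEROUTPUT ON

-- 1. Keystore state as seen from this PDB (united mode: keystore lives in the CDB).
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;

-- 2. Stop if the PDB holds encrypted data but owns no master key.
--    Zero rows in V$ENCRYPTION_KEYS means it still depends on the key of the
--    PDB it was cloned from, which is the condition behind ORA-28374.
DECLARE
  l_keys    PLS_INTEGER;
  l_enc_ts  PLS_INTEGER;
  l_enc_col PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO l_keys    FROM v$encryption_keys;
  SELECT COUNT(*) INTO l_enc_ts  FROM dba_tablespaces WHERE encrypted = 'YES';
  SELECT COUNT(*) INTO l_enc_col FROM dba_encrypted_columns;
  DBMS_OUTPUT.PUT_LINE('master keys=' || l_keys ||
                       ' encrypted tablespaces=' || l_enc_ts ||
                       ' encrypted columns=' || l_enc_col);
  IF l_keys = 0 AND (l_enc_ts > 0 OR l_enc_col > 0) THEN
    RAISE_APPLICATION_ERROR(-20001,
      'PDB has encrypted data but no master key of its own: rekey before cloning');
  END IF;
END;
/

-- 3. If step 2 raised ORA-20001, give the PDB its own master key.
--    FORCE KEYSTORE lets the statement run when an auto-login keystore is open.
ADMINISTER KEY MANAGEMENT SET KEY
  FORCE KEYSTORE
  IDENTIFIED BY "<keystore_password>"
  WITH BACKUP USING 'before_remote_clone';

-- 4. Verify: the PDB should now list a key it created and activated itself.
SELECT key_id, creator_pdbname, activating_pdbname, creation_time
FROM   v$encryption_keys
ORDER  BY creation_time;
```

Running the same check in a PDB right after a local clone shows whether the post-clone rekey step was skipped.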


About the Author

Senior Database Consultant
Ivica is an Oracle Certified Master 12c and 11g, and a recognized member of the Oracle ACE Program as an Oracle ACE Associate. He is a blogger and active contributor to the Oracle community and presents at many technology conferences. Known for his deep Oracle expertise and ability to troubleshoot quickly and efficiently, Ivica has the skills to solve problems quickly regardless of size and complexity. He is passionate about database performance and stability.
