TDE_HEALTHCHECK 

The TDE health-check was planned to give Oracle Support personnel a quick overview about your TDE setup, but eventually it was decided to include it in recent Oracle Database RUs in 19c and 26ai.

In Oracle database 19c before 19.30, you need to apply patch 38486044.

It is very easy to use: First, compile it with:

SQL> @$ORACLE_HOME/rdbms/admin/tde_healthcheck.sql

To get the complete results, simply execute:

SQL> execute tde_healthcheck.get_tde_healthcheck_report;

Individual checks allow for a more targeted validation:

SQL> exec tde_healthcheck.get_wallet_root;

Display WALLET_ROOT from gv$parameter. 

SQL> exec tde_healthcheck.get_wallet_location;

Where are my TDE wallets? Usually in WALLET_ROOT/tde 

SQL> exec tde_healthcheck.get_tde_config;

Shows the value of the parameter TDE_CONFIGURATION.

SQL> exec tde_healthcheck.get_props_details;

Read the TDE configuration from internal tables. 

SQL> exec tde_healthcheck.validate_tde_primary_keystore;

Compares the TDE settings in the spfile with internal tables. 

SQL> exec tde_healthcheck.get_tablespace_encryption_config;

Shows the value of the parameter TABLESPACE_ENCRYPTION.  

SQL> exec tde_healthcheck.get_encwallet_details;

Validates TDE wallet location type (FILE, ASM, OKV), united or isolated PDBs, and other details.

SQL> exec tde_healthcheck.get_enckeys_details;

Key-IDs (in base64), creation and activation times of TDE keys in CDB and PDBs.

SQL> exec tde_healthcheck.get_pdbs_enckeys;

Shows activated TDE keys (in hex) for CDB and all PDBs. 

SQL> exec tde_healthcheck.get_encrypted_tablespaces;

Shows list of encrypted tablespaces in CDB and all PDBs, with their encryption algorithm.

SQL> exec tde_healthcheck.get_missingkey_info_from_allinstance;

Shows required vs. available keys; if keys are missing, call Oracle Support.

SQL> exec tde_healthcheck.get_encrypted_datafiles;

Shows list of encrypted data files in CDB and all PDBs.

Link to LinkedIn post.


Location: San Diego, Kalifornien, USA

Comments

Post a Comment

Popular posts from this blog

Upgrade encrypted databases to 26ai

  Oracle AI Database 26ai has been made available to all customers (on-prem or any cloud). With this, the "upgrade" question will come sooner rather than later. Upgrading to Oracle AI Database 26ai  is only possible from 19c and 21c , older releases cannot be directly upgraded to 26ai. If your 19c or 21c databases are encrypted, and TDE is set up with the old (desupported) sqlnet.ora parameters (ENCRYPTION_WALLET_LOCATION), upgrades will be blocked and pre-upgrade checks will fail with 'TDE_WALLET_ROOT_NOT_IN_USE'. You need to have WALLET_ROOT and TDE_CONFIGURATION set before the upgrade. Also, the GOST and ARIA encryption algorithms are desupported in 26ai; before upgrading, online-rekey those tablespaces to AES with XTS cipher mode; for upgrades via database links to 26ai CDBs, we have introduced the "rekey using" parameter: SQL> create pluggable database "FINANCE" from FINANCE@dblink rekey using 'AES256' MODE 'XTS'; ...
Read more

Copy TDE wallets out of and into ASM with kscopy

  As organizations continue to strengthen their database security posture, centralizing encryption key management has become an increasingly important operational and compliance requirement. Oracle Key Vault (OKV) provides a secure, scalable platform for managing Transparent Data Encryption (TDE) master keys across enterprise database environments. When migrating existing encrypted Oracle RAC databases from traditional wallet-based key management to OKV, careful planning can help ensure a smooth transition while preserving access to both current and historical encryption keys.  Before migrating an encrypted, RAC-enabled database from a shared local TDE wallet to OKV, it is recommended to leverage OKV's unique capability and upload the current and all retired TDE keys to OKV. In Oracle RAC, only shared wallets (for example stored in ACFS or directly in ASM) that can be accessed by all RAC instances are supported. Using individual TDE wallets for each RAC node is ...
Read more