Provisioning a RAC TDE Enabled VPDB Fails Reporting ORA-46637: Cannot Add First Keystore to the Target Keystore (KBA9302)
KBA# 9302
Issue
During the provisioning of an Oracle RAC Virtual Pluggable Database (VPDB), Delphix fails the provision reporting the following error:
Failed to merge keystore at "/mnt/tde/tdekeystores/ractde1" and "/home/delphix/+OCR/WALLET/RACTDE2/tde" into the new keystore at "/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde".
Delphix currently does not support the use of ASM based keystores during VPDB TDE provisioning.
Prerequisites
The environment as it exists during the provisioning process:
- An Oracle RAC PDB has been successfully linked as the dSource to the Delphix Engine and a snapshot of it has been captured.
- An Oracle RAC Container Database (CDB) has been discovered by the Delphix Engine and is to be used as the destination for RAC VPDB provisions.
- The Oracle RAC CDB to be provisioned into has Transparent Data Encryption (TDE) enabled, a wallet/keystore configured, and this keystore is stored in an Oracle ASM diskgroup.
- An attempt has been made to provision a VPDB into the Oracle RAC CDB where the keystore is held in ASM.
- Delphix Virtualization Engine version 6.0.13.0 or higher is being used for provisioning.
Applicable Delphix Versions
- Major Release 6.0, Sub Releases: 6.0.13.0, 6.0.13.1, 6.0.14.0
Resolution
Relocate the target Oracle RAC CDB keystore from Oracle ASM based storage to a shared file system accessible to all cluster nodes, such as NFS.
This requires the keystore to be recreated outside of Oracle ASM using the process detailed in:
Delphix Knowledge Base article - Exporting a Keystore from ASM to a Target Host for Oracle TDE Provisioning ( KBA8286 )
OR
Oracle MOS note - How to Manage a TDE wallet created in ASM on primary and to copy on Standby in ASM (Doc ID 2251874.1).
ASM based keystores cannot be copied out of ASM using asmcmd cp commands. This is detailed in Oracle MOS note: Cannot open wallet from local filesystem after cp from ASM with asmcmd (Doc ID 2085607.1).
Troubleshooting
The Delphix error displayed as a result of the provision failure will resemble the following:
Error: Failed to merge keystore at "/mnt/tde/tdekeystores/ractde1" and "/home/delphix/+OCR/WALLET/RACTDE2/tde" into the new keystore at "/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde".
Error Code: exception.oracle.tde.merge.into.new.keystore.failed
Suggested Action: Make sure that the parent TDE keystore password and/or target TDE keystore password are correct. Review error output for more details and retry the operation.
Command Output: StatementCallback; uncategorized SQLException for SQL [ADMINISTER KEY MANAGEMENT MERGE KEYSTORE '/mnt/tde/tdekeystores/ractde1' IDENTIFIED BY **** AND KEYSTORE '/home/delphix/+OCR/WALLET/RACTDE2/tde' IDENTIFIED BY **** INTO NEW KEYSTORE '/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde' IDENTIFIED BY ****]; SQL state [99999]; error code [46637]; ORA-46637: cannot add first keystore to the target keystore ; nested exception is java.sql.SQLException: ORA-46637: cannot add first keystore to the target keystore
The key to the problem is the ASM path seen in the ADMINISTER KEY MANAGEMENT command syntax.
The path '/home/delphix/+OCR/WALLET/RACTDE2/tde' is malformed: an ASM diskgroup location (+OCR/...) has been appended to a file system directory, so it does not reflect the true location of the keystore belonging to the target CDB.
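The check described above, as an added example (not Delphix or Oracle code): a Python triage function that pulls the three keystore paths out of the MERGE KEYSTORE statement in the command output and flags the signature of this KBA, ORA-46637 together with a source keystore path that contains an ASM diskgroup component. The function names and the labels "first", "second" and "new" are assumptions made for this example; the sample text is the command output shown above.

```python
import re
from pathlib import PurePosixPath

# Command output copied from the Troubleshooting section above (passwords already masked).
SAMPLE_OUTPUT = (
    "StatementCallback; uncategorized SQLException for SQL [ADMINISTER KEY MANAGEMENT "
    "MERGE KEYSTORE '/mnt/tde/tdekeystores/ractde1' IDENTIFIED BY **** AND KEYSTORE "
    "'/home/delphix/+OCR/WALLET/RACTDE2/tde' IDENTIFIED BY **** INTO NEW KEYSTORE "
    "'/mnt/tde/tdekeystores/oracle_tde_keystores/auxiliary_cdb_keystores/CvrpdbtdtNzr/tde' "
    "IDENTIFIED BY ****]; SQL state [99999]; error code [46637]; "
    "ORA-46637: cannot add first keystore to the target keystore"
)

# Matches the statement shape seen in the error; passwords are never captured.
MERGE_RE = re.compile(
    r"MERGE\s+KEYSTORE\s+'([^']+)'\s+IDENTIFIED\s+BY\s+\S+\s+"
    r"AND\s+KEYSTORE\s+'([^']+)'\s+IDENTIFIED\s+BY\s+\S+\s+"
    r"INTO\s+NEW\s+KEYSTORE\s+'([^']+)'",
    re.IGNORECASE,
)

def classify(path):
    """Return 'asm', 'asm-embedded' or 'filesystem' for one keystore path."""
    if path.startswith("+"):
        return "asm"            # native ASM form: +DISKGROUP/...
    if any(part.startswith("+") for part in PurePosixPath(path).parts):
        return "asm-embedded"   # diskgroup name buried inside an OS path
    return "filesystem"

def triage(output):
    """Extract the MERGE KEYSTORE paths and report whether this KBA applies."""
    match = MERGE_RE.search(output)
    if match is None:
        return None
    paths = dict(zip(("first", "second", "new"), match.groups()))
    kinds = {role: classify(path) for role, path in paths.items()}
    asm_sources = [paths[r] for r in ("first", "second") if kinds[r] != "filesystem"]
    ora_46637 = "ORA-46637" in output
    return {
        "paths": paths,
        "kinds": kinds,
        "asm_sources": asm_sources,
        # Signature of this KBA: ORA-46637 and an ASM-based source keystore.
        "matches_kba": ora_46637 and bool(asm_sources),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT))
```

A result with matches_kba set to True points at the keystore location rather than the keystore passwords named in the Suggested Action text.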
Related Articles
The following articles may provide more information or related information to this article:
- Exporting a Keystore from ASM to a Target Host for Oracle TDE Provisioning ( KBA8286 )
- Oracle MOS note: How to Manage a TDE wallet created in ASM on primary and to copy on Standby in ASM (Doc ID 2251874.1)
- Oracle MOS note: Cannot open wallet from local filesystem after cp from ASM with asmcmd (Doc ID 2085607.1)