Oracle 19c

---

How to Patch/Upgrade Java (JDK and JRE) in both Oracle Home and OEM Agent 13.5 home to latest certified version

This entry was posted in Enterprise Manager Oracle Oracle 19c Patchset Update Security on 20.02.2026 by Miguel Anjo

A vulnerability scan from the customer pointed out many problems due to old patch backups and old JDK versions installed in a Oracle VM.

Many of the problems were with the files:

/u01/app/oracle/product/oem13c/agent/agent_13.5.0.0.0/oracle_common/jdk/jre/lib/rt.jar
/u01/app/oracle/product/19.0.0/dbhome_1/jdk/jre/lib/rt.jar

What I learned:

• OEM Agent 13.5 default java version is 1.8.0_261, also after patching to the latest RU!
• Oracle OPatch has its own JRE and this is not updated when applying latest JDK patch for Oracle Home
• Upgrade JDK in Oracle Home is online

What I already knew:

• Oracle DB Release Updates (RU) install the before-last JDK version.
• There is in CPU4 – Oracle Critical Patch Update (CPU) Jan 2026 for Oracle Database Products (or the document for last CPU) a specific Patch to upgrade the JDK to the latest certified version (online patch).
• The old patches are kept in a folder “.patch_storage”, for the needs of rollback. Vulnerability tools are picky and find it as potentially dangerous. The latest OPatch versions have a “util obfuscate” which will change the name and a little the contents of the files, so vulnerability tools do not find it. I blogged about it two years ago: Opatch now obfuscates its own backups – the new “opatch util Obfuscate” option explained

Below how I “cleanup” the vulnerabilities at my customer VM. This instructions are for java version 1.8.0_481, latest certified for Oracle in January 2026 :

(more…)

---

Follow the progress of a PDB remote cloning

This entry was posted in cloning Multitenant Oracle Oracle 19c on 14.01.2026 by Miguel Anjo

For a PDB migration, I’ve configured a Refresh PDB clone.

SQL> CREATE PLUGGABLE DATABASE P1QXPTO from P1QXPTO@C1Q_OLDCDB REFRESH MODE EVERY 2 HOURS;

The PDB is 16TB and copying will take a few hours. To get the progress, it is not so straight forward:

• there is no size in V$PDBs until the end
• the ASM space is reserved from the beginning
• there are no files in V$DATAFILE or V$ASM_FILE during the copy

The only place to follow the PDB clone is using V$SQL_LONGOPS, as explained at KB135098 – How to Monitor PDB Clone / Move On ‘Create Pluggable Database’ with ‘COPY’ Clause Statement Execution.

(more…)

---

Classic My Oracle Support is gone 1

This entry was posted in My Oracle Support Oracle 19c on 08.12.2025 by Miguel Anjo

This morning I wanted to look for a note and to my surprise the old Metalink, then My Oracle Support portal, did not exist anymore.

All is now merged in the new “My Oracle Support” site, previously known as “My Oracle Cloud Support”.

The link to bookmark is https://support.oracle.com/support/

New DocID, now is KB

Important to notice is, The  DocID number were changed. For instance, to find the following note:
    ”How to add an Additional Listener in RAC setup (Doc ID 2456650.1)”

You need to look for the title. The document has now a new ID, starting with KB (Knowledge Base):

The links from Google are still not updated and do not work.

The solution is to search for the title in the new Oracle Support site.

Or use the MOS DocId to KB link translation I’ve compiled.

Old SRs, new SRs

The SRs from the “classic” portal are now at the end of the list as “Archived Service Requests”.

There are three headings now:

1. These service requests need your attention
2. Oracle is working on these service requests for you
3. Archived Service Requests (last 2 years from old portal)

To create new SRs for On-premises, you need to search for “Oracle Database”:

Feedback

Unfortunately there is not anymore the possibility to:

• see last searches
• see last views documents/notes
• favorites
• use old DocID in the search (would be enough to keep in the text of the new note!)
• No wget script to download patches
• Search engine does not prioritize most viewed notes

I’ll get used to the new portal, but as everytime, changes are not easy.

Status 10.12.2025:

• Link to patches were removed from notes. You can use the URL: https://support.oracle.com/support/?patchId=<patchID>
• A Top50 list was created by Oracle, still no ‘sorry’ for the confusion generated
• No more Google results for Oracle Support site

---

Extend Swap in Oracle Linux

This entry was posted in Linux Oracle 19c and tagged Oracle Linux 9 on 14.10.2025 by Miguel Anjo

The client has also configured a small Swap mountpoint, when looking at all memory available on the server. Oracle documentation says this:

The VM has 116GB memory, and 32GB reserved for HugePages. The actual swap mountpoint is 4GB big and, based on the Oracle Server Configuration Checklist for 19c, the swap mountpoint should be in this case 16GB.

I’m using Oracle Linux 9, xfs filesystems. I’ll increase the swap mountpoint online, with the databases running.

(more…)

---

TDE misconfigured and ORA-28353: failed to open wallet

This entry was posted in Oracle Oracle 19c Oracle 23ai Security TDE on 26.08.2025 by Miguel Anjo

I did script the TDE wallet configuration for my client.

• Script 1 – Set the static parameters TABLESPACE_ENCRYPTION and WALLET_ROOT in the spfile.
• Script 2 – Restart the database
• Script 3 – Create the wallet, open the wallet, set the Masterkey, create the autologin wallet.

When running this 3rd script on a database it failed on the second command:

SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY  "wallet_password";
keystore altered.

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "wallet_password"
*
ERROR at line 1:
ORA-28353: failed to open wallet

(more…)

---

Recover missing Masterkey – the famous ORA-28374 2

This entry was posted in Oracle Oracle 19c Oracle 23ai Security on 21.08.2025 by Miguel Anjo

The client plugged a non-encrypted PDB into a CDB with TDE Encryption Wallet enabled. All works fine, we can read the data. However when trying to create a tablespace we get:

CDB1 SQL> create tablespace TBS_NEW;
Error starting at line : 1 in command -
create tablespace t1
Error report -
ORA-28374: typed master key not found in wallet
28374. 0000 -  "typed master key not found in wallet"
*Cause:    You attempted to access encrypted tablespace or redo logs with a typed master key not existing in the wallet.
*Action:   Copy the correct Oracle Wallet from the instance where the tablespace was created.

What is wrong?

(more…)

---

Encrypt the whole Oracle database online with TDE

This entry was posted in Oracle Oracle 19c Security on 15.07.2025 by Miguel Anjo

Some programs are part of Oracle ISV – Independent Software Vendors – program and include various types of Oracle licenses. This allows to install the application database in various Oracle configurations. At my customer, the software includes Advance Security Option Oracle license. This was the reason we decided, even before moving to the cloud, to encrypt the database.

Here is a summary on how to perform full online encryption (TDE) of a database. The process is quite simple, but there are known surprises you might want to avoid.

(more…)

---

Oracle TDE – the basic information you need to know when encrypting the whole database

This entry was posted in Cloud Engineering Systems ExaCC Exadata OCI Oracle Oracle 19c and tagged OCI oracle 19c tde on 21.05.2025 by Miguel Anjo

TDE – Transparent Data Encryption – is the Oracle solution for protecting data at rest. This refers, protecting data that is stored in one file or one disk. This data will be encrypted. Only after the database is open and the wallet password is given, you can query the data and see it.

Recently I’ve been working more with ExaCC and migrating databases from on-premises to the Cloud. Took quite some days to get into TDE and sometimes confusing terms used in the documentation and on the web.

This post summarizes all the concepts to have in mind when working with Oracle encrypted databases, which is the default in the Cloud and Exadata systems.

(more…)

---

DataGuard in RAC and redo apply performance in consolidated environments

This entry was posted in DataGuard Oracle 19c on 15.05.2025 by Miguel Anjo

My customer has five standby databases in the same 2-node RAC cluster. Today, after an ASM data diskgroup full, several databases had to recover quite some archivelogs.

The load on the first node immediately went to the roof when I restarted the redo apply, after adding space to the diskgroup.

This because, by default, the redo apply starts on the first available instance of the RAC cluster, which in this case was the first instance for all DBs.

Two things I learned:

(more…)

---

New mandatory unified audit policy on 19.26

This entry was posted in Audit Oracle Oracle 19c Oracle 23ai on 06.02.2025 by Miguel Anjo

This feature was just backported from Oracle 23ai. The new ORA$MANDATORY audit policy was added with the Oracle 19.26 RU. This policy is not visible at UNIFIED_AUDIT_POLICIES or AUDIT_UNIFIED_ENABLED_POLICIES.

After patching the database to 19.26, then you see entries on UNIFIED_AUDIT_TRAIL:

SYS@CDB2.CDB$ROOT> select EVENT_TIMESTMAP, SYSTEM_PRIVILEGE_USED, ACTION_NAME 
from UNIFIED_AUDIT_TRAIL 
where UNIFIED_AUDIT_POLICIES='ORA$MANDATORY' 
order by EVENT_TIMESTMAP;

                  EVENT_TIMESTAMP     SYSTEM_PRIVILEGE_USED       ACTION_NAME
_________________________________ _________________________ _________________
02-FEB-2025 21:54:56.192982000    SYSDBA                    LOGON
02-FEB-2025 21:54:56.216549000    SYSDBA                    SELECT
02-FEB-2025 21:55:00.381577000    SYSDBA, ALTER DATABASE    ALTER DATABASE
02-FEB-2025 21:55:00.393882000    SYSDBA                    LOGOFF
...

The actions that are audited by ORA$MANDATORY policy are described on Oracle 23ai documentation.

What I find interesting, is that the “ALTER DATABASE MOUNT” during startup is audited, so we can have a good history of database startups.

(more…)

---

---