Hybrid Dataguard is a relatively new 19c feature that allows to have one side of a Dataguard configuration not encrypted. This is particularly useful when having a primary on premises and standby on a OCI, where tablespaces need to be encrypted. The main point is that it allows to spare a Advanced Security licenses on premises site. <\/p>\n\n\n\n
Usages of Hybrid Dataguard can be during migration to the cloud or just as a high availability solution, when we have a small on-premises data center. <\/p>\n\n\n\n
In the tutorial below I assume to have a primary database on premises without TDE, a we will create a standby in OCI with encryption enabled. The connection between on-premises and OCI is already configured and not explained.<\/p>\n\n\n\n\n\n\n\n
I use the following code to test if ports are open.<\/p>\n\n\n
\nIPLIST="10.161.97.224 10.161.97.225" # Destination IPs space separated\nfor IP in $IPLIST; do\n for PORT in 22 1521; do\n CHECK_IP=${IP}\/${PORT}\n timeout 1 bash -c "<\/dev\/tcp\/${CHECK_IP} && echo Port ${CHECK_IP} is open || echo Port ${CHECK_IP} is closed" || echo Connection timeout\n done\ndone\n<\/pre><\/div>\n\n\nPrepare primary database<\/h2>\n\n\n\nConfigure TDE Wallet <\/h3>\n\n\n\n
Even if the primary DB will not be encrypted, it is necessary to configure a TDE Wallet (called also Keystore). This requires a DB restart.<\/p>\n\n\n\n
First we create the wallet directory and set some static parameters.<\/p>\n\n\n
\nmkdir -p $ORACLE_BASE\/admin\/$ORACLE_SID\/wallet\/tde\nsqlplus \/ as sysdba\nSQL> ALTER SYSTEM SET tablespace_encryption=DECRYPT_ONLY SCOPE=spfile;\nSQL> ALTER SYSTEM SET wallet_root='\/u01\/app\/oracle\/admin\/cdb2\/wallet' SCOPE=spfile;\n<\/pre><\/div>\n\n\nPlan and restart database<\/strong> to activate the parameters.<\/p>\n\n\n\nSQL> shutdown immediate\nSQL> startup\n<\/pre><\/div>\n\n\nThen we define the TDE type as a software wallet (file), create the wallet and set a key for all containers (PDBs)<\/p>\n\n\n
\nSQL> ALTER SYSTEM SET tde_configuration='keystore_configuration=FILE';\nSQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "<wallet password>";\nSQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<wallet password>" container=all;\nSQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "<wallet password>" with backup container=all;\nSQL> COL wrl_parameter FOR a40\nSQL> SELECT con_id,wrl_parameter, wrl_type, wallet_type, status from v$encryption_wallet;\n\n CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS\n---------- ---------------------------------------- -------------------- -------------------- ------------------------------\n 1 \/u01\/app\/oracle\/admin\/cdb2\/wallet\/tde\/ FILE PASSWORD OPEN\n 2 FILE PASSWORD OPEN\n 3 FILE PASSWORD OPEN\n<\/pre><\/div>\n\n\nCreate an auto-login wallet, so the wallet opens automatically in read-only mode on DB startup. We close the read-write wallet, which is then automatically open in read-only mode (autologin).<\/p>\n\n\n
\nSQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '\/u01\/app\/oracle\/admin\/cdb2\/wallet\/tde\/' IDENTIFIED BY "<wallet password>";\nSQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "<wallet password>" container=all;\nSQL> select con_id,WRL_PARAMETER, WRL_TYPE,WALLET_TYPE, status from V$ENCRYPTION_WALLET;\n CON_ID WRL_PARAMETER WRL_TYPE WALLET_TYPE STATUS\n---------- ---------------------------------------- -------------------- -------------------- ------------------------------\n 1 \/u01\/app\/oracle\/admin\/cdb2\/wallet\/tde\/ FILE AUTOLOGIN OPEN\n 2 FILE AUTOLOGIN OPEN\n 3 FILE AUTOLOGIN OPEN\n<\/pre><\/div>\n\n\nPause database backups<\/h3>\n\n\n\n
Make sure that archivelogs generated during the creation of the standby are available until the end of the standby recovery.<\/p>\n\n\n\n
Standby logs and parameter<\/h3>\n\n\n\n
We set automatic file management and create the standby logs. The loop below works well with up to 9 redologs per thread.<\/p>\n\n\n
\nSQL> alter system set STANDBY_FILE_MANAGEMENT=AUTO;\n\nSQL> begin\nfor log_cur in ( select group#, thread#, bytes from v$log )\nloop\nexecute immediate 'alter database add standby logfile thread ' || log_cur.thread# || ' group ' || log_cur.thread# || '0' || log_cur.group# || ' size ' || log_cur.bytes ;\nend loop;\nend;\n\/\n<\/pre><\/div>\n\n\nCreate dummy DB in OCI<\/h2>\n\n\n\n
We need to create a dummy DB in OCI with the same DB_NAME and different DB_UNIQUE_NAME from our primary DB. This is make so that it appears correctly in the portal. This dummy DB will be replaced by our standby. SYS and TDE passwords given are not relevant, as we will be using the ones from primary.<\/p>\n\n\n\n
I do the operation directly on the OCI VM Cluster.<\/p>\n\n\n
\nDBNAME=cdb2\nSTANDBY_UNQNAME=cdb2_oci\nSTANDBY_OH=\/u02\/app\/oracle\/product\/19.0.0.0\/dbhome_1\nPDB_NAME=DUMMY_PDB\n\ndbaascli database create \\\n--dbName $DBNAME \\\n--dbUniqueName $STANDBY_UNQNAME \\\n--oracleHome STANDBY_OH \\\n--pdbName $PDB_NAME \\\n--sgaSizeInMB 7600 \\\n--pgaSizeInMB 3072 \\\n--dbTerritory SWITZERLAND \\\n--dbCharset AL32UTF8 \\\n--dbNCharset AL16UTF16 \\\n--dbLanguage AMERICAN\n<\/pre><\/div>\n\n\nCreate encrypted standby in OCI<\/h2>\n\n\n\nCopy Password file<\/h3>\n\n\n\n
Copy password file from on-premises to OCI<\/p>\n\n\n
\nPRIMARY_HOST=vm1.anjo.ch\nDBNAME=cdb2\nLEGACY_OH=\/u01\/app\/oracle\/product\/19.24.0\/db_1\nscp $PRIMARY_HOST:$LEGACY_OH\/dbs\/orapw${DBNAME} \/tmp\/orapw${DBNAME}\n<\/pre><\/div>\n\n\nMove the password files to ASM<\/p>\n\n\n
\nsudo su - grid\n[grid@oci-vm01 ~]$ \nDBNAME=cdb2\nSTANDBY_UNQNAME=CDB2_OCI\nDG_NAME=+DATAC1\n\nasmcmd pwcopy \/tmp\/orapw${DBNAME} \n${DG_NAME}\/${STANDBY_UNQNAME}\/PASSWORD\/orapw${STANDBY_UNQNAME}\n\nsudo su - oracle\n[oracle@oci-vm1 ~]$ \nDBNAME=cdb2\nSTANDBY_UNQNAME=CDB2_OCI\nDG_NAME=+DATAC1\n\nsrvctl modify database -db ${STANDBY_UNQNAME} -pwfile ${DG_NAME}\/${STANDBY_UNQNAME}\/PASSWORD\/orapw${STANDBY_UNQNAME}\n<\/pre><\/div>\n\n\nCopy TDE Wallet<\/h3>\n\n\n\n
First check where in OCI is the wallet of the dummy configured. We will overwrite this wallet.<\/p>\n\n\n
\nsqlplus -S \/ as sysdba <<EOF\nshow parameter wallet_root\nEOF\n\nNAME TYPE VALUE\n------------------------------------ ----------- ------------------------------\nwallet_root string \/var\/opt\/oracle\/dbaas_acfs\/cdb2\/wallet_root\n<\/pre><\/div>\n\n\nAnd we copy the wallet from legacy to this location<\/p>\n\n\n
\nDBNAME=cdb2\nscp $PRIMARY_HOST:\/u01\/app\/oracle\/admin\/${DBNAME}\/wallet\/tde\/*wallet* \/var\/opt\/oracle\/dbaas_acfs\/${DBNAME}\/wallet_root\/tde\/\n<\/pre><\/div>\n\n\nRestore control file<\/h3>\n\n\n\n[oracle@oci-vm1]$ rman target \/\nRMAN> STARTUP NOMOUNT\nRMAN> RESTORE STANDBY CONTROLFILE FROM SERVICE '\/\/vm1.anjo.ch:1521\/cdb2.anjo.ch';\nRMAN> ALTER DATABASE MOUNT;\n<\/pre><\/div>\n\n\nRestore as encrypted<\/h3>\n\n\n\n
We we use the new feature RESTORE AS ENCRYPTED DATABASE, which encrypts the datafiles while copying them from primary.<\/p>\n\n\n
\n[oracle@oci-vm1]$ rman target \/ | tee \/home\/oracle\/duplicate_$(date "+%Y_%m_%d-%Hh%M").log\nRMAN> CONFIGURE DEVICE TYPE DISK PARALLELISM 4; \nRMAN> RESTORE AS ENCRYPTED DATABASE FROM SERVICE '\/\/vm1.anjo.ch:1521\/cdb2.anjo.ch';\nRMAN> SWITCH DATABASE TO COPY;\n\nRMAN> RECOVER DATABASE FROM SERVICE '\/\/vm1.anjo.ch:1521\/cdb2.anjo.ch';\n<\/pre><\/div>\n\n\nIf DB is very large, one can then use recover to roll forward the standby without using archivelogs.<\/p>\n\n\n
\nsrvctl stop database -db ${STANDBY_UNQNAME}\nrman target \/\nRMAN> STARTUP NOMOUNT\nRMAN> RESTORE STANDBY CONTROLFILE FROM SERVICE '\/\/vm1.anjo.ch:1521\/cdb2.anjo.ch';\nRMAN> ALTER DATABASE MOUNT;\nRMAN> CATALOG START WITH '+DATAC1' noprompt; \/* ignore errors *\/\nRMAN> CATALOG START WITH '+RECOC1' noprompt; \/* ignore errors *\/\nRMAN> SWITCH DATABASE TO COPY;\nRMAN> SHUTDOWN IMMEDIATE;\n\nsrvctl start database -db ${STANDBY_UNQNAME} -startoption MOUNT\n\nrman target sys\/<password> # <-- It is necessary to provide password\nRMAN> CONFIGURE DEVICE TYPE DISK PARALLELISM 4; \nRMAN> RECOVER DATABASE FROM SERVICE '\/\/vm1.anjo.ch:1521\/cdb2.anjo.ch';\nRMAN> SWITCH DATABASE TO COPY;\n<\/pre><\/div>\n\n\nSet role as standby<\/h3>\n\n\n\n
The database should be set in the OCI clusterware as physical standby<\/p>\n\n\n
\n[oracle@oci-vm1]$ srvctl modify database -db ${STANDBY_UNQNAME} -role physical_standby -startoption mount\n<\/pre><\/div>\n\n\nClear redologs <\/h3>\n\n\n\nbegin\nfor log_cur in ( select group# group_no from v$log )\nloop\nexecute immediate 'alter database clear logfile group '||log_cur.group_no;\nend loop;\nend;\n\/\n\nbegin\nfor log_cur in ( select group# group_no from v$standby_log )\nloop\nexecute immediate 'alter database clear logfile group '||log_cur.group_no;\nend loop;\nend;\n\/\n<\/pre><\/div>\n\n\nPrepare dataguard broker<\/h3>\n\n\n\n
First we prepare the broke in standby database<\/p>\n\n\n
\nconnect \/ as sysdba\nSQL> alter system set dg_broker_config_file1='+DATAC1\/<standby unique name>\/dr1.dat';\nSQL> alter system set dg_broker_config_file2='+RECOC1\/<standby unique name>\/dr2.dat';\nSQL> alter system set dg_broker_start=true;\nSQL> alter system register;\n<\/pre><\/div>\n\n\nThen we prepare on primary, connecting to it from OCI<\/p>\n\n\n
\nconnect sys\/<password>@<primary unique name> as sysdba\nSQL> alter system set dg_broker_config_file1='+DATAC1\/<standby unique name>\/dr1.dat';\nSQL> alter system set dg_broker_config_file2='+RECOC1\/<standby unique name>\/dr2.dat';\nSQL> alter system set dg_broker_start=true;\n<\/pre><\/div>\n\n\nAnd create the dataguard configuration<\/p>\n\n\n
\ndgmgrl sys\/<password>@\/\/vm1.anjo.ch:1521\/cdb2.anjo.ch \nDGMGRL> CREATE CONFIGURATION dgconfig AS PRIMARY DATABASE IS <primary unique name> CONNECT IDENTIFIER IS <primary unique name>;\nDGMGRL> ADD DATABASE <standby unique name> AS CONNECT IDENTIFIER IS <standby unique name>;\nDGMGRL> ENABLE CONFIGURATION;\nDGMGRL> SHOW CONFIGURATION;\n<\/pre><\/div>\n\n\nIt might take a while until it shows “SUCCESSFUL”, important is to check in alertlog that the recovery is happening.<\/p>\n\n\n\n
Post-operations<\/h2>\n\n\n\nCheck if datafiles are encrypted<\/h3>\n\n\n\n
We can use DB Verify to check the encryption of datafiles.<\/p>\n\n\n
\nSYS@CDB2.CDB$ROOT> select file_name from dba_data_files;\n\n[oracle@oci-vm1]$ dbv FILE=<file_name>\n\nDBVERIFY: Release 19.0.0.0.0 - Production on Sat May 24 16:04:16 2025\nCopyright (c) 1982, 2019, Oracle and\/or its affiliates. All rights reserved.\n\nDBVERIFY - Verification starting : FILE = <file_name>\n\nDBVERIFY - Verification complete\n\nTotal Pages Examined : 113920\nTotal Pages Processed (Data) : 0\nTotal Pages Failing (Data) : 0\nTotal Pages Processed (Index): 0\nTotal Pages Failing (Index): 0\nTotal Pages Processed (Other): 1\nTotal Pages Processed (Seg) : 0\nTotal Pages Failing (Seg) : 0\nTotal Pages Empty : 17265\nTotal Pages Marked Corrupt : 0\nTotal Pages Influx : 0\nTotal Pages Encrypted : 96654 <-- Here shows that blocks are encrypted\nHighest block SCN : 0 (0.0)\n<\/pre><\/div>\n\n\nRe-enable Primary backups<\/h3>\n\n\n\n
In case they were paused, to not forget to enable back,<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Hybrid Dataguard is a relatively new 19c feature that allows to have one side of a Dataguard configuration not encrypted. This is particularly useful when having a primary on premises and standby on a OCI, where tablespaces need to be encrypted. The main point is that it allows to spare a Advanced Security licenses on […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,10,52,6,9],"tags":[54,85],"class_list":{"0":"post-1002","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-cloud","7":"category-dataguard","8":"category-oci","9":"category-oracle","10":"category-security","11":"tag-oci","12":"tag-tde","13":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1002","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/comments?post=1002"}],"version-history":[{"count":4,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1002\/revisions"}],"predecessor-version":[{"id":1007,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1002\/revisions\/1007"}],"wp:attachment":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/media?parent=1002"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/categories?post=1002"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/tags?post=1002"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}