Cloning a PDB with encrypted data in united mode - avoid ORA-00283
The purpose of this blog post is to give you some guidelines on how to avoid " ORA-00283: recovery session canceled due to errors" during a PDB clone operation and troubleshoot the same. In the Oracle documentation ( link), it notes the following:
When you clone a PDB, you must make the master encryption key of the source PDB available to cloned PDB. This allows a cloned PDB to operate on the encrypted data. To perform the clone, you do not need to export and import the keys because Oracle Database transports the keys for you even if the cloned PDB is in a remote CDB. However, you will need to provide the keystore password of the CDB where you are creating the clone.This statement is not fully true if the source PDB does not have its own master key.
How can a PDB not have its own master key?When cloning a PDB within the same CDB, the master key of the source is used for the target. If, after the clone operation is complete a rekey (generate new master key) is not done on the target PDB, the target PDB will continue to use the master key that belongs to the original (source) PDB. Now, if you perform a clone of the new (previously cloned) PDB to a remote CDB, there is a good chance the clone operation will fail with "ORA-00283: recovery session canceled due to errors". This is expected behavior. The error message: [code lang="sql"] SQL> create pluggable database REMOTE_CLONE from PDB2@L1 KEYSTORE IDENTIFIED BY "*******"; create pluggable database REMOTE_CLONE from PDB2@L1 KEYSTORE IDENTIFIED BY "*******" * ERROR at line 1: ORA-00283: recovery session canceled due to errors ORA-28374: typed master key not found in wallet [/code] When the newly cloned PDB does not have its own master keys, there are no records in V$ENCRYPTION_KEYS dynamic performance view. Performing a rekey operation of the master encryption key ensures that the newly cloned PDB uses its own unique keys, which will be visible in the V$ENCRYPTION_KEYS view. As I see it, there are three scenarios:
- If the source PDB has its own master key, then everything will work fine. The master key will be copied over to cloned PDB.
- If the source PDB does not have its own master key (no records in V$ENCRYPTION_KEYS) and no recovery is needed (during clone operation) the clone operation will succeed. But afterwards, any data manipulation over encrypted data will fail.
- If the source PDB does not have its own master key (no records in V$ENCRYPTION_KEYS) and during clone operation a recovery needs to be done over encrypted data, the clone operation will fail.