Cloning a Remote PDB Using DBLink in a TDE-Enabled Oracle Database

Cloning a Remote PDB Using DBLink in a TDE-Enabled Oracle Database

Prerequisites

Before proceeding with cloning a Pluggable Database (PDB) from a remote container database (CDB) using DBLink, ensure the following:

✅ TDE (Transparent Data Encryption) is enabled on both source and target databases.
✅ A valid DBLink exists between source and target CDBs.
✅ The PDB name is unique in the target CDB.
✅ Both CDBs have compatible parameters (e.g., compatible initialization parameter).
✅ The target database has enough storage to accommodate the cloned PDB.

1. Identify Source PDB on the Source Database Server

Check Available PDBs

SQL> show pdbs;

    CON_ID CON_NAME                OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                READ ONLY    NO
         3 PDB1                    READ WRITE   NO
         4 SPDB                  READ WRITE   NO  -- PDB to be cloned

Check the PDB Service Name

$ lsnrctl status | grep -i SPDB
Service "spdb.sub0x0xxxxx0x0.myvcn.oraclevcn.com" has 1 instance(s).

2. Create a User in the Source PDB

SQL> alter session set container=SPDB;

Session altered.

SQL> create user clone_user identified by mypassword1234#;

User created.

SQL> grant create session, create pluggable database to clone_user;

Grant succeeded.

GRANT DBA TO clone_user;

3. Configure TNS Entry on the Target Database Server

$ sudo su - oracle
$ cd $ORACLE_HOME/network/admin
$ vi tnsnames.ora

TNS Entry for SPDB

SPDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 129.xx.xx.xx)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = spdb.sub0x0xxxxx0x0.myvcn.oraclevcn.com)
    )
  )

Note: Replace HOST with the source database public IP.

Test the TNS Connection

$ tnsping SPDB

TNS Ping Utility for Linux: Version 12.2.0.1.0 - Production
OK (330 msec)

4. Create a Database Link on the Target Database

SQL> create database link SPDB_LINK connect to clone_user

 identified by "mypassword1234#" using 'SPDB';

Database link created.

Verify the Connection

SQL> alter session set global_names=FALSE;

Session altered.

SQL> select * from dual@SPDB_LINK;

D
-
X

Check Current PDBs on the Target Database

SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PDB1                           READ WRITE NO

5. Clone the Source PDB to the Target Database

First set ‘one_step_plugin_for_pdb_with_tde’ to TRUE, this parameter enables the target CDB to simplify the move of TDE keys in a single step PDB move operation. ONE_STEP_PLUGIN_FOR_PDB_WITH_TDE eliminates the need of having to manually provide a keystore password when you import the TDE keys into the PDB after it has moved to the target CDB.

Target CDB :

-- On Target CDB , Set this Parameter to TRUE :

ALTER SYSTEM SET one_step_plugin_for_pdb_with_tde=TRUE SCOPE=BOTH sid='*';

connect as sysdba

SQL> create pluggable database PDB2 from SPDB@SPDB_LINK 

KEYSTORE IDENTIFIED BY '<target_contianer_wallet_pwd>';

Pluggable database created.

Verify the Cloned PDB

SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PDB1                           READ WRITE NO
         5 PDB2                           MOUNTED           -- New PDB

Open the Cloned PDB

SQL> alter pluggable database PDB2 open;

Pluggable database altered.

Check Open Mode

SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PDB1                           READ WRITE NO
         5 PDB2                           READ WRITE NO  -- Opened in read/write

6. Test Tablespace Creation in the Cloned PDB

SQL> alter session set container=PDB2;

Session altered.

SQL> create tablespace TEST datafile '+DATA';

Tablespace created.

Verify Tablespace Encryption

SQL> select tablespace_name, status, encrypted from dba_tablespaces;

TABLESPACE_NAME                STATUS    ENC
------------------------------ --------- ---
SYSTEM                         ONLINE    NO
SYSAUX                         ONLINE    NO
UNDOTBS1                       ONLINE    NO
TEMP                           ONLINE    NO
USERS                          ONLINE    YES
TEST                           ONLINE    YES  -- New tablespace

7. Validate Wallet and PDB Plug-in Violations

Check Wallet Status at CDB Level

SQL> select * from v$encryption_wallet;

WRL_TYPE   WRL_PARAMETER                                   STATUS      WALLET_TYPE  CON_ID
---------  ---------------------------------------------  -----------  -----------  ------
FILE       /opt/oracle/dcs/commonstore/wallets/tde/DB12C2_xxx/  OPEN   AUTOLOGIN   1

Check for Plug-in Violations

SQL> select name, cause, type, message, status from 

PDB_PLUG_IN_VIOLATIONS where type = 'ERROR' and status <> 'RESOLVED';

No rows selected.

Check Wallet Status in the Cloned PDB

SQL> alter session set container=PDB2;

Session altered.

SQL> select * from v$encryption_wallet;

WRL_TYPE   WRL_PARAMETER                                   STATUS      WALLET_TYPE  CON_ID
---------  ---------------------------------------------  -----------  -----------  ------
FILE       /opt/oracle/dcs/commonstore/wallets/tde/DB12C2_xxx/  OPEN   AUTOLOGIN   5

By following these steps, we successfully cloned a remote PDB using a database link in a TDE-enabled Oracle environment. This method ensures that the cloned database remains encrypted and compliant with security standards

Please do like and subscribe to my youtube channel: https://www.youtube.com/@foalabs If you like this post please follow,share and comment