It's been a while since my last post, just seem to get out of the habit of posting and have been preparing a presentation which I'm due to give Wednesday at UKOUG, but I had to post this topic I've discovered over the past few days.
Initially I resisted posting as I thought I must have missed something but it seems not......
So as you may have been aware we've been using Azure quite a bit this past 6 months. This past 2 weeks we were doing another trial of something and, being lazy again, I thought rather than ordering an IaaS machine and then setting all the Oracle users and kernel parameters etc. I would just use a prebuilt image from the Azure marketplace which comes with Oracle all pre-setup ready for me to just create a database.
So I went ahead and ordered that - see screenshot below
This all ordered fine and after updating the hosts file with my server name (everything else seemed to be auto done) I went ahead and created a database with dbca.
This all ran through fine and the dbca left me with a working database.
However this is when it got a little interesting.....
This is what happened when I tried to add a tablespace.....
SQL> create tablespace rich datafile '/oradata/rich01.dbf' size 8M;
create tablespace rich datafile '/oradata/rich01.dbf' size 8M
*
ERROR at line 1:
ORA-28365: wallet is not open
What?
I'm not meant to be using TDE - what's going on here?
Maybe there is something screwy with dbca or the template (I don't normally use dbca) - let's try and create a database manually just running catalog/catproc....
And the same thing happens - what is going on?
Let's check the alert log:
create tablespace rich datafile '/oradata/rich01.dbf' size 8M
Force tablespace RICH to be encrypted with AES128
ORA-28365 signalled during: create tablespace rich datafile '/oradata/rich01.dbf' size 8M...
Hmm - that's even more interesting - seems there is some forced encryption of tablespaces feature kicking in - which as far as I know doesn't exist in 12.1 (at least not outside of Oracle public cloud).
It looks to me like somehow Oracle have uploaded their public cloud image (where I think this has been implemented) to Azure and are making that available - but without the wallet/TDE bits to actually make it work.
I think this is a custom version of the Oracle binary making this happen - there is nothing in 12.1 that makes tablespaces forced to be encrypted, is there?
Anyone know?
For reference the version of the software in the image is 12.1.0.2.160119.
To further confirm my suspicion I installed 12.1.0.2 myself on the same server and it works fine without this issue.
What amazes me though is that this image is unusable but it is the one Oracle have published to the Azure cloud. I can't be the first person to have the issue surely?
Anyone else aware of this happening?
Is this how it behaves in Oracle public cloud where I assume the TDE stuff is working correctly?
Oh and by the way it doesn't seem fixable - any amount of messing around with wallets etc. does not seem to resolve this.......
Anyone would think Oracle don't want people to use Azure.....
Next they'll be revoking licence included options for Oracle ... oh hold on they already did that.....
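The alert-log signature quoted above (a "Force tablespace ... to be encrypted" message followed by ORA-28365) can be searched for across hosts built from a marketplace image. The following is an added example, not part of the original post; the function name and the sample log are constructed for illustration, using the line formats shown in the post.

```python
import re

# Constructed sample: the three alert-log lines quoted in the post, plus a
# constructed CREATE TABLESPACE that completes without forced encryption.
SAMPLE_ALERT_LOG = """\
create tablespace rich datafile '/oradata/rich01.dbf' size 8M
Force tablespace RICH to be encrypted with AES128
ORA-28365 signalled during: create tablespace rich datafile '/oradata/rich01.dbf' size 8M...
create tablespace plain datafile '/oradata/plain01.dbf' size 8M
Completed: create tablespace plain datafile '/oradata/plain01.dbf' size 8M
"""

FORCED = re.compile(r"^Force tablespace (\S+) to be encrypted with (\S+)", re.I)
ORA_ERR = re.compile(r"^(ORA-\d{5}) signalled during: (.*)$")
CREATE_TS = re.compile(r"create\s+tablespace\s+(\S+)", re.I)


def find_forced_encryption(log_text):
    """Return one record per forced-encryption message, together with any
    ORA error later signalled for a CREATE TABLESPACE of the same name."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        forced = FORCED.match(line)
        if forced:
            name = forced.group(1).upper()
            findings[name] = {"tablespace": name,
                              "algorithm": forced.group(2),
                              "error": None}
            continue
        err = ORA_ERR.match(line)
        if err:
            # Tie the error back to the tablespace named in the failed DDL.
            ddl = CREATE_TS.search(err.group(2))
            if ddl and ddl.group(1).upper() in findings:
                findings[ddl.group(1).upper()]["error"] = err.group(1)
    return list(findings.values())


if __name__ == "__main__":
    for f in find_forced_encryption(SAMPLE_ALERT_LOG):
        print(f"{f['tablespace']}: forced {f['algorithm']}, error={f['error']}")
```

A record with `error` set to ORA-28365 means encryption was forced but no wallet was open, which is the state described in the post.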
If it were 12.2 I would think it were the "ENCRYPT_NEW_TABLESPACES=CLOUD_ONLY" or "ENCRYPT_NEW_TABLESPACES=ALWAYS" parameter setting. I wonder if they have back-ported that to this build of 12.1 for the cloud?
Oracle use TDE for all their cloud stuff, irrespective of options bought. I wonder if they have done something similar for this Azure build?
Cheers
Tim...