Implementing AWS DMS with an Oracle DB source and encrypted tablespaces

I recently implemented AWS DMS replication from an Oracle database source hosted in Oracle Cloud Infrastructure to AWS S3. We hit an issue because the Oracle tablespaces were encrypted with TDE, and the AWS DMS replication instance could not read the archive logs. This blog lists the steps taken to allow the DMS replication to occur.

Source DB:

Oracle Release 12.1.0.2.0

DB Location Oracle Infrastructure As a Service

Single Node

Non ASM

CDB/PDB

DMS Database user: AWSDMS

Oracle Tablespace encryption enabled.

Oracle Binary Reader was used as we had LOB columns.

Target: AWS S3

The source Oracle database was configured following the AWS documentation:

https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html

AWS Endpoints Configuration

The TDE master key value from the database wallet needs to be added to the endpoint's password, and the name of the matching wallet entry to the endpoint-specific settings.

Select the Oracle source endpoint you have configured.

Modify the Oracle source endpoint.

Both the password and the endpoint-specific settings of the source Oracle endpoint need to be added or updated to include the database encryption details.

Endpoint Password Entry

The endpoint's password field is three comma-separated values: the password of the DMS database user, the ASM password, and the TDE value used for securityDbEncryption. Put no spaces around the commas; if ASM is not used, leave the middle value empty so the two commas sit together.

Example (ASM is not used):

manager,,TXMTTSTTqTOt4LP42+pGXcMmHT2YTuhTYp+MYU8OXXly/5vbCO0DXTDdQoplfKgGyf5rYxjSPqVDBQsTXHcFBw08IT==

The third value is the TDE master key taken straight out of the wallet. Anyone holding it together with copies of the datafiles or archived logs can decrypt them, so treat the endpoint definition, and any notes or screenshots of it, with the same care as the wallet itself.

Endpoint Specific Settings

Example:

useLogMinerReader=N;useBfile=Y;addSupplementalLogging=Y;securityDbEncryptionName=ORACLE.SECURITY.DB.ENCRYPTION.AdSlnG9Zk23vwDFG8Z5Td0AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Getting the Endpoint settings from the source Oracle Database
Check DB Wallet Location

oracle> sqlplus "/ as sysdba"

select status, wrl_parameter, wallet_type

from v$encryption_wallet;

STATUS                         WRL_PARAMETER                                                WALLET_TYPE

------------------------------ ------------------------------------------------------------ --------------------

OPEN                           /u01/app/oracle/admin/XXXXX/tde_wallet/                      AUTOLOGIN

Display Wallet Contents

[oracle]$ orapki wallet display -wallet /u01/app/oracle/admin/XXXXX/tde_wallet -complete

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

Subject:        CN=oracle

User Certificates:

Oracle Secret Store entries:

ORACLE.SECURITY.DB.ENCRYPTION.XY+o/rhyt0/Nvyhp0UxsAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ORACLE.SECURITY.DB.ENCRYPTION.XYNvOz7ERT/tv4HobwFGdspAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY

ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.835687915GH2328T0587904000TE345

ORACLE.SECURITY.ID.ENCRYPTION.

ORACLE.SECURITY.KB.ENCRYPTION.

ORACLE.SECURITY.KM.ENCRYPTION.XY+o/rhyt0/Nvyhp0UxsAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ORACLE.SECURITY.KM.ENCRYPTION.XYNvOz7ERT/tv4HobwFGdspAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Trusted Certificates:

Get CDB Encryption Key

This CDB key ID is used for the AWS source endpoint settings. It matches the suffix of one of the ORACLE.SECURITY.DB.ENCRYPTION entries in the wallet listing above.

[oracle]$ sqlplus / as sysdba

SELECT KEY_ID

FROM V$ENCRYPTION_KEYS

WHERE ACTIVATION_TIME = (SELECT MAX(ACTIVATION_TIME)

                         FROM V$ENCRYPTION_KEYS

                         WHERE ACTIVATING_DBID = (SELECT DBID FROM V$DATABASE)); 

KEY_ID

------------------------------------------------------------------------------

XY+o/rhyt0/Nvyhp0UxsAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Get the Encrypted Password (you will need the wallet password)

[oracle]$ mkstore -wrl /u01/app/oracle/admin/XXXXXX/tde_wallet/ -viewEntry ORACLE.SECURITY.DB.ENCRYPTION.XY+o/rhyt0/Nvyhp0UxsAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Oracle Secret Store Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

ORACLE.SECURITY.DB.ENCRYPTION.XY+o/rhyt0/Nvyhp0UxsAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA = TXMTTSTTqTOt4LP42+pGXcMmHT2YTuhTYp+MYU8OXXly/5vbCO0DXTDdQoplfKgGyf5rYxjSPqVDBQsTXHcFBw08IT==

[oracle]$

Entries for the AWS source endpoint password

Database user password: the password of the DMS database user (AWSDMS)

ASM password (not implemented at this site): left empty, so the two commas sit together

TDE value (the wallet entry value shown by mkstore): TXMTTSTTqTOt4LP42+pGXcMmHT2YTuhTYp+MYU8OXXly/5vbCO0DXTDdQoplfKgGyf5rYxjSPqVDBQsTXHcFBw08IT==

Example (ASM is not used):

oracle,,TXMTTSTTqTOt4LP42+pGXcMmHT2YTuhTYp+MYU8OXXly/5vbCO0DXTDdQoplfKgGyf5rYxjSPqVDBQsTXHcFBw08IT==

Entries for the AWS Endpoint-specific settings

Note the securityDbEncryptionName value is the ORACLE.SECURITY.DB.ENCRYPTION. prefix followed by the CDB KEY_ID returned by the V$ENCRYPTION_KEYS query, i.e. the same wallet entry that was passed to mkstore.

useLogMinerReader=N;useBfile=Y;addSupplementalLogging=Y;securityDbEncryptionName=ORACLE.SECURITY.DB.ENCRYPTION.XY+o/rhyt0/Nvyhp0UxsAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Example DMS AWS Oracle DB Encryption Errors

Last Error Task error notification received from subtask 0, thread 0 [reptask/replicationtask.c:2673] [1022316] The specified Secret Store Encryption Entries were not used to encrypt Redo log '/u04/app/oracle/redo/redo02.log'.

Add the entry 'ORACLE.SECURITY.DB.ENCRYPTION.PTXyze8AS0/txdhkxwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'; Error executing source loop; Stream component failed at subtask 0, component st_0_4N255TUMG7TMESWT43KPMBOQ7E ; Stream component 'st_0_4N255TUMG7TMESWT43KPMBOQ7E' terminated [reptask/replicationtask.c:2680] [1022316] Stop Reason FATAL_ERROR Error Level FATAL

The entry named in the error is the key that actually encrypted the redo log DMS tried to read. You will see this when the endpoint was configured with the wrong wallet entry, or when the TDE master key has been changed since the endpoint was set up. In either case repeat the V$ENCRYPTION_KEYS and mkstore steps for the entry DMS asks for, and update both the password field and securityDbEncryptionName.
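To tie the steps above together, here is an added example (my code, not from the post's author, AWS or Oracle) that takes the captured orapki, V$ENCRYPTION_KEYS and mkstore output, checks that the KEY_ID really exists in the wallet, builds the two endpoint strings in the format described above, and pulls the entry name out of a DMS "Secret Store Encryption Entries were not used" error so a master key change can be spotted before anyone starts guessing. The tool outputs, key IDs and the secret value in it are constructed placeholders, not real key material.

```python
"""Assemble and sanity-check the AWS DMS Oracle TDE endpoint settings.

Added example for this post, not AWS or Oracle code. It works on text already
captured from orapki, sqlplus and mkstore, so it runs offline. The tool
outputs below are constructed for the example; key IDs and the secret value
are placeholders, not real key material.
"""
import re

PREFIX = "ORACLE.SECURITY.DB.ENCRYPTION."

# Placeholder CDB KEY_ID, as the V$ENCRYPTION_KEYS query would return it
CDB_KEY_ID = "XY+o/rhyt0/Nvyhp0UxsAG4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# Placeholder value of that wallet entry, as mkstore -viewEntry would print it
TDE_VALUE = ("TXMTTSTTqTOt4LP42+pGXcMmHT2YTuhTYp+MYU8OXXly/5vbCO0DXTDdQoplfKgGyf5r"
             "YxjSPqVDBQsTXHcFBw08IT==")
# Placeholder key ID that a changed master key would leave in the redo logs
ROTATED_KEY_ID = "PTXyze8AS0/txdhkxwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Constructed stand-in for: orapki wallet display -wallet <dir> -complete
ORAPKI_OUTPUT = "\n".join([
    "Oracle Secret Store entries:",
    PREFIX + CDB_KEY_ID,
    PREFIX + "XYNvOz7ERT/tv4HobwFGdspAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    PREFIX + "MASTERKEY",
    "ORACLE.SECURITY.KM.ENCRYPTION." + CDB_KEY_ID,
    "Trusted Certificates:",
])
# Constructed stand-in for: mkstore -wrl <dir> -viewEntry <entry>
MKSTORE_OUTPUT = "Enter wallet password:\n" + PREFIX + CDB_KEY_ID + " = " + TDE_VALUE + "\n"
# Constructed stand-in for the DMS task error quoted on this page
DMS_ERROR = ("The specified Secret Store Encryption Entries were not used to encrypt "
             "Redo log '/u04/app/oracle/redo/redo02.log'. Add the entry '"
             + PREFIX + ROTATED_KEY_ID + "';")


def wallet_key_entries(orapki_text):
    """Per-key ORACLE.SECURITY.DB.ENCRYPTION.<key id> entries from the wallet listing.
    The MASTERKEY alias and the KM/ID/KB entries are not what DMS wants."""
    lines = [ln.strip() for ln in orapki_text.splitlines()]
    return [ln for ln in lines
            if ln.startswith(PREFIX) and not ln.startswith(PREFIX + "MASTERKEY")]


def security_db_encryption_name(key_id, wallet_entries):
    """securityDbEncryptionName is the prefix plus the CDB KEY_ID; fail early if
    the wallet does not hold that entry (wrong wallet directory or stale key)."""
    name = PREFIX + key_id
    if name not in wallet_entries:
        raise ValueError("%s is not in the wallet listing" % name)
    return name


def tde_secret_value(mkstore_text, key_id):
    """Extract <value> from the 'DB.ENCRYPTION.<key id> = <value>' line mkstore prints."""
    pat = re.compile(r"DB\.ENCRYPTION\." + re.escape(key_id) + r"\s*=\s*(\S+)", re.M)
    m = pat.search(mkstore_text)
    if m is None:
        raise ValueError("no mkstore value for key id %s" % key_id)
    return m.group(1)


def endpoint_password(db_password, tde_value, asm_password=""):
    """DMS Oracle endpoint password field: '<db pw>,<asm pw>,<tde value>'.
    No ASM leaves the double comma; a comma inside any field would shift the
    others, so refuse it rather than emit a silently wrong string."""
    for field in (db_password, asm_password, tde_value):
        if "," in field:
            raise ValueError("endpoint password fields may not contain commas")
    return "%s,%s,%s" % (db_password, asm_password, tde_value)


def extra_connection_attributes(entry_name):
    """Binary Reader over BFILE plus the TDE entry, as used on this page."""
    return ";".join(["useLogMinerReader=N", "useBfile=Y", "addSupplementalLogging=Y",
                     "securityDbEncryptionName=" + entry_name])


def entry_requested_by_dms(error_text):
    """Wallet entry a 'Secret Store Encryption Entries were not used' error asks for.
    Accepts straight or curly quotes, since copied log text often carries either."""
    m = re.search(r"Add the entry [‘'](ORACLE\.SECURITY\.DB\.ENCRYPTION\.[^’']+)[’']",
                  error_text)
    return m.group(1) if m else None


def key_rotated(error_text, configured_entry):
    """True when DMS asks for a different entry than the endpoint carries, which is
    what a changed TDE master key (or a mis-typed entry) looks like from DMS."""
    wanted = entry_requested_by_dms(error_text)
    return wanted is not None and wanted != configured_entry


if __name__ == "__main__":
    entries = wallet_key_entries(ORAPKI_OUTPUT)
    name = security_db_encryption_name(CDB_KEY_ID, entries)
    value = tde_secret_value(MKSTORE_OUTPUT, CDB_KEY_ID)
    print("password field:", endpoint_password("oracle", value))
    print("extra attrs   :", extra_connection_attributes(name))
    print("key changed   :", key_rotated(DMS_ERROR, name))
```

Run it with the real orapki and mkstore output pasted into the two constants (or read from files) and it will refuse to build the settings when the KEY_ID from V$ENCRYPTION_KEYS is not in the wallet, which is the usual reason the first attempt at this setup fails. The strings it prints contain the master key, so do not leave them in shell history or tickets.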
