转://oracle Wallet在expdp/impdp中使用场景
oracle Wallet的使用(即内部加密技术TDE(Transparent Data Encryption ))
1. TDE是Oracle10gR2中推出的一个新功能,使用时要保证Oracle版本是在10gR2或者以上
--查看oracle版本:
select * from v$version;
2、创建一个新目录,并指定为Wallet目录
D:\oracle\product\10.2.0\admin\ora10\ora_wallet
3. 设置wallet目录,在参数文件sqlnet.ora中(window+f,在你安装盘区查找sqlnet.ora),按照下面的格式加入信息:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
(METHOD_DATA=(DIRECTORY=D:\oracle\product\10.2.0\admin\ora10\ora_wallet)))
4. 创建master key文件,指定wallet密码,使用SYS用户登入系统,建立加密文件
SQL> alter system set encryption key identified by "wallet";
System altered
-- 密码"wallet"不加引号时,后面使用时也不需要用引号
此时在设置的目录下,多出一个Personal Information Exchange类型的文件,相当于我们生成的master key文件。D:\oracle\product\10.2.0\admin\ora10\ora_wallet\ewallet.p12
5、启动、关闭Wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet"
ORA-28354: wallet 已经打开
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE; --关闭
System altered
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet"; --打开
System altered
到此,已经成功配置了Wallet,创建了master key。
使用datapump传输加密表请先确认TDE Encryption wallet状态 2014-10-07 17:30:02
分类: Oracle
这里讨论的是列加密模式,即具有TDE encrypted column的表如何在源库、目标库之间通过expdp、impdp进行传输。前提是源库和目标库上的encryption wallet都必须处于open状态,如果源库或者目标库有任何一侧的wallet没有open,都会引起导入或者导出操作的失败。以下列举了容易引起导入导出失败的一些场景,帮我们更进一步的理解TDE的工作过程。
场景1:导出时源库encryption wallet处于open状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于open状态
---源库wallet处于open状态下进行导出
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
create table t13 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t13 values('A','11');
commit;
expdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=exp_t13.log reuse_dumpfiles=yes
Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=exp_t13.log reuse_dumpfiles=yes
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 8 MB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "SCOTT"."T13" 5.406 KB 1 rows
ORA-39173: Encrypted data has been stored unencrypted in dump file set.
Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:
/oradata01/hisdmp/monthly/t13.dmp
Job "SCOTT"."SYS_EXPORT_TABLE_01" completed with 1 error(s) at 16:21:16
scp /oradata01/hisdmp/monthly/t13.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,成功导入
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
impdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
. . imported "SCOTT"."T13" 5.406 KB 1 rows
Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 16:20:47
场景2:导出时源库encryption wallet处于open状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于close状态
---源库wallet处于open状态下进行导出
步骤同场景1
--目标库wallet处于close状态,导入失败
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
---ORA-28365因wallet close所以无法创建encrypted column
impdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log;
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log
Processing object type TABLE_EXPORT/TABLE/TABLE
ORA-39083: Object type TABLE:"SCOTT"."T13" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "SCOTT"."T13" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 16:22:17
场景3:导出时源库encryption wallet处于close状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于open状态
---源库导出时wallet处于close状态
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
create table t14 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t14 values('B','22');
commit;
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
---因为wallet处于close,所以无法对表中加密列的数据进行解密,在接下来导入的时候可以看到仅导入了表结构
expdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=exp_t14.log reuse_dumpfiles=yes;
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=exp_t14.log reuse_dumpfiles=yes
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 8 MB
Processing object type TABLE_EXPORT/TABLE/TABLE
ORA-31693: Table data object "SCOTT"."T14" failed to load/unload and is being skipped due to error:
ORA-29913: error in executing ODCIEXTTABLEPOPULATE callout
ORA-28365: wallet is not open
ORA-39173: Encrypted data has been stored unencrypted in dump file set.
Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:
/oradata01/hisdmp/monthly/t14.dmp
Job "SCOTT"."SYS_EXPORT_TABLE_01" completed with 2 error(s) at 16:31:12
scp /oradata01/hisdmp/monthly/t14.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库导入
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
---导入部分成功,字段维持加密状态
impdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
Processing object type TABLE_EXPORT/TABLE/TABLE
Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 16:32:50
select owner,table_name,column_name from dba_encrypted_columns where table_name='T14';
OWNER TABLE_NAME COLUMN_NAME
------------------------------ ------------------------------ ------------------------------
SCOTT T14 C1
---但查询无内容,只把表结构导入了进来,没有任何数据
select * from scott.t14
no rows selected
---检查t14表的加密key并和orapki命令输出的相比较,impdp后表encrypted column自动使用了目标库的masterkey进行加密,证明源和目标库上的masterkey无需保持一致
col object_name format a13
col owner format a13
set linesize 120
select obj#,mkeyid,object_name,owner from enc$,dba_objects where object_id=obj#;
OBJ# MKEYID OBJECT_NAME OWNER
---------- ---------------------------------------------------------------- ------------- -------------
5553580 AZHXajyQJ08Iv5X80kXWLBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA T14 SCOTT
orapki wallet display -wallet /oradata06/wallet
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.AZHXajyQJ08Iv5X80kXWLBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.TS.ENCRYPTION.BS8N9QmwrZrPOcpY6aJPnZYCAwAAAAAAAAAAAAAAAAAAAAAAAAAA
Trusted Certificates:
场景4:导出时源库encryption wallet处于close状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于close状态
---源库导出时wallet处于close状态
导出步骤同场景3,
---目标库导入
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
drop table scott.t14;
***目标库的encryption wallet close,出现ORA-28353在意料之中
impdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
Processing object type TABLE_EXPORT/TABLE/TABLE
ORA-39083: Object type TABLE:"SCOTT"."T14" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "SCOTT"."T14" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_
Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 16:37:21
场景5:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ENCRYPTED_COLUMNS_ONLY在dumpfile中对加密列以加密方式存储;导入时目标库wallet处于open状态
---源库导出,wallet处于open状态
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
create table t15 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t15 values('C','33');
commit;
---注意这里只能使用password模式,不能使用transparent和dual模式
expdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=exp_t15.log reuse_dumpfiles=yes encryption=ENCRYPTED_COLUMNS_ONLY encryption_password=tde_1234;
Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=exp_t15.log reuse_dumpfiles=yes encryption=ENCRYPTED_COLUMNS_ONLY encryption_password=********
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 8 MB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "SCOTT"."T15" 5.460 KB 1 rows
Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:
/oradata01/hisdmp/monthly/t15.dmp
Job "SCOTT"."SYS_EXPORT_TABLE_01" successfully completed at 17:27:06
scp /oradata01/hisdmp/monthly/t15.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,成功导入
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
impdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=tde_1234
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=********
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
. . imported "SCOTT"."T15" 5.460 KB 1 rows
Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 17:28:58
场景6:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ENCRYPTED_COLUMNS_ONLY在dumpfile中对加密列以加密方式存储;导入时目标库wallet处于close状态
---源库导出,wallet处于open状态
导出步骤同场景5
---关闭目标库的encryption wallet
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
---ORA-28365因wallet close所以无法创建encrypted column
impdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=tde_1234
ORA-39002: invalid operation
ORA-39180: unable to encrypt ENCRYPTION_PASSWORD
ORA-28365: wallet is not open
场景7:导出时源库encryption wallet处于close状态,使用ENCRYPTION=ENCRYPTED_COLUMNS_ONLY在dumpfile中对加密列以加密方式存储;因导出即失败所以无法继续进行导入
---源库导出,导出时wallet处于close状态
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
create table t16 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t16 values('C','33');
commit;
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
---注意这里只能使用password模式,不能使用transparent和dual模式,之所以报错是因为使用password对encrypted column在导出时进行加密之前必须先用masterkey对encrypted列进行解密,对解密的结果再进行加密,而这时wallet close无法获取到masterkey,所以加密过程就无法继续
expdp scott/abcd_1234 directory=hisdmp dumpfile=t16.dmp tables=t16 logfile=exp_t16.log reuse_dumpfiles=yes encryption=ENCRYPTED_COLUMNS_ONLY encryption_password=tde_1234;
ORA-39001: invalid argument value
ORA-39180: unable to encrypt ENCRYPTION_PASSWORD
ORA-28365: wallet is not open
场景8:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于open状态,并分别对上述两种模式下导出的dumpfile进行导入
---源库导出,wallet处于open状态
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
create table t17 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t17 values('C','33');
commit;
---分别使用transparent和password两种模式进行导出
***transparent模式
expdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=exp_t17t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent
Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=exp_t17t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 8 MB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "SCOTT"."T17" 5.414 KB 1 rows
Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:
/oradata01/hisdmp/monthly/t17t.dmp
Job "SCOTT"."SYS_EXPORT_TABLE_01" successfully completed at 21:00:06
***password模式
expdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=exp_t17p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=tde_1234;
Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=exp_t17p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=********
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 8 MB
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "SCOTT"."T17" 5.414 KB 1 rows
Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:
/oradata01/hisdmp/monthly/t17p.dmp
Job "SCOTT"."SYS_EXPORT_TABLE_01" successfully completed at 21:01:18
scp /oradata01/hisdmp/monthly/t17t.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
scp /oradata01/hisdmp/monthly/t17p.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,分别导入transparent、password模式导出的dmp
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
---导入以encryption_mode=transparent方式导出的t17t.dmp,因源、目标库的masterkey不一致发生了ORA-28362,进一步导致ORA-39189目标库无法解密由源库masterkey加密的dumpfile
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=imp_t17t.log
ORA-39002: invalid operation
ORA-39189: unable to decrypt dump file set
ORA-28362: master key not found
---导入以encryption_mode=password方式导出的t17p.dmp,导入成功
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17p.log encryption_password=tde_1234
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17p.log encryption_password=********
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
. . imported "SCOTT"."T17" 5.414 KB 1 rows
Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 21:03:14
场景9:导出时源库encryption wallet处于open状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于close状态,并分别对上述两种模式下导出的dumpfile进行导入
--源库导出,wallet处于open状态
导出过程同场景8
--关闭目标库的encryption wallet,再次尝试以上两种导入
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
---尝试导入以encryption=transparent方式导出的t17t.dmp,因目标库wallet close无法找到解密dmpfile所需的masterkey,导入失败
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=imp_t17t.log
ORA-39002: invalid operation
ORA-39189: unable to decrypt dump file set
ORA-28365: wallet is not open
---尝试导入以encryption=password方式导出的t17p.dmp,能够解密出dmpfile,但是因目标库wallet close,所以无法创建encrypted columns
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17t.log encryption_password=tde_1234
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17t.log encryption_password=********
Processing object type TABLE_EXPORT/TABLE/TABLE
ORA-39083: Object type TABLE:"SCOTT"."T17" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "SCOTT"."T17" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 21:09:10
场景10:导出时源库encryption wallet处于close状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于open状态,并分别对上述两种模式下导出的dumpfile进行导入
---源库导出,导出时wallet处于close状态
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
create table t18 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t18 values('C','33');
commit;
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
---分别使用transparent和password两种模式,前者需要masterkey加密dmpfile,后者需要先用masterkey解密encrypted columns后再用password加密,两者都需要wallet open,但实际wallet处于close状态,所以这两种导出都有问题
--transparent模式导出失败
expdp scott/abcd_1234 directory=hisdmp dumpfile=t18t.dmp tables=t18 logfile=exp_t18t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent
ORA-39002: invalid operation
ORA-39188: unable to encrypt dump file set
ORA-28365: wallet is not open
--password模式导出,仅导出了表结构,因为无法使用masterkey Decrypt加密列
expdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=exp_t18p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=tde_1234;
Starting "SCOTT"."SYS_EXPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=exp_t18p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=********
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 8 MB
Processing object type TABLE_EXPORT/TABLE/TABLE
ORA-31693: Table data object "SCOTT"."T18" failed to load/unload and is being skipped due to error:
ORA-29913: error in executing ODCIEXTTABLEPOPULATE callout
ORA-28365: wallet is not open
Master table "SCOTT"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SCOTT.SYS_EXPORT_TABLE_01 is:
/oradata01/hisdmp/monthly/t18p.dmp
Job "SCOTT"."SYS_EXPORT_TABLE_01" completed with 1 error(s) at 21:17:11
scp /oradata01/hisdmp/monthly/t18p.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,导入encryption_mode=transparent方式导出的t18p.dmp
因该方式下导出dmpfile失败,所以略去
---目标库wallet处于open状态,导入encryption_mode=password方式导出的t18p.dmp
alter system set encryption wallet open identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
OPEN
impdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18p.log encryption_password=tde_1234
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18p.log encryption_password=********
Processing object type TABLE_EXPORT/TABLE/TABLE
Job "SCOTT"."SYS_IMPORT_TABLE_01" successfully completed at 21:22:05
***检查t18表无内容,仅有表结构,相当于expdp时指定了encryption=metadata_only
SQL> select * from scott.t18;
no rows selected
场景11:导出时源库encryption wallet处于close状态,使用ENCRYPTION=ALL在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于close状态,并分别对上述两种模式下导出的dumpfile进行导入
---源库导出,导出时wallet处于close状态
导出步骤同场景10
--关闭目标库的encryption wallet,再次尝试以上导入
alter system set encryption wallet close identified by "tde_1234";
select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/oradata06/wallet
CLOSED
---尝试导入encryption_mode=transparent方式导出的t18p.dmp
因该方式下导出dmpfile失败,所以略去
---尝试导入以encryption=password方式导出的t18p.dmp,因目标库wallet close,无法创建encrypted columns,导入失败
impdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18t.log encryption_password=tde_1234
Master table "SCOTT"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SCOTT"."SYS_IMPORT_TABLE_01": scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18t.log encryption_password=********
Processing object type TABLE_EXPORT/TABLE/TABLE
ORA-39083: Object type TABLE:"SCOTT"."T18" failed to create with error:
ORA-28365: wallet is not open
Failing sql is:
CREATE TABLE "SCOTT"."T18" ("C1" VARCHAR2(1 BYTE) ENCRYPT USING 'AES192' 'SHA-1', "C2" VARCHAR2(2 BYTE)) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING STORAGE(INITIAL 8388608 NEXT 8388608 MINEXTENTS 1 MAXEXTENTS 2147483645 PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT) TABLESPACE "TS_
Job "SCOTT"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at 21:24:04
针对实验场景的结果归纳如下:
源库expdp时的encryption wallet状态 |
能否正常导出加密表 |
目标库impdp时的encryption wallet状态 |
Expdp参数Encryption_mode取值 |
Expdp参数Encryption取值 |
导入结果 |
Open |
能 |
Open |
无 |
无 |
正常 |
Open |
能 |
Close |
无 |
无 |
失败 |
Close |
能 |
Open |
无 |
无 |
仅表结构 |
Close |
能 |
Close |
无 |
无 |
失败 |
Open |
能 |
Open |
password |
ENCRYPTED_COLUMNS_ONLY |
正常 |
Open |
能 |
Close |
password |
ENCRYPTED_COLUMNS_ONLY |
失败 |
Close |
否 |
- |
password |
ENCRYPTED_COLUMNS_ONLY |
- |
Open |
能 |
Open |
transparent |
ALL |
失败 |
Open |
能 |
Open |
password |
ALL |
正常 |
Open |
能 |
Close |
transparent |
ALL |
失败 |
Open |
能 |
Close |
password |
ALL |
失败 |
Close |
否 |
- |
transparent |
ALL |
- |
Close |
能 |
open |
password |
All |
仅表结构 |
Close |
能 |
Close |
password |
All |
失败 |
总结:
含有加密列的表进行导出、导入时:
1、 源库上执行导出操作时encryption wallet只有处于open状态才能导出完整的内容,如果是close的情况下一般会把表结构导出(但encryption= ENCRYPTED_COLUMNS_ONLY和encryption_mode=transparent两种情况除外,这两种情况连表结构都不会导出,直接报错退出)
2、目标库执行导入操作时,需要先对dumpfile文件进行解密(如果expdp出来的时候进行了加密),再用自己的masterkey重新对表进行加密,这两个步骤中任意一个有问题都会引起导入失败
3、如果安全上允许建议启用auto login encryption wallet,数据库重启后会自动open
转://oracle Wallet在expdp/impdp中使用场景的更多相关文章
- Oracle数据迁移expdp/impdp
Oracle数据迁移expdp/impdp目的:指导项目侧自行进行简单的数据泵迁移工作. 本文实验环境:Oracle 11.2.0.4,利用数据库自带的scott示例用户进行试验测试. 1.首先需要创 ...
- ORACLE 数据泵 expdp/impdp
ORACLE 数据泵 expdp/impdp 一.概念 Oracle Database 10g 引入了最新的数据泵(Data Dump)技术,数据泵导出导入 (EXPDP 和 IMPDP)的作用: 1 ...
- Oracle expdp impdp中 exclude/include 的使用
exclude和include参数能够在使用expdp或impdp是对特定的对象或对象类型进行筛选或过滤.比如因工作的需要导出特定的表或不导出特定的表.视图以及存储过程.索引.约束.授权统计信息等等. ...
- expdp impdp中 exclude/include 的使用
exclude和include参数能够在使用expdp或impdp是对特定的对象或对象类型进行筛选或过滤.比如因工作的需要导出特定的表或不导出特定 的表.视图以及存储过程.索引.约束.授权统计信息等等 ...
- Oracle 11g 数据库 expdp/impdp 全量导入导出
从一个用户导出导入到另一个用户 问题 环境:oracle 11g; redhat 6 usera是具有DBA权限,密码为usera 全量导出usera用户下的所有内容,并导入到新建的userb用户 解 ...
- oracle导出/导入 expdp/impdp
Oracle使用EXPDP和IMPDP数据泵进行导出导入的方法(常用方法) 使用expdp和impdp时应该注重的事项: 1.exp和imp是客户端工具程序,它们既可以在客户端使用,也可以在服务端使用 ...
- Oracle数据库备份 expdp/impdp导出导入命令
使用EXPDP和IMPDP时应该注意的事项: EXP和IMP是客户端工具程序,它们既可以在客户端使用,也可以在服务端使用. EXPDP和IMPDP是服务端的工具程序,他们只能在ORACLE服务端使用, ...
- Oracle exp,imp,expdp,impdp数据导入导出
一.导出模式(三种模式)及命令格式 1. 全库模式 exp 用户名/密码@网络服务名 full=y file=路径\文件名.dmp log=路径\文件名.log 2. 用户模式(一般情况下采用此模式) ...
- Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(下)
<Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(上)> <Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(下)> 目的:指导项 ...
随机推荐
- 聊聊ES7与ES8特性
译者按: 转眼ES6发布2年了,是时候了解一下ES7与ES8特性了! 原文: ES7 and ES8 Features 译者: Fundebug 为了保证可读性,本文采用意译而非直译,并且对源代码进行 ...
- 预览github代码
方法一:最简单的方法,在代码的url前面加上: http://htmlpreview.github.com/? 方法二: 使用Githubpages, 方法一有可能会修改css样式,不过方法二略复杂, ...
- git方式安装thinkphp5
1.thinkphp 的github 代码版本地址:https://github.com/top-think 2. 点击think 复制 地址 3. 新建thinkphp5 文件夹 git clone ...
- 通过JS生成由字母与数字组合的随机字符串
在项目中可能需要随机生成字母数字组成的字符,如生成3-32位长度的字母数字组合的随机字符串(位数不固定)或者生成43位随机字符串(位数固定) 使用Math.random()与toString()方法的 ...
- 【机器学习基本理论】详解最大似然估计(MLE)、最大后验概率估计(MAP),以及贝叶斯公式的理解
[机器学习基本理论]详解最大似然估计(MLE).最大后验概率估计(MAP),以及贝叶斯公式的理解 https://mp.csdn.net/postedit/81664644 最大似然估计(Maximu ...
- 如何用ABP框架快速完成项目(9) - 用ABP一个人快速完成项目(5) - 不要执着于设计模式和DDD理论,避免原教旨主义
为什么要写这节文章呢? 首先主动看我这系列文章和参加活动课程的同学, 肯定是积极好学的. 所以很大概率是学过设计模式和DDD理论的. 很大概率不是走一点都不懂设计模式和DDD理论这个极端, 而是走 ...
- Android图片的Base64编码与解码
Base64是网络上最常见的用于传输8Bit字节码的编码方式之一,Base64就是一种基于64个可打印字符来表示二进制数据的方法. Base64编码是从二进制到字符的过程,可用于在HTTP环境下传递较 ...
- Android为TV端助力 史上最简单易懂的跨进程通讯(Messenger)!
不需要AIDL也不需要复杂的ContentProvider,也不需要SharedPreferences或者共享存储文件! 只需要简单易懂的Messenger,它也称为信使,通过它可以在不同进程中传递m ...
- Node.js学习起步
Node.js学习: 简单的说 Node.js 就是运行在服务端的 JavaScript.Node.js 是一个基于Chrome JavaScript 运行时建立的一个平台.Node.js是一个事件驱 ...
- leetcode-67.二进制求和
leetcode-67.二进制求和 Points 数组 数学 题意 给定两个二进制字符串,返回他们的和(用二进制表示). 输入为非空字符串且只包含数字 1 和 0. 示例 1: 输入: a = &qu ...