Monday, June 28, 2021

ORA-12696: Double Encryption Turned On Even When IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE is Set

The error "ORA-12696: Double Encryption Turned On, login disallowed" is an expected one when both SSL and Native encryption (ANO) is enabled. By default Oracle doesn't allow both encryption types and return the above error.

However, there is a parameter that could be set so that ANO is ignored for TCPS connections. The parameter is called IGNORE_ANO_ENCRYPTION_FOR_TCPS and setting this to TRUE would allow both TCP with ANO and TCPS connections to be used concurrently.
While settting up this configuration the connections for TCPS were failing with ORA-12696. The parameter IGNORE_ANO_ENCRYPTION_FOR_TCPS could be set on either sqlnet.ora or in the TNS alias. No matter where it was set, the TCPS connections kept getting the above error. It was puzzling as the documentation was followed to the letter.



Apparently the issue is with documetnation. The parameter is actaully called "SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS" (visible on the step 4 below). However the documentation where it shows how to set it and helpful copy buttons all ignore the "SQLNET." part. See below for current documentation at the time of this blog post.

MOS Doc 2614143.1 which also address the same issue shows it being set as IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE (though the sqlnet.ora content shown in the same MOS has it set correctly).
SR was raised to correct the documentation so that parameter is reflected correctly with the prefix SQLNET. similar to other parameters such as SQLNET.ENCRYPTION_CLIENT, SQLNET.ENCRYPTION_TYPES_CLIENT and etc which all has been documented with SQLNET. prefix.
Only place this is correctly reflected (time of this blog) is in net services reference guide (which helped to identify the root cause of the issue).
When setting this on the TNS alias then the parameter could be with sqlnet. prefix or without it(documentation is correct for this setting).

Saturday, June 19, 2021

Installing Oracle Restart Without ASM

By default Oracle resstart requires at least one ASM disk group to be created during the installation. This post shows steps for installing Oracle restart without creating any ASM disk group.
1. First step in this process is to install the grid infrastructure using the "software only" option. If OUI is used this will be the "Set up Software Only" option. For this post the test steup was done using the grid response file. The response file indicate which section to fill to do a software only instllation.
## To register software for 'Grid Infrastructure'                            ##
##  - Fill out sections A,B and D                                            ##
##  - Provide the cluster nodes in section D when choosing CRS_SWONLY as     ##
##    installation option in section A                                       ##
Section A consists of information for oraIneventory, oracle base and installation option.
#-------------------------------------------------------------------------------
# Specify the location which holds the inventory files.
# This is an optional parameter if installing on
# Windows based Operating System.
#-------------------------------------------------------------------------------
INVENTORY_LOCATION=/opt/app/oraInventory

#-------------------------------------------------------------------------------
# Specify the installation option.
# Allowed values: CRS_CONFIG or HA_CONFIG or UPGRADE or CRS_SWONLY or HA_SWONLY
#   - CRS_CONFIG  : To register home and configure Grid Infrastructure for cluster
#   - HA_CONFIG   : To register home and configure Grid Infrastructure for stand alone server
#   - UPGRADE     : To register home and upgrade clusterware software of earlier release
#   - CRS_SWONLY  : To register Grid Infrastructure Software home (can be configured for cluster
#                   or stand alone server later)
#   - HA_SWONLY   : To register Grid Infrastructure Software home (can be configured for stand
#                   alone server later. This is only supported on Windows.)
#   - CRS_ADDNODE : To add more nodes to the cluster
#   - CRS_DELETE_NODE : To delete nodes to the cluster
#-------------------------------------------------------------------------------
oracle.install.option=CRS_SWONLY

#-------------------------------------------------------------------------------
# Specify the complete path of the Oracle Base.
#-------------------------------------------------------------------------------
ORACLE_BASE=/opt/app/oracle
Section B specify ASM related privileged user groups. Even though ASM is not configured in this case, it is possible to use the same set of user group that would be used in a ASM setup. If not setup the group appropriatly for the enviornment being setup.
################################################################################
#                                                                              #
#                              SECTION B - GROUPS                              #
#                                                                              #
#   The following three groups need to be assigned for all GI installations.   #
#   OSDBA and OSOPER can be the same or different.  OSASM must be different    #
#   than the other two.                                                        #
#   The value to be specified for OSDBA, OSOPER and OSASM group is only for    #
#   Unix based Operating System.                                               #
#   These groups are not required for upgrades, as they will be determined     #
#   from the Oracle home to upgrade.                                           #
#                                                                              #
################################################################################
#-------------------------------------------------------------------------------
# The OSDBA_GROUP is the OS group which is to be granted SYSDBA privileges.
#-------------------------------------------------------------------------------
oracle.install.asm.OSDBA=asmdba

#-------------------------------------------------------------------------------
# The OSOPER_GROUP is the OS group which is to be granted SYSOPER privileges.
# The value to be specified for OSOPER group is optional.
# Value should not be provided if configuring Client Cluster - i.e. storageOption=CLIENT_ASM_STORAGE.
#-------------------------------------------------------------------------------
oracle.install.asm.OSOPER=asmoper

#-------------------------------------------------------------------------------
# The OSASM_GROUP is the OS group which is to be granted SYSASM privileges. This
# must be different than the previous two.
#-------------------------------------------------------------------------------
oracle.install.asm.OSASM=asmadmin
Section D has many parameters but for Oracle restart setup only the following is needed to be filled, which specify the hostname.
################################################################################
#                                                                              #
#                           SECTION D - CLUSTER & GNS                         #
#                                                                              #
################################################################################
#-------------------------------------------------------------------------------
#
#-------------------------------------------------------------------------------
oracle.install.crs.config.clusterNodes=ip-172-31-7-187

#-------------------------------------------------------------------------------
2. Install the grid infrastructure using the response file.
./gridSetup.sh -silent -responseFile grid.rsp
3. At the end of the installation the grid infrastructure would be configured to an Oracle restart configuration by running roothas.sh in GI_HOME/crs/install as the root user.
./roothas.sh
Using configuration parameter file: /opt/app/oracle/product/19.x.0/grid/crs/install/crsconfig_params
The log of current session can be found at:
  /opt/app/oracle/crsdata/ip-172-31-12-240/crsconfig/roothas_2021-02-15_04-09-40PM.log
2021/02/15 16:09:41 CLSRSC-363: User ignored prerequisites during installation
Redirecting to /bin/systemctl restart rsyslog.service
LOCAL ADD MODE
Creating OCR keys for user 'oracle', privgrp 'oinstall'..
Operation successful.
LOCAL ONLY MODE
Successfully accumulated necessary OCR keys.
Creating OCR keys for user 'root', privgrp 'root'..
Operation successful.
CRS-4664: Node ip-172-31-12-240 successfully pinned.
2021/02/15 16:10:08 CLSRSC-330: Adding Clusterware entries to file 'oracle-ohasd.service'

ip-172-31-12-240     2021/02/15 16:12:24     /opt/app/oracle/crsdata/ip-172-31-12-240/olr/backup_20210215_161224.olr     1944883066
2021/02/15 16:12:25 CLSRSC-327: Successfully configured Oracle Restart for a standalone server
4. At this stage the resource states would be as below
Resource Name             Type                      Target             State              Host
-------------             ------                    -------            --------           ----------
ora.cssd                  ora.cssd.type             OFFLINE            OFFLINE
ora.diskmon               ora.diskmon.type          OFFLINE            OFFLINE
ora.evmd                  ora.evm.type              ONLINE             ONLINE             ip-172-31-7-187
ora.ons                   ora.ons.type              OFFLINE            OFFLINE
It is important to have the cssd status online. Without it, when managing the databases following errors is thrown
$ srvctl start database -db testfs
PRCD-1024 : Failed to retrieve instance list for database testfs
PRCR-1055 : Cluster membership check failed for node ip-172-31-12-240
5. Enable the cssd to auto start and restart HAS.
crsctl modify resource "ora.cssd" -attr "AUTO_START=1" -unsupported
crsctl stop has
crsctl start has -nowait

Resource Name             Type                      Target             State              Host
-------------             ------                    -------            --------           ----------
ora.cssd                  ora.cssd.type             ONLINE             ONLINE             ip-172-31-7-187
ora.diskmon               ora.diskmon.type          OFFLINE            OFFLINE
ora.evmd                  ora.evm.type              ONLINE             ONLINE             ip-172-31-7-187
ora.ons                   ora.ons.type              OFFLINE            OFFLINE


6. Add listener
srvctl add listener -endpoints tcp:1521
srvctl start listener

Resource Name             Type                      Target             State              Host
-------------             ------                    -------            --------           ----------
ora.LISTENER.lsnr         ora.listener.type         ONLINE             ONLINE             ip-172-31-7-187
ora.cssd                  ora.cssd.type             ONLINE             ONLINE             ip-172-31-7-187
ora.diskmon               ora.diskmon.type          OFFLINE            OFFLINE
ora.evmd                  ora.evm.type              ONLINE             ONLINE             ip-172-31-7-187
ora.ons                   ora.ons.type              OFFLINE            OFFLINE
7. Enable ONS if this is used for data guard and client failover is setup.
srvctl enable ons
srvctl start ons

Resource Name             Type                      Target             State              Host
-------------             ------                    -------            --------           ----------
ora.LISTENER.lsnr         ora.listener.type         ONLINE             ONLINE             ip-172-31-7-187
ora.cssd                  ora.cssd.type             ONLINE             ONLINE             ip-172-31-7-187
ora.diskmon               ora.diskmon.type          OFFLINE            OFFLINE
ora.evmd                  ora.evm.type              ONLINE             ONLINE             ip-172-31-7-187
ora.ons                   ora.ons.type              ONLINE             ONLINE             ip-172-31-7-187
8. Create the CDB. File system is given as the storage type for CDB and two directories are specified for datafileDestination and recoveryAreaDestination. These gets set to db_create_file_dest and db_recovery_file_dest since OMF is set to true. The CDB will be automatically registered with the HAS service and could be managed with srvctl commands.
dbca -createDatabase -gdbName testfs -templateName /home/oracle/New_Database.dbt 
-characterSet AL32UTF8 -emConfiguration DBEXPRESS 
-storageType FS -datafileDestination  /opt/data  
-recoveryAreaDestination /opt/fra 
-sysPassword testCDB1234 -systemPassword testCDB1234 
-createAsContainerDatabase true 
-memoryMgmtType AUTO_SGA  -enableArchive false 
-useOMF true  -nationalCharacterSet AL16UTF16 
-databaseConfigType SINGLE -silent

Resource Name             Type                      Target             State              Host
-------------             ------                    -------            --------           ----------
ora.LISTENER.lsnr         ora.listener.type         ONLINE             ONLINE             ip-172-31-7-187
ora.cssd                  ora.cssd.type             ONLINE             ONLINE             ip-172-31-7-187
ora.diskmon               ora.diskmon.type          OFFLINE            OFFLINE
ora.evmd                  ora.evm.type              ONLINE             ONLINE             ip-172-31-7-187
ora.ons                   ora.ons.type              ONLINE             ONLINE             ip-172-31-7-187
ora.testfs.db             ora.database.type         ONLINE             ONLINE             ip-172-31-7-187
9. Create the PDB
dbca -silent -createPluggableDatabase -pdbName testpdb -sourceDB $ORACLE_SID -createUserTableSpace true -pdbAdminPassword adminPBD123
10. If a data guard configuraiton is created from a similar setup and data guard broker is created then it will detect the presence of clusterware.
DGMGRL> validate database testfs2

  Database Role:     Physical standby database
  Primary Database:  testfs

  Ready for Switchover:  Yes
  Ready for Failover:    Yes (Primary Running)

  Managed by Clusterware:
    testfs :  YES
    testfs2:  YES
Related Posts
Oracle Extended Cluster Setup on 19c
Installing 19c (19.3) RAC on RHEL 7 Using Response File
Installing 18c (18.3) RAC on RHEL 7 with Role Separation - Clusterware
Installing 12cR2 (12.2.0.1) RAC on RHEL 6 with Role Separation - Clusterware
Installing 12c (12.1.0.2) Flex Cluster on RHEL 6 with Role Separation
Installing 12c (12.1.0.1) RAC on RHEL 6 with Role Separation - Clusterware
Installing 11gR2 (11.2.0.3) GI with Role Separation on RHEL 6
Installing 11gR2 (11.2.0.3) GI with Role Separation on OEL 6
Installing 11gR2 Standalone Server with ASM and Role Separation on RHEL 6
11gR2 Standalone Data Guard (with ASM and Role Separation)

Saturday, June 12, 2021

Move PDB to a Different ASM Disk Group

This post shows the steps for moving PDB related data files from one disk group to another. Currently the PDB data files reside in a disk group called +DATA and data file path is
+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/
TESTCDB is the CDB name and 9CBA2DF91A8C7012E053F4071FAC36E9 is the PDBs GUID.
The PDB will be moved to a ASM disk group called PDBDG.
1. Run a RMAN backup as copy to create data files copies in the destination diskgroup.
RMAN> backup as copy pluggable database testpdb2 format '+pdbdg';

Starting backup at 08-FEB-21
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=141 device type=DISK
allocated channel: ORA_DISK_2
channel ORA_DISK_2: SID=877 device type=DISK
allocated channel: ORA_DISK_3
channel ORA_DISK_3: SID=13 device type=DISK
allocated channel: ORA_DISK_4
channel ORA_DISK_4: SID=137 device type=DISK
channel ORA_DISK_1: starting datafile copy
input datafile file number=00045 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/system.301.1063988727
channel ORA_DISK_2: starting datafile copy
input datafile file number=00046 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/sysaux.300.1063988727
channel ORA_DISK_3: starting datafile copy
input datafile file number=00047 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/undotbs1.299.1063988727
channel ORA_DISK_4: starting datafile copy
input datafile file number=00049 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/oradbaudit.304.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/sysaux.257.1063989107 tag=TAG20210208T163145 RECID=1 STAMP=1063989121
channel ORA_DISK_2: datafile copy complete, elapsed time: 00:00:15
channel ORA_DISK_2: starting datafile copy
input datafile file number=00050 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/box.303.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/system.256.1063989107 tag=TAG20210208T163145 RECID=3 STAMP=1063989121
channel ORA_DISK_1: datafile copy complete, elapsed time: 00:00:16
channel ORA_DISK_1: starting datafile copy
input datafile file number=00051 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/lobs.306.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/box.260.1063989121 tag=TAG20210208T163145 RECID=5 STAMP=1063989122
channel ORA_DISK_2: datafile copy complete, elapsed time: 00:00:01
channel ORA_DISK_2: starting datafile copy
input datafile file number=00052 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/indexes.309.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/undotbs1.258.1063989111 tag=TAG20210208T163145 RECID=4 STAMP=1063989121
channel ORA_DISK_3: datafile copy complete, elapsed time: 00:00:16
channel ORA_DISK_3: starting datafile copy
input datafile file number=00053 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/repos.308.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/oradbaudit.259.1063989117 tag=TAG20210208T163145 RECID=2 STAMP=1063989121
channel ORA_DISK_4: datafile copy complete, elapsed time: 00:00:18
channel ORA_DISK_4: starting datafile copy
input datafile file number=00054 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audits.307.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/lobs.261.1063989123 tag=TAG20210208T163145 RECID=6 STAMP=1063989124
channel ORA_DISK_1: datafile copy complete, elapsed time: 00:00:02
channel ORA_DISK_1: starting datafile copy
input datafile file number=00055 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audindexes.310.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/indexes.262.1063989123 tag=TAG20210208T163145 RECID=7 STAMP=1063989124
channel ORA_DISK_2: datafile copy complete, elapsed time: 00:00:03
channel ORA_DISK_2: starting datafile copy
input datafile file number=00056 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audlobs.282.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/repos.263.1063989125 tag=TAG20210208T163145 RECID=8 STAMP=1063989125
channel ORA_DISK_3: datafile copy complete, elapsed time: 00:00:01
channel ORA_DISK_3: starting datafile copy
input datafile file number=00057 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/tbs.280.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audits.264.1063989125 tag=TAG20210208T163145 RECID=9 STAMP=1063989125
channel ORA_DISK_4: datafile copy complete, elapsed time: 00:00:02
channel ORA_DISK_4: starting datafile copy
input datafile file number=00058 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/cheindexes.281.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audindexes.265.1063989125 tag=TAG20210208T163145 RECID=10 STAMP=1063989127
channel ORA_DISK_1: datafile copy complete, elapsed time: 00:00:02
channel ORA_DISK_1: starting datafile copy
input datafile file number=00059 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/abs.283.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audlobs.266.1063989127 tag=TAG20210208T163145 RECID=11 STAMP=1063989127
channel ORA_DISK_2: datafile copy complete, elapsed time: 00:00:03
channel ORA_DISK_2: starting datafile copy
input datafile file number=00060 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/nstbs.297.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/tbs.267.1063989127 tag=TAG20210208T163145 RECID=12 STAMP=1063989128
channel ORA_DISK_3: datafile copy complete, elapsed time: 00:00:03
channel ORA_DISK_3: starting datafile copy
input datafile file number=00061 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/lkstbs.298.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/cheindexes.268.1063989129 tag=TAG20210208T163145 RECID=13 STAMP=1063989129
channel ORA_DISK_4: datafile copy complete, elapsed time: 00:00:02
channel ORA_DISK_4: starting datafile copy
input datafile file number=00048 name=+DATA/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/users.305.1063988727
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/abs.269.1063989129 tag=TAG20210208T163145 RECID=14 STAMP=1063989129
channel ORA_DISK_1: datafile copy complete, elapsed time: 00:00:02
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/nstbs.270.1063989129 tag=TAG20210208T163145 RECID=15 STAMP=1063989130
channel ORA_DISK_2: datafile copy complete, elapsed time: 00:00:02
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/lkstbs.271.1063989131 tag=TAG20210208T163145 RECID=16 STAMP=1063989131
channel ORA_DISK_3: datafile copy complete, elapsed time: 00:00:02
output file name=+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/users.272.1063989131 tag=TAG20210208T163145 RECID=17 STAMP=1063989131
channel ORA_DISK_4: datafile copy complete, elapsed time: 00:00:01
Finished backup at 08-FEB-21

Starting Control File and SPFILE Autobackup at 08-FEB-21
piece handle=+FRA/TESTCDB/AUTOBACKUP/2021_02_08/s_1063989132.284.1063989133 comment=NONE
Finished Control File and SPFILE Autobackup at 08-FEB-21

2. As system tablespaces are also moved the switch to new location cannot be done while PDB is open.
RMAN> switch pluggable database testpdb2 to copy;

RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of switch to copy command at 02/08/2021 16:32:29
RMAN-06572: database is open and datafile 45 is not offline
So the PDB must be closed (downtime) and then switch to the data file copies.
RMAN> alter pluggable database testpdb2 close;

Statement processed

RMAN>  switch pluggable database testpdb2 to copy;

datafile 45 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/system.256.1063989107"
datafile 46 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/sysaux.257.1063989107"
datafile 47 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/undotbs1.258.1063989111"
datafile 48 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/users.272.1063989131"
datafile 49 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/oradbaudit.259.1063989117"
datafile 50 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/box.260.1063989121"
datafile 51 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/lobs.261.1063989123"
datafile 52 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/indexes.262.1063989123"
datafile 53 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/repos.263.1063989125"
datafile 54 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audits.264.1063989125"
datafile 55 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audindexes.265.1063989125"
datafile 56 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/audlobs.266.1063989127"
datafile 57 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/tbs.267.1063989127"
datafile 58 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/cheindexes.268.1063989129"
datafile 59 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/abs.269.1063989129"
datafile 60 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/nstbs.270.1063989129"
datafile 61 switched to datafile copy "+PDBDG/TESTCDB/9CBA2DF91A8C7012E053F4071FAC36E9/DATAFILE/lkstbs.271.1063989131"




3. Recover the PDB
RMAN> recover pluggable database testpdb2;

Starting recover at 08-FEB-21
using channel ORA_DISK_1
using channel ORA_DISK_2
using channel ORA_DISK_3
using channel ORA_DISK_4

starting media recovery
media recovery complete, elapsed time: 00:00:01

Finished recover at 08-FEB-21
4. Open the PDB
RMAN> alter pluggable database testpdb2 open;

Statement processed
Related Posts
Moving 11gR2 RAC to New Set of ASM Diskgroups
Moving non-RAC Database and ASM Between Servers

Saturday, June 5, 2021

Cryptographic Checksum Mismatch Error on EM 13.4 Repository DB Alert Log

Following error was observed in the EM (EM 13.4) repository database alert log.
NI cryptographic checksum mismatch error: 12599.

  VERSION INFORMATION:
        TNS for Linux: Version 19.0.0.0.0 - Production
        Oracle Bequeath NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
        TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
  Version 19.6.0.0.0
  Time: 24-MAR-2020 13:54:03
  Tracing not turned on.
  Tns error struct:
    ns main err code: 12599

TNS-12599: TNS:cryptographic checksum mismatch
    ns secondary err code: 12656
    nt main err code: 0
    nt secondary err code: 0
    nt OS err code: 0
2020-03-24T13:54:03.565478+00:00
The sqlnet.ora in the Oracle home had the following parameters set which are related to encrypting while in transit.
SQLNET.ENCRYPTION_SERVER=required
SQLNET.ENCRYPTION_CLIENT=required

SQLNET.ENCRYPTION_TYPES_SERVER=aes256
SQLNET.ENCRYPTION_TYPES_CLIENT=aes256

SQLNET.CRYPTO_CHECKSUM_SERVER=required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)

SQLNET.CRYPTO_CHECKSUM_CLIENT=required
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1)
The error is differnt to when there's no common encryption or checksum between client and server. Following shows the output for such a case (output is same whether the mismatch is on encryption or checksum).
Fatal NI connect error 12650, connecting to:
 (ADDRESS=(PROTOCOL=tcp)(HOST=10.17.16.19)(PORT=62960))

  VERSION INFORMATION:
        TNS for Linux: Version 19.0.0.0.0 - Production
        Oracle Bequeath NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
        TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
  Version 19.8.0.0.0
  Time: 17-SEP-2020 14:46:49
  Tracing not turned on.
  Tns error struct:
    ns main err code: 12650

TNS-12650: No common encryption or data integrity algorithm
    ns secondary err code: 0
    nt main err code: 0
    nt secondary err code: 0
    nt OS err code: 0
opiodr aborting process unknown ospid (6796) as a result of ORA-609
2020-09-17T14:46:50.321241+05:30



MOS note 2332486.1 this is due to bug 26933408. As a solution it offers two patches, 26933408 for OMS (server side) and 31840839 for agent (client side). After the patches were applied the error message did appear any more.

Related Metalink Notes
TNS-12599: TNS:cryptographic Checksum Mismatch in alert.log after enabling of encryption on the server side [ID 1927120.1]
EM 13c: Enterprise Manager 13c Cloud Control Target Database Repeating Alert Log Errors: TNS-12599: TNS:cryptographic Checksum Mismatch [ID 2332486.1]