DB needs to import keys from source error on 12c

This note is how to handle the plug-in warning “PDB needs to import keys from source” with 12.1.0.2, after a non-CDB database has been converted as a PDB inside another CDB database located in an OCI DBsystem.

In the example below, <password1> is the key setup to the non-CDB database to be imported and <password2> is the key setup on the target CDB (identical to the sys and system passwords specified from the console).

#1 Apply the patch 23271203

For OCI 180116, the patch is p23271203_12102180116ProactiveBP_Linux-x86-64.zip

#2 Export the keys from the source database (non-CDB):

administer key management set keystore open identified by "<password1>";
administer key management export encryption keys with secret "<password1>"
to '/tmp/key_source.exp' identified by "<password1>";

#3 Recreate the wallet from the target CDB

! rm '/opt/oracle/dcs/commonstore/wallets/tde/<cdb>/cwallet.sso

administer key management set keystore close;
administer key management set keystore open identified by "<password2>";
administer key management set key identified by "<password2>" with backup;
administer key management create AUTO_LOGIN keystore from keystore 
'/opt/oracle/dcs/commonstore/wallets/tde/<cdb>' identified by "<password2>";

#4 Import the key from the PDB

alter session set container=<PDB>;
administer key management set keystore open identified by "<password2>";
administer key management import keys with secret "<password1>"
from '/tmp/key_prod.exp' identified by "<password2>" with backup;

References

MOS 1944507.1 TDE Wallet Problem in 12c: Cannot do a Set Key operation when an auto-login wallet is present
MOS 2392653.1 How to UnPlug/Plug-in PDB (TDE Enabled) in DBaaS Environment