This note is how to handle the plug-in warning “PDB needs to import keys from source” with 12.1.0.2, after a non-CDB database has been converted as a PDB inside another CDB database located in an OCI DBsystem.
In the example below, <password1> is the key setup to the non-CDB database to be imported and <password2> is the key setup on the target CDB (identical to the sys and system passwords specified from the console).
#1 Apply the patch 23271203
For OCI 180116, the patch is p23271203_12102180116ProactiveBP_Linux-x86-64.zip
#2 Export the keys from the source database (non-CDB):
administer key management set keystore open identified by "<password1>"; administer key management export encryption keys with secret "<password1>" to '/tmp/key_source.exp' identified by "<password1>";
#3 Recreate the wallet from the target CDB
! rm '/opt/oracle/dcs/commonstore/wallets/tde/<cdb>/cwallet.sso administer key management set keystore close; administer key management set keystore open identified by "<password2>"; administer key management set key identified by "<password2>" with backup; administer key management create AUTO_LOGIN keystore from keystore '/opt/oracle/dcs/commonstore/wallets/tde/<cdb>' identified by "<password2>";
#4 Import the key from the PDB
alter session set container=<PDB>; administer key management set keystore open identified by "<password2>"; administer key management import keys with secret "<password1>" from '/tmp/key_prod.exp' identified by "<password2>" with backup;
References
MOS 1944507.1 TDE Wallet Problem in 12c: Cannot do a Set Key operation when an auto-login wallet is present
MOS 2392653.1 How to UnPlug/Plug-in PDB (TDE Enabled) in DBaaS Environment