
TDE Roll forward fails 15500


Information

 
Title: TDE Roll forward fails 15500
URL Name: TDE-roll-forward-fails-newinstance-rebind-15500
Article Number: 000138185
Environment
Product: OpenEdge
Version: 10.2B, 11.x
OS: All supported platforms
Other: TDE
Question/Problem Description
Roll forward fails on a TDE enabled database restored with -newinstance

After restoring a TDE enabled database with PROREST -newinstance, roll forward fails because the database cannot be accessed (errors 15678 and 15679).
After binding the existing key store file to the new database GUID with "keystore rebind", roll forward fails with errors 15500 and 11014.
Clarifying Information
The keystore saved from the TDE enabled database when the PROBKUP was taken is used.
The user passphrase was changed with "epolicy manage keystore userphrase" for roll forward processing.
The source TDE enabled database has AI encryption enabled.
Error Message
This database was created with the -newinstance option. (15678)
Keystore rebind must be run before accessing the database. (15679)

<ai file> is encrypted, but there is no encryption policy loaded to decrypt it. (15500)
roll forward open <ai file> error: -1. (11014)
Cause
Changing the user passphrase, in other words using a new passphrase instead of the production passphrase for security reasons, does not change the time stamp of the database and allows subsequent roll forward actions:
proutil dbname -C epolicy manage keystore userphrase -Passphrase

Rebinding the keystore with "epolicy manage keystore rebind -Passphrase" is different. It is needed to allow any access to the database after creating a new instance of the database, and it binds the existing keystore to the new database GUID (a new GUID is set by the -newinstance parameter when the database is created).

Since the restored database (for roll forward) no longer has AI enabled, this database has no AI encryption policy in the new keystore.
Resolution
To roll forward AI encrypted notes:

1.  Restore the TDE backup volume without -newinstance 
$  prorest dbname <backupvolume> -verbose

2.  Copy the production keystore that is kept in line with the PROBKUPs and, if required, rename it to the restored database name (dbname.ks).

When the backup was initially taken, the utility posted the following message in the TDE enabled database lg files:
(15525) Your database backup is not complete until you have made an OS backup or copy of your key store.

3.  (Optionally) Change the production TDE passphrase for the restored database
$  proutil dbname -C epolicy manage keystore userphrase -Passphrase

Enter the key store passphrase for database <dbname> : <Admin Passphrase>
This command modifies encryption access control in the Key store file. After successful completion of the command, the Keystore file must be backed-up. (15518)

Enter new passphrase [required] : <new User Passphrase>

Please Retype your Passphrase for Verification
Enter new passphrase [required] : <new User Passphrase>

4.  Roll forward against the restored TDE enabled database
$  rfutil dbname -C roll forward -a <ai file> -Passphrase <new User Passphrase>

5. Once the required AI files have all been applied, carry out whatever further epolicy activities are needed.
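
The two failure states described in this article can be told apart from the message numbers alone, which helps decide whether a restore has to be redone before any AI file is applied. The script below is an added example, not Progress code: the function names, state labels and sample AI file path are constructed, and it assumes the keystore copy is placed next to the database as dbname.ks.

```shell
#!/bin/sh
# Added example (not Progress code): triage a failed TDE roll forward using
# only the message numbers quoted in this article. Matching is on "(NNNNN)",
# so nothing is assumed about the rest of the log line layout.

# Reads utility output or a lg extract (files as arguments, else stdin)
# and prints the state implied by the LAST relevant message seen.
diagnose_tde_rollforward() {
    awk '
        /\(1567[89]\)/ { state = "NEWINSTANCE_UNBOUND" }   # 15678 or 15679
        /\(15500\)/    { state = "AI_POLICY_MISSING" }
        /\(11014\)/    { if (state != "AI_POLICY_MISSING") state = "AI_OPEN_FAILED" }
        END { if (state == "") state = "NO_KNOWN_TDE_ERROR"; print state }
    ' "$@"
}

# Maps a state to the action this article gives for it.
tde_advice() {
    case $1 in
        NEWINSTANCE_UNBOUND)
            echo "Restored with -newinstance: for roll forward, restore again without -newinstance." ;;
        AI_POLICY_MISSING)
            echo "Rebound keystore has no AI policy: restore without -newinstance and use the keystore copied at PROBKUP time." ;;
        AI_OPEN_FAILED)
            echo "11014 without 15500: not the case covered by this article." ;;
        *)
            echo "No TDE roll forward message from this article found." ;;
    esac
}

# Step 2 check. Assumption: the keystore copy sits next to the database
# and is named <dbname>.ks; $1 is the database path without extension.
keystore_in_place() {
    [ -f "$1.ks" ] && [ -s "$1.ks" ]
}

# Constructed sample: both failures, in the order the article describes.
sample_log() {
    cat <<'EOF'
This database was created with the -newinstance option. (15678)
Keystore rebind must be run before accessing the database. (15679)
/db/ai/sports.a1 is encrypted, but there is no encryption policy loaded to decrypt it. (15500)
roll forward open /db/ai/sports.a1 error: -1. (11014)
EOF
}

tde_advice "$(sample_log | diagnose_tde_rollforward)"
```

Because the last relevant message wins, a log that still contains the earlier 15678/15679 lines is classified by the later 15500 failure.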
 
Last Modified Date: 2/19/2018 8:18 AM
