Rename a PDB in Oracle Database in a TDE Environment

Renaming a Pluggable Database (PDB) in Oracle 19c when Transparent Data Encryption (TDE) is enabled requires extra care to preserve encryption keys and wallet configurations. Here’s a step-by-step guide to help you do it safely:

Step 1: Export TDE Encryption Keys

Before renaming, export the encryption keys from the source PDB.

ALTER SESSION SET CONTAINER=source_pdb;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <keystore_password>;
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "<secret_password>" 
TO '<wallet_location>/exp_tde.exp' IDENTIFIED BY <keystore_password>;

Step 2: Unplug and Drop the Source PDB

ALTER PLUGGABLE DATABASE source_pdb CLOSE;
ALTER PLUGGABLE DATABASE source_pdb UNPLUG INTO '/path/source_pdb.xml';
DROP PLUGGABLE DATABASE source_pdb;

Step 3: Create the New PDB with the Desired Name

CREATE PLUGGABLE DATABASE new_pdb USING '/path/source_pdb.xml' NOCOPY 
SERVICE_NAME_CONVERT=('source_pdb','new_pdb');
ALTER PLUGGABLE DATABASE new_pdb OPEN READ WRITE;

You may see warnings due to missing encryption keys—this is expected.

Step 4: Import TDE Encryption Keys

ALTER SESSION SET CONTAINER=new_pdb;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <keystore_password>;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "<secret_password>" 
FROM '<wallet_location>/exp_tde.exp' IDENTIFIED BY <keystore_password> WITH BACKUP;

Step 5: Restart and Verify

SHUTDOWN IMMEDIATE;
STARTUP;
SHOW PDBS;

Ensure the new PDB name appears and is in READ WRITE mode.

Step 6: Re-enable Auto-login Wallet (Optional)

If you use an auto-login wallet, move the existing cwallet.sso aside at the OS prompt, then recreate it from the password keystore:

mv cwallet.sso cwallet.sso.bkp
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<wallet_location>' IDENTIFIED BY <keystore_password>;
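
To confirm that the key import in Step 4 and the restart in Step 5 left the renamed PDB with a usable master key, the checks below can be run afterwards. This is an added example, not part of the original procedure; new_pdb is the placeholder name from the steps above, and a session allowed to switch containers and read the V$ and dictionary views is assumed.

```sql
-- Added verification example (not from the original procedure).
-- new_pdb / NEW_PDB is the placeholder PDB name used in the steps above.

-- 1. From the CDB root: plug-in violations still open for the renamed PDB.
--    Rows about missing encryption keys should be gone or RESOLVED after Step 4.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT name, cause, type, status, message
FROM   pdb_plug_in_violations
WHERE  name = 'NEW_PDB'
AND    status <> 'RESOLVED'
ORDER  BY time;

-- 2. Inside the PDB: the keystore should report OPEN.
--    OPEN_NO_MASTER_KEY means the keystore opened but no master key is set
--    for this container, i.e. the import did not take effect.
--    WALLET_TYPE shows whether a password or auto-login keystore is in use (Step 6).
ALTER SESSION SET CONTAINER = new_pdb;
SELECT wrl_type, status, wallet_type, keystore_mode
FROM   v$encryption_wallet;

-- 3. Master keys visible to this container, oldest first.
--    CREATOR_PDBNAME shows which PDB name each key was created under.
SELECT key_id, creator_pdbname, activation_time, backed_up
FROM   v$encryption_keys
ORDER  BY activation_time;

-- 4. Encrypted tablespaces in this PDB and their encryption status.
SELECT t.name AS tablespace_name,
       e.encryptionalg,
       e.encryptedts,
       e.status
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t
       ON t.ts# = e.ts# AND t.con_id = e.con_id
ORDER  BY t.name;
```

If query 2 reports OPEN and query 4 lists the expected tablespaces, selecting a few rows from a table stored in one of them is a final end-to-end check that the data decrypts.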

What challenges should I expect when renaming a PDB?

Common Challenges

TDE Key Management

You must export and re-import encryption keys manually.
Forgetting this step can lead to inaccessible encrypted data in the new PDB.

Directory Structure

Renaming a PDB doesn’t rename its underlying datafile directories.
You’ll need to use online datafile move commands if you want directory names to match the new PDB name.

Service Name Conflicts

If a service already exists with the target PDB name, you’ll need to delete it before proceeding.

PDB$SEED Restrictions

You cannot rename the PDB$SEED—it’s hardcoded and immutable.

Plug-in Violations

After creating the new PDB, you may see warnings in PDB_PLUG_IN_VIOLATIONS due to missing encryption keys.

Auto-login Wallet Issues

If you use auto-login wallets (cwallet.sso), you’ll need to disable and recreate them after the rename.

Application Dependencies

Applications and TNS entries pointing to the old PDB name must be updated manually.

Bugs in Older Versions

If you’re not on the latest patch level, you might encounter bugs like ORA-600 or ORA-60 during rename operations.
