Renaming a Pluggable Database (PDB) in Oracle 19c when Transparent Data Encryption (TDE) is enabled requires extra care to preserve encryption keys and wallet configurations. Here’s a step-by-step guide to help you do it safely:
Step 1: Export TDE Encryption Keys
Before renaming, export the encryption keys from the source PDB.
ALTER SESSION SET CONTAINER=source_pdb;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <keystore_password>;
ADMINISTER KEY MANAGEMENT EXPORT ENCRYPTION KEYS WITH SECRET "<secret_password>"
TO '<wallet_location>/exp_tde.exp' IDENTIFIED BY <keystore_password>;
Step 2: Unplug and Drop the Source PDB
ALTER PLUGGABLE DATABASE source_pdb CLOSE;
ALTER PLUGGABLE DATABASE source_pdb UNPLUG INTO '/path/source_pdb.xml';
DROP PLUGGABLE DATABASE source_pdb;
Step 3: Create the New PDB with the Desired Name
CREATE PLUGGABLE DATABASE new_pdb USING '/path/source_pdb.xml' NOCOPY
SERVICE_NAME_CONVERT=('source_pdb','new_pdb');
ALTER PLUGGABLE DATABASE new_pdb OPEN READ WRITE;
You may see warnings due to missing encryption keys—this is expected.
Step 4: Import TDE Encryption Keys
ALTER SESSION SET CONTAINER=new_pdb;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <keystore_password>;
ADMINISTER KEY MANAGEMENT IMPORT ENCRYPTION KEYS WITH SECRET "<secret_password>"
FROM '<wallet_location>/exp_tde.exp' IDENTIFIED BY <keystore_password> WITH BACKUP;
Step 5: Restart and Verify
SHUTDOWN IMMEDIATE;
STARTUP;
SHOW PDBS;
Ensure the new PDB name appears and is in READ WRITE mode.
Step 6: Re-enable Auto-login Wallet (Optional)
If you use auto-login wallets do as below.
mv cwallet.sso cwallet.sso.bkp
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<wallet_location>' IDENTIFIED BY <keystore_password>;
What challenges should I expect when renaming a PDB?
Common Challenges
TDE Key Management
You must export and re-import encryption keys manually.
Forgetting this step can lead to inaccessible encrypted data in the new PDB.
Directory Structure
Renaming a PDB doesn’t rename its underlying datafile directories.
You’ll need to use online datafile move commands if you want directory names to match the new PDB name.
Service Name Conflicts
If a service already exists with the target PDB name, you’ll need to delete it before proceeding.
PDB$SEED Restrictions
You cannot rename the PDB$SEED—it’s hardcoded and immutable.
Plug-in Violations
After creating the new PDB, you may see warnings in PDB_PLUG_IN_VIOLATIONS
due to missing encryption keys.
Auto-login Wallet Issues
If you use auto-login wallets (cwallet.sso
), you’ll need to disable and recreate them after the rename.
Application Dependencies
Applications and TNS entries pointing to the old PDB name must be updated manually.
Bugs in Older Versions
If you’re not on the late.st patch level, you might encounter bugs like ORA-600
or ORA-60
during rename operations