Skip to main content
Feedback

Oracle Wallet (TDE) support

The Oracle Source connector supports reading data protected by Oracle Transparent Data Encryption (TDE). To decrypt TDE-protected data during Standard Load and CDC Data Flows, provide your Oracle Wallet on the connection. You can either upload the wallet file or enter the wallet key entries manually.

Supported Oracle versions

TDE support requires Oracle 12c R1 (12.1) or later. Sources on earlier versions are rejected at Test Connection with the ORACLE_VERSION_UNSUPPORTED error.

Oracle versionStandard Load (column TDE)Standard Load (tablespace TDE)CDC over TDENotes
12c R1 (12.1)SupportedSupportedSupportedMinimum supported version.
12c R2 (12.2)SupportedSupportedSupportedIntroduces isolated per-PDB keystores.
18cSupportedSupportedSupportedN/A.
19c (LTS)SupportedSupportedSupportedPrimary validation target.
21cSupportedSupportedSupportedN/A.
23aiSupportedSupportedSupportedFree and Enterprise Edition.
26ai (AI Database)SupportedSupportedSupportedTDE encryption only.

Required permissions

Beyond your standard Standard Load and CDC privileges, the connection user needs the following wallet-specific grants:

PermissionPurpose
SELECT on V_$ENCRYPTION_WALLETCheck whether the wallet is open or closed.
SELECT on V_$ENCRYPTED_TABLESPACESDetect tablespace-level TDE.
SELECT on DBA_ENCRYPTED_COLUMNSDetect column-level TDE.
GRANT SELECT ON V_$ENCRYPTION_WALLET TO <username>;
GRANT SELECT ON V_$ENCRYPTED_TABLESPACES TO <username>;
GRANT SELECT ON DBA_ENCRYPTED_COLUMNS TO <username>;
note
  • For the complete list of Oracle permissions required for standard Data Flows, CDC, flashback query, and synonym support, refer to Oracle required permissions.
  • Wallet status is not verified only once. Data Integration checks wallet status on every run and at Data Flow activation, because a DBA can close the wallet at any point after you save the connection. Keep these grants in place for the life of the connection.
  • If the connection user lacks SELECT on V_$ENCRYPTION_WALLET, wallet status cannot be verified, and both Test Connection and subsequent runs fail with TDE_PRIVS_MISSING (ORA-01031).

Multi-tenant (CDB/PDB) sources

For multi-tenant sources, open the wallet at the CDB root for all containers:

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<password>" CONTAINER = ALL;

Isolated per-PDB keystores (12.2 and later) must also be opened from inside each PDB.

Supported encryption types

Encryption typeStandard LoadCDC
Column-level TDE (ENCRYPT column)SupportedSupported
Tablespace-level TDESupportedSupported
Object typeStandard LoadCDCNotes
TableSupportedSupportedN/A
ViewSupportedSupportedUnderlying table or tables are decrypted.
Synonym to table or viewSupportedSupportedResolves to the base object.
Synonym to external object (database link)SupportedNot supportedExisting limitation.
Materialized viewSupportedNot supportedExisting limitation.
note

The following are not supported: columns encrypted with 3DES168; HSM or Oracle Key Vault (PKCS#11) integrations; and TDE as a target.

Troubleshooting

ErrorMeaningWhat to do
ORACLE_VERSION_UNSUPPORTEDThe source is older than Oracle 12.1.Upgrade the source, or disable TDE support.
TDE_DETECTED_NO_WALLET_CONFIGUREDTDE is detected on an object, but no wallet is configured.Add the Oracle Wallet in the connection settings.
TDE_WALLET_CLOSEDThe wallet is not open on the source (ORA-28365).Open the Oracle Wallet, then retry.
TDE_WALLET_INVALIDThe wallet or key entry does not match the database (ORA-28353).Update the wallet, or add the new key entry, then resume.
TDE_PRIVS_MISSINGThe connection user lacks SELECT on V_$ENCRYPTION_WALLET (ORA-01031).Grant SELECT on V_$ENCRYPTION_WALLET to the replication user, then retry.
TDE_LOGMINER_UNSUPPORTEDLogMiner cannot decrypt the row image, for example a 3DES168 column.Exclude the object from CDC, or use Standard Load instead.
On this Page