Troubleshooting and Limitations
Limitations
| # | Description |
|---|---|
| 1 | User Specified Error Replacement Value For Large Object For users without sufficient permissions to access the migrated data, CDP can be configured to return any of the following: — Standard “insufficient permissions” error — NULL value (not the error) — User specified error replacement value. For large object data types, CDP does not support the user-defined error replacement value. Standard error and Null value replacement are supported. |
| 2 | User Specified Error Replacement Value is Not Supported for large CHAR and NCHAR The user specified error replacement value does not support CHAR data larger than 1022 and NCHAR larger than 512. |
| 3 | Error Replacement Values The error replacement value is not supported when a select query with 'where' clause is executed on a domain indexed column. |
| 4 | Running the Data Migration Process When migrating, key rotating, or unencrypting Large Object data types (BLOB and CLOB only), the batch size is 1. |
| 5 | Long Raw Data Type A table containing LONG RAW data type cannot be encrypted. |
| 6 | Domain Indexes Domain indexes cannot be created for large objects and VARCHAR2 of size 2000-4000 and NVARCHAR2 of size 1000-2000 data types that are converted into BLOB after migration. |
| 7 | Domain Indexes Domain indexes cannot be created on columns encrypted with field-level IVs. |
| 8 | On Large Objects, Domain Indexes Cannot be Created Oracle does not allow creating domain indexes on Large Object data types. So, domain indexes cannot be created on the Large Object data types in CDP. |
| 9 | Large Object: BFILE The BFILE data type is used to store information such as the name and location of an external binary file. CDP encrypts the information stored in BFILE; however, it does not encrypt the actual file stored in the file system. |
| 10 | Large Objects In Oracle, large objects (CLOB and BLOB) only up to 2GB are supported. Any attempt to migrate a large object (CLOB or BLOB), greater than 2GB, returns the following error:Large Object length exceeds the maximum supported size of 2GB.Also, any attempt to insert a BLOB file >=2GB in an encrypted table returns the following error: ERROR at line 1: ORA-20101: *** Specified Lob value is greater than maximum limit(2GB) ORA-06512: at "INGRIAN.INGFASTENCRYPTBLOBBYNAME", line 40 ORA-06512: at "TESTLOB.TB_BLOB1GB_UPD_TRIG", line 1 ORA-04088: error during execution of trigger 'TESTLOB.TB_BLOB1GB_UPD_TRIG' ORA-06512: at "TESTLOB.LOAD_LOB_FROM_FILE", line 29 ORA-06512: at line 1 |
| 11 | Symbolic LinksThe path entered for the log file must not include symbolic links, and it must specify a file name. On some operating systems, the use of symbolic links cause error and display the following message: The provider has not yet been installed on this database. You must install the provider before you can map users. |
| 12 | Name UDFs Name UDF (for example, ing_e_vrc_nm430) operations are not permitted while online migration/key rotation is in progress. |
| 13 | Domain Index Equality The Domain Index Equality works only in the remote mode. |
| 14 | Case-sensitivity Not Supported for User/Schema Names Case-sensitivity is not supported for user/schema names. |
| 15 | Error Replacement Value for CHAR (512 and above) Error replacement value set for CHAR (512 and above) gives null even if error replacement value is set. |
Troubleshooting
The following table provides information on how to handle problems occurring in CDP
| # | Description |
|---|---|
| 1 | Oracle Listener Error While using CDP with Oracle, if the error “ORA-12505, TNS:listener does not currently know of SID given in connect Descriptor” occurs, modify the listener.ora and tnsnames.ora files. |
| 2 | Upgrading to Future Software Versions After upgrading CDP, if problems occur while setting parameters in the properties file, the values can be copied from the old properties file stored in the |
| 3 | User Mapping If a database user is unable to perform desired operations, then the user is not mapped or the Key Manager user does not have access to the key. In such cases, any cryptographic operations fail. Make sure that the database user is mapped to a CipherTrust Manager user. When a database user sends a request to the Key Manager, CDP searches its list of user mappings (contained in the ING_AUTHORIZED_USER table in the CDP metadata database). If the database user appears on the list or is a member of a mapped database role, CDP includes the associated Key Manager user and password in the request. If those credentials are valid and the Key Manager user has access to the required key, then the Key Manager performs the operation. |
| 4 | Error At the Start of Online Migration/Key Rotation While starting the online migration/key rotation, if queries are being executed simultaneously, the error “ORA-00054: resource busy and acquire with NOWAIT specified or timeout expired” may appear. Click Restore Data to restore the table. |
| 5 | Error in the Middle of Online Migration/Key Rotation While the online migration/key rotation is in progress, if queries are being executed simultaneously, the error “ORA-00054: resource busy and acquire with NOWAIT specified or timeout expired” may appear. Click Resume Operation to resume the operation. |
| 6 | Domain Index Created on DATE Column After the domain index is created on a DATE column, performing the Select operation on this column returns the following errors: ORA-29902: error in executing ODCIIndexStart() routine. This an Oracle issue. To resolve this issue, contact the Oracle support. |
| 7 | Unable to Select Multiple Columns Having Same Name, But in Different CasesWhile using Windows Internet Explorer, if multiple columns have the same name, but in different cases, (for example, Column1, COLUMN1, COLumn1, etc.), then the properties of multiple columns cannot be selected while performing key rotation or creating domain indexes. This is a Windows Internet Explorer issue. To work around this issue, use Mozilla Firefox or Google Chrome as the web browser on Windows. |
| 8 | "certificate verify failed" Error in Logs If the "certificate verify failed" error appears in logs, verify that: — Certificate is not expired. — Windows OS version is as per Microsoft's recommendation for support of SHA-256 algorithms. For details, refer to: http://blogs.technet.com/b/pki/archive/2010/09/30/sha2- and-windows.aspx. |
| 9 | “ORA-03113: end-of-file on communication channel error” Consider a table having some rows inserted into it using a script. Now, migrate the table and delete the old data. Perform key rotation and simultaneously insert some data using the same script. Make sure that the script is run just before the key rotation starts and it is ended before the key rotation completes. Now, again run the same script. The following error may appear: ERROR at line 1: ORA-03113: end-of-file on communication channel Process ID: 8952 Session ID: 20 Serial number: 225 This is an Oracle issue and is fixed in Oracle 11.2.0.3. |
| 10 | Illegal Key Size If Unlimited Strength Jurisdiction Policy files are not updated from Oracle site, then the following error appears: ERROR at line 1: ORA-29532: Java call terminated by uncaught Java exception: java.sql.SQLException: Error: description [Decrypt by Name failed] message [Illegal key size] stack trace [java.security. InvalidKeyException: Illegal key size |
| 11 | ORA-06598: insufficient INHERIT PRIVILEGES privilege On Oracle 12c, While uninstalling CDP, if following error appears: ORA-06598: insufficient INHERIT PRIVILEGES privilege Then workaround is to Grant permission using below query and try uninstallation again. GRANT INHERIT PRIVILEGES ON USER sys to ingrian; |
| 12 | Unauthorized user accessIf an unauthorized user tries to access the encrypted data then following errors appear in CDP log file: 1401: Unknown key name or insufficient permissions The key is not valid Cannot get key for local encryption |
| 13 | Group Permissions on Key If, in group permissions on key, a user is not authorized to perform Encrypt/Decrypt/Export operations then the following errors appear: User is not authorized to perform this operation at this time for:PolicyEncrypt User is not authorized to perform this operation at this time for: PolicyDecrypt |
