Creating and Managing Exadata Databases

This topic describes creating and managing Oracle Databases on an Exadata Cloud Service instance.

When you create an Exadata Cloud Service instance, an initial Database Home and database are created. You can create additional Database Homes and databases at any time by using the Console or the Oracle Cloud Infrastructure API.

When you add a database to a VM cluster or a DB system resource on an Exadata instance, the database versions you can select from depend on the current patch level of that resource. You may have to patch your VM cluster or DB system to add later database versions.

After you provision a database, you can move it to another Database Home. Consolidating databases under the same home can facilitate management of these resources. All databases in a given Database Home share the Oracle Database binaries and therefore have the same database version. The Oracle-recommended way to patch a database to a version that is different from the current version is to move the database to a home running the target version. For information about patching, see Patching an Exadata Cloud Service Instance.

Note

When provisioning databases, make sure your VM cluster or DB system has enough OCPUs enabled to support the total number of database instances on the system. Oracle recommends the following general rule: for each database, enable 1 OCPU per node. See To scale CPU cores in an Exadata Cloud Service cloud VM cluster or DB system for information on scaling your OCPU count up or down.

When you create an Exadata database, you can choose to encrypt it using encryption keys that you manage yourself. You can rotate encryption keys periodically to maintain security compliance and, in cases of personnel changes, to disable access to a database.

Note

  • The encryption key you use must be AES-256.
  • To ensure that your Exadata database uses the most current version of the Vault encryption key, rotate the key from the database details page on the Oracle Cloud Infrastructure Console. Do not use the Vault service.
  • If your database is enabled with Oracle Data Guard, you can use only Oracle-managed encryption keys.

If you want to use your own encryption keys to encrypt a database that you create, then you must create a dynamic group and assign specific policies to the group for customer-managed encryption keys. See Managing Dynamic Groups and Let security admins manage vaults, keys, and secrets. Additionally, see To integrate customer-managed key management into Exadata Cloud Service if you need to update customer-managed encryption libraries for the Vault service.

You can also add and remove databases, and perform other management tasks on a database by using command line utilities. For information and instructions on how to use these utilities, see Creating and Managing Exadata Databases Manually.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.

For administrators: The policy in Let database admins manage Oracle Cloud database systems lets the specified group do everything with databases and related Database resources.

To enable management of customer-managed encryption keys, you must create a policy in the tenancy that allows a particular dynamic group to do so, similar to the following:

allow dynamic-group dynamic_group_name to manage keys in tenancy

If you are new to policies, then see Getting Started with Policies and Common Policies. If you want more information about writing policies for databases, then see Details for the Database Service.

Using the Console

To create a database in an existing Exadata Cloud Service instance

Note

If IORM is enabled on the Exadata Cloud Service instance, the default directive will apply to the new database and system performance might be impacted. Oracle recommends that you review the IORM settings and make applicable adjustments to the configuration after the new database is provisioned.

  1. Open the navigation menu. Under Oracle Database, click Bare Metal, VM, and Exadata.
  2. Choose your Compartment.
  3. Navigate to the cloud VM cluster or DB system you want to create the database in:

    Cloud VM clusters (new resource model): Under Exadata at Oracle Cloud, click Exadata VM Clusters. In the list of VM clusters, find the VM cluster you want to access and click its highlighted name to view the details page for the cluster.

    DB systems: Under Bare Metal, VM, and Exadata, click DB Systems. In the list of DB systems, find the Exadata DB system you want to access, and then click its name to display details about it.

  4. Click Create Database.
  5. In the Create Database dialog, enter the following:

    • Database name: The name for the database. The database name must begin with an alphabetic character and can contain a maximum of eight alphanumeric characters. Special characters are not permitted.
    • Database version: The version of the database. You can mix database versions on the Exadata DB system.
    • PDB name: (Optional) For Oracle Database 12c (12.1.0.2) and later, you can specify the name of the pluggable database. The PDB name must begin with an alphabetic character, and can contain a maximum of eight alphanumeric characters. The only special character permitted is the underscore (_).
    • Database Home: The Oracle Database Home for the database. Choose the applicable option:

      • Select an existing Database Home: The Database Home display name field allows you to choose the Database Home from the existing homes for the database version you specified. If no Database Home with that version exists, you must create a new one.
      • Create a new Database Home: A database home will be created using the database version and the Database Home display name you specified.
    • Create administrator credentials: A database administrator SYS user will be created with the password you supply.

      • Username: SYS
      • Password: Supply the password for this user. The password must meet the following criteria:

        The password is used for SYS, SYSTEM, TDE wallet, and PDB Admin, and must be strong. It must be 9 to 30 characters and contain at least two uppercase, two lowercase, two numeric, and two special characters. The special characters must be _, #, or -. The password must not contain the username (SYS, SYSTEM, and so on) or the word "oracle" either in forward or reversed order and regardless of casing.
      • Confirm password: Re-enter the SYS password you specified.
    • Select workload type: Choose the workload type that best suits your application:

      • Online Transactional Processing (OLTP) configures the database for a transactional workload, with a bias towards high volumes of random data access.
      • Decision Support System (DSS) configures the database for a decision support or data warehouse workload, with a bias towards large data scanning operations.
    • Configure database backups: Specify the settings for backing up the database to Object Storage:

      • Enable automatic backup: Check the check box to enable automatic incremental backups for this database. If you are creating a database in a security zone compartment, you must enable automatic backups.
      • Backup retention period: If you enable automatic backups, you can choose one of the following preset retention periods: 7 days, 15 days, 30 days, 45 days, or 60 days. The default selection is 30 days.
      • Backup Scheduling: If you enable automatic backups, you can choose a two-hour scheduling window to control when backup operations begin. If you do not specify a window, the six-hour default window of 00:00 to 06:00 (in the time zone of the DB system's region) is used for your database. See Automatic Incremental Backups for more information.
  6. Click Show Advanced Options to specify advanced options for the database:

    • Character set: The character set for the database. The default is AL32UTF8.
    • National character set: The national character set for the database. The default is AL16UTF16.
    • If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
    • If you are creating a database in an Exadata Cloud Service VM cluster, then you can choose to use encryption based on encryption keys that you manage. By default, the database is configured using Oracle-managed encryption keys. To configure the database with encryption based on encryption keys you manage:
      1. Click the Encryption tab.
      2. Select Use customer-managed keys. You must have a valid encryption key in Oracle Cloud Infrastructure Vault service. See Let security admins manage vaults, keys, and secrets.
        Note

        Oracle only supports AES-256 encryption keys.
      3. Choose a vault from the Vault in compartment drop-down. You can change the compartment by clicking the CHANGE COMPARTMENT link.
      4. Select an encryption key from the Master encryption key in compartment drop-down. You can change the compartment containing the encryption key you want to use by clicking the CHANGE COMPARTMENT link.
      5. If you want to use an encryption key that you import into your vault, then select Choose the key version and enter the OCID of the key you want to use in the Key version OCID field.
      Note

      • Oracle supports customer-managed keys on databases after Oracle Database 11g release 2 (11.2.0.4).
      • If you choose to provide an OCID for the valid key version, then ensure that the OCID corresponds to the key version you want to use.
  7. Click Create Database.

After database creation is complete, the status changes from Provisioning to Available, and on the database details page for the new database, the Encryption section displays the encryption key name and the encryption key OCID.

Caution

Do not delete the encryption key from the vault. This causes any database protected by the key to become unavailable.

To create a database from a backup

Before you begin, note the following:

  • When you create a database from a backup, the availability domain is the same as the availability domain that hosts the backup.
  • The Oracle Database software version you specify must be the same version as, or a later version than, that of the backed-up database.
  • If you are creating a database from an automatic backup, then you can choose any level 0 weekly backup, or a level 1 incremental backup created after the most recent level 0 backup. For more information on automatic backups, see Using the Console.
  • If the backup being used to create a database is in a security zone compartment, the database cannot be created in a compartment that is not in a security zone. See the Security Zone Policies topic for a full list of policies that affect Database service resources.
  1. Open the navigation menu. Under Oracle Database, click Bare Metal, VM, and Exadata.
  2. Choose your Compartment.
  3. Navigate to a backup.

    • Standalone backups: Click Standalone Backups under Bare Metal, VM, and Exadata.
    • Automatic backups: Navigate to the Database Details page of the database associated with the backup:

      • Cloud VM clusters (new resource model): Under Exadata at Oracle Cloud, click Exadata VM Clusters. In the list of VM clusters, find the VM cluster you want to access and click its highlighted name to view the details page for the cluster.
      • DB systems: Under Bare Metal, VM, and Exadata, click DB Systems. In the list of DB systems, find the Exadata DB system you want to access, and then click its name to display details about it.

      Click the name of the database associated with the backup that you will use to create the new database. Locate the backup in the list of backups on the Database Details page.

  4. Click the Actions icon (three dots) for the backup you chose.
  5. Click Create Database. On the Create Database from Backup page, configure the database as follows.
  6. In the Configure your DB system section:

    • Backups created in cloud VM clusters: Choose a cloud VM cluster to run the database from the Select a VM cluster drop-down list.
    • Backups created in DB systems: Choose a shape from the Select a shape drop-down list, then choose a DB system to run the database from the Select a DB system drop-down list.
  7. In the Configure Database Home section:

    • Select an existing Database Home: If you choose this option, make a selection from the Select a Database Home drop-down list.
    • Create a new Database home: If you choose this option, enter a name for the new Database Home in the Database Home display name field.
  8. In the Configure database section:

    • In the Database name field, accept the default name or name the database.

      The database name must begin with an alphabetic character and can contain a maximum of eight alphanumeric characters. Special characters are not permitted.

    • In the Password and Confirm password fields, enter and re-enter a password.

      A strong password for SYS administrator must be 9 to 30 characters and contain at least two uppercase, two lowercase, two numeric, and two special characters. The special characters must be _, #, or -. The password must not contain the user name (SYS, SYSTEM, and so on) or the word "oracle" either in forward or reverse order and regardless of casing.

  9. In the Enter the source database's TDE wallet or RMAN password field, enter a password that matches either the Transparent Data Encryption (TDE) wallet password or RMAN password for the source database.
  10. Click Create Database.
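
The naming and password rules stated in the two procedures above (creating a database in an existing instance, and creating a database from a backup) can be checked before the dialog is submitted. The following Python check is an added example, not Oracle code; the function names are hypothetical, and it assumes that underscores count toward the eight-character PDB name limit, that only ASCII letters and digits are accepted, and that user names are rejected in reversed order as well as forward.

```python
import re
import string

# Database name: starts with a letter, at most eight alphanumeric characters.
DB_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,7}")
# PDB name: same, plus underscore (assumption: underscores count toward the eight).
PDB_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,7}")

CHAR_CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numeric": string.digits,
    "special": "_#-",
}
ALLOWED_CHARS = set("".join(CHAR_CLASSES.values()))
# "SYS, SYSTEM, and so on": pass further account names via extra_usernames.
FORBIDDEN_WORDS = ("sys", "system", "oracle")


def name_problems(db_name, pdb_name=None):
    """Return the names of the fields that break the dialog's naming rules."""
    problems = []
    if not DB_NAME_RE.fullmatch(db_name):
        problems.append("database name")
    if pdb_name is not None and not PDB_NAME_RE.fullmatch(pdb_name):
        problems.append("PDB name")
    return problems


def password_problems(password, extra_usernames=()):
    """Return every rule the password breaks; an empty list means it passes.

    Messages never echo the password itself.
    """
    problems = []
    if not 9 <= len(password) <= 30:
        problems.append("length must be 9 to 30 characters")
    for label, members in CHAR_CLASSES.items():
        if sum(ch in members for ch in password) < 2:
            problems.append(f"needs at least two {label} characters")
    if set(password) - ALLOWED_CHARS:
        problems.append("contains characters other than letters, digits, _ # -")
    lowered = password.lower()
    # dict.fromkeys removes duplicate words while keeping their order.
    words = dict.fromkeys((*FORBIDDEN_WORDS, *(u.lower() for u in extra_usernames)))
    for word in words:
        if word and (word in lowered or word[::-1] in lowered):
            problems.append(f"contains {word!r} forward or reversed")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Ab_9xK#2mQ", "Elcaro_#12AB", "short1A"):
        print(len(candidate), password_problems(candidate))
    print(name_problems("ORCL1", "PDB_1"), name_problems("DB_1"))
```

Because the same password is applied to the SYS, SYSTEM, TDE wallet, and PDB Admin credentials, pass any additional account names through extra_usernames so they are rejected too.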
To navigate to a list of backups for a particular database:
  1. Click the DB system name that contains the specific database to display the DB System Details page.

  2. From the list of databases, click the database name associated with the backup you want to use to display a list of backups on the database details page. You can also access the list of backups for a database by clicking Backups in the Resources section.

To navigate to the list of standalone backups for your current compartment:
To move a database to another Database Home
  1. Open the navigation menu. Under Oracle Database, click Bare Metal, VM, and Exadata.
  2. Choose your Compartment.
  3. Navigate to the database:

    Cloud VM clusters (new resource model): Under Exadata at Oracle Cloud, click Exadata VM Clusters. In the list of VM clusters, find the VM cluster you want to access and click its highlighted name to view the details page for the cluster.

    DB systems: Under Bare Metal, VM, and Exadata, click DB Systems. In the list of DB systems, find the Exadata DB system you want to access, and then click its name to display details about it.

  4. Click Move to Another Home.
  5. Select the target Database Home.
  6. Click Move Database.
  7. Confirm the move operation.

    The database will be stopped in the current home and then restarted in the destination home. While the database is being moved, the Database Home status displays as Moving Database. When the operation completes, Database Home is updated with the current home. If the operation is unsuccessful, the status of the database displays as Failed, and the Database Home field provides information about the reason for the failure.

To terminate a database

You'll get the chance to back up the database prior to terminating it. This creates a standalone backup that can be used to create a database later. We recommend that you create this final backup for any production (non-test) database.

Note

Terminating a database removes all automatic incremental backups of the database from Oracle Cloud Infrastructure Object Storage. However, all full backups that were created on demand, including your final backup, will persist as standalone backups.

You cannot terminate a database that is assuming the primary role in a Data Guard association. To terminate it, you can switch it over to the standby role.

  1. Open the navigation menu. Under Oracle Database, click Bare Metal, VM, and Exadata.
  2. Choose your Compartment.
  3. Navigate to the database.

    X8M systems: Under Exadata at Oracle Cloud, click Exadata VM Clusters. In the list of cloud VM clusters, find the VM cluster containing the database you want to manage and click its highlighted name to view the details page for the cluster.

    In the list of databases, click the highlighted name of the database you wish to manage. The Database Details page is displayed.

    X6, X7, or X8 systems: Under Bare Metal, VM, and Exadata, click DB Systems. In the list of DB systems, find the Exadata DB system containing the database you want to manage and click its highlighted name to view the details page for the DB system.

    In the list of databases, click the highlighted name of the database you wish to manage. The Database Details page is displayed.

  4. Click More Actions, and then click Terminate.
  5. In the confirmation dialog, indicate whether you want to back up the database before terminating it, and type the name of the database to confirm the termination.
  6. Click Terminate Database.

    The database's status indicates Terminating.

To administer Vault encryption keys

After you provision a database in an Exadata DB system or VM cluster, you can rotate the Vault encryption key or change the encryption management configuration for that database.

Note

  • To ensure that your Exadata database uses the most current version of the Vault encryption key, rotate the key from the database details page on the Oracle Cloud Infrastructure Console. Do not use the Vault service.
  • You can rotate Vault encryption keys only on databases that are configured with customer-managed keys.
  • You can change encryption key management from Oracle-managed keys to customer-managed keys, but you cannot change from customer-managed keys to Oracle-managed keys.
  • If the database for which you are changing encryption key management is using Oracle-managed keys and is enabled with Oracle Data Guard, then you cannot change to customer-managed keys.
  • Oracle supports administering encryption keys on databases after Oracle Database 11g release 2 (11.2.0.4).
  1. Open the navigation menu. Under Oracle Database, click Bare Metal, VM, and Exadata.
  2. Choose your compartment from the Compartment drop-down.
  3. Navigate to the cloud VM cluster or DB system that contains the database for which you want to change encryption management or to rotate a key.

    Cloud VM clusters: Under Exadata at Oracle Cloud, click Exadata VM Clusters. In the list of VM clusters, locate the VM cluster you want to access and click its highlighted name to view the details page for the cluster.

    DB systems: Under Bare Metal, VM, and Exadata, click DB Systems. In the list of DB systems, locate the Exadata DB system you want to access and click its name to display its details page.

  4. In the Databases section, click the name of the database for which you want to change encryption management or to rotate a key to display its details page.
  5. Click the More Actions drop-down.
  6. Click Administer Encryption Key.

    To rotate an encryption key on a database using customer-managed keys:

    1. Click Rotate Encryption Key to display a confirmation dialog.
    2. Click Rotate Key.

    To change key management type from Oracle-managed keys to customer-managed keys:

    1. Click Change Key Management Type.
    2. Select Use customer-managed keys.

      You must have a valid encryption key in Oracle Cloud Infrastructure Vault service and provide the information in the subsequent steps. See Key and Secret Management Concepts.

    3. Choose a vault from the Vault in compartment drop-down. You can change the compartment by clicking the CHANGE COMPARTMENT link.
    4. Select an encryption key from the Master encryption key in compartment drop-down. You can change the compartment containing the encryption key you want to use by clicking the CHANGE COMPARTMENT link.
    5. If you want to use an encryption key that you import into your vault, then select Choose the key version and enter the OCID of the key you want to use in the Key version OCID field.
    Note

    Changing key management causes the database to become briefly unavailable.
    Caution

    After changing key management to customer-managed keys, do not delete the encryption key from the vault as this can cause the database to become unavailable.
  7. Click Apply.

On the database details page for this database, the Encryption section displays the encryption key name and the encryption key OCID.

Changing the Database Passwords

The password that you specify in the Database Admin Password field when you create a new Exadata Cloud Service instance or database is set as the password for the SYS, SYSTEM, TDE wallet, and PDB Admin credentials. Use the following procedures if you need to change passwords for an existing database.

Note that if you are enabling Data Guard for a database, the SYS password and the TDE wallet password of the primary and standby databases must all be the same.

To change the SYS password for an Exadata Cloud Service database
  1. Log on to the cloud VM cluster or DB system host as opc.
  2. Run the following command:

    sudo dbaascli database changepassword --dbname <database_name>

To change the TDE wallet password for an Exadata Cloud Service database
  1. Log on to the cloud VM cluster or DB system host as opc.
  2. Run the following command:

    sudo dbaascli tde changepassword --dbname <database_name>