Managing Exadata Database Services in Google Cloud
After provisioning any OracleDB@GCP resource, you can use the Google Cloud console for a limited set of management functions.
Common Management Functions from the Google Cloud Console
The following management functions are available for all resources from the Google Cloud console for that resource.
- Access the Resource Console
- List Status for all Resources of the Same Type
- Provision a New Resource
- Refresh the Console's Info
- Remove a Resource
- Access the OCI Console
- Perform a Connectivity Test
- Support for OracleDB@GCP
- Access Control for Google Cloud Projects
- Request a Limit Increase for OracleDB@GCP
- Google Cloud Key Management Integration for Exadata Database Service on Oracle Database@Google Cloud
Access the Resource Console
These are the steps to perform to access the resource console.
- From the Google Cloud console, select Oracle Database@Google Cloud application.
- From the left menu, select Exadata Database.
- If the console lists and manages several resources, select the resource type at the top of the console.
List Status for all Resources of the Same Type
These are the steps to perform to list status for all resources of the same type.
- Follow the steps to Access the resource console.
- Resources will be shown in the list as Succeeded, Failed, or Provisioning.
- Access the specifics of that resource by selecting the link in the Name field in the table.
Provision a New Resource
These are the steps to provision a new resource.
- Follow the steps to Access the resource console.
- Select the + Create icon at the top of the console.
- Follow the provisioning flows for Task 2: Provisioning Exadata Infrastructure for Google Cloud or Task 3: Provisioning an Exadata VM Cluster for Google Cloud as needed.
Refresh the Console's Info
These are the steps to perform to refresh the console's info.
- Follow the steps to Access the resource console.
- Select the Refresh icon at the top of the console.
- Wait for the console to reload.
Remove a Resource
These are the steps to perform to remove a resource.
- Follow the steps to Access the resource console.
- You can remove a single resource from the console by selecting the vertical ellipsis on the right side of the table. Once you have selected the resource(s) to remove, select the Delete icon.
Access the OCI Console
These are the steps to perform to access the OCI console.
- Follow the steps to Access the resource console.
- Select the link to the resource from the Display name field in the table.
- Select the MANAGE IN OCI icon at the top of the details page.
- Manage the resource from within the OCI console.
Perform a Connectivity Test
These are the steps to perform a connectivity test.
- Follow the steps to Access the OCI console.
- Navigate to the Pluggable Database Details page.
- Select the PDB Connection.
- Select Show to expand the Connection String information.
- Open Oracle SQL Developer. If you don't have SQL Developer installed, download SQL Developer and install.
- Within SQL Developer, open a new connection with the following information.
- Name - Enter a name of your choice used to save your connection.
- Username - Enter SYS.
- Password - Enter the password used when creating the PDB.
- Role - Select SYSDBA.
- Save Password - Select the box if your security rules allow it. If not, you will need to enter the PDB password every time you use this connection in SQL Developer.
- Connection Type - Select Basic.
- Hostname - Enter one of the host IPs from the Connection Strings above.
- Port - The default is 1521. You only need to change this if you have altered default port settings for the PDB.
- Service Name - Enter the SERVICE_NAME value from the host IP you previously selected. This is from the Connection Strings above.
- Select the Test button. The Status at the bottom of the connections list should show Success. If the connection does not succeed, one or more of the Hostname, Port, and Service Name fields is incorrect, or the PDB is not currently running.
- Select the Save button.
- Select the Connect button.
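The connectivity test above is a manual check in SQL Developer; this added Python helper (not Oracle's code) does the same pre-flight from a terminal. It parses the connect descriptor copied from the PDB Connection Strings into the three Basic-connection fields, probes the listener over TCP, and, when python-oracledb is installed and a SYS password is supplied, attempts the SYSDBA connection. The descriptor, host IP and service name are constructed placeholders.

```python
import re
import socket

# Constructed sample of a connect descriptor as shown under "Connection String"
# in the OCI console; the host IP and service name are made-up placeholders.
SAMPLE_DESCRIPTOR = (
    "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.5)(PORT=1521))"
    "(CONNECT_DATA=(SERVICE_NAME=pdb1.sub01.examplevcn.oraclevcn.com)))"
)


def parse_descriptor(descriptor):
    """Extract HOST, PORT and SERVICE_NAME: exactly the fields the SQL Developer
    'Basic' connection form needs. Raises ValueError if one is missing."""
    fields = {}
    for key in ("HOST", "PORT", "SERVICE_NAME"):
        match = re.search(r"\(\s*%s\s*=\s*([^()\s]+)\s*\)" % key,
                          descriptor, re.IGNORECASE)
        if not match:
            raise ValueError("descriptor has no %s entry" % key)
        fields[key.lower()] = match.group(1)
    fields["port"] = int(fields["port"])
    return fields


def tcp_reachable(host, port, timeout=3.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(descriptor, password=None):
    """Mirror the failure logic of the manual test: no TCP connection points at
    Hostname/Port (or the network path); a listener that rejects the service
    points at Service Name or a PDB that is not open."""
    fields = parse_descriptor(descriptor)
    if not tcp_reachable(fields["host"], fields["port"]):
        return "unreachable: check Hostname and Port (or the network path)"
    if password is None:
        return "listener reachable; supply the SYS password to test the service"
    try:
        import oracledb  # thin mode: no Oracle client installation needed
    except ImportError:
        return "listener reachable; install python-oracledb to test the service"
    dsn = "%s:%d/%s" % (fields["host"], fields["port"], fields["service_name"])
    try:
        with oracledb.connect(user="sys", password=password, dsn=dsn,
                              mode=oracledb.AUTH_MODE_SYSDBA) as conn:
            with conn.cursor() as cur:
                cur.execute("select sys_context('userenv','con_name') from dual")
                return "success: connected to %s" % cur.fetchone()[0]
    except oracledb.DatabaseError as exc:
        # ORA-12514 / ORA-12505 mean the listener does not know the service:
        # wrong Service Name, or the PDB is not open.
        return "service error: %s" % exc
```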
Support for OracleDB@GCP
These are the steps to access support resources.
- Follow the steps to Access the OCI console.
- From the OCI console, there are two ways to access support resources.
- At the top of the page, select the Help (?) icon at the top-right of the menu bar.
- On the right side of the page, select the floating Support icon. NOTE: This icon can be moved by the user, so its precise horizontal location can vary from user to user.
- You have several support options from here, including documentation, requesting help via chat, visiting the Support Center, posting a question to a forum, submitting feedback, requesting a limit increase, and creating a support request.
- If you need to create a support request, select that option.
- The support request page will auto-populate with information needed by Oracle Support Services, including resource name, resource OCID, service group, service, and several other items dependent upon the specific OracleDB@GCP resource.
- Select the support option from the following options:
- Critical outage: a critical production system is down, or a critical business function is unavailable or unstable. You or an alternate contact must be available to work this issue 24x7 if needed.
- Significant impairment: a critical system or business function is experiencing severe loss of service. Operations can continue in a restricted manner. You or an alternate contact are available to work this issue during normal business hours.
- Technical issue: functionality, errors, or a performance issue impact some operations.
- General guidance: a product or service usage question, product or service setup, or documentation clarification is needed.
- Select the Create Support Request button.
- The support ticket is created. This ticket can be monitored within the OCI console or via My Oracle Support (MOS).
Access Control for Google Cloud Projects
These are the steps to manage access to resources and assign roles to users in Google Cloud projects.
- From the Google Cloud console, navigate to the Identity and Access Management (IAM) page.
- The VIEW BY PRINCIPALS section lists all the principals who have been granted some roles for the project.
- To grant access to a principal who does not have any existing roles on the resource, select the + GRANT ACCESS link, and then enter an identifier for the principal.
Note
Principals are users, groups, domains and service accounts.
- To grant access to a principal who already has other roles on the resource, select the checkbox next to the Type field, and then select the pencil icon to Edit principal.
- Select a role from the dropdown list located under the Assign roles section.
- If you want to add a condition to the role, select the + ADD IAM CONDITION link.
Note
Adding a condition to the role is optional.
- If you want to add other roles to the principal, select + ADD ANOTHER ROLE, and then select the SAVE button.
Required Permission for Google Cloud Cross-Projects
If you want to provision an Exadata VM Cluster in a Google Cloud project while your Exadata Infrastructure is located in a different project, you, or an admin with the required privileges, must assign the Exadata Infrastructure User role.
Request a Limit Increase for OracleDB@GCP
Learn how to request a service limit increase.
If you need to increase a service limit for your OracleDB@GCP, see Requesting a Limit Increase for Database Resources.
Google Cloud Key Management Integration for Exadata Database Service on Oracle Database@Google Cloud
Exadata Database Service on Oracle Database@Google Cloud supports integration with Google Cloud Platform's Key Management Service (KMS). This enhancement allows users to manage transparent data encryption (TDE) master encryption keys (MEKs) using GCP Customer-Managed Encryption Keys (CMEKs). Previously, TDE MEKs could only be stored in a file-based Oracle Wallet, Oracle Cloud Infrastructure (OCI) Vault, or Oracle Key Vault (OKV). With this capability, you can store and manage MEKs directly in GCP KMS, providing improved key lifecycle control and alignment with organization-specific security policies. This integration enables applications, Google Cloud services, and databases to benefit from a centralized key management solution that offers enhanced security and simplified key lifecycle management.
Prerequisites:
Before configuring GCP Customer-Managed Encryption Keys (CMEK) as the key management service for your databases, ensure the following prerequisites are met.
- Provision an Exadata Infrastructure. See Task 1: Provisioning Exadata Infrastructure for Google Cloud for step-by-step instructions.
- Provision an Exadata VM Cluster. See Task 2: Provisioning an Exadata VM Cluster for Google Cloud for step-by-step instructions.
Note
When you provision an Exadata VM Cluster, an identity connector is automatically created and associated with your Exadata VM Cluster.
- Configure GCP Customer-Managed Encryption Keys (CMEK) as the Key Management Service at the Exadata VM Cluster level.
Note
To enable GCP CMEK for databases deployed in Exadata Database, you must configure CMEK as the key management option at the VM cluster level. Once CMEK is enabled, all database encryption and decryption operations will use the specified GCP-managed key. Before enabling CMEK, you must ensure the following:
- The required GCP key rings and encryption keys are already created in GCP.
- These keys are mirrored as anchor resources in OCI, ensuring synchronization between GCP and OCI.
- The anchor resources are in place for database provisioning and for managing the encryption key lifecycle, including key rotation, revocation, and auditing.
- The database uses the cluster resource principal to securely retrieve GCP key resources. To enable this functionality, you must define the appropriate IAM policies in your OCI tenancy.
Read-Only Access to Oracle GCP Keys:
This policy grants read-only access to GCP key resources for the VM cluster resource principal.
Allow any-user to read oracle-db-gcp-keys in compartment id <your-compartment-OCID> where all { request.principal.type = 'cloudvmcluster'}
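The statement above is deliberately broad in its subject (any-user) and relies on the where clause to narrow access to the VM cluster resource principal. This added Python check (not Oracle's code) parses OCI policy statements of that shape and flags the drift a reviewer would look for: a missing or wrong request.principal.type condition, a verb stronger than read, or tenancy-wide scope. The grammar covers only the statement forms used here.

```python
import re

# The statement from this page (the compartment OCID stays the page's placeholder).
PAGE_POLICY = (
    "Allow any-user to read oracle-db-gcp-keys in compartment id <your-compartment-OCID> "
    "where all { request.principal.type = 'cloudvmcluster' }"
)

# Grammar of a single OCI policy statement, enough for the shapes used here.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
PRINCIPAL_TYPE_RE = re.compile(r"request\.principal\.type\s*=\s*'([^']+)'",
                               re.IGNORECASE)


def parse_statement(text):
    """Split a statement into subject, verb, resource, scope and condition."""
    match = STATEMENT_RE.match(text)
    return match.groupdict() if match else None


def check_statement(text):
    """Return least-privilege findings for one statement (empty list = OK)."""
    parts = parse_statement(text)
    if parts is None:
        return ["statement does not parse as an OCI policy statement"]
    findings = []
    verb = parts["verb"].lower()
    ptype = PRINCIPAL_TYPE_RE.search(parts["condition"] or "")
    if parts["subject"].lower() == "any-user":
        # any-user is needed because a resource principal is not a group member,
        # so the where clause is the only thing that narrows who gets access.
        if ptype is None:
            findings.append("any-user without a request.principal.type condition: "
                            "every principal in the tenancy could %s %s"
                            % (verb, parts["resource"]))
        elif ptype.group(1).lower() != "cloudvmcluster":
            findings.append("principal type '%s' is not the VM cluster"
                            % ptype.group(1))
    if verb in ("use", "manage"):
        findings.append("verb '%s' exceeds the read access the VM cluster needs"
                        % verb)
    if parts["scope"].lower() == "tenancy":
        findings.append("scope is the whole tenancy; limit it to the compartment "
                        "holding the key anchor resources")
    return findings
```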
Verify the Default Identity Connector Attached to the VM Cluster
These are the required steps to view the details of an identity connector.
- From the OCI navigation menu, select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
- From the left menu, select Exadata VM Clusters located under Oracle Exadata Database Service on Dedicated Infrastructure.
- From the list of Exadata VM Clusters, select the cluster you are using.
- Select the VM Cluster information tab, and then navigate to Identity connector located under Multicloud information.
Note
Confirm that the Identity connector field displays the identity connector attached to your Exadata VM Cluster.
- Select the Identity connector link to view its details.
- From the GCP information section, copy your Workload resource service agent, as it is required for the next section.
Create a Key Ring in Google Cloud Console
- From the GCP console, select Key management, and then select KEY RINGS tab.
- Select the + CREATE KEY RING button to start the process.
- From the Create key ring page, enter a descriptive name in the Key ring name field.
- The Location type field has three options. These options are Region, Multi-region and Global. Based on your system requirements, select your location type.
Note
- Key rings with the same name can exist in different locations, so you must always specify the location.
- Choose a location close to the resources you want to protect.
- For Customer-Managed Encryption Keys (CMEK), ensure the key ring is in the same location as the resources that will use it.
- While creating a key ring in Cloud Key Management, selecting the right location is crucial. Your choice affects where your cryptographic keys are stored and how they're replicated. For more information, see Cloud KMS locations.
- Review your information, and then select the Create button.
- Once the key ring is created, you can create and manage encryption keys within it.
Create a Key in Google Cloud Console
To create a raw symmetric encryption key in the specified key ring and location, complete the following steps:
- From the GCP console, select Key management, and then select KEY RINGS tab.
- From the key ring list, select your key ring that you previously created.
- From the Key ring details page, select + CREATE KEY button.
- From the Create key page, complete the following substeps:
- In the Name and protection section, enter a descriptive name in the Key name field.
- Select the Protection Level. Choose either the Software or HSM option.
Note
The protection level of a key can't be changed after the key is created. For more information, see Protection levels.
- Select the CONTINUE button.
- In the Key material section, select the Generated key option, and then select the CONTINUE button.
Note
Generate key material in Cloud KMS, or import key material that is maintained outside of Google Cloud. For more information, see Customer-managed encryption keys (CMEK).
- From the Purpose and algorithm section, select the Raw symmetric encrypt/decrypt option as your Purpose. From the Algorithm dropdown list, choose either the AES-128-CBC or AES-256-CBC option. Then, select the CONTINUE button. For more information, see Key purposes and algorithms.
- In the Versions section, select the CONTINUE button.
- The Additional settings section is optional.
- Select the CREATE button to create a key.
- The Location type field has two options. These options are Region and Multi-region. Based on your system requirements, select your location type.
- Review your information, and then select the Create button.
- After creating a key, you can use it for cryptographic operations that require AES-CBC encryption and decryption.
Grant Permissions in Google Cloud KMS for Key Discovery by Oracle Cloud Infrastructure (OCI)
To allow a key to be discoverable in OCI, complete the following steps:
- Create a custom role. For more information, see Create and manage custom roles.
- Complete the following substeps to assign the following permissions to your custom role for key discovery in OCI.
- From the GCP console, select Key management, and then select KEY RINGS tab.
- From the list, select the key that you are using.
- From the Permissions tab, select the + Add principal.
- In the New principals field, paste your Workload resource service agent of the identity connector.
- From the Assign roles section, add a role of your choice.
Note
You must create a custom role with the following permissions and assign it to your key ring.
Table 1-2 Required Permissions:
| Permission | Description |
| --- | --- |
| cloudkms.cryptoKeyVersions.get | Retrieve metadata of a specific key version |
| cloudkms.cryptoKeyVersions.manageRawAesCbcKeys | Manage raw AES-CBC key material |
| cloudkms.cryptoKeyVersions.create | Create new key versions within a key |
| cloudkms.cryptoKeyVersions.list | List all versions of a key |
| cloudkms.cryptoKeyVersions.useToDecrypt | Use a key version to decrypt data |
| cloudkms.cryptoKeyVersions.useToEncrypt | Use a key version to encrypt data |
| cloudkms.cryptoKeys.get | Retrieve metadata of a key |
| cloudkms.cryptoKeys.list | List all keys in a key ring |
| cloudkms.keyRings.get | Retrieve metadata of a key ring |
| cloudkms.locations.get | Retrieve information about supported key locations |
- Select the Save button to apply the changes.
- Complete the following substeps to assign the Browser role to your identity connector.
- From the GCP console, select IAM & Admin, and then select IAM.
- From the IAM page, select the + Grant access button.
- From the Add principal dropdown list, select your service account of an identity connector.
Note
From the Identity Connector details page, under the GCP Information section, locate the Workload resource service agent and note its ID. This is the service account associated with the Identity Connector.
- From the Role dropdown list, select Browser, and then select the Save button.
- Complete the following substeps to assign the following roles to your key ring.
- From the GCP console, select Key management, and then select Key rings tab.
- Select the checkbox of the key ring that you are using, and then select the + ADD PRINCIPAL button.
- In the New principals field, paste your Workload resource service agent of the identity connector.
- From the Role dropdown list, select the following roles:
- Cloud KMS Crypto Operator
- Cloud KMS Expert Raw AES-CBC Key Manager
- Cloud KMS Viewer
- Select the Save button.
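To verify the outcome of the permission steps above from exported IAM data instead of by eye, this added Python audit (not Oracle's or Google's code) compares a custom role definition with Table 1-2 and a key ring's IAM policy with the bindings the page requires for the identity connector's service agent, and flags bindings to public members that the page never asks for. The JSON samples are constructed in the shape of gcloud's JSON output with placeholder names; the predefined role IDs are my assumption of how the console role names map to IAM role IDs.

```python
import json

# Permissions from Table 1-2 on this page (the custom role for key discovery).
REQUIRED_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.manageRawAesCbcKeys",
    "cloudkms.cryptoKeyVersions.create",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.locations.get",
})
# Predefined roles the page binds on the key ring. The IDs are my assumption of
# the console-name-to-role-ID mapping; confirm with `gcloud iam roles describe`.
KEYRING_ROLES = frozenset({
    "roles/cloudkms.cryptoOperator",   # Cloud KMS Crypto Operator
    "roles/cloudkms.expertRawAesCbc",  # Cloud KMS Expert Raw AES-CBC Key Manager
    "roles/cloudkms.viewer",           # Cloud KMS Viewer
})
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")

# Constructed samples shaped like `gcloud iam roles describe --format=json` and
# `gcloud kms keyrings get-iam-policy --format=json`; all names are placeholders.
SAMPLE_ROLE = json.loads("""{
  "name": "projects/example-project/roles/ociKeyDiscovery",
  "includedPermissions": ["cloudkms.cryptoKeys.get", "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get", "cloudkms.locations.get",
    "cloudkms.cryptoKeyVersions.get", "cloudkms.cryptoKeyVersions.list"]
}""")
SAMPLE_AGENT = "serviceAccount:example-agent@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.viewer",
     "members": ["serviceAccount:example-agent@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoOperator", "members": ["allAuthenticatedUsers"]}
  ]
}""")


def missing_permissions(role):
    """Permissions from Table 1-2 that the custom role does not include."""
    return sorted(REQUIRED_PERMISSIONS - set(role.get("includedPermissions", [])))


def roles_bound_to(policy, member):
    """Roles the given member holds directly in the policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def missing_bindings(policy, member, custom_role_name):
    """Roles the identity connector's service agent still needs on the key ring."""
    wanted = set(KEYRING_ROLES) | {custom_role_name}
    return sorted(wanted - roles_bound_to(policy, member))


def public_bindings(policy):
    """Roles granted to every (authenticated) Google identity: key material
    reachable far beyond the Exadata VM cluster's service agent."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if any(m in PUBLIC_MEMBERS for m in b.get("members", [])))
```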
Register GCP Key Ring in Oracle Cloud Infrastructure (OCI)
Before you proceed, ensure that the required permissions described in the Create a Role and Assign Required Permissions from the GCP Console section are granted.
- From the OCI console, select Oracle Database, then select Database Multicloud Integrations, and then select Google Cloud Integration.
- From the left menu, select the GCP Key Rings link, and then click on the Register GCP key rings button.
- From the Register GCP key rings page, select your Compartment.
- In the GCP key rings section, select your identity connector and enter your key ring name in the Key ring names field.
- Select the Discover button, which populates a list of key rings. Select your key ring, and then select the Register button.
Note
Only key rings can be registered. Individual keys cannot be registered. All supported keys associated with a registered key ring will be available, once the required permissions are granted.
Enable or Disable Google Cloud Key Management
When you provision an Exadata VM Cluster, GCP CMEK is disabled by default. Complete the following steps to enable your GCP CMEK.
- From the OCI navigation menu , select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
- From the left menu, select Exadata VM Clusters located under Oracle Exadata Database Service on Dedicated Infrastructure.
- From the list of Exadata VM Clusters, select the cluster you are using.
- Select VM Cluster information, and then navigate to GCP Customer Managed Encryption Key located under Multicloud information.
- Select the Enable button to enable it.
Note
If you want to disable GCP Customer Managed Encryption Key, select the Disable button.
Create a Database in an Existing Exadata VM Cluster and Choose GCP Customer Managed Encryption Key as the Key Management
Follow the instructions described in the To create a database in an existing Exadata Cloud Infrastructure instance documentation, and then select GCP Customer Managed Encryption Key as your Key management.
Change the Key Management from Oracle Wallet to GCP Customer Managed Encryption Key
These are the steps to change the encryption key management from one method to another.
- Navigate to your existing Exadata VM Cluster in the OCI console. Select the Databases tab. Then, select the database resource that you are using.
- Select the Database information tab, and then scroll down to the Key management section.
- In the Encryption section, verify that Key management is set to Oracle Wallet, and then select the Change link.
- Enter the following information on the Change key management page.
- Select your Key management as GCP Customer Managed Encryption Key from the drop-down list.
- Select your Key ring compartment that you are using, and then select your Key ring that is available in the compartment.
- Select the Key compartment that you are using, and then select your Key from the dropdown list.
- Select the Save changes button to submit.
Rotate the GCP Customer Managed Encryption Key of a Container Database (CDB)
- From the OCI navigation menu, select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
- Navigate to your existing Exadata VM Cluster in the OCI console, select the Databases tab. Then, choose your container database, and then select the Database information tab.
- In the Encryption section, verify that Key management is set to GCP Customer Managed Encryption Key, and then select the Rotate key link.
- Select the Rotate button to confirm the key rotation.
Rotate the GCP Customer Managed Encryption Key of a Pluggable Database (PDB)
- From the OCI navigation menu, select Oracle Database, and then select Oracle Exadata Database Service on Dedicated Infrastructure.
- Select your Exadata VM Cluster, and then select Databases link from the left menu.
- Select the Name of the database you are using, and then select the Pluggable Databases link under the Resources section.
- Select the Name field of the pluggable database you want to use.
- The Encryption section shows that Key management is set to GCP Customer Managed Encryption Key. Select the Rotate link, and then select the Rotate button to confirm the key rotation.