Oracle Cloud Infrastructure Documentation

Create TLS Database Links from an Autonomous Database to another Autonomous Database

You can create TLS database links from an Autonomous Database on Dedicated Exadata Infrastructure to a target Autonomous Database that is on a public endpoint.

Parent topic: Link Data

Create One-way TLS Database Links from an Autonomous Database to another Autonomous Database

You can create one-way TLS database links from an Autonomous Database on Dedicated Exadata Infrastructure to a publicly accessible Autonomous Database.

To create database links to a public target, the target database must be accessible. Some databases, including Autonomous Databases, may limit access (for example, using Access Control Lists). Make sure you enable your target database to allow access from your source database for the database link to work. If you limit access with Access Control Lists (ACLs), you can find the outbound IP address of your source Autonomous Database and allow that IP address to connect to your target database. When the target database is another Autonomous Database, you can add the outbound IP address of the source database to the ACL of the target database.

See Obtain Tenancy Details for information on finding the outbound IP address.

To create a database link to a target Autonomous Database without a wallet (TLS):

  1. Ensure that one-way TLS connections are enabled.

    By default, one-way TLS connections are enabled when you provision an AVMC. See Create an Autonomous Exadata VM Cluster for more information.

    Note

    In an Autonomous Database on Dedicated Exadata Infrastructure, walletless connections work for one-way TLS by installing a custom SSL certificate issued by a public CA. For more details, see Prepare for TLS Walletless Connections.
  2. On the Autonomous Database instance where you are creating the database link, create credentials to access the target Autonomous Database. The username and password you specify with DBMS_CLOUD.CREATE_CREDENTIAL are the credentials for the target database (you use these credentials to create the database link).
    Note

    Supplying the credential_name parameter is required.

    For example: 

    BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name => 'DB_LINK_CRED',
        username => 'NICK',
        password => 'password' );
END;
/

    The characters in the username parameter must be all uppercase letters.

    This operation stores the credentials in the database in an encrypted format. You can use any name for the credential name.

  3. Create a database link to the target Autonomous Database instance using DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

    For example:

    BEGIN
    DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
        db_link_name => 'SALESLINK', 
        hostname => 'adb.eu-frankfurt-1.oraclecloud.com', 
        port => '2484',
        service_name => 'example_medium.atpc.example.oraclecloud.com',
        credential_name => 'DB_LINK_CRED',
        directory_name => NULL);
END;
/

    To create a database link with DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK to a target Autonomous Database on a public endpoint using a secure TCP connection without a wallet, the directory_name parameter must be NULL.

    The port parameter value must be set to 2484 for TLS connections. However, if a different SCAN listener port number was chosen while provisioning the AVMC, you must use that port number. See Create Autonomous Exadata VM Cluster for more information.

    The ssl_server_cert_dn parameter can either be omitted or if included, specify a NULL value.

    Users other than ADMIN require privileges to run DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

  4. Use the database link you created to access data on the target database.

    For example:

    SELECT * FROM employees@SALESLINK;

For the credentials you create in Step 1, the target database credentials, if the password of the target user changes you can update the credential that contains the target user's credentials as follows:

BEGIN
    DBMS_CLOUD.UPDATE_CREDENTIAL (
          credential_name => 'DB_LINK_CRED',
          attribute => 'PASSWORD',
          value => 'password' );
END;
/

Where password is the new password.

After this operation, the existing database links that use this credential continue to work without having to drop and recreate the database links.

For additional information, see:

Create mTLS Database Links from an Autonomous Database to another Autonomous Database

You can to create mTLS database links from an Autonomous Database on Dedicated Exadata Infrastructure to a publicly accessible Autonomous Database.

To create database links to a public target, the target database must be accessible. Some databases, including Autonomous Databases, may limit access (for example, using Access Control Lists). Make sure you enable your target database to allow access from your source database for the database link to work. If you limit access with Access Control Lists (ACLs), you can find the outbound IP address of your source Autonomous Database and allow that IP address to connect to your target database. For example, if the target database is another Autonomous Database, you can add the outbound IP address of the source database to the ACL of the target database.

See Obtain Tenancy Details for information on finding the outbound IP address.

To create database links to a target Autonomous Database with a wallet (mTLS):

  1. Ensure that mTLS connections are enabled.

    By default, one-way TLS connections are enabled for an AVMC. You can enable mutual TLS (mTLS) authentication by selecting the Enable mutual TLS (mTLS) authentication check-box while provisioning the AVMC. See Create an Autonomous Exadata VM Cluster for more information.

  2. Copy your target database wallet, cwallet.sso, containing the certificates for the target database to Object Store.

    Note the following for the wallet file:

    • The wallet file, along with the Database user ID and password provide access to data in the target Oracle Database. Store wallet files in a secure location. Share wallet files only with authorized users.

    • Do not rename the wallet file. The wallet file in Object Storage must be named cwallet.sso.

  3. Create credentials to access your Object Store where you store the wallet file cwallet.sso. See CREATE_CREDENTIAL Procedure for information about the username and password parameters for different object storage services.
  4. Create a directory on Autonomous Database for the wallet file cwallet.sso.

    For example:

    CREATE DIRECTORY dblink_wallet_dir AS 'directory_path_of_your_choice';

    See Create Directory in Autonomous Database for information on creating directories.

  5. Use DBMS_CLOUD.GET_OBJECT to upload the target database wallet to the directory you created in the previous step, DBLINK_WALLET_DIR.

    For example:

    BEGIN 
    DBMS_CLOUD.GET_OBJECT(
        credential_name => 'DEF_CRED_NAME',
        object_uri => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/cwallet.sso',
        directory_name => 'DBLINK_WALLET_DIR'); 
END;
/

    In this example, namespace-string is the Oracle Cloud Infrastructure object storage namespace and bucketname is the bucket name. See Understanding Object Storage Namespaces for more information.

  6. On the Autonomous Database instance, create credentials to access the target database. The username and password you specify with DBMS_CLOUD.CREATE_CREDENTIAL are the credentials for the target database that you use to create the database link.
    Note

    Supplying the credential_name parameter is required.

    For example:

    BEGIN
    DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name => 'DB_LINK_CRED',
        username => 'NICK',
        password => 'password');
END;
/

    The characters in the username parameter must be all uppercase letters.

    This operation stores the credentials in the database in an encrypted format. You can use any name for the credential name.

  7. Create the database link to the target database using DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

    For example:

    BEGIN
    DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
        db_link_name => 'SALESLINK',
        hostname => 'adb.eu-frankfurt-1.oraclecloud.com', 
        port => '2484',
        service_name => 'example_medium.atpc.example.oraclecloud.com',
        ssl_server_cert_dn => 'CN=atpc.example.oraclecloud.com,OU=Oracle BMCS FRANKFURT,O=Oracle Corporation,L=Redwood City,ST=California,C=US',
        credential_name => 'DB_LINK_CRED',
        directory_name => 'DBLINK_WALLET_DIR');
END;
/

    Users other than ADMIN require privileges to run DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK.

    The port parameter value must be set to 2484 for TLS connections. However, if a different SCAN listener port number was chosen while provisioning the AVMC, you must use that port number. See Create Autonomous Exadata VM Cluster for more information.

    If the wallet file in the directory specified with directory_name is not cwallet.sso, the procedure reports an error such as: ORA-28759: failure to open file.

  8. Use the database link you created to access data on the target database.

    For example:

    SELECT * FROM employees@SALESLINK;

For the credentials you create in Step 5, the target database credentials, if the password of the target user changes you can update the credential that contains the target user's credentials as follows:

BEGIN
    DBMS_CLOUD.UPDATE_CREDENTIAL (
        credential_name => 'DB_LINK_CRED',
        attribute => 'PASSWORD',
        value => 'password' );
END;
/

Where password is the new password.

After this operation, the existing database links that use this credential continue to work without having to drop and recreate the database links.

For additional information, see:

Database Link Notes with a Target that is an Autonomous Database

Provides notes for creating database links to a target that is another Autonomous Database.

Notes for database links to another Autonomous Database:

  • Only one wallet file is valid per directory for use with database links. You can only upload one cwallet.sso at a time to the directory you choose for wallet files (for example DBLINK_WALLET_DIR). This means with a cwallet.sso in DBLINK_WALLET_DIR you can only create database links to the databases for which the wallet in that directory is valid. To use multiple cwallet.sso files with database links you need to create additional directories and put each cwallet.sso in a different directory. When you create database links with DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK, specify the directory that contains the wallet with the directory_name parameter.

    See Create Directory in Autonomous Database for information on creating directories.

  • To list the database links, use the ALL_DB_LINKS view. See ALL_DB_LINKS for more information.

  • The wallet file, along with the Database user ID and password provide access to data in the target Autonomous Database. Store wallet files in a secure location. Share wallet files only with authorized users.