Register Autonomous Databases on Dedicated Exadata Infrastructure

You can register an Autonomous Database on Dedicated Exadata Infrastructure from within the Oracle Cloud Infrastructure Console.

Workflow

To register an Autonomous Database on dedicated Exadata infrastructure, you need to create an Oracle Data Safe private endpoint in Oracle Cloud Infrastructure prior to registration. To create the private endpoint, you require various permissions. You also require permissions to perform the actual target database registration. After you register the database, you can update the security list and network security group with the information you obtain from the target registration.

The following steps outline the process for registering an Autonomous Database on dedicated Exadata Infrastructure.

  1. Obtain the required permissions in Oracle Cloud Infrastructure and Oracle Data Safe to register your Autonomous Database. See Obtain the Required Permissions for Registering Your Autonomous Database.
  2. Obtain the required permissions for managing virtual networking resources in Oracle Cloud Infrastructure. See Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure.
  3. Obtain the required permissions for creating an Oracle Data Safe private endpoint. See Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints.
  4. Create an Oracle Data Safe private endpoint in Oracle Cloud Infrastructure. See Create an Oracle Data Safe Private Endpoint.
  5. Update the security list and network security group so that the private endpoint can reach the database. See Update the Security List and Network Security Group for an Autonomous Database on Dedicated Exadata Infrastructure.
  6. Register your Autonomous Database from its Console in Oracle Cloud Infrastructure. See Register an Autonomous Database on Dedicated Exadata Infrastructure.
  7. Grant or revoke roles from the Oracle Data Safe service account. See Grant Roles to the Oracle Data Safe Service Account on Your Autonomous Database.
  8. (Optional) Narrow down the security rules for your database so that only the Oracle Data Safe private endpoint and the specific IP addresses of your database can communicate. See Update the Security List and Network Security Group for an Autonomous Database on Dedicated Exadata Infrastructure.
  9. Configure authorization policies in the Oracle Data Safe Console. See Configure Authorization Policies.

Obtain the Required Permissions for Registering Your Autonomous Database

To register an Autonomous Database with Oracle Data Safe, you require permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), on the database, and in Oracle Data Safe.

  • Permission in IAM to access the database. The user group to which you belong requires at least the use permission on the autonomous-database resource type. For example, to grant the Data-Safe-Admins group the use permission on all Autonomous Databases in the Finance compartment, a tenancy administrator could write the following policy statement:
    allow group Data-Safe-Admins to use autonomous-database in compartment Finance
  • Permission to log in to the database as an administrator. You need to be able to log in as a PDB administrator (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL package in order to grant additional roles to the DS$ADMIN service account for Oracle Data Safe.
  • Permission to manage at least one feature in Oracle Data Safe. The user group to which you belong needs to be granted the manage privilege on at least one feature in Oracle Data Safe (Assessment, Activity Auditing, or Discovery and Masking) so that you can register, update, and delete target databases for that feature.

Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure

Prior to creating an Oracle Data Safe private endpoint, you need to obtain permissions for managing virtual networking resources in Oracle Cloud Infrastructure. You require certain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. The following list gives the required access on the underlying virtual networking resources for each type of private endpoint operation.

  • Create a private endpoint
    • Private endpoint compartment: create/delete VNIC, update members in a network security group, associate a network security group
    • Subnet compartment: attach/detach subnet
  • Update a private endpoint
    • Private endpoint compartment: update VNIC, update members in a network security group, associate a network security group
  • Delete a private endpoint
    • Private endpoint compartment: delete VNIC, update members in a network security group
    • Subnet compartment: detach subnet

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-6 Broad permission

In this example, the dbadmin group has broad permission to manage all virtual networking resources in the compartment ADWcmp1.

allow group dbadmin to manage virtual-network-family in compartment ADWcmp1

Example 3-7 Specific permissions

In this example, the dbadmin group has only the specific permissions needed on network resources. The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint.

allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1

Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints

To create, update, or delete Oracle Data Safe private endpoints, you require permissions on Oracle Data Safe resources in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. There are two types of Oracle Data Safe resources on which you can grant permissions:

  • data-safe-family
  • data-safe-private-endpoints

The following list describes the different permissions for an Oracle Data Safe private endpoint.

  • inspect: list an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • read or use: inspect and view properties for an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • manage: inspect, read, create, update, delete, and move an Oracle Data Safe resource in Oracle Cloud Infrastructure

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-8 Broad permission

In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in the compartment ADWcmp1.

allow group dsadmins to manage data-safe-family in compartment ADWcmp1

Example 3-9 Specific permission

In this example, the ProjectA group has specific permission to manage the resource called data-safe-private-endpoints.

allow group ProjectA to manage data-safe-private-endpoints in compartment ADWcmp1

Create an Oracle Data Safe Private Endpoint

You can create an Oracle Data Safe private endpoint from the Oracle Data Safe service page in Oracle Cloud Infrastructure. You typically create the private endpoint in the same VCN as your database. The only exception is when you are using VCN peering; in that case, you can select another VCN for which VCN peering with your database's VCN is set up. The private IP address does not need to be on the same subnet as your database, but it does need to be on a subnet that can communicate with the database. You can create a maximum of one private endpoint per VCN.

Note

If a private endpoint already exists in the same VCN as your database, then you do not need to create a private endpoint.

When you create a private endpoint, you have the option to associate network security groups (NSGs) with it. You may need to do this to ensure the private endpoint can access your database. A network security group specifies egress and ingress security rules at the IP address level. You can create network security groups by using Oracle Cloud Infrastructure's networking service. See Access and Security in the Oracle Cloud Infrastructure documentation.

  1. Refer to the following list to obtain the network information for your database.
    • DB system that has a private IP address
      1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Bare Metal, VM, and Exadata.
      2. Click the name of your DB system.
      3. On the DB System Information tab, under Network, make note of the VCN and subnet names.
    • Autonomous Database on Dedicated Exadata Infrastructure that has a private IP address
      1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Autonomous Dedicated Infrastructure.
      2. Click Autonomous Exadata Infrastructure.
      3. On the right, in the Autonomous Exadata Infrastructure table, click the name of the infrastructure in which your database exists.
      4. Under Network, make note of the VCN and subnet names.
    • Autonomous Database on Shared Exadata Infrastructure that has a private IP address
      1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Autonomous Data Warehouse or Autonomous Transaction Processing.
      2. From the Compartment drop-down list, select the compartment that contains your Autonomous Database.
      3. On the right, click the name of your Autonomous Database.
      4. Under Network on the Autonomous Database Information tab, make note of the VCN and subnet names.
    • Oracle Database on a compute instance in Oracle Cloud Infrastructure
      1. From the navigation menu in Oracle Cloud Infrastructure, select Compute, and then Instances.
      2. Click the name of your compute instance.
      3. On the Instance Information tab, make note of the VCN and subnet names.
    • Oracle Database on a compute instance in a non-Oracle cloud environment
      1. From the navigation menu in Oracle Cloud Infrastructure, select Networking, and then Site-to-Site VPN (IPSec) or FastConnect.
      2. Select the VCN and subnet in Oracle Cloud Infrastructure that has connectivity via FastConnect or VPN Connect to your database.
      3. If you do not have FastConnect or VPN Connect set up, Oracle recommends that you use an Oracle Data Safe on-premises connector instead. See Register On-Premises Oracle Databases by Using an Oracle Data Safe On-Premises Connector.
    • On-premises Oracle Database
      Obtain the name of the virtual cloud network and subnet on which your on-premises Oracle database can be accessed.

  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe.
    The Overview page is displayed.
  3. On the left, click Private Endpoints.
    The Private Endpoints page is displayed.
  4. Click Create Private Endpoint.
    The Create Private Endpoint page is displayed.
  5. In the NAME field, enter a name for your private endpoint.
  6. Select a compartment in which to store your private endpoint.
  7. Scroll down to the Private Endpoint Information section.
  8. From the VIRTUAL CLOUD NETWORK drop-down list, select the VCN on which your database can be accessed. If needed, click CHANGE COMPARTMENT and select the compartment that stores your VCN.
  9. From the SUBNET drop-down list, select a subnet within the selected VCN. If needed, click CHANGE COMPARTMENT and select the compartment that stores the subnet that you want to use.
    The subnet can be in a different compartment than the VCN. The subnet that you select needs to have access to the database's subnet.
  10. (Optional) In the PRIVATE IP field, specify a private IP address.
    If you do not specify a private IP address, Oracle Cloud Infrastructure automatically generates one for you in the selected subnet.
  11. (Optional) Select a network security group to which your database belongs.
  12. (Optional) To add another network security group, click + Another Network Security Group, and select another network security group.
  13. Click Create Private Endpoint.
    A private endpoint for Oracle Data Safe is provisioned in your database's VCN.
  14. To view details for your private endpoint, click its name. Take note of the Private IP address that was assigned to the Private Endpoint (or that you assigned to it). It is needed for configuring security rules.

Update the Security List and Network Security Group for an Autonomous Database on Dedicated Exadata Infrastructure

Update the security list for your virtual cloud network (VCN) and, if implemented, the network security group for your database subnet to allow traffic from the Oracle Data Safe private endpoint IP address to the database IP address(es). This step allows Oracle Data Safe to access your database. A security list acts as a virtual firewall for your database and consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. Both stateful and stateless security rules in the security list are allowed. For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

For your database to communicate with Oracle Data Safe, you need to create two security rules:

  • Ingress rule for the database: Allow the database to receive incoming traffic on its port from the private IP address of the Oracle Data Safe private endpoint (from any port). For an Oracle database in a non-Oracle cloud environment, you might have to configure an ingress rule in the non-Oracle cloud environment. Setting up an ingress rule in Oracle Cloud Infrastructure is not necessary.
  • Egress rule for the Oracle Data Safe private endpoint: Allow the Oracle Data Safe private endpoint (from any port) to send requests to the database IP address(es) on the database's port.

There are two approaches that you can take when creating the ingress and egress rules. The first approach is to allow communication between Oracle Data Safe and every IP address in the database's subnet by using the subnet's CIDR block as the rule's source (ingress) or destination (egress). This configuration allows Oracle Data Safe to connect to all of your databases in the subnet. Note that a rule written for 0.0.0.0/0 is broader than that: it matches every IP address, not only the subnet, and should not be used for this purpose. The other approach is to configure separate ingress and egress rules for each database IP address (one /32 per floating IP), which is the narrower option.

Example 3-10 Configuring security rules for an Autonomous Database on Dedicated Exadata Infrastructure and an Oracle Data Safe private endpoint

Suppose you want to register an Autonomous Database on Dedicated Exadata Infrastructure. Currently, all IP addresses on the database's subnet can communicate with each other. This is required for an Autonomous Database on Dedicated Infrastructure prior to registering it with Oracle Data Safe. After registering the database, you decide to narrow down the scope of communication on the subnet. From the Target Details dialog box for your database in the Oracle Data Safe Console, you view the two floating IP addresses for your database: 10.0.0.164 and 10.0.0.165.

Note

An Autonomous Transaction Processing - Dedicated database can have up to 8 floating IP addresses for the database nodes.

Next, you configure security rules the following way in the database VCN:

  • Ingress for the database: The database on port 2484 can receive incoming traffic from the private endpoint's private IP address (from any port).
  • Egress for the private endpoint:
    • The private endpoint (from any port) can send requests to the database IP address 10.0.0.164 on port 2484.
    • The private endpoint (from any port) can send requests to the database IP address 10.0.0.165 on port 2484.
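The rule sets described above, generated and reviewed by a short script. This is an editor-added example, not code from the Oracle documentation. The dictionaries use the field names of the OCI Networking API SecurityRule object (direction, protocol "6" for TCP, sourceType/destinationType CIDR_BLOCK, tcpOptions.destinationPortRange) as the author understands them; verify that shape against the API reference before passing the output to the CLI or SDK. The private endpoint address 10.0.0.10 and the database subnet 10.0.0.0/24 are made-up values; the node addresses 10.0.0.164 and 10.0.0.165 and port 2484 are the page's. The check function reports any rule whose CIDR reaches outside the database subnet, which is how an accidental 0.0.0.0/0 rule would be caught in review.

```python
"""Generate and review the security rules that let an Oracle Data Safe private
endpoint reach an Autonomous Database on Dedicated Exadata Infrastructure.

Editor-added example, not code from the Oracle documentation.
Assumptions: the dict layout mirrors the OCI Networking API SecurityRule
object (verify against the API reference before use); 10.0.0.10 is a made-up
private endpoint address and 10.0.0.0/24 a made-up database subnet.
"""

import ipaddress
import json

DB_PORT = 2484  # listener port from the page's worked example (TCPS)


def make_rule(direction, cidr, port, stateless=False):
    """Build one TCP rule pinned to a single destination port.

    Only the destination port is restricted; the source port is left open,
    which is the "from any port" wording used in the documentation.
    """
    rule = {
        "direction": direction,              # "INGRESS" or "EGRESS"
        "protocol": "6",                     # IANA protocol number for TCP
        "isStateless": stateless,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }
    if direction == "INGRESS":
        rule["source"] = cidr
        rule["sourceType"] = "CIDR_BLOCK"
    else:
        rule["destination"] = cidr
        rule["destinationType"] = "CIDR_BLOCK"
    return rule


def build_rules(pe_ip, db_ips, port=DB_PORT):
    """Return (ingress rules for the database NSG, egress rules for the
    private endpoint NSG), one /32 per address so nothing else is admitted."""
    pe = ipaddress.ip_address(pe_ip)
    ingress = [make_rule("INGRESS", f"{pe}/32", port)]
    egress = [
        make_rule("EGRESS", f"{ipaddress.ip_address(ip)}/32", port)
        for ip in db_ips
    ]
    return ingress, egress


def overly_broad(rules, db_subnet):
    """Return the CIDRs of rules that admit addresses outside db_subnet.

    Catches the common mistake of writing 0.0.0.0/0 when the intent was
    "every host in the database subnet".
    """
    subnet = ipaddress.ip_network(db_subnet)
    offenders = []
    for rule in rules:
        cidr = rule.get("source") or rule.get("destination")
        if not ipaddress.ip_network(cidr).subnet_of(subnet):
            offenders.append(cidr)
    return offenders


if __name__ == "__main__":
    # Floating IPs of the two database nodes are the ones from the page.
    ingress, egress = build_rules("10.0.0.10", ["10.0.0.164", "10.0.0.165"])
    print(json.dumps({"securityRules": ingress + egress}, indent=2))
    print("too broad:", overly_broad(ingress + egress, "10.0.0.0/24"))
    # A catch-all rule is reported by the reviewer check.
    catch_all = [make_rule("INGRESS", "0.0.0.0/0", DB_PORT)]
    print("too broad:", overly_broad(catch_all, "10.0.0.0/24"))
```

The ingress rules belong on the network security group (or security list) that covers the database's VNICs, the egress rules on the one attached to the private endpoint. Keeping each rule at /32 means that adding a database node later is an explicit, reviewable change rather than something a subnet-wide rule silently admits.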

Register an Autonomous Database on Dedicated Exadata Infrastructure

You can register an Autonomous Database on dedicated Exadata infrastructure from the database's Console in Oracle Cloud Infrastructure. Prior to registration, be sure to do the following:

  • Create an Oracle Data Safe private endpoint in your database's VCN; otherwise, registration will fail.
  • Obtain the ADMIN password for your database.
  • If you are registering an Autonomous Database on dedicated Exadata infrastructure and Database Vault is enabled on the database: Connect to your database as a user with the DV_ACCTMGR role and temporarily grant the DV_ACCTMGR role to the ADMIN user.
  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. From the navigation menu, select Oracle Database, and then Autonomous Dedicated Infrastructure.
  3. Under Dedicated Infrastructure, click Autonomous Exadata Infrastructure (also referred to as AEI).
  4. In the table, click the container database that contains your database.
    Your Autonomous Database is a pluggable database (PDB).
  5. In the Autonomous Databases table, click the name of your database.
  6. If you need to reset the password for your database, do the following:
    1. From the More Actions menu, select Admin Password.
      The Admin Password dialog box is displayed.
    2. Enter a new ADMIN password, confirm it, and then click Update.
  7. On the Autonomous Database Information tab, under Data Safe, click Register.
    The Register Database with Data Safe dialog box is displayed.
  8. Enter the password for the ADMIN database user account, and then click Confirm.
    The ADMIN password is required to unlock an Oracle Data Safe user account (DS$ADMIN) that is already created in your database.
    The registration process is started and a work request is created. The registration process automatically searches for and uses the Oracle Data Safe private endpoint on your database's VCN.
  9. To view the work request, do the following:
    1. Scroll down the page.
    2. On the left under Resources, click Work Requests.
    3. In the Work Request table, find the operation called Register Autonomous Dedicated Database with Data Safe.
  10. Wait for the registration process to finish.
    When the registration process is completed, the database is automatically registered to the same compartment to which it belongs in Oracle Cloud Infrastructure. The user registering the database is automatically authorized to manage the User Assessment, Security Assessment, and Activity Auditing features for that compartment.
  11. If the registration operation fails, make sure that you have correctly configured an Oracle Data Safe private endpoint in your database's VCN. See Create an Oracle Data Safe Private Endpoint and Update the Security List and Network Security Group for an Autonomous Database on Dedicated Exadata Infrastructure.
  12. Obtain the IP addresses for the database nodes and the database's port number from the Oracle Data Safe Console:
    1. Click View Console.
      The Oracle Data Safe Console is displayed. Notice that the dashboard is automatically filtered to show data only for your database.
    2. Click the Targets tab.
      Your database is listed in the table.
    3. Click the name of your database to view its registration information.
    4. Make note of the IP addresses and port number.
      The IP addresses are floating IP addresses for the database nodes. There can be up to eight IP addresses. Later, you can create security rules for these IP addresses if needed.
    5. Click Close.
  13. (Optional) If you registered an Autonomous Database on dedicated Exadata infrastructure and Database Vault is enabled on the database: Connect to your database as a user with the DV_ACCTMGR role and revoke the DV_ACCTMGR role from the ADMIN user.

Grant Roles to the Oracle Data Safe Service Account on Your Autonomous Database

By default, your Autonomous Database comes with a database account specifically created for Oracle Data Safe named DS$ADMIN. The roles that you grant to this account determine the Oracle Data Safe features that you can use with your Autonomous Database.

For an Autonomous Database on Shared Exadata Infrastructure, all roles are already granted by default, except for DS$DATA_MASKING_ROLE.

For an Autonomous Database on Dedicated Exadata Infrastructure, only DS$ASSESSMENT_ROLE and DS$AUDIT_COLLECTION_ROLE are granted by default. You need to grant the other roles.

Note

If Database Vault is enabled on your Autonomous Database, be aware that there are specific steps to take in the procedure below to get Oracle Data Safe to work with Database Vault.

The following list describes the available roles for Autonomous Databases.

  • DS$ASSESSMENT_ROLE: privileges required for the User Assessment and Security Assessment features
  • DS$AUDIT_COLLECTION_ROLE: privileges required for accessing audit trails for the target database
  • DS$DATA_DISCOVERY_ROLE: privileges required for the Data Discovery feature (discovering sensitive data in the target database)
  • DS$DATA_MASKING_ROLE: privileges required for the Data Masking feature (masking sensitive data in the target database)
  • DS$AUDIT_SETTING_ROLE: privileges required for updating target database audit policies

To grant or revoke roles from the Oracle Data Safe service account on an Autonomous Database, you run the DS_TARGET_UTIL PL/SQL package on the Autonomous Database. You need to run this package as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.

You can grant or revoke roles as often as needed.

  1. If Database Vault is enabled on your database and you want to use the User Assessment or Security Assessment features in Oracle Data Safe, connect to your database as a user with the DV_OWNER role and grant the DV_SECANALYST role to the DS$ADMIN user.
  2. To grant or revoke a role from the Oracle Data Safe service account, do the following:
    1. Using a tool like SQL*Plus or SQL Developer, log in to your Autonomous Database as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.
    2. Run one of the following commands:
      EXECUTE DS_TARGET_UTIL.GRANT_ROLE('role_name');

      or

      EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('role_name');

      where role_name is the name of an Oracle Data Safe role. role_name must be enclosed in single quotation marks.

      Note

      If Database Vault is enabled on your database and you grant the DS$DATA_MASKING_ROLE role, expect an ORA-20001 error and proceed to step 3.
  3. If Database Vault is enabled on your database and you want to use the Data Masking feature in Oracle Data Safe, do the following:
    1. Connect to the database as a user with the DV_OWNER role and authorize the ADMIN user to the Oracle System Privilege and Role Management Realm.
    2. Connect to the database as the ADMIN user and grant UNLIMITED TABLESPACE to the DS$ADMIN user.
    You can now use the Data Masking feature.
  4. (Optional) If Database Vault is enabled on your database and you want to revoke the User Assessment or Security Assessment feature: Connect to the database as a user with the DV_OWNER role and revoke the DV_SECANALYST role from the DS$ADMIN user.
    The Assessment features are no longer available for the database.
  5. (Optional) If Database Vault is enabled on your database and you want to revoke the Data Masking feature:
    1. Connect to the database as the ADMIN user and revoke UNLIMITED TABLESPACE from the DS$ADMIN user.
    2. Connect to the database as a user with the DV_OWNER role and unauthorize the ADMIN user from the Oracle System Privilege and Role Management Realm.
    The Data Masking feature is no longer available for the database.
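The role-grant procedure above, together with the temporary DV_ACCTMGR grant that the registration section requires when Database Vault is enabled, collected into one SQL*Plus script as an added example. This is editor-written, not a script from the Oracle documentation. The DS_TARGET_UTIL calls, the role names and the realm name are the ones the page gives; DBMS_MACADM.ADD_AUTH_TO_REALM and DELETE_AUTH_FROM_REALM are the standard Database Vault API for realm authorization, and granting ADMIN participant (rather than owner) authorization is an assumption, as are the two catalog queries used to verify the result. Each step must be run as the user named in its comment; the Database Vault steps apply only when Database Vault is enabled.

```sql
-- Step 0 (before registration, Database Vault only; as a user with DV_ACCTMGR):
-- let ADMIN manage accounts while Oracle Data Safe unlocks DS$ADMIN.
GRANT DV_ACCTMGR TO ADMIN;
-- ... register the database in the Console, then take the grant back:
REVOKE DV_ACCTMGR FROM ADMIN;

-- Step 1 (Database Vault only; as a user with DV_OWNER): Assessment features.
GRANT DV_SECANALYST TO DS$ADMIN;

-- Step 2 (as ADMIN, or a user with EXECUTE on DS_TARGET_UTIL): add the roles a
-- Dedicated Autonomous Database does not grant to DS$ADMIN by default.
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_DISCOVERY_ROLE');
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$AUDIT_SETTING_ROLE');
-- With Database Vault enabled this call raises ORA-20001; continue with step 3.
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_MASKING_ROLE');

-- Step 3 (Database Vault only): enable Data Masking.
-- 3a. As a user with DV_OWNER: authorize ADMIN in the realm
--     (participant authorization is an assumption; adjust if owner is required).
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Oracle System Privilege and Role Management Realm',
    grantee       => 'ADMIN',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
-- 3b. As ADMIN:
GRANT UNLIMITED TABLESPACE TO DS$ADMIN;

-- Verification (assumed catalog queries; any user who can read the DBA views):
-- confirm exactly what DS$ADMIN holds before handing the target to Data Safe users.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'DS$ADMIN' ORDER BY 1;
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'DS$ADMIN' ORDER BY 1;

-- Rollback, in reverse order (steps 4 and 5 of the procedure).
REVOKE UNLIMITED TABLESPACE FROM DS$ADMIN;                  -- as ADMIN
BEGIN                                                        -- as DV_OWNER
  DBMS_MACADM.DELETE_AUTH_FROM_REALM(
    realm_name => 'Oracle System Privilege and Role Management Realm',
    grantee    => 'ADMIN');
END;
/
REVOKE DV_SECANALYST FROM DS$ADMIN;                          -- as DV_OWNER
EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('DS$DATA_MASKING_ROLE');  -- as ADMIN
```

Keep the DV_ACCTMGR and realm authorizations for ADMIN as short-lived as the procedure allows: both widen what the ADMIN account can do inside Database Vault, and the verification queries are the place to confirm that only the intended roles and the UNLIMITED TABLESPACE privilege remain on DS$ADMIN afterwards.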

Configure Authorization Policies

After you register a database with Oracle Data Safe, you need to configure authorization policies in the Oracle Data Safe Console. Authorization policies determine which users can access the database and what they can do with the database.

You can configure authorization policies from the Security page in the Oracle Data Safe Console. To configure authorization policies, you need to be a tenancy administrator, an Oracle Data Safe administrator, or a delegated Oracle Data Safe administrator. See Create an Oracle Data Safe Administrators Group and Create a Delegated Administrator.

  1. Sign in to the Oracle Data Safe Console.
  2. At the top of the page, click Security.
  3. (Optional) To filter the list of compartments to show only those that have grants to users and user groups in Oracle Data Safe, select the Show compartments with grants only check box.
  4. Select the compartment for which you want to configure the authorization policy.
    A list of users and user groups is displayed.
  5. To grant a user or user group a privilege for a feature, select View or Manage from the Assessment, Discovery and Masking, and/or Activity Auditing drop-down lists.
    You can still select Manage for a user or user group even if that user or user group cannot inspect user groups in the tenancy. In this case, the user group can read, create, update, and delete resources for the feature, but cannot configure authorization policies.
  6. To grant a user or user group the same privilege for all features, select -- (none), View, or Manage from the All Features drop-down list.
  7. To revoke a privilege from a user or user group, select -- in a feature drop-down list.
  8. To filter the list of users and user groups to only those that have privileges, move the Hide IAM user groups without any access rights switch to the right.
  9. Click Save.