Register DB Systems that have Public IP Addresses

In the Oracle Data Safe Console, you can register DB systems that have public IP addresses. During registration, you configure either a TCP or TLS connection.

Workflow

The following steps register a DB system that has a public IP address. The section named after each step describes it in detail.

  1. Obtain the required permissions in Oracle Cloud Infrastructure and Oracle Data Safe to register your DB system. See Obtain the Required Permissions for Registering DB Systems.
  2. Allow traffic from the Oracle Data Safe Network Address Translation (NAT) gateway into your virtual cloud network. See Add Oracle Data Safe's NAT Gateway IP Address to Your Virtual Cloud Network's Security List.
  3. Create a service account on your DB system specifically for Oracle Data Safe. See Create a Service Account for Oracle Data Safe on Your DB System.
  4. Grant roles to the Oracle Data Safe service account. See Grant Roles to the Oracle Data Safe Service Account.
  5. If you plan to connect to your DB system via a TLS connection, create the necessary certificates and/or wallets. See Create a Wallet or Certificate for a TLS Connection to a DB System.
  6. Register your DB system in the Oracle Data Safe Console. See Register a DB System that has a Public IP Address.
  7. Configure authorization policies in the Oracle Data Safe Console. See Configure Authorization Policies.

Obtain the Required Permissions for Registering DB Systems

Obtain the following permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), on the database, and in Oracle Data Safe:

  • Permission in IAM to access the database: The user group to which you belong requires at least the inspect permission on three resource types: db-systems, db-nodes, and vnics. For example, to grant the Data-Safe-Admins group the inspect permission on all db-systems, db-nodes, and vnics in a tenancy, a tenancy administrator could write the following policy:
    allow group Data-Safe-Admins to inspect db-systems in tenancy
    allow group Data-Safe-Admins to inspect db-nodes in tenancy
    allow group Data-Safe-Admins to inspect vnics in tenancy
  • Permission to log in to the database as an administrator: You need to be able to log in as the SYS account to create the Oracle Data Safe service account and run the SQL privileges script.
  • Permission to manage at least one feature in Oracle Data Safe: The user group to which you belong needs to be able to register, update, and delete target databases in Oracle Data Safe for at least one feature.

Add Oracle Data Safe's NAT Gateway IP Address to Your Virtual Cloud Network's Security List

To allow Oracle Data Safe to connect to your DB system, a database administrator needs to add an ingress security rule to the security list of the subnet that hosts the DB system in your virtual cloud network (VCN). Restrict the rule's source to the single Oracle Data Safe Network Address Translation (NAT) gateway IP address (as a /32 CIDR) for the region in which Oracle Data Safe is enabled, and its destination to the database listener port; do not open the listener port to 0.0.0.0/0. For more information, see Security Lists in the Oracle Cloud Infrastructure documentation.

NAT Gateway IP Addresses for Oracle Data Safe

The following table lists the IP addresses of the Network Address Translation (NAT) gateways for the regional Oracle Data Safe services in Oracle Cloud Infrastructure.

Region Name Region Identifier IP Address
Australia East (Sydney) ap-sydney-1 192.29.144.137
Australia Southeast (Melbourne) ap-melbourne-1 192.29.208.54
Brazil East (Sao Paulo) sa-saopaulo-1 192.29.128.12
Canada Southeast (Toronto) ca-toronto-1 192.29.11.175
Canada Southeast (Montreal) ca-montreal-1 192.29.80.133
Chile Central (Santiago) sa-santiago-1 129.149.33.79
Germany Central (Frankfurt) eu-frankfurt-1 138.1.2.134
India Central (Hyderabad) ap-hyderabad-1 129.148.128.73
India West (Mumbai) ap-mumbai-1 192.29.50.43
Japan Central (Osaka) ap-osaka-1 192.29.241.166
Japan East (Tokyo) ap-tokyo-1 192.29.39.149
Netherlands Northwest (Amsterdam) eu-amsterdam-1 192.29.192.5
NRI Dedicated Region ap-chiyoda-1 151.104.93.74
Saudi Arabia West (Jeddah) me-jeddah-1 192.29.224.67
South Korea Central (Seoul) ap-seoul-1 192.29.21.43
South Korea North (Chuncheon) ap-chuncheon-1 129.148.144.110
Switzerland North (Zurich) eu-zurich-1 192.29.56.254
UAE East (Dubai) me-dubai-1 129.148.214.150
UK Gov South (London) uk-gov-london-1 151.104.51.221
UK Gov West (Newport) uk-gov-cardiff-1 151.104.60.181
UK South (London) uk-london-1 147.154.236.187
UK West (Cardiff) uk-cardiff-1 129.149.16.17
US East (Ashburn) us-ashburn-1 147.154.0.253
US West (Phoenix) us-phoenix-1 147.154.108.200
US West (San Jose) us-sanjose-1 129.148.160.136
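The usual mistake with this table is to open the listener port to the internet instead of to the one address. The script below is an added example, not part of Oracle's documentation or tooling: it looks up the NAT gateway IP for a region from the table above, emits a single ingress rule pinned to that address as a /32 on the listener port, refuses to apply a rule set that contains a 0.0.0.0/0 source, and pushes the rules with the OCI CLI (oci network security-list update, assumed installed and configured). The listener port 1521 and the security list OCID in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle Data Safe documentation: build a least-privilege
# ingress rule admitting only one region's Data Safe NAT gateway on the listener port.
set -eu

# Region identifier -> Data Safe NAT gateway IP, taken from the table above.
datasafe_nat_ip() {
  case "$1" in
    ap-sydney-1)      echo 192.29.144.137 ;;
    ap-melbourne-1)   echo 192.29.208.54 ;;
    sa-saopaulo-1)    echo 192.29.128.12 ;;
    ca-toronto-1)     echo 192.29.11.175 ;;
    ca-montreal-1)    echo 192.29.80.133 ;;
    sa-santiago-1)    echo 129.149.33.79 ;;
    eu-frankfurt-1)   echo 138.1.2.134 ;;
    ap-hyderabad-1)   echo 129.148.128.73 ;;
    ap-mumbai-1)      echo 192.29.50.43 ;;
    ap-osaka-1)       echo 192.29.241.166 ;;
    ap-tokyo-1)       echo 192.29.39.149 ;;
    eu-amsterdam-1)   echo 192.29.192.5 ;;
    ap-chiyoda-1)     echo 151.104.93.74 ;;
    me-jeddah-1)      echo 192.29.224.67 ;;
    ap-seoul-1)       echo 192.29.21.43 ;;
    ap-chuncheon-1)   echo 129.148.144.110 ;;
    eu-zurich-1)      echo 192.29.56.254 ;;
    me-dubai-1)       echo 129.148.214.150 ;;
    uk-gov-london-1)  echo 151.104.51.221 ;;
    uk-gov-cardiff-1) echo 151.104.60.181 ;;
    uk-london-1)      echo 147.154.236.187 ;;
    uk-cardiff-1)     echo 129.149.16.17 ;;
    us-ashburn-1)     echo 147.154.0.253 ;;
    us-phoenix-1)     echo 147.154.108.200 ;;
    us-sanjose-1)     echo 129.148.160.136 ;;
    *) echo "no Data Safe NAT gateway listed for region: $1" >&2; return 1 ;;
  esac
}

# One stateful TCP rule (protocol "6") in the IngressSecurityRule JSON shape the OCI CLI
# accepts: source pinned to <NAT IP>/32, destination port pinned to the listener port.
ingress_rule_json() {
  region="$1"; port="$2"
  ip="$(datasafe_nat_ip "$region")" || return 1
  printf '[{"protocol":"6","isStateless":false,"sourceType":"CIDR_BLOCK","source":"%s/32","tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}]\n' \
    "$ip" "$port" "$port"
}

# Refuse to push a rule set that admits the whole internet; run this on the merged file.
reject_open_world() {
  if grep -q '0\.0\.0\.0/0' "$1"; then
    echo "rule set contains a 0.0.0.0/0 source; refusing to apply" >&2
    return 1
  fi
}

# CAUTION: the update replaces the security list's entire ingress rule array. In a real
# VCN, merge the generated rule into the current rules first:
#   oci network security-list get --security-list-id <ocid>
apply_rule() {
  seclist_ocid="$1"; region="$2"; port="${3:-1521}"   # 1521 is an assumed listener port
  rules_file="$(mktemp)"
  ingress_rule_json "$region" "$port" > "$rules_file"
  reject_open_world "$rules_file"
  oci network security-list update --security-list-id "$seclist_ocid" \
    --ingress-security-rules "file://$rules_file" --force
  rm -f "$rules_file"
}

# Usage (OCID is a placeholder): apply_rule ocid1.securitylist.oc1.iad.example us-ashburn-1 1521
```

Because the update replaces the whole ingress array, applied as written against a list that already has rules it would drop every other rule; merge the generated rule into the list's current rules and run reject_open_world on the merged file before applying.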

Create a Service Account for Oracle Data Safe on Your DB System

Create a service account on your target database specifically for Oracle Data Safe, with the minimum privileges it needs. The roles for individual Oracle Data Safe features are added later by the SQL privileges script, so do not grant administrative roles here.

  1. Log in to your target database with an account that has the CREATE USER privilege.
  2. Create a user account with minimal privileges, for example:
    CREATE USER DATASAFE_ADMIN identified by password
    DEFAULT TABLESPACE "DATA"
    TEMPORARY TABLESPACE "TEMP";
    GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;
    • Replace DATASAFE_ADMIN and password with your own values.
    • Do not use SYSTEM or SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.

Grant Roles to the Oracle Data Safe Service Account

The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with your database. The following table describes the roles available for DB systems, on-premises Oracle databases, and Oracle databases on Compute instances.

  • ASSESSMENT: privileges required for the User Assessment and Security Assessment features.
  • AUDIT_COLLECTION: privileges required for accessing audit trails on the target database.
  • DATA_DISCOVERY: privileges required for the Data Discovery feature (discovering sensitive data in the target database).
  • MASKING: privileges required for the Data Masking feature (masking sensitive data in the target database).
  • AUDIT_SETTING: privileges required for updating target database audit policies.

To grant or revoke roles from the Oracle Data Safe service account on your database, you need to run the SQL privileges script called datasafe_privileges.sql. You can download this script from the Oracle Data Safe Console. To run the script, you need to be connected to your database as the SYS user.

You can run the script as many times as needed. For example, suppose that in the beginning you only need the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the service account only the roles that Activity Auditing needs. Later, when you decide to use the Data Discovery feature too, you run the script again to grant the Data Discovery role. Granting only the roles for the features you use, and revoking a role when you stop using a feature, keeps the service account at least privilege. You cannot run the SQL privileges script on the root container of a database (CDB$ROOT); connect to the pluggable database that you are registering.

  1. Download the SQL privileges script from the Oracle Data Safe Console:
    1. Sign in to the Oracle Data Safe Console, and click the Targets tab.
    2. Click Register.
      The Register Target dialog box is displayed.
    3. Click Download Privilege Script and save the datasafe_privileges.sql script to your computer.
    4. Click Cancel.
  2. With SQL Developer or SQL*Plus, connect to your database as the SYS user, and then run the SQL privileges script with the following statement:
    @datasafe_privileges.sql <DATASAFE_ADMIN> <GRANT/REVOKE> <AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL> [-VERBOSE]
    • <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your database. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
    • Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
    • Specify one or more Oracle Data Safe features, separated by a forward slash: AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL. ALL grants or revokes all the features.
    • -VERBOSE (optional) prints the actual GRANT or REVOKE statements that the script runs.
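As an added example (not Oracle's script or a Data Safe tool), the following wrapper runs datasafe_privileges.sql from the current directory through SQL*Plus with the argument rules above enforced in shell: the account name is normalised the way the database stores it, the action and feature list are validated, the session refuses to proceed if it is connected to CDB$ROOT, and the roles and system privileges the account holds afterwards are listed for review. It assumes sqlplus on the PATH, DB_CONNECT set to an EZConnect string for the PDB service, and SYS_PASSWORD set in the environment; both variable names are this example's own.

```shell
#!/bin/sh
# Added example, not Oracle's tooling: run datasafe_privileges.sql safely as SYS.
set -eu

# Service-account name as it appears in DBA_USERS: unquoted names are stored in upper
# case, double-quoted names keep their case (the quotes themselves are stripped).
account_as_stored() {
  case "$1" in
    \"*\") printf '%s\n' "$1" | sed 's/^"//; s/"$//' ;;
    *)     printf '%s\n' "$1" | tr 'a-z' 'A-Z' ;;
  esac
}

validate_action() {
  case "$1" in
    GRANT|REVOKE) return 0 ;;
    *) echo "action must be GRANT or REVOKE, got: $1" >&2; return 1 ;;
  esac
}

# Features are slash-separated; every token must be one the script understands.
validate_features() {
  old_ifs="$IFS"; IFS='/'; set -- $1; IFS="$old_ifs"
  [ $# -gt 0 ] || { echo "no features given" >&2; return 1; }
  for f in "$@"; do
    case "$f" in
      AUDIT_COLLECTION|AUDIT_SETTING|DATA_DISCOVERY|MASKING|ASSESSMENT|ALL) ;;
      *) echo "unknown feature: $f" >&2; return 1 ;;
    esac
  done
}

# run_privilege_script <account> <GRANT|REVOKE> <features> [-VERBOSE]
run_privilege_script() {
  acct="$(account_as_stored "$1")"
  validate_action "$2"
  validate_features "$3"
  verbose="${4:-}"
  # The password travels through CONNECT inside the session, not on the command
  # line where ps would show it. -L stops SQL*Plus re-prompting on a bad login.
  sqlplus -S -L /nolog <<EOF
WHENEVER SQLERROR EXIT SQL.SQLCODE
CONNECT sys/${SYS_PASSWORD}@${DB_CONNECT} AS SYSDBA
-- The script must not run in CDB\$ROOT (CON_ID 1); connect to the PDB service instead.
BEGIN
  IF SYS_CONTEXT('USERENV', 'CON_ID') = '1' THEN
    RAISE_APPLICATION_ERROR(-20001, 'connected to the root container, use the PDB service');
  END IF;
END;
/
@datasafe_privileges.sql ${acct} $2 $3 ${verbose}
-- Review what the service account holds after the run.
SELECT granted_role FROM dba_role_privs WHERE grantee = '${acct}' ORDER BY 1;
SELECT privilege FROM dba_sys_privs WHERE grantee = '${acct}' ORDER BY 1;
EXIT
EOF
}

# Example invocation (commented out so the file can be sourced without a database):
# DB_CONNECT=dbhost.example.com:1521/pdb1.subnet.vcn.oraclevcn.com SYS_PASSWORD='...' \
#   run_privilege_script DATASAFE_ADMIN GRANT AUDIT_COLLECTION/DATA_DISCOVERY
```

The two SELECTs at the end are the check worth keeping: after every GRANT or REVOKE run, the account should hold only what the features you use require.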

Create a Wallet or Certificate for a TLS Connection to a DB System

If you plan to configure a TLS connection to your target database (DB system, on-premises Oracle database, or Oracle database on a Compute instance), you need to create a wallet or certificate that you can upload during target database registration. The wallet or certificate you create depends on whether client authentication is enabled or disabled on your database. To check whether client authentication is enabled, view the SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file on your database. If it's equal to TRUE, then client authentication is enabled; otherwise it's not enabled.

When Client Authentication is Enabled on Your Target Database

When client authentication is enabled on your target database, create a JKS wallet. The wallet must have the following items:

  • Signing certificate chain (or root certificate if there is no intermediate signing certificate) that was used to issue the Oracle Data Safe private key and public certificate.
  • Private key for Oracle Data Safe, which is acting as a client to the target database.
  • Public certificate for Oracle Data Safe, which is acting as a client to the target database.

For an example of how to create a JKS wallet with self-signed certificates, see Create Wallets and Certificates.

When Client Authentication is Disabled on Your Target Database

When client authentication is disabled on your target database, create one of the following certificates or wallets:

  • Self-signed certificate for the target database.
  • Signing root certificate that can issue the public certificate for the target database (if an intermediate signing certificate is not involved in the public certificate signing)
  • JKS Wallet (if an intermediate certificate is involved in the public certificate signing). Add to the wallet the signing certificate chain that issues the public certificate for the target database.

Supported certificate types are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). Supported file extensions are PEM, CER, CERT, CRT, and DER. If a commonly used certificate authority (CA) signs the certificate that is used by the target database, then creating a certificate or wallet is optional.

For an example on how to create a PEM certificate using self-signed certificates, see Create Wallets and Certificates.

Keep in Mind

  • The maximum size for a wallet or certificate that you can upload during target registration is 50 KB.
  • If a user password or wallet password changes, you can simply update the password in the Oracle Data Safe Console. You do not need to delete the wallet.
  • If you delete a target database that uses a wallet to connect, the wallet is also deleted.
  • Passwordless SSL authentication based on PKI is enabled when SQLNET.AUTHENTICATION_SERVICES = (TCPS) is set in the sqlnet.ora file of a target database. Passwordless SSL authentication based on PKI is not supported in Oracle Data Safe; the service account must authenticate with its user name and password even over TLS.
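The page defers the actual wallet construction to Create Wallets and Certificates. As an added example that is not that document's content or Oracle's tooling, the script below builds the two JKS files for the client-authentication-enabled case with openssl and keytool, and implements two checks from Keep in Mind: whether SSL_CLIENT_AUTHENTICATION is TRUE in a sqlnet.ora file, and whether a file fits under the 50 KB upload limit. It assumes one self-signed CA issues both the database server certificate and the Oracle Data Safe client certificate (so the truststore needs only that CA), that openssl and keytool are installed, and that the subjects, file names, 365-day validity and the 51200-byte reading of 50 KB are placeholders.

```shell
#!/bin/sh
# Added example, not from "Create Wallets and Certificates": JKS truststore and keystore
# for a TLS target with client authentication enabled, plus two pre-upload checks.
set -eu

# TRUE only when an uncommented SSL_CLIENT_AUTHENTICATION line says so (last occurrence
# wins, parameter name case-insensitive); absent or FALSE means client auth is disabled.
client_auth_enabled() {
  val="$(tr 'a-z' 'A-Z' < "$1" \
         | sed -n 's/^[[:space:]]*SSL_CLIENT_AUTHENTICATION[[:space:]]*=[[:space:]]*\([A-Z]*\).*/\1/p' \
         | tail -n 1)"
  [ "$val" = "TRUE" ]
}

# The console rejects wallets or certificates above 50 KB (read here as 51200 bytes).
wallet_size_ok() {
  size=$(( $(wc -c < "$1") + 0 ))
  [ "$size" -le 51200 ]
}

# Builds, in the working directory: ca.key/ca.pem, client.key/client.pem,
# truststore.jks (upload as "Certificate/Wallet") and keystore.jks ("Keystore Wallet").
build_jks_wallets() {
  pw="$1"   # wallet password; the console asks for it at registration
  # Self-signed CA (the signing chain the page says the wallet must carry).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout ca.key -out ca.pem \
    -subj "/CN=Example Data Safe CA/O=Example"
  # Data Safe acts as the client: its own key and a certificate issued by the CA.
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=datasafe-client/O=Example"
  openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -out client.pem
  # Truststore: the CA certificate. -storetype JKS because keytool defaults to
  # PKCS12 on Java 9 and later, and the console expects a JKS file.
  keytool -importcert -noprompt -alias datasafe-ca -file ca.pem \
    -keystore truststore.jks -storetype JKS -storepass "$pw"
  # Keystore: client private key + certificate, imported via a PKCS#12 bundle.
  openssl pkcs12 -export -name datasafe -in client.pem -inkey client.key \
    -certfile ca.pem -out client.p12 -passout "pass:$pw"
  keytool -importkeystore -noprompt -srckeystore client.p12 -srcstoretype PKCS12 \
    -srcstorepass "$pw" -destkeystore keystore.jks -deststoretype JKS -deststorepass "$pw"
  rm -f client.p12 client.csr
  for f in truststore.jks keystore.jks; do
    wallet_size_ok "$f" || { echo "$f exceeds the 50 KB upload limit" >&2; return 1; }
  done
  # With client authentication disabled, ca.pem alone is what you would upload as the
  # PEM certificate (or the database's self-signed certificate, if it has no CA).
}

# Usage: build_jks_wallets 'change-me'   (run only where openssl and keytool exist)
```

Keep ca.key and client.key off the machine once the JKS files are uploaded; the console stores the keystore, and the private key has no other legitimate consumer.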

Register a DB System that has a Public IP Address

You can manually register a DB system that has a public IP address from the Oracle Data Safe Console. If you plan to configure a TLS connection during registration, you need to have a wallet or certificate on hand to upload.

  1. Sign in to the Oracle Data Safe Console.
  2. Click the Targets tab.
  3. Click Register.
    The Register Target dialog box is displayed.
  4. Enter a name for your target database.
    This name can be any name you want, and all characters are accepted. The maximum number of characters is 512.
    This name appears in all of the Oracle Data Safe reports that pertain to your target database.
  5. Leave Oracle Cloud Database selected as the target type.
  6. (Optional) Enter a description for your target database.
  7. Select the compartment to which you want the target database to belong.

    You can register a target database to only one compartment and you cannot change the compartment after the target database is registered.

  8. For Database with Private IP, leave No selected.
  9. In the OCID field, enter the Oracle Cloud Identifier (OCID) for your target database; for example, ocid1.dbsystem.oc1.iad.abcd1eef2bcd1xxyabcd12...
    The OCID is used to validate whether you have the inspect, use, or manage privilege on the target database in Oracle Cloud Infrastructure Identity and Access Management (IAM).
    The OCID for the target database is available in the database's console in Oracle Cloud Infrastructure.
  10. For connection type, select TCP or TLS.

    The default selection is TCP. Because Oracle Data Safe reaches this DB system over its public IP address, TLS is the safer choice; it requires the wallet or certificate prepared in Create a Wallet or Certificate for a TLS Connection to a DB System.

  11. In the IP Address field, enter the public IP address for the target database.
    The public IP address should match the public IP address for the database in Oracle Cloud Infrastructure Console.
  12. Enter the port number for the database.
  13. Enter the long version of the database service name, for example, abc_prod.subnetad3.tttvcn.companyvcn.com.
    You can find the database service name in the database's Console in Oracle Cloud Infrastructure. You can also find the database service name the following way:
    1. Connect to your database.
    2. Switch to the PDB that you want to register with Oracle Data Safe.
    3. Run the following command:
      SQL> select sys_context('userenv','service_name') from dual;
  14. If you are configuring a TLS connection, enter the Target Distinguished Name.
    This name is the distinguished name used while creating the certificate on target database.
    An example name is CN=abcd.uscom-east-1.example.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US.
  15. If you are configuring a TLS connection and client authentication is enabled on your target database, then follow the steps below to upload a JKS wallet.
    1. From the Certificate/Wallet Type drop-down list, select JKS Wallet.
    2. For Certificate/Wallet, click Browse, and then select a truststore JKS file.
    3. For Keystore Wallet, click Browse, and then select a keystore JKS file.
    4. Enter the wallet password.
  16. If you are configuring a TLS connection and client authentication is disabled on your target database, select a certificate or wallet type, and then follow the steps for that type. You can upload a JKS wallet, a Privacy Enhanced Mail (PEM) certificate, a Distinguished Encoding Rules (DER) certificate, or nothing.
    • JKS Wallet: click Choose File, select a truststore JKS file, and then enter the wallet password.
    • DER Certificate: click Choose File, and then select a CRT or DER file. Supported file extensions are CER, CERT, CRT, and DER.
    • PEM Certificate: click Choose File, and then select a PEM or DER file. Supported file extensions are PEM and DER.
    • NONE: you do not need to upload any files.

  17. Enter the database user name and password that you created on the target database specifically for Oracle Data Safe.
    If you created the user on the target database without quotation marks, you need to enter the user name in uppercase here. For example, if the user name on the target database is called test, then you need to enter TEST.
    You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
  18. (Optional) To verify that Oracle Data Safe can successfully connect to the target database, click Test Connection.
  19. Click Register Target.
    You cannot register the target database if the connection test fails or if the target database does not exist.

Configure Authorization Policies

After you register a target database with Oracle Data Safe, you need to configure authorization policies in the Oracle Data Safe Console. Authorization policies determine which users can access the target database and what they can do with the target database.

You can configure authorization policies from the Security page in the Oracle Data Safe Console. To configure authorization policies, you need to be a tenancy administrator, an Oracle Data Safe administrator, or a delegated Oracle Data Safe administrator. See Create an Oracle Data Safe Administrators Group and Create a Delegated Administrator.

  1. Sign in to the Oracle Data Safe Console.
  2. At the top of the page, click Security.
  3. (Optional) To filter the list of compartments to show only those that have grants to users and user groups in Oracle Data Safe, select the Show compartments with grants only check box.
  4. Select the compartment for which you want to configure the authorization policy.
    A list of users and user groups is displayed.
  5. To grant a user or user group a privilege for a feature, select View or Manage from the Assessment, Discovery and Masking, and/or Activity Auditing drop-down lists.
    You can still select Manage for a user or user group even if that user or user group cannot inspect user groups in the tenancy. In this case, the user group can read, create, update, and delete resources for the feature, but cannot configure authorization policies.
  6. To grant a user or user group the same privilege for all features, select -- (none), View, or Manage from the All Features drop-down list.
  7. To revoke a privilege from a user or user group, select -- in a feature drop-down list.
  8. To filter the list of users and user groups to only those that have privileges, move the Hide IAM user groups without any access rights slider to the right.
  9. Click Save.