Register DB Systems that have Public IP Addresses
In the Oracle Data Safe Console, you can register DB systems that have public IP addresses. During registration, you configure either a TCP or TLS connection.
This article has the following topics:
- Workflow
- Obtain the Required Permissions for Registering DB Systems
- Add Oracle Data Safe's NAT Gateway IP Address to Your Virtual Cloud Network's Security List
- Create a Service Account for Oracle Data Safe on Your DB System
- Grant Roles to the Oracle Data Safe Service Account
- Create a Wallet or Certificate for a TLS Connection to a DB System
- Register a DB System that has a Public IP Address
- Configure Authorization Policies
Parent topic: Target Database Registration
Workflow
The following table lists the steps for registering a DB system that has a public IP address.
Step | Description | Reference |
---|---|---|
1 | Obtain the required permissions in Oracle Cloud Infrastructure and Oracle Data Safe to register your DB system. | Obtain the Required Permissions for Registering DB Systems |
2 | Enable traffic coming from the Oracle Data Safe Network Address Translation (NAT) gateway. | Add Oracle Data Safe's NAT Gateway IP Address to Your Virtual Cloud Network's Security List |
3 | Create a service account on your DB system specifically for Oracle Data Safe. | Create a Service Account for Oracle Data Safe on Your DB System |
4 | Grant roles to the Oracle Data Safe service account. | Grant Roles to the Oracle Data Safe Service Account |
5 | If you plan to connect to your DB system via a TLS connection, create the necessary certificates and/or wallets. | Create a Wallet or Certificate for a TLS Connection to a DB System |
6 | Register your DB system in the Oracle Data Safe Console. | Register a DB System that has a Public IP Address |
7 | Configure authorization policies in the Oracle Data Safe Console. | Configure Authorization Policies |
Parent topic: Register DB Systems that have Public IP Addresses
Obtain the Required Permissions for Registering DB Systems
Obtain the following permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), on the database, and in Oracle Data Safe:
- Permission in IAM to access the database: The user group to which you belong requires at least the inspect permission on three resource types: db-systems, db-nodes, and vnics. For example, to grant the Data-Safe-Admins group the inspect permission on all db-systems, db-nodes, and vnics in a tenancy, a tenancy administrator could write the following policy:
  allow group Data-Safe-Admins to inspect db-systems in tenancy
  allow group Data-Safe-Admins to inspect db-nodes in tenancy
  allow group Data-Safe-Admins to inspect vnics in tenancy
- Permission to log in to the database as an administrator: You need to be able to log in as the SYS account to create the Oracle Data Safe service account and run the SQL privileges script.
- Permission to manage at least one feature in Oracle Data Safe: The user group to which you belong needs to be able to register, update, and delete target databases in Oracle Data Safe for at least one feature.
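A small checker for the IAM requirement above, added here as an example and not part of the Oracle documentation. It parses policy statements of the form shown on this page, applies the OCI verb hierarchy (manage covers use, read, and inspect), and reports which of the three resource types the group still lacks inspect on; the policy texts are constructed samples.

```python
import re

# OCI verb hierarchy: each verb includes the capabilities of the verbs below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Resource types Data Safe needs at least inspect on for DB system registration.
REQUIRED_RESOURCES = ("db-systems", "db-nodes", "vnics")

# Matches "allow group <group> to <verb> <resource> in tenancy|compartment <name>".
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample policies (not from any real tenancy).
POLICY_COMPLETE = """
allow group Data-Safe-Admins to inspect db-systems in tenancy
allow group Data-Safe-Admins to inspect db-nodes in tenancy
allow group Data-Safe-Admins to inspect vnics in tenancy
"""
POLICY_PARTIAL = """
allow group Data-Safe-Admins to manage db-systems in tenancy
allow group Data-Safe-Admins to read db-nodes in compartment DataSafeCompartment
allow group Other-Admins to inspect vnics in tenancy
"""

def parse_policy(text):
    """Return (group, verb, resource, scope) tuples; lines that do not parse are skipped."""
    statements = []
    for line in text.splitlines():
        m = STATEMENT_RE.match(line)
        if m:
            statements.append((m["group"], m["verb"].lower(), m["resource"].lower(),
                               re.sub(r"\s+", " ", m["scope"].lower())))
    return statements

def missing_inspect(policy_text, group, scope="tenancy"):
    """Resource types on which `group` lacks at least inspect in `scope`.

    A tenancy-wide statement also satisfies a compartment scope; the reverse is not true.
    """
    best = {}
    for g, verb, resource, stmt_scope in parse_policy(policy_text):
        if g.lower() != group.lower():
            continue
        if stmt_scope == "tenancy" or stmt_scope == scope:
            best[resource] = max(best.get(resource, -1), VERB_RANK[verb])
    return [r for r in REQUIRED_RESOURCES if best.get(r, -1) < VERB_RANK["inspect"]]
```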
Parent topic: Register DB Systems that have Public IP Addresses
Add Oracle Data Safe's NAT Gateway IP Address to Your Virtual Cloud Network's Security List
To allow Oracle Data Safe to connect to your DB system, a database administrator needs to add an ingress security rule to your database's virtual cloud network (VCN). In the rule, specify Oracle Data Safe's Network Address Translation (NAT) gateway IP address that corresponds to the region in which Oracle Data Safe is enabled. For more information, see Security Lists in the Oracle Cloud Infrastructure documentation.
Parent topic: Register DB Systems that have Public IP Addresses
NAT Gateway IP Addresses for Oracle Data Safe
The following table lists the IP addresses of the Network Address Translation (NAT) gateways for the regional Oracle Data Safe services in Oracle Cloud Infrastructure.
Region Name | Region Identifier | IP Address |
---|---|---|
Australia East (Sydney) | ap-sydney-1 | 192.29.144.137 |
Australia Southeast (Melbourne) | ap-melbourne-1 | 192.29.208.54 |
Brazil East (Sao Paulo) | sa-saopaulo-1 | 192.29.128.12 |
Canada Southeast (Toronto) | ca-toronto-1 | 192.29.11.175 |
Canada Southeast (Montreal) | ca-montreal-1 | 192.29.80.133 |
Chile Central (Santiago) | sa-santiago-1 | 129.149.33.79 |
Germany Central (Frankfurt) | eu-frankfurt-1 | 138.1.2.134 |
India Central (Hyderabad) | ap-hyderabad-1 | 129.148.128.73 |
India West (Mumbai) | ap-mumbai-1 | 192.29.50.43 |
Japan Central (Osaka) | ap-osaka-1 | 192.29.241.166 |
Japan East (Tokyo) | ap-tokyo-1 | 192.29.39.149 |
Netherlands Northwest (Amsterdam) | eu-amsterdam-1 | 192.29.192.5 |
NRI Dedicated Region | ap-chiyoda-1 | 151.104.93.74 |
Saudi Arabia West (Jeddah) | me-jeddah-1 | 192.29.224.67 |
South Korea Central (Seoul) | ap-seoul-1 | 192.29.21.43 |
South Korea North (Chuncheon) | ap-chuncheon-1 | 129.148.144.110 |
Switzerland North (Zurich) | eu-zurich-1 | 192.29.56.254 |
UAE East (Dubai) | me-dubai-1 | 129.148.214.150 |
UK Gov South (London) | uk-gov-london-1 | 151.104.51.221 |
UK Gov West (Newport) | uk-gov-cardiff-1 | 151.104.60.181 |
UK South (London) | uk-london-1 | 147.154.236.187 |
UK West (Cardiff) | uk-cardiff-1 | 129.149.16.17 |
US East (Ashburn) | us-ashburn-1 | 147.154.0.253 |
US West (Phoenix) | us-phoenix-1 | 147.154.108.200 |
US West (San Jose) | us-sanjose-1 | 129.148.160.136 |
Create a Service Account for Oracle Data Safe on Your DB System
Create a service account on your target database specifically for Oracle Data Safe. Grant the account only the privileges it needs (least privilege).
Parent topic: Register DB Systems that have Public IP Addresses
Grant Roles to the Oracle Data Safe Service Account
The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with your database. The following table describes the roles available for DB systems, on-premises Oracle databases, and Oracle databases on Compute instances.
Role | Description |
---|---|
 | Privileges required for the User Assessment and Security Assessment features |
 | Privileges required for accessing audit trails for the target database |
 | Privileges required for the Data Discovery feature (discovering sensitive data in the target database) |
 | Privileges required for the Data Masking feature (masking sensitive data in the target database) |
 | Privileges required for updating target database audit policies |
To grant or revoke roles from the Oracle Data Safe service account on your database, you need to run the SQL privileges script called datasafe_privileges.sql. You can download this script from the Oracle Data Safe Console. To run the script, you need to be connected to your database as the SYS user.
You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the service account access to only Activity Auditing. Later, if you decide to use the Data Discovery feature too, you can run the SQL privileges script again on the database to grant access to Data Discovery.
You cannot run the SQL privileges script on the root container of a database (CDB$ROOT).
Parent topic: Register DB Systems that have Public IP Addresses
Create a Wallet or Certificate for a TLS Connection to a DB System
If you plan to configure a TLS connection to your target database (DB system, on-premises Oracle database, or Oracle database on a Compute instance), you need to create a wallet or certificate that you can upload during target database registration. The wallet or certificate you create depends on whether client authentication is enabled or disabled on your database. To check whether client authentication is enabled, view the SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file on your database. If it's equal to TRUE, then client authentication is enabled; otherwise it's not enabled.
- When Client Authentication is Enabled on Your Target Database
- When Client Authentication is Disabled on Your Target Database
- Keep in Mind
Parent topic: Register DB Systems that have Public IP Addresses
When Client Authentication is Enabled on Your Target Database
When client authentication is enabled on your target database, create a JKS wallet. The wallet must have the following items:
- Signing certificate chain (or root certificate if there is no intermediate signing certificate) that was used to issue the Oracle Data Safe private key and public certificate.
- Private key for Oracle Data Safe, which is acting as a client to the target database.
- Public certificate for Oracle Data Safe, which is acting as a client to the target database.
For an example of how to create a JKS wallet with self-signed certificates, see Create Wallets and Certificates.
When Client Authentication is Disabled on Your Target Database
When client authentication is disabled on your target database, create one of the following certificates or wallets:
- Self-signed certificate for the target database.
- Signing root certificate that can issue the public certificate for the target database (if an intermediate signing certificate is not involved in the public certificate signing)
- JKS Wallet (if an intermediate certificate is involved in the public certificate signing). Add to the wallet the signing certificate chain that issues the public certificate for the target database.
Supported certificate types are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). Supported file extensions are PEM, CER, CERT, CRT, and DER. If a commonly used certificate authority (CA) signs the certificate that is used by the target database, then creating a certificate or wallet is optional.
For an example on how to create a PEM certificate using self-signed certificates, see Create Wallets and Certificates.
Keep in Mind
- The maximum size for a wallet or certificate that you can upload during target registration is 50 KB.
- If a user password or wallet password changes, you can simply update the password in the Oracle Data Safe Console. You do not need to delete the wallet.
- If you delete a target database that uses a wallet to connect, the wallet is also deleted.
- Passwordless SSL authentication based on PKI is enabled when SQLNET.AUTHENTICATION_SERVICES = TCPS in the sqlnet.ora file of a target database. Passwordless SSL authentication based on PKI is not supported in Oracle Data Safe.
Register a DB System that has a Public IP Address
You can manually register a DB system that has a public IP address from the Oracle Data Safe Console. If you plan to configure a TLS connection during registration, you need to have a wallet or certificate on hand to upload.
Parent topic: Register DB Systems that have Public IP Addresses
Configure Authorization Policies
After you register a target database with Oracle Data Safe, you need to configure authorization policies in the Oracle Data Safe Console. Authorization policies determine which users can access the target database and what they can do with the target database.
You can configure authorization policies from the Security page in the Oracle Data Safe Console. To configure authorization policies, you need to be a tenancy administrator, an Oracle Data Safe administrator, or a delegated Oracle Data Safe administrator. See Create an Oracle Data Safe Administrators Group and Create a Delegated Administrator.
Parent topic: Register DB Systems that have Public IP Addresses