Using Oracle Data Safe's on-premises connector is an easy and convenient way to connect Oracle Data Safe to your on-premises Oracle database without needing FastConnect or VPN Connect.
If you have FastConnect or VPN Connect, you can also register your on-premises database via an Oracle Data Safe private endpoint. See Register On-Premises Oracle Databases by Using an Oracle Data Safe Private Endpoint.
For this type of registration, you need to create an on-premises connector in your Oracle Data Safe service in Oracle Cloud Infrastructure, download an install bundle, and then install the on-premises connector on a host on your network. The on-premises connector establishes an encrypted TLS tunnel over the Internet to cloud Connection Managers in the Oracle Data Safe service tenancy. To finish the setup, you need to register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.
As shown in the following diagram, your on-premises Oracle database communicates with the Connection Manager of the on-premises connector on your network, which communicates with the cloud Connection Managers in Oracle Cloud Infrastructure. You can use one on-premises connector to connect to multiple on-premises Oracle databases.
The following table outlines the steps for registering an on-premises Oracle database by using an on-premises connector.
- Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) to create an Oracle Data Safe on-premises connector.
- Create an Oracle Data Safe on-premises connector in the Oracle Data Safe service in Oracle Cloud Infrastructure.
- Download the install bundle that contains the on-premises connector.
- Install the on-premises connector on a host on your network.
- Create a service account for Oracle Data Safe on your on-premises Oracle database.
- Grant roles to the Oracle Data Safe service account on your on-premises Oracle database.
- (Optional) Configure a TLS connection between your on-premises Oracle database and the on-premises connector on your host machine.
- Register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.
- Configure authorization policies in the Oracle Data Safe Console.
Obtain the Required Permission for Creating On-Premises Connectors
To create, update, and delete an Oracle Data Safe on-premises connector, you need to obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the resource called
The following table describes the different permissions available for
| Permission | What you can do |
| --- | --- |
|  | View the list of Oracle Data Safe on-premises connectors in your tenancy |
|  | Inspect and read properties for Oracle Data Safe on-premises connectors in your tenancy |
|  | Inspect, read, create, update, delete, and move Oracle Data Safe on-premises connectors in your tenancy |
The following examples show how an IAM administrator could write policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called
Example 3-28 Broad Permission
In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in compartment
allow group dsadmins to manage data-safe-family in compartment ADWcmp1
Example 3-29 Specific Permission
In this example, the ProjectA group has specific permission to manage Oracle Data Safe on-premises connectors in compartment
allow group ProjectA to manage onprem-connectors in compartment ADWcmp1
Create an On-Premises Connector in the Oracle Data Safe Service
Create an on-premises connector from the Oracle Data Safe service page in Oracle Cloud Infrastructure. You can create a maximum of five on-premises connectors.
- Sign in to the Oracle Cloud Infrastructure Console and select the region in which Oracle Data Safe is enabled in your tenancy.
- From the navigation menu, select Oracle Database, and then Data Safe.
- Under Connectivity Options, click On-Premises Connectors.
- On the right, click Create On-Premises Connector. The Create On-Premises Connector page is displayed.
- From the drop-down list, select the compartment in which you want to store the on-premises connector.
- Enter a name for the on-premises connector.
- (Optional) Enter a description for the on-premises connector.
- (Optional) To configure tagging, click Show Tagging Options, and then configure a tag.
- Click Create On-Premises Connector. The on-premises connector is created and listed in the table. The initial life-cycle state of the on-premises connector is set to
Download the Install Bundle for the On-Premises Connector
You can download the install bundle for the on-premises connector from the Connector Detail page in the Oracle Data Safe service.
- From the Data Safe page in Oracle Cloud Infrastructure, click On-Premises Connectors.
- Click the on-premises connector that you created.
- Click Download Install Bundle. The Download Install Bundle dialog box is displayed.
- Enter a password for the install bundle, confirm it, and then click Download. Keep this password on hand as you need it later when you install the on-premises connector on a host on your network. The install bundle is downloaded to your browser's default download location.
- Copy the install bundle ZIP file to a host machine on your network.
- Unzip the file and confirm that you have the following files:
- README - Readme file with installation instructions
- connector.conf - Connection Manager configuration file
- downloads/orapki.zip - ZIP file containing an orapki script and required JAR files
- downloads/cman.zip - ZIP file containing Connection Manager binaries
- downloads/cmanora.template - Connection Manager configuration template
- util/datasafe_privileges.sql - Oracle Data Safe privileges SQL script. You can also download this script from the Register Target dialog box in the Oracle Data Safe Console.
- wallet/ewallet.p12 - P12 wallet
- setup.py - Python setup script to install the on-premises connector
Install the On-Premises Connector on Your Network
Oracle recommends that you install the on-premises connector on a host machine other than your Oracle database host machine. You can, however, install it on the database host machine if needed.
In a production environment, Oracle recommends that you install the same on-premises connector on two Linux hosts for high availability. If one of your hosts goes down due to system failure or maintenance, Oracle Data Safe connections automatically fail over to the on-premises connector running on the other host, and the on-going Oracle Data Safe operations are not affected.
The Connection Manager, as part of your on-premises connector installation, establishes a TLS tunnel to a cloud Connection Manager. You can control outgoing traffic from your host machine to the IP address of the cloud Connection Manager, which listens on port 443. The address of a cloud Connection Manager is accesspoint.datasafe.REGIONNAME.oci.oraclecloud.com. For example, for the Ashburn region, the address is accesspoint.datasafe.us-ashburn-1.oci.oraclecloud.com. You can obtain the IP address of the cloud Connection Manager by doing a DNS lookup.
The following items are also installed. For more information about these items, see the Database Administrator's Guide.
- SQL*Plus - Installed in the
- Listener control utility (
- Connection testing utility (
Hardware requirements for the host machine on which you are going to install the on-premises connector are as follows:
- Minimum CPU: 2
- Minimum RAM: 16GB
- Minimum local disk storage: 5GB, where the on-premises connector software plus log space takes 100 MB
- /tmp space: 100 MB
- Network interface bandwidth: 1Gbps
- Network connectivity:
- Outbound connectivity to Oracle Data Safe (
<region> with your region; for example,
- Local connectivity to target database listener hosts/ports
- Outbound connectivity to Oracle Data Safe (
Software requirements for the host machine on which you are going to install the on-premises connector are as follows:
- Operating system: Oracle Linux 7 or higher (Linux x86-64)
- Python 3.5 or higher - If you have multiple versions of Python installed, make sure that you set the default to Python 3.5 or higher, or explicitly provide the Python path when running the commands.
- Java version 7 or higher with a valid Java Home
For instructions on how to uninstall, update, stop, and show the status, please refer to the README file that comes with the install bundle.
- Open a command prompt on a host machine where you want to install the on-premises connector.
- As a user different from the root user, enter the following command to install the on-premises connector. Do not run the installer as the root user. Provide a port number for the on-premises connector. The proxy argument is optional. You can skip the proxy argument if the deploying host has public internet access. The on-premises connector does not support a proxy username and password.
The HTTP proxy may not be enough depending on your organization's network configuration and security policies. For example, some networks require a username and password for the HTTP proxy. In such cases contact your network administrator to open outbound connections to hosts in the accesspoint.oraclecloud.com domain using port 443 without going through an HTTP proxy. The install script automatically starts the on-premises connector.
$ python setup.py install --connector-port=<port> [--https-proxy=<proxy:port>]
Examples:
$ python setup.py install --connector-port=1560
$ python setup.py install --connector-port=1560 --https-proxy=https://www-proxy.domain.com:80
- At the prompt, enter the password that you created when you downloaded the install bundle. The on-premises connector is installed in the current directory and automatically started. The status for the on-premises connector in the Oracle Data Safe service in Oracle Cloud Infrastructure is now set to
- (Optional) To diagnose installation issues or execute additional commands (such as uninstall, update, start, stop, and status), please refer to the README file that comes with the install bundle.
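Before running setup.py, it is worth confirming that the host meets the prerequisites and that the egress path to the cloud Connection Manager is open. The pre-flight script below is an added example, not code from the install bundle: it derives the cloud Connection Manager address from the region name as described above, rejects a proxy value that carries credentials (which the connector does not support), checks for Java and JAVA_HOME, and, when run directly, performs the DNS lookup and a TLS handshake to port 443. The region identifier format and the TLS probe are assumptions of this example.

```python
import os
import re
import shutil
import socket
import ssl
import sys
from typing import Tuple
from urllib.parse import urlparse

# OCI region identifiers look like us-ashburn-1 or eu-frankfurt-1 (assumption).
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def datasafe_endpoint(region: str) -> str:
    """Cloud Connection Manager address for a region, following the
    accesspoint.datasafe.<region>.oci.oraclecloud.com pattern."""
    if not REGION_RE.match(region):
        raise ValueError(f"not an OCI region identifier: {region!r}")
    return f"accesspoint.datasafe.{region}.oci.oraclecloud.com"


def parse_proxy(proxy: str) -> Tuple[str, int]:
    """Split an --https-proxy value into (host, port). Embedded credentials
    are rejected because the connector does not support proxy authentication."""
    url = urlparse(proxy if "://" in proxy else "http://" + proxy)
    if url.username or url.password:
        raise ValueError("proxy username/password are not supported")
    if not url.hostname or url.port is None:
        raise ValueError(f"proxy must be given as host:port, got {proxy!r}")
    return url.hostname, url.port


def java_ok() -> bool:
    """Java on PATH and a JAVA_HOME directory that exists."""
    return shutil.which("java") is not None and os.path.isdir(os.environ.get("JAVA_HOME", ""))


def egress_check(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """DNS-resolve the cloud Connection Manager and complete a TLS handshake on
    port 443; returns (resolved IP, TLS version). The IP is what an outbound
    firewall rule needs. This is a reachability probe only: certificate trust
    is not evaluated here, the connector's own wallet handles that."""
    ip = socket.gethostbyname(host)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake happens here
            return ip, tls.version() or "unknown"


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us-ashburn-1"
    host = datasafe_endpoint(region)
    print("python >= 3.5:", sys.version_info >= (3, 5), "| java + JAVA_HOME:", java_ok())
    ip, version = egress_check(host)
    print(f"{host} -> {ip}: TLS handshake on port 443 OK ({version})")
```

Run it as the non-root user that will own the connector installation, passing your region identifier as the first argument.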
Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database
Create a service account on your database specifically for Oracle Data Safe. Create the account with the least amount of privileges.
- Log in to your database with an account that lets you create a user.
- Create a user account with minimal privileges, for example:
CREATE USER DATASAFE_ADMIN identified by password DEFAULT TABLESPACE "DATA" TEMPORARY TABLESPACE "TEMP";
GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;
Replace DATASAFE_ADMIN and password with your own values.
- Do not use SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.
Grant Roles to the Oracle Data Safe Service Account on Your On-Premises Oracle Database
The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with your database. The following table describes the roles available for DB systems, on-premises Oracle databases, and Oracle databases on Compute instances.
Privileges required for the User Assessment and Security Assessment features
Privileges required for accessing audit trails for the target database
Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
Privileges required for the Data Masking feature (masking sensitive data in the target database)
Privileges required for updating target database audit policies
To grant or revoke roles from the Oracle Data Safe service account on your database, you need to run the SQL privileges script called datasafe_privileges.sql. You can download this script from the Oracle Data Safe Console. To run the script, you need to be connected to your database as the SYS user.
You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the database to grant the database access to Data Discovery.
You cannot run the SQL privileges script on the root container of a database.
- Copy the datasafe_privileges.sql script to your database host machine. You can find this script in the util folder of the install bundle.
- With SQL Developer or SQL*Plus (which is included in the install bundle in the oracle_cman_home/bin directory), connect to your database as the SYS user, and then run the datasafe_privileges.sql script with the following statement:
@datasafe_privileges.sql <DATASAFE_ADMIN> <GRANT/REVOKE> <AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL> [-VERBOSE]
where:
- <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your database. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
- <GRANT/REVOKE> is GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
- Specify one or more Oracle Data Safe features, separated by a forward slash: AUDIT_COLLECTION, AUDIT_SETTING, DATA_DISCOVERY, MASKING, ASSESSMENT. ALL grants or revokes all the features.
- -VERBOSE shows only the actual GRANT/REVOKE commands. This parameter is optional.
Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database
If you plan to configure a TLS connection during target registration in the Oracle Data Safe Console, beforehand you need to configure a TLS connection between the Connection Manager of the on-premises connector on your host machine and your Oracle database.
- Open a command prompt on the host machine that has the unzipped install bundle.
- Find the distinguished name (DN) of the Connection Manager certificate from the client Connection Manager wallet by running the following command:
orapki wallet display -wallet <CMAN wallet location>
- Export the Connection Manager certificate by running the following command:
orapki wallet export -wallet <Connection Manager wallet location> -dn <distinguished name of the Connection Manager certificate> -cert <Connection Manager certificate file name>
- Add the Connection Manager certificate to your on-premises Oracle database server's wallet by running the following command:
orapki wallet add -wallet <database wallet location> -trusted_cert -cert <Connection Manager certificate file name>
- Export the database server certificate by running the following command:
orapki wallet export -wallet <database wallet location> -dn <db server DN> -cert <database server certificate file>
- Add the database server certificate to the Connection Manager wallet by running the following command. When prompted, enter the wallet password. This is the password that you created when you downloaded and installed the install bundle.
orapki wallet add -wallet <Connection Manager wallet location> -trusted_cert -cert <database server certificate file>
- Restart the database listener and restart the on-premises connector.
Register an On-Premises Oracle Database by Using an On-Premises Connector
You can register an on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.
- Sign in to the Oracle Data Safe Console.
- Click the Targets tab.
- Click Register. The Register Target dialog box is displayed.
- Enter a name for your on-premises Oracle database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 512. This name appears in all of the Oracle Data Safe reports that pertain to your target database.
- For target type, select Oracle On-Premises Database.
- (Optional) Enter a description for your target database.
- Select the compartment to which you want your target database to belong. You can add a target database to only one compartment and you cannot change the compartment after the target database is registered.
- From the Connection Type drop-down list, select On-Premises Connector.
- From the On-Premises Connector drop-down list, select the name of the on-premises connector that you created in the Oracle Data Safe service in Oracle Cloud Infrastructure.
- From the drop-down menu, select TCP or TLS. The default is TCP.
- For Hostname/IP Address, enter the host name or IP address of your on-premises Oracle database.
- For Port Number, enter the port number of your on-premises Oracle database.
- For Database Service Name, enter the long-form service name of your on-premises Oracle database.
- Enter the database user name and password that you created on your on-premises Oracle database specifically for the Oracle Data Safe service. The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSKM, and you cannot specify SYS as the user.
- (Optional) To verify that Oracle Data Safe can successfully connect to your on-premises Oracle database, click Test Connection.
- Click Register Target. You cannot register the target database if the connection test fails or if the on-premises Oracle database does not exist.
Configure Authorization Policies
After you register a database with Oracle Data Safe, you need to configure authorization policies in the Oracle Data Safe Console. Authorization policies determine which users can access the database and what they can do with the database.
You can configure authorization policies from the Security page in the Oracle Data Safe Console. To configure authorization policies, you need to be a tenancy administrator, an Oracle Data Safe administrator, or a delegated Oracle Data Safe administrator. See Create an Oracle Data Safe Administrators Group and Create a Delegated Administrator.
- Sign in to the Oracle Data Safe Console.
- At the top of the page, click Security.
- (Optional) To filter the list of compartments to show only those that have grants to users and user groups in Oracle Data Safe, select the Show compartments with grants only check box.
- Select the compartment for which you want to configure the authorization policy. A list of users and user groups is displayed.
- To grant a user or user group a privilege for a feature, select View or Manage from the Assessment, Discovery and Masking, and/or Activity Auditing drop-down lists. You can still select Manage for a user or user group even if that user or user group cannot inspect user groups in the tenancy. In this case, the user group can read, create, update, and delete resources for the feature, but cannot configure authorization policies.
- To grant a user or user group the same privilege for all features, select Manage from the All Features drop-down list.
- To revoke a privilege from a user or user group, select -- in a feature drop-down list.
- To filter the list of user and user groups to only those that have privileges, move the Hide IAM user groups without any access rights to the right.
- Click Save.
To ensure that only the on-premises connector client can connect to your database, Oracle recommends that you list the clients that are allowed to access your database in INVITED_NODES. For more information, see TCP.INVITED_NODES in the Oracle Database Net Services Reference Guide.
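One way to check that the listener's valid-node configuration actually restricts access to the connector hosts (both hosts of a high-availability pair), as an added example rather than Oracle's code: it parses the TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES parameters from a sqlnet.ora and reports gaps. The connector host names and the sqlnet.ora samples are constructed for the example; multi-line parameter values are not handled.

```python
import re
from typing import Dict, List, Tuple

# One "NAME = value" per line; '#' starts a comment (multi-line values are
# not handled, an assumption of this example).
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet(text: str) -> Dict[str, str]:
    """Map upper-cased parameter names to their raw string values."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.split("#", 1)[0])
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def node_list(value: str) -> List[str]:
    """'(Host1, 10.0.0.5)' -> ['host1', '10.0.0.5'], lower-cased."""
    return [n.strip().lower() for n in value.strip("()").split(",") if n.strip()]


def audit_invited_nodes(text: str, connector_hosts: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, findings). ok is True only when valid-node checking is on
    and the invited list is exactly the connector hosts."""
    params = parse_sqlnet(text)
    findings: List[str] = []
    if params.get("TCP.VALIDNODE_CHECKING", "no").lower() != "yes":
        findings.append("TCP.VALIDNODE_CHECKING is not yes: INVITED_NODES is ignored")
    invited = set(node_list(params.get("TCP.INVITED_NODES", "")))
    expected = {h.lower() for h in connector_hosts}
    if not invited:
        findings.append("TCP.INVITED_NODES is empty: no client restriction")
    if invited - expected:
        findings.append("invited nodes other than the connector hosts (review): "
                        + ", ".join(sorted(invited - expected)))
    if expected - invited:
        findings.append("connector hosts not invited: " + ", ".join(sorted(expected - invited)))
    return not findings, findings


# Constructed samples; the connector host names are hypothetical.
CONNECTOR_HOSTS = ["dsconnector1.example.internal", "dsconnector2.example.internal"]

WEAK_SQLNET = "SQLNET.EXPIRE_TIME = 10\n"  # no valid-node checking at all

HARDENED_SQLNET = """
# Only the two high-availability connector hosts may reach the listener.
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (dsconnector1.example.internal, dsconnector2.example.internal)
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        ok, findings = audit_invited_nodes(cfg, CONNECTOR_HOSTS)
        print(name, "OK" if ok else "FINDINGS: " + "; ".join(findings))
```

Hosts other than the connector hosts are reported for review rather than rejected outright, because administrators' clients usually need to be invited as well; if the connector is installed on the database host itself, that host belongs in the list too.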
- For more information about Oracle Connection Manager in Oracle Cloud Infrastructure, see Configuring and Administering Oracle Connection Manager.
- For more information about Oracle SSL/TLS setups between the Oracle database and client, see Enabling Secure Sockets Layer.