Register On-Premises Oracle Databases by Using an Oracle Data Safe On-Premises Connector
Using Oracle Data Safe's on-premises connector is an easy and convenient way to connect Oracle Data Safe to your on-premises Oracle database without needing FastConnect or VPN Connect.
This article has the following topics:
- Overview
- Workflow
- Obtain the Required Permission for Creating On-Premises Connectors
- Create an On-Premises Connector in the Oracle Data Safe Service
- Download the Install Bundle for the On-Premises Connector
- Install the On-Premises Connector on Your Network
- Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database
- Grant Roles to the Oracle Data Safe Service Account on Your On-Premises Oracle Database
- Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and the On-Premises Oracle Database
- Register an On-Premises Oracle Database by Using an On-Premises Connector
- Configure Authorization Policies
- Best Practices
- Related Topics
Overview
For this type of registration, you need to create an on-premises connector in your Oracle Data Safe service in Oracle Cloud Infrastructure, download an install bundle, and then install the on-premises connector on a host on your network. The on-premises connector establishes an encrypted TLS tunnel over the Internet to cloud Connection Managers in the Oracle Data Safe service tenancy. To finish the setup, you need to register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.
As shown in the following diagram, your on-premises Oracle database communicates with the Connection Manager of the on-premises connector on your network, which communicates with the cloud Connection Managers in Oracle Cloud Infrastructure. You can use one on-premises connector to connect to multiple on-premises Oracle databases.
Workflow
The following table outlines the steps for registering an on-premises Oracle database by using an on-premises connector.
Step | Description | Reference |
---|---|---|
1 | Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) to create an Oracle Data Safe on-premises connector. | Obtain the Required Permission for Creating On-Premises Connectors |
2 | Create an Oracle Data Safe on-premises connector in the Oracle Data Safe service in Oracle Cloud Infrastructure. | Create an On-Premises Connector in the Oracle Data Safe Service |
3 | Download the install bundle that contains the on-premises connector. | Download the Install Bundle for the On-Premises Connector |
4 | Install the on-premises connector on a host on your network. | Install the On-Premises Connector on Your Network |
5 | Create a service account for Oracle Data Safe on your on-premises Oracle database. | Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database |
6 | Grant roles to the Oracle Data Safe service account on your on-premises Oracle database. | Grant Roles to the Oracle Data Safe Service Account on Your On-Premises Oracle Database |
7 | (Optional) Configure a TLS connection between your on-premises Oracle database and the on-premises connector on your host machine. | Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and the On-Premises Oracle Database |
8 | Register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console. | Register an On-Premises Oracle Database by Using an On-Premises Connector |
9 | Configure authorization policies in the Oracle Data Safe Console. | Configure Authorization Policies |
Obtain the Required Permission for Creating On-Premises Connectors
To create, update, and delete an Oracle Data Safe on-premises connector, you need to obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the resource called onprem-connectors.
The following table describes the different permissions available for the onprem-connectors resource.
Permission | What you can do |
---|---|
inspect | View the list of Oracle Data Safe on-premises connectors in your tenancy |
read or use | Inspect and read properties for Oracle Data Safe on-premises connectors in your tenancy |
manage | Inspect, read, create, update, delete, and move Oracle Data Safe on-premises connectors in your tenancy |
The following examples show how an IAM administrator could write policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.
Example 3-26 Broad Permission
In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in compartment ADWcmp1.
allow group dsadmins to manage data-safe-family in compartment ADWcmp1
Example 3-27 Specific Permission
In this example, the ProjectA group has specific permission to manage Oracle Data Safe on-premises connectors in compartment ADWcmp1.
allow group ProjectA to manage onprem-connectors in compartment ADWcmp1
Create an On-Premises Connector in the Oracle Data Safe Service
Create an on-premises connector from the Oracle Data Safe service page in Oracle Cloud Infrastructure. You can create a maximum of five on-premises connectors.
Download the Install Bundle for the On-Premises Connector
You can download the install bundle for the on-premises connector from the Connector Detail page in the Oracle Data Safe service.
Install the On-Premises Connector on Your Network
This part shows you how to install the on-premises connector. Oracle recommends that you install the on-premises connector on a host machine other than your on-premises Oracle database host machine. You can, however, install it on the database host machine if needed. Do not run the installer as the root user.
The Connection Manager, as part of your on-premises connector installation on your host machine, establishes a TLS tunnel to a cloud Connection Manager. You can control outgoing traffic from your host machine to the IP address of the cloud Connection Manager, which listens on port 443. The address of a cloud Connection Manager is accesspoint.datasafe.REGIONNAME.oci.oraclecloud.com. For example, for the Ashburn region, the address is accesspoint.datasafe.us-ashburn-1.oci.oraclecloud.com. You can obtain the IP address of the cloud Connection Manager by doing a DNS lookup.
The following items are also installed. For more information about these items, see the Database Administrator's Guide.
- SQL*Plus, installed in the oracle_cman_home/bin directory
- Listener control utility (lsnrctl)
- Connection testing utility (tnsping)
Be sure that the host machine on which you are going to install the on-premises connector has the following software:
- Operating system: Oracle Linux 7 or higher
- Python 3.5 or higher. If you have multiple versions of Python installed, make sure that you set the default to Python 3.5 or higher, or explicitly provide the Python path when running the commands.
- Java version 7 or higher with a valid Java Home (JAVA_HOME)
For instructions on how to uninstall, update, stop, and show the status, please refer to the README file that comes with the install bundle.
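The following script is an added example, not part of the Oracle documentation or the install bundle. It checks the connector host against the requirements above: the installer is not being run as root, Python 3.5 or higher and Java 7 or higher with JAVA_HOME are present, the cloud Connection Manager address for the region resolves in DNS (so the outbound firewall rule can be limited to that address), and a TLS handshake on port 443 succeeds. It assumes getent, openssl, python3 and java are on PATH; the script name check_connector_host.sh and the DATASAFE_REGION variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: prerequisite checks for the
# host that will run the Oracle Data Safe on-premises connector. It assumes the
# commands getent, openssl, python3 and java are on PATH (hypothetical host).

# Cloud Connection Manager address for an OCI region identifier, following the
# pattern given in the text: accesspoint.datasafe.REGIONNAME.oci.oraclecloud.com
cman_host() {
    printf 'accesspoint.datasafe.%s.oci.oraclecloud.com\n' "$1"
}

# Succeeds when version $1 (for example 3.6.8) is at least version $2 (for
# example 3.5); only the major and minor components are compared.
version_ge() {
    case $1 in
        *.*) hmaj=${1%%.*}; hrest=${1#*.}; hmin=${hrest%%.*} ;;
        *)   hmaj=$1; hmin=0 ;;
    esac
    case $2 in
        *.*) nmaj=${2%%.*}; nrest=${2#*.}; nmin=${nrest%%.*} ;;
        *)   nmaj=$2; nmin=0 ;;
    esac
    # Anything non-numeric (for example "command not found" text) fails the check.
    case "$hmaj$hmin$nmaj$nmin" in *[!0-9]*) return 1 ;; esac
    [ "$hmaj" -gt "$nmaj" ] || { [ "$hmaj" -eq "$nmaj" ] && [ "$hmin" -ge "$nmin" ]; }
}

# Java major version from the string printed by "java -version":
# 1.7.0_80 -> 7, 1.8.0_292 -> 8, 11.0.2 -> 11.
java_major() {
    case $1 in
        1.*) v=${1#1.}; printf '%s\n' "${v%%.*}" ;;
        *)   printf '%s\n' "${1%%.*}" ;;
    esac
}

# Run all checks for region $1; prints one line per check, returns 1 on any failure.
run_checks() {
    host=$(cman_host "$1")
    rc=0

    # The documentation says not to run the installer as root.
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL: running as root; run the installer as an unprivileged user"; rc=1
    fi

    # Python 3.5 or higher must be the default python3.
    pyver=$(python3 --version 2>&1 | awk '{print $2}')
    if version_ge "${pyver:-0}" 3.5; then
        echo "OK: Python $pyver"
    else
        echo "FAIL: Python '$pyver' is below 3.5 or not found"; rc=1
    fi

    # Java 7 or higher with JAVA_HOME set.
    jver=$(java -version 2>&1 | head -n 1 | sed 's/.*"\([^"]*\)".*/\1/')
    if [ "$(java_major "${jver:-0}")" -ge 7 ] 2>/dev/null && [ -n "${JAVA_HOME:-}" ]; then
        echo "OK: Java $jver, JAVA_HOME=$JAVA_HOME"
    else
        echo "FAIL: Java '$jver' is below 7, not found, or JAVA_HOME is unset"; rc=1
    fi

    # Resolve the cloud Connection Manager so the egress firewall rule can be
    # limited to its address, then confirm a TLS handshake on port 443 works.
    ip=$(getent hosts "$host" | awk '{print $1; exit}')
    if [ -n "$ip" ]; then
        echo "OK: $host resolves to $ip (allow outbound TCP to $ip:443)"
        if echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null | grep -q 'BEGIN CERTIFICATE'; then
            echo "OK: TLS handshake with $host:443"
        else
            echo "FAIL: no TLS handshake with $host:443 (check outbound firewall or proxy)"; rc=1
        fi
    else
        echo "FAIL: cannot resolve $host"; rc=1
    fi
    return $rc
}

# The checks run only when a region is supplied, for example:
#   DATASAFE_REGION=us-ashburn-1 sh check_connector_host.sh
if [ -n "${DATASAFE_REGION:-}" ]; then
    run_checks "$DATASAFE_REGION"
fi
```

Run it as the same unprivileged account that will run the installer, so the root and JAVA_HOME checks reflect that account's environment. The resolved address is what an egress rule should be scoped to; if the DNS answer changes over time, re-run the script before tightening the rule further.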
Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database
Create a service account on your target database specifically for Oracle Data Safe. Create the account with the least amount of privileges.
Grant Roles to the Oracle Data Safe Service Account on Your On-Premises Oracle Database
The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with your database. The following table describes the roles available for DB systems, on-premises Oracle databases, and Oracle databases on Compute instances.
Role | Description |
---|---|
 | Privileges required for the User Assessment and Security Assessment features |
 | Privileges required for accessing audit trails for the target database |
 | Privileges required for the Data Discovery feature (discovering sensitive data in the target database) |
 | Privileges required for the Data Masking feature (masking sensitive data in the target database) |
 | Privileges required for updating target database audit policies |
To grant or revoke roles from the Oracle Data Safe service account on your database, you need to run the SQL privileges script called datasafe_privileges.sql. You can download this script from the Oracle Data Safe Console. To run the script, you need to be connected to your database as the SYS user.
You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the database to grant the database access to Data Discovery.
You cannot run the SQL privileges script on the root container of a database (CDB$ROOT).
Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and the On-Premises Oracle Database
If you plan to configure a TLS connection during target registration in the Oracle Data Safe Console, you first need to configure a TLS connection between the Connection Manager of the on-premises connector on your host machine and your on-premises Oracle database.
Register an On-Premises Oracle Database by Using an On-Premises Connector
You can register an on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.
Configure Authorization Policies
After you register a target database with Oracle Data Safe, you need to configure authorization policies in the Oracle Data Safe Console. Authorization policies determine which user groups can access the target database and what those user groups can do with the target database.
You can configure authorization policies from the Security page in the Oracle Data Safe Console. To configure authorization policies, you need to be an Oracle Data Safe administrator or a delegated Oracle Data Safe administrator. See Create an Oracle Data Safe Administrators Group and Create a Delegated Administrator.
Best Practices
To ensure that only the on-premises client can connect to your on-premises Oracle database, Oracle recommends that you list the clients that are allowed to access your database in the sqlnet.ora parameter INVITED_NODES. For more information, see TCP.INVITED_NODES in the Oracle Database Net Services Reference Guide.
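The script below is an added example, not part of the Oracle documentation. It reads a sqlnet.ora file on the database host and checks that a given client address is in TCP.INVITED_NODES, and that TCP.VALIDNODE_CHECKING is set to yes, because the invited node list is only enforced when valid node checking is enabled. The sqlnet.ora content is constructed for the example, and the connector address 10.0.5.20 and host dba-jumphost.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: check that a database
# host's sqlnet.ora only admits the on-premises connector host. The sqlnet.ora
# content below is constructed for this example; 10.0.5.20 stands in for the
# connector host and is a placeholder.

# Print the value of parameter $2 from sqlnet.ora file $1. Parameter names are
# matched case-insensitively; a value that spans several lines is not handled.
sqlnet_param() {
    awk -v key="$2" -F= '
        {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Succeeds only when TCP.VALIDNODE_CHECKING is yes (without it, the invited
# node list is not enforced) and host $2 appears in TCP.INVITED_NODES of file $1.
invited_node_ok() {
    checking=$(sqlnet_param "$1" TCP.VALIDNODE_CHECKING | tr 'A-Z' 'a-z')
    [ "$checking" = "yes" ] || return 1
    nodes=$(sqlnet_param "$1" TCP.INVITED_NODES | tr -d '() ')
    case ",$nodes," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Human-readable result for one client address.
invited_nodes_report() {
    if invited_node_ok "$1" "$2"; then
        echo "OK: $2 is listed in TCP.INVITED_NODES and valid node checking is on"
    else
        echo "FAIL: $2 would be refused, or TCP.VALIDNODE_CHECKING is not yes"
    fi
}

# Constructed sqlnet.ora for this example (not from a real database host).
SAMPLE_SQLNET=$(mktemp)
cat > "$SAMPLE_SQLNET" <<'EOF'
# sqlnet.ora on the database host: admit only the connector host (placeholder)
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (10.0.5.20, dba-jumphost.example.com)
EOF

invited_nodes_report "$SAMPLE_SQLNET" 10.0.5.20
invited_nodes_report "$SAMPLE_SQLNET" 192.0.2.99
```

Point the functions at the real sqlnet.ora of the database listener (under the network/admin directory of the Oracle home or TNS_ADMIN) and pass the address of the host running the on-premises connector; a FAIL for that address, or an OK for an address that should not be able to connect, means the listener restriction is not doing what the best practice intends. The listener must be restarted or reloaded for sqlnet.ora changes to take effect.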
Related Topics
- For more information about Oracle Connection Manager in Oracle Cloud Infrastructure, see Configuring Oracle Connection Manager.
- For more information about Oracle SSL/TLS setups between the Oracle database and client, see Enabling Secure Sockets Layer.