Register On-Premises Oracle Databases by Using an Oracle Data Safe On-Premises Connector

Using Oracle Data Safe's on-premises connector is an easy and convenient way to connect Oracle Data Safe to your on-premises Oracle database without needing FastConnect or VPN Connect.

If you have FastConnect or VPN Connect, you can also register your on-premises database via an Oracle Data Safe private endpoint. See Register On-Premises Oracle Databases by Using an Oracle Data Safe Private Endpoint.


Overview

For this type of registration, you need to create an on-premises connector in your Oracle Data Safe service in Oracle Cloud Infrastructure, download an install bundle, and then install the on-premises connector on a host on your network. The on-premises connector establishes an encrypted TLS tunnel over the Internet to cloud Connection Managers in the Oracle Data Safe service tenancy. To finish the setup, you need to register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.

As shown in the following diagram, your on-premises Oracle database communicates with the Connection Manager of the on-premises connector on your network, which communicates with the cloud Connection Managers in Oracle Cloud Infrastructure. You can use one on-premises connector to connect to multiple on-premises Oracle databases.

Workflow

The following steps outline the process for registering an on-premises Oracle database by using an on-premises connector. The section that describes each step is named in parentheses.

  1. Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) to create an Oracle Data Safe on-premises connector. (Obtain the Required Permission for Creating On-Premises Connectors)
  2. Create an Oracle Data Safe on-premises connector in the Oracle Data Safe service in Oracle Cloud Infrastructure. (Create an On-Premises Connector in the Oracle Data Safe Service)
  3. Download the install bundle that contains the on-premises connector. (Download the Install Bundle for the On-Premises Connector)
  4. Install the on-premises connector on a host on your network. (Install the On-Premises Connector on Your Network)
  5. Create a service account for Oracle Data Safe on your on-premises Oracle database. (Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database)
  6. Grant roles to the Oracle Data Safe service account on your on-premises Oracle database. (Grant Roles to the Oracle Data Safe Service Account on Your On-Premises Oracle Database)
  7. (Optional) Configure a TLS connection between your on-premises Oracle database and the on-premises connector on your host machine. (Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database)
  8. Register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console. (Register an On-Premises Oracle Database by Using an On-Premises Connector)
  9. Configure authorization policies in the Oracle Data Safe Console. (Configure Authorization Policies)

Obtain the Required Permission for Creating On-Premises Connectors

To create, update, and delete an Oracle Data Safe on-premises connector, you need to obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the resource called onprem-connectors.

The following table describes the different permissions available for the onprem-connectors resource.

Permission     What you can do
inspect        View the list of Oracle Data Safe on-premises connectors in your tenancy
read or use    Inspect and read properties for Oracle Data Safe on-premises connectors in your tenancy
manage         Inspect, read, create, update, delete, and move Oracle Data Safe on-premises connectors in your tenancy

The following examples show how an IAM administrator could write policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-28 Broad Permission

In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in compartment ADWcmp1.

allow group dsadmins to manage data-safe-family in compartment ADWcmp1

Example 3-29 Specific Permission

In this example, the ProjectA group has specific permission to manage Oracle Data Safe on-premises connectors in compartment ADWcmp1.

allow group ProjectA to manage onprem-connectors in compartment ADWcmp1

Create an On-Premises Connector in the Oracle Data Safe Service

Create an on-premises connector from the Oracle Data Safe service page in Oracle Cloud Infrastructure. You can create a maximum of five on-premises connectors.

  1. Sign in to the Oracle Cloud Infrastructure Console and select the region in which Oracle Data Safe is enabled in your tenancy.
  2. From the navigation menu, select Oracle Database, and then Data Safe.
  3. Under Connectivity Options, click On-Premises Connectors.
  4. On the right, click Create On-Premises Connector.
    The Create On-Premises Connector page is displayed.
  5. From the drop-down list, select the compartment in which you want to store the on-premises connector.
  6. Enter a name for the on-premises connector.
  7. (Optional) Enter a description for the on-premises connector.
  8. (Optional) To configure tagging, click Show Tagging Options, and then configure a tag.
  9. Click Create On-Premises Connector.
    The on-premises connector is created and listed in the table. The initial life-cycle state of the on-premises connector is set to INACTIVE.

Download the Install Bundle for the On-Premises Connector

You can download the install bundle for the on-premises connector from the Connector Detail page in the Oracle Data Safe service.

  1. From the Data Safe page in Oracle Cloud Infrastructure, click On-Premises Connectors.
  2. Click the on-premises connector that you created.
  3. Click Download Install Bundle.
    The Download Install Bundle dialog box is displayed.
  4. Enter a password for the install bundle, confirm it, and then click Download.
    Keep this password on hand as you need it later when you install the on-premises connector on a host on your network.
    The install bundle is downloaded to your browser's default download location.
  5. Copy the install bundle ZIP file to a host machine on your network.
  6. Unzip the file and confirm that you have the following files:
    • README - Readme file with installation instructions
    • connector.conf - Connection Manager configuration file
    • downloads/orapki.zip - ZIP file containing an orapki script and required JAR files
    • downloads/cman.zip - ZIP file containing Connection Manager binaries
    • downloads/cmanora.template - Connection Manager configuration template
    • util/datasafe_privileges.sql - Oracle Data Safe privileges SQL script. You can also download this script from the Register Target dialog box in the Oracle Data Safe Console.
    • wallet/ewallet.p12 - P12 wallet
    • setup.py - Python setup script to install the on-premises connector

Install the On-Premises Connector on Your Network

Oracle recommends that you install the on-premises connector on a host machine other than your Oracle database host machine. You can, however, install it on the database host machine if needed.

In a production environment, Oracle recommends that you install the same on-premises connector on two Linux hosts for high availability. If one of your hosts goes down due to system failure or maintenance, Oracle Data Safe connections automatically fail over to the on-premises connector running on the other host, and the on-going Oracle Data Safe operations are not affected.

The Connection Manager that is part of your on-premises connector installation establishes a TLS tunnel to a cloud Connection Manager. The tunnel is outbound only: nothing has to be opened for inbound traffic, and you can restrict outgoing traffic from your host machine to the cloud Connection Manager, which listens on port 443. The address of a cloud Connection Manager is accesspoint.datasafe.REGIONNAME.oci.oraclecloud.com. For example, for the Ashburn region, the address is accesspoint.datasafe.us-ashburn-1.oci.oraclecloud.com. You can obtain the IP address of the cloud Connection Manager by doing a DNS lookup of that name. If your egress filtering works on IP addresses rather than host names, keep in mind that the address behind the name can change: allow the host name on a proxy or DNS-aware firewall where you can, and repeat the lookup if the tunnel stops coming up.

The following items are also installed. For more information about these items, see the Database Administrator's Guide.

  • SQL*Plus - Installed in the oracle_cman_home/bin directory.
  • Listener control utility (lsnrctl)
  • Connection testing utility (tnsping)

Hardware requirements for the host machine on which you are going to install the on-premises connector are as follows:

  • Minimum CPU: 2
  • Minimum RAM: 16GB
  • Minimum local disk storage:
    • 5GB, of which the on-premises connector software plus log space takes 100 MB
    • /tmp space: 100 MB
  • Network interface bandwidth: 1Gbps
  • Network connectivity:
    • Outbound connectivity to Oracle Data Safe (accesspoint.datasafe.<region>.oci.oraclecloud.com:443). Replace <region> with your region; for example, accesspoint.datasafe.us-ashburn-1.oci.oraclecloud.com.
    • Local connectivity to target database listener hosts/ports

Software requirements for the host machine on which you are going to install the on-premises connector are as follows:

  • Operating system: Oracle Linux 7 or higher (Linux x86-64)
  • Python 3.5 or higher - If you have multiple versions of Python installed, make sure that the default python command is Python 3.5 or higher, or explicitly provide the Python path when running the commands. On Oracle Linux 7 the unversioned python command is Python 2 by default, so run the installer with python3 or a full path to a suitable interpreter.
  • Java version 7 or higher with a valid Java Home (JAVA_HOME)
Note

For instructions on how to uninstall, update, stop, and show the status, please refer to the README file that comes with the install bundle.
  1. Open a command prompt on a host machine where you want to install the on-premises connector.
  2. As a user different from the root user, enter the following command to install the on-premises connector.
    Do not run the installer as the root user.
    Provide a free local port number for the on-premises connector's Connection Manager (the examples below use 1560). The proxy argument is optional; skip it if the host has direct outbound Internet access. The on-premises connector does not support a proxy user name and password.

    An HTTP proxy may not be enough, depending on your organization's network configuration and security policies. For example, some networks require a user name and password for the HTTP proxy. In such cases, contact your network administrator to open outbound connections to accesspoint.datasafe.<region>.oci.oraclecloud.com on port 443 without going through the HTTP proxy.

    The install script automatically starts the on-premises connector.
    $ python setup.py install --connector-port=<port> [--https-proxy=<proxy:port>]
    Examples:
    $ python setup.py install --connector-port=1560
    $ python setup.py install --connector-port=1560 --https-proxy=https://www-proxy.domain.com:80 
  3. At the prompt, enter the password that you created when you downloaded the install bundle.
    The on-premises connector is installed in the current directory and started automatically. In the Oracle Data Safe service in Oracle Cloud Infrastructure, the Connector Details page now shows the on-premises connector with the status ACTIVE.
  4. (Optional) To diagnose installation issues or execute additional commands (such as uninstall, update, start, stop, and status), please refer to the README file that comes with the install bundle.
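Before running setup.py, it is worth checking the requirements above from the host itself. The following script is an added example; it is not part of the install bundle or of Oracle's documentation. It assumes that openssl, curl, getent and timeout are installed, that a usable Java lives at $JAVA_HOME/bin/java, and it encodes only what this section states: the regional access point name, the Python 3.5 floor, the non-root install user, and the rule that the proxy URL cannot carry credentials. Run it as the install user with the region, the target listener host and port, and optionally the proxy URL.

```shell
#!/bin/bash
# Added preflight check for an on-premises connector host. Not part of the
# install bundle: it only exercises the requirements stated on this page
# (Python >= 3.5, a usable JAVA_HOME, a non-root install user, outbound TLS to
# the regional access point on 443, a reachable target listener, and no
# credentials in the proxy URL). Assumes openssl, curl, getent and timeout
# are installed on the host.

# Regional cloud Connection Manager address, as given on this page.
accesspoint_host() {
  printf 'accesspoint.datasafe.%s.oci.oraclecloud.com\n' "$1"
}

# $1 is the output of `python --version` (for example "Python 3.6.8").
# Succeeds for 3.5 and later; compares numerically so 3.10 counts as newer than 3.5.
python_ok() {
  ver=${1#Python }
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  if [ "$major" -gt 3 ] 2>/dev/null; then return 0; fi
  if [ "$major" -eq 3 ] 2>/dev/null && [ "$minor" -ge 5 ] 2>/dev/null; then return 0; fi
  return 1
}

# The connector has no proxy authentication, so a user:password@ URL is a
# configuration error rather than something to pass to --https-proxy.
proxy_url_ok() {
  case "$1" in
    *@*) return 1 ;;
    *)   return 0 ;;
  esac
}

check_software() {
  rc=0
  python_ok "$(python3 --version 2>&1)" || python_ok "$(python --version 2>&1)" \
    || { echo "need Python >= 3.5 (on Oracle Linux 7 'python' is 2.7: run setup.py with python3)"; rc=1; }
  [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] \
    || { echo "JAVA_HOME is unset or has no bin/java (assumed layout)"; rc=1; }
  [ "$(id -u)" -ne 0 ] || { echo "run the installer as a non-root user"; rc=1; }
  return $rc
}

check_accesspoint() {   # usage: check_accesspoint REGION [PROXY_URL]
  host=$(accesspoint_host "$1"); proxy=$2
  getent hosts "$host" || { echo "DNS lookup failed for $host"; return 1; }
  if [ -n "$proxy" ]; then
    proxy_url_ok "$proxy" || { echo "proxy credentials are not supported by the connector"; return 1; }
    # Through a proxy: curl opens the CONNECT tunnel and completes the TLS
    # handshake. Exit 7 = proxy unreachable, 28 = timeout, 35 = TLS handshake failed.
    curl -sS --max-time 10 --proxy "$proxy" -o /dev/null "https://$host/" 2>/dev/null
    rc=$?
    case $rc in 7|28|35) echo "cannot reach $host via $proxy (curl exit $rc)"; return 1 ;; esac
  else
    # Direct: require a completed handshake with a chain that verifies against
    # the host's CA bundle; a stale ca-certificates package is the usual culprit.
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
      | grep -q 'Verify return code: 0 (ok)' \
      || { echo "TLS handshake or chain verification to $host failed"; return 1; }
  fi
  echo "access point $host reachable on 443"
}

# Plain TCP reachability of the target listener from this host.
check_listener() {   # usage: check_listener DB_HOST DB_PORT
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null \
    || { echo "listener $1:$2 is not reachable"; return 1; }
  echo "listener $1:$2 reachable"
}

preflight() {   # usage: preflight REGION DB_HOST DB_PORT [PROXY_URL]
  check_software && check_accesspoint "$1" "$4" && check_listener "$2" "$3" \
    && echo "preflight OK: python3 setup.py install --connector-port=1560${4:+ --https-proxy=$4}"
}

# Only run when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

The listener check is TCP only; after the install, tnsping from oracle_cman_home/bin gives a SQL*Net-level check against the same host and port.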

Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database

Create a service account on your database specifically for Oracle Data Safe. Give the account only the privileges it needs to exist and connect; the privileges for individual Oracle Data Safe features are granted afterwards by the datasafe_privileges.sql script, as described in the next section.

  1. Log in to your database with an account that lets you create a user.
  2. Create a user account with minimal privileges, for example:
    CREATE USER DATASAFE_ADMIN identified by password
    DEFAULT TABLESPACE "DATA"
    TEMPORARY TABLESPACE "TEMP";
    GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;
    • Replace DATASAFE_ADMIN and password with your own values.
    • Do not use SYSTEM or SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.

Grant Roles to the Oracle Data Safe Service Account on Your On-Premises Oracle Database

The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with your database. The following table describes the roles available for DB systems, on-premises Oracle databases, and Oracle databases on Compute instances.

Role                Description
ASSESSMENT          Privileges required for the User Assessment and Security Assessment features
AUDIT_COLLECTION    Privileges required for accessing audit trails for the target database
DATA_DISCOVERY      Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
MASKING             Privileges required for the Data Masking feature (masking sensitive data in the target database)
AUDIT_SETTING       Privileges required for updating target database audit policies

To grant or revoke roles from the Oracle Data Safe service account on your database, you need to run the SQL privileges script called datasafe_privileges.sql. You can download this script from the Oracle Data Safe Console. To run the script, you need to be connected to your database as the SYS user.

You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the database to grant the database access to Data Discovery. You cannot run the SQL privileges script on the root container of a database (CDB$ROOT).

  1. Copy the datasafe_privileges.sql script to your database host machine. You can find this script in the util folder of the install bundle.
  2. With SQL Developer or SQL*Plus (which is included in the install bundle in the oracle_cman_home/bin directory), connect to your database as the SYS user, and then run the datasafe_privileges.sql script with the following statement:
    @datasafe_privileges.sql <DATASAFE_ADMIN> <GRANT/REVOKE> <AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL> [-VERBOSE]
    where:
    • <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your database. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
    • Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
    • Specify one or more Oracle Data Safe features, separated by a forward slash: AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL. ALL grants or revokes all the features.
    • -VERBOSE shows only the actual GRANT/REVOKE commands. This parameter is optional.
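The service account creation in the previous section and the datasafe_privileges.sql run above can be scripted, and more importantly checked afterwards. The following is an added example, not Oracle's code. It assumes a multitenant database whose target PDB is named DSPDB (for a non-CDB, drop the ALTER SESSION line), that it runs on the database host as the Oracle software owner so that SYS connects with OS authentication, and that datasafe_privileges.sql from the install bundle's util folder is in the current directory. The account password is read from an environment variable so that it never appears in the process list or shell history.

```shell
#!/bin/bash
# Added example, not Oracle's code: create the Data Safe service account, run
# the bundle's datasafe_privileges.sql for the features you need, then list
# what the account actually holds. Assumptions: a multitenant database with
# the target PDB named DSPDB (for a non-CDB, drop the ALTER SESSION line),
# execution on the database host as the Oracle software owner so that SYS
# connects with OS authentication, and datasafe_privileges.sql (from the
# install bundle's util folder) in the current directory.

# SYSTEM and SYSAUX are rejected as the default tablespace: Data Masking
# cannot work with them (see the note in the service-account step).
tablespace_ok() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    ''|SYSTEM|SYSAUX) return 1 ;;
    *)                return 0 ;;
  esac
}

# The feature argument of datasafe_privileges.sql: feature names separated by
# a forward slash, or ALL. Typos and lower case are caught before SQL*Plus runs.
features_ok() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$1" | tr '/' '\n' | while IFS= read -r f; do
    case "$f" in
      AUDIT_COLLECTION|AUDIT_SETTING|DATA_DISCOVERY|MASKING|ASSESSMENT|ALL) ;;
      *) exit 1 ;;   # exits the pipeline's subshell, so the function returns 1
    esac
  done
}

# Step 2 of the service-account section, with the grants shown on this page.
create_service_account() {   # usage: DS_PASSWORD=... create_service_account PDB USER TABLESPACE
  [ -n "$DS_PASSWORD" ] || { echo "set DS_PASSWORD first"; return 1; }
  tablespace_ok "$3" || { echo "refusing default tablespace '$3'"; return 1; }
  sqlplus -S "/ as sysdba" <<EOF
WHENEVER SQLERROR EXIT SQL.SQLCODE
ALTER SESSION SET CONTAINER = $1;
CREATE USER $2 IDENTIFIED BY "$DS_PASSWORD"
  DEFAULT TABLESPACE $3
  TEMPORARY TABLESPACE TEMP;
GRANT CONNECT, RESOURCE TO $2;
EXIT
EOF
}

# The grant step, run inside the PDB because the script must not run in CDB$ROOT.
grant_features() {   # usage: grant_features PDB USER FEATURES   (e.g. AUDIT_COLLECTION/ASSESSMENT)
  features_ok "$3" || { echo "bad feature list '$3'"; return 1; }
  sqlplus -S "/ as sysdba" <<EOF
WHENEVER SQLERROR EXIT SQL.SQLCODE
ALTER SESSION SET CONTAINER = $1;
@datasafe_privileges.sql $2 GRANT $3 -VERBOSE
EXIT
EOF
}

# What the account holds now: roles, system privileges, object privileges.
# The second query flags DBA, which Data Safe never needs, and ANY privileges,
# which deserve a look whenever a feature brings them in.
show_grants() {   # usage: show_grants PDB USER
  sqlplus -S "/ as sysdba" <<EOF
SET PAGESIZE 500 LINESIZE 200 FEEDBACK OFF
ALTER SESSION SET CONTAINER = $1;
SELECT 'ROLE' AS kind, granted_role AS name FROM dba_role_privs WHERE grantee = '$2'
UNION ALL
SELECT 'SYSPRIV', privilege FROM dba_sys_privs WHERE grantee = '$2'
UNION ALL
SELECT 'OBJPRIV', owner || '.' || table_name || ':' || privilege FROM dba_tab_privs WHERE grantee = '$2'
ORDER BY 1, 2;
SELECT 'REVIEW: ' || granted_role FROM dba_role_privs WHERE grantee = '$2' AND granted_role = 'DBA'
UNION ALL
SELECT 'REVIEW: ' || privilege FROM dba_sys_privs WHERE grantee = '$2' AND privilege LIKE '%ANY%';
EXIT
EOF
}

# Source this file, then (with ORACLE_HOME and ORACLE_SID set):
#   DS_PASSWORD='...' create_service_account DSPDB DATASAFE_ADMIN DATA
#   grant_features DSPDB DATASAFE_ADMIN AUDIT_COLLECTION/ASSESSMENT
#   show_grants DSPDB DATASAFE_ADMIN
```

Run show_grants once before and once after each grant_features call: the difference is the exact privilege set a feature costs you, which is what you want on record when a reviewer asks why the service account can read a given table.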

Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database

If you plan to configure a TLS connection during target registration in the Oracle Data Safe Console, beforehand you need to configure a TLS connection between the Connection Manager of the on-premises connector on your host machine and your Oracle database.

  1. Open a command prompt on the host machine that has the unzipped install bundle.
  2. Find the distinguished name (DN) of the Connection Manager certificate in the on-premises connector's wallet (the wallet directory from the install bundle, which holds ewallet.p12) by running the following command:
    orapki wallet display -wallet <Connection Manager wallet location>
  3. Export the Connection Manager certificate by running the following command:
    orapki wallet export -wallet <Connection Manager wallet location> -dn <distinguished name of the Connection Manager certificate> -cert <Connection Manager certificate file name>
  4. Add the Connection Manager certificate to your on-premises Oracle database server's wallet by running the following command:
    orapki wallet add -wallet <database wallet location> -trusted_cert -cert <Connection Manager certificate file name>
  5. Export the database server certificate by running the following command:
    orapki wallet export -wallet <database wallet location> -dn <db server DN> -cert <database server certificate file>
  6. Add the database server certificate to the Connection Manager wallet by running the following command. When prompted, enter the wallet password. This is the password that you created when you downloaded and installed the install bundle.
    orapki wallet add -wallet <Connection Manager wallet location> -trusted_cert -cert <database server certificate file>
  7. Restart the database listener and restart the on-premises connector.
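The exchange in steps 2 to 6 is easy to get wrong by hand, mostly by copying the wrong DN or adding a certificate to the wrong wallet, so the following added example scripts it and then checks the result in both wallets. It is not part of the install bundle. It assumes the orapki from downloads/orapki.zip is on PATH, that both wallet directories are readable from the host it runs on (if the connector and the database are on different hosts, run each export on its own side and copy the .crt file across before the matching add), and the usual layout of orapki wallet display output: a User Certificates: heading and a Trusted Certificates: heading, each followed by Subject: lines. The sample output embedded in the script is constructed for the parser check, not captured from a real wallet.

```shell
#!/bin/bash
# Added example, not part of the install bundle: run the orapki certificate
# exchange from the TLS procedure above with the DNs read from the wallets
# instead of copied by hand, then confirm each side trusts the other.
# Assumes orapki (from downloads/orapki.zip) is on PATH and both wallet
# directories are readable from this host.

# Subject DN of the wallet's own certificate, parsed from `orapki wallet display`.
# Assumed layout: a "User Certificates:" heading followed by "Subject:  <DN>" lines.
user_cert_dn() {
  awk '/^User Certificates:/        { f = 1; next }
       /^[A-Za-z ]+:[[:space:]]*$/  { f = 0 }
       f && /^Subject:/             { sub(/^Subject:[[:space:]]*/, ""); print; exit }'
}

# All subject DNs under the "Trusted Certificates:" heading.
trusted_cert_dns() {
  awk '/^Trusted Certificates:/     { f = 1; next }
       /^[A-Za-z ]+:[[:space:]]*$/  { f = 0 }
       f && /^Subject:/             { sub(/^Subject:[[:space:]]*/, ""); print }'
}

# Succeeds only if WALLET_DIR lists DN among its trusted certificates.
verify_trust() {   # usage: verify_trust WALLET_DIR DN
  orapki wallet display -wallet "$1" | trusted_cert_dns | grep -Fxq -- "$2"
}

# Steps 2 to 6 of the procedure. orapki prompts for each wallet password; for
# the connector wallet that is the password chosen when the bundle was downloaded.
exchange_certs() {   # usage: exchange_certs CMAN_WALLET_DIR DB_WALLET_DIR [OUT_DIR]
  cman=$1; db=$2; out=${3:-.}
  cman_dn=$(orapki wallet display -wallet "$cman" | user_cert_dn)
  db_dn=$(orapki wallet display -wallet "$db" | user_cert_dn)
  if [ -z "$cman_dn" ] || [ -z "$db_dn" ]; then
    echo "could not read a user certificate DN from one of the wallets"; return 1
  fi
  orapki wallet export -wallet "$cman" -dn "$cman_dn" -cert "$out/cman.crt" || return 1
  orapki wallet add    -wallet "$db"   -trusted_cert -cert "$out/cman.crt"  || return 1
  orapki wallet export -wallet "$db"   -dn "$db_dn"   -cert "$out/db.crt"   || return 1
  orapki wallet add    -wallet "$cman" -trusted_cert -cert "$out/db.crt"    || return 1
  # Check the wallets themselves rather than trusting orapki's exit codes alone.
  verify_trust "$cman" "$db_dn" && verify_trust "$db" "$cman_dn" \
    && echo "trust established both ways; now restart the database listener and the connector"
}

# Constructed sample of orapki wallet display output (not from a real wallet),
# used to exercise the two parsers above.
SAMPLE_DISPLAY='Oracle PKI Tool Release 19.0.0.0.0 - Production
Requested Certificates:
User Certificates:
Subject:        CN=cman_client,OU=DataSafe,O=Example,C=US
Trusted Certificates:
Subject:        CN=Example Root CA,O=Example,C=US
Subject:        CN=dbhost.example.com,O=Example,C=US'

# Only run the exchange when called with both wallet locations.
if [ "$#" -ge 2 ]; then exchange_certs "$@"; fi
```

The two verify_trust calls are the part worth keeping even if you do the rest by hand: a wallet that lists the other side's certificate under Trusted Certificates is the only evidence that step 4 or step 6 actually landed in the wallet the listener or the Connection Manager reads.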

Register an On-Premises Oracle Database by Using an On-Premises Connector

You can register an on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.

  1. Sign in to the Oracle Data Safe Console.
  2. Click the Targets tab.
  3. Click Register.
    The Register Target dialog box is displayed.
  4. Enter a name for your on-premises Oracle database.
    This name can be any name you want, and all characters are accepted. The maximum number of characters is 512.
    This name appears in all of the Oracle Data Safe reports that pertain to your target database.
  5. For target type, select Oracle On-Premises Database.
  6. (Optional) Enter a description for your target database.
  7. Select the compartment to which you want your target database to belong.
    You can add a target database to only one compartment and you cannot change the compartment after the target database is registered.
  8. From the Connection Type drop-down list, select On-Premises Connector.
  9. From the On-Premises Connector drop-down list, select the name of the on-premises connector that you created in the Oracle Data Safe service in Oracle Cloud Infrastructure.
  10. From the drop-down menu, select TCP or TLS.
    The default is TCP.
  11. For Hostname/IP Address, enter the host name or IP address of your on-premises Oracle database.
  12. For Port Number, enter the port number of your on-premises Oracle database.
  13. For Database Service Name, enter the long-form service name of your on-premises Oracle database.
  14. Enter the database user name and password that you created on your on-premises Oracle database specifically for the Oracle Data Safe service.
    The user name is case-insensitive, unless you enclose it in quotation marks.
    You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
  15. (Optional) To verify that Oracle Data Safe can successfully connect to your on-premises Oracle database, click Test Connection.
  16. Click Register Target.
    You cannot register the target database if the connection test fails or if the on-premises Oracle database does not exist.

Configure Authorization Policies

After you register a database with Oracle Data Safe, you need to configure authorization policies in the Oracle Data Safe Console. Authorization policies determine which users can access the database and what they can do with the database.

You can configure authorization policies from the Security page in the Oracle Data Safe Console. To configure authorization policies, you need to be a tenancy administrator, an Oracle Data Safe administrator, or a delegated Oracle Data Safe administrator. See Create an Oracle Data Safe Administrators Group and Create a Delegated Administrator.

  1. Sign in to the Oracle Data Safe Console.
  2. At the top of the page, click Security.
  3. (Optional) To filter the list of compartments to show only those that have grants to users and user groups in Oracle Data Safe, select the Show compartments with grants only check box.
  4. Select the compartment for which you want to configure the authorization policy.
    A list of users and user groups is displayed.
  5. To grant a user or user group a privilege for a feature, select View or Manage from the Assessment, Discovery and Masking, and/or Activity Auditing drop-down lists.
    You can still select Manage for a user or user group even if that user or user group cannot inspect user groups in the tenancy. In this case, the user group can read, create, update, and delete resources for the feature, but cannot configure authorization policies.
  6. To grant a user or user group the same privilege for all features, select -- (none), View, or Manage from the All Features drop-down list.
  7. To revoke a privilege from a user or user group, select -- in a feature drop-down list.
  8. To filter the list of users and user groups to only those that have privileges, turn on the Hide IAM user groups without any access rights toggle.
  9. Click Save.

Best Practices

To ensure that only the host running the on-premises connector can connect to your database, Oracle recommends restricting client access with valid node checking in the sqlnet.ora file of the database server: set TCP.VALIDNODE_CHECKING to yes and list the allowed client addresses in TCP.INVITED_NODES (TCP.INVITED_NODES has no effect unless valid node checking is enabled). Include every host that runs the connector, so both hosts in a high-availability installation, and restart the listener afterwards. For more information, see TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES in the Oracle Database Net Services Reference Guide.
