For this type of registration, you need to create an on-premises connector in your Oracle Data Safe service in Oracle Cloud Infrastructure, download an install bundle, and then install the on-premises connector on a host on your network. The on-premises connector establishes an encrypted TLS tunnel over the Internet to cloud Connection Managers in the Oracle Data Safe service tenancy. To finish the setup, you need to register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.

As shown in the following diagram, your on-premises Oracle database communicates with the Connection Manager of the on-premises connector on your network, which communicates with the cloud Connection Managers in Oracle Cloud Infrastructure. You can use one on-premises connector to connect to multiple on-premises Oracle databases.

The following table outlines the steps for registering an on-premises Oracle database by using an on-premises connector.

To create, update, and delete an Oracle Data Safe on-premises connector, you need to obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the resource called onprem-connectors.

The following table describes the different permissions available for the onprem-connectors resource.

The following examples show how an IAM administrator could write policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

allow group dsadmins to manage data-safe-family in compartment ADWcmp1

allow group ProjectA to manage onprem-connectors in compartment ADWcmp1

1. Sign in to the Oracle Cloud Infrastructure Console and select the region in which Oracle Data Safe is enabled in your tenancy.
2. From the navigation menu, select Data Safe.
3. Under Connectivity Options, click On-Premises Connectors.
4. On the right, click Create On-Premises Connector.
   The Create On-Premises Connector page is displayed.
5. From the drop-down list, select the compartment in which you want to store the on-premises connector.
6. Enter a name for the on-premises connector.
7. (Optional) Enter a description for the on-premises connector.
8. (Optional) To configure tagging, click Show Tagging Options, and then configure a tag.
   
9. Click Create On-Premises Connector.
   The on-premises connector is created and listed in the table. The initial life-cycle state of the on-premises connector is set to INACTIVE.

1. From the Data Safe page in Oracle Cloud Infrastructure, click On-Premises Connectors.
2. Click the on-premises connector that you created.
   
3. Click Download Install Bundle.
   The Download Install Bundle dialog box is displayed.
4. Enter a password for the install bundle, confirm it, and then click Download.
   Keep this password on hand as you need it later when you install the on-premises connector on a host on your network.
   The install bundle is downloaded to your browser's default download location.
5. Copy the install bundle ZIP file to a host machine on your network.
6. Unzip the file and confirm that you have the following files:
   • README - Readme file with installation instructions
   • connector.conf - Connection Manager configuration file
   • downloads/orapki.zip - ZIP file containing an orapki script and required JAR files
   • downloads/cman.zip - ZIP file containing Connection Manager binaries
   • downloads/cmanora.template - Connection Manager configuration template
   • util/datasafe_privileges.sql - Oracle Data Safe privileges SQL script. You can also download this script from the Register Target dialog box in the Oracle Data Safe Console.
   • wallet/ewallet.p12 - P12 wallet
   • setup.py - Python setup script to install the on-premises connector

1. Open a command prompt on a host machine where you want to install the on-premises connector.
2. Enter the following command to install the on-premises connector.
   Provide a port number for the on-premises connector. The proxy argument is optional. You can skip the proxy argument if the deploying host has public internet access. The install script automatically starts the on-premises connector.

   $ python setup.py install --connector-port=<port> [--https-proxy=<proxy:port>]

   Examples:

   $ python setup.py install --connector-port=1560
   $ python setup.py install --connector-port=1560 --https-proxy=https://www-proxy.domain.com:80 

3. At the prompt, enter the password that you created when you downloaded the install bundle.
   The on-premises connector is installed in the current directory and automatically started. The status for the on-premises connector in the Oracle Data Safe service in Oracle Cloud Infrastructure is now set to ACTIVE.
4. (Optional) To diagnose installation issues or execute additional commands (such as uninstall, update, start, stop, and status), please refer to the README file that comes with the install bundle.

1. Log in to your target database with an account that lets you create a user.
2. Create a user account with minimal privileges, for example:

   CREATE USER DATASAFE_ADMIN identified by password
   DEFAULT TABLESPACE "DATA"
   TEMPORARY TABLESPACE "TEMP";
   GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;

   • Replace DATASAFE_ADMIN and password with your own values.
   • Do not use SYSTEM or SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.

1. Copy the datasafe_privileges.sql script to your database host machine. You can find this script in the util folder of the install bundle.
2. With SQL Developer or SQL*Plus (which is included in the install bundle in the oracle_cman_home/bin directory), connect to your database as the SYS user, and then run the datasafe_privileges.sql script with the following statement:

   @datasafe_privileges.sql <DATASAFE_ADMIN> <GRANT/REVOKE> <AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL> [-VERBOSE]

   where:
   • <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your database. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
   • Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
   • Specify one or more Oracle Data Safe features, separated by a forward slash: AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL. ALL grants or revokes all the features.
   • -VERBOSE shows only the actual GRANT/REVOKE commands. This parameter is optional.

1. Open a command prompt on the host machine that has the unzipped install bundle.
2. Find the distinguished name (DN) of the Connection Manager certificate from the client Connection Manager wallet by running the following command:

   orapki wallet display -wallet <CMAN wallet location>

3. Export the Connection Manager certificate by running the following command:

   orapki wallet export -wallet <Connection Manager wallet location> -dn <distinguished name of the Connection Manager certificate> -cert <Connection Manager certificate file name>

4. Add the Connection Manager certificate to your on-premises Oracle database server's wallet by running the following command:

   orapki wallet add -wallet <database wallet location> -trusted_cert -cert <Connection Manager certificate file name>

5. Export the database server certificate by running the following command:

   orapki wallet export -wallet <database wallet location> -dn <db server DN> -cert <database server certificate file>

6. Add the database server certificate to the Connection Manager wallet by running the following command. When prompted, enter the wallet password. This is the password that you created when you downloaded and installed the install bundle.

   orapki wallet add -wallet <Connection Manager wallet location> -trusted_cert -cert <database server certificate file>

7. Restart the database listener and restart the on-premises connector.

1. Sign in to the Oracle Data Safe Console.
2. Click the Targets tab.
3. Click Register.
   The Register Target dialog box is displayed.
4. Enter a name for your on-premises Oracle database.
   This name can be any name you want, and all characters are accepted. The maximum number of characters is 512.
   This name appears in all of the Oracle Data Safe reports that pertain to your target database.
5. For target type, select Oracle On-Premises Database.
6. (Optional) Enter a description for your target database.
7. Select the compartment to which you want your target database to belong.
   You can add a target database to only one compartment and you cannot change the compartment after the target database is registered.
8. From the Connection Type drop-down list, select On-Premises Connector.
9. From the On-Premises Connector drop-down list, select the name of the on-premises connector that you created in the Oracle Data Safe service in Oracle Cloud Infrastructure.
10. From the drop-down menu, select TCP or TLS.
    The default is TCP.
11. For Hostname/IP Address, enter the host name or IP address of your on-premises Oracle database.
12. For Port Number, enter the port number of your on-premises Oracle database.
13. For Database Service Name, enter the long-form service name of your on-premises Oracle database.
14. Enter the database user name and password that you created on your on-premises Oracle database specifically for theOracle Data Safe service.
    If you created the user without quotation marks, you need to enter the user name in uppercase here. For example, if the user name on the target database is called test, then you need to enter TEST.
    You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
15. (Optional) To verify that Oracle Data Safe can successfully connect to your on-premises Oracle database, click Test Connection.
16. Click Register Target.
    You cannot register the target database if the connection test fails or if the on-premises Oracle database does not exist.

1. Sign in to the Oracle Data Safe Console.
2. At the top of the page, click Security.
3. Select the compartment for which you want to configure the authorization policy.
   A list of user groups is displayed.
4. To grant a group a privilege for a feature, select View or Manage from the Assessment, Discovery and Masking, and/or Activity Auditing drop-down lists.
   You can still select Manage for a user group even if that group cannot inspect groups in the tenancy. In this case, the group can read, create, update, and delete resources for the feature, but cannot configure authorization policies.
5. To grant a group the same privilege for all features, select –- (none), View, or Manage from the All Features drop-down list.
6. To revoke a privilege from a group, select -- in a feature drop-down list.
7. To filter the list of groups to only those that have privileges, move the Hide IAM user groups without any access rights to the right.
8. Click Save.

To ensure that only the on-premises client can connect to your on-premises Oracle database, Oracle recommends that you specify in the sqlnet.ora parameter called INVITED_NODES the clients that are allowed to access your database. For more information, see TCP.INVITED_NODES in the Oracle Database Net Services Reference Guide.

• For more information about Oracle Connection Manager in Oracle Cloud Infrastructure, see Configuring Oracle Connection Manager.
• For more information about Oracle SSL/TLS setups between the Oracle database and client, see Enabling Secure Sockets Layer.