Register On-Premises Oracle Databases by Using an Oracle Data Safe Private Endpoint

You can register an on-premises Oracle database with Oracle Data Safe by using an Oracle Data Safe private endpoint.

Overview

If you have FastConnect or VPN Connect set up between your on-premises network and a virtual cloud network (VCN) in Oracle Cloud Infrastructure, you can register an on-premises Oracle database with Oracle Data Safe by using an Oracle Data Safe private endpoint.

  • FastConnect in Oracle Cloud Infrastructure is a secure connection between a customer's on-premises network and Oracle Cloud Infrastructure over a private network.
  • VPN Connect in Oracle Cloud Infrastructure is a site-to-site IPSec virtual private network that securely connects your on-premises network to Oracle Cloud Infrastructure, using your existing internet connection.
Note

This article assumes that you already have FastConnect or VPN Connect set up. If not, you can use the Oracle Data Safe on-premises connector to register your on-premises Oracle database. See Register On-Premises Oracle Databases by Using an Oracle Data Safe On-Premises Connector.

Prior to registration, you need to create an Oracle Data Safe private endpoint in your tenancy in Oracle Cloud Infrastructure (OCI). As illustrated in the following diagram, the Oracle Data Safe private endpoint communicates with your on-premises Oracle database over a private connection, either FastConnect or virtual private network (VPN), in Oracle Cloud Infrastructure. The Oracle Data Safe private endpoint communicates with the Oracle Data Safe service over the Oracle Cloud Infrastructure network.

Network configuration for an on-premises Oracle database to connect to an Oracle Data Safe private endpoint

Workflow

The following table outlines the steps for registering an on-premises Oracle database by using an Oracle Data Safe private endpoint.

Step, description, and reference:

  1. Obtain the required permission for registering an on-premises Oracle database with Oracle Data Safe.
    Reference: Obtain the Required Permissions for Registering an On-Premises Oracle Database with Oracle Data Safe
  2. Obtain the required permissions for managing virtual networking resources in Oracle Cloud Infrastructure.
    Reference: Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure
  3. Obtain the required permissions for creating an Oracle Data Safe private endpoint.
    Reference: Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints
  4. Create an Oracle Data Safe private endpoint in Oracle Cloud Infrastructure for an on-premises Oracle database.
    Reference: Create an Oracle Data Safe Private Endpoint
  5. Update the security list and network security group for your on-premises Oracle database.
    Reference: Update the Security List and Network Security Group
  6. Create an Oracle Data Safe service account on your on-premises Oracle database.
    Reference: Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database
  7. Grant roles to the Oracle Data Safe service account on your on-premises Oracle database.
    Reference: Grant Roles to the Oracle Data Safe Service Account
  8. (Optional) Create a wallet or certificate for a TLS connection to an on-premises Oracle database.
    Reference: Create a Wallet or Certificate for a TLS Connection to an On-Premises Oracle Database
  9. Register your on-premises Oracle database with Oracle Data Safe from the Oracle Data Safe Console.
    Reference: Register Your On-Premises Oracle Database by Using a Private Endpoint
  10. Configure authorization policies in the Oracle Data Safe Console.
    Reference: Configure Authorization Policies

Obtain the Required Permissions for Registering an On-Premises Oracle Database with Oracle Data Safe

To register an on-premises Oracle database or an Exadata Cloud@Customer database with Oracle Data Safe, you require one of the following:

  • The manage permission on the data-safe resource in Oracle Cloud Infrastructure Identity and Access Management (IAM). With this permission, you are an Oracle Data Safe administrator and have access to all features and functionality. For example, suppose you are a member of the Data-Safe-Admins group in IAM. A tenancy administrator can create a policy in IAM, consisting of the following two statements, to make your group the Oracle Data Safe administrators for the tenancy:
    Allow group Data-Safe-Admins to manage data-safe in tenancy
    Allow group Data-Safe-Admins to inspect groups in tenancy
  • The Administer privilege in the Oracle Data Safe Console on at least one feature. For example, the AdministerMasking privilege lets you register target databases to use with the Data Discovery and Data Masking features. An Oracle Data Safe administrator can create an authorization policy in the Oracle Data Safe Console that grants you this privilege.

Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure

Prior to creating an Oracle Data Safe private endpoint, you need to obtain permissions for managing virtual networking resources in Oracle Cloud Infrastructure. You require certain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. The following table lists the required permissions for virtual networking resources for each type of private endpoint operation.

Operation Required Access on Underlying Resources

Create a private endpoint

For the private endpoint compartment:

  • Create/Delete VNIC
  • Update members in a network security group
  • Associate a network security group

For the subnet compartment:

  • Attach/detach subnet

Update a private endpoint

For the private endpoint compartment:

  • Update VNIC
  • Update members in a network security group
  • Associate a network security group

Delete a private endpoint

For the private endpoint compartment:

  • Delete VNIC
  • Update members in a network security group

For the subnet compartment:

  • Detach subnet

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-23 Broad permission

In this example, the dbadmin group has broad permission to use all virtual networking resources in the compartment ADWcmp1.

allow group dbadmin to manage virtual-network-family in compartment ADWcmp1

Example 3-24 Specific permissions

In this example, the dbadmin group has specific permissions on network resources. The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint.

allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1

Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints

To create, update, or delete Oracle Data Safe private endpoints, you require permissions on Oracle Data Safe resources in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. There are two types of Oracle Data Safe resources on which you can grant permissions:

  • data-safe-family
  • data-safe-private-endpoints

The following table describes the different permissions for an Oracle Data Safe private endpoint.

Permission and what you can do:

  • inspect: List an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • read or use: Inspect and view properties for an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • manage: Inspect, read, create, update, delete, and move an Oracle Data Safe resource in Oracle Cloud Infrastructure

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-25 Broad permission

In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in the compartment ADWcmp1.

allow group dsadmins to manage data-safe-family in compartment ADWcmp1

Example 3-26 Specific permission

In this example, the ProjectA group has specific permission to manage the resource called data-safe-private-endpoints.

allow group ProjectA to manage data-safe-private-endpoints in compartment ADWcmp1

Create an Oracle Data Safe Private Endpoint

You can create an Oracle Data Safe private endpoint from the Oracle Data Safe service page in Oracle Cloud Infrastructure. You typically create the private endpoint in the same VCN as your database. The only exception is when you are using VCN peering; in that case, you can select another VCN for which VCN peering with your database's VCN is set up. The private IP address does not need to be on the same subnet as your database, but it does need to be on a subnet that can communicate with the database. You can create a maximum of one private endpoint per VCN.

Note

If a private endpoint already exists in the same VCN as your database, then you do not need to create a private endpoint.

When you create a private endpoint, you have the option to associate network security groups (NSGs) with it. You may need to do this to ensure the private endpoint can access your database. A network security group specifies egress and ingress security rules at the IP address level. You can create network security groups by using Oracle Cloud Infrastructure's networking service. See Access and Security in the Oracle Cloud Infrastructure documentation.

  1. Refer to the following list to obtain the network information for your database. Each entry names a database type and describes how to find its network information.
    DB system that has a private IP address:
    1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Bare Metal, VM, and Exadata.
    2. Click the name of your DB system.
    3. On the DB System Information tab, under Network, make note of the VCN and subnet names.
    Autonomous Database on Dedicated Exadata Infrastructure that has a private IP address:
    1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Autonomous Dedicated Infrastructure.
    2. Click Autonomous Exadata Infrastructure.
    3. On the right, in the Autonomous Exadata Infrastructure table, click the name of the infrastructure in which your database exists.
    4. Under Network, make note of the VCN and subnet names.
    Autonomous Database on Shared Exadata Infrastructure that has a private IP address:
    1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Autonomous Data Warehouse or Autonomous Transaction Processing.
    2. From the Compartment drop-down list, select the compartment that contains your Autonomous Database.
    3. On the right, click the name of your Autonomous Database.
    4. Under Network on the Autonomous Database Information tab, make note of the VCN and subnet names.
    Oracle Database on a compute instance in Oracle Cloud Infrastructure:
    1. From the navigation menu in Oracle Cloud Infrastructure, select Compute, and then Instances.
    2. Click the name of your compute instance.
    3. On the Instance Information tab, make note of the VCN and subnet names.
    Oracle Database on a compute instance in a non-Oracle cloud environment:
    1. From the navigation menu in Oracle Cloud Infrastructure, select Networking, and then Site-to-Site VPN (IPSec) or FastConnect.
    2. Select the VCN and subnet in Oracle Cloud Infrastructure that has connectivity via FastConnect or VPN Connect to your database.
    3. If you do not have FastConnect or VPN Connect set up, Oracle recommends that you use an Oracle Data Safe on-premises connector instead. See Register On-Premises Oracle Databases by Using an Oracle Data Safe On-Premises Connector.
    On-premises Oracle database:
    Obtain the name of the virtual cloud network and subnet on which your on-premises Oracle database can be accessed.

  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe.
    The Overview page is displayed.
  3. On the left, click Private Endpoints.
    The Private Endpoints page is displayed.
  4. Click Create Private Endpoint.
    The Create Private Endpoint page is displayed.
  5. In the NAME field, enter a name for your private endpoint.
  6. Select a compartment in which to store your private endpoint.
  7. Scroll down to the Private Endpoint Information section.
  8. From the VIRTUAL CLOUD NETWORK drop-down list, select the VCN on which your database can be accessed. If needed, click CHANGE COMPARTMENT and select the compartment that stores your VCN.
  9. From the SUBNET drop-down list, select a subnet within the selected VCN. If needed, click CHANGE COMPARTMENT and select the compartment that stores the subnet that you want to use.
    The subnet can be in a different compartment than the VCN. The subnet that you select needs to have access to the database's subnet.
  10. (Optional) In the PRIVATE IP field, specify a private IP address.
    If you do not specify a private IP address, Oracle Cloud Infrastructure automatically generates one for you in the selected subnet.
  11. (Optional) Select a network security group to which your database belongs.
  12. (Optional) To add another network security group, click + Another Network Security Group, and select another network security group.
  13. Click Create Private Endpoint.
    A private endpoint for Oracle Data Safe is provisioned in your database's VCN.
  14. To view details for your private endpoint, click its name. Take note of the Private IP address that was assigned to the Private Endpoint (or that you assigned to it). It is needed for configuring security rules.

Update the Security List and Network Security Group

Update the security list for your virtual cloud network (VCN) and, if implemented, the network security group for your database subnet, to allow traffic from the Oracle Data Safe private endpoint IP address to the database IP address(es). This step allows Oracle Data Safe to access your database. A security list acts as a virtual firewall for your database and consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. Both stateful and stateless security rules in the security list are allowed. For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

When you use an Oracle Data Safe private endpoint to connect your on-premises Oracle database to Oracle Data Safe, you need to create an egress rule for the Oracle Data Safe private endpoint. Configure the rule to allow the Oracle Data Safe private endpoint (from any port) to send requests to the database IP address(es) on the database's port.

Example 3-27 Configure a stateful security rule for an on-premises Oracle database and an Oracle Data Safe private endpoint

Suppose you are configuring a stateful security rule for an on-premises Oracle database and an Oracle Data Safe private endpoint. The IP address where the on-premises Oracle database listener is running is 10.0.0.2.

You configure an egress security rule on your virtual cloud network (VCN) in Oracle Cloud Infrastructure. The rule allows the private endpoint (from any port) to send requests to the database's private IP address (10.0.0.2) on port 1521. The database's IP address is the address where the listener is running.

Note

For a Real Application Cluster (RAC) database, you need to specify the IP addresses for the RAC database nodes and not the SCAN IP addresses. Whether you specify all the nodes in your RAC database depends on how you have your pluggable databases (PDBs) configured.

The following diagram illustrates the Oracle Data Safe private endpoint, the on-premises Oracle database, and the egress rule.

The following screenshot shows you the egress rule configured in Oracle Cloud Infrastructure. The Destination field is the private IP address of the database.

Screenshot of an egress rule for an on-premises Oracle database that connects to Oracle Data Safe via a private endpoint
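The following is an added example, not Oracle's code or part of this documentation. It audits a security-list egress rule set against the scenario in Example 3-27: it checks that the private endpoint can reach every listener IP on the database port, flags rules that are wider than a single listener IP on that port, and builds the tightest equivalent rule set. The rule dictionaries use the field names of the OCI EgressSecurityRule API (destination, protocol, isStateless, tcpOptions.destinationPortRange); the rule data and IP addresses are constructed samples, and IPv4 is assumed.

```python
"""Audit OCI security-list egress rules for a Data Safe private endpoint (added example)."""
import ipaddress

TCP = "6"            # OCI encodes protocols as IANA numbers; "6" is TCP
ALL_PROTOCOLS = "all"

# Constructed sample: egress rules attached to the private endpoint's subnet.
SAMPLE_EGRESS_RULES = [
    {   # the rule Example 3-27 describes: any source port -> 10.0.0.2:1521, stateful
        "destination": "10.0.0.2/32",
        "protocol": TCP,
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}},
    },
    {   # an over-broad rule: reaches the listener too, but also everything else
        "destination": "0.0.0.0/0",
        "protocol": ALL_PROTOCOLS,
        "isStateless": False,
    },
]


def _dest_port_range(rule):
    """Destination ports the rule allows as (min, max); unrestricted if no tcpOptions."""
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    if rng is None:
        return 1, 65535
    return rng["min"], rng["max"]


def rule_allows(rule, dst_ip, port):
    """True if this egress rule permits TCP traffic from the endpoint to dst_ip:port."""
    if rule.get("protocol") not in (TCP, ALL_PROTOCOLS):
        return False
    net = ipaddress.ip_network(rule["destination"], strict=False)
    if ipaddress.ip_address(dst_ip) not in net:
        return False
    lo, hi = _dest_port_range(rule)
    return lo <= port <= hi


def is_overly_broad(rule, port):
    """Flag a rule that allows more than one host address on exactly the database port."""
    net = ipaddress.ip_network(rule["destination"], strict=False)
    wider_dest = net.num_addresses != 1
    wider_proto = rule.get("protocol") != TCP
    wider_ports = _dest_port_range(rule) != (port, port)
    return wider_dest or wider_proto or wider_ports


def audit_egress_rules(rules, db_ips, port):
    """Summarise reachability per listener IP and list indexes of over-broad rules.

    db_ips holds the node listener addresses (for RAC, the node IPs, not SCAN IPs).
    """
    reachable = {ip: any(rule_allows(r, ip, port) for r in rules) for ip in db_ips}
    return {
        "reachable": reachable,
        "missing": [ip for ip, ok in reachable.items() if not ok],
        "broad_rules": [i for i, r in enumerate(rules) if is_overly_broad(r, port)],
    }


def minimal_egress_rules(db_ips, port):
    """Build one stateful TCP egress rule per listener IP, restricted to the database port."""
    return [
        {
            "destination": f"{ip}/32",
            "protocol": TCP,
            "isStateless": False,
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        }
        for ip in db_ips
    ]


if __name__ == "__main__":
    listeners = ["10.0.0.2", "10.0.0.3"]   # constructed two-node example
    print(audit_egress_rules(SAMPLE_EGRESS_RULES, listeners, 1521))
    print(minimal_egress_rules(listeners, 1521))
```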

Create a Service Account for Oracle Data Safe on Your On-Premises Oracle Database

Create a service account on your database specifically for Oracle Data Safe. Create the account with the minimum privileges required.

  1. Log in to your database with an account that lets you create a user.
  2. Create a user account with minimal privileges, for example:
    CREATE USER DATASAFE_ADMIN identified by password
    DEFAULT TABLESPACE "DATA"
    TEMPORARY TABLESPACE "TEMP";
    GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;
    • Replace DATASAFE_ADMIN and password with your own values.
    • Do not use SYSTEM or SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.

Grant Roles to the Oracle Data Safe Service Account

The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with your database. The following table describes the roles available for DB systems, on-premises Oracle databases, and Oracle databases on Compute instances.

Role Description

ASSESSMENT

Privileges required for the User Assessment and Security Assessment features

AUDIT_COLLECTION

Privileges required for accessing audit trails for the target database

DATA_DISCOVERY

Privileges required for the Data Discovery feature (discovering sensitive data in the target database)

MASKING

Privileges required for the Data Masking feature (masking sensitive data in the target database)

AUDIT_SETTING

Privileges required for updating target database audit policies

To grant or revoke roles from the Oracle Data Safe service account on your database, you need to run the SQL privileges script called datasafe_privileges.sql. You can download this script from the Oracle Data Safe Console. To run the script, you need to be connected to your database as the SYS user.

You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the database to grant the database access to Data Discovery. You cannot run the SQL privileges script on the root container of a database (CDB$ROOT).

  1. Download the SQL privileges script from the Oracle Data Safe Console:
    1. Sign in to the Oracle Data Safe Console, and click the Targets tab.
    2. Click Register.
      The Register Target dialog box is displayed.
    3. Click Download Privilege Script and save the datasafe_privileges.sql script to your computer.
    4. Click Cancel.
  2. With SQL Developer or SQL*Plus, connect to your database as the SYS user, and then run the SQL privileges script with the following statement:
    @datasafe_privileges.sql <DATASAFE_ADMIN> <GRANT/REVOKE> <AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL> [-VERBOSE]
    • <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your database. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
    • Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
    • Specify one or more Oracle Data Safe features, separated by a forward slash: AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL. ALL grants or revokes all the features.
    • -VERBOSE shows only the actual GRANT/REVOKE commands. This parameter is optional.

Create a Wallet or Certificate for a TLS Connection to an On-Premises Oracle Database

If you plan to configure a TLS connection to your database during registration, you need to create a wallet or certificate beforehand so that you can upload it during registration. The wallet or certificate you create depends on whether client authentication is enabled or disabled on your database. To check whether client authentication is enabled, view the SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file on your database. If it's equal to TRUE, then client authentication is enabled; otherwise it's not enabled.

When Client Authentication is Enabled on Your Target Database

When client authentication is enabled on your database, create a JKS wallet. The wallet must have the following items:

  • Signing certificate chain (or root certificate if there is no intermediate signing certificate) that was used to issue the Oracle Data Safe private key and public certificate.
  • Private key for Oracle Data Safe, which is acting as a client to the database.
  • Public certificate for Oracle Data Safe, which is acting as a client to the database.

For an example of how to create a JKS wallet with self-signed certificates, see Create Wallets and Certificates.

When Client Authentication is Disabled on Your Target Database

When client authentication is disabled on your database, create one of the following certificates or wallets:

  • Self-signed certificate for the database.
  • Signing root certificate that can issue the public certificate for the database (if an intermediate signing certificate is not involved in the public certificate signing).
  • JKS Wallet (if an intermediate certificate is involved in the public certificate signing). Add to the wallet the signing certificate chain that issues the public certificate for the database.

Supported certificate types are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). Supported file extensions are PEM, CER, CERT, CRT, and DER. If a commonly used certificate authority (CA) signs the certificate that is used by the database, then creating a certificate or wallet is optional.

For an example on how to create a PEM certificate using self-signed certificates, see Create Wallets and Certificates.

Keep in Mind

  • The maximum size for a wallet or certificate that you can upload during target registration is 50 KB.
  • If a user password or wallet password changes, you can simply update the password in the Oracle Data Safe Console. You do not need to delete the wallet.
  • If you delete a target database that uses a wallet to connect, the wallet is also deleted.
  • Passwordless SSL authentication based on PKI is enabled when SQLNET.AUTHENTICATION_SERVICES = TCPS in the sqlnet.ora file of a target database. Passwordless SSL authentication based on PKI is not supported in Oracle Data Safe.

Register Your On-Premises Oracle Database by Using a Private Endpoint

You can register an on-premises Oracle database from the Oracle Data Safe Console.

  1. Obtain the IP address(es) for your database.
  2. Sign in to the Oracle Data Safe Console.
  3. Click the Targets tab.
  4. Click Register.
    The Register Target dialog box is displayed.
  5. Enter a name for your target database.
  6. For Target Type, select Oracle On-Premises Database.
  7. (Optional) Enter a description for your target database.
  8. Select the compartment to which you want your target database to belong.
  9. From the Connectivity Option drop-down list, select Private Endpoint.
  10. From the Private Endpoint drop-down list, select the Oracle Data Safe private endpoint that you created in your VCN.
  11. From the drop-down list, select TCP or TLS.

    The default selection is TCP.

  12. Enter the private IP address(es) of the database node listeners.

    If you have more than one database node listener, you need to enter the IP address for each node listener. You can separate the IP addresses with a space or comma. For a RAC database, enter the IP addresses for the RAC database nodes.

  13. Enter the port number of the database.

    All node listeners have to run on the same port.

  14. Enter the long version of the database service name for the database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com.

    You can find the database service name by running the following statement when connected to the PDB via SQL*Plus:

    select sys_context('userenv','service_name') from dual;
  15. If you are configuring a TLS connection, enter the Target Distinguished Name.
    This name is the distinguished name used while creating the certificate on target database.
    An example name is CN=abcd.uscom-east-1.example.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US.
  16. If you are configuring a TLS connection and client authentication is enabled on your target database, then follow the steps below to upload a JKS wallet.
    1. From the Certificate/Wallet Type drop-down list, select JKS Wallet.
    2. For Certificate/Wallet, click Browse, and then select a truststore JKS file.
    3. For Keystore Wallet, click Browse, and then select a keystore JKS file.
    4. Enter the wallet password.
  17. If you are configuring a TLS connection and client authentication is disabled on your target database, select a certificate or wallet type, and then follow the corresponding steps listed below. You can choose to upload a JKS wallet, Privacy Enhanced Mail (PEM) certificate, Distinguished Encoding Rules (DER) certificate, or nothing.
    JKS Wallet:
    1. Click Browse.
    2. Select a truststore JKS file.
    3. Enter the wallet password.
    DER Certificate:
    1. Click Browse.
    2. Select a CRT or DER file.
    Supported file extensions are CER, CERT, CRT, and DER.
    PEM Certificate:
    1. Click Browse.
    2. Select a PEM or DER file.
    Supported file extensions are PEM and DER.
    NONE:
    You do not need to upload any files.

  18. Enter the database user name and password that you created on the target database specifically for Oracle Data Safe.
    The user name is case-insensitive, unless you enclose it in quotation marks.
    You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
  19. (Optional) To verify that Oracle Data Safe can successfully connect to the target database, click Test Connection.
  20. Click Register Target.
    You cannot register the target database if the connection test fails or if the target database does not exist.

Configure Authorization Policies

After you register a database with Oracle Data Safe, you need to configure authorization policies in the Oracle Data Safe Console. Authorization policies determine which users can access the database and what they can do with the database.

You can configure authorization policies from the Security page in the Oracle Data Safe Console. To configure authorization policies, you need to be a tenancy administrator, an Oracle Data Safe administrator, or a delegated Oracle Data Safe administrator. See Create an Oracle Data Safe Administrators Group and Create a Delegated Administrator.

  1. Sign in to the Oracle Data Safe Console.
  2. At the top of the page, click Security.
  3. (Optional) To filter the list of compartments to show only those that have grants to users and user groups in Oracle Data Safe, select the Show compartments with grants only check box.
  4. Select the compartment for which you want to configure the authorization policy.
    A list of users and user groups is displayed.
  5. To grant a user or user group a privilege for a feature, select View or Manage from the Assessment, Discovery and Masking, and/or Activity Auditing drop-down lists.
    You can still select Manage for a user or user group even if that user or user group cannot inspect user groups in the tenancy. In this case, the user group can read, create, update, and delete resources for the feature, but cannot configure authorization policies.
  6. To grant a user or user group the same privilege for all features, select -- (none), View, or Manage from the All Features drop-down list.
  7. To revoke a privilege from a user or user group, select -- (none) in a feature drop-down list.
  8. To filter the list of user and user groups to only those that have privileges, move the Hide IAM user groups without any access rights to the right.
  9. Click Save.
