Azure Key Vault Integration for Exadata Database Service on Oracle Database@Azure
Exadata Database Service on Oracle Database@Azure enables you to store your database's transparent data encryption (TDE) keys, also known as master encryption keys (MEKs) in either a file-based Oracle wallet or in the OCI Vault.
This feature enables Exadata Database Service on Oracle Database@Azure users to utilize Azure Key Vault (AKV) Managed HSM, AKV Premium and AKV Standard for managing TDE MEKs. This integration allows applications, Azure services, and databases to use a centralized key management solution for enhanced security and simplified key lifecycle management.
- Prerequisites: The following steps must be completed before you can configure Azure Key Vault as the key management for your databases.
- Network Requirements for Creating an Identity Connector and KMS Resources: Azure Key Management Service (KMS) resources support both public and private connectivity. Azure Key Vault Managed HSM requires private connectivity, whereas Azure Key Vault Premium and Standard tiers support both public and private connectivity options.
- Using the Console to Manage Azure Key Vault Integration for Exadata Database Service on Oracle Database@Azure: Learn how to manage Azure Key Vault integration for Exadata Database Service on Oracle Database@Azure.
- Using the API to Manage Azure Key Vault Integration for Exadata Database Service on Oracle Database@Azure
Prerequisites
The following steps must be completed before you can configure Azure Key Vault as the Key Management Service for your databases at the Exadata VM Cluster level.
- You must first complete the registration required for delegated subnets to use advanced network features mentioned in Network planning for Oracle Database@Azure, and then create an Azure Virtual Network with at least one delegated subnet in it to be used by Exadata VM cluster.
- Provision an Exadata VM Cluster via the Azure interface. See Provisioning an Exadata VM Cluster for Azure for step-by-step instructions.
- Review the networking requirements to determine whether the VM Cluster will connect to Azure KMS via a public network or through private connectivity. For more information, see Connected Machine agent network requirements or Network Requirements for Creating an Identity Connector and KMS Resources for specific steps to follow.
- Ensure that the following policy is created before creating the database.
allow any-user to manage oracle-db-azure-vaults IN tenancy where ALL { request.principal.type in ('cloudvmcluster') }
Network Requirements for Creating an Identity Connector and KMS Resources
Azure Key Management Service (KMS) resources support both public and private connectivity. Azure Key Vault Managed HSM requires private connectivity, whereas Azure Key Vault Premium and Standard tiers support both public and private connectivity options.
The following sections outline the network requirements for private and for public network access.
Configuration Using Private Network
- Arc agent network configuration
To create an Identity Connector over a private network, an Azure Arc Private Link Scope and a Private Endpoint must be configured through the Azure portal. Refer to the Azure documentation for detailed steps on setting up private connectivity for Azure Arc-enabled servers.
Note
The Private Endpoint must be created in a non-delegated subnet within the Virtual Cloud Network (VCN) that hosts the Oracle Exadata VM Cluster. This is an Azure requirement, as Private Endpoints are not supported in delegated subnets. By default, Exadata VM Clusters are provisioned in delegated subnets.
Managed HSM requires private connectivity and is supported only in Azure regions that offer Advanced Networking features. For a list of supported regions, see Network planning for Oracle Database@Azure.
To allow communication with private agent resources over the private network, a private DNS zone and corresponding A records must be created within the VCN's DNS configuration in your Oracle Cloud Infrastructure (OCI) tenancy.
The DNS configuration for the Private Endpoint associated with the Private Link Scope must include the necessary private agent resource addresses.
First, retrieve the list of required addresses from the Azure portal. Then, update the DNS zone entry in OCI to complete the configuration.
Example: Add a Private Agent Resource (for example, gbl.his.arc.azure.com)
The IP address associated with gbl.his.arc.azure.com, along with any other required agent resources, must be defined in the private DNS zone.
Steps:
- Create a Private Zone. For more information, see Creating a Private DNS Zone.
  - Zone type: Primary
  - Zone name: <Descriptive name>
  - Compartment: <Compartment name or OCID>
- Add DNS Records
  - Navigate to the Records tab on the zone details page.
  - Click Manage Records, then Add Record:
    - Name: gbl.his.arc.azure.com
    - Type: A (IPv4 address)
    - TTL (seconds): 3600
    - RDATA mode: Basic
    - Address: <Private IP address>
- Publish the Zone
  - Ensure the record appears on the zone's page after publishing.
  - Verify that connectivity to Azure services from the VM cluster is routed through the private network.
Even with Private Connectivity, the following endpoints must be routed through the public network. You must define the required route rules as described in Configuration Using Public Network.
Agent resources:
packages.microsoft.com
login.microsoftonline.com
pas.windows.net
management.azure.com
- Azure Key Vault private endpoints configuration
To access endpoints of Azure Key Vaults over private connectivity, you must create a DNS zone. Additionally, an A record mapping the fully qualified domain name (FQDN) of the resource to the IP address of the corresponding private endpoint must be added in the OCI tenancy.
To access the Managed HSM service over a Private Endpoint in the virtual network hosting an Exadata VM Cluster, you can establish a private link connection to Managed HSM and associate it with either the default subnet or a non-delegated subnet. Follow the steps outlined in the "Configuration Using Private Network" section of the "Network Requirements for Creating an Identity Connector and KMS Resources" topic. For more information, see Integrate Managed HSM with Azure Private Link.
Configuration Using Public Network
When using a public network, installing and configuring the Azure Arc agent requires outbound access to specific Azure service endpoints. These endpoints must be explicitly configured through NAT gateway route rules. If a NAT gateway is not already available, you must create one.
Key considerations:
- All connections use the TCP protocol, unless otherwise noted.
- All connections are outbound, unless otherwise specified.
- All traffic is encrypted using HTTPS (SSL/TLS) with officially signed and verifiable certificates.
To enable connectivity, you must configure the route table of the Virtual Cloud Network (VCN) associated with the Exadata VM Cluster to allow traffic via a NAT gateway.
Example Route Rule Configuration:
- Target Type: NAT Gateway
- Destination CIDR Block: <Azure service address block>
- Target NAT Gateway Compartment: <Compartment Name>
- Target NAT Gateway: <NAT Gateway Name or OCID>
- Description: management.azure.com
The table below lists the Azure endpoints that must be added to the route table rules. For reference, see the supporting Azure documentation.
Table 5-9 Azure endpoints - route table
Agent Resource | Purpose | When required | Private link capable
---|---|---|---
packages.microsoft.com | Used to download the Linux installation package | At installation/update time | Public
login.microsoftonline.com | To access Microsoft Entra ID (IAM) | Always | Public
pas.windows.net | To access Microsoft Entra ID (IAM) | Always | Public
*.login.microsoft.com | To access Microsoft Entra ID (IAM) | Always | Public
management.azure.com | Azure Resource Manager - to create or delete the Arc server resource | When connecting or disconnecting a server only | Public, unless a resource management private link is also configured
*.his.arc.azure.com (for example, gbl.his.arc.azure.com) | Metadata and hybrid identity services | Always | Private
*.guestconfiguration.azure.com (for example, eastus-gas.guestconfiguration.azure.com) | Extension management and guest configuration services | Always | Private
For more information about Microsoft Public IP Address blocks and download instructions, see Microsoft Public IP Space.
For more information about IP address ranges for Public Azure and download instructions, see Azure IP Ranges and Service Tags – Public Cloud.
To access endpoints for Azure Key Vault, if connectivity is unavailable, add a route rule using the IP address as described above.
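The split between the private path (A records in the OCI private DNS zone) and the public path (NAT gateway route rules) is easy to get half right, and the symptom is an Arc agent that registers but cannot reach one service. As an added example, not Oracle's or Microsoft's code, the following Python script takes the address each endpoint resolves to on a VM cluster node and reports every host whose path does not match the table above: private-link hosts must resolve to a private address, public hosts to a public one. The resolver answers are constructed inline; the `*.managedhsm.azure.net` suffix (a known Azure Managed HSM DNS suffix, not listed on this page) and the assumption that no resource-management private link exists for management.azure.com are mine.

```python
import ipaddress
from fnmatch import fnmatch

# Expected path per host, taken from Table 5-9 on this page. Hosts marked
# "Private" are served by A records in the OCI private DNS zone and must
# resolve to a private address; hosts marked "Public" go out through the
# NAT gateway and must resolve to a public address.
PRIVATE_LINK_HOSTS = (
    "*.his.arc.azure.com",
    "*.guestconfiguration.azure.com",
    # Assumption (not in the table on this page): Managed HSM endpoints use the
    # managedhsm.azure.net suffix and, per the page, require private connectivity.
    "*.managedhsm.azure.net",
)
PUBLIC_HOSTS = (
    "packages.microsoft.com",
    "login.microsoftonline.com",
    "pas.windows.net",
    "*.login.microsoft.com",
    # Public unless a resource-management private link is also configured,
    # which this check assumes is not the case.
    "management.azure.com",
)


def expected_path(host, extra=None):
    """Return 'private', 'public', or None when the host is not in the table.

    `extra` maps further FQDNs (for example your Key Vault Premium hostname,
    which may legitimately use either path) to the path you chose for them.
    """
    host = host.lower().rstrip(".")
    if any(fnmatch(host, p) for p in PRIVATE_LINK_HOSTS):
        return "private"
    if any(fnmatch(host, p) for p in PUBLIC_HOSTS):
        return "public"
    return (extra or {}).get(host)


def check_resolution(host, ip, extra=None):
    """Classify one resolved address and compare it with the expected path."""
    expected = expected_path(host, extra)
    try:
        actual = "private" if ipaddress.ip_address(ip).is_private else "public"
    except (ValueError, TypeError):
        actual = "unresolved"  # no A record, or garbage from the resolver
    return {"host": host, "expected": expected, "actual": actual,
            "ok": expected is not None and actual == expected}


def failures(resolutions, extra=None):
    """Hosts whose resolved address does not match the required path."""
    checked = (check_resolution(h, ip, extra) for h, ip in resolutions.items())
    return [r["host"] for r in checked if not r["ok"]]


# Constructed sample: what a resolver on a VM cluster node might return after the
# private DNS zone and NAT route rules were set up. None means no answer.
SAMPLE_RESOLUTION = {
    "gbl.his.arc.azure.com": "10.0.5.4",                    # private zone A record
    "eastus-gas.guestconfiguration.azure.com": "10.0.5.5",  # private zone A record
    "packages.microsoft.com": "13.107.42.14",               # public, via NAT gateway
    "login.microsoftonline.com": "20.190.151.7",
    "pas.windows.net": "40.126.31.3",
    "management.azure.com": "4.150.240.10",
    "example.login.microsoft.com": None,                    # constructed: no answer
    "mykeyvault.managedhsm.azure.net": "52.168.10.10",      # constructed: wrong path
}

if __name__ == "__main__":
    for host in failures(SAMPLE_RESOLUTION):
        print("FAIL", check_resolution(host, SAMPLE_RESOLUTION[host]))
```

On a real node, replace SAMPLE_RESOLUTION with the answers the VM's resolver gives for each host (for example the output of `dig +short`) and treat every reported host as a DNS zone record or route rule to revisit; an unresolved public host usually means the NAT gateway route rule for that address block is missing, while a private-link host resolving to a public address means the A record in the OCI private zone was never published.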
Using the Console to Manage Azure Key Vault Integration for Exadata Database Service on Oracle Database@Azure
Learn how to manage Azure Key Vault integration for Exadata Database Service on Oracle Database@Azure.
- Create an Identity Connector from the OCI Console: Creating an Identity Connector installs the Azure Arc agent on the Exadata VM Cluster VMs, registering them as Azure Arc-enabled virtual machines.
- View the details of an Identity Connector: To view the details of an identity connector, use this procedure.
- Enable or Disable the Azure Key Management: This step installs the required library on the VM cluster to support Azure Key Vault integration. Ensure that an identity connector is created before enabling Azure Key Management on the Exadata VM Cluster.
- Create Azure Key Vault (Managed HSM, Premium, and Standard) and Assign Required Permissions: Create Azure Key Vault Managed HSM, Azure Key Vault Premium, or Azure Key Vault Standard, then assign the permission.
- Register Azure Key Vaults in the OCI console: This is an alternative way to register your Azure key vaults from the OCI console. If you have already registered your vault during the creation of a database in your existing Exadata VM Cluster, you can skip this step.
- To create a database in an existing VM Cluster: This topic covers creating your first or subsequent databases.
- Change the Key Management from Oracle Wallet to Azure Key Vault: Learn to change encryption keys between different encryption methods.
- Rotate the Keys Managed by Azure Key Vault for a Container Database: To rotate the Azure key vault encryption key of a container database (CDB), use this procedure.
- Rotate the Keys Managed by Azure Key Vault for a Pluggable Database: To rotate the Azure key vault encryption key of a pluggable database (PDB), use this procedure.
Create an Identity Connector from the OCI Console
Creating an Identity Connector installs the Azure Arc agent on the Exadata VM Cluster VMs, registering them as Azure Arc-enabled virtual machines.
This enables secure communication with the Azure Key Management Service (KMS) using the Azure identity generated by the Arc agent. The Azure Arc agent can communicate with Azure services over either a public network or a private connectivity setup. Learn more about Azure Arc.
Each Exadata VM cluster must have an identity connector enabled to access Azure resources. The identity connector establishes either a public or private connection between the Exadata VM cluster and Azure Key Management resources, depending on the roles assigned.
To generate an access token for your current Azure account, see az account get-access-token.
You can create an identity connector in one of two ways: using the Oracle Exadata Database Service on Dedicated Infrastructure interface or the Database Multicloud Integrations interface.
Oracle Exadata Database Service on Dedicated Infrastructure
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- From the left menu, click Exadata VM Clusters under Oracle Exadata Database Service on Dedicated Infrastructure.
- From the list of Exadata VM Clusters, select the cluster you are using.
- Select VM Cluster information, and then navigate to Identity connector located under Multicloud information. Click the Create link.
Note
If an identity connector has not been created previously, it is displayed as None.
- The Identity connector name, Exadata VM cluster, Azure subscription id, and Azure resource group name are read-only fields and will be populated with values.
- Enter your Azure tenant id, and Access token.
- Expand the Show advanced options section.
The Private connectivity information and Tags sections populate.
To enable a private endpoint connection, enter the Azure arc private link scope name.
- To add tags for your resources, click Add tag, and then enter required values.
- Review your selections, and then click Create to create the identity connector.
Database Multicloud Integrations
- Open the navigation menu. Click Oracle Database, then click Database Multicloud Integrations.
- Select Identity Connectors from the left navigation menu.
- From the Compartment drop-down list, select the compartment you are using.
- Once you select your compartment, the Identity connector name automatically populates a name.
By default, the identity connector type is selected as Azure.
- Select ARC agent as an identity mechanism.
- Select your compartment from the Choose an Exadata VM cluster compartment list, and then select your Exadata VM Cluster from the Choose an Exadata VM cluster list.
- Enter your Azure tenant id. The Azure subscription id and Azure resource group name fields populate values based on your Exadata VM Cluster selection.
- Enter an Access token.
- Expand the Show advanced options section. The Private connectivity information and Tags sections populate. These fields are optional.
- To add tags for your resources, click Add tag, and then enter required values.
- Review your selections, and then click Create.
View the details of an Identity Connector
To view the details of an identity connector, use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
- Click the name of the VM cluster of your choice.
- On the resulting VM Cluster Details page, in the Multicloud Information section, confirm that the Identity connector field displays the identity connector created previously.
- Click the name of the Identity Connector to view its details.
Enable or Disable the Azure Key Management
This step installs the required library on the VM cluster to support Azure Key Vault integration. Ensure that an identity connector is created before enabling Azure Key Management on the Exadata VM Cluster.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
- Click the name of the VM cluster of your choice.
- On the resulting VM Cluster Details page, in the Multicloud Information section, click the Enable link next to Azure key store.
- On the resulting Enable Azure key management dialog, click Enable to confirm the operation.
Confirming the action will install a library on your Exadata VM Cluster.
The status of Azure key store changes from Disabled to Enabled.
- To disable Azure key store, click the Disable link.
- On the resulting Disable Azure key management dialog, click Disable to confirm the operation.
Disabling the Azure key management removes the library installed during enablement, which will impact the availability of databases configured to use it.
Azure key management is configured at the VM cluster level, requiring all databases in the cluster to use the same key management solution. However, databases that use Oracle Wallet can coexist alongside those that use Azure Key Vault within the same cluster.
Create Azure Key Vault (Managed HSM, Premium, and Standard) and Assign Required Permissions
Create Azure Key Vault Managed HSM, Azure Key Vault Premium, or Azure Key Vault Standard, then assign the permission.
For more information, see Create a key vault using the Azure portal.
There are specific roles that must be assigned to the group to grant the necessary permissions for accessing and managing Azure Key Vault Managed HSM, Azure Key Vault Premium, and Azure Key Vault Standard resources.
- Create a group and add members.
Azure groups allow you to manage users by assigning them the same access and permissions to resources.
- To manage groups in Azure, you must have the User Administrator or Groups Administrator role. For more information, see Manage Microsoft Entra groups and group membership.
- You must create a security group and add members from the Microsoft Azure portal. You must select the Security option as your Group type. For more information, see Create a basic group and add members.
- Assign the following roles based on the type of Azure Key Vault:
- For Managed HSM:
- IAM: Reader
- Local RBAC: Managed HSM crypto officer + Managed HSM crypto user
- For Key Vault Premium and Standard
- IAM: Reader + Key Vault Crypto Officer
For detailed steps, refer to Assign Azure roles using the Azure portal.
Register Azure Key Vaults in the OCI console
This is an alternative way to register your Azure key vaults from the OCI console. If you have already registered your vault during the creation of a database in your existing Exadata VM Cluster, you can skip this step.
- From the OCI console, navigate to Database Multicloud Integrations, and then select Microsoft Azure Integration. From the Microsoft Azure Integration section, select Azure Key Vaults.
Note
At least one key must be created in the vault on the Azure portal for the registration to succeed.
- Select the Register Azure key vaults button.
- From the drop-down list, select your Compartment.
- From the Azure key vaults section, select an identity connector from the Discover Azure key vaults using connector list.
- Click Discover.
The list of Vault name(s) is displayed.
- Select the check box located next to Vault name.
- If you want to add tags for your resources, expand the Advanced options section, and then click Add tag.
- Click Register to register the vault(s) in OCI.
- Once you register the vault, you can view the Display name, State, Type, Azure resource group, and Created information of the vaults in the list.
- Select the vault you are using, and then click the Identity connector associations tab, which lists identity connector associations in the current compartment.
Note
A default association is automatically created between the vault and the Identity Connector used during the vault registration process. This allows the vault to be used on the Exadata VM cluster associated with that specific Identity Connector. If you want to use the same vault in other clusters that are registered with different Identity Connectors (i.e., not the one used during vault discovery), you must explicitly create an association between the vault and those additional Identity Connectors.
- Click Create association.
- From the drop-down list, select your Compartment, Azure key vault association name, and Identity connector.
- If you expand the Advanced options section, you can add Tags for organizing your resources.
- Review your selections, and then click Create.
To create a database in an existing VM Cluster
This topic covers creating your first or subsequent databases.
If IORM is enabled on the Exadata Cloud Infrastructure instance, then the default directive will apply to the new database and system performance might be impacted. Oracle recommends that you review the IORM settings and make applicable adjustments to the configuration after the new database is provisioned.
Before creating your first database and selecting Azure Key Vault for key management, ensure the following prerequisites are met:
- All network prerequisites outlined in the Network Requirements for Creating an Identity Connector and KMS Resources section are fulfilled
- The identity connector is created and available for use
- Azure key management is enabled at the VM cluster level
- The VM cluster has the necessary permissions to access the vaults
- The vaults are registered as OCI resources
- Virtual Machines Restriction: Scaling out a VM cluster does not automatically extend databases that use Azure Key Vault to the newly added virtual machine. To complete the extension, you must update the existing Identity Connector for the Exadata VM Cluster by supplying the Azure access token. After updating the Identity Connector, run the dbaascli database addInstance command to add the database instance to the new VM.
- Data Guard Restrictions:
- When creating a standby database for a primary that uses Azure Key Vault, ensure that the target VM cluster has an active Identity Connector, Azure key management is enabled, and the required association between the Identity Connector and the Key Vault is properly configured.
- Cross-region Data Guard and database restore operations are not supported for databases that use Azure Key Vault for key management.
- PDB Operations Restriction: Remote PDB operations—such as clone, refresh, and relocate—are supported only if both the source and destination databases use the same Transparent Data Encryption (TDE) key.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
- Navigate to the cloud VM cluster or DB system you want to create the database in:
Cloud VM clusters (The New Exadata Cloud Infrastructure Resource Model): Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters. In the list of VM clusters, find the VM cluster you want to access and click its highlighted name to view the details page for the cluster.
DB systems: Under Oracle Base Database, click DB Systems. In the list of DB systems, find the Exadata DB system you want to access, and then click its name to display details about it.
- Click Create Database.
- In the Create Database dialog, enter the following:
Note
You cannot modify the db_name, db_unique_name, and SID prefix after creating the database.
- Database name: The name for the database. The database name must meet the requirements:
  - Maximum of 8 characters
  - Contain only alphanumeric characters
  - Begin with an alphabetic character
  - Cannot be part of the first 8 characters of a DB_UNIQUE_NAME on the VM cluster
  - DO NOT use the following reserved names: grid, ASM
- Database unique name suffix: Optionally, specify a value for the DB_UNIQUE_NAME database parameter. The value is case insensitive. The unique name must meet the requirements:
  - Maximum of 30 characters
  - Contain only alphanumeric or underscore (_) characters
  - Begin with an alphabetic character
  - Unique across the VM cluster. Recommended to be unique across the tenancy.
  If not specified, the system automatically generates a unique name value, as follows: <db_name>_<3_chars_unique_string>_<region-name>
- Database version: The version of the database. You can mix database versions on the Exadata DB system.
- PDB name: (Optional) For Oracle Database 12c (12.1.0.2) and later, you can specify the name of the pluggable database. The PDB name must begin with an alphabetic character, and can contain a maximum of eight alphanumeric characters. The only special character permitted is the underscore ( _).
To avoid potential service name collisions when using Oracle Net Services to connect to the PDB, ensure that the PDB name is unique across the entire VM cluster. If you do not provide the name of the first PDB, then a system-generated name is used.
- Database Home: The Oracle Database Home for the database. Choose the applicable option:
- Select an existing Database Home: The Database Home display name field allows you to choose the Database Home from the existing homes for the database version you specified. If no Database Home with that version exists, you must create a new one.
- Create a new Database Home: Use this option to provision a new Database Home for your Data Guard peer database.
Click Change Database Image to use a desired Oracle-published image or a custom database software image that you have created in advance, then select an Image Type:
- Oracle Provided Database Software Images: Use the Display all available version switch to choose from all available PSUs and RUs. The most recent release for each major version is indicated with a latest label.
Note
For the Oracle Database major version releases available in Oracle Cloud Infrastructure, images are provided for the current version plus the three most recent older versions (N through N - 3). For example, if an instance is using Oracle Database 19c, and the latest version of 19c offered is 19.8.0.0.0, images available for provisioning are for versions 19.8.0.0.0, 19.7.0.0, 19.6.0.0 and 19.5.0.0.
- Custom Database Software Images: These images are created by your organization and contain customized configurations of software updates and patches. Use the Select a compartment, Select a region, and Select a Database version selectors to limit the list of custom database software images to a specific compartment, region, or Oracle Database software major release version.
Region filter defaults to the currently connected region and lists all the software images created in that region. When you choose a different region, the software image list is refreshed to display the software images created in the selected region.
- Create administrator credentials: (Read only) A database administrator SYS user will be created with the password you supply.
  - Username: SYS
  - Password: Supply the password for this user. The password must meet the following criteria: a strong password for SYS, SYSTEM, TDE wallet, and PDB Admin. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two numeric, and two special characters. The special characters must be _, #, or -. The password must not contain the username (SYS, SYSTEM, and so on) or the word "oracle" either in forward or reversed order and regardless of casing.
  - Confirm password: Re-enter the SYS password you specified.
  - Using a TDE wallet password is optional. If you are using customer-managed encryption keys stored in a vault in your tenancy, the TDE wallet password is not applicable to your DB system. Use Show Advanced Options at the end of the Create Database dialog to configure customer-managed keys.
  If you are using customer-managed keys, or if you want to specify a different TDE wallet password, uncheck the Use the administrator password for the TDE wallet box. If you are using customer-managed keys, leave the TDE password fields blank. To set the TDE wallet password manually, enter a password in the Enter TDE wallet password field, and then confirm by entering it into the Confirm TDE wallet password field.
- Configure database backups: Specify the settings for backing up the database to Autonomous Recovery Service or Object Storage:
- Enable automatic backup: Check the check box to enable automatic incremental backups for this database. If you are creating a database in a security zone compartment, you must enable automatic backups.
- Backup Destination: Your choices are Autonomous Recovery Service or Object Storage.
- Backup Scheduling:
- Object Storage (L0):
- Full backup scheduling day: Choose a day of the week for the initial and future L0 backups to start.
- Full backup scheduling time (UTC): Specify the time window when the full backups start when the automatic backup capability is selected.
- Take the first backup immediately: A full backup is an operating system backup of all datafiles and the control file that constitute an Oracle Database. A full backup should also include the parameter file(s) associated with the database. You can take a full database backup when the database is shut down or while the database is open. You should not normally take a full backup after an instance failure or other unusual circumstances.
If you choose to defer the first full backup your database may not be recoverable in the event of a database failure.
- Object Storage (L1):
- Incremental backup scheduling time (UTC): Specify the time window when the incremental backups start when the automatic backup capability is selected.
- Autonomous Recovery Service (L0):
- Scheduled day for initial backup: Choose a day of the week for the initial backup.
- Scheduled time for initial backup (UTC): Select the time window for the initial backup.
- Take the first backup immediately: A full backup is an operating system backup of all datafiles and the control file that constitute an Oracle Database. A full backup should also include the parameter file(s) associated with the database. You can take a full database backup when the database is shut down or while the database is open. You should not normally take a full backup after an instance failure or other unusual circumstances.
If you choose to defer the first full backup your database may not be recoverable in the event of a database failure.
- Autonomous Recovery Service (L1):
- Scheduled time for daily backup (UTC): Specify the time window when the incremental backups start when the automatic backup capability is selected.
- Deletion options after database termination: Options that you can use to retain protected database backups after the database is terminated. These options can also help restore the database from backups in case of accidental or malicious damage to the database.
- Retain backups for the period specified in your protection policy or backup retention period: Select this option if you want to retain database backups for the entire period defined in the Object Storage Backup retention period or Autonomous Recovery Service protection policy after the database is terminated.
- Retain backups for 72 hours, then delete: Select this option to retain backups for a period of 72 hours after you terminate the database.
- Backup Retention Period/Protection Policy: If you choose to enable automatic backups, you can choose a policy with one of the following preset retention periods, or a Custom policy.
Object Storage Backup retention period: 7, 15, 30, 45, 60. Default: 30 days. The system automatically deletes your incremental backups at the end of your chosen retention period.
Autonomous Recovery Service protection policy:
- Bronze: 14 days
- Silver: 35 days
- Gold: 65 days
- Platinum: 95 days
- Custom defined by you
- Default: Silver - 35 days
- Enable Real-Time Data Protection: Real-time protection is the continuous transfer of redo changes from a protected database to Autonomous Recovery Service. This reduces data loss and provides a recovery point objective (RPO) near 0. This is an extra cost option.
- Click Show Advanced Options to specify advanced options for the database:
- Management:
Oracle SID prefix: The Oracle Database instance number is automatically added to the SID prefix to create the INSTANCE_NAME database parameter. The INSTANCE_NAME parameter is also known as the SID. The SID is unique across the cloud VM Cluster. If not specified, the SID prefix defaults to the db_name.
Note
Entering an SID prefix is only available for Oracle 12.1 databases and above.
The SID prefix must meet the requirements:
- Maximum of 12 characters
- Contain only alphanumeric characters. You can, however, use underscore (_), which is the only special character that is not restricted by this naming convention.
- Begin with an alphabetic character
- Unique in the VM cluster
- DO NOT use the following reserved names: grid, ASM
- Character set: The character set for the database. The default is AL32UTF8.
- National character set: The national character set for the database. The default is AL16UTF16.
- Encryption:
If you are creating a database in an Exadata Cloud Service VM Cluster, then you can choose to use encryption based on encryption keys that you manage. By default, the database is configured using Oracle-managed encryption keys.
- To configure the database with encryption based on encryption keys you manage:
Note
If Azure key management is disabled at the VM cluster level, you will have three key management options: Oracle Wallet, OCI Vault, and Oracle Key Vault.
- OCI Vault:
- You must have a valid encryption key in the Oracle Cloud Infrastructure Vault service. See Let security admins manage vaults, keys, and secrets.
Note
You must use AES-256 encryption keys for your database.
- Choose a Vault.
- Select a Master encryption key.
- To specify a key version other than the latest version of the selected key, check Choose the key version and enter the OCID of the key version you want to use in the Key version OCID field.
Note
The key version will only be assigned to the container database (CDB), and not to its pluggable database (PDB). The PDB will be assigned an automatically generated new key version.
- Oracle Key Vault: Choose a compartment and select a key store from the chosen compartment.
- To create a database using Azure Key Vault as the key management solution:
Note
If Azure key management is enabled at the VM cluster level, you will have two key management options: Oracle Wallet and Azure Key Vault.
- Select Azure Key Vault as your Key Management type.
- Select the Vault available in your compartment.
Note
The Vault list populates only registered vaults. Click the Register new vaults link to register your vault. From the Register Azure key vaults page, select your vault, and then click Register.
Note
At least one key must be registered in your vaults.
- Select the Key available in your compartment.
- Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags . If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
- Click Create Database.
You can now:
- Create or delete a CDB while a Data Guard setup is running on another database within the same Oracle home, and vice versa.
- Create or delete a CDB while concurrently performing Data Guard actions (switchover, failover, and reinstate) within the same Oracle home, and vice versa.
- Create or delete a CDB while concurrently creating or deleting a PDB within the same Oracle home, and vice versa.
- Create or delete a CDB concurrently within the same Oracle home.
- Create or delete a CDB while simultaneously updating VM Cluster tags.
After database creation is complete, the status changes from Provisioning to Available, and on the database details page for the new database, the Encryption section displays the encryption key name and the encryption key OCID.
WARNING:
Do not delete the encryption key from the vault. This causes any database protected by the key to become unavailable.
Change the Key Management from Oracle Wallet to Azure Key Vault
Learn to change encryption keys between different encryption methods.
- Navigate to your existing Exadata VM Cluster in the OCI console. Select the Databases tab, and then select the database resource that you are using.
- Select the Database information tab, and then scroll down to the Encryption section.
- In the Encryption section, verify that Key management is set to Oracle Wallet, and then select the Change link.
- Enter the following information on the Change key management page:
- Select Azure Key Vault as the Key management type from the drop-down list.
- Select the Vault compartment that you are using, and then select your Vault that is available in that compartment.
- Select the Key compartment that you are using, and then select your Key from the drop-down list.
- Click Save changes.
Changing key management from Azure Key Vault back to Oracle Wallet cannot be performed using the API or the OCI Console; it is only supported through the dbaascli tde hsmToFile command (fileToHsm is the wallet-to-HSM direction). Additionally, switching between Azure Key Vault and OCI Vault or Oracle Key Vault (OKV) is not supported.
Rotate the Keys Managed by Azure Key Vault for a Container Database
To rotate the Azure key vault encryption key of a container database (CDB), use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM Clusters, click the name of the VM cluster that contains the database whose encryption keys you want to rotate.
- Click Databases.
- Click the name of the database whose encryption keys you want to rotate.
The Database Details page displays information about the selected database.
- In the Encryption section, verify that the Key Management is set to Azure Key Vault, and then click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
Key rotation must be performed through the OCI interface. Rotating the key directly from the Azure interface has no effect on the database.
Rotate the Keys Managed by Azure Key Vault for a Pluggable Database
To rotate the Azure key vault encryption key of a pluggable database (PDB), use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM clusters, click the name of the VM cluster that contains the PDB whose encryption keys you want to rotate, to display its details page.
- Under Databases, find the database that contains the PDB.
- Click the name of the database to view the Database Details page.
- Click Pluggable Databases in the Resources section of the page.
A list of existing PDBs in this database is displayed.
- Click the name of the PDB whose encryption keys you want to rotate.
The Pluggable Database Details page is displayed.
- In the Encryption section, verify that Key management is set to Azure Key Vault.
- Click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
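Because a rotation performed in the Azure portal has no effect on the database, and because switching from Oracle Wallet to Azure Key Vault must actually leave the database on an external keystore, it pays to confirm the result from inside the database rather than trusting the console. The queries below are an added example, not part of the Oracle page; they use the standard V$ENCRYPTION_WALLET and V$ENCRYPTION_KEYS views and are meant to be run as SYSDBA in the CDB root so that every container's CON_ID is visible. The expectation that an Azure Key Vault backed database reports WRL_TYPE = 'HSM', and that a console rotation shows up as a new KEY_ID with a later ACTIVATION_TIME, are assumptions to confirm in your own environment.

```sql
-- Added example: verify TDE key management state after changing to Azure Key
-- Vault or after rotating a CDB or PDB key. Run as SYSDBA in the CDB root.

-- 1. Keystore type per container.
--    WRL_TYPE 'FILE' = Oracle wallet on disk; 'HSM' = external key manager
--    (assumed value after the switch to Azure Key Vault; confirm locally).
--    STATUS should be OPEN, never OPEN_NO_MASTER_KEY.
SELECT con_id, wrl_type, wallet_type, status
  FROM v$encryption_wallet
 ORDER BY con_id, wrl_type;

-- 2. The currently active master encryption key per container, i.e. the key
--    with the most recent ACTIVATION_TIME. A rotation from the OCI console
--    should produce a new KEY_ID here, activated after the rotation time;
--    a rotation done only in the Azure portal leaves this row unchanged.
SELECT con_id,
       key_id,
       creation_time,
       activation_time,
       keystore_type,
       origin
  FROM v$encryption_keys k
 WHERE activation_time = (SELECT MAX(activation_time)
                            FROM v$encryption_keys
                           WHERE con_id = k.con_id)
 ORDER BY con_id;

-- 3. Rotation history per container: how many key versions exist and when
--    the last one was activated, for comparison against your rotation policy.
SELECT con_id,
       COUNT(*)             AS key_versions,
       MAX(activation_time) AS last_rotation
  FROM v$encryption_keys
 GROUP BY con_id
 ORDER BY con_id;
```

Run query 2 before and after a rotation and keep the two KEY_ID values with the change record; if the value did not change, the rotation did not reach the database. Because the PDB receives its own automatically generated key version (see the CDB creation notes above), expect the CON_ID for each PDB to show a different KEY_ID from the root.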
Using the API to Manage Azure Key Vault Integration for Exadata Database Service on Oracle Database@Azure
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
Use these API operations to manage Azure Key Vault integration for Exadata Database Service on Oracle Database@Azure.
Table 5-10 API operation to manage Azure Key Vault integration for Exadata Database Service on Oracle Database@Azure
| API | Description |
|---|---|
| createOracleDbAzureConnector | Captures Azure-specific details from the customer and automates the installation of the Arc agent on the ExaDB-D VM Cluster. |
| deleteOracleDbAzureConnector | Deletes the Azure Connector resource and uninstalls the Arc agent from the ExaDB-D VM Cluster. |
| getOracleDbAzureConnector | Fetches the details of a specific Azure Connector resource. |
| listOracleDbAzureConnectors | Lists Azure Connector resources based on the specified filters. |
| CreateMultiCloudResourceDiscovery | Creates a new multi-cloud resource discovery resource. |
| GetMultiCloudResourceDiscovery | Retrieves details of a specific multi-cloud resource discovery resource. |
| ListMultiCloudResourceDiscoveries | Retrieves a list of all multi-cloud resource discovery resources. |
| CreateOracleDbAzureVaultAssociation | Creates a new association between an Oracle DB and an Azure vault. |
| GetOracleDbAzureVaultAssociation | Retrieves details of a specific Oracle DB Azure vault association. |
| ListOracleDbAzureVaultAssociations | Retrieves a list of all Oracle DB Azure vault associations. |
| CreateCloudVMCluster | Creates a cloud VM cluster. |
| GetCloudVmCluster | Gets information about the specified cloud VM cluster. Applies to Exadata Cloud Service instances and Autonomous Database on dedicated Exadata infrastructure only. |
| ListCloudVmClusters | Gets a list of the cloud VM clusters in the specified compartment. Applies to Exadata Cloud Service instances and Autonomous Database on dedicated Exadata infrastructure only. |
| DeleteCloudVMCluster | Deletes the specified cloud VM cluster. Applies to Exadata Cloud Service instances and Autonomous Database on dedicated Exadata infrastructure only. |
| CreateDatabase | Creates a new database in the specified Database Home. If the database version is provided, it must match the version of the Database Home. Applies to Exadata and Exadata Cloud@Customer systems. |
| CreateDatabaseFromBackup | Creates a database by restoring from a database backup. Warning: Oracle recommends that you avoid using any confidential information when you supply string values using the API. |
| MigrateVaultKey | Changes encryption key management from customer-managed, using the Vault service, to Oracle-managed. |
| RotateVaultKey | Creates a new version of an existing Vault service key. |
| RestoreDatabase | Restores a database based on the request parameters you provide. |