Google Cloud Key Management Integration for Exadata Database Service on Oracle Database@Google Cloud

To create your ASM VM cluster, be prepared to provide values for the fields required for configuring the infrastructure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure
2. Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
   Note
   
   

   Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure.

3. Click Create Exadata VM Cluster.

   The Create Exadata VM Cluster page is displayed. Provide the required information to configure the VM cluster.

4. Compartment: Select a compartment for the VM cluster resource.
5. Display name: Enter a user-friendly display name for the VM cluster. The name doesn't need to be unique. An Oracle Cloud Identifier (OCID) will uniquely identify the VM cluster. Avoid entering confidential information.
6. Select Exadata infrastructure: Select the infrastructure resource that will contain the VM cluster. You must choose an infrastructure resource that has enough resources to create a new VM cluster. Click Change Compartment and pick a different compartment from the one you are working in to view infrastructure resources in other compartments.
   Note
   
   

   Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure.

7. VM Cluster Type:
   Note
   
   

   You cannot change the VM cluster type after deploying the VM cluster. If you wish to change the VM cluster type, you must create a new VM cluster and migrate the database to the new cluster.

   • Exadata Database: Standard Database VM with no restrictions, suitable for all workloads.
   • Exadata Database-Developer: Developer Database VM with restrictions, suitable for application development only.
8. Configure the VM cluster: Specify the DB servers to used for new VM cluster (by default all DB Servers are selected). Click Select DB Servers to select from the available DB servers, and then click Save.

   VM Cluster Type - Exadata Database: Select a minimum of one database server for VM placement. If you require a high availability database service that remains available during maintenance and unplanned outages, select at least two database servers. Maximum resources available for allocation per VM are based on the number of database servers selected.

   VM Cluster Type - Exadata Database-Developer: Select one database server for VM placement. Only one database server may be selected.

   In the Resource allocation per VM pane:

   • Specify the number of OCPU/ECPU you want to allocate to each of the VM cluster's virtual machine compute nodes. For VM clusters created on X11M Exadata infrastructure specify ECPUs. For VM Clusters created on X10M and earlier Exadata infrastructure, specify OCPUs. The minimum is 2 OCPU per VM for X10M and earlier infrastructure or 8 ECPUs per VM for VM clusters created on X11M Exadata infrastructure. The read-only Requested OCPU count for the Exadata VM cluster field displays the total number of OCPU or ECPU cores you are allocating.
   • Specify the Memory per VM to allocate to each VM. The minimum per VM is 30 GB.
   • Specify the Local Storage per VM to allocate local storage to each VM. The minimum per VM is 60 GB.

     Each time when you create a new VM cluster, the space remaining out of the total available space is utilized for the new VM cluster.

     In addition to /u02, you can specify the size of additional local file systems.

     For more information and instructions to specify the size for each individual VM, see Introduction to Scale Up or Scale Down Operations.

     • Click Show additional local file systems configuration options.
     • Specify the size of /, /u01, /tmp, /var, /var/log, /var/log/audit, and /home file systems as needed.
       Note
       
       

       • You can only expand these file systems and cannot reduce the size once expanded.
       • Due to backup partitions and mirroring, the / and /var file systems will consume twice the space they were allocated, which is indicated in the read-only Total allocated storage for / (GB) due to mirroring and Total allocated storage for /tmp (GB) due to mirroring fields.
     • After creating the VM Cluster, check the Exadata Resources section on the Exadata Infrastructure Details page to check the file size allocated to the local storage (/u02) and local storage (additional file systems).
9. Exadata storage:
   • Specify the usable Exadata storage TB. Specify the storage in multiples of 1 TB. Minimum: 2 TB
   • Allocate storage for Exadata sparse snapshots: Select this configuration option if you intend to use snapshot functionality within your VM cluster. If you select this option, the SPARSE disk group is created, which enables you to use VM cluster snapshot functionality for PDB sparse cloning. If you do not select this option, the SPARSE disk group is not created and snapshot functionality will not be available on any database deployments that are created in the environment.
     Note
     
     

     The storage configuration option for sparse snapshots cannot be changed after VM cluster creation.

   • Allocate storage for local backups: Select this option if you intend to perform database backups to the local Exadata storage within your Exadata Cloud Infrastructure instance. If you select this option, more space is allocated to the RECO disk group, which is used to store backups on Exadata storage. If you do not select this option, more space is allocated to the DATA disk group, which enables you to store more information in your databases.
     Note
     
     

     The storage configuration option for local backups cannot be changed after VM cluster creation.

10. Version:
    • Oracle Grid Infrastructure version: From the list, choose the Oracle Grid Infrastructure release (19c and 23ai) that you want to install on the VM cluster.

      The Oracle Grid Infrastructure release determines the Oracle Database releases that can be supported on the VM cluster. You cannot run an Oracle Database release that is later than the Oracle Grid Infrastructure software release.

      Note
      
      

      Minimum requirements for provisioning a VM Cluster with Grid Infrastructure 23ai:

      • Exadata Guest VM running Exadata System Software 23.1.8
      • Exadata Infrastructure running Exadata System Software 23.1.x
    • Exadata guest version:
      • Exadata infrastructure with Oracle Linux 7 and Exadata image version 22.1.10.0.0.230422:
        • The Change image button is not enabled.
        • The Oracle Grid Infrastructure version defaults to 19.0.0.0.0.
        • The Exadata guest version will be the same as that of the host OS.
      • Exadata infrastructure with Oracle Linux 8 and Exadata image version 23.1.3.0.0.230613:
        • The Exadata guest version defaults to the latest (23.1.3.0).
        • The Oracle Grid Infrastructure version defaults to 19.0.0.0.0
        • The Change image button is enabled.
        • Click Change image.

          The resulting Change image panel displays the list of available major versions of Exadata image (23.1.3.0 and 22.1.3.0).

          The most recent release for each major version is indicated by "(latest)".

        • Slide Display all available versions.

          Six past versions including the latest versions of Exadata images 23.1.3.0 and 22.1.3.0 are displayed.

        • Choose a version.
        • Click Save Changes.
11. SSH Keys: Add the public key portion of each key pair you want to use for SSH access to the VM cluster:
    • Generate SSH key pair (Default option) Select this radio button to generate an SSH keypair. Then in the dialog below click Save private key to download the key, and optionally click Save public key to download the key.
    • Upload SSH key files: Select this radio button to browse or drag and drop .pub files.
    • Paste SSH keys: Select this radio button to paste in individual public keys. To paste multiple keys, click + Another SSH Key, and supply a single key for each entry.
12. Network settings: Specify the following:
    Note
    
    

    IP addresses (100.64.0.0/10) are used for Exadata Cloud Infrastructure X8M interconnect

    .

    You do not have the option to choose between IPv4 (single stack) and IPv4/IPv6 (dual stack) if both configurations exist. For more information, see VCN and Subnet Management.

    • Virtual cloud network: The VCN in which you want to create the VM cluster. Click Change Compartment to select a VCN in a different compartment.
    • Client subnet: The subnet to which the VM cluster should attach. Click Change Compartment to select a subnet in a different compartment.

      Do not use a subnet that overlaps with 192.168.16.16/28, which is used by the Oracle Clusterware private interconnect on the database instance. Specifying an overlapping subnet causes the private interconnect to malfunction.

    • Backup subnet: The subnet to use for the backup network, which is typically used to transport backup information to and from the Backup Destination, and for Data Guard replication. Click Change Compartment to select a subnet in a different compartment, if applicable.

      Do not use a subnet that overlaps with 192.168.128.0/20. This restriction applies to both the client subnet and backup subnet.

      If you plan to back up databases to Object Storage or Autonomous Recovery service, see the network prerequisites in Managing Exadata Database Backups.

      Note
      
      

      In case Autonomous Recovery Service is used, a new dedicated subnet is highly recommended. Review the network requirements and configurations required to backup your Oracle Cloud databases to Recovery Service. See, Configuring Network Resources for Recovery Service.

    • Network Security Groups: Optionally, you can specify one or more network security groups (NSGs) for both the client and backup networks. NSGs function as virtual firewalls, allowing you to apply a set of ingress and egress security rules to your Exadata Cloud Infrastructure VM cluster. A maximum of five NSGs can be specified. For more information, see Network Security Groups and Network Setup for Exadata Cloud Infrastructure Instances.

      Note that if you choose a subnet with a security list, the security rules for the VM cluster will be a union of the rules in the security list and the NSGs.

      To use network security groups:

      • Check the Use network security groups to control traffic check box. This box appears under both the selector for the client subnet and the backup subnet. You can apply NSGs to either the client or the backup network, or to both networks. Note that you must have a virtual cloud network selected to be able to assign NSGs to a network.
      • Specify the NSG to use with the network. You might need to use more than one NSG. If you're not sure, contact your network administrator.
      • To use additional NSGs with the network, click +;Another Network Security Group.
      Note
      
      

      To provide your cloud VM Cluster resources with additional security, you can use Oracle Cloud Infrastructure Zero Trust Packet Routing to ensure that only resources identified with security attributes have network permissions to access your resources. Oracle provides Database policy templates that you can use to assist you with creating policies for common database security use cases. To configure it now, you must already have created security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. Click Show Advanced Options at the end of this procedure.

      Be aware that when you provide security attributes for a cluster, as soon as it is applied, all resources require a Zero Trust Packet policy to access the cluster. If there is a security attribute on an endpoint, then it must satisfy both network security group (NSG) and Oracle Cloud Infrastructure Zero Trust Packet Routing policy (OCI ZPR) rules.

    • To use private DNS Service
      Note
      
      

      A Private DNS must be configured before it can be selected. See Configure Private DNS

      • Check the Use private DNS Service check box.
      • Select a private view. Click Change Compartment to select a private view in a different compartment.
      • Select a private zone. Click Change Compartment to select a private zone in a different compartment.
    • Hostname prefix: Your choice of hostname for the Exadata VM cluster. The host name must begin with an alphabetic character and can contain only alphanumeric characters and hyphens (-). The maximum number of characters allowed for an Exadata VM cluster is 12.

      Caution:

      The hostname must be unique within the subnet. If it is not unique, the VM cluster will fail to provision.

    • Host domain name: The domain name for the VM cluster. If the selected subnet uses the Oracle-provided Internet and VCN Resolver for DNS name resolution, this field displays the domain name for the subnet and it can't be changed. Otherwise, you can provide your choice of the domain name. Hyphens (-) are not permitted.

      If you plan to store database backups in Object Storage or Autonomous Recovery service, Oracle recommends that you use a VCN Resolver for DNS name resolution for the client subnet because it automatically resolves the Swift endpoints used for backups.

    • Host and domain URL: This read-only field combines the host and domain names to display the fully qualified domain name (FQDN) for the database. The maximum length is 63 characters.
13. Choose a license type: The type of license you want to use for the VM cluster. Your choice affects metering for billing.
    • License Included means the cost of the cloud service includes a license for the Database service.
    • Bring Your Own License (BYOL) means you are an Oracle Database customer with an Unlimited License Agreement or Non-Unlimited License Agreement and want to use your license with Oracle Cloud Infrastructure. This removes the need for separate on-premises licenses and cloud licenses.
14. Diagnostics Collection: By enabling diagnostics collection and notifications, Oracle Cloud Operations and you will be able to identify, investigate, track, and resolve guest VM issues quickly and effectively. Subscribe to Events to get notified about resource state changes.
    Note
    
    

    You are opting in with the understanding that the above list of events (or metrics, log files) can change in the future. You can opt out of this feature at any time

    .
    • Enable Diagnostic Events: Allow Oracle to collect and publish critical, warning, error, and information events to me.
    • Enable Health Monitoring: Allow Oracle to collect health metrics/events such as Oracle Database up/down, disk space usage, and so on, and share them with Oracle Cloud operations. You will also receive notification of some events.
    • Enable Incident Logs and Trace Collection: Allow Oracle to collect incident logs and traces to enable fault diagnosis and issue resolution.
    Note
    
    

    You are opting in with the understanding that the above list of events (or metrics, log files) can change in the future. You can opt-out of this feature at any time.

    All three checkboxes are selected by default. You can leave the default settings as is or clear the check boxes as needed. You can view the Diagnostic Collection settings on the VM Cluster Details page under General Information >> Diagnostics Collection.

    • Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files (all three options).
    • Disabled: When you choose not to collect diagnostics, health metrics, incident logs, and trace files (all three options).
    • Partially Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files ( one or two options).
15. Click Show Advanced Options to specify advanced options for the VM cluster:

    • Time zone: This option is located in the Management tab. The default time zone for the VM cluster is UTC, but you can specify a different time zone. The time zone options are those supported in both the Java.util.TimeZone class and the Oracle Linux operating system.

      Note
      
      

      If you want to set a time zone other than UTC or the browser-detected time zone, and if you do not see the time zone you want, try selecting the Select another time zone, option, then selecting "Miscellaneous" in the Region or country list and searching the additional Time zone selections.

    • SCAN Listener Port: This option is located in the Network tab. You can assign a SCAN listener port (TCP/IP) in the range between 1024 and 8999. The default is 1521.
      Note
      
      Manually changing the SCAN listener port of a VM cluster after provisioning using the backend software is not supported. This change can cause Data Guard provisioning to fail.
    • Zero Trust Packet Routing (ZPR): This option is located in the Security attributes tab. Select a namespace, and provide the key and value for the security attribute. To complete this step during configuration, you must already have set up security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. You can also add security attributes after configuration, and add them later. For more information about adding Oracle Exadata Database Service on Dedicated Infrastructure specific policies, see Policy Template Builder.
    • Cloud Automation Update: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. You can configure your preferred time window for these updates to be applied to your VM Cluster.

      Set the start time for cloud automation updates.

      Note
      
      

      Oracle will check for latest VM Cloud Automation updates every day between the configured time window and apply updates when applicable. If automation is unable to start applying updates within the configured time window due to some underlying long running process, Oracle will automatically check the following day during the configured time window to start applying cloud automation updates to the VM Cluster.

      Enable early access for cloud tools update: VM clusters designated for early access receive updates 1-2 weeks before they are available to other systems. Check this check box if you want early adoption for this VM cluster.

      Cloud Automation Update Freeze Period: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. Enable a freeze period to define a time window during which Oracle automation will not apply cloud updates.

      Move the slider to set the freeze period.

      Note
      
      

      • The freeze period can extend for a maximum of 45 days from the start date.
      • Oracle automation will automatically apply updates with critical security fixes (CVSS >= 9) even during a configured freeze period.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
16. Click Create.

To view the details of an identity connector attached to a VM cluster, use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
3. Click the name of the VM cluster of your choice.
4. On the resulting VM Cluster Details page, in the Multicloud Information section, confirm that the Identity connector field displays the identity connector attached to this VM cluster.
5. Click the name of the Identity Connector to view its details.

   You will be redirected to the Database Multicloud Integrations portal.

To create a key ring, use this procedure.

1. Open the Google Cloud Console, navigate to the Key Management page.
2. Click Create key ring.
3. Provide the following details:
   • Name: Enter a descriptive name for the key ring.
   • Location: Select a location for your key ring.

     Important:

     • Key rings with the same name can exist in different locations, so you must always specify the location.
     • Choose a location close to the resources you want to protect.
     • For Customer Managed Encryption Keys, ensure the key ring is in the same location as the resources that will use it.

     Choosing a location for your Key Ring:

     When creating a key ring in Google Cloud Key Management Service (KMS), selecting the right location is crucial. Your choice affects where your cryptographic keys are stored and how they're replicated. For more information, see Cloud KMS locations.

     • Region:
       • Data is stored in a specific geographic region.
       • Keys remain within the boundaries of this single region.
       • Ideal for:
         • Low-latency applications
         • Compliance with data residency requirements
         • Region-specific workloads
     • Multi-region:
       • Data is replicated across multiple regions within a larger geographical area.
       • Google manages distribution and replication automatically.
       • You cannot select individual data centers or regions.
       • Ideal for:
         • High availability
         • Resilient, fault-tolerant applications
         • Services serving a wide regional area
     • Global:
       • A special type of multi-region.
       • Keys are distributed across Google data centers worldwide.
       • Location selection and control are not available.
       • Ideal for:
         • Applications with global users
         • Use cases needing maximum redundancy and reach
4. Click Create.

Once the key ring is created, you can begin creating and managing encryption keys within it.

To create a raw symmetric encryption key in the specified key ring and location, use this procedure.

1. Open the Google Cloud Console, navigate to the Key Management page.
2. Click the name of the key ring where you want to create the key.
3. Click Create key.
4. Provide the following details:
   • Key name: Enter a descriptive name for your key.
   • Protection level: Choose Software or HSM (Hardware Security Module).

     The protection level of a key can't be changed after the key is created. For more information, see Protection levels.

   • Key material: Select Generate key or Import key.

     Generate key material in Cloud KMS or import key material that is maintained outside of Google Cloud. For more information, see Customer-managed encryption keys (CMEK).

   • Purpose and Algorithm:

     For more information, see Key purposes and algorithms.

     • Set Purpose to Raw encryption/decryption.
     • For Algorithm, select AES-256-CBC.
5. Click Create.

After creation, you can use this key for cryptographic operations that require AES-CBC encryption and decryption.

To allow a key to be discoverable in Oracle Cloud Infrastructure (OCI), use this procedure.

1. In Google Cloud KMS, select the key you want to make discoverable.
2. Navigate to the Permissions tab and click Add principal.
3. In the New principals field, enter the service account associated with your Workload Resource Service Agent.
   Note
   
   

   You can find this service account on the Identity Connector details page, under the GCP Information section. Look for the Workload resource service agent and note its ID — this is the required service account.

4. Under Assign roles, add a role of your choice.
   Note
   
   

   Create a custom role with the following minimum permissions and assign it to the key ring of your choice.

   These permissions together allow OCI to:

   • Discover KMS resources like key rings and keys.
   • Access metadata about keys and their versions.
   • Use the keys for cryptographic operations (encryption/decryption).
   • Create key versions.

   Minimum Required Permissions:

   • cloudkms.cryptoKeyVersions.get

     Allows retrieval of metadata for a specific key version.

   • cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

     Enables management of raw AES-CBC key material (import, rotation, etc.).

   • cloudkms.cryptoKeyVersions.create

     Allows creation of new key versions within a key.

   • cloudkms.cryptoKeyVersions.list

     Lists all versions of a given key.

   • cloudkms.cryptoKeyVersions.useToDecrypt

     Grants permission to use a key version for decrypting data.

   • cloudkms.cryptoKeyVersions.useToEncrypt

     Grants permission to use a key version for encrypting data.

   • cloudkms.cryptoKeys.get

     Allows retrieval of metadata for a key.

   • cloudkms.cryptoKeys.list

     Lists all keys within a key ring.

   • cloudkms.keyRings.get

     Allows retrieval of metadata for a key ring.

   • cloudkms.locations.get

     Retrieves information about supported key locations.

5. Click Save to apply the changes.
6. Click Refresh to confirm that the updated permissions have taken effect.

To enable Google Cloud Customer Managed Encryption Keys (CMEK) for your VM cluster, you must first register the GCP Key Ring in OCI.

1. In the Database Multicloud Integrations portal, navigate to: Google Cloud Integration > GCP Key Rings.
2. Click GCP Key Ring,
3. Click Register GCP key rings
4. On the resulting Register GCP key rings page, provide the following details:
   • Compartment: Select the compartment where the VM cluster resides.
   • Identity Connector: Choose the Identity Connector attached to the VM cluster.
   • Key Ring: Enter the name of the GCP key ring to register.

     To discover all available key rings through a single identity connector, you must grant the following permissions to that identity connector. These permissions should be assigned at the appropriate project or folder level to ensure the connector can access all key rings across the intended scope.

     • cloudkms.keyRings.list

       Allows listing all key rings within a project.

     • cloudkms.locations.get

       Allows retrieving metadata for a specific key ring.

5. Click Discover to verify if the key ring exists in GCP.

   If successful, the key ring’s details will be displayed.

   Note
   
   

   Only key rings can be registered — not individual keys. All supported keys associated with a registered key ring will be available, provided the required permissions are in place.

6. Click Register.

To enable GCP CMEK for your Exadata VM Cluster, use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
3. Select the name of the VM cluster you want to configure.
4. On the VM Cluster Details page, scroll to the Multicloud Information section and click Enable next to GCP CMEK.
5. To disable GCP CMEK, click Disable.

This topic describes only the steps for creating a database and using GCP Customer-managed encryption key (CMEK) as the key management solution.

For the generic database creation procedure, see To create a database in an existing VM Cluster.

To change encryption keys between different encryption methods, use this procedure.

1. Navigate to your database details page in the OCI console.
2. In the Encryption section, verify that Key management is set to Oracle Wallet, and then click the Change link.
3. Enter the following information on the Change key management page.
   1. Select your Key management as GCP Customer Managed Encryption Key from the drop-down list.
   2. Select the compartment you are using, and then choose the Key Ring available in that compartment.
   3. Next, select the Key compartment you are using, and then choose the desired Key from the drop-down list.
   4. Click Save changes.

To rotate the GCP Customer Managed Encryption Key of a container database (CDB), use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Choose your Compartment.

   A list of VM Clusters is displayed for the chosen Compartment.

3. In the list of VM Clusters, click the name of the VM cluster that contains the database that you want to rotate encryption keys.
4. Click Databases.
5. Click the name of the database that you want to rotate encryption keys.

   The Database Details page displays information about the selected database.

6. In the Encryption section, verify that the Key Management is set to GCP Customer Managed Encryption Key, and then click the Rotate link.
7. On the resulting Rotate Key dialog, click Rotate to confirm the action.

To rotate the GCP Customer Managed Encryption Key of a pluggable database (PDB), use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Choose your Compartment.

   A list of VM Clusters is displayed for the chosen Compartment.

3. In the list of VM clusters, click the name of the VM cluster that contains the PDB you want to start, and then click its name to display the details page.
4. Under Databases, find the database containing the PDB you want to rotate encryption keys.
5. Click the name of the database to view the Database Details page.
6. Click Pluggable Databases in the Resources section of the page.

   A list of existing PDBs in this database is displayed.

7. Click the name of the PDB that you want to rotate encryption keys.

   The pluggable details page is displayed.

8. In the Encryption section displays that the Key management is set as GCP Customer Managed Encryption Key.
9. Click the Rotate link.
10. On the resulting Rotate Key dialog, click Rotate to confirm the action.