Create a VM cluster in an Exadata Cloud Infrastructure instance.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure
2. Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
   Note
   
   Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure.
3. Click Create Exadata VM Cluster.

   The Create Exadata VM Cluster page is displayed. Provide the required information to configure the VM cluster.

4. Compartment: Select a compartment for the VM cluster resource.
5. Display name: Enter a user-friendly display name for the VM cluster. The name doesn't need to be unique. An Oracle Cloud Identifier (OCID) will uniquely identify the VM cluster. Avoid entering confidential information.
6. Select Exadata infrastructure: Select the infrastructure resource that will contain the VM cluster. You must choose an infrastructure resource that has enough resources to create a new VM cluster. Click Change Compartment and pick a different compartment from the one you are working in to view infrastructure resources in other compartments.
   Note
   
   Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure
7. Choose the Oracle Grid Infrastructure version: From the list, choose the Oracle Grid Infrastructure release (19c and 23ai) that you want to install on the VM cluster.

   The Oracle Grid Infrastructure release determines the Oracle Database releases that can be supported on the VM cluster. You cannot run an Oracle Database release that is later than the Oracle Grid Infrastructure software release.

   Note
   
   Minimum requirements for provisioning a VM Cluster with Grid Infrastructure 23ai:

   • Exadata Guest VM running Exadata System Software 23.1.8
   • Exadata Infrastructure running Exadata System Software 23.1.x
8. Choose an Exadata image version:
   • Exadata infrastructure with Oracle Linux 7 and Exadata image version 22.1.10.0.0.230422:
     • The Change image button is not enabled.
     • The Oracle Grid Infrastructure version defaults to 19.0.0.0.0.
     • The Exadata guest version will be the same as that of the host OS.
   • Exadata infrastructure with Oracle Linux 8 and Exadata image version 23.1.3.0.0.230613:
     • The Exadata guest version defaults to the latest (23.1.3.0).
     • The Oracle Grid Infrastructure version defaults to 19.0.0.0.0
     • The Change image button is enabled.
     • Click Change image.

       The resulting Change image panel displays the list of available major versions of Exadata image (23.1.3.0 and 22.1.3.0).

       The most recent release for each major version is indicated by "(latest)".

     • Slide Display all available versions.

       Six past versions including the latest versions of Exadata images 23.1.3.0 and 22.1.3.0 are displayed.

     • Choose a version.
     • Click Save Changes.
9. Configure the VM cluster: Specify the DB servers to used for new VM cluster (by default all DB Servers are selected). Click Select DB Servers to select from the available DB servers, and then click Save.

   In the Resource allocation per VM pane:

   • Specify the number of OCPU/ECPU you want to allocate to each of the VM cluster's virtual machine compute nodes. For VM clusters created on X11M Exadata infrastructure specify ECPUs. For VM Clusters created on X10M and earlier Exadata infrastructure, specify OCPUs. The minimum is 2 OCPU per VM for X10M and earlier infrastructure or 8 ECPUs per VM for VM clusters created on X11M Exadata infrastructure. The read-only Requested OCPU count for the Exadata VM cluster field displays the total number of OCPU or ECPU cores you are allocating.
   • Specify the Memory per VM to allocate to each VM. The minimum per VM is 30 GB.
   • Specify the Local Storage per VM to allocate local storage to each VM. The minimum per VM is 60 GB.

     Each time when you create a new VM cluster, the space remaining out of the total available space is utilized for the new VM cluster.

     In addition to /u02, you can specify the size of additional local file systems.

     For more information and instructions to specify the size for each individual VM, see Introduction to Scale Up or Scale Down Operations.

     • Click Show additional local file systems configuration options.
     • Specify the size of /, /u01, /tmp, /var, /var/log, /var/log/audit, and /home file systems as needed.
       Note
       
       

       • You can only expand these file systems and cannot reduce the size once expanded.
       • Due to backup partitions and mirroring, the / and /var file systems will consume twice the space they were allocated, which is indicated in the read-only Total allocated storage for / (GB) due to mirroring and Total allocated storage for /tmp (GB) due to mirroring fields.
     • After creating the VM Cluster, check the Exadata Resources section on the Exadata Infrastructure Details page to check the file size allocated to the local storage (/u02) and local storage (additional file systems).
10. Configure Exadata storage: Specify the following:

    • Specify the usable Exadata storage TB. Specify the storage in multiples of 1 TB. Minimum: 2 TB
    • Allocate storage for Exadata sparse snapshots: Select this configuration option if you intend to use snapshot functionality within your VM cluster. If you select this option, the SPARSE disk group is created, which enables you to use VM cluster snapshot functionality for PDB sparse cloning. If you do not select this option, the SPARSE disk group is not created and snapshot functionality will not be available on any database deployments that are created in the environment.
      Note
      
      The storage configuration option for sparse snapshots cannot be changed after VM cluster creation.
    • Allocate storage for local backups: Select this option if you intend to perform database backups to the local Exadata storage within your Exadata Cloud Infrastructure instance. If you select this option, more space is allocated to the RECO disk group, which is used to store backups on Exadata storage. If you do not select this option, more space is allocated to the DATA disk group, which enables you to store more information in your databases.
      Note
      
      The storage configuration option for local backups cannot be changed after VM cluster creation.
11. Add SSH key: Add the public key portion of each key pair you want to use for SSH access to the VM cluster:
    • Generate SSH key pair (Default option) Select this radio button to generate an SSH keypair. Then in the dialog below click Save private key to download the key, and optionally click Save public key to download the key.
    • Upload SSH key files: Select this radio button to browse or drag and drop .pub files.
    • Paste SSH keys: Select this radio button to paste in individual public keys. To paste multiple keys, click + Another SSH Key, and supply a single key for each entry.
12. Configure the network settings: Specify the following:
    Note
    
    IP addresses (100.64.0.0/10) are used for Exadata Cloud Infrastructure X8M interconnect.

    You do not have the option to choose between IPv4 (single stack) and IPv4/IPv6 (dual stack) if both configurations exist. For more information, see VCN and Subnet Management.

    • Virtual cloud network: The VCN in which you want to create the VM cluster. Click Change Compartment to select a VCN in a different compartment.
    • Client subnet: The subnet to which the VM cluster should attach. Click Change Compartment to select a subnet in a different compartment.

      Do not use a subnet that overlaps with 192.168.16.16/28, which is used by the Oracle Clusterware private interconnect on the database instance. Specifying an overlapping subnet causes the private interconnect to malfunction.

    • Backup subnet: The subnet to use for the backup network, which is typically used to transport backup information to and from the Backup Destination, and for Data Guard replication. Click Change Compartment to select a subnet in a different compartment, if applicable.

      Do not use a subnet that overlaps with 192.168.128.0/20. This restriction applies to both the client subnet and backup subnet.

      If you plan to back up databases to Object Storage or Autonomous Recovery service, see the network prerequisites in Managing Exadata Database Backups.

      Note
      
      In case Autonomous Recovery Service is used, a new dedicated subnet is highly recommended. Review the network requirements and configurations required to backup your Oracle Cloud databases to Recovery Service. See, Configuring Network Resources for Recovery Service.
    • Network Security Groups: Optionally, you can specify one or more network security groups (NSGs) for both the client and backup networks. NSGs function as virtual firewalls, allowing you to apply a set of ingress and egress security rules to your Exadata Cloud Infrastructure VM cluster. A maximum of five NSGs can be specified. For more information, see Network Security Groups and Network Setup for Exadata Cloud Infrastructure Instances.

      Note that if you choose a subnet with a security list, the security rules for the VM cluster will be a union of the rules in the security list and the NSGs.

      To use network security groups:

      • Check the Use network security groups to control traffic check box. This box appears under both the selector for the client subnet and the backup subnet. You can apply NSGs to either the client or the backup network, or to both networks. Note that you must have a virtual cloud network selected to be able to assign NSGs to a network.
      • Specify the NSG to use with the network. You might need to use more than one NSG. If you're not sure, contact your network administrator.
      • To use additional NSGs with the network, click +;Another Network Security Group.
      Note
      
      

      To provide your cloud VM Cluster resources with additional security, you can use Oracle Cloud Infrastructure Zero Trust Packet Routing to ensure that only resources identified with security attributes have network permissions to access your resources. Oracle provides Database policy templates that you can use to assist you with creating policies for common database security use cases. To configure it now, you must already have created security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. Click Show Advanced Options at the end of this procedure.

      Be aware that when you provide security attributes for a cluster, as soon as it is applied, all resources require a Zero Trust Packet policy to access the cluster. If there is a security attribute on an endpoint, then it must satisfy both network security group (NSG) and Oracle Cloud Infrastructure Zero Trust Packet Routing policy (OCI ZPR) rules.

    • To use private DNS Service
      Note
      
      A Private DNS must be configured before it can be selected. See "Configure Private DNS"
      • Check the Use private DNS Service check box.
      • Select a private view. Click Change Compartment to select a private view in a different compartment.
      • Select a private zone. Click Change Compartment to select a private zone in a different compartment.
    • Hostname prefix: Your choice of hostname for the Exadata VM cluster. The host name must begin with an alphabetic character and can contain only alphanumeric characters and hyphens (-). The maximum number of characters allowed for an Exadata VM cluster is 12.

      Caution:

      The hostname must be unique within the subnet. If it is not unique, the VM cluster will fail to provision.
    • Host domain name: The domain name for the VM cluster. If the selected subnet uses the Oracle-provided Internet and VCN Resolver for DNS name resolution, this field displays the domain name for the subnet and it can't be changed. Otherwise, you can provide your choice of the domain name. Hyphens (-) are not permitted.

      If you plan to store database backups in Object Storage or Autonomous Recovery service, Oracle recommends that you use a VCN Resolver for DNS name resolution for the client subnet because it automatically resolves the Swift endpoints used for backups.

    • Host and domain URL: This read-only field combines the host and domain names to display the fully qualified domain name (FQDN) for the database. The maximum length is 63 characters.
13. Choose a license type: The type of license you want to use for the VM cluster. Your choice affects metering for billing.
    • License Included means the cost of the cloud service includes a license for the Database service.
    • Bring Your Own License (BYOL) means you are an Oracle Database customer with an Unlimited License Agreement or Non-Unlimited License Agreement and want to use your license with Oracle Cloud Infrastructure. This removes the need for separate on-premises licenses and cloud licenses.
14. Diagnostics Collection: By enabling diagnostics collection and notifications, Oracle Cloud Operations and you will be able to identify, investigate, track, and resolve guest VM issues quickly and effectively. Subscribe to Events to get notified about resource state changes.
    Note
    
    You are opting in with the understanding that the above list of events (or metrics, log files) can change in the future. You can opt out of this feature at any time.
    • Enable Diagnostic Events: Allow Oracle to collect and publish critical, warning, error, and information events to me.
    • Enable Health Monitoring: Allow Oracle to collect health metrics/events such as Oracle Database up/down, disk space usage, and so on, and share them with Oracle Cloud operations. You will also receive notification of some events.
    • Enable Incident Logs and Trace Collection: Allow Oracle to collect incident logs and traces to enable fault diagnosis and issue resolution.
    Note
    
    You are opting in with the understanding that the above list of events (or metrics, log files) can change in the future. You can opt-out of this feature at any time.
    All three checkboxes are selected by default. You can leave the default settings as is or clear the checkboxes as needed. You can view the Diagnostic Collection settings on the VM Cluster Details page under General Information >> Diagnostics Collection.

    • Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files (all three options).
    • Disabled: When you choose not to collect diagnostics, health metrics, incident logs, and trace files (all three options).
    • Partially Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files ( one or two options).
15. Click Show Advanced Options to specify advanced options for the VM cluster:

    • Time zone: This option is located in the Management tab. The default time zone for the VM cluster is UTC, but you can specify a different time zone. The time zone options are those supported in both the Java.util.TimeZone class and the Oracle Linux operating system.

      Note
      
      

      If you want to set a time zone other than UTC or the browser-detected time zone, and if you do not see the time zone you want, try selecting the Select another time zone, option, then selecting "Miscellaneous" in the Region or country list and searching the additional Time zone selections.

    • SCAN Listener Port: This option is located in the Network tab. You can assign a SCAN listener port (TCP/IP) in the range between 1024 and 8999. The default is 1521.
      Note
      
      Manually changing the SCAN listener port of a VM cluster after provisioning using the backend software is not supported. This change can cause Data Guard provisioning to fail.
    • Zero Trust Packet Routing (ZPR): This option is located in the Security attributes tab. Select a namespace, and provide the key and value for the security attribute. To complete this step during configuration, you must already have set up security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. You can also add security attributes after configuration, and add them later. For more information about adding Oracle Exadata Database Service on Dedicated Infrastructure specific policies, see Policy Template Builder.
    • Cloud Automation Update: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. You can configure your preferred time window for these updates to be applied to your VM Cluster.

      Set the start time for cloud automation updates.

      Note
      
      Oracle will check for latest VM Cloud Automation updates every day between the configured time window and apply updates when applicable. If automation is unable to start applying updates within the configured time window due to some underlying long running process, Oracle will automatically check the following day during the configured time window to start applying cloud automation updates to the VM Cluster.

      Enable early access for cloud tools update: VM clusters designated for early access receive updates 1-2 weeks before they are available to other systems. Check this check box if you want early adoption for this VM cluster.

      Cloud Automation Update Freeze Period: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. Enable a freeze period to define a time window during which Oracle automation will not apply cloud updates.

      Move the slider to set the freeze period.

      Note
      
      

      • The freeze period can extend for a maximum of 45 days from the start date.
      • Oracle automation will automatically apply updates with critical security fixes (CVSS >= 9) even during a configured freeze period.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
16. Click Create.

To view the details of an identity connector attached to a VM cluster, use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
3. Click the name of the VM cluster of your choice.
4. On the resulting VM Cluster Details page, in the Multicloud Information section, confirm that the Identity connector field displays the identity connector attached to this VM cluster.
5. Click the name of the Identity Connector to view its details.

   You will be redirected to the Database Multicloud Integrations portal.

To create a key ring, use this procedure.

1. Open the Google Cloud Console, navigate to the Key Management page.
2. Click Create key ring.
3. Provide the following details:
   • Name: Enter a descriptive name for the key ring.
   • Location: Select a location for your key ring.

     Important:

     • Key rings with the same name can exist in different locations, so you must always specify the location.
     • Choose a location close to the resources you want to protect.
     • For Customer Managed Encryption Keys, ensure the key ring is in the same location as the resources that will use it.

     Choosing a location for your Key Ring:

     When creating a key ring in Google Cloud Key Management Service (KMS), selecting the right location is crucial. Your choice affects where your cryptographic keys are stored and how they're replicated. For more information, see Cloud KMS locations.

     • Region:
       • Data is stored in a specific geographic region.
       • Keys remain within the boundaries of this single region.
       • Ideal for:
         • Low-latency applications
         • Compliance with data residency requirements
         • Region-specific workloads
     • Multi-region:
       • Data is replicated across multiple regions within a larger geographical area.
       • Google manages distribution and replication automatically.
       • You cannot select individual data centers or regions.
       • Ideal for:
         • High availability
         • Resilient, fault-tolerant applications
         • Services serving a wide regional area
     • Global:
       • A special type of multi-region.
       • Keys are distributed across Google data centers worldwide.
       • Location selection and control are not available.
       • Ideal for:
         • Applications with global users
         • Use cases needing maximum redundancy and reach
4. Click Create.

Once the key ring is created, you can begin creating and managing encryption keys within it.

To create a raw symmetric encryption key in the specified key ring and location, use this procedure.

1. Open the Google Cloud Console, navigate to the Key Management page.
2. Click the name of the key ring where you want to create the key.
3. Click Create key.
4. Provide the following details:
   • Key name: Enter a descriptive name for your key.
   • Protection level: Choose Software or HSM (Hardware Security Module).

     The protection level of a key can't be changed after the key is created. For more information, see Protection levels.

   • Key material: Select Generate key or Import key.

     Generate key material in Cloud KMS or import key material that is maintained outside of Google Cloud. For more information, see Customer-managed encryption keys (CMEK).

   • Purpose and Algorithm:

     For more information, see Key purposes and algorithms.

     • Set Purpose to Raw encryption/decryption.
     • For Algorithm, select AES-256-CBC.
5. Click Create.

After creation, you can use this key for cryptographic operations that require AES-CBC encryption and decryption.

To allow a key to be discoverable in Oracle Cloud Infrastructure (OCI), use this procedure.

1. In Google Cloud KMS, select the key you want to make discoverable.
2. Navigate to the Permissions tab and click Add principal.
3. In the New principals field, enter the service account associated with your Workload Resource Service Agent.
   Note
   
   

   You can find this service account on the Identity Connector details page, under the GCP Information section. Look for the Workload resource service agent and note its ID — this is the required service account.

4. Under Assign roles, add a role of your choice.
   Note
   
   

   Create a custom role with the following minimum permissions and assign it to the key ring of your choice.

   These permissions together allow OCI to:

   • Discover KMS resources like key rings and keys.
   • Access metadata about keys and their versions.
   • Use the keys for cryptographic operations (encryption/decryption).
   • Create key versions.

   Minimum Required Permissions:

   • cloudkms.cryptoKeyVersions.get

     Allows retrieval of metadata for a specific key version.

   • cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

     Enables management of raw AES-CBC key material (import, rotation, etc.).

   • cloudkms.cryptoKeyVersions.create

     Allows creation of new key versions within a key.

   • cloudkms.cryptoKeyVersions.list

     Lists all versions of a given key.

   • cloudkms.cryptoKeyVersions.useToDecrypt

     Grants permission to use a key version for decrypting data.

   • cloudkms.cryptoKeyVersions.useToEncrypt

     Grants permission to use a key version for encrypting data.

   • cloudkms.cryptoKeys.get

     Allows retrieval of metadata for a key.

   • cloudkms.cryptoKeys.list

     Lists all keys within a key ring.

   • cloudkms.keyRings.get

     Allows retrieval of metadata for a key ring.

   • cloudkms.locations.get

     Retrieves information about supported key locations.

5. Click Save to apply the changes.
6. Click Refresh to confirm that the updated permissions have taken effect.

To enable Google Cloud Customer Managed Encryption Keys (CMEK) for your VM cluster, you must first register the GCP Key Ring in OCI.

1. In the Database Multicloud Integrations portal, navigate to: Google Cloud Integration > GCP Key Rings.
2. Click GCP Key Ring,
3. Click Register GCP key rings
4. On the resulting Register GCP key rings page, provide the following details:
   • Compartment: Select the compartment where the VM cluster resides.
   • Identity Connector: Choose the Identity Connector attached to the VM cluster.
   • Key Ring: Enter the name of the GCP key ring to register.

     To discover all available key rings through a single identity connector, you must grant the following permissions to that identity connector. These permissions should be assigned at the appropriate project or folder level to ensure the connector can access all key rings across the intended scope.

     • cloudkms.keyRings.list

       Allows listing all key rings within a project.

     • cloudkms.locations.get

       Allows retrieving metadata for a specific key ring.

5. Click Discover to verify if the key ring exists in GCP.

   If successful, the key ring’s details will be displayed.

   Note
   
   

   Only key rings can be registered — not individual keys. All supported keys associated with a registered key ring will be available, provided the required permissions are in place.

6. Click Register.

To enable GCP CMEK for your Exadata VM Cluster, use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
3. Select the name of the VM cluster you want to configure.
4. On the VM Cluster Details page, scroll to the Multicloud Information section and click Enable next to GCP CMEK.
5. To disable GCP CMEK, click Disable.

This topic covers creating your first or subsequent databases.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure
2. Choose your Compartment.
3. Navigate to the cloud VM cluster you want to create the database in:

   Cloud VM clusters (The New Exadata Cloud Infrastructure Resource Model): Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters. In the list of VM clusters, find the VM cluster you want to access and click its highlighted name to view the details page for the cluster.

4. Click Create Database.
5. In the Create Database dialog, enter the following:
   Note
   
   You cannot modify the db_name, db_unique_name, and SID prefix after creating the database.
   • Database name: The name for the database. The database name must meet the requirements:
     • Maximum of 8 characters
     • Contain only alphanumeric characters
     • Begin with an alphabetic character
     • Cannot be part of the first 8 characters of a DB_UNIQUE_NAME on the VM cluster
     • DO NOT use the following reserved names: grid, ASM
   • Database unique name suffix:

     Optionally, specify a value for the DB_UNIQUE_NAME database parameter. The value is case insensitive.

     The unique name must meet the requirements:

     • Maximum of 30 characters
     • Contain only alphanumeric or underscore (_) characters
     • Begin with an alphabetic character
     • Unique across the VM cluster. Recommended to be unique across the tenancy.
     If not specified, the system automatically generates a unique name value, as follows:

     <db_name>_<3_chars_unique_string>_<region-name>

   • Database version: The version of the database. You can mix database versions on the Exadata VM cluster.
   • PDB name: (Optional) For Oracle Database 12c (12.1.0.2) and later, you can specify the name of the pluggable database. The PDB name must begin with an alphabetic character, and can contain a maximum of eight alphanumeric characters. The only special character permitted is the underscore ( _).

     To avoid potential service name collisions when using Oracle Net Services to connect to the PDB, ensure that the PDB name is unique across the entire VM cluster. If you do not provide the name of the first PDB, then a system-generated name is used.

   • Database Home: The Oracle Database Home for the database. Choose the applicable option:
     • Select an existing Database Home: The Database Home display name field allows you to choose the Database Home from the existing homes for the database version you specified. If no Database Home with that version exists, you must create a new one.
     • Create a new Database Home: Use this option to provision a new Database Home for your Data Guard peer database.

       Click Change Database Image to use a desired Oracle-published image or a custom database software image that you have created in advance, then select an Image Type:

       • Oracle Provided Database Software Images:

         then you can use the Display all available version switch to choose from all available PSUs and RUs. The most recent release for each major version is indicated with a latest label.

         Note
         
         For the Oracle Database major version releases available in Oracle Cloud Infrastructure, images are provided for the current version plus the three most recent older versions (N through N - 3). For example, if an instance is using Oracle Database 19c, and the latest version of 19c offered is 19.8.0.0.0, images available for provisioning are for versions 19.8.0.0.0, 19.7.0.0, 19.6.0.0 and 19.5.0.0.
       • Custom Database Software Images: These images are created by your organization and contain customized configurations of software updates and patches. Use the Select a compartment, Select a region, and Select a Database version selectors to limit the list of custom database software images to a specific compartment, region, or Oracle Database software major release version.

         Region filter defaults to the currently connected region and lists all the software images created in that region. When you choose a different region, the software image list is refreshed to display the software images created in the selected region.

   • Create administrator credentials: (Read only) A database administrator SYS user will be created with the password you supply.
     • Username: SYS
     • Password: Supply the password for this user. The password must meet the following criteria:

       A strong password for SYS, SYSTEM, TDE wallet, and PDB Admin. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two numeric, and two special characters. The special characters must be _, #, or -. The password must not contain the username (SYS, SYSTEM, and so on) or the word "oracle" either in forward or reversed order and regardless of casing.

     • Confirm password: Re-enter the SYS password you specified.
     • Using a TDE wallet password is optional. If you are using customer-managed encryption keys stored in a vault in your tenancy, the TDE wallet password is not applicable to your VM Cluster. Use Show Advanced Options at the end of the Create Database dialog to configure customer-managed keys.

       If you are using customer-managed keys, or if you want to specify a different TDE wallet password, uncheck the Use the administrator password for the TDE wallet box. If you are using customer-managed keys, leave the TDE password fields blank. To set the TDE wallet password manually, enter a password in the Enter TDE wallet password field, and then confirm by entering it into the Confirm TDE wallet password field.

   • Configure database backups: Specify the settings for backing up the database to Autonomous Recovery Service or Object Storage:

     • Enable automatic backup: Check the check box to enable automatic incremental backups for this database. If you are creating a database in a security zone compartment, you must enable automatic backups.
     • Backup Destination: Your choices are Autonomous Recovery Service or Object Storage.
     • Backup Scheduling:
       • Object Storage (L0):
         • Full backup scheduling day: Choose a day of the week for the initial and future L0 backups to start.
         • Full backup scheduling time (UTC): Specify the time window when the full backups start when the automatic backup capability is selected.

         • Take the first backup immediately: A full backup is an operating system backup of all datafiles and the control file that constitute an Oracle Database. A full backup should also include the parameter file(s) associated with the database. You can take a full database backup when the database is shut down or while the database is open. You should not normally take a full backup after an instance failure or other unusual circumstances.

           If you choose to defer the first full backup your database may not be recoverable in the event of a database failure.

       • Object Storage (L1):
         • Incremental backup scheduling time (UTC): Specify the time window when the incremental backups start when the automatic backup capability is selected.
       • Autonomous Recovery Service (L0):
         • Scheduled day for initial backup: Choose a day of the week for the initial backup.
         • Scheduled time for initial backup (UTC): Select the time window for the initial backup.

         • Take the first backup immediately: A full backup is an operating system backup of all datafiles and the control file that constitute an Oracle Database. A full backup should also include the parameter file(s) associated with the database. You can take a full database backup when the database is shut down or while the database is open. You should not normally take a full backup after an instance failure or other unusual circumstances.

           If you choose to defer the first full backup your database may not be recoverable in the event of a database failure.

       • Autonomous Recovery Service (L1):
         • Scheduled time for daily backup (UTC): Specify the time window when the incremental backups start when the automatic backup capability is selected.
     • Deletion options after database termination: Options that you can use to retain protected database backups after the database is terminated. These options can also help restore the database from backups in case of accidental or malicious damage to the database.
       • Retain backups for the period specified in your protection policy or backup retention period: Select this option if you want to retain database backups for the entire period defined in the Object Storage Backup retention period or Autonomous Recovery Service protection policy after the database is terminated.
       • Retain backups for 72 hours, then delete: Select this option to retain backups for a period of 72 hours after you terminate the database.

     • Backup Retention Period/Protection Policy: If you choose to enable automatic backups, you can choose a policy with one of the following preset retention periods, or a Custom policy.

       Object Storage Backup retention period: 7, 15, 30, 45, 60. Default: 30 days. The system automatically deletes your incremental backups at the end of your chosen retention period.

       Autonomous Recovery Service protection policy:

       • Bronze: 14 days
       • Silver: 35 days
       • Gold: 65 days
       • Platinum: 95 days
       • Custom defined by you
       • Default: Silver - 35 days
     • Enable Real-Time Data Protection: Real-time protection is the continuous transfer of redo changes from a protected database to Autonomous Recovery Service. This reduces data loss and provides a recovery point objective (RPO) near 0. This is an extra cost option.
6. Click Show Advanced Options to specify advanced options for the database:
   • Management:

     Oracle SID prefix: The Oracle Database instance number is automatically added to the SID prefix to create the INSTANCE_NAME database parameter. The INSTANCE_NAME parameter is also known as the SID. The SID is unique across the cloud VM Cluster. If not specified, SID prefix defaults to the db_name.

     Note
     
     Entering an SID prefix is only available for Oracle 12.1 databases and above.

     The SID prefix must meet the requirements:

     • Maximum of 12 characters
     • Contain only alphanumeric characters. You can, however, use underscore (_), which is the only special character that is not restricted by this naming convention.
     • Begin with an alphabetic character
     • Unique in the VM cluster
     • DO NOT use the following reserved names: grid, ASM
   • Character set: The character set for the database. The default is AL32UTF8.
   • National character set: The national character set for the database. The default is AL16UTF16.
   • Encryption:

     If you are creating a database in an Exadata Cloud Service VM Cluster, then you can choose to use encryption based on encryption keys that you manage. By default, the database is configured using Oracle-managed encryption keys.

     • To configure the database with encryption based on encryption keys you manage:
       Note
       
       If Azure key management or GCP Customer Managed Encryption Key is disabled at the VM cluster level, you will have three key management options: Oracle Wallet, OCI Vault, and Oracle Key Vault.
       • OCI Vault:
         1. You must have a valid encryption key in Oracle Cloud Infrastructure Vault service. See Let security admins manage vaults, keys, and secrets.
            Note
            
            You must use AES-256 encryption keys for your database.
         2. Choose a Vault.
         3. Select a Master encryption key.
         4. To specify a key version other than the latest version of the selected key, check Choose the key version and enter the OCID of the key you want to use in the Key version OCID field.
            Note
            
            The Key version will only be assigned to the container database (CDB), and not to its pluggable database (PDB). PDB will be assigned an automatically generated new key version.
       • Oracle Key Vault: Choose a compartment and select a key store from the chosen compartment.
     • To create a database using the Azure key Vault as key management:
       Note
       
       If Azure key management is enabled at the VM cluster level, you will have two key management options: Oracle Wallet and Azure Key Vault.
       1. Select your Key Management type as Azure Key Vault.
       2. Select the Vault available in your compartment.
          Note
          
          The Vault list populates only registered vaults. Click the Register new vaults link to register your vault. From the Register Azure key vaults page, select your vault, and then click Register.
          Note
          
          At least one key must be registered in your vaults.
       3. Select the Key available in your compartment.
     • To create a database using GCP Customer Managed Encryption Key as key management:
       Note
       
       If GCP Customer Managed Encryption Key is enabled, you will have two key management options: Oracle Wallet and GCP Customer Managed Encryption Key.
       1. Select GCP Customer Managed Encryption Key as your Key Management option.
       2. Select the Key ring available in your compartment.
          Note
          
          

          Only registered key rings are listed.

          If your desired key ring is not visible, it may not have been registered yet. Click Register Key Rings to discover and register it.

          For detailed instructions, refer to Register GCP Key Ring in Oracle Cloud Infrastructure (OCI).

       3. Select the encryption key within the selected Key ring and compartment.
   • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags . If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
7. Click Create Database.

After database creation is complete, the status changes from Provisioning to Available, and on the database details page for the new database, the Encryption section displays the encryption key name and the encryption key OCID.

To change encryption keys between different encryption methods, use this procedure.

1. Navigate to your database details page in the OCI console.
2. In the Encryption section, verify that Key management is set to Oracle Wallet, and then click the Change link.
3. Enter the following information on the Change key management page.
   1. Select your Key management as GCP Customer Managed Encryption Key from the drop-down list.
   2. Select the compartment you are using, and then choose the Key Ring available in that compartment.
   3. Next, select the Key compartment you are using, and then choose the desired Key from the drop-down list.
   4. Click Save changes.

To rotate the GCP Customer Managed Encryption Key of a container database (CDB), use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Choose your Compartment.

   A list of VM Clusters is displayed for the chosen Compartment.

3. In the list of VM Clusters, click the name of the VM cluster that contains the database that you want to rotate encryption keys.
4. Click Databases.
5. Click the name of the database that you want to rotate encryption keys.

   The Database Details page displays information about the selected database.

6. In the Encryption section, verify that the Key Management is set to GCP Customer Managed Encryption Key, and then click the Rotate link.
7. On the resulting Rotate Key dialog, click Rotate to confirm the action.

To rotate the GCP Customer Managed Encryption Key of a pluggable database (PDB), use this procedure.

1. Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
2. Choose your Compartment.

   A list of VM Clusters is displayed for the chosen Compartment.

3. In the list of VM clusters, click the name of the VM cluster that contains the PDB you want to start, and then click its name to display the details page.
4. Under Databases, find the database containing the PDB you want to rotate encryption keys.
5. Click the name of the database to view the Database Details page.
6. Click Pluggable Databases in the Resources section of the page.

   A list of existing PDBs in this database is displayed.

7. Click the name of the PDB that you want to rotate encryption keys.

   The pluggable details page is displayed.

8. In the Encryption section displays that the Key management is set as GCP Customer Managed Encryption Key.
9. Click the Rotate link.
10. On the resulting Rotate Key dialog, click Rotate to confirm the action.