Google Cloud Key Management Integration for Exadata Database Service on Oracle Database@Google Cloud
Exadata Database Service on Oracle Database@Google Cloud now supports integration with Google Cloud Platform's Key Management Service (KMS).
This enhancement allows users to manage Transparent Data Encryption (TDE) master encryption keys (MEKs) using GCP Customer-Managed Encryption Keys (CMEKs).
Previously, Transparent Data Encryption (TDE) master encryption keys (MEKs) could only be stored in a file-based Oracle Wallet, Oracle Cloud Infrastructure (OCI) Vault, or Oracle Key Vault (OKV). With this update, users can store and manage MEKs directly in GCP KMS, providing improved key lifecycle control and alignment with organization-specific security policies.
This integration enables applications, Google Cloud services, and databases to benefit from a centralized key management solution that offers enhanced security and simplified key lifecycle management.
- Prerequisites
Before configuring GCP Customer Managed Encryption Keys (CMEK) as the key management service for your databases, ensure the following prerequisites are met.
- Using the Console to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
Learn how to manage GCP KMS integration for Exadata Database Service on Oracle Database@Google Cloud.
- Using the API to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
Parent topic: How-to Guides
Prerequisites
Before configuring GCP Customer Managed Encryption Keys (CMEK) as the key management service for your databases, ensure the following prerequisites are met.
- Provision an Exadata VM Cluster via the Google Cloud console. See Provisioning an Exadata VM Cluster for Google Cloud for step-by-step instructions.
- Review the Identity Connector connection to ensure it is correctly configured and active. For more information, see Verify the Default Identity Connector Attached to the VM Cluster.
- Prerequisites for Configuring GCP Customer Managed Encryption Keys (CMEK) at the Exadata VM Cluster Level.
To enable Google Cloud Platform (GCP) Customer Managed Encryption Keys (CMEK) for databases deployed with Exadata Database Service on Oracle Database@Google Cloud, you must configure CMEK as the key management option at the VM cluster level. Once CMEK is enabled, all database encryption and decryption operations will use the specified GCP-managed key.
Before enabling CMEK, ensure that:
- The required GCP key rings and encryption keys are already created in GCP.
- These keys are mirrored as anchor resources in Oracle Cloud Infrastructure (OCI), ensuring synchronization between GCP and OCI.
- The anchor resources are in place for database provisioning and for managing the encryption key lifecycle, including key rotation, revocation, and auditing.
- IAM Policy Requirements for Accessing GCP Key Resources.
The database uses the cluster resource principal to securely retrieve GCP key resources. To enable this functionality, you must define the appropriate IAM policies in your OCI tenancy.
Read-Only Access to Oracle GCP Keys:
Allow any-user to read oracle-db-gcp-keys in compartment id <your-compartment-OCID> where all { request.principal.type = 'cloudvmcluster' }
This policy grants read-only access to GCP key resources for the VM cluster resource principal.
Using the Console to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
Learn how to manage GCP KMS integration for Exadata Database Service on Oracle Database@Google Cloud.
- To create a cloud VM cluster resource
Create a VM cluster in an Exadata Cloud Infrastructure instance.
- Verify the Default Identity Connector Attached to the VM Cluster
To view the details of an identity connector attached to a VM cluster, use this procedure.
- Create a Key Ring in Google Cloud Console
To create a key ring, use this procedure.
- Create a Key in Google Cloud Console
To create a raw symmetric encryption key in the specified key ring and location, use this procedure.
- Grant Permissions in Google Cloud KMS for Key Discovery by Oracle Cloud Infrastructure (OCI)
To allow a key to be discoverable in Oracle Cloud Infrastructure (OCI), use this procedure.
- Register GCP Key Ring in Oracle Cloud Infrastructure (OCI)
To enable Google Cloud Customer Managed Encryption Keys (CMEK) for your VM cluster, you must first register the GCP Key Ring in OCI.
- Enable or Disable Google Cloud Key Management
To enable GCP CMEK for your Exadata VM Cluster, use this procedure.
- To create a database in an existing VM Cluster
This topic covers creating your first or subsequent databases.
- Change the Key Management from Oracle Wallet to GCP Customer Managed Encryption Key (CMEK)
To change encryption keys between different encryption methods, use this procedure.
- Rotate the GCP Customer Managed Encryption Key of a Container Database (CDB)
To rotate the GCP Customer Managed Encryption Key of a container database (CDB), use this procedure.
- Rotate the GCP Customer Managed Encryption Key of a Pluggable Database (PDB)
To rotate the GCP Customer Managed Encryption Key of a pluggable database (PDB), use this procedure.
To create a cloud VM cluster resource
Create a VM cluster in an Exadata Cloud Infrastructure instance.
To create a cloud VM cluster in an Exadata Cloud Infrastructure instance, you must have first created a Cloud Exadata infrastructure resource.
Multi-VM enabled Infrastructure will support creating multiple VM Clusters. Infrastructures created before the feature Create and Manage Multiple Virtual Machines per Exadata System (MultiVM) and VM Cluster Node Subsetting was released only support creating a single cloud VM cluster.
When you provision an Exadata VM cluster in Exadata Database Service on Oracle Database@Google Cloud, an Identity Connector is automatically created and associated with the VM cluster.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
Note
Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure.
- Click Create Exadata VM Cluster.
The Create Exadata VM Cluster page is displayed. Provide the required information to configure the VM cluster.
- Compartment: Select a compartment for the VM cluster resource.
- Display name: Enter a user-friendly display name for the VM cluster. The name doesn't need to be unique. An Oracle Cloud Identifier (OCID) will uniquely identify the VM cluster. Avoid entering confidential information.
- Select Exadata infrastructure: Select the infrastructure resource that will contain the VM cluster. You must choose an infrastructure resource that has enough resources to create a new VM cluster. Click Change Compartment and pick a different compartment from the one you are working in to view infrastructure resources in other compartments.
Note
Multiple VM clusters may be created only in a Multi-VM enabled Infrastructure.
- Choose the Oracle Grid Infrastructure version: From the list, choose the Oracle Grid Infrastructure release (19c and 23ai) that you want to install on the VM cluster.
The Oracle Grid Infrastructure release determines the Oracle Database releases that can be supported on the VM cluster. You cannot run an Oracle Database release that is later than the Oracle Grid Infrastructure software release.
Note
Minimum requirements for provisioning a VM Cluster with Grid Infrastructure 23ai:
- Exadata Guest VM running Exadata System Software 23.1.8
- Exadata Infrastructure running Exadata System Software 23.1.x
- Choose an Exadata image version:
- Exadata infrastructure with Oracle Linux 7 and Exadata image version 22.1.10.0.0.230422:
- The Change image button is not enabled.
- The Oracle Grid Infrastructure version defaults to 19.0.0.0.0.
- The Exadata guest version will be the same as that of the host OS.
- Exadata infrastructure with Oracle Linux 8 and Exadata image version 23.1.3.0.0.230613:
- The Exadata guest version defaults to the latest (23.1.3.0).
- The Oracle Grid Infrastructure version defaults to 19.0.0.0.0.
- The Change image button is enabled.
- Click Change image.
The resulting Change image panel displays the list of available major versions of Exadata image (23.1.3.0 and 22.1.3.0).
The most recent release for each major version is indicated by "(latest)".
- Slide Display all available versions.
Six past versions, including the latest versions of Exadata images 23.1.3.0 and 22.1.3.0, are displayed.
- Choose a version.
- Click Save Changes.
- Configure the VM cluster: Specify the DB servers to use for the new VM cluster (by default all DB servers are selected). Click Select DB Servers to select from the available DB servers, and then click Save.
In the Resource allocation per VM pane:
- Specify the number of OCPU/ECPU you want to allocate to each of the VM cluster's virtual machine compute nodes. For VM clusters created on X11M Exadata infrastructure specify ECPUs. For VM Clusters created on X10M and earlier Exadata infrastructure, specify OCPUs. The minimum is 2 OCPU per VM for X10M and earlier infrastructure or 8 ECPUs per VM for VM clusters created on X11M Exadata infrastructure. The read-only Requested OCPU count for the Exadata VM cluster field displays the total number of OCPU or ECPU cores you are allocating.
- Specify the Memory per VM to allocate to each VM. The minimum per VM is 30 GB.
- Specify the Local Storage per VM to allocate local storage to each VM. The minimum per VM is 60 GB.
Each time when you create a new VM cluster, the space remaining out of the total available space is utilized for the new VM cluster.
In addition to /u02, you can specify the size of additional local file systems. For more information and instructions to specify the size for each individual VM, see Introduction to Scale Up or Scale Down Operations.
- Click Show additional local file systems configuration options.
- Specify the size of the /, /u01, /tmp, /var, /var/log, /var/log/audit, and /home file systems as needed.
Note
- You can only expand these file systems and cannot reduce the size once expanded.
- Due to backup partitions and mirroring, the / and /var file systems will consume twice the space they were allocated, which is indicated in the read-only Total allocated storage for / (GB) due to mirroring and Total allocated storage for /tmp (GB) due to mirroring fields.
- After creating the VM Cluster, check the Exadata Resources section on the Exadata Infrastructure Details page to check the file size allocated to the local storage (/u02) and local storage (additional file systems).
- Configure Exadata storage: Specify the following:
- Specify the usable Exadata storage TB. Specify the storage in multiples of 1 TB. Minimum: 2 TB.
- Allocate storage for Exadata sparse snapshots: Select this configuration option if you intend to use snapshot functionality within your VM cluster. If you select this option, the SPARSE disk group is created, which enables you to use VM cluster snapshot functionality for PDB sparse cloning. If you do not select this option, the SPARSE disk group is not created and snapshot functionality will not be available on any database deployments that are created in the environment.
Note
The storage configuration option for sparse snapshots cannot be changed after VM cluster creation.
- Allocate storage for local backups: Select this option if you intend to perform database backups to the local Exadata storage within your Exadata Cloud Infrastructure instance. If you select this option, more space is allocated to the RECO disk group, which is used to store backups on Exadata storage. If you do not select this option, more space is allocated to the DATA disk group, which enables you to store more information in your databases.
Note
The storage configuration option for local backups cannot be changed after VM cluster creation.
- Add SSH key: Add the public key portion of each key pair you want to use for SSH access to the VM cluster:
- Generate SSH key pair (default option): Select this radio button to generate an SSH key pair. Then, in the dialog below, click Save private key to download the private key, and optionally click Save public key to download the public key.
- Upload SSH key files: Select this radio button to browse or drag and drop .pub files.
- Paste SSH keys: Select this radio button to paste in individual public keys. To paste multiple keys, click + Another SSH Key, and supply a single key for each entry.
- Configure the network settings: Specify the following:
Note
IP addresses in 100.64.0.0/10 are used for the Exadata Cloud Infrastructure X8M interconnect. You do not have the option to choose between IPv4 (single stack) and IPv4/IPv6 (dual stack) if both configurations exist. For more information, see VCN and Subnet Management.
- Virtual cloud network: The VCN in which you want to create the VM cluster. Click Change Compartment to select a VCN in a different compartment.
- Client subnet: The subnet to which the VM cluster should attach. Click Change Compartment to select a subnet in a different compartment.
Do not use a subnet that overlaps with 192.168.16.16/28, which is used by the Oracle Clusterware private interconnect on the database instance. Specifying an overlapping subnet causes the private interconnect to malfunction.
- Backup subnet: The subnet to use for the backup network, which is typically used to transport backup information to and from the Backup Destination, and for Data Guard replication. Click Change Compartment to select a subnet in a different compartment, if applicable.
Do not use a subnet that overlaps with 192.168.128.0/20. This restriction applies to both the client subnet and backup subnet.
If you plan to back up databases to Object Storage or Autonomous Recovery service, see the network prerequisites in Managing Exadata Database Backups.
Note
If Autonomous Recovery Service is used, a new dedicated subnet is highly recommended. Review the network requirements and configurations required to back up your Oracle Cloud databases to Recovery Service. See Configuring Network Resources for Recovery Service.
- Network Security Groups: Optionally, you can specify one or more network security groups (NSGs) for both the client and backup networks. NSGs function as virtual firewalls, allowing you to apply a set of ingress and egress security rules to your Exadata Cloud Infrastructure VM cluster. A maximum of five NSGs can be specified. For more information, see Network Security Groups and Network Setup for Exadata Cloud Infrastructure Instances.
Note that if you choose a subnet with a security list, the security rules for the VM cluster will be a union of the rules in the security list and the NSGs.
To use network security groups:
- Check the Use network security groups to control traffic check box. This box appears under both the selector for the client subnet and the backup subnet. You can apply NSGs to either the client or the backup network, or to both networks. Note that you must have a virtual cloud network selected to be able to assign NSGs to a network.
- Specify the NSG to use with the network. You might need to use more than one NSG. If you're not sure, contact your network administrator.
- To use additional NSGs with the network, click + Another Network Security Group.
Note
To provide your cloud VM Cluster resources with additional security, you can use Oracle Cloud Infrastructure Zero Trust Packet Routing to ensure that only resources identified with security attributes have network permissions to access your resources. Oracle provides Database policy templates that you can use to assist you with creating policies for common database security use cases. To configure it now, you must already have created security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. Click Show Advanced Options at the end of this procedure.
Be aware that when you provide security attributes for a cluster, as soon as it is applied, all resources require a Zero Trust Packet policy to access the cluster. If there is a security attribute on an endpoint, then it must satisfy both network security group (NSG) and Oracle Cloud Infrastructure Zero Trust Packet Routing policy (OCI ZPR) rules.
- To use private DNS Service:
Note
A Private DNS must be configured before it can be selected. See "Configure Private DNS".
- Check the Use private DNS Service check box.
- Select a private view. Click Change Compartment to select a private view in a different compartment.
- Select a private zone. Click Change Compartment to select a private zone in a different compartment.
- Hostname prefix: Your choice of hostname for the Exadata VM cluster. The host name must begin with an alphabetic character and can contain only alphanumeric characters and hyphens (-). The maximum number of characters allowed for an Exadata VM cluster is 12.
Caution:
The hostname must be unique within the subnet. If it is not unique, the VM cluster will fail to provision.
- Host domain name: The domain name for the VM cluster. If the selected subnet uses the Oracle-provided Internet and VCN Resolver for DNS name resolution, this field displays the domain name for the subnet and it can't be changed. Otherwise, you can provide your choice of the domain name. Hyphens (-) are not permitted.
If you plan to store database backups in Object Storage or Autonomous Recovery service, Oracle recommends that you use a VCN Resolver for DNS name resolution for the client subnet because it automatically resolves the Swift endpoints used for backups.
- Host and domain URL: This read-only field combines the host and domain names to display the fully qualified domain name (FQDN) for the database. The maximum length is 63 characters.
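The network and host-name rules in the steps above (no client subnet overlapping 192.168.16.16/28, no client or backup subnet overlapping 192.168.128.0/20, a hostname prefix of at most 12 characters starting with a letter and containing only letters, digits and hyphens, a domain name without hyphens, and an FQDN of at most 63 characters) are easy to get wrong in a ticket or a Terraform variable and only surface as a failed provisioning. The following pre-flight check is an added example written for this page, not Oracle's code; the sample CIDRs and host names are constructed and do not refer to any real tenancy.

```python
"""Pre-flight checks for Exadata VM cluster subnets and host names.

Added example (not Oracle's code). It encodes the restrictions stated in the
Configure the network settings step so they can be checked before clicking Create.
"""
import ipaddress
import re

# Reserved ranges from the provisioning notes. Overlap with the client subnet
# breaks the Oracle Clusterware private interconnect.
CLIENT_ONLY_RESERVED = [ipaddress.ip_network("192.168.16.16/28")]
# This range must not overlap either the client or the backup subnet.
SHARED_RESERVED = [ipaddress.ip_network("192.168.128.0/20")]

HOSTNAME_PREFIX_MAX = 12
FQDN_MAX = 63
# Must start with a letter; only letters, digits and hyphens afterwards.
_HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def subnet_conflicts(client_cidr: str, backup_cidr: str) -> list[str]:
    """Return human-readable conflicts; an empty list means the subnets are acceptable.

    IPv6 subnets never overlap the IPv4 reserved ranges, so dual-stack input is safe.
    """
    problems: list[str] = []
    client = ipaddress.ip_network(client_cidr, strict=False)
    backup = ipaddress.ip_network(backup_cidr, strict=False)
    for reserved in CLIENT_ONLY_RESERVED + SHARED_RESERVED:
        if client.overlaps(reserved):
            problems.append(f"client subnet {client} overlaps reserved {reserved}")
    for reserved in SHARED_RESERVED:
        if backup.overlaps(reserved):
            problems.append(f"backup subnet {backup} overlaps reserved {reserved}")
    return problems


def hostname_problems(prefix: str, domain: str) -> list[str]:
    """Check the hostname prefix, host domain name and resulting FQDN."""
    problems: list[str] = []
    if not _HOSTNAME_RE.fullmatch(prefix):
        problems.append("hostname prefix must start with a letter and contain only letters, digits and hyphens")
    if len(prefix) > HOSTNAME_PREFIX_MAX:
        problems.append(f"hostname prefix longer than {HOSTNAME_PREFIX_MAX} characters")
    if "-" in domain:
        problems.append("host domain name must not contain hyphens")
    fqdn = f"{prefix}.{domain}"
    if len(fqdn) > FQDN_MAX:
        problems.append(f"FQDN {fqdn!r} longer than {FQDN_MAX} characters")
    return problems


def preflight(client_cidr: str, backup_cidr: str, prefix: str, domain: str) -> list[str]:
    """Run every check and return the combined list of problems."""
    return subnet_conflicts(client_cidr, backup_cidr) + hostname_problems(prefix, domain)


if __name__ == "__main__":
    # Constructed sample input: both subnets collide with reserved ranges.
    for issue in preflight("192.168.16.0/24", "192.168.130.0/24", "exa-cmek-01", "example.internal"):
        print("WARN:", issue)
```

Run it before submitting the Create Exadata VM Cluster form; an empty result from preflight() means none of the documented restrictions is violated, while each returned string names the field to fix.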
- Choose a license type: The type of license you want to use for the VM cluster. Your choice affects metering for billing.
- License Included means the cost of the cloud service includes a license for the Database service.
- Bring Your Own License (BYOL) means you are an Oracle Database customer with an Unlimited License Agreement or Non-Unlimited License Agreement and want to use your license with Oracle Cloud Infrastructure. This removes the need for separate on-premises licenses and cloud licenses.
- Diagnostics Collection: By enabling diagnostics collection and notifications, Oracle Cloud Operations and you will be able to identify, investigate, track, and resolve guest VM issues quickly and effectively.
Subscribe to Events to get notified about resource state changes.
Note
You are opting in with the understanding that the above list of events (or metrics, log files) can change in the future. You can opt out of this feature at any time.
- Enable Diagnostic Events: Allow Oracle to collect and publish critical, warning, error, and information events to me.
- Enable Health Monitoring: Allow Oracle to collect health metrics/events such as Oracle Database up/down, disk space usage, and so on, and share them with Oracle Cloud operations. You will also receive notification of some events.
- Enable Incident Logs and Trace Collection: Allow Oracle to collect incident logs and traces to enable fault diagnosis and issue resolution.
Note
You are opting in with the understanding that the above list of events (or metrics, log files) can change in the future. You can opt out of this feature at any time.
All three checkboxes are selected by default. You can leave the default settings as is or clear the checkboxes as needed. You can view the Diagnostic Collection settings on the VM Cluster Details page under General Information >> Diagnostics Collection.
- Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files (all three options).
- Disabled: When you choose not to collect diagnostics, health metrics, incident logs, and trace files (all three options).
- Partially Enabled: When you choose to collect diagnostics, health metrics, incident logs, and trace files (one or two options).
- Click Show Advanced Options to specify advanced options for the VM cluster:
- Time zone: This option is located in the Management tab. The default time zone for the VM cluster is UTC, but you can specify a different time zone. The time zone options are those supported in both the java.util.TimeZone class and the Oracle Linux operating system.
Note
If you want to set a time zone other than UTC or the browser-detected time zone, and you do not see the time zone you want, try selecting the Select another time zone option, then select "Miscellaneous" in the Region or country list and search the additional Time zone selections.
- SCAN Listener Port: This option is located in the Network tab. You can assign a SCAN listener port (TCP/IP) in the range between 1024 and 8999. The default is 1521.
Note
Manually changing the SCAN listener port of a VM cluster after provisioning using the backend software is not supported. This change can cause Data Guard provisioning to fail.
- Zero Trust Packet Routing (ZPR): This option is located in the Security attributes tab. Select a namespace, and provide the key and value for the security attribute. To complete this step during configuration, you must already have set up security attributes with Oracle Cloud Infrastructure Zero Trust Packet Routing. You can also add security attributes later, after configuration. For more information about adding Oracle Exadata Database Service on Dedicated Infrastructure specific policies, see Policy Template Builder.
- Cloud Automation Update: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. You can configure your preferred time window for these updates to be applied to your VM Cluster.
Set the start time for cloud automation updates.
Note
Oracle will check for the latest VM Cloud Automation updates every day within the configured time window and apply updates when applicable. If automation is unable to start applying updates within the configured time window due to some underlying long-running process, Oracle will automatically check the following day during the configured time window to start applying cloud automation updates to the VM Cluster.
Enable early access for cloud tools update: VM clusters designated for early access receive updates 1-2 weeks before they are available to other systems. Check this check box if you want early adoption for this VM cluster.
Cloud Automation Update Freeze Period: Oracle periodically applies updates to the database tools and agent software necessary for cloud tooling and automation. Enable a freeze period to define a time window during which Oracle automation will not apply cloud updates.
Move the slider to set the freeze period.
Note
- The freeze period can extend for a maximum of 45 days from the start date.
- Oracle automation will automatically apply updates with critical security fixes (CVSS >= 9) even during a configured freeze period.
- Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
- Click Create.
WHAT NEXT?
- You can view the VM Cluster Details page by clicking the name of the VM cluster in the list of clusters. From the VM Cluster Details page, you can create your first database in the cluster by clicking Create Database
- The SCAN IP address (IPv4) and SCAN IP address (IPv6) fields in the Network section on the VM Cluster Details page display the dual stack IP address details.
- The Cloud Automation Update field in the Version section on the VM Cluster Details page displays the freeze period you have set.
Related Topics
- Network Security Groups
- Network Setup for Exadata Cloud Infrastructure Instances
- Security Lists
- Configure Private DNS
- Resource Tags
- To create a database in an existing VM Cluster
- Oracle Cloud Infrastructure Zero Trust Packet Routing
- Getting Started with Events
- Overview of Database Service Events
- Overview of Automatic Diagnostic Collection
Verify the Default Identity Connector Attached to the VM Cluster
To view the details of an identity connector attached to a VM cluster, use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
- Click the name of the VM cluster of your choice.
- On the resulting VM Cluster Details page, in the Multicloud Information section, confirm that the Identity connector field displays the identity connector attached to this VM cluster.
- Click the name of the Identity Connector to view its details.
You will be redirected to the Database Multicloud Integrations portal.
Create a Key Ring in Google Cloud Console
To create a key ring, use this procedure.
- Open the Google Cloud Console and navigate to the Key Management page.
- Click Create key ring.
- Provide the following details:
- Name: Enter a descriptive name for the key ring.
- Location: Select a location for your key ring.
Important:
- Key rings with the same name can exist in different locations, so you must always specify the location.
- Choose a location close to the resources you want to protect.
- For Customer Managed Encryption Keys, ensure the key ring is in the same location as the resources that will use it.
Choosing a location for your Key Ring:
When creating a key ring in Google Cloud Key Management Service (KMS), selecting the right location is crucial. Your choice affects where your cryptographic keys are stored and how they're replicated. For more information, see Cloud KMS locations.
- Region:
- Data is stored in a specific geographic region.
- Keys remain within the boundaries of this single region.
- Ideal for:
- Low-latency applications
- Compliance with data residency requirements
- Region-specific workloads
- Multi-region:
- Data is replicated across multiple regions within a larger geographical area.
- Google manages distribution and replication automatically.
- You cannot select individual data centers or regions.
- Ideal for:
- High availability
- Resilient, fault-tolerant applications
- Services serving a wide regional area
- Global:
- A special type of multi-region.
- Keys are distributed across Google data centers worldwide.
- Location selection and control are not available.
- Ideal for:
- Applications with global users
- Use cases needing maximum redundancy and reach
- Click Create.
Once the key ring is created, you can begin creating and managing encryption keys within it.
Create a Key in Google Cloud Console
To create a raw symmetric encryption key in the specified key ring and location, use this procedure.
- Open the Google Cloud Console and navigate to the Key Management page.
- Click the name of the key ring where you want to create the key.
- Click Create key.
- Provide the following details:
- Key name: Enter a descriptive name for your key.
- Protection level: Choose Software or HSM (Hardware Security Module).
The protection level of a key can't be changed after the key is created. For more information, see Protection levels.
- Key material: Select Generate key or Import key.
Generate key material in Cloud KMS or import key material that is maintained outside of Google Cloud. For more information, see Customer-managed encryption keys (CMEK).
- Purpose and Algorithm:
For more information, see Key purposes and algorithms.
- Set Purpose to Raw encryption/decryption.
- For Algorithm, select AES-256-CBC.
- Click Create.
After creation, you can use this key for cryptographic operations that require AES-CBC encryption and decryption.
Grant Permissions in Google Cloud KMS for Key Discovery by Oracle Cloud Infrastructure (OCI)
To allow a key to be discoverable in Oracle Cloud Infrastructure (OCI), use this procedure.
- In Google Cloud KMS, select the key you want to make discoverable.
- Navigate to the Permissions tab and click Add principal.
- In the New principals field, enter the service account associated with your Workload Resource Service Agent.
Note
You can find this service account on the Identity Connector details page, under the GCP Information section. Look for the Workload resource service agent and note its ID — this is the required service account.
- Under Assign roles, add a role of your choice.
Note
Create a custom role with the following minimum permissions and assign it to the key ring of your choice.
These permissions together allow OCI to:
- Discover KMS resources like key rings and keys.
- Access metadata about keys and their versions.
- Use the keys for cryptographic operations (encryption/decryption).
- Create key versions.
Minimum Required Permissions:
- cloudkms.cryptoKeyVersions.get: Allows retrieval of metadata for a specific key version.
- cloudkms.cryptoKeyVersions.manageRawAesCbcKeys: Enables management of raw AES-CBC key material (import, rotation, etc.).
- cloudkms.cryptoKeyVersions.create: Allows creation of new key versions within a key.
- cloudkms.cryptoKeyVersions.list: Lists all versions of a given key.
- cloudkms.cryptoKeyVersions.useToDecrypt: Grants permission to use a key version for decrypting data.
- cloudkms.cryptoKeyVersions.useToEncrypt: Grants permission to use a key version for encrypting data.
- cloudkms.cryptoKeys.get: Allows retrieval of metadata for a key.
- cloudkms.cryptoKeys.list: Lists all keys within a key ring.
- cloudkms.keyRings.get: Allows retrieval of metadata for a key ring.
- cloudkms.locations.get: Retrieves information about supported key locations.
- Click Save to apply the changes.
- Click Refresh to confirm that the updated permissions have taken effect.
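The custom role you bind to the key ring should grant exactly the minimum permissions listed above: anything missing makes key discovery or TDE operations fail at provisioning time, and anything extra (in particular permissions that can destroy key versions or change the key's IAM policy) widens what the connector's service account can do. The following checker is an added example written for this page, not Oracle's or Google's code. It assumes the role has been exported as JSON in the shape of the IAM Role resource, whose includedPermissions field lists the granted permissions; the sample role is constructed for illustration, and the ring-level discovery permissions it also checks are the two named in the key ring registration step.

```python
"""Check an exported IAM custom role against the minimum Cloud KMS permissions
the identity connector's service account needs (added example, not Oracle's code).
"""
import json

# Minimum permissions listed for the custom role on the key / key ring.
MIN_KEY_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.manageRawAesCbcKeys",
    "cloudkms.cryptoKeyVersions.create",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.locations.get",
})

# Project- or folder-level permissions needed to discover key rings during registration.
DISCOVERY_PERMISSIONS = frozenset({
    "cloudkms.keyRings.list",
    "cloudkms.locations.get",
})

# Permission verbs beyond the minimum that deserve a second look before binding.
SENSITIVE_VERBS = ("destroy", "setIamPolicy")


def check_role(role: dict, require_discovery: bool = False) -> dict:
    """Compare a role's includedPermissions with the required set.

    Returns ok (no required permission missing), the missing permissions, every
    permission granted beyond the requirement, and the subset of those extras
    that are outside cloudkms.* or carry a sensitive verb.
    """
    granted = set(role.get("includedPermissions", []))
    required = set(MIN_KEY_PERMISSIONS)
    if require_discovery:
        required |= DISCOVERY_PERMISSIONS
    missing = required - granted
    extra = granted - required
    sensitive = {
        p for p in extra
        if not p.startswith("cloudkms.") or p.rsplit(".", 1)[-1] in SENSITIVE_VERBS
    }
    return {
        "ok": not missing,
        "missing": sorted(missing),
        "extra": sorted(extra),
        "sensitive": sorted(sensitive),
    }


def check_role_json(text: str, require_discovery: bool = False) -> dict:
    """Same check for a role exported as a JSON document."""
    return check_role(json.loads(text), require_discovery)


# Constructed sample role (hypothetical project and role id): it lacks
# useToDecrypt and grants destroy, which the procedure does not ask for.
SAMPLE_ROLE_JSON = """{
  "name": "projects/example-project/roles/ociKmsDiscovery",
  "title": "OCI KMS discovery (sample)",
  "includedPermissions": [
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.manageRawAesCbcKeys",
    "cloudkms.cryptoKeyVersions.create",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeyVersions.destroy",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.locations.get"
  ]
}"""

if __name__ == "__main__":
    print(json.dumps(check_role_json(SAMPLE_ROLE_JSON), indent=2))
```

A practical use is to export the role with gcloud iam roles describe in JSON format and feed the output to check_role_json(); pass require_discovery=True when the same role is also meant to be granted at project or folder level for key ring discovery. Treat a non-empty sensitive list as a reason to trim the role before binding it, since the connector's service account is the only principal that needs it.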
Register GCP Key Ring in Oracle Cloud Infrastructure (OCI)
To enable Google Cloud Customer Managed Encryption Keys (CMEK) for your VM cluster, you must first register the GCP Key Ring in OCI.
Before proceeding, ensure that the permissions outlined in Grant Permissions in Google Cloud KMS for Key Discovery by Oracle Cloud Infrastructure (OCI) have been granted.
- In the Database Multicloud Integrations portal, navigate to: Google Cloud Integration > GCP Key Rings.
- Click GCP Key Ring.
- Click Register GCP key rings.
- On the resulting Register GCP key rings page, provide the following details:
- Compartment: Select the compartment where the VM cluster resides.
- Identity Connector: Choose the Identity Connector attached to the VM cluster.
- Key Ring: Enter the name of the GCP key ring to register.
To discover all available key rings through a single identity connector, you must grant the following permissions to that identity connector. These permissions should be assigned at the appropriate project or folder level to ensure the connector can access all key rings across the intended scope.
- cloudkms.keyRings.list: Allows listing all key rings within a project.
- cloudkms.locations.get: Allows retrieving metadata for a specific key ring.
- Click Discover to verify if the key ring exists in GCP.
If successful, the key ring’s details will be displayed.
Note
Only key rings can be registered — not individual keys. All supported keys associated with a registered key ring will be available, provided the required permissions are in place.
- Click Register.
Enable or Disable Google Cloud Key Management
To enable GCP CMEK for your Exadata VM Cluster, use this procedure.
When you provision an Exadata VM Cluster, GCP CMEK is disabled by default.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters.
- Select the name of the VM cluster you want to configure.
- On the VM Cluster Details page, scroll to the Multicloud Information section and click Enable next to GCP CMEK.
- To disable GCP CMEK, click Disable.
To create a database in an existing VM Cluster
This topic covers creating your first or subsequent databases.
If IORM is enabled on the Exadata Cloud Infrastructure instance, then the default directive will apply to the new database and system performance might be impacted. Oracle recommends that you review the IORM settings and make applicable adjustments to the configuration after the new database is provisioned.
Before creating your first database and selecting Azure Key Vault for key management, ensure the following prerequisites are met:
- All network prerequisites outlined in the Network Requirements for Creating an Identity Connector and KMS Resources section are fulfilled
- The identity connector is created and available for use
- Azure key management is enabled at the VM cluster level
- The VM cluster has the necessary permissions to access the vaults
- The vaults are registered as OCI resources
- Virtual Machines Restriction: Scaling out a VM cluster does not automatically extend databases that use Azure Key Vault to the newly added virtual machine. To complete the extension, you must update the existing Identity Connector for the Exadata VM Cluster by supplying the Azure access token. After updating the Identity Connector, run the dbaascli database addInstance command to add the database instance to the new VM.
- Data Guard Restrictions:
- When creating a standby database for a primary that uses Azure Key Vault, ensure that the target VM cluster has an active Identity Connector, Azure key management is enabled, and the required association between the Identity Connector and the Key Vault is properly configured.
- Cross-region Data Guard and database restore operations are not supported for databases that use Azure Key Vault for key management.
- PDB Operations Restriction: Remote PDB operations—such as clone, refresh, and relocate—are supported only if both the source and destination databases use the same Transparent Data Encryption (TDE) key.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
- Navigate to the cloud VM cluster you want to create the database in:
Cloud VM clusters (The New Exadata Cloud Infrastructure Resource Model): Under Oracle Exadata Database Service on Dedicated Infrastructure, click Exadata VM Clusters. In the list of VM clusters, find the VM cluster you want to access and click its highlighted name to view the details page for the cluster.
- Click Create Database.
- In the Create Database dialog, enter the following:
Note
You cannot modify the db_name, db_unique_name, and SID prefix after creating the database.
- Database name: The name for the database. The database name must meet the requirements:
- Maximum of 8 characters
- Contain only alphanumeric characters
- Begin with an alphabetic character
- Cannot be part of the first 8 characters of a DB_UNIQUE_NAME on the VM cluster
- DO NOT use the following reserved names: grid, ASM
- Database unique name suffix: Optionally, specify a value for the DB_UNIQUE_NAME database parameter. The value is case insensitive. The unique name must meet the requirements:
- Maximum of 30 characters
- Contain only alphanumeric or underscore (_) characters
- Begin with an alphabetic character
- Unique across the VM cluster. Recommended to be unique across the tenancy.
If not specified, the system automatically generates a unique name value, as follows: <db_name>_<3_chars_unique_string>_<region-name>
- Database version: The version of the database. You can mix database versions on the Exadata VM cluster.
- PDB name: (Optional) For Oracle Database 12c (12.1.0.2) and later, you can specify the name of the pluggable database. The PDB name must begin with an alphabetic character, and can contain a maximum of eight alphanumeric characters. The only special character permitted is the underscore ( _).
To avoid potential service name collisions when using Oracle Net Services to connect to the PDB, ensure that the PDB name is unique across the entire VM cluster. If you do not provide the name of the first PDB, then a system-generated name is used.
- Database Home: The Oracle Database Home for the database. Choose the applicable option:
- Select an existing Database Home: The Database Home display name field allows you to choose the Database Home from the existing homes for the database version you specified. If no Database Home with that version exists, you must create a new one.
- Create a new Database Home: Use this option to provision a new Database Home for your Data Guard peer database.
Click Change Database Image to use a desired Oracle-published image or a custom database software image that you have created in advance, then select an Image Type:
- Oracle Provided Database Software Images: You can use the Display all available version switch to choose from all available PSUs and RUs. The most recent release for each major version is indicated with a latest label.
Note
For the Oracle Database major version releases available in Oracle Cloud Infrastructure, images are provided for the current version plus the three most recent older versions (N through N - 3). For example, if an instance is using Oracle Database 19c, and the latest version of 19c offered is 19.8.0.0.0, images available for provisioning are for versions 19.8.0.0.0, 19.7.0.0, 19.6.0.0 and 19.5.0.0.
- Custom Database Software Images: These images are created by your organization and contain customized configurations of software updates and patches. Use the Select a compartment, Select a region, and Select a Database version selectors to limit the list of custom database software images to a specific compartment, region, or Oracle Database software major release version.
Region filter defaults to the currently connected region and lists all the software images created in that region. When you choose a different region, the software image list is refreshed to display the software images created in the selected region.
- Create administrator credentials: (Read only) A database administrator SYS user will be created with the password you supply.
- Username: SYS
- Password: Supply the password for this user. The password must meet the following criteria:
A strong password for SYS, SYSTEM, TDE wallet, and PDB Admin. The password must be 9 to 30 characters and contain at least two uppercase, two lowercase, two numeric, and two special characters. The special characters must be _, #, or -. The password must not contain the username (SYS, SYSTEM, and so on) or the word "oracle" either in forward or reversed order and regardless of casing.
- Confirm password: Re-enter the SYS password you specified.
- Using a TDE wallet password is optional. If you are using customer-managed encryption keys stored in a vault in your tenancy, the TDE wallet password is not applicable to your VM Cluster. Use Show Advanced Options at the end of the Create Database dialog to configure customer-managed keys.
If you are using customer-managed keys, or if you want to specify a different TDE wallet password, uncheck the Use the administrator password for the TDE wallet box. If you are using customer-managed keys, leave the TDE password fields blank. To set the TDE wallet password manually, enter a password in the Enter TDE wallet password field, and then confirm by entering it into the Confirm TDE wallet password field.
- Configure database backups: Specify the settings for backing up the database to Autonomous Recovery Service or Object Storage:
- Enable automatic backup: Check the check box to enable automatic incremental backups for this database. If you are creating a database in a security zone compartment, you must enable automatic backups.
- Backup Destination: Your choices are Autonomous Recovery Service or Object Storage.
- Backup Scheduling:
- Object Storage (L0):
- Full backup scheduling day: Choose a day of the week for the initial and future L0 backups to start.
- Full backup scheduling time (UTC): Specify the time window when the full backups start when the automatic backup capability is selected.
- Take the first backup immediately: A full backup is an operating system backup of all datafiles and the control file that constitute an Oracle Database. A full backup should also include the parameter file(s) associated with the database. You can take a full database backup when the database is shut down or while the database is open. You should not normally take a full backup after an instance failure or other unusual circumstances.
If you choose to defer the first full backup, your database may not be recoverable in the event of a database failure.
- Object Storage (L1):
- Incremental backup scheduling time (UTC): Specify the time window when the incremental backups start when the automatic backup capability is selected.
- Autonomous Recovery Service (L0):
- Scheduled day for initial backup: Choose a day of the week for the initial backup.
- Scheduled time for initial backup (UTC): Select the time window for the initial backup.
- Take the first backup immediately: A full backup is an operating system backup of all datafiles and the control file that constitute an Oracle Database. A full backup should also include the parameter file(s) associated with the database. You can take a full database backup when the database is shut down or while the database is open. You should not normally take a full backup after an instance failure or other unusual circumstances.
If you choose to defer the first full backup, your database may not be recoverable in the event of a database failure.
- Autonomous Recovery Service (L1):
- Scheduled time for daily backup (UTC): Specify the time window when the incremental backups start when the automatic backup capability is selected.
- Deletion options after database termination: Options that you can use to retain protected database backups after the database is terminated. These options can also help restore the database from backups in case of accidental or malicious damage to the database.
- Retain backups for the period specified in your protection policy or backup retention period: Select this option if you want to retain database backups for the entire period defined in the Object Storage Backup retention period or Autonomous Recovery Service protection policy after the database is terminated.
- Retain backups for 72 hours, then delete: Select this option to retain backups for a period of 72 hours after you terminate the database.
- Backup Retention Period/Protection Policy: If you choose to enable automatic backups, you can choose a policy with one of the following preset retention periods, or a Custom policy.
Object Storage Backup retention period: 7, 15, 30, 45, 60. Default: 30 days. The system automatically deletes your incremental backups at the end of your chosen retention period.
Autonomous Recovery Service protection policy:
- Bronze: 14 days
- Silver: 35 days
- Gold: 65 days
- Platinum: 95 days
- Custom defined by you
- Default: Silver - 35 days
- Enable Real-Time Data Protection: Real-time protection is the continuous transfer of redo changes from a protected database to Autonomous Recovery Service. This reduces data loss and provides a recovery point objective (RPO) near 0. This is an extra cost option.
- Click Show Advanced Options to specify advanced options for the database:
- Management:
Oracle SID prefix: The Oracle Database instance number is automatically added to the SID prefix to create the INSTANCE_NAME database parameter. The INSTANCE_NAME parameter is also known as the SID. The SID is unique across the cloud VM Cluster. If not specified, the SID prefix defaults to the db_name.
Note
Entering an SID prefix is only available for Oracle 12.1 databases and above.
The SID prefix must meet the requirements:
- Maximum of 12 characters
- Contain only alphanumeric characters. You can, however, use underscore (_), which is the only special character that is not restricted by this naming convention.
- Begin with an alphabetic character
- Unique in the VM cluster
- DO NOT use the following reserved names: grid, ASM
- Character set: The character set for the database. The default is AL32UTF8.
- National character set: The national character set for the database. The default is AL16UTF16.
- Encryption:
If you are creating a database in an Exadata Cloud Service VM Cluster, then you can choose to use encryption based on encryption keys that you manage. By default, the database is configured using Oracle-managed encryption keys.
- To configure the database with encryption based on encryption keys you manage:
Note
If Azure key management or GCP Customer Managed Encryption Key is disabled at the VM cluster level, you will have three key management options: Oracle Wallet, OCI Vault, and Oracle Key Vault.
- OCI Vault:
- You must have a valid encryption key in Oracle Cloud Infrastructure Vault service. See Let security admins manage vaults, keys, and secrets.
Note
You must use AES-256 encryption keys for your database.
- Choose a Vault.
- Select a Master encryption key.
- To specify a key version other than the latest version of the selected key, check Choose the key version and enter the OCID of the key you want to use in the Key version OCID field.
Note
The Key version will only be assigned to the container database (CDB), and not to its pluggable database (PDB). PDB will be assigned an automatically generated new key version.
- Oracle Key Vault: Choose a compartment and select a key store from the chosen compartment.
- To create a database using Azure Key Vault as key management:
Note
If Azure key management is enabled at the VM cluster level, you will have two key management options: Oracle Wallet and Azure Key Vault.
- Select your Key Management type as Azure Key Vault.
- Select the Vault available in your compartment.
Note
The Vault list populates only registered vaults. Click the Register new vaults link to register your vault. From the Register Azure key vaults page, select your vault, and then click Register.
Note
At least one key must be registered in your vaults.
- Select the Key available in your compartment.
- To create a database using GCP Customer Managed Encryption Key as key management:
Note
If GCP Customer Managed Encryption Key is enabled, you will have two key management options: Oracle Wallet and GCP Customer Managed Encryption Key.
- Select GCP Customer Managed Encryption Key as your Key Management option.
- Select the Key ring available in your compartment.
Note
Only registered key rings are listed.
If your desired key ring is not visible, it may not have been registered yet. Click Register Key Rings to discover and register it.
For detailed instructions, refer to Register GCP Key Ring in Oracle Cloud Infrastructure (OCI).
- Select the encryption key within the selected Key ring and compartment.
- Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
- Click Create Database.
You can now:
- Create or delete a CDB while a Data Guard setup is running on another database within the same Oracle home, and vice versa.
- Create or delete a CDB while concurrently performing Data Guard actions (switchover, failover, and reinstate) within the same Oracle home, and vice versa.
- Create or delete a CDB while concurrently creating or deleting a PDB within the same Oracle home, and vice versa.
- Create or delete a CDB concurrently within the same Oracle home.
- Create or delete a CDB while simultaneously updating VM Cluster tags.
After database creation is complete, the status changes from Provisioning to Available, and on the database details page for the new database, the Encryption section displays the encryption key name and the encryption key OCID.
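The naming and password rules from the Create Database dialog above, encoded as pre-flight checks you can run before submitting the form. This is an added example, not Oracle's documentation or tooling; the sample names, the DB_UNIQUE_NAME assumed to already exist on the cluster, and the choice to screen only SYS and SYSTEM as usernames in the password check are constructed assumptions.

```python
"""Pre-flight checks for the Create Database dialog's naming and password rules."""
import re
import string

RESERVED_NAMES = {"grid", "asm"}      # "grid" and "ASM", compared case-insensitively
SPECIALS = set("_#-")                 # the only special characters a password may use
ADMIN_USERNAMES = ("sys", "system")   # page says "SYS, SYSTEM, and so on"; assumption: just these

def _identifier_errors(value, max_len, allow_underscore, reserved=frozenset()):
    """Rules shared by db_name, DB_UNIQUE_NAME and the SID prefix; [] means valid."""
    errors = []
    if not 1 <= len(value) <= max_len:
        errors.append(f"must be 1 to {max_len} characters")
    pattern = r"[A-Za-z0-9_]+" if allow_underscore else r"[A-Za-z0-9]+"
    if not re.fullmatch(pattern, value):
        kinds = "alphanumeric or underscore" if allow_underscore else "alphanumeric"
        errors.append(f"must contain only {kinds} characters")
    if not value[:1].isalpha():
        errors.append("must begin with an alphabetic character")
    if value.lower() in reserved:
        errors.append("grid and ASM are reserved names")
    return errors

def validate_db_name(db_name, cluster_unique_names=()):
    """db_name rules; cluster_unique_names are DB_UNIQUE_NAMEs already on the VM cluster."""
    errors = _identifier_errors(db_name, 8, allow_underscore=False, reserved=RESERVED_NAMES)
    # The name must not be part of the first 8 characters of any existing DB_UNIQUE_NAME.
    for unique_name in cluster_unique_names:
        if db_name and db_name.lower() in unique_name[:8].lower():
            errors.append(f"is part of the first 8 characters of DB_UNIQUE_NAME {unique_name}")
    return errors

def validate_db_unique_name(unique_name):
    """DB_UNIQUE_NAME rules (uniqueness across the cluster is enforced by the service)."""
    return _identifier_errors(unique_name, 30, allow_underscore=True)

def validate_sid_prefix(sid_prefix):
    """SID prefix rules; underscore is the one permitted special character."""
    return _identifier_errors(sid_prefix, 12, allow_underscore=True, reserved=RESERVED_NAMES)

def validate_admin_password(password, usernames=ADMIN_USERNAMES):
    """Policy shared by the SYS, SYSTEM, TDE wallet and PDB Admin passwords."""
    errors = []
    if not 9 <= len(password) <= 30:
        errors.append("must be 9 to 30 characters")
    classes = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
               "numeric": string.digits, "special (_ # -)": SPECIALS}
    errors += [f"must contain at least two {kind} characters"
               for kind, chars in classes.items() if sum(c in chars for c in password) < 2]
    allowed = set(string.ascii_letters + string.digits) | SPECIALS
    if any(c not in allowed for c in password):
        errors.append("only letters, digits and the special characters _ # - are allowed")
    lowered = password.lower()
    for word in (*usernames, "oracle"):  # banned in forward or reversed order, any casing
        if word in lowered or word[::-1] in lowered:
            errors.append(f"must not contain '{word}' forwards or reversed")
    return errors

def validate_create_database(db_name, unique_name, sid_prefix, password, cluster_unique_names=()):
    """Collect every violation keyed by field; an empty dict means the request passes."""
    report = {
        "db_name": validate_db_name(db_name, cluster_unique_names),
        "db_unique_name": validate_db_unique_name(unique_name),
        "sid_prefix": validate_sid_prefix(sid_prefix),
        "password": validate_admin_password(password),
    }
    return {field: errs for field, errs in report.items() if errs}

if __name__ == "__main__":
    # Constructed sample: one DB_UNIQUE_NAME already on the cluster, two candidate requests.
    existing = ["FINPRD_k7x_frankfurt"]
    print(validate_create_database("FINPRD", "FINPRD_q2m_london", "FINPRD", "Welc0me#Db_2024", existing))
    print(validate_create_database("HRPRD", "HRPRD_a1b_london", "HRPRD_01", "Str0ng#Pwd_24", existing))
```

The first request fails only on db_name, because FINPRD is part of the first 8 characters of the existing DB_UNIQUE_NAME; the second passes every rule.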
WARNING:
Do not delete the encryption key from the vault. This causes any database protected by the key to become unavailable.
Change the Key Management from Oracle Wallet to GCP Customer Managed Encryption Key (CMEK)
To change encryption keys between different encryption methods, use this procedure.
- You cannot migrate from GCP Customer Managed Encryption Key to Oracle Wallet.
- Your database will experience a brief downtime while the key management configuration is being updated.
- Navigate to your database details page in the OCI console.
- In the Encryption section, verify that Key management is set to Oracle Wallet, and then click the Change link.
- Enter the following information on the Change key management page.
- Select your Key management as GCP Customer Managed Encryption Key from the drop-down list.
- Select the compartment you are using, and then choose the Key Ring available in that compartment.
- Next, select the Key compartment you are using, and then choose the desired Key from the drop-down list.
- Click Save changes.
Rotate the GCP Customer Managed Encryption Key of a Container Database (CDB)
To rotate the GCP Customer Managed Encryption Key of a container database (CDB), use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM Clusters, click the name of the VM cluster that contains the database whose encryption keys you want to rotate.
- Click Databases.
- Click the name of the database whose encryption keys you want to rotate.
The Database Details page displays information about the selected database.
- In the Encryption section, verify that the Key Management is set to GCP Customer Managed Encryption Key, and then click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
Rotate the GCP Customer Managed Encryption Key of a Pluggable Database (PDB)
To rotate the GCP Customer Managed Encryption Key of a pluggable database (PDB), use this procedure.
- Open the navigation menu. Click Oracle Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM clusters, click the name of the VM cluster that contains the PDB whose encryption keys you want to rotate to display the cluster details page.
- Under Databases, find the database containing the PDB whose encryption keys you want to rotate.
- Click the name of the database to view the Database Details page.
- Click Pluggable Databases in the Resources section of the page.
A list of existing PDBs in this database is displayed.
- Click the name of the PDB whose encryption keys you want to rotate.
The pluggable database details page is displayed.
- In the Encryption section, verify that Key management is set to GCP Customer Managed Encryption Key.
- Click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
Using the API to Manage GCP KMS Integration for Exadata Database Service on Oracle Database@Google Cloud
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
The following resources will be made available to customers through OCI SDK, CLI, and Terraform. These APIs will be used by customers who wish to integrate Oracle Database on Exadata with Google Cloud Services.
Table 5-10 OracleDbGcpIdentityConnectors

API | Description
---|---
ListOracleDbGcpIdentityConnectors | Lists all GCP Identity Connector resources based on the specified filters.
GetOracleDbGcpIdentityConnector | Retrieves detailed information about a specific GCP Identity Connector resource.
CreateOracleDbGcpIdentityConnector | Creates a new GCP Identity Connector resource for the specified ExaDB-D VM Cluster.
UpdateOracleDbGcpIdentityConnector | Updates the configuration details of an existing GCP Identity Connector resource.
ChangeOracleDbGcpIdentityConnectorCompartment | Moves the GCP Identity Connector resource to a different compartment.
DeleteOracleDbGcpIdentityConnector | Deletes the specified GCP Identity Connector resource.

Table 5-11 OracleDbGcpKeyRings

API | Description
---|---
ListOracleDbGcpKeyRings | Lists all GCP Key Ring resources based on the specified filters.
CreateOracleDbGcpKeyRing | Creates a new GCP Key Ring resource.
ChangeOracleDbGcpKeyRingCompartment | Moves the GCP Key Ring resource to a different compartment.
RefreshOracleDbGcpKeyRing | Refreshes the details of a GCP Key Ring resource.
GetOracleDbGcpKeyRing | Retrieves detailed information about a specific GCP Key Ring resource.
UpdateOracleDbGcpKeyRing | Updates the configuration details of an existing GCP Key Ring resource.
DeleteOracleDbGcpKeyRing | Deletes the specified GCP Key Ring resource.
Table 5-12 OracleDbGcpKeyKeys

API | Description
---|---
ListOracleDbGcpKeys | Lists all GCP Key resources based on the specified filters.
GetOracleDbGcpKey | Retrieves detailed information about a specific GCP Key resource.