Cross-Region Data Guard Enablement
Review the prerequisites for enabling cross-region Data Guard when databases use cloud service provider (CSP) key management solutions.
Oracle currently supports the following cloud service provider key management services for managing Transparent Data Encryption (TDE) master encryption keys when configuring cross-region Data Guard:
- Microsoft Azure: Azure Key Vault (Standard and Premium) and Managed HSM
- Google Cloud: Customer-Managed Encryption Keys (CMEK)
- AWS: AWS Key Management Service (KMS) and CloudHSM
- Prerequisites
  Ensure that the following requirements are met before configuring Cross-Region Data Guard.
- Replicate Key Resources Across Regions
  Before replicating encryption resources across regions, ensure that all prerequisites are met.
- Delete Replicated Encryption Resources
  Delete replicated encryption resources only after confirming that no active associations or dependencies exist.
- Encryption Resource Deletion Guidelines
  Guidelines for deleting replicated and non-replicated encryption resources across multiple cloud service providers, based on their association and replication status.
- Lifecycle States of Replicated Encryption Resources
  A replicated encryption resource can be in one of the following lifecycle states.
- Enable Data Guard for Databases using Azure, Google Cloud, and AWS Key Management Services
  Before enabling Data Guard, verify the key management configuration on the primary database.
Prerequisites
Ensure that the following requirements are met before configuring Cross-Region Data Guard.
Key Management and Replication Requirements
The encryption key resource must be replicated from the source region to the destination region. Depending on the key management service used, this includes replicating the vault, key ring, or encryption key.
VM Cluster Configuration Requirements
The VM cluster hosting the standby database must meet the following requirements:
- An identity connector must be created (applicable when using Azure Key Vault).
- Cloud service provider key management must be enabled for the VM cluster using one of the supported services:
  - Azure Key Vault (AKV)
  - Google Cloud Customer-Managed Encryption Keys (CMEK)
  - AWS Key Management Service (AWS KMS)
For detailed configuration steps, see the following sections:
- Prerequisites for configuring Azure Key Vault as the key management service for your databases and Network Requirements for Creating an Identity Connector and KMS Resources.
- Prerequisites for configuring Google Cloud Customer-Managed Encryption Keys (CMEK) as the key management service for your databases.
- Prerequisites for configuring AWS KMS as the key management service for your databases.
Additional Disaster Recovery Guidance
For information about implementing cross-region disaster recovery using Active Data Guard with multicloud deployments, refer to the following solution guides:
- Oracle Exadata Database Service on Oracle Database@AWS
- Oracle Exadata Database Service on Oracle Database@Azure
- Oracle Exadata Database Service on Oracle Database@Google Cloud
Restrictions
Be aware of the following limitations:
- The source and destination container databases (CDBs) must use the same TDE master encryption key.
- Refreshable clone PDBs are not supported on the standby database.
Replicate Key Resources Across Regions
Before replicating encryption resources across regions, ensure that all prerequisites are met.
- Open the navigation menu.
- Click Oracle AI Database, then Database Multicloud Integrations, and then one of the following:
  - Microsoft Azure Integration
  - Google Cloud Integration
  - AWS Integration
To replicate an Azure Key Vault
- Click Azure Key Vaults.
- Select the required vault from the list.
- From the Actions menu, select Replicate Azure key vault.
- Select the target region.
- Click Replicate.
After the operation completes, you can view the replicated key vault details, including the region and replication status, in the Cross-region Replications tab.
To replicate a GCP Key Ring
- Click GCP Key Rings.
- Select the required key ring from the list.
- From the Actions menu, select Replicate GCP key ring.
- Select the target region.
- Click Replicate.
After the operation completes, you can view the replicated key ring details, including the region and replication status, in the Cross-region Replications tab.
To replicate an AWS Key
- Click AWS Keys.
- Select the required key from the list.
- From the Actions menu, select Replicate AWS Key.
- Select the target region.
- Click Replicate.
After the operation completes, you can view the replicated key details, including the region and replication status, in the Cross-region Replications tab.
Delete Replicated Encryption Resources
Delete replicated encryption resources only after confirming that no active associations or dependencies exist.
- Open the navigation menu.
- Click Oracle AI Database, then Database Multicloud Integrations, and then one of the following:
  - Microsoft Azure Integration
  - Google Cloud Integration
  - AWS Integration
To delete an Azure Key Vault
- Click Azure Key Vaults.
- Select the compartment.
  The list of vaults is displayed.
- Select the vault you're interested in.
- From the Actions menu, select Delete.
- In the confirmation dialog box, enter DELETE to confirm the action.
- Click Delete.
To delete a GCP Key Ring
- Click GCP Key Rings.
- Select the compartment.
  The list of GCP Key Rings is displayed.
- Select the Key Ring you're interested in.
- From the Actions menu, select Delete.
- In the confirmation dialog box, enter DELETE to confirm the action.
- Click Delete.
To delete an AWS Key
- Click AWS Keys.
- Select the compartment.
  The list of AWS Keys is displayed.
- Select the AWS Key you're interested in.
- From the Actions menu, select Delete.
- In the confirmation dialog box, enter DELETE to confirm the action.
- Click Delete.
Encryption Resource Deletion Guidelines
Guidelines for deleting replicated and non-replicated encryption resources across multiple cloud service providers, based on their association and replication status.
Non-Replicated Encryption Resource
Azure Key Vault
An Azure Key Vault cannot be deleted if it has active Identity Connector associations.
To proceed:
- Identify Identity Connector association(s) referencing Azure Key Vault <OCID> in <REGION>.
- Remove the association(s), or reassign dependent resources to a different Key Vault.
- Retry the delete operation.
Google Cloud KMS (Customer-Managed Encryption Key, CMEK)
A GCP Key Ring cannot be deleted if it contains keys actively associated with resources (for example, databases created using CMEK).
To proceed:
- Identify resources currently using keys from the Key Ring.
- Reconfigure those resources to use a different encryption key, or delete the dependent resources.
- Retry the delete operation once all associations are removed.
AWS Key Management Service (AWS KMS)
An AWS KMS key cannot be deleted if it has active associations (for example, databases encrypted using AWS KMS).
AWS KMS keys are not deleted immediately; they must be scheduled for deletion and are subject to a mandatory waiting period.
To proceed:
- Identify resources currently encrypted with the KMS key.
- Reconfigure or delete the dependent resources.
- Schedule the key for deletion once all dependencies are removed.
Key Takeaways
- Always check for active associations before attempting deletion.
- Replicated resources require additional care since associations may exist across primary and standby regions.
- Non-replicated resources follow cloud-provider–specific rules and cannot be deleted until dependencies are cleared.
Replicated Encryption Resource
You can delete a replicated encryption resource from either the primary region or a standby region.
- Deletion from the primary region:
The resource is deleted from the primary region and automatically removed from all associated standby (replicated) regions.
- Deletion from a standby region:
The resource is deleted only from the selected standby region. The resource remains unchanged in the primary region and any other standby regions.
Lifecycle States of Replicated Encryption Resources
A replicated encryption resource can be in one of the following lifecycle states.
- CREATING: The replicated encryption resource is being created.
- ACTIVE: The replicated encryption resource has been successfully created and is operational.
- UPDATING: The replicated encryption resource is being modified.
- DELETING: The replicated encryption resource is in the process of being deleted.
- DELETED: The replicated encryption resource has been deleted and is no longer available.
- FAILED: The replicated encryption resource operation failed. Review the associated logs or error messages for more information.
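The deletion rules and lifecycle states above, as an added example (not Oracle code or an OCI API): a pre-deletion check over a hypothetical inventory record that reports which regions a delete touches and what still blocks it. The `ReplicatedResource` model, the region names, and the choice to treat in-progress states as blockers are assumptions of this example.

```python
from dataclasses import dataclass, field

# Hypothetical inventory model (not an OCI API); fill it from your own records.
@dataclass
class ReplicatedResource:
    name: str
    primary_region: str
    states: dict                 # region -> lifecycle state from the list above
    associations: dict = field(default_factory=dict)  # region -> dependent resources

IN_PROGRESS = {"CREATING", "UPDATING", "DELETING"}

def deletion_plan(res, delete_from):
    """Return (affected_regions, blockers) for deleting `res` from `delete_from`."""
    if res.states.get(delete_from, "DELETED") == "DELETED":
        raise ValueError(f"{res.name} has no live copy in {delete_from}")
    live = sorted(r for r, s in res.states.items() if s != "DELETED")
    # Deleting from the primary region also removes every standby copy;
    # deleting from a standby region removes only that copy.
    affected = live if delete_from == res.primary_region else [delete_from]
    blockers = []
    for region in affected:
        state = res.states[region]
        # Assumption of this example: wait for in-flight operations to settle.
        if state in IN_PROGRESS:
            blockers.append(f"{region}: operation in progress ({state})")
        # Active associations must be cleared in every region the delete reaches.
        for user in res.associations.get(region, []):
            blockers.append(f"{region}: still associated with {user}")
    return affected, blockers

# Constructed sample: one key replicated from a primary to two standby regions.
SAMPLE = ReplicatedResource(
    name="tde-mek-example",
    primary_region="region-a",
    states={"region-a": "ACTIVE", "region-b": "ACTIVE", "region-c": "UPDATING"},
    associations={"region-b": ["standby-cdb-1"]},
)

if __name__ == "__main__":
    for region in ("region-a", "region-b", "region-c"):
        affected, blockers = deletion_plan(SAMPLE, region)
        print(f"delete from {region}: affects {affected}")
        for b in blockers or ["no blockers found"]:
            print("   ", b)
```

A delete issued in the primary region inherits the blockers of every standby copy, which is why the sample's primary delete is blocked even though the primary region itself has no associations.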
Enable Data Guard for Databases using Azure, Google Cloud, and AWS Key Management Services
Before enabling Data Guard, verify the key management configuration on the primary database.
- Navigate to the Database Details page of the primary database where you plan to enable Data Guard.
- In the Encryption section, review the values under Key Management.
Confirm the values based on your configured key management service:
  - If using Azure Key Vault
    - Key Management: Azure Key Vault
    - Vault: Vault name
    - Key: Key value
  - If using Google Cloud CMEK
    - Key Management: GCP Customer-Managed Encryption Key (CMEK)
    - Key Ring: Key ring value
    - Key: Key value
  - If using AWS KMS
    - Key Management: AWS Customer-Managed Key (CMK)
    - Key: Key value
For the generic Data Guard enablement procedure, see To Enable Data Guard on an Exadata Cloud Infrastructure System.