Oracle Cloud Infrastructure Documentation

Get Started with Operations Insights

Supported Configurations for Operations Insights

The following chart highlights supported configurations available for Operations Insights

Table 2-1 Operations Insights Supported Configurations

Categories Features OCI Autonomous Shared and Dedicated Databases OCI Database Cloud Service Databases * Exadata Database Service on Dedicated Infrastructure Agent- Monitored External Databases and Hosts (on-premises) + Enterprise Manager Databases and Hosts (On-premises) #
Capacity Planning Database Capacity Planning AVAILABLE

(Exadata Cloud@Customer not supported)

 AVAILABLE AVAILABLE AVAILABLE AVAILABLE
Host Capacity Planning NOT APPLICABLE AVAILABLE

(Network and Storage Metrics are not supported for host targets onboarded via Oracle Database or Exadata Database Service)

 AVAILABLE

(Network and Storage Metrics are not supported for host targets onboarded via Oracle Database or Exadata Database Service)

 AVAILABLE

(Includes OCI Compute)

 AVAILABLE
SQL Warehouse SQL Warehouse AVAILABLE AVAILABLE AVAILABLE AVAILABLE AVAILABLE
SQL Explorer AVAILABLE

(With Full Features)

 AVAILABLE AVAILABLE

(Databases running on it)

 AVAILABLE AVAILABLE

(EM 13.5 RU13+)
SQL Insights AVAILABLE

(With Full Features)

 AVAILABLE AVAILABLE

(Databases running on it)

 AVAILABLE AVAILABLE

(EM 13.5 RU13+)
Exadata Insights Exadata Insights NOT APPLICABLE NOT APPLICABLE AVAILABLE NOT CURRENTLY AVAILABLE AVAILABLE
Exadata Explorer NOT APPLICABLE NOT APPLICABLE AVAILABLE NOT CURRENTLY AVAILABLE AVAILABLE
Other ADDM Spotlight Available

(With Full Features)

 AVAILABLE AVAILABLE AVAILABLE NOT CURRENTLY AVAILABLE
News Reports AVAILABLE AVAILABLE AVAILABLE AVAILABLE AVAILABLE
Warehouses AWR Hub AVAILABLE

(No database patches needed)

 NOT CURRENTLY AVAILABLE NOT CURRENTLY AVAILABLE AVAILABLE

(Database patches needed)

 AVAILABLE

(Database patches needed)
AWR Explorer AVAILABLE NOT CURRENTLY AVAILABLE NOT CURRENTLY AVAILABLE AVAILABLE AVAILABLE
EM Warehouse NOT APPLICABLE NOT APPLICABLE NOT APPLICABLE NOT APPLICABLE AVAILABLE
Exadata Warehouse NOT APPLICABLE NOT APPLICABLE NOT APPLICABLE NOT APPLICABLE AVAILABLE
Key Value
* Bare Metal, Virtual Machine, Pluggable Databases 19c and above, and Non-Container Databases 12c and above
+ Linux, Solaris Sparc, Windows
# Linux, zLinux, Solaris, Windows, AIX

Exadata Database Machine, Exadata Cloud@Customer, Exadata Database on Dedicated Infrastructure

Note: Requires EM 13.5 RU13+

Explore Operations Insights Using Demo Mode

Use Demo Mode to explore Operations Insights functionality immediately without having to configure a monitored environment. When Demo Mode is enabled, Operations Insights is populated with curated data that lets you explore its various resource monitoring and analysis capabilities without having to create a comprehensive, resource-rich environment.

Note

Demo Mode uses a dedicated read-only tenancy and requires your tenancy administrator to set up the requisite demo policy and region subscription. Operations Insights provides an easy-to-use UI to implement these prerequisites if they have not been met.

When first creating the policies, it may take approximately 1 minute for the policies to take effect. So when exiting the dialog you may see an error banner the first time.

To enable Demo Mode, navigate to the Operations Insights Overview page and click Enable Demo Mode.
Graphic shows the Enable Demo Mode button highlighted on the Overview page.

When Demo Mode data is enabled, specific control functionality, such as the ability to add database/host resources or select compartments is deactivated.

To disable Demo Mode, navigate to the Overview page and click Disable Demo Mode. You will be returned to your original tenancy, and all Operations Insights control functions will be reactivated. Alternatively, you can click the Disable button in the red banner that appears at the top-right of any page while Demo Mode is enabled

OCI Prerequisites: Set Up Groups, Users and Policies

In OCI, you grant access to tasks and resources in an identity domain by assigning users to administrator roles. You also write policies to control access to a service, such as Operations Insights. Family resource-types (aggregate resource types) are predefined in OCI and they give access to components that are typically used together. For Operations Insights, this predefined resource type is called opsi-family.

Table 2-2 Summary of tasks

Task Type Details
Create an Administrator group Optional Create an Administrator Group and User
Create an Administrator user Optional Create an Administrator Group and User
Create a non-administrator user group Optional Create a Non-administrator Group and User
Create non-administrator users Optional Create a Non-administrator Group and User
Create Administrator policies Mandatory Create and Manage Policies With Policy Advisor
Create non-admnistrator user policies Mandatory Create and Manage Policies With Policy Advisor

Before you can start enabling and using Operations Insights, your tenancy administrator has to create at least one group of administrators (to configure OCI and enable Operations Insights) and non-administrators (to use Operations Insights). There is no requirement to create a separate group exclusively for Operations Insights, you may use groups you already have.

Create an Administrator Group and User

Define policies to give the group and the administrator accounts that belong to it the ability to enable Operations Insights on OCI resources.

The following procedures show an example of an Administrator group called opsi-admins, a user opsiadmin is added to this group, and a new policy is created called opsi-admin-policy that grants administrators Operations Insights enable/disable permissions on their full fleet of resources.

  1. Log into the Console as a tenancy administrator, open the navigation menu and click Governance and Administration, go to Identity and click Groups.
  2. Click Create Group and create a new group.
  3. Enter a meaningful name, for example opsi-adminsand, optionally a description.
  4. Click Create Group.
  5. Go back to Governance and Administration, select Identity and click Users. A list of the users in your tenancy displays.
  6. Click Create User and create one or more new users. Create a user named opsiadmin.
  7. Add the user opsiadmin to the opsi-admin group.
    1. Go back to Governance and Administration, select Identity, and then click Users.

      A list of the users in your tenancy displays.

    2. Select one or more users and add them to the group authorized to use Operations Insights.

Create a Non-administrator Group and User

In the following procedures, you will create a new group called opsi-users, add the user opsiuser to this group, create a new policy called opsi-user-policy, and add the user opsiuser to this group.

  1. Log in to the Console as your tenancy administrator and navigate to Governance and Administration > Identity and click Groups.

    A list of the groups in your tenancy displays.

  2. Click Create Group and create a new group.
  3. Enter a meaningful name. For example, opsi-users.
  4. (Optional) Enter a description. Avoid entering confidential information.
  5. Click Create Group.
  6. Go back to Governance and Administration, select Identity and click Users. A list of the users in your tenancy displays.
  7. Click Create User and create one or more new users. Create a user named opsiuser.
  8. Add opsiuser to the opsi-users group.
    1. Go back to Governance and Administration, select Identity, and then click Users.

      A list of the users in your tenancy displays.

    2. Select one or more users and add them to the group authorized to use Operations Insights.

Create and Manage Policies With Policy Advisor

Use Policy Advisor to quickly establish OCI permissions on resources that allow them to be enabled for Operations Insights. Policy Advisor is a centralized location where you can view, create, update, and delete policies required for Operations Insights.

Policy Advisor automates creating following policies:
  • Policies needed by users of Operations Insights (both administrators and read-only users).
  • Policies needed by Operations Insights service to function properly.
  • Policies to set up demo mode (optional).

Setup Prerequisite Policies for Operations Insights

As an administrator with the ability to create policies in the root compartment, follow these steps to set up the required prerequisite policies with Policy Advisor:
  1. From the Operations Insights Overview page, on the upper right hand click on Policy Advisor. This will launch the Policy Advisor wizard.
  2. Under the Resource access click the Configure button for Operations Insights. These policies will provide the prerequisites needed to use the Operations Insights service.
  3. In the Operations Insights service prerequisites window select the user groups that need to access to the prerequisite policies click on + Add user group. Check mark all groups required and check mark whether Administrator access or User access is required. When complete click Select.
  4. In the Operations Insights service prerequisites window you will now see the user groups and access level that you configured. To the right of this table select the Compartments that the user group may access. When all compartments have been added click Preview and apply changes.
  5. The Complete Prerequisites window allows you to preview the policy statements that will be applied, click Next to apply them.
  6. Once the prerequisite policies have been applied a green check mark will appear, to finish click Close. The prerequisite policies have been applied.

Setup and Manage Policies for Operations Insights Services

With Policy Advisor you can grant and modify the necessary policies for specific telemetry type and resource types that need to be analyzed with Operations Insights from your environment, both for the user group which will be performing this action and for the service itself.

The following is a list of telemetry and resource types whose policies can be managed from Policy Advisor:
  • Databases:
    • Autonomous databases on OCI
    • Bare metal, VM and Exa-DB databases on OCI
    • External Databases (via telemetry):
      • Enterprise Manager managed databases
      • OCI Management Agent managed databases
  • Compute instances and hosts
    • Computes instances on OCI
    • External hosts (via telemetry):
      • Enterprise Manager managed hosts
      • OCI Management Agent managed hosts
  • Exadata
    • Exadata systems (telemetry via Enterprise Manager)
    • Exadata Database Service on Dedicated Infrastructure (ExaDB-D)
  • News reports
To set up the specific policies first ensure that the necessary buckets have been created in the compartments to be used, and follow these steps:
  1. From the Operations Insights Overview page, on the upper right hand click on Policy Advisor. This will launch the Policy Advisor wizard.
  2. Under the Resource access tab you will see the names of the services that require policies to be applied for Operations Insights to work. Select the service you wish to edit and click the Configure button.
  3. In the Operations Insights service prerequisites window select the user groups that need to have their policy access modified
    1. To add user groups click on + Add user group. Check mark all groups required and check mark whether Administrator access or User access is required. When complete click Select.
    2. To remove user groups select the three dots to the right of a user group that has access and select Remove, this will remove it from the table.
  4. In the selected service prerequisites window you will now see the user groups and access level that you configured. To the right of this table select the Compartments that the user groups may access is visible.
    1. To add compartments click on the text box and select the appropriate compartments.
    2. To remove compartments click on the X to the right of each compartment.
    When all compartments have been modified click Preview and apply changes.
  5. The Complete Prerequisites window allows you to preview the policy statements that will be applied, showing first statements to be deleted and the policy statements that will be applied. Click Next to apply them.
  6. Once the prerequisite policies have been applied a green check mark will appear, to finish click Close. The prerequisite policies have been applied.

Create Policies Using the Console

It is strongly recommended to always use the Policy Advisor when setting up policies to ensure ease of use, and proper configuration. However if your environment requires more in-depth access control or granting the policies themselves manually these can be done using the console.

Create Administrator Policies

Users can only use Operations Insights if their group has been granted the requisite permissions. To allow the opsiadmin administrator to enable/disable Operations Insights on their full fleet of resources and access to all analytics data, you must create an identity policy to grant the opsi-admin user group permissions.
Note

All policies can be written at compartment-scoped level, except the Operations Insights Warehouse / AWR Hub which requires root/tenancy level.
  1. Log into the Console as your tenancy administrator, Open the navigation menu and under Governance and Administration, go to Identity and click Policies.
  2. Use the create a policy instructions and give the policy a meaningful name. For example, opsi-admin-policy.
  3. Add the following policy statement to allow the group to enable/disable Operations Insights or, to create/enable/disable a Management Agent host or an Enterprise Manager managed database, or to update/add tags to all Operations Insights resources. For example, if your admin group is called opsi-admin group and you want to add this policy at the tenancy level, add the following: 
    allow group opsi-admins to manage opsi-family in tenancy
allow group opsi-admins to manage management-dashboard-family in tenancy
    Note that policies can also be created at the compartment level.

    See also Details for Management Dashboard for more details on policies for using Dashboards.

  4. Depending on what resources you will be enabling add the following policies:
    Enabling Policies Details
    Autonomous Databases - basic features allow group opsi-admins to use autonomous-database-family in tenancy Basic features include Capacity Planning and SQL Warehouse.
    Autonomous Databases - full features allow group opsi-admins to use autonomous-database-family in tenancy

    allow group opsi-admins to manage virtual-network-family in tenancy

    allow group opsi-admins to read secret-family in tenancy

    allow group opsi-admins to read secret-family in tenancy

    allow service operations-insights to read secret-family in tenancy where ANY {target.vault.id = 'mydbVault'}

    allow service operations-insights to read autonomous-database-family in tenancy where ALL{request.operation='GenerateAutonomousDatabaseWallet'}

    Full features currently include SQL Explorer and ADDM Spotlight.

    Virtual network access is needed as part of the private endpoint reverse connection creation.

    Secret family access is required to read the database user password from OCI vault for running data collections against the database.

    Wallet generation permission is needed for connecting over mTLS to the database.

    See also Autonomous Database Full Feature Support.

    Bare Metal, VMs and ExaDB-D Databases

    allow group opsi-admins to use database-family in tenancy

    allow group opsi-admins to manage virtual-network-family in tenancy

    allow group opsi-admins to read secret-family in tenancy

    allow service operations-insights to read secret-family in tenancy where ANY {target.vault.id = 'mydbVault'}

    		 Access to Operations Insights is via private endpoint.

    Virtual network access is needed as part of the private endpoint reverse connection creation.

    Secret family access is required to read the database user password from OCI vault for running data collections against the database.
    External databases, hosts and Engineered Systems using Oracle Enterprise Manager

    allow dynamic-group opsienterprisemanagerbridge to read object-family in compartment MyBucketCompartment where ANY (target.bucket.name='embridge-bucket')

    allow group opsi-admins to inspect object-family in tenancy

    		 Enterprise Manager is an on-premises Oracle management solution that can integrate with OCI services and share data. You need to create a dynamic group to access the data in an Object Storage compartment, for example: ALL {resource.type='opsienterprisemanagerbridge'}

    If you will be enabling databases managed by Enterprise Manager (databases and hosts) see complete policies details under: Adding Enterprise Manager Targets.

    External databases and hosts using the OCI Management Agent

    allow group opsi-admins to use external-database-family in tenancy

    allow group opsi-admins to manage management-agent-install-keys in tenancy

    		 Any resources outside of OCI, such as on-premises databases that are not managed by Enterprise Manager, will require a Management Agent. If you will enable databases managed using a Management Agent, see also management agent policies.
    OCI Compute Instances

    allow group opsi-admins to manage management-agents in tenancy

    allow group opsi-admins to manage instance-family in tenancy

    allow group opsi-admins to read instance-agent-plugins in tenancy

    		 These instances can be enabled using Management Agents. See also the special policies under Deploy Management Agents on Compute Instances.
    AWR Hub (performance data from the Oracle Database Automatic Workload Repository) ADB-S: allow dynamic-group OPSI_AWR_Hub_Dynamic_Group to manage opsi-awr-hub-sources in tenancy

    ADB-D and external databases: allow group <User Group> to use opsi-awr-hub-sources in tenancy

    Legacy policy: allow opsi-admins to manage opsi-family in tenancy

    Note that there are additional policies required when you create an AWR Hub. You can add these through the guided creation process.

    For complete details see Analyze Automatic Workload Repository (AWR) Performance Data.

    EM Warehouse (continuous ingestion of EM data) allow group opsi-admins to manage opsi-em-warehouse-family in tenancy EM Warehouse continuously ingests Enterprise Manager repository metric data and stores it in an ADW Warehouse or OCI Object Store. See Analyze Automatic Workload Repository (AWR) Performance Data.
    Exadata Warehouse N/A Exadata Warehouse is a repository of data from on-premises and cloud-based Oracle Engineered Systems monitored by Enterprise Manager. See Exadata Warehouse.
    News reports allow service operations-insights to use ons-topics in compartment opsi_prod

    allow group opsi-admins to inspect ons-topic in tenancy

    		 News report generates weekly email reports on your OPSI monitored fleet using ONS (Oracle Notification Services). See: News Reports.
  5. Click Create.

Create Non-administrator Policies

Users can only use Operations Insights if their group has been granted the requisite permissions. To allow the opsiuser user to enable/disable Operations Insights on only Autonomous Databases within their tenancy, you must create an identity policy to grant the opsi-users user appropriate group permissions.

  1. Log in to the Console as your tenancy administrator and navigate to Governance and Administration > Identity and click Policies.
  2. Use the To create a policy instructions and give the policy a meaningful name. For example, opsi-user-policy.
  3. Add a policy statement to allow the group to enable/disable Operations Insights. For example, for the opsi-users group, add the following:
    allow group opsi-users to use opsi-family in tenancy
allow group opsi-users to read management-dashboard-family in tenancy
  4. Click Create.

For more fine grained control access to Operations Insights, see Details for Operations Insights.

Prerequisites for Enabling Resources

Operations Insights pulls in resource data from multiple sources. For example, some data may come from your databases (resources) in OCI and some data may come from on-premises databases. The Operations Insights interface allows you to select various telemetry types at setup time. Depending on the telemetry, adding resources require specific prerequisites to be met before enabling them for Operations Insights.

There are three telemetries where target data can be pulled from:

Here is a summary all prerequisites by telemetry type and by resource type:
Note

If you have not completed the setup for groups, users and policies, see OCI Prerequisites: Set Up Groups, Users and Policies.
Telemetry Type Resource Prerequisites
Cloud Infrastructure Autonomous Databases - basic features (includes Capacity Planning and SQL Warehouse) No prerequisites
Cloud Infrastructure Autonomous Databases - full features (includes basic features plus SQL Explorer, and ADDM Spotlight) Autonomous Database Full Feature Support
Cloud Infrastructure Bare Metal, Virtual Machines and ExaDB-D Databases Prerequisites for Enabling Database Cloud Service Databases and Exadata Cloud Service
Enterprise Manager External databases, hosts and Engineered Systems using Oracle Enterprise Manager Adding Enterprise Manager Targets
Agent Service External databases and hosts using the OCI Management Agent Agent Service: OCI Management Agent Based Resources
Cloud Infrastructure OCI Compute Instances Perform Prerequisites for Deploying Management Agents on Compute Instances

Warehouses
Source Description Prerequiste
Directly from databases AWR Hub stores detailed database performance data from the Oracle Database Automatic Workload Repository (AWR) Analyze Automatic Workload Repository (AWR) Performance Data
Enterprise Manager EM Warehouse (continuous ingestion of EM data via Cloud Bridge) Enterprise Manager Warehouse
Enterprise Manager Exadata Warehouse (repository of data from on-premises and cloud-based Oracle Engineered Systems monitored by Enterprise Manager) Exadata Warehouse

Cloud Infrastructure

If your resources exist in OCI, you will choose to add these resources using the telemetry option "Cloud Infrastructure". The prerequisites vary by the type of OCI resource as listed above.

Enterprise Manager

If your resources are already managed by Oracle Enterprise Manager, you can choose to add these resources using the telemetry option "Enterprise Manager". For complete details on prerequisites for enabling Enterprise Manager managed resources, see Adding Enterprise Manager Targets.

You can also setup the EM Warehouse to continuously ingest Enterprise Manager repository data (from one or more repositories) and store it in an ADW Warehouse or OCI Object Store. See: Enterprise Manager Warehouse.

Exadata Warehouse is a repository of data from on-premises and cloud-based Oracle Engineered Systems monitored by Enterprise Manager. For prerequisites of this setup, see Exadata Warehouse.

Agent Service: OCI Management Agent Based Resources

In order to enable Operations Insights on hosts or database systems outside of the Oracle Cloud, not managed by Enterprise Manager, you need to deploy a Management Agent. The agent will enable data collection for these resources.

Summary of prerequisites for enabling agent-based resources:

Task Type Details
Install and configure an OCI Management Agent Mandatory On-premises hosts and databases: Install and configure an OCI Management Agent

OCI Compute: Deploy Management Agents on Compute Instances
Create external databases and connectors in the external database handles Mandatory for external databases Create external database handles and connectors in the external database service

Install and configure an OCI Management Agent

Install an OCI Management Agent in order to monitor a database or a host. The Oracle Cloud Infrastructure Management Agent is required to establish a connection with an external database during the discovery process and to enable communication and data collection.

While the first step (creating the dynamic group for the agent) is no longer required, this video provides a good overview of the Management Agent installation.

For complete information on how to install Management Agents, see Install Management Agents.

If the resources you are enabling reside on OCI Compute instances, see Deploy Management Agents on Compute Instances.

Create external database handles and connectors in the external database service

If your resources are databases, create external database handles and connectors in the external database (outside of Operations Insights). In summary, these are the required steps:
  1. Discover the database: this creates a shell resource in OCI that Operations Insights will connect to.
  2. Create a database connector and attach the management agent you just installed to it.
  3. Repeat the prior steps for each PDB, if your databases are container databases.
For more information, see Creating External Database Handles.

Enabling Database Cloud Service Databases and Exadata Cloud Service

Operations Insights allows you to use the Capacity Planning and SQL Warehouse functionality to gain insight into Oracle Databases deployed in Oracle Cloud (Bare Metal, Virtual Machine VM, and Exadata Cloud Service).

Note

Exadata Database Service on Dedicated Infrastructure, Cloud@Customer and Database Machine support is available via the Enterprise Manager telemetry. See Add Exadata Systems Monitored by Enterprise Manager.

Using Operations Insights on Oracle Cloud Databases and Exadata systems allows you to:

  • Analyze resource usage of databases across cloud databases
  • Forecast future demand for database resources such as CPU, memory, and storage based on historical trends
  • Compare SQL performance across databases and identify common patterns
  • Monitor ASM disk group usage.
  • Analyze storage server (cell) I/O/Throughput.

The following topics are covered:

  1. Prerequisites

  2. Create a Private Endpoint

  3. Add a Cloud Service Database

  4. Add an Exadata Cloud Service System

  5. Add Exadata Systems Monitored by Enterprise Manager

Prerequisites

Permissions

The following Oracle Cloud Infrastructure service permissions are required to enable Operations Insights for Oracle Cloud Databases and additionally for Exadata Cloud Service systems.

  • Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions: To enable Operations Insights for Oracle Cloud Databases, you must have the required Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions.
    Note

    To use Exadata Insights, you must enable the Exadata target and not the database directly.
    Here's an example of a policy that grants the opsi-admins user group the permission to enable Operations Insights for the Oracle Cloud Databases in the tenancy:
    Note

    These policies can be compartment-scoped as well. 
    allow group opsi-admins to read database-family in tenancy
    For Exadata, the following policies are also required:
    Note

    These policies can be compartment-scoped as well. 
    allow group opsi-admins to read cloud-exadata-infrastructures in tenancy
    allow group opsi-admins to read cloud-vmclusters in tenancy

    For more information on specific Bare Metal and Virtual Machine DB systems and Exadata Cloud service resource-types and permissions, see Details for Bare Metal and Virtual Machine DB Systems and Details for Exadata Cloud Service Instances.

  • Networking service permissions: To work with the Operations Insights private endpoint and enable communication between Operations Insights and the Oracle Cloud Database, you must have the manage permission on the vnics resource-type and the use permission on the subnets resource-type and either the network-security-groups or security-lists resource-type (You can either open up network access via a network security group (the database should have been configured to use the same), or the subnet needs to have the appropriate security lists (the subnet the database resides in)).

    Here are examples of the individual policies that grant the opsi-admins user group the required permissions: 

    allow group opsi-admins to manage vnics in tenancy
allow group opsi-admins to use subnets in tenancy
allow group opsi-admins to use network-security-groups in tenancy
    
allow group opsi-admins to use security-lists in tenancy

    Or a single policy using the Networking service aggregate resource-type grants the opsi-admins user group the same permissions detailed in the preceding paragraph: 

    allow group opsi-admins to manage virtual-network-family in tenancy

    For more information on the Networking service resource-types and permissions, see the Networking section in Details for the Core Services.

  • Vault service permissions:

    Cloud database credentials are added to the OCI Vault service, so you will have to write a policy to allow Operations Insights to read them for metric data collections. To create new secrets or use existing secrets when specifying the database credentials to enable Operations Insights for Oracle Cloud Databases, you must have the manage permission on the secret-family aggregate resource-type.

    Here's an example of the policy that grants the opsi-admins user group the permission to create and use secrets in the tenancy: 

    allow group opsi-admins to manage secret-family in tenancy

    In addition to the user group policy for the Vault service, the following service policy is required to grant Operations Insights the permission to read database password secrets in a specific vault:

    allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
    Note

    Compartment ABC is the compartment of the vault. This compartment is not required to match the compartment of the database.

    For more information on the Vault service resource-types and permissions, see Details for the Vault Service.

Oracle Cloud Database-related Prerequisite

  • To enable and use Operations Insights for Oracle Cloud Databases, you must grant a database user, such as DBSNMP, the privileges required to access and monitor the Oracle Cloud Database. Important: When selecting a CDB, the database user must be a common user for all PDBs within the CDB.
    SQL> GRANT SELECT ANY DICTIONARY, SELECT_CATALOG_ROLE TO DBSNMP;
    For instructions on how to set up Oracle Database monitoring credentials, see Creating the Oracle Database Monitoring Credentials for Oracle Cloud Infrastructure Database Management and Operations Insights (Doc ID 2857604.1).
  • Before starting to add databases in Operations Insights execute the best practice script steps outlined in OCI : Best Practices / Troubleshooting Guide For Monitoring Databases In Operations Insights (Doc ID 2942938.1).
    Note

    It is strongly recommended the script be run every 6 months or if any databases are missing the storage or tablespace data.
  • Security best practices require that you change your passwords frequently, especially database passwords. The Security Technical Implementation Guide (STIG) and the Center for Internet Security (CIS) security benchmarks require regular password rotation. Oracle Database password lifetime is controlled through the user profiles, for more information see: Using a Password Management Policy.

    Changing the passwords for interactive database users such as DBAs is easy; they are forced to change it the next time they log into the database after their password has expired. However, the situation is more complicated when the database account is supporting an application like Database Management or Operations Insights running on multiple mid-tiers. If the password is changed in the database but not yet in these systems, they could repeatedly attempt to log in with the old password. This could result in account lockouts and potential service interruptions.

    Now you can follow security best practices for password update AND maintain application availability, this feature is available for Oracle Databases 19.12 and above. For more information see: Managing Gradual Database Password Rollover for Applications.

Enabling Network Communication

Specific network settings are required to enable communication between Operation Insights and Oracle Cloud Databases.

You must enable communication between Operations Insights and the Oracle Cloud Database by adding the ingress and egress security rules to an NSG or a Security List in the VCN in which the Oracle Cloud Database can be accessed.

Before you enable communication between Operations Insights and the Oracle Cloud Database, you must:

  • Ensure that you're familiar with security rules. For information, see Security Rules.
  • Depending on whether you want to use NSGs or Security Lists to add the ingress and egress rules, you must have the required permissions and be familiar with how to add security rules.
    Note

    • An NSG must be available to create an Operations Insights private endpoint. For more information, see Network Security Groups.
    • A security list rule that allows access over the database port <number> is applied to the NSG for access within the VCN or subnet CIDR block. For more information, see Security Lists.
  • Make a note of the Oracle Cloud Database private IP addresses and port details and the Operations Insights private IP addresses. These are details that you may have to enter when you add security rules, and here's information on where you can find them:
    • For Oracle Cloud Database port details, see the DB System Information section on the Database System Details page for Oracle Databases on Bare Metal and Virtual Machine DB systems. For Oracle Databases on Exadata Cloud service, see Network details on the Exadata VM Cluster Details page.
    • For Oracle Cloud Database private IP addresses, see the Nodes section on the Database System Details page for single instance databases on Bare Metal and Virtual Machine DB systems. For RAC databases, use the Scan IP Address, which is available on the DB System Details page for the Virtual Machine DB system and on the Exadata VM Cluster Details page for the Exadata Cloud service.

    Note that an Operations Insights private endpoint for single instance Oracle Cloud Databases in the Bare Metal and Virtual Machine DB systems has only one private IP address and an Operations Insights private endpoint for RAC Oracle Cloud Databases in the Virtual Machine DB system and Exadata Cloud service has two private IP addresses.

For Operations Insights to communicate with the Oracle Cloud Database, you must add ingress and egress security rules using either Network Security Groups (NSG) or Security Lists. The following examples illustrate how to enable communication between an Operations Insights private endpoint and the Oracle Databases on a Virtual Machine DB system using NSGs and Security Lists.

Create an NSG to enable communication between the Operations Insights private endpoint and a Virtual Machine DB system

In the following example, an NSG is created and added to:

  • A Virtual Machine DB system
  • An Operations Insights private endpoint for single instance Oracle Cloud Databases (which is already created)

On completing the tasks listed in this example, the Operations Insights private endpoint will have access to all the single instance databases in the Virtual Machine DB system's VCN without impacting the VCN's subnet architecture.

For information on creating an NSG in the Virtual Machine DB system's VCN, see To create an NSG.

When creating the NSG, add the following stateful security rules. These security rules will then be added to the Virtual Machine DB system's VCN:
Note

The Virtual Machine DB system's VCN port is configured by the user, enter the port number you previously configured.
  • Ingress rule for the Virtual Machine DB system's VCN: The Virtual Machine DB system's VCN can receive incoming traffic from the Operations Insights private endpoint's subnet (10.0.0.0/24) from any port.
  • Egress rule for the Operations Insights private endpoint: The Operations Insights private endpoint's subnet (from any port) can send requests to the Virtual Machine DB system's VCN (10.0.0.0/16) on port 1521.
Note

Enter the port you have configured for the TCPS enabled database if the port is different from 1521.

Security rules in an NSG

After you create the NSG, you must add it to the Virtual Machine DB system and the Operations Insights private endpoint.

For information on how to add the NSG to the Virtual Machine DB system, see To edit the Network Security Groups (NSGs) for your DB System.

To add the NSG to the Operations Insights private endpoint, go to the Operations Insights Private Endpoint Administration page (Administration > Private Endpoints) and click the private endpoint to which you want to add the NSG. On the Private Endpoint Details page, click Edit against Network Security Groups and add the newly created NSG.

Add security rules to a Security List to enable communication between an Operations Insights private endpoint and a Virtual Machine DB system

In the following example, stateful security rules are added to an existing Security List in the Virtual Machine DB system's VCN to enable communication between an Operations Insights private endpoint for single instance Oracle Cloud Databases and all the subnets in the VCN. This ensures that the Operations Insights private endpoint can access all the single instance databases in the VCN.

For information on updating an existing Security List, see To update rules in an existing security list.

Add the following stateful security rules to the Security List:
Note

The Virtual Machine DB system's VCN port is configured by the user, enter the port number you previously configured.
  • Ingress rule for the Virtual Machine DB system's VCN: The Virtual Machine DB system's VCN can receive incoming traffic from the Operations Insights private IP address (10.0.0.6/32) from any port.
  • Egress rule for the Operations Insights private endpoint: The Operations Insights private IP address (from any port) can send requests to the Virtual Machine DB system's VCN (10.0.0.0/16) on port 1521.
Note

Enter the port you have configured for the TCPS enabled database if the port is different from 1521.

Security rules in a security list.

Obtaining CIDR Block Values

The CIDR block values used to define rules will be specific to your environment and not those shown in the above examples. You can obtain the correct CIDR ingress/egress rule values for your Operations Insights environment as follows:

  • Ingress Rules

    The ingress rule you need to create depends on the subnet specified when creating the private endpoint. You can find the CIDR block on the VCN/Subnet page. Operations Insights also provides a convenient link to the VCN/Subnet page directly from the Private Endpoint Details page.


    Graphic shows the the VCN/Subnet page link from the Private Endpoint Details page.

  • Egress Rules

    The egress rule you need to create depends on the VCN in which your Oracle Cloud Database(s) reside. You can find the CIDR block by navigating to the database details page where you'll find a link to the associated VCN.


    Graphic shows the DB details page.


    Graphic shows the VCN details page.

    Note

    You should write your rule using the entire CIDR block so that the private endpoint can be used for all databases in the VCN.

TCPS Enabling Permissions

If you opt to use the TCP/IP with Transport Layer Security (TCPS) protocol to securely connect to the Oracle Cloud Database, then you're required to enter the port number and upload the database wallet when enabling Database Management.

The authentication and signing credentials, including the private keys, certificates, and trusted certificates used by Transport Layer Security (TLS) are stored in a wallet. This wallet must be saved as a secret with an encryption key in the Vault service. The supported database wallet formats are:
  • Java Keystore (JKS): To save a Java Keystore wallet as a secret, you're required to enter the Keystore password, Keystore content (.jks file), Truststore password, Truststore content (.jks file), and the Certificate Distinguished Name (DN) for the wallet.
  • Public-Key Cryptography Standards (PKCS) # 12: To save a PKCS#12 wallet as a secret, you're required to enter the wallet password, wallet content (.p12 file), and the certificate DN for the wallet.

For information on how to configure TLS authentication, see Configuring Transport Layer Security Authentication.

Create a Private Endpoint

A private endpoint is a private IP address within your Virtual Cloud Network (VCN) that you can use to access a given service within Oracle Cloud Infrastructure.

Operations Insights communicates with Oracle Cloud Databases via private endpoints defined within a Virtual Cloud Network (VCN). For more information about private access and endpoints to OCI services, see Private Endpoints .

Private endpoints must be created in each service, private endpoints created in other services will not appear in the Operations Insights private endpoint list page. However Database Management endpoints can be converted to Operations Insights endpoints.

Note

Before you create a private endpoint in Operations Insights, you must have the following details:

  • The name of the VCN used to access your database.
  • The name of the subnet in the VCN.
  • The name of the network security group (optional).

The private endpoint is a representation of Operations Insights in the VCN in which the Oracle Cloud Database can be accessed, and acts as a VNIC with private IP addresses in a subnet of your choice. The private endpoint does not have to be on the same subnet as the Oracle Cloud Database, but it must be on a subnet that can communicate with the Oracle Cloud Database.

Operations Insights lets you create the following types of private endpoints:

  • Private endpoint for single instance Oracle Cloud Databases: You can create a maximum of five Operations Insights private endpoints in your tenancy (per region) to connect to single instance Oracle Cloud Databases in the Bare Metal and Virtual Machine DB systems. There is no restriction on the number of single instance databases for which you can enable Operations Insights using a single private endpoint. The private endpoint for single instance Oracle Cloud Databases has only one private IP address.
  • Private endpoint for RAC Oracle Cloud Databases: You can create only one Operations Insights private endpoint in your tenancy (per region) to connect to RAC Oracle Cloud Databases in the Virtual Machine DB system and Exadata Cloud service. One private endpoint for RAC Oracle Cloud Databases can support up to 15 single client access network listeners (SCANs). In the case of Virtual Machine DB systems, a SCAN is equal to one RAC Virtual Machine DB system. In the case of Exadata Cloud service, it is equal to one Exadata Cloud service VM cluster, regardless of the number of individual RAC databases hosted on the Exadata Cloud service VM cluster. The private endpoint for RAC Oracle Cloud Databases has two private IP addresses.
    Note

    The RAC option should ALWAYS be used for Exadata Cloud Service systems.
Note

You can create one private endpoint of each type in a VCN, which means that you can create one private endpoint for single instance databases and one for RAC databases.

Creating a Private Endpoint

To create a private endpoint:

  1. From the Operations Insights main menu, click Administration and then Private Endpoints to access the Private Endpoint Administration page for the currently selected compartment. If endpoints for the compartment were previously defined, they will appear in the table where you can perform administrative functions.
  2. Click Create Private Endpoint. The Create Private Endpoint dialog displays.
    Private Endpoint dialog

  3. Enter the required parameters to define the endpoint:
    • Name: An easily identifiable name for the endpoint.
    • Description: Optional
    • Compartment: Select a compartment in which to create the private endpoint from the drop-down list. By default, the compartment that was selected prior to clicking Create Private Endpoint is chosen. Note that this does not have to match the database compartment.

    Configuration

    The private endpoint will be created in the VCN and subnet selected here. Select a subnet that has connectivity to the subnet which contains the database that will be added to Operations Insights.

    • Use this private endpoint for RAC databases. You should select this when connecting to an ExaDB-D/VM RAC database. It can only be set during private endpoint creation and cannot be changed later.
    • Virtual Cloud Network in <compartment>: Select the VCN within the current compartment that will be used to access the Cloud database. If desired, use the drop-down list to choose another VCN in that compartment.
    • Subnet in <compartment>: Select a subnet within the chosen VCN. By default, the first subnet in the drop-down list is selected.

    Network Security Group (optional)

    A network security group lets you add additional fine-grained security access to any resources that will be using the private endpoint. A security group acts as a virtual firewall that allows you to separate your VCN's subnet architecture from your security requirements.

    To add a network security group to the private endpoint,

    1. Click +Another Network Security Group.
    2. Select an existing network security group from the drop-down selector.
    3. If no security groups exist, click Add new to display the VCN details page where you can define a new Network Security Group for that VCN.
    4. From the Network Security Group region of the Create Private Endpoint dialog, click the refresh icon. The newly defined security group will be available in the drop-down selector.

  4. Click Create Private Endpoint. The Private Endpoint Details page displays where you can view private endpoint information including direct links to the details pages for the endpoint’s VCN, subnet, and network security groups.

For more information about security groups, see Network Security Groups

From the Private Endpoints Details page, you can perform the following operations:

  • View existing or define new resource tags
  • Edit the private endpoint (name, description, add/delete network security groups)
  • Move the private endpoint to a different compartment
  • Add resource tags
  • Delete the private endpoint
  • Register Oracle Cloud Databases with the private endpoint
  • View work requests associated with the private endpoint. Note: By default, the details page displays database resources. To display work resources, click Work Requests in the Resources menu. For more information about work requests, see Work Resources.

The above operations can also be performed from the Private Endpoint Administration page via the context menu (vertical ellipsis) for each private endpoint.

Deleting a Private Endpoint

You can delete a private endpoint from the Private Endpoint Administration page. Important: All databases accessing the private endpoint must first be disabled.

Add a Cloud Service Database

With a private endpoint defined, you are ready to add a database that uses that endpoint. You can add databases from the Private Endpoint Details page or from the Database Fleet Administration page.

Before adding a database make sure you run the best practice script steps for Operation Insight databases outlined in OCI : Best Practices / Troubleshooting Guide For Monitoring Databases In Operations Insights (Doc ID 2942938.1). It is strongly recommended the script be run every 6 months or if any databases are missing the storage or tablespace data.

Note

If you are onboarding an Exadata Cloud Service database, see Add an Exadata Cloud Service System.
  1. From the Operations Insights main menu, click Administration and then Database Fleet. Alternatively, navigate to a Private Endpoint Details page.
  2. Click Add Databases. The Add Databases to Operations Insights dialog displays.
    Add DB dialog with Bare Metal selected

  3. Under Choose a cloud database type, select Bare metal, VM and Exadata. The Select Database region displays.
  4. Enter the required database selection information:
    1. Database Type: Choose either Bare Metal, Virtual Machine or ExaCS. For each database type, there are different resources that can be specified:
      1. For Bare metal, VM you can only add database systems
      2. For ExaCS, you can only add VM Clusters
    2. Database System: Select a database system (Bare Metal, VM Clusters for ExaCS) from the current compartment. If needed, you can change compartments.
    3. Protocol:Select either TCP (default) or TCPS, depending on your configuration.
      Note

      If Oracle Data Guard is enabled on a Bare Metal or Virtual Machine DB system after Database Management was enabled for it using the TCPS protocol, then TCPS will have to be reconfigured. Enabling Oracle Data Guard is causing TCPS configuration to be overwritten, and it's recommended that TCPS is configured on a Bare Metal or Virtual Machine DB system after enabling Oracle Data Guard.
    4. Port: Enter the port number, the default Oracle recommended TCP port is 1521.
    5. Database Wallet Secret (only for TCPS): When using a TCPS connection protocol a database wallet secret is required. Select the corresponding secret from the drop down list or click Create new wallet secret to create a new secret, the Create database wallet secret window appears.
      In the Create database wallet secret enter the following information:
      • Name: Wallet secret name.
      • Description (optional): Description for the wallet.
      • Create in compartment: Database compartment where the wallet will be used.
      • Vault: Vault within the compartment where the wallet will be stored.
      • Encryption key: Encryption key to be used, select from drop down menu.
      • Wallet format:
        • For Java key store (JKS files) wallets the following is additionally required:
          • Key store password: Enter the key store password for the Java key store wallet..
          • Key store content: Drag the JKS file into the Operations Insight UI from a local machine.
          • Trust store password: Enter the Trust store password required for the Java key store wallet.
          • Trust store content: Drag the Trust score JKS file into the Operations Insight UI from a local machine.
        • For PKCS#12 (P12 files) wallets the following is additionally required:
          • Wallet password: Enter the required PKCD#12 wallet password.
          • PKCS#12 wallet content: Drag the P12 file into the Operations Insight UI from a local machine.
      • Certificate DN: Enter the certificate chain to be used.
    6. Database Home: Select a database home (system or cluster). All database homes in the database system are available in the drop-down selector.
    7. Database: Select a database from the database home. Databases are identified as either container or non-container. If you select a container database, you’ll be provided with the option of selecting all PDBs in the container or a single PDB.
      Note

      When PDBs are added or removed from the DB System or VM Cluster, they will automatically be enabled or disabled:
      • When performing disable, you should simply select the CDB and disable that target alone. That will disable all the PDBs as well.
      • When performing a delete, you should simply select the CDB and disable that target alone. That will disable all the PDBs as well.
      • If you previously disabled the CDB (and thus all the PDBs) and you want to re-enable Operations Insights, you should do so just on the CDB resource.
    8. Pluggable Database (optional): When a container database is selected, you can select all PDBs or a single PDB.
    9. Service Name: If no pluggable database was specified above, enter the service name corresponding to the container database (CDB). If one was specified, enter the service name corresponding to the specified pluggable database.
  5. Specify credentials for the connection: If no pluggable database (PDB) was specified above, enter the common user name for the CDB and all the PDBs and choose the secret corresponding to the password for the container database (CDB) user. If an individual PDB was specified, enter the user name and choose the corresponding secret for the specified pluggable database.
    Note

    For Government realms, the password for the database user monitoring the Oracle Cloud Database must meet the following Federal Information Processing Standards (FIPS) requirements:
    • Password length must be between 14 to 127 characters.
    • Password must have at least two lowercase, two uppercase, two digits, and two special characters.

    To create a new secret, click Create New Secret.

    Note

    In order to create a secret within OCI Vault, the encryption key being used must be set as follows: Click on Key Shape: Algorithm, and select:AES. Advanced Encryption Standard (AES) keys are symmetric keys that you can use to encrypt data at rest.

    Key types, like RSA and ECDSA will not work for encrypting data at rest and are not recommended for Operations Insights operations. For more information see: Creating a Master Encryption Key.

    To change the monitoring user or secret reference, you need to disable the database and then re-enable it (upon re-enable a pop-up displays to allow you to make changes).

    For more information, see Overview of Vault .

  6. Select a private endpoint that has network access to this database via a VCN.
    Note

    Make sure to select a private endpoint that is RAC Enabled if the database being enabled is a cluster database

    To create a new private endpoint, click Create New Endpoint to access the Private Endpoint Administration page. For more information about creating private endpoints, see Create a Private Endpoint.

  7. Click Add Databases. The newly added database will appear in the Database Fleet Administration page as well as the Private Endpoint Details page.

Change a TCPS Cloud Service Database to TCP

You can change a TCPS monitored cloud database to a default TCP connection, first disable the database by clicking the three dot action menu for the database you want to edit. Once disabled click on Edit Connection Details, select TCP as the protocol and update the port number. Once complete re-enable the database.

You can also change a TCP monitored database to a TCPS connection by clicking the three dot action menu for the database you with to edit, disabling the database, click on Edit Connection Details, select TCPS as the protocol and update the port number. Once complete re-enable the database.

Add an Exadata Cloud Service System

With a private endpoint defined, you’re ready to add an Exadata system that uses that endpoint. You can add Exadata systems from the Private Endpoint Details page or from the Exadata Fleet Administration page.

  1. From the Operations Insights main menu, click Administration and then Exadata Fleet.
  2. Click Add Exadata System. The Add Exadata Systems to Operations Insights dialog displays.
    Image shows the Add Exadata System to Operations Insights dialog.

  3. Ensure Cloud Infrastructure Exadata Cloud Service is selected.
  4. Under Exadata Infrastructure in <compartment name>, select the desired Exadata infrastructure from the drop-down menu. You can change the compartment if necessary. Changing the compartment will query that compartment for valid Exadata Infrastructures.
  5. Select the VM Cluster and Private Endpoint from their respective drop-down menus to change the default values, if necessary.
    Note

    Optionally, you may add additional VM Clusters.

    Once the Exadata Infrastructure, VM Cluster, and Private Endpoint have been selected, you have the option of adding member databases now or at a later time. Member databases within the selected VM Cluster appear in the Members table. IMPORTANT: At least one Container Database must be added (if one was not previously on-boarded). It is required to pull the Exadata metrics.

  6. To enable a member Container Database for Operations Insights, you must set the credentials. Click Set Credentials to display the Set Container Database Credentials dialog. Alternatively, you can select Set Credentials from the Action menu (vertical ellipses) for a specific database member in the table.
  7. Enter the required credential information and click Set Credentials.
    Note

    The database user should be a common user between the Container Database and all Pluggable Databases within the Container Database. See Creating the Oracle Database Monitoring Credentials for Oracle Cloud Infrastructure Database Management and Operations Insights (Doc ID 2857604.1).
  8. Click Add Exadata System. The Exadata Details page for the new system displays.
    Image shows the Exadata Details page.

    As noted earlier, if you did not enable all member databases while adding the Exadata system to Operations Insights, you can add them via the Exadata Details page.

    The newly added system will appear in the Exadata Fleet Administration page.

Enabling/Disabling Exadata Cloud Service Databases

If Exadata Cloud Service databases were previously enabled, they do not need to be enabled again. If all the Container Databases/Non-Container Databases are already enabled, simply select the VM Cluster and the Private Endpoint used when adding the Exadata system.

When disabling the Exadata system, it's highly recommended that this be done on the Exadata system itself as this will disable the databases and hosts automatically.

If you want to disable a single Container Database and its Pluggable Databases, simply disable the Container Database and all its Pluggable Databases will also be disabled as a result.

Adding Enterprise Manager Targets

You can use Operations Insights to perform resource analysis against databases and hosts managed by Enterprise Manager.

Enterprise Manager lets you transfer data from Enterprise Manager targets and Oracle Management Repository (OMR) to an OCI Object Storage bucket, where it is easily accessed by Operations Insights.

System Prerequisites

  • Oracle Enterprise Manager 13c Release 5 Update 13 (13.5.0.13) or above
  • Oracle Enterprise Manager Agents must be on 13c Release 13 (13.5.0.13) or above
  • Database Plugin version 13.5.0.13 or above

Data transfer from Enterprise Manager to Operations Insights is configured in two steps:

  1. Set up target-level data transfer from Enterprise Manager to OCI Object Storage.
  2. Set up data transfer from OCI Object Storage to Operations Insights.

Each step involves setting up a data transfer bridge. There are two bridges involved in Enterprise Manager-Operations Insights communication:

  • An Enterprise Manager Cloud Bridge to move target-level data from Enterprise Manager to OCI Object Storage bucket.
  • An Operations Insights EM Bridge to move data from the OCI Object Storage bucket to Operations Insights for analysis.
Note

Oracle recommends updating Oracle (Enterprise Manager) Management Agents to at least Oracle Enterprise Manager 13c Release 5 Update 13 (13.5.0.13) as the newer agent versions resolve operational issues affecting databases using the Cloud Bridge.

EM Bridge Prerequisites

Before setting up the EM Bridge, you need to create Identity and Access Management (IAM) policies in order to read from the configured Object Storage Bucket. Create a dynamic group and provide permissions for the dynamic group to access the data in the above Object Storage compartment. Additionally, add policies to use the opsi-enterprise-manager-bridge resource, which is part of opsi-family aggregate resource-type. The following examples illustrate the policy creation process.

  • Example rule for bridge dynamic group where the resource can be in any compartment in tenancy:
    ALL {resource.type='opsienterprisemanagerbridge'}
  • Example rule for bridge dynamic group with specific resource compartment OCID:
    ALL {resource.type='opsienterprisemanagerbridge', resource.compartment.id = <opsienterprisemanagerbridge_resource_compartment_OCID>}
  • Example policy to allow the dynamic group READ access to the Object Storage bucket:
    allow dynamic-group <group_name> to read object-family in compartment <bucket_compartment_name> where ANY{target.bucket.name=<embridge-bucket>}

Data Flow

Once Enterprise Manager to Operations Insights connectivity is set up, your target data is automatically uploaded at frequent intervals to the Object Storage bucket so that Operations Insights is always working with the most recent target data.

The following graphic illustrates how target data flows from Enterprise Manager to an OCI service once the configuration process has been completed. Highlighted in red is the portion of the setup you will perform for Operations Insights.

Note

The Object Storage bucket must already exist before creating an EM Bridge.

Graphic illustrates the data flow from Enterprise Manager to Operations Insights

For instructions on setting up Enterprise Manager target-level data transfer to the Object Storage bucket and setting up the Cloud Bridge for Operations Insights, see Integrating Enterprise Manager with OCI Services in the Enterprise Manager Cloud Control Administrator's Guide.

When selecting the OCI Service while enabling Data Export select the appropriate service for your needs:
  • Operations Insights: Capacity Planning and SQL Warehouse: For Exadata Insights, Host Capacity Planning, Database Capacity Planning, SQL Warehouse, and SQL Explorer.
  • Operations Insights: EM Warehouse
  • Operations Insights: Exadata Warehouse

Create an EM Bridge

You create an EM bridge to move target-level data from an OCI Object Storage bucket to Operations Insights.

To create an EM bridge:

  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration. The Database Fleet option is selected by default in the Operation Insights navigation menu.
  2. Click EM Bridges. The EM Bridge Administration page displays.
  3. Click Create Bridge. The Create Enterprise Manager Bridge dialog displays.
  4. Enter the following:
    • EM Bridge Name: A user-friendly name that lets you easily identify the source.
    • Compartment: The compartment where the EM bridge will be located.
    • Bridge Description: A meaningful description detailing specifics about the bridge.
    • Bucket Name: The name of the Object Storage bucket where Enterprise Manager target-level data is being uploaded. For more information about buckets, see Managing Buckets.
  5. Click Create Bridge.

The newly created bridge will appear in the EM Bridge Administration page table. Once your bridge is created, you can click on the bridge name in the table to access the bridge's detail page where you can edit the bridge description, move the bridge to a different compartment, add tags, or add/enable/disable databases.

Delete an EM Bridge

You can delete an EM bridge to remove a connection between Operations Insights and the OCI Object Storage bucket.

WARNING:

: Before you can delete an EM bridge, you must first disable AND delete all Enterprise Manager resources associated with the EM bridge.

To delete an EM bridge:

  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration. The Database Fleet option is selected by default in the Operation Insights navigation menu.
  2. Click EM Bridges. The EM Bridge Administration page displays.
  3. In the EM Bridge table, click on the EM bridge you want to delete. The details page for the EM bridge displays.
  4. For each enabled resource in the table, choose Disable Operations Insights from the Actions menu. All resources must be disabled.
    Note

    Any Exadata Systems should be disabled and deleted first (this will also disable and delete the child databases and hosts).
  5. For each disabled database in the table, click the vertical ellipses to display the pop-up menu and choose Delete Operations Insights.
  6. Once all databases have been disabled and deleted, click Delete at the top of the EM Bridge details page to start the bridge deletion process.

Delete EM Bridge Bucket Data

You can delete EM Bridge bucket data for Operations Insights managed Enterprise Manager targets after 10 days by adding the object storage lifecycle rules. For more information on object storage lifecycle rules see: Using Object Lifecycle Management.

Add Exadata Systems Monitored by Enterprise Manager

When you add an Exadata systems monitored by Enterprise Manager (Exadata Database Service on Dedicated Infrastructure, Exadata Cloud@Customer or Database Machine), you'll be able to use Exadata Insights capacity planning features to optimize performance and resource usage.

Prerequisites

  • IMPORTANT: Enterprise Manager configuration (setting up the OCI Bridge) MUST be done first. See Integrating Enterprise Manager with OCI Services.
  • EM Bridge and Object Storage bucket has been set up.
  • Enable Exadata Systems for Operations Insights.
    • Exadata Database Service on Dedicated Infrastructure, Exadata Database Machines, and Exadata Cloud@Customer deployments must be monitored by Enterprise Manager.
  • Exadata Insights is compatible with the following versions of Enterprise Manager:
    • On-premises (Exadata Database Machine): Enterprise Manager 13c Release 5 Update 10 (13.5.0.10) and greater
    • Cloud Service (Exadata Database Service on Dedicated Infrastructure and Exadata Cloud@Customer): Enterprise Manager 13c Release 5 Update 10 (13.5.0.10) and greater

To enable one or more Exadata systems from a compartment for Exadata Insights, log in to OCI and do the following:

  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration.
  2. From the Operations Insights menu, click Exadata Fleet.
  3. Click Add Exadata System. The Add Exadata System to Operations Insights dialog displays.
  4. Select the Enterprise Manager telemetry.
  5. Select the Enterprise Manager Bridge that contains the Exadata System(s) you want to add from the drop-down menu. If necessary, you can change the compartment where the bridge is located.
  6. Select the Exadata System you want to add from the drop-down menu. Members of the Exadata System are displayed in the Members table.
    Note

    The database and host targets are shown in this table are the only ones which will be created as first-class OCI resources.
  7. Select the Destination Compartment from the drop-down menu.
  8. All Exadata System members shown in the table will be enabled for Operations Insights. Optionally, you can change the Destination Compartment.
  9. By default, the list of Exadata System members will be automatically synchronized to match the member resources in Enterprise Manager. If desired, you can turn off this feature, however, you will have to manually add members via the Exadata Details administration page if new members are added to the Exadata System.
    Note

    Members will not be automatically disabled or deleted.
  10. Click Add Exadata System. The Exadata details page displays.

Available Actions

Once you've added an Exadata System to Operations Insights, in addition to enabling and disabling the system, you can also add tags and move these resources to different compartments (only Enterprise Manager databases can be moved), change the auto-synchronization settings, and add new members.

Access Operations Insights

There are two ways to access the Operations Insights Console: Through the Oracle Cloud Infrastructure Console or from the Oracle Database Service details page in Oracle Cloud Infrastructure.

Oracle Cloud Infrastructure Console

To access Operations Insights, you can first sign in to the Oracle Cloud Infrastructure Console, and then access Operations Insights via the Oracle Cloud Infrastructure Console main menu.

Open the navigation menu, click Observability & Management. Under Operations Insights, click Overview.

Database Service Details

For a database managed within OCI (External and Autonomous databases only), you can access Operations Insights directly from the database's details page. Operations Insights options appear in the lower-left corner of the page. These options vary depending on whether or not a database has been enabled for Operations Insights.

  • Database is already enabled.

    If Operations Insights has been enabled for a database, Disable and View links appear. Click Disable to disable Operations Insights for the database directly without accessing the Console. Click View to access the Operations Insights Overview page.

  • Database is not enabled.

    If Operations Insights is not currently enabled for the database, an Enable link appears,which allows you to enable Operations Insights for the database without having to access the Operations Insights Overview page.

Application Menu and Scope

When you select either Databases or Hosts from the Capacity Planning menu, a Resources sub-menu is presented.

  • Databases: Summary, CPU, Storage, Memory, and I/O.
  • Hosts: Summary, CPU, and Memory

These pages comprise the Capacity Planning application of Operations Insights Service.

Below the sub-menu are Scope and Filters sections that define the global time and target scope shared across the Capacity Planning application.

For Databases

  • Compartment: Capacity Planning is scoped to all databases enabled for Operations Insights and belonging to a specific compartment.
  • Database Type: The database scope can be further narrowed by filtering on database type.
  • Database: This option allows you to narrow the scope to a single database. To limit the number of databases that appear in the drop-down menu, you can type in a partial name to filter out unwanted databases.
  • Time Range: This is the historical time period on which Capacity Planning trends and forecasts will be based, ranging from previous day up to last 25 months.

For Hosts

  • Compartment: Capacity Planning is scoped to all hosts enabled for Operations Insights and belonging to a specific compartment.
  • Platform Type: The host operating system type. Currently supported platform types:
    • Linux
    • Solaris

      Solaris is available as a platform type when:

      • The host is managed by a Management Agent Cloud Service (SPARC only).

    • zLinux
    • Windows

      Windows is available as a platform when:

      • Windows hosts are monitored by Oracle Enterprise Manager 13c Release 5 Update 4 (13.5.0.4) and Management Agent.

      • Windows hosts are running in Compute instances where the host is monitored by the Management Agent Cloud Service.
  • Host: This option allows you to narrow the scope to a single host. To limit the number of hosts that appear in the drop-down menu, you can type in a partial name to filter out unwanted hosts.
  • Time Range: This is the historical time period on which Capacity Planning trends and forecasts will be based, ranging from previous day up to last 25 months.

Filtering Databases and Hosts Across Applications

To restrict Capacity Planning (databases or hosts) and Oracle SQL Warehouse insight/analysis to a subset of enabled databases/hosts, use the Database Name/Host or Host filter.


The graphic shows the Filter sub-menu with the Database Name/Host filter highlighted

  1. Click Select to display the Select by Names/Hosts dialog.
  2. Choose how you want to select databases. Under Select Databases By, choose whether you want to select databases by name or host name (all databases that reside on the selected host). Similarly, you can select from a list of enabled hosts if you are working with Hosts insight/analysis.
  3. Depending on the option you chose in step 2, select a database or host from the drop-down list. Repeat this step until you've added all databases/hosts of interest.
  4. Click Apply.

To remove the filter, click Clear.

Filtering Databases and Hosts Using Tags

You can filter host and database resources by namespaces, tags, and tag values. Tag filtering lets you display only those resources for which a specific tag has been assigned. This can greatly simplify resource management. For example, you want to perform Capacity Planning on your production databases only. By tagging your production databases with a Lifecycle State of Production, you can easily isolate only the production databases in Operations Insights.

This section covers the following topics:

Apply Tags to Resources

  1. Navigate tot he Operations Insights Administration page. From the OCI console, select Observability & Management, and the under Operations Insights, select Administration.
  2. Select a resource type from the left navigation menu. For example, Database Fleet or Host Fleet.
  3. For a specific resource in the list, select Add Tag from that resource's Action menu (vertical ellipses).
  4. Enter the requisite tag information and click Add tag. Repeat this step for however many tags you want to define for this resource.
  5. Click Add tags when you're finished.

Filter by Tags


Graphic shows the Tag filter menu option.

  1. Click Add to display the Apply a Tag Filter dialog.
    Graphic shows the Apply Tag dialog.

  2. Select a Tag Namespace (optional) and enter a Tag Key.
  3. To narrow tag filtering, you can define supplementary patterns on which to filter. By default, Match any value is selected. To define additional Tag Key pattern filtering criteria, click Match any of the following and enter the text to be used for filtering. You can define additional text filtering criteria by clicking Add (+) and entering the desired text.
  4. Click Apply Filter.

    To remove the filter, click Clear.

Group by Tags

You can create an arbitrary grouping of target resources based on tag keys and tag values used by free-form and defined tags,

  • Free-form Tag: A basic metadata association that consists of a key and a value only. Free-form tags have limited functionality. See Understanding Free-form Tags. Free-form tags allows any user to add tags to resources.
  • Tag (or Defined Tag): A tag is the instance of a key definition that is applied to a resource. It consists of a namespace, a key, and a value. "Tag" is used generically to refer to defined tags. Tag administrators create and manage defined tags.

Using free-form and defined tags to create grouping of target resources based on tag keys and tag values lets you perform trend and forecast analysis on any meaningful set of resources. For example, you can define a specific tag keys for all databases that are part of the Sales department within North America and then specify only databases that meet those specific tag key and value criteria be used for trend and forecast analysis or, as shown in the SQL Warehouse example below, group all the SQL statements running in databases as part of a particular department or application grouping. This tag grouping feature can be used with Capacity Planning, Exadata Insights, and Oracle SQL Warehouse.


Image shows tag grouping implemented for trend and forecast analysis.

For more information about tags and how to use them for filtering, see:

Viewing Resources Across Compartments

Operations Insights allows you to analyze database and host resources across an entire compartment hierarchy, letting you perform comprehensive fleet-wide analysis.

Cross-compartment data access allows you to gather insights at the root or parent compartment level: Resources residing at all sub-levels can be aggregated for more meaningful fleet analysis. For example, a corporate parent compartment contains two primary sub-compartments (Finance and Human Resources), each with its own database. Additionally, both Finance and Human Resources compartments have sub-compartments with their own databases. You're interested in all databases belonging to the Finance department due to excessive CPU usage. You can select the top-level Finance compartment and then use Capacity Planning to compare CPU utilization between databases residing within the Finance compartment hierarchy.

Cross-compartment resource access lets you:

  • Analyze all resources within a given region for the entire tenancy
  • Respect current authorization policies by authorizing the highest compartment as part of the authorization decision
  • Analyze all resources within a given compartment subtree

Select the desired compartment under Scope and click the Include child compartments option to activate cross-compartment access.


Graphic shows the child compartment scope option.

Note

Cross-compartment data access is not supported for Exadata Insights.

Accessing Related Services

Operations Insights provides direct access to the Oracle Cloud Infrastructure Database Management service which provides real-time monitoring, performance management, tuning, and database administration. Database Management features include:

  • Fleet Monitoring and Management: Monitor multiple Oracle Database services deployed within OCI compartments, proactively detect and identify the root cause of performance issues across a fleet of databases, and respond to performance and configuration-related alerts.
  • Database Groups: Automate database fleet management and define routine database jobs scheduled to run against a set of databases.
  • Database Summary: Monitor key usage and performance metrics in real-time for a specific database.
  • Jobs: Create and run jobs using your own custom SQL, PL/SQL, and SQL scripts.

You can access Database Management via the Related Features menu on the left menu pane, the Related Services tile on the Overview page, or the Database Fleet Administration page.

Working with Operations Insights Resources

The first step to using Operation Insights is to enable resources for the service. This allows you to use Operation Insights' powerful analysis and forecasting tools to optimize performance of your IT assets. Operations Insights resources can be disabled and re-enabled as required.

You can:

Enable Databases for the Service

Once a database is enabled, you'll be able to use Operations Insights Capacity Planning and Oracle SQL Warehouse features to optimize performance and resource usage.

Note

The data may take up to 24 hours to appear.

If you want to view more granular data (7 days or less), you can select a smaller time range.

Monitoring Credentials

Before adding a database, ensure that you have proper monitoring credentials set up. For instructions on how to set up External and Cloud Oracle Database monitoring credentials (Virtual Machine, Bare Metal, and Exadata) see Creating the Oracle Database Monitoring Credentials for Oracle Cloud Infrastructure Database Management and Operations Insights (Doc ID 2857604.1).

To create an Autonomous Database monitoring credential see, see Creating the Autonomous Database Monitoring Credentials for Oracle Cloud Operations Insights (Doc ID 2933173.1).

Enable Databases for Operations Insights

To enable one or more databases for Operations Insights, log in to OCI and do the following:

  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration and then Database Fleet..The Database Fleet Administration page displays.
  2. Click Add Databases. The Add Databases to Operations Insights dialog displays.
  3. Click on the desired Telemetry. Available telemetries are:
    • Cloud Infrastructure: Autonomous databases running in OCI, Exadata Cloud Service databases , Virtual Machine, and Bare Metal.
    • Enterprise Manager: Databases monitored and managed via Enterprise Manager. You'll need to select the EM Bridge. In addition, you'll also need to select the destination compartment as shown in the next step.
    • Agent Service: Databases monitored by the OCI Management Agent Service. You'll need to select the destination compartment as shown in the next step. In addition, you'll also need to select an external connector.
  4. Select the Compartment that contains the database that you want to enable for Operations Insights.
    Note

    This is not needed for Enterprise Manager databases (you select the EM bridge instead) and you choose the destination compartment.

    For Management Agent databases you must also select the connector after selecting the database to enable.

    Optionally, if there are many databases and you know which ones you want to enable, you can filter the returned results based on database type.
  5. Select a database to enable.
    Note

    Autonomous Databases and Enterprise Manager databases allow you to multi-select databases for enablement. The multi-select feature is not available for databases monitored by Management Agents, Virtual Machine, or Bare Metal. Alternatively, for Exadata, you can bulk enable the entire the entire Exadata system.
  6. Click Enable. The enable request is submitted for processing. Depending on amount of data that needs to be uploaded, it may take a few minutes for the process to complete. Data may take up to 24 hours to appear in Operations Insights for newly enabled database.

Available Actions

Once you've added a database to Operations Insights, in addition to enabling and disabling the database, you can also add tags and move these resources to different compartments (only Enterprise Manager databases can be moved). These actions can be accessed by clicking the vertical ellipses for any database in the Database Fleet table.

Note

Autonomous Databases, databases monitored by Management Agents, Virtual Machine, Bare Metal, and Exadata Cloud Service follow the DBaaS resource compartment.

Disable Databases for the Service

If you no longer want a database covered by Operations Insights capacity planning and SQL analytics functionality, you need to disable the enabled database for Operations Insights. When you disable a database, billing stops and the resource will not be available for analytics. The operation is not terminal—the data that was previously collected will not be removed.

To disable a database for Operations Insights, log in to OCI and do the following:

  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration and then Database Fleet..

    The Database Fleet Administration page displays.

  2. Choose the Compartment that contains the database that you want to disable for Operations Insights. Optionally, if there are many databases and you know which ones you want to disable, you can filter the returned results based on database type.

    The Operations Insights State column indicates whether or not a database is currently enabled or disabled.

  3. Select one or more databases to disable.
  4. From the Actions menu, select Disable Operations Insights. Operations Insights asks whether you want to enable the selected database.
  5. Click Disable. The disable request is submitted for processing.

Autonomous Database Full Feature Support

Operations Insights allows you to perform advanced collections on your Autonomous Databases via a private endpoint or through secure access from anywhere. These connection methods allows Operations Insights to connect to the database directly and enable Full Features collection, which includes SQL Explorer and ADDM Spotlight.

Prerequisites

To enable Full Features collection set on an Autonomous Database the following prerequisites must be met:
  1. Enable the Autonomous Database in Operations Insights, for more information see Enable Databases for the Service
  2. If your network requires it, create a Private Endpoint. Make sure you set up the correct network requirements for your database, including the creation of private endpoints. The following table outlines the network requirements by type of autonomous databases:
    ADB Type Access Type Network Requirements
    ADB Serverless (ADB-S) Access Anywhere None
    ADB Serverless (ADB-S) Private Endpoint Same Private Endpoint requirements as cloud databases.
    Note

    Use the ADB private endpoint VCN/Subnet instead of the database VCN/Subnet
    For more information see: Enabling Database Cloud Service Databases and Exadata Cloud Service
    ADB Serverless (ADB-S) ACL (Access Control List) Restricted The private endpoint needs to be placed in one of the whitelisted VCNs. This VCN must have access to the public ADB endpoint, typically via service gateway.

    For more information see: Configure Access Control Lists When You Provision or Clone an Instance
    ADB Dedicated (ADB-D) N/A Same requirements as cloud databases. For more information see: Enabling Database Cloud Service Databases and Exadata Cloud Service
    Note

    Dedicated Autonomous Databases require a private endpoint with DNS Proxy enabled. Operations Insights private endpoints created prior to September 2023 did not require the DNS proxy enabled. A new private endpoint may need to be created.
  3. Create the policies to allow Operations Insights service to generate autonomous database wallets, and to read the database password secret. It is recommended this step be performed automatically when setting up the Advanced Features collection in Step 4.
    Example policy to allow Operations Insights service to generate Autonomous Database wallets: 
    allow service operations-insights to read autonomous-database-family in tenancy where ALL{request.operation='GenerateAutonomousDatabaseWallet'}
    Example policy to allow Operations Insights service to read the database password secret: 
    allow service operations-insights to read secret-family in tenancy where ANY{target.secret.id='<SecretId>'}

Enable Full Features Collection For an Autonomous Database

To enable Full Features collection for an Autonomous Database follow these steps:
  1. Log into OCI, navigate to Observability and Management, then Operation Insights and click on Administration.
  2. Under Administration select Database Fleet. This will show you the Database Fleet Administration table where all your databases that have an enabled Operation Insights state are displayed. Autonomous Databases with an Active state and a Basic Feature Set are eligible for Full Feature enabling.
  3. Select an Autonomous Database you wish to enable the advanced features for and click on the three dots menu located at the right end of the table. From the menu select Enable Full Feature Set.
  4. In the Enable Full Feature Set window enter the database user name and user password secret. If your Autonomous Database is configured for private endpoint check mark Access database via private network and provide the Private endpoint. Databases configured with ACL restricted and ADB-D require private endpoint connections.

    The connect string information is automatically filled out by the service.

    If you have not previously created the policies to generate Autonomous Database wallets click on Complete the prerequisites, and then click on Apply.

    Click Enable.
    Note

    ADB-S configured with ACL and ADB-D databases may require new private endpoints that have DNS proxy enabled selected. If this parameter is not selected, you will not see existing private endpoints in the drop down menu for these types of databases.
  5. In the Database Fleet Administration table, the Autonomous Database under the Operations Insight State row will now show Full, advanced features are now being collected.

Enable Hosts for the Service

Once a host is enabled, you'll be able to use Operations Insights Capacity Planning features to optimize performance and resource usage.

To enable one or more hosts from a compartment for Operations Insights, log in to OCI and do the following:

  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration and then Host Fleet.

    The Host Fleet Administration page displays.

  2. Click Add Hosts. The Add Hosts to Operations Insights dialog displays with the Agent Service telemetry selected.
  3. Click on the desired Telemetry. Available telemetries are:
    • Cloud Infrastructure: Hosts in Oracle Cloud Infrastructure (OCI Compute).
    • Enterprise Manager: Hosts monitored and managed via Enterprise Manager. You'll need to select the EM Bridge. In addition, you'll also need to select the destination compartment as shown in the next step.
    • Agent Service: Hosts monitored by the OCI Management Agent Service. You'll need to select the destination compartment as shown in the next step.
  4. Select the Management Agent Compartment (Compute Instance Compartment if Cloud Infrastructure telemetry has been selected) that contains the host that you want to enable for Operations Insights. Optionally, if there are many hosts and you know which ones you want to enable, you can filter the returned results based on Host Display Name.
    Note

    This does not apply to Enterprise Manager hosts.
  5. Select one or more hosts to enable.
  6. Click Add Hosts. The add hosts request is submitted for processing. Depending on amount of data that needs to be uploaded, it may take a few minutes for the process to complete. Data may take up to 24 hours to appear in Operations Insights for newly enabled hosts.

Available Actions

Once you've added a host to Operations Insights, in addition to enabling and disabling the host, you can also add tags and move these resources to different compartments. These actions can be accessed by clicking the vertical ellipses for any host in the Host Fleet table.

Disable Hosts for the Service

If you no longer want a host covered by Operations Insights capacity planning functionality, you need to disable the enabled host for Operations Insight

To disable a database for Operations Insights, log in to OCI and do the following:

  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration and then Host Fleet.

    The Host Fleet Administration page displays.

  2. Choose the Compartment that contains the host that you want to disable for Operations Insights. Optionally, if there are many hosts and you know which ones you want to disable, you can filter the returned results based on Host Display Name.

    The Operations Insights State column indicates whether a host is currently enabled or not.

  3. Select one or more hosts to disable.
  4. From the Actions menu, select Disable Operations Insights. Operations Insights asks whether you want to enable the selected host.
  5. Click Disable. The disable request is submitted for processing.

Disable Exadata Systems for the Service

To disable an Exadata System for Operations Insights, log in to OCI and do the following:

Note

Disabling an Exadata system also disables the related hosts and databases.
  1. Open the navigation menu and click Observability and Management. Under Operations Insights, click Administration and then Exadata Fleet.

    The Exadata Fleet Administration page displays.

  2. Choose the Compartment that contains the Exadata System that you want to disable for Operations Insights. Optionally, if there are many Exadata systems and you know which ones you want to disable, you can filter the returned results based on Exadata System Name.

    The Operations Insights State column indicates whether an Exadata System is currently enabled or not.

  3. Select one or more Exadata Systems to disable.
  4. From the Actions menu, select Disable Operations Insights. Operations Insights asks whether you want to disable the selected system.
  5. Click Disable. The disable request is submitted for processing.