Summary of DBMS_CLOUD_ADMIN Subprograms

This section covers the DBMS_CLOUD_ADMIN subprograms provided with Autonomous Database.

Subprogram	Description
CREATE_DATABASE_LINK Procedure	This procedure creates a database link to a target database in the schema calling the API. You first need to upload the wallet (`cwallet.sso`) containing the certificates for the target database using `DBMS_CLOUD.GET_OBJECT` and then create the database link using the wallet.
DISABLE_APP_CONT Procedure	This procedure disables database application continuity for the session associated with the specified service name in Autonomous Database.
DISABLE_EXTERNAL_AUTHENTICATION Procedure	This procedure disables external authentication for the Autonomous Database instance.
DISABLE_PRINCIPAL_AUTH Procedure	This procedure revokes principal based authentication for the specified provider and applies to the ADMIN user or to the specified user.
DISABLE_RESOURCE_PRINCIPAL Procedure	This procedure disables resource principal credential and creates the credential `OCI$RESOURCE_PRINCIPAL`. With a user name specified, other than ADMIN, the procedure grants the specified schema access to the resource principal credential.
DROP_DATABASE_LINK Procedure	This procedure drops a database link.
ENABLE_APP_CONT Procedure	This procedure enables database application continuity for the session associated with the specified service name in Autonomous Database.
ENABLE_AWS_ARN Procedure	This procedure enables a user to create AWS ARN credentials in Autonomous Database.
ENABLE_EXTERNAL_AUTHENTICATION Procedure	This procedure enables a user to logon to Autonomous Database using the specified external authentication scheme.
ENABLE_FEATURE Procedure	This procedure enables the specified feature on the Autonomous Database instance.
ENABLE_PRINCIPAL_AUTH Procedure	This procedure enables principal authentication for the specified provider and applies to the ADMIN user or the specified user.
ENABLE_RESOURCE_PRINCIPAL Procedure	This procedure enables resource principal credential and creates the credential `OCI$RESOURCE_PRINCIPAL`. With a user name specified, other than ADMIN, the procedure grants the specified schema access to the resource principal credential.
REPLAY_WORKLOAD Procedure	This procedure is overloaded. It initiates the workload replay.

CREATE_DATABASE_LINK Procedure

This procedure creates a database link to a target database in the schema calling the API. The overloaded form enables you to create a database link with Oracle-managed heterogeneous connectivity to a supported non-Oracle database.

Syntax

DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
       db_link_name         IN VARCHAR2,
       hostname             IN VARCHAR2,
       port                 IN NUMBER,
       service_name         IN VARCHAR2,
       ssl_server_cert_dn   IN VARCHAR2, 
       credential_name      IN VARCHAR2,
       directory_name       IN VARCHAR2 DEFAULT,
       gateway_link         IN BOOLEAN DEFAULT,
       public_link          IN BOOLEAN DEFAULT,
       private_target       IN BOOLEAN DEFAULT);

DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
       db_link_name         IN VARCHAR2,
       hostname             IN VARCHAR2,
       port                 IN NUMBER,
       service_name         IN VARCHAR2,
       ssl_server_cert_dn   IN VARCHAR2, 
       credential_name      IN VARCHAR2,
       directory_name       IN VARCHAR2 DEFAULT,
       gateway_params       IN CLOB DEFAULT);

Parameters

Parameter	Description
`db_link_name`	The name of the database link to create.
`hostname`	The hostname for the target database. When you specify a connection with Oracle-managed heterogeneous connectivity by supplying the `gateway_params` parameter, note the following: When the `db_type` value is `SNOWFLAKE` the `hostname` is the Snowflake account identifier. To find your Snowflake account identifier, see Account Identifier Formats by Cloud Platform and Region.
`port`	The port for the connections to the target database. To ensure security, when the connection is to an Oracle Database, ports are restricted to: `1521-1525`, or `2484`. When you specify a connection with Oracle-managed heterogeneous connectivity using the `gateway_params` parameter, set the port based on the `db_type` value: `AWSREDSHIFT`: use port `5439` `MYSQL`: use port `3306` `POSTGRES`: use port `5432` `SNOWFLAKE`: use port `443` See Oracle-Managed Heterogeneous Connectivity Database Types and Ports for more information.
`service_name`	The `service_name` for the database to link to. For a target Autonomous Database, find the service name by one of the following methods: Look in the `tnsnames.ora` file in the `wallet.zip` that you download from an Autonomous Database for your connection. Click DB Connection on the Oracle Cloud Infrastructure Console. In the Connection Strings area, each connection string includes a `service_name` entry with the connection string for the corresponding service. When both Mutual TLS (mTLS) and TLS connections are allowed, under TLS Authentication select TLS to view the TNS names and connection strings for connections with TLS authentication. See View TNS Names and Connection Strings for an Autonomous Database Instance for more information. Query `V$SERVICES` view. For example: `SELECT name FROM V$SERVICES;` When you specify a connection with Oracle-managed heterogeneous connectivity using the `gateway_params` parameter, the `service_name` is the database name of the non-Oracle database.
`ssl_server_cert_dn`	The DN value found in the server certificate. Oracle-managed heterogeneous connectivity is preconfigured with a wallet that contains most of the common trusted root and intermediate SSL certificates. The `ssl_server_cert_dn` must be `NULL` when you supply the `gateway_params` parameter. T o connect to an Oracle Database on a private endpoint without a wallet, specify a `NULL` value for the `ssl_server_cert_dn` parameter. In addition, to connect to an Oracle Database with TCP, the following must be true: The target database must be on a private endpoint. The `directory_name` parameter must be `NULL`. The `private_target` parameter must be `TRUE`.
`credential_name`	The name of a stored credential created with `DBMS_CLOUD.CREATE_CREDENTIAL`. This is the credentials to access the target database.
`directory_name`	The directory for the stored `cwallet.sso` file. The default value for this parameter is `'data_pump_dir'.` Oracle-managed heterogeneous connectivity is preconfigured with a wallet that contains most of the common trusted root and intermediate SSL certificates. The `directory_name` is not required when you supply the `gateway_params` parameter. T o connect to an Oracle Database with TCP, specify a `NULL` value for the `directory_name` parameter. In addition, to connect to an Oracle Database with TCP, the following must be true: The target database must be on a private endpoint. The `directory_name` parameter must be `NULL`. The `private_target` parameter must be `TRUE`.
`gateway_link`	Indicates if the database link is created to another Oracle Database or to an Oracle Database Gateway. If `gateway_link` is set to `FALSE`, this specifies a database link to another Autonomous Database or to another Oracle Database. If `gateway_link` is set to `TRUE`, this specifies a database link to a non-Oracle system. This creates a connect descriptor in the database link definition that specifies `(HS=OK)`. The default value for this parameter is `FALSE`.
`public_link`	Indicates if the database link is created as a public database link. To run `DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK` with this parameter set to `TRUE`, the user invoking the procedure must have `EXECUTE` privilege on the credential associated with the public database link and must have the `CREATE PUBLIC DATABASE LINK` system privilege. The `EXECUTE` privilege on the credential can be granted either by the `ADMIN` user or by the credential owner. The default value for this parameter is `FALSE`.
`private_target`	When a database link accesses a hostname that needs to be resolved in a VCN DNS server, specify the `private_target` parameter with value `TRUE`. When `private_target` is `TRUE`, the `hostname` parameter must be a single hostname. Using an IP address or SCAN IP for the `hostname` is not supported. The default value for this parameter is `FALSE`.
`gateway_params`	Specify the target database type for Oracle-managed heterogeneous connectivity to connect to non-Oracle databases. The `db_type` value must be one of: `AWSREDSHIFT` `AZURE` `MYSQL` `POSTGRES` `SNOWFLAKE` Specify the parameter with the `json_object` form. For example: `gateway_params => json_object('db_type' value 'AWSREDSHIFT')` See Oracle-Managed Heterogeneous Connectivity Database Types and Ports for required `port` values for each database type.

Usage Notes

When you use the private_target parameter, note that database links from an Autonomous Database to a database service that is on a private endpoint are only supported in commercial regions and US Government regions.

This feature is enabled by default in all commercial regions.

This feature is enabled by default in US Government regions for newly provisioned databases.

For existing US Government databases on a private endpoint, if you want to create database links from an Autonomous Database to a target in a US Government region, please file a Service Request at Oracle Cloud Support and request to enable the private endpoint in government regions database linking feature.

US Government regions include the following:
- Oracle Cloud Infrastructure US Government Cloud with FedRAMP Authorization
- Oracle Cloud Infrastructure US Federal Cloud with DISA Impact Level 5 Authorization
When connecting to a non-Oracle database, database linking is only supported if the target database is accessible through a public IP or a public hostname. See Create Database Links to Non-Oracle Databases for more information.
To run DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK with a user other than ADMIN you need to grant EXECUTE and CREATE DATABASE LINK privileges to that user. For example, run the following command as ADMIN to grant privileges to adb_user:
```
GRANT EXECUTE ON DBMS_CLOUD_ADMIN TO adb_user;
GRANT CREATE DATABASE LINK TO adb_user;
```
Only one wallet file is valid per directory specified with the directory_name parameter. You can only upload one cwallet.sso at a time to the directory you choose for wallet files. This means with a cwallet.sso in a directory, you can only create database links to the databases for which the wallet in that directory is valid. To use multiple cwallet.sso files with database links you need to create additional directories and put each cwallet.sso in a different directory.

See Create Directory in Autonomous Database for information on creating directories.

To create a database link to an Autonomous Database, set GLOBAL_NAMES to FALSE on the source database (non-Autonomous Database).

SQL> ALTER SYSTEM SET GLOBAL_NAMES = FALSE;
 
System altered.

SQL> SHOW PARAMETER GLOBAL_NAMES
NAME                     TYPE        VALUE
----------------------   ----------- -----------
global_names             boolean     FALSE

When the private_target parameter is TRUE, the hostname parameter specifies a private host inside the VCN.

Examples

BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
     credential_name => 'DB_LINK_CRED',
     username => 'adb_user',
     password => 'password');
  DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
     db_link_name => 'SALESLINK', 
     hostname => 'adb.eu-frankfurt-1.oraclecloud.com', 
     port => '1522',
     service_name => 'example_medium.adb.example.oraclecloud.com',
     ssl_server_cert_dn => 'CN=adb.example.oraclecloud.com,OU=Oracle BMCS FRANKFURT,O=Oracle Corporation,L=Redwood City,ST=California,C=US',
     credential_name => 'DB_LINK_CRED');
END;
/

BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => 'AWS_REDSHIFT_LINK_CRED',
    username => 'NICK',
    password => 'password'
  );
DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
          db_link_name => 'AWSREDSHIFT_LINK', 
          hostname => 'example.com', 
          port => '5439',
          service_name => 'example_service_name',
          credential_name => 'AWS_REDSHIFT_LINK_CRED',
          gateway_params => JSON_OBJECT('db_type'  value 'AWSREDSHIFT'),
          ssl_server_cert_dn => NULL);
END;
/

BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => 'PRIVATE_ENDPOINT_CRED',
    username => 'db_user',
    password => 'password'
  );
DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
          db_link_name => 'PRIVATE_ENDPOINT_DB_LINK', 
          hostname => 'exampleHostname', 
          port => '1521',
          service_name => 'exampleServiceName',
          credential_name => 'PRIVATE_ENDPOINT_CRED',
          ssl_server_cert_dn => NULL,
          directory_name => NULL,
          private_target => TRUE);
END;
/

DISABLE_APP_CONT Procedure

This procedure disables database application continuity for the session associated with the specified service name in Autonomous Database.

Syntax

DBMS_CLOUD_ADMIN.DISABLE_APP_CONT(
    service_name      IN VARCHAR2);

Parameters

Parameter Description

Parameter	Description
`service_name`	The `service_name` for the Autonomous Database service. To find service names: Look in the `tnsnames.ora` file in the `wallet.zip` that you download from an Autonomous Database for your connection. Click DB Connection on the Oracle Cloud Infrastructure Console. In the Connection Strings area, each connection string includes a `service_name` entry that contains the connection string for the corresponding service. When both Mutual TLS (mTLS) and TLS connections are allowed, under TLS Authentication select TLS to view the TNS names and connection strings for connections with TLS authentication. See View TNS Names and Connection Strings for an Autonomous Database Instance for more information. Query `V$SERVICES` view. For example: `SELECT name FROM V$SERVICES;`

service_name

The service_name for the Autonomous Database service.

To find service names:

Look in the tnsnames.ora file in the wallet.zip that you download from an Autonomous Database for your connection.
Click DB Connection on the Oracle Cloud Infrastructure Console. In the Connection Strings area, each connection string includes a service_name entry that contains the connection string for the corresponding service. When both Mutual TLS (mTLS) and TLS connections are allowed, under TLS Authentication select TLS to view the TNS names and connection strings for connections with TLS authentication. See View TNS Names and Connection Strings for an Autonomous Database Instance for more information.
Query V$SERVICES view. For example:
```
SELECT name FROM V$SERVICES;
```

Usage Notes

See Overview of Application Continuity for more information on Application Continuity.

Example

BEGIN
    DBMS_CLOUD_ADMIN.DISABLE_APP_CONT(
        service_name => 'nv123abc1_adb1_high.adb.oraclecloud.com' );
END;
/

Verify the value as follows:

SELECT name, failover_type FROM DBA_SERVICES;

NAME                                                    FAILOVER_TYPE
------------------------------------------------------- --------------
nv123abc1_adb1_high.adb.oraclecloud.com

DISABLE_EXTERNAL_AUTHENTICATION Procedure

Disables user authentication with external authentication schemes for the database.

Syntax

DBMS_CLOUD_ADMIN.DISABLE_EXTERNAL_AUTHENTICATION;

Exceptions

Exception	Error	Description
`invalid_ext_auth`	`ORA-20004`	See the accompanying message for a detailed explanation.

Example

BEGIN 
   DBMS_CLOUD_ADMIN.DISABLE_EXTERNAL_AUTHENTICATION;
END;
/

PL/SQL procedure successfully completed.

DISABLE_PRINCIPAL_AUTH Procedure

This procedure revokes principal based authentication for a specified provider on Autonomous Database and applies to the ADMIN user or to the specified user.

Syntax

DBMS_CLOUD_ADMIN.DISABLE_PRINCIPAL_AUTH(
       provider    IN VARCHAR2,
       username    IN VARCHAR2 DEFAULT 'ADMIN' );

Parameters

Parameter Description

Parameter	Description
`provider`	Specifies the type of provider. Valid values are: `OCI`, `AWS`, or `AZURE`.
`username`	Specifier the user to disable principal based authentication for. A null value is valid for the `username`. If `username` is not specified, the procedure applies for the `"ADMIN"` user.

provider

Specifies the type of provider. Valid values are: OCI, AWS, or AZURE.

username

Specifier the user to disable principal based authentication for.

A null value is valid for the username. If username is not specified, the procedure applies for the "ADMIN" user.

Usage Notes

When the provider value is AZURE and the username is ADMIN, the procedure disables Azure service principal based authentication on Autonomous Database and deletes the Azure application on the Autonomous Database instance.
When the provider value is AZURE and the username is a user other than the ADMIN user, the procedure revokes the privileges from the specified user. The ADMIN user and other users that are enabled to use the Azure service principal can continue to use ADMIN.AZURE$PA and the application that is created for the Autonomous Database instance remains on the instance.

Example

BEGIN 
     DBMS_CLOUD_ADMIN.DISABLE_PRINCIPAL_AUTH(
       provider => 'AZURE',
       username => 'SCOTT');
END;
/

DISABLE_RESOURCE_PRINCIPAL Procedure

Disable resource principal credential for the database or for the specified schema.

Syntax

DBMS_CLOUD_ADMIN.DISABLE_RESOURCE_PRINCIPAL(
   username         IN VARCHAR2);

Parameter

Parameter Description

Parameter	Description
`username`	Specifies an optional user name. The name of the database schema to remove resource principal access. If you do not supply a `username`, the `username` is set to ADMIN and the command removes the `OCI$RESOURCE_PRINCIPAL` credential.

username

Specifies an optional user name. The name of the database schema to remove resource principal access.

If you do not supply a username, the username is set to ADMIN and the command removes the OCI$RESOURCE_PRINCIPAL credential.

Exceptions

Exception	Error	Description
`resource principal is already disabled`	`ORA-20031`	If you attempt to disable the resource principal when it is already disabled.

Usage Notes

Resource principal is not available with refreshable clones.
You must set up a dynamic group and policies for the dynamic group before you call DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL.

See the following for more information on creating policies, creating a dynamic group, and creating rules:

Example

EXEC DBMS_CLOUD_ADMIN.DISABLE_RESOURCE_PRINCIPAL();

PL/SQL procedure successfully completed. 

SQL> select owner, credential_name from dba_credentials where credential_name = 'OCI$RESOURCE_PRINCIPAL'; 

No rows selected.

DROP_DATABASE_LINK Procedure

This procedure drops a database link.

Syntax

DBMS_CLOUD_ADMIN.DROP_DATABASE_LINK(
        db_link_name      IN VARCHAR2,
        public_link       IN BOOLEAN DEFAULT);

Parameters

Parameter Description

Parameter	Description
`db_link_name`	The name of the database link to drop.
`public_link`	To run `DBMS_CLOUD_ADMIN.DROP_DATABASE_LINK` with `public_link` set to `TRUE`, you must have the `DROP PUBLIC DATABASE LINK` system privilege. The default value for this parameter is `FALSE`.

db_link_name

The name of the database link to drop.

public_link

To run DBMS_CLOUD_ADMIN.DROP_DATABASE_LINK with public_link set to TRUE, you must have the DROP PUBLIC DATABASE LINK system privilege.

The default value for this parameter is FALSE.

Example

BEGIN
    DBMS_CLOUD_ADMIN.DROP_DATABASE_LINK(
        db_link_name => 'SALESLINK' );
END;
/

Usage Notes

After you are done using a database link and you run DBMS_CLOUD_ADMIN.DROP_DATABASE_LINK, to ensure security of your Oracle database remove any stored wallet files. For example:

Remove the wallet file in Object Store.
Use DBMS_CLOUD.DELETE_FILE to remove the wallet file from the data_pump_dir directory or from the user defined directory where the wallet file was uploaded.

ENABLE_APP_CONT Procedure

This procedure enables database application continuity for the session associated with the specified service name in Autonomous Database.

Syntax

DBMS_CLOUD_ADMIN.ENABLE_APP_CONT(
    service_name      IN VARCHAR2);

Parameters

Parameter Description

Parameter	Description
`service_name`	The `service_name` for the Autonomous Database service. To find service names: Look in the `tnsnames.ora` file in the `wallet.zip` that you download from an Autonomous Database for your connection. Click DB Connection on the Oracle Cloud Infrastructure Console. In the Connection Strings area, each connection string includes a `service_name` entry that contains the connection string for the corresponding service. When both Mutual TLS (mTLS) and TLS connections are allowed, under TLS Authentication select TLS to view the TNS names and connection strings for connections with TLS authentication. See View TNS Names and Connection Strings for an Autonomous Database Instance for more information. Query `V$SERVICES` view. For example: `SELECT name FROM V$SERVICES;`

service_name

The service_name for the Autonomous Database service.

To find service names:

Look in the tnsnames.ora file in the wallet.zip that you download from an Autonomous Database for your connection.
Click DB Connection on the Oracle Cloud Infrastructure Console. In the Connection Strings area, each connection string includes a service_name entry that contains the connection string for the corresponding service. When both Mutual TLS (mTLS) and TLS connections are allowed, under TLS Authentication select TLS to view the TNS names and connection strings for connections with TLS authentication. See View TNS Names and Connection Strings for an Autonomous Database Instance for more information.
Query V$SERVICES view. For example:
```
SELECT name FROM V$SERVICES;
```

Usage Notes

See Overview of Application Continuity for more information on Application Continuity.

Example

BEGIN
    DBMS_CLOUD_ADMIN.ENABLE_APP_CONT(
        service_name => 'nvthp2ht_adb1_high.adb.oraclecloud.com'
    );
END;
/

Verify the value as follows:

SELECT name, failover_type FROM DBA_SERVICES;

NAME                                                    FAILOVER_TYPE
------------------------------------------------------- -------------
nvthp2ht_adb1_high.adb.oraclecloud.com                 TRANSACTION

ENABLE_AWS_ARN Procedure

This procedure enables an Autonomous Database instance to use Amazon Resource Names (ARNs) to access AWS resources.

Syntax

DBMS_CLOUD_ADMIN.ENABLE_AWS_ARN(
       username     IN VARCHAR2 DEFAULT NULL,
       grant_option IN BOOLEAN DEFAULT FALSE);

Parameters

Parameter Description

Parameter	Description
`username`	Name of the user to enable to use Amazon Resource Names (ARNs). A null value is valid for the `username`. If `username` is not specified, the procedure applies for the `"ADMIN"` user.
`grant_option`	When `username` is supplied, if `grant_option` is `TRUE` the specified `username` can enable Amazon Resource Names (ARNs) usage for other users.

username

Name of the user to enable to use Amazon Resource Names (ARNs).

A null value is valid for the username. If username is not specified, the procedure applies for the "ADMIN" user.

grant_option

When username is supplied, if grant_option is TRUE the specified username can enable Amazon Resource Names (ARNs) usage for other users.

Example

BEGIN
    DBMS_CLOUD_ADMIN.ENABLE_AWS_ARN(
        username => 'adb_user'); 
END;
/

Usage Note

You must be the ADMIN user to run the procedure DBMS_CLOUD_ADMIN.ENABLE_AWS_ARN.

See Use Amazon Resource Names (ARNs) to Access AWS Resources for more information.

ENABLE_EXTERNAL_AUTHENTICATION Procedure

Enable users to login to the database with external authentication schemes.

Syntax

DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
   type         IN VARCHAR2,
   force        IN BOOLEAN DEFAULT FALSE,
   params       IN CLOB DEFAULT NULL
);

Parameter

Parameter Description

Parameter	Description
`type`	Specifies the external authentication type. Valid values: or . `'OCI_IAM'` `'AZURE_AD'` `'CMU'` `'KERBEROS'`
`force`	(Optional) Override a currently enabled external authentication scheme. Valid values are `TRUE` or `FALSE`. The default value is `FALSE`.
`params`	A JSON string that provides additional parameters for the external authentication. `CMU` parameters: `location_uri`: specifies the cloud storage URI for the bucket where files required for CMU are stored. If you specify `location_uri` there is a fixed name directory object `CMU_WALLET_DIR` created in the database at the path `'cmu_wallet'` to save the CMU configuration files. In this case, you do not need to supply the `directory_name` parameter. `credential_name`: specifies the credentials that are used to download the CMU configuration files from the Object Store to the directory object. Default value is `NULL` which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder. `directory_name`: specifies the directory name where configuration files required for CMU are stored. If `directory_name` is supplied, you are expected to copy the CMU configuration files `dsi.ora` and `cwallet.sso` to this directory object. `KERBEROS` parameters: `location_uri`: specifies the cloud storage URI for the the bucket where files required for Kerberos are stored. If you specify `location_uri` there is a fixed name directory object `KERBEROS_DIR` created in the database to save the Kerberos configuration files. In this case, you do not need to supply the `directory_name` parameter. `credential_name`: specifies the credential that are used to download Kerberos configuration files from the Object Store location to the directory object. Default value is `NULL` which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder. `directory_name`: specifies the directory name where files required for Kerberos are stored. If `directory_name` is supplied, you are expected to copy the Kerberos configuration files to this directory object. `AZURE_AD` parameters: `tenant_id`: Tenant ID of the Azure Account. Tenant Id specifies the Autonomous Database instance's Azure AD application registration. `application_id`: Azure Application ID created in Azure AD to assign roles/schema mappings for external authentication in the Autonomous Database instance. `application_id_uri`: Unique URI assigned to the Azure Application. This it the identifier for the Autonomous Database instance. The name must be domain qualified (this supports cross tenancy resource access). The maximum length for this parameter is 256 characters.

type

Specifies the external authentication type. Valid values: or .

'OCI_IAM'
'AZURE_AD'
'CMU'
'KERBEROS'

force

(Optional) Override a currently enabled external authentication scheme. Valid values are TRUE or FALSE.

The default value is FALSE.

params

A JSON string that provides additional parameters for the external authentication.

CMU parameters:

location_uri: specifies the cloud storage URI for the bucket where files required for CMU are stored.
If you specify location_uri there is a fixed name directory object CMU_WALLET_DIR created in the database at the path 'cmu_wallet' to save the CMU configuration files. In this case, you do not need to supply the directory_name parameter.
credential_name: specifies the credentials that are used to download the CMU configuration files from the Object Store to the directory object.
Default value is NULL which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder.
directory_name: specifies the directory name where configuration files required for CMU are stored. If directory_name is supplied, you are expected to copy the CMU configuration files dsi.ora and cwallet.sso to this directory object.

KERBEROS parameters:

location_uri: specifies the cloud storage URI for the the bucket where files required for Kerberos are stored.
If you specify location_uri there is a fixed name directory object KERBEROS_DIR created in the database to save the Kerberos configuration files. In this case, you do not need to supply the directory_name parameter.
credential_name: specifies the credential that are used to download Kerberos configuration files from the Object Store location to the directory object.
Default value is NULL which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder.
directory_name: specifies the directory name where files required for Kerberos are stored. If directory_name is supplied, you are expected to copy the Kerberos configuration files to this directory object.

AZURE_AD parameters:

tenant_id: Tenant ID of the Azure Account. Tenant Id specifies the Autonomous Database instance's Azure AD application registration.
application_id: Azure Application ID created in Azure AD to assign roles/schema mappings for external authentication in the Autonomous Database instance.
application_id_uri: Unique URI assigned to the Azure Application.
This it the identifier for the Autonomous Database instance. The name must be domain qualified (this supports cross tenancy resource access).

The maximum length for this parameter is 256 characters.

Exceptions

Exception	Error	Description
`invalid_ext_auth`	`ORA-20004`	See the accompanying message for a detailed explanation.

Usage Notes

With type OCI_IAM, if the resource principal is not enabled on the Autonomous Database instance, this routine enables resource principal with DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL.
This procedure sets the system parameters IDENTITY_PROVIDER_TYPE and IDENTITY_PROVIDER_CONFIG to required users to access the instance with Oracle Cloud Infrastructure Identity and Access Management authentication and authorization.

Examples

Enable OCI_IAM Authentication

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'OCI_IAM',
     force=> TRUE );
END;
/

PL/SQL procedure successfully completed.

Enable CMU Authentication for Microsoft Active Directory

You pass in a directory name that contains the CMU configuration files through params JSON argument.

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'CMU',
     force => TRUE,
     params => JSON_OBJECT('directory_name' value 'CMU_DIR'); // CMU_DIR directory object already exists
END;
/

PL/SQL procedure successfully completed.

You pass in a location URI pointing to an Object Storage location that contains CMU configuration files through params JSON argument.

BEGIN
   DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
       type     => 'CMU',
       params   => JSON_OBJECT('location_uri' value 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o',
                               'credential_name' value 'my_credential_name')
   );
END;
/

PL/SQL procedure successfully completed.

Enable Azure AD Authentication

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'AZURE_AD',
     force => TRUE,
     params   => JSON_OBJECT( 'tenant_id' VALUE '....',
                              'application_id' VALUE '...',
                              'application_id_uri' VALUE '.....' ));
END;
/

PL/SQL procedure successfully completed.

Enable Kerberos Authentication

You pass in a directory name that contains Kerberos configuration files through params JSON argument.

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'KERBEROS',
     force => TRUE,
     params => JSON_OBJECT('directory_name' value 'KERBEROS_DIR'); // KERBEROS_DIR directory object already exists
END;
/

PL/SQL procedure successfully completed.

You pass in a location URI pointing to an Object Storage location that contains Kerberos configuration files through params JSON argument.

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'KERBEROS',
     force => TRUE,
     params => JSON_OBJECT('location_uri' value 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o',
                           'credential_name' value 'my_credential_name');
END;
/

PL/SQL procedure successfully completed.

ENABLE_FEATURE Procedure

This procedure enables the specified feature on the Autonomous Database instance.

Syntax

DBMS_CLOUD_ADMIN.ENABLE_FEATURE(
    feature_name     IN VARCHAR2);

Parameters

Parameter	Description
`feature_name`	Name of the feature to enable. The only supported value is: `'JAVAVM'`.

Example

BEGIN
   DBMS_CLOUD_ADMIN.ENABLE_FEATURE (
        feature_name => 'JAVAVM' );
END;
/

Usage Note

After you run DBMS_CLOUD_ADMIN.ENABLE_FEATURE with feature_name value 'JAVAVM', you must restart the Autonomous Database instance to install Oracle Java.

ENABLE_PRINCIPAL_AUTH Procedure

This procedure enables principal authentication on Autonomous Database for the specified provider and applies to the ADMIN user or the specified user.

Syntax

DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(
       provider    IN VARCHAR2,
       username    IN VARCHAR2 DEFAULT 'ADMIN',
       params      IN CLOB DEFAULT NULL);

Parameters

Parameter Description

Parameter	Description
`provider`	Specifies the type of provider. Valid values: `OCI`, `AWS`, or `AZURE`.
`username`	Name of the user who has principal authentication usage enabled. A null value is valid for the `username`. If `username` is not specified, the procedure applies for the `"ADMIN"` user.
`params`	Specifies the configuration parameters. When the `provider` parameter is `AWS` or `OCI`, `params` is not required. The default value is `NULL`. When the `provider` parameter is `AZURE`, the following options are valid: `azure_tenantid`: with the value of the Azure tenant ID. `grant_option`: with the value specified as a boolean value: `TRUE` or `FALSE`. The default is `FALSE`. When `TRUE` and a `username` is specified, the specified user can enable Azure principal authentication for other users.

provider

Specifies the type of provider.

Valid values: OCI, AWS, or AZURE.

username

Name of the user who has principal authentication usage enabled.

A null value is valid for the username. If username is not specified, the procedure applies for the "ADMIN" user.

params

Specifies the configuration parameters.

When the provider parameter is AWS or OCI, params is not required. The default value is NULL.

When the provider parameter is AZURE, the following options are valid:

azure_tenantid: with the value of the Azure tenant ID.

grant_option: with the value specified as a boolean value: TRUE or FALSE. The default is FALSE. When TRUE and a username is specified, the specified user can enable Azure principal authentication for other users.

Usage Note

When the provider parameter is AZURE, the params parameter must include the azure_tenantid in the following cases:

When DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH is called for the first time.
When DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH is called for the first time after DBMS_CLOUD_ADMIN.DISABLE_PRINCIPAL_AUTH is called with the provider parameter AZURE and the username ADMIN.

Example

BEGIN 
     DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(
       provider => 'AZURE',
       username => 'SCOTT',
       params   => JSON_OBJECT('azure_tenantid' value 'azure_tenantid'));
END;
/

ENABLE_RESOURCE_PRINCIPAL Procedure

Enable resource principal credential for the database or for the specified schema. This procedure creates the credential OCI$RESOURCE_PRINCIPAL.

Syntax

DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL(
   username         IN VARCHAR2,
   grant_option     IN BOOLEAN DEFAULT FALSE);

Parameter

Parameter Description

Parameter	Description
`username`	Specifies an optional user name. The name of the database schema to be granted resource principal access. If you do not supply a `username`, the `username` is set to ADMIN.
`grant_option`	When `username` is supplied, if `grant_option` is `TRUE` the specified `username` can enable resource principal usage for other users.

username

Specifies an optional user name. The name of the database schema to be granted resource principal access.

If you do not supply a username, the username is set to ADMIN.

grant_option

When username is supplied, if grant_option is TRUE the specified username can enable resource principal usage for other users.

Exceptions

Exception	Error	Description
`resource principal is already enabled`	`ORA-20031`	If you attempt to enable the resource principal when it is already enabled.

Usage Notes

You must call DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL with the ADMIN username or with no arguments before you call DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL with a username for a database user schema.
Resource principal is not available with refreshable clones.
You must set up a dynamic group and policies for the dynamic group before you call DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL.

See the following for more information: for more information on creating a dynamic group and creating rules.

See for more information on policies.

Example

EXEC DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL();

PL/SQL procedure successfully completed. 

SQL> select owner, credential_name from dba_credentials where credential_name = 'OCI$RESOURCE_PRINCIPAL'; 

OWNER    CREDENTIAL_NAME
-------  ---------------
ADMIN    OCI$RESOURCE_PRINCIPAL

REPLAY_WORKLOAD Procedure

This procedure enables the ADMIN user to initiate a workload replay. This procedure allows you to replay the capture files from an on-premises database or other cloud service databases.

Syntax


DBMS_CLOUD_ADMIN.REPLAY_WORKLOAD(
        location_uri      IN VARCHAR2,               
        credential_name   IN VARCHAR2 DEFAULT NULL,
        synchronization   IN BOOLEAN  DEFAULT TRUE,
        process_capture   IN BOOLEAN  DEFAULT TRUE);

Parameters

Parameter	Description
`location_uri`	Specifies URI, that points to an Object Storage location that contains the captured files. This parameter is mandatory.
`credential_name`	Specifies the credential to access the object storage bucket. If you do not supply a `credential_name` value, the `credential_name` is set to NULL.
`synchronization`	Specifies the synchronization method used during workload replay. `TRUE` specifies that the synchronization is based on `SCN`. `FALSE` specifies that the synchronization is based on `TIME`. If you do not supply a `synchronization` value, the `synchronization` is set to TRUE.
`process_capture`	Specifies whether you need to specify `process_capture` value or not. It can be set to FALSE only when you replay the same workload on the target database repeatedly. If you do not supply a `process_capture` value, the `process_capture` is set to TRUE.

Example to replay the workload from an on-premises or other cloud service database into an Autonomous Database:

BEGIN 
  DBMS_CLOUD_ADMIN.REPLAY_WORKLOAD(
        location_uri    => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o',
        credential_name => 'CRED_TEST',
        synchronization => TRUE,
        process_capture => TRUE);    
END;
/

When you run this procedure, it:

Downloads the capture files from the Object Storage location specified in location_uri, processes the capture files based on the process_capture parameter value.
Replays the captured workload based on the synchronization parameter value.

In this example, namespace-string is the Oracle Cloud Infrastructure object storage namespace and bucketname is the bucket name. See Understanding Object Storage Namespaces for more information.

See Navigate to Oracle Cloud Infrastructure Object Storage and Create Bucket for more information on Object Storage.

See Upload Files to Your Oracle Cloud Infrastructure Object Store Bucket for more information on uploading files to Object Storage.

The credential_name you use in this step is the credentials for the Object Store.

You don't need to create a credential to access Oracle Cloud Infrastructure Object Store if you enable resource principal credentials. See Use Resource Principal to Access Oracle Cloud Infrastructure Resources for more information.

Usage Notes

Run this procedure as the ADMIN user.
Before you start replay, you should upload the cap and capfiles subdirectories containing capture files that are created during capture to the Object Storage location.