Manually Register a Target Database
Oracle recommends using the Oracle Data Safe registration wizards for registering databases with Oracle Data Safe; however, advanced users can also use the manual registration option on the Target databases page. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.
Manual registration allows you to select Oracle Data Safe private endpoints on VCNs peered with your database’s VCN, which you cannot do using a registration wizard.
You can also choose to register an Autonomous AI Database directly from the database’s details page in Oracle Cloud Infrastructure. If your Autonomous AI Database has a public IP address, you simply select the Register link and you are done. If you are registering an Autonomous AI Database with a private IP address, you need to have an Oracle Data Safe private endpoint created beforehand. When registering an Autonomous AI Database on Dedicated Exadata Infrastructure, you need to provide the ADMIN database user credentials.
Preregistration Tasks for Manual Target Database Registration
Before manually registering a database as an Oracle Data Safe target database, be sure to complete the following preregistration tasks.
- Obtain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for registering your target database. See the following:
  - Permissions to Register an Autonomous AI Database with Oracle Data Safe
  - Permissions to Register an Oracle Cloud Database with Oracle Data Safe
  - Permissions to Register an On-Premises Oracle Database with Oracle Data Safe
  - Permissions to Register an Oracle Database on a Compute Instance with Oracle Data Safe
  - Permissions to Register an Oracle Cloud@Customer Database with Oracle Data Safe
  - Permissions to Register an Amazon RDS for Oracle Database with Oracle Data Safe
- If needed, create an Oracle Data Safe private endpoint or an Oracle Data Safe on-premises connector to connect Oracle Data Safe to your target database. See the following:
- If you are using an Oracle Data Safe private endpoint to connect your target database to Oracle Data Safe, create the necessary security rules. If your database resides in Oracle Cloud Infrastructure (OCI), create an ingress and egress rule. Otherwise, only create an egress rule in OCI and configure your own database network to allow incoming traffic from the Oracle Data Safe private endpoint. See Add Security Rules.
- (Non-Autonomous AI Databases only) Create an Oracle Data Safe service account on your database. See Create an Oracle Data Safe Service Account on Your Database.
- Grant and revoke roles from the Oracle Data Safe service account on your target database to allow or disallow Oracle Data Safe features on the database. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.
- (Non-Autonomous AI Databases only) If you plan to configure a TLS connection to your target database, then you need to do the following:
  - If you are connecting to your target database via an Oracle Data Safe private endpoint, create a wallet or certificate. See Create a Wallet or Certificates for a TLS Connection.
  - If you are connecting to your target database via an Oracle Data Safe on-premises connector, configure the TLS connection between your on-premises database and the on-premises connector on your host machine. See Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Database.
- (Autonomous AI Database on Dedicated Exadata Infrastructure) If Database Vault is enabled on the database, connect to your database as a user with the DV_ACCTMGR role and temporarily grant the DV_ACCTMGR role to the ADMIN user.
- (Autonomous AI Database on Exadata Cloud@Customer) Configure a TLS connection between the on-premises connector on your host machine and your Autonomous AI Database. See Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and an Autonomous AI Database on Exadata Cloud@Customer Database.
- (Amazon RDS at Oracle) Add the security certificate for the Amazon RDS specific region. See Add the Security Certificate for the Amazon RDS Specific Region.
Manually Register an Autonomous AI Database
If your database has a private IP address, then you need to select a private endpoint compartment and name. If the private endpoint is not yet created, exit manual registration and create one.
- From the navigation menu in Oracle Cloud Infrastructure (OCI), select Oracle AI Database, and then under Data Safe - Database Security, select Target Databases.
- Select Register database.
- Configure the Register target database page as described in the following table.

| Field | Instruction |
| --- | --- |
| Database type | Select Autonomous AI Database. |
| Select database compartment | Select the compartment where your database is stored. |
| Select database | Select the name of your database. |
| Data Safe target display name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
| Description | (Optional) Enter a description that is meaningful to you. |
| Compartment | Select the compartment where you want to store the target database registration information. The compartment doesn’t have to be the same compartment in which the actual database resides. |
| (if required) Select private endpoint compartment | Select the compartment that stores your Oracle Data Safe private endpoint. |
| (if required) Select private endpoint | Select your Oracle Data Safe private endpoint. |

- (Optional) To add a tag to organize and track this resource in your tenancy, select Add tag. Select a namespace, select a key, and enter a key value.
- Select Register.
Manually Register an Oracle Cloud Database
- From the navigation menu in Oracle Cloud Infrastructure (OCI), select Oracle AI Database, and then under Data Safe - Database Security, select Target Databases.
- Select Register database.
- Configure the Register target database page as described in the following table.

| Field | Instruction |
| --- | --- |
| Database type | Select Oracle cloud database. |
| Cloud database type | Select Oracle Base Database, Oracle Exadata Database Service on Dedicated Infrastructure, Oracle Exadata Database Service on Exascale Infrastructure, Oracle Exadata Database Service@AWS, Oracle Exadata Database Service@Azure, or Oracle Exadata Database Service@GCP. |
| Select database compartment | Select the compartment where your database is stored. |
| Select database/Select VM cluster | Select the name of your database or VM cluster. |
| Select PDB from list | Select this option if you want to identify your PDB by its name. After you select this option, select the name of your database and the name of your PDB. |
| Enter database service name | Select this option if you want to specify the database service name of your target database. After you select this option, under Data Safe target connection details, enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: select sys_context('userenv','service_name') from dual; |
| Data Safe target display name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
| Compartment | Select the compartment where you want to store the target database registration information. The compartment doesn’t have to be the same compartment in which the actual database resides. |
| Description | (Optional) Enter a description that is meaningful to you. |
| Database port number | Enter the database port number. For Oracle Exadata Database Service on Dedicated Infrastructure, enter the port number of the SCAN listener. |
| TCP/TLS | Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in PEM, PKCS#12 wallet, or JKS wallet format. You can also enter the wallet password if required. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled. |
| Select private endpoint compartment | Select the compartment that stores your Oracle Data Safe private endpoint. |
| Select private endpoint | Select your Oracle Data Safe private endpoint. If you do not have a private endpoint created, exit manual registration and create one. |
| Download privilege script | To grant roles to the Oracle Data Safe user account on your target database, select Download privilege script and save the datasafe_privileges.sql script to your computer. The script includes instructions. See Grant Roles to the Oracle Data Safe Service on a Non-Autonomous AI Database. |
| Data Safe user and Database password | Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed if it exists on your target database (for example, DATASAFE$ADMIN). The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user. |

- (Optional) To add a tag to organize and track this resource in your tenancy, select Add tag. Select a namespace, select a key, and enter a key value.
- Select Register.
Manually Register an On-Premises Oracle Database
- From the navigation menu in Oracle Cloud Infrastructure, select Oracle AI Database, and then select Data Safe - Database Security.
- Under Data Safe - Database Security, select Target Databases.
- Select Register database.
- Configure the Register target database page as described in the following table.

| Field | Instruction |
| --- | --- |
| Database type | Select On-premises Oracle database. |
| Data Safe target display name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
| Description | (Optional) Enter a description that is meaningful to you. |
| Compartment | Select the compartment where you want to store the target database registration information. The compartment doesn’t have to be the same compartment in which the actual database resides. |
| Choose a connectivity option | Select On-premises connector or Private endpoint. |
| Select a private endpoint (or on-premises connector) compartment | Select the compartment that stores your Oracle Data Safe private endpoint (or on-premises connector). |
| Select private endpoint (or on-premises connector) | Select the name of an existing Oracle Data Safe private endpoint (or on-premises connector). |
| TCP/TLS | This option is available if you are using a private endpoint. Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in PEM, PKCS#12 wallet, or JKS wallet format. You can also enter the wallet password if required. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled. |
| Database service name | Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: select sys_context('userenv','service_name') from dual; |
| Database IP address | Enter the database IP addresses for each database node listener. Separate the IP addresses with a comma. For a RAC database, enter the IP addresses for the RAC database nodes. |
| Database port number | Enter a custom port number; otherwise the default, pre-filled port number is used. All node listeners have to run on the same port for on-premises databases. |
| Download Privilege Script | To grant roles to the Oracle Data Safe user account on your target database, click Download privilege script and save the datasafe_privileges.sql script to your computer. The script includes instructions. See Grant Roles to the Oracle Data Safe Service on a Non-Autonomous AI Database. |
| Database username and Database password | Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed (DATASAFE$ADMIN). The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user. |

- (Optional) To add a tag to organize and track this resource in your tenancy, select Add tag. Select a namespace, select a key, and enter a key value.
- Select Register.
Manually Register an Oracle Database on a Compute Instance
- From the navigation menu in Oracle Cloud Infrastructure, select Oracle AI Database, and then select Data Safe - Database Security.
- Under Data Safe - Database Security, select Target Databases.
- Select Register database.
- Configure the Register target database page as described in the following table.

| Field | Instruction |
| --- | --- |
| Database type | Select Oracle database on compute. |
| Cloud environment | Select Oracle Cloud Infrastructure if your database runs in Oracle Cloud Infrastructure, or select AWS or other cloud environment if your target database runs in a non-Oracle cloud environment. |
| Select database compartment | (for an OCI database) Select the compartment that stores your database. |
| Select database | (for an OCI database) Select the name of your database. |
| Data Safe target display name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
| Description | (Optional) Enter a description that is meaningful to you. |
| Compartment | Select the compartment where you want to store the target database registration information. The compartment doesn’t have to be the same compartment in which the actual database resides. |
| Choose a connectivity option | Select Private endpoint or On-premises connector. If your target database runs in Oracle Cloud Infrastructure, Oracle recommends you use a private endpoint. If your target database runs in a non-Oracle cloud environment, Oracle recommends you use an on-premises connector. If you select Private endpoint and already have one created, Oracle Data Safe automatically selects it for you. In this case, the options to choose a compartment and private endpoint name are not displayed. |
| Select private endpoint (or on-premises connector) compartment | Select the name of the compartment that stores your Oracle Data Safe private endpoint (or on-premises connector). |
| Select private endpoint (or on-premises connector) | Select the name of an existing Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. |
| TCP/TLS | This option is available if you are using a private endpoint. Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in PEM, PKCS#12 wallet, or JKS wallet format. You can also enter the wallet password if required. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled. |
| Database service name | Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: select sys_context('userenv','service_name') from dual; |
| Database IP address | (Non-Oracle cloud environments) Enter the database IP address for your target database. |
| Database port number | Enter a port number. |
| Download privilege script | To grant roles to the Oracle Data Safe user account on your target database, click Download privilege script and save the datasafe_privileges.sql script to your computer. The script includes instructions. See Grant Roles to the Oracle Data Safe Service on a Non-Autonomous AI Database. |
| Database user and Database password | Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed (DATASAFE$ADMIN). The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user. |

- (Optional) To add a tag to organize and track this resource in your tenancy, select Add tag. Select a namespace, select a key, and enter a key value.
- Select Register.
Manually Register an Oracle Cloud@Customer Database
- From the navigation menu in Oracle Cloud Infrastructure, select Oracle AI Database, and then select Data Safe - Database Security.
- Under Data Safe - Database Security, select Target Databases.
- Select Register database.
- Configure the Register target database page as described in the following table.

| Field | Instruction |
| --- | --- |
| Database type | Select Oracle Cloud@Customer database. |
| Cloud@Customer database type | Select Oracle Exadata Database Service on Cloud@Customer or Autonomous AI Database on Exadata Cloud@Customer. |
| Select VM cluster (or database) compartment | Select the compartment that stores your VM cluster or database. |
| Select VM cluster (or database) | Select the VM cluster or database. |
| Select PDB from list | Select this option if you want to identify your PDB by its name. After you select this option, select the name of your database and the name of your PDB. |
| Enter database service name | (Oracle Exadata Database Service on Cloud@Customer) Select this option if you want to specify the database service name of your target database. After you select this option, under Data Safe target connection details, enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: select sys_context('userenv','service_name') from dual; |
| Data Safe target display name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
| Description | (Optional) Enter a description that is meaningful to you. |
| Compartment | Select the compartment where you want to store the target database registration information. The target database does not need to be stored in the same compartment as the VM cluster or database. |
| Choose a connectivity option | Select Private endpoint or On-premises connector. |
| Select private endpoint (or on-premises connector) compartment | Select the compartment that stores your Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. |
| Select private endpoint (or on-premises connector) | Select your Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. |
| TCP/TLS | (Oracle Exadata Database Service on Cloud@Customer) This option is available if you are using a private endpoint. Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in PEM, PKCS#12 wallet, or JKS wallet format. You can also enter the wallet password if required. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled. |
| Database port number | (Oracle Exadata Database Service on Cloud@Customer) (Optional) If the database listener is not running on the default port, enter the custom port number; otherwise, leave this field blank. |
| Download privilege script | (Oracle Exadata Database Service on Cloud@Customer) To grant roles to the Oracle Data Safe user account on your target database, click Download privilege script and save the datasafe_privileges.sql script to your computer. The script includes instructions. See Grant Roles to the Oracle Data Safe Service on a Non-Autonomous AI Database. |
| Database user name and Database password | For Oracle Exadata Database Service on Cloud@Customer: Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed (DATASAFE$ADMIN for Oracle Exadata Database Service on Cloud@Customer or ADMIN for Autonomous AI Database on Exadata Cloud@Customer). The user name is case-insensitive, unless you enclose it in quotation marks. The password must be between 14 and 30 characters long and must contain at least 1 uppercase, 1 lowercase, 1 numeric, and 1 special character. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user. |

- (Optional) To add a tag to organize and track this resource in your tenancy, select Add tag. Select a namespace, select a key, and enter a key value.
- Select Register.
Manually Register an Amazon RDS for Oracle Database
- From the navigation menu in Oracle Cloud Infrastructure, select Oracle AI Database, and then select Data Safe - Database Security.
- Under Data Safe - Database Security, select Target Databases.
- Select Register database.
- Configure the Register target database page as described in the following table.

| Field | Instruction |
| --- | --- |
| Database type | Select Amazon RDS for Oracle. |
| Data Safe target display name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
| Description | (Optional) Enter a description that is meaningful to you. |
| Compartment | Select the compartment where you want to store the target database registration information. The compartment doesn’t have to be the same compartment in which the actual database resides. |
| Choose a connectivity option | Select Private endpoint or On-premises connector. |
| Select private endpoint (or on-premises connector) compartment | Select the name of the compartment that stores your Oracle Data Safe private endpoint (or on-premises connector). |
| Select private endpoint (or on-premises connector) | Select the name of an existing Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. |
| TCP/TLS | This option is available if you are using a private endpoint. Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in PEM, PKCS#12 wallet, or JKS wallet format. You can also enter the wallet password if required. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled. |
| Database service name | Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: select sys_context('userenv','service_name') from dual; |
| Database IP address | Enter the database IP address/endpoint for your target database. |
| Database port number | Enter a port number. |
| Download privilege script | To grant roles to the Oracle Data Safe user account on your target database, click Download privilege script and save the datasafe_privileges.sql script to your computer. The script includes instructions. See Grant Roles to the Oracle Data Safe Service on a Non-Autonomous AI Database. |
| Database user and Database password | Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed (DATASAFE$ADMIN). The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user. |

- (Optional) To add a tag to organize and track this resource in your tenancy, select Add tag. Select a namespace, select a key, and enter a key value.
- Select Register.
Post Registration Tasks for Manual Target Database Registration
After you complete the manual target database registration, perform the following post registration tasks as needed:
- (Optional) Grant users access to Oracle Data Safe features with the target database by configuring IAM policies. See Create IAM Policies for Oracle Data Safe Users.
- (Optional) Change which features are allowed for the Oracle Data Safe service account on your target database by granting roles to or revoking roles from the account. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.
- For an Autonomous AI Database on Dedicated Exadata Infrastructure only: If Database Vault is enabled on your target database, connect to your target database as a user with the DV_ACCTMGR role and revoke the DV_ACCTMGR role from the ADMIN user.
- For a target database outside of Oracle Cloud Infrastructure (OCI), make sure to allow ingress traffic to your target database from the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector.
- (If you are using an on-premises connector) Oracle recommendation: Ensure that only the on-premises client can connect to your on-premises Oracle database by specifying, in the sqlnet.ora parameter called INVITED_NODES, the clients that are allowed to access your database.
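
The sqlnet.ora recommendation above can be checked mechanically. The following Python audit is an added example, not Oracle's code: it assumes the full parameter name TCP.INVITED_NODES and its companion TCP.VALIDNODE_CHECKING (which this page does not name), and the sample file contents, host names and allow-list are constructed.

```python
import re

# Constructed sample sqlnet.ora files (not from the original page).
WEAK = """\
# network settings
SQLNET.ENCRYPTION_SERVER = REQUIRED
TCP.INVITED_NODES = (10.0.5.21, 10.0.*)
"""

HARDENED = """\
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.5.21,
                     dbhost01.example.internal)
"""

# Constructed allow-list: the on-premises connector host and the database host.
ALLOWED = {"10.0.5.21", "dbhost01.example.internal"}

PARAM = re.compile(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def parse_sqlnet(text):
    """Return {PARAMETER: value}. Parameter names start in column 1,
    indented lines continue the previous value, '#' starts a comment."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if name and raw[0].isspace():
            params[name] += " " + line.strip()
            continue
        m = PARAM.match(line)
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2).strip()
    return params


def invited_nodes(params):
    """Split the parenthesised TCP.INVITED_NODES value into its entries."""
    inner = params.get("TCP.INVITED_NODES", "").strip().strip("()")
    return [n.strip() for n in inner.split(",") if n.strip()]


def audit(text, allowed):
    """Return a list of findings; an empty list means the file matches the allow-list."""
    params = parse_sqlnet(text)
    findings = []
    # Without valid-node checking switched on, the invited list is ignored.
    if params.get("TCP.VALIDNODE_CHECKING", "").upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES; TCP.INVITED_NODES is not enforced")
    nodes = invited_nodes(params)
    if not nodes:
        findings.append("TCP.INVITED_NODES is missing or empty")
    allowed_lc = {a.lower() for a in allowed}
    for node in nodes:
        if "*" in node or "/" in node:
            findings.append(f"wildcard or CIDR entry admits more than one host: {node}")
        elif node.lower() not in allowed_lc:
            findings.append(f"unexpected host in TCP.INVITED_NODES: {node}")
    listed = {n.lower() for n in nodes}
    for missing in sorted(allowed_lc - listed):
        findings.append(f"expected client not listed: {missing}")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample, ALLOWED) or "OK")
```
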