Manually Register a Target Database
You can manually register all supported target databases with Oracle Data Safe from the Target Databases page in Oracle Cloud Infrastructure.
Overview
Advanced users may prefer to register target databases manually with Oracle Data Safe instead of using a wizard. Manual registration requires that you're familiar with target registration concepts and know how to fulfill all of the preregistration tasks without the assistance of the wizard.
You can also choose to register an Autonomous Database directly from the database's details page in Oracle Cloud Infrastructure. If your Autonomous Database has a public IP address, you simply click the Register link and you are done. If you are registering an Autonomous Database with a private IP address, you need to have an Oracle Data Safe private endpoint created beforehand. When registering an Autonomous Database on Dedicated Exadata Infrastructure, you need to provide the ADMIN database user credentials.
Preregistration Tasks for Manual Target Database Registration
Before manually registering a database as an Oracle Data Safe target database, be sure to complete the following preregistration tasks.
- Obtain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for registering your target database. See the following:
- Permissions to Register an Autonomous Database with Oracle Data Safe
- Permissions to Register an Oracle Cloud Database with Oracle Data Safe
- Permissions to Register an On-Premises Oracle Database with Oracle Data Safe
- Permissions to Register an Oracle Database on Compute with Oracle Data Safe
- Permissions to Register an Oracle Cloud@Customer Database with Oracle Data Safe
- If needed, create an Oracle Data Safe private endpoint or an Oracle Data Safe on-premises connector to connect Oracle Data Safe to your target database. See the following:
- If you are using an Oracle Data Safe private endpoint to connect your target database to Oracle Data Safe, create the necessary ingress and/or egress security rules. See Add Security Rules.
- (Oracle Cloud Databases only) If your database has a public IP address, then add Oracle Data Safe's NAT gateway IP address to your virtual cloud network's network security group (NSG) or security list. See Add Oracle Data Safe's NAT Gateway IP Address to Your Virtual Cloud Network's Security List.
- (Non-Autonomous Databases only) Create an Oracle Data Safe service account on your database. See Create an Oracle Data Safe Service Account on Your Target Database.
- Grant and revoke roles from the Oracle Data Safe service account on your target database to allow or disallow Oracle Data Safe features on the database. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.
- (Non-Autonomous Databases only) If you plan to configure a TLS connection to your target database, then you need to do the following:
- If you are connecting to your target database via an Oracle Data Safe private endpoint, create a wallet or certificate. See Create a Wallet or Certificates for a TLS Connection.
- If you are connecting to your target database via an Oracle Data Safe on-premises connector, configure the TLS connection between your on-premises database and the on-premises connector on your host machine. See Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database.
- (Autonomous Database on Dedicated Exadata Infrastructure) If Database Vault is enabled on the database, connect to your database as a user with the DV_ACCTMGR role and temporarily grant the DV_ACCTMGR role to the ADMIN user. Remember to revoke it again after registration (see the post-registration tasks).
- (Autonomous Database on Exadata Cloud@Customer) Configure a TLS connection between the on-premises connector on your host machine and your Autonomous Database. See Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and an Autonomous Database on Exadata Cloud@Customer.
Manually Register an Autonomous Database
Oracle recommends using the Oracle Data Safe registration wizard for Autonomous Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterwards.
Manually Register an Oracle Cloud Database
Oracle recommends using the Oracle Data Safe registration wizard for Oracle Cloud Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterwards.
Manually Register an Oracle On-Premises Database
Oracle recommends using the Oracle Data Safe registration wizard for Oracle On-Premises Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterwards.
Manually Register an Oracle Database on Compute
Oracle recommends using the Oracle Data Safe registration wizard for an Oracle Database on Compute; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterwards.
Manually Register a Cloud@Customer Database
Oracle recommends using the Oracle Data Safe registration wizard for Oracle Cloud@Customer Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterwards.
- Sign in to Oracle Cloud Infrastructure (OCI).
- From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
- Under Data Safe on the left, click Target Databases.
- Click Register Database.
- For Database Type, select Oracle Cloud@Customer Database.
- For Choose a target type, select Exadata Cloud@Customer or Autonomous Database on Exadata Cloud@Customer, configure the fields for your target type, and then click Register.
Exadata Cloud@Customer target fields:
Field | Description |
---|---|
Select VM Cluster | Select a VM cluster. If needed, click Change Compartment, select a different compartment, and then select a VM cluster. |
Data Safe Target Display Name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
Description | (Optional) Enter a description that is meaningful to you. |
Compartment | Select the compartment where you want to store the target database registration information. The target database does not need to be stored in the same compartment as the VM cluster or database. You cannot change the compartment after the target database is registered. |
Choose a connectivity option | Select On-Premises Connector or Private Endpoint, and then select the name of an existing Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. If needed, click Change Compartment, browse to a different compartment, and then make your selection. |
Connection Protocol | Select TCP or TLS. If you select TLS, upload your JKS wallet's truststore.jks file and enter the wallet password. If client authentication is enabled on your target database, also upload the JKS wallet's keystore.jks file; this file is not required if client authentication is not enabled. |
Database Service Name | Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL*Plus: select sys_context('userenv','service_name') from dual; |
Database Port Number | (Optional) If the database listener is not running on the default port, enter the custom port number; otherwise, leave this field blank. |
Data Safe User and Database Password | Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed (DATASAFE$ADMIN). The user name is case-insensitive unless you enclose it in quotation marks. The password must be between 14 and 30 characters long and must contain at least 1 uppercase, 1 lowercase, 1 numeric, and 1 special character. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user. |
Download Privilege Script | To grant roles to the Oracle Data Safe user account on your target database, click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions. Also see Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database. |
Autonomous Database on Exadata Cloud@Customer target fields:
Field | Description |
---|---|
Select Database | Select a database. If needed, click Change Compartment, select a different compartment, and then select your database name. |
Data Safe Target Display Name | Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database. |
Description | (Optional) Enter a description that is meaningful to you. |
Compartment | Select the compartment where you want to store the target database registration information. The compartment doesn't have to be the same compartment in which the actual database resides. You cannot change the compartment after the target database is registered. |
Choose a connectivity option | Select On-Premises Connector or Private Endpoint, and then select the name of an existing Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. If needed, click Change Compartment, browse to a different compartment, and then make your selection. If you choose the on-premises connector, be sure to configure a TLS connection between the Connection Manager of the on-premises connector on your host machine and your target database. See Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database. |
Database Admin User and Database Password | Enter the credentials for the ADMIN user account on your target database. This is required to unlock the Oracle Data Safe user account that already exists on your database. |
Manually Register an Amazon RDS for Oracle Database
Oracle recommends using the Oracle Data Safe registration wizard; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.
Preregistration Tasks for Registering Amazon RDS for Oracle with a Private IP
Complete the following tasks before registering an Amazon RDS for Oracle database. Use the Private Endpoint tab if you have an established FastConnect or VPN Connect connection between your OCI tenancy and your Amazon cloud environment; otherwise, use the On-Premises Connector tab. If you are establishing a TCP connection, you do not need to perform the steps to create a wallet for a TLS connection.
On-Premises Connector
Task Number | Task | Link to Instructions |
---|---|---|
1 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register a database with Oracle Data Safe | Permissions to Register a Target Database with Oracle Data Safe |
2 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use an On-Premises Connector | Permissions for an Oracle Data Safe On-Premises Connector |
3 | Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user. Make sure to run the privilege script with the | Create an Oracle Data Safe Service Account on Your Target Database; Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database |
4 | Create an On-Premises Connector | Create an Oracle Data Safe On-Premises Connector |
5 | Add the security certificate for the Amazon RDS specific region | Add the Security Certificate for the Amazon RDS Specific Region |
6 | TLS connection only: Configure a TLS connection between the on-premises connector and your target database | Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database |
Private Endpoint
Task Number | Task | Link to Instructions |
---|---|---|
1 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register a database with Oracle Data Safe | Permissions to Register a Target Database with Oracle Data Safe |
2 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use an Oracle Data Safe Private Endpoint | Permissions for an Oracle Data Safe Private Endpoint |
3 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use the underlying virtual networking resources of the private endpoint | Virtual Cloud Networking Resources |
4 | Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user. Make sure to run the privilege script with the | Create an Oracle Data Safe Service Account on Your Target Database; Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database |
5 | Create an Oracle Data Safe private endpoint | Create an Oracle Data Safe Private Endpoint |
6 | Add the security certificate for the Amazon RDS specific region | Add the Security Certificate for the Amazon RDS Specific Region |
7 | TLS connection only: Create a wallet or certificate | Create a Wallet or Certificates for a TLS Connection |
Manually Register Amazon RDS for Oracle
Oracle recommends using the Oracle Data Safe registration wizard; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.
- Sign in to Oracle Cloud Infrastructure (OCI).
- From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
- Under Data Safe on the left, click Target Databases.
- Click Register Database.
- For Database Type, select Amazon RDS for Oracle.
- At DATA SAFE TARGET DISPLAY NAME, enter a target display name that is meaningful to you. Data Safe uses this name in its reports. All characters are accepted. The maximum number of characters is 255.
- (Optional) In the DESCRIPTION field, add a description that is meaningful to you.
- At COMPARTMENT, use the drop-down menu to select the compartment where you want to store the target database.
- Select either Private endpoint or On-premises connector as the connectivity option.
- Select an existing private endpoint or on-premises connector from the appropriate compartment.
- Select either TCP or TLS connection. If you select TLS connection:
  - (Private endpoint only) Convert the Amazon Web Services (AWS) region certificate that you downloaded as a prerequisite from PEM format to JKS truststore format, following the steps documented in Converting PEM-format keys to JKS format. For more information, see Add the Security Certificate for the Amazon RDS Specific Region.
  - (Private endpoint only) Upload your JKS wallet's truststore.jks file and enter the wallet password. This file is required whether or not client authentication is enabled on your target database.
  - (Private endpoint only) If client authentication is enabled on your target database, also upload the JKS wallet's keystore.jks file. This file is not required when client authentication is disabled.
  Note: In your AWS environment you need to:
  - Configure an option group with the SSL option to enable SSL connections. After you enable the SSL option, the certificate authority is displayed. See Oracle Secure Sockets Layer and Creating an option group in the Amazon RDS documentation to learn how to enable the SSL option.
  - Modify the inbound rules on Amazon RDS to allow the TLS connection on port 2484, the default port of the SSL option.
- At DATABASE SERVICE NAME, enter the service name of the CDB or PDB. You can use the DB name shown on the Configuration tab of the Amazon RDS console as the service name.
- Enter the Database IP address/endpoint. Tip: When registering through a private endpoint, provide an IP address.
- Enter the Database port number. The port number can be found under the Connectivity & security tab of the Amazon RDS console.
- If you did not already grant roles to the Oracle Data Safe service account in the preregistration tasks, click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions on how to use it to grant privileges to the Oracle Data Safe service account on your target database. Also see the preregistration task Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database for additional details.
- At DATABASE USERNAME and DATABASE PASSWORD, enter the name and password of the user you created in the preregistration tasks. Oracle Data Safe uses this account to connect to the target database.
- Click Register.
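The PEM-to-JKS conversion and the port 2484 check in the steps above are easy to get wrong, because an Amazon RDS region CA bundle holds several certificates in one file and keytool imports only the first one. The following bash script is an added example, not part of the Oracle Data Safe or Amazon RDS documentation: it splits the downloaded bundle into single certificates, imports each into the truststore.jks that the TLS option asks for (the keystore password is the wallet password you enter on the registration form), and probes the RDS endpoint on port 2484 with openssl to confirm that the listener presents a chain that verifies against that bundle. RDS_CA_PEM, RDS_ENDPOINT and TRUSTSTORE_PASS are assumed environment variables; the split step is plain awk, the rest needs keytool and openssl installed.

```shell
#!/usr/bin/env bash
# Added example, not from the Oracle Data Safe or Amazon RDS documentation.
# Builds truststore.jks from the Amazon RDS region CA bundle and probes the
# SSL listener before registering the RDS instance over TLS.
# Assumptions: RDS_CA_PEM is the path of the downloaded region bundle,
# RDS_ENDPOINT is the instance endpoint, TRUSTSTORE_PASS is the password you
# will enter as the wallet password on the registration form.
set -u

# A region bundle carries several CA certificates in one PEM file, and
# "keytool -importcert" reads only the first one. Split the bundle into
# $outdir/ca-N.pem files and print how many certificates were written.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
    out != ""                    { print > out }
    /-----END CERTIFICATE-----/  { close(out); out = "" }
    END                          { print n + 0 }
  ' "$bundle"
}

# Import every split certificate into a fresh JKS truststore under its own
# alias (aliases must be unique), then print the number of trusted entries.
build_truststore() {
  local certdir="$1" store="$2" storepass="$3" f
  rm -f "$store"
  for f in "$certdir"/ca-*.pem; do
    keytool -importcert -noprompt -trustcacerts \
      -alias "rds-$(basename "$f" .pem)" -file "$f" \
      -keystore "$store" -storetype JKS -storepass "$storepass" >/dev/null
  done
  keytool -list -keystore "$store" -storepass "$storepass" | grep -c trustedCertEntry
}

# Confirm that the SSL option's listener (port 2484 by default) is reachable
# and that its certificate chain verifies against the region bundle. A
# "Verify return code: 0 (ok)" line means the TLS handshake can trust it.
probe_tls_listener() {
  local endpoint="$1" port="${2:-2484}" bundle="$3"
  openssl s_client -connect "$endpoint:$port" -CAfile "$bundle" \
    -verify_return_error </dev/null 2>&1 |
    grep -E 'subject=|issuer=|Verify return code'
}

# Stand-alone run: only does work when the bundle path is set.
if [ -n "${RDS_CA_PEM:-}" ]; then
  work=$(mktemp -d)
  echo "certificates in bundle: $(split_pem_bundle "$RDS_CA_PEM" "$work/certs")"
  echo "trusted entries in truststore.jks: $(build_truststore "$work/certs" \
    "$PWD/truststore.jks" "${TRUSTSTORE_PASS:-changeit}")"
  if [ -n "${RDS_ENDPOINT:-}" ]; then
    probe_tls_listener "$RDS_ENDPOINT" 2484 "$RDS_CA_PEM"
  fi
fi
```

If the number of trusted entries is lower than the number of certificates in the bundle, an import failed and the truststore will not validate the chain the listener presents; a non-zero verify return code from the probe usually means the wrong region bundle was downloaded or the SSL option is not enabled on the instance.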
Post Registration Tasks for Manual Target Database Registration
After you complete the manual target database registration, perform the following post registration tasks as needed:
- (Optional) Grant users access to Oracle Data Safe features with the target database by configuring IAM policies. See Create IAM Policies for Oracle Data Safe Users.
- (Optional) Change which features are allowed for the Oracle Data Safe service account on your target database by granting/revoking roles from the account. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.
- (Autonomous Database on Dedicated Exadata Infrastructure only) If Database Vault is enabled on your target database, connect to your target database as a user with the DV_ACCTMGR role and revoke the DV_ACCTMGR role from the ADMIN user that you granted temporarily during the preregistration tasks.
- For an Oracle Database on a compute instance, make sure the firewall of the compute instance is configured to allow ingress traffic from the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector.
- For an Oracle On-Premises Database or an Oracle Cloud@Customer Database, make sure to allow ingress traffic to your target database from the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector.