Register Amazon RDS for Oracle with an Oracle Data Safe Private Endpoint

If you intend to connect through a Data Safe private endpoint, you must have an established network peering connection, such as FastConnect or VPNConnect, between your Oracle Cloud Infrastructure (OCI) tenancy and your Amazon cloud environment prior to registering your target database.

Preregistration Tasks for Registering Amazon RDS for Oracle with an Oracle Data Safe Private Endpoint

The following tasks should be completed before you register a target database with Oracle Data Safe through a Data Safe Private Endpoint. One private endpoint can be used to register multiple target databases, but there can be only one private endpoint per Virtual Cloud Network (VCN). If you are establishing a TCP connection, you do not need to perform the steps that create a wallet for a TLS connection.

  1. In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register a database with Oracle Data Safe.
     Instructions: Permissions to Register a Target Database with Oracle Data Safe
  2. In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use an Oracle Data Safe Private Endpoint.
     Instructions: Permissions for an Oracle Data Safe Private Endpoint
  3. In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use the underlying virtual networking resources of the private endpoint.
     Instructions: Virtual Cloud Networking Resources
  4. Create an Oracle Data Safe service account on your target database and grant it the Oracle Data Safe roles. Create the service account as the SYS user.
     Make sure to run the privilege script with the -RDSORACLE parameter; it is required when you are registering an Amazon RDS for Oracle database.
     Instructions: Create an Oracle Data Safe Service Account on Your Target Database; Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database
  5. Create an Oracle Data Safe private endpoint.
     Instructions: Create an Oracle Data Safe Private Endpoint
  6. Add the security certificate for the Amazon RDS specific region.
     Instructions: Add the Security Certificate for the Amazon RDS Specific Region
  7. TLS connection only: Create a wallet or certificates.
     Instructions: Create a Wallet or Certificates for a TLS Connection

Run the Amazon RDS for Oracle Wizard

This is the Amazon RDS for Oracle registration workflow in the wizard:

Step 1: Target Information

  1. On the Overview page in the Oracle Data Safe service, find the Register Amazon RDS for Oracle tile and click Start Wizard.

    The wizard displays the Data Safe Target Information form.

  2. At DATA SAFE TARGET DISPLAY NAME, enter a target display name that is meaningful to you. Data Safe uses this name in its reports. All characters are accepted. The maximum number of characters is 255.
  3. At COMPARTMENT, use the drop-down menu to select the compartment where you want to store the target database.
  4. (Optional) In the DESCRIPTION field, add a description that is meaningful to you.
  5. At DATABASE SERVICE NAME, enter the service name of the CDB or PDB.

    You can use the database name shown on the Configuration tab of the Amazon RDS console as the service name.

  6. Enter the database IP address or endpoint.

    Tip:

    For registration via a private endpoint, provide an IP address.
  7. Enter the database port number.

    The port number can be found under the Connectivity and Security tab of the Amazon RDS console.

  8. Perform this step if you have not already granted roles to the database user in the preregistration tasks.

    Click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions on how to use it to grant privileges to the Oracle Data Safe service account on your target database. You should also refer to the preregistration task Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database for some additional details.

  9. At DATABASE USERNAME and DATABASE PASSWORD, enter the name and password of the user you created in the preregistration tasks. If the user name is mixed case, enclose it in double-quotes (" "). Oracle Data Safe uses this account to connect to the target database.
  10. Click Next.

Step 2: Connectivity Option

If you have already set up network peering, such as through FastConnect or VPN Connect, that allows you to access your Amazon RDS for Oracle database from a virtual cloud network (VCN) in OCI, then you can leverage that connection and register your database via a Data Safe private endpoint. The private endpoint essentially represents the Oracle Data Safe service in your VCN with a private IP address in a subnet of your choice.

  1. Select Private endpoint as your connectivity option.

    Note:

    If you select Private endpoint, the database is configured with a private IP address, and an Oracle Data Safe private endpoint already exists for the VCN of the database, that private endpoint is selected automatically. (You can have only one Oracle Data Safe private endpoint per VCN.)
  2. Select either TCP or TLS connection.

    If you select TLS connection:

    1. Convert the Amazon Web Services (AWS) region certificate that you downloaded as a prerequisite from PEM format to JKS truststore format, following the steps documented in Converting PEM-format keys to JKS format. For more information, see Add the Security Certificate for the Amazon RDS Specific Region.
    2. Upload your JKS wallet's truststore.jks file and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
    3. If client authentication is enabled on your target database, also upload the JKS wallet's keystore.jks file. This file is not required when client authentication is disabled.

    Note:

    In your AWS environment you will need to:
    • Configure the SSL option group to enable SSL connections. After you enable SSL, the certificate authority appears in the console. See Oracle Secure Sockets Layer and Creating an option group in the Amazon documentation to learn how to enable the SSL option.
    • Modify the inbound rules on port 2484 (opened by default) on Amazon RDS to allow the TLS connection.
  3. From the Select Private Endpoint drop-down menu, select the private endpoint that you want to use.
  4. Click Next.
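The PEM-to-JKS conversion in the TLS steps above has one practical pitfall: keytool -importcert reads only the first certificate in a multi-certificate PEM file, so a region bundle that carries several CA certificates must be split and imported one certificate at a time. The following is an added example (not Oracle's or AWS's code) that splits a bundle and emits one keytool import per certificate; SAMPLE_BUNDLE, the rds-ca alias prefix and the TRUSTSTORE_PASS variable are constructed for this example.

```python
import os
import re

# Constructed two-certificate PEM bundle standing in for the downloaded AWS
# region certificate; the base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBcGVtMQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBcGVtMg==
-----END CERTIFICATE-----
"""

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle: str) -> list[str]:
    """Return every certificate block in the bundle as its own PEM string."""
    certs = [m.group(0) + "\n" for m in PEM_CERT.finditer(bundle)]
    if not certs:
        raise ValueError("no PEM certificates found in bundle")
    return certs


def prepare_truststore_commands(bundle: str, out_dir: str,
                                truststore: str = "truststore.jks",
                                alias_prefix: str = "rds-ca") -> list[list[str]]:
    """Write each certificate to its own file and return one keytool command per
    file, each with a distinct alias so no CA in the bundle is silently dropped.
    The store password is read from the TRUSTSTORE_PASS environment variable;
    this is the value you later enter as the wallet password in the wizard."""
    commands = []
    for i, cert in enumerate(split_pem_bundle(bundle), start=1):
        alias = f"{alias_prefix}-{i}"
        cert_path = os.path.join(out_dir, f"{alias}.pem")
        with open(cert_path, "w") as fh:
            fh.write(cert)
        commands.append([
            "keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", cert_path,
            "-keystore", os.path.join(out_dir, truststore), "-storetype", "JKS",
            "-storepass:env", "TRUSTSTORE_PASS",
        ])
    return commands


if __name__ == "__main__":
    for cmd in prepare_truststore_commands(SAMPLE_BUNDLE, "."):
        print(" ".join(cmd))
```

Run the printed commands with TRUSTSTORE_PASS exported, then list the resulting truststore.jks with keytool -list to confirm that every alias is present before uploading it in the wizard.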

Step 3: Add Security Rule

An egress rule is required if you configure Amazon RDS for Oracle to use an Oracle Data Safe private endpoint. The egress rule allows the Oracle Data Safe private endpoint (from any port) to send requests to the database IP address(es) on the database's port.

  1. At Do you want to add the security rules now?, select Yes.

    If you select No, you can then click Next to bypass the egress rule selection and proceed to Step 4: Review and Submit. You can configure the egress rule later in the Oracle Cloud Infrastructure console (under Networking). Note that the target database remains inactive in Oracle Data Safe until the egress rule is configured either in the Oracle Data Safe wizard or on the Oracle Cloud Infrastructure Console.

  2. Select either Security List or Network Security Group (recommended) as the place where the egress security rule should be added.
  3. Select the security list or network security group from the drop-down menu.

    The registration wizard will create the displayed egress rule in the selected list or group.

  4. Click Next.

See Also:

For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.
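If you choose to add the egress rule later in the OCI console rather than in the wizard, it helps to check whether an existing rule already permits TCP from the private endpoint to the database IP on its port before adding another. The following is an added example (not Oracle's code) that builds the rule the wizard describes and checks a list of existing rules for coverage; the rule field names are modeled on the OCI network security group rule JSON and are an assumption here, and SAMPLE_RULES is constructed.

```python
import ipaddress

# Assumed field names (direction, protocol, destination, destinationType, tcpOptions)
# modeled on OCI NSG security-rule JSON; TCP is IP protocol number "6".
def data_safe_egress_rule(db_ip: str, db_port: int) -> dict:
    """Rule letting the Data Safe private endpoint (any source port) reach the
    target database on its listener port over TCP, as the wizard describes."""
    ipaddress.ip_address(db_ip)  # raises ValueError on a malformed address
    if not 1 <= db_port <= 65535:
        raise ValueError(f"invalid port {db_port}")
    return {
        "direction": "EGRESS",
        "protocol": "6",
        "destinationType": "CIDR_BLOCK",
        "destination": f"{db_ip}/32",
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": db_port, "max": db_port}},
    }


def rule_covers(rule: dict, db_ip: str, db_port: int) -> bool:
    """True if an existing rule already permits TCP egress to db_ip:db_port."""
    if rule.get("direction") != "EGRESS" or rule.get("protocol") not in ("6", "all"):
        return False
    if rule.get("destinationType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False
    net = ipaddress.ip_network(rule["destination"], strict=False)
    if ipaddress.ip_address(db_ip) not in net:
        return False
    if rule["protocol"] == "all":
        return True
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if rng is None:  # a TCP rule without a port range allows every port
        return True
    return rng["min"] <= db_port <= rng["max"]


def missing_egress(rules: list, db_ip: str, db_port: int):
    """Return the rule that must be added, or None if the list already covers it.
    The target stays inactive in Data Safe until such a rule exists."""
    if any(rule_covers(r, db_ip, db_port) for r in rules):
        return None
    return data_safe_egress_rule(db_ip, db_port)


# Constructed sample: an NSG that only allows HTTPS egress, so the listener
# port is not yet reachable from the private endpoint.
SAMPLE_RULES = [
    {"direction": "EGRESS", "protocol": "6", "destinationType": "CIDR_BLOCK",
     "destination": "0.0.0.0/0",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
]
```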

Step 4: Review and Submit

In this step, the wizard displays the configuration you entered in the previous steps. To change any of these settings, click the Edit button on the right side of the corresponding title.

  1. Review the information on this page.
  2. Select the checkbox I acknowledge that charges in Data Safe will apply for the Amazon RDS for Oracle database.
  3. Click Register.

Registration Process

After you click Register in Review and Submit, Oracle Data Safe creates the configuration and registers the target database. The next and final step in the wizard is to monitor the registration progress. The required tasks are listed and processed one by one.

Important:

Do not click the Close button in the wizard, sign out of OCI, or close the browser tab until the wizard shows that all of the tasks listed are resolved. If you close prematurely, then the information for all of the tasks that have not yet been completed is lost and the target database is not registered.

After You Submit the Registration

The wizard presents the Target Database Details page when the registration submission is finished. On this page, you can again review the registration details. The wizard displays the NEEDS_ATTENTION icon if a task must be performed or corrected before the process is complete. A hint message indicates the pending task. You can make the necessary changes in the tabs that are available. When you save your changes, the UPDATING icon is displayed. If there is no further work to do, the registration completes.