Register an Autonomous Database

You can use the Autonomous Databases wizard to register Autonomous Databases as Oracle Data Safe target databases.

Use the Autonomous Databases wizard for the following databases:

  • Autonomous Database on Shared Exadata Infrastructure with Secure Access from Everywhere
  • Autonomous Database on Shared Exadata Infrastructure with Secure access from allowed IPs and VCNs only
  • Autonomous Database on Shared Exadata Infrastructure with Private VCN Access (requires a Data Safe private endpoint)
  • Autonomous Database on Dedicated Exadata Infrastructure (requires a Data Safe private endpoint)

Note:

Be sure to complete the preregistration tasks before using the wizard and the post registration tasks after using the wizard.

This article has the following topics:

Preregistration Tasks for an Autonomous Database

The following table lists the preregistration tasks.

Task Number Task Link to Instructions
1 Obtain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to register your target database. Permissions to Register an Autonomous Database with Oracle Data Safe
2 (For Autonomous Database on Dedicated Exadata Infrastructure)
  • Obtain the ADMIN password for your target database because you need it during target database registration.
  • If Database Vault is enabled on the database, connect to your database as a user with the DV_ACCTMGR role and temporarily grant the DV_ACCTMGR role to the ADMIN user.
(none)

Run the Autonomous Databases Wizard

There is some variation in the workflow in the wizard, depending on whether the Autonomous Database you select is configured to run on shared or dedicated Exadata infrastructure and (in the case of shared infrastructure) if network access is via public or private IP. The wizard detects these configuration settings in the Autonomous Database you have selected and adjusts the steps accordingly. For example, if the database is configured with a public IP to be securely accessible from everywhere, then the steps to select a connectivity option and add a security rule are not needed and are skipped.

This is the Autonomous Database registration workflow:

Step 1: Select Database

  1. On the Overview page in the Oracle Data Safe service, find the Autonomous Databases tile and click Start Wizard.
    The wizard displays the Data Safe Target Information form.
  2. If your database does not reside in the compartment shown, click CHANGE COMPARTMENT and select the correct compartment.
  3. Select the target database that you want to register.
    You can select only one target database.
    The wizard automatically fills in the DATA SAFE TARGET DISPLAY NAME and COMPARTMENT fields. If you want to register the database in a compartment other than the OCI compartment where the database is stored, select a different compartment from the drop-down list.
  4. Enter a target display name that is meaningful to you. Oracle Data Safe uses this name in its reports.
  5. (Optional) In the DESCRIPTION field, add a description that is meaningful to you.
  6. For an Autonomous Database on Dedicated Exadata Infrastructure only: At DATABASE USERNAME and DATABASE PASSWORD, enter the credentials of the database ADMIN user. This unlocks the Oracle Data Safe service account (DS$ADMIN) in the database. This step does not apply to Autonomous Databases on Shared Exadata Infrastructure.

    Note:

    The credentials requested here are for the database ADMIN user, not those of the Oracle Data Safe service account in the database.
  7. Click Next.
    • If you are registering a target database that uses a private IP address, the Next button takes you to Step 2: Connectivity Option.
    • If you are registering an Autonomous Database on Shared Exadata Infrastructure with Secure Access from Everywhere, there is no need to choose a connectivity option or add a security rule. In this case, the wizard bypasses these steps and takes you directly to Step 4: Review and Submit.

Step 2: Connectivity Option

If you are registering a target database that is configured to use a private IP address, then an Oracle Data Safe private endpoint is required.

If an Oracle Data Safe private endpoint for the VCN of the database already exists, the wizard automatically selects it for you. If none exists, then in the Private Endpoint Information form the wizard prompts for the basic information in needs to create a new Oracle Data Safe private endpoint for the target database. The name, VCN, and subnet are preassigned. You can change any of the parameters entered into the form.
  1. Review all of the parameter values and change them as needed.
  2. Click Next.
    The wizard progresses to Step 3: Add Security Rule.

Step 3: Add Security Rule

In this step, add the required security rules. To allow communication from Oracle Data Safe to your database, you need to add two security rules:

  • Ingress rule for the database: Allow the database to receive incoming traffic on its port from the private IP address of the Oracle Data Safe private endpoint (from any port).
  • Egress rule for the Oracle Data Safe private endpoint: Allow the Oracle Data Safe private endpoint (from any port) to send requests to the database IP address(es) on the database's port.

The ingress and egress rules do not need to be stored within the same security list, network security group, or same compartment. If you already created the necessary security rules, you can choose to skip this step.

See Also:

For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.
  1. At DO YOU WANT TO ADD THE SECURITY RULES NOW? , select either Yes or No.
    If you select No, you can then click Next to bypass the security rules configuration and proceed to Step 4: Review and Submit. You can configure the security rules later in the Oracle Cloud Infrastructure Console (under Networking). You may want to skip this step now if you already have security rules that you want to apply. Note that the target database remains inactive in Oracle Data Safe until the security rules are configured either in the Oracle Data Safe wizard or in the Oracle Cloud Infrastructure console.
  2. If you select Yes, then at ADD INGRESS SECURITY RULE, select either SECURITY LIST or NETWORK SECURITY GROUP. Then use the drop-down menu to select the Security List or Network Security Group to which you want to add the ingress rule.
    In the Ingress Rule tile, the wizard shows you the ingress rule to be added to the security list or network security group you selected.
  3. At ADD EGRESS SECURITY RULE, select either SECURITY LIST or NETWORK SECURITY GROUP.
  4. At the next prompt, select the security list or network security group where you want to add the rule.
  5. Click Next to go to Step 4: Review and Submit.

Step 4. Review and Submit

If you configured a target database that uses a private IP address, the Review and Submit page displays the configuration for Target Database Information, Connectivity Option, and Security Rules.

If you configured a target database that uses a public IP address, you did not need to configure a connectivity option or security rules, so this summary of the configuration shows only the following information, all of which you selected in Step 1:

  • Display Name of Selected Database
  • Compartment for Target
  • Data Safe Target Display Name
  • Description
To change any of these settings, click the Edit button on the right side of the corresponding tile.
  1. Review the target database configuration.
  2. If the information is correct, click Register. If not, click Previous to return to any of the earlier steps, or click Cancel.

Step 5. Registration Progress

After you click Register in Step 4: Review and Submit, Oracle Data Safe creates the configuration and registers the target database. The next and final step in the wizard is to monitor the registration progress. As part of the registration, if a new private endpoint is required or ingress/egress rules are added, the tasks required are listed and processed one-by-one. If there are any errors, they are reported here. You can click the Previous button to return to previous pages and correct the errors.

Important:

Do not click the Close button in the wizard, sign out of OCI, or close the browser tab until the wizard shows that all of the tasks listed are resolved. If you close prematurely, then the information for all of the tasks that have not yet been completed is lost and the target database is not registered. Use the Close button to exit the page if an error occurs in the registration process.

When Registration is Complete

The wizard presents the Target Database Details page when the registration is finished. On this page you can again review the registration details. Options on this page that are not available for the selected target database are grayed out. For Autonmous Database, the options available are on the More Actions tab. You can change the compartment where the registration is store, add tags, or deregister the target database.

The database icon on the left indicates the current status of the registration process.

Post Registration Tasks for an Autonomous Database

The following table lists tasks that you need to complete after you run the Autonomous Databases wizard.

Task Number Task Link to Instructions
1

(Optional) Change which features are allowed for the Oracle Data Safe service account on your target database by granting/revoking roles from the account. You need to be a PDB administrator (ADMIN) or a user that has execute permission on the DS_TARGET_UTIL package.

Note:

During target registration, all roles are already granted by default, except for DS$DATA_MASKING_ROLE.
Grant Roles to the Oracle Data Safe Service Account on Your Target Database
2

(Optional) Grant users access to Oracle Data Safe features with the target database by configuring policies in Oracle Cloud Infrastructure Identity and Access Management.

Create IAM Policies for Oracle Data Safe Users
3

(Autonomous Database on Dedicated Exadata Infrastructure only) If Database Vault is enabled on your target database, connect to your target database as a user with the DV_ACCTMGR role and revoke the DV_ACCTMGR role from the ADMIN user.

(none)