Register an Oracle Cloud@Customer Database

You can register Oracle Cloud@Customer databases as target databases with Oracle Data Safe.

In Oracle Data Safe, use the Oracle Cloud@Customer Databases wizard to register the following Oracle Cloud@Customer databases:

  • Exadata Database on Cloud@Customer
  • Autonomous Database on Exadata Cloud@Customer

Note:

Be sure to complete the preregistration tasks before using the wizard and the post registration tasks after using the wizard.

Cloud@Customer Preregistration Tasks

The following table lists the preregistration tasks.

Task Number | Task | Link to Instructions
1 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register your target database. | Permissions to Register an Oracle Cloud@Customer Database with Oracle Data Safe
2 | (Exadata Database on Cloud@Customer) Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user. | Create an Oracle Data Safe Service Account on Your Target Database
3 | (Exadata Database on Cloud@Customer) Grant the Oracle Data Safe service account on your target database Oracle Data Safe roles. | Grant Roles to the Oracle Data Safe Service Account on Your Target Database
4 | (Exadata Database on Cloud@Customer) If you plan to connect to the target database via an Oracle Data Safe private endpoint and want to configure a TLS connection, create a wallet or certificate. | Create a Wallet or Certificates for a TLS Connection

Run the Oracle Cloud@Customer Databases Wizard

This is the registration workflow in the wizard:

Step 1: Target Information

  1. On the Overview page in the Oracle Data Safe service, find the Oracle Cloud@Customer Databases tile and click Start Wizard.
    The wizard displays the Data Safe Target Information form.
  2. Select Exadata Cloud@Customer or Autonomous Database on Exadata Cloud@Customer.
  3. At Select VM Cluster (for Exadata Database on Cloud@Customer) or Select Database (for Autonomous Database on Exadata Cloud@Customer), select the VM cluster or database respectively. If your VM cluster or database resides in a different compartment, click Change compartment, select the correct compartment, and then select your VM cluster or database.
  4. At Data Safe Target Display Name, enter a target database name that is meaningful to you. Oracle Data Safe uses this name in its reports.
  5. At Compartment, select the compartment where you want to store the Oracle Data Safe target database. Use the drop-down menu to select a different compartment if needed.
    The target database does not need to be stored in the same compartment as the VM cluster or database.
  6. (Optional) In the Description field, enter a description that is meaningful to you.
  7. (Exadata Database on Cloud@Customer) At Database Service Name, enter the service name of the CDB or PDB.
  8. (Exadata Database on Cloud@Customer) Perform this step if you did not already grant roles to the database user in the preregistration tasks.
    Click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions on how to use it to grant privileges to the Oracle Data Safe service account on your target database.

    See Also:

    You should also refer to the Grant Roles preregistration task for some additional details. These instructions apply to target databases using Oracle Data Safe private endpoints and also those using on-premises connectors:

    Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database

  9. (Exadata Database on Cloud@Customer) At Database User Name and Database Password, enter the credentials for the Oracle Data Safe user account that you created on your target database during the preregistration tasks. Oracle Data Safe uses this account to connect to the database. If the user name is mixed case, enclose it in double-quotes (" "). The password must be between 14 and 30 characters long and must contain at least 1 uppercase, 1 lowercase, 1 numeric, and 1 special character.
  10. (Autonomous Database on Exadata Cloud@Customer) At Database Admin User and Database Password, enter the credentials of the database ADMIN user to unlock the Oracle Data Safe user account that exists by default on the database.
  11. Click Next.

Step 2: Connectivity Option

In this step, choose to connect to the target database through either an Oracle Data Safe on-premises connector or an Oracle Data Safe private endpoint. If you have FastConnect or VPN Connect set up between your network and a virtual cloud network (VCN) in Oracle Cloud Infrastructure, you can register your database with Oracle Data Safe by using an Oracle Data Safe private endpoint.

Note:

  • FastConnect in Oracle Cloud Infrastructure is a secure connection between a customer's on-premises network and Oracle Cloud Infrastructure over a private network.
  • VPN Connect in Oracle Cloud Infrastructure is a site-to-site IPSec virtual private network that securely connects your on-premises network to Oracle Cloud Infrastructure, using your existing internet connection.

For an Exadata Database on Cloud@Customer, you can also choose the connectivity protocol (TCP or TLS). For an Autonomous Database on Exadata Cloud@Customer, Oracle Data Safe automatically uses TLS.

  1. Select On-premises connector or Private endpoint.
  2. (Exadata Database on Cloud@Customer) For TCP/TLS, select TCP or TLS.
    • If you select TCP (the default), you are not prompted for any additional details.
    • If you are connecting via a private endpoint and select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, do the following:
      • Upload the TrustStore of your database as a PEM file, PKCS#12 wallet, or JKS wallet and, optionally, enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
      If you select Mutual TLS, do the following:
      • Upload the TrustStore of your database as a PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
      • When client authentication is enabled on your target database, upload the KeyStore of your database as a PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled.
  3. (Autonomous Database on Exadata Cloud@Customer) If you selected On-premises connector in step 1, be sure to configure a TLS connection between the on-premises connector on your host machine and your target database. See Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and an Autonomous Database on Exadata Cloud@Customer Database. If you selected Private Endpoint in step 1, no additional steps are needed for the TLS connection.
  4. (Exadata Database on Cloud@Customer) If the database listener is not running on the default port, enter the custom port number; otherwise, leave this field blank.
  5. For Do you want to use an existing Private endpoint (or On-premises connector): Select Yes to reuse or No to create an Oracle Data Safe on-premises connector or an Oracle Data Safe private endpoint, and then configure the following fields according to your selection.
  6. Click Next.
    If you selected On-premises connector, the wizard will skip Step 4: Add security rule.
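
A preflight for the Database Password rule in Step 1 and the TLS upload requirements in Step 2, as an added example that is not part of Oracle's documentation or tooling. The function names and sample bytes are constructed here, "special character" is assumed to mean ASCII punctuation, and the format check only sniffs leading bytes (it does not validate certificates).

```python
"""Preflight for the wizard's Database Password and TLS upload fields (added example)."""
import string

# Constructed sample blobs: only the leading bytes matter for format sniffing.
PEM = b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
JKS = b"\xfe\xed\xfe\xed\x00\x00\x00\x02"
P12 = bytes.fromhex("308209a1020103")

def password_problems(pw):
    """Return the Step 1 password rules that pw violates (empty list = OK)."""
    problems = [] if 14 <= len(pw) <= 30 else ["length must be between 14 and 30"]
    checks = {
        "uppercase": str.isupper, "lowercase": str.islower, "numeric": str.isdigit,
        # Assumption: "special" means ASCII punctuation; the page does not list the set.
        "special": lambda c: c in string.punctuation,
    }
    for name, test in checks.items():
        if not any(test(c) for c in pw):
            problems.append(f"needs at least 1 {name} character")
    return problems

def store_format(data):
    """Classify a TrustStore/KeyStore blob as 'PEM', 'JKS', 'PKCS#12' or None."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:4] == b"\xfe\xed\xfe\xed":             # JKS magic number
        return "JKS"
    if data[:1] == b"\x30" and len(data) > 2:        # ASN.1 SEQUENCE tag
        n = data[1]
        body = 2 + (n & 0x7F if n & 0x80 else 0)     # skip long-form length octets
        if data[body:body + 3] == b"\x02\x01\x03":   # PFX version INTEGER 3
            return "PKCS#12"
    return None

def tls_upload_problems(mode, truststore, wallet_password=None, keystore=None, client_auth=False):
    """mode is 'one-way' or 'mutual'; truststore/keystore are file contents as bytes."""
    problems = []
    if truststore is None or store_format(truststore) is None:
        problems.append("TrustStore must be a PEM file, PKCS#12 wallet, or JKS wallet")
    if mode == "mutual":
        if not wallet_password:
            problems.append("Mutual TLS: enter the wallet password")
        if client_auth and (keystore is None or store_format(keystore) is None):
            problems.append("client authentication enabled: KeyStore required")
    return problems

if __name__ == "__main__":
    print(password_problems("Short1!a"))
    print(store_format(P12), tls_upload_problems("mutual", JKS, "constructed-pw", None, True))
```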

Step 3: Select Peer Database

If you're registering an Active Data Guard associated database, you can add the standby databases at this step. If you're not registering an Active Data Guard associated database, skip this step by clicking Next.

  1. On the Select Additional Peer Database to Register (Optional) page, you will see a list of standby databases that are associated with the primary database that you specified in the previous step. Select the standby databases from the list that you would like to register as peers.

    It is also possible to register standby databases after the primary database has been registered. See Manage Peer Databases Associated with a Registered Active Data Guard Primary Database for more information.

  2. (Optional) Click + on a standby database to see the details for and edit any of the following if necessary:
    • Peer Display Name
    • Database Service Name
    • Database Port Number
    • TCP/TLS
  3. Click Next.

If you selected On-premises connector in Step 1, the wizard takes you directly to Step 5: Review and submit.

Step 4: Add Security Rule

Note:

This step applies only if you are configuring a private endpoint.

In this step, the wizard adds the required egress rules to enable communication between the Oracle Data Safe private endpoint and your target database. Egress rules do not need to be stored within the same security list, network security group, or same compartment. If you already created the necessary security rules, you can choose to skip this step. An ingress rule is not required.

See Also:

For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

  1. Choose to configure the security rules now or later.
    If you choose to configure later, click Next to bypass the security rule configuration and proceed to Step 5: Review and Submit. Later, you can configure the security rules under Networking in the Oracle Cloud Infrastructure Console. You may want to skip this step now if you already have security rules that you want to apply. Your target database remains inactive in Oracle Data Safe until the security rules are configured either in the Oracle Data Safe wizard or on the Oracle Cloud Infrastructure Console.
  2. Choose to add egress security rules to a Security List or a Network Security Group, and then select the security list or network security group from the drop-down list.
  3. Review the egress rules.

    If you are registering peer databases as part of an Active Data Guard associated database, you will see an egress rule for each standby database that you selected to register as a peer database in Step 3: Select Peer Database.

    The wizard creates an egress rule for each database server node's VIP (virtual IP address) in the VM cluster network.
  4. Click Next to go to Step 5: Review and Submit.

Step 5: Review and Submit

If you configured a target database using an Oracle Data Safe private endpoint, the Review and Submit page displays the configuration for Target Database Information, Connectivity Option, and Security Rules.

If you configured a target database that uses an Oracle Data Safe on-premises connector, you did not need to configure security rules, so this summary shows information about your target database and connectivity.

To change any of these settings, click the Edit button on the right side of the corresponding tile.

  1. Review the target database configuration.
  2. If the information is correct, click Register. If not, click Previous to return to any of the earlier steps, or click Cancel.

Post Registration Tasks for an Oracle Cloud@Customer Database

The following table lists tasks that you need to complete after you run the Oracle Cloud@Customer Databases wizard.

Task Number | Task | Link to Instructions
1 | (If you selected to create an Oracle Data Safe on-premises connector) Download the install bundle for the on-premises connector and then install the on-premises connector on a host machine on your network. | Create an Oracle Data Safe On-Premises Connector
2 | (If you are using a TLS connection and an Oracle Data Safe on-premises connector) Configure a TLS connection between the on-premises connector and your target database. |
3 | (Optional) Change which features are allowed for the Oracle Data Safe service account on your target database by granting/revoking roles from the account. You need to be the SYS user. | Grant Roles to the Oracle Data Safe Service Account on Your Target Database
4 | (Optional) Grant users access to Oracle Data Safe features with the target database by configuring policies in Oracle Cloud Infrastructure Identity and Access Management. | Create IAM Policies for Oracle Data Safe Users
5 | (If needed) Update the ADMIN credentials for your target database on the Target Database Details page. | Manage Target Databases - See the Update the Database User section
6 | Make sure to allow ingress traffic to your target database from the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. | (none)