Register an Oracle Cloud Database

You can register Oracle cloud databases as target databases for Oracle Data Safe.

In Oracle Data Safe, use the Oracle Cloud Databases wizard to register the following databases:

  • Oracle Base Database Service (DB system - Virtual Machine)
  • Oracle Exadata Database Service on Dedicated Infrastructure (Exadata VM cluster)
  • Oracle Database@Azure (Oracle Exadata Database@Azure)

Note:

Be sure to complete the preregistration tasks before using the wizard and the post registration tasks after using the wizard.

Preregistration Tasks for an Oracle Cloud Database

The following table lists the preregistration tasks.

Task Number Task Link to Instructions
1 In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register your target database. Permissions to Register an Oracle Cloud Database with Oracle Data Safe
2 Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user.

Create an Oracle Data Safe Service Account on Your Target Database

Grant Roles to the Oracle Data Safe Service Account on Your Target Database

3 (Optional) If you plan to configure a TLS connection to your target database, create a wallet or certificate. Create a Wallet or Certificates for a TLS Connection
4 If you're planning to register a database with Active Data Guard association:
  • Ensure that the primary and standby databases use the same private endpoint to connect to Oracle Data Safe.
  • Ensure that your Active Data Guard association follows the prerequisites of using Oracle Data Guard on a DB System
Use Oracle Data Guard on a DB System

Run the Oracle Cloud Databases Wizard

There is some variation in the workflow in the wizard, depending on whether you choose the TCP or TLS protocol.

This is the Oracle Cloud Database registration workflow in the wizard:

Step 1: Select Database

  1. On the Overview page in the Oracle Data Safe service, find the Oracle Cloud Databases tile and click Start Wizard.
    The wizard displays the Data Safe Target Information form.
  2. At Cloud Database Type, select Oracle Base Database, Oracle Exadata Database Service on Dedicated Infrastructure, or Oracle Database@Azure .
  3. Selecting a database or VM cluster:
    1. If you selected Oracle Base Database or Oracle Database@Azure in the previous step: At Select Database, find and select the database.
    2. If you selected Oracle Exadata Database Service on Dedicated Infrastructure in the previous step: At Select VM Cluster, find and select the VM cluster.
    If your database or VM cluster does not reside in the compartment shown, click Change CompartmentIf you want to register the database or VM cluster in a compartment other than the OCI compartment where the database or VM cluster is stored, then in the Compartment field, select a different compartment from the drop-down list.

    Tip:

    If you're registering a database with Active Data Guard, it is recommended to select the primary database for registration in this step and add the standby databases as peers in the following step, Step 2: Select Peer Databases.
  4. If you selected Oracle Exadata Database Service on Dedicated Infrastructure earlier, select a database home from the Select database dropdown.
  5. Enter a target display name that is meaningful to you. Oracle Data Safe uses this name in its reports. All characters are accepted. The maximum number of characters is 255.
  6. (Optional) In the Description box, add a description that is meaningful to you.
  7. At Database Service Name, enter the service name of the PDB or CDB.
  8. (Optional) At Database Port Number, the default port number is pre-filled. You may enter in a custom port number, otherwise the default will be used. For an Oracle Exadata Database Service on Dedicated Infrastructure database, enter the port number of the SCAN listener.
  9. At TCP/TLS, select the network protocol.
    If you select the TLS protocol, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following:
    • Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and optionally, enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
    If you select Mutual TLS, then do the following:
    • Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
    • When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled.
    If you select TCP at TCP/TLS, you are not prompted for any additional details.
  10. Perform this step if you did not already grant roles to the database user in the preregistration tasks.
    Click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions on how to use it to grant privileges to the Oracle Data Safe service account on your target database. You should also refer to the preregistration task Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database for some additional details.
  11. At Database User Name and Database Password, enter the name and password of the user you created in the preregistration tasks. If the user name is mixed case, enclose it in double-quotes (" ").
    Oracle Data Safe uses this account to connect to the target database.
  12. Click Next.

Step 2: Connectivity Option

An Oracle Data Safe private endpoint is required. Because you can only have one private endpoint in each VCN, if one already exists in the VCN (Virtual Cloud Network) of the database, Oracle Data Safe automatically selects it for you. You can then click Next to go directly to Step 4: Add Security Rule.

If no Oracle Data Safe private endpoint exists in the VCN, the wizard creates one and shows you the proposed configuration. You can change any of the parameters that are automatically entered in the form.

  1. At Name, accept the given private endpoint name or provide a different one.
  2. At Compartment, select the given compartment or use the drop-down menu to select a different one.
    The private endpoint does not need to be stored in the same compartment as the selected cloud database.
  3. At Virtual Cloud Network accept the given compartment or use the drop-down menu to select the compartment where the VCN is stored. The private endpoint must run in the same VCN as the database or the VCN of the private endpoint must have VCN peering set up with the VCN of the target database.
  4. At Subnet, accept the given compartment for the subnet or use the drop-down menu to select a different compartment. You can use any subnet. However, Oracle recommends that you use the same subnet as your database.
  5. (Optional) At Private IP, enter the private IP address that should be assigned to the private endpoint. If you do not enter a private IP address, Oracle Data Safe assigns one automatically.
  6. (Optional) Click Show Advanced Options.
    Use this option to attach OCI metadata tags to the private endpoint. Select the Tag Namespace and the Tag Key within the selected namespace. Then assign a value to this tag.
  7. Click Next.

Step 3: Select Peer Database

If you're registering an Active Data Guard associated database then you can select the standby databases at this step. If you're not registering an Active Data Guard associated database, then skip this step by clicking Next.

  1. On the Select Additional Peer Database to Register (Optional) page you will see a list of standby database that are associated with the primary database that you specified in the previous step. Select from the list which of the standby databases you would like to register as peers.

    It is also possible to register standby databases after the primary database has been registered. See Manage Peer Databases Associated with a Registered Active Data Guard Primary Database for more information.

  2. (Optional) Click + on a standby database to see the details for and edit any of the following if necessary:
    • Peer Display Name
    • Database Service Name
    • Database Port Number
    • TCP/TLS
  3. Click Next.

Step 4: Add Security Rule

In this step, add the required security rules. To allow communication from Oracle Data Safe to your database, you need to add two security rules:

  • Ingress rule for the database: Allow the database to receive incoming traffic on its port from the private IP address of the Oracle Data Safe private endpoint (from any port).
  • Egress rule for the Oracle Data Safe private endpoint: Allow the Oracle Data Safe private endpoint (from any port) to send requests to the database IP address(es) on the database's port.

The ingress and egress rules do not need to be stored within the same security list, network security group, or same compartment. If you already created the necessary security rules, you can choose to skip this step.

See Also:

For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.
  1. At Do you want to add the security rules now? , select either Yes or No.

    If you select No, you can then click Next to bypass the security rules configuration and proceed to Review and Submit. You can configure the security rules later in the Oracle Cloud Infrastructure Console (under Networking). You may want to skip this step now if you already have security rules that you want to apply. Note that the target database remains inactive in Oracle Data Safe until the security rules are configured either in the Oracle Data Safe wizard or in the Oracle Cloud Infrastructure console.

  2. If you select Yes, then at Add Ingress Security Rule, select either Security List or Network Security Group. Then use the drop-down menu to select the Security List or Network Security Group to which you want to add the ingress rule.

    In the Ingress Rule tile, the wizard shows you the ingress rule to be added to the security list or network security group you selected.

  3. At Add Egress Security Rule, select either Security List or Network Security Group.
  4. At the next prompt, select the security list or network security group where you want to add the rule.

    If you are registering peer databases as part of an Active Data Guard associated database, then you will see an egress rule for each standby database that you selected to regiser as a peer database in Step 3: Select Peer Databases.

  5. Click Next to go to Review and Submit.

Step 5: Review and Submit

If you configured a target database using an Oracle Data Safe private endpoint, the Review and Submit page displays the configuration for Target Database Information, Connectivity Option, and Security Rules.

If you are configured peer databases as part of an Active Data Guard enabled database, then you will review the Peer Target Database Information for each peer as well.

To change any of these settings, click the Edit button on the right side of the corresponding tile.
  1. Review the target database configuration.
  2. If the information is correct, click Register. If not, click Previous to return to any of the earlier steps, or click Cancel.

Step 6: Registration Progress

After you click Register in Step 5: Review and Submit, Oracle Data Safe creates the configuration and registers the target database. The next and final step in the wizard is to monitor the registration progress. The required tasks are listed and processed one-by-one.

Important:

Do not click the Close button in the wizard, sign out of OCI, or close the browser tab until the wizard shows that all of the tasks listed are resolved. If you exit prematurely, then the information for all of the tasks that have not yet been completed is lost and the target database is not registered.

After You Submit the Registration

The wizard presents the Target Database Details page when the registration submission is finished. On this page, you can again review the registration details. The wizard displays the NEEDS_ATTENTION icon if a task must be performed or corrected before the process is complete. A hint message indicates the pending task. You can make the necessary changes in the tabs that are available. When you save your changes, the UPDATING icon is displayed. If there is no further work to do, the registration completes.

Post Registration Tasks for an Oracle Cloud Database

The following table lists tasks that you need to complete after you run the Oracle Cloud Databases wizard.

Task Number Task Link to Instructions
1

(Optional) Change which features are allowed for the Oracle Data Safe service account on your target database by granting/revoking roles from the account. You need to be the SYS user.

Grant Roles to the Oracle Data Safe Service Account on Your Target Database
2

(Optional) Grant users access to Oracle Data Safe features with the target database by configuring policies in Oracle Cloud Infrastructure Identity and Access Management.

Create IAM Policies for Oracle Data Safe Users