Register an Oracle Database on a Compute Instance

You can use the Oracle Databases on Compute wizard to register an Oracle Database on a compute instance as an Oracle Data Safe target database.

Use the Oracle Databases on Compute wizard to register the following databases:

  • Oracle Database on a compute instance in Oracle Cloud Infrastructure
  • Oracle Database on a compute instance in a non-Oracle cloud environment

Note:

Be sure to complete the preregistration tasks before using the wizard and the post registration tasks after using the wizard.

Preregistration Tasks for an Oracle Database on Compute

The following table lists the preregistration tasks.

| Task Number | Task | Link to Instructions |
|---|---|---|
| 1 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register an Oracle Database on Compute. | Permissions to Register an Oracle Database on Compute with Oracle Data Safe |
| 2 | Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user. | Create an Oracle Data Safe Service Account on Your Target Database; Grant Roles to the Oracle Data Safe Service Account on Your Target Database |
| 3 | (Optional) If you plan to connect to the target database via an Oracle Data Safe private endpoint and want to configure a TLS connection, create a wallet or certificate. | Create a Wallet or Certificates for a TLS Connection |

Run the Oracle Databases on Compute Wizard

In the wizard, you can choose an Oracle Data Safe private endpoint or an Oracle Data Safe on-premises connector to connect to your target database. Consider the following recommendations:

  • For an Oracle Database on Compute in Oracle Cloud Infrastructure: Oracle recommends that you use an Oracle Data Safe private endpoint to connect your target database to Oracle Data Safe.
  • For an Oracle Database on Compute in a non-Oracle cloud environment (for example, in Amazon Web Services or Azure): Oracle recommends that you use an Oracle Data Safe on-premises connector to connect your target database to Oracle Data Safe. You can use a private endpoint instead, but to do so you need an existing FastConnect or VPN Connect set up between Oracle Cloud Infrastructure and your non-Oracle cloud environment. The private endpoint then needs to be created in the Virtual Cloud Network (in Oracle Cloud Infrastructure) that has access to your target database. Without this setup, Oracle recommends that you use an on-premises connector.

This is the registration workflow in the wizard:

Step 1: Select Database

  1. On the Overview page in the Oracle Data Safe service, find the Oracle Databases on Compute tile and click Start Wizard. The wizard displays the Data Safe Target Information form.
  2. Select either ORACLE CLOUD INFRASTRUCTURE or OTHER CLOUD ENVIRONMENT.
  3. If you selected ORACLE CLOUD INFRASTRUCTURE then at SELECT COMPUTE INSTANCE, select the OCI compute instance on which your database is running. If your compute instance does not reside in the compartment shown, click CHANGE COMPARTMENT, then locate and select the compute instance.
    This field does not appear if you select OTHER CLOUD ENVIRONMENT.
  4. At DATA SAFE TARGET DISPLAY NAME, enter a target display name that is meaningful to you. Data Safe uses this name in its reports. All characters are accepted. The maximum number of characters is 255.
  5. At COMPARTMENT, select the compartment where you want to store the target database. If you want to register the database in a compartment other than the OCI compartment where the database is stored, select a different compartment from the drop-down list.
  6. (Optional) In the DESCRIPTION field, add a description that is meaningful to you.
  7. At DATABASE SERVICE NAME, enter the service name of the PDB or CDB.
  8. If you selected OTHER CLOUD ENVIRONMENT, then at DATABASE IP ADDRESS, enter the IP address of the database.
    This field does not appear if you select ORACLE CLOUD INFRASTRUCTURE.
  9. At DATABASE PORT NUMBER, enter the port number of your database listener.
  10. Perform this step if you did not already grant roles to the database user in the preregistration tasks.
    Click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions on how to use it to grant privileges to the Oracle Data Safe service account on your target database. You should also refer to the preregistration task Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database for some additional details.
  11. At DATABASE USERNAME and DATABASE PASSWORD, enter the name and password of the user you created in the preregistration tasks. If the user name is mixed case, enclose it in double-quotes (" ").
    Oracle Data Safe uses this account to connect to the database.
  12. Click Next.

Step 2: Connectivity Option

In this step, choose whether to connect to the target database through an Oracle Data Safe on-premises connector or through an Oracle Data Safe private endpoint.

If you have FastConnect or VPN Connect set up between your on-premises network and a virtual cloud network (VCN) in Oracle Cloud Infrastructure, you can register an on-premises Oracle database with Oracle Data Safe by using an Oracle Data Safe private endpoint.

  1. At Choose a connectivity option, click either On-Premises Connector or Private Endpoint.

    Note:

    If you select Private Endpoint, then if the database is configured with a private IP address and an Oracle Data Safe private endpoint is already configured for the VCN of the database, that private endpoint is automatically selected. (You can have only one Oracle Data Safe private endpoint per VCN.)
  2. At TCP/TLS, select the network protocol.
    If you select the TLS protocol and choose Private Endpoint, then do the following:
    • Upload your JKS wallet's truststore.jks file, and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
    • When client authentication is enabled on your target database, upload the JKS wallet's keystore.jks file. This file is not required when client authentication is disabled.
    If you select TCP at TCP/TLS, you are not prompted for any additional details.
  3. If you chose On-Premises Connector in Step 1, then at DO YOU WANT TO USE AN EXISTING ON-PREMISES CONNECTOR?, click YES or NO. If you select YES, then from SELECT ON-PREMISES CONNECTOR, use the drop-down menu to select the on-premises connector that you want to use. If you select NO, the wizard prompts for basic information it needs to create a new on-premises connector for the target database.
  4. If instead you chose Private Endpoint in Step 1, then at DO YOU WANT TO USE AN EXISTING PRIVATE ENDPOINT?, click YES or NO. If you select YES, then from SELECT PRIVATE ENDPOINT, use the drop-down menu to select the private endpoint that you want to use. If you select NO, the wizard prompts for basic information it needs to create a new private endpoint for the target database. The private endpoint needs to be in a VCN that can access your on-premises database.
  5. At COMPARTMENT, use the drop-down menu to select the compartment where you want to store the on-premises connector or private endpoint.
  6. At NAME, provide a name of your choice.
  7. At DESCRIPTION, enter a description.
  8. Click Next.
    If you selected Private Endpoint in Step 1, the wizard proceeds to Step 3: Add Security Rule.
    If you selected On-Premises Connector in Step 1, the wizard bypasses Step 3: Add Security Rule and takes you directly to Step 4: Review and Submit.

Step 3: Add Security Rule

In this step, add the required security rules. To allow communication from Oracle Data Safe to your database, you need to add two security rules:

  • Ingress rule for the database: Allow the database to receive incoming traffic on its port from the private IP address of the Oracle Data Safe private endpoint (from any port).
  • Egress rule for the Oracle Data Safe private endpoint: Allow the Oracle Data Safe private endpoint (from any port) to send requests to the database IP address(es) on the database's port.

The ingress and egress rules do not need to be stored within the same security list, network security group, or same compartment. If you already created the necessary security rules, you can choose to skip this step.

See Also:

For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

  1. At Do you want to add the security rules now?, select either Yes or No.
    If you select No, you can then click Next to bypass the security rules configuration and proceed to Review and Submit. You can configure the security rules later in the Oracle Cloud Infrastructure Console (under Networking). You may want to skip this step now if you already have security rules that you want to apply. Note that the target database remains inactive in Oracle Data Safe until the security rules are configured either in the Oracle Data Safe wizard or in the Oracle Cloud Infrastructure console.
  2. If you select Yes, then at Add Ingress Security Rule, select either Security List or Network Security Group. Then use the drop-down menu to select the Security List or Network Security Group to which you want to add the ingress rule.
    In the Ingress Rule tile, the wizard shows you the ingress rule to be added to the security list or network security group you selected.
  3. At Add Egress Security Rule, select either Security List or Network Security Group.
  4. At the next prompt, select the security list or network security group where you want to add the rule.
  5. Click Next to go to Review and Submit.
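
As an added example (not part of Oracle's documentation or tooling), the following Python check verifies that the two rules described in this step exist and are no broader than the step requires. The rule dictionaries are an assumption modeled on the field names of OCI network security group rules; the function names, IP addresses, and port 1521 are constructed for illustration.

```python
import ipaddress

def _peer(rule, direction):
    # Remote side of a rule: "source" for ingress, "destination" for egress.
    return rule.get("source" if direction == "INGRESS" else "destination", "")

def _port_range(rule):
    return (rule.get("tcpOptions") or {}).get("destinationPortRange")

def _permits(rule, direction, peer_ip, port):
    """True if the rule allows TCP in `direction` with `peer_ip` as the remote side on `port`."""
    if rule.get("direction") != direction or rule.get("protocol") not in ("6", "all"):
        return False
    try:
        net = ipaddress.ip_network(_peer(rule, direction), strict=False)
    except ValueError:  # remote side is not a CIDR (for example an NSG reference)
        return False
    rng = _port_range(rule)
    return ipaddress.ip_address(peer_ip) in net and (
        rng is None or rng["min"] <= port <= rng["max"])

def _is_tight(rule, direction, port):
    """True if the rule names one host, TCP only, and exactly the listener port."""
    net = ipaddress.ip_network(_peer(rule, direction), strict=False)
    return (net.num_addresses == 1 and rule["protocol"] == "6"
            and _port_range(rule) == {"min": port, "max": port})

def audit(db_rules, pe_rules, pe_ip, db_ip, port):
    """Return findings for the two required rules; an empty list means both exist and are tight."""
    findings = []
    for label, rules, direction, peer in (
            ("database ingress", db_rules, "INGRESS", pe_ip),
            ("private endpoint egress", pe_rules, "EGRESS", db_ip)):
        matches = [r for r in rules if _permits(r, direction, peer, port)]
        if not matches:
            findings.append(f"{label}: no rule permits the traffic")
        findings += [f"{label}: overly broad rule for {_peer(r, direction)}"
                     for r in matches if not _is_tight(r, direction, port)]
    return findings

# Constructed sample rules and addresses (not taken from a real tenancy).
DB_RULES = [{"direction": "INGRESS", "protocol": "6", "source": "10.0.2.15/32",
             "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}}]
PE_RULES = [{"direction": "EGRESS", "protocol": "all", "destination": "0.0.0.0/0"}]

if __name__ == "__main__":
    for finding in audit(DB_RULES, PE_RULES, "10.0.2.15", "10.0.1.20", 1521):
        print(finding)
```

With the sample data, the ingress rule passes and the allow-all egress rule is reported as overly broad, because it reaches every destination rather than only the database address and listener port.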

Step 4: Review and Submit

In this step, the wizard displays the configuration you entered in Step 1: Target Database Information, Step 2: Connectivity Option, and Step 3: Security Rules.

  1. Review the information on this page.
  2. If all of the settings are correct, click Register. If not, you can click Previous to redo any of the earlier steps, or click Cancel.

Step 5: Registration Progress

After you click Register in Step 4: Review and Submit, Oracle Data Safe creates the configuration and registers the target database. The next and final step in the wizard is to monitor the registration progress. The required tasks are listed and processed one by one.

Important:

Do not click the Close button in the wizard, sign out of OCI, or close the browser tab until the wizard shows that all of the tasks listed are resolved. If you exit prematurely, then the information for all of the tasks that have not yet been completed is lost and the target database is not registered.

After You Submit the Registration

The wizard presents the Target Database Details page when the registration submission is finished. On this page, you can again review the registration details. The wizard displays the NEEDS_ATTENTION icon if a task must be performed or corrected before the process is complete. A hint message indicates the pending task. You can make the necessary changes in the tabs that are available. When you save your changes, the UPDATING icon is displayed. If there is no further work to do, the registration completes.

Post Registration Tasks for an Oracle Database on Compute

The following table lists the tasks you need to complete after you run the Oracle Databases on Compute wizard.

| Task Number | Task | Link to Instructions |
|---|---|---|
| 1 | (If you are using an Oracle Data Safe on-premises connector) Download the install bundle for the on-premises connector and then install the on-premises connector on a host machine on your network. | Create an Oracle Data Safe On-Premises Connector |
| 2 | (If you are using a TLS connection and an Oracle Data Safe on-premises connector) Configure a TLS connection between the on-premises connector and your target database. | Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database |
| 3 | (Optional) Change which features are allowed for the Oracle Data Safe service account on your target database by granting/revoking roles from the account. You need to be the SYS user. | Grant Roles to the Oracle Data Safe Service Account on Your Target Database |
| 4 | (Optional) Grant users access to Oracle Data Safe features with the target database by configuring policies in Oracle Cloud Infrastructure Identity and Access Management. | Create IAM Policies for Oracle Data Safe Users |
| 5 | Make sure the firewall of the compute instance is configured to allow ingress traffic from the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector. | (none) |