There are four types of Oracle cloud databases in Oracle Cloud Infrastructure that you can register with Oracle Data Safe:
- Oracle Database@Azure (Oracle Exadata Service)
- Oracle Base Database: DB System on a virtual machine (VM)
- Oracle Exadata Database Service on Dedicated Infrastructure (a VM cluster hosting Oracle databases that resides on Exadata racks in an OCI region)
- Oracle Exadata Database Service on Exascale Infrastructure (storage of the database files is managed by Oracle in the Exadata Exascale Vault)
Oracle Data Safe runs in its own Virtual Cloud Network (VCN) in your working region in Oracle Cloud Infrastructure (OCI). To register a target database with Data Safe you need the appropriate Oracle Cloud Infrastructure Identity and Access Management (IAM) permissions, which your administrator assigns to you: permission to register a target database with Oracle Data Safe, and permission to use or create an Oracle Data Safe private endpoint.
Registering Active Data Guard-associated databases is supported for all of these cloud database types. This lets you audit the primary database and its standby databases as a single target with multiple unified audit trails.
Registration
Registering an Oracle cloud database that has a private IP address requires an Oracle Data Safe private endpoint on a private subnet in your VCN. During target registration you can either select an existing private endpoint (one private endpoint can be used to register multiple target databases) or create a new one. Note that there can be only one private endpoint per VCN.
Security rules are required to allow communication between the private endpoint and your target database. You can configure them in network security groups (NSGs), which is recommended because an NSG scopes the rules to specific VNICs rather than to a whole subnet, or in security lists (SLs):
- Egress rule, configured in the private endpoint's NSG or SL: allows the private endpoint (from any source port) to send requests to the target database's IP address on the database port. For an Exadata cloud database, use one of the SCAN IP addresses as the destination; alternatively, use the private floating IP address of any one of the database nodes.
- Ingress rule, configured in the target database's NSG or SL: allows the database to receive traffic on its port from the private IP address of the private endpoint (from any source port).
You can let the registration wizard configure these security rules for you, or you can create them manually.
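The egress and ingress rules above, as an added worked example that is not Oracle's code or documentation: a Python script that builds the two rule payloads in the JSON form that `oci network nsg rules add --security-rules` accepts, and checks an existing rule listing (in the shape that `oci network nsg rules list` prints) for whether both rules are already in place before you register the target or let the wizard create them. The camelCase input and kebab-case output key casing, the helper names, and all addresses and ports are assumptions and constructed sample values, not values from the original page.

```python
"""Build and verify the NSG security rules an Oracle Data Safe private endpoint
needs to reach a target database. Added example, not Oracle's code.
Assumptions: `oci network nsg rules add --security-rules` takes camelCase JSON and
`oci network nsg rules list` prints kebab-case JSON; all IPs/ports are constructed."""
import ipaddress
import json
import re

TCP = "6"  # OCI security rules identify TCP by IANA protocol number


def pe_egress_rule(db_ip: str, db_port: int = 1521) -> dict:
    """Egress rule for the private endpoint's NSG: PE (any source port) -> DB IP:port.
    For Exadata pass one SCAN IP or a node's private floating IP as db_ip."""
    ipaddress.ip_address(db_ip)  # reject anything that is not a single address
    return {
        "direction": "EGRESS",
        "protocol": TCP,
        "destination": f"{db_ip}/32",
        "destinationType": "CIDR_BLOCK",
        "tcpOptions": {"destinationPortRange": {"min": db_port, "max": db_port}},
        "description": "Data Safe private endpoint to target database",
    }


def db_ingress_rule(pe_ip: str, db_port: int = 1521) -> dict:
    """Ingress rule for the target database's NSG: DB port <- PE private IP (any source port)."""
    ipaddress.ip_address(pe_ip)
    return {
        "direction": "INGRESS",
        "protocol": TCP,
        "source": f"{pe_ip}/32",
        "sourceType": "CIDR_BLOCK",
        "tcpOptions": {"destinationPortRange": {"min": db_port, "max": db_port}},
        "description": "Target database from Data Safe private endpoint",
    }


def _kebab(obj):
    """Normalize camelCase keys (CLI input form) to kebab-case (CLI output form)."""
    if isinstance(obj, dict):
        return {re.sub(r"(?<!^)(?=[A-Z])", "-", k).lower(): _kebab(v) for k, v in obj.items()}
    return obj


def _covers(rule: dict, direction: str, peer_key: str, peer_ip: str, port: int) -> bool:
    """True if `rule` admits TCP to `port` for `peer_ip` in the given direction.
    Only CIDR peers are evaluated; NSG-referenced peers are treated as not matching."""
    rule = _kebab(rule)
    if rule.get("direction") != direction or rule.get("protocol") not in (TCP, "all"):
        return False
    peer = rule.get(peer_key)
    if rule.get(f"{peer_key}-type") != "CIDR_BLOCK" or not peer:
        return False
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(peer, strict=False):
        return False
    rng = ((rule.get("tcp-options") or {}).get("destination-port-range")) or {}
    if rule.get("protocol") == "all" or not rng:
        return True  # no port restriction on this rule
    return rng.get("min", 0) <= port <= rng.get("max", 0)


def missing_rules(pe_rules: list, db_rules: list, pe_ip: str, db_ip: str, db_port: int = 1521) -> list:
    """Names of the rules that still have to be created for PE <-> DB traffic on db_port."""
    missing = []
    if not any(_covers(r, "EGRESS", "destination", db_ip, db_port) for r in pe_rules):
        missing.append("pe-egress")
    if not any(_covers(r, "INGRESS", "source", pe_ip, db_port) for r in db_rules):
        missing.append("db-ingress")
    return missing


# Constructed sample addresses and rule listings (the "data" array of `oci network nsg rules list`).
PE_IP, DB_IP = "10.0.2.10", "10.0.1.25"
SAMPLE_PE_NSG = [
    {"direction": "EGRESS", "protocol": "6", "destination": "10.0.1.0/24",
     "destination-type": "CIDR_BLOCK",
     "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}},
]
SAMPLE_DB_NSG = [
    {"direction": "INGRESS", "protocol": "6", "source": "10.0.2.0/24",
     "source-type": "CIDR_BLOCK",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},  # wrong port
]

if __name__ == "__main__":
    print("missing:", missing_rules(SAMPLE_PE_NSG, SAMPLE_DB_NSG, PE_IP, DB_IP))
    # Payload for: oci network nsg rules add --nsg-id <db-nsg-ocid> --security-rules '<json>'
    print(json.dumps([db_ingress_rule(PE_IP)], indent=2))
```

In the sample data the private endpoint's NSG already allows egress to the whole database subnet on 1521, so only the database-side ingress rule is reported as missing; the script then prints the JSON you would pass to `oci network nsg rules add` for the database NSG. The check deliberately ignores rules whose peer is another NSG rather than a CIDR, so if you scope the ingress rule to the private endpoint's NSG instead of its IP it will be reported as missing and you should verify it by hand.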
TLS or TCP Connection Protocol
During registration you specify whether the connection between Data Safe and your Oracle cloud database uses TCP or TLS. If you choose TLS and client authentication is enabled on your target database, you need to upload your truststore and keystore files and provide the wallet password during target registration. If client authentication is not enabled, you only need to upload the truststore file, which must contain the certificate chain that signed the database server's certificate. The wallet or certificate must be created before you start target database registration.