Oracle Data Safe supports registration of on-premises Oracle Databases. Data Safe runs on its own Virtual Cloud Network (VCN) within your working region in Oracle Cloud Infrastructure (OCI). To register a target database with Data Safe you need the appropriate permissions in OCI Identity and Access Management (IAM), assigned by your administrator: permission to register a target database with Oracle Data Safe, and permission to use or create either an Oracle Data Safe on-premises connector or a private endpoint.
Registration of databases in an Active Data Guard configuration is supported for on-premises databases. This lets you audit the primary database and its standby databases as a single target with multiple unified audit trails.
When registering an on-premises Oracle Database there are two connectivity options: a Data Safe private endpoint or an on-premises connector. If you intend to connect through a private endpoint, you must have an established network connection, such as FastConnect or VPN Connect, between your OCI tenancy and your on-premises environment before you register the target database.
Private Endpoint
Registering a target database through a private endpoint requires the private endpoint to reside in a private subnet of your OCI VCN that has network access to your on-premises database. During target registration you can either select an existing private endpoint (one private endpoint can be used to register multiple target databases) or create a new one. Note that there can be only one private endpoint per VCN.
The connection between the Data Safe private endpoint and your on-premises Oracle Database can be either a TCP or a TLS connection. If you choose TLS and client authentication is enabled on your target database, you must upload your truststore and keystore files and provide the wallet password during target registration; if client authentication is not enabled, only the truststore file is needed. Create the wallet or certificate before you start target database registration.
Traffic from Data Safe goes through the private endpoint, which routes it through a Dynamic Routing Gateway (DRG) attached to your VCN. From there it travels to your database over the pre-established connection, such as FastConnect or VPN Connect.
Security rules are required to allow communication between the private endpoint and your target database. You can configure the rules in network security groups (NSGs), which is recommended, or in security lists (SLs). The egress rule, configured in the private endpoint's NSG or SL, allows the private endpoint (from any source port) to send requests to the target database's IP address on its listener port. If your on-premises database is a Real Application Clusters (RAC) database, you need one egress security rule per IP address of each RAC node. For the security rules within OCI, you can let the registration wizard configure them for you or configure them manually. Also ensure that your on-premises network (firewalls and the database host) is configured to allow the traffic from Oracle Data Safe.
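The following is a worked example added to this page, not Oracle's code or part of the Data Safe registration wizard. It generates the per-node egress rules described above for the manual path, in the JSON shape the OCI Networking API (AddSecurityRuleDetails) and the OCI CLI accept for NSG security rules, so that a RAC database gets exactly one rule per node address and nothing wider than a /32. The node addresses, listener port and NSG OCID are constructed placeholders; the `oci network nsg rules add` invocation is printed as a usage hint and is not executed here.

```python
"""
Build the egress security rules an Oracle Data Safe private endpoint needs
in order to reach an on-premises target database listener.

Constructed example for this page: node IP addresses, listener port and the
NSG OCID are made up. The rule objects follow the OCI Networking
AddSecurityRuleDetails schema consumed by
`oci network nsg rules add --nsg-id <ocid> --security-rules file://rules.json`.
"""
import ipaddress
import json

TCP = "6"  # OCI expresses the protocol as the IANA protocol number, as a string


def egress_rules(node_ips, listener_port,
                 description="Data Safe private endpoint to target DB"):
    """Return one stateful TCP egress rule per database node address.

    A single-instance database is simply the one-element case; a RAC
    database needs one rule per node because each node has its own IP.
    """
    if not 1 <= listener_port <= 65535:
        raise ValueError(f"invalid listener port: {listener_port}")
    rules = []
    seen = set()
    for raw in node_ips:
        ip = ipaddress.ip_address(raw)  # raises ValueError on malformed input
        if ip.version != 4:
            raise ValueError(f"only IPv4 destinations are expected here: {raw}")
        if ip in seen:
            continue  # duplicate node entry: one rule per address is enough
        seen.add(ip)
        rules.append({
            "direction": "EGRESS",
            "protocol": TCP,
            "isStateless": False,       # stateful: replies need no matching ingress rule
            "destinationType": "CIDR_BLOCK",
            "destination": f"{ip}/32",  # exactly this node, not its whole subnet
            "tcpOptions": {
                # Source port is left unrestricted: the endpoint uses an ephemeral port.
                "destinationPortRange": {"min": listener_port, "max": listener_port},
            },
            "description": f"{description} ({ip})",
        })
    return rules


def cli_command(nsg_ocid, rules_path="rules.json"):
    """Return the OCI CLI invocation that attaches the generated rules to an NSG."""
    return (f"oci network nsg rules add --nsg-id {nsg_ocid} "
            f"--security-rules file://{rules_path}")


if __name__ == "__main__":
    # Constructed three-node RAC database and a made-up NSG OCID.
    rac_nodes = ["10.20.30.11", "10.20.30.12", "10.20.30.13"]
    rules = egress_rules(rac_nodes, 1521)
    print(json.dumps(rules, indent=2))  # save this as rules.json
    print(cli_command("ocid1.networksecuritygroup.oc1..exampleuniqueID"))
```

Save the printed JSON as `rules.json` and run the printed command against the NSG attached to the private endpoint. The rules are stateful, so no ingress rule is needed for the listener's replies; the on-premises side still has to permit inbound connections from the private endpoint's address to the listener port.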
On-Premises Connector - Recommended
When registering a target database through an on-premises connector, Oracle recommends that you install the on-premises connector on a different host machine from the target database, although you can install it on the same machine if needed. You download the on-premises connector install bundle from Data Safe after the connector has been registered there, and run it on the host machine where the connector is to reside. In a production environment, Oracle recommends installing the same on-premises connector on two Linux hosts for high availability: if one host goes down because of a system failure or maintenance, Oracle Data Safe connections automatically fail over to the on-premises connector running on the other host, and ongoing Oracle Data Safe operations are not affected. Once the on-premises connector is installed and connected to the Oracle Database, Oracle Data Safe sends requests to your on-premises database by routing them through the Cloud Connections Manager that resides on the Data Safe VCN. The connection between the Cloud Connections Manager and the on-premises connector is an encrypted TLS tunnel, established outbound from the on-premises connector, so no inbound connection from OCI into your network is required.
During target registration with an on-premises connector you can either select an existing on-premises connector (one connector can support multiple target databases) or create a new one.
The connection between the on-premises connector and your on-premises Oracle Database can be either a TCP or a TLS connection.
- Preregistration Tasks for an Oracle On-Premises Database
- Run the On-Premises Oracle Databases Wizard
- Create an Oracle Data Safe Private Endpoint
- Create an Oracle Data Safe On-Premises Connector
- Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database