Target Database Registration Overview

To use an Oracle database with Oracle Data Safe, you first need to register it with Oracle Data Safe.

Supported Target Databases

You can register Autonomous Databases and DB systems in the Oracle cloud with Oracle Data Safe, and you can also register your own on-premises Oracle databases.

The following entries list the supported databases (by workload type, DB system type, or Oracle Database software edition), their supported versions, and whether public or private IP addresses are supported for network access.

Autonomous Databases on Shared Exadata Infrastructure

Workload types:

  • Autonomous Data Warehouse
  • Autonomous Transaction Processing

Versions: latest version

Network access:

  • Secure access from everywhere (database has public IP)
  • Private virtual cloud network (database has private IP; connection via Oracle Data Safe private endpoint)

Autonomous Databases on Dedicated Exadata Infrastructure

Workload types:

  • Autonomous Data Warehouse
  • Autonomous Transaction Processing

Versions: latest version

Network access:

  • Private virtual cloud network access (database has private IP; connection via Oracle Data Safe private endpoint)

DB system

DB system types:

  • Bare Metal
  • Virtual Machine
  • Exadata

Oracle Database software editions:

  • Standard Edition
  • Enterprise Edition
  • Enterprise Edition High Performance
  • Enterprise Edition Extreme Performance

Versions: 12.1*, 12.2.0.1 or later

Network access:

  • Bare Metal and Virtual Machine DB systems can have public or private IPs.
  • Exadata DB systems can have private IPs.

Oracle Database on an Oracle Cloud Infrastructure Compute instance

Oracle Database software editions:

  • Standard Edition
  • Enterprise Edition

Versions: 12.1*, 12.2.0.1 or later

Network access:

  • Private virtual cloud network access (database has private IP; connection via Oracle Data Safe private endpoint)

On-Premises Oracle Database**

Oracle Database software editions:

  • Standard Edition
  • Enterprise Edition

Versions: 12.1*, 12.2.0.1 or later

Network access:

  • On-premises Oracle databases can have public or private IPs.
  • Connection via Oracle Data Safe private endpoint.

* Provisioning of unified audit policies is not supported in Oracle Database 12.1.

** Oracle Data Safe supports on-premises Oracle databases via private endpoint in select regions. See Register On-Premises Oracle Databases by Using an Oracle Data Safe Private Endpoint for the list of regions and registration instructions.

Public Versus Private Endpoints

Oracle Data Safe connects to target databases with public IP addresses differently than it connects to target databases with private IP addresses.

If your database's IP address is public, it is referred to as a public endpoint. The IP address is accessible from the Internet through an Internet gateway.

If your database's IP address is private (within a private subnet), Internet traffic cannot access the database. You therefore need to create an Oracle Data Safe resource called a private endpoint in your VCN in Oracle Cloud Infrastructure so that Oracle Data Safe can connect to your database through it. The private endpoint essentially represents the Oracle Data Safe service in your VCN. The private endpoint manifests as a VNIC with a private IP address in a subnet of your choice. You do not need to create a public IP address for your database. A security list for your database VCN is required when setting up a private endpoint. Optionally, you can configure a network security group too.

Network Connections Between Oracle Data Safe and Target Databases with Public IP Addresses

The following diagram illustrates the network connections between Oracle Data Safe and target databases with public IP addresses.

In the diagram, Oracle Data Safe has its own VCN and the customer has two VCNs - one for the DB system and another for the Autonomous Database. There is one internet gateway per customer VCN.

Traffic from Oracle Data Safe to a DB system (VM or BM) with a public IP address is encrypted and flows through the Internet and gateways on the Oracle Cloud Infrastructure network. From Oracle Data Safe, traffic first goes to a network address translation (NAT) gateway on the Oracle Data Safe VCN. Next, the traffic travels on the Internet to an internet gateway in the customer VCN in Oracle Cloud Infrastructure. Lastly, the traffic travels to the database.

Traffic from Oracle Data Safe to an Autonomous Database with a public IP address flows entirely on the Oracle Cloud Infrastructure network. From Oracle Data Safe, traffic first goes to a service gateway on the Oracle Data Safe VCN. From there, it flows to an internet gateway on the customer VCN. Lastly, the traffic flows to the database.

Network Connections Between Oracle Data Safe and Target Databases with Private IP Addresses

The following diagram illustrates the network connection between Oracle Data Safe and a DB system (VM, BM, or Exadata) that has a private IP address.

In the diagram, Oracle Data Safe and the customer each have one virtual cloud network (VCN) on the Oracle Cloud Infrastructure network. The DB system is on the customer VCN. Starting at Oracle Data Safe, traffic travels from the Oracle Data Safe VCN to a private endpoint in the customer VCN. Finally, the traffic flows to the database.

Where to Register Target Databases

Where you register a target database depends on the type of database.

  • You can register Autonomous Databases from their respective Consoles in Oracle Cloud Infrastructure.
  • You can register DB systems and on-premises Oracle databases from within the Oracle Data Safe Console.

You can register an Oracle cloud database that resides anywhere in your tenancy; however, cross-tenancy and cross-region registration are not supported.

Before registering a target database, it's important to review the registration workflow for your database because there are tasks that you need to complete prior to doing the actual registration. Each type of target database has its own recommended workflow.

Automated Registration Processes for Autonomous Databases

When you register an Autonomous Database, Oracle Data Safe automatically creates a resource group with the same name as the compartment in Oracle Cloud Infrastructure that contains the database.

Oracle Data Safe also automatically grants the AdministerAssessment and AdministerAudit privileges on the newly created resource group to the user registering the database. This is a special case where a user, not a group, is granted Oracle Data Safe privileges. With these default privileges, the user can manage the assessment and audit features on the database in the Oracle Data Safe Console. Specifically, the user can generate User Assessment and Security Assessment reports for the database, as well as start and stop audit data collection on the database.

TLS and TCP Connection Types

During target database registration, you can configure a Transmission Control Protocol (TCP) or Transport Layer Security (TLS) connection between Oracle Data Safe and the database. Oracle Data Safe is considered a client of the target database. A TLS connection is a TCPS connection that uses the TLS cryptographic protocol. Oracle Data Safe supports version 1.2 of the TLS protocol, but not the Secure Sockets Layer (SSL) cryptographic protocol.

Autonomous Databases, by default, have TLS encryption enabled with client authentication. During registration, Oracle Cloud Infrastructure automatically creates a TLS connection between the Autonomous Database and Oracle Data Safe and takes care of the registration details for you.

You manually register DB systems in the Oracle Data Safe Console, and can choose a TCP or TLS connection. If your DB system has TLS configured, then you should choose TLS over TCP. A TLS connection to a target database provides privacy and data integrity, plus the identity of the communicating parties can be authenticated by using public key cryptography. Although authentication can be optional, the server typically requires it.

To establish a TCP connection between a DB system and Oracle Data Safe, the DB system must have both the network encryption and data integrity features enabled. By default, when a DB system is created, the required network encryption is enabled. The supported encryption algorithm is AES256. Supported cryptographic hash functions for checksum are SHA1, SHA256, SHA384, and SHA512. Non-encrypted TCP connections are not supported.
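As an added example (not from this page or from Oracle's own tooling), the following Oracle SQL shows what a session to a DB system actually negotiated for native network encryption and integrity, so you can confirm the AES256 and checksum requirements above before registering over TCP. It assumes a session with SELECT access to V$SESSION and V$SESSION_CONNECT_INFO; the sqlnet.ora values in the comment are chosen to match the algorithms the page lists.

```sql
-- Added example, not Oracle's own script. Run as a user with SELECT on
-- V$SESSION and V$SESSION_CONNECT_INFO (for example a DBA account).
--
-- Server-side sqlnet.ora settings that enforce what Data Safe expects for
-- a TCP connection (parameter names are real; the value lists are chosen
-- here to match the algorithms the page lists):
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512, SHA384, SHA256)

-- 1. What did *this* session negotiate? Each session has several banner
--    rows; the rows containing "service adapter" name the encryption and
--    checksum algorithms actually in use (the generic "Encryption service"
--    row is present even on unencrypted sessions, so match on "adapter").
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
   AND UPPER(network_service_banner) LIKE '%SERVICE ADAPTER%';

-- 2. Inventory every user session: one row per session with the negotiated
--    encryption and checksum algorithm (first word of the adapter banner,
--    e.g. AES256 / SHA256). A session that Data Safe would refuse, i.e. one
--    without encryption or without integrity, shows NULL in that column.
SELECT s.sid,
       s.username,
       s.machine,
       MAX(CASE WHEN UPPER(c.network_service_banner)
                     LIKE '%ENCRYPTION SERVICE ADAPTER%'
                THEN REGEXP_SUBSTR(c.network_service_banner, '^\S+') END)
         AS encryption,
       MAX(CASE WHEN UPPER(c.network_service_banner)
                     LIKE '%CRYPTO-CHECKSUMMING SERVICE ADAPTER%'
                THEN REGEXP_SUBSTR(c.network_service_banner, '^\S+') END)
         AS checksum
  FROM v$session s
  JOIN v$session_connect_info c
    ON c.sid = s.sid AND c.serial# = s.serial#
 WHERE s.type = 'USER'
 GROUP BY s.sid, s.username, s.machine
 ORDER BY s.sid;
```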

Oracle Data Safe Service Account on Target Databases

Every target database that you want to use with Oracle Data Safe requires an account on it for the Oracle Data Safe service. For a DB system, you need to create the Oracle Data Safe service account manually. Create it with the fewest privileges possible on the database.

An Autonomous Database comes with an Oracle Data Safe service account precreated on it so you do not need to create one. The account is named DS$ADMIN and is initially locked with the password expired. When you register an Autonomous Database with Oracle Data Safe, Oracle Cloud Infrastructure unlocks this account and resets its password. If you deregister the Autonomous Database, the account is locked again.
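An added example (not a script from this page or from Oracle): the Oracle SQL below creates a least-privilege service account on a DB system as described above, then reports exactly what the account holds so you can verify nothing beyond the intended Data Safe roles crept in, and for the Autonomous Database case confirms the DS$ADMIN lock state around registration. The user name DATASAFE_SVC and the password placeholder are assumptions.

```sql
-- Added example, not Oracle's own registration script. Run as a DBA.
-- DATASAFE_SVC and the password placeholder are assumed names; replace them.

-- 1. DB system: the service account starts with nothing but the ability to
--    connect. No default roles or quotas; the feature roles are granted
--    afterwards through the mechanism the page describes for your target.
CREATE USER datasafe_svc IDENTIFIED BY "<strong-password-placeholder>";
GRANT CREATE SESSION TO datasafe_svc;

-- 2. Least-privilege check: everything the account holds, directly or
--    through a role. Expect CREATE SESSION plus only the Data Safe roles you
--    intended; anything else (DBA, SELECT ANY TABLE, ...) should be revoked.
SELECT 'SYS PRIV' AS kind, privilege AS name, admin_option AS with_admin
  FROM dba_sys_privs
 WHERE grantee = 'DATASAFE_SVC'
UNION ALL
SELECT 'ROLE', granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'DATASAFE_SVC'
UNION ALL
SELECT 'OBJ PRIV', owner || '.' || table_name || ' (' || privilege || ')', grantable
  FROM dba_tab_privs
 WHERE grantee = 'DATASAFE_SVC'
 ORDER BY 1, 2;

-- 3. Autonomous Database: DS$ADMIN is precreated, so only its state matters.
--    Before registration the status should include LOCKED (locked with the
--    password expired); after registration it should be OPEN, and after
--    deregistration it should be LOCKED again.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'DS$ADMIN';
```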

Roles for the Oracle Data Safe Service Account

The Oracle Data Safe features that you can use with your target database depend on the roles granted to the Oracle Data Safe service account on that target database. You can grant and revoke roles as needed. Oracle recommends that you grant only the roles needed. How you grant roles depends on the type of target database.

The following table lists the roles that you can grant to or revoke from the Oracle Data Safe service account on your target database. If you are registering a DB system, you grant the roles in the first column. If you are registering an Autonomous Database, you grant the roles in the second column. Some or most of the roles are granted by default, so refer to the registration instructions for each type of target database.

DB System Role      Autonomous Database Role    Description
ASSESSMENT          DS$ASSESSMENT_ROLE          Privileges required for the User Assessment and Security Assessment features
AUDIT_COLLECTION    DS$AUDIT_COLLECTION_ROLE    Privileges required for accessing audit trails for the target database
DATA_DISCOVERY      DS$DATA_DISCOVERY_ROLE      Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
MASKING             DS$DATA_MASKING_ROLE        Privileges required for the Data Masking feature (masking sensitive data in the target database)
AUDIT_SETTING       DS$AUDIT_SETTING_ROLE       Privileges required for updating target database audit policies