Configure the RDBMS

After the container is running, prepare the database instance so that it can authenticate to the Private AI Services endpoint.

Verify HTTP2 connectivity:

curl  --http2-prior-knowledge -i --cacert $SECRETS_DIR/cert.pem https://$HOST:8443/health

Configure the SSL wallet

This is expected to be run as SYSDBA on the container database (CDB).

Choose one of the following approaches to establish trust between the database and the Private AI Services Container:
1. Use an existing wallet.
  
  Reuse the database's current SSL wallet by noting the wallet location (<existing_wallet_path>). Ensure that you have the wallet password available and use that path in the certificate import step later in this setup.
2. Create a new wallet.
  
  If no SSL wallet is configured yet, create a new auto-login wallet and capture its path (<wallet_path>):
```
orapki wallet create -wallet <wallet_path> -pwd <your_chosen_wallet_pwd> -auto_login
```
  To use the new wallet, the ssl_wallet property needs to be updated to point to it:
```
ALTER DATABASE PROPERTY SET ssl_wallet='file:<wallet_path>';
```
Add the certificate to the wallet.

Add the container digital certificate to the wallet path you selected in the previous step (either the existing wallet or the newly created one).
```
orapki wallet add -wallet <wallet_path> -trusted_cert -cert <path_to_certificate> -pwd <your_chosen_wallet_pwd>
```
For more details about wallet creation and certificate management, see Oracle AI Database Utilities.

Use the container credential.

This is expected to be run as the same schema USER and in the same pluggable database (PDB) as the index creation.

Note:

The schema user needs the following privileges, granted by the PDB SYS user:

```
GRANT DB_DEVELOPER_ROLE TO <user>
```
```
GRANT CREATE CREDENTIAL TO <user>
```

DECLARE
  jo json_object_t := json_object_t();
BEGIN
  jo.put('access_token', '&api_key'); -- Provide the "API key" listed in step 6
  dbms_vector.create_credential(
    credential_name => 'MYCREDENTIALNAME', -- Replace with your preferred credential identifier
    params => json(jo.to_string));
END;
/

BEGIN
  dbms_network_acl_admin.append_host_ace (
    host => '<container host>',
    ace => xs$ace_type(
      privilege_list => xs$name_list('http', 'http_proxy', 'resolve'),
      principal_name => USER,
      principal_type => xs_acl.ptype_db));
  dbms_network_acl_admin.append_wallet_ace(
    wallet_path => 'file:<wallet_path>',
    ace => xs$ace_type(
      principal_name => USER,
      principal_type => xs_acl.ptype_db,
      privilege_list => xs$name_list('use_client_certificates', 'use_passwords')));
END;
/

See CREATE_CREDENTIAL in Oracle AI Database PL/SQL Packages and Types Reference for more information about the credential name.

Use PL/SQL to confirm that the container is reachable from the RDBMS and that the host ACE is set up correctly.

SET SERVEROUTPUT ON;
 
CREATE OR REPLACE PROCEDURE check_reachable(
  url       IN VARCHAR2,
  wallet    IN VARCHAR2
) IS
  req utl_http.req;
  res utl_http.resp;
  buffer VARCHAR2(4000);
BEGIN
  utl_http.set_wallet(wallet);
  req := utl_http.begin_request(url, 'GET', 'HTTP/1.1');
  res := utl_http.get_response(req);
 
  BEGIN
    dbms_output.put_line('HTTPS response status code: ' || res.status_code);
 
    IF show_body THEN
      LOOP
        utl_http.read_line(res, buffer);
        dbms_output.put_line(buffer);
      END LOOP;
    END IF;
 
    utl_http.end_response(res);
  EXCEPTION
    WHEN utl_http.end_of_body THEN
      utl_http.end_response(res);
  END;
END check_reachable;
/
 
exec check_reachable(url => 'https://&host:&port/health', wallet => 'file:&wallet’);

A status code of 200 indicates that the container is reachable and the ACE host is set up correctly.

With the credential in place, vector indexes can be created with an OFFLOAD_URL that targets the container's endpoint.:

CREATE VECTOR INDEX gist_idx ON gist(embedding)
  ORGANIZATION INMEMORY NEIGHBOR GRAPH
  DISTANCE EUCLIDEAN
  PARAMETERS (
    TYPE                       HNSW,
    OFFLOAD_CREDENTIAL_NAME    MYCREDENTIALNAME, -- Use the same credential_name as for dbms_vector.create_credential
    OFFLOAD_URL                'https://<container_host>:<port>/v1/index'
)
PARALLEL 4;

As an alternative to the CREATE VECTOR INDEX statement, you can use the CREATE_INDEX function of the DBMS_VECTOR PL/SQL package. In both cases, specify the offload_credential_name and offload_url parameters to offload index creation to the Private AI Services Container.

BEGIN
  DBMS_VECTOR.CREATE_INDEX(
    IDX_NAME                => 'gist_idx_2',
    TABLE_NAME              => 'SIFTTRAIN',
    IDX_PARTITIONING_SCHEME => NULL,
    IDX_VECTOR_COL          => 'embedding',
    IDX_DISTANCE_METRIC     => 'EUCLIDEAN',
    IDX_ORGANIZATION        => 'INMEMORY NEIGHBOR GRAPH',
    IDX_PARAMETERS          => '{
                                  "type": "HNSW", 
                                  "neighbors": 32, 
                                  "efConstruction": 200, 
                                  "offload_credential_name": "privateai",
                                  "offload_url": "https://<container_host>:<port>/v1/index"
                                }'
  );
END;
/

You can also use the DBMS_VECTOR.REBUILD_INDEX function to rebuild an index using the vector index service:

BEGIN
  DBMS_VECTOR.REBUILD_INDEX(
    IDX_NAME        => 'gist_idx_2',
    IDX_PARAMETERS  => '{
                         "type": "HNSW", 
                         "neighbors": 32, 
                         "efConstruction": 200, 
                         "offload_credential_name": "privateai",
                         "offload_url": "https://<container_host>:<port>/v1/index"
                         }'
  );
END;
/