Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Configure a Cross-Region Oracle Data Guard for Oracle Base Database Service with OCI Vault

Introduction

We are pleased to announce the general availability (GA) of Oracle Cloud Infrastructure (OCI) Vault integration for cross-region Oracle Data Guard on Oracle Base Database Service. With this feature, a cross-region Oracle Data Guard can be set up between two databases if their keys reside in a Virtual Private Vault (VPV) and are managed by the OCI Vault service.

Oracle Data Guard customers prefer to have the encryption keys used for the primary and standby databases available in the primary and standby regions, respectively, to protect against a single point of failure for the OCI Vault key. OCI Vault service provides cross-region replication (CRR) functionality to replicate the OCI vault keys across the regions within a realm, and these keys can be assigned to primary and standby databases. Once CRR is enabled for a VPV in the source region, keys are automatically and asynchronously replicated to the destination region.

Objectives

• Enable Data Guard Association on an Oracle Base Database Service database system (DB System) when the primary database uses customer-managed encryption.

• Migrate from Oracle-managed keys to customer-managed keys for an existing cross-region Oracle Data Guard configuration.

Prerequisites

• A Virtual Private Vault and an encryption key should be created in the region where you will create your primary database. The key protection method can be either Hardware Security Module (HSM) or software. The encryption key algorithm to use must be AES-256.

• The Virtual Private Vault must be replicated to the region where you will create the standby database.

• Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) policies should be configured for the Oracle Base Database Service DB System to manage the vault and keys.

• An Oracle Base Database Service VM DB System database protected by Virtual Private Vault keys.

Task 1: Enable Oracle Data Guard on an Oracle Base Database Service DB System

Assuming you have created a VPV based database in Oracle Base Database Service, you can navigate to the DB System and enable Oracle Data Guard on a DB System when the primary database is using customer-managed encryption. While creating the standby database, select a region with a replica of the vault. Once the Oracle Data Guard is set up, the primary database will use the key at the primary region, and the standby database will use the replicated key at the replicated region.

Perform the following steps to enable Oracle Data Guard on the DB System when the primary database uses customer-managed encryption.

1. Open the navigation menu and click Oracle Database and Oracle Base Database Service.

   

2. Click the DB System that contains the database you want to assume the primary role for Oracle Data Guard.

   

3. In the DB System Details page, under the Databases section, click the database you want to make primary.

   

4. In the Database Details page, under the Resources section, click Data Guard Associations and then Enable Data Guard.

   

5. In the Create peer DB system page, enter required information for the peer DB System and click Enable Data Guard.

   

   Note:

   • In Region, select the region of the new peer DB System that has a replica of the Virtual Private Vault.
   • Once the Oracle Data Guard is set up, the primary database will use the key at the primary region, and the standby database will use the replicated key at the replicated region.

6. In the primary database details page, we can see the information about the primary database and its peer and display their respective roles as Primary or Standby.

   

7. The standby database details page provides the standby database information and its peer (primary database) details.

   

Task 2: Migrate from Oracle-managed keys to Customer-managed keys for an existing cross-region Oracle Data Guard Configuration

If you have a cross-region Oracle Data Guard set up between databases that use Oracle-managed keys, you can move them to use customer-managed keys that are part of Virtual Private Vault.

Perform the following steps to Migrate from Oracle-managed keys to customer-managed keys for an existing cross-region Oracle Data Guard configuration.

1. Navigate to the Database Details page of the primary database, click the More Actions menu, and then click Manage encryption key.

   

2. In the Manage encryption key page, select Use customer-managed keys, Vault (Virtual Private Vault), Master encryption key and click Save Changes.

   

   

Related Links

• What’s New in Oracle Base Database Service

• Oracle Base Database Service How To’s Video Playlist

Acknowledgments

• Authors - Pravin Jha, Tammy Bednar, Leo Alvarado (Product Management)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Configure a Cross-Region Oracle Data Guard for Oracle Base Database Service with OCI Vault

F92904-01

February 2024

Copyright © 2024, Oracle and/or its affiliates.