1. Administering Oracle Data Safe
  2. Target Database Registration
  3. Manage Target Databases

Manage Target Databases

As your target databases and their environments evolve, you may need to perform various life-cycle management activities.

View Registration Details for a Target Database

You can view registration details from the Target Database Details page in the Oracle Data Safe service in Oracle Cloud Infrastructure.

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains the target databases that you want to view.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database for which you want to view registration details.
    The Target Database Details page is displayed.
  6. View the registration details for the selected target database on the Target Database Details tab. The details vary depending on the database type.

Update Connection Details for a Target Database

From the Target Database Details page, you can update connection details for a target database. The connection details vary depending on the database type; for example, TCP/TLS, database service name, database port number, and so on.

For example, for some target databases you can change the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector configuration for a target database.

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains the target databases that you want to view.
  4. (Optional) To list all of the target databases in the child compartments too, select the Include Child Compartments check box.
  5. Click the name of the target database that you want to update.
    The Target Database Details page is displayed.
  6. Click Edit Connection Details.
    The Edit Connection Details window is displayed.
  7. Modify the connection details as needed, and then click Save Changes.

Update a Target Database Name and Description

You can update the name and description for your target database.

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains your target database.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database that you want to update.
    The Target Database Details page is displayed.
  6. To modify the target database name, click the pencil icon next to the Name field, modify the name, and then click the save icon.
  7. To modify the target database description, click the pencil icon next to the Description field, modify the description, and then click the save icon.

Update the Database User

You can use the Update Database User feature on the Target Database Details page to update the user credentials on your target database that Oracle Data Safe requires.

For a non-Autonomous Database, you can update the credentials for the Oracle Data Safe service account. For an Autonomous Database, you can update the credentials for the ADMIN account, which is required to unlock the Oracle Data Safe user account that already exists on the database.

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains the target databases that you want to view.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database.
    The Target Database Details page is displayed.
  6. Click Update Database User.
    The Update Database User panel is displayed.
  7. Modify the credentials as needed, and then click Save Changes.

Manage Peer Databases Associated with a Registered Active Data Guard Primary Database

When you register a target database that is the primary database in an Active Data Guard association, you can manage the associated standby databases from the Target Database Details page of the primary database. Managing the standby databases can include, adding them as peer databases, refreshing their connection details, editing their connection details, or deregistering them from Oracle Data Safe.

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.

    The Overview page for the Oracle Data Safe service is displayed.

  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains the target databases that you want to view.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database for which you want to add peer databases to or refresh peer database connections for.

    The Target Database Details page is displayed.

  6. To add peer databases, click Add Peer Database.
    1. In the side pane you will see a list of standby database that are associated with the selected primary database. Select from the list which of the standby databases you would like to register as peers.
    2. (Optional) Click + on a standby database to see the details for and edit any of the following if necessary:
      • Peer Display Name
      • Database Service Name
      • Database Port Number
      • TCP/TLS
    3. Click Add Peer Database
  7. To manually refresh peer database connections, click Refresh.

    Note:

    Oracle Data Safe automatically checks and refreshes the peer database connection details every hour.
  8. To edit connection details of or deregister a peer database, click on the name of the peer database from the Peer Databases section.

    This will bring you to the Peer Database Details page.

    1. To edit connection details, click Edit Connection Details, edit the information as necessary, and click Save Changes.

      Note:

      If the peer database is the root database, the connection details can't be edited. The Secondary key value for a root database is 0.
    2. To deregister the peer database, click Deregister.

What to Do in Data Safe After Performing a Manual Switch Over of Active Data Guard Associated Target Databases?

If you have registered Active Data Guard associated target databases in Data Safe, you are able to see the role (primary or standby) of the databases. If you perform a manual switchover of the databases, you may not see the changes in the roles reflected immediately in Data Safe.

As a result of this, it's possible that a data masking job will fail because the proper read and write permissions are not associated with the database.

To prevent this from occurring, after performing a manual switchover, refresh the database connections. See Manage Peer Databases Associated with a Registered Active Data Guard Primary Database for more information.

Move a Target Database to a Different Compartment

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains your target database.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database that you want to update.
    The Target Database Details page is displayed.
  6. From the More Actions menu, select Move Resource.
    A Move Resource to a Different Compartment dialog box is displayed.
  7. From the drop-down list, select a different compartment, and then click Move Resource.
    The target database is immediately moved to the compartment.

Activate or Deactivate a Target Database

The activate and deactivate features are available for Oracle Cloud Databases only. When you deactivate a target database, it can no longer be used in Oracle Data Safe and audit data collection is stopped for the target database. Users who have access to the target database can still view existing reports and assessments.

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains the target database that you want to activate or deactivate.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database that you want to activate or deactivate.
    The Target Database Details page is displayed.
  6. From the More Actions menu, select Activate or Deactivate.
  7. To confirm, click Activate or Deactivate.
    Your target database is activated or deactivated from Oracle Data Safe.

Deregister a Target Database

When you deregister a target database, the target database is no longer available in Oracle Data Safe. If your target database is connected via a private endpoint, the private endpoint is not automatically deleted during deregistration. You can still view collected audit data in the audit reports for a deregistered target database as long as the audit data retention period is not expired.

  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains the target database that you want to deregister.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database that you want to deregister.
    The Target Database Details page is displayed.
  6. From the More Actions menu, select Deregister.
  7. To confirm, click Deregister.
    Your target database is deregistered from Oracle Data Safe.

    For 45 days, your target database remains in a DELETED state in the user interface, and the metadata about your target database is kept in Oracle Data Safe. After 45 days, Oracle Data Safe permanently removes all metadata about your target database and your target database is no longer listed in the user interface.

    The target database's audit policies and audit profiles are scheduled for deletion in an automatic cleanup job. Following the first run of the cleanup job, the policies are visible and marked as FAILED. Following the second run of the clean up job, the policies are visible and marked as DELETED. The policies are hard deleted following the third run of the clean up job and then are no longer be visible.

    Note:

    A maximum of five policies are cleaned up per day. So, in cases where more than five policies need to be cleaned up, the remaining policies are queued up for the next day's cleanup job.

    The target database's audit data remains in the Oracle Data Safe repository for the period dictated by the audit data retention setting (on the Settings page).

    The target database's audit profiles are deleted when there are no more audit events for the target in Oracle Data Safe.

    Resources associated with or used by the target database (for example, sensitive data models, sensitive types, masking policies, and reports) are not deleted when the target database is deregistered. You need to manually delete these items.

Resources That Are Automatically Deleted When a Target Database is De-registered

When you de-register a target database there are a number of resources that are automatically deleted. However, there are also some resources that can't be deleted. See the below list to learn what happens to certain resources when a target database is de-registered.

Table 3-1 Resources that are automatically deleted when a target database is de-registered

Functional Area Data Safe Resource Data Safe Resource Name in OCI IAM Comments
Activity Auditing Audit Profile* data-safe-audit-profiles In a cleanup job once there are no more audit events for the target
Activity Auditing Audit Trail data-safe-audit-trails  
Activity Auditing Audit Event data-safe-audit-events Once the retention policy is over
Activity Auditing Audit Policy* data-safe-audit-policies  
Activity Auditing/Alerts Target Alert Policy Associations data-safe-target-alert-policy-associations  
Activity Auditing/Alerts Report data-safe-reports Reports that are older than 90 days will be deleted in a routine cleanup job
Activity Auditing Archive Retrievals data-safe-archive-retrievals Yes - After the retrieved data has been online for 30 days
User Assessment User Assessment user-assessments In a routine cleanup job
Security Assessment Security Assessment security-assessments In a routine cleanup job
SQL Firewall Database Security Config data-safe-database-security-configs In a routine cleanup job
SQL Firewall Security Policy data-safe-security-policies In a routine cleanup job
SQL Firewall Security Policy Deployment data-safe-security-policy-deployments In a routine cleanup job
SQL Firewall Firewall Policy data-safe-sql-firewall-policies In a routine cleanup job
SQL Firewall SQL Collection data-safe-sql-collections In a routine cleanup job
SQL Firewall Violation Logs data-safe-sql-firewall-violations Yes-After the 12 month retention period has passed
SQL Firewall SQL Firewall Allowed SQL data-safe-sql-firewall-allowed-sqls In a routine cleanup job
*When a target database is de-registered, the target database's audit policies and audit profiles are scheduled for deletion in an automatic cleanup job. Following the first run of the cleanup job, the policies are visible and marked as FAILED. Following the second run of the clean up job, the policies are visible and marked as DELETED. The policies are hard deleted following the third run of the clean up job and then are no longer be visible.

Note:

A maximum of 100 policies are cleaned up per day. So, in cases where more than 100 policies need to be cleaned up, the remaining policies are queued up for the next day's cleanup job.

The routine cleanup job runs frequently and deletes a number of resources whenever it runs. If you have many resources in the queue to be deleted, it may take several runs of the cleanup job to empty the queue.

Resources associated with or used by the target database (for example, sensitive data models, masking policies, and reports) are not deleted when the target database is de-registered. You need to manually delete these items. See What Resources Can Be Deleted While a Target Database is Active for more information.

Related Topics

Manage Network Access Changes for an Oracle Autonomous Database Serverless

You can change the network access type for your Oracle Autonomous Database Serverless from Secure Access from Anywhere to Virtual cloud network, and vice versa. When making a network access change, you may need to perform tasks to maintain the database's registration with Oracle Data Safe.

Overview

If you plan to switch the network access for your Oracle Autonomous Database Serverless from Secure Access from Anywhere (public endpoint) to Virtual cloud network (private endpoint), prior to making the network access change, you need to create an Oracle Data Safe private endpoint on the same virtual cloud network (VCN) and subnet as your database. If you plan to switch from a private endpoint to a public endpoint, you do not need to do anything other than make the network switch. You do not need to deregister your Autonomous Database with Oracle Data Safe beforehand. Your database will have a public IP address after you make the change and you can view that IP address from the database's Console. You may want to delete the Oracle Data Safe private endpoint previously used because it is no longer needed.

Note:

If your Oracle Autonomous Database Serverless is not yet registered with Oracle Data Safe, first make the network access change and then register your database.

When you switch the network access type for your Autonomous Database from Secure Access from Anywhere to Virtual cloud network, the database's private endpoint communicates with Oracle Data Safe's private endpoint. The two private endpoints allow Oracle Data Safe to communicate with your database. This scenario is illustrated in the diagram below.

If there is no Oracle Data Safe private endpoint available and you attempt to make the network access change, you will get a message stating that the "Data Safe service may be disrupted if you switch to using a private endpoint without first configuring a Data Safe private endpoint.", as shown in the screenshot below. In this case, the switch will fail.

Confirm network access change screenshot

Workflow

If your Oracle Autonomous Database Serverless is already registered with Oracle Data Safe and you want to switch the database's network access type from Secure Access from Anywhere to Virtual cloud network, then follow the general steps listed in the table below.

Step Description Reference

1

Create an Oracle Data Safe private endpoint.

Create an Oracle Data Safe Private Endpoint

2

Switch the network access type to VCN for your Oracle Autonomous Database Serverless.

Change from Public to Private Endpoints with Autonomous Database

3

Update the security rules to allow communication between Oracle Data Safe and your Autonomous Database.

Update the Security Rules to Allow Communication Between Oracle Data Safe and Your Database

Update the Security Rules to Allow Communication Between Oracle Data Safe and Your Database

Update the ingress and egress security rules for the Network Security Groups (NSGs) on your private VCN in Oracle Cloud Infrastructure to allow traffic from Oracle Data Safe's private endpoint to your Autonomous Database's private endpoint. While both an NSG and a security list act as virtual firewalls for your database, Oracle recommends that you use NSGs. For more information, see Network Security Groups.

Example 3-4 Configure security rules for an Oracle Autonomous Database Serverless with private VCN access

Suppose you provision an Oracle Autonomous Database Serverless with private VCN access in Oracle Cloud Infrastructure. During provisioning, Oracle Cloud Infrastructure automatically creates a private endpoint for your database and you associate an NSG with your database.

To obtain the private IP address for your database's private endpoint and view the NSG name, you access the Autonomous Database Information tab in your database's Console in Oracle Cloud Infrastructure. As shown in the following screenshot, under Network, the private endpoint's IP address is 10.0.10.232 and the NSG name is test_nsg.

Autonomous Database Information tab for an Oracle Autonomous Database Serverless with private VCN access

To obtain the private IP address and NSG for Oracle Data Safe's private endpoint, you access the Private Endpoint Information tab on the Data Safe page in Oracle Cloud Infrastructure. As shown in the following screenshot, the IP address is 10.0.10.160 and the NSG name is nsg_not_allow_pdb_pe_ip.


Private Endpoint Information tab

Next, you create a security rule for each of the NSGs the following way:

  • Ingress rule for the database private endpoint NSG: The database's private endpoint IP address, 10.0.10.232 (on port 1522), can receive incoming traffic from Oracle Data Safe's private endpoint IP address, 10.0.0.6 (from any port).
  • Egress rule for the Oracle Data Safe private endpoint NSG: Oracle Data Safe's private endpoint IP address, 10.0.0.6 (from any port), can send requests to the database's private endpoint IP address, 10.0.10.232 (on port 1522).

The following diagram illustrates the security rules.

What to Do if an Autonomous Database Name Changes

If you rename your Autonomous Database from the database's Console in Oracle Cloud Infrastructure, the change is automatically propagated to Oracle Data Safe. Oracle recommends that you update the target database name in Oracle Data Safe to best match your database name.

Each target database name must be unique in Oracle Data Safe. By updating your target database name, you can avoid name conflicts in the future.

To update the name of your target database:
  1. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then select Data Safe - Database Security.
    The Overview page for the Oracle Data Safe service is displayed.
  2. Under Data Safe on the left, click Target Databases.
  3. Under List Scope on the left, select the compartment that contains your target database.
  4. (Optional) To list all of the target databases in the child compartments too, select the INCLUDE CHILD COMPARTMENTS check box.
  5. Click the name of the target database that you want to update.
    The Target Database Details page is displayed.
  6. Click the edit button (pencil icon) next to the target database name, modify the name, and then click the save button (disk icon).