Oracle Cloud Infrastructure Documentation

Prerequisites for Enabling Autonomous Databases

Ops Insights allows you to perform advanced and basic collections on your Autonomous Databases via a private endpoint or through secure access from anywhere, to enable data collection on an Autonomous Database the following prerequisites must be met:

Basic: No prerequisites are required.
Full Features: Requires three types of prerequisites: general, for IAM credential based connections, and for Local credential based connections. Ensure general prerequisites are met and the prerequisites for your desired credential connection type.
  • General prerequisites: If your network requires it, create a Private Endpoint. Make sure you set up the correct network requirements for your database, including the creation of private endpoints.
    The following table outlines the network requirements by type of autonomous databases:
    ADB Type Access Type Network Requirements
    ADB Serverless (ADB-S) Access Anywhere None
    ADB Serverless (ADB-S) Private Endpoint Same Private Endpoint requirements as cloud databases.
    Note

    Use the ADB private endpoint VCN/Subnet instead of the database VCN/Subnet
    For more information see: Enabling Exadata Systems and Cloud Service Databases
    Note

    For IAM credential connections, a DNS Proxy enabled private endpoint must be used for dedicated Autonomous Databases and shared Autonomous Databases with private endpoint access configured.
    ADB Serverless (ADB-S) ACL (Access Control List) Restricted The private endpoint needs to be placed in one of the whitelisted VCNs. This VCN must have access to the public ADB endpoint, typically via service gateway.

    For more information see: Configure Access Control Lists When You Provision or Clone an Instance
    ADB Dedicated (ADB-D) N/A Same requirements as cloud databases. For more information see: Enabling Exadata Systems and Cloud Service Databases
    Note

    Dedicated Autonomous Databases require a private endpoint with DNS Proxy enabled. Ops Insights private endpoints created prior to September 2023 did not offer DNS proxy. A new private endpoint may need to be created.
    Create a dynamic group for the Ops Insights resource principal containing the compartment(s) where the autonomous databases being enabled reside.
    Example policy to allow Ops Insights service to generate Autonomous Database wallets: 
    Allow any-user to read autonomous-database-family in compartment XYZ where
 ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'}
  • Local Credential Prerequisites: Policy to allow Ops Insights service to read the database password secret: 
    Allow any-user to read secret-family in tenancy where
ALL{request.principal.type='opsidatabaseinsight', target.vault.id =  'Vault OCID'}

  • IAM Credential Prerequisites: Ops Insights can use IAM based authentication to connect to an Oracle Autonomous database, this allows for a more cloud-friendly and secure solution. With Ops Insights you can write a resource principal policy that enables it to collect performance and SQL-based metrics from the Autonomous Database (same metrics will be collected via this alternate authentication approach).

    For more information on IAM based connections see: About Connecting to an Autonomous Database Instance Using IAM.

    There are two ways to enable IAM connections to your Autonomous Databases, via script or manually. Ops Insights highly recommends to use the script method.

    • To enable IAM connections for your Autonomous Databases using the Ops Insights script (recommended method) follow these steps:
      1. Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
        All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
      2. Run the credential creation script, located in MOS note: OCI : Creating the Autonomous Database Monitoring Credentials for Oracle Cloud Operations Insights (Doc ID 2933173.1).
        Note

        See the script usage instructions at the bottom of the MOS Note for creating the desired database user type.
    • To manually enable IAM connections for your Autonomous Databases follow these steps:
      1. Update Autonomous Database to allow IAM based connections:
        BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION( type => 'OCI_IAM', force => TRUE );
END;
/
# Check if its enabled
SELECT NAME, VALUE , TYPE FROM V$PARAMETER WHERE NAME='identity_provider_type';
      2. Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
        All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
      3. Create monitoring role with necessary grants to create session and connect; and also the grants to the tables OPSI collects from:
        CREATE ROLE DbTokenRole IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
      4. Create a new database user (global) and assign it the role created in step 3:
        CREATE USER TESTDBUSER IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
GRANT CREATE SESSION, CONNECT TO testDbTokenRole;
# Need rest of grants within aforementioned script for OPSI collections to work properly