Prerequisites for Enabling Autonomous Databases
Ops Insights allows you to perform advanced and basic collections on your Autonomous Databases via a private endpoint or through secure access from anywhere. To enable data collection on an Autonomous Database, the following prerequisites must be met:
Serverless and Dedicated Autonomous Databases
Basic: No prerequisites are required.
- General prerequisites: If your network requires it, create a Private Endpoint. Make sure you set up the correct network requirements for your database, including the creation of private endpoints.
The following table outlines the network requirements by type of Autonomous Database:
- ADB Type: ADB Serverless (ADB-S)
  Access Type: Access Anywhere
  Network Requirements: None
- ADB Type: ADB Serverless (ADB-S)
  Access Type: Private Endpoint
  Network Requirements: Same Private Endpoint requirements as cloud databases.
  Note: For more information see: Enabling Exadata Systems and Cloud Service Databases. Use the ADB private endpoint VCN/Subnet instead of the database VCN/Subnet.
  Note: For IAM credential connections, a DNS Proxy enabled private endpoint must be used for dedicated Autonomous Databases and shared Autonomous Databases with private endpoint access configured.
- ADB Type: ADB Serverless (ADB-S)
  Access Type: ACL (Access Control List) Restricted
  Network Requirements: The private endpoint needs to be placed in one of the whitelisted VCNs. This VCN must have access to the public ADB endpoint, typically via service gateway. For more information see: Configure Access Control Lists When You Provision or Clone an Instance
- ADB Type: ADB on Dedicated Infrastructure (ADB-D)
  Access Type: N/A
  Network Requirements: Same requirements as cloud databases. For more information see: Enabling Exadata Systems and Cloud Service Databases
  Note: Dedicated Autonomous Databases require a private endpoint with DNS Proxy enabled. Ops Insights private endpoints created prior to September 2023 did not offer DNS proxy. A new private endpoint may need to be created.
- ADB Type: ADB on Exadata Cloud@Customer (ADB-C@C)
  Access Type: N/A
  Network Requirements: Install the latest version of the Management Agent and ensure network connectivity for the connection string.
For information on how to install a Management Agent to use with Ops Insights, see OCI : Observability & Management Support For Exadata Cloud (Article ID PNEWS1338)
For additional information on installing Management Agents see Install Management Agents.
Ensure a database monitoring user is created.
For information on creating Management Agent credentials see Management Agent Source Credentials
Review securing data recommendations: Secure on-premises observability data upload using Management Gateway.
Create a policy that allows the Ops Insights resource principal to generate Autonomous Database wallets in the compartment(s) where the ADB-D databases being enabled reside, for example:
Allow any-user to read autonomous-database-family in compartment XYZ where ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'}
- Local Credential Prerequisites: Policy to allow Ops Insights service to read the database password secret:
  Allow any-user to read secret-family in tenancy where ALL{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'}
- IAM Credential Prerequisites: Ops Insights can use IAM-based authentication to connect to an Oracle Autonomous Database, which allows for a more cloud-friendly and secure solution. With Ops Insights you can write a resource principal policy that enables it to collect performance and SQL-based metrics from the Autonomous Database (the same metrics are collected via this alternate authentication approach).
For more information on IAM based connections see: About Connecting to an Autonomous Database Instance Using IAM.
There are two ways to enable IAM connections to your Autonomous Databases: via script or manually. Ops Insights highly recommends using the script method.
- To enable IAM connections for your Autonomous Databases using the Ops Insights script (recommended method) follow these steps:
  - Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
    All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
  - Run the credential creation script, located in MOS note Creating the Autonomous Database Monitoring Credentials for Oracle Cloud Operations Insights (KB95891).
    Note: See the script usage instructions at the bottom of the MOS Note for creating the desired database user type.
- To manually enable IAM connections for your Autonomous Databases follow these steps:
  1. Update Autonomous Database to allow IAM based connections:
     BEGIN
       DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
         type => 'OCI_IAM',
         force => TRUE );
     END;
     /
     -- Check that it is enabled
     SELECT NAME, VALUE, TYPE FROM V$PARAMETER WHERE NAME='identity_provider_type';
  2. Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
     All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
  3. Create a monitoring role with the necessary grants to create a session and connect, and also the grants to the tables OPSI collects from:
     CREATE ROLE DbTokenRole IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
  4. Create a new database user (global) and assign it the role created in step 3:
     CREATE USER TESTDBUSER IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
     -- Grant to the role created in step 3
     GRANT CREATE SESSION, CONNECT TO DbTokenRole;
     -- The rest of the grants in the aforementioned script are needed for OPSI collections to work properly
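The wallet-generation and secret-read policies above both grant to any-user, so their scope depends entirely on the where ALL{...} conditions. As an added example (not Oracle's code), this Python check reviews policy statements for that pattern; the review function, its finding texts and the third, weakened sample statement are assumptions made for illustration.

```python
import re

# Assumed statement shape: Allow <subject> to <verb> <resource> in <scope> [where ALL{...}]
STMT = re.compile(
    r"^allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<match>all|any)\s*\{(?P<conds>.*)\})?$",
    re.IGNORECASE,
)
COND = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")

def review(statement, principal_type="opsidatabaseinsight"):
    """Return least-privilege findings for one policy statement (empty list = none)."""
    m = STMT.match(statement.strip())
    if not m:
        return ["unparsed statement: review by hand"]
    if m["subject"].lower() != "any-user":
        return []  # group and dynamic-group subjects are outside this check
    conds = {k.lower(): v for k, v in COND.findall(m["conds"] or "")}
    findings = []
    if (m["match"] or "").lower() != "all":
        findings.append("any-user without a where ALL{...} block")
    if conds.get("request.principal.type") != principal_type:
        findings.append("any-user not pinned to request.principal.type")
    narrowed = any(k.startswith("target.") or k == "request.operation" for k in conds)
    if m["scope"].lower() == "tenancy" and not narrowed:
        findings.append("tenancy-wide grant with no target.* or request.operation limit")
    if m["verb"].lower() in ("use", "manage"):
        findings.append("verb broader than read")
    return findings

# The first two statements are the page's own; the third is a constructed weak variant.
SAMPLES = [
    "Allow any-user to read autonomous-database-family in compartment XYZ where "
    "ALL{request.principal.type='opsidatabaseinsight', "
    "request.operation='GenerateAutonomousDatabaseWallet'}",
    "Allow any-user to read secret-family in tenancy where "
    "ALL{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'}",
    "Allow any-user to read secret-family in tenancy where "
    "ALL{request.principal.type='opsidatabaseinsight'}",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(review(s) or ["ok"], "<-", s)
```

Dropping the target.vault.id condition from the secret policy, as in the third sample, lets the Ops Insights principal read secrets in every vault in the tenancy.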