1. Administering Oracle Data Safe
  2. Target Database Registration
  3. Manually Register a Target Database

Manually Register a Target Database

You can manually register all supported target databases with Oracle Data Safe from the Target Databases page in Oracle Cloud Infrastructure.

Overview

Advanced users may prefer to register target databases manually with Oracle Data Safe instead of using a wizard. Manual registration requires that you're familiar with target registration concepts and know how to fulfill all of the preregistration tasks without the assistance of the wizard.

You can also choose to register an Autonomous Database directly from the database's details page in Oracle Cloud Infrastructure. If your Autonomous Database has a public IP address, you simply click the Register link and you are done. If you are registering an Autonomous Database with a private IP address, you need have an Oracle Data Safe private endpoint created beforehand. When registering an Autonomous Database on Dedicated Exadata Infrastructure, you need to provide the ADMIN database user credentials.

Preregistration Tasks for Manual Target Database Registration

Before manually registering a database as an Oracle Data Safe target database, be sure to complete the following preregistration tasks.

Manually Register an Autonomous Database

Oracle recommends using the Oracle Data Safe registration wizard for Autonomous Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.

  1. Sign in to Oracle Cloud Infrastructure (OCI).
  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
  3. Under Data Safe on the left, click Target Databases.
  4. Click Register Database.
  5. For Database Type, select Autonomous Database.
  6. Configure the fields as described in the following table.
    Field Instruction
    Select Database Select the name of your database. If needed, click Change Compartment, select a different compartment, and then select the name of your database.
    Data Safe Target Display Name Enter a friendly name for your target database.This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database.
    Description (Optional) Enter a description that is meaningful to you.
    Compartment Select the compartment where you want to store the target database registration information. The compartment doesn't have to be the same compartment in which the actual database resides. You cannot change the compartment after the target database is registered.
  7. Optionally, click Show advanced options to tag the notification.
    1. Click Add tag to create an additional optional tag to organize and track resources in your tenancy.
    2. Select a Tag namespace from the drop-down list.
    3. Provide a Tag key and Tag value.
  8. Click Register.

Manually Register an Oracle Cloud Database

Oracle recommends using the Oracle Data Safe registration wizard for Oracle Cloud Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.

  1. Sign in to Oracle Cloud Infrastructure (OCI).
  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
  3. Under Data Safe on the left, click Target Databases.
  4. Click Register Database.
  5. For Database Type, select Oracle Cloud Database.
  6. Configure the fields as described in the following table.
    Field Instruction
    Cloud Database type Select Oracle Base Database Service, Oracle Exadata Database Service on Dedicated Infrastructure, or Oracle Exadata Database Service on Exascale Infrastructure.
    Select Database Select the name of your database. If needed, click Change Compartment, select a different compartment, and then select your database name.
    Data Safe Target Display Name Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database.
    Description (Optional) Enter a description that is meaningful to you.
    Compartment Select the compartment where you want to store the target database registration information. The compartment doesn't have to be the same compartment in which the actual database resides. You cannot change the compartment after the target database is registered.
    Select Private Endpoint Select an Oracle Data Safe private endpoint. If needed, click Change Compartment to browse to a different compartment and select a private endpoint. If you do not have a private endpoint created, exit manual registration and create one.
    TCP/TLS Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and optionally, enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled.
    Database Service Name Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: 
    select sys_context('userenv','service_name') from dual;
    Database Port Number Enter a custom port number; otherwise the default, pre-filled port number is used. For an Oracle Exadata Database Service on Dedicated Infrastructure database, enter the port number of the SCAN listener.
    Data Safe User and Database Password Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed if it exists on your target database (for example, DATASAFE$ADMIN). The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
    Download Privilege Script To grant roles to the Oracle Data Safe user account on your target database, click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions. Also see

    Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database.

  7. Optionally, click Show advanced options to tag the notification.
    1. Click Add tag to create an additional optional tag to organize and track resources in your tenancy.
    2. Select a Tag namespace from the drop-down list.
    3. Provide a Tag key and Tag value.
  8. Click Register.

Manually Register an Oracle On-Premises Database

Oracle recommends using the Oracle Data Safe registration wizard for Oracle On-Premises Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.

  1. Sign in to Oracle Cloud Infrastructure (OCI).
  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
  3. Under Data Safe on the left, click Target Databases.
  4. Click Register Database.
  5. For Database Type, select Oracle On-Premises Database.
  6. Configure the fields as described in the following table.
    Field Instruction
    Data Safe Target Display Name Enter a friendly name for your target database.This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database.
    Description (Optional) Enter a description that is meaningful to you.
    Compartment Select the compartment where you want to store the target database registration information. The compartment doesn't have to be the same compartment in which the actual database resides. You cannot change the compartment after the target database is registered.
    Choose a connectivity option Select On-Premises Connector or Private Endpoint.
    Select Private Endpoint (If you chose private endpoint) Select the name of an existing Oracle Data Safe private endpoint. If needed, click Change Compartment to browse to a different compartment and select a private endpoint.
    Select On-Premises Connector (If you chose on-premises connector) Select the name of an existing Oracle Data Safe on-premises connector. If needed, click Change Compartment to browse to a different compartment and select an on-premises connector.
    Connection Protocol Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and optionally, enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled.
    Database Service Name Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: 
    select sys_context('userenv','service_name') from dual;
    Database IP Address Enter the database IP addresses for each database node listener. Separate the IP addresses with a comma. For a RAC database, enter the IP addresses for the RAC database nodes.
    Database Port Number Enter a custom port number; otherwise the default, pre-filled port number is used. All node listeners have to run on the same port for on-premises databases.
    Data Safe User and Database Password Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed (DATASAFE$ADMIN). The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
    Download Privilege Script To grant roles to the Oracle Data Safe user account on your target database, click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions. Also see

    Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database.

  7. Optionally, click Show advanced options to tag the notification.
    1. Click Add tag to create an additional optional tag to organize and track resources in your tenancy.
    2. Select a Tag namespace from the drop-down list.
    3. Provide a Tag key and Tag value.
  8. Click Register.

Manually Register an Oracle Database on Compute

Oracle recommends using the Oracle Data Safe registration wizard for an Oracle Database on Compute; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.

  1. Sign in to Oracle Cloud Infrastructure (OCI).
  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
  3. Under Data Safe on the left, click Target Databases.
  4. Click Register Database.
  5. For Database Type, select Oracle Database on Compute.
  6. Configure the fields as described in the following table.
    Field Instruction
    Cloud environment Select Oracle Cloud Infrastructure if your database runs in Oracle Cloud Infrastructure, or select Other cloud environment if your target database runs in a non-Oracle cloud environment.
    Select Database (If your target database runs in Oracle Cloud Infrastructure) Select the name of your database. If needed, click Change Compartment, select a different compartment, and then select your database name.
    Data Safe Target Display Name Enter a friendly name for your target database. This name can be any name you want, and all characters are accepted. The maximum number of characters is 255. This name is displayed in all of the Oracle Data Safe reports that pertain to your target database.
    Description (Optional) Enter a description that is meaningful to you.
    Compartment Select the compartment where you want to store the target database registration information. The compartment doesn't have to be the same compartment in which the actual database resides. You cannot change the compartment after the target database is registered.
    Choose a connectivity option Select On-Premises Connector or Private Endpoint. If your target database runs in Oracle Cloud Infrastructure, Oracle recommends you use a private endpoint. If your target database runs in a non-Oracle cloud environment, Oracle recommends you use an on-premises connector.
    Select Private Endpoint (If you chose private endpoint) Select the name of an existing Oracle Data Safe private endpoint. If needed, click Change Compartment to browse to a different compartment and select a private endpoint.
    Select On-Premises Connector (If you chose on-premises connector) Select the name of an existing Oracle Data Safe on-premises connector. If needed, click Change Compartment to browse to a different compartment and select an on-premises connector.
    Connection Protocol Select TCP or TLS as the connection protocol. If you select TLS, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and optionally, enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. If you select Mutual TLS, then do the following: Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database. When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled.
    Database Service Name Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com. You can find the database service name in the tnsnames.ora file for your target database, or by running the following statement when connected to the PDB via SQL Plus: 
    select sys_context('userenv','service_name') from dual;
    Database IP Address (Non-Oracle cloud environments) Enter the database IP address for your target database.
    Database Port Number Enter a port number.
    Data Safe User and Database Password Enter the credentials for the Oracle Data Safe user account on your target database. A default Oracle Data Safe user name is displayed (DATASAFE$ADMIN). The user name is case-insensitive, unless you enclose it in quotation marks. You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
    Download Privilege Script To grant roles to the Oracle Data Safe user account on your target database, click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions. Also see

    Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database.

  7. Optionally, click Show advanced options to tag the notification.
    1. Click Add tag to create an additional optional tag to organize and track resources in your tenancy.
    2. Select a Tag namespace from the drop-down list.
    3. Provide a Tag key and Tag value.
  8. Click Register.

Manually Register a Cloud@Customer Database

Oracle recommends using the Oracle Data Safe registration wizard for Oracle Cloud@Customer Databases; however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.

  1. Sign in to Oracle Cloud Infrastructure (OCI).
  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
  3. Under Data Safe on the left, click Target Databases.
  4. Click Register Database.
  5. For Database Type, select Oracle Cloud@Customer Database.
  6. For Choose a target type, select Exadata Cloud@Customer or Autonomous Database on Exadata Cloud@Customer, configure the fields for your target type, and then click Register.
  7. Optionally, click Show advanced options to tag the notification.
    1. Click Add tag to create an additional optional tag to organize and track resources in your tenancy.
    2. Select a Tag namespace from the drop-down list.
    3. Provide a Tag key and Tag value.
  8. Click Register.

Manually Register an Amazon RDS for Oracle database

Oracle recommends using the Oracle Data Safe registration wizard however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.

Preregistration Tasks for Registering Amazon RDS for Oracle with Private IP

The below topics should be completed before registering an Amazon RDS for Oracle database. Select the tab for registering with an Oracle Data Safe private endpoint if you have an established FastConnect or VPNConnect connection between your OCI tenancy and your Amazon cloud environment. If you are establishing a TCP connection, you do not need to perform the steps to create a wallet for TLS connection.

Task Number Task Link to Instructions
1 In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register a database with Oracle Data Safe Permissions to Register a Target Database with Oracle Data Safe
2 In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use an On-Premises Connector Permissions for an Oracle Data Safe On-Premises Connector
3 Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user.

Make sure to run the privilege script with the-RDSORACLE parameter as it is required if you are registering an Amazon RDS for Oracle database.

Create an Oracle Data Safe Service Account on Your Target Database

Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database
4 Create an On-premises Connector Create an Oracle Data Safe On-Premises Connector
5 Add the security certificate for the Amazon RDS specific region Add the Security Certificate for the Amazon RDS Specific Region
6 TLS connection only: Configure a connection between the on-premises connector and your target database Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database
Task Number Task Link to Instructions
1 In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register a database with Oracle Data Safe Permissions to Register a Target Database with Oracle Data Safe
2 In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use an Oracle Data Safe Private Endpoint Permissions for an Oracle Data Safe Private Endpoint
3 In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use the underlying virtual networking resources of the private endpoint. Virtual Cloud Networking Resources
4 Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user.

Make sure to run the privilege script with the-RDSORACLE parameter as it is required if you are registering an Amazon RDS for Oracle database.

Create an Oracle Data Safe Service Account on Your Target Database

Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database
5 Create an Oracle Data Safe private endpoint. Create an Oracle Data Safe Private Endpoint
6 Add the security certificate for the Amazon RDS specific region Add the Security Certificate for the Amazon RDS Specific Region
7 TLS connection only: Create a wallet or certificate Create a Wallet or Certificates for a TLS Connection

Manually Register Amazon RDS for Oracle

Oracle recommends using the Oracle Data Safe registration wizard however, advanced users can also use the manual registration option as described below. Be sure to complete the pre-registration tasks beforehand and the post-registration tasks afterward.

  1. Sign in to Oracle Cloud Infrastructure (OCI).
  2. From the navigation menu in Oracle Cloud Infrastructure, select Oracle Database, and then Data Safe - Database Security.
  3. Under Data Safe on the left, click Target Databases.
  4. Click Register Database.
  5. For Database Type, select Amazon RDS for Oracle.
  6. At DATA SAFE TARGET DISPLAY NAME, enter a target display name that is meaningful to you. Data Safe uses this name in its reports. All characters are accepted. The maximum number of characters is 255.
  7. (Optional) In the DESCRIPTION field, add a description that is meaningful to you.
  8. At COMPARTMENT, use the drop-down menu to select the compartment where you want to store the target database.
  9. Select either Private endpoint or On-premises connector as the connectivity option.
  10. Select an existing private endpoint or on-premises connector from the appropriate compartment.

  11. Select either TCP or TLS connection.

    If you select TLS connection, you are presented with two options: One way TLS and Mutual TLS. If you select One way TLS, then do the following:

    • Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and optionally, enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
    If you select Mutual TLS, then do the following:
    • Upload the TrustStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet and enter the wallet password. This file is required whether client authentication is enabled or disabled on your target database.
    • When client authentication is enabled on your target database, upload the KeyStore of your database in the format of PEM file, PKCS#12 wallet, or JKS wallet. This file is not required when client authentication is disabled.
    If you select TCP at TCP/TLS, you are not prompted for any additional details.

    Note:

    In your AWS environment you will need to:
    • Configure SSL option group to enable SSL connection. After enabling the SSL connection, the certificate authority would show up. See Oracle Secure Sockets Layer and Creating an option group from Amazon to learn how to enable the SSL option.
    • Modify the inbound rules on port 2484 (opened by default) on Amazon RDS to allow for TLS connection
    .
  12. At Database service name, enter the service name of the CDB or PDB.

    You can use the database name on the Configuration tab of the RDS Amazon console for service name.

  13. Enter the Database IP address/endpoint.

    Tip:

    For registration via private endpoint, an IP address should be provided.
  14. Enter the Database port number.

    The port number can be found under the Connectivity and Security tab of the Amazon RDS console.

  15. Perform this step if you did not already grant roles to the database user in the preregistration tasks.

    Click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions on how to use it to grant privileges to the Oracle Data Safe service account on your target database. You should also refer to the preregistration task Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database for some additional details.

  16. At Database user name and Database password, enter the name and password of the user you created in the preregistration tasks. If the user name is mixed case, enclose it in double-quotes (" "). Oracle Data Safe uses this account to connect to the target database.
  17. Optionally, click Show Advanced Options to tag the notification.
    1. Click + Another Tag to create an additional optional tag to organize and track resources in your tenancy.
    2. Select a Tag Namespace from the drop-down list.
    3. Provide a Tag Key and Tag Value.
  18. Click Register.

Post Registration Tasks for Manual Target Database Registration

After you complete the manual target database registration, perform the following post registration tasks as needed:

  • (Optional) Grant users access to Oracle Data Safe features with the target database by configuring IAM policies. See Create IAM Policies for Oracle Data Safe Users.
  • (Optional) Change which features are allowed for the Oracle Data Safe service account on your target database by granting/revoking roles from the account. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.
  • For an Autonomous Database on Dedicated Exadata Infrastructure only: If Database Vault is enabled on your target database, connect to your target database as a user with the DV_ACCTMGR role and revoke the DV_ACCTMGR role from the ADMIN user.
  • For Oracle Database on a compute instance, make sure the firewall of the compute instance is configured to allow ingress traffic from the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector.
  • For an Oracle On-Premises database or an Oracle Cloud@Customer database, make sure to allow ingress traffic to your target database from the Oracle Data Safe private endpoint or Oracle Data Safe on-premises connector.