Register Amazon RDS for Oracle with an On-Premises Connector
Oracle recommends you use an on-premises connector to connect to target databases that run outside of Oracle Cloud Infrastructure.
Preregistration Tasks for Registering Amazon RDS for Oracle with an On-Premises Connector
Complete the following tasks before you register a target database with Oracle Data Safe through an on-premises connector. One on-premises connector can be used to register multiple target databases. If you are establishing a TCP connection, you do not need to perform the steps to create a wallet for a TLS connection.
Task Number | Task | Link to Instructions |
---|---|---|
1 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to register a database with Oracle Data Safe | Permissions to Register a Target Database with Oracle Data Safe |
2 | In Oracle Cloud Infrastructure Identity and Access Management (IAM), obtain permissions to use an On-Premises Connector | Permissions for an Oracle Data Safe On-Premises Connector |
3 | Create an Oracle Data Safe service account on your target database and grant it Oracle Data Safe roles. Create the service account as the SYS user. Make sure to run the privilege script with the | Create an Oracle Data Safe Service Account on Your Target Database; Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database |
4 | Create an On-premises Connector | Create an Oracle Data Safe On-Premises Connector |
5 | Add the security certificate for the Amazon RDS specific region | Add the Security Certificate for the Amazon RDS Specific Region |
6 | TLS connection only: Configure a connection between the on-premises connector and your target database | Configure a TLS Connection Between the On-Premises Connector on Your Host Machine and Your Oracle Database |
Run the Amazon RDS for Oracle Wizard
This is the Amazon RDS for Oracle registration workflow in the wizard:
Step 1: Target Information
- On the Overview page in the Oracle Data Safe service, find the Register Amazon RDS for Oracle tile and click Start Wizard.
The wizard displays the Data Safe Target Information form.
- At DATA SAFE TARGET DISPLAY NAME, enter a target display name that is meaningful to you. Data Safe uses this name in its reports. All characters are accepted. The maximum number of characters is 255.
- At COMPARTMENT, use the drop-down menu to select the compartment where you want to store the target database.
- (Optional) In the DESCRIPTION field, add a description that is meaningful to you.
- At Database service name, enter the service name of the CDB or PDB.
You can use the database name shown on the Configuration tab of the Amazon RDS console as the service name.
- Enter the Database IP address/endpoint.
The database endpoint can be found under the Connectivity and Security tab of the Amazon RDS console.
- Enter the Database port number.
The port number can be found under the Connectivity and Security tab of the Amazon RDS console.
- Perform this step if you did not already grant roles to the database user in the preregistration tasks.
Click Download Privilege Script and save the datasafe_privileges.sql script to your computer. The script includes instructions on how to use it to grant privileges to the Oracle Data Safe service account on your target database. You should also refer to the preregistration task Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database for some additional details.
- At Database user name and Database password, enter the name and password of the user you created in the preregistration tasks. If the user name is mixed case, enclose it in double quotes (" "). Oracle Data Safe uses this account to connect to the target database.
- Optionally, click Show Advanced Options to tag the notification.
  - Click + Another Tag to create an additional optional tag to organize and track resources in your tenancy.
  - Select a Tag Namespace from the drop-down list.
  - Provide a Tag Key and Tag Value.
- Click Next.
Step 2: Connectivity Option
- Select On-premises connector as your connectivity option.
- Select either TCP or TLS connection.
If you select TLS connection:
Note: In your AWS environment you will need to:
  - Configure an SSL option group to enable SSL connection. After you enable the SSL connection, the certificate authority is shown. See Oracle Secure Sockets Layer and Creating an option group from Amazon to learn how to enable the SSL option.
  - Modify the inbound rules on port 2484 (opened by default) on Amazon RDS to allow for TLS connection.
- From the Select On-Premises Connector, use the drop-down menu to select the on-premises connector that you want to use.
- Click Next.
Step 3: Select Peer Database
If you're registering an Active Data Guard associated database then you can add the standby databases at this step. If you're not registering an Active Data Guard associated database, then skip this step by clicking Next.
- Click Add row on the Add additional Data Guard peer database(s) (Optional) page.
It is also possible to register standby databases after the primary database has been registered. See Manage Peer Databases Associated with a Registered Active Data Guard Primary Database for more information.
- Enter the following information for the peer databases:
  - Peer display name
  - Database service name
  - Database IP address
  - Database port number
  - TCP/TLS
- Add more peer databases by clicking Add row.
- Click Next.
Note:
Because you are using an On-Premises Connector, the wizard takes you directly to Step 5: Review and submit. If you use a Private Endpoint, the wizard takes you to Step 4: Add security rules.
Review and Submit
In this step, the wizard displays the configuration you entered in the previous steps. To change any of these settings, click the Edit button on the right side of the corresponding title.
- Review the information on this page.
- Click the checkbox, I acknowledge that charges in Data Safe will apply for the Amazon RDS for Oracle database.
- Click Register.
Registration Process
Important:
Do not click the Close button in the wizard, sign out of OCI, or close the browser tab until the wizard shows that all of the tasks listed are resolved. If you close prematurely, then the information for all of the tasks that have not yet been completed is lost and the target database is not registered.
After You Submit the Registration
The wizard presents the Target Database Details page when the registration submission is finished. On this page, you can again review the registration details. The wizard displays the NEEDS_ATTENTION icon if a task must be performed or corrected before the process is complete. A hint message indicates the pending task. You can make the necessary changes in the tabs that are available. When you save your changes, the UPDATING icon is displayed. If there is no further work to do, the registration completes.
Post Registration Tasks
Oracle Recommendation:
Ensure that only the on-premises client can connect to your Amazon RDS for Oracle database by specifying, in the sqlnet.ora parameter called INVITED_NODES, the clients that are allowed to access your database.
See TCP.INVITED_NODES (Oracle Database Net Services Reference guide) for more information.
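The following Python check is an added example, not part of the Oracle documentation. It audits sqlnet.ora text against the recommendation above and reports any invited entry that is not the expected connector host. It relies on the fact that the invited list only applies when the companion parameter TCP.VALIDNODE_CHECKING is YES; the sample file, host name and addresses are constructed.

```python
import ipaddress

# Constructed sample sqlnet.ora (host name and address are placeholders).
SAMPLE = """\
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.20.30.40,
                     connector01.example.internal)
"""

def parse_sqlnet(text):
    """Return {PARAM: value}; indented lines continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip().upper()
            params[current] = value.strip()
    return params

def is_range(node):
    """True for wildcard entries and CIDR prefixes wider than one host."""
    if "/" not in node:
        return "*" in node
    try:
        return ipaddress.ip_network(node, strict=False).num_addresses > 1
    except ValueError:
        return True  # unparseable prefix: report it rather than trust it

def audit(text, allowed):
    """Return findings; an empty list means only `allowed` clients are invited."""
    params = parse_sqlnet(text)
    findings = []
    if params.get("TCP.VALIDNODE_CHECKING", "").upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES: invited list not enforced")
    value = params.get("TCP.INVITED_NODES", "").strip("() ")
    nodes = [n.strip() for n in value.split(",") if n.strip()]
    if not nodes:
        findings.append("TCP.INVITED_NODES is missing or empty")
    for node in nodes:
        if is_range(node):
            findings.append(f"range entry admits more than one client: {node}")
        elif node.lower() not in allowed:
            findings.append(f"unexpected client: {node}")
    return findings
```

Call `audit(text, allowed)` with the set of connector addresses or host names, in lower case, that you expect to be the only invited clients.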