Register DB Systems that have Private IP Addresses

Oracle Data Safe can connect to a DB system that has a private IP address on a virtual cloud network (VCN) in Oracle Cloud Infrastructure (OCI).

Workflow

To register a DB system that has a private IP address, you need to create an Oracle Data Safe private endpoint in Oracle Cloud Infrastructure prior to registration. After you create the private endpoint and before you register your DB system, it's important to update the security list and network security group.

The following table lists the steps for registering a DB system (Virtual Machine, Bare Metal, or Exadata) that has a private IP address.

  1. Obtain the required permissions in Oracle Cloud Infrastructure and Oracle Data Safe to register your DB system. See Obtain the Required Permissions for Registering DB Systems.
  2. Obtain the required permissions for managing virtual networking resources in Oracle Cloud Infrastructure. See Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure.
  3. Obtain the required permissions for creating an Oracle Data Safe private endpoint in Oracle Cloud Infrastructure. See Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints.
  4. Create an Oracle Data Safe private endpoint. See Create an Oracle Data Safe Private Endpoint.
  5. Update the related security list and, if you use one, the network security group. See Update the Security List and Network Security Group for a DB System with a Private IP Address.
  6. Create a service account on your database specifically for Oracle Data Safe. See Create a Service Account for Oracle Data Safe on Your DB System.
  7. Run the SQL privileges script on your database to grant the initial roles to the Oracle Data Safe service account. The roles determine which Oracle Data Safe features are available for the DB system. See Grant Roles to the Oracle Data Safe Service Account on Your DB System.
  8. (Optional) Create a wallet or certificate for a TLS connection. If you plan to configure a TLS connection from Oracle Data Safe to your target database, create or obtain the necessary wallet or certificate files. See Create a Wallet or Certificate for a TLS Connection to a DB System.
  9. Register your DB system with Oracle Data Safe. See Register a DB System that has a Private IP Address.

Obtain the Required Permissions for Registering DB Systems

Obtain the following permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), on the database, and in Oracle Data Safe:

  • Permission in IAM to access the database: The user group to which you belong requires at least the inspect permission on three resource types: db-systems, db-nodes, and vnics. For example, to grant the Data-Safe-Admins group the inspect permission on all db-systems, db-nodes, and vnics in a tenancy, a tenancy administrator could write the following policy:
    allow group Data-Safe-Admins to inspect db-systems in tenancy
    allow group Data-Safe-Admins to inspect db-nodes in tenancy
    allow group Data-Safe-Admins to inspect vnics in tenancy
  • Permission to log in to the database as an administrator: You need to be able to log in as the SYS account to create the Oracle Data Safe service account and run the SQL privileges script.
  • Permission to manage at least one feature in Oracle Data Safe: The user group to which you belong needs to be able to register, update, and delete target databases in Oracle Data Safe for at least one feature.

Obtain the Required Permissions for Managing Virtual Networking Resources in Oracle Cloud Infrastructure

Prior to creating an Oracle Data Safe private endpoint, you need to obtain permissions for managing virtual networking resources in Oracle Cloud Infrastructure. You require certain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. The following table lists the required permissions for virtual networking resources for each type of private endpoint operation.

Create a private endpoint
  • Private endpoint compartment: Create/Delete VNIC; Update members in a network security group; Associate a network security group
  • Subnet compartment: Attach/detach subnet

Update a private endpoint
  • Private endpoint compartment: Update VNIC; Update members in a network security group; Associate a network security group

Delete a private endpoint
  • Private endpoint compartment: Delete VNIC; Update members in a network security group
  • Subnet compartment: Detach subnet
The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-6 Broad permission

In this example, the dbadmin group has broad permission to use all virtual networking resources in the compartment ADWcmp1.

allow group dbadmin to manage virtual-network-family in compartment ADWcmp1

Example 3-7 Specific permissions

In this example, the dbadmin group has specific permissions on network resources. The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint.

allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1 

Obtain the Required Permissions for Creating Oracle Data Safe Private Endpoints

To create, update, or delete Oracle Data Safe private endpoints, you require permissions on Oracle Data Safe resources in Oracle Cloud Infrastructure Identity and Access Management (IAM) for the relevant compartments in your tenancy. There are two types of Oracle Data Safe resources on which you can grant permissions:

  • data-safe-family
  • data-safe-private-endpoints

The following table describes the different permissions for an Oracle Data Safe private endpoint.

  • inspect: List an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • read or use: Inspect and view the properties of an Oracle Data Safe resource in Oracle Cloud Infrastructure
  • manage: Inspect, read, create, update, delete, and move an Oracle Data Safe resource in Oracle Cloud Infrastructure

The following examples show how an IAM administrator could write the policies in IAM, from most generic to most specific. These policies assume that all resources are in a single compartment called ADWcmp1.

Example 3-8 Broad permission

In this example, the dsadmins group (for example, a group of Oracle Data Safe administrators) has broad permission to manage all Oracle Data Safe resources in the compartment ADWcmp1.

allow group dsadmins to manage data-safe-family in compartment ADWcmp1

Example 3-9 Specific permission

In this example, the ProjectA group has specific permission to manage the resource called data-safe-private-endpoints.

allow group ProjectA to manage data-safe-private-endpoints in compartment ADWcmp1

Create an Oracle Data Safe Private Endpoint

If your database has a private IP address, you need to create an Oracle Data Safe private endpoint for it prior to registering it with Oracle Data Safe. You can create private endpoints on the Data Safe page in Oracle Cloud Infrastructure. Be sure to create the private endpoint in the same tenancy and VCN as your database. The private IP address does not need to be on the same subnet as your database, but it does need to be on a subnet that can communicate with the database. You can create a maximum of one private endpoint per VCN.

When you create a private endpoint, you have the option to associate a network security group (NSG) with it. You may need to do this to ensure the private endpoint can access your target database. A network security group specifies egress and ingress security rules at the IP address level. You can create network security groups by using Oracle Cloud Infrastructure's networking service. See Access and Security in the Oracle Cloud Infrastructure documentation.

  1. To find the network information for a DB system that has a private IP address, do the following:
    1. From the navigation menu in Oracle Cloud Infrastructure, select Bare Metal, VM, and Exadata.
    2. Click the name of your DB system.
    3. On the DB System Information tab, under Network, make note of the VCN and subnet names.
  2. To find the network information for an Autonomous Database that has a private IP address, do the following:
    1. From the navigation menu in Oracle Cloud Infrastructure, select Autonomous Data Warehouse or Autonomous Transaction Processing.
    2. On the left, under Dedicated Infrastructure, click Autonomous Exadata Infrastructure.
    3. On the right, in the Autonomous Exadata Infrastructure table, click the name of the infrastructure in which your database exists.
      The details for your infrastructure are displayed.
    4. Under Network, make note of the VCN and subnet names.
  3. From the navigation menu in Oracle Cloud Infrastructure, select Data Safe.
    The Data Safe page is displayed.
  4. On the left, click Private Endpoints.
    The Private Endpoints page is displayed.
  5. Click Create Private Endpoint.
    The Create Private Endpoint page is displayed.
  6. In the NAME field, enter a name for your private endpoint.
  7. Select a compartment in which to store your private endpoint.
  8. Scroll down to the Private Endpoint Information section.
  9. From the VIRTUAL CLOUD NETWORK drop-down list, select your database's VCN. If needed, click CHANGE COMPARTMENT and select the compartment that stores your VCN.
    You can select a different VCN than your database's VCN if VCN peering is set up between your database's VCN and the VCN that you select here.
  10. From the SUBNET drop-down list, select a subnet within the selected VCN. If needed, click CHANGE COMPARTMENT and select the compartment that stores the subnet that you want to use.
    The subnet can be in a different compartment than the VCN. The subnet that you select needs to have access to the database's subnet.
  11. (Optional) In the PRIVATE IP field, specify a private IP address.
    If you do not specify a private IP address, Oracle Cloud Infrastructure automatically generates one for you in the selected subnet.
  12. (Optional) Select a network security group.
  13. Click Create Private Endpoint.
    A private endpoint is provisioned in the VCN that you selected and is listed on the Private Endpoints page.
  14. To view details for your private endpoint, click its name. Make note of the private IP address that was assigned to the private endpoint (or that you assigned to it). You need it when you configure the security rules in the next steps.

Update the Security List and Network Security Group for a DB System with a Private IP Address

Update the security list for your virtual cloud network (VCN) and, if implemented, the network security group for your database subnet to allow traffic from the Oracle Data Safe private endpoint IP address to the database IP address(es). This step allows Oracle Data Safe to access your database. A security list acts as a virtual firewall for your database and consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. Both stateful and stateless security rules in the security list are allowed. For more information about security lists and network security groups, see Access and Security in the Oracle Cloud Infrastructure documentation.

For your database to communicate with Oracle Data Safe, you need to create two security rules:

  • Ingress rule for the database: Allow the database to receive incoming traffic on its port from the private IP address of the Oracle Data Safe private endpoint (from any port).
  • Egress rule for the Oracle Data Safe private endpoint: Allow the Oracle Data Safe private endpoint (from any port) to send requests to the database IP address(es) on the database's port.

There are two approaches that you can take when creating the ingress and egress rules. The first approach is to scope the rules to the CIDR block of the database subnet (for example, 10.0.0.0/24), which allows Oracle Data Safe to connect to all of your databases in that subnet. Do not use 0.0.0.0/0 for this purpose: that prefix matches every IPv4 address, not just the subnet. The second, more restrictive approach is to configure separate ingress and egress rules for each database IP address.

Example 3-10 Configuring security rules for a DB system with a private IP address and an Oracle Data Safe private endpoint

Suppose you are configuring stateful security rules for a Virtual Machine DB system and an Oracle Data Safe private endpoint. The security rules are configured the following way in the database VCN:

  • Ingress for the database: The database (on port 1521) can receive incoming traffic from the private endpoint's private IP address (10.0.0.6) from any port.
  • Egress for the private endpoint: The private endpoint (from any port) can send requests to the database's private IP address (10.0.0.2) on port 1521.

[Diagram and screenshot: the private endpoint, the database, and the ingress and egress rules described above.]
Note

For Exadata DB systems (also referred to as ExaCS databases), you need to allow communication between the Oracle Data Safe private endpoint (all ports) and all floating IP addresses for the database nodes as well as scan IP addresses for the database system (port 1521).
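As an added example (not part of Oracle's documentation or tooling), the following Python script builds the rule pair described in this section in the JSON shape accepted by `oci network nsg rules add --security-rules file://rules.json`. It keeps every peer address to a single host (/32), restricts the destination to the listener port only, handles the Exadata case where several node floating IPs and SCAN IPs must be allowed, and audits a rule list for the 0.0.0.0/0 and all-ports mistakes. The field names (direction, protocol, source/destination, sourceType/destinationType, isStateless, tcpOptions) follow the OCI AddSecurityRuleDetails API as assumed here, and all addresses are constructed sample values; check both against the OCI CLI reference for your version before applying the output.

```python
"""Added example: least-privilege OCI security rules for an Oracle Data Safe private endpoint.

Not Oracle code. Output uses the field names of the OCI AddSecurityRuleDetails API
(direction, protocol, source/destination, sourceType/destinationType, isStateless,
tcpOptions) as assumed here; verify against the OCI CLI reference for your version.
All sample addresses are constructed.
"""
import ipaddress
import json

ORACLE_LISTENER_PORT = 1521
TCP = "6"  # OCI rules carry the IANA protocol number as a string


def host_cidr(ip):
    """Single-host prefix (/32 or /128) so a rule matches exactly one address."""
    return str(ipaddress.ip_network(ip, strict=True))


def _listener_port_only(port):
    # Restrict the destination port only; the source port is deliberately left open,
    # matching the "from any port" wording of the ingress and egress rules.
    return {"destinationPortRange": {"min": port, "max": port}}


def data_safe_rules(pe_ip, db_ips, port=ORACLE_LISTENER_PORT, stateless=False):
    """Return the two rule sets the section describes.

    database_nsg: one INGRESS rule, applied to the database VNICs, allowing the
        private endpoint address to reach the listener port.
    private_endpoint_nsg: one EGRESS rule per database address, applied to the
        private endpoint VNIC. For an Exadata DB system pass every node floating
        IP and every SCAN IP in db_ips.
    """
    database_nsg = [{
        "direction": "INGRESS",
        "protocol": TCP,
        "isStateless": stateless,
        "source": host_cidr(pe_ip),
        "sourceType": "CIDR_BLOCK",
        "tcpOptions": _listener_port_only(port),
        "description": f"Oracle Data Safe private endpoint {pe_ip} to listener port {port}",
    }]
    private_endpoint_nsg = [{
        "direction": "EGRESS",
        "protocol": TCP,
        "isStateless": stateless,
        "destination": host_cidr(db_ip),
        "destinationType": "CIDR_BLOCK",
        "tcpOptions": _listener_port_only(port),
        "description": f"Oracle Data Safe to database {db_ip} port {port}",
    } for db_ip in db_ips]
    return {"database_nsg": database_nsg, "private_endpoint_nsg": private_endpoint_nsg}


def audit_rules(rules):
    """Flag rules that are broader than Data Safe connectivity requires.

    Returns a list of human-readable findings; an empty list means every rule is
    scoped to specific hosts (or at most a subnet) and to a single TCP port.
    """
    findings = []
    for rule in rules:
        inbound = rule.get("direction") == "INGRESS"
        peer = rule.get("source") if inbound else rule.get("destination")
        peer_type = rule.get("sourceType" if inbound else "destinationType")
        if peer is None or peer_type != "CIDR_BLOCK":
            findings.append(f"{rule.get('direction')}: peer is not a CIDR block ({peer!r})")
            continue
        if ipaddress.ip_network(peer, strict=False).prefixlen == 0:
            findings.append(f"{rule['direction']} {peer}: matches every address, not just the subnet")
        ports = rule.get("tcpOptions", {}).get("destinationPortRange")
        if rule.get("protocol") != TCP or ports is None:
            findings.append(f"{rule['direction']} {peer}: not limited to a TCP destination port")
        elif ports["min"] != ports["max"]:
            findings.append(f"{rule['direction']} {peer}: port range wider than the listener port")
    return findings


def to_cli_json(rules):
    """Serialize a rule list for `oci network nsg rules add --security-rules file://...`."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    # Constructed values matching the section's example: private endpoint 10.0.0.6,
    # a single Virtual Machine DB system at 10.0.0.2 on port 1521.
    sets = data_safe_rules("10.0.0.6", ["10.0.0.2"])
    for name, rules in sets.items():
        print(f"# {name}: findings={audit_rules(rules)}")
        print(to_cli_json(rules))
```

Apply the database_nsg list to the NSG (or security list) that covers the database VNICs and the private_endpoint_nsg list to the NSG attached to the private endpoint; if both sit behind one security list in the database subnet, add both lists to it. Running audit_rules over an existing rule export is a quick way to catch a 0.0.0.0/0 source that was meant to be the subnet.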

Create a Service Account for Oracle Data Safe on Your DB System

Create a service account on the database specifically for Oracle Data Safe, and grant it only the minimum privileges it needs.

  1. Log in to your target database with an account that is allowed to create users.
  2. Create a user account with minimal privileges, for example:
    CREATE USER DATASAFE_ADMIN IDENTIFIED BY password
      DEFAULT TABLESPACE "DATA"
      TEMPORARY TABLESPACE "TEMP";
    GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;
    • Replace DATASAFE_ADMIN and password with your own values. An unquoted user name is stored in uppercase, and you must enter it exactly as stored when you run the SQL privileges script and when you register the target.
    • Do not use SYSTEM or SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.

Grant Roles to the Oracle Data Safe Service Account on Your DB System

The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with your DB system. The following table describes each role.

  • ASSESSMENT: Privileges required for the User Assessment and Security Assessment features
  • AUDIT_COLLECTION: Privileges required for accessing audit trails for the target database
  • DATA_DISCOVERY: Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
  • MASKING: Privileges required for the Data Masking feature (masking sensitive data in the target database)
  • AUDIT_SETTING: Privileges required for updating target database audit policies

To grant or revoke roles from the Oracle Data Safe service account on a DB system, you need to run the SQL privileges script. You can download this script from the Oracle Data Safe Console. To run the script, you need to be connected to your DB system as the SYS user.

You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the target database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the target database to grant the database access to Data Discovery. You cannot run the SQL privileges script on the root container of a target database (CDB$ROOT).

  1. Download the SQL privileges script from the Oracle Data Safe Console:
    1. Sign in to the Oracle Data Safe Console, and click the Targets tab.
    2. Click Add.
      The Add Target dialog box is displayed.
    3. Click Download Privilege Script and save the dscs_privileges.sql script to your computer.
    4. Click Cancel.
  2. With SQL Developer or SQL*Plus, connect to your database as the SYS user, and then run the SQL privileges script with the following statement:
    @dscs_privileges.sql <DATASAFE_ADMIN> <GRANT/REVOKE> <AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL> [-VERBOSE]
    • <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your DB system. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
    • Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
    • Specify one or more Oracle Data Safe features, separated by a forward slash: AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL. ALL grants or revokes all the features.
    • -VERBOSE shows only the actual GRANT/REVOKE commands. This parameter is optional.

Create a Wallet or Certificate for a TLS Connection to a DB System

If you plan to configure a TLS connection to your DB system, you need to create a wallet or certificate that you can upload during target database registration. The wallet or certificate you create depends on whether client authentication is enabled or disabled on your target database. To check whether client authentication is enabled, view the SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file. If it's equal to TRUE, then client authentication is enabled; otherwise it's not enabled.

When Client Authentication is Enabled on Your Target Database

When client authentication is enabled on your target database, create a JKS wallet. The wallet must have the following items:

  • Signing certificate chain (or root certificate if there is no intermediate signing certificate) that was used to issue the Oracle Data Safe private key and public certificate.
  • Private key for Oracle Data Safe, which is acting as a client to the target database.
  • Public certificate for Oracle Data Safe, which is acting as a client to the target database.

For an example of how to create a JKS wallet with self-signed certificates, see Create Wallets and Certificates.

When Client Authentication is Disabled on Your Target Database

When client authentication is disabled on your target database, create one of the following certificates or wallets:

  • Self-signed certificate for the target database.
  • Signing root certificate that can issue the public certificate for the target database (if an intermediate signing certificate is not involved in the public certificate signing)
  • JKS Wallet (if an intermediate certificate is involved in the public certificate signing). Add to the wallet the signing certificate chain that issues the public certificate for the target database.

Supported certificate types are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). Supported file extensions are PEM, CER, CERT, CRT, and DER. If a commonly used certificate authority (CA) signs the certificate that is used by the target database, then creating a certificate or wallet is optional.

For an example on how to create a PEM certificate using self-signed certificates, see Create Wallets and Certificates.

Keep in Mind

  • The maximum size for a wallet or certificate that you can upload during target registration is 50 KB.
  • If a user password or wallet password changes, you can simply update the password in the Oracle Data Safe Console. You do not need to delete the wallet.
  • If you delete a target database that uses a wallet to connect, the wallet is also deleted.
  • Passwordless SSL authentication based on PKI is enabled when SQLNET.AUTHENTICATION_SERVICES = TCPS in the sqlnet.ora file of a target database. Passwordless SSL authentication based on PKI is not supported in Oracle Data Safe.

Register a DB System that has a Private IP Address

You can manually register a DB system that has a private IP address from the Oracle Data Safe Console. During registration, you are required to select a private endpoint and enter the database's private IP address and Oracle Cloud Identifier (OCID). If you plan to configure a TLS connection, you need to have a wallet or certificate on hand to upload.

  1. From the database's Console in Oracle Cloud Infrastructure, obtain the private IP address for the database.
    For an Exadata DB system, Oracle recommends that you use one of the scan IP addresses. You can find a scan IP address under Network on the DB System Information tab.
  2. Sign in to the Oracle Data Safe Console.
  3. Click the Targets tab.
  4. Click Register.
    The Register Target dialog box is displayed.
  5. Specify a name for your target database.
  6. For Target Type, select Oracle Database.
  7. (Optional) Enter a description for your target database.
  8. Select the resource group to which you want your target database to belong. Alternatively, you can specify a new resource group.
  9. For Database with Private IP, select Yes.
  10. For Private Endpoint, select the name of the private endpoint that you created for your target database.
  11. In the OCID field, enter the Oracle Cloud Identifier of your database system.
    You cannot use the OCID of the database or PDB.
  12. For the connection type, select TCP or TLS.
    The default selection is TCP.
  13. In the Hostname/IP Address field, enter the private IP address for your database.
    For an Exadata DB system, Oracle recommends that you enter one of the private scan IP addresses. Alternatively, you can enter the private floating IP address of any one of the database nodes.
  14. Enter the port number for the database.
  15. Enter the long version of the database service name for the target database; for example, abc_prod.subnetad3.tttvcn.companyvcn.com.
    For Virtual Machine, Bare Metal, and Exadata DB systems, you can find the service name by running the following statement when connected to the PDB with SQL*Plus:
    select sys_context('userenv','service_name') from dual;
    Note

    For Virtual Machine and Bare Metal DB systems, you can also find the name in the database's Console in Oracle Cloud Infrastructure.

  16. If you are configuring a TLS connection, enter the Target Distinguished Name.
    This name is the distinguished name used while creating the certificate on target database.
    An example name is CN=abcd.uscom-east-1.example.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US.
  17. If you are configuring a TLS connection and client authentication is enabled on your target database, then follow the steps below to upload a JKS wallet.
    1. Click the first Choose File button, and select a truststore.jks file.
    2. Click the second Choose File button, and select a keystore.jks file.
    3. Enter the wallet password.
  18. If you are configuring a TLS connection and client authentication is disabled on your target database, then upload a JKS wallet, a Privacy Enhanced Mail (PEM) certificate, a Distinguished Encoding Rules (DER) certificate, or nothing, as follows:
    • JKS Wallet: Click Choose File and select a truststore.jks file, then enter the wallet password.
    • DER Certificate: Click Choose File and select a CRT or DER file. Supported file extensions are CER, CERT, CRT, and DER.
    • PEM Certificate: Click Choose File and select a PEM or DER file. Supported file extensions are PEM and DER.
    • NONE: You do not need to upload any files.

  19. Enter the database user name and password that you created on the target database specifically for Oracle Data Safe.
    If you created the user on the target database without quotation marks, you need to enter the user name in uppercase here. For example, if the user name on the target database is called test, then you need to enter TEST.
    You cannot specify database roles, such as SYSDBA or SYSKM, and you cannot specify SYS as the user.
  20. (Optional) To verify that Oracle Data Safe can successfully connect to the target database, click Test Connection.
  21. Before you register the target, click Download Privilege Script and save the dscs_privileges.sql script to your computer. You need to run this script on your database after you are done with registration.
  22. Click Register Target.
    You cannot register the target database if the connection test fails or if the target database does not exist.
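The service-account name is the one input that appears three times in this article (the CREATE USER statement, the first argument to dscs_privileges.sql, and the user name in step 19 above) and it must match dba_users.username exactly each time. The following Python script is an added example, not Oracle code: it reproduces the identifier rule the database applies (unquoted names are folded to uppercase, double-quoted names keep their case), extracts the stored name from a CREATE USER statement, checks a name against a dba_users listing, and assembles a validated dscs_privileges.sql invocation. SAMPLE_DBA_USERS is a constructed stand-in for a `SELECT username FROM dba_users` result.

```python
"""Added example: name checks for the Oracle Data Safe service account.

Not Oracle code. Reproduces how the database stores an identifier given to CREATE
USER (unquoted names are folded to upper case, quoted names keep their case) so
that the name passed to dscs_privileges.sql and entered in the Register Target
dialog matches dba_users.username exactly. SAMPLE_DBA_USERS is a constructed
stand-in for a dba_users query result.
"""
import re

UNQUOTED_IDENTIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")
FEATURES = {"AUDIT_COLLECTION", "AUDIT_SETTING", "DATA_DISCOVERY", "MASKING", "ASSESSMENT", "ALL"}

# Constructed sample of SELECT username FROM dba_users on a target database.
SAMPLE_DBA_USERS = {"SYS", "SYSTEM", "DATASAFE_ADMIN", "dsUser"}


def stored_identifier(name_as_typed):
    """Return the name as the database stores it for a name typed in CREATE USER."""
    s = name_as_typed.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return s[1:-1]          # quoted: exact case preserved
    if not UNQUOTED_IDENTIFIER.match(s):
        raise ValueError(f"{name_as_typed!r} is not a valid unquoted Oracle identifier")
    return s.upper()            # unquoted: folded to upper case


def service_account_from_sql(sql):
    """Pull the user name out of a CREATE USER statement, as the database will store it."""
    m = re.search(r'CREATE\s+USER\s+("[^"]+"|[A-Za-z][A-Za-z0-9_$#]*)', sql, re.IGNORECASE)
    if not m:
        raise ValueError("no CREATE USER statement found")
    return stored_identifier(m.group(1))


def registration_problems(user_name, dba_users):
    """Problems the Register Target dialog or dscs_privileges.sql would hit with user_name."""
    problems = []
    if user_name.upper() == "SYS":
        problems.append("SYS cannot be the Oracle Data Safe user; use a dedicated service account")
    if user_name not in dba_users:
        same_ci = [u for u in dba_users if u.upper() == user_name.upper()]
        if same_ci:
            problems.append(f"{user_name!r} differs from {same_ci[0]!r} only in case; enter it exactly as stored")
        else:
            problems.append(f"{user_name!r} does not exist in dba_users")
    return problems


def privileges_script_command(user_name, action, features, verbose=False):
    """Build the SQL*Plus line that runs dscs_privileges.sql with validated arguments."""
    action = action.upper()
    if action not in ("GRANT", "REVOKE"):
        raise ValueError("action must be GRANT or REVOKE")
    feats = [f.upper() for f in features]
    unknown = sorted(set(feats) - FEATURES)
    if unknown:
        raise ValueError(f"unknown feature(s): {unknown}")
    cmd = f"@dscs_privileges.sql {user_name} {action} {'/'.join(feats)}"
    return cmd + " -VERBOSE" if verbose else cmd


if __name__ == "__main__":
    name = service_account_from_sql("CREATE USER datasafe_admin IDENTIFIED BY password")
    print(name, registration_problems(name, SAMPLE_DBA_USERS))
    print(privileges_script_command(name, "grant", ["audit_collection", "assessment"]))
```

Feed registration_problems the real output of `SELECT username FROM dba_users` from the PDB you are registering; a name that differs only in case is the failure mode behind the step 19 note about entering unquoted names in uppercase.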