Autonomous AI Database-related Prerequisite Tasks

Before you enable and use Database Management Diagnostics & Management for Autonomous AI Databases, you must complete the prerequisite tasks listed in the following table.

Task Description More Information

Grant a database user the privileges required to monitor and manage the Autonomous AI Database and save the database user password in a secret

Task	Description	More Information
Grant a database user the privileges required to monitor and manage the Autonomous AI Database and save the database user password in a secret	You must grant the database user the privileges required to monitor and manage the Autonomous AI Database using Diagnostics & Management. Note that on enabling Diagnostics & Management, the Basic monitoring preferred credential can be set to use the `ADBSNMP` user, however, it's recommended that you set the Advanced diagnostics preferred credential to use the `ADMIN` user, or set the session credential to use the `ADMIN` user. This is because some of the advanced monitoring and management features like Performance Hub require additional privileges, which the `ADBSNMP` user does not have. Use the Oracle Cloud Infrastructure Vault service to save the database user password in a secret with an encryption key. The Vault service lets you store and manage encryption keys and secrets to securely access resources. Note that if you change the database user password, you must also update the secret with the new password by creating a new version of the secret and updating the contents.	For information on how to set preferred or session credentials, see Set and Use Credentials. For information on the required database user privileges, see Database User Privileges Required for Diagnostics & Management. For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.
Configure network access between Database Management and the Autonomous AI Database	You can use a Management Agent 210403.1349 or later to configure network access between Database Management and Autonomous AI Databases. To use a Management Agent, you must ensure that it's installed on a compute instance or host that has access to the Autonomous AI Database. Note that in addition to a Management Agent, the following network access options are available for Autonomous AI Databases Serverless or on Dedicated Exadata Infrastructure: *For Autonomous AI Database Serverless* There are three types of network access options available for Autonomous AI Database Serverless and to confirm which of the options to use or to update network access, go to the Autonomous AI Database details page. Note that if mutual TLS (mTLS) authentication is required, you must download the wallet and save it in a Vault service secret. This secret is required when enabling Diagnostics & Management for the Autonomous AI Database. For more information, see the last row of this table. Secure access from everywhere: To use this option, a private endpoint is not required, however, mTLS authentication is required. Secure access from allowed IPs and VCNs only: To use this option, you must: Ensure that a VCN and subnet are available. You can either create a VCN or use an existing VCN. Create a Database Management private endpoint that acts as Database Management's network point of presence in the VCN. Ensure that the VCN is added to the Access Control Rules (ACLs) to communicate with the Autonomous AI Database. If the IP address or CIDR for the VCN is added to the ACL, you must ensure that it includes the IP address of the Database Management private point or the IP ranges of the subnet containing the Database Management private endpoint. Ensure that a service gateway is available for the VCN, and the subnet has access to the service gateway. Add ingress and egress security rules (TCP protocol, port 1521 or 1522) to NSGs or Security Lists in the VCN to enable communication between the Database Management private endpoint and the Autonomous AI Database. Private endpoint access only: To use this option, you must: Create a Database Management private endpoint in the Autonomous AI Database VCN. If the Autonomous AI Database is in a private subnet in the VCN, it's recommended that the Database Management private endpoint also resides in the same subnet. If there's an existing Database Management private endpoint in the same VCN, you can reuse it even if it's not in the same subnet. Add ingress and egress security rules (TCP protocol, port 1521 or 1522) to NSGs or Security Lists in the VCN to enable communication between the Database Management private endpoint and the Autonomous AI Database. If an NSG or Security List is not available, create one and add ingress and egress security rules on TCP protocol with a port used for JDBC for the subnet IP CIDR. Note that if the Autonomous AI Database and the Database Management private endpoint are not in the same subnet, you must: Replace the JDBC port constraint with All on the non-database end. Replace the subnet IP CIDR with the VCN IP CIDR. *For Autonomous AI Database on Dedicated Exadata Infrastructure* You can configure network access between Database Management and the Autonomous AI Database on Dedicated Exadata Infrastructure using a Database Management private endpoint. When creating the Database Management private endpoint, select the Use this private endpoint for RAC databases or Dedicated Autonomous AI Databases option. By default, TLS walletless connections are enabled when provisioning Autonomous Exadata VM Cluster (AVMC) and a wallet is not required, however, if network settings are configured for mTLS and mTLS connections are selected, then you must download the wallet and save it in a Vault service secret. This secret is required when enabling Diagnostics & Management for the Autonomous AI Database on Dedicated Exadata Infrastructure. For more information, see the last row of this table.	For information on how to install a Management Agent, see Perform Prerequisites for Deploying Management Agents and Install Management Agents. For information on network access options for Autonomous AI Database Serverless, see About Network Access Options in Using Oracle Autonomous AI Database Serverless. For information on how to access Autonomous AI Database Serverless, see Configure Network Access with Access Control Rules (ACLs) and Private Endpoints. For information on how to access Autonomous AI Database on Dedicated Exadata Infrastructure, see Connect to Autonomous AI Database on Dedicated Exadata Infrastructure. For information on TLS walletless connections for Autonomous AI Database on Dedicated Exadata Infrastructure, see Prepare for TLS Walletless Connections. For information on how to create a Database Management private endpoint, see Create a Database Management Private Endpoint for Autonomous AI Databases. For information on NSGs and Security Lists, see Access and Security.
Save the wallet in a Vault service secret for mTLS connections	Download the wallet from the Autonomous AI Database details page. For Autonomous AI Databases Serverless, it's recommended that you download the Regional wallet. Once you download the wallet, you must extract the `wallet_<databasename>.zip` file, save the SSO wallet (`cwallet.sso` file) in a Vault service secret with an encryption key, and upload the secret to enable Diagnostics & Management for the Autonomous AI Database. If you've not created a database wallet secret in the Vault service, you can create the secret when enabling Diagnostics & Management, and automatically add the SSO wallet to the secret. If you opt to create the database wallet secret in the Vault service before enabling Diagnostics & Management, the following free-form tag must be associated with the secret to make it available for use in Database Management: `DBM_Wallet_Type: "DATABASE"`	For information on how to download the wallet, see: Download Client Credentials (Wallets) for Autonomous AI Database Serverless Download Client Credentials for Autonomous AI Database on Dedicated Exadata Infrastructure For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.

You must grant the database user the privileges required to monitor and manage the Autonomous AI Database using Diagnostics & Management.

Note that on enabling Diagnostics & Management, the Basic monitoring preferred credential can be set to use the ADBSNMP user, however, it's recommended that you set the Advanced diagnostics preferred credential to use the ADMIN user, or set the session credential to use the ADMIN user. This is because some of the advanced monitoring and management features like Performance Hub require additional privileges, which the ADBSNMP user does not have.

Use the Oracle Cloud Infrastructure Vault service to save the database user password in a secret with an encryption key. The Vault service lets you store and manage encryption keys and secrets to securely access resources. Note that if you change the database user password, you must also update the secret with the new password by creating a new version of the secret and updating the contents.

For information on how to set preferred or session credentials, see Set and Use Credentials.

For information on the required database user privileges, see Database User Privileges Required for Diagnostics & Management.

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.

Configure network access between Database Management and the Autonomous AI Database

You can use a Management Agent 210403.1349 or later to configure network access between Database Management and Autonomous AI Databases. To use a Management Agent, you must ensure that it's installed on a compute instance or host that has access to the Autonomous AI Database.

Note that in addition to a Management Agent, the following network access options are available for Autonomous AI Databases Serverless or on Dedicated Exadata Infrastructure:

For Autonomous AI Database Serverless

There are three types of network access options available for Autonomous AI Database Serverless and to confirm which of the options to use or to update network access, go to the Autonomous AI Database details page.

Note that if mutual TLS (mTLS) authentication is required, you must download the wallet and save it in a Vault service secret. This secret is required when enabling Diagnostics & Management for the Autonomous AI Database. For more information, see the last row of this table.

Secure access from everywhere: To use this option, a private endpoint is not required, however, mTLS authentication is required.
Secure access from allowed IPs and VCNs only: To use this option, you must:
1. Ensure that a VCN and subnet are available. You can either create a VCN or use an existing VCN.
2. Create a Database Management private endpoint that acts as Database Management's network point of presence in the VCN.
3. Ensure that the VCN is added to the Access Control Rules (ACLs) to communicate with the Autonomous AI Database. If the IP address or CIDR for the VCN is added to the ACL, you must ensure that it includes the IP address of the Database Management private point or the IP ranges of the subnet containing the Database Management private endpoint.
4. Ensure that a service gateway is available for the VCN, and the subnet has access to the service gateway.
5. Add ingress and egress security rules (TCP protocol, port 1521 or 1522) to NSGs or Security Lists in the VCN to enable communication between the Database Management private endpoint and the Autonomous AI Database.
Private endpoint access only: To use this option, you must:
1. Create a Database Management private endpoint in the Autonomous AI Database VCN. If the Autonomous AI Database is in a private subnet in the VCN, it's recommended that the Database Management private endpoint also resides in the same subnet. If there's an existing Database Management private endpoint in the same VCN, you can reuse it even if it's not in the same subnet.
2. Add ingress and egress security rules (TCP protocol, port 1521 or 1522) to NSGs or Security Lists in the VCN to enable communication between the Database Management private endpoint and the Autonomous AI Database. If an NSG or Security List is not available, create one and add ingress and egress security rules on TCP protocol with a port used for JDBC for the subnet IP CIDR.
  Note that if the Autonomous AI Database and the Database Management private endpoint are not in the same subnet, you must:
  - Replace the JDBC port constraint with All on the non-database end.
  - Replace the subnet IP CIDR with the VCN IP CIDR.

For Autonomous AI Database on Dedicated Exadata Infrastructure

You can configure network access between Database Management and the Autonomous AI Database on Dedicated Exadata Infrastructure using a Database Management private endpoint. When creating the Database Management private endpoint, select the Use this private endpoint for RAC databases or Dedicated Autonomous AI Databases option. By default, TLS walletless connections are enabled when provisioning Autonomous Exadata VM Cluster (AVMC) and a wallet is not required, however, if network settings are configured for mTLS and mTLS connections are selected, then you must download the wallet and save it in a Vault service secret. This secret is required when enabling Diagnostics & Management for the Autonomous AI Database on Dedicated Exadata Infrastructure. For more information, see the last row of this table.

For information on how to install a Management Agent, see Perform Prerequisites for Deploying Management Agents and Install Management Agents.

For information on network access options for Autonomous AI Database Serverless, see About Network Access Options in Using Oracle Autonomous AI Database Serverless.

For information on how to access Autonomous AI Database Serverless, see Configure Network Access with Access Control Rules (ACLs) and Private Endpoints.

For information on how to access Autonomous AI Database on Dedicated Exadata Infrastructure, see Connect to Autonomous AI Database on Dedicated Exadata Infrastructure.

For information on TLS walletless connections for Autonomous AI Database on Dedicated Exadata Infrastructure, see Prepare for TLS Walletless Connections.

For information on how to create a Database Management private endpoint, see Create a Database Management Private Endpoint for Autonomous AI Databases.

For information on NSGs and Security Lists, see Access and Security.

Save the wallet in a Vault service secret for mTLS connections

Download the wallet from the Autonomous AI Database details page. For Autonomous AI Databases Serverless, it's recommended that you download the Regional wallet.

Once you download the wallet, you must extract the wallet_<databasename>.zip file, save the SSO wallet (cwallet.sso file) in a Vault service secret with an encryption key, and upload the secret to enable Diagnostics & Management for the Autonomous AI Database.

If you've not created a database wallet secret in the Vault service, you can create the secret when enabling Diagnostics & Management, and automatically add the SSO wallet to the secret.

If you opt to create the database wallet secret in the Vault service before enabling Diagnostics & Management, the following free-form tag must be associated with the secret to make it available for use in Database Management:

DBM_Wallet_Type: "DATABASE"

For information on how to download the wallet, see:

Download Client Credentials (Wallets) for Autonomous AI Database Serverless
Download Client Credentials for Autonomous AI Database on Dedicated Exadata Infrastructure

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.

Oracle Cloud Infrastructure Documentation

Autonomous AI Database-related Prerequisite Tasks