Errors Encountered When Enabling Database Management for Oracle Cloud Databases
Here are some errors you may encounter when enabling Database Management for Oracle Cloud Databases.
- Could not enable the Database Management service on the cloud database due to an internal error
- Operation failed because password secret is not accessible by Database Management
- Could not connect to the cloud database due to an internal error
- Unable to process request. Contact Oracle Support or try again later.
- Error when processing the request. Contact Oracle Support to resolve the issue.
- The operation failed due to error in Database Management service while processing the request.
- Work request error: Operation failed because TCPS wallet details are incorrect
- Database metrics are not collected for the DB systems in the Base Database Service
For information on how to resolve some other issues that you may encounter when enabling Database Management for Oracle Cloud Databases, see the Known Issues with Cloud Databases section in OCI Database Management Service: Known Issues When Enabling Database Management (Doc ID 2938669.1) in My Oracle Support.
Could not enable the Database Management service on the cloud database due to an internal error
The likely causes for this error can be categorized into the following areas:
- Ingress and egress rules are not set or are incorrect
  - Cause: Ingress and egress security rules to NSGs or Security Lists are not defined to allow the communication on port 1521.
    Solution: Ensure that the ingress and egress rules are added to NSGs or Security Lists in the Oracle Cloud Database's VCN to allow communication between the Database Management private endpoint and the Oracle Cloud Database.
- Service Name
  - Cause: The service name is incorrect.
    Solution: Check and use the correct service name. You can verify the service name information from the database using the following query:
    select value from v$parameter where name like '%service_name%'
  - Cause: The service name provided on the Database Management page is not registered with the listener and gv$services.
    Solution: Verify that the service name is registered with the listener and gv$services.
- Missing Policies
  - Cause: The required policies are not created.
    Solution: Ensure that the required policies are created and granted to the user group enabling Database Management:
    - The following policy is required to create a secret:
      Allow group DB-MGMT-ADMIN to manage secret-family in tenancy
    - The following policy is required to grant the Database Management service the permission to read database user password secrets:
      Allow service dpd to read secret-family in compartment ABC
      If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
      Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
    - The following policy is required to read database user password secrets when using Database Management. Note that this policy is not required if the user has been granted the permission to create a secret (first policy in this list):
      Allow group DB-MGMT-USER to read secret-family in compartment ABC
      If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
      Allow group DB-MGMT-USER to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
    For a complete list of the policies required to enable Database Management for Oracle Cloud Databases, see Permissions Required to Enable Diagnostics & Management for Oracle Cloud Databases.
- Incorrect Database User or Password
  - Cause: The SYS user is used.
    Solution: Ensure that you do not use the SYS user. It's recommended that the DBSNMP user is used.
  - Cause: The user is created at the incorrect level.
    Solution: Ensure that the user is created at the correct level. For example, if enabling Database Management for a CDB, then the user must be created at the CDB level.
- Incorrect TCPS Setting in sqlnet.ora
  - Cause: If the TCPS protocol is used and both TLS and Oracle native encryption (also called Advanced Networking Option (ANO) encryption) are enabled in sqlnet.ora, then by default Oracle does not allow both encryption types.
    Solution: Add SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS = true to sqlnet.ora to turn off Oracle native encryption when TCPS is used.
- Incorrect database name or database unique name
  - Cause: The database name or database unique name specified at the database level does not match the details retrieved from the Oracle Database cloud solution (Base Database Service, ExaDB-D, or ExaDB-C@C).
    Solution: Ensure that the database name and database unique name are the same at the database level and in the details retrieved from the Oracle Database cloud solution. To do so:
    - Use the following command to retrieve the database name and database unique name from the Oracle Database cloud solution:
      oci db database get --database-id <database_OCID>
    - Use the following SQL statement to retrieve the database name and database unique name specified at the database level:
      SELECT dbId, name as dbName, db_unique_name as dbUniqueName, replace(database_role, ' ','_') as dbRole, to_char(sys_extract_utc(cast(created as timestamp)), 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"') as dbCreationTime, (SELECT value from v$parameter WHERE name = 'db_domain') dbDomain, (SELECT version FROM v$instance) as dbVersion, (SELECT banner FROM v$version where banner like 'Oracle%') as dbEdition, (SELECT dbtimezone FROM dual) as dbTimeZone, (SELECT value FROM v$parameter WHERE name = 'cluster_database') as isCluster, (SELECT value FROM nls_database_parameters WHERE parameter = 'NLS_CHARACTERSET') as charSet, (SELECT value FROM nls_database_parameters WHERE parameter = 'NLS_NCHAR_CHARACTERSET') as ncharSet, (SELECT value FROM v$parameter WHERE name = 'control_management_pack_access') as dbPacks FROM v$database
    - Check whether the database name and database unique name are the same at the database level and in the details retrieved from the Oracle Database cloud solution. If there is a discrepancy, correct the details at the database level.
Operation failed because password secret is not accessible by Database Management
Here's the likely cause and what you can do to resolve the issue:
Cause: The required policies are not created.
Solution: Ensure that the required policies are created and granted to the user group enabling Database Management:
- The following policy is required to create a secret:
  Allow group DB-MGMT-ADMIN to manage secret-family in tenancy
- The following policy is required to grant the Database Management service the permission to read database user password secrets:
  Allow service dpd to read secret-family in compartment ABC
  If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
  Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
- The following policy is required to read database user password secrets when using Database Management. Note that this policy is not required if the user has been granted the permission to create a secret (first policy in this list):
  Allow group DB-MGMT-USER to read secret-family in compartment ABC
  If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
  Allow group DB-MGMT-USER to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
Could not connect to the cloud database due to an internal error
Here's the likely cause and what you can do to resolve the issue:
Cause: The correct user is not used to enable Database Management or the user does not have the required privileges.
Solution: Ensure that the DBSNMP or equivalent user is used to enable Database Management and that the user enabling Database Management has the required permissions. For a complete list of the policies required to enable Database Management for Oracle Cloud Databases, see Permissions Required to Enable Diagnostics & Management for Oracle Cloud Databases.
Could not provision Database Management private endpoint. Please retry operation or contact Oracle Support.
The likely causes for this error can be categorized into the following areas:
- Insufficient CIDR allocation (user error)
  - Cause: All non-reserved IP addresses of xx for xx have already been allocated.
    Solution: A Database Management private endpoint for single instance databases requires two private IP addresses and a Database Management private endpoint for RAC databases requires three private IP addresses. You must move the private endpoint to a different subnet or make IP addresses available in the existing subnet to proceed with private endpoint creation.
- Insufficient private endpoint limit
  - Cause: A private endpoint for RAC Oracle Cloud Databases is already created, and only one private endpoint can be created in a tenancy (per region) to connect to RAC databases.
    Solution: Increase the private endpoint limit. To do so:
    - Sign in to the Oracle Cloud Infrastructure console.
    - Open the navigation menu and click Governance & Administration. Under Tenancy Management, click Limits, Quotas and Usage.
    - On the Limits, Quotas and Usage page, click request a service limit increase in the introductory text.
    - In the Request Service Limit Updates panel:
      - Resource Limit Update (this will be your new limit): In the Service Category drop-down list, select Others and in the Resource drop-down list, select Other Limits.
      - Reason for request: In this field, enter Resource: Database Management Private Endpoints and provide the following details:
        - Total number of private endpoints to be added, and specify if the private endpoints are for single instance or RAC Oracle Cloud Databases.
        - Specify if the databases are spread across multiple VCNs. For example, if you're requesting for a limit increase to ten, then the expectation is that your databases are spread across ten VCNs. Note that a private endpoint can manage multiple databases in the same VCN. For more information, see Create a Database Management Private Endpoint for Oracle Cloud Databases.
    - Click Create Support Request.
Unable to process request. Contact Oracle Support or try again later.
Here's the likely cause and what you can do to resolve the issue:
Cause: The required Oracle Cloud Infrastructure Vault service policies are not created.
Solution: Ensure that the required policies are created and granted to the user group assigned the task of enabling Database Management:
- The following policy is required to create a secret:
  Allow group DB-MGMT-ADMIN to manage secret-family in tenancy
- The following policy is required to grant the Database Management service the permission to read database user password secrets:
  Allow service dpd to read secret-family in compartment ABC
  If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
  Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
- The following policy is required to read database user password secrets when using Database Management. Note that this policy is not required if the user has been granted the permission to create a secret (first policy in this list):
  Allow group DB-MGMT-USER to read secret-family in compartment ABC
  If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
  Allow group DB-MGMT-USER to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
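The secret-family policy list above, which also appears under Missing Policies and under "Operation failed because password secret is not accessible by Database Management", can be reviewed mechanically. The following Python check is an added example, not Oracle code: it parses statements of the shape shown on this page, reports whether the dpd service can read secrets, and lists grants that are not narrowed to a vault. The function names and finding labels are assumptions of the example.

```python
import re

# Statement shape used on this page:
# Allow <group|service> <name> to <verb> <resource> in <tenancy|compartment X> [where <cond>]
STATEMENT = re.compile(
    r"^allow\s+(?P<kind>group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
VAULT_ID = re.compile(r"target\.vault\.id\s*=\s*'([^']+)'", re.IGNORECASE)

# Statements copied from this page, including its 'Vault OCID' placeholder.
SAMPLE = [
    "Allow group DB-MGMT-ADMIN to manage secret-family in tenancy",
    "Allow service dpd to read secret-family in compartment ABC",
    "Allow group DB-MGMT-USER to read secret-family in compartment ABC "
    "where target.vault.id = 'Vault OCID'",
]


def parse(statement):
    """Split one policy statement into lower-cased parts; None if it does not match."""
    m = STATEMENT.match(statement.strip())
    if m is None:
        return None
    parts = {k: (v or "").strip().lower() for k, v in m.groupdict().items()}
    vault = VAULT_ID.search(m.group("cond") or "")
    parts["vault_id"] = vault.group(1) if vault else None  # original case kept
    return parts


def audit(statements):
    """Report whether dpd can read secrets and which secret-family grants are broad."""
    findings, dpd_can_read = [], False
    for text in statements:
        p = parse(text)
        if p is None:
            findings.append(("unparsed", text))
            continue
        if p["resource"] != "secret-family":
            continue
        # read, use and manage all include read; inspect does not.
        if (p["kind"], p["subject"]) == ("service", "dpd") and p["verb"] != "inspect":
            dpd_can_read = True
        if p["vault_id"] is None:
            label = "tenancy-wide" if p["scope"] == "tenancy" else "compartment-wide"
            findings.append((label, text))
        elif not p["vault_id"].startswith("ocid1.vault."):
            # Assumption: a real vault OCID starts with "ocid1.vault."; anything
            # else is treated as the documentation placeholder left in place.
            findings.append(("placeholder-vault-id", text))
    return {"dpd_can_read": dpd_can_read, "findings": findings}
```

A missing dpd read grant matches the error in this section; the other findings are least-privilege review items, not causes of the error.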
The supplied service name to connect to the cloud database was not recognized. Try again with a valid service name.
Here are the likely causes and what you can do to resolve the issue:
- Cause: The service name is incorrect.
Solution: Check and use the correct service name. You can verify the service name information from the database using the following query:
select value from v$parameter where name like '%service_name%'
- Cause: The service name provided on the Database Management page is not registered with the listener and gv$services.
Solution: Verify that the service name is registered with the listener and gv$services.
Error when processing the request. Contact Oracle Support to resolve the issue.
Here's the likely cause and what you can do to resolve the issue:
Cause: PDB enable threshold limit reached. Database Management can be enabled for a maximum of 10 PDBs in one CDB.
Solution: Increase the PDB enable threshold limit. To do so:
- Sign in to the Oracle Cloud Infrastructure console.
- Open the navigation menu and click Governance & Administration. Under Tenancy Management, click Limits, Quotas and Usage.
- On the Limits, Quotas and Usage page, click request a service limit increase in the introductory text.
- In the Request Service Limit Updates panel:
  - Resource Limit Update (this will be your new limit): In the Service Category drop-down list, select Others and in the Resource drop-down list, select Other Limits.
  - Reason for request: In this field, enter Resource: Increase Database Management PDB Enable Threshold Limit and provide the following details:
    - The number of PDBs in a CDB for which Database Management should be enabled.
    - The OCID of the associated CDB.
- Click Create Support Request.
The operation failed due to a network error
Here's the likely cause and what you can do to resolve the issue:
Cause: The specified port and service name are not correct.
Solution: Ensure that the port and service name are correct. To do so:
- Use the following query to verify the service name information from the database:
select value from v$parameter where name like '%service_name%'
- Verify that the port details are correct.
- Update the port and service name, if required.
The network adapter could not establish the connection. Check and update the system's network security groups or security lists...
The likely causes for this error can be categorized into the following areas:
- Ingress and egress rules are not set or are incorrect
  - Cause: Ingress and egress security rules to NSGs or Security Lists are not defined to allow the communication on port 1521.
    Solution: Ensure that the ingress and egress rules are added to NSGs or Security Lists in the Oracle Cloud Database's VCN to allow communication between the Database Management private endpoint and the Oracle Cloud Database.
- Service Name
  - Cause: The service name is incorrect.
    Solution: Check and use the correct service name. You can verify the service name information from the database using the following query:
    select value from v$parameter where name like '%service_name%'
  - Cause: The service name provided on the Database Management page is not registered with the listener and gv$services.
    Solution: Verify that the service name is registered with the listener and gv$services.
If the security rules and service name are correct and the error is still displayed, contact Oracle Support for assistance.
The operation failed due to error in Database Management service while processing the request.
Here's the likely cause and what you can do to resolve the issue:
Cause: You've enabled more than 15 clusters or RAC databases using a single private endpoint.
Solution: A single Database Management RAC private endpoint can connect to 15 clusters or RAC databases in a VCN. If you have more than 15 clusters in a VCN, then enabling them with the same private endpoint will fail. Contact Oracle Support for assistance.
Work request error: Operation failed because TCPS wallet details are incorrect
Here are the likely causes and what you can do to resolve the issue:
- Cause: The wallet content and password do not match.
Solution: Verify that the wallet content and password are correct.
- Cause: The wallet content and server certificate DN do not match.
Solution: Verify that the wallet content and server certificate DN are correct.
- Cause: Wallet secret content does not have the valid structure expected by Database Management.
Solution: Ensure that the wallet secret content is in the structure expected by Database Management. The valid structures are:
  - { "walletFormat":"JKS", "keyStoreContent":"<Keystore Content Byte Array>", "keyStorePassword":"<Keystore Password>", "trustStoreContent":"<Truststore Content Byte Array>", "trustStorePassword":"<Truststore Password>", "serverCertDn":"<Server CERT DN>" }
  - { "walletFormat":"PKCS12", "keyStoreContent":"<Wallet Content Byte Array>", "keyStorePassword":"<Wallet Password>", "trustStoreContent":"<Wallet Content Byte Array>", "trustStorePassword":"<Wallet Password>", "serverCertDn":"<Server CERT DN>" }
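A pre-upload check for the wallet secret structures listed above, as an added example (not Oracle code). It assumes the secret is stored as JSON text, treats key names as case-sensitive and extra keys as errors, and reads the PKCS12 template as requiring the same wallet content and password in both stores; the function name, messages and sample values are constructed for the example.

```python
import json

REQUIRED_KEYS = ("walletFormat", "keyStoreContent", "keyStorePassword",
                 "trustStoreContent", "trustStorePassword", "serverCertDn")
WALLET_FORMATS = ("JKS", "PKCS12")

# Constructed sample values; a real secret carries the wallet bytes and password.
SAMPLE_SECRET = {
    "walletFormat": "PKCS12",
    "keyStoreContent": "constructed-wallet-bytes",
    "keyStorePassword": "constructed-password",
    "trustStoreContent": "constructed-wallet-bytes",
    "trustStorePassword": "constructed-password",
    "serverCertDn": "CN=db.example.invalid",
}


def check_wallet_secret(secret_text):
    """Return a list of structural problems; an empty list means the shape matches.

    Messages name keys only, so the result is safe to log: no secret value is echoed.
    """
    try:
        doc = json.loads(secret_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = doc.get(key)
        if key not in doc:
            problems.append(f"missing key: {key}")
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"empty or non-string value: {key}")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"template placeholder left in: {key}")
    # Key names are case-sensitive: "serverCertDN" is not "serverCertDn".
    for key in sorted(set(doc) - set(REQUIRED_KEYS)):
        problems.append(f"unexpected key: {key}")
    fmt = doc.get("walletFormat")
    if isinstance(fmt, str) and fmt.strip() and fmt not in WALLET_FORMATS:
        problems.append("walletFormat must be JKS or PKCS12")
    if fmt == "PKCS12":
        # Assumption read from the page's PKCS12 template: one wallet serves both stores.
        for a, b in (("keyStoreContent", "trustStoreContent"),
                     ("keyStorePassword", "trustStorePassword")):
            if doc.get(a) != doc.get(b):
                problems.append(f"PKCS12: {a} and {b} differ")
    return problems
```

This checks structure only; a wallet password or server certificate DN that does not match the wallet content still has to be verified against the wallet itself.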
Database metrics are not collected for the DB systems in the Base Database Service
Here's the likely cause and what you can do to resolve the issue:
Cause: If you've enabled Database Management for a DB system in the Base Database Service using the TCPS protocol and also enabled Oracle Data Guard later, then the TCPS configuration will be overwritten by the Oracle Data Guard configuration process.
Solution: Reconfigure TCPS and enable Database Management for the DB system in the Base Database Service, after enabling Oracle Data Guard.