Oracle Cloud Database-related Prerequisite Tasks

Before you enable and use Database Management Diagnostics & Management for Oracle Cloud Databases, you must complete the prerequisite tasks listed in the following table.

Currently, you can use Diagnostics & Management to monitor and manage the Oracle Databases running on the following Oracle Database cloud solutions:

  • Base Database Service
  • ExaDB-D
  • ExaDB-C@C

Task | Description | More Information

Grant a database user the privileges required to monitor and manage the Oracle Cloud Database and save the database user password in a secret

You must grant the database user the privileges required to monitor and manage the Oracle Cloud Database using Diagnostics & Management. You can use the available SQL scripts to create a new database user with the required set of privileges to monitor the Oracle Cloud Database or to perform advanced diagnostics and administrative tasks.

Use the Oracle Cloud Infrastructure Vault service to save the database user password in a secret with an encryption key. The Vault service is a managed service that enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to securely access resources. Note that if you change the database user password, then you must also update the secret with the new password by creating a new version of the secret and updating the contents.

Configure Gradual Password Rollover

For Oracle Databases 19c and later, it's recommended that you define a gradual password rollover time, which allows you to connect to the database using both the old and new passwords during the gradual rollover time period. Since both the old and new passwords are valid for some time, downtime is minimized. Using a gradual password rollover, you can avoid any disruptions in the use of Diagnostics & Management features for your databases.
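
The rotation order described above, as an added shell example (not Oracle's script): open a rollover window on the user's profile, change the password, then write the new password as a new version of the secret. The user and profile names, the ADMIN_CONNECT variable and the secret OCID are assumptions; PASSWORD_ROLLOVER_TIME is expressed in days, so the window in hours is divided by 24.

```shell
#!/bin/sh
# Added example. Assumed names: DBM_MONITOR (database user) and
# DBM_MONITOR_PROFILE (a profile that is already assigned to that user).

# Print the SQL that opens the rollover window and sets the new password.
# $1 = user, $2 = profile, $3 = window in hours, $4 = new password
rollover_sql() {
  case "$4" in
    *'"'*) echo "password must not contain a double quote" >&2; return 1 ;;
  esac
  cat <<EOF
WHENEVER SQLERROR EXIT FAILURE
ALTER PROFILE $2 LIMIT PASSWORD_ROLLOVER_TIME $3/24;
ALTER USER $1 IDENTIFIED BY "$4";
-- account_status should now read OPEN & IN ROLLOVER
SELECT username, account_status FROM dba_users WHERE username = UPPER('$1');
EOF
}

# Print the SQL that closes the window early, so the old password stops working
# once Diagnostics & Management is confirmed to connect with the new secret.
end_rollover_sql() {
  printf 'ALTER USER %s EXPIRE PASSWORD ROLLOVER PERIOD;\n' "$1"
}

# Base64-encode stdin on a single line for the secret content field.
b64() { base64 | tr -d '\n'; }

# Full rotation: change the password first (the old one stays valid during the
# window), then create the new secret version. The new password is read from
# stdin. ADMIN_CONNECT is an assumed variable, e.g. "/ as sysdba" on the DB node.
# $1 = user, $2 = profile, $3 = window in hours, $4 = secret OCID
rotate() {
  IFS= read -r new_pw || [ -n "$new_pw" ] || return 1
  sql=$(rollover_sql "$1" "$2" "$3" "$new_pw") || return 1
  printf '%s\n' "$sql" | sqlplus -S -L "$ADMIN_CONNECT" || return 1
  # The encoded value is visible in the process list while oci runs.
  oci vault secret update-base64 --secret-id "$4" \
    --secret-content-content "$(printf '%s' "$new_pw" | b64)"
}
```

Nothing runs until `rotate` is called; the two `*_sql` functions can be used on their own to review the statements before executing them.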

For information on the required database user privileges, see Database User Privileges Required for Diagnostics & Management.

For information on the SQL script to create a monitoring user with the privileges required to monitor the Oracle Cloud Database, see Creating the Oracle Database Monitoring Credentials for Database Management (Doc ID 2857604.1) in My Oracle Support.

For information on the SQL script to create a user with the privileges required to perform advanced diagnostics and administrative tasks, see Creating the Oracle Database Management Advanced Diagnostics User and Administration User (Doc ID 2978493.1) in My Oracle Support.

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.

For information on the Gradual Password Rollover feature, see Managing Gradual Database Password Rollover for Applications in Oracle Database Security Guide.

Enable communication between Database Management and the Oracle Cloud Database

For Oracle Cloud Databases in Base Database Service and ExaDB-D

  1. Create a private endpoint that acts as Database Management's network point of presence in the VCN in which the Oracle Cloud Database can be accessed.
  2. Add ingress and egress security rules to Network Security Groups (NSGs) or Security Lists in the Oracle Cloud Database's VCN to enable communication between the Database Management private endpoint and the Oracle Cloud Database.
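
An added example (not from Oracle's documentation) of the rule pair in step 2, scoped to a single peer range and a single TCP port rather than the whole VCN. The NSG OCIDs, addresses and listener port are placeholders, and the example assumes the private endpoint and the database are each attached to their own NSG.

```shell
#!/bin/sh
# Added example. The addresses, port and OCIDs passed in are placeholders.

# Succeed only for a TCP port number between 1 and 65535.
valid_port() {
  case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# JSON for a stateful TCP rule limited to one peer CIDR and one port.
# $1 = INGRESS|EGRESS, $2 = peer CIDR, $3 = listener port
nsg_rule() {
  valid_port "$3" || { echo "bad port: $3" >&2; return 1; }
  case "$2" in ''|*[!0-9./]*) echo "bad CIDR: $2" >&2; return 1 ;; esac
  case "$1" in
    INGRESS) peer=source ;;
    EGRESS)  peer=destination ;;
    *) echo "bad direction: $1" >&2; return 1 ;;
  esac
  printf '[{"direction":"%s","protocol":"6","isStateless":false,' "$1"
  printf '"%s":"%s","%sType":"CIDR_BLOCK",' "$peer" "$2" "$peer"
  printf '"tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}]\n' "$3" "$3"
}

# Apply both rules. $1 = database NSG OCID, $2 = private endpoint NSG OCID,
# $3 = private endpoint IP as /32, $4 = database subnet CIDR, $5 = listener port
apply_rules() {
  ingress=$(nsg_rule INGRESS "$3" "$5") || return 1
  egress=$(nsg_rule EGRESS "$4" "$5") || return 1
  oci network nsg rules add --nsg-id "$1" --security-rules "$ingress" &&
  oci network nsg rules add --nsg-id "$2" --security-rules "$egress"
}
```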

For Oracle Cloud Databases in ExaDB-D and ExaDB-C@C

Enable communication and data collection using a Management Agent. You must ensure that a Management Agent 210403.1349 or later is installed on one of the nodes in the Exadata cluster. The installed Management Agent requires:

  • Network access to Oracle Cloud Infrastructure.
  • Network access to connect to the Oracle Cloud Database.

Note that you can either use a private endpoint or a Management Agent to enable communication between Database Management and Oracle Cloud Databases in ExaDB-D.

For information on how to create a Database Management private endpoint, see Create a Database Management Private Endpoint for Oracle Cloud Databases.

For information on how to enable communication between Database Management and the Oracle Cloud Database, see Enable Communication Between Database Management and Oracle Cloud Databases.

For generic information on how to install a Management Agent, see Perform Prerequisites for Deploying Management Agents and Install Management Agents.

For information on how to install a Management Agent on Exadata Cloud, see Observability & Management Support For Exadata Cloud (Doc ID 3015115.1) in My Oracle Support.

Save the database wallet as a secret in the Vault service if you want to use the TCPS protocol when enabling Diagnostics & Management (Optional)

If you opt to use the TCP/IP with Transport Layer Security (TCPS) protocol to securely connect to the Oracle Cloud Database, then you're required to enter the port number and upload the database wallet when enabling Diagnostics & Management.

The authentication and signing credentials, including the private keys, certificates, and trusted certificates used by Transport Layer Security (TLS) are stored in a wallet. This wallet must be saved as a secret with an encryption key in the Vault service.

The supported database wallet formats are:

  • Java Keystore (JKS): To save a Java Keystore wallet as a secret, you're required to enter the Keystore password, Keystore content (.jks file), Truststore password, Truststore content (.jks file), and the Certificate Distinguished Name (DN) for the wallet.
  • Public-Key Cryptography Standards (PKCS) #12: To save a PKCS#12 wallet as a secret, you're required to enter the wallet password, wallet content (.p12 file), and the certificate DN for the wallet.

Note that in the US Gov realms, the JKS and PKCS wallet formats are not supported; only the BCFKS wallet format is supported.

For information on how to configure TLS authentication, see Configuring Transport Layer Security Authentication in Oracle Database Security Guide.

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.