Use the Oracle Cloud Infrastructure Vault service to save the database user password in a secret with an encryption key. The Vault service is a managed service that enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to securely access resources. Note that if you change the database user password, then you must also update the secret with the new password by creating a new version of the secret and updating the contents.

Configure Gradual Password Rollover

For Oracle Databases 19c and later, it's recommended that you define a gradual password rollover time, which allows you to connect to the database using both the old and new passwords during the gradual rollover time period. Since both the old and new passwords are valid for some time, downtime is minimized. Using a gradual password rollover, you can avoid any disruptions in the use of Diagnostics & Management features for your databases.

For information on the SQL script to create a monitoring user with the privileges required to monitor the Oracle Cloud Database, see Creating the Oracle Database Monitoring Credentials for Database Management (Doc ID 2857604.1) in My Oracle Support.

For information on the SQL script to create a user with the privileges required to perform advanced diagnostics and administrative tasks, see Creating the Oracle Database Management Advanced Diagnostics User and Administration User (Doc ID 2978493.1) in My Oracle Support.

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.

For information on the Gradual Password Rollover feature, see Managing Gradual Database Password Rollover for Applications in Oracle Database Security Guide.

For Oracle Cloud Databases in Base Database Service and ExaDB-D

1. Create a private endpoint that acts as Database Management's network point of presence in the VCN in which the Oracle Cloud Database can be accessed.
2. Add ingress and egress security rules to Network Security Groups (NSGs) or Security Lists in the Oracle Cloud Database's VCN to enable communication between the Database Management private endpoint and the Oracle Cloud Database.

For Oracle Cloud Databases in ExaDB-C@C

Enable communication and data collection using a Management Agent. You must ensure that a Management Agent 210403.1349 or later is installed on one of the nodes in the Exadata cluster. The installed Management Agent requires:

• Network access to Oracle Cloud Infrastructure.
• Network access to connect to the Oracle Cloud Database.

For information on how to enable communication between Database Management and the Oracle Cloud Database, see Enable Communication Between Database Management and Oracle Cloud Databases.

For generic information on how to install a Management Agent, see Perform Prerequisites for Deploying Management Agents and Install Management Agents.

For information on how to install a Management Agent on Exadata Cloud, see Observability & Management Support For Exadata Cloud (Doc ID 3015115.1) in My Oracle Support.

The authentication and signing credentials, including the private keys, certificates, and trusted certificates used by Transport Layer Security (TLS) are stored in a wallet. This wallet must be saved as a secret with an encryption key in the Vault service.

The supported database wallet formats are:

• Java Keystore (JKS): To save a Java Keystore wallet as a secret, you're required to enter the Keystore password, Keystore content (.jks file), Truststore password, Truststore content (.jks file), and the Certificate Distinguished Name (DN) for the wallet.
• Public-Key Cryptography Standards (PKCS) # 12: To save a PKCS#12 wallet as a secret, you're required to enter the wallet password, wallet content (.p12 file), and the certificate DN for the wallet.

Note that the JKS and PKCS wallet formats are not supported in the US Gov realms and only the BCFKS wallet format is supported.

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.