Oracle Cloud Infrastructure Documentation

Create a Connection to an External Database

This topic provides information about creating external database connections using the OCI Console and API. The external database connection resource enables you to connect an external database handle to an Oracle Database instance located outside of OCI.

Note

Currently the External Database service supports only Management Agent Cloud Service (MACS) agents for creating a connection to your external databases. Enterprise Manager Cloud Control Agents are not supported at this time. For more information about MACS, see Management Agent.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

For administrators: The policy in Let database admins manage Oracle Cloud external database resources lets the specified group do everything with databases and related database resources.

If you're new to policies, see Getting Started with Policies and Common Policies. For more information about writing policies for databases, see Policy Details for External Database.

Create a Connection to an External Pluggable Database

Perform the following steps to create a connection to an external pluggable database.

  1. Open the navigation menu. Select Oracle Database, and then select External Database.
  2. Under External Database, select Pluggable Databases.
  3. Select your Compartment. A list of external databases is displayed.
  4. In the list of external databases, click the name of the database for which you want to create the connection. Details of the external database you selected are displayed.
  5. Under Resources, Click Connectors.
  6. Click Connect to external pluggable database. The Connect to an external pluggable database dialog opens.
  7. Connector display name: Provide a user-friendly name to help you easily identify the resource.
  8. Connector type: Provide a connector type for the external database. You can select from the following:
    • External site: Create an Oracle Cloud Bridge connection within an OCI VCN to access an external database located in a Cloud Bridge external site. This option is compatible with the Database Management and Data Safe services.
    • MACS: Create an OCI Management Agent Cloud Service (MACS) connector to access your external database. You must configure the agent prior to connecting your external database. Select this option if you are using TCPS.
  9. External site ID: Provide an external site ID. This is required only if you select external site.
  10. Connector agent ID: Provide a connector agent ID. This is required only if you select MACS.
  11. Specify Connection string information for the connection.
  12. DNS hostname or SCAN name: Provide virtual IP (VIP) address or single client access name (SCAN) for the database on your premises that you are connecting to the OCI.
  13. Port: Provide the port being used by the database outside OCI for database connections.
  14. Service: Provide the service name being used by the database outside OCI for database connections.
  15. Protocol: Provide the protocol being used by the database outside OCI for database connections. You can select from either TCP or TCPS.
    Note

    TCPS is TCP/IP with SSL. This protocol enables an Oracle application on a client to communicate with remote databases through TCP/IP and SSL. Using SSL provides higher security than TCP alone. For more information, see TCP/IP with SSL Protocol in Database Net Services Administrator's Guide.

  16. If you have selected TCPS protocol, select between the following options:

    • Use existing secret
    • Create a new secret

  17. When you select Use existing secret, provide the following detail:

    • Provide a Database user password secret in your compartment.

  18. When you click Create a new secret, the Create TLS Secret windows opens. Provide the following details, and then click Create TLS secret.

    1. Secret name: Name for the secret you are creating.
    2. Description: [Optional] Description for the secret.
    3. Choose a compartment: The compartment where the secret must be stored.
    4. Vault in your compartment: Vault in your compartment where the secret is stored.
    5. Encryption key in your compartment: Encryption key in your compartment where the secret must be stored.
    6. SSL Trust Store Type: Type of the SSL trust store. Available options are PKCS12 and JKS. BCFKS is the only available option in US government regions.
    7. SSL Trust Store Location: Fully qualified path of the SSL trust store on the agent host.
    8. SSL Trust Store Password: Password of the SSL trust store.
    9. SSL Key Store Type: [Read-only] Type of the key store. It is automatically chosen to be the same as the SSL trust store type.
    10. SSL Key Store Location: Fully qualified path of the key store on the agent host.
    11. SSL Key Store Password: Password of the key store.
    12. SSL Server Certificate Distinguished Name: Unique name for the SSL server certificate.

    The JSON format for creating a new secret is as follows:

    If your wallet is PKCS12:

    {
    "sslTrustStoreType": "PKCS12",
    "sslTrustStoreLocation": "/mylocation/ewallet.p12",
    "sslTrustStorePassword": "mypassword",
    "sslKeyStoreType": "PKCS12",
    "sslKeyStoreLocation": "/mylocation/ewallet.p12",
    "sslKeyStorePassword": "mypassword",
    "sslServerCertDn": "C=US,O=OracleCorporation,CN=sslclient"
}

    If your wallet is JKS:

    {
    "sslTrustStoreType": "JKS",
    "sslTrustStoreLocation": "/mylocation/truststore.jks",
    "sslTrustStorePassword": "mypassword",
    "sslKeyStoreType": "JKS",
    "sslKeyStoreLocation": "/mylocation/keystore.jks",
    "sslKeyStorePassword": "mypassword",
    "sslServerCertDn": "C=US,O=OracleCorporation,CN=sslclient"
}
  19. Specify Database connection credentials for the connection.
  20. Username: Provide the user name for the database credentials to be used by this connection.
  21. Password: Provide the pasword for the database credentials to be used by this connection.
  22. Credential name prefix: This string is the first part of the full credential name. Your prefix is prepended to a system-generated Credential name prefix to create the full credential name.
  23. Credential name: (Read-only) Credential name of the connection.
  24. Role: Provide the role for the database credentials to be used by this connection. You can select between NORMAL and SYSDBA.
  25. Specify Network information for the connection.
  26. Virtual cloud network: The VCN in which to create the connection. Click Change compartment to select a VCN in a different compartment.
  27. Subnet: The subnet in which to create the connection.
  28. Network security groups: Optionally, you can specify one or more network security groups (NSGs) for your database. To use NSGs, switch on Use network security groups to control traffic toggle. NSGs function as virtual firewalls, enabling you to apply a set of ingress and egress security rules. A maximum of five NSGs can be specified. Note that you must have a virtual cloud network selected to be able to assign NSGs.
  29. Private IP address for VNIC: The IP address for the connection.
  30. Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator. For more information, see Resource Tags.
  31. Click Connect.

Create a Connection to an External Container Database

Perform the following steps to create a connection to an external container database.

  1. Open the navigation menu. Select Oracle Database, and then select External Database.
  2. Under External Database, select Container Databases.
  3. Select your Compartment. A list of external databases is displayed.
  4. In the list of external databases, click the name of the database for which you want to create the connection. Details of the external database you selected are displayed.
  5. Click Connect to external container database. The Connect to an external container database dialog opens.
  6. Connector display name: Provide a user-friendly name to help you easily identify the resource.
  7. Connector type: Provide a connector type for the external database. You can select from the following:
    • External site: Create an Oracle Cloud Bridge connection within an OCI VCN to access an external database located in a Cloud Bridge external site. This option is compatible with the Database Management and Data Safe services.
    • MACS: Create an OCI Management Agent Cloud Service (MACS) connector to access your external database. You must configure the agent prior to connecting your external database. Select this option if you are using TCPS.
  8. External site ID: Provide an external site ID. This is required only if you select external site.
  9. Connector agent ID: Provide a connector agent ID. This is required only if you select MACS.
  10. Specify Connection string information for the connection.
  11. DNS hostname or SCAN name: Provide virtual IP (VIP) address or single client access name (SCAN) for the database on your premises that you are connecting to the OCI.
  12. Port: Provide the port being used by the database outside OCI for database connections.
  13. Service: Provide the service name being used by the database outside OCI for database connections.
  14. Protocol: Provide the protocol being used by the database outside OCI for database connections. You can select from either TCP or TCPS.
    Note

    TCPS is TCP/IP with SSL. This protocol enables an Oracle application on a client to communicate with remote databases through TCP/IP and SSL. Using SSL provides higher security than TCP alone. For more information, see TCP/IP with SSL Protocol in Database Net Services Administrator's Guide.

  15. If you have selected TCPS protocol, select between the following options:

    • Use existing secret
    • Create a new secret

  16. When you select Use existing secret, provide the following detail:

    • Provide a Database user password secret in your compartment.

  17. When you click Create a new secret, the Create TLS Secret windows opens. Provide the following details, and then click Create TLS secret.

    1. Secret name: Name for the secret you are creating.
    2. Description: [Optional] Description for the secret.
    3. Choose a compartment: The compartment where the secret must be stored.
    4. Vault in your compartment: Vault in your compartment where the secret is stored.
    5. Encryption key in your compartment: Encryption key in your compartment where the secret must be stored.
    6. SSL Trust Store Type: Type of the SSL trust store. Available options are PKCS12 and JKS. BCFKS is the only available option in US government regions.
    7. SSL Trust Store Location: Fully qualified path of the SSL trust store on the agent host.
    8. SSL Trust Store Password: Password of the SSL trust store.
    9. SSL Key Store Type: [Read-only] Type of the key store. It is automatically chosen to be the same as the SSL trust store type.
    10. SSL Key Store Location: Fully qualified path of the key store on the agent host.
    11. SSL Key Store Password: Password of the key store.
    12. SSL Server Certificate Distinguished Name: Unique name for the SSL server certificate.

    The JSON format for creating a new secret is as follows:

    If your wallet is PKCS12:

    {
    "sslTrustStoreType": "PKCS12",
    "sslTrustStoreLocation": "/mylocation/ewallet.p12",
    "sslTrustStorePassword": "mypassword",
    "sslKeyStoreType": "PKCS12",
    "sslKeyStoreLocation": "/mylocation/ewallet.p12",
    "sslKeyStorePassword": "mypassword",
    "sslServerCertDn": "C=US,O=OracleCorporation,CN=sslclient"
}

    If your wallet is JKS:

    {
    "sslTrustStoreType": "JKS",
    "sslTrustStoreLocation": "/mylocation/truststore.jks",
    "sslTrustStorePassword": "mypassword",
    "sslKeyStoreType": "JKS",
    "sslKeyStoreLocation": "/mylocation/keystore.jks",
    "sslKeyStorePassword": "mypassword",
    "sslServerCertDn": "C=US,O=OracleCorporation,CN=sslclient"
}
  18. Specify Database connection credentials for the connection.
  19. Username: Provide the user name for the database credentials to be used by this connection.
  20. Password: Provide the pasword for the database credentials to be used by this connection.
  21. Credential name prefix: This string is the first part of the full credential name. Your prefix is prepended to a system-generated Credential name prefix to create the full credential name.
  22. Credential name: (Read-only) Credential name of the connection.
  23. Role: Provide the role for the database credentials to be used by this connection. You can select between NORMAL and SYSDBA.
  24. Specify Network information for the connection.
  25. Virtual cloud network: The VCN in which to create the connection. Click Change compartment to select a VCN in a different compartment.
  26. Subnet: The subnet in which to create the connection.
  27. Network security groups: Optionally, you can specify one or more network security groups (NSGs) for your database. To use NSGs, switch on Use network security groups to control traffic toggle. NSGs function as virtual firewalls, enabling you to apply a set of ingress and egress security rules. A maximum of five NSGs can be specified. Note that you must have a virtual cloud network selected to be able to assign NSGs.
  28. Private IP address for VNIC: The IP address for the connection.
  29. Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator. For more information, see Resource Tags.
  30. Click Connect.

Create a Connection to an External Non-Container Database

Perform the following steps to create a connection to an external non-container database.

  1. Open the navigation menu. Select Oracle Database, and then select External Database.
  2. Under External Database, select Non-Container Databases.
  3. Select your Compartment. A list of external databases is displayed.
  4. In the list of external databases, click the name of the database for which you want to create the connection. Details of the external database you selected are displayed.
  5. Click Connect to external non-CDB. The Connect to an external non-container database dialog opens.
  6. Connector display name: Provide a user-friendly name to help you easily identify the resource.
  7. Connector type: Provide a connector type for the external database. You can select from the following:
    • External site: Create an Oracle Cloud Bridge connection within an OCI VCN to access an external database located in a Cloud Bridge external site. This option is compatible with the Database Management and Data Safe services.
    • MACS: Create an OCI Management Agent Cloud Service (MACS) connector to access your external database. You must configure the agent prior to connecting your external database. Select this option if you are using TCPS.
  8. External site ID: Provide an external site ID. This is required only if you select external site.
  9. Connector agent ID: Provide a connector agent ID. This is required only if you select MACS.
  10. Specify Connection string information for the connection.
  11. DNS hostname or SCAN name: Provide virtual IP (VIP) address or single client access name (SCAN) for the database on your premises that you are connecting to the OCI.
  12. Port: Provide the port being used by the database outside OCI for database connections.
  13. Service: Provide the service name being used by the database outside OCI for database connections.
  14. Protocol: Provide the protocol being used by the database outside OCI for database connections. You can select from either TCP or TCPS.
    Note

    TCPS is TCP/IP with SSL. This protocol enables an Oracle application on a client to communicate with remote databases through TCP/IP and SSL. Using SSL provides higher security than TCP alone. For more information, see TCP/IP with SSL Protocol in Database Net Services Administrator's Guide.

  15. If you have selected TCPS protocol, select between the following options:

    • Use existing secret
    • Create a new secret

  16. When you select Use existing secret, provide the following detail:

    • Provide a Database user password secret in your compartment.

  17. When you click Create a new secret, the Create TLS Secret windows opens. Provide the following details, and then click Create TLS secret.

    1. Secret name: Name for the secret you are creating.
    2. Description: [Optional] Description for the secret.
    3. Choose a compartment: The compartment where the secret must be stored.
    4. Vault in your compartment: Vault in your compartment where the secret is stored.
    5. Encryption key in your compartment: Encryption key in your compartment where the secret must be stored.
    6. SSL Trust Store Type: Type of the SSL trust store. Available options are PKCS12 and JKS. BCFKS is the only available option in US government regions.
    7. SSL Trust Store Location: Fully qualified path of the SSL trust store on the agent host.
    8. SSL Trust Store Password: Password of the SSL trust store.
    9. SSL Key Store Type: [Read-only] Type of the key store. It is automatically chosen to be the same as the SSL trust store type.
    10. SSL Key Store Location: Fully qualified path of the key store on the agent host.
    11. SSL Key Store Password: Password of the key store.
    12. SSL Server Certificate Distinguished Name: Unique name for the SSL server certificate.

    The JSON format for creating a new secret is as follows:

    If your wallet is PKCS12:

    {
    "sslTrustStoreType": "PKCS12",
    "sslTrustStoreLocation": "/mylocation/ewallet.p12",
    "sslTrustStorePassword": "mypassword",
    "sslKeyStoreType": "PKCS12",
    "sslKeyStoreLocation": "/mylocation/ewallet.p12",
    "sslKeyStorePassword": "mypassword",
    "sslServerCertDn": "C=US,O=OracleCorporation,CN=sslclient"
}

    If your wallet is JKS:

    {
    "sslTrustStoreType": "JKS",
    "sslTrustStoreLocation": "/mylocation/truststore.jks",
    "sslTrustStorePassword": "mypassword",
    "sslKeyStoreType": "JKS",
    "sslKeyStoreLocation": "/mylocation/keystore.jks",
    "sslKeyStorePassword": "mypassword",
    "sslServerCertDn": "C=US,O=OracleCorporation,CN=sslclient"
}
  18. Specify Database connection credentials for the connection.
  19. Username: Provide the user name for the database credentials to be used by this connection.
  20. Password: Provide the pasword for the database credentials to be used by this connection.
  21. Credential name prefix: This string is the first part of the full credential name. Your prefix is prepended to a system-generated Credential name prefix to create the full credential name.
  22. Credential name: (Read-only) Credential name of the connection.
  23. Role: Provide the role for the database credentials to be used by this connection. You can select between NORMAL and SYSDBA.
  24. Specify Network information for the connection.
  25. Virtual cloud network: The VCN in which to create the connection. Click Change compartment to select a VCN in a different compartment.
  26. Subnet: The subnet in which to create the connection.
  27. Network security groups: Optionally, you can specify one or more network security groups (NSGs) for your database. To use NSGs, switch on Use network security groups to control traffic toggle. NSGs function as virtual firewalls, enabling you to apply a set of ingress and egress security rules. A maximum of five NSGs can be specified. Note that you must have a virtual cloud network selected to be able to assign NSGs.
  28. Private IP address for VNIC: The IP address for the connection.
  29. Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator. For more information, see Resource Tags.
  30. Click Connect.

Use the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to create external database connections:

  • CreateExternalDatabaseConnector

For the complete list of APIs for the Database service, see Database Service API.