Before you can start using Oracle Cloud Infrastructure Database Migration, you must create Database Migration policies in your tenancy, create any dependent objects needed for the migration, and configure the source and target databases as required.
Before You Begin
Before you begin working with Oracle Cloud Infrastructure Database Migration, you must have an Oracle Cloud Infrastructure account with administrator privileges.
See Add a User with Oracle Cloud Administrator Permissions for details.
Use the following instructions to create the resources that Oracle Cloud Infrastructure Database Migration operations depend on.
Create a Compartment
If you don't already have a compartment, create a compartment in your tenancy.
For more information, see Working with Compartments.
Create a Virtual Cloud Network
Create a Virtual Cloud Network (VCN) with at least one subnet in the compartment.
The subnet must be regional, spanning all availability domains.
For more information, see VCNs and Subnets.
If you don't see your subnet listed, go back and check that it was created as a regional subnet. By default, the VCN wizard creates non-regional subnets.
Create a Database Migration User Group
Create a user group to manage agents, database registrations (connections), migrations, and jobs, and then add users in charge of database migrations to the group.
Create an OCI API Key Pair
Create an OCI API key pair if you intend to directly use the REST API, OCI Software Development Kits and Command Line Interface, or if you are installing the Database Migration agent.
Follow the instructions in Required Keys and OCIDs.
Create Data Transfer Storage
If you are not using a database link to transfer files directly from the source to the target database server, you must set up an Object Storage Service bucket for temporary storage of the Data Pump export dumps.
See Creating a Bucket for details.
Make sure that the file system used for the Data Pump export directory has sufficient space to store Data Pump dump files.
Designate or Create a Vault
Designate a Vault resource and create a key in the Master Encryption Keys for use with Database Migration.
Create a Vault if you do not already have one. See the Vault documentation for details.
Configure Oracle GoldenGate Microservices for Data Replication
If you plan to enable data replication for your migrations, you will need to set up an Oracle GoldenGate Microservices hub, using the instructions in Set Up Oracle GoldenGate for Online Migrations.
Set Up Oracle GoldenGate for Online Migrations
Online migrations with Oracle Cloud Infrastructure Database Migration have a few additional prerequisite tasks, because you must install Oracle GoldenGate Microservices, create GoldenGate users on the source database, and unlock the GoldenGate user on the target database.
Install Oracle GoldenGate Microservices
Oracle Cloud Infrastructure Database Migration service supports Oracle GoldenGate 21c through the stack version of the "Oracle GoldenGate for Oracle - Database Migrations" image available in Oracle Cloud Marketplace. The Oracle GoldenGate 19c version is deprecated. For Oracle GoldenGate 19c, if there are multiple deployments for source and target in separate servers, then:
- You must register the deployments in the Service Manager which is on the IP address that is registered with Oracle Cloud Infrastructure Database Migration.
- The passwords for Service Manager and deployments must be identical.
Deploy the "Oracle GoldenGate for Oracle - Database Migrations" image from Oracle Cloud Marketplace as follows.
The "Database Migrations" version of the Oracle GoldenGate Marketplace image provides limited free licensing for use with OCI Database Migration Service. See the license agreement for details.
Any other use of Oracle GoldenGate requires purchasing a license for the Oracle GoldenGate product. See the Oracle GoldenGate documentation for more information.
- Log in to Oracle Cloud Marketplace.
- Search for the "Oracle GoldenGate for Oracle - Database Migrations" Marketplace listing.
- From the Marketplace search results, select the "Oracle GoldenGate for Oracle - Database Migrations" listing.
Deploy the image using the instructions at Deploying Oracle GoldenGate Microservices on Oracle Cloud Marketplace.
For Oracle Autonomous Database Serverless , Specify the Autonomous Database target during the deployment.
- Ensure that the wallets containing certificates for TLS authentication is located in the correct directory on the GoldenGate instance.
For an Oracle Autonomous Database Serverless target, the wallet file should be located in directory
For Oracle Autonomous Database on Dedicated Exadata Infrastructure targets, you must manually download the wallet file and unpack it to
If the source database is configured to use SSL/TLS, that wallet should also be located in
Verify that the GoldenGate hub subnet allows ingress for port 443.
See the security ingress rules described in the use case in Configuration: Network Isolation by Subnet.
Create GoldenGate Users on the Source Database
On the source database, create a GoldenGate administration user, for
If the source database is multitenant, create the user in the PDB, and
also create a different user in the CDB root, for example
CREATE USER ggadmin IDENTIFIED BY ggadmin_password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp; ALTER USER ggadmin QUOTA 100M ON USERS; GRANT UNLIMITED TABLESPACE TO ggadmin; GRANT CONNECT, RESOURCE TO ggadmin; GRANT SELECT ANY DICTIONARY TO GGADMIN; GRANT CREATE VIEW TO GGADMIN; GRANT EXECUTE ON dbms_lock TO ggadmin; EXEC dbms_goldengate_auth.GRANT_ADMIN_PRIVILEGE('ggadmin');
CREATE USER c##ggadmin IDENTIFIED BY c##ggadmin_password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp; ALTER USER c##ggadmin QUOTA 100M ON USERS; GRANT UNLIMITED TABLESPACE TO c##ggadmin; GRANT CONNECT, RESOURCE TO c##ggadmin container=all; GRANT SELECT ANY DICTIONARY TO C##GGADMIN container=all; GRANT CREATE VIEW TO C##GGADMIN container=all; GRANT EXECUTE ON dbms_lock TO c##ggadmin container=all; EXEC dbms_goldengate_auth.GRANT_ADMIN_PRIVILEGE('c##ggadmin',container=>'all');
Create or Unlock the GoldenGate User on the Target Database
On co-managed targets:
If the target is not Oracle Autonomous Database, create a
ggadmin user in the target PDB. This user is similar to the
ggadmin user you created on the source database, but will require more privileges. See Establishing Oracle GoldenGate Credentials for information about privileges required for a "Replicat all modes" user.
On Autonomous targets:
Autonomous Database has a pre-created
ggadmin user that
you must unlock. These commands need to be run on the GoldenGate marketplace Target
Connect to the target database as
export TNS_ADMIN=/u02/deployments/Target/etc export ORACLE_HOME=/u01/app/client/oracle19 $ $ORACLE_HOME/bin/sqlplus admin/ADW_password@ADW_name
An example of the ADW_name would be targetatp_high.
SQL> ALTER USER ggadmin IDENTIFIED BY ggadmin_password ACCOUNT UNLOCK;
export TNS_ADMIN=/u02/deployments/Target/etc export ORACLE_HOME=/u01/app/client/oracle19 $ORACLE_HOME/bin/sqlplus ggadmin/ADW_password@ADW_name
Oracle Cloud Infrastructure Database Migration Service supports only those scenarios where the Target database and Oracle GoldenGate, both run on private IP addresses.
Giving Permissions to Database Migration Users
Use IAM policies to grant certain capabilities to the Oracle Cloud Infrastructure Database Migration user group.
Previously, in Creating Resources you created a user group for Oracle Cloud Infrastructure Database Migration. Now you will configure group permissions so that members can manage Database Migration resources.
The examples in this procedure use the group name
Remember that only resources within the same compartment can access each other, unless the proper permissions are granted. Ensure that you have the proper permissions to view and select the appropriate VCN and subnet when creating Connections.
Allowing Database Migration resource management
The following statements give a group of users permission to manage connections (database registrations), migrations, agents, and jobs in Database Migration:
allow group dmsGroup to manage odms-connection in compartment dmsCompartment allow group dmsGroup to manage odms-migration in compartment dmsCompartment allow group dmsGroup to manage odms-agent in compartment dmsCompartment allow group dmsGroup to manage odms-job in compartment dmsCompartment
manage permission lets users create and delete
Database Migration resources, such as migrations and database registrations.
Limiting users to only "use" capability
If you want a group of users that only have the ability to use the Database Migration
resources, but not create and delete them, then create a separate group for users
allow group dmsUserGroup to use odms-connection in compartment dmsCompartment allow group dmsUserGroup to use odms-migration in compartment dmsCompartment allow group dmsUserGroup to use odms-agent in compartment dmsCompartment allow group dmsUserGroup to use odms-job in compartment dmsCompartment
Only users with a
manage permission for the
odms-migration resources can create and delete migrations.
Users with the
use permission can perform migrations and edit
resources, but cannot create or delete the resources.
Allowing network resource management
To let users of
dmsGroup manage the network resources for Database
allow group dmsGroup to manage virtual-network-family in compartment dmsCompartment
manage virtual-network-family policy is
restricted because of security reasons then the following policies are required:
allow group dmsGroup to inspect vcns in compartment dmsCompartment allow group dmsGroup to use subnets in compartment dmsCompartment allow group dmsGroup to manage vnic in compartment dmsCompartment
This way, you can view the list of existing VCNs, view and work with subnets, and have all of the permissions on VNIC. These policies are required when you create a database registration.
tag-namespaces and tag management
To let users of
tags, add the policy:
allow group dmsGroup to manage tag-namespaces in compartment dmsCompartment
To apply a defined tag, you must at least have permission to
usethe tag namespace. To learn more about tagging, see Resource Tags.
Configuring SUDO Access
You may need to grant certain users authority to perform operations using
sudo on the source database servers.
sudo access for source database
If the source database server is accessed through SSH, then configure
sudo operations to run without prompting for a password for the
database installed user and the
For example, if database installed user is
sudo su - oracle.
Note that the
opc user is a standard Oracle cloud user
that is used to access database servers, but you can use any privileged user that
root user run
sudo su -.
Also, note that because the target database server is on the cloud only
sudo operations are configured already.
Accessing the Database Migration Service
You can access Oracle Cloud Infrastructure Database Migration using the Oracle Cloud Interface Console (a browser based interface), REST APIs, or Oracle Cloud Infrastructure Software Development Kits and Command Line Interface.
To access Database Migration using the Console:
Use a supported browser to access the Console.
See Signing In to the Console for details.
Enter your cloud tenant, user name, and password, when prompted.
Click Sign in.
In the upper-right corner of the window, select a region that offers the Database Migration service enabled; for example, US East (Ashburn).
Database Migration resources, such as database registrations, migrations, agents, and jobs, are region-specific. Therefore, you want to make sure that you select Database Migration in the region that contains the resources that you need.
From the navigation menu, select Database Migration.
The Migrations page for the Database Migration service is displayed.
Using Database Migration APIs
OCI Database Migration service APIs are documented at https://docs.oracle.com/iaas/api/#/en/database-migration/20210929/.
See REST APIs and Software Development Kits and Command Line Interface for more information about using REST APIs and the OCI Software Development Kits and Command Line Interface.