Create a Compartment

If you don't already have a compartment, create a compartment in your tenancy.

For more information, see Working with Compartments.

Create a Virtual Cloud Network

Create a Virtual Cloud Network (VCN) with at least one subnet in the compartment.

The subnet must be regional, spanning all availability domains.

For more information, see VCNs and Subnets.

Create a Database Migration User Group

Create a user group to manage agents, database registrations (connections), migrations, and jobs, and then add users in charge of database migrations to the group.

Take note of the group name. You will create policies for the group in Creating Resource Policies. For more information, see Managing Groups.

Create an OCI API Key Pair

Create an OCI API key pair if you intend to directly use the REST API, OCI Software Development Kits and Command Line Interface, or if you are installing the Database Migration agent.

Follow the instructions in Required Keys and OCIDs.

Create Data Transfer Storage

If you are not using a database link to transfer files directly from the source to the target database server, you must set up an Object Storage Service bucket for temporary storage of the Data Pump export dumps.

See Creating a Bucket for details.

Make sure that the file system used for the Data Pump export directory has sufficient space to store Data Pump dump files.

Designate or Create a Vault

Designate a Vault resource and create a key in the Master Encryption Keys for use with Database Migration.

Create a Vault if you do not already have one. See the Vault documentation for details.

Configure Oracle GoldenGate Microservices for Data Replication

If you plan to enable data replication for your migrations, you will need to set up an Oracle GoldenGate Microservices hub, using the instructions in Set Up Oracle GoldenGate for Online Migrations.

Install Oracle GoldenGate Microservices

1. Deploy the "Oracle GoldenGate for Oracle - Database Migrations" image from Oracle Cloud Marketplace as follows.

   The "Database Migrations" version of the Oracle GoldenGate Marketplace image provides limited free licensing for use with OCI Database Migration Service. See the license agreement for details.

   Any other use of Oracle GoldenGate requires purchasing a license for the Oracle GoldenGate product. See the Oracle GoldenGate documentation for more information.

   1. Log in to Oracle Cloud Marketplace.
   2. Search for the "Oracle GoldenGate for Oracle - Database Migrations" Marketplace listing.
   3. From the Marketplace search results, select the "Oracle GoldenGate for Oracle - Database Migrations" listing.

   4. Deploy the image using the instructions at Deploying Oracle GoldenGate Microservices on Oracle Cloud Marketplace.

      For Oracle Autonomous Database Serverless , Specify the Autonomous Database target during the deployment.

2. Ensure that the wallets containing certificates for TLS authentication is located in the correct directory on the GoldenGate instance.

   For an Oracle Autonomous Database Serverless target, the wallet file should be located in directory /u02/deployments/deployment_name/etc/adb

   For Oracle Autonomous Database on Dedicated Exadata Infrastructure targets, you must manually download the wallet file and unpack it to /u02/deployments/deployment_name/etc/adb.

   If the source database is configured to use SSL/TLS, that wallet should also be located in /u02/deployments/deployment_name/etc

3. Verify that the GoldenGate hub subnet allows ingress for port 443.

   See the security ingress rules described in the use case in Configuration: Network Isolation by Subnet.

Create GoldenGate Users on the Source Database

On the source database, create a GoldenGate administration user, for example ggadmin.

If the source database is multitenant, create the user in the PDB, and also create a different user in the CDB root, for example c##ggadmin.

To create ggadmin:

CREATE USER ggadmin IDENTIFIED BY ggadmin_password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;
ALTER USER ggadmin QUOTA 100M ON USERS;
GRANT UNLIMITED TABLESPACE TO ggadmin;
GRANT CONNECT, RESOURCE TO ggadmin;
GRANT SELECT ANY DICTIONARY TO GGADMIN;
GRANT CREATE VIEW TO GGADMIN;
GRANT EXECUTE ON dbms_lock TO ggadmin;
EXEC dbms_goldengate_auth.GRANT_ADMIN_PRIVILEGE('ggadmin');

To create c##ggadmin:

CREATE USER c##ggadmin IDENTIFIED BY c##ggadmin_password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;
ALTER USER c##ggadmin QUOTA 100M ON USERS;
GRANT UNLIMITED TABLESPACE TO c##ggadmin;
GRANT CONNECT, RESOURCE TO c##ggadmin container=all;
GRANT SELECT ANY DICTIONARY TO C##GGADMIN container=all;
GRANT CREATE VIEW TO C##GGADMIN container=all;
GRANT EXECUTE ON dbms_lock TO c##ggadmin container=all;
EXEC dbms_goldengate_auth.GRANT_ADMIN_PRIVILEGE('c##ggadmin',container=>'all');

Create or Unlock the GoldenGate User on the Target Database

On co-managed targets:

If the target is not Oracle Autonomous Database, create a ggadmin user in the target PDB. This user is similar to the ggadmin user you created on the source database, but will require more privileges. See Establishing Oracle GoldenGate Credentials for information about privileges required for a "Replicat all modes" user.

On Autonomous targets:

Autonomous Database has a pre-created ggadmin user that you must unlock. These commands need to be run on the GoldenGate marketplace Target instance.

1. Connect to the target database as admin.

   export TNS_ADMIN=/u02/deployments/Target/etc
   export ORACLE_HOME=/u01/app/client/oracle19
   $ $ORACLE_HOME/bin/sqlplus admin/ADW_password@ADW_name

   An example of the ADW_name would be targetatp_high.

2. Unlock ggadmin.

   SQL> ALTER USER ggadmin IDENTIFIED BY ggadmin_password ACCOUNT UNLOCK;

3. Verify that ggadmin is unlocked.

   export TNS_ADMIN=/u02/deployments/Target/etc
   export ORACLE_HOME=/u01/app/client/oracle19
   $ORACLE_HOME/bin/sqlplus ggadmin/ADW_password@ADW_name

Previously, in Creating Resources you created a user group for Oracle Cloud Infrastructure Database Migration. Now you will configure group permissions so that members can manage Database Migration resources.

The examples in this procedure use the group name dmsGroup.

Remember that only resources within the same compartment can access each other, unless the proper permissions are granted. Ensure that you have the proper permissions to view and select the appropriate VCN and subnet when creating Connections.

Allowing Database Migration resource management

The following statements give a group of users permission to manage connections (database registrations), migrations, agents, and jobs in Database Migration:

allow group dmsGroup to manage odms-connection in compartment dmsCompartment
allow group dmsGroup to manage odms-migration in compartment dmsCompartment
allow group dmsGroup to manage odms-agent in compartment dmsCompartment
allow group dmsGroup to manage odms-job in compartment dmsCompartment

The manage permission lets users create and delete Database Migration resources, such as migrations and database registrations.

Limiting users to only "use" capability

If you want a group of users that only have the ability to use the Database Migration resources, but not create and delete them, then create a separate group for users and replace manage with use.

allow group dmsUserGroup to use odms-connection in compartment dmsCompartment
allow group dmsUserGroup to use odms-migration in compartment dmsCompartment
allow group dmsUserGroup to use odms-agent in compartment dmsCompartment
allow group dmsUserGroup to use odms-job in compartment dmsCompartment

Only users with a manage permission for the odms-migration resources can create and delete migrations. Users with the use permission can perform migrations and edit resources, but cannot create or delete the resources.

Allowing network resource management

To let users of dmsGroup manage the network resources for Database Migration resources:

allow group dmsGroup to manage virtual-network-family in compartment dmsCompartment

If the manage virtual-network-family policy is restricted because of security reasons then the following policies are required:

allow group dmsGroup to inspect vcns in compartment dmsCompartment
allow group dmsGroup to use subnets in compartment dmsCompartment
allow group dmsGroup to manage vnic in compartment dmsCompartment

This way, you can view the list of existing VCNs, view and work with subnets, and have all of the permissions on VNIC. These policies are required when you create a database registration.

Allowing tag-namespaces and tag management

To let users of dmsGroup manage tag-namespaces and tags, add the policy:

allow group dmsGroup to manage tag-namespaces in compartment dmsCompartment

To configure sudo access for source database servers:

If the source database server is accessed through SSH, then configure sudo operations to run without prompting for a password for the database installed user and the root user.

For example, if database installed user is oracle, then run sudo su - oracle.

Note that the opc user is a standard Oracle cloud user that is used to access database servers, but you can use any privileged user that has sudo privileges.

For the root user run sudo su -.

Also, note that because the target database server is on the cloud only any sudo operations are configured already.

Using Database Migration APIs

OCI Database Migration service APIs are documented at https://docs.oracle.com/iaas/api/#/en/database-migration/20210929/.

See REST APIs and Software Development Kits and Command Line Interface for more information about using REST APIs and the OCI Software Development Kits and Command Line Interface.