Service Administration
The topics below cover various Oracle Digital Assistant administration tasks on the OCI console, including managing and monitoring events, metrics, notifications, billing, and the Digital Assistant instances themselves.
Manage Features
In each release of Oracle Digital Assistant, there are sets of optional features that you can enable or disable. You do so by selecting a profile that contains the features you want to have enabled.
To change the optional features that are enabled:
- In Oracle Digital Assistant, click to open the side menu and select Settings > Feature Management.
- From the Current profile dropdown, select the profile that corresponds with the features that you want enabled and disabled.
Audit Trail
Should you need to see a history of user activity in an instance of Oracle Digital Assistant and you have administrator privileges for the instance, you can view the instance's activity logs.
These logs capture granular detail of user sessions, such as listing, creating, editing, and deleting skills.
To browse the logs:
- In the instance, click to open the side menu and select Settings > Audit Trail.
- If you want to see results for more than the current day, go to the Today dropdown and select a different date range.
- Click + Criteria one or more times to create search criteria to home in on the type of activity that you want to view.
- Click Search.
- To see details for a log entry, click the entry.
Example: Searching for Delete Operations
Here's an example of how you can use the search feature to see all delete operations:
- Click + Criteria.
- In the Filter field, select Operation.
- In the Operator field, select Starts With.
- In the value field, enter
Delete
. - Click Search.
In the results for that search, you'll see entries for any operations with names beginning with Delete
, such as DeleteSkill
or DeleteSkillIntent
.
Events for Digital Assistant Instances
You can create automation based on state changes for your Oracle Digital Assistant service instances by using event types, rules, and actions.
For information on how events work, see Overview of Events.
Event Types
These are the event types that Oracle Digital Assistant service instances emit:
Friendly Name | Event Type |
---|---|
Change Digital Assistant Compartment Begin |
|
Change Digital Assistant Compartment End |
|
Create Digital Assistant Instance Begin |
|
Create Digital Assistant Instance End |
|
Delete Digital Assistant Instance Begin |
|
Delete Digital Assistant Instance End |
|
Update Digital Assistant Instance |
|
Example Digital Assistant Service Instance Event
This is a reference event for Oracle Digital Assistant service instances.
{
"id": "ocid1.eventschema.oc1.phx.abyhqljrfajridyag4epdbthdjuhwgkwxxog32ed4e36yx2zotmphyxe3z5q",
"exampleEvent": {
"eventID": "unique_id",
"eventTime": "2019-10-09T13:58:03.575Z",
"contentType": "application/json",
"eventType": "com.oraclecloud.digitalassistant.createodainstance.end",
"cloudEventsVersion": "0.1",
"source": "DigitalAssistant",
"extensions": {
"compartmentId": "ocid1.compartment.oc1..unique_ID"
},
"eventTypeVersion": "2.0",
"data": {
"resourceName": "example_name",
"compartmentId": "ocid1.compartment.oc1..unique_ID",
"availabilityDomain": "all",
"compartmentName": "example_name",
"resourceId": "ocid1.odainstance.oc1.phx.unique_ID"
}
},
"serviceName": "Digital Assistant",
"displayName": "ODA Instance - Create End",
"eventType": "com.oraclecloud.digitalassistant.createodainstance.end",
"additionalDetails": [],
"timeCreated": "2019-10-09T13:58:03.575Z"
}
Metrics, Alarms, Notifications, and Billing
You can monitor the health, performance, and usage of Oracle Digital Assistant service instances in Oracle Cloud Infrastructure by using metrics, alarms, and notifications.
For example, you can:
- See how many messages have been sent over a given period of time by users to skills and digital assistants in your service instance.
- See any errors that have occurred over a given period of time.
- Set alarms to alert you when any of these metrics hit a certain threshold.
For information on how these features work, see Monitoring Overview and Notifications Overview.
Digital Assistant Metrics
Oracle Digital Assistant metrics are emitted with the metric namespace oci_digitalassistant
.
Here are the available metrics for Oracle Digital Assistant instances.
Metric | Metric Display Name | Unit | Description | Dimensions |
---|---|---|---|---|
RuntimeRequests |
Runtime Requests | count |
Number of runtime requests sent to the service. This includes
|
resourceId resourceDisplayName shape |
RuntimeErrorResponses |
Runtime Error Responses | count |
Number of runtime error responses returned during conversations with a skill or digital assistant. This includes API calls that return status codes of 400-499 and 500-599. Such errors may indicate problem with a channel or its configuration. |
resourceId resourceDisplayName shape errorType |
CustomComponentErrorResponses |
Custom Component Error Responses | count | Number of error responses received from custom components or from functions from the Functions service. | resourceId resourceDisplayName shape |
CustomComponentRejectedResponses |
Custom Component Rejected Responses | count |
Number of invalid responses received from custom components or functions from the Functions service. For example, this might include responses with a 200 status code but which are wrapped in malformed JSON. |
resourceId resourceDisplayName shape |
You can view metrics by individual service instance or in aggregated form for all instances.
View Metrics for a Single Instance
To view metrics for an individual service instance:
- In the Infrastructure Console, click on the top left to open the navigation menu, select Analytics & AI, and then click Digital Assistant.
- Select the instance's compartment.
- Select the instance.
- Scroll down to the Metrics section of the page to view the metrics.
View Metrics for All Instances
To view aggregated metrics for all service instances:
- In the Infrastructure Console, click on the top left to open the navigation menu, select Observability & Management, and then click Service Metrics.
- In the Compartments dropdown, select the compartment for which you want to view metrics.
- In the Metric Namespace, select oci_digitalassistant.
Monitor Billing
The Infrastructure Console provides various billing and payment tools that make it easy to monitor your Oracle Digital Assistant billing, service costs, and usage.
To view your billing and usage, perform the following steps:
- Sign in to Oracle Cloud as the cloud account administrator. You can find your account name and login information in your welcome email.
- In the Infrastructure Console, click on the top left to open the navigation menu, select Governance & Administration, and then select one of the following options:
-
Cost Analysis: provides easy-to-use visualization tools to help you track and optimize your spending.
-
Cost and Usage Report: view comma-separated value (CSV) files that can be used to get detailed breakdowns of resources for audit or invoice reconciliation.
Note
The first time you access usage reports, you must create a policy in your root compartment. Follow the instructions on the Usage Report page to create the policy, copying the statements as directed.
-
Budgets: set thresholds for your spending. You can set alerts on your budget to let you know when you might exceed your budget, and you can view all of your budgets and spending from one single place.
-
Invoices: view and download invoices for your usage.
-
For more information on the billing and payment tools, see Billing and Payment Tools Overview.
Stop and Start Instances
You can stop and start instances of Oracle Digital Assistant.
When you stop an instance, the instance's state changes to INACTIVE, which means that the instance can't be accessed and any metering is suspended. Starting an instance returns it to the ACTIVE state, making it available to users and resuming metering.
To stop or start an instance:
- In the Infrastructure Console, click on the top left to open the navigation menu, select Analytics and AI, and select Digital Assistant (which appears under the AI Services category on the page).
- Select the instance's compartment.
- Select the instance.
- Click the Stop or Start button.
Delete an Instance
To permanently delete an instance of Oracle Digital Assistant:
- In the Infrastructure Console, click on the top left to open the navigation menu, select Analytics & AI, and select Digital Assistant (which appears under the AI Services category on the page).
- Select the instance's compartment.
- Select the instance.
- From the More Actions menu, select Delete.
Break Glass
Oracle Break Glass for Oracle Digital Assistant enables you to securely restrict Oracle's access to your cloud environment.
The Break Glass for Oracle Digital Assistant feature is enabled if you have a Digital Assistant instance that is paired with a Fusion-based Oracle Cloud Applications subscription that includes Break Glass.
When you use Break Glass, Oracle Support representatives can access your cloud environment only after relevant approvals and authorization to troubleshoot any issues that may arise in your cloud environment.
Break Glass has these primary features:
- Temporary access approval, in which Oracle personnel can only access instance data through a strict customer approval process. Typically, such a process would only be initiated to help resolve a customer service request.
Such access is time limited. Any temporary access credentials are automatically reset after the agreed upon time.
Such access is logged and detailed reports are available.
- The option to upload your own Transparent Data Encryption (TDE) master encryption key.
By default, your data in the Oracle Cloud environment is encrypted at rest using TDE.
With Break Glass, you can upload your own TDE master encryption key and manage its lifecycle. If you provide your own key, your data will also be protected and audited using Data Vault. You can also periodically update the keys.
Temporary Access Approval
If you submit a service request (SR) and Oracle Support determines that it needs access to some of your data for debugging purposes, you can agree to give them temporary access to your service instance data. Here's the general flow of the process:
- You submit an SR.
- If Oracle Support determines that they need access to any of your data for debugging purposes, they will contact your administrator via email for approval to conduct a Break Glass session. (The email has a link to the Temporary Access Approval page of your Digital Assistant, where your administrator can click Approve or Reject.)
- If your administrator approves the request, a temporary password is generated to enable Oracle Support to start a Break Glass session, in which they can access the required data.
- Once Oracle support completes its work in the Break Glass session, they terminate the session. If they don't explicitly terminate the session, it expires automatically within the timeframe that you have agreed upon.
Provide Your Own Key
By default, Oracle provides and manages the TDE keys for encrypting the data in your Digital Assistant instance.
If your instance has Break Glass enabled, you can also replace the Oracle-provided private key with your own, which also enables you to rotate the keys as you require.
When you first switch to using your own key, you need to allow some time for your instance to be out of service. You should also back up any key artifacts in your instance.
Create and Import Your TDE Master Key
To provide your own key, follow these steps:
- In Oracle Digital Assistant, click to open the side menu and select Settings > Break Glass.
- On the Provide Your Own Key Page, click + Provide Your Own Key.
- Click Public Key to download the Oracle public wrapping key that you will need to encrypt your own transparent data encryption (TDE) master key.
- Use OpenSSL to generate and encrypt your key:
- Create a new directory for the key and assign it to an environment variable:
$ mkdir –p dir_of_key
$ export KEYPATH dir_of_key
- Make sure the directory is restricted:
$ chmod go-rwx $KEYPATH
- Generate the TDE master key:
$ openssl rand 32 > $KEYPATH/clearkey
- Encrypt your generated TDE master key with the Oracle public wrapping key that you downloaded in step 3:
$ openssl pkeyutl -encrypt -in $KEYPATH/clearkey -inkey $KEYPATH/wrappingkey -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 > $KEYPATH/wrappedkey
- Create a new directory for the key and assign it to an environment variable:
- In the External Key Data Source field, upload the encrypted TDE master key (e.g.
wrappedkey
, as in the above example). - In the Email Address field, enter the email address of the person to notify when the reconfiguration of the Digital Assistant instance has finished and the instance is ready to used again.
- Click Submit and then Confirm.
Update the Key
If you have previously provided your own TDE key for your Digital Assistant instance, you can update that key.
- In Oracle Digital Assistant, click to open the side menu and select Settings > Break Glass.
- On the Provide Your Own Key Page, click + Update the key.
- Click Public Key to download the Oracle public wrapping key that you will need to encrypt your own transparent data encryption (TDE) master key.
- Use OpenSSL to generate and encrypt your key:
- Create a new directory for the key and assign it to an environment variable:
$mkdir –p dir_of_key
$ export KEYPATH dir_of_key
- Make sure the directory is restricted:
$ chmod go-rwx $KEYPATH
- Generate the TDE master key:
$ openssl rand 32 > $KEYPATH/clearkey
- Encrypt your generated TDE master key with the Oracle public wrapping key that you downloaded in step 3:
$ openssl pkeyutl -encrypt -in $KEYPATH/clearkey -inkey $KEYPATH/wrappingkey -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 > $KEYPATH/wrappedkey
- Create a new directory for the key and assign it to an environment variable:
- In the External Key Data Source field, upload the encrypted TDE master key.
- Click Submit and then Confirm.
Once you create or update your key, you have to wait 16 days or more before you can update it again.
Disaster Recovery
Oracle Digital Assistant has a high-availability (HA) architecture to prevent against disasters and to smoothly recover from what disasters do occur. Here are some facets of the architecture of Oracle Cloud Infrasture and Digital Assistant that are used to prevent and mitigate disasters:
- Oracle Cloud Infrasture is divided into regions. Each region is separated from other regions by great distances, meaning that disasters such as earthquakes and major weather events that may negatively impact service in one region are extremely unlikely to affect the other regions.
- Within each data center, there are three fault domains, each of which is a physically separate grouping of hardware and infrastructure with its own power supply and cooling.
- The architecture of a single Digital Assistant instance is spread among different fault domains with automated backup, which makes it resilient against any disasters that may occur in that region.
Cross-Region Failover
Oracle Digital Assistant is architected for high availability (HA). However, if you need to ensure that your instance can still function if a disaster strikes your instance's region, you can request to have cross-region failover set up.
When cross-region failover is set up and the primary instance goes down:
- Any runtime requests to the primary instance are redirected to the backup instance.
- A banner appears in the Digital Assistant UI that notes that the backup instance is being used.
- You should not do any work on skills, digital assistants, channels, Insights, or other artifacts (whether through the UI or through REST APIs) in the backup instance. Any changes you make in the backup instance will not be preserved when the primary instance is restored.
When the outage ends:
- Service to the primary instance is restored.
- Any Insights data that has accumulated on the backup instance is preserved and combined with existing Insights data associated with the primary instance.
- Artifacts such as skills and digital assistants are restored to the state they were in when the primary instance went down. (Practically speaking, this simply means any changes that you happen to make to these artifacts in the backup instance won't be preserved.)
Set Up Failover
To set up cross-region failover:
- File a service request (SR) for cross-region failover and, in the request, mention the instance URL of the primary Digital Assistant instance.
- Once the Support team has responded to you with information on which backup regions are available, subscribe to a backup region in the OCI Console.
The Support team will then create the backup instance.
During the failover setup, a system-level skill (named Echo
) is set up in the instance you have specified and exposed through a web channel (named heartbeat
) in that instance. From the backup region, the primary instance is then regularly polled for its health status through this skill.
Private Endpoint
You can set up a private endpoint to give your Oracle Digital Assistant secure access to backend services that are not exposed to the public internet.
For example, you might need to set up a private endpoint to be able to connect to an on-premises database, or a database running in an Oracle Cloud Infrastructure VCN, that you need to use for SQL Dialog skills. Or you may need to connect to REST service that's on-premises or in a VCN.
Set Up a Private Endpoint
To set up a private endpoint for Digital Assistant, you follow these general steps:
- Make sure that you have the required permissions to configure private endpoints and attach them to Digital Assistant instances.
- If you don't already have them in place, on the OCI Console, create a
virtual cloud network (VCN) and its associated resources, including:
- At least one subnet.
- Route tables to route the traffic through the subnet to its destinations.
- Security lists or network security groups to establish a set of ingress and egress security rules that you'll use for the private endpoint.
- Optionally, an Internet gateway to give Internet access to the VCN.
- Optionally, an NAT (Network Address Translation) gateway, which gives resources that don't have public IP addresses access to the Internet without exposing them to incoming Internet connections.
- Create the private endpoint and associate it with your Digital Assistant instance.
- In Digital Assistant, configure a data service or REST service that points to the endpoint.
Permissions for Private Endpoints
To set up private endpoints, you need to have the proper permissions in the Infrastructure Console.
There are two resource types for private endpoints that encompass these required permissions:
oda-private-endpoints
- enables you to configure private endpoints and SCAN proxies.oda-private-endpoint-attachments
- enables you to attach a private endpoint a Digital Assistant instance.
Permissions for those resource types are also part of the oda-family
resource type. So if you are covered by a policy statement to manage
oda-family
resource types in the compartment where your private
endpoint is, you don't have to create separate policies for your private endpoints.
The following are examples of broad policies to enable creation and configuration of private endpoints and attach them to Digital Assistant instances.
allow group <group-name> to manage oda-private-endpoints in compartment <private-endpoint-compartment>
allow group <group-name> to manage oda-private-endpoint-attachments in compartment <private-endpoint-compartment>
For more detail on how policies work, see Digital Assistant Policies.
Create a Policy to Access a Private Endpoint
-
In the Infrastructure Console, click on the top left to open the navigation menu, select Identity & Security, and then click Policies.
A list of the policies in the compartment you're viewing is displayed.
-
From the list of compartments, select the compartment to which you want to attach the policy. This controls who can later modify or delete the policy (see Policy Attachment).
-
Click Create Policy.
-
Complete the wizard, making sure that they name you provide is unique across all policies in your tenancy.
Create a Private Endpoint
- In the Infrastructure Console, click on the top left to open the navigation menu, select Analytics & AI, and select Digital Assistant (which appears under the AI Services category on the page).
- In the left navigation of the AI Services page that appears, click Private endpoints.
- If you haven't already done so, create the compartment where you want to keep the private endpoint and, optionally, add the VCN and subnet you will be using to that compartment.
- Click Create private endpoint and fill in the required fields, including the VCN and private subnet.
- Once the endpoint is created, click Associate ODA Instance, select the compartment that contains the Digital Assistant instance that you want to be able to use the private endpoint, and then select that instance.
Add a Service for the Private Endpoint in Digital Assistant
Once you have created a private endpoint, you need to add a service for that private endpoint to use it in Digital Assistant.
- To add a data service for the private endpoint, see Connect to the Data Service.
- To add a REST service for the private endpoint, see Add a REST Service for an Endpoint.
SCAN Proxies for Private Endpoints
If you are using your private endpoint for a RAC-enabled database, you also need to configure a SCAN proxy for the private endpoint.
To set up a SCAN proxy:
- Get the SCAN DNS name and port number for the database.
- If the database is an on-premises database, get it from the database administrator.
- If the database is on OCI, do the following in the Infrastructure Console:
- Navigate to the DB System Details page for the database and select the DB system information tab.
- In the Network section of the page, copy the SCAN DNS name and paste it in a convenient place.
- Note the Port Number.
- In the Infrastructure Console, click on the top left to open the navigation menu, select Analytics & AI, and select Private endpoints (which appears under the AI Services category on the page).
- Select your private endpoint.
- In the Resources section of the page, select SCAN proxies.
- Click Add SCAN proxy.
- In the Add SCAN proxy dialog, select the type
(FQDN (for fully-qualified domain name) or IP
address) and then fill in the rest of the required fields.
- If you have selected FQDN as the proxy type, use the database's SCAN DNS name for the Host name and the database's port number as the Port.
- If you have selected IP address as the proxy type, click Add SCAN Listener to add IP addresses and port numbers for one or more SCAN listeners in the database.
If you are unsuccessful creating a SCAN proxy through the Infrastructure Console, you can do so with Digital Assistant's management APIs, which you can invoke using the OCI Command-Line Interface (CLI). See Using the OCI CLI to Configure SCAN Proxies.
Using the OCI CLI to Configure SCAN Proxies
You can use the OCI CLI to configure SCAN proxies for a Digital Assistant private endpoint.
See https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm for info on getting the CLI set up.
See https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.47.0/oci_cli_docs/cmdref/oda.html for the command reference for Digital Assistant APIs.
Here are some example CLI commands:
- Get a list of SCAN proxies for an existing Digital Assistant private
endpoint:
$ oci oda management oda-private-endpoint-scan-proxy list --oda-private-endpoint-id <ocid-for-private-endpoint> --region <region-name> --auth security_token --profile oc1_boat
This should return an empty list if no SCAN proxies have been created.
- Create a SCAN proxy for an IP-based SCAN Listener
address:
$ oci oda management oda-private-endpoint-scan-proxy create --scan-listener-type IP --protocol TCP --scan-listener-infos '[{"scan-listener-fqdn": null, "scan-listener-ip": "2.2.2.2", "scan-listener-port": 1521}]' --oda-private-endpoint-id <ocid-for-private-endpoint> --region <region-name> --auth security_token --profile oc1_boat
- Create a SCAN proxy for an FQDN-based SCAN Listener
address:
$ oci oda management oda-private-endpoint-scan-proxy create --scan-listener-type FQDN --protocol TCP --scan-listener-infos '[{"scan-listener-fqdn": "myhost.example.com", "scan-listener-ip": null, "scan-listener-port": 1521}]' --oda-private-endpoint-id <ocid-for-private-endpoint> --region <region-name> --auth security_token --profile oc1_boat
The above examples include the
--auth security_token
and
--profile oc1_boat
, arguments but they might not be necessary,
depending on how you have configured authentication for your CLI installation.
Further Administration Information
Once you have set up your Oracle Digital Assistant instance and its users, you may wish to delve further into setup of your account. Here are some topics containing more details on administering services in Oracle Cloud Infrastructure that you may wish to explore:
Programmatic Creation and Management of Skills and Digital Assistants
The Digital Assistant Service Instance API enables you to programmatically manage skills and their artifacts, digital assistants, and channels. This includes creation, updating, deletion, and training. In addition, you can manage other resources in your instance that your skills depend on, such as authorization services and translation services.
You can access the API through multiple SDKs and a CLI. See the OCI Developer Tools and Resources page for the details.
Packaged Skills
If you are managing multiple Digital Assistant instances, you can programmatically manage packages for those instances as well.
A package can contain some combination of skills and digital assistants as well as specify any required resources, such as translation services, authorization services, and custom parameters that are required for the skills.
You can manage the importing and updating of these packages through the Digital Assistant Service Instance API.
For information on working with the API and the SDKs and the CLI that are based on that API, see the OCI Developer Tools and Resources page.
Importing and Managing Packages
In general, the process for importing packages using the API (either directly or via the CLI or one of the SDKs) is:
- If it doesn't yet exist, create the Oracle Digital Assistant instance where you want to import the package.
- Call
CreateOdaInstance
to create the instance. - From the response to the
CreateOdaInstance
call, take theopc-work-request-id
response header value and use it to callGetWorkRequest
to monitor the progress of the instance creation operation. - Once the instance creation has completed, using the value of the
odaInstanceId
attribute that was returned in the response body to callGetOdaInstance.
- Call
- Call
ListPackages
to see what packages are available for the instance (or instances) that you specify. - For any available packages that you want to import, call
GetPackage
to get the package's import contract.The import contract specifies conditions that need to be satisfied before you can import the package. This might include things like specifying an auth provider and filling in values for custom parameters.
- Satisfy the import contract.
You do so by constructing a payload that provides values for all of the required parameters in the import contract. The payload might looks something like this:
{ "packageId": "<packageId-OCID>", "parameterValues": { "authProvider.providerX.clientSecret": "some value", "authProvider.providerX.authorizationEndpointUrl": "http://host:80/file", "authProvider.providerX.revokeEndpointUrl": "http://host:80/file", "authProvider.providerX.allowedScopes": "some value", "authProvider.providerX.tokenEndpointUrl": "http://host:80/file", "authProvider.IDCS_OAuthForIDR.allowedScopes": "some value", "authProvider.providerX.clientId": "some value", "skillParameter.da.backendRestEndPoint": "http://host:80/file", } }
To simplify this task, the
GetPackage
response contains a section calleddefaultParameterValues
that you can use to assemble the parameter value portion of the payload. - Import the package into the instance(s).
- Call
CreateImportedPackage
using the payload you just assembled. - From the response to the
CreateImportedPackage
call, take theopc-work-request-id
response header value and use it to callGetWorkRequest
to monitor the progress of the package import operation. - Once the package import has completed, using the value of the
odaInstanceId
attribute that was returned in the response body to callGetImportedPackage
to view the package details.
- Call
If an update for a package is available, you can add that updated package to the instance
through the UpdateImportedPackage
operation.