Enable Autonomous Databases & Full Feature Support

Ops Insights allows you to perform advanced and basic collections on your Autonomous Databases via a private endpoint or through secure access from anywhere. These connection methods allows Ops Insights to connect to the database directly and enable Full Features collection, which includes SQL Explorer and ADDM Spotlight.

Prerequisites

To enable data collection on an Autonomous Database the following prerequisites must be met:

Basic: No prerequisites are required.

Full Features: Requires three types of prerequisites: general, for IAM credential based connections, and for Local credential based connections. Ensure general prerequisites are met and the prerequisites for your desired credential connection type.

General prerequisites:
  • If your network requires it, create a Private Endpoint. Make sure you set up the correct network requirements for your database, including the creation of private endpoints. The following table outlines the network requirements by type of autonomous databases:
    ADB Type Access Type Network Requirements
    ADB Serverless (ADB-S) Access Anywhere None
    ADB Serverless (ADB-S) Private Endpoint Same Private Endpoint requirements as cloud databases.
    Note

    Use the ADB private endpoint VCN/Subnet instead of the database VCN/Subnet
    For more information see: Enabling Exadata Systems and Cloud Service Databases
    Note

    For IAM credential connections, a DNS Proxy enabled private endpoint must be used for dedicated Autonomous Databases and shared Autonomous Databases with private endpoint access configured.
    ADB Serverless (ADB-S) ACL (Access Control List) Restricted The private endpoint needs to be placed in one of the whitelisted VCNs. This VCN must have access to the public ADB endpoint, typically via service gateway.

    For more information see: Configure Access Control Lists When You Provision or Clone an Instance

    ADB Dedicated (ADB-D) N/A Same requirements as cloud databases. For more information see: Enabling Exadata Systems and Cloud Service Databases
    Note

    Dedicated Autonomous Databases require a private endpoint with DNS Proxy enabled. Ops Insights private endpoints created prior to September 2023 did not offer DNS proxy. A new private endpoint may need to be created.
  • Create a dynamic group for the Ops Insights resource principal containing the compartment(s) where the autonomous databases being enabled reside.
    Example policy to allow Ops Insights service to generate Autonomous Database wallets:
    allow any-user to read autonomous-database-family in compartment XYZ where
     ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'}
Local Credential Prerequisites
  • Policy to allow Ops Insights service to read the database password secret:
    allow any-user to read secret-family in tenancy where
    ALL{request.principal.type='opsidatabaseinsight', target.vault.id =  'Vault OCID'}
IAM Credential Prerequisites
  • Ops Insights can use IAM based authentication to connect to an Oracle Autonomous database, this allows for a more cloud-friendly and secure solution. With Ops Insights you can write a resource principal policy that enables it to collect performance and SQL-based metrics from the Autonomous Database (same metrics will be collected via this alternate authentication approach).

    For more information on IAM based connections see: About Connecting to an Autonomous Database Instance Using IAM.

    There are two ways to enable IAM connections to your Autonomous Databases, via script or manually. Ops Insights highly recommends to use the script method.
    • To enable IAM connections for your Autonomous Databases using the Ops Insights script (recommended method) follow these steps:
      1. Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
        All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
      2. Run the credential creation script, located in MOS note: OCI : Creating the Autonomous Database Monitoring Credentials for Oracle Cloud Operations Insights (Doc ID 2933173.1).
        Note

        See the script usage instructions at the bottom of the MOS Note for creating the desired database user type.
    • To manually enable IAM connections for your Autonomous Databases follow these steps:
      1. Update Autonomous Database to allow IAM based connections:
        BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION( type => 'OCI_IAM', force => TRUE );
        END;
        /
        # Check if its enabled
        SELECT NAME, VALUE , TYPE FROM V$PARAMETER WHERE NAME='identity_provider_type';
      2. Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
        All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
      3. Create monitoring role with necessary grants to create session and connect; and also the grants to the tables OPSI collects from:
        CREATE ROLE DbTokenRole IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
      4. Create a new database user (global) and assign it the role created in step 3:
        CREATE USER TESTDBUSER IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
        GRANT CREATE SESSION, CONNECT TO testDbTokenRole;
        # Need rest of grants within aforementioned script for OPSI collections to work properly

Enable Autonomous Databases

To enable one or more Autonomous Databases for Ops Insights, log in to OCI and do the following:

  1. Open the navigation menu and click Observability and Management. Under Ops Insights, click Administration and then Database Fleet.The Database Fleet Administration page displays.
  2. Click Add Databases. The Add Databases to Ops Insights dialog displays.Add Autonomous Database
  3. Under Telemetry click on Cloud Infrastructure. Under cloud database type select Autonomous Oracle Databases.
  4. Select the Compartment that contains the database that you want to enable for Ops Insights. Optionally, if there are many databases and you know which ones you want to enable, you can filter the returned results based on database type.
  5. Select one or more Autonomous Databases to enable. In this step you can also setup the collection type for your Autonomous Database, by default the check mark option under Full features set is selected. This allows for Full Features collection, deselecting this will limit to Basic Features (Capacity Planning and SQL Warehouse).
    To enable Full Feature collections click on Set connection properties to setup the Full Feature connection. This opens the Set full feature credentials window. In this window you can select whether an IAM credential connection or a local database credential option.
    • For an IAM credential, ensure the IAM connection prerequisites mentioned above have been completed and follow these steps:IAM Credential
      1. Select the IAM Credential radio button
      2. Optional, if prompted complete the missing prerequisite policies
      3. Enter the connection string for IAM
      4. Click on Save changes
      5. Ensure that the Prerequisites field shows Complete for all Autonomous Databases to be added
    • For a Local credential follow these steps:Local credential
      1. Select the Local Credential radio button
      2. Enter the Database user name
      3. Enter the Database user password secret and verify the compartment chosen
        Note

        If you wish to enter a new password secret click on Create password Secret and enter the name, description, compartment, vault, encryption key, and user password. Once entered click onCreate password secret.
      4. Enter the Connection string
      5. Click on Save changes
      6. Ensure that the Prerequisites field shows Complete for all Autonomous Databases to be added

    If you have chosen Basic Features, deselect the Full features set check mark from the selected databases.

  6. Once you have selected the Autonomous Databases, and configured the feature type (basic or full) and the connection type for Full Features, click Add Databases. This will bring you to the main Database Fleet page where you can monitor the progress for the newly added databases. Once the state shows as Active the process has successfully completed.

Upgrade an Existing Autonomous Database to Full Features Collection

To enable Full Features collection for an existing Autonomous Database that is set up for basic collection follow these steps:
  1. Log into OCI, navigate to Observability and Management, then Ops Insights and click on Administration.
  2. Under Administration select Database Fleet. This will show you the Database Fleet Administration table where all your databases that have an enabled Ops Insights state are displayed. Autonomous Databases with an Active state and a Basic Feature Set are eligible for Full Feature enabling.
  3. Select an Autonomous Database you wish to enable the advanced features for and click on the three dots menu located at the right end of the table. From the menu select Enable Full Feature Set.
  4. In the Enable Full Feature Set window select either IAM or Local credentials.
    Note

    Databases configured with ACL restricted or private endpoint access, and ADB-D require private endpoint connections.

    The connect string information is automatically filled out by the service.

    If you have not previously created the policies to generate Autonomous Database wallets click on Complete the prerequisites, and then click on Apply.

    Click Enable.
    Note

    ADB-D databases require new private endpoints that have DNS proxy enabled selected. If this parameter is not selected, you will not see existing private endpoints in the drop down menu for these types of databases.
  5. In the Database Fleet Administration table, the Autonomous Database under the Ops Insights State row will now show Full, advanced features are now being collected.