Enable Autonomous Databases & Full Feature Support
Ops Insights allows you to perform advanced and basic collections on your Autonomous Databases via a private endpoint or through secure access from anywhere. These connection methods allow Ops Insights to connect to the database directly and enable Full Features collection, which includes SQL Explorer and ADDM Spotlight.
Prerequisites
To enable data collection on an Autonomous Database, the following prerequisites must be met:
- Basic: No prerequisites are required.
- Full Features: Requires three types of prerequisites: general, for IAM credential based connections, and for Local credential based connections. Ensure the general prerequisites are met, along with the prerequisites for your desired credential connection type.
- If your network requires it, create a Private Endpoint. Make sure you set up the correct network requirements for your database, including the creation of private endpoints. The following table outlines the network requirements by type of Autonomous Database:

| ADB Type | Access Type | Network Requirements |
| --- | --- | --- |
| ADB Serverless (ADB-S) | Access Anywhere | None |
| ADB Serverless (ADB-S) | Private Endpoint | Same Private Endpoint requirements as cloud databases. Note: For more information see: Enabling Exadata Systems and Cloud Service Databases. Use the ADB private endpoint VCN/Subnet instead of the database VCN/Subnet. Note: For IAM credential connections, a DNS Proxy enabled private endpoint must be used for dedicated Autonomous Databases and shared Autonomous Databases with private endpoint access configured. |
| ADB Serverless (ADB-S) | ACL (Access Control List) Restricted | The private endpoint needs to be placed in one of the whitelisted VCNs. This VCN must have access to the public ADB endpoint, typically via service gateway. For more information see: Configure Access Control Lists When You Provision or Clone an Instance |
| ADB Dedicated (ADB-D) | N/A | Same requirements as cloud databases. For more information see: Enabling Exadata Systems and Cloud Service Databases. Note: Dedicated Autonomous Databases require a private endpoint with DNS Proxy enabled. Ops Insights private endpoints created prior to September 2023 did not offer DNS proxy. A new private endpoint may need to be created. |

- Create a dynamic group for the Ops Insights resource principal containing the compartment(s) where the Autonomous Databases being enabled reside.
Example policy to allow Ops Insights service to generate Autonomous Database wallets:
allow any-user to read autonomous-database-family in compartment XYZ where ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'}
- Policy to allow Ops Insights service to read the database password secret:
allow any-user to read secret-family in tenancy where ALL{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'}
- Ops Insights can use IAM based authentication to connect to an Oracle Autonomous Database, which allows for a more cloud-friendly and secure solution. With Ops Insights you can write a resource principal policy that enables it to collect performance and SQL-based metrics from the Autonomous Database (the same metrics are collected via this alternate authentication approach).
For more information on IAM based connections see: About Connecting to an Autonomous Database Instance Using IAM.
There are two ways to enable IAM connections to your Autonomous Databases: via script or manually. Ops Insights highly recommends using the script method.
- To enable IAM connections for your Autonomous Databases using the Ops Insights script (recommended method), follow these steps:
- Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
- Run the credential creation script, located in MOS note: OCI : Creating the Autonomous Database Monitoring Credentials for Oracle Cloud Operations Insights (Doc ID 2933173.1).
Note
See the script usage instructions at the bottom of the MOS Note for creating the desired database user type.
- To manually enable IAM connections for your Autonomous Databases follow these steps:
- Update Autonomous Database to allow IAM based connections:
BEGIN
  DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
    type => 'OCI_IAM',
    force => TRUE );
END;
/
-- Check if it's enabled
SELECT NAME, VALUE, TYPE FROM V$PARAMETER WHERE NAME='identity_provider_type';
- Create a dynamic group containing the OPSI resource (for example, iam_admin_dg_grp):
All {instance.compartment.id = '<compartmentid>', request.principal.type='opsidatabaseinsight'}
- Create a monitoring role with the necessary grants to create session and connect, and also the grants to the tables OPSI collects from:
CREATE ROLE DbTokenRole IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
- Create a new database user (global) and assign it the role created in step 3:
CREATE USER TESTDBUSER IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=iam_admin_dg_grp';
-- Grant to the role created in the previous step (DbTokenRole)
GRANT CREATE SESSION, CONNECT TO DbTokenRole;
-- The rest of the grants in the aforementioned script are needed for OPSI collections to work properly
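The two policy statements in the general prerequisites are written for any-user and depend entirely on their where conditions for scoping. The following is an added example, not Oracle's code: the audit function and its rules are assumptions made here, and it checks statements of that shape for a missing principal-type condition, a verb broader than read, a missing wallet-operation condition, and a vault condition that is absent or still holds the 'Vault OCID' placeholder.

```python
import re

# Statement shape used by the two policies on this page.
# Assumption: compartment names are a single word; anything else is sent to manual review.
STMT = re.compile(
    r"^allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+ALL\s*\{(?P<conds>.*)\}\s*)?$",
    re.IGNORECASE,
)
COND = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")
PRINCIPAL = "opsidatabaseinsight"
WALLET_OP = "GenerateAutonomousDatabaseWallet"

def audit(statement):
    """Return least-privilege findings for one policy statement (hypothetical helper)."""
    m = STMT.match(statement.strip())
    if not m:
        return ["statement does not match the expected shape; review by hand"]
    conds = {k.lower(): v for k, v in COND.findall(m["conds"] or "")}
    resource, findings = m["resource"].lower(), []
    if m["subject"].lower() == "any-user" and conds.get("request.principal.type") != PRINCIPAL:
        findings.append("any-user is not limited to the Ops Insights principal type")
    if m["verb"].lower() not in ("inspect", "read"):
        findings.append("verb is broader than read")
    if resource == "autonomous-database-family" and conds.get("request.operation") != WALLET_OP:
        findings.append("not limited to the wallet-generation operation")
    if resource == "secret-family":
        vault = conds.get("target.vault.id", "")
        if not vault:
            findings.append("secret read is not pinned to a vault")
        elif not vault.startswith("ocid1.vault."):
            findings.append("target.vault.id is not a vault OCID (placeholder left in?)")
    return findings

SAMPLES = [
    # The two statements from this page, verbatim
    "allow any-user to read autonomous-database-family in compartment XYZ where "
    "ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'}",
    "allow any-user to read secret-family in tenancy where "
    "ALL{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'}",
    # Constructed weak variants, for illustration only
    "allow any-user to read secret-family in tenancy",
    "allow any-user to manage autonomous-database-family in tenancy where "
    "ALL{request.principal.type='opsidatabaseinsight'}",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s) or "ok", "<-", s[:60])
```

The second page statement is flagged only because the documentation placeholder has not yet been replaced with a real vault OCID.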
Enable Autonomous Databases
To enable one or more Autonomous Databases for Ops Insights, log in to OCI and do the following:
- Open the navigation menu and click Observability and Management. Under Ops Insights, click Administration and then Database Fleet. The Database Fleet Administration page displays.
- Click Add Databases. The Add Databases to Ops Insights dialog displays.
- Under Telemetry click on Cloud Infrastructure. Under cloud database type select Autonomous Oracle Databases.
- Select the Compartment that contains the database that you want to enable for Ops Insights. Optionally, if there are many databases and you know which ones you want to enable, you can filter the returned results based on database type.
- Select one or more Autonomous Databases to enable. In this step you can also set up the collection type for your Autonomous Database. By default, the check mark option under Full features set is selected, which allows for Full Features collection. Deselecting it limits collection to Basic Features (Capacity Planning and SQL Warehouse).
To enable Full Feature collections, click on Set connection properties to set up the Full Feature connection. This opens the Set full feature credentials window. In this window you can select either an IAM credential connection or a local database credential option.
- For an IAM credential, ensure the IAM connection prerequisites mentioned above have been completed and follow these steps:
- Select the IAM Credential radio button
- Optional: if prompted, complete the missing prerequisite policies
- Enter the connection string for IAM
- Click on Save changes
- Ensure that the Prerequisites field shows Complete for all Autonomous Databases to be added
- For a Local credential follow these steps:
- Select the Local Credential radio button
- Enter the Database user name
- Enter the Database user password secret and verify the compartment chosen
Note
If you wish to enter a new password secret click on Create password Secret and enter the name, description, compartment, vault, encryption key, and user password. Once entered click on Create password secret.
- Enter the Connection string
- Click on Save changes
- Ensure that the Prerequisites field shows Complete for all Autonomous Databases to be added
If you have chosen Basic Features, deselect the Full features set check mark from the selected databases.
- Once you have selected the Autonomous Databases, and configured the feature type (basic or full) and the connection type for Full Features, click Add Databases. This will bring you to the main Database Fleet page where you can monitor the progress for the newly added databases. Once the state shows as Active the process has successfully completed.
Upgrade an Existing Autonomous Database to Full Features Collection
- Log into OCI, navigate to Observability and Management, then Ops Insights and click on Administration.
- Under Administration select Database Fleet. This will show you the Database Fleet Administration table where all your databases that have an enabled Ops Insights state are displayed. Autonomous Databases with an Active state and a Basic Feature Set are eligible for Full Feature enabling.
- Select an Autonomous Database you wish to enable the advanced features for and click on the three dots menu located at the right end of the table. From the menu select Enable Full Feature Set.
- In the Enable Full Feature Set window select either IAM or Local credentials.
Note
Databases configured with ACL restricted or private endpoint access, and ADB-D, require private endpoint connections. The connect string information is automatically filled out by the service.
If you have not previously created the policies to generate Autonomous Database wallets click on Complete the prerequisites, and then click on Apply.
Click Enable.
Note
ADB-D databases require new private endpoints that have DNS proxy enabled selected. If this parameter is not selected, you will not see existing private endpoints in the drop down menu for these types of databases.
- In the Database Fleet Administration table, the Autonomous Database under the Ops Insights State row will now show Full; advanced features are now being collected.