Gian's Database Security Blog

No doubt about it, using a command line interface to get things done is easy and efficient if you know how to use it. For something as comprehensive as the OCI Command Line Interface (oci-cli), figuring out what those commands are can be a little time consuming. My goal for this post is to give you a jump-start with some of these commands, specifically around registering Data Safe targets. I will assume that you already have oci-cli setup; if you don’t, take a look at this Quickstart guide.

Lets look at the command we’re going to need, then I’ll break some of the key components of it:

oci data-safe target-database create --compartment-id <your_compartment_ocid>  --database-details file://database-details.json --connection-option file://connection-option.json --credentials file://credentials.json

The only required parameters of that command are –compartment-id and –database-details. With the exception of –compartment-id, all the parameters I used are defined as “complex type” parameters and as such require you to provide the necessary information in json files. Use the following four commands to generate the sample json files which you can populate with information specific to your environment:

oci data-safe target-database create --generate-param-json-input database-details > database-details.json
oci data-safe target-database create --generate-param-json-input connection-option > connection-option.json
oci data-safe target-database create --generate-param-json-input credentials > credentials.json
oci data-safe target-database create --generate-param-json-input tls-config > tls-config.json

The database-details.json was probably the most challenging one to complete because finding what the supported values for “infrastructureType” wasn’t as straightforward as I would have hoped. So, in the spirit of the jump-start, detailed information about this file and related parameters can be found in the API reference guide here. The raw sample file looks like this:


[
"This parameter should actually be a JSON object rather than an array - pick one of the following object variants to use",
{
"autonomousDatabaseId": "string",
"databaseType": "AUTONOMOUS_DATABASE",
"infrastructureType": "string"
},
{
"databaseType": "DATABASE_CLOUD_SERVICE",
"dbSystemId": "string",
"infrastructureType": "string",
"listenerPort": 0,
"serviceName": "string",
"vmClusterId": "string"
},
{
"databaseType": "INSTALLED_DATABASE",
"infrastructureType": "string",
"instanceId": "string",
"ipAddresses": [
"string",
"string"
],
"listenerPort": 0,
"serviceName": "string"
}
]

The file I used for my database looks something like this:

{
"databaseType": "DATABASE_CLOUD_SERVICE",
"dbSystemId": "ocid1.dbsystem.oc1.phx.anyh.....................6a",
"infrastructureType": "ORACLE_CLOUD",
"listenerPort": 1521,
"serviceName": "pdb1.privatesubnet.vcn123.oraclevcn.com"
}

You may have noticed that my database was running on a private subnet in OCI and as such I had to create a Private Endpoint to allow the Data Safe service to connect to the target. Steps to accomplish that in the OCI Console can be found here, but here is the oci-cli command used to get that done (note that there are route and security list rule changes that need to be made before your Private Endpoint is really usable):

oci data-safe private-endpoint create --compartment-id ocid1.compartment.oc1..aaaaa................5jq --display-name "GFS Private Endpoint" --subnet-id ocid1.subnet.oc1.phx.aaaaa..........kqa --vcn-id ocid1.vcn.oc1.phx.ama.............aaq

Lastly, here are a few additional points to help you get started:

• If you are not using Autonomous Database, you need to create an account at the PDB level of the database and grant it necessary roles and privileges. Documentation for that can be found here.
• The password for said service account needs to have a password of 14 characters or more.