Upgrade Oracle 19c Autonomous Database to 26ai

 

Introduction:

• You can upgrade Oracle 19c Autonomous Database to 26ai through a scheduled in-place upgrade or by creating a clone.
• In-place Upgrade: this method schedules an in-place upgrade from the Oracle Cloud (OCI) Console, which handles the process automatically during a designated time.
• You may select the earliest available schedule or a future schedule.
• Selecting the earliest available schedule for an upgrade will incur no additional charges.
• Scheduling an upgrade for a future date will reserve additional upgrade resources and will incur additional charges up till the upgrade completes.
• Upgrade windows are available based on the size of the database, connected standbys and refreshable clones. If a date is disabled in the scheduler, it is because the date falls outside available upgrade windows.
• Create a Clone: this method creates a new 26ai version of your 19c database with minimal downtime, allowing for a cutover later.

In this blog, I'll demonstrate upgrading Always Free ADB with In-place Upgrade method.

Prerequisites:

• A free tier or paid Oracle Cloud account
• A provisioned Always free ADB

Steps to upgrade ADB with In-Place Upgrade

1. Open OCI console navigation menu and select Oracle AI Database > Autonomous AI Database.

2. On Autonomous AI Database page, select the right compartment and click on 19c ADB database you want to upgrade.

3. On ADB home page, navigate to Autonomous AI Database Information tab page and click on Schedule upgrade to 26ai button next to Database version property. 

4. On Schedule upgrade to 26ai window, select Schedule option from Select Schedule drop list item, then click Schedule button.

Note: You can only select Earliest available schedule for Always Free ADB as this option doesn't incur additional charges.

5. A work request will be created to schedule ADB upgrade to 26ai. Navigate to Work requests tab page. Notice operation name "Upgrade Autonomous AI Database scheduled time for DB upgrade to 26ai".

6. Navigate back to Autonomous AI Database Information tab page, notice that database upgrade is scheduled to run on Earliest available schedule as highlighted below.

Note: database is still available until the upgrade scheduled time. Database will not be available during upgrade. Database upgrade duration depends on database size.

7. After Oracle has upgraded database on the scheduled time, database version is 26ai now.

That completes the workshop.

Thanks for reading !!!

Create OCI Kubernetes Cluster (OKE)

 

Introduction:

• Oracle Cloud Infrastructure Kubernetes Engine (OKE) is a fully-managed, scalable, and highly available service for deploying containerized applications to the cloud.
• With OKE, you can build, deploy, and manage cloud-native applications using open source Kubernetes that is certified as conformant by the Cloud Native Computing Foundation (CNCF).
• OKE supports a range of deployment options. You can choose to run applications on virtual nodes for serverless operation, on managed nodes for shared responsibility between you and Oracle, or on self-managed nodes when you require advanced customization or specific compute resources, such as GPU or high-performance networking.
• OKE supports multiple compute shapes, including bare metal and virtual machine types, and enables you to select the configuration that best fits your cost, performance, or hardware needs.
• You manage clusters through the OCI Console, REST API, and CLI, and you can access Kubernetes clusters using standard Kubernetes tools such as kubectl, the Kubernetes Dashboard, and the Kubernetes API.

In this blog, I'll demonstrate the following:

• Create OKE cluster 
• Access the OKE in the Oracle Cloud shell using kubectl tool
• Deploy a WebLogic application 

Prerequisites: 

• A free tier or paid Oracle Cloud account
• OCI IAM Compartment

Task #1: Create OCI OKE Cluster

1. Open the navigation menu and select Developer Services > Kubernetes Clusters (OKE).

2. On the Kubernetes Clusters (OKE) window, select the right compartment then click Create cluster.

3. On the Create Cluster page, Quick Create pane is pre-selected. Keep the default selection and click Submit. Quick Create option will create network resources required for OKE deployment (VCN, IG, NAT, SGW).

4. On the Create Cluster (quick) window, name cluster and select compartment & Kubernetes version.

- Kubernetes API endpoint: select Public endpoint pane. The Kubernetes cluster will be hosted on a public subnet with a public IP address auto-generated. 

- Node type: select Managed pane. The Kubernetes nodes are provisioned compute instances in your tenancy.

- Kubernetes worker nodes: select Private workers pane. The Kubernetes worker nodes will be hosted in a private subnet.

- The number of nodes in the node pool: select 1

5. This will start to create a cluster, and takes 7 to 10 minutes to complete.

6. You can view the Kubernetes private nodes under Compute instances. It is only one VM instance in our workshop as the OKE cluster was created with one worker node.

Task #2: Access the OKE in the Cloud shell

1. On the cluster details page, click Access Cluster from Actions menu.

2. Make sure the Cloud Shell Access is selected. Click the Copy link from the command to access kubeconfig for the cluster. Then click Launch Cloud Shell.

3. Paste the copied command to the command shell prompt. Then hit enter.

oci ce cluster create-kubeconfig \

--cluster-id ocid1.cluster.oc1.ca-toronto-1.aaaaaaaaih5bnpzon36xbckvstvx6ejb5zkgbqkbwmqxkwbumcbibec7ngpq \

--file $HOME/.kube/config --region ca-toronto-1 --token-version 2.0.0  \

--kube-endpoint PUBLIC_ENDPOINT

Task #3: Setup WebLogic Domain and Demo Application on OKE

1. Download WebLogic Domain and Application demo zip file to the home directory in the Cloud Shell using below command.

wget https://objectstorage.us-phoenix-1.oraclecloud.com/n/axfo51x8x2ap/b/apmocw-bucket-2022/o/wls-hol.zip

2. Unzip the file. This will create a directory wls-hol.

unzip ~/wls-hol.zip

3. Add executable permission to the shell script files in the folder by running the following command.

chmod +x ~/wls-hol/*.sh

4. Execute the command below to run a shell script from the wls-hol directory. This will create a WebLogic domain on the OKE in your tenancy. The process may take a few minutes to complete.

cd ~/wls-hol; ./deployWls.sh

Ensure that you see the message 'Cluster configuration complete!' and the URL to launch a demo application (http://<Public-IP>/opdemo/?dsname=testDatasource)

5.  Run the kubectl command below to display the information of the services created.

The namespace of the WebLogic Server services in this workshop is sample-domain1-ns.

From the command output from the output above, locate the LoadBalancer service. Note down the External-IP.

kubectl get svc --all-namespaces

kubectl get pod -n sample-domain1-ns

6. On your computer, open a new browser tab and access the application with the following URL

http://<External IP of the Load Balancer>/opdemo/?dsname=testDatasource

That completes the workshop.

Thanks for reading !!!

Securing Oracle Database with Industry Standards and Best Practices

 

Introduction:

• Oracle Enterprise Manager (OEM) provides solution to secure and ensure compliance with security policies defined by security officers and auditors.
• With Audit for Compliance feature, you can secure the entire stack from databases, underlying Linux hosts and Exadata infrastructure with out-of-box security controls.
• For Oracle Databases 12c, 19c, and 23ai, CIS Benchmark is an industry compliance standards that is available out-of-the-box. Besides that, Department of Defense (DoD) Security Technical Implementation Guide (STIG) standard is available out-of-the-box for regulatory requirements.

Importance & Benefit:

• Establish consistent and measurable security baselines.
• Maintain continuous compliance across all Oracle environments.
• Provide audit-ready documentation for regulators and stakeholders.
• Support secure operations and reduce configuration drift.

In this blog, I'll demonstrate how to leverage CIS Benchmark for Oracle Database 19c to secure Pluggable Databases.

Prerequisites:

• Oracle OEM 13.5.0.21 or higher 
• Oracle 19.23 multitenant database discovered by OEM

Task: Securing Pluggable Database with CIS Benchmarks

1. Once logged in OEM, navigate to Enterprise > Compliance > Library

2. Click Compliance Standards tab. To list CIS Benchmarks, search for "Oracle 19c Database CIS".

Select "Pluggable Database" from the "Applicable To" drop list item, then click Search. 

3. Select the row "Oracle 19c Database CIS V1.1.0 - Level 1 - RDBMS using Unified Auditing for Oracle Pluggable Database", then click Associate Targets.

4. Click Add and Select hr.subnet.vcn.oraclevcn.com_FINANCE PDB.

CIS security controls is getting processed and it will take approximately few minutes to complete.

5. To analyze compliance results, navigate to Enterprise > Compliance > Dashboard 

6. At the bottom of the page, you will see Compliance Summary section. Click on Standards tab to see the results of CIS Benchmark assessment.

Click on Non-Compliant Targets number (1 in this demo), pop-up window shows Targets showing the Compliance Score. This indicates pluggable database hr.subnet.vcn.oraclevcn.com_FINANCE  Compliance score is only 41% against the CIS benchmark baseline.

7. To analyze severity, Click on Critical number (92), you will see unique violations for this target. 

8. To see compliance results, click on "Oracle 19c Database CIS V1.1.0 - Level 1 - RDBMS using Unified Auditing". You will see the main CIS categories along with their corresponding CIS control rules and any violations.

The Target Scorecard pie chart displays the overall compliance evaluation status of the monitored target, summarizing its adherence to defined CIS benchmark security policies.

The Rule Evaluations pie chart represents a summary of each rule evaluation status compliant, critical, warning, minor warning, and error in terms of the percentage of rules.

Click on one of the Violation Count numbers. Violation dialog box appears, you can export to Excel for offline analysis. Click Back and Close.

9. Select Violation tab. This table provides comprehensive details for each rule, target name, applicable pluggable database, and violation severity with keywords. You can select an individual violation to view its detailed statement and recommended actions for quick remediation.

You will find Event details on violated rule information, violation details, and a guided resolution option for recommendations. 

Click on Corrective actions. You will see the Corrective Actions pop-up window.

10. select the row labeled CORRECTIVE_ACTION_REVOKE_DBA_ROLE_PRIVILEGE. Choose preferred credentials and click Submit.

11. You will be presented with a pop-up window for Corrective action. Click to view execution details.

12. You will notice that the DBA role job was successfully revoked.

13. Now we will view the remediated status for the pluggable database. 

Navigate to Targets > Databases. Select hr.subnet.vcn.oraclevcn.com_FINANCE pluggable database. You will be navigated to PDB database home page.

14. Click Oracle Database > Configuration > Latest

15. You will see the latest configuration. Click Refresh.

Processing will take about few minutes to complete and get refreshed.

16. Navigate to Enterprise > Compliance > Dashboard

You will notice a reduction in violations from 92 to 91

17. To generate a comprehensive compliance report for CIS compliance standards and its associated pluggable database targets, click on Reports.

18. Report will show Summary of Pass and Failed Rules, Compliance Score, Results Details along with Standard Rules.

That completes the demo.

Thanks for reading !!!