Showing posts with label ADB. Show all posts

Saturday, November 22, 2025

Upgrade Oracle 19c Autonomous Database to 26ai

 

Introduction:

  • You can upgrade Oracle 19c Autonomous Database to 26ai through a scheduled in-place upgrade or by creating a clone.
  • In-place Upgrade: this method schedules an in-place upgrade from the Oracle Cloud (OCI) Console, which handles the process automatically during a designated time.
    • You may select the earliest available schedule or a future schedule.
    • Selecting the earliest available schedule for an upgrade will incur no additional charges.
    • Scheduling an upgrade for a future date will reserve additional upgrade resources and will incur additional charges until the upgrade completes.
    • Upgrade windows are available based on the size of the database, connected standbys and refreshable clones. If a date is disabled in the scheduler, it is because the date falls outside available upgrade windows.
  • Create a Clone: this method creates a new 26ai version of your 19c database with minimal downtime, allowing for a cutover later.

In this blog, I'll demonstrate upgrading an Always Free ADB with the in-place upgrade method.

Prerequisites:
  • A free tier or paid Oracle Cloud account
  • A provisioned Always free ADB

Steps to upgrade ADB with In-Place Upgrade

1. Open OCI console navigation menu and select Oracle AI Database > Autonomous AI Database.

























2. On Autonomous AI Database page, select the right compartment and click on 19c ADB database you want to upgrade.

















3. On ADB home page, navigate to Autonomous AI Database Information tab page and click on Schedule upgrade to 26ai button next to Database version property. 


























4. On the Schedule upgrade to 26ai window, select the Schedule option from the Select Schedule drop-down list, then click the Schedule button.

Note: You can only select Earliest available schedule for Always Free ADB as this option doesn't incur additional charges.
















5. A work request will be created to schedule ADB upgrade to 26ai. Navigate to Work requests tab page. Notice operation name "Upgrade Autonomous AI Database scheduled time for DB upgrade to 26ai".













6. Navigate back to Autonomous AI Database Information tab page, notice that database upgrade is scheduled to run on Earliest available schedule as highlighted below.

Note: database is still available until the upgrade scheduled time. Database will not be available during upgrade. Database upgrade duration depends on database size.



























7. After Oracle has upgraded the database at the scheduled time, the database version is now 26ai.
































That completes the workshop.
Thanks for reading !!!

Tuesday, September 16, 2025

Oracle Database Vault on Autonomous Database

 

Business Introduction:

  • Oracle Database Vault is a security feature built into Autonomous Database Shared that enforces separation of duties and controls access to sensitive application data.
  • It lets organizations restrict even highly privileged users (like DBAs) from directly viewing or altering sensitive business data, while still allowing them to perform administrative tasks.
  • Oracle Database Vault secures existing database environments transparently, eliminating costly and time consuming application changes.
Business Importance:
  • Protects sensitive data against insider threats and misconfigurations.
  • Meets compliance requirements by controlling who can access what.
  • Reduces risk exposure by preventing unauthorized or accidental access by administrators.
  • Strengthens trust with customers and regulators by proving strong internal data controls.
Potential ROI:
  • Reduced compliance costs: built-in controls help meet audit requirements faster, with less manual work.
  • Avoidance of fines & breaches: one data breach or regulatory violation can cost millions in penalties and reputation damage.
  • Business continuity & trust: demonstrating strong data governance can improve customer confidence and shorten sales cycles in regulated industries.

In this blog, I'll demonstrate the following:
  • Enable Database Vault in an Autonomous Database Shared
  • Protect sensitive data using a Database Vault realm

Prerequisites:
  • A free tier or paid Oracle Cloud account
  • Oracle Autonomous Database Shared (serverless ADB service) 

Note: The Configure/Enable/Disable DV command syntax, which will be used in this blog, is only for Autonomous Database Shared. Other Oracle database flavors use a slightly different syntax.

Task #1: Set Up Application Schema and Users


1. In Autonomous database details page, open SQL worksheet.











2. Create the application schema.

CREATE USER appschema IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION, CREATE TABLE TO appschema;
GRANT UNLIMITED TABLESPACE TO appschema;
BEGIN
   ORDS_ADMIN.ENABLE_SCHEMA(
   p_enabled => TRUE,
   p_schema => UPPER('appschema'),      
   p_url_mapping_type => 'BASE_PATH',
   p_url_mapping_pattern => LOWER('appschema'),
   p_auto_rest_auth => TRUE);
END;
/
CREATE TABLE appschema.customers AS SELECT * FROM sh.customers;
CREATE TABLE appschema.countries AS SELECT * FROM sh.countries;











3. Create the working users.

-- Create DBA_USER user
CREATE USER dba_user IDENTIFIED BY WElcome_123#;
GRANT PDB_DBA TO dba_user;
BEGIN
   ORDS_ADMIN.ENABLE_SCHEMA(
    p_enabled => TRUE,
    p_schema => UPPER('dba_user'),
    p_url_mapping_type => 'BASE_PATH',
    p_url_mapping_pattern => LOWER('dba_user'),
    p_auto_rest_auth => TRUE);
END;
/
-- Create APPUSER user
CREATE USER appuser IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION, READ ANY TABLE TO appuser;
BEGIN
   ORDS_ADMIN.ENABLE_SCHEMA(
    p_enabled => TRUE,
    p_schema => UPPER('appuser'),
    p_url_mapping_type => 'BASE_PATH',
    p_url_mapping_pattern => LOWER('appuser'),
    p_auto_rest_auth => TRUE);
END;
/






















Task #2: Enable Database Vault


1. Create DV owner and DV account manager user accounts.
  • DV_ADMIN_OWNER is the owner of DV objects
  • DV_ADMIN_ACCTS creates users and changes user passwords

-- Create DV owner
CREATE USER dv_admin_owner IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION TO dv_admin_owner;
GRANT SELECT ANY DICTIONARY TO dv_admin_owner;
GRANT AUDIT_ADMIN to dv_admin_owner;

-- Create DV account manager
CREATE USER dv_admin_accts IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION TO dv_admin_accts;
GRANT AUDIT_ADMIN to dv_admin_accts;

-- Enable SQL Worksheet for the users just created
BEGIN
   ORDS_ADMIN.ENABLE_SCHEMA(
    p_enabled => TRUE,
    p_schema => UPPER('dv_admin_owner'),
    p_url_mapping_type => 'BASE_PATH',
    p_url_mapping_pattern => LOWER('dv_admin_owner'),
    p_auto_rest_auth => TRUE);
   ORDS_ADMIN.ENABLE_SCHEMA(
    p_enabled => TRUE,
    p_schema => UPPER('dv_admin_accts'),
    p_url_mapping_type => 'BASE_PATH',
    p_url_mapping_pattern => LOWER('dv_admin_accts'),
    p_auto_rest_auth => TRUE);
END;
/













2. Configure the database vault user accounts.

EXEC DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT('dv_admin_owner', 'dv_admin_accts')










3. Verify DV is configured but not yet enabled.

SELECT * FROM DBA_DV_STATUS;













4. Enable Database Vault.

EXEC DBMS_CLOUD_MACADM.ENABLE_DATABASE_VAULT;











5. Restart Autonomous Database using the OCI console to complete the DV enabling process, then check the DV status again.

SELECT * FROM DBA_DV_STATUS;













6. Once DV is enabled, DBA_USER can no longer create, alter, or drop database user accounts, even though DBA_USER has the PDB_DBA role. The duties of DBA_USER are separate from the duties of the DV account administrator (DV_ADMIN_ACCTS) and the DV security administrator (DV_ADMIN_OWNER).




Task #3: Create a Simple DV Realm

Now we create a DV realm to secure table APPSCHEMA.CUSTOMERS from access by DBA_USER and APPSCHEMA and grant access to APPUSER only.



  • A realm is a protected zone inside the database where database schemas, objects, and roles can be secured.
  • After you have secured these into a realm, you can use the realm to control the use of system and object privileges by specific accounts or roles.
  • This enables you to enforce context-sensitive access controls for anyone who wants to use these schemas, objects, and roles.

1. Connect to database and confirm you can query table APPSCHEMA.CUSTOMERS as users (DBA_USER, APPSCHEMA, and APPUSER) before creating DV realm.

SELECT cust_id, cust_first_name, cust_last_name, cust_email, cust_main_phone_number
   FROM appschema.customers
   WHERE rownum < 5;











2. Create a realm to secure APPSCHEMA tables by running below PL/SQL block as DV owner user (DV_ADMIN_OWNER).

   BEGIN
      DVSYS.DBMS_MACADM.CREATE_REALM(
          realm_name => 'PROTECT_APPSCHEMA'
          ,description => 'A mandatory realm to protect APPSCHEMA tables'
          ,enabled => DBMS_MACUTL.G_YES
          ,audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL
          ,realm_type => 1);
   END;
   /
-- Show the current DV realm
SELECT name, description, enabled FROM dba_dv_realm WHERE id# >= 5000 ORDER BY 1;
















3. Add table APPSCHEMA.CUSTOMERS to the realm to protect by running below PL/SQL block as DV owner user (DV_ADMIN_OWNER).

   BEGIN
       DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
           realm_name   => 'PROTECT_APPSCHEMA',
           object_owner => 'APPSCHEMA',
           object_name  => 'CUSTOMERS',
           object_type  => 'TABLE');
   END;
   /

-- Show the objects protected by the DV realm PROTECT_APPSCHEMA
SELECT realm_name, owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name IN (SELECT name FROM dvsys.dv$realm WHERE id# >= 5000);

















4. Now check the effect of this realm. Query table APPSCHEMA.CUSTOMERS as users (DBA_USER, APPSCHEMA, and APPUSER). You will get "ORA-01031: insufficient privileges", because objects in this realm cannot be accessed by any database user, including the DBA and the schema owner.

SELECT cust_id, cust_first_name, cust_last_name, cust_email, cust_main_phone_number
   FROM appschema.customers
   WHERE rownum < 5;












5. As DV owner user (DV_ADMIN_OWNER), authorize application user (APPUSER) by adding the user to the realm by executing below PL/SQL block.

   BEGIN
       DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
           realm_name   => 'PROTECT_APPSCHEMA',
           grantee      => 'APPUSER');
   END;
   /











6. Re-execute the query again from APPUSER. It should work now.

SELECT cust_id, cust_first_name, cust_last_name, cust_email, cust_main_phone_number
   FROM appschema.customers
   WHERE rownum < 5;
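
The following is an added example, not part of the original post: it reviews who is authorized in the PROTECT_APPSCHEMA realm and records the blocked queries from step 4 in the unified audit trail. It assumes the statements are run as DV_ADMIN_OWNER (granted AUDIT_ADMIN and SELECT ANY DICTIONARY in Task #2) and that the database uses unified auditing; the policy name dv_realm_appschema_viol is hypothetical.

```sql
-- 1. Review realm authorizations. After step 5, the only grantee
--    listed for PROTECT_APPSCHEMA should be APPUSER.
SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'PROTECT_APPSCHEMA';

-- 2. Create a unified audit policy scoped to violations of this realm.
--    (Policy name is an assumption made for this example.)
CREATE AUDIT POLICY dv_realm_appschema_viol
  ACTIONS SELECT, INSERT, UPDATE, DELETE
  ACTIONS COMPONENT = DV Realm Violation ON "PROTECT_APPSCHEMA";

-- 3. Enable the policy for all users.
AUDIT POLICY dv_realm_appschema_viol;

-- 4. Re-run the step 4 query as DBA_USER and APPSCHEMA (both are
--    blocked with ORA-01031), then list the records the policy captured.
SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name,
       dv_action_name,
       dv_return_code,
       sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DV_REALM_APPSCHEMA_VIOL%'
 ORDER BY event_timestamp DESC;

-- 5. Remove the policy before dropping the realm in Task #4.
NOAUDIT POLICY dv_realm_appschema_viol;
DROP AUDIT POLICY dv_realm_appschema_viol;
```

Rows for DBA_USER and APPSCHEMA in step 4 of this example show that the realm is blocking privileged and owner access; no rows for APPUSER are expected once the authorization from step 5 of the task is in place.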













Task #4: Disable Database Vault


1. Connect to database as DV owner (DV_ADMIN_OWNER) and drop DV realm.

BEGIN
    DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(realm_name => 'PROTECT_APPSCHEMA');
END;
/

-- Show the current DV realm
SELECT name, description, enabled FROM dba_dv_realm WHERE id# >= 5000 order by 1;






















2. Disable DB vault on autonomous database.

EXEC DBMS_CLOUD_MACADM.DISABLE_DATABASE_VAULT;

















3. Restart autonomous database to complete database vault disabling process. Once restart completes, log in to the database as DBA_USER and verify DV is disabled.


4. Drop database vault owner and account manager users.

-- Drop the DV owner and DV account manager created in Task #2
DROP USER dv_admin_owner;
DROP USER dv_admin_accts;



Note: Because Database Vault is disabled, separation of duties is also disabled.


Thanks for reading !!!









 



Tuesday, January 2, 2024

Deploy Oracle Autonomous Database Free Container Image on Linux VM

 

- Overview:

  • Oracle announced the general availability of the Autonomous Database free container image at Oracle CloudWorld 2023.
  • The ADB free container image comes pre-built with the following components, exactly like the OCI ADB serverless public cloud service:
    • Oracle Autonomous Databases (ADW or ATP).
    • Oracle Application Express (APEX).
    • Oracle REST Data Services (ORDS).
    • Database Actions including SQL Developer, Performance Hub.
    • MongoDB API.
  • You can use the free container image for local development and merge your work later into an OCI ADB service.
  • The Oracle Autonomous Database Free container needs a minimum of 4 CPUs and 8 GB memory.
  • The free container image is now available on Oracle Container GitHub Registry.

In this blog, I'll demonstrate the steps to deploy the ADB free container image on an Oracle Linux VM running from Oracle VM VirtualBox on my laptop. 

 
Prerequisites:
  • Oracle VM VirtualBox installed.
  • Oracle Linux 8 VM with internet access running from Oracle VM VirtualBox.

Step #1: Install and Start Docker on Linux VM

As root user 

1. Install yum-utils package using command:
    dnf install -y dnf-utils zip unzip  

2. Enable all required repositories using command:
    dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo

3. Install Docker using commands:
    dnf remove -y runc
    dnf install -y docker-ce --nobest

4. Enable and start Docker service using commands:
     systemctl start docker.service
     systemctl status docker.service





5. Confirm Docker version using command:
     docker version




















Step #2: Download and Run ADB Free Container Image

As non root user with sudo privilege.

1. Pull the image from the repository and start a container to run ADB free container image using command:

sudo docker run -d \
-p 1521:1522 \
-p 1522:1522 \
-p 8443:8443 \
-p 27017:27017 \
--hostname <Your_Host_name Or IP Address> \
--cap-add SYS_ADMIN \
--device /dev/fuse \
--name <Your Docker container name> \
container-registry.oracle.com/database/adb-free:latest

Where:
- Ports:

Port     Description
1521     TLS
1522     mTLS
8443     HTTPS port for ORDS / APEX and Database Actions
27017    Mongo API ( MY_ATP )

- hostname: the Fully Qualified Domain Name (FQDN) of your host.
- For OFS mount, the container should start with the SYS_ADMIN capability.
- Also, the virtual device /dev/fuse should be accessible.















2. Check new Docker image using command:
     sudo docker image ls     





3. Check the status of the ADB container using command:
    sudo docker container ls





4. Change the preinstalled default expired password for the ADMIN user for MY_ADW and MY_ATP instances.
- For ATP instance
   sudo docker exec <Container_ID> /u01/scripts/change_expired_password.sh MY_ATP admin Welcome_MY_ATP_1234 <New Password>













- For ADW instance:
   sudo docker exec <Container_ID> /u01/scripts/change_expired_password.sh MY_ADW admin Welcome_MY_ADW_1234 <New Password>







Step #3: Sign-in to Web Database Actions

- APEX

https://<Host_Name>:8443/ords/my_atp/
https://<Host_Name>:8443/ords/my_adw/

- SQL Developer Web 
https://<Host_Name>:8443/ords/my_atp/sql-developer
https://<Host_Name>:8443/ords/my_adw/sql-developer

Sign-in with admin user and password previously reset in step #2.


































































