Admin
TECHNEWS

Oracle Peoplesoft

Featured

Oracle DBCS on OCI Provisioning: TDE Encryption & Automated Patching

Provision Oracle DBCS on OCI with TDE encryption & automated patching. Secure your data and streamline database management effortlessly.

By Someshwar ThakurPublished: June 20, 202612 min read2 views✓ Fact Checked
Oracle DBCS on OCI Provisioning: TDE Encryption & Automated Patching
Oracle DBCS on OCI Provisioning: TDE Encryption & Automated Patching

Overview

In the dynamic landscape of enterprise applications, Oracle PeopleSoft environments demand robust, secure, and highly available database infrastructure. Oracle Database Cloud Service (DBCS) on Oracle Cloud Infrastructure (OCI) offers a compelling solution, providing fully managed Oracle databases that combine the power and reliability of Oracle's flagship database with the agility and scalability of cloud computing. This article delves into the critical aspects of provisioning an Oracle DBCS instance on OCI, focusing specifically on implementing Transparent Data Encryption (TDE) for data-at-rest security and configuring automated patching to ensure continuous security and optimal performance.

For organizations running PeopleSoft, the underlying database is the heart of the system, storing sensitive HR, financial, and student data. Protecting this data with TDE is not just a best practice; it's often a regulatory mandate (e.g., GDPR, HIPAA, PCI-DSS). Furthermore, maintaining the database with the latest security patches and bug fixes through automated patching significantly reduces the operational overhead and minimizes exposure to vulnerabilities, allowing PeopleSoft administrators and DBAs to focus on application-level optimizations rather than infrastructure management.

DBCS on OCI abstracts away much of the complexity associated with database management, including hardware provisioning, operating system installation, and initial database setup. By leveraging OCI's powerful CLI and console, we can provision a secure, enterprise-grade database instance in minutes, ready to support demanding applications like PeopleSoft with high performance and built-in resilience.

Prerequisites

Before embarking on the provisioning journey, ensure you have the following in place:

  • OCI Account: An active Oracle Cloud Infrastructure account with administrative privileges or specific IAM policies for database, virtual network, and object storage services.
  • IAM Policies: Sufficient IAM permissions for the user or group provisioning the database. Key policies include:
    • Allow group <your-group> to manage database-family in compartment <your-compartment>
    • Allow group <your-group> to manage virtual-network-family in compartment <your-compartment>
    • Allow group <your-group> to manage object-storage-family in compartment <your-compartment> (for backups)
  • Virtual Cloud Network (VCN): A pre-existing VCN in your chosen OCI region. It's best practice to deploy databases into a private subnet within this VCN.
  • Subnet: A private subnet within your VCN dedicated to database instances. This subnet should have appropriate routing to allow access to other necessary services (e.g., Object Storage for backups, service gateway for OCI services).
  • Network Security Group (NSG) or Security List: Configured to allow ingress traffic on port 1521 (Oracle Listener) from application servers or bastion hosts, and egress traffic as needed.
  • SSH Key Pair: An SSH public/private key pair. The public key will be uploaded during provisioning to enable SSH access to the database host for the opc user. You can generate one using ssh-keygen.
  • OCI CLI Installed and Configured: The Oracle Cloud Infrastructure Command Line Interface (CLI) should be installed and configured on your local machine. This allows for programmatic interaction with OCI services. Verify your setup with oci --version and oci setup config if needed.
  • Compartment: A logical compartment in OCI where the database system and related resources will reside.

Step-by-Step Implementation

1. Prepare OCI Networking

For optimal security and performance, we'll provision the DBCS instance into a private subnet. If you don't have a suitable VCN, subnet, and NSG, here's how to create them using the OCI CLI. We'll use us-ashburn-1 as our region and assume a compartment named hr-peoplesoft-compartment.

1.1. Create a VCN (if not already present)


# Define variables
COMPARTMENT_ID="ocid1.compartment.oc1..aaaaaaaan3fxxxxxxxxdk7xxxxxxxxf6xxxxxxxxd2xxxxxxxxfq"
VCN_DISPLAY_NAME="PeoplesoftVCN"
VCN_CIDR="10.0.0.0/16"
REGION="us-ashburn-1"

# Create VCN
oci network vcn create \
    --compartment-id "${COMPARTMENT_ID}" \
    --display-name "${VCN_DISPLAY_NAME}" \
    --cidr-block "${VCN_CIDR}" \
    --dns-label "peoplesoftvcn" \
    --region "${REGION}"

Note down the VCN OCID from the output (e.g., ocid1.vcn.oc1.iad.aaaaaaaao6xxxxxxxxf7xxxxxxxxdkxxxxxxxxf7xxxxxxxxfq).

1.2. Create a Private Subnet for the Database

We'll create a private subnet within the VCN. It's crucial for the database not to have direct internet access.


# Define variables
VCN_ID="ocid1.vcn.oc1.iad.aaaaaaaao6xxxxxxxxf7xxxxxxxxdkxxxxxxxxf7xxxxxxxxfq" # Replace with your VCN OCID
SUBNET_DISPLAY_NAME="PeoplesoftDBSUB"
SUBNET_CIDR="10.0.10.0/24"
AVAILABILITY_DOMAIN="AD-1" # Choose an AD in your region

# Create Subnet
oci network subnet create \
    --compartment-id "${COMPARTMENT_ID}" \
    --vcn-id "${VCN_ID}" \
    --display-name "${SUBNET_DISPLAY_NAME}" \
    --cidr-block "${SUBNET_CIDR}" \
    --prohibit-public-ip-on-vnic true \
    --dns-label "dbsubnet" \
    --availability-domain "${AVAILABILITY_DOMAIN}" \
    --region "${REGION}"

Note down the Subnet OCID from the output (e.g., ocid1.subnet.oc1.iad.aaaaaaaa6oxxxxxxxxfdxxxxxxxxd6xxxxxxxxdoxxxxxxxxdq).

1.3. Create a Network Security Group (NSG) for Database Traffic

NSGs provide granular control over network traffic for your database. We'll allow ingress on port 1521 (Oracle Listener) from a specific CIDR block (e.g., your application subnet or bastion host IP). For simplicity, we'll allow from the entire VCN CIDR for this example, but in production, be more restrictive.


# Define variables
NSG_DISPLAY_NAME="PeoplesoftDBNSG"

# Create NSG
oci network nsg create \
    --compartment-id "${COMPARTMENT_ID}" \
    --vcn-id "${VCN_ID}" \
    --display-name "${NSG_DISPLAY_NAME}" \
    --region "${REGION}"

# Get NSG ID (you can also parse it from the create command output)
NSG_ID=$(oci network nsg list --compartment-id "${COMPARTMENT_ID}" --vcn-id "${VCN_ID}" --display-name "${NSG_DISPLAY_NAME}" --query "data[0].id" --raw-output)

# Add Ingress Rule for Oracle Listener (Port 1521)
# Assuming your application servers are in 10.0.0.0/16 (the VCN CIDR)
oci network nsg-security-rule create \
    --nsg-id "${NSG_ID}" \
    --direction "INGRESS" \
    --protocol "6" \
    --source-type "CIDR_BLOCK" \
    --source "${VCN_CIDR}" \
    --tcp-options '{"destinationPortRange":{"max":1521,"min":1521}}' \
    --description "Allow SQLNet from VCN" \
    --region "${REGION}"

# Add Egress Rule (e.g., allow all egress for simplicity, refine in production)
oci network nsg-security-rule create \
    --nsg-id "${NSG_ID}" \
    --direction "EGRESS" \
    --protocol "ALL" \
    --destination-type "CIDR_BLOCK" \
    --destination "0.0.0.0/0" \
    --description "Allow all egress" \
    --region "${REGION}"

Note down the NSG OCID (e.g., ocid1.networksecuritygroup.oc1.iad.aaaaaaaaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxzq).

2. Generate SSH Key Pair

If you don't have an SSH key pair, generate one:


ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa_dbcs_peoplesoft -N ""
# Output will be ~/.ssh/id_rsa_dbcs_peoplesoft (private key) and ~/.ssh/id_rsa_dbcs_peoplesoft.pub (public key)

Keep the private key secure. You will need the content of the .pub file for provisioning.

3. Provision Oracle DBCS Instance with TDE Encryption

Now, we'll provision the database system. We'll use the "Virtual Machine DB System" option for this example, suitable for PeopleSoft deployments requiring dedicated resources. We'll specify TDE by providing a TDE wallet password.

First, identify a suitable database software image. You can list available images:


oci db software-image list \
    --compartment-id "${COMPARTMENT_ID}" \
    --image-shape-family "VM" \
    --db-version "19.0.0.0" \
    --query "data[?contains(\"display-name\", 'Enterprise Extreme Performance')].{displayName:\"display-name\", id:id}" \
    --raw-output | jq -r '.[0].id'

Let's assume the above command returns an ID like ocid1.dbsystemsoftwareimage.oc1.iad.aaaaaaaaqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq. This will be our DB_SOFTWARE_IMAGE_ID.


# Define variables
DB_SYSTEM_DISPLAY_NAME="PeoplesoftProdDB"
DB_NAME="PSPROD" # Oracle database name (max 8 characters)
DB_EDITION="ENTERPRISE_EXTREME_PERFORMANCE" # Recommended for PeopleSoft
CPU_CORE_COUNT=4 # Number of OCPUs
DATA_STORAGE_SIZE_GB=500 # Data storage size in GB
ADMIN_PASSWORD="YourSecureAdminPassword1#" # SYS, SYSTEM, PDBADMIN password
TDE_WALLET_PASSWORD="YourSecureTDEWalletPassword1#" # Password for the TDE wallet
SSH_PUBLIC_KEY_FILE="~/.ssh/id_rsa_dbcs_peoplesoft.pub"
SSH_PUBLIC_KEY=$(cat "${SSH_PUBLIC_KEY_FILE}")
SUBNET_ID="ocid1.subnet.oc1.iad.aaaaaaaa6oxxxxxxxxfdxxxxxxxxd6xxxxxxxxdoxxxxxxxxdq" # Your Subnet OCID
NSG_ID="ocid1.networksecuritygroup.oc1.iad.aaaaaaaaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxzq" # Your NSG OCID

# Provision the DB System
oci db system launch \
    --compartment-id "${COMPARTMENT_ID}" \
    --display-name "${DB_SYSTEM_DISPLAY_NAME}" \
    --database-edition "${DB_EDITION}" \
    --db-system-options '{"databaseManagement":"MANAGED_EXTERNAL_ONLY"}' \
    --cpu-core-count "${CPU_CORE_COUNT}" \
    --data-storage-size-in-gbs "${DATA_STORAGE_SIZE_GB}" \
    --db-home-id "ocid1.dbhome.oc1.iad.aaaaaaaaqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq" \
    --db-version "19.0.0.0" \
    --db-name "${DB_NAME}" \
    --admin-password "${ADMIN_PASSWORD}" \
    --tde-wallet-password "${TDE_WALLET_PASSWORD}" \
    --ssh-public-keys "[\"${SSH_PUBLIC_KEY}\"]" \
    --subnet-id "${SUBNET_ID}" \
    --nsg-ids "[\"${NSG_ID}\"]" \
    --hostname "psproddb" \
    --license-model "BRING_YOUR_OWN_LICENSE" \
    --database-software-image-id "ocid1.dbsystemsoftwareimage.oc1.iad.aaaaaaaaqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq" \
    --shape "VM.Standard2.4" \
    --region "${REGION}" \
    --wait-for-state "AVAILABLE"

Explanation of Key Parameters:

  • --db-home-id and --database-software-image-id: These specify the Oracle Database version and image. For 19c, a specific image ID is preferred. If you omit --db-home-id, DBCS will create a new DB Home for the specified version.
  • --database-edition: For PeopleSoft, ENTERPRISE_EXTREME_PERFORMANCE is often chosen for its advanced features like In-Memory, Diagnostics Pack, Tuning Pack, and Real Application Clusters (RAC) support (though this example is for a single instance).
  • --admin-password: This is the password for the SYS, SYSTEM, and PDBADMIN users of your database.
  • --tde-wallet-password: This parameter is crucial for enabling TDE. By providing a password here, DBCS automatically creates and opens the TDE wallet during database creation and encrypts the tablespaces.
  • --ssh-public-keys: The public key allows SSH access to the underlying OS (as user opc).
  • --subnet-id and --nsg-ids: Ensure your database is deployed into the correct private network segment with appropriate security rules.
  • --license-model: Choose BRING_YOUR_OWN_LICENSE if you have existing Oracle licenses or LICENSE_INCLUDED for pay-as-you-go.
  • --shape: Defines the VM shape (OCPUs, memory). VM.Standard2.4 provides 4 OCPUs and 60GB RAM.
  • --wait-for-state "AVAILABLE": This makes the CLI command block until the DB system is fully provisioned and ready. This process can take 30-60 minutes.

4. Connect to the Database Instance and Verify TDE

Once the DB system is provisioned, you can connect to it via SSH and then to SQL*Plus.


# Get the public IP of the DB System (if you configured a public IP for SSH access, otherwise use a bastion host)
# For a private subnet, you would use a bastion host or OCI Bastion Service.
# Assuming you have a bastion host configured to reach the private IP of the DB node:
# First, get the private IP of your DB instance.
DB_SYSTEM_ID=$(oci db system list --compartment-id "${COMPARTMENT_ID}" --display-name "${DB_SYSTEM_DISPLAY_NAME}" --query "data[0].id" --raw-output)
DB_NODE_PRIVATE_IP=$(oci db node list --db-system-id "${DB_SYSTEM_ID}" --query "data[0].private-ip" --raw-output)

# SSH to the DB node via your bastion host (replace bastion_user@bastion_ip and path to your private key)
# Example using OCI Bastion service:
# oci bastion session create-port-forwarding \
#     --bastion-id "ocid1.bastion.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
#     --display-name "db-ssh-session" \
#     --target-db-node-id "ocid1.dbnode.oc1.iad.aaaaaaaaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
#     --target-port 22 \
#     --session-ttl-in-seconds 1800 \
#     --ssh-public-key-file "~/.ssh/id_rsa_dbcs_peoplesoft.pub"

# Assuming direct SSH access for demonstration, or via a pre-configured bastion:
ssh -i ~/.ssh/id_rsa_dbcs_peoplesoft opc@"${DB_NODE_PRIVATE_IP}"

Once SSH'd into the database host, switch to the oracle user and connect to SQL*Plus:


sudo su - oracle
sqlplus / as sysdba

Now, verify TDE status:


SQL> SELECT * FROM V$ENCRYPTED_TABLESPACES;

TABLESPACE_NAME                ENCRYPTED
------------------------------ ---------
SYSTEM                         NO
SYSAUX                         NO
UNDOTBS1                       NO
TEMP                           NO
USERS                          YES
PDB$SEED:SYSTEM                NO
PDB$SEED:SYSAUX                NO
PDB$SEED:UNDOTBS1              NO
PDB$SEED:TEMP                  NO
PDB$SEED:USERS                 YES
PSPROD:SYSTEM                  NO
PSPROD:SYSAUX                  NO
PSPROD:UNDOTBS1                NO
PSPROD:TEMP                    NO
PSPROD:USERS                   YES

You should see USERS and other user-created tablespaces within your PDB (e.g., PSPROD:USERS) marked as YES for ENCRYPTED. System tablespaces (SYSTEM, SYSAUX, UNDOTBS, TEMP) are not typically encrypted by default with TDE, as their data is transient or metadata. The actual user data is what TDE is primarily designed to protect.


SQL> SELECT * FROM GV$ENCRYPTION_WALLET;

WRL_TYPE             WRL_PARAMETER                                        STATUS               WALLET_TYPE          WALLET_ORDER     CON_ID
-------------------- ---------------------------------------------------- -------------------- -------------------- ------------ ----------
FILE                 /opt/oracle/dcs/commonstore/wallets/tde/PSPROD       OPEN                 UNKNOWN                         1
FILE                 /opt/oracle/admin/PSPROD/tde_wallet                  OPEN_NO_MASTER_KEY   UNKNOWN                         0

The STATUS column showing OPEN indicates that the TDE wallet is open and operational. The WRL_PARAMETER points to the location of the wallet files.

5. Configure Automated Patching

Automated patching in DBCS ensures that your database systems, DB Homes, and databases are kept up-to-date with the latest Oracle patches. This significantly enhances security, stability, and compliance.

DBCS offers different patch models and allows you to enable or disable auto-patching and define maintenance windows.

5.1. View Available Patches for your DB System


oci db system patch list \
    --db-system-id "${DB_SYSTEM_ID}" \
    --region "${REGION}"

This command lists all available patches for your DB System, including Release Updates (RUs) and Release Update Revisions (RURs).

5.2. Configure Automated Patching during Provisioning (or later)

While the initial oci db system launch command doesn't have a direct --auto-patching-enabled flag for the *database*, it's managed at the DB System or DB Home level. You can update these settings after creation.

To enable automated patching for the DB System and define a maintenance window:


# Define variables
DB_SYSTEM_ID="ocid1.dbsystem.oc1.iad.aaaaaaaa6oxxxxxxxxfdxxxxxxxxd6xxxxxxxxdoxxxxxxxxdq" # Your DB System OCID
MAINTENANCE_WINDOW_DAY="SATURDAY" # Day of the week for maintenance (e.g., SUNDAY, MONDAY, etc.)
MAINTENANCE_WINDOW_HOUR="03:00" # Hour in UTC (e.g., 03:00 for 3 AM UTC)

# Update DB System to enable auto-patching and set a maintenance window
oci db system update \
    --db-system-id "${DB_SYSTEM_ID}" \
    --is-auto-patch-enabled true \
    --maintenance-window-details '{
        "dayOfWeek": "'"${MAINTENANCE_WINDOW_DAY}"'",
        "timeOfDay": "'"${MAINTENANCE_WINDOW_HOUR}"'"
    }' \
    --region "${REGION}"

Note: Automated patching for the *database* itself (e.g., applying Release Updates to the actual database within the DB Home) is typically configured at the DB Home level or through the OCI console. When you enable auto-patching at the DB System level, it ensures the underlying OS and grid infrastructure are patched. For the database binaries (DB Home), you manage updates via the OCI console or specific oci db home update commands.

To view the current patching configuration of your DB System:


oci db system get \
    --db-system-id "${DB_SYSTEM_ID}" \
    --region "${REGION}" \
    --query "data.{displayName:\"display-name\", isAutoPatchEnabled:\"is-auto-patch-enabled\", maintenanceWindow:\"maintenance-window\"}"

This will show if is-auto-patch-enabled is true and details of the maintenance-window.

For database patching within the DB Home, Oracle provides "Release Updates" (RUs) and "Release Update Revisions" (RURs). You can specify the desired patch model:


# Define variables
DB_HOME_ID="ocid1.dbhome.oc1.iad.aaaaaaaaqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq" # Your DB Home OCID

# Update DB Home to use a specific patch model (e.g., RELEASE_UPDATE)
oci db home update \
    --db-home-id "${DB_HOME_ID}" \
    --patch-model "RELEASE_UPDATE" \
    --region "${REGION}"

Setting the patch-model to RELEASE_UPDATE ensures that the DB Home receives the latest Release Updates. Oracle will then apply these during the defined maintenance window if auto-patching is enabled at the system level. You can also trigger manual patching operations as needed via oci db home patch apply.

Security Considerations

Securing your Oracle DBCS instance is paramount, especially for sensitive PeopleSoft data. Here are critical considerations:

  • Network Security: Always deploy databases in private subnets. Use NSGs or Security Lists to restrict ingress to only necessary ports (1521 for SQL*Net) and source IPs (application servers, bastion hosts). Avoid public IPs on database nodes.
  • Transparent Data Encryption (TDE): TDE encrypts data at rest, protecting against unauthorized access to storage. Ensure strong, unique passwords for the TDE wallet. While DBCS manages the TDE wallet lifecycle, understanding its operation is key for auditing and troubleshooting.
  • Identity and Access Management (IAM): Implement the principle of least privilege. Create specific IAM groups and policies for DBAs, developers, and administrators, granting only the necessary permissions to manage database and network

Share this article

Written By

Someshwar Thakur

PS Admin, Cloud Architect, DBA

Sources & References

• Official company announcements and press releases

• Industry reports from Gartner, IDC, and Statista

• Peer-reviewed research and technical documentation

• On-record statements from industry experts

Last verified: June 20, 2026

Fact-checked by TechNews Venture editorial team

Leave a Comment

Comments are moderated and will appear after review.