OCI

Using Letsencrypt with OCI

Security is one of the biggest topics and concerns in the IT industry nowadays, and since more and more services are hosted in cloud environments, the need for secure configurations increases steadily. One small part is to secure any connections in some way or another so that nobody can see your precious data just by capturing data streams. For generic TCP connections the most common way to do this is Transport Layer Security, or TLS for short, formerly called Secure Sockets Layer, or SSL. And with the release of Let’s Encrypt it became easier to obtain TLS certificates that are widely accepted.

System users in OCI

Once you are hosting an application in some environment, no matter whether on-premises or in the cloud, you want to get notified by the application when something happens or you need to take action. As an example, let’s assume that it is a GitLab Community Edition instance you manage yourself in the Oracle Cloud Infrastructure. For this purpose there’s an Email Delivery Service which you can use to send mails from your cloud applications. For this to work you have to configure DKIM and SPF records for a DNS domain and configure approved sender email addresses that may be used by your application. Maybe I’ll cover that in another blog post but that shouldn’t be addressed here now.

Using terraform import to migrate resources

Terraform is a nice tool when managing infrastructures in your cloud environment. It becomes really powerful when it comes to mass deployment and managing resources where you don’t need to repeat yourself too much. I think many of us experienced the start of a project with singleton resources when we were bloody newbies. But as time passes by the need for a more scalable solution emerges and you need to transform that singleton into a more iterative manner of resource management.

Talks in 2024

I am happy to announce that I will be appearing at least at two conferences organized by DOAG, the German Oracle user group. The first talk will be held at the DOAG Datenbank 2024 and the topic is Transparent Data Encryption auf Engineered Systems - Kleine Helfer which is about TDE and their helpers on engineered systems on premises and in the OCI. I love this conference in Düsseldorf and am happy to be there again.

IPv6 and private subnets in OCI

IPv6 has been roaming around for many years; it was launched in 1998. That’s 26 years ago and it is still not used by default in many locations. Why is that, especially when IPv6 is the recommended protocol for internet communication? Unfortunately IPv6 isn’t the default even with modern cloud providers like Oracle with its OCI. Of course you will get a worldwide usable and routed subnet if you like, but you have to enable it yourself in the first place. You’ll get DHCPv6 for free with recurring addresses, so that you can name things even after a reboot. But unlike with IPv4, you’re not able to communicate with the internet if your resource is in a private subnet, as shown in the diagram below.

Cloning an OCI Vault secured PDB - Part II

Last year I tried to duplicate a TDE encrypted pluggable database from one Exadata Cloud Machine to another into a separate CDB which is not a standby system of the first one. Normally this is not a big problem, because you can copy over the encryption key(s) from the source within the clone command. But that does not work when your encryption keys are stored in the OCI Vault service. Just as a refresher, this is the error you’ll get if you try.

Cloning an OCI Vault secured PDB

On some days you just want to perform a simple task, one you have done several times before and know will not take too much time to complete. But sometimes you will face a new challenge and spend a whole day trying to fix an issue that can’t be fixed. Such a day was today. What happened? I wanted to clone a PDB via DB link from a source CDB to a target CDB. So far so easy, isn’t it?