# Working with RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Following, you can find instructions for creating, managing, and maintaining your RDS Custom for Oracle DB instances. **Topics** + [ # RDS Custom for Oracle end of support ](RDS-Custom-for-Oracle-end-of-support.md) + [ # RDS Custom for Oracle workflow ](custom-concept.workflow.md) + [ # Database architecture for Amazon RDS Custom for Oracle ](custom-oracle.db-architecture.md) + [ # Feature availability and support for RDS Custom for Oracle ](custom-oracle-feature-support.md) + [ # RDS Custom for Oracle requirements and limitations ](custom-reqs-limits.md) + [ # Setting up your environment for Amazon RDS Custom for Oracle ](custom-setup-orcl.md) + [ # Working with custom engine versions for Amazon RDS Custom for Oracle ](custom-cev.md) + [ # Configuring a DB instance for Amazon RDS Custom for Oracle ](custom-creating.md) + [ # Managing an Amazon RDS Custom for Oracle DB instance ](custom-managing.md) + [ # Managing a Multi-AZ deployment for RDS Custom for Oracle ](custom-oracle-multiaz.md) + [ # Working with Oracle replicas for RDS Custom for Oracle ](custom-rr.md) + [ # Backing up and restoring an Amazon RDS Custom for Oracle DB instance ](custom-backup.md) + [ # Working with option groups in RDS Custom for Oracle ](custom-oracle-option-groups.md) + [ # Migrating an on-premises database to RDS Custom for Oracle ](custom-migrating-oracle.md) + [ # Upgrading a DB instance for Amazon RDS Custom for Oracle ](custom-upgrading.md) + [ # Troubleshooting DB issues for Amazon RDS Custom for Oracle ](custom-troubleshooting.md) + [ # Known issues for Amazon RDS Custom for Oracle ](custom-known-issues.md) # RDS Custom for Oracle end of support **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](#RDS-Custom-for-Oracle-end-of-support). ## Overview After careful consideration, AWS has made the decision to discontinue the Amazon RDS Custom for Oracle service. The service will be deprecated effective **March 31, 2027**. This prescriptive guidance provides detailed migration strategies to help you migrate from RDS Custom for Oracle to self-managed Oracle databases on Amazon Elastic Compute Cloud (Amazon EC2). ### Key timelimes + **From March 31, 2026 to March 31, 2027**: We recommend that you migrate from RDS Custom for Oracle to running Oracle on EC2. During this period, you can continue using RDS Custom for Oracle with existing features and support. + **After March 31, 2027**: You will no longer be able to use the RDS Custom for Oracle service. ### Target audience This guidance is intended for: + Database administrators responsible for Oracle database migrations + Cloud architects planning migration strategies + DevOps engineers managing database infrastructure + IT managers overseeing the migration process ### Prerequisites Before you begin, ensure you have: + An active Amazon RDS Custom for Oracle instance running Oracle 19c Enterprise Edition + Appropriate AWS Identity and Access Management (IAM) permissions to create and manage EC2 instances + Understanding of your database architecture (non-CDB or multitenant CDB with PDBs) + Network connectivity planning between source and target instances + Backup and recovery strategy for your migration ## Migration options As part of the migration process, you can choose one of two migration options based on your business requirements and use case: ### Option 1: RMAN Active Duplication (Online/Offline Migration) **Best suited for** + Workloads that can afford planned downtime during final cutover + Simpler migration requirements with fewer moving parts + Databases where you want a straightforward, one-time migration + Scenarios where you don't need continuous synchronization before cutover **Key characteristics** + **Downtime**: Minimal downtime during final cutover (database remains online during duplication, brief downtime for final cutover) + **Complexity**: Lower complexity with direct database duplication + **Duration**: Migration time depends on database size and network bandwidth + **Fallback**: Requires maintaining the source database until validation is complete + **Online capability**: Source database remains online and accessible during the duplication process **Migration approach:** RMAN active duplication creates an exact copy of the source database on the target by copying database files over the network from the live, running source database. The source database remains online and accessible to applications during the duplication process. For multitenant databases, RMAN automatically duplicates the entire CDB including `CDB$ROOT`, `PDB$SEED`, and all pluggable databases in a single operation. Only a brief cutover window is needed to redirect applications to the new EC2 instance. ### Option 2: Oracle Data Guard (Online Migration) **Best suited for** + Production workloads requiring minimal downtime + Mission-critical databases that must remain available + Scenarios where you need continuous synchronization before cutover + Migrations requiring built-in fallback capability **Key characteristics** + **Downtime**: Near-zero downtime (seconds to minutes for switchover) + **Complexity**: Higher complexity with Data Guard configuration + **Duration**: Initial setup time plus continuous synchronization until switchover + **Fallback**: Built-in fallback capability by keeping the source as a standby **Migration approach:** Oracle Data Guard maintains a synchronized standby database by continuously shipping and applying redo logs from the primary database. When you're ready to complete the migration, you perform a switchover that promotes the EC2 standby to primary with minimal downtime. For multitenant databases, Data Guard automatically protects the entire CDB including all PDBs. **Decision matrix** Use the following matrix to help choose the appropriate migration option: | **Aspect** | **RMAN Active Duplication** | **Oracle Data Guard** | | --- | --- | --- | | **Source database availability** | Online during duplication | Online during entire process | | **Acceptable downtime** | Minutes to hours (final cutover) | Seconds to minutes (switchover) | | **Migration complexity** | Lower | Higher | | **Continuous synchronization** | No | Yes | | **Fallback capability** | Manual (keep source) | Built-in (automatic) | | **Testing before cutover** | Limited | Full testing possible | | **Network bandwidth requirement** | High during duplication | Moderate (continuous) | | **Best for** | Most migrations, dev/test, planned cutover | Production, mission-critical, near-zero downtime | ### Architecture considerations Both migration options support two Oracle database architectures: **Non-CDB** Traditional single-instance Oracle databases without the multitenant architecture. These databases: + Have a single database instance + Do not use pluggable databases (PDBs) + Are simpler to manage and migrate + Typically named ORCL in RDS Custom for Oracle **Multitenant (CDB with PDBs)** Container databases (CDB) hosting multiple pluggable databases (PDBs), introduced in Oracle 12c. These databases: + Have a container database (CDB) with `CDB$ROOT` and `PDB$SEED` + Host one or more pluggable databases (PDBs) + Provide database consolidation and resource isolation + Typically named RDSCDB in RDS Custom for Oracle + Use Oracle Managed Files (OMF) with GUID-based subdirectories for PDB data files **Important note for multitenant migrations**: The target database will be renamed to ORCL during the migration process (source: RDSCDB → target: ORCL). This simplifies the target configuration and aligns with standard naming conventions. **Key differences in migration approach** | **Aspect** | **Non-CDB** | **Multitenant (CDB with PDBs)** | | --- | --- | --- | | **Migration scope** | Single database | Entire CDB with all PDBs | | **Post-migration state** | Database open READ WRITE | CDB open READ WRITE; PDBs in MOUNTED state | | **PDB management** | N/A | Must open PDBs and configure auto-open | | **Cleanup** | Single database | CDB\$1ROOT (cascades to PDBs); handle C\$1\$1 common users | | **Application connections** | Database service | PDB services (not CDB) | | **Parameter file** | Standard parameters | Requires enable\$1pluggable\$1database=TRUE | | **Complexity** | Lower | Higher due to multiple containers | ## Common prerequisites for both migration options Before starting either migration option, complete the following prerequisite steps: 1. Launch and configure EC2 instance Launch an EC2 instance with the following considerations: + **Instance type**: Choose an EC2 instance type that meets the resource requirements of your workload. Using the same instance class as your RDS Custom instance is a good starting point. Consider memory, CPU, and network bandwidth requirements. + **Operating system**: Oracle Linux or Red Hat Enterprise Linux (matching or compatible with your RDS Custom OS version) + **Oracle software**: Install Oracle Database software (same major version, minor version, Release Update, and ideally the same one-off patches as RDS Custom). Ensure the Oracle software is installed in /u01/app/oracle/ or your preferred location. + **Storage**: Configure Amazon EBS volumes with appropriate size and IOPS to meet your workload requirements. Consider using gp3 volumes for cost-effective performance or io2 Block Express for high-performance workloads. 1. Configure storage architecture 1. File system storage (recommended for most scenarios) + Use standard file system directories for Oracle data files + Simpler to manage and suitable for most workloads + This guidance uses file system storage examples 1. Oracle Automatic Storage Management (ASM) + If your workload requires ASM, install and configure standalone ASM on the EC2 instance + Adjust all path parameters in the init file accordingly to use ASM disk groups (e.g., \$1DATA, \$1FRA) + The migration process is similar for ASM, with path adjustments 1. Set up file transfer mechanism Create a mechanism to transfer files between RDS Custom and EC2 instances. You have several options: 1. Option A: Amazon S3 (recommended for most scenarios) + Create an Amazon S3 bucket or use an existing one + Install and configure AWS CLI on both instances + For instructions, see [Getting started with the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). 1. Option B: Direct SCP/SFTP + If SSH ports are open between instances, you can transfer files directly + Suitable for small files like parameter files and password files 1. Option C: Amazon EFS + If you already have Amazon EFS mounted on both instances, you can use it as a shared file system + Suitable for environments with existing EFS infrastructure This guidance uses Amazon S3 for examples, but you can adapt the commands for your chosen method. 1. Configure network connectivity Ensure network connectivity between the RDS Custom and EC2 instances: + **Same VPC**: Security groups must allow bidirectional traffic on the Oracle listener port (default 1521, or your custom port) + **Different VPCs (same account)**: Set up VPC peering and configure route tables and security groups + **Different accounts**: Set up VPC peering across accounts or use AWS Transit Gateway + **Verify connectivity**: Use ping and telnet to test connectivity on the database port 1. Create directory structure on EC2 The directory structure depends on your database architecture: **Example For Non-CDB:** ``` # Non-CDB directories mkdir -p /u01/app/oracle/oradata/ORCL/controlfile/ mkdir -p /u01/app/oracle/oradata/ORCL/datafile mkdir -p /u01/app/oracle/oradata/ORCL/onlinelog mkdir -p /u01/app/oracle/oradata/ORCL/arch mkdir -p /u01/app/oracle/admin/ORCL/adump mkdir -p /u01/app/oracle/backup # Set ownership chown -R oracle:oinstall /u01/app/oracle/oradata/ORCL chown -R oracle:oinstall /u01/app/oracle/admin/ORCL chown -R oracle:oinstall /u01/app/oracle/backup ``` **Example For Multitenant (CDB with PDBs)** ``` # CDB directories mkdir -p /u01/app/oracle/oradata/ORCL/controlfile/ mkdir -p /u01/app/oracle/oradata/ORCL/cdb/datafile mkdir -p /u01/app/oracle/oradata/ORCL/pdbseed/datafile mkdir -p /u01/app/oracle/oradata/ORCL/onlinelog mkdir -p /u01/app/oracle/oradata/ORCL/arch mkdir -p /u01/app/oracle/admin/ORCL/adump mkdir -p /u01/app/oracle/backup # PDB directories (RDS Custom uses OMF with GUID-based paths) # Create a generic pdb directory - migration will create subdirectories as needed mkdir -p /u01/app/oracle/oradata/ORCL/pdb/datafile # Set ownership chown -R oracle:oinstall /u01/app/oracle/oradata/ORCL chown -R oracle:oinstall /u01/app/oracle/admin/ORCL chown -R oracle:oinstall /u01/app/oracle/backup ``` **Note** RDS Custom for Oracle uses Oracle Managed Files (OMF) for PDB data files with GUID-based subdirectories (e.g., `/rdsdbdata/db/pdb/RDSCDB_A/{GUID}/datafile/`). The migration process will automatically create the necessary subdirectory structure on the target. You only need to create the parent directories. **Storage strategy**: Consider using a separate EBS volume for /u01/app/oracle/backup to easily detach and remove it after migration completes, freeing up storage costs. 1. Verify source database configuration Before starting the migration, verify your source database configuration: 1. Log in to the RDS Custom database host as the rdsdb user and set the environment: **Example** ``` # For non-CDB export ORACLE_HOME=/rdsdbbin/oracle.19.custom.r1.EE.1 export ORACLE_SID=ORCL export PATH=$ORACLE_HOME/bin:$PATH # For multitenant CDB export ORACLE_HOME=/rdsdbbin/oracle.19.custom.r1.EE-CDB.1 export ORACLE_SID=RDSCDB export PATH=$ORACLE_HOME/bin:$PATH ``` 1. Connect to the database and check the architecture: **Example** ``` sqlplus / as sysdba SQL> SELECT name, cdb, open_mode, log_mode FROM v$database; ``` **Example For Non-CDB, expected output** ``` NAME CDB OPEN_MODE LOG_MODE --------- --- -------------------- ------------ ORCL NO READ WRITE ARCHIVELOG ``` **Example For Multitenant (CDB), expected output:** ``` NAME CDB OPEN_MODE LOG_MODE --------- --- -------------------- ------------ RDSCDB YES READ WRITE ARCHIVELOG ``` 1. **If you have a multitenant CDB**, list all PDBs and their status: **Example** ``` SQL> SELECT con_id, name, open_mode, restricted FROM v$pdbs; ``` Expected output (example with 1 PDB named ORCLDB): **Example** ``` CON_ID NAME OPEN_MODE RES ---------- ------------------------------ ---------- --- 2 PDB$SEED READ ONLY NO 3 ORCLDB READ WRITE NO ``` 1. Check the total database size: **Example For Non-CDB:** ``` SQL> SELECT SUM(bytes)/1024/1024/1024 AS total_size_gb FROM dba_data_files; ``` **Example For Multitenant:** ``` -- Total CDB size (all containers) SQL> SELECT SUM(bytes)/1024/1024/1024 AS total_size_gb FROM cdb_data_files; -- Size per PDB SQL> SELECT p.name AS pdb_name, ROUND(SUM(d.bytes)/1024/1024/1024, 2) AS size_gb FROM v$pdbs p JOIN cdb_data_files d ON p.con_id = d.con_id GROUP BY p.name, p.con_id ORDER BY p.con_id; ``` ## Option 1: Physical Migration Using RMAN Active Duplication **Topics** + [ ### When to use RMAN active duplication ](#RDS-Custom-for-Oracle-end-of-support-option-1-when-to-use) + [ ### RMAN active duplication overview ](#RDS-Custom-for-Oracle-end-of-support-option-1-overview) + [ ### Migration workflow for RMAN active duplication ](#RDS-Custom-for-Oracle-end-of-support-option-1-migration-workflow) + [ ### Step 1: Pause Amazon RDS Custom automation ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-1) + [ ### Step 2: Create password and parameter files ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-2) + [ ### Step 3: Transfer files to EC2 ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-3) + [ ### Step 4: Edit parameter file on EC2 ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-4) + [ ### Step 5: Configure TNS and listener ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-5) + [ ### Step 6: Start database in `NOMOUNT` on EC2 ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-6) + [ ### Step 7: Perform RMAN active duplication ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-7) + [ ### Step 8: Open PDBs (multitenant only) ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-8) + [ ### Step 9: Remove RDS Custom objects ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-9) + [ ### Step 10: Configure automatic startup ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-10) + [ ### Step 11: Final validation ](#RDS-Custom-for-Oracle-end-of-support-option-1-step-11) This section provides detailed steps for migrating your Oracle database from RDS Custom for Oracle to EC2 using RMAN active duplication. This method duplicates from a live, running database, keeping the source online and accessible during the migration process. ### When to use RMAN active duplication Choose RMAN active duplication when: + You want to keep the source database online and accessible during migration + You can afford a brief cutover window for final application redirection + You want a straightforward migration process with fewer moving parts + Your database size and network bandwidth allow for reasonable duplication time + You don't need continuous synchronization before cutover + You're migrating production, development, or test databases ### RMAN active duplication overview RMAN active duplication doesn't require a backup of the source database or taking the source database offline. It duplicates the live, running source database to the destination by copying database files over the network while the source remains online and accessible to applications. **Key advantages:** + **Source remains online**: Applications can continue accessing the source database during duplication + **No backup required**: Eliminates the need for intermediate backup storage + **Direct network transfer**: Database files are copied directly from source to target + **Automatic consistency**: RMAN ensures the duplicate database is consistent + **Single operation**: For multitenant, duplicates entire CDB including all PDBs in one operation The duplication process creates an exact copy of the source database on the target, including all data files, control files, and redo logs. The source database continues to serve application requests throughout the duplication process. Only a brief cutover window is needed at the end to redirect applications from the source to the target. **Typical timeline** 1. **Duplication phase** (source remains online): 30 minutes to several hours depending on database size 1. **Validation phase** (source remains online): Hours to days as needed 1. **Cutover phase** (brief downtime): Minutes to redirect applications to EC2 ### Migration workflow for RMAN active duplication **RDS Custom DB instance (source) steps:** 1. Pause Amazon RDS Custom automation 1. Verify database architecture (non-CDB or CDB with PDBs) 1. Create a password file and parameter file from the source database 1. Copy the password file and parameter file to the target EC2 instance 1. Verify the source database is running in archive log mode 1. Configure tnsnames.ora on the RDS Custom DB server **EC2 DB instance (target) steps:** 1. Edit the parameter file for EC2 (architecture-specific) 1. Configure tnsnames.ora on EC2 1. Configure the environment for the EC2 instance 1. Configure Oracle Listener on EC2 1. Start the database on EC2 in NOMOUNT state **RMAN duplication steps:** 1. Perform RMAN active duplication 1. Open the database (and PDBs for multitenant) 1. Configure PDB auto-open (multitenant only) 1. Remove RDS Custom specific users and objects 1. Create SPFILE and configure automatic startup 1. Resume Amazon RDS Custom automation on source (if keeping it active) ### Step 1: Pause Amazon RDS Custom automation Pause the automation mode on your RDS Custom instance before proceeding with the migration steps to ensure the automation doesn't interfere with the RMAN activity. The --resume-full-automation-mode-minute parameter (240 minutes = 4 hours in this example) should be adjusted based on your database size and expected duplication time. **Important**: Pausing automation does not affect database availability. The database remains online and accessible to applications during the duplication process. **Example** ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --automation-mode all-paused \ --resume-full-automation-mode-minute 240 \ --region us-east-1 --query 'DBInstances[0].AutomationMode' ``` Validate the automation status: **Example** ``` aws ds describe-db-instances \ --db-instance-identifier my-custom-instance \ --region us-east-1 \ --query 'DBInstances[0].AutomationMode' ``` Expected output: "`all-paused`" ### Step 2: Create password and parameter files Create a password file using `orapwd`. Retrieve the SYS password from AWS Secrets Manager (stored during RDS Custom instance creation). **Example** ``` # Non-CDB $ORACLE_HOME/bin/orapwd file=/rdsdbdata/config/orapwORCL password= entries=10 # Multitenant $ORACLE_HOME/bin/orapwd file=/rdsdbdata/config/orapwRDSCDB password= entries=10 ``` Create a parameter file from the source database: **Example** ``` sqlplus / as sysdba SQL> CREATE PFILE='/tmp/initORCL.ora' FROM SPFILE; -- Non-CDB SQL> CREATE PFILE='/tmp/initRDSCDB.ora' FROM SPFILE; -- Multitenant ``` The generated parameter file will contain RDS Custom-specific paths and parameters. For multitenant, key parameters include: + `enable_pluggable_database`=`TRUE` (critical for multitenant) + `noncdb_compatible`=`TRUE` (for backward compatibility) + Data file paths for `CDB$ROOT`, `PDB$SEED`, and all PDBs + `db_create_file_dest` and `db_create_online_log_dest_1` for OMF ### Step 3: Transfer files to EC2 Choose your preferred file transfer method. This guidance uses Amazon S3 for examples. **Using Amazon S3:** #### Using Amazon S3: **Example For Non-CDB:** ``` # Copy files to Amazon S3 from the RDS Custom instance aws s3 cp /tmp/initORCL.ora s3:/// aws s3 cp /rdsdbdata/config/orapwORCL s3:/// # On EC2, download files aws s3 cp s3:///initORCL.ora $ORACLE_HOME/dbs/ aws s3 cp s3:///orapwORCL $ORACLE_HOME/dbs/ ``` **Example For Multitenant** ``` # Copy files to Amazon S3 from the RDS Custom instance aws s3 cp /tmp/initRDSCDB.ora s3:/// aws s3 cp /rdsdbdata/config/orapwRDSCDB s3:/// # On EC2, download and rename files to use ORCL naming aws s3 cp s3:///initRDSCDB.ora $ORACLE_HOME/dbs/initORCL.ora aws s3 cp s3:///orapwRDSCDB $ORACLE_HOME/dbs/orapwORCL ``` Validate the files on EC2: **Example** ``` ls -l $ORACLE_HOME/dbs/initORCL.ora ls -l $ORACLE_HOME/dbs/orapwORCL ``` ### Step 4: Edit parameter file on EC2 The parameter file requires careful editing to ensure successful migration. This is one of the most critical steps in the migration process. Edit `$ORACLE_HOME/dbs/initORCL.ora` on the EC2 instance and make these critical changes: 1. **Update database name**: For multitenant, change all occurrences of RDSCDB to ORCL 1. **Convert RDS Custom paths to EC2 paths**: Replace /rdsdbdata/ with /u01/app/oracle/ 1. **Remove RDS Custom-specific parameters** + `dg_broker_config_file1` and `dg_broker_config_file2` (if present - indicates a replica existed) + `standby_file_management` (if present) + `spfile` (we'll create a new SPFILE later) + Any `log_archive_dest` parameters pointing to standby destinations (keep only `log_archive_dest_1` for local archiving) 1. **Add file name conversion parameters** (see below) 1. **Adjust memory parameters** based on your EC2 instance size (optional but recommended) **Understanding file name conversion parameters:** The `DB_FILE_NAME_CONVERT` and `LOG_FILE_NAME_CONVERT` parameters are critical for RMAN duplication. They tell RMAN how to map source file paths to target file paths during the duplication process. Without these parameters, RMAN will attempt to create files in the same paths as the source, which will fail on EC2. **Key considerations:** + Each parameter accepts pairs of strings: source path followed by target path + Multiple pairs can be specified in a single parameter + For multitenant, you must map paths for `CDB$ROOT`, `PDB$SEED`, and all PDBs + The order of pairs matters - RMAN processes them in the order specified + Paths are case-sensitive and must match exactly **Path mappings:** **Non-CDB:** | **RDS Custom path** | **EC2 path** | **Description** | | --- | --- | --- | | /rdsdbbin | /u01/app/oracle | Oracle base | | /rdsdbdata/db/ORCL\$1A/datafile/ | /u01/app/oracle/oradata/ORCL/datafile/ | Data files | | /rdsdbdata/db/ORCL\$1A/controlfile/ | /u01/app/oracle/oradata/ORCL/controlfile/ | Control files | | /rdsdbdata/db/ORCL\$1A/onlinelog/ | /u01/app/oracle/oradata/ORCL/onlinelog/ | Online redo logs | | /rdsdbdata/db/ORCL\$1A/arch/ | /u01/app/oracle/oradata/ORCL/arch/ | Archive logs | | /rdsdbdata/admin/ORCL/adump | /u01/app/oracle/admin/ORCL/adump | Audit dump | | /rdsdbdata/log | /u01/app/oracle | Diagnostic destination | **Multitenant** | **RDS Custom path** | **EC2 path** | **Description** | | --- | --- | --- | | /rdsdbbin | /u01/app/oracle | Oracle base | | /rdsdbdata/db/cdb/RDSCDB/datafile/ | /u01/app/oracle/oradata/ORCL/cdb/datafile/ | CDB root data files | | /rdsdbdata/db/cdb/pdbseed/ | /u01/app/oracle/oradata/ORCL/pdbseed/datafile/ | PDB\$1SEED data files | | /rdsdbdata/db/pdb/RDSCDB\$1A/ | /u01/app/oracle/oradata/ORCL/pdb/datafile/ | PDB data files (OMF with GUID) | | /rdsdbdata/db/cdb/RDSCDB\$1A/controlfile/ | /u01/app/oracle/oradata/ORCL/controlfile/ | Control files | | /rdsdbdata/db/cdb/RDSCDB\$1A/onlinelog/ | /u01/app/oracle/oradata/ORCL/onlinelog/ | Online redo logs | | /rdsdbdata/db/cdb/RDSCDB\$1A/arch/redolog | /u01/app/oracle/oradata/ORCL/arch/ | Archive logs | | /rdsdbdata/admin/RDSCDB/adump | /u01/app/oracle/admin/ORCL/adump | Audit dump | | /rdsdbdata/log | /u01/app/oracle | Diagnostic destination | **Add conversion parameters:** **Example Non-CDB:** ``` *.DB_FILE_NAME_CONVERT='/rdsdbdata/db/ORCL_A/datafile/','/u01/app/oracle/oradata/ORCL/datafile/' *.LOG_FILE_NAME_CONVERT='/rdsdbdata/db/ORCL_A/onlinelog/','/u01/app/oracle/oradata/ORCL/onlinelog/' ``` **Example **Multitenant** (must include mappings for CDB root, `PDB$SEED`, and all PDB paths):** ``` *.DB_FILE_NAME_CONVERT='/rdsdbdata/db/cdb/RDSCDB/datafile/','/u01/app/oracle/oradata/ORCL/cdb/datafile/','/rdsdbdata/db/cdb/pdbseed/','/u01/app/oracle/oradata/ORCL/pdbseed/datafile/','/rdsdbdata/db/pdb/RDSCDB_A/','/u01/app/oracle/oradata/ORCL/pdb/datafile/' *.LOG_FILE_NAME_CONVERT='/rdsdbdata/db/cdb/RDSCDB_A/onlinelog/','/u01/app/oracle/oradata/ORCL/onlinelog/' ``` **Important**: For multitenant, ensure `enable_pluggable_database`=`TRUE` is present in the parameter file. RDS Custom uses OMF for PDB data files with GUID-based subdirectories - the path mapping handles this automatically. **Complete example parameter files:** **Example Non-CDB parameter file (`initORCL.ora`):** ``` ORCL.__data_transfer_cache_size=0 ORCL.__db_cache_size=6039797760 ORCL.__inmemory_ext_roarea=0 ORCL.__inmemory_ext_rwarea=0 ORCL.__java_pool_size=0 ORCL.__large_pool_size=33554432 ORCL.__oracle_base='/u01/app/oracle' ORCL.__pga_aggregate_target=4966055936 ORCL.__sga_target=7449083904 ORCL.__shared_io_pool_size=134217728 ORCL.__shared_pool_size=1207959552 ORCL.__streams_pool_size=0 ORCL.__unified_pga_pool_size=0 *.archive_lag_target=300 *.audit_file_dest='/u01/app/oracle/admin/ORCL/adump' *.compatible='19.0.0' *.control_files='/u01/app/oracle/oradata/ORCL/controlfile/control-01.ctl' *.db_block_checking='MEDIUM' *.db_create_file_dest='/u01/app/oracle/oradata/ORCL' *.db_name='ORCL' *.db_recovery_file_dest_size=1073741824 *.db_unique_name='ORCL' *.dbfips_140=FALSE *.diagnostic_dest='/u01/app/oracle' *.filesystemio_options='setall' *.heat_map='OFF' *.job_queue_processes=50 *.local_listener='(address=(protocol=tcp)(host=)(port=1521))' *.log_archive_dest_1='location="/u01/app/oracle/oradata/ORCL/arch", valid_for=(ALL_LOGFILES,ALL_ROLES)' *.log_archive_format='-%s-%t-%r.arc' *.max_string_size='STANDARD' *.memory_max_target=12385852416 *.memory_target=12385852416 *.open_cursors=300 *.pga_aggregate_target=0 *.processes=1673 *.recyclebin='OFF' *.sga_target=0 *.undo_tablespace='UNDO_T1' *.use_large_pages='FALSE' *.DB_FILE_NAME_CONVERT='/rdsdbdata/db/ORCL_A/datafile/','/u01/app/oracle/oradata/ORCL/datafile/' *.LOG_FILE_NAME_CONVERT='/rdsdbdata/db/ORCL_A/onlinelog/','/u01/app/oracle/oradata/ORCL/onlinelog/' ``` **Example Multitenant parameter file (`initORCL.ora`):** ``` ORCL.__data_transfer_cache_size=0 ORCL.__db_cache_size=6006243328 ORCL.__inmemory_ext_roarea=0 ORCL.__inmemory_ext_rwarea=0 ORCL.__java_pool_size=0 ORCL.__large_pool_size=33554432 ORCL.__oracle_base='/u01/app/oracle' ORCL.__pga_aggregate_target=4966055936 ORCL.__sga_target=7415529472 ORCL.__shared_io_pool_size=134217728 ORCL.__shared_pool_size=1207959552 ORCL.__streams_pool_size=0 ORCL.__unified_pga_pool_size=0 *.archive_lag_target=300 *.audit_file_dest='/u01/app/oracle/admin/ORCL/adump' *.compatible='19.0.0' *.control_files='/u01/app/oracle/oradata/ORCL/controlfile/control-01.ctl' *.db_block_checking='MEDIUM' *.db_create_file_dest='/u01/app/oracle/oradata/ORCL/pdb/datafile' *.db_create_online_log_dest_1='/u01/app/oracle/oradata/ORCL' *.db_name='ORCL' *.db_recovery_file_dest_size=1073741824 *.db_unique_name='ORCL' *.dbfips_140=FALSE *.diagnostic_dest='/u01/app/oracle' *.enable_pluggable_database=TRUE *.filesystemio_options='setall' *.heat_map='OFF' *.job_queue_processes=50 *.local_listener='(address=(protocol=tcp)(host=)(port=1521))' *.log_archive_dest_1='location="/u01/app/oracle/oradata/ORCL/arch", valid_for=(ALL_LOGFILES,ALL_ROLES)' *.log_archive_format='-%s-%t-%r.arc' *.max_string_size='STANDARD' *.memory_max_target=12361688064 *.memory_target=12361688064 *.noncdb_compatible=TRUE *.open_cursors=300 *.pga_aggregate_target=0 *.processes=1670 *.recyclebin='OFF' *.sga_target=0 *.undo_tablespace='UNDO_T1' *.use_large_pages='FALSE' *.DB_FILE_NAME_CONVERT='/rdsdbdata/db/cdb/RDSCDB/datafile/','/u01/app/oracle/oradata/ORCL/cdb/datafile/','/rdsdbdata/db/cdb/pdbseed/','/u01/app/oracle/oradata/ORCL/pdbseed/datafile/','/rdsdbdata/db/pdb/RDSCDB_A/','/u01/app/oracle/oradata/ORCL/pdb/datafile/' *.LOG_FILE_NAME_CONVERT='/rdsdbdata/db/cdb/RDSCDB_A/onlinelog/','/u01/app/oracle/oradata/ORCL/onlinelog/' ``` **Key parameter explanations:** + `enable_pluggable_database=TRUE`: Required for multitenant CDB. This parameter enables the pluggable database feature. + `noncdb_compatible=TRUE`: Set by RDS Custom for backward compatibility. Can be kept or removed based on your requirements. + `db_create_file_dest`: Specifies the default location for Oracle Managed Files (OMF). For multitenant, this points to the PDB datafile directory. + `db_create_online_log_dest_1`: Specifies the location for online redo logs when using OMF. + `DB_FILE_NAME_CONVERT`: Critical for RMAN duplication. Maps source data file paths to target paths. + `LOG_FILE_NAME_CONVERT`: Maps source redo log paths to target paths. + `memory_target` and `memory_max_target`: Adjust these based on your EC2 instance memory. The values shown are examples. + `processes`: Maximum number of operating system processes that can connect to Oracle. Adjust based on your workload. **Memory sizing guidelines:** When adjusting memory parameters for your EC2 instance: | **EC2 Instance Memory** | **Recommended memory\$1target** | **Recommended memory\$1max\$1target** | | --- | --- | --- | | 16 GB | 12 GB (12884901888 bytes) | 14 GB (15032385536 bytes) | | 32 GB | 24 GB (25769803776 bytes) | 28 GB (30064771072 bytes) | | 64 GB | 48 GB (51539607552 bytes) | 56 GB (60129542144 bytes) | | 128 GB | 96 GB (103079215104 bytes) | 112 GB (120259084288 bytes) | Leave approximately 20-25% of system memory for the operating system and other processes. ### Step 5: Configure TNS and listener On both instances, add TNS entries to `tnsnames.ora`: **Example Non-CDB:** ``` DB_SOURCE = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = ORCL))) DB_TARGET = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = ORCL))) ``` **Example Multitenant:** ``` DB_SOURCE = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = RDSCDB))) DB_TARGET = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = ORCL))) ``` **Example Configure listener on EC2 (`$ORACLE_HOME/network/admin/listener.ora`):** ``` LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521))) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = ORCL) (ORACLE_HOME = /u01/app/oracle/product/19.0.0/dbhome_1) (SID_NAME = ORCL))) ``` **Example Start listener:** ``` lsnrctl start ``` **Note** For RMAN active duplication, the TNS entries connect to the database instance using SID (not SERVICE\$1NAME). For multitenant, this connects to the CDB, and RMAN automatically duplicates all PDBs. ### Step 6: Start database in `NOMOUNT` on EC2 **Example** ``` export ORACLE_SID=ORCL export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1 export PATH=$ORACLE_HOME/bin:$PATH sqlplus / as sysdba SQL> STARTUP NOMOUNT PFILE='$ORACLE_HOME/dbs/initORCL.ora'; ``` **Example Verify parameters:** ``` SQL> SHOW PARAMETER db_name SQL> SHOW PARAMETER control_files SQL> SHOW PARAMETER enable_pluggable_database -- For multitenant ``` ### Step 7: Perform RMAN active duplication RMAN active duplication copies the database from the live, running source to the target. The source database remains online and accessible to applications throughout this process. Connect RMAN to both the source and target instances: **Example** ``` rman target sys/@DB_SOURCE auxiliary sys/@DB_TARGET ``` **Example Expected output for non-CDB:** ``` Recovery Manager: Release 19.0.0.0.0 - Production connected to target database: ORCL (DBID=4089929259) connected to auxiliary database: ORCL (not mounted) ``` **Example Expected output for multitenant:** ``` Recovery Manager: Release 19.0.0.0.0 - Production connected to target database: RDSCDB (DBID=4089929259) connected to auxiliary database: ORCL (not mounted) ``` **Example Run the active duplication command:** ``` RMAN> DUPLICATE DATABASE TO 'ORCL' FROM ACTIVE DATABASE NOFILENAMECHECK; ``` **Note** **Source remains online**: The source database continues to serve application requests during duplication **For non-CDB**: This duplicates the entire database while it remains online **For multitenant**: This duplicates the entire CDB including `CDB$ROOT`, `PDB$SEED`, and all PDBs in a single operation while the source remains online **NOFILENAMECHECK**: Allows RMAN to proceed even if file names differ between source and target **Duration**: Depends on database size and network bandwidth. For a 100GB database, expect 30-60 minutes **Network impact:** High network bandwidth usage during duplication, but source database remains accessible **The RMAN active duplication process includes several phases:** 1. Connecting to source and target databases 1. Creating an `SPFILE` from memory on the target 1. Restoring the control file to the target 1. Mounting the target database 1. Copying all data files from source to target over the network (source remains online) 1. Recovering the target database 1. Opening the target database with `RESETLOGS` **During duplication, the source database:** + Remains in `READ WRITE` mode + Continues to accept connections + Processes transactions normally + Generates redo logs normally + Is fully accessible to applications **Example Monitor progress in another session:** ``` SQL> SELECT sid, serial#, sofar, totalwork, ROUND(sofar/totalwork*100,2) pct_complete FROM v$session_longops WHERE totalwork > 0 AND sofar <> totalwork; ``` **Detailed monitoring and troubleshooting during RMAN duplication:** While RMAN duplication is running, you can monitor its progress using several methods: 1. **Monitor RMAN output:** The RMAN session will display detailed progress information including: + Channel allocation + Datafile copy progress + Estimated completion time + Bytes processed ``` channel ORA_AUX_DISK_1: starting datafile copy input datafile file number=00001 name=/rdsdbdata/db/ORCL_A/datafile/system01.dbf output file name=/u01/app/oracle/oradata/ORCL/datafile/system01.dbf tag=TAG20260303T120000 channel ORA_AUX_DISK_1: datafile copy complete, elapsed time: 00:05:23 channel ORA_AUX_DISK_1: starting datafile copy input datafile file number=00003 name=/rdsdbdata/db/ORCL_A/datafile/sysaux01.dbf output file name=/u01/app/oracle/oradata/ORCL/datafile/sysaux01.dbf tag=TAG20260303T120000 ``` **Example output:** ``` channel ORA_AUX_DISK_1: starting datafile copy input datafile file number=00001 name=/rdsdbdata/db/ORCL_A/datafile/system01.dbf output file name=/u01/app/oracle/oradata/ORCL/datafile/system01.dbf tag=TAG20260303T120000 channel ORA_AUX_DISK_1: datafile copy complete, elapsed time: 00:05:23 channel ORA_AUX_DISK_1: starting datafile copy input datafile file number=00003 name=/rdsdbdata/db/ORCL_A/datafile/sysaux01.dbf output file name=/u01/app/oracle/oradata/ORCL/datafile/sysaux01.dbf tag=TAG20260303T120000 ``` 1. **Monitor long-running operations:** **Example In a separate SQL\$1Plus session on the target EC2 instance:** ``` SQL> SELECT sid, serial#, opname, sofar, totalwork, ROUND(sofar/totalwork*100,2) pct_complete, time_remaining, elapsed_seconds FROM v$session_longops WHERE totalwork > 0 AND sofar <> totalwork ORDER BY start_time; ``` **This query shows:** + `opname`: Operation name (e.g., "RMAN: full datafile restore") + `sofar`: Blocks processed so far + `totalwork`: Total blocks to process + `pct_complete`: Percentage complete + `time_remaining`: Estimated seconds remaining + `elapsed_seconds`: Time elapsed so far 1. **Monitor RMAN channels:** **Example** ``` SQL> SELECT sid, serial#, context, sofar, totalwork, ROUND(sofar/totalwork*100,2) pct_complete FROM v$session_longops WHERE opname LIKE 'RMAN%' AND totalwork > 0 AND sofar <> totalwork; ``` 1. **Check alert log:** **Example On the target EC2 instance, monitor the alert log for any errors or warnings:** ``` tail -f $ORACLE_BASE/diag/rdbms/orcl/ORCL/trace/alert_ORCL.log ``` **Common issues during RMAN duplication:** + **Network timeout** ``` RMAN-03009: failure of duplicate command on ORA_AUX_DISK_1 channel ORA-03135: connection lost contact ``` **Solution**: Increase network timeout values in `sqlnet.ora` on both instances: ``` SQLNET.RECV_TIMEOUT=600 SQLNET.SEND_TIMEOUT=600 ``` + **Insufficient space on target** ``` RMAN-03009: failure of duplicate command ORA-19504: failed to create file "/u01/app/oracle/oradata/ORCL/datafile/users01.dbf" ORA-27040: file create error, unable to create file Linux-x86_64 Error: 28: No space left on device ``` **Solution**: Check available space and add more EBS volume capacity: ``` df -h /u01/app/oracle/oradata ``` + **Parameter file errors** ``` RMAN-05021: this configuration cannot be used RMAN-06004: ORACLE error from auxiliary database: ORA-01261: Parameter db_create_file_dest destination string cannot be translated ``` **Solution**: Verify all directories in the parameter file exist and have proper permissions. + **Password file mismatch** ``` RMAN-00571: =========================================================== RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS =============== RMAN-00571: =========================================================== RMAN-03002: failure of duplicate command at 03/03/2026 12:00:00 RMAN-06136: ORACLE error from auxiliary database: ORA-01017: invalid username/password; logon denied ``` **Solution**: Ensure the password file on the target matches the source and has the correct name (`orapwORCL`). ### Step 8: Open PDBs (multitenant only) After RMAN duplication completes, the CDB on EC2 is open in `READ WRITE` mode, but all PDBs are in `MOUNTED` state. This is expected behavior - you must open them manually. Check the current PDB status: ``` SQL> SELECT con_id, name, open_mode FROM v$pdbs; ``` Expected output (example with one PDB named `ORCLDB`): ``` CON_ID NAME OPEN_MODE ---------- ------------------------------ ---------- 2 PDB$SEED READ ONLY 3 ORCLDB MOUNTED ``` Open all PDBs: ``` SQL> ALTER PLUGGABLE DATABASE ALL OPEN; Pluggable database altered. ``` Verify all PDBs are now open in `READ WRITE` mode: ``` SQL> SELECT con_id, name, open_mode, restricted FROM v$pdbs; ``` Expected output: ``` CON_ID NAME OPEN_MODE RES ---------- ------------------------------ ---------- --- 2 PDB$SEED READ ONLY NO 3 ORCLDB READ WRITE NO ``` Configure auto-open on startup using the save state method (recommended for Oracle 19c): ``` SQL> ALTER PLUGGABLE DATABASE ALL SAVE STATE; Pluggable database altered. ``` This tells Oracle to remember the current open state of PDBs and restore it on CDB startup. Verify the saved state: ``` SQL> SELECT con_name, instance_name, state FROM dba_pdb_saved_states; ``` Verify PDB services are registered with the listener: ``` lsnrctl services ``` Expected output should show services for the CDB and each PDB. If services aren't showing: ``` SQL> ALTER SYSTEM REGISTER; ``` Then check again with `lsnrctl services`. ### Step 9: Remove RDS Custom objects Because this is now a self-managed database on EC2, you should remove RDS Custom-specific users and objects. The cleanup process differs between non-CDB and multitenant architectures. **Important** Before dropping RDS-specific users and tablespaces, verify that no application objects exist under these schemas: ``` SQL> SELECT owner, object_type, COUNT(*) FROM dba_objects WHERE owner IN ('RDSADMIN', 'RDS_DATAGUARD') AND object_name NOT LIKE 'RDS%' AND object_name NOT LIKE 'SYS_%' GROUP BY owner, object_type; ``` If any application objects are found, migrate them to appropriate application schemas before proceeding. **Example Non-CDB:** ``` SQL> DROP USER RDSADMIN CASCADE; SQL> DROP USER RDS_DATAGUARD CASCADE; SQL> DROP DIRECTORY OPATCH_INST_DIR; SQL> DROP DIRECTORY OPATCH_LOG_DIR; SQL> DROP DIRECTORY OPATCH_SCRIPT_DIR; SQL> DROP TABLESPACE RDSADMIN INCLUDING CONTENTS AND DATAFILES; -- Verify removal SQL> SELECT username FROM dba_users WHERE username LIKE '%RDS%'; ``` Expected output: `no rows selected` **Multitenant:** In a multitenant environment, RDS Custom creates common users in `CDB$ROOT` that are visible across all PDBs. You must clean up from `CDB$ROOT`. ``` -- Connect to CDB$ROOT SQL> SHOW CON_NAME; -- Check for RDS-specific common users (including C## prefixed users) SQL> SELECT username, common, con_id FROM cdb_users WHERE username LIKE '%RDS%' OR username LIKE 'C##RDS%' ORDER BY username; -- Drop non-common users SQL> DROP USER RDSADMIN CASCADE; SQL> DROP USER RDS_DATAGUARD CASCADE; -- If any C## common users exist -- SQL> DROP USER C##RDSADMIN CASCADE ; -- Drop directories and tablespace SQL> DROP DIRECTORY OPATCH_INST_DIR; SQL> DROP DIRECTORY OPATCH_LOG_DIR; SQL> DROP DIRECTORY OPATCH_SCRIPT_DIR; SQL> DROP TABLESPACE RDSADMIN INCLUDING CONTENTS AND DATAFILES; -- Verify removal from CDB$ROOT SQL> SELECT username FROM dba_users WHERE username LIKE '%RDS%'; -- Verify removal from each PDB SQL> ALTER SESSION SET CONTAINER = ; SQL> SELECT username FROM dba_users WHERE username LIKE '%RDS%'; ``` Expected output for all queries: `no rows selected` ### Step 10: Configure automatic startup Create `SPFILE`: ``` SQL> CREATE SPFILE FROM PFILE='$ORACLE_HOME/dbs/initORCL.ora'; SQL> SHUTDOWN IMMEDIATE; SQL> STARTUP; ``` For multitenant, ensure PDBs open: ``` SQL> ALTER PLUGGABLE DATABASE ALL OPEN; ``` Edit `/etc/oratab`: ``` ORCL:/u01/app/oracle/product/19.0.0/dbhome_1:Y ``` ### Step 11: Final validation **Example Non-CDB:** ``` SQL> SELECT name, open_mode, log_mode FROM v$database; SQL> SELECT SUM(bytes)/1024/1024/1024 AS size_gb FROM dba_data_files; SQL> SELECT COUNT(*) FROM dba_objects WHERE status = 'INVALID'; ``` **Example Multitenant:** ``` SQL> SELECT name, open_mode, log_mode, cdb FROM v$database; SQL> SELECT con_id, name, open_mode FROM v$pdbs; SQL> SELECT SUM(bytes)/1024/1024/1024 AS total_size_gb FROM cdb_data_files; SQL> SELECT con_id, COUNT(*) FROM cdb_objects WHERE status = 'INVALID' GROUP BY con_id; ``` ``` Test application connectivity: # Non-CDB sqlplus /@:1521/ORCL # Multitenant (connect to PDB) sqlplus /@:1521/ ``` **Step 12: Resume RDS Custom automation** ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --automation-mode full \ --region us-east-1 ``` ## Option 2: Physical Migration Using Oracle Data Guard This section provides detailed steps for migrating your Oracle database from RDS Custom for Oracle to EC2 using Oracle Data Guard. This method is suitable for migrations requiring minimal downtime. ### When to use Oracle Data Guard **Choose Oracle Data Guard when:** + You require minimal downtime (seconds to minutes for switchover) + You're migrating production or mission-critical databases + You need continuous synchronization before cutover + You want built-in fallback capability + You need to test the target database before committing to the migration ### Oracle Data Guard overview Oracle Data Guard maintains a synchronized standby database by continuously shipping and applying redo logs from the primary database. When you're ready to complete the migration, you perform a switchover that promotes the EC2 standby to primary with minimal downtime (seconds to minutes). For multitenant databases, Data Guard automatically protects the entire CDB including all PDBs. Redo generated by any PDB is shipped to the standby and applied to the corresponding PDB on the standby. ### Migration workflow for Oracle Data Guard **RDS Custom DB instance (primary) steps:** 1. Pause Amazon RDS Custom automation 1. Verify database architecture (non-CDB or CDB with PDBs) 1. Confirm the primary database is running in archive log mode and `FORCE_LOGGING` is enabled 1. Create a password file 1. Perform an RMAN online backup of the primary database (or use active duplication) 1. Create a parameter file from the source database 1. Copy the backup sets, parameter file, and password file to the target EC2 instance **EC2 DB instance (standby) steps:** 1. Copy all files from the source to the EC2 instance 1. Copy the password file to the EC2 instance 1. Edit the parameter file for EC2 (architecture-specific) 1. Create the server parameter file from the parameter file 1. Restore standby control file and database **Data Guard configuration steps:** 1. Configure Oracle listeners on both instances 1. Configure tnsnames.ora on both instances 1. Start the Oracle Data Guard broker on both instances (optional but recommended) 1. Enable Oracle Data Guard configuration 1. Configure fal\$1server and fal\$1client on the EC2 standby instance 1. Configure the standby redo log files on both instances 1. Recover the standby instance 1. Perform the manual switchover 1. Open the database (and PDBs for multitenant) 1. Configure PDB auto-open (multitenant only) 1. Remove RDS Custom specific users and objects 1. Create SPFILE and configure automatic startup ### Step 1: Pause Amazon RDS Custom automation Pause the automation mode on your RDS Custom instance. The `--resume-full-automation-mode-minute` parameter should be adjusted based on your database size and expected Data Guard setup time. ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --automation-mode all-paused \ --resume-full-automation-mode-minute 480 \ --region us-east-1 ``` Validate the automation status: ``` aws rds describe-db-instances \ --db-instance-identifier my-custom-instance \ --region us-east-1 \ --query 'DBInstances[0].AutomationMode' ``` Expected output: "`all-paused`" ### Step 2: Confirm archive log mode and `FORCE_LOGGING` Oracle Data Guard requires the primary database to be in archive log mode with force logging enabled: ``` sqlplus / as sysdba SQL> SELECT log_mode, force_logging FROM v$database; ``` Expected output: ``` LOG_MODE FORCE_LOGGING ------------ ------------- ARCHIVELOG YES ``` If force logging is not enabled, run: ``` SQL> ALTER DATABASE FORCE LOGGING; ``` ### Step 3: Create password and parameter files Create a password file using `orapwd`. Retrieve the SYS password from AWS Secrets Manager. ``` # Non-CDB $ORACLE_HOME/bin/orapwd file=/rdsdbdata/config/orapwORCL password= entries=10 # Multitenant $ORACLE_HOME/bin/orapwd file=/rdsdbdata/config/orapwRDSCDB password= entries=10 ``` Create a parameter file from the source database: ``` sqlplus / as sysdba SQL> CREATE PFILE='/tmp/initORCL.ora' FROM SPFILE; -- Non-CDB SQL> CREATE PFILE='/tmp/initRDSCDB.ora' FROM SPFILE; -- Multitenant ``` ### Step 4: Perform RMAN backup or use active duplication You have two options for creating the standby database: #### Option A: RMAN online backup (recommended for most scenarios) Create a backup directory and backup the database: ``` mkdir -p /rdsdbdata/backup rman target / RMAN> run { backup as compressed backupset filesperset 2 format '/rdsdbdata/backup/db_%U' database; sql 'alter system archive log current'; backup as compressed backupset filesperset 50 format '/rdsdbdata/backup/arch_%U' archivelog all; } RMAN> backup current controlfile for standby format '/rdsdbdata/backup/standby.ctl'; ``` **Note** For multitenant, the database keyword backs up the entire CDB including all PDBs automatically. #### Option B: Active duplication (alternative method) Skip the backup step and use RMAN active duplication to build the standby directly over the network. This eliminates the need for backup storage and file transfers. After configuring TNS and listeners (see below), run: ``` RMAN> DUPLICATE TARGET DATABASE FOR STANDBY FROM ACTIVE DATABASE DORECOVER; ``` This guidance focuses on Option A (backup-based), but Option B is a valid alternative. ### Step 5: Transfer files to EC2 Choose your preferred file transfer method. This guidance uses Amazon S3 for examples. **Using Amazon S3:** **Example For Non-CDB:** ``` # Copy files to Amazon S3 from the RDS Custom instance aws s3 cp /rdsdbdata/backup s3:/// --recursive aws s3 cp /tmp/initORCL.ora s3:/// aws s3 cp /rdsdbdata/config/orapwORCL s3:/// # On EC2, download files aws s3 cp s3:///backup /u01/app/oracle/backup/ --recursive aws s3 cp s3:///initORCL.ora $ORACLE_HOME/dbs/ aws s3 cp s3:///orapwORCL $ORACLE_HOME/dbs/ ``` **Example For Multitenant:** ``` # Copy files to Amazon S3 from the RDS Custom instance aws s3 cp /rdsdbdata/backup s3:/// --recursive aws s3 cp /tmp/initRDSCDB.ora s3:/// aws s3 cp /rdsdbdata/config/orapwRDSCDB s3:/// # On EC2, download and rename files to use ORCL naming aws s3 cp s3:///backup /u01/app/oracle/backup/ --recursive aws s3 cp s3:///initRDSCDB.ora $ORACLE_HOME/dbs/initORCL.ora aws s3 cp s3:///orapwRDSCDB $ORACLE_HOME/dbs/orapwORCL ``` ### Step 6: Edit parameter file on EC2 Edit `$ORACLE_HOME/dbs/initORCL.ora` on the EC2 instance and make these critical changes: 1. **Update database name**: For multitenant, change all occurrences of `RDSCDB` to `ORCL` 1. **Change db\$1unique\$1name**: From `ORCL_A` (or `RDSCDB_A`) to `ORCL_B` 1. **Convert RDS Custom paths to EC2 paths**: Replace `/rdsdbdata/` with `/u01/app/oracle/` 1. ****Remove RDS Custom-specific parameters**** + `dg_broker_config_file1` and `dg_broker_config_file2` (if present) + `standby_file_management` (if present) + `spfile` (we'll create a new `SPFILE` later) + Any `log_archive_dest` parameters pointing to standby destinations 1. **Adjust memory parameters** based on your EC2 instance size (optional but recommended) **Path mappings:** **Non-CDB:** + `/rdsdbdata/db/ORCL_A/datafile/` → `/u01/app/oracle/oradata/ORCL/datafile/` + `/rdsdbdata/db/ORCL_A/controlfile/` → `/u01/app/oracle/oradata/ORCL/controlfile/` + `/rdsdbdata/db/ORCL_A/onlinelog/` → `/u01/app/oracle/oradata/ORCL/onlinelog/` + `/rdsdbdata/admin/ORCL/adump` → `/u01/app/oracle/admin/ORCL/adump` **Multitenant:** + `/rdsdbdata/db/cdb/RDSCDB/datafile/` → `/u01/app/oracle/oradata/ORCL/cdb/datafile/` + `/rdsdbdata/db/cdb/pdbseed/` → `/u01/app/oracle/oradata/ORCL/pdbseed/datafile/` + `/rdsdbdata/db/pdb/RDSCDB_A/` → `/u01/app/oracle/oradata/ORCL/pdb/datafile/` + `/rdsdbdata/db/cdb/RDSCDB_A/controlfile/` → `/u01/app/oracle/oradata/ORCL/controlfile/` + `/rdsdbdata/admin/RDSCDB/adump` → `/u01/app/oracle/admin/ORCL/adump` **Important**: For multitenant, ensure `enable_pluggable_database`=`TRUE` is present in the parameter file. ### Step 7: Create `SPFILE` and restore standby database Start the instance and create SPFILE: ``` sqlplus / as sysdba SQL> STARTUP NOMOUNT PFILE='$ORACLE_HOME/dbs/initORCL.ora'; SQL> CREATE SPFILE='/u01/app/oracle/admin/ORCL/pfile/spfileORCL.ora' FROM PFILE='$ORACLE_HOME/dbs/initORCL.ora'; SQL> SHUTDOWN IMMEDIATE; ``` Create symbolic link: ``` ln -sfn /u01/app/oracle/admin/ORCL/pfile/spfileORCL.ora $ORACLE_HOME/dbs/spfileORCL.ora ``` Start the instance and restore: ``` SQL> STARTUP NOMOUNT; rman target / ``` If backup files are in a different path than the source, catalog them first: ``` RMAN> catalog start with '/u01/app/oracle/backup/'; ``` Restore standby control file and mount: ``` RMAN> restore standby controlfile from '/u01/app/oracle/backup/standby.ctl'; RMAN> alter database mount; ``` If data file paths differ (e.g., using ASM), use `SET NEWNAME`: ``` RMAN> run { set newname for database to '+DATA/%b'; restore database; switch datafile all; } ``` Otherwise, simply restore: ``` RMAN> restore database; ``` Recover the database to the last available sequence: ``` RMAN> list backup of archivelog all; RMAN> recover database until sequence ; ``` **Note** For multitenant, RMAN automatically restores and recovers all PDBs. You do not need to restore each PDB separately. ### Step 8: Configure TNS and listeners On both instances, add TNS entries to `tnsnames.ora`: **Example Non-CDB:** ``` ORCL_A = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = ORCL))) ORCL_B = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = ORCL))) ``` **Example Multitenant:** ``` RDSCDB_A = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = RDSCDB))) ORCL_B = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521)) (CONNECT_DATA = (SID = ORCL))) ``` Configure listeners on both instances. On RDS Custom, append to `listener.ora`: **Example For Non-CDB:** ``` SID_LIST_L_ORCL_DG=(SID_LIST = (SID_DESC = (SID_NAME = ORCL)(GLOBAL_DBNAME = ORCL) (ORACLE_HOME = /rdsdbbin/oracle.19.custom.r1.EE.1))) L_ORCL_DG=(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(PORT = 1521)(HOST = ))) ``` **Example For Multitenant:** ``` SID_LIST_L_RDSCDB_DG=(SID_LIST = (SID_DESC = (SID_NAME = RDSCDB)(GLOBAL_DBNAME = RDSCDB) (ORACLE_HOME = /rdsdbbin/oracle.19.custom.r1.EE-CDB.1))) L_RDSCDB_DG=(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(PORT = 1521)(HOST = ))) ``` Start the listener: ``` $ORACLE_HOME/bin/lsnrctl start L_ORCL_DG # or L_RDSCDB_DG for multitenant ``` On EC2, create `$ORACLE_HOME/network/admin/listener.ora`: ``` SID_LIST_L_ORCL_DG=(SID_LIST = (SID_DESC = (SID_NAME = ORCL)(GLOBAL_DBNAME = ORCL) (ORACLE_HOME = /u01/app/oracle/product/19.0.0/dbhome_1))) L_ORCL_DG=(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(PORT = 1521)(HOST = ))) ``` Start the listener: ``` $ORACLE_HOME/bin/lsnrctl start L_ORCL_DG ``` **Note** You can use the existing listener on RDS Custom if preferred, but creating a separate Data Guard listener provides better isolation. **Important** If `tnsping` or `listener` connectivity fails, check `iptables` rules on EC2. Many EC2 Linux instances have default `iptables` rules that block port 1521. Add a rule: `sudo iptables -I INPUT 5 -p tcp --dport 1521 -j ACCEPT` ### Step 9: Enable Data Guard broker and configuration On both instances, enable the Data Guard broker: ``` sqlplus / as sysdba SQL> ALTER SYSTEM SET dg_broker_start=true; ``` On the RDS Custom primary, connect to the Data Guard broker and create the configuration: ``` dgmgrl / ``` **Example For Non-CDB:** ``` DGMGRL> CREATE CONFIGURATION my_dg_config AS PRIMARY DATABASE IS ORCL_A CONNECT IDENTIFIER IS ORCL_A; DGMGRL> ADD DATABASE ORCL_B AS CONNECT IDENTIFIER IS ORCL_B MAINTAINED AS PHYSICAL; ``` **Example For Multitenant:** ``` DGMGRL> CREATE CONFIGURATION my_dg_config AS PRIMARY DATABASE IS RDSCDB_A CONNECT IDENTIFIER IS RDSCDB_A; DGMGRL> ADD DATABASE ORCL_B AS CONNECT IDENTIFIER IS ORCL_B MAINTAINED AS PHYSICAL; ``` Set static connect identifiers and enable: **Example For Non-CDB:** ``` DGMGRL> edit database orcl_a set property StaticConnectIdentifier='(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(PORT=1521)(HOST=))(CONNECT_DATA=(SID=ORCL)(SERVER=DEDICATED)))'; DGMGRL> edit database orcl_b set property StaticConnectIdentifier='(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(PORT=1521)(HOST=))(CONNECT_DATA=(SID=ORCL)(SERVER=DEDICATED)))'; DGMGRL> ENABLE CONFIGURATION; ``` **Example For Multitenant:** ``` DGMGRL> edit database rdscdb_a set property StaticConnectIdentifier='(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(PORT=1521)(HOST=))(CONNECT_DATA=(SID=RDSCDB)(SERVER=DEDICATED)))'; DGMGRL> edit database orcl_b set property StaticConnectIdentifier='(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(PORT=1521)(HOST=))(CONNECT_DATA=(SID=ORCL)(SERVER=DEDICATED)))'; DGMGRL> ENABLE CONFIGURATION; ``` **Note** Data Guard broker is optional but recommended for easier management. For simple migrations, you can configure Data Guard manually without the broker. **Note** When you enable Data Guard for a CDB, it automatically protects all PDBs. Redo generated by any PDB is shipped to the standby and applied to the corresponding PDB on the standby. ### Step 10: Configure standby redo logs and start recovery On the EC2 standby instance, add standby redo log files (n\$11 where n is the number of online redo log groups): ``` ALTER DATABASE ADD STANDBY LOGFILE ('slog1.rdo') SIZE 128M; ALTER DATABASE ADD STANDBY LOGFILE ('slog2.rdo') SIZE 128M; ALTER DATABASE ADD STANDBY LOGFILE ('slog3.rdo') SIZE 128M; ALTER DATABASE ADD STANDBY LOGFILE ('slog4.rdo') SIZE 128M; ALTER DATABASE ADD STANDBY LOGFILE ('slog5.rdo') SIZE 128M; ``` **Note** For multitenant, standby redo logs are created at the CDB level and are shared by all PDBs. Configure FAL parameters on the standby: **Example For Non-CDB:** ``` SQL> alter system set fal_server = 'ORCL_A'; SQL> alter system set fal_client = 'ORCL_B'; ``` **Example For Multitenant:** ``` SQL> alter system set fal_server = 'RDSCDB_A'; SQL> alter system set fal_client = 'ORCL_B'; ``` Start managed recovery: ``` SQL> recover managed standby database disconnect from session; ``` Monitor the apply lag: ``` SQL> SELECT name, value FROM v$dataguard_stats WHERE name = 'apply lag'; ``` **Detailed monitoring and management of Data Guard synchronization:** Monitoring Data Guard is critical to ensure successful migration. Here are comprehensive monitoring techniques: 1. **Monitor Data Guard statistics:** ``` -- Comprehensive Data Guard statistics SQL> SELECT name, value, unit, time_computed, datum_time FROM v$dataguard_stats ORDER BY name; ``` Key metrics to monitor: + transport lag: Time difference between when redo was generated on primary and received on standby + apply lag: Time difference between when redo was generated and applied on standby + apply rate: Rate at which redo is being applied (MB/sec) + redo received: Total redo received by standby + redo applied: Total redo applied by standby 1. **Monitor archive log shipping:** On the primary (RDS Custom): ``` -- Check archive log generation rate SQL> SELECT TO_CHAR(first_time, 'YYYY-MM-DD HH24') AS hour, COUNT(*) AS log_count, ROUND(SUM(blocks * block_size)/1024/1024/1024, 2) AS size_gb FROM v$archived_log WHERE first_time > SYSDATE - 1 GROUP BY TO_CHAR(first_time, 'YYYY-MM-DD HH24') ORDER BY hour; -- Check archive log destination status SQL> SELECT dest_id, status, error, destination FROM v$archive_dest WHERE status != 'INACTIVE'; ``` On the standby (EC2): ``` -- Check archive log apply status SQL> SELECT sequence#, first_time, next_time, applied FROM v$archived_log WHERE applied = 'NO' ORDER BY sequence#; -- Check archive log gap SQL> SELECT thread#, low_sequence#, high_sequence# FROM v$archive_gap; ``` 1. **Monitor managed recovery process:** ``` -- Check if managed recovery is running SQL> SELECT process, status, thread#, sequence#, block#, blocks FROM v$managed_standby WHERE process LIKE 'MRP%' OR process LIKE 'RFS%'; -- Check recovery progress SQL> SELECT process, status, sequence#, TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp FROM v$managed_standby ORDER BY process; ``` 1. **Monitor redo apply rate for multitenant:** For multitenant databases, monitor apply rate per PDB: ``` -- Check redo apply rate per container SQL> SELECT con_id, name, ROUND(SUM(value)/1024/1024, 2) AS redo_applied_mb FROM v$con_sysstat cs, v$containers c WHERE cs.con_id = c.con_id AND cs.name = 'redo size' GROUP BY con_id, name ORDER BY con_id; ``` 1. **Monitor standby redo logs:** ``` -- Check standby redo log status SQL> SELECT group#, thread#, sequence#, bytes/1024/1024 AS size_mb, status FROM v$standby_log ORDER BY group#; -- Check if standby redo logs are being used SQL> SELECT group#, thread#, sequence#, status, archived FROM v$standby_log WHERE status = 'ACTIVE'; ``` 1. **Estimate synchronization completion:** Calculate the remaining time based on apply rate: ``` -- Calculate estimated time to catch up SQL> SELECT ROUND((SELECT value FROM v$dataguard_stats WHERE name = 'apply lag')/60, 2) AS lag_minutes, ROUND((SELECT value FROM v$dataguard_stats WHERE name = 'apply rate')/1024, 2) AS apply_rate_mbps, ROUND( (SELECT value FROM v$dataguard_stats WHERE name = 'apply lag') / NULLIF((SELECT value FROM v$dataguard_stats WHERE name = 'apply rate'), 0) / 60, 2 ) AS estimated_catchup_minutes FROM dual; ``` #### Common Data Guard synchronization issues: ##### Issue 1: High apply lag Symptoms: ``` SQL> SELECT name, value FROM v$dataguard_stats WHERE name = 'apply lag'; NAME VALUE -------------------------------- ----- apply lag +00 01:30:00 ``` Causes and solutions: + **Insufficient CPU/IO on standby**: Upgrade EC2 instance type or increase EBS IOPS + **Network bandwidth limitation**: Use enhanced networking or higher bandwidth instance types + **Multiple PDBs with high transaction rate**: Consider increasing redo apply parallelism (requires Active Data Guard license) ``` -- Increase apply parallelism (requires Active Data Guard) SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL; SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE USING CURRENT LOGFILE PARALLEL 4 DISCONNECT FROM SESSION; ``` ##### Issue 2: Archive log gap Symptoms: ``` SQL> SELECT * FROM v$archive_gap; THREAD# LOW_SEQUENCE# HIGH_SEQUENCE# ------- ------------- -------------- 1 1234 1240 ``` Solution: ``` -- FAL (Fetch Archive Log) will automatically fetch missing logs -- Verify FAL parameters are set correctly SQL> SHOW PARAMETER fal_server SQL> SHOW PARAMETER fal_client -- Manually register missing archive logs if needed -- On primary, check if logs still exist SQL> SELECT name FROM v$archived_log WHERE sequence# BETWEEN 1234 AND 1240; -- If logs are missing on primary, you may need to rebuild the standby ``` ##### Issue 3: Redo transport failure Symptoms: ``` SQL> SELECT dest_id, status, error FROM v$archive_dest WHERE dest_id = 2; DEST_ID STATUS ERROR ------- --------- ---------------------------------------- 2 ERROR ORA-16191: Primary log shipping client not logged on standby ``` Solution: ``` -- Check network connectivity -- Verify TNS configuration -- Check listener status on standby -- Restart log transport SQL> ALTER SYSTEM SET log_archive_dest_state_2 = 'DEFER'; SQL> ALTER SYSTEM SET log_archive_dest_state_2 = 'ENABLE'; ``` ##### Issue 4: Managed recovery not applying redo Symptoms: ``` SQL> SELECT process, status FROM v$managed_standby WHERE process = 'MRP0'; PROCESS STATUS --------- ------------ MRP0 WAIT_FOR_LOG ``` Solution: ``` # Check if archive logs are arriving ls -ltr /u01/app/oracle/oradata/ORCL/arch/ # Check alert log for errors tail -100 $ORACLE_BASE/diag/rdbms/orcl_b/ORCL/trace/alert_ORCL.log # Restart managed recovery sqlplus / as sysdba SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL; SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE DISCONNECT FROM SESSION; ``` **For Multitenant**, you can also check the status of each PDB on the standby: ``` SQL> SELECT con_id, name, open_mode, restricted FROM v$pdbs; ``` Expected output (PDBs in `MOUNTED` state on standby): ``` CON_ID NAME OPEN_MODE RES ---------- ------------------------------ ---------- --- 2 PDB$SEED MOUNTED 3 ORCLDB MOUNTED ``` **Note** On a physical standby, PDBs remain in `MOUNTED` state during managed recovery. ### Step 11: Perform the switchover Once you are satisfied that the standby is fully synchronized and ready, perform the switchover. For multitenant, the switchover will switch the entire CDB (all PDBs) from the RDS Custom primary to the EC2 standby. On the RDS Custom primary instance, connect to the Data Guard broker and validate both databases are ready for switchover: **Example For Non-CDB:** ``` DGMGRL> VALIDATE DATABASE ORCL_A; DGMGRL> VALIDATE DATABASE ORCL_B; ``` **Example For Multitenant:** ``` DGMGRL> VALIDATE DATABASE RDSCDB_A; DGMGRL> VALIDATE DATABASE ORCL_B; ``` Both should show `Ready for Switchover: Yes` Switch over from the RDS Custom primary to the EC2 standby: ``` DGMGRL> SWITCHOVER TO ORCL_B; ``` Verify the switchover is successful: ``` DGMGRL> SHOW CONFIGURATION VERBOSE; ``` The EC2 instance (`ORCL_B`) is now the primary database, and the RDS Custom instance is the physical standby. ### Step 12: Open PDBs (multitenant only) After the switchover, the CDB on EC2 is open in READ WRITE mode, but all PDBs are in MOUNTED state. You must open them manually. Connect to the new primary on EC2: ``` sqlplus / as sysdba SQL> SELECT name, open_mode, database_role, cdb FROM v$database; ``` Expected output: ``` NAME OPEN_MODE DATABASE_ROLE CDB --------- -------------------- ---------------- --- ORCL READ WRITE PRIMARY YES ``` Check the current PDB status: ``` SQL> SELECT con_id, name, open_mode, restricted FROM v$pdbs; ``` Expected output (PDBs in `MOUNTED` state - example with one PDB named `ORCLDB`): ``` CON_ID NAME OPEN_MODE RES ---------- ------------------------------ ---------- --- 2 PDB$SEED READ ONLY NO 3 ORCLDB MOUNTED ``` Open all PDBs: ``` SQL> ALTER PLUGGABLE DATABASE ALL OPEN; ``` Pluggable database altered. Verify all PDBs are now open in `READ WRITE` mode: ``` SQL> SELECT con_id, name, open_mode, restricted FROM v$pdbs; ``` Expected output: ``` CON_ID NAME OPEN_MODE RES ---------- ------------------------------ ---------- --- 2 PDB$SEED READ ONLY NO 3 ORCLDB READ WRITE NO ``` ### Step 13: Configure PDB auto-open on startup (multitenant only) Configure PDBs to automatically open when the CDB starts using the save state method (recommended for Oracle 19c): ``` SQL> ALTER PLUGGABLE DATABASE ALL SAVE STATE; Pluggable database altered. ``` Verify the saved state: ``` SQL> SELECT con_name, instance_name, state FROM dba_pdb_saved_states; ``` Verify PDB services are registered with the listener: ``` lsnrctl services ``` Expected output should show services for the CDB and each PDB. If services aren't showing: ``` SQL> ALTER SYSTEM REGISTER; ``` Then check again with `lsnrctl services`. ### Step 14: Remove RDS Custom objects Because this is now a self-managed database on EC2, you should remove RDS Custom specific users and objects. The cleanup process differs slightly between non-CDB and multitenant architectures. **Important** Before dropping RDS-specific users and tablespaces, verify that no application objects exist under these schemas: ``` SQL> SELECT owner, object_type, COUNT(*) FROM dba_objects WHERE owner IN ('RDSADMIN', 'RDS_DATAGUARD') AND object_name NOT LIKE 'RDS%' AND object_name NOT LIKE 'SYS_%' GROUP BY owner, object_type; ``` If any application objects are found, migrate them to appropriate application schemas before proceeding. **Non-CDB cleanup:** ``` sqlplus / as sysdba -- Drop RDS-specific users SQL> DROP USER RDSADMIN CASCADE; SQL> DROP USER RDS_DATAGUARD CASCADE; -- Drop RDS-specific directories SQL> DROP DIRECTORY OPATCH_INST_DIR; SQL> DROP DIRECTORY OPATCH_LOG_DIR; SQL> DROP DIRECTORY OPATCH_SCRIPT_DIR; -- Drop the RDSADMIN tablespace SQL> DROP TABLESPACE RDSADMIN INCLUDING CONTENTS AND DATAFILES; -- Verify removal SQL> SELECT username FROM dba_users WHERE username LIKE '%RDS%'; ``` Expected output: `no rows selected` **Multitenant cleanup:** In a multitenant environment, RDS Custom creates common users in `CDB$ROOT` that are visible across all PDBs. You must clean up from `CDB$ROOT`. ``` sqlplus / as sysdba -- Verify you are in CDB$ROOT SQL> SHOW CON_NAME; -- Check for RDS-specific common users (including C## prefixed users) SQL> SELECT username, common, con_id FROM cdb_users WHERE username LIKE 'RDS%' OR username LIKE 'C##RDS%' ORDER BY username; -- Drop non-common users SQL> DROP USER RDSADMIN CASCADE; SQL> DROP USER RDS_DATAGUARD CASCADE; -- If any C## common users exist -- Example (adjust based on your findings): -- SQL> DROP USER C##RDS_DATAGUARD CASCADE; -- Drop RDS-specific directories SQL> DROP DIRECTORY OPATCH_INST_DIR; SQL> DROP DIRECTORY OPATCH_LOG_DIR; SQL> DROP DIRECTORY OPATCH_SCRIPT_DIR; -- Drop the RDSADMIN tablespace SQL> DROP TABLESPACE RDSADMIN INCLUDING CONTENTS AND DATAFILES; -- Verify removal from CDB$ROOT SQL> SELECT username FROM dba_users WHERE username LIKE '%RDS%'; -- Verify removal from each PDB (example with one PDB named ORCLDB) SQL> ALTER SESSION SET CONTAINER = ORCLDB; SQL> SELECT username FROM dba_users WHERE username LIKE '%RDS%'; ``` Expected output for all queries: no rows selected ### Step 15: Configure automatic startup Verify the `SPFILE` is being used: ``` sqlplus / as sysdba SQL> SHOW PARAMETER spfile; ``` If the `spfile` path is correct, no action is needed. If not, create one: ``` SQL> CREATE SPFILE FROM MEMORY; ``` Restart the database: ``` SQL> SHUTDOWN IMMEDIATE; SQL> STARTUP; ``` For multitenant, open all PDBs (they should auto-open if you saved state earlier): ``` SQL> SELECT con_id, name, open_mode FROM v$pdbs; ``` If PDBs are not open, open them manually: ``` SQL> ALTER PLUGGABLE DATABASE ALL OPEN; ``` Edit `/etc/oratab`: ``` vi /etc/oratab ``` Change the line for `ORCL` from `N` to `Y`: ``` ORCL:/u01/app/oracle/product/19.0.0/dbhome_1:Y ``` ### Step 16: Final validation Perform comprehensive validation on the migrated database. **Example For Non-CDB:** ``` sqlplus / as sysdba -- Verify database role and status SQL> SELECT name, open_mode, log_mode, database_role FROM v$database; -- Check database size SQL> SELECT SUM(bytes)/1024/1024/1024 AS size_gb FROM dba_data_files; -- Verify all objects are valid SQL> SELECT owner, object_type, COUNT(*) FROM dba_objects WHERE status = 'INVALID' GROUP BY owner, object_type; -- Verify data files SQL> SELECT name, status FROM v$datafile; -- Test application connectivity SQL> SELECT username, machine, program FROM v$session WHERE username IS NOT NULL; ``` **Example For Multitenant:** ``` sqlplus / as sysdba -- Verify CDB status SQL> SELECT name, open_mode, log_mode, cdb, database_role FROM v$database; -- Verify all PDBs are open SQL> SELECT con_id, name, open_mode, restricted FROM v$pdbs; -- Check total CDB size SQL> SELECT SUM(bytes)/1024/1024/1024 AS total_size_gb FROM cdb_data_files; -- Check size per PDB SQL> SELECT p.name AS pdb_name, ROUND(SUM(d.bytes)/1024/1024/1024, 2) AS size_gb FROM v$pdbs p JOIN cdb_data_files d ON p.con_id = d.con_id GROUP BY p.name,p.con_id ORDER BY p.con_id; -- Verify all objects are valid across all PDBs SQL> SELECT con_id, owner, object_type, COUNT(*) FROM cdb_objects WHERE status = 'INVALID' GROUP BY con_id, owner, object_type; -- Verify PDB services are registered SQL> SELECT name FROM v$services ORDER BY name; Test application connectivity: # Non-CDB sqlplus /@:1521/ORCL # Multitenant (connect to PDB) sqlplus /@:1521/ ``` Test application connectivity: ``` # Non-CDB sqlplus /@:1521/ORCL # Multitenant (connect to PDB) sqlplus /@:1521/ ``` ### Step 17: Clean up backup files After successful validation, remove backup files and detach the backup volume if using a separate EBS volume: ``` rm -rf /u01/app/oracle/backup/* ``` If using a separate EBS volume for backups: ``` # Unmount the volume sudo umount /u01/app/oracle/backup # Detach and delete the EBS volume from AWS Console or CLI aws ec2 detach-volume --volume-id aws ec2 delete-volume --volume-id ``` ### Step 18: Resume RDS Custom automation If you plan to keep the RDS Custom instance running as a fallback during a validation period, resume the automation: ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --automation-mode full \ --region us-east-1 ``` ## Troubleshooting common issues This section covers common issues you may encounter during migration for both RMAN duplication and Oracle Data Guard approaches, covering both non-CDB and multitenant architectures. ### ORA-09925: Unable to create audit trail file **Cause:** The audit directory specified in `audit_file_dest` parameter doesn't exist on the target EC2 instance. **Solution:** Ensure the audit directory exists and has proper permissions: ``` mkdir -p /u01/app/oracle/admin/ORCL/adump chown -R oracle:oinstall /u01/app/oracle/admin/ORCL chmod -R 755 /u01/app/oracle/admin/ORCL ``` ### ORA-01261: Parameter `db_create_file_dest` destination string cannot be translated **Cause:** The directory specified in `db_create_file_dest` parameter doesn't exist on the target EC2 instance. **Solution:** For non-CDB: ``` mkdir -p /u01/app/oracle/oradata/ORCL chown -R oracle:oinstall /u01/app/oracle/oradata/ORCL chmod -R 755 /u01/app/oracle/oradata/ORCL ``` For multitenant: ``` mkdir -p /u01/app/oracle/oradata/ORCL/pdb/datafile chown -R oracle:oinstall /u01/app/oracle/oradata/ORCL chmod -R 755 /u01/app/oracle/oradata/ORCL ``` ### ORA-01804: Failure to initialize timezone information This error can occur when dropping the `RDSADMIN` user if the RDS source has a higher timezone version than what's installed in your EC2 \$1ORACLE\$1HOME. **Solution:** 1. Check the timezone versions: ``` SELECT * FROM v$timezone_file; SELECT PROPERTY_NAME, PROPERTY_VALUE FROM database_properties WHERE PROPERTY_NAME LIKE '%DST%'; ``` 1. As a workaround, set the timezone file environment variable to match what your \$1ORACLE\$1HOME has available: ``` ls $ORACLE_HOME/oracore/zoneinfo/timezlrg_*.dat export ORA_TZFILE=$ORACLE_HOME/oracore/zoneinfo/timezone_40.dat ``` Adjust the number to match the version available in your installation. 1. Retry the drop: ``` sqlplus / as sysdba SQL> DROP USER RDSADMIN CASCADE; ``` ### Cross-RU migration issues (different Release Updates) **Cause:** The target EC2 instance has a different Oracle Release Update (RU) or one-off patches than the source RDS Custom instance, causing compatibility errors during or after migration. **Common errors:** + ORA-00600 internal errors during redo apply (Data Guard) + ORA-39700 database must be opened with `UPGRADE` option + Dictionary inconsistencies after migration + Invalid objects in `DBA_REGISTRY` or `DBA_OBJECTS` **Solution:** **Best practice - Match RU versions and one-off patches exactly:** 1. Check the exact RU version on both source and target: ``` -- On both source and target SQL> SELECT * FROM v$version; SQL> SELECT patch_id, patch_uid, version, action, status, description FROM dba_registry_sqlpatch ORDER BY action_time DESC; ``` 1. Verify the \$1ORACLE\$1HOME patch level: ``` # On both instances $ORACLE_HOME/OPatch/opatch lsinventory ``` 1. If versions don't match, align them before migration by applying or rolling back patches as needed. 1. If you must proceed with mismatched RUs, run datapatch after migration: ``` cd $ORACLE_HOME/OPatch ./datapatch -verbose ``` 1. Check for invalid objects and recompile: ``` SQL> @?/rdbms/admin/utlrp.sql SQL> SELECT owner, object_type, COUNT(*) FROM dba_objects WHERE status = 'INVALID' GROUP BY owner, object_type; ``` ### Network connectivity issues **Cause:** Security groups, network ACLs, or `iptables` blocking the Oracle listener port. **Solution:** 1. Verify security groups allow the port bidirectionally 1. Check iptables on EC2: ``` sudo iptables -L INPUT -n -v ``` 1. Add rule if needed: ``` # Insert rule before the REJECT rule (typically position 5) sudo iptables -I INPUT 5 -p tcp --dport 1521 -j ACCEPT # For enhanced security, allow only from specific source IPs sudo iptables -I INPUT 5 -p tcp -s --dport 1521 -j ACCEPT # Save rules permanently sudo service iptables save ``` 1. Test connectivity: ``` telnet 1521 tnsping DB_SOURCE tnsping DB_TARGET ``` ### PDBs not opening after migration (multitenant only) **Cause:** This is expected behavior. After RMAN duplication or Data Guard switchover, the CDB is open but PDBs are in `MOUNTED` state. **Solution:** Open them manually: ``` SQL> ALTER PLUGGABLE DATABASE ALL OPEN; ``` If a specific PDB fails to open, check the alert log for errors: ``` tail -100 $ORACLE_BASE/diag/rdbms/orcl/ORCL/trace/alert_ORCL.log ``` Common causes include missing data files or path mapping issues. ### PDB data files not found or path mismatch (multitenant only) **Cause:** The migration didn't map all source paths correctly, especially for OMF-based PDB data files. **Solution:** 1. Check which data files are missing: ``` SQL> SELECT name, status FROM v$datafile WHERE status != 'ONLINE'; ``` 1. If the files were placed in the wrong directory, rename them in the control file: ``` SQL> ALTER DATABASE RENAME FILE '/wrong/path/datafile.dbf' TO '/correct/path/datafile.dbf'; ``` 1. To prevent this, always verify the source data file paths with `SELECT con_id, name FROM v$datafile ORDER BY con_id;` before configuring the parameter file. ### PDB services not registering with listener (multitenant only) **Cause:** The listener is not aware of the PDB services after opening PDBs. **Solution:** 1. Force service registration: ``` SQL> ALTER SYSTEM REGISTER; ``` 1. If services still don't appear, check the `local_listener` parameter: ``` SQL> SHOW PARAMETER local_listener; ``` Ensure it points to the correct listener address. If needed, update it: ``` SQL> ALTER SYSTEM SET local_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=)(PORT=1521))'; SQL> ALTER SYSTEM REGISTER; ``` 1. Verify with: ``` lsnrctl services ``` ### PDBs not auto-opening after CDB restart (multitenant only) **Cause:** PDB save state was not configured. **Solution:** Verify that PDB save state was configured: ``` SQL> SELECT con_name, instance_name, state FROM dba_pdb_saved_states; ``` If no rows are returned, save the state: ``` SQL> ALTER PLUGGABLE DATABASE ALL OPEN; SQL> ALTER PLUGGABLE DATABASE ALL SAVE STATE; ``` ### Data Guard redo transport not working **Cause:** Network connectivity issues, incorrect TNS configuration, or FAL parameters not set. **Solution:** 1. Verify the standby is in MOUNT mode: ``` SQL> SELECT status FROM v$instance; ``` 1. Check fal\$1server and fal\$1client are set correctly on the standby: ``` SQL> SHOW PARAMETER fal_server SQL> SHOW PARAMETER fal_client ``` 1. Verify network connectivity: ``` tnsping ORCL_A # or RDSCDB_A for multitenant ``` 1. Check the log\$1archive\$1dest\$12 parameter on the primary points to the standby (if configured manually without broker). **Data Guard apply lag increasing with multiple PDBs (multitenant only)** **Cause:** For CDBs with multiple PDBs, redo apply can be slower due to the volume of changes across all containers. **Solution:** 1. Check the apply rate: ``` SQL> SELECT name, value, unit FROM v$dataguard_stats WHERE name IN ('apply rate', 'apply lag'); ``` 1. Consider increasing parallelism for redo apply (requires Active Data Guard license): ``` SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE CANCEL; SQL> ALTER DATABASE RECOVER MANAGED STANDBY DATABASE USING CURRENT LOGFILE PARALLEL 4 DISCONNECT FROM SESSION; ``` 1. Verify there are no resource constraints (CPU, I/O) on the standby instance. **RMAN archive log backup fails with ORA-19625** **Cause:** RDS Custom automation has purged older archive logs from disk, but RMAN's control file still has records of them. **Solution:** 1. Crosscheck and clean up stale archive log entries: ``` RMAN> CROSSCHECK ARCHIVELOG ALL; RMAN> DELETE NOPROMPT EXPIRED ARCHIVELOG ALL; ``` 1. Re-run just the archive log backup: ``` RMAN> RUN { SQL 'ALTER SYSTEM ARCHIVE LOG CURRENT'; BACKUP AS COMPRESSED BACKUPSET FILESPERSET 50 FORMAT '/rdsdbdata/backup/arch_%U' ARCHIVELOG ALL; } ``` ### Common user drop fails in multitenant (multitenant only) **Cause:** Common users (prefixed with C\$1\$1) must be dropped with the `CONTAINER=ALL` clause. **Solution:** ``` -- For common users SQL> DROP USER C##RDS_DATAGUARD CASCADE CONTAINER=ALL; -- For non-common users in CDB$ROOT SQL> DROP USER RDSADMIN CASCADE; ``` Verify you're connected to `CDB$ROOT`: ``` SQL> SHOW CON_NAME; ``` ## Post-migration tasks After successful migration, complete these additional tasks to ensure your self-managed Oracle database on EC2 is production-ready. **Update application connection strings** **For Non-CDB:** + Point your applications to the new EC2 instance endpoint + Update connection strings to use the EC2 instance IP or hostname + Test all application functionality thoroughly **For Multitenant:** + Point your applications to the new EC2 instance PDB service names (e.g., ORCLDB or your specific PDB names) + Ensure applications connect to the correct PDB, not the CDB + Update connection strings to use PDB service names + Test all application functionality for each PDB Example connection strings: ``` # Non-CDB jdbc:oracle:thin:@:1521/ORCL # Multitenant (connect to PDB) jdbc:oracle:thin:@:1521/ORCLDB ``` **Configure backup strategy** Set up a comprehensive backup strategy for your self-managed database: **RMAN backups:** + Configure automated RMAN backup scripts for full, incremental, and archive log backups + Set up backup retention policies based on your recovery point objectives (RPO) + Store backups on Amazon S3 for durability and cost-effectiveness + Regularly test backup restoration procedures **AWS Backup:** + Use [AWS Backup](https://aws.amazon.com/backup/) for EBS volume snapshots + Configure backup schedules and retention policies + Enable cross-region backup copies for disaster recovery **For Multitenant:** + RMAN backups of the CDB automatically include all PDBs + You can also back up individual PDBs if needed + Consider PDB-specific backup schedules based on business requirements Example RMAN backup script: ``` #!/bin/bash export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1 export ORACLE_SID=ORCL export PATH=$ORACLE_HOME/bin:$PATH rman target / << EOF run { backup as compressed backupset database plus archivelog; delete noprompt obsolete; } exit; EOF ``` **Set up monitoring** Implement comprehensive monitoring for your EC2-hosted Oracle database: **Amazon CloudWatch** + Set up CloudWatch metrics for EC2 instance health, disk usage, and custom Oracle metrics + Create CloudWatch alarms for critical thresholds + Use CloudWatch Logs for database alert log monitoring **Oracle Enterprise Manager (OEM):** + If available, configure OEM for database monitoring + Set up performance monitoring and diagnostics + Configure automated alerts for critical events **Third-party tools:** + Consider tools like Datadog, New Relic, or Prometheus for database monitoring + Integrate with your existing monitoring infrastructure **Key metrics to monitor:** + Tablespace usage + Archive log space + Invalid objects + Session counts + Wait events + CPU and memory utilization + I/O performance **For Multitenant:** + Monitor both CDB-level and PDB-level metrics + Set up alerts for PDB resource usage and quotas + Track PDB-specific performance metrics **Configure security groups and network ACLs** Review and tighten security for the EC2 instance: **Security groups:** + Restrict database port access to only authorized application servers and bastion hosts + Remove any overly permissive rules created during migration + Document security group rules and their purposes **Network ACLs:** + Configure VPC network ACLs for additional security layers + Implement defense-in-depth security strategy **SSH access:** + Limit SSH access to specific IP ranges or use AWS Systems Manager Session Manager + Disable password authentication and use key-based authentication only + Implement multi-factor authentication (MFA) for privileged access **Encryption:** + Enable encryption at rest for EBS volumes + Enable encryption in transit for database connections using Oracle Native Network Encryption or TLS + Rotate encryption keys regularly **Implement high availability** If your workload requires high availability, consider implementing: **Oracle Data Guard:** + Configure a new standby database on another EC2 instance for disaster recovery + For multitenant, Data Guard protects the entire CDB including all PDBs + The standby can be in a different Availability Zone or Region + Implement automated failover mechanisms using scripts or third-party tools **AWS Multi-AZ deployment:** + Deploy standby instances in different Availability Zones + Use Amazon Route 53 for DNS failover + Implement application-level connection pooling with failover support **Backup and recovery:** + Maintain regular backups with tested restore procedures + Document recovery time objectives (RTO) and recovery point objectives (RPO) + Conduct regular disaster recovery drills **Perform thorough application testing** Before decommissioning the RDS Custom instance: **Functional testing:** + Verify all application features work correctly + Test all database-dependent functionality + Validate data integrity and consistency **Performance testing:** + Compare performance metrics with the RDS Custom baseline + Identify and address any performance regressions + Optimize queries and indexes as needed **Load testing:** + Test the database under expected peak loads + Verify resource utilization stays within acceptable limits + Identify and address any bottlenecks **Failover testing (if HA is configured):** + Test failover scenarios + Verify application reconnection logic + Measure actual RTO and RPO **Backup and restore testing:** + Verify backup and restore procedures work correctly + Test point-in-time recovery + Validate backup integrity **For Multitenant:** + Test each PDB independently + Verify PDB isolation and resource allocation + Test PDB-specific operations (clone, unplug/plug, etc.) **Decommission RDS Custom instance** After a successful validation period (typically 1-2 weeks): 1. **Final backup**: Take a final backup of the RDS Custom instance for archival purposes ``` # Create final snapshot aws rds create-db-snapshot \ --db-instance-identifier my-custom-instance \ --db-snapshot-identifier my-custom-instance-final-snapshot \ --region us-east-1 ``` 1. **Document the migration**: Update runbooks and documentation with the new EC2 configuration 1. **Delete the RDS Custom instance**: Use the AWS Console or CLI to delete the instance ``` # Delete RDS Custom instance without final snapshot (if already created above) aws rds delete-db-instance \ --db-instance-identifier my-custom-instance \ --skip-final-snapshot \ --region us-east-1 # Or create a final snapshot before deletion aws rds delete-db-instance \ --db-instance-identifier my-custom-instance \ --final-db-snapshot-identifier my-custom-instance-final-snapshot \ --region us-east-1 ``` 1. **Clean up resources**: Remove associated snapshots, parameter groups, and option groups if no longer needed 1. **Update documentation**: Ensure all operational documentation reflects the new EC2-based architecture ## Comparison: RMAN Active Duplication vs Oracle Data Guard The following table summarizes the key differences between the two migration options: | **Aspect** | **RMAN Active Duplication** | **Oracle Data Guard** | | --- | --- | --- | | **Source database availability** | Online during entire duplication | Online during entire process | | **Downtime** | Minutes (final cutover only) | Seconds to minutes (switchover) | | **Complexity** | Lower | Higher | | **Migration duration** | Single duplication operation | Initial setup \$1 continuous sync | | **Continuous synchronization** | No | Yes | | **Fallback capability** | Manual (keep source running) | Built-in (automatic) | | **Testing before cutover** | Limited (test after duplication) | Full testing possible (standby can be tested) | | **Network bandwidth** | High during duplication | Moderate (continuous) | | **Source database impact** | Minimal (read operations) | Minimal (redo shipping) | | **Best for** | Most migrations, straightforward cutover | Mission-critical, near-zero downtime required | | **Non-CDB support** | Yes | Yes | | **Multitenant support** | Yes (entire CDB) | Yes (entire CDB) | | **Post-migration PDB state** | CDB open, PDBs MOUNTED | CDB open, PDBs MOUNTED | | **Requires RMAN** | Yes | Yes (for initial backup in backup-based approach) | | **Requires Data Guard** | No | Yes | | **Skill level required** | Intermediate | Advanced | | **Cutover process** | Redirect applications to EC2 | Switchover command \$1 redirect applications | ## Comparison: Non-CDB vs Multitenant migration The following table summarizes the key differences between migrating non-CDB and multitenant databases: | **Aspect** | **Non-CDB migration** | **Multitenant (CDB with PDBs) migration** | | --- | --- | --- | | **Database type** | Single-instance non-CDB (e.g., ORCL) | CDB (source: RDSCDB, target: ORCL) with CDB\$1ROOT \$1 PDB\$1SEED \$1 one or more PDBs | | **Migration scope** | Single database | Entire CDB (all PDBs included automatically) | | **RMAN duplication scope** | Duplicates single database | Duplicates entire CDB (all containers) | | **Data Guard scope** | Protects single database | Protects entire CDB (all PDBs included automatically) | | **Parameter file** | Standard init parameters | Must include enable\$1pluggable\$1database=TRUE | | **Post-migration database state** | Database opens in READ WRITE mode | CDB opens in READ WRITE mode; PDBs remain in MOUNTED state | | **PDB opening** | N/A | Must manually open all PDBs with ALTER PLUGGABLE DATABASE ALL OPEN | | **PDB auto-open on startup** | N/A | Must configure PDB save state or startup trigger | | **Validation** | Single database checks | Must validate CDB and each PDB individually | | **RDS-specific cleanup** | Drop users/objects from single database | Drop common users from CDB\$1ROOT (cascades to PDBs); handle C\$1\$1 users | | **TNS/Listener configuration** | Single service for database | CDB service \$1 individual PDB services dynamically registered | | **Application connection strings** | Connect to single database | Connect to individual PDB services (not CDB) | | **Backup strategy** | Backup single database | Backup entire CDB (includes all PDBs) or individual PDBs | | **Resource management** | Database-level resource management | CDB-level and PDB-level resource management with Resource Manager | | **Complexity** | Lower complexity | Higher complexity due to multiple containers and OMF paths | ## Best practices and recommendations This section provides comprehensive best practices for successful migration from RDS Custom for Oracle to EC2. ### Pre-migration planning 1. Conduct a thorough assessment: Before starting the migration, perform a comprehensive assessment of your environment: + **Database inventory**: Document all databases, their sizes, architectures (non-CDB vs multitenant), and dependencies + **Application dependencies**: Identify all applications connecting to the database and their connection methods + **Performance baseline**: Capture performance metrics (CPU, memory, I/O, network) for comparison post-migration + **Backup and recovery requirements**: Document RPO (Recovery Point Objective) and RTO (Recovery Time Objective) + **Compliance requirements**: Identify any regulatory or compliance requirements that may affect the migration 1. Choose the right EC2 instance type: Select an EC2 instance type based on your workload characteristics: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/RDS-Custom-for-Oracle-end-of-support.html) **Instance sizing guidelines:** + Start with the same instance class as your RDS Custom instance + Monitor resource utilization during a test migration + Consider using AWS Compute Optimizer for recommendations + Plan for 20-30% headroom for growth and peak loads 1. Design your storage architecture: **EBS volume types:** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/RDS-Custom-for-Oracle-end-of-support.html) **Storage layout recommendations:** ``` # Recommended layout for production databases /u01/app/oracle # Oracle software (50-100 GB, gp3) /u01/app/oracle/oradata # Data files (sized for database, gp3 or io2) /u01/app/oracle/arch # Archive logs (separate volume, gp3) /u01/app/oracle/backup # Backups (separate volume, gp3, can be detached post-migration) ``` **Benefits of separate volumes:** + Independent IOPS allocation + Easier capacity management + Simplified backup and snapshot strategies + Better performance isolation 1. Establish a rollback plan: Always have a rollback strategy: + **Keep RDS Custom instance running** during validation period (1-2 weeks recommended) + **Maintain regular backups** of both source and target + **Document rollback procedures** including connection string changes + **Test rollback process** in a non-production environment + **Define rollback criteria** (performance degradation, data inconsistency, application errors) ### Migration execution best practices 1. **Timing your migration:** Choose the optimal time window: + **Low-traffic periods**: Weekends, holidays, or off-peak hours + **Maintenance windows**: Align with scheduled maintenance if possible + **Avoid month-end/quarter-end**: These periods typically have high transaction volumes + **Consider time zones**: For global applications, choose a time that minimizes impact across regions 1. **Communication plan:** Establish clear communication: + **Stakeholder notification**: Inform all stakeholders at least 2 weeks in advance + **Application teams**: Coordinate with application teams for connection string updates + **Status updates**: Provide regular updates during migration + **Escalation path**: Define clear escalation procedures for issues + **Post-migration communication**: Confirm successful completion and any follow-up actions 1. **Validation checkpoints:** Implement validation at each stage: **Pre-migration validation:** ``` -- Capture object counts SQL> SELECT object_type, COUNT(*) FROM dba_objects GROUP BY object_type ORDER BY object_type; -- Capture tablespace usage SQL> SELECT tablespace_name, ROUND(SUM(bytes)/1024/1024/1024, 2) AS size_gb FROM dba_data_files GROUP BY tablespace_name; -- Capture user counts SQL> SELECT COUNT(*) FROM dba_users; -- For multitenant, capture PDB information SQL> SELECT con_id, name, open_mode FROM v$pdbs; ``` **Post-migration validation:** ``` -- Verify object counts match SQL> SELECT object_type, COUNT(*) FROM dba_objects GROUP BY object_type ORDER BY object_type; -- Verify no invalid objects SQL> SELECT owner, object_type, object_name FROM dba_objects WHERE status = 'INVALID'; -- Verify tablespace usage SQL> SELECT tablespace_name, ROUND(SUM(bytes)/1024/1024/1024, 2) AS size_gb FROM dba_data_files GROUP BY tablespace_name; -- Verify database size matches SQL> SELECT SUM(bytes)/1024/1024/1024 AS total_size_gb FROM dba_data_files; -- For multitenant, verify all PDBs are open SQL> SELECT con_id, name, open_mode FROM v$pdbs; ``` 1. **Performance validation:** Compare performance metrics before and after migration: ``` -- Capture AWR snapshots before migration (on RDS Custom) SQL> EXEC DBMS_WORKLOAD_REPOSITORY.CREATE_SNAPSHOT; -- After migration (on EC2), compare metrics SQL> SELECT snap_id, begin_interval_time, end_interval_time FROM dba_hist_snapshot ORDER BY snap_id DESC FETCH FIRST 10 ROWS ONLY; -- Generate AWR report for comparison SQL> @?/rdbms/admin/awrrpt.sql ``` Key metrics to compare: + Average active sessions + DB time per transaction + Physical reads per second + Logical reads per second + Redo size per second + User calls per second + Parse time per execute ### Post-migration optimization 1. After migration, optimize database performance: 1. **Database performance tuning:** **Gather statistics:** ``` -- Gather dictionary statistics SQL> EXEC DBMS_STATS.GATHER_DICTIONARY_STATS; -- Gather fixed object statistics SQL> EXEC DBMS_STATS.GATHER_FIXED_OBJECTS_STATS; -- Gather schema statistics SQL> EXEC DBMS_STATS.GATHER_SCHEMA_STATS('SCHEMA_NAME', cascade=>TRUE); -- For multitenant, gather statistics for each PDB SQL> ALTER SESSION SET CONTAINER = PDB_NAME; SQL> EXEC DBMS_STATS.GATHER_DATABASE_STATS(cascade=>TRUE); ``` **Optimize memory parameters:** ``` -- Enable Automatic Memory Management (if not already enabled) SQL> ALTER SYSTEM SET MEMORY_TARGET = 24G SCOPE=SPFILE; SQL> ALTER SYSTEM SET MEMORY_MAX_TARGET = 28G SCOPE=SPFILE; SQL> SHUTDOWN IMMEDIATE; SQL> STARTUP; -- Or use Automatic Shared Memory Management SQL> ALTER SYSTEM SET SGA_TARGET = 16G SCOPE=SPFILE; SQL> ALTER SYSTEM SET PGA_AGGREGATE_TARGET = 8G SCOPE=SPFILE; ``` **Configure result cache:** ``` -- Enable result cache for frequently accessed queries SQL> ALTER SYSTEM SET RESULT_CACHE_MAX_SIZE = 1G; SQL> ALTER SYSTEM SET RESULT_CACHE_MODE = MANUAL; ``` 1. Storage optimization: **Enable compression:** ``` -- For tables with infrequent updates ALTER TABLE large_table MOVE COMPRESS FOR OLTP; -- For archive/historical data ALTER TABLE archive_table MOVE COMPRESS FOR ARCHIVE HIGH; -- Rebuild indexes after compression ALTER INDEX index_name REBUILD ONLINE; ``` **Implement partitioning:** ``` -- For large tables, consider partitioning -- Example: Range partitioning by date CREATE TABLE sales_partitioned ( sale_id NUMBER, sale_date DATE, amount NUMBER ) PARTITION BY RANGE (sale_date) ( PARTITION sales_2024 VALUES LESS THAN (TO_DATE('2025-01-01', 'YYYY-MM-DD')), PARTITION sales_2025 VALUES LESS THAN (TO_DATE('2026-01-01', 'YYYY-MM-DD')), PARTITION sales_2026 VALUES LESS THAN (MAXVALUE) ); ``` 1. Implement monitoring and alerting: **CloudWatch custom metrics:** Create a script to publish Oracle metrics to CloudWatch: ``` #!/bin/bash # publish_oracle_metrics.sh INSTANCE_ID=$(ec2-metadata --instance-id | cut -d " " -f 2) REGION=$(ec2-metadata --availability-zone | cut -d " " -f 2 | sed 's/[a-z]$//') # Get tablespace usage TABLESPACE_USAGE=$(sqlplus -s / as sysdba << EOF SET PAGESIZE 0 FEEDBACK OFF VERIFY OFF HEADING OFF ECHO OFF SELECT ROUND(MAX(percent_used), 2) FROM ( SELECT tablespace_name, ROUND((used_space/tablespace_size)*100, 2) AS percent_used FROM dba_tablespace_usage_metrics ); EXIT; EOF ) # Publish to CloudWatch aws cloudwatch put-metric-data \ --region $REGION \ --namespace "Oracle/Database" \ --metric-name "TablespaceUsage" \ --value $TABLESPACE_USAGE \ --unit Percent \ --dimensions InstanceId=$INSTANCE_ID,Database=ORCL # Add more metrics as needed (sessions, wait events, etc.) ``` **Set up CloudWatch alarms:** ``` # Create alarm for high tablespace usage aws cloudwatch put-metric-alarm \ --alarm-name oracle-high-tablespace-usage \ --alarm-description "Alert when tablespace usage exceeds 85%" \ --metric-name TablespaceUsage \ --namespace Oracle/Database \ --statistic Maximum \ --period 300 \ --evaluation-periods 2 \ --threshold 85 \ --comparison-operator GreaterThanThreshold \ --alarm-actions arn:aws:sns:region:account-id:topic-name ``` 1. Security hardening: **Database security:** ``` -- Enforce password complexity ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 90 PASSWORD_GRACE_TIME 7 PASSWORD_REUSE_TIME 365 PASSWORD_REUSE_MAX 5 FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1; -- Enable audit ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE=SPFILE; SHUTDOWN IMMEDIATE; STARTUP; -- Audit critical operations AUDIT ALL ON SYS.AUD$ BY ACCESS; AUDIT CREATE USER BY ACCESS; AUDIT DROP USER BY ACCESS; AUDIT ALTER USER BY ACCESS; AUDIT CREATE SESSION BY ACCESS WHENEVER NOT SUCCESSFUL; ``` **Network security:** ``` # Restrict SSH access sudo vi /etc/ssh/sshd_config # Set: PermitRootLogin no # Set: PasswordAuthentication no # Configure firewall sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port port="1521" protocol="tcp" accept' sudo firewall-cmd --reload # Enable Oracle Native Network Encryption # Edit sqlnet.ora SQLNET.ENCRYPTION_SERVER = REQUIRED SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128) SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512) ``` 1. Backup and recovery strategy: **Implement comprehensive backup strategy:** ``` #!/bin/bash # rman_backup.sh - Daily incremental backup script export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1 export ORACLE_SID=ORCL export PATH=$ORACLE_HOME/bin:$PATH # Backup to local disk rman target / << EOF RUN { ALLOCATE CHANNEL ch1 DEVICE TYPE DISK FORMAT '/u01/app/oracle/backup/inc_%U'; BACKUP INCREMENTAL LEVEL 1 DATABASE PLUS ARCHIVELOG; DELETE NOPROMPT OBSOLETE; CROSSCHECK BACKUP; DELETE NOPROMPT EXPIRED BACKUP; } EXIT; EOF # Copy backups to S3 aws s3 sync /u01/app/oracle/backup/ s3://my-oracle-backups/$(date +%Y%m%d)/ \ --storage-class STANDARD_IA \ --exclude "*" \ --include "inc_*" \ --include "arch_*" # Clean up local backups older than 7 days find /u01/app/oracle/backup/ -name "inc_*" -mtime +7 -delete find /u01/app/oracle/backup/ -name "arch_*" -mtime +7 -delete ``` **Schedule backups with cron:** ``` # Edit crontab crontab -e # Add backup schedule # Full backup on Sunday at 2 AM 0 2 * * 0 /home/oracle/scripts/rman_full_backup.sh >> /home/oracle/logs/backup_full.log 2>&1 # Incremental backup Monday-Saturday at 2 AM 0 2 * * 1-6 /home/oracle/scripts/rman_incremental_backup.sh >> /home/oracle/logs/backup_inc.log 2>&1 # Archive log backup every 4 hours 0 */4 * * * /home/oracle/scripts/rman_archivelog_backup.sh >> /home/oracle/logs/backup_arch.log 2>&1 ``` ### Cost optimization **1. Right-sizing:** After migration, monitor and optimize costs: + **Use AWS Cost Explorer** to analyze EC2 and EBS costs + **Enable AWS Compute Optimizer** for instance type recommendations + **Review CloudWatch metrics** to identify underutilized resources + **Consider Reserved Instances** or Savings Plans for predictable workloads **2. Storage optimization:** + **Implement lifecycle policies** for S3 backups (move to Glacier after 30 days) + **Delete unused EBS snapshots** regularly + **Use gp3 instead of gp2** for cost savings with same performance + **Detach and delete backup volumes** after migration completes **3. Automation:** + **Automate start/stop** of non-production databases during off-hours + **Use AWS Systems Manager** for patch management + **Implement auto-scaling** for read replicas if using Data Guard ## Conclusion This prescriptive guidance provided detailed migration strategies for moving your Oracle databases from Amazon RDS Custom for Oracle to self-managed Oracle databases on Amazon EC2. With the RDS Custom for Oracle service deprecation effective March 31, 2027, it's important to plan and execute your migration well in advance. **Key takeaways** **Migration options:** + **RMAN Active Duplication**: Best for most migrations, keeps source database online during duplication, requires only brief cutover window for application redirection + **Oracle Data Guard**: Best for mission-critical workloads requiring near-zero downtime, providing continuous synchronization and built-in switchover capability **Architecture support:** + Both migration options support non-CDB (traditional single-instance) and multitenant (CDB with PDBs) architectures + For multitenant, both methods automatically handle the entire CDB including all PDBs in a single operation + PDBs require manual opening and auto-open configuration post-migration **Critical success factors:** + Proper network configuration and connectivity between source and target + Exact version compatibility (major version, minor version, Release Update, and one-off patches) + Adequate network bandwidth for data transfer (RMAN) or redo shipping (Data Guard) + Understanding that RMAN active duplication keeps source online - only brief cutover needed + Thorough testing and validation before decommissioning the source + Comprehensive post-migration tasks including backup, monitoring, and security configuration **Next steps:** 1. Assess your database architecture (non-CDB or multitenant) 1. Choose the appropriate migration option based on your downtime tolerance and complexity requirements 1. Complete all prerequisite steps including EC2 instance setup and network configuration 1. Follow the detailed migration steps for your chosen option 1. Perform thorough validation and testing 1. Complete post-migration tasks to ensure production readiness 1. Decommission the RDS Custom instance after successful validation **Additional resources** + [Amazon RDS Custom for Oracle User Guide](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom.html) + [Oracle Database Documentation](https://docs.oracle.com/en/database/) + [Oracle RMAN Documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/bradv/) + [Oracle Data Guard Documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/sbydb/) + [AWS Database Migration Service](https://aws.amazon.com/dms/) + [AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/) **Support** For assistance with your migration: + Contact AWS Support through the AWS Management Console + Consult with Oracle support for database-specific questions ## **Document information** **Last updated:** March 2026 **Contributors:** + Sharath Chandra Kampili, Database Specialist Solutions Architect, Amazon Web Services + Ibrahim Emara, Database Specialist Solution Architect, Amazon Web Services + Vetrivel Subramani, Database Specialist Solution Architect, Amazon Web Services # RDS Custom for Oracle workflow **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). The following diagram shows the typical workflow for RDS Custom for Oracle. ![\[RDS Custom for Oracle architecture components\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/RDS_Custom_architecture_v2.png) The steps are as follows: 1. Upload your database software to your Amazon S3 bucket. For more information, see [Step 3: Upload your installation files to Amazon S3](custom-cev.preparing.md#custom-cev.preparing.s3). 1. Create an RDS Custom for Oracle custom engine version (CEV) from your media. Choose either the CDB architecture or the traditional non-CDB architecture. For more information, see [Creating a CEV](custom-cev.create.md). 1. Create an RDS Custom for Oracle DB instance from a CEV. For more information, see [Creating an RDS Custom for Oracle DB instance](custom-creating.md#custom-creating.create). 1. Connect your application to the DB instance endpoint. For more information, see [Connecting to your RDS Custom DB instance using SSH](custom-creating.md#custom-creating.ssh) and [Connecting to your RDS Custom DB instance using Session Manager](custom-creating.ssm.md). 1. (Optional) Access the host to customize your software. 1. Monitor notifications and messages generated by RDS Custom automation. ## Database installation files Your responsibility for media is a key difference between Amazon RDS and RDS Custom. Amazon RDS, which is a fully managed service, supplies the Amazon Machine Image (AMI) and database software. The Amazon RDS database software is preinstalled, so you need only choose a database engine and version, and create your database. For RDS Custom, you supply your own media. When you create a custom engine version, RDS Custom installs the media that you provide. RDS Custom media contains your database installation files and patches. This service model is called Bring Your Own Media (BYOM). ## Custom engine versions for RDS Custom for Oracle An RDS Custom for Oracle custom engine version (CEV) is a binary volume snapshot of a database version and AMI. By default, RDS Custom for Oracle uses the most recent AMI that Amazon EC2 makes available. You can also choose to reuse an existing AMI. ### CEV manifest After you download Oracle database installation files from Oracle, you upload them to an Amazon S3 bucket. When you create your CEV, you specify the file names in a JSON document called a CEV manifest. RDS Custom for Oracle uses the specified files and the AMI to create your CEV. RDS Custom for Oracle provides JSON manifest templates with our recommended .zip files for each supported Oracle Database release. For example, the following template is for the 19.17.0.0.0 RU. ``` { "mediaImportTemplateVersion": "2020-08-14", "databaseInstallationFileNames": [ "V982063-01.zip" ], "opatchFileNames": [ "p6880880_190000_Linux-x86-64.zip" ], "psuRuPatchFileNames": [ "p34419443_190000_Linux-x86-64.zip", "p34411846_190000_Linux-x86-64.zip" ], "otherPatchFileNames": [ "p28852325_190000_Linux-x86-64.zip", "p29997937_190000_Linux-x86-64.zip", "p31335037_190000_Linux-x86-64.zip", "p32327201_190000_Linux-x86-64.zip", "p33613829_190000_Linux-x86-64.zip", "p34006614_190000_Linux-x86-64.zip", "p34533061_190000_Linux-x86-64.zip", "p34533150_190000_Generic.zip", "p28730253_190000_Linux-x86-64.zip", "p29213893_1917000DBRU_Generic.zip", "p33125873_1917000DBRU_Linux-x86-64.zip", "p34446152_1917000DBRU_Linux-x86-64.zip" ] } ``` You can also specify installation parameters in the JSON manifest. For example, you can set nondefault values for the Oracle base, Oracle home, and the ID and name of the UNIX/Linux user and group. For more information, see [JSON fields in the CEV manifest](custom-cev.preparing.md#custom-cev.preparing.manifest.fields). ### CEV naming format Name your RDS Custom for Oracle CEV using a customer-specified string. The name format is the following, depending on your Oracle Database release: + `19.customized_string` + `18.customized_string` + `12.2.customized_string` + `12.1.customized_string` You can use 1–50 alphanumeric characters, underscores, dashes, and periods. For example, you might name your CEV `19.my_cev1`. ### Oracle multitenant architecture in RDS Custom for Oracle The Oracle multitenant architecture enables an Oracle database to function as a container database (CDB). A CDB includes zero, one, or many customer-created pluggable databases (PDBs). A PDB is a portable collection of schemas and objects that appears to an application as a traditional non-CDB. When you create an RDS Custom for Oracle CEV, you specify the either the CDB or non-CDB architecture. You can create an RDS Custom for Oracle CDB only when the CEV that you used to create it uses the Oracle multitenant architecture. For more information, see [Working with custom engine versions for Amazon RDS Custom for Oracle](custom-cev.md). ## Creating a DB instance for RDS Custom for Oracle After you create your CEV, it's available for use. You can create multiple CEVs, and you can create multiple RDS Custom for Oracle DB instances from any CEV. You can also change the status of a CEV to make it available or inactive. You can either create your RDS Custom for Oracle DB instance with the Oracle multitenant architecture (`custom-oracle-ee-cdb` or `custom-oracle-se2-cdb` engine type) or with the traditional non-CDB architecture (`custom-oracle-ee` or `custom-oracle-se2` engine type). When you create a container database (CDB), it contains one pluggable database (PDB) and one PDB seed. You can create additional PDBs manually using Oracle SQL. To create your RDS Custom for Oracle DB instance, use the `create-db-instance` command. In this command, specify which CEV to use. The procedure is similar to creating an Amazon RDS DB instance. However, some parameters are different. For more information, see [Configuring a DB instance for Amazon RDS Custom for Oracle](custom-creating.md). ## Database connection Like an Amazon RDS DB instance, an RDS Custom DB instance resides in a virtual private cloud (VPC). Your application connects to the Oracle database using an Oracle listener. If your database is a CDB, you can use the listener `L_RDSCDB_001` to connect to the CDB root and to a PDB. If you plug a non-CDB into a CDB, make sure to set `USE_SID_AS_SERVICE_LISTENER = ON` so that migrated applications keep the same settings. When you connect to a non-CDB, the master user is the user for the non-CDB. When you connect to a CDB, the master user is the user for the PDB. To connect to the CDB root, log in to the host, start a SQL client, and create an administrative user with SQL commands. ## RDS Custom customization You can access the RDS Custom host to install or customize software. To avoid conflicts between your changes and the RDS Custom automation, you can pause the automation for a specified period. During this period, RDS Custom doesn't perform monitoring or instance recovery. At the end of the period, RDS Custom resumes full automation. For more information, see [Pausing and resuming your RDS Custom DB instance](custom-managing.customizing-env.md#custom-managing.pausing). # Database architecture for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). RDS Custom for Oracle supports both the Oracle multitenant and non-multitenant architecture. **Topics** + [ ## Supported Oracle database architectures ](#custom-oracle.db-architecture.types) + [ ## Supported engine types ](#custom-oracle.db-architecture.engine-types) + [ ## Supported features in the Oracle multitenant architecture ](#custom-oracle.db-architecture.features) ## Supported Oracle database architectures The Oracle multitenant architecture, also called the CDB architecture, allows an Oracle database to function as a container database (CDB). A CDB includes pluggable databases (PDBs). A PDB is a collection of schemas and objects that appears to an application as a traditional Oracle database. For more information, see [Introduction to the Multitenant Architecture](https://docs.oracle.com/en/database/oracle/oracle-database/19/multi/introduction-to-the-multitenant-architecture.html) in the *Oracle Multitenant Administrator’s Guide*. The CDB and non-CDB architectures are mutually exclusive. If an Oracle database isn't a CDB, it's a non-CDB and so can't contain PDBs. In RDS Custom for Oracle, only Oracle Database 19c supports the CDB architecture. Thus, if you create DB instances using previous Oracle database releases, you can create only non-CDBs. For more information, see [Multitenant architecture considerations](custom-creating.md#custom-creating.overview). ## Supported engine types When you create an Amazon RDS Custom for Oracle CEV or DB instance, choose either a CDB engine type or a non-CDB engine type: + `custom-oracle-ee-cdb` and `custom-oracle-se2-cdb` These engine types specify the Oracle multitenant architecture. This option is available only for Oracle Database 19c. When you create an RDS for Oracle DB instance using the multitenant architecture, your CDB includes the following containers: + CDB root (`CDB$ROOT`) + PDB seed (`PDB$SEED`) + Initial PDB You can create more PDBs using the Oracle SQL command `CREATE PLUGGABLE DATABASE`. You can't use RDS APIs to create or delete PDBs. + `custom-oracle-ee` and `custom-oracle-se2` These engine types specify the traditional non-CDB architecture. A non-CDB can't contain pluggable databases (PDBs). For more information, see [Multitenant architecture considerations](custom-creating.md#custom-creating.overview). ## Supported features in the Oracle multitenant architecture An RDS Custom for Oracle CDB instance supports the following features: + Backups + Restoring and point-time-restore (PITR) from backups + Read replicas + Minor version upgrades # Feature availability and support for RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). In this topic, you can find a summary of the RDS Custom for Oracle feature availability and support for quick reference. **Topics** + [ ## AWS Region and database version support for RDS Custom for Oracle ](#custom-reqs-limits.RegionVersionAvailability) + [ ## Database version support for RDS Custom for Oracle ](#custom-reqs-limits.db-version) + [ ## Edition and licensing support for RDS Custom for Oracle ](#custom-oracle-feature-support.editions) + [ ## DB instance class support for RDS Custom for Oracle ](#custom-reqs-limits.instances) + [ ## Option group support for RDS Custom for Oracle ](#custom-oracle-feature-support.option-groups) ## AWS Region and database version support for RDS Custom for Oracle Feature availability and support vary across specific versions of each database engine, and across AWS Regions. For more information on version and Region availability of RDS Custom for Oracle, see [Supported Regions and DB engines for RDS Custom](Concepts.RDS_Fea_Regions_DB-eng.Feature.RDSCustom.md). ## Database version support for RDS Custom for Oracle RDS Custom for Oracle supports the following Oracle database versions: + Oracle Database 19c + Oracle Database 18c + Oracle Database 12c Release 2 (12.2) + Oracle Database 12c Release 1 (12.1) ## Edition and licensing support for RDS Custom for Oracle RDS Custom for Oracle supports Enterprise Edition (EE) and Standard Edition 2 (SE2) on the BYOL model. Note the following limitations for Standard Edition 2: + Oracle Data Guard isn't supported. Thus, you can't create Oracle read replicas. + You can only use DB instance classes that have 16 or fewer vCPUs (up to 4xlarge). + A CDB instance on Standard Edition 2 supports a maximum of 3 tenant databases. + You can't migrate data between Enterprise Edition and Standard Edition 2. ## DB instance class support for RDS Custom for Oracle RDS Custom for Oracle supports the following DB instance classes. If you create a DB instance on Standard Edition 2, you can only use instance classes with 16 or fewer vCPUs (up to 4x large). | Type | Size | | --- | --- | | db.m7i | db.m7i.large \$1 db.m7i.xlarge \$1 db.m7i.2xlarge \$1 db.m7i.4xlarge \$1 db.m7i.8xlarge \$1 db.m7i.12xlarge \$1 db.m7i.16xlarge \$1 db.m7i.24xlarge \$1 db.m7i.48xlarge \$1 db.m7i.metal-24xl \$1 db.m7i.metal-48xl | | db.m6i | db.m6i.large \$1 db.m6i.xlarge \$1 db.m6i.2xlarge \$1 db.m6i.4xlarge \$1 db.m6i.8xlarge \$1 db.m6i.12xlarge \$1 db.m6i.16xlarge \$1 db.m6i.24xlarge \$1 db.m6i.32xlarge \$1 db.m6i.metal | | db.m6id | db.m6id.metal | | db.m6in | db.m6in.metal | | db.m5 | db.m5.large \$1 db.m5.xlarge \$1 db.m5.2xlarge \$1 db.m5.4xlarge \$1 db.m5.8xlarge \$1 db.m5.12xlarge \$1 db.m5.16xlarge \$1 db.m5.24xlarge | | db.r7i | db.r7i.large \$1 db.r7i.xlarge \$1 db.r7i.2xlarge \$1 db.r7i.4xlarge \$1 db.r7i.8xlarge \$1 db.r7i.12xlarge \$1 db.r7i.16xlarge \$1 db.r7i.24xlarge \$1 db.r7i.48xlarge \$1 db.r7i.metal-24xl \$1 db.r7i.metal-48xl | | db.r6i | db.r6i.large \$1 db.r6i.xlarge \$1 db.r6i.2xlarge \$1 db.r6i.4xlarge \$1 db.r6i.8xlarge \$1 db.r6i.12xlarge \$1 db.r6i.16xlarge \$1 db.r6i.24xlarge \$1 db.r6i.32xlarge \$1 db.r6i.metal | | db.r6id | db.r6id.metal | | db.r6in | db.r6in.metal | | db.r5b | db.r5b.large \$1 db.r5b.xlarge \$1 db.r5b.2xlarge \$1 db.r5b.4xlarge \$1 db.r5b.8xlarge \$1 db.r5b.12xlarge \$1 db.r5b.16xlarge \$1 db.r5b.24xlarge | | db.r5 | db.r5.large \$1 db.r5.xlarge \$1 db.r5.2xlarge \$1 db.r5.4xlarge \$1 db.r5.8xlarge \$1 db.r5.12xlarge \$1 db.r5.16xlarge \$1 db.r5.24xlarge | | db.x2iedn | db.x2iedn.xlarge \$1 db.x2iedn.2xlarge \$1 db.x2iedn.4xlarge \$1 db.x2iedn.8xlarge \$1 db.x2iedn.16xlarge \$1 db.x2iedn.24xlarge \$1 db.x2iedn.32xlarge \$1 db.x2iedn.metal | | db.x2idn | db.x2idn.metal | | db.x2iezn | db.x2iezn.2xlarge \$1 db.x2iezn.4xlarge \$1 db.x2iezn.6xlarge \$1 db.x2iezn.8xlarge \$1 db.x2iezn.12xlarge \$1 db.x2iezn.metal | | db.t3 | db.t3.medium \$1 db.t3.large \$1 db.t3.xlarge \$1 db.t3.2xlarge | ## Option group support for RDS Custom for Oracle You can specify an option group when you create or modify an RDS Custom for Oracle DB instance. For more information, see [Working with option groups in RDS Custom for Oracle](custom-oracle-option-groups.md). # RDS Custom for Oracle requirements and limitations **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). In this topic, you can find a summary of the Amazon RDS Custom for Oracle feature availability and requirements for quick reference. **Topics** + [ ## General requirements for RDS Custom for Oracle ](#custom-reqs-limits.reqs) + [ ## General limitations for RDS Custom for Oracle ](#custom-reqs-limits.limits) + [ ## CEV and AMI limitations for RDS Custom for Oracle ](#custom-reqs-limits.cev-limits) + [ ## Unsupported settings for create and modify workflows ](#custom-reqs-limits.unsupported-settings) + [ ## DB instance quotas for your AWS account ](#custom-reqs-limits.quotas) ## General requirements for RDS Custom for Oracle Make sure to meet the following requirements for Amazon RDS Custom for Oracle: + You have access to [My Oracle Support](https://support.oracle.com/portal/) and [Oracle Software Delivery Cloud](https://edelivery.oracle.com/osdc/faces/Home.jspx) to download the supported list of installation files and patches for RDS Custom for Oracle. If you use an unknown patch, custom engine version (CEV) creation fails. In this case, contact the RDS Custom support team and ask it to add the missing patch. For more information, see [Step 2: Download your database installation files and patches from Oracle Software Delivery Cloud](custom-cev.preparing.md#custom-cev.preparing.download). + You have access to Amazon S3. You need this service for the following reasons: + You upload your Oracle installation files to S3 buckets. You use the uploaded installation files to create your RDS Custom CEV. + RDS Custom for Oracle uses scripts downloaded from internally defined S3 buckets to perform actions on your DB instances. These scripts are necessary for onboarding and RDS Custom automation. + RDS Custom for Oracle uploads certain files to S3 buckets located in your customer account. These buckets use the following naming format: `do-not-delete-rds-custom-`*account\$1id*-*region*-*uuid*. For example, you might have a bucket named `do-not-delete-rds-custom-123456789012-us-east-1-12a3b4`. For more information, see [Step 3: Upload your installation files to Amazon S3](custom-cev.preparing.md#custom-cev.preparing.s3) and [Creating a CEV](custom-cev.create.md). + You use the DB instance classes listed in [DB instance class support for RDS Custom for Oracle](custom-oracle-feature-support.md#custom-reqs-limits.instances) to create your RDS Custom for Oracle DB instances. + Your RDS Custom for Oracle DB instances run Oracle Linux 8 (recommended) or Oracle Linux 7. If you require Oracle Linux 7, contact Support. For more information, see [Considerations for RDS Custom for Oracle database upgrades](custom-upgrading-considerations.md). + You specify the gp2, gp3, or io1 solid state drives for Amazon EBS storage. The maximum storage size is 64 TiB. + You have an AWS KMS key to create an RDS Custom for Oracle DB instance. For more information, see [Step 1: Create or reuse a symmetric encryption AWS KMS key](custom-setup-orcl.md#custom-setup-orcl.cmk). + You have the AWS Identity and Access Management (IAM) role and instance profile required for creating RDS Custom for Oracle DB instances. For more information, see [Step 4: Configure IAM for RDS Custom for Oracle](custom-setup-orcl.md#custom-setup-orcl.iam-vpc). + The AWS Identity and Access Management (IAM) user that creates a CEV or RDS Custom DB instance has the required permissions for IAM, CloudTrail, and Amazon S3. For more information, see [Step 5: Grant required permissions to your IAM user or role](custom-setup-orcl.md#custom-setup-orcl.iam-user). + You supply your own virtual private cloud (VPC) and security group configuration. For more information, see [Step 6: Configure your VPC for RDS Custom for Oracle](custom-setup-orcl.md#custom-setup-orc.vpc-config). + You supply a networking configuration that RDS Custom for Oracle can use to access other AWS services. For specific requirements, see [Step 4: Configure IAM for RDS Custom for Oracle](custom-setup-orcl.md#custom-setup-orcl.iam-vpc). ## General limitations for RDS Custom for Oracle The following limitations apply to RDS Custom for Oracle: + You can't modify the DB instance identifier of an existing RDS Custom for Oracle DB instance. + You can't specify the Oracle multitenant architecture for any release except Oracle Database 19c. + You can't create multiple Oracle databases on a single RDS Custom for Oracle DB instance. + You can’t stop your RDS Custom for Oracle DB instance or its underlying Amazon EC2 instance. Billing for an RDS Custom for Oracle DB instance can't be stopped. + You can't use automatic shared memory management because RDS Custom for Oracle supports automatic memory management only. For more information, see [Automatic Memory Management](https://docs.oracle.com/en/database/oracle/oracle-database/19/admin/managing-memory.html#GUID-04EFED7D-D1F1-43C3-B78F-0FF9AFAC02B0) in the *Oracle Database Administrator’s Guide*. + Make sure not to change the `DB_UNIQUE_NAME` for the primary DB instance. Changing the name causes any restore operation to become stuck. + You can't make more than 20 snapshot copies at the same time in the same Region. + You can't use the `describe-reserved-db-instances` API for RDS Custom for Oracle DB instances. For limitations specific to modifying an RDS Custom for Oracle DB instance, see [Modifying your RDS Custom for Oracle DB instance](custom-managing.modifying.md). For replication limitations, see [General limitations for RDS Custom for Oracle replication](custom-rr.reqs-limitations.md#custom-rr.limitations). ## CEV and AMI limitations for RDS Custom for Oracle The following limitations apply to RDS Custom for Oracle CEVs and AMIs: + You can't provide your own AMI for use in an RDS Custom for Oracle CEV. You can specify either the default AMI, which uses Oracle Linux 8, or an AMI that has been previously used by an RDS Custom for Oracle CEV. **Note** RDS Custom for Oracle releases a new default AMI when common vulnerabilities and exposures are discovered. No fixed schedule is available or guaranteed. RDS Custom for Oracle tends to publish a new default AMI every 30 days. + You can't modify a CEV to use a different AMI. + You can't create a CDB instance from a CEV that uses the `custom-oracle-ee` or `custom-oracle-se2` engine types. The CEV must use `custom-oracle-ee-cdb` or `custom-oracle-se2-cdb`. + RDS Custom for Oracle doesn't currently allow you to upgrade the OS of your RDS Custom for Oracle DB instance with RDS API calls. As a workaround, you can update your OS manually with the following command: `sudo yum update --security`. ## Unsupported settings for create and modify workflows When you create or modify an RDS Custom for Oracle DB instance, you can't do the following: + Change the number of CPU cores and threads per core on the DB instance class. + Turn on storage autoscaling. + Set backup retention to `0`. + Configure Kerberos authentication. + Specify your own DB parameter group or option group. + Turn on Performance Insights. + Turn on automatic minor version upgrade. ## DB instance quotas for your AWS account Make sure that the combined number of RDS Custom and Amazon RDS DB instances doesn't exceed your quota limit. For example, if your quota for Amazon RDS is 40 DB instances, you can have 20 RDS Custom for Oracle DB instances and 20 Amazon RDS DB instances. # Setting up your environment for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Before you create an Amazon RDS Custom for Oracle DB instance, perform the following tasks. **Topics** + [ ## Step 1: Create or reuse a symmetric encryption AWS KMS key ](#custom-setup-orcl.cmk) + [ ## Step 2: Download and install the AWS CLI ](#custom-setup-orcl.cli) + [ ## Step 3: Extract the CloudFormation templates for RDS Custom for Oracle ](#custom-setup-orcl.cf.downloading) + [ ## Step 4: Configure IAM for RDS Custom for Oracle ](#custom-setup-orcl.iam-vpc) + [ ## Step 5: Grant required permissions to your IAM user or role ](#custom-setup-orcl.iam-user) + [ ## Step 6: Configure your VPC for RDS Custom for Oracle ](#custom-setup-orc.vpc-config) ## Step 1: Create or reuse a symmetric encryption AWS KMS key *Customer managed keys* are AWS KMS keys in your AWS account that you create, own, and manage. A customer managed symmetric encryption KMS key is required for RDS Custom. When you create an RDS Custom for Oracle DB instance, you supply the KMS key identifier. For more information, see [Configuring a DB instance for Amazon RDS Custom for Oracle](custom-creating.md). You have the following options: + If you have an existing customer managed KMS key in your AWS account, you can use it with RDS Custom. No further action is necessary. + If you already created a customer managed symmetric encryption KMS key for a different RDS Custom engine, you can reuse the same KMS key. No further action is necessary. + If you don't have an existing customer managed symmetric encryption KMS key in your account, create a KMS key by following the instructions in [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*. + If you're creating a CEV or RDS Custom DB instance, and your KMS key is in a different AWS account, make sure to use the AWS CLI. You can't use the AWS console with cross-account KMS keys. **Important** RDS Custom doesn't support AWS managed KMS keys. Make sure that your symmetric encryption key grants access to the `kms:Decrypt` and `kms:GenerateDataKey` operations to the AWS Identity and Access Management (IAM) role in your IAM instance profile. If you have a new symmetric encryption key in your account, no changes are required. Otherwise, make sure that your symmetric encryption key's policy grants access to these operations. For more information, see [Step 4: Configure IAM for RDS Custom for Oracle](#custom-setup-orcl.iam-vpc). For more information about configuring IAM for RDS Custom for Oracle, see [Step 4: Configure IAM for RDS Custom for Oracle](#custom-setup-orcl.iam-vpc). ## Step 2: Download and install the AWS CLI AWS provides you with a command-line interface to use RDS Custom features. You can use either version 1 or version 2 of the AWS CLI. For information about downloading and installing the AWS CLI, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). Skip this step if either of the following is true: + You plan to access RDS Custom only from the AWS Management Console. + You have already downloaded the AWS CLI for Amazon RDS or a different RDS Custom DB engine. ## Step 3: Extract the CloudFormation templates for RDS Custom for Oracle To simplify setup, we strongly recommend that you use CloudFormation templates to create CloudFormation stacks. If you plan to configure IAM and your VPC manually, skip this step. **Topics** + [ ### Step 3a: Download the CloudFormation template files ](#custom-setup-orcl.cf.dl-templates) + [ ### Step 3b: Extract custom-oracle-iam.json ](#custom-setup-orcl.cf.downloading.ca-role) + [ ### Step 3c: Extract custom-vpc.json ](#custom-setup-orcl.cf.downloading.ca-pn) ### Step 3a: Download the CloudFormation template files A CloudFormation template is a declaration of the AWS resources that make up a stack. The template is stored as a JSON file. **To download the CloudFormation template files** 1. Open the context (right-click) menu for the link [custom-oracle-iam.zip](samples/custom-oracle-iam.zip) and choose **Save Link As**. 1. Save the file to your computer. 1. Repeat the previous steps for the link [custom-vpc.zip](samples/custom-vpc.zip). If you already configured your VPC for RDS Custom, skip this step. ### Step 3b: Extract custom-oracle-iam.json Open the `custom-oracle-iam.zip` file that you downloaded, and then extract the file `custom-oracle-iam.json`. The beginning of the file looks like the following. ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "EncryptionKey": { "Type": "String", "Default": "*", "Description": "KMS Key ARN for encryption of data managed by RDS Custom and by DB Instances." } }, "Resources": { "RDSCustomInstanceServiceRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Sub": "AWSRDSCustomInstanceRole-${AWS::Region}" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ] },... ``` ### Step 3c: Extract custom-vpc.json **Note** If you already configured an existing VPC for RDS Custom for Oracle, skip this step. For more information, see [Configure your VPC manually for RDS Custom for Oracle](#custom-setup-orcl.vpc). Open the `custom-vpc.zip` file that you downloaded, and then extract the file `custom-vpc.json`. The beginning of the file looks like the following. ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "PrivateVpc": { "Type": "AWS::EC2::VPC::Id", "Description": "Private VPC Id to use for RDS Custom DB Instances" }, "PrivateSubnets": { "Type": "List", "Description": "Private Subnets to use for RDS Custom DB Instances" }, "RouteTable": { "Type": "String", "Description": "Route Table that must be associated with the PrivateSubnets and used by S3 VPC Endpoint", "AllowedPattern": "rtb-[0-9a-z]+" } }, "Resources": { "DBSubnetGroup": { "Type": "AWS::RDS::DBSubnetGroup", "Properties": { "DBSubnetGroupName": "rds-custom-private", "DBSubnetGroupDescription": "RDS Custom Private Network", "SubnetIds": { "Ref": "PrivateSubnets" } } },... ``` ## Step 4: Configure IAM for RDS Custom for Oracle You use an IAM role or IAM user (known as an IAM entity) to create an RDS Custom DB instance using the console or AWS CLI. This IAM entity must have the necessary permissions for instance creation. You can configure IAM using either CloudFormation or manual steps. **Important** We strongly recommend that you configure your RDS Custom for Oracle environment using CloudFormation. This technique is the easiest and least error-prone. **Topics** + [ ### Configure IAM using CloudFormation ](#custom-setup-orcl.cf.config-iam) + [ ### Create your IAM role and instance profile manually ](#custom-setup-orcl.iam) ### Configure IAM using CloudFormation When you use the CloudFormation template for IAM, it creates the following required resources: + An instance profile named `AWSRDSCustomInstanceProfile-region` + A service role named `AWSRDSCustomInstanceRole-region` + An access policy named `AWSRDSCustomIamRolePolicy` that is attached to the service role **To configure IAM using CloudFormation** 1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/). 1. Start the Create Stack wizard, and choose **Create Stack**. 1. On the **Create stack** page, do the following: 1. For **Prepare template**, choose **Template is ready**. 1. For **Template source**, choose **Upload a template file**. 1. For **Choose file**, navigate to, then choose **custom-oracle-iam.json**. 1. Choose **Next**. 1. On the **Specify stack details** page, do the following: 1. For **Stack name**, enter **custom-oracle-iam**. 1. Choose **Next**. 1. On the **Configure stack options page**, choose **Next**. 1. On the **Review custom-oracle-iam** page, do the following: 1. Select the ****I acknowledge that CloudFormation might create IAM resources with custom names**** check box. 1. Choose **Submit**. CloudFormation creates the IAM roles that RDS Custom for Oracle requires. In the left panel, when **custom-oracle-iam** shows **CREATE\$1COMPLETE**, proceed to the next step. 1. In the left panel, choose **custom-oracle-iam**. In the right panel, do the following: 1. Choose **Stack info**. Your stack has an ID in the format **arn:aws:cloudformation:*region*:*account-no*:stack/custom-oracle-iam/*identifier***. 1. Choose **Resources**. You should see the following: + An instance profile named **AWSRDSCustomInstanceProfile-*region*** + A service role named **AWSRDSCustomInstanceRole-*region*** When you create your RDS Custom DB instance, you need to supply the instance profile ID. ### Create your IAM role and instance profile manually Configuration is easiest when you use CloudFormation. However, you can also configure IAM manually. For manual setup, do the following: + [Step 1: Create the IAM role AWSRDSCustomInstanceRoleForRdsCustomInstance](#custom-setup-orcl.iam.create-role). + [Step 2: Add an access policy to AWSRDSCustomInstanceRoleForRdsCustomInstance](#custom-setup-orcl.iam.add-policy). + [Step 2: Add an access policy to AWSRDSCustomInstanceRoleForRdsCustomInstance](#custom-setup-orcl.iam.create-profile). + [Step 4: Add AWSRDSCustomInstanceRoleForRdsCustomInstance to AWSRDSCustomInstanceProfile](#custom-setup-orcl.iam.add-profile). #### Step 1: Create the IAM role AWSRDSCustomInstanceRoleForRdsCustomInstance In this step, you create the role using the naming format `AWSRDSCustomInstanceRole-region`. Using the trust policy, Amazon EC2 can assume the role. The following example assumes that you have set the environment variable `$REGION` to the AWS Region in which you want to create your DB instance. ``` aws iam create-role \ --role-name AWSRDSCustomInstanceRole-$REGION \ --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ] }' ``` #### Step 2: Add an access policy to AWSRDSCustomInstanceRoleForRdsCustomInstance When you embed an inline policy in an IAM role, the inline policy is used as part of the role's access (permissions) policy. You create the `AWSRDSCustomIamRolePolicy` policy that permits Amazon EC2 to send and receive messages and perform various actions. The following example creates the access policy named `AWSRDSCustomIamRolePolicy`, and adds it to the IAM role `AWSRDSCustomInstanceRole-region`. This example assumes that you have set the following environment variables: `$REGION` Set this variable to the AWS Region in which you plan to create your DB instance. `$ACCOUNT_ID` Set this variable to your AWS account number. `$KMS_KEY` Set this variable to the Amazon Resource Name (ARN) of the AWS KMS key that you want to use for your RDS Custom DB instances. To specify more than one KMS key, add it to the `Resources` section of statement ID (Sid) 11. ``` aws iam put-role-policy \ --role-name AWSRDSCustomInstanceRole-$REGION \ --policy-name AWSRDSCustomIamRolePolicy \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "1", "Effect": "Allow", "Action": [ "ssm:DescribeAssociation", "ssm:GetDeployablePatchSnapshotForInstance", "ssm:GetDocument", "ssm:DescribeDocument", "ssm:GetManifest", "ssm:GetParameter", "ssm:GetParameters", "ssm:ListAssociations", "ssm:ListInstanceAssociations", "ssm:PutInventory", "ssm:PutComplianceItems", "ssm:PutConfigurePackageResult", "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation", "ssm:GetConnectionStatus", "ssm:DescribeInstanceInformation", "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": [ "*" ] }, { "Sid": "2", "Effect": "Allow", "Action": [ "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage", "ec2messages:GetEndpoint", "ec2messages:GetMessages", "ec2messages:SendReply" ], "Resource": [ "*" ] }, { "Sid": "3", "Effect": "Allow", "Action": [ "logs:PutRetentionPolicy", "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:CreateLogStream", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:'$REGION':'$ACCOUNT_ID':log-group:rds-custom-instance*" ] }, { "Sid": "4", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::do-not-delete-rds-custom-*/*" ] }, { "Sid": "5", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "cloudwatch:namespace": [ "RDSCustomForOracle/Agent" ] } } }, { "Sid": "6", "Effect": "Allow", "Action": [ "events:PutEvents" ], "Resource": [ "*" ] }, { "Sid": "7", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": [ "arn:aws:secretsmanager:'$REGION':'$ACCOUNT_ID':secret:do-not-delete-rds-custom-*", "arn:aws:secretsmanager:'$REGION':'$ACCOUNT_ID':secret:rds-custom!oracle-do-not-delete-*" ] }, { "Sid": "8", "Effect": "Allow", "Action": [ "s3:ListBucketVersions" ], "Resource": [ "arn:aws:s3:::do-not-delete-rds-custom-*" ] }, { "Sid": "9", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "StringEquals": { "ec2:ResourceTag/AWSRDSCustom": "custom-oracle" } } }, { "Sid": "10", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": [ "arn:aws:ec2:*::snapshot/*" ] }, { "Sid": "11", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:'$REGION':'$ACCOUNT_ID':key/'$KMS_KEY'" ] }, { "Sid": "12", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*", "Condition": { "StringLike": { "ec2:CreateAction": [ "CreateSnapshots" ] } } }, { "Sid": "13", "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": "arn:aws:sqs:'$REGION':'$ACCOUNT_Id':do-not-delete-rds-custom-*", "Condition": { "StringLike": { "aws:ResourceTag/AWSRDSCustom": "custom-oracle" } } } ] }' ``` #### Step 3: Create the RDS Custom instance profile AWSRDSCustomInstanceProfile An instance profile is a container that includes a single IAM role. RDS Custom uses the instance profile to pass the role to the instance. If you use the CLI to create a role, you create the role and instance profile as separate actions, with potentially different names. Create your IAM instance profile as follows, naming it using the format `AWSRDSCustomInstanceProfile-region`. The following example assumes that you have set the environment variable `$REGION` to the AWS Region in which you want to create your DB instance. ``` aws iam create-instance-profile \ --instance-profile-name AWSRDSCustomInstanceProfile-$REGION ``` #### Step 4: Add AWSRDSCustomInstanceRoleForRdsCustomInstance to AWSRDSCustomInstanceProfile Add your IAM role to the instance profile that you previously created. The following example assumes that you have set the environment variable `$REGION` to the AWS Region in which you want to create your DB instance. ``` aws iam add-role-to-instance-profile \ --instance-profile-name AWSRDSCustomInstanceProfile-$REGION \ --role-name AWSRDSCustomInstanceRole-$REGION ``` ## Step 5: Grant required permissions to your IAM user or role Make sure that the IAM principal (user or role) that creates the CEV or RDS Custom DB instance has either of the following policies: + The `AdministratorAccess` policy + The `AmazonRDSFullAccess` policy with required permissions for Amazon S3 and AWS KMS, CEV creation, and DB instance creation **Topics** + [ ### IAM permissions required for Amazon S3 and AWS KMS ](#custom-setup-orcl.s3-kms) + [ ### IAM permissions required for creating a CEV ](#custom-setup-orcl.cev) + [ ### IAM permissions required for creating a DB instance from a CEV ](#custom-setup-orcl.db) ### IAM permissions required for Amazon S3 and AWS KMS To create CEVs or RDS Custom for Oracle DB instances, your IAM principal needs to access Amazon S3 and AWS KMS. The following sample JSON policy grants the required permissions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CreateS3Bucket", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketVersioning" ], "Resource": "arn:aws:s3:::do-not-delete-rds-custom-*" }, { "Sid": "CreateKmsGrant", "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:DescribeKey" ], "Resource": "*" } ] } ``` ------ For more information about the `kms:CreateGrant` permission, see [AWS KMS key management](Overview.Encryption.Keys.md). ### IAM permissions required for creating a CEV To create a CEV, your IAM principal needs the following additional permissions: ``` s3:GetObjectAcl s3:GetObject s3:GetObjectTagging s3:ListBucket mediaimport:CreateDatabaseBinarySnapshot ``` The following sample JSON policy grants the additional permissions necessary to access bucket *my-custom-installation-files* and its contents. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AccessToS3MediaBucket", "Effect": "Allow", "Action": [ "s3:GetObjectAcl", "s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::my-custom-installation-files", "arn:aws:s3:::my-custom-installation-files/*" ] }, { "Sid": "PermissionForByom", "Effect": "Allow", "Action": [ "mediaimport:CreateDatabaseBinarySnapshot" ], "Resource": "*" } ] } ``` ------ You can grant similar permissions for Amazon S3 to caller accounts using an S3 bucket policy. ### IAM permissions required for creating a DB instance from a CEV To create an RDS Custom for Oracle DB instance from an existing CEV, the IAM principal needs the following additional permissions. ``` iam:SimulatePrincipalPolicy cloudtrail:CreateTrail cloudtrail:StartLogging ``` The following sample JSON policy grants the permissions necessary to validate an IAM role and log information to an AWS CloudTrail. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ValidateIamRole", "Effect": "Allow", "Action": "iam:SimulatePrincipalPolicy", "Resource": "*" }, { "Sid": "CreateCloudTrail", "Effect": "Allow", "Action": [ "cloudtrail:CreateTrail", "cloudtrail:StartLogging" ], "Resource": "arn:aws:cloudtrail:*:*:trail/do-not-delete-rds-custom-*" } ] } ``` ------ ## Step 6: Configure your VPC for RDS Custom for Oracle Your RDS Custom DB instance is in a virtual private cloud (VPC) based on the Amazon VPC service, just like an Amazon EC2 instance or Amazon RDS instance. You provide and configure your own VPC. Unlike RDS Custom for SQL Server, RDS Custom for Oracle doesn't create an access control list or security groups. You must attach you own security group, subnets, and route tables. You can configure your virtual private cloud (VPC) using either CloudFormation or a manual process. **Important** We strongly recommend that you configure your RDS Custom for Oracle environment using CloudFormation. This technique is the easiest and least error-prone. **Topics** + [ ### Configure your VPC using CloudFormation (recommended) ](#custom-setup-orcl.cf.config-vpc) + [ ### Configure your VPC manually for RDS Custom for Oracle ](#custom-setup-orcl.vpc) ### Configure your VPC using CloudFormation (recommended) If you've already configured your VPC for a different RDS Custom engine, and want to reuse the existing VPC, skip this step. This section assumes the following: + You've already used CloudFormation to create your IAM instance profile and role. + You know your route table ID. For a DB instance to be private, it must be in a private subnet. For a subnet to be private, it must not be associated with a route table that has a default internet gateway. For more information, see [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide*. When you use the CloudFormation template for your VPC, it creates the following resources: + A private VPC + A subnet group named `rds-custom-private` + The following VPC endpoints, which your DB instance uses to communicate with dependent AWS services: + `com.amazonaws.region.ec2messages` + `com.amazonaws.region.events` + `com.amazonaws.region.logs` + `com.amazonaws.region.monitoring` + `com.amazonaws.region.s3` + `com.amazonaws.region.secretsmanager` + `com.amazonaws.region.ssm` + `com.amazonaws.region.ssmmessages` If you're creating a Multi-AZ deployment: + `com.amazonaws.region.sqs` **Note** For a complex networking setup with existing accounts, we recommend that you configure access to dependent services manually if access doesn't already exist. For more information, see [Make sure your VPC can access dependent AWS services](#custom-setup-orcl.vpc.endpoints). **To configure your VPC using CloudFormation** 1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/). 1. Start the Create Stack wizard, and choose **Create Stack** and then **With new resources (standard)**. 1. On the **Create stack** page, do the following: 1. For **Prepare template**, choose **Template is ready**. 1. For **Template source**, choose **Upload a template file**. 1. For **Choose file**, navigate to, then choose `custom-vpc.json`. 1. Choose **Next**. 1. On the **Specify stack details** page, do the following: 1. For **Stack name**, enter **custom-vpc**. 1. For **Parameters**, choose the private subnets to use for RDS Custom DB instances. 1. Choose the private VPC ID to use for RDS Custom DB instances. 1. Enter the route table associated with the private subnets. 1. Choose **Next**. 1. On the **Configure stack options page**, choose **Next**. 1. On the **Review custom-vpc** page, choose **Submit**. CloudFormation configures your private VPC. In the left panel, when **custom-vpc** shows **CREATE\$1COMPLETE**, proceed to the next step. 1. (Optional) Review the details of your VPC. In the **Stacks** pane, choose **custom-vpc**. In the right pane, do the following: 1. Choose **Stack info**. Your stack has an ID in the format **arn:aws:cloudformation:*region*:*account-no*:stack/custom-vpc/*identifier***. 1. Choose **Resources**. You should see a subnet group named **rds-custom-private** and several VPC endpoints that use the naming format **vpce-*string***. Each endpoint corresponds to an AWS service that RDS Custom needs to communicate with. For more information, see [Make sure your VPC can access dependent AWS services](#custom-setup-orcl.vpc.endpoints). 1. Choose **Parameters**. You should see the private subnets, private VPC, and the route table that you specified when you created the stack. When you create a DB instance, you need to supply the VPC ID and subnet group. ### Configure your VPC manually for RDS Custom for Oracle As an alternative to automating VPC creation with CloudFormation, you can configure your VPC manually. This option might be best when you have a complex networking setup that uses existing resources. **Topics** + [ #### Make sure your VPC can access dependent AWS services ](#custom-setup-orcl.vpc.endpoints) + [ #### Configure the instance metadata service ](#custom-setup-orcl.vpc.imds) #### Make sure your VPC can access dependent AWS services RDS Custom sends communication from your DB instance to other AWS services. Make sure the following services are accessible from the subnet in which you create your RDS Custom DB instances: + Amazon CloudWatch (`com.amazonaws.region.monitoring`) + Amazon CloudWatch Logs (`com.amazonaws.region.logs`) + Amazon CloudWatch Events (`com.amazonaws.region.events`) + Amazon EC2 (`com.amazonaws.region.ec2` and `com.amazonaws.region.ec2messages`) + Amazon S3 (`com.amazonaws.region.s3`) + AWS Secrets Manager (`com.amazonaws.region.secretsmanager`) + AWS Systems Manager (`com.amazonaws.region.ssm` and `com.amazonaws.region.ssmmessages`) If creating Multi-AZ deployments + Amazon Simple Queue Service (`com.amazonaws.region.sqs`) If RDS Custom can't communicate with the necessary services, it publishes the following events: ``` Database instance in incompatible-network. SSM Agent connection not available. Amazon RDS can't connect to the dependent AWS services. ``` ``` Database instance in incompatible-network. Amazon RDS can't connect to dependent AWS services. Make sure port 443 (HTTPS) allows outbound connections, and try again. "Failed to connect to the following services: s3 events" ``` To avoid `incompatible-network` errors, make sure that VPC components involved in communication between your RDS Custom DB instance and AWS services satisfy the following requirements: + The DB instance can make outbound connections on port 443 to other AWS services. + The VPC allows incoming responses to requests originating from your RDS Custom DB instance. + RDS Custom can correctly resolve the domain names of endpoints for each AWS service. If you already configured a VPC for a different RDS Custom DB engine, you can reuse that VPC and skip this process. #### Configure the instance metadata service Make sure that your instance can do the following: + Access the instance metadata service using Instance Metadata Service Version 2 (IMDSv2). + Allow outbound communications through port 80 (HTTP) to the IMDS link IP address. + Request instance metadata from `http://169.254.169.254`, the IMDSv2 link. For more information, see [Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) in the *Amazon EC2 User Guide*. RDS Custom for Oracle automation uses IMDSv2 by default, by setting `HttpTokens=enabled` on the underlying Amazon EC2 instance. However, you can use IMDSv1 if you want. For more information, see [Configure the instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html) in the *Amazon EC2 User Guide*. # Working with custom engine versions for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). A *custom engine version (CEV)* for Amazon RDS Custom for Oracle is a binary volume snapshot of a database engine and specific Amazon Machine Image (AMI). By default, RDS Custom for Oracle uses the latest available AMI managed by RDS Custom, but you can specify an AMI that was used in a previous CEV. You store your database installation files in Amazon S3. RDS Custom uses the installation files and the AMI to create your CEV for you. **Topics** + [ # Preparing to create a CEV ](custom-cev.preparing.md) + [ # Creating a CEV ](custom-cev.create.md) + [ # Modifying CEV status ](custom-cev.modify.md) + [ # Viewing CEV details for Amazon RDS Custom for Oracle ](custom-cev.view.md) + [ # Deleting a CEV ](custom-cev.delete.md) # Preparing to create a CEV **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). To create a CEV, access the installation files and patches that are stored in your Amazon S3 bucket for any of the following releases: + Oracle Database 19c + Oracle Database 18c + Oracle Database 12c Release 2 (12.2) + Oracle Database 12c Release 1 (12.1) For example, you can use the April 2021 RU/RUR for Oracle Database 19c, or any valid combination of installation files and patches. For more information on the versions and Regions supported by RDS Custom for Oracle, see [RDS Custom with RDS for Oracle](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RDS_Fea_Regions_DB-eng.Feature.RDSCustom.html#Concepts.RDS_Fea_Regions_DB-eng.Feature.RDSCustom.ora). **Topics** + [ ## Step 1 (Optional): Download the manifest templates ](#custom-cev.preparing.templates) + [ ## Step 2: Download your database installation files and patches from Oracle Software Delivery Cloud ](#custom-cev.preparing.download) + [ ## Step 3: Upload your installation files to Amazon S3 ](#custom-cev.preparing.s3) + [ ## Step 4 (Optional): Share your installation media in S3 across AWS accounts ](#custom-cev.preparing.accounts) + [ ## Step 5: Prepare the CEV manifest ](#custom-cev.preparing.manifest) + [ ## Step 6 (Optional): Validate the CEV manifest ](#custom-cev.preparing.validating) + [ ## Step 7: Add necessary IAM permissions ](#custom-cev.preparing.iam) ## Step 1 (Optional): Download the manifest templates A *CEV manifest* is a JSON document that includes the list of database installation .zip files for your CEV. To create a CEV, do the following: 1. Identify the Oracle database installation files that you want to include in your CEV. 1. Download the installation files. 1. Create a JSON manifest that lists the installation files. RDS Custom for Oracle provides JSON manifest templates with our recommended .zip files for each supported Oracle Database release. For example, the following template is for the 19.17.0.0.0 RU. ``` { "mediaImportTemplateVersion": "2020-08-14", "databaseInstallationFileNames": [ "V982063-01.zip" ], "opatchFileNames": [ "p6880880_190000_Linux-x86-64.zip" ], "psuRuPatchFileNames": [ "p34419443_190000_Linux-x86-64.zip", "p34411846_190000_Linux-x86-64.zip" ], "otherPatchFileNames": [ "p28852325_190000_Linux-x86-64.zip", "p29997937_190000_Linux-x86-64.zip", "p31335037_190000_Linux-x86-64.zip", "p32327201_190000_Linux-x86-64.zip", "p33613829_190000_Linux-x86-64.zip", "p34006614_190000_Linux-x86-64.zip", "p34533061_190000_Linux-x86-64.zip", "p34533150_190000_Generic.zip", "p28730253_190000_Linux-x86-64.zip", "p29213893_1917000DBRU_Generic.zip", "p33125873_1917000DBRU_Linux-x86-64.zip", "p34446152_1917000DBRU_Linux-x86-64.zip" ] } ``` Each template has an associated readme that includes instructions for downloading the patches, URLs for the .zip files, and file checksums. You can use these templates as they are or modify them with your own patches. To review the templates, download [custom-oracle-manifest.zip](samples/custom-oracle-manifest.zip) to your local disk and then open it with a file archiving application. For more information, see [Step 5: Prepare the CEV manifest](#custom-cev.preparing.manifest). ## Step 2: Download your database installation files and patches from Oracle Software Delivery Cloud When you have identified the installation files that you want for your CEV, download them to your local system. The Oracle Database installation files and patches are hosted on Oracle Software Delivery Cloud. Each CEV requires a base release, such as Oracle Database 19c or Oracle Database 12c Release 2 (12.2), and an optional list of patches. **To download the database installation files for Oracle Database** 1. Go to [https://edelivery.oracle.com/](https://edelivery.oracle.com/) and sign in. 1. In the search box, enter **Oracle Database Enterprise Edition** or **Oracle Database Standard Edition 2** and choose **Search**. 1. Choose one of the following base releases: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-cev.preparing.html) 1. Choose **Continue**. 1. Clear the **Download Queue** check box. 1. Choose the option that corresponds to your base release: + **Oracle Database 19.3.0.0.0 - Long Term Release**. + **Oracle Database 18.0.0.0.0** + **Oracle Database 12.2.0.1.0**. + **Oracle Database 12.1.0.2.0**. 1. Choose **Linux x86-64** in **Platform/Languages**. 1. Choose **Continue**, and then sign the Oracle License Agreement. 1. Choose the .zip file that corresponds to your database release: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-cev.preparing.html) 1. Download your desired Oracle patches from `updates.oracle.com` or `support.oracle.com` to your local system. You can find the URLs for the patches in the following locations: + The readme files in the .zip file that you downloaded in [Step 1 (Optional): Download the manifest templates](#custom-cev.preparing.templates) + The patches listed in each Release Update (RU) in [Release notes for Amazon Relational Database Service (Amazon RDS) for Oracle](https://docs.aws.amazon.com/AmazonRDS/latest/OracleReleaseNotes) ## Step 3: Upload your installation files to Amazon S3 Upload your Oracle installation and patch files to Amazon S3 using the AWS CLI. The S3 bucket that contains your installation files must be in the same AWS Region as your CEV. Examples in this section use the following placeholders: + `install-or-patch-file.zip` – Oracle installation media file. For example, p32126828\$1190000\$1Linux-x86-64.zip is a patch. + `amzn-s3-demo-destination-bucket` – Your Amazon S3 bucket designated for your uploaded installation files. + `123456789012/cev1` – An optional prefix in your Amazon S3 bucket. + `amzn-s3-demo-source-bucket` – An Amazon S3 bucket where you can optionally stage files. **Topics** + [ ### Step 3a: Verify that your S3 bucket is in the correct AWS Region ](#custom-cev.preparing.s3.verify-region) + [ ### Step 3b: Make sure that your S3 bucket policy has the correct permissions ](#custom-cev.preparing.s3.verify-policy) + [ ### Step 3c: Upload your files using the cp or sync commands ](#custom-cev.preparing.s3.upload) + [ ### Step 3d: List the files in your S3 bucket ](#custom-cev.preparing.s3.list) ### Step 3a: Verify that your S3 bucket is in the correct AWS Region Verify that your S3 bucket is in the AWS Region where you plan to run the `create-custom-db-engine-version` command. ``` aws s3api get-bucket-location --bucket amzn-s3-demo-destination-bucket ``` ### Step 3b: Make sure that your S3 bucket policy has the correct permissions You can create a CEV from scratch or from a source CEV. If you plan to create new CEV from source CEVs, make sure that your S3 bucket policy has the correct permissions: 1. Identify the S3 bucket reserved by RDS Custom. The bucket name has the format `do-not-delete-rds-custom-account-region-string`. For example, the bucket might be named `do-not-delete-rds-custom-123456789012-us-east-1-abc123EXAMPLE`. 1. Make sure that the following permission is appended to your S3 bucket policy. Replace `do-not-delete-rds-custom-123456789012-us-east-1-abc123EXAMPLE` with the name of your bucket. ``` { "Sid": "AWSRDSCustomForOracleCustomEngineVersionGetObject", "Effect": "Allow", "Principal": { "Service": "custom.rds.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:GetObjectTagging" ], "Resource": "arn:aws:s3:::do-not-delete-rds-custom-123456789012-us-east-1-abc123EXAMPLE/CustomEngineVersions/*" }, ... ``` ### Step 3c: Upload your files using the cp or sync commands Choose either of the following options: + Use `aws s3 cp` to upload a single .zip file. Upload each installation .zip file separately. Don't combine the .zip files into a single .zip file. + Use `aws s3 sync` to upload a directory. **Example** The following example uploads `install-or-patch-file.zip` to the `123456789012/cev1` folder in the RDS Custom Amazon S3 bucket. Run a separate `aws s3` command for each .zip that you want to upload. For Linux, macOS, or Unix: ``` 1. aws s3 cp install-or-patch-file.zip \ 2. s3://amzn-s3-demo-destination-bucket/123456789012/cev1/ ``` For Windows: ``` 1. aws s3 cp install-or-patch-file.zip ^ 2. s3://amzn-s3-demo-destination-bucket/123456789012/cev1/ ``` **Example** The following example uploads the files in your local *cev1* folder to the *123456789012/cev1* folder in your Amazon S3 bucket. For Linux, macOS, or Unix: ``` aws s3 sync cev1 \ s3://amzn-s3-demo-destination-bucket/123456789012/cev1/ ``` For Windows: ``` aws s3 sync cev1 ^ s3://amzn-s3-demo-destination-bucket/123456789012/cev1/ ``` **Example** The following example uploads all files in `amzn-s3-demo-source-bucket` to the **`123456789012/cev1`** folder in your Amazon S3 bucket. For Linux, macOS, or Unix: ``` aws s3 sync s3://amzn-s3-demo-source-bucket/ \ s3://amzn-s3-demo-destination-bucket/123456789012/cev1/ ``` For Windows: ``` aws s3 sync s3://amzn-s3-demo-source-bucket/ ^ s3://amzn-s3-demo-destination-bucket/123456789012/cev1/ ``` ### Step 3d: List the files in your S3 bucket The following example uses the `s3 ls` command to list the files in your RDS Custom Amazon S3 bucket. ``` aws s3 ls \ s3://amzn-s3-demo-destination-bucket/123456789012/cev1/ ``` ## Step 4 (Optional): Share your installation media in S3 across AWS accounts For the purposes of this section, the Amazon S3 bucket that contains your uploaded Oracle installation files is your *media bucket*. Your organization might use multiple AWS accounts in an AWS Region. If so, you might want to use one AWS account to populate your media bucket and a different AWS account to create CEVs. If you don't intend to share your media bucket, skip to the next section. This section assumes the following: + You can access the account that created your media bucket and a different account in which you intend to create CEVs. + You intend to create CEVs in only one AWS Region. If you intend to use multiple Regions, create a media bucket in each Region. + You're using the CLI. If you're using the Amazon S3 console, adapt the following steps. **To configure your media bucket for sharing across AWS accounts** 1. Log in to the AWS account that contains the S3 bucket into which you uploaded your installation media. 1. Start with either a blank JSON policy template or an existing policy that you can adapt. The following command retrieves an existing policy and saves it as *my-policy.json*. In this example, the S3 bucket containing your installation files is named *amzn-s3-demo-bucket*. ``` aws s3api get-bucket-policy \ --bucket amzn-s3-demo-bucket \ --query Policy \ --output text > my-policy.json ``` 1. Edit the media bucket permissions as follows: + In the `Resource` element of your template, specify the S3 bucket into which you uploaded your Oracle Database installation files. + In the `Principal` element, specify the ARNs for all AWS accounts that you intend to use to create CEVs. You can add the root, a user, or a role to the S3 bucket allow list. For more information, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in the *AWS Identity and Access Management User Guide*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "GrantAccountsAccess", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:user/user-name-with-path", "arn:aws:iam::123456789012:role/role-name-with-path" ] }, "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*" ] } ] } ``` ------ 1. Attach the policy to your media bucket. In the following example, *amzn-s3-demo-bucket* is the name of the S3 bucket that contains your installation files, and *my-policy.json* is the name of your JSON file. ``` aws s3api put-bucket-policy \ --bucket amzn-s3-demo-bucket \ --policy file://my-policy.json ``` 1. Log in to an AWS account in which you intend to create CEVs. 1. Verify that this account can access the media bucket in the AWS account that created it. ``` aws s3 ls --query "Buckets[].Name" ``` For more information, see [aws s3 ls](https://docs.aws.amazon.com/cli/latest/reference/s3/ls.html) in the *AWS CLI Command Reference*. 1. Create a CEV by following the steps in [Creating a CEV](custom-cev.create.md). ## Step 5: Prepare the CEV manifest A CEV manifest is a JSON document that includes the following: + (Required) The list of installation .zip files that you uploaded to Amazon S3. RDS Custom applies the patches in the order in which they're listed in the manifest. + (Optional) Installation parameters that set nondefault values for the Oracle base, Oracle home, and the ID and name of the UNIX/Linux user and group. Be aware that you can’t modify the installation parameters for an existing CEV or an existing DB instance. You also can’t upgrade from one CEV to another CEV when the installation parameters have different settings. For sample CEV manifests, see the JSON templates that you downloaded in [Step 1 (Optional): Download the manifest templates](#custom-cev.preparing.templates). You can also review the samples in [CEV manifest examples](#custom-cev.preparing.manifest.examples). **Topics** + [ ### JSON fields in the CEV manifest ](#custom-cev.preparing.manifest.fields) + [ ### Creating the CEV manifest ](#custom-cev.preparing.manifest.creating) + [ ### CEV manifest examples ](#custom-cev.preparing.manifest.examples) ### JSON fields in the CEV manifest The following table describes the JSON fields in the manifest. | JSON field | Description | | --- | --- | | `MediaImportTemplateVersion` | Version of the CEV manifest. The date is in the format `YYYY-MM-DD`. | | `databaseInstallationFileNames` | Ordered list of installation files for the database. | | `opatchFileNames` | Ordered list of OPatch installers used for the Oracle DB engine. Only one value is valid. Values for `opatchFileNames` must start with `p6880880_`. | | `psuRuPatchFileNames` | The PSU and RU patches for this database. If you include `psuRuPatchFileNames`, `opatchFileNames` is required. Values for `opatchFileNames` must start with `p6880880_`. | | `OtherPatchFileNames` | The patches that aren't in the list of PSU and RU patches. RDS Custom applies these patches after applying the PSU and RU patches. If you include `OtherPatchFileNames`, `opatchFileNames` is required. Values for `opatchFileNames` must start with `p6880880_`. | | `installationParameters` | Nondefault settings for the Oracle base, Oracle home, and the ID and name of the UNIX/Linux user and group. You can set the following parameters: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-cev.preparing.html) | Each Oracle Database release has a different list of supported installation files. When you create your CEV manifest, make sure to specify only files that are supported by RDS Custom for Oracle. Otherwise, CEV creation fails with an error. All patches listed in [Release notes for Amazon Relational Database Service (Amazon RDS) for Oracle](https://docs.aws.amazon.com/AmazonRDS/latest/OracleReleaseNotes) are supported. ### Creating the CEV manifest **To create a CEV manifest** 1. List all installation files that you plan to apply, in the order that you want to apply them. 1. Correlate the installation files with the JSON fields described in [JSON fields in the CEV manifest](#custom-cev.preparing.manifest.fields). 1. Do either of the following: + Create the CEV manifest as a JSON text file. + Edit the CEV manifest template when you create the CEV in the console. For more information, see [Creating a CEV](custom-cev.create.md). ### CEV manifest examples The following examples show CEV manifest files for different Oracle Database releases. If you include a JSON field in your manifest, make sure that it isn't empty. For example, the following CEV manifest isn't valid because `otherPatchFileNames` is empty. ``` { "mediaImportTemplateVersion": "2020-08-14", "databaseInstallationFileNames": [ "V982063-01.zip" ], "opatchFileNames": [ "p6880880_190000_Linux-x86-64.zip" ], "psuRuPatchFileNames": [ "p32126828_190000_Linux-x86-64.zip" ], "otherPatchFileNames": [ ] } ``` **Topics** + [Sample CEV manifest for Oracle Database 12c Release 1 (12.1)](#oracle-cev-manifest-12.1) + [Sample CEV manifest for Oracle Database 12c Release 2 (12.2)](#oracle-cev-manifest-12.2) + [Sample CEV manifest for Oracle Database 18c](#oracle-cev-manifest-18c) + [Sample CEV manifest for Oracle Database 19c](#oracle-cev-manifest-19c) **Example Sample CEV manifest for Oracle Database 12c Release 1 (12.1)** In the following example for the July 2021 PSU for Oracle Database 12c Release 1 (12.1), RDS Custom applies the patches in the order specified. Thus, RDS Custom applies p32768233, then p32876425, then p18759211, and so on. The example sets new values for the UNIX user and group, and the Oracle home and Oracle base. ``` { "mediaImportTemplateVersion":"2020-08-14", "databaseInstallationFileNames":[ "V46095-01_1of2.zip", "V46095-01_2of2.zip" ], "opatchFileNames":[ "p6880880_121010_Linux-x86-64.zip" ], "psuRuPatchFileNames":[ "p32768233_121020_Linux-x86-64.zip" ], "otherPatchFileNames":[ "p32876425_121020_Linux-x86-64.zip", "p18759211_121020_Linux-x86-64.zip", "p19396455_121020_Linux-x86-64.zip", "p20875898_121020_Linux-x86-64.zip", "p22037014_121020_Linux-x86-64.zip", "p22873635_121020_Linux-x86-64.zip", "p23614158_121020_Linux-x86-64.zip", "p24701840_121020_Linux-x86-64.zip", "p25881255_121020_Linux-x86-64.zip", "p27015449_121020_Linux-x86-64.zip", "p28125601_121020_Linux-x86-64.zip", "p28852325_121020_Linux-x86-64.zip", "p29997937_121020_Linux-x86-64.zip", "p31335037_121020_Linux-x86-64.zip", "p32327201_121020_Linux-x86-64.zip", "p32327208_121020_Generic.zip", "p17969866_12102210119_Linux-x86-64.zip", "p20394750_12102210119_Linux-x86-64.zip", "p24835919_121020_Linux-x86-64.zip", "p23262847_12102201020_Linux-x86-64.zip", "p21171382_12102201020_Generic.zip", "p21091901_12102210720_Linux-x86-64.zip", "p33013352_12102210720_Linux-x86-64.zip", "p25031502_12102210720_Linux-x86-64.zip", "p23711335_12102191015_Generic.zip", "p19504946_121020_Linux-x86-64.zip" ], "installationParameters": { "unixGroupName": "dba", "unixGroupId": 12345, "unixUname": "oracle", "unixUid": 12345, "oracleHome": "/home/oracle/oracle.12.1.0.2", "oracleBase": "/home/oracle" } } ``` **Example Sample CEV manifest for Oracle Database 12c Release 2 (12.2)** In following example for the October 2021 PSU for Oracle Database 12c Release 2 (12.2), RDS Custom applies p33261817, then p33192662, then p29213893, and so on. The example sets new values for the UNIX user and group, and the Oracle home and Oracle base. ``` { "mediaImportTemplateVersion":"2020-08-14", "databaseInstallationFileNames":[ "V839960-01.zip" ], "opatchFileNames":[ "p6880880_122010_Linux-x86-64.zip" ], "psuRuPatchFileNames":[ "p33261817_122010_Linux-x86-64.zip" ], "otherPatchFileNames":[ "p33192662_122010_Linux-x86-64.zip", "p29213893_122010_Generic.zip", "p28730253_122010_Linux-x86-64.zip", "p26352615_12201211019DBOCT2021RU_Linux-x86-64.zip", "p23614158_122010_Linux-x86-64.zip", "p24701840_122010_Linux-x86-64.zip", "p25173124_122010_Linux-x86-64.zip", "p25881255_122010_Linux-x86-64.zip", "p27015449_122010_Linux-x86-64.zip", "p28125601_122010_Linux-x86-64.zip", "p28852325_122010_Linux-x86-64.zip", "p29997937_122010_Linux-x86-64.zip", "p31335037_122010_Linux-x86-64.zip", "p32327201_122010_Linux-x86-64.zip", "p32327208_122010_Generic.zip" ], "installationParameters": { "unixGroupName": "dba", "unixGroupId": 12345, "unixUname": "oracle", "unixUid": 12345, "oracleHome": "/home/oracle/oracle.12.2.0.1", "oracleBase": "/home/oracle" } } ``` **Example Sample CEV manifest for Oracle Database 18c** In following example for the October 2021 PSU for Oracle Database 18c, RDS Custom applies p32126855, then p28730253, then p27539475, and so on. The example sets new values for the UNIX user and group, and the Oracle home and Oracle base. ``` { "mediaImportTemplateVersion":"2020-08-14", "databaseInstallationFileNames":[ "V978967-01.zip" ], "opatchFileNames":[ "p6880880_180000_Linux-x86-64.zip" ], "psuRuPatchFileNames":[ "p32126855_180000_Linux-x86-64.zip" ], "otherPatchFileNames":[ "p28730253_180000_Linux-x86-64.zip", "p27539475_1813000DBRU_Linux-x86-64.zip", "p29213893_180000_Generic.zip", "p29374604_1813000DBRU_Linux-x86-64.zip", "p29782284_180000_Generic.zip", "p28125601_180000_Linux-x86-64.zip", "p28852325_180000_Linux-x86-64.zip", "p29997937_180000_Linux-x86-64.zip", "p31335037_180000_Linux-x86-64.zip", "p31335142_180000_Generic.zip" ] "installationParameters": { "unixGroupName": "dba", "unixGroupId": 12345, "unixUname": "oracle", "unixUid": 12345, "oracleHome": "/home/oracle/18.0.0.0.ru-2020-10.rur-2020-10.r1", "oracleBase": "/home/oracle/" } } ``` **Example Sample CEV manifest for Oracle Database 19c** In the following example for Oracle Database 19c, RDS Custom applies p32126828, then p29213893, then p29782284, and so on. The example sets new values for the UNIX user and group, and the Oracle home and Oracle base. ``` { "mediaImportTemplateVersion": "2020-08-14", "databaseInstallationFileNames": [ "V982063-01.zip" ], "opatchFileNames": [ "p6880880_190000_Linux-x86-64.zip" ], "psuRuPatchFileNames": [ "p32126828_190000_Linux-x86-64.zip" ], "otherPatchFileNames": [ "p29213893_1910000DBRU_Generic.zip", "p29782284_1910000DBRU_Generic.zip", "p28730253_190000_Linux-x86-64.zip", "p29374604_1910000DBRU_Linux-x86-64.zip", "p28852325_190000_Linux-x86-64.zip", "p29997937_190000_Linux-x86-64.zip", "p31335037_190000_Linux-x86-64.zip", "p31335142_190000_Generic.zip" ], "installationParameters": { "unixGroupName": "dba", "unixGroupId": 12345, "unixUname": "oracle", "unixUid": 12345, "oracleHome": "/home/oracle/oracle.19.0.0.0.ru-2020-04.rur-2020-04.r1.EE.1", "oracleBase": "/home/oracle" } } ``` ## Step 6 (Optional): Validate the CEV manifest Optionally, verify that manifest is a valid JSON file by running the `json.tool` Python script. For example, if you change into the directory containing a CEV manifest named `manifest.json`, run the following command. ``` python -m json.tool < manifest.json ``` ## Step 7: Add necessary IAM permissions Make sure that the IAM principal that creates the CEV has the necessary policies described in [Step 5: Grant required permissions to your IAM user or role](custom-setup-orcl.md#custom-setup-orcl.iam-user). # Creating a CEV **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can create a CEV using the AWS Management Console or the AWS CLI. Specify either the multitenant or non-multitenant architecture. For more information, see [Multitenant architecture considerations](custom-creating.md#custom-creating.overview). Typically, creating a CEV takes about two hours. After you have created the CEV, you can use it to create or upgrade an RDS Custom DB instance. For more information, see [Creating an RDS Custom for Oracle DB instance](custom-creating.md#custom-creating.create) and [Upgrading an RDS Custom for Oracle DB instance](custom-upgrading-modify.md). **Note** If your DB instance currently uses Oracle Linux 7.9, create a new CEV that uses the latest AMI, which uses Oracle Linux 8. Then modify your instance to use the new CEV. Note the following requirements and limitations for creating a CEV: + The Amazon S3 bucket containing your installation files must be in the same AWS Region as your CEV. Otherwise, the creation process fails. + The CEV name must be in the format `major-engine-version.customized_string`, as in `19.cdb_cev1`. + The CEV name must contain 1–50 alphanumeric characters, underscores, dashes, or periods. + The CEV name can't contain consecutive periods, as in `19..cdb_cev1`. ## Console **To create a CEV** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Custom engine versions**. The **Custom engine versions** page shows all CEVs that currently exist. If you haven't created any CEVs, the page is empty. 1. Choose **Create custom engine version**. 1. In **Engine options**, do the following: 1. For **Engine type**, choose **Oracle**. 1. For **Architecture settings**, optionally choose **Multitenant architecture** to create an Oracle multitenant CEV, which uses the DB engine `custom-oracle-ee-cdb` or `custom-oracle-se2-cdb`. You can create an RDS Custom for Oracle CDB with a Multitenant CEV only. If you don't choose this option, your CEV is a non-CDB, which uses the engine `custom-oracle-ee` or `custom-oracle-se2`. **Note** The architecture that you choose is a permanent characteristic of your CEV. You can't modify your CEV to use a different architecture later. 1. Choose either of the following options: + **Create new CEV** – Create a CEV from scratch. In this case, you must specify a JSON manifest specifying the database binaries. + **Create CEV from source** – In **Specify the CEV that you want to copy**, choose an existing CEV to use as the source CEV. In this case, you can specify a new Amazon Machine Image (AMI), but you can't specify different database binaries. 1. For **Engine version**, choose the major engine version. 1. In **Version details**, do the following: 1. Enter a valid name in **Custom engine version name**. For example, you might enter the name **19.cdb\$1cev1**. 1. (Optional) Enter a description for your CEV. 1. In **Installation media**, do the following: 1. (Optional) For **AMI ID**, either leave the field blank to use the latest service-provided AMI, or enter an AMI that you previously used to create a CEV. To obtain valid AMI IDs, use either of the following techniques: + In the console, choose **Custom engine versions** in the left navigation pane, and choose the name of a CEV. The AMI ID used by the CEV appears in the **Configuration** tab. + In the AWS CLI, use the `describe-db-engine-versions` command. Search the output for `ImageID`. 1. For **S3 location of manifest files**, enter the location of the Amazon S3 bucket that you specified in [Step 3: Upload your installation files to Amazon S3](custom-cev.preparing.md#custom-cev.preparing.s3). For example, enter **s3://my-custom-installation-files/123456789012/cev1/**. **Note** The AWS Region in which you create the CEV must be in the same Region as the S3 bucket. 1. (Create new CEV only) For **CEV manifest**, enter the JSON manifest that you created in [Creating the CEV manifest](custom-cev.preparing.md#custom-cev.preparing.manifest.creating). 1. In the **KMS key** section, select **Enter a key ARN** to list the available AWS KMS keys. Then select your KMS key from the list. An AWS KMS key is required for RDS Custom. For more information, see [Step 1: Create or reuse a symmetric encryption AWS KMS key](custom-setup-orcl.md#custom-setup-orcl.cmk). 1. (Optional) Choose **Add new tag** to create a key-value pair for your CEV. 1. Choose **Create custom engine version**. If the JSON manifest is in an invalid format, the console displays **Error validating the CEV manifest**. Fix the problems, and try again. The **Custom engine versions** page appears. Your CEV is shown with the status **Creating**. The process to create a CEV takes approximately two hours. ## AWS CLI To create a CEV by using the AWS CLI, run the [create-custom-db-engine-version](https://docs.aws.amazon.com/cli/latest/reference/rds/create-custom-db-engine-version.html) command. The following options are required: + `--engine` – Specify the engine type. For a CDB, specify either `custom-oracle-ee-cdb` or `custom-oracle-se2-cdb`. For a non-CDB, specify either `custom-oracle-ee` or `custom-oracle-se2`. You can create CDBs only from a CEV created with `custom-oracle-ee-cdb` or `custom-oracle-se2-cdb`. You can create non-CDBs only from a CEV created with `custom-oracle-ee` or `custom-oracle-se2`. + `--engine-version` – Specify the engine version. The format is *major-engine-version*.*customized\$1string*. The CEV name must contain 1–50 alphanumeric characters, underscores, dashes, or periods. The CEV name can't contain consecutive periods, as in `19..cdb_cev1`. + `--kms-key-id` – Specify an AWS KMS key. + `--manifest` – Specify either `manifest_json_string` or `--manifest file:file_name`. Newline characters aren't permitted in `manifest_json_string`. Make sure to escape double quotes (") in the JSON code by prefixing them with a backslash (\$1). The following example shows the `manifest_json_string` for 19c from [Step 5: Prepare the CEV manifest](custom-cev.preparing.md#custom-cev.preparing.manifest). The example sets new values for the Oracle base, Oracle home, and the ID and name of the UNIX/Linux user and group. If you copy this string, remove all newline characters before you paste it into your command. `"{\"mediaImportTemplateVersion\": \"2020-08-14\",\"databaseInstallationFileNames\": [\"V982063-01.zip\"],\"opatchFileNames\": [\"p6880880_190000_Linux-x86-64.zip\"],\"psuRuPatchFileNames\": [\"p32126828_190000_Linux-x86-64.zip\"],\"otherPatchFileNames\": [\"p29213893_1910000DBRU_Generic.zip\",\"p29782284_1910000DBRU_Generic.zip\",\"p28730253_190000_Linux-x86-64.zip\",\"p29374604_1910000DBRU_Linux-x86-64.zip\",\"p28852325_190000_Linux-x86-64.zip\",\"p29997937_190000_Linux-x86-64.zip\",\"p31335037_190000_Linux-x86-64.zip\",\"p31335142_190000_Generic.zip\"]\"installationParameters\":{ \"unixGroupName\":\"dba\", \ \"unixUname\":\"oracle\", \ \"oracleHome\":\"/home/oracle/oracle.19.0.0.0.ru-2020-04.rur-2020-04.r1.EE.1\", \ \"oracleBase\":\"/home/oracle/\"}}"` + `--database-installation-files-s3-bucket-name` – Specify the same bucket name that you specified in [Step 3: Upload your installation files to Amazon S3](custom-cev.preparing.md#custom-cev.preparing.s3). The AWS Region in which you run `create-custom-db-engine-version` must be the same Region as your Amazon S3 bucket. You can also specify the following options: + `--description` – Specify a description of your CEV. + `--database-installation-files-s3-prefix` – Specify the folder name that you specified in [Step 3: Upload your installation files to Amazon S3](custom-cev.preparing.md#custom-cev.preparing.s3). + `--image-id` – Specify an AMI ID that want to reuse. To find valid IDs, run the `describe-db-engine-versions` command, and then search the output for `ImageID`. By default, RDS Custom for Oracle uses the most recent available AMI. The following example creates an Oracle multitenant CEV named `19.cdb_cev1`. The example reuses an existing AMI rather than use the latest available AMI. Make sure that the name of your CEV starts with the major engine version number. **Example** For Linux, macOS, or Unix: ``` 1. aws rds create-custom-db-engine-version \ 2. --engine custom-oracle-se2-cdb \ 3. --engine-version 19.cdb_cev1 \ 4. --database-installation-files-s3-bucket-name us-east-1-123456789012-custom-installation-files \ 5. --database-installation-files-s3-prefix 123456789012/cev1 \ 6. --kms-key-id my-kms-key \ 7. --description "test cev" \ 8. --manifest manifest_string \ 9. --image-id ami-012a345678901bcde ``` For Windows: ``` 1. aws rds create-custom-db-engine-version ^ 2. --engine custom-oracle-se2-cdb ^ 3. --engine-version 19.cdb_cev1 ^ 4. --database-installation-files-s3-bucket-name us-east-1-123456789012-custom-installation-files ^ 5. --database-installation-files-s3-prefix 123456789012/cev1 ^ 6. --kms-key-id my-kms-key ^ 7. --description "test cev" ^ 8. --manifest manifest_string ^ 9. --image-id ami-012a345678901bcde ``` **Example** Get details about your CEV by using the `describe-db-engine-versions` command. ``` 1. aws rds describe-db-engine-versions \ 2. --engine custom-oracle-se2-cdb \ 3. --include-all ``` The following partial sample output shows the engine, parameter groups, manifest, and other information. ``` 1. { 2. "DBEngineVersions": [ 3. { 4. "Engine": "custom-oracle-se2-cdb", 5. "EngineVersion": "19.cdb_cev1", 6. "DBParameterGroupFamily": "custom-oracle-se2-cdb-19", 7. "DBEngineDescription": "Containerized Database for Oracle Custom SE2", 8. "DBEngineVersionDescription": "test cev", 9. "Image": { 10. "ImageId": "ami-012a345678901bcde", 11. "Status": "active" 12. }, 13. "ValidUpgradeTarget": [], 14. "SupportsLogExportsToCloudwatchLogs": false, 15. "SupportsReadReplica": true, 16. "SupportedFeatureNames": [], 17. "Status": "available", 18. "SupportsParallelQuery": false, 19. "SupportsGlobalDatabases": false, 20. "MajorEngineVersion": "19", 21. "DatabaseInstallationFilesS3BucketName": "us-east-1-123456789012-custom-installation-files", 22. "DatabaseInstallationFilesS3Prefix": "123456789012/cev1", 23. "DBEngineVersionArn": "arn:aws:rds:us-east-1:123456789012:cev:custom-oracle-se2-cdb/19.cdb_cev1/abcd12e3-4f5g-67h8-i9j0-k1234l56m789", 24. "KMSKeyId": "arn:aws:kms:us-east-1:732027699161:key/1ab2345c-6d78-9ef0-1gh2-3456i7j89k01", 25. "CreateTime": "2023-03-07T19:47:58.131000+00:00", 26. "TagList": [], 27. "SupportsBabelfish": false, 28. ... ``` ## Failure to create a CEV If the process to create a CEV fails, RDS Custom issues `RDS-EVENT-0198` with the message `Creation failed for custom engine version major-engine-version.cev_name`, and includes details about the failure. For example, the event prints missing files. You can't modify a failed CEV. You can only delete it, then try again to create a CEV after fixing the causes of the failure. For information about troubleshooting the reasons for CEV creation failure, see [Troubleshooting custom engine version creation for RDS Custom for Oracle](custom-troubleshooting.md#custom-troubleshooting.cev). # Modifying CEV status **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can modify a CEV using the AWS Management Console or the AWS CLI. You can modify the CEV description or its availability status. Your CEV has one of the following status values: + `available` – You can use this CEV to create a new RDS Custom DB instance or upgrade a DB instance. This is the default status for a newly created CEV. + `inactive` – You can't create or upgrade an RDS Custom instance with this CEV. You can't restore a DB snapshot to create a new RDS Custom DB instance with this CEV. You can change the CEV from any supported status to any other supported status. You might change status to prevent the accidental use of a CEV or make a discontinued CEV eligible for use again. For example, you might change the status of your CEV from `available` to `inactive`, and from `inactive` back to `available`. ## Console **To modify a CEV** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Custom engine versions**. 1. Choose a CEV whose description or status you want to modify. 1. For **Actions**, choose **Modify**. 1. Make any of the following changes: + For **CEV status settings**, choose a new availability status. + For **Version description**, enter a new description. 1. Choose **Modify CEV**. If the CEV is in use, the console displays **You can't modify the CEV status**. Fix the problems, and try again. The **Custom engine versions** page appears. ## AWS CLI To modify a CEV by using the AWS CLI, run the [modify-custom-db-engine-version](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-custom-db-engine-version.html) command. You can find CEVs to modify by running the [describe-db-engine-versions](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html) command. The following options are required: + `--engine engine-type`, where *engine-type* is `custom-oracle-ee`, `custom-oracle-se2`, `custom-oracle-ee-cdb`, or `custom-oracle-se2-cdb` + `--engine-version cev`, where *`cev`* is the name of the custom engine version that you want to modify + `--status`` status`, where *`status`* is the availability status that you want to assign to the CEV The following example changes a CEV named `19.my_cev1` from its current status to `inactive`. **Example** For Linux, macOS, or Unix: ``` 1. aws rds modify-custom-db-engine-version \ 2. --engine custom-oracle-se2 \ 3. --engine-version 19.my_cev1 \ 4. --status inactive ``` For Windows: ``` 1. aws rds modify-custom-db-engine-version ^ 2. --engine custom-oracle-se2 ^ 3. --engine-version 19.my_cev1 ^ 4. --status inactive ``` # Viewing CEV details for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can view details about your CEV manifest and the command used to create your CEV by using the AWS Management Console or the AWS CLI. ## Console **To view CEV details** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Custom engine versions**. The **Custom engine versions** page shows all CEVs that currently exist. If you haven't created any CEVs, the page is empty. 1. Choose the name of the CEV that you want to view. 1. Choose **Configuration** to view the installation parameters specified in your manifest. ![\[View the installation parameters for a CEV.\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/cev-configuration-tab.png) 1. Choose **Manifest** to view the installation parameters specified in the `--manifest` option of the `create-custom-db-engine-version` command. You can copy this text, replace values as needed, and use them in a new command. ![\[View the command used to create the CEV.\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/cev-manifest-tab.png) ## AWS CLI To view details about a CEV by using the AWS CLI, run the [describe-db-engine-versions](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html) command. The following options are required: + `--engine engine-type`, where *engine-type* is `custom-oracle-ee`, `custom-oracle-se2`, `custom-oracle-ee-cdb`, or `custom-oracle-se2-cdb` + `--engine-version major-engine-version.customized_string` The following example creates a non-CDB CEV that uses Enterprise Edition. The CEV name `19.my_cev1` starts with the major engine version number, which is required. **Example** For Linux, macOS, or Unix: ``` 1. aws rds describe-db-engine-versions \ 2. --engine custom-oracle-ee \ 3. --engine-version 19.my_cev1 ``` For Windows: ``` 1. aws rds describe-db-engine-versions ^ 2. --engine custom-oracle-ee ^ 3. --engine-version 19.my_cev1 ``` The following partial sample output shows the engine, parameter groups, manifest, and other information. ``` 1. "DBEngineVersions": [ 2. { 3. "Engine": "custom-oracle-ee", 4. "MajorEngineVersion": "19", 5. "EngineVersion": "19.my_cev1", 6. "DatabaseInstallationFilesS3BucketName": "us-east-1-123456789012-cev-customer-installation-files", 7. "DatabaseInstallationFilesS3Prefix": "123456789012/cev1", 8. "CustomDBEngineVersionManifest": "{\n\"mediaImportTemplateVersion\": \"2020-08-14\",\n\"databaseInstallationFileNames\": [\n\"V982063-01.zip\"\n],\n\"installationParameters\": {\n\"oracleBase\":\"/tmp\",\n\"oracleHome\":\"/tmp/Oracle\"\n},\n\"opatchFileNames\": [\n\"p6880880_190000_Linux-x86-64.zip\"\n],\n\"psuRuPatchFileNames\": [\n\"p32126828_190000_Linux-x86-64.zip\"\n],\n\"otherPatchFileNames\": [\n\"p29213893_1910000DBRU_Generic.zip\",\n\"p29782284_1910000DBRU_Generic.zip\",\n\"p28730253_190000_Linux-x86-64.zip\",\n\"p29374604_1910000DBRU_Linux-x86-64.zip\",\n\"p28852325_190000_Linux-x86-64.zip\",\n\"p29997937_190000_Linux-x86-64.zip\",\n\"p31335037_190000_Linux-x86-64.zip\",\n\"p31335142_190000_Generic.zip\"\n]\n}\n", 9. "DBParameterGroupFamily": "custom-oracle-ee-19", 10. "DBEngineDescription": "Oracle Database server EE for RDS Custom", 11. "DBEngineVersionArn": "arn:aws:rds:us-west-2:123456789012:cev:custom-oracle-ee/19.my_cev1/0a123b45-6c78-901d-23e4-5678f901fg23", 12. "DBEngineVersionDescription": "test", 13. "KMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/ab1c2de3-f4g5-6789-h012-h3ijk4567l89", 14. "CreateTime": "2022-11-18T09:17:07.693000+00:00", 15. "ValidUpgradeTarget": [ 16. { 17. "Engine": "custom-oracle-ee", 18. "EngineVersion": "19.cev.2021-01.09", 19. "Description": "test", 20. "AutoUpgrade": false, 21. "IsMajorVersionUpgrade": false 22. } 23. ] ``` # Deleting a CEV **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can delete a CEV using the AWS Management Console or the AWS CLI. Typically, deletion takes a few minutes. To delete a CEV, it can't be in use by any of the following: + An RDS Custom DB instance + A snapshot of an RDS Custom DB instance + An automated backup of your RDS Custom DB instance ## Console **To delete a CEV** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Custom engine versions**. 1. Choose a CEV whose description or status you want to delete. 1. For **Actions**, choose **Delete**. The **Delete *cev\$1name*?** dialog box appears. 1. Enter **delete me**, and then choose **Delete**. In the **Custom engine versions** page, the banner shows that your CEV is being deleted. ## AWS CLI To delete a CEV by using the AWS CLI, run the [delete-custom-db-engine-version](https://docs.aws.amazon.com/cli/latest/reference/rds/delete-custom-db-engine-version.html) command. The following options are required: + `--engine engine-type`, where *engine-type* is `custom-oracle-ee`, `custom-oracle-se2`, `custom-oracle-ee-cdb`, or `custom-oracle-se2-cdb` + `--engine-version cev`, where *cev* is the name of the custom engine version to be deleted The following example deletes a CEV named `19.my_cev1`. **Example** For Linux, macOS, or Unix: ``` 1. aws rds delete-custom-db-engine-version \ 2. --engine custom-oracle-ee \ 3. --engine-version 19.my_cev1 ``` For Windows: ``` 1. aws rds delete-custom-db-engine-version ^ 2. --engine custom-oracle-ee ^ 3. --engine-version 19.my_cev1 ``` # Configuring a DB instance for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can create an RDS Custom DB instance, and then connect to it using Secure Shell (SSH) or AWS Systems Manager. For more information about connecting and logging in to a RDS Custom for Oracle DB instance, see the following topics. + [Connecting to your RDS Custom DB instance using Session Manager](custom-creating.ssm.md) + [Connecting to your RDS Custom DB instance using SSH](#custom-creating.ssh) + [Logging in to your RDS Custom for Oracle database as SYS](custom-creating.sysdba.md) ## Creating an RDS Custom for Oracle DB instance Create an Amazon RDS Custom for Oracle DB instance using either the AWS Management Console or the AWS CLI. The procedure is similar to the procedure for creating an Amazon RDS DB instance. For more information, see [Creating an Amazon RDS DB instance](USER_CreateDBInstance.md). If you included installation parameters in your CEV manifest, then your DB instance uses the Oracle base, Oracle home, and the ID and name of the UNIX/Linux user and group that you specified. The `oratab` file, which is created by Oracle Database during installation, points to the real installation location rather than to a symbolic link. When RDS Custom for Oracle runs commands, it runs as the configured OS user rather than the default user `rdsdb`. For more information, see [Step 5: Prepare the CEV manifest](custom-cev.preparing.md#custom-cev.preparing.manifest). Before you attempt to create or connect to an RDS Custom DB instance, complete the tasks in [Setting up your environment for Amazon RDS Custom for Oracle](custom-setup-orcl.md). ### Console **To create an RDS Custom for Oracle DB instance** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**. 1. Choose **Create database**. 1. In **Choose a database creation method**, select **Standard create**. 1. In the **Engine options** section, do the following: 1. For **Engine type**, choose **Oracle**. 1. For **Database management type**, choose **Amazon RDS Custom**. 1. For **Architecture settings**, do one of the following: + Select **Multitenant architecture** to create a container database (CDB). At creation, your CDB contains one PDB seed and one initial PDB. **Note** The **Multitenant architecture** setting is supported only for Oracle Database 19c. + Clear **Multitenant architecture** to create a non-CDB. A non-CDB can't contain PDBs. 1. For **Edition**, choose **Oracle Enterprise Edition** or **Oracle Standard Edition 2**. 1. For **Custom engine version**, choose an existing RDS Custom custom engine version (CEV). A CEV has the following format: `major-engine-version.customized_string`. An example identifier is `19.cdb_cev1`. If you chose **Multitenant architecture** in the previous step, you can only specify a CEV that uses the `custom-oracle-ee-cdb` or `custom-oracle-se2-cdb` engine type. The console filters out CEVs that were created with different engine types. 1. In **Templates**, choose **Production**. 1. In the **Settings** section, do the following: 1. For **DB instance identifier**, enter a unique name for your DB instance. 1. For **Master username**, enter a username. You can retrieve this value from the console later. When you connect to a non-CDB, the master user is the user for the non-CDB. When you connect to a CDB, the master user is the user for the PDB. To connect to the CDB root, log in to the host, start a SQL client, and create an administrative user with SQL commands. 1. Clear **Auto generate a password**. 1. Choose a **DB instance class**. For supported classes, see [DB instance class support for RDS Custom for Oracle](custom-oracle-feature-support.md#custom-reqs-limits.instances). 1. In the **Storage** section, do the following: 1. For **Storage type**, choose an SSD type: io1, io2, gp2, or gp3. You have the following additional options: + For io1, io2, or gp3, choose a rate for **Provisioned IOPS**. The default is 1000 for io1 and io2 and 12000 for gp3. + For gp3, choose a rate for **Storage throughput**. The default is 500 MiBps. 1. For **Allocated storage**, choose a storage size. The default is 40 GiB. 1. For **Connectivity**, specify your **Virtual private cloud (VPC)**, **DB subnet group**, and **VPC security group (firewall)**. 1. For **RDS Custom security**, do the following: 1. For **IAM instance profile**, choose the instance profile for your RDS Custom for Oracle DB instance. The IAM instance profile must begin with `AWSRDSCustom`, for example *AWSRDSCustomInstanceProfileForRdsCustomInstance*. 1. For **Encryption**, choose **Enter a key ARN** to list the available AWS KMS keys. Then choose your key from the list. An AWS KMS key is required for RDS Custom. For more information, see [Step 1: Create or reuse a symmetric encryption AWS KMS key](custom-setup-orcl.md#custom-setup-orcl.cmk). 1. For **Database options**, do the following: 1. (Optional) For **System ID (SID)**, enter a value for the Oracle SID, which is also the name of your CDB. The SID is the name of the Oracle database instance that manages your database files. In this context, the term "Oracle database instance" refers exclusively to the system global area (SGA) and Oracle background processes. If you don't specify a SID, the value defaults to **RDSCDB**. 1. (Optional) For **Initial database name**, enter a name. The default value is **ORCL**. In the multitenant architecture, the initial database name is the PDB name. **Note** The SID and PDB name must be different. 1. For **Option group**, choose an option group or accept the default. **Note** The only supported option for RDS Custom for Oracle is `Timezone`. For more information, see [Oracle time zone](custom-managing.timezone.md). 1. For **Backup retention period** choose a value. You can't choose **0 days**. 1. For the remaining sections, specify your preferred RDS Custom DB instance settings. For information about each setting, see [Settings for DB instances](USER_CreateDBInstance.Settings.md). The following settings don't appear in the console and aren't supported: + **Processor features** + **Storage autoscaling** + **Password and Kerberos authentication** option in **Database authentication** (only **Password authentication** is supported) + **Performance Insights** + **Log exports** + **Enable auto minor version upgrade** + **Deletion protection** 1. Choose **Create database**. **Important** When you create an RDS Custom for Oracle DB instance, you might receive the following error: The service-linked role is in the process of being created. Try again later. If you do, wait a few minutes and then try again to create the DB instance. The **View credential details** button appears on the **Databases** page. To view the master user name and password for the RDS Custom DB instance, choose **View credential details**. To connect to the DB instance as the master user, use the user name and password that appear. **Important** You can't view the master user password again in the console. If you don't record it, you might have to change it. To change the master user password after the RDS Custom DB instance is available, log in to the database and run an `ALTER USER` command. You can't reset the password using the **Modify** option in the console. 1. Choose **Databases** to view the list of RDS Custom DB instances. 1. Choose the RDS Custom DB instance that you just created. On the RDS console, the details for the new RDS Custom DB instance appear: + The DB instance has a status of **creating** until the RDS Custom DB instance is created and ready for use. When the state changes to **available**, you can connect to the DB instance. Depending on the instance class and storage allocated, it can take several minutes for the new DB instance to be available. + **Role** has the value **Instance (RDS Custom)**. + **RDS Custom automation mode** has the value **Full automation**. This setting means that the DB instance provides automatic monitoring and instance recovery. ### AWS CLI You create an RDS Custom DB instance by using the [create-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html) AWS CLI command. The following options are required: + `--db-instance-identifier` + `--db-instance-class` (for a list of supported instance classes, see [DB instance class support for RDS Custom for Oracle](custom-oracle-feature-support.md#custom-reqs-limits.instances)) + `--engine engine-type`, where *engine-type* is `custom-oracle-ee`, `custom-oracle-se2`, `custom-oracle-ee-cdb`, or `custom-oracle-se2-cdb` + `--engine-version cev` (where *`cev`* is the name of the custom engine version that you specified in [Creating a CEV](custom-cev.create.md)) + `--kms-key-id my-kms-key` + `--backup-retention-period days` (where *`days`* is a value greater than `0`) + `--no-auto-minor-version-upgrade` + `--custom-iam-instance-profile AWSRDSCustomInstanceProfile-us-east-1` (where *`region`* is the AWS Region where you are creating your DB instance) The following example creates an RDS Custom DB instance named `my-cfo-cdb-instance`. The database is a CDB with the nondefault name *MYCDB*. The nondefault PDB name is *MYPDB*. The backup retention period is three days. **Example** For Linux, macOS, or Unix: ``` 1. aws rds create-db-instance \ 2. --engine custom-oracle-ee-cdb \ 3. --db-instance-identifier my-cfo-cdb-instance \ 4. --engine-version 19.cdb_cev1 \ 5. --db-name MYPDB \ 6. --db-system-id MYCDB \ 7. --allocated-storage 250 \ 8. --db-instance-class db.m5.xlarge \ 9. --db-subnet-group mydbsubnetgroup \ 10. --master-username myuser \ 11. --master-user-password mypassword \ 12. --backup-retention-period 3 \ 13. --port 8200 \ 14. --kms-key-id my-kms-key \ 15. --no-auto-minor-version-upgrade \ 16. --custom-iam-instance-profile AWSRDSCustomInstanceProfile-us-east-1 ``` For Windows: ``` 1. aws rds create-db-instance ^ 2. --engine custom-oracle-ee-cdb ^ 3. --db-instance-identifier my-cfo-cdb-instance ^ 4. --engine-version 19.cdb_cev1 ^ 5. --db-name MYPDB ^ 6. --db-system-id MYCDB ^ 7. --allocated-storage 250 ^ 8. --db-instance-class db.m5.xlarge ^ 9. --db-subnet-group mydbsubnetgroup ^ 10. --master-username myuser ^ 11. --master-user-password mypassword ^ 12. --backup-retention-period 3 ^ 13. --port 8200 ^ 14. --kms-key-id my-kms-key ^ 15. --no-auto-minor-version-upgrade ^ 16. --custom-iam-instance-profile AWSRDSCustomInstanceProfile-us-east-1 ``` Specify a password other than the prompt shown here as a security best practice. Get details about your instance by using the `describe-db-instances` command. **Example** ``` 1. aws rds describe-db-instances --db-instance-identifier my-cfo-cdb-instance ``` The following partial output shows the engine, parameter groups, and other information. ``` 1. { 2. "DBInstanceIdentifier": "my-cfo-cdb-instance", 3. "DBInstanceClass": "db.m5.xlarge", 4. "Engine": "custom-oracle-ee-cdb", 5. "DBInstanceStatus": "available", 6. "MasterUsername": "admin", 7. "DBName": "MYPDB", 8. "DBSystemID": "MYCDB", 9. "Endpoint": { 10. "Address": "my-cfo-cdb-instance.abcdefghijkl.us-east-1.rds.amazonaws.com", 11. "Port": 1521, 12. "HostedZoneId": "A1B2CDEFGH34IJ" 13. }, 14. "AllocatedStorage": 100, 15. "InstanceCreateTime": "2023-04-12T18:52:16.353000+00:00", 16. "PreferredBackupWindow": "08:46-09:16", 17. "BackupRetentionPeriod": 7, 18. "DBSecurityGroups": [], 19. "VpcSecurityGroups": [ 20. { 21. "VpcSecurityGroupId": "sg-0a1bcd2e", 22. "Status": "active" 23. } 24. ], 25. "DBParameterGroups": [ 26. { 27. "DBParameterGroupName": "default.custom-oracle-ee-cdb-19", 28. "ParameterApplyStatus": "in-sync" 29. } 30. ], 31. ... ``` ## Multitenant architecture considerations If you create an Amazon RDS Custom for Oracle DB instance with the Oracle multitenant architecture (`custom-oracle-ee-cdb` or `custom-oracle-se2-cdb` engine type), your database is a container database (CDB). If you don't specify the Oracle multitenant architecture, your database is a traditional non-CDB that uses the `custom-oracle-ee` or `custom-oracle-se2` engine type. A non-CDB can't contain pluggable databases (PDBs). For more information, see [Database architecture for Amazon RDS Custom for Oracle](custom-oracle.db-architecture.md). When you create an RDS Custom for Oracle CDB instance, consider the following: + You can create a multitenant database only from an Oracle Database 19c CEV. + You can create a CDB instance only if the CEV uses the `custom-oracle-ee-cdb` or `custom-oracle-se2-cdb` engine type. + If you create a CDB instance using Standard Edition 2, the CDB can contain a maximum of 3 PDBs. + By default, your CDB is named `RDSCDB`, which is also the name of the Oracle System ID (Oracle SID). You can choose a different name. + You CDB contains only one initial PDB. The PDB name defaults to `ORCL`. You can choose a different name for your initial PDB, but the Oracle SID and the PDB name can’t be the same. + RDS Custom for Oracle doesn't supply APIs for PDBs. To create additional PDBs, use the Oracle SQL command `CREATE PLUGGABLE DATABASE`. RDS Custom for Oracle doesn't restrict the number of PDBs that you can create. In general, you are responsible for creating and managing PDBs, as in an on-premises deployment. + You can't use RDS APIs to create, modify, and delete PDBs: you must use Oracle SQL statements. When you create a PDB using Oracle SQL, we recommend that you take a manual snapshot afterward in case you need to perform point-in-time recovery (PITR). + You can't rename existing PDBs using Amazon RDS APIs. You also can't rename the CDB using the `modify-db-instance` command. + The open mode for the CDB root is `READ WRITE` on the primary and `MOUNTED` on a mounted standby database. RDS Custom for Oracle attempts to open all PDBs when opening the CDB. If RDS Custom for Oracle can’t open all PDBs, it issues the event `tenant database shutdown`. ## RDS Custom service-linked role A *service-linked role* gives Amazon RDS Custom access to resources in your AWS account. It makes using RDS Custom easier because you don't have to manually add the necessary permissions. RDS Custom defines the permissions of its service-linked roles, and unless defined otherwise, only RDS Custom can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity. When you create an RDS Custom DB instance, both the Amazon RDS and RDS Custom service-linked roles are created (if they don't already exist) and used. For more information, see [Using service-linked roles for Amazon RDS](UsingWithRDS.IAM.ServiceLinkedRoles.md). The first time that you create an RDS Custom for Oracle DB instance, you might receive the following error: The service-linked role is in the process of being created. Try again later. If you do, wait a few minutes and then try again to create the DB instance. ## Installing additional software components on your RDS Custom for Oracle DB instance In a newly created DB instance, your database environment includes Oracle binaries, a database, and a database listener. You might want to install additional software on the host operating system of the DB instance. For example, you might want to install Oracle Application Express (APEX), the Oracle Enterprise Manager (OEM) agent, or the Guardium S-TAP agent. For guidelines and high-level instructions, see the detailed AWS blog post [Install additional software components on Amazon RDS Custom for Oracle](https://aws.amazon.com//blogs/database/install-additional-software-components-on-amazon-rds-custom-for-oracle/). # Connecting to your RDS Custom DB instance using Session Manager **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). After you create your RDS Custom DB instance, you can connect to it using AWS Systems Manager Session Manager. This is the preferred technique when your DB instance isn't publicly accessible. Session Manager allows you to access Amazon EC2 instances through a browser-based shell or through the AWS CLI. For more information, see [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html). ## Console **To connect to your DB instance using Session Manager** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**, and then choose the RDS Custom DB instance to which you want to connect. 1. Choose **Configuration**. 1. Note the **Resource ID** for your DB instance. For example, the resource ID might be `db-ABCDEFGHIJKLMNOPQRS0123456`. 1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). 1. In the navigation pane, choose **Instances**. 1. Look for the name of your EC2 instance, and then click the instance ID associated with it. For example, the instance ID might be `i-abcdefghijklm01234`. 1. Choose **Connect**. 1. Choose **Session Manager**. 1. Choose **Connect**. A window opens for your session. ## AWS CLI You can connect to your RDS Custom DB instance using the AWS CLI. This technique requires the Session Manager plugin for the AWS CLI. To learn how to install the plugin, see [Install the Session Manager plugin for the AWS CLI](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html). To find the DB resource ID of your RDS Custom DB instance, use `aws rds [describe-db-instances](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html)`. ``` aws rds describe-db-instances \ --query 'DBInstances[*].[DBInstanceIdentifier,DbiResourceId]' \ --output text ``` The following sample output shows the resource ID for your RDS Custom instance. The prefix is `db-`. ``` db-ABCDEFGHIJKLMNOPQRS0123456 ``` To find the EC2 instance ID of your DB instance, use `aws ec2 describe-instances`. The following example uses `db-ABCDEFGHIJKLMNOPQRS0123456` for the resource ID. ``` aws ec2 describe-instances \ --filters "Name=tag:Name,Values=db-ABCDEFGHIJKLMNOPQRS0123456" \ --output text \ --query 'Reservations[*].Instances[*].InstanceId' ``` The following sample output shows the EC2 instance ID. ``` i-abcdefghijklm01234 ``` Use the `aws ssm start-session` command, supplying the EC2 instance ID in the `--target` parameter. ``` aws ssm start-session --target "i-abcdefghijklm01234" ``` A successful connection looks like the following. ``` Starting session with SessionId: yourid-abcdefghijklm1234 [ssm-user@ip-123-45-67-89 bin]$ ``` ## Connecting to your RDS Custom DB instance using SSH The Secure Shell Protocol (SSH) is a network protocol that supports encrypted communication over an unsecured network. After you create your RDS Custom DB instance, you can connect to it using an ssh client. For more information, see [Connecting to your Linux instance using SSH](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html). Your SSH connection technique depends on whether your DB instance is private, meaning that it doesn't accept connections from the public internet. In this case, you must use SSH tunneling to connect the ssh utility to your instance. This technique transports data with a dedicated data stream (tunnel) inside an existing SSH session. You can configure SSH tunneling using AWS Systems Manager. **Note** Various strategies are supported for accessing private instances. To learn how to connect an ssh client to private instances using bastion hosts, see [Linux Bastion Hosts on AWS](https://aws.amazon.com/solutions/implementations/linux-bastion/). To learn how to configure port forwarding, see [Port Forwarding Using AWS Systems Manager Session Manager](https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/). If your DB instance is in a public subnet and has the publicly available setting, then no SSH tunneling is required. You can connect with SSH just as would to a public Amazon EC2 instance. To connect an ssh client to your DB instance, complete the following steps: 1. [Step 1: Configure your DB instance to allow SSH connections](#custom-managing.ssh.port-22) 1. [Step 2: Retrieve your SSH secret key and EC2 instance ID](#custom-managing.ssh.obtaining-key) 1. [Step 3: Connect to your EC2 instance using the ssh utility](#custom-managing.ssh.connecting) ### Step 1: Configure your DB instance to allow SSH connections To make sure that your DB instance can accept SSH connections, do the following: + Make sure that your DB instance security group permits inbound connections on port 22 for TCP. To learn how to configure the security group for your DB instance, see [Controlling access with security groups](Overview.RDSSecurityGroups.md). + If you don't plan to use SSH tunneling, make sure your DB instance resides in a public subnet and is publicly accessible. In the console, the relevant field is **Publicly accessible** on the **Connectivity & security** tab of the database details page. To check your settings in the CLI, run the following command: ``` aws rds describe-db-instances \ --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,PubliclyAccessible:PubliclyAccessible}' \ --output table ``` To change the accessibility settings for your DB instance, see [Modifying an Amazon RDS DB instance](Overview.DBInstance.Modifying.md). ### Step 2: Retrieve your SSH secret key and EC2 instance ID To connect to the DB instance using SSH, you need the SSH key pair associated with the instance. RDS Custom creates the SSH key pair on your behalf, using the naming convention `do-not-delete-rds-custom-ssh-privatekey-resource_id-uuid` or `rds-custom!oracle-do-not-delete-resource_id-uuid-ssh-privatekey`. AWS Secrets Manager stores your SSH private key as a secret. Retrieve your SSH secret key using either AWS Management Console or the AWS CLI. If your instance has a public DNS, and you don't intend to use SSH tunneling, then also retrieve the DNS name. You specify the DNS name for public connections. #### Console **To retrieve the secret SSH key** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**, and then choose the RDS Custom DB instance to which you want to connect. 1. Choose **Configuration**. 1. Note the **Resource ID** value. For example, the DB instance resource ID might be `db-ABCDEFGHIJKLMNOPQRS0123456`. 1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). 1. In the navigation pane, choose **Instances**. 1. Find the name of your EC2 instance, and choose the instance ID associated with it. For example, the EC2 instance ID might be `i-abcdefghijklm01234`. 1. In **Details**, find **Key pair name**. The pair name includes the DB instance resource ID. For example, the pair name might be `do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c` or `rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey`. 1. If your EC2 instance is public, note the **Public IPv4 DNS**. For the example, the public Domain Name System (DNS) address might be `ec2-12-345-678-901.us-east-2.compute.amazonaws.com`. 1. Open the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/). 1. Choose the secret that has the same name as your key pair. 1. Choose **Retrieve secret value**. 1. Copy the SSH private key into a text file, and then save the file with the `.pem` extension. For example, save the file as `/tmp/do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem` or `/tmp/rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey.pem`. #### AWS CLI To retrieve the SSH private key and save it in a .pem file, you can use the AWS CLI. 1. Find the DB resource ID of your RDS Custom DB instance using `aws rds [describe-db-instances](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html)`. ``` aws rds describe-db-instances \ --query 'DBInstances[*].[DBInstanceIdentifier,DbiResourceId]' \ --output text ``` The following sample output shows the resource ID for your RDS Custom instance. The prefix is `db-`. ``` db-ABCDEFGHIJKLMNOPQRS0123456 ``` 1. Find the EC2 instance ID of your DB instance using `aws ec2 describe-instances`. The following example uses `db-ABCDEFGHIJKLMNOPQRS0123456` for the resource ID. ``` aws ec2 describe-instances \ --filters "Name=tag:Name,Values=db-ABCDEFGHIJKLMNOPQRS0123456" \ --output text \ --query 'Reservations[*].Instances[*].InstanceId' ``` The following sample output shows the EC2 instance ID. ``` i-abcdefghijklm01234 ``` 1. To find the key name, specify the EC2 instance ID. The following example describes EC2 instance `i-0bdc4219e66944afa`. ``` aws ec2 describe-instances \ --instance-ids i-0bdc4219e66944afa \ --output text \ --query 'Reservations[*].Instances[*].KeyName' ``` The following sample output shows the key name, which uses the naming format `do-not-delete-rds-custom-ssh-privatekey-resource_id-uuid` or `rds-custom!oracle-do-not-delete-resource_id-uuid-ssh-privatekey`. ``` do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey ``` 1. Save the private key in a .pem file named after the key using `aws secretsmanager`. The following example saves the key `do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c` to a file in your `/tmp` directory. ``` aws secretsmanager get-secret-value \ --secret-id do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c \ --query SecretString \ --output text >/tmp/do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem ``` The following example saves the key `rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey` to a file in your `/tmp` directory. ``` aws secretsmanager get-secret-value \ --secret-id rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey \ --query SecretString \ --output text >/tmp/rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey.pem ``` ### Step 3: Connect to your EC2 instance using the ssh utility Your connection technique depends on whether you are connecting to a private DB instance or connecting to a public instance. A private connection requires you to configure SSH tunneling through AWS Systems Manager. **To connect to an EC2 instance using the ssh utility** 1. For private connections, modify your SSH configuration file to proxy commands to AWS Systems Manager Session Manager. For public connections, skip to Step 2. Add the following lines to `~/.ssh/config`. These lines proxy SSH commands for hosts whose names begin with `i-` or `mi-`. ``` Host i-* mi-* ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'" ``` 1. Change to the directory that contains your .pem file. Using `chmod`, set the permissions to `400`. The following example changes to the `/tmp` directory and sets permissions for .pem file `do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem`. ``` cd /tmp chmod 400 do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem ``` The following example changes to the `/tmp` directory and sets permissions for .pem file `rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey.pem`. ``` cd /tmp chmod 400 rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey.pem ``` 1. Run the ssh utility, specifying the .pem file and either the public DNS name (for public connections) or the EC2 instance ID (for private connections). Log in as user `ec2-user`. The following example connects to a public instance using the DNS name `ec2-12-345-678-901.us-east-2.compute.amazonaws.com`. ``` # .pem file using naming prefix do-not-delete ssh -i \ "do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem" \ ec2-user@ec2-12-345-678-901.us-east-2.compute.amazonaws.com # .pem file using naming prefix rds-custom!oracle-do-not-delete ssh -i \ "rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey.pem" \ ec2-user@ec2-12-345-678-901.us-east-2.compute.amazonaws.com ``` The following example connects to a private instance using the EC2 instance ID `i-0bdc4219e66944afa`. ``` # .pem file using naming prefix do-not-delete ssh -i \ "do-not-delete-rds-custom-ssh-privatekey-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c.pem" \ ec2-user@i-0bdc4219e66944afa # .pem file using naming prefix rds-custom!oracle-do-not-delete ssh -i \ "rds-custom!oracle-do-not-delete-db-ABCDEFGHIJKLMNOPQRS0123456-0d726c-ssh-privatekey.pem" \ ec2-user@i-0bdc4219e66944afa ``` # Logging in to your RDS Custom for Oracle database as SYS **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). After you create your RDS Custom DB instance, you can log in to your Oracle database as user `SYS`, which gives you `SYSDBA` privileges. You have the following login options: + Get the `SYS` password from Secrets Manager, and specify this password in your SQL client. + Use OS authentication to log in to your database. In this case, you don't need a password. ## Finding the SYS password for your RDS Custom for Oracle database Your can log in to your Oracle database as `SYS` or `SYSTEM` or by specifying the master user name in an API call. The password for `SYS` and `SYSTEM` is stored in Secrets Manager. The secret uses the naming format `do-not-delete-rds-custom-resource_id-uuid` or `rds-custom!oracle-do-not-delete-resource_id-uuid`. You can find the password using the AWS Management Console. ### Console **To find the SYS password for your database in Secrets Manager** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the RDS console, complete the following steps: 1. In the navigation pane, choose **Databases**. 1. Choose the name of your RDS Custom for Oracle DB instance. 1. Choose **Configuration**. 1. Copy the value underneath **Resource ID**. For example, you resource ID might be **db-ABC12CDE3FGH4I5JKLMNO6PQR7**. 1. Open the Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/). 1. In the Secrets Manager console, complete the following steps: 1. In the left navigation pane, choose **Secrets**. 1. Filter the secrets by the resource ID that you copied in step 2.d. 1. Choose the secret that uses the naming format **do-not-delete-rds-custom-*resource\$1id*-*uuid*** or **rds-custom\$1oracle-do-not-delete-*resource\$1id*-*uuid***. The *resource\$1id* is the resource ID that you copied in step 2.d. For example, if your resource ID is **db-ABC12CDE3FGH4I5JKLMNO6PQR7** and your UUID is **1234ab**, your secret is named **do-not-delete-rds-custom-db-ABC12CDE3FGH4I5JKLMNO6PQR7-1234ab** or **rds-custom\$1oracle-do-not-delete-db-ABC12CDE3FGH4I5JKLMNO6PQR7-1234ab**. 1. In **Secret value**, choose **Retrieve secret value**. 1. In **Key/value**, copy the value for **password**. 1. Install SQL\$1Plus on your DB instance and log in to your database as `SYS`. For more information, see [Step 3: Connect your SQL client to an Oracle DB instance](CHAP_GettingStarted.CreatingConnecting.Oracle.md#CHAP_GettingStarted.Connecting.Oracle). ## Logging in to your RDS Custom for Oracle database using OS authentication The OS user `rdsdb` owns the Oracle database binaries. You can switch to the `rdsdb` user and log in to your RDS Custom for Oracle database without a password. 1. Connect to your DB instance with AWS Systems Manager. For more information, see [Connecting to your RDS Custom DB instance using Session Manager](custom-creating.ssm.md). 1. Switch to the `rdsdb` user. ``` sudo su - rdsdb ``` 1. Log in to your database using OS authentication. You can use `sqlplus / as sysdba` or the `sql` alias. ``` $ sqlplus / as sysdba SQL*Plus: Release 21.0.0.0.0 - Production on Wed Apr 12 20:11:08 2023 Version 21.9.0.0.0 Copyright (c) 1982, 2020, Oracle. All rights reserved. Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Version 19.10.0.0.0 ``` Alternatively, you can use the `sql` alias: ``` $ sql ``` # Managing an Amazon RDS Custom for Oracle DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Amazon RDS Custom supports a subset of the usual management tasks for Amazon RDS DB instances. Following, you can find instructions for the supported RDS Custom for Oracle management tasks using the AWS Management Console and the AWS CLI. **Topics** + [ # Working with container databases (CDBs) in RDS Custom for Oracle ](custom-managing.multitenant.md) + [ # Working with high availability features for RDS Custom for Oracle ](custom-managing.ha.md) + [ # Customizing your RDS Custom environment ](custom-managing.customizing-env.md) + [ # Modifying your RDS Custom for Oracle DB instance ](custom-managing.modifying.md) + [ # Changing the character set of an RDS Custom for Oracle DB instance ](custom-managing.character-set.md) + [ # Setting the NLS\$1LANG value in RDS Custom for Oracle ](custom-managing.nlslang.md) + [ ## Support for Transparent Data Encryption ](#custom-managing.tde) + [ # Tagging RDS Custom for Oracle resources ](custom-managing.tagging.md) + [ # Deleting an RDS Custom for Oracle DB instance ](custom-managing.deleting.md) # Working with container databases (CDBs) in RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can either create your RDS Custom for Oracle DB instance with the Oracle multitenant architecture (`custom-oracle-ee-cdb` or `custom-oracle-se2-cdb` engine type) or with the traditional non-CDB architecture (`custom-oracle-ee` or `custom-oracle-se2` engine type). When you create a container database (CDB), it contains one pluggable database (PDB) and one PDB seed. You can create additional PDBs manually using Oracle SQL. ## PDB and CDB names When you create an RDS Custom for Oracle CDB instance, you specify a name for the initial PDB. By default, your initial PDB is named `ORCL`. You can choose a different name. By default, your CDB is named `RDSCDB`. You can choose a different name. The CDB name is also the name of your Oracle system identifier (SID), which uniquely identifies the memory and processes that manage your CDB. For more information about the Oracle SID, see [Oracle System Identifier (SID)](https://docs.oracle.com/en/database/oracle/oracle-database/19/cncpt/oracle-database-instance.html#GUID-8BB8140D-63ED-454E-AAC3-1964F80D102D) in *Oracle Database Concepts*. You can't rename existing PDBs using Amazon RDS APIs. You also can't rename the CDB using the `modify-db-instance` command. ## PDB management In the RDS Custom for Oracle shared responsibility model, you are responsible for managing PDBs and creating any additional PDBs. RDS Custom doesn't restrict the number of PDBs. You can manually create, modify, and delete PDBs by connecting to the CDB root and running a SQL statement. Create PDBs on an Amazon EBS data volume to prevent the DB instance from going outside the support perimeter. To modify your CDBs or PDBs, complete the following steps: 1. Pause automation to prevent interference with RDS Custom actions. 1. Modify your CDB or PDBs. 1. Back up any modified PDBs. 1. Resume RDS Custom automation. ## Automatic recovery of the CDB root RDS Custom keeps the CDB root open in the same way as it keeps a non-CDB open. If the state of the CDB root changes, the monitoring and recovery automation attempts to recover the CDB root to the desired state. You receive RDS event notifications when the root CDB is shut down (`RDS-EVENT-0004`) or restarted (`RDS-EVENT-0006`), similar to the non-CDB architecture. RDS Custom attempts to open all PDBs in `READ WRITE` mode at DB instance startup. If some PDBs can't be opened, RDS Custom publishes the following event: `tenant database shutdown`. # Working with high availability features for RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). RDS Custom for Oracle provides built-in high availability through Multi-AZ deployments. Alternatively, you can use Oracle Data Guard as a customer-managed option based on your use cases. ## Multi-AZ deployments (fully-managed) With Multi-AZ deployments for RDS Custom for Oracle, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone (AZ). The primary DB instance is synchronously replicated across AZs to a standby replica for data redundancy. Multi-AZ deployment is supported in both the Enterprise Edition and the Standard Edition 2. See [Managing a Multi-AZ deployment for RDS Custom for Oracle](custom-oracle-multiaz.md) for details. ## Oracle Data Guard (customer-managed) Alternatively, you can achieve high availability by manually configuring Oracle Data Guard to replicate data between RDS Custom for Oracle DB instances. The primary DB instance automatically synchronizes data to the standby instances. Oracle Data Guard is supported only in the Enterprise Edition. You can configure your high availability environment in the following ways: + Configure standby instances in different AZs to be resilient to AZ failures. + Place your standby databases in mounted or read-only mode. Read-only mode requires an Oracle Active Data Guard license. + Fail over or switch over from the primary database to a standby database with no data loss. + Migrate data by configuring high availability for your on-premises instance, and then failing over or switching over to the RDS Custom for Oracle standby database. To learn how to configure Oracle Data Guard for high availability, see the AWS blog [Build high availability for RDS Custom for Oracle using read replicas](https://aws.amazon.com/blogs/database/build-high-availability-for-amazon-rds-custom-for-oracle-using-read-replicas/). You can perform the following tasks: + Use a virtual private network (VPN) tunnel to encrypt data in transit for your high availability instances. Encryption in transit isn't configured automatically by RDS Custom for Oracle. + Configure Oracle Fast-Failover Observer (FSFO) to monitor your high availability instances. + Allow the observer to perform automatic failover when necessary conditions are met. # Customizing your RDS Custom environment **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). RDS Custom for Oracle includes built-in features that allow you to customize your DB instance environment without pausing automation. For example, you can use RDS APIs to customize your environment as follows: + Create and restore DB snapshots to create a clone environment. + Create read replicas. + Modify storage settings. + Change the CEV to apply release updates For some customizations, such as changing the character set, you can't use the RDS APIs. In these cases, you need to change the environment manually by accessing your Amazon EC2 instance as the root user or logging in to your Oracle database as `SYSDBA`. To customize your instance manually, you must pause and resume RDS Custom automation. This pause ensures that your customizations don't interfere with RDS Custom automation. In this way, you avoid breaking the support perimeter, which places the instance in the `unsupported-configuration` state until you fix the underlying issues. Pausing and resuming are the only supported automation tasks when you modify an RDS Custom for Oracle DB instance. ## General steps for customizing your RDS Custom environment To customize your RDS Custom DB instance, complete the following steps: 1. Pause RDS Custom automation for a specified period using the console or CLI. 1. Identify your underlying Amazon EC2 instance. 1. Connect to your underlying Amazon EC2 instance using SSH keys or AWS Systems Manager. 1. Verify your current configuration settings at the database or operating system layer. You can validate your changes by comparing the initial configuration to the changed configuration. Depending on the type of customization, use OS tools or database queries. 1. Customize your RDS Custom for Oracle DB instance as needed. 1. Reboot your instance or database, if required. **Note** In an on-premises Oracle CDB, you can preserve a specified open mode for PDBs using a built-in command or after a startup trigger. This mechanism brings PDBs to a specified state when the CDB restarts. When opening your CDB, RDS Custom automation discards any user-specified preserved states and attempts to open all PDBs. If RDS Custom can't open all PDBs, the following event is issued: `The following PDBs failed to open: list-of-PDBs`. 1. Verify your new configuration settings by comparing them with the previous settings. 1. Resume RDS Custom automation in either of the following ways: + Resume automation manually. + Wait for the pause period to end. In this case, RDS Custom resumes monitoring and instance recovery automatically. 1. Verify the RDS Custom automation framework If you followed the preceding steps correctly, RDS Custom starts an automated backup. The status of the instance in the console shows **Available**. For best practices and step-by-step instructions, see the AWS blog posts [Make configuration changes to an Amazon RDS Custom for Oracle instance: Part 1](https://aws.amazon.com/blogs/database/part-1-make-configuration-changes-to-an-amazon-rds-custom-for-oracle-instance/) and [Recreate an Amazon RDS Custom for Oracle database: Part 2](https://aws.amazon.com/blogs/database/part-2-recreate-an-amazon-rds-custom-for-oracle-database/). ## Pausing and resuming your RDS Custom DB instance You can pause and resume automation for your DB instance using the console or CLI. ### Console **To pause or resume RDS Custom automation** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**, and then choose the RDS Custom DB instance that you want to modify. 1. Choose **Modify**. The **Modify DB instance** page appears. 1. For **RDS Custom automation mode**, choose one of the following options: + **Paused** pauses the monitoring and instance recovery for the RDS Custom DB instance. Enter the pause duration that you want (in minutes) for **Automation mode duration**. The minimum value is 60 minutes (default). The maximum value is 1,440 minutes. + **Full automation** resumes automation. 1. Choose **Continue** to check the summary of modifications. A message indicates that RDS Custom will apply the changes immediately. 1. If your changes are correct, choose **Modify DB instance**. Or choose **Back** to edit your changes or **Cancel** to cancel your changes. On the RDS console, the details for the modification appear. If you paused automation, the **Status** of your RDS Custom DB instance indicates **Automation paused**. 1. (Optional) In the navigation pane, choose **Databases**, and then your RDS Custom DB instance. In the **Summary** pane, **RDS Custom automation mode** indicates the automation status. If automation is paused, the value is **Paused. Automation resumes in *num* minutes**. ### AWS CLI To pause or resume RDS Custom automation, use the `modify-db-instance` AWS CLI command. Identify the DB instance using the required parameter `--db-instance-identifier`. Control the automation mode with the following parameters: + `--automation-mode` specifies the pause state of the DB instance. Valid values are `all-paused`, which pauses automation, and `full`, which resumes it. + `--resume-full-automation-mode-minutes` specifies the duration of the pause. The default value is 60 minutes. **Note** Regardless of whether you specify `--no-apply-immediately` or `--apply-immediately`, RDS Custom applies modifications asynchronously as soon as possible. In the command response, `ResumeFullAutomationModeTime` indicates the resume time as a UTC timestamp. When the automation mode is `all-paused`, you can use `modify-db-instance` to resume automation mode or extend the pause period. No other `modify-db-instance` options are supported. The following example pauses automation for `my-custom-instance` for 90 minutes. **Example** For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --automation-mode all-paused \ --resume-full-automation-mode-minutes 90 ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier my-custom-instance ^ --automation-mode all-paused ^ --resume-full-automation-mode-minutes 90 ``` The following example extends the pause duration for an extra 30 minutes. The 30 minutes is added to the original time shown in `ResumeFullAutomationModeTime`. **Example** For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --automation-mode all-paused \ --resume-full-automation-mode-minutes 30 ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier my-custom-instance ^ --automation-mode all-paused ^ --resume-full-automation-mode-minutes 30 ``` The following example resumes full automation for `my-custom-instance`. **Example** For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --automation-mode full \ ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier my-custom-instance ^ --automation-mode full ``` In the following partial sample output, the pending `AutomationMode` value is `full`. ``` { "DBInstance": { "PubliclyAccessible": true, "MasterUsername": "admin", "MonitoringInterval": 0, "LicenseModel": "bring-your-own-license", "VpcSecurityGroups": [ { "Status": "active", "VpcSecurityGroupId": "0123456789abcdefg" } ], "InstanceCreateTime": "2020-11-07T19:50:06.193Z", "CopyTagsToSnapshot": false, "OptionGroupMemberships": [ { "Status": "in-sync", "OptionGroupName": "default:custom-oracle-ee-19" } ], "PendingModifiedValues": { "AutomationMode": "full" }, "Engine": "custom-oracle-ee", "MultiAZ": false, "DBSecurityGroups": [], "DBParameterGroups": [ { "DBParameterGroupName": "default.custom-oracle-ee-19", "ParameterApplyStatus": "in-sync" } ], ... "ReadReplicaDBInstanceIdentifiers": [], "AllocatedStorage": 250, "DBInstanceArn": "arn:aws:rds:us-west-2:012345678912:db:my-custom-instance", "BackupRetentionPeriod": 3, "DBName": "ORCL", "PreferredMaintenanceWindow": "fri:10:56-fri:11:26", "Endpoint": { "HostedZoneId": "ABCDEFGHIJKLMNO", "Port": 8200, "Address": "my-custom-instance.abcdefghijk.us-west-2.rds.amazonaws.com" }, "DBInstanceStatus": "automation-paused", "IAMDatabaseAuthenticationEnabled": false, "AutomationMode": "all-paused", "EngineVersion": "19.my_cev1", "DeletionProtection": false, "AvailabilityZone": "us-west-2a", "DomainMemberships": [], "StorageType": "gp2", "DbiResourceId": "db-ABCDEFGHIJKLMNOPQRSTUVW", "ResumeFullAutomationModeTime": "2020-11-07T20:56:50.565Z", "KmsKeyId": "arn:aws:kms:us-west-2:012345678912:key/aa111a11-111a-11a1-1a11-1111a11a1a1a", "StorageEncrypted": false, "AssociatedRoles": [], "DBInstanceClass": "db.m5.xlarge", "DbInstancePort": 0, "DBInstanceIdentifier": "my-custom-instance", "TagList": [] } ``` # Modifying your RDS Custom for Oracle DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Modifying an RDS Custom for Oracle DB instance is similar to modifying an Amazon RDS DB instance. You can change settings such as the following: + DB instance class + Storage allocation and type + Backup retention period + Deletion protection + Option group + CEV (see [Upgrading an RDS Custom for Oracle DB instance](custom-upgrading-modify.md)) + Port **Topics** + [ ## Requirements and limitations when modifying your DB instance storage ](#custom-managing.storage-modify) + [ ## Requirements and limitations when modifying your DB instance class ](#custom-managing.instance-class-reqs) + [ ## How RDS Custom creates your DB instance when you modify the instance class ](#custom-managing.instance-class-resources) + [ ## Modifying your RDS Custom for Oracle DB instance ](#custom-managing.modifying.procedure) ## Requirements and limitations when modifying your DB instance storage Consider the following requirements and limitations when you modify the storage for an RDS Custom for Oracle DB instance: + The minimum allocated storage for RDS Custom for Oracle is 40 GiB, and the maximum is 64 TiB. + As with Amazon RDS, you can't decrease the allocated storage. This is a limitation of Amazon EBS volumes. + Storage autoscaling isn't supported for RDS Custom DB instances. + Any storage volumes that you attach manually to your RDS Custom DB instance are outside the support perimeter. For more information, see [RDS Custom support perimeter](custom-concept.md#custom-troubleshooting.support-perimeter). + Magnetic (standard) Amazon EBS storage isn't supported for RDS Custom. You can choose only the io1, io2, gp2, or gp3 SSD storage types. For more information about Amazon EBS storage, see [Amazon RDS DB instance storage](CHAP_Storage.md). For general information about storage modification, see [Working with storage for Amazon RDS DB instances](USER_PIOPS.StorageTypes.md). ## Requirements and limitations when modifying your DB instance class Consider the following requirements and limitations when you modify the instance class for an RDS Custom for Oracle DB instance: + Your DB instance must be in the `available` state. + Your DB instance must have a minimum of 100 MiB of free space on the root volume, data volume, and binary volume. + You can assign only a single elastic IP (EIP) to your RDS Custom for Oracle DB instance when using the default elastic network interface (ENI). If you attach multiple ENIs to your DB instance, the modify operation fails. + All RDS Custom for Oracle tags must be present. + If you use RDS Custom for Oracle replication, note the following requirements and limitations: + For primary DB instances and read replicas, you can change the instance class for only one DB instance at a time. + If your RDS Custom for Oracle DB instance has an on-premises primary or replica database, make sure to manually update private IP addresses on the on-premises DB instance after the modification completes. This action is necessary to preserve Oracle DataGuard functionality. RDS Custom for Oracle publishes an event when the modification succeeds. + You can't modify your RDS Custom for Oracle DB instance class when the primary or read replica DB instances have FSFO (Fast-Start Failover) configured. ## How RDS Custom creates your DB instance when you modify the instance class When you modify your instance class, RDS Custom creates your DB instance as follows: + Creates the Amazon EC2 instance. + Creates the root volume from the latest DB snapshot. RDS Custom for Oracle doesn't retain information added to the root volume after the latest DB snapshot. + Creates Amazon CloudWatch alarms. + Creates an Amazon EC2 SSH key pair if you have deleted the original key pair. Otherwise, RDS Custom for Oracle retains the original key pair. + Creates new resources using the tags that are attached to your DB instance when you initiate the modification. RDS Custom doesn't transfer tags to the new resources when they are attached directly to underlying resources. + Transfers the binary and data volumes with the most recent modifications to the new DB instance. + Transfers the elastic IP address (EIP). If the DB instance is publicly accessible, then RDS Custom temporarily attaches a public IP address to the new DB instance before transferring the EIP. If the DB instance isn't publicly accessible, RDS Custom doesn't create public IP addresses. ## Modifying your RDS Custom for Oracle DB instance You can modify the DB instance class or storage using the console, AWS CLI, or RDS API. ### Console **To modify an RDS Custom for Oracle DB instance** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**. 1. Choose the DB instance that you want to modify. 1. Choose **Modify**. 1. (Optional) In **Instance configuration**, choose a value for **DB instance class**. For supported classes, see [DB instance class support for RDS Custom for Oracle](custom-oracle-feature-support.md#custom-reqs-limits.instances). 1. (Optional) In **Storage**, make the following changes as needed: 1. Enter a new value for **Allocated storage**. It must be greater than the current value, and from 40 GiB–64 TiB. 1. Change the value for **Storage type** to **General Purpose SSD (gp2)**, **General Purpose SSD (gp3)**, **Provisioned IOPS (io1)**, or **Provisioned IOPS (io2)**. 1. If you specified a storage type other than **General Purpose SSD (gp2)**, you can change the **Provisioned IOPS** value. 1. (Optional) In **Additional configuration**, make the following changes as needed: 1. For **Option group**, choose a new option group. For more information, see [Working with option groups in RDS Custom for Oracle](custom-oracle-option-groups.md). 1. Choose **Continue**. 1. Choose **Apply immediately** or **Apply during the next scheduled maintenance window**. 1. Choose **Modify DB instance**. ### AWS CLI To modify the storage for an RDS Custom for Oracle DB instance, use the [modify-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-instance.html) AWS CLI command. Set the following parameters as needed: + `--db-instance-class` – A new instance class. For supported classes, see [DB instance class support for RDS Custom for Oracle](custom-oracle-feature-support.md#custom-reqs-limits.instances). + `--allocated-storage` – Amount of storage to be allocated for the DB instance, in gibibytes. It must be greater than the current value, and from 40–65,536 GiB. + `--storage-type` – The storage type: gp2, gp3, io1, or io2. + `--iops` – Provisioned IOPS for the DB instance, if using the io1, io2, or gp3 storage types. + `--apply-immediately` – Use `--apply-immediately` to apply the storage changes immediately. Or use `--no-apply-immediately` (the default) to apply the changes during the next maintenance window. The following example changes the DB instance class of `my-cfo-instance` to `db.m5.16xlarge`. The command also changes the storage size to `1024` (1 TiB), storage type to `io2`, Provisioned IOPS to `3000`, and option group to `cfo-ee-19-mt`. **Example** For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier my-cfo-instance \ --db-instance-class db.m5.16xlarge \ --storage-type io2 \ --iops 3000 \ --allocated-storage 1024 \ --option-group cfo-ee-19-mt \ --apply-immediately ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier my-cfo-instance ^ --db-instance-class db.m5.16xlarge ^ --storage-type io2 ^ --iops 3000 ^ --allocated-storage 1024 ^ --option-group cfo-ee-19-mt ^ --apply-immediately ``` # Changing the character set of an RDS Custom for Oracle DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). RDS Custom for Oracle defaults to the character set US7ASCII. You might want to specify different character sets to meet language or multibyte character requirements. When you use RDS Custom for Oracle, you can pause automation and then change the character set of your database manually. Changing the character set of an RDS Custom for Oracle DB instance has the following requirements: + You can only change the character on a newly provisioned RDS Custom instance that has an empty or starter database with no application data. For all other scenarios, change the character set using DMU (Database Migration Assistant for Unicode). + You can only change to a character set supported by RDS for Oracle. For more information, see [Supported DB character sets](Appendix.OracleCharacterSets.md#Appendix.OracleCharacterSets.db-character-set.supported). **To change the character set of an RDS Custom for Oracle DB instance** 1. Pause RDS Custom automation. For more information, see [Pausing and resuming your RDS Custom DB instance](custom-managing.customizing-env.md#custom-managing.pausing). 1. Log in to your database as a user with `SYSDBA` privileges. 1. Restart the database in restricted mode, change the character set, and then restart the database in normal mode. Run the following script in your SQL client: ``` SHUTDOWN IMMEDIATE; STARTUP RESTRICT; ALTER DATABASE CHARACTER SET INTERNAL_CONVERT AL32UTF8; SHUTDOWN IMMEDIATE; STARTUP; SELECT VALUE FROM NLS_DATABASE_PARAMETERS WHERE PARAMETER = 'NLS_CHARACTERSET'; ``` Verify that the output shows the correct character set: ``` VALUE -------- AL32UTF8 ``` 1. Resume RDS Custom automation. For more information, see [Pausing and resuming your RDS Custom DB instance](custom-managing.customizing-env.md#custom-managing.pausing). # Setting the NLS\$1LANG value in RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). A *locale* is a set of information addressing linguistic and cultural requirements that corresponds to a given language and country. To specify locale behavior for Oracle software, set the `NLS_LANG` environment variable on your client host. This variable sets the language, territory, and character set used by the client application in a database session. For RDS Custom for Oracle, you can set only the language in the `NLS_LANG` variable: the territory and character use defaults. The language is used for Oracle database messages, collation, day names, and month names. Each supported language has a unique name, for example, American, French, or German. If language is not specified, the value defaults to American. After you create your RDS Custom for Oracle database, you can set `NLS_LANG` on your client host to a language other than English. To see a list of languages supported by Oracle Database, log in to your RDS Custom for Oracle database and run the following query: ``` SELECT VALUE FROM V$NLS_VALID_VALUES WHERE PARAMETER='LANGUAGE' ORDER BY VALUE; ``` You can set `NLS_LANG` on the host command line. The following example sets the language to German for your client application using the Z shell on Linux. ``` export NLS_LANG=German ``` Your application reads the `NLS_LANG` value when it starts and then communicates it to the database when it connects. For more information, see [Choosing a Locale with the NLS\$1LANG Environment Variable ](https://docs.oracle.com/en/database/oracle/oracle-database/21/nlspg/setting-up-globalization-support-environment.html#GUID-86A29834-AE29-4BA5-8A78-E19C168B690A) in the *Oracle Database Globalization Support Guide*. ## Support for Transparent Data Encryption RDS Custom supports Transparent Data Encryption (TDE) for RDS Custom for Oracle DB instances. However, you can't enable TDE using an option in a custom option group as you can in RDS for Oracle. You turn on TDE manually. For information about using Oracle Transparent Data Encryption, see [Securing stored data using Transparent Data Encryption](http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#BABFGJAG) in the Oracle documentation. # Tagging RDS Custom for Oracle resources **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can tag RDS Custom resources as with Amazon RDS resources, but with some important differences: + Don't create or modify the `AWSRDSCustom` tag that's required for RDS Custom automation. If you do, you might break the automation. + The `Name` tag is added to RDS Custom resources with prefix value of `do-not-delete-rds-custom` or `rds-custom!oracle-do-not-delete`. Any customer-passed value for the key is overwritten. + Tags added to RDS Custom DB instances during creation are propagated to all other related RDS Custom resources. + Tags aren't propagated when you add them to RDS Custom resources after DB instance creation. For general information about resource tagging, see [Tagging Amazon RDS resources](USER_Tagging.md). # Deleting an RDS Custom for Oracle DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). **Warning** Deleting a DB instance is a permanent action. You can't recover a DB instance after deletion unless you have a backup or snapshot. When you delete an RDS Custom DB instance, AWS automatically deletes the underlying Amazon EC2 instance and EBS volumes. Don't manually terminate the Amazon EC2 instance or delete the EBS volumes before deleting the DB instance through Amazon RDS. Manual deletion of these resources causes DB instance deletion and final snapshot creation to fail, preventing any possibility of recovery. To delete an RDS Custom DB instance, do the following: + Provide the name of the DB instance. + Clear the option to take a final DB snapshot of the DB instance. + Choose or clear the option to retain automated backups. You can delete an RDS Custom DB instance using the console or the CLI. The time required to delete the DB instance can vary depending on the backup retention period (that is, how many backups to delete) and how much data is deleted. ## Console **To delete an RDS Custom DB instance** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**, and then choose the RDS Custom DB instance that you want to delete. RDS Custom DB instances show the role **Instance (RDS Custom)**. 1. For **Actions**, choose **Delete**. 1. To retain automated backups, choose **Retain automated backups**. 1. Enter **delete me** in the box. 1. Choose **Delete**. ## AWS CLI You delete an RDS Custom DB instance by using the [delete-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-instance.html) AWS CLI command. Identify the DB instance using the required parameter `--db-instance-identifier`. The remaining parameters are the same as for an Amazon RDS DB instance, with the following exceptions: + `--skip-final-snapshot` is required. + `--no-skip-final-snapshot` isn't supported. + `--final-db-snapshot-identifier` isn't supported. The following example deletes the RDS Custom DB instance named `my-custom-instance`, and retains automated backups. **Example** For Linux, macOS, or Unix: ``` aws rds delete-db-instance \ --db-instance-identifier my-custom-instance \ --skip-final-snapshot \ --no-delete-automated-backups ``` For Windows: ``` aws rds delete-db-instance ^ --db-instance-identifier my-custom-instance ^ --skip-final-snapshot ^ --no-delete-automated-backups ``` # Managing a Multi-AZ deployment for RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). In a Multi-AZ DB instance deployment for RDS Custom for Oracle, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone (AZ). The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy. A Multi-AZ DB instance deployment enhances availability during planned system maintenance. If planned database maintenance or unplanned service disruption occurs, Amazon RDS automatically fails over to the up-to-date standby DB instance. Database operations can resume quickly without manual intervention. The primary and standby instances use the same endpoint, whose physical network address transitions to the standby replica as part of the failover process. You don't need to reconfigure your application when a failover occurs. The following diagram shows the Multi-AZ architecture for RDS Custom for Oracle: ![\[Amazon RDS architecture with primary DB instance and standby replica in separate availability zones.\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/custom-oracle-multiaz-architecture.png) The Amazon RDS console shows the Availability Zone of the standby replica (the secondary AZ). You can also use the `describe-db-instances` CLI command or the `DescribeDBInstances` API operation to find the secondary AZ. ## Region and version availability for a Multi-AZ deployment for RDS Custom for Oracle Multi-AZ deployments for RDS Custom for Oracle are supported for the following releases for both Enterprise Edition (EE) and Standard Edition 2 (SE2): + Oracle Database 19c + Oracle Database 12c Release 2 (12.2) + Oracle Database 12c Release 1 (12.1) **Note** Multi-AZ deployments for RDS Custom for Oracle aren't supported on Oracle Database 18c. Multi-AZ deployments for RDS Custom for Oracle are available in all Regions where RDS Custom for Oracle is available. For more information on Region availability of Multi-AZ deployments for RDS Custom for Oracle, see [Supported Regions and DB engines for RDS Custom for Oracle](Concepts.RDS_Fea_Regions_DB-eng.Feature.RDSCustom.md#Concepts.RDS_Fea_Regions_DB-eng.Feature.RDSCustom.ora). ## Limitations for a Multi-AZ deployment in RDS Custom for Oracle Multi-AZ deployments with RDS Custom for Oracle have the following limitations: + If your DB instance was created before June 30, 2025, you can't convert from a Single-AZ to Multi-AZ deployment. Your underlying Custom Engine Version (CEV) was built with an older service-provided AMI that lacks Multi-AZ support. You must migrate your database to a new DB instance using a CEV that you create with a service-provided AMI after June 30, 2025. For details, see [Migration steps for DB instances using CEVs created before June 30, 2025](custom-oracle-multiaz-prerequisites.md#migration-using-older-CEVs). + You can't create cross-Region Multi-AZ deployments. + You can't configure the standby DB instance to accept database read activity. + When you use a Custom Engine Version (CEV) with a Multi-AZ deployment, your standby DB instance uses the same CEV. The standby DB instance can't use a different CEV. + You can't create a read replica on a Multi-AZ deployment instance and you also cannot modify the primary instance of the read replica to have a Multi-AZ deployment. + RDS Custom for Oracle DB instances with Multi-AZ deployment can have increased write and commit latency compared to a Single-AZ deployment. This increase can happen because of the synchronous data replication between DB instances. You might have a change in latency if your deployment fails over to the standby replica, although AWS is engineered with low-latency network connectivity between Availability Zones. ## Creating a Multi-AZ deployment in RDS Custom for Oracle To create an RDS Custom for Oracle DB instance with a Multi-AZ deployment, follow the steps in [Setting up your environment for Amazon RDS Custom for Oracle](custom-setup-orcl.md) to set up your environment with the prerequisites. **Important** To simplify setup, we recommend that you use the latest CloudFormation template file provided in the network setup instructions. For more information, see [Deploying RDS Custom for Oracle with AWS CloudFormation](custom-oracle-multiaz-deployment.md). You can create an RDS Custom for Oracle instance with a Multi-AZ deployment by choosing the **Multi-AZ** option during the database instance creation in the Amazon RDS console. Alternatively, you can specify the `--multi-az` parameter in the Amazon RDS `create-db-instance` command in the AWS CLI. # Prerequisites for a Multi-AZ deployment in RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). A Multi-AZ deployment for RDS Custom for Oracle is different from Multi-AZ for RDS for Oracle. Unlike Multi-AZ for RDS for Oracle, you must meet the prerequisites for RDS Custom for Oracle before you create your Multi-AZ DB instance. This is because RDS Custom runs inside your own account, which requires permissions. Also, you need to create the Multi-AZ instance on the CEV with the latest service-provided AMI, which supports the Multi-AZ deployments. If you don't complete the prerequisites, your Multi-AZ DB instance might fail to run, or automatically revert to a Single-AZ DB instance. For more information about prerequisites, see [Prerequisites for a Multi-AZ deployment in RDS Custom for Oracle](#custom-oracle-multiaz-prerequisites). RDS Custom for Oracle requires specific prerequisites when converting from Single-AZ to Multi-AZ deployment. Incomplete prerequisites cause Multi-AZ setup to fail. Use either manual setup or the latest CloudFormation template file provided in the network setup instructions. For more information, see [Step 3: Extract the CloudFormation templates for RDS Custom for Oracle](custom-setup-orcl.md#custom-setup-orcl.cf.downloading). To complete the prerequisites manually, follow the steps in [Converting a Single-AZ deployment to a Multi-AZ deployment in RDS Custom for Oracle](custom-oracle-multiaz-modify-single-to-multi.md) and note the following: + Make sure your RDS Custom for Oracle DB instance uses a CEV created after June 30, 2025 with the latest service-provided AMI. + Update the Amazon RDS security group inbound and outbound rules to allow port 1120. + Create new Amazon SQS VPC endpoints that allow the Amazon RDS RDS Custom for Oracle DB instance to communicate with Amazon SQS. + Update the Amazon SQS permissions in the instance profile role. **Important** Don't reboot your Multi-AZ primary DB instance manually by logging into the instance without pausing RDS Custom for Oracle automation. ## Migration steps for DB instances using CEVs created before June 30, 2025 If you created your RDS Custom for Oracle DB instance before June 30, 2025, you can't directly modify it to Multi-AZ deployment because the underlying CEV was built with an older service-provided AMI that lacks Multi-AZ support. You must migrate your database to a new instance using a CEV you create after June 30, 2025. Do the following for the migration. 1. **Create CEV from source** with the latest service-provided AMI (after June 30, 2025). 1. **Launch a new DB instance** with the new CEV. 1. **Migrate your database** from the existing DB instance that doesn’t support Multi-AZ deployment to the newly created instance using one of following methods: + [Physical migration of Oracle databases to Amazon RDS Custom using Data Guard](https://aws.amazon.com/blogs//database/physical-migration-of-oracle-databases-to-amazon-rds-custom-using-data-guard/) + [Physical migration of Oracle databases to Amazon RDS Custom using RMAN duplication](https://aws.amazon.com/blogs//database/physical-migration-of-oracle-databases-to-amazon-rds-custom-using-rman-duplication/) # Converting a Single-AZ deployment to a Multi-AZ deployment in RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can convert an existing multi-AZ compatible RDS Custom for Oracle instance from a Single-AZ deployment to a Multi-AZ deployment. When you modify the DB instance, Amazon RDS performs several actions: + Takes a snapshot of the primary DB instance. + Creates new volumes for the standby replica from the snapshot. These volumes initialize in the background, and maximum volume performance is achieved after the data is fully initialized. + Turns on synchronous block-level replication between the primary and standby DB instances. **Important** We recommend that you avoid modifying your RDS Custom for Oracle DB instance from a Single-AZ to a Multi-AZ deployment on a production DB instance during periods of peak activity. AWS uses a snapshot to create the standby instance to avoid downtime when you convert from Single-AZ to Multi-AZ, but performance might be impacted during and after converting to Multi-AZ. This impact can be significant for workloads that are sensitive to write latency. While this capability allows large volumes to quickly be restored from snapshots, it can cause increase in the latency of I/O operations because of the synchronous replication. This latency can impact your database performance. ## Configuring prerequisites to modify a Single-AZ to a Multi-AZ deployment using CloudFormation Follow [Step 3: Extract the CloudFormation templates for RDS Custom for Oracle](custom-setup-orcl.md#custom-setup-orcl.cf.downloading) to setup your VPC and IAM profile again to add SQS VPC endpoint and SQS permission in IAM profile. ## Configuring prerequisites to modify a Single-AZ to a Multi-AZ deployment manually If you choose to configure the prerequisites manually, perform the following tasks. 1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/) 1. Choose **Endpoint**. The **Create Endpoint** page appears. 1. For **Service Category**, choose **AWS services**. 1. In **Services**, search for `SQS`. 1. In **VPC**, choose the VPC where your RDS Custom for Oracle DB instance is deployed. 1. In **Subnets**, choose the subnets where your RDS Custom for Oracle DB instance is deployed. 1. In **Security Groups**, choose the security group where your RDS Custom for Oracle DB instance is deployed. 1. For **Policy**, choose **Custom**. 1. In your custom policy, replace the `AWS partition`, `Region`, `accountId`, and `IAM-Instance-role` with your own values. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Condition": { "StringLike": { "aws:ResourceTag/AWSRDSCustom": "custom-oracle" } }, "Action": [ "SQS:SendMessage", "SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueUrl" ], "Resource": "arn:aws:sqs:us-east-1:111122223333:do-not-delete-rds-custom-*", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/{IAM-Instance-role}" } } ] } ``` ------ Update the **Instance profile** with permission to access Amazon SQS. Replace the `AWS partition`, `Region`, and `accountId` with your own values. ``` { "Sid": "13", "Effect": "Allow", "Action": [ "SQS:SendMessage", "SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueUrl" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:do-not-delete-rds-custom-*" } ], "Condition": { "StringLike": { "aws:ResourceTag/AWSRDSCustom": "custom-oracle" } } } ``` Update the Amazon RDS security group inbound and outbound rules to allow port 1120. + In **Security Groups**, choose the group where your RDS Custom for Oracle DB instance is deployed. + For **Inbound Rules**, create a **Custom TCP** rule to allow port `1120` from the source group. + For **Outbound Rules**, create a **Custom TCP** rule to allow port `1120` to the destination group. ## Modify using the RDS console, AWS CLI, or RDS API After you've completed the prerequisites, you can modify an RDS Custom for Oracle DB instance from a Single-AZ to Multi-AZ deployment using the Amazon RDS console, AWS CLI, or Amazon RDS API. ### Console **To modify an existing RDS Custom for Oracle Single-AZ to Multi-AZ deployment** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the Amazon RDS console, choose **Databases**. The **Databases** pane appears. 1. Choose the RDS Custom for Oracle DB instance that you want to modify. 1. For **Actions**, choose **Convert to Multi-AZ deployment**. 1. On the **Confirmation** page, choose **Apply immediately** to apply the changes immediately. Choosing this option doesn't cause downtime, but there is a possible performance impact. Alternatively, you can choose to apply the update during the next maintenance window. For more information, see [Using the schedule modifications setting](USER_ModifyInstance.ApplyImmediately.md). 1. On the **Confirmation** page, choose **Convert to Multi-AZ**. ### AWS CLI To convert to a Multi-AZ DB instance deployment by using the AWS CLI, call the [modify-db-instance](https://docs.aws.amazon.com//cli/latest/reference/rds/modify-db-instance.html) command and set the `--multi-az` option. Specify the DB instance identifier and the values for other options that you want to modify. For information about each option, see [Settings for DB instances](USER_ModifyInstance.Settings.md). **Example** The following code modifies `mycustomdbinstance` by including the `--multi-az` option. The changes are applied during the next maintenance window by using `--no-apply-immediately`. Use `--apply-immediately` to apply the changes immediately. For more information, see [Using the schedule modifications setting](USER_ModifyInstance.ApplyImmediately.md). For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier mycustomdbinstance \ --multi-az \ [--no-apply-immediately | --apply-immediately] ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier mycustomdbinstance ^ --multi-az ^ [--no-apply-immediately | --apply-immediately] ``` ### RDS API To convert to a Multi-AZ DB instance deployment with the Amazon RDS API, call the [ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html) operation and set the `MultiAZ` parameter to true. # Converting a Multi-AZ deployment to a Single-AZ deployment in RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can modify an existing RDS Custom for Oracle DB instance from a Multi-AZ to a Single-AZ deployment. ## Console **To modify an RDS Custom for Oracle DB instance from a Multi-AZ to Single-AZ deployment** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the Amazon RDS console, choose **Databases**. The **Databases** pane appears. 1. Choose the RDS Custom for Oracle DB instance that you want to modify. 1. For **Multi-AZ deployment**, choose **No**. 1. On the **Confirmation** page, choose **Apply immediately** to apply the changes immediately. Choosing this option doesn't cause downtime, but there is a possible performance impact. Alternatively, you can choose to apply the update during the next maintenance window. For more information, see [Using the schedule modifications setting](USER_ModifyInstance.ApplyImmediately.md). 1. On the **Confirmation** page, choose **Modify DB Instance**. ## AWS CLI To modify a Multi-AZ deployment to a Single-AZ deployment by using the AWS CLI, call the [modify-db-instance](https://docs.aws.amazon.com//cli/latest/reference/rds/modify-db-instance.html) command and include the `--no-multi-az` option. Specify the DB instance identifier and the values for other options that you want to modify. For information about each option, see [Settings for DB instances](USER_ModifyInstance.Settings.md). **Example** The following code modifies `mycustomdbinstance` by including the `--no-multi-az` option. The changes are applied during the next maintenance window by using `--no-apply-immediately`. Use `--apply-immediately` to apply the changes immediately. For more information, see [Using the schedule modifications setting](USER_ModifyInstance.ApplyImmediately.md). For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier mycustomdbinstance \ --no-multi-az \ [--no-apply-immediately | --apply-immediately] ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier mycustomdbinstance ^ --no-multi-az ^ [--no-apply-immediately | --apply-immediately] ``` ## RDS API To modify a Multi-AZ deployment to a Single-AZ deployment by using the Amazon RDS API, call the [ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html) operation and set the `MultiAZ` parameter to `false`. # Customizing the OS in an RDS Custom for Oracle Multi-AZ deployment **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). With RDS Custom for Oracle Multi-AZ deployments, you can customize the operating system and install third-party software on both primary and standby EC2 instances. Unlike Amazon RDS, RDS Custom for Oracle provides administrative access to the database environment and underlying operating system, allowing you to install monitoring tools, security agents, or custom applications in addition to Oracle databases. When you customize the OS on a Multi-AZ deployment, you're responsible for ensuring that customizations exist on both primary and standby instances. This approach ensures application continuity during Multi-AZ failover and maintains consistent functionality across both instances. ## Requirements for customizing the OS in an RDS Custom for Oracle Multi-AZ deployment Before you customize the OS in a Multi-AZ deployment, be aware of the following requirements: + Install third-party software only on the `/rdsdbdata` mount point. The data volume (`/rdsdbdata`) is the only data that is replicated in a Multi-AZ deployment. The root volume (`/`) is replaced during OS patching, and the binary volume (`/rdsdbbin`) is replaced during database patching. Software installed on the root and binary volumes is lost during patching. + Ensure all customizations comply with AWS and Oracle licensing terms and conditions. + Before you convert from Single-AZ to Multi-AZ, make sure the HugePages settings in `/etc/sysctl.conf` work correctly. ## Identifying EC2 instances in an RDS Custom for Oracle Multi-AZ deployment When customizing your Multi-AZ instances, identify which Amazon EC2 instances serve as the primary and standby for your RDS Custom for Oracle deployment. **To identify primary and standby EC2 instances** 1. Open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**. 1. Choose your Multi-AZ RDS Custom for Oracle DB instance. 1. In the **Configuration** section, note the **Resource ID** (format: `db-nnnnnnn`). 1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). 1. In the navigation pane, choose **Instances**. 1. In the search box, enter the Resource ID from step 4. 1. The search results show two instances: your primary and secondary. The instance with the active RDS Custom for Oracle database is the primary. ## Customizing the OS before creating an RDS Custom for Oracle Multi-AZ deployment In this scenario, your current deployment is a Single-AZ DB instance. You can customize the OS and then convert your DB instance to a Multi-AZ deployment. If you're installing third-party software, and you have modified files on multiple volumes, this technique is recommended. **To customize the OS before converting your Single-AZ to Multi-AZ** 1. Connect to the EC2 instance in your Single-AZ deployment using AWS Systems Manager Session Manager or SSH. 1. Perform either of the following customizations: + Install third-party software on the data volume (`/rdsdbdata`). + Customize files on the root volume (`/`). 1. Test your software or root volume customizations to ensure they work correctly. 1. Convert the Single-AZ DB instance to a Multi-AZ deployment by following the instructions in [Converting a Single-AZ deployment to a Multi-AZ deployment in RDS Custom for Oracle](custom-oracle-multiaz-modify-single-to-multi.md). 1. Verify that your customizations exist on both instances in the Multi-AZ deployment. For more information, see [Identifying EC2 instances in an RDS Custom for Oracle Multi-AZ deployment](#cfo-os-maz-identify-instances). ## Customizing the OS after creating an RDS Custom for Oracle Multi-AZ deployment If you have an exiting Multi-AZ deployment, you can deploy your customizations using AWS Systems Manager or using manual techniques. ### Customizing the OS in a Multi-AZ deployment using AWS Systems Manager For existing Multi-AZ DB instances, we recommend Systems Manager as the most reliable way to apply customizations simultaneously to both primary and standby instances. This approach ensures consistency. For a general introduction to this service, see [What is AWS Systems Manager?](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html). To learn how to install software on both DB instances simultaneously, see [Install or update Distributor packages](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor-working-with-packages-deploy.html). ### Customizing the OS in a Multi-AZ deployment manually In this scenario, your Multi-AZ deployment already exists, but you don't use AWS Systems Manager to deploy the customizations. You can customize your OS manually in either of the following ways: **Customize the OS on the primary instance and replicate the changes** Multi-AZ deployment automatically replicates the `rdsdbdata` volume. You can customize the OS in the following ways: + Install third-party software directly on the `/rdsdbdata` mount point. + To modify files on the root volume (`/`), create files on the data volume and then create a symbolic link from the root volume files to the data volume files. **Customize the OS on the primary and standby instances separately** In this approach, you customize the OS on the primary instance. Then you perform the same customizations on the standby instance. **To customize the OS on the primary instance so that they are replicated automatically** 1. Identify the primary and standby DB instances using the procedure in [Identifying EC2 instances in an RDS Custom for Oracle Multi-AZ deployment](#cfo-os-maz-identify-instances). 1. Connect to the primary EC2 instance using Session Manager or SSH. 1. Use either of the following techniques, depending on your business requirements: **Install third-party software** Install your software on the `/rdsdbdata` mount point. ``` sudo mkdir -p /rdsdbdata/custom-software cd /rdsdbdata/custom-software # Install your software here ``` **Customize the root volume** Create symbolic links from OS configuration files on the root volume to files on the data volume. For example, create file `/rdsdbdata/customizations/sysctl.conf`, and then create a symbolic link at `/etc/sysctl.conf` that points to `/rdsdbdata/customizations/sysctl.conf`. ``` sudo mkdir -p /rdsdbdata/customizations sudo mv /etc/sysctl.conf /rdsdbdata/customizations/sysctl.conf sudo ln -sf /rdsdbdata/customizations/sysctl.conf /etc/sysctl.conf ``` 1. Test your software or root volume customizations to ensure they work correctly. 1. Connect to the standby instance and verify that the synchronous replication has copied your software or root volume customizations to the `/rdsdbdata` directory. ## Customizing the binary volume in an RDS Custom for Oracle Multi-AZ deployment You can apply a database patch to the binary volume (`/rdsdbbin`) in an RDS Custom for Oracle Multi-AZ deployment. You must apply the patch to the primary and standby instances. Consider the following guidelines: + When you perform a one-off patch, we recommend that you create a new CEV with the new one-off patch included in the manifest. + To apply a one-off patch manually, make sure to unzip the one-off patch in both the primary and secondary EC2 instances. Applying the patch and running `datapatch` is required only on the primary Multi-AZ instance. + If you patch the database using a different CEV, the binary volume is replaced. Make sure to include the one-off patch in the manifest of the new CEV. ## Best practices for customizing the OS Follow these best practices when customizing the OS on RDS Custom for Oracle Multi-AZ instances: **Test in non-production environments** Always test customizations in a non-production environment before applying them to production instances. **Document all changes** Maintain detailed documentation of all customizations for future reference and troubleshooting. We recommend that you store your customizations in a script that you can be applied anytime, just in case. **Verify on both instances** Regularly verify that customizations are present and functioning correctly on both primary and standby instances. **Use Systems Manager for consistency** Use Systems Manager for consistent application of changes across instances, especially for existing Multi-AZ deployments. # Deploying RDS Custom for Oracle with AWS CloudFormation **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Automate your RDS Custom for Oracle deployment using the provided AWS CloudFormation template. Complete the following prerequisites before deploying the resources. ## Prerequisites **Download required Oracle files** You need specific Oracle installation files before you can create the CloudFormationtemplate. Download these files before you deploy. 1. Navigate to [Oracle Database 19c (19.3)](https://www.oracle.com/database/technologies/oracle19c-linux-downloads.html) 1. Locate and download the file `LINUX.X64_193000_db_home.zip` 1. Rename the file to`V982063-01.zip` 1. Download the remaining patches, selecting **Platform or Language** as `Linux x86-64` ### Latest OPatch utility [Patch 6880880](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=6880880) ### January 2023 PSU Patches **Database PSU & RU Patches** + [Patch 34765931](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=34765931) + [Patch 34786990](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=34786990) **Additional Required Patches** + [Patch 35099667](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=35099667) + [Patch 35099674](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=35099674) + [Patch 28730253](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=28730253) + [Patch 29213893](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=29213893) + [Patch 35012866](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=35012866) ### April 2023 PSU Patches **Database PSU & RU Patches** + [Patch 35042068](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=35042068) + [Patch 35050341](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=35050341) **Additional Required Patches** + [Patch 28730253](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=28730253) + [Patch 29213893](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=29213893) + [Patch 33125873](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=33125873) + [Patch 35220732](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=35220732) + [Patch 35239280](https://updates.oracle.com/Orion/PatchDetails/process_form?patch_num=35239280) ### Amazon S3 bucket setup 1. Create an Amazon S3 bucket in your AWS account, or choose an existing bucket. 1. Create a folder structure in the bucket similar to example below. ``` / └── oracle_cev/ ├── V982063-01.zip ├── p6880880_190000_Linux-x86-64.zip ├── p34765931_190000_Linux-x86-64.zip ├── p34786990_190000_Linux-x86-64.zip ├── p35099667_190000_Linux-x86-64.zip ├── p35099674_190000_Generic.zip ├── p28730253_190000_Linux-x86-64.zip ├── p29213893_1918000DBRU_Generic.zip ├── p35012866_1918000DBRU_Linux-x86-64.zip ├── p35042068_190000_Linux-x86-64.zip ├── p35050341_190000_Linux-x86-64.zip ├── p29213893_1919000DBRU_Generic.zip ├── p33125873_1919000DBRU_Linux-x86-64.zip ├── p35220732_190000_Linux-x86-64.zip └── p35239280_190000_Generic.zip ``` 1. Upload all of Oracle files that you previously downloaded to the appropriate folders. ## Deploy RDS Custom for Oracle using AWS CloudFormation ### Step 1: Prepare the CloudFormation template Before you can deploy RDS Custom for Oracle, you need to download and configure the CloudFormation template that creates the necessary prerequisites. **Copy and save the template** 1. Go to [Deploying RDS Custom for Oracle with single and multiple Availability Zones](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html#aws-resource-rds-dbinstance--examples--Deploying_RDS_Custom_for_Oracle_with_single_and_multiple_Availability_Zones) 1. Copy the template in your preferred format (YAML or JSON) 1. Save the file in YAML or JSON format. For example, `rds-custom-oracle-prereqs.yaml` **Launch the stack in the AWS console** 1. Open the AWS Console and navigate to AWS CloudFormation 1. Choose **Create stack** > **With new resources (standard)** 1. Select **Choose an existing template** 1. Select **Upload a template file** > **Choose file** 1. Select the template file you previously downloaded 1. Keep the default parameter values 1. Select **Next** to create the stack **Alternative: Using AWS CLI** Instead of using the console, you can create the stack using the AWS CLI: ``` aws cloudformation create-stack \ --stack-name rds-custom-oracle \ --template-body file://rds-custom-oracle-prereqs.yaml \ --capabilities CAPABILITY_NAMED_IAM ``` ### Step 2: Create the Custom Engine Versions (CEVs) and Amazon RDS instances **Copy and save the template** 1. Go to [Deploying RDS Custom for Oracle with single and multiple Availability Zones](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html#aws-resource-rds-dbinstance--examples--Deploying_RDS_Custom_for_Oracle_with_single_and_multiple_Availability_Zones) 1. Copy the template in your preferred format (YAML or JSON) 1. Update the following parameters in the template if needed: + `BucketName` + `CEVS3Prefix` + Database master password (replace \$1\$1\$1\$1\$1\$1\$1\$1\$1\$1\$1\$1\$1) 1. Save the file in YAML or JSON format ### Step 3: Deploy using the AWS console 1. Open the AWS Console and navigate to AWS CloudFormation 1. Choose **Create stack** > **With new resources (standard)** 1. Select **Choose an existing template** 1. Select **Upload a template file** > **Choose file** 1. Select the template file you previously downloaded 1. Leave the parameters as default values 1. Fill in the parameters as follows: ``` BucketName: rds-custom-id CEVS3Prefix: oracle_cev CEVCreation: Yes ``` 1. Review the configuration and select **Next** to create the stack **Optional: Deploy Using AWS CLI** ``` aws cloudformation create-stack \ --stack-name rds-custom-oracle \ --template-body file://rds-custom-oracle.yaml \ --parameters \ ParameterKey=BucketName,ParameterValue=rds-custom-id \ ParameterKey=CEVS3Prefix,ParameterValue=oracle_cev \ ParameterKey=CEVCreation,ParameterValue=Yes \ --capabilities CAPABILITY_NAMED_IAM ``` ## Deployment resources created The template creates the following resources: + Amazon VPC with public and private subnets + Security groups + Amazon VPC endpoints + IAM roles and policies + AWS KMS key for encryption + Custom Engine Versions (CEVs) + RDS Custom for Oracle instances for both single-AZ and multi-AZ configurations ## Monitor your deployment progress After you create the CloudFormation stack, monitor its progress to ensure successful deployment. The deployment process includes creating Custom Engine Versions (CEVs) and RDS instances. To monitor deployment progress: 1. Open the CloudFormation console. 1. Choose your stack name. 1. Choose the **Events** tab to view progress and identify any errors. **Note** CEV creation typically requires 2-3 hours. After CEV creation completes successfully, Amazon RDS automatically begins creating the Amazon RDS instance. ## Post-Deployment After the stack creation process completes, perform the following post-deployment verification and configuration steps: 1. From the Amazon RDS console page, navigate to **Custom engine versions** to verify CEV creation. 1. Confirm Amazon RDS instances are created and available 1. Test connectivity to the Amazon RDS instances 1. Set up monitoring and backup strategies as needed ## Cleanup To remove all resources, run the following AWS CLI command: ``` aws cloudformation delete-stack --stack-name rds-custom-oracle ``` ## Troubleshooting If you encounter issues during deployment, use the following solutions to resolve common problems. CEV creation fails + Verify all required patches are uploaded to Amazon S3 + Check IAM permissions + Verify the patch versions are correct; see the [Prerequisites](#custom-oracle-prerequisites) for the list of required patches. Amazon RDS instance creation fails + Check VPC/subnet configurations + Verify security group rules + Confirm CEV is available # Working with Oracle replicas for RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can create Oracle replicas for RDS Custom for Oracle DB instances that run Oracle Enterprise Edition. Both container databases (CDBs) and non-CDBs are supported. Standard Edition 2 doesn't support Oracle Data Guard. Creating an RDS Custom for Oracle replica is similar to creating an RDS for Oracle replica, but with important differences. For general information about creating and managing Oracle replicas, see [Working with DB instance read replicas](USER_ReadRepl.md) and [Working with read replicas for Amazon RDS for Oracle](oracle-read-replicas.md). **Topics** + [ ## Overview of RDS Custom for Oracle replication ](#custom-rr.overview) + [ # Guidelines and limitations for RDS Custom for Oracle replication ](custom-rr.reqs-limitations.md) + [ # Promoting an RDS Custom for Oracle replica to a standalone DB instance ](custom-rr.promoting.md) + [ # Configuring a VPN tunnel between RDS Custom for Oracle primary and replica instances ](cfo-standby-vpn-tunnel.md) ## Overview of RDS Custom for Oracle replication The architecture of RDS Custom for Oracle replication is analogous to RDS for Oracle replication. A primary DB instance replicates asynchronously to one or more Oracle replicas. ![\[RDS Custom for Oracle supports Oracle replicas\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/images/read-replica-custom-oracle.png) ### Maximum number of replicas As with RDS for Oracle, you can create up to five managed Oracle replicas of your RDS Custom for Oracle primary DB instance. You can also create your own manually configured (external) Oracle replicas. External replicas don't count toward your DB instance limit. They also lie outside the RDS Custom support perimeter. For more information about the support perimeter, see [RDS Custom support perimeter](custom-concept.md#custom-troubleshooting.support-perimeter). ### Replica naming convention Oracle replica names are based on the database unique name. The format is `DB_UNIQUE_NAME_X`, with letters appended sequentially. For example, if your database unique name is `ORCL`, the first two replicas are named `ORCL_A` and `ORCL_B`. The first six letters, A–F, are reserved for RDS Custom. RDS Custom copies database parameters from your primary DB instance to the replicas. For more information, see [DB\$1UNIQUE\$1NAME](https://docs.oracle.com/database/121/REFRN/GUID-3547C937-5DDA-49FF-A9F9-14FF306545D8.htm#REFRN10242) in the Oracle documentation. ### Replica backup retention By default, RDS Custom Oracle replicas use the same backup retention period as your primary DB instance. You can modify the backup retention period to 1–35 days. RDS Custom supports backing up, restoring, and point-in-time recovery (PITR). For more information about backing up and restoring RDS Custom DB instances, see [Backing up and restoring an Amazon RDS Custom for Oracle DB instance](custom-backup.md). **Note** While creating a Oracle replica, RDS Custom temporarily pauses the cleanup of redo log files. In this way, RDS Custom ensures that it can apply these logs to the new Oracle replica after it becomes available. ### Replica promotion You can promote managed Oracle replicas in RDS Custom for Oracle using the console, `promote-read-replica` AWS CLI command, or `PromoteReadReplica` API. If you delete your primary DB instance, and all replicas are healthy, RDS Custom for Oracle promotes your managed replicas to standalone instances automatically. If a replica has paused automation or is outside the support perimeter, you must fix the replica before RDS Custom can promote it automatically. You can only promote external Oracle replicas manually. # Guidelines and limitations for RDS Custom for Oracle replication **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). When you create RDS Custom for Oracle replicas, not all RDS Oracle replica options are supported. **Topics** + [ ## General guidelines for RDS Custom for Oracle replication ](#custom-rr.guidelines) + [ ## General limitations for RDS Custom for Oracle replication ](#custom-rr.limitations) + [ ## Networking requirements and limitations for RDS Custom for Oracle replication ](#custom-rr.network) + [ ## External replica limitations for RDS Custom for Oracle ](#custom-rr.external-replica-reqs) ## General guidelines for RDS Custom for Oracle replication When working with RDS Custom for Oracle, follow these guidelines: + You can use RDS Custom for Oracle replication only in Oracle Enterprise Edition. Standard Edition 2 isn't supported. + We strongly recommend that you implement a VPN tunnel to encrypt communication between your primary and standby instances. For more information, see [Configuring a VPN tunnel between RDS Custom for Oracle primary and replica instances](cfo-standby-vpn-tunnel.md). + Don't modify the `RDS_DATAGUARD` user. This user is reserved for RDS Custom for Oracle automation. Modifying this user can result in undesired outcomes, such as an inability to create Oracle replicas for your RDS Custom for Oracle DB instance. + Don't change the replication user password. It is required to administer the Oracle Data Guard configuration on the RDS Custom host. If you change the password, RDS Custom for Oracle might put your Oracle replica outside the support perimeter. For more information, see [RDS Custom support perimeter](custom-concept.md#custom-troubleshooting.support-perimeter). The password is stored in AWS Secrets Manager, tagged with the DB resource ID. Each Oracle replica has its own secret in Secrets Manager. The secret uses either of the following naming formats. ``` do-not-delete-rds-custom-db-DB_resource_id-uuid-dg rds-custom!oracle-do-not-delete-DB_resource_id-uuid-dg ``` + Don't change the `DB_UNIQUE_NAME` for the primary DB instance. Changing the name causes any restore operation to become stuck. + Don't specify the clause `STANDBYS=NONE` in a `CREATE PLUGGABLE DATABASE` command in an RDS Custom CDB. This way, if a failover occurs, your standby CDB contains all PDBs. ## General limitations for RDS Custom for Oracle replication RDS Custom for Oracle replicas have the following limitations: + You can't create RDS Custom for Oracle replicas in read-only mode. However, you can manually change the mode of mounted replicas to read-only, and from read-only to mounted. For more information, see the documentation for the [create-db-instance-read-replica](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance-read-replica.html) AWS CLI command. + You can't create cross-Region RDS Custom for Oracle replicas. + You can't change the value of the Oracle Data Guard `CommunicationTimeout` parameter. This parameter is set to 15 seconds for RDS Custom for Oracle DB instances. ## Networking requirements and limitations for RDS Custom for Oracle replication Make sure that your network configuration supports RDS Custom for Oracle replicas. Consider the following: + Make sure to enable port 1140 for both inbound and outbound communication within your virtual private cloud (VPC) for the primary DB instance and all of its replicas. This is required for Oracle Data Guard communication between read replicas. + RDS Custom for Oracle validates the network while creating a Oracle replica. If the primary DB instance and the new replica can't connect over the network, RDS Custom for Oracle doesn't create the replica and places it in the `INCOMPATIBLE_NETWORK` state. + For external Oracle replicas, such as those you create on Amazon EC2 or on-premises, use another port and listener for Oracle Data Guard replication. Trying to use port 1140 could cause conflicts with RDS Custom automation. + The `/rdsdbdata/config/tnsnames.ora` file contains network service names mapped to listener protocol addresses. Note the following requirements and recommendations: + Entries in `tnsnames.ora` prefixed with `rds_custom_` are reserved for RDS Custom when handling Oracle replica operations. When creating manual entries in `tnsnames.ora`, don't use this prefix. + In some cases, you might want to switch over or fail over manually, or use failover technologies such as Fast-Start Failover (FSFO). If so, make sure to manually synchronize `tnsnames.ora` entries from the primary DB instance to all of the standby instances. This recommendation applies to both Oracle replicas managed by RDS Custom and to external Oracle replicas. RDS Custom automation updates `tnsnames.ora` entries on only the primary DB instance. Make sure also to synchronize when you add or remove a Oracle replica. If you don't synchronize the `tnsnames.ora` files and switch over or fail over manually, Oracle Data Guard on the primary DB instance might not be able to communicate with the Oracle replicas. ## External replica limitations for RDS Custom for Oracle RDS Custom for Oracle external replicas, which include on-premises replicas, have the following limitations: + RDS Custom for Oracle doesn't detect instance role changes upon manual failover, such as FSFO, for external Oracle replicas. RDS Custom for Oracle does detect changes for managed replicas. The role change is noted in the event log. You can also see the new state by using the [describe-db-instances](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html) AWS CLI command. + RDS Custom for Oracle doesn't detect high replication lag for external Oracle replicas. RDS Custom for Oracle does detect lag for managed replicas. High replication lag produces the `Replication has stopped` event. You can also see the replication status by using the [describe-db-instances](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html) AWS CLI command, but there might be a delay for it to be updated. + RDS Custom for Oracle doesn't promote external Oracle replicas automatically if you delete your primary DB instance. The automatic promotion feature is available only for managed Oracle replicas. For information about promoting Oracle replicas manually, see the white paper [Enabling high availability with Data Guard on Amazon RDS Custom for Oracle](https://d1.awsstatic.com/whitepapers/enabling-high-availability-with-data-guard-on-amazon-rds-custom-for-oracle.pdf). # Promoting an RDS Custom for Oracle replica to a standalone DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Just as with RDS for Oracle, you can promote an RDS Custom for Oracle replica to a standalone DB instance. When you promote a Oracle replica, RDS Custom for Oracle reboots the DB instance before it becomes available. For more information about promoting Oracle replicas, see [Promoting a read replica to be a standalone DB instance](USER_ReadRepl.Promote.md). When promoting a replica, note the following guidelines: + Don't initiate a failover while RDS Custom for Oracle is promoting your replica. Otherwise, the promotion workflow could become stuck. + Don't switch over your primary DB instance while RDS Custom for Oracle is promoting your Oracle replica. Otherwise, the promotion workflow could become stuck. + Don't shut down your primary DB instance while RDS Custom for Oracle is promoting your Oracle replica. Otherwise, the promotion workflow could become stuck. + Don't try to restart replication with your newly promoted DB instance as a target. After RDS Custom for Oracle promotes your Oracle replica, it becomes a standalone DB instance and no longer has the replica role. Note the following limitations for RDS Custom for Oracle replica promotion: + You can't promote a replica while RDS Custom for Oracle is backing it up. + You can't change the backup retention period to `0` when you promote your Oracle replica. + You can't promote your replica when it isn't in a healthy state. If you issue `delete-db-instance` on the primary DB instance, RDS Custom for Oracle validates that each managed Oracle replica is healthy and available for promotion. A replica might be ineligible for promotion because automation is paused or it is outside the support perimeter. In such cases, RDS Custom for Oracle publishes an event explaining the issue so that you can repair your Oracle replica manually. The following steps show the general process for promoting a Oracle replica to a DB instance: 1. Stop any transactions from being written to the primary DB instance. 1. Wait for RDS Custom for Oracle to apply all updates to your Oracle replica. 1. Promote your Oracle replica by choosing the **Promote** option on the Amazon RDS console, the AWS CLI command [https://docs.aws.amazon.com/cli/latest/reference/rds/promote-read-replica.html](https://docs.aws.amazon.com/cli/latest/reference/rds/promote-read-replica.html), or the [https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_PromoteReadReplica.html](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_PromoteReadReplica.html) Amazon RDS API operation. Promoting a Oracle replica takes a few minutes to complete. During the process, RDS Custom for Oracle stops replication and reboots your replica. When the reboot completes, the Oracle replica is available as a standalone DB instance. For information about troubleshooting replica promotion, see [Troubleshooting replica promotion for RDS Custom for Oracle](custom-troubleshooting.md#custom-troubleshooting-promote). ## Console **To promote an RDS Custom for Oracle replica to a standalone DB instance** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the Amazon RDS console, choose **Databases**. The **Databases** pane appears. Each Oracle replica shows **Replica** in the **Role** column. 1. Choose the RDS Custom for Oracle replica that you want to promote. 1. For **Actions**, choose **Promote**. 1. On the **Promote Oracle replica** page, enter the backup retention period and the backup window for the newly promoted DB instance. You can't set this value to **0**. 1. When the settings are as you want them, choose **Promote Oracle replica**. ## AWS CLI To promote your RDS Custom for Oracle replica to a standalone DB instance, use the AWS CLI [https://docs.aws.amazon.com/cli/latest/reference/rds/promote-read-replica.html](https://docs.aws.amazon.com/cli/latest/reference/rds/promote-read-replica.html) command. **Example** For Linux, macOS, or Unix: ``` aws rds promote-read-replica \ --db-instance-identifier my-custom-read-replica \ --backup-retention-period 2 \ --preferred-backup-window 23:00-24:00 ``` For Windows: ``` aws rds promote-read-replica ^ --db-instance-identifier my-custom-read-replica ^ --backup-retention-period 2 ^ --preferred-backup-window 23:00-24:00 ``` ## RDS API To promote your RDS Custom for Oracle replica to be a standalone DB instance, call the Amazon RDS API [https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_PromoteReadReplica.html](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_PromoteReadReplica.html) operation with the required parameter `DBInstanceIdentifier`. # Configuring a VPN tunnel between RDS Custom for Oracle primary and replica instances **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). A VPN tunnel is an encrypted connection between two or more devices over a network. To ensure the highest level of security for your Oracle Data Guard instances in RDS Custom for Oracle, we strongly recommend that you implement a VPN tunnel to encrypt communication between your primary and standby instances. The tunnel serves as a safeguard for sensitive data as it travels the network between instances. While this configuration is optional, we recommend it as a best practice to achieve data security and regulatory compliance. Make sure you meet the following prerequisites: + You have root access to the primary and standby hosts. + You have the technical expertise to run the `ipsec` command. **To configure a VPN tunnel between a primary and replica in RDS Custom for Oracle** 1. Add the security groups for both the primary instance and standby instance to the allow list using the following rules: ``` ACTION FLOW SOURCE PROTO PORT ALLOW ingress this-SG 50 (ESP) all (N/A) ALLOW egress this-SG 50 (ESP) all (N/A) ALLOW ingress this-SG 17 (UDP) 500 (IKE) ALLOW egress this-SG 17 (UDP) 500 (IKE) ``` 1. Switch to the root user. ``` $ sudo su – root ``` 1. Run the following commands on both the primary instance and the standby instance to initialize the Network Security Services (NSS) database under the user `root`. ``` ipsec initnss --nssdir /etc/ipsec.d ``` 1. Generate RSA keys as follows: 1. On the primary instance, generate the keys using either of the following `ipsec` commands, depending on your OS version. ``` ipsec newhostkey --nssdir /etc/ipsec.d ## for Oracle Linux Version 8 ipsec newhostkey --output /etc/ipsec.secrets ## for Oracle Linux version 7.9 ``` 1. Obtain the public key, which you need to create the configuration. In the following example, the primary instance is `left` because in `ipsec` parlance, `left` refers to the device you are currently configuring, and `right` refers to the device at the other end of the tunnel. ``` ipsec showhostkey --left --ckaid ckaid-returned-in-last-statement ``` 1. On the standby instance, generate keys for the standby instance. ``` ipsec newhostkey --nssdir /etc/ipsec.d ## for Oracle Linux Version 8 ipsec newhostkey --output /etc/ipsec.secrets ## for Oracle Linux version 7.9 ``` 1. Obtain the public key for the standby instance, which you need to create the configuration. In the following example, the standby instance is `right` because it refers to the device at the other end of the tunnel. ``` ipsec showhostkey --right --ckaid ckaid-returned-in-last-statement ``` 1. Based on the RSA keys that you obtained, generate the configuration. The configuration is identical for both the primary instance and the standby instance. You can find the primary instance IPv4 address and standby instance IPv4 address in the AWS console. On both the primary instance and the standby instance, save the following configuration to the file `/etc/ipsec.d/custom-fb-tunnel.conf`. ``` conn custom-db-tunnel type=transport auto=add authby=rsasig left=IPV4-for-primary leftrsasigkey=RSA-key-generated-on-primary right=IPV4-for-standby rightrsasigkey=RSA-key-generated-on-standby ``` 1. On both the primary instance and the standby instance, start the `ipsec` daemon on both hosts. ``` ipsec setup start ``` 1. Start the tunnel on either the primary instance or the standby instance. The output should look similar to the following. ``` [root@ip-172-31-6-81 ~]# ipsec auto --up custom-db-tunnel 181 "custom-db-tunnel" #1: initiating IKEv2 connection 181 "custom-db-tunnel" #1: sent IKE_SA_INIT request to 172.31.32.196:500 182 "custom-db-tunnel" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19} 003 "custom-db-tunnel" #1: initiator established IKE SA; authenticated peer '3584-bit PKCS#1 1.5 RSA with SHA1' signature using preloaded certificate '172.31.32.196' 004 "custom-db-tunnel" #2: initiator established Child SA using #1; IPsec transport [172.31.6.81-172.31.6.81:0-65535 0] -> [172.31.32.196-172.31.32.196:0-65535 0] {ESP/ESN=>0xda9c4815 <0xb742ca42 xfrm=AES_GCM_16_256-NONE DPD=passive} [root@ip-172-31-6-81 ~]# ``` # Backing up and restoring an Amazon RDS Custom for Oracle DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Like Amazon RDS, RDS Custom creates and saves automated backups of your RDS Custom for Oracle DB instance during the backup window of your DB instance. You can also back up your DB instance manually. The procedure is identical to taking a snapshot of an Amazon RDS DB instance. The first snapshot of an RDS Custom DB instance contains the data for the full DB instance. Subsequent snapshots are incremental. Restore DB snapshots using either the AWS Management Console or the AWS CLI. **Topics** + [ # Creating an RDS Custom for Oracle snapshot ](custom-backup.creating.md) + [ # Restoring from an RDS Custom for Oracle DB snapshot ](custom-backup.restoring.md) + [ # Restoring an RDS Custom for Oracle instance to a point in time ](custom-backup.pitr.md) + [ # Deleting an RDS Custom for Oracle snapshot ](custom-backup.deleting.md) + [ # Deleting RDS Custom for Oracle automated backups ](custom-backup.deleting-backups.md) # Creating an RDS Custom for Oracle snapshot **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). RDS Custom for Oracle creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. When your DB instance contains a container database (CDB), the snapshot of the instance includes the root CDB and all PDBs. When you create an RDS Custom for Oracle snapshot, specify which RDS Custom DB instance to back up. Give your snapshot a name so you can restore from it later. When you create a snapshot, RDS Custom for Oracle creates an Amazon EBS snapshot for every volume attached to the DB instance. RDS Custom for Oracle uses the EBS snapshot of the root volume to register a new Amazon Machine Image (AMI). To make snapshots easy to associate with a specific DB instance, they're tagged with `DBSnapshotIdentifier`, `DbiResourceId`, and `VolumeType`. Creating a DB snapshot results in a brief I/O suspension. This suspension can last from a few seconds to a few minutes, depending on the size and class of your DB instance. The snapshot creation time varies with the size of your database. Because the snapshot includes the entire storage volume, the size of files, such as temporary files, also affects snapshot creation time. To learn more about creating snapshots, see [Creating a DB snapshot for a Single-AZ DB instance for Amazon RDS](USER_CreateSnapshot.md). Create an RDS Custom for Oracle snapshot using the console or the AWS CLI. ## Console **To create an RDS Custom snapshot** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**. 1. In the list of RDS Custom DB instances, choose the instance for which you want to take a snapshot. 1. For **Actions**, choose **Take snapshot**. The **Take DB snapshot** window appears. 1. For **Snapshot name**, enter the name of the snapshot. 1. Choose **Take snapshot**. ## AWS CLI You create a snapshot of an RDS Custom DB instance by using the [create-db-snapshot](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-snapshot.html) AWS CLI command. Specify the following options: + `--db-instance-identifier` – Identifies which RDS Custom DB instance you are going to back up + `--db-snapshot-identifier` – Names your RDS Custom snapshot so you can restore from it later In this example, you create a DB snapshot called *`my-custom-snapshot`* for an RDS Custom DB instance called `my-custom-instance`. **Example** For Linux, macOS, or Unix: ``` 1. aws rds create-db-snapshot \ 2. --db-instance-identifier my-custom-instance \ 3. --db-snapshot-identifier my-custom-snapshot ``` For Windows: ``` 1. aws rds create-db-snapshot ^ 2. --db-instance-identifier my-custom-instance ^ 3. --db-snapshot-identifier my-custom-snapshot ``` # Restoring from an RDS Custom for Oracle DB snapshot **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). When you restore an RDS Custom for Oracle DB instance, you provide the name of the DB snapshot and a name for the new instance. You can't restore from a snapshot to an existing RDS Custom DB instance. A new RDS Custom for Oracle DB instance is created when you restore. The restore process differs in the following ways from restore in Amazon RDS: + Before restoring a snapshot, RDS Custom for Oracle backs up existing configuration files. These files are available on the restored instance in the directory `/rdsdbdata/config/backup`. RDS Custom for Oracle restores the DB snapshot with default parameters and overwrites the previous database configuration files with existing ones. Thus, the restored instance doesn't preserve custom parameters and changes to database configuration files. + The restored database has the same name as in the snapshot. You can't specify a different name. (For RDS Custom for Oracle, the default is `ORCL`.) ## Console **To restore an RDS Custom DB instance from a DB snapshot** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Snapshots**. 1. Choose the DB snapshot that you want to restore from. 1. For **Actions**, choose **Restore snapshot**. 1. On the **Restore DB instance** page, for **DB instance identifier**, enter the name for your restored RDS Custom DB instance. 1. Choose **Restore DB instance**. ## AWS CLI You restore an RDS Custom DB snapshot by using the [ restore-db-instance-from-db-snapshot](https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-instance-from-db-snapshot.html) AWS CLI command. If the snapshot you are restoring from is for a private DB instance, make sure to specify both the correct `db-subnet-group-name` and `no-publicly-accessible`. Otherwise, the DB instance defaults to publicly accessible. The following options are required: + `db-snapshot-identifier` – Identifies the snapshot from which to restore + `db-instance-identifier` – Specifies the name of the RDS Custom DB instance to create from the DB snapshot + `custom-iam-instance-profile` – Specifies the instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance. The following code restores the snapshot named `my-custom-snapshot` for `my-custom-instance`. **Example** For Linux, macOS, or Unix: ``` aws rds restore-db-instance-from-db-snapshot \ --db-snapshot-identifier my-custom-snapshot \ --db-instance-identifier my-custom-instance \ --custom-iam-instance-profile AWSRDSCustomInstanceProfileForRdsCustomInstance \ --no-publicly-accessible ``` For Windows: ``` aws rds restore-db-instance-from-db-snapshot ^ --db-snapshot-identifier my-custom-snapshot ^ --db-instance-identifier my-custom-instance ^ --custom-iam-instance-profile AWSRDSCustomInstanceProfileForRdsCustomInstance ^ --no-publicly-accessible ``` # Restoring an RDS Custom for Oracle instance to a point in time **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can restore a DB instance to a specific point in time (PITR), creating a new DB instance. To support PITR, your DB instances must have backup retention set to a nonzero value. The latest restorable time for an RDS Custom for Oracle DB instance depends on several factors, but is typically within 5 minutes of the current time. To see the latest restorable time for a DB instance, use the AWS CLI [describe-db-instances](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html) command and look at the value returned in the `LatestRestorableTime` field for the DB instance. To see the latest restorable time for each DB instance in the Amazon RDS console, choose **Automated backups**. You can restore to any point in time within your backup retention period. To see the earliest restorable time for each DB instance, choose **Automated backups** in the Amazon RDS console. For general information about PITR, see [Restoring a DB instance to a specified time for Amazon RDS](USER_PIT.md). **Topics** + [ ## PITR considerations for RDS Custom for Oracle ](#custom-backup.pitr.oracle) ## PITR considerations for RDS Custom for Oracle In RDS Custom for Oracle, PITR differs in the following important ways from PITR in Amazon RDS: + The restored database has the same name as in the source DB instance. You can't specify a different name. The default is `ORCL`. + `AWSRDSCustomIamRolePolicy` requires new permissions. For more information, see [Step 2: Add an access policy to AWSRDSCustomInstanceRoleForRdsCustomInstance](custom-setup-orcl.md#custom-setup-orcl.iam.add-policy). + All RDS Custom for Oracle DB instances must have backup retention set to a nonzero value. + If you change the operating system or DB instance time zone, PITR might not work. For information about changing time zones, see [Oracle time zone](custom-managing.timezone.md). + If you set automation to `ALL_PAUSED`, RDS Custom pauses the upload of archived redo log files, including logs created before the latest restorable time (LRT). We recommend that you pause automation for a brief period. To illustrate, assume that your LRT is 10 minutes ago. You pause automation. During the pause, RDS Custom doesn't upload archived redo logs. If your DB instance crashes, you can only recover to a time before the LRT that existed when you paused. When you resume automation, RDS Custom resumes uploading logs. The LRT advances. Normal PITR rules apply. + In RDS Custom, you can manually specify an arbitrary number of hours to retain archived redo logs before RDS Custom deletes them after upload. Specify the number of hours as follows: 1. Create a text file named `/opt/aws/rdscustomagent/config/redo_logs_custom_configuration.json`. 1. Add a JSON object in the following format: `{"archivedLogRetentionHours" : "num_of_hours"}`. The number must be an integer in the range 1–840. + Assume that you plug a non-CDB into a container database (CDB) as a PDB and then attempt PITR. The operation succeeds only if you previously backed up the PDB. After you create or modify a PDB, we recommend that you always back it up. + We recommend that you don't customize database initialization parameters. For example, modifying the following parameters affects PITR: + `CONTROL_FILE_RECORD_KEEP_TIME` affects the rules for uploading and deleting logs. + `LOG_ARCHIVE_DEST_n` doesn't support multiple destinations. + `ARCHIVE_LAG_TARGET` affects the latest restorable time. `ARCHIVE_LAG_TARGET` is set to `300` because the recovery point objective (RPO) is 5 minutes. To honor this objective, RDS switches the online redo log every 5 minutes and stores it in an Amazon S3 bucket. If the frequency of the log switch causes a performance issue for your RDS Custom for Oracle database, you can scale your DB instance and storage to one with higher IOPS and throughput. If necessary for your recovery plan, you can adjust the setting of the `ARCHIVE_LAG_TARGET` initialization parameter to a value from 60–7200. + If you customize database initialization parameters, we strongly recommend that you customize only the following: + `COMPATIBLE` + `MAX_STRING_SIZE` + `DB_FILES` + `UNDO_TABLESPACE` + `ENABLE_PLUGGABLE_DATABASE` + `CONTROL_FILES` + `AUDIT_TRAIL` + `AUDIT_TRAIL_DEST` For all other initialization parameters, RDS Custom restores the default values. If you modify a parameter that isn't in the preceding list, it might have an adverse effect on PITR and lead to unpredictable results. For example, `CONTROL_FILE_RECORD_KEEP_TIME` affects the rules for uploading and deleting logs. You can restore an RDS Custom DB instance to a point in time using the AWS Management Console, the AWS CLI, or the RDS API. ## Console **To restore an RDS Custom DB instance to a specified time** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Automated backups**. 1. Choose the RDS Custom DB instance that you want to restore. 1. For **Actions**, choose **Restore to point in time**. The **Restore to point in time** window appears. 1. Choose **Latest restorable time** to restore to the latest possible time, or choose **Custom** to choose a time. If you chose **Custom**, enter the date and time to which you want to restore the instance. Times are shown in your local time zone, which is indicated by an offset from Coordinated Universal Time (UTC). For example, UTC-5 is Eastern Standard Time/Central Daylight Time. 1. For **DB instance identifier**, enter the name of the target restored RDS Custom DB instance. The name must be unique. 1. Choose other options as needed, such as DB instance class. 1. Choose **Restore to point in time**. ## AWS CLI You restore a DB instance to a specified time by using the [ restore-db-instance-to-point-in-time](https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-instance-to-point-in-time.html) AWS CLI command to create a new RDS Custom DB instance. Use one of the following options to specify the backup to restore from: + `--source-db-instance-identifier mysourcedbinstance` + `--source-dbi-resource-id dbinstanceresourceID` + `--source-db-instance-automated-backups-arn backupARN` The `custom-iam-instance-profile` option is required. The following example restores `my-custom-db-instance` to a new DB instance named `my-restored-custom-db-instance`, as of the specified time. **Example** For Linux, macOS, or Unix: ``` 1. aws rds restore-db-instance-to-point-in-time \ 2. --source-db-instance-identifier my-custom-db-instance\ 3. --target-db-instance-identifier my-restored-custom-db-instance \ 4. --custom-iam-instance-profile AWSRDSCustomInstanceProfileForRdsCustomInstance \ 5. --restore-time 2022-10-14T23:45:00.000Z ``` For Windows: ``` 1. aws rds restore-db-instance-to-point-in-time ^ 2. --source-db-instance-identifier my-custom-db-instance ^ 3. --target-db-instance-identifier my-restored-custom-db-instance ^ 4. --custom-iam-instance-profile AWSRDSCustomInstanceProfileForRdsCustomInstance ^ 5. --restore-time 2022-10-14T23:45:00.000Z ``` # Deleting an RDS Custom for Oracle snapshot **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can delete DB snapshots managed by RDS Custom for Oracle when you no longer need them. The deletion procedure is the same for both Amazon RDS and RDS Custom DB instances. The Amazon EBS snapshots for the binary and root volumes remain in your account for a longer time because they might be linked to some instances running in your account or to other RDS Custom for Oracle snapshots. These EBS snapshots are automatically deleted after they're no longer related to any existing RDS Custom for Oracle resources (DB instances or backups). ## Console **To delete a snapshot of an RDS Custom DB instance** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Snapshots**. 1. Choose the DB snapshot that you want to delete. 1. For **Actions**, choose **Delete snapshot**. 1. Choose **Delete** on the confirmation page. ## AWS CLI To delete an RDS Custom snapshot, use the AWS CLI command [delete-db-snapshot](https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-snapshot.html). The following option is required: + `--db-snapshot-identifier` – The snapshot to be deleted The following example deletes the `my-custom-snapshot` DB snapshot. **Example** For Linux, macOS, or Unix: ``` 1. aws rds delete-db-snapshot \ 2. --db-snapshot-identifier my-custom-snapshot ``` For Windows: ``` 1. aws rds delete-db-snapshot ^ 2. --db-snapshot-identifier my-custom-snapshot ``` # Deleting RDS Custom for Oracle automated backups **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can delete retained automated backups for RDS Custom for Oracle when they are no longer needed. The procedure is the same as the procedure for deleting Amazon RDS backups. ## Console **To delete a retained automated backup** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Automated backups**. 1. Choose **Retained**. 1. Choose the retained automated backup that you want to delete. 1. For **Actions**, choose **Delete**. 1. On the confirmation page, enter **delete me** and choose **Delete**. ## AWS CLI You can delete a retained automated backup by using the AWS CLI command [delete-db-instance-automated-backup](https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-instance-automated-backup.html). The following option is used to delete a retained automated backup: + `--dbi-resource-id` – The resource identifier for the source RDS Custom DB instance. You can find the resource identifier for the source DB instance of a retained automated backup by using the AWS CLI command [describe-db-instance-automated-backups](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instance-automated-backups.html). The following example deletes the retained automated backup with source DB instance resource identifier `custom-db-123ABCEXAMPLE`. **Example** For Linux, macOS, or Unix: ``` 1. aws rds delete-db-instance-automated-backup \ 2. --dbi-resource-id custom-db-123ABCEXAMPLE ``` For Windows: ``` 1. aws rds delete-db-instance-automated-backup ^ 2. --dbi-resource-id custom-db-123ABCEXAMPLE ``` # Working with option groups in RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). RDS Custom uses option groups to enable and configure additional features. An *option group* specifies features, called options, that are available for an RDS Custom for Oracle DB instance. Options can have settings that specify how the option works. When you associate an RDS Custom for Oracle DB instance with an option group, the specified options and option settings are enabled for this instance. For general information about option groups in Amazon RDS, see [Working with option groups](USER_WorkingWithOptionGroups.md). **Topics** + [ ## Overview of option groups in RDS Custom for Oracle ](#custom-oracle-option-groups.overview) + [ # Oracle time zone ](custom-managing.timezone.md) ## Overview of option groups in RDS Custom for Oracle To enable options for your Oracle database, add them to an option group, and then associate the option group with your DB instance. For more information, see [Working with option groups](USER_WorkingWithOptionGroups.md). **Topics** + [ ### Summary of RDS Custom for Oracle options ](#custom-oracle-option-groups.summary) + [ ### Basic steps for adding an option to an RDS Custom for Oracle DB instance ](#custom-oracle-timezone.overview.steps) + [ ### Creating an option group for in RDS Custom for Oracle ](#custom-oracle-timezone.creating) + [ ### Associating an option group with an RDS Custom for Oracle DB instance ](#custom-oracle-timezone.associating) ### Summary of RDS Custom for Oracle options RDS Custom for Oracle supports the following options for a DB instance. **** | Option | Option ID | Description | | --- | --- | --- | | Oracle time zone | `Timezone` | The time zone used by your RDS Custom for Oracle DB instance. | ### Basic steps for adding an option to an RDS Custom for Oracle DB instance The general procedure for adding an option to your RDS Custom for Oracle DB instance is the following: 1. Create a new option group, or copy or modify an existing option group. 1. Add the option to the option group. 1. Associate the option group with your DB instance when you create or modify it. ### Creating an option group for in RDS Custom for Oracle You can create a new option group that derives its settings from the default option group. You then add one or more options to the new option group. Or, if you already have an existing option group, you can copy that option group with all of its options to a new option group. To learn how to copy an option group, see [Copying an option group](USER_WorkingWithOptionGroups.md#USER_WorkingWithOptionGroups.Copy). The default option groups for RDS Custom for Oracle are the following: + `default:custom-oracle-ee` + `default:custom-oracle-se2` + `default:custom-oracle-ee-cdb` + `default:custom-oracle-se2-cdb` When you create an option group, the settings are derived from the default option group. After you have added the `TIME_ZONE` option, you can then associate the option group with your DB instance. #### Console One way of creating an option group is by using the AWS Management Console. **To create a new option group by using the console** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Option groups**. 1. Choose **Create group**. 1. In the **Create option group** window, do the following: 1. For **Name**, type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens. 1. For **Description**, type a brief description of the option group. The description is used for display purposes. 1. For **Engine**, choose any of the following RDS Custom for Oracle DB engines: + **custom-oracle-ee** + **custom-oracle-se2** + **custom-oracle-ee-cdb** + **custom-oracle-se2-cdb** 1. For **Major engine version**, choose a major engine version supported by RDS Custom for Oracle. For more information, see [Supported Regions and DB engines for RDS Custom for Oracle](Concepts.RDS_Fea_Regions_DB-eng.Feature.RDSCustom.md#Concepts.RDS_Fea_Regions_DB-eng.Feature.RDSCustom.ora). 1. To continue, choose **Create**. To cancel the operation instead, choose **Cancel**. #### AWS CLI To create an option group, use the AWS CLI [https://docs.aws.amazon.com/cli/latest/reference/rds/create-option-group.html](https://docs.aws.amazon.com/cli/latest/reference/rds/create-option-group.html) command with the following required parameters. + `--option-group-name` + `--engine-name` + `--major-engine-version` + `--option-group-description` **Example** The following example creates an option group named `testoptiongroup`, which is associated with the Oracle Enterprise Edition DB engine. The description is enclosed in quotation marks. For Linux, macOS, or Unix: ``` aws rds create-option-group \ --option-group-name testoptiongroup \ --engine-name custom-oracle-ee-cdb \ --major-engine-version 19 \ --option-group-description "Test option group for a Custom Oracle CDB" ``` For Windows: ``` aws rds create-option-group ^ --option-group-name testoptiongroup ^ --engine-name custom-oracle-ee-cdb ^ --major-engine-version 19 ^ --option-group-description "Test option group for a Custom Oracle CDB" ``` #### RDS API To create an option group, call the Amazon RDS API [https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateOptionGroup.html](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateOptionGroup.html) operation. ### Associating an option group with an RDS Custom for Oracle DB instance You can associate your option group with a new or existing DB instance: + For a new DB instance, apply the option group when you create the instance. For more information, see [Creating an RDS Custom for Oracle DB instance](custom-creating.md#custom-creating.create). + For an existing DB instance, apply the option group by modifying the instance and attaching the new option group. For more information, see [Modifying your RDS Custom for Oracle DB instance](custom-managing.modifying.md). # Oracle time zone **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). To change the system time zone used by your RDS Custom for Oracle DB instance, use the time zone option. For example, you might change the time zone of a DB instance to be compatible with an on-premises environment, or a legacy application. The time zone option changes the time zone at the host level. Changing the time zone impacts all date columns and values, including `SYSDATE` and `SYSTIMESTAMP`. **Topics** + [ ## Time zone option settings in RDS Custom for Oracle ](#custom-oracle-timezone.Options) + [ ## Available time zones in RDS Custom for Oracle ](#custom-oracle-timezone.Zones) + [ ## Considerations for setting the time zone in RDS Custom for Oracle ](#custom-oracle-timezone.PreReqs) + [ ## Limitations for the time zone setting in RDS Custom for Oracle ](#custom-oracle-timezone.overview.limitations) + [ ## Adding the time zone option to an option group ](#custom-oracle-timezone.Add) + [ ## Removing the time zone option ](#custom-oracle-timezone.remove) ## Time zone option settings in RDS Custom for Oracle Amazon RDS supports the following settings for the time zone option. **** | Option setting | Valid values | Description | | --- | --- | --- | | `TIME_ZONE` | One of the available time zones. For the full list, see [Available time zones in RDS Custom for Oracle](#custom-oracle-timezone.Zones). | The new time zone for your DB instance. | ## Available time zones in RDS Custom for Oracle You can use the following values for the time zone option. **** | Zone | Time zone | | --- | --- | | Africa | Africa/Cairo, Africa/Casablanca, Africa/Harare, Africa/Lagos, Africa/Luanda, Africa/Monrovia, Africa/Nairobi, Africa/Tripoli, Africa/Windhoek | | America | America/Araguaina, America/Argentina/Buenos\$1Aires, America/Asuncion, America/Bogota, America/Caracas, America/Chicago, America/Chihuahua, America/Cuiaba, America/Denver, America/Detroit, America/Fortaleza, America/Godthab, America/Guatemala, America/Halifax, America/Lima, America/Los\$1Angeles, America/Manaus, America/Matamoros, America/Mexico\$1City, America/Monterrey, America/Montevideo, America/New\$1York, America/Phoenix, America/Santiago, America/Sao\$1Paulo, America/Tijuana, America/Toronto | | Asia | Asia/Amman, Asia/Ashgabat, Asia/Baghdad, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Calcutta, Asia/Damascus, Asia/Dhaka, Asia/Hong\$1Kong, Asia/Irkutsk, Asia/Jakarta, Asia/Jerusalem, Asia/Kabul, Asia/Karachi, Asia/Kathmandu, Asia/Kolkata, Asia/Krasnoyarsk, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Novosibirsk, Asia/Rangoon, Asia/Riyadh, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tehran, Asia/Tokyo, Asia/Ulaanbaatar, Asia/Vladivostok, Asia/Yakutsk, Asia/Yerevan | | Atlantic | Atlantic/Azores, Atlantic/Cape\$1Verde | | Australia | Australia/Adelaide, Australia/Brisbane, Australia/Darwin, Australia/Eucla, Australia/Hobart, Australia/Lord\$1Howe, Australia/Perth, Australia/Sydney | | Brazil | Brazil/DeNoronha, Brazil/East | | Canada | Canada/Newfoundland, Canada/Saskatchewan | | Etc | Etc/GMT-3 | | Europe | Europe/Amsterdam, Europe/Athens, Europe/Berlin, Europe/Dublin, Europe/Helsinki, Europe/Kaliningrad, Europe/London, Europe/Madrid, Europe/Moscow, Europe/Paris, Europe/Prague, Europe/Rome, Europe/Sarajevo | | Pacific | Pacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Fiji, Pacific/Guam, Pacific/Honolulu, Pacific/Kiritimati, Pacific/Marquesas, Pacific/Samoa, Pacific/Tongatapu, Pacific/Wake | | US | US/Alaska, US/Central, US/East-Indiana, US/Eastern, US/Pacific | | UTC | UTC | ## Considerations for setting the time zone in RDS Custom for Oracle If you choose to set the time zone for your DB instance, consider the following: + When you add the time zone option, a brief outage occurs while your DB instance is automatically restarted. + If you accidentally set the time zone incorrectly, you must recover your DB instance to its previous time zone setting. For this reason, we strongly suggest that you to use one of the following strategies before you add the time zone option to your instance: + If your RDS Custom for Oracle DB instance uses the default option group, take a snapshot of your DB instance. For more information, see [Creating an RDS Custom for Oracle snapshot](custom-backup.creating.md). + If your DB instance currently uses a nondefault option group, take a snapshot of your DB instance, and then create a new option group with the time zone option. + We strongly recommend that you back up your DB instance manually after applying the `Timezone` option. + We strongly recommend that you to test the time zone option on a test DB instance before you add it to a production DB instance. Adding the time zone option can cause problems with tables that use system date to add dates or times. We recommend that you analyze your data and applications to assess the impact of changing the time zone. ## Limitations for the time zone setting in RDS Custom for Oracle Note the following limitations: + You can't change your timezone directly on your host without moving it outside the support perimeter. To change your database timezone, you must create an option group. + Because the time zone option is a persistent option (but not a permanent option), you can't do the following: + Remove the option from an option group after you add the option. + Modify the time zone setting of the option to a different time zone. + You can't associate multiple option groups with your RDS Custom for Oracle DB instance. + You can't set the time zone for individual PDBs within a CDB. ## Adding the time zone option to an option group The default option groups for RDS Custom for Oracle are the following: + `default:custom-oracle-ee` + `default:custom-oracle-se2` + `default:custom-oracle-ee-cdb` + `default:custom-oracle-se2-cdb` When you create an option group, the settings are derived from the default option group. For general information about option groups in Amazon RDS, see [Working with option groups](USER_WorkingWithOptionGroups.md). ### Console **To add the time zone option to an option group** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Option groups**. 1. Choose the option group that you want to modify, and then choose **Add option**. 1. In the **Add option** window, do the following: 1. Choose **Timezone**. 1. In **Option settings**, choose a time zone. 1. To enable the option on all associated RDS Custom for Oracle DB instances as soon as you add it, for **Apply Immediately**, choose **Yes**. If you choose **No** (the default), the option is enabled for each associated DB instances during its next maintenance window. 1. **Important** If you add the time zone option to an existing option group that is already attached to one or more DB instances, a brief outage occurs while all the DB instances are automatically restarted. 1. When the settings are as you want them, choose **Add option**. 1. Back up the RDS Custom for Oracle DB instances whose time zones were updated. For more information, see [Creating an RDS Custom for Oracle snapshot](custom-backup.creating.md). ### AWS CLI The following example uses the AWS CLI [add-option-to-option-group](https://docs.aws.amazon.com/cli/latest/reference/rds/add-option-to-option-group.html) command to add the `Timezone` option and the `TIME_ZONE` option setting to an option group called `testoptiongroup`. The time zone is set to `America/Los_Angeles`. For Linux, macOS, or Unix: ``` aws rds add-option-to-option-group \ --option-group-name "testoptiongroup" \ --options "OptionName=Timezone,OptionSettings=[{Name=TIME_ZONE,Value=America/Los_Angeles}]" \ --apply-immediately ``` For Windows: ``` aws rds add-option-to-option-group ^ --option-group-name "testoptiongroup" ^ --options "OptionName=Timezone,OptionSettings=[{Name=TIME_ZONE,Value=America/Los_Angeles}]" ^ --apply-immediately ``` ## Removing the time zone option The time zone option is a persistent option, but not a permanent option. You can't remove the option from an option group after you add it. To disassociate the old option group from your DB instance: 1. Create a new option group with an updated `Timezone` option. 1. Associate the new option group with your DB instance when you modify the instance. # Migrating an on-premises database to RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). Before you migrate an on-premises Oracle database to RDS Custom for Oracle, consider the following factors: + The amount of downtime the application can afford + The size of the source database + Network connectivity + A requirement for a fallback plan + The source and target Oracle database version and DB instance OS types + Available replication tools, such as AWS Database Migration Service, Oracle GoldenGate, or third-party replication tools Based on these factors, you can choose physical migration, logical migration, or a combination. If you choose physical migration, you can use the following techniques: RMAN duplication Active database duplication doesn’t require a backup of your source database. It duplicates the live source database to the destination host by copying database files over the network to the auxiliary instance. The RMAN `DUPLICATE` command copies the required files as image copies or backup sets. To learn this technique, see the AWS blog post [Physical migration of Oracle databases to Amazon RDS Custom using RMAN duplication](https://aws.amazon.com/blogs/database/physical-migration-of-oracle-databases-to-amazon-rds-custom-using-rman-duplication/). Oracle Data Guard In this technique, you back up a primary on-premises database and copy the backups to an Amazon S3 bucket. You then copy the backups to your RDS Custom for Oracle standby DB instance. After performing the necessary configuration, you manually switch over your primary database to your RDS Custom for Oracle standby database. To learn this technique, see the AWS blog post [Physical migration of Oracle databases to Amazon RDS Custom using Data Guard](https://aws.amazon.com/blogs/database/physical-migration-of-oracle-databases-to-amazon-rds-custom-using-data-guard/). For general information about logically importing data into RDS for Oracle, see [Importing data into Oracle on Amazon RDS](Oracle.Procedural.Importing.md). # Upgrading a DB instance for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can upgrade an Amazon RDS Custom DB instance by modifying it to use a new custom engine version (CEV). For general information about upgrades, see [Upgrading a DB instance engine version](USER_UpgradeDBInstance.Upgrading.md). **Topics** + [ ## Overview of upgrades in RDS Custom for Oracle ](#custom-upgrading.overview) + [ ## Requirements for RDS Custom for Oracle upgrades ](#custom-upgrading-reqs) + [ # Considerations for RDS Custom for Oracle database upgrades ](custom-upgrading-considerations.md) + [ # Considerations for RDS Custom for Oracle OS upgrades ](custom-upgrading-considerations-os.md) + [ # Viewing valid CEV upgrade targets for RDS Custom for Oracle DB instances ](custom-upgrading-target.md) + [ # Upgrading an RDS Custom for Oracle DB instance ](custom-upgrading-modify.md) + [ # Viewing pending database upgrades for RDS Custom DB instances ](custom-upgrading-pending.md) + [ # Troubleshooting an upgrade failure for an RDS Custom for Oracle DB instance ](custom-upgrading-failure.md) ## Overview of upgrades in RDS Custom for Oracle With RDS Custom for Oracle, you can patch either your Oracle database or your DB instance operating system (OS) by creating new CEVs and then modifying your instance to use the new CEV. **Topics** + [ ### CEV upgrade options ](#custom-upgrading.overview.cev-options) + [ ### Patching without CEVs ](#custom-upgrading.overview.no-cevs) + [ ### General steps for patching your DB instance with a CEV ](#custom-upgrading.overview.general-steps) ### CEV upgrade options When you create a CEV for an upgrade, you have the following mutually exclusive options: **Database only** Reuse the Amazon Machine Image (AMI) currently in use by your DB instance, but specify different database binaries. RDS Custom allocates a new binary volume and then attaches it to the existing Amazon EC2 instance. RDS Custom replaces the entire database volume with a new volume that uses your target database version. **OS only** Reuse the database binaries currently in use by your DB instance, but specify a different AMI. RDS Custom allocates a new Amazon EC2 instance, and then attaches the existing binary volume to the new instance. The existing database volume is retained. If you want to upgrade both the OS and database, you must upgrade the CEV twice. You can either upgrade the OS and then the database or upgrade the database and then the OS. **Warning** When you patch your OS, you lose your root volume data and any existing OS customization. Thus, we strongly recommend that you don't use the root volume for installations or for storing permanent data or files. We also recommend that you back up your data before the upgrade. ### Patching without CEVs We strongly recommend that you upgrade your RDS Custom for Oracle DB instance using CEVs. RDS Custom for Oracle automation synchronizes the patch metadata with the database binary on your DB instance. In special circumstances, RDS Custom supports applying a "one-off" database patch directly to the underlying Amazon EC2 instance directly using the OPatch utility. A valid use case might be a database patch that you want to apply immediately, but the RDS Custom team is upgrading the CEV feature, causing a delay. To apply a database patch manually, perform the following steps: 1. Pause RDS Custom automation. 1. Apply your patch to the database binaries on the Amazon EC2 instance. 1. Resume RDS Custom automation. A disadvantage of the preceding technique is that you must apply the database patch manually to every instance that you want to upgrade. In contrast, when you create a new CEV, you can create or upgrade multiple DB instances using the same CEV. ### General steps for patching your DB instance with a CEV Whether you patch the OS or your database, perform the following basic steps: 1. Create a CEV that contains either of the following, depending on whether you're patching the database or OS: + The Oracle Database RU that you want to apply to your DB instance + A different AMI–either the latest available or one that you specify–and an existing CEV to use as a source Follow the steps in [Creating a CEV](custom-cev.create.md). 1. (Optional for database patching) Check available engine version upgrades by running `describe-db-engine-versions`. 1. Start the patching process by running `modify-db-instance`. The status of the instance being patched differs as follows: + While RDS is patching the database, the status of the DB instance changes to **Upgrading**. + While RDS is patching the OS, the status of the DB instance changes to **Modifying**. When the DB instance has the status **Available**, patching is complete. 1. Confirm that your DB instance uses the new CEV by running `describe-db-instances`. ## Requirements for RDS Custom for Oracle upgrades When upgrading your RDS Custom for Oracle DB instance to a target CEV, make sure you meet the following requirements: + The target CEV to which you are upgrading must exist. + You must upgrade either the OS or the database in a single operation. Upgrading both the OS and the database in a single API call isn't supported. + The target CEV must use the installation parameter settings that are in the manifest of the current CEV. For example, you can't upgrade a database that uses the default Oracle home to a CEV that uses a nondefault Oracle home. + For database upgrades, the target CEV must use a new minor database version, not a new major version. For example, you can't upgrade from an Oracle Database 12c CEV to an Oracle Database 19c CEV. But you can upgrade from version 21.0.0.0.ru-2023-04.rur-2023-04.r1 to version 21.0.0.0.ru-2023-07.rur-2023-07.r1. + For OS upgrades, the target CEV must use a different AMI but have the same major version. # Considerations for RDS Custom for Oracle database upgrades **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). If you plan to upgrade your database, consider the following: + The currently supported operating system (OS) version is Oracle Linux 8. To continue receiving the latest security updates and patches from RDS Custom for Oracle, upgrade your DB instances to Oracle Linux 8 by specifying a CEV based on this OS. Oracle Database 12c Release 1 (12.1), Oracle Database Release 2 (12.2), and Oracle Database 19c are the only releases that support Oracle Linux 8. To migrate to the latest Oracle Linux 8 AMI, upgrade your OS to the latest AMI. For more information, see [Upgrading an RDS Custom for Oracle DB instance](custom-upgrading-modify.md). Oracle Linux 7.9 ended support on Dec 31, 2024. To continue running Oracle Linux 7 after the end of support, purchase an Oracle Extended Support license. You're responsible for security updates and must patch your RDS Custom for Oracle instances manually. For more information, see [Lifetime Support Policy: Coverage for Oracle Open Source Service Offerings](https://www.oracle.com/a/ocom/docs/elsp-lifetime-069338.pdf). + When you upgrade the database binaries in your primary DB instance, RDS Custom for Oracle upgrades your read replicas automatically. When you upgrade the OS, however, you must upgrade the read replicas manually. + When you upgrade a container database (CDB) to a new database version, RDS Custom for Oracle checks that all PDBs are open or could be opened. If these conditions aren't met, RDS Custom stops the check and returns the database to its original state without attempting the upgrade. If the conditions are met, RDS Custom patches the CDB root first, and then patches all other PDBs (including `PDB$SEED`) in parallel. After patching completes, RDS Custom attempts to open all PDBs. If any PDBs fail to open, you receive the following event: `The following PDBs failed to open: list-of-PDBs`. If RDS Custom fails to patch the CDB root or any PDBs, the instance is put into the `PATCH_DB_FAILED` state. + You might want to perform a major database version upgrade and a conversion of non-CDB to CDB at the same time. In this case, we recommend that you proceed as follows: 1. Create a new RDS Custom for Oracle DB instance that uses the Oracle multitenant architecture. 1. Plug in a non-CDB into your CDB root, creating it as a PDB. Make sure that the non-CDB is the same major version as your CDB. 1. Convert your PDB by running the `noncdb_to_pdb.sql` Oracle SQL script. 1. Validate your CDB instance. 1. Upgrade your CDB instance. # Considerations for RDS Custom for Oracle OS upgrades **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). When you plan an OS upgrade, consider the following: + You can't provide your own AMI for use in an RDS Custom for Oracle CEV. You can specify either the default AMI, which uses Oracle Linux 8, or an AMI that has been previously used by an RDS Custom for Oracle CEV. **Note** RDS Custom for Oracle releases a new default AMI when common vulnerabilities and exposures are discovered. No fixed schedule is available or guaranteed. RDS Custom for Oracle tends to publish a new default AMI every 30 days. + When you upgrade the OS in your primary DB instance, you must upgrade its associated read replicas manually. + Reserve sufficient Amazon EC2 compute capacity for your instance type in your AZ before you begin patching the OS. When you create a Capacity Reservation, you specify the AZ, number of instances, and instance attributes (including instance type). For example, if your DB instance uses the underlying EC2 instance type r5.large, we recommend that you reserve EC2 capacity for r5.large in your AZ. During OS patching, RDS Custom creates one new host of type db.r5.large, which can become stuck if the AZ lacks EC2 capacity for this instance type. If you reserve EC2 capacity, you lower the risk of blocked patching caused by capacity constraints. For more information, see [On-Demand Capacity Reservations](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html) in the *Amazon EC2 User Guide*. + Back up your DB instance before you upgrade its OS. The upgrade removes your root volume data and any existing OS customizations. + In the shared responsibility model, you're responsible for keeping your OS up to date. RDS Custom for Oracle doesn't mandate which patches you apply to your OS. If your RDS Custom for Oracle is functional, you can use the AMI associated with this CEV indefinitely. # Viewing valid CEV upgrade targets for RDS Custom for Oracle DB instances **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can see existing CEVs on the **Custom engine versions** page in the AWS Management Console. You can also use the [describe-db-engine-versions](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html) AWS CLI command to find valid CEVs to use when you upgrade your DB instances, as shown in the following example. This example assumes that you created a DB instance using the engine version `19.my_cev1`, and that the upgrade versions `19.my_cev2` and `19.my_cev` exist. ``` aws rds describe-db-engine-versions --engine custom-oracle-ee --engine-version 19.my_cev1 ``` The output resembles the following. The `ImageId` field shows the AMI ID. ``` { "DBEngineVersions": [ { "Engine": "custom-oracle-ee", "EngineVersion": "19.my_cev1", ... "Image": { "ImageId": "ami-2345", "Status": "active" }, "DBEngineVersionArn": "arn:aws:rds:us-west-2:123456789012:cev:custom-oracle-ee/19.my_cev1/12a34b5c-67d8-90e1-2f34-gh56ijk78lm9" "ValidUpgradeTarget": [ { "Engine": "custom-oracle-ee", "EngineVersion": "19.my_cev2", "Description": "19.my_cev2 description", "AutoUpgrade": false, "IsMajorVersionUpgrade": false }, { "Engine": "custom-oracle-ee", "EngineVersion": "19.my_cev3", "Description": "19.my_cev3 description", "AutoUpgrade": false, "IsMajorVersionUpgrade": false } ] ... ``` # Upgrading an RDS Custom for Oracle DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). To upgrade your RDS Custom for Oracle DB instance, modify it to use a new CEV. This CEV can contain either new database binaries or a new AMI. For example, to upgrade your Oracle Linux 7.9 DB instance to Oracle Linux 8, specify the latest AMI, which uses Oracle Linux 8. To upgrade the database and OS, you must perform two separate upgrades. **Note** If you upgrade the database, RDS Custom automatically upgrades read replicas after it upgrades the primary DB instance. If you upgrade the OS, you must upgrade the replicas manually. Before you begin, review [Requirements for RDS Custom for Oracle upgrades](custom-upgrading.md#custom-upgrading-reqs) and [Considerations for RDS Custom for Oracle database upgrades](custom-upgrading-considerations.md). ## Console **To upgrade an RDS Custom for Oracle DB instance** 1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/). 1. In the navigation pane, choose **Databases**, and then choose the RDS Custom for Oracle DB instance that you want to upgrade. 1. Choose **Modify**. The **Modify DB instance** page appears. 1. For **DB engine version**, choose a new CEV. Do the following: + If you are patching the database, make sure that the CEV specifies database binaries that are different from those used by your DB instance, and doesn't specify an AMI that is different from the AMI currently used by your DB instance. + If you are patching the OS, make sure that the CEV specifies an AMI that is different from the AMI currently used by your DB instance, and doesn't specify different database binaries. **Warning** When you patch your OS, you lose your root volume data and any existing OS customization. 1. Choose **Continue** to check the summary of modifications. Choose **Apply immediately** to apply the changes immediately. 1. If your changes are correct, choose **Modify DB instance**. Or choose **Back** to edit your changes or **Cancel** to cancel your changes. ## AWS CLI The following examples show possible upgrade scenarios. The examples assume that you created an RDS Custom for Oracle DB instance with the following characteristics: + DB instance named `my-custom-instance` + CEV named `19.my_cev1` + Oracle Database 19c using the non-CDB architecture + Oracle Linux 8 using AMI `ami-1234` The latest service-provided AMI is `ami-2345`. You can find AMIs by running the CLI command `describe-db-engine-versions`. **Topics** + [ ### Upgrading the OS ](#custom-upgrading-modify.CLI.os) + [ ### Upgrading the database ](#custom-upgrading-modify.CLI.db) ### Upgrading the OS In this example, you want to upgrade `ami-1234` to `ami-2345`, which is the latest service-provided AMI. Because you are upgrading the OS, the database binaries for `ami-1234` and `ami-2345` must be the same. You create a new CEV named `19.my_cev2` based on `19.my_cev1`. **Example** For Linux, macOS, or Unix: ``` aws rds create-custom-db-engine-version \ --engine custom-oracle-ee \ --engine-version 19.my_cev2 \ --description "Non-CDB CEV based on ami-2345" \ --kms-key-id key-name \ --source-custom-db-engine-version-identifer arn:aws:rds:us-west-2:123456789012:cev:custom-oracle-ee/19.my_cev1/12345678-ab12-1234-cde1-abcde123456789 \ --image-id ami-2345 ``` For Windows: ``` aws rds create-custom-db-engine-version ^ --engine custom-oracle-ee ^ --engine-version 19.my_cev2 ^ --description "Non-CDB CEV based on ami-2345" ^ --kms-key-id key-name ^ --source-custom-db-engine-version-identifer arn:aws:rds:us-west-2:123456789012:cev:custom-oracle-ee/19.my_cev1/12345678-ab12-1234-cde1-abcde123456789 ^ --image-id ami-2345 ``` To upgrade an RDS Custom DB instance, use the [modify-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-instance.html) AWS CLI command with the following parameters: + `--db-instance-identifier` – Specify the RDS Custom for Oracle DB instance to be upgraded. + `--engine-version` – Specify the CEV that has the new AMI. + `--no-apply-immediately` \$1 `--apply-immediately` – Specify whether to perform the upgrade immediately or wait until the scheduled maintenance window. The following example upgrades `my-custom-instance` to version `19.my_cev2`. Only the OS is upgraded. **Example** For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --engine-version 19.my_cev2 \ --apply-immediately ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier my-custom-instance ^ --engine-version 19.my_cev2 ^ --apply-immediately ``` ### Upgrading the database In this example, you want to apply Oracle patch p35042068 to your RDS for Oracle DB instance. Because you upgraded your OS in [Upgrading the OS](#custom-upgrading-modify.CLI.os), your DB instance is currently using `19.my_cev2`, which is based on `ami-2345`. You create a new CEV named `19.my_cev3` that also uses `ami-2345`, but you specify a new JSON manifest in the `$MANIFEST` environment variable. Thus, only the database binaries different in your new CEV and the CEV that your instance is currently using. **Example** For Linux, macOS, or Unix: ``` aws rds create-custom-db-engine-version \ --engine custom-oracle-ee \ --engine-version 19.my_cev3 \ --description "Non-CDB CEV with p35042068 based on ami-2345" \ --kms-key-id key-name \ --image-id ami-2345 \ --manifest $MANIFEST ``` For Windows: ``` aws rds create-custom-db-engine-version ^ --engine custom-oracle-ee ^ --engine-version 19.my_cev3 ^ --description "Non-CDB CEV with p35042068 based on ami-2345" ^ --kms-key-id key-name ^ --image-id ami-2345 ^ --manifest $MANIFEST ``` The following example upgrades `my-custom-instance` to engine version `19.my_cev3`. Only the database is upgraded. **Example** For Linux, macOS, or Unix: ``` aws rds modify-db-instance \ --db-instance-identifier my-custom-instance \ --engine-version 19.my_cev3 \ --apply-immediately ``` For Windows: ``` aws rds modify-db-instance ^ --db-instance-identifier my-custom-instance ^ --engine-version 19.my_cev3 ^ --apply-immediately ``` # Viewing pending database upgrades for RDS Custom DB instances **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). You can see pending database upgrades for your Amazon RDS Custom DB instances by using the [describe-db-instances](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html) or [describe-pending-maintenance-actions](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-pending-maintenance-actions.html) AWS CLI command. However, this approach doesn't work if you used the `--apply-immediately` option or if the upgrade is in progress. The following `describe-db-instances` command shows pending database upgrades for `my-custom-instance`. ``` aws rds describe-db-instances --db-instance-identifier my-custom-instance ``` The output resembles the following. ``` { "DBInstances": [ { "DBInstanceIdentifier": "my-custom-instance", "EngineVersion": "19.my_cev1", ... "PendingModifiedValues": { "EngineVersion": "19.my_cev3" ... } } ] } ``` # Troubleshooting an upgrade failure for an RDS Custom for Oracle DB instance **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). If an RDS Custom DB instance upgrade fails, an RDS event is generated and the DB instance status becomes `upgrade-failed`. You can see this status by using the [describe-db-instances](https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-instances.html) AWS CLI command, as shown in the following example. ``` aws rds describe-db-instances --db-instance-identifier my-custom-instance ``` The output resembles the following. ``` { "DBInstances": [ { "DBInstanceIdentifier": "my-custom-instance", "EngineVersion": "19.my_cev1", ... "PendingModifiedValues": { "EngineVersion": "19.my_cev3" ... } "DBInstanceStatus": "upgrade-failed" } ] } ``` After an upgrade failure, all database actions are blocked except for modifying the DB instance to perform the following tasks: + Retrying the same upgrade + Pausing and resuming RDS Custom automation + Point-in-time recovery (PITR) + Deleting the DB instance **Note** If automation has been paused for the RDS Custom DB instance, you can't retry the upgrade until you resume automation. The same actions apply to an upgrade failure for an RDS-managed read replica as for the primary. For more information, see [Troubleshooting upgrades for RDS Custom for Oracle](custom-troubleshooting.md#custom-troubleshooting-upgrade). # Troubleshooting DB issues for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). The shared responsibility model of RDS Custom provides OS shell–level access and database administrator access. RDS Custom runs resources in your account, unlike Amazon RDS, which runs resources in a system account. With greater access comes greater responsibility. In the following sections, you can learn how to troubleshoot issues with Amazon RDS Custom DB instances. **Note** This section explains how to troubleshoot RDS Custom for Oracle. For troubleshooting RDS Custom for SQL Server, see [Troubleshooting DB issues for Amazon RDS Custom for SQL Server](custom-troubleshooting-sqlserver.md). **Topics** + [ ## Viewing RDS Custom events ](#custom-troubleshooting.support-perimeter.viewing-events) + [ ## Subscribing to RDS Custom events ](#custom-troubleshooting.support-perimeter.subscribing) + [ ## Troubleshooting DB instance creation issues ](#custom-troubleshooting.creation-issues) + [ ## Troubleshooting custom engine version creation for RDS Custom for Oracle ](#custom-troubleshooting.cev) + [ ## Fixing unsupported configurations in RDS Custom for Oracle ](#custom-troubleshooting.fix-unsupported) + [ ## Troubleshooting upgrades for RDS Custom for Oracle ](#custom-troubleshooting-upgrade) + [ ## Troubleshooting replica promotion for RDS Custom for Oracle ](#custom-troubleshooting-promote) ## Viewing RDS Custom events The procedure for viewing events is the same for RDS Custom and Amazon RDS DB instances. For more information, see [Viewing Amazon RDS events](USER_ListEvents.md). To view RDS Custom event notification using the AWS CLI, use the `describe-events` command. RDS Custom introduces several new events. The event categories are the same as for Amazon RDS. For the list of events, see [Amazon RDS event categories and event messages](USER_Events.Messages.md). The following example retrieves details for the events that have occurred for the specified RDS Custom DB instance. ``` 1. aws rds describe-events \ 2. --source-identifier my-custom-instance \ 3. --source-type db-instance ``` ## Subscribing to RDS Custom events The procedure for subscribing to events is the same for RDS Custom and Amazon RDS DB instances. For more information, see [Subscribing to Amazon RDS event notification](USER_Events.Subscribing.md). To subscribe to RDS Custom event notification using the CLI, use the `create-event-subscription` command. Include the following required parameters: + `--subscription-name` + `--sns-topic-arn` The following example creates a subscription for backup and recovery events for an RDS Custom DB instance in the current AWS account. Notifications are sent to an Amazon Simple Notification Service (Amazon SNS) topic, specified by `--sns-topic-arn`. ``` 1. aws rds create-event-subscription \ 2. --subscription-name my-instance-events \ 3. --source-type db-instance \ 4. --event-categories '["backup","recovery"]' \ 5. --sns-topic-arn arn:aws:sns:us-east-1:123456789012:interesting-events ``` ## Troubleshooting DB instance creation issues If your environment isn't properly configured or required permissions are missing, you can't create or restore RDS Custom for Oracle DB instances. When you attempt to create or restore a DB instance, Amazon RDS validates your environment and returns specific error messages if it detects any issues. After you resolve all issues, try again to create or restore your RDS Custom for Oracle DB instance. ### Common permissions issues When you create or restore a RDS Custom for Oracle instance, Amazon RDS validates that your environment has the required permissions. If permissions are missing or denied, the operation fails with a specific error message. | Issue type | Error message | Action | | --- | --- | --- | | IAM role access policy | You can't create the DB instance because of incompatible resources. The host environment validation failed for the following permissions: on resource: due to permissions issue with message: User: is not authorized to perform: on resource: because no identity-based policy allows the action. | Ensure that the listed required permissions are present and set to `Allow` in the access policy with the appropriate resources included. | | Permission boundary | You can't create the DB instance because of incompatible resources. The host environment validation failed for the following permissions: on resource: due to permissions issue with message: User: is not authorized to perform: on resource: with an explicit deny in a permissions boundary. | Verify that the permissions boundary attached to the instance role isn't restricting the listed required permissions and resources. | | Service control policy | You can't create the DB instance because of incompatible resources. The host environment validation failed for the following permissions: on resource: due to permissions issue with message: User: is not authorized to perform: on resource: with an explicit deny in a service control policy. | Contact your AWS Organizations administrator and verify that the service control policy attached to your account isn't restricting the listed required permissions and resources. | | Resource control policy | You can't create the DB instance because of incompatible resources. The host environment validation failed for the following permissions: on resource: due to permissions issue with message: User: is not authorized to perform: on resource: with an explicit deny in a resource control policy. | Contact your AWS Organizations administrator and verify that the resource control policy attached to your account isn't restricting the listed required permissions and resources. | | VPC endpoint policy | You can't create the DB instance because of incompatible resources. The host environment validation failed for the following permissions: on resource: due to permissions issue with message: User: is not authorized to perform: on resource: with an explicit deny in a VPC endpoint policy. | Ensure that the required VPC endpoints exist and the policies attached to them aren't restricting the listed required permissions and resources. | ### Networking issues In addition to reviewing [Step 6: Configure your VPC for RDS Custom for Oracle](custom-setup-orcl.md#custom-setup-orc.vpc-config), verify that the following are configured correctly and not restricting access to the required AWS services: **Security group attached to the Amazon EC2 instance** Ensure that the security group allows all necessary inbound and outbound traffic for RDS Custom operations. **Security group attached to your VPC** Verify that VPC security groups permit traffic to and from the required AWS services. **VPC endpoints** Confirm that all required VPC endpoints are properly configured and accessible. **Networking access control lists** Check that network ACLs aren't blocking traffic needed for RDS Custom functionality. ## Troubleshooting custom engine version creation for RDS Custom for Oracle When CEV creation fails, RDS Custom issues `RDS-EVENT-0198` with the message `Creation failed for custom engine version major-engine-version.cev_name`, and includes details about the failure. For example, the event prints missing files. CEV creation might fail because of the following issues: + The Amazon S3 bucket containing your installation files isn't in the same AWS Region as your CEV. + When you request CEV creation in an AWS Region for the first time, RDS Custom creates an S3 bucket for storing RDS Custom resources (such as CEV artifacts, AWS CloudTrail logs, and transaction logs). CEV creation fails if RDS Custom can't create the S3 bucket. Either the caller doesn't have S3 permissions as described in [Step 5: Grant required permissions to your IAM user or role](custom-setup-orcl.md#custom-setup-orcl.iam-user), or the number of S3 buckets has reached the limit. + The caller doesn't have permissions to get files from your S3 bucket that contains the installation media files. These permissions are described in [Step 7: Add necessary IAM permissions](custom-cev.preparing.md#custom-cev.preparing.iam). + Your IAM policy has an `aws:SourceIp` condition. Make sure to follow the recommendations in [AWS Denies access to AWS based on the source IP](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html) in the *AWS Identity and Access Management User Guide*. Also make sure that the caller has the S3 permissions described in [Step 5: Grant required permissions to your IAM user or role](custom-setup-orcl.md#custom-setup-orcl.iam-user). + Installation media files listed in the CEV manifest aren't in your S3 bucket. + The SHA-256 checksums of the installation files are unknown to RDS Custom. Confirm that the SHA-256 checksums of the provided files match the SHA-256 checksum on the Oracle website. If the checksums match, contact [AWS Support](https://aws.amazon.com/premiumsupport) and provide the failed CEV name, file name, and checksum. + The OPatch version is incompatible with your patch files. You might get the following message: `OPatch is lower than minimum required version. Check that the version meets the requirements for all patches, and try again`. To apply an Oracle patch, you must use a compatible version of the OPatch utility. You can find the required version of the Opatch utility in the readme file for the patch. Download the most recent OPatch utility from My Oracle Support, and try creating your CEV again. + The patches specified in the CEV manifest are in the wrong order. You can view RDS events either on the RDS console (in the navigation pane, choose **Events**) or by using the `describe-events` AWS CLI command. The default duration is 60 minutes. If no events are returned, specify a longer duration, as shown in the following example. ``` aws rds describe-events --duration 360 ``` Currently, the MediaImport service that imports files from Amazon S3 to create CEVs isn't integrated with AWS CloudTrail. Therefore, if you turn on data logging for Amazon RDS in CloudTrail, calls to the MediaImport service such as the `CreateCustomDbEngineVersion` event aren't logged. However, you might see calls from the API gateway that accesses your Amazon S3 bucket. These calls come from the MediaImport service for the `CreateCustomDbEngineVersion` event. ## Fixing unsupported configurations in RDS Custom for Oracle In the shared responsibility model, it's your responsibility to fix configuration issues that put your RDS Custom for Oracle DB instance into the `unsupported-configuration` state. If the issue is with the AWS infrastructure, use the console or the AWS CLI to fix it. If the issue is with the operating system or the database configuration, log in to the host to fix it. **Note** This section explains how to fix unsupported configurations in RDS Custom for Oracle. For information about RDS Custom for SQL Server, see [Fixing unsupported configurations in RDS Custom for SQL Server](custom-troubleshooting-sqlserver.md#custom-troubleshooting-sqlserver.fix-unsupported). The following tables includes descriptions of the notifications and events that the support perimeter sends and how to fix them. These notifications and the support perimeter are subject to change. For background on the support perimeter, see [RDS Custom support perimeter](custom-concept.md#custom-troubleshooting.support-perimeter). For event descriptions, see [Amazon RDS event categories and event messages](USER_Events.Messages.md). | Event ID | Configuration | RDS event message | Action | | --- | --- | --- | --- | | `SP-O0000` | Manual unsupported configuration | The RDS Custom DB instance status is set to [Unsupported configuration] because of: *reason*. | To resolve this issue, create an Support case. | **AWS resources (infrastructure)** | Event ID | Configuration | RDS event message | Action | | --- | --- | --- | --- | | SP-O1001 | Amazon Elastic Block Store (Amazon EBS) volumes | The following EBS volumes were added to EC2 instance *ec2\$1id*: *volume\$1id*. To resolve the issue, detach the specified volumes from the instance. | RDS Custom creates two types of EBS volume, besides the root volume created from the Amazon Machine Image (AMI), and associates them with the EC2 instance: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) When you create your DB instance, the storage configurations that you specify configure the data volumes. The support perimeter monitors the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) Use the following CLI command to compare the volume type of the EBS volume details and the RDS Custom for Oracle DB instance details: 
aws rds describe-db-instances \ 
    --db-instance-identifier db-instance-name | grep StorageType
| | SP-O1002 | Amazon Elastic Block Store (Amazon EBS) volumes | EBS volume *volume\$1id* has been detached from EC2 instance [*ec2\$1id*]. You can't detach the original volume from this instance. To resolve the issue, re-attach *volume\$1id* to *ec2\$1id*. | RDS Custom creates two types of EBS volume, besides the root volume created from the Amazon Machine Image (AMI), and associates them with the EC2 instance: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) When you create your DB instance, the storage configurations that you specify configure the data volumes. The support perimeter monitors the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) Use the following CLI command to compare the volume type of the EBS volume details and the RDS Custom for Oracle DB instance details: 
aws rds describe-db-instances \ 
    --db-instance-identifier db-instance-name | grep StorageType
| | SP-O1003 | Amazon Elastic Block Store (Amazon EBS) volumes | The original EBS volume *volume\$1id* attached to EC2 instance *ec2\$1id* has been modified as follows: size [*X*] to [*Y*], type [*N*] to [*M*], or IOPS [*J*] to [*K*]. To resolve the issue, revert the modification. | RDS Custom creates two types of EBS volume, besides the root volume created from the Amazon Machine Image (AMI), and associates them with the EC2 instance: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) When you create your DB instance, the storage configurations that you specify configure the data volumes. The support perimeter monitors the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) Use the following CLI command to compare the volume type of the EBS volume details and the RDS Custom for Oracle DB instance details: 
aws rds describe-db-instances \ 
    --db-instance-identifier db-instance-name | grep StorageType
| | SP-O1004 | Amazon EC2 instance state | Automated recovery left EC2 instance [*ec2\$1id*] in an impaired state. To resolve the issue, see [Troubleshooting instance recovery failures](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html#TroubleshootingInstanceRecovery). | To check the status of a DB instance, use the console or run the following AWS CLI command: 
aws rds describe-db-instances \ 
    --db-instance-identifier db-instance-name |grep DBInstanceStatus
| | SP-O1005 | Amazon EC2 instance attributes | EC2 instance [*ec2\$1id*] was modified as follows: attribute [*att1*] changed from [*val-old*] to [*val-new*], attribute [*att2*] changed from [*val-old*] to [*val-new*]. To resolve the issue, revert to the original value. | | | SP-O1006 | Amazon EC2 instance state | EC2 instance [*ec2\$1id*] was terminated or can't be found. To resolve the issue, delete the RDS Custom DB instance. | The support perimeter monitors EC2 instance state-change notifications. The EC2 instance must always be running. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) | | SP-O1007 | Amazon EC2 instance state | EC2 instance [*ec2\$1id*] was stopped. To resolve the issue, start the instance. | The support perimeter monitors EC2 instance state-change notifications. The EC2 instance must always be running. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) | | SP-1008 | Amazon SQS permission | Permissions are missing for Amazon SQS. Check the permissions for the IAM instance profile, VPC endpoint policy, and dependent service connections, and then try again. | You can resolve this by making sure the IAM profile associated with the host has the following permissions: 
"SQS:SendMessage"
"SQS:ReceiveMessage"
"SQS:DeleteMessage"
"SQS:GetQueueUrl"
| | SP-1009 | Amazon Simple Queue Service (Amazon SQS) | The SQS queue [%s] was deleted and couldn't be recovered. To resolve this issue, recreate the queue. | Recreate the Amazon SQS queue. | **Operating system** | Event ID | Configuration | RDS event message | Action | | --- | --- | --- | --- | | SP-O2001 | RDS Custom agent status | The RDS Custom agent isn't running on EC2 instance [*ec2\$1id*]. Make sure the agent is running on [*ec2\$1id*]. | On RDS Custom for Oracle, the DB instance goes outside the support perimeter if the RDS Custom agent stops. The agent publishes the `IamAlive` metric to Amazon CloudWatch every 30 seconds. An alarm is triggered if the metric hasn't been published for 30 seconds. The support perimeter also monitors the RDS Custom agent process state on the host every 30 minutes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) When the RDS Custom agent is running again, the `IamAlive` metric is published to Amazon CloudWatch, and the alarm switches to the `OK` state. This switch notifies the support perimeter that the agent is running. | | `SP-O2002` | AWS Systems Manager agent (SSM agent) status | The Systems Manager agent on EC2 instance [*ec2\$1id*] is unreachable. Make sure that you that have correctly configured the network, agent, and IAM permissions. | SSM Agent must always be running. The RDS Custom agent is responsible for making sure that the Systems Manager agent is running. If SSM Agent was terminated and then restarted, the RDS Custom agent publishes the metric `SSM_Agent_Restarted_Or_NotFound` to CloudWatch. The RDS Custom agent has an alarm on the metric `do-not-delete-rds-custom-ssm-agent-restarted-or-notfound-ec2-id` configured to trigger when there has been a restart in each of the previous three minutes. The support perimeter also monitors the process state of SSM Agent on the host every 30 minutes. For more information, see [Troubleshooting SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-ssm-agent.html). | | `SP-O2003` | AWS Systems Manager agent (SSM agent) status | The Systems Manager agent on EC2 instance [*ec2\$1id*] crashed multiple times. For more information, see the SSM Agent troubleshooting documentation. | For more information, see [Troubleshooting SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-ssm-agent.html). | | SP-O2004 | OS time zone | The time zone on EC2 instance [*ec2\$1id*] was changed. To resolve this issue, revert the timezone to the previous setting of [*previous-time-zone*]. Then use an RDS options group to change the time zone. | RDS automation detected that the time zone on the host was changed without the use of an option group. This host-level change can cause RDS automation failures, so the EC2 instance is placed in the `unsupported-configuration` state. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) Your DB instance becomes available within 30 minutes. To prevent moving out of perimeter in the future, modify your timezone through an options group. For more information, see [Oracle time zone](custom-managing.timezone.md). | | SP-O2005 | `sudo` configurations | The sudo configurations on EC2 instance [*ec2\$1id*] lack necessary permissions. To resolve this issue, revert the recent changes to the sudo configurations. | The support perimeter verifies that certain OS users are allowed to run certain commands on the host. It monitors `sudo` configurations and compares them to the supported state. If the `sudo` configurations aren't supported, RDS Custom tries to overwrite them and return to the previous supported state. If the attempt is successful, RDS Custom sends the following notification: RDS Custom successfully overwrote your configuration. If the overwrite isn't successful, your DB instance remains in the unsupported configuration state. To resolve this problem, either revert the changes within the `sudoers.d/` file or fix the permissions. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) After the support perimeter determines that the `sudo` configurations are supported, your RDS Custom for Oracle DB instance becomes available within 30 minutes. | | SP-O2006 | S3 bucket accessibility | RDS Custom automation can't download files from the S3 bucket on EC2 instance [*ec2\$1id*]. Check your networking configuration and make sure the instance allows connections to and from S3. | | | SP-2007 | High Availability Software Solution Version | The HA solution of your instance differs from the expected version. To resolve this issue, create an AWS Support case. | Create an AWS Support case. | **Database** | Event ID | Configuration | RDS event message | Action | | --- | --- | --- | --- | | SP-O3001 | Database archive lag target | The ARCHIVE\$1LAG\$1TARGET parameter on EC2 instance [*ec2\$1id*] is out of the recommended range *value\$1range*. To resolve the issue, set the parameter to a value within value\$1range. | The support perimeter monitors the `ARCHIVE_LAG_TARGET` database parameter to verify that the latest restorable time of the DB instance is within reasonable bounds. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) Your DB instance becomes available within 30 minutes. | | SP-O3002 | Oracle Data Guard role | The database role [*role\$1name*] isn't supported for Oracle Data Guard on EC2 instance [*ec2\$1id*]. To resolve the issue, set the DATABASE\$1ROLE parameter to either PRIMARY or PHYSICAL STANDBY. | The support perimeter monitors the current database role every 15 seconds and sends a CloudWatch notification if the database role has changed. The Oracle Data Guard `DATABASE_ROLE` parameter must be either `PRIMARY` or `PHYSICAL STANDBY`. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) After the support perimeter determines that the database role is supported, your RDS Custom for Oracle DB instance becomes available within 15 seconds. | | SP-O3003 | Database health | The SMON process of the Oracle database is in a zombie state. To resolve the issue, manually recover the database on EC2 instance [*ec2\$1id*], open the database, and then immediately back it up. For more help, contact Support. | The support perimeter monitors the DB instance state. It also monitors how many restarts occurred during the previous hour and day. You're notified when the instance is in a state where it still exists, but you can't interact with it. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) After your DB instance restarts, the RDS Custom agent detects that your DB instance is no longer in an unresponsive state. It then notifies the support perimeter to reevaluate your DB instance state. | | SP-O3004 | Database log mode | The database log mode on EC2 instance [*ec2\$1id*] was changed to [*value\$1b*]. To resolve the issue, set the log mode to [*value\$1a*]. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) The RDS Custom agent automatically restarts your DB instance and sets the log mode to `ARCHIVELOG`. Your DB instance becomes available within 30 minutes. | | SP-O3005 | Oracle home path | The Oracle home on EC2 instance [*ec2\$1id*] was changed to *new\$1path*. To resolve the issue, revert the setting to *old\$1path*. | | | SP-O3006 | Database unique name | The database unique name on EC2 instance [*ec2\$1id*] was changed to *new\$1value*. To resolve the issue, revert the name to *old\$1value*. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/custom-troubleshooting.html) The RDS Custom agent automatically restarts your DB instance and sets the log mode to `ARCHIVELOG`. Your DB instance becomes available within 30 minutes. | ## Troubleshooting upgrades for RDS Custom for Oracle Your upgrade of an RDS Custom for Oracle instance might fail. Following, you can find techniques that you can use during upgrades of RDS Custom DB for Oracle DB instances: + Examine the upgrade output log files in the `/tmp` directory on your DB instance. The names of the logs depend on your DB engine version. For example, you might see logs that contain the strings `catupgrd` or `catup`. + Examine the `alert.log` file located in the `/rdsdbdata/log/trace` directory. + Run the following `grep` command in the `root` directory to track the upgrade OS process. This command shows where the log files are being written and determine the state of the upgrade process. ``` ps -aux | grep upg ``` The following shows sample output. ``` root 18884 0.0 0.0 235428 8172 ? S< 17:03 0:00 /usr/bin/sudo -u rdsdb /rdsdbbin/scripts/oracle-control ORCL op_apply_upgrade_sh RDS-UPGRADE/2.upgrade.sh rdsdb 18886 0.0 0.0 153968 12164 ? S< 17:03 0:00 /usr/bin/perl -T -w /rdsdbbin/scripts/oracle-control ORCL op_apply_upgrade_sh RDS-UPGRADE/2.upgrade.sh rdsdb 18887 0.0 0.0 113196 3032 ? S< 17:03 0:00 /bin/sh /rdsdbbin/oracle/rdbms/admin/RDS-UPGRADE/2.upgrade.sh rdsdb 18900 0.0 0.0 113196 1812 ? S< 17:03 0:00 /bin/sh /rdsdbbin/oracle/rdbms/admin/RDS-UPGRADE/2.upgrade.sh rdsdb 18901 0.1 0.0 167652 20620 ? S< 17:03 0:07 /rdsdbbin/oracle/perl/bin/perl catctl.pl -n 4 -d /rdsdbbin/oracle/rdbms/admin -l /tmp catupgrd.sql root 29944 0.0 0.0 112724 2316 pts/0 S+ 18:43 0:00 grep --color=auto upg ``` + Run the following SQL query to verify the current state of the components to find the database version and the options installed on the DB instance. ``` SET LINESIZE 180 COLUMN COMP_ID FORMAT A15 COLUMN COMP_NAME FORMAT A40 TRUNC COLUMN STATUS FORMAT A15 TRUNC SELECT COMP_ID, COMP_NAME, VERSION, STATUS FROM DBA_REGISTRY ORDER BY 1; ``` The output resembles the following. ``` COMP_NAME STATUS PROCEDURE ---------------------------------------- -------------------- -------------------------------------------------- Oracle Database Catalog Views VALID DBMS_REGISTRY_SYS.VALIDATE_CATALOG Oracle Database Packages and Types VALID DBMS_REGISTRY_SYS.VALIDATE_CATPROC Oracle Text VALID VALIDATE_CONTEXT Oracle XML Database VALID DBMS_REGXDB.VALIDATEXDB 4 rows selected. ``` + Run the following SQL query to check for invalid objects that might interfere with the upgrade process. ``` SET PAGES 1000 LINES 2000 COL OBJECT FOR A40 SELECT SUBSTR(OWNER,1,12) OWNER, SUBSTR(OBJECT_NAME,1,30) OBJECT, SUBSTR(OBJECT_TYPE,1,30) TYPE, STATUS, CREATED FROM DBA_OBJECTS WHERE STATUS <>'VALID' AND OWNER IN ('SYS','SYSTEM','RDSADMIN','XDB'); ``` ## Troubleshooting replica promotion for RDS Custom for Oracle You can promote managed Oracle replicas in RDS Custom for Oracle using the console, `promote-read-replica` AWS CLI command, or `PromoteReadReplica` API. If you delete your primary DB instance, and all replicas are healthy, RDS Custom for Oracle promotes your managed replicas to standalone instances automatically. If a replica has paused automation or is outside the support perimeter, you must fix the replica before RDS Custom can promote it automatically. For more information, see [Promoting an RDS Custom for Oracle replica to a standalone DB instance](custom-rr.promoting.md). The replica promotion workflow might become stuck in the following situation: + The primary DB instance is in the state `STORAGE_FULL`. + The primary database can't archive all of its online redo logs. + A gap exists between the archived redo log files on your Oracle replica and the primary database. **To respond to the stuck workflow** 1. Synchronize the redo log gap on your Oracle replica DB instance. 1. Force the promotion of your read replica to the latest applied redo log. Run the following commands in SQL\$1Plus: ``` ALTER DATABASE ACTIVATE STANDBY DATABASE; SHUTDOWN IMMEDIATE STARTUP ``` 1. Contact Support and ask them to move your DB instance to `available` status. # Known issues for Amazon RDS Custom for Oracle **Note** End of support notice: On March 31, 2027, AWS will end support for Amazon RDS Custom for Oracle. After March 31, 2027, you will no longer be able to access the RDS Custom for Oracle console or RDS Custom for Oracle resources. For more information, see [RDS Custom for Oracle end of support](RDS-Custom-for-Oracle-end-of-support.md). When working with RDS Custom for Oracle, note the following issues for DB instances: + Resizing the root or dbbin volumes isn't supported. **Warning** We strongly recommend that you don't resize the root or dbbin volumes manually. We recommend that you store all configurations in the data volume, which persists after patching, and that you resize the volume using only the RDS scale storage API. + Some RDS APIs can be blocked when a database instance is on an older AMI, for example, an AMI that uses Oracle Linux 7. To resolve this issue, patch your DB instance to the latest AMI using OS patching. For more information, see [CEV upgrade options](custom-upgrading.md#custom-upgrading.overview.cev-options). + Before you perform RDS operations, make sure that your AWS account has enough quota for compute and storage. + If the database is in the creation state, and you actively log in to the database or Amazon EC2 host and run commands, database creation might not complete. + Control file multiplexing isn't currently supported because of a read replica issue. Before you create a read replica, make sure to specify only one file name in the `CONTROL_FILES` initialization parameter on the source database. + You can't change the database mode from `PHYSICAL STANDBY` (mounted or read-only) to `SNAPSHOT STANDBY` (converting to read/write). + If an AWS account is part of an AWS Organization with a service control policy (SCP), and the SCP contains a condition key, an RDS Custom for Oracle DB instance might fail to create with the following error: ``` You can't create the DB instance because of incompatible resources. The IAM instance profile role [AWSRDSCustomInstanceRole1-us-east-1] is missing the following permissions: EFFECT [Allow] on ACTION(S) [ssm:DescribeAssociation, ssm:DescribeDocument, ssm:GetConnectionStatus, ssm:GetDeployablePatchSnapshotForInstance, ssmmessages:OpenControlChannel, ssm:GetParameters, ssm:ListInstanceAssociations, ssm:PutConfigurePackageResult, ssmmessages:CreateControlChannel, ssm:GetParameter, ssm:UpdateAssociationStatus, ssm:GetManifest, ssmmessages:CreateDataChannel, ssm:PutInventory, ssm:UpdateInstanceInformation, ssm:DescribeInstanceInformation, ssmmessages:OpenDataChannel, ssm:GetDocument, ssm:ListAssociations, ssm:PutComplianceItems, ssm:UpdateInstanceAssociationStatus] for RESOURCE(S) [], EFFECT [Allow] on ACTION(S) [ec2messages:DeleteMessage, ec2messages:FailMessage, ec2messages:GetEndpoint, ec2messages:AcknowledgeMessage, ec2messages:GetMessages, ec2messages:SendReply] for RESOURCE(S) [], EFFECT [Allow] on ACTION(S) [logs:CreateLogStream, logs:DescribeLogStreams, logs:PutRetentionPolicy, logs:PutLogEvents] ``` To resolve this issue, create a ticket with Support. ## Known issues with database user accounts Note the following issues: + Don't remove database user accounts that begin with the string `RDS`, such as `RDSADMIN` and `RDS_DATAGUARD`. RDS Custom for Oracle uses the `RDS` account for automation. If you remove this user account, RDS Custom moves the instance to the unsupported configuration state. + You can't change the master username for your RDS Custom for Oracle DB instance using the `ModifyDBInstance` API. + RDS Custom for Oracle rotates user account credentials on all DB instances. For more information, see [Rotating RDS Custom for Oracle credentials for compliance programs](custom-security.cred-rotation.md). If you use an on-premises primary/standby configuration, credential rotation might affect the following resources: + Manually created standby RDS Custom for Oracle instances To resolve this issue, drop the manual standby databases, and then create an Oracle read replica using an API call. Manage the secrets manually for the manual standby databases so that they match the source DB instance. + Manually created cross-Region read replicas To resolve this issue, manually keep the secrets so that they match the primary DB instance. ## Known issues with parameter and configuration files + You must configure the `crontab` file after scale compute, OS upgrades, and other operations where RDS Custom replaces the root volume. We highly recommend that you keep a backup of `crontab`. + Note the following guidelines when you configure the `listener.ora` file: + Make sure that every entry in the file is on a single line. This approach avoids issues with indentation during instance creation. + Make sure that `GLOBAL_DBNAME` is equal to the value of `SID_NAME`. + Make sure the value for `LISTENER` follows the naming convention `L_dbname_001`. + Make sure the `listener.ora` file maintains a connection to the database name. RDS Custom uses this connection to verify database startup. If you modify this file incorrectly, operations such as scale compute or patching might fail. The following example shows a `listener.ora` that is configured correctly: ``` ADR_BASE_L_ORCL_001=/rdsdbdata/log/ USE_SID_AS_SERVICE_L_ORCL_001=ON SID_LIST_L_ORCL_001=(SID_LIST = (SID_DESC = (SID_NAME = ORCL)(GLOBAL_DBNAME = ORCL) (ORACLE_HOME = /rdsdbbin/oracle.19.custom.r1.EE.1))) SUBSCRIBE_FOR_NODE_DOWN_EVENT_L_ORCL_001=OFF L_ORCL_001=(DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(PORT = XXXX)(HOST = x.x.x.x))) (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(PORT = XXXX)(HOST = 127.0.0.1)))) ``` + Comments aren't supported in a server parameter file or initialization parameter file. + You must declare the following initialization parameters in the server parameter file (`/rdsdbdata/config/oracle_pfile`): + `MEMORY_MAX_TARGET` + `MEMORY_TARGET` + `PGA_AGGREGATE_TARGET` + `PROCESSES` + `SGA_TARGET` + `USE_LARGE_PAGES` If the preceding parameters aren't declared in `/rdsdbdata/config/oracle_pfile`, read replica creation and scale compute might fail. + You can't delete the symbolic links for configuration files such as the server parameter file, audit files, `listener.ora`, `tnsnames.ora`, or `sqlnet.ora`. You also can't modify the directory structure for these files. RDS Custom automation expects these files to exist in a specific directory structure. To create a server parameter file from an initialization parameter file, use the following syntax. ``` CREATE SPFILE='/rdsdbdata/admin/$ORACLE_SID/pfile/spfile$ORACLE_SID.ora' FROM PFILE='/rdsdbdata/config/oracle_pfile'; ```