SAP ECC on Oracle Setup Guide In Dev
Follow these instructions to replicate data from SAP ECC running on an Oracle database to your destination.
Prerequisites
To connect Fivetran to your Oracle ECC database, you need:
- A Fivetran account with an Enterprise or Business Critical plan
- Oracle 11g R2 - 21c
The Direct connection method is not supported for Oracle 12.1 or below
- Your database host's IP (for example,
1.2.3.4) or domain (for example,your.server.com) - Your database's port (usually
1521for unencrypted connections and2484for encrypted connections using SSL/TLS) - Your database's system identifier (SID)/service name
In addition, you need:
- The Oracle schema name under which the SAP tables and SAP Data Dictionary reside (for example,
SAPSR3)
Setup instructions
Choose connection method
Choose your preferred method for connecting Fivetran to your Oracle database, and then configure the necessary settings for that method. The supported connection methods depend on your deployment model.
For SaaS deployment, we support direct, SSH, private networking, and Proxy Agent connection methods.
For Hybrid Deployment, we support only direct and Proxy Agent connection methods.
Connect directly
Fivetran connects directly to your Oracle database. This is the simplest connection method to set up, requiring minimal configuration.
This connection method is not supported for Oracle 12.1 or below. For these versions, you must choose SSH tunnel, private networking, or Proxy Agent instead.
To connect directly, you must do the following:
Enable TLS on your Oracle database. Follow Oracle's instructions to enable TLS on your database either with a client wallet or without a client wallet.
Configure your firewall and/or other access control systems to allow incoming connections to your Oracle database host and port (usually
1521) from Fivetran's IPs for your database's region. How you do this will vary based on how your Oracle database is hosted (cloud platform, on-premises, etc.).
Connect via SSH
Available only for SaaS deployment.
Fivetran connects to a separate server in your network that provides an SSH tunnel to your Oracle database. You must connect through SSH if your database is in an inaccessible subnet.
To connect using SSH tunnel, you must do the following:
Configure an SSH tunnel between Fivetran and your Oracle database. For more information, see our SSH connection setup documentation.
The SSH tunnel setup requires adding Fivetran's SSH public key to the
authorized_keysfile on your SSH tunnel host. Copy the public key from the connector setup form, which is visible when you select Connect via an SSH tunnel in the Connection method drop-down.(Optional) Enable TLS on your Oracle database if you want to use end-to-end encryption using TLS. Follow Oracle's instructions to enable TLS on your database either with a client wallet or without a client wallet.
Connect using private networking
Available only for SaaS deployment.
Private networking enables communication between private networks and services without exposing traffic to the public internet. Private networking is the most secure connection method.
You must have a Business Critical plan to use private networking.
We support the following providers:
AWS PrivateLink – used for VPCs and AWS-hosted or on-premises services. For more information about setting up a private networking connection using AWS PrivateLink, see our AWS PrivateLink setup documentation.
Azure Private Link – used for Virtual Networks (VNets) and Azure-hosted or on-premises services. For more information about setting up a private networking connection using Azure Private Link, see our Azure PrivateLink setup documentation.
Google Cloud Private Service Connect – used for VPCs and Google-hosted or on-premises services. For more information about setting up a private networking connection using Google Cloud Private Service Connect, see our Google Cloud Private Service Connect setup documentation.
Connect using Proxy Agent
Available for SaaS deployment and Hybrid Deployment.
Fivetran connects to your database through the Proxy Agent, providing secure communication between Fivetran processes and your database host. The Proxy Agent is installed in your network and creates an outbound network connection to the Fivetran-managed SaaS.
To learn more about the Proxy Agent, how to install it, and how to configure it, see our Proxy Agent documentation.
Optionally, enable TLS on your Oracle database if you want end-to-end encryption between the Proxy Agent and your Oracle listener. Follow Oracle's instructions to enable TLS on your database either with a client wallet or without a client wallet.
Create user
Create a database user for Fivetran's exclusive use.
Connect to the Oracle database that hosts your SAP ECC system as a user with administrative privileges.
Execute the following SQL commands to create a user for Fivetran and grant it permission to connect to your database. Replace
<username>,<password>, and<profile_name>with a username, password, and profile name of your choice.Usernames in Oracle are case-sensitive. For example,
fivetranis not the same user asFIVETRAN.You must have at least 10 sessions for your Fivetran user.
CREATE PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10 IDLE_TIME 35; CREATE USER <username> IDENTIFIED BY <password>; ALTER USER <username> PROFILE <profile_name>; GRANT CREATE SESSION TO <username>;Check your profile name with the following query:
SELECT USERNAME, PROFILE FROM DBA_USERS WHERE USERNAME='<username>';Create a local user in the pluggable database (PDB) that contains your SAP schema. For multitenant container databases, execute these commands at the PDB level (
ALTER SESSION SET CONTAINER=<PDB>).You must have at least 10 sessions for your Fivetran user.
CREATE PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10 IDLE_TIME 35; CREATE USER <username> IDENTIFIED BY <password>; ALTER USER <username> PROFILE <profile_name>; GRANT CREATE SESSION TO <username>;Check your profile name with the following query:
SELECT USERNAME, PROFILE FROM DBA_USERS WHERE USERNAME='<username>';
Grant read-only access
Grant the Fivetran user read-only access to the Oracle metadata and SAP tables you want to sync.
Oracle databases use uppercase letters by default unless the values are surrounded by double quotes.
For multitenant container databases, execute these grants at the PDB level (ALTER SESSION SET CONTAINER=<PDB>).
Grant Oracle read-only access
Grant the Fivetran user access to the DBA_SEGMENTS system view. We use this view to optimize initial import queries.
GRANT SELECT ON DBA_SEGMENTS TO <username>;
The additional Oracle permissions required to read redo logs are covered in the Configure Binary Log Reader step.
Grant SAP Data Dictionary access
In addition to the system view grants above, grant SELECT on the SAP Data Dictionary tables. We read these to discover virtual tables, resolve their physical containers, and unpack pool, cluster, and long text rows. Replace SAPSR3 with your SAP schema name.
GRANT SELECT ON SAPSR3.DD02L TO <username>;
GRANT SELECT ON SAPSR3.DD02T TO <username>;
GRANT SELECT ON SAPSR3.DD03L TO <username>;
GRANT SELECT ON SAPSR3.DD16S TO <username>;
GRANT SELECT ON SAPSR3.DDNTF TO <username>;
GRANT SELECT ON SAPSR3.DDNTT TO <username>;
Grant SELECT on SAP source tables
Grant SELECT on each physical Oracle table that backs the virtual SAP tables you want to sync. For transparent tables, the physical table has the same name as the virtual SAP table. For pool, cluster, and long text tables, grant SELECT on the physical container backing each virtual table, not on the virtual table itself. See the SAP table type support section for the mapping between virtual tables and their physical containers. Replace SAPSR3 with your SAP schema name.
GRANT SELECT ON SAPSR3.<physical_table> TO <username>;
If you grant SELECT ANY TABLE to the Fivetran user, no per-table grants are needed.
Configure Binary Log Reader
Enable Binary Log Reader
To enable Binary Log Reader, do the following:
Connect to your Oracle ECC database as a user with administrative privileges.
If
ARCHIVELOGmode is not enabled on your database, enableARCHIVELOGmode. For multitenant container databases, execute these commands at the CDB level (ALTER SESSION SET CONTAINER=CDB$ROOT).We recommend that you set
ARCHIVE_LAG_TARGETto a non-zero value to reduce the lag in changes being synced.Enabling
ARCHIVELOGmode requires the Oracle instance to be briefly taken offline. To learn more, see Oracle's Managing Archived Redo Log Files documentation.SHUTDOWN IMMEDIATE; STARTUP MOUNT; ALTER DATABASE ARCHIVELOG; ALTER DATABASE OPEN;Configure Oracle RMAN to retain backups and archive logs for at least 24 hours. We recommend retaining data for seven days.
CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF 7 DAYS;(Recommended) Set the
DB_RECOVERY_FILE_DEST_SIZEparameter to a value that matches your available disk space, because expired and obsolete log and backup files can quickly fill your disk. For more information, see Oracle's DB_RECOVERY_FILE_DEST_SIZE documentation.Enable database-level minimal supplemental logging. For multitenant container databases, execute this command at the CDB level.
ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;If you are also enabling supplemental logging at the table-level for
PRIMARY KEYcolumns or forALLcolumns on tables that include a primary key, enable it only after the table is created. Do not include the supplemental logging clause within theCREATE TABLEstatement, as Oracle may not properly log the primary key columns in such cases. Instead, create the table first and then enable supplemental logging using anALTER TABLEcommand. For example,CREATE TABLE "<schema>"."<table>" ... (<columns>, ...); ALTER TABLE "<schema>"."<table>" ADD SUPPLEMENTAL LOG DATA (<PRIMARY KEY | ALL>) COLUMNS;Grant the following
SELECTpermissions to the Fivetran user. For multitenant container databases, execute these commands at the PDB level (ALTER SESSION SET CONTAINER=<PDB>).-- Required: Archived redo log and general Binary Log Reader grants GRANT SELECT ON SYS.COL$ TO <username>; GRANT SELECT ON SYS.V_$DATABASE TO <username>; GRANT SELECT ON SYS.V_$ARCHIVED_LOG TO <username>; GRANT SELECT ON SYS.V_$TRANSACTION TO <username>; GRANT SELECT ON SYS.V_$PARAMETER TO <username>; GRANT SELECT ON SYS.V_$ENCRYPTED_TABLESPACES TO <username>; GRANT SELECT ON SYS.V_$TABLESPACE TO <username>; -- For Oracle 11g, skip the SYS.V_$PDBS grant. The V_$PDBS view is available only in Oracle 12c and later. GRANT SELECT ON SYS.V_$PDBS TO <username>; -- Optional: Online redo log grants GRANT SELECT ON SYS.V_$LOG TO <username>; GRANT SELECT ON SYS.V_$LOGFILE TO <username>;Binary Log Reader requires access to archived redo logs. Online redo log access is optional; access to archived redo logs alone is sufficient for Binary Log Reader. If you don't need online redo log access, you can skip the optional grants above and the online redo log steps in the configure redo log file access step below.
(Optional) If your database uses partitioned tables, grant the Fivetran user permission to capture from partitioned tables. For multitenant container databases, execute these commands at the PDB level (
ALTER SESSION SET CONTAINER=<PDB>).GRANT SELECT ON SYS.TABPART$ TO <username>; GRANT SELECT ON SYS.TABCOMPART$ TO <username>; GRANT SELECT ON SYS.TABSUBPART$ TO <username>;Configure redo log file access (archived and online redo) based on how your Oracle database stores logs.
If your Oracle database is not configured with the fast recovery area, the archive log directory may remain constant (for example,
/u01/app/oracle/product/19c/dbhome_1). If your archive log directory remains constant, you must manually create a DIRECTORY object so Fivetran can access log files without requiring dynamic directory management.Run the following commands to create the
DIRECTORYobject for archive redo logs. For multitenant container databases, execute these commands at the PDB level.Binary Log Reader reads the archive log path from the
V$ARCHIVED_LOGview. The value you specify for<your-archive-log-directory-full-path>must exactly match the path inV$ARCHIVED_LOGand is case-sensitive.To find the correct archive log directory path, run the command
SELECT NAME FROM V$ARCHIVED_LOG WHERE ROWNUM = 1;. The result returns the full path of an archived log file, for example,C:\ORACLE\ARCH\ORCL\ARC00001.001. Use the directory portion of this path, without the file name, as the value for<your-archive-log-directory-full-path>.CREATE DIRECTORY FIVETRAN_LOGDIR AS '<your-archive-log-directory-full-path>'; GRANT READ ON DIRECTORY FIVETRAN_LOGDIR TO <username>;(Optional) Run the following commands to create the
DIRECTORYobject for online redo logs.Binary Log Reader reads the online redo log path from the
V$LOGFILEview. The value you specify for<your-online-redo-directory-full-path>must exactly match the path inV$LOGFILEand is case-sensitive.To find the correct online log directory path, run the command
SELECT MEMBER FROM V$LOGFILE WHERE TYPE = 'ONLINE' AND ROWNUM = 1;. The result returns the full path of an online redo log file, for example,C:\ORACLE\ORADATA\ORCL\REDO01.LOG. Use the directory portion of this path, without the file name, as the value for<your-online-redo-directory-full-path>.CREATE DIRECTORY FIVETRAN_ONLINE_LOGDIR AS '<your-online-redo-directory-full-path>'; GRANT READ ON DIRECTORY FIVETRAN_ONLINE_LOGDIR TO <username>;If multiple members are configured in redo log groups with different paths, run the above commands for each unique online redo path. For example, if two members have two different paths, such as
/opt/oracle/oradata/ORCLCDB/redo01.logand/opt/oracle/redo_member2/redo01_b.log, then you must create twoDIRECTORYobjects and grant read access to both:CREATE DIRECTORY FIVETRAN_ONLINE_LOGDIR1 AS '/opt/oracle/oradata/ORCLCDB'; GRANT READ ON DIRECTORY FIVETRAN_ONLINE_LOGDIR1 TO <username>; CREATE DIRECTORY FIVETRAN_ONLINE_LOGDIR2 AS '/opt/oracle/redo_member2'; GRANT READ ON DIRECTORY FIVETRAN_ONLINE_LOGDIR2 TO <username>;
If your Oracle database is configured with the fast recovery area, the archive log directory changes dynamically each day (for example,
/u01/app/oracle/fast_recovery_area/ORCLCDB/archivelog/2025_01_25). To avoid manually creatingDIRECTORYobjects ahead of time, grant the Fivetran user permission to create and drop them dynamically for each sync. Choose one of the following methods:Method 1: Grant direct privileges
Grant the Fivetran user permission to create and drop
DIRECTORYobjects. For multitenant container databases, execute these commands at the PDB level.GRANT CREATE ANY DIRECTORY TO <username>; GRANT DROP ANY DIRECTORY TO <username>;Method 2: Install a predefined package
If you prefer not to grant direct privileges, you can use the following stored procedure package (
FIVETRAN_BFILE) to controlDIRECTORYobject creation and deletion. Ensure to replace<username>with your Fivetran username. Connect as theSYSuser (or another user withDBAprivileges) to create the package. For multitenant container databases, execute these commands at the PDB level.CREATE OR REPLACE PACKAGE FIVETRAN_BFILE AUTHID DEFINER AS PROCEDURE dir_create(dirobj_name VARCHAR2, directory_name VARCHAR2); PROCEDURE dir_remove(dirobj_name VARCHAR2); END FIVETRAN_BFILE; / CREATE OR REPLACE PACKAGE BODY FIVETRAN_BFILE AS FUNCTION normalize_path(p_path VARCHAR2) RETURN VARCHAR2 IS v_path VARCHAR2(4000); BEGIN v_path := TRIM(p_path); v_path := RTRIM(v_path, '/'); IF v_path IS NULL THEN RAISE_APPLICATION_ERROR(-20001, 'Directory path must not be null'); END IF; IF INSTR(v_path, '..') > 0 THEN RAISE_APPLICATION_ERROR(-20003, 'Directory path must not contain ..'); END IF; IF INSTR(v_path, CHR(0)) > 0 THEN RAISE_APPLICATION_ERROR(-20004, 'Directory path contains invalid characters'); END IF; RETURN v_path; END normalize_path; PROCEDURE dir_create(dirobj_name VARCHAR2, directory_name VARCHAR2) IS v_obj VARCHAR2(128); v_path VARCHAR2(4000); v_user VARCHAR2(256); BEGIN v_obj := DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(dirobj_name)); v_path := normalize_path(directory_name); EXECUTE IMMEDIATE 'CREATE OR REPLACE DIRECTORY ' || v_obj || ' AS ' || DBMS_ASSERT.ENQUOTE_LITERAL(v_path); v_user := SYS_CONTEXT('USERENV', 'SESSION_USER'); EXECUTE IMMEDIATE 'GRANT READ ON DIRECTORY ' || v_obj || ' TO ' || DBMS_ASSERT.SIMPLE_SQL_NAME(v_user); END; PROCEDURE dir_remove(dirobj_name VARCHAR2) IS v_obj VARCHAR2(128); BEGIN v_obj := DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(dirobj_name)); EXECUTE IMMEDIATE 'DROP DIRECTORY ' || v_obj; END; END FIVETRAN_BFILE; / CREATE OR REPLACE PUBLIC SYNONYM PKG_FIVETRAN_BFILE FOR SYS.FIVETRAN_BFILE; GRANT EXECUTE ON PKG_FIVETRAN_BFILE TO <username>;Optional: restrict to specific base directories
If you want additional security, you can limit
DIRECTORYobject creation and removal to only your archive log base paths. Add theis_allowed_pathfunction to the package body and call it insidedir_createanddir_remove. Replace the example paths with the actual parent directories where your archive logs reside.Online redo log access is optional. If you granted privileges for online redo logs in the grant the
SELECTpermissions step above, include the online redo log directory paths in theis_allowed_pathlist.CREATE OR REPLACE PACKAGE BODY FIVETRAN_BFILE AS FUNCTION normalize_path(p_path VARCHAR2) RETURN VARCHAR2 IS v_path VARCHAR2(4000); BEGIN v_path := TRIM(p_path); v_path := RTRIM(v_path, '/'); IF v_path IS NULL THEN RAISE_APPLICATION_ERROR(-20001, 'Directory path must not be null'); END IF; IF INSTR(v_path, '..') > 0 THEN RAISE_APPLICATION_ERROR(-20003, 'Directory path must not contain ..'); END IF; IF INSTR(v_path, CHR(0)) > 0 THEN RAISE_APPLICATION_ERROR(-20004, 'Directory path contains invalid characters'); END IF; RETURN v_path; END normalize_path; FUNCTION is_allowed_path(p_path VARCHAR2) RETURN BOOLEAN IS BEGIN RETURN p_path = '/u01/app/oracle/fast_recovery_area/example_path' OR p_path LIKE '/u01/app/oracle/fast_recovery_area/example_path/%' OR p_path = '+RECO/ORACLE/ARCHIVELOG/example_path' OR p_path LIKE '+RECO/ORACLE/ARCHIVELOG/example_path/%'; END is_allowed_path; PROCEDURE dir_create(dirobj_name VARCHAR2, directory_name VARCHAR2) IS v_obj VARCHAR2(128); v_path VARCHAR2(4000); v_user VARCHAR2(256); BEGIN v_obj := DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(dirobj_name)); v_path := normalize_path(directory_name); IF NOT is_allowed_path(v_path) THEN RAISE_APPLICATION_ERROR(-20005, 'Directory path ' || v_path || ' is not in the allowed list'); END IF; EXECUTE IMMEDIATE 'CREATE OR REPLACE DIRECTORY ' || v_obj || ' AS ' || DBMS_ASSERT.ENQUOTE_LITERAL(v_path); v_user := SYS_CONTEXT('USERENV', 'SESSION_USER'); EXECUTE IMMEDIATE 'GRANT READ ON DIRECTORY ' || v_obj || ' TO ' || DBMS_ASSERT.SIMPLE_SQL_NAME(v_user); END; PROCEDURE dir_remove(dirobj_name VARCHAR2) IS v_obj VARCHAR2(128); v_path VARCHAR2(4000); BEGIN v_obj := DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(dirobj_name)); BEGIN SELECT DIRECTORY_PATH INTO v_path FROM ALL_DIRECTORIES WHERE DIRECTORY_NAME = UPPER(v_obj); EXCEPTION WHEN NO_DATA_FOUND THEN RAISE_APPLICATION_ERROR(-20006, 'Directory object ' || v_obj || ' does not exist or is not visible'); END; IF NOT is_allowed_path(v_path) THEN RAISE_APPLICATION_ERROR(-20005, 'Directory path ' || v_path || ' is not in the allowed list'); END IF; EXECUTE IMMEDIATE 'DROP DIRECTORY ' || v_obj; END; END FIVETRAN_BFILE; /If your Oracle database uses a fast recovery area, archive logs rotate into date-stamped subdirectories (for example,
.../archivelog/2025_01_25). TheLIKE '/your/base/path/%'clause inis_allowed_pathcovers all subdirectories automatically, so you only need to add the top-level path.(Optional) If your Oracle database uses TDE, grant the following permissions to the Fivetran database user. For multitenant (CDB/PDB) environments, grant them at the CDB level to a CDB-level user instead.
GRANT SELECT ON SYS.V_$ENCRYPTION_WALLET to <username>;If column-level encryption is used:
GRANT SELECT ON SYS.ENC$ to <username>;Additionally, you must make the TDE wallet file path accessible through BFILE. Use one of the redo log directory-access methods from step 8, such as pre-created
DIRECTORYobjects for fixed paths, dynamic directory creation withCREATE ANY DIRECTORYandDROP ANY DIRECTORY, or thePKG_FIVETRAN_BFILEpackage.(Optional) If your Oracle database stores redo logs in ASM, do the following.
During log capture, we copy redo logs (archived or online) from ASM to an intermediate staging directory on the database host file system and read them from there. You must create this staging directory regardless of whether ASM uses a Fast Recovery Area (FRA). For more information about how Binary Log Reader works with ASM, see our Automatic Storage Management (ASM) documentation.
Create a staging directory on the database host file system (for example,
/u01/app/oracle/fivetran) to stage the redo logs copied from ASM. The operating system user (for example,oracle) must have read and write permissions on this staging directory.Create an Oracle
DIRECTORYobject that references this staging directory, and grant the Fivetran database user read and write access to it. For multitenant container databases, execute these commands at the PDB level.- Do not specify an ASM disk group path in the
staging_directory_path. - You don't need to use the exact name
FIVETRAN_ASM_STG_DIR, but we recommend using a name prefixed withFIVETRAN_ASM_STG_DIRfor easier identification during troubleshooting.
CREATE DIRECTORY FIVETRAN_ASM_STG_DIR AS '<staging_directory_path>'; GRANT READ, WRITE ON DIRECTORY FIVETRAN_ASM_STG_DIR TO <username>;- Do not specify an ASM disk group path in the
Grant the following permissions to the Fivetran database user. These permissions are required for us to access and copy the redo logs from ASM to the staging directory. For multitenant container databases, execute these commands at the PDB level.
GRANT EXECUTE ON SYS.DBMS_FILE_TRANSFER TO <username>; GRANT EXECUTE ON SYS.UTL_FILE TO <username>;
Set the
DB_BLOCK_CHECKSUMparameter toTYPICALorFULL. Binary Log Reader requires block checksums to verify the integrity of redo log data blocks.ALTER SYSTEM SET DB_BLOCK_CHECKSUM = TYPICAL;Grant
EXECUTEprivilege on theDBMS_RANDOMpackage to the Fivetran user if the user does not already have this privilege. This privilege is typically granted to users through thePUBLICrole. Binary Log Reader requires this privilege to improve the performance of large table imports.For multitenant container databases, execute this command at the PDB level.
GRANT EXECUTE ON SYS.DBMS_RANDOM TO <username>;
Finish Fivetran configuration
Complete the connector setup by entering the required information in the Fivetran setup form.
In your connection setup form, enter a Destination schema prefix. This prefix applies to each replicated schema and cannot be changed once your connection is created.
In the Destination schema names field, choose the naming convention you want Fivetran to use for the schemas, tables, and columns in your destination:
- Source naming: Preserves the original schema, table, and column names from the source system in your destination, and ignores the Destination schema prefix specified in the setup form. However, when multiple connections share the same source schema name (for example,
public), Fivetran stores their tables in the same destination schema. Tables with duplicate names may lead to overwrites and data inconsistencies. Be sure to use unique table names across connections that write to the same schema. - Fivetran naming: Standardizes the schema, table, and column names in your destination according to the Fivetran naming conventions.
If you want to modify your selection, make sure you do it before you start the initial sync.
Depending on your selection, we either prefix the connection name to each replicated schema or use the source schema names instead.
- Source naming: Preserves the original schema, table, and column names from the source system in your destination, and ignores the Destination schema prefix specified in the setup form. However, when multiple connections share the same source schema name (for example,
In the Host field, enter your database host's IP (for example,
1.2.3.4) or URL (for example,your.server.com).In the Port field, enter your database's port number. The port number is usually
1521for unencrypted connections and2484for encrypted connections using SSL/TLS.In the User field, enter the username of the Fivetran-specific user that you created.
In Oracle, usernames are case-sensitive. Make sure to enter the exact username.
In the Password field, enter the password for the Fivetran-specific user.
In the SID/Service Name/PDB field, enter your database's SID, service name, or PDB service name.
If you're using a multitenant container database (CDB) and want to replicate PDB tables, enter the PDB service name in this field.
In the SAP Schema field, enter the Oracle schema name that contains your SAP tables and SAP Data Dictionary (for example,
SAPSR3). This must match the schema you used in theGRANT SELECT ON SAPSR3.DD*statements above.From the Connection method drop-down, select how Fivetran connects to your database and enter the required information. The available options depend on your deployment model — Hybrid Deployment offers only Connect directly and Connect via Proxy Agent.
Connect directly
- For Hybrid Deployment, if you enabled TLS on your database in Step 1 - Choose connection method, keep the Require TLS toggle turned ON.
Connect via an SSH tunnel (Not applicable to Hybrid Deployment)
- In the SSH Host field, enter the hostname or IP address of the SSH server. Do not use a load balancer IP address or hostname.
- In the SSH Port field, enter the port used by the SSH server.
- In the SSH User field, enter the username of the SSH user.
- If you enabled TLS on your database in Step 1 - Choose connection method, keep the Require TLS through Tunnel toggle turned ON.
Ensure that you have added the Fivetran SSH Public Key to the
authorized_keysfile on your SSH tunnel host when configuring the SSH tunnel.Connect via private networking (Not applicable to Hybrid Deployment)
- Fivetran enables TLS for private networking connections by default. To disable it, set the Require TLS when using Private Networking toggle to OFF.
Connect via Proxy Agent
- Select an existing Proxy Agent or configure a new one.
- For SaaS deployment, if you enabled TLS on your database in Step 1 - Choose connection method, keep the Require TLS when using Proxy Agent toggle turned ON.
- For Hybrid Deployment, if you enabled TLS on your database in Step 1 - Choose connection method, keep the Require TLS toggle turned ON.
(Optional) Set the Using TDE Encryption toggle to ON if your Oracle database uses Transparent Data Encryption (TDE). For example, any replicated tables or columns are encrypted.
Enter the following, as applicable:
- TDE Wallet Password - Required only for a password-based software wallet.
- CDB User and CDB Password - For multitenant (CDB) databases, provide CDB-level credentials; leave blank for non-CDB databases.
- CDB SID/Service Name - For multitenant databases, enter the CDB root service name (not the PDB); leave blank for non-CDB databases.
- Local Auto-Login Wallet User Name/Host Name - Required only for local Auto-Login wallets; provide the OS user and the host name used when the wallet was created.
(Optional) Set the Using Symbolic Links toggle to ON if any directory path in Oracle, such as archive/redo log directories or the TDE wallet location, includes a symbolic link. This option lets you add one or more path mappings to specify how each symbolic link path corresponds to its real file system path.
Then click Add mapping to enter values in the following fields:- Source Directory Path - The path containing the symbolic link.
- Mapped Physical Path - The real path on the file system that the symbolic link points to.
For example, if
/var/foois a symbolic link to/yyy/zzz, and the log directory is/var/foo/xxx, set Source Directory Path to/var/fooand Mapped Physical Path to/yyy/zzz. The real directory path in this case is/yyy/zzz/xxx.For Oracle running on Windows, you don't need to enable Using Symbolic Links. Windows resolves symbolic links natively, so Binary Log Reader does not require any path mappings.
(Optional) Set the Using ASM toggle to ON so we can read redo logs stored in ASM.
- In the ASM Staging Directory Path field, enter the directory path to store the temporary files created while capturing changes from an Oracle database that uses ASM with Binary Log Reader. Do not use a symbolic link for the staging directory. For more information about how Binary Log Reader works with ASM, see our Automatic Storage Management (ASM) documentation.
(Not applicable to Hybrid Deployment) Copy the Fivetran's IP addresses (or CIDR) that you must safelist in your firewall.
Click Save & Test. Fivetran tests and validates the connection to your Oracle database. Upon successful completion of the setup tests, you can sync your data.
Select tables to sync
After the setup tests pass, Fivetran takes you to the connection's Schema tab and opens the Select new tables to sync dialog. At this stage, no tables are selected by default.
Each connection supports one SAP schema. To replicate tables from multiple SAP schemas, create a separate connection for each schema.
In the Search by table name field, enter one or more virtual SAP table names or patterns, then press Enter.
You can use any of the following search methods:
- Enter exact table names, such as
BSEG,MARA,T001, orSTXL. - Enter multiple comma-separated table names or patterns.
- Enter wildcard patterns using
*or?, such asB*,T00*,*SEG, orBSE?.
Each search term must contain at least two alphanumeric characters. Supported special characters are
*,?,_,-,., and/.- Enter exact table names, such as
In the search results, expand the SAP schema if needed.
Select the checkbox next to each virtual SAP table you want to sync. To select all displayed tables in a schema, select the schema-level checkbox.
Click Add table or Add tables.
To add more tables, click Add new table and repeat the previous steps.
When you're done adding tables, click Start Initial Sync.
We automatically resolve the physical container behind each virtual table. You do not need to add RFBLG, ATAB, CDCLS, KAPOL, or other container tables yourself.
You can change your table selection anytime on your connection's Schema tab.
Setup tests
Fivetran runs the following setup tests:
- Connecting to SSH tunnel - Checks whether Fivetran can connect through the SSH tunnel, if you selected Connect via an SSH tunnel.
- Connecting to host - Checks whether Fivetran can connect to your Oracle database host.
- Validating certificate - Checks whether Fivetran can validate the database certificate when TLS is enabled.
- Validating system view access - Checks whether the Fivetran user can access the required Oracle system views.
- Validating supported database - Checks whether your Oracle database version and platform are supported.
- Confirming the database has archived logs in the local file system - Checks whether archived redo logs are available in the local file system. If you enable Using ASM, we run Validating ASM configuration instead.
- Validating database compatibility - Checks whether the database is compatible with Binary Log Reader.
- Validating supplemental logging configuration - Checks whether supplemental logging is enabled.
- Validating access to redo log - Checks whether Fivetran can access redo logs.
- Validating DB_BLOCK_CHECKSUM configuration - Checks whether
DB_BLOCK_CHECKSUMis set toTYPICAL,FULL, orTRUE. - Validating DBMS_RANDOM permission - Checks whether the Fivetran user has
EXECUTEpermission onDBMS_RANDOM. - Validating TDE configuration - Checks the TDE configuration, if you enable Using TDE Encryption.
- Validating SAP schema - Checks whether the schema entered in the SAP Schema field exists and whether the Fivetran user can read the SAP Data Dictionary tables (
DD02L,DD02T,DD03L,DD16S,DDNTF, andDDNTT). We don't validate per-table grants at this stage.
If you selected Connect via Proxy Agent, Fivetran also checks the Proxy Agent status.