Oracle Database 21c Standard Edition 2 on AWS User Guide

Product: Oracle Database 21c Standard Edition 2 on AWS

Overview

This image runs Oracle Database 21c Standard Edition 2, installed from upstream Oracle media. Oracle Database is the only workload on the image, so the platform stays lean, predictable and easy to reason about. The image ships the 21.3.0.0.0 base release.

Oracle Database 21c desupports the traditional non container architecture, so the starter database is a multitenant container database (CDB) named ORCL with one ready to use pluggable database (PDB) named ORCLPDB. Applications connect to the ORCLPDB service; the ORCL container root is used for administration. Standard Edition 2 permits up to three pluggable databases without the multitenant option, so you can create two more PDBs in this container as your estate grows.

The image ships with no shared database credentials. On the first boot of your instance a one shot service generates fresh, strong passwords for the SYS and SYSTEM administrative accounts, unique to that instance, applies them to the running database and writes them to /root/oracle-db-credentials.txt, a file that only the root user can read.

The Oracle binaries, the datafiles, the redo logs and the archive area live on a dedicated storage volume mounted at /opt/oracle. Keeping the database tier on its own volume means storage can be grown, snapshotted and backed up independently of the operating system disk. The Oracle listener runs on port 1521 bound to all interfaces, so SQL Developer, JDBC clients and application servers can connect remotely once your security group allows the port.

This is a headless image. Oracle Database has no web interface in this listing; you administer it over SSH with the sqlplus command line client, and you can connect graphical tools such as Oracle SQL Developer remotely over port 1521.

Standard Edition 2 is the cost effective Oracle Database edition, licensed for servers with a maximum of two sockets. It provides the core Oracle Database engine but not Enterprise only options such as Partitioning, Advanced Compression, Advanced Security, Data Guard, and the Diagnostics and Tuning Packs; the matching Enterprise Edition variant on this listing carries those.

Prerequisites

Before you deploy this image you need:

  • An Amazon Web Services account where you can launch EC2 instances
  • IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
  • An EC2 key pair in the target Region for SSH access to the instance
  • A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network, and inbound port 1521 from any host that needs to reach the database remotely
  • The AWS CLI (version 2) installed locally if you plan to deploy from the command line

Recommended instance type: m5.xlarge (4 vCPU, 16 GB RAM) or larger. Oracle Database sizes its System Global Area from available memory and benefits from additional CPU and RAM for production workloads. Standard Edition 2's two socket licensing limit is well within any single EC2 instance.

Step 1: Launch the Instance from the AWS Marketplace

Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Oracle Database. Select the cloudimg listing and choose Select, then Continue on the subscription summary.

Pick an instance type of m5.xlarge or larger. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network and inbound port 1521 from the hosts that need database access. Leave the root volume at the default size or larger; the Oracle data volume is attached automatically from the image.

Select Launch instance. First boot initialisation, which generates the administrative passwords and confirms the database is open, takes a minute or two after the instance state becomes Running and the status checks pass.

Step 2: Launch the Instance from the AWS CLI

The following block launches an instance from the cloudimg Oracle Database Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens inbound ports 22 and 1521.

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type m5.xlarge \
  --key-name <key-name> \
  --subnet-id <subnet-id> \
  --security-group-ids <security-group-id> \
  --metadata-options HttpTokens=required \
  --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":30,"VolumeType":"gp3"}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=oracle-db-21c-se2-01}]'

The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running:

aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text

Step 3: Connect over SSH

Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:

AMI variant                                   SSH login user
Oracle Database 21c SE2 on Oracle Linux 8     ec2-user

ssh <login-user>@<public-ip>

Wait until the instance has passed both EC2 status checks before connecting. The first boot service runs before the SSH daemon is ready, so the administrative passwords are set and the database is open by the time you can log in.

Step 4: Retrieve the Generated Credentials

The first boot service generates fresh SYS and SYSTEM passwords for this instance and writes them, with the connection details, to /root/oracle-db-credentials.txt. The file is readable only by the root user. Display it from your SSH session:

sudo cat /root/oracle-db-credentials.txt

The file looks like this, with unique passwords on your instance:

Oracle Database 21c Standard Edition 2 - Per-Instance Credentials
=================================================================
Generated: Fri May 29 11:12:04 UTC 2026
Instance:  i-0123456789abcdef0

SYSTEM_PASSWORD= <your generated SYSTEM password>
SYS_PASSWORD= <your generated SYS password>

ORACLE_SID=  ORCL      (CDB root, administration)
SERVICE:     ORCLPDB   (pluggable database — connect applications here)
Listener:    port 1521 (TCP)

Connect:
  ssh ec2-user@<instance-ip>
  sudo cat /root/oracle-db-credentials.txt
  sudo su - oracle
  . ~/setEnv.sh
  sqlplus system/<SYSTEM_PASSWORD>@localhost:1521/ORCLPDB

IMPORTANT: These passwords are unique to this instance.
=================================================================

No shared or default database passwords ship in the image. Use the generated SYSTEM password for application and administrative connections, and the SYS password for SYSDBA operations.
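The guide states that the credentials file is readable only by root. The following check is an added example, not part of the image: it confirms the file's owner and mode and that both password entries are present, without printing the secrets. The function names and the sample contents are constructed, and the parser assumes the generated passwords contain no whitespace.

```python
import os
import stat

REQUIRED_KEYS = ("SYSTEM_PASSWORD", "SYS_PASSWORD")

# Constructed sample in the layout shown above; the values are placeholders.
SAMPLE = """\
Oracle Database 21c Standard Edition 2 - Per-Instance Credentials
=================================================================
Generated: Fri May 29 11:12:04 UTC 2026
Instance:  i-0123456789abcdef0

SYSTEM_PASSWORD= constructed-system-value
SYS_PASSWORD= constructed-sys-value

ORACLE_SID=  ORCL      (CDB root, administration)
SERVICE:     ORCLPDB
"""


def parse_credentials(text):
    """Return KEY= value pairs, taking the first token after '=' as the value.

    Assumes generated passwords contain no whitespace.
    """
    values = {}
    for line in text.splitlines():
        key, sep, rest = line.partition("=")
        # Skips the ===== rulers, 'Name: value' lines and command lines.
        if sep and key.isidentifier() and rest.split():
            values[key] = rest.split()[0]
    return values


def audit_file(path, expected_uid=0):
    """Return a list of problems with the file's owner, mode and content."""
    problems = []
    info = os.stat(path)
    mode = stat.S_IMODE(info.st_mode)
    if info.st_uid != expected_uid:
        problems.append(f"owner uid {info.st_uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants group or other access")
    with open(path, encoding="utf-8") as handle:
        found = parse_credentials(handle.read())
    problems += [f"{key} missing" for key in REQUIRED_KEYS if key not in found]
    return problems


if __name__ == "__main__":
    print(sorted(parse_credentials(SAMPLE)))  # key names only, never the values
```

Run audit_file("/root/oracle-db-credentials.txt") as root on the instance; an empty list means the file matches what the guide describes.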

Step 5: Confirm the Database Service and the Listener

Oracle Database starts automatically on boot through the oracle-db.service systemd unit, which runs Oracle's dbstart to open the database and start the listener. Confirm the unit is enabled for automatic start at boot:

systemctl is-enabled oracle-db.service

The command prints enabled. A companion one shot unit, oracle-db-21c-firstboot.service, performs the per instance credential rotation on the first boot; confirm it is enabled too:

systemctl is-enabled oracle-db-21c-firstboot.service

Confirm the Oracle listener is accepting connections. It binds to all interfaces on port 1521, so it is reachable both from the instance itself and from remote SQL Developer and JDBC clients once your security group allows the port:

ss -tln | grep ':1521 '

You should see a listening socket on 0.0.0.0:1521. The screenshot below shows the full lsnrctl status output, with the listening endpoint on port 1521 and the ORCL container and orclpdb pluggable database services registered and ready.

[Screenshot: lsnrctl status showing the Oracle listener on port 1521 with the ORCL and ORCLPDB services ready]

Step 6: Confirm the Edition and Version

The database runs as the oracle operating system user, whose login environment sets ORACLE_HOME, ORACLE_SID and the library path. Connect to the container root with operating system authentication and query the version views. The following block reports the product banner, which names the edition, and the instance name, full version and open status:

su - oracle -c 'sqlplus -S -L / as sysdba' <<'SQL'
SET PAGESIZE 50 LINESIZE 120 FEEDBACK OFF
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT instance_name, version_full, status FROM v$instance;
EXIT;
SQL

The banner reads Oracle Database 21c Standard Edition 2 Release 21.0.0.0.0 - Production, and the instance ORCL reports version 21.3.0.0.0 with status OPEN. The screenshot below shows the client version from sqlplus -V together with this banner and instance query.

[Screenshot: SQL*Plus version output and the Oracle Database 21c Standard Edition 2 banner with the instance open]

Step 7: The Container Database and the Pluggable Database

Oracle Database 21c uses the multitenant architecture. The container database ORCL holds one pluggable database, ORCLPDB, which is where your application schemas and data live. Confirm the pluggable database is open in read write mode:

su - oracle -c 'sqlplus -S -L / as sysdba' <<'SQL'
SET PAGESIZE 50 LINESIZE 120 FEEDBACK OFF
COLUMN name FORMAT a12
COLUMN open_mode FORMAT a12
SELECT name, open_mode FROM v$pdbs WHERE name = 'ORCLPDB';
SELECT sysdate AS server_time FROM dual;
EXIT;
SQL

ORCLPDB reports READ WRITE. The pluggable database is configured with saved state, so it opens automatically whenever the container database starts. The screenshot below shows a session that switches into the ORCLPDB container, confirms it is open read write and reads the server time.

[Screenshot: a SQL*Plus session switching into the ORCLPDB pluggable database, confirming it is open read write, and reading the server time]

Step 8: Connect with SQL*Plus

To run application workloads, connect to the ORCLPDB pluggable database service as the SYSTEM user with the generated password. Switch to the oracle user and source the environment first, then open SQL*Plus. Replace <SYSTEM_PASSWORD> with the value from /root/oracle-db-credentials.txt:

sudo su - oracle
. ~/setEnv.sh
sqlplus system/<SYSTEM_PASSWORD>@localhost:1521/ORCLPDB

Inside SQL*Plus you can create application schemas, tables and data in the pluggable database. The following statements, run at the SQL> prompt, create a table, insert a row and read it back:

CREATE TABLE products (
  id    NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  name  VARCHAR2(100),
  price NUMBER(10,2)
);

INSERT INTO products (name, price) VALUES ('Mechanical Keyboard', 89.00);
COMMIT;

SELECT name, price FROM products;

Type EXIT to leave SQL*Plus. To connect to the container root for administration instead, use operating system authentication with sqlplus / as sysdba, or connect over the network as SYS with sqlplus sys/<SYS_PASSWORD>@localhost:1521/ORCL as sysdba.

Step 9: Connect Remotely with SQL Developer or JDBC

The listener accepts remote connections on port 1521. Once your security group allows inbound 1521 from your client, point Oracle SQL Developer, a JDBC driver or any Oracle client at the instance. Use the following connection details, replacing <public-ip> with the instance address and the password with the value from the credentials file:

Host:            <public-ip>
Port:            1521
Service name:    ORCLPDB
Username:        SYSTEM
Password:        <your generated SYSTEM password>

JDBC URL:        jdbc:oracle:thin:@//<public-ip>:1521/ORCLPDB

In SQL Developer, create a new connection, set the Connection Type to Basic, enter the host, port and the ORCLPDB service name, supply the SYSTEM username and generated password, and select Test then Connect. For administrative access to the container root, use the ORCL service name and connect as SYS with the SYSDBA role.

Step 10: The Oracle Data Volume

The Oracle binaries, the datafiles, the redo logs and the archive area are stored under /opt/oracle, which is a dedicated EBS volume separate from the operating system disk. Confirm the mount:

findmnt /opt/oracle

The output shows /opt/oracle is its own ext4 filesystem on a separate device. Check the available space at any time with:

df -h /opt/oracle

Because the database tier is on its own volume you can take an Amazon EBS snapshot of it on its own schedule, and you can grow it independently of the root volume.

Step 11: Managing the Database Service

Oracle Database is managed through systemd as the oracle-db.service unit, which starts the database and the listener automatically on boot, as confirmed in step 5. Check the service status:

systemctl status oracle-db.service --no-pager

Stop, start and restart the service when needed. Stopping the service runs Oracle's dbshut to close the database cleanly, and starting it runs dbstart:

sudo systemctl stop oracle-db.service
sudo systemctl start oracle-db.service
sudo systemctl restart oracle-db.service

The Oracle alert log and listener log live under /opt/oracle/diag. Review the alert log first when diagnosing a startup or runtime problem; locate it with:

sudo su - oracle -c 'find /opt/oracle/diag -name alert_ORCL.log'

Step 12: Backups

Oracle Database includes Recovery Manager (RMAN) for consistent, online backups. Run RMAN as the oracle user against the local instance to take a full backup of the container database and its pluggable databases:

sudo su - oracle
. ~/setEnv.sh
rman target / <<'RMAN'
BACKUP DATABASE PLUS ARCHIVELOG;
RMAN

For logical, schema level exports use Oracle Data Pump against the pluggable database:

expdp system/<SYSTEM_PASSWORD>@localhost:1521/ORCLPDB \
  schemas=APPUSER directory=DATA_PUMP_DIR dumpfile=appuser.dmp

Because /opt/oracle is a dedicated EBS volume, you can also take an EBS snapshot of the volume itself for a point in time copy of the entire database tier. For a crash consistent snapshot, place the database in backup mode or shut it down cleanly first.

Support

cloudimg provides 24/7/365 expert technical support for this image. Guaranteed response within 24 hours, one hour average for critical issues. Contact support@cloudimg.co.uk.

For general Oracle Database administration questions consult the official Oracle Database documentation at https://docs.oracle.com/en/database/oracle/oracle-database/21/.