Exadata Security
Daniel Ignat
Trend – ECS Lead Team
Trend ECS (Expert Customer Services)
Agenda
Exadata Storage Server – Overview
Exadata Security – Concepts and Methods
Exadata Security – Implementing and Removing
Exadata Security – Best Practices
Exadata Overview – Our local market (figure-only slide)
Exadata Overview – About Exadata (figure-only slide)
Exadata Overview – Traditional Database Storage Deployment vs. Exadata Storage Deployment (figure-only slide)
Exadata Overview – Exadata Security (figure-only slide)
Exadata Overview – IORM: Description (figure-only slide)
Exadata Security – Concepts and Methods
First method: Open Security (default mode)
– Open Security lets any database client access the grid disks
– It is suitable for test or development databases that have no security requirements
– It is the default security mode after a new storage cell is created
– To use this mode you set up no security for any Oracle ASM cluster or database client on the grid disks
– No security key files (cellkey.ora) are needed
Exadata Security – Concepts and Methods
Second method: ASM-Scoped Security mode
– When?
– When all databases of an Oracle ASM cluster should have access to specific grid disks
– When a particular Oracle ASM cluster, or a set of Oracle ASM clusters, may use the cell's grid disks
– Once ASM-Scoped Security is set up for an Oracle ASM cluster and a grid disk, that grid disk is available only to the databases of that Oracle ASM cluster
– Security key files (cellkey.ora) are required
Exadata Security – Concepts and Methods
Third method: Database-Scoped Security mode
– When?
– When specific database clients of an Oracle ASM cluster should have access to specific grid disks
– When grid disks are restricted to a set of databases within an Oracle ASM cluster
– This mode is appropriate when multiple databases access the cells and you want to control which database can access the specific grid disks that compose the Oracle ASM disk groups
– First set up ASM-Scoped Security, then set up Database-Scoped Security for specific databases and grid disks
– There is one key per database per host, and one access control list (ACL) entry per database on each cell
Exadata Security? – KEY is the answer
Understanding the cellkey.ora
– key (required): the key value, generated on the cell with CellCLI CREATE KEY, must match the key bound to the Oracle ASM cluster (or, for Database-Scoped Security, to the database) with the CellCLI ASSIGN KEY command
– asm (required): must match the Oracle ASM cluster unique name (the DB_UNIQUE_NAME of the Oracle ASM cluster). This is the name used in the availableTo attribute when configuring grid disks for security with the CellCLI CREATE GRIDDISK or ALTER GRIDDISK command
– realm (optional): if present, must match the realmName attribute of the cells in the realm
Exadata Security – Implementing
First method: Open Security
• It is the default option (nothing more to do)
Exadata Security – Implementing
Second method: ASM-Scoped Security
• Step 1 (database server side)
– Shut down the databases and Oracle ASM instances whose security configuration will change
• Step 2 (cell side)
– Create the security key with the CellCLI CREATE KEY command, which generates a random hexadecimal string
– Assign the key to the Oracle ASM cluster's DB_UNIQUE_NAME with the CellCLI ASSIGN KEY command
– Set the availableTo attribute of the grid disks to the Oracle ASM cluster unique name (the DB_UNIQUE_NAME of the ASM cluster, +ASM by default)
• Step 3 (database server side)
– Create /etc/oracle/cell/network-config/cellkey.ora on every database server, owned by the Oracle ASM (Grid Infrastructure) software owner with permission 600
– Start the Oracle ASM instances and databases that use the affected cells
• Step 4 (cell side)
– Verify ASM-Scoped Security: CellCLI LIST KEY shows the key bound to the cluster name, and LIST GRIDDISK ATTRIBUTES name, availableTo shows the cluster name on every grid disk that should be restricted
Exadata Security – Implementing
Third method: Database-Scoped Security
• Step 1 (database server side)
– Shut down the databases and Oracle ASM instances that use the affected cells
– Note: set up Database-Scoped Security only AFTER Oracle ASM-Scoped Security has been configured and tested
• Step 2 (cell side)
– Create the security key with the CellCLI CREATE KEY command
– Assign the key to the database unique name with the CellCLI ASSIGN KEY command
– Set the availableTo attribute of the grid disks to contain the database unique name (DB_UNIQUE_NAME) in addition to the Oracle ASM cluster name
– Important: keep the Oracle ASM cluster unique name and the database unique name apart; each has its own key
• Step 3 (database server side)
– Create $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora owned by the database software owner, readable and writable by the owner only (600)
• Step 4 (database server side)
– Start the Oracle ASM instances and the database instances only after the cellkey.ora configuration is complete on all database servers
– Verify at the grid disk level: availableTo now lists the Oracle ASM cluster name and the database name
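The following shell script is an added example and is not part of the original slides. It ties the cellkey.ora slide and the two implementation procedures above together: it renders and installs a cellkey.ora with the 600 permissions the slides require, audits an existing one the way a reviewer would, and prints the cell-side CellCLI sequence for ASM-Scoped and then Database-Scoped Security in the order given above. The ASM cluster name +ASM, the database name prod1, the grid disk names and the key strings are sample values constructed here; real keys come from CREATE KEY on a cell, and the printed commands are meant to be run on every cell through dcli -g cell_group -l celladmin cellcli -e '…' (the script itself never contacts a cell).

```shell
#!/bin/sh
# Added example (not from the original slides). Deploys and audits cellkey.ora
# files and prints the cell-side CellCLI sequence for ASM-Scoped and
# Database-Scoped Security. Sample values below (+ASM, prod1, key strings,
# grid disk names) are constructed for the example; real keys come from
# CREATE KEY on a cell. Nothing here contacts a cell: feed the printed
# commands to "dcli -g cell_group -l celladmin cellcli -e ..." yourself.

# Render the three cellkey.ora fields from the slides. key must be the value
# ASSIGN KEY bound to the ASM cluster (or database); asm is the ASM cluster's
# DB_UNIQUE_NAME; realm, if given, must equal the cells' realmName attribute.
render_cellkey() {            # render_cellkey KEY ASM_NAME [REALM]
  printf 'key=%s\n' "$1"
  printf 'asm=%s\n' "$2"
  [ -n "${3:-}" ] && printf 'realm=%s\n' "$3"
  return 0
}

# Write the file with mode 600 (umask 077 so the key is never readable by others,
# not even between create and chmod). Ownership is only changed when running as
# root: the Grid Infrastructure owner for /etc/oracle/cell/network-config/cellkey.ora,
# the database owner for $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora.
install_cellkey() {           # install_cellkey PATH OWNER KEY ASM_NAME [REALM]
  path=$1; owner=$2; shift 2
  mkdir -p "$(dirname "$path")"
  ( umask 077; render_cellkey "$@" > "$path" )
  chmod 600 "$path"
  [ "$(id -u)" -eq 0 ] && chown "$owner" "$path"
  return 0
}

# Audit an existing cellkey.ora: exactly mode 600, expected owner, a hexadecimal
# key= line and an asm= line. Returns 1 and lists every finding on stderr.
check_cellkey() {             # check_cellkey PATH OWNER
  f=$1; owner=$2; rc=0
  [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
  [ -n "$(find "$f" -prune -perm 600 -print)" ]      || { echo "$f: mode is not 600" >&2; rc=1; }
  [ -n "$(find "$f" -prune -user "$owner" -print)" ] || { echo "$f: owner is not $owner" >&2; rc=1; }
  grep -Eq '^key=[0-9a-fA-F]+$' "$f"   || { echo "$f: key= missing or not hexadecimal" >&2; rc=1; }
  grep -Eq '^asm=[^[:space:]]+$' "$f" || { echo "$f: asm= missing" >&2; rc=1; }
  return $rc
}

# Cell-side sequence for ASM-Scoped Security (step 2): bind the key to the ASM
# cluster name, then restrict the grid disks to that cluster.
cell_asm_scoped() {           # cell_asm_scoped ASM_NAME KEY GRIDDISKS
  printf "ASSIGN KEY FOR '%s'='%s'\n" "$1" "$2"
  printf "ALTER GRIDDISK %s availableTo='%s'\n" "$3" "$1"
}

# Cell-side sequence for Database-Scoped Security (step 2): a second key bound
# to the database unique name, and availableTo naming the cluster AND the database.
cell_db_scoped() {            # cell_db_scoped ASM_NAME DB_NAME KEY GRIDDISKS
  printf "ASSIGN KEY FOR '%s'='%s'\n" "$2" "$3"
  printf "ALTER GRIDDISK %s availableTo='%s,%s'\n" "$4" "$1" "$2"
}

# --- demo with constructed values ---
ASM_NAME='+ASM'; DB_NAME='prod1'
ASM_KEY='0d4fe3b9b12a4e6c8ac7a5e0a1d9f2c6'     # sample; take yours from CREATE KEY
DB_KEY='7c2e9a11ef3b4d0a9b5c6d8e1f2a3b4c'
echo '# cell side, ASM-scoped';      cell_asm_scoped "$ASM_NAME" "$ASM_KEY" ALL
echo '# cell side, database-scoped'; cell_db_scoped "$ASM_NAME" "$DB_NAME" "$DB_KEY" 'DATA_CD_00_cell01,DATA_CD_01_cell01'

tmp=$(mktemp -d)              # stand-in for /etc/oracle/cell/network-config
install_cellkey "$tmp/cellkey.ora" "$(id -un)" "$ASM_KEY" "$ASM_NAME"
check_cellkey "$tmp/cellkey.ora" "$(id -un)" && echo "$tmp/cellkey.ora: OK"
chmod 644 "$tmp/cellkey.ora"  # the classic mistake: key readable by every OS user
check_cellkey "$tmp/cellkey.ora" "$(id -un)" || echo 'rejected as expected'
rm -rf "$tmp"
```

Run it from a database server as the software owner that will own the file; with dcli the same install and check can be pushed to every node of the cluster so that content, ownership and mode stay identical, which is what the best-practice slide asks for.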
Exadata Security – Remove
Remove Database-Scoped Security
• Step 1 (database server side)
– Shut down the databases and Oracle ASM instances that use the affected cells
• Step 2 (cell side)
– Remove the database clients whose Database-Scoped Security is being dropped from the availableTo grid disk attribute, leaving only the Oracle ASM cluster name: ALTER GRIDDISK … availableTo='+ASM'
– Unassign the database's security key with the CellCLI ASSIGN KEY command by setting it to the empty string (ASSIGN KEY FOR 'db_unique_name'='')
– Important: Database-Scoped Security on a grid disk must be removed BEFORE Oracle ASM-Scoped Security
• Step 3 (database server side)
– Remove the cellkey.ora file in $ORACLE_HOME/admin/<db_unique_name>/pfile for the database client
– Start the Oracle ASM instances and databases that use the affected cells
– Note: if you want Open Security for the grid disks, remove Oracle ASM-Scoped Security only AFTER removing Database-Scoped Security
Exadata Security – Remove
Remove ASM-Scoped Security
• Step 1 (database server side)
– Shut down the databases and Oracle ASM instances that use the affected cells
• Step 2 (cell side)
– Remove the Oracle ASM cluster client from the availableTo grid disk attribute: ALTER GRIDDISK … availableTo=''
– If the Oracle ASM cluster client is no longer configured for security on any other grid disk, remove its key with the CellCLI ASSIGN KEY command: ASSIGN KEY FOR 'asm_cluster_name'=''
• Step 3 (database server side)
– Remove the cellkey.ora file in /etc/oracle/cell/network-config on every host of the Oracle ASM cluster
– Start the Oracle ASM instances and databases that use the affected cells
Exadata Security – Best Practices
• When configuring Exadata security the flow is always Open Security, then ASM-Scoped Security, then Database-Scoped Security; removal goes in the reverse order
• All grid disks that belong to the same Oracle ASM disk group should carry the same cell-side grid disk security, to avoid confusion and errors
• All Oracle RAC nodes in an Oracle ASM cluster should have the same content, ownership and permissions for the Oracle ASM cellkey.ora file
• All Oracle RAC nodes in a database cluster should have the same content, ownership and permissions for the database cellkey.ora file
• If Database-Scoped Security is implemented, implement it for all databases accessing the grid disks; do not mix Oracle ASM-Scoped Security and Database-Scoped Security
• Use the dcli utility to apply configuration changes consistently across all cells and database servers
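As an added example that is not part of the original slides, the script below audits the cell-side state from the output of the CellCLI command LIST GRIDDISK ATTRIBUTES name, availableTo. It enforces two of the rules above: it will not call the removal of ASM-Scoped Security safe while any grid disk is still Database-Scoped, and it flags disk groups whose grid disks do not all carry the same availableTo value. It assumes grid disk names follow the usual <DISKGROUP>_CD_<nn>_<cell> convention and that the ASM cluster name is +ASM; the SAMPLE listing is constructed here, not captured from a real cell.

```shell
#!/bin/sh
# Added example (not from the original slides). Audits the cell-side state from
# the output of the CellCLI command LIST GRIDDISK ATTRIBUTES name, availableTo:
# (a) refuses to call the removal of ASM-Scoped Security safe while any grid disk
# is still Database-Scoped, and (b) flags disk groups whose grid disks do not all
# carry the same availableTo. Assumptions: grid disk names follow the usual
# <DISKGROUP>_CD_<nn>_<cell> convention, the ASM cluster name is +ASM, and
# SAMPLE below is constructed output, not captured from a real cell.

SAMPLE='         DATA_CD_00_cell01      +ASM,prod1
         DATA_CD_01_cell01      +ASM,prod1
         DATA_CD_02_cell01      +ASM
         RECO_CD_00_cell01      +ASM
         RECO_CD_01_cell01      +ASM
         DBFS_DG_CD_02_cell01'

# One line per grid disk: "<name> <class> <availableTo>" where class is
#   open  - availableTo empty (Open Security)
#   asm   - only the ASM cluster name (ASM-Scoped Security)
#   db    - cluster name plus database name(s) (Database-Scoped Security)
#   other - a single name that is not our ASM cluster
classify_griddisks() {        # classify_griddisks ASM_NAME < list-output
  awk -v asm="$1" 'NF >= 1 {
      acl = (NF >= 2) ? $2 : ""
      n = split(acl, a, ",")
      if (n == 0)                     class = "open"
      else if (n == 1 && a[1] == asm) class = "asm"
      else if (n == 1)                class = "other"
      else                            class = "db"
      print $1, class, (acl == "" ? "-" : acl)
  }'
}

# Exit 0 only when no grid disk is still Database-Scoped. The slides require
# Database-Scoped Security to be removed before ASM-Scoped Security; dropping
# the cluster key first would cut off every database still named in availableTo.
safe_to_remove_asm_scoped() { # safe_to_remove_asm_scoped ASM_NAME < list-output
  pending=$(classify_griddisks "$1" | awk '$2 == "db" { print $1 }')
  if [ -n "$pending" ]; then
    printf 'remove Database-Scoped Security first on: %s\n' \
      "$(printf '%s' "$pending" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Print "<diskgroup> <value1>|<value2>..." for every disk group whose grid disks
# carry differing availableTo values (the best-practice rule above); exit 1 if any.
inconsistent_diskgroups() {   # inconsistent_diskgroups < list-output
  awk 'NF >= 1 {
      acl = (NF >= 2) ? $2 : "-"
      dg = $1; sub(/_CD_.*/, "", dg)
      if (!((dg, acl) in seen)) {
        seen[dg, acl] = 1
        vals[dg] = ((dg in cnt) ? (vals[dg] "|" acl) : acl)
        cnt[dg]++
      }
    }
    END { bad = 0; for (dg in cnt) if (cnt[dg] > 1) { print dg, vals[dg]; bad = 1 }; exit bad }'
}

# --- demo on the constructed sample ---
echo '# per grid disk'
printf '%s\n' "$SAMPLE" | classify_griddisks '+ASM'
echo '# disk groups with mixed security'
printf '%s\n' "$SAMPLE" | inconsistent_diskgroups || echo '# -> make these consistent before changing security'
echo '# safe to remove ASM-Scoped Security?'
if printf '%s\n' "$SAMPLE" | safe_to_remove_asm_scoped '+ASM'; then echo yes; else echo no; fi
```

On a real system replace the SAMPLE variable with the live listing, for example dcli -g cell_group -l celladmin "cellcli -e list griddisk attributes name, availableTo" (dcli prefixes each line with the cell name, so strip that first column before piping in). Running the consistency check before any ALTER GRIDDISK, and the removal check before ASSIGN KEY FOR '+ASM'='', catches the two ordering mistakes the slides warn about before a database loses its disks.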
Thank you for your time!
