Oracle Exadata Security (Trend ECS)
Agenda
Exadata Storage Server – Overview
Exadata Security – Concepts and Methods
Exadata Security – Implementing and Removing
Exadata Security – Best Practices
Trend ECS (Expert Customer Services)
Exadata Overview
(Diagram: Traditional Database Storage Deployment vs. Exadata Storage Deployment)
Exadata Security – Concepts and Methods
First method: Open Security (Default mode)
– Open Security mode allows any database client that can reach the cell to access its grid disks
– It is useful for test or development databases where there are no security requirements
– This is the default security mode after a new storage cell is created
– To use this security mode, you do not set up any security functionality for an Oracle ASM cluster or a database client on the grid disks
– You do not set up any security key files (cellkey.ora)
Exadata Security – Concepts and Methods
Second method: ASM-Scoped Security mode
– When?
– When all databases of an Oracle ASM cluster need access to specific grid disks
– When a particular Oracle ASM cluster, or a set of Oracle ASM clusters, may use the cell's grid disks
– When Oracle ASM-Scoped Security is set up for an Oracle ASM cluster and a grid disk, the grid disk is available only to the databases on that Oracle ASM cluster
– Security key files (cellkey.ora) must be set up
Exadata Security – Concepts and Methods
Third method: Database-Scoped Security mode
– When?
– When specific database clients of an Oracle ASM cluster need access to specific grid disks
– When grid disks are restricted to a set of databases within an Oracle ASM cluster
– This security mode is appropriate when multiple databases access the cells and you want to control which database can access the specific grid disks that compose an Oracle ASM disk group
– First set up ASM-Scoped Security, then set up Database-Scoped Security for the specific databases and grid disks
– There is one key per database per host, and one access control list (ACL) entry per database on each cell
Exadata Security? – KEY is the answer
Understanding the cellkey.ora
– key (required) => the key value (generated on the cell with CREATE KEY) must match the value of the key assigned to the Oracle ASM cluster with the CellCLI ASSIGN KEY command
– asm (required) => this field must match the Oracle ASM cluster unique name (DB_UNIQUE_NAME of the Oracle ASM cluster). This is the name used when configuring grid disks for security with the CellCLI CREATE GRIDDISK or ALTER GRIDDISK command (availableTo attribute)
– realm (optional) => if it is used, it must match the value of the realmName attribute of the cells in the realm
Exadata Security – Implementing
First method: Open Security
• It is the default option (nothing more to do)
Exadata Security – Implementing
Second method: ASM-Scoped Security
• Step 1 (Database Server side)
– Shut down the databases and Oracle ASM instances whose security configuration will be changed
• Step 2 (Cell side)
– Create the security key with the CellCLI CREATE KEY command, which generates a random hexadecimal string
– Assign the security key to the Oracle ASM cluster DB_UNIQUE_NAME with the CellCLI ASSIGN KEY command
– Set the availableTo attribute on the grid disks to contain the Oracle ASM cluster or Oracle RAC cluster unique name (DB_UNIQUE_NAME)
Exadata Security – Implementing
Second method: ASM-Scoped Security (continued)
• Step 3 (Database Server side)
– Create the /etc/oracle/cell/network-config/cellkey.ora file, owned by the Oracle ASM software owner, with permission 600
– Start up the Oracle ASM instances and databases that use the affected cells
Exadata Security – Implementing
Second method: ASM-Scoped Security (end)
• Step 4 (Cell side)
– Verify ASM-Scoped Security (for example, check that the availableTo attribute of the grid disks names the Oracle ASM cluster with LIST GRIDDISK ATTRIBUTES name, availableTo)
Exadata Security – Implementing
Third method: Database-Scoped Security
• Step 1 (Database Server side)
– Shut down the databases and Oracle ASM instances using the affected cells
– Note: set up Database-Scoped Security only AFTER configuring and testing Oracle ASM-Scoped Security
• Step 2 (Cell side)
– Create the security key with the CellCLI CREATE KEY command
– Assign the security key to the database unique name with the CellCLI ASSIGN KEY command
– Set the availableTo attribute on the grid disks to contain the database unique name (DB_UNIQUE_NAME) in addition to the Oracle ASM cluster name
– Important: distinguish between the Oracle ASM cluster unique name and the database unique name
Exadata Security – Implementing
Third method: Database-Scoped Security (continued)
• Step 3 (Database Server side)
– Create the $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora file, owned by the database software owner, with read-write permission for the owner only (600)
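The file created in this step, in Step 3 of ASM-Scoped Security, and described under "Understanding the cellkey.ora" has the same three-field format (key=, asm=, optional realm=); the two modes differ only in the path and the owning user. The bash helper below is an added example, not Oracle tooling and not part of the original deck: it writes the file so that it is mode 600 from the moment it exists, and re-checks ownership, permissions and field contents on each node. The function names, the check that the key is a 32-character hexadecimal string, and the sample key and cluster name are this example's own assumptions; the cell-side CellCLI steps (CREATE KEY, ASSIGN KEY, ALTER GRIDDISK) are not automated here.

```shell
#!/bin/bash
# Added example (not Oracle tooling): database-server side handling of cellkey.ora.
# Cell-side steps (CREATE KEY, ASSIGN KEY, ALTER GRIDDISK ... availableTo) stay in CellCLI.
set -u

# write_cellkey_ora PATH KEY ASM_CLUSTER [REALM]
# PATH is /etc/oracle/cell/network-config/cellkey.ora for ASM-Scoped Security (run as the
# grid owner) or $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora for Database-Scoped
# Security (run as the database software owner). KEY is the value returned by CREATE KEY
# and given to ASSIGN KEY; ASM_CLUSTER is the name used in ASSIGN KEY and availableTo.
write_cellkey_ora() {
    local path="$1" key="$2" asm="$3" realm="${4:-}"
    # Assumption: CREATE KEY returns a 32-character hexadecimal string. Rejecting anything
    # else catches a truncated paste before ASM fails to mount the disk group.
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        echo "write_cellkey_ora: key is not a 32-character hex string" >&2
        return 1
    fi
    if [ -z "$asm" ]; then
        echo "write_cellkey_ora: ASM cluster name is empty" >&2
        return 1
    fi
    mkdir -p "$(dirname "$path")" || return 1
    # umask 077 in a subshell: the file is mode 600 from creation, so the key is never
    # group- or world-readable, not even briefly before a later chmod.
    (
        umask 077
        {
            echo "key=$key"
            echo "asm=$asm"
            # realm is optional and must equal the cells' realmName attribute when used
            if [ -n "$realm" ]; then echo "realm=$realm"; fi
        } > "$path"
    )
}

# check_cellkey_ora PATH [EXPECTED_ASM]
# Succeeds only if the file is owned by the current user, is mode 600, has a well-formed
# key= line and an asm= line (matching EXPECTED_ASM when given).
check_cellkey_ora() {
    local path="$1" expected_asm="${2:-}" mode key asm
    if [ ! -f "$path" ]; then
        echo "check_cellkey_ora: $path does not exist" >&2
        return 1
    fi
    if [ ! -O "$path" ]; then
        echo "check_cellkey_ora: $path is not owned by $(id -un)" >&2
        return 1
    fi
    mode=$(ls -ld "$path" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "check_cellkey_ora: $path has mode $mode, expected -rw------- (600)" >&2
        return 1
    fi
    key=$(sed -n 's/^key=//p' "$path")
    asm=$(sed -n 's/^asm=//p' "$path")
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        echo "check_cellkey_ora: missing or malformed key= line" >&2
        return 1
    fi
    if [ -z "$asm" ]; then
        echo "check_cellkey_ora: missing asm= line" >&2
        return 1
    fi
    if [ -n "$expected_asm" ] && [ "$asm" != "$expected_asm" ]; then
        echo "check_cellkey_ora: asm=$asm does not match the ASM cluster name $expected_asm used in ASSIGN KEY/availableTo" >&2
        return 1
    fi
    return 0
}

# Usage (ASM-Scoped Security, run as the grid owner on every RAC node, e.g. via dcli):
#   write_cellkey_ora /etc/oracle/cell/network-config/cellkey.ora <key from CREATE KEY> <asm_cluster_name>
#   check_cellkey_ora /etc/oracle/cell/network-config/cellkey.ora <asm_cluster_name>
```

Run check_cellkey_ora on every node before starting ASM or the database: a node whose copy has a different asm= value, a wider mode, or a different owner is exactly the inconsistency the best practices on the last slide warn about, and it is cheaper to catch here than as a failed disk group mount.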
Exadata Security – Implementing
Third method: Database-Scoped Security (end)
• Step 4 (Database Server side)
– Start up the Oracle ASM instances and database instances only after the cellkey.ora configuration is complete on all database servers
– Verify at the grid disk level
Exadata Security – Remove
Remove - Database-Scoped Security
• Step 1 (Database Server side)
– Shut down the databases and Oracle ASM instances using the affected cells
• Step 2 (Cell side)
– Remove the database clients for which you want to remove Database-Scoped Security from the availableTo grid disk attribute, leaving only the Oracle ASM cluster name, with the CellCLI command ALTER GRIDDISK … availableTo='+ASM' (here +ASM is the Oracle ASM cluster unique name)
– Unassign the security key of the database with the CellCLI ASSIGN KEY command, setting it to the empty string: ASSIGN KEY FOR 'db_unique_name'=''
– Important: you must remove Database-Scoped Security on a grid disk BEFORE removing Oracle ASM-Scoped Security
• Step 3 (Database Server side)
– Remove the cellkey.ora file located in the $ORACLE_HOME/admin/<db_unique_name>/pfile directory of the database client
– Start up the Oracle ASM instances and databases using the affected cells
– Note: if you want Open Security for the grid disks, remove Oracle ASM-Scoped Security AFTER removing Database-Scoped Security
Exadata Security – Remove
Remove - ASM-Scoped Security
• Step 1 (Database Server side)
– Shut down the databases and Oracle ASM instances using the affected cells
• Step 2 (Cell side)
– Remove the Oracle ASM cluster client from the availableTo grid disk attribute with the CellCLI command ALTER GRIDDISK … availableTo=''
– If the Oracle ASM cluster client is not configured for security on any other grid disks, you can remove the key with the CellCLI ASSIGN KEY command: ASSIGN KEY FOR 'asm_cluster_name'=''
• Step 3 (Database Server side)
– Remove the cellkey.ora file located in the /etc/oracle/cell/network-config directory on each database server host in the Oracle ASM cluster
– Start up the Oracle ASM instances and databases using the affected cells
Exadata Security
Best Practices
• When configuring Exadata security, the flow is always from Open Security to ASM-Scoped Security to Database-Scoped Security; when removing security, follow the same flow in reverse order
• All grid disks that belong to the same Oracle ASM disk group should have the same cell-side grid disk security defined, to avoid confusion and errors
• All Oracle RAC nodes in an Oracle ASM cluster should have the same content, ownership, and permissions for the Oracle ASM cellkey.ora file
• All Oracle RAC nodes in a database cluster should have the same content, ownership, and permissions for the database cellkey.ora file
• If Database-Scoped Security is implemented, be sure it is implemented for all databases accessing the grid disks. Do not mix Oracle ASM-Scoped Security and Database-Scoped Security on the same grid disks
• Use the DCLI utility to make configuration changes consistently across cells and database servers
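Step 4 of ASM-Scoped Security ("Verify ASM-Scoped Security") and the best practices above about keeping the same cell-side security on every grid disk of a disk group, and not mixing ASM-Scoped and Database-Scoped Security, can all be checked from one CellCLI listing. The bash/awk script below is an added example, not part of the deck and not an Oracle tool: it reads the output of LIST GRIDDISK ATTRIBUTES name, availableTo (for example collected with dcli and cellcli -e) from stdin and reports grid disks that are still open, grid disks whose availableTo does not include the expected ASM cluster, and disk groups whose members carry different availableTo lists. The sample listing, the cluster and database names, and the assumption that the disk group is the grid disk name prefix before "_CD_" are constructed for this example.

```shell
#!/bin/bash
# Added example (not Oracle tooling): audit grid disk security from a CellCLI listing.
#
# audit_griddisks EXPECTED_ASM  < output of: LIST GRIDDISK ATTRIBUTES name, availableTo
# Prints one finding per line and returns 1 if anything was found, 0 if clean.
# Typical collection on the database server (cells listed in cell_group):
#   dcli -g cell_group -l celladmin cellcli -e "LIST GRIDDISK ATTRIBUTES name, availableTo" \
#     | awk '{sub(/^[^:]*: /, ""); print}' | audit_griddisks cluster1
audit_griddisks() {
    local expected_asm="${1:-}"
    awk -v asm="$expected_asm" '
    # canon(list): comma list in sorted order so "hrdb,cluster1" equals "cluster1,hrdb"
    function canon(list,    n, parts, i, j, t, out) {
        n = split(list, parts, ",")
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (parts[j] < parts[i]) { t = parts[i]; parts[i] = parts[j]; parts[j] = t }
        out = ""
        for (i = 1; i <= n; i++) out = out (i > 1 ? "," : "") parts[i]
        return out
    }
    # has(list, item): 1 if item is one of the comma-separated entries
    function has(list, item,    n, parts, i) {
        n = split(list, parts, ",")
        for (i = 1; i <= n; i++) if (parts[i] == item) return 1
        return 0
    }
    NF >= 1 {
        name  = $1
        avail = (NF >= 2) ? canon($2) : ""   # empty availableTo means Open Security
        # Assumption: grid disks are named <diskgroup>_CD_<nn>_<cell>, so the text before
        # "_CD_" identifies the ASM disk group the grid disk belongs to.
        idx = index(name, "_CD_")
        dg  = (idx > 0) ? substr(name, 1, idx - 1) : name
        if (avail == "") {
            print "OPEN     " name " (availableTo is empty: any client on the storage network can use it)"
            findings++
        } else if (!has(avail, asm)) {
            # Under ASM-Scoped or Database-Scoped Security the ASM cluster name must be listed
            print "MISMATCH " name " availableTo=" avail " does not include ASM cluster " asm
            findings++
        }
        # Every grid disk of one disk group should carry the same availableTo list;
        # a difference means mixed modes (or a half-applied ALTER GRIDDISK).
        if (!(dg in first)) {
            first[dg] = avail; firstname[dg] = name
        } else if (first[dg] != avail && !(dg in reported)) {
            print "MIXED    disk group " dg ": " firstname[dg] " has \"" first[dg] "\" but " name " has \"" avail "\""
            reported[dg] = 1
            findings++
        }
    }
    END { exit (findings > 0) ? 1 : 0 }
    '
}
```

Run it once per cell (or on the combined dcli output after stripping the cell-name prefix, as in the comment) after every ASSIGN KEY or ALTER GRIDDISK change; a clean run is the verification the deck asks for in Step 4, and a MIXED line on a disk group is the situation the best practices tell you to avoid.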