6. oracle exadata security trend ecs (final)


Upload: doina-draganescu

Post on 11-May-2015


Exadata Security

Daniel Ignat

Trend – ECS Lead Team

Trend ECS (Expert Customer Services)

Agenda

Exadata Storage Server – Overview

Exadata Security – Concepts and Methods

Exadata Security – Implementing and Removing

Exadata Security – Best Practices

Exadata Overview

Our local market

Exadata Overview

About Exadata

Exadata Overview

Figure: Traditional Database Storage Deployment vs. Exadata Storage Deployment

Exadata Overview

Exadata Security

Exadata Overview

IORM

Exadata Security – Concepts and Methods

First method: Open Security (default mode)

Description

– Open-Security mode enables access by any DATABASE client to the grid disks

– It is useful for test or development databases where there are no security requirements

– This is the default security mode after creating a new storage cell

– To use this security mode, you do not set up any security functionality for an Oracle ASM Cluster or a DATABASE client for the grid disks

– You do not set up any security KEY files

Exadata Security – Concepts and Methods

Second method: ASM-Scoped Security mode

– When?

– When we need to set up security so that all DATABASES of an Oracle ASM Cluster have access to specific grid disks

– When a particular Oracle ASM Cluster or set of Oracle ASM Clusters can use the cell’s grid disks

– When Oracle ASM-Scoped Security is set up for an Oracle ASM Cluster and a grid disk, the grid disk is available only to the DATABASES on that Oracle ASM Cluster

– We need to set up security KEY files

Exadata Security – Concepts and Methods

Third method: Database-Scoped Security mode

– When?

– When we need to set up security so that specific DATABASE clients of an Oracle ASM Cluster have access to specific grid disks

– When grid disks are restricted to a set of DATABASES within an Oracle ASM Cluster

– This security mode is appropriate when multiple databases are accessing the cells and you want to control which database can access the specific grid disks that compose an Oracle ASM disk group

– First set up ASM-Scoped Security, then set up Database-Scoped Security for specific DATABASES and grid disks

– There is one KEY per DATABASE per HOST, and one access control list (ACL) entry per DATABASE on each cell

Exadata Security? – KEY is the answer

Understanding the cellkey.ora

– key (required) => this key value (created with CREATE KEY) must match the value of the key assigned to the Oracle ASM Cluster with the CellCLI ASSIGN KEY command

– asm (required) => this field must match the Oracle ASM Cluster unique name (DB_UNIQUE_NAME of the Oracle ASM Cluster). This is the name used when configuring grid disks for security with the CellCLI CREATE GRIDDISK or ALTER GRIDDISK command

– realm (optional) => if it is used, it must match the value of the realmName attribute of the cells in the realm

Exadata Security – Implementing

First method: Open-Security

• It is the “default option” (nothing more to do..)

Exadata Security – Implementing

Second method: ASM-Scoped Security

• Step 1 (Database Server side)

– Shut down the DATABASES and Oracle ASM instances that will have their security configuration changed

• Step 2 (Cell side)

– Create the security KEY with the CellCLI CREATE KEY command, which generates a random hexadecimal string

– Assign the security KEY to the Oracle ASM Cluster DB_UNIQUE_NAME with the CellCLI ASSIGN KEY command

– Set the availableTo attribute on the grid disks to contain the Oracle ASM Cluster or Oracle RAC Cluster unique name (DB_UNIQUE_NAME)

Exadata Security – Implementing

Second method: ASM-Scoped Security (..continued)

• Step 3 (Database Server side)

– Create the /etc/oracle/cell/network-config/cellkey.ora file, owned by the Oracle ASM software owner with permission 600

– Start up the Oracle ASM instances and DATABASES using the affected cells

Exadata Security – Implementing

Second method: ASM-Scoped Security (end)

• Step 4 (Cell side)

– Verify ASM-Scoped Security

Exadata Security – Implementing

Third method: Database-Scoped Security

• Step 1 (Database Server side)

– Shut down the DATABASES and Oracle ASM instances using the affected cells

– Note: you should only set up Database-Scoped Security AFTER configuring and testing Oracle ASM-Scoped Security

• Step 2 (Cell side)

– Create the security KEY using the CellCLI CREATE KEY command

– Assign the security KEY to the DATABASE unique name using the CellCLI ASSIGN KEY command

– Set the availableTo attribute on the grid disks to contain the DATABASE unique name (DB_UNIQUE_NAME)

– Important: make the distinction between the Oracle ASM unique name and the DATABASE unique name

Exadata Security – Implementing

Third method: Database-Scoped Security (..continued)

• Step 3 (Database Server side)

– Create the $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora file, owned by the database software owner with read-write permission only for the owner (600)

Exadata Security – Implementing

Third method: Database-Scoped Security (end)

• Step 4 (Database Server side)

– Start up the Oracle ASM instances and DATABASE instances only after the cellkey.ora configuration is complete on all computers

– Verify at the grid disk level
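The two cellkey.ora steps above (Step 3 of ASM-Scoped Security, where the file lives in /etc/oracle/cell/network-config, and Step 3 of Database-Scoped Security, where it lives under $ORACLE_HOME/admin/<db_unique_name>/pfile) differ only in the path, the owner and which KEY goes into the file. The Python script below is an added example, not part of the original presentation and not Oracle tooling: it creates a cellkey.ora that has mode 600 from the moment it exists (so the key is never world-readable, even briefly) and checks an existing file against the rules from the cellkey.ora slide: key is the 32-digit hexadecimal string CREATE KEY produces, asm matches the Oracle ASM Cluster DB_UNIQUE_NAME, realm is optional and, when present, matches the cells' realmName. The key value and cluster name in the demo are constructed and the function names are mine.

```python
"""Build and validate a cellkey.ora for Exadata ASM-Scoped or Database-Scoped
Security.  Added example: key values, paths and cluster names are constructed."""
import os
import re
import stat

# CellCLI CREATE KEY returns a random 32-digit hexadecimal string.
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")
REQUIRED_FIELDS = ("key", "asm")
OPTIONAL_FIELDS = ("realm",)


def parse_cellkey_ora(text):
    """Parse the name=value lines of a cellkey.ora into a dict (names lower-cased)."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected name=value, got {raw!r}")
        fields[name.strip().lower()] = value.strip()
    return fields


def check_cellkey(text, mode, expected_asm, realm_name=None):
    """Return a list of findings; an empty list means the file is acceptable.

    mode is the st_mode of the file (only the permission bits are used),
    expected_asm the DB_UNIQUE_NAME of the Oracle ASM Cluster the key was
    assigned for, realm_name the cells' realmName attribute if realms are used."""
    findings = []
    if stat.S_IMODE(mode) != 0o600:
        findings.append(f"permission is {stat.S_IMODE(mode):04o}, must be 0600")
    try:
        fields = parse_cellkey_ora(text)
    except ValueError as exc:
        return findings + [str(exc)]
    for name in REQUIRED_FIELDS:
        if name not in fields:
            findings.append(f"required field '{name}' is missing")
    for name in fields:
        if name not in REQUIRED_FIELDS + OPTIONAL_FIELDS:
            findings.append(f"unknown field '{name}'")
    key = fields.get("key", "")
    if key and not HEX_KEY_RE.match(key):
        findings.append("key is not a 32-digit hexadecimal string")
    asm = fields.get("asm")
    if asm is not None and asm != expected_asm:
        findings.append(f"asm is '{asm}', expected '{expected_asm}'")
    realm = fields.get("realm")
    if realm is not None and realm_name is not None and realm != realm_name:
        findings.append(f"realm is '{realm}', expected '{realm_name}'")
    return findings


def write_cellkey_ora(path, key, asm, realm=None):
    """Create cellkey.ora with mode 0600 from the start and return its content."""
    lines = [f"key={key}", f"asm={asm}"]
    if realm:
        lines.append(f"realm={realm}")
    content = "\n".join(lines) + "\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # the file may have pre-existed with wider permissions
    return content


def validate_cellkey_file(path, expected_asm, realm_name=None):
    """Read and stat an existing cellkey.ora and run check_cellkey on it."""
    with open(path) as fh:
        text = fh.read()
    return check_cellkey(text, os.stat(path).st_mode, expected_asm, realm_name)


if __name__ == "__main__":
    import tempfile
    # Constructed stand-ins for the CREATE KEY output and the ASM cluster name.
    demo_key = "0123456789abcdef0123456789abcdef"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cellkey.ora")
        write_cellkey_ora(path, demo_key, "+ASM")
        print("findings:", validate_cellkey_file(path, "+ASM"))
```

Run validate_cellkey_file against /etc/oracle/cell/network-config/cellkey.ora as the Oracle ASM software owner, or against the database's pfile copy as the database software owner; with dcli it can be run on every node of the cluster so the best practice that all nodes carry identical content and permissions can be confirmed rather than assumed.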

Exadata Security – Remove

Remove - Database-Scoped Security

• Step 1 (Database Server side)

– Shut down the DATABASES and Oracle ASM instances using the affected cells

• Step 2 (Cell side)

– Remove any DATABASE clients named in the availableTo grid disk attribute for which you want to remove Database-Scoped Security, with the CellCLI ALTER GRIDDISK … availableTo=`+ASM` command

– Unassign the security KEY from the DATABASE with the CellCLI ASSIGN KEY command, setting it to the NULL string

– Important: you must remove Database-Scoped Security on a grid disk BEFORE removing Oracle ASM-Scoped Security

• Step 3 (Database Server side)

– Remove the cellkey.ora file located in the $ORACLE_HOME/admin/<db_unique_name>/pfile directory for the DATABASE client

– Start up the Oracle ASM instances and DATABASES using the affected cells

– Note: if you want Open-Security for the grid disks, then you must remove Oracle ASM-Scoped Security AFTER removing Database-Scoped Security

Exadata Security – Remove

Remove - ASM-Scoped Security

• Step 1 (Database Server side)

– Shut down the DATABASES and Oracle ASM instances using the affected cells

• Step 2 (Cell side)

– Remove the Oracle ASM Cluster client named in the availableTo grid disk attribute with the CellCLI ALTER GRIDDISK … availableTo=`` command

– If the Oracle ASM Cluster client is not configured for security with any other grid disks, then you can remove the KEY with the CellCLI ASSIGN KEY command: ASSIGN KEY FOR asm_cluster=``

• Step 3 (Database Server side)

– Remove the cellkey.ora file located in the /etc/oracle/cell/network-config directory on each computer host in the Oracle ASM Cluster

– Start up the Oracle ASM instances and DATABASES using the affected cells

Exadata Security

Best Practices

• When configuring Exadata Security the flow is always from Open-Security to ASM-Scoped Security to Database-Scoped Security. When removing security the same flow applies, but in reverse order

• All grid disks that belong to the same Oracle ASM disk group have the same cell-side grid disk security defined, to avoid confusion and errors

• All Oracle RAC nodes in an Oracle ASM cluster have the same content, ownership, and security for the Oracle ASM cellkey.ora file

• All Oracle RAC nodes in a DATABASE cluster have the same content, ownership, and security for the DATABASE cellkey.ora file

• If Database-Scoped Security is implemented, then be sure it is implemented for all DATABASES accessing the grid disks. Do not mix Oracle ASM-Scoped Security and Database-Scoped Security

• Use the DCLI utility to make configuration changes consistently across cells and nodes
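A check for two of the practices above: every grid disk of an Oracle ASM disk group carries the same availableTo value, and ASM-Scoped and Database-Scoped Security are not mixed. This Python audit is an added example, not from the presentation and not Oracle tooling. It parses the output of `LIST GRIDDISK ATTRIBUTES name,asmDiskGroupName,availableTo` as collected from several cells with dcli (each line prefixed with the cell name), groups grid disks by disk group and reports deviations. The cell, grid disk and client names in SAMPLE_OUTPUT are constructed, the whitespace column layout is assumed, and the set of Oracle ASM Cluster unique names used to tell an ASM-scoped disk group from a database-scoped one is supplied by the caller.

```python
"""Audit the availableTo attribute of Exadata grid disks against the
best practices above.  Added example; SAMPLE_OUTPUT is constructed."""
from collections import defaultdict

# Constructed sample in dcli form, "<cell>: <name> <asmDiskGroupName> <availableTo>",
# as collected with something like:
#   dcli -g cell_group -l celladmin \
#       "cellcli -e LIST GRIDDISK ATTRIBUTES name,asmDiskGroupName,availableTo"
# An empty availableTo (Open Security) leaves the line with only two columns.
SAMPLE_OUTPUT = """\
cel01: DATA_CD_00_cel01  DATA  +ASM
cel01: DATA_CD_01_cel01  DATA  +ASM
cel02: DATA_CD_00_cel02  DATA  +ASM
cel02: DATA_CD_01_cel02  DATA  +ASM
cel01: RECO_CD_00_cel01  RECO  +ASM,DB1,DB2
cel02: RECO_CD_00_cel02  RECO  +ASM,DB1,DB2
cel01: TEST_CD_00_cel01  TEST  +ASM
cel02: TEST_CD_00_cel02  TEST
cel01: DBFS_CD_00_cel01  DBFS
cel02: DBFS_CD_00_cel02  DBFS
"""


def parse_griddisk_listing(text):
    """Return [(cell, griddisk, diskgroup, frozenset(clients)), ...]."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cell, _, rest = line.partition(":")
        parts = rest.split()
        if len(parts) < 2:
            raise ValueError(f"unparseable line: {raw!r}")
        clients = frozenset(parts[2].split(",")) if len(parts) > 2 else frozenset()
        rows.append((cell.strip(), parts[0], parts[1], clients - {""}))
    return rows


def security_mode(clients, asm_clusters):
    """Classify one availableTo value as open, asm-scoped or database-scoped."""
    if not clients:
        return "open"
    if clients <= asm_clusters:
        return "asm-scoped"
    return "database-scoped"


def audit_griddisks(text, asm_clusters):
    """Return (mode per disk group, list of findings).

    asm_clusters is the set of Oracle ASM Cluster unique names (DB_UNIQUE_NAME)
    known to the caller; any other name in availableTo is taken to be a DATABASE."""
    asm_clusters = frozenset(asm_clusters)
    by_group = defaultdict(dict)          # diskgroup -> {"griddisk@cell": clients}
    for cell, name, diskgroup, clients in parse_griddisk_listing(text):
        by_group[diskgroup][f"{name}@{cell}"] = clients

    modes, findings = {}, []
    for diskgroup, disks in sorted(by_group.items()):
        variants = set(disks.values())
        if len(variants) > 1:
            # Best practice: every grid disk of a disk group has the same security.
            detail = "; ".join(
                f"{disk}: {','.join(sorted(c)) or '<open>'}" for disk, c in sorted(disks.items()))
            findings.append(f"disk group {diskgroup}: availableTo differs across grid disks ({detail})")
            modes[diskgroup] = "inconsistent"
            continue
        clients = next(iter(variants))
        modes[diskgroup] = security_mode(clients, asm_clusters)
        if modes[diskgroup] == "database-scoped" and not (clients & asm_clusters):
            # Database-Scoped Security is layered on ASM-Scoped Security, so the
            # Oracle ASM Cluster name is expected to stay in availableTo beside the databases.
            findings.append(f"disk group {diskgroup}: availableTo names databases but no Oracle ASM Cluster")

    scoped = {m for m in modes.values() if m in ("asm-scoped", "database-scoped")}
    if len(scoped) == 2:
        # Best practice: do not mix ASM-Scoped and Database-Scoped Security.
        mixed = ", ".join(f"{dg}={m}" for dg, m in sorted(modes.items()) if m in scoped)
        findings.append(f"ASM-Scoped and Database-Scoped Security are mixed across disk groups: {mixed}")
    return modes, findings


if __name__ == "__main__":
    modes, findings = audit_griddisks(SAMPLE_OUTPUT, {"+ASM"})
    for diskgroup, mode in sorted(modes.items()):
        print(f"{diskgroup:<6} {mode}")
    for finding in findings:
        print("FINDING:", finding)
```

On the constructed sample the audit classifies DATA as asm-scoped, RECO as database-scoped and DBFS as open, flags TEST because one of its grid disks was left open, and flags the coexistence of an asm-scoped and a database-scoped disk group. Running it before and after each ALTER GRIDDISK step in the implementing and removing procedures gives a concrete check that the cell side ended up in the intended state.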

Thank you for your time!
