8. – Open-Security modes enables access by any DATABASE client to a grid disks
– It is useful for test or development database where are no security requirements
– This is the default security mode after creating a new storage cell
– To use this security mode, you do not set up any security functionality for an Oracle
ASM Cluster or a DATABASE client for the grid disks
– You do not set up any security KEY files
Exadata Security – Concepts and Methods
First method: Open Security (Default mode)
Trend ECS (Expert Customer
Services)
9. – When?
– When we need to set up security so that all DATABASES of an Oracle ASM Cluster
have access to specific grid disks
– When a particular Oracle ASM Cluster or set of Oracle ASM Clusters can use the
cell’s grid disks
– When Oracle ASM-Scoped Security is set up for an Oracle ASM Cluster and grid disk,
the grid disk are available only to the DATABASES on the Oracle ASM Cluster
– We need to setup security KEY files
Exadata Security – Concepts and Methods
Second method: ASM-Scoped Security mode
Trend ECS (Expert Customer
Services)
10. – When?
– When we need to set up security so that specific DATABASE clients of an Oracle ASM
Cluster have access to specific grid disks
– When grid disks are restricted to a set of DATABASE within an Oracle ASM Cluster
– This security mode is appropriate when multiple database are accessing cells, and
you want to control which database can access specific grid disks that compose
Oracle ASM disk groups
– First set up ASM-Scoped Security, then set up Database-Scoped Security for specific
DATABASE and grid disks
– There is one KEY per DATABASE per HOST, and one access control list (ACL) entry per
DATABASE on each cell
Exadata Security – Concepts and Methods
Third method: Database-Scoped Security mode
Trend ECS (Expert Customer
Services)
11. – key (required) => this key (created with CREATE KEY) value must match the
value of the key assigned to the Oracle ASM Cluster with the CellCLI ASSIGN KEY
command
– asm (required) => this field must match the value of the Oracle ASM Cluster
unique name (DB_UNIQUE_NAME of the Oracle ASM Cluster). This is the name used
when configuring grid disks for security with CellCLI CREATE GRIDDISK or
ALTER GRIDDISK command
– realm (optional) => If is used, then must match the value of the realName
attribute of the cells in the realm
Exadata Security? – KEY is the answer
Understanding the cellkey.ora
Trend ECS (Expert Customer
Services)
12. • It is the “Default option” (nothing more to do..)
Exadata Security – Implementing
First method: Open-Security
Trend ECS (Expert Customer
Services)
13. • Step 1 (Database Server side)
– Shutdown the DATABASES and Oracle ASM instances that will have their security configuration
changed
• Step 2 (Cell side)
– Create the security KEY using CREATE KEY using CellCLI command to generate random
hexadecimal string
– Assign the security KEY to the Oracle ASM Cluster DB_UNIQUE_NAME using the ASSIGN KEY
from CellCLI command
– Set the (availableTo) attribute on the grid disks to contain the Oracle ASM Cluster or Oracle
RAC Cluster unique name (DB_UNIQUE_NAME)
Exadata Security – Implementing
Second method: ASM-Scoped Security
Trend ECS (Expert Customer
Services)
14. • Step 3 (Database Server side)
– Create the /etc/oracle/cell/network-config/cellkey.ora file owned by Oracle
ASM software owner with permission 600
– Startup Oracle ASM instances and DATABASES using affected cell’s
Exadata Security – Implementing
Second method: ASM-Scoped Security (..continued)
Trend ECS (Expert Customer
Services)
16. • Step 1 (Database Server side)
– Shutdown DATABASES and Oracle ASM instances using affected cells
– Note: You should only set up Database-Scoped Security - AFTER configuring and testing Oracle
ASM-Scoped Security
• Step 2 (Cell side)
– Create the security KEY using the CREATE KEY CellCLI command
– Assign the security KEY to the DATABASE unique name using ASSIGN KEY CellCLI command
– Set the (availableTo) attribute on the grid disks to contain the DATABASE unique name
(DB_UNIQUE_NAME)
– Important: Make distinction between Oracle ASM unique name and DATABASE unique name
Exadata Security – Implementing
Third method: Database-Scoped Security
Trend ECS (Expert Customer
Services)
17. • Step 3 (Database Server side)
– Create the $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora file
owned by database software owner with read-write permission only to owner (600)
Exadata Security – Implementing
Third method: Database-Scoped Security (..continued)
Trend ECS (Expert Customer
Services)
18. • Step 4 (Database Server side)
– Startup Oracle ASM instances and DATABASE instance only after cellkey.ora file
configuration is complete for all computers
– Verify at the grid disk level
Exadata Security – Implementing
Third method: Database-Scoped Security (end)
Trend ECS (Expert Customer
Services)
19. • Step 1 (Database Server side)
– Shutdown DATABASES and Oracle ASM instances using affected cells
• Step 2 (Cell side)
– Remove any DATABASE clients named in the (availableTo) grid disk attribute for which you
want to remove Database-Scoped Security with ALTER GRIDDISK …
availableTo=`+ASM` CellCLI command
– Unassign the security KEY to the DATABASE using the ASSIGN CellCLI command to set it to the
NULL string
– Important: You must remove Database-Scoped Security on a grid disk BEFORE removing Oracle
ASM-Scoped Security
• Step 3 (Database Server side)
– Remove the cellkey.ora file located in the
$ORACLE_HOME/admin/db_unique_name./pfile directory for the DATABASE client
– Startup Oracle ASM instances and DATABASES using affected cells
– Note: if you want Open-Security for the grid disks, then you must remove Oracle ASM-Scoped
security AFTER removing the Database-Scoped Security
Exadata Security – Remove
Remove - Database-Scoped Security
Trend ECS (Expert Customer
Services)
20. • Step 1 (Database Server side)
– Shutdown DATABASES and Oracle ASM instances using affected cells
• Step 2 (Cell side)
– Remove the Oracle ASM Cluster client named in the (availableTo) grid disk attribute with
ALTER GRIDDISK … availableTo=`` CellCLI command
– If the Oracle ASM Cluster client is not configured for security with any other grid disks, then you
can remove the KEY with the CellCLI ASSIGN KEY command: ASSIGN KEY FOR
asm_cluster=``
• Step 3 (Database Server side)
– Remove the cellkey.ora file located in the /etc/oracle/cell/network-config
directory on each computer host in the Oracle ASM Cluster
– Startup Oracle ASM instances and DATABASES using affected cells
Exadata Security – Remove
Remove - ASM-Scoped Security
Trend ECS (Expert Customer
Services)
21. • When is configuring Exadata Security the flow is always from Open-Security to ASM-Scoped
Security to Database-Scope Security. Similarly, when removing security, but in a reverse order
• All grid disks that belong to the same Oracle ASM disk group have the same Cell-Side grid disk
security defined to avoid confusion and errors
• All Oracle RAC nodes in an Oracle ASM cluster have the same content, ownership, and security
for the Oracle ASM cellkey.ora file
• All Oracle RAC nodes in a DATABASE cluster have the same content, ownership, and security for
the DATABASE cellkey.ora file
• If Database-Scoped Security is implemented, then be sure it is implemented for all DATABASES
accessing the grid disks. Do not mix Oracle ASM-Scoped Security and Database-Scoped Security
• Use DCLI utility to make configuration changes consistency
Exadata Security
Best Practices
Trend ECS (Expert Customer
Services)
22. Thank you for your time!
Exadata Security
Best Practices
Trend ECS (Expert Customer
Services)
