6. oracle exadata security trend ecs (final)
1. Exadata Security
   Daniel Ignat
   Trend – ECS Lead Team
   Trend ECS (Expert Customer Services)

2. Agenda
   • Exadata Storage Server – Overview
   • Exadata Security – Concepts and Methods
   • Exadata Security – Implementing and Remove
   • Exadata Security – Best Practices

3. Exadata Overview – Our local market

4. Exadata Overview – About Exadata

5. Exadata Overview – Traditional Database Storage Deployment vs. Exadata Storage Deployment

6. Exadata Overview – Exadata Security

7. Exadata Overview – IORM (Description)

8. Exadata Security – Concepts and Methods
   First method: Open Security (Default mode)
   – Open-Security mode enables access by any DATABASE client to the grid disks
   – It is useful for test or development databases where there are no security requirements
   – This is the default security mode after creating a new storage cell
   – To use this security mode, you do not set up any security functionality for an Oracle ASM Cluster or a DATABASE client for the grid disks
   – You do not set up any security KEY files

9. Exadata Security – Concepts and Methods
   Second method: ASM-Scoped Security mode
   – When?
   – When we need to set up security so that all DATABASES of an Oracle ASM Cluster have access to specific grid disks
   – When a particular Oracle ASM Cluster or set of Oracle ASM Clusters can use the cell's grid disks
   – When Oracle ASM-Scoped Security is set up for an Oracle ASM Cluster and grid disk, the grid disk is available only to the DATABASES on that Oracle ASM Cluster
   – We need to set up security KEY files

10. Exadata Security – Concepts and Methods
   Third method: Database-Scoped Security mode
   – When?
   – When we need to set up security so that specific DATABASE clients of an Oracle ASM Cluster have access to specific grid disks
   – When grid disks are restricted to a set of DATABASES within an Oracle ASM Cluster
   – This security mode is appropriate when multiple databases are accessing cells, and you want to control which database can access the specific grid disks that compose Oracle ASM disk groups
   – First set up ASM-Scoped Security, then set up Database-Scoped Security for specific DATABASES and grid disks
   – There is one KEY per DATABASE per HOST, and one access control list (ACL) entry per DATABASE on each cell

11. Exadata Security? – KEY is the answer
   Understanding the cellkey.ora
   – key (required) => this key value (created with CREATE KEY) must match the value of the key assigned to the Oracle ASM Cluster with the CellCLI ASSIGN KEY command
   – asm (required) => this field must match the Oracle ASM Cluster unique name (DB_UNIQUE_NAME of the Oracle ASM Cluster). This is the name used when configuring grid disks for security with the CellCLI CREATE GRIDDISK or ALTER GRIDDISK command
   – realm (optional) => if it is used, then it must match the value of the realmName attribute of the cells in the realm

12. Exadata Security – Implementing
   First method: Open-Security
   • It is the "Default option" (nothing more to do)

13. Exadata Security – Implementing
   Second method: ASM-Scoped Security
   • Step 1 (Database Server side)
   – Shutdown the DATABASES and Oracle ASM instances that will have their security configuration changed
   • Step 2 (Cell side)
   – Create the security KEY using the CREATE KEY CellCLI command, which generates a random hexadecimal string
   – Assign the security KEY to the Oracle ASM Cluster DB_UNIQUE_NAME using the ASSIGN KEY CellCLI command
   – Set the availableTo attribute on the grid disks to contain the Oracle ASM Cluster or Oracle RAC Cluster unique name (DB_UNIQUE_NAME)

14. Exadata Security – Implementing
   Second method: ASM-Scoped Security (continued)
   • Step 3 (Database Server side)
   – Create the /etc/oracle/cell/network-config/cellkey.ora file, owned by the Oracle ASM software owner with permission 600
   – Startup Oracle ASM instances and DATABASES using the affected cells

15. Exadata Security – Implementing
   Second method: ASM-Scoped Security (end)
   • Step 4 (Cell side)
   – Verify ASM-Scoped Security

16. Exadata Security – Implementing
   Third method: Database-Scoped Security
   • Step 1 (Database Server side)
   – Shutdown DATABASES and Oracle ASM instances using the affected cells
   – Note: You should only set up Database-Scoped Security AFTER configuring and testing Oracle ASM-Scoped Security
   • Step 2 (Cell side)
   – Create the security KEY using the CREATE KEY CellCLI command
   – Assign the security KEY to the DATABASE unique name using the ASSIGN KEY CellCLI command
   – Set the availableTo attribute on the grid disks to contain the DATABASE unique name (DB_UNIQUE_NAME)
   – Important: Make a distinction between the Oracle ASM unique name and the DATABASE unique name

17. Exadata Security – Implementing
   Third method: Database-Scoped Security (continued)
   • Step 3 (Database Server side)
   – Create the $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora file, owned by the database software owner with read-write permission only for the owner (600)

18. Exadata Security – Implementing
   Third method: Database-Scoped Security (end)
   • Step 4 (Database Server side)
   – Startup Oracle ASM instances and the DATABASE instance only after the cellkey.ora file configuration is complete on all computers
   – Verify at the grid disk level

19. Exadata Security – Remove
   Remove Database-Scoped Security
   • Step 1 (Database Server side)
   – Shutdown DATABASES and Oracle ASM instances using the affected cells
   • Step 2 (Cell side)
   – Remove any DATABASE clients named in the availableTo grid disk attribute for which you want to remove Database-Scoped Security, with the ALTER GRIDDISK … availableTo='+ASM' CellCLI command
   – Unassign the security KEY from the DATABASE using the ASSIGN KEY CellCLI command to set it to the NULL (empty) string
   – Important: You must remove Database-Scoped Security on a grid disk BEFORE removing Oracle ASM-Scoped Security
   • Step 3 (Database Server side)
   – Remove the cellkey.ora file located in the $ORACLE_HOME/admin/<db_unique_name>/pfile directory for the DATABASE client
   – Startup Oracle ASM instances and DATABASES using the affected cells
   – Note: if you want Open-Security for the grid disks, then you must remove Oracle ASM-Scoped Security AFTER removing Database-Scoped Security

20. Exadata Security – Remove
   Remove ASM-Scoped Security
   • Step 1 (Database Server side)
   – Shutdown DATABASES and Oracle ASM instances using the affected cells
   • Step 2 (Cell side)
   – Remove the Oracle ASM Cluster client named in the availableTo grid disk attribute with the ALTER GRIDDISK … availableTo='' CellCLI command
   – If the Oracle ASM Cluster client is not configured for security with any other grid disks, then you can remove the KEY with the CellCLI ASSIGN KEY command: ASSIGN KEY FOR asm_cluster=''
   • Step 3 (Database Server side)
   – Remove the cellkey.ora file located in the /etc/oracle/cell/network-config directory on each computer host in the Oracle ASM Cluster
   – Startup Oracle ASM instances and DATABASES using the affected cells

21. Exadata Security – Best Practices
   • When configuring Exadata Security, the flow is always from Open-Security to ASM-Scoped Security to Database-Scoped Security. Similarly, when removing security, the steps are taken in reverse order
   • All grid disks that belong to the same Oracle ASM disk group should have the same cell-side grid disk security defined, to avoid confusion and errors
   • All Oracle RAC nodes in an Oracle ASM cluster should have the same content, ownership, and security for the Oracle ASM cellkey.ora file
   • All Oracle RAC nodes in a DATABASE cluster should have the same content, ownership, and security for the DATABASE cellkey.ora file
   • If Database-Scoped Security is implemented, then be sure it is implemented for all DATABASES accessing the grid disks. Do not mix Oracle ASM-Scoped Security and Database-Scoped Security
   • Use the DCLI utility to make configuration changes consistently
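The cellkey.ora rules from slide 11 (hexadecimal key=, asm= naming the ASM cluster, optional realm=), the 600 permission from slides 14 and 17, and the "identical on every RAC node" rule from the best practices can be checked before instances are started. The script below is an added example, not part of the slides or any Oracle tool; it uses constructed temp files and a made-up placeholder key value.

```shell
#!/bin/sh
# Added example (not from the slides): pre-start checks for cellkey.ora files.
# Slides 11, 14 and 17: the file holds key= (hex value from CellCLI CREATE KEY,
# matching ASSIGN KEY), asm= (ASM cluster DB_UNIQUE_NAME), optional realm=,
# and must be mode 600. Slide 21: every RAC node must carry identical content.

# Return 0 if FILE is mode 600, has a hexadecimal key= and a non-empty asm=.
check_cellkey_file() {
  file="$1"; fail=0
  [ -f "$file" ] || { echo "$file: missing"; return 1; }
  perm=$(stat -c '%a' "$file")                       # GNU stat (Exadata runs Linux)
  [ "$perm" = "600" ] || { echo "$file: mode $perm, want 600"; fail=1; }
  key=$(sed -n 's/^key=//p' "$file" | head -n 1)
  case "$key" in
    ""|*[!0-9a-fA-F]*) echo "$file: key= missing or not hexadecimal"; fail=1 ;;
  esac
  asm=$(sed -n 's/^asm=//p' "$file" | head -n 1)
  [ -n "$asm" ] || { echo "$file: asm= missing"; fail=1; }
  return "$fail"
}

# Return 0 if every further copy (one per RAC node) is byte-identical to the first.
check_cellkey_consistent() {
  first="$1"; shift
  for copy in "$@"; do
    cmp -s "$first" "$copy" || { echo "$copy differs from $first"; return 1; }
  done
  return 0
}

# Write a constructed sample: make_sample_cellkey PATH MODE KEY ASM_NAME
make_sample_cellkey() {
  printf 'key=%s\nasm=%s\n' "$3" "$4" > "$1"
  chmod "$2" "$1"
}

# Demo on temp files; the key is a made-up placeholder, not a real cell key.
run_demo() {
  d=$(mktemp -d)
  make_sample_cellkey "$d/node1.ora" 600 0123456789abcdef0123456789abcdef +ASM
  make_sample_cellkey "$d/node2.ora" 600 0123456789abcdef0123456789abcdef +ASM
  make_sample_cellkey "$d/node3.ora" 644 0123456789abcdeg0123456789abcdef +ASM
  check_cellkey_file "$d/node1.ora" && echo "node1: ok"
  check_cellkey_file "$d/node3.ora" || echo "node3: rejected"
  check_cellkey_consistent "$d/node1.ora" "$d/node2.ora" "$d/node3.ora" \
    || echo "cellkey.ora drift across nodes"
  rm -rf "$d"
}
run_demo
```

In a real deployment the copies to compare would be the /etc/oracle/cell/network-config/cellkey.ora (ASM-scoped) or $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora (database-scoped) files collected from each RAC node, for example with DCLI.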
22. Thank you for your time!