2. Stefan Oehrli
Platform Architect, Trainer and Partner at Trivadis
• Since 1997 active in various IT areas
• Since 2008 with Trivadis AG
• More than 20 years of experience in Oracle databases
Focus: Protecting data and operating databases securely
• Security assessments and reviews
• Database security concepts and their implementation
• Oracle Backup & Recovery concepts and troubleshooting
• Oracle Enterprise User Security, Advanced Security, Database Vault, …
• Oracle Directory Services
Co-author of the book The Oracle DBA (Hanser, 2016/07)
@stefanoehrli www.oradba.ch
3. Agenda
13.09.2019 TechEvent 2019 - DB, CMU and EUS engineering with vagrant
• Challenges
• Database Security in a Nutshell
• Trivadis Lab
• Get this thing going
• Summary
5. Challenges
You just want to test that particular cool new feature…
• Testing in a prod env may not be the best choice.
• Getting a test system could take weeks.
• Order process
• Funding
• Cloud-based test systems are also not always quickly available.
• Cloud Credits
• Not always online
• Performing integrated tests where multiple systems are involved, e.g. DB server, directory server, etc.
To sum up: Testing new features can be quite a challenge.
6. Database Security in a Nutshell
7. Maximal Data Security Architecture (diagram)
8. Maximal Data Security Architecture (diagram)
9. Kerberos Authentication
• Uses a trusted authentication system, the KDC (not KGB… ☺)
• Kerberos requires three parties
1. Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS)
2. Service, identified by its Service Principal Name (SPN), that provides a service
3. Client requesting access
• Oracle describes it as "strong" authentication
• Part of the Oracle Advanced Security Option (ASO) until mid-2013; no longer requires the ASO license since then
• Basis for a range of tools and services
• Windows Servers and Active Directory: the KDC is integrated in MS Active Directory
[Diagram: the client obtains a service ticket from the KDC and presents it to the database server, which validates it with its keytab file and acknowledges the session]
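As an added example (not code from the deck or from the trivadislabs.com repository), the following POSIX shell script renders the server side sqlnet.ora that switches a database to Kerberos authentication and checks it the way a provisioning script should: KERBEROS5 enabled, krb5.conf and keytab configured and present, keytab not world-readable. The realm TRIVADISLABS.COM, the SPN service name oracle and the file locations are assumptions for this lab.

```shell
#!/bin/sh
# Added example, not code from the deck or the trivadislabs.com repository:
# render a server-side sqlnet.ora for Kerberos authentication and sanity-check
# it. Realm, host and file locations are assumptions for the lab, e.g.
#   render_kerberos_sqlnet /etc/krb5.conf /etc/krb5.keytab > $TNS_ADMIN/sqlnet.ora

LAB_REALM="TRIVADISLABS.COM"           # assumed Kerberos realm = AD domain in upper case
DB_HOST="ol7db19.trivadislabs.com"     # DB VM named in the deck

# render_kerberos_sqlnet KRB5CONF KEYTAB : print the sqlnet.ora lines.
# Service "oracle" plus the host name form the SPN oracle/<host>@<REALM>
# that the keytab must contain.
render_kerberos_sqlnet() {
  printf '%s\n' \
    "SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)" \
    "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle" \
    "SQLNET.KERBEROS5_CONF=$1" \
    "SQLNET.KERBEROS5_CONF_MIT=TRUE" \
    "SQLNET.KERBEROS5_KEYTAB=$2" \
    "SQLNET.KERBEROS5_CLOCKSKEW=300"
}

# expected_spn HOST REALM : the service principal a client asks the TGS for
expected_spn() {
  printf 'oracle/%s@%s\n' "$1" "$2"
}

# check_kerberos_sqlnet FILE : Kerberos must be an enabled authentication
# service, krb5.conf and keytab must be configured and exist, and the keytab
# must not be world-readable (it holds the service's long-term key).
check_kerberos_sqlnet() {
  f="$1"; rc=0
  grep -Eq '^SQLNET\.AUTHENTICATION_SERVICES=.*KERBEROS5' "$f" \
    || { echo "KERBEROS5 not listed in SQLNET.AUTHENTICATION_SERVICES"; rc=1; }
  for p in SQLNET.KERBEROS5_CONF SQLNET.KERBEROS5_KEYTAB; do
    v=$(sed -n "s/^$p=//p" "$f")
    if [ -z "$v" ]; then echo "$p missing"; rc=1
    elif [ ! -e "$v" ]; then echo "$p points to missing file $v"; rc=1
    fi
  done
  kt=$(sed -n 's/^SQLNET\.KERBEROS5_KEYTAB=//p' "$f")
  if [ -n "$kt" ] && [ -e "$kt" ] && [ -n "$(find "$kt" -perm -o+r 2>/dev/null)" ]; then
    echo "keytab $kt is world-readable"; rc=1
  fi
  return $rc
}

# Stand-alone demo with constructed (empty) files in a temporary directory
demo=$(mktemp -d)
: > "$demo/krb5.conf"
: > "$demo/krb5.keytab" && chmod 600 "$demo/krb5.keytab"
render_kerberos_sqlnet "$demo/krb5.conf" "$demo/krb5.keytab" > "$demo/sqlnet.ora"
cat "$demo/sqlnet.ora"
echo "expected SPN: $(expected_spn "$DB_HOST" "$LAB_REALM")"
check_kerberos_sqlnet "$demo/sqlnet.ora" && echo "sqlnet.ora OK"
```

On the database VM the rendered file goes to $TNS_ADMIN/sqlnet.ora; the keytab must contain the SPN printed by expected_spn, which on the AD side is created with ktpass for the database's service account. A client obtains a ticket with okinit and inspects it with oklist, and the matching database user is created with CREATE USER ... IDENTIFIED EXTERNALLY AS 'user@TRIVADISLABS.COM' (realm in upper case, the string is case sensitive).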
10. Enterprise User Security
• EUS stores user credentials and permissions in one central location, an LDAP directory
• OID Oracle Internet Directory
• OUD Oracle Unified Directory
• Simplification of administration through centralization
• One location for assigning authorizations
• Traceability, clarity
• Setup as standalone directory server (OID or OUD)
• Setup with DIP integration (OID or OUD)
• Setup as AD proxy (OUD only)
13. Centrally Managed Users
• New security feature introduced with Oracle 18c
• Centrally Managed Users (CMU)…
… do not require an additional Oracle directory
… enable the administration of users and groups directly in MS Active Directory
… do not require an additional license, but require Oracle EE or XE (not SE2)
• Supports the common authentication methods, e.g. password, Kerberos and PKI / SSL authentication
• Password authentication requires the Oracle password filter and an AD schema extension (not needed for Kerberos or PKI)
• Requires an AD service account, which the database uses to look up users and groups; its credentials are kept in a wallet
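Both EUS and CMU end up at the same database-side construct: a global user or role whose IDENTIFIED GLOBALLY AS string carries a directory DN (or, for EUS, an empty string when the mapping is kept in the directory). The following script, an added example that is not from the deck or the trivadislabs.com repository, renders those statements plus the dsi.ora that points a CMU database at the AD VM; the host name, the group and user DNs and the admin context are assumptions for the lab domain.

```shell
#!/bin/sh
# Added example, not code from the deck or the trivadislabs.com repository:
# render the SQL that maps directory identities to global database users and
# roles, the mechanism shared by EUS (OID/OUD) and CMU (Active Directory).
# Host names and DNs are assumed values for the lab domain trivadislabs.com.

# valid_dn DN : accept only "attr=value,attr=value,…"; anything else is
# rejected before it can land inside a quoted SQL literal.
valid_dn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$'
}

# sql_quote STRING : double single quotes for use in an SQL string literal
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# map_global_user DBUSER DN : the DN of a directory user gives an exclusive
# schema; the DN of an AD group (CMU) or of a mapping subtree (EUS) gives a
# shared schema for everybody it covers.
map_global_user() {
  valid_dn "$2" || { echo "invalid DN: $2" >&2; return 1; }
  printf "CREATE USER %s IDENTIFIED GLOBALLY AS '%s';\n" "$1" "$(sql_quote "$2")"
}

# eus_shared_schema DBUSER : EUS only, the user/subtree mapping lives in the
# directory, so the database side carries an empty identifier
eus_shared_schema() {
  printf "CREATE USER %s IDENTIFIED GLOBALLY AS '';\n" "$1"
}

# map_global_role ROLE DN : a directory group grants a database role
map_global_role() {
  valid_dn "$2" || { echo "invalid DN: $2" >&2; return 1; }
  printf "CREATE ROLE %s IDENTIFIED GLOBALLY AS '%s';\n" "$1" "$(sql_quote "$2")"
}

# render_dsi_ora AD_HOST ADMIN_CONTEXT : CMU directory access file dsi.ora
# (LDAP on 389, LDAPS on 636). The AD service account credentials do not go
# here; they belong in the wallet referenced from sqlnet.ora.
render_dsi_ora() {
  printf '%s\n' \
    "DSI_DIRECTORY_SERVERS=($1:389:636)" \
    "DSI_DEFAULT_ADMIN_CONTEXT=\"$2\"" \
    "DSI_DIRECTORY_SERVER_TYPE=AD"
}

# Stand-alone demo with assumed lab objects
render_dsi_ora win2016ad.trivadislabs.com "dc=trivadislabs,dc=com"
map_global_user soe "CN=soe,OU=users,DC=trivadislabs,DC=com"
map_global_user tvd_hr_users "CN=Trivadis LAB HR,OU=groups,DC=trivadislabs,DC=com"
map_global_role tvd_dba_role "CN=Trivadis LAB DBA,OU=groups,DC=trivadislabs,DC=com"
eus_shared_schema eus_shared
```

Write the output to a SQL script and run it as a privileged user in the PDB. The DN check is deliberately strict (no escaped commas, no bare names) so that a typo is caught before it becomes a wrong or overly broad mapping; a group DN in a CREATE USER statement silently turns one schema into a shared one for every group member, which is exactly what you want for a shared schema and exactly what you do not want for an exclusive one.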
14. Bucket List for the Engineering Lab
❑ Oracle Database Server with the latest Oracle binaries
❑ Test database, preferably a container database and a single tenant database
❑ Some fancy test schema.
❑ Optional additional Oracle Database Server with other releases.
❑ Oracle Unified Directory Server to set up an LDAP and configure EUS or Oracle Names resolution.
❑ Active Directory Server matching my fancy test schema somehow
❑ KDC for Kerberos Authentication
❑ ….
16. Trivadis LAB
• VirtualBox based test and engineering environment
• Infrastructure as Code with Vagrant
• Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
• Requires Vagrant, VirtualBox and the various images, software etc.
• HashiCorp Vagrant https://www.vagrantup.com
• Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
• Different VMs for different applications
• win2016ad.trivadislabs.com Windows 2016 Active Directory
• ol7oud12.trivadislabs.com Oracle Unified Directory Server 12c
• ol7db19.trivadislabs.com Oracle DB Server with 19c (TDB190C and TDB190S)
• ol7db18.trivadislabs.com Oracle DB Server with 18c (TDB180C and TDB180S)
• VMs for Oracle DB Server 12c and 11g as well
17. Trivadis LAB Demo Environment (diagram)
18. Trivadis LAB Structure
• All VMs share a common config and script folder
• Generic setup scripts
• Vagrant config file vagrant.yml
• Folder mounted as /vagrant_common
• Dedicated folder for lab and demo scripts
• Folder mounted as /vagrant_labs
• Dedicated vagrant folder for each VM
• Location of the Vagrantfile
• Software like Oracle binaries / RU
• Specific setup and configuration scripts
• Folder mounted as /vagrant
[Diagram: repository layout with the common config and scripts folder, the lab and demo scripts folder, and one folder each with the VM specific stuff for the 12c, 18c and 19c DB VMs, the OUD VM and the Windows VM]
19. Trivadis LAB Company
• Fictitious company Trivadis Lab with users, departments, etc.
• Available as organization in the Active Directory server
• Available as TVD_HR schema in the database, which is based on Oracle's HR schema
20. Vagrant Config File
• YAML based configuration file vagrant.yml
• Defines common as well as VM specific settings like hostname, IP addresses, VM names, DB version, scripts and much more
• Loaded in each Vagrantfile to "load" the config
• Can be sourced with 00_init_environment.sh to load the values from the Vagrant config file as shell variables
Excerpt from vagrant.yml:
  # Configuration valid for AD server
  win2016ad:
    box: StefanScherer/windows_2016
    vm_name: win2016ad
Excerpt from a Vagrantfile:
  require 'yaml'
  # - Configuration ----------------------------------------------------
  params = YAML.load_file '../common/config/vagrant.yml'
  # shared configuration
  var_default_password = params['common']['default_password']
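What 00_init_environment.sh does in the lab, shown here as an added example with its own implementation (not the script from the trivadislabs.com repository): a small awk-based reader for the two-level vagrant.yml layout (section, then key: value) and a loader that exports the values a provisioning script needs. The sample config and its values are constructed for the demo and only follow the shape shown on the slide; the variable names LAB_DOMAIN and LAB_DEFAULT_PASSWORD are assumptions.

```shell
#!/bin/sh
# Added example, not the deck's 00_init_environment.sh: read values from a
# two-level vagrant.yml (section -> key: value) with awk so a provisioning
# script can source them. The sample YAML below is constructed for the demo.

# yaml_get FILE SECTION KEY : print the value of SECTION.KEY with surrounding
# quotes and trailing comments stripped; exit 1 if the key is not found
yaml_get() {
  awk -v sec="$2" -v key="$3" '
    # an unindented "name:" line starts a new section
    /^[^ \t#][^:]*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
    # an indented "key: value" line inside the wanted section
    /^[ \t]+[^ \t#]/ && cur == sec {
      line = $0
      sub(/^[ \t]+/, "", line)
      i = index(line, ":")
      if (i == 0) next
      k = substr(line, 1, i - 1)
      v = substr(line, i + 1)
      sub(/^[ \t]+/, "", v)
      sub(/[ \t]+#.*$/, "", v)            # trailing comment
      sub(/[ \t]+$/, "", v)
      if (v ~ /^".*"$/ || v ~ /^'\''.*'\''$/) v = substr(v, 2, length(v) - 2)
      if (k == key) { print v; found = 1; exit }
    }
    END { if (!found) exit 1 }
  ' "$1"
}

# load_lab_config FILE : export the shared values the setup scripts rely on;
# fails early instead of continuing with empty variables
load_lab_config() {
  LAB_DOMAIN=$(yaml_get "$1" common domain) || return 1
  LAB_DEFAULT_PASSWORD=$(yaml_get "$1" common default_password) || return 1
  export LAB_DOMAIN LAB_DEFAULT_PASSWORD
}

# write_sample_config FILE : constructed vagrant.yml; the shape follows the
# slide, every value is an assumption for the demo
write_sample_config() {
  cat > "$1" <<'EOF'
# Common configuration shared by all VMs
common:
  domain: trivadislabs.com
  default_password: "LAB_secret_01"   # lab only, never reuse in prod

# Configuration valid for AD server
win2016ad:
  box: StefanScherer/windows_2016
  vm_name: win2016ad
  ip: 10.0.1.4

# Configuration valid for the 19c DB server
ol7db19:
  box: oraclelinux/7
  vm_name: ol7db19
  db_version: 19.0.0
EOF
}

# Stand-alone demo
demo=$(mktemp)
write_sample_config "$demo"
load_lab_config "$demo"
echo "domain=$LAB_DOMAIN ad_box=$(yaml_get "$demo" win2016ad box) db19=$(yaml_get "$demo" ol7db19 db_version)"
rm -f "$demo"
```

The reader deliberately handles only the flat section/key structure; for lists or anchors use a real YAML parser. Sourcing the script (. ./00_init_environment.sh) instead of executing it is what makes the exported variables visible to the calling provisioning script, and the early return on a missing key keeps a later script from creating a database with an empty password.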
21. Common Config Scripts
Generic configuration scripts, primarily used for the OUD and DB VMs
• 00_init_environment.sh Init script to source the Vagrant config values as variables
• 01_common_setup_os_db.sh Configure the OS of the DB VM
• 01_common_setup_os_oud.sh Configure the OS of the OUD VM
• 10_install_binaries.sh Wrapper script to install the Oracle binaries; the oradba_init scripts from GitHub are used to do the installation
• 11_install_basenv.sh Wrapper script to install Trivadis BasEnv
• 12_config_tnsadmin.sh Configure TNS_ADMIN related stuff
• 20_create_databases.sh Wrapper script to set up the Oracle databases
• 80_create_tvd_hr_pdb1.sql SQL script to install the TVD_HR schema in a container database
• 81_create_tvd_hr.sql SQL script to install the TVD_HR schema
22. Vagrant File
• Each VM has its own Vagrant file Vagrantfile
• The file contains all information on how the VM should be set up
• VM memory and CPU configuration
• Shared folder configuration
• Setup or provisioning scripts
• Configuration is loaded from the Vagrant config file vagrant.yml
• Corresponding values are loaded as variables
• A few things can easily be configured; complex disk and network configuration is a bit tricky
• The easiest thing is to just look at a file…
23. DB VM Build Process
• VM is based on the official Oracle Vagrant box
• Resources 4GB, 2 CPU and a simple disk
• Setup from OS config up to DB creation:
• 01_common_setup_os_db.sh
• 10_install_binaries.sh
• 11_install_basenv.sh
• 12_config_tnsadmin.sh
• 20_create_databases.sh
• Up and ready in about 20min depending on network speed and host performance
24. OUD VM Build Process
• VM is based on the official Oracle Vagrant box
• Resources 1GB, 1 CPU and a simple disk
• Setup covers OS config and binary installation:
• 01_common_setup_os_oud.sh
• 10_install_binaries.sh
• Currently no automated OUD instance configuration
• Up and ready in about 10min depending on network speed and host performance
25. Windows AD VM Build Process
• VM is based on Stefan Scherer's windows_2016 box on Vagrant Cloud
• Resources 1GB, 1 CPU and a simple disk
• Setup from AD installation up to the Oracle client:
• 01_install_ad.ps1
• 02_install_chocolatey.ps1
• 10_config_ad.ps1
• 11_config_dns.ps1
• 12_config_ca.ps1
• 20_install_tools.ps1
• 30_config_cmu.ps1
• 40_install_oracle_client.ps1
• 99_sum_up_ad.ps1
• Up and ready in about 10min depending on network speed and host performance
26. Requirements in Detail
• Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
• Vagrant CLI https://www.vagrantup.com
• Vagrant plugin vagrant-reload, used for reload / reboot during provisioning of a VM
• Vagrant boxes or base images
• These will be downloaded during the initial configuration of the VM
• The Windows base image is about 4 GB and will take a while
• Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
• Oracle binaries and patches as ZIP files
• Check the *.download files for the download information and links
• Last but not least a little memory, disk and CPU resources
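A pre-flight check before the first vagrant up, added here as an example that is not part of the trivadislabs.com repository: it verifies the tools from the requirements list and that each VM folder has a Vagrantfile and, where a software folder exists, at least one Oracle ZIP, listing the *.download notes otherwise. The VM folder names come from the deck; the <vm>/software layout, the plugin list format and the file names used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the trivadislabs.com repository: pre-flight check
# to run from the cloned repository before "vagrant up". VM folder names come
# from the deck; "<vm>/Vagrantfile" and "<vm>/software/*.zip" are assumptions.

LAB_VMS="win2016ad ol7oud12 ol7db18 ol7db19"

# have_cmd NAME : 0 if NAME is on PATH
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# check_tools : Vagrant, VirtualBox and the vagrant-reload plugin (needed for
# the reboots during Windows provisioning)
check_tools() {
  tools_rc=0
  for c in vagrant VBoxManage; do
    have_cmd "$c" || { echo "missing tool: $c"; tools_rc=1; }
  done
  if have_cmd vagrant && ! vagrant plugin list 2>/dev/null | grep -q '^vagrant-reload '; then
    echo "missing vagrant plugin: vagrant-reload (vagrant plugin install vagrant-reload)"
    tools_rc=1
  fi
  return $tools_rc
}

# check_vm_folder ROOT VM : Vagrantfile present; if a software folder exists it
# must hold at least one ZIP, otherwise print the *.download notes that say
# what to fetch
check_vm_folder() {
  root="$1"; vm="$2"; vm_rc=0
  [ -f "$root/$vm/Vagrantfile" ] || { echo "$vm: no Vagrantfile"; vm_rc=1; }
  if [ -d "$root/$vm/software" ]; then
    set -- "$root/$vm/software"/*.zip
    if [ ! -e "$1" ]; then
      echo "$vm: no Oracle ZIP files in software/"
      for n in "$root/$vm/software"/*.download; do
        if [ -e "$n" ]; then echo "  see $n"; fi
      done
      vm_rc=1
    fi
  fi
  return $vm_rc
}

# lab_preflight ROOT : run all checks, return 1 if anything is missing
lab_preflight() {
  all_rc=0
  check_tools || all_rc=1
  for vm in $LAB_VMS; do
    check_vm_folder "$1" "$vm" || all_rc=1
  done
  return $all_rc
}

# Stand-alone demo against a constructed lab tree; ol7db18 has only the
# download note, so the check reports it
demo=$(mktemp -d)
for vm in $LAB_VMS; do
  mkdir -p "$demo/$vm/software"
  : > "$demo/$vm/Vagrantfile"
done
: > "$demo/ol7db19/software/LINUX.X64_193000_db_home.zip"
: > "$demo/ol7db18/software/LINUX.X64_180000_db_home.zip.download"
lab_preflight "$demo" || echo "pre-flight failed, fix the items above before vagrant up"
```

Run it once from the repository root; a missing tool or ZIP is a lot cheaper to learn about here than twenty minutes into a provisioning run that then has to be destroyed and repeated.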
27. Get this thing going
28. Trivadis LAB Demo Environment (diagram)
Setup takes a while…
29. Vagrant in a Nutshell
• Clone the Git repository
  git clone https://github.com/oehrlis/trivadislabs.com.git
• Copy the corresponding Oracle software into the ../software directories
• Initial start and provisioning of the VMs (win2016ad, ol7db18, ol7db19, ol7oud12, …)
  cd win2016ad
  vagrant up
• Access via vagrant ssh / rdp
  vagrant ssh
  sudo su - oracle
  vagrant rdp
31. Bucket List for the Engineering Lab
✓ Oracle Database Server with the latest Oracle binaries
✓ Test database, preferably a container database and a single tenant database
✓ Some fancy test schema.
✓ Optional additional Oracle Database Server with other releases.
✓ Oracle Unified Directory Server to set up an LDAP and configure EUS or Oracle Names resolution.
✓ Active Directory Server matching my fancy test schema somehow
✓ KDC for Kerberos Authentication
❑ ….
32. Summary
• Vagrant allows building reproducible lab environments
• A lot is possible, but not yet everything
• Complex network configuration
• Highly customized storage configuration
• There are still a few miles to go to have everything 100% automated
• The current setup allows to focus on engineering…
… without spending hours on setups.
• If you screw it up, just rebuild it!
• Sending dozens of GB of VM files is no longer necessary.
• Contributions to the Trivadis LAB are welcome.
Get ready! Become a pro in EUS, CMU, Kerberos, etc.