Implementing ASM-Scoped & Database-Scoped Security on Oracle Exadata Database Machine (Part 1)


Deiby Gomez (Oracle ACE) & Y V RaviKumar (Oracle Certified Master)


Introduction

Oracle Exadata Storage Server security has two modes:

1. ASM-Scoped Security

2. Database-Scoped Security

ASM-Scoped Security must be implemented before Database-Scoped Security can be configured.

ASM-Scoped Security: With ASM-Scoped Security, all database clients of a given Oracle ASM cluster have access to the grid disks made available to that cluster, and to nothing else on the cell. One cellkey.ora, holding the cluster's key, is installed on every host of the ASM cluster.

Database-Scoped Security: With Database-Scoped Security, specific databases within that ASM cluster have access to specific grid disks. You will use one cellkey.ora per database.

 

Implementing Cell Security

Security for an Exadata cell is enforced by identifying which clients can access cells and grid disks. Clients include:

1. Oracle ASM instances

2. Database instances

3. Clusters

By default Oracle Exadata allows all ASM clusters and databases in the system access to all grid disks. This default is called open security: any ASM instance that can reach the storage network can discover and mount any grid disk, with no key required.


ASM-scoped security can be beneficial under the following business requirements:

  • When you want to carve your compute grid into multiple Oracle clusters, let each cluster reach every cell, but restrict each cluster to its own grid disks.
  • When you have patching or system life-cycle requirements that call for multiple Oracle Grid Infrastructure installations on a single Oracle Exadata Database Machine.
  • When you want to prevent non-production ASM instances from accessing production Exadata storage.
  • When you wish to isolate I/O calls to the storage cells based on site security requirements.

ASM-Scoped & Database-Scoped example architecture:

  • ASM Cluster A shares two grid disks per cell.
  • ASM Cluster B shares one grid disk per cell to store single Instance Database.
  • ASM Cluster B shares another set of two grid disks per cell to store RAC Instance Database.

 

Exadata-ASM-SecFig1


Configuration of ASM-Scoped Security:

1. Shut down the Oracle database, ASM and Grid Infrastructure. Note that on a Database Machine you would need to perform this step on every server in the ASM cluster. Stop the database, the disk groups and ASM with srvctl as the oracle user first; the clusterware is stopped last, as root, because srvctl needs a running cluster stack.

Using oracle user:

[oracle@exadb01 ~]$ ps -ef | grep pmon
oracle 3490 1 0 04:49 ? 00:00:00 asm_pmon_+ASM
oracle 3739 1 0 04:50 ? 00:00:00 ora_pmon_xdbvm
oracle 3912 3392 0 04:50 pts/2 00:00:00 grep pmon

[oracle@exadb01 ~]$ srvctl stop database -d xdbvm

[oracle@exadb01 ~]$ ps -ef | grep pmon
oracle 3490 1 0 04:49 ? 00:00:00 asm_pmon_+ASM
oracle 4139 3392 0 04:51 pts/2 00:00:00 grep pmon

[oracle@exadb01 ~]$ srvctl stop diskgroup -g DATA
[oracle@exadb01 ~]$ srvctl stop diskgroup -g RECO
[oracle@exadb01 ~]$ srvctl stop asm

[oracle@exadb01 ~]$ ps -ef | grep pmon
oracle 4215 3392 0 04:52 pts/2 00:00:00 grep pmon

Using root user:

[root@exadb01 ~]# crsctl stop crs

 

2. Generate a security key using the CREATE KEY CellCLI command. Execute this command once only, on any one cell; the same value is then assigned on every cell. Log in to Cell Server 1 (Cell01) as the celladmin user. The command prints a random hexadecimal key, which you will need for ASSIGN KEY and for cellkey.ora, so record it somewhere that is not world-readable.

Exadata-ASM-SecFig2

Exadata-ASM-SecFig3


3. Use the ASSIGN KEY command to assign the security key to the Oracle ASM cluster on all the cells you want the Oracle ASM cluster to access. The cluster is identified by its ASM cluster name (the DB_UNIQUE_NAME of its ASM instances, +ASM here), and the key value is the one printed by CREATE KEY. Set the same realm name on every cell first with ALTER CELL realmName; the cellkey.ora on the database servers has to carry that same realm.

Exadata-ASM-SecFig4

Repeat in Cell Server 2 (Cell02):

CellCLI> alter cell realmName=my_realm

Cell cell02 successfully altered

Exadata-ASM-SecFig5

CellCLI> assign key for +ASM='8804b0e5bb8f6a4d10a0e17843e60c1'

Key for +ASM successfully created

 

(OR) use a DCLI command to execute it on all cells at once. The single quotes are backslash-escaped, as in the ALTER GRIDDISK command of step 5, so that they survive the ssh hop to the cell and CellCLI receives a quoted key value:

dcli -c cell01,cell02 "cellcli -e assign key for +ASM=\'Insert Key Value\'"



4. Check the available grid disks in Cell Server 1 (Cell01):

Exadata-ASM-SecFig6

5. Use the CREATE GRIDDISK or ALTER GRIDDISK command to configure security on the specified grid disks that you want the Oracle ASM cluster to access. The availableTo attribute names the ASM cluster (and, with Database-Scoped Security, the databases) allowed to use a grid disk. ALL here restricts every grid disk on every cell listed in cell_group to +ASM; give an explicit list of grid disk names instead if some disks must remain assigned to another cluster. cell_group is a file with one cell name per line, read by dcli -g:

[oracle@exadb01 ~]$ dcli -g ./cell_group "cellcli -e alter griddisk all availableTo=\'+ASM\'"

 

The first dcli run prompts for each cell's ssh host key and for the celladmin password:

The authenticity of host 'cell01 (192.168.56.101)' can't be established.
RSA key fingerprint is 39:e3:37:14:23:4c:6e:eb:08:9f:c6:07:d7:55:7e:e0.
Are you sure you want to continue connecting (yes/no)? The authenticity of host 'cell02 (192.168.56.102)' can't be established.
RSA key fingerprint is 39:e3:37:14:23:4c:6e:eb:08:9f:c6:07:d7:55:7e:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cell01,192.168.56.101' (RSA) to the list of known hosts.
celladmin@cell01's password: Please type 'yes' or 'no':
Warning: Permanently added 'cell02,192.168.56.102' (RSA) to the list of known hosts.
celladmin@cell02's password:

Answering yes here pins whatever host key answered on that address, so compare the fingerprint with the one reported on the cell itself before accepting it (both cells show the same fingerprint above, which is what you get when cells are cloned from one image). For repeated dcli use, push an ssh key to celladmin on every cell first with dcli -g ./cell_group -k; that removes the interleaved password prompts and the chance of typing a password into a "yes/no" prompt.
cell01: GridDisk DATA_CD_disk01_cell01 successfully altered
cell01: GridDisk DATA_CD_disk02_cell01 successfully altered
cell01: GridDisk DATA_CD_disk03_cell01 successfully altered
cell01: GridDisk DATA_CD_disk04_cell01 successfully altered
cell01: GridDisk DATA_CD_disk05_cell01 successfully altered
cell01: GridDisk DATA_CD_disk06_cell01 successfully altered
cell01: GridDisk DATA_CD_disk07_cell01 successfully altered
cell01: GridDisk DATA_CD_disk08_cell01 successfully altered
cell01: GridDisk DATA_CD_disk09_cell01 successfully altered
cell01: GridDisk DATA_CD_disk10_cell01 successfully altered
cell01: GridDisk DATA_CD_disk11_cell01 successfully altered
cell01: GridDisk DATA_CD_disk12_cell01 successfully altered
cell01: GridDisk RECO_CD_disk01_cell01 successfully altered
cell01: GridDisk RECO_CD_disk02_cell01 successfully altered
cell01: GridDisk RECO_CD_disk03_cell01 successfully altered
cell01: GridDisk RECO_CD_disk04_cell01 successfully altered
cell01: GridDisk RECO_CD_disk05_cell01 successfully altered
cell01: GridDisk RECO_CD_disk06_cell01 successfully altered
cell01: GridDisk RECO_CD_disk07_cell01 successfully altered
cell01: GridDisk RECO_CD_disk08_cell01 successfully altered
cell01: GridDisk RECO_CD_disk09_cell01 successfully altered
cell01: GridDisk RECO_CD_disk10_cell01 successfully altered
cell01: GridDisk RECO_CD_disk11_cell01 successfully altered
cell01: GridDisk RECO_CD_disk12_cell01 successfully altered
cell02: GridDisk DATA_CD_disk01_cell02 successfully altered
cell02: GridDisk DATA_CD_disk02_cell02 successfully altered
cell02: GridDisk DATA_CD_disk03_cell02 successfully altered
cell02: GridDisk DATA_CD_disk04_cell02 successfully altered
cell02: GridDisk DATA_CD_disk05_cell02 successfully altered
cell02: GridDisk DATA_CD_disk06_cell02 successfully altered
cell02: GridDisk DATA_CD_disk07_cell02 successfully altered
cell02: GridDisk DATA_CD_disk08_cell02 successfully altered
cell02: GridDisk DATA_CD_disk09_cell02 successfully altered
cell02: GridDisk DATA_CD_disk10_cell02 successfully altered
cell02: GridDisk DATA_CD_disk11_cell02 successfully altered
cell02: GridDisk DATA_CD_disk12_cell02 successfully altered
cell02: GridDisk RECO_CD_disk01_cell02 successfully altered
cell02: GridDisk RECO_CD_disk02_cell02 successfully altered
cell02: GridDisk RECO_CD_disk03_cell02 successfully altered
cell02: GridDisk RECO_CD_disk04_cell02 successfully altered
cell02: GridDisk RECO_CD_disk05_cell02 successfully altered
cell02: GridDisk RECO_CD_disk06_cell02 successfully altered
cell02: GridDisk RECO_CD_disk07_cell02 successfully altered
cell02: GridDisk RECO_CD_disk08_cell02 successfully altered
cell02: GridDisk RECO_CD_disk09_cell02 successfully altered
cell02: GridDisk RECO_CD_disk10_cell02 successfully altered
cell02: GridDisk RECO_CD_disk11_cell02 successfully altered
cell02: GridDisk RECO_CD_disk12_cell02 successfully altered
[oracle@exadb01 ~]$

6. Check the status and the availableTo attribute of the grid disks in Cell Server 1 (Cell01), for example with LIST GRIDDISK ATTRIBUTES name,status,availableTo:

Exadata-ASM-SecFig7

7. Check the status and the availableTo attribute of the grid disks in Cell Server 2 (Cell02):

Exadata-ASM-SecFig8

 
8. Construct a cellkey.ora file using the generated security key. Copy the cellkey.ora file into the /etc/oracle/cell/network-config/ directory on every host in the ASM cluster. The file has three entries: key (the value printed by CREATE KEY), asm (the ASM cluster name used in ASSIGN KEY) and realm (which must match the realmName set on the cells; it can stay commented out only if no realm was set).

[oracle@exadb01 ~]$ pwd
/home/oracle

[oracle@exadb01 ~]$ touch cellkey.ora
[oracle@exadb01 ~]$ vi cellkey.ora
[oracle@exadb01 ~]$ cat cellkey.ora
key=8804b0e5bb8f6a4d10a0e17843e60c1
asm=+ASM
#realm=my_realm
[oracle@exadb01 ~]$

Copy it to the required location (/etc/oracle/cell/network-config/) and restrict its permissions. The key is the credential that gives a host access to the grid disks, so the file is made readable only by the Oracle software owner (oracle here) and its group with mode 640; delete the working copy in the home directory once the installed copy is in place. The realm line is uncommented in the installed copy because a realm was set on both cells:

[oracle@exadb01 ~]$ cp cellkey.ora /etc/oracle/cell/network-config/
[oracle@exadb01 ~]$ cd /etc/oracle/cell/network-config
[oracle@exadb01 network-config]$ chmod 640 cellkey.ora
[oracle@exadb01 network-config]$ vi cellkey.ora
[oracle@exadb01 network-config]$ cat cellkey.ora
key=8804b0e5bb8f6a4d10a0e17843e60c1
asm=+ASM
realm=my_realm


9. Start the cluster services on each node (crsctl start crs as root), then the ASM instance and the database instance. ASM can mount the DATA and RECO disk groups only because the key in cellkey.ora matches the key assigned to +ASM on the cells; with a wrong or missing key the cells do not expose the grid disks to that cluster at all.

Exadata-ASM-SecFig9

10. Log in to the database and check that it is accessible.

Exadata-ASM-SecFig10

11. Check the key from the Cell Servers.

Cell Server 1 (Cell01):

CellCLI> list key

+ASM 8804b0e5bb8f6a4d10a0e17843e60c1

Cell Server 2 (Cell02):

CellCLI> list key

+ASM 8804b0e5bb8f6a4d10a0e17843e60c1
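The following script is an added example and is not code from the original article or from Oracle. It puts the ASM-scoped procedure above (steps 2 to 8) into functions driven by a policy that maps each grid disk to the one ASM cluster allowed to see it, which also covers the two-cluster carve-up described in the architecture section, and it audits a cell's grid disk listing and the keys on all cells against that policy. Everything beyond what the page shows is an assumption: the policy file format, the cluster names +ASMA and +ASMB, that grid disk names end in the cell name (as they do on this page), and that "list key" prints "<client> <key>" and "list griddisk attributes name,availableTo" prints "<name> <availableTo>", one line per item. The sample listings are constructed to contain two mistakes: one disk left open and one granted to the wrong cluster.

```shell
#!/bin/bash
# Added example, not code from the original article: it scripts the ASM-scoped
# steps above for a policy mapping each grid disk to the one ASM cluster allowed
# to see it (which also covers the two-cluster layout of the architecture
# section) and audits a cell's listing against that policy. Assumed, not taken
# from the page: the policy format, the names +ASMA/+ASMB, that grid disk names
# end in the cell name, and the "list key" / "list griddisk" output shapes.

# Policy: "griddisk_name allowed_client", one pair per line. Constructed for
# the architecture section: cluster A owns two disks per cell, cluster B one
# disk for a single-instance database plus two for a RAC database.
POLICY='
DATA_CD_disk01_cell01 +ASMA
DATA_CD_disk02_cell01 +ASMA
DATA_CD_disk03_cell01 +ASMB
DATA_CD_disk04_cell01 +ASMB
DATA_CD_disk05_cell01 +ASMB
'

# Constructed "list griddisk attributes name,availableTo" output of a cell
# where disk04 went to the wrong cluster and disk05 was never changed.
SAMPLE_LISTING='
         DATA_CD_disk01_cell01   +ASMA
         DATA_CD_disk02_cell01   +ASMA
         DATA_CD_disk03_cell01   +ASMB
         DATA_CD_disk04_cell01   +ASMA
         DATA_CD_disk05_cell01
'

# Constructed "dcli -g cell_group cellcli -e list key" output: +ASMA holds
# the same key on both cells, +ASMB does not (last digit differs on cell02).
SAMPLE_KEYS='
cell01: +ASMA 8804b0e5bb8f6a4d10a0e17843e60c1
cell01: +ASMB 1c3b0e0a2d2c4f6e8b9d0a1b2c3d4e5f
cell02: +ASMA 8804b0e5bb8f6a4d10a0e17843e60c1
cell02: +ASMB 1c3b0e0a2d2c4f6e8b9d0a1b2c3d4e50
'

# cellkey.ora body for one cluster; realm must equal the cells' realmName.
render_cellkey_ora() {
    printf 'key=%s\nasm=%s\nrealm=%s\n' "$1" "$2" "$3"
}

# Compare a grid disk listing (stdin) with policy $1: one line per violation,
# return 1 if any. An empty availableTo is the open default, so it is flagged.
audit_griddisk_access() {
    policy=$1; rc=0
    while read -r name avail; do
        [ -z "$name" ] && continue
        want=$(printf '%s\n' "$policy" | awk -v d="$name" '$1 == d { print $2 }')
        if [ -z "$avail" ]; then
            echo "$name: OPEN (availableTo is empty)"; rc=1
        elif [ -z "$want" ]; then
            echo "$name: NOT IN POLICY (availableTo=$avail)"; rc=1
        elif [ "$avail" != "$want" ]; then
            echo "$name: WRONG CLIENT (availableTo=$avail, policy=$want)"; rc=1
        fi
    done
    return $rc
}

# Check dcli "list key" output (stdin): every cell must hold one and the same
# key for client $1. Prints the key and returns 0 on success.
keys_consistent() {
    awk -v c="$1" '
        $2 == c { seen[$3] = 1; n++ }
        END {
            if (n == 0) { print "no key assigned for " c; exit 1 }
            k = 0; for (x in seen) { key = x; k++ }
            if (k != 1) { print "key for " c " differs between cells"; exit 1 }
            print key
        }'
}

# Steps 2 to 8 for the cells in file $1 (one per line, the dcli -g format),
# realm $2 and policy $3. Not run automatically. Needs key-based ssh to celladmin
# on every cell ("dcli -g cells -k" first) so no password prompt hides in a loop.
apply_policy() {
    cells=$1; realm=$2; policy=$3
    dcli -g "$cells" "cellcli -e alter cell realmName=$realm"
    for client in $(printf '%s\n' "$policy" | awk 'NF { print $2 }' | sort -u); do
        # One key per ASM cluster: generated once, assigned on every cell.
        key=$(dcli -c "$(head -n 1 "$cells")" "cellcli -e create key" | awk '{ print $NF }')
        dcli -g "$cells" "cellcli -e assign key for $client=\'$key\'"
        dcli -g "$cells" "cellcli -e list key" | keys_consistent "$client" >/dev/null || return 1
        # Install as /etc/oracle/cell/network-config/cellkey.ora, mode 640,
        # owned by the Oracle software owner, on that cluster's hosts.
        render_cellkey_ora "$key" "$client" "$realm" > "cellkey.ora.$client"
    done
    printf '%s\n' "$policy" | while read -r disk client; do
        [ -z "$disk" ] && continue
        dcli -c "${disk##*_}" "cellcli -e alter griddisk $disk availableTo=\'$client\'"
    done
    while read -r cell; do   # dcli prefixes each line with "cellNN: "; drop it
        dcli -c "$cell" "cellcli -e list griddisk attributes name,availableTo" \
            | sed 's/^[^:]*: *//' | audit_griddisk_access "$policy" || return 1
    done < "$cells"
}
```

Run on a database server as the oracle user: apply_policy ./cell_group my_realm "$POLICY", then copy each generated cellkey.ora.<client> into /etc/oracle/cell/network-config/cellkey.ora on the hosts of that cluster. The two audit functions are what make this more than a batch of dcli calls: a disk with an empty availableTo is exactly the open-security default the procedure is meant to remove, and a key that differs between cells leaves the cluster unable to see part of its own disk group, so both are checked before the cluster is started again.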

 

Deiby Gómez is an expert DBA with experience in Oracle Exadata Database Machine and High Availability solutions. He speaks frequently at Oracle events in Guatemala, among them OTN LAD Tour, Java Day, the First Symposium of Oracle and many universities. Oracle ACE since 2013. Deiby is the first Guatemalan to publish articles in Oracle LAD and publishes articles regularly on his blog www.oraclefromguatemala.com.gt.

Yenugula Venkata RaviKumar is a DBA with over 15 years of experience specialized in high availability database environments (RAC, Data Guard, among others), tuning and performance, migrations, backup and recovery, Oracle Exadata v1/v2/v3, and an expert in operating systems such as AIX, HP-UX and Linux. He has participated as a lecturer in several Oracle events in India, where he currently resides. He obtained an Oracle Certified Master (OCM) from Oracle Corporation in 2009.