Implementing ASM-Scoped and Database-Scoped Security on Oracle Exadata Database Machine (Part 1)

Deiby Gomez (Oracle ACE) and Y V RaviKumar (Oracle Certified Master)

Introduction

Oracle Exadata Storage Server security has two modes:

1. ASM-scoped security
2. Database-scoped security

ASM-scoped security must be implemented before database-scoped security can be configured.

ASM-scoped security: with ASM-scoped security, all database clients of an ASM cluster can access the grid disks that have been made available to that cluster.

Database-scoped security: with database-scoped security, a specific database can access specific grid disks. Each database uses its own cellkey.ora.

 

Implementing cell security

Security on an Exadata cell is implemented by identifying which clients may access the cell and its grid disks. Clients include:

1. Oracle ASM instances
2. Database instances
3. Clusters

By default, Oracle Exadata allows every ASM cluster and database in the system to access every grid disk.

ASM-scoped security can help meet the following business needs:

  • You want to divide the compute grid into several Oracle clusters, but allow each compute grid to access every cell.
  • You have patching or system-lifecycle requirements that call for several Oracle Grid Infrastructure installations on a single Oracle Exadata Database Machine.
  • You want to prevent non-production ASM instances from accessing production Exadata storage.
  • You want to physically isolate I/O calls within Exadata to meet site security requirements.

Example architecture for ASM-scoped and database-scoped security:

  • ASM cluster A shares two grid disks on each cell.
  • ASM cluster B shares one grid disk on each cell to store a single-instance database.
  • ASM cluster B shares another set of two grid disks on each cell to store a RAC database.

 

[Figure: Exadata-ASM-SecFig1]


ASM-scoped security configuration:

1. Shut down the Oracle databases, ASM and Grid Infrastructure. Note that on a Database Machine you need to perform this step on every server in the ASM cluster.

As the root user:

[root@exadb01 ~]# crsctl stop crs

As the oracle user:

[oracle@exadb01 ~]$ ps -ef | grep pmon
oracle 3490 1 0 04:49 ? 00:00:00 asm_pmon_+ASM
oracle 3739 1 0 04:50 ? 00:00:00 ora_pmon_xdbvm
oracle 3912 3392 0 04:50 pts/2 00:00:00 grep pmon

[oracle@exadb01 ~]$ srvctl stop database -d xdbvm

[oracle@exadb01 ~]$ ps -ef | grep pmon
oracle 3490 1 0 04:49 ? 00:00:00 asm_pmon_+ASM
oracle 4139 3392 0 04:51 pts/2 00:00:00 grep pmon

[oracle@exadb01 ~]$ srvctl stop diskgroup -g DATA
[oracle@exadb01 ~]$ srvctl stop diskgroup -g RECO
[oracle@exadb01 ~]$ srvctl stop asm

[oracle@exadb01 ~]$ ps -ef | grep pmon
oracle 4215 3392 0 04:52 pts/2 00:00:00 grep pmon

 

2. Generate a security key with the CellCLI CREATE KEY command. This command is run only once, on any one cell. Log in to cell server 1 (Cell01) as the celladmin user.

[Figure: Exadata-ASM-SecFig2]

[Figure: Exadata-ASM-SecFig3]

3. Use the ASSIGN KEY command to assign the security key to the Oracle ASM cluster on every cell that you want the Oracle ASM cluster to access.

[Figure: Exadata-ASM-SecFig4]

Repeat this on cell server 2 (Cell02):

CellCLI> alter cell realmName=my_realm

Cell cell02 successfully altered

[Figure: Exadata-ASM-SecFig5]

CellCLI> assign key for +ASM='8804b0e5bb8f6a4d10a0e17843e60c1'

Key for +ASM successfully created

Alternatively, use DCLI to do this on all cells with a single command:

dcli -c cell01,cell02 "cellcli -e assign key for +ASM='Insert Key Value'"



4. Check the grid disks available on cell server 1 (Cell01).

[Figure: Exadata-ASM-SecFig6]

5. Use the CREATE GRIDDISK or ALTER GRIDDISK command to configure security on the specified grid disks that you want the Oracle ASM cluster to access.

[oracle@exadb01 ~]$ dcli -g ./cell_group "cellcli -e \alter griddisk all availableTo=\'+ASM\'"

 

The authenticity of host 'cell01 (192.168.56.101)' can't be
established.

RSA key fingerprint is 39:e3:37:14:23:4c:6e:eb:08:9f:c6:07:d7:55:7e:e0.
Are you sure you want to continue connecting (yes/no)?The authenticity
of host 'cell02 (192.168.56.102)' can't be established.

RSA key fingerprint is 39:e3:37:14:23:4c:6e:eb:08:9f:c6:07:d7:55:7e:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning:Permanently added 'cell01,192.168.56.101' (RSA) to the list of
known hosts.

celladmin@cell01's password:Please type 'yes' or 'no':
Warning:Permanently added 'cell02,192.168.56.102' (RSA) to the list of
known hosts.

celladmin@cell02's password:
cell01:GridDisk DATA_CD_disk01_cell01 successfully altered
cell01:GridDisk DATA_CD_disk02_cell01 successfully altered
cell01:GridDisk DATA_CD_disk03_cell01 successfully altered
cell01:GridDisk DATA_CD_disk04_cell01 successfully altered
cell01:GridDisk DATA_CD_disk05_cell01 successfully altered
cell01:GridDisk DATA_CD_disk06_cell01 successfully altered
cell01:GridDisk DATA_CD_disk07_cell01 successfully altered
cell01:GridDisk DATA_CD_disk08_cell01 successfully altered
cell01:GridDisk DATA_CD_disk09_cell01 successfully altered
cell01:GridDisk DATA_CD_disk10_cell01 successfully altered
cell01:GridDisk DATA_CD_disk11_cell01 successfully altered
cell01:GridDisk DATA_CD_disk12_cell01 successfully altered
cell01:GridDisk RECO_CD_disk01_cell01 successfully altered
cell01:GridDisk RECO_CD_disk02_cell01 successfully altered
cell01:GridDisk RECO_CD_disk03_cell01 successfully altered
cell01:GridDisk RECO_CD_disk04_cell01 successfully altered
cell01:GridDisk RECO_CD_disk05_cell01 successfully altered
cell01:GridDisk RECO_CD_disk06_cell01 successfully altered
cell01:GridDisk RECO_CD_disk07_cell01 successfully altered
cell01:GridDisk RECO_CD_disk08_cell01 successfully altered
cell01:GridDisk RECO_CD_disk09_cell01 successfully altered
cell01:GridDisk RECO_CD_disk10_cell01 successfully altered
cell01:GridDisk RECO_CD_disk11_cell01 successfully altered
cell01:GridDisk RECO_CD_disk12_cell01 successfully altered
cell02:GridDisk DATA_CD_disk01_cell02 successfully altered
cell02:GridDisk DATA_CD_disk02_cell02 successfully altered
cell02:GridDisk DATA_CD_disk03_cell02 successfully altered
cell02:GridDisk DATA_CD_disk04_cell02 successfully altered
cell02:GridDisk DATA_CD_disk05_cell02 successfully altered
cell02:GridDisk DATA_CD_disk06_cell02 successfully altered
cell02:GridDisk DATA_CD_disk07_cell02 successfully altered
cell02:GridDisk DATA_CD_disk08_cell02 successfully altered
cell02:GridDisk DATA_CD_disk09_cell02 successfully altered
cell02:GridDisk DATA_CD_disk10_cell02 successfully altered
cell02:GridDisk DATA_CD_disk11_cell02 successfully altered
cell02:GridDisk DATA_CD_disk12_cell02 successfully altered
cell02:GridDisk RECO_CD_disk01_cell02 successfully altered
cell02:GridDisk RECO_CD_disk02_cell02 successfully altered
cell02:GridDisk RECO_CD_disk03_cell02 successfully altered
cell02:GridDisk RECO_CD_disk04_cell02 successfully altered
cell02:GridDisk RECO_CD_disk05_cell02 successfully altered
cell02:GridDisk RECO_CD_disk06_cell02 successfully altered
cell02:GridDisk RECO_CD_disk07_cell02 successfully altered
cell02:GridDisk RECO_CD_disk08_cell02 successfully altered
cell02:GridDisk RECO_CD_disk09_cell02 successfully altered
cell02:GridDisk RECO_CD_disk10_cell02 successfully altered
cell02:GridDisk RECO_CD_disk11_cell02 successfully altered
cell02:GridDisk RECO_CD_disk12_cell02 successfully altered
[oracle@exadb01 ~]$

6. Check the status and availableTo attributes on cell server 1 (Cell01).

[Figure: Exadata-ASM-SecFig7]

7. Check the status and availableTo attributes on cell server 2 (Cell02).

[Figure: Exadata-ASM-SecFig8]

8. Construct the cellkey.ora file using the generated security key. Copy the cellkey.ora file into the /etc/oracle/cell/network-config/ directory on every host in the ASM cluster.

[oracle@exadb01 ~]$ pwd

/home/oracle

[oracle@exadb01 ~]$ touch cellkey.ora

[oracle@exadb01 ~]$ vi cellkey.ora

[oracle@exadb01 ~]$ cat cellkey.ora

key=8804b0e5bb8f6a4d10a0e17843e60c1

asm=+ASM

#realm=my_realm

[oracle@exadb01 ~]$

Copy it to the required location (/etc/oracle/cell/network-config/):

[oracle@exadb01 ~]$ cp cellkey.ora /etc/oracle/cell/network-config/

[oracle@exadb01 ~]$ cd /etc/oracle/cell/network-config

[oracle@exadb01 network-config]$ chmod 640 cellkey.ora

[oracle@exadb01 network-config]$ vi cellkey.ora

[oracle@exadb01 ~]$ cat cellkey.ora

key=8804b0e5bb8f6a4d10a0e17843e60c1

asm=+ASM

realm=my_realm


9. Start the Oracle ASM instance and the Oracle Database instance before starting the cluster services.

[Figure: Exadata-ASM-SecFig9]

10. Log in to the database and check that the database is accessible.

[Figure: Exadata-ASM-SecFig10]

11. Check the key from the cell servers.

Cell server 1 (Cell01):

CellCLI> list key

+ASM 8804b0e5bb8f6a4d10a0e17843e60c1

Cell server 2 (Cell02):

CellCLI> list key

+ASM 8804b0e5bb8f6a4d10a0e17843e60c1
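The checks below are an added example, not part of the authors' procedure: a small POSIX sh script that validates a cellkey.ora file the way steps 8 and 11 are verified by hand (uncommented key=, asm= and realm= lines, a hex key, no world-read permission) and cross-checks the key against "list key" output gathered from every cell. The sample files and the cell listings are constructed inline; the key value is the one used throughout the article.

```shell
# Added example (not from the article). Assumes POSIX sh with sed, awk and ls.

# Returns 0 when $1 has uncommented key=, asm= and realm= lines and a hex key.
check_cellkey_file() {
    key=$(sed -n 's/^key=//p' "$1" | head -n 1)
    asm=$(sed -n 's/^asm=//p' "$1" | head -n 1)
    realm=$(sed -n 's/^realm=//p' "$1" | head -n 1)
    [ -n "$key" ] && [ -n "$asm" ] && [ -n "$realm" ] || return 1
    # A non-hex key usually means a copy/paste error from CREATE KEY.
    printf '%s\n' "$key" | grep -Eq '^[0-9a-f]+$'
}

# Returns 0 when $1 is not readable by "other" (the chmod 640 of step 8).
check_cellkey_perms() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Returns 0 when every "<asm> <key>" line in $2 for the ASM cluster named in
# $1 carries the same key as the file; at least one cell line must be present.
check_key_matches_cells() {
    key=$(sed -n 's/^key=//p' "$1" | head -n 1)
    asm=$(sed -n 's/^asm=//p' "$1" | head -n 1)
    printf '%s\n' "$2" | awk -v a="$asm" -v k="$key" '
        $1 == a { n++; if ($2 != k) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# Constructed samples: a correct file, and one where realm= was left commented
# out and the file is world-readable.
GOOD=$(mktemp); BAD=$(mktemp)
printf 'key=8804b0e5bb8f6a4d10a0e17843e60c1\nasm=+ASM\nrealm=my_realm\n' > "$GOOD"
printf 'key=8804b0e5bb8f6a4d10a0e17843e60c1\nasm=+ASM\n#realm=my_realm\n' > "$BAD"
chmod 640 "$GOOD"; chmod 644 "$BAD"

# Constructed "list key" output as if concatenated from cell01 and cell02.
CELLS_OK='+ASM 8804b0e5bb8f6a4d10a0e17843e60c1
+ASM 8804b0e5bb8f6a4d10a0e17843e60c1'
# Same, but cell02 was assigned a different key (a mistyped ASSIGN KEY).
CELLS_DRIFT='+ASM 8804b0e5bb8f6a4d10a0e17843e60c1
+ASM 0000000000000000000000000000000'

check_cellkey_file "$GOOD" && check_cellkey_perms "$GOOD" \
    && check_key_matches_cells "$GOOD" "$CELLS_OK" && echo "cellkey.ora OK"
```

Run it on the real /etc/oracle/cell/network-config/cellkey.ora by passing that path and the output of "dcli -g cell_group cellcli -e list key" to the three functions.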

 

Deiby Gómez is an expert DBA with extensive experience in Oracle Exadata Database Machine and high-availability solutions. He regularly speaks at Oracle events in Guatemala, including the OTN LAD Tour, Java Day, Oracle First Symposium and events held at many universities. He has been an Oracle ACE since 2013. Deiby was the first Guatemalan to publish an article on Oracle LAD, and he writes regularly on his blog at www.oraclefromguatemala.com.gt.

Yenugula Venkata RaviKumar is a DBA with more than 15 years of experience, specializing in high-availability database environments (RAC, Data Guard and so on), tuning and performance, migrations, backup and recovery, and Oracle Exadata v1/v2/v3, and is proficient in operating systems such as AIX, HP-UX and Linux. He lives in India and has participated in and presented at many Oracle events held there. He was awarded the Oracle Certified Master (OCM) title by Oracle Corporation in 2009.