Sunday, October 27, 2013

Removing Exadata Cell Security

Removing cell security from the cells is fairly simple. To remove cell security on the grid disks, database-scoped security must be removed first, and ASM-scoped security after it.

To implement cell security, please refer to my previous post, Securing Exadata Machine.

Steps to remove Database-Scoped Security:

  • Stop CRS & DB services

  • Remove the database client's name from the availableTo attribute of a set of grid disks
        dcli -l root -g ~/cell_group "cellcli -e alter griddisk <griddisk_names> availableTo=\'+asm\'"

  • If no other grid disk is assigned to any other database client, then we can remove the key assigned to a database.
        dcli -l root -g ~/cell_group "cellcli -e assign key for <db_name>=\'\'"

  • Remove the cellkey.ora file from the $ORACLE_HOME/admin/<db_unique_name>/pfile/ directory

  • Remove the database from the availableTo attribute
        dcli -l root -g ~/cell_group "cellcli -e alter griddisk all availableTo=\'+asm\'"

  • Restart CRS & DB services

Removing ASM-Scoped Security

ASM-scoped security is removed after database-scoped security has been removed from the cell storage. Once ASM-scoped security is removed, the grid disks on the cells are back in open-security mode.

Steps to remove ASM-Scoped Security:

  • Stop CRS & DB services

  • Remove the Oracle ASM client's name from the availableTo attribute of a set of grid disks
        dcli -l root -g ~/cell_group "cellcli -e alter griddisk <griddisk_names> availableTo=\'\'"

  • If no other grid disk is assigned to any other ASM cluster client, then we can remove the key assigned to a database.
        dcli -l root -g ~/cell_group "cellcli -e assign key for <asm_cluster>=\'\'"

  • Remove the cellkey.ora file from the /etc/oracle/cell/network-config/ directory on each compute node

  • Remove Oracle ASM from the availableTo attribute
        dcli -l root -g ~/cell_group "cellcli -e alter griddisk all availableTo=\'\'"

  • Restart CRS & DB services


Ref: 
Expert Oracle Exadata by Kerry Osborne, Randy Johnson, and Tanel Poder
Oracle Exadata Recipes by John Clarke

Bye,
Saurabh

Friday, October 25, 2013

Securing Exadata Machine

On Exadata, by default, all ASM instances and databases have access to all grid disks on the cell servers. This is called open-security mode. To restrict ASM instances and databases to only the grid disks they are allowed to use on the cell servers, Exadata provides two levels of cell security:

1. ASM-scoped Security
2. Database-scoped Security

ASM-Scoped Security

  • Access is restricted at the Exadata grid disk level
  • Allows or denies ASM instances access to specific Exadata grid disks
  • Allows isolating grid disk storage for separate clustered environments
  • Useful when the Exadata production storage environment must be completely separate from the non-production environment, and when patching has to be done on multiple GI environments on a single Exadata Machine

Steps to create ASM-Scoped Security:
1. sqlplus '/ as sysasm'

2. Check the ASM DB unique name
        show parameter unique

3. Stop CRS services on each compute node
        srvctl stop database -d <db_name>
        crsctl stop crs

4. Connect to any Exadata cell server
        cellcli> create key

5. a. Copy the key generated by the above command
   b. Create a cellkey.ora file on one of the compute nodes and place it in the home directory,
        as the GI owner user.
   c. The cellkey.ora file contains:
        key=<generated_key>
        asm=<ASM db_unique_name>
        #realm=my_realm

6. Assign the key to ASM
        dcli -l root -g ~/cell_group "cellcli -e assign key for \'+ASM\'=\'<key>\'"

7. Alter the grid disks and make them available to +ASM
        dcli -l root -g ~/cell_group "cellcli -e alter griddisk all availableTo=\'+ASM\'"
        In the above command, all the grid disks are allocated to +ASM. We can also choose only
        a subset of the grid disks.

8. Copy the cellkey.ora file to the /etc/oracle/cell/network-config folder on each compute node and
        set its permission to 600.
        dcli -g ~/dbs_group -l grid -f /home/oracle/cellkey.ora -d \
        /etc/oracle/cell/network-config/
        dcli -g ~/dbs_group -l grid chmod 600 /etc/oracle/cell/network-config/cellkey.ora

9. Start CRS on each compute node
        crsctl start crs
        This completes the ASM-Scoped security configuration
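
One way to check the cellkey.ora file placed in step 8, as an added example that is not part of the original post. The helper names check_cellkey and cellkey_field are hypothetical, and the key value in the demo file is made up; findings are reported without printing the key.

```shell
#!/bin/sh
# Added example: sanity-check a cellkey.ora file without ever printing the key.
# Modes from the steps on this page: 600 under /etc/oracle/cell/network-config,
# 640 for a database's copy under $ORACLE_HOME/admin/<db_name>/pfile.

# Value of entry $2 (key, asm, realm) in file $1; "#..." comment lines never match.
cellkey_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed -n 1p
}

# check_cellkey FILE MODE EXPECTED_ASM: one finding per line, status 1 if any.
check_cellkey() {
    file=$1; mode=$2; want_asm=$3; rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 1
    fi
    # find -perm with a plain octal mode matches the permission bits exactly.
    if [ -z "$(find "$file" -prune -perm "$mode")" ]; then
        echo "mode is not $mode: $file"; rc=1
    fi
    if [ -z "$(cellkey_field "$file" key)" ]; then
        echo "no key= entry: $file"; rc=1
    fi
    asm=$(cellkey_field "$file" asm)
    if [ "$asm" != "$want_asm" ]; then
        echo "asm= is '$asm', expected '$want_asm': $file"; rc=1
    fi
    return $rc
}

# Demo on a constructed file; the key value is made up.
demo=$(mktemp)
printf 'key=0123456789abcdef0123456789abcdef\nasm=+ASM\n#realm=my_realm\n' > "$demo"
chmod 600 "$demo"
check_cellkey "$demo" 600 +ASM && echo "cellkey.ora OK"
rm -f "$demo"
```
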

Database-Scoped Security

  • Allows or restricts database access to specific grid disks
  • Useful when multiple databases access the same ASM cluster
  • ASM-Scoped security must be configured before Database-Scoped security is implemented.

Steps to create Database-Scoped Security:
1. Shut down the database & CRS services on all compute nodes
        crsctl stop crs

2. Connect to any Exadata cell server and generate two keys, one for each database (suppose
        we are configuring this for the PROD & DEV databases)
        cellcli> create key
        cellcli> create key

3. Create a cellkey.ora file under the $ORACLE_HOME/admin/<db_name>/pfile directory on each
        compute node for each database you are configuring. Create the directories if they don't
        exist. The cellkey.ora file will contain:
        key=<generated_key>
        asm=<ASM db_unique_name>

4. Change the owner and permissions of the cellkey.ora file
        chown oracle:oinstall $ORACLE_HOME/admin/<db_name>/pfile/cellkey.ora
        chmod 640 $ORACLE_HOME/admin/<db_name>/pfile/cellkey.ora
        Change the owner & permissions of the other database's cellkey.ora file as well.

5. Assign keys to cell servers
        dcli -l root -g ~/cell_group "cellcli -e assign key for <db1_name>=\'<key>\', \
         <db2_name>=\'<key>\'"

6. Validate the keys using cellcli & dcli
        dcli -l root -g ~/cell_group "cellcli -e list key"

7. Alter the grid disks and assign them to the databases as per
        cellcli> alter griddisk <griddisk_name>,<griddisk_name> availableTo='+asm,<db1_name>'
        Note: The availableTo='+asm' argument is mandatory.

8. Validate the grid disks once the above assignment is completed
        dcli -l root -g ~/cell_group "cellcli -e list griddisk attributes name,availableTo"

9. Start CRS & DB services on all compute nodes

That completes Database-scoped security on exadata griddisks.
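
The validation in step 8 above, and the check that grid disks are back in open-security mode after the removal described in the Removing Exadata Cell Security post, can be scripted. This is an added example, not code from the original posts: the function names, the line format "<cell>: <griddisk> <availableTo>", the rule that an ASM client name starts with "+", and the sample output are assumptions or constructed.

```shell
#!/bin/sh
# Added example: classify each grid disk's security mode from the output of
#   dcli -l root -g ~/cell_group "cellcli -e list griddisk attributes name,availableTo"
# Assumed line format: "<cell>: <griddisk> <availableTo>", third field absent when empty.
# Assumption: an ASM client name starts with "+", anything else is a database.

classify_griddisks() {
    # Reads dcli output on stdin, prints "<cell> <griddisk> <mode>" per disk.
    awk '
    NF >= 2 {
        cell = $1; sub(/:$/, "", cell)
        avail = (NF >= 3) ? $3 : ""
        gsub(/["\047]/, "", avail)            # drop quotes if present
        n = split(avail, clients, ",")
        mode = "open"; has_asm = 0; dbs = 0
        for (i = 1; i <= n; i++) {
            if (clients[i] == "") continue
            if (substr(clients[i], 1, 1) == "+") has_asm = 1; else dbs++
        }
        if (has_asm && dbs > 0) mode = "database-scoped"
        else if (has_asm)       mode = "asm-scoped"
        else if (dbs > 0)       mode = "invalid-no-asm"   # +asm is mandatory
        print cell, $2, mode
    }'
}

# Print the disks whose mode differs from the expected one; status 1 if any.
check_mode() {
    expected=$1
    classify_griddisks | awk -v want="$expected" '
        $3 != want { print; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample of dcli output (cell, disk and client names are made up).
sample_output() {
cat <<'EOF'
cel01: DATA_CD_00_cel01 +ASM,PROD
cel01: DATA_CD_01_cel01 +ASM,DEV
cel01: RECO_CD_00_cel01 +ASM
cel02: DATA_CD_00_cel02
cel02: RECO_CD_00_cel02 PROD
EOF
}

sample_output | classify_griddisks
```

After a removal, piping the real dcli output into check_mode open lists any grid disk that still carries a client in availableTo.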

Ref: 
Expert Oracle Exadata by Kerry Osborne, Randy Johnson, and Tanel Poder
Oracle Exadata Recipes by John Clarke

Bye,
Saurabh