On Exadata, by default every ASM cluster and every database can access every grid disk on the cell servers. This is called open security mode. To restrict ASM clusters and databases to only the grid disks they are allowed to use, Exadata provides two levels of cell security:
1. ASM-scoped Security
2. Database-scoped Security
ASM-Scoped Security
- Access is restricted at the Exadata grid disk level
- Allows or denies a specific ASM cluster access to specific Exadata grid disks
- Isolates grid disk storage between separate clustered environments
- Useful when the production storage on an Exadata machine must be completely separate from the non-production storage, or when several Grid Infrastructure environments on a single Exadata machine are patched independently
Steps to create ASM-Scoped Security:
1. Connect to the ASM instance
sqlplus / as sysasm
2. Check the ASM DB unique name. This value (the default is +ASM) must be used consistently in cellkey.ora, in the assign key command and in availableTo.
show parameter db_unique_name
3. Stop the databases and CRS on each compute node
srvctl stop database -d <db_unique_name>
crsctl stop crs
4. Connect to any Exadata cell server and generate a key
cellcli> create key
5. a. Copy the key generated by the above command
b. Create a cellkey.ora file in the home directory of the GI owner on one of the compute nodes (the examples below assume the GI owner is grid).
c. The cellkey.ora file contains:
key=<generated_key>
asm=<ASM db_unique_name>
#realm=my_realm
6. Assign the key to the ASM cluster on every cell. The name in quotes must match the asm= value in cellkey.ora. The backslashes keep the single quotes intact for CellCLI when the command passes through the remote shell that dcli uses.
dcli -l root -g ~/cell_group "cellcli -e assign key for \'+ASM\'=\'<key>\'"
7. Alter the grid disks and make them available to +ASM
dcli -l root -g ~/cell_group "cellcli -e alter griddisk all availableTo=\'+ASM\'"
The above command assigns all grid disks to +ASM. A subset of the grid disks can be chosen instead by listing their names in place of all.
8. Copy cellkey.ora to /etc/oracle/cell/network-config on each compute node, make it owned by the GI owner and set its permissions to 600. The key is a shared secret: any process that can read the file can present the ASM cluster's identity to the cells, which is why the file must not be readable by the group or by others.
dcli -l root -g ~/dbs_group -f /home/grid/cellkey.ora -d /etc/oracle/cell/network-config/
dcli -l root -g ~/dbs_group "chown grid:oinstall /etc/oracle/cell/network-config/cellkey.ora; chmod 600 /etc/oracle/cell/network-config/cellkey.ora"
9. Start CRS on each compute node
crsctl start crs
This completes the ASM-scoped security configuration.
Database-Scoped Security
- Restricts each database to the specific grid disks it is allowed to access
- Useful when multiple databases share the same ASM cluster
- ASM-scoped security must be configured before database-scoped security is implemented
Steps to create Database-Scoped Security:
1. Shut down the databases and CRS services on all compute nodes
srvctl stop database -d <db_unique_name>
crsctl stop crs
2. Connect to any Exadata cell server and generate one key per database (suppose we are configuring this for the PROD and DEV databases)
cellcli> create key
cellcli> create key
3. On each compute node, create a cellkey.ora file under $ORACLE_HOME/admin/<db_unique_name>/pfile for each database being configured. Create the directory if it does not exist. Each database's cellkey.ora holds that database's own key:
key=<generated_key>
asm=<ASM db_unique_name>
4. Set the owner and permissions of each cellkey.ora file. The file holds the database's secret, so it must be readable only by the database owner and its group:
chown oracle:oinstall $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora
chmod 640 $ORACLE_HOME/admin/<db_unique_name>/pfile/cellkey.ora
Repeat this for the other database's cellkey.ora file.
5. Assign the keys on every cell server. Each quoted name is a database's DB_UNIQUE_NAME and must be paired with the key written to that database's cellkey.ora:
dcli -l root -g ~/cell_group "cellcli -e assign key for \'PROD\'=\'<prod_key>\', \'DEV\'=\'<dev_key>\'"
6. Validate the keys using cellcli and dcli
dcli -l root -g ~/cell_group "cellcli -e list key"
7. Alter the grid disks and assign them to the databases. The change has to be made on every cell that holds the grid disks, so run it through dcli (or repeat it on each cell); the grid disk names are placeholders.
dcli -l root -g ~/cell_group "cellcli -e alter griddisk <griddisk_name>,<griddisk_name> availableTo=\'+ASM,PROD\'"
Note: The +ASM entry in availableTo is mandatory and must match the name used for ASM-scoped security. A grid disk that is not available to the ASM cluster cannot be used by any database in that cluster.
8. Validate the grid disks once the above assignment is completed
dcli -l root -g ~/cell_group "cellcli -e list griddisk attributes name,availableTo"
9. Start CRS and the database services on all compute nodes
crsctl start crs
srvctl start database -d <db_unique_name>
This completes database-scoped security on Exadata grid disks.
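After either procedure, the thing worth checking is the availableTo list of every grid disk: a disk with an empty list is still in open security, and a disk whose list has lost the ASM cluster name is unusable by the databases in that cluster. The script below is an added example written for this post, not code from the post or from Oracle. It audits output in the shape produced by the step 8 validation command (dcli output, one grid disk per line, prefixed with the cell name) and checks a cellkey.ora before it is copied out. The cell names, grid disk names and the sample output are constructed; the 32-hex-character key format is assumed from the keys CREATE KEY produces.

```bash
#!/bin/bash
# Added example, not part of the original post: audit the output of
#   dcli -l root -g ~/cell_group "cellcli -e list griddisk attributes name,availableTo"
# and check a cellkey.ora before it is copied to the compute nodes.
# Cell and grid disk names are assumptions; SAMPLE_OUTPUT is constructed to
# look like dcli output (one line per grid disk, prefixed with "<cell>: ").

# Constructed sample: one disk still in open security (no availableTo at all)
# and one disk that lost its +ASM entry.
SAMPLE_OUTPUT='cel01: DATA_CD_00_cel01    +ASM,PROD
cel01: DATA_CD_01_cel01    +ASM,PROD,DEV
cel01: RECO_CD_00_cel01    +ASM
cel01: DBFS_CD_02_cel01
cel02: DATA_CD_00_cel02    PROD
cel02: DATA_CD_01_cel02    +ASM,PROD,DEV'

# Grid disks with an empty availableTo: still open to every ASM cluster
# and database that can reach the cell.
open_disks() {
  printf '%s\n' "$1" | awk 'NF == 2 { print $1, $2 }'
}

# Grid disks whose availableTo list does not contain the ASM cluster name
# (default +ASM). No database in that cluster can use such a disk.
disks_without_asm() {
  printf '%s\n' "$1" | awk -v asm="${2:-+ASM}" '
    NF >= 3 {
      n = split($3, names, ","); found = 0
      for (i = 1; i <= n; i++) if (names[i] == asm) found = 1
      if (!found) print $1, $2
    }'
}

# Grid disks a given database may access. Entries are compared whole,
# so PROD does not match a database named PRODX.
disks_for_db() {
  printf '%s\n' "$1" | awk -v db="$2" '
    NF >= 3 {
      n = split($3, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == db) { print $1, $2; break }
    }'
}

# Check cellkey.ora content: a key= line holding a 32-hex-character key
# (assumed format of CREATE KEY output), an asm= line, an optional realm=
# line, and nothing else apart from comments and blank lines.
validate_cellkey() {
  local content="$1"
  printf '%s\n' "$content" | grep -qE '^key=[0-9a-fA-F]{32}$' || return 1
  printf '%s\n' "$content" | grep -qE '^asm=[^[:space:]]+$' || return 1
  # any remaining non-comment line is a typo or stray setting
  ! printf '%s\n' "$content" | grep -vE '^(#|$|key=|asm=|realm=)' | grep -q . || return 1
  return 0
}

# Usage: report on the constructed sample
echo "Grid disks still in open security:"; open_disks "$SAMPLE_OUTPUT"
echo "Grid disks missing +ASM:"; disks_without_asm "$SAMPLE_OUTPUT" "+ASM"
echo "Grid disks visible to DEV:"; disks_for_db "$SAMPLE_OUTPUT" DEV
if validate_cellkey "$(printf 'key=66e12adb996805358bf82258587f5050\nasm=+ASM\n#realm=my_realm\n')"; then
  echo "cellkey.ora: ok"
fi
```

To run it against real cells, replace SAMPLE_OUTPUT with the captured output of the dcli validation command; a non-empty result from open_disks after ASM-scoped security is configured means a grid disk was left out of the alter griddisk step.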
Ref:
Expert Oracle Exadata by Kerry Osborne, Randy Johnson, and Tanel Poder
Oracle Exadata Recipes by John Clarke
Bye,
Saurabh