Exadata Cell Security Implementation

Security for Exadata Cell is enforced by identifying which clients can access cells and grid disks. Clients include Oracle ASM instances, database instances, and clusters. By default, Exadata allows every ASM cluster and database in the system to access every grid disk. You can implement cell security to control access to grid disks at two levels: by ASM cluster and by database.

ASM Security

With ASM-scoped security, the ASM cluster is authenticated to the storage cell by its DB_UNIQUE_NAME and a security key.

1. Shut down ASM and DB
——————————————————-
Shut down the database instance

[oracle@exadb ~]$ export ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1
[oracle@exadb ~]$ export ORACLE_SID=exadb
[oracle@exadb ~]$ cd /u01/app/oracle/product/11.2.0/dbhome_1/bin
[oracle@exadb bin]$ ./sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Wed Feb 12 13:01:23 2014

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 – 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

———————————————————-
Shut down the ASM instance

[oracle@exadb ~]$ export ORACLE_HOME=/u01/app/oracle/product/11.2.0/grid
[oracle@exadb ~]$ export ORACLE_SID=+ASM
[oracle@exadb ~]$ cd /u01/app/oracle/product/11.2.0/grid/bin
[oracle@exadb bin]$ ./sqlplus / as sysasm

SQL*Plus: Release 11.2.0.3.0 Production on Wed Feb 12 12:54:37 2014

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 – 64bit Production
With the Automatic Storage Management option

SQL> shutdown immediate;
ASM diskgroups dismounted.
ASM instance shutdown.

Create Security Key
———————————————————-
Log in to the cell node (exacell1) as the celladmin user and create a security key with the cellcli utility. Run the create key command only once, on any one of your cells; the same key is used by every cell. We will assign the created key to the ASM cluster later.

 [celladmin@exacell1 ~]$ cellcli -e create key
 1c58396e72a7186ed1f75b264fdd2954
 [celladmin@exacell1 ~]$

  Note: CellCLI does not store this key anywhere, so record it now; it is needed for cellkey.ora and for the ASSIGN KEY step below.

Store key
————————————————————
To store and use this key, create a file named cellkey.ora in /etc/oracle/cell/network-config on each database server that is part of the ASM cluster.

[root@exadb ]# vi /etc/oracle/cell/network-config/cellkey.ora

Write these lines to the cellkey.ora file:

key=1c58396e72a7186ed1f75b264fdd2954
asm=+ASM
realm=exafarhat_realm

Change ownership
————————————————————–
Set the ownership of the file to the user and group specified during the ASM (grid) installation, and restrict its permissions so that only that user and group can read it.

[root@exadb ]# chown ora:dba /etc/oracle/cell/network-config/cellkey.ora

[root@exadb ]# chmod 640 /etc/oracle/cell/network-config/cellkey.ora
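
A small check for the cellkey.ora file written above, as an added example that is not part of the original post. It assumes the three-line key=/asm=/realm= layout shown above and the 640 mode set with chmod; the expected owner is a parameter because the grid owner differs per installation.

```python
"""Sanity-check a cellkey.ora file before restarting ASM (added example)."""
import os
import pwd
import re
import stat

HEX_KEY = re.compile(r"^[0-9a-f]{32}$")   # format of the key CellCLI prints
REQUIRED = ("key", "asm", "realm")         # lines the file must carry


def parse_cellkey(text):
    """Parse name=value lines; blank lines and # comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        values[name.strip().lower()] = value.strip()
    return values


def check_cellkey(text, mode, owner, expected_owner):
    """Return a list of findings; an empty list means the file looks right."""
    findings = []
    values = parse_cellkey(text)
    for name in REQUIRED:
        if not values.get(name):
            findings.append("missing %s=" % name)
    key = values.get("key", "")
    if key and not HEX_KEY.match(key):
        findings.append("key is not a 32-character lowercase hex string")
    if owner != expected_owner:
        findings.append("owner is %s, expected %s" % (owner, expected_owner))
    # 640 means owner read/write, group read, nothing for others
    if mode & stat.S_IWGRP or mode & stat.S_IRWXO:
        findings.append("mode %o is wider than 640" % (mode & 0o777))
    return findings


def check_cellkey_file(path, expected_owner):
    """Read the file and its metadata from disk, then run the checks."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    with open(path) as fh:
        return check_cellkey(fh.read(), st.st_mode, owner, expected_owner)
```

Run check_cellkey_file("/etc/oracle/cell/network-config/cellkey.ora", "<grid owner>") on each database server; any finding means the ASM instance will either fail to authenticate or the key is readable more widely than intended.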

Note: the cell's realm name can be changed as follows:
CellCLI> alter cell realmName=exaabc_realm

Assign key to ASM instance
—————————————————————-

CellCLI> ASSIGN KEY FOR +ASM='1c58396e72a7186ed1f75b264fdd2954'
Key for +ASM successfully created.

Change the grid disk "availableTo" attribute
——————————————————————————————
CellCLI> list griddisk    
         datagd_CD_disk01_cell1  active
         datagd_CD_disk02_cell1  active
         datagd_CD_disk03_cell1  active
         datagd_CD_disk04_cell1  active
         datagd_CD_disk05_cell1  active
         datagd_CD_disk06_cell1  active
         datagd_CD_disk07_cell1  active
         datagd_CD_disk08_cell1  active
         datagd_CD_disk09_cell1  active
         datagd_CD_disk10_cell1  active
         datagd_CD_disk11_cell1  active
         datagd_CD_disk12_cell1  active

CellCLI> alter griddisk datagd_CD_disk01_cell1, datagd_CD_disk02_cell1, datagd_CD_disk03_cell1, datagd_CD_disk04_cell1, datagd_CD_disk05_cell1, datagd_CD_disk06_cell1, datagd_CD_disk07_cell1, datagd_CD_disk08_cell1, datagd_CD_disk09_cell1, datagd_CD_disk10_cell1, datagd_CD_disk11_cell1, datagd_CD_disk12_cell1 availableTo='+ASM'

——————————————————————————
Restart the ASM instance and then the database.

Implementing Database-Scoped Security
—————————————————————————–
This security implementation restricts a database's access to specific grid disks within an ASM cluster. It is useful for controlling access to grid disks when multiple databases share the same ASM cluster. One cellkey.ora is used per database.

1- Shut down all database and ASM instances.
2- Create a key for each database in the ASM cluster (run create key only once per database); the key is assigned to the database later.
3- For each database, create a cellkey.ora file (same layout as the ASM-scoped file above) containing the key created in step 2, in ORAHOME/admin/db_unique_name/pfile, and set its ownership as before.
4- Retrieve the DB_UNIQUE_NAME of the database being configured and assign the security key to it. Then change the grid disk attribute "availableTo" so that it lists both the ASM cluster and the database:

CellCLI> alter griddisk datagd_CD_disk01_cell1, datagd_CD_disk02_cell1, datagd_CD_disk03_cell1, datagd_CD_disk04_cell1, datagd_CD_disk05_cell1, datagd_CD_disk06_cell1, datagd_CD_disk07_cell1, datagd_CD_disk08_cell1, datagd_CD_disk09_cell1, datagd_CD_disk10_cell1, datagd_CD_disk11_cell1, datagd_CD_disk12_cell1 availableTo='+ASM,exadb'

——————————————————————————————
Removing Security:

1- Shut down the ASM and database instances.
2- List the currently assigned attribute:

CellCLI> list griddisk attributes name,availableto
         datagd_CD_disk01_cell1  +ASM,exadb
         datagd_CD_disk02_cell1  +ASM,exadb
         datagd_CD_disk03_cell1  +ASM,exadb
         datagd_CD_disk04_cell1  +ASM,exadb
         datagd_CD_disk05_cell1  +ASM,exadb
         datagd_CD_disk06_cell1  +ASM,exadb
         datagd_CD_disk07_cell1
         datagd_CD_disk08_cell1
         datagd_CD_disk09_cell1
         datagd_CD_disk10_cell1
         datagd_CD_disk11_cell1
         datagd_CD_disk12_cell1

CellCLI>

3- Remove the database from the availableTo attribute of the grid disks:
CellCLI> alter griddisk griddiskName availableTo='+ASM'
4- Remove the database's security key from the ACL on the storage cell:
CellCLI> assign key for exadb=''
Key for exadb successfully dropped
5- Remove cellkey.ora from ORAHOME/admin/db_unique_name/pfile.
6- Verify that exadb is no longer assigned to any grid disk:

CellCLI> list griddisk attributes name,availableto
         datagd_CD_disk01_cell1  +ASM
         datagd_CD_disk02_cell1  +ASM
         datagd_CD_disk03_cell1  +ASM
         datagd_CD_disk04_cell1  +ASM
         datagd_CD_disk05_cell1  +ASM
         datagd_CD_disk06_cell1  +ASM
         datagd_CD_disk07_cell1
         datagd_CD_disk08_cell1
         datagd_CD_disk09_cell1
         datagd_CD_disk10_cell1
         datagd_CD_disk11_cell1
         datagd_CD_disk12_cell1
————————————————————–
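
The verification in step 6 can be automated by parsing the "list griddisk attributes name,availableto" output. The following is an added example, not part of the original post; the sample listing is constructed to mirror the output shown above, and an empty availableTo is treated as the open mode described at the start of the article.

```python
"""Audit grid disk availableTo ACLs from CellCLI output (added example)."""

# Constructed sample mirroring 'list griddisk attributes name,availableto'
SAMPLE = """\
CellCLI> list griddisk attributes name,availableto
         datagd_CD_disk01_cell1  +ASM,exadb
         datagd_CD_disk02_cell1  +ASM
         datagd_CD_disk03_cell1
"""


def parse_griddisk_acl(output):
    """Map grid disk name -> set of clients in availableTo (empty = open)."""
    acl = {}
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] == "CellCLI>":
            continue                       # skip blank lines and the prompt
        name = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else []
        acl[name] = {c.strip() for c in clients if c.strip()}
    return acl


def open_disks(acl):
    """Disks whose availableTo is empty: any ASM cluster or database can use them."""
    return sorted(name for name, clients in acl.items() if not clients)


def disks_granted_to(acl, client):
    """Disks a given ASM cluster name or DB_UNIQUE_NAME can still reach."""
    return sorted(name for name, clients in acl.items() if client in clients)


def audit(output, removed_client):
    """Findings after removing a client: leftover grants and disks left open."""
    acl = parse_griddisk_acl(output)
    findings = []
    for name in disks_granted_to(acl, removed_client):
        findings.append("%s still lists %s" % (name, removed_client))
    for name in open_disks(acl):
        findings.append("%s has an empty availableTo (open to all clients)" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "exadb"):
        print(finding)
```

Feed it the real listing captured from the cell (audit(captured_text, "exadb")); an empty result means the database has been removed from every grid disk and no disk has silently fallen back to open security.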

7- Once the DB-scoped security is removed, you can remove the ASM-scoped security, returning the system to open security mode. Remove the ASM unique name from the availableTo attribute of all grid disks (either all at once or per grid disk), then drop the key assigned to the ASM cluster:
CellCLI> alter griddisk all availableTo=''
CellCLI> alter griddisk griddiskName availableTo=''
CellCLI> assign key for +ASM=''

8- Finally, remove the cellkey.ora file from /etc/oracle/cell/network-config on each database server.

Listing Exadata Disks

CellCLI> list griddisk  
         datagd_CD_disk01_cell1  active
         datagd_CD_disk02_cell1  active
         datagd_CD_disk03_cell1  active
         datagd_CD_disk04_cell1  active
         datagd_CD_disk05_cell1  active
         datagd_CD_disk06_cell1  active
         datagd_CD_disk07_cell1  active
         datagd_CD_disk08_cell1  active
         datagd_CD_disk09_cell1  active
         datagd_CD_disk10_cell1  active
         datagd_CD_disk11_cell1  active
         datagd_CD_disk12_cell1  active

CellCLI>