| Oracle® Health Sciences Omics Data Bank Secure Installation and Configuration Guide Release 1.0.1 Part Number E27536-02 |
|
| View PDF |
| Oracle® Health Sciences Omics Data Bank Secure Installation and Configuration Guide Release 1.0.1 Part Number E27536-02 |
|
| View PDF |
Secure Installation and Configuration Guide
Release 1.0.1
E27536-02
April 2012
The following sections describe Oracle Health Sciences Omics Data Bank (ODB) installation requirements and process.
ODB supports the following operating systems for database tier:
Linux x86/x86-64
Oracle SPARC Solaris 64
AIX
ODB supports the following operating systems for client tier:
Microsoft Windows
Linux x86/x86-64
Oracle SPARC Solaris 64
AIX
You must follow the following security principals
One of the principles of good security practice is to keep all software versions and patches up to date.
Oracle continually improves its software and documentation. Critical Patch Updates are the primary means of releasing security fixes for Oracle products to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. We highly recommend customers to apply these patches as soon as they are released.
Although the importance of passwords is well known, the following basic rule of security management is worth repeating:
Ensure all your passwords are strong passwords.
You can strengthen passwords by creating and using password policies for your organization. For guidelines on securing passwords and for additional ways to protect passwords, refer to the Oracle® Database Security Guide specific to the database release you are using.
You should modify the following passwords to use your policy-compliant strings:
Passwords for the database default accounts, such as SYS and SYSTEM.
Passwords for the database application-specific schema accounts, such as HDM.
Password for the database listener. You should not configure a password for the database listener as that will enable remote administration. For more information, refer to the section "Removing the Listener Password" of Oracle® Database Net Services Reference 11g Release 2 (11.2)
The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Overly ambitious granting of responsibilities, roles, grants — especially early on in an organization's life cycle when people are few and work needs to be done quickly — often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine relevance to current job responsibilities.
Before you begin ODB installation, you must complete the following preinstallation steps:
Install Oracle Database 11.2.0.2.0 according to platform-specific installation instructions available at http://www.oracle.com/pls/db112/portal.portal_db?selected=11&frame=
Set the database character set to Unicode (AL32UTF8)
Verify that the oracle parameter nls_length_semantics is set to CHAR.
Using SQLPLUS connect as SYS user.
Execute the following command:
Show parameter nls_length_semantics
If nls_length_semantics parameter is not set to CHAR, execute the following command:
Alter system set nls_length_semantics=CHAR scope=spfile;
If you have modified nls_length_semantics parameter, restart the database instance.
Install Oracle Health Sciences Cohort Explorer 1.0.0.1
Oracle Health Sciences Omics Data Bank relies on third party products to provide information about specimens. Oracle Health Sciences Omics Data Bank provides out of the box integration with Oracle Health Sciences Cohort Explorer 1.0.0.1 as a source of specimens. If you intend to use another third party source of specimen, some customization of Oracle Health Sciences Omics Data Bank is required. Refer to Oracle Health Sciences Omics Data Bank Programmers Guide for details.
If you plan to use Oracle Health Sciences Cohort Explorer 1.0.0.1 as a source of specimen, you must install it before you install Oracle Health Sciences Omics Data Bank. If you plan to install database tier of Oracle Health Sciences Cohort Explorer in the same database as Oracle Health Sciences Omics Data Bank database tier, you must install them in separate schemas. You can also install Oracle Health Sciences Cohort Explorer database tier and Oracle Health Sciences Omics Data Bank database tier in different database instances.
Note:
If you want use the Oracle Database file system to store files in a secure way, refer to the Oracle Health Sciences Omics Data Bank Secure File Storage Guide.The Oracle Health Sciences Omics Data Bank consists of two major components:
Database tier - Omics Data Model which includes tables, views, sequences, PL/SQL packages, indexes, and so on.
Client tier - includes loaders for reference and results data. Loaders use different technologies, for example, Java and SQL Loaders rely on PL/SQL packages install in database tier. Every loader has a shell script (for Unix/Linux) and batch script (for Windows) to launch the loader.
The following sections describe security considerations and installation process for database tier.
This section describes Oracle Health Sciences Omics Data Bank database objects and database options:
The Oracle Health Sciences Omics Data Bank contains database objects. You can use DDL scripts and PL/SQL procedures and functions to create database objects and DML scripts to create seed data. These files are part of the media pack.
While installing and configuring Oracle Database Server, follow the guidelines in Oracle® Database 2 Day + Security Guide 11g Release 2 (11.2)
The Oracle Database has options that provide additional security features. Oracle Health Sciences Omics Data Bank may include data that falls under HIPAA guidelines in the United States and similar guidelines elsewhere. These features can help you comply with those guidelines.
Oracle Health Sciences Omics Data Bank includes data that may fall under HIPAA or other regulations outside the United States. These data are highly sensitive and only those with a need to know should have access to it. To prevent DBAs and others from seeing the data, it is recommended that Oracle Database Vault be used to limit access to the Oracle Health Sciences Omics Data Bank schema to the Oracle Health Sciences Omics Data Bank user to prevent DBAs and other "superuser" accounts from accessing the data. Note that Database Vault requires a separate license.
Oracle Audit Vault automates the audit collection, monitoring, and reporting process, turning audit data into a key security resource for detecting unauthorized activity.
Consider using this feature to satisfy compliance regulations such as SOX, PCI, and HIPAA, and to mitigate security risks. Note that Oracle Audit Vault requires a separate license.
Transparent Data Encryption is one of the three components of the Oracle Advanced Security option for Oracle Database 11g Release 2 Enterprise Edition. It provides transparent encryption of stored data to support your compliance efforts. If you employ Transparent Data Encryption, applications do not have to be modified and continue to work seamlessly as before. Data is automatically encrypted when it is written to disk and automatically decrypted when accessed by the application. Key management is built in, eliminating the complex task of creating, managing and securing encryption keys. Note that the Advanced Security Option is licensed separately from the database.
Perform the following steps to install the database tier:
Download Oracle Health Sciences Omics Data Bank 1.0 from the Media Pack and unzip into a directory. For example, odb_install_files on a system that would be used for your client tier.
Create a schema in which Omics Data Bank will be installed, for example, odm.
Assuming that you have used odm name for the Omics data model, grant requisite privileges by executing the following commands:
grant CREATE INDEXTYPE to odm;
grant CREATE PROCEDURE to odm;
grant CREATE SEQUENCE to odm;
grant CREATE SESSION to odm;
grant CREATE SYNONYM to odm;
grant CREATE any TABLE to odm;
grant CREATE TYPE to odm;
grant CREATE VIEW to odm;
grant CONNECT, RESOURCE to odm;
grant create database link to odm;
grant select any dictionary to odm;
grant create any directory to odm;
Important:
You must not grant DBA access to odm user.If you are installing on an Exadata Database, execute install_ODB_exadata.sql. For any other system, execute install_ODB.sql.
For both the scripts, following are the parameters:
Username to connect to the schema
Password to connect to the schema
SID or the Service name
Index Tablespace: tablespace used for all indexes and keys
LOB Tablespace: tablespace used for all CLOB fields in ODM schema
Promoter Offset Region: offset before the coding segment of Genes that do not have promote annotations. Stored as default value for W_EHA_SPECIES.PROMOTER_OFFSET
Note:
The Omics Data bank Schema user should have sufficient privileges on the Index Tablespace, and LOB Tablespace.If you want to use Oracle Text feature of the database for Omics Data Bank 1.0.1, Oracle recommends that you execute context_index.sql after the schema installation for Omics Data Bank.
Before executing this script, you must grant the execution privilege to the user for CTXSYS.CTX_DDL package. By default the CTXSYS account is locked. Unlock CTXSYS account and grant access to the ODB user schema (executed as SYSTEM user).
Execute the following statements
alter user ctxsys identified by password account unlock;
CONNECT ctxsys/ctxsys@dbname
GRANT EXECUTE ON ctx_ddl TO ODM;
Using SQLPLUS connect as ODB user.
Execute context_index.sql.
Enter the name of the Tablespace for Context as parameter.
Note:
The Omics Data bank Schema user should have sufficient privileges on the Context Tablespace.Once the install_ODB.sql or install_ODB_exadata.sql is executed successfully, you will see the following in Omics Data Model schema:
All tables or views in the Oracle Health Sciences Omics Data Bank. For more information, refer to Oracle Health Sciences Omics Data Bank Electronic Technical Reference Manual available on My Oracle Support at https://support.oracle.com
ODB_UTIL package
PROBE_LOADER package
HUGO_RESULT_LOAD package
ODB_RESULT_UTIL package
LOAD_PATHWAY procedure
Ensure that all the objects in the Omics Data Bank schema are compiled.
You must insert a row into W_EHA_DATASOURCE table describing the source of specimens.
If you are using Oracle Health Sciences Cohort Explorer 1.0.0.1 as a source of specimens, execute the following insert statement as a Omics Data Model schema user:
Insert into W_EHA_DATASOURCE (ROW_WID,DATASOURCE_CD,DATASOURCE_NM,DATASOURCE_DESC,SCHEMA_NAME,DB_LINK_NAME,W_INSERT_DT,W_UPDATE_DT,ETL_PROC_WID,ENTERPRISE_ID) values (W_EHA_DATASOURCE_S.nextval,'CDM','CDM','<<put any description>>','<<Cohort Explorer Schema user>>','<<db link for Cohort Explorer Instance, if it is installed in a separate database>>',sysdate,null, W_EHA_ETL_PROC_S.nextval,null);
If you are using any other external source of specimen, execute the following command:
Insert into W_EHA_DATASOURCE (ROW_WID,DATASOURCE_CD,DATASOURCE_NM,DATASOURCE_DESC,SCHEMA_NAME,DB_LINK_NAME,W_INSERT_DT,W_UPDATE_DT,ETL_PROC_WID,ENTERPRISE_ID) values (W_EHA_DATASOURCE_S.nextval,'<<external source code>>','<<External Source Name>>','<<External Source Description>>','<<External Source Schema user>>','<<db link for External Source Instance, if it is installed in a separate database>>',sysdate,null, W_EHA_ETL_PROC_S.nextval,null);
If the cohort Explorer schema is installed on the same database instance as Omics Data Model, you must give select grants on W_EHA_SPECIMEN_PATIENT_H from Cohort Data Model schema table by executing the following:
GRANT SELECT ON W_EHA_SPECIMEN_PATIENT_H TO odm;
The command assumes that odm name is used for Omics Data Model.
If the cohort Explorer schema is on a different database instance , you must create a DBLink between Omics Data Model Schema user and the cohort Explorer schema user.
You cannot perform the following operations using Database Link:
Grant privileges on remote objects
Execute DESCRIBE operations on some remote objects
Analyze remote objects
Define or enforce referential integrity
Obtain non default roles on a remote database
Execute hash query joins that use shared server connections
Use a current user link without authentication through SSL, password, or NT native authentication
Note:
Oracle recommends that you install Cohort Data Model on the same database instance as the Omics Data Model.If query use cases require access to additional tables from Cohort Data Model schema, you must give select grants to Omics Data Model Schema user for all such tables.
Execute odb_revoke_grants.sql to remove unnecessary grants from Omics Data Model schema. This script should be executed by a user with DBA privileges.
You can install Oracle Health Sciences Omics Data Bank client tier either on Unix or Linux or Windows.
If you install Oracle Health Sciences Omics Data Bank client tier on Windows, you must set up Oracle Wallet with Omics Data Model schema credentials mandatorily. If you are installing client tier on Unix or Linux, setting up Oracle Wallet is optional.
Perform the following steps to install Java and PL/SQL loaders:
Download Java runtime 1.6.0_29 from http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html#jre-6u29-oth-JPR and install it on the system to be used as client tier.
Ensure that the path for Java 1.6.0_29 in folder is set in the environment variable.
Java-based loader are located in odm_install_files/Java Loader
PL/SQL-based loaders are located in odm_install_files/SQL Loader
Note:
If you plan to run multiple loaders, ensure that you run each loader from a separate directory. You would need to copy the sh/bat to another directory to run them in parallel.Perform the following steps to set up Oracle Wallet:
Add the following code to tnsnames.ora in $ORACLE_HOME\NETWORK\ADMIN:
DB001_Wallet = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = <port>)) ) (CONNECT_DATA = (SERVICE_NAME = < service name>) ) )
Note:
Set the SERVICE_NAME, PORT and HOST values in this code to point to your database installation.You can create Oracle Wallet either on client or middle tier. Execute the following commands on command prompt:
>mkdir wallets
>mkstore -wrl <wallet_location> -create -nologo
Enter password: <type a 8 alphanumeric-character password>
Enter password again:<retype above password>
>cd wallets
>dir
Volume in drive D is Data
Volume Serial Number is C###
Directory of <wallet_location>
11/24/2011 09:24 PM <DIR> .
11/24/2011 09:24 PM <DIR> ..
11/24/2011 09:13 PM 3,965 cwallet.sso
11/24/2011 09:13 PM 3,888 ewallet.p12
The last command should list two files created by running mkstore -create, cwallet.sso and ewallet.p12.
Create database connection credentials in the wallet by using the following syntax at the command line:
mkstore -wrl <wallet_location> -createCredential <db_connect_string> <username>
Enter the password when prompted.
Note:
For every user credential added to the wallet, you must create a new dataset name in tnsnames.ora.For every user credential added to the wallet, you must create a new dataset name in tnsnames.ora.
In the client sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory location of the wallet you created in Step 2.
For example, WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=D:\wallets)))SQLNET.WALLET_OVERRIDE = TRUE
Execute the following command to test connectivity through SQLPlus:
>sqlplus /@DB001_Wallet
SQL*Plus: Release 11.2.0.1.0 Production on Fri Nov 25 15:54:35 2011
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>
Oracle makes no express or implied warranty, including but not limited to warranties regarding the accuracy, completeness, merchantability, or fitness for a particular purpose, with respect to third party data loaded into this application or the results of any functions of the application using such data. It may be used for information purposes only, and no medical, clinical or other health related decisions may be based upon such results. You are solely responsible for your use of the third party data, including your right to use the data for your purposes.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Oracle Health Sciences Omics Data Bank, Release 1.0.1
E27536-02
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
 Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|