10 User Security on Recovery Appliance

Increase the security of your data and system by limiting user access and developing strong password security policies.

Default User Accounts for Oracle Zero Data Loss Recovery Appliance

The following table lists the default users and passwords for the Oracle Zero Data Loss Recovery Appliance components. All default passwords should be changed after installation of the Recovery Appliance.

Table 9-1 Default Users and Passwords for Oracle Zero Data Loss Recovery Appliance

Component User Name and Password

Compute servers

Operating system users:

  • root/welcome1

  • oracle/We1come$

  • dbmadmin/welcome

  • dbmmonitor/welcome

  • raext/(locked and blocked from SSH access)

  • railm/(locked and blocked from SSH access)

  • Password for the GRUB boot loader: sos1Exadata

Database users:

  • SYS/We1come$

  • SYSTEM/We1come$

  • raext/(externally authenticated)

  • ralim/(externally authenticated)

  • rasys/change^Me2

OSB tape backup application users:

  • admin/welcome1

  • oracle/welcome1

  • encryption key wallet/welcome1

Storage servers

  • root/welcome1

  • celladmin/welcome

  • cellmonitor/welcome

  • CELLDIAG

    CELLDIAG is an Exadata storage software user, not an operating system user.

    The password of the CELLDIAG user is reset to a random password during the "Apply Security Fixes" step of Oracle Exadata Deployment Assistant. If this step is not run, then the default password is Welcome12345.

  • Password for the GRUB boot loader: sos1Exadata

RoCE Network Fabric

  • root/welcome1

InfiniBand Network Fabric switches

  • root/welcome1

  • nm2user/changeme

  • ilom-admin/ilom-admin

  • ilom-operator/ilom-operator

Ethernet switches

  • admin/welcome1

Note: Secure the enable mode password and secret values for the admin user.

Power distribution units (PDUs)

  • admin/welcome1

    The password for the admin user is adm1n if you reset the PDU to factory default settings.

Compute server ILOMs

  • root/welcome1

  • MSUser

    Management Server (MS) uses this account to manage ILOM and reset it if it detects a hang.

    Do not modify this account. This account is to be used by MS only.

    Each time MS starts up, it deletes the previous MSUser account and re-creates the account with a randomly generated password.

    The MSUser password is not persisted anywhere. If you need to change account passwords regularly, you can restart MS to change the password of the MSUser account.

Storage server ILOMs

  • root/welcome1

  • MSUser

    See the description above for details about this user.

InfiniBand Network Fabric ILOMs

  • ilom-admin/ilom-admin

  • ilom-operator/ilom-operator

  • root/welcome1

Note:

After the Recovery Appliance has been deployed, the installation process disables all root SSH keys and expires all user passwords as a security measure for your system. If you do not want the SSH keys disabled or the passwords expired, advise the installation engineer before the deployment.

See Also:

"Changing Component Passwords" to learn how to change the passwords for the Recovery Appliance components.

Default Password Requirements

Oracle Exadata Deployment Assistant (OEDA) implements a default password policy on Oracle Exadata Database Machine.

The last step of OEDA, "Secure Oracle Exadata Database Machine", implements the following password requirements:

  • Dictionary words are not valid or accepted.
  • Character classes for passwords are uppercase letters, lowercase letters, digits, and special characters.
  • Passwords must contain characters from all four character classes. Passwords using only one, two, or three character classes are not allowed.
  • The minimum length of a password is eight characters.
  • Pass-phrases are allowed. A pass-phrase should contain at least three words, be 16 to 40 characters in length, and contain different character classes.
  • A new password cannot be similar to old passwords. There must be at least eight characters in the new password that were not present in the old password.
  • A maximum of three consecutive characters of the same value can be used in a password.
  • A maximum of four consecutive characters of the same character class can be used in a password. For example, abcde1#6B cannot be used as a password because it uses five consecutive lowercase letters.
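The structural rules above can be checked mechanically before a password is submitted. The following Python sketch is an added example, not Oracle or OEDA code. It covers length, character classes, run limits, and the old/new difference rule, and leaves out the dictionary and pass-phrase rules. The function names are hypothetical, and it assumes the "eight characters not present in the old password" rule counts characters of the new password that do not occur anywhere in the old one.

```python
import itertools
import string

def char_class(ch):
    """Map a character to one of the four classes named in the policy."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "special"

def longest_run(items):
    """Length of the longest run of equal adjacent items."""
    return max((len(list(g)) for _, g in itertools.groupby(items)), default=0)

def policy_violations(new, old=None):
    """Return the list of violated rules; an empty list means all checks pass."""
    problems = []
    classes = [char_class(c) for c in new]
    if len(new) < 8:
        problems.append("shorter than eight characters")
    missing = {"upper", "lower", "digit", "special"} - set(classes)
    if missing:
        problems.append("missing classes: " + ", ".join(sorted(missing)))
    if longest_run(new) > 3:
        problems.append("more than three consecutive identical characters")
    if longest_run(classes) > 4:
        problems.append("more than four consecutive characters of one class")
    if old is not None:
        # Assumed reading: count characters of the new password absent from the old.
        fresh = sum(1 for c in new if c not in old)
        if fresh < 8:
            problems.append("fewer than eight characters not in the old password")
    return problems

# Constructed sample inputs; the first is the counter-example given in the list above.
SAMPLES = ["abcde1#6B", "Ab1#Cd2$", "Aaaaa1#B", "Short1#"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(candidate, policy_violations(candidate) or "ok")
```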

Default Security Settings Enacted by OEDA

Oracle Exadata Deployment Assistant (OEDA) includes a step to increase hardware security on Recovery Appliance.

The last step of OEDA implements the following security policies:

  • For all newly created operating system users on the compute servers and storage servers, the following password-aging values are set:
    • The maximum number of days for a password is 60 days.
    • The minimum amount of time between password changes is 24 hours.
    • The number of days of alerts before a password change is seven days.
    • All non-root users must change their password at their next login.
  • An operating system user account is temporarily locked for 10 minutes after one failed login attempt.
  • An operating system user account is locked after five failed attempts.
  • For the root user, SSH equivalency is removed for all compute servers and storage servers.

  • The following permissions are set by OEDA:

    • The Automatic Diagnostic Repository (ADR) base directory, $ADR_BASE, has SUID (Set owner User ID) on the diag directory and its sub-directories.
    • The celladmin user group has read and write permissions on the $ADR_BASE.
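To confirm that the password-aging values listed above are still in effect on a server, an auditor can compare per-account aging fields against them. The following Python sketch is an added example, not part of OEDA. It assumes the values are read from the standard Linux shadow(5) layout (fields 3 to 6: last change, minimum, maximum, warning), which the page does not specify. The sample lines are constructed and the function names are hypothetical.

```python
# Aging values the page lists for OEDA's final step (24 hours = 1 day).
EXPECTED = {"min_days": 1, "max_days": 60, "warn_days": 7}
FIELDS = ("min_days", "max_days", "warn_days")  # shadow(5) fields 4, 5, 6

# Constructed sample in shadow(5) layout; hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$HASH:19700:1:60:7:::
oracle:$6$PLACEHOLDER$HASH:19700:0:99999:7:::
dbmadmin:$6$PLACEHOLDER$HASH:0:1:60:7:::
dbmmonitor:$6$PLACEHOLDER$HASH:19700:1:60::::
"""

def parse_shadow(text):
    """Yield (user, last_change, {field: int or None}) per well-formed line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 6 or not parts[0]:
            continue  # skip blank or malformed lines
        aging = {n: int(v) if v.isdigit() else None
                 for n, v in zip(FIELDS, parts[3:6])}
        yield parts[0], parts[2], aging

def audit_aging(text):
    """Return {user: [deviations]} for accounts that differ from EXPECTED."""
    report = {}
    for user, _, aging in parse_shadow(text):
        bad = [f"{n}={aging[n]} (expected {EXPECTED[n]})"
               for n in FIELDS if aging[n] != EXPECTED[n]]
        if bad:
            report[user] = bad
    return report

def forced_change_pending(text):
    """Users whose last-change field is 0: password change due at next login."""
    return [user for user, last, _ in parse_shadow(text) if last == "0"]

if __name__ == "__main__":
    for user, bad in audit_aging(SAMPLE_SHADOW).items():
        print(user, "; ".join(bad))
    print("forced change pending:", forced_change_pending(SAMPLE_SHADOW))
```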