12 Keeping the Recovery Appliance Secure

This chapter describes policies and procedures to keep Recovery Appliance secure.

Securing the Hardware

After installation of Oracle Zero Data Loss Recovery Appliance, the hardware should be secured.

Hardware can be secured by restricting access to the hardware and recording the serial numbers. Oracle recommends the following practices to restrict access:

  • Install Oracle Zero Data Loss Recovery Appliance and related equipment in a locked, restricted-access room.

  • Lock the rack door unless service is required on components within the rack.

  • Restrict access to hot-pluggable or hot-swappable devices because the components can be easily removed by design. See

  • Store spare field-replaceable units (FRUs) or customer-replaceable units (CRUs) in a locked cabinet. Restrict access to the locked cabinet to authorized personnel.

  • Mark all significant items of computer hardware, such as FRUs.

  • Keep hardware activation keys and licenses in a secure location that is easily accessible to the system managers in the case of a system emergency.

  • Record the serial numbers of the components in Oracle Zero Data Loss Recovery Appliance, and keep a record in a secure place. All components in Oracle Zero Data Loss Recovery Appliance have a serial number.

Getting the Rack Serial Number

Use the ipmitool utility to get the serial number for the rack.

When interacting with Oracle Support Services, the CSI number for a rack is based on the rack serial number.

  1. Log in to one of the servers in the rack as the root user.
  2. Use ipmitool to get the serial number for the rack.
    # ipmitool sunoem cli "show /SP system_identifier"
    Connected. Use ^D to exit.
    -> show /SP system_identifier
    
     /SP
        Properties:
            system_identifier = Exadata Database Machine X2-8xxxxAKyyyy
    
    
    -> Session closed
    Disconnected

Getting the Serial Numbers for Rack Components

The CheckHWnFWProfile command can be used to display the serial number of most of the system components.

  1. Log in to one of the servers in the rack as the root user.
  2. On each server in the rack, use CheckHWnFWProfile with the -S option to display the serial number of the components for that server.
    # /opt/oracle.SupportTools/CheckHWnFWProfile -S > /tmp/CheckHWnFWProfile_hostname.txt

    The result is specific to each server, so the command must be performed on every node. The following is a partial example of the output:

    Server_Model=ORACLE_SERVER_X8-2L
    ====START SERIAL NUMBERS====
    ==Motherboard, from dmidecode==
    --System serial--
    1904XCA000
    --Motherboard serial--
    469996N+0000RD01RN
    --Chassis serial--
    1900XCA000
    --Rack serial--
    AK00400000
    ==Infiniband HCA==
    ID:      CX354A - ConnectX-3 QSFP
    PN:      7046442
    EC:      XX
    SN:      465000K-1800000000
    V0:      PCIe Gen3 x8
    ==Motherboard, RAM etc from ipmitool==
    FRU Device Description : Builtin FRU Device (LUN 0 ID 0)
    ...
     Product Name          : ILOM
     Product Version       : 4.0.4.38.a
    
    FRU Device Description : BMC
    ...
     Product Name          : ILOM
      Product Version       : 4.0.4.38.a
    
    FRU Device Description : /SYS (LUN 0 ID 3)
    ...
     Product Part Number   : 8200669
     Product Serial        : 1900XCA000
    
    FRU Device Description : DBP (LUN 0 ID 210)
     
     Board Part Number     : 7341141
     Board Extra           : Rev 09
    
    FRU Device Description : HDD0 (LUN 0 ID 47)
     Device not present (Requested sensor, data, or record not found)
    
    FRU Device Description : HDD1 (LUN 0 ID 48)
     Device not present (Requested sensor, data, or record not found)
    
    ...
    
    FRU Device Description : MB (LUN 0 ID 4)
     Board Mfg Date        : Sun Jan 20 16:57:00 2019
     Board Mfg             : Oracle Corporation
    ...
    
    FRU Device Description : MB/BIOS (LUN 0 ID 5)
    ...
    
    FRU Device Description : MB/CPLD (LUN 0 ID 8)
     Product Manufacturer  : Oracle Corporation
     Product Name          : Power Control FPGA
     Product Version       : FW:3.9
    
    FRU Device Description : M2R0/SSD0 (LUN 0 ID 211)
     Device not present (Requested sensor, data, or record not found)
    
    FRU Device Description : M2R1/SSD0 (LUN 0 ID 212)
     Device not present (Requested sensor, data, or record not found)
    
    FRU Device Description : MB/NET0 (LUN 0 ID 43)
     Product Manufacturer  : INTEL
     Product Name          : 1G Ethernet Controller
    ...
    
    FRU Device Description : MB/P0 (LUN 0 ID 16)
     Product Manufacturer  : Intel
     Product Name          : Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
    ...
    
    FRU Device Description : MB/P0/D0 (LUN 0 ID 24)
     Product Manufacturer  : Samsung
     Product Name          : 16384MB DDR4 SDRAM DIMM
    ...
    
    FRU Device Description : MB/P0/D1 (LUN 0 ID 25)
     Device not present (Requested sensor, data, or record not found)
    
    FRU Device Description : MB/P0/D2 (LUN 0 ID 26)
     Product Manufacturer  : Samsung
     Product Name          : 16384MB DDR4 SDRAM DIMM
    ...
    
    
    FRU Device Description : MB/P1 (LUN 0 ID 17)
     Product Manufacturer  : Intel
     Product Name          : Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
    ...
    
    FRU Device Description : MB/P1/D0 (LUN 0 ID 36)
     Product Manufacturer  : Samsung
     Product Name          : 16384MB DDR4 SDRAM DIMM
    ...
    FRU Device Description : PS0 (LUN 0 ID 63)
    ...
    FRU Device Description : PS1 (LUN 0 ID 64)
    ...
    FRU Device Description : SP/NET0 (LUN 0 ID 1)
    ...
    FRU Device Description : SP/NET1 (LUN 0 ID 2)
    ...
    FRU Device Description : /UUID (LUN 0 ID 6)
    ...
    FRU Device Description : TOP_LEVEL_CH (LUN 0 ID 251)
     Chassis Type          : Rack Mount Chassis
     Chassis Part Number   : 8200669
     Chassis Serial        : 1900XCA0000
     Chassis Extra         : chassis_name:ORACLE SERVER X8-2L
    
    FRU Device Description : TOP_LEVEL_PROD (LUN 0 ID 250)
     Product Manufacturer  : Oracle Corporation
     Product Name          : Exadata X8-2
     Product Part Number   : Exadata X8-2
     Product Serial        : AK00430000
    
    ====END SERIAL NUMBERS====
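    The serial-number record is only useful if it is compared against the hardware later. The following script is an added example (not part of CheckHWnFWProfile or the Oracle documentation): it parses the serial-number block in the format shown above into a dictionary and diffs it against a previously recorded baseline, so a replaced, removed, or unexpectedly added component shows up as a finding. The sample output embedded in the script is constructed in that layout; every serial in it is made up.

```python
"""Parse the serial-number block of CheckHWnFWProfile -S output and diff it
against a recorded baseline.  Added example; not part of CheckHWnFWProfile."""
import re

# Constructed sample in the layout shown above, abridged; all serials are made up.
SAMPLE_OUTPUT = """Server_Model=ORACLE_SERVER_X8-2L
====START SERIAL NUMBERS====
==Motherboard, from dmidecode==
--System serial--
1904XCA000
--Motherboard serial--
469996N+0000RD01RN
--Chassis serial--
1900XCA000
--Rack serial--
AK00400000
==Infiniband HCA==
ID:      CX354A - ConnectX-3 QSFP
PN:      7046442
SN:      465000K-1800000000
==Motherboard, RAM etc from ipmitool==
FRU Device Description : /SYS (LUN 0 ID 3)
 Product Part Number   : 8200669
 Product Serial        : 1900XCA000

FRU Device Description : HDD0 (LUN 0 ID 47)
 Device not present (Requested sensor, data, or record not found)

FRU Device Description : TOP_LEVEL_PROD (LUN 0 ID 250)
 Product Name          : Exadata X8-2
 Product Serial        : AK00430000
====END SERIAL NUMBERS====
"""

SERIAL_KEYS = {"Product Serial", "Board Serial", "Chassis Serial"}


def parse_serials(text):
    """Return {'dmidecode': {...}, 'hca': {...}, 'fru': {name: serial or None}}."""
    result = {"dmidecode": {}, "hca": {}, "fru": {}}
    inside, section, pending_key, fru_name = False, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "====START SERIAL NUMBERS====":
            inside = True
            continue
        if line == "====END SERIAL NUMBERS====":
            break
        if not inside or not line:
            continue
        header = re.fullmatch(r"==(.+)==", line)
        if header:                      # new sub-section, e.g. ==Infiniband HCA==
            section, fru_name = header.group(1), None
            continue
        if section and section.startswith("Motherboard, from dmidecode"):
            label = re.fullmatch(r"--(.+) serial--", line)
            if label:                   # "--Rack serial--" names the next line
                pending_key = label.group(1)
            elif pending_key:
                result["dmidecode"][pending_key] = line
                pending_key = None
        elif section == "Infiniband HCA":
            key, _, value = line.partition(":")
            result["hca"][key.strip()] = value.strip()
        else:                           # ipmitool FRU records
            rec = re.fullmatch(r"FRU Device Description\s*:\s*(\S+).*", line)
            if rec:
                fru_name = rec.group(1)
                continue
            if fru_name is None:
                continue
            if line.startswith("Device not present"):
                result["fru"][fru_name] = None      # empty slot
            else:
                key, _, value = line.partition(":")
                if key.strip() in SERIAL_KEYS:
                    result["fru"][fru_name] = value.strip()
    return result


def compare_with_baseline(current, baseline):
    """Return [(component, baseline_serial, current_serial)] for every difference.
    An empty slot (None) compares equal to a slot absent from the other record."""
    def flatten(inv):
        flat = {"dmidecode/" + k: v for k, v in inv["dmidecode"].items()}
        if "SN" in inv["hca"]:
            flat["hca/SN"] = inv["hca"]["SN"]
        flat.update({"fru/" + k: v for k, v in inv["fru"].items()})
        return flat
    cur, base = flatten(current), flatten(baseline)
    return [(name, base.get(name), cur.get(name))
            for name in sorted(set(cur) | set(base))
            if cur.get(name) != base.get(name)]


if __name__ == "__main__":
    import json
    print(json.dumps(parse_serials(SAMPLE_OUTPUT), indent=2))
```

    In practice, store the dictionary returned by parse_serials for each node as the secure record taken at installation, and run compare_with_baseline against a fresh CheckHWnFWProfile -S capture after any service visit: a changed motherboard or HCA serial, or a disk slot that went from populated to "Device not present", is then a concrete item to reconcile with the service log.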
    

Getting the Rack Serial Number for a Cisco 9336C or 9348 Switch

Use the show license host-id command on the switch to get the serial number.

  1. Connect to the switch from a server with SSH equivalency configured, or log in as the admin user.
  2. Obtain the serial number for the switch by entering the show license host-id command.

    The host ID is also referred to as the device serial number.

    switch# show license host-id
    License hostid: VDH=FLA12345678

    Use the entire ID that appears after the equal sign (=). In this example, the host ID is FLA12345678.

Getting the Rack Serial Number for a Sun Datacenter InfiniBand Switch 36

Use the showfruinfo command on the switch to get the serial number.

  1. Log in to the switch as root.
    $ ssh root@switch_name
  2. Use the showfruinfo command to view the serial number for the switch.
    root@ib-switch-> showfruinfo 
    Sun_Man1R:
    UNIX_Timestamp32 : Fri Mar 19 16:29:59 2010
    Sun_Fru_Description : ASSY,NM2-GW
    Vendor_ID_Code : 11 E1
    Vendor_ID_Code_Source : 01
    Vendor_Name_And_Site_Location : 4577 CELESTICA CORP. SAN JOSE CA US
    Sun_Part_Number : 5111402
    Sun_Serial_Number : 0110SJC-1010NG0040
    Serial_Number_Format : 4V3F1-2Y2W2X4S
    Initial_HW_Dash_Level : 03
    Initial_HW_Rev_Level : 50
    Sun_Fru_Shortname : NM2 gateway
    Sun_Hazard_Class_Code : Y
    Sun_SpecPartNo : 885-1655-01 
    Sun_FRU_LabelR:
    Sun_Serial_Number : AK000XXXX2
    FRU_Part_Dash_Number : 541-4188-01

Getting the Serial Number for a Cisco 4948 Ethernet Switch

Use the sh inventory command on the switch to get the serial number.

  1. Log in to the Cisco Ethernet switch.
  2. Obtain the serial number for the switch and its components by entering the sh inventory command.
    Switch# sh inventory
    NAME: "Switch System", DESCR: "Cisco Systems, Inc. WS-C4948 1 slot switch "
    PID:                   , VID:      , SN: FOX0000G0B6
    NAME:  "Linecard(slot 1)", DESCR: "10/100/1000BaseT (RJ45), 1000BaseX (SFP) 
     Supervisor with 48 10/100/1000BASE-T ports and 4 1000BASE-"
    PID: WS-C4948          , VID: V09  , SN: FOX0000G0B6
    NAME: "Power Supply 1", DESCR: "Power Supply ( AC 300W )"
    PID: PWR-C49-300AC     , VID:      , SN: QCS0000B1XR
    NAME: "Power Supply 2", DESCR: "Power Supply ( AC 300W )"
    PID: PWR-C49-300AC     , VID:      , SN: QCS0000B1X5

Securing the Software

Frequently, hardware security is implemented through software measures.

Implement the following guidelines to protect hardware and software:

  • Change all default passwords when the system is installed at the site. Recovery Appliance uses default passwords for initial installation and deployment that are widely known. A default password could allow unauthorized access to the equipment. Devices such as the network switches have multiple user accounts. Be sure to change all account passwords on the components in the rack.

  • Limit use of the root super user account. Use non-root access when possible. Create and use Integrated Lights Out Manager (ILOM) user accounts for individual users to ensure a positive identification in audit trails, and less maintenance when administrators leave the team or company.

  • Restrict physical access to USB ports, network ports, and system consoles. Servers and network switches have ports and console connections, which provide direct access to the system.

  • Restrict the capability to restart the system over the network.

  • Create named admin_users to manage the hosts.

  • Disable direct root and oracle access.

  • Create named db_users for administration and monitoring.

  • Disable remote sys access.

  • Disable remote rasys access.

TLS Overview

This section describes how to configure TLS between a Recovery Appliance and its clients.

When implementing the TLS-encrypted transport from the database server (client) to the Recovery Appliance, prepare the clients before you adjust the Recovery Appliance.

Configuring TLS Data Security on the Client

This section provides the steps required to configure TLS Data Security on the Client.

The client requires some modifications to support TLS. The Recovery Appliance can run with HTTPS encryption only, in dual HTTP/HTTPS mode, or without encryption (HTTP only, which is the default).

Configuring Protected Databases to Support TLS

If you want to continue without TLS, update the RMAN settings by adding _RA_NO_SSL=TRUE to the ENV list of the CONFIGURE CHANNEL DEVICE TYPE command:

CONFIGURE CHANNEL DEVICE TYPE
'SBT_TAPE' PARMS 
'SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
ENV=(_RA_NO_SSL=TRUE,RA_WALLET=location=file:/<path>
     credential_alias=RADB01,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';  

If you want to start using TLS, you need to perform the following steps.

  1. Find the TCPS alias (for example, zdlra_tcps) on the Recovery Appliance host and copy it to the tnsnames.ora file on the client database.

  2. Update the wallet, or create a new one if the previous one was created by mkstore. Create the new wallet using orapki. For example:

    orapki wallet create -wallet $ORACLE_HOME/dbs/sydney
  3. Copy raCA.pem from the Recovery Appliance host to the client database and import it into the wallet created or updated in the previous step.

    orapki wallet add -wallet $ORACLE_HOME/dbs/sydney -trusted_cert -cert $ORACLE_HOME/dbs/sydney/raCA.pem
  4. Update the wallet to enable -auto_login.

    orapki wallet create -wallet $ORACLE_HOME/dbs/sydney -auto_login
  5. Create a credential for the new TCPS alias and the ravpc user.

    mkstore -wrl /u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/sydney -createCredential zdlra7_tcps ravpc welcome123
  6. Connect with RMAN and update CONFIGURE CHANNEL DEVICE TYPE to add the wallet information.

    rman target / catalog ravpc/welcome123@zdlra7_tcps
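Two client-side mistakes defeat the steps above silently: the tnsnames.ora alias the channel uses still points at the plaintext TCP listener, or the RMAN channel still carries _RA_NO_SSL=TRUE from the non-TLS configuration. The following checker is an added example (not part of the Oracle documentation or of any Oracle tool): it parses the ADDRESS entries of a tnsnames.ora file and the ENV list of a CONFIGURE CHANNEL string, and reports why a given alias would not use TLS. The tnsnames entries, host name, and channel string are constructed for the example; it assumes, as in steps 5 and 6 above, that the wallet credential alias is the TCPS alias itself.

```python
"""Lint a protected database's tnsnames.ora alias and RMAN channel settings
before switching to TLS.  Added example; not an Oracle tool."""
import re

# Constructed tnsnames.ora entries; the host name is a placeholder.
TNSNAMES = """
zdlra7 =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=ra-scan.example.invalid)(PORT=1521))
    (CONNECT_DATA=(SERVICE_NAME=zdlra7)))

zdlra7_tcps =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCPS)(HOST=ra-scan.example.invalid)(PORT=2484))
    (CONNECT_DATA=(SERVICE_NAME=zdlra7)))
"""

# Constructed channel configuration in the form shown above, still carrying
# the _RA_NO_SSL=TRUE setting from the non-TLS configuration.
RMAN_CHANNEL = (
    "CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS "
    "'SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,"
    "ENV=(_RA_NO_SSL=TRUE,RA_WALLET=location=file:/u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/sydney "
    "credential_alias=zdlra7_tcps,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';"
)

DEFAULT_TCPS_PORT = 2484   # documented default for the encrypted listener


def parse_tnsnames(text):
    """Return {alias: [(protocol, host, port), ...]} for every alias in the file."""
    entries = {}
    # An alias is an identifier at column 0 followed by '='; its body runs to the next alias.
    for m in re.finditer(r"^(\w+)\s*=\s*(\(.*?)(?=^\w+\s*=|\Z)", text, re.M | re.S):
        alias, body = m.group(1), m.group(2)
        addrs = []
        for addr in re.findall(r"\(ADDRESS=\s*((?:\([^()]*\)\s*)+)\)", body, re.I):
            attrs = {k.upper(): v.strip() for k, v in re.findall(r"\((\w+)=([^()]*)\)", addr)}
            addrs.append((attrs.get("PROTOCOL", "").upper(), attrs.get("HOST", ""),
                          int(attrs.get("PORT", "0"))))
        entries[alias.lower()] = addrs
    return entries


def audit_client(tnsnames_text, rman_config, alias):
    """Return a list of findings; an empty list means the alias and channel look TLS-ready."""
    findings = []
    addrs = parse_tnsnames(tnsnames_text).get(alias.lower())
    if not addrs:
        return [f"alias {alias} not found in tnsnames.ora"]
    for proto, host, port in addrs:
        if proto != "TCPS":
            findings.append(f"{alias}: address {host}:{port} uses {proto}, not TCPS")
        elif port != DEFAULT_TCPS_PORT:
            findings.append(f"{alias}: TCPS on non-default port {port}; confirm it matches the appliance")
    env_match = re.search(r"ENV=\(([^)]*)\)", rman_config, re.I)
    env = env_match.group(1) if env_match else ""
    if re.search(r"_RA_NO_SSL\s*=\s*TRUE", env, re.I):
        findings.append("RMAN channel sets _RA_NO_SSL=TRUE; remove it so the channel uses TLS")
    if "RA_WALLET=" not in env.upper():
        findings.append("RMAN channel has no RA_WALLET entry")
    cred = re.search(r"credential_alias=(\w+)", env, re.I)
    if not cred or cred.group(1).lower() != alias.lower():
        findings.append(f"RMAN credential_alias does not reference {alias}")
    return findings


if __name__ == "__main__":
    for finding in audit_client(TNSNAMES, RMAN_CHANNEL, "zdlra7_tcps") or ["no findings"]:
        print(finding)
```

Run against real files by reading $ORACLE_HOME/network/admin/tnsnames.ora and the output of RMAN's SHOW CHANNEL; the port check is advisory because the appliance ports can be customized, but a PROTOCOL=TCP address or a leftover _RA_NO_SSL=TRUE is a definite misconfiguration.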

Validating TLS Usage

The following commands assist in monitoring the various TLS objects.

  • racli run check --check_name=tls_health
  • racli run diagnostics --tag=tls
  • racli run diagnostics --tag=tls_high

Configuring TLS Data Security on the Recovery Appliance

This section provides the steps for configuring TLS Data Security on the Recovery Appliance.

RACLI commands configure TLS (Transport Layer Security). The Recovery Appliance can run with HTTPS encryption only, in dual HTTP/HTTPS mode, or without encryption (HTTP only, which is the default).

Note:

Self-signed certificates should not be used long-term or for production. The recommendation is to use a certificate signed by your Certification Authority.

The port numbers can be customized. The default ports for encryption are:

  • TCPS: 2484
  • HTTPS: 8002
  • REPL_TCPS: 2485

The default ports for non-encrypted operation are:

  • TCP: 1521
  • HTTP: 8001
  • REPL_TCP: 1522

Create Certificate and Import into Wallet

  1. Create the certificates that are used to secure the communication. You can create the signed certificate, the trust certificate, or both at once.

    racli create certificate --country=<VALUE> 
    --state=<VALUE> --location=<VALUE> --organization=<VALUE>
    --organization_unit=<VALUE> --email_address=<VALUE> 
    [ --trusted_cert_valid=<VALUE> ][ --signed_cert_valid=<VALUE> ]

    The optional --trusted_cert_valid specifies the validity period, in days, of the trusted certificate. The default value is 3650 days (10 years).

    The optional --signed_cert_valid specifies the validity period, in days, of the signed certificate. The default value is 365 days (1 year).

    Note:

    The --signed_cert_valid value cannot be larger than the --trusted_cert_valid value.
  2. Import the certificate into the wallet.

    racli add certificate
    { [--trusted_cert=<VALUE>] | [--signed_cert=<VALUE>] | [--self-signed] }

    The optional --trusted_cert specifies the full path of the root/signing chain. For example --trusted_cert=/radump/abc/raCA.pem

    The optional --signed_cert specifies the full path of the signed certificate in the trusted store.

    The optional --self-signed specifies that Recovery Appliance will look for both certificates from designated locations. This works best for certificates created by "racli create certificate".

  3. Verify that the certificates are available.

    racli list certificate

    This displays a list of all trusted certificates and signed certificates in the raa_certs database table.

Enable TLS Encryption on the Recovery Appliance

The "racli alter network" command configures TCPS & HTTPS, and TCP & HTTP. It has three encryption modes of operation.

  • Enable TLS Encryption: This enables dual mode TCP/TCPS and HTTP/HTTPS, and will use default ports unless otherwise specified.

    racli alter network 
    --service=ra_server --encrypt=enable
    [ --tcps_port=<VALUE> ]
    [ --https_port=<VALUE> ]
    [ --repl_tcps_port=<VALUE> ]
  • Disable TLS Encryption: This enables TCP and HTTP, and will use their default ports unless otherwise specified.

    racli alter network 
    --service=ra_server --encrypt=disable
    [ --tcp_port=<VALUE> ]
    [ --http_port=<VALUE> ]
    [ --repl_tcp_port=<VALUE> ]
  • Enable Only TLS Encryption: This enables only TCPS and HTTPS. The TCP and HTTP are disabled. Default ports are used unless otherwise specified.

    racli alter network 
    --service=ra_server --encrypt=only
    [ --tcps_port=<VALUE> ]
    [ --https_port=<VALUE> ]
    [ --repl_tcps_port=<VALUE> ]

Validating TLS Usage

The following commands assist in monitoring the various TLS objects.

  • racli run check --check_name=tls_health
  • racli run diagnostics --tag=tls
  • racli run diagnostics --tag=tls_high

Maintaining a Secure Environment

After security measures are implemented, they must be maintained to keep the system secure.

Software, hardware and user access need to be updated and reviewed periodically. For example, organizations should review the users and administrators with access to Recovery Appliance to verify if the levels of access and privilege are appropriate. Without review, the level of access granted to individuals may increase unintentionally due to role changes or changes to default settings. It is recommended that access rights for operational and administrative tasks be reviewed to ensure that each user's level of access is aligned to their roles and responsibilities.

Refer to User Accounts in the Recovery Appliance Environment.

Organizations are encouraged to utilize tools to detect unauthorized changes, configuration drift, and prepare for security updates. Oracle Enterprise Manager provides an integrated solution for managing operational issues for hardware, deployed applications, and services.

Maintaining Network Security

Follow these guidelines to ensure the security of local and remote access to the system:

  • Network switch configuration files should be managed offline, and access to the configuration file should be limited to authorized administrators. The configuration file should contain descriptive comments for each setting. Consider keeping a static copy of the configuration file in a source code control system.

    For more information on network switch configuration, refer to the vendor documentation for the network switch.

  • Review the client access network to ensure that secure host and Integrated Lights Out Manager (ILOM) settings are in effect. Review the settings periodically to ensure that they remain intact.

  • Use only signed certificates from the Certification Authority.

  • Set time-outs for extended sessions and set privilege levels.

  • Use authentication, authorization, and accounting (AAA) features for local and remote access to a network switch.

  • Use the port mirroring/switch port analyzer (SPAN) capability of the switch for intrusion detection system (IDS) access.

  • Implement port security to limit access based upon a MAC address (MAC ACL).

  • Require users to use strong passwords by setting minimum password complexity rules and password expiration policies.

  • Enable logging and send logs to a dedicated secure log host.

  • Configure logging to include accurate time information, using NTP and timestamps.

  • Review logs for possible incidents and archive them in accordance with the organization's security policy.