Configuring Data Security for Exadata Storage Servers

4.4 Configuring Data Security for Exadata Storage Servers

Data security for Oracle Exadata Storage Servers is implemented by controlling which Oracle Automatic Storage Management (Oracle ASM) clusters and Oracle Database clients can access specific grid disks on storage cells.

By default, all Oracle Database and Oracle ASM instances have access to all grid disks on the storage servers. The storage for each database is provided by Oracle ASM. You can have multiple clustered or unclustered databases running in your Oracle Exadata Database Machine. You can also have more than one Oracle ASM cluster. An Oracle ASM cluster is a collection of interconnected nodes, each with an Oracle ASM instance, operating as a unified cluster. An Oracle ASM cluster presents a shared pool of storage to one or more Oracle Database instances that are also operating on the nodes.

About Exadata Storage Server Security Modes
Oracle Exadata System Software security allows open security, ASM-scoped security, or DB-scoped security.
Best Practices for ASM-Scoped Security and DB-Scoped Security
While setting up security, it is imperative that the configuration is the same across all the storage servers.
About Security Keys
Oracle Exadata System Software uses keys to identify clients and determine access rights to the grid disks.
Setting Up ASM-Scoped Security on Oracle Exadata Storage Servers
Configuring ASM-scoped security requires actions to be performed on both the database servers and storage servers.
Setting Up DB-Scoped Security on Oracle Exadata Database Machine
When configuring DB-scoped security, you perform actions on both the database and storage servers.
Changing Security Keys for ASM-Scoped Security or DB-Scoped Security
You can change the keys used with ASM-scoped security or DB-scoped security.
Enabling Cell-to-Cell Operations
If you have configured ASM-scoped security or DB-scoped security for your Oracle Exadata Database Machine, then you must configure access control to ensure direct cell-to-cell operations are not restricted.
Removing ASM-Scoped Security or DB-Scoped Security
If you want to revert to an open security model, you must remove DB-scoped security for grid disks before removing ASM-scoped security.

Parent topic: Keeping the Oracle Exadata Secure

4.4.1 About Exadata Storage Server Security Modes

Oracle Exadata System Software security allows open security, ASM-scoped security, or DB-scoped security.

Open Security

The default security mode is open security, where any database client has access to all the grid disks. Open security mode is useful for test or development databases where there are no security requirements. This is the default security mode after creating a new storage cell.

ASM-Scoped Security

Using ASM-scoped security you can restrict access to only the grid disks used by the Oracle ASM disk groups associated with a Oracle ASM cluster. All Oracle Database instances associated with that Oracle ASM cluster have access to the disk groups and underlying grid disks. Grid disks used in disk groups belonging to a different Oracle ASM cluster are not be accessible to these instances.

Use ASM-scoped security when you want all databases and Oracle ASM instances in a cluster to have access to the grid disks that comprise the Oracle ASM disk groups used by the cluster. This includes the case when there is only one database in an Oracle ASM cluster.

Figure 4-1 ASM-Scoped Security

Description of "Figure 4-1 ASM-Scoped Security"

DB-Scoped Security

Using DB-scoped security, you can restrict access for an Oracle Database instance to a specific set of grid disks. The database instance must have access to all the grid disks used by the Oracle ASM disk groups for the database. The grid disks used by these Oracle ASM disk groups cannot be used by any other Oracle ASM disk group.

DB-scoped security mode is appropriate when multiple databases are accessing the grid disks. DB-scoped security allows you to limit database access to only the grid disks that are used by the Oracle ASM disk groups associated with the database.

Description of sagug_031-db-scoped-security.eps follows

Description of the illustration sagug_031-db-scoped-security.eps

Parent topic: Configuring Data Security for Exadata Storage Servers

4.4.2 Best Practices for ASM-Scoped Security and DB-Scoped Security

While setting up security, it is imperative that the configuration is the same across all the storage servers.

To have consistent Oracle Exadata System Software security, ensure the following:

Configure the same cell-side grid disk security for all grid disks that belong to the same Oracle ASM disk group to avoid confusion and errors.
Ensure that all Oracle Real Application Clusters (Oracle RAC) servers in an Oracle ASM cluster have the same content, ownership, and security for the Oracle ASM cellkey.ora file.
Ensure that all Oracle RAC servers in a database cluster have the same content, ownership, and security for the database cellkey.ora file.
If DB-scoped security is implemented, then ensure it is implemented for all databases accessing the grid disks. Do not mix ASM-scoped security and DB-scoped security for any grid disks.
Use the dcli utility to make configuration changes to ensure consistency and eliminate potential user errors.

Related Topics

Using the dcli Utility

Parent topic: Configuring Data Security for Exadata Storage Servers

4.4.3 About Security Keys

Oracle Exadata System Software uses keys to identify clients and determine access rights to the grid disks.

To determine which clients have access to a grid disk, a key is generated using CellCLI and stored in a read-only file that is accessible only by the clients. The CellCLI CREATE KEY command generates a random hexadecimal string for use as a security key. This key is stored in a cellkey.ora file on the client side, and assigned to the targets on the storage servers using the ASSIGN KEY command.

Note:

The client name or Oracle ASM cluster name not case-sensitive. For example, ASM1 and asm1 are treated as the same value.

The CREATE KEY command can be run on any cell. You should only run this command when you need to create a new unique key. If you are configuring ASM-scoped security, then only a single security key is needed for each Oracle ASM cluster. If you are configuring DB-scoped security, then one key is needed for each Oracle ASM cluster and an additional security key is needed for each database client.

For ASM-scoped security, the cellkey.ora file is only accessible by the Oracle ASM cluster and its database clients. For DB-scoped security multiple security keys are used. One key is assigned to the Oracle ASM cluster, and one key is assigned to each database client. These security keys are stored in separate cellkey.ora files, and each file is accessible only by the client.

The cellkey.ora file contains entries that configure security among Oracle ASM, database clients and cells. The key and asm values in the cellkey.ora files on the Oracle ASM and database host computers must match the values assigned to the clients on the cells.

The cellkey.ora file contains the following fields:

key — This field is required.
- For ASM-scoped security, this key must match the value of the key assigned to the Oracle ASM cluster with the CellCLI ASSIGN KEY command.
- For DB-scoped security, this key must match the value of the key assigned to the database client with the CellCLI ASSIGN KEY command.
asm — This field is required.

This field contains a unique identifier for each Oracle ASM cluster. This value must be unique among all the clusters that access the storage servers in the storage grid. This value is used in the ASSIGN KEY command run on each cell, and the ALTER GRIDDISK and CREATE GRIDDISK commands used to configure grid disks to allow access from only a specific Oracle ASM cluster.

Note:
The asm field is used when configuring both ASM-scoped security and DB-scoped security.

Access to the cellkey.ora file is controlled by operating system privileges.

For Oracle ASM clients, the file is stored in the /etc/oracle/cell/network-config directory, and is readable by the Oracle Grid Infrastructure software owner and the group to which the user belongs.
For DB-scoped security, there is a cellkey.ora for Oracle ASM, readable only by the Oracle Grid Infrastructure software owner, and additional cellkey.ora files for each database client. For the database clients, the file is stored in the pfile directory of the Oracle home directory for each database. The cellkey.ora file for a database is readable only by the operating system user that owns the Oracle Database software installation.

Note:
The Oracle Grid Infrastructure and Oracle Database software must by owned by different operating system users to implement DB-scoped security.

Figure 4-2 Security Keys and cellkey.ora Files

Description of "Figure 4-2 Security Keys and cellkey.ora Files"

On the storage servers, you use the ASSIGN KEY command to store the security keys in an access control list (ACL) for the cells. You use the ALTER GRIDDISK command to set the access rights for individual grid disks with the AvailableTo attribute. In order to access a grid disk, the security key of the cell ACL must match the security key of the client and the unique name of the client must be included in the AvailableTo attribute of the grid disk.

The identifying names used for the Oracle ASM and database must be unique. However, in some environments, there is more than one database with the same value for the DB_UNIQUE_ID. Each database uses a different Oracle ASM cluster for storage. Starting with Oracle Exadata System Software release 12.2.1.1.0, you can define ASM-scoped security based on Oracle ASM clusters. You use the ASMCLUSTER keyword with the ASSIGN KEY command. When you use the ASMCLUSTER keyword, the database name is qualified by the Oracle ASM unique identifier, creating a unique ID for each database, even if they have the same DB_UNIQUE_ID. Within each Oracle ASM cluster, the database names still have to be unique.

If you configure ASM-scoped security or DB-scoped security, then you also need to configure security keys to enable cell-to-cell operations. You create a key for each storage server, or cell, and assign that key as a local key for the cell using the ASSIGN KEY FOR LOCAL CELL command. You then assign the keys for the other cells that perform cell-to-cell operations with the current cell using the ASSIGN KEY FOR REMOTE CELL command.

Example 4-5 Creating a Security Key for Exadata Storage Security

Use the following command on any storage server to generate a unique security key. This key will be used to configure ASM-scoped security or DB-scoped security.

CellCLI> CREATE KEY
         66e12adb996805358bf82258587f5050

Example 4-6 cellkey.ora File Entries

This example shows the entries for the cellkey.ora file.

key=66e12adb996805358bf82258587f5050
asm=cluster1

4.4.4 Setting Up ASM-Scoped Security on Oracle Exadata Storage Servers

Configuring ASM-scoped security requires actions to be performed on both the database servers and storage servers.

The steps here are for configuring ASM-scoped security for a single Oracle ASM cluster and the databases that are clients of that Oracle ASM cluster. The examples in these steps assume that the Oracle ASM software owner is the user grid.

Shut down the Oracle Database and Oracle ASM instances.
On one of the storage servers, use the CellCLI CREATE KEY command to generate a random hexadecimal string. The command can be run on any storage server.
```
CellCLI> CREATE KEY

66e12adb996805358bf82258587f5050
```
Copy the key to the cellkey.ora file on one of the database servers.
1. Create a cellkey.ora in the home directory of the software owner, for example, /home/grid/cellkey.ora.
2. Using the format shown below, where cluster1 is an alias for the Oracle ASM cluster, add the key to the cellkey.ora file.
  The alias must be unique among all the clusters that access the storage servers. The Oracle Clusterware cluster name can be used if the clusters have unique names.
```
key=66e12adb996805358bf82258587f5050
asm=cluster1
```
Use the ASSIGN KEY command to assign the security key to the Oracle ASM cluster client on all the storage servers that you want the Oracle ASM cluster to access, for example:
```
CellCLI> ASSIGN KEY FOR ASMCLUSTER 'cluster1'='66e12adb996805358bf82258587f5050'
```
The above command must be repeated on all storage servers that you want the Oracle ASM cluster to access, or you can use a dcli command, as shown here:
```
dcli -g cell_group -l celladmin "cellcli -e \"ASSIGN KEY FOR ASMCLUSTER 'cluster1'=
'66e12adb996805358bf82258587f5050'\""
```
Configure security on the grid disks on all the storage servers that you want the Oracle ASM cluster to access.
You can configure the security key either when creating grid disks, or with the ALTER GRIDDISK command.
- To create new grid disks with security configured, use a command similar to the following where cluster1 is the unique name for the Oracle ASM client:
```
CellCLI> CREATE GRIDDISK ALL PREFIX=sales, size=75G, -
         availableTo='cluster1'
```
- To change security on existing grid disks, use a command similar to the following on every storage server. In the following example, cluster1 is the unique name for the Oracle ASM client. The grid disks specified in this command must include all the grid disks used by the Oracle ASM disk groups.
```
CellCLI> ALTER GRIDDISK sales_CD_01_cell01, sales_CD_02_cell01,           -
         sales_CD_03_cell01, sales_CD_04_cell01, sales_CD_05_cell01,      -
         sales_CD_06_cell01                                               -
         availableTo='cluster1'
```
In the preceding commands, the alias used, for example, cluster1, is a unique and consistent value on all the storage servers and among all the clusters. When you specify a value for availableTo, then only the clients configured with the same alias in the cellkey.ora file have access to the grid disks. If there is no value for the availableTo attribute, then any client has access to those grid disks.

Verify the key assignment on the storage servers.

CellCLI> LIST KEY

CellCLI> LIST GRIDDISK ATTRIBUTES name,availableTo

Copy the cellkey.ora file created in Step 3 to the /etc/oracle/cell/network-config directory on each database server.
In the following command, dbs_group is a file that contains the names of the database servers that are clients of the Oracle ASM cluster.
```
dcli -g dbs_group -l grid -f /home/grid/cellkey.ora -d /etc/oracle/cell/
network-config/cellkey.ora
```
On each database server, configure the permissions for the cellkey.ora.
- If you use role-separated management for all Oracle software, then set the permissions on the file to be read-only by the owner and the group. Change the group ownership for the file to the oinstall group that contains the installation users for both Oracle Grid Infrastructure (grid) and Oracle Database (oracle).
  
  You can use dcli to configure the file on multiple servers with a single command.
```
dcli -g dbs_group -l root chown grid:oinstall /etc/oracle/cell/
network-config/cellkey.ora 

dcli -g dbs_group -l grid chmod 440 /etc/oracle/cell/network-config/cellkey.ora
```
- If you use a single installation user for all Oracle software, then set the permissions on the file to be read-only by the software owner (for example, oracle).
```
chown oracle:oinstall /etc/oracle/cell/network-config/cellkey.ora
chmod 400 /etc/oracle/cell/network-config/cellkey.ora
```
On the database servers, restart Oracle Clusterware, the Oracle ASM instances, and the Oracle Database instances.
The commands to stop and start Oracle Clusterware are:
```
# crsctl stop crs
# crsctl start crs
```
Then restart the Oracle ASM and Oracle Database instances if they are not started automatically.
Remove the temporary cellkey.ora file created in Step 3.

4.4.5 Setting Up DB-Scoped Security on Oracle Exadata Database Machine

When configuring DB-scoped security, you perform actions on both the database and storage servers.

These steps are for configuring DB-scoped security for a single Oracle ASM cluster and the databases that are clients of that Oracle ASM cluster. The examples in these steps assume that the Oracle ASM software owner is the user grid and each Oracle Database home is owned by a different operating system user.

To configure DB-scoped security, the following conditions must exist:

The combination of the Oracle Database client unique name and the Oracle ASM Cluster used by the database client must be unique in your environment.
The Oracle Grid Infrastructure software installation and each Oracle Database software installation must be owned by different operating system users.
Each database client must have distinct Oracle ASM disk groups. The grid disks used by Oracle ASM disk groups can only be assigned to one Oracle ASM disk group.

Get the DB_UNIQUE_NAME for each database. Names are case-sensitive.
```
SQL> SELECT db_unique_name FROM V$DATABASE;
```
Shut down the databases and Oracle ASM instances for the Oracle ASM cluster.

On one of the storage servers, use the CellCLI CREATE KEY command to generate a key for Oracle ASM and a key for each Oracle Database client.

The command can be run on any storage server.

CellCLI> CREATE KEY
        66e12adb996805358bf82258587f5050

CellCLI> CREATE KEY
        f3f21c625ff41ef479a1bb033e0839e5

CellCLI> CREATE KEY
        cf03b74de32a67a6c1ec87b9da72bd47

Copy the key for Oracle ASM to the cellkey.ora file on one of the database servers.
1. Create a cellkey.ora in the home directory of the Oracle Grid Infrastructure software owner, for example, /home/grid/cellkey.ora.
2. Using the format shown below, where asm1 is an alias for the Oracle ASM cluster, add the key to the cellkey.ora file.
  The alias must be unique among all the clusters that access the storage servers. The Oracle Clusterware cluster name can be used if the clusters have unique names.
```
key=66e12adb996805358bf82258587f5050
asm=asm1
```
Copy the key for each Oracle Database client to a cellkey.ora file in the user directory of the Oracle home software owner on one of the database servers.
1. Create a cellkey.ora in the home directory of each Oracle Database software owner, for example, /home/db1user/cellkey.ora and /home/db2user/cellkey.ora.
2. Add the security key for each database client to the cellkey.ora file.
  Using the format shown here, where asm1 is an alias for the Oracle ASM cluster used by the database client. In this example, each database client uses the same Oracle ASM cluster.
```
$ cat /home/db1user/cellkey.ora
key=f3f21c625ff41ef479a1bb033e0839e5
asm=asm1
$ cat /home/db2user/cellkey.ora
key=cf03b74de32a67a6c1ec87b9da72bd47
asm=asm1
```
Note:
The asm field is used for both ASM-scoped security and DB-scoped security.
Use the ASSIGN KEY command to assign the security key for the Oracle ASM client on all the storage servers that you want the Oracle ASM cluster to access, for example:
```
CellCLI> ASSIGN KEY FOR 'asm1'='66e12adb996805358bf82258587f5050'
```
The above command must be repeated on all storage servers, or you can use a dcli command, as shown here:
```
dcli -g cell_group -l root "cellcli -e \"ASSIGN KEY FOR 'asm1'=
'66e12adb996805358bf82258587f5050'\""
```
Use the ASSIGN KEY command to assign the security key for each Oracle Database client on all the storage servers that contain grid disks used by the Oracle ASM disk groups of that database, for example:
```
CellCLI> ASSIGN KEY FOR 'db1'='f3f21c625ff41ef479a1bb033e0839e5'

CellCLI> ASSIGN KEY FOR 'db2'='cf03b74de32a67a6c1ec87b9da72bd47'
```
The above command must be repeated on all storage servers, or you can use a dcli command, as shown here, where cell_group_db1 contains a list of the storage servers used by the first database and cell_group_db2 contains the list of storage servers used by the second database:
```
dcli -g cell_group_db1 -l root "cellcli -e \"ASSIGN KEY FOR 'db1'=
'f3f21c625ff41ef479a1bb033e0839e5'\""

dcli -g cell_group_db2 -l root "cellcli -e \"ASSIGN KEY FOR 'db2'=
'cf03b74de32a67a6c1ec87b9da72bd47'\""
```
Configure security on the grid disks on all the storage servers that you want the database clients to access.
You can configure the security key either when creating grid disks, or with the ALTER GRIDDISK command.
- To create new grid disks with security configured, use a command similar to the following where asm1 is the unique name for the Oracle ASM client, and db1 and db2 are the unique names for the database clients:
```
CellCLI> CREATE GRIDDISK data1_CD_00_cell01,data1_CD_01_cell01, -
data1_CD_02_cell01 size=75G, availableTo='asm1,db1'

CellCLI> CREATE GRIDDISK reco1_CD_00_cell01,reco1_CD_01_cell01, -
reco1_CD_02_cell01 size=75G, availableTo='asm1,db1'

CellCLI> CREATE GRIDDISK data2_CD_00_cell01,data2_CD_01_cell01, -
data2_CD_02_cell01 size=75G, availableTo='asm1,db2'

CellCLI> CREATE GRIDDISK reco2_CD_00_cell01,reco2_CD_01_cell01, -
reco2_CD_02_cell01 size=75G, availableTo='asm1,db2'
```
- To change security on existing grid disks, use a command similar to the following on every storage server. In the following example, asm1 is the unique name for the Oracle ASM client, and db1 and db2 are the unique names for the database clients. The grid disks specified in this command must include all the grid disks used by the Oracle ASM disk groups for each database client.
```
CellCLI> ALTER GRIDDISK data1_CD_00_cell01, data1_CD_01_cell01, -
data1_CD_02_cell01, reco1_CD_00_cell01, reco1_CD_01_cell01, reco1_CD_02_cell01, -
availableTo='asm1,db1'

CellCLI> ALTER GRIDDISK data2_CD_00_cell01, data2_CD_01_cell02, -
data2_CD_02_cell01, reco2_CD_00_cell01, reco2_CD_01_cell01, reco2_CD_02_cell01, -
availableTo='asm1,db2'
```
When you specify a value for availableTo, then only the clients configured with the same key assigned to that alias in their cellkey.ora file have access to the grid disks. If there is no value for the availableTo attribute, then any client has access to those grid disks.

Verify the key assignment on the storage servers.

CellCLI> LIST KEY
        asm1    66e12adb996805358bf82258587f5050
        db1     f3f21c625ff41ef479a1bb033e0839e5
        db2     cf03b74de32a67a6c1ec87b9da72bd47

CellCLI> LIST GRIDDISK ATTRIBUTES name,availableTo WHERE availableTo=!''
         DATA1_CD_00_cell01     asm1,db1
         DATA1_CD_01_cell01     asm1,db1
         DATA1_CD_02_cell01     asm1,db1
         DATA2_CD_00_cell01     asm1,db2
         DATA2_CD_01_cell01     asm1,db2
         DATA2_CD_02_cell01     asm1,db2
...

Copy the cellkey.ora file created in step 4 to the /etc/oracle/cell/network-config directory on each database server.
In the following command, dbs_group is a file that contains the names of the database servers that are clients of the Oracle ASM cluster.
```
dcli -g dbs_group -l grid -f /home/grid/cellkey.ora -d /etc/oracle/cell/
network-config/cellkey.ora
```
On each database server, set the permissions for the cellkey.ora file for Oracle ASM to be read-only by the file owner and the group.
You can use dcli to configure the file permissions multiple servers with a single command. In the following example, dbs_group is a file that contains a list of all the database servers that are clients of the Oracle ASM cluster.
```
dcli -g dbs_group -l grid chmod 640 /etc/oracle/cell/network-config/
cellkey.ora
```
Copy each cellkey.ora file created in step 5 to its $ORACLE_HOME/admin/db_unique_name/pfile directory on each database server.
In the following command, db1_group is a file that contains the names of the database servers that host the database instances for the db1 database, and dbuser1 is the operating system user that owns the $ORACLE_HOME/admin/db1 directory.
```
dcli -g db1_group -l dbuser1 -f /home/dbuser1/cellkey.ora 
-d $ORACLE_HOME/admin/db1/pfile/cellkey.ora
```
In this example, db2_group is a file that contains the names of the database servers that host the database instances for the database with the unique database name of db2, and dbuser2 is the operating system user that owns the $ORACLE_HOME/admin/db2 directory.
```
dcli -g db2_group -l dbuser2 -f /home/dbuser2/cellkey.ora 
-d $ORACLE_HOME/admin/db2/pfile/cellkey.ora
```
On each database server, set the permissions the permissions for the cellkey.ora file in each Oracle database home to be accessible by only the file owner.
You can use dcli to configure the file permissions multiple servers with a single command. In the following example, db1_group is a file that contains the names of the database servers that host the database instances for the database with the unique database name of db1, and dbuser1 is the operating system user that owns the $ORACLE_HOME/admin/db1 directory.
```
dcli -g db1_group -l dbuser1 chmod 600 $ORACLE_HOME/admin/
db1/pfile/cellkey.ora
```
In this example, db2_group is a file that contains the names of the database servers that host the database instances for the database with the unique database name of db2, and dbuser2 is the operating system user that owns the $ORACLE_HOME/admin/db2 directory.
```
dcli -g db2_group -l dbuser2 chmod 600 $ORACLE_HOME/admin/db2/pfile/
cellkey.ora
```
On the database servers, restart Oracle Clusterware, the Oracle ASM instances, and the Oracle Database instances.
The commands to stop and start Oracle Clusterware are:
```
# crsctl stop crs
# crsctl start crs
```
Then restart the Oracle ASM and Oracle Database instances if they are not started automatically by Oracle Clusterware.
Remove the temporary cellkey.ora files created in step 4 and step 5.

4.4.6 Changing Security Keys for ASM-Scoped Security or DB-Scoped Security

You can change the keys used with ASM-scoped security or DB-scoped security.

Upgrading ASM-Scoped Security Key for ASMCLUSTER
Starting with Oracle Exadata System Software release 12.2.1.1.0, you can define ASM-scoped security based on Oracle ASM clusters.
Changing the Assigned Key Value for ASM-Scoped Security
You can change the key value used for an Oracle ASM client configured to use ASM-scoped security.
Changing the Assigned Key Value for DB-Scoped Security
You can change the key value used by an Oracle Database client configured to use DB-scoped security.

Parent topic: Configuring Data Security for Exadata Storage Servers

4.4.6.1 Upgrading ASM-Scoped Security Key for ASMCLUSTER

Starting with Oracle Exadata System Software release 12.2.1.1.0, you can define ASM-scoped security based on Oracle ASM clusters.

The identifying names used for the Oracle ASM and database instances must be unique. However, in some environments, there is more than one database with the same value for the DB_UNIQUE_ID. If each database uses a different Oracle ASM cluster for storage, then you can use the ASMCLUSTER keyword when assigning the security key to specify that access should be limited to the specified Oracle ASM cluster.

When you use the ASMCLUSTER keyword, the database name is qualified by the Oracle ASM unique identifier, creating a unique ID for each database, even if they have the same DB_UNIQUE_ID. Within each Oracle ASM cluster, the database names still have to be unique.

Note:

Do not use the ASMCLUSTER keyword when assigning keys if you are using DB-scoped security. Only use the ASMCLUSTER keyword for ASM-scoped security.

If you have ASM-scoped security configured, but want to change the keys to be ASMCLUSTER keys, perform the following steps:

Obtain the key value that you want to upgrade to an ASMCLUSTER key.

$ dcli -c dm01cel01,dm01cel02,dm01cel03 cellcli -e list key
dm01cel01:      asm1   118af47c57ab8da650ab67d5587fe728
dm01cel02:      asm1   118af47c57ab8da650ab67d5587fe728
dm01cel03:      asm1   118af47c57ab8da650ab67d5587fe728

Re-issue the ASSIGN KEY command using the same key value but adding the ASMCLUSTER keyword.
```
$ dcli -c dm01cel01,dm01cel02,dm01cel03 "cellcli -e assign key for ASMCLUSTER
 \'asm1\'=\'118af47c57ab8da650ab67d5587fe728\'"
```
The name and key are removed from the ASM-scoped security list, and added as an Oracle ASM cluster client. Grid disks with this Oracle ASM client in their ACL can remain online for this operation.

Verify the keys have been upgraded to ASMCLUSTER keys.

$ dcli -c dm01cel01,dm01cel02,dm01cel03 cellcli -e list key
dm01cel01:      asm1   118af47c57ab8da650ab67d5587fe728      ASMCLUSTER
dm01cel02:      asm1   118af47c57ab8da650ab67d5587fe728      ASMCLUSTER
dm01cel03:      asm1   118af47c57ab8da650ab67d5587fe728      ASMCLUSTER

Parent topic: Changing Security Keys for ASM-Scoped Security or DB-Scoped Security

4.4.6.2 Changing the Assigned Key Value for ASM-Scoped Security

You can change the key value used for an Oracle ASM client configured to use ASM-scoped security.

Shut down the Oracle Database and Oracle ASM instances for which you are changing the security configuration.
Use the CellCLI CREATE KEY command to generate a random hexadecimal string. The command can be run on any cell.
```
CellCLI> CREATE KEY

          f3d15c0c5e854345bcb3c2b678b1de45
```
Update the cellkey.ora file.
1. On one of the database servers, copy the /etc/oracle/cell/network-config/cellkey.ora file to the grid owner home directory, for example, /home/grid/cellkey.ora,
2. Update the file to use the new key for the Oracle ASM client.
```
key=f3d15c0c5e854345bcb3c2b678b1de45
asm=asm1
```
Copy the cellkey.ora file to /etc/oracle/cell/network-config on each database server, overwriting the existing file.
In the following command, dbs_group is a file that contains the names of the database servers that are clients of the Oracle ASM cluster, and grid is the software owner for the Oracle ASM installation.
```
dcli -g dbs_group -l grid -f /home/grid/cellkey.ora -d /etc/oracle/cell/
network-config/cellkey.ora
```
Make sure the permissions for the cellkey.ora in /etc/oracle/cell/network-config are configured so that only the Oracle Grid Infrastructure software owner has access to the file.
Make sure the owner of the file is the Oracle Grid Infrastructure software owner. If the current file permissions are not rw------- (600), then modify the permissions, as shown in the following command:
```
dcli -g dbs_group -l grid chmod 600 /etc/oracle/cell/network-config/cellkey.ora
```
Use the ASSIGN KEY command to update the security key assigned to the Oracle ASM cluster client on all the cells that contains grid disks used by the Oracle ASM cluster.
Use the same identifier and key value for the Oracle ASM client that is used in the cellkey.ora file on the database servers.
```
dcli -g cell_group -l root "cellcli -e \"ASSIGN KEY FOR 'asm1'='f3d15c0c5e8543
45bcb3c2b678b1de45'
```
Starting with Oracle Exadata System Software release 12.2.1.1.0, add the ASMCLUSTER keyword to the ASSIGN KEY command if the security is based only on Oracle ASM clusters. Specify the Oracle ASM cluster name for the unique name for the key. For example:
```
CellCLI> ASSIGN KEY FOR ASMCLUSTER '+asm1' -
         ='f3d15c0c5e854345bcb3c2b678b1de45
```
Note:
If you are using DB-scoped security, do not add the ASMCLUSTER keyword to the ASSIGN KEY command.
On the database servers, restart Oracle Clusterware, the Oracle ASM instances, and the Oracle Database instances.
The commands to stop and start Oracle Clusterware are:
```
# crsctl stop crs
# crsctl start crs
```
Then restart the Oracle ASM and Oracle Database instances if they are not started automatically by Oracle Clusterware.
Remove the temporary cellkey.ora files created in step 3.

Related Topics

Upgrading ASM-Scoped Security Key for ASMCLUSTER

Parent topic: Changing Security Keys for ASM-Scoped Security or DB-Scoped Security

4.4.6.3 Changing the Assigned Key Value for DB-Scoped Security

You can change the key value used by an Oracle Database client configured to use DB-scoped security.

Shut down the Oracle Database instances for which you are changing the security configuration.
Use the CellCLI CREATE KEY command to generate a random hexadecimal string.
This command can be run on any cell.
```
CellCLI> CREATE KEY

          fa292e11b31b210c4b7a24c5f1bb4d32
```
Update the cellkey.ora file for the database client.
1. On one of the database servers, copy the $ORACLE_HOME/admin/db_unique_name/pfile/cellkey.ora file to the user directory for the Oracle software owner, for example, /home/oradba1/cellkey.ora.
2. Update the file to use the new key for the database client.
```
key=fa292e11b31b210c4b7a24c5f1bb4d32
asm=asm1
```
Copy the cellkey.ora file to $ORACLE_HOME/admin/db_unique_name/pfile on each database server, overwriting the existing file.
In the following command, dba1_group is a file that contains the names of the database servers that host instances of the database client, and oradba1 is the software owner for the Oracle Database installation.
```
dcli -g dba1_group -l oradba1 -f /home/oradba1/cellkey.ora -d $ORACLE_HOME/admin/
db_unique_name/pfile/cellkey.ora
```
Make sure the permissions for the cellkey.ora in $ORACLE_HOME/admin/db_unique_name/pfile are configured so that only the Oracle Database software owner has access to the file.
Make sure the owner of the file is the Oracle Database software owner. If the current file permissions are not rw------- (600), then modify the permissions, as shown in the following command:
```
dcli -g dba1_group -l oradba1 chmod 600 $ORACLE_HOME/admin/db_unique_name/
pfile/cellkey.ora
```
Use the ASSIGN KEY command to update the security key assigned to the Oracle Database client on all the cells that contains grid disks used by the database.
Use the DB_UNIQUE_NAME for the database and the new key value for the database client.
```
dcli -g cell_group -l celladmin "cellcli -e \"ASSIGN KEY FOR 'db_unique_name'=
'fa292e11b31b210c4b7a24c5f1bb4d32'
```
On the database servers, restart the Oracle Database instances.
Remove the temporary cellkey.ora file created in step 3.

4.4.7 Enabling Cell-to-Cell Operations

If you have configured ASM-scoped security or DB-scoped security for your Oracle Exadata Database Machine, then you must configure access control to ensure direct cell-to-cell operations are not restricted.

To ensure cells have access to other cells when they need to communicate directly with one another, for example for offload operations, you need to set up cell keys for each cell.

Configuring Simple Cell Access
You can use a single key for both inbound and outbound cell-to-cell traffic.
Configuring LOCAL and REMOTE Cell Keys
You can configure each cell to have a unique key and to accept multiple remote cell keys for granting access.
Changing Between Simple Cell Keys and LOCAL and REMOTE Keys
You must remove the existing cell keys before assigning any new keys with a different format. This protects you from inadvertently breaking your configuration by having different remote and local keys on the storage servers.

Parent topic: Configuring Data Security for Exadata Storage Servers

4.4.7.1 Configuring Simple Cell Access

You can use a single key for both inbound and outbound cell-to-cell traffic.

To ensure cells have access to other cells when they need to communicate directly with one another, for offload operations for example, you can create a single key. Assign that key to all cells using the simple version of the ASSIGN KEY command.

It is not necessary to use the ALTER GRIDDISK command to update the availableTo attribute for the cell key. The cells use the existing access control policy by making sure the originating client is identified at the remote target cell.

Perform these steps only if you have already configured ASM-Scoped Security or DB-Scoped Security.

Generate a random hexadecimal string.
This command can be run on any cell.
```
CellCLI> CREATE KEY
      fa292e11b31b210c4b7a24c5f1bb4d32
```

Assign the key to each cell.

CellCLI> ASSIGN KEY FOR CELL 'fa292e11b31b210c4b7a24c5f1bb4d32'

To update all cells with a single command, use dcli.

dcli -g mycells -l celladmin "cellcli -e assign key for cell \'fa292e11b31b210c4b7a24c5f1bb4d32\'"

Parent topic: Enabling Cell-to-Cell Operations

4.4.7.2 Configuring LOCAL and REMOTE Cell Keys

You can configure each cell to have a unique key and to accept multiple remote cell keys for granting access.

To ensure cells have access to other cells when they need to communicate directly with one another, for offload operations for example, you create cell keys. You can create a single key used by all cells, or you can assign a unique key to individual cells using the LOCAL and REMOTE keywords.

You might want to use multiple cell keys temporarily during rekeying, or if you want to limit access to specific cells. In this case, you need to specify LOCAL or REMOTE in the ASSIGN KEY command.

Perform these steps only if you have already configured ASM-Scoped Security or DB-Scoped Security.

Generate a random hexadecimal string for each cell.

These commands can be run on any cell.

Cellcli> CREATE KEY
      fa292e11b31b210c4b7a24c5f1bb4d3

Cellcli> CREATE KEY
      b67d5587fe728118af47c57ab8da650a

Cellcli> CREATE KEY
      118af47c57ab8da650ab67d5587fe728

On each cell, set the key for the local cell.

Specify a unique identifier for each cell, for example, cell01, cell02, and so on.


[celladmin@dm01cel01 ~]$ cellcli -e assign key for local cell -
'cell01'='fa292e11b31b210c4b7a24c5f1bb4d3'
[celladmin@dm01cel02 ~]$ cellcli -e assign key for local cell -
'cell02'='b67d5587fe728118af47c57ab8da650a'
[celladmin@dm01cel03 ~]$ cellcli -e assign key for local cell -
'cell03'='118af47c57ab8da650ab67d5587fe728'

Set the cell keys that the local cell will accept.

For each cell that you want to grant access to the local cell, use the ASSIGN KEY FOR REMOTE CELL command and specify the local key of that cell. You can specify any name for the remote keys.

[celladmin@dm01cel01 ~]$ cellcli -e assign key for remote cell -
'rcell02'='b67d5587fe728118af47c57ab8da650a', -
'rcell03'='118af47c57ab8da650ab67d5587fe728'

[celladmin@dm01cel02 ~]$ cellcli -e assign key for remote cell -
'rcell01'='fa292e11b31b210c4b7a24c5f1bb4d3', -
'rcell03'='118af47c57ab8da650ab67d5587fe728'


[celladmin@dm01cel03 ~]$ cellcli -e assign key for remote cell -
'rcell01'='fa292e11b31b210c4b7a24c5f1bb4d3', -
'rcell02'='b67d5587fe728118af47c57ab8da650a'

Verify that the keys are set on each storage server.

CellCLI> LIST KEY
       db1        c25a62472a160e28bf15a29c162f1d74
       asm1       118af47c57ab8da650ab67d5587fe728      ASMCLUSTER
       cell01     fa292e11b31b210c4b7a24c5f1bb4d32      LOCAL-CELL
       rcell02    b67d5587fe728118af47c57ab8da650a      REMOTE-CELL
       rcell03    118af47c57ab8da650ab67d5587fe728      REMOTE-CELL

Parent topic: Enabling Cell-to-Cell Operations

4.4.7.3 Changing Between Simple Cell Keys and LOCAL and REMOTE Keys

You must remove the existing cell keys before assigning any new keys with a different format. This protects you from inadvertently breaking your configuration by having different remote and local keys on the storage servers.

If you attempt to assign a LOCAL or REMOTE key to an existing cell key (that is, you have run the simple ASSIGN KEY FOR CELL command, and you want to switch to the explicit LOCAL or REMOTE keys), you will get the following error:

CELL-02911: Remove existing CELL key before assigning LOCAL CELL key

Similarly, if you attempt run ASSIGN KEY FOR CELL when local or remote cell keys already exist, you will get the following error:

CELL-02912: Remove all existing LOCAL and REMOTE CELL keys before assigning a CELL key.
 Use LIST KEY FOR CELL to show all LOCAL and REMOTE CELL keys, then use ASSIGN KEY to assign an 
empty value to each.

You must remove all existing LOCAL and REMOTE cell keys before assigning a simple cell key.

View the configured keys on each storage server.

For simple cell keys, you would see results similar to the following:

CellCLI> LIST KEY
       db1        c25a62472a160e28bf15a29c162f1d74
       asm1       b4095e91d67bbf68d2e2fbe1fc50530f      ASMCLUSTER
       cellkey    fa292e11b31b210c4b7a24c5f1bb4d32      CELL

For local and remote cell keys, you would see results similar to the following:

CellCLI> LIST KEY
       db1        c25a62472a160e28bf15a29c162f1d74
       asm1       b4095e91d67bbf68d2e2fbe1fc50530f      ASMCLUSTER
       cell01     fa292e11b31b210c4b7a24c5f1bb4d32      LOCAL-CELL
       rcell02    b67d5587fe728118af47c57ab8da650a      REMOTE-CELL
       rcell03    118af47c57ab8da650ab67d5587fe728      REMOTE-CELL

Remove the existing cell keys.

For simple cell keys, use a command similar to the following:

dcli -g mycells -l celladmin "cellcli -e assign key for cell 'cell01'=''"

For local and remote cell keys:

Remove the local key on each cell.

[celladmin@dm01cel01 ~]$ cellcli -e assign key for local cell 'cell01'=''
[celladmin@dm01cel02 ~]$ cellcli -e assign key for local cell 'cell02'=''
[celladmin@dm01cel03 ~]$ cellcli -e assign key for local cell 'cell03'=''

Run the following commands from any server to remove the remote keys on each cell:

dcli -g mycells -l celladmin "cellcli -e assign key for remote cell 'rcell01'=''" 
dcli -g mycells -l celladmin "cellcli -e assign key for remote cell 'rcell02'=''"
dcli -g mycells -l celladmin "cellcli -e assign key for remote cell 'rcell03'=''"

Recreate the keys in the desired format.
1. To change simple cell keys to local and remote keys, follow the steps in Configuring LOCAL and REMOTE Cell Keys
2. To change local and remote cell keys to a simple cell key, follow the steps in Configuring Simple Cell Access.

Parent topic: Enabling Cell-to-Cell Operations

4.4.8 Removing ASM-Scoped Security or DB-Scoped Security

If you want to revert to an open security model, you must remove DB-scoped security for grid disks before removing ASM-scoped security.

Before making updates to the security on cells, you must shut down the Oracle Database and Oracle ASM instances. After all of the changes to security configuration are complete, start the Oracle Database and Oracle ASM instances.

Removing DB-Scoped Security
Removing ASM-Scoped Security
After you have removed DB-scoped security, you can remove ASM-scoped security if you want open security for the grid disks on the storage servers.

Parent topic: Configuring Data Security for Exadata Storage Servers

4.4.8.1 Removing DB-Scoped Security

To remove DB-scoped security on grid disks, perform the following procedure:

Shut down the Oracle Database and Oracle ASM instances.
Remove any database clients named in the availableTo attribute of the grid disks for which you want to remove DB-scoped security. Example 4-7 provides examples of how to do this.

Note:
If you removing DB-scoped security for a database client for only some of the grid disks, but not all, do not complete any further steps.
If a database client is not configured for security with any other grid disks, then you can remove the key assigned to the database client on the storage servers. Use the CellCLI ASSIGN KEY command.
In the following command, db_client is the name of the database client. To the right of the equal sign are two single quote characters with no space between them.
```
CellCLI> ASSIGN KEY FOR 'db_client'=''
```
Repeat this step on each storage server (cell) for which the database client no longer needs DB-scoped security.
On each database server, remove the cellkey.ora file located in the $ORACLE_HOME/admin/db_unique_name/pfile/ directory for the database client.

Verify the key assignment has been updated on the storage servers.

CellCLI> LIST KEY
        asm1    66e12adb996805358bf82258587f5050
        db2     cf03b74de32a67a6c1ec87b9da72bd47

CellCLI> LIST GRIDDISK ATTRIBUTES name,availableTo WHERE availableTo=!''
         DATA1_CD_00_cell01     asm1
         DATA1_CD_01_cell01     asm1
         DATA1_CD_02_cell01     asm1
         DATA2_CD_00_cell01     asm1,db2
         DATA2_CD_01_cell01     asm1,db2
         DATA2_CD_02_cell01     asm1,db2
...

Restart the Oracle Database and Oracle ASM instances.

Example 4-7 Removing Database Clients from Grid Disks

The following command removes all database clients from a group of grid disks:

CellCLI> ALTER GRIDDISK DATA1_CD_00_cell01, DATA1_CD_01_cell01,                  -
         DATA1_CD_02_cell01, RECO1_CD_00_cell01, RECO1_CD_01_cell01,             -
         RECO1_CD_02_cell01                                                      -
         availableTo='asm1'

If there are multiple database clients configured for DB-scoped security, for example db1, db2, and db3, and you only want to remove security for one client (db1), you can use a command similar to the following for a group of grid disks:

CellCLI> ALTER GRIDDISK sales_CD_04_cell01, sales_CD_05_cell01,                  -
         sales_CD_06_cell01, sales_CD_07_cell01, sales_CD_08_cell01,             -
         sales_CD_09_cell01,                                                     -
         availableTo='+asm,db2,db3'

The following example removes all database clients from all grid disks:

ALTER GRIDDISK ALL availableTo='+asm'

Note:

If you want open security for the grid disks and storage servers, then you must remove ASM-scoped security after removing DB-scoped security.

Related Topics

Removing ASM-Scoped Security

Parent topic: Removing ASM-Scoped Security or DB-Scoped Security

4.4.8.2 Removing ASM-Scoped Security

After you have removed DB-scoped security, you can remove ASM-scoped security if you want open security for the grid disks on the storage servers.

Shut down the Oracle Database and Oracle ASM instances.
Use the LIST KEY command to view the unique alias used for the Oracle ASM client.
Run this command on any storage server where ASM-scoped security is configured for the Oracle ASM client.
```
CellCLI> LIST KEY
        asm1    66e12adb996805358bf82258587f5050
        db2     cf03b74de32a67a6c1ec87b9da72bd47
```
Remove the Oracle ASM client named in the availableTo attribute of the grid disks for which you want to remove ASM-scoped security.

Use the alias from step 2. Example 4-8 provides examples of how to do this.
If the Oracle ASM client is not configured for security with any other grid disks, then you can remove the key assigned to the Oracle ASM client on the storage servers. Use the CellCLI ASSIGN KEY command.
1. Determine if the Oracle ASM client in step 2 shows the ASMCLUSTER designation to the right of the key value.
2. Use the ASMCLUSTER keyword in the ASSIGN KEY command only if the Oracle ASM client is listed as an ASMCLUSTER.
In the following command, asm_cluster is the alias from step 2. To the right of the equal sign are two single quote characters with no space between them.
```
CellCLI> ASSIGN KEY FOR ASMCLUSTER 'asm_cluster'=''
```
Run this command on all storage servers on which the key was assigned to the Oracle ASM client. You can alternatively use a command similar to the following:
```
dcli -g cell_group -l celladmin "cellcli -e \"ASSIGN KEY FOR ASMCLUSTER 'asm_cluster'=''\""
```
Update or delete the cellkey.ora file.

View the cellkey.ora file located in the /etc/oracle/cell/network-config/ directory on each database server.

If the Oracle ASM client for which you are removing ASM-scoped security is the only client listed in the file, then remove the cellkey.ora file on all servers with the same file contents.

If there is more than one Oracle ASM client listed in the cellkey.ora file, then perform the following steps:
1. Remove the entry for the Oracle ASM client for which you are removing ASM-scoped security.
2. For all servers that list the Oracle ASM client in the cellkey.ora file, copy this file to those servers, or update the file on those servers.

Verify the key assignment has been updated on the storage servers.

CellCLI> LIST KEY

CellCLI> LIST GRIDDISK ATTRIBUTES name,availableTo WHERE availableTo != ''

Restart the Oracle Database and Oracle ASM instances.

Example 4-8 Removing the Oracle ASM Client from Grid Disks

The following command removes the Oracle ASM client from all grid disks on a cell:

CellCLI> ALTER GRIDDISK ALL availableTo=''

The following command removes the Oracle ASM client from all grid disks on a group of cells:

dcli -g cell_group -l celladmin "cellcli -e \"ALTER GRIDDISK ALL availableTo=''\""

The following command removes the Oracle ASM client from a group of grid disks on a cell:

CellCLI> ALTER GRIDDISK sales_CD_01_cell01, sales_CD_02_cell01,       -
         sales_CD_03_cell01, sales_CD_04_cell01, sales_CD_05_cell01,  -
         sales_CD_06_cell01                                          
         availableTo=''