Oracle Solaris 11 - Ad Valoremkonferenciak.advalorem.hu/uploads/files/INFR_Vegh_Karoly.pdf · Oracle Solaris 11.3 •Next Generation Virtualization –Simple administration –Leverages

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Oracle Solaris 11 Security. Speed. Simplicity.

Karoly Vegh Principal Systems Consultant


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3


COMPLETE.

DataBase integration

Virtualization OpenStack OS

4

Secure


• Security and Compliance

• Virtualization and Cloud

• Oracle SW integration

Oracle Confidential – Internal/Restricted/Hig

5


Security and Compliance


6


End to End Cryptography

• Cryptographic platform automatically accelerates Java, Oracle Database, OpenSSL, and custom applications

• Cryptographic protection of data at rest and in motion

• High performance hardware based cryptography, near 0% overhead

• Meet compliance obligations with high performance disk encryption

• Integrates with Oracle Key Manger

Secure Application: Oracle Solaris Cryptoframework

Applications

Java

Oracle Database

Operating System Utilities

Storage

Virtualization

Firmware

7


EU Global Data Protection Regulation

Regulation/Law not a Directive

Immediate effect on 28 EU members after 2 year transition period

Does not require any enabling legislation to be passed by

governments

Extends the scope to all foreign companies processing data of EU

residents

Unify Data Protection within the EU with a single law


Oracle SuperCluster Security Technologies Compute Storage Network Database

Secure Isolation

§ Physical

§ Electrical

§ Hypervisor-Mediated

§ Kernel-Mediated

§ Physical

§ ASM Instances

§ ZFS Data Sets

§ Physical (Ethernet)

§ Ethernet VLANs

§ InfiniBand Partitions

§ Multitenant

§ Instances

§ Schema

§ Labels

Access Control

§ RBAC / Privileges

§ LDOM Administration

§ Zone Administration

§ ZFS ACLs

§ Exadata Security

§ NFS Security

§ IP Filter / iptables

§ Switch ACLs

§ Audit Vault and Database Firewall

§ Roles and Privileges

§ Real Application

Security

§ Database Vault

Data Protection

§ Immutable Zones

§ Read-Only Mounts

§ ZFS Administration

§ ZFS Encryption

§ LOFI Encryption

§ TDE

§ SSH

§ SSL / TLS

§ IPsec / IKE

§ Virtual Private DB

§ Data Masking

§ Redaction

Monitoring and Auditing

§ Solaris Auditing

§ Linux Auditing

§ BART / AIDE

§ ZFS Storage Appliance Logs

§ Exadata Storage Auditing

§ IP Filter / iptables

§ Switch Logs

§ Database Auditing

§ Audit Vault and

Database Firewall


Easy

Compliance

One Step

Compliance Reporting

Stay

compliant

A More Compliant Deployment How can we report my compliance status to my auditors?

10

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Simple Compliance Reporting

11


• Evaluations

– Common Criteria validated: EAL4 (highest for commercial SW) • EAL5 ist PRISM@NSA

• Data OnTap, VMWare Vsphere is EAL2

– FIPS 140-2 validated Crypto (govermental and industrial sector: correctly implementing cryptographic algorithms) • (often procurement requirement)

An Assured Platform What external security validations does Oracle test against?

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 13

Secure OpenStack-Based IaaS

• Secure services

– Minimum privileges

• Data at Rest

– ZFS Encryption

• Data in Motion

– Secure Migration

• Network

– Data link Protection

• Application

– Read only VM

Oracle Solaris Oracle Solaris Oracle Solaris

Zone Zone

Zone Zone

Zone

Zone

Zone

Zone


Virtualization and Cloud


14

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 15

Solaris Virtualization vs. the Competition OS and Virtualization – Engineered Together

RHEL Native Zone or Kernel Zone Guest

VMware

HP

Traditional Hypervisors Separate, isolated, slow

Native Zones, Kernel Zones, OVM Engineered, performant, robust, secure

Zero Performance overhead

Oracle Solaris Host OS

Hardware

Dee

p In

tegr

atio

n


Oracle Solaris 11

Seamless Transition from Oracle Solaris 10

16

V2V

P2V

Oracle Solaris Zones System Preflight

Checker

• Minimal transition effort:

– Reduce risk with automated checks before you move

– Tools move you quickly and simply

– Transition in minutes

Solaris 10 Zone

FUSION APPLICATIONS

Oracle Solaris 10

Solaris 10 Zone

DATABASE

DATABASE

Oracle Solaris 10

Solaris Zone

FUSION APPLICATIONS


• Protect at every level:

– Environment: Unique Read Only virtualization

– Memory: ADI on the chip

– Network: Embedded network protection

– Data at rest: ZFS encryption

– Data on the move: End to End Encryption

• No performance impact: Auto-offloading of CPU-intensive security functions

• Protect against malicious and unintentional acts

17

Enterprise Class Built-in Security Defense in Depth

None Flexible Fixed Strict

/, /usr, /lb, … Writeable Read Only Read Only Read Only

/etc Writeable Writeable Read Only Read Only

/var Writeable Writeable Writeable Read Only

other Writeable Read Only Read Only Read Only

Oracle Solaris

Solaris Zone

DATABASE

Solaris Zone

WEBLOGIC SERVER

VNIC VNIC

ZFS

PNIC PNIC


Top US Wireless Service Provider Oracle Database-as-a-Service Private Cloud

18

Solution

• 26 T5-8s

• 22 T5-4s

• 3 data centers

• 2 secure areas for PCI compliance

Results

• Saved $500 per VM vs. x86/Red Hat

• Total saving $20,000,000

• 12:1 consolidation ratio

• Flexibility for easy provisioning with Solaris Zones

FUSION MIDDLEWARE WEBLOGIC SUITE

SOLARIS


Oracle Solaris 11.3

• Next Generation Virtualization

– Simple administration

– Leverages Oracle Solaris resource management and network virtualization

– Seamless P2V and V2P

– Locked-down root file system for both guest and host

– Run “any” version, forward and backward compatibility

– Recognized as a License Boundary

19

Solaris Kernel Zones OS and Virtualization – Engineered Together

Infiniband Fabric

10GbE Network

Solaris 11.4 Zone Solaris 11.3 Zone

DATABASE

Solaris 11.2 Zone

WEBLOGIC SERVER

Virtual Router

SRU9


Horizon

Cloud Management

Zones and Kernel Zones

Nova Compute Virtualization

Elastic Virtual Switch

Neutron Cloud Networking

ZFS File System

Cinder/Swift Cloud Storage

Unified Archives

Glance Image Deployment

Full OpenStack Distribution Integrated with Oracle Solaris


OpenStack Across Oracle’s Portfolio

Horizon Centralized Cloud Management

Oracle Solaris, Oracle Linux, Oracle VM

Nova / Ironic Self-Service Compute

and Bare Metal

Oracle Solaris, Oracle Linux, Oracle Virtual

Networking

Neutron Software Defined

Networking

Oracle Solaris, Oracle Linux, Oracle ZFSSA, Oracle FS1,

Oracle Tape Solutions, Oracle Axiom

Cinder / Swift / Manilla Cloud Scale Storage

Oracle Solaris, Oracle Linux, Oracle VM Templates, Oracle

Database 12c

Heat / Glance Murano / Trove

Platform as a Service

Built into the Infrastructure

21


Cloud Ready Data Retention

22

SL8500

Large US Web Technology Provider

SWIF

T HSM

Object Storage


Oracle Database Integration


23

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 24

Unique Advantages of Oracle Solaris for Oracle Database

• DTrace intagration

• SQL views

• End-to-end performance analytics

Real Time

Analytics

• Locking Mechanism in KernelSpace

• Performance improvements via Platform Choice

RAC offloading

• Memory optimizations for Oracle Database: SGA resize

• No Downtime

Optimized Shared

Memory

• Cryptooffloading

• Zero performance impact

Transparent Data

Encryption

Oracle Confidential – Internal


CPU

Full MT-hot kernel, scales to 100s of cores and 1,000s of HW threads Support for Critical Threads features in T4 chip 5x performance improvement of high-resolution timer Multi-processing and multi-threading support for Oracle DB Multi-CPU binding for NUMA-aware interrupt distribution Multi CPU binding for pools

Memory

Large Page support Optimized Shared Memory (OSM) NUMA I/O Framework Fast DB Restart Latency-aware kernel memory allocator (x86, SPARC) Re-architecture of Virtual Memory sub-system (VM 2) Userland Fast-Memory Registration and Shared Protection Domain Read-only access to In-Memory Columnar Data In-Memory time stamps Up to 20x faster SGA fill times with VM2 and OSM integration Memory reservation pools

File System Userland file system for DB, Oracle File Server support

I/O

Support for low-latency Infiniband: RDSv3, SDP Direct I/O with concurrent writes Network Resource Management for RDSv3, Prioritized flows for TCP/IP IB I/O Resiliency

Examples of Optimizations for Oracle DB The Tip of the Iceberg

Key: Solaris 11.2 New in Solaris 11.3


Observability Enhanced observability for segmentation faults Read-out of libdtrace by Oracle 12c Fine-grain IB performance stats for RDSv3 and OFUV

Reliability and Availability

Dynamic reconfiguration notifications for DB for resources rebalancing FMA callback for bad hardware Alternative Path Migration (APM) fail-over for RDSv3 Hot add and remove of IB HCA

Performance

Improved PGA performance 2x faster DB Start and Stop Kernel lock acceleration for Oracle RAC SR-IOV support for OVM SPARC

Multi-tenancy Zones: Secure isolation, lowest latency virtualization; Kernel Zones PDBs: Reservation of multiple virtual address spaces

Security Transparent crypto off-load for SPARC and x86; Immutable kernel and global zones

Examples of Optimizations for Oracle DB The Tip of the Iceberg

Key: Solaris 11.2 New in Solaris 11.3


Up to 20x faster SGA Allocation

Optimized for Oracle

27

12 12 16 29 69 166 81 155 305

609

1221

3122

0

500

1000

1500

2000

2500

3000

3500

128GB 256GB 512GB 1TB 2T 5T

Seco

nd

s to

Fu

ll SG

A A

lloca

tio

n

SGA Size

TIME TO FULL SGA ALLOCATION Oracle Solaris 11.3, 2M pages RHEL 7.0, 2M pages


Security and Compliance key takeaways

• Encryption built-in • Certified against external common security standards • Compliant out of the box • Compliance report made easy • Access Security through and through, as a systems foundation • Minimum privileges for all Services

28


Virtualization key takeaways

• Integrated, built-in, additional costs: 0. • High Density consolidation, Zero overhead • License boundary • Investment protection (upgrade path) • Real Cost savings (Verizon) • The only read-only virtualization • Kernel Zones • Full OpenStack Distribution integrated in Oracle Solaris

29


Oracle DB Integration key takeaways

• SW in Silicon • Memory Subsystem improvements specifically for the DB • Automatic Thread Optimization • RAC Offloading • SGA resizing without downtime • Fullstack Observability with DTrace

30


✓Secure and Compliant

✓Simple Management

✓Affordable Virtualisation

✓Cloud Features

✓Oracle SW Integrated

Your Enterprise Cloud

Oracle Solaris 11.3 – Security. Speed. Simplicity.

31

YOUR APP


AIX System Administrators Trained in a Week

Oracle Solaris 11 Training

UNIX System V-based operating systems

Get Started: IBM AIX to Oracle Solaris 11 Migration Fundamentals (30 min)

Get Trained: Oracle Solaris 11 System Administration for Experienced UNIX Administrators (5-days)

Get Certified

32

https://apex.oracle.com/pls/apex/f?p=44785:24:0:::24:P24_CONTENT_ID,P24_PREV_PAGE:8933,1

http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=458&get_params=p_track_id:Sol11IC

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 33

Oracle Solaris 11 - Ad Valoremkonferenciak.advalorem.hu/uploads/files/INFR_Vegh_Karoly.pdf · Oracle Solaris 11.3 •Next Generation Virtualization –Simple administration –Leverages

Documents