HOL9762: Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11
Ramesh Nagappan, Senior Principal Software Engineer, Oracle
Yu Wang, Principal Software Engineer, Oracle
Xiaosong Zhu, Senior Software Engineer, Oracle
Gang Wang, Software Development Manager, Oracle
Table of Contents
Introduction
Prerequisites
Hardware/Software Requirements
Environment Configuration
Notes for Users
Exercise 1: Using Solaris Zones to Set up a Multitenant Database Environment (20 Minutes)
Exercise 2: Exploring Oracle Database 12c Multitenant (20 Minutes)
Exercise 3: Using Oracle Transparent Data Encryption with Solaris Cryptographic Framework (20 Minutes)
Summary
See Also
About the Authors
Introduction
Database multitenancy helps customers reduce IT costs by simplifying consolidation, provisioning, upgrades,
and more. However, it raises data security concerns because the computing and storage resources are
shared among different users.
In this lab, you will explore different isolation and encryption approaches for securing multitenancy of Oracle
Database on Oracle Solaris 11: Solaris Zones, Oracle Solaris ZFS encryption, Oracle Database 12c pluggable
databases (PDB) and Oracle Advanced Security Transparent Data Encryption (TDE). You will also learn
how TDE works with the Solaris Cryptographic Framework.
Prerequisites
This hands-on lab assumes you have some basic knowledge about the following technologies.
Administration of Oracle Solaris or a similar UNIX or Linux OS
Oracle Database administration
SQL programming
Hardware/Software Requirements
Memory requirement: 8 GB
Disk space requirement: 50 GB
Oracle VM Virtualbox 4.3.14 (host OS: Windows 7/8, Oracle Enterprise Linux)
Operating System: Solaris 11.2
Oracle Database 12c Enterprise Edition
Oracle Database 11gr2 Enterprise Edition
Environment Configuration
Solaris 11.2 for x86 installed in Oracle VM Virtualbox 4.3.14
Pre-configured non-global zones:
o dbzone1: Oracle Database 12c Enterprise Edition pre-installed
o dbzone2: Oracle Database 11gr2 Enterprise Edition pre-installed
OS user name/password:
o labuser/solaris11
o root/solaris11
o oracle/solaris11
Database user name/password:
o SYS/solaris11
Notes for Users
The lab uses the GNOME desktop environment on Oracle Solaris 11 (with the desktop packages installed).
To open a terminal window in GNOME, right-click anywhere on the desktop background and
select Open Terminal in the pop-up menu (as shown in Figure 1).
Figure 1. Open a terminal in Solaris 11
Exercise 1: Using Solaris Zones to Set up a
Multitenant Database Environment (20 Minutes)
In this exercise, you will use Solaris Zones to set up a multitenant environment for different versions of
Oracle Database.
What is multitenancy?
As one of the essential characteristics of cloud computing, multitenancy is an architectural and operational
approach that enables IT providers to share infrastructure resources and deliver database or software
functionality as a service to one or more consumers (tenants). Resource control and data isolation are critical
for this multitenant architecture, which can be implemented differently for the different service models
(IaaS, PaaS and SaaS).
Nowadays, many providers use KVM, Xen or other hypervisor-based virtualization technologies to deploy
databases for multitenant use. However, hypervisor-based virtualization usually has high overhead, which
may limit the number of VMs a physical machine can host. Therefore, we recommend using Solaris Zones,
an OS-based lightweight container with a very small footprint. Zones can be used not only to deploy multiple
high-performance database services, but also to isolate their data effectively.
What is a Solaris Zone?
A Solaris Zone is an implementation of operating system-level virtualization technology for x86 and SPARC
systems. A Solaris Zone combines system resource controls with boundary separation. Zones act
as completely isolated virtual servers within a single operating system instance. By consolidating multiple sets
of application services onto one system and by placing each into an isolated virtual server container, system
administrators can reduce cost and provide most of the same protections of separate machines on a single
machine.
Step 1: Start the preinstalled non-global zones
1. After logging in to Solaris 11 with the username/password labuser/solaris11, click the right mouse
button on the desktop and choose Open Terminal to bring up a terminal window (as shown in Figure 1).
In the opened terminal, switch to root/solaris11 in order to do zone administration.
labuser@hol9762:~$ su -
As you can see, the processor set zonepool1-pset is created with 1 processor and is associated with the pool
zonepool1, and zonepool1 is bound to dbzone1.
3. Check the processors available in the non-global zones.
Open a new terminal, and switch to root before logging in to dbzone1.
labuser@hol9762:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.2 June 2014
You have new mail.
root@hol9762:~#
Log in to dbzone1.
root@hol9762:~# zlogin dbzone1
In the terminal for dbzone1, check the CPUs assigned to it.
root@dbzone1:~# psrinfo
0 on-line since 08/25/2014 04:30:44
As you can see, there is one processor dedicated to dbzone1.
Open a new terminal, and switch to root before logging in to dbzone2.
labuser@hol9762:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.2 June 2014
You have new mail.
root@hol9762:~#
Log in to dbzone2.
root@hol9762:~# zlogin dbzone2
Check the CPUs assigned to dbzone2 by typing the command below. Three processors are working for
dbzone2 now.
root@dbzone2:~# psrinfo
1 on-line since 08/25/2014 04:30:46
2 on-line since 08/25/2014 04:30:46
3 on-line since 08/25/2014 04:30:46
4. Since we will use dbzone1 to run Oracle Database 12c in Exercise 2, let's assign more processors to dbzone1.
In the terminal of the global zone, change the pool configuration by assigning 3 processors to zonepool1.
root@hol9762:~# poolcfg -c 'modify pset zonepool1-pset (uint pset.min=3; uint pset.max=3)'
Instantiate the configuration.
root@hol9762:~# pooladm -c
Print out the currently running pools configuration again.
root@hol9762:~# pooladm
system default
string system.comment
int system.version 1
boolean system.bind-default true
string system.poold.objectives wt-load
pool zonepool1
int pool.sys_id 1
boolean pool.active true
boolean pool.default false
int pool.importance 1
string pool.comment
pset zonepool1-pset
pool pool_default
int pool.sys_id 0
boolean pool.active true
boolean pool.default true
int pool.importance 1
string pool.comment
pset pset_default
pset zonepool1-pset
int pset.sys_id 1
boolean pset.default false
uint pset.min 3
uint pset.max 3
string pset.policy minmax
string pset.restype cpu
string pset.reslist
string pset.units population
uint pset.load 3
uint pset.size 3
string pset.comment
cpu
int cpu.sys_id 1
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 0
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 2
string cpu.comment
string cpu.status on-line
pset pset_default
int pset.sys_id -1
boolean pset.default true
uint pset.min 1
uint pset.max 65536
string pset.policy minmax
string pset.restype cpu
string pset.reslist
string pset.units population
uint pset.load 64
uint pset.size 1
string pset.comment
cpu
int cpu.sys_id 3
string cpu.comment
string cpu.status on-line
Two processors have been added to dbzone1. We can also check the CPU information in the non-global zones.
In the terminal of dbzone1, verify that there are now 3 processors available.
root@dbzone1:~# psrinfo
0 on-line since 08/25/2014 04:30:44
1 on-line since 08/25/2014 04:30:46
2 on-line since 08/25/2014 04:30:46
In the terminal of dbzone2, you can see that only one processor is left.
root@dbzone2:~# psrinfo
3 on-line since 08/25/2014 04:30:46
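To check the result of this step without reading the whole pooladm listing by eye, here is an added example (not from the lab) that parses pooladm's text output and confirms that each processor set holds the CPUs its pset.size, pset.min and pset.max say it should. The embedded listing is a constructed excerpt modelled on the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the lab: parse the text printed by `pooladm` and
# verify that each processor set actually holds the CPUs it is configured for.
# SAMPLE is a constructed excerpt modelled on the lab's output after Step 4
# (pset.min=3 / pset.max=3 for zonepool1-pset). On a real system capture the
# live configuration with `pooladm > pools.txt` and pass that file instead.
SAMPLE="${TMPDIR:-/tmp}/pooladm.sample.$$"
cat > "$SAMPLE" <<'EOF'
system default
        pool zonepool1
                int     pool.sys_id 1
                pset    zonepool1-pset
        pool pool_default
                pset    pset_default
        pset zonepool1-pset
                int     pset.sys_id 1
                uint    pset.min 3
                uint    pset.max 3
                uint    pset.size 3
                cpu
                        int     cpu.sys_id 1
                cpu
                        int     cpu.sys_id 0
                cpu
                        int     cpu.sys_id 2
        pset pset_default
                int     pset.sys_id -1
                uint    pset.min 1
                uint    pset.max 65536
                uint    pset.size 1
                cpu
                        int     cpu.sys_id 3
EOF

# pset_table FILE -> one line per processor set: "name cpus min max size".
# A pset *definition* is a "pset NAME" line followed by "int pset.sys_id ...";
# the one-line "pset NAME" references inside pool blocks have no pset.sys_id
# and are ignored. Every bare "cpu" line under a definition is one processor,
# so "cpus" is what is really assigned, independent of the pset.size property.
pset_table() {
    awk '
        $1 == "pset" && NF == 2              { cand = $2; next }
        $1 == "int"  && $2 == "pset.sys_id"  { cur = cand; seen[cur] = 1; cpus[cur] = 0; next }
        $1 == "uint" && $2 == "pset.min"     { min[cur] = $3; next }
        $1 == "uint" && $2 == "pset.max"     { max[cur] = $3; next }
        $1 == "uint" && $2 == "pset.size"    { size[cur] = $3; next }
        $1 == "cpu"  && NF == 1 && cur != "" { cpus[cur]++; next }
        END { for (p in seen) printf "%s %d %d %d %d\n", p, cpus[p], min[p], max[p], size[p] }
    ' "$1" | sort
}

# pset_cpus FILE NAME -> number of CPUs listed under processor set NAME.
pset_cpus() { pset_table "$1" | awk -v n="$2" '$1 == n { print $2 }'; }

# check_pools FILE -> exit 0 when every pset's CPU count equals its pset.size and
# lies within [pset.min, pset.max]; otherwise print each violation and exit 1.
check_pools() {
    pset_table "$1" | awk '
        $2 != $5 || $2 < $3 || $2 > $4 {
            printf "MISMATCH %s: %d cpus, size=%d min=%d max=%d\n", $1, $2, $5, $3, $4; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

check_pools "$SAMPLE" && pset_table "$SAMPLE"
```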
Step 5: Assign memory to non-global zones
In Solaris 11.2, the rcapd daemon enforces memory caps and handles their administration. You can control the
resident set size (RSS) usage of a zone by setting the capped-memory resource when you configure the zone.
1. In the terminal of the global zone, type the command below to show the memory cap in the zone
configuration of dbzone1.
root@hol9762:~# zonecfg -z dbzone1 info
…
capped-memory:
physical: 2G
2. In the terminal of dbzone1, check the physical memory assigned to the zone.
root@dbzone1:~# prtconf |grep Memory
prtconf: devinfo facility not available
Memory size: 2048 Megabytes
3. Changing the zone configuration with zonecfg requires a reboot of the zone. However, we can use another
command to change the memory cap dynamically without rebooting the zone.
In the terminal of the global zone, type the following command.
root@hol9762:~# rcapadm -z dbzone1 -m 4G
In the terminal for dbzone1, check the physical memory assigned to dbzone1 again.
root@dbzone1:~# prtconf |grep Mem
prtconf: devinfo facility not available
Memory size: 4096 Megabytes
Step 6: Start the preinstalled databases, and check the process isolation
1. Start the Oracle Database 12c installed in dbzone1.
Switch to the oracle user before starting up Oracle Database 12c in the terminal of dbzone1.
root@dbzone1:~# su - oracle
Password:
Oracle Corporation SunOS 5.11 11.2 April 2014
oracle@dbzone1:~$
Check the environment settings for the database.
oracle@dbzone1:~$ env |grep ORACLE
ORACLE_SID=cdb1
ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=/u01/app/oracle/12.1.0/dbhome_1
Start the listener.
oracle@dbzone1:~$ lsnrctl start
LSNRCTL for Solaris: Version 12.1.0.2.0 - Production on 25-AUG-2014 15:17:32
Copyright (c) 1991, 2014, Oracle. All rights reserved.
4. Create the tablespaces, users, and grant privileges for PDB12. Execute the following commands one by one.
SQL> ALTER SESSION SET CONTAINER=pdb12;
Session altered.
SQL> CREATE TABLESPACE users DATAFILE '/dbpool1/users.dbf' SIZE 20M AUTOEXTEND ON NEXT 1M SEGMENT SPACE MANAGEMENT AUTO;
5. Create a table and insert some records.
SQL> CREATE TABLE employee (first_name VARCHAR2(32),last_name VARCHAR2(32),empID NUMBER, credit_card CHAR(16)) TABLESPACE users;
SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
SQL> SELECT * FROM employee;
SQL> COMMIT;
SQL> ALTER PLUGGABLE DATABASE pdb12 CLOSE;
Step 4: Create a new PDB in an encrypted file system
In Oracle Database 12c, PDBs can provide data isolation by using separate disks and storage to store their own
data. However, there are risks when the disks are stolen or maliciously accessed. If unauthorized people
get hold of the disks, they can read the sensitive data directly at the OS level, from files and disk devices,
instead of through the database. Disk scanning tools (such as dd) can be used to scan the whole disk for
sensitive information.
Therefore, data-at-rest protection must be in place in order to prevent sensitive data disclosure.
1. In the terminal, exit sqlplus if needed. Then type the following command to scan the tablespace file.
SQL> exit;
You will get results like the following.
…
chris
5201237476346909,
wang
4380558852114471,
gary
wang
6201345768476366
…
This means unauthorized users can read the sensitive data directly from the tablespace files.
Alternatively, switch to the terminal of the global zone (with prompt root@hol9762). Type the following command to
scan the disk for sensitive information. (Note: It may take several minutes to get the results.)
root@hol9762:~# dd if=/dev/dsk/c2t2d0 | strings | grep 52012374
5201237476346909,
4194304+0 records in
4194304+0 records out
2. ZFS encryption can be used to solve this problem. Switch to the terminal of dbzone1 and create an encrypted file
system with the command below.
oracle@dbzone1:/$ sudo zfs create -o encryption=on dbpool2/protected
3. Connect to the database as SYSDBA.
oracle@dbzone1:~$ sqlplus / as sysdba
4. To create and open a new PDB, named PDB13, in this encrypted file system, type the following commands:
SQL> CREATE PLUGGABLE DATABASE pdb13 ADMIN USER PDB_ADMIN IDENTIFIED BY solaris11
Repeat the actions in Step 3 to create the tablespace, users and tables.
5. Create the tablespaces, users, and grant privileges for pdb13. Execute the following commands one by one.
SQL> ALTER SESSION SET CONTAINER=pdb13;
Session altered.
SQL> CREATE TABLESPACE users DATAFILE '/dbpool2/protected/users.dbf' SIZE 20M AUTOEXTEND ON NEXT 1M SEGMENT SPACE MANAGEMENT AUTO;
6. Create a table and insert some records:
SQL> CREATE TABLE employee (first_name VARCHAR2(32),last_name VARCHAR2(32),empID NUMBER, credit_card CHAR(16)) TABLESPACE users;
SQL> INSERT INTO employee VALUES ('gary','wang',15923,'6201345768476366');
SQL> INSERT INTO employee VALUES ('yu','wang',15984,'4380558852114471');
SQL> INSERT INTO employee VALUES ('chris','zhu',15933,'5201237476346909');
SQL> SELECT * FROM employee;
SQL> COMMIT;
SQL> ALTER PLUGGABLE DATABASE pdb13 CLOSE;
7. Switch to the terminal of the global zone (with prompt root@hol9762). Type the following command to scan
the disk for sensitive information. (Note: It may take several minutes to finish; you can continue with the
following lab while waiting for the result.)
root@hol9762:~# dd if=/dev/dsk/c2t3d0 | strings | grep 52012374
This time nothing is found, because the data on disk c2t3d0 is encrypted.
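The dd | strings | grep check used in this step can be turned into a repeatable audit for datafiles and disk images. The following is an added example, not part of the lab, that scans a file for 16-digit runs, reports a count and prints only masked values; the two input files are constructed stand-ins (the "encrypted" one is random bytes, not real ZFS encryption), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab: audit a tablespace file (or a raw disk
# image captured with dd) for card-number-shaped cleartext. It does what the
# lab's "dd | strings | grep" does, but is portable (no strings(1) needed),
# reports a count, and prints only masked values so the audit log itself does
# not become another copy of the sensitive data.
# Both files below are constructed stand-ins: CLEAR mimics users.dbf on the
# unencrypted dbpool1, OPAQUE mimics the same blocks read back from the
# encrypted dataset on dbpool2 (here just random bytes, not real ZFS crypto).
export LC_ALL=C
WORK="${TMPDIR:-/tmp}/tde-audit.$$"; mkdir -p "$WORK"
CLEAR="$WORK/users.dbf"; OPAQUE="$WORK/protected.dbf"

# rec FIRST LAST ID PAN -> the four column values with NUL padding between them,
# roughly how a row of the lab's employee table sits inside a datafile block.
rec() { for f in "$1" "$2" "$3" "$4"; do printf '%s' "$f"; head -c 4 /dev/zero; done; }
{ head -c 512 /dev/zero; rec gary wang 15923 6201345768476366
  head -c 512 /dev/zero; rec yu wang 15984 4380558852114471
  rec chris zhu 15933 5201237476346909; head -c 512 /dev/zero; } > "$CLEAR"
head -c 2048 /dev/urandom > "$OPAQUE"

# pan_candidates FILE -> every run of exactly 16 ASCII digits, one per line.
# Binary-safe: each non-alphanumeric byte becomes a newline, so a number is
# found whether it is NUL-, comma- or length-byte-delimited in the file.
pan_candidates() { tr -c '[:alnum:]' '\n' < "$1" | grep -E '^[0-9]{16}$' || true; }

# cleartext_pan_count FILE -> how many such runs were found (0 = nothing leaked).
cleartext_pan_count() { pan_candidates "$1" | wc -l | tr -d ' '; }

# masked_pans FILE -> the hits with all but the last four digits masked.
masked_pans() { pan_candidates "$1" | sed 's/^[0-9]\{12\}/************/'; }

# audit_datafile FILE -> prints LEAK (exit 1) or CLEAN (exit 0) for one file.
audit_datafile() {
    n=$(cleartext_pan_count "$1")
    if [ "$n" -gt 0 ]; then
        printf 'LEAK  %s: %s card-shaped value(s) readable in cleartext\n' "$1" "$n"
        masked_pans "$1" | sed 's/^/      /'
        return 1
    fi
    printf 'CLEAN %s: no 16-digit runs found\n' "$1"
}

# Audit both constructed files; a LEAK verdict does not abort the script.
for f in "$CLEAR" "$OPAQUE"; do audit_datafile "$f" || :; done
```

On a real system, point audit_datafile at the PDB's datafiles (or at a dd image of the disk) from the global zone, where the unencrypted dataset should report LEAK and the encrypted one CLEAN.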
Summary
In this exercise, you have created some pluggable databases (PDB) in Oracle Database 12c. Each of the PDBs is
attached to a dedicated disk in order to isolate tablespace files. You have also learned about how to use ZFS
encryption to protect the sensitive information in a PDB.
Exercise 3: Using Oracle Transparent Data
Encryption with Solaris Cryptographic Framework
(20 Minutes)
In this exercise, you will explore Oracle Advanced Security Transparent Data Encryption (TDE) and learn how
to transparently encrypt sensitive data stored in a tablespace, as shown in Figure 4. At the same time, you will see
how Oracle Database integrates with the Solaris Cryptographic Framework to manage the hardware-based
keystore (HSM, i.e. Hardware Security Module) on Solaris 11.
Figure 4. Oracle Advanced Security Transparent Data Encryption
What is Oracle Advanced Security Transparent Data Encryption?
Oracle Advanced Security Transparent Data Encryption (TDE) stops would-be attackers from bypassing the
database and reading sensitive information from storage by enforcing data-at-rest encryption in the database
layer. Applications and users authenticated to the database continue to have access to application data
transparently (no application code or configuration changes are required), while attacks from OS users
attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information
from acquired disks or backups are denied access to the clear text data.
Out of the box, TDE provides industry standard strong encryption for the database, full key lifecycle
management, and integrated support for Oracle Database tools and technologies. TDE enables encryption of
database columns or entire application tablespaces.
Transparent Data Encryption fully supports Oracle Multitenant.
What is Solaris Cryptographic Framework?
The Solaris Cryptographic Framework provides cryptographic services to users and applications through
commands, a user-level programming interface, a kernel programming interface, and user-level and kernel-level
frameworks. The Solaris Cryptographic Framework provides these cryptographic services to applications and
kernel modules in a manner seamless to the end user, and brings direct cryptographic services to the end user.
The Oracle Solaris Cryptographic Framework provides a common store of algorithms and PKCS #11 libraries
to handle cryptographic requirements.
What is a token?
A token is a PKCS#11 concept representing the logical view of a cryptographic device. Sometimes a
"token" is a "keystore". For example, an "Oracle Crypto Accelerator 4000 board" card in a PCI slot is a token
(hardware token). The Solaris PKCS#11 Softtoken is another example of a token.
What is a slot?
A slot is a PKCS#11 concept representing a logical reader that potentially contains a token. For
example, a hardware slot is a slot bound to and dedicated to a hardware device; the Softtoken slot is a software
cryptographic provider with an on-disk keystore.
What is a Metaslot?
The Metaslot is an additional slot in the Solaris Cryptographic Framework. It provides the virtual union of the capabilities
of all other slots in the framework. Instead of having to deal with many slots, an application can simply choose the
Metaslot, which has access to the features of all slots currently plugged into the Solaris Cryptographic Framework. It also
does the tedious work of managing sessions and objects on different slots, so an application can use the best slot for a
particular mechanism without having to move objects and sessions back and forth. The Metaslot's behavior conforms to the
PKCS#11 standard. Applications should treat it as if it were any PKCS#11 slot with normal PKCS#11 semantics.
Step 1: Master key management using Solaris PKCS#11 Softtoken
1. Click the right mouse button on the desktop and choose Open Terminal to bring up a terminal window.
2. Log in to dbzone1 if needed.
labuser@hol9762:~$ su -
Password:
root@hol9762:~# zlogin dbzone1
3. Configure the metaslot to use the Sun Software PKCS#11 Softtoken by default.
root@dbzone1:~# cryptoadm enable metaslot token="Sun Software PKCS#11 Softtoken"
4. Copy the Solaris libpkcs11.so to the PKCS#11 library directory that Oracle Database 12c expects.
root@dbzone1:~# mkdir -p /opt/oracle/extapi/64/hsm/sun/1.0.0/lib
2. Create a table in the encrypted tablespace, which automatically encrypts all data objects in it.
SQL> CREATE TABLE employee(first_name VARCHAR2(32),last_name VARCHAR2(32),empID
5. Use dd to scan the database file. You won't be able to get any sensitive information.
oracle@dbzone1:~$ dd if=/u01/app/oracle/oradata/cdb1/pdb11/usershol.dbf | strings
Note: You can also create more TDE master encryption keys for the future use of other PDBs. Please refer to
Oracle Database Advanced Security Guide for the detailed information.
Why choose Oracle HSM to integrate with Solaris PKCS#11?
Oracle Database 12c supports the use of a PKCS#11-based HSM keystore as the Oracle Wallet. Using a Solaris
PKCS#11 Softtoken-based Oracle Wallet protects the master key from duplication and copying during database
and file system backups. When deployed on physical machines (such as Oracle SPARC T5 servers) with a
hardware cryptographic accelerator, Solaris PKCS#11 can seamlessly use the hardware accelerator to
make database encryption much faster.
Summary
In this exercise, you have integrated the Solaris Cryptographic Framework with Oracle Wallet to manage the
hardware-based keystore (HSM) for Oracle Database 12c. You have also tried the features of Oracle Database
Transparent Data Encryption and learned how to encrypt sensitive data with TDE tablespace encryption.
Summary
You have successfully completed the "Oracle Database 12c Data Protection and Multitenancy on Oracle
Solaris 11" hands-on lab! You have explored different isolation and encryption approaches for securing
multitenancy when using Oracle Database 12c on Oracle Solaris 11: Oracle Solaris Zones, Oracle Database 12c
pluggable databases (PDB), Oracle Advanced Security Transparent Data Encryption (TDE) and Oracle Solaris
ZFS encryption. You have also learned how TDE works with the Solaris Cryptographic Framework.
See Also
High Performance Security For Oracle Database and Fusion Middleware Applications using SPARC T4
Managing ZFS File Systems in Oracle® Solaris 11.2
Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management
Oracle Solaris Administration: Network Interfaces and Network Virtualization
Oracle Database Advanced Security Guide
About the Authors
Ramesh Nagappan is a Senior Principal Engineer at Oracle Corporation (previously at Sun Microsystems). He
works on security integration for the SuperCluster platform and focuses on cloud security, network and
application security, and applied cryptography for applications, XML Web Services and identity management
technologies.
Yu Wang presently works for Oracle's ISV Engineering group as a Principal Software Engineer. His duties
include supporting local ISVs and evangelizing Oracle Solaris and Java technologies.
Xiaosong (Chris) Zhu is a Senior Software Engineer working for Oracle's ISV Engineering group. She
concentrates on Solaris and C/C++. Her duties include Solaris evangelism and supporting local ISVs to
run C/C++ applications best on Oracle Solaris and SPARC servers.
Gang (Gary) Wang, manager of Oracle's ISV Engineering group, leads the ISV Engineering team in Beijing
helping ISVs in China, Japan, and Korea to make their applications run best on Oracle Solaris, Oracle servers,