Dear Readers,

My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA. I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented and not so well known tasks.

I will make a deal with you: if you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them, then I will give you 10% of the monthly contract or deal price every month. When the contract ends and we re-sign the contract, I will again give you 10% of the monthly contract price. This will go on until the company no longer employs or contracts me or my agents to look after their databases. I can do this because that 10% is my marketing budget. When we re-sign the contract in the future, it may depend on you giving the thumbs up again, and that is worth 10% of the monthly contract price, to be given to you as commission.
Oracle Database Preinstallation – Part 8

Creating Database Operating System Groups and Users with Job Role Separation

Remember to add the Oracle software owner (oracle, oinstall, or similar) to the required operating system groups after you have created them. This is to ensure that Oracle Universal Installer (OUI) will pick them up as an option during the database part of the installation.

Provide common user IDs (UIDs) and group IDs (GIDs), and confirm that they are unused before you create or modify groups and users with these IDs. If you are unsure, the system administrator may be able to explain.
Creating the Oracle Inventory Group

You need to create this group when you install the Oracle software on the system for the first time. During the installation of the software, OUI will create the oraInst.loc file. This file will contain the name of the Oracle Inventory group, which may be "oinstall", and of course the path of the Oracle Inventory directory.

It is possible to configure one group as the access control group for the Oracle Inventory, for the database administrators (OSDBA), and for all the other access control groups that are used by Oracle software for operating system authentication. The result of this approach is that this group must then be the primary group for all users that are granted administrative privileges. Obviously this has security implications, because it gives up the job role separation this part is about. To get started, log in as "root" and determine whether the Oracle Inventory group exists. If it does not exist, create the Oracle Inventory group.
Determining if the Oracle Inventory Group Exists

Look at the content of the oraInst.loc file. You should find something similar to this:

Inventory_loc=<"location of the Oracle Central Inventory">
Inst_group=<"name of the group that has permissions to write to the central inventory">

If you find an existing Oracle Inventory, then you should use the same Oracle Inventory for all Oracle software installations. You must make sure that all the Oracle software users that will perform installations have permission to write to this directory.

Verify that the Oracle Inventory group exists:

$ grep oinstall /etc/group

Verify that the oraInst.loc file exists:

$ more /etc/oraInst.loc

Output example:

Inventory_loc=/u01/app/oraInventory
Inst_group=oinstall
Creating the Oracle Inventory Group

If you determine that the Oracle Inventory group does not exist, then you can create it. If the Oracle Inventory group does exist, then you will find that the /etc/oraInst.loc file exists.

$ /usr/sbin/groupadd oinstall
Creating the OSDBA Group for Database Installations

You may find that the OSDBA group does not exist, because this is the first installation of Oracle Database software on the system. Or you may find that the OSDBA group does exist, but you want to create a new OSDBA group so that you can give a different set of operating system users database administrative privileges for a new or different Oracle Database installation.

If either of the above reasons applies, then you can go ahead and create the OSDBA group. If there is no group with the name "dba", then you can give the new group the name "dba".

$ /usr/sbin/groupadd -g 502 dba
Creating the OSOPER Group for Oracle Automatic Storage Management

If you decide that you will use a separate OSOPER group for ASM, then you can create it. If the group name "asmoper" does not exist, then you can call this group "asmoper".

$ /usr/sbin/groupadd -g 505 asmoper
Creating the Oracle Software Owner User

There are three different reasons why you may want to create the Oracle software owner user.

1) You have determined that an Oracle software owner user does not exist. This would be expected if this was the first installation of Oracle software on the system or server.

2) The Oracle software owner user does exist; however, you have decided to use a different operating system user, which will be granted different group memberships. This scenario could enable you to give database administrative privileges to those different groups in a new Oracle Database installation. This will separate the privileges between the two databases and between different operating system users, and prevent users from accidentally logging onto the wrong database and performing administrative functions.

3) You may have created an Oracle software owner for Oracle Grid Infrastructure, for example "grid", and you want to create a separate Oracle software owner for the Oracle Database software, such as "oracle".
Determining if an Oracle Software Owner User Exists

If you know that the software owner would be either "oracle" or "grid", then you can check if they exist like this:

$ id oracle
uid=301(oracle) gid=301(oinstall) groups=302(dba),303(oper)

$ id grid
uid=7001(grid) gid=7001(oinstall) groups=7001(oinstall),7002(asmadmin),7003(asmdba),7006(dba)

Verify that the Oracle software owner has the Oracle Inventory group (oinstall) as its primary group. Verify that the user is also a member of the appropriate groups, for example OSDBA, ASMDBA, OSBACKUPDBA, OSDGDBA, OSKMDBA, etc. These group memberships must be allocated according to the security and infrastructure design that you have in place or have created for this implementation.

Now you need to decide whether you are going to create a new Oracle software owner user, or whether you are going to modify an existing Oracle software owner user to bring the group assignments etc. in line with your plan. If you are going to modify an existing user, it is always better to first check with your system administrator whether changing the credentials of a specific user will have any impact on other areas of the server.
Creating an Oracle Software Owner User

If the user "oracle" does not exist, then create the user with the name "oracle".

$ /usr/sbin/useradd -u 502 -g oinstall -G dba,asmdba oracle

=> -u specifies the user ID. If you leave this option out, then the operating system will automatically generate a user ID. You must make a note of the oracle user ID, because you will need it again later on in the pre-installation.
=> -g specifies the primary group, which must be the Oracle Inventory group, which will typically be "oinstall".
=> -G specifies the secondary groups, separated by commas. The OSDBA group must be included, and depending on the requirements, the OSOPER and ASMDBA groups as well.

Now all you need to do is to set the password of the new user.

$ passwd oracle
Modifying an Existing Oracle Software Owner User

Let's say you have found the Oracle software owner user "oracle"; however, its primary group is not "oinstall", and it is not a member of the OSDBA or OSOPER groups. Also, you have confirmed with the system administrator that it is OK to change this operating system user. Then you can go ahead and change it. Notice how you specify the primary group with the -g option, and the secondary groups with the -G option.

$ /usr/sbin/usermod -g oinstall -G dba,asmdba,oper oracle
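As an added example that is not part of the original post, the following POSIX shell script automates the checks made in this part: whether the inventory group named in oraInst.loc exists in /etc/group, whether a separate asmoper group exists, whether the software owner's primary group is oinstall and its secondary groups include what your design requires (the usermod case above), and whether a user's single group is playing every role (the setup noted above as having security implications). The /etc/group and oraInst.loc samples are constructed; the id line copies the post's own output example; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Every function takes the text it
# inspects as an argument, so it runs offline on the constructed samples below.

# Constructed sample of /etc/group (no asmoper group yet)
SAMPLE_GROUP='root:x:0:
oinstall:x:301:
dba:x:302:oracle
oper:x:303:oracle'

# Constructed sample of /etc/oraInst.loc, matching the post's output example
SAMPLE_ORAINST='Inventory_loc=/u01/app/oraInventory
Inst_group=oinstall'

# Constructed sample of `id oracle` output, copied from the post's example
SAMPLE_ID='uid=301(oracle) gid=301(oinstall) groups=302(dba),303(oper)'

# Constructed sample of a user whose single group plays every role
SAMPLE_ID_COLLAPSED='uid=500(oracle) gid=500(oinstall) groups=500(oinstall)'

# group_exists GROUP_FILE_TEXT NAME -> 0 if a group named NAME is defined
group_exists() {
    printf '%s\n' "$1" | grep -q "^$2:"
}

# inst_group ORAINST_TEXT -> prints the inventory group name (either key case)
inst_group() {
    printf '%s\n' "$1" | sed -n 's/^[Ii]nst_group=//p' | head -n 1
}

# inventory_loc ORAINST_TEXT -> prints the central inventory path
inventory_loc() {
    printf '%s\n' "$1" | sed -n 's/^[Ii]nventory_loc=//p' | head -n 1
}

# primary_group ID_TEXT -> prints the name inside gid=NNN(name)
primary_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# group_names ID_TEXT -> prints one group name per line from the groups= list
group_names() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\(.*\)/\1/p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# in_group ID_TEXT NAME -> 0 if NAME is one of the user's groups
in_group() {
    group_names "$1" | grep -qx "$2"
}

# roles_collapsed ID_TEXT -> 0 when the only group listed is the primary group,
# i.e. one group stands in for the inventory group, OSDBA and OSOPER together
roles_collapsed() {
    p=$(primary_group "$1")
    n=$(group_names "$1" | grep -vx "$p" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# check_owner ID_TEXT PRIMARY REQUIRED_CSV -> 0 when the primary group matches
# and every group in REQUIRED_CSV is present; otherwise prints what is missing
# and returns 1 (the case the usermod section of the post deals with)
check_owner() {
    idtext=$1; want_primary=$2; required=$3; rc=0
    if [ "$(primary_group "$idtext")" != "$want_primary" ]; then
        echo "primary group is not $want_primary"
        rc=1
    fi
    for g in $(printf '%s' "$required" | tr ',' ' '); do
        if ! in_group "$idtext" "$g"; then
            echo "missing secondary group: $g"
            rc=1
        fi
    done
    return $rc
}

# Walk the constructed samples in the same order as the post
inv=$(inst_group "$SAMPLE_ORAINST")
if group_exists "$SAMPLE_GROUP" "$inv"; then
    echo "inventory group $inv exists; inventory at $(inventory_loc "$SAMPLE_ORAINST")"
else
    echo "inventory group $inv missing: groupadd $inv"
fi
if ! group_exists "$SAMPLE_GROUP" asmoper; then
    echo "no asmoper group: groupadd -g 505 asmoper if a separate OSOPER group for ASM is wanted"
fi
if check_owner "$SAMPLE_ID" oinstall dba,asmdba; then
    echo "oracle memberships OK"
else
    echo "fix with: usermod -g oinstall -G dba,asmdba,oper oracle"
fi
if roles_collapsed "$SAMPLE_ID_COLLAPSED"; then
    echo "one group holds every role: no job role separation"
fi
```

To run the same checks against a real server as root, pass the live text instead of the samples, for example group_exists "$(cat /etc/group)" oinstall, inst_group "$(cat /etc/oraInst.loc)" and check_owner "$(id oracle)" oinstall dba,asmdba. Because the functions only read text, they can also be run by an unprivileged auditor against copies of the files collected elsewhere.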
Franz Devantier
Need a database health check? devantierf@gmail.com