User equiv and "oracle" lockdown

From: Herring, David <HerringD_at_DNB.com>
Date: Mon, 22 Sep 2014 14:27:28 -0500
Message-ID: <AD8FE6616C097545A4C9A8B0792909AC41110F906B_at_DNBEXCH01.dnbint.net>



Does anyone know all areas where user equivalency for the account "oracle" is necessary in a RAC system, let's say 11g and above on Linux RH?

The reason I ask is that our security team is now refusing to have this set up and even though I passed snippets from Oracle doc which states "it must be set", they're balking and sending snippets from RedHat doc saying that's unwise.

Without user equiv for "oracle" I believe the following will break/have issues:
* Proper management agent monitoring. The agent needs to know it's a RAC to properly monitor the configuration. I don't have specific examples, just oddity with agent behavior when user equiv isn't set properly.
* All "cluvfy" uses will fail. Most are interactive uses but the management agent uses it too for cluster verification. So in a way almost all our ability to validate the cluster will be unavailable.
* All installs, patches, upgrades will fail or at least be a complete hack. Rolling patch application would never be possible, I assume.

I know the cluster will still work without user equiv as I've run into enough existing systems where the DBA didn't do it properly or didn't properly add new nodes. Is there anything else that would break/be a major pain? Since documentation proof isn't enough I need to explain in (my) painful detail why we need it.

Dave Herring

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Sep 22 2014 - 21:27:28 CEST
