Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
How to Implement Comprehensive Security in a Multitenant Cloud Environment
Glenn Brunette, Director - Cybersecurity
Ramesh Nagappan, Cybersecurity Architect
Copyright © 2015 Oracle and/or its affiliates. All rights reserved.
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
1. Oracle SuperCluster Cybersecurity Building Blocks
2. Secure Service Architectures on Oracle SuperCluster
3. Secure Multitenant Clouds on Oracle SuperCluster
Oracle SuperCluster Cybersecurity Building Blocks
Creative Commons Image Courtesy: Holger Zscheye @ Flickr
SuperCluster M7: Hardware Architecture
§ ZS3 Mixed-use Storage
  • 160 TB (raw) storage for Virtual Machine and system data
§ QDR InfiniBand Unified Ultra-fast Network
  • 40GB/s QDR InfiniBand IO backplane
§ M7 Servers for Databases & Applications
  • 1 or 2 M7 chassis per system (Elastic Configurations)
  • 2 Physical Domains per M7 chassis, 1 - 4 processors each
  • Up to 8TB RAM per rack
§ Exadata Storage Servers for Oracle Database
  • From 3 to 11 per configuration (Flex. Config.)
  • High Capacity (96TB raw disk each)
  • Extreme Flash (12.8TB raw flash each)
Oracle SuperCluster Common Components
[Diagram: the four component layers, COMPUTE, STORAGE, NETWORK and DATABASE]
Oracle SuperCluster Cybersecurity Focus Areas
[Diagram: four focus areas, Secure Isolation, Access Control, Data Protection, and Monitoring and Auditing, applied across each of the COMPUTE, STORAGE, NETWORK and DATABASE layers]
Secure Isolation For Any Requirement
[Diagram: isolation levels available on a SPARC M7. Physical Domain #1 hosts Database Domain #1 running Oracle Database 12c with four Pluggable Databases; Physical Domain #2 hosts a Root Domain, an Application Domain, a Database IO Domain and an Application IO Domain. Within those: Database Domain #2 with Oracle Database 12c separated by Schema, Solaris Zone #1 and Solaris Zone #2 each running Oracle Database 12c, and Oracle WebLogic Server and Oracle Fusion Middleware instances in the application domains.]
Secure Network Isolation – Ethernet
[Diagram: one Physical Server and Operating System hosting Zone A, Zone B and Zone C, each reached by its own client (Client A-1, B-1, C-1) over the Client Access Network. Layer 2 VNIC and VLAN isolation: Zone A runs Database A-1 on IPMP A-1 over VLAN A-1-0 and VLAN A-1-1 (Network A / VLAN A); Zone B runs Database B-1 on IPMP B-1 over VNIC B-1-0 and VNIC B-1-1 on net0 and net1 (Network B). Adding cryptographic isolation: Zone C runs Database C-1 on VLAN C, with Client C-1 connecting over IPsec / TLS.]
Secure Network Isolation – InfiniBand
[Diagram: Oracle VM Server for SPARC hosting a Database Domain and an Application Domain. The Database Domain runs Oracle Solaris 11 Zone A with Oracle Database 12c Release 1 instances A-1 and A-2; the Application Domain runs Zone C (Oracle WebLogic Server 12c instance C-1) and Zone D (Oracle WebLogic Server 12c instance D-1). On the InfiniBand Network, Partition 0xFFFF with protocol RDSv3 carries database traffic to ASM Disk Groups A-1 and A-2 on the Oracle Exadata Storage Servers; Partition 0x8503 with protocol NFS / IPoIB carries application traffic to ZFS Data Sets C-1 and D-1 on the Sun ZFS Storage Appliance, with Zone C and Zone D each attached as Partition 0x0503.]
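The partition numbers on this slide follow the InfiniBand P_Key convention: the high bit of the 16-bit key marks full (0x8503) versus limited (0x0503) membership of partition 0x0503, and the fabric only forwards between two ports on the same partition when at least one is a full member. The following added example (not code from the slides or from Oracle) encodes that rule and checks a constructed endpoint table, mirroring the slide's layout, for tenant-to-tenant paths; endpoint and tenant names are illustrative.

```python
"""Check tenant reachability across InfiniBand partitions from P_Key assignments.

Added example; it is not code from the original slides or from Oracle. It
models the InfiniBand partitioning rule behind the "full and limited
membership" design: a 16-bit P_Key whose high bit marks full (1) or limited
(0) membership in the partition identified by the low 15 bits. Two ports can
exchange traffic only if they hold the same partition number and at least one
of them is a full member. The endpoint table is constructed to mirror the
slide (Exadata and the database zone on 0xFFFF, the ZFS appliance on 0x8503,
tenant zones on 0x0503); names are illustrative, not from any real system.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List, Tuple

FULL_MEMBER_BIT = 0x8000   # bit 15 of the P_Key: 1 = full member, 0 = limited member
PARTITION_MASK = 0x7FFF    # the low 15 bits name the partition


@dataclass(frozen=True)
class PKey:
    value: int

    def __post_init__(self) -> None:
        if not 0 <= self.value <= 0xFFFF:
            raise ValueError(f"P_Key out of 16-bit range: {self.value:#x}")

    @property
    def partition(self) -> int:
        return self.value & PARTITION_MASK

    @property
    def full(self) -> bool:
        return bool(self.value & FULL_MEMBER_BIT)


def parse_pkey(text: str) -> PKey:
    """Accept the hex form used on the slides, e.g. '0x8503'."""
    return PKey(int(text, 16))


def can_communicate(a: PKey, b: PKey) -> bool:
    """Same partition and at least one full member; limited-to-limited is dropped by the fabric."""
    return a.partition == b.partition and (a.full or b.full)


@dataclass(frozen=True)
class Endpoint:
    name: str
    owner: str               # tenant id, or "shared" for provider-owned storage
    pkeys: FrozenSet[PKey]   # every P_Key the port has been granted


def reachable(x: Endpoint, y: Endpoint) -> bool:
    return any(can_communicate(p, q) for p in x.pkeys for q in y.pkeys)


def cross_tenant_paths(endpoints: Iterable[Endpoint]) -> List[Tuple[str, str]]:
    """Pairs of endpoints owned by different tenants that the fabric would let talk.

    Shared (provider) storage is excluded because tenants are meant to reach it.
    An empty list is the desired state for the multitenant design.
    """
    return sorted(
        (x.name, y.name)
        for x, y in combinations(endpoints, 2)
        if "shared" not in (x.owner, y.owner)
        and x.owner != y.owner
        and reachable(x, y)
    )


def build(rows: Iterable[Tuple[str, str, Iterable[str]]]) -> List[Endpoint]:
    return [Endpoint(n, o, frozenset(parse_pkey(k) for k in ks)) for n, o, ks in rows]


# Constructed to follow the slide: storage is a full member, tenant zones are limited members.
AS_DESIGNED = build([
    ("exadata-cells", "shared", ["0xFFFF"]),
    ("zfs-appliance", "shared", ["0x8503"]),
    ("db-zone-A", "tenant-A", ["0xFFFF", "0x0503"]),
    ("wls-zone-C", "tenant-C", ["0x0503"]),
    ("wls-zone-D", "tenant-D", ["0x0503"]),
])

# Constructed misconfiguration: zone D was granted full membership of partition 0x0503,
# so it can now reach every limited member of that partition, not just the appliance.
MISCONFIGURED = build([
    ("zfs-appliance", "shared", ["0x8503"]),
    ("db-zone-A", "tenant-A", ["0xFFFF", "0x0503"]),
    ("wls-zone-C", "tenant-C", ["0x0503"]),
    ("wls-zone-D", "tenant-D", ["0x8503"]),
])

if __name__ == "__main__":
    print("as designed:", cross_tenant_paths(AS_DESIGNED))        # []
    print("misconfigured:", cross_tenant_paths(MISCONFIGURED))    # zone D reaches A and C
```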
End to End Access Control
Compute: Strong Authentication; Role-based Access Control; Privileged User Access Control
Storage: ASM Security; NFS Access Controls; iSCSI Access Controls
Network: Boundary Hardening; Network Partitioning; Packet Filtering
Database: Strong Authentication; Role-based Access Control; Privileged User Access Control
End to End Data Protection
[Diagram: Client A-1 reaches Oracle Database A-1 in Zone A of the Database Domain over the Client Access Network protected by TLS with SSL Certificate A-1. The domain uses SPARC M7 Cryptography and Application Data Integrity, the Oracle Solaris Cryptographic Framework, and the Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken) holding TDE Master Key A-1. Over the InfiniBand Network Partition, RDSv3 carries data to Encrypted Tablespaces in ASM Disk Group A-1 on the Oracle Exadata Storage Servers, and NFSv4 carries Encrypted Backups and Export Files to ZFS Data Sets A-1 on the Sun ZFS Storage Appliance, which uses Intel AES-NI Hardware Assisted Cryptography.]
Secure Service Architectures on Oracle SuperCluster
Creative Commons Image Courtesy: Guillermo @ Flickr
Single Service Workload
Oracle SuperCluster Example
Sample Secure Configuration Steps
• Implement Security Hardening
• Apply Security Updates
• Enhance Operating System Security
  – Anti-Malware Protections
  – Authentication and Access Policies
  – System Security Auditing Policy
  – Configuration Compliance Scanning
• Enhance Database Security
  – Enable Encrypted Communications
  – Configure Transparent Data Encryption
  – Configure Database Vault
  – Database Security Auditing Policy
• Enhance Management Security
  – Change Default Passwords
  – Replace Self-Signed Certificates
[Diagram: two SPARC M7 Servers running Oracle Solaris 11 and Oracle Database 12c Release 1 as a RAC Cluster, reached over the Client Access Network with TLS; an ASM Cluster with Disk Group A and Disk Group B (Tablespaces) on the Oracle Exadata Storage Servers, accessed over the InfiniBand Network using RDSv3.]
Single Service Tier Consolidation
Oracle SuperCluster Example - Database
Sample Secure Configuration Steps
• Implement Single Service Workload Recommendations
• Enhance Operating System Security
  – Implement Database-specific Users/Roles
  – Implement POSIX Isolation of Instances
  – Implement Non-Global Zones (optional)
  – Implement Resource Controls
• Enhance Storage Security
  – Implement Exadata Storage Security
  – Implement Resource Controls
[Diagram: two SPARC M7 Servers running Oracle Solaris 11, each hosting multiple Oracle Database 12c Release 1 instances reached over the Client Access Network with TLS; an ASM Cluster with one Disk Group (Tablespaces) per database on the Oracle Exadata Storage Servers, accessed over the InfiniBand Network using RDSv3.]
Multiple Service Tier Consolidation
Additional Security Controls and Technologies
COMPUTE: Hypervisor Mediation; Solaris Non-Global Zones; Immutable Global and Non-Global Zones; Solaris RBAC and Fine-Grained Privileges
STORAGE: Encrypted ZFS Data Sets and Volumes; iSCSI and ASM Authentication; iSCSI, NFS and ASM Access Controls
NETWORK: Full and Limited Membership InfiniBand Partitions; Solaris IP Filter and IPsec/IKE
Multiple Service Tier Consolidation
Oracle SuperCluster Example #1
[Diagram: Physical Server 1 and Physical Server 2, each with Application Domain 1, Application Domain 2 and Database Domain 1. The Client Access Network (10GbE Network, TLS) reaches an Oracle Traffic Director Cluster (OTD Zone 1 and OTD Zone 2, Oracle Traffic Director 11g); the Web Tier Network (IPoIB/SDP InfiniBand Network Partition) connects it to an Oracle WebLogic Server Cluster (WLS Zone 1 and WLS Zone 2, each with two Oracle WebLogic Server 12c instances); the Database Tier Network (IPoIB/SDP InfiniBand Network Partition) connects that to an Oracle Database Cluster (DB Zone 1 and DB Zone 2, Oracle Database 12c Release 1); the Exadata Tier Network (RDSv3 InfiniBand Network Partition) carries storage traffic.]
Multiple Service Tier Consolidation
Oracle SuperCluster Example #2
[Diagram: the Client Access Network (TLS) enters the Application Domain at Zone A (Oracle Traffic Director 11g), which talks TLS to Zone B (Oracle WebLogic Server 12c); both use the Oracle Solaris Cryptographic Framework. InfiniBand Network Partition #1 (TLS) links the application tier to the Database Domain's Zone C (Oracle Database 12c Release 1), which uses SPARC M7 Hardware Assisted Cryptography and Application Data Integrity, the Oracle Solaris Cryptographic Framework, and the Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken) holding the SSL Certificate and TDE Master Key. InfiniBand Network Partition #2 (RDSv3) reaches ENCRYPTED Tablespaces in ASM Disk Groups on the Oracle Exadata Storage Servers; InfiniBand Network Partition #3 (iSCSI, NFS) reaches ENCRYPTED ZFS Volumes/Data Sets (Binaries, Configurations, Backups) on the Sun ZFS Storage Appliance, which uses Intel AES-NI Hardware Assisted Cryptography.]
Secure Multitenant Clouds on Oracle SuperCluster
Creative Commons Image Courtesy: kassandrabay @ Flickr
[Diagram: baseline multitenant layout. Two SPARC M7 Servers, each with an Application Domain and a Database Domain, on the Client Access Network (10 GbE); Oracle Database 12c Release 1 in Immutable Zone 1 and Immutable Zone 2 forming RAC (DB1); shared Exadata Storage Servers and ZFS Storage Appliance.]
[Diagram: two SPARC M7 Servers, each with an Application Domain and a Database Domain, on the Client Access Network (10 GbE); Oracle Database 12c Release 1 in Immutable Zone 1 and Immutable Zone 2 forming RAC (DB1). Each domain's client-facing links carry Tenant Specific VLANs, and each domain reaches the Exadata Storage Servers and ZFS Storage Appliance over Tenant Specific IB Partitions.]
• Physical and Logical Compute Isolation – Individual tenants and their respective service tiers can be isolated using a combination of physical and logical methods including physical domains, logical domains, I/O domains, and Solaris zones.
• Logical Network Isolation – Tenants are assigned dedicated logical network interfaces to segment their traffic from others on the same physical platform as well as traffic flowing between architectural service tiers. Methods to achieve isolation include Ethernet VLANs and InfiniBand partitions.
[Diagram: the same two SPARC M7 Servers (Application Domain and Database Domain each) on the Client Access Network (10 GbE), each running a Solaris Immutable Global Zone; tenant workloads (Oracle Database 12c Release 1 in Immutable Zone 1 and Immutable Zone 2) run in Solaris Immutable Non-Global Zones; shared Exadata Storage Servers and ZFS Storage Appliance.]
• Tamperproof Execution Environment – Defends against accidental and malicious tampering of sensitive operating system and tenant-specific binaries, configuration files, etc.
• Role-based Access Control – Tenant administrators are assigned restricted rights profiles that strictly limit access to security sensitive functions.
[Diagram: the same two SPARC M7 Servers (Application Domain and Database Domain each) with Oracle Database 12c Release 1 in Immutable Zone 1 and Immutable Zone 2, Exadata Storage Servers and ZFS Storage Appliance. IP Filter runs on every domain and zone; IPsec protects the links between the non-global zones and to the storage; Secure Shell (SSH) and HTTPS protect client-facing traffic.]
• Comprehensive Packet Filtering – Network access to tenant environments is strictly controlled using a default deny firewall policy managed by the service provider.
• Complete End to End Network Encryption – Data in transit is always protected using a combination of Secure Shell, HTTPS (SSL/TLS) and IPsec. IPsec is used to protect all internal traffic flowing between non-global zones.
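A default-deny IP Filter policy is only as strong as the rule-ordering semantics it runs under: IP Filter evaluates rules top to bottom, the last matching rule wins unless a matching rule says `quick`, and a packet matching no rule is passed. The following added example (not code from the slides or from Oracle) implements that subset of the semantics so a provider policy can be checked offline before it is deployed; the interfaces, addresses and rules are constructed for illustration.

```python
"""Evaluate a Solaris IP Filter (ipf.conf-style) tenant policy offline.

Added example; not code from the slides or from Oracle. It implements the
subset of IP Filter semantics needed to reason about a default-deny design:
rules are evaluated top to bottom and the LAST matching rule wins, unless a
matching rule carries `quick`, which stops evaluation at once. A packet that
matches no rule at all is passed, which is why the policy opens with an
explicit `block in all`. The sample policy, interface names and addresses
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    quick: bool                 # stop evaluating on match
    iface: Optional[str]        # None matches any interface
    proto: Optional[str]        # None matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.proto is None or self.proto == p.proto)
            and ip_address(p.src) in self.src
            and ip_address(p.dst) in self.dst
            and (self.dport is None or self.dport == p.dport)
        )


def _net(tok: str) -> IPv4Network:
    return ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse a minimal inbound rule:
    <pass|block> in [log] [quick] [on IF] [proto P] [from S to D] [port = N] [keep state]
    """
    toks = line.split()
    if toks[0] not in ("pass", "block") or toks[1] != "in":
        raise ValueError(f"unsupported rule: {line!r}")
    iface = proto = dport = None
    src = dst = _net("any")
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "proto":
            proto, i = toks[i + 1], i + 2
        elif t == "from":
            src, i = _net(toks[i + 1]), i + 2
        elif t == "to":
            dst, i = _net(toks[i + 1]), i + 2
        elif t == "port":            # written as "port = N"
            dport, i = int(toks[i + 2]), i + 3
        else:                        # all, log, quick, keep, state
            i += 1
    return Rule(toks[0], "quick" in toks, iface, proto, src, dst, dport)


def load_policy(text: str) -> List[Rule]:
    lines = (l.strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def evaluate(rules: List[Rule], p: Packet) -> str:
    verdict = "pass"                 # IP Filter's outcome when nothing matches
    for r in rules:
        if r.matches(p):
            verdict = r.action       # last match wins ...
            if r.quick:
                break                # ... unless the match is quick
    return verdict


# Constructed provider policy: deny everything, then open only each tenant's own
# VLAN interface to that tenant's database listener and HTTPS front end.
TENANT_POLICY = """
block in log all
pass in quick on vlanA0 proto tcp from 10.10.1.0/24 to 10.10.1.5 port = 1521 keep state
pass in quick on vlanA0 proto tcp from any to 10.10.1.5 port = 443 keep state
pass in quick on vlanB0 proto tcp from 10.10.2.0/24 to 10.10.2.5 port = 1521 keep state
"""

# Constructed mistake: a trailing non-quick "pass in all" becomes the last match for
# every packet that reached it and silently turns default-deny into allow-all.
BROKEN_POLICY = TENANT_POLICY + "pass in all\n"

TENANT_A_DB = Packet("vlanA0", "tcp", "10.10.1.20", "10.10.1.5", 1521)
TENANT_B_TO_A = Packet("vlanB0", "tcp", "10.10.2.20", "10.10.1.5", 1521)
TENANT_A_SSH = Packet("vlanA0", "tcp", "10.10.1.20", "10.10.1.5", 22)
```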
[Diagram: the same two SPARC M7 Servers (Application Domain and Database Domain each) on the Client Access Network (10 GbE), with Oracle Database 12c Release 1 in Solaris Immutable Non-Global Zones (Immutable Zone 1 and Immutable Zone 2); Exadata Storage Servers and ZFS Storage Appliance.]
• Restricted Tenant Access to Storage – Administrative access to Exadata Storage Servers and the ZFS Storage Appliance is prohibited from within tenant non-global zones.
• Security Hardened Storage Appliances – Exadata Storage Servers and the ZFS Storage Appliance leverage a security hardened configuration to reduce the attack surface and prohibit unauthorized access.
[Diagram: the same two SPARC M7 Servers on the Client Access Network (10 GbE), with tenant databases (Oracle 11g R2) in Solaris Immutable Non-Global Zones (Immutable Zone 1 and Immutable Zone 2); Exadata Storage Servers hold Encrypted Tablespaces per tenant, labelled "Transparent Data Encryption and ASM Database Scoped Security"; ZFS Storage Appliance.]
• Comprehensive Data Protection – Data at rest protection, enabled by Oracle Transparent Data Encryption, secures access to tenant data, using unique, tenant-managed keys.
• Restricted Access to Exadata Storage – Mutual authentication is used to assign database storage resources to specific tenant environments, clusters, or individual databases.
[Diagram: an Application Domain on a SPARC T5-8 Server and a Database Domain on a SPARC M7 Server on the Client Access Network (10 GbE), with Oracle Database 12c Release 1 in Solaris Immutable Non-Global Zones (Immutable Zone 1 and Immutable Zone 2); Exadata Storage Servers hold Encrypted Tablespaces (Transparent Data Encryption and ASM Database Scoped Security); the ZFS Storage Appliance provides a ZFS Pool per zone (ZFS Pool (Zone 1), ZFS Pool (Zone 2)), each with rpool, /u01 and /common.]
• Comprehensive Data Protection – Solaris non-global zones, installed applications and files are protected at rest using hardware-accelerated ZFS encryption with tenant-specific keys.
• Restricted Access to ZFS Storage – Storage resources are logically isolated, leverage mutual authentication and are assigned directly to tenant non-global zones.
[Diagram: two SPARC T5-8 Servers, each with an Application Domain and a Database Domain, on the Client Access Network (10 GbE). Database zones: Immutable Zone 1a and Immutable Zone 1b (11g R2 database, RAC (DB1)), Immutable Zone 2 and Immutable Zone 3 (11g R2 database); application zones: Immutable Zone 4a and Immutable Zone 4b (Oracle Fusion Middleware). Each zone has its own ZFS Pool on the ZFS Storage Appliance (ZFS Pool (Zone 1a), (Zone 1b), (Zone 2), (Zone 3), (Zone 4a), (Zone 4b), each with rpool, /u01 and /common). Exadata Storage Servers hold DB1, DB2 and DB3 (Zone 1), DB4 (Zone 2), and DB4 and DB5 (Zone 3).]
[Diagram: an Application Domain on a SPARC T5-8 Server and a Database Domain on a SPARC M7 Server on the Client Access Network (10 GbE), with Oracle Database 12c Release 1 in Solaris Immutable Non-Global Zones (Immutable Zone 1 and Immutable Zone 2); Exadata Storage Servers with Encrypted Tablespaces (Transparent Data Encryption and ASM Database Scoped Security); ZFS Storage Appliance with ZFS Pool (Zone 1) and ZFS Pool (Zone 2) (rpool, /u01, /common) and a separate /audit_pool.]
• Centralized Auditing – Tenant-specific non-global zones are uniformly audited using a centralized policy defined and managed by the service provider. All audit trail data is stored in the Solaris global zone in an encrypted ZFS dataset and is not accessible by individual tenants.
• Role-based Access Control – Access to provider or tenant-specific audit trail data is controlled using a highly restricted Solaris role.
[Diagram: two SPARC M7 Servers, each with an Application Domain and a Database Domain, on the Client Access Network (10 GbE). Database zones: Immutable Zone 1a and Immutable Zone 1b (Oracle Database 12c Release 1, RAC (DB1)), Immutable Zone 2 and Immutable Zone 3 (Oracle Database 12c Release 1); application zones: Immutable Zone 4a and Immutable Zone 4b (Oracle Fusion Middleware). Each zone has its own ZFS Pool on the ZFS Storage Appliance (ZFS Pool (Zone 1a), (Zone 1b), (Zone 2), (Zone 3), (Zone 4a), (Zone 4b), each with rpool, /u01 and /common). Exadata Storage Servers hold DB1, DB2 and DB3 (Zone 1), DB4 (Zone 2), and DB4 and DB5 (Zone 3).]
Multiple Tenant Consolidation
Oracle SuperCluster Example – Tenant Viewpoint
Sample Secure Configuration Steps
• Implement Multiple Service Workload Recommendations
• Enhance Operating System Security
  – Restrict Tenant Access to Solaris Zones
  – Implement Tenant Administrator Role
  – Implement Immutable Non-Global Zone
  – Implement Immutable Global Zone
  – Implement Immutable Firewall Policy
  – Implement Immutable Auditing Policy
• Enhance Network Security
  – Implement IPsec/IKE for RAC Interconnect with Tenant Specific Keys
  – Implement IP Filter on Application Zones
  – Restrict Tenant Access to SuperCluster Management Network and Services
[Diagram: the tenant's view. The Client Access Network (TLS, SSH) over Tenant Specific VLANs reaches an Oracle WebLogic Cluster of two Tenant Specific Immutable Zones (Oracle WebLogic) hosted in Immutable Global Zones. A Tenant Specific InfiniBand Network Partition carries Tenant-Specific Internal Communications (IPoIB, SDP) to an Oracle Database Cluster (RAC) of two Tenant Specific Immutable Zones (Oracle Database). On the InfiniBand Network, RDSv3 carries Oracle Exadata Storage and RAC Specific Communications to Tenant Specific Disk Group(s) in an Exadata Storage Partition on the Oracle Exadata Storage Servers, and NFS / iSCSI carries traffic to Tenant-Specific NAS Storage (ZFS Volumes/Data Sets for Binaries, Configurations, Backups, Logs) on the Oracle Sun ZFS Storage Appliance.]
Multiple Tenant Consolidation
Oracle SuperCluster Example – Provider Viewpoint
[Diagram: the provider's view of one SPARC M7 Server with an Application Domain and a Database Domain. Tenant A and Tenant B enter from the Client Access Network over HTTPS on VLAN A and VLAN B respectively, into Tenant A Zone 1 and Tenant B Zone 1 (Application) and Tenant A Zone 2 and Tenant B Zone 2 (Oracle Database). On the InfiniBand Network, a Tenant A Network Partition and a Tenant B Network Partition carry RDSv3 to Tenant A Disk Groups and Tenant B Disk Groups on the Exadata Storage Servers, and NFSv4 / iSCSI to Application A Storage, Application B Storage, Database A Storage and Database B Storage on the Sun ZFS Storage Appliance.]
Multiple Tenant Centralized Key Management
Oracle SuperCluster and Oracle Key Manager Example – Provider Viewpoint
Achieving PCI-DSS Compliance*
• Secure isolation of SuperCluster Domains/Zones
• Apply Solaris IPfilter Firewall for network traffic control
• Enable SuperCluster Secure-By-Default & Password policies
• Protect network flow with segmentation and enable IPSec/IKE
• Enforce stronger isolation for Domains/Zones, ASM scoping
• Encrypt ZFS data sets and use database encryption (TDE)
• Use TLSv1.2, SSH, IPSec/IKE for encrypted communication
• Use Immutable Solaris Zones, enable ASLR and Non-exec stack
• Use Solaris Vscan services for Anti-virus/malware scans
• Use Oracle SuperCluster QFSDP and automated CVE updates
• Enable Strong authentication using PAM and password policies
• Enforce Role based access control and Rights/Privilege profile
• Enforce preventive physical access controls
• Enable logging and audit policies for all operations
• Enable File integrity checks and monitoring (BART)
• Establish a Process, Policy, Procedure control as per PCI-DSS requirements
• Enable stronger encryption with Solaris FIPS mode
• Enable verified boot at ILOM
• Use Key management with Oracle Key Manager
* Refer: "Oracle SuperCluster and PCI Compliance – Coalfire, September 2014"
SuperCluster Compliance
Security Configuration Compliance and Remediation - PCI-DSS, STIG, and more...
Oracle SuperCluster Security Capability Summary
Secure Isolation
  Compute: Physical; Electrical; Hypervisor-Mediated; Kernel-Mediated
  Storage: Physical; ASM Instances; ZFS Data Sets
  Network: Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions
  Database: Multitenant; Instances; Schema; Labels
Access Control
  Compute: RBAC / Privileges; LDOM Administration; Zone Administration
  Storage: ZFS ACLs; Exadata Security; NFS Security
  Network: IP Filter / iptables; Switch ACLs
  Database: Audit Vault and Database Firewall; Roles and Privileges; Real Application Security; Database Vault
Data Protection
  Compute: Immutable Zones; Read-Only Mounts
  Storage: ZFS Administration; ZFS Encryption; LOFI Encryption
  Network: SSH; SSL / TLS; IPsec / IKE
  Database: TDE; Virtual Private DB; Data Masking; Redaction
Monitoring and Auditing
  Compute: Solaris Auditing; Linux Auditing; BART / AIDE
  Storage: ZFS Storage Appliance Logs; Exadata Storage Auditing
  Network: IP Filter / iptables; Switch Logs
  Database: Database Auditing; Audit Vault and Database Firewall
Oracle SuperCluster Security Summary
Complete, Tested, Integrated, Trusted
Further Information
• Oracle SuperCluster Home Page
  https://www.oracle.com/engineered-systems/supercluster/index.html
• Oracle SuperCluster Security White Papers
  – Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
    http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-052-osc-t5-8-security-1989641.pdf
  – Secure Database Consolidation Using the Oracle SuperCluster T5-8 Platform
    http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-053-securedb-osc-t5-8-1990064.pdf
  – Oracle SuperCluster T5-8 Security Technical Implementation Guide (STIG) Validation and Best Practices on Database Servers
    http://www.oracle.com/technetwork/server-storage/hardware-solutions/stig-sparc-supercluster-1841833.pdf
Multiple Tenant Consolidation
Oracle SuperCluster Example – Tenant Viewpoint (Alternate)
[Diagram: the alternate tenant view. The Client Access Network (SSL, SSH) over Tenant Specific VLANs reaches an Oracle WebLogic Cluster of two Tenant Specific Immutable Zones (Oracle WebLogic); a Tenant Specific VLAN carries Multi-Tier Traffic to an Oracle Database Cluster (RAC) of two Tenant Specific Immutable Zones (Oracle Database), with IPoIB for Tenant-Specific Internal Communications. An External Tenant Specific InfiniBand Network Partition is reserved for Storage and RAC Use Only: RDSv3 carries Oracle Exadata Storage and RAC Specific Communications to Tenant Specific Disk Group(s) in an Exadata Storage Partition on the Oracle Exadata Storage Servers, and iSCSI carries traffic to Tenant-Specific NAS Storage (ZFS Volumes/Data Sets for Binaries, Configurations, Backups, Logs) on the Oracle Sun ZFS Storage Appliance.]
Secure Multitenancy
Cloud Provider Viewpoint
[Diagram: layered security for Tenant-A and Tenant-B. Isolation layers: System Isolation, Domain Isolation (App Domain, DB Domain), Zone Isolation, Electrical Isolation. Networks: 10GbE Network [Client Access] with TLSv1.2 Secure Connections on VLAN-A and VLAN-B; Infiniband Network 40GbE [Full/Limited Membership] carrying RDS v3, iSCSI and NFS v4. Storage: Oracle ZFS Storage with Encrypted ZFS Data Sets (bin, configs, backups, logs); Oracle Exadata Storage Cells with ASM Scoped Security Disk Group(s) and Transparent Data Encryption. Layered Security: Read-Only Immutable Zones, Dedicated IB Partition, Fine Grained RBAC, IP Filter Firewalls, IPSec/IKE Channels, Centralized Audit, Oracle Key Manager.]
Oracle Key Manager – Key Management Appliance
• Oracle Key Manager Appliance for SuperCluster
  – Simple automatic installation and integrates with SuperCluster Management Network
  – No OS/driver administration or maintenance is required
  – Dedicated key management and key transport (service) networks
  – Conforms to stringent federal security certifications (FIPS 140-2 level 3)
  – Secure Key Management via RBAC with segregation of duties
  – SuperCluster Tenant Key Management using Key Groups and Key Group Policies
• Supports all SuperCluster hosted Encryption End-points via Solaris PKCS#11 KMS
  – ZFS Encryption, Oracle Transparent Data Encryption
  – Java, Fusion Middleware and Fusion Applications (via PKCS#11)
OKM 3
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.