ACE Director Alum Daniel Morgan, founder of Morgan's Library, is scheduling complimentary technical Workshops on Database Security for the first 30 Oracle Database customers located anywhere in North America, EMEA, LATAM, or APAC that send an email to asra_us@oracle.com. Request a Workshop for your organization today.
Purpose
This package provides the APIs to administer the service Access Control Lists (ACLs) that control access to DB services by external Virtual Machines (VMs) or host networks.
There are two types of ACL: Exadirect and IP. An Exadirect ACL grants access to VMs, whereas an IP ACL grants access to host networks.
Exadirect APIs are prefixed with 'ed_'.
IP APIs are prefixed with 'ip_'.
APIs without a prefix are generic.
AUTHID
DEFINER
Constants
Name             Data Type      Value                               Description
DOMAIN_MASK      VARCHAR2(80)   '\*(\.[^\.\:\/\*]+)*'               Hostname mask: *.???.???...???
HOSTNAME_MASK    VARCHAR2(80)   '[^\.\:\/\*]+(\.[^\.\:\/\*]+)*'     Hostname mask: ???.???.???...???
IP_ADDR_MASK     VARCHAR2(80)   '([[:digit:]]+\.){3}[[:digit:]]+'   IP address mask: xxx.xxx.xxx.xxx
IP_SUBNET_MASK   VARCHAR2(80)   '([[:digit:]]+\.){0,3}\*'           IP subnet mask: xxx.xxx...*
Data Types
-- Used in batch operation
TYPE table_type IS TABLE OF VARCHAR(300) INDEX BY BINARY_INTEGER;
Dependencies
ACL$_OBJ
DUAL
V_$PDBS
CDB_SERVICE$
EXADIRECT_ACL
XS$ACE_LIST
DBA_XS_ACES
IP_ACL
XS$ACE_TYPE
DBA_XS_ACLS
PLITBLM
XS$NAME_LIST
DBA_XS_OBJECTS
SERVICE$
XS_ACL
DBMS_ASSERT
V_$DATABASE
XS_ADMIN_UTIL
DBMS_STANDARD
V_$PARAMETER
XS_SECURITY_CLASS
Documented
Yes
Exceptions
Error Code   Reason
ORA-20001    exadirect_sgid_in_used
ORA-20002    exadirect_dup_svc_and_uuid
ORA-20003    exadirect_null_service
ORA-20004    exadirect_null_uuid
ORA-20005    exadirect_unknown
ORA-20006    exadirect_bad_sgid
ORA-20007    exadirect_ids_mismatch
ORA-20008    exadirect_insufficient_priv
ORA-20009    ip_host_exists
ORA-20010    ip_invalid_host
ORA-20011    ip_no_host
ORA-20012    container_not_root
ORA-20013    not_exadata (must be running on an Exadata)
ORA-20014    Service <service_name> not found in current container
Commit changes to the DB ACL table and propagate them to all access control points in the DB cluster. Exadirect ACL updates are propagated only if DB ACL control is enabled.
Enable DB ACL control, then load and propagate the initial ACLs to all access control points in the DB cluster. By default, DB ACL control is disabled and all access to secure network interfaces is denied.
dbms_sfw_acl_admin.ed_enable_acl;
exec dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl;
BEGIN dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl; END;
*
ERROR at line 1:
ORA-20013: Must be running on EXADATA
ORA-06512: at "DBSFWUSER.DBMS_SFW_ACL_ADMIN", line 342
ORA-06512: at line 1
Get all VM UUIDs for the specified service. This call is used by the management stack to clean up a stalled service after the DBA has removed it, in conjunction with remove_acl_svc_by_uuid.
dbms_sfw_acl_admin.ed_get_aces_by_svc(
  p_service_name IN  VARCHAR2,
  p_vm_uuids     OUT SYS_REFCURSOR);
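The page gives the signature but not how to consume the OUT ref cursor. The following anonymous block is an added example, not code from Morgan's Library or Oracle: it fetches every UUID returned for a service and counts them. It assumes the cursor returns a single VARCHAR2 column holding the UUID (the page does not document the column list), that the caller has EXECUTE on DBSFWUSER.DBMS_SFW_ACL_ADMIN, and that the procedure raises the page's ORA-20014 for an unknown service as ip_add_ace does; 'pdbprod' is a constructed service name.

```sql
-- Added example, not Morgan's Library or Oracle code.
-- Assumptions: p_vm_uuids yields one VARCHAR2 column (the VM UUID);
-- ORA-20014 is raised for an unknown service; 'pdbprod' is a sample name.
SET SERVEROUTPUT ON

DECLARE
  l_service CONSTANT VARCHAR2(64) := 'pdbprod';   -- constructed
  l_cur     SYS_REFCURSOR;
  l_uuid    VARCHAR2(300);
  l_count   PLS_INTEGER := 0;

  svc_not_found EXCEPTION;
  PRAGMA EXCEPTION_INIT(svc_not_found, -20014);
BEGIN
  -- A listing taken while control is disabled describes the table, not
  -- what the access control points are actually enforcing.
  IF NOT dbsfwuser.dbms_sfw_acl_admin.ed_is_acl_enabled THEN
    dbms_output.put_line('note: DB ACL control is disabled, nothing is enforced yet');
  END IF;

  dbsfwuser.dbms_sfw_acl_admin.ed_get_aces_by_svc(
    p_service_name => l_service,
    p_vm_uuids     => l_cur);

  -- Drain the ref cursor one UUID at a time
  LOOP
    FETCH l_cur INTO l_uuid;
    EXIT WHEN l_cur%NOTFOUND;
    l_count := l_count + 1;
    dbms_output.put_line(l_service || ' <- VM ' || l_uuid);
  END LOOP;
  CLOSE l_cur;

  dbms_output.put_line(l_count || ' VM UUID(s) hold an ACE on ' || l_service);
EXCEPTION
  WHEN svc_not_found THEN
    IF l_cur%ISOPEN THEN CLOSE l_cur; END IF;
    dbms_output.put_line('service ' || l_service || ' not found in current container');
END;
/
```

A zero count for a service that still exists is the case the page says this call is for: the management stack can then pass each UUID to remove_acl_svc_by_uuid, and an empty result means there is nothing left to clean up.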
BEGIN
  IF dbsfwuser.dbms_sfw_acl_admin.ed_is_acl_enabled THEN
    dbms_output.put_line('ACL is enabled');
  ELSE
    dbms_output.put_line('ACL is not enabled');
  END IF;
END;
/
dbms_sfw_acl_admin.ip_add_ace(
  p_service_name IN VARCHAR2,
  p_host         IN VARCHAR2); -- can be a hostname, dotted-decimal IPv4 or hexadecimal IPv6 address.
                               -- wildcard "*" for IPv4 and CIDR format allowed.
exec dbsfwuser.dbms_sfw_acl_admin.ip_add_ace('pdbprod', '192.168.42.15');
*
Error at line 1:
ORA-20014: Service pdbprod not found in current container
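The demo above shows only the failure path for an unknown service. The block below is an added example, not code from Morgan's Library or Oracle: it adds a batch of IP ACEs, maps the documented ORA-20009/20010/20012/20014 codes to named exceptions so a bad entry does not abort the batch, and uses the package's own mask constants to label each accepted entry for the audit trail. It assumes the four mask constants are public in the DBMS_SFW_ACL_ADMIN spec, that the caller has EXECUTE on DBSFWUSER.DBMS_SFW_ACL_ADMIN, and that 'pdbprod' and the host list are constructed sample values.

```sql
-- Added example, not Morgan's Library or Oracle code.
-- Assumptions: the mask constants are public in the package spec;
-- 'pdbprod' and the host list are constructed sample values.
SET SERVEROUTPUT ON

DECLARE
  TYPE host_tab IS TABLE OF VARCHAR2(300);
  l_service CONSTANT VARCHAR2(64) := 'pdbprod';
  l_hosts   host_tab := host_tab('192.168.42.15', '10.20.*', '*.example.com',
                                 'app01.example.com', '2001:db8::1');

  -- Named exceptions for the ORA-200xx codes documented for this package
  svc_not_found EXCEPTION;  PRAGMA EXCEPTION_INIT(svc_not_found, -20014);
  host_exists   EXCEPTION;  PRAGMA EXCEPTION_INIT(host_exists,   -20009);
  invalid_host  EXCEPTION;  PRAGMA EXCEPTION_INIT(invalid_host,  -20010);
  not_root      EXCEPTION;  PRAGMA EXCEPTION_INIT(not_root,      -20012);

  -- Anchor a package mask so the whole entry must match, not a substring
  FUNCTION matches(p_host IN VARCHAR2, p_mask IN VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    RETURN REGEXP_LIKE(p_host, '^' || p_mask || '$');
  END;

  -- Classify an entry for the audit line. Order matters: a dotted IPv4
  -- address also satisfies HOSTNAME_MASK, so the IP masks are tested first.
  -- IPv6 and CIDR entries match no mask and are left to the package to validate.
  FUNCTION classify(p_host IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF    matches(p_host, dbsfwuser.dbms_sfw_acl_admin.ip_addr_mask)   THEN RETURN 'ipv4 address';
    ELSIF matches(p_host, dbsfwuser.dbms_sfw_acl_admin.ip_subnet_mask) THEN RETURN 'ipv4 wildcard subnet';
    ELSIF matches(p_host, dbsfwuser.dbms_sfw_acl_admin.domain_mask)    THEN RETURN 'domain wildcard';
    ELSIF matches(p_host, dbsfwuser.dbms_sfw_acl_admin.hostname_mask)  THEN RETURN 'hostname';
    ELSE  RETURN 'other (IPv6/CIDR, validated by the package)';
    END IF;
  END;
BEGIN
  FOR i IN 1 .. l_hosts.COUNT LOOP
    BEGIN
      dbsfwuser.dbms_sfw_acl_admin.ip_add_ace(l_service, l_hosts(i));
      dbms_output.put_line('added   ' || l_hosts(i) || ' [' || classify(l_hosts(i)) || ']');
    EXCEPTION
      WHEN host_exists  THEN dbms_output.put_line('exists  ' || l_hosts(i));
      WHEN invalid_host THEN dbms_output.put_line('invalid ' || l_hosts(i));
    END;
  END LOOP;
  -- Separate step, not done here: the package's commit/propagate procedure
  -- pushes the new entries to the access control points in the cluster.
EXCEPTION
  WHEN svc_not_found THEN
    dbms_output.put_line('service ' || l_service || ' not found in current container');
  WHEN not_root THEN
    dbms_output.put_line('must run from the CDB root');
END;
/
```

The per-entry handler catches only the two codes that mean "this entry", while the service and container errors terminate the whole block, since every remaining entry would fail the same way. The audit label is what a reviewer later needs to tell an individual host grant from a wildcard subnet or domain grant.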