Oracle 12c的ASM新特性是什么

这篇文章主要讲解了“Oracle 12c的ASM新特性是什么”，文中的讲解内容简单清晰，易于学习与理解，下面请大家跟着小编的思路慢慢深入，一起来研究和学习“Oracle 12c的ASM新特性是什么”吧！orapwdfile='+data/HTZXDBPRI/password/orapwhtzxdbpri'force=ydbuniquename=htzxdbpriformat=12sys=oraclesysbackup=oraclesysdg=oraclesyskm=oracleorapwdinput_file='+data/HTZXDBPRI/password/orapwhtzxdbpri'file='+ocr/asm/password/orapwASM'asm=yforce=ysrvctlconfigdb-dhtzxdbpri-asrvctlmodifydb-dhtzxdbpri-pwfile'+data/HTZXDBPRI/password/orapwhtzxdbpri'---密码文件linux区分$ORACLE_SID大小写sysdbaselect*fromv$pwfile_users;--linux：orapw+$ORACLE_SID--windows：pwd+$ORACLE_SID.ora--密码文件存放在ASM中：orapwdfile='+data/lhrracphy/PASSWORD/pwdlhrracphy'force=ydbuniquename=lhrracphyformat=12password=lhrorapwdfile='+data'force=ydbuniquename=lhrracphyformat=12password=lhrorapwdfile='+data/HTZXDBPRI/password/orapwhtzxdbpri'force=ydbuniquename=htzxdbpriformat=12sys=oraclesysbackup=oraclesysdg=oraclesyskm=oracle--使用老密码文件替换新密码文件orapwdinput_file='+data/HTZXDBPRI/password/orapwhtzxdbpri'file='+ocr/asm/password/orapwASM'force=yorapwdinput_file='+data/HTZXDBPRI/password/orapwhtzxdbpri'file='+ocr/asm/password/orapwASM'asm=yforce=y--备份密码文件ASMCMD>pwcopypwdorcl.378.98780432/home/grid/--配置数据库的密码文件srvctlconfigdb-dhtzxdbpri-asrvctlmodifydb-dhtzxdbpri-pwfile'+data/HTZXDBPRI/password/orapwhtzxdbpri'oradim-NEW-sidorcl9i-INTPWDadmin-pfiled:oracleora90databaseinitstorm.ora;C:UsersAdministrator>orapwdfile="E:oracleora8iDATABASEPWDortest.ORA"password=lhr[oracle@robinsondbs]$orapwdfile=$ORACLE_HOME/dbs/orapworclpassword=oracleforce=yasmcmd同样也可以创建密码文件：$asmcmdASMCMD>pwcreateASMCMD[+]>pwcreate--asm+DG/mydir/mypwfile'oracle'-f--format12ASMCMD[+]>pwcreate--dbuniquenameracdb+DG/mydir/mypwfile'oracle'-f--format12其它命令：pwcreate、pwdelete、pwcopy、pwmove、pwset、pwgetASMCMD>pwget--dbuniquenamehtzxdbpri+data/HTZXDBPRI/password/orapwhtzxdbpriASM存储密码文件前提条件是ASM磁盘组的COMPATIBLE.ASM>=12.1selectname,compatibilityfromv$asm_diskgroup;--createnewpasswordinASMorapwdfile='+data/ASM/orapwasm'asm=y--createnewpasswordinASMfromlocationorapwdinput_file='/oraclegrid/dbs/orapwasm'file='+data/ASM/orapwasm'[asm=y]--movepasswordfilefromAasmdiskgrouptoanotherASMCMD>pwmove--asm+CRS/asm/password/orapwasm+data/orapwasmWhen password file is used for Redo Transport Authentication, the password of redo transport user should be same across primary and all its physical and snapshot standby databases. By default SYS user is used to authenticate redo transport sessions when password file is used.Till 12cR1 Dataguard setup, if there is a change in password file of Primary database like Changes in password or Changes in admin privileges, then the password file needs to be copied from Primary database to standby database server and rename it according to standby database Instance name. If the password file of Primary and Standby databases are not same, then errors will be seen.In 12cR2, the password file of standby database gets synchronized automatically when there is a change in Primary database password file. The password file change of Primary will be included in Redo and when the Redo is applied to standby, the synchronization happens in the background.这里延伸几个知识点：1 、 11g中口令文件并不能实现存放于asm共享访问，修改SYS密码，需要再每个RAC节点手动实施同步 ，同样备库的口令文件也要手动进行更新覆盖
2、12.1版本可以实现口令文件ASM共享存储，RAC中只需要一个节点执行alter user sys 就可以实现主库所有节点同步，这点是11g中无法实现。但是备库中口令文件依然需要手动同步主库的口令文件过来覆盖
3 、12.2版本oracle在口令文件ASM共享存储的前提下，实现了口令文件自动同步主备所有节点MOS —
Automatic Password file synchronization in 12.2 Dataguard Standby databaseData Guard Standby Automatic Password file Synchronization in 12.2 (文档 ID 2307365.1)1 概念This feature automatically synchronizes password files across Oracle Data Guard configurations. When the passwords of SYS, SYSDG, and so on, are changed, the password file at the primary database is updated and then the changes are propagated to all standby databases in the configuration.该特性自动同步Oracle数据保护配置中的密码文件。当SYS、SYSDG等的密码发生更改时，主数据库中的密码文件被更新，然后将更改传播到配置中的所有备用数据库。This feature provi免费主机域名des additional automation that further simplifies management of Oracle Data Guard configurations.这个特性提供了额外的自动化，进一步简化了Oracle数据保护配置的管理。Redo Transport Authentication Using a Password FileIn an Oracle Data Guard configuration, all physical and snapshot standby databases must use a copy of the password file from the primary database. That copy is automatically refreshed whenever an administrative privilege (SYSDG, SYSOPER, SYSDBA, and so on) is granted or revoked, and after the password of any user with administrative privileges is changed. The only exception to this is far sync instances. Updated password files must still be manually copied to far sync instances because far sync instances receive redo, but do not apply it. Once the password file is up-to-date at the far sync instance the redo containing the password update at the primary is automatically propagated to any standby databases that are set up to receive redo from that far sync instance. The password file is updated on the standby when the redo is applied.在Oracle数据保护配置中，所有物理和快照备用数据库必须使用来自主数据库的密码文件副本。当管理员权限(SYSDG、SYSOPER、SYSDBA等)被授予或撤销时，该副本将自动刷新，并且任何具有管理员权限的用户的密码发生更改后，该副本将自动刷新。唯一的例外是far sync instances。更新的密码文件必须手动复制到far sync instances，因为far sync instances接收重做，但不应用它。一旦密码文件在远同步实例中是最新的，那么在主服务器上包含密码更新的重做就会自动传播到任何准备far sync instances接收重做的备用数据库。在应用重做时，在备用服务器上更新密码文件。2 实验2.1 tnsname.ora 中配置主备库的网络服务2.2 修改主库sys 用户密码3 参考链接http://docs.oracle.com/database/122/NEWFT/new-features.htm#NEWFT-GUID-A6211BAC-0534-44B9-B988-A7CC2B97044Fhttps://petesdbablog.wordpress.com/2017/03/11/12-2-new-feature-automatically-synchronize-password-files-in-oracle-data-guard/https://uhesse.com/2017/01/10/auto-sync-for-password-files-in-oracle-12c-data-guard/在ORACLE 12C之前大家都知道密码文件是存放在?/dbs或者?/database中,如果要修改修改sysdba权限的用户密码时候,会去修改密码文件,而在rac数据库的sys密码文件是存在各个节点中,这个时候修改sysdba权限的密码就需要在两个节点都要做同样的操作,而对于数据库来说本身是只要在一个节点上修改即可,因为密码是记录在user$中,就是因为密码文件非共享且在各个节点中都有,因此需要在各个节点均要执行修改密码命令,确保密码文件被正常修改。因为rac 密码文件非共享的机制存在,导致修改sysdba权限密码繁琐,有些时候甚至有节点忘记修改,导致需要使用密码文件操作数据库的时候不能正常进行,DG传输日志异常等故障。在ORACLE 12C中为了解决这个问题,引入了密码文件可以存入ASM新特性,从而使得密码文件存储在ASM中实现所有节点共享,从而解决该问题.
ASM存储密码文件前提条件 COMPATIBLE.ASM>= 12.1
查询ASM信息SQL> select * from v$version;BANNER CON_ID——————————————————————————– ———-Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 – 64bit Production 0PL/SQL Release 12.1.0.1.0 – Production 0CORE 12.1.0.1.0 Production 0TNS for Linux: Version 12.1.0.1.0 – Production 0NLSRTL Version 12.1.0.1.0 – Production 0SQL> select NAME,COMPATIBILITY from v$asm_diskgroup;NAME COMPATIBILITY—————————— ————————————————————DATA 12.1.0.0.0查询crs中关于db配置[grid@xifenfei ~]$ srvctl config database -d cdbDatabase unique name: cdbDatabase name: cdbOracle home: /u01/app/oracle/product/12.1/db_1Oracle user: oracleSpfile: +DATA/cdb/spfilecdb.oraPassword file:Domain:Start options: openStop options: immediateDatabase role: PRIMARYManagement policy: MANUALDatabase instance: cdbDisk Groups: DATAServices:这里db的password file为空,即表示使用默认值,也就是为$ORACLE_HOME/dbs/orapwxifenfei创建密码文件存储在ASM中–创建db新密码文件[oracle@xifenfei ~]$ orapwd file=’+data/CDB/orapwdxifenfei’ dbuniquename=’cdb’Enter password for SYS:—-输入sys用户密码–创建asm新密码文件orapwd file=’+data/ASM/orapwasm’ asm=y—-asm=y 表示创建的密码文件为asm的–使用老密码文件创建db/asm新密码文件orapwd input_file=’/oraclegrid/dbs/orapwasm’ file=’+data/ASM/orapwasm’ [asm=y]—-input_file 表示使用老的密码文件创建新的存储在ASM中的密码文件查看ASM中密码文件ASMCMD> showversionASM version : 12.1.0.1.0ASMCMD> pwd+data/cdbASMCMD> ls -l orapwdxifenfeiType Redund Striped Time Sys NamePASSWORD UNPROT COARSE MAY 31 19:00:00 N orapwdxifenfei => +DATA/CDB/PASSWORD/pwdcdb.290.816897265配置crs中password file项[grid@xifenfei ~]$ srvctl modify database -db cdb -pwfile +data/CDB/orapwdxifenfei查询crs中关于db配置[grid@xifenfei ~]$ srvctl config database -d cdbDatabase unique name: cdbDatabase name: cdbOracle home: /u01/app/oracle/product/12.1/db_1Oracle user: oracleSpfile: +DATA/cdb/spfilecdb.oraPassword file: +data/CDB/orapwdxifenfeiDomain:Start options: openStop options: immediateDatabase role: PRIMARYManagement policy: MANUALDatabase instance: cdbDisk Groups: DATAServices:至此数据库启动使用密码ASM中的密码文件完成,补充说明,该方式配置在ASM中的密码文件,只能是通过crs方式启动db才会生效,如果手工使用sqlplus启动数据库不会使用该密码文件,还是使用默认密码文件。这里也就提醒大家操作规范:在RAC环境(包含单节点的GI环境)中,对数据库的启动关闭操作强烈建议使用crs相关命令来完成,而不推荐使用sqlplus命令Oracle Database – Enterprise Edition – Version 12.2.0.1 and later
Information in this document applies to any platform.
Automatic Password file synchronization in 12.2 Dataguard Standby databaseWhen password file is used for Redo Transport Authentication, the password of redo transport user should be same across primary and all its physical and snapshot standby databases. By default SYS user is used to authenticate redo transport sessions when password file is used.Till 12cR1 Dataguard setup, if there is a change in password file of Primary database like Changes in password or Changes in admin privileges, then the password file needs to be copied from Primary database to standby database server and rename it according to standby database Instance name. If the password file of Primary and Standby databases are not same, then errors will be seen.In 12cR2, the password file of standby database gets synchronized automatically when there is a change in Primary database password file. The password file change of Primary will be included in Redo and when the Redo is applied to standby, the synchronization happens in the background.Exception: Far-sync Instances (where the redo will not be applied). We need to manually copy the password file. Once the password file is sync at Far-Sync instance, the redo having password file information will get transmitted to standby which are suppose to receive from Far-sync instance.Example:PRIMARY>select username, sysdba, syso免费主机域名per, sysasm,sysbackup,authentication_type AT from v$pwfile_users;USERNAME SYSDB SYSOP SYSAS SYSBA AT
——————– —– —– —– —– ——–
SYS TRUE TRUE FALSE FALSE PASSWORD
SYSDG FALSE FALSE FALSE FALSE PASSWORD
SYSBACKUP FALSE FALSE FALSE TRUE PASSWORD
SYSKM FALSE FALSE FALSE FALSE PASSWORDSTANDBY>select username, sysdba, sysoper, sysasm,sysbackup,authentication_type AT from v$pwfile_users;USERNAME SYSDB SYSOP SYSAS SYSBA AT
———- —– —– —– —– ——–
SYS TRUE TRUE FALSE FALSE PASSWORD
SYSDG FALSE FALSE FALSE FALSE PASSWORD
SYSBACKUP FALSE FALSE FALSE TRUE PASSWORD
SYSKM FALSE FALSE FALSE FALSE PASSWORDLet’s grant a role to a user at Primary database which will make changes in Password filePRIMARY>Grant SYSOPER to user1;Grant succeeded.PRIMARY>select username, sysdba, sysoper, sysasm,sysbackup,authentication_type AT from v$pwfile_users;USERNAME SYSDB SYSOP SYSAS SYSBA AT
——————– —– —– —– —– ——–
SYS TRUE TRUE FALSE FALSE PASSWORD
SYSDG FALSE FALSE FALSE FALSE PASSWORD
SYSBACKUP FALSE FALSE FALSE TRUE PASSWORD
SYSKM FALSE FALSE FALSE FALSE PASSWORD
USER1 FALSE TRUE FALSE FALSE PASSWORDPassword file of Primary database:-rw-r—–. 1 oracle oinstall 4096 /u01/app/oracle/product/12.2.0/dbhome_1/dbs/orapwprimdbSwitch the logfile, so that the Redo reach its standby databasesPRIMARY>alter system switch logfile;System altered.At standby Media recovery is not active. Verify v$pwfile_users for the granted roleSTANDBY>select username, sysdba, sysoper, sysasm,sysbackup,authentication_type AT from v$pwfile_users;USERNAME SYSDB SYSOP SYSAS SYSBA AT
———- —– —– —– —– ——–
SYS TRUE TRUE FALSE FALSE PASSWORD
SYSDG FALSE FALSE FALSE FALSE PASSWORD
SYSBACKUP FALSE FALSE FALSE TRUE PASSWORD
SYSKM FALSE FALSE FALSE FALSE PASSWORDPassword file of Standby database:-rw-r—–. 1 oracle oinstall 3584 /u01/app/oracle/product/12.2.0/dbhome_2/dbs/orapwstdbydbNewly granted role is not reflected in Standby, lets start Media recovery and then query v$pwfile_users.STANDBY>recover managed standby database disconnect;
Media recovery complete.
STANDBY>select username, sysdba, sysoper, sysasm,sysbackup,authentication_type AT from v$pwfile_users;USERNAME SYSDB SYSOP SYSAS SYSBA AT
———- —– —– —– —– ——–
SYS TRUE TRUE FALSE FALSE PASSWORD
SYSDG FALSE FALSE FALSE FALSE PASSWORD
SYSBACKUP FALSE FALSE FALSE TRUE PASSWORD
SYSKM FALSE FALSE FALSE FALSE PASSWORD
USER1 FALSE TRUE FALSE FALSE PASSWORDPassword file of standby database:-rw-r—–. 1 oracle oinstall 4096 /u01/app/oracle/product/12.2.0/dbhome_2/dbs/orapwstdbydbWe could see after media recovery v$pwfile_users has been updatedoracle数据库软件是获得过最高级别的安全认证，完全超越其它所有数据库软件，并且在可维护性上基于大量的实践需要稳步前行，这里简单列举几个12c 关于password几个新特性。1. 新的password hash算法
2. 新的password verify function
3. 密码文件可以存储到ASM
4. 密码自动从primary同步到standby端在Dataguard环境中
5. 新的密码认证协议以下将介绍其中几个内容：Oracle对Oracle Database 12c中的用户密码哈希进行了改进， 通过使用基于PBKDF2的SHA512哈希算法，而不是简单的SHA1哈希，密码哈希更安全, 从11g起user$.spare4列存储着密码的哈希值。在12.1.0.2版本时spare4列有3部分组成（S:H:T）.12.2时只剩下（S:T ）2部分。S部分和11g时的算法一样，长度60 chars,是基于SHA1的哈希。H部分是基于MD5的哈希，长度为32 chars, 也可能是因为MD5 hash更方便入侵者的暴力破解，在12.2 版本时从Spare4列去掉该部分。T部分是从12.1.0.2版本增加，长度为160 chars, 使用的是基于PBKDF2-based SHA512的算法。该算法后部分32chars 的验证数据部分是随机生成。更加安全。在12c中default profile除了password verify function和11g不同，其它资源限制都是相同的。
不过国防安全要求有个建议值：
RESOURCE NAME LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 5
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function12c新引入了verify function 有ora12c_verify_function, ora12c_strong_verify_function (ora12c_stig_verify_function) ，而且可能在12.1.0.1 ,12.1.0.2, 12.2.0.1 profile默认的verify function名都不一样。比如STIG有以下限制：Password at least 9 charactersat least 2 capital lettersat least 2 small lettersat least 2 digitsat least 2 special characterspassword must differ by at least 4 characters from the old password在Oracle Database 12c之前，密码文件始终位于$ ORACLE_HOME / dbs文件下，即使对于RAC实例和RAC ASM集群也是如此。 对于RAC而言，DBA必须设法保持这一点密码文件在每个节点上同步。现在，在Oracle 12c中，可以将密码文件存储在ASM上。 这意味着一个共享密码文件Oracle RAC数据库为集群中的所有实例共享，与ASM spfile不同，ASM密码文件的访问只有在启动ASM ，并且在磁盘组mount后才可以访问。用于创建密码文件的命令实用程序仍然是相同的：“orapwd”ASM存储密码文件前提条件 COMPATIBLE.ASM>= 12.112cR2中一个有用的增强功能是密码文件在Data Guard环境中自动同步，如果在primary database上更改了sys的密码，并且它自动也在standby database上进行了更改。 在早期版本中必须手动完成的，通常通过使用primary database 密码文件替换standby database上的密码文件。从主库ASM拷贝到文件系统中：ASMCMD> pwcopy +DATA/HISS/PASSWORD/pwdhis.256.918602833/home/grid/使用scp或者其它方式拷贝到备库的主机中并重命名为hiss：$ scp /home/grid/pwdhis.256.91860283310.241.8.9:/home/grid$ mv pwdhis.256.918602833 orapwhiss从备库文件系统拷贝到ASM中：ASMCMD> pwcopy /home/grid/orapwhiss +DATA/HISS/PASSWORD/查询ASM信息SQL>
select*
fromv$version;BANNER CON_ID-------------------------------------------------------------------------------- ----------Oracle
Database12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production 0PL/SQL Release 12.1.0.1.0 - Production 0CORE 12.1.0.1.0 Production 0TNS
forLinux: Version 12.1.0.1.0 - Production 0NLSRTL Version 12.1.0.1.0 - Production 0SQL>
selectNAME,COMPATIBILITY
fromv$asm_diskgroup;NAMECOMPATIBILITY------------------------------ ------------------------------------------------------------DATA 12.1.0.0.0查询crs中关于db配置[grid@orcl ~]$ srvctl config database -d cdbDatabase unique name: cdbDatabase name: cdbOracle home:
/u01/app/oracle/product/12.1/db_1Oracle user: oracleSpfile: +DATA/cdb/spfilecdb.oraPassword
file:
Domain:
Start options:
openStop options: immediateDatabase role: PRIMARYManagement policy: MANUALDatabase instance: cdbDisk Groups: DATAServices:
这里db的password file为空,即表示使用默认值,也就是为$ORACLE_HOME/dbs/orapworcl

创建密码文件存储在ASM中--创建db新密码文件[oracle@orcl ~]$ orapwd
file='+data/CDB/orapwdorcl'dbuniquename='cdb'Enter password
forSYS:
----输入sys用户密码--创建asm新密码文件orapwd
file='+data/ASM/orapwasm'asm=y----asm=y 表示创建的密码文件为asm的--使用老密码文件创建db/asm新密码文件orapwd input_file='/oraclegrid/dbs/orapwasm'file='+data/ASM/orapwasm'[asm=y]----input_file 表示使用老的密码文件创建新的存储在ASM中的密码文件查看ASM中密码文件ASMCMD> showversionASM version : 12.1.0.1.0ASMCMD>
pwd+data/cdbASMCMD>
ls-l orapwdorclType Redund Striped Time Sys NamePASSWORD UNPROT COARSE MAY 31 19:00:00 N orapwdorcl => +DATA/CDB/PASSWORD/pwdcdb.290.816897265配置crs中password file项[grid@orcl ~]$ srvctl modify database -db cdb -pwfile +data/CDB/orapwdorcl查询crs中关于db配置[grid@orcl ~]$ srvctl config database -d cdbDatabase unique name: cdbDatabase name: cdbOracle home:
/u01/app/oracle/product/12.1/db_1Oracle user: oracleSpfile: +DATA/cdb/spfilecdb.oraPassword
file: +data/CDB/orapwdorclDomain:
Start options:
openStop options: immediateDatabase role: PRIMARYManagement policy: MANUALDatabase instance: cdbDisk Groups: DATAServices:
至此数据库启动使用密码ASM中的密码文件完成。补充说明,该方式配置在ASM中的密码文件,只能是通过crs方式启动db才会生效,如果手工使用sqlplus启动数据库不会使用该密码文件,还是使用默认密码文件。这里也就提醒大家操作规范:在RAC环境(包含单节点的GI环境)中,对数据库的启动关闭操作强烈建议使用crs相关命令来完成,而不推荐使用sqlplus命令。感谢各位的阅读，以上就是“Oracle 12c的ASM新特性是什么”的内容了，经过本文的学习后，相信大家对Oracle 12c的ASM新特性是什么这一问题有了更深刻的体会，具体使用情况还需要大家实践验证。这里是云技术，小编将为大家推送更多相关知识点的文章，欢迎关注！

相关推荐: MySQL事务隔离级别的示例分析

这篇文章将为大家详细讲解有关MySQL事务隔离级别的示例分析，小编觉得挺实用的，因此分享给大家做个参考，希望大家阅读完这篇文章后可以有所收获。SQL标准定义了4类隔离级别，包括了一些具体规则，用来限定事务内外的哪些改变是可见的，哪些是不可见的。低级别的隔离级一…