AWS odb documentation change
Summary
Updated database user grants to specific admin account, modified SSL configuration guidance with Oracle support reference, added certificate wallet examples in secrets
Security assessment
Changes enforce principle of least privilege by specifying dedicated admin user. Added certificate wallet documentation improves encryption guidance but doesn't address a specific vulnerability. Enhanced SSL references provide better configuration security.
Diff
diff --git a/odb/latest/UserGuide/zero-etl-prerequisites.md b/odb/latest/UserGuide/zero-etl-prerequisites.md index 852d09dff..0ba477471 100644 --- a//odb/latest/UserGuide/zero-etl-prerequisites.md +++ b//odb/latest/UserGuide/zero-etl-prerequisites.md @@ -49,2 +49,2 @@ Grant the following permissions to the replication user. - GRANT SELECT ON any-replicated-table TO "admin_user"; - GRANT LOGMINING to "admin_user"; + GRANT SELECT ON any-replicated-table TO "ODBZEROETLADMIN"; + GRANT LOGMINING to "ODBZEROETLADMIN"; @@ -52,2 +52,3 @@ Grant the following permissions to the replication user. - -- Grant the following permissions for all services. - -- If you use Autonomous Database on Dedicated Infrastructure, replace ODBZEROETLADMIN with GGADMIN. + -- Grant the following permissions to all services. + -- For Oracle Exadata, use the ODBZEROETLADMIN user. For Autonomous Database on Dedicated Infrastructure, + -- use the GGADMIN user. @@ -105 +106,3 @@ Enable supplemental logging on your Oracle database to capture change data. - -- Enable supplemental logging if not already enabled + -- Enable supplemental logging if not already enabled. + -- For Oracle Exadata, enable supplemental logging on both the CDB and PDB. + -- For Autonomous Database on Dedicated Infrastructure, enable supplemental logging on the PDB only. @@ -124 +127 @@ You must manually configure SSL on port 2484. This task involves the following: - * Generating and configuring SSL certificates (see [Certificates](https://docs.oracle.com/en-us/iaas/Content/certificates/home.htm) in the Oracle Cloud Infrastructure documentation) + * Generating and configuring SSL certificates (see [How To Configure SSL/TCPS For Exadata Cloud Database (ExaCC/ExaCS) (Doc ID 2947301.1)](https://support.oracle.com/knowledge/Oracle%20Database%20Products/2947301_1.html) in the My Oracle Support documentation) @@ -178 +181,4 @@ Store your Oracle database credentials in AWS Secrets Manager as follows: -To get your TDE key ID and password, use the technique described in [Supported encryption methods for using Oracle as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Encryption). +To get your TDE key ID and password, use the technique described in [Supported encryption methods for using Oracle as a source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Encryption). The following command generates the base64 wallet. + + + base64 -i cwallet.sso > wallet.b64 @@ -184 +189,0 @@ The following example shows a secret for Oracle Exadata. For `asm_service_name`, - "certificateWallet": "base64_encoded_wallet_content", @@ -192 +197,2 @@ The following example shows a secret for Oracle Exadata. For `asm_service_name`, - "tde_password": "tde_password" + "tde_password": "tde_password", + "certificateWallet": "base64_encoded_wallet_content" @@ -201,0 +208,15 @@ The following example shows a secret for Oracle Exadata. For `asm_service_name`, +The following example shows a secret for Autonomous Database on Dedicated Infrastructure. + + + { + "database_info": [ + { + "database_name": "ZETLACD_ZETLADBMORECPU", + "service_name": "ZETLADBMORECPU_high.adw.oraclecloud.com", + "username": "ggadmin", + "password": "secure_password", + "certificateWallet": "base64_encoded_wallet_content" + } + ] + } +