Purpose
This package provides the APIs to administer the service Access Control Lists (ACLs) that control access to DB services by external Virtual Machines (VMs) or host networks.
There are two types of ACL: Exadirect and IP. An Exadirect ACL grants access to VMs, whereas an IP ACL grants access to host networks.
Exadirect APIs are prefixed by 'ed_'.
IP APIs are prefixed by 'ip_'.
APIs without a prefix are generic.
AUTHID
DEFINER
Constants
Name             Data Type      Value                                   Description
DOMAIN_MASK      VARCHAR2(80)   '\*(\.[^\.\:\/\*]+)*'                   -- Hostname mask: *.???.???...???
HOSTNAME_MASK    VARCHAR2(80)   '[^\.\:\/\*]+(\.[^\.\:\/\*]+)*'         -- Hostname mask: ???.???.???...???
IP_ADDR_MASK     VARCHAR2(80)   '([[:digit:]]+\.){3}[[:digit:]]+'       -- IP address mask: xxx.xxx.xxx.xxx
IP_SUBNET_MASK   VARCHAR2(80)   '([[:digit:]]+\.){0,3}\*'               -- IP subnet mask: xxx.xxx...*
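The four masks are regular-expression fragments, and the page does not say how the package applies them. The following added example (not part of the package or of this page) classifies a constructed set of host strings against the constants, assuming they are meant as whole-string matches and therefore anchoring each one with '^' and '$'. The IP masks are tested before HOSTNAME_MASK because a dotted-decimal address also satisfies the hostname pattern. It assumes the session has EXECUTE on dbsfwuser.dbms_sfw_acl_admin, as the page's own calls do.

```sql
-- Added example: whole-string classification of constructed host strings
-- against the package mask constants (assumes anchored matching).
SET SERVEROUTPUT ON
DECLARE
  TYPE host_list IS TABLE OF VARCHAR2(300);
  -- constructed sample inputs covering each mask plus two forms no mask covers
  l_hosts host_list := host_list(
    'db01.example.com', '*.example.com', '10.1.2.3',
    '10.1.*', '10.1.2.3/24', 'fe80::1');

  -- Anchor the fragment so the whole value must match, not just a substring.
  FUNCTION whole_match(p_value IN VARCHAR2, p_mask IN VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    RETURN REGEXP_LIKE(p_value, '^' || p_mask || '$');
  END whole_match;

  -- Most specific masks first: an IPv4 address would also pass HOSTNAME_MASK.
  FUNCTION classify(p_host IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF    whole_match(p_host, dbsfwuser.dbms_sfw_acl_admin.ip_addr_mask)   THEN RETURN 'IP_ADDR_MASK';
    ELSIF whole_match(p_host, dbsfwuser.dbms_sfw_acl_admin.ip_subnet_mask) THEN RETURN 'IP_SUBNET_MASK';
    ELSIF whole_match(p_host, dbsfwuser.dbms_sfw_acl_admin.domain_mask)    THEN RETURN 'DOMAIN_MASK';
    ELSIF whole_match(p_host, dbsfwuser.dbms_sfw_acl_admin.hostname_mask)  THEN RETURN 'HOSTNAME_MASK';
    ELSE  RETURN 'no mask matches';
    END IF;
  END classify;
BEGIN
  FOR i IN 1 .. l_hosts.COUNT LOOP
    dbms_output.put_line(RPAD(l_hosts(i), 20) || ' -> ' || classify(l_hosts(i)));
  END LOOP;
END;
/
```

Under whole-string matching, the hostname, wildcard domain, dotted-decimal address and wildcard subnet each land on exactly one mask, while the CIDR and IPv6 entries (both of which ip_add_ace accepts) match none of them: the '/' and ':' characters are excluded by the hostname patterns and absent from the IP patterns. Unanchored, IP_ADDR_MASK would match the '10.1.2.3' substring of '10.1.2.3/24', which is why the anchoring assumption matters when reusing these constants for input validation.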
Data Types
-- Used in batch operation.
TYPE table_type IS TABLE OF VARCHAR(300) INDEX BY BINARY_INTEGER;
Commit changes to the DB ACL table and propagate them to all access control points in the DB cluster. Exadirect ACL updates are only propagated if DB ACL control is enabled.
Enable DB ACL control, then load and propagate the initial ACLs to all access control points in the DB cluster. By default, DB ACL control is disabled and all access to secure network interfaces is denied.
dbms_sfw_acl_admin.ed_enable_acl;
exec dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl;
BEGIN dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl; END;
*
ERROR at line 1:
ORA-20013: Must be running on EXADATA
ORA-06512: at "DBSFWUSER.DBMS_SFW_ACL_ADMIN", line 342
ORA-06512: at line 1
Get all VM UUIDs for the specified service. This call is used by the management stack to clean up a stalled service after the DBA has removed it, and is used in conjunction with remove_acl_svc_by_uuid.
dbms_sfw_acl_admin.ed_get_aces_by_svc(
p_service_name IN VARCHAR2,
p_vm_uuids OUT SYS_REFCURSOR);
BEGIN
IF dbsfwuser.dbms_sfw_acl_admin.ed_is_acl_enabled THEN
dbms_output.put_line('ACL is enabled');
ELSE
dbms_output.put_line('ACL is not enabled');
END IF;
END;
/
dbms_sfw_acl_admin.ip_add_ace(
p_service_name IN VARCHAR2,
p_host IN VARCHAR2); -- can be a hostname, dotted-decimal IPv4 or hexadecimal IPv6 address.
-- wildcard "*" for IPv4 and CIDR format allowed.
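As an added example (not code from the page or from the package), the block below grants one service access to a batch of host-network entries, one in each form the p_host comment above allows, using the page's table_type collection for the batch. The service name and host values are constructed placeholders; the check of ed_is_acl_enabled before adding IP entries is this example's own choice, reflecting the page's note that ACL control is disabled by default.

```sql
-- Added example: batch of ip_add_ace calls for one service.
-- Service name and host entries are constructed placeholders.
SET SERVEROUTPUT ON
DECLARE
  l_service CONSTANT VARCHAR2(64) := 'APP_SVC_PLACEHOLDER';   -- constructed
  l_hosts   dbsfwuser.dbms_sfw_acl_admin.table_type;           -- page's batch type
BEGIN
  -- one entry per accepted p_host form (all constructed values)
  l_hosts(1) := 'app01.example.com';   -- hostname
  l_hosts(2) := '10.20.30.40';         -- dotted-decimal IPv4
  l_hosts(3) := '10.20.30.*';          -- IPv4 with "*" wildcard
  l_hosts(4) := '10.20.40.0/24';       -- CIDR
  l_hosts(5) := '2001:db8::10';        -- hexadecimal IPv6

  -- Example's own precondition: report when DB ACL control is still disabled,
  -- since the page states access is denied until it is enabled.
  IF NOT dbsfwuser.dbms_sfw_acl_admin.ed_is_acl_enabled THEN
    dbms_output.put_line('Warning: DB ACL control is not enabled');
  END IF;

  FOR i IN 1 .. l_hosts.COUNT LOOP
    dbsfwuser.dbms_sfw_acl_admin.ip_add_ace(
      p_service_name => l_service,
      p_host         => l_hosts(i));
    dbms_output.put_line('Added ACE for ' || l_service || ': ' || l_hosts(i));
  END LOOP;
END;
/
```

The entries are only staged in the DB ACL table by these calls; as the page explains for the commit procedure, changes are propagated to the access control points in the cluster when they are committed, so that step still has to follow the block.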