AWS Custom Engine Versions for Amazon RDS Custom for Oracle – Sightseeing Tour Part 2/3 – Connectivity and what you get

This is the second part of the blog post series about AWS Custom Engine Versions for Amazon RDS Custom for Oracle. In this part we take a look how we can connect to the Oracle database host and to the database itself by a tool like the Oracle SQL Developer. The blog post series:

Connect as Schema User

The username and the password for the SQl*Plus connect are the ones you have added as Master username and Master password during CEV RDB instance creation process. The database endpoint is visible in the RDS instance details. Example when the client has network access to the database instance host – routing and security group are set. Details how to connect: Creating an Oracle DB instance and connecting to a database on an Oracle DB instance – Amazon Relational Database Service (amazonaws.com)

SQL*Plus Connect on Command Line as ADMIN

ADMIN has roles like dba and datapump_exp_full_database, take care about this password.

[ec2-user@ip-10-192-20-83 ~]$ sqlplus 'admin@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rds-cev-oracle-1915-db01.ch1234567.eu-central-1.rds.amazonaws.com)(PORT=1521))(CONNECT_DATA=(SID=DB01)))'

SQL*Plus: Release 21.0.0.0.0 - Production on Mon May 16 19:43:03 2022
Version 21.6.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.15.0.0.0

SQL>

Secrets Manager

During the RDS CEV instance creation process, there is no option to add any SSH key.The only one password what you can set is the Master Password for the database instance for a first connect. From our first blog post, we know that the EC2 instance name is db-Q6ELCPBQUYBZXZSLTVTFZWZJLM. The second part of the string can be used as filter in the Secrets Manager.

Two secrets are listed:

do-not-delete-rds-custom-ssh-privatekey-db-<db-random-id>-<random-id> For EC2 instance SSH access as user ec2-user
do-not-delete-rds-custom-db-<db-random-id>-<random-id> For Oracle database connect as user RDSADMIN (high privileged)

 

To get the values, just select the secret and press the Release secret value button. Example for the password for the Oracle RDSADMIN user – for the SSH user you will get the private SSH key.

SQL*Plus Connect on Command Line as RDSADMIN

[ec2-user@ip-10-192-20-83 ~]$ sqlplus 'rdsadmin@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rds-cev-oracle-1915-db01.ch1234567.eu-central-1.rds.amazonaws.com)(PORT=1521))(CONNECT_DATA=(SID=DB01)))'

SQL*Plus: Release 21.0.0.0.0 - Production on Mon May 16 19:48:15 2022
Version 21.6.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Enter password:
Last Successful login time: Mon May 16 2022 19:48:14 +00:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.15.0.0.0

SQL>

SSH Access to the Oracle host as ec2-user, change to rdsdb and login AS SYSDBA

[ec2-user@ip-10-192-20-83 ~]$ ssh -i .ssh/id_rsa_oracle_cev rds-cev-oracle-1915-db01.ch1234567.eu-central-1.rds.amazonaws.com
Last login: Mon May 16 20:01:59 2022 from ip-10-192-20-83.eu-central-1.compute.internal
AWS RDS Custom Default AMI

[ec2-user@ip-10-192-21-156 ~]$ sudo su - rdsdb
Last login: Mon May 16 19:39:15 UTC 2022 on pts/0

-bash-4.2$ . oraenv
ORACLE_SID = [DB01] ?
The Oracle base has been set to
Resetting ORACLE_BASE to its previous value or ORACLE_HOME
The Oracle base has been set to /rdsdbbin/oracle

-bash-4.2$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Mon May 16 20:02:49 2022
Version 19.15.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.15.0.0.0

SQL>

What you get

Login and db* DBBASENV Output

[ec2-user@ip-10-192-21-156 ~]$ sudo su - rdsdb
Last login: Mon May 16 20:41:43 UTC 2022 on pts/2

TYPE (Cluster|DG)  : SID/PROCESS  STATUS      HOME      [2022-05-16 21:03:58]
-----------------------------------------------------------------------------
Dummy rdbms_ee     : rdbms19      n/a         /rdsdbbin/oracle

DB-instance (N|N)  : DB01         open        /rdsdbbin/oracle

Listener           : L_DB01_001   up          /rdsdbbin/oracle


rdsdb@ip-10-192-21-156:~/ [rdbms19] DB01

----------------------------------------------------------- 2022-05-16 21:04:02
DB_NAME        : DB01
DB_UNIQUE_NAME : DB01_A
DBID           : 1735959514
DATAFILE_SIZE  : 1G
MEMORY_SIZE    : 11.41G SGA / .4G PGA (11.41G memory_target)
FRA_SIZE       : 1G
UPTIME         : 2022-05-14 21:03 (2d 0h 0m)
INSTANCE_STATUS: NORMAL
OPEN_MODE      : READ WRITE
USERS/SESSIONS : Non-Oracle: 1/2 , Oracle: 1/2
DATABASE_ROLE  : PRIMARY
LOG_MODE       : ARCHIVELOG
CHARACTERSET   : US7ASCII
ORACLE_HOME    : /rdsdbbin/oracle
ORACLE_VERSION : 19.15.0.0.0
-------------------------------------------------------------------------------

 

Architecture

Even with 19c, you will get a single instance database, no Multitenant Option is enabled.

SQL> show con_name

CON_NAME
------------------------------
DB01

SQL> CREATE PLUGGABLE DATABASE PDB01 ADMIN USER pdbdmin IDENTIFIED BY kermitthefrog;
CREATE PLUGGABLE DATABASE PDB01 ADMIN USER t1 IDENTIFIED BY t1
*
ERROR at line 1:
ORA-65090: operation only allowed in a container database

Characterset

The characterset is US7ASCII – I don’t see or found a way to change it during CEV instance creation process.

SQL> SELECT value$ FROM sys.props$ WHERE name = 'NLS_CHARACTERSET' ;

VALUE$
--------------------------------------------------------------------------------
US7ASCII

Redo Log Files

Four redo log groups, each with one file only – no mirroring.

SQL> SELECT group#, member FROM v$logfile ORDER BY 1;

GROUP# MEMBER
---------- ------------------------------------------------------------
1 /rdsdbdata/db/DB01_A/onlinelog/o1_mf_1_k80674k8_.log
2 /rdsdbdata/db/DB01_A/onlinelog/o1_mf_2_k80674vb_.log
3 /rdsdbdata/db/DB01_A/onlinelog/o1_mf_3_k806755x_.log
4 /rdsdbdata/db/DB01_A/onlinelog/o1_mf_4_k80675vr_.log

Control File

One file only.

SQL> SELECT name FROM v$controlfile;

NAME
--------------------------------------------------------------------------------
/rdsdbdata/db/DB01_A/controlfile/control-01.ctl

Block Devices

File System

Oracle binaries are on mountpoint /rdsdbbin, the controlfile, datafile, ADR logs etc. on /rdsdbdata.

-bash-4.2$ df -m
Filesystem                      1M-blocks  Used Available Use% Mounted on
devtmpfs                             7759     0      7759   0% /dev
tmpfs                               15566  7008      8558  46% /dev/shm
tmpfs                                7783     1      7783   1% /run
tmpfs                                7783     0      7783   0% /sys/fs/cgroup
/dev/nvme0n1p1                       9950  4020      5812  41% /
/dev/nvme3n1                        25071 13579     10196  58% /rdsdbbin
/dev/mapper/dbdata01-lvdbdata01     40170  2580     37164   7% /rdsdbdata
tmpfs                                1557     0      1557   0% /run/user/61001
tmpfs                                1557     0      1557   0% /run/user/61005

File Owner

Owner of the Oracle related files is OS user rdsdb.

-bash-4.2$ ls -la
total 52
drwxr-xr-x 10 rdsdb database 4096 May 14 20:53 .
dr-xr-xr-x 20 root root 4096 May 14 20:51 ..
drwxr-xr-x 3 rdsdb database 4096 May 14 18:33 admin
drwxr-x--- 3 rdsdb database 4096 May 14 18:46 audit
drwxr-xr-x 3 rdsdb database 4096 May 14 18:54 cfgtoollogs
drwxr-xr-x 2 rdsdb database 4096 May 14 18:26 checkpoints
drwxrwxr-x 23 rdsdb database 4096 May 14 18:26 diag
drwxr-xr-x 2 rdsdb database 16384 May 14 18:22 lost+found
drwxr-xr-x 7 rdsdb database 4096 May 15 06:01 oraInventory
lrwxrwxrwx 1 rdsdb database 34 May 14 18:26 oracle -> /rdsdbbin/oracle.19.custom.r1.EE.1
drwxr-xr-x 71 rdsdb database 4096 May 14 20:57 oracle.19.custom.r1.EE.1
lrwxrwxrwx 1 root root 15 May 14 20:53 scripts -> /etc/rds/dbbin/

Parameters

The database parameters are based on the AWS default.custom-oracle-ee-19 parameters group and cannot be changed in the AWS console.

 

Backup

AWS uses the general RDS backup mechanism with disk snapshots. Visible in the database alertlog. There are no RMAN information about database backups in the controlfile.

2022-05-16T21:22:36.923471+00:00
ALTER DATABASE BACKUP CONTROLFILE TO '/rdsdbdata/tmp/backup_control_file' REUSE
Completed: ALTER DATABASE BACKUP CONTROLFILE TO '/rdsdbdata/tmp/backup_control_file' REUSE
2022-05-16T21:22:37.082329+00:00
ALTER DATABASE BEGIN BACKUP
Completed: ALTER DATABASE BEGIN BACKUP
2022-05-16T21:22:38.030903+00:00
ALTER DATABASE END BACKUP
Completed: ALTER DATABASE END BACKUP
RMAN> list backup of database;

specification does not match any backup in the repository

RMAN> list backup of controlfile;

List of Backup Sets
===================

BS Key Type LV Size Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ ---------------
1 Full 8.55M DISK 00:00:01 14-MAY-22
BP Key: 1 Status: AVAILABLE Compressed: NO Tag: TAG20220514T211337
Piece Name: /rdsdbbin/oracle/dbs/c-1735959514-20220514-00
Control File Included: Ckp SCN: 746724 Ckp time: 14-MAY-22

OS Release

-bash-4.2$ cat /etc/oracle-release
Oracle Linux Server release 7.9

Oracle Database Security Assessment

I did a quick run with dbsat after the initial setup. Here is the overview of the findings. There are no high risks. If you are interested in the details, the html file is on my github repository https://github.com/martinberger-ch/aws-cev-oracle.git.

Summary Part 2/3

To connect to a privileged database user like ADMIN which was defined during the CEV instance creation process is very easy. For all other connects you have to consider the Secret Manager and release password or SSH key. We have 2022, and AWS creates still single instances. C’mon guys, we want to have multi-tenancy in place. To create a snapshot instead an RMAN backup is the well know method for RDS. I am still searching where to change the initial NLS characterset. According the AWS EBS documentation, storage is replicated inside the Availability Zone to prevent data loss. The storage is encrypted by  an user managed key. Good new from the database security front, DBSAT has no high risks found.