5 Configuring Users, Groups and Environments for Oracle Grid Infrastructure and Oracle RAC

The Oracle Installation User can be either a local user or a ___domain user.

To install the Oracle Grid Infrastructure or Oracle Database software, you must use either a local or ___domain user that is a member of the Administrators group. This user is the Oracle Installation User.

If you use a local user account for installing Oracle Grid Infrastructure or Oracle Real Application Clusters (Oracle RAC), then:

• The user account must exist on all nodes in the cluster.

• The user name and password must be the same on all nodes.

• OUI displays a warning message.

If you use a ___domain user account for installing Oracle Grid Infrastructure or Oracle Real Application Clusters (Oracle RAC), then:

• The ___domain user must be explicitly declared as a member of the local Administrators group on each node in the cluster. It is not sufficient if the ___domain user has inherited membership from another group.

• The user performing the installation must be in the same ___domain on each node. For example, you cannot have use the DBADMIN\dba1 user on the first node and the RACDBA\dba1 user on the second node.

• A local user of the same name cannot exist on any of the nodes. For example if you use RACDBA\dba1 as the installation user, none of the nodes can have a local NODE1\dba1 user account.

If you use different users to install Oracle Grid Infrastructure and Oracle RAC, then the user that installs Oracle RAC must be a member of the ASMDBA and ASMADMIN groups to access the Oracle Automatic Storage Management (Oracle ASM) Disks.

During installation of Oracle Grid Infrastructure, you can specify an optional Oracle Home user associated with the Oracle Grid home.

For example, assume that you use an Administrator user named OraSys to install the software (Oracle Installation user), then you can specify the ORADOMAIN\OraGrid ___domain user as the Oracle Home user for this installation. The specified Oracle Home ___domain user must exist before you install the Oracle Grid Infrastructure software.

The Oracle Home user for the Oracle Grid Infrastructure installation can be either the Windows built-in account (LocalSystem) or an existing user. If you specify an existing user as the Oracle Home user, then the Windows User Account you specify must be a ___domain user or Group Managed Service Account (gMSA) user. When you use an Oracle Home User, a secure wallet in Oracle Cluster Registry (created automatically) stores the Oracle Home User name and password information. If you decide not to create an Oracle Home user, then the Windows built-in account is used as Oracle Home User.

For Oracle Grid Infrastructure 12c release 12.1.0.1, if you choose the Oracle Grid Infrastructure Management Repository option during installation, then use of an Oracle Home user is mandatory. Similarly, if you perform a software-only installation of Oracle Grid Infrastructure, then you must choose a Windows Domain User account to configure the Oracle Grid Infrastructure Management Repository after installation.

During installation, the installer creates the software services and configures the Access Control Lists (ACLs) based on the information you provided about the Oracle Home User. See the section "Setting File Permissions" in Oracle Database Platform Guide for Microsoft Windows for more information.

When you specify an Oracle Home user, the installer configures that user as the Oracle Service user for all software services that run from the Oracle home. The Oracle Service user is the operating system user that the Oracle software services run as, or the user from which the services inherit privileges.

During installation of Oracle RAC, you can either use a Windows built-in account or specify an optional, non-Administrator user that is a Windows ___domain user to be the Oracle Home User associated with the Oracle RAC home.

The Oracle Home User for Oracle RAC can be different from the Oracle Home User you specified during the Oracle Grid Infrastructure installation. If a Windows ___domain user account is chosen, then it should be an existing ___domain user account with no administration privileges.

For Oracle RAC installations, Oracle recommends that you use a Windows ___domain user (instead of Windows built-in account) as the Oracle Home User for enhanced security.

The services created for the Oracle RAC software run using the privileges of the Oracle Home User for Oracle RAC, or the Local System built-in Windows account if you did not specify an Oracle Home User during installation. Oracle Universal Installer (OUI) creates multiple operating system groups, such as the ORA_DBA group, on all nodes. The user performing the installation is automatically added to those groups necessary for proper database administration. For more information about the Oracle Home User implementation for Oracle Database, see Oracle Database Platform Guide for Microsoft Windows.

For an administrator-managed database, you have the option of storing Oracle Home User password in a secure wallet (stored in Oracle Cluster Registry). Use the following CRSCTL command to create this secure wallet for storing the Windows operating system user name and password:

crsctl add wallet -osuser -passwd

If the wallet (stored in Oracle Cluster Registry) exists, then Oracle administration tools automatically use the password from the wallet without prompting the administrator to enter the password of Oracle Home User for performing administrative operations.

A policy-managed database mandates the storage of Oracle Home User password in the wallet (stored in Oracle Cluster Registry). When a policy-managed database is created, DBCA automatically creates the wallet, if one does not exist.

You must create an Oracle Home User in certain circumstances.

• If an Oracle Home User exists, but you want to use a different operating system user, with different group membership, to give database administrative privileges to those groups in a new Oracle Database installation

• If you have created an Oracle Home User for Oracle Grid Infrastructure, such as grid, and you want to create a separate Oracle Home User for Oracle Database software, such as oracle

• Restrictions and Guidelines for Oracle Home Users
  Review the following restrictions and guidelines for Oracle Home Users for Oracle software installations.
• Determining if an Oracle Home User Exists
  You must decide to use an existing user, or create a new user.
• Creating an Oracle Home User
  Use the Manage User Accounts window to create a new user.
• Using an Existing Oracle Software Owner User
  If the user you have decided to use as an Oracle Home user exists, then you can use this user as the Oracle Home user for a different installation.

When the Oracle software installation completes, you will have one of the following configurations:

You must have a group whose members are given access to write to the Oracle Inventory directory, which is the central inventory record of all Oracle software installations on a server.

When you install Oracle software on the system for the first time, Oracle Universal Installer (OUI) creates the directories for the Oracle central inventory. OUI also creates the Oracle Inventory group, ORA_INSTALL. The ORA_INSTALL group contains all the Oracle Home users for all Oracle homes on the server. The ___location of the Oracle central inventory on Windows is always %SYSTEM_DRIVE%\Program Files\Oracle\Inventory.

Whether you are performing the first installation of Oracle software on this server, or are performing an installation of additional Oracle software on the server, you do not need to create the Oracle central inventory or the ORA_INSTALL group. You cannot change the name of the Oracle Inventory group - it is always ORA_INSTALL.

Members of the Oracle Inventory group have write privileges to the Oracle central inventory directory, and are also granted permissions for various Oracle Clusterware resources, OCR keys, directories in the Oracle Clusterware home to which DBAs need write access, and other necessary privileges. All Oracle software install users must be members of the Oracle Inventory group. Members of this group can talk to Cluster Synchronization Service (CSS).

When you install either Oracle Grid Infrastructure or Oracle RAC, the user groups listed in the following table are created, if they do not already exist.

During installation, the gridconfig.bat script creates the services and groups on each node of the cluster. The installed files and permissions are owned by the Oracle Installation user, and require the Administrator privilege.

Oracle creates and populates the groups listed in this table during installation to ensure proper operation of Oracle products. You can manually add other users to these groups to assign these database privileges to other Windows users.

Members of the ORA_DBA group can use operating system authentication to administer all Oracle databases installed on the server. Members of the ORA_HOMENAME_DBA, where HOMENAME is the name of a specific Oracle installation, can use operating system authentication to manage only the databases that run from that Oracle home.

A job role separation configuration of Oracle Database and Oracle ASM is a configuration with groups and users to provide separate groups for operating system authentication.

• About Job Role Separation Operating System Privileges Groups and Users
  With Oracle Database job role separation, each Oracle Database installation has separate operating system groups to provide authentication for system privileges on that Oracle Database, so multiple databases can be installed on the cluster without sharing operating system authentication for system privileges. In addition, each Oracle software installation is associated with an Oracle Installation user, to provide operating system user authentication for modifications to Oracle Database binaries.
• Oracle Software Owner for Each Oracle Software Product
  Oracle recommends that you use the following operating system groups and users for all installations where you specify separate Oracle Home Users:
• Standard Oracle Database Groups for Job Role Separation
  The Oracle Database supports multiple operating system groups to provide operating system authentication for database administration system privileges.
• Extended Oracle Database Groups for Job Role Separation
  Starting with Oracle Database 12c Release 1 (12.1), in addition to the SYSOPER system privilege to start and shut down the database, you can create new administrative privileges that are more task-specific and less privileged than the ORA_DBA group (or SYSDBA system privilege) to support specific administrative privileges tasks required for everyday database operation. Users granted these system privileges are also authenticated through operating system group membership.
• Oracle ASM Groups for Job Role Separation
  The SYSASM, SYSOPER for ASM, and SYSDBA for ASM system privileges enables the separation of the Oracle ASM storage administration privileges from SYSDBA.
• Changes in Oracle ASM System Privileges When Upgrading to Oracle Grid Infrastructure 12c Release 1 (12.1.0.2)
  When upgrading from Oracle Grid Infrastructure release 12.1.0.1 to release 12.1.0.2, the upgrade process automatically updates the group memberships and the disk ACLs for Oracle ASM privileges.

You can use role-allocated groups and users that is compliant with an Optimal Flexible Architecture (OFA) deployment.

Assumptions:

• The user installing the Oracle Grid Infrastructure software is named RACDOMAIN\grid. This user was created before starting the installation.

  The option to use the Windows Built-in Account was selected for the Oracle Home user for Oracle Grid Infrastructure.

• The name of the home directory for the Oracle Grid Infrastructure installation is OraGrid12c.

• The user installing the Oracle RAC software is named oracle. This user was created before starting the installation.

  During installation of Oracle RAC, an Oracle Home user named RACDOMAIN\oradba1 is specified. The oradba1 user is a Windows ___domain user that was created before the installation was started.

  The name of the Oracle home for the Oracle RAC installation is OraRAC12c_home1.

• You have a second, Oracle Database installation (not Oracle RAC) on this server. The installation was performed by the oracle user. The Oracle Home user is oradba2, and this user was not created before starting the installation.

  The Oracle Home name is OraDB12c_home1.

• Both the Oracle databases and Oracle Clusterware are configured to use Oracle ASM for data storage.

After installing the Oracle software, you have the following groups and users:

If there are no users listed for an operating system group, then that means the group has no members after installation.

The installer uses environment variables set for the Oracle Installation User.

• Before starting the Oracle Grid Infrastructure installation, ensure the %TEMP% environment variable is set correctly.
  See "Checking the Available TEMP Disk Space".

You must insure that operations that are performed on multiple nodes can be performed during installation of the Oracle Grid Infrastructure software.

1. Determine if User Account Control (UAC) remote restrictions have been disabled for the local installation user. If you are using a ___domain user for installation, then skip this step.
   Check the value of the LocalAccountTokenFilterPolicy registry entry for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The value should be set to 1. If this registry entry does not exist, then, do the following:
   1. Click Start, click Run, type regedit, and then press Enter.
   2. Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
   3. On the Edit menu, select New, and then click DWORD Value.
   4. Type LocalAccountTokenFilterPolicy and then press Enter.
   5. Right-click LocalAccountTokenFilterPolicy, then click Modify.
   6. In the Value data box, type 1, then click OK.
   7. Exit the registry editor.
   By setting the value of LocalAccountTokenFilterPolicy to 1, a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection with an elevated token, enabling the user to perform administrative tasks. If you do not disable the UAC remote restrictions for administrative users, then when installing Oracle Grid Infrastructure on multiple nodes you might encounter the following error:

   INS-40937 The following hostnames are invalid

2. Before running OUI, from the node where you intend to run the installer, verify that the user account you are using for the installation is configured as a member of the Administrators group on each node in the cluster.
   Enter the following command for each node that is a part of the cluster where nodename is the node name:

   net use \\nodename\C$

3. If you will be using other disk drives in addition to the C: drive, then repeat the net use command for every node in the cluster, substituting the drive letter for each drive you plan to use.
4. Verify the installation user is configured to update the Windows registry on each node in the cluster.
   1. Run regedit from the Run menu or the command prompt.
   2. From the File menu select Connect Network Registry.
   3. In the 'Enter the object name…' edit box enter the name of a remote node in the cluster, then click OK.
   4. Wait for the node to appear in the registry tree.

To ensure that only trusted applications run on your computer, Windows Server 2008 and Windows Server 2008 R2 provide User Account Control.

If you have enabled the User Account Control security feature, then depending on how you have it configured, OUI prompts you for either your consent or your credentials when installing Oracle Database. Provide either the consent or your Windows Administrator credentials as appropriate.

You must have Administrator privileges to run some Oracle tools, such as DBCA, NETCA, and OPatch, or to run any tool or application that writes to any directory within the Oracle home. If User Account Control is enabled and you are logged in as the local Administrator, then you can successfully run each of these commands. However, if you are logged in as "a member of the Administrators group," then you must explicitly run these tools with Windows Administrator privileges.

All of the Oracle shortcuts that require Administrator privileges are automatically run as an "Administrator" user when you click the shortcuts. However, if you run the previously mentioned tools from a Windows command prompt, then you must run them from an Administrator command prompt.

OPatch does not have a shortcut and must be run from an Administrator command prompt.

OUI uses several directories during installation of Oracle Grid Infrastructure.

• Temporary Directories
  To install properly across all nodes, OUI uses the temporary folders defined within Microsoft Windows.
• Grid Home Directory
  The directory that Oracle Grid Infrastructure is installed in is the Grid home.
• Oracle Base Directory
  During installation, you are prompted to specify an Oracle base ___location, which is owned by the user performing the installation. You can choose a ___location with an existing Oracle home, or choose another directory ___location that does not have the structure for an Oracle base directory.
• Oracle Inventory Directory
  The Oracle Inventory directory is the central inventory ___location for all Oracle software installed on a server.

Review directory path requirements for Oracle Grid Infrastructure Home directory.

• It is located in a path outside existing Oracle homes, including Oracle Clusterware homes.

• It is not located in a user home directory.

• If you create the path before installation, then the Oracle Installation user for Oracle Grid Infrastructure can create the directories in the path.

Oracle recommends that you install Oracle Grid Infrastructure on local homes, rather than using a shared home on shared storage.

For installations with Oracle Grid Infrastructure only, Oracle recommends that you create a path compliant with Oracle Optimal Flexible Architecture (OFA) guidelines, so that Oracle Universal Installer (OUI) can select that directory during installation.

The Oracle base directory for the Oracle Installation User for Oracle Grid Infrastructure is the ___location where diagnostic and administrative logs, and other logs associated with Oracle ASM and Oracle Clusterware are stored.

If the directory or path you specify during installation for the Grid home does not exist, then OUI creates the directory.

You must have the following hardware and software configured to enable cluster nodes to be managed with IPMI:

• Each cluster member node requires a Baseboard Management Controller (BMC) running firmware compatible with IPMI version 1.5 or greater, which supports IPMI over local area networks (LANs), and configured for remote control using LAN.

  Note:

  On servers running Windows Server 2008, you may have to upgrade the basic I/O system (BIOS), system firmware, and BMC firmware before you can use IPMI. Refer to Microsoft Support Article ID 950257 (http://support.microsoft.com/kb/950257) for details.

• Each cluster member node requires an IPMI driver installed on each node.

• The cluster requires a management network for IPMI. This can be a shared network, but Oracle recommends that you configure a dedicated network.

• Each cluster member node's Ethernet port used by BMC must be connected to the IPMI management network.

• Each cluster member must be connected to the management network.

• Some server platforms put their network interfaces into a power saving mode when they are powered off. In this case, they may operate only at a lower link speed (for example, 100 megabyte (MB), instead of 1 GB). For these platforms, the network switch port to which the BMC is connected must be able to auto-negotiate down to the lower speed, or IPMI will not function properly.

You can configure the Baseboard Management Controller (BMC) for Dynamic Host Configuration Protocol (DHCP), or for static IP addresses.

Oracle recommends that you configure the BMC for dynamic IP address assignment using DHCP. To use this option, you must have a DHCP server configured to assign the BMC IP addresses.

For Oracle Clusterware to communicate with the BMC, the IPMI driver must be installed permanently on each node, so that it is available on system restarts.

On Windows systems, the implementation assumes the Microsoft IPMI driver (ipmidrv.sys) is installed, which is included with the Windows Server 2008 and later versions of the Windows operating system. The driver is included as part of the Hardware Management feature, which includes the driver and the Windows Management Interface (WMI).

• Configuring the Hardware Management Component
  Hardware management is installed using the Add/Remove Windows Components Wizard.