CTE on Oracle ACFS Overview
CTE enables data protection of Oracle Automatic Storage Management Cluster File System (Oracle ACFS) on secvm volumes as part of the Oracle ASM stack. Oracle ACFS configured with secvm block devices is intended for use solely by the Oracle RAC application set to store related Oracle-generated data such as:
- Oracle-generated related database files:
  - database datafile
  - control files
  - redo log files
  - archive log files
- Oracle-generated database backup files:
  - hot/cold
  - rman
  - datapump exports
- Oracle-generated database TDE local wallet files
CTE on ACFS only provides encryption. It does not provide access control.
For other files, such as manually created shell scripts that require staging in a shared storage device, use other shared storage setups such as Veritas shared storage or a shared NFS mount.
Oracle RAC | Oracle RAC |
---|---|
Oracle ACFS (File System) | Oracle ADVM (Volume Manager) |
Oracle ASM (Storage Manager) | SecVM |
On Oracle, ACFS is layered on ASM disks, which in turn are built on secvm block devices. secvm is a proprietary device driver that supports GuardPoint protection of raw devices. secvm is inserted between the device driver and the device itself.
Key Managers and SecVM
Server-side administrators must ensure that all secvm guards for an Oracle cluster use the same policies for encryption and access control.
Host Groups and Identical Keys and Policies
Thales recommends that you deploy host groups to ensure that identical policies and keys are applied on all nodes of the ACFS cluster. This is faster and less error-prone.
Restrictions and Caveats
- Thales does not support secfs layered on ACFS.
- Oracle ACFS encryption in conjunction with secvm encryption might impact performance.