The views expressed on this blog are my own and do not necessarily reflect the views of Oracle

January 27, 2014

The ASM password directory

Password file authentication for Oracle Database or ASM can work for both local and remote connections. In Oracle version 12c, the password files can reside in an ASM disk group. The ASM metadata structure for managing the passwords is the ASM Password Directory - ASM metadata file number 13.

Note that the password files are accessible only after the disk group is mounted. One implication of this is that no remote SYSASM access to ASM and no remote SYSDBA access to database is possible, until the disk group with the password file is mounted.

The password file

The disk group based password file is managed by ASMCMD commands, ORAPWD tool and SRVCTL commands. The password file can be created with ORAPWD and ASMCA (at the time ASM is configured). All other password file manipulations are performed with ASMCMD or SRVCTL commands.

The COMPATIBLE.ASM disk group attribute must be set to at least 12.1 for the disk group where the password is to be located. The SYSASM privilege is required to manage the ASM password file and the SYSDBA privilege is required to manage the database password file.

Let's create the ASM password file in disk group DATA.

First make sure the COMPATIBLE.ASM attribute is set to the minimum required value:

$ asmcmd lsattr -G DATA -l compatible.asm
Name            Value
compatible.asm  12.1.0.0.0

Create the ASM password file:

$ orapwd file='+DATA/orapwasm' asm=y
Enter password for SYS: *******
$

Get the ASM password file name:

$ asmcmd pwget --asm
+DATA/orapwasm

And finally, find the ASM password file location and fully qualified name:

$ asmcmd find +DATA "*" --type password
+DATA/ASM/PASSWORD/pwdasm.256.837972683
+DATA/orapwasm

From this we see that +DATA/orapwasm is an alias to the actual file that has a special (+[DISK GROUP NAME]/ASM/PASSWORD) placeholder.

The ASM password directory

The ASM metadata structure for managing the disk group based passwords is the ASM Password Directory - ASM metadata file number 13. Note that the password file is also managed by the ASM File Directory, like any other ASM based file. I guess this redundancy just highlights the importance of the password file.

Let's locate the ASM Password Directory. As that is file number 13, we can look it up in the ASM File Directory. That means, we first need to locate the ASM File Directory itself. The pointer to the first AU of the ASM File Directory is in the disk header of disk 0, in the field f1b2locn:

First match the disk numbers to disk paths for disk group DATA:

$ asmcmd lsdsk -p -G DATA | cut -c12-21,78-88
Disk_Num  Path
      0  /dev/sdc1
      1  /dev/sdd1
      2  /dev/sde1
      3  /dev/sdf1

Now get the starting point of the disk directory:

$ kfed read /dev/sdc1 | grep f1b1locn
kfdhdb.f1b1locn:                     10 ; 0x0d4: 0x0000000a

This is telling us that the file directory starts at AU 10 on that disk. Now look up block 13 in AU 10 - that will be the directory entry for ASM file 13, i.e. the ASM Password Directory.

$ kfed read /dev/sdc1 aun=10 blkn=13 | egrep "au|disk" | head
kfffde[0].xptr.au:                   47 ; 0x4a0: 0x0000002f
kfffde[0].xptr.disk:                  2 ; 0x4a4: 0x0002
kfffde[1].xptr.au:                   45 ; 0x4a8: 0x0000002d
kfffde[1].xptr.disk:                  1 ; 0x4ac: 0x0001
kfffde[2].xptr.au:                   46 ; 0x4b0: 0x0000002e
kfffde[2].xptr.disk:                  3 ; 0x4b4: 0x0003
kfffde[3].xptr.au:           4294967295 ; 0x4b8: 0xffffffff
kfffde[3].xptr.disk:              65535 ; 0x4bc: 0xffff
...

The output is telling us that the ASM Password Directory is in AU 47 on disk 2 (with copies in AU 45 on disk 1, and AU 46 on disk 3). Note that the ASM Password Directory is triple mirrored, even in a normal redundancy disk group.

Now look at AU 47 on disk 2:

$ kfed read /dev/sde1 aun=47 blkn=1 | more
kfbh.endian:                          1 ; 0x000: 0x01
kfbh.hard:                          130 ; 0x001: 0x82
kfbh.type:                           29 ; 0x002: KFBTYP_PASWDDIR
...
kfzpdb.block.incarn:                  3 ; 0x000: A=1 NUMM=0x1
kfzpdb.block.frlist.number:  4294967295 ; 0x004: 0xffffffff
kfzpdb.block.frlist.incarn:           0 ; 0x008: A=0 NUMM=0x0
kfzpdb.next.number:                  15 ; 0x00c: 0x0000000f
kfzpdb.next.incarn:                   3 ; 0x010: A=1 NUMM=0x1
kfzpdb.flags:                         0 ; 0x014: 0x00000000
kfzpdb.file:                        256 ; 0x018: 0x00000100
kfzpdb.finc:                  837972683 ; 0x01c: 0x31f272cb
kfzpdb.bcount:                       15 ; 0x020: 0x0000000f
kfzpdb.size:                        512 ; 0x024: 0x00000200
...

The ASM metadata block type is KFBTYP_PASWDDIR, i.e. the ASM Password Directory. We see that it points to ASM file number 256 (kfzpdb.file=256). From the earlier asmcmd find command we already know the actual password file is ASM file 256 in disk group DATA:

$ asmcmd ls -l +DATA/ASM/PASSWORD
Type      Redund  Striped  Time             Sys  Name
PASSWORD  HIGH    COARSE   JAN 27 18:00:00  Y    pwdasm.256.837972683

Again, note that the ASM password file is triple mirrored (Redund=HIGH) even in a normal redundancy disk group.

Conclusion

Starting with ASM version 12c we can store ASM and database password files in an ASM disk group. The ASM password can be created at the time of Grid Infrastructure installation or later with the ORAPWD command. The disk group based password files are managed with ASMCMD, ORAPWD and SRVCTL commands.