This chapter describes the operating system users and groups, the user environment, and the management environment settings that you must complete before you install Oracle Database and Oracle Grid Infrastructure for a standalone server. It contains the following topics:
Depending on whether this is the first time Oracle software is being installed on your system, and on the products that you are installing, you may have to create several operating system groups and users.
If you prefer to allocate operating system user privileges so that you can use one administrative user and one group for operating system authentication for all administrative privileges, then you can use the oracle user as the installation owner, and use one group as the primary group for any user requiring administrative privileges for Oracle ASM and Oracle Database administration. This group must also be the Oracle Inventory group. To simplify using the defaults for Oracle tools, the group name should be oinstall.
You can also create custom configuration groups and users based on job role separation that divide access privileges.
Log in as root, and use the instructions in the following sections to locate or create the Oracle Inventory group and an Oracle software owner user:
Determining If the Oracle Inventory and Oracle Inventory Group Exists
Creating the Oracle Inventory Group If an Oracle Inventory Does Not Exist
Creating Job Role Separation Database Operating System Groups and Users
When you install Oracle software on the system for the first time, Oracle Universal Installer creates the oraInst.loc file. This file identifies the name of the Oracle Inventory group (typically, oinstall) and the path of the Oracle Inventory directory.
You can configure one group to be the access control group for Oracle Inventory, for database administrators (OSDBA), and for all other access control groups used by Oracle software for operating system authentication. However, if you use one group to provide operating system authentication for all system privileges, then this group must be the primary group for all users to whom you want to grant administrative system privileges.
If you have an existing central Oracle Inventory, then ensure that you use the same Oracle Inventory for all Oracle software installations, and ensure that all Oracle software users you intend to use for installation have permissions to write to this directory.
To determine if the Oracle Inventory group exists, perform the following steps:
An oraInst.loc file has content similar to the following:
inventory_loc=central_inventory_location
inst_group=group
In the preceding example, central_inventory_location is the location of the Oracle Central Inventory, and group is the name of the group that has permissions to write to the central inventory.
To determine if the oraInst.loc file exists, enter the following command:
# more /var/opt/oracle/oraInst.loc
If the oraInst.loc file exists, then the output from this command is similar to the following:
inventory_loc=/u01/app/oraInventory
inst_group=oinstall
Use the command grep groupname /etc/group to confirm that the group specified as the Oracle Inventory group still exists on the system. For example:
# grep oinstall /etc/group
oinstall:x:1000:grid,oracle
If the oraInst.loc file does not exist, then create the Oracle Inventory group by entering the following command:
# /usr/sbin/groupadd -g 54321 oinstall
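The manual checks above (read oraInst.loc, confirm the group in /etc/group, confirm the inventory directory is writable by the group) can be scripted. The following is an added example, not code from the Oracle documentation: it takes the oraInst.loc path and the group database path as parameters so it can be run against copies of the files; on a real host call check_inventory with /var/opt/oracle/oraInst.loc and /etc/group.

```sh
# Added example (not from the Oracle documentation): read oraInst.loc, check
# that the group it names still exists in the group database, and check that
# the inventory directory (if already present) is owned by that group and is
# group-writable, so that every software owner in the group can update it.
# Both paths are parameters so the function can run against constructed
# files; on a real host: check_inventory /var/opt/oracle/oraInst.loc /etc/group

check_inventory() {
    loc_file=$1
    group_file=${2:-/etc/group}

    [ -r "$loc_file" ] || { echo "no readable $loc_file" >&2; return 1; }

    # key=value lines; strip a stray carriage return in case the file was edited elsewhere
    inv_loc=$(sed -n 's/^inventory_loc=//p' "$loc_file" | tr -d '\r')
    inv_group=$(sed -n 's/^inst_group=//p' "$loc_file" | tr -d '\r')
    if [ -z "$inv_loc" ] || [ -z "$inv_group" ]; then
        echo "$loc_file does not define both inventory_loc and inst_group" >&2
        return 1
    fi

    # exact match on the group name field, not a substring match
    if ! grep -q "^${inv_group}:" "$group_file"; then
        echo "group $inv_group named in $loc_file does not exist in $group_file" >&2
        return 1
    fi

    if [ -d "$inv_loc" ]; then
        listing=$(ls -ld "$inv_loc")
        owner_group=$(printf '%s\n' "$listing" | awk '{print $4}')
        group_w=$(printf '%s\n' "$listing" | cut -c6)   # 6th mode character is the group write bit
        if [ "$owner_group" != "$inv_group" ]; then
            echo "$inv_loc is owned by group $owner_group, expected $inv_group" >&2
            return 1
        fi
        if [ "$group_w" != "w" ]; then
            echo "$inv_loc is not group-writable (chmod g+w needed)" >&2
            return 1
        fi
    fi
    echo "inventory $inv_loc with group $inv_group: OK"
}
```

The function returns non-zero on the first problem it finds, so it can gate an automated preinstallation run; the ownership check matters because a software owner whose central inventory group differs from the one that owns the directory cannot register its installation there.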
A job role separation configuration of Oracle Database and Oracle ASM is a configuration with groups and users to provide separate groups for operating system authentication.
Review the following restrictions for users created to own Oracle software:
Oracle recommends that you create one software owner to own each Oracle software installation. See "Oracle Software Owner For Each Oracle Software Product" for more information.
To create separate Oracle software owners and separate operating system privileges groups for different Oracle software installations, note that each of these users must have the Oracle central inventory group (oraInventory) as their primary group. Members of this group have write privileges to the Oracle central inventory (oraInventory) directory, and are also granted permissions for various Oracle Restart resources and directories in the Oracle Restart home to which DBAs need write access, and other necessary privileges. In Oracle documentation, this group is represented as oinstall in code examples. See "Creating the Oracle Inventory Group If an Oracle Inventory Does Not Exist".
Oracle software installation owner users must also have the OSDBA group of the database, the OSDBA group of the Oracle Grid Infrastructure home (if you create it), and (if you create them) the OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups as secondary groups. Oracle software owners require membership to the OSDBA group of the Oracle Grid infrastructure home so that database instances can log on to Oracle ASM.
The Oracle Database and the Oracle Grid Infrastructure for a standalone server installation owner users (oracle and grid respectively) must belong to the Oracle Inventory group (oinstall).
Each Oracle software owner must be a member of the same central inventory group. Oracle recommends that you do not have more than one central inventory for Oracle installations. If an Oracle software owner has a different central inventory group, then you may corrupt the central inventory.
The Oracle Grid Infrastructure for a standalone server installation owner user (grid) must be in the OSDBA group of every database home.
The following sections provide an overview about users and groups to divide access privileges by job roles:
You can create a single user (for example, oracle) to own both Oracle Database and Oracle Grid Infrastructure for a standalone server installations. However, Oracle recommends that you create one software owner to own each Oracle software installation (typically, oracle for the database software and grid for the Oracle Restart owner user).
You must create at least one software owner the first time you install Oracle software on the system.
Note:
In Oracle documentation, a user created to own only Oracle Grid Infrastructure software installations is called the grid user. A user created to own either all Oracle installations, or only Oracle Database installations, is called the oracle user.
Create the following operating system groups if you are installing Oracle Database:
The OSDBA group (typically, dba)
You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege).
The OSOPER group for Oracle Database (typically, oper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of database administrative privileges for starting up and shutting down the database (the SYSOPER privilege). This group cannot directly connect as SYSOPER, unless explicitly granted. However, they have the privileges granted by the SYSOPER privilege. By default, members of the OSDBA group have all privileges granted by the SYSOPER privilege.
Starting with Oracle Database 12c release 1 (12.1), in addition to the OSOPER privilege to start and shut down the database, you can create new administrative privileges that are more task-specific and less privileged than the OSDBA/SYSDBA system privileges, to support the specific administrative tasks required for everyday database operation. Users granted these system privileges are also authenticated through operating system group membership.
You do not have to create these specific group names, but during installation you are prompted to provide operating system groups whose members are granted access to these system privileges. You can assign the same group to provide authentication for these privileges, but Oracle recommends that you provide a unique group to designate each privilege.
The OSDBA subset job role separation privileges and groups consist of the following:
The OSBACKUPDBA group for Oracle Database (typically, backupdba)
Create this group if you want a separate group of operating system users to have a limited set of database backup and recovery related administrative privileges (the SYSBACKUP privilege).
Add the Oracle software installation owner to the OSBACKUPDBA group.
The OSDGDBA group for Oracle Data Guard (typically, dgdba)
Create this group if you want a separate group of operating system users to have a limited set of privileges to administer and monitor Oracle Data Guard (the SYSDG privilege).
Add the Oracle software installation owner to the OSDGDBA group.
The OSKMDBA group for encryption key management (typically, kmdba)
Create this group if you want a separate group of operating system users to have a limited set of privileges for encryption key management, such as Oracle Wallet Manager management (the SYSKM privilege).
If you want to have an OSKMDBA group for Oracle Database, then the Oracle software installation owner must be a member of this group.
Create the following operating system groups if you are installing Oracle Grid Infrastructure:
The OSDBA group for Oracle ASM (typically, asmdba)
The OSDBA group for Oracle ASM can be the same group used as the OSDBA group for the database, or you can create a separate OSDBA group for Oracle ASM to provide administrative access to Oracle ASM instances.
The Oracle Grid Infrastructure software owner (typically, grid) must be a member of the OSDBA group. Membership in the OSDBA group enables access to the files managed by Oracle ASM. If you have a separate OSDBA group for Oracle ASM, then the Oracle Restart software owner must be a member of the OSDBA group for each database and the OSDBA group for Oracle ASM.
The OSASM group for Oracle ASM Administration (typically, asmadmin)
Create this group as a separate group if you want to have separate administration privileges groups for Oracle ASM and Oracle Database administrators. Members of this group are granted the SYSASM system privileges to administer Oracle ASM. In Oracle documentation, the operating system group whose members are granted SYSASM privileges is called the OSASM group, and in command lines, is referred to as asmadmin.
Oracle ASM can support multiple databases. If you have multiple databases on your system, and use multiple OSDBA groups so that you can provide separate SYSDBA privileges for each database, then you should create a group whose members are granted the OSASM/SYSASM administrative privileges, and create a grid infrastructure user (grid) that does not own a database installation, so that you separate Oracle Grid Infrastructure SYSASM administrative privileges from a database administrative privileges group.
Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privileges permit mounting and dismounting of disk groups, and other storage administration tasks. SYSASM privileges provide no access privileges on an RDBMS instance.
If you do not designate a separate group as the OSASM group, then the OSDBA group you define is also, by default, the OSASM group.
The OSOPER group for Oracle ASM (typically, asmoper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle instance administrative privileges (the SYSOPER for ASM privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege.
If you want to have an OSOPER group for Oracle ASM, then the Oracle Grid Infrastructure owner must be a member of this group.
See Also:
Oracle Database Administrator's Guide for more information about the OSDBA, OSASM, OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups, and the SYSDBA, SYSASM, SYSOPER, SYSBACKUP, SYSDG, and SYSKM privileges
The "Managing Administrative Privileges" section in Oracle Database Security Guide
The following sections describe how to create the required operating system user and groups:
Creating the OSDBA Group for Oracle Automatic Storage Management
Creating the OSOPER Group for Oracle Automatic Storage Management
Creating the OSASM Group for Oracle Automatic Storage Management
Note:
After you create the required operating system groups described in this section, you must add the Oracle software owner user (typically, oracle) to these groups; otherwise, these groups will not be available as an option in Oracle Universal Installer while performing the database installation.
The UIDs and GIDs mentioned in this section are illustrative only. Oracle recommends that you do not use the UID and GID defaults. Instead, provide common assigned group and user IDs, and confirm that they are unused before you create or modify groups and users.
If necessary, contact your system administrator before using or modifying an existing user or group.
You must create an OSDBA group in the following circumstances:
An OSDBA group does not exist, for example, if this is the first installation of Oracle Database software on the system
An OSDBA group exists, but you want to give a different group of operating system users database administrative privileges for a new Oracle Database installation
Create the OSDBA group using the group name dba, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54322 dba
Create an OSOPER group only to identify a group of operating system users with a limited set of database administrative privileges (SYSOPER operator privileges). For most installations, it is sufficient to create only the OSDBA group. If you want to use an OSOPER group, then you must create it in the following circumstances:
If an OSOPER group does not exist; for example, if this is the first installation of Oracle Database software on the system
If an OSOPER group exists, but you want to give a different group of operating system users database operator privileges in a new Oracle installation
Create the OSOPER group using the group name oper, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54323 oper
Create the OSBACKUPDBA group using the group name backupdba, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54324 backupdba
Create the OSDGDBA group using the group name dgdba, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54325 dgdba
Create the OSKMDBA group using the group name kmdba, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54326 kmdba
If you require, create a new OSDBA group for Oracle ASM using the group name asmdba, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54327 asmdba
If you require, create an OSOPER group for Oracle ASM with the group name asmoper, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54328 asmoper
If you require, create an OSASM group using the group name asmadmin, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54329 asmadmin
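The Note earlier in this section says to confirm that the group names and IDs are unused before you create them. The following added example (not part of the Oracle documentation) does that preflight for the whole set of groupadd commands above: it compares a planned name:GID list against the group database and prints, for each group, whether it already exists as planned, must be created, or conflicts with an existing entry. The GIDs are the illustrative values from this chapter; the group file path is a parameter so the function can run against a copy, and on a real host you pass /etc/group.

```sh
# Added example (not Oracle tooling): check a planned set of job role
# separation groups against the group database before running groupadd.
# GIDs below are the illustrative values from this chapter; replace them
# with IDs assigned for your site.

# Planned groups, one "name:gid" per line.
ORACLE_GROUP_PLAN='oinstall:54321
dba:54322
oper:54323
backupdba:54324
dgdba:54325
kmdba:54326
asmdba:54327
asmoper:54328
asmadmin:54329'

# plan_groups GROUP_FILE [PLAN]
# Prints one line per planned group:
#   OK       name exists with the planned GID
#   CREATE   name and GID are free; the groupadd command to run is printed
#   CONFLICT name exists with another GID, or the GID belongs to another group
# Returns 1 if any conflict was found, so it can gate a scripted install.
plan_groups() {
    group_file=$1
    plan=${2:-$ORACLE_GROUP_PLAN}
    rc=0
    # here-document rather than a pipe so that rc survives the loop
    while IFS=: read -r name gid; do
        [ -n "$name" ] || continue
        have_gid=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$group_file")
        have_name=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$group_file")
        if [ "$have_gid" = "$gid" ]; then
            echo "OK       $name ($gid) already exists"
        elif [ -n "$have_gid" ]; then
            echo "CONFLICT $name exists with GID $have_gid, plan says $gid"
            rc=1
        elif [ -n "$have_name" ]; then
            echo "CONFLICT GID $gid is already used by group $have_name"
            rc=1
        else
            echo "CREATE   /usr/sbin/groupadd -g $gid $name"
        fi
    done <<EOF
$plan
EOF
    return $rc
}
```

Running plan_groups /etc/group on a host where oinstall already exists from an earlier installation reports it as OK and prints only the groupadd commands still needed; a CONFLICT line means the planned GID or name must be changed before any group is created, because creating the group with a clashing ID would silently merge privileges with an unrelated group.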
Depending on whether you want to create a new user, or use an existing user, see the following sections:
If an Oracle software owner user does not exist; for example, if this is the first installation of Oracle software on the system.
If an Oracle software owner user exists, but you want to use a different operating system user, with different group membership, to give database administrative privileges to those groups in a new Oracle Database installation.
If you have created an Oracle software owner for Oracle Grid Infrastructure, such as grid, and you want to create a separate Oracle software owner for Oracle Database software, such as oracle.
To determine if an Oracle software owner user named oracle or grid exists, enter commands similar to the following:
# id -a oracle
# id grid
If the oracle user exists, then the output from this command is similar to the following:
uid=54321(oracle) gid=54321(oinstall) groups=54322(dba),54323(oper)
If the grid user exists, then the output from this command is similar to the following:
uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),54329(asmadmin),54327(asmdba),54322(dba)
Determine whether you want to use an existing user, or create a new user. To use the existing user, ensure that the user's primary group is the Oracle Inventory group and that it is a member of the appropriate OSDBA and OSOPER groups. Depending on your choice, see one of the following sections for more information:
Note:
If necessary, contact your system administrator before using or modifying an existing user.
If the Oracle software owner user (oracle or grid) does not exist, or if you require a new Oracle software owner user, then create it as described in this section (in this case, to create the oracle user).
In the following procedure, use the user name oracle unless a user with that name exists:
To create an oracle user, enter a command similar to the following:
# /usr/sbin/useradd -u 54321 -g oinstall -G dba,asmdba,backupdba,dgdba,kmdba oracle
In the preceding command:
The -u option specifies the user ID. Using this command flag is optional because the system can provide you with an automatically generated user ID number. However, Oracle recommends that you specify a number. You must note the user ID number because you need it during preinstallation.
The -g option specifies the primary group, which must be the Oracle Inventory group, for example oinstall.
The -G option specifies the secondary groups, which must include the OSDBA group, and, if required, the ASMDBA, OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups, for example, dba, asmdba, oper, backupdba, dgdba, and kmdba.
Set the password of the oracle user:
# passwd -r files oracle
If the oracle user exists, but its primary group is not oinstall, or it is not a member of the appropriate OSDBA, OSOPER, or OSDBA for ASM groups, then modify the user group settings for the user oracle.
Specify the primary group using the -g option and any required secondary group using the -G option:
# /usr/sbin/usermod -g oinstall -G dba,asmdba,backupdba,dgdba,kmdba[,oper] oracle
Oracle does not support modifying an existing installation owner. See "About Oracle Installations with Job Role Separation" for a complete list of restrictions.
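The two checks this section asks for on an existing account (primary group is the Oracle Inventory group; the required OSDBA and other groups are present as secondary groups) can be made against the output of id shown above. The following is an added example, not from the Oracle documentation: the id output is passed in as a string so the function can be run on captured output, and on a live host you call it as check_owner "$(id oracle)" oinstall dba asmdba backupdba dgdba kmdba. The group lists are the ones this chapter uses; adjust them to the groups you actually created.

```sh
# Added example (not from the Oracle documentation): verify an existing
# software owner account from the output of "id <user>" (or "id -a <user>").
#
# check_owner ID_OUTPUT PRIMARY_GROUP REQUIRED_SECONDARY_GROUP...
# Returns 0 when the account meets the requirements, 1 otherwise, naming each
# problem on stderr together with the usermod option that fixes it.
check_owner() {
    id_out=$1
    want_primary=$2
    shift 2

    # "gid=54321(oinstall)" -> oinstall
    primary=$(printf '%s\n' "$id_out" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p')

    # "groups=54322(dba),54323(oper)" -> one group name per line; anything after
    # a space (for example a SELinux context on Linux) is ignored
    members=$(printf '%s\n' "$id_out" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\([^)]*\))$/\1/')

    rc=0
    if [ "$primary" != "$want_primary" ]; then
        echo "primary group is '$primary', must be $want_primary (usermod -g $want_primary)" >&2
        rc=1
    fi
    missing=""
    for g in "$@"; do
        if ! printf '%s\n' "$members" | grep -qx "$g"; then
            missing="$missing${missing:+,}$g"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing secondary group(s): $missing (add with usermod -G)" >&2
        rc=1
    fi
    return $rc
}
```

Note that usermod -G replaces the whole secondary group list rather than adding to it, which is why the message reports all missing groups together: the corrected command must list the existing groups as well as the missing ones, as the usermod example above does.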
If you are on a remote terminal, and the local system has only one visual (which is typical), then use the following syntax to set your user account DISPLAY environment variable:
Bourne, Korn, and Bash shells:
$ export DISPLAY=hostname:0
C shell:
$ setenv DISPLAY hostname:0
For example, if you are using the Bash shell and your host name is local_host, then enter the following command:
$ export DISPLAY=local_host:0
To ensure that X11 forwarding does not cause the installation to fail, create a user-level SSH client configuration file for the Oracle software owner user, as follows:
Using any text editor, edit or create the software installation owner's ~/.ssh/config file.
Ensure that the ForwardX11 attribute in the ~/.ssh/config file is set to no. For example:
Host *
    ForwardX11 no
Ensure that the permissions on the ~/.ssh directory are secured to the oracle or grid user. For example:
$ ls -al .ssh
total 28
drwx------  2 oracle oinstall 4096 Jun 21 2012 .
drwx------ 19 oracle oinstall 4096 Jun 21 2012 ..
-rw-r--r--  1 oracle oinstall 1202 Jun 21 2012 authorized_keys
-rwx------  1 oracle oinstall  668 Jun 21 2012 id_dsa
-rwx------  1 oracle oinstall  601 Jun 21 2012 id_dsa.pub
-rwx------  1 oracle oinstall 1610 Jun 21 2012 known_hosts
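The steps above (set ForwardX11 no in ~/.ssh/config and keep ~/.ssh private to the software owner) as an added example, not from the Oracle documentation. It is meant to be run as the oracle or grid user, never as root, so the files stay owned by that user; the directory is a parameter (default $HOME/.ssh) so the function can be exercised on a scratch directory. Because ssh uses the first value it finds for a keyword, an existing ForwardX11 directive is rewritten in place rather than shadowed by appending a second one.

```sh
# Added example (not from the Oracle documentation): turn off X11 forwarding
# in the software owner's SSH client configuration and tighten the modes of
# ~/.ssh, its config file and any private keys. Run as the oracle or grid
# user. Argument: the .ssh directory (default $HOME/.ssh).

# harden_ssh_client [SSH_DIR]
harden_ssh_client() {
    ssh_dir=${1:-$HOME/.ssh}
    cfg=$ssh_dir/config
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"     # only the owner may list or traverse the directory

    # ssh keywords are case-insensitive and the first value found wins, so an
    # existing directive (in any stanza) is rewritten rather than appended to.
    if [ -f "$cfg" ] && grep -qi '^[ 	]*ForwardX11[ 	]' "$cfg"; then
        awk 'tolower($1) == "forwardx11" {
                 match($0, /^[ \t]*/)
                 $0 = substr($0, 1, RLENGTH) "ForwardX11 no"
             }
             { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Host *\n    ForwardX11 no\n' >> "$cfg"
    fi
    chmod 600 "$cfg"

    # ssh refuses private keys that are readable by other users
    for f in "$ssh_dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done

    ssh_x11_setting "$cfg"
}

# ssh_x11_setting CONFIG
# Prints the effective ForwardX11 value (the first directive, as ssh would
# read it) or "unset" when the file has none.
ssh_x11_setting() {
    [ -f "$1" ] || { echo unset; return; }
    awk 'tolower($1) == "forwardx11" && !seen { print tolower($2); seen = 1 }
         END { if (!seen) print "unset" }' "$1"
}
```

After running harden_ssh_client, ls -al ~/.ssh should show the directory, config and private keys with owner-only modes, which is the state the listing above illustrates.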
Note:
If you are installing additional Oracle Database 12c products in an existing Oracle home, then stop all processes, including the listener and database, running in the Oracle home. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries.
Consider the following before you install Oracle Grid Infrastructure for a standalone server, or Oracle Database:
If you plan to use Oracle Restart, then you must install Oracle Grid Infrastructure for a standalone server before you install and create the database. When you perform a database installation, the database must use the same listener created during the Oracle Grid Infrastructure for a standalone server installation, thereafter you do not have to perform the steps listed in this section.
The default listener and any additional listeners must run from the Oracle Grid Infrastructure home. See "Configuring Oracle Software Owner Environment" to continue.
If you have an existing Oracle Database 12c running on Oracle ASM, then stop any existing Oracle ASM instances. After you finish installing Oracle Grid Infrastructure for a standalone server, start the Oracle ASM instance again.
If you create a database during the software installation, then most installation types configure and start a default Oracle Net listener using TCP/IP port 1521 and the IPC key value EXTPROC. If an existing Oracle Net listener process is using the same port or key value, Oracle Universal Installer looks for the next available port (for example, 1522) and configures and starts the new listener on this available port.
To determine if an existing listener process is running and to shut it down, if necessary:
Switch user to oracle:
# su - oracle
Enter the following command to determine if a listener process is running and to identify its name and the Oracle home directory in which it is installed:
$ ps -ef | grep tnslsnr
This command displays information about the Oracle Net listeners running on the system:
... oracle_home1/bin/tnslsnr LISTENER -inherit
In this example, oracle_home1 is the Oracle home directory where the listener is installed and LISTENER is the listener name.
Note:
If no Oracle Net listeners are running, then see "Configuring Oracle Software Owner Environment" to continue.
Set the ORACLE_HOME environment variable to specify the appropriate Oracle home directory for the listener:
Bourne, Bash, or Korn shell:
$ ORACLE_HOME=oracle_home1
$ export ORACLE_HOME
C or tcsh shell:
% setenv ORACLE_HOME oracle_home1
Enter the following command to identify the TCP/IP port number and IPC key value that the listener is using:
$ $ORACLE_HOME/bin/lsnrctl status listenername
Note:
If the listener uses the default name LISTENER, then you do not have to specify the listener name in this command.
Enter a command similar to the following to stop the listener process:
$ $ORACLE_HOME/bin/lsnrctl stop listenername
Repeat this procedure to stop all listeners running on this system.
You must run Oracle Universal Installer from the oracle or grid account. However, before you start Oracle Universal Installer, you must configure the environment of the oracle or grid user. To configure the environment, you must:
Caution:
Use shell programs supported by your operating system vendor. If you use a shell program that is not supported by your operating system, then you can encounter errors during installation.
To set the Oracle software owners' environments, follow these steps for each software owner (oracle, grid). The following procedure lists the steps for the oracle user only:
Start a new X terminal session (xterm).
Enter the following command to ensure that X Window applications can display on this system:
$ xhost + RemoteHost
where RemoteHost is the fully qualified remote host name. For example:
$ xhost + somehost.example.com
If you are not logged in as the user, then switch to the software owner user you are configuring. For example, as the oracle user:
$ su - oracle
To determine the default shell for the oracle user, enter the following command:
$ echo $SHELL
Open the user's shell startup file in any text editor:
Bash shell (bash):
$ vi .bash_profile
Bourne shell (sh) or Korn shell (ksh):
$ vi .profile
C shell (csh or tcsh):
% vi .login
Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:
umask 022
Save the file and exit from the text editor.
To run the shell startup script, enter one of the following commands:
Bash shell:
$ . ./.bash_profile
Bourne or Korn shell:
$ . ./.profile
C shell:
% source ./.login
If you are not installing the software on the local computer, then run the following command on the remote computer to set the DISPLAY variable:
Bourne, Bash or Korn shell:
$ export DISPLAY=local_host:0.0
C shell:
% setenv DISPLAY local_host:0.0
In this example, local_host is the host name or IP address of the system (your workstation, or another client) on which you want to display the installer.
Run the following commands on the remote system to check if the SHELL and the DISPLAY environment variables are set correctly:
$ echo $SHELL
$ echo $DISPLAY
To change the display location from the default display to a remote system display, run the following command on the local computer:
$ xhost + RemoteHost
To verify that the X applications display is set properly, run an X11-based program that comes with the operating system, such as xclock:
$ xclock
Note:
xclock is not included as part of the default Oracle Solaris installation. xclock is located in /usr/bin/xclock after you install the x11/xclock package.
If the DISPLAY environment variable is set correctly, then you can see xclock on your computer screen. If you get any display errors, see "X Window Display Errors". If xclock does not start, then contact your system administrator.
If the /tmp directory has less than 1 GB of free disk space, then identify a file system with at least 1 GB of free space and set the TMP and TMPDIR environment variables to specify a temporary directory on this file system:
To determine the free disk space on each mounted file system use the following command:
# df -k /tmp
If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:
$ sudo -s
# mkdir /mount_point/tmp
# chmod 775 /mount_point/tmp
# exit
Enter commands similar to the following to set the TMP and TMPDIR environment variables:
Bourne, Bash, or Korn shell:
$ TMP=/mount_point/tmp
$ TMPDIR=/mount_point/tmp
$ export TMP TMPDIR
C shell:
% setenv TMP /mount_point/tmp
% setenv TMPDIR /mount_point/tmp
If you have had an existing installation on your system, and you are using the same user account to install this installation, then unset the ORACLE_HOME, ORACLE_BASE, ORACLE_SID, and TNS_ADMIN environment variables and any other environment variable set for the Oracle installation user that is connected with Oracle software homes.
Enter the following commands to ensure that the ORACLE_HOME, ORACLE_BASE, ORACLE_SID, and TNS_ADMIN environment variables are not set:
Bourne, Bash, or Korn shell:
$ unset ORACLE_HOME
$ unset ORACLE_BASE
$ unset ORACLE_SID
$ unset TNS_ADMIN
C shell:
% unsetenv ORACLE_HOME
% unsetenv ORACLE_BASE
% unsetenv ORACLE_SID
% unsetenv TNS_ADMIN
Use the following command to check the PATH environment variable:
$ echo $PATH
Ensure that the $ORACLE_HOME/bin path is removed from your PATH environment variable.
Note:
If the ORACLE_HOME environment variable is set, then Oracle Universal Installer uses the value that it specifies as the default path for the Oracle home directory. If you set the ORACLE_BASE environment variable, then Oracle recommends that you unset the ORACLE_HOME environment variable and choose the default path suggested by Oracle Universal Installer.
To verify that the environment has been set correctly, enter the following commands:
$ umask
$ env | more
Verify that the umask command displays a value of 22, 022, or 0022, and that the environment variables you set in this section have the correct values.
During an Oracle Grid Infrastructure installation, Oracle Universal Installer prompts you to run scripts with superuser (or root) privileges to complete several system configuration tasks. You can either run these root scripts manually as root when prompted, or during installation you can provide configuration information and passwords using one of the following root privilege delegation options:
Use root user credentials
Provide the superuser (or root) password. This option runs the root scripts automatically as the root user.
Use Sudo
Sudo is a UNIX and Linux utility that allows users listed in the sudoers file to run individual commands as root. To enable Sudo, have a system administrator with the appropriate privileges configure a user that is a member of the sudoers list, and provide the username and password when prompted during installation.
See Also:
Step 9, "Root Script Execution Configuration" screen in the "Installing Oracle Grid Infrastructure for a Standalone Server with a New Database Installation" section.