How to Install Oracle 19c Client on CIS Hardened Red Hat Image

Reading Time: 6 minutes

The Center for Internet Security (CIS) produces many security-hardened images that embed several security features into a standardized build. Using such features introduces a few gotchas, especially when installing any Oracle product.

This procedure will explain preparing a CIS hardened image to install in the Oracle database client using X11 forwarding. It will explain how to prep the environment, set local environment variables, and a step-by-step guide to installing Oracle 19c Client using XQuartz. I will be using AWS to demonstrate the process.

Step 1 – Launch a CIS Image from the AWS Marketplace

Log into your AWS account and navigate to the CIS hardened Linux image of your choice. In this demo I will be using this exact image:

Once booted it’s recommended to run a yum update.

yum update -y

Step 2 – Create a 100GB EBS Volume

In the AWS console, browse to EC2 > Storage and create a 100GB GP2 disk. This must be attached to the instance created in Step 1

Step 3 – Attach and Format the partitions in Linux

Ensure you are logged in as root.

On AWS you log in as ec2-user first using the .pem file you created at Launching the Instance in step 1.

Switch to the root user by typing:

sudo su - 

As root, you must complete the following tasks.

  • Locate the EBS volume you attached in Step 2
[[email protected] ~]# lsblk
nvme0n1     259:2    0  100G  0 disk
├─nvme0n1p1 259:3    0    1M  0 part
└─nvme0n1p2 259:4    0  100G  0 part /
nvme1n1     259:0    0   20G  0 disk
nvme2n1     259:1    0  100G  0 disk 

From this example, you can see my instance has a 20GB root volume, a 100GB volume, and another 100GB EBS volume called nvme2n1

  • Create a mount point
sudo mkdir /oracle
  • Check to make sure no filesystem already exists
file -s /dev/nvme2n1
  • Create an XFS filesystem on the EBS volume
mkfs -t xfs /dev/nvme2n1
  • Make the filesystem persistent by adding it to /etc/fstab
UUID="<my-uuid>" /oracle               xfs defaults,nofail
  • Reboot the instance to test or type sudo mount -a

Step 4 – Create a SwapFile

Oracle requires a swapfile to install, I’m not really sure why, but this is a pre-requisite, if this step is missed the installer will not launch.

In this example, I have created a swap file that is 1GB in size. It is located on the first 100GB partition that comes with the AMI.

  • Check if you already have a swap file using the free -m command:
[[email protected] ~]#  free -m
              total        used        free      shared  buff/cache   available
Mem:          31633         734       28680        1080        2218       29488
Swap:         0              0         0
  • Create a 1GB swap file
sudo dd if=/dev/zero of=/swap_file bs=1GB count=1
chmod 600 /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
swapon -s
  • Add the following to the fstab to make changes persistent at reboot
sudo vi /etc/fstab
  • Add this entry to the new line
/swapfile swap swap defaults 0 0

Step 5 – Expand tempfs

Oracle requires over 412MB tempfs to install the client, which is even more for the full versions of the Oracle database. The easiest way to do this is to extend your tempfs from fstab.

Add this line to your /etc/fstab

tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1G 0 0

Step 6 – Prep Local System Environment

We recommend adding system environment variables to streamline the oracle installation process. You must also set your TMPDIR to an alternative location because CIS hardened images do not allow the execution of files in /tmp

  • Edit /etc/environment

Note: As you can see I have also added environmental variables for HVR, I will be using this to offload data from Oracle to AWS RDS. These variables are not needed if you have no intention of using HVR.

  • Create a symbolic link to the new temp folder. I will be offloading my /tmp to /opt/tmp. This is to prevent installation failures caused by CIS hardening
sudo ln -s /tmp /opt/tmp

Step 7 – Prep X11 Forwarding

The Oracle installer for Red Hat requires X11 forwarding to install oracle from a GUI. This is a pain in the ass but its something that needs to be done.

  • Edit your ssh_config to allow X11 forwarding by adding or amending these parameters.

Host *
	GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
	ForwardX11Trusted yes
# Send locale-related environment variables
  • Install the following packages
sudo yum install xclock libX* xdpyinfo unzip -y
  • Test X11 forwarding by running xclock. Simply type xclock and you should see:
Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image

If you experience any issues you will need to troubleshoot the problem. X11 is fussy and often the hardest thing to get working.

Step 8 – Prep X11 forwarding via a Jumpbox (SSH tunneling) [Optional]

There is a good chance that you can access your AWS instances via a jump box or bastion host. If that is the case, you need to prep X11 and use SSH tunneling to relay the output to your local X11 client.

Make sure you have an X11 client installed locally. I use xQuartz for mac.

  • SSH to the environment jump box:
ssh -XYA <ip address>
  • SSH to server
ssh -XYA <server ip address>
  • You now have to copy the .Xauthority file to a temp directory:
mkdir /tmp/$(whoami) 
cp .Xauthority /tmp/$(whoami) 
chmod 755 /tmp/$(whoami)/.Xauthority 

$(whoami) will input your Linux username

echo $DISPLAY will show you the display port to use later

  • Connect as the oracle user –
sudo su - oracle

Change to the user home directory and then cp the .Xauthority file:

cd ~ 
cp /tmp/[YOUR USERNAME]/.Xauthority . (don’t forget the '.') 
export DISPLAY=<your display port eg. localhost:10.0>

Step 9 – Install Oracle 19c Client

Now everything is prepped and you can install the oracle client. Make sure you are logged in as the oracle user.

Navigate to $ORACLE_HOME


Ensure that $ORACLE_HOME is owned by the Oracle user

sudo chown oracle:oracle -R .

Download the Oracle 19c Client from here.

The easiest way to get the file onto the server is by uploading it to an S3 bucket and then using the AWS CLI to copy it to the local file system.

aws s3 cp s3://<my-s3-bucket>/<my-prefix>/ .

Ensure TMP is set

export TMP=/opt/tmp/

Now install Oracle

sh $ORACLE_HOME/client/runInstaller

This should spin up an X11 Installer for Oracle

Starting Oracle Universal Installer...

Checking Temp space: must be greater than 415 MB.   Actual 78182 MB    Passed
Checking swap space: must be greater than 150 MB.   Actual 16383 MB    Passed
Checking monitor: must be configured to display at least 256 colors.    Actual 16777216    Passed
Preparing to launch Oracle Universal Installer from /opt/tmp/OraInstall2022-06-20_02-13-34PM. Please wait ...

Step 10 – Install Oracle via the installation GUI

Here is the step-by-step guide

  • Select Administrator as the type of installation, click Next
Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image
  • set the oracle base to /oracle/app/oracle
  • set software location to /oracle/app/oracle/product/19.0.0/client_1
Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image
  • Set Inventory Directory to /oracle/app/orainventory
  • Ensure the group is set to oinstall
Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image
  • Check if your settings are correct and click install
Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image
  • The installation will take a few minutes
Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image
  • Execute the local scripts as requested in the pop out window
Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image
  • Open a new terminal window on the server and log in as root
  • Navigate to /oracle/app/orainventory
  • run the command sh
[[email protected] ~]# cd /oracle/app/oraInventory/
[[email protected] oraInventory]# sh
Changing permissions of /oracle/app/oraInventory.
Adding read,write permissions for group.
Removing read,write,execute permissions for world.

Changing groupname of /oracle/app/oraInventory to oinstall.
The execution of the script is complete.
[[email protected] oraInventory]#

Go back to the installer and click OK

That’s it, Oracle 19c Client is installed

Oracle, How to Install Oracle 19c Client on CIS Hardened Red Hat Image

Oracle 19c client is now installed. I’m sure you agree that this seems overly complicated and I really hope that the oracle addresses the complexity of the installation process in the future.

As always, please like, comment and share.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *