6.19.4 Deploying Oracle Exadata Using Enhanced Storage Server Security

Use enhanced storage server security to adopt the most secure posture during initial system deployment.

Starting with Oracle Exadata System Software release 26.1.0, you can implement enhanced storage server security features during initial system deployment on Oracle Exadata system hardware with RoCE Network Fabric (X8M-2 and later systems).

Use the following sequence of steps:

  1. Immediately after imaging the Exadata storage servers, change the passwords for the celladmin and cellmonitor OS user accounts.

    For each user, ensure you use the same password across all of the Exadata storage servers.

  2. Optionally, disable root SSH access on the Exadata storage servers.

    Run the following CellCLI command on each storage server:

    CellCLI> ALTER CELL accessLevelPerm=remoteLoginEnabledRootLoginDisabled

  3. On the server running the OEDA deployment script (install.sh), run the genPasswordHash.sh command and set the password for celladmin.

    Run the following command and specify the celladmin password when prompted:

    # ./genPasswordHash.sh -celladmin
    Enter celladmin password::******
    Re-enter celladmin password:*****

    See also Using the OEDA genPasswordHash Utility.

  4. Alter the Exadata XML configuration file (es.xml) to instruct OEDA to perform system deployment operations on the storage servers using the celladmin OS user account instead of root.

    Use the following OEDA Command Line Utility (OEDACLI) commands to alter the XML configuration file:

    oedacli> LOAD FILE NAME=es.xml
    oedacli> ALTER PROPERTY name=USE_CELLADMIN_USER value=true
    oedacli> SAVE ACTION
    oedacli> MERGE ACTIONS
    oedacli> SAVE FILE

  5. Perform the initial deployment using the OEDA deployment script (install.sh).

    During system deployment, OEDA performs operations on the storage servers using the celladmin OS user account. The deployment result is exactly the same whether OEDA uses celladmin or root. However, disabling root SSH access and deploying as celladmin guards against malicious activity during deployment.

    See also Configuring Oracle Exadata Database Machine Using OEDA.

  6. After initial system deployment, perform routine storage server administration tasks using the celladmin and cellmonitor OS user accounts. You can optionally configure SSH equivalence for celladmin and cellmonitor to enable passwordless SSH access.

    If root access is absolutely required, you can temporarily allow remote login by setting the cell accessLevelTemp attribute. For example, the following command enables remote login for 30 minutes, starting at the specified time:

    CellCLI> ALTER CELL accessLevelTemp=((accessLevel="remoteLoginEnabled", -
             startTime="2026-06-20T01:01:00-07:00",              -
             duration="30m"))

    Root access should otherwise remain disabled to maintain a strong security posture.
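
The following added example (not Oracle code) audits the setting from step 2 across all storage servers, for sites that chose to disable root SSH access. It assumes one "host: value" line per cell, collected with a command such as the dcli call in the comment; the cell_group file, the host names, and the sample output are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle code): audit the persistent access level of each cell.
# Assumed input: one "host: value" line per storage server, collected with e.g.
#   dcli -g cell_group -l celladmin "cellcli -e list cell attributes accessLevelPerm"
# where cell_group is a hypothetical file naming the storage servers.

EXPECTED_LEVEL="remoteLoginEnabledRootLoginDisabled"

# audit_access_level "host1 host2 ..." < collected_output
# Prints sorted findings; returns 0 only if every listed host reports EXPECTED_LEVEL.
audit_access_level() {
    aal_findings=$(awk -v want="$EXPECTED_LEVEL" -v hosts="$1" '
        NF >= 2 {                      # "host: value" line
            host = $1
            sub(/:$/, "", host)
            level[host] = $2
        }
        END {
            n = split(hosts, expected, " ")
            for (i = 1; i <= n; i++) {
                h = expected[i]
                if (!(h in level))         print "MISSING " h
                else if (level[h] != want) print "NONCOMPLIANT " h " " level[h]
            }
        }
    ')
    if [ -n "$aal_findings" ]; then
        printf '%s\n' "$aal_findings" | sort
        return 1
    fi
    return 0
}

# Constructed sample output (hypothetical host names), not captured from a real system.
sample_output() {
    printf '%s\n' \
        'exa01cel01:   remoteLoginEnabledRootLoginDisabled' \
        'exa01cel02:   remoteLoginEnabled' \
        'exa01cel03:   remoteLoginEnabledRootLoginDisabled'
}

# Demo: exa01cel04 is expected but absent from the sample, so it is reported too.
sample_output | audit_access_level "exa01cel01 exa01cel02 exa01cel03 exa01cel04" \
    || echo "audit failed: see the findings above"
```

A cell reported as MISSING did not answer the collection command, so its access level is unknown rather than compliant.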