Category Archives: Security

Update: AVDF installation fails on HP server with Smart Array

A couple of days ago I’ve wrote about some problems when installing Oracle Audit Vault and Database Firewall 12.1.2 on HP server with Smart Array Disk Controller. The problem is still not resolved, but in the meantime Oracle has open a Bug and added some Metalink Notes related to this issue.

  • AVDF 12.1.1 Installation Fails On HP server with Smart Array Disk Controller [1587742.1]
  • Unable To Install AVDF Server With HP Smart Array [1680134.1]
  • AVDF installation ISO [1680961.1]
  • Bug 18940816 AVDF SERVER FAILS TO INSTALL ON HP DL380 GEN8 WITH CCISS!C0D0 ERROR

The contents of MOS note 1680134.1 and 1680961.1 are certainly known to the regular readers of OraDBA. The workaround and procedure are the same as I’ve posted a couple of days ago. Oracle created MOS notes based on my blog post AVDF installation fails on HP server with Smart Array Disk Controller and AVDF installation ISO. In this case, my posts are somehow useful. 🙂 The Bug mentioned above is unfortunately not publicly available. I’ll provide more information as soon as it is available.

AVDF installation fails on HP server with Smart Array Disk Controller

I’ve successfully set up a couple of AVDF installation on different VM Server as well on HP Blade or Rack servers. On the VM server I never had any problems. For the installation of AVDF 12.1.1.x on HP servers BL465c Gen8 or DL380p Gen8, there were always warnings during partitioning of the disks. So far it was never an issue to just continue the installation. With AVDF 12.1.2 this has changed. On some HP servers with smart array disk controller the installation fails because of problems with the drivers respectively device names.

Earlier installation of AVDF like 12.1.1.3.0 simply complained about not enough space.

AVDF_12.1.1.3.0_setup02

OK, 0GB is a bit less for setting up an AVDF Server :-), nevertheless ignoring the error still worked. AVDF 12.1.1.2 as well AVDF 12.1.1.3 could be successfully setup using the cciss Driver for HP Smart Array. As of AVDF 12.1.2 the error is not that friendly any more.

AVDF_12.1.2.0.0_setup02

The title of the error “Error Parsing Kickstart Config” indicates that there is an issue at an early stage of the system setup. It is worth having a deeper look into the kickstart configuration file. The kickstart file can be found in the initrd.img image on the AVDF installation ISO. See AVDF installation ISO for how to extract the kickstart file.

In the kickstart file we can see at line 62, that a pre-script is executed to create the partition commands. This pre-script is a python script which does create a temporary file (/tmp/partition-include) with the partition commands based on the available disks. The partition command itself is then included at line 36.

35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
########## Partition the disk ##############
%include /tmp/partition-include

# Create logical volume group - this is where all volumes will reside
volgroup vg_root pv.01
# Now create the volumes, a.k.a logical partitions. The data partions (/var/lib/oracle) is grown
# up to the specified size. The rest of the FS is left unallocated.
#
# You must make changes to ruby_lib/dbfw/dbfw_fstab.rb if you change the FS specification.
#
logvol swap --fstype swap --vgname=vg_root --size=4096 --name=lv_swap
logvol / --fstype ext3 --fsoptions="noatime" --vgname=vg_root --size=7000 --name=lv_root
logvol /images --fstype ext3 --fsoptions="noexec,nodev,nosuid,noatime" --vgname=vg_root --size=15000 --name=lv_images
logvol /usr/local/dbfw --fstype ext3 --fsoptions="noatime" --vgname=vg_root --size=1000 --name=lv_local_dbfw
logvol /usr/local/dbfw/tmp --fstype ext3 --fsoptions="noexec,nodev,nosuid,noatime" --vgname=vg_root --size=9000 --name=lv_local_dbfw_tmp
logvol /home --fstype ext3 --fsoptions="noexec,nodev,nosuid,noatime" --vgname=vg_root --size=1000 --name=lv_home
logvol /tmp --fstype ext3 --fsoptions="nodev,nosuid,noatime" --vgname=vg_root --size=2000 --name=lv_tmp
logvol /var/log --fstype ext3 --fsoptions="noexec,nodev,nosuid,noatime" --vgname=vg_root --size=6000 --name=lv_var_log
logvol /var/tmp --fstype ext3 --fsoptions="noexec,nodev,nosuid,noatime" --vgname=vg_root --size=6000 --name=lv_var_tmp
logvol /var/www --fstype ext3 --fsoptions="nodev,nosuid,noatime" --vgname=vg_root --size=1000 --name=lv_var_www
logvol /var/www/tmp --fstype ext3 --fsoptions="nodev,nosuid,noatime" --vgname=vg_root --size=1000 --name=lv_var_www_tmp
logvol /var/lib/oracle --fstype ext3 --fsoptions="noatime" --vgname=vg_root --size=20000 --name=lv_oracle
logvol /var/dbfw --fstype ext3 --fsoptions="noatime" --vgname=vg_root --size=10000 --name=lv_var_dbfw

# Tasks performed before installation
%pre

python /kickstart/partitions.py 2> /tmp/partitions_error
if [ $? -ne 0 ]; then
DISKERROR=$(/bin/cat /tmp/partitions_error)
fi

Having a look into the file /tmp/partition-include reveals the wrong partition command which leads to the error mentioned earlier. As you can see below the disks are specified with –ondisk=cciss!c0d0 rather than –ondisk=cciss/c0d0. The python script which builds the partition commands, has issues with the device names. Actually, for an HP smart array disk, the corresponding driver should be loaded so that the devices are visible as sd*. The root cause could be the missing driver or an error in the python script. I’ve opened a service request with oracle Support for further analysis.
AVDF_12.1.2.0.0_setup04

Workarounds

For the moment I just see the following two workarounds.

  • First install and configure AVDF 12.1.1.3 and perform an upgrade to AVDF 12.1.2.
  • Install AVDF 12.1.2 with an alternative kickstart file respectively partition commands

The first workaround is straightforward. It just takes a bit more time. For the second workaround you may create a new AVDF ISO image, but this is way to complex. It is much simpler to manually specify the boot options and provide an alternative kickstart file on an internal web server. The kickstart file is the same as for the regular AVDF 12.1.2 installation, it just has a fixed partition section. For that I have taken the partitioning commands from the file /tmp/partition-include and removed the –ondisk parameter. I’ll provide my kickstart file as an example for download. But do not use it directly the partitioning section must be adapted to your environment.
Action plan for the workaround:

  1. Create an alternative kickstart file with correct partition commands for your environment
  2. Put the kickstart file on a Webserver which is accessible by the AVDF Server
  3. Boot from AVDF 12.1.2 ISO image with custom boot parameter

My custom boot option did look like the following command. The IP address is the address of my web server.

vmlinuz noipv6 initrd=initrd.img ramdisk_size=8192 ks=http://192.128.1.40/avdf.cfg

Conclusion

This problem is quite annoying, especially if you have already done the installation on another physical or virtual servers several times. The workaround is basically simple. With a bit enhanced Linux knowledge and a web server, one has quickly created an installation with an alternative kickstart file. Nevertheless I highly recommend to open a service request with Oracle when you have similar issues with your hardware during the setup of a productive AVDF 12.1.2 environment.

References

Further information on this topic.

Audit Vault and Database Firewall 12.1.2

Oracle has just released a new Release of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle’s Software Delivery Cloud. It look’s like Oracle added a bunch of Enterprise-Grade Features like iSCSI SAN Disk, NFS Storage as well as SYSLOG integration. Starting with this Release, the Audit Vault Repository is again protected by Database Vault.

The installation / update is done in the same manner as the other versions AVDF. Download the ISO, reboot the AVDF server and initiate an upgrade. But be carefully to not initiate an installation. This would erase your system and data.

A bit unusual that the ISO image was split into two parts. They have to be merged prior to use.

  1. Unzip Images avs-installer-disc-12.1.2.0.0.iso00, avs-installer-disc-12.1.2.0.0.iso01
  2. Combine the two files to create a single .iso

Combine the two files to create a single .iso on Windows:

copy /b avs-installer-disc-12.1.2.0.0.iso00+avs-installer-disc-12.1.2.0.0.iso01
avs-installer-disc-12.1.2.0.0.iso

Combine the two files to create a single .iso on Linux:

cat avs-installer-disc-12.1.2.0.0.iso00 \
avs-installer-disc-12.1.2.0.0.iso01 > avs-installer-disc-12.1.2.0.0.iso

Oracle Audit Vault and Database Firewall 12.1.2 New Features

According to the Release Notes, the following features are available as of 12.1.2:

  • Configure the Audit Vault Server to use an external iSCSI SAN server to store the audit event repository and system data
  • The Audit Vault Agent is updated automatically when the Audit Vault Server is upgraded or a patch is applied
  • Store archive data in a Network File Share (NFS) location
  • Entitlement reports include data specific to Oracle Database 12c
  • Database Vault is automatically enabled and configured in the Oracle Database embedded in the Audit Vault Server. This further strengthens security by restricting privileged access to the Oracle Database for all users including those with administrative access
  • Password hashing has been upgraded to a more secure standard. Change your passwords after upgrade to take advantage of the more secure hash
  • The Audit Vault Agent deployment procedure has been simplified. Registering a host in the Audit Vault Server automatically generates an Agent activation key, and therefore, the step requesting Agent activation is no longer required
  • Adding and updating a secured target location has been simplified in the Audit Vault Server administrator console UI
  • Define policy alerts to be forwarded to syslog
  • Download diagnostics log files from the Audit Vault Server UI
  • The Audit Vault Agent is supported on 32-bit Linux and Windows platforms
  • Oracle Database 9i is supported for Database Firewall
  • MySQL 5.6 is supported on the Database Firewall
  • Migration Path to Migrate Oracle Audit Vault 10.3 to AVDF 12.1.2. See MOS Note 1666742.1

References

Some links related to this post.

As soon as the download of the images is done, I’ll start to test the new release on my test AVDF Server. So stay tuned…

Update: Oracle and OpenSSL ‘Heartbleed’ vulnerability

While writing a post about the new Critical Patch Advisory I’ve discovered, that Oracle made the Information about the OpenSSL Vulnerability publicly available. The information in MOS Note 1645479.1 has been moved to OpenSSL Security Bug – Heartbleed CVE-2014-0160.

Until now it looks like that Oracle Databases are not affected since they do not use OpenSSL. On the other hand products like Oracle Wallet Manager and EM Base Platform are still under investigation. We’ll know more once Oracle has completed its investigations.

Oracle released CPU / PSU April 2014

As announced last week in my post Oracle CPU / PSU Pre-Release Announcement April 2014, Oracle has now released the Critical Patch Updates for April 2014. Overall this CPU contains 104 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database it contains only 2 security fixes, whereas one of the fixes has a very high CVSS rating. But this only affects installations on Windows. On these platform it is recommended to install the patch bundle as soon as possible. Nevertheless it is certainly advisable to install the patches on Unix/Linux-based systems

As somehow expectable, Oracle did not add any information about the OpenSSL issue to it’s current Critical Patch Advisory. I assume this is because the vulnerability was announced a few days ago. As discussed in my post Oracle and OpenSSL ‘Heartbleed’ vulnerability, Oracle is tracking information about this issue in MOS Note 1645479.1 OpenSSL Security Bug-Heartbleed.

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 15 July 2014
  • 14 October 2014
  • 20 January 2015
  • 14 April 2015

References

As usual there are a bunch of links and MOS Notes around the critical patch update available:

  • Oracle Critical Patch Update Advisory – April 2014
  • Patch Set Update and Critical Patch Update April 2014 Availability Document [1618213.1]
  • Oracle Critical Patch Update April 2014 Documentation Map [1637289.1]
  • Critical Patch Update April 2014 Database Known Issues [1615881.1]
  • Critical Patch April 2014 Database Patch Security Vulnerability Molecule Mapping [1615882.1]
  • Critical Patch Update April 2014 Oracle Fusion Middleware Known Issues [1618208.1]
  • Oracle Critical Patch Updates and Security Alerts on OTN

Oracle and OpenSSL ‘Heartbleed’ vulnerability

Earlier this week the OpenSSL Project as well US-CERT informed about a Security Vulnerability in OpenSSL. See OpenSSL Security Advisory or US-CERT Alert (TA14-098A) The vulnerability may affect Oracle Products as well, since some of them do use OpenSSL. So far Oracle did not provide dedicate information on it’s public Critical Patch Updates and Security Alerts web page. But there is a MOS Note 1645479.1 OpenSSL Security Bug-Heartbleed, which contains a list of affected products. It seems to get regularly updated. Nevertheless you have to open a service request to get information on possible workarounds or get a patch.

Fortunately not all products always use the latest versions. Thus, in Oracle Audit Vault and Database Firewall still OpenSSL 0.9.8 in use.

[support@melete ~]$ openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

References

Some links related to the OpenSSL Heartbleed issues.

Oracle CPU / PSU Pre-Release Announcement April 2014

Today Oracle has published the Pre-Release Announcement of the CPU Advisory for April 2014. This Critical Patch Update contains 103 new security vulnerability fixes for several Oracle products. There are only a few days since the publication of the vulnerability CVE-2014-0160 known as “Heartbleed”. Therefore I assume, that this patch update does not yet address the corresponding vulnerability.

Nevertheless it seems that it contains bug fix for some major security issues. From the Oracle database point of view it is a small update. There are only two security bug fix for the Oracle Database Server and no for client-only installations. But one of the vulnerabilities does have a CVSS rating of 8.5 and affects the Core RDBMS. The vulnerabilities of Oracle Java SE are even higher and rated with a 10.0 out of 10.0.

We will see all the details next Tuesday when Oracle is officially releasing official Critical Patch Update for April 2014. Next week I’ll have a closer look and do some test installations.

More details about the patch will follow soon on the Oracle Security Pages.