Tag Archives: 12.1.0.1.0

Oracle 12c new password verify function

Even with Oracle Database 12c, the quality of database passwords is not enforced by default. A password verify function with the corresponding password resource limits has to be developed individually. As a basis, one can use the script utlpwdmg.sql to set up the default password resource limits. The script is provided by Oracle and is used to update the default profile. It has been updated for Oracle Database 12c, but it still does not run automatically when a database is created. The 12c DBCA lacks a flag or radio button to select something like the extended standard security settings known from 11g.

New Password Resource Limits

Without modification, utlpwdmg.sql updates the profile DEFAULT, which is the default profile for all users. The following limits are the same as in Oracle Database 11g, except for a different password verify function.

| Resource Name | Limit | Description |
|---|---|---|
| PASSWORD_LIFE_TIME | 180 | Sets the number of days the user can use his current password. |
| PASSWORD_GRACE_TIME | 7 | Sets the number of days that a user has to change his password before it expires. |
| PASSWORD_REUSE_TIME | UNLIMITED | Sets the number of days before which a password cannot be reused. |
| PASSWORD_REUSE_MAX | UNLIMITED | Sets the number of password changes required before the current password can be reused. |
| FAILED_LOGIN_ATTEMPTS | 10 | Specify the number of failed attempts to log in to the user account before the account is locked. |
| PASSWORD_LOCK_TIME | 1 | Specify the number of days an account will be locked after the specified number of consecutive failed login attempts. |
| PASSWORD_VERIFY_FUNCTION | ora12c_verify_function | PL/SQL password complexity verification function to enforce password complexity. |
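
To check which of these limits actually apply to each account, the effective values can be read from the data dictionary. The queries below are an added example, not part of utlpwdmg.sql or of the original post; they use the standard views DBA_USERS and DBA_PROFILES and assume a user with access to them.

```sql
-- Added example: effective password limits for every open account.
-- A LIMIT of 'DEFAULT' in a profile means "inherit from profile DEFAULT",
-- so it is resolved against the DEFAULT profile's own row.
SELECT u.username,
       u.profile,
       p.resource_name,
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_type = 'PASSWORD'
JOIN   dba_profiles d
       ON  d.profile = 'DEFAULT'
       AND d.resource_name = p.resource_name
WHERE  u.account_status = 'OPEN'
ORDER  BY u.username, p.resource_name;

-- Open accounts whose effective PASSWORD_VERIFY_FUNCTION is not set.
-- DBA_PROFILES reports an unset verify function as the string 'NULL'.
SELECT u.username,
       u.profile
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
JOIN   dba_profiles d
       ON  d.profile = 'DEFAULT'
       AND d.resource_name = 'PASSWORD_VERIFY_FUNCTION'
WHERE  u.account_status = 'OPEN'
AND    DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'NULL'
ORDER  BY u.username;
```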

The comments in the script list other password resource limits. Recommendations from the Center for Internet Security (CIS Oracle 11g):

| Resource Name | Limit |
|---|---|
| PASSWORD_LIFE_TIME | 90 |
| PASSWORD_GRACE_TIME | 3 |
| PASSWORD_REUSE_TIME | 365 |
| PASSWORD_REUSE_MAX | 20 |
| FAILED_LOGIN_ATTEMPTS | 3 |
| PASSWORD_LOCK_TIME | 1 |
| PASSWORD_VERIFY_FUNCTION | ora12c_verify_function |

Recommendations from Department of Defense Database Security Technical Implementation Guide (STIG v8R1).

| Resource Name | Limit |
|---|---|
| PASSWORD_LIFE_TIME | 60 |
| PASSWORD_REUSE_TIME | 365 |
| PASSWORD_REUSE_MAX | 5 |
| FAILED_LOGIN_ATTEMPTS | 3 |
| PASSWORD_VERIFY_FUNCTION | ora12c_strong_verify_function |

New Functions

The functions have been cleaned up by Oracle. As before, there are the two functions verify_function (10g) and verify_function_11G (11g). New in 12c are four more functions: ora12c_verify_function and ora12c_strong_verify_function, plus the two helper functions complexity_check and string_distance.

string_distance

This function calculates the Levenshtein distance between two strings ‘s’ and ‘t’ or, put more simply, how much two strings differ from each other. The Levenshtein algorithm was already used in the old verify_function_11G. It is now a function of its own, so it is easier to use in custom password verify functions.

    differ := string_distance(old_password, password);

complexity_check

This function verifies the complexity of a password string. Besides the password string, it accepts a few values that describe the required complexity. Nothing fundamentally new, but it makes it a bit easier to define custom password verify functions.

  • chars – All characters (i.e. string length)
  • letter – Alphabetic characters A-Z and a-z
  • upper – Uppercase letters A-Z
  • lower – Lowercase letters a-z
  • digit – Numeric characters 0-9
  • special – All characters not in A-Z, a-z, 0-9 except DOUBLE QUOTE which is a password delimiter

Verify if the password has at least 8 characters, 1 letter and 1 digit.

    IF NOT complexity_check(password, chars => 8, letter => 1, digit => 1) THEN
      RETURN(FALSE);
    END IF;

Verify if the password has at least 9 characters, 2 uppercase and 2 lowercase characters, 2 digits and 2 special characters.

    IF NOT complexity_check(password, chars => 9, upper => 2, lower => 2,
                            digit => 2, special => 2) THEN
      RETURN(FALSE);
    END IF;

ora12c_verify_function

This function is the new 12c password verify function. It enforces a similar, or rather slightly stronger, password complexity than verify_function_11G. verify_function_11G just checked for DB_NAME or ORACLE with 1 to 100 appended, e.g. oracle1 or oracle83. With the new function, DB_NAME or ORACLE may not be part of the password at all. The following is verified:

  • Password at least 8 characters
  • at least 1 letter
  • at least 1 digit
  • must not contain database name
  • must not contain user name or reverse user name
  • must not contain oracle
  • must not be too simple like welcome1
  • password must differ by at least 3 characters from the old password

ora12c_strong_verify_function

This function is provided to give stronger password complexity. It considers the recommendations of the Department of Defense Database Security Technical Implementation Guide (STIG) with the following limits.

  • Password at least 9 characters
  • at least 2 capital letters
  • at least 2 small letters
  • at least 2 digits
  • at least 2 special characters
  • password must differ by at least 4 characters from the old password

Conclusion

Oracle Database 12c brings a slightly enhanced utlpwdmg.sql script which can be adapted to custom requirements much more easily. Nevertheless, a DBA has to define a password verify function himself or run utlpwdmg.sql. Oracle does not enforce password quality by default. It is recommended to define different profiles for different user groups, e.g. DBA, App Users, Schema Owner etc., and to use a password verify function as well. The examples in utlpwdmg.sql can and must be adapted to fulfill minimal security requirements.
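
A custom verify function and a dedicated profile for one user group, built from the two helper functions described above. This is an added example, not code from utlpwdmg.sql or the original post; the names app_verify_function, app_user_profile and app_user, the thresholds in the function and the error numbers and messages are assumptions, while the profile limits are the CIS values listed earlier. It has to be run as SYS after utlpwdmg.sql has created complexity_check and string_distance.

```sql
-- Added example. app_verify_function, app_user_profile and app_user are
-- hypothetical names; error numbers and messages are constructed.
CREATE OR REPLACE FUNCTION app_verify_function
  (username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)
RETURN BOOLEAN IS
  differ INTEGER;
BEGIN
  -- Length and character classes via the 12c helper function
  IF NOT complexity_check(password, chars => 10, upper => 1, lower => 1,
                          digit => 1, special => 1) THEN
    RETURN(FALSE);
  END IF;

  -- Reject passwords that contain the user name (case-insensitive)
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20901, 'Password contains the user name');
  END IF;

  -- old_password is NULL when a privileged user sets the password,
  -- so the distance check only runs when the old value is known
  IF old_password IS NOT NULL THEN
    differ := string_distance(old_password, password);
    IF differ < 4 THEN
      raise_application_error(-20902,
        'Password must differ from the old password by at least 4 characters');
    END IF;
  END IF;

  RETURN(TRUE);
END;
/

-- utlpwdmg.sql grants execute on its own verify functions in the same way
GRANT EXECUTE ON app_verify_function TO PUBLIC;

-- Profile for application users with the CIS limits from the table above
CREATE PROFILE app_user_profile LIMIT
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      3
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       20
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       1
  PASSWORD_VERIFY_FUNCTION app_verify_function;

-- The limits only take effect for users assigned to the profile
ALTER USER app_user PROFILE app_user_profile;
```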

Oracle 12c New Security Features

I’ve just uploaded the slides for my lecture Oracle 12c new security features, as I had promised in my previous posts. (See also DOAG 2013 Datenbank or DOAG SIG Security). The slides are a consolidation of my presentations on the New Security Features in the latest generation of Oracle Database and do not reflect 1:1 the slides at the different events.

Yet a short summary of new security features

  • Oracle Data Redaction, Advanced Security feature to prevent display of sensitive data.
  • Support for Secure Hash Algorithm SHA-2 for DBMS_CRYPTO and the password hash.
  • New unified auditing and audit policies.
  • Privilege Analysis, to analyse who is using which privileges and clean up authorization.
  • New administration privileges like SYSBACKUP, SYSDG and SYSKM to reduce the dependence on SYSDBA and improve separation of duty.
  • Database Vault persistent protections, DB Vault no longer depends on executables.

There is much more on security alone. The full list of new features is available in the New Features Guide 12c Release 1 (12.1). It has been a long time since a release brought so many security innovations. So let’s discuss the good, the bad and the mad….

If you plan to take a training have a look at the Trivadis Oracle Database 12c Techno Circle.

Oracle Database 12c

Oracle still hasn’t officially announced the new Oracle Database 12c release. But since the OTN database overview has been changed to 12c, I guess it is now somehow official. As rumors hinted, one of the main innovations is pluggable databases, now named multitenant. Other important new features and products are:

  • Adaptive Execution Plans
  • Application Continuity
  • Automatic Data Optimization (ADO)
  • Data Guard Far Sync
  • Data Redaction
  • Global Data Services
  • Heat Map
  • Multitenant (Pluggable Databases)
  • Pattern Matching
  • SQL Translation Framework

The full list of new features is available in the New Features Guide 12c Release 1 (12.1)

I’ve already had the chance to look into the New Security Features. (See also DOAG 2013 Datenbank or DOAG SIG Security) Therefore I’ll post more details on New Security Features in the next days and weeks. If you already plan to take a training have a look at the Trivadis Oracle Database 12c Techno Circle. Or are you already planning an upgrade? Then it is worth having a look at Mike Dietrich’s Upgrade, Migrate and Consolidate to Oracle Database 12c slides.

References and Links

Some of the links are currently just partially available. It looks like Oracle is updating different links respectively references.

Howto change SYSMAN password in 12C Cloud Control

I was on leave for the past few weeks. After digging through tons of e-mails I finally found time to look into EM 12 Cloud Control. Unfortunately, I’ve forgotten my SYSMAN password and the EM 12c test installation is no longer running. As you say: “Holidays where one forgets everything, must be good holidays.”

So far so good, but what about my problems? Let’s start with EM 12c, which is not running. I started the VM from scratch. After logging in over ssh I realized that the EM 12c infrastructure is running. To my surprise the installer configured the start / stop script gcstartup in /etc/init.d and the corresponding rc directories. The script has existed since EM 10g but I’ve never used it. Unfortunately nobody created the start / stop script for the database and the listener. After starting them manually I just have to bounce EM 12c to be up and ready again. It is not enough to just start the database. Restarting or starting the OMS is also necessary because the OMS is not started when the database is not available during the startup of EM 12c. Oracle described this in the MOS Note EM Cloud Control 12c OMS not able to start after server reboot [1367876.1]

My second problem is quite a common issue. You’ll find some notes on how to change the SYSMAN password for EM 10g/11g, DB Console and now also for EM 12c. Basically it is done in a similar way as in EM 11g. It is just a little easier because it is not necessary to do the change in two steps. You may use emctl to change the SYSMAN password for the OMS infrastructure as well as for the database account. That’s also why you can specify the SYS password when using emctl.

  1. Stop all OMS: emctl stop oms
  2. Change the password: emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd <sys user password> -new_pwd <new sysman password>
  3. Stop the Admin server and restart all OMS: emctl stop oms -all; emctl start oms

An example output:

    emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd manager -new_pwd tiger
    Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
    Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
    Changing passwords in backend ...
    Passwords changed in backend successfully.
    Updating repository password in Credential Store...
    Successfully updated Repository password in Credential Store.
    Restart all the OMSs using 'emctl stop oms -all' and 'emctl start oms'.
    Successfully changed repository password.

More information on these topics can be found in the following MOS notes:

  • 12C Cloud Control: Steps to Modify the SYSMAN Password at OMS and Repository [1365930.1]
  • How to Change the Password of SYSMAN User in 10g and 11g Grid Control? [270516.1]
  • EM Cloud Control 12c OMS not able to start after server reboot [1367876.1]

2nd Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

This is the second update to my post on Howto install Oracle Enterprise Manager Cloud Control 12c Release 1 and therefore also to Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1. OK, no more technical details, but I just found a few more MOS Notes related to EM 12c. The interesting part is mentioned in the first note. Oracle planned to release EM12c for Solaris SPARC as well as Solaris x86 later this year.

  • Release Schedule of Current Enterprise Manager Releases and Patch Sets [793512.1]
  • How to Install Enterprise Manager Cloud Control Agent 12.1.0.1 (12c) using the RPM Method? [1363031.1]

Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

In the past few days Oracle has released a bunch of MOS Notes about Enterprise Manager Cloud Control 12c. If you plan an installation it is worthwhile to take a look inside. I have updated my initial post Howto install Oracle Enterprise Manager Cloud Control 12c Release 1 with a list of Oracle documentation and MOS Notes, or just check out the notes below:

  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c) [1359176.1]
  • EM12c: How to install Enterprise Manager Cloud Control 12c Agent [1360183.1]
  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Method [1364002.1]
  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Silent Install Method with Response File [ID 1364025.1]
  • FAQ: Enterprise Manager Cloud Control 12c Install / Upgrade Frequently Asked Questions [1363863.1]
  • Enterprise Manager Cloud Control 12c Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1363779.1]
  • Enterprise Manager Cloud Control 12c Agent Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1367301.1]

Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

Requirements

First of all, let’s start with the requirements. Which OS and database are supported for the OMS, Agent and repository database? The documentation is a bit thin on this topic (Oracle® Enterprise Manager Cloud Control Release Notes Prerequisites) and refers to the Metalink Certification Matrix.

Supported OS for the OMS and Agent are currently only the following Linux x86-64:

  • Oracle Linux 5 Update 2+
  • Asianux 3
  • Red Hat Enterprise Linux 5 Update Level 2+
  • SLES 11

Details about the required packages are available in the Oracle® Enterprise Manager Cloud Control Basic Installation Guide Package Requirements for Oracle Management Service.

The OMS repository is currently certified with the following database release:

  • Oracle 11.2.0.3.0 (somehow not yet or not anymore in the MOS certification matrix)
  • Oracle 11.2.0.2.0
  • Oracle 11.2.0.1.0
  • Oracle 11.1.0.7.0
  • Oracle 10.2.0.5.0

The Prerequisites of chapter 6 Installing Enterprise Manager System in Oracle® Enterprise Manager Cloud Control Basic Installation Guide list a few one-off patches when using an 11.2.0.1.0 database. In general I would anyway recommend using the latest release as well as the latest PSU.

The minimal hardware requirements for the OMS are a bit higher than in earlier releases. The table is just copied from Oracle® Enterprise Manager Cloud Control Basic Installation Guide Meeting Hardware Requirements.

|  | Small | Medium | Large |
|---|---|---|---|
|  | 1 OMS, <=1000 targets, <100 agents | 2 OMSes for <=10,000 targets and <1000 agents | >2 OMSes, >=10,000 targets, >=1000 agents |
| CPU Cores/Host | 2 | 4 | 8 |
| RAM | 4 GB | 6 GB | 8 GB |
| RAM with ADP, JVMD | 6 GB | 10 GB | 14 GB |
| Oracle WebLogic Server JVM Heap Size | 512 MB | 1 GB | 2 GB |
| Hard Disk Space | 7 GB | 7 GB | 7 GB |
| Hard Disk Space with ADP, JVMD | 10 GB | 12 GB | 14 GB |

Test Environment

To test Enterprise Manager Cloud Control I decided to use, as usual, a VM on my notebook. This means that the repository DB, OMS and Agent run in a single VM. Based on the requirements above I ended up with the following setup.

Hardware/VM Configuration:

  • VMWare Fusion 4.0.2
  • 2 cores
  • 4 GB RAM
  • 4 VM disks, not pre-allocated (20GB root, 4GB swap, 2*20GB data and software)
  • 1 Network Interface

OS Configuration:

  • Oracle Enterprise Linux x86-64bit 5 update 6
  • OS has been setup through kickstart with these additional packages. Full KS file is attached to the blog post
  • oracle-validated, kernel-headers, sysstat, setarch, rng-utils
  • Kernel parameter should be set by oracle-validated

Repository Database:

  • Oracle Enterprise Edition 11.2.0.3.0
  • Database Components JVM, XDB, Multimedia (could probably be stripped down)
  • Init.ora parameter dedicated to EM12C:
    • SGA_TARGET=2G
    • SHARED_POOL_SIZE=600M
    • PGA_AGGREGATE_TARGET=1G
    • PROCESSES=300
    • JOB_QUEUE_PROCESSES=20
    • SESSION_CACHED_CURSORS=300
    • MEMORY_TARGET => should not be used

Software

Next to the operating system and database software you need only the two zip files (em12_linux64_disk1of2.zip, em12_linux64_disk2of2.zip) from OTN to install EM12C. It is no longer necessary to search for patches, WLS or JDKs and download them. The software package for EM12C includes everything you need to install the OMS and Agents.

Installation

Now that the test environment and repository database are ready, let’s start the installation. According to the presentation Oracle Enterprise Manager 12.1 – Cloud Control Upgrade it should be much easier. However, the setup starts as usual with runInstaller.

./runInstaller

The installer starts as usual with the welcome screen and the optional question for an e-mail account to get informed about updates and security issues. The color layout of the dialog boxes has changed slightly. Otherwise, business as usual.
EM12c Dialog 1

On the second screen you may specify your MOS credentials to instantly download the latest updates. Just hope that there are not yet any ;-)
EM12c Dialog 2

In the third step the installer checks the system prerequisites. Failed steps can be fixed and retested or just ignored. Because I’ve installed the RPM oracle_validated, all dependent packages are installed and some kernel parameters are adjusted.
EM12c Dialog 3

On the third step you have to specify the installation type and location of the middleware. For my test case I just select simple installation and /u00/app/oracle/product/middleware as the middleware home.
EM12c Dialog 4

The WLS Administrator credentials and the repository connection details have to be specified on the fifth screen.
EM12c Dialog 5

Right after you press next, the installer connects to the repository database and checks if the database can be used as EM repository. First it checks if there is a default CBO stats gathering job. You may let the installer fix this by pressing yes.
EM12c Dialog 5a

Second, it checks the database configuration parameters and space settings. The issues reported here do not have to be fixed immediately. The adjustments can be done after the installation of EM. In my first installation I had a few more failing prerequisites. Since I set the init.ora parameters according to the section above, only three are left. I’ll fix all three of them after the installation. OK, the redo size of 300M on my test VM I will just ignore.
EM12c Dialog 5b

Screen six sums up all information provided so far before the installation starts.
EM12c Dialog 7

The installation itself is presented in a nice new way. For each installation step there is a direct link to its log file.
EM12c Dialog 7a

If something fails, you can immediately verify the issue by clicking the link to the log. As soon as you have fixed the issue, you can rerun the failed step. In my case the VM ran out of memory (physical and swap) and the OMS could not be started.
EM12c Dialog 7b

I’ve extended the swap space up to 4G and restarted the step.
EM12c Dialog 7c

Done…. The last screen of the installation displays the link information for the EM Cloud Control Console and the Administration URL. All information is also available in the file setupinfo.txt.
EM12c Dialog 8

First impression

Connecting to the EM console for the first time allows you to select your preferred EM Home page based on your role. E.g. there is one for EM Administrators which looks quite similar to the old home page. Other home pages immediately display information important to a Database Administrator, WLS Administrator, Support personnel or others.

As a first step I’ve added a DB Target to get more information displayed in my EM. I’ve just run a bit out of time, that’s why I don’t yet have more screen shots to display. I’ll provide a few more later.

Round up

Altogether the installation of EM Cloud Control 12c is much easier than installing one of the earlier releases. Oracle finally packed everything together in one software package and one installer. I do not have to care anymore about the right JDK or WLS version. They are just installed. The side effect of this is that on the OS everything is also installed in the same place. Where in 10g and 11g separate directories were used for OMS and agent, they are now below the middleware directory. This is not really an issue, you only need to adjust any scripts and environment variables.

Apart from the simple installation procedure, I also like the small improvements while checking the prerequisites. Things which have to be fixed can be fixed immediately. Others, which are required to run the OMS, but not to finish the installation, can be fixed afterwards.

The only drawback I see after my first short tests is the quite high CPU and memory needs. For a regular system, this is not really a problem. But for a road warrior where all testing is done on a notebook, a VM with 4-6GB is quite an issue.

References

A collection of links to MOS Notes and Oracle documentation about Enterprise Manager Cloud Control 12c (12.1.0.1.0):

  • Oracle Technology Network Oracle Enterprise Manager 12c
  • Enterprise Manager Cloud Control Documentation 12c Release 1 (12.1)
  • MOS Note: How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c) [1359176.1]
  • MOS Note: EM12c: How to install Enterprise Manager Cloud Control 12c Agent [1360183.1]
  • MOS Note: How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Method [1364002.1]
  • MOS Note: How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Silent Install Method with Response File [ID 1364025.1]
  • MOS Note: FAQ: Enterprise Manager Cloud Control 12c Install / Upgrade Frequently Asked Questions [1363863.1]
  • MOS Note: Enterprise Manager Cloud Control 12c Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1363779.1]
  • MOS Note: Enterprise Manager Cloud Control 12c Agent Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1367301.1]