Tag Archives: 12c

Oracle 12 Release 2 Documentation available

Oracle just released the documentation for Oracle 12c Release 2. It seems that most of the new security features are available as discussed in my presentation at DOAG SIG Security in Düsseldorf on the 18th of october. See docs.oracle.com for the documentation bookshelf.

Yet a short summary of new security features

Encryption

  • TDE Tablespace Live Conversion
  • Fully Encrypted Database
  • Support for ARIA, SEED, and GOST Encryption Algorithms in TDE
  • TDE Tablespace Offline Conversion

Enforcing Application Security in the Database

  • RAS Session Privilege Scoping
  • RAS Column Privilege Enhancements
  • RAS Schema Level Policy Administration
  • RAS Integration with OLS

Improving Security Manageability, Administration, and Integration

  • Oracle Virtual Private Database Predicate Audit
  • Oracle Database Vault Policy
  • Oracle Database Vault Simulation Mode Protection
  • Oracle Database Vault Common Realms and Command Rules for Oracle Multitenant
  • Privilege Analysis Enhancements
  • Privilege Analysis Results Comparison
  • Redaction: Different Data Redaction Policy Expressions
  • Redaction: New Functions Allowed in Data Redaction Policy Expressions
  • Redaction: Additional Data Redaction Transformations
  • Automatic KDC Discovery When Configuring OCI Clients
  • Automatic Provisioning of Kerberos Keytab for Oracle Databases
  • Role-Based Conditional Auditing
  • Inherit Remote Privileges

Improving Security Posture of the Database

  • SYSRAC – Separation of Duty for Administering Real Application Clusters
  • Transparent Sensitive Data Protection Feature Integration
  • Requiring Strong Password Verifiers by Default

Improving User Authentication and Management

  • Automatic Locking of Inactive User Accounts

Modernizing Network Authentication and Encryption

  • Kerberos-Based Authentication for Direct NFS

There is much more just on security. The full list of new features is available in the New Features Guide 12c Release 2 (12.2). In particular the new features for TDE are worth, having a closer look. So let’s discuss the good, the bad and the mad….

If you plan to take a training have a look at the Trivadis Training. We will announce a Trivadis Oracle Database 12c Release 2 Techno Circle as soon as the software for 12c Release 2 is officially released.

Oracle database binaries with perl

Perl and Oracle has not always an easy past. Depending on the OS type and Oracle Version it can be quite nerve racking to compile DBI and DBD::Oracle. In addition to DBD::Oracle there are also other binary Perl modules that are not so easy to compile. On operating systems such as Microsoft Windows it is necessary to invest a little more effort to compile Perl. Alternatively one can use precompiled packages like Active Perl or Strawberry Perl. But this is basically not necessary at all if Oracle is already installed. Since Oracle 10g Perl is part of the Oracle binaries for the client and Database server. Oracle does use it for various tools itself. This allows it to easily create and execute custom perl scripts even on an Oracle Client installation. I do this regularly when I create Oracle Database security reviews. Instead of manually collecting all sorts of information, I’m running a few Perl scripts. This also works if I only have access to an Oracle client installation.

Available Perl Versions

Consequently, the different Oracle versions contains different versions of Perl. With the latest Oracle Database 12c Release 1 it just got update.

  • Oracle 10g Release 2 contains Perl 5.8.3
  • Oracle 10g Release 2 contains Perl 5.10.0
  • Oracle 12c Release 1 contains Perl 5.14.1

As you see this are not realy the latest stable version of Perl. The following Picture show’s the latest release for each branch of Perl.

LatestPerlReleases

Depending on what you want to do with Perl, this is generally not a problem. Nevertheless, it is useful to check what is supported in the corresponding release or not.

With perldoc you’ll get all kind of perl documentation. For instance the user contributed perl modules aka additional perl modules

$ORACLE_HOME/perl/bin/perldoc perllocal

With corelist you’ll get information on core perl modules perl.

$ORACLE_HOME/perl/bin/corelist -a utf8

utf8 was first released with perl 5.006
5.006 undef
5.006001 undef
5.006002 undef
5.007003 1.00
5.008 1.00
5.008001 1.02
5.008002 1.02
5.008003 1.02
5.008004 1.03
5.008005 1.04
5.008006 1.04
5.008007 1.05
5.008008 1.06
5.009 1.02
5.009001 1.02
5.009002 1.04
5.009003 1.06
5.009004 1.06
5.009005 1.07
5.01 1.07

Restrictions

But before you start to develop your big perl applications be aware, that you shouldn’t relay on it. According to the Oracle Metalink Note 342754.1 You should not use it for your own applications.

Note:- Perl and other 3rd party tools such as the Sun JRE are provided in the ORACLE_HOME for Oracle tool usage only. PERL libraries which are part of the Oracle RDBMS CD (Client / Database) are not meant for PERL custom application development, but they are used by various Oracle tools that are shipped along with Oracle RDBMS software such as EM DB Console etc.,

Using it for just a bunch of admin and reports scripts it shouldn’t be a big issues. Especially because you save quite some time when you not have to install Perl and DBD::Oracle yourself.

How tu use it

A few example how to use it will follow later on…

References

Some links related to this post.

  • Perl Source Readme on CPAN with information on the latest version on each branch of Perl
  • DBI – Database independent interface for Perl
  • DBD::Oracle Oracle database driver for the DBI module
  • Oracle Support of PHP, Perl, DBD/DBI and other 3rd party products [342754.1]
  • Active Perl from ActiveState
  • Strawberry Perl

Oracle 12c new password verify function

Even with Oracle Database 12c, the quality of the database passwords is not enforced by default. A password verify function with the corresponding password resource limits has to be developed individually. As a basis one can use the script  utlpwdmg.sql to setup the default password resource limits. The script is provided by Oracle and is used to update the default profile. It has been updated for Oracle Database 12c, but it still does not run automatically when creating a database. The 12c DBCA is missing a flag or a radio button to select something like extended standard security settings as this was known from 11g.

New Password Resource Limits

Without modification,  utlpwdmg.sql updates the profile DEFAULT, which is the default profile for all users. The following limits are the same as of Oracle Database 11g except a different password verify function.

Resource Name Limit Description
PASSWORD_LIFE_TIME 180 Sets the number of days the user can use his current password.
PASSWORD_GRACE_TIME 7 Sets the number of days that a user has to change his password before it expires.
PASSWORD_REUSE_TIME UNLIMITED Sets the number of days before which a password cannot be reused.
PASSWORD_REUSE_MAX UNLIMITED Sets the number of password changes required before the current password can be reused.
FAILED_LOGIN_ATTEMPTS 10 Specify the number of failed attempts to log in to the user account before the account is locked.
PASSWORD_LOCK_TIME 1 Specify the number of days an account will be locked after the specified number of consecutive failed login attempts.
PASSWORD_VERIFY_FUNCTION ora12c_verify_function PL/SQL password complexity verification function to enforce password complexity.

In the comment of the script you find other password resource limits. Recommendations from Center for Internet Security (CIS Oracle 11g).

Resource Name Limit
PASSWORD_LIFE_TIME 90
PASSWORD_GRACE_TIME 3
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 20
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION ora12c_verify_function

Recommendations from Department of Defense Database Security Technical Implementation Guide (STIG v8R1).

Resource Name Limit
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 5
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function

New Functions

The function has been cleaned up by Oracle. As before, there are the two functions verify_function (10g) and verify_function_11G (11g). New there are four more functions for 12c, ora12c_verify_function and ora12c_strong_verify_function and two helper functions complexity_check and string_distance.

string_distance

This function calculates the Levenshtein distance between two strings ‘s’ and ‘t’ or a bit simpler how much do two strings differ from each other. The Levenshtein algorithms has already be used in the old verify_function_11G. It is now just a function for itself to be easier used in custom password verify functions.

differ := string_distance(old_password, password);

complexity_check

This function verifies the complexity of a password string. Beside the password string it accepts a few value to describe the complexity. Nothing basically new but it makes it a bit easier to define custom password verify functions.

  • chars – All characters (i.e. string length)
  • letter – Alphabetic characters A-Z and a-z
  • upper – Uppercase letters A-Z
  • lower – Lowercase letters a-z
  • digit – Numeric characters 0-9
  • special – All characters not in A-Z, a-z, 0-9 except DOUBLE QUOTE which is a password delimiter

Verify if the password has at least 8 characters, 1 letter and 1 digit.

    IF NOT complexity_check(password, chars => 8, letter => 1, digit => 1) THEN
      RETURN(FALSE);
    END IF;

Verify if the password has at least 9 characters, 2 upper/lower case character, 2 digits and 2 special characters.

   IF NOT complexity_check(password, chars => 9, UPPER => 2, LOWER => 2,
                           digit => 2, special => 2) THEN
      RETURN(FALSE);
   END IF;

ora12c_verify_function

This function is the new 12c password verify function. It enforce a similar respectively slightly stronger password complexity as verify_function_11G. verify_function_11G just checked for DB_NAME or ORACLE with 1 to 100 attached. e.g. oracle1 or oracle83. With the new function DB_NAME or ORACLE may not be part of the password at all. The following is verified

  • Password at least 8 characters
  • at least 1 letters
  • at least 1 digits
  • must not contain database name
  • must not contain user name or reverse user name
  • must not contain oracle
  • must not be too simple like welcome1
  • password must differ by at least 3 characters from the old password

ora12c_strong_verify_function

This function is provided to give stronger password complexity. It considers recommendations of the Department of Defense Database (STIG) with the following limits.

  • Password at least 9 characters
  • at least 2 capital letters
  • at least 2 small letters
  • at least 2 digits
  • at least 2 special characters
  • password must differ by at least 4 characters from the old password

References

Links all around Critical Patch Update:

Conclusion

Oracle Database 12c brings a slightly enhanced  utlpwdmg.sql script which can much easier be adapted to custom requirements. Nevertheless a DBA has to define a password verify function himself or run  utlpwdmg.sql. Oracle does not enforce passwords by default. It is recommended to define different profiles for different user groups e.g. DBA, App Users, Schema Owner etc. and to use as well a password verify function. The examples in  utlpwdmg.sql can and must be adapted to fulfill minimal security requirements.

Oracle 12c New Security Features

I’ve just uploaded the slides for my lecture Oracle 12c new security features, as I had promised this in my previous posts. (See also DOAG 2013 Datenbank or DOAG SIG Security). The slides is a consolidation of my presentations on the New Security Features in latest generation of Oracle Database and does no reflect 1:1 the slides at the different events.

Yet a short summary of new security features

  • Oracle Data Redaction, Advanced Security feature to prevent display of sensitive data.
  • Support for Secure Hash Algorithm SHA-2 for DBMS_CRYPTO and the password hash.
  • New unified auditing and audit policies.
  • Privilege Analysis, to analyse who is using which privileges and clean up authorization.
  • New administration privileges like SYSBACKUP, SYSDG and SYSKM to reduce the dependence on SYSDBA and improve separation of duty.
  • Database Vault persistent protections, DB Vault does not longer depend on executables.

There is much more just on security. The full list of new features is available in the New Features Guide 12c Release 1 (12.1). Oracle 12c is a release with so many security innovations since long time. So let’s discuss the good, the bad and the mad….

If you plan to take a training have a look at the Trivadis Oracle Database 12c Techno Circle.

Howto change SYSMAN password in 12C Cloud Control

I was on leave for the past few weeks. After digging through tons of e-mails I finally found time to look into EM 12 Cloud Control. Unfortunately, I’ve forgotten my SYSMAN password and the EM 12c test installation is no longer running. As you say: “Holidays where one forgets everything, must be good holidays.”

So far so good, but what about my problems. Lets start with EM 12c which is not running. I started the VM from scratch. After login in over ssh I’ve realized that the EM 12c infrastructure is running. To my surprise the installer configured the start / stop script gcstartup in /etc/init.d and the corresponding rc directories. The script exists already since EM 10g but I’ve never used it. Unfortunately nobody created the start / stop script for the database and the listener. As soon as starting them manually I’ve just have to bounce the EM 12c to be up and ready again. It is not enough to just start the database. Restarting or starting the OMS is also necessary due to the fact that the OMS is not started when the database is not available during the startup of EM 12c. Oracle described this in a MOS Note EM Cloud Control 12c OMS not able to start after server reboot [1367876.1]

My second problem is quite a common issue. You’ll find some notes on how to change the SYSMAN password for EM 10/11g, DB Console and new as well for EM 12c. Basically it is done in a similar way as in EM 11g. It is just a little easier because it is not necessary to do the change in two steps. You may use use emctl to change the SYSMAN password for the OMS infrastructure and well the database account. That’s also what you can specify the SYS password when using emctl.

  1. Stop all OMS: emctl stop oms
  2. Change the password: emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd sys user password -new_pwd new sysman password
  3. Stop the Admin server and restart all OMS: emctl stop oms -all; emctl start oms

An example output:

emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd manager -new_pwd tiger
Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
Copyright (c) 1996, 2011 Oracle Corporation. ALL rights reserved.
Changing passwords IN backend ...
Passwords changed IN backend successfully.
Updating repository password IN Credential Store...
Successfully updated Repository password IN Credential Store.
Restart ALL the OMSs USING 'emctl stop oms -all' AND 'emctl start oms'.
Successfully changed repository password.

More information on these topic’s can be found in the following MOS notes:

  • 12C Cloud Control: Steps to Modify the SYSMAN Password at OMS and Repository [1365930.1]
  • How to Change the Password of SYSMAN User in 10g and 11g Grid Control? [270516.1]
  • EM Cloud Control 12c OMS not able to start after server reboot [1367876.1]

2nd Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

This is my second update of my post on Howto install Oracle Enterprise Manager Cloud Control 12c Release 1 and there for as well on Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1. Ok not more technical detail but I just found a few more MOS Notes related to EM 12c. The interesting part is mentioned in the first note. Oracle planned to release EM12c for Solaris SPARC as well Solaris x86 later this year.

  • Release Schedule of Current Enterprise Manager Releases and Patch Sets [793512.1]
  • How to Install Enterprise Manager Cloud Control Agent 12.1.0.1 (12c) using the RPM Method? [1363031.1]

Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

In the past few days Oracle has released a bunch of MOS Notes about Enterprise Manager Cloud Control 12c. If you plan an installation it is worthwhile to take a look inside. I have updated my initial post Howto install Oracle Enterprise Manager Cloud Control 12c Release 1 with a list of Oracle documentation and MOS Notes or just checkout the notes below:

  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c) [1359176.1]
  • EM12c: How to install Enterprise Manager Cloud Control 12c Agent [1360183.1]
  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Method [1364002.1]
  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Silent Install Method with Response File [ID 1364025.1]
  • FAQ: Enterprise Manager Cloud Control 12c Install / Upgrade Frequently Asked Questions [1363863.1]
  • Enterprise Manager Cloud Control 12c Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1363779.1]
  • Enterprise Manager Cloud Control 12c Agent Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1367301.1]