Tag Archives: 12c

Oracle database binaries with perl

Perl and Oracle has not always an easy past. Depending on the OS type and Oracle Version it can be quite nerve racking to compile DBI and DBD::Oracle. In addition to DBD::Oracle there are also other binary Perl modules that are not so easy to compile. On operating systems such as Microsoft Windows it is necessary to invest a little more effort to compile Perl. Alternatively one can use precompiled packages like Active Perl or Strawberry Perl. But this is basically not necessary at all if Oracle is already installed. Since Oracle 10g Perl is part of the Oracle binaries for the client and Database server. Oracle does use it for various tools itself. This allows it to easily create and execute custom perl scripts even on an Oracle Client installation. I do this regularly when I create Oracle Database security reviews. Instead of manually collecting all sorts of information, I’m running a few Perl scripts. This also works if I only have access to an Oracle client installation.

Available Perl Versions

Consequently, the different Oracle versions contains different versions of Perl. With the latest Oracle Database 12c Release 1 it just got update.

  • Oracle 10g Release 2 contains Perl 5.8.3
  • Oracle 10g Release 2 contains Perl 5.10.0
  • Oracle 12c Release 1 contains Perl 5.14.1

As you see this are not realy the latest stable version of Perl. The following Picture show’s the latest release for each branch of Perl.

LatestPerlReleases

Depending on what you want to do with Perl, this is generally not a problem. Nevertheless, it is useful to check what is supported in the corresponding release or not.

With perldoc you’ll get all kind of perl documentation. For instance the user contributed perl modules aka additional perl modules

$ORACLE_HOME/perl/bin/perldoc perllocal

With corelist you’ll get information on core perl modules perl.

$ORACLE_HOME/perl/bin/corelist -a utf8

utf8 was first released with perl 5.006
5.006 undef
5.006001 undef
5.006002 undef
5.007003 1.00
5.008 1.00
5.008001 1.02
5.008002 1.02
5.008003 1.02
5.008004 1.03
5.008005 1.04
5.008006 1.04
5.008007 1.05
5.008008 1.06
5.009 1.02
5.009001 1.02
5.009002 1.04
5.009003 1.06
5.009004 1.06
5.009005 1.07
5.01 1.07

Restrictions

But before you start to develop your big perl applications be aware, that you shouldn’t relay on it. According to the Oracle Metalink Note 342754.1 You should not use it for your own applications.

Note:- Perl and other 3rd party tools such as the Sun JRE are provided in the ORACLE_HOME for Oracle tool usage only. PERL libraries which are part of the Oracle RDBMS CD (Client / Database) are not meant for PERL custom application development, but they are used by various Oracle tools that are shipped along with Oracle RDBMS software such as EM DB Console etc.,

Using it for just a bunch of admin and reports scripts it shouldn’t be a big issues. Especially because you save quite some time when you not have to install Perl and DBD::Oracle yourself.

How tu use it

A few example how to use it will follow later on…

References

Some links related to this post.

  • Perl Source Readme on CPAN with information on the latest version on each branch of Perl
  • DBI – Database independent interface for Perl
  • DBD::Oracle Oracle database driver for the DBI module
  • Oracle Support of PHP, Perl, DBD/DBI and other 3rd party products [342754.1]
  • Active Perl from ActiveState
  • Strawberry Perl

Oracle 12c new password verify function

Even with Oracle Database 12c, the quality of the database passwords is not enforced by default. A password verify function with the corresponding password resource limits has to be developed individually. As a basis one can use the script  utlpwdmg.sql to setup the default password resource limits. The script is provided by Oracle and is used to update the default profile. It has been updated for Oracle Database 12c, but it still does not run automatically when creating a database. The 12c DBCA is missing a flag or a radio button to select something like extended standard security settings as this was known from 11g.

New Password Resource Limits

Without modification,  utlpwdmg.sql updates the profile DEFAULT, which is the default profile for all users. The following limits are the same as of Oracle Database 11g except a different password verify function.

Resource Name Limit Description
PASSWORD_LIFE_TIME 180 Sets the number of days the user can use his current password.
PASSWORD_GRACE_TIME 7 Sets the number of days that a user has to change his password before it expires.
PASSWORD_REUSE_TIME UNLIMITED Sets the number of days before which a password cannot be reused.
PASSWORD_REUSE_MAX UNLIMITED Sets the number of password changes required before the current password can be reused.
FAILED_LOGIN_ATTEMPTS 10 Specify the number of failed attempts to log in to the user account before the account is locked.
PASSWORD_LOCK_TIME 1 Specify the number of days an account will be locked after the specified number of consecutive failed login attempts.
PASSWORD_VERIFY_FUNCTION ora12c_verify_function PL/SQL password complexity verification function to enforce password complexity.

In the comment of the script you find other password resource limits. Recommendations from Center for Internet Security (CIS Oracle 11g).

Resource Name Limit
PASSWORD_LIFE_TIME 90
PASSWORD_GRACE_TIME 3
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 20
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION ora12c_verify_function

Recommendations from Department of Defense Database Security Technical Implementation Guide (STIG v8R1).

Resource Name Limit
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 5
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function

New Functions

The function has been cleaned up by Oracle. As before, there are the two functions verify_function (10g) and verify_function_11G (11g). New there are four more functions for 12c, ora12c_verify_function and ora12c_strong_verify_function and two helper functions complexity_check and string_distance.

string_distance

This function calculates the Levenshtein distance between two strings ‘s’ and ‘t’ or a bit simpler how much do two strings differ from each other. The Levenshtein algorithms has already be used in the old verify_function_11G. It is now just a function for itself to be easier used in custom password verify functions.

differ := string_distance(old_password, password);

complexity_check

This function verifies the complexity of a password string. Beside the password string it accepts a few value to describe the complexity. Nothing basically new but it makes it a bit easier to define custom password verify functions.

  • chars – All characters (i.e. string length)
  • letter – Alphabetic characters A-Z and a-z
  • upper – Uppercase letters A-Z
  • lower – Lowercase letters a-z
  • digit – Numeric characters 0-9
  • special – All characters not in A-Z, a-z, 0-9 except DOUBLE QUOTE which is a password delimiter

Verify if the password has at least 8 characters, 1 letter and 1 digit.

    IF NOT complexity_check(password, chars => 8, letter => 1, digit => 1) THEN
      RETURN(FALSE);
    END IF;

Verify if the password has at least 9 characters, 2 upper/lower case character, 2 digits and 2 special characters.

   IF NOT complexity_check(password, chars => 9, UPPER => 2, LOWER => 2,
                           digit => 2, special => 2) THEN
      RETURN(FALSE);
   END IF;

ora12c_verify_function

This function is the new 12c password verify function. It enforce a similar respectively slightly stronger password complexity as verify_function_11G. verify_function_11G just checked for DB_NAME or ORACLE with 1 to 100 attached. e.g. oracle1 or oracle83. With the new function DB_NAME or ORACLE may not be part of the password at all. The following is verified

  • Password at least 8 characters
  • at least 1 letters
  • at least 1 digits
  • must not contain database name
  • must not contain user name or reverse user name
  • must not contain oracle
  • must not be too simple like welcome1
  • password must differ by at least 3 characters from the old password

ora12c_strong_verify_function

This function is provided to give stronger password complexity. It considers recommendations of the Department of Defense Database (STIG) with the following limits.

  • Password at least 9 characters
  • at least 2 capital letters
  • at least 2 small letters
  • at least 2 digits
  • at least 2 special characters
  • password must differ by at least 4 characters from the old password

References

Links all around Critical Patch Update:

Conclusion

Oracle Database 12c brings a slightly enhanced  utlpwdmg.sql script which can much easier be adapted to custom requirements. Nevertheless a DBA has to define a password verify function himself or run  utlpwdmg.sql. Oracle does not enforce passwords by default. It is recommended to define different profiles for different user groups e.g. DBA, App Users, Schema Owner etc. and to use as well a password verify function. The examples in  utlpwdmg.sql can and must be adapted to fulfill minimal security requirements.

Oracle 12c New Security Features

I’ve just uploaded the slides for my lecture Oracle 12c new security features, as I had promised this in my previous posts. (See also DOAG 2013 Datenbank or DOAG SIG Security). The slides is a consolidation of my presentations on the New Security Features in latest generation of Oracle Database and does no reflect 1:1 the slides at the different events.

Yet a short summary of new security features

  • Oracle Data Redaction, Advanced Security feature to prevent display of sensitive data.
  • Support for Secure Hash Algorithm SHA-2 for DBMS_CRYPTO and the password hash.
  • New unified auditing and audit policies.
  • Privilege Analysis, to analyse who is using which privileges and clean up authorization.
  • New administration privileges like SYSBACKUP, SYSDG and SYSKM to reduce the dependence on SYSDBA and improve separation of duty.
  • Database Vault persistent protections, DB Vault does not longer depend on executables.

There is much more just on security. The full list of new features is available in the New Features Guide 12c Release 1 (12.1). Oracle 12c is a release with so many security innovations since long time. So let’s discuss the good, the bad and the mad….

If you plan to take a training have a look at the Trivadis Oracle Database 12c Techno Circle.

Howto change SYSMAN password in 12C Cloud Control

I was on leave for the past few weeks. After digging through tons of e-mails I finally found time to look into EM 12 Cloud Control. Unfortunately, I’ve forgotten my SYSMAN password and the EM 12c test installation is no longer running. As you say: “Holidays where one forgets everything, must be good holidays.”

So far so good, but what about my problems. Lets start with EM 12c which is not running. I started the VM from scratch. After login in over ssh I’ve realized that the EM 12c infrastructure is running. To my surprise the installer configured the start / stop script gcstartup in /etc/init.d and the corresponding rc directories. The script exists already since EM 10g but I’ve never used it. Unfortunately nobody created the start / stop script for the database and the listener. As soon as starting them manually I’ve just have to bounce the EM 12c to be up and ready again. It is not enough to just start the database. Restarting or starting the OMS is also necessary due to the fact that the OMS is not started when the database is not available during the startup of EM 12c. Oracle described this in a MOS Note EM Cloud Control 12c OMS not able to start after server reboot [1367876.1]

My second problem is quite a common issue. You’ll find some notes on how to change the SYSMAN password for EM 10/11g, DB Console and new as well for EM 12c. Basically it is done in a similar way as in EM 11g. It is just a little easier because it is not necessary to do the change in two steps. You may use use emctl to change the SYSMAN password for the OMS infrastructure and well the database account. That’s also what you can specify the SYS password when using emctl.

  1. Stop all OMS: emctl stop oms
  2. Change the password: emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd sys user password -new_pwd new sysman password
  3. Stop the Admin server and restart all OMS: emctl stop oms -all; emctl start oms

An example output:

emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd manager -new_pwd tiger
Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
Copyright (c) 1996, 2011 Oracle Corporation. ALL rights reserved.
Changing passwords IN backend ...
Passwords changed IN backend successfully.
Updating repository password IN Credential Store...
Successfully updated Repository password IN Credential Store.
Restart ALL the OMSs USING 'emctl stop oms -all' AND 'emctl start oms'.
Successfully changed repository password.

More information on these topic’s can be found in the following MOS notes:

  • 12C Cloud Control: Steps to Modify the SYSMAN Password at OMS and Repository [1365930.1]
  • How to Change the Password of SYSMAN User in 10g and 11g Grid Control? [270516.1]
  • EM Cloud Control 12c OMS not able to start after server reboot [1367876.1]

2nd Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

This is my second update of my post on Howto install Oracle Enterprise Manager Cloud Control 12c Release 1 and there for as well on Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1. Ok not more technical detail but I just found a few more MOS Notes related to EM 12c. The interesting part is mentioned in the first note. Oracle planned to release EM12c for Solaris SPARC as well Solaris x86 later this year.

  • Release Schedule of Current Enterprise Manager Releases and Patch Sets [793512.1]
  • How to Install Enterprise Manager Cloud Control Agent 12.1.0.1 (12c) using the RPM Method? [1363031.1]

Update: Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

In the past few days Oracle has released a bunch of MOS Notes about Enterprise Manager Cloud Control 12c. If you plan an installation it is worthwhile to take a look inside. I have updated my initial post Howto install Oracle Enterprise Manager Cloud Control 12c Release 1 with a list of Oracle documentation and MOS Notes or just checkout the notes below:

  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c) [1359176.1]
  • EM12c: How to install Enterprise Manager Cloud Control 12c Agent [1360183.1]
  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Method [1364002.1]
  • How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Silent Install Method with Response File [ID 1364025.1]
  • FAQ: Enterprise Manager Cloud Control 12c Install / Upgrade Frequently Asked Questions [1363863.1]
  • Enterprise Manager Cloud Control 12c Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1363779.1]
  • Enterprise Manager Cloud Control 12c Agent Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1367301.1]

Howto install Oracle Enterprise Manager Cloud Control 12c Release 1

Requirements

First of all lets start with the requirements. Which OS and database is supported for the OMS, Agent and repository database? The documentation is a bit thin on this topic (Oracle® Enterprise Manager Cloud Control Release Notes Prerequisites) and refers to the Metalink Certification Matrix.

Supported OS for the OMS and Agent are currently only the following Linux x86-64:

  • Oracle Linux 5 Update 2+
  • Asianux 3
  • Red Hat Enterprise Linux 5 Update Level 2+
  • SLES 11

Details about the required package is available in the Oracle® Enterprise Manager Cloud Control Basic Installation Guide Package Requirements for Oracle Management Service.

The OMS repository is currently certified with the following database release:

  • Oracle 11.2.0.3.0 (somehow not yet or not anymore in the MOS certification matrix)
  • Oracle 11.2.0.2.0
  • Oracle 11.2.0.1.0
  • Oracle 11.1.0.7.0
  • Oracle 10.2.0.5.0

The Prerequisites of chapter 6 Installing Enterprise Manager System in Oracle® Enterprise Manager Cloud Control Basic Installation Guide lists a few one-off Patch when using a 11.2.0.1.0 database. In general I would any way recommend to use the latest release as well the latest PSU.

The minimal hardware requirements for the OMS is a bit more than earlier releases. The table is just copy from Oracle® Enterprise Manager Cloud Control Basic Installation Guide Meeting Hardware Requirements.

Small Medium Large
1 OMS, < =1000 targets, <100 agents 2 OMSes for < =10,000 targets and <1000 agents >2 OMSes, >=10,000 targets, >=1000 agents
CPU Cores/Host 2 4 8
RAM 4 GB 6 DB 8 GB
RAM with ADP, JVMD 6 GB 10 DB 14 GB
Oracle WebLogic Server JVM Heap Size 512 MB 1 DB 2 GB
Hard Disk Space 7 GB 7 DB 7 GB
Hard Disk Space with ADP, JVMD 10 GB 12 DB 14 GB

Test Environment

To test Enterprise Manager Cloud Control I decide to use as usual a VM on my notebook. This means that the repository DB, OMS and Agent to run in a single VM. Based on the requirements above I end up with the following setup.

Hardware/VM Configuration:

  • VMWare Fusion 4.0.2
  • 2 Core’s
  • 4 GB Ram
  • 4 VM Disk not pre-allocated (20GB root, 4GB swap, 2*20GB data and software
  • 1 Network Interface

OS Configuration:

  • Oracle Enterprise Linux x86-64bit 5 update 6
  • OS has been setup through kickstart with these additional packages. Full KS file is attached to the blog post
  • oracle-validated, kernel-headers, sysstat, setarch, rng-utils
  • Kernel parameter should be set by oracle-validated

Repository Database:

  • Oracle Enterprise Edition 11.2.0.3.0
  • Database Components JVM, XDB, Multimedia (could probably be stripped down)
  • Init.ora parameter dedicated to EM12C:
    • SGA_TARGET=2G
    • SHARED_POOL_SIZE=600M
    • PGA_AGGREGATE_TARGET=1G
    • PROCESSES=300
    • JOB_QUEUE_PROCESSES=20
    • SESSION_CACHED_CURSORS=300
    • MEMORY_TARGET => should not be used

Software

next to the operating system and database software you need only the two zip files (em12_linux64_disk1of2.zip, em12_linux64_disk2of2.zip) from OTN to install EM12C. It is no longer necessary to search for Patch’s, WLS or JDK’s and download them. The software package for EM12C include everything you need to install the OMS and Agents.

Installation

Now that the test environment and repository database is ready lets start the installation. According to the presentation Oracle Enterprise Manager 12.1 – Cloud Control Upgrade it should be much easier. However the setup will start as usual with the RunInstaller.

./runInstaller

The installer starts as usual with the welcome screen and the optional question of the an e-Mail account to get informed about updates and security issues. The color layout of the dialog boxes has changed slightly. Otherwise, business as usual
EM12c Dialog 1

On the second screen you may specify your MOS credentials to instantly download the latest updates. Just hope that there are not yet any ;-)
EM12c Dialog 2

In the third step the installer check’s the system prerequisites. Failed step’s can be fixed and be retested or just ignored. Because I’ve installed the RPM oracle_validated all dependent packages are installed some kernel parameters are adjusted.
EM12c Dialog 3

On the third step you have to specify the installation type and location of the middleware. For my test case I just select simple installation and /u00/app/oracle/product/middleware as the middlware home
EM12c Dialog 4

The WLS Administrator credentials and the repository connection details have to be specified on the fifth screen.
EM12c Dialog 5

Just right after you press next the installer connect’s to the repository database and check’s if the database can be used as EM repository. First it checks if there is a default CBO stats gathering job. You may let the installer fix this by pressing yes.
EM12c Dialog 5a

Second it checks the database configuration parameter and space setting. The information provided here do not have to be fixed immediately. The adjustments can be done after the installation of EM. In my first installation I’ve had a few failing prerequisites more. Since I set the init.ora parameter according the section above only three are left. I’ll fix all three of them after the installation. OK, redo size of 300M on my test VM I will just ignore.
EM12c Dialog 5b

Screen six sum up all information provide so fare before the installation starts.
EM12c Dialog 7

The installation it self is presented in a nice new way. For each installation step there is a direct link to its log file.
EM12c Dialog 7a

If something fail, you can immediately verify the issue by clicking the link to the log. As soon you fixed the issue, you can rerun the failed step. In my case the VM run out of memory (Physical and Swap) and the OMS could not be started.
EM12c Dialog 7b

I’ve extend the swap space up to 4G and restarted the step.
EM12c Dialog 7c

Done…. The last screen of the installation display the link information for the EM Cloud Control Console and the Administration URL. All information is also available in the file setupinfo.txt.
EM12c Dialog 8

First impression

Connecting the first time with EM console allows you to select you preferred EM Home page based on you role. E.g there is one for EM Administrators which looks quite similar to the old home page. Other home pages a displaying immediately information important to a Database Administration, WLS Administrator, Support personnel or other.

As a first step I’ve added a DB Target to get more information displayed in my EM. I’ve just run a bit out of time, thats why I haven’t yet more screen shots to display. I’ll provide a few more later.

Round up

All together the installation of EM Cloud Control 12c is much easier than installing one of the earlier releases. Oracle finally packed all together in one software package and one installer. I do not have to care anymore about the right JDK or WLS version. They are just installed. The side effect on this is that also on the OS everything is installed on the same place. Where at 10g and 11g separate directories has been used for OMS and agent, they are now below the middleware directory. Which is not really an issue, you only need to adjust any scripts and environment variables.

Apart from the simple installation procedure, I also like the small improvements while checking the prerequisites. Things which have to be fixed can be fixed immediately. Others, which are required to run the OMS, but not to finish the installation, can be fixed afterwards.

The only drawback I see after my first short tests are the quite high CPU and memory needs. For a regular system, this is not really a problem. But for a road warrior where all testing is done on a notebook, a VM with a 4-6GB is quite an issue.

References

A collection of links to MOS Notes and Oracle documentation about Enterprise Manager Cloud Control 12c (12.1.0.1.0):

  • Oracle Technology Network Oracle Enterprise Manager 12c
  • Enterprise Manager Cloud Control Documentation 12c Release 1 (12.1)
  • MOS Note: How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c) [1359176.1]
  • MOS Note: EM12c: How to install Enterprise Manager Cloud Control 12c Agent [1360183.1]
  • MOS Note: How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Method [1364002.1]
  • MOS Note: How to Install Enterprise Manager Cloud Control 12.1.0.1 (12c)
    using Software-only Silent Install Method with Response File [ID 1364025.1]
  • MOS Note: FAQ: Enterprise Manager Cloud Control 12c Install / Upgrade Frequently Asked Questions [1363863.1]
  • MOS Note: Enterprise Manager Cloud Control 12c Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1363779.1]
  • MOS Note: Enterprise Manager Cloud Control 12c Agent Installation
    List of the Log Files and Commands to Zip them into One Zip Archive [1367301.1]