Tag Archives: Trivadis Content

Blog posts also posted on the Trivadis Blog (TriBlog)

GDPR and Database Security Speeches

The new EU GDPR and Database Security in general keeps me busy. I’ve updated the list of speeches and events for the next couple of month. It’s an interesting mix between GDPR, Oracle Database Security and MS SQL Server 2016 security. Depending on the feedback of the Call For Papers for the DOAG Conference and the Oracle OpenWorld there will probably be more. But for now I’ll definitely give a full day training on Oracle Database 12c Security at the Education day on DOAG Conference.

Upcoming events

Have you missed an event? In this case check out the download page or blog post categorized with speaking. If possible, I’ll provide all information online?

DOAG Webinar Oracle 12.2 New Security Features

A couple of days ago I’ve successfully finished the DOAG Webinar on Oracle 12c Release 2 new Security Feature. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases. Especially the online encryption of tablespaces with TDE.

Based on initial experiences and insights, the following topics have been discussed:

  • Authentication
  • Authorization
  • Database Auditing with Unified Audit
  • Encryption with Transparent Data Encryption
  • As well as an overview of further innovations in database security

The slides and the recording of the webinar is available in German over the following links:

Start OUD Servers on Boot using systemd

Starting Oracle Unified Directory on system boot is essential for production environment. Unfortunately OUD just provides a script to create the init.d script. But newer system in general use systemd initialise and startup. Nevertheless, creating a custom unit file for OUD is simple and straightforward. First, let’s create a regular init.d script with the create-rc-script from oud. The created custom script can be used as template for the systemd unit file.

create-rc-script does allow a couple of parameter to specify the script name, OS user for OUD and the JAVA_HOME. The following example of create-rc-script does show how to create a regular start script for OUD instance oud_ad_proxy.

export OUD_HOME=/u00/app/oracle/instances/oud_ad_proxy
export JAVA_HOME=/u00/app/oracle/product/jdk1.7.0_141

cd $OUD_HOME/OUD/bin
create-rc-script -f oud_ad_proxy.sh -u oracle -j $JAVA_HOME

This does create the following bornshell script for init.d.

#!/bin/sh
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
#
# chkconfig: 345 90 30
# description: Oracle Unified Directory startup script
#


# Set the path to the Oracle Unified Directory instance to manage
INSTALL_ROOT="/u00/app/oracle/instances/oud_ad_proxy/OUD"
export INSTALL_ROOT

# Specify the path to the Java installation to use
OPENDS_JAVA_HOME="/u00/app/oracle/product/jdk1.7.0_141"
export OPENDS_JAVA_HOME

# Determine what action should be performed on the server
case "${1}" in
start)
  /bin/su - oracle -- "${INSTALL_ROOT}/bin/start-ds" --quiet
  exit ${?}
  ;;
stop)
  /bin/su - oracle -- "${INSTALL_ROOT}/bin/stop-ds" --quiet
  exit ${?}
  ;;
restart)
  /bin/su - oracle -- "${INSTALL_ROOT}/bin/stop-ds" --restart --quiet
  exit ${?}
  ;;
*)
  echo "Usage:  $0 { start | stop | restart }"
  exit 1
  ;;
esac

The same start / stop commands can now be used in the unit file. So let’s create a new custom unit file in /etc/systemd/system. The unit file is named according the old instance.

sudo vi /etc/systemd/system/oud_ad_proxy.service

Add the following content to the new unit file.

[Unit]
Description=OUD AD Proxy Instance oud_ad_proxy
Wants=network.target
After=network.target

[Service]
Type=forking
User=oracle
Group=osdba
Environment=OPENDS_JAVA_HOME="/u00/app/oracle/product/jdk1.7.0_141"
ExecStart=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/start-ds --quiet
ExecStop=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/stop-ds --quiet
ExecReload=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/stop-ds --restart --quiet
StandardOutput=syslog

[Install]
WantedBy=multi-user.target

As soon as we have the new unit file we have to enable the service.

sudo systemctl enable oud_ad_proxy.service

Start the OUD instance using systemctl.

sudo systemctl start oud_ad_proxy.service

Stop the OUD instance using systemctl.

sudo systemctl stop oud_ad_proxy.service

Display the status of the OUD service.

sudo systemctl status oud_ad_proxy.service

 oud_ad_proxy.service - OUD AD Proxy Instance oud_ad_proxy
   Loaded: loaded (/etc/systemd/system/oud_ad_proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-05-16 22:41:09 CEST; 28s ago
  Process: 18300 ExecStop=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/stop-ds --quiet (code=exited, status=0/SUCCESS)
  Process: 18397 ExecStart=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/start-ds --quiet (code=exited, status=0/SUCCESS)
 Main PID: 18477 (java)
   CGroup: /system.slice/oud_ad_proxy.service
           └─18477 /u00/app/oracle/product/jdk1.7.0_141/jre/bin/java -server -Dorg.opends.server.scriptName=start-ds org.opends.server.core.DirectoryServer --configClass org.opends.server.extensions.ConfigFileHandler -...

May 16 22:41:01 euterpe systemd[1]: Starting OUD AD Proxy Instance oud_ad_proxy...
May 16 22:41:09 euterpe systemd[1]: Started OUD AD Proxy Instance oud_ad_proxy.

Some references and links to MOS Notes:

EU GDPR, MS SQL Server 2016 and Oracle Security

I’ve just updated the list of my public appearances and planned events. For once, no just Oracle Events 🙂 I’ll speak about the new EU GDPR and its impact on databases in a Trivadis regional customer event together with my colleague Stephan Hurni. Beside this two events I’ll hold a webinar on Oracle 12c Release 2 new security features. This webinar is organised by DOAG.

Unfortunately all these events are in german. No matter, I’m about to register the one or other topic at upcoming Call For Papers. If the speeches get approved I’ll update my list of public appearance.

Oracle CPU / PSU Announcement April 2017

Last night Oracle released there new Critical Patch Update. From the DB perspective it is a rather small patch update. It just includes 2 fixes for security vulnerabilities on Oracle database 11.2.0.4 and 12.1.0.2. None of the vulnerabilities are remote exploitable without authentication but one fix is also for client only installations. The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server 11.2.0.4 on Windows is 7.2 The following components are affected:

  • OJVM
  • SQL*Plus / Local Logon

According to MOS Note 2228898.1 Patch Set Update and Critical Patch Update April 2017 Availability Document, there should also be a OJVM PSU for Oracle 12.2.0.1. But the Patch 25811364 is not yet available.

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 31 fixes for vulnerabilities. Some of the vulnerabilities where some are remote exploitable without authentication and are rated with the highest CVSS rating of 10.0.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle 12.2.0.1 On-Premises soon available

It seems that Oracle brings us the new release with the first “spring rays”. Tonight Oracle has Updates the MOS Note 742060.1 Release Schedule of Current Database Releases. It now includes as well sections for Oracle public cloud releases, on-premises engineered systems as well on-premises server releases. In particular the section on-premises server release has now a release date for Oracle 12.2.0.1. According to this, Oracle 12.2.0.1 will be available for Linux x86-64, Solaris SPARC and Solaris x86-64 by mid of march. For the other platforms like Windows, AIX etc we have to wait until Q2. As posted earlier the documentation for the new release is available since a couple of weeks. There is no reason not to start with the engineering work for the new release.

By the way, there are some other changes as well on this MOS Note. The attentive reader has seen, that Oracle has again extended their Free Extended Support for 11.2.0.4 until Dec 31, 2018. Unfortunately there are some contradictions with other MOS Notes like 161818.1 and 1067455.1. On these notes the Free Extended Supports ends earlier. You probabely should clarify your support status before planing to keep your 11.2.0.4 production database until end of 2018.

Some references and links to MOS Notes:

Oracle CPU / PSU Announcement January 2017

Oracle has published the first Critical Patch Update in 2017. It’s quite a huge update with not less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself are 5 security fixes available respectively 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two vulnerabilities for Oracle Databases are remotely exploitable without authentication. None of these fixes are applicable to client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • OJVM
  • RDBMS Security / Local Logon

Over all the PSU for Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show if there are any issues with this PSU respectively SPU.

It seems that a bunch of Patch’s are not yet available. Oracle list the follow Post Release Patches beside the PSU and SPU for Oracle Database Server 11.2.0.4.

Patch Number Patch Platform Availability
24968615 Database Proactive Bundle Patch 12.1.0.2.170117 HP-UX Itanium (64-Bit) & AIX (64-Bit) Expected: Wednesday 18-Jan-2017
25395111 Oracle Application Testing Suite BP 12.5.0.1 All Platforms Expected: Wednesday 18-Jan-2017
25115951 Microsoft Windows BP 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
25112498 Oracle JavaVM Component Microsoft Windows Bundle Patch 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
24918318 Quarterly Full Stack download for Exadata (Jan2017) BP 12.1.0.2 Linux x86-64 and Solaris x86-64 Expected: Thursday 26-Jan-2017
24918333 Quarterly Full Stack download for SuperCluster (Jan2017) BP 12.1.0.2 Solaris SPARC 64-Bit Expected: Thursday 26-Jan-2017

More details about the patch will follow soon on the Oracle Security Pages.