Tag Archives: Trivadis Content

Blog posts also posted on the Trivadis Blog (TriBlog)

Oracle CPU / PSU Announcement January 2017

Oracle has published the first Critical Patch Update in 2017. It’s quite a huge update with not less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself are 5 security fixes available respectively 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two vulnerabilities for Oracle Databases are remotely exploitable without authentication. None of these fixes are applicable to client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • OJVM
  • RDBMS Security / Local Logon

Over all the PSU for Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show if there are any issues with this PSU respectively SPU.

It seems that a bunch of Patch’s are not yet available. Oracle list the follow Post Release Patches beside the PSU and SPU for Oracle Database Server 11.2.0.4.

Patch Number Patch Platform Availability
24968615 Database Proactive Bundle Patch 12.1.0.2.170117 HP-UX Itanium (64-Bit) & AIX (64-Bit) Expected: Wednesday 18-Jan-2017
25395111 Oracle Application Testing Suite BP 12.5.0.1 All Platforms Expected: Wednesday 18-Jan-2017
25115951 Microsoft Windows BP 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
25112498 Oracle JavaVM Component Microsoft Windows Bundle Patch 12.1.0.2.170117 Windows 32-Bit and x86-64 Expected: Tuesday 24-Jan-2017
24918318 Quarterly Full Stack download for Exadata (Jan2017) BP 12.1.0.2 Linux x86-64 and Solaris x86-64 Expected: Thursday 26-Jan-2017
24918333 Quarterly Full Stack download for SuperCluster (Jan2017) BP 12.1.0.2 Solaris SPARC 64-Bit Expected: Thursday 26-Jan-2017

More details about the patch will follow soon on the Oracle Security Pages.

Using TouchID for sudo on macOS Sierra

A couple of days ago, I’ve received my new 15″ Mac Book Pro. So far I’m quite happy. Ok the the circumstance, that I have to carry around a bunch of adapters. I’m waiting for the first projector at customers with USB-C connection. But thats an other story. Initially I thought, that I will not use the new Touch Bar that much. But I must admit that it’s quite handy from time to time. In particular the Touch ID to unlock the Mac Book Pro.

During my day to day work, I’m using the terminal quite a lot. This also includes the use of sudo. Why not using the Touch ID, to run a privileged command with sudo rather than typing the password. Good idea, unfortunately this is not possible out of the box in macOS Sierra. A Google search has revealed two possible solutions respectively projects on GitHub.

  • Replace the sudo with a customised version of sudo, which does support Touch ID (see sudo-touchid
  • Add a customised PAM module, which does support the Touch ID (see pam_touchid

I have decided to test the custom PAM module, because it seems, that this alternative has less impact on the operating system. The configuration is straight forward and includes the following steps:

  • Build the project using Xcode
  • Copy the PAM module to a custom location
  • Update the sudo configuration

As mentioned in a comments on GitHub, sudo over ssh does not work with this PAM module (see pam_touchid appears to break sudo over SSH) pam_touchid.m requires a small modification. In particular the following if statement has to be added at the top of the method pam_sm_authenticate.

if (getenv("SSH_TTY"))
return PAM_IGNORE;

In case of a sudo authentication request over SSH the module will do nothing. Sudo will fall back to the regular PAM modules. So lets start Xcode to adjust pam_touchid.m and build pam_touchid.so.2.
Build PAM Module
Create a custom directory for the PAM module, copy pam_touchid.so.2 and adjust the owner and privileges.

sudo mkdir -p /usr/local/lib/pam/
sudo cp pam_touchid.so.2 /usr/local/lib/pam/
sudo chown root:wheel /usr/local/lib/pam/pam_touchid.so.2
sudo chmod 444 /usr/local/lib/pam/pam_touchid.so.2

Update the sudo configuration and add auth sufficient pam_touchid.so reason="execute a command as another user" to the top of the file.

sudo vi /etc/pam.d/sudo

cat /etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_touchid.so reason="execute a command as another user"
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so

As soon as you start a new terminal session, you can use your Touch ID to authenticate sudo. Below you see an example of sudo hostname to get the current hostname.
TouchID
As mentioned in the realm of the PAM Touch ID project, you have to be sure what your doing. If it is the first time you use Xcode and Terminal, it is probably better to not change your sudo authentication.

Thanks to Hamza Sood for this PAM module.

Environment Scripts for OUD

At Trivadis we do have the TVD-BasEnv™ to standardizes and simplifies the handling of environments for Oracle database and application server landscapes. This inspired me to create something similar for Oracle Unified Directory environments. Although current versions of TVD-BasEnv™ already support OUD and OID environment. I’ve had the situation, where I need some small and slimmed down environment scripts for dedicated OUD test servers. TVD-BasEnv™ is rather complex and brings a lot of nice features for Oracle Database environments with ASM, RAC, DataGuard and more stuff which is in general not required on a simple OUD server.

My OUD Base is basically just the oudenv.sh script, some configuration files and a bunch of aliases. The directory structure for the OUD binaries, scripts and configuration files is similar to what we use in TVD-BasEnv™ and based on OFA. It is written in bash and tested on my Oracle Linux VM’s and Raspberry Pi’s with Raspbian Jessy. It should also run on any other bash environment. Um, well OUD and Raspberry Pi? Yes I’ll explain this soon in an other blog post.

Setup the Environment

In general I do use a dedicated OS user for my Oracle installations. To keep it simple and clear I name it oracle. The following commands are run on my Raspberry Pi and therefore as OS user pi. Please adjust it accordingly. Create the user and the corresponding OS groups as pi user with sudo.

pi@oud2go:~ $ sudo adduser oracle
Adding user oracle ...
Adding new group oracle (1001) ...
Adding new user oracle (1001) with group oracle ...
Creating home directory /home/oracle ...
Copying files from /etc/skel ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for oracle
Enter the new value, or press ENTER for the default
	Full Name []: oracle
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
pi@oud2go:~ $ sudo addgroup oinstall
Adding group oinstall (GID 1002) ...
Done.
pi@oud2go:~ $ sudo addgroup osdba
Adding group osdba (GID 1003) ...
Done.
pi@oud2go:~ $ sudo adduser oracle oinstall
Adding user oracle to group oinstall ...
Adding user oracle to group oinstall
Done.
pi@oud2go:~ $ sudo adduser oracle osdba
Adding user oracle to group osdba ...
Adding user oracle to group osdba
Done.

Create an ORACLE_BASE directory which is used for OUD and provide access to OS user oracle.

pi@pi2go:~ $ sudo mkdir -p /u00/app/oracle
pi@pi2go:~ $ sudo chown -R oracle:oinstall /u00/app/oracle

My OUD Base is available as Bash Install script with an embedded TAR ( oudbase_install.sh) or as plain TAR file ( oudbase_install.tgz). If you use the TAR file a few manuell configuration steps are required.

Install using oudbase_install.sh

This installation is straightforward as you can see in the usage.

2016-10-15_11:41:58  START: Start of oudbase_install.sh (Version 0.1) with 
2016-10-15_11:41:58  INFO : Usage, oudbase_install.sh [-hv] [-b <oracle_base>] 
2016-10-15_11:41:58  INFO :   [-i <oracle_instance_base>] [-m <oracle_home_base>] [-B <oud_backup_base>]
2016-10-15_11:41:58  INFO : 
2016-10-15_11:41:58  INFO :   -h                          Usage (this message)
2016-10-15_11:41:58  INFO :   -v                          enable verbose mode
2016-10-15_11:41:58  INFO :   -b <oracle_base>            ORACLE_BASE Directory. Mandatory argument.
2016-10-15_11:41:58  INFO :   -i <oracle_instance_base>   Base directory for OUD instances (default $ORACLE_BASE/instances)
2016-10-15_11:41:58  INFO :   -m <oracle_home_base>       Base directory for OUD binaries (default $ORACLE_BASE/middleware)
2016-10-15_11:41:58  INFO :   -B <oud_backup_base>        Base directory for OUD backups (default $ORACLE_BASE/backup)
2016-10-15_11:41:58  INFO : 
2016-10-15_11:41:58  INFO : Logfile : /u00/app/oracle/local/log/oudbase_install.log
2016-10-15_11:41:58  ERR  : Exit Code 1. Wrong amount of arguments. See usage for correct one.

We will just provide the ORACLE_BASE and use the default values for all other settings. 

oracle@pi2go:~ $ ./oudbase_install.sh -v -b /u00/app/oracle
2016-10-15_11:44:03  START: Start of oudbase_install.sh (Version 0.1) with -v -b /u00/app/oracle
2016-10-15_11:44:03  INFO : processing commandline parameter
2016-10-15_11:44:03  Installing OUD Environment
2016-10-15_11:44:03  Create required directories in ORACLE_BASE=/u00/app/oracle
2016-10-15_11:44:03  Create Directory /u00/app/oracle/etc
2016-10-15_11:44:03  Create Directory /u00/app/oracle/local
2016-10-15_11:44:03  Create Directory /u00/app/oracle/backup
2016-10-15_11:44:03  Create Directory /u00/app/oracle/middleware
2016-10-15_11:44:03  Create Directory /u00/app/oracle/instances
2016-10-15_11:44:03  Extracting file into /u00/app/oracle/local
bin/
bin/oud_export.sh
bin/oud_backup.sh
bin/oudenv.sh
bin/oudbase_install.sh
bin/oud_status.sh
config/
certificates/
doc/
etc/
etc/oudtab
etc/oudenv.conf
etc/oud._DEFAULT_.conf
lib/
log/
log/oud_status.log
log/oud_export.log
log/oud_backup.log
log/oudbase_install.log
templates/
templates/cron.d/
templates/cron.d/oud
templates/.bash_profile
templates/ldif/
templates/ldif/oud_pi_init.ldif
templates/logrotate.d/
templates/logrotate.d/oud
2016-10-15_11:44:03  Please manual adjust your .profile to load / source your OUD Environment
2016-10-15_11:44:03  END  : of oudbase_install.sh

You have to change your bash profile to make sure that the environment is loaded. Just add the following lines.

oracle@pi2go:~ $ vi .profile
# Check OUD_BASE and load if necessary
if [ "${OUD_BASE}" = "" ]
  then
    if [ -f "${HOME}/.OUD_BASE" ]
      then
        . "${HOME}/.OUD_BASE"
      else
        echo "ERROR: Could not load ${HOME}/.OUD_BASE"
    fi
fi

# define an oudenv alias
alias oud='. ${OUD_BASE}/bin/oudenv.sh'

# source oud environment
. ${OUD_BASE}/bin/oudenv.sh

During the next logon you have the OUD Base available

Manual installation using oudbase_install.tgz

Ok, it is not really more complex just un-tar the file in a directory. Normally it is $ORACLE_BASE/local. Other directory probably have to be specified in the config file.

oracle@pi2go:~ $ cd /u00/app/oracle/
oracle@pi2go:~ $ mkdir local
oracle@pi2go:~ $ cd local
oracle@pi2go:~ $ tar zxvf oudbase_install.tgz

You also have to change your bash profile as mentioned above.

Examples

A few example how to use OUD Base to simplify OUD management.

Change environment to OUD instance oud_pi. 

oracle@pi2go:~/ [oud_pi] oud_pi
Source environment for OUD Instance oud_pi
--------------------------------------------------------------
 Instance Name   : oud_pi
 Instance Home   : /u00/app/oracle/instances/oud_pi
 Oracle Home     : /u00/app/oracle/middleware/oud_11.1.2.3
 Instance Status : up
 LDAP Port       : 1389
 LDAPS Port      : 1636
 Admin Port      : 4444
 Replication Port: 8989
--------------------------------------------------------------

List available / running OUD instances using oudup or via alias u.

oracle@pi2go:~/ [oud_pi] oudup
TYPE INSTANCE   STATUS PORT HOME
---- ---------- ------ ---- ----------------------------------
OUD  oud_pi     up     4444 /u00/app/oracle/instances/oud_pi

Configuration and Architecture

Config Files

The OUD Base does have the following configuration files.

File Description
.OUD_BASE This is a simple file in the user home directory. It includes the pointer to the OUD Base directory. This file is used to initiate $OUD_BASE.
oudtab oudtab is a simple file which includes all OUD instance and there ports eg. default LDAP port, admin port, SSL port and replication port.
oudenv.conf This is the main configuration file for environment variables and aliases. It is loaded when an environment is set or changed. Location of oudenv.conf is $ETC_BASE.
oud._DEFAULT_.conf This configuration file for custom environment variables. Location of oud._DEFAULT_.conf is $ETC_BASE.
oud._INSTANCE_.conf This configuration file for custom environment variables for a dedicated OUD instance eg. oud_pi Location of oud._oud_pi_.conf is $ETC_BASE.

Directories and its variables

The following directory, environment variables and aliases are defined and used in OUD Base. Most of them are inspired by OFA (Oracle Flexible Architecture) and TVD-BasEnv™.

ENV Variable Alias Path Description
$ORACLE_BASE, $cdob cdob /u00/app/oracle Base directory for the oracle binaries
$OUD_BASE, $cdl cdl $ORACLE_BASE/local OUD Base directory with the scripts, config etc
cdl.bin $ORACLE_BASE/bin Scripts directory in OUD_BASE
$ETC_BASE, $etc etc, cdl.etc $ORACLE_BASE/etc OUD Base configuration directory
$LOG_BASE, $log log, cdl.log $ORACLE_BASE/log OUD Base log directory
$ORACLE_BASE/doc OUD Base documentation directory
$ORACLE_BASE/config Local directory for configuration files, LDIF etc to build an OUD instance
$ORACLE_BASE/certificates Local directory for certificates
$ORACLE_HOME, $cdh cdh $ORACLE_BASE/middleware/oud_11.1.2.3 Oracle Unified Directory binaries eg. 11.1.2.3
$JAVA_HOME /usr/lib/jvm/jre-1.7.0-oracle-1.7.0.101-1jpp.1.el7.x86_64 Java used for OUD
$OUD_INSTANCE_BASE, $cdib cdib $ORACLE_BASE/instances Base directory for the instance homes
oud_pi Alias to set environment for OUD instance oud_pi
$OUD_INSTANCE_HOME, $cdih cdih $ORACLE_BASE/instances/oud_pi OUD Instance Home directory for Instance oud_pi
$cdic cdic $OUD_INSTANCE_HOME/OUD/config Config directory for OUD instance oud_pi
$cdil cdil $OUD_INSTANCE_HOME/OUD/logs Log directory for OUD instance oud_pi

Variables

Variable besides the ones mentioned above.

Variable Description
$OUD_INSTANCE Name of the current OUD instance
$OUD_INST_LIST List of OUD instances taken from $OUDTAB
$PWD_FILE Password file for the OUD instance eg. ${ETC_BASE}/$OUD_INSTANCE_pwd.txt or ${ETC_BASE}/pwd.txt
$PORT OUD instance port taken from oudtab file
$PORT_ADMIN OUD instance admin port taken from oudtab file
$PORT_REP OUD instance replication port taken from oudtab file
$PORT_SSL OUD instance SSL port taken from oudtab file
$OUDTAB oudtab config file eg. ${ETC_BASE}/oudtab

Aliases

Alias Description
dsc dsconfig including hostname, $PORT_ADMIN and $PWD_FILE
dsrs dsreplication status
oud_pi OUD Base does generate an alias for each OUD instance based on its name. This allows to easily change the environment from one to an other OUD instance.
oud INSTANCE Use oud INSTANCE name to change the environment to a particular OUD instance
taa tea will do a tail -f on the OUD instance access log
tae tea will do a tail -f on the OUD instance error log
tas tea will do a tail -f on the OUD instance server.out log
tarep tea will do a tail -f on the OUD instance replication log
task task does run a manage-tasks with hostname, port etc parameter
u u runs oudup to display the current OUD Instances
vio vio opens the oudtab file eg. ${ETC_BASE}/oudtab

Conclusion

Although there is the possibility to use property files for OUD I’m still happy, that I have a bunch of aliases to set or change a few directories. Eg. jump to the log directory, view config files etc. Feel free to use the OUD Base as it is on your OUD environments at your own risk. It simplifies a few settings in particular if you have multiple OUD instance on one system. You may change, modify the scripts as you like. I can not guarantee, that the scripts do not have any errors or bugs. Please test before you start using them on a production environment.

Files and References

Below you find a few references related to Raspberry Pi, USB OTG or Oracle Unified Directory:

Oracle 12 Release 2 Documentation available

Oracle just released the documentation for Oracle 12c Release 2. It seems that most of the new security features are available as discussed in my presentation at DOAG SIG Security in Düsseldorf on the 18th of october. See docs.oracle.com for the documentation bookshelf.

Yet a short summary of new security features

Encryption

  • TDE Tablespace Live Conversion
  • Fully Encrypted Database
  • Support for ARIA, SEED, and GOST Encryption Algorithms in TDE
  • TDE Tablespace Offline Conversion

Enforcing Application Security in the Database

  • RAS Session Privilege Scoping
  • RAS Column Privilege Enhancements
  • RAS Schema Level Policy Administration
  • RAS Integration with OLS

Improving Security Manageability, Administration, and Integration

  • Oracle Virtual Private Database Predicate Audit
  • Oracle Database Vault Policy
  • Oracle Database Vault Simulation Mode Protection
  • Oracle Database Vault Common Realms and Command Rules for Oracle Multitenant
  • Privilege Analysis Enhancements
  • Privilege Analysis Results Comparison
  • Redaction: Different Data Redaction Policy Expressions
  • Redaction: New Functions Allowed in Data Redaction Policy Expressions
  • Redaction: Additional Data Redaction Transformations
  • Automatic KDC Discovery When Configuring OCI Clients
  • Automatic Provisioning of Kerberos Keytab for Oracle Databases
  • Role-Based Conditional Auditing
  • Inherit Remote Privileges

Improving Security Posture of the Database

  • SYSRAC – Separation of Duty for Administering Real Application Clusters
  • Transparent Sensitive Data Protection Feature Integration
  • Requiring Strong Password Verifiers by Default

Improving User Authentication and Management

  • Automatic Locking of Inactive User Accounts

Modernizing Network Authentication and Encryption

  • Kerberos-Based Authentication for Direct NFS

There is much more just on security. The full list of new features is available in the New Features Guide 12c Release 2 (12.2). In particular the new features for TDE are worth, having a closer look. So let’s discuss the good, the bad and the mad….

If you plan to take a training have a look at the Trivadis Training. We will announce a Trivadis Oracle Database 12c Release 2 Techno Circle as soon as the software for 12c Release 2 is officially released.

Using Kerberos in Oracle Standard Edition

Since the release of Oracle 12cR1 mid 2013 the network encryption and strong authentication services has been removed from the Oracle Advanced Security Option. Both feature are now available for any licensed editions. Corresponding section in the Oracle Licensing Guide for 11g R2 and 12c R1 has been updated.

Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Oracle Network Encryption does work quite well for Standard or Enterprise Edition even with the Instant Client. But there is no Kerberos support available Oracle 11.2.0.4 Standard Edition or any other 11g SE release. This can be verified on the command line with the command adapters:

oracle@urania:/u00/app/oracle/product/11.2.0.4se/lib/ [TDB11B] adapters

Installed Oracle Net transport protocols are:

    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB

Installed Oracle Net naming methods are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
    Oracle Names Server Naming

Installed Oracle Advanced Security options are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming

There is a MOS Note 2145731.1 which describes how to enable the Radius adapter. The same method can be used to enable Kerberos as well, event if an other MOS Note 2028070.1 specifies that Kerberos is not available in Standard Edition.

Radius and Kerberos adapters is part of the object file nautab.o. In $ORACLE_HOME/lib are two object files. nautab.o and the nautab_ee.o.dbl:

oracle@urania:~/ [TDB11B] ls -al $ORACLE_HOME/lib/naut*
-rw-r--r--. 1 oracle users 4864 Jul 15  2013 /u00/app/oracle/product/11.2.0.4se/lib/nautab_ee.o.dbl
-rw-r--r--. 1 oracle users 4520 Jul  1 18:01 /u00/app/oracle/product/11.2.0.4se/lib/nautab.o

To get Kerberos support you just have to replace the nautab.o with nautab_ee.o.dbl…:

oracle@urania:~/ [TDB11B] cp $ORACLE_HOME/lib/nautab.o $ORACLE_HOME/lib/nautab_se.o.dbl
oracle@urania:~/ [TDB11B] cp $ORACLE_HOME/lib/nautab_ee.o.dbl $ORACLE_HOME/lib/nautab.o

oracle@urania:~/ [TDB11B] ls -al $ORACLE_HOME/lib/naut*
-rw-r--r--. 1 oracle users 4864 Jul 15  2013 /u00/app/oracle/product/11.2.0.4se/lib/nautab_ee.o.dbl
-rw-r--r--. 1 oracle users 4864 Jul  1 19:54 /u00/app/oracle/product/11.2.0.4se/lib/nautab.o
-rw-r--r--. 1 oracle users 4520 Jul  1 19:54 /u00/app/oracle/product/11.2.0.4se/lib/nautab_se.o.dbl

… and relink the binaries:

oracle@urania:~/ [TDB11B] relink all
writing relink log to: /u00/app/oracle/product/11.2.0.4se/install/relink.log

As you can see the command adapters now shows Radius and Kerberos adapters:

oracle@urania:~/ [TDB11B] adapters

Installed Oracle Net transport protocols are:

    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB

Installed Oracle Net naming methods are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
    Oracle Names Server Naming

Installed Oracle Advanced Security options are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    RADIUS authentication

As of now kerberos can be configured and used as usual. If for a reason okinit and oklist are also required, they must be copied from an existing Oracle 11g Enterprise Edition installation. By default they are not part of a Standard Edition. So let’s copy the binaries and the corresponding message files:

] cp 11.2.0.4/bin/okinit 11.2.0.4se/bin/okinit 
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/bin/oklist 11.2.0.4se/bin/oklist
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/bin/okinit 11.2.0.4se/bin/okinit
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/bin/okdstry 11.2.0.4se/bin/okdstry
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/network/mesg/naukus.msb 11.2.0.4se/network/mesg/naukus.msb
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/network/mesg/naukus.msg 11.2.0.4se/network/mesg/naukus.msg

Now you can use Kerberos as you want. You just have to struggle with the usual kerberos issues and bugs 🙂 But more on them here kerberos.

References

Some links related to this topic.

  • Oracle® Database Licensing Information User Manual 12c Release 1 (12.1) Oracle Advanced Security
  • Oracle® Database Licensing Information 11g Release 2 (11.2) Oracle Advanced Security
  • How To Enable Radius Adapter In Oracle Database 11g Standard Edition [2145731.1]
  • Kerberos Authentication On Standard Edition [2028070.1]
  • Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC [1304004.1]

Ad: Der Oracle DBA – Handbuch für die Administration der Oracle Database 12c

Der Oracle DBAThe 2nd revised edition of the Der Oracle DBA will finally be released in a couple of days. Pre-Orders are already possible. It took quite a while until the publication of this release. Work on the second edition began as early as a year ago. This edition is again written in German and published by Hanser.

Who are the authors? Several colleagues of mine at Trivadis Mirko Hotzy, Christian Antognini, Markus Flechtner, Andreas Karlin and Daniel Steiger as well as Andrea Held, Marek Adar, Ronny Egner und Angelika Gallwitz and myself.

For my part, I wrote the chapter on database security. A PDF with the preface, first chapter “Schnelleinstieg”, table of content and index is available as preview. Additional information, in particular on Oracle Database Security will be posted on this side.

Oracle Software Appliances and Bash Shellshock

Late September a vulnerability in the bash Shell has been published. The vulnerability also known as shellshock, was classified as extremely critical. Anyway, in the meantime security patch has been released for the different operating systems and bash implementations. A bugfix is also available for Oracle Enterprise Linux, which is used as operating system of the two Oracle software appliances Oracle Audit Vault and Database Firewall and Oracle Key Vault. Oracle has published two My Oracle Support Notes which describe how the patch must be installed on the appliance software. The installation is quite straightforward. Get the patch from the Oracle’s public yum repository and install it on the appliance. 🙂 But be aware, that the two appliance are still runing Oracle Enterprise Linux 5.

Steps to copy, install and verify the bash shell bugfix:

[support@melete ~]$ su -
Password: 

[root@melete ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

[root@melete ~]# rpm -Uvh /tmp/bash-3.2-33.el5_11.4.x86_64.rpm 
warning: /tmp/bash-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing...                ########################################### [100%]
   1:bash                   ########################################### [100%]

[root@melete ~]# rpm -qa | grep -i bash 
bash-3.2-33.el5_11.4

[root@melete ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

References

Some links related to the bash shellshock vulnerability.

Deploying an Agent from a Windows 12.1.0.4 OMS fails

I’ve just setup a new Oracle Enterprise Manager Cloud Control 12.1.0.4 on Windows Server 2008 R2 for Customer. It’s a small one system setup, which will be used to monitor a few Oracle Databases on Windows and Linux. After the successful setup I’ve tried to deploy agents from the console, using the AgentPull. I have already performed this several times successfully. But somehow it does not work with 12.1.0.4. It fails while creating the plugin archive…

Creation of the plugin archive “e:/oracle/product/gc_inst/em/EMGC_OMS1/sysman/agentpush//plugins/windows_x64/12.1.0.4.0_PluginsOneoffs_233.zip” failed. Check the log file e:/oracle/product/gc_inst/em/EMGC_OMS1/sysman/agentpush/logs/EMAgentPushLogger.log for more details

Solution

It seems, that 12.1.0.4 on windows does have issues creating the agent image when OMS_HOME is on a different drive than SCRATCHPATH.
In my installation the OMS_HOME is on drive D: whereas SCRATCHPATH is on drive C:. The solution is straight forward. I’ve just have to reconfigure the SCRATCHPATH in ssPaths_msplats.properties.

cd $OMS_HOME\oui\prov\resources\
cp ssPaths_msplats.properties ssPaths_msplats.properties.bck

vi ssPaths_msplats.properties

SCRATCHPATH=C:/tmpada

SCRATCHPATH=D:/tmpada

As soon as this has change you may re-deploy the agent from the console.

References

More details to this issue can be found in the MOS note and the related Bug / Patch:

  • EM 12c R4: Installing / Deploying An Agent from a Windows 12.1.0.4 OMS fails when the OMS ORACLE_HOME is not installed on the ‘C:’ drive [1681463.1]
  • GET_AGENTIMAGE SHOULD WORK WHEN OMSHOME IS IN DRIVE DIFFERENT FROM SCRATCHPATH 18938561

Oracle 12.1.0.2.0 Patchset released

About a week ago Oracle has released the first patchset 12.1.0.2.0 for Oracle 12c Release 1. So far the patch set is only available for Linux x86-64bit, Oracle Solaris SPARC 64bit and Oracle Solaris x86-64bit. You may download the Patchset on Oracle Software Delivery Cloud eDelivery.oracle.com, on Oracle Technology Network Oracle Database 12c Release 1 or on My Oracle Support as Patchset 17694377.

To download the full patch set you will have to download altogether 8 files. But in most cases you are interested in the first two ZIP files, which you need for the oracle Database. The other files are for Oracle Grid Infrastructure, Oracle Database Client, Oracle Gateways, Oracle Examples or Oracle GSM.

A bit special for this Patchset is, that it is only available as Oracle Enterprise Edition. Oracle Standard Edition and Standard Edition One will be available at a later stage. More information on this topic on MOS Note 1905806.1.

I will post more information on other platforms or editions as soon as it is available.

New Features

The first patch set for Oracle 12c Release 1 does mainly include a bunch of new feature for Oracle Pluggable Database, Caching and In-memory. Below a you find a list of the new features included in this patch set. Ludovico, a work colleague has already written a blog post about Oracle Database 12c in-memory option, a quick overview a few days ago.

  • Advanced Index Compression
  • Approximate Count Distinct
  • Attribute Clustering
  • Automatic Big Table Caching
  • FDA Support for CDBs
  • Full Database Caching
  • In-Memory Aggregation
  • In-Memory Column Store
  • JSON Support
  • New FIPS 140 Parameter for Encryption
  • PDB CONTAINERS Clause
  • PDB File Placement in OMF
  • PDB Logging Clause
  • PDB Metadata Clone
  • PDB Remote Clone
  • PDB Snapshot Cloning Additional Platform Support
  • PDB STANDBYS Clause
  • PDB State Management Across CDB Restart
  • PDB Subset Cloning
  • Rapid Home Provisioning
  • Zone Maps

Reference

A collection of a few important Metalink Notes, readme and other links related to Patchset 12.1.0.2.0: