Tag Archives: Trivadis Security eXperts

Oracle CPU / PSU Announcement January 2017

Oracle has published the first Critical Patch Update of 2017. It is quite a large update with no less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself, 5 security fixes are available: 2 for the Oracle Database Server and 3 for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two Oracle Database Server vulnerabilities is remotely exploitable without authentication, and none of these fixes apply to client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • OJVM
  • RDBMS Security / Local Logon

Overall, the PSU for the Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show whether there are any issues with this PSU or SPU.

It seems that a number of patches are not yet available. Oracle lists the following post-release patches beside the PSU and SPU for Oracle Database Server 11.2.0.4.

Patch Number | Patch                                                              | Platform                                  | Availability
24968615     | Database Proactive Bundle Patch 12.1.0.2.170117                    | HP-UX Itanium (64-Bit) & AIX (64-Bit)     | Expected: Wednesday 18-Jan-2017
25395111     | Oracle Application Testing Suite BP 12.5.0.1                       | All Platforms                             | Expected: Wednesday 18-Jan-2017
25115951     | Microsoft Windows BP 12.1.0.2.170117                               | Windows 32-Bit and x86-64                 | Expected: Tuesday 24-Jan-2017
25112498     | Oracle JavaVM Component Microsoft Windows Bundle Patch 12.1.0.2.170117 | Windows 32-Bit and x86-64             | Expected: Tuesday 24-Jan-2017
24918318     | Quarterly Full Stack download for Exadata (Jan2017) BP 12.1.0.2    | Linux x86-64 and Solaris x86-64           | Expected: Thursday 26-Jan-2017
24918333     | Quarterly Full Stack download for SuperCluster (Jan2017) BP 12.1.0.2 | Solaris SPARC 64-Bit                    | Expected: Thursday 26-Jan-2017

More details about the patch will follow soon on the Oracle Security Pages.

Losing the Oracle Wallet for Enterprise User Security

Having a reliable backup solution for your Transparent Data Encryption (TDE) or Enterprise User Security (EUS) wallets is beyond discussion. Nevertheless, it can happen that you lose or corrupt an Oracle Wallet. With Transparent Data Encryption (TDE) this is really bad luck, because you cannot access your encrypted data any more. Losing an EUS wallet, on the other hand, is not really an issue. You can remove the database from your EUS LDAP directory (Oracle Unified Directory OUD or Oracle Internet Directory OID) and re-register it. Although this is the fastest solution, it has some constraints: un-registering and re-registering the database means losing the EUS mappings. Alternatively you can manually create a new empty Oracle Wallet and reset the database password using dbca.

OK, first let's create a new empty wallet using mkstore:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -create
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter password:               
   
Enter password again:               

Alternatively you can use orapki to create an empty wallet. orapki is easier to use in scripts and supports auto login local wallets with -auto_login_local:

oracle@urania:/u00/app/oracle/ [TDB11A] orapki wallet create -wallet $ORACLE_BASE/admin/TDB11A/wallet/ -pwd <password> -auto_login
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Create an entry for the database distinguished name (DN). This step is necessary because dbca -regenerateDBPassword only creates the password entry, not a new DN entry:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -createEntry ORACLE.SECURITY.DN cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:               

Create an entry for the database password:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -createEntry ORACLE.SECURITY.PASSWORD manager
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:               
   

Recreate the database registration password using dbca:

oracle@urania:/u00/app/oracle/ [TDB11A] dbca -silent -configureDatabase -sourceDB TDB11A \
> -sysDBAUserName sys -sysDBAPassword <password> \
> -regenerateDBPassword true \
> -dirServiceUserName cn=orcladmin -dirServicePassword <password> \
> -walletPassword <password>
Preparing to Configure Database
6% complete
13% complete
66% complete
Completing Database Configuration
100% complete
Look at the log file "/u00/app/oracle/cfgtoollogs/dbca/TDB11A_SITE1/TDB11A11.log" for further details.

Verify the new password in the Oracle Wallet:

oracle@urania:/u00/app/oracle/ [TDB11A] mkstore -wrl $ORACLE_BASE/admin/TDB11A/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:               
   
ORACLE.SECURITY.PASSWORD = S6usUGSNb#P1

This password can now be used to verify the LDAP Bind with ldapsearch using the database DN and the password:

oracle@urania:/u00/app/oracle/ [TDB11A] ldapsearch -h localhost -p 1389  \
> -D 'cn=TDB11A_SITE1,cn=OracleContext,dc=postgasse,dc=org' -w S6usUGSNb#P1 \
> -b 'cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org' '(objectclass=*)'
cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=postgasse,dc=org
orclVersion=102000
objectClass=top
objectClass=orclContainer
objectClass=orclDBSecConfig
objectClass=orclDBSecConfig10i
orclDBVersionCompatibility=90000
cn=OracleDBSecurity
orclDBOIDAuthentication=PASSWORD

...

Or finally check login via SQLPlus as EUS user:

oracle@urania:/u00/app/oracle/ [TDB11A] sqh

SQL*Plus: Release 11.2.0.4.0 Production on Wed Sep 14 10:22:28 2016

Copyright (c) 1982, 2013, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> conn soe
Enter password: 
Connected.
SQL> @sousrinf
Database Information
--------------------
- DB_NAME		: TDB11A
- DB_DOMAIN		: postgasse.org
- INSTANCE		: 1
- INSTANCE_NAME 	: TDB11A
- SERVER_HOST		: urania
-
Authentification Information
----------------------------
- SESSION_USER		: EUS_USER
- PROXY_USER		:
- AUTHENTICATION_METHOD : PASSWORD
- IDENTIFICATION_TYPE	: GLOBAL SHARED
- NETWORK_PROTOCOL	:
- OS_USER		: oracle
- AUTHENTICATED_IDENTITY: SOE
- ENTERPRISE_IDENTITY	: cn=soe,cn=People,dc=postgasse,dc=org
-
Other Information
-----------------
- ISDBA 		: FALSE
- CLIENT_INFO		:
- PROGRAM		: sqlplus@urania.postgasse.org (TNS V1-V3)
- MODULE		: SQL*Plus
- IP_ADDRESS		:
- SID			: 410
- SERIAL#		: 925
- SERVER		: DEDICATED
- TERMINAL		: pts/2

PL/SQL procedure successfully completed.

Depending on your Oracle directory it may happen that you run into ORA-28030. This can happen if your password profile on the directory server has "Reset Password on Next Login" defined. To work around this issue you have to temporarily disable "Reset Password on Next Login" in the password profile. This issue is also discussed in MOS Note 558119.1 ORA-28030 After Regenerating Wallet Password Using dbca.
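The recovery above as one script, added here as an example and not code from the original post. It follows the same four steps (empty auto-login wallet, DN entry, placeholder password entry, dbca -regenerateDBPassword) but moves whatever is left of the old wallet aside first, so a recovery run against the wrong directory can still be rolled back. The database name, registration name (the cn of the database entry), base DN and the directory admin cn=orcladmin are taken from the post; the function names are hypothetical, the passwords are read from the environment variables WALLET_PWD, SYS_PWD and DIR_PWD, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Recreate an EUS wallet (added example; helper names are hypothetical).
# usage: sh recover_eus_wallet.sh TDB11A TDB11A_SITE1 dc=postgasse,dc=org $ORACLE_BASE/admin/TDB11A/wallet

# run CMD...: execute CMD, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# eus_db_dn REGNAME BASEDN: DN under which the database is registered in the
# directory, e.g. eus_db_dn TDB11A_SITE1 dc=postgasse,dc=org
eus_db_dn() {
    printf 'cn=%s,cn=OracleContext,%s\n' "$1" "$2"
}

# backup_wallet DIR: move an existing (possibly corrupt) wallet directory to
# DIR.bak.XXXXXX and recreate DIR empty. Prints the backup path, or nothing
# when there was no wallet to keep.
backup_wallet() {
    dir=${1%/}
    if [ -d "$dir" ]; then
        bak=$(mktemp -d "$dir.bak.XXXXXX") || return 1
        rmdir "$bak" && mv "$dir" "$bak" || return 1
        printf '%s\n' "$bak"
    fi
    mkdir -p "$dir"
}

# recover_eus_wallet DB REGNAME BASEDN WALLETDIR: the post's steps in order.
recover_eus_wallet() {
    db=$1 regname=$2 base=$3 wallet=$4
    dn=$(eus_db_dn "$regname" "$base")
    backup_wallet "$wallet" >/dev/null || return 1
    # 1. empty auto-login wallet (orapki takes the password as an argument, as in the post)
    run orapki wallet create -wallet "$wallet" -pwd "$WALLET_PWD" -auto_login
    # 2. DN entry, which dbca -regenerateDBPassword does not create
    #    (mkstore prompts for the wallet password)
    run mkstore -wrl "$wallet" -createEntry ORACLE.SECURITY.DN "$dn"
    # 3. placeholder password entry, replaced by dbca in the next step
    run mkstore -wrl "$wallet" -createEntry ORACLE.SECURITY.PASSWORD manager
    # 4. let dbca generate the new registration password and store it in wallet and directory
    run dbca -silent -configureDatabase -sourceDB "$db" \
        -sysDBAUserName sys -sysDBAPassword "$SYS_PWD" \
        -regenerateDBPassword true \
        -dirServiceUserName cn=orcladmin -dirServicePassword "$DIR_PWD" \
        -walletPassword "$WALLET_PWD"
    # 5. show the stored password so the bind can be verified with ldapsearch
    run mkstore -wrl "$wallet" -viewEntry ORACLE.SECURITY.PASSWORD
}

if [ "$#" -eq 4 ]; then
    recover_eus_wallet "$@"
fi
```

Note that DRY_RUN output and the dbca/orapki command lines carry the passwords as arguments, exactly as in the post's interactive session; on a shared host prefer the prompting mkstore variant for the wallet password and clear the shell history afterwards.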

Oracle CPU / PSU Pre-Release Announcement July 2016

Oracle has published the Pre-Release Announcement for the July 2016 Critical Patch Update. It is quite a large update with no less than 276 security vulnerability fixes across the Oracle products. For the Oracle Database itself, 9 security fixes are available. This is again one of the larger Critical Patch Updates for databases. It does contain bug fixes for some major security issues. Five of the vulnerabilities are remotely exploitable without authentication. The security bug fixes are for the Oracle Database Server as well as for client-only installations; three of the security fixes are for client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • Application Express
  • Data Pump Import
  • Database Vault
  • DB Sharding
  • JDBC
  • OJVM
  • Portable Clusterware
  • RDBMS Core

We will see all the details next Tuesday when Oracle officially releases the Critical Patch Update for July 2016. Next week I'll have a closer look and do some test installations.

More details about the patch will follow soon on the Oracle Security Pages.

Trivadis Schwaben Gipfel – Die neue EU Datenschutzverordnung

Just finished my first presentation at the Trivadis Schwaben-Gipfel in Stuttgart together with Florian van Keulen and Aleksander Widera. It is about the new European General Data Protection Regulation (EU GDPR) and a few considerations on its impact on databases. The slides are available for download: Schwaben-Gipfel Die neue EU Datenschutz Verordnung.pdf.

Some impressions from the event and my presentation.


Change LDAPS Port for OUD

Due to a typo I’ve configured the wrong port for the LDAPS connection handler on my OUD instance. But this is actually not a problem and can be corrected easily. First let’s verify the current settings of the LDAPS connection handler.

oracle@urania:~/ [oud_eus] dsconfig -h localhost -p 4444 -D "cn=Directory Manager" \
-j $ORACLE_HOME/OUD/config/pwd.txt --trustAll --no-prompt \
get-connection-handler-prop --handler-name "LDAPS Connection Handler"

Property               : Value(s)
-----------------------:-------------------------------------------------------
allow-ldap-v2          : true
allow-start-tls        : false
allowed-client         : -
denied-client          : -
enabled                : true
keep-stats             : true
key-manager-provider   : JKS
listen-address         : 0.0.0.0
listen-port            : 1689
ssl-cert-nickname      : -
ssl-cipher-suite       : jvm, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
                       : SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
                       : SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
                       : SSL_DH_anon_WITH_DES_CBC_SHA,
                       : SSL_DH_anon_WITH_RC4_128_MD5
ssl-client-auth-policy : optional
ssl-protocol           : -
trust-manager-provider : JKS
use-ssl                : true

Set the new listen-port to 1636 using dsconfig for the LDAPS connection handler.

oracle@urania:~/ [oud_eus] dsconfig -h localhost -p 4444 -D "cn=Directory Manager" \
-j $ORACLE_HOME/OUD/config/pwd.txt --trustAll \
set-connection-handler-prop --handler-name "LDAPS Connection Handler" \
--set listen-port:1636 --no-prompt    

Unfortunately, a restart of the OUD instance is required for the new settings to take effect. This can be done with stop-ds --restart. For better readability I left out a large part of the output in the following example.

oracle@urania:~/ [oud_eus] stop-ds --restart
Stopping Server...

[12/Jul/2016:23:15:09 +0200] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
[12/Jul/2016:23:15:09 +0200] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID 458887):  The Directory Server has started successfully

Use dsconfig again to get the new settings of the LDAPS connection handler. As you can see, the listen-port is now set to 1636.

oracle@urania:~/ [oud_eus] dsconfig -h localhost -p 4444 -D "cn=Directory Manager" \
-j $ORACLE_HOME/OUD/config/pwd.txt --trustAll --no-prompt \
get-connection-handler-prop --handler-name "LDAPS Connection Handler"

Property               : Value(s)
-----------------------:-------------------------------------------------------
allow-ldap-v2          : true
allow-start-tls        : false
allowed-client         : -
denied-client          : -
enabled                : true
keep-stats             : true
key-manager-provider   : JKS
listen-address         : 0.0.0.0
listen-port            : 1636
ssl-cert-nickname      : -
ssl-cipher-suite       : jvm, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
                       : SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
                       : SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
                       : SSL_DH_anon_WITH_DES_CBC_SHA,
                       : SSL_DH_anon_WITH_RC4_128_MD5
ssl-client-auth-policy : optional
ssl-protocol           : -
trust-manager-provider : JKS
use-ssl                : true

Or just run an ldapsearch against the new LDAPS port.

oracle@urania:~/ [oud_eus] ldapsearch -h localhost -p 1636 -D "cn=Directory Manager" \
--useSSL --trustAll -j $ORACLE_HOME/OUD/config/pwd.txt \
-s base -b 'dc=postgasse,dc=org' 'objectclass=*'

dn: dc=postgasse,dc=org
orclversion: 90400
dc: postgasse
orclsubscriberfullname: postgasse
objectclass: top
objectclass: orclSubscriber
objectclass: domain

Of course it is possible with this method to change other parameters of the different connection handlers as well.

Information on dsconfig can be found in the Oracle® Fusion Middleware Administering Oracle Unified Directory 11g Release 2 (11.1.2) A.2.4 dsconfig. See more OraDBA sticky notes.
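The post verifies the change by reading the dsconfig listing by eye. The following script is an added example, not code from the original post or from OUD: it parses the "Property : Value(s)" listing that dsconfig get-connection-handler-prop prints (including continuation lines such as the ssl-cipher-suite value), checks that the handler listens on the expected port with SSL enabled, and lists configured cipher-suite names that are anonymous, export-grade or RC4/DES/MD5-based. The embedded sample is the handler output shown above, shortened to the relevant lines; "jvm" in the cipher-suite value stands for the JVM default set and is not a suite name. Whether the JVM actually negotiates the listed SSL_DH_anon suites is not checked here (assumption: it is worth knowing they are configured at all). Function names are hypothetical.

```shell
#!/bin/sh
# Check an OUD connection handler from dsconfig output (added example).
# Live use: dsconfig ... get-connection-handler-prop --handler-name "LDAPS Connection Handler" | check_ldaps_port 1636

# Constructed sample: the LDAPS handler listing from the post, shortened.
SAMPLE='Property               : Value(s)
-----------------------:-------------------------------------------------------
allow-ldap-v2          : true
enabled                : true
listen-address         : 0.0.0.0
listen-port            : 1636
ssl-cipher-suite       : jvm, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
                       : SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
                       : SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
                       : SSL_DH_anon_WITH_DES_CBC_SHA,
                       : SSL_DH_anon_WITH_RC4_128_MD5
ssl-client-auth-policy : optional
use-ssl                : true'

# dsconfig_prop NAME: read dsconfig output on stdin and print the value of
# property NAME. Continuation lines (starting with ":") are joined with
# single spaces; separating and trailing commas are removed.
dsconfig_prop() {
    awk -v prop="$1" '
        /^[a-z][a-z0-9-]* *: / { current = $1 }
        {
            line = $0
            sub(/^[^:]*: */, "", line)
            gsub(/, /, " ", line)
            sub(/,? *$/, "", line)
            if (current == prop && line != "")
                val = val (val == "" ? "" : " ") line
        }
        END { print val }'
}

# check_ldaps_port EXPECTED: succeed only when the handler on stdin listens
# on EXPECTED and has use-ssl set to true.
check_ldaps_port() {
    out=$(cat)
    port=$(printf '%s\n' "$out" | dsconfig_prop listen-port)
    ssl=$(printf '%s\n' "$out" | dsconfig_prop use-ssl)
    [ "$port" = "$1" ] && [ "$ssl" = "true" ]
}

# weak_ciphers: print configured cipher-suite names that are anonymous
# (no server authentication), export-grade, or based on RC4, DES or MD5.
weak_ciphers() {
    dsconfig_prop ssl-cipher-suite | tr ' ' '\n' |
        grep -E '_anon_|_EXPORT_|_DES_|_DES40_|_RC4_|_MD5$' || true
}

# stand-alone run: check the embedded sample
printf '%s\n' "$SAMPLE" | check_ldaps_port 1636 && echo "LDAPS handler listens on 1636"
printf '%s\n' "$SAMPLE" | weak_ciphers
```

The same parser works for any other handler property, so the post's final remark (other handlers, other parameters) can be verified the same way, for example by piping the LDAP handler listing into dsconfig_prop allow-start-tls.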

Change default JAVA_HOME for OUD Instance

I just had a situation where I had to change the JAVA_HOME for my Oracle Unified Directory (OUD) instance. Although this is quite simple, this blog post serves as my “sticky note”.

During the setup of my OUD instance I set the wrong JAVA_HOME: I used JDK 1.8 instead of the recommended JRE 1.7. OUD does work well with Java 1.8, but it is just not a "certified configuration", and you never know which bug is coming next 😉. Because my OUD instance is used in production, I decided to change it back to JRE 1.7 Update 101. If your OUD server runs for a couple of months, Java has to be updated regularly anyway due to vulnerabilities.

The JVM and Java arguments for each command are specified in a properties file, INSTANCE_DIR/OUD/config/java.properties. To adjust the JVM settings, the OUD instance must of course be stopped. The new settings are then applied with dsjavaproperties.

First set the proper default Java Home. I will use JRE 1.7 Update 101.

oracle@urania:~/ [oud_eus] vi $ORACLE_HOME/OUD/config/java.properties

default.java-home=/u00/app/oracle/product/java/jre1.7.0_101

Stop the Directory Server using stop-ds.

oracle@urania:~/ [oud_eus] stop-ds
Stopping Server...

[12/Jul/2016:17:43:28 +0200] category=BACKEND severity=NOTICE msgID=9896306 msg=The backend cn=OIDCompatibility,cn=Workflow Elements,cn=config is now taken offline
[12/Jul/2016:17:43:28 +0200] category=BACKEND severity=NOTICE msgID=9896306 msg=The backend cn=OracleContext0,cn=Workflow elements,cn=config is now taken offline
[12/Jul/2016:17:43:29 +0200] category=BACKEND severity=NOTICE msgID=9896306 msg=The backend cn=userRoot,cn=Workflow Elements,cn=config is now taken offline
[12/Jul/2016:17:43:29 +0200] category=BACKEND severity=NOTICE msgID=9896306 msg=The backend cn=virtualAcis,cn=Workflow Elements,cn=config is now taken offline
[12/Jul/2016:17:43:29 +0200] category=CORE severity=NOTICE msgID=458955 msg=The Directory Server is now stopped

Apply new java configuration with dsjavaproperties.

oracle@urania:~/ [oud_eus] dsjavaproperties 
The operation was successful.  The server commands will use the java arguments
and java home specified in the properties file located in
/u00/app/oracle/product/middleware/oud_instances/oud_eus/OUD/config/java.properties

Start the Directory Server using start-ds.

oracle@urania:~/ [oud_eus] start-ds
[12/Jul/2016:17:44:09 +0200] category=CORE severity=INFORMATION msgID=132 msg=The Directory Server is beginning the configuration bootstrapping process
[12/Jul/2016:17:44:11 +0200] category=CORE severity=NOTICE msgID=458886 msg=Oracle Unified Directory 11.1.2.3.160419 (build 20160315213404Z, R1603151302) starting up
[12/Jul/2016:17:44:17 +0200] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381717 msg=Installation Directory:  /u00/app/oracle/product/middleware/oud_11.1.2.3.0
[12/Jul/2016:17:44:17 +0200] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381719 msg=Instance Directory:      /u00/app/oracle/product/middleware/oud_instances/oud_eus/OUD
[12/Jul/2016:17:44:17 +0200] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381713 msg=JVM Information: 1.7.0_101-b14 by Oracle Corporation, 64-bit architecture, 121634816 bytes heap size
[12/Jul/2016:17:44:17 +0200] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381714 msg=JVM Host: urania.postgasse.org, running Linux 4.1.12-37.4.1.el6uek.x86_64 amd64, 3875069952 bytes physical memory size, number of processors available 2
[12/Jul/2016:17:44:17 +0200] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381715 msg=JVM Arguments: "-Xms130m", "-Xmx130m", "-Dorg.opends.server.scriptName=start-ds"
[12/Jul/2016:17:44:17 +0200] category=ACCESS_CONTROL severity=INFORMATION msgID=12582978 msg=Added 16 Global Access Control Instruction (ACI) attribute types to the access control evaluation engine
[12/Jul/2016:17:44:18 +0200] category=BACKEND severity=INFORMATION msgID=9437595 msg=Local DB backend OracleContext0 does not specify the number of lock tables: defaulting to 97
[12/Jul/2016:17:44:18 +0200] category=BACKEND severity=INFORMATION msgID=9437594 msg=Local DB backend OracleContext0 does not specify the number of cleaner threads: defaulting to 24 threads
[12/Jul/2016:17:44:18 +0200] category=BACKEND severity=INFORMATION msgID=9437615 msg=Local DB backend OracleContext0 does not specify the percentage of the heap space to allocate to the database cache: defaulting to 35 percent
[12/Jul/2016:17:44:18 +0200] category=BACKEND severity=INFORMATION msgID=9437613 msg=Local DB backend OracleContext0 does not specify the size of the file handle cache: sizing automatically to use 100 file descriptors
[12/Jul/2016:17:44:19 +0200] category=JEB severity=NOTICE msgID=8847402 msg=The database backend cn=OracleContext0,cn=Workflow elements,cn=config containing 82 entries has started
[12/Jul/2016:17:44:19 +0200] category=ACCESS_CONTROL severity=INFORMATION msgID=12582962 msg=Added 5 Access Control Instruction (ACI) attribute types found in context "cn=OracleContext,dc=postgasse,dc=org" to the access control evaluation engine
[12/Jul/2016:17:44:19 +0200] category=BACKEND severity=INFORMATION msgID=9437595 msg=Local DB backend virtualAcis does not specify the number of lock tables: defaulting to 97
[12/Jul/2016:17:44:19 +0200] category=JEB severity=NOTICE msgID=8847402 msg=The database backend cn=virtualAcis,cn=Workflow Elements,cn=config containing 0 entries has started
[12/Jul/2016:17:44:20 +0200] category=BACKEND severity=INFORMATION msgID=9437595 msg=Local DB backend userRoot does not specify the number of lock tables: defaulting to 97
[12/Jul/2016:17:44:20 +0200] category=BACKEND severity=INFORMATION msgID=9437594 msg=Local DB backend userRoot does not specify the number of cleaner threads: defaulting to 24 threads
[12/Jul/2016:17:44:20 +0200] category=BACKEND severity=INFORMATION msgID=9437615 msg=Local DB backend userRoot does not specify the percentage of the heap space to allocate to the database cache: defaulting to 35 percent
[12/Jul/2016:17:44:20 +0200] category=BACKEND severity=INFORMATION msgID=9437613 msg=Local DB backend userRoot does not specify the size of the file handle cache: sizing automatically to use 100 file descriptors
[12/Jul/2016:17:44:20 +0200] category=JEB severity=NOTICE msgID=8847402 msg=The database backend cn=userRoot,cn=Workflow Elements,cn=config containing 141 entries has started
[12/Jul/2016:17:44:21 +0200] category=BACKEND severity=INFORMATION msgID=9437595 msg=Local DB backend OIDCompatibility does not specify the number of lock tables: defaulting to 97
[12/Jul/2016:17:44:21 +0200] category=BACKEND severity=INFORMATION msgID=9437594 msg=Local DB backend OIDCompatibility does not specify the number of cleaner threads: defaulting to 24 threads
[12/Jul/2016:17:44:21 +0200] category=BACKEND severity=INFORMATION msgID=9437615 msg=Local DB backend OIDCompatibility does not specify the percentage of the heap space to allocate to the database cache: defaulting to 35 percent
[12/Jul/2016:17:44:21 +0200] category=BACKEND severity=INFORMATION msgID=9437613 msg=Local DB backend OIDCompatibility does not specify the size of the file handle cache: sizing automatically to use 100 file descriptors
[12/Jul/2016:17:44:22 +0200] category=JEB severity=NOTICE msgID=8847402 msg=The database backend cn=OIDCompatibility,cn=Workflow Elements,cn=config containing 29 entries has started
[12/Jul/2016:17:44:22 +0200] category=ACCESS_CONTROL severity=INFORMATION msgID=12582962 msg=Added 10 Access Control Instruction (ACI) attribute types found in context "cn=OracleContext" to the access control evaluation engine
[12/Jul/2016:17:44:22 +0200] category=ACCESS_CONTROL severity=INFORMATION msgID=12582962 msg=Added 1 Access Control Instruction (ACI) attribute types found in context "cn=OracleSchemaVersion" to the access control evaluation engine
[12/Jul/2016:17:44:22 +0200] category=EXTENSIONS severity=INFORMATION msgID=1048797 msg=DIGEST-MD5 SASL mechanism using a server fully qualified domain name of: urania.postgasse.org
[12/Jul/2016:17:44:22 +0200] category=CORE severity=INFORMATION msgID=731 msg=LDAP Connection Handler 0.0.0.0 port 1389 does not specify the number of request handler threads: sizing automatically to use 8 threads
[12/Jul/2016:17:44:22 +0200] category=CORE severity=INFORMATION msgID=731 msg=LDAP Connection Handler 0.0.0.0 port 1636 does not specify the number of request handler threads: sizing automatically to use 8 threads
[12/Jul/2016:17:44:22 +0200] category=CORE severity=INFORMATION msgID=720 msg=No worker queue thread pool size specified: sizing automatically to use 24 threads
[12/Jul/2016:17:44:23 +0200] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on Administration Connector 0.0.0.0 port 4444
[12/Jul/2016:17:44:23 +0200] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1389
[12/Jul/2016:17:44:23 +0200] category=PROTOCOL severity=NOTICE msgID=2556180 msg=Started listening for new connections on LDAP Connection Handler 0.0.0.0 port 1636
[12/Jul/2016:17:44:23 +0200] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
[12/Jul/2016:17:44:23 +0200] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID 458887):  The Directory Server has started successfully

Information on dsjavaproperties can be found in the Oracle® Fusion Middleware Administering Oracle Unified Directory 11g Release 2 (11.1.2) A.2.5 dsjavaproperties.
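The edit above is done by hand in vi. As an added example, not code from the original post or from OUD, the script below sets default.java-home without leaving a second, conflicting line behind, keeps a backup of java.properties, refuses a Java home that has no executable bin/java, and reads the JVM version back out of the start-ds output (the "JVM Information" line shown above) so the change can be confirmed from the log. The stop/edit/dsjavaproperties/start sequence is the post's; the instance command paths INSTANCE_DIR/OUD/bin are assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Change the default Java home of an OUD instance (added example).
# usage: sh oud_java_home.sh /u00/app/oracle/product/middleware/oud_instances/oud_eus /u00/app/oracle/product/java/jre1.7.0_101

# Constructed sample: the JVM line from the post's start-ds output.
LOG_SAMPLE='[12/Jul/2016:17:44:17 +0200] category=RUNTIME_INFORMATION severity=NOTICE msgID=20381713 msg=JVM Information: 1.7.0_101-b14 by Oracle Corporation, 64-bit architecture, 121634816 bytes heap size'

# set_default_java_home FILE JAVAHOME: replace the existing default.java-home
# line or append one; the previous file is kept as FILE.bak.
set_default_java_home() {
    file=$1 jhome=$2
    [ -x "$jhome/bin/java" ] || { echo "$jhome/bin/java is not executable" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    awk -v jh="$jhome" '
        /^default\.java-home=/ { print "default.java-home=" jh; done = 1; next }
        { print }
        END { if (!done) print "default.java-home=" jh }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# current_java_home FILE: print the configured default Java home.
current_java_home() {
    sed -n 's/^default\.java-home=//p' "$1" | tail -n 1
}

# jvm_from_log: read start-ds output on stdin and print the JVM version it
# reports, e.g. 1.7.0_101-b14
jvm_from_log() {
    sed -n 's/.*msg=JVM Information: \([^ ]*\) .*/\1/p' | tail -n 1
}

# apply_java_home INSTANCE_DIR JAVAHOME: the post's sequence, stop -> edit ->
# dsjavaproperties -> start, printing the JVM the server actually came up with.
apply_java_home() {
    inst=$1
    "$inst/OUD/bin/stop-ds" &&
    set_default_java_home "$inst/OUD/config/java.properties" "$2" &&
    "$inst/OUD/bin/dsjavaproperties" &&
    "$inst/OUD/bin/start-ds" | jvm_from_log
}

if [ "$#" -eq 2 ]; then
    apply_java_home "$1" "$2"
fi
```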

More short blog posts will be marked as sticky notes in the future. I have enough ideas for future short posts or sticky notes, but time to write them is another story…

Using Kerberos in Oracle Standard Edition

Since the release of Oracle 12cR1 in mid 2013, the network encryption and strong authentication services have been removed from the Oracle Advanced Security Option. Both features are now available in any licensed edition. The corresponding sections in the Oracle Licensing Guides for 11g R2 and 12c R1 have been updated:

Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Oracle Network Encryption works quite well for Standard or Enterprise Edition, even with the Instant Client. But there is no Kerberos support available in Oracle 11.2.0.4 Standard Edition or any other 11g SE release. This can be verified on the command line with the command adapters:

oracle@urania:/u00/app/oracle/product/11.2.0.4se/lib/ [TDB11B] adapters

Installed Oracle Net transport protocols are:

    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB

Installed Oracle Net naming methods are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
    Oracle Names Server Naming

Installed Oracle Advanced Security options are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming

There is a MOS Note 2145731.1 which describes how to enable the RADIUS adapter. The same method can be used to enable Kerberos as well, even though another MOS Note 2028070.1 states that Kerberos is not available in Standard Edition.

The RADIUS and Kerberos adapters are part of the object file nautab.o. In $ORACLE_HOME/lib there are two object files, nautab.o and nautab_ee.o.dbl:

oracle@urania:~/ [TDB11B] ls -al $ORACLE_HOME/lib/naut*
-rw-r--r--. 1 oracle users 4864 Jul 15  2013 /u00/app/oracle/product/11.2.0.4se/lib/nautab_ee.o.dbl
-rw-r--r--. 1 oracle users 4520 Jul  1 18:01 /u00/app/oracle/product/11.2.0.4se/lib/nautab.o

To get Kerberos support you just have to replace nautab.o with nautab_ee.o.dbl, keeping a copy of the original…:

oracle@urania:~/ [TDB11B] cp $ORACLE_HOME/lib/nautab.o $ORACLE_HOME/lib/nautab_se.o.dbl
oracle@urania:~/ [TDB11B] cp $ORACLE_HOME/lib/nautab_ee.o.dbl $ORACLE_HOME/lib/nautab.o

oracle@urania:~/ [TDB11B] ls -al $ORACLE_HOME/lib/naut*
-rw-r--r--. 1 oracle users 4864 Jul 15  2013 /u00/app/oracle/product/11.2.0.4se/lib/nautab_ee.o.dbl
-rw-r--r--. 1 oracle users 4864 Jul  1 19:54 /u00/app/oracle/product/11.2.0.4se/lib/nautab.o
-rw-r--r--. 1 oracle users 4520 Jul  1 19:54 /u00/app/oracle/product/11.2.0.4se/lib/nautab_se.o.dbl

… and relink the binaries:

oracle@urania:~/ [TDB11B] relink all
writing relink log to: /u00/app/oracle/product/11.2.0.4se/install/relink.log

As you can see, the command adapters now shows the RADIUS and Kerberos adapters:

oracle@urania:~/ [TDB11B] adapters

Installed Oracle Net transport protocols are:

    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB

Installed Oracle Net naming methods are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
    Oracle Names Server Naming

Installed Oracle Advanced Security options are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    RADIUS authentication

As of now Kerberos can be configured and used as usual. If for some reason okinit and oklist are also required, they must be copied from an existing Oracle 11g Enterprise Edition installation, as by default they are not part of a Standard Edition. So let's copy the binaries and the corresponding message files:

oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/bin/oklist 11.2.0.4se/bin/oklist
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/bin/okinit 11.2.0.4se/bin/okinit
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/bin/okdstry 11.2.0.4se/bin/okdstry
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/network/mesg/naukus.msb 11.2.0.4se/network/mesg/naukus.msb
oracle@urania:/u00/app/oracle/product/ [TDB11B] cp 11.2.0.4/network/mesg/naukus.msg 11.2.0.4se/network/mesg/naukus.msg

Now you can use Kerberos as you want. You just have to struggle with the usual Kerberos issues and bugs 🙂 But more on them here: kerberos.
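Because a later patch or relink can put the original nautab.o back, it is worth being able to repeat the object swap and to check the result by script rather than by reading the adapters listing. The following is an added example, not code from the original post or from Oracle: adapter_present parses the output of adapters, and swap_nautab performs the copy shown above but only writes nautab_se.o.dbl on the first run, so the Standard Edition object is never overwritten by a repeated swap. The two adapters listings are constructed from the post's output, shortened; the file names are the post's, the function names are hypothetical, and enable_kerberos_se assumes relink and adapters live in $ORACLE_HOME/bin.

```shell
#!/bin/sh
# Swap nautab.o for the EE variant and verify via "adapters" (added example).
# usage: sh enable_kerberos_se.sh /u00/app/oracle/product/11.2.0.4se

# Constructed samples: Advanced Security section of "adapters" before and after.
ADAPTERS_BEFORE='Installed Oracle Advanced Security options are:

    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
'
ADAPTERS_AFTER="${ADAPTERS_BEFORE}    Kerberos v5 authentication
    RADIUS authentication
"

# adapter_present NAME: read "adapters" output on stdin; succeed when NAME
# (for example "Kerberos v5 authentication") is listed under the Advanced
# Security options.
adapter_present() {
    awk -v want="$1" '
        /^Installed Oracle Advanced Security options/ { in_aso = 1; next }
        /^Installed / { in_aso = 0 }
        in_aso {
            line = $0
            sub(/^ +/, "", line)
            sub(/ +$/, "", line)
            if (line == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# swap_nautab LIBDIR: keep the current SE object as nautab_se.o.dbl (first
# run only) and install nautab_ee.o.dbl as nautab.o. Succeeds only when
# nautab.o afterwards matches the EE object byte for byte.
swap_nautab() {
    lib=$1
    [ -f "$lib/nautab_ee.o.dbl" ] || { echo "no nautab_ee.o.dbl in $lib" >&2; return 1; }
    if [ ! -f "$lib/nautab_se.o.dbl" ]; then
        cp -p "$lib/nautab.o" "$lib/nautab_se.o.dbl" || return 1
    fi
    cp -p "$lib/nautab_ee.o.dbl" "$lib/nautab.o" || return 1
    cmp -s "$lib/nautab.o" "$lib/nautab_ee.o.dbl"
}

# enable_kerberos_se ORACLE_HOME: swap, relink, and confirm from "adapters".
enable_kerberos_se() {
    swap_nautab "$1/lib" &&
    "$1/bin/relink" all &&
    "$1/bin/adapters" | adapter_present "Kerberos v5 authentication"
}

if [ "$#" -eq 1 ]; then
    enable_kerberos_se "$1"
fi
```

The adapter_present check alone is the useful part after every PSU: piping $ORACLE_HOME/bin/adapters into it from a post-patch script tells you whether the relink silently dropped Kerberos again.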

References

Some links related to this topic.

  • Oracle® Database Licensing Information User Manual 12c Release 1 (12.1) Oracle Advanced Security
  • Oracle® Database Licensing Information 11g Release 2 (11.2) Oracle Advanced Security
  • How To Enable Radius Adapter In Oracle Database 11g Standard Edition [2145731.1]
  • Kerberos Authentication On Standard Edition [2028070.1]
  • Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC [1304004.1]

Ad: Der Oracle DBA – Handbuch für die Administration der Oracle Database 12c

The 2nd revised edition of Der Oracle DBA will finally be released in a couple of days; pre-orders are already possible. It took quite a while until the publication of this release: work on the second edition began a year ago. This edition is again written in German and published by Hanser.

Who are the authors? Several colleagues of mine at Trivadis, Mirko Hotzy, Christian Antognini, Markus Flechtner, Andreas Karlin and Daniel Steiger, as well as Andrea Held, Marek Adar, Ronny Egner and Angelika Gallwitz, and myself.

For my part, I wrote the chapter on database security. A PDF with the preface, the first chapter "Schnelleinstieg", the table of contents and the index is available as a preview. Additional information, in particular on Oracle Database Security, will be posted on this site.

DOAG Databank 2016

Just finished my presentation about Enterprise User Security at the DOAG Datenbank 2016 in Düsseldorf. It is about how to set up and use Enterprise User Security with Oracle Unified Directory. The slides are available for download: DOAG__EUS_mit_OUD_Oehrli.pdf. Thanks to Florian I can also offer some, OK one, "impressions" from my presentation 🙂 As promised in my presentation, I'll post some more information from my engineering and tests on Oracle Unified Directory in the next weeks. All of them will be tagged with Oracle Unified Directory.


DOAG SIG Security Mannheim 2016

A bit more than two weeks ago I finished my presentation about Security Probleme und deren Risikobewertung at the DOAG SIG Security in Mannheim. It is about database and data classification, risk assessment and how risks can be minimized. The slides are available for download: DOAG_SIG_Security_Security_Wieviel_darf_es_sein.pdf.