Oracle Password Repository

I checked this tool today :

This tool provide a simple way of not hardcoding passwords in shell scripts. Hardcoding passwords in shell scripts is a bad practice. The source code may be shared by many developers, may resides on unsecure servers (CVS), may be printed, etc… The passwords may change often too.

This tool uses a simple file to stores the passwords encrypted. Well, I urge you to secure this file to make it non-accessible for others.

I am not going to decode nor rate the encryption algorythm, the fact is, you do not have clear text passwords. It could be also possible to have clear text password in a separate text file, which would not be that less secure, but it is ugly.

To make it clear (I hope), it is a 2-ways encryption, so if you have access to the file and the source code of the algorythm, you can crack the password. Sounds weak? Well, Oracle Proxy Users with Internet Directory, Application Server, Portal and all those products are not much different. The only 100% passwordless solution I am aware of is the external OS identification.

Well, that said, let’s look how it works.

# ./configure
# make
# make install

let’s create the repository

$ export OPRREPOS=$ORACLE_HOME/dbs/oprrepos
$ opr -c

store the password for scott on LSC01

$ opr -a LSC01 SCOTT lsc
please enter the password :
please re-enter the password :
entry (LSC01, scott, lsc) added.

let’s test

$ sqlplus scott/$(opr -r LSC01 SCOTT)@LSC01

SQL*Plus: Release - Production on Tue Jul 25 13:51:48 2006

Copyright (c) 1982, 2005, Oracle.  All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release - Production
With the Partitioning, OLAP and Data Mining options

This is quite convenient. I will use this to store the RMAN password to connect to the RMAN repository in my backup scripts

Installation Oracle on Suse Linux Enterprise 10

How neat is Suse!

I downloaded the DVD SLES10 on At the installation time, appart from Gnome, Development, X Window, there are a few new categories. One of them is called Oracle Database, and guess what, it installs all what I needed for Oracle. It creates an oracle account, with oinstall as primary group and dba as secondary group, it sets usefull things like ORACLE_HOME.

Ok, let’s unlock the account

chltlxlsc1:~ # usermod -s /bin/bash oracle
chltlxlsc1:~ # passwd oracle
Changing password for oracle.
New Password:
Reenter New Password:
Password changed.

Ok, let’s install. SLES10 is not recognized as a certified OS yet. The DISPLAY thing has to be manually set too.

oracle@chltlxlsc1:~> ./runInstaller  -ignoreSysPrereqs
Starting Oracle Universal Installer...

Checking installer requirements...

Checking operating system version: must be redhat-3, SuSE-9, 
redhat-4, UnitedLinux-1.0, asianux-1 or asianux-2
                                      Failed <<<<

>>> Ignoring required pre-requisite failures. Continuing...

this is one of the friendliest installation I have ever made…

indian readers

I am aware indian and pakistan ISP did block access to blogspot blogs. There are some workaround available on google, for example to access my site from Pakistan, you may be able to use pkblogs

I am quite sad about this, I used to have a lot of access from India in the past (according to, and this is quite a limiting move for the indian Internet community.

Update: only relevant to my old blogger blog

oracle partner workshop : database 10g

Last month I had an application server seminar I blogged in SOA . Yesterday it was database 10g day.

First we had exactly the same talk about EMEA marketing, vision, partner and blabla for one hour. I did not expect to hear this comparison between Oracle Database and the C: prompt (origin) and fusion and mswin (ultimative achievement)… I almost told him than the C: prompt was not the first think to appear in MSDOS, but the A: prompt, well, if I will say it next time 😉

We heared about partitioning, parallel query, real application cluster, flashback database, undo management, in about 250 powerpoint slides and not a single line of sql in the whole presentation. Well, not willing to blame the teacher, I just felt losing my time listening to this superficial presentation of oracle database.

About the things I found interesting :
– Using the listener as http server. Especially interesting is to use lsnrctl star to start the listener (just joking).

  (HOST=chltlxlsc1) (PORT=8080)) (presentation=http)

$ lsnrctl star http
LSNRCTL for Linux: Version - Production 

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Starting .../bin/tnslsnr: please wait...

TNSLSNR for Linux: Version - Production
System parameter file is .../network/admin/listener.ora
Log messages written to .../network/log/http.log
( (PORT=8080))  
(presentation=http) (session=raw))

than I should be able with the package DBMS_EPG to administer the website

– An Excel plugin : well, if your marketing department is hooked on excel, there is a plugin which enable you some connectivity within your spreadsheet. You can download it on otn for free on BI Spreadsheet Addin. I did not try it yet, but it did look sexy.

– As last month, the pause has been enjoyable. Fine starters, great cat fish, delicious dessert


EXP / IMP has a quite a lot of bugs and limitations.

Today I had a trouble with a function based index first, generating ORA-942 table does not exist on import. I also had an error with AQ.

I have a few invalid objects too :

before exp, on source system (tru64/

SQL> select count(*) from dba_objects where status='INVALID';

after imp, on target system (rh4/

SQL> select count(*) from dba_objects where status='INVALID';

let’s recompile

SQL> @?/rdbms/admin/utlrp

SQL> select count(*) from dba_objects where status='INVALID';

… better, but still too much !

I probably did hit bug 3169196 too. The workaround is delicious :

<b>manually clean the data dictionary</b>

Well, I am going to drop the destination database and try again…

Oracle 7 Apero

Today we definitely shutdown our last productive Oracle7 database. Quite good news actually, I can now use set newp none, sqlplus “/ as sysdba” in all my scripts, svrmgrl is no longer needed (well, sometimes in 8i to do abort, but this is rare), and we garbage a hudge bin of reference manuals and cds!

And it is a good atmosphere, we talk about the good old time and this long life with no support and no change.

We have about 20% Oracle8i, 70% Oracle9i and 10% Oracle10g right now.


mod_plsql is an oracle module for Apache. Let’s do it from A to Z.

I install HTTP server. In 10g, it is located on the companion cd and requires a separate oracle home.

I copy my tnsnames.ora in COMPANIONHOME/network/admin

Then, I configure COMPANIONHOME/Apache/modplsql/conf/dads.conf

&lt;Location /helloworld&gt;
  SetHandler pls_handler
  PlsqlDatabaseUsername         scott
  PlsqlDatabasePassword         tiger
  PlsqlDatabaseConnectString    LSC01

I create my procedure
create or replace procedure helloworld is begin htp.bold('hello world'); end;

I start my Apache server
$ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=HTTP_Server

I open my browser
firefox http://localhost:7780/helloworld/scott.helloworld

So easy!


The seminar yesterday focused on SOA, Service Oriented Architecture. Teacher Michel Hascoët gave us an impressive demo with his notebook and JDeveloper; the SOA Workshop is usually taking four days, and for us he did it in one day.

Ok, first ADF. With JDeveloper, he created with just a few clicks a connection to a database, dropped two screens, one for browsing customers, one for editing a customer, and just by clicking “run”, the application started in a browser.

Later, we saw the BPEL process manager in JDeveloper. I have been quite impressed. Well, I am a vi man after all, and I am typically quite sceptical about click-click-click and it works. What is really sexy in the BPEL approach is that the application is built in a natural way. You just define process, like you would do “if (y==2)”, or “x=1” in vi, but in a good-looking fashion. At the end, the application is self-documented, and this is a real bonus, because the next developer in task for your project will understand your work immediatly.

As Michel pointed out, the key point to success is the data format. If you can exchange Data from one application to another, than building a new process is just a matter of a few clicks.

In the afternoon, we had a look at BAM, the Oracle Business Activity Monitor. This Windows tool (needs a windows server and an internet explorer client) let you build graphs and send alerts according to rules and sensors you can define in JDeveloper. Michel believes this tool will be rewritten by Oracle in a near future to comply with the OS strategy of Oracle, understand Java.

At the end of the day, we have been watching a OWSM demo. Oracle Web Service Manager is a security product for your application. Instead of connecting to your OC4J component directly (with http), you actually access a Proxy server, where you can eventually add authentication with a directory server like OID and authorization, than access the OC4J url, which can be behind a firewall.

Learn more :


I posted yesterday some of my aliases. My favorite (and most obfuscated) one is the following (for bash)

eval $(awk -F: '/^[+a-zA-Z]/{l=tolower($1); sub("^+","",l); print "alias "l"=47x="$2";PATH=${PATH//$ORACLE_HOME/$x}; ORACLE_HOME=$x; ORACLE_SID="$1"; echo ORACLE_SID="$1"; 47; "}' /etc/oratab 2&gt;/dev/null)

I am setting my path and a default sid/home in my .profile

[ -z "$ORACLE_SID" ] &amp;&amp; export ORACLE_SID=LSC01
export ORACLE_HOME=$(sed -n "s/:.$//;s/^$ORACLE_SID://p" /etc/oratab)
export PATH

Than in my eval command above set an alias for each line in /etc/oratab

# /etc/oratab

so here is the list of my dynamically generated aliases

alias asm1='x=/home/oracle/oracle/product/10.2.0/db_2; PATH=${PATH//$ORACLE_HOME/$x}; ORACLE_HOME=$x; ORACLE_SID=+ASM1; echo ORACLE_SID=+ASM1;'
alias crs='x=/app/oracle/product/10.2.0/crs; PATH=${PATH//$ORACLE_HOME/$x};ORACLE_HOME=$x; ORACLE_SID=crs; echo ORACLE_SID=crs;'
alias lsc01='x=/app/oracle/oracle/product/10.2.0/db_2; PATH=${PATH//$ORACLE_HOME/$x};ORACLE_HOME=$x; ORACLE_SID=LSC01; echo ORACLE_SID=LSC01;'
alias rac1='x=/home/oracle/oracle/product/10.2.0/db_2; PATH=${PATH//$ORACLE_HOME/$x}; ORACLE_HOME=$x; ORACLE_SID=RAC1; echo ORACLE_SID=RAC1;'
alias rac2='x=/home/oracle/oracle/product/10.2.0/db_2; PATH=${PATH//$ORACLE_HOME/$x}; ORACLE_HOME=$x; ORACLE_SID=RAC2;echo ORACLE_SID=RAC2;'

One alias I also like to set is a switch-user alias + keep settings and profile !
alias oracle='su - oracle -c "DISPLAY=$DISPLAY ORACLE_HOME=$ORACLE_HOME ORACLE_SID=$ORACLE_SID PATH=$PATH bash --rcfile ~lsc/.bashrc"'

I also have exotic, less recommendable, aliases…

alias +='sqlplus -L /'
alias -- -='cd -'
alias ..='cd ..'
alias ...='cd ../..'
alias ....='cd ../../..'
alias .....='cd ../../../..'
alias ......='cd ../../../../..'
alias .......='cd ../../../../../..'
alias ........='cd ../../../../../../..'

I also have a very handy function, called p

p() {
    sqlplus -L -s "/ as sysdba" &lt;&lt;EOF  | sed -n 's/@ //p'
set echo off lin 9999 trimsp on feedb off head off pages 0 tab off
col name for a25
select '@',name, value from v\$parameter2 where upper(name) like upper('%$1%');
P() {
    sqlplus -L -s "/ as sysdba" &lt;&lt;EOF  | sed -n 's/@ //p'
set echo off lin 9999 trimsp on feedb off head off pages 0 tab off
col name for a25
select '@',ksppinm name,ksppstvl value FROM x\$ksppi join x\$ksppcv using (inst_id,indx) where upper(ksppinm) like upper('%$1%');

so I can check the parameter directly from the shell

$ P shared_pool_size
_io_shared_pool_size      4194304
shared_pool_size          0
__shared_pool_size        83886080

I also use KSH sometimes, there I have a slicly different version of my aliases…

OCM preparation

The OCM 10g Upgrade is currently under development, and the OCM 10g exam should be available in May.

How will I prepare for the 10g OCM?

  • Part I, get confident with the environment :
    According to, the exam will be on redhat AS3 with DB RHAS3 is not free. If I had not RH in my company, I would then probably use WhiteBox Linux or a similar RedHat clone to get an environment as close as possible to the lab. It seems very important to me is to get the same terminals (Gnome) and the same Browser (Mozilla 1.6).

    I am trained to customized my environment within seconds. For example, I like to have a bookmark for 10G Book List, one for the Reference, one for SQL Reference, one for PL/SQL Packages Ref and one for RMAN Reference. So within one click, I can reach the appropriate book. I also like to shortcut most of my commands… I like to type pmon instead of ps -ef |grep ora_pmon and so I defined some aliases. I am able to define those below plus a few more obscure ones in less than one minute.

    alias abort='echo shutdown abort|sqlplus -L -s / as sysdba'
    alias alert='vi $ORACLE_HOME/admin/$ORACLE_SID/bdump/alert_$ORACLE_SID.log'
    alias nomount='echo startup nomount quiet|sqlplus -L -s / as sysdba'
    alias ora='cd $ORACLE_HOME'
    alias pmon='ps -ef | grep [p]mon'
    alias startup='echo startup quiet|sqlplus -L -s / as sysdba'
    alias sysdba='sqlplus -L / as sysdba'
    alias tns='cd $ORACLE_HOME/network/admin'

    I have read man vi until my eyes hurt. I have trained using GNOME keyboard shortcuts until my finger skin burnt.

    I have shortcut to set my oracle homes, and I am proficient with Unix commands.

    With the few commands I defined, I am able to do most maintenance tasks and to call the oracle binaries like sqlplus faster than Lucky Luke.

    I have read the SQL reference manual, the reference manual, and the RMAN reference manual.
    I can type in less than two minutes the complete syntax for creating a database. I am familiar with the most commonly used character sets. I can create tablespaces, add and remove files (well, removing logfile and tempfiles only in 10gR1).

    I have a bulletproof backup and recovery strategy. I know how to check critical ORA- message in the alert log, I can identify the missing files / directories on disk, I can recover from any error.

    I know -almost- every listener.ora, sqlnet.ora (except the security related ones), and tnsnames.ora. I can create sqlnet.ora, listener.ora, tnsnames.ora, start and stop my listener within one minute.

  • Part II, read the specification
    I print the documentation and I make sure I have understood the objectives. I try every scenario. In order to save time during the preparation, I am using scripts, so that I can generate a few databases quickly. For each scenario, I am generating errors. If you train with a collegue, try to generate the most surprising database corruption for your collegue at each scenario 😉

    There is a RAC scenario. I have received an Egenera blade to test Oracle Real Application Cluster, with up to 8 nodes. I documented in a previous post the steps I followed to install RAC on my notebook before receiving the Egenera hardware : Suse10 10gR2 Laptop Rac.

    … invest enough time … do not schedule it too early … search for articles in Oracle magazine

  • Part III, relax
    It is a nice challenge. Do sleep enough before the exam. Book a quiet hotel at least one day before. Do not work on the day before. Just rest.

  • Oracle Application Server

    One month ago, I attended an Oracle Application Server course in Geneva, Switzerland. We were a group of 3 students and the 5-days lesson has been extremly interesting and intense. Starting at 9am, we used to finish at 5:30pm or later.

    At LC Systems, we have a few customers using OAS, that is why I did jump into this non-database product cursus.

    As I experienced in the course, it is quite different from Oracle Database. Technically speaking, you do not need much database know-how to administer an application server.

    There are basically two parts. One is the Infrastructure. It contains a Directory Server (LDAP) which is stored physically on a database. As for the Grid Control, you can just click Next->Next->Next->Install to have it up and running (if you are lucky). You do not specify the size of the memory, the location of the files, the logging mode, nothing. Just the database passwords.

    The second part is called the Middle Tier. It contains a J2EE engine. There you can “hotplug” your application : portal, forms, reports, discoverer…

    The consistency, availability, backup strategy are not as clearly defined as in the db world I know. In the “online backup” mode, you should just hope that nothing is going to modify the xml configuration files at the time you edit them. If your file system is getting full of logs, it can well happen that your config file get truncated. If you think you are not modifying anything during the backup, it could well be Oracle itself that updates the xml files. What did also sound dubious to me is the point in time recovery. It sounds like : “Well, I will try to recover until time your repository with rman, and if I found your backup sets on the disk, it may work. If the config changed since that time, well, this is probably not the best thing to try…”

    The security concept made me hurl more than one time. For example Portal. There is a superuser called PORTAL in the Oracle Internet Directory (OID). To my surprise, you can see his database password in clear text in the OID. This user has, no joke, DBA role in the database. You can “revoke” the DBA role from PORTAL in the Application Server Console, but, believe me, it does not revoke the DBA at the db level. The mod_plsql enables you to encrypt passwords in files. This is a 2-ways encryption, I doubt the algorythm is very strong. The concept rather rely on “No one should ever log-in neither on the application server (with telnet) nor on the repository database (with sqlplus).

    This morning I passed my 1Z0-311 exam with success (0 error).

    oracle secure backup is out

    Oracle Secure Backup is out. It enables the use encryption of backup on tapes, it can help you to save on media library costs (no need from a media manager any more).

    Well, I am curious how many customer will take the challenge to migrate from tivoli or netbackup to oracle secure backup…

    OCP Column

    There is a new INSIDE OCP column in the Oracle Magazine this month (May-June 2006 Edition).

    It is about the Application Server exam. In the magazine, it is referenced as 1Z1-311, but the beta phase ended half a year ago, so the exam is now production 1Z0-311. I could guess most answers, and I hope I can succeed at first try, which is no sure thing. Anyway, I will try it next Friday at Oracle University in Baden/Zurich.

    New PC

    I bought a new PC at Eastern. I have installed 100Gb partition for Linux and 100Gb for Windows. I tried Fedora Core 5 and OpenSuse 10.0, in 64bit mode.

    I currently spend most of my “free” time to prepare the OCA Application Server certification, next friday (28th).

    Tonight I borrowed a game from a friend : Unreal Tournament 2004. I haven’t play such a game since a long time, and I must say, I enjoyed it very much. I am just overtired now. The graphic is fast, it is easy to master (well, I played at the novice level) and it is something I would never recommend to my kids ! Just shooting everywhere …

    Well, they are just too young now, but Dora is really mastering Memory Game and she can even write her name when she achieved a high score! Yesterday she had her fourth birthday.

    isqlplus and sqlplusw desupport

    isqlplus and sqlplusw (gui sqlplus windows) will be desupported in 2010. Read Note 359855.1 and Note 359859.1 on Metalink.

    Oracle recommends migrating to Raptor (SQLDeveloper) or to Application Express (HTMLDB) or command line sqlplus.

    Oracle Support apparently does not know that Raptor changed name before going to production, well, names change so often, it is difficult to know them all!

    dba workshop

    Last week I gave an internal 2-days dba course. All three students had good experience of filesystem backup and unix, but hardly any oracle experience.

    I figured out recovery is more complex than I thought! By explaining to other, how often do you realise do you do not know the answer yourself? It has been very educative to me too…

    First inconsistency I discovered :
    I tried to simulate a disaster by removing all controlfiles, redologs, datafiles. I expected the students to notice “something”. But, O Surprise, the db kept running, nothing written in alert logs, it was possible to create and drop tables, nothing went wrong (but they were no files). Probably the OS has not notified the file were no more there, and Oracle opened the files already. Strange. Even SHUTDOWN has been successful! But of course STARTUP did not work.

    Next time I prepare a B&R workshop, I must invest time to check that a disaster is effective!

    Second inconsistency:

    Report unrecoverable datafiles and validate backups. I wrote this in the rman technology forum this morning: REPORT NEED BACKUP is not suffisant to have consistent backups, nor RESTORE VALIDATE DATABASE!

    More inconsistencies :
    somehow, when users are doing backups with nocatalog and try to restore with the recovery manager catalog, it is not working. Well, it is not that surprising, but it really increases the difficulty of recovery procedures!

    However, those “inconsitencies” were good in this informal training, feedback from students was positive, we did “survive” all those problems and they realised RMAN recovery is not as simple as RMAN backup…