Enhancement Request : SSL listener and OEM

#em12c still does not support SSL! Encrypting network connections (https, ssh, sftp) is common sense in today’s business. In Enhancement Request 6512390, created 19-Oct-2007, the customer requested support for SSL. Most recent update: it is postponed to 13cR2 at least! *** 09/14/12 04:04 am DISCUSSION *** As we kick off 13c release, cleaning…

old-hash, SHA-1, SHA-2/512

Until pretty recently, only the dubious unsalted proprietary algorithm was available to store Oracle passwords. A bunch of tools were at the time able to decode any 6-8 character password in no time, and the rainbow approach was to precalculate all possible passwords for a specific user. Those times are not really far away, only starting…

grant select on sys tables

I prefer to use a powerful named user with dba rather than sys. It is more compliant with the security policies in place regarding accountability of administrator operations. Very occasionally, my user gets ORA-1031 insufficient privileges even if I have the dba role. Among others, I have “PURGE DBA_RECYCLEBIN” and DBMS_STREAMS_AUTH.GRANT_ADMIN_PRIVILEGE update, 2012-07-24 For purge…

This system is for the use of authorized users only.

How to bypass the login banners? There is actually more than one banner to bypass. One of them is the message of the day banner, commonly located in /etc/motd. Typically friendly; example from AIX: **************************************************************************** * * * * * Welcome to AIX Version 6.1! * * * * * * Please see the…

TNSNAMES and Active Directory

It is highly probable you already have MS AD in your company. Probably you use a local tnsnames.ora. Apart from setting up an Oracle Internet Directory or Oracle Virtual Directory, there is one more option that you may want to consider: AD. Ok, here is a bit of a road map: – Schema Extension…

how to run UTL_TCP, UTL_SMTP and the like in 11g

After we upgraded a database to 11g, someone complained about an ORA-24248: XML DB extensible security not installed. I thought it should be easy to revert to the 10g mechanism. Probably wrong, after reading Marco: The default behavior for access control to network utility packages has been changed to disallow network operations to all nonprivileged…

List of table and column privileges, including those via roles

I could not find this quickly enough on Google so I wrote it myself. The list of table privileges, with a connect by subquery. COL roles FOR a60 COL table_name FOR a30 col privilege for a9 set lin 200 trims on pages 0 emb on hea on newp none SELECT * FROM ( SELECT CONNECT_BY_ROOT…

on materialized view constraints

Oracle is pretty strong at enforcing constraints. Table for this blog post: create table t(x number primary key, y number); For instance if you alter table t add check (y insert into t values (1,2000); insert into t values (1,2000) Error at line 1 ORA-02290: check constraint (SCOTT.SYS_C0029609) violated I believe this code to be…

On using Toad against a database

I got this question once again today in a previous post. What’s wrong with using Toad against a database? The worst-case scenario: – some non-technical staff are clicking around in your production database with read-write access 🙁 The best-case scenario: – nobody has access to your database 🙂 Here is a short list…

track ddl change (part 2)

I wrote about tracking DDL changes with a trigger there: track ddl changes. Another option is to use auditing. A new and cool alternative is to use enable_ddl_logging (11gR2). This will track all DDLs in the alert log: ALTER SYSTEM SET enable_ddl_logging=TRUE Then later you issue create table t(x number) and you see in…

[alert] Oracle agents on AIX may not work in 2011 with OMS10g

Fuadar recently wrote: Grid Control 10.2.0.5 AIX Alert … Basically, if you have a 10g OMS server (any OS / any release) and AIX agents (any release), then according to Note 1171558.1, communication between the [10g] Oracle Management Service and the [AIX] Management Agents will break due to a default self-signed certificate expiring on 31 Dec…

jdbc ssl

I already wrote about jdbc hello world and listener with tcps. Let’s combine both technologies! TCPS.java import java.util.Properties; import java.security.Security; import java.sql.*; import javax.net.ssl.*; public class TCPS { public static void main(String argv[]) throws SQLException { String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(Host=dbsrv001)(Port=12345))(CONNECT_DATA=(SID=DB01)))"; Properties props = new Properties(); props.setProperty("user", "scott"); props.setProperty("password", "tiger"); props.setProperty("javax.net.ssl.trustStore","cwallet.sso"); props.setProperty("javax.net.ssl.trustStoreType","SSO"); Security.addProvider(new oracle.security.pki.OraclePKIProvider()); DriverManager.registerDriver(new…

to ftp or to sftp

FTP is seen as an old-time insecure protocol. Many shops nowadays have switched or are switching to sftp. I will try to point out some differences: Compatibility: none. The protocol is completely different. Multiple graphical clients however do support both modes. But the basic “ftp” client will not work with sftp. Ascii mode: only…

track DDL changes

Why is my package being invalidated? This is the question I asked myself a few times these days. In order to find out what is happening in my schema, I created this simple DDL trigger which tracks all DDL changes in my schema. CREATE TABLE AUDIT_DDL ( d date, OSUSER varchar2(255), CURRENT_USER varchar2(255), HOST varchar2(255),…

alter user identified by values in 11g

I wrote about dba_users changes in 11g. When spooling alter user commands in 11g, it is important to understand the mechanism. Oracle 11g supports both case-sensitive and case-insensitive passwords. When issuing a CREATE/ALTER USER IDENTIFIED BY PASSWORD, both the insensitive and the sensitive hashes are saved. SQL> create user u identified by u; User…

How to resolve ORA-09925 ?

This morning I had to solve an ORA-09925: Unable to create audit trail file and it was not as straightforward as usual… There is a note 69642.1 on Metalink, [edit]which is now up to date for 10gR2[/edit]. 1) AUDIT_FILE_DEST is not writable $ env _=/usr/bin/env ORACLE_SID=FOO TERM=dtterm ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_3 PWD=/u01/app/oracle/product/10.2.0/db_3 $ $ORACLE_HOME/bin/sqlplus -L "/ as sysdba"…

the password is no longer displayed in dba_users.password in 11g

By reading Pete Finnigan’s Oracle security weblog today, I discovered that the password is no longer displayed in DBA_USERS in 11g. select username,password from dba_users where username='SCOTT'; USERNAME PASSWORD ——– —————————— SCOTT select name,password from sys.user$ where name='SCOTT'; NAME PASSWORD —– —————————— SCOTT F894844C34402B67 On the one hand, it is good for security. On…

Configure OID with SSL

First you need to install OID. Check the Installation Guide and the Doc, and download the Software. If you do not need the dbconsole, stop it (emctl stop dbconsole) and remove the oracle_home/hostname_sid directory. Once you have a running OID, test it with ldapsearch. For this workshop, I use two servers and two usernames. Having the…

user identified externally with SSL certificate

Today I configured my database to identify users with certificates. Check my previous post listener with tcps to find out how to configure a listener with SSL, which is a prerequisite. Ok, I have a listener.ora and a tnsnames.ora with SSL. I do not need a sqlnet.ora, the default values work. listener.ora LISTENER= (DESCRIPTION_LIST= (DESCRIPTION=…

check if using tcp or tcps

Yesterday I wrote a how-to on listener SSL. To check the protocol: SQL> select sys_context('USERENV','NETWORK_PROTOCOL') PROTOCOL from dual; PROTOCOL ——– tcps

listener with tcps

How can you use SSL to encrypt your network traffic? Here is how I did it. Install Oracle Certification Authority 10.1.4; you need a CA to approve a certification request. Install Oracle Database 10gR2 Enterprise Edition with Advanced Security Options. Start Wallet Manager from the Database Oracle Home: start $ORACLE_HOME/bin/owm, create a new Wallet, define a…

Restrict network access to listener

If I have a limited number of db clients which are authorized to access my listener, I can restrict access to my listener by setting only two parameters in sqlnet.ora. TCP.VALIDNODE_CHECKING = yes TCP.INVITED_NODES = (dbclient001,chltlxlsc1) chltlxlsc1 is my db server; I include it in the list, as it is required to start the listener locally.…

sqlnet.wallet_override=true

I recently posted about Oracle Password Repository (OPR). I did get a comment from Andreas Piesk about something similar in Oracle, the wallet. Let’s do a quick test. First, I create a .sqlnet.ora in my home directory (I do not want to mess up the system-wide sqlnet.ora). $ cat /home/lsc/.sqlnet.ora SQLNET.WALLET_OVERRIDE=TRUE WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/lsc))) I now create…

Oracle Password Repository

I checked this tool today: http://sourceforge.net/projects/opr This tool provides a simple way of not hardcoding passwords in shell scripts. Hardcoding passwords in shell scripts is a bad practice. The source code may be shared by many developers, may reside on insecure servers (CVS), may be printed, etc… The passwords may change often too. This…

dbms_scheduler jobs

I read in a blog post from Pete Finnigan about the potential security hole in the DBMS_SCHEDULER package. DBMS_SCHEDULER as a new alternative for DBMS_JOB by Patrick Sinke Note that on some OSes, like AIX5L / Oracle 10.2.0.2, the job runs as ORACLE, not as NOBODY

security bug revealed

Pete Finnigan just mentioned a bug which allows any user in any Oracle version to get DBA privileges: Imperva discovers a critical access control bypass in login bug. This is incredible! Well, Pete urged you to apply CPU2006January asap.