Category Archives: Oracle

Database Security Product Vapourware

from the posts that I never got around to posting department (originally dated at 26 July 2005)… posting now because Oracle Open World has a bunch of database security products now – and someone might actually implement this :).

I have got a product vapourware idea that has been floating around in my head for a little while. A product that will help protect databases.

The tool will do the following:

1) record checksum for key objects in the database (by default it shoud do the data dictionary). It will allow users to record checksums for all objects, in particular supporting stored procedures, and views. This will help prevent attackers from hiding there tracks. This type of attack has been setup in a proof of concept shown at Red Database Security Services (edit – sorry – not sure of the deep link or if this is still publicly available).
2) check the passwords of users in the database, ensuring that the password quality is good.

I can picture quite easily how to do this in Oracle, can see the feasability of it in SQL Server, and know that every database will provide a data dictionary that will make at least step 1 possible. So – to all you database security vendors out there – please implement.

Setting up Oracle XE to work with IBM WebSphere Portal IWWCM

In order to make the Oracle XE database work with IBM WebSphere Portal IWWCM there are a number of steps to perform.

  1. Ensure that the database is accessible using the Oracle SID (see the early post Oracle SID!=Service name)
  2. Next you will need to increase the number of proceses that can be connected to the instance, as there are a large number of connection pools set up by the system, which the database will need to support. The following command worked in my environment:
        ALTER SYSTEM SET PROCESSES=150 SCOPE=SPFILE;
  3. After having performed these base setup commands and options, you can run the IWWCM migration scripts to migrate existing data.
  4. To ensure that the connection pooling works correctly, you will need to grant the following privileges to public:

    grant select on pending_trans$ to public;
    grant select on dba_2pc_pending to public;
    grant select on dba_pending_transactions to public;

  5. Finally, grant the following privilege to each user to which connections are made from the application server.
        grant execute on dbms_system to <user>;

After having performed these steps you will have an Oracle XE database that will work happily with IWWCM.

Oracle SID != SERVICE_NAME

… or how to setup your Oracle XE database so that JDBC database urls will work like they traditionally have.

For many years Oracle has been telling everyone Oracle SID != SERVICE_NAME.

Java Developers have always smiled and nodded with this statement as the oracle thin client jdbc url would always be something like:

jdbc:oracle:thin:@server:1521:SERVICE_NAME, or
jdbc:oracle:thin:@server:1521:SID 

which would work because databases always either had the SID and SERVICE_NAME as the same, or there was some magic that the Oracle listeners did to make this work.

Somewhere in the past couple of releases of Oracle this transparent mapping has ceased to exist. In particular Oracle 10G XE out of the box doesn’t support this sort of option.

It seems the new preferred way of doing Oracle JDBC URLs is:
jdbc:oracle:thin:@server:1521/SERVICE_NAME.

I discovered this information while working with making a WebSphere Portal instance use Oracle as it’s data repository. The documentation for doing this suggested using the old school SID style of url.  I tried this first as it felt familiar, but things didn't work.  Changing the url to use the PORT/SERVICE_NAME approach looked to mostly work, but didn’t quite spread the changes to everywhere required. I needed to run WPSConfig connect-database to update all the hidden bits of configuration around the portal installation. Unfortunately, this failed as the wpsconfig script calls out to programs that expect the url to follow the old school syntax (the stack trace show an index-out-of-bounds exception while parsing connect srings). I then had to go in and update the configuration on the database to enable connection via the old SID style approach.

This was done by working on the listener.ora file
(C:\oraclexe\app\oracle\product\10.2.0\server\NETWORK\ADMIN) to add in a SID_LIST_LISTENER entry for the database.

This was simply to add:
(SID_DESC =
    (GLOBAL_NAME = XE)
    (SID_NAME = XE)
    (ORACLE_HOME = C:\oraclexe\app\oracle\product\10.2.0\server)
)

to the SID_LIST of the SID_LIST_LISTENER

I ended up with a SID_LIST_LISTENER that looks like this:

SID_LIST_LISTENER =
    (SID_LIST =
        (SID_DESC =
            (SID_NAME = PLSExtProc)
            (ORACLE_HOME = C:\oraclexe\app\oracle\product\10.2.0\server)
            (PROGRAM = extproc)
        )
        (SID_DESC =
            (SID_NAME = CLRExtProc)
            (ORACLE_HOME = C:\oraclexe\app\oracle\product\10.2.0\server)
            (PROGRAM = extproc)
        )
        (SID_DESC =
            (GLOBAL_NAME = XE)
            (SID_NAME = XE)
            (ORACLE_HOME = C:\oraclexe\app\oracle\product\10.2.0\server)
        )
    )

This configuration works with an out of the box Oracle XE installation, and lets me use the jdbc:oracle:thin:@server:1521:SID.