11g Feature: Fine-Grained Access Control (FGAC) on Network Services

Hi All!
I was reviewing some features in Oracle and, basically, every single time I review them I find something new. Seems Oracle Databases’ features are near to infinite and we frequently find some that can really add value to our solutions.

So I decided to make a serie of posts with really quick notes about each one of them.
You can see all posts in this serie in my page of posts and some others more.

Ready? Here it goes:

Fine-Grained Access Control (FGAC) on Network Services

Oracle supplies PL/SQL utility packages such as UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP and UTL_INADDR to access to network services. In 11g Oracle have enhanced security available.
Rather than public being granted execute privileges on these packages, now it’s needed to create an ACCESS CONTROL LIST (ACL) in order to use these packages. Some ACL Related Data Dictionary VIEWS are DBA_NETWORK_ACLS and [DBA/USER]_NETWORK_ACL_PRIVILEGES.

> To create ACL:

SQL> begin
DBMS_NETWORK_ACL_ADMIN.create_acl(
acl => 'example.xml',
description=>'EXEMPLE ACL',
principal=>'EXAMPLE',                        
is_grant=>TRUE,
privilege=>'connect');
End;
/

> Once the ACL is created, additional user or privileges can be added using the DBMS_NETWORK_ACL_ADMIN.add_privileges procedure:

SQL> BEGIN
  DBMS_NETWORK_ACL_ADMIN.add_privilege ( 
    acl         =>  'example.xml', 
    principal   => 'SCOTT',
    is_grant    => FALSE, 
    privilege   => 'connect', 
    position    => NULL, 
    start_date  => NULL,
    end_date    => NULL);
  COMMIT;
END;
/

* DBMS_NETWORK_ACL_ADMIN.delete_privileges can be usedto drop privileges and DBMS_NETWORK_ACL_ADMIN.drop_acl to drop ACL.

> To assign ACL to a Network Host:

SQL> begin
DBMS_NETWORK_ACL_ADMIN.assign_acl(
acl => 'example.xml',
host=>'grepora');
End;
/

See you next week!

Advertisements

11g Feature: PLS-00436 Restriction in FORALL Statements Removed

Hi All!
I was reviewing some features in Oracle and, basically, every single time I review them I find something new. Seems Oracle Databases’ features are near to infinite and we frequently find some that can really add value to our solutions.

So I decided to make a serie of posts with really quick notes about each one of them.
You can see all posts in this serie in my page of posts and some others more.

Ready? Here it goes:

11g Feature: PLS-00436 Restriction in FORALL Statements Removed

In 11g, the PLS-00436 restriction has been removed, meaning individual elements of a collection can be referenced with SET and WHERE clauses in a FORALL construction.

Please check the following example, setting text of my_table to ‘Line x’ where x is the line number (also ID column):

DECLARE
  TYPE t_test IS TABLE OF my_table%ROWTYPE;
  l_test t_test;
BEGIN
  SELECT * BULK COLLECT INTO l_test FROM my_table;
  
  FOR i IN l_test.first .. l_test.last LOOP
    l_test(i).text := 'Line ' || i;
  END LOOP;

  FORALL i IN l_test.first .. l_test.last
    UPDATE my_table SET text = l_test(i).text WHERE id = l_test(i).id;
  COMMIT;
END;
/

11g Feature: Skip Locked Syntax in SELECT FOR UPDATE

Hi All!
I was reviewing some features in Oracle and, basically, every single time I review them I find something new. Seems Oracle Databases’ features are near to infinite and we frequently find some that can really add value to our solutions.

So I decided to make a serie of posts with really quick notes about each one of them.
You can see all posts in this serie in my page of posts and some others more.

Ready? Here it goes:

Skip Locked Syntax in SELECT FOR UPDATE

This is an 11g feature, and it’s a bit controversial. Why?
The SELECT FOR UPDATE statement is well known and responsible by several problematic operations, mainly in transactional databases. It’s not rare to face issues like errors below when trying to perform large updates on database:

ORA-30006: resource busy; acquire with WAIT timeout expired
ORA-00054 resource busy and NOWAIT specified

Worse than this, if a select for update task aborts, a zombie process may hold the row locks long term, requiring DBA intervention.

In 11g, the clause SKIP LOCKED has been released, allowing to skip-over any rows that are already locked. Check below for a simple example:

select COLUMN1, COLUMN2 from MYTABLE 
where COLUMN1='DESIRED_VALUE' for update skipped locked;

This is very useful in transaction environments, specially when facing errors mentioned above, however can cause logical corruption.
The reason is obvious, if some rows be in lock, those are not being updated. In this case, if the table has 100 entries where COLUMN1=’DESIRED_VALUE’ but 10 of them are in lock, only 90 will be actually selected, making statement invalid in some circumstances.

This is very useful in transaction environments, specially when facing errors mentioned above, however can cause logical corruption.
The reason is obvious, if some rows be in lock, those are not being updated.

Additional Note: In some cases, increasing the table’s initrans allows more buckets for locking:

alter table MYTABLE move initrans xxxx;

Here is a very interesting post by Jonathan Lewis about it.

See you next week!

Failed to invoke startup class “JRF Startup Class” in OSB or SOA.

Hi guys!!!

After installation of soa-infra or osb, in the first time the the managed server starts, the error occurs:

####     <[ACTIVE] ExecuteThread: '0' for queue: 'weblo gic.kernel.Default (self-tuning)'> <> <> <> <1478002511204>  
at weblogic.management.deploy.classdeployment.ClassDeploymentManager.invokeClass(ClassDeploymentManager.java:274)
at weblogic.management.deploy.classdeployment.ClassDeploymentManager.access$000(ClassDeploymentManager.java:54)
at weblogic.management.deploy.classdeployment.ClassDeploymentManager$1.run(ClassDeploymentManager.java:226)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.management.deploy.classdeployment.ClassDeploymentManager.invokeClassDeployment(ClassDeploymentManager.java:258)
at weblogic.management.deploy.classdeployment.ClassDeploymentManager.runStartupsBeforeAppDeployments(ClassDeploymentManager.java:149)
at weblogic.management.deploy.classdeployment.ClassDeploymentService.start(ClassDeploymentService.java:21)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

SOLUTION:
Just edit the nodemanager.properties file that is inside the $WL_HOME/common/nodemanager.
Find the line with the content “StartScriptEnabled=false” and replace to “StartScriptEnabled=true”

If do you prefer, just run the command:

sed -i ‘s/StartScriptEnabled=false/StartScriptEnabled=true/g’ $WL_HOME/common/nodemanager/nodemanager.properties

Weblogic very slow during startup

Why does my Weblogic Server takes a Long Time to Start?

On Linux or Solaris operating systems, this behavior is very common. Especially in new installations.
There is more information about this behavior in “Doc ID 1574979.1“.

The solution to this problem is very simple.
Just edit the java.security file that is inside the $$JAVA_HOME/jre/lib/security/
Find the line with the content “securerandom.source=file:/dev/urandom” and replace with “securerandom.source=file:/dev/./urandom”.

If do you prefer, just run the command:

sed -i ‘s/securerandom.source=file:\/dev\/urandom/securerandom.source=file:\/dev\/.\/urandom/g’ $JAVA_HOME/jre/lib/security/java.security

 

Reset the AdminServer Password in WebLogic 11g and 12c

Reset the AdminServer Password in WebLogic 11g and 12c:

source $DOMAIN_HOME/bin/setDomainEnv.sh
cd $DOMAIN_HOME/servers/AdminServer/
mv data data-old
cd $DOMAIN_HOME/security
java weblogic.security.utils.AdminAccount weblogic .

Restart the AdminServer.

If the weblogic has the file boot.properties in $DOMAIN_HOME/servers/AdminServer/security/, should be adjusted the credentials of user and password, before restart the AdminServer.

OBS: Check the post on decrypt datasource password, which can also be used to decrypt the credentials of boot.properties file, avoiding making the above procedure, if this file exists.

That’s all for today.
Jackson.

Weblogic JRF files in /tmp

Problem:
In weblogic 11G, there are several JFR files in /tmp directory:

root@app1wsora3 tmp]# pwd; find . -name *.jfr |xargs ls -tlhr
/tmp
-rw——- 1 oracle oinstall 0 Aug 11 18:41 ./2016_06_02_13_50_22_4317/2016_08_11_18_41_43_4317.jfr
-rw——- 1 oracle oinstall 37M Aug 11 18:41 ./2016_06_02_13_50_22_4317/2016_08_01_11_22_51_4317.jfr
-rw——- 1 oracle oinstall 14M Aug 16 09:25 ./2016_06_02_13_50_15_4341/2016_08_16_03_24_12_4341.jfr
-rw——- 1 oracle oinstall 0 Aug 16 12:02 ./2016_06_02_13_50_15_4341/2016_08_16_12_02_02_4341.jfr
-rw——- 1 oracle oinstall 14M Aug 16 12:02 ./2016_06_02_13_50_15_4341/2016_08_16_09_25_39_4341.jfr
-rw——- 1 oracle oinstall 0 Aug 16 12:43 ./2016_06_02_13_50_24_4344/2016_08_16_12_43_28_4344.jfr
-rw——- 1 oracle oinstall 150M Aug 16 12:43 ./2016_06_02_13_50_24_4344/2016_08_16_12_17_36_4344.jfr

These files are from DMS (Dynamic Monitoring Service) and they are created when application server is running.

Continue reading