Connect to Oracle without Tnsnames.ora

According to the Oracle documentation:

TNSNAMES.ORA is a SQL*Net configuration file that defines database addresses for establishing connections to them. This file normally resides in the ORACLE HOME\NETWORK\ADMIN directory.

Example of how a connection is defined:

orcl1 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = my-server)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = orcl1)
    )
  )

Sometimes you can bypass tnsnames.ora and connect with SQL*Plus without even creating a new connection entry: all you have to do is put all of the connectivity information in your connection string. This type of connection is called "EZCONNECT".

sqlplus username/password@[//]host[:port][/service_name]

To enable EZCONNECT you should add the line below to sqlnet.ora, which is located in the same directory, $ORACLE_HOME/network/admin. Check the examples below:

NAMES.DIRECTORY_PATH=(ezconnect, tnsnames)

The example below uses the default listener port 1521:

1- sqlplus scott/tiger@myservername/orcl1

With a different listener port it looks like this:

2- sqlplus scott/tiger@myservername:1522/orcl1

3- sqlplus USER/PASSWORD@//myservername:1521/orcl1

If you want to disable EZCONNECT for security reasons, add the line below to sqlnet.ora instead:

NAMES.DIRECTORY_PATH=(tnsnames)

Thank you
Osama Mustafa

Behind the Scenes: Oracle Procedure Security

One of the main reasons for using Oracle PL/SQL procedures is controlling data access, and one of the main reasons that control fails is insecure coding practices. One of the most widely used attack techniques against applications is SQL injection. I wrote about SQL injection before, but since it is a big topic it needs to be covered in more than one part.

As a reminder, what is SQL injection? It is a hacking technique that manipulates SQL statements through a web application in order to access or query the database. When a web application runs, the programmer may use the user input directly, without hiding or validating it. This opens a new way for the attacker to access and retrieve data by sending specially crafted user input.

You need to know that any dynamic SQL query built from unvalidated user input is vulnerable to SQL injection. Some methods developers use to prevent SQL injection are parameterized queries and stored procedures.

The parameterized queries approach is the most secure way to guard against SQL injection, compared with the traditional approach of joining strings to build a dynamic SQL statement. The second approach usually leads to data format problems: you have to worry about how to encode each parameter, and every company ends up with its own way of doing that:

Query_sql = "SELECT * FROM emp where emp_id = :emp_Id";

A stored procedure is a database object, just like a table: a group of SQL statements that form a logical unit and perform a particular task. To execute it you call it by the procedure name, and it is mostly used as a container for code. But the question is: if I use stored procedures in my code, does that make me secure against SQL injection?
The answer is also simple: not always, because if the code is not written properly, SQL injection can happen again.

CREATE OR REPLACE PROCEDURE Test (Param_1 IN VARCHAR2) AS
   sql_stmt   VARCHAR2(4000);
   v_emp_id   emp.emp_id%TYPE;
   v_emp_name emp.emp_name%TYPE;
   v_job      emp.job%TYPE;
   v_sal      emp.sal%TYPE;
BEGIN
   -- Insecure on purpose: the user-supplied Param_1 is concatenated straight
   -- into the statement text, so it becomes part of the query itself.
   sql_stmt := 'SELECT emp_id, Emp_Name, Job, Sal FROM emp WHERE' ||
               ' Emp_Name=''' || Param_1 || '''';
   EXECUTE IMMEDIATE sql_stmt INTO v_emp_id, v_emp_name, v_job, v_sal;
END;
/

The value of Param_1 is taken from user input and concatenated into the string. The user input is enclosed in single quotes and concatenated to a string to form the SQL query, and that is exactly the problem: instead of the parameter being a search value for the SQL query, the user input has become part of the query itself, because it sits inside the single quotes. If the user enters the value as 1' or '1'='1',
then this stored procedure is not as secure as we think.

So how do you write a secure procedure?

One answer: test your code, and you should know what you write. If your query works fine, that does not mean it is secure and no hacker will get in.

Validate the inputs that come from users; also, as I mentioned before, use parameterized stored procedures with bound parameters. Don't forget to use low-privileged users and give the right roles and privileges to application users, and finally avoid dynamic SQL queries if you have another way.

So, in conclusion, if you are using stored procedures correctly then you are pretty much safe from SQL injection, and always remember when you write them, don't use:

1 - Dynamic SQL inside the stored procedure.
2 - Concatenated strings (try to avoid them).
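As an added example (not code from the original post), here is the same employee lookup written the safe way: first as static SQL, then as dynamic SQL for the case where the filter column is chosen at run time, using a bind variable plus DBMS_ASSERT. It assumes a table EMP(emp_id, emp_name, job, sal) like the one the vulnerable procedure queries.

```sql
-- Secure: static SQL. PL/SQL binds p_name as a value, so quotes or OR clauses
-- in the input can never change the shape of the statement.
CREATE OR REPLACE PROCEDURE get_emp_static (p_name IN VARCHAR2) AS
   v_emp_id emp.emp_id%TYPE;
   v_job    emp.job%TYPE;
   v_sal    emp.sal%TYPE;
BEGIN
   SELECT emp_id, job, sal
     INTO v_emp_id, v_job, v_sal
     FROM emp
    WHERE emp_name = p_name;
   DBMS_OUTPUT.PUT_LINE(v_emp_id || ' ' || v_job || ' ' || v_sal);
EXCEPTION
   WHEN NO_DATA_FOUND THEN
      DBMS_OUTPUT.PUT_LINE('no such employee');
END;
/

-- When dynamic SQL is unavoidable (here the column name varies), keep the user
-- value out of the statement text with a bind variable, and let DBMS_ASSERT
-- reject any column argument that is not a plain SQL identifier.
CREATE OR REPLACE PROCEDURE get_emp_dynamic (p_column IN VARCHAR2,
                                             p_value  IN VARCHAR2) AS
   v_stmt   VARCHAR2(4000);
   v_emp_id emp.emp_id%TYPE;
BEGIN
   -- SIMPLE_SQL_NAME raises ORA-44003 for input such as  job = job OR 1=1
   v_stmt := 'SELECT emp_id FROM emp WHERE '
             || DBMS_ASSERT.SIMPLE_SQL_NAME(p_column)
             || ' = :val';
   -- :val is bound, never concatenated, so its content is only ever a value
   EXECUTE IMMEDIATE v_stmt INTO v_emp_id USING p_value;
   DBMS_OUTPUT.PUT_LINE(v_emp_id);
END;
/

-- The injection string from the post is now just a literal that matches no row.
SET SERVEROUTPUT ON
BEGIN
   get_emp_static(q'[1' or '1'='1]');      -- prints: no such employee
   get_emp_dynamic('emp_name', 'SCOTT');   -- normal lookup by a fixed column
END;
/
```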

Thank you
Osama Mustafa


Switchover_status is Not Allowed

Check on the primary database, and the following status will appear:

SQL> select name, open_mode, database_role, switchover_status from v$database;

NAME      OPEN_MODE   DATABASE_ROLE     SWITCHOVER_STATUS
--------- ----------- ----------------- --------------------
MAN       MOUNTED     PHYSICAL STANDBY  NOT ALLOWED

To make sure everything is OK on both sides, primary and standby:

SQL> select name, open_mode, database_role, switchover_status from v$database;

NAME      OPEN_MODE   DATABASE_ROLE     SWITCHOVER_STATUS
--------- ----------- ----------------- --------------------
MAN       READ WRITE  PRIMARY           TO STANDBY

Another check, on the primary database:

SQL> select max(sequence#) from v$archived_log;

MAX(SEQUENCE#)
--------------
            56

At the standby:

SQL> select max(sequence#) from v$log_history;

MAX(SEQUENCE#)
--------------
            56

You solve this problem by running the command below:

SQL> alter database commit to switchover to physical standby with session shutdown;

The above command should be run on the primary database. It writes a special marker into the online redo log headers, which means the archive is transferred to the standby; after that the status should change.

Please check the links below from the OTN Forum, which describe the same problem; the solution is mentioned there as well:

1- Not allowed status in primary db switch_over status (press here).
2- Not allowed issue while DR switchover (press here).

Thank you
Osama Mustafa

Recreate Lost Pfile With Simple Command

If you lost all your files under $ORACLE_HOME/dbs but the database is still up and running, check the below:

[oracle@192 ~]$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.5.0 - Production on Fri Mar 15 14:49:58 2013

Copyright (c) 1982, 2010, Oracle.  All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> spool newfile.ora
SQL> select name||'='||value from v$parameter where isdefault = 'FALSE';

NAME||'='||VALUE
--------------------------------------------------------------------------------
processes=150
sga_target=285212672
control_files=/u01/app/oracle/oradata/orcl/control01.ctl, /u01/app/oracle/oradat
a/orcl/control02.ctl, /u01/app/oracle/oradata/orcl/control03.ctl

db_block_size=8192
compatible=10.2.0.1.0
db_file_multiblock_read_count=16
db_recovery_file_dest=/u01/app/oracle/flash_recovery_area
db_recovery_file_dest_size=2147483648
undo_management=AUTO

NAME||'='||VALUE
--------------------------------------------------------------------------------
undo_tablespace=UNDOTBS2
remote_login_passwordfile=EXCLUSIVE
db_domain=
dispatchers=(PROTOCOL=TCP) (SERVICE=orclXDB)
job_queue_processes=10
background_dump_dest=/u01/app/oracle/admin/orcl/bdump
user_dump_dest=/u01/app/oracle/admin/orcl/udump
core_dump_dest=/u01/app/oracle/admin/orcl/cdump
audit_file_dest=/u01/app/oracle/admin/orcl/adump
audit_trail=TRUE
db_name=orcl

NAME||'='||VALUE
--------------------------------------------------------------------------------
open_cursors=300
os_authent_prefix=
pga_aggregate_target=94371840

23 rows selected.

SQL> spool off ;

Just edit the new file (remove the SQL*Plus headers and the "rows selected" line so only name=value lines remain) and start up with it.

Thank you
Osama Mustafa

FRM-92101 - Oracle EBS

The picture above is what you see when you try to access any form/screen in Oracle EBS. If you check the logs ($LOG_HOME):

formsweb: Forms session exception stack trace:

oracle.forms.engine.RunformException: Forms session failed during startup: no response from runtime process
    at oracle.forms.servlet.RunformProcess.connect(Unknown Source)
    at oracle.forms.servlet.RunformProcess.dataToRunform(Unknown Source)
    at oracle.forms.servlet.RunformSession.dataToRunform(Unknown Source)
    at oracle.forms.servlet.ListenerServlet.doPost(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)

The solution is simple: just install the package below from the Oracle site (link: Here). Don't forget to choose the right one for your OS, and use the command below:

rpm -ivh openmotif21-2.1.30-11……rpm

Thank you
Osama Mustafa

Step By Step Install Database Vault On 10g

Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.
You configure Oracle Database Vault to manage the security of an individual Oracle Database instance. You can install Oracle Database Vault on standalone Oracle Database installations, in multiple Oracle homes, and in Oracle Real Application Clusters (Oracle RAC) environments.
Today I will show step by step how to install Database Vault on Oracle Database 10g. Notice that to install it you should upgrade your database to at least 10.2.0.3 to avoid errors.
Database Vault is very useful for protecting your data from users such as DBAs who have access to all tables, but the question is: who controls Database Vault?
Usually there are two users that control it. The Database Vault owner is granted the DV_OWNER role and can manage Database Vault roles and configurations; the username must be a minimum of 2 and a maximum of 30 characters, and the password for this user should be complex.
Another user, the Database Vault manager, is granted the DV_ACCTMGR role and is used to manage database user accounts. This user exists to facilitate separation of duties, which means that during installation you can also choose to create only one user that does all these jobs; the username should be a minimum of 2 and a maximum of 30 characters, and the password is complex.
Below are the screenshots for installing Database Vault (notice that the database and listener should be shut down):


Thank you 
Osama Mustafa


Oracle Security Case Study

Does your security procedure protect your data?

In most companies there is access to email systems, intranet, networks and the internet, and most of these users are using applications that connect to a database (assume it is an Oracle database).

By creating security procedures to protect the database and what it contains, you create a hard environment to deal with, since the three components are availability, integrity and security, which means that if you increase security then integrity will not be at the same level, and so on. The Oracle database has several layers of security and provides auditing functionality at each level; most of them are mentioned in the Oracle Security section of the website.

  • Password management: one of the basic steps, forcing users to follow rules such as password expiration, limited password reuse, a limit on the number of failed logon attempts, password complexity, and locking and expiring database accounts.
  • Database Auditing to monitor user activity.
  • Fine Grained Auditing to define the specific conditions necessary for an audit record to be generated, resulting in a more meaningful audit trail.
  • Database Resource Manager to set resource limits and quotas on the amount of various system resources available to users.
  • Roles to manage object privileges.
  • Oracle Label Security for more sophisticated row-level security.
  • Data Encryption to provide an additional layer of protection.

Which kind of security plan do you follow? Do you think the basic steps to secure a database will be enough, or should someone enable auditing, install a database firewall, and so on? When you answer, consider that more security means it will be harder to deal with the application and environment.
Tell me your case about security. What do you think?
Thank you
Osama Mustafa

Limit The Access To The Database

In this article I explain how to limit access to the database to only one user per schema, which means one concurrent session per schema.

RESOURCE_LIMIT should be set to TRUE:

SQL> show parameter resource

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
resource_limit                       boolean     TRUE
resource_manager_plan                string

After changing this parameter, bounce the database.

Connect to the database with SYSDBA privileges:

sqlplus / as sysdba

create profile Only_one_user limit sessions_per_user 1;

Create a new user or modify an existing one, depending on what you want:

create user test identified by test profile Only_one_user;
grant connect to test;

Now try to connect as this user from more than one terminal; the second session will receive the error:

ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit
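As an added check (not part of the original post), the queries below verify that the limit is actually in force. Profile names are stored upper-cased, so the profile created above appears as ONLY_ONE_USER.

```sql
-- 1. Profile limits are silently ignored while RESOURCE_LIMIT is FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'resource_limit';

-- 2. The limit as stored in the profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'ONLY_ONE_USER'
   AND resource_name = 'SESSIONS_PER_USER';

-- 3. Which accounts the profile applies to.
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'ONLY_ONE_USER';

-- 4. Live check: the limit is enforced at connect time only, so sessions opened
--    before the profile was assigned (or while RESOURCE_LIMIT was FALSE) stay.
--    Any row here is a user who currently exceeds the limit.
SELECT s.username, COUNT(*) AS sessions
  FROM v$session s
  JOIN dba_users u ON u.username = s.username
 WHERE u.profile = 'ONLY_ONE_USER'
 GROUP BY s.username
HAVING COUNT(*) > 1;
```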

Thank you
Osama Mustafa

Most Common Dbcontrol Issues

After a while on different Oracle forums, I noticed that people face a lot of issues with dbcontrol/dbconsole. Today I will post the most common dbcontrol issues and how to solve them.

Notice that sometimes the solution will differ depending on the DB version and OS version; I will post some MOS notes that could help you. Sometimes you need to apply a patch, and in other cases there is a workaround.

Error #1:

Exception in thread "main" oracle.sysman.emcp.exception.DatabaseUnavailableException: Database instance unavailable

Solution :

  1. Make sure your database is up and running.
  2. Set/export ORACLE_SID.
  3. Check if the database is registered with the listener.

You can refer to these MOS notes:
EMCA fails with "SEVERE: Database instance unavailable" [ID 750697.1]

EMCA fails with Database Instance is unavailable. Fix the ORA error thrown and run EM Configuration Assistant again. [ID 1511262.1]

Creating dbconsole 11.2 fails with “Exception in thread “main” oracle.sysman.emcp.exception.DatabaseUnavailableException: Database instance unavailable” on Windows [ID 1332546.1]

Error #2:

Running EMCA fails with “SEVERE: Invalid username/password”

Solution :

  1. Make sure you enter the correct password.
  2. In some versions you can use "Password".
  3. Recreate the password file.

You can refer to these MOS notes:
Problem: Running EMCA fails with "SEVERE: Invalid username/password" [ID 744176.1]

EMCA fails with SEVERE: Invalid username/password or database/scan listener not up or database service is not registered with scan listener. [ID 1330272.1]

Error #3:

WARNING: ORA-01031: insufficient privileges

Solution:

You need to check the logs; different errors could appear, such as:

Failed to unlock all EM-related accounts

Alter User Identified By

Also check the MOS note:
Troubleshooting the ‘ORA-01031: insufficient privileges’ error when using EMCA to Create or Drop DBconsole [ID 358201.1]

Error #4:

SEVERE: Listener is not up or database service is not registered with it. Start the Listener and register database service and run EM Configuration Assistant again.

Solution:

  1. Set/export ORACLE_SID.
  2. Check your listener.
  3. Check if the database is registered.

Check the MOS notes below:

Troubleshooting the EMCA Error “ORA-12514” “Listener is not up. Start the Listener and run EM Configuration Assistant again” When Creating or Dropping DBConsole [ID 368591.1]

EMCA Fails With Error “ORA-12541: TNS:no listener” and “Listener is not up. Start the Listener and run EM Configuration Assistant again” [ID 975024.1]

Using Production Data: Is This Right?

Production data contains sensitive information that should not be shared with unauthorized people: financial data, account numbers, ATM passwords, and so on. Most companies have a developer team to support applications and modify the code as needed, but developers need data to test the code. How to get this data, that is the question.

I have seen a lot of companies use production data in development/test databases because it is great for testing, really easy and costs nothing, but is this right? My view on this topic: no production data is allowed in development. There are a lot of points to discuss to prove exactly what I mean, and if it is necessary to use it then hide it in multiple ways, which I will talk about.

There is a much greater chance that the data may be compromised. This data should be removed and sanitized to make it anonymous/de-personalized. I read a lot of articles, and every article explains something different; for example, this article supports using production data. After reading that blog, ask yourself one question: how does production data make the job easier? By letting developers/unauthorized people look at customer data! There are two points of view: customers want their data to be secure, and employees want to test the code with something easy and real to use.

Check this: the Ponemon Institute has come out with some interesting (and scary) data on data security during development and testing.

This chart shows what a breach of data looks like. It shows a lot of sensitive data such as card holder data, customer data, credit card information and business confidential information.

Personally I prefer to use a subset or dummy data (using Red-Gate Data Generator).
There are a lot of security issues that can be caused by using production data for testing/development, such as severely compromising its confidentiality, even leading to legal action.

Take this example, Hannaford Brothers: in March, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.

After all these examples, is it OK to use production data in test? Do you have a legitimate reason? Do you have security, encryption, firewalls, breach detection? Add to that that there are different security rules for production data and test data. The production database is for authorized people: privacy, auditing, roles, privileges, a lot of conditions to access it. On the other hand, development data is frequently wide open: dozens of employees have access, access from many or unlimited places, home access. And you still want to use production data? Do your programs care or know the difference?

Some rules you have to follow:

  • Make your employees aware of the policies and procedures.
  • If it is possible not to use production data, take that option; use alternate ways of testing scenarios.
  • Ensure that production data is masked or scrubbed when it is moved out of the production environment.

If it is necessary to use your production data, then do it right by scrambling (scrambling is the function of replacing a character (or byte) of data with a different character (or byte) of data). Oracle provides solutions to do that, called data masking, or you can write your own function that will scramble the data for you.
Another option that could be used is encryption (encryption is a series of algorithms used to turn data into nonsensical characters (not in the English alphabet)). There are other ways you can hide production data: NULL'ing out, substitution, gibberish generation, and so on.
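As an added example (not from the original post), here is a "write your own" scrambling function of the kind described above, combined with substitution for card numbers, applied to a development copy of a customer table. It assumes a table CUSTOMERS_DEV(cust_id, full_name, card_number, email) already cloned into the development database.

```sql
-- Replace letters by a fixed substitution and digits by random digits, keeping
-- length and format so application code still parses the values. This is a
-- scramble, not encryption: its purpose is that the original values never
-- leave production, not that anyone can recover them.
CREATE OR REPLACE FUNCTION scramble(p_in IN VARCHAR2) RETURN VARCHAR2 IS
   v_out VARCHAR2(4000);
   c     VARCHAR2(1);
BEGIN
   IF p_in IS NULL THEN RETURN NULL; END IF;
   FOR i IN 1 .. LENGTH(p_in) LOOP
      c := SUBSTR(p_in, i, 1);
      IF c BETWEEN '0' AND '9' THEN
         c := TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(0, 10)));   -- random digit 0-9
      ELSIF c BETWEEN 'A' AND 'Z' THEN
         c := TRANSLATE(c, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'QWERTYUIOPASDFGHJKLZXCVBNM');
      ELSIF c BETWEEN 'a' AND 'z' THEN
         c := TRANSLATE(c, 'abcdefghijklmnopqrstuvwxyz', 'qwertyuiopasdfghjklzxcvbnm');
      END IF;                     -- spaces, punctuation and '@' are kept as-is
      v_out := v_out || c;
   END LOOP;
   RETURN v_out;
END;
/

-- Names: scramble. Card numbers: substitution, keep only the last four digits.
-- E-mail: scramble the local part and keep the domain so the address still
-- looks valid; an address without '@' is scrambled whole so nothing leaks.
UPDATE customers_dev
   SET full_name   = scramble(full_name),
       card_number = LPAD('X', LENGTH(card_number) - 4, 'X')
                     || SUBSTR(card_number, -4),
       email       = CASE
                        WHEN INSTR(email, '@') > 0 THEN
                           scramble(SUBSTR(email, 1, INSTR(email, '@') - 1))
                           || SUBSTR(email, INSTR(email, '@'))
                        ELSE scramble(email)
                     END;
COMMIT;
```

Run this once on the copy in development, never on production, and only after it has been verified that the columns listed are all the sensitive ones in the table.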

Finally, using live data in non-production is either illegal or expensive. For the companies using it illegally, it's only a matter of time before somebody slips up and the practice is discovered. As the article puts it:

Using live data in non-production is either illegal or expensive. For the companies using it illegally, it's only a matter of time before somebody slips up and the practice is discovered. For the companies paying extra to keep their developers compliant, they'll find themselves resistant to new development and undercut by companies who've used their data in a strategic way. In the long run, the tiny benefit is just not worth the risk. (Source: http://www.businesscomputingworld.co.uk/are-you-using-live-customer-data-outside-of-your-production-database/)


Read the Ponemon Institute report.

Thank you
Osama Mustafa