Author Archives: Stefan

Oracle CPU / PSU Advisory October 2018

Oracle has recently published the Critical Patch Update Advisory for October 2018. It’s once more quite a heavy update with no less than 301 security vulnerability fixes across the Oracle products. The Oracle Database is relatively prominently represented with 3 security vulnerabilities and a maximum CVSS rating of 9.8. The vulnerability with this high CVSS rating, CVE-2018-3259, is related to OJVM and affects all Oracle releases on various platforms. In addition, two of the vulnerabilities are remotely exploitable without authentication. None of the security bug fixes are for client-only installations, so you just have to patch your database servers.

Oracle Unified Directory itself is not mentioned in the Oracle Critical Patch Update Advisory. But the MOS note 2385785.1 Information And Bug Listing of Oracle Unified Directory Bundle Patches: 12.2.1.3.x (12cR2PS3) Version does provide information on the latest bundle patch for OUD. Besides this patch, there are updates for Oracle WebLogic and Oracle Java as well (see links below).

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8. The following components are affected:

  • Oracle Text
  • Java VM
  • Rapid Home Provisioning

Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update.

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 56 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

A few links related to this Critical Patch Update.

Oracle Security at Trivadis TechEvent Fall 2018

A few days ago the semi-annual Trivadis TechEvent took place. As always, it was a great IT event where Trivadis employees and customers had the opportunity to exchange and discuss a variety of topics. I had the pleasure to give one lecture about Oracle 18c New Security Features as well as one on Oracle Enterprise User Security, Kerberos and Oracle Unified Directory. In the meantime, both presentations have been published via SlideShare.

Oracle 18c new Security Features

Abstract: The aim of the presentation is to discuss the various security enhancements which have been introduced with Oracle Release 18c. But which features are worth a closer look? In what context do the new features and options make sense? How can security be improved in general with Oracle Database 18c? Where does it make sense to invest in additional database options? The aim of this lecture is to answer these and other questions around Oracle Database 18c security.

The demos for this presentation are rather small but also available as GitHub Gist oehrlis/EUS_demos.md.

Oracle EUS, Kerberos, SSL and OUD a guideline

Abstract: The configuration of a central user administration for Oracle DB is basically simple. The challenge is to integrate the different technologies in a meaningful and stable IT environment. Oracle EUS together with OUD, Kerberos or SSL can be implemented autonomously or in combination with existing directory services or an IAM solution. In addition to the technical challenges, other aspects such as users, roles and the security concept in general also play an important role. Within the scope of this lecture, the measures are discussed in order to establish a central user administration for Oracle.

The demos for this presentation are available as GitHub Gist oehrlis/EUS_demos.md.

Oracle Unified Directory Access Log Parsing System ALPS

For one of my customers I had to analyse the log files of Oracle Unified Directory from time to time, in particular the access log file. During my research I came across the MOS note 2042620.1 and the Access Log Parsing System, or ALPS for short. ALPS is a small and handy tool to analyse OUD and ODSEE access logs. Written in Java, it runs on a couple of different environments. The requirements to run it are rather simple. Just make sure you still have Java 8. 🙂

A few features:

  • Graphical dashboard providing an overview of LDAP operations, connections, operations per seconds and elapsed times.
  • Information on connections with the longest etimes
  • Analysis of LDAP operations, e.g. operations over time, most frequent search base, filters, attributes and more.
  • Connections and client addresses.
  • Overview of the result codes that occurred.
  • Log reader to browse through the logfiles.
  • Log replay
  • Load of individual log files, zip archives or entire log directories. Loading multiple access log files allows simultaneous analysis of access logs from replicated OUD instances, although this is some kind of a workaround.

The following screenshot shows an ALPS dashboard. The access log has been taken from my OUD EUS AD proxy instance, which I used during my TechEvent presentation on OUD and EUS. Not really a heavily loaded OUD instance.

Another view of the LDAP operations around 09:30, the time I’ve run the demo and created the instance 🙂

In the context of OUD 12c there are currently some limitations. Oracle changed the default log publisher to the Oracle Loggers using the ODL format. ALPS cannot yet handle the new format. If you plan to analyse OUD access or admin logs, you still have to use the legacy log publishers. Besides this, a small info message can cause your logs not to be recognised by ALPS. OUD 12c adds the following info to the header of new log files.

This logger has been deprecated. Recommended to use Oracle Loggers
[14/Sep/2018:09:28:23 +0000] CONNECT CONN_POOL conn=0 protocol=LDAP extension=proxy1 from=te2018_oud.postgasse.org/172.17.0.4 to=mneme.postgasse.org/192.168.56.70 s_conn=0
...

Just remove the line starting with This logger has been deprecated... and ALPS is fine again. Besides fixing this issue, I have a couple more wishes for the next release of ALPS.

  • Official support for the new ODL format log files.
  • Support for log files from different sources, e.g. from multiple OUD instances in a replicated environment. The current version of ALPS allows loading multiple files, but there is no possibility to distinguish the log file source.

Using ALPS to analyse OUD or ODSEE access logs will help to reduce your workload, so you have time to enjoy the real Alps.

Oracle Unified Directory SSLHandshakeException with Java 1.8.0_181

A couple of days ago I updated my Oracle Unified Directory Docker images with the latest bundle patch for OUD as well as the latest Java version. With the new Docker images I was about to reproduce a use case from a customer. Everything actually worked at first glance, but after a while I realised that my OUD Docker container remains in status “unhealthy”. It seems that my status script is not able to get a clear status of the OUD instance. In particular, the command “status” fails.

oracle@oud3:~/ [oud_docker] status --trustall \
-D "cn=Directory Manager" -j $PWD_FILE

Error reading configuration. Details:
javax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative names present]

I’ve tried to drill down to the root cause of this issue, but haven’t been successful. After a hint from a workmate, I took a look into the release notes of Java 1.8.0 update 181. It looks like the latest Java 1.8.0 update includes security improvements for LDAP support.

Changes
core-libs/javax.naming
➜ Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

My first intention was to adjust java.properties and disable endpoint identification just for status, but I was not successful. As a workaround I’ve set the Java argument -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true with the environment variable OPENDS_JAVA_ARGS. This seems to work as expected.

oracle@oud3:~/ [oud_docker] export OPENDS_JAVA_ARGS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
oracle@oud3:~/ [oud_docker] status --trustall \
  -D "cn=Directory Manager" -j $PWD_FILE

--- Server Status ---
Server Run Status:        Started
Open Connections:         1

--- Server Details ---
Host Name:                oud3
Administrative Users:     cn=Directory Manager
Installation Path:        /u00/app/oracle/product/fmw12.2.1.3.0/oud
Instance Path:            /u01/instances/oud_docker/OUD
Version:                  Oracle Unified Directory 12.2.1.3.180626
Java Version:             1.8.0_181
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol               : State
-------------:------------------------:---------
--           : LDIF                   : Disabled
0.0.0.0:161  : SNMP                   : Disabled
0.0.0.0:1389 : LDAP (allows StartTLS) : Enabled
0.0.0.0:1636 : LDAPS                  : Enabled
0.0.0.0:1689 : JMX                    : Disabled

--- Data Sources ---
Base DN:     cn=OracleContext
Backend ID:  OIDCompatibility
Entries:     34
Replication: Disabled

Base DN:     cn=OracleContext,dc=example,dc=com
Backend ID:  OracleContext0
Entries:     17
Replication: Disabled

Base DN:     cn=OracleSchemaVersion
Backend ID:  OIDCompatibility
Entries:     3
Replication: Disabled

Base DN:     cn=virtual acis
Backend ID:  virtualAcis
Entries:     0
Replication: Disabled

Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     1
Replication: Disabled

This workaround temporarily disables endpoint identification, although the correct method would be to fix the issue and keep endpoint identification enabled. For now there is a MOS bug related to this issue, which increases the chance that this will be fixed in a future release. Until then you can easily work around it by setting the environment variable.
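To see why the check fails for this particular call, here is an added Python model (not Oracle’s or the JDK’s code) of the endpoint identification rule that 8u181 enabled for LDAPS: an IP literal such as the 0.0.0.0 in the error above is matched only against iPAddress subject alternative names and never falls back to the certificate CN, while a host name is matched against dNSName entries with a CN fallback only when the certificate carries none. The certificates are constructed dicts; the error strings follow the JDK’s HostnameChecker wording.

```python
import ipaddress

# Tags used by X509Certificate.getSubjectAlternativeNames() for the two
# general-name types that matter for host name verification.
DNS_NAME = 2
IP_ADDRESS = 7


def dns_name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, a single leading '*'
    label may stand in for exactly one label (so *.example.com does not
    match a.b.example.com), and a bare '*.tld' wildcard is rejected."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_endpoint(expected, cert):
    """Return None if `expected` (host name or IP literal) matches `cert`,
    otherwise the failure message.

    `cert` is a constructed dict: {"cn": <subject CN or None>,
                                   "san": [(tag, value), ...]}.
    """
    san = cert.get("san") or []
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None

    if ip is not None:
        # IP branch: only iPAddress SAN entries count, there is no CN fallback.
        if not san:
            return "No subject alternative names present"
        for tag, value in san:
            if tag == IP_ADDRESS and ipaddress.ip_address(value) == ip:
                return None
        return ("No subject alternative names matching IP address %s found"
                % expected)

    # DNS branch: dNSName SAN entries first; the CN is consulted only when
    # the certificate has no dNSName entry at all.
    found_dns = False
    for tag, value in san:
        if tag == DNS_NAME:
            found_dns = True
            if dns_name_matches(value, expected):
                return None
    if found_dns:
        return "No subject alternative DNS name matching %s found." % expected
    cn = cert.get("cn")
    if cn and dns_name_matches(cn, expected):
        return None
    return "No name matching %s found" % expected


# The situation from the status output above: CN only, no SAN, IP target.
ADMIN_CERT_NO_SAN = {"cn": "oud3", "san": []}
# A constructed certificate that passes for both a host name and an IP
# (192.0.2.10 is a documentation address, not a real host).
ADMIN_CERT_WITH_SAN = {"cn": "oud3",
                       "san": [(DNS_NAME, "oud3.example.com"),
                               (IP_ADDRESS, "192.0.2.10")]}

if __name__ == "__main__":
    for target, cert in [("0.0.0.0", ADMIN_CERT_NO_SAN),
                         ("oud3", ADMIN_CERT_NO_SAN),
                         ("192.0.2.10", ADMIN_CERT_WITH_SAN),
                         ("oud3.example.com", ADMIN_CERT_WITH_SAN)]:
        print(target, "->", check_endpoint(target, cert) or "OK")
```

Because status connects to 0.0.0.0, the JDK takes the IP branch, so an admin connector certificate with a CN but no SAN can never pass; keeping the check enabled requires a certificate whose SAN matches the name or address the tools connect to. The OPENDS_JAVA_ARGS workaround instead switches the check off for every LDAPS connection made by that JVM.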

A few links related to this short blog post:

  • Blog post on Oracle Unified Directory on Docker
  • MOS Bug 28525374 SSLHANDSHAKEEXCEPTION WHEN CREATING OUD INSTANCE WITH JAVA 1.8.0_181
  • MOS Note OUD – How To Configure the Default JVM and Java Arguments with Environment Variables or by Modification of the java.properties File 2220584.1
  • My genuine Docker build scripts for Oracle Unified Directory on GitHub (oehrlis/docker)
  • Oracle Docker build scripts for Oracle Unified Directory on GitHub (oracle/docker-images) yep from me too 🙂

OUDbase environment scripts for Oracle Unified Directory Part 1

Almost two years ago I started writing environment scripts for my Oracle Unified Directory installations. At the beginning there were only 2-3 scripts, from which at some point a small project on GitHub emerged. A lot has changed since my blog post Environment Scripts for OUD. The current version of OUDbase (v1.5.5) has a number of useful functions that make working with OUD on the command line much easier. This is one reason it is time to write about OUDbase once again, or rather to start a small blog series.

Features at a Glance

At the end of the day, it’s just a script that sets a series of aliases and environment variables. But this script does exactly what it should: it simplifies the work of the administrator. Initially it was developed for Oracle Unified Directory (OUD), but to a certain degree other Oracle directory servers and tools like Oracle Unified Directory Services Manager (OUDSM), Oracle Directory Server Enterprise Edition (ODSEE) and Oracle Internet Directory (OID) are supported as well.

  • Support of various Oracle directory servers and tools
  • Support for Oracle directory servers on Docker
  • Small foot print and minimal requirements
  • Simple and quick installation
  • Auto-configure for common environments and Oracle homes
  • Provide a kind of OFA environment for Oracle directory servers
  • Flexible environment handling, e.g. easy switching between different environments
  • Alias definitions
  • Platform-independent
  • More flexible and powerful than… wait, there is no oraenv for Oracle directory servers 🙂
  • Customization of environment variables and aliases globally or per instance
  • Miscellaneous templates for cron.d, logrotate.d, systemd service and instance creation

In particular OUDbase provides the following scripts:

  • oudtab as a central configuration file for instance names, ports and directory types
  • oudenv.sh script to source and set the environment
  • oud_backup.sh script to backup specific or all Oracle Unified Directory instances
  • oud_export.sh script to export specific or all Oracle Unified Directory instances
  • oud_status.sh script to check the status of an Oracle Unified Directory instance including replication status
  • oud12c_eus template and scripts to create an Oracle Unified Directory server with Enterprise User Security integration
  • oud12c_eus_ad_proxy template and scripts to create an Oracle Unified Directory proxy server with Enterprise User Security and MS Active Directory integration
  • generic template and scripts as base for customisation

Requirements

OUDbase is modest. You just need a bash shell to run it and tar/gzip to install it. This is also one of the reasons why it fits perfectly on OUD Docker images. Although you do not run several directory servers in one Docker container, it is convenient to work on the command line. A little further up I mentioned that OUDbase is platform-independent. There is at least one operating system which does not support bash out of the box. Guess which one? Yes, exactly: Microsoft Windows. Basically, OUDbase should also run on MS Windows if bash is installed there. However, this has not yet been tested.

Installation

Before you can start the installation of OUDbase, you have to download the latest version from the GitHub repository oehrlis/oudbase. OUDbase is available as a TAR file or as a shell installation script. The shell script itself is a regular Bash script with additional payload. This means that the TAR file is appended directly at the end of the script. Since the embedded TAR is base64 encoded, the installation script can be sent by mail without any problems. If you are interested in how to do this, I recommend the How-To Add a Binary Payload to your Shell Scripts written by Mitch Frazier / Linux Journal.

The script relies on the directory structure Optimal Flexible Architecture (OFA) introduced by Oracle a couple of years ago. Starting from an ORACLE_BASE path, the installation script evaluates the required parameters based on OFA. If you use a different structure, you can pass the necessary directory paths via parameters. The following code block shows the oudbase_install.sh usage.

oracle@oudad:/u00/app/oracle/ [oud_ad] ./oudbase_install.sh -h
Start of oudbase_install.sh (Version v1.5.5) with -h
processing commandline parameter
Usage, oudbase_install.sh [-hav] [-b ]
[-i ] [-B ]
[-m ] [-f ] [-j ]

-h Usage (this message)
-v enable verbose mode
-a append to profile eg. .bash_profile or .profile
-b ORACLE_BASE Directory. Mandatory argument. This
directory is use as OUD_BASE directory
-o OUD_BASE Directory. (default $ORACLE_BASE).
-d OUD_DATA Directory. (default /u01 if available otherwise $ORACLE_BASE).
This directory has to be specified to distinct persistant data from software
eg. in a docker containers
-A Base directory for OUD admin (default $OUD_DATA/admin)
-B Base directory for OUD backups (default $OUD_DATA/backup)
-i Base directory for OUD instances (default $OUD_DATA/instances)
-m Oracle home directory for OUD binaries (default $ORACLE_BASE/products)
-f Oracle Fusion Middleware home directory. (default $ORACLE_BASE/products)
-j JAVA_HOME directory. (default search for java in $ORACLE_BASE/products)

Logfile : /u01/log/oudbase_install.log

The following overview lists each installation parameter with its environment variable, its default value and a description.

  • -v (no variable, no default): Enable verbose mode.
  • -a (no variable, no default): Append to profile, e.g. .bash_profile or .profile.
  • -b ($ORACLE_BASE, default /u00/app/oracle): Mandatory argument. This directory is used as ORACLE_BASE, from which all other directories are derived.
  • -o ($OUD_BASE, default $ORACLE_BASE): OUDbase base directory where the scripts, config etc. will be installed. Usually this is the same directory as ORACLE_BASE; due to some legacy requirements it can be a separate directory.
  • -d ($OUD_DATA, default /u01 if available, otherwise $ORACLE_BASE): Directory to store the persistent data, e.g. the OUD instance homes, backup and admin directories. This directory has to be specified to separate persistent data from software, e.g. in Docker containers.
  • -A ($OUD_ADMIN_BASE, default $OUD_DATA/admin): Base directory for an instance-specific admin directory, similar to the admin directory of Oracle databases.
  • -B ($OUD_BACKUP_BASE, default $OUD_DATA/backup): Base directory for an instance-specific directory to store backups and LDIF exports.
  • -i ($OUD_INSTANCE_BASE, default $OUD_DATA/instances): Base directory for the OUD instance homes.
  • -m ($ORACLE_HOME, default $ORACLE_BASE/products): Oracle home directory for binaries. The installation script searches below this path for the corresponding binaries.
  • -f ($ORACLE_FMW_HOME, default $ORACLE_BASE/products): Oracle Fusion Middleware home directory when the OUD and OUDSM binaries are separated. The installation script searches below this path for the corresponding binaries.
  • -j ($JAVA_HOME, default $ORACLE_BASE/products): Location of the Java home. The installation script searches below this path for the corresponding Java binaries.

The installation script will guess the required parameters based on OFA. All parameters specified on the command line will be stored for future use in oudenv_core.conf. If something went wrong during installation, you always have the option of adjusting them manually.

Let’s create an installation as an example. We will use /u00/app/oracle as ORACLE_BASE, /u01 as OUD_DATA and /u00/app/oracle/product/fmw12.2.1.3.0 as ORACLE_HOME. Below you find the command and an excerpt of the output; actually everything except the output of the TAR command.

oracle@oudad:/tmp/ [oud_ad] ./oudbase_install.sh -v -b /u00/app/oracle -d /u01 -m /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 START: Start of oudbase_install.sh (Version v1.5.5) with -v -b /u00/app/oracle -d /u01 -m /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 INFO : processing commandline parameter
2018-07-16_20:45:46 INFO : Define default values
2018-07-16_20:45:46 INFO : Using the following variable for installation
2018-07-16_20:45:46 INFO : ORACLE_BASE = /u00/app/oracle
2018-07-16_20:45:46 INFO : OUD_BASE = /u00/app/oracle/local/oudbase
2018-07-16_20:45:46 INFO : LOG_BASE = /u01/log
2018-07-16_20:45:46 INFO : ETC_CORE = /u00/app/oracle/local/oudbase/etc
2018-07-16_20:45:46 INFO : ETC_BASE = /u01/etc
2018-07-16_20:45:46 INFO : OUD_DATA = /u01
2018-07-16_20:45:46 INFO : OUD_INSTANCE_BASE = /u01/instances
2018-07-16_20:45:46 INFO : OUD_ADMIN_BASE = /u01/admin
2018-07-16_20:45:46 INFO : OUD_BACKUP_BASE = /u01/backup
2018-07-16_20:45:46 INFO : ORACLE_PRODUCT =
2018-07-16_20:45:46 INFO : ORACLE_HOME = /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 INFO : ORACLE_FMW_HOME = /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 INFO : JAVA_HOME = /usr/java/jdk1.8.0_172
2018-07-16_20:45:46 INFO : SCRIPT_FQN = /tmp/oudbase_install.sh
2018-07-16_20:45:46 INFO : Installing OUD Environment
2018-07-16_20:45:46 INFO : Create required directories in ORACLE_BASE=/u00/app/oracle
2018-07-16_20:45:46 INFO : Create Directory /u01/log
2018-07-16_20:45:46 INFO : Create Directory /u01/etc
2018-07-16_20:45:46 INFO : Create Directory /u00/app/oracle/local
2018-07-16_20:45:46 INFO : Create Directory /u01/admin
2018-07-16_20:45:46 INFO : Create Directory /u01/backup
2018-07-16_20:45:46 INFO : Create Directory /u01/instances
2018-07-16_20:45:46 INFO : Create Directory /u00/app/oracle/local/oudbase
2018-07-16_20:45:46 INFO : Backup existing config files
2018-07-16_20:45:47 INFO : Backup oudtab to oudtab.save
2018-07-16_20:45:47 INFO : Backup oud._DEFAULT_.conf to oud._DEFAULT_.conf.save
2018-07-16_20:45:47 INFO : Start processing the payload
2018-07-16_20:45:47 INFO : Payload is available as of line 470.
2018-07-16_20:45:47 INFO : Extracting payload into /u00/app/oracle/local
2018-07-16_20:45:47 INFO : Payload is set to base64. Using base64 decode before untar.
...
2018-07-16_20:45:47 INFO : Store customization in core config file /u00/app/oracle/local/oudbase/etc/oudenv_core.conf
2018-07-16_20:45:47 INFO : save customization for OUD_DATA (/u01)
2018-07-16_20:45:47 INFO : save customization for ORACLE_BASE (/u00/app/oracle)
2018-07-16_20:45:47 INFO : save customization for ORACLE_HOME (/u00/app/oracle/product/fmw12.2.1.3.0)
2018-07-16_20:45:47 INFO : Please manual adjust your .bash_profile to load / source your OUD Environment
2018-07-16_20:45:47 INFO : using the following code
#Check OUD_BASE and load if necessary
if [ "${OUD_BASE}" = "" ]; then
if [ -f "${HOME}/.OUD_BASE" ]; then
. "${HOME}/.OUD_BASE"
else
echo "ERROR: Could not load ${HOME}/.OUD_BASE"
fi
fi

#define an oudenv alias
alias oud='. ${OUD_BASE}/bin/oudenv.sh'

#source oud environment
. /u00/app/oracle/local/oudbase/bin/oudenv.sh
2018-07-16_20:45:47 INFO : update your .OUD_BASE file /home/oracle/.OUD_BASE
2018-07-16_20:45:47 END : of oudbase_install.sh

As you can see from the output above, you just have to source .OUD_BASE and ${OUD_BASE}/bin/oudenv.sh to start using OUDbase. The installation script either provides an example of what you need to add to your .bash_profile or adjusts it directly when you specify the parameter -a.

#Check OUD_BASE and load if necessary
if [ "${OUD_BASE}" = "" ]; then
  if [ -f "${HOME}/.OUD_BASE" ]; then
    . "${HOME}/.OUD_BASE"
  else
    echo "ERROR: Could not load ${HOME}/.OUD_BASE"
  fi
fi

#define an oudenv alias
alias oud='. ${OUD_BASE}/bin/oudenv.sh'

#source oud environment
. /u00/app/oracle/local/oudbase/bin/oudenv.sh

The next time you log in, you’ll see the status of your OUD instance. If you do not have an OUDTAB file, OUDbase will create one for you based on existing OUD instances, Oracle homes etc.

If you haven’t yet installed any Oracle software or created an OUD instance, OUDbase cannot guess your environment. Therefore you have to create an OUDTAB file manually.

WARN : oudtab (/u00/app/oracle/local/oudbase/etc/oudtab) does not exist or is empty. Create a new one.
WARN : No OUD Instance yet available or defined.

Conclusion

The first blog post of the series on the OUDbase environment scripts should give you a first impression. The installation is straightforward and simple. In the next blog post I’ll show how you can configure and customize OUDbase. Besides a couple of use cases, I’ll provide a deeper insight into environment variables, aliases and scripts. So stay tuned. If you cannot wait, get the latest version of OUDbase from GitHub and start using it. By the way, my Docker build scripts are configured to use OUDbase.

References

Below you find a few references related to the topics discussed in this post:

Oracle CPU / PSU Pre-Release Announcement July 2018

Today Oracle has published the Pre-Release Announcement for the July 2018 Critical Patch Update. It’s quite a heavy update with not less than 334 security vulnerability fixes across the Oracle products. The Oracle database is relatively prominently represented with 3 security vulnerabilities and a maximal CVSS rating of 9.8. Of the vulnerabilities is remotely exploitable without authentication. But none of the security bug fixes is for client-only installations. So you just have to patch your database servers.

Oracle Unified Directory itself is not mentioned in the Oracle Critical Patch Update Pre-Release Announcement. But since there are updates for Oracle WebLogic, Oracle Java and Oracle Internet Directory, I assume there will follow a patch update for Oracle Unified Directory in a couple of days.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8. The following components are affected:

  • Core RDBMS
  • Java VM
  • Oracle Spatial (jackson-databind)

We will see all the details next Tuesday when Oracle is officially releasing the Critical Patch Update for July 2018. Next week I’ll have a closer look and do some test installations. I am particularly interested in why there is a patch for Oracle Database Server 18.2. Still just Oracle Cloud and Exadata or will we soon see an Oracle Database release 18c for on-premises?

More details about the patch will follow soon on the Oracle Security Pages.

DOAG 2018 SIG Security – Oracle Unified Directory on Docker

A couple of days ago I had the opportunity to give a presentation on Oracle Unified Directory on Docker at the DOAG SIG Security day in Stuttgart. It was a great opportunity to discuss how OUD engineering can be simplified using Docker. As proof of how easy this can be, I set up and configured an OUD AD proxy in a short demo.

 

Besides the demo the following topics were discussed:

  • Docker in a nutshell
  • Requirements to setup Oracle Unified Directory in Docker
  • Oracle Unified Directory installation
  • Build an Oracle Unified Directory Docker image
  • Discuss the Dockerfile and build scripts
  • Digression on how to make Docker images smaller
  • Use the Oracle Unified Directory Docker image
  • Discuss the instance status and create scripts
  • Use cases for Oracle Unified Directory in Docker
  • Demo setup Oracle Unified Directory with Enterprise User Security and Active Directory proxy

With an Oracle Unified Directory Docker image and the OUD Base template scripts, it took just a couple of minutes to set up and configure Enterprise User Security with an Oracle Unified Directory AD proxy. More complex use cases including high availability, replication etc. will take a bit more time, but they can also be automated.

The presentation and information related to event:

Some references and links related to this blog post and the presentation:

Oracle 18c new Security Features

Today I had the opportunity to give a presentation on Oracle 18c new Security Features at the SOUG day in Baden. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases. Especially the new central managed user with MS Active Directory.

Based on first experiences and insights, the following topics have been discussed:

  • Create schema only accounts
  • Integration of Active Directory services with Oracle Database
  • Encrypt sensitive credential data in the data dictionary
  • Write Unified Audit Trail records to SYSLOG or the Windows event viewer
  • Use Oracle Data Pump to export and import the Unified Audit Trail
  • Authentication and certification parameters
  • Enterprise User Security Manager (EUSM)
  • User defined master encryption key
  • Keystore for each Pluggable Database
  • Enhancements to Oracle Database Vault simulation mode
  • Grant Data Pump-Database Vault authorizations to roles
  • Oracle Database Vault support for Oracle Database Replay

The killer feature in this release is definitely the centrally managed user with its simple MS Active Directory integration. It is an ideal solution to simplify user management in small / midsize environments. For larger and more complex environments it makes more sense to engineer central user management using Oracle Enterprise User Security. Many other improvements are due to Oracle’s cloud strategy. Necessary and meaningful, but not earth-shattering.

The presentation is available in English over the following links:

Oracle Unified Directory systemd unit file

About a year ago I explained in the blog post Start OUD Servers on Boot using systemd how to start Oracle Unified Directory automatically on system startup. In the meantime a lot has changed, and so has my unit file. The simple unit file actually worked quite well, until the time came when I installed an updated Java version for OUD. At this point I realised that it is not really optimal to have JAVA_HOME, or rather OPENDS_JAVA_HOME, in the unit file. It all happened on a system where I didn’t have root access. OUD couldn’t be started any more using systemd, because the Java home path in the unit file was no longer correct. A change request and a few days later, the problem was solved. Nevertheless this was a good opportunity to optimize the OUD unit file and get rid of static information. JAVA_HOME does not have to be specified explicitly when starting OUD. It is usually specified within java.properties, see also the blog post Change default JAVA_HOME for OUD Instance.

What has been changed in the current unit file?

  • Environment: The environment variable OPENDS_JAVA_HOME has been removed completely. start-ds uses the JAVA_HOME specified in java.properties.
  • WorkingDirectory: The working directory has been set to the OUD instance home.
  • PIDFile: Since the service type is forking, this directive is used to set the path of the PID file for the OUD instance. The file contains the process ID of the directory server JVM process, which systemd monitors.
  • Restart: systemd will attempt to automatically restart the service on failure.
  • RestartSec: Amount of time to wait before attempting to restart the service.
  • SuccessExitStatus: stop-ds sends a SIGTERM to the JVM to stop the directory server. This results in exit code 143. By default, systemd interprets this as an error. By setting SuccessExitStatus we override this behaviour and accept 143 or SIGTERM as successful.
  • User and Group: Have been set to oud/oud rather than oracle/osdba. User and group for OUD highly depend on your environment.

Below you see the revised version of the OUD unit file. The OUD instance home path has been replaced with the placeholder OUD_INSTANCE_HOME.

[Unit]
Description=OUD Instance
Wants=network.target
After=network.target

[Service]
Type=forking
User=oud
Group=oud
WorkingDirectory=OUD_INSTANCE_HOME/OUD
PIDFile=OUD_INSTANCE_HOME/OUD/logs/server.pid
ExecStart=OUD_INSTANCE_HOME/OUD/bin/start-ds --quiet
ExecStop=OUD_INSTANCE_HOME/OUD/bin/stop-ds --quiet
ExecReload=OUD_INSTANCE_HOME/OUD/bin/stop-ds --restart --quiet
RestartSec=42s
Restart=on-failure
SuccessExitStatus=143 SIGTERM
TimeoutSec=300
StandardOutput=syslog+console
StandardError=syslog+console

[Install]
WantedBy=multi-user.target

This updated unit file is also part of the latest version of OUD Base, my environment scripts for OUD. If you want to use it, you have to replace OUD_INSTANCE_HOME with your specific OUD instance home path.

export OUD_INSTANCE="oudtest"
export OUD_INSTANCE_HOME="/u00/app/oud/instances/$OUD_INSTANCE"
export cdl="/u00/app/oud/local"
export cda="/u00/app/oud/admin/$OUD_INSTANCE"
# copy the template and replace the placeholder with the real instance home
cat "$cdl/oudbase/templates/etc/oud_instance.service" \
  >"$cda/etc/oud_$OUD_INSTANCE.service"
sed -i "s|OUD_INSTANCE_HOME|$OUD_INSTANCE_HOME|" \
  "$cda/etc/oud_$OUD_INSTANCE.service"
cat "$cda/etc/oud_$OUD_INSTANCE.service"

Install the new unit file by copying it to the systemd folder /etc/systemd/system.

sudo cp $cda/etc/oud_$OUD_INSTANCE.service \
  /etc/systemd/system/oud_$OUD_INSTANCE.service

Run systemctl daemon-reload and enable the new service.

sudo systemctl daemon-reload
sudo systemctl enable oud_$OUD_INSTANCE.service

Your OUD instance can now be started and stopped with systemctl, as explained in the first blog post about OUD and systemd.
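The steps above, collected into a small script that also checks the rendered unit before it is copied to /etc/systemd/system: no placeholder may survive, every path systemd will execute must lie below the instance home, and the JVM's SIGTERM exit code must be accepted. This is an added example and not code from OUD Base; the template is embedded inline, and the instance name oudtest and the path /u00/app/oud/instances are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of OUD Base. Renders the OUD unit file from the
# template and sanity-checks it. Instance name and paths are assumptions.

# Write the template shown above into the file named by $1 (embedded so the
# example runs without an OUD Base checkout).
write_unit_template() {
  cat >"$1" <<'EOF'
[Unit]
Description=OUD Instance
Wants=network.target
After=network.target

[Service]
Type=forking
User=oud
Group=oud
WorkingDirectory=OUD_INSTANCE_HOME/OUD
PIDFile=OUD_INSTANCE_HOME/OUD/logs/server.pid
ExecStart=OUD_INSTANCE_HOME/OUD/bin/start-ds --quiet
ExecStop=OUD_INSTANCE_HOME/OUD/bin/stop-ds --quiet
ExecReload=OUD_INSTANCE_HOME/OUD/bin/stop-ds --restart --quiet
RestartSec=42s
Restart=on-failure
SuccessExitStatus=143 SIGTERM
TimeoutSec=300
StandardOutput=syslog+console
StandardError=syslog+console

[Install]
WantedBy=multi-user.target
EOF
}

# render_oud_unit TEMPLATE OUT INSTANCE_HOME
# Replaces the OUD_INSTANCE_HOME placeholder and refuses to leave behind a
# unit that systemd would start with a relative, unreplaced or foreign path.
render_oud_unit() {
  template=$1; out=$2; home=$3
  case $home in
    /*) ;;
    *) echo "instance home must be an absolute path: $home" >&2; return 1 ;;
  esac
  case $home in
    *'|'*|*'&'*) echo "instance home must not contain | or & (sed delimiter/backreference)" >&2; return 1 ;;
  esac
  sed "s|OUD_INSTANCE_HOME|$home|g" "$template" >"$out" || return 1

  # 1. no placeholder may survive the substitution
  if grep -q 'OUD_INSTANCE_HOME' "$out"; then
    echo "unreplaced placeholder in $out" >&2; rm -f "$out"; return 1
  fi
  # 2. every path systemd will use must lie below the instance home
  grep -E '^(Exec[A-Za-z]*|PIDFile|WorkingDirectory)=' "$out" |
  while IFS='=' read -r key value; do
    case $value in
      "$home"/*) ;;
      *) echo "$key points outside $home: $value" >&2; exit 1 ;;
    esac
  done || { rm -f "$out"; return 1; }
  # 3. the JVM's SIGTERM exit code (143) must count as a clean stop
  grep -q '^SuccessExitStatus=.*143' "$out" ||
    { echo "SuccessExitStatus does not accept 143" >&2; rm -f "$out"; return 1; }
  return 0
}

# Demo run into a scratch directory; for real use render into $cda/etc and
# copy the result to /etc/systemd/system as shown above.
demo=$(mktemp -d)
write_unit_template "$demo/oud_instance.service"
render_oud_unit "$demo/oud_instance.service" "$demo/oud_oudtest.service" \
  /u00/app/oud/instances/oudtest && cat "$demo/oud_oudtest.service"
```

On a systemd host, `systemd-analyze verify /etc/systemd/system/oud_oudtest.service` after the copy lets systemd lint the installed unit as well.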

Some references and links related to this blog post:

Reduce PDF size in Mac OS Preview

Once in a while I have to create PDFs out of my PowerPoint presentations, as I did a couple of weeks ago when I finished my presentation on Oracle Transparent Sensitive Data Protection for the SOUG day in Baden-Dättwill. I prefer to do this with a minimal amount of extra tools, so no Acrobat Reader, Ghostscript etc. The built-in functionality for printing and saving as PDF is generally sufficient. However, from time to time the output gets quite large. OK, I could reduce the image size in my PowerPoint presentations, but then I would either have low-quality images in my presentation or have to maintain two presentation files, one in high quality and the other for distribution.

One could now object that nowadays space is no longer a problem. Yes, yes, “space, the final frontier…” 🙂 But that’s another story. It is still handy to have a PDF of reasonable size. The PowerPoint file for the SOUG presentation is not too large (7.8 MB), but the generated PDF is an impressive 24 MB.

Workflow to generate a PDF file out of a PowerPoint document:

  1. Create the PDF using PowerPoint Print/Save as PDF…
  2. Open the PDF in macOS Preview and export it using a Quartz filter to resize it

Resizing PDFs can be done out of the box with macOS Preview. Just use the menu File/Export… and select a Quartz filter to resize the document (see picture).
MacOS Preview, Export PDF

The resulting PDF file is small enough (approx. 4 MB), but the image quality is well below optimal. Images with fine details, fonts etc. are downsampled too much, so that details are barely visible. This is due to how the default Quartz filter optimises the images: its Compression Quality and ImageSizeMax are rather aggressive. But it is an easy task to create custom Quartz filters with a less intense compression; just take the default Quartz filter definition file as a template.

Create a new folder for the user defined filters:

mkdir $HOME/Library/Filters

Create new files for good, better and best image compression:

cp "/System/Library/Filters/Reduce File Size.qfilter" \
	$HOME/Library/Filters/reduce_file_size_good.qfilter
cp "/System/Library/Filters/Reduce File Size.qfilter" \
	$HOME/Library/Filters/reduce_file_size_better.qfilter
cp "/System/Library/Filters/Reduce File Size.qfilter" \
	$HOME/Library/Filters/reduce_file_size_best.qfilter

Edit the three files with your favourite text editor and adjust the values for Compression Quality, ImageSizeMax and the Name of the filter. Compression Quality is the JPEG quality (0.0 to 1.0) and ImageSizeMax the maximum image dimension in pixels; 842, 1684 and 3508 correspond to the long edge of an A4 page at 72, 144 and 300 dpi. For my three levels I use the following values.

Name                     Compression Quality   ImageSizeMax   File
Reduce File Size Good    0.25                  842            reduce_file_size_good.qfilter
Reduce File Size Better  0.5                   1684           reduce_file_size_better.qfilter
Reduce File Size Best    0.75                  3508           reduce_file_size_best.qfilter

See also the excerpt from one of the Quartz filter files:

...
		<key>ImageSettings</key>
		<dict>
			<key>Compression Quality</key>
			<real>0.75</real>
			<key>ImageCompression</key>
			<string>ImageJPEGCompress</string>
			<key>ImageScaleSettings</key>
			<dict>
				<key>ImageScaleFactor</key>
				<real>0.5</real>
				<key>ImageScaleInterpolate</key>
				<true/>
				<key>ImageSizeMax</key>
				<integer>3508</integer>
				<key>ImageSizeMin</key>
				<integer>128</integer>
			</dict>
		</dict>
...
	<key>FilterType</key>
	<integer>1</integer>
	<key>Name</key>
	<string>Reduce File Size Best</string>
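Instead of editing the three copies by hand, the following script creates them from the template with the values of the table, rewriting only the value that follows each of the three keys and validating the inputs first. It is an added example and not one of the author's filter files; the embedded template is a constructed stand-in whose nesting above ImageSettings is assumed, so on a Mac the script prefers the real /System/Library/Filters/Reduce File Size.qfilter when it is readable.

```shell
#!/bin/sh
# Added example: generate the custom Quartz filters from the system template.
# The embedded template is a constructed stand-in (nesting above ImageSettings
# assumed) so the example also runs on a machine without macOS.

write_sample_template() {
  cat >"$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>FilterData</key>
	<dict>
		<key>ColorSettings</key>
		<dict>
			<key>ImageSettings</key>
			<dict>
				<key>Compression Quality</key>
				<real>0.0</real>
				<key>ImageCompression</key>
				<string>ImageJPEGCompress</string>
				<key>ImageScaleSettings</key>
				<dict>
					<key>ImageScaleFactor</key>
					<real>0.5</real>
					<key>ImageScaleInterpolate</key>
					<true/>
					<key>ImageSizeMax</key>
					<integer>512</integer>
					<key>ImageSizeMin</key>
					<integer>128</integer>
				</dict>
			</dict>
		</dict>
	</dict>
	<key>FilterType</key>
	<integer>1</integer>
	<key>Name</key>
	<string>Reduce File Size</string>
</dict>
</plist>
EOF
}

# make_qfilter TEMPLATE OUT NAME QUALITY SIZEMAX
# Copies TEMPLATE to OUT, replacing the value that follows the keys
# "Compression Quality", "ImageSizeMax" and "Name". Everything else is verbatim.
make_qfilter() {
  template=$1; out=$2; name=$3; quality=$4; sizemax=$5
  case $quality in                      # JPEG quality must be within 0.0..1.0
    0|0.[0-9]*|1|1.0|1.00) ;;
    *) echo "Compression Quality must be between 0 and 1: $quality" >&2; return 1 ;;
  esac
  case $sizemax in                      # pixel dimension must be a positive integer
    ''|*[!0-9]*|0) echo "ImageSizeMax must be a positive integer: $sizemax" >&2; return 1 ;;
  esac
  # awk keeps the previous line; when it was one of the three keys, the value
  # element on the current line is rewritten (name must not contain "&").
  awk -v name="$name" -v q="$quality" -v m="$sizemax" '
    prev ~ /<key>Compression Quality<\/key>/ { sub(/<real>[^<]*<\/real>/, "<real>" q "</real>") }
    prev ~ /<key>ImageSizeMax<\/key>/        { sub(/<integer>[^<]*<\/integer>/, "<integer>" m "</integer>") }
    prev ~ /<key>Name<\/key>/                { sub(/<string>[^<]*<\/string>/, "<string>" name "</string>") }
    { print; prev = $0 }
  ' "$template" >"$out" || return 1
  if command -v plutil >/dev/null 2>&1; then   # macOS only: reject a malformed plist
    plutil -lint "$out" >/dev/null || return 1
  fi
}

# make_quartz_filters TEMPLATE DIR: the three levels from the table above
make_quartz_filters() {
  template=$1; dir=$2
  mkdir -p "$dir" &&
  make_qfilter "$template" "$dir/reduce_file_size_good.qfilter"   "Reduce File Size Good"   0.25 842  &&
  make_qfilter "$template" "$dir/reduce_file_size_better.qfilter" "Reduce File Size Better" 0.5  1684 &&
  make_qfilter "$template" "$dir/reduce_file_size_best.qfilter"   "Reduce File Size Best"   0.75 3508
}

# Demo: use Apple's template when present, else the constructed one.
# On a Mac write into "$HOME/Library/Filters" instead of the scratch directory.
scratch=$(mktemp -d)
src="/System/Library/Filters/Reduce File Size.qfilter"
[ -r "$src" ] || { src="$scratch/Reduce File Size.qfilter"; write_sample_template "$src"; }
make_quartz_filters "$src" "$scratch/Filters" && ls "$scratch/Filters"
```

Because the value is located by the key on the preceding line, the script works on the real template regardless of how deeply ImageSettings is nested, as long as the file keeps the one-element-per-line layout of the excerpt.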

The next time you start Preview and export a PDF you will see the new Quartz filters. For the presentation on Oracle Transparent Sensitive Data Protection and its 24 MB PDF I used the filter for the better image quality. The resulting PDF is about 4.4 MB and the graphics for the maximum data security architecture (MDSA) still have an acceptable quality.
Preview export PDF new Quarz filters

As you can see from the links below, I didn’t think that up myself. Anyway, this post is more a summary and a personal note for the next time I have to export a PDF.

Files and References

Below you find a few references related to reducing the file size of a PDF using Preview, including my Quartz filter files: