Native Network Encryption and SSL/TLS are not part of the Advanced Security Option

 

I had a little surprise the other day. I was asked to set up an SSL/TLS connection to a database and I refused, saying it would break our license agreement as we don’t have the Advanced Security Option. I opened the 11gR2 licensing manual to include a link in my email response and found this.

“Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.”

I checked the 11gR1 and 10gR2 docs also. Sure enough, it was removed from the Advanced Security Option from 10gR2 onward (check out update below). Check out the 10g licensing doc here, specifically the last paragraph in that linked section.

The documentation on this configuration is split among a number of manuals, most of which still say it is part of the Advanced Security Option. That made me a little nervous, so I raised an SR with Oracle to confirm the licensing situation and file bug reports against the docs to correct the inconsistency. Their response was it is definitely free and the docs are being amended to bring them in line with the licensing manual. Happy days! :)

Lessons learned here are:

  • Skim through the licensing manual for every new release to see what bits are now free.
  • Don’t trust the technical docs for licensing information. Always cross check with the licensing manual and assume that’s got the correct information. If in doubt, raise an SR to check.

As far as the configuration is concerned, I had never written about this functionality before, so I thought I should do backfill articles on it.

The documentation for TCP/IP with SSL/TCP is rather convoluted, so you could be forgiven for thinking it was rocket science. Actually, it’s pretty simple to set up. It was only after I finished doing it I found a reference to the following MOS note.

It would have saved me a lot of bloody time if the documentation included this. I would never have bothered to write the article in the first place!

For a lot of people, encrypting database connections is probably not that big a deal. If your databases and application servers are sitting behind a firewall in a “safe” part of your network, then why bother?

If there are direct database connections crossing network zones, that’s a different matter! Did anyone mention “cloud”? If you need to connect to your cloud databases from application servers or client tools sitting on-premise, I guess encrypted database connections are pretty high up your list of requirements, or at least they should be. Good job it is free now. :)

It seems I’m not the only person behind the times on this licensing change. The Amazon AWS RDS for Oracle documentation has made the same mistake. I’ve written to them to ask them to correct this page also. :)

Cheers

Tim…

Update: Simon, Jacco, Franck and Patrick all pointed out this licensing change was due to this security exploit. It was made public during 11.2, but the license change was made retrospectively back to 10.2. I don’t feel so bad about it now. :)

Update2: I’ve added a link to the Native Network Encryption stuff, based on the comment by Markus.

Oracle Midlands : Event #10

 

Just a quick heads-up about the next Oracle Midlands event. It’s good to encourage new speakers, so Mike is giving this new, unknown kid a shot at the limelight. I hope you will all come along to show your support.

Cheers

Tim…

Oracle Enterprise Manager Cloud Control 12c Release 5 (12.1.0.5) : My first two installations

 

I’ve done a couple of play installations of EM12c 12.1.0.5, just to get a feel for it. You can see the result of that here.

From an installation perspective, everything was pretty similar to the previous releases. I tried the installation on both OL5 and OL6, in both cases using 12c as the database repository. No dramas there.

A couple of things of note.

  1. The 12c repository template database is a Non-CDB architecture.
  2. The Weblogic installation uses Java6.

Interesting…

The next step is to try some upgrades from EM 12.1.0.4 (on DB 11.2.0.4) to EM 12.1.0.5, which is what I’ll need for my upgrades at work. The testing is quite time consuming and boring, but it’s got to be done before I can unleash this on the company. :)

Cheers

Tim…

PS. Remember to download from edelivery.oracle.com (in a couple of days) for your production installations. Apparently there is a difference to the license agreement.

Feedback from the Oracle documentation team

 

I got some feedback from the Oracle documentation team, based on my recent post.

GUIDs

One of the concerns I raised was about how the GUIDs would be used in different releases of the documentation. Although I don’t like the look of the GUIDs, I can understand why they might be more convenient than trying to think of a neat, descriptive, human readable slug. My concern was the GUID might be unique for every incarnation of the same page. That is, a new GUID for the same page for each patchset, DB version and/or minor text correction. That would make it really hard to flick between versions, as you couldn’t predict what the page was called in each variant.

It seems my worries were unfounded. The intention is the GUID of a specific page will stay the same, regardless of patchset, DB version or document correction. That’s great news!

Broken Links

The team are trying to put some stuff in place to correct the broken links. I think I might know who is developing this solution. :)

The quick fix will be to direct previously broken links to the table of contents page of the appropriate manual. Later, they will attempt to provide topic-to-topic links. No promises here, but it sounds promising.

Conclusion

I’m going to continue to fix the broken links on my site as I want to maintain the direct topic links in the short term, but this sounds like really good news going forward.

It also sounds like the documentation team are feeling our pain and putting stuff in place to prevent this happening in future, which is fantastic news! :)

Note to self: It’s much better to engage with the right people and discuss the issue, rather than just bitch about stuff.

Cheers

Tim…

Oracle Enterprise Manager Cloud Control 12c Release 5 (12.1.0.5) – Just Born

 

Oracle Enterprise Manager Cloud Control 12c Release 5 (12.1.0.5) was announced a few days ago. I woke up today and checked the interwebs and it’s actually available for download.

I must admit I’m a little nervous about the upgrade. I had a few bad times with upgrades in the early days of Grid Control and Cloud Control and that has left me with a little bit of voodoo lurking in the back of my mind. The last couple of upgrades have been really easy, so I’m sure it will be fine, but that voodoo…

I’ll download it now and do a clean install. Then do a couple of practice upgrades. If all that goes well, I’ll schedule a date to sacrifice a chicken, raise a zombie from the dead to do my bidding, then do the real upgrade.

Cheers

Tim…

Update. Looking at the certification matrix, the repository is now certified on 12.1.0.2, as well as 11.2.0.4 and 11.2.0.3.

Update 2. Pete mentioned in the comments that 12.1.0.2 has been certified for the Cloud Control repository since March, with some restrictions. So it’s not new to this release. See the comments for details.

Update 3. Remember to download from edelivery.oracle.com (in a couple of days) for your production installations. Apparently there is a difference to the license agreement.

Oracle Documentation URLs : What I would like to see!

 

After my recent rant about broken URLs, I thought it would be sensible to say something a little more constructive, so this is what I would do if I were asked to structure the documentation. Other opinions are valid. :)

Base URL: I’m assuming the base URL for the database documentation will never change again from its current value.

Version: Next comes a version. Personally I would have a separate version for every patchset, so you can easily flick between them to see the variations in the documentation, but I would also have a concept of the “latest” for each major release and the “overall latest” version of the page, so you can always link to the most up to date version of the document if you want. That means, whatever happens with new releases, you will always have the link pointing to the latest page for that feature, unless of course the feature has been removed. All previous versions of the docs will remain and the URLs will still be valid. Believe it or not, sometimes people really do need to read the old documentation!

Book: Some indicator of the book the page belongs to. Oracle are already doing this with things like “DBSEG” for Database Security Guide. This must never change!

Page: A slug representing the page. It would be nice if these were human readable, like “audit_admin”, but if they want to use those crappy GUIDs, that’s fine, provided that they are cast in stone as the ID for that page, regardless of version forever. The GUID must not be unique for each version of the page, or it makes it impossible to easily switch between the same page for different database versions.

Internal anchors: Some of the internal anchors in pages have some odd behaviour now. You click a link, which takes you to the correct part of the page, but the URL bar still shows the top-level page URL. As a result, if you grab the URL for a link in your blog, you are not really pointing to the correct place on the page. So you have to find the original link you clicked and copy that, so you are really getting to the link you want. Very annoying! Internal anchors should be consistent, visible and live forever. If you want to change the anchor, you can add a new one in addition to the old one. Nothing wrong with that! Once again, the ugly GUIDs are acceptable here, but only if the GUID for an anchor never changes, so to read the same section of text in another DB version, you only have to change the version part of the URL.

As an example of all this, let’s think about the “Administering the Audit Trail” page from the 12c documentation and show how this could be handled going forward.

  • “/12.1.0.1/DBSEG/audit_admin.htm”
  • “/12.1.0.2/DBSEG/audit_admin.htm”
  • “/12.1-latest/DBSEG/audit_admin.htm” : Points to 12.1.0.2 unless a newer patchset is released for the 12.1 release.
  • “/12.2.0.1/DBSEG/audit_admin.htm”
  • “/12.2-latest/DBSEG/audit_admin.htm” : Points to 12.2.0.1 until a newer patchset is released for the 12.2 release.
  • “/latest/DBSEG/audit_admin.htm” : Points to the very latest version of the page. The latest patchset for the latest release (12.2.0.1, 13.1.0.1 etc.).

This would allow all versions of the docs to coexist. You could switch between them easily, as in most cases, the only thing you ever need to change is the version number. A perfect example of this can be seen in the MySQL documentation, which is organised beautifully. It’s so simple the pages include version links so you can switch between versions with a single click.

I appreciate there are situations where things would not run to plan, like when features are removed, or expanded to the point where pages are split into several new pages etc. These could still be catered for if a sensible approach were taken, like the original page becoming a “link page” to all the expanded content.

I would not expect Oracle to retro-fit all the old documentation, as that would be a massive task and break even more links, but something more sensible and future-proof needs to happen compared to what we have seen in recent years, which to be brutally frank has been a clusterfuck on a monumental scale!

I know Oracle are taking steps to address this issue. I just hope their solution is not more smoke and mirrors and actually starts to resemble a basic filing system!

Cheers

Tim…

Any DBAs out there thinking of Optimal Flexible Architecture (OFA)? :)

Update: Apart from being ugly, I have no real problem with the GUID. My only worry is Oracle will assign a new GUID for a page for each version (typo correction, release, DB version etc.) of the same page, thus making the whole switching between DB versions by altering one part of the URL impossible. If they do this constant change of the GUIDs, it will also result in one of two things.

  1. If the old version of the page is not kept forever, you will have yet more broken links.
  2. If pages are kept forever, that’s better, but if a new GUID is created for every small revision of the same page (within a database release/version), you will continue to point to the old uncorrected page, which will lower the quality of your links.

So the GUIDs themselves are the problem. It’s how they “could” be used that “could” be the problem. Think about the possible scenarios during the lifespan of a single section of the documentation and I think you will see how disastrous this could be.

 

Databases Running in the Cloud

 

I’ve been playing around with running databases in the cloud recently. It’s quite simplistic stuff, just to get a feel for it and investigate the possibilities of using it for some projects at work. Here’s what I’ve got so far.

Overview:

Oracle:

MySQL:

SQL Server:

It’s hard to differentiate between the cloud providers if you are just using them to provide a VM and self managing a system on it. It’s just another box provider.

In contrast the DBaaS offerings are much more interesting. I really like what Amazon are doing with RDS for Oracle/MySQL/SQL Server. I think these would work very well for *our* MySQL and SQL Server installations, which tend to be quite simple. I’m not sure I can live with some of the restrictions for RDS for Oracle, but that’s probably because I’m a snobby DBA type, who thinks he knows best. :) The DBaaS for SQL Server on Azure is also really nice. You get less control than the RDS version, but maybe that’s a good thing.

You might have noticed I’ve not written much about Oracle Cloud yet. I should be getting a trial of the platform this month, so I will be able to fill in those gaps then.

Cheers

Tim…

Oracle : Do you even internet? (broken links again)

 

I mentioned in a recent post that Oracle are often guilty of changing URLs, which breaks all the documentation links in your site. Someone replied with this link. I knew I had a lot of clean-up to do, but I expected most of it to be old URLs, like stuff pointing to 8i, 9i etc.

I’ve just been looking and vast swathes of links have been changed in the 12.1 docs. In some cases, articles I wrote a couple of weeks ago are screwed. The reference manual is guilty of this big time!

  • Before: http://docs.oracle.com/database/121/REFRN/refrn10140.htm
  • After: http://docs.oracle.com/database/121/REFRN/GUID-70035A22-E031-4975-A51C-871AE1F2F260.htm#REFRN23823

Check this one out too.

  • Before: http://docs.oracle.com/database/121/SUTIL/release_changes.htm#BABEJJAA
  • After: http://docs.oracle.com/database/121/SUTIL/GUID-F4EE2A42-3986-4597-9088-A506173ABABF.htm#GUID-0FC02CF3-D149-4EA9-AE3E-CB869921CF40__BABEJJAA

I’m not even going to make them links, because they will probably change again next week. :(

URLs DO NOT CHANGE!

This is really basic internet stuff. If you must change them, you have to put proper redirects in place so people can still get to your content FOREVER!

I’ve written about Oracle doing this before (here and here).

I’m always trying to encourage people to get involved in the community, but how can they possibly write good content if it is riddled with broken links to the docs? Going back to repair old content is soul destroying, so don’t make them do it!

Oracle. Please, please, please learn how to internet!

Cheers

Tim…

PS. Check out the MySQL documentation. It is arranged so neatly and you can flick between versions so simply. I know the documentation is much smaller, but something like this must be possible with some planning!

Update: I’ve written something a little more constructive on this subject here.

APEX 5.0 Rollout

 

Last month there was a frenzy of activity when APEX 5.0 was released. I had been having a dabble with the Early Adopter for a while, but I felt the need to do a local install.

The only slight issue I had was with static files and that was down to me not RTFMing properly. :) Patrick Wolf wrote about this issue recently here.

Having not had any problems while I was playing with APEX 5.0, I started the task of upgrading all the installations at work. We don’t do any major development, just basic CRUD screens and interactive reports, so it wasn’t too high profile a task. Anyway, the upgrades went smoothly and everything is running on APEX 5.0 now. Happy days! :)

Of course, if you are doing some complicated stuff that is pivotal to your business, you probably need to be a bit more meticulous about your planning and testing than I was, but it’s pretty good news that of the 20+ installations, none had any upgrade problems. :)

I’ve played around with ORDS 3.0 before the GA release.

We currently use the Oracle HTTP Server to front our stuff for historic reasons. I guess the next move will be to implement ORDS, but I’m not sure when that will happen…

Cheers

Tim…

 

Oracle Midlands : Event #9

 

The traffic on the way to Oracle Midlands Event #9 was a complete nightmare! There are a bunch of roadworks around the city that are making the traffic movement really problematic at the moment. Added to that, the always slow M6 was causing tailbacks along the Aston Express Way into the city. The traffic islands were all blocked, with people blocking exits and jumping red lights in a desperate attempt to get on them. Fortunately I started in plenty of time so I arrived with a few minutes to spare. Phew!

First up was Joel Goodman speaking about “Oracle Distributed Transactions”. This was actually quite a scary talk because it showed me both how much I don’t know and how much I’ve forgotten over the years. I’m getting old! There were a few raised eyebrows when he discussed the automatic and manual recovery of in-doubt transactions. I think a few people will be reviewing their recovery procedures. :) Joel is always good value as a presenter and as a walking Oracle encyclopedia!

The break, which included samosas and a prize draw, gave me the opportunity to chat to a few people, including @Kelloggs_ville. We had spoken at the start of the event, but in true Tim Hall style, I hadn’t made the connection between the real person and the Twitter picture. :) Don Stieler knows my skills in this respect. :)

Next up was Richard Harrison, a regular Oracle Midlands attendee and a previous “Lightning Talk” speaker. His session was on “Data Pump Tips & Tricks”. This talk really highlights to me the value of watching sessions on stuff you already know. Everyone has a different experience of the Oracle product set. Everyone has had to try and solve different problems using it. As a result, everyone is capable of putting a unique spin on the subject. I came away with a bunch of stuff I hadn’t considered before, which I will probably go back and retro-fit into some of my articles. Judging by the number of people scribbling away, I think other people were of a similar mind. :) Richard’s session was predominantly demo-based, a man after my own heart. :) I think this was Richard’s first full-length presentation and I’m hoping this will be the first of many!

I’m really getting a kick out of seeing how Oracle Midlands develops. Mike has done a truly amazing job of lining up great speakers and I feel like the group of attendees are bonding more with each event. I came away from the event feeling really hyper and enthusiastic about Oracle. It’s good to be reminded how much more there is to learn and to feel connected to other Oracle geeks. :)

Mike’s already got the speakers for the next couple of events lined up. The next one is by some new kid on the block called Jonathan Lewis. :) The one after is by Christian Antognini. Amazing!

Big thanks to Mike for keeping this train rolling. Thanks to everyone who keeps turning up and showing their support. This stuff can only happen if you keep coming! Thanks to the speakers for taking the time out to come and educate us. Big thanks also to Red Stack Technology (my new favourite company :) ) for sponsoring the event, so it can remain free! I’ll be seeing some of you folks at the UKOUG Systems Event later today! :)

See you soon!

Cheers

Tim…