ADF for the Enterprise and beyond – 3-day conference for senior developers and application architects

SNAGHTML5d1bacOn May 21st, 22nd and 23rd – AMIS and Oracle join forces for a three day event around enterprise application development with Oracle Fusion Middleware. The event targets senior (ADF) developers and application architects. It addresses many of the themes currently or shortly relevant to any organization: multi device UI, mobility, security, agile & automated software engineering, performance & scalability, user experience, web & mobile oriented architecture and cloud. It will discuss and demonstrate Oracle’s (more...)

IT Defence in Depth

The Heartbleed bug has shown that security vulnerabilities can pop up everywhere. Unfortunately, many IT organizations depend on a single security layer to secure their network – and as the ineffectiveness of the Maginot Line proved, that is a risky strategy. You need multiple security layers – what soldiers call Defence in Depth.Security LayersThis illustration is from my weekly Technology That Fits newsletter – sign up here.

HeartBleed and Oracle

There are a lot of people asking about Heartbleed and how it has impacted the web.
Oracle has published  MOS Note 1645479.1 that talks about all the products impacted and if and when fixes will be available.
The following blog post is also a good reference about the vulnerability.  https://blogs.oracle.com/security/entry/heartbleed_cve_2014_0160_vulnerability



Deep Dive: Oracle WebCenter Tips and Traps!

I'm currently at IOUG Collaborate 2014 in Las Vegas, and I recently finished my 2-hour deep dive into WebCenter. I collected a bunch of tips & tricks in 5 different areas: metadata, contribution, consumption, security, and integrations:


As usual, a lot of good presentations this year, but the Collaborate Mobile App makes it a bit tough to find them...

Bezzotech will be at booth (more...)

Set up https (SSL) for Weblogic and OBIEE

I have been blogging about the integration between Oracle eBS and Oracle BI EE. Apart from the integration, there are are few assumptions: Oracle eBS is installed Oracle BI is installed Oracle eBS and Oracle BI are compatible with each other (http vs. https) All necessary Oracle eBS patches are installed R11 check R12 included […]

ADF Alert – Facelets Vulnerability in ADF 11g R2 and 12c

If you are running your application in ADF 11g R2 or 12c environment and using facelets - you should double check, if a source code for the facelet pages is not accessible through the URL. There is another security vulnerability in ADF 11g R2, documented here - Alert for ADF Security - JSF 2.0 Vulnerability in ADF 11g R2. Apparently this is a patch from Oracle for JSF 2.0 vulnerability and also there (more...)

Alert for ADF Security – JSF 2.0 Vulnerability in ADF 11g R2

You must be concerned about your system security, if you are running ADF runtime based on ADF 11.1.2.1.0 - 11.1.2.4.0 versions. These versions are using JSF 2.0 with known security vulnerability - Two Path Traversal Defects in Oracle's JSF2 Implementation. This vulnerability allows to download full content of WEB-INF through any browser URL. There is a fix, but this fix is not applied by JDeveloper IDE (more...)

#EM12c Browser Security – Certificate Installation

One thing that bugs me is browser security.  When I access Oracle Enterprise Manager 12c (OEM12c) through a browser and get the certificate error (Image 1), it just pushes my buttons.   Why not ship a valid certificate with OEM12c?  In reality, the problem is not with OEM12c; it is actually with the browser you choose to use.  In my case, I use Google Chrome a lot with OEM12c.  So how (more...)

Pre-digested authentication

A bit of a follow-up to my previous post on Digest authentication.

The fun thing about doing the hard yards to code up the algorithm is that you get a deeper level of understanding about what's going on. Take these lines:

    v_in_str := utl_raw.cast_to_raw(i_username||':'||i_realm||':'||i_password);
    v_ha1 := lower(DBMS_OBFUSCATION_TOOLKIT.md5(input => v_in_raw));

Every time we build the "who we are" component for this site, we start with exactly the same (more...)

PL/SQL, UTL_HTTP and Digest Authentication

For the first time in what seems like ages, I've actually put together a piece of code worth sharing. It's not that I haven't been working, but just that it has all been very 'in-house' specific.

However I had a recent requirement to use a web service that makes use of Digest Authentication. If you have look at the UTL_HTTP SET_AUTHENTICATION subprogram, it only addresses Basic authentication (and, apparently, Amazon S3 which looks intriguing).

In (more...)

The WebLogic Server and Trust Stores


I will describe how you configure trust stores for the WebLogic Server.

Overview

Chain of trust

When a SSL server certificate is issued by a CA it is signed by a another certificate. Normally this will be an intermediate certificated, that is again signed by the CAs root certificate. So there is a chain of trust between the (more...)

BPM workspace: Scripted security

When implementing BPM processes, for each deployed BPM process an application role is created in the policy store. To enable users to work with the processes, groups are assigned to these application roles. Users are ofcourse assigned to their respective groups. Management of the BPM process application roles is available in Enterpsie Manager Fusion Middleware Control or the BPM workspace.

Let’s first use Fusion Middleware Control. We need to go to the security section.

em_menu_secuirty_approles

Choose (more...)

EM Cloud Control: Agent Patch fails: Current user not file owner

When I was patching all of our agents on our linux nodes with the latest PSU (12.1.0.3.5), I encountered an error with one linux node.

PREREQ_NAME: Performer check
PREREQ_DESC: Check if current performer are the file owner of /apps/oracle/product/agent12c/core/12.1.0.3.0.
PREREQ_TYPE:APPLICABILITY
PREREQ_STATUS:FAILED
PREREQ_MESG: Current user tony from Normal Oracle Home Credentials is not the file owner of /apps/oracle/product/agent12c/core/12.1.0.3.0.

Somehow privilege delegation hasn’t been applied (more...)

The Balance of Business

In every business, there is a balance between business goals and various impediments.

The Balance of Business

You need to make sure that you don’t allow legal, QA, security and other internally-focused concerns tip the scale towards paralysis. There is more in this week’s edition of my newsletter “Technology That Fits” – sign up here.

You don’t know what happens

Suddenly, our offshore colleagues could not access the database. We scrambled to find a solution, and and it soon transpired that the central security function had rolled out out a security policy upgrade the night before. Unfortunately, our offshore colleagues were connected to the network in an uncommon way, so the new security policy cut them off.

You don’t know what will happen when you change a system. Enterprise IT landscapes have reached a complexity (more...)

Clusterware 12c and Restricted Service Registration for RAC

Topic: This post is about exploring the mechanisms used by Oracle Clusterware 12.1.0.1 to restrict remote service registration, i.e. the 12c new feature "Restricting Service Registration for Oracle RAC Deployments"

Why is this useful? This improvement of 12c clusterware and listeners over the 11.2 version is useful mainly for security purposes, for example as a measure against TNS poisoning attacks (see also CVE-2012-1675), and it is particularly relevant for (more...)

Learning Devise for Rails

(blogarhythm ~ Points of Authority / Linkin Park)

I recently got my hands on a review copy of Learning Devise for Rails from Packt and was quite interested to see if it was worth a recommendation (tldr: yes).

A book like this has to be current. Happily this edition covers Rails 4 and Devise 3, and code examples worked fine for me with the latest point releases.

The book is structured primarily as a (more...)

Upgrading EM12c to 12.1.0.3: Active Directory Authentication Quirks

We recently upgraded our EM12c 12.1.0.2 installation to 12.1.0.3. This service was configured to authenticate logins against our Active Directory server via LDAP. However, after upgrading we found that authentication stopped working, even after recreating the Active Directory Authenticator (as required). I could see the list of users from AD, but could not authenticate them in EM!

In this post I'm going to share what we did to diagnose (more...)

Oracle Database Security Assessment

Data Security has taken a front seat in terms of IT Security lately. Database security is an area of information security that is concerned with the use of security controls to protect databases. Organizations are trying to protect their databases from both internal and external threats. 

In this regard, Oracle has put up an online Database Security Assessment on their website. You may now check how secure your database is by answering few simple (more...)

How integration guys created a data security nightmare

There has been a policy in integration that has stored up a really great challenge of data security, and by great I don't mean 'fantastic' I mean 'aw crap'.  Its a policy that was done for the best of reasons and one that really will in future represent a growing challenge to Big Data and federated information. The policy can be described as this: Users authenticate with Apps, Apps