HeartBleed and Oracle

There are a lot of people asking about Heartbleed and how it has impacted the web.
Oracle has published  MOS Note 1645479.1 that talks about all the products impacted and if and when fixes will be available.
The following blog post is also a good reference about the vulnerability.  https://blogs.oracle.com/security/entry/heartbleed_cve_2014_0160_vulnerability

Deep Dive: Oracle WebCenter Tips and Traps!

I'm currently at IOUG Collaborate 2014 in Las Vegas, and I recently finished my 2-hour deep dive into WebCenter. I collected a bunch of tips & tricks in 5 different areas: metadata, contribution, consumption, security, and integrations:

As usual, a lot of good presentations this year, but the Collaborate Mobile App makes it a bit tough to find them...

Bezzotech will be at booth (more...)

The Art of Exploiting Injection Flaws

Sid is doing his popular course, The Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here. Definitely highly recommended.

Pre-digested authentication

A bit of a follow-up to my previous post on Digest authentication.

The fun thing about doing the hard yards to code up the algorithm is that you get a deeper level of understanding about what's going on. Take these lines:

    v_in_str := utl_raw.cast_to_raw(i_username||':'||i_realm||':'||i_password);
    v_ha1 := lower(DBMS_OBFUSCATION_TOOLKIT.md5(input => v_in_raw));

Every time we build the "who we are" component for this site, we start with exactly the same (more...)

PL/SQL, UTL_HTTP and Digest Authentication

For the first time in what seems like ages, I've actually put together a piece of code worth sharing. It's not that I haven't been working, but just that it has all been very 'in-house' specific.

However I had a recent requirement to use a web service that makes use of Digest Authentication. If you have look at the UTL_HTTP SET_AUTHENTICATION subprogram, it only addresses Basic authentication (and, apparently, Amazon S3 which looks intriguing).

In (more...)

The WebLogic Server and Trust Stores

I will describe how you configure trust stores for the WebLogic Server.


Chain of trust

When a SSL server certificate is issued by a CA it is signed by a another certificate. Normally this will be an intermediate certificated, that is again signed by the CAs root certificate. So there is a chain of trust between the (more...)

The Balance of Business

In every business, there is a balance between business goals and various impediments.

The Balance of Business

You need to make sure that you don’t allow legal, QA, security and other internally-focused concerns tip the scale towards paralysis. There is more in this week’s edition of my newsletter “Technology That Fits” – sign up here.

You don’t know what happens

Suddenly, our offshore colleagues could not access the database. We scrambled to find a solution, and and it soon transpired that the central security function had rolled out out a security policy upgrade the night before. Unfortunately, our offshore colleagues were connected to the network in an uncommon way, so the new security policy cut them off.

You don’t know what will happen when you change a system. Enterprise IT landscapes have reached a complexity (more...)

Clusterware 12c and Restricted Service Registration for RAC

Topic: This post is about exploring the mechanisms used by Oracle Clusterware to restrict remote service registration, i.e. the 12c new feature "Restricting Service Registration for Oracle RAC Deployments"

Why is this useful? This improvement of 12c clusterware and listeners over the 11.2 version is useful mainly for security purposes, for example as a measure against TNS poisoning attacks (see also CVE-2012-1675), and it is particularly relevant for (more...)

Learning Devise for Rails

(blogarhythm ~ Points of Authority / Linkin Park)

I recently got my hands on a review copy of Learning Devise for Rails from Packt and was quite interested to see if it was worth a recommendation (tldr: yes).

A book like this has to be current. Happily this edition covers Rails 4 and Devise 3, and code examples worked fine for me with the latest point releases.

The book is structured primarily as a (more...)

Upgrading EM12c to Active Directory Authentication Quirks

We recently upgraded our EM12c installation to This service was configured to authenticate logins against our Active Directory server via LDAP. However, after upgrading we found that authentication stopped working, even after recreating the Active Directory Authenticator (as required). I could see the list of users from AD, but could not authenticate them in EM!

In this post I'm going to share what we did to diagnose (more...)

Oracle Database Security Assessment

Data Security has taken a front seat in terms of IT Security lately. Database security is an area of information security that is concerned with the use of security controls to protect databases. Organizations are trying to protect their databases from both internal and external threats. 

In this regard, Oracle has put up an online Database Security Assessment on their website. You may now check how secure your database is by answering few simple (more...)

Unable to change WS Policy Store to “App Server Connection” in JDeveloper

Today when trying different settings with Basic Authentication and SOA Suite, I wanted to from the embedded OWSM Policy Repository of JDeveloper to the one stored on the application server. In JDeveloper you can do that through preferences (Tools | Preferences). See this blog for more details.

Click on the App Server Connection option and choose an existing connection through the Connections drop-down or add a new one by clicking New.



Unfortunately (more...)

The Age of Transparency

It seems that Boing just lost a 4 billion dollar deal to supply fighter jets to Brazil, because the Brazilians were miffed that the NSA spied on them.

You also live in a transparent world. If the NSA was unable to weed out Edward Snowdon in their hiring procedure, do (more...)

Finally connected the dots …

My son (10) has been asking about VPNs a lot lately. Which I thought was because of all of the news lately about the NSA. I ended up showing him tunnel bear, which he quickly installed on his laptop and iPhone. I complimented my son for his interest in security (more...)

Control Your Information

It appears that international credit bureau company Experian was inadvertently selling private information to online criminals posing as “private investigators”. These criminals then used Social Security numbers, birthdays and drivers license records to commit identify theft. Ironically, Experian is also selling protection against identity theft to private customers…

Do you know (more...)

Oracle Forms and Java 7u51

Java 7u51 is scheduled for release in January. It will have some consequences for you Forms installation that you need to address.

As far as I know there is no problems with using 7u51 on the server side, only on the client side.


Jar signing

7u51 requires you to sign all RIAs (Applets and Web Start applications).

Oracle already signs the standard jar (more...)

WebLogic Server and entropy

After input from Jacco H. Landlust and Edwin Biemond I have rewritten my post about entropy.


Entropy pool

In computing you often need random numbers. They are used for encrypting stuff but also for lots of other things.

For Linux servers random numbers are default provided by the /dev/random device. /dev/random is a pool of random bits (more...)

A System for Oracle Users and Privileges with Automatic Expiry Dates

Tired of tracking down all the users in the database to deactivate them when they cease to exist, or change roles, or fulfill their temporary need to the database? Or, tracking down privileges you granted to existing users at the end of their requested period? The solution is to think (more...)

Last Successful Login Time in SQL*Plus in Oracle 12c

If you have been working with Oracle 12c, you may have missed a little something that appeared without mush fanfare but has some powerful implications. Let's see it with a small example--connecting with SQL*Plus.

C:\> sqlplus arup/arup

SQL*Plus: Release Production on Mon Aug 19 14:17:45 (more...)