Clusterware 12c and Restricted Service Registration for RAC

Topic: This post is about exploring the mechanisms used by Oracle Clusterware 12.1.0.1 to restrict remote service registration, i.e. the 12c new feature "Restricting Service Registration for Oracle RAC Deployments"

Why is this useful? This improvement of 12c clusterware and listeners over the 11.2 version is useful mainly for security purposes, for example as a measure against TNS poisoning attacks (see also CVE-2012-1675), and it is particularly relevant for (more...)

Learning Devise for Rails

(blogarhythm ~ Points of Authority / Linkin Park)

I recently got my hands on a review copy of Learning Devise for Rails from Packt and was quite interested to see if it was worth a recommendation (tldr: yes).

A book like this has to be current. Happily this edition covers Rails 4 and Devise 3, and code examples worked fine for me with the latest point releases.

The book is structured primarily as a (more...)

Upgrading EM12c to 12.1.0.3: Active Directory Authentication Quirks

We recently upgraded our EM12c 12.1.0.2 installation to 12.1.0.3. This service was configured to authenticate logins against our Active Directory server via LDAP. However, after upgrading we found that authentication stopped working, even after recreating the Active Directory Authenticator (as required). I could see the list of users from AD, but could not authenticate them in EM!

In this post I'm going to share what we did to diagnose (more...)

Oracle Database Security Assessment

Data Security has taken a front seat in terms of IT Security lately. Database security is an area of information security that is concerned with the use of security controls to protect databases. Organizations are trying to protect their databases from both internal and external threats.

In this regard, Oracle has put up an online Database Security Assessment on their website. You may now check how secure your database is by answering a few simple (more...)

How integration guys created a data security nightmare

There has been a policy in integration that has stored up a really great challenge of data security, and by great I don't mean 'fantastic' I mean 'aw crap'. It's a policy that was done for the best of reasons and one that really will in future represent a growing challenge to Big Data and federated information. The policy can be described as this: Users authenticate with Apps, Apps

Unable to change WS Policy Store to “App Server Connection” in JDeveloper

Today when trying different settings with Basic Authentication and SOA Suite, I wanted to switch from the embedded OWSM Policy Repository of JDeveloper to the one stored on the application server. In JDeveloper you can do that through preferences (Tools | Preferences). See this blog for more details.

Click on the App Server Connection option and choose an existing connection through the Connections drop-down or add a new one by clicking New.

Unfortunately (more...)

The Age of Transparency

It seems that Boeing just lost a 4 billion dollar deal to supply fighter jets to Brazil, because the Brazilians were miffed that the NSA spied on them.

You also live in a transparent world. If the NSA was unable to weed out Edward Snowden in their hiring procedure, do (more...)

Finally connected the dots …

My son (10) has been asking about VPNs a lot lately. Which I thought was because of all of the news lately about the NSA. I ended up showing him TunnelBear, which he quickly installed on his laptop and iPhone. I complimented my son for his interest in security (more...)

My vJUG Session: Don’t Be That Guy! Developer Security Awareness

I've been invited to talk at the vJUG which is the newest JUG around. A virtual JUG reaching out to interested Java Developers over all time zones and locations. The aim is to get the greatest minds and speakers of the Java industry giving talks and presentations for this community, (more...)

Control Your Information

It appears that international credit bureau company Experian was inadvertently selling private information to online criminals posing as “private investigators”. These criminals then used Social Security numbers, birthdays and driver's license records to commit identity theft. Ironically, Experian is also selling protection against identity theft to private customers…

Do you know (more...)

Oracle Forms and Java 7u51

Java 7u51 is scheduled for release in January. It will have some consequences for your Forms installation that you need to address.

As far as I know there are no problems with using 7u51 on the server side, only on the client side.

Overview

Jar signing

7u51 requires you to sign all RIAs (Applets and Web Start applications).

Oracle already signs the standard jar (more...)

WebLogic Server and entropy

After input from Jacco H. Landlust and Edwin Biemond I have rewritten my post about entropy.

Overview

Entropy pool

In computing you often need random numbers. They are used for encrypting stuff but also for lots of other things.

For Linux servers random numbers are provided by default by the /dev/random device. /dev/random is a pool of random bits (more...)

A System for Oracle Users and Privileges with Automatic Expiry Dates

Tired of tracking down all the users in the database to deactivate them when they cease to exist, or change roles, or fulfill their temporary need for the database? Or, tracking down privileges you granted to existing users at the end of their requested period? The solution is to think (more...)

Last Successful Login Time in SQL*Plus in Oracle 12c

If you have been working with Oracle 12c, you may have missed a little something that appeared without much fanfare but has some powerful implications. Let's see it with a small example--connecting with SQL*Plus.

C:\> sqlplus arup/arup

SQL*Plus: Release 12.1.0.1.0 Production on Mon Aug 19 14:17:45 (more...)

Fix for oradebug disable auditing available (11.2.0.3/11.2.0.4/12.1.0.1)

2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem has been available for 9 months.

Oradebug allows you to run OS commands and to enable/disable Oracle SYSDBA (more...)

Tightening Security with SELECT ANY DICTIONARY in Oracle 12c

Developers and users sometimes request the SELECT ANY DICTIONARY system privilege to enable them to view various data dictionary tables. This may be fine for querying DBA_TABLES, etc., but the Oracle data dictionary contains a LOT of information. Some of the views/tables are compromising from a security standpoint. (more...)

How One Man Killed the Cloud

While I was not surprised that the U.S. intelligence agencies monitor web activity, I was surprised at the scale revealed by the Edward Snowden leaks.

If there are still American cloud providers that do not routinely provide the NSA with wholesale access to their customers’ data, it will only (more...)

Create a CA, issue server/client certificates and test them via Apache

Here is a quick way of creating your own CA and issue server and client certificates via OpenSSL.

I will test the certificates via the Apache HTTP Server by configuring one and two-way SSL.

I use Oracle Linux 5.

You should of course only use this for test scenarios.

Install (more...)

BI Mobile Security Toolkit for 11.1.1.7.0

The Oracle Business Intelligence Mobile Security Toolkit 11.1.1.7 for Apple iPad (iOS 5 & 6) is now available for download at http://goo.gl/Mq6rI

The Oracle BI Mobile Security Toolkit "provides the ability to generate a signed version of the Oracle BI Mobile HD application. The toolkit (more...)

Protect the Apache HTTP Server against CRIME SSL/TLS attacks

It is now possible to protect Apache on both Windows and Red Hat servers against CRIME SSL/TLS attacks.

I have updated my Hardening the Apache HTTP Server post accordingly.