TWO WAY SSL

How it works in a simple view

Several implementations are done with 2-way SSL certificates, but are you still wondering how it works?

Two-way SSL means that a client and a server communicate with each other over a verified connection. The verification is done with certificates that identify each side. Both the server and the client have a private key certificate and a public key certificate installed.

These are the basic components necessary to communicate 2-way SSL over HTTPS.

(more...)

AWS – Build your own Oracle Linux 7 AMI in the Cloud

I always like to know what is installed in the servers that I need to use for databases or Weblogic installs. Whether it is in the Oracle Cloud or in any other Cloud. One way to know is to build your own image that will be used to start your instances. My latest post was about building my own image for the Oracle Cloud (IAAS), but I could only get it to work with Linux (more...)

SSL/TLS: How to choose your cipher suite

For SSL/TLS connections, cipher suites determine to a large extent how secure the connection will be. A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings (here). But what does this mean and how do you choose a secure cipher suite? The area of TLS is quite extensive and I cannot cover it in its entirety in a single (more...)

orapwd gives OPW-00029 Password complexity failed in #Oracle 12.2

When I tried to create a password file for a 12.2 database, it initially failed with my favorite (simple) password:

[oracle@uhesse dbs]$ orapwd file=$ORACLE_HOME/dbs/orapwprima password=oracle

OPW-00029: Password complexity failed for SYS user : Password must contain at least 8 characters.

Two options to resolve this: Either provide a password that passes the complexity check, like:

[oracle@uhesse dbs]$ orapwd file=$ORACLE_HOME/dbs/orapwprima password=Very_Complex§1

Or create the password file in 12.1 format (default being 12.2 format)

(more...)

JDBC, Linux and Entropy

Some troubles — especially those happening only sporadically — are not so easy to shoot and call for a deeper understanding of the matter. In the following real-world example this means: SQL*Net tracing and some knowledge about the inner workings of the server’s operating system, particularly random number generation. This case was well suited to demonstrate an approach to troubleshoot […]

Password Last Change Time

I read that the PTIME column in the SYS.USER$ table shows when a user’s password was last changed so I decided to try it out in an Oracle 10 database:

SQL> SELECT VERSION FROM PRODUCT_COMPONENT_VERSION
  2  WHERE PRODUCT LIKE 'Oracle Database%'
  3  /

VERSION
--------------------
10.2.0.3.0

SQL>


I noted the time and created a user:

SQL> SELECT TO_CHAR(SYSDATE,'DD-MON-YYYY HH24:MI:SS')
  2  DATE_AND_TIME1 FROM DUAL
  3  /

DATE_AND_TIME1
(more...)

Ubuntu: visudo problem / NOPASSWD option does not work for commands

It is always the same:
After installing new Linux commands like
/usr/sbin/s2disk
/sbin/reboot
they only work after entering your password every time (or more precisely: after every reboot).
This can be changed with visudo:
export EDITOR=vi; visudo
Inside the /etc/sudoers.conf you will see:
# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
And this is the problem:
First idea is to double the line
root    (more...)

Update WordPress Installations to >4.7.2

This post is applicable for hosted WordPress installations where auto-updates are disabled. Yesterday, I noticed there was a blog post "Hacked by Unknown" on the Askdba blog. The post was written by a White Hat Hacker who exploited the content injection vulnerability in 4.7.0 and 4.7.1. This vulnerability allows any visitor (unauthorized user) to assume a role to edit/create blog…

ADF BC Groovy Expression Security Policy Configuration

Today I'm going to explain how to configure the Groovy expression security policy. This could be helpful if you don't want to change the trustMode property to trusted everywhere across the app, but are looking for a single configuration point.

My sample app - GroovyPermissionApp.zip, contains a bind variable with an expression reference pointing towards a custom method located in the AM implementation class:


JDEV 12.2.1.2 returns a compilation error for the Groovy expression, as it can't resolve the applicationModule property:


Such kind (more...)

A performance deep dive into column encryption

Actually, this is a follow-up post to my performance deep dive into tablespace encryption. After having investigated how tablespace encryption works, this blog post is looking at the other encryption option, column encryption. A conclusion that can be shared upfront is that although they basically perform the same function, the implementation and performance consequences are quite different.

Column encryption gives you the ability to choose to encrypt per individual column, that’s kind of obvious. However, (more...)

Enable HyperFIDO U2F Key on Linux

Recently, I bought the Hypersecu HyperFIDO K5 Key to help me secure access to several websites and services with U2F (“Universal Two-Factor Authorization”). This works fine on Windows, but with Linux things get a little complicated: The key isn’t accessible to all users by default. This has to be activated using udev rules, which is widely […]

Oracle database 12.1.0.2.170117 (January 2017 PSU) and TDE wallets

Recently, I was trying to setup TDE. Doing that I found out the Oracle provided documentation isn’t overly clear, and there is a way to do it in pre-Oracle 12, which is done using ‘alter system’ commands, and a new-ish way to do it in Oracle 12, using ‘administer key management’ commands. I am using version 12.1.0.2.170117, so decided to use the ‘administer key management’ commands. This blogpost is about an (more...)

Building a Hyper-V Environment for SharePoint / Cyberinc Entitlements Server Prototype – Part 3

In my previous post, I covered the installation of SQL Server 2016 SP1 for our Hyper-V environment. After that is completed, we are ready to install SharePoint Server 2016. That’s what I’ll be covering here. Firstly, you need to download a copy of the software. At the time of writing this post, SharePoint Server 2016 is available from Microsoft. That’s the version I’ve downloaded for installation on the VM.

Installing the Prerequisites

To start the (more...)

Linux: keyring-password for wlan needed / legitimate wlan login

Each time I resume my notebook after a suspend-to-disk cycle, the connection to WLAN hangs with the following message:

(System policy prevents editing of network settings for all users [original German: "Die Systemrichtlinien verhindern das Bearbeiten von Netzwerkeinstellungen für alle Benutzer"] / Enter password for default keyring to unlock)
I tried to fix this via network-manager by ticking the checkbox "All users may use this network" (original German: "Alle Benutzer dürfen dieses Netzwerk verwenden"), but this did not help at all.
The point is that after resuming, my login keyring wants (more...)

Building a Hyper-V Environment for SharePoint / Cyberinc Entitlements Server Prototype – Part 2

In the previous post in this series, I created the Hyper-V VM environment (running Windows Server 2012 R2) I’ll be using to build SharePoint Server 2016 on. The next step is to install either SQL Server 2014 or SQL Server 2016 for the database server requirements. Because I’m a geeky sort of guy and have to be on the bleeding edge, I’m going to use SQL Server 2016 with SP1, which is available from Microsoft (more...)

Building a Hyper-V Environment for SharePoint / Cyberinc Entitlements Server Prototype – Part 1

One of the areas I’ve been investigating as a technical architect at www.archtis.com is using the Cyberinc Entitlements Server (CES) to provide attribute based access control (ABAC) access to documents stored in SharePoint. It’s an area we haven’t tested at all before, so it was important to build a prototype environment to satisfy ourselves that it really does work the way we want it to. At the time of writing this post, CES (more...)

Oracle DBSAT first experience


Last year in October Oracle released the Oracle Database Security Assessment Tool (DBSAT) to analyze database configurations and security policies in order to improve the security in your environment.

Real benefits

  • quickly identify security configuration errors in the database environment
  • launch security best practices
  • increase the security level of your Oracle Databases
  • reduce the attack and exposure risk

What does DBSAT check

  • User Accounts, Privileges and Roles
  • Authorization Control
  • Data Encryption
  • Fine-grained Access Control
  • Auditing Policies
  • Database (more...)

Escape Special Characters APEX Demo

A few weeks ago I wrote more detail than expected regarding escaping of special characters.

I thought I'd add a simple demonstration, for reference.

Consider the following query, with variations of escaped column output.
with data as 
(select q'[G'day,]'||chr(10)
||'Scott<strong>loves</strong>'
||'<br>APEX<script></script>' as string
from dual)
select
-- UI default
string dflt
-- where no tags expected
,apex_escape.html(string) protected
-- good for most things
,apex_escape.html_whitelist(string) whitelisted
-- replace line feeds with HTML line break. (more...)

Re-evaluating APEX Authorization Schemes

Authorization schemes in Oracle APEX are used to control access to pages, buttons, and all sorts of other components.

In my experience, these are best defined at a privilege level, where the same privilege could be allocated to multiple business roles, but that's for another post.

In this post, I want to mention a cool API function called apex_authorization.reset_cache, which helps control the behaviour of these authorization schemes.

Preface

While googling something else (more...)

Trusted Information Sharing – ABAC Architecture

In my previous post, I introduced you to the two concepts of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). ABAC resolves a number of the limitations associated with RBAC, as I discussed in that post. In this post, I wanted to drill into the architecture underlying ABAC a little bit more.

In simple terms, there are four main parts of the ABAC architecture. These are:

  • The Policy Decision Point (PDP) – this (more...)