Sunday, October 19, 2014

CVE-2012-1675 listener poisoning

Our team was asked to see how CVE-2012-1675 affected us.

On our old infrastructure we use static registration, a non-default port (not 1521) and no dynamic registration; on the new SSC machine we make use of dynamic registration, ...

On a dev machine with a DB called HP_TEST on 11.2.0.4 PSU 2 I did the following:


alter system set local_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=SSC_DEV)(PORT=1521))';

This generates the following in the listener.log on SSC_DEV:

TNS-01184: Listener rejected registration or update of service handler "DEDICATED"
TNS-01185: Registration attempted from a remote node




which makes sense: it is a different machine after all, so how could it be local?

Then on the DEV machine:

alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=SSC_DEV)(PORT=1521))';

On SSC_DEV, lsnrctl status then shows:


LSNRCTL for Solaris: Version 11.2.0.4.0 - Production on 15-OCT-2014 16:14:59

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.4.0 - Production
Start Date                01-SEP-2014 16:44:30
Uptime                    43 days 23 hr. 30 min. 29 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/grid/product/11.2.0.4/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/ssc_dev/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ssc_dev)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM", status READY, has 1 handler(s) for this service...
Service "HPTEST" has 1 instance(s).
  Instance "HPTEST", status READY, has 1 handler(s) for this service...
The command completed successfully


The instance registered with that listener.

So yes, the exploit is possible, but it requires setting the remote_listener parameter.

There are a couple of workarounds. One is to use COST (Class of Secure Transport), see MOS note Doc ID 1453883.1.
But that solution requires setting up a wallet etc. when using RAC, which we do in our new SSC infrastructure, so we decided to go for the >= 11.2.0.4 solution: Valid Node Checking for Registration (Doc ID 1600630.1), configured by putting the following in the listener.ora.

After setting the following in listener.ora and reloading the configuration:

# CVE-2012-1675
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
REGISTRATION_INVITED_NODES_LISTENER=(SSC_DEV)



lsnrctl reload LISTENER

LSNRCTL for Solaris: Version 11.2.0.4.0 - Production on 15-OCT-2014 16:16:03

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
The command completed successfully
lsnrctl status

LSNRCTL for Solaris: Version 11.2.0.4.0 - Production on 15-OCT-2014 16:16:09

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.4.0 - Production
Start Date                01-SEP-2014 16:44:30
Uptime                    43 days 23 hr. 31 min. 39 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/grid/product/11.2.0.4/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/ssc_dev/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=SSC_DEV)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM", status READY, has 1 handler(s) for this service...
The command completed successfully
As the status output shows, HPTEST is no longer registered: registration from the remote node isn't possible anymore, and the following is logged in the listener.log when it is attempted:

15-OCT-2014 16:16:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=SSC_DEV)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
Listener(VNCR option 1) rejected Registration request from destination
15-OCT-2014 16:16:14 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""


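As an added example that is not code from the original post, here is a small Python script doing the two checks a DBA wants after this change: it reads a listener.ora and reports whether VNCR is on and which nodes are invited for a given listener alias, and it scans listener.log text for the registration rejections quoted above (TNS-01182, TNS-01184, TNS-01185 and the "VNCR option" line). The listener.ora fragments and log lines embedded in it are constructed from what is shown in this post, and the class and function names are my own.

```python
"""Added example, not code from the original post: audit a listener.ora for
Valid Node Checking for Registration (VNCR) and scan listener.log text for
rejected registration attempts. The listener.ora fragments and log lines are
constructed from the settings and messages quoted in the post; the function
and class names are my own."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Weak configuration (constructed): dynamic registration accepted from any host.
LISTENER_ORA_BEFORE = """
LISTENER=(DESCRIPTION_LIST=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SSC_DEV)(PORT=1521))))
"""
# Hardened configuration: the lines the post adds, appended to the same file.
LISTENER_ORA_AFTER = LISTENER_ORA_BEFORE + """
# CVE-2012-1675
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
REGISTRATION_INVITED_NODES_LISTENER=(SSC_DEV)
"""
# listener.log lines as quoted in the post: the local_listener attempt from the
# remote node (TNS-01184/01185) and the VNCR rejection after the reload.
LISTENER_LOG = """
TNS-01184: Listener rejected registration or update of service handler "DEDICATED"
TNS-01185: Registration attempted from a remote node
15-OCT-2014 16:16:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=SSC_DEV)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * status * 0
Listener(VNCR option 1) rejected Registration request from destination
15-OCT-2014 16:16:14 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
"""

@dataclass
class VncrStatus:
    alias: str
    enabled: bool                                      # VALID_NODE_CHECKING_REGISTRATION_<alias>
    invited: List[str] = field(default_factory=list)   # REGISTRATION_INVITED_NODES_<alias>
    excluded: List[str] = field(default_factory=list)  # REGISTRATION_EXCLUDED_NODES_<alias>

    def is_hardened(self) -> bool:
        # Hardened only when VNCR is on and the hosts allowed to register are explicit.
        return self.enabled and bool(self.invited)

def _node_list(value: str) -> List[str]:
    # Accepts "(host1, host2)" or a bare host name; returns the bare names.
    return [n.strip().strip("'\"") for n in value.strip().strip("()").split(",") if n.strip()]

def audit_listener_ora(text: str, alias: str = "LISTENER") -> VncrStatus:
    """Extract the VNCR settings for one listener alias from listener.ora text."""
    alias = alias.upper()
    status = VncrStatus(alias=alias, enabled=False)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # '#' starts a comment in listener.ora
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.upper()
        if key == f"VALID_NODE_CHECKING_REGISTRATION_{alias}":
            # Documented values: OFF/0, ON/1/LOCAL, SUBNET/2; anything but OFF/0 enables it.
            status.enabled = value.upper() not in ("OFF", "0")
        elif key == f"REGISTRATION_INVITED_NODES_{alias}":
            status.invited = _node_list(value)
        elif key == f"REGISTRATION_EXCLUDED_NODES_{alias}":
            status.excluded = _node_list(value)
    return status

# Listener messages that indicate a rejected registration attempt.
TNS_CODES = ("TNS-01182", "TNS-01184", "TNS-01185")
_TS = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2})")
_VNCR = re.compile(r"Listener\(VNCR option \d+\) rejected Registration request")

def find_rejected_registrations(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, code, line) for every rejected registration in the log.

    listener.log writes the timestamp on the '* service_register_NSGR *' line and
    the TNS error on the next line, so the most recent timestamp is carried
    forward; lines seen before any timestamp get '?'.
    """
    findings: List[Tuple[str, str, str]] = []
    last_ts = "?"
    for line in log_text.splitlines():
        m = _TS.match(line)
        if m:
            last_ts = m.group(1)
        code = next((c for c in TNS_CODES if line.startswith(c)), None)
        if code:
            findings.append((last_ts, code, line.strip()))
        elif _VNCR.search(line):
            findings.append((last_ts, "VNCR", line.strip()))
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", LISTENER_ORA_BEFORE), ("after", LISTENER_ORA_AFTER)):
        print(label, audit_listener_ora(cfg))
    for ts, code, line in find_rejected_registrations(LISTENER_LOG):
        print(ts, code, line)
```

Run as-is it reports the "before" configuration as not hardened and the "after" one as VNCR on with SSC_DEV invited, then lists the four rejections from the log excerpt. To check a live listener, feed the two functions the real listener.ora from $ORACLE_HOME/network/admin and the text listener.log. VNCR is keyed by listener alias, so every listener defined in the file (a SCAN listener in a RAC setup included) needs its own VALID_NODE_CHECKING_REGISTRATION_<alias> line.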


Voilà, hope this helps.



Wednesday, September 17, 2014

blog posts

I am way behind with blog posts for the moment, a bit too busy ;(

more to come


Philippe

Thursday, July 31, 2014

QFSDP July 2014 new: confusing version numbering

This week I applied the July QFSDP on the SSC T4 at the customer.

One thing that struck me was the following:

Before, on the Oracle DB home:

ssc01dbdat01z01:~$ opatch lspatches
18497417;CRS PATCH FOR EXADATA (APR2014 - 11.2.0.4.6) : (18497417)
18293775;DATABASE PATCH FOR EXADATA (APR2014 - 11.2.0.4.6) : (18293775)


Quite obviously this is BP6.

After:

18522515;OCW Patch Set Update : 11.2.0.4.3 (18522515)
18825509;DATABASE PATCH FOR EXADATA (JUL2014 - 11.2.0.4.9) : (18825509)




Very confusing, no? First of all OCW (Oracle Clusterware) instead of CRS patch, but also a different version number.





But apparently according to  

Wednesday, July 9, 2014

UKOUG TECH 14 here I come

Just received a mail from UKOUG today.

I am very excited: I will do a joint presentation with Bjoern Rost named "The Renaissance of SPARC",

and will do another presentation:

"What we had to unlearn and learn when moving from M9000 to Super Cluster."

The title says it all ;-)

Hope to see you in Liverpool.


Tuesday, June 24, 2014

RAC One + Data Guard + Broker on SPARC SuperCluster: a passionate marriage, part 1 (DBCA)

The project I am currently working on involves a SPARC SuperCluster (SSC) and migrating databases from M9000 hardware to this nice machine.

An SSC is basically a SPARC-based Exadata: you get all the advantages of the Exadata and a lot more ... a lot of versatility using SPARC: IO Domains, Zones, CPU capping on the compute nodes ... You can assign CPUs to zones that don't use the underlying Exadata storage cells as database storage, but just regular SAN or NAS storage.

Several versions of SSC exist; the customer has the version with 4 T4-4s, that is 4 times 4 CPUs with 8 cores each and 8 threads per core ... a lot of processing power.

The customer decided to make use of Data Guard and RAC One,
with EM 12c R3 (probably R4 by go-live).

For me RAC One is something new, as is Data Guard Broker on RAC databases. I configured the broker on single instance databases years ago but always preferred the manual SQL way to do switchovers etc. However, if you want to use EM 12c to do switchovers etc., there is no alternative: the broker must be used.

I will split the installation of RAC One and Data Guard over several blog posts; basically it will become a series on how to set it up:

The first part will discuss the setup of RAC One.
The second part will discuss how to get the data copied over to the standby host.
The third part will discuss how to get this integrated in the Data Guard Broker.

So here we go.

OK, you created your first RAC One database with the database creation assistant (DBCA) as shown here under.

So far everything is the same; however, here we see some specifics to the SSC (I don't know about Exadata):

Logs.sql → adds the redo logs for both threads
Create_bct.sql → puts block change tracking on
Recreate_temp.sql → recreates a bigfile temporary tablespace

Cluster_interconnect.sql → "tries" to set the interconnect but fails to do so correctly: it bases itself on the gv$ views, and since only one instance is up this doesn't work as expected. Moreover, a RAC One instance can run on every node and isn't bound to a node, so you can end up with INST_1 running on node2 and vice versa.

Set_use_large_pages.sql → sets use_large_pages (obligatory use of large memory pages) to FALSE, and suggests setting it to TRUE after checking the OS. However, I believe that, contrary to Linux, on Solaris this is done automagically; this should be translucent (excuse the pun, internal joke with the c).

Set_fra_size.sql → sets the FRA (db_recovery_file_dest_size) to 90% of the disk group. TO BE CHANGED if running more than one instance from that DG; in our case there will be about 40 instances running, something I want to reduce significantly, making use of Resource Manager and IORM.

Exadata_miscellaneous.sql →
@/u01/app/oracle/product/11.2.0.4/dbhome_1/rdbms/admin/catbundle.sql exa apply
insert into resource_io_calibrate$ values (CURRENT_TIMESTAMP,CURRENT_TIMESTAMP, 0,0,200,0,0);
BEGIN DBMS_AUDIT_MGMT.set_audit_trail_location(audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,audit_trail_location_value => 'SYSAUX');  END;
/
BEGIN DBMS_AUDIT_MGMT.set_audit_trail_location(audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,audit_trail_location_value => 'SYSAUX');  END;
/

For the rest everything is the same, as you can see here...

For a future DG implementation we append _SSC01 to the db_unique_name.

Wait a bit and the RAC One DB is ready.

The highlighted template sets some parameters that are specific to the SuperCluster.



It looks like the cluster_interconnects parameter set by set_cluster_interconnects.sql is not working as expected: it makes use of the gv$ views, and with RAC One the information about the 2nd thread is only there during a relocation ... therefore the parameter is not set for the other instance.

The following init.ora parameters were set for Exadata:
_file_size_increase_increment=2143289344
_enable_numa_support=FALSE

This is how the init.ora looks after the RAC One install:

DGTEST_2.__db_cache_size= 3019898880
DGTEST_1.__db_cache_size=3019898880
DGTEST_2.__java_pool_size=67108864
DGTEST_1.__java_pool_size=67108864
DGTEST_2.__large_pool_size=33554432
DGTEST_1.__large_pool_size=33554432
DGTEST_1.__oracle_base='/u01/app/oracle'#ORACLE_BASE set from environment
DGTEST_2.__pga_aggregate_target=2147483648
DGTEST_1.__pga_aggregate_target=2147483648
DGTEST_2.__sga_target=4294967296
DGTEST_1.__sga_target=4294967296
DGTEST_2.__shared_io_pool_size=0
DGTEST_1.__shared_io_pool_size=0
DGTEST_2.__shared_pool_size= 1006632960
DGTEST_1.__shared_pool_size=1006632960
DGTEST_2.__streams_pool_size=0
DGTEST_1.__streams_pool_size=0
*._enable_numa_support=FALSE
*._file_size_increase_increment=2143289344
*.archive_lag_target=0
*.audit_sys_operations=TRUE
*.audit_trail='db'
*.cluster_database=true
*.cluster_interconnects=''
DGTEST_1.cluster_interconnects=''
*.compatible='11.2.0.4.0'
*.control_files='+DATA_APRO/dgtest_ssc01/controlfile/current.261.850563521'
*.db_block_checking='false'
*.db_block_checksum='typical'
*.db_block_size=8192
*.db_create_file_dest='+DATA_APRO'
*.db_create_online_log_dest_1='+DATA_APRO'
*.db_domain=''
*.db_files=1024
*.db_lost_write_protect='typical'
*.db_name='DGTEST'
*.db_recovery_file_dest='+RECO_APRO'
*.db_recovery_file_dest_size=1102053376000#90% of Total Space in FRA Disk Group
*.db_unique_name='DGTEST_SSC01'
*.diagnostic_dest='/u01/app/oracle'
*.fal_client='DGTEST_SSC01'
*.fal_server='dgtest_ssc02_redo'
*.fast_start_mttr_target=300
*.filesystemio_options='setall'
*.global_names=TRUE
*.log_archive_config='dg_config=(DGTEST_SSC01,dgtest_ssc02)'
*.log_archive_dest_1='LOCATION=USE_DB_RECOVERY_FILE_DEST VALID_FOR=(ALL_LOGFILES,ALL_ROLES)'
*.log_archive_dest_state_2='ENABLE'
DGTEST_2.log_archive_format='%t_%s_%r.dbf'
DGTEST_1.log_archive_format='%t_%s_%r.dbf'
*.log_archive_max_processes=4
*.log_archive_min_succeed_dest=1
DGTEST_2.log_archive_trace=0
DGTEST_1.log_archive_trace=0
*.log_buffer=134217728
*.open_cursors=1000
*.os_authent_prefix=''
*.parallel_adaptive_multi_user=FALSE
*.parallel_execution_message_size=16384
*.parallel_max_servers=240
*.parallel_min_servers=0
*.parallel_threads_per_cpu=1
*.pga_aggregate_target=2147483648
*.processes=1024
*.recyclebin='on'
*.remote_listener='ssc01scan01-orapro:1521'
*.remote_login_passwordfile='exclusive'
*.sessions=1131
*.sga_target=4294967296
*.sql92_security=TRUE
*.standby_file_management='AUTO'
*.use_large_pages='FALSE'#Change use_large_pages to ONLY, after verifying the nr.hugepages requirement
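As an added example (not code from the original post), here is a Python check for the pitfall described above: it parses a pfile, lists the instances that appear in it, and reports every parameter that has an instance-specific value for some instances but falls back to the "*" default for the others, which is what set_cluster_interconnects.sql leaves behind on a RAC One database. The pfile excerpt embedded in it is constructed from the init.ora shown above, and the function names are mine.

```python
"""Added example, not code from the original post: check a RAC One pfile
(init.ora) for parameters that carry an instance-specific override for some
instances but not for others, which is what the post observes for
cluster_interconnects. The pfile excerpt is constructed from the init.ora
shown in the post; the function names are my own."""
import re
from typing import Dict, List, Optional

# Constructed excerpt of the post's init.ora (values as shown there).
PFILE = """
DGTEST_2.__db_cache_size= 3019898880
DGTEST_1.__db_cache_size=3019898880
DGTEST_1.__oracle_base='/u01/app/oracle'#ORACLE_BASE set from environment
*._enable_numa_support=FALSE
*.cluster_database=true
*.cluster_interconnects=''
DGTEST_1.cluster_interconnects=''
*.db_name='DGTEST'
*.db_recovery_file_dest_size=1102053376000#90% of Total Space in FRA Disk Group
*.db_unique_name='DGTEST_SSC01'
DGTEST_2.log_archive_format='%t_%s_%r.dbf'
DGTEST_1.log_archive_format='%t_%s_%r.dbf'
*.remote_listener='ssc01scan01-orapro:1521'
*.use_large_pages='FALSE'#Change use_large_pages to ONLY, after verifying the nr.hugepages requirement
"""

# <scope>.<name>=<value>, where scope is '*' (all instances) or an instance name.
_LINE = re.compile(r"^(?P<scope>\*|[A-Za-z0-9_$]+)\.(?P<name>[A-Za-z0-9_$]+)\s*=\s*(?P<value>.*)$")

Params = Dict[str, Dict[str, str]]   # parameter name -> {scope: value}

def parse_pfile(text: str) -> Params:
    """Parse pfile text; '#' starts a comment and surrounding quotes are stripped.

    A literal '#' inside a quoted value is not handled (none occur in the post's file).
    """
    params: Params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("'\"")
        params.setdefault(m.group("name").lower(), {})[m.group("scope").upper()] = value
    return params

def instances(params: Params) -> List[str]:
    """All instance names that appear as a scope (the '*' default excluded)."""
    return sorted({s for scopes in params.values() for s in scopes if s != "*"})

def effective_value(params: Params, instance: str, name: str) -> Optional[str]:
    """The instance-specific entry wins over the '*' default; None when unset."""
    scopes = params.get(name.lower(), {})
    return scopes.get(instance.upper(), scopes.get("*"))

def asymmetric_overrides(params: Params) -> Dict[str, List[str]]:
    """Parameters overridden for some instances only -> instances lacking the override.

    With RAC One the second instance only exists during a relocation, so a script
    that derives a setting from gv$ at creation time sees one instance and leaves
    the other one on the '*' default.
    """
    insts = instances(params)
    result: Dict[str, List[str]] = {}
    for name, scopes in params.items():
        missing = [i for i in insts if i not in scopes]
        if missing and len(missing) < len(insts):
            result[name] = missing
    return result

if __name__ == "__main__":
    p = parse_pfile(PFILE)
    print("instances:", instances(p))
    for name, missing in asymmetric_overrides(p).items():
        print(f"{name}: no instance-specific value for {missing}")
```

On the excerpt it flags cluster_interconnects and __oracle_base as set for DGTEST_1 only. The double-underscore parameters are written by the instance itself and are expected to differ between instances; cluster_interconnects is the one the post is about, and the same check applied to the full init.ora after a relocation shows whether the script ever filled in the second instance.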








Sunday, June 15, 2014

OUGF: more impressions, day 2

After the marvellous social eating fest and some after-party beer, day 2 of OUGF was there. I attended Graham Wood's session.

Then I went to the next building to see Ann Sjökvist's presentation about SE 12c, which I really enjoyed, and I was not alone ....

Then it was time to go to the SE World Round Table in a .... Lappish kota, which was great and better than Ann, Jan and I could have imagined.
Juha Hellman from Oracle Finland was the first to present and interact with the audience, and highlighted that the SPARC T5 processors are really a bargain for SE.

We had different approaches to the subject: Jan's take was more "needs analysis", while mine was more "spoiled kid who has worked with EE all his life: what do I lose and how can I try to add those missing things". Two different approaches that the audience really liked.

Jan also had a great take on the TCL (Total Cost of Loss): what is your data worth and how do you protect it ...

Then my friend Oyvind was on, talking about his first experience with Exadata. He had a packed room ... and a room laughing when he explained what PMs are named after by DBAs ... "proxies" ;-)

Ilmar Kerm playing with my camera ;-)

Everything unfortunately has an end, and the end was near: OUGF 2014 was Finnish.

So how can we close this one better than with a jump picture ...

Helli, Ursula, Cooper, Ann, Petri, Marko and all of the others I forgot:
thank you very much for having me, it was a great event!! Well organised, and great to see all those familiar (f)aces again.
Hopefully see you next year ... or sooner at another user group conference.


Wednesday, June 11, 2014

Oracle ACE Associate

Yesterday I received some great news: I was given the Oracle ACE Associate accreditation. I am really honoured; thank you Osama Mustafa and Brendan Tierney for submitting my candidature.