Wednesday, June 29, 2005

JDeveloper & ADF: Free for Development

Looks nice, this JDeveloper & ADF pricing model: a new license model, shifting towards use rather than development.
However, will HTML DB V2 stop being free? Is Oracle just playing with license terms and conditions, and thus creating FUD? We'll see; this looks like a nice touch. Sorry for everyone who paid the license fees recently, pushed by Oracle reps closing the fiscal year.

Web Developer Extension

If you ever do some Web development, take a serious look at the Web Developer Extension. You will wonder how you ever delivered code without it!

Thursday, June 09, 2005

Oracle and TimesTen

Now, after Oracle acquired PeopleSoft, it's time for Oracle and TimesTen. Real-time data management software; should I buy communication stock?

Watch out II

Surprise, surprise!
Niall left a comment on the original post (thank you, Niall), pointing out that spaces (or, presumably, the lack thereof!) can mess up a tnsnames.ora file.
So, I tried to tidy up the original post to include the spaces in the output as well, thus allowing a copy-and-paste job. Believe me, those spaces were in the source! Blogger just chooses to ignore them (space saving, I presume). Anyway, using the sequence, it should now look OK.

I also saw some brackets in places where they might cause misunderstanding, and tried to tidy that up as well. Long story short: I lost track of how many spaces and brackets were required, and ended up testing both entries once more. Look here:

Attempting to contact (description = (address=(protocol=BEQ)(PROGRAM=OrAcLe) (ARGV0=oracleDB920) (ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=BEQ)))')) (CONNECT_DATA =(SID=DB920)))
OK (20 msec)


Please note that no platform has an executable called OrAcLe, and yet the test succeeds where it failed before!

Sunday, June 05, 2005

Enterprise Security VIII: Getting there....

Phew! Finally got the ldapbind issue out of the way. The solution was simple: define LD_LIBRARY_PATH. I never did, as I did not anticipate writing programs on this platform.
That will teach me!

So, if you ever run into messages like:
ldapbind: error while loading shared libraries: libclntsh.so.10.1: cannot open shared object file: No such file or directory, remember this:
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
and your ldapbind will probably result in a:
bind successfull

To be continued...

As a replacement for setting up your own Certificate Authority, take a look at this handy utility, GOSSL. I am setting up a web server in test right now, and will update with the results. Currently, it's looking good: Windows (2003 Server) and Internet Explorer (V6) have no problems with the new CA certificate generated by GOSSL, nor with the server certificate.
Firefox still claims the server certificate is broken, although the CA is happily accepted.

Watch for updates: openssl used to be a part of the Oracle Apache installs (see your %ORACLE_HOME%\Apache\openssl directory) and is of course a far more lightweight (and thus, in my opinion, more elegant) way to accomplish generation of CA and other digital certificates.
As is more often the case, Oracle succeeded in creating an elephant from an ant.

Wednesday, June 01, 2005

Enterprise Security VII: Finishing

More certificates...
I still need a client certificate, and I ran into some problems with that. I do not have abundant memory on my server, so I tend to shut down services I do not use on a regular basis, and just leave the 10g and 9i instances running.
So, what I had actually done was:
/o/ias10/bin/emctl stop iasconsole
/o/ias10/opmn/bin/opmnctl stopall

thinking
/o/ias10/opmn/bin/opmnctl startall
/o/ias10/bin/emctl start iasconsole

would reverse that. And even though the Enterprise Manager control for the Certificate Authority shows it's up and running, the screen itself will not come up. You can try to stop and start, using OEM, until hell freezes over, but it won't give in. There is no other way I have found than:
/o/ias10/oca/bin/ocactl start
and enter the password (I did default to welcome1 all over, so that one works).
Once I did get that to work, getting a certificate was done in a jiffy.
By the way, there is something like the Oracle PKI Utility, or orapki, that you might want to use to create certificates in wallets. It saves you from setting up Application Servers, Certificate Authorities and all that. If I had known that earlier... that ought to teach me to read the documentation....

Network changes
Now that I have certificates for both server and client, I need to configure both the server and the client.
Server configuration
On the server side, all I need to do is indicate where the wallet is to be found. This is accomplished by the following addition to sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/wallets/oracle10)
    )
  )


and by changing the listener.ora file. Add these lines:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/wallets/oracle10)
    )
  )

and, to make sure the listener also accepts secured requests, add the following to the listener's description list (note the closing bracket for the DESCRIPTION; the listener will not start if it is missing):
(DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = csdb01.cs.nl)(PORT = 2484))
)

Port 2484 is the default suggested by Oracle. Stop and start the listener after these changes, and check with lsnrctl status; I want to see the endpoint with secure TCP:
Listening Endpoints Summary...
(DESCRIPTION= .[snipped ].
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=csdb01.cs.nl)(PORT=2484)))


Rest assured, you can all do this by using the Net Configuration Assistant, see the Oracle Advanced Security Administrator's Guide for more details.

Client configuration
On the client, changes are similar; change the sqlnet.ora file to include the wallet location:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\Documents and Settings\frankbo\ORACLE\WALLETS)
    )
  )


Make sure the client can use SSL secured TCP:
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
Mark the SSL version (SSL V3.0)
SSL_VERSION = 0
Require authentication:
SSL_CLIENT_AUTHENTICATION = TRUE
And match the server name DN (I'll come to that!):
SSL_SERVER_DN_MATCH = YES

That concludes the sqlnet.ora changes. Now for the tnsnames.ora:
O1003.CS.NL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484))
    )
    (CONNECT_DATA = (SERVICE_NAME = o10gR1))
    (SECURITY = (SSL_SERVER_CERT_DN = "cn=o10gR1,cn=OracleContext,dc=nl,dc=cs"))
  )

The changes (highlighted in red in the original post): I want to use SSL secured TCP (TCPS), on a port outside the standard 15xx range (2484), and I want to match the server DN; it's in the server certificate I requested and installed earlier. Copy this DN exactly!
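Because the "Watch out II" post above shows how easily a bracket or a space goes missing in these files, and because a client that does not check the server DN will happily talk TLS to the wrong server, here is a small checker for the client setup just described. It is an added example written for this page, not Oracle code and not a complete Oracle Net parser: it parses the nested (KEY = VALUE) syntax of tnsnames.ora and sqlnet.ora, reports the first unbalanced bracket, and then verifies the points the post makes (TCPS only, no 15xx port, SSL_SERVER_CERT_DN present, SSL_SERVER_DN_MATCH = YES, TCPS in the authentication services, a wallet directory). The sample inputs are constructed from the entries shown in the post; the function names are mine.

```python
"""Parser and checker for Oracle Net descriptor syntax (added example,
not Oracle code): tnsnames.ora / sqlnet.ora style (KEY = VALUE) lists."""
import re

_NAME = re.compile(r"[A-Za-z0-9_.]+")


def _skip_ws(text, i):
    while i < len(text) and text[i].isspace():
        i += 1
    return i


def _parse_value(text, i):
    """Right-hand side of KEY = ...: nested (KEY = VALUE) pairs, a plain list
    such as (BEQ, TCPS), a quoted string, or a bare token. Returns (value, pos)."""
    i = _skip_ws(text, i)
    if i < len(text) and text[i] == "(":
        close = text.find(")", i)
        if close != -1 and "=" not in text[i:close] and "(" not in text[i + 1:close]:
            return [t.strip().upper() for t in text[i + 1:close].split(",") if t.strip()], close + 1
        children = []
        while i < len(text) and text[i] == "(":
            key, val, i = _parse_pair(text, i)
            children.append((key, val))
            i = _skip_ws(text, i)
        return children, i
    if i < len(text) and text[i] in "'\"":
        end = text.find(text[i], i + 1)   # quoted values may contain brackets
        if end == -1:
            raise ValueError("unterminated quote at offset %d" % i)
        return text[i + 1:end], end + 1
    start = i
    while i < len(text) and text[i] not in "()\n":   # bare token, may contain spaces
        i += 1
    return text[start:i].strip(), i


def _parse_pair(text, i):
    """One '(KEY = VALUE)' group starting at the '(' at text[i]."""
    i = _skip_ws(text, i + 1)
    m = _NAME.match(text, i)
    if not m:
        raise ValueError("expected a keyword at offset %d" % i)
    key = m.group(0).upper()
    i = _skip_ws(text, m.end())
    if i >= len(text) or text[i] != "=":
        raise ValueError("expected '=' after %s at offset %d" % (key, i))
    value, i = _parse_value(text, i + 1)
    i = _skip_ws(text, i)
    if i >= len(text) or text[i] != ")":
        raise ValueError("missing ')' closing %s at offset %d" % (key, i))
    return key, value, i + 1


def parse_net_file(text):
    """Whole tnsnames.ora / sqlnet.ora text -> {NAME: value}; ValueError if malformed."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    entries, i = {}, _skip_ws(text, 0)
    while i < len(text):
        m = _NAME.match(text, i)
        if not m:
            raise ValueError("expected a parameter or alias name at offset %d" % i)
        name = m.group(0).upper()
        i = _skip_ws(text, m.end())
        if i >= len(text) or text[i] != "=":
            raise ValueError("expected '=' after %s at offset %d" % (name, i))
        entries[name], i = _parse_value(text, i + 1)
        i = _skip_ws(text, i)
    return entries


def find_all(value, key):
    """Every value of KEY anywhere below a parsed descriptor (depth first)."""
    hits = []
    if isinstance(value, list):
        for item in value:
            if isinstance(item, tuple):
                if item[0] == key:
                    hits.append(item[1])
                hits.extend(find_all(item[1], key))
    return hits


def syntax_error(text):
    """The parser's complaint for a file, or None when it is well formed."""
    try:
        parse_net_file(text)
    except ValueError as exc:
        return str(exc)
    return None


def check_tcps_client(tnsnames_text, sqlnet_text, alias):
    """Findings against the client setup described in the post; [] means OK."""
    findings = []
    tns, sqlnet = parse_net_file(tnsnames_text), parse_net_file(sqlnet_text)
    desc = tns.get(alias.upper())
    if desc is None:
        return ["alias %s not found in tnsnames.ora" % alias]
    if [p.upper() for p in find_all(desc, "PROTOCOL")] != ["TCPS"]:
        findings.append("alias has addresses that are not TCPS")
    if any(p.startswith("15") for p in find_all(desc, "PORT")):
        findings.append("alias still points at a standard 15xx port")
    if not find_all(desc, "SSL_SERVER_CERT_DN"):
        findings.append("no SSL_SERVER_CERT_DN in the SECURITY clause")
    if str(sqlnet.get("SSL_SERVER_DN_MATCH", "")).upper() != "YES":
        findings.append("SSL_SERVER_DN_MATCH is not YES, so the server DN is never compared")
    if "TCPS" not in sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", []):
        findings.append("TCPS missing from SQLNET.AUTHENTICATION_SERVICES")
    if not find_all(sqlnet.get("WALLET_LOCATION", []), "DIRECTORY"):
        findings.append("WALLET_LOCATION has no DIRECTORY")
    return findings


# Constructed sample inputs, built from the entries shown in the post.
TNSNAMES = """
O1003.CS.NL =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484)))
    (CONNECT_DATA = (SERVICE_NAME = o10gR1))
    (SECURITY = (SSL_SERVER_CERT_DN = "cn=o10gR1,cn=OracleContext,dc=nl,dc=cs"))
  )
"""
SQLNET = """
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, NTS)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\\Documents and Settings\\frankbo\\ORACLE\\WALLETS)))
"""
# The kind of entry "Watch out II" was fighting with: one ')' short.
BROKEN = """
O1003.CS.NL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.1.199)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = o10gR1)
  )
"""

if __name__ == "__main__":
    print("broken entry:", syntax_error(BROKEN))
    print("findings:", check_tcps_client(TNSNAMES, SQLNET, "o1003.cs.nl") or "none")
```

Run it after editing the files and before reaching for tnsping: a missing bracket is reported by name (which DESCRIPTION or CONNECT_DATA is unclosed) rather than as a generic TNS error, and flipping SSL_SERVER_DN_MATCH to NO, or dropping the SECURITY clause, shows up as a finding instead of a connection that silently works without verifying who you are talking to. The parser also copes with the quoted ARGS='(...)' value from the BEQ entry above, because bracket counting stops inside quotes.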

Testing
Now that this is all done, it's time to test, and hopefully you will see what I saw:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS
)(HOST = 192.168.1.199)(PORT = 2484))) (CONNECT_DATA = (SERVICE_NAME = o10gR1))
(SECURITY=(SSL_SERVER_CERT_DN=cn=o10gR1,cn=OracleContext,dc=nl,dc=cs)))
OK (80 msec)


C:\>sqlplus system@o1003
SQL*Plus: Release 10.1.0.2.0 - Production on Wed Jun 1 20:12:41 2005
Copyright (c) 1982, 2004, Oracle. All rights reserved.

Enter password:

Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL>

Now, for the next step - Authentication through Certificates!