
APPS Blogs

Oracle Identity & Access Management (IDAM) 11gR2 PS3 – 11.1.2.3 is now available

Online Apps DBA - Thu, 2015-05-21 09:35
  Oracle Identity & Access Management 11g R2 PS3 (11.1.2.3) is now available (released on 18th May 2015) Documentation for Identity & Access Management 11gR2 PS3 11.1.2.3.0 is here Download Oracle IdM 11gR2 PS3 (11.1.2.3) software from here     Products available as part of Identity & Access Management 11gR2 Ps3 (11.1.2.3) are Oracle Access […] The post Oracle Identity & Access Management (IDAM) 11gR2 PS3...

This is a content summary only. Visit my website http://onlineAppsDBA.com for full links, other content, and more!
Categories: APPS Blogs

Free Video : Troubleshoot Fusion Application : FAAdmin User is unable to create new users

Online Apps DBA - Mon, 2015-05-18 08:44
Last week we launched our YouTube Channel covering videos related to Oracle Apps, Fusion Middleware, Fusion Applications, and database, and since then 70 new users have subscribed. Today we added a new video related to an Oracle Fusion Applications issue that we encountered for one of our customers (Contact Us if you need any help to install and manage Oracle Fusion […] The post Free Video : Troubleshoot Fusion Application : FAAdmin User is unable...

Categories: APPS Blogs

Oracle Fusion Middleware (FMW) 11.1.1.9 now available : Documentation & Download

Online Apps DBA - Fri, 2015-05-15 13:19
Oracle Fusion Middleware (FMW) 11.1.1.9 is now available (released on 13th May 2015). Documentation for Oracle FMW 11.1.1.9 is here. You can download Oracle Fusion Middleware 11.1.1.9 from the respective component. The following Fusion Middleware components are released as part of the Fusion Middleware 11.1.1.9 update: Oracle JDeveloper & ADF, Oracle Business Intelligence Enterprise Edition (OBIEE) […] The post Oracle Fusion Middleware (FMW)...

Categories: APPS Blogs

OAM/WebGate troubleshooting : WebGate on Apache/OHS Unable to read the configuration file

Online Apps DBA - Thu, 2015-05-14 04:15
This post is from a customer engagement where we implemented and now support complete Oracle Identity & Access Management (Contact Us if you are looking for an Oracle Support or Implementation Partner). When you protect a resource with Oracle Access Manager (OAM) you configure a WebGate on the web server (OHS, Apache or IIS) acting as the Policy Enforcement Point (PEP). In OAM […] The post OAM/WebGate troubleshooting : WebGate on Apache/OHS...

Categories: APPS Blogs


Vikram Das - Wed, 2015-05-13 17:11
Jim pinged me with this error today:
on ./adgendbc.sh i get
4:19 PM Creating the DBC file...
java.sql.SQLRecoverableException: No more data to read from socket raised validating GUEST_USER_PWD
java.sql.SQLRecoverableException: No more data to read from socket
4:19 PM Updating Server Security Authentication
java.sql.SQLException: Invalid number format for port number
Database connection to jdbc:oracle:thin:@host_name:port_number:database failed
4:19 PM to this point, this is what i've tried.
4:19 PM clean, autoconfig on db tier, autoconfig on cm same results
4:20 PM bounced db and listener.. same thing.. nothing i've done has made a difference
I noticed that when this error was coming the DB alert log was showing:
Wed May 13 18:50:51 2015
Exception [type: SIGSEGV, Address not mapped to object] [ADDR:0x8] [PC:0x10A2FFBC8, joet_create_root_thread_group()+136] [flags: 0x0, count: 1]
Errors in file /evnapsd1/admin/diag/rdbms/evnapsd1/evnapsd1/trace/evnapsd1_ora_14528.trc  (incident=1002115):
ORA-07445: exception encountered: core dump [joet_create_root_thread_group()+136] [SIGSEGV] [ADDR:0x8] [PC:0x10A2FFBC8] [Address not mapped to object] []
Incident details in: /evnapsd1/admin/diag/rdbms/evnapsd1/evnapsd1/incident/incdir_1002115/evnapsd1_ora_14528_i1002115.trc
Metalink search revealed this article:
Java Stored Procedure Fails With ORA-03113 And ORA-07445[JOET_CREATE_ROOT_THREAD_GROUP()+145] (Doc ID 1995261.1)
It seems that the post-patch steps for the OJVM PSU patch were not done. The steps given in the above note had not been completed. We completed these and adgendbc.sh completed successfully after that.

1. Set the following init parameters so that JIT and job processes do not start.

If spfile is used:

SQL> alter system set java_jit_enabled = FALSE;
SQL> alter system set "_system_trig_enabled"=FALSE;
SQL> alter system set JOB_QUEUE_PROCESSES=0;

2. Startup the instance in restricted mode and run the postinstallation step.

SQL> startup restrict

3. Run the postinstallation steps of the OJVM PSU (Step 3.3.2 from the readme):

Postinstallation
The following steps load modified SQL files into the database. For an Oracle RAC environment, perform these steps on only one node.

  1. Install the SQL portion of the patch by running the following commands. For an Oracle RAC environment, reload the packages on one of the nodes.

     cd $ORACLE_HOME/sqlpatch/19282015
     sqlplus /nolog
     SQL> CONNECT / AS SYSDBA
     SQL> @postinstall.sql

  2. After installing the SQL portion of the patch, some packages could become INVALID. These will get recompiled upon access, or you can run utlrp.sql to get them back into a VALID state.

     cd $ORACLE_HOME/rdbms/admin
     sqlplus /nolog
     SQL> CONNECT / AS SYSDBA
     SQL> @utlrp.sql

4. Reset the modified init parameters

SQL> alter system set java_jit_enabled = true;
SQL> alter system set "_system_trig_enabled"=TRUE;
SQL> alter system set JOB_QUEUE_PROCESSES=10;
        -- or original JOB_QUEUE_PROCESSES value

5. Restart the instance as normal.

6. Now execute the Java stored procedure.

Ran adgendbc.sh and it worked fine.
Categories: APPS Blogs

YouTube Sunday : Troubleshoot Fusion Middleware Pre-Requisite Failure : Kernel Setting

Online Apps DBA - Sat, 2015-05-09 19:13
We’ve started our YouTube Channel covering videos related to Oracle Apps, Fusion Middleware, Fusion Applications, and database (Subscribe to our Channel by clicking the link above to get the latest videos). We’ll be posting videos every Sunday, and this week's video is on how to fix an Oracle Fusion Middleware installation pre-requisite failure related to a kernel setting. […] The post YouTube Sunday :...

Categories: APPS Blogs

Oracle Fusion Middleware Training – Win FREE Lesson : Suggest topic to our client

Online Apps DBA - Tue, 2015-05-05 17:42
We have trained hundreds of corporate clients on Oracle Fusion Middleware & Oracle Apps DBA in the last 8 years, where either the customer suggests topics to cover in training or we help them come up with training topics based on the background of the team (Apps DBAs, Middleware Admins, Architects and sometimes developers). Something interesting happened this week while […] The post Oracle Fusion Middleware Training – Win FREE Lesson :...

Categories: APPS Blogs

R12.2 Single file system

Vikram Das - Wed, 2015-04-29 23:21
With the release of AD and TXK Delta 6, Oracle has provided the feature of single file system on development instances for R12.2. Here's what they have mentioned in support.oracle.com article: Oracle E-Business Suite Applications DBA and Technology Stack Release Notes for R12.AD.C.Delta.6 and R12.TXK.C.Delta.6 (Doc ID 1983782.1)
Enhancements in AD and TXK Delta 6
4. New and Changed Features
Oracle E-Business Suite Technology Stack and Oracle E-Business Suite Applications DBA contain the following new or changed features in R12.AD.C.Delta.6 and R12.TXK.C.Delta.6.
4.1 Support for single file system development environments
  • A normal Release 12.2 online patching environment requires one application tier file system for the run edition, and another for the patch edition. This dual file system architecture is fundamental to the patching of Oracle E-Business Suite Release 12.2 and is necessary for production environments and test environments that are meant to be representative of production. This enhancement makes it possible to have a development environment with a single file system, where custom code can be built and tested. A limited set of adop phases and modes are available to support downtime patching of such a development environment. Code should then be tested in standard dual file system test environments before being applied to production.
More details are provided in Oracle E-Business Suite Maintenance Guide, Chapter: Patching Procedures):
http://docs.oracle.com/cd/E26401_01/doc.122/e22954/T202991T531065.htm#6169002 

Support for Single File System Development Environments
A normal Release 12.2 online patching environment requires two application tier file systems, one for the run edition and another for the patch edition. This dual file system architecture is fundamental to patching of Oracle E-Business Suite Release 12.2, and is necessary both for production environments and test environments that are intended to be representative of production. This feature makes it possible to create a development environment with a single file system, where custom code can be built and tested. The code should then always be tested in a standard dual file system test environment before being applied to production.
You can set up a single file system development environment by installing Oracle E-Business Suite Release 12.2 in the normal way, and then deleting the $PATCH_BASE directory with the command:
$ rm -rf $PATCH_BASE
A limited set of adop phases and modes are available to support patching of a single file system development environment. These are:
·         apply phase in downtime mode
·         cleanup phase
Specification of any other phase or mode will cause adop to exit with an error.
The following restrictions apply to using a single file system environment:
·         You can only use a single file system environment for development purposes.
·         You cannot use online patching on a single file system environment.
·         You can only convert an existing dual file system environment to a single file system: you cannot directly create a single file system environment via Rapid Install or cloning.
·         There is no way to convert a single file system environment back into a dual file system.
·         You cannot clone from a single file system environment.
Categories: APPS Blogs

You Are Trying To Access a Page That Is No Longer Active. The Referring Page May Have Come From a Previous Session. Please Select Home To Proceed

Vikram Das - Wed, 2015-04-15 16:06
Shahed pinged me about this error.  It was coming after logging in.  This R12.1.3 instance had just migrated from an old server to a new one. Once you logged in this error would be displayed:

You Are Trying To Access a Page That Is No Longer Active. The Referring Page May Have Come From a Previous Session. Please Select Home To Proceed

The hits on support.oracle.com were not helpful, but gave a clue that it may have something to do with the session cookie. So I used Firefox to check the HTTP headers. If you press Ctrl+Shift+K, you will get a panel at the bottom of the browser. Click on the Network tab, click on AppsLocalLogin.jsp, and on the right side of the pane you'll see a Cookies tab.

The domain appearing in the cookie tab was from the old server.  So I checked:

select session_cookie_domain from icx_parameters;
olddomain.justanexample.com

So I nullified it:

update icx_parameters set session_cookie_domain=null;

commit;

Restarted Apache

cd $ADMIN_SCRIPTS_HOME
adapcctl.sh stop
adapcctl.sh start

No more error.  I was able to log in and so was Shahed.
Categories: APPS Blogs

Chrome and E-Business Suite

Vikram Das - Wed, 2015-04-15 12:23
Dhananjay came to me today.  He said that his users were complaining about forms not launching after upgrading to the latest version of Chrome. On launching forms they got this error:

/dev60cgi/oracle forms engine Main was not found on this server

I recalled that Google Chrome team had announced that they would not support java going forward. Googling with keywords chrome java brought this page:

https://java.com/en/download/faq/chrome.xml#npapichrome

It states that:

NPAPI support by Chrome
The Java plug-in for web browsers relies on the cross platform plugin architecture NPAPI, which has long been, and currently is, supported by all major web browsers. Google announced in September 2013 plans to remove NPAPI support from Chrome by "the end of 2014", thus effectively dropping support for Silverlight, Java, Facebook Video and other similar NPAPI based plugins. Recently, Google has revised their plans and now state that they plan to completely remove NPAPI by late 2015. As it is unclear if these dates will be further extended or not, we strongly recommend Java users consider alternatives to Chrome as soon as possible. Instead, we recommend Firefox, Internet Explorer and Safari as longer-term options. As of April 2015, starting with Chrome Version 42, Google has added an additional step to configuring NPAPI based plugins like Java to run — see the section Enabling NPAPI in Chrome Version 42 and later below.
Enabling NPAPI in Chrome Version 42 and later
As of Chrome Version 42, an additional configuration step is required to continue using NPAPI plugins.
  1. In your URL bar, enter:
    chrome://flags/#enable-npapi 
  2. Click the Enable link for the Enable NPAPI configuration option.
  3. Click the Relaunch button that now appears at the bottom of the configuration page.
Developers and System administrators looking for alternative ways to support users of Chrome should see this blog, in particular "Running Web Start applications outside of a browser" and "Additional Deployment Options" section.

Once Dhananjay did the above steps, Chrome started launching forms again. He quickly gave these steps to all his users who had upgraded to the latest version of Chrome (version 42) and it started working for them too. Oracle doesn't certify E-Business Suite forms on Chrome. Only the self-service pages of E-Business Suite are certified on Google Chrome.
Categories: APPS Blogs

opatch hangs on /sbin/fuser oracle

Vikram Das - Sat, 2015-04-11 18:30
Pipu pinged me today about opatch hanging. The opatch log showed this:

[Apr 11, 2015 5:24:13 PM]    Start fuser command /sbin/fuser $ORACLE_HOME/bin/oracle at Sat Apr 11 17:24:13 EDT 2015

I had faced this issue once before, but was not able to recall what was the solution.  So I started fresh.

As oracle user:

/sbin/fuser $ORACLE_HOME/bin/oracle hung

As root user

/sbin/fuser $ORACLE_HOME/bin/oracle hung

As root user

lsof hung.

Google searches about it brought up a lot of hits about NFS issues.  So I did df -h.

df -h also hung.

So I checked /var/log/messages and found many messages like these:

Apr 11 19:44:42 erpserver kernel: nfs: server share.justanexample.com not responding, still trying

That server has a mount called /R12.2stage that has the installation files for R12.2.
So I tried unmounting it:
umount /R12.2stage
Device Busy
umount -f /R12.2stage
Device Busy
umount -l /R12.2stage
df -h didn't hang any more.
Next I did strace /sbin/fuser $ORACLE_HOME/bin/oracle and it stopped here:
open("/proc/12854/fdinfo/3", O_RDONLY)  = 7
fstat(7, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b99de014000
read(7, "pos:\t0\nflags:\t04002\n", 1024) = 20
close(7)                                = 0
munmap(0x2b99de014000, 4096)            = 0
getdents(4, /* 0 entries */, 32768)     = 0
close(4)                                = 0
stat("/proc/12857/", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/proc/12857/stat", O_RDONLY)      = 4
read(4, "12857 (bash) S 12853 12857 12857"..., 4096) = 243
close(4)                                = 0
readlink("/proc/12857/cwd", "11.2.0.4/examples (deleted)"..., 4096) = 27
rt_sigaction(SIGALRM, {0x411020, [ALRM], SA_RESTORER|SA_RESTART, 0x327bc30030}, {SIG_DFL, [ALRM], SA_RESTORER|SA_RESTART, 0x327bc30030}, 8) = 0
alarm(15)                               = 0
write(5, "@\20A\0\0\0\0\0", 8)          = 8
write(5, "\20\0\0\0", 4)                = 4
write(5, "/proc/12857/cwd\0", 16)       = 16
write(5, "\220\0\0\0", 4)               = 4
read(6,
It stopped here. So I did Ctrl+C.
# ps -ef |grep 12857
oracle   12857 12853  0 Apr10 pts/2    00:00:00 -bash
root     21688  2797  0 19:42 pts/8    00:00:00 grep 12857
Killed this process
# kill -9 12857
Again I did strace /sbin/fuser $ORACLE_HOME/bin/oracle and it stopped at a different process this time that was another bash process.  I killed that process also.
I executed it for 3rd time: strace /sbin/fuser $ORACLE_HOME/bin/oracle
This time it completed.
Ran it without strace
/sbin/fuser $ORACLE_HOME/bin/oracle
It came out in 1 second.
Then I did the same process for lsof
strace lsof
and killed the processes where it was getting stuck. Eventually lsof also worked.
Pipu retried opatch and it worked fine.
Stale NFS mount was the root cause of this issue.  It was stale because the source server was down for Unix security patching during weekend. 
Categories: APPS Blogs

Come See Integrigy at Collaborate 2015

Come see Integrigy's session at Collaborate 2015 in Las Vegas (http://collaborate.ioug.org/). Integrigy is presenting the following paper:

IOUG #763
Detecting and Stopping Cyber Attacks against Oracle Databases
Monday, April 13th, 9:15 - 11:30 am
North Convention, South Pacific J

If you are going to Collaborate 2015, we would also be more than happy to talk with you about your Oracle security questions. If you would like to talk with us while at Collaborate, please contact us at info@integrigy.com.

 

Tags: Conference
Categories: APPS Blogs, Security Blogs

adoafmctl.sh hangs

Vikram Das - Fri, 2015-04-03 19:26
Rajesh and Shahed called me about this error where after a reboot of the servers, adoafmctl.sh wouldn't start.  It gave errors like these:

You are running adoafmctl.sh version 120.6.12000000.3 
Starting OPMN managed OAFM OC4J instance ... 
adoafmctl.sh: exiting with status 152 
adoafmctl.sh: check the logfile 
$INST_TOP/logs/appl/admin/log/adoafmctl.txt for more information

adoafmctl.txt showing:
ias-component/process-type/process-set:
default_group/oafm/default_group/
Error
--> Process (index=1,uid=349189076,pid=15039)
time out while waiting for a managed process to start
Log:
$INST_TOP/logs/ora/10.1.3/opmn/default_group~oafm~default_group~1
07/31/09-09:14:28 :: adoafmctl.sh: exiting with status 152
================================================================================
07/31/09-09:14:40 :: adoafmctl.sh version 120.6.12000000.3
07/31/09-09:14:40 :: adoafmctl.sh: Checking the status of OPMN managed OAFM OC4J instance
Processes in Instance: SID_machine.machine.domain
-------------------+--------------------+---------+---------
ias-component | process-type | pid | status
-------------------+--------------------+---------+---------
default_group | oafm | N/A | Down
Solution:
1. Shutdown all middle tier services and ensure no defunct processes exist by running the following from the operating system:
# ps -ef | grep
If one finds any, kill these processes.
2. Navigate to the $INST_TOP/ora/10.1.3/opmn/logs/states directory. It contains the hidden file .opmndat:
# ls -lrt .opmndat
3. Delete the file .opmndat after making a backup of it:
# rm .opmndat
4. Restart the services.

5. Re-test the issue.
This resolved the issue.
Categories: APPS Blogs

R12.2 Documentation link in html format

Vikram Das - Mon, 2015-03-23 19:35
This link has the R12.2 documentation in HTML format:

https://docs.oracle.com/cd/E26401_01/index.htm 
Categories: APPS Blogs

Oracle Fusion Applications 11.1.9 is now available : Contact Us if you need help

Online Apps DBA - Thu, 2015-03-05 15:09
Fusion Applications version 11.1.9 is now available to download from eDelivery. Contact Us if you need any help with Fusion Apps installation or wish to access a Fusion Applications 11.1.9 instance hosted at our datacenter. Related Posts for Fusion Apps: Oracle Fusion Applications Overview, Oracle Fusion Application for […] The post Oracle Fusion Applications 11.1.9 is now available : Contact Us...

Categories: APPS Blogs

The EBS Technology Codelevel Checker (available as Patch 17537119) needs to be run on the following nodes

Vikram Das - Sun, 2015-03-01 14:53
I got this error while upgrading an R12.1.3 instance to R12.2.4, when I completed AD.C.Delta 5 patches with November 2014 bundle patches for AD.C and was in the process of applying TXK.C.Delta5 with November 2014 bundle patches for TXK.C :

Validation successful. All expected nodes are listed in ADOP_VALID_NODES table.
[START 2015/03/01 04:53:16] Check if services are down
        [INFO] Run admin server is not down
     [WARNING]  Hotpatch mode should only be used when directed by the patch readme.
  [EVENT]     [START 2015/03/01 04:53:17] Performing database sanity checks
    [ERROR]     The EBS Technology Codelevel Checker (available as Patch 17537119) needs to be run on the following nodes: .
    Log file: /erppgzb1/erpapp/fs_ne/EBSapps/log/adop/adop_20150301_045249.log


[STATEMENT] Please run adopscanlog utility, using the command

"adopscanlog -latest=yes"

to get the list of the log files along with snippet of the error message corresponding to each log file.


adop exiting with status = 1 (Fail)

I was really surprised as I had already run EBS technology codelevel checker (patch 17537119) script checkDBpatch.sh on racnode1.
To investigate I checked inside checkDBpatch.sh and found that it creates a table called TXK_TCC_RESULTS.

SQL> desc txk_tcc_results
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 TCC_VERSION                               NOT NULL VARCHAR2(20)
 BUGFIX_XML_VERSION                        NOT NULL VARCHAR2(20)
 NODE_NAME                                 NOT NULL VARCHAR2(100)
 DATABASE_NAME                             NOT NULL VARCHAR2(64)
 COMPONENT_NAME                            NOT NULL VARCHAR2(10)
 COMPONENT_VERSION                         NOT NULL VARCHAR2(20)
 COMPONENT_HOME                                     VARCHAR2(600)
 CHECK_DATE                                         DATE
 CHECK_RESULT                              NOT NULL VARCHAR2(10)
 CHECK_MESSAGE                                      VARCHAR2(4000)

SQL> select node_name from txk_tcc_results;

NODE_NAME
--------------------------------------------------------------------------------
RACNODE1
I ran checkDBpatch.sh again, but the patch failed again with previous error:
   [ERROR]     The EBS Technology Codelevel Checker (available as Patch 17537119) needs to be run on the following nodes: .
It was Saturday 5 AM already working through the night.  So I thought, it is better to sleep now and tackle this on Sunday.  On Sunday morning after a late breakfast, I looked at the problem again.  This time, I realized that the error was complaining about racnode1 (in lower case) and the txk_tcc_results table had RACNODE1(in upper case).  To test my hunch, I immediately updated the value:
update txk_tcc_results
set node_name='racnode1' where node_name='RACNODE1';
commit;
I restarted the patch, and it went through.  Patch was indeed failing because it was trying to look for a lower case value.  I will probably log an SR with Oracle, so that they change their code to make the node_name check case insensitive.

Further, I was curious, why node_name was stored in all caps in fnd_nodes and txk_tcc_results.  The file /etc/hosts had it in lowercase.  I tried the hostname command on linux prompt:

$ hostname
RACNODE1

That was something unusual, as in our environment, hostname always returns the value in lowercase.  So I further investigated.
[root@RACNODE1 ~]# sysctl kernel.hostname
kernel.hostname = RACNODE1

So I changed it

[root@RACNODE1 ~]# sysctl kernel.hostname=racnode1
kernel.hostname = racnode1
[root@RACNODE1 ~]# sysctl kernel.hostname
kernel.hostname = racnode1
[root@RACNODE1 ~]#
[root@RACNODE1 ~]# hostname
racnode1
Logged in again to see if root prompt changed:
[root@racnode1 ~]#

I also checked
[root@tsgld5811 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
NOZEROCONF=yes
HOSTNAME=RACNODE1

Changed it here also:
[root@tsgld5811 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
NOZEROCONF=yes
HOSTNAME=racnode1

I also changed it on racnode2.
Categories: APPS Blogs

cannot set user id: Resource temporarily unavailable or Fork: Retry: Resource Temporarily Unavailable

Vikram Das - Tue, 2015-02-24 10:01
Amjad reported this error while trying to login to the server:

cannot set user id: Resource temporarily unavailable

In the past he had reported this error:

Fork: Retry: Resource Temporarily Unavailable

Both errors are the EAGAIN reported when a login's fork()/setuid() is refused because the user has hit its maximum number of processes (the nproc limit), which a full set of Oracle processes under one OS account can exhaust. On OEL 6.x the default nproc limit is not set in /etc/security/limits.conf but in the file below, which is read after limits.conf and overrides any nproc value set there; `ulimit -u` as the affected user shows the effective value:

/etc/security/limits.d/90-nproc.conf

The default content in the file is:

cat /etc/security/limits.d/90-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     1024
root       soft    nproc     unlimited

I changed this to:

$ cat /etc/security/limits.d/90-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     16384
root       soft    nproc     unlimited
$
As soon as this change was made, Amjad was able to login.

Categories: APPS Blogs

Fine Grained Auditing (FGA) and Protecting Oracle E-Business PII Data for Executives

With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.

The following Fine-Grained-Auditing (FGA) policy started the discussion. The policy below will conditionally log direct connections to the Oracle E-Business Suite database when the PII data of corporate executives is accessed. For example, it will ignore E-Business Suite end-user connections to the database, but will catch people directly connecting to the database from their laptop. However, it will only do so if PII data for executives is accessed:

BEGIN

DBMS_FGA.ADD_POLICY (
   object_schema     =>  'HR',
   object_name       =>  'PER_ALL_PEOPLE_F',
   policy_name       =>  'FGA_PPF_NOT_GUI_AND_OFFICER',
   -- replace the three placeholder strings with the real IP addresses
   -- of your database, concurrent manager and application tier hosts
   audit_condition   =>  ' PER_ALL_PEOPLE_F.PERSON_ID IN (
         SELECT PAX.PERSON_ID
         FROM PER_ASSIGNMENTS_X PAX, PER_JOBS J, PER_JOB_DEFINITIONS JD
         WHERE PAX.JOB_ID = J.JOB_ID
         AND J.JOB_DEFINITION_ID = JD.JOB_DEFINITION_ID
         AND UPPER(JD.SEGMENT6) LIKE UPPER(''%EXECUTIVE%''))
         AND NOT (SYS_CONTEXT (''USERENV'',''IP_ADDRESS'') IN
         (''IP of your DB server'', ''IP of your cm server'',
           ''IP of your application server'')
        AND SYS_CONTEXT (''USERENV'',''CURRENT_USER'') = ''APPS'' ) ',
   audit_column      =>   NULL,
   handler_schema    =>   NULL,
   handler_module    =>   NULL,
   enable            =>   TRUE,
   statement_types   =>  'SELECT',
   audit_trail       =>   DBMS_FGA.DB,
   audit_column_opts =>   DBMS_FGA.ANY_COLUMNS);

END;
/

Here is an explanation of the policy above:

  • Audits only direct database activity and ignores database connections from the E-Business Suite user interface, the database server, the web and application servers, as well as the concurrent manager. Note that SYS_CONTEXT('USERENV','IP_ADDRESS') is NULL for a local bequeath connection on the database host (for example sqlplus without a TNS alias), so test the condition against each connection path you actually use rather than assuming the IP list covers them.
  • Audits SELECT activity against PER_ALL_PEOPLE_F or any view based on the table PER_ALL_PEOPLE_F. PII data exists outside of PER_ALL_PEOPLE_F, but this table is the central table within the E-Business Suite that defines a person and thus contains critical PII data such as name, birthdate and National Identifier.
  • Audits ALL columns in the table but could easily be restricted to only specific columns.
  • Audits ONLY those result sets that include a current or ex-employee whose job title has ‘%Executive%' in the Job Title. Note this policy was demonstrated using the Vision demo database. Your Job Key Flexfield definition will be different.
  • FGA comes standard with the Enterprise Edition license of the Oracle database. If you own the Oracle E-Business Suite, you don't need an additional license to use FGA.
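The following is an added example, not part of the Integrigy post, showing how to check that the policy above is in place, see how its SYS_CONTEXT predicates resolve for the session you are testing from, review what it captured, and back it out. It assumes the policy was created exactly as above, that you run it as a DBA account with SELECT on the DBA_* views, and that the test SELECT is issued from a separate, non-APPS client session.

```sql
-- Added example (not from the Integrigy post): verify and exercise
-- the FGA_PPF_NOT_GUI_AND_OFFICER policy. Run as a DBA user.

-- 1. Confirm the policy exists, is enabled and audits SELECT only.
SELECT object_schema, object_name, policy_name, enabled,
       sel, ins, upd, del, audit_trail
FROM   dba_audit_policies
WHERE  policy_name = 'FGA_PPF_NOT_GUI_AND_OFFICER';

-- 2. From the session you intend to test with, look at the values the
--    audit_condition will see. IP_ADDRESS is NULL for a local bequeath
--    connection on the database host, so such a session never matches
--    the IP list in the policy and must be tested separately.
SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS')   AS client_ip,
       SYS_CONTEXT('USERENV', 'CURRENT_USER') AS cur_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS sess_user,
       SYS_CONTEXT('USERENV', 'MODULE')       AS module_name
FROM   dual;

-- 3. Trigger the policy on purpose from a laptop SQL*Plus session
--    (non-APPS user with SELECT on HR.PER_ALL_PEOPLE_F). A record is
--    written only if the result set contains an executive's row.
SELECT person_id, full_name
FROM   hr.per_all_people_f
WHERE  ROWNUM <= 50;

-- 4. Review what was captured. audit_trail => DBMS_FGA.DB lands the
--    rows in SYS.FGA_LOG$, exposed through DBA_FGA_AUDIT_TRAIL.
SELECT timestamp, db_user, os_user, userhost, client_id,
       policy_name, object_schema, object_name, statement_type, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'FGA_PPF_NOT_GUI_AND_OFFICER'
ORDER  BY timestamp DESC;

-- 5. Back out cleanly when the test is over. DISABLE_POLICY keeps the
--    definition for later re-enable; DROP_POLICY removes it entirely.
BEGIN
  DBMS_FGA.DISABLE_POLICY(object_schema => 'HR',
                          object_name   => 'PER_ALL_PEOPLE_F',
                          policy_name   => 'FGA_PPF_NOT_GUI_AND_OFFICER');
  -- DBMS_FGA.DROP_POLICY('HR', 'PER_ALL_PEOPLE_F', 'FGA_PPF_NOT_GUI_AND_OFFICER');
END;
/
```

Step 3 should be repeated once per connection path you expect the policy to cover (laptop SQL*Plus, a bequeath session on the database host, a JDBC client) and once from the application tier as APPS, and the DBA_FGA_AUDIT_TRAIL query in step 4 then shows which of them were and were not recorded.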

The policy above would certainly strengthen an overall database security posture, but it does have several immediate drawbacks:

  • While it does address risks with direct database activity, including the use of the APPS account from a laptop, it will not guard against privileged database users such as DBAs.
  • Spoofing of USERENV attributes is possible, which precludes using any USERENV attribute other than the IP address and DB username.
  • Audit data needs to be stored securely and purged regularly. Privileged users may have access to FGA data and policies. Audit data also needs to be retained and purged per corporate policies.
  • Lastly, the performance impact of the policy above would need to be carefully measured. If the policy above were to be implemented, it would need to be seriously tested, especially if modules such as Oracle Advanced Benefits and/or Payroll are in use.
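As an added example for the retention point above (not code from the Integrigy post), the block below uses the supplied DBMS_AUDIT_MGMT package to move the FGA trail out of the SYSTEM tablespace and purge it on a schedule that is gated on an archive timestamp, so rows are only deleted after they have been copied to the SIEM or Audit Vault. The tablespace name AUDIT_DATA, the 30-day retention and the job name are assumptions; the package and its procedures are standard in Oracle 11.2 and later.

```sql
-- Added example (not from the Integrigy post): relocate and purge the
-- FGA audit trail with DBMS_AUDIT_MGMT. Run as SYSDBA or a user with
-- EXECUTE on DBMS_AUDIT_MGMT. AUDIT_DATA tablespace is assumed to exist.
BEGIN
  -- Move SYS.FGA_LOG$ out of SYSTEM into a dedicated tablespace.
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    audit_trail_location_value => 'AUDIT_DATA');

  -- Cleanup must be initialised once per trail type; guard against re-runs.
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;

  -- Only rows older than this timestamp are purged. Set it from the
  -- collector's "last successfully archived" point; 30 days is assumed here.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);

  -- Scheduler job that purges every 24 hours, honouring the timestamp
  -- above rather than truncating the whole trail.
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'FGA_TRAIL_PURGE_30D',
    use_last_arch_timestamp    => TRUE);
END;
/

-- Verify the retention point and the job.
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

SELECT job_name, job_status, audit_trail, job_frequency
FROM   dba_audit_mgmt_cleanup_jobs;
```

The archive timestamp is the control that matters: if it is never advanced, the job runs but deletes nothing, and if it is advanced before the collector has actually read the rows, the evidence is gone. Tie the SET_LAST_ARCHIVE_TIMESTAMP call to the collector's confirmed checkpoint rather than to a fixed offset in production.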

As part of a database security program, Integrigy recommends that all clients implement defense in depth. No one tool or security feature will protect your data. Oracle Traditional Auditing (TA) as well as FGA policies similar to the above should be implemented, but both TA and FGA have limitations and trade-offs.

Integrigy recommends that both Oracle TA and FGA be used with database security solutions such as the Oracle Audit Vault and Database Firewall (AVDF), Splunk, Imperva, and IBM Guardium. Database monitoring and alerting needs to be automated and should be done using a commercial tool. You also need to secure and monitor privileged users such as DBAs, and database security cannot come at the cost of overall application performance.

Our client conversation about the FGA policy above concluded that while the policy could work, given the variety of different database connections, a better solution would be to utilize a variation of the policy above along with Splunk, which they already own.

If you have questions about the sample FGA policy above or about database security, please contact us at: mailto:info@integrigy.com


Tags: Auditing, Sensitive Data, HIPAA, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

OAM 11g: Resource URL

Online Apps DBA - Wed, 2015-02-11 15:37
Just in case if you have a requirement to retrieve the resource URL or the original URL the user accessed during authentication process in OAM 11g, then this post is for you. If you wish to redirect the user to different page post authentication/authorization success or failure and you would like to know the original […] The post OAM 11g: Resource URL appeared first on Oracle : Design, Implement & Maintain.

Categories: APPS Blogs

Integrigy Database Log and Audit Framework with the Oracle Audit Vault

Most clients do not fully take advantage of their database auditing and logging features. These features are sophisticated and are able to satisfy most organization’s compliance and security requirements. 

The Integrigy Framework for database logging and auditing is a direct result of Integrigy’s consulting experience and will be equally useful to both those wanting to improve their capabilities as well as those just starting to implement logging and auditing.  Our goal is to provide a clear explanation of the native auditing and logging features available, present an approach and strategy for using these features and a straight-forward configuration steps to implement the approach.

Integrigy’s Framework is also specifically designed to help clients meet compliance and security standards such as Sarbanes-Oxley (SOX), Payment Card Industry (PCI), FISMA, and HIPAA.  The foundation of the Framework is PCI DSS requirement 10.2.

Integrigy’s Log and Audit Framework can be easily implemented using the Oracle Audit Vault. The high-level summary is as follows:

Level 1

Enable database auditing as directed by the Integrigy Framework Level 1 requirements. 

Level 2
  1. Install the Oracle Audit Vault.  If already installed, it is highly recommended to perform a health check as described in Audit Vault Server Configuration Report and Health Check Script (Doc ID 1360138.1).
  2. Configure the Oracle database to use Syslog per Integrigy Framework Level 2 requirements. Set the database initialization parameter AUDIT_TRAIL to ‘OS’ and AUDIT_FILE_DEST to the desired directory. Lastly, set the initialization parameter AUDIT_SYSLOG_LEVEL to ‘LOCAL1.WARNING’ so that audit records are written through syslog. Note that AUDIT_TRAIL and AUDIT_SYSLOG_LEVEL are static parameters and take effect only after the instance is restarted.
  3. Install and activate the Oracle Audit Vault collector agent OSAUD for operating system files. Collect the Syslog formatted logs located by the AUDIT_FILE_DEST parameter.
Level 3

Protect application log and audit tables by creating standard database audit policies and adding these new policies to the Audit Vault collectors. Create database alerts based on correlations between standard database events and application audit logs.

Oracle E-Business Suite Example

To use the Oracle Audit Vault with the Oracle E-Business Suite, no additional patches are required for either the E-Business Suite or the Oracle database. This is because the Oracle Audit Vault uses only standard Oracle database functionality.

There are two steps for Level 3.  The first is to protect the Oracle E-Business Suite audit tables, the second is to build alerts and reports that correlate application and database log information.  To protect the E-Business Log and Audit tables, enable standard auditing on them.  The second step is to define the Audit Vault alerts and reports.

Below is an example of event E12 - Protect Application Audit Data

The sign-on audit tables log user logon and navigation activity for the professional forms user interface.  This data needs to be protected.

Steps
  1. Enable Standard Auditing
  2. Create Audit Vault Alert
  3. Forward the Alert to Syslog (this feature is available as of Oracle AVDF version 12.1.2)

To enable standard auditing:

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGINS BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESPONSIBILITIES BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESP_FORMS BY ACCESS;

AUDIT UPDATE, DELETE ON APPLSYS.FND_UNSUCCESSFUL_LOGINS BY ACCESS;
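As an added example, not from the Integrigy post, the block below applies the Level 2 parameters from the summary above and then verifies that the four AUDIT statements for Level 3 actually took effect, since an AUDIT statement that silently did nothing (wrong owner, wrong object name) leaves the alert with nothing to fire on. It assumes a SYSDBA session, a restart window, and the path /u01/app/oracle/audit for AUDIT_FILE_DEST; the view and column names are standard Oracle 11g/12c.

```sql
-- Added example (not from the Integrigy post). Run as SYSDBA.

-- Level 2: route the standard audit trail to syslog (facility LOCAL1,
-- severity WARNING). AUDIT_TRAIL and AUDIT_SYSLOG_LEVEL are static, so
-- they are written to the spfile and need SHUTDOWN IMMEDIATE / STARTUP.
ALTER SYSTEM SET audit_trail        = 'OS'                    SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest    = '/u01/app/oracle/audit' SCOPE = SPFILE; -- assumed path
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING'        SCOPE = SPFILE;

-- After the restart, confirm the running values rather than the spfile.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_file_dest', 'audit_syslog_level');

-- Level 3: the AUDIT ... BY ACCESS statements above should show 'A/A'
-- for UPD and DEL (audited by access on success and on failure).
-- A row missing here means the AUDIT statement did not apply.
SELECT owner, object_name, upd, del, sel, ins
FROM   dba_obj_audit_opts
WHERE  owner = 'APPLSYS'
AND    object_name IN ('FND_LOGINS', 'FND_LOGIN_RESPONSIBILITIES',
                       'FND_LOGIN_RESP_FORMS', 'FND_UNSUCCESSFUL_LOGINS');

-- Smoke test: an UPDATE that changes nothing still generates an audit
-- record, and RETURNCODE 0 / non-zero distinguishes success from failure.
UPDATE applsys.fnd_logins SET login_id = login_id WHERE 1 = 0;
ROLLBACK;

-- With AUDIT_TRAIL = 'OS' the record goes to syslog, not to AUD$, so read
-- it from the syslog file. Before switching to OS (AUDIT_TRAIL = 'DB') the
-- same event can be checked here:
SELECT timestamp, username, os_username, userhost, action_name,
       obj_name, returncode
FROM   dba_audit_object
WHERE  owner = 'APPLSYS'
AND    obj_name IN ('FND_LOGINS', 'FND_LOGIN_RESPONSIBILITIES',
                    'FND_LOGIN_RESP_FORMS', 'FND_UNSUCCESSFUL_LOGINS')
ORDER  BY timestamp DESC;
```

Run the DBA_OBJ_AUDIT_OPTS query after any E-Business Suite patch that recreates these tables as well: object audit options are attached to the object, and a dropped and recreated FND_LOGINS comes back with no auditing.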

 

To create an alert in Audit Vault:

Audit Vault -> Auditor -> Policy -> Alerts -> Create Alert

 

Name: E12 - Modify audit and logging

Condition:

 :TARGET_OWNER='APPLSYS' AND :EVENT_NAME in ('UPDATE','DELETE') AND :TARGET_OBJECT in ('FND_LOGINS','FND_LOGIN_RESPONSIBILITIES','FND_LOGIN_RESP_FORMS','FND_UNSUCCESSFUL_LOGINS')


If you have questions, please contact us at mailto:info@integrigy.com

Tags: Auditing, Oracle Audit Vault
Categories: APPS Blogs, Security Blogs