I have written previously on how much I dislike password maintenance. Every chance I get to enable PKI certificate authentication, I take it. Most of my career I have worked in environments where certificate authentication was expected, if not explicitly required, so it wasn't a big leap for me to look at configuring Oracle APEX … Continue reading APEX Authentication with a Smart Card – Part 1 (Web Server)
This guide includes step-by-step instructions to install and configure the Apache HTTPD, Tomcat, Oracle REST Data Services, and Oracle Application Express (APEX) technology stack within a simple, highly available infrastructure. It also describes basic HTTP Header-based user authentication and authorization configuration within an APEX application built within the stack.
One thing that going over this material again and again over the last few weeks has driven home for me, especially as our customer considers how best to implement their various choices for development frameworks, is just how much of a fairy tale the promises of middle-tier application servers turned out to be in terms of processing business logic.
This quick “how to” document highlights configuration steps and parameters to enable PKI authentication between the Oracle Database Client for Windows and an Oracle Database. It was written to detail configuration parameters for the Oracle Wallet to use the Department of Defense Common Access Card (CAC) and U.S. Federal Government PIV cards as an external … Continue reading Configuring SSL for Oracle Client Authentication and Encryption with DoD Common Access Cards Using Microsoft Certificate Store
My company is going to be on the lookout for a new junior DBA in the near future, and I thought I would try something different in the interview process this time around...
Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”
An example of a method for scanning the Oracle data dictionary for potential PII data and automating specific responses, such as encrypting of columns or alerting the DBA, when new data is found.
What if you have a lot of potential PII data and you need to enforce some additional safeguards on it? How do I make this information actionable, and, better yet, how do I automate that action as much as possible?
This is the last post in this series, in which I have described configurations for the server wallet, server networking, client networking, and database. If you have completed all of the steps I laid out, then you are ready to test your SSL connection using your smart card. TNS Ping over TCPS First confirm that … Continue reading Database Authentication with a Smart Card – Part 5 (Testing)
In parts one, two, and three of this series I looked at configuring the database server and client software for smart card authentication. In this post I will discuss required updates to the database initialization parameters, how to gather the necessary information to create the externally authenticated database user, and how to create the user. … Continue reading Database Authentication with a Smart Card – Part 4 (Database)
In Part 1 and Part 2 of this series I described the process for configuring the server wallet, sqlnet.ora, and listener.ora files. In this post I will discuss how to configure the client for SSL authentication with a smart card. At this point it is assumed that an Oracle Client has already been installed. The … Continue reading Database Authentication with a Smart Card – Part 3 (Client)
In my previous post I discussed the first steps in the configuration of an Oracle database for user authentication using a smart card, such as the DoD Common Access Card (CAC). Along with some general considerations for setting up SSL/TLS authentication, I went over the construction of the database server's Oracle Wallet. In this post … Continue reading Database Authentication with a Smart Card – Part 2 (Server)
I hate changing passwords every so many days. Seems like I no sooner get all of my passwords reset than it is time to start changing them again. Working in a government environment, one of those things that I tried to figure out for years was how to log on to a database using my … Continue reading Database Authentication with a Smart Card – Part 1 (Wallet)
I'm going to post this as a reminder to myself as much as anything else. A couple of times - most recently this week - I've had to apply patches for Oracle APEX into various databases that I work with and received the following error almost as soon as the apxpatch.sql script started to run: … Continue reading APEX Patches and NLS_LENGTH_SEMANTICS
A co-worker of mine recently had a dilemma. He needed to have a scheduler job chain in one schema trigger a second scheduler job chain in another schema when it completed. He had already come up with some ideas on how to accomplish this with a variety of home-grown solutions and he wanted to run … Continue reading AQ Basics
While perusing recent postings on the Ask Tom web site, I chanced across this one, entitled "Frustrated DBA", in which John asks the following question: "Is it just me or does doing the "typical DBA" tasks like installing, patching, backing up, checking backups, monitoring databases, creating users, checking space and other mundane tasks get boring … Continue reading The Frustrated DBA
A few years ago I started keeping most of my system documentation in APEX websheets. It's great for keeping things organized and readily available no matter how I'm accessing my work network (on-site, VPN, etc.). A lot of my installation documents have embedded screenshots, and the png files are attached to the websheet as annotations. … Continue reading How to Load Large WebSheets into APEX
I have used Oracle APEX in various capacities since version 3. Since Oracle introduced their packaged applications in version 4 I have played around with most of them from time to time and currently use several of them in my daily work. P-Track, ORAchk, WebSheets and others make my job a lot easier, and the new … Continue reading APEX Mystery Solved
What needs to be done? At this point it is important to stop and consider that if you have read my previous posts in this series and followed all the links that I recommended then you will have read a lot of other people's documentation and best practices. With a little luck you may have … Continue reading The Database, Your Way
What needs to be done? In my last two posts I discussed the rules of the road in relation to designing and implementing an Oracle database information system, and how to evaluate compliance and overall security posture. In this post I will discuss the basic Oracle license, which has been known to cause a lot … Continue reading License to Drive
A filter that allows incoming database connections to be approved or rejected based on the values of their sys_context parameters.
What needs to be done? In my last post I talked about the legal rules of the road in regards to designing and implementing a database information system, starting from the top level and driving down to the nitty gritty step-by-step hardening instructions, including the STIG. Once the applicable rules are understood, it is important … Continue reading Passing the Test
What needs to be done? Before a driver heads out on the road, it is important for him or her to know the rules. Not just common sense stuff like "don't drive on the wrong side of the road", but the actual rules and laws that govern what you're about to do, like obeying a … Continue reading The Rules of the Road
It's a new year, and therefore time to start a new series of posts. This year I will be looking at how to secure Oracle on a limited budget (or more commonly a non-existent one), with an emphasis on what can be done for little or no additional cost beyond the basic hardware and software … Continue reading And Now for Something Completely Different…
One of the most problematic STIG checklist items is this one: Rule Title: Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. STIG ID: DG0067-ORACLE11 Rule ID: SV-24641r1_rule Vuln ID: V-3812 Severity: CAT I Vulnerability Discussion: Database passwords stored … Continue reading Database Account Password Storage