Masters in Database security

Hi Team,
I work as an Oracle Apps DBA. I was planning for higher studies, preferably a master's programme; I already hold an engineering degree from my U.G.
The reasons I chose a database security programme are as follows:
1. Only a few DBAs have expertise in this arena.
2. Companies that bother about their database security must be big MNCs and reputed international banks.
3. I am already working in a relevant field and have completed certifications etc., which could further strengthen my foundation.
4. Most regular DBAs in the market have almost nil knowledge of database vault, security, encryption, TDE etc.
So, does this idea really work well? If I do the programme, how are my chances? I see security as essential, with a key role to play in the future in any organisation to protect their privacy.
regards,
Dilip


Similar Messages

  • Configuring Database Security Store is failing

    Guys,
    I am trying to configure Database Security Store while installing 11gR2 (OIM, OAM, SOA) and wlst.sh script is failing. Here is the format I am giving.
    $MW_HOME/oracle_common/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $IAM_DOMAIN_LOCATION -m create -c IAM -p $ORA_PASS
    Here is the error message I am getting.
    Problem invoking WLST - Traceback (innermost last):
    File "/apps/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py ", line 15, in ?
    ImportError: no module named security
    Please let me know how to resolve this issue.
    PS: I created a new domain with 7002 for OIM, OAM & SOA as 7001 is being used by OID domain. And trying to run the above command with 7002 domain name and getting this error.

    This is a bug.
    Run a search for wlst.sh in your environment and call the wlst.sh from oracle_common/common/bin not from wl_server/common/bin.
    You can look for this (Doc ID 1493576.1) in Oracle support.
    Thanks,
    Ram

  • Assigning role to role doesn't work when applying Database security model

    I applied Oracle Database security model for BI Publisher.
    Then I created some roles and users and assigned roles to users in Oracle Database.
    I also assigned appropriate folders to each role in BI Publisher.
    The users with direct roles worked successfully, but I got a problem when I assigned roles to a super role and assigned this role to a super user.
    the super user could only access guest folder.
    Please help me.
    thanks.
    Daniel
    Edited by: user13344498 on Jul 5, 2010 11:13 PM

    Add a Role to a Role:
    1. From the Security Center, select Roles and Permissions; this will invoke the
    Security Center page. Here you can see the list of existing roles and permissions.
    2. Select the Add Roles icon for the Role.
    3. Select the desired role from the Available Roles list and use the Move shuttle
    button to move it to the Included Roles.
    This is from the "Oracle® Business Intelligence Publisher User's Guide Release 10.1.3.2 Part No. B40017-01" book, but the security model is BI Publisher Security.

  • Web form and database security risk

    I'd like to develop an Oracle Form or APEX Form where people don't have to login to use it. Like a registration form on our website, where anyone can fill it out. Ideally, the information entered into the form would be saved to an Oracle table (could use a flat file if database security is an issue). I'm a developer and don't know a lot about the security side.
    I'm thinking we would need a static IP address and an Oracle public password that doesn't expire, since the public doesn't have to login to use the form.
    Is this possible and is it a database or network security risk ?

    An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/ registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
    A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
    Justin

  • ORA-00001: unique constraint during "Configure Database Security Store for OIM Domain"

    Hi Gurus,
    I am following the steps below for the OIM 11.1.2.1 with SOA 11.1.1.7 installation and am facing the error below during the step "Configure Database Security Store for OIM Domain".
    Installed Database 11.2.0.3
    Installed RCU (here I used two versions):
         RCU 11.1.2   - Used IDAM prefix for (Metadata Services, OPSS, OIM)
         RCU 11.1.1.7 - Used SOA prefix for(Metadata Services,SOA Infrastructure, User Messaging service)
    Installed JDK 7 (Java 1.7)
    Installed WL 10.3.6 (MW_HOME-/u01/Middleware/fmw, WL_HOME=/u01/Middleware/fmw/wlserver_10.3)
    Installed FMW 11.1.2.1 for OIM. (ORACLE_HOME=Oracle_IDM1)
    Installed FMW 11.1.1.7 for SOA (ORACLE_HOME=Oracle_SOA1)
    WL Domain creation.  (Domain Name – idam_domain1)
    Configure Database Security Store for OIM Domain.
    Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (IDAM_OPSS.IDX_JPS_RDN_PDN) violated
    Also followed the below bug solution, but issue still occurs.
    Bug 16690836 : CONFIGURE DATABASE SECURITY STORE (CONFIGURESECURITYSTORE.PY) SCRIPT IS FAILING
    @ 1. Delete the Schemas using RCU.
    @ 2. Recreate the OAM schemas.
    @ 3. Reinstall the WLS and OAM software.
    @ 4. Run config.sh to create a new domain.
    @ 5. Run setDomainEnv.sh from user_projects/domains/<Domain_name>/bin
    @ 6. Run the configureSecurityStore.py from same window.
    Not sure if anyone tried with different steps that fixed the issue? Could you please help.
    Thanks
    VG

    Hi Gurus,
    I got the solution from Oracle. SOA 11.1.1.7.0 shouldn't be used with Identity Management 11.1.2.1.0 (11GR1-PS1). Identity Management 11.1.2.1.0 (11GR1-PS1) is bundled with SOA 11.1.1.6.0. When I used this SOA version, the installation went smoothly.
    Thanks
    VG

  • Masters in Database Administration

    Hi,
    I work as an Oracle DBA and am certified on 10g.
    I wanted to know about the degree Masters in Database administration, Data Modelling and Data Warehousing.
    What exactly is covered under these courses?
    Which universities would be good to do it from?
    Any universities in India offer them ?
    Thanks.

    Hi A/K
    I wanted to know about the degree Masters in Database administration, Data Modelling and Data Warehousing.
    Are you thinking about the Oracle Certified Master ? Or some training courses on those topics?
    Database administration > http://en.wikipedia.org/wiki/Database_administrator
    Data Modelling read that> http://en.wikipedia.org/wiki/Data_modeling
    Data Warehousing > http://en.wikipedia.org/wiki/Data_warehouse
    What exactly is covered under these courses.
    See the previous links
    As to which universities would be good to do it from.
    If you are working for a company, then get them to pay for the Oracle training courses, especially if relevant to your work.
    Any universities in India offer them ?
    No idea..... but try to google on that...

  • Web and Database Security - SQL Inject info

    Web and Database Security - SQL Injection.
    Here is a whitepaper on The Dangers of Dynamic Content (SQL Injection)
    http://www.issadvisor.com/viewtopic.php?t=125
    SQL Injection. 3 parts. The first part discusses the basics of how to test
    web applications for SQL injection vulnerabilities. The second part goes into
    the specifics of how to manually identify and test for SQL injection
    vulnerabilities. And the third part describes how to exploit SQL injection to
    retrieve data from the database.
    http://www.issadvisor.com/viewtopic.php?t=123
    Understanding this critical security issue helps web developers who leverage
    databases design and make their applications more secure.
    Hopefully these two links are informative and useful. Please pass them on.


  • How do I use Oracle Database Security in my HTML DB App?

    I have an existing client-server application in which each user has a database account. These accounts are currently set up to allow and disallow appropriate access to data via database roles. I want to augment the client-server application with an HTML DB application and want to use the already created database accounts. Can this be done?

    Chris,
    HTML DB parses the SQL and PL/SQL in your application as the "parse as" schema, or owner, of the application. The new database session created for each page view runs for the connected user HTMLDB_PUBLIC_USER (for DADs with stored credentials) or for the user authenticated by the basic authentication challenge (your situation).
    You can access the USER pseudo-column within the session to set audit columns with the name of the connected user. This is not the name of the application schema.
    Basic Authentication is not the only way to authenticate against database accounts. You can easily implement a login page of your own with a PL/SQL process that checks the user's credentials against the database account. Our team implemented HTML DB extensions to (and ultimately replacements for) a very complex Forms-based system having an architecture probably very similar to yours. In this environment we would set the APP_USER item to the authenticated username and use it for audit columns and for authorization checks within the application. During this 2-year project, we adopted a couple of best practices that you might want to consider: 1) All DML is performed using table-level APIs (which are easy to generate automatically), and 2) Table-level APIs are called only from transaction-level APIs, which often involve multiple calls to table-level APIs. We would implement all authorization checks at the transaction level, either within the APIs themselves, or also on the HTML DB controls around them (buttons, processes, etc.). Abstracting the security rules away from the database objects allowed them to be formulated in terms of business processes and relates them more closely to the logical data model.
    That's an approach you can think about. If you do continue to use basic authentication and direct or role-enabled object privileges, you can still make your DML, triggers, and APIs user-aware as I noted above or by using invoker's rights packages/procedures.
    Finally, HTML DB is not a client-server emulation tool. Its security model facilitates flexible and secure database access appropriate for a declarative development environment (possibly hosted) and application deployment to web-based users.
    Do let us know if we can help with specific issues as you go forward.
    Scott

  • Options to connect SQL Server database securely

    Hello All,
    I am working on a desktop application that requires very high security features related to the database. One thing I require is that the connection string not be stored on the computer where the application is installed, i.e. in the App.Config file.
    I also do not want to store it securely, because while the connection is being established anyone can sniff the traffic and may capture the whole connection string, and so the SQL Server.
    One solution to my problem is to build a web service layer so that we do not need to be concerned about the database connection. However, as I am in the middle of development, this option seems a last hope for me.
    So I need help with other options that can fulfil my security requirements for the SQL Server connection string and database.
    Anyone having any idea?
    Regards,
    Dharmesh Solanki

    Hi dmsolanki,
    This forum is for discussing problems of C# development. Your question is not related to the topic of this forum, so I suggest you post the question in the SQL Server forums at
    http://social.msdn.microsoft.com/Forums/en-US/home?forum=sqlsecurity
    It is appropriate and more experts will assist you.
    Thanks.

  • Users using server with netinfo database security. Better/Worse than Ldap?

    Hello, I have a small department of Mac users and I am in the process of setting them up to access a new Mac os/x 10.4 server. I created the accounts for the users in the local netinfo database with access rights granted to network shares via groups. Everything works well and the users connect to the server from their clients and mount drives. However, I did set up a few users with the ldap portion of the server as a test, and once I modify their Macs to connect to the server via ldap this works fine too. My question is: will I lose features if I just use the netinfo database for logins? The server is only supplying afp logins and shares plus ftp access. I do plan on using the software update service and also vpn eventually. We have other servers that supply dhcp and dns info for our environment.
    Thanks for any info.
    Doug

    It may not be a concern in your environment, but I can't imagine why you wouldn't want to just start out with LDAP. Compared to NetInfo it's designed to provide better interoperability, it performs and scales better in larger installations, and provides better security via access controls. Also, by making your directory network-accessible, you can take advantage of features like automounting share points, preferences management, and mobile user accounts.

  • Document Access - using Portal security or Document Database security

    I originally posted this on the Security Forum, but realized that it might be solved using the PDK.
    I have a table in my database that contains information about a document (Name, Rev, Author, groups that have access). I want users to login to my portal and in a portlet, I want them to be able to click which docs they have access to see; based on who they are logged on as.
    Would I use the PDK for this? If I use portal security, I think I will be maintaining the security twice (database and portal).

              Hi Wendell,
              There is a patch available for this known problem. Please contact BEA support and
              ask for patch CR075892_70.jar for WLS 7.0.
              Thanks!
              Deb
              Wendell Nichols <[email protected]> wrote:
              >I have the opposite problem. My ejb always is denied access to the adapter
              >resource. I'm a Weblogic novice, (but the adapter works on other servers,
              >I'm testing on WL to ensure it works there).
              >How do I get the minimum security in place to test my adapter?
              

  • Database security using VPD

    Hi,
    I am trying to implement Virtual Private Database policy to restrict the user data access.
    I am creating this with Scott schema with 11g R1.
    While accessing DBMS_RLS package I am getting below error.
    SQL> begin
      2  dbms_rls.add_policy  (
      3    user,
      4    'department_secrets',
      5    'choosable policy name',
      6    user,
      7    'pck_vpd.predicate',
      8    'select,update,delete');
      9  end;
    10  /
    dbms_rls.add_policy  (
    ERROR at line 2:
    ORA-06550: line 2, column 1:
    PLS-00201: identifier 'DBMS_RLS' must be declared
    ORA-06550: line 2, column 1:
    PL/SQL: Statement ignored
    Can someone help me to identify what's the issue here?

    Mak1980 wrote:
    > Just wanted to know why we have to give grant to this package as this is also one of the Oracle supplied packages like UTL_FILE and others.

    The DBMS_RLS package allows SQL injection in simplistic terms. The VPDB user function defined for the policy changes the SQL statement by adding predicates to it that need to be met. This allows certain rows to be hidden from the code that issued that SQL statement - and that code and user/developer is totally oblivious that SQL statements sent to the database are changed by the VPDB function.
    How does it make sense to allow public access to all schemas to perform this type of SQL injection?
    Robust security is about giving code and users the absolute minimum set of privs needed, for that code/user to do the required job.
    UTL_FILE is no different. It allows the code/user to step outside of Oracle schema and database, and directly into operating system's file system. What is the first step in pwning a server? Getting backdoor code onto that server for execution. And UTL_FILE allows exactly that.
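
An added example, not part of the posts above: the least-privilege setup the reply argues for, with EXECUTE on DBMS_RLS granted to the one policy-owning schema instead of PUBLIC, followed by the policy call from the question written with named parameters. The SCOTT schema, the `department_secrets` table and `pck_vpd.predicate` come from the thread; the table's columns, the `owner_name` rule and the policy name `DEPT_SECRETS_POLICY` are assumptions made for illustration.

```sql
-- 1. As a DBA: list who can already create row-level security policies.
--    PUBLIC should not appear in this result.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_RLS';

-- 2. As SYS: grant the package to the policy-owning schema only.
--    This resolves PLS-00201 for SCOTT without opening it to every schema.
GRANT EXECUTE ON sys.dbms_rls TO scott;

-- 3. As SCOTT: constructed sample table (column names are assumptions).
CREATE TABLE department_secrets (
  deptno     NUMBER(2)     NOT NULL,
  secret     VARCHAR2(200) NOT NULL,
  owner_name VARCHAR2(30)  NOT NULL
);

-- 4. As SCOTT: the policy function. Oracle passes the schema and object
--    name and appends the returned text as a WHERE predicate.
CREATE OR REPLACE PACKAGE pck_vpd AS
  FUNCTION predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END pck_vpd;
/

CREATE OR REPLACE PACKAGE BODY pck_vpd AS
  FUNCTION predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- Build the predicate from session context only, never from
    -- caller-supplied strings: this text becomes part of every
    -- statement issued against the protected table.
    RETURN 'owner_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
  END predicate;
END pck_vpd;
/

-- 5. As SCOTT: register the policy. Named parameters make the call
--    readable; update_check also rejects updates that would move a row
--    outside the caller's own predicate.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'DEPARTMENT_SECRETS',
    policy_name     => 'DEPT_SECRETS_POLICY',
    function_schema => USER,
    policy_function => 'PCK_VPD.PREDICATE',
    statement_types => 'SELECT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 6. As SCOTT: confirm the policy is registered and enabled.
SELECT object_name, policy_name, sel, upd, del, enable
FROM   user_policies
WHERE  object_name = 'DEPARTMENT_SECRETS';
```

Users holding the EXEMPT ACCESS POLICY system privilege, and SYS, bypass the policy, so that privilege belongs in the same audit as the DBMS_RLS grant.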

  • List Database – Security Reporting and Administration Users

    Dear Expert,
    I’m working with BW 2004’s Security Component. I am trying to find a database table in SE16 that contains the following field: Role with your component by Authorization Object. My scope is to identify which roles are Secure Reporting Users and which are Secure Administration Users.
    The role has  S_RS_COMP and S_RS_COMP1 are Reporting Users. Moreover, the role has Reporting Users S_RS_ADMIWB, S_RS_IOBJ, S_RS_ISOUR, S_RS_ISRCM and S_RS_MRPO
    Thanks for your help,
    Luis

    se16-->AGR_HIER
    AGR_* will be tables for Roles. Tables SMEN_* are for user favorites.
    You can find the information you want in table AGR_HIER.
    In this table you can select the role,
    In the field REPORT, select RRMX ,this will show you all roles with their workbooks.
    AGR_NAME = ROLE (technical name)
    REPORT= RRMX
    Hope it Helps
    Chetan
    @CP..

  • Database security with PUBLIC EXECUTE privileges for Application Express

    I recently tried installing APEX into an existing database containing a data warehouse. Security on this database is quite controlled and PUBLIC EXECUTE to SYS owned objects had been removed, i.e. there was no PUBLIC EXECUTE on:
    DBMS_LOB
    UTL_HTTP
    UTL_FILE
    UTL_SMTP
    UTL_RAW.
    When I tried to install APEX, I got all kinds of errors and logged a TAR. The analyst told me to grant execute to public on the above SYS owned objects. This contradicts the "Policies" in 10G Grid control and the Metalink Notes 131752.1 & Note:247093.1.
    Can these execute privileges be changed to another user in the htmlDB application such as FLOWS_FILES? Or HTMLDB_PUBLIC_USER? What are the security recommendations for Oracle Application Express? Calling any product managers out there....

    Developers/users have started clicking around and are now getting errors. There is a function called CUSTOM_AUTH and one called CUSTOM_HASH which do not compile. They complain about not seeing UTL_RAW, so they had been relying on PUBLIC synonyms. Here is one of the functions:

    create or replace function custom_hash (p_username in varchar2, p_password in varchar2)
      return varchar2
    is
      l_password varchar2(4000);
      l_salt     varchar2(4000) := '2ZVKZMILYMGVFRFXOZIVZ72RJNJY8V';
    begin
      -- This function should be wrapped, as the hash algorithm is exposed here.
      -- You can change the value of l_salt or the method of which to call the
      -- DBMS_OBFUSCATION toolkit, but you must reset all of your passwords
      -- if you choose to do this.
      l_password := utl_raw.cast_to_raw(dbms_obfuscation_toolkit.md5
        (input_string => p_password || substr(l_salt,10,13) || p_username ||
                         substr(l_salt, 4,10)));
      return l_password;
    end;

  • Resource for Forms/Database Security

    My company is taking the Oracle plunge in the next 2 weeks and I really need to find some good books, or resources to get off on the right foot.
    The first thing I would like to deal with is security. I need to figure out how to allow some users to update a field while denying other users. I need to know what kind of information I will need to know.
    Right now the scope of the project is to create an application in Forms and Reports to run the business. Then we will also be working with HTMLDB, Designer, Portals, and other Oracle tools. So the problem is that I can create a table in the database to hold security settings, but I want the settings for Roles and Access rights to persist through all objects.
    Can ALL of the security be done on the database itself???? or will we need to do coding on the Forms and Reports also??
    Basically I need someone to point me to the right resource to start implementing security on the database and Forms, since that is the first step (in my opinion) in developing a good application.

    All security can be done in the database. However, you probably want to have the security rules in your Forms as well. If your Forms are totally open for any action (insert, update, delete), the user will only get an error message when hitting the Save button. Only then are the database securities checked.
    Usually the Form also checks if a user is allowed, e.g., to update a record. If not, in the Form you will set the record to non-updateable. That way the user immediately gets an error message, even before trying to save the changes.
    Another approach is to have only ONE database user with all privileges for the application. Application users and authorization rules are stored in application tables. When you start the application, you automatically log in with a database username and password that are hidden or encoded in some way. Then the user logs in with the username and password that are stored in the application. This approach is very common in web environments.
    > I need to figure out how to allow some users to update a field while denying other users

    I would never go as far as applying security on field level. That may become an administrative nightmare.
