Using Password Protected RMAN Backups


References-

1.    Creating Duplicate database in RMAN using password-mode encrypted backups (Doc ID 464832.1)




Objective –

1.    RMAN backups on NAS are at risk and can be copied easily on intranet.

2.    They can be restored, and critical information can be fetched easily.

3.    Encryption of these backups is need of the hour.

4.    Need to find a simple yet reliable solution to solve this security breach.




Security risk












Proposed Solution –


RMAN backups are now password protected and we are safe even if backup files are stolen. This feature of Oracle will stop hackers restore our backup files and will ask for a password before restoring onto any other server.



















Real-time sample Use-case

Complete level-0 backup taken on Friday as highlighted – post estimation for s3 storage




















When trying to restore onto a different server(Stage in our case).














After setting password, restore was successful.






















Enabling password protection

Change configuration parameter as follows and set password accordingly before starting backup –

Now when restoring, provide same password with set decryption configuration parameter.

This needs to be done outside run block.




at No comments:

Customizing Shortcut keys in Oracle ebs r12




References-
1.    Customizing Keymapping and Resource Files for Forms on the Web -fmrweb.res, fmrpcweb.res (Doc ID 1367967.1)


Objective –
1.    One of the customer’s requirement is to change shortcut keys when using Oracle forms
2.    Typical example is using shortcut key “F10” instead of traditional “Ctrl+s” for saving/committing changes done in a form.
3.    This document applies to all version of Forms on the web from Forms 6i through Forms 11g.
4.    File fmrpcweb.res is something that needs to be studied and understood before modifying.


Understanding file fmrweb.res
Location – typical ebs r12 environment
/data/prod/apps12/apps/tech_st/10.1.2/forms/admin/resource/US

For 10gR2 (forms version)
UNIX -> ORACLE_HOME/forms/admin/resource/<country>/fmrweb.res

Windows -> ORACLE_HOME\forms\fmrweb.res
FMRWEB.RES is the key definition file for webforms. It follows below convention where every key is mapped to a number –
JFN : JMN : URKS : FFN : URFD
JFN    = Java function number
JMN  = Java modifiers number
URKS = User-readable key sequence (double-quoted)
FFN    = Forms function number
URFD = User-readable function description (double-quoted)


JAVA FUNCTION NUMBER
JAVA FUNCTION NUMBER
Number
Key
Remarks
33
PageUp

34
PageDown

35
End

36
Home

37
LeftArrow

38
UpArrow

39
RightArrow

40
DownArrow

65 - 90
Ctrl+A thru Ctrl+Z
These will always have the control modifier explicitly included, as well as any other modifiers that might be used.
112 - 123
F1 thru F12

9
Tab (Ctrl+I, without the control modifier)

10
Return (Ctrl+J, without the control modifier)




JAVA MODIFIERS NUMBER
Number
Key
Remarks
0
None
Equals to the sum of the values for the modifier keys
1
Shift
2
Control
4
Meta
8
Alt


FORMS FUNCTION NUMBER
The Forms function numbers match the function numbers found in a typical Forms key binding file.

USER-READABLE STRINGS
The double-quoted strings appear when users click [Show Keys] and are used for this purpose only. These strings can be translated as needed. Note that the strings do not affect what happens when end users press the key sequence.



Real-time sample Use-case
Before modifying and files, we need to first check value for profile –
Forms Keyboard Mapping File
Sometimes, a customized file can be used for mapping keys with form functions. This profile stores location of this custom file and will accordingly set mapping.
If the above file is blank, Oracle by default uses fmrweb.res file.

Using "F10” to save/commit changes instead of traditional "Ctrl+S". Below are original settings for saving/committing transaction/changes done in a form.

[applprod@clone US]$ cat fmrweb.res | grep "Ctrl+S"
83   : 2 : "Ctrl+S"         : 36 : "Commit"
[applprod@clone US]$



Decoding above and simplyfing –
83: “S”
2  : “Ctrl”

We first took backup of file fmrweb.res and modified it as follows –
[applprod@clone US]$ cat fmrweb.res | grep "Ctrl+S"
121   : 0 : "F10"         : 36 : "Commit"
[applprod@clone US]$

Decoding above and simplyfing –
121: “F10”
0  : “None”

After reconnecting and clearing web browser cache, we were able to use F10 for saving form changes.


at No comments:

Implications of Autoconfig on RAC setup



About this Document
Background
This document covers overview of SCAN and troubleshooting listener issues. It also covers relation implications of running autoconfig on SCAN listeners.

Intended Audience
This document is primarily meant for database administrators, system administrators, Team Leaders, Technical Managers, etc.

References
SCAN Registration Issue: Services Fail to Register to SCAN Listeners (Doc ID 1448717.1
Bug 12946495: SERVICES FAIL TO REGISTER TO ALL SCAN LISTENERS
12.13 RAC Setup, Why Scan IPs Are Generated Instead of Scan Name In tnsnames.ora (Doc ID 2141287.1)

Assumptions
We are considering ebs environment with minimum base version of database as 11gr2 (11.2.0.1) and onwards.

Understanding SCAN and complications with ebs r12

SCAN was introduced by Oracle starting from 11gr2 and stands for Single Client Access Name. Oracle introduced this new feature in a RAC environment to overcome challenge of changing client-side connection string if there are any changes done on server side. We have set of 3 ips that are resolved by DNS/GNS for end-user connections. SCAN supports Load balancing and Failover, which was earlier handled by pmon process monitoring load on listeners at server side (Server side Load Balancing) and tnsnames.ora (load_balance and failover also known as Client side Load Balancing and failover).

Assuming below architecture

We have a 2 node RAC using set of 2 IPs for EBS environment -
DB Name - ERP_PROD
Instance Name - ERP_PROD1, ERP_PROD2
Listener Names - LISTENER_SCAN1, LISTENER_SCAN2, LISTENER_SCAN3



Troubleshooting Steps

1.         Identifying current SCAN Listener Status and services registered using below –

lsnrctl services LISTENER_SCAN1
(listener has registered both erp_prod1 and erp_prod2 with ready status)
lsnrctl services LISTENER_SCAN2
(listener has registered erp_prod2 only)
lsnrctl services LISTENER_SCAN3
(listener shows no services registered)
  

2.                  Checking parameter REMOTE_LISTENER

This initORA parameter is used to redirect connections from one db node to another. In RAC, this value is typically set to either –
a.  EZCONNECT style string i.e. scan-name:port
b.  REMOTE_LISTENER is set to a tnsnames entry SCAN_LISTENER

3.                  We will check below 2 files-

1.  Tnsnames.ora for SCAN_LISTENER tns-entry.
2.  Sqlnet.ora (our main line of concern will be - NAMES.DIRECTORY_PATH=(EZCONNECT,TNSNAMES))

4.                  Checking last run of Autoconfig-

We will further investigate last run of autoconfig on DB Node. If below files were backed-up before running autoconfig –
1.  Tnsnames.ora
2.  Sqlnet.ora

During startup when parameter remote_listener is read, it will try to figure out value assigned to it by first reading sqlnet.ora. Possible methods in NAMES.DIRECTORY_PATH are read from left to right which is standard Oracle Functionality.
When we have entry like as follows –
NAMES.DIRECTORY_PATH=(TNSNAMES, EZCONNECT))

Tnsnames being read first is given 1st preference because of which tnsname.ora file is read first. If it finds an entry matching “scan-name” given to remote_listener parameter, it will read that entry which may look like as follows after autoconfig –

SCANHOST:1521 =
    (DESCRIPTION=
       (ADDRESS_LIST=
         (ADDRESS=(PROTOCOL=tcp)(HOST=SCANHOST)(PORT=1521))
      )
    )
Whenever pmon will try to perform dynamic service registration, it will search for host name with ‘SCANHOST’ as there is no listener present with that name, it will fail to register instance to scan listeners. SCANHOST resolves 3 unique IP addresses.

Possible Solutions

We have 2 ways to resolve this –

1.                  Prefer EZCONNECT over TNSNAMES(requires DB bounce for pmon/lreg to read changes)-

When we have entry like as follows –
NAMES.DIRECTORY_PATH=(EZCONNECT, TNSNAMES))

EZCONNECT having higher preference than TNSNAMES here, Oracle will resolve SCANHOST with EZCONNECT method. We need to bounce database so that pmon will read these changes again in sqlnet.ora file.

4.                  Using 3 IPs in TNS Entry-

We would have to set 3 Ip addresses as follows in tnsnames.ora.


REMOTE_LISTENERS_SCAN=
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.11.12.13)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.11.12.14)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.11.12.15)(PORT = 1521))
    )

SQL>Alter system set REMOTE_LISTENER='REMOTE_LISTENERS_SCAN' scope=both sid='*';
SQL>Alter system register;


Conclusion

We must Always take backup of below files before running autoconfig to identify impact of autoconfig on the system. For both RAC/Non-RAC environments, if there are issues connecting to database over network, troubleshooting should start with –

1.  Reading listener log,
2.  understanding sqlnet.ora,
3.  connection string being used and its preference in NAMES.DIRECTORY_PATH,
4.  further tracing pmon process during dynamic service registration,
5.  For RAC, checking services properly registered to scan listeners.

Permanent Solution ( requires testing and patch analysis before migrating to production environment)

Found patch Patch 10427234: AUTOCONFIG TO OPTIONALLY GENERATE ADDITIONAL ALIASES FOR SCAN LISTENER.
It further requires below steps to be performed –
1.  Autoconfig after applying patch (apps node)
2.  Execute admkappsutil.pl utility to create the file appsutil.zip
3.  Copy appsutil.zip to db node and unzip under RDBMS_ORACLE_HOME
4.  Autoconfig on db node.


at No comments:
Subscribe to: Posts (Atom)