Repair OID Server Properties Page

You can set and review your Oracle Identity Server settings in the 11g Enterprise Manager console for ODSM by opening the EM console for a server and clicking through to the Identity and Access Server oid1.  Once you’re on the EM page for the Oracle Identity Manager, click on the Oracle Internet Directory drop-down, then select Administration, then Server Properties.  If all is well, you can change things like anonymous binds and the LDAP ports.  When it’s broken, the console will complain about null values that it won’t let you change.

If you encounter that, log into the host as the ODSM binary owner and move into your $ORACLE_INSTANCE/bin directory – the location of your opmnctl executable.

You’ll need to use this syntax, adjusted for your world:

opmnctl updatecomponentregistration
-adminHost hostname
-adminPort weblogic_port
-adminUsername weblogic_admin
-componentType OID
-componentName compName
-Port non-sslport
-Sport sslport

You’ll end up with a giant string that looks something like this:

opmnctl updatecomponentregistration -adminHost <full-qualified hostname> -adminPort 7001 -adminUsername weblogic -componentType OID -componentName oid1 -port 49200 -sport 49201

When it completes it burps out “Command succeeded”.

Restart your Admin Server and OID processes (opmnctl stopall, opmnctl startall) to pick up the change.


Edit ldifwrite output

You can export an LDAP tree for ODSM using the ldifwrite utility with this syntax:

ldifwrite basedn="dc=oracle,dc=com" ldiffile=$HOME/ldifprod.lst connect=orcl verbose=true

 

Careful: Lines that start with a space are concatenated into the line before during ldif import.  Resist the temptation to unwrap those lines to make your file easier for people to read.

For instance, let’s say this appears in your ldifwrite file:

dn: cn=orcla,cn=OracleContext,dc=oracle,dc=com
orclnetdescstring: (DESCRIPTION=(ADDRESS_LIST=(address=(protocol=tcp)(port=152
 1)(host=demohost)))(CONNECT_DATA=(SID=orcla)))
objectclass: orclNetService
objectclass: top
orclnetdescname: 000:cn=DESCRIPTION_0
cn: orcla

The LDAP import tool will concatenate the third line (starting with " 1)(host=") onto the end of the second line during import.

Your formatting help, dear human, will break it.
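
As an added illustration (not part of the original post), the shell functions below unfold LDIF the way an importer does and flag lines that can no longer be parsed once a hand edit strips the leading space from a continuation line. The function names are made up for this example; the sample record is the one shown above.

```sh
#!/bin/sh
# Added example: LDIF line unfolding and a pre-import sanity check.
# Assumes content records such as ldifwrite produces (no change records).

# Join continuation lines: a line that begins with a space is appended to
# the previous line with that single leading space removed.
ldif_unfold() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
               { buf = $0 }
        END    { if (NR > 0) print buf }
    '
}

# Print every logical (unfolded) line that is neither blank, a comment,
# nor of the form "attribute: value", prefixed with its logical line number.
ldif_bad_lines() {
    ldif_unfold | awk '
        /^$/ || /^#/                { next }
        /^[A-Za-z][A-Za-z0-9;.-]*:/ { next }
                                    { print NR ": " $0 }
    '
}

# Print the value of the first occurrence of attribute $1 after unfolding.
ldif_attr_value() {
    ldif_unfold | awk -v want="$1" '
        BEGIN { want = tolower(want) ":" }
        !seen && tolower(substr($0, 1, length(want))) == want {
            v = substr($0, length(want) + 1)
            sub(/^ +/, "", v)
            print v
            seen = 1
        }
    '
}

# The record from the post, folded exactly as ldifwrite wrote it.
sample_folded() {
    printf '%s\n' \
        'dn: cn=orcla,cn=OracleContext,dc=oracle,dc=com' \
        'orclnetdescstring: (DESCRIPTION=(ADDRESS_LIST=(address=(protocol=tcp)(port=152' \
        ' 1)(host=demohost)))(CONNECT_DATA=(SID=orcla)))' \
        'objectclass: orclNetService' \
        'objectclass: top' \
        'orclnetdescname: 000:cn=DESCRIPTION_0' \
        'cn: orcla'
}

# Constructed "tidied" copy: the leading space of line 3 has been removed.
sample_hand_edited() {
    sample_folded | sed 's/^ //'
}

echo "folded:      $(sample_folded | ldif_attr_value orclnetdescstring)"
echo "hand-edited: $(sample_hand_edited | ldif_attr_value orclnetdescstring)"
echo "unparseable logical lines in the hand-edited copy:"
sample_hand_edited | ldif_bad_lines
```

Running ldif_bad_lines over an edited export before import catches a damaged continuation line while the original file is still available to compare against.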

 

 


Configure BI Publisher for OEM 12.1.0.4 Fast!

My biggest complaint about earlier versions of OEM came from the poor integration of BI Publisher with Enterprise Manager.  The Information Publisher said boldly that I/P will be discontinued in favor of BI Publisher.  That sounded pretty serious so I made the effort to install it.

The installation was difficult, the canned reports were mostly worthless, and the OEM and BI Publisher security models were completely separate.  BI Publisher used the WebLogic security model and you were forced to reproduce the relevant user accounts in the WLS Admin Server console.  That can’t be right!

I shared my frustration with the OEM team at Oracle.  Adeesh Fulay and his staff listened and, with the release of 12.1.0.4,  they responded with an integration that’s exceeded my expectations in every way.

Before version 12.1.0.4 the BI Publisher installation was a totally separate installation.  You’d download, patch, and install BI Publisher as if it were an independent module on your WLS. It still is, of course, but with 12.1.0.4 the BI Publisher downloads and installs as part of your EM installation – not as an afterthought or bolt-on.

That was a significant move in the right direction.  BI Publisher is still not configured with the rest of your vanilla EM installation.  I want to show you how simple the configuration is.  You execute the configureBIP script, provide two passwords, and watch it run for a very few minutes.  Honestly, it’s that simple.

oemdemo.edu:oms > configureBIP
 Configuring BI Publisher Version "11.1.1.7.0" to work with Enterprise Manager
 Logging started at /orabase/Middleware/oms/cfgtoollogs/bip/bipca_20140726151829.log.
 Before this command is run, a backup of Enterprise Manager should be performed using the :emctl exportconfig oms: command. Have you made a valid backup of Enterprise Manager (yes/no) [no] ? yes
 Enter sysdba user name (sys):sys
 Enter sysdba user password:
 Enter Administration Server user password:
 Configuring BI Publisher in Oracle Home located in /orabase/Middleware/Oracle_BI1 ...
 Processing command line ....
 Repository Creation Utility - Checking Prerequisites
 Checking Global Prerequisites
 Repository Creation Utility - Checking Prerequisites
 Checking Component Prerequisites
 Repository Creation Utility - Creating Tablespaces
 Validating and Creating Tablespaces
 Repository Creation Utility - Create
 Repository Create in progress.
 Percent Complete: 0
 Percent Complete: 10
 Percent Complete: 30
 Percent Complete: 50
 Percent Complete: 50
 Percent Complete: 100
 Repository Creation Utility: Create - Completion Summary
 Database details:
 Connect Descriptor : (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=oemdemo.edu)(PORT=1521)))(CONNECT_DATA=(SID=suzy)))
 Connected As : sys
 Prefix for (prefixable) Schema Owners : SYSMAN
 RCU Logfile : /orabase/Middleware/oms/cfgtoollogs/bip/emBIPLATFORM.log
 Component schemas created:
 Component Status Logfile
 Business Intelligence Platform Success /orabase/Middleware/oms/cfgtoollogs/bip/biplatform.log
Repository Creation Utility - Create : Operation Completed
 Successfully created SYSMAN_BIPLATFORM schema...
 Enter an integer between 9701 and 49152 for the BI Publisher HTTP server port. (9701):
 Enter an integer between 9702 and 49152 for the BI Publisher HTTPS server port. (9702):
 Extending domain with BI Publisher. This operations can take some time. Do not interrupt this command while it is running...
 Locking Enterprise Manager ...
 OMS Console is locked. Access the console over HTTPS ports.
 Restart OMS.
 Restarting Enterprise Manager ...
 Stopping Enterprise Manager, this can take some time ...
 Starting Enterprise Manager. This operation can take some time. Do not interrupt this command while it is running.
 OMS Started Successfully
 BI Publisher server named :BIP: running at https://oemdemo.edu:9702/xmlpserver.
 Registering BI Publisher with Enterprise Manager and deploying reports...
 Performing automatic backup of Enterprise Manager using the command :emctl exportconfig oms:.
 Successfully backed up Enterprise Manager. The backup file is located in the INSTANCE_HOME sysman backup directory.
 Successfully setup BI Publisher with Enterprise Manager

 


EMCTL Blackout Scripts

The uptime metrics for my group are based on the times OEM has recorded for each target.  Timely blackouts, of course, are essential to keeping the numbers up and (more importantly) preventing Target Down notifications from being sent out.

Initially I’d developed EM CLI scripts to create and remove the blackouts.  That solution was crisp, well-characterized, and scalable with one huge problem:  for convenience the blackout script should execute from the host containing the target, and not all of my hosts have the EM CLI client installed.  The OEM agent is deployable and patchable from your management server, but the EM CLI client is not.

Let’s think about how OEM blackouts work.  When you create a blackout through the console, your management server contacts the EM Agent and tells it to ignore metrics for the target.  The process is identical when you create a blackout with EM CLI  (CLI uses the same code base as the OMS, so this shouldn’t be a surprise).

Fortunately you can also create and stop blackouts using EMCTL.

This solution consists of two shell scripts, one to create and start the blackout and another to stop the blackout when you’re ready.

#!/bin/ksh
#set -x
######################################################################
# File: blackout_database.ksh
# Purpose: Create an ad hoc database system blackout using emctl 
######################################################################
# Variables
# ====================================================================
if [ `uname` = Linux ]; then
   export ECHO="/bin/echo -e"
else
   export ECHO="echo"
fi
if [ -f /opt/oracle/agent12c/agent_inst/bin/emctl ]; then
  EMCTL=/opt/oracle/agent12c/agent_inst/bin/emctl
else
   $ECHO "\nCould not find the emctl utility on this box\n\n"
   exit 1
fi

HOSTNAME=`hostname | cut -d. -f1`
WORKFILE=/tmp/database_blackout_work01.lst
function CleanUpFiles {
[ $WORKFILE ] && rm -f ${WORKFILE}
}
# ====================================================================
# Run-time procedure
# ====================================================================
CleanUpFiles
$ECHO "\n\nThese databases are currently registered with the local OEM agent:\n"
$EMCTL config agent listtargets | grep oracle_database | cut -d, -f1 | sed -e 's/\[//' >${WORKFILE}
echo "Never_mind" >>${WORKFILE}
PS3="Select the database target to blackout for the next four hours > "
select thisSID in `cat ${WORKFILE}`; do
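   # An invalid menu choice leaves thisSID empty; prompt again instead of
   # passing an empty target name to emctl.
   if [ -z "${thisSID}" ]; then
      $ECHO "\nInvalid selection, try again\n"
   elif [ "${thisSID}" = "Never_mind" ]; then
      exit 0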
   else
      $ECHO "\nCreating the blackout for ${thisSID} ...\n" 
      BO_NAME=Blackout_${thisSID}
      $EMCTL start blackout ${BO_NAME} ${thisSID}:oracle_database -d 04:00
      sleep 3
      $ECHO "\nBlackout status:\n" 
      $EMCTL status blackout ${BO_NAME}
      CleanUpFiles
      exit 0
   fi
done

Tasks:

  1. Determine which oracle_database targets are known to the local agent.  Databases that aren’t registered in OEM don’t need a blackout.
  2. Dump that list of databases into a work file and then add an escape option (Never_mind) to be used in the menu that is created next.
  3. Change the prompt temporarily to solicit a selection from the list generated from the work file.  Notice that I arbitrarily assigned a four-hour duration (the -d flag).
  4. Give the blackout a standard name, create it, and then ensure that it’s working.

A run-time example of that script will make those steps easier to visualize:

> blackout_database.ksh
These databases are currently registered with the local OEM agent:
1) orcl2t
2) orcl3k
3) Never_mind
Select the database target to blackout for the next four hours > 1
Creating the blackout for orcl2t ...
Oracle Enterprise Manager Cloud Control 12c Release 3 
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
Blackout Blackout_orcl2t added successfully
EMD reload completed successfully
Blackout status:
Oracle Enterprise Manager Cloud Control 12c Release 3 
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
Blackoutname = Blackout_orcl2t
Targets = (orcl2t:oracle_database,)
Time = ({2014-07-23|15:14:23|240 Min,|} )
Expired = False

The flipside is even less complicated.

#!/bin/ksh
#set -x
######################################################################
# File: stop_database_blackout.ksh
# Purpose: Stop blackouts for a particular database
######################################################################
# Variables
# ====================================================================
if [ `uname` = Linux ]; then
 export ECHO="/bin/echo -e"
else
 export ECHO="echo"
fi
if [ -f /opt/oracle/agent12c/agent_inst/bin/emctl ]; then
 EMCTL=/opt/oracle/agent12c/agent_inst/bin/emctl
else
 $ECHO "\nCould not find the emctl utility on this box\n\n"
 exit 1
fi
HOSTNAME=`hostname | cut -d. -f1`
WORKFILE=/tmp/database_blackout_work01.lst
function CleanUpFiles {
[ $WORKFILE ] && rm -f ${WORKFILE}
}
# ====================================================================
# Run-time procedure
# ====================================================================
CleanUpFiles
$ECHO "\n\nThese databases are currently registered with the local OEM agent:\n"
$EMCTL config agent listtargets | grep oracle_database | cut -d, -f1 | sed -e 's/\[//' >${WORKFILE}
echo "Never_mind" >>${WORKFILE}
PS3="Select the OEM database target to take out of blackout mode > "
select thisSID in `cat ${WORKFILE}`; do
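 # An invalid menu choice leaves thisSID empty; prompt again.
 if [ -z "${thisSID}" ]; then
    $ECHO "\nInvalid selection, try again\n"
 elif [ "${thisSID}" = "Never_mind" ]; then
    exit 0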
 else
    BO_NAME=Blackout_${thisSID}
    $ECHO "\nChecking for OEM blackout ${BO_NAME} ...\n" 
    # -w matches the whole name, so Blackout_orcl2 does not match Blackout_orcl2t
    if [ `$EMCTL status blackout | grep -cw "${BO_NAME}"` -eq 0 ]; then
      $ECHO "There is no OEM blackout named ${BO_NAME}\n\n"
      CleanUpFiles
      exit 0
    else
       $ECHO "\nStopping blackout ${BO_NAME} ..." 
       $EMCTL stop blackout ${BO_NAME} 
       sleep 3
       $ECHO "\nVerifying status of all blackouts on ${HOSTNAME}\n" 
       $EMCTL status blackout
       CleanUpFiles
       exit 0
    fi
  fi 
done

 

Here’s what that one looks like at runtime:

> stop_database_blackout.ksh
These databases are currently registered with the local OEM agent:
1) orcl2t
2) orcl3k
3) Never_mind
Select the OEM database target to take out of blackout mode > 1
Checking for OEM blackout Blackout_orcl2t ...
Stopping blackout Blackout_orcl2t ...
Oracle Enterprise Manager Cloud Control 12c Release 3 
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
Blackout Blackout_orcl2t stopped successfully
EMD reload completed successfully
Verifying status of all blackouts on mydemohost.edu
Oracle Enterprise Manager Cloud Control 12c Release 3 
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
No Blackout registered.

Dang, that’s handy.  Let’s see if we can get those numbers up!

One last thing:  EMCTL is not able to delete blackouts in 12.1.0.3.  You still need to visit the console or run a cleanup through EM CLI.  Perhaps this feature has been added in 12.1.0.4 …
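
An added example, not from the original scripts: the same parsing done without the fixed-name work file in /tmp, matching the target type and the blackout name exactly rather than by substring. The function names are hypothetical, the listtargets sample is constructed (its [name, type] layout is inferred from the cut/sed pipeline above), and the status sample is copied from the run shown earlier.

```sh
#!/bin/sh
# Added example: parse emctl output from a pipe, with exact matches.

# Print the names of targets whose type is exactly oracle_database.
# stdin: output of "emctl config agent listtargets", assumed "[name, type]".
list_db_targets() {
    awk -F', *' '
        /^\[/ {
            name = $1; type = $2
            sub(/^\[/, "", name)
            sub(/\][ \t]*$/, "", type)
            if (type == "oracle_database") print name
        }
    '
}

# Return 0 only if a blackout with exactly the name $1 is listed.
# stdin: output of "emctl status blackout" ("Blackoutname = <name>" lines).
blackout_exists() {
    awk -v want="$1" '
        $1 == "Blackoutname" && $2 == "=" && $3 == want { found = 1 }
        END { exit !found }
    '
}

# Accept only names built from letters, digits, underscore, dot and hyphen
# before they are placed on an emctl command line.
valid_target_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample of listtargets output; the host target whose name
# contains "oracle_database" is there to show why a plain grep is too loose.
sample_listtargets() {
    printf '%s\n' \
        'Oracle Enterprise Manager Cloud Control 12c Release 3' \
        'Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.' \
        '[mydemohost.edu, host]' \
        '[mydemohost.edu:3872, oracle_emd]' \
        '[oracle_database_nfs, host]' \
        '[orcl2t, oracle_database]' \
        '[orcl3k, oracle_database]'
}

# Status output as shown in the run-time example above.
sample_status() {
    printf '%s\n' \
        'Oracle Enterprise Manager Cloud Control 12c Release 3' \
        'Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.' \
        'Blackoutname = Blackout_orcl2t' \
        'Targets = (orcl2t:oracle_database,)' \
        'Time = ({2014-07-23|15:14:23|240 Min,|} )' \
        'Expired = False'
}

# On a real host the samples are replaced by the agent itself, e.g.
#   "$EMCTL" config agent listtargets | list_db_targets
#   "$EMCTL" status blackout | blackout_exists "Blackout_${thisSID}"
echo "database targets:"
sample_listtargets | list_db_targets
if sample_status | blackout_exists Blackout_orcl2t; then
    echo "Blackout_orcl2t is registered"
fi
```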


Opatchauto for OEM Management Servers

The quarterly PSU and any one-off patches are installed with the opatch utility for your management servers.  If your environment consists of a single OMS, executing opatchauto apply will execute all of the tasks required to install the patch on the management server and provide you with SQL to update the repository database.  When you have more than one server, that same command runs an analysis of your environment and generates detailed sequential instructions you must run at the command line.  I’ll share the results of applying the database plugin update to my OMS’s below.  PSU’s follow exactly the same pattern.

First stage is the analysis:

[Jul 15, 2014 7:44:52 AM] Collect Patch Data: In Progress...
[Jul 15, 2014 7:44:53 AM] Collect Patch Data: Completed.
[Jul 15, 2014 7:44:53 AM] Collect Target Data: In Progress...
[Jul 15, 2014 7:44:53 AM] Collect Target Data: Completed.
[Jul 15, 2014 7:44:53 AM] --------------------------------------------------------------------------------------------------------------------------------------------

EM is configured with local OMS instance along with 2 remote OMS instance(s), it is a Multi-OMS environment, and no HA configuration;

The configuration shows only targets and servers that run OMS instance(s).
Local OMS information
Listen address : oramgmt01.demo.edu
Listen port : 7202
Managed server : EMGC_OMS1
Deployed applications : OCMRepeater
emgc
DMS Application
empbs
wsil-wls
wsm-pm

Remote OMS information
Remote OMS 1
Listen address : oramgmt02.demo.edu
Listen port : 7202
Managed server : EMGC_OMS2
Deployed applications : OCMRepeater
emgc
DMS Application
empbs
wsil-wls
wsm-pm
Remote OMS 2
Listen address : oramgmt03.demo.edu
Listen port : 7202
Managed server : EMGC_OMS3
Deployed applications : OCMRepeater
emgc
DMS Application
empbs
wsil-wls
wsm-pm

Repository details
Connect descriptor : (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=em03p-scan)(PORT=1521)))(LOAD_BALANCE=ON)(CONNECT_DATA=(SERVICE_NAME=suzy)))


Core OMS Oracle Home
/orabase/Middleware/oms
List of plugin Oracle Homes
oracle_sysman_xa1 : /orabase/Middleware/plugins/oracle.sysman.xa.oms.plugin_12.1.0.4.0
oracle_sysman_mos1 : /orabase/Middleware/plugins/oracle.sysman.mos.oms.plugin_12.1.0.5.0
netapp_storage_sys1 : /orabase/Middleware/plugins/netapp.storage.sys.oms.plugin_12.1.0.1.0
OraHome11 : /orabase/Middleware/plugins/oracle.sysman.emas.oms.plugin_12.1.0.5.0
OraHome12 : /orabase/Middleware/plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0
OraHome1 : /orabase/Middleware/plugins/bm.vmware.vsph.oms.plugin_12.1.0.8.0
--------------------------------------------------------------------------------------------------------------------------------------------
[Jul 15, 2014 7:44:53 AM] Validate Configuration: In Progress...
[Jul 15, 2014 7:44:53 AM] Checking the status of weblogic admin server for OMS instance domain...
[Jul 15, 2014 7:44:54 AM] State of the weblogic admin server "EMGC_ADMINSERVER" for OMS instance domain is : RUNNING
[Jul 15, 2014 7:44:54 AM] GCDomain AdminServer status check: [PASSED]
[Jul 15, 2014 7:44:54 AM] Checking the status of OMS repository...
[Jul 15, 2014 7:44:54 AM] Status of the OMS repository is : UP
[Jul 15, 2014 7:44:54 AM] OMS repository status check: [PASSED]
[Jul 15, 2014 7:44:54 AM] Checking whether software library is configured....
[Jul 15, 2014 7:44:54 AM] Software library is correctly configured.
[Jul 15, 2014 7:44:54 AM] Checking whether software library is configured....Software library configuration check: [PASSED]
[Jul 15, 2014 7:44:54 AM] Validate Configuration: Completed.
[Jul 15, 2014 7:44:54 AM] Running apply prerequisite checks for patch(es) "18649366" and Oracle Home "/orabase/Middleware/plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0"...
[Jul 15, 2014 7:44:58 AM] Patches "18649366" are successfully analyzed for Oracle Home "/orabase/Middleware/plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0"
[Jul 15, 2014 7:44:58 AM] System patch location: /oramedia/cloud_control/12103_patches/18649366
(Oracle home:sub-patches list to be applied)
/orabase/Middleware/plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0: 18649366
[Jul 15, 2014 7:44:59 AM] Copying all logs to: /orabase/Middleware/oms/cfgtoollogs/opatch/2014-07-15_07-43-36AM_SystemPatch_18649366_1
[Jul 15, 2014 7:44:59 AM] opatchauto has successfully completed all prerequisite checks in 'analyze' mode. For steps to be executed in non-analyze mode, Please refer the below generated HTML (or) text files for details.
[Jul 15, 2014 7:45:00 AM] HTML output: /orabase/Middleware/oms/cfgtoollogs/opatch/2014-07-15_07-43-36AM_SystemPatch_18649366_1/html_output/execution.html
[Jul 15, 2014 7:45:00 AM] Text file output: /orabase/Middleware/oms/cfgtoollogs/opatch/2014-07-15_07-43-36AM_SystemPatch_18649366_1/text_output/execution.txt

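Open execution.html in a browser and open terminal windows for each of your OMS servers. The instructions, as you can see, are explicit about what to run and where to run it. Pay attention to the OMS state as you go: the OMS’s must be down for one part and up for another. Note that the register steps pass the SYSMAN password on the command line with -sysman_pwd, where it is visible in the process list and can end up in your shell history.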

 

 

Installation Instructions for Application of Patch 18649366 on OMS System.

Generated at Tue, 15 Jul 2014 07:44:59 by oracle on host oramgmt01.demo.edu for apply operation using OPlan version 12.1.0.1.3.

There are 29 entities in OMS system.

Overview of the System

Important Note: The following diagrammatically represents the system configuration information collected by Oracle. Oracle recommends that you carefully examine this data and verify that it is complete and correct. If you see any discrepancies between the graphic and your actual system configuration, do not follow the instructions outlined in this document. Instead, follow the patch installation instructions provided in the patch README ..


 

Apply Patch In-Place using OPatch Command in Non-rolling Mode

  • Advantages: Shorter patching time; offers best diagnosability of issues during patching.
  • Disadvantages: Loss of service while patching; greater number of steps; slower recovery from failures
  • Total number of steps required: 27
    • During the full availability of services: 24
    • During the downtime of all services: 3

Important Note:

  • The steps generated below must be run using bash shell.

Summary: Steps for Manual Patch Apply

Detailed Manual Patch Apply Steps

 

Step 1: Patch Pre-Apply Phase (All services will be up)

Step 1.1: Download patch to host

Download patch to host

As the oracle user on the host oramgmt02.demo.edu run the following command:

[oracle@oramgmt02.demo.edu]$

NOTE: If your patch is in shared location for all the OMS instances, Please skip execution of this step.

mkdir -p /media/patches;scp -r oramgmt01.demo.edu:/media/patches/18649366 /media/patches/18649366

Step 1.2: Download patch to host

Download patch to host

As the oracle user on the host oramgmt03.demo.edu run the following command:

[oracle@oramgmt03.demo.edu]$

NOTE: If your patch is in shared location for all the OMS instances, Please skip execution of this step.

mkdir -p /media/patches;scp -r oramgmt01.demo.edu:/media/patches/18649366 /media/patches/18649366

Step 1.3: Patch-Prereqs-Title

Patch-Prereqs-Message

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

/orabase/Middleware/oms/OPatch/opatchauto checkApplicable -ph /media/patches/18649366 -oh /orabase/Middleware/oms -invPtrLoc /orabase/Middleware/oms/oraInst.loc

Step 1.4: Patch-Prereqs-Title

Patch-Prereqs-Message

As the oracle user on the host oramgmt02.demo.edu run the following command:

[oracle@oramgmt02.demo.edu]$

/orabase/Middleware/oms/OPatch/opatchauto checkApplicable -ph /media/patches/18649366 -oh /orabase/Middleware/oms -invPtrLoc /orabase/Middleware/oms/oraInst.loc

Step 1.5: Patch-Prereqs-Title

Patch-Prereqs-Message

As the oracle user on the host oramgmt03.demo.edu run the following command:

[oracle@oramgmt03.demo.edu]$

/orabase/Middleware/oms/OPatch/opatchauto checkApplicable -ph /media/patches/18649366 -oh /orabase/Middleware/oms -invPtrLoc /orabase/Middleware/oms/oraInst.loc

Step 2: Patch Apply Phase (All services will be down)

Step 2.1: Patch Apply Phase on oramgmt01.demo.edu
Step 2.1.1: Apply patch to OracleHome

Apply patch to OracleHome

As the oracle user on the host oramgmt01.demo.edu run the following commands:

[oracle@oramgmt01.demo.edu]$

echo /media/patches/18649366/18649366 >> /orabase/Middleware/oms/.phBaseFile.txt

[oracle@oramgmt01.demo.edu]$

/orabase/Middleware/oms/OPatch/opatch napply -phBaseFile /orabase/Middleware/oms/.phBaseFile.txt -invPtrLoc /orabase/Middleware/oms/oraInst.loc -oh /orabase/Middleware/plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0

[oracle@oramgmt01.demo.edu]$

rm /orabase/Middleware/oms/.phBaseFile.txt

Step 2.2: Patch Apply Phase on oramgmt02.demo.edu
Step 2.2.1: Apply patch to OracleHome

Apply patch to OracleHome

As the oracle user on the host oramgmt02.demo.edu run the following commands:

[oracle@oramgmt02.demo.edu]$

echo /media/patches/18649366/18649366 >> /orabase/Middleware/oms/.phBaseFile.txt

[oracle@oramgmt02.demo.edu]$

/orabase/Middleware/oms/OPatch/opatch napply -phBaseFile /orabase/Middleware/oms/.phBaseFile.txt -invPtrLoc /orabase/Middleware/oms/oraInst.loc -oh /orabase/Middleware/plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0

[oracle@oramgmt02.demo.edu]$

rm /orabase/Middleware/oms/.phBaseFile.txt

Step 2.3: Patch Apply Phase on oramgmt03.demo.edu
Step 2.3.1: Apply patch to OracleHome

Apply patch to OracleHome

As the oracle user on the host oramgmt03.demo.edu run the following commands:

[oracle@oramgmt03.demo.edu]$

echo /media/patches/18649366/18649366 >> /orabase/Middleware/oms/.phBaseFile.txt

[oracle@oramgmt03.demo.edu]$

/orabase/Middleware/oms/OPatch/opatch napply -phBaseFile /orabase/Middleware/oms/.phBaseFile.txt -invPtrLoc /orabase/Middleware/oms/oraInst.loc -oh /orabase/Middleware/plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0

[oracle@oramgmt03.demo.edu]$

rm /orabase/Middleware/oms/.phBaseFile.txt

Step 3: Post Patch Apply Phase (All services will be up)

Step 3.1: Post Patch Apply Phase on oramgmt01.demo.edu
Step 3.1.1: Run emctl applypatch

Run emctl applypatch

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

/orabase/Middleware/oms/bin/emctl applypatch repos -patchHome /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/.patch_storage/18649366_May_14_2014_23_40_18/original_patch -pluginHome /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0

Step 3.1.2: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/CreateDbService.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.3: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/ExportData.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.4: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/provsidb.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.5: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/upgradegi.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.6: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/provprereqs.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.7: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/PatchSADB.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.8: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/RMANRestore.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.9: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/DBThinProv.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.10: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/DNFSProvisioning.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.11: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/downgradegi.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.12: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/DbProvUpgradeDeploymentProcedure.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.13: Run emctl oms register procedures to update MRS

Run emctl oms register procedures to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service procedures -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/procedures/provrac.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.14: Run emctl oms register swlib to update MRS

Run emctl oms register swlib to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service swlib -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/swlib -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.15: Run emctl oms register targetType to update MRS

Run emctl oms register targetType to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service targetType -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/targetType/has.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.16: Run emctl oms register default_collection to update MRS

Run emctl oms register default_collection to update MRS

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

NOTE: Please replace %EM_REPOS_PASSWORD% with credential for OMS repository SYSMAN user.

/orabase/Middleware/oms/bin/emctl register oms metadata -service default_collection -debug -file /orabase/Middleware/oms/../plugins/oracle.sysman.db.oms.plugin_12.1.0.5.0/metadata/default_collection/has.xml -pluginId oracle.sysman.db -sysman_pwd %EM_REPOS_PASSWORD%

Step 3.1.17: Mark patch automation

Mark in Oracle Home inventory that the automation of the system patch is completed

As the oracle user on the host oramgmt01.demo.edu run the following command:

[oracle@oramgmt01.demo.edu]$

/orabase/Middleware/oms/OPatch/opatchauto commit -id 18649366 -oh /orabase/Middleware/oms -invPtrLoc /orabase/Middleware/oms/oraInst.loc

Step 3.2: Post Patch Apply Phase on oramgmt02.demo.edu
Step 3.2.1: Mark patch automation

Mark in Oracle Home inventory that the automation of the system patch is completed

As the oracle user on the host oramgmt02.demo.edu run the following command:

[oracle@oramgmt02.demo.edu]$

/orabase/Middleware/oms/OPatch/opatchauto commit -id 18649366 -oh /orabase/Middleware/oms -invPtrLoc /orabase/Middleware/oms/oraInst.loc

Step 3.3: Post Patch Apply Phase on oramgmt03.demo.edu
Step 3.3.1: Mark patch automation

Mark in Oracle Home inventory that the automation of the system patch is completed

As the oracle user on the host oramgmt03.demo.edu run the following command:

[oracle@oramgmt03.demo.edu]$

/orabase/Middleware/oms/OPatch/opatchauto commit -id 18649366 -oh /orabase/Middleware/oms -invPtrLoc /orabase/Middleware/oms/oraInst.loc

 


Keeping a Tidy Software Library – Saved Patches

As we’ve started using the Life Cycle Management Pack we’ve started to accumulate some baggage in our Software Library.  You can find yours by going to the Saved Patches page under the Patches and Provisioning menu.


 

You can get the same results with emcli search_patches -swlib.  Pipe it through sort -n to display in patch number order. 

> emcli search_patches -swlib | sort -n

You can also dump those results to a csv file for reporting (or blogging) like this:

> emcli search_patches -swlib -format=name:csv | sort -n
Patch Name | Description | Release | Platform | Classification | Product
6880880 | OPatch patch of version 11.1.0.10.1 for Oracle software releases 11.1.0.x (JULY 2013) | Oracle 11.1.0.0.0 | Oracle Solaris on SPARC (64-bit) | General | Universal Installer
6880880 | OPatch patch of version 11.1.0.11.0 for Oracle software releases 11.1.0.x (JUL 2014) | Oracle 11.1.0.0.0 | IBM AIX on POWER Systems (64-bit) | General | Universal Installer
6880880 | OPatch patch of version 11.1.0.11.0 for Oracle software releases 11.1.0.x (JUL 2014) | Oracle 11.1.0.0.0 | Linux x86-64 | General | Universal Installer
6880880 | OPatch patch of version 11.2.0.3.5 for Oracle software releases 11.2.0.x (APRIL 2013) | Oracle 11.2.0.0.0 | IBM: Linux on POWER Systems | General | Universal Installer
6880880 | OPatch patch of version 11.2.0.3.6 for Oracle software releases 11.2.0.x (DEC 2013) | Oracle 11.2.0.0.0 | IBM AIX on POWER Systems (64-bit) | General | Universal Installer
6880880 | OPatch patch of version 11.2.0.3.6 for Oracle software releases 11.2.0.x (DEC 2013) | Oracle 11.2.0.0.0 | Linux x86-64 | General | Universal Installer
6880880 | OPatch patch of version 12.1.0.1.2 for Oracle software releases 12.1.0.x (OCT 2013) | Oracle 12.1.0.1.0 | Linux x86-64 | General | Universal Installer
12426828 | SMARTUPDATE 3.3 INSTALLER PLACEHOLDER | WLS 10.3.5 | Generic Platform | General | Oracle WebLogic Server
16619892 | DATABASE PATCH SET UPDATE 11.2.0.3.7 (INCLUDES CPUJUL2013) | Oracle 11.2.0.3.0 | IBM AIX on POWER Systems (64-bit) | Superseded | Oracle Database Family
16619892 | DATABASE PATCH SET UPDATE 11.2.0.3.7 (INCLUDES CPUJUL2013) | Oracle 11.2.0.3.0 | Linux x86-64 | Superseded | Oracle Database Family
16902043 | DATABASE PATCH SET UPDATE 11.2.0.3.8 (INCLUDES CPUOCT2013) | Oracle 11.2.0.3.0 | IBM AIX on POWER Systems (64-bit) | Security | Oracle Database Family
16902043 | DATABASE PATCH SET UPDATE 11.2.0.3.8 (INCLUDES CPUOCT2013) | Oracle 11.2.0.3.0 | Linux x86-64 | Security | Oracle Database Family
17082366 | DATABASE PATCH SET UPDATE 11.1.0.7.17 (INCLUDES CPUOCT2013) | Oracle 11.1.0.7.0 | IBM AIX on POWER Systems (64-bit) | Security | Oracle Database Family
17272731 | GRID INFRASTRUCTURE PATCH SET UPDATE 11.2.0.3.8 (INCLUDES DB PSU 11.2.0.3.8) | Oracle 11.2.0.3.0 | Linux x86-64 | Security | Oracle Database Family
17506428 | EM-AGENT BUNDLE PATCH 12.1.0.3.3 | Cloud Control (Agent) 12.1.0.3.0 | Generic Platform | General | Enterprise Manager Base Platform
18031668 | DATABASE PATCH SET UPDATE 11.2.0.4.2 (INCLUDES CPUAPR2014) | Oracle 11.2.0.4.0 | Linux x86-64 | Security | Oracle Database Family
18031683 | DATABASE PATCH SET UPDATE 11.2.0.3.10 | Oracle 11.2.0.3.0 | Linux x86-64 | Security | Oracle Database Family
18031726 | DATABASE PATCH SET UPDATE 11.1.0.7.19 (INCLUDES CPUAPR2014) | Oracle 11.1.0.7.0 | IBM AIX on POWER Systems (64-bit) | Security | Oracle Database Family
18039625 | EM DB PLUGIN BUNDLE PATCH 12.1.0.5.2 (AGENT SIDE – DISCOVERY) | DB Plug-In (Agent) 12.1.0.5.0 | Generic Platform | Recommended | Enterprise Manager for Oracle Database
18139678 | GRID INFRASTRUCTURE PATCH SET UPDATE 11.2.0.3.10 (INCLUDES DB PSU 11.2.0.3.10) | Oracle 11.2.0.3.0 | Linux x86-64 | Security | Oracle Database Family
18139695 | DATABASE SECURITY PATCH UPDATE 11.2.0.3.0 (CPUAPR2014) | Oracle 11.2.0.3.0 | Linux x86-64 | Security | Oracle Database Family
18294467 | EM-AGENT BUNDLE PATCH 12.1.0.3.8 | Cloud Control (Agent) 12.1.0.3.0 | Generic Platform | Recommended | Enterprise Manager Base Platform
18356442 | EM DB PLUGIN BUNDLE PATCH 12.1.0.5.4 (AGENT MONITORING) | DB Plug-In (Agent) 12.1.0.5.0 | Generic Platform | Recommended | Enterprise Manager for Oracle Database
18522513 | DATABASE PATCH SET UPDATE 11.1.0.7.20 (INCLUDES CPUJUL2014) | Oracle 11.1.0.7.0 | Linux x86-64 | Security | Oracle Database Family
18649366 | EM DB PLUGIN BUNDLE PATCH 12.1.0.5.6 | DB Plug-In (OMS) 12.1.0.5.0 | Generic Platform | General | Enterprise Manager for Oracle Database
18649402 | EM-AGENT BUNDLE PATCH 12.1.0.3.10 | Cloud Control (Agent) 12.1.0.3.0 | Generic Platform | General | Enterprise Manager Base Platform
18706472 | GRID INFRASTRUCTURE SYSTEM PATCH 11.2.0.4.3 | Oracle 11.2.0.4.0 | Linux x86-64 | Security | Oracle Database Family
18706488 | GRID INFRASTRUCTURE PATCH SET UPDATE 11.2.0.3.11 (INCLUDES DB PSU 11.2.0.3.11) | Oracle 11.2.0.3.0 | Linux x86-64 | Security | Oracle Database Family
18708140 | EM DB PLUGIN BUNDLE PATCH 12.1.0.5.6 (AGENT SIDE) | DB Plug-In (Agent) 12.1.0.5.0 | Generic Platform | General | Enterprise Manager for Oracle Database

Then, if you are adventurous (I am not), you can remove a patch from the Software Library with the emcli delete_patches verb.  After several minutes of copying and pasting fields from search_patches results for the required values -patch_name, -release, and -platform into the delete_patches command, I wasn’t able to get it to work.

The GUI works great.  

  • On the Saved Patches page, select the patch you want to remove
  • Press the Big Red X and confirm your choice
  • Be careful not to click on the Patch Name hyperlink — click anywhere else on that line to select the patch and also to activate the Big Red X.

 

 

 

 


Evaluating Quarterly Risk Matrices

Oracle provides risk matrices for all of its products with the quarterly Patch Set Update (PSU). This article provides some guidance about how the Database Risk Matrix can be interpreted, but the interpretation and implementation decisions rest with the Oracle professional and their corporate security staff.

Each Database Risk Matrix lists specific risk vectors treated in the current patchset. Analysis of the Risk Matrix for your environment should be based on the potential impact of those risk vectors on your systems.

Risk Exploits

Risk exploits are discovered from a variety of sources: Oracle employees, users, security specialist firms, and hackers themselves. Exploits are posted to public websites as they are discovered.

The Database Risk Matrix lists each exploit with scores assigned on several risk vectors to help you evaluate the risk in your environment as illustrated in Figure 1. 

Link to the Jul2014PSU page:

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

 

[Figure 1: Risk Matrix illustration]

Risk Matrix Elements

Each risk is defined and scored using industry standard evaluation criteria and posted to the Risk Matrix and associated Notes.

CVE#

Common Vulnerabilities and Exposures (CVE) numbers are assigned and cataloged on the CVE site as: “International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.”

The Oracle Risk Matrices reference all exploits by CVE reference number, which acts as a starting point for your analysis. Each vulnerability is registered with the National Vulnerability Database as it is discovered. This publicly available database is online at http://nvd.nist.gov.

Component and Protocol

The impacted Oracle component and the affected protocol are listed next. This combination can be used to quickly determine whether the risk applies to your environment. For instance, risks listed through vulnerabilities in the RDBMS Parallel Query option can be ignored if you don’t use it in your environment. You can also use these two columns to target patching when the opposite situation exists (a decision to patch only databases with the parallel query option, for example).

Package and/or Privilege Required

This column can define limits of a potential exploit. Exploits requiring advanced privileges (DBA role or SELECT ANY OBJECT, for instance) can be offset by managing and monitoring the privilege directly. Exploits requiring simple or no privileges pose the broadest risk.

Remote Exploit without Authorization

Yes, this category of threat is as dangerous as it sounds. Typical database security protects your environment to a large extent when authorization is required to exploit the vulnerability. A ‘No’ in this column indicates that anyone with network access can hack your database.

CVSS Version 2.0 Risks

The Common Vulnerability Scoring System (CVSS) was developed and is supported by network and hardware vendors to provide a consistent objective tool for risk evaluation. Scores range from 0 to 10, with 10 being the most dangerous. CVSS scores are biased toward protecting root access, so risks posing the greatest threat to root functionality score highest. Databases generally provide protection against root-level attacks so CVSS Base Scores for Oracle databases generally receive mid- to low-level scores. Do not rely solely on the Base Score to determine your patching strategy.

Elements in the CVSS section can be grouped into technical and impact values.

Technical Risk Elements – Access Vector, Complexity, and Authentication

Access Vector

Threats are generally exercised through network connections or may be exploited locally, either on the server or from within the database.

Access Complexity

The complexity of the threat may have a direct bearing on the urgency you associate with a particular threat. There is an active publishing movement on the web sharing details of new exploits as they are invented. Since many attacks originate inside an organization’s firewall, ‘Low’ access complexity hacks may pose a greater risk than ‘High’ complexity threats in many organizations.

Authentication

Security at each level of your infrastructure is designed to prevent attacks by requiring authentication to enter the network, log into a server, and access a database. This risk aspect gauges the likely effectiveness of authentication.

Impact Values – Confidentiality, Integrity, Availability

All three of these elements provide insight into the potential effect on the confidentiality of your data, the integrity of the data or the hacker’s ability to change it, and system availability. Each element is rated None, Partial, or Complete. Oracle’s definitions in Appendix 1 provide more detail and explanation of these scores.

Supported Versions Affected

Supported database releases affected by each threat and resolved by the patchset are listed in this column.

Notes

References to off-matrix Notes are made in the last column.

 

A Model for Analysis

In my environment we gather all the information in a spreadsheet consisting of a separate block for each line of the Database Risk Matrix for each Critical Patch Update. The spreadsheet provides documentation of the analysis and recommendations forming the patch strategy.

[Figure 2: analysis spreadsheet block for one Risk Matrix line]

Step 1 – Paste the Risk Matrix
Pasting the actual line from the risk matrix into the spreadsheet provides a consistent, convenient reference for analysis.

Step 2 – Gather References
Each CVE reference has a corresponding page on the National Vulnerability Database website. For example, the CVE# for this illustration is referenced in the URL below:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3137

We copy the vague description from the NVD website onto the spreadsheet so we have a description of the threat on file. A Google search for ‘CVE-2012-3137’ yielded 37,600 links as this article was drafted, so much more information is available online.

We also paste the Risk Matrix Notes into this block.

Step 3 – Perform the Analysis and Perform Research
Sometimes the easiest way is to start at the outside columns and work your way in.
• Do you use the component named?
• Is the specific protocol used in your environment? Threats are often isolated to specific licensed and advanced options.
• Do your applications utilize the package or grant the privilege listed?
• Are you running any of the database versions listed?
• Do any of the notes relate to your environment or affect your evaluation of the risk?

If the risk pertains to your environment, evaluate the Technical Aspects of the risk.
• How difficult does it appear to make the attack in your environment?
• Does it apply to authenticated users or the general public?
Finally, determine the criticality of the risk by evaluating the potential impact on your data and decide how much additional information you need to make your recommendation.

Step 4 – Summarize your Analysis
Your answers to the analysis above should be documented in the Analysis section of the spreadsheet. List any open items that require further consideration.

Step 5 – Make a Recommendation
Your evaluation of the quarterly security patch could form the basis of your patching solution or it may be used for documentation for system security audits. Your judgement is the most important factor because you know your environment better than anyone else.

Maintaining a Secure Environment

The analysis in this article covered the quarterly threat evaluation process. Remember, as you perform your analysis, all CPU/PSU patchsets are cumulative. Many companies do not apply each quarterly patch. As a result, threats for each new patchset should be evaluated in addition to ‘open’ risk exploits that were left unpatched from earlier CPUs.

Finally, apply the latest CPU/PSU any time you upgrade a database or install fresh binaries. New bugs are discovered daily and you should assume that any installation binaries will contain bugs. Take the time to run opatch.

 

Appendix 1

Source: MOS Note 394487.1 “Use of Common Vulnerability Scoring System (CVSS) by Oracle”

Interpretation Of ‘Complete’
CVSS rates Confidentiality, Integrity and Availability impacts as None, Partial or Complete. The definition of Complete is defined in terms of the impact to the “system”. Oracle products run on an operating system, so the system can be considered to be:
• Just the Oracle software running on a machine; or
• All software running on the machine.
The former interpretation makes sense in environments where the only important information is maintained by Oracle software. For example, a machine installed with Oracle software and a minimal operating system whose only purpose is to run that software. A vulnerability that leads to operating system super-user privileges provides little benefit over a vulnerability that leads to super-user privileges for just the Oracle software.
The latter interpretation makes sense for scenarios in which Oracle software is not the only application on a machine. In this scenario, a vulnerability that leads to operating system super-user privileges compromises all applications. A vulnerability that leads to super-user privileges for just the Oracle software is less severe.
A sampling of CVSS ratings for vulnerabilities on NIST’s NVD web site reveals that different interpretations of Complete are being used, but that the latter is more common. Oracle has adopted the latter interpretation to be consistent with the general use of CVSS.

Addition Of Partial+ Rating
Oracle provides additional information on Partial ratings as follows:
• Partial, which maps to the Limited value used in CPUs prior to the adoption of CVSS; and
• Partial+, which maps to the Wide value used in CPUs prior to the adoption of CVSS.
The definitions of Limited and Wide used in Critical Patch Updates before the adoption of CVSS are:
• Limited – The exploit affects a limited range of resources, e.g. a specific database table.
• Wide – The exploit affects a wide range of resources, e.g. all database tables.
We will use these definitions as a starting point for Partial and Partial+. We are not changing the CVSS base metric scoring system. However, customers have all the required information to recalculate the CVSS score with Partial+ ratings changed to Complete, if that is more appropriate for their environment. Customers who do not wish to deal with this level of complexity can simply treat Partial+ as Partial.
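The recalculation described above, worked through as an added example (not code from Oracle or from this article). It uses the CVSS version 2.0 base equations and weights from the FIRST guide; writing a risk matrix line as a single vector string with `P+` for Partial+ is an assumption made here for convenience, and the sample vectors are constructed.

```python
# CVSS v2 base-score weights from the FIRST CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:S/C:P+/I:P+/A:P+' into a dict of metric -> value."""
    metrics = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in REQUIRED or name in metrics:
            raise ValueError(f"bad or duplicate metric: {part!r}")
        metrics[name] = value
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError(f"missing metrics: {', '.join(missing)}")
    return metrics


def impact_weight(value, partial_plus_as_complete):
    """Map None/Partial/Partial+/Complete to the CVSS v2 impact weight.

    'P+' is Oracle's Partial+ annotation (assumed spelling); CVSS itself
    scores it as Partial unless the caller asks for Complete.
    """
    if value == "P+":
        value = "C" if partial_plus_as_complete else "P"
    if value not in IMPACT:
        raise ValueError(f"unknown impact value: {value!r}")
    return IMPACT[value]


def base_score(vector, partial_plus_as_complete=False):
    """CVSS v2 base score, rounded to one decimal place."""
    m = parse_vector(vector)
    try:
        exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                          * ACCESS_COMPLEXITY[m["AC"]]
                          * AUTHENTICATION[m["Au"]])
    except KeyError as exc:
        raise ValueError(f"unknown metric value: {exc}") from None
    c, i, a = (impact_weight(m[k], partial_plus_as_complete)
               for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def compare(vector):
    """Return (score as published, score with Partial+ treated as Complete)."""
    return base_score(vector), base_score(vector, partial_plus_as_complete=True)


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any Oracle risk matrix.
    for v in ("AV:N/AC:L/Au:S/C:P+/I:P+/A:P+",
              "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "AV:L/AC:H/Au:S/C:P+/I:N/A:N"):
        published, recalculated = compare(v)
        print(f"{v:32} published={published:<4} Partial+ as Complete={recalculated}")
```

For the first constructed vector the score moves from 6.5 to 9.0, which is the kind of gap that can change where a patch lands in your schedule when the database holds the only data that matters on the host.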

 

References

Common Vulnerability Scoring System standards guide on the Forum of Incident Response and Security Teams (FIRST)
  http://www.first.org/cvss/cvss-guide.html (latest version of standard)
  http://www.first.org/cvss/v1/guide.html (CVSS version 1.0)
National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD)
  http://nvd.nist.gov/
CVSS Calculator on NIST NVD web site
  http://nvd.nist.gov/cvss.cfm?calculator&version=2 (CVSS version 2.0)
  http://nvd.nist.gov/cvss.cfm?calculator (CVSS version 1.0)

 

 

 
