Re: OPS Sequences: nocache == order ??
1) I think that the tpc numbers are done represented in Transactons Per Minute (TPM/C) and not Per second. So event with 50 tpm/c it means around 8000 tps. 2) Inserting 13000 rows with direct I/O doesn't mean you did 13000 transactions. It could be one transaction 3) I have seen the theoretical limit, but if I recall correctly it was the number of SCN numbers that was generated. That way they can calculate how long it takes before the SCN number will wrap (it is only 48 bits). That is way in the future. Anjo. On Saturday 07 September 2002 04:08, you wrote: One of our accelerator control system developers, an Oracle neophyte, claims to have achieved 13,000 tps writing to a RAID 5 array. I did set up the database, but most of the credit goes to him for exploring the OCI direct I/O options. I have no verified the rate, but I have no reason whatsoever to doubt him. This is on older four processor sun box. We've now traded in the lone a-1000 ,attached two T3's, and turned on archive logging. I had him retest and he said it was quicker than before . It's still RAID 5. If you are wondering why RAID 5, we have another little 659.9 Terabyte database and thousands of machines in compute farms to process the associated data. That project has first choice, and the rest of us make do with what's left. I too am curious where this theoretical limit of 16384 comes from. Theoretical as it no matter what hardware one chose this limit could not be surpassed? Ian MacGregor Stanford Linear Accelerator Center [EMAIL PROTECTED] -Original Message- Sent: Friday, September 06, 2002 4:38 PM To: Multiple recipients of list ORACLE-L On Wednesday 04 September 2002 09:53, Tim Gorman wrote: Thinking more about it last night... Since Oracle's theoretical limit is 16384 commits per second, I imagine that you could safely make the sequence recycle at (or 16384 or 9) and limit the number of digits contributed by the sequence to 4-5... Really? What have they done in the past to get those astronomical TPS numbers on some of their bencmarks? I'm pretty sure they were in excess of that number. IIRC, they were done on an nCube using OPS and about 400 CPUs. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS Sequences: nocache == order ??
Ok,
It is saturday morning (brain is working at half power), I have looked at this
function and at the original requirement and see a problem (may be 2).
1) The time of the multiple instances needs to be in sync with each other. If
not, it could be that the 2nd instance has an earlier time and insert a
record with a lower number after an insert of a higher number. So the real
order is lost (that was a requirement).
2) Given the fact that the sequence numbers may be cached, even when the
time is in sync, depending on the cached sequence numbers you could still
end up with one instance inserting a number with a higher sequence number
before the other instance with a lower sequence number in the same time
(at seconds level).
So if the requirements aren't so strict, why not drop the 'no order' and bump
the cache ?
Again, I may have missed something.
Anjo.
On Wednesday 04 September 2002 08:28, you wrote:
Mladen,
Is there any way to have developers/users access the sequence via a
function, instead of accessing the sequence directly?
If so, then perhaps you could modify the sequence to add the temporal
component, while maintaining the use of a cached sequence for uniqueness?
Such as: SQL create or replace function gen_seqq(in_seq in number)
2 return number
3 as
4 v_return_nbr number;
5 begin
6 select
to_number(to_char(sysdate,'MMDDHH24MISS')||ltrim(to_char(in_seq,'00
00'))) 7 into v_return_nbr
8 from dual;
9 return v_return_nbr;
10* end gen_seqq;
SQL /
Function created.
SQL create table x (y number);
Table created.
SQL create sequence xq;
Sequence created.
SQL insert into x values (gen_seqq(xq.nextval));
1 row created.
SQL
Big and ugly numbers yes, but I think some folks get a strange thrill out
of 20-digit numbers.
It fits the requirement of being temporal (to the second, at least) and
unique. You can throw in HSECS from V$TIMER if someone gets picky enough
to want to go to the centi-second level as well. Yeah, and you can throw
in USERENV('INSTANCEID') too, just for some real OPS/RAC-ness! Best of
all, it fits the DBA-half of your brain by being fully cacheable and
non-pinging...
...of course, you can embed the use of the SEQUENCE object inside the
function; I left it on the outside in this example just to make it more
flexible with regard to which sequence object it uses...
If they don't like the idea of using a stored function to get the sequence
number, then tell 'em that it's more ANSI standard that way and it's
database independent. That gets 'em every time...
Hope this helps...
-Tim
- Original Message -
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, September 03, 2002 5:54 PM
Unfortunately, we have an application dependency and I was required
to come up with a quick dirty fix. Thanks for your reply.
On 2002.09.03 19:10 Anjo Kolk wrote:
If you run OPS and specify order, it works like no cache.
My question to you: Why cripple OPS and your business performance by
having this requirement ? Spending a few bucks to get rid of this
dependency will improve the performance, until you run in to the next
problem ;-)
Anjo.
On Wednesday 04 September 2002 00:00, you wrote:
I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS
8.1.7.1)
and I'm having an application dependency on a temporal order of
sequence numbers.
With OPS that becomes a problem because each node caches a set of
sequence numbers
(20 by default). Oracle has an option, specifically for that
situation, namely ORDER.
My question is whether ORDER is the same thing as NOCACHE and whether
it is possible
to have a NOCACHE sequence which will return numbers in an incorrect
order (larger number
before the smaller one).
Please, o OPS gods and godesses, help me out and I'll sacrifice you a
beer when I see you.
Mladen Gogala
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Anjo Kolk
INET: [EMAIL PROTECTED]
Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051
San Diego, California-- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Mladen Gogala
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Mladen Gogala
INET: [EMAIL PROTECTED]
Fat City Network Services-- (858) 538-5051 FAX: (858)
RE: OPS Sequences: nocache == order ??
As I said I didn't verify his figures nor confirm he understands what constitutes a transaction. I'll endeavor to do so. The system collects data from monitors measuring the health of various test accelerator equipment. The telemetry is buffered before being inserted so that multiple readings could be pushed to the database as a single transaction which buoys Anjo's thought that 13,000 rows per second are being inserted not 13,000 tps. Ian MacGregor Stanford Linear Accelerator Center [EMAIL PROTECTED] -Original Message- Sent: Saturday, September 07, 2002 1:13 AM To: Multiple recipients of list ORACLE-L 1) I think that the tpc numbers are done represented in Transactons Per Minute (TPM/C) and not Per second. So event with 50 tpm/c it means around 8000 tps. 2) Inserting 13000 rows with direct I/O doesn't mean you did 13000 transactions. It could be one transaction 3) I have seen the theoretical limit, but if I recall correctly it was the number of SCN numbers that was generated. That way they can calculate how long it takes before the SCN number will wrap (it is only 48 bits). That is way in the future. Anjo. On Saturday 07 September 2002 04:08, you wrote: One of our accelerator control system developers, an Oracle neophyte, claims to have achieved 13,000 tps writing to a RAID 5 array. I did set up the database, but most of the credit goes to him for exploring the OCI direct I/O options. I have no verified the rate, but I have no reason whatsoever to doubt him. This is on older four processor sun box. We've now traded in the lone a-1000 ,attached two T3's, and turned on archive logging. I had him retest and he said it was quicker than before . It's still RAID 5. If you are wondering why RAID 5, we have another little 659.9 Terabyte database and thousands of machines in compute farms to process the associated data. That project has first choice, and the rest of us make do with what's left. I too am curious where this theoretical limit of 16384 comes from. Theoretical as it no matter what hardware one chose this limit could not be surpassed? Ian MacGregor Stanford Linear Accelerator Center [EMAIL PROTECTED] -Original Message- Sent: Friday, September 06, 2002 4:38 PM To: Multiple recipients of list ORACLE-L On Wednesday 04 September 2002 09:53, Tim Gorman wrote: Thinking more about it last night... Since Oracle's theoretical limit is 16384 commits per second, I imagine that you could safely make the sequence recycle at (or 16384 or 9) and limit the number of digits contributed by the sequence to 4-5... Really? What have they done in the past to get those astronomical TPS numbers on some of their bencmarks? I'm pretty sure they were in excess of that number. IIRC, they were done on an nCube using OPS and about 400 CPUs. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: MacGregor, Ian A. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS Sequences: nocache == order ??
On Wednesday 04 September 2002 09:53, Tim Gorman wrote: Thinking more about it last night... Since Oracle's theoretical limit is 16384 commits per second, I imagine that you could safely make the sequence recycle at (or 16384 or 9) and limit the number of digits contributed by the sequence to 4-5... Really? What have they done in the past to get those astronomical TPS numbers on some of their bencmarks? I'm pretty sure they were in excess of that number. IIRC, they were done on an nCube using OPS and about 400 CPUs. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS Sequences: nocache == order ??
One of our accelerator control system developers, an Oracle neophyte, claims to have achieved 13,000 tps writing to a RAID 5 array. I did set up the database, but most of the credit goes to him for exploring the OCI direct I/O options. I have no verified the rate, but I have no reason whatsoever to doubt him. This is on older four processor sun box. We've now traded in the lone a-1000 ,attached two T3's, and turned on archive logging. I had him retest and he said it was quicker than before . It's still RAID 5. If you are wondering why RAID 5, we have another little 659.9 Terabyte database and thousands of machines in compute farms to process the associated data. That project has first choice, and the rest of us make do with what's left. I too am curious where this theoretical limit of 16384 comes from. Theoretical as it no matter what hardware one chose this limit could not be surpassed? Ian MacGregor Stanford Linear Accelerator Center [EMAIL PROTECTED] -Original Message- Sent: Friday, September 06, 2002 4:38 PM To: Multiple recipients of list ORACLE-L On Wednesday 04 September 2002 09:53, Tim Gorman wrote: Thinking more about it last night... Since Oracle's theoretical limit is 16384 commits per second, I imagine that you could safely make the sequence recycle at (or 16384 or 9) and limit the number of digits contributed by the sequence to 4-5... Really? What have they done in the past to get those astronomical TPS numbers on some of their bencmarks? I'm pretty sure they were in excess of that number. IIRC, they were done on an nCube using OPS and about 400 CPUs. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: MacGregor, Ian A. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS Sequences: nocache == order ??
A day late and a dollar short but here's my $.02 Order will give you the temporal sequencing. Nocache should but it's not certain. Cached numbers are stored in the SYSTEM tablespace and can be retrieved in an atemporal order. I can't give you any specifics, but that's what Oracle says. Nocached numbers are generated at call time but that doesn't mean that they'll be stored in the database in temporal order. Order means that the number will be generated and stored in temporal order. As you can guess, this slows things up a bit. You will almost certainly see an increase in locking with ordered sequences. It can also happen with nocache. We recently went through an exercise of looking at every sequence in our database, about 400 altogether, to see if they needed to be ordered and cached. None of them needed to be ordered. Your requirement is unusual. If the sequence was being hit once an hour or so we decided to nocache it (save churning the SYSTEM tablespace). But our defaults are cache and noorder. HTH Gogala, Mladen To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] MGogala cc: @oxhp.com Subject: OPS Sequences: nocache == order ?? Sent by: root 09/03/2002 06:00 PM Please respond to ORACLE-L I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS 8.1.7.1) and I'm having an application dependency on a temporal order of sequence numbers. With OPS that becomes a problem because each node caches a set of sequence numbers (20 by default). Oracle has an option, specifically for that situation, namely ORDER. My question is whether ORDER is the same thing as NOCACHE and whether it is possible to have a NOCACHE sequence which will return numbers in an incorrect order (larger number before the smaller one). Please, o OPS gods and godesses, help me out and I'll sacrifice you a beer when I see you. Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Thomas Day INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS Sequences: nocache == order ??
Neat
idea. Thanks!
-Original Message-From: Tim Gorman
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 04, 2002 2:28
AMTo: Multiple recipients of list ORACLE-LSubject: Re:
OPS Sequences: nocache == order ??
Mladen,
Is there any way to have developers/users access
the sequence via a function, instead of accessing the sequence
directly?
If so, then perhaps you could modify the sequence
to addthe temporal component, while maintaining the use of a cached
sequence for uniqueness? Such as:
SQL create or replace function
gen_seqq(in_seq in number)
2return number 3
as 4 v_return_nbr number;
5 begin 6
selectto_number(to_char(sysdate,'MMDDHH24MISS')||ltrim(to_char(in_seq,'')))
7
intov_return_nbr
8 from dual;
9 return
v_return_nbr;10* end gen_seqq;SQL /
Function created.
SQL create table x (y
number);
Table created.
SQL create sequence xq;
Sequence created.
SQL insert into x values
(gen_seqq(xq.nextval));
1 row created.
SQL
Big and ugly numbers yes, but I think some folks
get a strange thrill out of 20-digit numbers.
It fits the requirement of being temporal (to the
second, at least) and unique. You can throw in HSECS from V$TIMER if
someone gets picky enough to want to go to the centi-second level as
well. Yeah, and you can throw in USERENV('INSTANCEID') too, just for
some real OPS/RAC-ness! Best of all, it fits the DBA-half of your brain
by being fully cacheable and non-pinging...
...of course, you can embed the use of the
SEQUENCE object inside the function; I left it on the "outside" in this
example just to make it more flexible with regard to which sequence object it
uses...
If they don't like the idea of using a stored
function to get the sequence number, then tell 'em that "it's more ANSI
standard that way" and it's "database independent". That gets 'em every
time...
Hope this helps...
-Tim
- Original Message -
From: "Mladen Gogala" [EMAIL PROTECTED]
To: "Multiple recipients of list ORACLE-L"
[EMAIL PROTECTED]
Sent: Tuesday, September 03, 2002 5:54
PM
Subject: Re: OPS Sequences: nocache == order
??
Unfortunately, we have an application dependency and I was
required to come up with a quick dirty fix. Thanks for your
reply. On 2002.09.03 19:10 Anjo Kolk wrote:
If you run OPS and specify order, it works like no cache.
My question to you: "Why cripple OPS and your
business performance by having this requirement ?" Spending a
few bucks to get rid of this dependency will improve the
performance, until you run in to the next problem ;-)
Anjo.
On Wednesday 04 September 2002 00:00, you wrote:
I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 ,
RDBMS 8.1.7.1) and I'm having an
application dependency on a temporal order of sequence
numbers. With OPS that becomes a problem because each node
caches a set of sequence numbers (20 by
default). Oracle has an option, specifically for that situation,
namely "ORDER". My question is whether ORDER is the
same thing as NOCACHE and whether it is possible
to have a NOCACHE sequence which will return numbers in an incorrect
order (larger number before the smaller
one). Please, o OPS gods and godesses, help me out and I'll
sacrifice you a beer when I see you.
Mladen Gogala -- Please
see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858)
538-5051 FAX: (858) 538-5051 San Diego,
California -- Public Internet access
/ Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT
spelling of 'ListGuru') and in the message BODY, include a line
containing: UNSUB ORACLE-L (or the name of mailing list you want
to be removed from). You may also send the HELP command for
other information (like subscribing).--
Mladen Gogala -- Please see the official ORACLE-L
FAQ: http://www.orafaq.com --
Author: Mladen Gogala INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051
FAX: (858) 538-5051 San Diego,
California -- Public Internet access
/ Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message to:
[EMAIL PROTECTED] (note EXACT
spelling of 'ListGuru') and in the message BODY, include a line
containing: UNSUB ORACLE-L (or the name of mailing list you want to be
removed from). You may also send the HELP command for other
information (like subscribing).
Re: OPS Sequences: nocache == order ??
Thinking more about it last night...
Since Oracle's theoretical limit is 16384 commits
per second, I imagine that you could safely make the sequence recycle at
(or 16384 or 9)and limit the number of digits contributed by the
sequence to4-5...
Also, you can get rid of the "wasteful" query on
DUAL by including either X$DUAL (referencing previous ORACLE-L threads
onDUAL vs X$DUALplus good related stuff on http://www.optimaldba.com) or just use
centi-second info from V$TIMER instead of X$DUAL. Either way makes for
zero logical reads and (most importantly) zero physical reads thus zero
pings...
- Original Message -
From:
Gogala, Mladen
To: Multiple recipients of list ORACLE-L
Sent: Wednesday, September 04, 2002 9:03
AM
Subject: RE: OPS Sequences: nocache ==
order ??
Neat
idea. Thanks!
-Original Message-From: Tim Gorman
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 04, 2002
2:28 AMTo: Multiple recipients of list
ORACLE-LSubject: Re: OPS Sequences: nocache == order
??
Mladen,
Is there any way to have developers/users
access the sequence via a function, instead of accessing the sequence
directly?
If so, then perhaps you could modify the
sequence to addthe temporal component, while maintaining the use of a
cached sequence for uniqueness? Such as:
SQL create or replace function
gen_seqq(in_seq in number)
2return number 3
as 4 v_return_nbr
number; 5 begin 6
selectto_number(to_char(sysdate,'MMDDHH24MISS')||ltrim(to_char(in_seq,'')))
7
intov_return_nbr
8 from
dual; 9 return
v_return_nbr;10* end gen_seqq;SQL /
Function created.
SQL create table x (y
number);
Table created.
SQL create sequence xq;
Sequence created.
SQL insert into x values
(gen_seqq(xq.nextval));
1 row created.
SQL
Big and ugly numbers yes, but I think some
folks get a strange thrill out of 20-digit numbers.
It fits the requirement of being temporal (to
the second, at least) and unique. You can throw in HSECS from V$TIMER
if someone gets picky enough to want to go to the centi-second level as
well. Yeah, and you can throw in USERENV('INSTANCEID') too, just for
some real OPS/RAC-ness! Best of all, it fits the DBA-half of your
brain by being fully cacheable and non-pinging...
...of course, you can embed the use of the
SEQUENCE object inside the function; I left it on the "outside" in
this example just to make it more flexible with regard to which sequence
object it uses...
If they don't like the idea of using a stored
function to get the sequence number, then tell 'em that "it's more ANSI
standard that way" and it's "database independent". That gets 'em
every time...
Hope this helps...
-Tim
- Original Message -
From: "Mladen Gogala" [EMAIL PROTECTED]
To: "Multiple recipients of list ORACLE-L"
[EMAIL PROTECTED]
Sent: Tuesday, September 03, 2002 5:54
PM
Subject: Re: OPS Sequences: nocache == order
??
Unfortunately, we have an application dependency and I was
required to come up with a quick dirty fix. Thanks for your
reply. On 2002.09.03 19:10 Anjo Kolk
wrote:If you run OPS and specify order, it works
like no cache. My question to you: "Why cripple
OPS and your business performance by having this requirement
?" Spending a few bucks to get rid of this dependency will
improve the performance, until you run in to the next problem ;-)
Anjo.
On Wednesday 04 September 2002 00:00, you
wrote: I'm managing an OPS configuration (4x HP 9000/N,
HP-UX 11/64 , RDBMS 8.1.7.1) and I'm
having an application dependency on a temporal order of sequence
numbers. With OPS that becomes a problem because
each node caches a set of sequence numbers
(20 by default). Oracle has an option, specifically for that
situation, namely "ORDER". My question
is whether ORDER is the same thing as NOCACHE and whether it is
possible to have a NOCACHE sequence which will return
numbers in an incorrect order (larger number
before the smaller one). Please, o OPS gods and
godesses, help me out and I'll sacrifice you a beer when I
see you. Mladen Gogala
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- Author: Anjo Kolk INET: [EMAIL PROTECTED]
Fat City Network Services -- (858)
538-5051 FAX: (858) 538-5051 San Diego,
California -- Public Internet
access / Mailing Lists
RE: OPS Sequences: nocache == order ??
It looks like when option "ORDER" is used Oracle guarantees the generated values will be in order since the "CACHE" option will be ignored by Oracle even if it was requested. This is in the parallel mode. Look at note: Note:1031850.6 Waleed -Original Message-From: Gogala, Mladen [mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 03, 2002 6:00 PMTo: Multiple recipients of list ORACLE-LSubject: OPS Sequences: nocache == order ?? I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64, RDBMS 8.1.7.1) and I'm having an application dependency on a temporal order of sequence numbers. With OPS that becomes a problem because each node caches a set of sequence numbers (20 by default). Oracle has an option, specifically for that situation, namely "ORDER". My question is whether ORDER is the same thing as NOCACHE and whether it is possible to have a NOCACHE sequence which will return numbers in an incorrect order (larger number before the smaller one). Please, o OPS gods and godesses, help me out and I'll sacrifice you a beer when I see you. Mladen Gogala
Re: OPS Sequences: nocache == order ??
If you run OPS and specify order, it works like no cache. My question to you: Why cripple OPS and your business performance by having this requirement ? Spending a few bucks to get rid of this dependency will improve the performance, until you run in to the next problem ;-) Anjo. On Wednesday 04 September 2002 00:00, you wrote: I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS 8.1.7.1) and I'm having an application dependency on a temporal order of sequence numbers. With OPS that becomes a problem because each node caches a set of sequence numbers (20 by default). Oracle has an option, specifically for that situation, namely ORDER. My question is whether ORDER is the same thing as NOCACHE and whether it is possible to have a NOCACHE sequence which will return numbers in an incorrect order (larger number before the smaller one). Please, o OPS gods and godesses, help me out and I'll sacrifice you a beer when I see you. Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS Sequences: nocache == order ??
Yes, but when analyzed, it turns out that NOCACHE will also yield ordered results. What I'm interested in are internal differences in behavior. My assumption is that with ORDER oracle queries the instances directly, while NOCACHE will simply read/write everything from the disk. On 2002.09.03 18:38 Khedr, Waleed wrote: It looks like when option ORDER is used Oracle guarantees the generated values will be in order since the CACHE option will be ignored by Oracle even if it was requested. This is in the parallel mode. Look at note: Note:1031850.6 Waleed -Original Message- Sent: Tuesday, September 03, 2002 6:00 PM To: Multiple recipients of list ORACLE-L I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS 8.1.7.1) and I'm having an application dependency on a temporal order of sequence numbers. With OPS that becomes a problem because each node caches a set of sequence numbers (20 by default). Oracle has an option, specifically for that situation, namely ORDER. My question is whether ORDER is the same thing as NOCACHE and whether it is possible to have a NOCACHE sequence which will return numbers in an incorrect order (larger number before the smaller one). Please, o OPS gods and godesses, help me out and I'll sacrifice you a beer when I see you. Mladen Gogala -- Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS Sequences: nocache == order ??
The way I see it is: If you specify ORDER then the only way Oracle can enforce this is getting it from the dictionary which means no caching will be implemented. If you need the data to be ordered then (in my opinion) it's better to declare what you need by using option ORDER. Using option NOCACHE alone believing it will give you the same functionality will not be guaranteed from one release to the other. Waleed -Original Message- Sent: Tuesday, September 03, 2002 7:29 PM To: Multiple recipients of list ORACLE-L Yes, but when analyzed, it turns out that NOCACHE will also yield ordered results. What I'm interested in are internal differences in behavior. My assumption is that with ORDER oracle queries the instances directly, while NOCACHE will simply read/write everything from the disk. On 2002.09.03 18:38 Khedr, Waleed wrote: It looks like when option ORDER is used Oracle guarantees the generated values will be in order since the CACHE option will be ignored by Oracle even if it was requested. This is in the parallel mode. Look at note: Note:1031850.6 Waleed -Original Message- Sent: Tuesday, September 03, 2002 6:00 PM To: Multiple recipients of list ORACLE-L I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS 8.1.7.1) and I'm having an application dependency on a temporal order of sequence numbers. With OPS that becomes a problem because each node caches a set of sequence numbers (20 by default). Oracle has an option, specifically for that situation, namely ORDER. My question is whether ORDER is the same thing as NOCACHE and whether it is possible to have a NOCACHE sequence which will return numbers in an incorrect order (larger number before the smaller one). Please, o OPS gods and godesses, help me out and I'll sacrifice you a beer when I see you. Mladen Gogala -- Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS Sequences: nocache == order ??
Unfortunately, we have an application dependency and I was required to come up with a quick dirty fix. Thanks for your reply. On 2002.09.03 19:10 Anjo Kolk wrote: If you run OPS and specify order, it works like no cache. My question to you: Why cripple OPS and your business performance by having this requirement ? Spending a few bucks to get rid of this dependency will improve the performance, until you run in to the next problem ;-) Anjo. On Wednesday 04 September 2002 00:00, you wrote: I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS 8.1.7.1) and I'm having an application dependency on a temporal order of sequence numbers. With OPS that becomes a problem because each node caches a set of sequence numbers (20 by default). Oracle has an option, specifically for that situation, namely ORDER. My question is whether ORDER is the same thing as NOCACHE and whether it is possible to have a NOCACHE sequence which will return numbers in an incorrect order (larger number before the smaller one). Please, o OPS gods and godesses, help me out and I'll sacrifice you a beer when I see you. Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS Sequences: nocache == order ??
I agree with Anoj, you need to talk to the business folks to remove this dependency. Else you may encounter waits/queues on getting the next sequence numbers. One of the benfits in OPS and in RAC is the sequence cache option, because each instance will not have to query the Oracle's fast cache areas for the next sequence or wait in queue to get the next number. Any ways if you see slowness you now where to look! Reply-To: [EMAIL PROTECTED] To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Date: Tue, 03 Sep 2002 15:54:06 -0800 Unfortunately, we have an application dependency and I was required to come up with a quick dirty fix. Thanks for your reply. On 2002.09.03 19:10 Anjo Kolk wrote: If you run OPS and specify order, it works like no cache. My question to you: Why cripple OPS and your business performance by having this requirement ? Spending a few bucks to get rid of this dependency will improve the performance, until you run in to the next problem ;-) Anjo. On Wednesday 04 September 2002 00:00, you wrote: I'm managing an OPS configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS 8.1.7.1) and I'm having an application dependency on a temporal order of sequence numbers. With OPS that becomes a problem because each node caches a set of sequence numbers (20 by default). Oracle has an option, specifically for that situation, namely ORDER. My question is whether ORDER is the same thing as NOCACHE and whether it is possible to have a NOCACHE sequence which will return numbers in an incorrect order (larger number before the smaller one). Please, o OPS gods and godesses, help me out and I'll sacrifice you a beer when I see you. Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Mladen Gogala -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Murali Vallath Oracle Certified DBA http://www8.ewebcity.com/muralivallath/ http://www.summerksyus.com/ _ Chat with friends online, try MSN Messenger: http://messenger.msn.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Murali Vallath INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS Sequences: nocache == order ??
Mladen,
Is there any way to have developers/users access
the sequence via a function, instead of accessing the sequence
directly?
If so, then perhaps you could modify the sequence
to addthe temporal component, while maintaining the use of a cached
sequence for uniqueness? Such as:
SQL create or replace function
gen_seqq(in_seq in number)
2return number 3
as 4 v_return_nbr number;
5 begin 6
selectto_number(to_char(sysdate,'MMDDHH24MISS')||ltrim(to_char(in_seq,'')))
7
intov_return_nbr
8 from dual;
9 return v_return_nbr;10*
end gen_seqq;SQL /
Function created.
SQL create table x (y number);
Table created.
SQL create sequence xq;
Sequence created.
SQL insert into x values
(gen_seqq(xq.nextval));
1 row created.
SQL
Big and ugly numbers yes, but I think some folks
get a strange thrill out of 20-digit numbers.
It fits the requirement of being temporal (to the
second, at least) and unique. You can throw in HSECS from V$TIMER if
someone gets picky enough to want to go to the centi-second level as well.
Yeah, and you can throw in USERENV('INSTANCEID') too, just for some real
OPS/RAC-ness! Best of all, it fits the DBA-half of your brain by being
fully cacheable and non-pinging...
...of course, you can embed the use of the SEQUENCE
object inside the function; I left it on the "outside" in this example
just to make it more flexible with regard to which sequence object it
uses...
If they don't like the idea of using a stored
function to get the sequence number, then tell 'em that "it's more ANSI standard
that way" and it's "database independent". That gets 'em every
time...
Hope this helps...
-Tim
- Original Message -
From: "Mladen Gogala" [EMAIL PROTECTED]
To: "Multiple recipients of list ORACLE-L"
[EMAIL PROTECTED]
Sent: Tuesday, September 03, 2002 5:54
PM
Subject: Re: OPS Sequences: nocache == order
??
Unfortunately, we have an application dependency and I was required
to come up with a quick dirty fix. Thanks for your reply.
On 2002.09.03 19:10 Anjo Kolk wrote:
If you run OPS and specify order, it works like no cache.
My question to you: "Why cripple OPS and your business performance
by having this requirement ?" Spending a few bucks to get rid of
this dependency will improve the performance, until you run in to
the next problem ;-)Anjo.
On Wednesday 04
September 2002 00:00, you wrote: I'm managing an OPS
configuration (4x HP 9000/N, HP-UX 11/64 , RDBMS
8.1.7.1) and I'm having an application dependency on a
temporal order of sequence numbers. With OPS
that becomes a problem because each node caches a set of sequence
numbers (20 by default). Oracle has an option,
specifically for that situation, namely "ORDER".
My question is whether ORDER is the same thing as NOCACHE and whether it
is possible to have a NOCACHE sequence which
will return numbers in an incorrect order (larger
number before the smaller one). Please, o
OPS gods and godesses, help me out and I'll sacrifice you a beer
when I see you. Mladen Gogala
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- Author: Anjo Kolk INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX:
(858) 538-5051 San Diego,
California -- Public Internet access /
Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT
spelling of 'ListGuru') and in the message BODY, include a line
containing: UNSUB ORACLE-L (or the name of mailing list you want to
be removed from). You may also send the HELP command for
other information (like subscribing).--
Mladen Gogala -- Please see the official ORACLE-L FAQ:
http://www.orafaq.com --
Author: Mladen Gogala INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858)
538-5051 San Diego, California
-- Public Internet access / Mailing Lists
To
REMOVE yourself from this mailing list, send an E-Mail message to:
[EMAIL PROTECTED] (note EXACT
spelling of 'ListGuru') and in the message BODY, include a line
containing: UNSUB ORACLE-L (or the name of mailing list you want to be
removed from). You may also send the HELP command for other
information (like subscribing).
RE: OPS 7.3.4 - how to ?
Requirements: 1. Database must be reconfigured/rebuilt. 2. All datafiles must reside on RAW devices. No autogrowth potential. 3. Several UNIX parameters will require modification to accommodate the increased traffic between the two instances. 4. TNSNAMES and LISTENER .ORA files will require additional entries for changed instance names. Is that a good start for you? Thank You Stephen P. Karniotis Product Architect Compuware Corporation Direct: (248) 865-4350 Mobile: (248) 408-2918 Email: [EMAIL PROTECTED] Web:www.compuware.com -Original Message- Sent: Tuesday, August 13, 2002 5:38 AM To: Multiple recipients of list ORACLE-L oops ... It's digital UNIX (a sort of predcessor of the Tru64, ig i understood correctly) , don't know exactly which version. Thanks ! DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -Original Message- Sent: Monday, August 12, 2002 8:58 PM To: Multiple recipients of list ORACLE-L What platform? What OS? Thank You Stephen P. Karniotis Product Architect Compuware Corporation Direct: (248) 865-4350 Mobile: (248) 408-2918 Email: [EMAIL PROTECTED] Web:www.compuware.com -Original Message- Sent: Monday, August 12, 2002 1:08 PM To: Multiple recipients of list ORACLE-L Dear gurus ! I have to create an OPS 7.3.4 database (yes, there are still Oracle7 installations out there). Actually we are migrating our current OPS DB to another storage (EMC). So , the software is installed , i just need to create the DB. I can not find which scripts to run after the create database (i.e. catproc.sql , catexp.sql). Does anyone have a list of such scripts to run for OPS , please? Also , are there any known gotchas for OPS 7.3.4 setup ? I plan to export the exisiting DB, to create the new DB (with the same name of the DB and the instances as the original ones) and then to import. Is it OK ? TIA. DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Karniotis, Stephen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Karniotis, Stephen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT
RE: OPS 7.3.4 - how to ?
oops ... It's digital UNIX (a sort of predcessor of the Tru64, ig i understood correctly) , don't know exactly which version. Thanks ! DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -Original Message- Sent: Monday, August 12, 2002 8:58 PM To: Multiple recipients of list ORACLE-L What platform? What OS? Thank You Stephen P. Karniotis Product Architect Compuware Corporation Direct: (248) 865-4350 Mobile: (248) 408-2918 Email: [EMAIL PROTECTED] Web:www.compuware.com -Original Message- Sent: Monday, August 12, 2002 1:08 PM To: Multiple recipients of list ORACLE-L Dear gurus ! I have to create an OPS 7.3.4 database (yes, there are still Oracle7 installations out there). Actually we are migrating our current OPS DB to another storage (EMC). So , the software is installed , i just need to create the DB. I can not find which scripts to run after the create database (i.e. catproc.sql , catexp.sql). Does anyone have a list of such scripts to run for OPS , please? Also , are there any known gotchas for OPS 7.3.4 setup ? I plan to export the exisiting DB, to create the new DB (with the same name of the DB and the instances as the original ones) and then to import. Is it OK ? TIA. DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Karniotis, Stephen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS 7.3.4 - how to ?
OSF/1 on Alpha? - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, August 13, 2002 11:38 AM oops ... It's digital UNIX (a sort of predcessor of the Tru64, ig i understood correctly) , don't know exactly which version. Thanks ! DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -Original Message- Sent: Monday, August 12, 2002 8:58 PM To: Multiple recipients of list ORACLE-L What platform? What OS? Thank You Stephen P. Karniotis Product Architect Compuware Corporation Direct: (248) 865-4350 Mobile: (248) 408-2918 Email: [EMAIL PROTECTED] Web: www.compuware.com -Original Message- Sent: Monday, August 12, 2002 1:08 PM To: Multiple recipients of list ORACLE-L Dear gurus ! I have to create an OPS 7.3.4 database (yes, there are still Oracle7 installations out there). Actually we are migrating our current OPS DB to another storage (EMC). So , the software is installed , i just need to create the DB. I can not find which scripts to run after the create database (i.e. catproc.sql , catexp.sql). Does anyone have a list of such scripts to run for OPS , please? Also , are there any known gotchas for OPS 7.3.4 setup ? I plan to export the exisiting DB, to create the new DB (with the same name of the DB and the instances as the original ones) and then to import. Is it OK ? TIA. DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Karniotis, Stephen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Alexandre Gorbatchev INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS 7.3.4 - how to ?
Alpha ... Thanks. DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -Original Message- Sent: Tuesday, August 13, 2002 4:24 PM To: Multiple recipients of list ORACLE-L OSF/1 on Alpha? - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, August 13, 2002 11:38 AM oops ... It's digital UNIX (a sort of predcessor of the Tru64, ig i understood correctly) , don't know exactly which version. Thanks ! DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -Original Message- Sent: Monday, August 12, 2002 8:58 PM To: Multiple recipients of list ORACLE-L What platform? What OS? Thank You Stephen P. Karniotis Product Architect Compuware Corporation Direct: (248) 865-4350 Mobile: (248) 408-2918 Email: [EMAIL PROTECTED] Web: www.compuware.com -Original Message- Sent: Monday, August 12, 2002 1:08 PM To: Multiple recipients of list ORACLE-L Dear gurus ! I have to create an OPS 7.3.4 database (yes, there are still Oracle7 installations out there). Actually we are migrating our current OPS DB to another storage (EMC). So , the software is installed , i just need to create the DB. I can not find which scripts to run after the create database (i.e. catproc.sql , catexp.sql). Does anyone have a list of such scripts to run for OPS , please? Also , are there any known gotchas for OPS 7.3.4 setup ? I plan to export the exisiting DB, to create the new DB (with the same name of the DB and the instances as the original ones) and then to import. Is it OK ? TIA. DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Karniotis, Stephen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Alexandre Gorbatchev INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists
RE: OPS 7.3.4 - how to ?
We have been successfully running 7.3.4 OPS for some time. It's been a rock-solid version for us. The only extra script we ran was ora_rdbms:catparr.sql (We're on Alpha/OpenVMS ) Good luck! Barb -Original Message- Sent: Monday, August 12, 2002 1:08 PM To: Multiple recipients of list ORACLE-L Dear gurus ! I have to create an OPS 7.3.4 database (yes, there are still Oracle7 installations out there). Actually we are migrating our current OPS DB to another storage (EMC). So , the software is installed , i just need to create the DB. I can not find which scripts to run after the create database (i.e. catproc.sql , catexp.sql). Does anyone have a list of such scripts to run for OPS , please? Also , are there any known gotchas for OPS 7.3.4 setup ? I plan to export the exisiting DB, to create the new DB (with the same name of the DB and the instances as the original ones) and then to import. Is it OK ? TIA. DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -- -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Baker, Barbara INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS 7.3.4 - how to ?
What platform? What OS? Thank You Stephen P. Karniotis Product Architect Compuware Corporation Direct: (248) 865-4350 Mobile: (248) 408-2918 Email: [EMAIL PROTECTED] Web:www.compuware.com -Original Message- Sent: Monday, August 12, 2002 1:08 PM To: Multiple recipients of list ORACLE-L Dear gurus ! I have to create an OPS 7.3.4 database (yes, there are still Oracle7 installations out there). Actually we are migrating our current OPS DB to another storage (EMC). So , the software is installed , i just need to create the DB. I can not find which scripts to run after the create database (i.e. catproc.sql , catexp.sql). Does anyone have a list of such scripts to run for OPS , please? Also , are there any known gotchas for OPS 7.3.4 setup ? I plan to export the exisiting DB, to create the new DB (with the same name of the DB and the instances as the original ones) and then to import. Is it OK ? TIA. DBAndrey * 03-9254520 * 058-548133 * mailto:[EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Andrey Bronfin INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Karniotis, Stephen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS and redos
Thank you Scott for supplying a well-written summary of SCN usage within OPS nodes. I was interested in If the gap in the log sequence gets to big Oracle will force the idle node to do log switches I was not aware of that and whilst I believe you, I cannot see what the reason behind it is. Have you any thoughts on why it is set like that I suppose it is quite easy to test if you happen to have a OPS development setup handy (which I do not at the moment) John -Original Message- Sent: 02 July 2002 19:44 To: Multiple recipients of list ORACLE-L Fawzia, What are you querying to get the SCN information. I would also be curious where you read about the recovery issues in OPS environment? Oracle maintains what is called a snapshot SCN and global SCN. The snapshot SCN is usually maintained in the SGA and the global SCN is maintained by the DLM. All transactions committed in an OPS environment use the global SCN and that SCN is always incrementing even in if both instances are idle. In an OPS environment it is possible for multiple transactions on different nodes to commit with the same SCN but each transaction will commit with an SCN that is greater whether these transactions are on the same node or different nodes. The bottom line is that Oracle basically treats SCN's with committed transactions the same whether it is a single instance or OPS. The snapshot SCN is used for queries and the snapshot SCN could be older than current or global SCN. This SCN only effects queries not DML. The only issue here is using this snapshot SCN could give read consistency on transactions that where committed on the on the other node. an example Time 10:00:00 - Node2 issues DML and commits updates deptno from 10 to 11 committed with current SCN 1000, current SCN is now incremented to 1001 Time 10:00:01 - Node1 issues a select on deptno and sees 10 (should see 11 because the transaction was commmited) because the snapshot SCN is 998 and the transaction was committed with newer SCN we must perform a read consistent read. PMON is the process that synchs current or global SCN with the snapshot SCN and PMON usually does this every 3 seconds so if you issue the query Time 10:00:05 (5 seconds after the commit) - Node1 issues the select on deptno and now sees 11. This is because PMON sync-ed up the snapshot SCN with the current or global SCN and now my SCN for my query is newer than the SCN the transaction you committed with so there is no need to perform a CR you can just use the current version. The above issue is really only a problem is a system if you have a lot of DML on 1 node and a lot of selects on the other node. It this is an issue you can set MAX_COMMIT_PROPAGATION_DELAY=0 and this will force the queries to always use the current or global SCN and now you should see the committed data as soon as it is committed because both the DML and queries are use the current or global SCN. I find odd that you have SCN of 500 and 2000. The way Oracle maintains SCN's in an OPS environment shouldn't allow for this large of a gap in SCN's. This looks more like log sequence numbers not SCN's. If these are indeed log sequence then this gap is not an issue. Recovery is based more on SCN's not log sequence numbers. If the gap in the log sequence gets to big Oracle will force the idle node to do log switches and if you are archiving you will see archive logs 1 OS block in size. When Oracle does this you should a KK #34;Redo log Kick#34; lock being allocated. Hope this helps, Scott --- #34;Malik, Fawzia#34; lt;[EMAIL PROTECTED]gt; wrote: gt; gt; gt; Hi gurus, gt; gt; I have a query..Basically we have an OPS set up here gt; (8.0.6) and I have gt; noticed that the scn on node A is 500 and the scn on gt; node B is 2000. I am gt; concerned about this w.r.t recovery- surely this gt; would be an issue ??I gt; logged a call with oracle and they said it wasnt an gt; issue, but then I read gt; in a document that it WAS an issue and could gt; potentially lose everything gt; between 500 abd 2000..and that the workaround would gt; be to add more logs to A gt; or to modify the check point interval gt; gt; Please can you advise?? gt; gt; Rgds gt; gt; Fawzia gt; gt; gt; ** gt; Information in this email is confidential and may be gt; privileged. gt; It is intended for the addressee only. If you have gt; received it in error, gt; please notify the sender immediately and delete it gt; from your system. gt; You should not otherwise copy it, retransmit it or gt; use or disclose its gt; contents to anyone. gt; Thank you for your co-operation. gt; ** gt; gt; -- gt; Please see the official ORACLE-L FAQ: gt; http://www.orafaq.com gt; -- gt; Author: Malik, Fawzia gt; INET: [EMAIL PROTECTED] gt; gt; Fat City Network Services-- (858) 538-5051 FAX: gt; (858) 538-5051 gt; San Diego,
RE: OPS and redos
John, I actually have never sat down tested to see when Oracle actually does the redo kick. I do have a OPS and RAC test environment so I may have to see how big the GAP gets before Oracle starts doing log archive switches on the idle node. The only reason I have heard why Oracle does this kick is to keep on-line redo logs archiving off of idle instances, while other active instances generate redo and archive on-line logs. The intent is to keep archive streams from all participating instances close to each other in time, so that a set of archived logs for all redo streams/instances can easily be identified and managed for backup or recovery. Also used in executing the ALTER SYSTEM ARCHIVE LOG CURRENT command, which is used to cause all instances to archive their current logs. I know Anjo has some detail on this feature. So he may be able to provide more information. Scott --- [EMAIL PROTECTED] wrote: gt; Thank you Scott for supplying a well-written summary gt; of SCN usage within OPS gt; nodes. gt; gt; I was interested in #34;If the gap in the log sequence gt; gets to big Oracle will gt; force the idle node to do log switches #34; gt; gt; I was not aware of that and whilst I believe you, I gt; cannot see what the gt; reason behind it is. Have you any thoughts on why it gt; is set like that gt; I suppose it is quite easy to test if you happen to gt; have a OPS development gt; setup handy (which I do not at the moment) gt; gt; John gt; gt; -Original Message- gt; Sent: 02 July 2002 19:44 gt; To: Multiple recipients of list ORACLE-L gt; gt; gt; Fawzia, What are you querying to get the SCN gt; information. I would also be curious where you read gt; about the recovery issues in OPS environment? Oracle gt; maintains what is called a snapshot SCN and global gt; SCN. The snapshot SCN is usually maintained in the gt; SGA gt; and the global SCN is maintained by the DLM. All gt; transactions committed in an OPS environment use the gt; global SCN and that SCN is always incrementing even gt; in gt; if both instances are idle. In an OPS environment it gt; is possible for multiple transactions on different gt; nodes to commit with the same SCN but each gt; transaction gt; will commit with an SCN that is greater whether gt; these gt; transactions are on the same node or different gt; nodes. gt; The bottom line is that Oracle basically treats gt; SCN's gt; with committed transactions the same whether it is a gt; single instance or OPS. gt; gt; The snapshot SCN is used for queries and the gt; snapshot gt; SCN could be older than current or global SCN. This gt; SCN only effects queries not DML. The only issue gt; here gt; is using this snapshot SCN could give read gt; consistency gt; on transactions that where committed on the on the gt; other node. gt; gt; an example gt; gt; Time 10:00:00 - Node2 issues DML and commits updates gt; deptno from 10 to 11 committed with current SCN gt; 1000, gt; current SCN is now incremented to 1001 gt; gt; Time 10:00:01 - Node1 issues a select on deptno and gt; sees 10 (should see 11 because the transaction was gt; commmited) because the snapshot SCN is 998 and the gt; transaction was committed with newer SCN we must gt; perform a read consistent read. gt; gt; PMON is the process that synchs current or global gt; SCN gt; with the snapshot SCN and PMON usually does this gt; every gt; 3 seconds gt; gt; so if you issue the query gt; Time 10:00:05 (5 seconds after the commit) - Node1 gt; issues the select on deptno and now sees 11. This is gt; because PMON sync-ed up the snapshot SCN with the gt; current or global SCN and now my SCN for my query is gt; newer than the SCN the transaction you committed gt; with gt; so there is no need to perform a CR you can just use gt; the current version. gt; gt; The above issue is really only a problem is a system gt; if you have a lot of DML on 1 node and a lot of gt; selects on the other node. It this is an issue you gt; can gt; set MAX_COMMIT_PROPAGATION_DELAY=0 and this will gt; force gt; the queries to always use the current or global SCN gt; and now you should see the committed data as soon as gt; it is committed because both the DML and queries are gt; use the current or global SCN. gt; gt; I find odd that you have SCN of 500 and 2000. The gt; way gt; Oracle maintains SCN's in an OPS environment gt; shouldn't gt; allow for this large of a gap in SCN's. This looks gt; more like log sequence numbers not SCN's. If these gt; are gt; indeed log sequence then this gap is not an issue. gt; Recovery is based more on SCN's not log sequence gt; numbers. gt; gt; If the gap in the log sequence gets to big Oracle gt; will gt; force the idle node to do log switches and if you gt; are gt; archiving you will see archive logs 1 OS block in gt; size. When Oracle does this you should a KK gt; #34;Redo gt; log Kick#34; lock being allocated. gt; gt; Hope this helps, gt; gt; Scott gt; gt; --- #34;Malik, Fawzia#34; gt; amp;lt;[EMAIL
Re: OPS and redos
Fawzia, Oracle it self will keep an eye on that also. It will kick the other instance if it falls behind. So that the redo file will be switched. Anjo. Malik, Fawzia wrote: Hi gurus, I have a query..Basically we have an OPS set up here (8.0.6) and I have noticed that the scn on node A is 500 and the scn on node B is 2000. I am concerned about this w.r.t recovery- surely this would be an issue ??I logged a call with oracle and they said it wasnt an issue, but then I read in a document that it WAS an issue and could potentially lose everything between 500 abd 2000..and that the workaround would be to add more logs to A or to modify the check point interval Please can you advise?? Rgds Fawzia ** Information in this email is confidential and may be privileged. It is intended for the addressee only. If you have received it in error, please notify the sender immediately and delete it from your system. You should not otherwise copy it, retransmit it or use or disclose its contents to anyone. Thank you for your co-operation. ** -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Malik, Fawzia INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Anjo Kolk INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS and redos
Fawzia, What are you querying to get the SCN information. I would also be curious where you read about the recovery issues in OPS environment? Oracle maintains what is called a snapshot SCN and global SCN. The snapshot SCN is usually maintained in the SGA and the global SCN is maintained by the DLM. All transactions committed in an OPS environment use the global SCN and that SCN is always incrementing even in if both instances are idle. In an OPS environment it is possible for multiple transactions on different nodes to commit with the same SCN but each transaction will commit with an SCN that is greater whether these transactions are on the same node or different nodes. The bottom line is that Oracle basically treats SCN's with committed transactions the same whether it is a single instance or OPS. The snapshot SCN is used for queries and the snapshot SCN could be older than current or global SCN. This SCN only effects queries not DML. The only issue here is using this snapshot SCN could give read consistency on transactions that where committed on the on the other node. an example Time 10:00:00 - Node2 issues DML and commits updates deptno from 10 to 11 committed with current SCN 1000, current SCN is now incremented to 1001 Time 10:00:01 - Node1 issues a select on deptno and sees 10 (should see 11 because the transaction was commmited) because the snapshot SCN is 998 and the transaction was committed with newer SCN we must perform a read consistent read. PMON is the process that synchs current or global SCN with the snapshot SCN and PMON usually does this every 3 seconds so if you issue the query Time 10:00:05 (5 seconds after the commit) - Node1 issues the select on deptno and now sees 11. This is because PMON sync-ed up the snapshot SCN with the current or global SCN and now my SCN for my query is newer than the SCN the transaction you committed with so there is no need to perform a CR you can just use the current version. The above issue is really only a problem is a system if you have a lot of DML on 1 node and a lot of selects on the other node. It this is an issue you can set MAX_COMMIT_PROPAGATION_DELAY=0 and this will force the queries to always use the current or global SCN and now you should see the committed data as soon as it is committed because both the DML and queries are use the current or global SCN. I find odd that you have SCN of 500 and 2000. The way Oracle maintains SCN's in an OPS environment shouldn't allow for this large of a gap in SCN's. This looks more like log sequence numbers not SCN's. If these are indeed log sequence then this gap is not an issue. Recovery is based more on SCN's not log sequence numbers. If the gap in the log sequence gets to big Oracle will force the idle node to do log switches and if you are archiving you will see archive logs 1 OS block in size. When Oracle does this you should a KK #34;Redo log Kick#34; lock being allocated. Hope this helps, Scott --- #34;Malik, Fawzia#34; lt;[EMAIL PROTECTED]gt; wrote: gt; gt; gt; Hi gurus, gt; gt; I have a query..Basically we have an OPS set up here gt; (8.0.6) and I have gt; noticed that the scn on node A is 500 and the scn on gt; node B is 2000. I am gt; concerned about this w.r.t recovery- surely this gt; would be an issue ??I gt; logged a call with oracle and they said it wasnt an gt; issue, but then I read gt; in a document that it WAS an issue and could gt; potentially lose everything gt; between 500 abd 2000..and that the workaround would gt; be to add more logs to A gt; or to modify the check point interval gt; gt; Please can you advise?? gt; gt; Rgds gt; gt; Fawzia gt; gt; gt; ** gt; Information in this email is confidential and may be gt; privileged. gt; It is intended for the addressee only. If you have gt; received it in error, gt; please notify the sender immediately and delete it gt; from your system. gt; You should not otherwise copy it, retransmit it or gt; use or disclose its gt; contents to anyone. gt; Thank you for your co-operation. gt; ** gt; gt; -- gt; Please see the official ORACLE-L FAQ: gt; http://www.orafaq.com gt; -- gt; Author: Malik, Fawzia gt; INET: [EMAIL PROTECTED] gt; gt; Fat City Network Services-- (858) 538-5051 FAX: gt; (858) 538-5051 gt; San Diego, California-- Public Internet gt; access / Mailing Lists gt; gt; To REMOVE yourself from this mailing list, send an gt; E-Mail message gt; to: [EMAIL PROTECTED] (note EXACT spelling of gt; 'ListGuru') and in gt; the message BODY, include a line containing: UNSUB gt; ORACLE-L gt; (or the name of mailing list you want to be removed gt; from). You may gt; also send the HELP command for other information gt; (like subscribing). __ Do You
Re: OPS DBA work (was dumb question)
Title: Message Og det er ikke engang lgn. Bjrn Engsig wrote: With the caveat, that I am a consultant and not actually a DBA, I would argue very strongly, that the OPS DBA needs quite some extra understanding, knowledge and experience compared to one managing a single instance Oracle. In particular: - Performance problems, primarily due to poor application design/development, that are seen in single instance are likely to be one to two orders of magnitude worse in OPS. Hence, the DBA needs a much better application understanding. - There are Oracle features (e.g. free list groups) that must be used with OPS and which rarely are needed single instance. - Recovery scenarios are more complex - You must use raw devices (except on platforms with inhertance from Digital Corp), which can add complexity - A frequent requirement of OPS systems is better uptimes than for single instance, which is a very non-trivial task. The whole stack is far more complex, and even though the possibility to have two or more independent nodes sound really great in theory, the practical assurance, that they are in fact completely independent is difficult. And if they aren't independent, they are likely to have worse uptimes than the single instance! - And I probably forgot something, so it is far more than knowing the GC_ parameters, which, BTW, by itself isn't that simple! - Also, BTW, note that except for a few things, RAC doesn't make your life easier than OPS! Thanks, Bjrn. Shreeni wrote: Hi John, Thx for the input. I really appreciate it. I was just kind of stumped when I was asked not once but several times and places, to point out the diff between an OPS DBA and a "regular" DBA that I am. Thanks again Shreeni Shreenivasa Rao e-Z ing Technologies, Inc.. 41-43 Beekman Street, 3rd Floor New York, NY 10038. Tel: (212)233-9861 xt.241 Fax: (212)233-9862 Cell:(917)861-4966 lsama@e-zingtech.com *** **Your IT Solutions Provider *** *** http://www.e-zingtech.com *** Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail can not be considered spam as long as we include contact information and a remove link for removal from our mailing list. To be removed from our mailing list reply with remove in the subject heading and your email address in the body. Include complete address and/or domain to be removed. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Hallas John Sent:Monday, February 04, 2002 4:05 AM To: Multiple recipients of listORACLE-L Subject: OPS DBA work (was dumbquestion) Shreeni, Themangement of a OPS system does not require any extra skills or facilities. Areas that are different or need more attention from a standalone instance include the following : Management and tuning of internode communication.Specifically reducing the level of pinging - use of GC% init.oravariables Requirement for different start up scripts (exclusiveand shared modes) Someadditional work when duplicating databases using RMAN Perhaps more involvement with application and sysadmin teams to determine load balancing factors Iam sure there are others (probably ones Ishould be doing that I am not) Thesimplest thing to remember about OPS is that there is only 1 set of datafilesand therefore tables, despite the number of instances that may be using thosedatafiles.Thispoint is occasionally madeto thosewhob elieve that we have a fully resilient setup. HTH John -Original Message- From: Shreeni [ mailto:[EMAIL PROTECTED] ] Sent: 04 February 2002 00:40 To: Multiple recipients of list ORACLE-L Subject: Dumb question Hi List, To ask a dumb question, is there any special way to run exp/imp on Oracle Parallel server on Solaris ?? Is parallel server DBA different than a "regular" DBA ?? :) TIA Shreeni Shreenivasa Rao e- Z ing Technologies, Inc.. 41-43 Beekman Street, 3rd Floor New York, NY 10038. Tel: (212)233-9861 xt.241 Fax: (212)233-9862 Cell:(917)861-4966 lsama@e-zingtech.com *** **Your IT Solutions Provider *** *** http://www.e-zingtech.com *** Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail can not be considered spam
Re: OPS DBA work (was dumb question)
Title: Message With the caveat, that I am a consultant and not actually a DBA, I would argue very strongly, that the OPS DBA needs quite some extra understanding, knowledge and experience compared to one managing a single instance Oracle. In particular: - Performance problems, primarily due to poor application design/development, that are seen in single instance are likely to be one to two orders of magnitude worse in OPS. Hence, the DBA needs a much better application understanding. - There are Oracle features (e.g. free list groups) that must be used with OPS and which rarely are needed single instance. - Recovery scenarios are more complex - You must use raw devices (except on platforms with inhertance from Digital Corp), which can add complexity - A frequent requirement of OPS systems is better uptimes than for single instance, which is a very non-trivial task. The whole stack is far more complex, and even though the possibility to have two or more independent nodes sound really great in theory, the practical assurance, that they are in fact completely independent is difficult. And if they aren't independent, they are likely to have worse uptimes than the single instance! - And I probably forgot something, so it is far more than knowing the GC_ parameters, which, BTW, by itself isn't that simple! - Also, BTW, note that except for a few things, RAC doesn't make your life easier than OPS! Thanks, Bjrn. Shreeni wrote: Hi John, Thx for the input. I really appreciate it. I was just kind of stumped when I was asked not once but several times and places, to point out the diff between an OPS DBA and a "regular" DBA that I am. Thanks again Shreeni Shreenivasa Rao e-Z ing Technologies, Inc.. 41-43 Beekman Street, 3rd Floor New York, NY 10038. Tel: (212)233-9861 xt.241 Fax: (212)233-9862 Cell:(917)861-4966 lsama@e-zingtech.com *** **Your IT Solutions Provider *** *** http://www.e-zingtech.com *** Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail can not be considered spam as long as we include contact information and a remove link for removal from our mailing list. To be removed from our mailing list reply with remove in the subject heading and your email address in the body. Include complete address and/or domain to be removed. -Original Message- From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Hallas John Sent:Monday, February 04, 2002 4:05 AM To: Multiple recipients of listORACLE-L Subject: OPS DBA work (was dumbquestion) Shreeni, Themangement of a OPS system does not require any extra skills or facilities. Areas that are different or need more attention from a standalone instance include the following : Management and tuning of internode communication.Specifically reducing the level of pinging - use of GC% init.oravariables Requirement for different start up scripts (exclusiveand shared modes) Someadditional work when duplicating databases using RMAN Perhaps more involvement with application and sysadmin teams to determine load balancing factors Iam sure there are others (probably ones Ishould be doing that I am not) Thesimplest thing to remember about OPS is that there is only 1 set of datafilesand therefore tables, despite the number of instances that may be using thosedatafiles.Thispoint is occasionally madeto thosewhob elieve that we have a fully resilient setup. HTH John -Original Message- From: Shreeni [mailto:[EMAIL PROTECTED]] Sent: 04 February 2002 00:40 To: Multiple recipients of list ORACLE-L Subject: Dumb question Hi List, To ask a dumb question, is there any special way to run exp/imp on Oracle Parallel server on Solaris ?? Is parallel server DBA different than a "regular" DBA ?? :) TIA Shreeni Shreenivasa Rao e-Z ing Technologies, Inc.. 41-43 Beekman Street, 3rd Floor New York, NY 10038. Tel: (212)233-9861 xt.241 Fax: (212)233-9862 Cell:(917)861-4966 lsama@e-zingtech.com *** **Your IT Solutions Provider *** *** http://www.e-zingtech.com *** Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail can not be considered spam as long as we include contact information and a remove link for removal from our mailing list. To be removed from our mailing list reply with remove in the subject heading and your email address in the body. Include complete address and/or domain to be removed.
RE: OPS DBA work (was dumb question)
Title: Message Bjorn, I don't have any issues with what you say - in fact it really agrees mostly with what I stated. You have added 2 important factors though, better application knowledge and use of raw file systems. I use Compaq Tru64 so that does not require raw files systems but other o/s certainly do. I think you were a bit unfair to suggest thatI meant you only needed to check a few init.ora parameters out ( 'it is far more than knowing the GC_ parameters' ). I am fully aware of the need to look at freelists and freelist groups - I encompassed that in my statement 'Management and tuning of internode communication. Specifically reducing the level of pinging - use of GC% init.ora variables' Anyway I don't think we are that far away from each other Regards John -Original Message-From: Bjørn Engsig [mailto:[EMAIL PROTECTED]]Sent: 05 February 20021 2:25To: Multiple recipients of list ORACLE-LSubject: Re: OPS DBA work (was dumb question) With the caveat, that I am a consultant and not actually a DBA, I would argue very strongly, that the OPS DBA needs quite some extra understanding, knowledge and experience compared to one managing a single instance Oracle. In particular:- Performance problems, primarily due to poor application design/development, that are seen in single instance are likely to be one to two orders of magnitude worse in OPS. Hence, the DBA needs a much better application understanding.- There are Oracle features (e.g. free list groups) that must be used with OPS and which rarely are needed single instance.- Recovery scenarios are more complex- You must use raw devices (except on platforms with inhertance from Digital Corp), which can add complexity- A frequent requirement of OPS systems is better uptimes than for single instance, which is a very non-trivial task. The whole stack is far more complex, and even though the possibility to have two or more independent nodes sound really great in theory, the practical assurance, that they are in fact completely independent is difficult. And if they aren't independent, they are likely to have worse uptimes than the single instance!- And I probably forgot something, so it is far more than knowing the GC_ parameters, which, BTW, by itself isn't that simple!- Also, BTW, note that except for a few things, RAC doesn't make your life easier than OPS!Thanks, Bjørn.Shreeni wrote: Hi John, Thx for the input. I really appreciate it. I was just kind of stumped when I was asked not once but several times and places, to point out the diff between an OPS DBA and a "regular" DBA that I am. Thanks again Shreeni Shreenivasa Raoe-Z ing Technologies, Inc..41-43 Beekman Street, 3rd FloorNew York, NY 10038.Tel: (212)233-9861 xt.241Fax: (212)233-9862Cell:(917)861-4966lsama@e-zingtech.com *Your IT Solutions Provider*** *** http://www.e-zingtech.com ***Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail cannot be considered spam as long as we include contact information and a remove link for removal from our mailing list. To be removed from our mailing list reply with remove in the subject heading and your email address in the body. Include complete address and/or domain to be removed. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hallas JohnSent: Monday, February 04, 2002 4:05 AMTo: Multiple recipients of list ORACLE-LSubject: OPS DBA work (was dumb question) Shreeni, The mangement of a OPS system does not require any extra skills or facilities. Areas that are different or need more attention from a standalone instance include the following : Management and tuning of internode communication. Specifically reducing the level of pinging - use of GC% init.ora variables Requirement for different start up scripts (exclusive and shared modes) Some additional work when duplicating databases using RMAN Perhaps more involvement with application and sys admin teams to determine load balancing factors Iam sure there are others (probably ones I should be doing that I am not) The simplest thing to remember about OPS is that there is only 1 set of datafiles and therefore tables, despite the number of instances that may be using those datafiles.Thispoint is occasionally madeto thosewhob elieve that we have a fully resilient set up. HTH John -Original Message-From: Shreeni [mailto:[EMAIL PROTECTED]]Sent: 04 February 20
Re: OPS DBA work (was dumb question)
Title: Message You're right John - my comments were clearly more of a general nature than specific followup to your statements. The cool thing is that I expect to get lots of nice business to do if/when people start following Larry's vision: Many nodes of cheap hardware with Linux and RAC on top:-) Rgds, Bjrn. Hallas John wrote: Bjorn, I don't have any issues with what you say - in fact it really agrees mostly with what I stated. You have added 2 important factors though, better application knowledge and use of raw file systems. I use Compaq Tru64 so that does not require raw files systems but other o/s certainly do. I think you were a bit unfair to suggest that I meant you only needed to check a few init.ora parameters out ( 'it is far more than knowing the GC_ parameters' ). I am fully aware of the need to look at freelists and freelist groups - I encompassed that in my statement ' Management and tuning of internode communication. Specifically reducing the level of pinging - use of GC% init.ora variables ' Anyway I don't think we are that far away from each other Regards John -Original Message- From: Bjrn Engsig [mailto:[EMAIL PROTECTED]] Sent: 05 February 20021 2:25 To: Multiple recipients of list ORACLE-L Subject: Re: OPS DBA work (was dumb question) With the caveat, that I am a consultant and not actually a DBA, I would argue very strongly, that the OPS DBA needs quite some extra understanding, knowledge and experience compared to one managing a single instance Oracle. In particular: - Performance problems, primarilydue to poor application design/development, that are seen in single instanceare likely to be one to two orders of magnitude worse in OPS. Hence, theDBA needs a much better application understanding. - There are Oraclefeatures (e.g. free list groups) that must be used with OPS and which rarelyare needed single instance. - Recovery scenarios are morecomplex - You must use raw devices (except on platforms with inhertancefrom Digital Corp), which can add complexity - A frequent requirementof OPS systems is better uptimes than for single instance, which is a verynon-trivial task. The whole stack is far more complex, and even thoughthe possibility to have two or more independent nodes sound really great intheory, the practical assurance, that they are in fact completely independentis difficult. And if they aren't independent, they are likely to haveworse uptimes than the single instance! - And I probably forgotsomething, so it is far more than knowing the GC_ parameters, which, BTW, byitself isn't that simple! - Also, BTW, note that except for a fewthings, RAC doesn't make your life easier than OPS! Thanks,Bjrn. Shreeni wrote: Hi John, Thx for the input. I really appreciate it. I was just kind of stumped when I was asked not once but several times and places, to point out the diff between an OPS DBA and a "regular" DBA that I am. Thanks again Shreeni Shreenivasa Rao e-Z ing Technologies, Inc.. 41-43 Beekman Street, 3rd Floor New York, NY 10038. Tel: (212)233-9861 xt.241 Fax: (212)233-9862 Cell:(917)861-4966 lsama@e-zingtech.com *** **Your IT Solutions Provider *** *** http://www.e-zingtech.com *** Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail can not be considered spam as long as we include contact information and a remove link for removal from our mailing list. To be removed from our mailing list reply with remove in the subject heading and your email address in the body. Include complete address and/or domain to be removed. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On BehalfOf Hallas John Sent: Monday, February 04, 2002 4:05AM To: Multiple recipients of list ORACLE-L Subject:OPS DBA work (was dumb question) Shreeni, The mangement of a OPS system does not requireany extra skills or facilities. Areas that are different or need moreattention from a standalone instance include the following: Management and tuning of internode communication.Specifically reducing the level of pinging - use of GC% init.oravariables Requirement for different start up scripts(exclusive and shared modes) Some additional work when duplicating databasesusing RMAN Perhaps more i
RE: OPS DBA work (was dumb question)
Title: Message Hi John, Thx for the input. I really appreciate it. I was just kind of stumped when I was asked not once but several times and places, to point out the diff between an OPS DBA and a "regular" DBA that I am. Thanks again Shreeni Shreenivasa Raoe-Zing Technologies, Inc..41-43 Beekman Street, 3rd FloorNew York, NY 10038.Tel: (212)233-9861 xt.241Fax: (212)233-9862Cell:(917)861-4966lsama@e-zingtech.com *Your IT Solutions Provider*** *** http://www.e-zingtech.com ***Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail cannot be considered spam as long as we include contact information and a remove link for removal from our mailing list. To be removed from our mailing list reply with remove in the subject heading and your email address in the body. Include complete address and/or domain to be removed. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hallas JohnSent: Monday, February 04, 2002 4:05 AMTo: Multiple recipients of list ORACLE-LSubject: OPS DBA work (was dumb question) Shreeni, The mangement of a OPS system does not require any extra skills or facilities. Areas that are different or need more attention from a standalone instance include the following : Management and tuning of internode communication. Specifically reducing the level of pinging - use of GC% init.ora variables Requirement for different start up scripts (exclusive and shared modes) Some additional work when duplicating databases using RMAN Perhaps more involvement with application and sys admin teams to determine load balancing factors Iam sure there are others (probably ones I should be doing that I am not) The simplest thing to remember about OPS is that there is only 1 set of datafiles and therefore tables, despite the number of instances that may be using those datafiles.Thispoint is occasionally madeto thosewhob elieve that we have a fully resilient set up. HTH John -Original Message-From: Shreeni [mailto:[EMAIL PROTECTED]]Sent: 04 February 2002 00:40To: Multiple recipients of list ORACLE-LSubject: Dumb question Hi List, To ask a dumb question, is there any special way to run exp/imp on Oracle Parallel server on Solaris ?? Is parallel server DBA different than a "regular" DBA ?? :) TIA Shreeni Shreenivasa Raoe-Zing Technologies, Inc..41-43 Beekman Street, 3rd FloorNew York, NY 10038.Tel: (212)233-9861 xt.241Fax: (212)233-9862Cell:(917)861-4966lsama@e-zingtech.com *Your IT Solutions Provider*** *** http://www.e-zingtech.com ***Under Bill s.1618 Title III passed by the 105th U.S. Congress this mail cannot be considered spam as long as we include contact information and a remove link for removal from our mailing list. To be removed from our mailing list reply with remove in the subject heading and your email address in the body. Include complete address and/or domain to be removed. =This electronic message contains information from the mmO2 plc Group which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.= BEGIN:VCARD VERSION:2.1 N:Kodikal Bhaskar Rao;Shreenivasa;R FN:Shreenivasa Rao NICKNAME:Seena ORG:e-Zing Technologies Inc TITLE:Oracle DBA TEL;WORK;VOICE:(212) 233-9861 TEL;HOME;VOICE:(732) 326-1899 TEL;CELL;VOICE:732-670-7066 TEL;WORK;FAX:(212) 233-9862 ADR;WORK:;;41-43, Beekman Street;NY;NY;10010;United States of America LABEL;WORK;ENCODING=QUOTED-PRINTABLE:41-43, Beekman Street=0D=0ANY, NY 10010=0D=0AUnited States of America ADR;HOME:;;741, Cheryl Dr;Iselin;NJ;08830-3110;USA LABEL;HOME;ENCODING=QUOTED-PRINTABLE:741, Cheryl Dr=0D=0AIselin, NJ 08830-3110=0D=0AUSA X-WAB-GENDER:2 URL;HOME:http://www.sritri.com URL;WORK:http://www.e-zingtech.com BDAY:19630202 EMAIL;PREF;INTERNET:[EMAIL PROTECTED] EMAIL;INTERNET:[EMAIL PROTECTED] REV:20011230T034250Z END:VCARD
RE: OPS$ / default accounts
In other words, there arguing about who is writing the code (the fun part)
and who is writing the book (the not so fun part)...
Sorry J, I couldn't resist...
-Original Message-
Sent: Thursday, January 31, 2002 4:46 PM
To: Multiple recipients of list ORACLE-L
Yes, Andy Duncan and I are collaborating on one.
Jared
James McCann [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/31/02 12:50 PM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc:
Subject:RE: OPS$ / default accounts
Jared,
I'll have a go when I get the chance.
Did I hear someone on the list mention that you are bringing out an
Oracle/Perl book?
Jim
-Original Message-
[EMAIL PROTECTED]
Sent: 31 January 2002 18:39
To: Multiple recipients of list ORACLE-L
For those of you that use Perl and DBI, here's a script to check for
default
passwords. If you feel like extending the password list ( hint, hint ), I
wouldn't
mind a bit.
Jared
#!/export/home/oracle/perl/bin/perl
# odpc.pl
# oracle default password check
# Jared Still
# [EMAIL PROTECTED]
use warnings;
use DBI;
use strict;
use Getopt::Long;
my %optctl = ();
Getopt::Long::GetOptions(
\%optctl,
database=s,
username=s,
password=s,
sysdba!,
sysoper!,
z,h,help);
my($db, $username, $password, $connectionMode);
if (
$optctl{h}
|| $optctl{z}
|| $optctl{help}
) {
Usage(0);
}
$connectionMode = 0;
if ( $optctl{sysoper} ) { $connectionMode = 4 }
if ( $optctl{sysdba} ) { $connectionMode = 2 }
if ( ! defined($optctl{database}) ) {
Usage(1);
die database required\n;
}
$db=$optctl{database};
if ( ! defined($optctl{username}) ) {
Usage(1);
die username required\n;
}
$username=$optctl{username};
$password = $optctl{password};
my $dbh = DBI-connect(
'dbi:Oracle:' . $db,
$username, $password,
{
RaiseError = 1,
AutoCommit = 0,
ora_session_mode = $connectionMode
}
);
die Connect to $db failed \n unless $dbh;
# this is a hash of common default accounts and
# the default passwords in hex form
# to extend the list, just use this SQL
#
# select username, password
# from dba_users
#
# use the resulting password for accounts that
# you know are using the default password.
# change the password on a test database is
# necessary to get the correct data.
my %defusers = (
CTXSYS = '24ABAB8B06281B4C',
DBSNMP = 'E066D214D5421CCC',
LBACSYS= 'AC9700FD3F1410EB',
MDSYS = '72979A94BAD2AF80',
OAS_PUBLIC = '9300C0977D7DC75E',
OLAPDBA= '1AF71599EDACFB00',
OLAPSYS= '3FB8EF9DB538647C',
ORDPLUGINS = '88A2B2C183431F00',
ORDSYS = '7EFA02EC7EA6B86F',
OUTLN = '4A3BA55E08595C81',
SYS= 'D4C5016086B2DC6A',
SYSTEM = 'D4DF7931AB130E37',
TRACESVR = 'F9DA8977092B7B81',
WEBSYS = 'A97282CE3D94E29E',
WKSYS = '545E13456B7DDEA0'
);
my $MySql=select username, password from dba_users ;
$MySql .= q{ where username in('} . join(q{','}, keys %defusers) . q{')};
#print sql: $MySql\n;
my $sth = $dbh-prepare($MySql);
use vars qw{$rv};
my $rv = $sth-execute || die error with statement $MySql \n;
while( my $hash = $sth-fetchrow_hashref ) {
#print username: $hash-{USERNAME} password: $hash-{PASSWORD}\n;
if ( exists $defusers{$hash-{USERNAME}} ) {
if ( $defusers{$hash-{USERNAME}} eq $hash-{PASSWORD} ) {
printf(Account %-20s is using a default password\n,
$hash-{USERNAME});
}
}
}
$dbh-disconnect;
sub Usage {
my $exitval = shift;
use File::Basename;
my $basename = basename($0);
print qq{
usage: $basename Oracle Default Password Checker
-database ORACLE_SID
-username DBA account
-password account password
use one of the following options
to connect as SYSOPER or SYSDBA
[-sysdba || -sysoper]
};
exit $exitval;
}
James McCann [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/31/02 08:42 AM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L
[EMAIL PROTECTED]
cc:
Subject:RE: OPS$ / default accounts
Speaking of default accounts with default passwords, here is my list that
I
check for. Anyone want to compare notes :) i.e. have I missed any?
Thanks,
Jim
perfstat/perfstat
TRACESVR ??? is only used with 7.x Databases
REPADMIN ???
CTXSYS/CTXSYS
DBSNMP/DBSNMP
INTERNAL/ORACLE
MDSYS/MDSYS
MTSSYS/MTSSYS
ORDPLUGINS/ORDPLUGINS
ORDSYS/ORDSYS
OUTLN/OUTLN
SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER
SCOTT/TIGER
-Original Message-
Kirti
Sent: 31 January 2002 15:25
To: Multiple recipients of list ORACLE-L
Stephane,
Thanks. Yes, we are properly fenced
None of the databases have those default accounts with default passwords.
We do not use OEM and that agent. Passwords of critical accounts get
changed
regularly and often. Database user ids are generated approved by Data
Security group before DBAs can add them
RE: OPS$ / default accounts
You might also want to check out this web site http://www.pentest-limited.com/default-user.htm Steve -Original Message- Sent: Thursday, January 31, 2002 9:41 AM To: Multiple recipients of list ORACLE-L James McCann wrote: Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER There are many others in the various demos which may or may not have been run. Here here my additional passwords (when no password is specified, it means that the default is identical to the username) BTW it's TRACESVR/TRACE and REPADMIN/REPADMIN List compiled by searching 8.1.7 and 9i directories. RMAN/XX VRR1 VIDEOUSER USER0 to USER9 TEST SECDEMO SAMPLES PUBSUB PRIMARY POWERCARTUSER PO OSE$HTTP$ADMIN/FOO ORDMEDIADEMO ODS OCITEST MOREAU MONITOR MODTEST/YES MMO2 MILLER MIGRATE MFG MDSYS JONES/STEEL JOE/WELCOME (Logminer ;-) ?) JMSUSER IMAGEUSER GPLD GPFD FND FINANCE EVENT DUMMY DEPLOYER DEMO8 CSMIG COMPANY CLARK/CLOTH CDEMOUCB CDEMORID CDEMOCOR CDEMO82 BLAKE/PAPER AURORA$ORB$UNAUTHENTICATED/INVALID AURORA$JIS$UTILITY$ AUDIOUSER AQUSER AQJAVA ADLDEMO ADAMS/WOOD You can add TEST/TEST, DBA, ADMIN, ORACLE etc. to the list. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Steve Main INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$ / default accounts
On closer examination it appears that some of the hash values for the passwords may be incorrect. The hash for SYSTEM is correct, but the hash for MDSYS is incorrect. Jared [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 02/01/02 02:19 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: OPS$ / default accounts Thank you Steve, this is a great resource, as it will save duplicating effort. I'll go update my script now... Jared Steve Main [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 02/01/02 01:51 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: OPS$ / default accounts You might also want to check out this web site http://www.pentest-limited.com/default-user.htm Steve -Original Message- Sent: Thursday, January 31, 2002 9:41 AM To: Multiple recipients of list ORACLE-L James McCann wrote: Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER There are many others in the various demos which may or may not have been run. Here here my additional passwords (when no password is specified, it means that the default is identical to the username) BTW it's TRACESVR/TRACE and REPADMIN/REPADMIN List compiled by searching 8.1.7 and 9i directories. RMAN/XX VRR1 VIDEOUSER USER0 to USER9 TEST SECDEMO SAMPLES PUBSUB PRIMARY POWERCARTUSER PO OSE$HTTP$ADMIN/FOO ORDMEDIADEMO ODS OCITEST MOREAU MONITOR MODTEST/YES MMO2 MILLER MIGRATE MFG MDSYS JONES/STEEL JOE/WELCOME (Logminer ;-) ?) JMSUSER IMAGEUSER GPLD GPFD FND FINANCE EVENT DUMMY DEPLOYER DEMO8 CSMIG COMPANY CLARK/CLOTH CDEMOUCB CDEMORID CDEMOCOR CDEMO82 BLAKE/PAPER AURORA$ORB$UNAUTHENTICATED/INVALID AURORA$JIS$UTILITY$ AUDIOUSER AQUSER AQJAVA ADLDEMO ADAMS/WOOD You can add TEST/TEST, DBA, ADMIN, ORACLE etc. to the list. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Steve Main INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$ / default accounts
[EMAIL PROTECTED] wrote: Thank you Steve, this is a great resource, as it will save duplicating effort. I'll go update my script now... Jared If I may suggest something, Jared, I am a bit of a Perl illiterate (shame! shame!) but it looks to me that you supply the dbname on the command line. I think that it would be great if you could, possibly optionally, check all tnsnames.ora entries. For what I have heard of the text processing capabilities of perl, and for having done it in C, it shouldn't be too difficult and would be much appreciated by large shops. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$ / default accounts
The code below retrieves all the tnsnames on the system on which it is run
(at least for Solaris which is all I run)
HTH!
#!/usr/local/bin/perl -w
#use strict;
use CGI::Carp qw{fatalsToBrowser};
use DBI;
@data_sources = DBI-data_sources('Oracle');
$i = 0;
while (defined $data_sources[$i]) {
print (--$data_sources[$i]\n);
$i++;
}
Stephane Faroult wrote:
[EMAIL PROTECTED] wrote:
Thank you Steve, this is a great resource, as it
will save duplicating effort.
I'll go update my script now...
Jared
If I may suggest something, Jared, I am a bit of a Perl illiterate
(shame! shame!) but it looks to me that you supply the dbname on the
command line. I think that it would be great if you could, possibly
optionally, check all tnsnames.ora entries. For what I have heard of the
text processing capabilities of perl, and for having done it in C, it
shouldn't be too difficult and would be much appreciated by large shops.
--
Regards,
Stephane Faroult
Oriole Ltd
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Stephane Faroult
INET: [EMAIL PROTECTED]
Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051
San Diego, California-- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Charlie Mengler Maintenance Warehouse
[EMAIL PROTECTED] 10641 Scripps Summit Ct.
858-831-2229 San Diego, CA 92131
You can lead some people to knowledge, but you can't make them think!
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Charlie Mengler
INET: [EMAIL PROTECTED]
Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051
San Diego, California-- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
RE: OPS$ / default accounts
Thank you Steve, this is a great resource, as it will save duplicating effort. I'll go update my script now... Jared Steve Main [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 02/01/02 01:51 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: OPS$ / default accounts You might also want to check out this web site http://www.pentest-limited.com/default-user.htm Steve -Original Message- Sent: Thursday, January 31, 2002 9:41 AM To: Multiple recipients of list ORACLE-L James McCann wrote: Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER There are many others in the various demos which may or may not have been run. Here here my additional passwords (when no password is specified, it means that the default is identical to the username) BTW it's TRACESVR/TRACE and REPADMIN/REPADMIN List compiled by searching 8.1.7 and 9i directories. RMAN/XX VRR1 VIDEOUSER USER0 to USER9 TEST SECDEMO SAMPLES PUBSUB PRIMARY POWERCARTUSER PO OSE$HTTP$ADMIN/FOO ORDMEDIADEMO ODS OCITEST MOREAU MONITOR MODTEST/YES MMO2 MILLER MIGRATE MFG MDSYS JONES/STEEL JOE/WELCOME (Logminer ;-) ?) JMSUSER IMAGEUSER GPLD GPFD FND FINANCE EVENT DUMMY DEPLOYER DEMO8 CSMIG COMPANY CLARK/CLOTH CDEMOUCB CDEMORID CDEMOCOR CDEMO82 BLAKE/PAPER AURORA$ORB$UNAUTHENTICATED/INVALID AURORA$JIS$UTILITY$ AUDIOUSER AQUSER AQJAVA ADLDEMO ADAMS/WOOD You can add TEST/TEST, DBA, ADMIN, ORACLE etc. to the list. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Steve Main INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$
Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$
Rachel Carmichael wrote: yep... any account set up as identified externally should have its privileges scrutinized CAREFULLY and you should not grant any of the default roles, Connect, Resource and most especially NOT DBA. Rachel, I assume that you mean 'when remote_os_authent is set to TRUE', in which case I fully agree with you. Otherwise, my position is : a) Keep remote_os_authent to FALSE b) Use an ops$oracle or similar account as DBA for maintenance tasks you regularly run through cron or similar - you will not have any hard-coded password anywhere c) When people want to create database links to your database, create a SPECIFIC account for it, with minimal privileges d) Educate your users e) Educate your users f) Educate your users -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
A user can be both, requiring a passwd and os authenticated. You can create a user identified externally then change its passwd. With this method, you have sqlplus client access requiring username/passwd and server access with no passwd required for cron jobs, etc. timpcreate user ops$junk identified externally; User created. timpalter user ops$junk identified by junk; User altered. timpgrant create session to ops$junk; Grant succeeded. timpconnect ops$junk/junk Connected. From the server, log into user junk, set db environment, sqlplus / and you are in :) Not sure if Oracle intended for externally to work in both cases. Gene [EMAIL PROTECTED] 01/30/02 09:05PM okay if the prefix string is set to an empty string, then the OS username is the same name as that used to sign in to the client. So if you have an empty prefix, and someone logs onto their PC as SYSTEM then if they do sqlplus, they should be able to get into the system account. Except... system isn't set as identified externally they'd have to enter the password right? Jared?? but any Oracle account you create as identified externally (meaning the OS does the password validation, Oracle presumes the security is there) can log onto the database by setting the client login to that name --- Smith, Ron L. [EMAIL PROTECTED] wrote: Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http
Re: OPS$
I understood that but the point is, unless the account has both DBA privileges AND is identified externally, the problem doesn't exist as such --- Jared Still [EMAIL PROTECTED] wrote: The SYSTEM account was just an example, it could be any account with DBA privileges. With current versions of Oracle I haven't found any 'backdoors' such as the one that existed in Oracle 7.x, though I may keep looking. Jared On Wednesday 30 January 2002 18:05, Rachel Carmichael wrote: okay if the prefix string is set to an empty string, then the OS username is the same name as that used to sign in to the client. So if you have an empty prefix, and someone logs onto their PC as SYSTEM then if they do sqlplus, they should be able to get into the system account. Except... system isn't set as identified externally they'd have to enter the password right? Jared?? but any Oracle account you create as identified externally (meaning the OS does the password validation, Oracle presumes the security is there) can log onto the database by setting the client login to that name --- Smith, Ron L. [EMAIL PROTECTED] wrote: Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff
Re: OPS$
Stephane, Yes, sorry, I didn't make that clear. Before setting remote_os_authent to true, you should carefully think about what you are trying to accomplish with it and be very sure that you are not opening up gaping holes in your security. I also think that you should repeat steps d through f several more times :) Rachel --- Stephane Faroult [EMAIL PROTECTED] wrote: Rachel Carmichael wrote: yep... any account set up as identified externally should have its privileges scrutinized CAREFULLY and you should not grant any of the default roles, Connect, Resource and most especially NOT DBA. Rachel, I assume that you mean 'when remote_os_authent is set to TRUE', in which case I fully agree with you. Otherwise, my position is : a) Keep remote_os_authent to FALSE b) Use an ops$oracle or similar account as DBA for maintenance tasks you regularly run through cron or similar - you will not have any hard-coded password anywhere c) When people want to create database links to your database, create a SPECIFIC account for it, with minimal privileges d) Educate your users e) Educate your users f) Educate your users -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
hm, interesting, veddy interesting.. thanks! --- Gene Sais [EMAIL PROTECTED] wrote: A user can be both, requiring a passwd and os authenticated. You can create a user identified externally then change its passwd. With this method, you have sqlplus client access requiring username/passwd and server access with no passwd required for cron jobs, etc. timpcreate user ops$junk identified externally; User created. timpalter user ops$junk identified by junk; User altered. timpgrant create session to ops$junk; Grant succeeded. timpconnect ops$junk/junk Connected. From the server, log into user junk, set db environment, sqlplus / and you are in :) Not sure if Oracle intended for externally to work in both cases. Gene [EMAIL PROTECTED] 01/30/02 09:05PM okay if the prefix string is set to an empty string, then the OS username is the same name as that used to sign in to the client. So if you have an empty prefix, and someone logs onto their PC as SYSTEM then if they do sqlplus, they should be able to get into the system account. Except... system isn't set as identified externally they'd have to enter the password right? Jared?? but any Oracle account you create as identified externally (meaning the OS does the password validation, Oracle presumes the security is there) can log onto the database by setting the client login to that name --- Smith, Ron L. [EMAIL PROTECTED] wrote: Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing
RE: OPS$
I don't think you are living in a dream world... the key parameter you set (that ensures the security) is remote_os_authent=false If you set that false in Unix, you can do basically the same thing you are doing in NT, and you can only log in using external authentication if you are actually logged onto the machine that the database is on. --- Seefelt, Beth [EMAIL PROTECTED] wrote: I know I'm probably one of the few NT weenies on the list so I hope I don't get too much guff from the unix guys... Disabling remote_os_authent and using external authentication are not mutually exclusive, and its not completely devoid of security in NT. Consider this configuration remote_os_authent=false osauth_prefix_domain=true sqlnet.authentication_services=(nts) Now I can create externally authenticated database accounts, prefixed with the domain name instead of OPS$. When they connect to the database Oracle will authenticate them via Kerberos or NTLM, so their password doesn't even have to be passed over the network. And they are authenticated by the domain, so creating a rogue server and creating a user account with the same name still isn't going to get you authenticated, unless you can set the password on the rogue machine to the same password as the domain account. Or am I living in a rose colored dream world? Beth -Original Message- Sent: Wednesday, January 30, 2002 5:55 PM To: Multiple recipients of list ORACLE-L Well, yes, the can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem. The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of. The question you want to ask yourself is how good is your front-end security? -Original Message- Sent: Wednesday, January 30, 2002 4:26 PM To: Multiple recipients of list ORACLE-L Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists
Re: OPS$
one of the nicer little features of 9i is that those accounts come locked when you build the database. The set of privileges for each has also been greatly restricted. --- Stephane Faroult [EMAIL PROTECTED] wrote: Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
Oh, Sure.. I have seen that in the past (with 7.2.3.0). Actually, at my current job, we had one 'very special' database (built by an Oracle Consultant), where the Prod Schema owner was an OPS$ account. How conveeenient! The Contractor DBA who managed it when I joined, told me that that Oracle password in the database for this OPS$ account was changed and it did not match the OS level password, so we were okay =:-O In the months followed, we rebuilt the database... - Kirti -Original Message- Sent: Thursday, January 31, 2002 7:15 AM To: Multiple recipients of list ORACLE-L A user can be both, requiring a passwd and os authenticated. You can create a user identified externally then change its passwd. With this method, you have sqlplus client access requiring username/passwd and server access with no passwd required for cron jobs, etc. timpcreate user ops$junk identified externally; User created. timpalter user ops$junk identified by junk; User altered. timpgrant create session to ops$junk; Grant succeeded. timpconnect ops$junk/junk Connected. From the server, log into user junk, set db environment, sqlplus / and you are in :) Not sure if Oracle intended for externally to work in both cases. Gene -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
OK, so there are risks. I will make sure OPS$ORACLE has restricted access. New question. In 8.1.6 I have set everything up the same as I did in 7.3.4 but when I try to run SQL*PLUS as sqlplus / I get invalid user name / password. I am searching the sorry documentaion CD but I havn't found the difference. Can anyone help? Thanks! Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$ / default accounts
Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER -Original Message- Kirti Sent: 31 January 2002 15:25 To: Multiple recipients of list ORACLE-L Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -Original Message- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: James McCann INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
what a concept... changing production passwords! hm, I knew I liked your company as my phone provider :) --- Deshpande, Kirti [EMAIL PROTECTED] wrote: Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -Original Message- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
i can just see it now, user ids generated by the security group, there must be lots of little yellow stickers on everyone's pc :) [EMAIL PROTECTED] 01/31/02 10:25AM Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -Original Message- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gene Sais INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
We change production password too, but not that often. But I have a DB level trigger that logs each login and captures OSuser too. Then I have a report that is run by my good friend cron telling me who is logging in as what. So, if we find somebody, their managers get informed, mentioned in the weekly meetings and schema password is changed. Now, our developers know the big brother is watching and yes we do capture any and all DDLs that run on the system (along with osuser), so we can go back and see who did what. This is not intended for policing, but mainly to see if someone did something without telling us. Raj __ Rajendra Jamadagni MIS, ESPN Inc. Rajendra dot Jamadagni at ESPN dot com Any opinion expressed here is personal and doesn't reflect that of ESPN Inc. QOTD: Any clod can have facts, but having an opinion is an art! *1 This e-mail message is confidential, intended only for the named recipient(s) above and may contain information that is privileged, attorney work product or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately notify corporate MIS at (860) 766-2000 and delete this e-mail message from your computer, Thank you. *1
RE: OPS$
Yellow is out, we use our Company colors now. Black/red/white color stickers (with the V-check mark) ;) - Kirti -Original Message- Sent: Thursday, January 31, 2002 10:51 AM To: Multiple recipients of list ORACLE-L i can just see it now, user ids generated by the security group, there must be lots of little yellow stickers on everyone's pc :) [EMAIL PROTECTED] 01/31/02 10:25AM Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$
I just remembered why remote_os_authent was so insecure in v7 sqlnet v2: you could become SYSTEM just by setting USER_ID=SYSTEM in Oracle.ini, but the SYSTEM user did *not* need to be identified externally. That's what was so insecure. I've just been trying to see if any similar insecurities still exist. ( geez I love English :) So far, no. Jared Jared Still [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 07:45 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ Sounds about right to me. The security part, that is. :) Jared On Wednesday 30 January 2002 19:25, Seefelt, Beth wrote: I know I'm probably one of the few NT weenies on the list so I hope I don't get too much guff from the unix guys... Disabling remote_os_authent and using external authentication are not mutually exclusive, and its not completely devoid of security in NT. Consider this configuration remote_os_authent=false osauth_prefix_domain=true sqlnet.authentication_services=(nts) Now I can create externally authenticated database accounts, prefixed with the domain name instead of OPS$. When they connect to the database Oracle will authenticate them via Kerberos or NTLM, so their password doesn't even have to be passed over the network. And they are authenticated by the domain, so creating a rogue server and creating a user account with the same name still isn't going to get you authenticated, unless you can set the password on the rogue machine to the same password as the domain account. Or am I living in a rose colored dream world? Beth -Original Message- Sent: Wednesday, January 30, 2002 5:55 PM To: Multiple recipients of list ORACLE-L Well, yes, the can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem. The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of. The question you want to ask yourself is how good is your front-end security? -Original Message- Sent: Wednesday, January 30, 2002 4:26 PM To: Multiple recipients of list ORACLE-L Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L
Re: OPS$ / default accounts
James McCann wrote: Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER There are many others in the various demos which may or may not have been run. Here here my additional passwords (when no password is specified, it means that the default is identical to the username) BTW it's TRACESVR/TRACE and REPADMIN/REPADMIN List compiled by searching 8.1.7 and 9i directories. RMAN/XX VRR1 VIDEOUSER USER0 to USER9 TEST SECDEMO SAMPLES PUBSUB PRIMARY POWERCARTUSER PO OSE$HTTP$ADMIN/FOO ORDMEDIADEMO ODS OCITEST MOREAU MONITOR MODTEST/YES MMO2 MILLER MIGRATE MFG MDSYS JONES/STEEL JOE/WELCOME (Logminer ;-) ?) JMSUSER IMAGEUSER GPLD GPFD FND FINANCE EVENT DUMMY DEPLOYER DEMO8 CSMIG COMPANY CLARK/CLOTH CDEMOUCB CDEMORID CDEMOCOR CDEMO82 BLAKE/PAPER AURORA$ORB$UNAUTHENTICATED/INVALID AURORA$JIS$UTILITY$ AUDIOUSER AQUSER AQJAVA ADLDEMO ADAMS/WOOD You can add TEST/TEST, DBA, ADMIN, ORACLE etc. to the list. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$ / default accounts
Hey All, Anyone remember how to change the DBSNMP password? I know I can change it in the db easily enough, but how does the server/DBSNMP listener process know what the new password is? Must be stored in an OS file someplace. I was just poking around trying to figure it out. The docs have the answer hidden someplace and Google is not responding to search requests. Just curious. And Jim, the first thing I do when I come upon an instance with these default accounts established, is to lock them (alter user account lock) so that someone cannot connect using them. Thanks! Tom Mercadante Oracle Certified Professional -Original Message- Sent: Thursday, January 31, 2002 11:43 AM To: Multiple recipients of list ORACLE-L Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER -Original Message- Kirti Sent: 31 January 2002 15:25 To: Multiple recipients of list ORACLE-L Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -Original Message- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: James McCann INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list,
RE: OPS$ / default accounts
It goes in snmp_rw.ora snmp.connect.SID.password = dbsnmppwd snmp.connect.SID.password = dbsnmppwd -Original Message- Sent: Thursday, January 31, 2002 12:41 PM To: Multiple recipients of list ORACLE-L Hey All, Anyone remember how to change the DBSNMP password? I know I can change it in the db easily enough, but how does the server/DBSNMP listener process know what the new password is? Must be stored in an OS file someplace. I was just poking around trying to figure it out. The docs have the answer hidden someplace and Google is not responding to search requests. Just curious. And Jim, the first thing I do when I come upon an instance with these default accounts established, is to lock them (alter user account lock) so that someone cannot connect using them. Thanks! Tom Mercadante Oracle Certified Professional -Original Message- Sent: Thursday, January 31, 2002 11:43 AM To: Multiple recipients of list ORACLE-L Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER -Original Message- Kirti Sent: 31 January 2002 15:25 To: Multiple recipients of list ORACLE-L Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -Original Message- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: James McCann INET: [EMAIL PROTECTED] Fat City Network Services--
RE: OPS$ / default accounts
change it in snmp.ora which is in clear text on the Unix server. protect that file! --- Mercadante, Thomas F [EMAIL PROTECTED] wrote: Hey All, Anyone remember how to change the DBSNMP password? I know I can change it in the db easily enough, but how does the server/DBSNMP listener process know what the new password is? Must be stored in an OS file someplace. I was just poking around trying to figure it out. The docs have the answer hidden someplace and Google is not responding to search requests. Just curious. And Jim, the first thing I do when I come upon an instance with these default accounts established, is to lock them (alter user account lock) so that someone cannot connect using them. Thanks! Tom Mercadante Oracle Certified Professional -Original Message- Sent: Thursday, January 31, 2002 11:43 AM To: Multiple recipients of list ORACLE-L Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER -Original Message- Kirti Sent: 31 January 2002 15:25 To: Multiple recipients of list ORACLE-L Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -Original Message- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ:
Re: OPS$ / default accounts
scary --- Stephane Faroult [EMAIL PROTECTED] wrote: James McCann wrote: Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER There are many others in the various demos which may or may not have been run. Here here my additional passwords (when no password is specified, it means that the default is identical to the username) BTW it's TRACESVR/TRACE and REPADMIN/REPADMIN List compiled by searching 8.1.7 and 9i directories. RMAN/XX VRR1 VIDEOUSER USER0 to USER9 TEST SECDEMO SAMPLES PUBSUB PRIMARY POWERCARTUSER PO OSE$HTTP$ADMIN/FOO ORDMEDIADEMO ODS OCITEST MOREAU MONITOR MODTEST/YES MMO2 MILLER MIGRATE MFG MDSYS JONES/STEEL JOE/WELCOME (Logminer ;-) ?) JMSUSER IMAGEUSER GPLD GPFD FND FINANCE EVENT DUMMY DEPLOYER DEMO8 CSMIG COMPANY CLARK/CLOTH CDEMOUCB CDEMORID CDEMOCOR CDEMO82 BLAKE/PAPER AURORA$ORB$UNAUTHENTICATED/INVALID AURORA$JIS$UTILITY$ AUDIOUSER AQUSER AQJAVA ADLDEMO ADAMS/WOOD You can add TEST/TEST, DBA, ADMIN, ORACLE etc. to the list. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$
To add further, what I have read is, on Windows NT, being able to edit the registry, could allow one to change the ORA_PWFILE value, and point to their own password file. Hence, access to the registry should be resticted. Raj Jared.Still@r adisys.com To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent by: cc: root@fatcity.Subject: Re: OPS$ com January 31, 2002 12:20 PM Please respond to ORACLE-L I just remembered why remote_os_authent was so insecure in v7 sqlnet v2: you could become SYSTEM just by setting USER_ID=SYSTEM in Oracle.ini, but the SYSTEM user did *not* need to be identified externally. That's what was so insecure. I've just been trying to see if any similar insecurities still exist. ( geez I love English :) So far, no. Jared Jared Still [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 07:45 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ Sounds about right to me. The security part, that is. :) Jared On Wednesday 30 January 2002 19:25, Seefelt, Beth wrote: I know I'm probably one of the few NT weenies on the list so I hope I don't get too much guff from the unix guys... Disabling remote_os_authent and using external authentication are not mutually exclusive, and its not completely devoid of security in NT. Consider this configuration remote_os_authent=false osauth_prefix_domain=true sqlnet.authentication_services=(nts) Now I can create externally authenticated database accounts, prefixed with the domain name instead of OPS$. When they connect to the database Oracle will authenticate them via Kerberos or NTLM, so their password doesn't even have to be passed over the network. And they are authenticated by the domain, so creating a rogue server and creating a user account with the same name still isn't going to get you authenticated, unless you can set the password on the rogue machine to the same password as the domain account. Or am I living in a rose colored dream world? Beth -Original Message- Sent: Wednesday, January 30, 2002 5:55 PM To: Multiple recipients of list ORACLE-L Well, yes, the can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem. The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of. The question you want to ask yourself is how good is your front-end security? -Original Message- Sent: Wednesday, January 30, 2002 4:26 PM To: Multiple recipients of list ORACLE-L Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM
RE: OPS$ / default accounts
For those of you that use Perl and DBI, here's a script to check for
default
passwords. If you feel like extending the password list ( hint, hint ), I
wouldn't
mind a bit.
Jared
#!/export/home/oracle/perl/bin/perl
# odpc.pl
# oracle default password check
# Jared Still
# [EMAIL PROTECTED]
use warnings;
use DBI;
use strict;
use Getopt::Long;
my %optctl = ();
Getopt::Long::GetOptions(
\%optctl,
database=s,
username=s,
password=s,
sysdba!,
sysoper!,
z,h,help);
my($db, $username, $password, $connectionMode);
if (
$optctl{h}
|| $optctl{z}
|| $optctl{help}
) {
Usage(0);
}
$connectionMode = 0;
if ( $optctl{sysoper} ) { $connectionMode = 4 }
if ( $optctl{sysdba} ) { $connectionMode = 2 }
if ( ! defined($optctl{database}) ) {
Usage(1);
die database required\n;
}
$db=$optctl{database};
if ( ! defined($optctl{username}) ) {
Usage(1);
die username required\n;
}
$username=$optctl{username};
$password = $optctl{password};
my $dbh = DBI-connect(
'dbi:Oracle:' . $db,
$username, $password,
{
RaiseError = 1,
AutoCommit = 0,
ora_session_mode = $connectionMode
}
);
die Connect to $db failed \n unless $dbh;
# this is a hash of common default accounts and
# the default passwords in hex form
# to extend the list, just use this SQL
#
# select username, password
# from dba_users
#
# use the resulting password for accounts that
# you know are using the default password.
# change the password on a test database is
# necessary to get the correct data.
my %defusers = (
CTXSYS = '24ABAB8B06281B4C',
DBSNMP = 'E066D214D5421CCC',
LBACSYS= 'AC9700FD3F1410EB',
MDSYS = '72979A94BAD2AF80',
OAS_PUBLIC = '9300C0977D7DC75E',
OLAPDBA= '1AF71599EDACFB00',
OLAPSYS= '3FB8EF9DB538647C',
ORDPLUGINS = '88A2B2C183431F00',
ORDSYS = '7EFA02EC7EA6B86F',
OUTLN = '4A3BA55E08595C81',
SYS= 'D4C5016086B2DC6A',
SYSTEM = 'D4DF7931AB130E37',
TRACESVR = 'F9DA8977092B7B81',
WEBSYS = 'A97282CE3D94E29E',
WKSYS = '545E13456B7DDEA0'
);
my $MySql=select username, password from dba_users ;
$MySql .= q{ where username in('} . join(q{','}, keys %defusers) . q{')};
#print sql: $MySql\n;
my $sth = $dbh-prepare($MySql);
use vars qw{$rv};
my $rv = $sth-execute || die error with statement $MySql \n;
while( my $hash = $sth-fetchrow_hashref ) {
#print username: $hash-{USERNAME} password: $hash-{PASSWORD}\n;
if ( exists $defusers{$hash-{USERNAME}} ) {
if ( $defusers{$hash-{USERNAME}} eq $hash-{PASSWORD} ) {
printf(Account %-20s is using a default password\n,
$hash-{USERNAME});
}
}
}
$dbh-disconnect;
sub Usage {
my $exitval = shift;
use File::Basename;
my $basename = basename($0);
print qq{
usage: $basename Oracle Default Password Checker
-database ORACLE_SID
-username DBA account
-password account password
use one of the following options
to connect as SYSOPER or SYSDBA
[-sysdba || -sysoper]
};
exit $exitval;
}
James McCann [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/31/02 08:42 AM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc:
Subject:RE: OPS$ / default accounts
Speaking of default accounts with default passwords, here is my list that
I
check for. Anyone want to compare notes :) i.e. have I missed any?
Thanks,
Jim
perfstat/perfstat
TRACESVR ??? is only used with 7.x Databases
REPADMIN ???
CTXSYS/CTXSYS
DBSNMP/DBSNMP
INTERNAL/ORACLE
MDSYS/MDSYS
MTSSYS/MTSSYS
ORDPLUGINS/ORDPLUGINS
ORDSYS/ORDSYS
OUTLN/OUTLN
SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER
SCOTT/TIGER
-Original Message-
Kirti
Sent: 31 January 2002 15:25
To: Multiple recipients of list ORACLE-L
Stephane,
Thanks. Yes, we are properly fenced
None of the databases have those default accounts with default passwords.
We do not use OEM and that agent. Passwords of critical accounts get
changed
regularly and often. Database user ids are generated approved by Data
Security group before DBAs can add them to databases (so others do not
know
and can not guess who has what id), and they request reports of access
privileges when least expected.
So, it's all how you manage your set up. When I joined this company I was
going nuts about such things (remote_os_authent, default links by virtue
of
Oracle Names etc), but as I learned the environment I was comfortable..
And
it is helping us more than creating problems and concerns.
Cheers !
- Kirti
-Original Message-
Sent: Thursday, January 31, 2002 2:20 AM
To: Multiple recipients of list ORACLE-L
Deshpande, Kirti wrote:
We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't
do
this, but we have to, and that's another topic...
We also use a specific auth prefix.
Now, can someone show me how a Windoze user, 'GOD' get in the database
when
RE: OPS$ / default accounts
Big list. Didn't think of searching the directories. That would have been easier and better than searching the docs, as I did, Doh! I'll have to write a procedure to rename/lock them if they exist, Jim -Original Message- Faroult Sent: 31 January 2002 17:41 To: Multiple recipients of list ORACLE-L James McCann wrote: Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER There are many others in the various demos which may or may not have been run. Here here my additional passwords (when no password is specified, it means that the default is identical to the username) BTW it's TRACESVR/TRACE and REPADMIN/REPADMIN List compiled by searching 8.1.7 and 9i directories. RMAN/XX VRR1 VIDEOUSER USER0 to USER9 TEST SECDEMO SAMPLES PUBSUB PRIMARY POWERCARTUSER PO OSE$HTTP$ADMIN/FOO ORDMEDIADEMO ODS OCITEST MOREAU MONITOR MODTEST/YES MMO2 MILLER MIGRATE MFG MDSYS JONES/STEEL JOE/WELCOME (Logminer ;-) ?) JMSUSER IMAGEUSER GPLD GPFD FND FINANCE EVENT DUMMY DEPLOYER DEMO8 CSMIG COMPANY CLARK/CLOTH CDEMOUCB CDEMORID CDEMOCOR CDEMO82 BLAKE/PAPER AURORA$ORB$UNAUTHENTICATED/INVALID AURORA$JIS$UTILITY$ AUDIOUSER AQUSER AQJAVA ADLDEMO ADAMS/WOOD You can add TEST/TEST, DBA, ADMIN, ORACLE etc. to the list. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: James McCann INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$ / default accounts
It only exists if the Oracle Agent is running. In my case, it (the agent) is not running, so I don't have the file. (and I'm on NT, so we all know, there is no protection required! :) ) Tom Mercadante Oracle Certified Professional -Original Message- Sent: Thursday, January 31, 2002 1:26 PM To: Multiple recipients of list ORACLE-L change it in snmp.ora which is in clear text on the Unix server. protect that file! --- Mercadante, Thomas F [EMAIL PROTECTED] wrote: Hey All, Anyone remember how to change the DBSNMP password? I know I can change it in the db easily enough, but how does the server/DBSNMP listener process know what the new password is? Must be stored in an OS file someplace. I was just poking around trying to figure it out. The docs have the answer hidden someplace and Google is not responding to search requests. Just curious. And Jim, the first thing I do when I come upon an instance with these default accounts established, is to lock them (alter user account lock) so that someone cannot connect using them. Thanks! Tom Mercadante Oracle Certified Professional -Original Message- Sent: Thursday, January 31, 2002 11:43 AM To: Multiple recipients of list ORACLE-L Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any? Thanks, Jim perfstat/perfstat TRACESVR ??? is only used with 7.x Databases REPADMIN ??? CTXSYS/CTXSYS DBSNMP/DBSNMP INTERNAL/ORACLE MDSYS/MDSYS MTSSYS/MTSSYS ORDPLUGINS/ORDPLUGINS ORDSYS/ORDSYS OUTLN/OUTLN SYS/CHANGE_ON_INSTALL SYSTEM/MANAGER SCOTT/TIGER -Original Message- Kirti Sent: 31 January 2002 15:25 To: Multiple recipients of list ORACLE-L Stephane, Thanks. Yes, we are properly fenced None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -Original Message- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L Deshpande, Kirti wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing
RE: OPS$ / default accounts
Jared,
I'll have a go when I get the chance.
Did I hear someone on the list mention that you are bringing out an
Oracle/Perl book?
Jim
-Original Message-
[EMAIL PROTECTED]
Sent: 31 January 2002 18:39
To: Multiple recipients of list ORACLE-L
For those of you that use Perl and DBI, here's a script to check for
default
passwords. If you feel like extending the password list ( hint, hint ), I
wouldn't
mind a bit.
Jared
#!/export/home/oracle/perl/bin/perl
# odpc.pl
# oracle default password check
# Jared Still
# [EMAIL PROTECTED]
use warnings;
use DBI;
use strict;
use Getopt::Long;
my %optctl = ();
Getopt::Long::GetOptions(
\%optctl,
database=s,
username=s,
password=s,
sysdba!,
sysoper!,
z,h,help);
my($db, $username, $password, $connectionMode);
if (
$optctl{h}
|| $optctl{z}
|| $optctl{help}
) {
Usage(0);
}
$connectionMode = 0;
if ( $optctl{sysoper} ) { $connectionMode = 4 }
if ( $optctl{sysdba} ) { $connectionMode = 2 }
if ( ! defined($optctl{database}) ) {
Usage(1);
die database required\n;
}
$db=$optctl{database};
if ( ! defined($optctl{username}) ) {
Usage(1);
die username required\n;
}
$username=$optctl{username};
$password = $optctl{password};
my $dbh = DBI-connect(
'dbi:Oracle:' . $db,
$username, $password,
{
RaiseError = 1,
AutoCommit = 0,
ora_session_mode = $connectionMode
}
);
die Connect to $db failed \n unless $dbh;
# this is a hash of common default accounts and
# the default passwords in hex form
# to extend the list, just use this SQL
#
# select username, password
# from dba_users
#
# use the resulting password for accounts that
# you know are using the default password.
# change the password on a test database is
# necessary to get the correct data.
my %defusers = (
CTXSYS = '24ABAB8B06281B4C',
DBSNMP = 'E066D214D5421CCC',
LBACSYS= 'AC9700FD3F1410EB',
MDSYS = '72979A94BAD2AF80',
OAS_PUBLIC = '9300C0977D7DC75E',
OLAPDBA= '1AF71599EDACFB00',
OLAPSYS= '3FB8EF9DB538647C',
ORDPLUGINS = '88A2B2C183431F00',
ORDSYS = '7EFA02EC7EA6B86F',
OUTLN = '4A3BA55E08595C81',
SYS= 'D4C5016086B2DC6A',
SYSTEM = 'D4DF7931AB130E37',
TRACESVR = 'F9DA8977092B7B81',
WEBSYS = 'A97282CE3D94E29E',
WKSYS = '545E13456B7DDEA0'
);
my $MySql=select username, password from dba_users ;
$MySql .= q{ where username in('} . join(q{','}, keys %defusers) . q{')};
#print sql: $MySql\n;
my $sth = $dbh-prepare($MySql);
use vars qw{$rv};
my $rv = $sth-execute || die error with statement $MySql \n;
while( my $hash = $sth-fetchrow_hashref ) {
#print username: $hash-{USERNAME} password: $hash-{PASSWORD}\n;
if ( exists $defusers{$hash-{USERNAME}} ) {
if ( $defusers{$hash-{USERNAME}} eq $hash-{PASSWORD} ) {
printf(Account %-20s is using a default password\n,
$hash-{USERNAME});
}
}
}
$dbh-disconnect;
sub Usage {
my $exitval = shift;
use File::Basename;
my $basename = basename($0);
print qq{
usage: $basename Oracle Default Password Checker
-database ORACLE_SID
-username DBA account
-password account password
use one of the following options
to connect as SYSOPER or SYSDBA
[-sysdba || -sysoper]
};
exit $exitval;
}
James McCann [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/31/02 08:42 AM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc:
Subject:RE: OPS$ / default accounts
Speaking of default accounts with default passwords, here is my list that
I
check for. Anyone want to compare notes :) i.e. have I missed any?
Thanks,
Jim
perfstat/perfstat
TRACESVR ??? is only used with 7.x Databases
REPADMIN ???
CTXSYS/CTXSYS
DBSNMP/DBSNMP
INTERNAL/ORACLE
MDSYS/MDSYS
MTSSYS/MTSSYS
ORDPLUGINS/ORDPLUGINS
ORDSYS/ORDSYS
OUTLN/OUTLN
SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER
SCOTT/TIGER
-Original Message-
Kirti
Sent: 31 January 2002 15:25
To: Multiple recipients of list ORACLE-L
Stephane,
Thanks. Yes, we are properly fenced
None of the databases have those default accounts with default passwords.
We do not use OEM and that agent. Passwords of critical accounts get
changed
regularly and often. Database user ids are generated approved by Data
Security group before DBAs can add them to databases (so others do not
know
and can not guess who has what id), and they request reports of access
privileges when least expected.
So, it's all how you manage your set up. When I joined this company I was
going nuts about such things (remote_os_authent, default links by virtue
of
Oracle Names etc), but as I learned the environment I was comfortable..
And
it is helping us more than creating problems and concerns.
Cheers !
- Kirti
-Original Message-
Sent: Thursday, January 31, 2002 2:20 AM
To: Multiple recipients of list ORACLE-L
Deshpande, Kirti wrote
RE: OPS$ / default accounts
Yes, Andy Duncan and I are collaborating on one.
Jared
James McCann [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/31/02 12:50 PM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc:
Subject:RE: OPS$ / default accounts
Jared,
I'll have a go when I get the chance.
Did I hear someone on the list mention that you are bringing out an
Oracle/Perl book?
Jim
-Original Message-
[EMAIL PROTECTED]
Sent: 31 January 2002 18:39
To: Multiple recipients of list ORACLE-L
For those of you that use Perl and DBI, here's a script to check for
default
passwords. If you feel like extending the password list ( hint, hint ), I
wouldn't
mind a bit.
Jared
#!/export/home/oracle/perl/bin/perl
# odpc.pl
# oracle default password check
# Jared Still
# [EMAIL PROTECTED]
use warnings;
use DBI;
use strict;
use Getopt::Long;
my %optctl = ();
Getopt::Long::GetOptions(
\%optctl,
database=s,
username=s,
password=s,
sysdba!,
sysoper!,
z,h,help);
my($db, $username, $password, $connectionMode);
if (
$optctl{h}
|| $optctl{z}
|| $optctl{help}
) {
Usage(0);
}
$connectionMode = 0;
if ( $optctl{sysoper} ) { $connectionMode = 4 }
if ( $optctl{sysdba} ) { $connectionMode = 2 }
if ( ! defined($optctl{database}) ) {
Usage(1);
die database required\n;
}
$db=$optctl{database};
if ( ! defined($optctl{username}) ) {
Usage(1);
die username required\n;
}
$username=$optctl{username};
$password = $optctl{password};
my $dbh = DBI-connect(
'dbi:Oracle:' . $db,
$username, $password,
{
RaiseError = 1,
AutoCommit = 0,
ora_session_mode = $connectionMode
}
);
die Connect to $db failed \n unless $dbh;
# this is a hash of common default accounts and
# the default passwords in hex form
# to extend the list, just use this SQL
#
# select username, password
# from dba_users
#
# use the resulting password for accounts that
# you know are using the default password.
# change the password on a test database is
# necessary to get the correct data.
my %defusers = (
CTXSYS = '24ABAB8B06281B4C',
DBSNMP = 'E066D214D5421CCC',
LBACSYS= 'AC9700FD3F1410EB',
MDSYS = '72979A94BAD2AF80',
OAS_PUBLIC = '9300C0977D7DC75E',
OLAPDBA= '1AF71599EDACFB00',
OLAPSYS= '3FB8EF9DB538647C',
ORDPLUGINS = '88A2B2C183431F00',
ORDSYS = '7EFA02EC7EA6B86F',
OUTLN = '4A3BA55E08595C81',
SYS= 'D4C5016086B2DC6A',
SYSTEM = 'D4DF7931AB130E37',
TRACESVR = 'F9DA8977092B7B81',
WEBSYS = 'A97282CE3D94E29E',
WKSYS = '545E13456B7DDEA0'
);
my $MySql=select username, password from dba_users ;
$MySql .= q{ where username in('} . join(q{','}, keys %defusers) . q{')};
#print sql: $MySql\n;
my $sth = $dbh-prepare($MySql);
use vars qw{$rv};
my $rv = $sth-execute || die error with statement $MySql \n;
while( my $hash = $sth-fetchrow_hashref ) {
#print username: $hash-{USERNAME} password: $hash-{PASSWORD}\n;
if ( exists $defusers{$hash-{USERNAME}} ) {
if ( $defusers{$hash-{USERNAME}} eq $hash-{PASSWORD} ) {
printf(Account %-20s is using a default password\n,
$hash-{USERNAME});
}
}
}
$dbh-disconnect;
sub Usage {
my $exitval = shift;
use File::Basename;
my $basename = basename($0);
print qq{
usage: $basename Oracle Default Password Checker
-database ORACLE_SID
-username DBA account
-password account password
use one of the following options
to connect as SYSOPER or SYSDBA
[-sysdba || -sysoper]
};
exit $exitval;
}
James McCann [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/31/02 08:42 AM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L
[EMAIL PROTECTED]
cc:
Subject:RE: OPS$ / default accounts
Speaking of default accounts with default passwords, here is my list that
I
check for. Anyone want to compare notes :) i.e. have I missed any?
Thanks,
Jim
perfstat/perfstat
TRACESVR ??? is only used with 7.x Databases
REPADMIN ???
CTXSYS/CTXSYS
DBSNMP/DBSNMP
INTERNAL/ORACLE
MDSYS/MDSYS
MTSSYS/MTSSYS
ORDPLUGINS/ORDPLUGINS
ORDSYS/ORDSYS
OUTLN/OUTLN
SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER
SCOTT/TIGER
-Original Message-
Kirti
Sent: 31 January 2002 15:25
To: Multiple recipients of list ORACLE-L
Stephane,
Thanks. Yes, we are properly fenced
None of the databases have those default accounts with default passwords.
We do not use OEM and that agent. Passwords of critical accounts get
changed
regularly and often. Database user ids are generated approved by Data
Security group before DBAs can add them to databases (so others do not
know
and can not guess who has what id), and they request reports of access
privileges when least expected.
So, it's all how you manage your set up. When I joined this company I was
going nuts about such things (remote_os_authent, default
Re: OPS$
anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
Even so, they are still limited by the permissions given to OPS$ORACLE. Right? Ron -Original Message- Sent: Wednesday, January 30, 2002 1:26 PM To: Multiple recipients of list ORACLE-L anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$
They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$
Smith, Ron L. wrote: Can you explain that? You have me scared now. Ron, Do not forget the postulate 'if you set remote_os_authent to TRUE'. This is not the default (although it has not always been, but it dates back to SQL*Net V1) -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
Well, yes, the can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem. The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of. The question you want to ask yourself is how good is your front-end security? -Original Message- Sent: Wednesday, January 30, 2002 4:26 PM To: Multiple recipients of list ORACLE-L Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bellows, Bambi INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may
RE: OPS$
We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti -Original Message- Sent: Wednesday, January 30, 2002 4:45 PM To: Multiple recipients of list ORACLE-L Smith, Ron L. wrote: Can you explain that? You have me scared now. Ron, Do not forget the postulate 'if you set remote_os_authent to TRUE'. This is not the default (although it has not always been, but it dates back to SQL*Net V1) -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
Oops, shouldn't have said anything. This was on older versions of Oracle. I just tried to reproduce it on 8.1.7, and it would not let me in as SYSTEM via remote_os_authent. Jared Smith, Ron L. [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 02:25 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: OPS$ Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
Bambi, Do you ( or anyone else for that matter ) have an example of how to setup remote_os_authent so that it is insecure? With Sqlnet v1 and early v2 I think, all you had to do was set the value of USER_ID in oracle.ini. e.g. USER_ID = jkstill where 'jkstill' is identified externally. I have been able to setup an account on a remote database that allows me to login via ' sqlplus /@ifsdev ', but only into an account that matches my NT client login name. If you know how to do this so that another account such as SYSTEM could be logged into via a backdoor as in days of yore, I'd sure like to see it. If for no other reason than just to make sure I never set up a database/client to work that way. :) Jared Bellows, Bambi [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 02:55 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: OPS$ Well, yes, the can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem. The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of. The question you want to ask yourself is how good is your front-end security? -Original Message- Sent: Wednesday, January 30, 2002 4:26 PM To: Multiple recipients of list ORACLE-L Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists
Re: OPS$
For Oracle security issues, check out the site http://documents.iss.net/literature/DatabaseScanner/reports/oracle/OraPolicy.pdf Plus, also there was one by Kevin Loney about security. I forget the site. Raj Rachel Carmichael To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] wisernet100@cc: yahoo.com Subject: Re: OPS$ Sent by: root@fatcity. com January 30, 2002 02:25 PM Please respond to ORACLE-L anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
okay if the prefix string is set to an empty string, then the OS username is the same name as that used to sign in to the client. So if you have an empty prefix, and someone logs onto their PC as SYSTEM then if they do sqlplus, they should be able to get into the system account. Except... system isn't set as identified externally they'd have to enter the password right? Jared?? but any Oracle account you create as identified externally (meaning the OS does the password validation, Oracle presumes the security is there) can log onto the database by setting the client login to that name --- Smith, Ron L. [EMAIL PROTECTED] wrote: Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS$
www.kevinloney.com --- [EMAIL PROTECTED] wrote: For Oracle security issues, check out the site http://documents.iss.net/literature/DatabaseScanner/reports/oracle/OraPolicy.pdf Plus, also there was one by Kevin Loney about security. I forget the site. Raj Rachel Carmichael To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] wisernet100@cc: yahoo.com Subject: Re: OPS$ Sent by: root@fatcity. com January 30, 2002 02:25 PM Please respond to ORACLE-L anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538
RE: OPS$
yep... any account set up as identified externally should have its privileges scrutinized CAREFULLY and you should not grant any of the default roles, Connect, Resource and most especially NOT DBA. --- Deshpande, Kirti [EMAIL PROTECTED] wrote: We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic... We also use a specific auth prefix. Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, 'Auth_PrefixGOD' in my database. I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc Sure, if I had auth_prefixGOD in the database, I will be looking for another job Right? - Kirti -Original Message- Sent: Wednesday, January 30, 2002 4:45 PM To: Multiple recipients of list ORACLE-L Smith, Ron L. wrote: Can you explain that? You have me scared now. Ron, Do not forget the postulate 'if you set remote_os_authent to TRUE'. This is not the default (although it has not always been, but it dates back to SQL*Net V1) -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS$
I know I'm probably one of the few NT weenies on the list so I hope I don't get too much guff from the unix guys... Disabling remote_os_authent and using external authentication are not mutually exclusive, and its not completely devoid of security in NT. Consider this configuration remote_os_authent=false osauth_prefix_domain=true sqlnet.authentication_services=(nts) Now I can create externally authenticated database accounts, prefixed with the domain name instead of OPS$. When they connect to the database Oracle will authenticate them via Kerberos or NTLM, so their password doesn't even have to be passed over the network. And they are authenticated by the domain, so creating a rogue server and creating a user account with the same name still isn't going to get you authenticated, unless you can set the password on the rogue machine to the same password as the domain account. Or am I living in a rose colored dream world? Beth -Original Message- Sent: Wednesday, January 30, 2002 5:55 PM To: Multiple recipients of list ORACLE-L Well, yes, the can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem. The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of. The question you want to ask yourself is how good is your front-end security? -Original Message- Sent: Wednesday, January 30, 2002 4:26 PM To: Multiple recipients of list ORACLE-L Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX
Re: OPS$
The SYSTEM account was just an example, it could be any account with DBA privileges. With current versions of Oracle I haven't found any 'backdoors' such as the one that existed in Oracle 7.x, though I may keep looking. Jared On Wednesday 30 January 2002 18:05, Rachel Carmichael wrote: okay if the prefix string is set to an empty string, then the OS username is the same name as that used to sign in to the client. So if you have an empty prefix, and someone logs onto their PC as SYSTEM then if they do sqlplus, they should be able to get into the system account. Except... system isn't set as identified externally they'd have to enter the password right? Jared?? but any Oracle account you create as identified externally (meaning the OS does the password validation, Oracle presumes the security is there) can log onto the database by setting the client login to that name --- Smith, Ron L. [EMAIL PROTECTED] wrote: Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists
Re: OPS$
Sounds about right to me. The security part, that is. :) Jared On Wednesday 30 January 2002 19:25, Seefelt, Beth wrote: I know I'm probably one of the few NT weenies on the list so I hope I don't get too much guff from the unix guys... Disabling remote_os_authent and using external authentication are not mutually exclusive, and its not completely devoid of security in NT. Consider this configuration remote_os_authent=false osauth_prefix_domain=true sqlnet.authentication_services=(nts) Now I can create externally authenticated database accounts, prefixed with the domain name instead of OPS$. When they connect to the database Oracle will authenticate them via Kerberos or NTLM, so their password doesn't even have to be passed over the network. And they are authenticated by the domain, so creating a rogue server and creating a user account with the same name still isn't going to get you authenticated, unless you can set the password on the rogue machine to the same password as the domain account. Or am I living in a rose colored dream world? Beth -Original Message- Sent: Wednesday, January 30, 2002 5:55 PM To: Multiple recipients of list ORACLE-L Well, yes, the can set their name to SYSTEM, SYS, SCOTT, whatever, and so long as your authentication demands an OPS$ or basically any other non null string of characters, who cares? OPS$SYSTEM is not going to wind up being a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then you've got a problem. The long and short of it is that the OPS security is only as good as the box it is serving. If you're on any computer with C level security or higher, there is nothing wrong with using OPS$ as you are using operating system level security. So, if, for example, you are using VMS, MVS, CDC, Cray, or anything us old folks might have used 10 years ago, OPS$ is terrific. If your operating system is making Bill Gates richer, you have no security to speak of. The question you want to ask yourself is how good is your front-end security? -Original Message- Sent: Wednesday, January 30, 2002 4:26 PM To: Multiple recipients of list ORACLE-L Can you explain that? You have me scared now. -Original Message- Sent: Wednesday, January 30, 2002 4:00 PM To: Multiple recipients of list ORACLE-L They can also set their username to 'SYSTEM'. Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/30/02 11:25 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:Re: OPS$ anyone can name their pc oracle and then connect in if you set remote_os_authent --- Smith, Ron L. [EMAIL PROTECTED] wrote: Does anyone have any information on security problems using the OPS$ account? Ron -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Smith, Ron L. INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS Internal Secrets? WAS:: RE: Michael Jenkins (Nextel)
Oooh!! Gives new meaning to having the right sin-tax. Henry -Original Message- Sent: Thursday, October 04, 2001 6:42 PM To: Multiple recipients of list ORACLE-L Wow!!!.including everything on the so-called SQL*Sluts??? slobber. On topic Oracle Question: Using oracle JDeveloper, is there any way to use a method Class.Method without having to load the *entire* Class? -Original Message- Sent: Thursday, October 04, 2001 6:18 PM To: Multiple recipients of list ORACLE-L The top-secret diary of Lawrence Ellison. -Original Message- Sent: Thursday, October 04, 2001 4:50 PM To: Multiple recipients of list ORACLE-L Sounds interesting! What, pray tell, are in the documents? Wow...internal OPS secrets? -Original Message- Sent: Thursday, October 04, 2001 3:51 PM To: Multiple recipients of list ORACLE-L Michael - This is Brian McGraw, from the OPS class. Please email me - I found the documents that we discussed. Brian -- -- | Brian McGraw -- Oracle DBA | | Central Alabama Oracle Users Group | || | mailto:[EMAIL PROTECTED] | | http://bmcgraw.home.mindspring.com | -- -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Brian McGraw INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mohan, Ross INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jenkins, Michael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mohan, Ross INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Henry Poras INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS Internal Secrets? WAS:: RE: Michael Jenkins (Nextel)
The top-secret diary of Lawrence Ellison. -Original Message- Sent: Thursday, October 04, 2001 4:50 PM To: Multiple recipients of list ORACLE-L Sounds interesting! What, pray tell, are in the documents? Wow...internal OPS secrets? -Original Message- Sent: Thursday, October 04, 2001 3:51 PM To: Multiple recipients of list ORACLE-L Michael - This is Brian McGraw, from the OPS class. Please email me - I found the documents that we discussed. Brian -- -- | Brian McGraw -- Oracle DBA | | Central Alabama Oracle Users Group | || | mailto:[EMAIL PROTECTED] | | http://bmcgraw.home.mindspring.com | -- -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Brian McGraw INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mohan, Ross INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jenkins, Michael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS Internal Secrets? WAS:: RE: Michael Jenkins (Nextel)
Wow!!!.including everything on the so-called SQL*Sluts??? slobber. On topic Oracle Question: Using oracle JDeveloper, is there any way to use a method Class.Method without having to load the *entire* Class? -Original Message- Sent: Thursday, October 04, 2001 6:18 PM To: Multiple recipients of list ORACLE-L The top-secret diary of Lawrence Ellison. -Original Message- Sent: Thursday, October 04, 2001 4:50 PM To: Multiple recipients of list ORACLE-L Sounds interesting! What, pray tell, are in the documents? Wow...internal OPS secrets? -Original Message- Sent: Thursday, October 04, 2001 3:51 PM To: Multiple recipients of list ORACLE-L Michael - This is Brian McGraw, from the OPS class. Please email me - I found the documents that we discussed. Brian -- -- | Brian McGraw -- Oracle DBA | | Central Alabama Oracle Users Group | || | mailto:[EMAIL PROTECTED] | | http://bmcgraw.home.mindspring.com | -- -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Brian McGraw INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mohan, Ross INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jenkins, Michael INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mohan, Ross INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: RE: OPS instalation - pretty urgent
Cyral, The frame is nothing more than the component that holds the equipment. Oracle can support upto 256 instances in a RS6000/SP environment. I have setup 16 instances on 16 nodes in SP environment and have seen upto 100 instances on 100 nodes. This is the long answer to you question which is yes. Scott --- Cyril Thankappan [EMAIL PROTECTED] wrote: Hi I am sorry if someone has replied this But can someone PLEASE tell me if IBM supports OPS across their SP frames. or only support OPS WITHIN SINGLE SP frame? Thanks -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Cyril Thankappan INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Terrorist Attacks on U.S. - How can you help? Donate cash, emergency relief information http://dailynews.yahoo.com/fc/US/Emergency_Information/ -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Scott INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Re: OPS: Where's the installer
The 8.1.6 and above Enterprise Edition comes with the Parallel Server Option (along with the advanced replication etc.. in the same 'page'!) -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Cyril Thankappan INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: RE: OPS instalation - pretty urgent
Hi I am sorry if someone has replied this But can someone PLEASE tell me if IBM supports OPS across their SP frames. or only support OPS WITHIN SINGLE SP frame? Thanks -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Cyril Thankappan INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS instalation - pretty urgent
!! Please do not post Off Topic to this List !! Actually, failover (TAF - for connection, session, and select) works fine without MTS. I've built six 8i OPS systems in the last year or so using TAF without MTS. (None had direct Java clients though.) MTS is not required for the older multiple descriptions in a description list type of load balancing that has been around since Oracle7. The 8i method (load_balance=on) is much more flexible and simpler to configure though. Actually, almost all of the 8i OPS systems I've done used Tuxedo middleware. Since connections were already multiplexed through Tuxedo, we didn't need MTS for that. We let Tux do the load balancing and manage some of the failover also - so we could transparently (to the client) resubmit failed update, insert, and delete transactions. Tux query processes and other connections (reports, etc.) that performed only queries just used Net8 TAF to reduce the complexity at the Tux layer. I haven't used Oracle Connection Manager except in a few experiments some time ago, but believe that it does require MTS. And... if you don't need MTS, you don't need dispatcher cross-registration. -Don Granaman [OraSaurus - Honk if you remember UFI!] - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Thursday, September 13, 2001 3:45 PM !! Please do not post Off Topic to this List !! Don, failover, dispatcher cross registration and server load balancing require MTS. Second, I'm not on AIX, that is why I was guessing about semaphores. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Don Granaman INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: RE: OPS instalation - pretty urgent
!! Please do not post Off Topic to this List !! Hi SOrry about this.. But I have actually seen the Net8 (shipped with Oracle 8.1.7 client CD) using Oracle 8.1.6 Enterprise Edition Database Server, where the failover works WITHOUT mts. However, Gopal, can you please clarify whether IBM insists on implementing OPS ONLY WITHIN a frame? Kindly note, my question is WHETHER we can implement OPS (Real Application Clusters) across two IBM frames. Thanks a lot -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Cyril Thankappan INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS instalation - pretty urgent
!! Please do not post Off Topic to this List !! Hi, on AIX platforms, Oracle actually uses it's post wait driver architecture. It's a substitute for the operating system's semaphores. The background is that due to an exhaustive overhead dealing with OS semaphores (context switch), Oracle handles the waits within the (Oracle) kernel space instead of handing over the control to the OS's kernel space. See Steve Adam's Oracle Internals book. | Regards, | | Stefan Jahnke | | BOV AG | | @:D2 Vodafone, Abt.: FBOM | | Tel.: 0211/533-4893| K Gopalakrishnan schrieb: !! Please do not post Off Topic to this List !! Hi, You are right. IBM uses a light weight process (post wait driver??) instead of typical System V semaphores. It is dynamically allocated and you don't need to explicitly set them in sys config files (Right John??) Best Regards, K Gopalakrishnan Bangalore, INDIA -Original Message- Mladen Sent: Thursday, September 13, 2001 1:45 PM To: Multiple recipients of list ORACLE-L !! Please do not post Off Topic to this List !! Don, failover, dispatcher cross registration and server load balancing require MTS. Second, I'm not on AIX, that is why I was guessing about semaphores. Here are my versions: SQL*Plus: Release 8.1.7.0.0 - Production on Thu Sep 13 15:36:53 2001 (c) Copyright 2000 Oracle Corporation. All rights reserved. Enter password: Connected to: Oracle8i Enterprise Edition Release 8.1.7.1.0 - 64bit Production With the Partitioning and Parallel Server options JServer Release 8.1.7.1.0 - 64bit Production SQL HP-UX pdev1-a B.11.00 U 9000/800 I admit that my advice might be a little bit off when it comes to IBM. HP uses semaphores and we do have tons of those. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gogala, Mladen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: K Gopalakrishnan INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). - This Mail has been checked for Viruses Attention: Encrypted mails can NOT be checked! ** Diese Mail wurde auf Viren geprueft Hinweis: Verschluesselte mails koennen NICHT auf Viren geprueft werden! - -- -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stefan Jahnke INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS instalation - pretty urgent
!! Please do not post Off Topic to this List !! Gopal et al, One of the main differences between Oracle on HP-UX/Solaris/Sequent and Oracle on IBM is their use of the Post-wait driver which uses a 'test-and-set' lightweight mechanisn instead of semaphores. The other difference (in this OS memory structure area) is that Shared Memory segments need not be configured - there is of course an internal limit. I have never encountered this limit though). This greatly reduces the risk of having to restart the OS when adding databases to an existing box and the /etc/system needs to be changed. I don't want to start on the ease/strength/maturity of AIX's Logical Volume Manager lest I trigger off a your-OS-vs-mine war! John Kanagaraj Oracle Applications DBA DB Soft Inc Work : (408) 970 7002 Listen to great, commercial-free christian music 24x7x365 at http://www.klove.com ** The opinions and facts contained in this message are entirely mine and do not reflect those of my employer or customers ** You are right. IBM uses a light weight process (post wait driver??) instead of typical System V semaphores. It is dynamically allocated and you don't need to explicitly set them in sys config files (Right John??) Best Regards, K Gopalakrishnan Bangalore, INDIA -Original Message- Mladen Sent: Thursday, September 13, 2001 1:45 PM To: Multiple recipients of list ORACLE-L !! Please do not post Off Topic to this List !! Don, failover, dispatcher cross registration and server load balancing require MTS. Second, I'm not on AIX, that is why I was guessing about semaphores. Here are my versions: SQL*Plus: Release 8.1.7.0.0 - Production on Thu Sep 13 15:36:53 2001 (c) Copyright 2000 Oracle Corporation. All rights reserved. Enter password: Connected to: Oracle8i Enterprise Edition Release 8.1.7.1.0 - 64bit Production With the Partitioning and Parallel Server options JServer Release 8.1.7.1.0 - 64bit Production SQL HP-UX pdev1-a B.11.00 U 9000/800 I admit that my advice might be a little bit off when it comes to IBM. HP uses semaphores and we do have tons of those. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gogala, Mladen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: K Gopalakrishnan INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS: Where's the installer
!! Please do not post Off Topic to this List !! Pablo - I'm not familiar w/ AIX, but on Solaris, you don't see the OPS option until the DLM has been installed on the OS. Brian Pablo ksksksk wrote: !! Please do not post Off Topic to this List !! Hi again I've got Oracle 8.1.6 EE for AIX. I run the installer but I don't see any option named Parallel Server Do I have the correct CD? Where is OPS? TIA ___ Do You Yahoo!? Yahoo! Messenger: Comunicación instantánea gratis con tu gente - http://messenger.yahoo.es -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: =?iso-8859-1?q?Pablo=20ksksksk?= INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- -- | Brian McGraw -- Oracle DBA | | Central Alabama Oracle Users Group | || | mailto:[EMAIL PROTECTED] | | http://bmcgraw.home.mindspring.com | -- -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Brian McGraw INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS instalation - pretty urgent
!! Please do not post Off Topic to this List !! Don, failover, dispatcher cross registration and server load balancing require MTS. Second, I'm not on AIX, that is why I was guessing about semaphores. Here are my versions: SQL*Plus: Release 8.1.7.0.0 - Production on Thu Sep 13 15:36:53 2001 (c) Copyright 2000 Oracle Corporation. All rights reserved. Enter password: Connected to: Oracle8i Enterprise Edition Release 8.1.7.1.0 - 64bit Production With the Partitioning and Parallel Server options JServer Release 8.1.7.1.0 - 64bit Production SQL HP-UX pdev1-a B.11.00 U 9000/800 I admit that my advice might be a little bit off when it comes to IBM. HP uses semaphores and we do have tons of those. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gogala, Mladen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS instalation - pretty urgent
!! Please do not post Off Topic to this List !! Private vs. public redo log threads mainly influence the instance startup time, nothing more. Instance nimber x will look for a private redo log thread x and if it doesn't find it, it will start looking for an unused public redo log thread. You can make a public redo log thread orivate by disabling it and then re-enabling it without the keyword GLOBAL. With rollback segments, it's a different issue. You should have private rollback segments, in their separate tablespaces so that no two instances access the same tablespace for rollback segments. Bear in mind that as of 8.1.7 when an instance needs a read consistent image of a block, it will ask the instance that owns the exclusive lock to produce one and then ship it over the interconnect (hypefabric or clic in my case). That means that rollback segments will be very heavily used (unless, and this is for the real conossieurs, the cache fusion was disabled by setting _cr_server to FALSE.) As for the releasable locks, they are very CPU intensive, and instance will use an incredible amounts of the CPU time. If that is a problem, allocate permanent instead of the releasable locks. You will have to read the manuals to understand this one. -Original Message- From: Pablo ksksksk [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 12, 2001 8:00 PM To: Multiple recipients of list ORACLE-L Subject: RE: OPS instalation - pretty urgent Hi Mladen Thanks for the answer. I'm already doing some reading... I'd like to ask you some questions about your answer Here I go. Please be nice if I'm wrong 1)Log threads have to be private to each instance, right? there's no Public thread I think. 2)Is it usual to use PUBLIC rollback segments in OPS, or people just preffer PRIVATE ones. and Why? is there a performance issue involved? 3)I really don't know what you mean with this: Start with static locking(hashed, GC_FILES_TO_LOCKS) and turn it to releasable for the high concurrency tables (if it's hard to explain, don't worry I'll try to find it out) 4)Why do you say I'll need MTS? That depends on the number of users using the system right? Thanks for your time. I appreciate it. Uh, oh! Did you just say OPS? First of all, go to Oracle and ask them for EXACTLY the OS version you need and the required OS patches. Second, plan your configuration: private rollback segments, private log threads, locally managed tablespaces, you should know exactly how much space do you need for SYSTEM, how many 1GB log files you need, etc, etc. You are probably aware that everything has to reside on the raw devices. Find a good SA to carve up your disk drives to fit your needs. Start with static locking (hashed, GC_FILES_TO_LOCKS) and turn it to releasable for the high concurrency tables. Configure large pool for the MTS connections, you'll need it. Ask oracle IBM whether you need any specific OS parameter to be set (AIO, nonpageable memory, post-wait extensions), make sure that you have a truckload of semaphore sets and 50 times more semaphores. Don't be stinting on the shared memory size. Download all relevant manuals from metalink, print them out on your bosses favorite laserjet and read them. Remember the following phone number: (800) 223-1711. Take vacation when you're done. ___ Do You Yahoo!? Yahoo! Messenger: Comunicación instantánea gratis con tu gente - http://messenger.yahoo.es -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: =?iso-8859-1?q?Pablo=20ksksksk?= INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gogala, Mladen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS instalation - pretty urgent
!! Please do not post Off Topic to this List !! Hi, You are right. IBM uses a light weight process (post wait driver??) instead of typical System V semaphores. It is dynamically allocated and you don't need to explicitly set them in sys config files (Right John??) Best Regards, K Gopalakrishnan Bangalore, INDIA -Original Message- Mladen Sent: Thursday, September 13, 2001 1:45 PM To: Multiple recipients of list ORACLE-L !! Please do not post Off Topic to this List !! Don, failover, dispatcher cross registration and server load balancing require MTS. Second, I'm not on AIX, that is why I was guessing about semaphores. Here are my versions: SQL*Plus: Release 8.1.7.0.0 - Production on Thu Sep 13 15:36:53 2001 (c) Copyright 2000 Oracle Corporation. All rights reserved. Enter password: Connected to: Oracle8i Enterprise Edition Release 8.1.7.1.0 - 64bit Production With the Partitioning and Parallel Server options JServer Release 8.1.7.1.0 - 64bit Production SQL HP-UX pdev1-a B.11.00 U 9000/800 I admit that my advice might be a little bit off when it comes to IBM. HP uses semaphores and we do have tons of those. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gogala, Mladen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: K Gopalakrishnan INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS instalation - pretty urgent
Uh, oh! Did you just say OPS? First of all, go to Oracle and ask them for EXACTLY the OS version you need and the required OS patches. Second, plan your configuration: private rollback segments, private log threads, locally managed tablespaces, you should know exactly how much space do you need for SYSTEM, how many 1GB log files you need, etc, etc. You are probably aware that everything has to reside on the raw devices. Find a good SA to carve up your disk drives to fit your needs. Start with static locking (hashed, GC_FILES_TO_LOCKS) and turn it to releasable for the high concurrency tables. Configure large pool for the MTS connections, you'll need it. Ask oracle IBM whether you need any specific OS parameter to be set (AIO, nonpageable memory, post-wait extensions), make sure that you have a truckload of semaphore sets and 50 times more semaphores. Don't be stinting on the shared memory size. Download all relevant manuals from metalink, print them out on your bosses favorite laserjet and read them. Remember the following phone number: (800) 223-1711. Take vacation when you're done. -Original Message- From: Pablo ksksksk [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 12, 2001 6:33 PM To: Multiple recipients of list ORACLE-L Subject: OPS instalation - pretty urgent Hi it's the first time I'm going to install an OPS (Oracle 8.1.6 and AIX 4.3). What things should I take care of? (patches, some tips, etc) Where can I find some documentation (besides Oracle Concept Manual), can someone point me good docs? TIA ___ Do You Yahoo!? Yahoo! Messenger: Comunicación instantánea gratis con tu gente - http://messenger.yahoo.es -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: =?iso-8859-1?q?Pablo=20ksksksk?= INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gogala, Mladen INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS instalation - pretty urgent
Sorry I forgot to ask this one too: In the manual says that one OPS advantage is High Avaiability, now, in a client-server application,if node1 goes down, how do clients that ussually connect to node1 access the DB now? How do they know that node1 is down and that now they have to connect through node2? Thanks ___ Do You Yahoo!? Yahoo! Messenger: Comunicación instantánea gratis con tu gente - http://messenger.yahoo.es -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: =?iso-8859-1?q?Pablo=20ksksksk?= INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: OPS instalation - pretty urgent
Hi Mladen Thanks for the answer. I'm already doing some reading... I'd like to ask you some questions about your answer Here I go. Please be nice if I'm wrong 1)Log threads have to be private to each instance, right? there's no Public thread I think. 2)Is it usual to use PUBLIC rollback segments in OPS, or people just preffer PRIVATE ones. and Why? is there a performance issue involved? 3)I really don't know what you mean with this: Start with static locking(hashed, GC_FILES_TO_LOCKS) and turn it to releasable for the high concurrency tables (if it's hard to explain, don't worry I'll try to find it out) 4)Why do you say I'll need MTS? That depends on the number of users using the system right? Thanks for your time. I appreciate it. Uh, oh! Did you just say OPS? First of all, go to Oracle and ask them for EXACTLY the OS version you need and the required OS patches. Second, plan your configuration: private rollback segments, private log threads, locally managed tablespaces, you should know exactly how much space do you need for SYSTEM, how many 1GB log files you need, etc, etc. You are probably aware that everything has to reside on the raw devices. Find a good SA to carve up your disk drives to fit your needs. Start with static locking (hashed, GC_FILES_TO_LOCKS) and turn it to releasable for the high concurrency tables. Configure large pool for the MTS connections, you'll need it. Ask oracle IBM whether you need any specific OS parameter to be set (AIO, nonpageable memory, post-wait extensions), make sure that you have a truckload of semaphore sets and 50 times more semaphores. Don't be stinting on the shared memory size. Download all relevant manuals from metalink, print them out on your bosses favorite laserjet and read them. Remember the following phone number: (800) 223-1711. Take vacation when you're done. ___ Do You Yahoo!? Yahoo! Messenger: Comunicación instantánea gratis con tu gente - http://messenger.yahoo.es -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: =?iso-8859-1?q?Pablo=20ksksksk?= INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: OPS instalation - pretty urgent
I'll add my 2 cents worth here... I think perhaps the esteemed Mladen is exaggerating a wee bit ;-) In addition to the Oracle 8i Concepts Manual, you will want to read the Oracle 8i Parallel Server Concepts Manual - http://otn.oracle.com/docs/products/oracle8i/doc_library/817_doc/paraserv.817/a7 6968/toc.htm - and the Oracle 8i Parallel Server Administration, Deployment, and Performance Guide - http://otn.oracle.com/docs/products/oracle8i/doc_library/817_doc/paraserv.817/a7 6970/toc.htm - and perhaps a few white papers specific to OPS on AIX (sorry, I don't have specific references for AIX). The blueprints at www.eECOstructure.com have quite a bit of platform-specific information about OPS - including AIX. It may take a pith helmet and a machete to wade through everything else and find it though. For failover of client connections, you will want to use the capabilities of Net8 - assuming that you are using Net8 for these connections. Relevant references include the aforementioned OPS manuals and the Net8 Administrator's Guide - http://otn.oracle.com/docs/products/oracle8i/doc_library/817_doc/network.817/a76 933/toc.htm as well as a few particularly relevant notes on MetaLink (search on transparent application failover). I agreed with: private rollback segments, private log threads (required), etc. I good SA is critical - you will become the closest of partners in this adventure! As for the SYSTEM tablespace, perhaps a bit more than for a non-OPS installation, but it mostly depends on the same factors as an exclusive Oracle system. Unless you have specific needs in SYSTEM for replication, auditing, and such, just use 300-500 MB if you can afford the space. You probably won't need it all, but you might need up to 200 MB or so, depending on the application and installed/enabled options. You do not necessarily need 1 GB redo log files for OPS - it depends on the nature of your system just as in any other Oracle layout. 50x more semaphores? Where did this come from?!? I thought that AIX used the post-wait kernel extensions instead of semaphores, but it has been years since I've done AIX. I've built a number of 7.x, 8.0.x, and 8.1.x OPS systems (all on Sun recently though) and never had to do anything like 50x semaphores! 2x+50 semaphores perhaps, but not 50x! As for MTS, uh... hmmm...well... I'd rather pass, but thanks anyway. My personal prejudice perhaps and it isn't OPS specific. I've built about a dozen OPS systems in the last three years, some were truly huge (e.g. clustered Sun E10Ks), and not one used MTS. The choice of MTS or not depends (again) largely on non-OPS specific constraints. I would change one other thing. Take vacation before you start! If you have never done OPS before and are not very familiar with the OS, Oracle, and application OPS-specific issues and/or do not have an SA that is familiar with OPS on AIX, then you have a fairly steep learning curve and a long project ahead! Especially if this is for any kind of critical system and the intended use of OPS is for anything other than a strict active-passive availability solution, the system is OLTP or a hybrid, and you don't yet have a very solid grasp yet on how to make the application behave well in an OPS environment. You will likely be ready (overdue?) for another vacation when you're done! I'm not trying to scare you off or be condescending, but the original question sounded a little like someone with 80 hours in a single engine Cessna 4-seater climbing into the cockpit of a SR-76 Blackbird and asking How do I start this critter? -Don Granaman [certifiable (OPS) OraSaurus] - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Wednesday, September 12, 2001 6:12 PM Uh, oh! Did you just say OPS? First of all, go to Oracle and ask them for EXACTLY the OS version you need and the required OS patches. Second, plan your configuration: private rollback segments, private log threads, locally managed tablespaces, you should know exactly how much space do you need for SYSTEM, how many 1GB log files you need, etc, etc. You are probably aware that everything has to reside on the raw devices. Find a good SA to carve up your disk drives to fit your needs. Start with static locking (hashed, GC_FILES_TO_LOCKS) and turn it to releasable for the high concurrency tables. Configure large pool for the MTS connections, you'll need it. Ask oracle IBM whether you need any specific OS parameter to be set (AIO, nonpageable memory, post-wait extensions), make sure that you have a truckload of semaphore sets and 50 times more semaphores. Don't be stinting on the shared memory size. Download all relevant manuals from metalink, print them out on your bosses favorite laserjet and read them. Remember the following phone number: (800) 223-1711. Take vacation when you're done. -Original Message- From: Pablo ksksksk [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 12, 2001 6:33
Re: OPS on a single machine ?
Hi, thanks alot for all the information. It is ok if it is not officially supported by Oracle since I need the configuration just for testing. The future purpose is an installation at a client's side to have one instance optimized for OLTP and one for reporting. But they have to access the same physical database. So, OPS seemed to be perfect. I guess I'll just try to install it at home over the weekend. | Regards, | | Stefan Jahnke | | BOV AG | | @:D2 Vodafone, Abt.: FBOM | | Tel.: 0211/533-4893| Scott schrieb: Setfan, In OPS or RAC the locking is controlled by the DLM which is only communicated through the interconnect. The interconnect can be public or private. Private interconnects are highly recommended. Access to the data blocks by each instance is controlled by the DLM. DLM's communicate to each other via the interconnect. An instance cannot access a block without obtaining a PCM lock 1st(PCM locks are managed by the DLM). If the instance is doing a read the PCM lock is shared and all instances doing a read will also obtain a share lock. However if the instance is doing a DML then that instance will get an xclusive lock and that is the only instance that can access that block. If another instance requires that block then that instance has to request the holding instance to release the lock(Global enqueue). The holding instance writes the block back to disk the lock is released and the requesting instance now gets the PCM lock in a status (shared or xclusive) depending of the whether the activity is a select or DML. Now some of the disk I/O associated with DML changes in 9i because of cache fusion. You will also need the Cluster Manager that comes with your OS so Oracle can establish the communications between the nodes. Even if you want to install OPS an single node you still need the CM. Without the CM and OPS you cannot have 2 instances concurrently accessing the same disks. It doesn't matter whether the instances are on the same machine or not. Scott --- Stefan Jahnke [EMAIL PROTECTED] wrote: Hi, I'm just making assumptions. According to an Oracle guy, with OPS on 8.1.7, the instances communicate via 2 different ways. One way is via network connections (process to process communication). The other way is via locking blocks and propagating it via distr. lock manager. So, according to what he said, the instance is also taking a look at the disk directly and checking the block it wants to read (it's a raw device, so there won't be a file system). What I don't know is, how are the locks propagated ? Is there a shared datastructure (kind of a lock list) that can be accessed by both instances (and how is it maintained and accessed?) or does the instance check the status of the block directly ? Hallas John schrieb: That's an interesting concept. Won't there be problems with file sharing. Once the first instance has started will the 2nd one be allowed access to the datafiles?. I don't know much about raw files but I suspect that would be the problem area. -Original Message- From: Stefan Jahnke [mailto:[EMAIL PROTECTED]] Sent: 04 September 01 08:40 To: Multiple recipients of list ORACLE-L Subject: OPS on a single machine ? Hi, I was wondering if it is possible to set up OPS on a single machine. Maybe like this: 1 disk as a raw device, then set up an instance to use the raw device and set up parallel server's second instance to use the raw device, too. Before I go through the hassle just to find out that it doesn't work, did anybody try this before ? (I'm on SuSE 7.2, Oracle 8.1.7 with OPS option) -- | Regards, | | Stefan Jahnke | | BOV AG | | @:D2 Vodafone, Abt.: FBOM | | Tel.: 0211/533-4893| -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stefan Jahnke INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). ** This email and any attachments may be confidential and the subject of legal
RE: OPS on a single machine ?
Title: RE: OPS on a single machine ? That's an interesting concept. Won't there be problems with file sharing. Once the first instance has started will the 2nd one be allowed access to the datafiles?. I don't know much about raw files but I suspect that would be the problem area. -Original Message- From: Stefan Jahnke [mailto:[EMAIL PROTECTED]] Sent: 04 September 01 08:40 To: Multiple recipients of list ORACLE-L Subject: OPS on a single machine ? Hi, I was wondering if it is possible to set up OPS on a single machine. Maybe like this: 1 disk as a raw device, then set up an instance to use the raw device and set up parallel server's second instance to use the raw device, too. Before I go through the hassle just to find out that it doesn't work, did anybody try this before ? (I'm on SuSE 7.2, Oracle 8.1.7 with OPS option) -- | Regards, | | Stefan Jahnke | | BOV AG | | @:D2 Vodafone, Abt.: FBOM | | Tel.: 0211/533-4893 | -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stefan Jahnke INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). ** This email and any attachments may be confidential and the subject of legal professional privilege. Any disclosure, use, storage or copying of this email without the consent of the sender is strictly prohibited. Please notify the sender immediately if you are not the intended recipient and then delete the email from your inbox and do not disclose the contents to another person, use, copy or store the information in any medium. **
Re: OPS on a single machine ?
Hi, I'm just making assumptions. According to an Oracle guy, with OPS on 8.1.7, the instances communicate via 2 different ways. One way is via network connections (process to process communication). The other way is via locking blocks and propagating it via distr. lock manager. So, according to what he said, the instance is also taking a look at the disk directly and checking the block it wants to read (it's a raw device, so there won't be a file system). What I don't know is, how are the locks propagated ? Is there a shared datastructure (kind of a lock list) that can be accessed by both instances (and how is it maintained and accessed?) or does the instance check the status of the block directly ? Hallas John schrieb: That's an interesting concept. Won't there be problems with file sharing. Once the first instance has started will the 2nd one be allowed access to the datafiles?. I don't know much about raw files but I suspect that would be the problem area. -Original Message- From: Stefan Jahnke [mailto:[EMAIL PROTECTED]] Sent: 04 September 01 08:40 To: Multiple recipients of list ORACLE-L Subject: OPS on a single machine ? Hi, I was wondering if it is possible to set up OPS on a single machine. Maybe like this: 1 disk as a raw device, then set up an instance to use the raw device and set up parallel server's second instance to use the raw device, too. Before I go through the hassle just to find out that it doesn't work, did anybody try this before ? (I'm on SuSE 7.2, Oracle 8.1.7 with OPS option) -- | Regards, | | Stefan Jahnke | | BOV AG | | @:D2 Vodafone, Abt.: FBOM | | Tel.: 0211/533-4893| -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stefan Jahnke INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). ** This email and any attachments may be confidential and the subject of legal professional privilege. Any disclosure, use, storage or copying of this email without the consent of the sender is strictly prohibited. Please notify the sender immediately if you are not the intended recipient and then delete the email from your inbox and do not disclose the contents to another person, use, copy or store the information in any medium. ** - This Mail has been checked for Viruses Attention: Encrypted mails can NOT be checked! ** Diese Mail wurde auf Viren geprueft Hinweis: Verschluesselte mails koennen NICHT auf Viren geprueft werden! - -- | Regards, | | Stefan Jahnke | | BOV AG | | @:D2 Vodafone, Abt.: FBOM | | Tel.: 0211/533-4893| -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stefan Jahnke INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
