Oct 31 2017

Unified Auditing in Oracle 12c

Category: Administration, Database Security
Fatih Acar @ 10:30

Unified Auditing is a new audit feature that came with Oracle 12c. It is disabled by default, so you have to enable it after installing the database.

In previous releases of Oracle Database, there were separate audit trails for individual components:

  • SYS.AUD$ for the database audit trail,
  • SYS.FGA_LOG$ for fine-grained auditing,
  • DVSYS.AUDIT_TRAIL$ for Oracle Database Vault, Oracle Label Security, and so on.

In 12c, these audit trails are all unified into one, viewable from the UNIFIED_AUDIT_TRAIL data dictionary view for single-instance installations or Oracle Database Real Application Clusters environments.

Auditable Components With Unified Auditing

  • Audit Any Role
  • Application Context Values
  • Oracle Database Real Application Security Events
  • Oracle Recovery Manager Events
  • Oracle Database Vault Events
  • Oracle Label Security Events
  • Oracle Data Mining Events
  • Oracle Data Pump Events
  • Oracle SQL*Loader Direct Load Path Events
  • Operating System Audit Records into the Unified Audit Trail

The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role.

When the database is writeable, audit records are written to the unified audit trail. If the database is not writable, then audit records are written to new format operating system files in the $ORACLE_BASE/audit/$ORACLE_SID directory.

Mixed mode auditing enables both the traditional audit facility (that is, the audit facility from releases earlier than Release 12c) and the new one (unified auditing). In mixed mode, you can use the new unified audit facility alongside the traditional auditing facility. In pure unified auditing, you only use the unified audit facility.

As in previous releases, the traditional audit facility is driven by the AUDIT_TRAIL initialization parameter. Set this parameter to the appropriate traditional audit trail only for mixed mode auditing. This traditional audit trail will then be populated with audit records, along with the unified audit trail. When you upgrade your database to the current release, traditional auditing is preserved, and the new audit records are written to the traditional audit trail.

Enable Unified Auditing

You can check the current status with the query below.


SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER='Unified Auditing';

If VALUE is TRUE, Unified Auditing is enabled.

You have to shut down all running database processes (database, listener) before running the script that activates Unified Auditing. If you use Oracle RAC, you have to run the script on all nodes.


SQL> shutdown immediate;
SQL> exit;

[oracle@testdb ~]$ lsnrctl stop LISTENER

[oracle@testdb ~]$ cd $ORACLE_HOME/rdbms/lib/
[oracle@testdb lib]$ make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME  

SQL> startup;
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER='Unified Auditing'; 

The VALUE has to be TRUE.


Tags: Database Administration, Database Security, Oracle 12c, Oracle 12c Security


Oct 12 2017

Oracle 12c R2 (12.2.0.1) Real Time Apply Data Guard Installation on Oracle Linux 7.3

Category: Administration, Backup And Recovery
Fatih Acar @ 11:11

Oracle Data Guard ensures high availability, data protection, and disaster recovery for enterprise data. Oracle Data Guard provides a comprehensive set of services that create, maintain, manage, and monitor one or more standby databases to enable production Oracle databases to survive disasters and data corruptions. Oracle Data Guard maintains these standby databases as copies of the production database. Then, if the production database becomes unavailable because of a planned or an unplanned outage, Oracle Data Guard can switch any standby database to the production role, minimizing the downtime associated with the outage. Oracle Data Guard can be used with traditional backup, restoration, and cluster techniques to provide a high level of data protection and data availability.

With Oracle Data Guard, administrators can optionally improve production database performance by offloading resource-intensive backup and reporting operations to standby systems.

The types of standby database are physical standby, logical standby and snapshot standby.

I will demonstrate a physical standby database working with real-time apply in this document. The physical standby is the most used type. You can investigate the other types of standby database in the Oracle docs.

I used an Oracle RAC database as the primary side and a single-instance database with an ASM file system as the secondary side (Data Guard).

First, you have to adjust the operating system parameters on the secondary side and create the ASM disks. After that, you can start installing grid infrastructure. Once grid is installed, you can create the DATA and FRA disk groups. After the grid installation, you can install the Oracle Data Guard database on grid infrastructure and ASM disks as software only. Finally, you can restore and recover the standby database from the primary side and start synchronization apply after adding the standby redo logs. I divide the installation into five steps.

You can find primary side (Oracle 12c RAC) installation steps here. I will use this infrastructure as primary side.

First Step: Configure the Operating System on the Secondary Side

1. Upgrade Packages

yum upgrade

yum install oracleasm-support


Tags: Oracle 12c, Oracle Administration, Oracle Backup and Restore, Oracle Data Guard


Oct 10 2017

TNS-12547: TNS:lost contact and Linux Error: 32: Broken pipe While Connecting to Oracle 12c Data Guard

Category: Errors and Solutions
Fatih Acar @ 15:39

I installed Oracle 12c Data Guard and everything was okay. But I got an error like the one below when I wanted to connect to the Data Guard database with Toad or SQL Developer. tnsping was okay.

Error

SQL Developer :

Status : Failure -Test failed: IO Error: Got minus one from a read call

Listener.log

10-OCT-2017 15:01:16 * (CONNECT_DATA=(CID=(PROGRAM=SQL Developer)(HOST=__jdbc__)(USER=testuser))(SERVICE_NAME=TDG)(CID=(PROGRAM=SQL Developer)(HOST=__jdbc__)(USER=testuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.24)(PORT=49834)) * establish * TDG * 12518
TNS-12518: TNS:listener could not hand off client connection
TNS-12547: TNS:lost contact
TNS-12560: TNS:protocol adapter error
TNS-00517: Lost contact
Linux Error: 32: Broken pipe

Solution

If a separate grid user manages the listener, you have to set the permissions on the $ORACLE_HOME/bin/oracle executable to 6751 with chmod. The setuid and setgid bits in this mode let the grid user execute the oracle binary as the oracle user. Oracle opens a process on the OS when you connect to the database. If you connect remotely through the listener, the listener owner (grid) tries to open the new process, but it cannot do so with $ORACLE_HOME/bin/oracle because it does not have permission. So you have to give the file 6751 permissions.

[root@tdg bin] chmod 6751 oracle

You can see the same problem in the 11g and 12c versions of Oracle Data Guard. During an Oracle RAC installation, or a single-instance installation with grid, Oracle automatically changes the permissions of $ORACLE_HOME/bin/oracle to 6751.
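
A triage check for the failure described above, as an added example rather than code from the original post: it counts TNS-12518 hand-off failures per service in a listener log and verifies that the oracle binary carries mode 6751. The function names are hypothetical, and the listener log path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the original post): triage for the
# TNS-12518 / "Linux Error: 32: Broken pipe" hand-off failure.
# Function names are hypothetical.

# mode_string FILE -> prints the 10-character permission string of FILE
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# oracle_binary_ok FILE -> exit 0 only if FILE has mode 6751 (-rwsr-s--x):
# setuid + setgid, rwx for the owner, r-x for the group, --x for others.
oracle_binary_ok() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    m=$(mode_string "$1")
    if [ "$m" = "-rwsr-s--x" ]; then
        echo "OK $m $1"
    else
        echo "MISMATCH $m (expected -rwsr-s--x, i.e. 6751) $1"
        return 1
    fi
}

# handoff_failures LOG -> prints "count service" for every service whose
# "establish" entries ended with listener return code 12518.
# Entry layout, as in the excerpt above:
#   timestamp * connect data * address * establish * service * code
handoff_failures() {
    awk -F' [*] ' '
        NF >= 6 && $NF == "12518" && $(NF-2) == "establish" { n[$(NF-1)]++ }
        END { for (s in n) print n[s], s }
    ' "$1" | sort -rn
}

# Check a live home only when ORACLE_HOME is set in the environment.
if [ -n "${ORACLE_HOME:-}" ]; then
    oracle_binary_ok "$ORACLE_HOME/bin/oracle" ||
        echo "fix (as root): chmod 6751 $ORACLE_HOME/bin/oracle"
fi
```

Repeated 12518 entries for a service combined with a MISMATCH result point to the permission problem this post describes.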


Tags: Oracle 12c, Oracle Administration, Oracle Error Solutions


Mar 03 2017

Oracle 12c R2 Downloadable Now

Category: Administration
Fatih Acar @ 16:27

You can download the Oracle 12c R2 database now. Only Linux x64 and Solaris operating systems are supported for now.

You can download it from the link below:

http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html

You can also find the new features of Oracle 12c R2 at the links below:

https://docs.oracle.com/database/122/

https://blogs.oracle.com/sql/entry/12_things_developers_will_love


Tags: Oracle 12c, Oracle Administration


May 26 2016

Oracle 12c : RMAN New Features and Enhancements

Category: Administration, Backup And Recovery
Fatih Acar @ 10:45

1. Fine Grained Recovery

With Oracle Database 12c, you can use a simple RECOVER TABLE command to perform a point-in-time recovery of a table/partition without having to go through a manual point-in-time recovery process. This command automatically performs the following steps: creation of the auxiliary instance, table recovery, exporting of the object, and importing it into the production database.

2. Support For Multitenant Databases

Oracle Database 12c offers this unprecedented consolidation feature called Oracle Multitenant. This capability simplifies database consolidation and management by enabling many individual pluggable databases (PDBs) to be “plugged-into” and supported within a container database (CDB).  Data protection is greatly simplified because you can perform backup and recovery at the CDB level, which includes and protects all the associated PDBs. For additional flexibility, you can still choose to perform backup and recovery for an individual PDB or a selected group of PDBs.

3. Improved RMAN Duplication (Cloning) Performance

Duplicating an Oracle database can be performed in many ways. Today, customers use both Oracle features such as RMAN DUPLICATE or storage-based snapshot and cloning technologies. RMAN duplication can be performed by using an existing backup or by directly duplicating the database using ACTIVE DUPLICATE.  Prior to Oracle Database 12c,  the ACTIVE DUPLICATE process used production database processes to send image copies across the network. This could be a time-consuming activity because the duplication process is directly proportional to the database size. Now, with 12c, the database duplication process has been improved, with the use of backup sets instead of image copies. As a result, the database size is relatively smaller because RMAN skips unused blocks, committed undo blocks etc. Plus, you can use compression and multi-section options for even faster duplication. Moreover, auxiliary channels from the destination site are used to PULL the backups over the network, as opposed to the PUSH method, used prior to 12c.

4. Faster Recovery in a Data Guard or Active Data Guard Environment

You may already be aware of some cool RMAN features that are supported with Active Data Guard – for example, direct Block Media Recovery from the standby. However, in the event of either primary or standby datafile corruption (e.g. due to media errors), the traditional recovery process would be to copy the backup over the network and perform a restore/recovery.  With Oracle Database 12c, there is a new RMAN keyword called “FROM SERVICE” whereby you can perform restores directly from the standby or from the primary (depending on which site has issues). This command creates a backup set and streams it over the network. This new process dramatically reduces the overall recovery time.

5. Expansion of Multi-Section Support

Prior to Oracle Database 12c, parallelizing a single data file using MULTI SECTION was only supported with a level 0 backup or a full backup set. From 12c, multi-section is also supported with incremental backups and image copy backups.

6. Simplified Cross-Platform Migration

Migrating the database from one platform to another can be performed in many ways. Oracle supports both database-level migration and tablespace-level migration. Database-level migration requires the endian type to be same on the source and destination platforms. Using tablespace migration, you can migrate across platforms and across endian formats. Oracle 12c introduces new keywords – FROM PLATFORM and TO PLATFORM. Using these keywords, RMAN takes care of converting the endian-ness,  so that the overall process is simplified. Depending on the availability requirements, tablespace migration can be performed with either long downtime or reduced downtime processes.

a) When using a longer downtime model, you place the tablespace(s) in read-only mode, take the full backup, and restore at the destination. You also take the metadata export of the tablespace at the source and then apply at the destination. Once you’re done, the tablespaces are made readable/writable at the destination.

b) When using a reduced downtime model, you can keep your source database running for a longer time by doing incremental backups to the destination. Only the last step involves the procedure mentioned in (a).

7. Separation of Duty

A new role SYSBACKUP is introduced to separate backup administrator tasks from the SYS role. You can use this administrative privilege to perform backup and recovery operations from either RMAN or from SQL*Plus.



8. SQL interface in RMAN

Beginning with Oracle Database 12c, you no longer have to switch between the SQL*Plus interface and the RMAN interface. The RMAN interface now supports SQL commands, so you can run them directly from within RMAN.

Source : Oracle Documents


Tags: Oracle 12c, Oracle Administration, Oracle Rman Backup