SSL certificates in the Oracle Database without surprises - Nelson Calero
Presentation delivered at the UKOUG conference in December 2019.
Abstract: Nowadays database installations are required to use secure connections to communicate with clients, from connecting to the database listener to interacting with external services (for example to send emails from the database).
Also since a couple of years ago, it has been required to use stronger protocols like TLS 1.2 (SHA2 algorithm), which requires extra configuration in older database releases.
This presentation shows how SSL certificates work from a DBA perspective, which tools are available and examples of configuring and troubleshooting their usage from the Oracle database. It also explores the implications and how to implement TLS 1.2 and common errors found in real life usage.
Automate your oracle cloud infrastructure operations v2.0 - OOW19 - Nelson Calero
Updated version for Oracle Open World 2019 of the same presentation done at Collaborate 2019
Abstract:
Oracle Cloud provides APIs and command-line utilities for handling your infrastructure in the cloud without using the web console. In addition, there are orchestration tools such as Terraform for building, changing, and versioning your infrastructure, enabling automation and configuration management. This session introduces Oracle Cloud Infrastructure services and APIs through examples from a DBA perspective: looking to minimize manual interventions when creating instances and containers, deploying a cluster with the Terraform Kubernetes installer, and backing up your databases. This presentation is an updated version of last year’s, including Oracle Cloud Infrastructure new-generation services and tools.
Automate your Oracle Cloud Infrastructure operation - Nelson Calero
The Oracle Cloud provides APIs and CLI utilities to handle your infrastructure in the cloud without using the web console. In addition, there are orchestration tools such as Terraform to build, change and version your infrastructure.
This presentation introduces the topic through examples, minimizing manual interventions: creating instances and containers, using the REST API and opc tool, deploying a cluster using the project terraform-kubernetes-installer, and backing up your databases.
Automate the operation of your Oracle Cloud infrastructure v2.0 - Nelson Calero
Presentation delivered at the Collaborate 19 conference in April 2019 in San Antonio
Abstract: The Oracle Cloud provides APIs and command line utilities to handle your infrastructure in the cloud without using the web console. In addition, there are orchestration tools such as Terraform to build, change and version your infrastructure, allowing automation and configuration management.
This session introduces OCI services and APIs through examples from a DBA perspective, looking to minimize manual interventions when creating instances and containers, deploying a cluster using the project terraform-kubernetes-installer, and backing up your databases.
This is an updated version of a similar session I did last year, now focused on OCI new generation services and tools.
Mirantis OpenStack 5.0 brings together the convenience of Fuel with the latest release of OpenStack, Icehouse. This presentation shows what's new, and what you can expect.
SSL, more strictly called Transport Layer Security (TLS), is a means to encrypt data that is in flight between software components, whether within your data center or between that and your end users' devices. This prevents eavesdroppers seeing confidential information, such as credit card numbers or database passwords, and ensures that components are communicating with who they think they are. So why isn't SSL/TLS used for all electronic communications? Firstly it is, almost by definition, "slightly tricky" to configure and errors are not terribly informative when things don't work (why would you help a hacker?!). Secondly there is a performance overhead for running TLS, although with modern hardware this is probably less of a concern than it used to be.
This session describes how to configure TLS at all layers within a Fusion Middleware stack - from the front-end Oracle HTTP Server, right through to communications with the database.
This platform was first given by Simon Haslam (eProseed UK) and Jacco Landlust (ING) at the OGh Fusion Middleware Experience event in February 2016.
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head... - DevDay.org
OpenStack is an open source cloud computing platform providing infrastructure as a service (IaaS). The presentation will encapsulate the contents of OpenStack, amplified by practical demo and simple but effective guidelines to access OpenStack.
———
Speaker: Chi Le – Head of Infrastructure System at Da Nang ICT Infrastructure Development Center
CIS 2015 - Building IAM for OpenStack - Steve Martinelli - CloudIDSummit
Keystone is the IAM project for OpenStack, and as such has to handle many different methods of deployment - On-Prem, Hybrid, Hosted - at many differing levels of scale. Some deployments are no more than a VM used for development purposes, while others are 100,000s of cores across multiple data centers and continents. This session will cover details of Keystone, what can be accomplished with it today, how OpenStack integrates with your enterprise identity solution, the OpenStack model of access management today and our plans for the future.
This is a descriptive Cloud computing training using the popular Openstack software tool to build and manage various cloud platforms. The major topics are Overview and Introduction to Openstack, Openstack Architecture, Attributes of cloud, Virtualization, Infrastructure of Cloud, Machine Detection process, Single-node and Multi-node Computing. The course further trains you on Installation, Configuration and Implementation of Openstack Services like RDO, Keystone, Horizon, Nova, Glance and Neutron, Virtualbox Installation, Redhat Openstack Installation and various Openstack Deployment Frameworks.
WWW.softwaretrainingmaterials.blogspot.com
While traditional on-prem systems have always been a target for internal and external attackers, recent times have seen increased attacks on Hadoop cloud deployments. Hadoop systems are going to be increasingly targeted due to the large volume of data that they store. Many Hadoop installations on cloud are publicly accessible without any security measures, which poses a threat of exfiltration of large datasets and possibly crypto-mining on this infrastructure with its huge distributed compute capability.
Apache Knox provides multiple layers of security related to authentication, service-level authorization and web application security controls out of the box for multiple Hadoop components.
Apache Knox provides configuration to prevent common OWASP Top 10 security risks e.g. Cross-site Request Forgery (CSRF), Cross Site Scripting (XSS), MIME Content Type sniffing, Clickjacking, etc. We will also discuss controls like HTTP Strict Transport Security which prevents SSL Downgrade attacks and CORS filter for allowing applications to make cross domain requests only to specifically allowed hosts through XHR. Support to include/exclude Cipher suites and exclude SSL protocols enables compliance with hardening guidelines provided by CIS for application servers.
Knox has several supported authentication mechanisms with Kerberos underneath e.g. LDAP over SSL, AD, PAM based auth for Unix users, integration with Identity Providers like Okta, etc. Also, capabilities like Trusted Proxy, Single Sign-On auth, Hostmap Provider, Identity Assertion Provider, Client Authentication enhance the overall security posture.
We will also cover the typical kill-chain methodology tailored to Hadoop ecosystem which will help formulate the preventive measures against future compromises.
Deep Dive into Keystone Tokens and Lessons Learned - Priti Desai
Keystone supports four different types of tokens, UUID, PKI, PKIZ, and Fernet. Let’s take a deep dive into:
- Understanding token formats
- Pros and Cons of each format in Production
- Performance across multiple data centers
- Token revocation workflow for each of the formats
- Horizon usage of the different token types
We previously deployed UUID and PKI in Production and are now moving towards the latest format, Fernet. We would like to share our lessons learned with different formats and help you decide on which format is suitable for your cloud.
There are a variety of options for standing up an OpenStack private cloud platform. In this webinar, we will discuss existing design patterns for deploying OpenStack and their relative strengths and weaknesses.
Deep Dive: OpenStack Summit (Red Hat Summit 2014) - Stephen Gordon
This deck begins with a high-level overview of where OpenStack Compute (Nova) fits into the overall OpenStack architecture, as demonstrated in Red Hat Enterprise Linux OpenStack Platform, before illustrating how OpenStack Compute interacts with other OpenStack components.
The session will also provide a grounding in some common Compute terminology and a deep-dive look into key areas of OpenStack Compute, including the:
- Compute APIs.
- Compute Scheduler.
- Compute Conductor.
- Compute Service.
- Compute Instance lifecycle.
Intertwined with the architectural information are details on horizontally scaling and dividing compute resources as well as customization of the Compute scheduler. You’ll also learn valuable insights into key OpenStack Compute features present in OpenStack Icehouse.
At the Juno summit, Symantec presented its perspective on securing Keystone. Security is really a mindset and process. We proposed a layered security approach starting with the process for securing Keystone architecture, followed by securing the environment where Keystone is deployed and configured. Since then we have been implementing those security measures in our production environment. In this talk, we will discuss exactly how we have made our Keystone deployment secure and what we have learnt along the way.
Webinar "Consolidating Oracle DB on systems with M7 processors, including migration from competing server platforms"
Presented by Josef Šlahůnek, Oracle
9.3.2016
http://www.opitz-consulting.com
Oracle Database 12c Release 1 brings new features in the area of SQL tuning. One example is "Adaptive Plans", where the execution plan can still change at execution time based on the actual data volume.
In his talk on the topic of databases at the DOAG Regio Treffen NRW, our Project Manager Dr. Andreas Wagener presented some of the new features, in part with live demos.
This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen... - confluent
In this baller talk, we will be addressing the elephant in the room that no one ever wants to look at or talk about: security. We generally never want to talk about configuring security because if we do, we allocate risk of penetration by exposing ourselves to exploitation. However, this leads to a lot of confusion around proper Kafka security best practices and how to appropriately lock down a cluster when you are starting out. In this talk we will demystify the elephant in the room without deconstructing it limb by limb. We will give you a notion of how to configure the following for BOTH clients and servers: * TLS or Kerberos Authentication * Encrypt your network traffic via TLS * Perform authorization via access control lists (ACLs) We will also demonstrate the above with a GitHub repo you can try out for yourself. Lastly, we will present a reference implementation of oauth if that suits your fancy. All in all you should walk away with a pretty decent understanding of the necessary aspects required for a secure Kafka environment.
A pragmatic approach to using public / private certificates in keystores in Java.
Presentation starts with a technical, but simplified explanation of security, certificates and keystores. Then it introduces best practices regarding use and maintenance of these resources.
Afterwards practical howtos (eg. making certificates, keystores, ..) and a demo-application, using 2-way SSL are shown. The presentation ends with some tips and tricks regarding troubleshooting.
WebLogic in Practice: SSL Configuration - Simon Haslam
This presentation describes SSL certificate concepts and how to configure them within WebLogic. It was delivered by myself and Jacco Landlust (@oraclemva) at the UKOUG Tech13 conference.
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3 - Adel Karimi
Identifying groups of attackers with similar tools or behaviors is useful for profiling and discovering the connections between them. This talk will explore how I collect JA3, an SSL/TLS client fingerprint, to profile attackers and internet-wide SSL/TLS scans. The talk will provide some interesting observations and the first identified attempt to evade SSL/TLS client fingerprinting!
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
Training Slides: 302 - Securing Your Cluster With SSL - Continuent
Watch this 41min training session on how to secure your Tungsten Cluster with SSL, looking at internal cluster communications as well as how to deploy SSL for the Tungsten Connector. It all starts off with some background information on what SSL is all about.
TOPICS COVERED
- What is SSL?
- Deploying SSL for Cluster communications
- Deploying SSL for Tungsten Connector
If you think they are easy, you are (probably) doing them wrong. A presentation about issues with TLS and X.509 certificates for Tampere security people (TreSec, @TreSecCommunity) meetup on 21st of March 2018.
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent... - ScyllaDB
Scylla includes multiple features that collectively provide a robust security model. Most recently we announced support for encryption-at-rest in Scylla Enterprise. This enables you to lock-down your data even in multi-tenant and hybrid deployments of Scylla. Join Tzach and Dejan for an overview of security in Scylla and to see how you can approach it holistically using the array of Scylla capabilities. He will review Scylla Security features, from basic to more advanced, including:
- Reducing your attack surface
- Authorization & Authentication
- Role-Based Access Control
- Encryption at Transit
- Encryption at Rest, in 2019.1.1 and beyond
LDAP authentication is a common requirement for any enterprise software. It gives users consistent login procedures across multiple components of the IT infrastructure, while centralizing the control of access rights. Scylla Enterprise now supports authentication via LDAP. We will look into how to configure Scylla Enterprise for LDAP interaction and how to fine-tune access control through it.
Shameful secrets of proprietary network protocols - Slawomir Jasek
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
Similar to OTN tour 2015 Experience in implementing SSL between oracle db and oracle clients (20)
Oracle Cloud ERP - where is My Data?
All about Oracle integration products and Cloud ERP:
* What are the ways to deliver it - all 3 options and obvious choice for our project
- File Based Data Import
- Web Services
* Can I trust the ERP statuses?
- Custom reporting using BI Publisher
- Security implications
* Lessons learned
- What works out of the box (provision SOA CS and, patch it)
- Security challenges
Topics: Trace File Analyzer, live demo.
Language: Latvian
With each new version Oracle generates more and more diagnostic information, and it is often hard to keep track of where the relevant information is written. Later the question also arises of how to clean all of this up, so that the available space is not used up by unnecessary things. I will show and talk about my experience with the TFA tool in managing and configuring trace/log files, as well as its other capabilities and pitfalls.
Aleksejs Nemirovskis - Manage your data using oracle BDA - Andrejs Vorobjovs
Manage Your Data, Using Oracle Big Data Appliance - Tips & Tricks. Ingest, process and manage the data, using Oracle Big Data Appliance (end-to-end BigData solution from Oracle):
- Oracle BDA architecture and components overview - Oracle platform, Cloudera CDH, Cloudera Manager and specific Oracle components;
- Advantages and additional value of an Oracle BDA;
- Challenges, faced inside whole stack (BDA, Cloudera);
- Challenges, which came from original Hadoop EcoSystem;
- Customer case (anonymized): how to utilize a power of an Oracle BDA, including external Informatica Big Data Management tool.
in LATVIAN language: One of the main tasks of a database administrator is to back up the database and to know how to restore the database from that backup. The free version of MySQL does not offer the database administrator very many choices. In my presentation I will talk about the following tools:
-- MySQLdump
-- Percona XtraBackup
-- Mysql enterprise backup (MEB)
-- And other tools that help me perform db backups
Latvian Oracle User Group (LVOUG) is an independent organization that brings together Oracle users, professionals and other interested parties in Latvia. Its goal is to promote the exchange of information, knowledge and experience among the group's members, to inform them about improvements and innovations in Oracle products, and to provide feedback to Oracle.
Anyone who is interested can become a member of the group.
Middleware upgrade to Oracle Fusion Middleware (FMW) 12c. Real Case stories. - Andrejs Vorobjovs
Topic description: Middleware upgrade to FMW 12c. Experience from real projects. The Oracle FMW 12c product line was published relatively recently. This time I want to share my experience of upgrading to Oracle FMW 12c. The basics, pitfalls and technical tricks that can help you save time and maybe also your nerves.
Topic (RU): Middleware upgrade to FMW 12c. Experience from real projects. Description: The Oracle FMW 12c product line was released relatively recently. This time I want to share my experience of upgrading to Oracle FMW 12c.
Basic truths, pitfalls and technical tricks that will help save your time and, possibly, your nerves.
Description (ENG): Relatively recently the Oracle FMW 12c product line has been published. Today I would like to share my experience of middleware upgrade to Oracle FMW 12c.
Basics, pitfalls and technical tricks that can save your time and, maybe, your nerves.
MySQL is the most popular open-source database and it has more than 400 parameters, but only a few of them need to be set or changed so that you do not run into problems on the very first day. In this presentation I will talk about the parameters that affect data security, data recovery and data consistency.
Take the opportunity to participate in Riga Dev Day 2016, the largest IT industry conference in the Baltics, which will take place in Riga for the second year running, from 2 to 4 March.
What will you gain?
Practically applicable information about the most current and newest topics in the IT industry: mobile application development, Java/JVM, JavaScript news, Oracle database solutions and the most modern technologies.
OTN tour 2015 is a seminar featuring respected international speakers, aimed at bringing participants together to exchange knowledge and experience in applying advanced technologies. The conference took place on 27 November in the conference hall of the Stargorod restaurant and was the first in a series of events of this kind.
"How Oracle Certification helped to advance my career" - in that presentation I will talk about how Oracle Certification helped me to achieve where I am now and give hints on how best to use it.
-- We can do an expert panel with Alex on
How Social Media can help to advance your professional career.
And motivation from Jury Velikanov
OTN tour 2015 benchmarking oracle io performance with Orion by Alex Gorbachev - Andrejs Vorobjovs
Every time Alex demonstrates charts he produces during IO benchmarks with the ORION tool (Oracle I/O Numbers), he hears "Wow! How do you build these?" In this session Alex will teach how to benchmark your storage subsystem and capacity and how to stress test it to the limits. You will learn how easy it is to set up an ORION benchmark and collect I/O performance characteristics of your platform and assess scalability of small random I/Os, impact of writes on I/O performance, impact of different RAID levels, how backups can affect your OLTP traffic, performance of outer areas of disks vs inner areas, and compare SSD with HDD performance. ORION tests are very repeatable so it's a great measuring tool in your Measure, Analyze, Change, Measure cycle.
OTN tour 2015 Oracle Enterprise Manager 12c – Proof of Concept - Andrejs Vorobjovs
Why we are talking about this
How – minimal survival kit
Database provisioning:
Database provisioning
Pluggable database provisioning
Schema provisioning
Middleware provisioning:
New instance installation
Instance cloning
Integration provisioning
Restrictions
Conclusion
Q&A
Peteris Arajs
Technology Architecture Associate Manager at Accenture
More than 15 years experience in IT industry with main focus to:
- DB design, analysis, development and performance tuning
- Oracle eBusiness Suite
- Oracle Middleware
Also experienced in all stages of software development life cycle (SDLC) from business requirements and technical definitions to development, testing and production support.
Alex Nemirovskis
Technology Architecture Associate Manager at Accenture
More than 19 years experience in IT industry with main focus to:
- DB design, analysis, development and performance tuning
- DWH / ETL / BI / Analytics
- Oracle ADF
Also experienced in all stages of software development life cycle (SDLC) from business requirements and technical definitions to development, testing and production support.
This is an introduction to the modern cloud technology landscape and what it takes to migrate Oracle databases to the cloud and operate them there. The attendees will learn about cloud concepts and what are the various options of running databases in the cloud Infrastructure as a Service (IaaS) or Platform as a Service (PaaS).
3. Project overview
[Diagram: a RAC Cluster with SCAN Listeners and, on the cluster nodes, pairs of SSL Listener and SEC Listener. Three groups of clients connect to it:
● Developers & End users / tools directly connecting to DB
● Main application technology stack: OBIEE, WLS, Forms, Reports
● Integrations: Other DBs, Essbase, Ora Net Clients]
4. How does SSL/TLS work?
● How does SSL/TLS work? (http://security.stackexchange.com/)
● How does SSL work? What is an SSL handshake? (http://www.symantec.com/)
● Transport Layer Security (https://en.wikipedia.org/)
5. SSL session overview (1 way)
Server:
● Server Certificate
● Server Private Key
Client:
● List of Trusted CA certificates
Exchange:
● Initial request (to https://domainname.com)
● Hello .... SSLv2, SSLv3, TLSv1, .... ciphers, hash function
● Server Certificate (signed by Certificate Authority): Public Key + Domain Name (subject) + Org name ....
● Establish trust ...
● Agree on the symmetric encryption key ... (premaster secret, then master secret & generate session keys)
● Use session key and agreed encryption cipher to send data ...
6. SSL session overview (2 way)
Server:
● Server Certificate
● Server Private Key
● List of Trusted CA certificates
Client:
● Client Certificate
● Client Private Key
● List of Trusted CA certificates
Exchange:
● Establish trust ...
● Agree on the symmetric encryption key ... (premaster secret, then master secret & generate session keys)
● Use session key and agreed encryption cipher to send data ...
7. Certificate Authorities & Certificates
● There are 3 options to obtain an SSL certificate
a. Generate your own self-signed certificate (from https://www.linux.com)
b. Request a certificate from your organisation's CA
c. Request a certificate from a public CA
■ VeriSign
■ GeoTrust
■ ... https://en.wikipedia.org/wiki/Certificate_authority
● In options A & B you or your organisation control the hashing and encryption protocols
● However, no clients will recognize the certificate by default
● In option C you will need to make sure your client versions support the protocols dictated by the external CA
a. Recent example => Many CAs announced that they will not support SHA-1, forcing SHA256/SHA-2 implementation
14. 3 Different Oracle Listeners configurations
● Default Listener (insecure)
○ Username/password are encrypted
● Secure Listener
○ Uses encryption the same way as the SSL Listener
○ No authentication phase (SSL handshake)
● SSL Listener
○ Uses encryption
○ Can be configured with 1-way or 2-way authentication
25. SSL & Oracle Clients setup (OCI)
Using the orapki Utility to Manage PKI Elements
https://docs.oracle.com/database/121/DBSEG/asoappf.htm#DBSEG610
26. SSL & Oracle Clients setup (OCI)
$ ls -l /u01/app/oracle/SSL/cert/*
total 16
-rw-r--r--@ 1 yvel 5000 1365 Aug 21 2014 cwallet.sso
-rw-r--r--@ 1 yvel 5000 1288 Aug 21 2014 ewallet.p12
oracle@host:/home/oracle> orapki wallet display -wallet /u01/app/oracle/SSL/cert ; date
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=PROD
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Wed Sep 9 16:27:36 PDT 2015
oracle@kpfp2:/home/oracle>
orapki wallet create -wallet $WALLET -auto_login -pwd $v_pwd
orapki wallet remove -wallet $WALLET -trusted_cert_all -pwd $v_pwd
orapki wallet display -wallet $WALLET -pwd $v_pwd
orapki wallet jks_to_pkcs12 -wallet $WALLET -keystore /full/path/to/certificate.jks -jkspwd <pwd>
orapki wallet add -wallet $WALLET -trusted_cert -cert GIAG2.crt -pwd $v_pwd
27. SSL & Oracle Clients setup (OCI)
$ openssl pkcs12 -info -in /u01/app/oracle/SSL/cert/ewallet.p12
Enter Import Password:
MAC Iteration 1024
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Certificate bag
Bag Attributes
localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04
subject=/C=US/O=MyOrg Inc/CN=MyOrg Internet Authority G2
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
...
PKCS 12 => https://en.wikipedia.org/wiki/PKCS_12
It defines an archive file format for storing many cryptography objects as a single file. It is
commonly used to bundle a private key with its X.509 certificate.
28. SSL & Oracle Clients setup (JDBC)
● JDBC Clients
○ Have their own default certificate store with a preloaded trusted CA list
$ v_java_cert=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts
$ keytool -list -keystore $v_java_cert -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 93 entries
digicertassuredidrootca, Apr 16, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
comodorsaca, May 12, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
thawtepremiumserverca, May 26, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
...
$ keytool -exportcert -alias digicertassuredidrootca -keystore $v_java_cert -storepass changeit -file test.crt -rfc
$ keytool -printcert -file test.crt
Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: ce7e0e517d846fe8fe560fc1bf03039
Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031
Certificate fingerprints:
MD5: 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
29. SSL & Oracle Clients setup (JDBC)
● A JRE client must be updated with the JCE to enable
TLS_RSA_WITH_AES_256_CBC_SHA cipher.
○ Download appropriate JCE archive with 2 jar files
○ Copy the jar files to $JAVA_HOME/jre/lib/security/ directory
● The JCE could be obtained from the URL below depending on a JRE version
○ 1.6 JCE
○ 1.7 JCE
○ 1.8 JCE
31. Variety of clients and versions to cover ...
[Diagram: the RAC Cluster with SCAN Listeners and pairs of SSL Listener and SEC Listener, and three numbered groups of clients:
● Developers & End users using tools directly connecting to DB
● Main application technology stack: OBIEE, WLS, Forms, Reports
● Integrations: Other DBs, Essbase, Ora Net Clients]
32. Some components used old Oracle Clients
● Essbase
○ Blend in 11.1.0.7 Oracle Client
○ Challenging to update
● OBIEE
○ Presentation layer uses 11.1.0.7 Oracle Client
33. SSL Listener & TCP Buffer
Problem definition
Initial:
● DB instances don't register DB services with remote SCAN listeners after a new certificate has been added to the server wallet
Current:
● All SSL connections from one node hang when connecting to any SSL-enabled listener that runs on a remote node if a listener is able to send data out quickly enough
34. SSL Listener & TCP Buffer
SSL Listener works if ….
a) strace-ing the listener process
b) turning debug logging up to a high level in the listener
c) Running the listener on a non-bonded interface
d) Having the listener increase its send buffer size from 16k (default) to 32k or 64k on the socket
d1) We can also do this at the OS level via `echo "4096 32768 4194304" > /proc/sys/net/ipv4/tcp_wmem`
35. SSL Listener & TCP Buffer
Normal / Expected processing
[Diagram, three stages: the process that owns a non-blocking (O_NONBLOCK) TCP socket (sPORT:sIP - cIP:cPORT) issues data writes W3, W2, W1 (5k, 1k, 3k) into the TCP socket buffer; the last part of the data, W3b, does not fit.]
● Kernel waits a bit for more data and sends it out
● Buffer is full. Kernel sends EAGAIN back
● Kernel refuses writes until buffer is free
● The process code handles the error and keeps sending the rest of the data until successful
36. SSL Listener & TCP Buffer
Oracle Listener - fails to process EAGAIN
[Diagram, three stages: the SSL Listener owns a non-blocking (O_NONBLOCK) TCP socket (sPORT:sIP - cIP:cPORT) and writes data into the TCP socket buffer; the W3b part does not fit.]
● Buffer is full. Kernel sends EAGAIN back
● Kernel ready to process writes after some time
● Listener never re-sends the W3b part
● The W3b part is dropped
● Where is client's response?
● Oracle Listener ssl handshake function fails to process EAGAIN errors
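The two behaviours on slides 35 and 36, side by side, as an added example that is not from the presentation and is not Oracle listener code. It assumes a local AF_UNIX socket pair in place of the TCP connection, 64k application writes and a 16k send buffer; the function names are hypothetical.

```c
/* Added example: constructed demo, not Oracle listener code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define CHUNK (64 * 1024)   /* one application write, larger than the buffer */

/* Read everything currently queued on the peer socket; returns byte count. */
static size_t drain(int fd) {
    char tmp[8192]; size_t got = 0; ssize_t n;
    while ((n = recv(fd, tmp, sizeof tmp, 0)) > 0) got += (size_t)n;
    return got;
}

/* Send `chunks` writes of CHUNK bytes over a non-blocking socket pair with a
 * 16k send buffer. resume=1 is the expected handling; resume=0 models slide 36
 * (the unsent remainder is never re-sent). Returns bytes the peer received, or
 * -1 on error. The inline drain stands in for "kernel ready after some time";
 * a real server would poll() for POLLOUT instead. */
long transfer(int chunks, int resume) {
    static char data[CHUNK];
    int sv[2], sndbuf = 16 * 1024;
    size_t received = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof sndbuf);
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    fcntl(sv[1], F_SETFL, fcntl(sv[1], F_GETFL) | O_NONBLOCK);

    for (int c = 0; c < chunks; c++) {
        size_t off = 0;
        while (off < CHUNK) {
            ssize_t n = send(sv[0], data + off, CHUNK - off, 0);
            if (n > 0) { off += (size_t)n; continue; }   /* partial write */
            if (n < 0 && errno == EINTR) continue;
            if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
                received += drain(sv[1]);   /* buffer frees up */
                if (resume) continue;       /* retry from the same offset */
                break;                      /* bug: remainder is dropped */
            }
            close(sv[0]); close(sv[1]);
            return -1;
        }
    }
    received += drain(sv[1]);
    close(sv[0]); close(sv[1]);
    return (long)received;
}

int main(void) {
    printf("resume after EAGAIN: %ld bytes received\n", transfer(16, 1));
    printf("remainder dropped:   %ld bytes received\n", transfer(16, 0));
    return 0;
}
```

With the remainder dropped, the peer is left waiting for bytes that never arrive, which is the hang described on slide 33; a larger send buffer only makes EAGAIN less likely during the handshake.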
38. Variety of clients and versions to cover ...
[Diagram: the RAC Cluster with SCAN Listeners and pairs of SSL Listener and SEC Listener, and three groups of clients:
● Developers & End users using tools directly connecting to DB
● Main application technology stack: OBIEE, WLS, Forms, Reports
● Integrations: Other DBs, Essbase, Ora Net Clients]