Oracle Application Server 10g Architecture and Administration

Single Sign-On (SSO)

With Single Sign-On, a client can sign onto the application once and be automatically authenticated for other components within the application server, as well as to external applications if properly set up. SSO provides a central authentication repository rather than having a separate authentication for each application on the server. SSO uses the Infrastructure instance to validate users as they move from application to application without forcing them to reauthenticate.

The SSO component interacts with the Oracle HTTP Server (OHS) and allows the formatting of Single Sign-On information as an open source Apache header. Note that SSO only functions within the domain of your Oracle system. Many distributed e-commerce systems communicate with third-party portals, and SSO cannot be extended to service these external clients. For example, an Oracle e-commerce site might need to process a payment request with Cybercash, and Cybercash would require its own independent SSO mechanism. Hence, many Application Server 10g administrators must develop XML Data Type Definition (DTD) protocols for communication with external third-party systems.

We will discuss SSO and other components of Application Server 10g security in great detail in Chapter 12.

Oracle Internet Directory

The Oracle Internet Directory (OID) is a Lightweight Directory Access Protocol (LDAP) directory service that provides centralized storage of information about users, applications, and resources in your enterprise. Coupled with SSO, OID allows end users to sign on one time and use their predefined OID credential (set up by the DBA). This credential defines those components of Application Server 10g with which the end user is allowed to interface.

Because it is LDAP-compliant, OID can be viewed as a simple lookup mechanism for web services. For example, LDAP entries can be used instead of entries in the traditional tnsnames.ora file, thereby allowing connectivity for clients anywhere on your network. This technique has replaced the obsolete Oracle*Names tool as a method for defining services for Oracle.

In sum, OID is an easy-to-configure tool for defining end-user access with Application Server 10g. Because it is tightly coupled with SSO and advanced security, OID is a critical component of Oracle security management. OID is managed with a GUI called Oracle Directory Manager (ODM). We will discuss this tool for managing data access rules in great detail in Chapter 12, along with other security topics.

Metadata Repository (Infrastructure)

The metadata repository is a critical component of Application Server 10g because it allows for a common management interface between multiple instances of Application Server 10g and the other components. The metadata repository is commonly referred to as the Infrastructure, which is common to all Application Server 10g farms and components that share a common definition. We will discuss the Infrastructure in great detail in Chapter 3.

Oracle Management Server (OMS)

With the Oracle Management Server, administrators can include the Application Server in a centrally managed configuration using Oracle Enterprise Manager (OEM--a separate product). OMS is a component of the Oracle Enterprise Manager console, used to manage Application Server 10g instances, databases, and other components. The foremost feature of OMS is its ability to store OEM data inside the metadata repository. This storage ability of OMS allows administrators to share server configuration information, scheduled events and jobs, and notifications of failures. To start OMS, issue the emctl start oms command, which starts the web servers and OMS processes.

Because OMS is the “glue” that binds all of the Application Server 10g components together, we will be visiting OMS functionality throughout this book. OMS provides the important functions of user administration, and manages the flow of information between the OEM console and all managed nodes.

OEM allows for any server to become a managed node by installing an Oracle intelligent agent (OIA), thereby making it accessible with the central administrative GUI. An OIA is a daemon process that interfaces with the database and operating system on each server within each Application Server 10g farm. The intelligent agent performs localized execution of tasks as directed by the OMS, and for Oracle servers, the OIA performs time-based database monitoring. The concept of managed nodes adds power to OEM, allowing the Application Server 10g DBA to quickly apply configuration changes to many server components.

TopLink

For Java developers, TopLink provides a mechanism for making Java objects persistent across sessions. In object-oriented (OO) languages such as Java, C#, or C++, objects can be instantiated and destroyed according to the needs of the program.

The problem is that OO languages like Java create objects in the RAM heap, and upon termination of the program, all of the program’s objects are destroyed. Oracle Application Server TopLink 10g is a persistence framework that enables object persistence by supplying routines that can be invoked to store Java objects in relational database tables (in any relational database that supports JDBC). In addition, TopLink provides a GUI tool, the Mapping Workbench, that greatly simplifies the task of mapping Java objects and their attributes to database tables. TopLink also provides powerful features like a query framework, object-level transaction support, relationship mappings, object caching, and much more.

Prior to TopLink, the programmer would have to write custom JDBC code to store and retrieve the Java object’s attributes to/from a relational table. This is not only extremely time consuming and error prone but also difficult to change. TopLink is built on top of JDBC but does not require developers to use JDBC (or even SQL!). TopLink supports all J2EE compliant application servers, and can be used to store object data from standard Java objects, as well as entity beans. Please refer to the Oracle Application Server TopLink 10g documentation for more information.

1. What is SSO used for?
The OracleAS Single Sign-On server enables a user to log into multiple applications registered with the Oracle Application Server with a single username and password. The SSO server retrieves the user information from OID. The management time is drastically reduced.

2. What is SSL?
SSL (Secure Sockets Layer) is a well-known communication protocol that enables you to send messages securely across the Internet.

3. Which are the SSO components?
OracleAS SSO Server: enables you to use the "authenticate one, log in many times" feature.
OID: OID is the repository for SSO.

4. Which are the 2 types of applications that can be managed by SSO?
Partner Applications: If you can log in to one partner application through the SSO Server, you can log into all partner applications registered with that server.
External Applications: The "authenticate one, log in many times" feature is not enabled. The external applications (and not the SSO Server) are responsible for user authentication.

5. What is Private Key Cryptography?
Private Key encryption uses one key, which is used to both encrypt and decrypt messages. This is also called symmetric encryption.

6. What is Public Key Cryptography?
Public-key cryptography (or PKI), also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys—a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. This is more secure than Private Key Cryptography.

7. What is an Oracle Wallet?
An Oracle wallet is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.

RMAN

1. What is RMAN?
2. Why use RMAN?
3. Where does RMAN store the metadata information about the backups?
4. Which are the components of RMAN?
5. Which are the advantages of each RMAN metadata repository?
6. Which are the disadvantages of each RMAN metadata repository?

1. What is RMAN?
RMAN (Recovery Manager) is the recommended tool for Oracle database backup, restore and recovery operations. RMAN is an Oracle product.

2. Why use RMAN?
RMAN supports both cold (offline) and hot (online) backup.
The RMAN online backup is easier to take than an online user-managed backup.
It does block-level backup and recovery.
The RMAN command language is platform independent.
The online backup doesn't put the tablespace in "backup mode", so no extra redo logs are generated.

3. Where does RMAN store the metadata information about the backups?
In the RMAN Catalog Repository (created in a database schema) or in the control files of the target database. Personally, I prefer to use the control file because the result is the same, but there is less administrative work for this.

4. Which are the components of RMAN?
RMAN software: The RMAN executable can be found in the $ORACLE_HOME/bin directory.
Processes: RMAN creates processes to perform different activities, such as backup, restore and recovery.
Target database: The target database is the database RMAN connects to in order to back up, restore and recover information.
Recovery Catalog Database: Stores the metadata for the RMAN activities. It doesn't store the backup of the target database. The target control files can also keep the RMAN metadata.
RMAN channel: The RMAN channel provides a means of communication between the server and the operating system. Using more channels increases the speed of the RMAN activities.
Backup Set: A Backup Set stores one or more physical files or backup pieces. You cannot split a file across different backup sets or mix archived logs and datafiles in one backup set.
Image Copy: A replica of the physical files in uncompressed form. Because of this, image copies can be used to restore the data files using RMAN or operating system commands.

1. Which is the default RMAN configuration?
2. How could I restore the actual configuration to the default value?
3. Using substitution variables
4. Configure RETENTION POLICY
5. Configure DEFAULT DEVICE TYPE
6. Configure CONTROLFILE AUTOBACKUP

1. Which is the default RMAN configuration?

show all;

RMAN configuration parameters are:
CONFIGURE RETENTION POLICY TO REDUNDANCY 1; # default
CONFIGURE BACKUP OPTIMIZATION OFF; # default
CONFIGURE DEFAULT DEVICE TYPE TO DISK; # default
CONFIGURE CONTROLFILE AUTOBACKUP OFF; # default
CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK TO '%F'; # default
CONFIGURE DEVICE TYPE DISK PARALLELISM 1 BACKUP TYPE TO BACKUPSET; # default
CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default
CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default
CONFIGURE MAXSETSIZE TO UNLIMITED; # default
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
CONFIGURE ARCHIVELOG DELETION POLICY TO NONE; # default
CONFIGURE SNAPSHOT CONTROLFILE NAME TO '/oracle/10gOHome/dbs/snapcf_db10.f'; # default

NOTES:
The parameters which are currently modified are in bold.
The changes in the RMAN configuration are saved automatically in the control file / RMAN catalog.

2. How could I restore the actual configuration to the default value?

CONFIGURE RETENTION POLICY CLEAR;
CONFIGURE BACKUP OPTIMIZATION CLEAR;
CONFIGURE DEFAULT DEVICE TYPE CLEAR;
CONFIGURE CONTROLFILE AUTOBACKUP CLEAR;
CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK CLEAR;
CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE SBT CLEAR;
CONFIGURE DEVICE TYPE DISK CLEAR;
CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK CLEAR;
CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE SBT CLEAR;
CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK CLEAR;
CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE SBT CLEAR;
CONFIGURE CHANNEL DEVICE TYPE DISK CLEAR;
CONFIGURE CHANNEL DEVICE TYPE SBT CLEAR;
CONFIGURE MAXSETSIZE CLEAR;
CONFIGURE SNAPSHOT CONTROLFILE NAME CLEAR;

3. Using substitution variables

RMAN can make use of substitution variables in format strings to generate UNIQUE file names. If the file names are not unique, the files will be overwritten and the data will be lost.

Format   Description
%d       Specifies the database name.
%u       Specifies an 8-character name constituted by compressed representations of the backup set number and the time the backup set was created.
%p       Specifies the backup piece number within the backup set. This value starts at 1 for each backup set and is incremented by 1 as each backup piece is created.
%c       Specifies the copy number of the backup piece within a set of duplexed backup pieces. If you did not issue the set duplex command, then this variable will be 1 for regular backup sets and 0 for proxy copies. If you issued set duplex, the variable identifies the copy number: 1, 2, 3, or 4.
%U       Specifies a convenient shorthand for %u_%p_%c that guarantees uniqueness in generated backup filenames. If you do not specify a format, RMAN uses %U by default.
%t       Specifies the backup set timestamp. The combination of %s and %t can be used to form a unique name for the backup set.
%s       Specifies the backup set number. This number is a counter in the control file that is incremented for each backup set. The counter value starts at 1 and is unique for the lifetime of the control file. If you restore a backup control file, then duplicate values can result. Also, CREATE CONTROLFILE initializes the counter back to 1.

4. Configure RETENTION POLICY

CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF 30 DAYS;
>> After 30 days the backup will become OBSOLETE.

CONFIGURE RETENTION POLICY TO REDUNDANCY 3;
>> The latest 3 backups will NOT be OBSOLETE. The others will be.

When configuring a retention policy, RMAN will NOT cause backups to be automatically deleted.

REPORT OBSOLETE; -> List the backups (on disk) that have become obsolete with the current retention policy.
DELETE OBSOLETE; -> Delete the obsolete backup files.
DELETE NOPROMPT OBSOLETE;

NOTES:
CROSSCHECK BACKUP; -> Check if the backup files exist physically on the disk
CROSSCHECK COPY; -> Check if the files of a copy operation exist physically on the disk
LIST BACKUP; -> List all backup sets and backup pieces
LIST EXPIRED BACKUP; -> Identify those backups that were not found during a crosscheck
DELETE EXPIRED BACKUP; -> Delete the information about the expired backups in the RMAN repository
DELETE EXPIRED COPY; -> Delete the information about the expired copies in the RMAN repository
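
The uniqueness warning in section 3 (Using substitution variables) can be checked before a FORMAT string goes into a backup script. The following shell sketch is an added example, not part of the original notes: it expands %d, %s, %t, %p and %c over a constructed list of backup pieces and counts file-name collisions, including the case where the %s counter restarts at 1 after CREATE CONTROLFILE. The piece list and the function names expand_format and count_collisions are assumptions; %u and %U are not modelled.

```sh
#!/bin/sh
# Constructed sample of backup pieces, one per line:
#   db_name(%d)  set_number(%s)  set_timestamp(%t)  piece(%p)  copy(%c)
# Backup set 1 has two pieces. The last row models a backup taken after
# CREATE CONTROLFILE reset the %s counter to 1 (same number, new timestamp).
SAMPLE_PIECES='DB10 1 700000001 1 1
DB10 1 700000001 2 1
DB10 2 700086401 1 1
DB10 1 700172801 1 1'

# expand_format FORMAT
# Print the file name every sample piece would receive for FORMAT.
expand_format() {
    fmt=$1
    printf '%s\n' "$SAMPLE_PIECES" | while read -r d s t p c; do
        printf '%s\n' "$fmt" | sed \
            -e "s/%d/$d/g" -e "s/%s/$s/g" -e "s/%t/$t/g" \
            -e "s/%p/$p/g" -e "s/%c/$c/g"
    done
}

# count_collisions FORMAT
# Print how many distinct file names are produced more than once.
# Anything above 0 means a later piece would overwrite an earlier one.
count_collisions() {
    expand_format "$1" | sort | uniq -d | wc -l | tr -d ' '
}

# Compare a few candidate format strings (paths are constructed).
for f in '/backup/%d_%s.bkp' \
         '/backup/%d_%s_%p.bkp' \
         '/backup/%d_%s_%t_%p.bkp'; do
    printf '%-26s collisions: %s\n' "$f" "$(count_collisions "$f")"
done
```

The first format collides because both pieces of set 1 get the same name; the second collides only once the set counter has been reset; the third stays unique on this sample.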

5. Configure DEFAULT DEVICE TYPE

CONFIGURE DEFAULT DEVICE TYPE TO DISK; --> by default
CONFIGURE DEFAULT DEVICE TYPE TO SBT;

This is overridden by the RUN command, or by DEVICE TYPE on the BACKUP command itself.

6. Configure CONTROLFILE AUTOBACKUP (starting from 9i)

CONFIGURE CONTROLFILE AUTOBACKUP ON;
CONFIGURE CONTROLFILE AUTOBACKUP OFF; --> by default

RMAN writes both the CONTROLFILE and the SPFILE (if the database was started with an SPFILE) to the same backup piece.

To set the location of the control file backup:

CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK TO '/oracle/RMAN_backup/%F';

The %F tag is essential for RMAN to be able to restore the file without a recovery catalog.

TKPROF Utility

The TKPROF utility is not a tuning utility; it is just a utility to read the trace file. So, once we have the trace file of a session, we can use TKPROF to read the trace file and see what happened in that session. Here are the steps in using the TKPROF utility:

1. Enable the Oracle database to gather statistics (on session or system level)
ALTER SYSTEM SET timed_statistics = true;
ALTER SESSION SET timed_statistics = true;

2. Find the SID, SERIAL# for the specific session you want to monitor
SELECT username, sid, serial#, program FROM v$session WHERE username = '<User_Name>';

3. Enable tracing for this session (must be logged in as SYSDBA)
EXECUTE dbms_system.set_sql_trace_in_session (<sid>, <serial#>, true);

4. Identify the directory where the trace file is generated
SELECT value FROM v$parameter WHERE name = 'user_dump_dest';

5. Identify the name of the trace file which is generated
SELECT s.username, s.SID, s.serial#, s.PROGRAM, p.spid
FROM v$session s, v$process p
WHERE p.addr = s.paddr AND s.username = '<User_Name>';
The name of the trace file is <oracle_sid>_ora_<p.spid>.trc

6. Disable tracing for this session (must be logged in as SYSDBA)
EXECUTE dbms_system.set_sql_trace_in_session (<sid>, <serial#>, false);

7. Convert the trace file into a readable format
cd $ORACLE_HOME/admin/<oracle_sid>/udump
tkprof trace_file.trc Readable_File.txt

Now the Readable_File.txt contains information like:

The execution plan also is included in the trace file.

pwd - The "pwd" command displays the current directory
pwd
/home/oracle

which - The "which" command displays the full path of (shell) commands.
which zip
/oracle/db/11.2/bin/zip

ls - The "ls" command lists directory contents
ls -altr
total 112
-rw-r--r-- 1 oracle dba 310 Feb 15 2008 smit.transaction
-rw-r--r-- 1 oracle dba 171 Feb 15 2008 smit.script
-rw-r--r-- 1 oracle dba 1440 Feb 15 2008 smit.log
drwxr-x--- 3 oracle dba 256 Feb 15 2008 .java
-rw-r--r-- 1 oracle dba 875 Feb 18 2008 sqlnet.log
-rw------- 1 oracle dba 55 May 17 14:42 .vi_history
drwxr-xr-x 2 oracle dba 256 May 19 14:13 .p
-rw-r--r-- 1 oracle dba 356 May 27 14:29 .rhosts
-rw------- 1 oracle dba 212 May 28 10:33 old.Xauthority
drwx------ 2 oracle dba 256 May 28 12:32 .ssh
drwxr----- 3 oracle dba 256 Jul 4 11:38 oradiag_oracle
drwxr-xr-x 6 bin bin 256 Jul 8 14:55 ..
drwxr-xr-x 2 oracle dba 4096 Jul 15 21:39 .vnc
-rw------- 1 oracle dba 263 Jul 15 21:39 .Xauthority
drwxr-xr-x 7 oracle dba 4096 Jul 15 21:39 .
-rwxr----- 1 oracle dba 868 Jul 27 19:32 .profile
-rw------- 1 oracle dba 10866 Aug 2 09:59 .sh_history

cp - The "cp" command is used to copy files and directories
cp [option] SOURCE DEST
cp file1.txt file2.txt
cp * /archive (the source = * ---> from the current directory; the destination = /archive)
cp /archive/* . (the source = /archive/* ; the destination = . ---> the current directory)

mv - The "mv" command is used to move or rename files and directories
mv file1.txt file2.txt
mv * /archive (the source = * ---> from the current directory; the destination = /archive)
mv /archive/* . (the source = /archive/* ; the destination = . ---> the current directory)

rm - The "rm" command is used to delete files and directories
ls
Dir1 file1.txt
rm file1.txt
ls
Dir1
rm -R Dir1
ls
You can use -R in order to remove a directory.

cd - The "cd" command is used to change directories
/home/oracle/myDir> pwd
/home/oracle/myDir
/home/oracle/myDir> cd ../
/home/oracle> cd myDir
/home/oracle/myDir>

mkdir - The "mkdir" command is used to create new directories
mkdir Mydir

find - The "find" command can be used to find the location of specific files
find $ORACLE_HOME -name listener.ora
/oracle/db/11.2/network/admin/samples/listener.ora

umask - The "umask" command can be used to set the file creation permissions for an (OS) user
The umask value is subtracted from the default permissions (666) to give the final / real permission:
666 : Default permission
002 : - umask value
664 : final permission

chmod - The "chmod" command can be used to change the file permissions
chmod 777 myfile.txt

Owner  Group  The others  Permission
7      7      7           read + write + execute
6      6      6           write + execute
5      5      5           read + execute
4      4      4           read only
2      2      2           write only
1      1      1           execute only

chown - The "chown" command is used to change the ownership of files
chown oracle:dba tnsnames.ora
chown -R oracle:dba /oracle/base

ps - The "ps" command lists current process information
ps -ef | grep smon

kill - The "kill" command stops a specific OS process
kill -9 3009
3009 is the process ID

uname - The "uname" command can be used to get information about the host
uname -a
AIX dev2rac 3 5 00C7FE6E4C00
AIX = the OS
dev2rac = hostname
3 = OS release
5 = OS version

gzip - The Linux / UNIX / AIX version of the zip utility
gzip file1
gunzip file1.gz

compress - Another Linux / UNIX / AIX utility used to compress a file.
compress file1
uncompress file1.Z

Size of database

SELECT SUM (a.log_space + b.data_space + c.tempspace) "Total_DB_Size (G)"
FROM (SELECT ROUND (SUM (BYTES/1024/1024/1024), 2) data_space FROM dba_data_files) b,
     (SELECT ROUND (SUM (BYTES*members/1024/1024/1024), 2) log_space FROM v$log) a,
     (SELECT NVL(ROUND(SUM(BYTES/1024/1024/1024),2), 0) tempspace FROM dba_temp_files) c;

Snapshot information

SELECT snap_id, TO_CHAR (snap_time, 'DD.MM.YYYY HH24:MI:SS') "Date/Time", session_id, serial#
FROM stats$snapshot
ORDER BY snap_time DESC;
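
Referring back to the umask and chmod entries above: the following shell snippet is an added example, not part of the original notes. It creates a file under several umask values and compares the real mode with the bitwise rule (666 AND NOT umask) and with plain octal subtraction; the two agree for 002 and 022 but not for masks that contain execute bits, such as 027 or 077. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not from the notes.

# mode_with_umask MASK
# Create a file under MASK in a scratch directory and print its
# permission string as ls -l shows it (first 10 characters).
mode_with_umask() {
    (
        umask "$1"
        dir=$(mktemp -d) || exit 1
        : > "$dir/newfile"      # shell redirection requests mode 666
        ls -l "$dir/newfile" | cut -c1-10
        rm -rf "$dir"
    )
}

# bitwise_mode MASK
# What the OS actually does: clear every permission bit set in MASK.
bitwise_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# subtracted_mode MASK
# The octal subtraction shortcut, for comparison.
subtracted_mode() {
    printf '%03o\n' $(( 0666 - 0$1 ))
}

# 002 and 022 are common defaults; 027 and 077 are the stricter masks
# usually chosen for accounts that write trace files, wallets or backups.
for m in 002 022 027 077; do
    printf 'umask %s  real %s  bitwise %s  subtraction %s\n' \
        "$m" "$(mode_with_umask "$m")" \
        "$(bitwise_mode "$m")" "$(subtracted_mode "$m")"
done
```

With umask 027 a new file is created as 640 and with 077 as 600, so check the result with ls -l rather than relying on subtraction when choosing a restrictive mask.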

Oracle trace in database: enable/disable, level

Level / How it is enabled

Level 1 (Current session)
ALTER SESSION SET sql_trace = true;
ALTER SESSION SET TRACEFILE_IDENTIFIER = '<TRACEID>';

Level 2 (Another session)
select sid, serial# from v$session where ...

SID  SERIAL#
---- ----------
11   13442

execute dbms_system.set_sql_trace_in_session (<SID>, <SERIAL#>, true);

Database level
a) Modify init.ora by adding sql_trace = true;
b) ALTER SYSTEM SET SQL_TRACE = TRUE SCOPE=MEMORY; (if spfile is used)

Comments:
a) The default name for a trace file is INSTANCE_PID_ora_TRACEID.trc where:
· INSTANCE is the name of the Oracle instance;
· PID is the operating system process ID (V$PROCESS.OSPID);
· TRACEID is a character string of your choosing.
b) Don’t forget to enable Timed Statistics before enabling tracing (it is mandatory): ALTER SYSTEM SET TIMED_STATISTICS = TRUE;
c) The output trace file is written to the user_dump_dest directory. (SHOW PARAMETERS user_dump_dest: to see the value of the user_dump_dest initialization parameter.)
d) The trace output is quite unreadable. Oracle provides a utility (TKProf) to interpret the output (trace) file.