Saturday, May 24, 2008

How to Secure Oracle 10g/11g Enterprise Manager for SSL

Recently a poster on the Oracle Forums (forums.oracle.com) asked a question on how to secure Oracle 10g Database Control for Enterprise Manager (OEM) with SSL. I had to do this for some military customers when we migrated to secured networks for Oracle 10g.


According to the Oracle documentation and various tips from Oracle Metalink, Oracle uses wallets to secure OEM over SSL.

The emctl secure commands provide the tools to set up wallet-based security with SSL and lock down the Oracle 10g Database Control or Grid Control environment.

Reference
Oracle® Enterprise Manager Advanced Configuration
10g Release 2 (10.2)

The emctl secure agent utility performs the following actions:

* Obtains an Oracle Wallet from the Management Service that contains a unique digital certificate for the Management Agent. This certificate is required in order for the Management Agent to conduct SSL communication with the secure Management Service.

* Obtains an Agent Key for the Management Agent that is registered with the Management Service.

* Configures the Management Agent so it is available on your network over HTTPS and so it uses the Management Service HTTPS upload URL for all its communication with the Management Service.

To enable Enterprise Manager Framework Security for the Management Agent:

1. Ensure that your Management Service and the Management Repository are up
and running.
2. Change directory to the following directory:


AGENT_HOME/bin (UNIX)
AGENT_HOME\bin (Windows)


3. Stop the Management Agent:


PROMPT> ./emctl stop agent


4. Enter the following command:


PROMPT> ./emctl secure agent (UNIX)
PROMPT> emctl secure agent (Windows)


The emctl secure agent utility prompts you for the Agent Registration Password, authenticates the password against the Management Service, and reconfigures the Management Agent to use Enterprise Manager Framework Security.

Note:
Alternatively, you can enter the command all on one line, but if you enter the command on one line, the password you enter will be displayed on the screen as you type:


PROMPT> ./emctl secure agent agent_registration_pwd (UNIX)
PROMPT> emctl secure agent agent_registration_pwd (Windows)


Here is the usage output showing the various options of the emctl secure command:


C:\>emctl secure
Oracle Enterprise Manager 10g Database Control Release 10.2.0.1.0

Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.

Usage :
secure oms -sysman_pwd -reg_pwd [-host ] [-reset] [-secure_port ]
secure agent
secure em
secure dbconsole []
secure setpwd
secure status [oms url]
secure lock | unlock

In this case, I have Oracle 10g on Windows XP with Database Control for EM.
Here is an example:

C:\>emctl secure dbconsole oracle oracle karma

Oracle Enterprise Manager 10g Database Control Release 10.2.0.1.0
Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.

http://karma:5500/em/console/aboutApplication

Checking Repository... Done.
Checking Repository for an existing Enterprise Manager Root Key... Done.
Generating Enterprise Manager Root Key (this takes a minute)... Done.
Fetching Root Certificate from the Repository... Done.
Generating Registration Password Verifier in the Repository... Done.
Updating HTTPS port in emoms.properties file... Done.
Generating Java Keystore...Certificate was added to keystore
Certificate reply was installed in keystore
Done.
Securing OMS ... Done.
Generating Oracle Wallet Password for Agent.... Done.
Generating wallet for Agent ... Done.
Copying the wallet for agent use... Done.
Storing agent key in repository... Done.
Storing agent key for agent ... Done.
Configuring Agent...
Configuring Agent for HTTPS... Done.
EMD_URL set in C:\oracle\product\10.2.0\db_1/karma_orcl/sysman/config/emd.properties
Configuring Agent ... Done.
Configuring Key store.. Done.
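
The output above reports that EMD_URL was set in emd.properties, and the documentation excerpt says the agent is reconfigured to use the HTTPS upload URL. As an added example (not part of the original post or Oracle's tooling), this script checks both settings in a properties file; the REPOSITORY_URL property name, the file contents and the port numbers are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check that an agent's
# emd.properties uses HTTPS after "emctl secure".
# Assumption: REPOSITORY_URL is the property holding the upload URL.

# Print the value of property $2 from Java-style properties file $1.
# Skips comments, tolerates spaces around "=", undoes "\:" escaping,
# strips trailing whitespace/CR; the last definition wins.
prop_value() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed -e 's/\\:/:/g' -e 's/[[:space:]]*$//'
}

# Return 0 only if both URL properties are present and start with https://.
check_agent_https() {
    rc=0
    for key in EMD_URL REPOSITORY_URL; do
        val=$(prop_value "$1" "$key")
        case $val in
            https://*) echo "OK    $key=$val" ;;
            '')        echo "FAIL  $key is not set"; rc=1 ;;
            *)         echo "FAIL  $key=$val (not HTTPS)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: host "karma" is from the post, ports are made up.
write_samples() {
    printf '%s\r\n' '# before emctl secure (CRLF line endings)' \
        'REPOSITORY_URL=http://karma:4889/em/upload/' \
        'EMD_URL=http://karma:3938/emd/main/' > "$1/unsecured.properties"
    printf '%s\n' '# after emctl secure' \
        'REPOSITORY_URL = https\://karma\:1159/em/upload/' \
        'EMD_URL=https://karma:3938/emd/main/' > "$1/secured.properties"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.properties; do
    echo "== ${f##*/}"
    check_agent_https "$f" || echo "-> agent is not fully secured"
done
rm -rf "$tmp"
```

To use it against a real installation, call check_agent_https with the emd.properties path printed by emctl; a non-zero exit status means at least one URL is missing or still plain HTTP.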

Saturday, May 17, 2008

Virtualization with Oracle 11gR1 and Oracle VM

I am excited about the Oracle focus on virtualization for database servers.

As a consultant, I like using virtual servers as test servers on my laptop, which comes in handy for demos and testing.

Here are details from the Oracle Virtual Site:



Installing and Configuring Oracle Enterprise Linux 5 with Oracle Database 11g Release 1 as a Paravirtualized Machine (PVM) on an Oracle VM Server

I encourage fellow Oracle professionals to explore the future with the Oracle virtual server technology!

Wednesday, May 14, 2008

Support for third party database migrations to Oracle Using SQL Developer

As you may or may not be aware, in the past year or so I have been busy writing a book on database migrations to Oracle 10g/11g using the freely available migration tools from Oracle. Originally these tools were in the form of what is called the Oracle Migration Workbench, or OMWB for short. In 2006, Oracle released a development environment called SQL Developer.

Oracle has added migration tools to its flagship development product, SQL Developer (called Raptor in its first beta version), which will be the focus for migration and development tasks.

However, there are a few gotchas with the SQL Developer tool in terms of third-party migrations. Based on my discussions with product management on the SQL Developer team at Oracle, there is as yet no support in SQL Developer for IBM DB2 UDB and Informix migrations to Oracle. So, in spite of what Oracle may say, you still need to use the Oracle Migration Workbench if you wish to migrate off of IBM DB2 UDB or Informix to Oracle. After a brief chat with Sue Harper, who is the product manager at Oracle for SQL Developer, she was kind enough to let me know that support for Informix and IBM DB2 migrations to Oracle is coming eventually in a future release of SQL Developer.