Despite the -auto_login_local improvement, the basic problem of the wallet being under the control of the Oracle
software owner account still remains. A trivial attack on the Oracle wallet would still be to delete or corrupt the wallet
from the DB using JAVA_ADMIN, and in fact it is still possible to modify the wallet so that it will work from a remote
location quite easily. Because the Oracle software owner also owns the wallet, a DB session can be used to delete
the wallet. If the wallet is being used to log on for security monitoring, then that monitoring will no longer work.
The security power hierarchy should be such that root secures Oracle, and Oracle secures the application, which is
effectively a firewall between the users and the database. The Oracle wallet is using Oracle to secure Oracle, which is
its basic flaw.
Maintaining access to the database from the operating system is critical so that root can manage the DB
without interference from the DB itself. On that note, I was a little concerned to read that Oracle was planning
to move away from operating system access to the DB, and specifically to PDBs. I have noticed that there are
sometimes localized rumors like this, which then turn out to be false. I think, and strongly hope, that rumors of
direct access's death are exaggerated.
Unix Access to SYS in 12c
Oracle has always enabled local operating system access. Such access comes through the connect internal
command and the / as sysdba option. But how do we access a PDB directly from Unix? Can we still do that? First, what
about Unix access to the CDB?
If you find that your 12c database does not allow / as sysdba to the CDB, it could be due to multi-threading
being switched on. 12c introduces a multi-threading option to take advantage of the CDB/PDB architecture
efficiencies (note: this is different from shared server in previous releases). Let's investigate multi-threading in 12c.
How can we tell if our 12c DB is using multi-threading? Try to log on as /:
[oracle@orlin ~]$ sqlplus / as sysdba
SQL*Plus: Release 12.1.0.1.0 Production on Sun Dec 22 23:35:27 2013
Copyright (c) 1982, 2013, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Run the following grep command. If it returns only a few lines, the DB is combining multiple threads into single
processes. If multi-threading is not being used, you will see over 20 processes. For example, the following is
multi-threaded:
[oracle@orlin ~]$ ps -ef | grep [o]ra_
oracle 28452 1 0 23:30 ? 00:00:00 ora_pmon_orcl3
oracle 28454 1 0 23:30 ? 00:00:00 ora_psp0_orcl3
oracle 28456 1 0 23:30 ? 00:00:04 ora_vktm_orcl3
oracle 28460 1 0 23:30 ? 00:00:01 ora_u004_orcl3
oracle 28466 1 2 23:30 ? 00:00:15 ora_u005_orcl3
oracle 28472 1 0 23:30 ? 00:00:00 ora_dbw0_orcl3
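The same check as a script, as an added example that is not from the original text: it groups the ora_ background processes in ps -ef output by SID and applies the "over 20 processes" rule stated above. Treating ora_uNNN names as a sign of multi-threading is an assumption drawn from the listing above, the function names are hypothetical, and the sample input is constructed from that listing.

```shell
#!/bin/sh
# Added example: classify Oracle instances from `ps -ef` output read on stdin.
# Prints one line per SID: "<sid> <ora_ process count> <ora_uNNN count> <verdict>"
# Heuristic only; confirm against the instance parameter itself.

classify_oracle_procs() {
    # $1 = process-count threshold (default 20, the figure given in the text)
    awk -v threshold="${1:-20}" '
    {
        name = $NF                              # command name is the last ps field
        if (name !~ /^ora_[a-z0-9]+_/) next     # skip grep, server processes, etc.
        rest = substr(name, 5)                  # drop the "ora_" prefix
        cut  = index(rest, "_")
        bg   = substr(rest, 1, cut - 1)         # background name, e.g. pmon, u004
        sid  = substr(rest, cut + 1)            # instance SID, e.g. orcl3
        total[sid]++
        # Assumption: uNNN names (u004, u005 in the listing) hold the threads.
        if (bg ~ /^u[0-9][0-9][0-9]$/) cont[sid]++
    }
    END {
        for (sid in total) {
            if (total[sid] > threshold)  verdict = "not-threaded"
            else if (cont[sid] > 0)      verdict = "multi-threaded"
            else                         verdict = "inconclusive"
            printf "%s %d %d %s\n", sid, total[sid], cont[sid] + 0, verdict
        }
    }' | sort
}

# Constructed sample: the six lines of the listing shown in the text.
sample_ps() {
    cat <<'EOF'
oracle 28452 1 0 23:30 ? 00:00:00 ora_pmon_orcl3
oracle 28454 1 0 23:30 ? 00:00:00 ora_psp0_orcl3
oracle 28456 1 0 23:30 ? 00:00:04 ora_vktm_orcl3
oracle 28460 1 0 23:30 ? 00:00:01 ora_u004_orcl3
oracle 28466 1 2 23:30 ? 00:00:15 ora_u005_orcl3
oracle 28472 1 0 23:30 ? 00:00:00 ora_dbw0_orcl3
EOF
}

sample_ps | classify_oracle_procs    # on a live host: ps -ef | classify_oracle_procs
```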
Let's get a bit more scientific and check the relevant parameter directly. The parameter is named
threaded_execution, and here is one way to check its current value:
SYS@orcl3>sqlplus sys/a@192.168.1.3/orcl3 as sysdba
SQL*Plus: Release 12.1.0.1.0 Production on Sun Dec 22 23:45:08 2013
Copyright (c) 1982, 2013, Oracle. All rights reserved.
 