Showing posts with label security. Show all posts

Friday, September 14, 2018

ORA-28086: The data redaction policy expression has an error When Cursor Sharing is Force

Adding a policy using DBMS_REDACT on 11.2.0.4 fails when cursor_sharing is set to FORCE. The latest PSU available for this DB version had already been applied, but that did not resolve the issue. The current patch level:
SQL> select comments from dba_registry_history;

COMMENTS
----------------------------------------
PSU 11.2.0.4.180717
Cursor sharing mode:
SQL> show parameter cursor_sharing

NAME            TYPE     VALUE
--------------- -------- ---------
cursor_sharing  string   FORCE
Adding a policy with DBMS_REDACT fails with the following error:
SQL>  BEGIN
  2    DBMS_REDACT.add_policy(
  3      object_schema => 'asanga',
  4      object_name   => 'cc_details',
  5      column_name   => 'cc_no',
  6      policy_name   => 'redact_card_info',
  7      function_type => DBMS_REDACT.full,
  8      expression  => 'SYS_CONTEXT(''TOP_SEC'',''APP_USER'') <> ''asanga'' or SYS_CONTEXT(''TOP_SEC'',''APP_USER'') IS NULL'
  9    );
 10  END;
 11  /
 BEGIN
*
ERROR at line 1:
ORA-28086: The data redaction policy expression has an error.
ORA-28087: The policy expression has an unsupported (use of) operator 'SYS_CONTEXT'.
ORA-06512: at "SYS.DBMS_REDACT_INT", line 3
ORA-06512: at "SYS.DBMS_REDACT", line 42
ORA-06512: at line 2
As a workaround, change cursor_sharing to EXACT and run the ADD_POLICY call again. Confirm that the policy was created by querying REDACTION_POLICIES (and REDACTION_COLUMNS for the function type applied to the column).

If the cursor sharing mode cannot be changed, apply patch 20693579, which allows DBMS_REDACT.ADD_POLICY to work even when cursor_sharing is set to FORCE.

Related Metalink Notes
Bug 20693579 DBMS_REDACT.ADD_POLICY fails with ORA-28086 when CURSOR_SHARING is force [ID 20693579.8]
Data Redaction Package DBMS_REDACT not valid after upgrading to 11.2.0.4 [ID 1945055.1]
Create Data Redaction Policy returns error ORA-06521: PL/SQL: Error mapping function, ORA-06512: at "SYS.DBMS_REDACT_INT", line 3 [ID 2222699.1]

Wednesday, June 1, 2016

Secure External Password Store and Oracle Restart with Role Separation

Oracle Secure External Password Store (SEPS) stores the credentials needed for a database connection in a client-side Oracle wallet. It allows password-less connections to the database and is useful for running scripts without having to put passwords in them. A secure external password store can be set up as follows.
Create a wallet (usually in TNS_ADMIN, but it can be in a different location as well). Note that passing the wallet password with -pwd, as below, leaves it in the shell history and in the process list while the command runs; omit -pwd and orapki prompts for it instead.
cd $ORACLE_HOME/network/admin/

orapki wallet create -wallet . -pwd "welcome1" -auto_login_local
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

[oracle@rhel7 admin]$ ls
cwallet.sso  ewallet.p12  samples  shrept.lst  tnsnames.ora
The "auto_login_local" option prevents the wallet from being copied to another host and used there (1114599.1). It also ties the wallet to the operating system user that created it, so other users on the same host cannot use it either (1505040.1). Next create a credential; here std11g2 is a TNS entry that exists in the tnsnames.ora file, and asanga and asa are the username and password (the database password passed on the command line is likewise visible in the shell history and, briefly, in ps output):
mkstore -wrl . -createCredential std11g2 asanga asa
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Create credential oracle.security.client.connect_string1
Add the wallet location to the sqlnet.ora file and set SQLNET.WALLET_OVERRIDE to TRUE, which makes the user names and passwords stored in the wallet be used for authentication:
more sqlnet.ora
WALLET_LOCATION =
    (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY = /opt/app/oracle/product/11.2.0/dbhome_4/network/admin))
)

SQLNET.WALLET_OVERRIDE = TRUE
The existing credentials can be listed with the following command:
mkstore -wrl . -listCredential
Oracle Secret Store Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
1: std11g2 asanga
With the secure external password store now set up, one can connect to the database without specifying the password, as shown below:
[oracle@rhel7 orawallet]$ sqlplus  /@std11g2

SQL> show user
USER is "ASANGA"
The problem is that when a secure external password store is set up for an Oracle Restart (single instance with ASM) database that has role separation (GI installed as the grid user and the DB installed as the oracle user), the database fails to start after a server restart and when srvctl is used. Below is the failure on an 11.2.0.4 setup:
srvctl start database -d std11g2
PRCR-1079 : Failed to start resource ora.std11g2.db
CRS-5017: The resource action "ora.std11g2.db start" encountered the following error:
ORA-01078: failure in processing system parameters
. For details refer to "(:CLSN00107:)" in "/opt/app/oracle/product/11.2.0/grid_4/log/rhel6m1/agent/ohasd/oraagent_grid//oraagent_grid.log".

CRS-2674: Start of 'ora.std11g2.db' on 'rhel6m1' failed
And on a 12.1.0.2 setup:
srvctl start database -d se2db
PRCR-1079 : Failed to start resource ora.se2db.db
CRS-5017: The resource action "ora.se2db.db start" encountered the following error:
ORA-01078: failure in processing system parameters
ORA-01565: error in identifying file '+DATA/se2db/spfilese2db.ora'
ORA-17503: ksfdopn:10 Failed to open file +DATA/se2db/spfilese2db.ora
ORA-12578: TNS:wallet open failed
. For details refer to "(:CLSN00107:)" in "/opt/app/oracle/diag/crs/rhel7/crs/trace/ohasd_oraagent_grid.trc".

CRS-2674: Start of 'ora.se2db.db' on 'rhel7' failed
MOS notes 1612712.1 and 1383938.1 say to set the wallet permissions to 750 for this issue, but that did not work.

Further investigation of the issue produced the following observations:
1. The problem does not happen when both the grid home and the Oracle home are installed under one user (usually the oracle user).
2. The problem does not happen in RAC environments, even when the grid home and the Oracle home are installed as different users (grid home as the grid user, Oracle home as the oracle user).
3. The problem only happens in single instance (Oracle Restart) environments (tested on 12c and 11.2.0.4) where the grid home is owned by the grid user and the Oracle home by the oracle user.
The trace file shows that srvctl fails to connect to the idle instance to start the database:
2016-03-30 11:11:12.474778 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] clsnInstConnection::makeConnectStr UsrOraEnv ,ORACLE_BASE= m_oracleHome /opt/app/oracle/product/12.1.0/dbhome_2 Crshome /opt/app/oracle/product/12.1.0/grid
2016-03-30 11:11:12.474822 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] makeConnectStr = (DESCRIPTION=(ADDRESS=(PROTOCOL=beq)(PROGRAM=/opt/app/oracle/product/12.1.0/dbhome_2/bin/oracle)(ARGV0=oraclese2db)(ENVS='ORACLE_HOME=/opt/app/oracle/product/12.1.0/dbhome_2,ORACLE_SID=se2db,LD_LIBRARY_PATH=,ORACLE_BASE=')(ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))')(CONNECT_DATA=(SID=se2db))))
2016-03-30 11:11:12.475460 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstAgent::stop non pool pConnxn 1 9434f9e0
2016-03-30 11:11:12.475519 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::connectInt: server not attached
2016-03-30 11:11:13.498240 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection:connectInt connected
2016-03-30 11:11:13.498315 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::shutdown mode 4
2016-03-30 11:11:13.499364 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0

2016-03-30 11:11:13.499453 :CLSDYNAM:2930841344: [ora.se2db.db]{0:0:45668} [start] InstConnection::disassociateEdition OCI error 1034
Next, starting the database was tested with a wallet created without the "local" option. As mentioned earlier, the local option prevents the wallet from being used on another host and ties it to the OS user. On 11.2.0.4:
orapki wallet create -wallet . -pwd "welcome1" -auto_login
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

srvctl start database -d std11g2
srvctl status database -d std11g2
Database is running.
On 12.1.0.2:
orapki wallet create -wallet . -pwd "welcome1" -auto_login
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

srvctl start database -d se2db
srvctl status database -d se2db
Database is running.
So the problem appears to be the use of auto_login_local, since there is no issue when auto_login is used. The wallet was not moved to a different server, so the only remaining reason a wallet created with auto_login_local could prevent the DB from starting is that the start command is executed by a user other than the one the wallet is tied to. Here the wallet was created as the oracle user and srvctl start was executed as the oracle user, so it appears that the grid user gets involved in starting the DB even when srvctl is run as oracle (why the same does not happen in a role-separated RAC configuration is under SR). Simply dropping the local option is not a satisfactory fix, as it gives up the host and OS user binding that protects the wallet from being copied and used elsewhere.
So the solution in this case was to create an empty wallet as the grid user and set its permissions to 750:
[grid@rhel7 wallet]$ orapki wallet create -wallet . -pwd "welcome1" -auto_login_local
[grid@rhel7 wallet]$ chmod 750 cwallet.sso ewallet.p12
[grid@rhel7 wallet]$ ls -lrt
-rw-rw-rw-. 1 grid   oinstall     0 Apr 15 17:35 ewallet.p12.lck
-rwxr-x---. 1 grid   oinstall    75 Apr 15 17:35 ewallet.p12
-rw-rw-rw-. 1 grid   oinstall     0 Apr 15 17:35 cwallet.sso.lck
-rwxr-x---. 1 grid   oinstall   120 Apr 15 17:35 cwallet.sso
No credentials are added to this wallet, so there is nothing to list:
[grid@rhel7 wallet]$  mkstore -wrl . -listCredential
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
This wallet is in a non-default location, and that location was added to the $ORACLE_HOME/network/admin/sqlnet.ora file (not to $GI_HOME/network/admin/sqlnet.ora):
pwd
/opt/app/oracle/product/12.1.0/dbhome_2/network/admin

more sqlnet.ora
WALLET_LOCATION =
    (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY = /usr/local/wallet))
)

SQLNET.WALLET_OVERRIDE = TRUE
With this setup in place, srvctl works fine and the database starts automatically after restarts. However, password-less access now fails, as the wallet referenced from sqlnet.ora is owned by the grid user:
[oracle@rhel7 orawallet]$ sqlplus  /@se2db

ERROR:
ORA-12578: TNS:wallet open failed
To fix this, create another wallet, holding the credentials, in a different location as the oracle user:
ls /usr/local/wallet/orawallet

-rwxrwx---. 1 oracle oinstall 528 Apr 15 17:20 ewallet.p12
-rwxrwx---. 1 oracle oinstall 573 Apr 15 17:20 cwallet.sso
Create another sqlnet.ora file in the same directory (orawallet) with this directory as the wallet location:
WALLET_LOCATION =
    (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY = /usr/local/wallet/orawallet))
)

SQLNET.WALLET_OVERRIDE = TRUE
Whenever password-less access using the external password store is needed, export this location as TNS_ADMIN and connect:
export TNS_ADMIN=/usr/local/wallet/orawallet
sqlplus  /@se2db

SQL> show user
USER is "ASANGA"
If any database scripts require password-less access, export TNS_ADMIN to the location of the second sqlnet.ora file before running them.
Why auto_login_local fails this way in Oracle Restart with role separation is still under SR.
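The role-separated layout above, as an added helper script (not from the original post): it writes the two sqlnet.ora files, checks that each wallet is owned by the user expected to open it and is not group or world writable, and wraps a password-less sqlplus call with TNS_ADMIN pointed at the oracle user's wallet directory. The paths, the grid and oracle user names and the se2db connect string are taken from the post; the permission policy (750 as in the post, or tighter) is an assumption.

```bash
#!/bin/bash
# seps_role_sep.sh - added example, not part of the original post.
# Layout from the post (paths are those used there, adjust as needed):
#   GRID_WALLET_DIR  empty wallet owned by grid, referenced from
#                    $ORACLE_HOME/network/admin/sqlnet.ora so that the
#                    Oracle Restart agent can open it
#   ORA_WALLET_DIR   wallet owned by oracle holding the credentials, with
#                    its own sqlnet.ora, used by scripts via TNS_ADMIN
GRID_WALLET_DIR=${GRID_WALLET_DIR:-/usr/local/wallet}
ORA_WALLET_DIR=${ORA_WALLET_DIR:-/usr/local/wallet/orawallet}

# Write a sqlnet.ora in $1 that points WALLET_LOCATION at $2.
write_sqlnet_ora() {
  local target_dir=$1 wallet_dir=$2
  cat > "$target_dir/sqlnet.ora" <<EOF
WALLET_LOCATION =
    (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA = (DIRECTORY = $wallet_dir))
)

SQLNET.WALLET_OVERRIDE = TRUE
EOF
}

# Octal permission bits and owner of a file, e.g. "750 grid".
file_mode_owner() {
  stat -c '%a %U' "$1"
}

# Check one wallet file: owned by $2, and neither group- nor world-writable
# (assumption: 750 as in the post, or tighter, is acceptable; the .lck files
# orapki creates are left alone).
check_wallet_file() {
  local file=$1 expected_owner=$2 mo mode owner
  mo=$(file_mode_owner "$file") || return 1
  mode=${mo%% *}
  owner=${mo#* }
  if [ "$owner" != "$expected_owner" ]; then
    echo "$file: owned by $owner, expected $expected_owner" >&2
    return 1
  fi
  # last two octal digits are group and other; 2 is the write bit
  local group=$(( (8#$mode / 8) % 8 )) other=$(( 8#$mode % 8 ))
  if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
    echo "$file: mode $mode is group or world writable" >&2
    return 1
  fi
  return 0
}

# Check both files of a wallet directory $1 against owner $2.
check_wallet_dir() {
  local dir=$1 owner=$2 f
  for f in cwallet.sso ewallet.p12; do
    check_wallet_file "$dir/$f" "$owner" || return 1
  done
}

# Run a SQL script password-less through the oracle-owned wallet.
# $1 = connect string stored in the wallet (e.g. se2db), $2 = SQL file.
run_with_seps() {
  TNS_ADMIN=$ORA_WALLET_DIR sqlplus -s "/@$1" @"$2"
}

# Example use, as the oracle user (the grid wallet itself is created by grid):
#   write_sqlnet_ora "$ORACLE_HOME/network/admin" "$GRID_WALLET_DIR"
#   write_sqlnet_ora "$ORA_WALLET_DIR" "$ORA_WALLET_DIR"
#   check_wallet_dir "$GRID_WALLET_DIR" grid && check_wallet_dir "$ORA_WALLET_DIR" oracle
#   run_with_seps se2db nightly_report.sql
```

The ownership check is the point of the whole post: the agent-side wallet must belong to grid and the credential wallet to oracle, and a group- or world-writable wallet file would let any member of oinstall replace the stored credentials.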

Useful metalink notes
Using a Secure External Password Store with the JDBC Thin Driver [ID 1441745.1]
Using The Secure External Password Store [ID 340559.1]
How To Avoid Expdp And Impdp Passwords Being Visible By "ps" Unix Command? [ID 869825.1]
How To Prevent The Secure Password Store Wallet From Being Moved to Another Host [ID 1114599.1]
Oracle Cluster failed to start with ASM instance getting ORA-00443 [ID 2000868.1]
Database Failed To Start [ID 1922401.1]
Oracle Restart: srvctl fails to start database with error CRS-5010 if RDBMS and Grid under different users [ID 1335607.1]
How to configure SEPS for the pluggable databases [ID 1980698.1]
Bug 11706168 - ORA-00000 during STARTUP with SQLNET.WALLET_OVERRIDE=TRUE [ID 11706168.8]
How To Configure The Secure External Password Store To Allow The Connection To RMAN Catalog? [ID 1383938.1]
ORA-15055 and ORA-12578 on database startup with external wallet store [ID 1612712.1]
How To Check Whether The Wallet Is A Local Auto Login Wallet [ID 1505040.1]

Monday, July 29, 2013

Connect Through - Connect Without Knowing the Password

At times it may be necessary to grant access to a database schema without giving out the password for that login. Proxy authentication (granting connect through) is useful in such cases. The example below demonstrates the usage. Assume appadmin is the main application user and appguest is the user who will be granted access to the appadmin schema.
SQL> create user appadmin identified by appadmin;
User created.

SQL> create user appguest identified by appguest;
User created.

SQL> grant connect to appadmin;
Grant succeeded.

SQL> grant connect to appguest;
Grant succeeded.
Allow appguest to connect through to appadmin:
SQL> alter user appadmin grant connect through appguest;
User altered.
With this in place, appguest can connect as appadmin without specifying the appadmin password:
SQL>  conn appguest[appadmin]/appguest
Connected.
SQL> show user
USER is "APPADMIN"
The password specified above is the password of the appguest user, and the connected schema is the appadmin schema. Inside the session SYS_CONTEXT('USERENV','PROXY_USER') returns APPGUEST while SYS_CONTEXT('USERENV','SESSION_USER') returns APPADMIN, which is what auditing should key on to tell proxy sessions apart from direct appadmin logins. If the guest should not receive all of appadmin's privileges, the WITH ROLE clause of ALTER USER ... GRANT CONNECT THROUGH limits the proxy session to the listed roles.

For JDBC proxy connections refer to the following metalink notes:
How to use Proxy Users to connect to a Database using Credential Mapping or User Injection. [1529978.1]
How to Ensure USER Session Variable Accurately Reflects "real" User When Using Proxy Authentication with JDBC [431202.1]

Sunday, December 16, 2012

java.sql.SQLRecoverableException: IO Error: Connection reset and /dev/urandom

The following stack trace was seen when the application server was starting:
java.sql.SQLRecoverableException: IO Error: Connection reset
        at oracle.jdbc.driver.T4CStatement.executeForDescribe(T4CStatement.java:886)
        at oracle.jdbc.driver.OracleStatement.executeMaybeDescribe(OracleStatement.java:1167)
        at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1289)
        at oracle.jdbc.driver.OracleStatement.executeQuery(OracleStatement.java:1491)
        at oracle.jdbc.driver.OracleStatementWrapper.executeQuery(OracleStatementWrapper.java:406)
        
Caused by: java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:168)
        at oracle.net.ns.Packet.receive(Packet.java:300)
        at oracle.net.ns.DataPacket.receive(DataPacket.java:106)
        at oracle.net.ns.NetInputStream.getNextPacket(NetInputStream.java:315)
        at oracle.net.ns.NetInputStream.read(NetInputStream.java:260)
        at oracle.net.ns.NetInputStream.read(NetInputStream.java:185)
        at oracle.net.ns.NetInputStream.read(NetInputStream.java:102)
        at oracle.jdbc.driver.T4CSocketInputStreamWrapper.readNextPacket(T4CSocketInputStreamWrapper.java:124)
        at oracle.jdbc.driver.T4CSocketInputStreamWrapper.read(T4CSocketInputStreamWrapper.java:80)
        at oracle.jdbc.driver.T4CMAREngine.unmarshalUB1(T4CMAREngine.java:1137)
        at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:290)
        at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
        at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
        at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:193)
        at oracle.jdbc.driver.T4CStatement.executeForDescribe(T4CStatement.java:873)
        ... 6 more
The application servers (6 of them) were running on RHEL 5 (x86_64), and as this was a new deployment there was little activity on the servers. The JDBC driver was 11.2.0.3.
The JDBC thin client on Linux reads from /dev/random (through the JVM's SecureRandom) when it sets up a connection, and the amount of activity on the system, the entropy collected by the kernel, determines how fast /dev/random can deliver random bytes. A good explanation of this is available here. When the entropy pool is depleted, reads from /dev/random block, so JDBC connection creation hangs until enough entropy has been gathered.


One of the solutions (more are available at the link above) is to make the JVM use /dev/urandom, which does not block and delivers random bytes even when little activity has been collected. (According to the link above, these values are "theoretically vulnerable to a cryptographic attack".)
The JVM can be pointed at /dev/urandom with a system property (the triple "/" is needed):
-Djava.security.egd=file:///dev/urandom
For some systems alternate formats of the URL may be needed; these are given in the metalink notes below. The commonly used alternative is file:/dev/./urandom, which some JDK releases require because they treat the plain file:/dev/urandom value the same as /dev/random.
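An added diagnostic script for the situation above (not from the original post) that can be run on each app server before changing anything: it reads the kernel's available entropy, reports which SecureRandom source the installed JRE is configured with in its java.security file, tries a small read from /dev/urandom and /dev/random under a timeout, and prints the JVM option to add. The low watermark and the java.security path are assumptions.

```bash
#!/bin/bash
# entropy_check.sh - added example, not part of the original post.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
LOW_WATERMARK=${LOW_WATERMARK:-200}   # assumption: pools this small make /dev/random readers wait
READ_TIMEOUT=${READ_TIMEOUT:-3}        # seconds to wait on a blocking read
READ_BYTES=32

# Current size of the kernel entropy pool, or -1 if it cannot be read.
entropy_available() {
  cat "$ENTROPY_FILE" 2>/dev/null || echo -1
}

# 0 when the pool is below the watermark (or unreadable), 1 when it looks healthy.
pool_is_low() {
  local avail=$1
  [ "$avail" -lt "$LOW_WATERMARK" ]
}

# Try to read READ_BYTES bytes from device $1 within READ_TIMEOUT seconds.
# Prints "ok" or "blocked"; /dev/urandom is expected to be "ok" always.
probe_device() {
  local dev=$1
  if timeout "$READ_TIMEOUT" dd if="$dev" of=/dev/null bs="$READ_BYTES" count=1 2>/dev/null; then
    echo ok
  else
    echo blocked
  fi
}

# SecureRandom seed source configured in a java.security file ($1), i.e. the
# value of securerandom.source; empty if the file has no such line.
jre_securerandom_source() {
  sed -n 's/^securerandom\.source=\(.*\)$/\1/p' "$1" 2>/dev/null | head -n 1
}

# JVM option that overrides java.security. The post uses file:///dev/urandom;
# file:/dev/./urandom is the alternate form needed on JDK builds that treat
# file:/dev/urandom the same as /dev/random.
java_egd_option() {
  local form=${1:-triple-slash}
  case $form in
    triple-slash) echo '-Djava.security.egd=file:///dev/urandom' ;;
    dot)          echo '-Djava.security.egd=file:/dev/./urandom' ;;
    *)            return 1 ;;
  esac
}

# Report for one host; $1 = path to the JRE's java.security (assumed default).
report() {
  local sec_file=${1:-$JAVA_HOME/jre/lib/security/java.security}
  local avail
  avail=$(entropy_available)
  echo "entropy_avail=$avail (watermark $LOW_WATERMARK)"
  echo "urandom read: $(probe_device /dev/urandom)"
  echo "random read:  $(probe_device /dev/random)"
  echo "java.security securerandom.source=$(jre_securerandom_source "$sec_file")"
  if pool_is_low "$avail"; then
    echo "pool is low: start the JVM with $(java_egd_option triple-slash)"
  fi
}

# Usage: bash entropy_check.sh --run [/path/to/java.security]
case "${1:-}" in
  --run) report "${2:-}" ;;
esac
```

A "blocked" result for /dev/random together with a securerandom.source of file:/dev/random is the combination that produces the hang described above; the urandom probe should never block, which is why the option switches the JVM to it.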

Useful metalink notes
ODI Receives Timeout Messages On Linux x86 With Java 1.5 Onwards [ID 1277360.1]
Oracle Service Registry 11.1 Fails To Install with 'java.sql.SQLRecoverableException: IO Error: Connection reset' Error [ID 1343776.1]
JDBC 11.2.0.3 Application Fails With java.sql.SQLRecoverableException: IO Error: Connection reset [ID 1575238.1]

Friday, June 15, 2012

Implementing Class of Secure Transport (COST) to Restrict Instance Registration in Oracle 11gR2 SE RAC (Solution mentioned in Oracle Security Alert for CVE-2012-1675)

This post covers implementing the solution for the vulnerability in Oracle Security Alert for CVE-2012-1675 (the TNS listener "poison" issue, where a remote system can register an instance with the listener). There is another post for 11gR1; this one is specific to 11gR2.
The metalink note for applying the solution in a RAC environment is Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1].
However, this solution fails on a Standard Edition RAC environment, as the Standard Edition Oracle binaries are not linked with the TCPS protocol adapter. The Standard Edition RAC environment created on RHEL 6 is used here.
All the steps in section 1 of 1340831.1 up to step 1.4 work the same on SE as on EE; the problem is encountered at step 1.5.
As the oracle user (this is a role-separated environment), try to set the TCPS protocol for the remote listener using the SCAN IP:
show parameter remote_listener

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      rhel6m-scan:1521
This environment uses only one SCAN IP (not recommended by Oracle):
srvctl config scan
SCAN name: rhel6m-scan, Network: 1/192.168.0.0/255.255.255.0/eth0
SCAN VIP name: scan1, IP: /rhel6m-scan/192.168.0.91
Trying to set TCPS gives the following error:
SQL> alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523)))' scope=both sid='*';
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523)))' scope=both sid='*'
*
ERROR at line 1:
ORA-02097: parameter cannot be modified because specified value is invalid
ORA-00119: invalid specification for system parameter REMOTE_LISTENER
ORA-00130: invalid listener address
'(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523))'
The error messages here do not help much, as they do not say which part of the address is invalid, unlike 11gR1, which mentioned an invalid protocol. That it is indeed the protocol causing the problem can be confirmed by running the same command with TCP instead of TCPS, which works without error:
SQL> alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.91)(PORT=1523)))' scope=both sid='*';

System altered.
The solution is to relink the binaries with TCPS, as before. Stop all processes running out of the ORACLE_HOME:
srvctl stop home -o $ORACLE_HOME -s status -n `hostname -s`
Change into $ORACLE_HOME/lib, make a backup of the existing libntcps11.a file and copy libntcps11_ee.a.dbl over it:
cp libntcps11.a libntcps11.a.orig
cp libntcps11_ee.a.dbl libntcps11.a
Execute relink all and monitor the log file:
$ relink all
writing relink log to: /opt/app/oracle/product/11.2.0/dbhome_1/install/relink.log
Relinking ends with the following text:
-L/opt/app/oracle/product/11.2.0/dbhome_1/lib
test ! -f /opt/app/oracle/product/11.2.0/dbhome_1/bin/oracle ||\
           mv -f /opt/app/oracle/product/11.2.0/dbhome_1/bin/oracle /opt/app/oracle/product/11.2.0/dbhome_1/bin/oracleO
mv /opt/app/oracle/product/11.2.0/dbhome_1/rdbms/lib/oracle /opt/app/oracle/product/11.2.0/dbhome_1/bin/oracle
chmod 6751 /opt/app/oracle/product/11.2.0/dbhome_1/bin/oracle
It is important to relink all the Oracle homes in the cluster; otherwise the error persists when the parameter is set for all instances (ORA-32008 names the instance whose home has not been relinked):
SQL> alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523)))' scope=both sid='*';
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523)))' scope=both sid='*'
*
ERROR at line 1:
ORA-32008: error while processing parameter update at instance std11g21
ORA-02097: parameter cannot be modified because specified value is invalid
ORA-00119: invalid specification for system parameter REMOTE_LISTENER
ORA-00130: invalid listener address
'(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523))'
To confirm that the relink has worked on a node, the same command can be executed for that instance only:
SQL> alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523)))' scope=both sid='std11g22';

System altered.
Once all Oracle homes are relinked, execute the original command:
SQL> alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.0.91)(PORT=1523)))' scope=both sid='*';

System altered.
The rest of the steps in 1340831.1 can be executed without any additional work.
If the libntcps11_ee.a.dbl file is missing, it can be obtained by extracting
database/stage/Components/oracle.network.rsf/11.2.0.3.0/1/DataFiles/filegroup5.jar

Related Post
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle SE RAC Fails (Solution mentioned in Oracle Security Alert for CVE-2012-1675)




Update on 11th November 2015
For database version 11.2.0.4, Oracle has introduced "Valid Node Checking for Registration (VNCR)" as an alternative to COST when the sole reason for implementing COST is preventing remote registration. MOS note 1340831.1 has been updated with this information. VNCR-related information can be found in the following docs:
How to Enable VNCR on RAC Database to Register only Local Instances [ID 1914282.1]
Valid Node Checking For Registration (VNCR) [ID 1600630.1]

Wednesday, May 9, 2012

Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle SE RAC Fails (Solution mentioned in Oracle Security Alert for CVE-2012-1675)

Oracle Security Alert CVE-2012-1675 mentions two metalink notes:
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1] for RAC systems and Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1] for non-RAC systems. The non-RAC solution works fine on both Oracle Enterprise and Standard Edition systems. But the solution given in 1340831.1 for "Oracle RAC versions prior to 11.2 (10.2.0.3 - 11.1)" cannot be implemented on Oracle Standard Edition RAC. After the wallet is created and patch 12880299 is applied, the metalink note says to add a line to listener.ora for the TCPS protocol and restart the listener. (This environment has separate homes for ASM and the DB, and the listener runs out of the ASM home.) The Oracle database version is 11.1.0.7.11.
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip)(PORT = 1521)(IP = FIRST))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip)(PORT = 1523)(IP = FIRST))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.0.85)(PORT = 1521)(IP = FIRST))
    )
  )

WALLET_LOCATION =
  (SOURCE =
   (METHOD = FILE)
    (METHOD_DATA =
     (DIRECTORY = /opt/app/oracle/product/11.1.0/asm_1/network/admin/cost)
    )
  )

#SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)
It then asks to stop and start the listener on that node. During the start of the listener the following error is shown on the command line:
$ASM_HOME/bin/srvctl start listener -n `hostname -s`
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:LSNRCTL for Linux: Version 11.1.0.7.0 - Production on 09-MAY-2012 15:01:38
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:Copyright (c) 1991, 2008, Oracle.  All rights reserved.
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:Starting /opt/app/oracle/product/11.1.0/asm_1/bin/tnslsnr: please wait...
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:TNSLSNR for Linux: Version 11.1.0.7.0 - Production
rac1:ora.rac1.LISTENER_RAC1.lsnr:System parameter file is /opt/app/oracle/product/11.1.0/asm_1/network/admin/listener.ora
rac1:ora.rac1.LISTENER_RAC1.lsnr:Log messages written to /opt/app/oracle/diag/tnslsnr/rac1/listener_rac1/alert/log.xml
rac1:ora.rac1.LISTENER_RAC1.lsnr:Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.89)(PORT=1521)))
rac1:ora.rac1.LISTENER_RAC1.lsnr:Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=rac1-vip)(PORT=1523)(IP=FIRST)))
rac1:ora.rac1.LISTENER_RAC1.lsnr:TNS-12557: TNS:protocol adapter not loadable
rac1:ora.rac1.LISTENER_RAC1.lsnr: TNS-12560: TNS:protocol adapter error
rac1:ora.rac1.LISTENER_RAC1.lsnr:  TNS-00527: Protocol Adapter not loadable
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:Listener failed to start. See the error message(s) above...
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:LSNRCTL for Linux: Version 11.1.0.7.0 - Production on 09-MAY-2012 15:01:38
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:Copyright (c) 1991, 2008, Oracle.  All rights reserved.
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=rac1-vip)(PORT=1521)(IP=FIRST)))
rac1:ora.rac1.LISTENER_RAC1.lsnr:TNS-12541: TNS:no listener
rac1:ora.rac1.LISTENER_RAC1.lsnr: TNS-12560: TNS:protocol adapter error
rac1:ora.rac1.LISTENER_RAC1.lsnr:  TNS-00511: No listener
rac1:ora.rac1.LISTENER_RAC1.lsnr:   Linux Error: 111: Connection refused
rac1:ora.rac1.LISTENER_RAC1.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=rac1-vip)(PORT=1523)(IP=FIRST)))
rac1:ora.rac1.LISTENER_RAC1.lsnr:TNS-12557: TNS:protocol adapter not loadable
rac1:ora.rac1.LISTENER_RAC1.lsnr: TNS-12560: TNS:protocol adapter error
rac1:ora.rac1.LISTENER_RAC1.lsnr:  TNS-00527: Protocol Adapter not loadable
rac1:ora.rac1.LISTENER_RAC1.lsnr:
rac1:ora.rac1.LISTENER_RAC1.lsnr:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.85)(PORT=1521)(IP=FIRST)))
rac1:ora.rac1.LISTENER_RAC1.lsnr:TNS-12541: TNS:no listener
rac1:ora.rac1.LISTENER_RAC1.lsnr: TNS-12560: TNS:protocol adapter error
rac1:ora.rac1.LISTENER_RAC1.lsnr:  TNS-00511: No listener
rac1:ora.rac1.LISTENER_RAC1.lsnr:   Linux Error: 111: Connection refused
CRS-0215: Could not start resource 'ora.rac1.LISTENER_RAC1.lsnr'.
In listener.log:
System parameter file is /opt/app/oracle/product/11.1.0/asm_1/network/admin/listener.ora
Log messages written to /opt/app/oracle/diag/tnslsnr/rac1/listener_rac1/alert/log.xml
Trace information written to /opt/app/oracle/diag/tnslsnr/rac1/listener_rac1/trace/ora_15792_47190667617024.trc
Trace level is currently 0

Started with pid=15792
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.89)(PORT=1521)))
Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=rac1-vip)(PORT=1523)(IP=FIRST)))
TNS-12557: TNS:protocol adapter not loadable
 TNS-12560: TNS:protocol adapter error
  TNS-00527: Protocol Adapter not loadable

No longer listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.89)(PORT=1521)))
In crsd.log:
2012-05-09 15:01:37.891: [  CRSRES][1510025536] startRunnable: setting CLI values
2012-05-09 15:01:37.895: [  CRSRES][1510025536] Attempting to start `ora.rac1.LISTENER_RAC1.lsnr` on member `rac1`
2012-05-09 15:01:38.920: [  CRSAPP][1510025536] StartResource error for ora.rac1.LISTENER_RAC1.lsnr error code = 1
2012-05-09 15:01:39.240: [  CRSRES][1510025536] Start of `ora.rac1.LISTENER_RAC1.lsnr` on member `rac1` failed.
2012-05-09 15:01:39.255: [  CRSRES][1510025536] rac2 : CRS-1019: Resource ora.rac1.LISTENER_RAC1.lsnr (application) cannot run on rac2
It could be that in SE the Advanced Security Option needed to support TCPS is not present.

In the security alert Oracle mentions "Please note that Oracle has added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters and Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options so that the directions provided in the Support Notes referenced above can be applied by all Oracle customers without additional cost."

The steps work on an 11.1.0.7.11 Enterprise Edition (EE) RAC without any issue. This is explained by How To Check if Oracle Advanced Security Option is Installed ? [ID 549989.1], which states: "Oracle product development has decided that starting with Oracle 11g Oracle Advanced Security Option will be installed by default when installing Enterprise Edition . There is no way to uninstall or to install it."

Update 31 May 2012
For the steps in 1340831.1 to work on Oracle SE, the Oracle binaries must be relinked with TCPS. In this example the listener runs out of the ASM home, so the binaries in the ASM home are relinked with TCPS. It is not necessary to relink the Oracle home if the listener does not run out of it.
1. cd $ASM_HOME/lib (or $ORACLE_HOME/lib if a separate home for ASM is not used).

2. Make a backup of the current TCPS library:
$  cp libntcps11.a libntcps11.a.orig
3. Find the libntcps11_ee.a.dbl file in the same lib directory and copy it over libntcps11.a:
$ cp libntcps11_ee.a.dbl libntcps11.a
4. To make sure the relink happens in ASM_HOME, set ORACLE_HOME to ASM_HOME and put that home's relink binary first in PATH (otherwise the relink from the database home is picked up):
export ORACLE_HOME=$ASM_HOME
which relink
/opt/app/oracle/product/11.1.0/db_1/bin/relink <-- still using the ORACLE_HOME relink

export PATH=$ORACLE_HOME/bin:$PATH
/opt/app/oracle/product/11.1.0/asm_1/bin/relink
5. Stop all processes running out of ASM_HOME. Since the database instance depends on the ASM instance, this means the database instance must be stopped as well. Once all running processes (except the clusterware processes) are stopped, start the relink with
relink all
and the relink process ends with the following lines (this is on 11.1.0.7; on other versions it may differ):
..
..
/app/oracle/product/11.1.0/asm_1/lib
mv -f /opt/app/oracle/product/11.1.0/asm_1/bin/ctxkbtc /opt/app/oracle/product/11.1.0/asm_1/bin/ctxkbtc0
mv ctxkbtc /opt/app/oracle/product/11.1.0/asm_1/bin/ctxkbtc
chmod 751 /opt/app/oracle/product/11.1.0/asm_1/bin/ctxkbtc
Once the relink is complete, continue with the steps in the metalink document; the listener will now be able to start with TCPS.
If the file libntcps11_ee.a.dbl is missing from $ORACLE_HOME/lib, it can be obtained by extracting
database/stage/Components/oracle.network.rsf/11.1.0.6.0/1/DataFiles/filegroup7.jar
from the 11.1.0.6 base installation. Even though the system was upgraded to 11.1.0.7, there is no copy of it in the 11.1.0.7 patchset files, which means it is not part of the upgrade process; the only place to get it is the 11.1.0.6 base installation.
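The relink procedure from this post and from the 11gR2 post above, as an added helper script (not from the original posts): it stages libntcps11_ee.a.dbl over libntcps11.a with a backup in whichever home is passed to it (the ASM home here, the RDBMS home in the 11gR2 post), refuses to proceed if the file is missing, forces ORACLE_HOME and PATH to that home so the right relink binary runs, and afterwards scans relink.log for linker failures. Run it as the owner of the home after stopping everything that runs out of it. The patterns it treats as a failed relink are an assumption, and the adapters utility in the home's bin directory is used to list the protocol adapters linked into the oracle binary.

```bash
#!/bin/bash
# relink_tcps.sh - added example, not part of the original posts.
# Usage: relink_tcps.sh <home>   (ASM home for 11.1 with a separate ASM home,
#        the RDBMS home for 11.2; run as the owner of that home, after
#        stopping every process running out of it)

# Put the EE tcps library in place, keeping a backup. $1 = <home>/lib.
# Returns 1 if libntcps11_ee.a.dbl is missing (get it from the base
# installation stage, see the post) or if a backup already exists.
stage_tcps_lib() {
  local libdir=$1
  if [ ! -f "$libdir/libntcps11_ee.a.dbl" ]; then
    echo "no libntcps11_ee.a.dbl in $libdir" >&2
    return 1
  fi
  if [ -e "$libdir/libntcps11.a.orig" ]; then
    echo "backup $libdir/libntcps11.a.orig already exists, refusing to overwrite" >&2
    return 1
  fi
  cp -p "$libdir/libntcps11.a" "$libdir/libntcps11.a.orig" || return 1
  cp -p "$libdir/libntcps11_ee.a.dbl" "$libdir/libntcps11.a"
}

# Undo stage_tcps_lib.
restore_tcps_lib() {
  local libdir=$1
  [ -f "$libdir/libntcps11.a.orig" ] || return 1
  mv -f "$libdir/libntcps11.a.orig" "$libdir/libntcps11.a"
}

# Scan a relink log ($1) for linker failures. Assumption: a failed relink
# leaves "undefined reference", fatal ld lines or a make "Error N" line.
relink_log_clean() {
  local log=$1
  [ -f "$log" ] || return 1
  ! grep -Eiq 'undefined reference|ld: (fatal|cannot)|make: \*\*\*|Error [0-9]+' "$log"
}

# Run relink all for <home>, with ORACLE_HOME and PATH forced to that home so
# the right relink binary is used (the pitfall shown in step 4 above).
relink_home() {
  local home=$1
  ORACLE_HOME=$home PATH=$home/bin:$PATH "$home/bin/relink" all || return 1
  relink_log_clean "$home/install/relink.log"
}

# List the protocol adapters linked into the oracle binary, so the TCPS/SSL
# adapter can be confirmed after the relink.
show_adapters() {
  local home=$1
  [ -x "$home/bin/adapters" ] || return 1
  "$home/bin/adapters" "$home/bin/oracle"
}

main() {
  local home=$1
  stage_tcps_lib "$home/lib" || exit 1
  if relink_home "$home"; then
    echo "relink of $home completed; confirm the SSL/TCPS adapter is listed:"
    show_adapters "$home" || true
  else
    echo "relink of $home failed, see $home/install/relink.log; restoring library" >&2
    restore_tcps_lib "$home/lib"
    exit 1
  fi
}

case "${1:-}" in
  "") ;;            # no argument: functions only (sourced or tested)
  *)  main "$1" ;;
esac
```

On a cluster, run it once per node against that node's home; as the 11gR2 post shows, the cluster-wide ALTER SYSTEM keeps failing with ORA-32008 until every home has been relinked.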

Friday, January 27, 2012

Linux Root Exploit CVE-2012-0056

A Linux kernel vulnerability (CVE-2012-0056) has been identified that allows a local user to gain root privileges. It is caused by the "failure of the Linux kernel to properly restrict access to the "/proc/<pid>/mem" file".

Computerworld has a detailed article about this (the same article is available on CIO).

Red Hat has a support note regarding this vulnerability, including test code to check whether a system is vulnerable.

Thursday, February 10, 2011

Oracle Security Alert for Java

Oracle issued a security alert for java which reads "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks ( i.e. it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability."

This alert applies to both the (formerly Sun) Oracle JDK and JRockit, versions 1.5 and 1.6.

For the Oracle JDK the patch is available via an updater tool. For JRockit refer to metalink note 1291950.1 for the relevant patch number.

The patch is a jar file and is easy to apply. Put the correct java binary in the PATH and run:
java -jar fpupdater.jar -u -v
FPUpdater
java.home: /usr/local/java/jdk1.6.0_17/jre
java.vendor: Sun Microsystems Inc.
java.version: 1.6.0_17
os.name: Linux
Checking for update for major: 1.6.0 minor: 17
Retrieved update jar file from tool: /usr/local/java/jdk1.6.0_17/jre/tmpUpdate264186544245683182/tmpUpdate4837341576526462084.jar
Updating files. Please note this can take several minutes to run. Allow FPUpdater tool to complete.
Jar file /usr/local/java/jdk1.6.0_17/jre/lib/rt.jar.fpupdater succesfully verified.
Done backup of rt.jar to /usr/local/java/jdk1.6.0_17/jre/lib/rt.jar.fpupdater
Made working copy of rt.jar: /usr/local/java/jdk1.6.0_17/jre/lib/tmpUpdate8923180845720805243/copyofRt.jar
Jar file /usr/local/java/jdk1.6.0_17/jre/lib/tmpUpdate8923180845720805243/copyofRt.jar succesfully verified.
Moving working copy of rt.jar back to live rt.jar.
Update applied successfully to java.home path : /usr/local/java/jdk1.6.0_17/jre
After applying, verify it with:
java -jar fpupdater.jar -t -v
FPUpdater
java.home: /usr/local/java/jdk1.6.0_17/jre
java.vendor: Sun Microsystems Inc.
java.version: 1.6.0_17
os.name: Linux
Verification test available
Verification test beginning, this should take less than one minute..
Verification test passed.
Your Java Runtime is patched for java.home: /usr/local/java/jdk1.6.0_17/jre