Secure Certificate Management in Oracle Application Server

Here are my Cliff's Notes directions for managing secure certificates using Oracle Wallet Manager. These directions were written for Oracle Application Server 10g (9.0.4) and may not work right with other versions. As always, don’t do it if you don’t understand it.

NOTE: When you generate a certificate request within a wallet you must then import the certificate into the EXACT SAME WALLET! So it is important not to forget the path to, or the password for, the wallet. A copy of the wallet can also be made by copying the ewallet.p12 and cwallet.sso files from the path where you saved the wallet to another directory.

Generate a certificate request:

  1. On the system you want to display the wallet manager on, run
    xhost +serverhostname
    (this allows any user on serverhostname to connect to your X display; revoke it with xhost -serverhostname when you are done).
  2. ssh to the system the cert is for.
  3. Export the display to somewhere you can view it
    DISPLAY=localhostname:0.0; export DISPLAY
  4. Start Oracle Wallet Manager from $ORACLE_HOME/bin (should be in the path)
    owm
  5. Select New from the Wallet menu.
  6. Answer No to creating the default location.
  7. Give the wallet a secure password and select OK.
  8. Answer Yes to create a certificate request.
  9. Enter the following information to generate the request. If you’re not sure about some of this info, check with someone at your site who has done cert requests before. It is important that it is all accurate.

  10. Common Name: The fully qualified domain name (e.g. gimli.plymouth.edu)
    Organizational Unit: Typically a department name (e.g. Information Technology Services)
    Organization Name: Your organization’s official name (e.g. Plymouth State University)
    Locality/City: Plymouth
    State/Province: New Hampshire
    Country: United States
    Key Size: (1024 is OK, 2048 is better)

  11. Click OK once these values are all correct.
  12. Click OK in the “Please submit” dialogue.
  13. Select Auto Login from the Wallet menu.
  14. Select Save from the Wallet menu and save the wallet to a safe, non-public directory on your server (being careful not to overwrite another wallet.)
  15. Click on the certificate request in the wallet tree then select Export Certificate Request from the Operations menu and export the request to a file.
  16. Send the certificate request file to the certificate authority to obtain a user certificate.

Importing a Certificate:

  1. Follow the instructions above to connect to the server and export the display.
  2. Transfer the certificate you received from your certificate authority to the server.
  3. Open Oracle Wallet Manager and open the wallet the cert request was created from.
  4. Select Import User Certificate from the Operations menu. DO NOT import the certificate as a trusted certificate.
  5. Select Import Certificate From File and then select the file containing the certificate.
  6. If you are prompted to import the CA certificate, select Yes and follow these steps to get the CA cert:
    1. On a Windows box, rename the certificate to have a .cer extension (which should change the icon.)
    2. Double click on the certificate and select the Certification Path tab.
    3. Select the highest level of the certification path (e.g. Thawte Premium Server CA) and click View Certificate.
    4. Select the Details tab and click Copy to File…
    5. Follow the directions on screen to export the CA certificate as a Base-64 Certificate.
    6. Once exported, copy the CA certificate to the host the wallet is on.
    7. In the Import Trusted Certificate dialogue box, choose Select a file that contains the certificate and click OK.
    8. Select the CA Cert file you have just uploaded and click OK.
  7. The certificate should now have the word Ready next to it. That indicates the certificate is ready to use.
  8. Confirm that Auto Login is checked in the Wallet menu.
  9. Save the wallet by choosing Save from the Wallet menu.
  10. Exit the wallet manager.

From here you’ll have to follow the instructions in the Oracle HTTP Server Administration Guide to complete the SSL setup.

Importing a Renewed Certificate

These directions are for when your certificate authority has renewed your cert based on your previous request.

  1. Follow the instructions above to connect to the server and export the display.
  2. Transfer the certificate you received from your certificate authority to the server.
  3. Open Oracle Wallet Manager and open the wallet the cert request was created from.
  4. Click on the existing certificate, select Remove User Certificate from the Operations menu and click Yes to confirm.
  5. Click on the certificate (now in [Requested] status) from the wallet and select Import User Certificate from the Operations menu.
  6. Select Import Certificate From File and then select the file containing the certificate.
  7. The certificate should now have the word Ready next to it. That indicates the certificate is ready to use.
  8. Confirm that Auto Login is checked in the Wallet menu.
  9. Save the wallet by choosing Save from the Wallet menu.
  10. Exit the wallet manager.
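Because a CA-issued certificate, whether new or renewed, only loads into the wallet that produced its request, it is worth confirming before the Import User Certificate step that the certificate you received actually matches the request you exported, and keeping a copy of the two wallet files named in the note above. The script below is an added example, not part of the original post or of Oracle's tools; it assumes the openssl command-line tool is installed, that the request and certificate are PEM files, and the file and directory names passed to it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a CA-issued
# certificate carries the same public key as the certificate request exported
# from the wallet, and copies the two wallet files the post names.
# Assumes the openssl CLI; file and directory names are placeholders.

# csr_matches_cert REQUEST.pem CERT.pem -> 0 when both hold the same public key
csr_matches_cert() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cert_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

# backup_wallet WALLET_DIR BACKUP_DIR -> copies ewallet.p12 and cwallet.sso
backup_wallet() {
    [ -f "$1/ewallet.p12" ] && [ -f "$1/cwallet.sso" ] || return 1
    mkdir -p "$2" && chmod 700 "$2" || return 1
    cp -p "$1/ewallet.p12" "$1/cwallet.sso" "$2/"
}

# Self-check on constructed data: key A with its request and certificate, and
# key B's certificate standing in for a cert that belongs to a different wallet.
demo() {
    d=$(mktemp -d) || return 1
    for k in a b; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$k.key" \
            -out "$d/$k.csr" -subj "/CN=gimli.plymouth.edu" 2>/dev/null
        openssl x509 -req -in "$d/$k.csr" -signkey "$d/$k.key" -days 30 \
            -out "$d/$k.cer" 2>/dev/null
    done
    if csr_matches_cert "$d/a.csr" "$d/a.cer"; then r1=match; else r1=mismatch; fi
    if csr_matches_cert "$d/a.csr" "$d/b.cer"; then r2=match; else r2=mismatch; fi
    rm -rf "$d"
    echo "$r1 $r2"    # prints "match mismatch"
}
```

Run csr_matches_cert against the exported request and the file from the CA; a mismatch means the certificate was issued for some other key and will not pair with this wallet.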

oracle, oracle application server, oas, application administration, system administration, sysadmin

SunFire T2000 Try and Buy

After being tipped off on the Sun try-and-buy program by Alan Baker, a coworker and cohort, I figured I’d throw my hat into the ring for a chance to test drive a SunFire T2000… and today it arrived.

Here’s what Sun has to say about their program:

Toss your toughest workloads at the multithreaded Sun Fire T2000 server with the Solaris 10 Operating System, and watch it crank up your database and Web application performance.

We’re so confident in the quality and performance of the world’s first eco-responsible server, we’re offering a free 60-day trial, risk-free. If you’re not totally impressed, just send it back at our expense and owe us nothing.

Chances are that you will be dazzled by your trial server and come back for more. The new Sun Fire T2000 server will likely become your multithreaded workload energy-saving powerhouse of choice.

When you apply for the Try and Buy program you get the choice of a four, six, or eight core 1GHz UltraSPARC T1 processor. I chose the eight, not just because bigger is better, but also because it is closest to our production Oracle servers in capacity and price.

So once we can find the time we’ll get 64-bit Oracle installed on there and run it through the paces. On deck are some join-, function- and lookup-intensive datamart creation scripts which currently crush our production server every evening. This should be fun.

Also of interest is Sun’s claim of this server being “the world’s first eco-responsible server”. While I am unlikely to bring in a kilowatt meter to verify these claims, we are a very green university and hey, everyone wants to save a few bucks on electric.

UPDATE: I have now had the chance to test drive some Oracle jobs on this system. Check out my findings here.

oracle, database, database administration, database administrator, dba, dbms, rdbms, sun, solaris, systems administration, system administration, sysadmin, unix, t2000, try and buy, sunfire

Changing Video Settings on SunBlade 100

To change the display resolution or refresh rate on a SunBlade 100 or similar Sun hardware isn’t as easy as it sounds. Or at least it’s not obvious. These directions are for an M64 type graphics accelerator. The steps are similar for other Sun graphics accelerators, but the command will be different (maybe ffbconfig). Check your hardware documentation for details.

These commands should be run as root. I recommend running these commands via ssh from another system. If you accidentally change the resolution to something that is not supported you won’t be able to see well enough to change it back.

To change video settings you’ll first want to find out what the card and display are capable of.

m64config -res ?

This will print the resolution and refresh rate options you have. Where three numbers are listed, they represent the horizontal resolution, the vertical resolution and the refresh rate respectively.

The current configuration will be shown with a [3] next to it. Write down the current resolution and refresh rate. There are a lot to choose from and you’ll want to know you can get back to one that works.

Configurations marked with a [2] are not supported by the video card and will probably not work.

To change the settings run this command with the desired resolution/refresh rate. The now argument forces the system to change these settings immediately rather than at next refresh.

m64config -res 1024x768x75 now

Your monitor should click and flicker and with luck will then come back at the new resolution. If it doesn’t, you can change it back to the old settings by running the m64config command with the original settings. You did write the old setting down like I told you to, right?
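One way to make the "run it over ssh from another system" advice safer is to wrap the change so it reverts on its own unless you confirm, from the other session, that the screen is still readable. This is an added example, not part of the original post or of Sun's tools; it assumes the active mode is the listing entry tagged [3], as described above, and the listing embedded in it is constructed sample text, not real m64config output.

```shell
#!/bin/sh
# Added example (not from the original post). Applies a new m64config mode and
# reverts to the previous one unless a confirmation file appears in time, so a
# mode the monitor cannot display does not leave you blind at the console.
# Assumes the current mode is the listing entry tagged [3] (as the post says).

# Constructed stand-in for `m64config -res ?` output; real wording differs.
SAMPLE_M64_LISTING='640x480x60 [1]
800x600x75 [3]
1024x768x75 [1]
1280x1024x76 [2]'

# current_mode <listing on stdin> -> the WxHxR entry on the line tagged [3]
current_mode() {
    awk '/\[3\]/ { for (i = 1; i <= NF; i++)
                     if ($i ~ /^[0-9]+x[0-9]+x[0-9]+$/) { print $i; exit } }'
}

# try_mode NEW [SECONDS] [CONFIRM_FILE]
#   returns 0 if confirmed, 2 if reverted, 1 on error
try_mode() {
    new="$1"; wait="${2:-60}"; flag="${3:-$HOME/.m64-keep}"
    old=$(m64config -res '?' | current_mode)   # quote '?' so the shell cannot glob it
    if [ -z "$old" ]; then
        echo "no [3] entry found in m64config -res ? output; not changing anything" >&2
        return 1
    fi
    rm -f "$flag"
    echo "switching $old -> $new; run: touch $flag within ${wait}s to keep it" >&2
    m64config -res "$new" now || return 1
    i=0
    while [ "$i" -lt "$wait" ]; do
        if [ -e "$flag" ]; then rm -f "$flag"; echo "keeping $new"; return 0; fi
        sleep 1; i=$((i + 1))
    done
    echo "no confirmation; reverting to $old" >&2
    m64config -res "$old" now
    return 2
}
```

From the ssh session run, for example, try_mode 1024x768x75 30 and then touch the confirmation file from the console once you can see the screen; otherwise the old mode is restored after 30 seconds.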

solaris, sun, unix, system administration, sysadmin

Getting Hardware Information in Solaris

Here’s a quick way to find out what hardware is installed in your Solaris system, including RAM, CPUs, PCI cards, and external devices. The output will usually include the size of each memory chip in the system.

The one trick to using this command is to make sure you use the backtick instead of a single quote around the uname -i. The backtick shares a key with the tilde and forces the command between the backticks to be executed and substituted into that part of the command.

/usr/platform/`uname -i`/sbin/prtdiag

prtdiag actually displays system diagnostic information. I’ve used this on Solaris 7 through 10. The best part is you do not even need to be root to execute this.

For more info on prtdiag check out the man page.

solaris, sun, unix, system administration, sysadmin

Kernel Parameter Settings for Oracle on Solaris

Here is an example of the kernel parameter settings I typically use for Oracle Database on Solaris. This is provided only as an example. You should not implement these settings without understanding what they do!

For a more in-depth explanation of these parameters see my other article Semaphore Settings and Shared Memory for Oracle Database.

You should always consult the Oracle documentation for your platform and release of Oracle for recommended kernel settings.

These settings reside in the /etc/system file on Solaris and must be set up by the root user. Any line beginning with an asterisk (*) is treated as a comment and not processed by the operating system. After these settings are implemented in the /etc/system file the system will need to be rebooted for them to take effect.

************************************************************
* Example Semaphore and Shared Memory Settings *
* for Oracle on Solaris *
* Written by Jon Emmons *
* www.lifeaftercoffee.com *
************************************************************
* Shared memory settings
set shmsys:shminfo_shmmax=4294967295
* shmmax sets the largest memory segment in bytes
* which can be allocated
set shmsys:shminfo_shmmin=1
* shmmin sets the smallest memory segment in bytes
* which can be allocated
set shmsys:shminfo_shmmni=500
* shmmni defines the maximum number of shared memory
* segments in the entire system
set shmsys:shminfo_shmseg=50
* shmseg defines the maximum number of shared memory
* segments which can be used by one process
* Semaphore settings
set semsys:seminfo_semmni=300
* semmni sets the number of semaphore sets available
set semsys:seminfo_semmsl=500
* semmsl sets the number of semaphores per set
set semsys:seminfo_semmns=30000
* semmns sets the total number of semaphores available
* the actual semaphores available will be the lesser of
* (semmni * semmsl) or semmns
set semsys:seminfo_semopm=250
* semopm determines the maximum number of operations
* per semop call
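To make the "lesser of" relationship concrete, here is an added example (not from the original post) that pulls the semaphore settings out of an /etc/system-style file and reports the effective count; with the values above, semmni * semmsl is 150000 but semmns caps it at 30000. The sample input is the post's own settings embedded as constructed text, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the semsys settings out of
# an /etc/system-style file and reports how many semaphores they really allow:
# the kernel grants the lesser of semmni*semmsl and semmns, so a generous
# semmni/semmsl pair is silently capped by a small semmns.

# The post's settings, embedded as a constructed input file; pass the real
# /etc/system path to the functions instead.
SAMPLE_SYSTEM='* Semaphore settings
set semsys:seminfo_semmni=300
set semsys:seminfo_semmsl=500
set semsys:seminfo_semmns=30000
set semsys:seminfo_semopm=250
set shmsys:shminfo_shmmax=4294967295'

# sem_param FILE NAME -> value of "set semsys:seminfo_NAME=VALUE" (last one wins)
sem_param() {
    awk -v n="$2" -F'=' '
        /^[ \t]*\*/ { next }                          # "*" lines are comments
        $1 ~ ("^[ \t]*set[ \t]+semsys:seminfo_" n "[ \t]*$") { v = $2 }
        END { if (v == "") exit 1; print v + 0 }' "$1"
}

# effective_semaphores FILE -> min(semmni * semmsl, semmns)
effective_semaphores() {
    mni=$(sem_param "$1" semmni) || return 1
    msl=$(sem_param "$1" semmsl) || return 1
    mns=$(sem_param "$1" semmns) || return 1
    prod=$((mni * msl))
    if [ "$prod" -lt "$mns" ]; then echo "$prod"; else echo "$mns"; fi
}

# check_semaphores FILE -> prints a summary and notes when semmns is the limit
check_semaphores() {
    eff=$(effective_semaphores "$1") || { echo "semmni/semmsl/semmns not all set in $1" >&2; return 1; }
    mni=$(sem_param "$1" semmni); msl=$(sem_param "$1" semmsl); mns=$(sem_param "$1" semmns)
    echo "semmni=$mni semmsl=$msl semmns=$mns -> $eff semaphores usable"
    if [ "$eff" -eq "$mns" ] && [ "$mns" -lt "$((mni * msl))" ]; then
        echo "note: semmns caps the total; only $((mns / msl)) full sets of $msl fit"
    fi
}
```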

database, database administration, database tuning, dba, solaris, system administration, oracle