Are there good ERP systems running on oralce DB
- by gath
Guys,
Apart from Oracle Financial and SAP are there other good/highly customizable ERP's running on oracle database?
Search Results
Search found 18454 results on 739 pages for 'oracle thoughts'.
Page 341/739 | < Previous Page | 337 338 339 340 341 342 343 344 345 346 347 348 | Next Page >
-
-
Hybrid Columnar Compression
- by user12620172
You heard me in the past talk about the HCC feature for Oracle databases. Hybrid Columnar Compression is a fantastic, built-in, free feature of Oracle 11Gr2. One used to need an Exadata to make use of it. However, last October, Oracle opened it up and now allows it to work on ANY Oracle DB server running 11Gr2, as long as the storage behind it is a ZFSSA for DNFS, or an Axiom for FC. If you're not sure why this is so cool or what HCC can do for your Oracle database, please check out this presentation. In it, Art will explain HCC, show you what it does, and give you a great idea why it's such a game-changer for those holding lots of historical DB data. Did I mention it's free? Click here: http://hcc.zanghosting.com/hcc-demo-swf.htmlRead the article
-
What is the best way to precompile JSPs using ANT
- by rich
I am trying to figure out the best way to use ANT to precompile JSPs that will be deployed to an Oracle application server. Even though I am deploying to an Oracle app server I would like to avoid using Oracle's version of ANT.Read the article
-
How to sync developer database with central database?
- by Dave
How to do that I am using oracle 10 gRead the article
-
B2B Customer Case Study Presentation at OOW 2012!
- by user701307
Real life B2B customer talking about consolidation to Oracle B2B and SOA Suite. Hear Kevin Kluggage, IT Director, Stryker and me present on consolidating legacy B2B networks on a global B2B infrastructure using Oracle B2B and SOA Suite. This session will discuss B2B industry trends, product overview, Stryker's case study and will elaborate on the benefits of using Oracle B2B to solve your partner integration needs today. Oracle B2B is Drummond Certified and has customers using the product in Supply Chain, Travel, Transport, Healthcare, Hightech and Telecom industries. We are excited about our session, and look forward to see you there! Wed, Oct 3, 3:30 PM – 4:30 PM – Moscone West – 3003CON5003 – Delivering a High-Value Global B2B Network with Oracle SOA Suite 11gRead the article
-
Unlock the Value of Big Data
- by Mike.Hallett(at)Oracle-BI&EPM
Partners should read this comprehensive new e-book to get advice from Oracle and industry leaders on how you can use big data to generate new business insights and make better decisions for your customers. “Big data represents an opportunity averaging 14% of current revenue.” —From the Oracle big data e-book, Meeting the Challenge of Big Data You’ll gain instant access to: Straightforward approaches for acquiring, organizing, and analyzing data Architectures and tools needed to integrate new data with your existing investments Survey data revealing how leading companies are using big data, so you can benchmark your progress Expert resources such as white papers, analyst videos, 3-D demos, and more If you want to be ready for the data deluge, Meeting the Challenge of Big Data is a must-read. Register today for the e-book and read it on your computer or Apple iPad.Read the article
-
Eleven Eleven Eleven Plus Two
- by Larry Wake
You probably already know that Oracle Solaris 11 11/11 was not in fact launched on 11/11/11. We had our reasons, one of the primary ones being that would have collided with Veterans Day. But I'm going to venture a blog post today--even though it's again of course Veterans Day--to catch up on some news for Oracle Solaris 11's second anniversary (plus two days). Most recently, we had lots to talk about at Oracle OpenWorld -- Markus Flierl gives an excellent recap on his blog. Also, you can now download the various Solaris-related presentations that were given this year. Find the list and links at: Focus on Oracle Solaris (http://bit.ly/OOW13-Solaris) If you follow the links above, you'll see there's lots to learn about how to get major benefits from Oracle Solaris 11 today, and you'll also find out about some of the new things we're busily at work on as well. Onward to year three!Read the article
-
Understanding character encoding in typical Java web app
- by Marcus
Some pseudocode from a typical web app: String a = "A bunch of text"; //UTF-16 saveTextInDb(a); //Write to Oracle VARCHAR(15) column String b = readTextFromDb(); //UTF-16 out.write(b); //Write to http response In the first line we create a Java String which uses UTF-16. When you save to Oracle VARCHAR(15) does Oracle also store this as UTF-16? Does the length of an Oracle VARCHAR refer to number of Unicode characters (and not number of bytes)? And then when we write b to the ServletResponse is this being written as UTF-16 or are we by default converting to another encoding like UTF-8?Read the article
-
That's all about nuances
- by user13334359
When I sent a proposal for session "Managing and Troubleshooting MySQL for Oracle DBAs" to MySQL Connect conference org committee it had not any mention of Oracle in its name, but later I was asked to provide more details for former Oracle DBAs who want to use MySQL. I was fast and I said "yes".So my original aim to teach people to troubleshoot MySQL changed to teaching of how different is MySQL from Oracle in troubleshooting aspects. Although both RDBMs have very much in common they are definitely very different. So what I am going to speak about this time is nuances of how MySQL stores data, how it manages locks, why its high availability solutions: MySQL Cluster and Replication have same names as Oracle's, but work differently and more. And, of course, I will tell how to troubleshoot it all.Read the article
-
12??OTN????????
- by OTN-J Master
12??OTN????????????????? (11?8???? 11???????????????) ???????????????????????????????????????URL????????????????RSS???????????????????!https://blogs.oracle.com/otnjp/category/Event ????????????? [12/13(?)] Oracle Tuxedo???????? Oracle Tuxedo???????? ???: 12?13?(?)14:00 ~ 17:30 ???: ??(????????)???: Oracle Tuxedo?????????????C,C++, COBOL??????????????????????????????????????·????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Oracle Tuxedo 12c??????????????????????????????????????????????????2??????????1??Tuxedo 12c?????????????????TSAM, SALT????????????????????2?????????????????????Tuxedo ART????????????????Tuxedo ART?CICS/Batch????????????? >> ??·???????? ??????Read the article
-
??????????? Database Firewall ??????????
- by ???02
??????????? Database Firewall ??????????SQL?????????????????SQL????????????WEB?????HTTP??????SQL??????????????????????????????????????????????SQL????????????????WEB??????????????????????????????????SQL??????????????????????Oracle Database Firewall????????????????????SQL?????SQL?????????·???????????????????????????????????Databese Firewall ???????????????Oracle Database Firewall???????????????????????????????·??SQL???????????????·Database ?????????????????·SQL??????Database??????·????·?????????????????????·Oracle Database Firewall ???????Oracle Databese Firewall ?????????? ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????_DBFW????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ???????????????·?????????????????????3?????????????·???????????????????????????????????????????????????????????? ·???????????????????90?????????????????????????????????????????????????????·????????????????????????????????????????????????? ·???????????????????????????????????????????????????????????????????????????????????????????????????????? Web????????????????????????????????????1~4????????????????????———?????———?????????????? 1.????????? : 2.??????(????) : 3.??????(????) : 4.??????? :———?????———?????????????? 1.????????? : ????????????????2.??????(????) : 2011?11?15? 13:00-14:303.??????(????) : 2011?11?17? 15:00-16:304.??????? : ?????????????? ???????????????????????????? ?????? Oracle DirectRead the article
-
????|E????/B2C????
- by Tatsuya Sugi
E?????? ??????????ANA SKY WEB? ?????????????????????????10??1????????????????????? ????? ????? ????? ????????????CO-OP WEB STANDARD? Oracle Coherence?Web????????????100???????????????????????EC??????????Oracle Coherence?????????????????????????????????100?????????????????????????????????????????????????????????????? ????? ????? ??????? ???????????? OracleR Coherence??????????????????????????????????????????????????????????????????IA??????????????????????????????????????????????????????????????? ????? ????????????·???·??? Oracle Coherence?????3???EC????????????????????????????????????????????????????Oracle Consulting????????Oracle Coherence??????????EC???????????????????????????????????????????????????????????????????????? ????? ??????? J.Crew ?????????J.Crew????E??????????????Coherence?????????????????????????????(1?51?) ????Read the article
-
????:???????DBA??Linux,IFRS,??????
- by atsuko.nishihata
?????????????????????????!! 2010?5?25?(?)?????????????????????????????????????IT?????????????????????????? Day?4???????????????????????10???????????????????????????????????????????!! 9:30-10:30 (9:15-????) ???????????? -??????????????? EPM?BI???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 11:00-12:00 (10:45-????) ????????????? ??????Oracle?????????Linux?? ???Oracle??Linux??????????????????????Linux·???????????IT???????????????????????????DBA????Linux????????????????????????????????????????????????????????????Linux????????????10???????????????????????????? 13:30-14:30 (13:15-????) ??????IFRS?????????????? ??????????????????????????????????????????????????IFRS??????????????????????????????????????????????????????????????????????????? 15:00-16:00 (14:45-????) ??????????????!???·?????????? ?????????????????????????????????Oracle??????????????????????????????????????????????????????Oracle??????????????????????????????????????????????????????????? ????????????????!! ·Oracle Direct Seminar????? ·?????????:?????? ·???????????FAQRead the article
-
Mac Os X 10.7 + PHP OCI8 + MAMP PRO
- by Mike
i followed this article: http://www.enavigo.com/2012/01/04/enabling-oracle-oci8-php-extension-on-os-x-snow-leopard/ and im getting this error: Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data. Anytime i try to connect to an oracle database using OCI8. I'm not sure that oci8 is install properly. Can someone provide steps for installation of OCI8 using Mamp Pro?Read the article
-
Mac Os X 10.7 + PHP OCI8 + MAMP PRO + ERR_EMPTY_RESPONSE
- by gorelative
i followed this article: http://www.enavigo.com/2012/01/04/enabling-oracle-oci8-php-extension-on-os-x-snow-leopard/ and im getting this error: Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data. Anytime i try to connect to an oracle database using OCI8. I'm not sure that oci8 is install properly. Can someone provide steps for installation of OCI8 using Mamp Pro?Read the article
-
Oracle9i export error
- by Max
When I rut the following: set ORACLE_SID=orcl exp.exe 'SYS/system as sysdba' full=y log=exp.log file=mydump.dmp in the end i see the following: EXP-00056: ORACLE error 942 encountered ORA-00942: table or view does not exist EXP-00000: Export terminated unsuccessfully what should i do to resolve it? I had 9.2.0.1.0 oracle, after it was installed 2 patches: 9.2.0.7.0 and 9.2.0.8.0Read the article
-
How to achieve zero down time
- by Hiral Lakdavala
For an application we want to achieve zero database and application down time using Active Active configuration. Our dB is Oracle Following are my questions: How can we achieve active active configuration in Oracle? Will introducing Cassandra/HBase(or any other No SQL dbs) cloud help in zero downtime or it is only for fast retrieval of data in a large db? Any other options? Thanks and Regards, HiralRead the article
-
Installing Oracle Client 11.1.0.7 on Windows Server 2008 64-bit. What does "Install Location" and "S
- by Anders
I am trying to install Oracle Client 11.1.0.7 on a Windows Server 2008 64-bit. To some this might not be rocket science but I can't understand what the options under the install screen "Specify Home Details" mean. The defaults given suggest that I use Oracle Base and install software under my own account name. It also suggests that each user should have a separate Oracle Base. This seems counter intuitive to me. I am doing a server install after all. All I want to use the installation for is to connect to an Oracle Database from Reporting Services. Can I safely ignore this and just accept the defaults? What are the implications if I change the location to a common directory?Read the article
-
ORA-00942: table or view does not exist & ORA-01031: insufficient privileges
- by Forza
I can't access any tables on my oracle database. When selecting the table product I get ORA-00942: table or view does not exist I have tried this solution but I don't have sufficiënt rights to add a new user. I get ORA-01031: insufficient privileges I am logged on as ADMIN to oracle application express. The environment we use is windows server 2003. What can I do to 1) access my tables and 2) get back the administration rights I am supposed to have?Read the article
-
How to add linked Oracle server to SQL 2008 Express?
- by David.Chu.ca
I have tried to download Oracle Client 11g both 32 & 64 packages to Windows 2008 R2 with SQL server 2008 Express. However, I still cannot see Oracle provider in SQL server by using sa log in. Not sure if is it possible to do it for SQL Server express 2008? Any advice to do it? I followed installations from this article: Making Linked Server Connection Between SQL Server 64 Bit & Oracle 32 Bit | MS SQL World After installation and reboot the Windows, I still cannot see the Oracle provider in linked provider in SQL server.Read the article
-
Oralce 'sysman' account
- by 403432122
Hi Oracle Gurus In Oracle, 'sysman' is the only most powerful user ? OR Is it one of the most powerful users? Thanks.Read the article
-
using log4net through stored procedures in oracle
- by areeba
hi, My objective is to log in oracle 10g using log4net through stored procedure,but this code isn't working, what am doing wrong??? here is the code which I implemented. string logFilePath = AppDomain.CurrentDomain.BaseDirectory + "log4netconfig.xml"; FileInfo finfo = new FileInfo(logFilePath); log4net.Config.XmlConfigurator.ConfigureAndWatch(finfo); ILog logger = LogManager.GetLogger("Exception.Logging"); try { log4net.ThreadContext.Properties["INNER_EXCEPTION"] = exception.InnerException.ToString(); log4net.ThreadContext.Properties["INNER_EXCEPTION"] = string.Empty; log4net.ThreadContext.Properties["STACK_TRACE"] = exception.StackTrace.ToString(); log4net.ThreadContext.Properties["STACK_TRACE"] = string.Empty; log4net.ThreadContext.Properties["MESSAGE"] = ((H2hException)exception).Message; log4net.ThreadContext.Properties["CODE"] = "err-1010"; log4net.ThreadContext.Properties["MODULE"] = "TP.CoE"; log4net.ThreadContext.Properties["COMPONENT"] = "Component"; log4net.ThreadContext.Properties["ADDITIONAL_MESSAGE"] = "msg"; logger.Debug(""); I am retrieving configuration for log4net from a xml file "log4netconfig.xml" which is as follows. <parameter> <parameterName value="@p_Error_Code" /> <dbType value="VARCHAR2" /> <size value="16" /> <!--<layout type="log4net.Layout.PatternLayout" value="%level" />--> <conversionPattern value="%property{log4net:CODE}"/> </parameter> <parameter> <parameterName value="@p_Error_Message" /> <dbType value="VARCHAR2" /> <size value="255" /> <!--<layout type="log4net.Layout.PatternLayout" value="%logger" />--> <conversionPattern value="%property{log4net:MESSAGE}"/> </parameter> <parameter> <parameterName value="@p_Inner_Exception" /> <dbType value="VARCHAR2" /> <size value="4000" /> <!--<layout type="log4net.Layout.PatternLayout" value="%thread" />--> <conversionPattern value="%property{log4net:INNER_EXCEPTION}"/> </parameter> <parameter> <parameterName value="@p_Module" /> <dbType value="VARCHAR2" /> <size value="225" /> <!--<layout type="log4net.Layout.PatternLayout" value="%message" />--> <conversionPattern value="%property{log4net:MODULE}"/> </parameter> <parameter> <parameterName value="@p_Component" /> <dbType value="VARCHAR2" /> <size value="225" /> <!--<layout type="log4net.Layout.ExceptionLayout" />--> <conversionPattern value="%property{log4net:COMPONENT}"/> </parameter> <parameter> <parameterName value="@p_Stack_Trace " /> <dbType value="VARCHAR2" /> <size value="4000" /> <!--<layout type="log4net.Layout.PatternLayout"/>--> <conversionPattern value="%property{log4net:STACK_TRACE}"/> </parameter> <parameter> <parameterName value=" @p_Additional_Message" /> <dbType value="VARCHAR2" /> <size value="4000" /> <!--<layout type="log4net.Layout.ExceptionLayout" />--> <conversionPattern value="%property{log4net:ADDITIONAL_MESSAGE}"/> </parameter> </appender> kindly give me your feedback and solutions. Thanks in advance.Read the article
-
Configuring WCF to Handle a Signature on a SOAP Message from an Oracle Server
- by AlEl
I'm trying to use WCF to consume a web service provided by a third-party's Oracle Application Server. I pass a username and password and as part of the response the web service returns a standard security tag in the header which includes a digest and signature. With my current setup, I successfully send a request to the server and the web service sends the expected response data back. However, when parsing the response WCF throws a MessageSecurityException, with an InnerException.Message of "Supporting token signatures not expected." My guess is that WCF wants me to configure it to handle the signature and verify it. I have a certificate from the third party that hosts the web service that I should be able to use to verify the signature. It's in the form of -----BEGIN CERTIFICATE----- [certificate garble] -----END CERTIFICATE----- Here's a sample header from a response that makes WCF throw the exception: <?xml version="1.0" encoding="UTF-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Header> <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:SignedInfo> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <dsig:Reference URI="#_51IUwNWRVvPOcz12pZHLNQ22"> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue> [DigestValue here] </dsig:DigestValue> </dsig:Reference> <dsig:Reference URI="#_dI5j0EqxrVsj0e62J6vd6w22"> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue> [DigestValue here] </dsig:DigestValue> </dsig:Reference> </dsig:SignedInfo> <dsig:SignatureValue> [Signature Value Here] </dsig:SignatureValue> <dsig:KeyInfo> <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:Reference URI="#BST-9nKWbrE4LRv6maqstrGuUQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </dsig:KeyInfo> </dsig:Signature> <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-9nKWbrE4LRv6maqstrGuUQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> [Security Token Here] </wsse:BinarySecurityToken> <wsu:Timestamp wsu:Id="_dI5j0EqxrVsj0e62J6vd6w22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsu:Created>2010-05-26T18:46:30Z</wsu:Created> </wsu:Timestamp> </wsse:Security> </soap:Header> <soap:Body wsu:Id="_51IUwNWRVvPOcz12pZHLNQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> [Body content here] </soap:Body> </soap:Envelope> My binding configuration looks like: <basicHttpBinding> <binding name="myBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="TransportWithMessageCredential"> <transport clientCredentialType="None" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" algorithmSuite="Default" /> </security> </binding> </basicHttpBinding> I'm new at WCF, so I'm sorry if this is a bit of a dumb question. I've been trying to Google solutions, but there seem to be so many different ways to configure WCF that I'm getting overwhelmed. Thanks in advance!Read the article
-
A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)
- by eric.maurice
Hi, this is Shaomin Wang. I am a security analyst in Oracle's Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Connection String Parameter Pollution (CSPP). Earlier this year, at the Black Hat DC 2010 Conference, two Spanish security researchers, Jose Palazon and Chema Alonso, unveiled a new class of security vulnerabilities, which target insecure dynamic connections between web applications and databases. The attack called Connection String Parameter Pollution (CSPP) exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). In today's blog, we are going to first look at what connection strings are and then review the different ways connection string injections can be leveraged by malicious hackers. We will then discuss how CSPP differs from traditional connection string injection, and the measures organizations can take to prevent this kind of attacks. In web applications, a connection string is a set of values that specifies information to connect to backend data repositories, in most cases, databases. The connection string is passed to a provider or driver to initiate a connection. Vendors or manufacturers write their own providers for different databases. Since there are many different providers and each provider has multiple ways to make a connection, there are many different ways to write a connection string. Here are some examples of connection strings from Oracle Data Provider for .Net/ODP.Net: Oracle Data Provider for .Net / ODP.Net; Manufacturer: Oracle; Type: .NET Framework Class Library: - Using TNS Data Source = orcl; User ID = myUsername; Password = myPassword; - Using integrated security Data Source = orcl; Integrated Security = SSPI; - Using the Easy Connect Naming Method Data Source = username/password@//myserver:1521/my.server.com - Specifying Pooling parameters Data Source=myOracleDB; User Id=myUsername; Password=myPassword; Min Pool Size=10; Connection Lifetime=120; Connection Timeout=60; Incr Pool Size=5; Decr Pool Size=2; There are many variations of the connection strings, but the majority of connection strings are key value pairs delimited by semicolons. Attacks on connection strings are not new (see for example, this SANS White Paper on Securing SQL Connection String). Connection strings are vulnerable to injection attacks when dynamic string concatenation is used to build connection strings based on user input. When the user input is not validated or filtered, and malicious text or characters are not properly escaped, an attacker can potentially access sensitive data or resources. For a number of years now, vendors, including Oracle, have created connection string builder class tools to help developers generate valid connection strings and potentially prevent this kind of vulnerability. Unfortunately, not all application developers use these utilities because they are not aware of the danger posed by this kind of attacks. So how are Connection String parameter Pollution (CSPP) attacks different from traditional Connection String Injection attacks? First, let's look at what parameter pollution attacks are. Parameter pollution is a technique, which typically involves appending repeating parameters to the request strings to attack the receiving end. Much of the public attention around parameter pollution was initiated as a result of a presentation on HTTP Parameter Pollution attacks by Stefano Di Paola and Luca Carettoni delivered at the 2009 Appsec OWASP Conference in Poland. In HTTP Parameter Pollution attacks, an attacker submits additional parameters in HTTP GET/POST to a web application, and if these parameters have the same name as an existing parameter, the web application may react in different ways depends on how the web application and web server deal with multiple parameters with the same name. When applied to connections strings, the rule for the majority of database providers is the "last one wins" algorithm. If a KEYWORD=VALUE pair occurs more than once in the connection string, the value associated with the LAST occurrence is used. This opens the door to some serious attacks. By way of example, in a web application, a user enters username and password; a subsequent connection string is generated to connect to the back end database. Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; In the password field, if the attacker enters "xxx; Integrated Security = true", the connection string becomes, Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; Intergrated Security = true; Under the "last one wins" principle, the web application will then try to connect to the database using the operating system account under which the application is running to bypass normal authentication. CSPP poses serious risks for unprepared organizations. It can be particularly dangerous if an Enterprise Systems Management web front-end is compromised, because attackers can then gain access to control panels to configure databases, systems accounts, etc. Fortunately, organizations can take steps to prevent this kind of attacks. CSPP falls into the Injection category of attacks like Cross Site Scripting or SQL Injection, which are made possible when inputs from users are not properly escaped or sanitized. Escaping is a technique used to ensure that characters (mostly from user inputs) are treated as data, not as characters, that is relevant to the interpreter's parser. Software developers need to become aware of the danger of these attacks and learn about the defenses mechanism they need to introduce in their code. As well, software vendors need to provide templates or classes to facilitate coding and eliminate developers' guesswork for protecting against such vulnerabilities. Oracle has introduced the OracleConnectionStringBuilder class in Oracle Data Provider for .NET. Using this class, developers can employ a configuration file to provide the connection string and/or dynamically set the values through key/value pairs. It makes creating connection strings less error-prone and easier to manager, and ultimately using the OracleConnectionStringBuilder class provides better security against injection into connection strings. For More Information: - The OracleConnectionStringBuilder is located at http://download.oracle.com/docs/cd/B28359_01/win.111/b28375/OracleConnectionStringBuilderClass.htm - Oracle has developed a publicly available course on preventing SQL Injections. The Server Technologies Curriculum course "Defending Against SQL Injection Attacks!" is located at http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm - The OWASP web site also provides a number of useful resources. It is located at http://www.owasp.org/index.php/Main_PageRead the article
-
Improving Manageability of Virtual Environments
- by Jeff Victor
Boot Environments for Solaris 10 Branded Zones Until recently, Solaris 10 Branded Zones on Solaris 11 suffered one notable regression: Live Upgrade did not work. The individual packaging and patching tools work correctly, but the ability to upgrade Solaris while the production workload continued running did not exist. A recent Solaris 11 SRU (Solaris 11.1 SRU 6.4) restored most of that functionality, although with a slightly different concept, different commands, and without all of the feature details. This new method gives you the ability to create and manage multiple boot environments (BEs) for a Solaris 10 Branded Zone, and modify the active or any inactive BE, and to do so while the production workload continues to run. Background In case you are new to Solaris: Solaris includes a set of features that enables you to create a bootable Solaris image, called a Boot Environment (BE). This newly created image can be modified while the original BE is still running your workload(s). There are many benefits, including improved uptime and the ability to reboot into (or downgrade to) an older BE if a newer one has a problem. In Solaris 10 this set of features was named Live Upgrade. Solaris 11 applies the same basic concepts to the new packaging system (IPS) but there isn't a specific name for the feature set. The features are simply part of IPS. Solaris 11 Boot Environments are not discussed in this blog entry. Although a Solaris 10 system can have multiple BEs, until recently a Solaris 10 Branded Zone (BZ) in a Solaris 11 system did not have this ability. This limitation was addressed recently, and that enhancement is the subject of this blog entry. This new implementation uses two concepts. The first is the use of a ZFS clone for each BE. This makes it very easy to create a BE, or many BEs. This is a distinct advantage over the Live Upgrade feature set in Solaris 10, which had a practical limitation of two BEs on a system, when using UFS. The second new concept is a very simple mechanism to indicate the BE that should be booted: a ZFS property. The new ZFS property is named com.oracle.zones.solaris10:activebe (isn't that creative? ). It's important to note that the property is inherited from the original BE's file system to any BEs you create. In other words, all BEs in one zone have the same value for that property. When the (Solaris 11) global zone boots the Solaris 10 BZ, it boots the BE that has the name that is stored in the activebe property. Here is a quick summary of the actions you can use to manage these BEs: To create a BE: Create a ZFS clone of the zone's root dataset To activate a BE: Set the ZFS property of the root dataset to indicate the BE To add a package or patch to an inactive BE: Mount the inactive BE Add packages or patches to it Unmount the inactive BE To list the available BEs: Use the "zfs list" command. To destroy a BE: Use the "zfs destroy" command. Preparation Before you can use the new features, you will need a Solaris 10 BZ on a Solaris 11 system. You can use these three steps - on a real Solaris 11.1 server or in a VirtualBox guest running Solaris 11.1 - to create a Solaris 10 BZ. The Solaris 11.1 environment must be at SRU 6.4 or newer. Create a flash archive on the Solaris 10 system s10# flarcreate -n s10-system /net/zones/archives/s10-system.flar Configure the Solaris 10 BZ on the Solaris 11 system s11# zonecfg -z s10z Use 'create' to begin configuring a new zone. zonecfg:s10z create -t SYSsolaris10 zonecfg:s10z set zonepath=/zones/s10z zonecfg:s10z exit s11# zoneadm list -cv ID NAME STATUS PATH BRAND IP 0 global running / solaris shared - s10z configured /zones/s10z solaris10 excl Install the zone from the flash archive s11# zoneadm -z s10z install -a /net/zones/archives/s10-system.flar -p You can find more information about the migration of Solaris 10 environments to Solaris 10 Branded Zones in the documentation. The rest of this blog entry demonstrates the commands you can use to accomplish the aforementioned actions related to BEs. New features in action Note that the demonstration of the commands occurs in the Solaris 10 BZ, as indicated by the shell prompt "s10z# ". Many of these commands can be performed in the global zone instead, if you prefer. If you perform them in the global zone, you must change the ZFS file system names. Create The only complicated action is the creation of a BE. In the Solaris 10 BZ, create a new "boot environment" - a ZFS clone. You can assign any name to the final portion of the clone's name, as long as it meets the requirements for a ZFS file system name. s10z# zfs snapshot rpool/ROOT/zbe-0@snap s10z# zfs clone -o mountpoint=/ -o canmount=noauto rpool/ROOT/zbe-0@snap rpool/ROOT/newBE cannot mount 'rpool/ROOT/newBE' on '/': directory is not empty filesystem successfully created, but not mounted You can safely ignore that message: we already know that / is not empty! We have merely told ZFS that the default mountpoint for the clone is the root directory. List the available BEs and active BE Because each BE is represented by a clone of the rpool/ROOT dataset, listing the BEs is as simple as listing the clones. s10z# zfs list -r rpool/ROOT NAME USED AVAIL REFER MOUNTPOINT rpool/ROOT 3.55G 42.9G 31K legacy rpool/ROOT/zbe-0 1K 42.9G 3.55G / rpool/ROOT/newBE 3.55G 42.9G 3.55G / The output shows that two BEs exist. Their names are "zbe-0" and "newBE". You can tell Solaris that one particular BE should be used when the zone next boots by using a ZFS property. Its name is com.oracle.zones.solaris10:activebe. The value of that property is the name of the clone that contains the BE that should be booted. s10z# zfs get com.oracle.zones.solaris10:activebe rpool/ROOT NAME PROPERTY VALUE SOURCE rpool/ROOT com.oracle.zones.solaris10:activebe zbe-0 local Change the active BE When you want to change the BE that will be booted next time, you can just change the activebe property on the rpool/ROOT dataset. s10z# zfs get com.oracle.zones.solaris10:activebe rpool/ROOT NAME PROPERTY VALUE SOURCE rpool/ROOT com.oracle.zones.solaris10:activebe zbe-0 local s10z# zfs set com.oracle.zones.solaris10:activebe=newBE rpool/ROOT s10z# zfs get com.oracle.zones.solaris10:activebe rpool/ROOT NAME PROPERTY VALUE SOURCE rpool/ROOT com.oracle.zones.solaris10:activebe newBE local s10z# shutdown -y -g0 -i6 After the zone has rebooted: s10z# zfs get com.oracle.zones.solaris10:activebe rpool/ROOT rpool/ROOT com.oracle.zones.solaris10:activebe newBE local s10z# zfs mount rpool/ROOT/newBE / rpool/export /export rpool/export/home /export/home rpool /rpool Mount the original BE to see that it's still there. s10z# zfs mount -o mountpoint=/mnt rpool/ROOT/zbe-0 s10z# ls /mnt Desktop export platform Documents export.backup.20130607T214951Z proc S10Flar home rpool TT_DB kernel sbin bin lib system boot lost+found tmp cdrom mnt usr dev net var etc opt Patch an inactive BE At this point, you can modify the original BE. If you would prefer to modify the new BE, you can restore the original value to the activebe property and reboot, and then mount the new BE to /mnt (or another empty directory) and modify it. Let's mount the original BE so we can modify it. (The first command is only needed if you haven't already mounted that BE.) s10z# zfs mount -o mountpoint=/mnt rpool/ROOT/zbe-0 s10z# patchadd -R /mnt -M /var/sadm/spool 104945-02 Note that the typical usage will be: Create a BE Mount the new (inactive) BE Use the package and patch tools to update the new BE Unmount the new BE Reboot Delete an inactive BE ZFS clones are children of their parent file systems. In order to destroy the parent, you must first "promote" the child. This reverses the parent-child relationship. (For more information on this, see the documentation.) The original rpool/ROOT file system is the parent of the clones that you create as BEs. In order to destroy an earlier BE that is that parent of other BEs, you must first promote one of the child BEs to be the ZFS parent. Only then can you destroy the original BE. Fortunately, this is easier to do than to explain: s10z# zfs promote rpool/ROOT/newBE s10z# zfs destroy rpool/ROOT/zbe-0 s10z# zfs list -r rpool/ROOT NAME USED AVAIL REFER MOUNTPOINT rpool/ROOT 3.56G 269G 31K legacy rpool/ROOT/newBE 3.56G 269G 3.55G / Documentation This feature is so new, it is not yet described in the Solaris 11 documentation. However, MOS note 1558773.1 offers some details. Conclusion With this new feature, you can add and patch packages to boot environments of a Solaris 10 Branded Zone. This ability improves the manageability of these zones, and makes their use more practical. It also means that you can use the existing P2V tools with earlier Solaris 10 updates, and modify the environments after they become Solaris 10 Branded Zones.Read the article
