Bash script: Trusted certificate chains to orapki wallet

I have created a script to add trusted certificate chains to an orapki wallet from the Linux command line, and there is no web browser needed. It reads sites from a list and adds the certificate chains of those sites to an orapki (auto login) wallet.

Usage

Start the script with ./certs_to_wallet.sh <path to wallet> . This will prompt you for a NEW wallet (auto login) creation. The old wallet will be backed-up. In case of permission of password errors, the backup will be restored.

It reads a wallet_sites.lst file from the current directory or the wallet directory. The wallet directory takes preference, so you can have a list of sites per wallet. A site per line will be processed and the certificate chain will be added to the given wallet (the last line should be empty).

Continue reading

Oracle Linux patches for Meltdown and Spectre information

Oracle Linux

Shown are the latest kernel versions as of the 9th of January which have Meltdown and Spectre patches.

Kernel versions can be found when running the `uname -r` command.

After the kernel is installed one can find the kernel/packages changelog and security info with the following commands and see in the page table isolation has been activated:

# yum updateinfo list
# yum updateinfo list cves
# yum updateinfo list kernel-uek
# yum updateinfo list --sec-severity=Important
# yum updateinfo info --sec-severity=Important
CVE-2017-1000407 Important/Sec. kernel-uek-4.1.12-112.14.13.el7uek.x86_64

# dmesg | grep isolation
[ 0.000000] Kernel/User page tables isolation: enabled

# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
# rpm -q --changelog kernel-uek | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

Oracle Linux version 6

Kernel: 2.6.32-696.18.7 (errata: ELSA-2018-0008), 2018-01-04.

Kernel-uek: 4.1.12-112.14.10 (errata: ELSA-2018-4006), 2018-01-09.

Oracle Linux version 7

Kernel: 3.10.0-693.11.6 (errata: ELSA-2018-0007), 2018-01-04.

Kernel-uek: 4.1.12-112.14.10 (errata: ELSA-2018-4006), 2018-01-04.

Oracle VM version 3.4

Xen: 4.4.4-155.0.12.el6 (errata: OVMSA-2018-0006), 2018-01-08.

Continue reading

tnsping (and others) take at least 5 seconds (or longer)

I ran into a situation where tnsping and other connections like ssh and such took at least 5 seconds (5000 msec) to establish:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = host.domain.local)(PORT = 1521))
                                     (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ORCL)))
OK (5010 msec)

Also connecting to ‘host.domain.local’ with ssh took about 5 seconds. At first I thought it had to with sshd and some authentication options which had to timeout first, but than I discovered tnsping also waits 5 seconds. When connecting to the ip address it took 0 msec… aha… a DNS thing?! Continue reading

OEL 6.9 PVM guests on Oracle VM 3.4.3 won’t start

I recently upgraded by OVM to 3.4.3(.1511), but now my Oracle Enterprise Linux 6.9 PVM guests won’t start up any more. They don’t finish the ‘Starting automount’ in the boot / startup screen. It does not fail, it just won’t continue.

There is nothing special in the /etc/fstab I guess… : Continue reading

Server error: ‘The backing device /dev/mapper/xyz is not allowed to contain partitions’ on OracleVM

Ok, I added a new disk (well old actually, but new for the machine) to my Oracle VM server. It discovered it (or do it manually) and I wanted to create a new repository on it. Unfortunately it came with the following error:

Server error: 'The backing device /dev/mapper/3500a075109146bee is not allowed to contain partitions'

Continue reading

Oracle Grid 12c and Linux 7: PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm

When you run Oracle Grid 12c ‘cluvfy stage -pre crsinst’ on Linux 7 (Oracle Enterprise Linux 7.2 in my case) you will get the following error:

Starting check for /dev/shm mounted as temporary file system ...

ERROR:

PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm
PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm
PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm
PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm

Check for /dev/shm mounted as temporary file system failed

When you do a ‘df -h’ you will see that ‘/dev/shm’ actually is mounted:

Filesystem Size Used Avail Use% Mounted on
devtmpfs 24G 0 24G 0% /dev
tmpfs    24G 0 24G 0% /dev/shm

This is due to a bug (Doc ID 2065603.1) which comes from the case that the cluvfy check does not check the actual mount of the file system, but looks for the persistence line of this mount in ‘/etc/fstab’ like it did in Linux 6. In Linux 7 you get this tmpfs mount by default.

Continue reading

Add a larger disk and remove smaller disk from LVM, online!

Goal: To add new larger disk to LVM, move data and remove old smaller one

When using Oracle VM in my work, a disk can be enlarged in Oracle VM manager for a virtual machine. But because of an internal loop-mount on the XEN hypervisor level, the disk-file which is presented to the virtual machine as a disk, is not able to ‘pass on’ it’s resize information to the OS. This requires an unmount and mount of the disk-file on hypervisor level, or in simple words: a reboot of the virtual machine… yikes! Continue reading

*ALL* Oracle database patches… Linux and Windows… (on Metalink)

Linux and Windows…

Quick Reference To Patch Numbers For Database PSU, SPU(CPU) And Bundle Patches [ID 1454618.1]
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1454618.1

This document is replaced by Note 2118136.2:
Download Reference for Oracle Database/GI PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases [ID 2118136.2]
https://support.oracle.com/epmos/faces/DocumentDisplay?id=2118136.2

…more Windows

Oracle Database, Networking and Grid Agent Patches for Microsoft Platforms [ID 161549.1]
https://support.oracle.com/epmos/faces/DocumentDisplay?id=161549.1

THATS IT!

Happy patching!

Booting Oracle VM / Linux (ISOs) with UEFI ‘bios’ does not work

It seems Oracle VM (<=3.3.1 *) and Oracle Linux (<= 5.10/6.6 *) both install ISOs and installed OS’s are not capable of booting when UEFI on the bare-metal hardware is used. I have seen two configurations now where this happened, one using a USB HDD drive capable providing a ISO to boot from as CD/DVD (Zalman ZM-VE300)  and one HP iLO4 (http and local ISO) ‘remote’ booting. Continue reading

OpenSSL Heartbleed Oracle fixed version is 1.0.1e-16.el6_5.7

When one is looking for the OpenSSL fix 1.0.1g for Oracle (Red Hat) Linux 6, the fixed package version is ‘1.0.1e-16.el6_5.7’. I think this a bit misleading, because OpenSSL 1.0.1e is subject to the bug (CVE-2014-0160). But from the Red Hat site: and Orcale MetaLink (MOS Note 1663998.1): “Version openssl-1.0.1e-16.el6_5.7 included a fix backported from openssl-1.0.1g.

Some simple OS tests can produce a false-positive to heartbleed tests, becasue it could look only for text other than 1.0.1g.

Update…

To update to the ‘latest’ OpenSSL version, enable the [OL6_latest] repository en ‘yum update openssl’:

Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-15.el6 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution
(etc...)

Testing for processes using OpenSSL

One can test if processes are using OpenSSL (not a heartbleed vulnerability test), by issuing one of these two following commands:

$ lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
$ grep libssl.so.1.0.1 /proc/*/maps |cut -d/ -f3 |sort -u |xargs -r -- ps uf

More info

OpenSSL Security Bug – Heartbleed / CVE-2014-0160

Document written at April the 18th, 2014…

Happy blee, uh, testing and patching!