Dontcheff

The Oracle Cloud Infrastructure Mobile App

In Autonomous, DBA, OCI on September 1, 2021 at 06:46

Being on summer vacation without my laptop, I still have access to my OCI tenancy via the mobile app by simply using my phone.

The OCI mobile app is available for both Apple iOS and Android. With the app, we can check the resources and view alarms, billing, days elapsed and limits.

First, you have to download the app – search for “Oracle Cloud Infrastructure”:

After you log in to the mobile app, you get the following screen, from where you can modify the settings of your profile and/or view your resources, billing status, alarms and limits:

Indeed, we cannot do much besides viewing some of our resources and billing charges (we cannot drill down). And for now, I can see only my ADW and ATP databases, not AJD or APEX.

But, at least I can check if my databases were stopped before I left for vacation:

For faster sign-in to the mobile app, you can enable automatic sign-in. Automatic sign-in uses an API key to authenticate you when you access the app, keeping you signed in until you sign out. Each user has a limit of 3 API keys. If your account has reached this limit, you can’t use this feature in the mobile app until you delete one of the existing API keys. You can use the Console to delete API signing keys. My virtual private vault count is zero – so I could not enable automatic sign-in:

It is also possible to switch the regions (my default is Frankfurt as you can see from above) and you can set the mobile app to use UTC time or local time.

Life, Grace and Rollover time of passwords in the Oracle Database

In DBA, Oracle database, Security and auditing on August 6, 2021 at 10:26

The latest Release Update of Oracle Database 19c, namely 19.12, comes with two new features: Oracle memory speed support for PMEM devices and gradual database password rollover for applications. The gradual database password rollover is backported from Oracle 21c.

I still remember very well the times when changing the password of a database schema/user required shutting down both the database and the application, and this practice has not really changed much until now. You can change database credentials without downtime thanks to proxy users:

Password rolling change before Oracle 21c

With the latest RU of 19c, there is a way to do this online. And of course also with 21c.

Now, there is a password rollover time period when the user can log in using either the old password or the new password. Here is how it works.

Oracle Database 19.12 introduces a new parameter related to the already existing PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME parameters called PASSWORD_ROLLOVER_TIME.

Note the default and the minimum and maximum values for the 3 parameters above. All numbers show days.

In order to enable the feature, we first have to modify the user profile with a non-zero limit for PASSWORD_ROLLOVER_TIME. This allows the database password of the application user to be changed to a new one while the old password can still be used for the time specified by PASSWORD_ROLLOVER_TIME. During the rollover period defined by PASSWORD_ROLLOVER_TIME, the application user/schema can use both the old password and the new password. When the rollover time expires (that is, 1a), only the new password can be used.

After a password is created for a new user, or an existing password is changed, the password follows a life cycle and grace period in four phases: 1a & 1b, 2, 3 and 4:

We can query DBA_USERS to find the user’s account status from the ACCOUNT_STATUS column (check the screenshot on the top of the post). It is important to point out that after the rollover period has begun, we can still change the password: with or without the REPLACE clause. The rollover start time is fixed at the time when the user changes the password. The start time is not affected by further password changes during the password rollover period. 

Here is how I could connect to the database with 2 different passwords after the initial profile re-configuration:

If needed, we can quit the rollover time period at any time with the following command:

ALTER USER JULIAN EXPIRE PASSWORD ROLLOVER PERIOD;
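
The rollover procedure described above, end to end, together with two audit queries for spotting accounts that currently accept two passwords. This is an added example, not code from the original post; the profile name APP_ROLLOVER, the service name pdb1 and both passwords are constructed placeholders.

```sql
-- Added example (not from the original post). APP_ROLLOVER, pdb1 and both
-- passwords are constructed placeholders; JULIAN is the user named in the post.

-- 1. Enable the feature: non-zero PASSWORD_ROLLOVER_TIME (in days) on the profile.
CREATE PROFILE app_rollover LIMIT PASSWORD_ROLLOVER_TIME 1;
ALTER USER julian PROFILE app_rollover;

-- 2. Change the password. The rollover clock starts here and is not reset
--    by further password changes made during the rollover period.
ALTER USER julian IDENTIFIED BY "New_Placeholder#2";

-- 3. During the rollover period both logins succeed (SQL*Plus):
--    CONNECT julian/"Old_Placeholder#1"@pdb1
--    CONNECT julian/"New_Placeholder#2"@pdb1

-- 4. Audit: which accounts accept two passwords right now, and since when?
SELECT username, account_status, profile, password_change_date
FROM   dba_users
WHERE  account_status LIKE '%IN ROLLOVER%'
ORDER  BY password_change_date;

-- 5. Audit: which profiles allow rollover at all, and for how long?
--    Profiles showing DEFAULT inherit the value of the DEFAULT profile,
--    so check that profile's row as well.
SELECT profile, limit
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_ROLLOVER_TIME'
AND    limit NOT IN ('0', 'DEFAULT');

-- 6. End the rollover early once every application uses the new password;
--    from this point on only the new password is accepted.
ALTER USER julian EXPIRE PASSWORD ROLLOVER PERIOD;
```

Running query 4 on a schedule shows any account left in rollover longer than the planned change window, which is the situation in which an old, possibly exposed password is still valid.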

We cannot configure the gradual database password rollover for the following connection types:

  • Direct logins for Oracle Real Application Security users
  • Kerberos-, certificate-, or RADIUS-based externally authenticated connections
  • Centrally managed user (CMU) connections
  • Administrative connections that use external password files
  • The Oracle Data Guard connection between the primary and the standby

For more on the topic, check Rodrigo Jorge’s post “Gradual Database Password Rollover brings new backdoor opportunities” to find out how to protect against possible hackers when using this new feature or, if you are interested in the internals, check “Understanding internally how 21c Gradual Database Password Rollover works”.

A good example of how to use the feature is given by Mouhamadou Diaw in his blog post “Oracle 21c Security: Gradual Database Password Rollover”.

And here is something from Oracle v4:

It is OK for DBAs to make mistakes

In DBA on July 26, 2021 at 18:42

At OpenWorld 2016, one of the presentations I gave was entitled “My 13 DBA mistakes in 13 years“. Seldom do I see so many smiley faces in the audience.

Earlier, in 2009 at the BGOUG, Plamen Zyumbyulev and I gave a very similar talk called “Don’t do like they do. People would make fun of you“. We were both quoting mistakes we had made while working with the databases.

In my opinion, it is OK for DBAs to make mistakes – it just happens from time to time. It can happen during the day, during on-call and it happens also to the very best ones.

I have heard from some DBAs that they have never made any mistakes. Maybe. Who knows. But when spending years and years of database administration once in a while it is OK to press the wrong button or type the wrong command. Or the right command and press the right button but … in the wrong window 🙂

For me, the transition from DBA to Senior DBA comes at the moment when you start admitting your mistakes. I believe this is the borderline.

Here is a good collection of mistakes DBAs have made but first my top 3 ones 🙂 I mean my mistakes.

  1. New patchset – I think 9.2.0.6 or something. I patched the RMAN catalog database running on a standalone server. So far, so good. All done. Perfect! I wanted to remove the patchset binaries afterwards. Simple rm -rf * Then I got a phone call from the Unix admin: Julian: are you connected to ..? Cold sweat. I noticed screens were changing one after another. Then even before typing pwd I knew I was root and I would see that single slash – live and learn. We had to reinstall the OS and recreate the RMAN catalog database.
  2. In a production database I saw a user called ABC – not too many tables, I thought it was some test schema remaining from who knows what and where. Then: drop user cascade; Why didn’t I ask what that schema was and who created it and what it was used for! The answer I got (after the schema was dropped) was the worst I could expect. Like the worst of the worst. Luckily, for some reason I ran a schema export before the drop. I have never ever as DBA run an import so quickly in my life 🙂
  3. Heavily loaded 24×7 OLTP database – I got a call that a filesystem was 99% full – it had only UNDO tablespace files. One of them rather huge. Something I have done so many times: recreate the UNDO online:

Only one problem: I deleted with rm the wrong UNDO file – imagine what happened – all databases which work within one business application got messed up – at least transactions were failing. I still remember the reaction of the datacenter manager when with a pale face I went to report what happened: “This is just a website Julian – no human lives are at stake – go and fix it”. We managed to fix it without shutting the databases down but I had another DBA behind me following what I was typing. Afterwards, most of us were often watching each other when doing something important – 4 eyes are always better than 2.

What is the biggest mistake you made in production? by Tara Kizer

5 DBA Mistakes That Can Cost You Your Job by Robert Davis

Confessions of a DBA: My worst mistake by Phil Factor

Don’t Just Do Something, Stand There! Avoiding Junior DBA Mistakes by Jim Czuprynski

Top 6 MySQL DBA Mistakes by Rob Gravelle

Common Mistakes of DBA in MS SQL Server by Evgeniy Gribkov

The 3 DBA Mistakes You Don’t Know You Are Making by Thomas LaRock

And here are interesting videos to watch: Top 10 DBA Mistakes: Horror Stories!