Saturday, April 24, 2010

Some people are brave - others are chickenshit

Yesterday I received a farewell email from my dear colleague David Calcano. After years with Accenture he is moving into a totally different area, leaving us with all the mess of Oracle and SOA.

I always admired folks who know more than I do, and the more they know more than me the more I dream of becoming like them. And then they turn out to be brave enough and do something completely different.

I will keep www.nosecodeproductions.com on my radar - and I know that with people like David on board they can only succeed!

And now back to the scared and meek folks who just keep on doing the same - me ;-)

VMware hiccup

Although I am busy moving to Oracle VM, I needed to access one of my systems on VMware on my laptop which I had not used for a while.

The console of VMware did not load. OK - I thought this might be due to some networks which I had disabled on Windows. Enabled them - no result. Checking the VMware services I found out that the VMware Host Agent was not running. So I restarted it. Crashed again.

Obviously the next step is to check the Windows event viewer. To my surprise the System Log could not be displayed.

Needless to say I had to fix this first. Clearing the log typically solves this and I was lucky this time.

Back to the VMware Host Agent. Started it again - still crashes. I found the following error:

The VMware Host Agent service terminated with service-specific error 4294967295 (0xFFFFFFFF).

Checking the VMware log.

Log for VMware Server, pid=7444, version=2.0.2, build=build-203138, option=Release, section=2
[2010-04-24 12:20:34.264 'App' 2600 info] Current working directory: C:\ProgramData\VMware\VMware Server
[2010-04-24 12:20:34.265 'App' 2600 info] Trying blklistsvc
[2010-04-24 12:20:34.265 'App' 2600 info] Trying cimsvc
[2010-04-24 12:20:34.266 'App' 2600 info] Trying directorysvc
[2010-04-24 12:20:34.266 'App' 2600 info] Trying hostsvc
[2010-04-24 12:20:34.727 'App' 2600 panic] error: not well-formed (invalid token)
[2010-04-24 12:20:34.728 'App' 2600 panic] backtrace:(backtraces not supported)
[2010-04-24 12:20:34.728 'App' 2600 info] Win32 service stopped

Googling for a solution, I found that the datasources.xml could be corrupt. I checked it and indeed - only garbage in there. Renamed this file and restarted the VMware Host Agent.

Now everything works. Finally I can get back to my VMware server and restart my age-old Oracle Enterprise Manager Grid Control.

Friday, April 23, 2010

How Database Vault really works

I was worried as I ran into a problem with the Database Vault security. I configured a new realm in a database where the Oracle E-Business Suite is running. The main idea was to have a user for the OBIEE that should have only limited access.

Together with some colleagues we made sure that the OBIEE user had the correct grants on some tables and views inside the EBS schema (APPS, AR, GMS, PA). I created the realm and added the OBIEE user as a participant.
Everything seemed to work. Then I disabled the realm and even removed the OBIEE user from the realm, but still Oracle Answers was capable of accessing the APPS schema objects.

Took me a day and finally I reread the manual. I understood my error.

The purpose of the DBV is to lock out users with system privileges, such as the SYS or SYSTEM user.
Now the account of the OBIEE user does not have these system privileges except CREATE SESSION.
In order to access any object the OBIEE user relies on discretionary grants (e.g. the AR user grants select on HZ_CUST_ACCOUNTS).
Because of this the OBIEE user does not need the realm, as the access is already granted.

The DBV is not aimed at users like the OBIEE user but at all users who have system privileges.

From the Oracle manual:

... Oracle Database Vault does not replace the discretionary access control model in the existing Oracle database. It functions as a layer on top of this model for both realms and command rules. ...
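
To see which layer actually lets an account reach the EBS objects, the query below lists its system privileges, its object grants in the four schemas and its realm authorizations side by side. It is an added example, not part of the original post; OBIEE_USER is an assumed placeholder for the real account name, and role lookups go one level deep only.

```sql
-- Added example. Assumption: OBIEE_USER stands in for the real account name.
-- Run as a user who can read the DBA_* views and DVSYS.DBA_DV_REALM_AUTH.

-- 1. System privileges, held directly or through a directly granted role.
--    ANY-type privileges listed here are what a realm restricts.
SELECT 'SYSTEM PRIVILEGE' AS access_path,
       sp.grantee         AS via,
       sp.privilege       AS detail
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'OBIEE_USER'
   OR  sp.grantee IN (SELECT rp.granted_role
                      FROM   dba_role_privs rp
                      WHERE  rp.grantee = 'OBIEE_USER')
UNION ALL
-- 2. Discretionary object grants in the EBS schemas named in the post.
--    These keep working whether or not the account is a realm participant.
SELECT 'OBJECT GRANT',
       tp.grantee,
       tp.privilege || ' ON ' || tp.owner || '.' || tp.table_name
FROM   dba_tab_privs tp
WHERE  tp.owner IN ('APPS', 'AR', 'GMS', 'PA')
  AND (tp.grantee = 'OBIEE_USER'
       OR tp.grantee IN (SELECT rp.granted_role
                         FROM   dba_role_privs rp
                         WHERE  rp.grantee = 'OBIEE_USER'))
UNION ALL
-- 3. Realm authorizations currently recorded for the account.
SELECT 'REALM AUTHORIZATION',
       ra.realm_name,
       ra.auth_options
FROM   dvsys.dba_dv_realm_auth ra
WHERE  ra.grantee = 'OBIEE_USER'
ORDER  BY 1, 2, 3;
```

If the result shows only CREATE SESSION under SYSTEM PRIVILEGE and a set of OBJECT GRANT rows, the account's access comes entirely from discretionary grants, which matches the behaviour described above.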