Feed aggregator

The Supply Chain Problem

Mary Ann Davidson - Mon, 2008-04-07 19:46

I recently participated in a Defense Science Board study that examined foreign influence over the supply chain of software. The study noted that, even as vendors need worldwide access to technological talent to enable them to create commercial software solutions benefiting the US Department of Defense, there is an increased risk that the supply chain of software may be compromised by adversaries, such as hostile nation states. Working on that task force brought supply chain issues front and center in my thinking for a number of months.

 

Supply chain security issues are on many people's minds these days.  More and more regulations impact IT operations either directly or indirectly, such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), various breach disclosure laws such as California SB1386, and information security laws like Minnesota's adoption of some of the payment card industry (PCI) standards. (And these are just the US laws.) Customers are being pressured to establish (from documentation to demonstration) they are "more secure" and are in turn pressuring their supply chain - software vendors -  to prove that the enterprise software they provide is secure. Vendors are being asked everything from "What features and functions do you have to help meet regulatory requirements?" to "How do you embed security within your software development lifecycle?"  This is a good thing, and how markets are supposed to work.

 

In the vendor community, there is a low rumble of discontent about our supply chain's current lack of a "secure development lifecycle." I'm not talking about other software suppliers (for example, vendors who supply toolkits or components we embed) though at Oracle, we do vet these suppliers' security practices before we incorporate their technologies into our code. 

 

What I mean by supply chain is the universities who supply CS graduates to IT vendors. There is no "secure development lifecycle" in the vast majority of universities' degree programs - that is, security is not "baked into" graduates of relevant programs (e.g., computer science) throughout their degree programs. And that is a problem, perhaps the problem plaguing the software industry. All the other security remediation taking place in the software supply chain (such as multiple security point solutions, vulnerability analysis services, and patch management offerings) largely stems from the fact that most software was neither designed nor built to be secure. And to that point, developers don't code software from the perspective of an attacker. Many believe security is a task for someone else ("it's behind the firewall so we don't have to worry!"); but their code is a target and will only be more of one in the future.

 

CS majors graduate from long, labor-intensive degree programs without, in most cases, knowing even first principles of secure coding and secure engineering practice. They are not stupid, but ignorant.  They aren't being taught secure development practice because in many cases, their professors do not know it, or do not know the material well enough to teach it, or do not view it as a priority; I've heard a number of professors admit as much. Also, many professors are tenured and thus non-responsive to market forces. They don't have to change because they have the ultimate job security, which means that many can continue to teach Buggy Whip Design 101 instead of moving into the 21st century.  I can say this because I spent the first 18 years of my life living in university towns: my dad was a department chair, associate dean, and then dean of the faculty. I think "tenured" was one of the first words I learned to spell.

 

Last year, I got fed up enough with Oracle having to train otherwise bright and capable CS grads in secure coding 101 that I sent letters to the top 10 or so universities we recruit from (my boss came up with the idea and someone on my team executed on it - teamwork is a wonderful thing). Specifically, we sent the letters to the chairmen of the department of computer science (or equivalent) and copied the deans of the schools with oversight of the CS departments. In the letter, we stated that Oracle expends significant resources training CS graduates in secure coding practices. We described the impact to us and to our customers of avoidable, preventable security defects, and why the insecurity of commercial software is a national security problem. We also pointed out that SANS has developed an assessment for secure coding practice. And we stated that in the future, Oracle would give preference in hiring to those universities that emphasize secure coding practices.

 

I am sorry to state that only one of those universities we wrote to responded to my letter (specifically, one department chairman responded), and the one that did (while stating that they did have courseware pertaining to security practice) wanted funding from Oracle to develop a more robust class. Having grown up at universities, I know very well that universities as a group tend to be really well endowed. In English, this means they have all the money in the world to do things like "teach better" except that as a group, professors' fortunes rise or fall with getting money to Do More Research (quite often, much of which has already been done before, or better).

 

While I appreciate the University of X's CS department chairman getting back to me (and the fact that they had at least some material on secure coding practice), I see no reason to pay them to do work they should be doing, anyway. In particular, paying a university to develop a class on secure coding that only they teach is not going to solve this problem. Nor - despite excellent intentions - are the NSA's Centers of Excellence in Information Assurance going to solve the problem.

 

We need a revolution - an upending of the way we think about security - and that means upsetting the supply chain of software developers.  I suppose I am revolutionary-minded because I am finishing reading a book on the American Revolution (Liberty, by Thomas Fleming), but there is a point beyond which tinkering with existing structures of government is not enough. There is a principle at stake (like "taxation without representation is tyranny").  If the powers that be don't grasp the principle, the only choice is to "secede."  Maybe the principle that I want universities to grasp is the one the Marine Corps has: "Every Marine is a rifleman." Every Marine can fight - they don't "outsource" rifle handling to others if they are attacked. (Imagine how different the IT space would be if every developer thought and coded defensively and every product could self-defend. I bet the average Marine gunny sergeant could whip universities into shape in about 16 weeks or less.)

 

Like some of the publications circulated by the Sons of Liberty in the buildup to the American Revolution, I found my "letter to universities" idea struck a responsive chord. A fellow vendor asked for a copy of the letter. Someone in a quasi-government organization (who was keenly interested in the assurance problem) wanted a copy of the letter to go back to universities to prove to them that their "customers" needed them to change. Two people armed with my letter is a start, but it's not enough to start a revolution.

 

Forthwith, I have taken the liberty (after expunging the name of the university to which it was originally addressed) of PDFing one of my letters to universities from last year, and publishing it on the Oracle web site at: http://www.oracle.com/security/docs/mary-ann-letter.pdf

 

In so doing, I consider this to be both an open letter to my fellow vendors, and an open letter to universities.

 

To the vendor community, just as customers are demanding more of us in security (and rightly so), we must demand more of our suppliers. It is inefficient and wasteful for each of us to train CS graduates in secure coding practice - yet Oracle and many other vendors expect secure coding practice as part of our development processes (and if we aren't doing that, then we need to do it). More to the point, the cultural transformation - that CS graduates are responsible for the security and safety of the code they write - must happen in universities. Take my letter, modify it as you will, and start holding university CS programs' feet to the fire to improve. To quote Ben Franklin after signing the Declaration of Independence: "We must all hang together, or most assuredly we will all hang separately."

 

Also, vendors, if you have secure coding class material, work with the organizations that are trying to fix the problem. SANS, for example, is working on material for faculty members to use in teaching secure coding practice (Oracle is participating in this).  The Department of Homeland Security's Software Assurance Forum (next meeting in early May) has people working on a Common Body of Software Knowledge, as well as other training work. As I write this, I am working through the details of getting a tutorial Oracle developed on SQL injection prevention released to universities gratis. Those who have done it tell me that if you make secure coding courseware available, at least some CS professors will teach it.

 

Vendors can also express their concerns to the Association for Computing Machinery (ACM) - the accreditation body for CS degree programs. (Mahalo nui loa to Scott Charney of Microsoft, who did just that a couple of years ago and got a number of us in industry to sign the letter.) I note that the sooner we can get to a basic secure coding class everyone can use (phase 1), the harder it will be for ACM to refuse to change their accreditation program, especially if enough vendors complain to them. Let's make it easy to say "yes" and hard to say "no."

 

To universities, I cannot but contrast the education of engineers with that of computer science majors. Engineers know that their work product must above all be safe, secure and reliable. They are trained to think this way (not pawn off "safety" on "testers") and their curricula build and reinforce the techniques and mindset of safe, secure and reliable product. (A civil engineer who ignores the principles of basic structures - a core course - in an upper level class is not going to graduate, and can't dismiss structures as a "legacy problem.")

 

Universities, you must start with a basic secure coding/secure development practice class that is required for all CS majors.* You must then revamp the fabric of every single class so that security becomes part and parcel of each class. If a student's "elegant technical solution" in an upper level class is hackable, the student shouldn't get a great grade: in fact, maybe hackable homework should be grounds for failure - kind of like a bridge design that would collapse under loading would get a failing grade in the Civil Engineering Department. I knew a professor at Stanford who routinely had his students "red team" and "blue team" each other's homework (and his class wasn't even a security class). I'd thank him if I could remember his name. Secure development practice needs to be embedded within the fabric of every class, not just in a single class that students file and forget.

 

Universities, think more broadly about the application of security to your classes. (I have learned more about this problem just since I sent the original letters.) For example, think about all the process engineers designing control systems for pharmaceutical companies, chemical plants, utilities, and more. Do you think that security is embedded within the fabric of each and every course that they take? No, it isn't. (True and scary story from a colleague about a guy who insisted that his PC - which had a control system interface on it - was not Internet accessible. Oh really, what is that instant messaging window doing open on your desktop?) 

 

I also offer a personal anecdote about the difference between "taking a class" and immersing yourself in a language in support of my argument. Many readers (well, the 5 people who read my blog regularly, which includes my parents) know that I love the Hawaiian language. Something delightful happened when I moved beyond reading the Hawaiian language textbook and started making Hawaiian part of my daily life. I read the Bible in Hawaiian instead of English. I read Hawaiian-language books (like the story of Kamapua'a, the Hawaiian pig-god, and the Kumulipo -  the Hawaiian creation chant). I sing along to Hawaiian songs. I found that once I moved beyond "conversational exercises" and immersed more of my life in the language, I started thinking in Hawaiian. (For example, I can form a sentence without stopping to think, "does that noun take an a-form possessive or an o-form possessive?"**) Immersion in a subject or language works because it changes the way you think. Single classes do not work - at least, they don't work if you want to develop fluency or change your mindset.

 

I am hopeful that working together, vendors and universities can help create a revolution from within, for the benefit of all.

 

If change is slow to happen, or there is resistance to change, vendors can also help create an impetus behind this effort by going to legislators - such as those who serve on the House of Representatives Science and Technology Committee - and ask them to consider tying research money (for example, funds dispensed through the National Science Foundation (NSF)) to computer science curricula reform. Perhaps universities' CS departments would have the time and motivation to fix their curricula if they weren't (and I am not making this up) wasting time and grant money on how to wave a cell phone in front of a professor's door to get access to the room.  If all else fails, "money talks." The power of the purse can effect positive change (ask any kid whose allowance is withheld until he learns to clean up his messy room).

 

Since I am on a history kick anyway, I should point out that the US Federal Government has had a significant role in the development of the software industry. The government, especially the Defense Department, successfully used the "power of the purse" to rapidly develop the computer industry in its early stages, and can continue to use its positive influence to change the way universities develop curricula. So anybody who thinks that the entity handing out money (the government) shouldn't help use that lever to help make us more secure (by insisting that universities they fund fix a root cause of IT insecurity) needs a history refresher.

 

Universities are not evil but they are generally not responsive to market forces, due to a) an endless source of research money often not tied to anything approaching pragmatic results and b) tenured faculty that do not have to change because there is no impetus to change nor penalties if they don't change. We as vendors should help them change through both the "carrot" of donating our time, expertise and support for changing the curricula, so that relevant degree programs have the "secure development lifecycle" in producing graduates that we as vendors are expected to have as suppliers, and the "stick" of using accreditation and funding (or funding cutoff) to help force needed change. When Great Britain refused to accede to the principle of "taxation without representation is tyranny," the colonies seceded. We did not get our independence from Great Britain by asking more nicely for it.

 

Our world is more technologically based than ever before. All customers rely on IT as infrastructure, and are being driven by regulation to insist on a "secure software supply chain." Producing secure software does indeed require a secure supply chain, not limited to but including university graduates whose computer-related degree programs have security principles and practices embedded within every element of their degree programs. Perhaps what I have said above is harsh, but I offer it as Tough Love. We simply - and collectively -  must evolve to defensive mindsets delivering defensible code lest none of us survive in a hostile world.

 

"We must all hang together, or most assuredly we will all hang separately."

 

 

Disclaimer: Large portions of the above blog were originally written for an Oracle Magazine column I do regularly, "All Secure." The elegant journalistic term for "self-plagiarism" is "repurposing," and anyway, it's not plagiarism if you steal from yourself.

 

* I'd be remiss in not mentioning a few (among many) bright spots working on the supply chain problem at the university end: Gene Spafford at Purdue (always on anyone's bright spot list and has been for years), Samuel Redwine at James Madison University (who has labored long and mightily on a software security body of knowledge), and Neil Daswani at Stanford (who has published a book Foundations of Security: What Every Programmer Needs To Know available at http://tinyurl.com/33xs6g and who graciously sought me out to give me a copy). I am barely giving these fine gentlemen credit for a lot of hard work to improve university curricula in this area, and I know there are others who are also similarly engaged whom I have not credited. Thank you, all.

 

** If you really want to know, o-form possessives are used for things that are inalienable or are your birthright. Emotions, for example (like aloha - love), means of conveyance (like papa he'e nalu - surfboard), parents, gods, are all inalienable and thus take an o-form possessive: He makuahine maika'i ko'u. (I have a good mother.) Things that are alienable or that you acquire (spouse, children) take a-form possessives: He ipo 'olu'olu ka'u. (I have a nice sweetheart.) It was a big day in my life when I could start rattling off sentences without thinking about what kind of possessive to use.

 

For More Information:

 

Book of the Week:

 

Aircraft Carriers at War: A Personal Retrospective of Korea, Vietnam, and the Soviet Confrontation  By Admiral James L. Holloway III, USN (Ret.)

 

http://www.usni.org/store/item.asp?ITEM_ID=1320

 

ADM Holloway (disclaimer: a family friend, so I am justifiably prejudiced in his favor) has had an amazing career: an officer during WWII (present at the Battle of Surigao Strait outlined in Last Stand of the Tin Can Sailors), he then qualified as a naval aviator, serving throughout the Korean and Vietnam Wars.  He also served as Chief of Naval Operations. He is a fine leader, a fine person and a long-time contributor to naval history and thought. There has been so little written about the Cold War from a military perspective that this book is doubly welcome: written by a great leader and warrior who was there. (Hey, all the reviews are glowing - I am just gilding the lily.)

 

Another true hero has died: Jacob DeShazer, who was one of the Doolittle Raiders who "struck back" at Japan after Pearl Harbor by bombing Tokyo on April 18, 1942. (Japan subsequently decided to "finish" the Pacific fleet at Midway, where they lost the war.)  DeShazer endured unbelievable hardships - torture and deprivation - as a POW of the Japanese but forgave his captors after becoming a Christian, and returned to Japan to serve as a missionary for 30-odd years. Rest in peace, faithful warrior.

 

http://www.nytimes.com/2008/03/23/us/23deshazer.html

 

The Defense Science Board Task Force Report on Mission Impact of Foreign Influence on DoD Software:

 

http://www.acq.osd.mil/dsb/reports/2007-09-Mission_Impact_of_Foreign_Influence_on_DoD_Software.pdf

 

Web site for the House Science and Technology Committee (express yourself!):

 

http://science.house.gov/

 

The educational board of ACM (complain to them!) can be found at:

 

http://www.acm.org/education/panel?pageIndex=1

 

More on the Hawaiian language (including a-form and o-form possessives):

 

http://en.wikipedia.org/wiki/Hawaiian_language

 

The SQL injection tutorial I mentioned (anyone can take it):

 

http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm 

 

Last - but far from least - the SANS organization web site:

 

http://www.sans.org/




Face front, true believer!

Carl Backstrom - Sun, 2008-04-06 13:29
Well this is interesting Marvel and Oracle.

Gotta love the link direct link to APEX.
Makes the job kinda surreal.

extra points if you know the quote!

Themes and Theme Testing

Carl Backstrom - Fri, 2008-04-04 19:15
I've created an application here that lists out all the themes contained in APEX along with a thumbnail. Each image links to a copy of our theme testing application running that particular theme, the theme testing application is just the regular sample application with extra pages to cover different template and item types.

When we build out themes for APEX we build very generically and the theme testing application is what we use to test against. Feel free to download the theme testing application and use to test your own themes or theme variations against.

Vikas used to host applications showcasing the themes but I figured we (APEX team) should take the time update them with every version change and Theme Testing Application change. Like I've stated before I have almost no moral issues with 'borrowing' a good idea , but I did contact Vikas and ask first ;).

If you think we are missing a use case in that application please drop a line in the comments, or better yet comp one out on apex.oracle.com and put a link in the comments. Remember we build very generically so the themes can handle as many data and usage variations as possible.

Video from Euruko 2008

Raimonds Simanovskis - Fri, 2008-04-04 16:00

I made a short video from the Euruko 2008 conference where you can see Matz, Koichi, the JRuby guys, DrNic and me as well :)

I posted my presentation slides in my previous post.

Categories: Development

LinkedIn Oracle Contractors Group

Richard Byrom - Thu, 2008-04-03 17:46

Join Contractors on the Oracle LinkedIn and Community Groups

I recently created an Oracle Contractors Group on LinkedIn. The purpose of this group is to create a network for contractors to talk to each other as well as discuss and refer work opportunities. If you're interested in joining, sign up to the LinkedIn group and I'll approve your membership.


My presentation on using Ruby with Oracle at Euruko conference

Raimonds Simanovskis - Wed, 2008-04-02 16:00

I gave a short presentation about “Using Ruby with Oracle” at the European Ruby conference Euruko 2008. You can download the presentation slides at their site. My colleague took a video of my presentation, so probably after some time I will post it as well :)

Either because of this presentation or maybe just because more people are interested in Ruby on Oracle, the number of visits to this blog has been growing fast during the last days, which makes me more motivated to do more investigations in the Ruby and Oracle area.

One area of further research could be standardization of the different ActiveRecord Oracle adapter patches – otherwise, as now, I have different patches in each project and this becomes quite hard to manage.

Categories: Development

Some updates - Ruby/DTrace, FFMPEG/Medialib

Siva Doe - Mon, 2008-03-31 20:20

It has been quite some time since I last blogged. Been busy with a few interesting projects whose updates had to be blogged about.

First, Ruby. You are all aware that Ruby has been available in Solaris Nevada from build 76 onwards. From build 86 onwards, DTrace probes for Ruby are also available. These probes are the work of Joyent.com and can now be used to debug your favorite Ruby/Rails applications. There are examples on the Joyent.com site to show you how to use these probes.

Next, FFMPEG. We heard from a customer who used FFMPEG to convert a YUV file to an MPEG file. They had compiled FFMPEG (on SPARC) using Sun's mediaLib (MLIB). The resultant MPEG file, when played, had this 'green tint'. Moreover, the conversion was slower compared to that of an FFMPEG without MLIB. This is indeed strange, as one was supposed to get better performance with our mediaLib. With all the help from our MLIB developers, the defect was then found to be in the FFMPEG source code, which makes the MLIB calls. A couple of lines were changed and we were back in business. Before, a 30 second YUV file took about 20 seconds to convert into MPEG. It produced a green tint also. Now, it takes just about 10 seconds for the conversion and of course, no green tint. The MLIB patch is now available with the Spec Files Extra (SFE) repository.

Semaphore? Cannot mount in Exclusive.

Claudia Zeiler - Sat, 2008-03-29 11:26
As Chen says, the challenges always come after 5PM.

I had a Daylight Savings Patch to apply to 2 databases. I think that someone else was blogging about installing this just recently. The patch is trivial - bring down the database, replace 2 files deep within ORACLE_HOME and bring the database back up. The first install went off uneventfully, so I figured that I had an idea what I was doing. Then I moved to the second DB and the fun started. The DB wouldn't restart. How can I NOT startup a database? What can be simpler than a STARTUP?

ORA-01102:  cannot mount database in EXCLUSIVE mode

Now that I have a solution it all seems simple.

The problem according to Metalink...

- there is still an "sgadef.dbf" file in the "ORACLE_HOME/dbs" directory
nope

- the processes for Oracle (pmon, smon, lgwr and dbwr) still exist
no, they are gone..

- shared memory segments and semaphores still exist even though the database has been shutdown

I got to learn about the unix command ipcs -b, but nothing owned by oracle,

T ID KEY MODE OWNER GROUP SEGSZ
Shared Memory:
m 1048576 0x7800000a --rw-rw-rw- root system 16777216
m 1048577 0x0d001213 --rw-rw---- root system 1440
m 3 0xffffffff --rw-rw---- root system 4096
T ID KEY MODE OWNER GROUP NSEMS
Semaphores:
s 3145728 0x010000af --ra------- root system 1
s 1 0x6200105e --ra-r--r-- root system 1

- there is a "ORACLE_HOME/dbs/lk" file

and indeed
sculkget: failed to lock /home/oracle/orabase/product/10.2.0/dbs/lkSID exclusive
sculkget: lock held by PID: 299506

though I have yet to figure out what a sculkget is, I did find a file that was skulking around and didn't belong there.


With trepidation I killed the process holding the lock file

kill -9 299506

and removed the lock file


rm /home/oracle/orabase/product/10.2.0/dbs/lkSID

and magic! no more lock, Database starts up normally!

Locks in their place and all is well with the world.

Meanwhile, if anyone else knows what category of animal a "sculkget:" message is - I would love to know. There is a singular lack of comment about it on the web, except as part of this specific problem.
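The Metalink checks the post walks through, as an added shell example (not part of the post): it pulls the lock path and holder PID out of the sculkget lines, counts IPC objects per owner in ipcs output, and only calls the lock stale when the holder process is gone and nothing owned by the oracle user remains, so the kill and rm happen only after the evidence supports them. The alert and ipcs text below are constructed from the output quoted in the post.

```shell
#!/bin/sh
# Added example, not from the post: triage ORA-01102 before killing anything.
# All input below is constructed from the output quoted in the post.

# Constructed sample: the two sculkget lines from the post's startup failure.
SAMPLE_SCULKGET='sculkget: failed to lock /home/oracle/orabase/product/10.2.0/dbs/lkSID exclusive
sculkget: lock held by PID: 299506'

# Constructed sample: the ipcs -b listing from the post (nothing owned by oracle).
SAMPLE_IPCS='T ID KEY MODE OWNER GROUP SEGSZ
Shared Memory:
m 1048576 0x7800000a --rw-rw-rw- root system 16777216
m 1048577 0x0d001213 --rw-rw---- root system 1440
m 3 0xffffffff --rw-rw---- root system 4096
T ID KEY MODE OWNER GROUP NSEMS
Semaphores:
s 3145728 0x010000af --ra------- root system 1
s 1 0x6200105e --ra-r--r-- root system 1'

# Path of the lk file named in the "failed to lock ... exclusive" line.
lock_path() {
  printf '%s\n' "$1" | sed -n 's/^sculkget: failed to lock \(.*\) exclusive$/\1/p'
}

# PID named in the "lock held by PID" line (empty if there is no such line).
lock_holder_pid() {
  printf '%s\n' "$1" | sed -n 's/^sculkget: lock held by PID: \([0-9][0-9]*\)$/\1/p'
}

# Number of shared memory segments (m) and semaphores (s) owned by $2 in the
# ipcs text $1; OWNER is the fifth column in the post's listing.
ipc_count_for_owner() {
  printf '%s\n' "$1" | awk -v o="$2" '($1 == "m" || $1 == "s") && $5 == o { n++ } END { print n + 0 }'
}

# "live" if the PID still exists; kill -0 delivers no signal, it only checks.
holder_state() {
  if kill -0 "$1" 2>/dev/null; then echo live; else echo stale; fi
}

# Decide what the evidence supports. The lock is only called stale when the
# holder process is gone AND no IPC objects owned by the oracle user remain;
# a live holder means something still has the instance open, so leave it alone.
triage() {
  alert=$1; ipcs_text=$2; owner=$3
  pid=$(lock_holder_pid "$alert")
  if [ -z "$pid" ]; then
    echo no-lock-message
  elif [ "$(holder_state "$pid")" = live ]; then
    echo holder-running            # inspect that PID first; do not rm the lk file
  elif [ "$(ipc_count_for_owner "$ipcs_text" "$owner")" -gt 0 ]; then
    echo ipc-remains               # clean up segments/semaphores before retrying
  else
    echo stale-lock                # the lk file reported by lock_path can be removed
  fi
}

# Walk the post's own evidence.
echo "lock file : $(lock_path "$SAMPLE_SCULKGET")"
echo "held by   : $(lock_holder_pid "$SAMPLE_SCULKGET")"
echo "oracle ipc: $(ipc_count_for_owner "$SAMPLE_IPCS" oracle)"
echo "verdict   : $(triage "$SAMPLE_SCULKGET" "$SAMPLE_IPCS" oracle)"
```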

Things I believe in

Rob Baillie - Sat, 2008-03-29 07:35
  • It's easier to re-build a system from its tests than to re-build the tests from their system.

  • You can measure code complexity, adherence to standards and test coverage; you can't measure quality of design.

  • Formal and flexible are not mutually exclusive.

  • The tests should pass, first time, every time (unless you're changing them or the code).

  • Flexing your Right BICEP is a sure-fire way to quality tests.

  • Test code is production code and it deserves the same level of care.

  • Prototypes should always be thrown away.

  • Documentation is good, self documenting code is better, code that doesn't need documentation is best.

  • If you're getting bogged down in the process then the process is wrong.

  • Agility without structure is just hacking.

  • Pairing allows good practices to spread.

  • Pairing allows bad practices to spread.

  • Cycling the pairs every day is hard work.

  • Team leaders should be inside the team, not outside it.

  • Project Managers are there to facilitate the practice of developing software, not to control it.

  • Your customers are not idiots; they always know their business far better than you ever will.

  • A long list of referrals for a piece of software does not increase the chances of it being right for you, and shouldn't be considered when evaluating it.

  • You can't solve a problem until you know what the problem is. You can't answer a question until the question's been asked.

  • Software development is not complex by accident, it's complex by essence.

  • Always is never right, and never is always wrong.

  • Interesting is not the same as useful.

  • Clever is not the same as right.

  • The simplest thing that will work is not always the same as the easiest thing that will work.

  • It's easier to make readable code correct than it is to make clever code readable.

  • If you can't read your tests, then you can't read your documentation.

  • There's no better specification document than the customer's voice.

  • You can't make your brain bigger, so make your code simpler.

  • Sometimes multiple exit points are OK. The same is not true of multiple entry points.

  • Collective responsibility means that everyone involved is individually responsible for everything.

  • Sometimes it's complex because it needs to be; but you should never be afraid to check.

  • If every time you step forward you get shot down you're fighting for the wrong army.

  • If you're always learning you're never bored.

  • There are no such things as "Best Practices". Every practice can be improved upon.

  • Nothing is exempt from testing. Not even database upgrades.

  • It's not enough to collect data, you need to analyse, understand and act upon that data once you have it.

  • A long code freeze means a broken process.

  • A test hasn't passed until it has failed.

  • If you give someone a job, you can't guarantee they'll do it well; if you give someone two jobs you can guarantee they'll do both badly.

  • Every meeting should start with a statement on its purpose and context, even if everyone in the meeting already knows.

Multiple Interactive Reports on One Page

Duncan Mein - Fri, 2008-03-28 07:56
If you have been using Interactive Reports since Apex 3.1 landed, you are probably as impressed with them as I am.

The other day I tried to create more than 1 IR on a page and the Wizard prevented me, saying "Only 1 Interactive Report can be declared on this page".

I then tried to copy a region that contained an Interactive Report and sure enough I suddenly had 2 IR's on the one page!

Whilst this is probably not supported or suggested, my requirement meant that only 1 IR was to be shown at once (i.e. I had a conditional display on both IR).

So if you need to create multiple IR's on the one page but will only display one at run time, copying a region appears to work!

Service enable integration business services using Oracle Application adapter

Peeyush Tugnawat - Fri, 2008-03-28 07:22

 

To make a business service within E-Business Suite participate in your service-oriented integration architecture as a web service, the integration approach used depends upon the requirements and the integration mechanism that is best suited to satisfy them. Using one of the integration functions in a SOA-based solution (integration or composite process) is relatively simple with the help of the Oracle Applications adapter, which exposes them as web services. This enhances re-usability, extensibility, and faster design-to-deploy time frames.

Using the EBS adapter has tremendous advantages. It exposes existing EBS Integration Interfaces as Web Services. The adapter inherently uses and leverages open standards, including J2CA, XML, WSIF, WSIL, and WSDL. Most importantly, it dramatically reduces the time to design and develop a SOA-based integration that interfaces with the web service based integration interface for EBS.
Bookmark and Share

Exposed Password in Data Pump

Claudia Zeiler - Thu, 2008-03-27 21:42
I was just looking at a production Data Pump today with 'system/password' exposed in plain text. I was startled.

Then I remembered that in the last shop, Data Pump runs involved:
  1. Temporarily changing the system user password
  2. Running Data Pump with the temporary password in plain text
  3. Changing the password back.
Now that I think of it, the one involving all that changing is only slightly better than what I saw today.

Does anyone have a suggestion for running Data Pump with a modicum of security? I had no say in the last shop. Here I may not prevail, but at least I'm in a position to make a suggestion if I have one.

Does the solution involve something with a password protected parameter file? Or? Thanks in advance for any suggestions offered.
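One way to keep the Data Pump password off the command line (where any local user can read it from ps) and out of readable files, as an added example that is not part of the original post or Oracle's tooling; the user, directory object and file names are placeholders:

```shell
#!/bin/sh
# Added example, not from the original post. Keeps Data Pump credentials off
# the command line and out of world-readable files.
# Assumptions: expdp is on PATH; "system", DATA_PUMP_DIR and the file names
# are placeholders for your own user, directory object and dump files.

# Write a parameter file that only its owner can read. The password is not
# written at all: with no password in USERID, expdp prompts for it on the
# terminal instead of taking it from the command line or the file.
write_parfile() {
  parfile=$1
  ( umask 077                      # new file is created mode 0600
    cat >"$parfile" <<'EOF'
USERID=system
DIRECTORY=DATA_PUMP_DIR
DUMPFILE=full_%U.dmp
LOGFILE=full_export.log
FULL=Y
EOF
  )
}

# Return 0 (true) when a command line carries an inline user/password token,
# e.g. "expdp system/manager@orcl full=y", which ps shows to every local user.
cmdline_exposes_password() {
  printf '%s\n' "$1" |
    grep -Eq '(^|[[:space:]]|[Uu][Ss][Ee][Rr][Ii][Dd]=)[A-Za-z0-9_$#]+/[^[:space:]]+'
}

# Return 0 when a parfile is owner-only (-rw------- or -r--------) and its
# USERID line has no embedded password; the review check for an existing file.
parfile_is_safe() {
  parfile=$1
  mode=$(ls -l "$parfile" | cut -c1-10)
  case "$mode" in
    -rw-------|-r--------) ;;
    *) return 1 ;;
  esac
  if grep -Ei '^userid=[^/]*/' "$parfile" >/dev/null; then
    return 1
  fi
  return 0
}

# Usage: build and verify the parfile, then run expdp, which prompts for the
# password. Interactive, so only executed when the script is run with "run".
if [ "$1" = "run" ]; then
  write_parfile "$HOME/full_export.par"
  parfile_is_safe "$HOME/full_export.par" || { echo "unsafe parfile" >&2; exit 1; }
  expdp parfile="$HOME/full_export.par"
fi
```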

The beginning of Oracle Denmark

Moans Nogood - Thu, 2008-03-27 20:03
I started working for a bank called Sparekassen SDS on 1 January 1987. They had just bought Oracle, and that's how I ended up in the database world.

In 1990 I joined Oracle Denmark's support organisation under the magnificent leadership of Jannik Ohl.

He was fired by Peter Perregaard in 1998 or so, because they didn't like each other. Until then things were fantastic. After that things were not.

Jannik was replaced by Allan Marker, who was not nearly his equal in any which way you choose to look. Especially when it comes to the art of thinking instead of wondering how you can survive in the corporate culture for the next few months.

But that's how things are. Peter made a mistake, and he regrets it to this day, I'm sure (as in: sure).

So Jannik went into geo-stationary orbit. In other words: He joined the Oracle EMEA organisation (Europe, Middle East, Africa).

When you "go into orbit", i.e. join EMEA or some global stuff, you're never heard of again. In space, nobody can hear you scream, as they say.

Until it's time to lay off some bodies. So Jannik, uhm, resigned just now.

Today I served a bit of Miracle beer for my friend Jannik in Oracle Denmark's canteen.

To honour the best boss I ever had.

And to honour one of the most creative minds I've met. Really.

He was the one that came up with the idea of doing serious database stuff in Lalandia (which is why Miracle now do two conferences there a year).

He was the one that told me: "With all this internet stuff and not-being-able-to-call-a-person thing going on in Support, people will pay for extra services that allow them to talk to people and get their problems resolved without too much bullshit" - and we now have 130 Miracle Support customers.

He came up with the idea of having a credit-card thing for Good Oracle Customers (GOC).

Miracle Support shouldn't be allowed to live. It's feeding off the failings of the big vendor support organisations, because they're failing. That's wrong. But it's a fact.

I just hope Jannik doesn't do the boring thing of leaning back and waiting for the early-age pension to arrive. He's not old, he's not spent. We need him.

As for the headline (The beginning of Oracle Denmark) I'll just say this piece of information from an unknown source:

The beginning of Oracle Denmark: Jørgen Balle, Ole Bisgaard, Hanne Cederberg & Jannik started at the same time. Then came Pete Francis, and later Klaus Holse Andersen.

We need more details, folks :-))

Mogens

Columns to String: Comma Separated Values (CSV) (Updated SQL Snippets Tutorial)

Joe Fuda - Thu, 2008-03-27 19:00
The "Columns to String: Comma Separated Values (CSV)" tutorial now includes three new sections, "How to Create a CSV File", "How to Escape Double Quotes, CR, and LF", and "How to Include a Header Line".
...

E-Business Suite Integration: Using Irep to discover available business services

Peeyush Tugnawat - Thu, 2008-03-27 10:40

To plan your SOA-based integrations, architects and business users need to know what services are available within EBS that can be leveraged as part of information integration, business process integration, or a composite application spanning enterprise silos.

The first step when planning and designing your integrations should be to use Oracle IRep (the Integration Repository). It gives you details of the business services available within EBS as well as the details of the service end-points. IRep lets users easily discover the appropriate business service interface for integration with any system, application, or business partner.

It is a pre-built central catalog of information about the numerous public integration interfaces delivered with Oracle Applications, known as business interfaces.

The key advantages of using IRep are:

  • Helps in better integration planning by providing the information needed to make informed decisions

  • Acts as the single source of truth for the available business services

  • Enhanced re-use of existing components

  • Assurance that you are using supported public interfaces

Using IRep

Go to http://irep.oracle.com/

If you are working on EBS R12: From the Navigator menu, select the Integration Repository responsibility, then click the Integration Repository link that appears.

Browse IRep: You can browse IRep by product category or by the integration standards you wish to leverage.

[Figure: irep-browse]

Search IRep: IRep also lets you search using various search parameters. You can search by interface name, internal name, product family, interface type (concurrent program, web service, XML Gateway map, etc.), product, and business entity.

[Figure: irep-search]

In Release 12, the Oracle Integration Repository will ship as part of the E-Business Suite. As your instance is patched, the repository will automatically be updated with content appropriate for the precise revisions of the interfaces in your environment. But until Release 12 is available, you can explore an online version of the Integration Repository for the 11i10 version of E-Business Suite applications.

New Stuff (3) Start Stop Table item is for real!

Carl Backstrom - Wed, 2008-03-26 13:47
This is a small feature but fixes something that has always bugged me.

In Application Express there is the Start Stop Table item, which is very useful for form layout, especially when building forms with large textareas.

The problem was there was no easy way to access the Start Stop Table itself with JavaScript or CSS since it didn't have any discerning attributes. Well, that has all changed in APEX 3.1, as the Start Stop Table gets some of the same attributes as a regular item does.

Start Stop Tables will get the id attribute set to the Item Name just like regular items. Start Stop Tables will also insert attributes from the HTML Form Element Attributes property, again just like a regular APEX item.

You can see a very simple usage example here: http://apex.oracle.com/pls/otn/f?p=11933:137.

I can definitely see this being used for some more dynamic and just plain prettier forms and layouts; there are a few spots in the APEX builder slated to get some treatment from this.

As with my last few posts, and my next couple, this isn't the most WizBang feature, but the impact if properly used can be huge.

RMAN, RAC, ASM, FRA and Archive Logs

Eric S. Emrick - Wed, 2008-03-26 09:37
The topic, as the title suggests, concerns RMAN, RAC, ASM and archive logs. This post is rather different from my prior posts, in that I want to open up a dialogue concerning the subject matter. So, I'll start the thread by posing a question: Are any of you that run RAC in your production environments backing up your archive logs to an FRA that resides in an ASM disk group (and of course backing up the archive logs to tape from the FRA)? Managing your free space within your FRA is paramount, as are judicious backups of the FRA (actually these really go hand in hand). However, I am very interested in your experience. Have you come across any "gotchas", bad experiences, positive experiences, more robust alternatives, extended solutions, etc.? Being somewhat of a backup and recovery junkie, I am extremely interested in your thoughts. Let the dialogue commence!

Update: 03/26/2008

A colleague of mine has been doing some testing using RMAN, RAC, ASM and FRA for archive log management. He has also tested the integration of Data Guard into this configuration. To be more precise, he has tested using an FRA residing in an ASM disk group as the only local archive log destination. In addition to the local destination, each archive log is sent to the standby destination. Based on his testing, this approach is rather robust. The archive logs are backed up via the "BACKUP RECOVERY AREA" command with a regular periodicity. This enables the FRA's internal algorithm to remove archive logs that have been backed up once the space reaches 80% full. No manual intervention is required to remove the archive logs. Moreover, the archive logs in this configuration will only be automatically deleted from the FRA if both of the following are true: 1) the archive log has been backed up satisfying the retention policy and 2) the archive log has been sent to the standby. When there is a gap issue with the standby database, the archive logs are read from the FRA and sent to the standby. It works real nice!

E-Business Suite Integration Components

Peeyush Tugnawat - Wed, 2008-03-26 05:14

It is important to understand the different integration components available within EBS in order to make an informed decision about using one or more of them for your SOA integration project. Which to select depends upon the requirements and on the interaction pattern determined to be the best fit for the service-oriented-architecture-based integration.
Following are the integration mechanisms available within E-Business Suite.

Oracle XML Gateway: E-Business Suite utilizes the Oracle Workflow Business Event System to support event-based XML message creation and consumption. It can consume events raised by the Oracle E-Business Suite and subscribes to inbound events for processing. It can be leveraged for Business-to-Business (B2B) and Application-to-Application (A2A) integration scenarios. The majority of messages delivered with the Oracle E-Business Suite are mapped using the Open Application Group (OAG) standard.

Business Events: The Oracle Workflow Business Event System is an application service that leverages the Oracle Advanced Queuing (AQ) infrastructure to communicate business events between systems. There are more than 1000 built-in events within EBS that can be leveraged for event-based integration of business processes.

Concurrent Programs: A concurrent program is an instance of an execution file. Concurrent programs use a concurrent program executable to locate the correct execution file. Several concurrent programs may use the same execution file to perform their specific tasks, each having different parameter defaults.

Interface Tables: Interface tables are intermediate tables into which the data is inserted first. Once the data has been inserted into the interface tables, it is validated and then transferred to the base tables. Base tables are the real application tables that reside in the application database. The data that resides in the interface tables is transferred to the base tables using concurrent programs. Interface views provide a way to retrieve data from Oracle Applications. By using views, you get synchronous data access to Oracle Applications.

PL/SQL APIs: These are stored procedures that enable you to insert and update data in Oracle Applications.

Oracle e-Commerce (EDI) Gateway: Oracle e-Commerce Gateway provides a common, standards-based approach for Electronic Data Interchange (EDI) integration between Oracle Applications and third-party applications. It is the EDI integration enabler for Oracle Applications.

Objects Remain in Their Original Tablespaces After Running OATM

Madan Mohan - Wed, 2008-03-26 04:51
Migrated to the new tablespaces using OATM, but there are objects left behind in the original tablespaces. No errors were reported during the tablespace migration.

SQL> select tablespace_name, count(1) from dba_segments group by tablespace_name;
TABLESPACE_NAME                  COUNT(1)
------------------------------ ----------
APPLSYSD                                1
APPLSYSX                                1
COMD                                   26
COMX                                   47
CTXD                                   77
EDWREP                                 88
EDWREPX                                31
PVD                                     1
PVX                                     1

SQL> select segment_name, segment_type from dba_segments
  2* where tablespace_name='APPLSYSD'
SEGMENT_NA SEGMENT_TYPE
---------- ------------------
20.42      SPACE HEADER

Cause
*******

One of the circumstances under which a 'SPACE HEADER' segment gets created is when a 'dictionary managed' tablespace is migrated to 'locally managed' (see dbms_space_admin.tablespace_migrate_to_local()).

The space header segment contains the extent bitmap and is allocated during the migration of the tablespace. Since there is no reserved space after the file header (as there is with tablespaces created as locally managed), the bitmap segment will be allocated somewhere in the "data" area of the datafile. During its creation the segment will pick up some of the storage attributes (e.g. MAXEXTENTS) from the default storage clause of the tablespace. Once the segment has been created it can neither be dropped nor changed.

Fix
****

You can ignore these "left-over" objects. Please go ahead and drop the old tablespaces.
