Feed aggregator

Using LetsEncrypt on Amazon Linux

Jeff Kemp - Thu, 2017-07-27 22:00

For a number of years now I’ve been using LetsEncrypt to provide free SSL certificates for the Apex applications I provide. These certificates last for 90 days and are renewed automatically by a simple script on my server.

By the way – if you’re not already using https for your public-facing Apex applications, you should, okay – even if your site doesn’t have data entry.

Each LetsEncrypt certificate can cover multiple subdomains. They don’t currently support wildcard domains (e.g. *.example.com) but they are planning to add this next year (2018).

To install LetsEncrypt I ran the following on my Amazon Linux instance (note – this is my web server, not my database server):

cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto -v --debug

(when prompted at the last step I typed “c” to cancel the subsequent steps)

It wasn’t easy at first because I got a number of errors which I’d google (or search the community forum) and eventually find reasonable answers. I’ve had to reinstall a number of times, as the OS is patched regularly and certbot is updated from time to time.

I use Apache to provide about a dozen virtual hosts and therefore the automated installation option didn’t work for me. Instead, I’ve got lines like these in each VirtualHost:

<VirtualHost *:443>
 ServerName subdomain.mydomain.com
 ServerAlias subdomain.mydomain.com
 SSLEngine on
 SSLCertificateFile "/etc/letsencrypt/live/mydomain.com/cert.pem"
 SSLCertificateKeyFile "/etc/letsencrypt/live/mydomain.com/privkey.pem"
 SSLCertificateChainFile "/etc/letsencrypt/live/mydomain.com/chain.pem"
 ...
</VirtualHost>

To register a certificate I used the following command as root (all one line):

/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html -d mydomain.com,www.mydomain.com,sub1.mydomain.com,sub2.mydomain.com

This generates all the keys and certificates and stores them locally. No private keys ever leave the server. This command uses SAN (Subject Alternative Name) to combine multiple subdomains in one certificate. I run this command again separately for each domain.

To renew all my certificates I run the following command as root:

/opt/letsencrypt/letsencrypt-auto renew -n --no-self-upgrade
service httpd restart

This will automatically skip any certificates that are not yet due to expire. I’ve put the above script in a file which is run by cron on a monthly basis.

0 20 1 * * /path-to-script/renewall.sh

To get usage info on the options:

/opt/letsencrypt/letsencrypt-auto --help

Since it’s free, one cannot expect support from LetsEncrypt directly if there are issues; however, there is an active LetsEncrypt support community which can be helpful at times.

But it’s certainly made a big difference to my bottom line, and provided a bit of peace-of-mind to my users.


Filed under: Other Tagged: amazon-web-services, letsencrypt, server-config, SSL

REF Cursors

Tom Kyte - Thu, 2017-07-27 20:06
I don't know if this is possible but here goes. I only want to use 1 stored procedure for a crystal reports. I want to pass a parameter to the stored procedure so that it will only display on ref cursor. Code looks like this. The first cursor show...
Categories: DBA Blogs

How to fix the execution plan for remote sql

Tom Kyte - Thu, 2017-07-27 20:06
We used a lot of remote sql through database links. Is there a way to fix the execution plan? Is sql baseline, sqlprofile, outline working for remote sql statements through database links? Thanks!
Categories: DBA Blogs

Upgrading to Oracle WebCenter Content or Portal 12c: If not now, when?

Fishbowl Solutions will be kicking off a webinar series starting next Thursday, August 3rd. Our first webinar topic will be “5 Key Reasons to Upgrade to Oracle WebCenter Content or Portal 12c”. Why did we pick this topic, and why is this topic relevant now? Those are both good questions, especially if you are a well-informed WebCenter customer and you know that 12c was released almost 2 years ago.

To answer those questions, please let me start by stating that Fishbowl Solutions has performed many WebCenter upgrades over the years. While each one may have been different in size and scope, we have seen some common reasons/themes emerge from what drove customers to start their upgrade when they did.

Why upgrade to WebCenter 12c Now?
  • Get Current with Support and Maintenance
    • Premier and Extended support for 10g customers has elapsed. Most of the customers we talk to know this, but they might not know that they can do an upgrade directly from 10g to 12c. When you consider that Premier support for WebCenter Content and Portal 11g elapses in December of 2018, it makes sense to go directly to 12c instead of 11g. You can review Oracle’s Support Policies for Fusion Middleware here.
  • Explore Cloud Options for Content Management
    • With the release of 12c, Oracle introduced ways to integrate and share content between Oracle WebCenter on premise and the Oracle Content and Experience Cloud. This provided an easy way for organizations to share and collaborate on documents. If your organization is still deciding on your roadmap for content management – on premise, hybrid, cloud first – 12c provides the capabilities to explore use cases for the cloud while maintaining your content on premise.
  • Content and System Consolidation
    • Some legacy WebCenter customers come to the realization that they have too many instances of the system in place, as well as disparate/duplicate content being managed. Instead of trying to audit each one of their individual systems and fix or change any metadata issues, security groups, etc., they decide that doing an upgrade rectifies a lot of these problems, and enables them to get rid of content no longer needing management or retention.
  • Growing List of Environment & Technology Dependencies
    • Perhaps your organization wants to move to the latest version of Oracle Database, but you can’t because your legacy WebCenter system utilizes an older version. Unless you upgrade WebCenter, your organization as a whole may be impacted by not being able to utilize the newest version of associated or dependent technologies.
  • User Expectations – Better User Experience
    • WebCenter Content and Portal 12c provide a better user experience for users and administrators. Since organizations want everyone to experience these better interfaces, they start to consider who the actual users of the system are, and they build an experience designed for each of those user personas. So while the upgrade to 12c would have improved the overall experience, organizations use the upgrade to design the best experience possible to ensure widespread adoption and overall use.

We will discuss each of these in more detail during the webinar next Thursday. You can find more information and register for the webinar here.

We hope you can join us.

 

The post Upgrading to Oracle WebCenter Content or Portal 12c: If not now, when? appeared first on Fishbowl Solutions.

Categories: Fusion Middleware, Other

CPADMIN Utility Now Available for EBS 12.2.3, 12.2.4, 12.2.5

Steven Chan - Thu, 2017-07-27 12:21

I recently profiled the CPADMIN utility for EBS 12.2.6 that consolidates various CP management functions into a single menu-based tool.  This ADADMIN-style utility can:

  • View Concurrent Manager status
  • Clean CP tables
  • Set Concurrent Manager diagnostics
  • Start, stop, or verify an individual Concurrent Manager
  • Rebuild Concurrent Manager views
  • Move request files
  • Analyze requests
  • Configure request log/out file directory locations

This tool has been backported to EBS 12.2.3, 12.2.4, and 12.2.5 via Patch 24408550.

In case you missed it, this tool is also available for EBS 12.1.3.

Categories: APPS Blogs

Words I Don’t Use, Part 2: “Holistic”

Cary Millsap - Thu, 2017-07-27 11:51
The second “word I do not use” is holistic.

When people use the word “holistic” in my industry (Oracle), it means that they’re paying attention to not just an individual subcomponent of a system, but to a whole system, including (I hope) even the people it serves.

But trying to differentiate technology services by saying “we take a holistic view of your system” is about like differentiating myself by saying I’ll wear clothes to work. Saying “holistic” would make it look like I’ve only just recently become aware that optimizing a system’s individual subsystems is not a reliable way to optimize the system itself. This should not be a distinctive revelation.

Alfresco 5.2 our DMS of choice!

Yann Neuhaus - Thu, 2017-07-27 06:46
Introduction

Nowadays companies have to deal with lots of electronic documents, some of them being mission critical. Insurance companies, banks and the pharma industry are good candidates for ECM/DMS solutions since they produce and deal with lots of documentation, contracts and receipts. Usually the largest ECM/DMS infrastructures can be found at those customers which initiate large digitalization processes. However, even for smaller businesses, managing e-documents like sales quotations, offers, answers to RFIs and RFPs becomes mission critical. Indeed, while creating such quotations and offers, collaboration is often required between salesmen and eventually with the technical department too. The ECM/DMS solutions must offer the means to share and work together on the same document. Unfortunately these documents are, most of the time, simply lying around on a basic Windows Share, if the users even took the time to copy the documents to this share. As a result, there is no concurrency management to prevent data loss, and the “locking strategy” is quite simple: “last wrote … won”. It’s even incredible to see how many “larger” companies still work like that. All companies follow the digitalization trends but sometimes in a quite elementary way.

So basically, what prevents the usage of an ECM/DMS solution in all companies? From my point of view, most of the time ECM/DMS projects are wrongly sized and approached. Indeed, each customer has lots of good intentions at the beginning of the project. Therefore, instead of focusing on the essentials, the people responsible for the project want to implement almost everything, and maybe too much:

  • workflow management
  • complex user/group management and security rules
  • full text indexing
  • infrastructure redundancy
  • full integration in existing solutions
  • complex business processes (mixing up BPM and ECM/DMS)
  • and so on …

As a result the proposed ECM/DMS solutions can become quite complex to set up and quite expensive in terms of licenses. That’s exactly where those kinds of projects usually get stuck and die. We want to do too much, it gets too complex, so let’s do nothing! :-)

Is there an approach and a technology that allow a smooth start in the ECM/DMS area?

Why a DMS?

First of all, let’s summarize again which core functionalities we need from a DMS. In other words, what do we want to achieve with such a solution?

As a salesman, and in particular as a Chief Sales Officer, I need to keep a clear track of all changes. Indeed, while editing/changing documents, and in particular quotations, we should keep traces of each modification. Release management and traceability are a “must have” nowadays. Document validation (workflow processes) would be nice to have in a second step.

Of course, in the current context of cyber-attacks, I need a high security level. I also need to protect the documents against unauthorized users: we do not want/need all people in the company to know the sales engineering policy. Furthermore, we do not want viruses encrypting all our documents lying on a simple Windows Share. If the ECM/DMS solution requires users to identify themselves to the system before using CheckOut/CheckIn procedures to work on documents, a virus has almost no chance of easily accessing all files.

If this CheckOut/CheckIn procedure is included in the Microsoft Office suite, it won’t even decrease the efficiency of the users or of the salesmen. Users are always afraid when they have to do more than simple double clicks :-)

Why Alfresco?

As explained in the introduction, the costs and the oversizing of ECM/DMS projects may sometimes kill them before they are even born.

Alfresco is an Open Source ECM/DMS solution that lets you implement the core functions you need quite quickly and easily, without license costs. Of course, the Enterprise version offers some additional features like:

  • content encryption at rest and encrypted configuration files
  • clustering
  • synchronization of content between Cloud and On-Premises installations

At dbi services, since we are ECM/DMS experts, we decided to implement Alfresco on our own. However, the setup and documentation of such a solution can be limited to several days, not weeks or years. We do not need a bunch of senior technical experts and presales over several months to set it up, like for some un-named ERP solutions :-)

Out of the box, and in particular with the version 5.x, Alfresco really covers 100% of what I expect from an ECM/DMS, as a salesman:

  • integrated release management
  • protection and management of concurrency between users
  • protection against viruses since some identification is needed and you can always revert to a previous version if needed
  • easy drag & drop functionality to copy documents/folders into Alfresco

Below is an example of the smooth integration of Alfresco into a Small and Medium Business environment using MS Office. With this integration it is now possible to work on a document directly and save it into Alfresco without having to “CheckOut/CheckIn” it, since this operation is integrated in the Office connector. Once a so-called “SharePoint online location” (compatible with Alfresco) has been created, you can open documents directly in Word from the Alfresco repository (checkin/checkout happens in the background):

alfresco_5.2_open_MS_Office_4

Another example of smooth integration in the MS or Mac world is the drag and drop feature from the file browser directly into the Alfresco browser, using any Web browser:

alfresco_5.2_drag_and_drop_4

It is even possible to save a newly created MS Office document directly into Alfresco; the integration has really been maximized in the last Alfresco release (5.x).

Another strong advantage of Alfresco comes from the Open Source culture. Despite the fact that some companies still have the feeling that they have to pay for expensive software licenses, it may sometimes be possible to think about the “service only” model. This approach, used by Open Source software, allows the product to improve and grow through contributors offering their services around the product. That’s the case for dbi services, which provides support around Alfresco and so allows a professional usage of the solution. In the same vein, lots of contributors have developed Alfresco extensions that improve the core functionalities and integrate the product with lots of other solutions or products (e.g. ERP solutions like Odoo, SAP, Salesforce, and so on). Some of these add-ons that were developed by the community are even integrated directly into the next Alfresco releases to improve the product (HTML5 Previewer, Trashcan Cleaner, and so on).

Providing the complete set of required core features, easy to deploy, manage and administer, cost efficient and extensible, Alfresco has become a kind of optimum choice for our company’s development while ensuring the quality of our Sales activities.

Conclusion

As for each IT project, we strongly advise following a pragmatic way, ideally proceeding with POCs (Proofs Of Concept), in order to validate the solution step by step. Furthermore, it is advised to focus on essential functionalities first, avoiding huge and complex specifications that give the impression that we will never reach the end of the project.

Combining efficiency and security and providing the required features, Alfresco was the most competitive price/feature solution, which helped us to grow as we did over the last years. The last version we just migrated to (version 5.2) even increased the user acceptance since the integration into the usual office tools has been seriously improved.

 

The post Alfresco 5.2 our DMS of choice! first appeared on Blog dbi services.

Database Link security question

Tom Kyte - Thu, 2017-07-27 01:46
I am unclear on the security issues, if any, when creating a database link. If I, as a DBA role, create a public database link to a remote database, and a regular (connect) user uses the link in a query, how are rights granted to the objects across ...
Categories: DBA Blogs

Shell Script and SQL Loader

Tom Kyte - Thu, 2017-07-27 01:46
Hi, We load data by calling sql loader from shell script. here we are getting below issues in loading data 1. not all Bind variable bound 2. data Exceeds maximum length Here is the Sample Control File ----- LOAD DATA INFILE '$FILE' APPEND...
Categories: DBA Blogs

How to Reclaim Space After NULLing LOBs

Tom Kyte - Thu, 2017-07-27 01:46
On this table that contains BLOBs and up to today filled up a 32GB tablespace, I removed a large percentage of BLOBs by setting them to NULL with an UPDATE statement (leaving the remaining columns untouched of course). No space was actually freed so ...
Categories: DBA Blogs

Function with DML & DDL

Tom Kyte - Thu, 2017-07-27 01:46
Hi, can we write DML and DDL statements inside a function(stored procedures)?
Categories: DBA Blogs

Can i make Output parameters as optional - i dont want to send out parameters while executing stored procedure

Tom Kyte - Thu, 2017-07-27 01:46
Below is my simple dummy procedure <code> create or replace procedure sp_dummy ( p_options NUmber, cursorparam1 OUT sys_refcursor, cursorparam2 OUT sys_refcursor ) AS begin open cursorparam1 for select sys...
Categories: DBA Blogs

Accessing Pivotal Cloud Foundry droplet file system when "cf ssh" isn't enabled

Pas Apicella - Thu, 2017-07-27 00:03
In order to view your application layout you can simply use "cf ssh" to log into the container and then view the files created as part of the droplet. The problem is that "cf ssh" isn't always enabled by the Ops team, so what is your alternative in Cloud Foundry?

You can use "cf curl" to invoke an endpoint using the application GUID as shown in the steps below.

** cf ssh demo **

pasapicella@pas-macbook:~/temp/droplets$ cf ssh pas-swagger-demo
vcap@ef9e4e93-0df9-47a7-5351-dccf:~$ ls -lartF
total 16
-rw-r--r-- 1 vcap vcap  675 Apr  9  2014 .profile
-rw-r--r-- 1 vcap vcap 3637 Apr  9  2014 .bashrc
-rw-r--r-- 1 vcap vcap  220 Apr  9  2014 .bash_logout
drwxr-xr-x 2 vcap vcap    6 Jun 14 03:32 deps/
drwxr-xr-x 1 vcap root   72 Jun 14 03:32 app/
-rw-r--r-- 1 vcap vcap 1087 Jun 14 03:32 staging_info.yml
drwxr-xr-x 2 vcap vcap    6 Jun 14 03:32 logs/
drwx------ 1 vcap vcap   76 Jun 14 03:32 ./
drwxr-xr-x 1 root root   18 Jul 26 23:45 ../
drwxr-xr-x 4 vcap vcap   92 Jul 26 23:48 tmp/
vcap@ef9e4e93-0df9-47a7-5351-dccf:~$

** Steps **

1. Download droplet as follows

Format:

   cf curl /v2/apps/`cf app {appname} --guid`/droplet/download > droplet.tar.gz

Example:

pasapicella@pas-macbook:~/temp/droplets$ cf curl /v2/apps/`cf app pas-swagger-demo --guid`/droplet/download > droplet.tar.gz

To determine the app name you can either use Applications manager UI or use "cf apps" to get the app name


2. This will take some time due to the size of the droplet but when done verify you have this on the file system

pasapicella@pas-macbook:~/temp/droplets$ ls -la
total 150736
drwxr-xr-x   3 pasapicella  staff       102 Jul 27 14:20 .
drwxr-xr-x  23 pasapicella  staff       782 Jul 27 14:19 ..
-rw-r--r--   1 pasapicella  staff  77173173 Jul 27 14:23 droplet.tar.gz

3. Run gunzip followed by tar -xvf, and you will then have a file system replica of what your application droplet looks like in CF

pasapicella@pas-macbook:~/temp/droplets$ d
total 313408
drwxr-xr-x   2 pasapicella  staff         68 Jun 14 13:32 deps/
drwxr-xr-x   6 pasapicella  staff        204 Jun 14 13:32 app/
drwxr-xr-x   2 pasapicella  staff         68 Jun 14 13:32 tmp/
-rw-r--r--   1 pasapicella  staff       1087 Jun 14 13:32 staging_info.yml
drwxr-xr-x   2 pasapicella  staff         68 Jun 14 13:32 logs/
drwxr-xr-x  23 pasapicella  staff        782 Jul 27 14:19 ../
-rw-r--r--   1 pasapicella  staff  160460800 Jul 27 14:23 droplet.tar
drwxr-xr-x   8 pasapicella  staff        272 Jul 27 14:25 ./


You really only want to do this to see how your application was staged on the file system as the buildpack may have changed some files or added files based on what you deployed. This is not how you would debug an application but rather view what the file system looks like for your application itself and what content exists in the files should the buildpack have changed file content for example.

Categories: Fusion Middleware

Calling Batch Level Of Service

Anthony Shorten - Wed, 2017-07-26 18:38

As a followup to my Batch Level Of Service article, I want to illustrate how to call your new algorithm from other scripts and as part of query zones.

In the base product we ship a Business Service, F1-BatchLevelOfService, that allows a script or query zone to call the Batch Level Of Service algorithm attached to a Batch Control, if it exists, to return the level of service. I should point out that if a Batch Level Of Service algorithm is not configured on the Batch Control, this call will return the Disabled state.

The schema for this service is shown below (please use the View Schema feature on your version for later versions):

Level of Service Schema

To use this service you need to populate the batchControlId input parameter when calling the service for the service to return the message and levelOfService.

Now, how do you call this in other objects:

  • Service Scripts - Include the F1-BatchLevelOfService service as a Data Area attached to the script and use invokeBS to call the business service. For example:

move "parm/batchControlId" to "F1-BatchLevelOfService/input/batchControlId";
invokeBS 'F1-BatchLevelOfService' using "F1-BatchLevelOfService";

  • Query Portal - Use the source=bs tag in your column with a call to the F1-BatchLevelOfService service passing the column that contains the Batch Control Id. For example:

source=BS bs='F1-BatchLevelOfService' input=[input/batchControlId=C1] output=output/levelOfService

Additionally you can use F1-ReturnMessage to format the message which is returned as well.

Here is an example of the columns used in a query portal:

Example Use of Batch Level Of Service

Unable to locally verify the issuer's authority

Vikram Das - Wed, 2017-07-26 16:10
Chuka pinged me when he got this error in the Qualys logs after installation of the Qualys agent on a server:

2017-07-24 15:23:08.497 [qualys-cloud-agent][232147]:[Information]:Finished curl request
2017-07-24 15:23:08.497 [qualys-cloud-agent][232147]:[Error]:Http request failed:Peer certificate cannot be authenticated with given CA certificates: SSL certificate problem: unable to get local issuer certificate
2017-07-24 15:23:08.497 [qualys-cloud-agent][232147]:[Error]:Http request failed: error code: 0
2017-07-24 15:23:08.497 [qualys-cloud-agent][232147]:[Error]:CAPI request failed:
2017-07-24 15:23:08.497 [qualys-cloud-agent][232147]:[Error]:CAPI event failed

2017-07-24 15:23:08.500 [qualys-cloud-agent][232147]:[Information]:Next event: INTERVAL_EVENT_CAPI, time left: 100 seconds

I suggested that we try setting http_proxy and https_proxy environment variables and check with wget and curl

We did that and got the error:

Unable to locally verify the issuer's authority

On access.redhat.com, I found https://access.redhat.com/solutions/37323, which described a similar issue on RHEL5; we are on OEL6:

Getting "Unable to locally verify the issuer's authority" error from wget in RHEL 5
 SOLUTION VERIFIED - Updated February 6 2013 at 11:52 AM - 
Environment
  • Red Hat Enterprise Linux (RHEL) 5.5
Issue
  • When downloading from certain SSL URLs, wget throws the error "Unable to locally verify the issuer's authority".
Resolution
Root Cause
  • The openssl /etc/pki/tls/certs/ca-bundle.crt file in RHEL 5.5 is outdated.
Diagnostic Steps
Reproduction steps:

$ wget https://www.internetx.com/
--2010-07-24 15:30:14-- https://www.internetx.com/
Resolving www.internetx.com... 85.236.36.48, 2001:4178:2:10::54, 2001:4178:2:10::55, ...
Connecting to www.internetx.com|85.236.36.48|:443... connected.
ERROR: cannot verify www.internetx.com's certificate, issued by '/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
Unable to locally verify the issuer's authority.
To connect to www.internetx.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

So we compared the size of the file /etc/ssl/certs/ca-certificates.crt on a working server and this server. Sure enough, the file size was different. On further investigation we found that there was a backup called ca-bundle.crt.newrpm that had the correct size. So we took a backup of ca-bundle.crt and replaced it with the newer file. The error stopped coming. Even though the ca-certificates rpm version was the same on both servers, someone had replaced the ca-bundle.crt file with the older version. We would have to investigate why that was done before this solution can be implemented, as it is possible that the new certificates.crt file broke something, because of which it was replaced by the older version. We should always have the latest ca-bundle.crt, so that we have the latest root certificates from the Certificate Authorities.
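
The size comparison described above can be tightened by comparing the two bundles certificate by certificate. This is an added example, not code from the original post: it hashes the DER bytes of every PEM block in each bundle and reports which certificates are present on only one side. The function names are hypothetical, and the sample bundles are constructed placeholder bytes, not real certificates.

```python
#!/usr/bin/env python3
"""Compare two PEM CA bundles certificate by certificate (added example)."""
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def bundle_fingerprints(pem_text):
    """Map the SHA-256 of each certificate's DER bytes to its position in the bundle.

    Text between PEM blocks (bundles often carry comments there) is ignored.
    """
    prints = {}
    for position, match in enumerate(PEM_CERT.finditer(pem_text), start=1):
        der = base64.b64decode("".join(match.group(1).split()))
        prints.setdefault(hashlib.sha256(der).hexdigest(), position)
    return prints


def diff_bundles(reference_pem, suspect_pem):
    """Report certificates that appear in only one of the two bundles."""
    ref = bundle_fingerprints(reference_pem)
    sus = bundle_fingerprints(suspect_pem)
    return {
        "missing": sorted(set(ref) - set(sus)),  # in the reference, absent locally
        "extra": sorted(set(sus) - set(ref)),    # present locally only
        "common": len(set(ref) & set(sus)),
    }


def constructed_block(payload):
    """Wrap arbitrary bytes in PEM armour. Sample data only, not a real certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample bundles: same number of blocks and the same file length,
# but the third root differs, so a size check alone would call them identical.
ROOT_A = constructed_block(b"constructed-root-A" * 20)
ROOT_B = constructed_block(b"constructed-root-B" * 20)
ROOT_C = constructed_block(b"constructed-root-C" * 20)
ROOT_D = constructed_block(b"constructed-root-D" * 20)
REFERENCE_BUNDLE = "# constructed sample bundle\n" + ROOT_A + ROOT_B + ROOT_C
STALE_BUNDLE = "# constructed sample bundle\n" + ROOT_A + ROOT_B + ROOT_D


def main(argv):
    if len(argv) == 3:
        # latin-1 never fails on stray bytes in the comment text between blocks
        with open(argv[1], encoding="latin-1") as handle:
            reference = handle.read()
        with open(argv[2], encoding="latin-1") as handle:
            suspect = handle.read()
    else:
        reference, suspect = REFERENCE_BUNDLE, STALE_BUNDLE
    result = diff_bundles(reference, suspect)
    print("certificates in both bundles:", result["common"])
    for fingerprint in result["missing"]:
        print("missing locally:", fingerprint)
    for fingerprint in result["extra"]:
        print("only local:     ", fingerprint)
    # Non-zero exit status lets a cron job or monitoring check flag drift
    return 1 if result["missing"] or result["extra"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with two paths, the bundle copied from a known-good server first and the local /etc/pki/tls/certs/ca-bundle.crt second; with no arguments it compares the constructed samples.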
Categories: APPS Blogs

Easy Dashboard using nothing but APEX, Font APEX and SQL!

Joel Kallman - Wed, 2017-07-26 14:37
A customer from Tennessee recently asked for help in creating a simple dashboard in their Oracle APEX application.  In the PHP system they were coming from, they had a dashboard that looked like the following:



Most people think of dashboards as a nice cockpit panel containing charts and graphics.  While this example doesn't perfectly fit that description, it can be classified as a report that is summarized, and any elements which need attention are presented in a different color.

I've implemented similar solutions in the past, selecting an image reference in the SELECT clause of my report query, and then referencing this image reference as the column value.  But this time, I first solicited the opinion of Shakeeb Rahman, the Design Lead for Oracle APEX, and he provided me a better solution.  Using a simple combination of SQL and Font APEX, this can be easily and elegantly solved!

For this example, I created a new table CITY_STATUSES

create table city_statuses (
city_name varchar2(100) primary key,
status1 number,
status2 number,
status3 number);

I populated it with data, and then I created a new application with an Interactive Report on the table.  The query of the Interactive Report was simply:

select city_name,
status1,
status2,
status3
from city_statuses

and my initial report looked like:



In my example, 1 is a good condition, 0 is a warning, and -1 indicates that an action must be taken.

Universal Theme
Universal Theme is a responsive, versatile, and customizable user interface for your Application Express apps.  The Universal Theme in Oracle APEX 5.1 includes Font APEX, a drop-in replacement for Font Awesome, but with better graphics and more of them (courtesy of master graphic artist Bob Daly).  You can learn more about the Universal Theme at https://apex.oracle.com/ut, and you can learn more about Font APEX at https://apex.oracle.com/fontapex.

Shakeeb recommended I use Font APEX and the Universal Theme helper classes to solve this problem.  The helper classes can be used to set the colors on any custom component.  You can find these Universal Theme helper classes at https://apex.oracle.com/ut -> Reference -> Color and Status Modifiers.  What's nice about these colors is that they are coordinated with the Theme Roller in APEX.  If you change the global success color in Theme Roller, the icon color will also be updated.

To solve this specific problem for the dashboard, I selected two additional columns in the SELECT clause for each STATUS column:
  1. status_icon - String representing the icon class and modifier class
  2. status_description - Description of the status icon, for accessibility purposes.  This is very important, because we are changing from a discrete value in the report to an icon and a color.  Without the description column, this information will be inaccessible.
For the icons and modifiers, I used:
  • Success: fa-check-circle-o u-success-text
  • Warning: fa-exclamation-triangle u-warning-text
  • Error: fa-exception u-danger-text
The Solution
For each status column in my SELECT clause, I added a corresponding icon and description column:


 select city_name,
status1,
status2,
status3,
case status1
when 1 then 'fa-check-circle-o u-success-text'
when 0 then 'fa-exclamation-triangle u-warning-text'
when -1 then 'fa-exception u-danger-text'
end status1_icon,
case status1
when 1 then 'OK'
when 0 then 'Warning'
when -1 then 'Danger'
end status1_description,
case status2
when 1 then 'fa-check-circle-o u-success-text'
when 0 then 'fa-exclamation-triangle u-warning-text'
when -1 then 'fa-exception u-danger-text'
end status2_icon,
case status2
when 1 then 'OK'
when 0 then 'Warning'
when -1 then 'Danger'
end status2_description,
case status3
when 1 then 'fa-check-circle-o u-success-text'
when 0 then 'fa-exclamation-triangle u-warning-text'
when -1 then 'fa-exception u-danger-text'
end status3_icon,
case status3
when 1 then 'OK'
when 0 then 'Warning'
when -1 then 'Danger'
end status3_description
from city_statuses

After saving the updated query for the Interactive Report, I edited these columns in Page Designer and changed the property Type from Plain Text to Hidden Column.

Then, for the columns STATUS1, STATUS2 and STATUS3, in Page Designer I changed the property HTML Expression to:

<span class="fa #STATUS1_ICON#" title="#STATUS1_DESCRIPTION#"></span>

Obviously, replace STATUS1 with the correct corresponding column name. I adjusted the heading and column alignment of each column to center, and voila!  It couldn't be easier.



If for some reason you want to make the icons even larger, no problem!  Simply add the fa-2x modifier in the HTML expression (after #STATUS1_ICON#).

Experiment with the modifiers of Font APEX at https://apex.oracle.com/fontapex.  Choose your icon, vary the size, animation, modifier, and status.  Just don't go crazy - we don't want to see the world's APEX apps introduce the equivalent of the <marquee> tag again.

Shakeeb presented the Universal Theme, these modifiers, and much more in a recorded Webinar from ODTUG.

P.S.  While you might be tempted to simplify the query and use an inline PL/SQL function in the WITH clause of the query, you most likely will encounter error "ORA-32034: unsupported use of WITH clause".  This is because the Interactive Report will enclose your original query in a subquery, and in general, inline PL/SQL functions in subqueries are intentionally prohibited by the Oracle Database.

ABC Fine Wine & Spirits Modernizes the Customer Experience with Oracle Retail

Oracle Press Releases - Wed, 2017-07-26 11:00
Press Release
Leveraging Oracle Retail Xstore Point-of-Service as an Omnichannel Platform

Redwood Shores, Calif.—Jul 26, 2017

Today, Oracle announced that ABC Fine Wine & Spirits has upgraded the Oracle Retail Xstore Point-of-Service with the help of SkillNet Solutions. ABC Fine Wine & Spirits differentiates their shopping experience with a superior product assortment, outstanding service and competitive pricing by empowering its associates with modern and intuitive tools. ABC Fine Wine & Spirits operates 130 stores across Florida, selling beer, wine, spirits, cigars and gourmet food items.

“We are continuously assessing how our stores and services meet our customers’ needs. We are committed to providing the best overall shopping experience possible. We place our customers at the center of our operations and initiatives,” said Robert Summers, CFO and CIO, ABC Fine Wine & Spirits. “With the implementation of Oracle Retail solutions, we are providing an intuitive modern shopping experience that also protects our customers with EMV compliance and PCI approvals.”

“Recognizing the value and impact that upgrading their systems would bring to their customer experience across channels, ABC Fine Wine & Spirits strategically opted to move to a more recent release of the solution to take advantage of new innovations offered by Oracle,” said Charlie Daggs, Vice President, SkillNet Solutions. “We worked closely with ABC Fine Wine & Spirits to optimize the upgraded solution and create a sustainable path to benefit from mobile and cross channel functionality.”

“Our team was able to deliver the pilot in 7 months with SkillNet. We wanted to leverage the new functionality of the Oracle Retail Xstore Point-of-Service solution as quickly as possible,” said Tina Burleigh, Director of Store Systems, ABC Fine Wine & Spirits. “With the implementation, we were able to reduce our number of customizations by over 80%.”

“By leveraging Oracle Retail Xstore Point-of-Service as a platform to connect with customers, ABC Fine Wine & Spirits can execute a superior shopping experience. With the latest innovations in our Xstore Point-of-Service, ABC Fine Wine & Spirits can provide a single, 360-degree view of its customers in real time for all touchpoints to facilitate more meaningful engagements,” said Ray Carlin, Senior Vice President and General Manager, Oracle Retail.

About Oracle Retail

Oracle provides retailers with a complete, open, and integrated suite of best-of-breed business applications, cloud services, and hardware that are engineered to work together and empower commerce. Leading fashion, grocery, and specialty retailers use Oracle solutions to anticipate market changes, simplify operations and inspire authentic brand interactions. For more information, visit our website at oracle.com/retail.

About Oracle

The Oracle Cloud delivers hundreds of SaaS applications and enterprise-class PaaS and IaaS services to customers in more than 195 countries and territories while processing 55 billion transactions a day. For more information about Oracle (NYSE:ORCL), please visit us at oracle.com.

About ABC Fine Wine & Spirits

Orlando-based ABC Fine Wine & Spirits is Florida’s oldest and largest wine and spirits retailer. Founded in 1936 in Orlando by Jack Holloway, the company is in its third generation of family leadership, with CEO Charles Bailes III and Executive Vice President Jess Bailes leading the organization. ABC operates over one hundred locations throughout Florida. www.abcfws.com.

Trademarks

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Oracle Mobile Cloud Service (MCS) and Integration Cloud Service (ICS): How secure is your TLS connection?

Amis Blog - Wed, 2017-07-26 08:27

In a previous blog I explained what cipher suites are and the role they play in establishing SSL connections, and provided some suggestions on how you can determine whether a cipher suite is strong. In this blog post I’ll apply this knowledge to look at incoming connections to Oracle Mobile Cloud Service and Integration Cloud Service. Outgoing connections are a different story altogether. These two cloud services do not give you control of cipher suites to the extent that, for example, Oracle Java Cloud Service does, and you are thus forced to use the cipher suites Oracle has chosen for you.

Why should you be interested in TLS? Well, ‘normal’ application authentication uses tokens (like SAML, JWT, OAuth). Once an attacker obtains such a token (and no additional client authentication is in place), it is more or less free game for the attacker. An important mechanism which prevents the attacker from obtaining the token is TLS (Transport Layer Security). The strength of the provided security depends on the choice of cipher suite. The cipher suite is chosen by negotiation between client and server. The client provides options and the server chooses the one which has its preference.

Disclaimer: my knowledge is not at the level that I can personally exploit the liabilities in different cipher suites. I’ve used several posts I found online as references. I have used the OWASP TLS Cheat Sheet extensively which provides many references for further investigation should you wish.

Method

Cipher suites

The supported cipher suites for the Oracle Cloud Services appear (at first glance) to be host specific and not URL specific. The APIs and exposed services use the same cipher suites. The specific configuration of the service is also irrelevant, since we are testing the connection, not the message. Using the tools described here (for public URLs, https://www.ssllabs.com/ssltest/ is easiest) you can check if the SSL connection is secure. You can also check yourself with a command like: nmap --script ssl-enum-ciphers -p 443 hostname. There are also various scripts available; see here for some suggestions.

I’ve looked at two Oracle Cloud services which are available to me at the moment:

Results

It was interesting to see the supported cipher suites for Mobile Cloud Service and Integration Cloud Service are the same and also the supported cipher suites for the services and APIs are the same. This could indicate Oracle has public cloud wide standards for this and they are doing a good job at implementing it!

Supported cipher suites

TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

TLS 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

Liabilities in the cipher suites

You should not read this as an attack against the choices made in the Oracle Public Cloud for SSL connections. Generally the cipher suites Oracle chose to support are pretty secure and there is no need to worry unless you want to protect yourself against groups like the larger security agencies. When choosing cipher suites in your own implementations outside the mentioned Oracle cloud products, I would go for stronger cipher suites than those provided here. Read here.

TLS 1.0 support

TLS 1.0 is supported by the Oracle Cloud services. This standard is outdated and should be disabled. Read the following for some arguments on why you should do this. It is possible Oracle chose to support TLS 1.0 since some older browsers (really old ones like IE6) do not support TLS 1.1 and 1.2 yet. This is a consideration of compatibility versus security.

TLS_RSA_WITH_3DES_EDE_CBC_SHA might be a weak cipher

There are questions whether TLS_RSA_WITH_3DES_EDE_CBC_SHA could be considered insecure (read here, here and here why). SSLLabs also says it is weak. You can mitigate some of the vulnerabilities by not using CBC mode, but that is not an option in the Oracle cloud as GCM is not supported (see more below). If a client indicates it only supports TLS_RSA_WITH_3DES_EDE_CBC_SHA, this cipher suite is used for the SSL connection, making you vulnerable to collision attacks like Sweet32. It also uses a SHA1 hash, which can be considered insecure (read more below).

Weak hashing algorithms

There are no cipher suites available which provide SHA384 hashing, only SHA256 and SHA. SHA1 (SHA) is considered insecure (see here and here; plenty of other references to this can be found easily).

No GCM mode support

GCM provides data authenticity (integrity) and confidentiality checking. It is more efficient and performant compared to CBC mode. CBC only provides authenticity/integrity but no confidentiality checking. GCM uses a so-called nonce. You cannot use the same nonce to encrypt data with the same key twice.

Wildcard certificates are used

As you can see in the screenshot below, the certificate used for my Mobile Cloud Service contains a wildcard: *.mobileenv.us2.oraclecloud.com.

This means the same certificate is used for all Mobile Cloud Service hosts in a data center unless specifically overridden. See here Rule – Do Not Use Wildcard Certificates. They violate the principle of least privilege. If you decide to implement two-way SSL, I would definitely consider using your own certificates since you want to avoid trust on the data center level. They also violate the EV Certificate Guidelines. Since the certificate is per data center, there is no difference between the certificate used for development environments compared to production environments. In addition, everyone in the same data center will use the same certificate. Should the private key be compromised (of course Oracle will try not to let this happen!), this will be an issue for the entire data center and everyone using the default certificate.

Oracle provides the option to use your own certificates and even recommends this. See here. This allows you to manage your own host specific certificate instead of the one used by the data center.

Choice of keys

Only RSA and ECDHE keys are used and no DSA/DSS keys. Also the ECDHE keys are given priority above the RSA keys. ECDHE gives forward secrecy. Read more here. DHE however is preferred above ECDHE (see here) since ECDHE uses Elliptic Curves and there are doubts they are really secure. Read here and here. Oracle does not provide DHE support in their list of cipher suites.

Strengths of the cipher suites

Is it all bad? No, definitely not! You can see Oracle has put thought into choosing their cipher suites and only provide a select list. Maybe it is possible to request stronger cipher suites to be enabled by contacting Oracle support.

Good choice of encryption algorithm

AES is the preferred encryption algorithm (here). WITH_AES_256 is supported which is a good thing. WITH_AES_128 is also supported. This one is obviously weaker, but it is not really terrible that it is still used and for compatibility reasons, OWASP even recommends TLS_RSA_WITH_AES_128_CBC_SHA as cipher suite (also SHA1!) so they are not completely against it.

Good choice of ECDHE curve

The ECDHE curve used is the default most commonly used secp256r1 which is equivalent to 3072 bits RSA. OWASP recommends > 2048 bits so this is ok.

No support for SSL2 and SSL3

Of course SSL2 and SSL3 are not secure anymore and usage should not be allowed.

So why these choices? Considerations

I’ve not been involved with these choices and have not talked to Oracle about this. In summary, I’m just guessing at the considerations.

I can imagine the cipher suites have been chosen to create a balance between compatibility, performance and security. They could also be related to export restrictions / government regulations. The supported cipher suites do not all require the installation of JCE (here) but some do. For example, usage of AES_256 and ECDHE requires the JCE cryptographic provider but AES_128 and RSA do not. Compatibility is of course also taken into consideration. The supported cipher suites are common cipher suites supported by most web browsers (see here). When taking performance into consideration (although this is hardware dependent: certain cipher suites perform better on ARM processors, others better on, for example, Intel), using ECDHE is not at all strange, while not using GCM might not be a good idea (try for example the following: gnutls-cli --benchmark-ciphers). For Oracle, using a single wildcard certificate for your data center is of course an easy and cheap default solution.

Recommendations
  • Customers should consider using their own host specific certificates instead of the default wildcard certificate.
  • Customers should try to put constraints on their clients. Since the public cloud offers support for weak ciphers, the negotiation between client and server determines the cipher suite (and thus strength) used. If the client does not allow weak ciphers, relatively strong ciphers will be used. It of course depends if you are able to do this since if you would like to provide access to the entire world, controlling the client can be a challenge. If however you are integrating web services, you are more in control (unless of course a SaaS solution has limitations).
  • Work with Oracle support to see what is possible and where the limitations are.
  • Whenever you have more control, consider using stronger cipher suites like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
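The client-side constraint recommended above, worked through on the TLS 1.2 and TLS 1.0 lists from this post (an added example, not code from the original post). It assumes the listed order is the server's preference order and models only the cipher choice for an already agreed protocol version; the function names are illustrative.

```python
import re

# TLS 1.2 and TLS 1.0 lists copied from the post. Assumption: the order
# within each version is the server's preference order.
SCAN = """\
TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
"""

def parse_scan(text):
    """Return {protocol version: [suite names in listed order]}."""
    server, version = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"TLS \d\.\d", line):
            version = line
            server[version] = []
        elif line.startswith("TLS_") and version:
            server[version].append(line.split()[0])
    return server

def liabilities(suite):
    """Flag the weaknesses the post discusses, from the suite name alone."""
    kx, _, rest = suite[len("TLS_"):].partition("_WITH_")
    found = []
    if not kx.startswith(("ECDHE", "DHE")):
        found.append("no forward secrecy")
    if "3DES" in rest:
        found.append("3DES")
    if "_CBC_" in rest:
        found.append("CBC")
    if rest.endswith("_SHA"):  # plain SHA means SHA1
        found.append("SHA1")
    return found

def constrain(offer, forbidden):
    """Client-side constraint: drop suites carrying any forbidden liability."""
    return [s for s in offer if not set(liabilities(s)) & set(forbidden)]

def negotiate(server, version, offer):
    """First suite in the server's order that the client also offers, else None."""
    return next((s for s in server.get(version, []) if s in offer), None)

SERVER = parse_scan(SCAN)

if __name__ == "__main__":
    # A client that only offers 3DES is given 3DES on TLS 1.0.
    print(negotiate(SERVER, "TLS 1.0", ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]))
    # A client refusing SHA1 and non-forward-secret suites on TLS 1.2.
    strict = constrain(SERVER["TLS 1.2"], ["no forward secrecy", "SHA1"])
    print(negotiate(SERVER, "TLS 1.2", strict))
    # A client refusing CBC has nothing in common with this server.
    print(negotiate(SERVER, "TLS 1.2", constrain(SERVER["TLS 1.2"], ["CBC"])))
```

The last case shows the limit of constraining the client: with no GCM suite on the server side, a client that refuses CBC cannot connect at all.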

The post Oracle Mobile Cloud Service (MCS) and Integration Cloud Service (ICS): How secure is your TLS connection? appeared first on AMIS Oracle and Java Blog.

Telecom Brokerage Fuels Rapid Growth with NetSuite

Oracle Press Releases - Wed, 2017-07-26 08:00
Press Release
Master agent nets triple-digit gains in sales productivity and commissionable revenue with move to cloud ERP

SAN MATEO, Calif.—Jul 26, 2017

Oracle NetSuite Global Business Unit, one of the world’s leading providers of cloud-based financials / ERP, HR, Professional Services Automation (PSA) and omnichannel commerce software suites, announced today that TBI (Telecom Brokerage Inc.), the nation's largest master agent and technology services distributor, has continued its rapid growth since graduating to NetSuite from QuickBooks and an industry-specific solution called RPM Telco. TBI relies on NetSuite to run end-to-end processes, spanning financials, quoting, order management, billing, customer relationship management (CRM) and project management. Additionally, NetSuite’s powerful and flexible SuiteCloud development platform has enabled TBI to embed the commissions it receives from carriers and share them with its IT service provider selling partners, all from within the NetSuite platform.

Since implementing NetSuite in July 2014, TBI sales productivity has soared 133 percent. Commissionable revenue has doubled, while the workforce has grown 80 percent to 180 employees. The company has improved efficiency and visibility across the business while strengthening its partnerships.

Founded in 1991, TBI offers enterprise IT solutions in voice, data, internet and cloud from more than 85 carriers, including Verizon, Comcast, AT&T, CenturyLink and Spectrum. As the company grew in a hot IT market, it needed to streamline complex operational processes and become more efficient for its selling partners. TBI evaluated Microsoft Dynamics, Sage, SugarCRM and Salesforce.com before selecting NetSuite as the optimal platform for its next phase of growth.

“Our business has seen explosive growth that’s a byproduct of the sector — but also our ability to adapt to market changes with real-time business intelligence in NetSuite,” said Jeff Newton, VP of Enterprise Sales and IT at TBI. “NetSuite has given us a level of visibility we never envisioned. We can better manage our customers’ experience based on how efficiently orders move through our system.”

TBI initially looked at NetSuite to replace QuickBooks and provide CRM capabilities. It soon realized, however, that it could also move its mission-critical commissioning functions from RPM Telco into a single NetSuite environment. Working with NetSuite Solution Provider Gurus Solutions and the NetSuite SuiteCloud development platform, TBI further customized unique processes within commissioning and its operational support departments. Visibility into commissioning and order tracking is now shared with its selling partners directly in NetSuite’s unified platform.

“It’s a very complex and mission-critical workflow to get commissions to agents. We were effectively putting our business on the line by moving commissioning into NetSuite,” Newton said. “I can say our migration from RPM Telco to NetSuite has made this the most successful technology move TBI has ever undertaken.”

With NetSuite, TBI is now able to continue its rapid growth trajectory. “As we look to grow our business in new sectors and verticals, NetSuite is not a limiting factor whatsoever,” Newton said. “It scales with the business.”

TBI has gained the following benefits since implementing NetSuite:

  • Strong partner relationships. With NetSuite Advanced Partner Center, TBI’s more than 3,000 partner users can track commissions, orders and financial data in NetSuite, as well as run reports, open tickets and troubleshoot issues.
  • Business efficiency. TBI has minimized the inefficient “swivel chair” syndrome of piecing together information across disparate applications, enabling its personnel to focus on customer service and driving sales.
  • Real-time visibility. Reporting and analytics on a single source of data in NetSuite give TBI real-time insights into key business metrics that are critical to continuously optimizing business models and processes.
  • Project management. TBI relies on the NetSuite Project Management module to help manage engagements with IT service provider partners, from planning and contract management through to implementation.
  • Agile and flexible development platform. TBI has taken advantage of the customization capabilities of the NetSuite SuiteCloud Development Platform and NetSuite partner solutions, including HubSpot for marketing automation and 8x8 and Five9 for enterprise contact center, to build an agile cloud ecosystem.

About SuiteCloud

NetSuite’s SuiteCloud is a comprehensive offering of cloud-based products, development tools and services designed to help customers and commercial software developers take advantage of the significant economic benefits of cloud computing. Based on NetSuite, the industry's leading provider of cloud-based financials / ERP software suites, SuiteCloud enables customers to run their core business operations in the cloud, and software developers to target new markets quickly with newly-created mission-critical applications built on top of mature and proven business processes.

The SuiteCloud Developer Network (SDN) is a comprehensive developer program for independent software vendors (ISVs) who build apps for SuiteCloud. All available SuiteApps are listed on SuiteApp.com, a single-source online marketplace where NetSuite customers can find applications to meet specific business process or industry-specific needs. For more information on SuiteCloud and the SDN program, please visit www.netsuite.com/developers.

About Oracle NetSuite Global Business Unit

Oracle NetSuite Global Business Unit pioneered the Cloud Computing revolution in 1998, establishing the world's first company dedicated to delivering business applications over the internet. Today, Oracle NetSuite Global Business Unit provides a suite of cloud-based financials / Enterprise Resource Planning (ERP), HR and omnichannel commerce software that runs the business of companies in more than 100 countries. For more information, please visit http://www.netsuite.com.

Follow Oracle NetSuite Global Business Unit’s Cloud blog, Facebook page and @NetSuite Twitter handle for real-time updates.

Contact Info
Christine Allen
Oracle NetSuite Global Business Unit
603-743-4534
pr@netsuite.com

About Oracle

The Oracle Cloud offers complete SaaS application suites for ERP, HCM and CX, plus best-in-class database Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) from data centers throughout the Americas, Europe and Asia. For more information about Oracle (NYSE:ORCL), please visit us at oracle.com.

Trademarks

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.


SQL Developer Database Export Error

Tom Kyte - Wed, 2017-07-26 07:26
Hello. I'm using SQLDeveloper for copying my database from one server to another. So I choose Tools->Database Export..., then connection and couple of options (like this one https://docs.oracle.com/cd/E17781_01/server.112/e18804/impexp.htm#BABHFHGH). ...
Categories: DBA Blogs
