Oracle MVA

Tales from a Jack of all trades

Archive for June 2010

Configure a Database Audit Store for System Components


The documentation for configuring a database audit store for system components is wrong. When you populate the audit store password in the secret store, the docs tell you to run this command:

$ORACLE_HOME/jdk/bin/java -classpath \
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_cert.jar:\
$ORACLE_HOME/modules/oracle.osdt_11.1.1/osdt_core.jar:\
$ORACLE_HOME/jdbc/lib/ojdbc5.jar:\
$ORACLE_HOME/modules/oracle.iau_11.1.1/fmw_audit.jar:\
$ORACLE_HOME/modules/oracle.pki_11.1.1/oraclepki.jar \
-Doracle.home=$ORACLE_HOME -Doracle.instance=$ORACLE_INSTANCE \
-Dauditloader.jdbcString=jdbc:oracle:thin:@host:port:sid \
-Dauditloader.username=username \
-Dstore.password=true \
-Dauditloader.password=password \
oracle.security.audit.ajl.loader.StandaloneAuditLoader

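It should be this instead, with the osdt, iau and pki jars taken from $MW_HOME/oracle_common/modules rather than $ORACLE_HOME/modules: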

$ORACLE_HOME/jdk/bin/java -classpath \
$MW_HOME/oracle_common/modules/oracle.osdt_11.1.1/osdt_cert.jar:\
$MW_HOME/oracle_common/modules/oracle.osdt_11.1.1/osdt_core.jar:\
$ORACLE_HOME/jdbc/lib/ojdbc5.jar:\
$MW_HOME/oracle_common/modules/oracle.iau_11.1.1/fmw_audit.jar:\
$MW_HOME/oracle_common/modules/oracle.pki_11.1.1/oraclepki.jar \
-Doracle.home=$ORACLE_HOME \
-Doracle.instance=$ORACLE_INSTANCE \
-Dauditloader.jdbcString=jdbc:oracle:thin:@host:port:sid \
-Dauditloader.username=username \
-Dstore.password=true \
-Dauditloader.password=password \
oracle.security.audit.ajl.loader.StandaloneAuditLoader

Hope this helps.


Written by Jacco H. Landlust

June 17, 2010 at 3:40 pm
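
Added example (not from the original post or from Oracle's documentation): a shell wrapper for the corrected StandaloneAuditLoader command in the post above that checks every classpath jar exists before starting the JVM, so a wrong module path is reported as a named missing file. The function names and the password prompt are assumptions of this example; the jar paths and -D properties are the ones given in the post.

```shell
#!/usr/bin/env bash
# Assumes MW_HOME, ORACLE_HOME and ORACLE_INSTANCE are set, as in the post.

# Jar locations exactly as in the corrected command.
audit_loader_jars() {
    printf '%s\n' \
        "$MW_HOME/oracle_common/modules/oracle.osdt_11.1.1/osdt_cert.jar" \
        "$MW_HOME/oracle_common/modules/oracle.osdt_11.1.1/osdt_core.jar" \
        "$ORACLE_HOME/jdbc/lib/ojdbc5.jar" \
        "$MW_HOME/oracle_common/modules/oracle.iau_11.1.1/fmw_audit.jar" \
        "$MW_HOME/oracle_common/modules/oracle.pki_11.1.1/oraclepki.jar"
}

# Prints the colon-joined classpath on stdout. Every missing jar is named
# on stderr and the function returns 1 without printing a classpath.
audit_loader_classpath() {
    local cp="" missing=0 jar
    while IFS= read -r jar; do
        [ -f "$jar" ] || { echo "missing jar: $jar" >&2; missing=1; }
        cp="${cp:+$cp:}$jar"
    done <<EOF
$(audit_loader_jars)
EOF
    [ "$missing" -eq 0 ] || return 1
    printf '%s\n' "$cp"
}

# Usage (hypothetical helper): run_audit_loader 'jdbc:oracle:thin:@host:port:sid' username
# Prompting keeps the password out of shell history; it is still a JVM
# argument, so it is visible in the process list while the loader runs.
run_audit_loader() {
    local jdbc=$1 user=$2 cp pw
    cp=$(audit_loader_classpath) || return 1
    printf 'Audit store password for %s: ' "$user" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    "$ORACLE_HOME/jdk/bin/java" -classpath "$cp" \
        -Doracle.home="$ORACLE_HOME" \
        -Doracle.instance="$ORACLE_INSTANCE" \
        -Dauditloader.jdbcString="$jdbc" \
        -Dauditloader.username="$user" \
        -Dstore.password=true \
        -Dauditloader.password="$pw" \
        oracle.security.audit.ajl.loader.StandaloneAuditLoader
}
```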

“ignore” means “please restart the process”


I just wasted lots of my precious time (and the time of a support officer at Oracle). When loading a repository using RCU I got an error mentioning that the TSPURGE package was not valid. The options I got were “ignore” and “stop”. Looking some more into the error it turns out that the tspurge package (in ODS schema) relies on DBMS_JOB. The grant to public for DBMS_JOB was removed on the security advice from OEM though. Just granting execute privileges on DBMS_JOB to the ODS user and hitting “ignore” results in a faulty repository (even though RCU claims all went perfectly). So, “ignore” means “please restart the process from the start”. It’s very interesting that Oracle’s own RCU tool doesn’t handle the security settings suggested by Oracle though.

Written by Jacco H. Landlust

June 15, 2010 at 4:07 pm