
Jun 2008 security patch No: 7150622 install OCM

(2009-03-18 11:41:55)
Tags: it

Category: Oracle DBA

In this Document
  Purpose
  Last Review Date
  Instructions for the Reader
  Troubleshooting Details
  References


 

 

Applies to:

OSS Support Tools - Version: 10.03.01
Intel Based Server LINUX
Jun 2008 security patch No: 7150622 / OCM integrated with molecules

The customer has to install the OCM user and instrument OCM objects in the database
even though NO was selected for OCM during patch install and the
customer did not set the flag to install the OCM tool.

The installation manual instructs the user to create the OCM user and
perform OCM instrumentation without a clear statement, and the user thinks that the OCM
user is created and the database instrumented during patch install and not during execution of the postinstallation scripts.

Reproduction steps:

Linux, UNIX 11 DB ver up to 10.2.x.x.
===============
1.) Install the patch, selecting 'n' during the opatch apply session:
Do you wish to configure OCM at this time? (y/n) n

OCM binaries are extracted to the OH/ccr folder. OCM setup has not been done during patch installation.
The OCM user and objects are not created.

2.) According to the installation manual, the customer is guided to perform the postinstallation steps.
The issue appears when executing the postinstallation steps suggested by the installation
manual (Readme.html - Critical Patch Update Note Release 10.2.0.3 for UNIX,
Released: July 15, 2008), on running this installation step:
------
3.3.3.1 Loading Modified .sql Files into the Database
To load modified .sql files into the database, follow these steps:

If there is a database in the Oracle home that you are patching, start all
database instances running from this Oracle home.

For each database instance running on the Oracle home being patched, connect
to the database using
SQL*Plus. Connect as SYSDBA and run the catcpu.sql script as follows:

cd $ORACLE_HOME/cpu/CPUJul2008
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> STARTUP
SQL> @catcpu.sql
SQL> QUIT
-------
OCM user is installed and database instrumented.

The catcpu.sql sent with the July 2008 CPU called three OCM scripts from the
$ORA_HOME/rdbms/admin directory: dbmsocm.sql, prvtocm.sql and execocm.sql, in
that order.

execocm.sql schedules the job, and the scheduler tried running it at a
specific time until it completed successfully, which it did after we noticed
the error messages and granted the appropriate permissions to compile the
package (MGMT_DB_LL_METRICS) without errors.
Once it completed successfully, it dropped the job from the schedule.

ORA-06512: at "SYS.DBMS_ISCHED", line 150
ORA-06512: at "SYS.DBMS_SCHEDULER", line 441

Other issues also appear when installing the OCM user in highly secure environments:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to user

Purpose

This note explains the procedures during and after installation of Jun 2008 security patch No: 7150622 in case the user is getting error messages in the alert log file or does not intend to use OCM after the CPU Jun molecule installation.

Last Review Date

September 11, 2008

Instructions for the Reader

A Troubleshooting Guide is provided to assist in debugging a specific issue. When possible, diagnostic tools are included in the document to assist in troubleshooting.

Troubleshooting Details

Jun 2008 security patch No: 7150622
OCM integrated and will install unconditionally

1.) If you DO NOT intend to use OCM after patch install
============================================
The JUL CPU patch installs this feature unconditionally; this is mentioned in the
CPU README.

If you do not intend to use OCM and you get error messages in the database like
ORA-01031 : insufficient privileges
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 135
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 137
ORA-06512 : at "SYS.DBMS_ISCHED", line 150
ORA-06512 : at "SYS.DBMS_SCHEDULER", line 441
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 106

you can later drop the ORACLE_OCM user cascade to disable OCM with the following steps:

1.) Log in to sqlplus as SYS, remove the job from the scheduler and drop ORACLE_OCM
by running the remOCMdisJ.sql script attached to this note:

sqlplus /nolog
connect SYS/passwd_ as sysdba

2.) The crontab entry needs to be removed to disable the start of nmz, the scheduler process.

List: crontab -l
Edit: crontab -e

Remove the crontab entry similar to this:
0,15,30,45 * * * * JAVA_HOME=/oracle/ora11g/jdk /oracle/ora11g/ccr/bin/emCCR -cron -silent start
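
A non-interactive alternative to editing with crontab -e, as an added example that is not part of the original note: it removes only active entries that run ccr/bin/emCCR with -cron, keeps a backup, and confirms nothing is left. The function names, the backup path and the sample crontab are assumptions made for illustration.

```shell
# Added example; helper names are hypothetical, not from the Oracle note.

# Constructed sample crontab for the oracle OS user.
sample_crontab() {
  cat <<'EOF'
# oracle user crontab (constructed sample)
0 2 * * * /home/oracle/scripts/backup.sh
0,15,30,45 * * * * JAVA_HOME=/oracle/ora11g/jdk /oracle/ora11g/ccr/bin/emCCR -cron -silent start
# 0,15,30,45 * * * * /oracle/old/ccr/bin/emCCR -cron -silent start
EOF
}

# Print active (uncommented) entries that launch emCCR from cron.
emccr_cron_entries() {
  awk '!/^[ \t]*#/ && /\/ccr\/bin\/emCCR/ && /-cron/'
}

# Print the crontab with those entries removed; comments and other jobs pass through.
strip_emccr_cron() {
  awk '/^[ \t]*#/ || !(/\/ccr\/bin\/emCCR/ && /-cron/)'
}

# Back up the live crontab, install the filtered copy, then confirm nothing is left.
# Run as the OS user that owns the Oracle home: remove_emccr_cron [backup-file]
remove_emccr_cron() {
  backup="${1:-$HOME/crontab.before_ocm_removal}"
  crontab -l > "$backup" || return 1
  strip_emccr_cron < "$backup" | crontab - || return 1
  [ -z "$(crontab -l | emccr_cron_entries)" ]
}
```

Preview the effect first with: crontab -l | emccr_cron_entries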


2.) Intend to use OCM after PATCH INSTALL
======================================
If you intend to use OCM and you get error messages which indicate permission problems,
e.g.: ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to username

catocm.sql can be edited before you execute the post-installation steps, and the password changed to meet your specific security requirements.

Find and modify the following line in catocm.sql:

create user ORACLE_OCM identified by "Somelong111PAS" account lock password expire;


3: INTEND to use OCM - ORACLE_OCM.MGMT_DB_LL_METRICS VALIDATION
You get messages in alert.log file like:

ORA-01031 : insufficient privileges
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 135
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 137
ORA-06512 : at "SYS.DBMS_ISCHED", line 150
ORA-06512 : at "SYS.DBMS_SCHEDULER", line 441
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 106

OCM requires execute privileges on UTL_FILE to work.
If you later revoked them from PUBLIC, this grant is missing. In that
case the solution is to grant execute on utl_file to oracle_ocm;
ORACLE_OCM.MGMT_DB_LL_METRICS can then likely be validated.

Connect to sqlplus and execute the following SQL statements:
sqlplus /nolog
connect SYS/PASSWD_ as sysdba

grant execute on utl_file to oracle_ocm;
ALTER PACKAGE oracle_ocm.MGMT_DB_LL_METRICS compile;
ALTER PACKAGE oracle_ocm.mgmt_config compile;

grant execute on DBMS_SCHEDULER to oracle_ocm;
ALTER PACKAGE oracle_ocm.MGMT_DB_LL_METRICS compile;
ALTER PACKAGE oracle_ocm.mgmt_config compile;

execute ORACLE_OCM.MGMT_DB_LL_METRICS.collect_config_metrics('ORACLE_OCM_CONFIG_DIR',true);

and check that the *.ll files are created properly.

Usually these files are located at $ORACLE_HOME/ccr/hosts/<yourhostname>/state
as an <INSTANCENAME.ll> file.

EXCEPTIONS noticed on specific systems:

In some security-specific database systems, such as DATABASE VAULT, ORA-600 is sometimes noticed:
SQL> @/oracle/ora11g/ccr/admin/scripts/execocm.sql
PL/SQL procedure successfully completed.
BEGIN ORACLE_OCM.MGMT_CONFIG.run_now; END;
ERROR at line 1:
ORA-600: internal error code, arguments: [549], [], [], [], [], [], [], []

If this happens, check for the OCM scheduler process with a command such as:
ps -elf | grep nmz
and kill the process.

Then grant ORACLE_OCM execute on UTL_FILE and DBMS_SCHEDULER (described above in step 3, INTEND to use OCM), strictly logged in to sqlplus as SYS and not as a sysdba user.

Check that the ORACLE_OCM user is properly granted (output should be 1) with the following SQL statement.

select GRANTEE, count(*) from dba_tab_privs where
GRANTEE in ('ORACLE_OCM', 'PUBLIC') and TABLE_NAME = 'DBMS_SCHEDULER' and
upper(PRIVILEGE) = 'EXECUTE' group by grantee;

then start OCM by running emCCR start.

In case you do not intend to use OCM you can use remOCMdisJ.sql to perform OCM removal and restart the system.
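
A triage pass over the error stacks described in this note, as an added example that is not part of the original note: it counts an ORA-01031 only when its stack passes through ORACLE_OCM.MGMT_CONFIG, so unrelated privilege errors are not blamed on OCM. The function names and the sample log are constructed for illustration.

```shell
# Added example; names and sample data are constructed, not from the Oracle note.

# Constructed alert-log excerpt: one OCM stack, one unrelated ORA-01031,
# one password-policy rejection and one ORA-600 [549].
sample_alert_log() {
  cat <<'EOF'
Tue Jul 22 10:00:01 2008
ORA-01031 : insufficient privileges
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 135
ORA-06512 : at "ORACLE_OCM.MGMT_CONFIG", line 137
ORA-06512 : at "SYS.DBMS_ISCHED", line 150
Tue Jul 22 10:05:00 2008
ORA-01031 : insufficient privileges
ORA-06512 : at "APP.REPORTS", line 12
Tue Jul 22 10:06:00 2008
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to username
ORA-00600: internal error code, arguments: [549], [], [], [], [], [], [], []
EOF
}

# Read log text on stdin and print one summary line:
#   missing_grant   -> ORA-01031 raised inside ORACLE_OCM.MGMT_CONFIG (step 3 grants)
#   password_policy -> ORA-28003 followed by ORA-20001 (edit catocm.sql, step 2)
#   ora600_549      -> ORA-600 [549], written ORA-600 or ORA-00600 (exceptions above)
triage_ocm_errors() {
  awk '
    # Any line without an ORA- code ends the current error stack.
    !/ORA-[0-9]+/ { priv = 0; pwd = 0; next }
    /ORA-01031/   { priv = 1 }
    /ORA-28003/   { pwd = 1 }
    priv && /ORA-06512/ && /"ORACLE_OCM\.MGMT_CONFIG"/ { grant++; priv = 0 }
    pwd && /ORA-20001/                                 { policy++; pwd = 0 }
    /ORA-0*600:/ && /\[549\]/                          { vault++ }
    END {
      printf "missing_grant=%d password_policy=%d ora600_549=%d\n", grant, policy, vault
    }
  '
}
```

Run it against the instance's alert log or a spooled sqlplus session, for example: triage_ocm_errors < alert_SID.log (placeholder file name).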

RECOMMENDATIONS:

As a prerequisite for a working OCM when installing the molecules patch, first download and install the latest version of the collector
from MetaLink under Patches & Updates. Simply search for patch 5567658.

Here is the short procedure for the OCM install:

A.) OLD OCM/CCR REMOVAL PROCEDURE
===============
If the collector is already installed in the DB for the existing SID, remove the previous objects from the DB.
1. Stop OCM with the command
$ ./emCCR stop
and perform a full backup of the $ORACLE_HOME/ccr directory.

2. If database collections were done at database level, log into the database with
SQLPLUS and execute as database user SYS:
SQL> @ccr/admin/scripts/dropocm.sql
or, in the case of an EBS DB, the procedure is as follows:
SQL> !ls -lrt $ORACLE_HOME/ccr/admin/scripts/dropocm.sql
full path execution or:
SQL> @$ORACLE_HOME/ccr/admin/scripts/ebs_dropccr.sql apps

3. Execute :

$ORACLE_HOME/ccr/bin/deployPackages -d $ORACLE_HOME/ccr/inventory/core.jar
(this will stop the scheduler and remove the crontab entry).

4. Remove the directory:
$ rm -rf $ORACLE_HOME/ccr

B.) Install NEWEST OCM
======================
1. Download OCM and extract to Oracle database Home (unzip -d $ORACLE_HOME ocm.zip)
2. Run $ORACLE_HOME/ccr/bin/setupCCR
3. Execute $ORACLE_HOME/ccr/admin/scripts/installCCRSQL.sh collectconfig
This step instruments the database for the collector. It creates the ORACLE_OCM user,
packages and procedures that are needed to do the discovery, collection and upload to MetaLink.

4. Run $ORACLE_HOME/ccr/bin/emCCR collect


5. You can verify the installation if you didn't see any errors during the previous steps by
connecting to the database as sysdba and issuing the following queries:


SQL> select * from dba_directories;

[you should see at least ORACLE_OCM_CONFIG_DIR pointing to OH/ccr/hosts/<hostname>/state]


SQL> select owner, object_name, object_type, status
from dba_objects
where owner='ORACLE_OCM';

[all the rows returned should be valid]

HINT:
Install the NEW OCM version first. Only after that apply the JUNCPU molecule patch.

With this approach many of the similar issues described above can be avoided.
