This chapter describes configuration tasks you can perform to increase security and other configuration tasks you must perform before using Oracle Multimedia and other Oracle options. Where appropriate, the chapter provides references to other guides for those configuration tasks.
This chapter contains these topics:
Configuring External Job Support for the Scheduler on Windows
Configuring Advanced Replication on Windows
Note:
Directory path examples in this chapter follow Optimal Flexible Architecture (OFA) guidelines. If you specified non-OFA compliant directories during installation, then your directory paths will differ. See Appendix B, "Optimal Flexible Architecture", in Oracle Database Installation Guide for Microsoft Windows for more information.By default, all newer Windows operating systems enable the Windows Firewall to block virtually all TCP network ports to incoming connections. As a result, any Oracle products that listen for incoming connections on a TCP port will not receive any of those connection requests, and the clients making those connections will report errors.
Depending upon which Oracle products are installed and how they are used, some postinstallation configuration of the Windows Firewall might be required for the products to be functional on these operating systems.
This section contains these topics:
Table 4-1 lists the Oracle Database 10g Release 1 (10.1) or later executables that listen on TCP ports on Windows. If they are in use and accepting connections from a remote client computer, then Oracle recommends that you add them to the Windows Firewall exceptions list to ensure correct operation. Except as noted, they can be found in ORACLE_HOME
\bin
.
Note:
If multiple Oracle homes are in use, then several firewall exceptions may be needed for the same executable: one for each home from which that executable loads.You must configure exceptions for the Windows Firewall if your system meets all of the following conditions:
Oracle server-side components are installed on a Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows 2008 R2, Windows Server 2012 or Windows Server 2012 R2 system. The list of components includes the Oracle Database, Oracle Grid Infrastructure, network listeners, or any Web servers or services.
The Windows system in question accepts connections from other machines over the network. If no other machines will be connecting to the Windows system to access the Oracle software, then no postinstallation configuration steps are required and the Oracle software will function as expected.
The Windows system in question is configured to run the Windows Firewall. If the Windows Firewall is not enabled, then no postinstallation configuration steps are required.
If all of the above conditions are met, then the Windows Firewall must be configured to allow successful incoming connections to the Oracle software. To enable Oracle software to accept connection requests, Windows Firewall needs to be configured by either opening up specific static TCP ports in the firewall or by creating exceptions for specific executables so they can receive connection requests on any ports they choose. This firewall configuration can be done by one of the following methods:
From the Control Panel, select Windows Firewall. In the Windows Firewall application, select the Exceptions tab and then click either Add Program or Add Port to create exceptions for the Oracle software.
From the command prompt, use the netsh
firewall add...
command.
When Windows notifies you that a foreground application is attempting to listen on a port, and gives you the opportunity to create an exception for that executable. If you choose the create the exception in this way, the effect is the same as creating an exception for the executable either through Control Panel or from the command line.
The following sections list the Oracle Database 11g Release 2 executables that listen on TCP ports on Windows, along with a brief description of the executable. It is recommended that these executables (if in use and accepting connections from a remote, client computer) be added to the exceptions list for the Windows Firewall to ensure correct operation. In addition, if multiple Oracle homes are in use, firewall exceptions may need to be created for the same executable, for example, oracle.exe, multiple times, once for each Oracle home from which that executable loads.
For basic database operation and connectivity from remote clients (SQL*Plus, OCI, ODBC, OLE DB applications, and so on), the following executables must be added to the Windows Firewall exception list:
Oracle_home
\bin\oracle.exe
- Oracle Database executable
Oracle_home
\bin\tnslsnr.exe
- Oracle Listener
For remote monitoring capabilities to be available for a database on Windows, the following executables must be added to the Windows Firewall exception list:
Oracle_home
\bin\emagent.exe
- Oracle Database Control
Oracle_home
\jdk\bin\java.exe-
Java Virtual Machine
After installing the Oracle Database Examples, the following executables must be added to the Windows Firewall exception list:
Oracle_home
\opmn\bin\opmn.exe
- Oracle Process Manager
Oracle_home
\jdk\bin\java.exe
- Java Virtual Machine
If your Oracle database interacts with non-Oracle software through a gateway, then you must add the gateway executable to the Windows Firewall exception list. Table 4-1 table lists the gateway executables used to access non-Oracle software.
Table 4-1 Oracle Executables Requiring Windows Firewall Exceptions
File Name | Executable Name |
---|---|
|
Oracle Services for Microsoft Transaction Server |
|
Oracle Database Gateway for Sybase |
|
Oracle Database Gateway for Teradata |
|
Oracle Database Gateway for SQL Server |
|
Oracle Database Gateway for DRDA |
|
Oracle Database Gateway for APPC |
|
Oracle Database Gateway for APPC |
|
Oracle Database Gateway for WebSphere MQ |
|
Oracle Database Gateway for WebSphere MQ |
|
Oracle Database Gateway for ODBC |
If you installed the Oracle grid infrastructure software on the nodes in your cluster, then you can enable the Windows Firewall only after adding the following executables and ports to the Firewall exception list. The Firewall Exception list must be updated on each node.
Grid_home
\bin\gpnpd.exe
- Grid Plug and Play daemon
Grid_home
\bin\oracle.exe
- Oracle ASM executable (if using Oracle ASM for storage)
Grid_home
\bin\racgvip.exe
- Virtual Internet Protocol Configuration Assistant
Grid_home
\bin\evmd.exe
- OracleEVMService
Grid_home
\bin\crsd.exe
- OracleCRService
Grid_home
\bin\ocssd.exe
- OracleCSService
Grid_home
\bin\octssd.exe
- Cluster Time Synchronization Service daemon
Grid_home
\bin\mDNSResponder.exe
- multicast-DNS Responder Daemon
Grid_home
\bin\gipcd.exe
- Grid IPC daemon
Grid_home
\bin\gnsd.exe
- Grid Naming Service daemon
Grid_home
\bin\ohasd.exe
- OracleOHService
Grid_home
\bin\TNSLSNR.EXE
- SCAN listener and local listener for Oracle Database and Oracle ASM
Grid_home
\opmn\bin\ons.exe
- Oracle Notification Service
Grid_home
\jdk\jre\bin\java.exe
- Java Virtual Machine
In additional to all the previously listed exceptions, if you use any of the Oracle software listed in, then you must create an exception for Windows Firewall for the associated executable.
Postinstallation configuration for the Windows Firewall must be undertaken if all of the following conditions are met:
Oracle server-side components are installed.
These components include the Oracle Database, network listeners, and any Web servers or services.
The computer services connections from other computers over a network.
If no other computers connect to the computer with the Oracle software, then no postinstallation configuration steps are required and the Oracle software will function as expected.
The Windows Firewall is enabled.
If the Windows Firewall is not enabled, then no postinstallation configuration steps are required.
You can configure Windows Firewall by opening specific static TCP ports in the firewall or by creating exceptions for specific executables so that they are able to receive connection requests on any ports they choose. To configure the firewall, from the Control Panel, select Windows Firewall and then select Exceptions or enter netsh firewall add...
at the command line.
Alternatively, Windows will inform you if a foreground application is attempting to listen on a port, and it will ask you if you want to create an exception for that executable. If you choose to do so, then the effect is the same as creating an exception for the executable either in the Control Panel or from the command line.
Note:
Windows 2008 and later operating systems do not provide any information on applications attempting to listen on a port. Instead, a security audit event is logged to signal that an application is blocked.If you cannot establish certain connections even after granting exceptions to the executables listed in Table 4-1, then follow these steps to troubleshoot the installation:
Examine Oracle configuration files (such as *.conf
files), the Oracle key in the Windows registry, and network configuration files in ORACLE_HOME
\network\admin
.
Pay particular attention to any executable listed in ORACLE_HOME
\network\admin\listener.ora
in a PROGRAM=
clause. Each of these must be granted an exception in the Windows Firewall, because a connection can be made through the TNS Listener to that executable.
Examine Oracle trace files, log files, and other sources of diagnostic information for details on failed connection attempts. Log and trace files on the database client computer may contain useful error codes or troubleshooting information for failed connection attempts. The Windows Firewall log file on the server may contain useful information as well.
If the preceding troubleshooting steps do not resolve a specific configuration issue on Windows XP Service Pack 2, then provide the output from command netsh firewall show state verbose=enable
to Oracle Support for diagnosis and problem resolution.
See Also:
for information on Windows Firewall troubleshooting
http://support.microsoft.com/kb/875357
for more information on Windows Firewall configuration
Oracle Database installs with many default accounts. Database Configuration Assistant locks and expires most default database accounts upon successful installation. Oracle recommends changing all user passwords immediately after installation.
See Also:
Oracle Database Administrator's Guide for more information on default database accounts and passwordsOracle recommends that you configure Oracle Database files, directories, and registry settings to allow only authorized database administrators (DBAs) to have full control. If you created a database using Database Configuration Assistant or upgraded a database using Oracle Database Upgrade Assistant, then no further action is required.
This section describes the permissions automatically set by Oracle Universal Installer, Database Configuration Assistant, and Oracle Database Upgrade Assistant and the steps to set these permissions manually.
This section contains these topics:
Setting Windows Registry Security
See Also:
Your operating system documentation for more information about modifying NTFS file system and Windows registry settingsBeginning with Oracle9i Release 2 (9.2), Oracle Universal Installer, Database Configuration Assistant, and Database Upgrade Assistant set file permissions when Oracle Database software is installed or upgraded.
This section contains these topics:
During Oracle Database installation, by default Oracle Universal Installer installs software in ORACLE_HOME
. Oracle Universal Installer sets the following permissions to this directory, and all files and directories under this directory:
Administrators
- Full control
System
- Full control
Authenticated Users
- Read, Execute, and List Contents
Important:
If these accounts already exist and possess more restrictive permissions, then the most restrictive permissions are retained. If accounts other thanAdministrators
, System
, and Authenticated
Users
already exist, then the permissions for these accounts are removed.During database configuration, Database Configuration Assistant installs files and directories in the following default locations, where database_name
is the database name or SID
:
ORACLE_BASE
\admin\
database_name
(administration file directories)
ORACLE_BASE
\oradata\
database_name
(database file directories)
ORACLE_BASE
\oradata\
database_name
(redo log files and control files)
ORACLE_HOME
\database
(SPFILE
SID
.ORA
)
Database Configuration Assistant sets the following permissions to these directories, and all files and directories under these directories:
Administrators
- Full Control
System
- Full Control
Important:
If these accounts already exist and possess more restrictive permissions, then the most restrictive permissions are retained. If accounts other thanAdministrators
and System
already exist, then the permissions for these accounts are removed.When an older version of the database is upgraded to Oracle Database 10g Release 1 (10.1) or later, Database Upgrade Assistant installs software in the following directories, where database_name
is the database name or SID
:
ORACLE_BASE
\admin\
database_name
(administration files)
ORACLE_BASE
\oradata\
database_name
(database file directories)
ORACLE_BASE
\oradata\
database_name
(redo log files and control files)
ORACLE_BASE
\
ORACLE_HOME
\database
(SPFILE
SID
.ORA
)
Database Upgrade Assistant sets the following permissions to these directories, and all files and directories under these directories:
Administrators
- Full Control
System
- Full Control
Important:
If these accounts already exist and possess more restrictive permissions, then the most restrictive permissions are retained. If accounts other thanAdministrators
and System
already exist, then the permissions for these accounts are removed.Beginning with Oracle Database 11g Release 2 (11.2), Database Upgrade Assistant can also configure Enterprise Manager. If the "Enable daily backup" option is selected while configuring Enterprise Manager, then Database Upgrade Assistant shows a separate screen asking for Fast Recovery Area. Database Upgrade Assistant will try to create the directory structure in whatever file system location is specified if it does not exist. It will put the same set of file permissions to this location. The default location shown by DBUA for fast recovery area is:
ORACLE_BASE
\recovery_area
See Also:
"Oracle ACFS and File Access and Administration Security" section of Oracle Automatic Storage Management Administrator's Guide for more information about using Oracle ACFS and administration securityTo ensure that only authorized users have full file system permissions:
Go to Windows Explorer.
Set the following permissions for each directory or file:
Directory | Group and Permissions |
---|---|
ORACLE_HOME |
|
ORACLE_BASE \admin\ database_name |
|
ORACLE_BASE \oradata\ database_name |
|
ORACLE_HOME \database\spfile SID .ora |
|
Note:
Oracle Database uses the Windows LocalSystem built-in security account. Therefore, file permissions must be granted to theSystem
account of the local computer Oracle Database.See Also:
Your operating system online help for more information about how to modify NTFS file system and registry settingsOracle recommends that you remove write permissions from users who are not Oracle Database DBAs or system administrators in HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE
of the Windows registry.
To remove write permissions:
Open the registry.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE
.
Select Permissions from the Security main menu.
The Registry Key Permissions dialog appears.
Remove write permissions from any users who are not Oracle Database DBAs or system administrators. Note that the SYSTEM
account must have Full Control, since this is the account with which Oracle Database runs.
Ensure that user accounts that must run Oracle applications have read privileges.
Choose OK.
This release includes Oracle Scheduler (the Scheduler) which provides enterprise scheduling functionality. External jobs performed by the user are started using the OracleJobScheduler
SID
service. This service is disabled by default. To use the external jobs functionality, the administrator must set the user name and password for the user account under which this service must run and enable the service.
Restricting execution of external jobs to a low-privileged user prevents unauthorized database users from gaining operating system level privileges, but it also places restrictions on the kinds of jobs that can be run. Jobs requiring a higher level of operating system privileges cannot be run by this mechanism.
Enabling and starting the OracleJobScheduler
SID
service is required only for compatibility with Oracle Database 10g Release 1 and Release 2, for local external jobs that do not use credentials. This service is not required if all local external jobs use credentials. For improved security, Oracle recommends that all local external jobs use credentials.
See Also:
Oracle Database Administrator's Guide for more information about external jobsOracle Multimedia (formerly interMedia) is a feature that enables Oracle Database to store, manage, and retrieve images. It also helps DICOM format medical images and other DICOM data, audio, video, or other heterogeneous media data in an integrated fashion with other enterprise information. Oracle Multimedia extends Oracle Database reliability, availability, and data management to multimedia content in traditional, Internet, electronic commerce, medical, and media-rich applications.
If you install Standard Edition, Standard Edition One, or Enterprise Edition, then Database Configuration Assistant starts automatically at the end of installation. If you choose any Database Configuration Assistant installation type other than Customized, then Oracle Multimedia does not require manual configuration. All tasks described in this section are performed automatically.
If you select Customized installation, then Database Configuration Assistant will guide you through configuration of Oracle Multimedia.
If you are creating and configuring a database manually, then you can configure Oracle Multimedia as follows:
Start SQL*Plus:
C:\> sqlplus /NOLOG
Connect to Oracle Database with account SYSDBA
:
SQL> CONNECT / AS SYSDBA
Start the database (if necessary):
SQL> STARTUP
Run script ordinst.sql
:
SQL> ORACLE_HOME\ord\admin\ordinst.sql SYSAUX SYSAUX
Run script iminst.sql
:
SQL> ORACLE_HOME\ord\im\admin\catim.sql
Exit SQL*Plus:
SQL> EXIT
Note:
If you manually copy your Oracle8ilistener.ora
and tnsnames.ora
files into your Oracle Database network directory, then you must modify network configuration files tnsnames.ora
and listener.ora
on your server to enable external routine calls to work and Oracle Multimedia to function properly. Follow the procedure in Oracle Net Services Administrator's Guide.Oracle Text enables text queries through SQL and PL/SQL from most Oracle interfaces. By installing Oracle Text with an Oracle Database server, client tools such as SQL*Plus and Pro*C/C++ are able to retrieve and manipulate text in Oracle Database.
Oracle Text manages textual data in concert with traditional data types in Oracle Database. When text is inserted, updated, or deleted, Oracle Text automatically manages the change.
If you install Oracle Text from the media and do not have a previous release of Oracle Text installed, then Oracle Database is already configured for use with Oracle Text if one of the following is true:
You created the database by using Database Configuration Assistant in standalone mode, and selected Typical database creation type.
The database is a starter database that you created by performing the following sequence of steps:
Select Oracle Database 11g in the Select a Product to Install window.
Select Typical Installation in the Select Installation Method window.
See Also:
Oracle Database Installation Guide for Microsoft Windows for more information about creating a starter database
If none of these is true, then you must configure Oracle Database for use with Oracle Text by using "Configuring Oracle Text Using Database Configuration Assistant".
Upgrading Oracle Text from a Previous Release
If you install Oracle Text from the 11.2 media and have a previous release of Oracle Text (formerly called interMedia Text) already installed, then the executables for USER_FILTER are now executed from ORACLE_HOME
\ctx\bin.
Therefore, after the upgrade, you must issue the following sql command as database user SYS, SYSTEM,
or CTXSYS,
to get a list of USER_FILTER executables. These executables must be copied from ORACLE_HOME
\bin
to ORACLE_HOME
\ctx\bin
:
SQL> SELECT IXV_VALUE FROM CTXSYS.CTX_INDEX_VALUES WHERE IXV_CLASS='FILTER' AND IXV_OBJECT='USER_FILTER' AND IXV_ATTRIBUTE='COMMAND';
Configuring Oracle Text Using Database Configuration Assistant
To use Database Configuration Assistant to configure Oracle Database for use with Oracle Text at the time you create the database, simply select Oracle Text as the option to configure when prompted.
To configure the database at a later time:
Start Database Configuration Assistant.
From the Start menu, select Programs, then select Oracle - HOME_NAME, then select Configuration and Migration Tools and then select Database Configuration Assistant.
Select Configure database options in a database.
Select the database to modify when prompted.
Select Oracle Text as the option to configure when prompted.
Oracle Spatial makes storage, retrieval, and manipulation of spatial data easier and more intuitive to users.
One example of spatial data is a road map. A road map is a two-dimensional object that contains points, lines, and polygons representing cities, roads, and political boundaries such as states. A road map represents geographic information. Locations of cities, roads, and political boundaries are projected onto a two-dimensional display or piece of paper, preserving relative positions and relative distances of objects.
If you install Oracle Spatial through Enterprise Edition, then no manual configuration is required. All Oracle Spatial configuration tasks are performed automatically.
If you install both Oracle Spatial and Oracle Database together through Enterprise Edition or Standard Edition Custom installation, then Database Configuration Assistant starts automatically at the end of installation. If you choose Custom installation and select Create new database, then the assistant asks if Oracle Spatial is to be configured automatically.
If you install Oracle Spatial during a separate installation from Enterprise Edition, then you must either start Database Configuration Assistant and select Configure database options in a database or configure Oracle Spatial manually.
To configure Oracle Spatial manually:
Start SQL*Plus at the command prompt:
C:\> sqlplus /NOLOG
Connect to Oracle Database with account SYSDBA
:
SQL> CONNECT / AS SYSDBA
Start the database (if necessary):
SQL> STARTUP
Run script ordinst.sql
:
SQL> ORACLE_HOME\ord\admin\ordinst.sql SYSAUX SYSAUX
Connect to the database as user SYSTEM:
SQL> CONNECT SYSTEM
Enter password: system_password
Run script mdinst.sql
:
SQL> ORACLE_HOME\md\admin\mdinst.sql
Exit SQL*Plus:
SQL> EXIT
Note:
Scriptmdinst.sql
has a variable %MD_SYS_PASSWORD%
that Oracle Universal Installer will instantiate at installation time. Therefore, if you have changed the mdsys user's password, then during a manual installation remember to update script mdinst.sql with that password.Oracle Database installs replication packages and procedures automatically rather than as a separate manual process. There are many configuration and usage possibilities with Advanced Replication.
This section describes how to manually configure Advanced Replication in Oracle Database. Follow the instructions only if you add Advanced Replication to an installation of Oracle Database that was not previously configured with this feature.
See Also:
Oracle Database Advanced Replication for more information about Advanced Replication and for definitions of master sites and materialized view sitesConfiguring Advanced Replication consists of the following steps:
Recommended tablespace and rollback segment requirements for Advanced Replication are shown in Table 4-3.
Table 4-3 Advanced Replication Tablespace/Rollback Segment Requirements
Tablespace/Rollback Segment | Minimum Free Space |
---|---|
SYSTEM |
20 MB |
UNDO TABLESPACE |
10 MB |
RBS |
5 MB |
TEMP |
10 MB |
USERS |
No specific requirement |
Note:
Replication triggers and procedures are stored here.If you use Advanced Replication, then certain parameter values must be added to the initialization parameter file, and others must be set to recommended values. Parameter names and values for the master site and materialized view sites are shown in Table 4-4.
Table 4-4 Advanced Replication Initialization Parameters
Parameter Name | Recommended Value | Site |
---|---|---|
|
50 MB |
master |
|
300 seconds |
master |
|
TRUE |
master |
|
4 |
master |
|
Add 9 to current value |
master |
|
2 Note |
master |
|
2 |
materialized view |
Depends on number of n-way sites.
If you use Advanced Replication and intend to set up a large number of replicated objects, then you are required to monitor the following data dictionary tables with the SQL SELECT
command:
ARGUMENT$
IDL_CHAR$
IDL_UB1$
IDL_UB2$
IDL_SB4$
I_ARGUMENT1
I_SOURCE1I$
SOURCE$
TRIGGER
If necessary, increase storage parameters to accommodate storage requirements of large numbers of replicated objects.