4 Postinstallation Configuration Tasks on Windows

This chapter describes configuration tasks you can perform to increase security and other configuration tasks you must perform before using Oracle Multimedia and other Oracle options. Where appropriate, the chapter provides references to other guides for those configuration tasks.

Windows Firewall

By default, all newer Windows operating systems enable the Windows Firewall to block virtually all TCP network ports to incoming connections. As a result, any Oracle products that listen for incoming connections on a TCP port will not receive any of those connection requests, and the clients making those connections will report errors.

Depending upon which Oracle products are installed and how they are used, some postinstallation configuration of the Windows Firewall might be required for the products to be functional on these operating systems.

Oracle Executables Requiring Firewall Exceptions

Table 4-1 lists the Oracle Database 10g Release 1 (10.1) or later executables that listen on TCP ports on Windows. If they are in use and accepting connections from a remote client computer, then Oracle recommends that you add them to the Windows Firewall exceptions list to ensure correct operation. Except as noted, they can be found in ORACLE_HOME\bin.

Note:

If multiple Oracle homes are in use, then several firewall exceptions may be needed for the same executable: one for each home from which that executable loads.

You must configure exceptions for the Windows Firewall if your system meets all of the following conditions:

  • Oracle server-side components are installed on a Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows 2008 R2, Windows Server 2012 or Windows Server 2012 R2 system. The list of components includes the Oracle Database, Oracle Grid Infrastructure, network listeners, or any Web servers or services.

  • The Windows system in question accepts connections from other machines over the network. If no other machines will be connecting to the Windows system to access the Oracle software, then no postinstallation configuration steps are required and the Oracle software will function as expected.

  • The Windows system in question is configured to run the Windows Firewall. If the Windows Firewall is not enabled, then no postinstallation configuration steps are required.

If all of the above conditions are met, then the Windows Firewall must be configured to allow successful incoming connections to the Oracle software. To enable Oracle software to accept connection requests, Windows Firewall needs to be configured by either opening up specific static TCP ports in the firewall or by creating exceptions for specific executables so they can receive connection requests on any ports they choose. This firewall configuration can be done by one of the following methods:

  • From the Control Panel, select Windows Firewall. In the Windows Firewall application, select the Exceptions tab and then click either Add Program or Add Port to create exceptions for the Oracle software.

  • From the command prompt, use the netsh firewall add... command.

  • When Windows notifies you that a foreground application is attempting to listen on a port, it gives you the opportunity to create an exception for that executable. If you choose to create the exception in this way, the effect is the same as creating an exception for the executable either through Control Panel or from the command line.

The following sections list the Oracle Database 11g Release 2 executables that listen on TCP ports on Windows, along with a brief description of the executable. It is recommended that these executables (if in use and accepting connections from a remote, client computer) be added to the exceptions list for the Windows Firewall to ensure correct operation. In addition, if multiple Oracle homes are in use, firewall exceptions may need to be created for the same executable, for example, oracle.exe, multiple times, once for each Oracle home from which that executable loads.

Firewall Exceptions for Oracle Database

For basic database operation and connectivity from remote clients (SQL*Plus, OCI, ODBC, OLE DB applications, and so on), the following executables must be added to the Windows Firewall exception list:

  • Oracle_home\bin\oracle.exe - Oracle Database executable

  • Oracle_home\bin\tnslsnr.exe - Oracle Listener

For remote monitoring capabilities to be available for a database on Windows, the following executables must be added to the Windows Firewall exception list:

  • Oracle_home\bin\emagent.exe - Oracle Database Control

  • Oracle_home\jdk\bin\java.exe - Java Virtual Machine

Firewall Exceptions for Oracle Database Examples

After installing the Oracle Database Examples, the following executables must be added to the Windows Firewall exception list:

  • Oracle_home\opmn\bin\opmn.exe - Oracle Process Manager

  • Oracle_home\jdk\bin\java.exe - Java Virtual Machine

Firewall Exceptions for Oracle Gateways

If your Oracle database interacts with non-Oracle software through a gateway, then you must add the gateway executable to the Windows Firewall exception list. Table 4-1 lists the gateway executables used to access non-Oracle software.

Table 4-1  Oracle Executables Requiring Windows Firewall Exceptions

File Name       Executable Name
omtsreco.exe    Oracle Services for Microsoft Transaction Server
dg4sybs.exe     Oracle Database Gateway for Sybase
dg4tera.exe     Oracle Database Gateway for Teradata
dg4msql.exe     Oracle Database Gateway for SQL Server
dg4db2.exe      Oracle Database Gateway for DRDA
pg4arv.exe      Oracle Database Gateway for APPC
pg4t4ic.exe     Oracle Database Gateway for APPC
dg4mqs.exe      Oracle Database Gateway for WebSphere MQ
dg4mqc.exe      Oracle Database Gateway for WebSphere MQ
dg4odbc.exe     Oracle Database Gateway for ODBC

Firewall Exceptions for Oracle Clusterware and Oracle ASM

If you installed the Oracle grid infrastructure software on the nodes in your cluster, then you can enable the Windows Firewall only after adding the following executables and ports to the Firewall exception list. The Firewall Exception list must be updated on each node.

  • Grid_home\bin\gpnpd.exe - Grid Plug and Play daemon

  • Grid_home\bin\oracle.exe - Oracle ASM executable (if using Oracle ASM for storage)

  • Grid_home\bin\racgvip.exe - Virtual Internet Protocol Configuration Assistant

  • Grid_home\bin\evmd.exe - OracleEVMService

  • Grid_home\bin\crsd.exe - OracleCRService

  • Grid_home\bin\ocssd.exe - OracleCSService

  • Grid_home\bin\octssd.exe - Cluster Time Synchronization Service daemon

  • Grid_home\bin\mDNSResponder.exe - multicast-DNS Responder Daemon

  • Grid_home\bin\gipcd.exe - Grid IPC daemon

  • Grid_home\bin\gnsd.exe - Grid Naming Service daemon

  • Grid_home\bin\ohasd.exe - OracleOHService

  • Grid_home\bin\TNSLSNR.EXE - SCAN listener and local listener for Oracle Database and Oracle ASM

  • Grid_home\opmn\bin\ons.exe - Oracle Notification Service

  • Grid_home\jdk\jre\bin\java.exe - Java Virtual Machine

Firewall Exceptions for Other Oracle Products

In addition to all the previously listed exceptions, if you use any of the Oracle software listed in Table 4-2, then you must create an exception for Windows Firewall for the associated executable.

Table 4-2  Other Oracle Software Products Requiring Windows Firewall Exceptions

Oracle Software Product                  Executable Name
Data Guard Manager                       dgmgrl.exe
Oracle Internet Directory LDAP Server    oidldapd.exe
External Procedural Calls                extproc.exe


Configuring the Windows Firewall

Postinstallation configuration for the Windows Firewall must be undertaken if all of the following conditions are met:

  • Oracle server-side components are installed.

    These components include the Oracle Database, network listeners, and any Web servers or services.

  • The computer services connections from other computers over a network.

    If no other computers connect to the computer with the Oracle software, then no postinstallation configuration steps are required and the Oracle software will function as expected.

  • The Windows Firewall is enabled.

    If the Windows Firewall is not enabled, then no postinstallation configuration steps are required.

You can configure Windows Firewall by opening specific static TCP ports in the firewall or by creating exceptions for specific executables so that they are able to receive connection requests on any ports they choose. To configure the firewall, from the Control Panel, select Windows Firewall and then select Exceptions or enter netsh firewall add... at the command line.

Alternatively, Windows will inform you if a foreground application is attempting to listen on a port, and it will ask you if you want to create an exception for that executable. If you choose to do so, then the effect is the same as creating an exception for the executable either in the Control Panel or from the command line.

Note:

Windows 2008 and later operating systems do not provide any information on applications attempting to listen on a port. Instead, a security audit event is logged to signal that an application is blocked.
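
The multiple-home case described above, as an added example (not Oracle's code): one inbound program rule per executable per Oracle home, limited to a client subnet because a program exception otherwise admits connections on any port the executable opens. It uses netsh advfirewall firewall add rule, the command form on Windows Server 2008 and later, instead of the older netsh firewall add syntax this page names; the home path and client subnet are assumptions.

```powershell
# Added example, not Oracle's code. Run from an elevated PowerShell prompt.
param(
    [string[]]$OracleHomes = @('C:\app\oracle\product\11.2.0\dbhome_1'),  # assumed path
    [string]$ClientSubnet  = '192.0.2.0/24',  # assumed client range (documentation prefix)
    [switch]$Apply                             # without -Apply, only list the planned rules
)

# Executables this page lists for basic remote connectivity, relative to each home.
$Executables = @('bin\oracle.exe', 'bin\tnslsnr.exe')

function Get-OracleFirewallRule {
    param([string[]]$Homes, [string[]]$RelativePaths, [string]$RemoteIp)
    foreach ($oracleHome in $Homes) {
        foreach ($rel in $RelativePaths) {
            $exe  = [IO.Path]::Combine($oracleHome, $rel)
            # The home is part of the rule name: the same file name loaded from
            # a second home is a different program path and needs its own rule.
            $name = 'Oracle {0} ({1})' -f (Split-Path $rel -Leaf), $oracleHome
            New-Object psobject -Property @{
                Name      = $name
                Program   = $exe
                Arguments = @('advfirewall', 'firewall', 'add', 'rule', "name=$name",
                              'dir=in', 'action=allow', 'protocol=TCP', 'enable=yes',
                              "program=$exe", "remoteip=$RemoteIp")
            }
        }
    }
}

foreach ($rule in Get-OracleFirewallRule $OracleHomes $Executables $ClientSubnet) {
    if (-not (Test-Path -LiteralPath $rule.Program)) {
        Write-Warning "Not installed in this home, skipped: $($rule.Program)"
        continue
    }
    if ($Apply) {
        # Delete an earlier rule of the same name so reruns do not add duplicates.
        & netsh advfirewall firewall delete rule "name=$($rule.Name)" | Out-Null
        $netshArgs = $rule.Arguments
        & netsh $netshArgs
    } else {
        $rule | Select-Object Name, Program
    }
}
```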

Troubleshooting Windows Firewall Exceptions

If you cannot establish certain connections even after granting exceptions to the executables listed in Table 4-1, then follow these steps to troubleshoot the installation:

  1. Examine Oracle configuration files (such as *.conf files), the Oracle key in the Windows registry, and network configuration files in ORACLE_HOME\network\admin.

  2. Pay particular attention to any executable listed in ORACLE_HOME\network\admin\listener.ora in a PROGRAM= clause. Each of these must be granted an exception in the Windows Firewall, because a connection can be made through the TNS Listener to that executable.

  3. Examine Oracle trace files, log files, and other sources of diagnostic information for details on failed connection attempts. Log and trace files on the database client computer may contain useful error codes or troubleshooting information for failed connection attempts. The Windows Firewall log file on the server may contain useful information as well.

  4. If the preceding troubleshooting steps do not resolve a specific configuration issue on Windows XP Service Pack 2, then provide the output from command netsh firewall show state verbose=enable to Oracle Support for diagnosis and problem resolution.
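
Step 2 above, as an added example (not Oracle's code): it extracts every PROGRAM= entry from listener.ora, resolves it against the ORACLE_HOME of the same SID_DESC block, and reports which executables have no matching firewall exception. The listener.ora text and the exception list are constructed samples; Get-InboundAllowedProgram reads the live rules through the HNetCfg.FwPolicy2 COM object available on Windows Server 2008 and later.

```powershell
# Added example, not Oracle's code. Constructed listener.ora content:
$SampleListenerOra = @'
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = C:\app\oracle\product\11.2.0\dbhome_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = dg4msql)   # gateway entry
      (ORACLE_HOME = C:\app\oracle\product\11.2.0\dbhome_1)
      (PROGRAM = dg4msql)
    )
  )
'@
# Constructed list of programs that already have an inbound exception.
$SampleExceptions = @('C:\app\oracle\product\11.2.0\dbhome_1\bin\tnslsnr.exe',
                      'C:\app\oracle\product\11.2.0\dbhome_1\bin\extproc.exe')

function Get-ListenerProgram {
    param([string]$Text)
    # Drop "#" comments, then cut out each SID_DESC block by balancing parentheses.
    $clean = ($Text -split "`r?`n" | ForEach-Object { $_ -replace '#.*$', '' }) -join "`n"
    foreach ($m in [regex]::Matches($clean, '(?i)\(\s*SID_DESC\s*=')) {
        $depth = 0; $end = $m.Index
        for ($i = $m.Index; $i -lt $clean.Length; $i++) {
            if ($clean[$i] -eq '(') { $depth++ }
            elseif ($clean[$i] -eq ')') { $depth--; if ($depth -eq 0) { $end = $i; break } }
        }
        $block = $clean.Substring($m.Index, $end - $m.Index + 1)
        $prog  = [regex]::Match($block, '(?i)\(\s*PROGRAM\s*=\s*([^)]+?)\s*\)')
        if (-not $prog.Success) { continue }          # ordinary database SID, no program
        $oh  = [regex]::Match($block, '(?i)\(\s*ORACLE_HOME\s*=\s*([^)]+?)\s*\)')
        $exe = $prog.Groups[1].Value
        if (-not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }
        if (-not [IO.Path]::IsPathRooted($exe) -and $oh.Success) {
            $exe = '{0}\bin\{1}' -f $oh.Groups[1].Value.TrimEnd('\'), $exe
        }
        $exe
    }
}

function Get-InboundAllowedProgram {
    # Live rules: Direction 1 = inbound, Action 1 = allow.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules |
        Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.ApplicationName } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.ApplicationName) }
}

function Test-ListenerProgramException {
    param([string]$Text, [string[]]$AllowedPrograms)
    foreach ($exe in Get-ListenerProgram $Text) {
        New-Object psobject -Property @{
            Program      = $exe
            HasException = ($AllowedPrograms -contains $exe)   # -contains ignores case
        } | Select-Object Program, HasException
    }
}

# With the constructed samples: extproc.exe is covered, dg4msql.exe is not.
Test-ListenerProgramException $SampleListenerOra $SampleExceptions
```

On a real server, pass (Get-Content ORACLE_HOME\network\admin\listener.ora | Out-String) and (Get-InboundAllowedProgram) in place of the two samples.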

Resetting Passwords for Default Accounts

Oracle Database installs with many default accounts. Database Configuration Assistant locks and expires most default database accounts upon successful installation. Oracle recommends changing all user passwords immediately after installation.

See Also:

Oracle Database Administrator's Guide for more information on default database accounts and passwords

NTFS File System and Windows Registry Permissions

Oracle recommends that you configure Oracle Database files, directories, and registry settings to allow only authorized database administrators (DBAs) to have full control. If you created a database using Database Configuration Assistant or upgraded a database using Oracle Database Upgrade Assistant, then no further action is required.

This section describes the permissions automatically set by Oracle Universal Installer, Database Configuration Assistant, and Oracle Database Upgrade Assistant and the steps to set these permissions manually.

File Permissions

Beginning with Oracle9i Release 2 (9.2), Oracle Universal Installer, Database Configuration Assistant, and Database Upgrade Assistant set file permissions when Oracle Database software is installed or upgraded.

File Permissions Set by Oracle Universal Installer

During Oracle Database installation, by default Oracle Universal Installer installs software in ORACLE_HOME. Oracle Universal Installer sets the following permissions on this directory, and on all files and directories under this directory:

  • Administrators - Full control

  • System - Full control

  • Authenticated Users - Read, Execute, and List Contents

    Important:

    If these accounts already exist and possess more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, System, and Authenticated Users already exist, then the permissions for these accounts are removed.

File Permissions Set by Database Configuration Assistant

During database configuration, Database Configuration Assistant installs files and directories in the following default locations, where database_name is the database name or SID:

  • ORACLE_BASE\admin\database_name (administration file directories)

  • ORACLE_BASE\oradata\database_name (database file directories)

  • ORACLE_BASE\oradata\database_name (redo log files and control files)

  • ORACLE_HOME\database (SPFILESID.ORA)

Database Configuration Assistant sets the following permissions on these directories, and on all files and directories under these directories:

  • Administrators - Full Control

  • System - Full Control

    Important:

    If these accounts already exist and possess more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators and System already exist, then the permissions for these accounts are removed.

File Permissions Set by Database Upgrade Assistant

When an older version of the database is upgraded to Oracle Database 10g Release 1 (10.1) or later, Database Upgrade Assistant installs software in the following directories, where database_name is the database name or SID:

  • ORACLE_BASE\admin\database_name (administration files)

  • ORACLE_BASE\oradata\database_name (database file directories)

  • ORACLE_BASE\oradata\database_name (redo log files and control files)

  • ORACLE_BASE\ORACLE_HOME\database (SPFILESID.ORA)

Database Upgrade Assistant sets the following permissions on these directories, and on all files and directories under these directories:

  • Administrators - Full Control

  • System - Full Control

    Important:

    If these accounts already exist and possess more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators and System already exist, then the permissions for these accounts are removed.

Beginning with Oracle Database 11g Release 2 (11.2), Database Upgrade Assistant can also configure Enterprise Manager. If the "Enable daily backup" option is selected while configuring Enterprise Manager, then Database Upgrade Assistant shows a separate screen asking for the Fast Recovery Area. If the specified file system location does not exist, then Database Upgrade Assistant tries to create the directory structure there, and it applies the same set of file permissions to this location. The default location shown by DBUA for the fast recovery area is:

  • ORACLE_BASE\recovery_area

See Also:

"Oracle ACFS and File Access and Administration Security" section of Oracle Automatic Storage Management Administrator's Guide for more information about using Oracle ACFS and administration security

Setting NTFS File System Security

To ensure that only authorized users have full file system permissions:

  1. Go to Windows Explorer.

  2. Set the following permissions for each directory or file:

    Directory / Group and Permissions

    ORACLE_HOME
    • Administrators - Full Control
    • System - Full Control
    • Authenticated Users - Read, Execute and List Contents

    ORACLE_BASE\admin\database_name
    • Administrators - Full Control
    • System - Full Control

    ORACLE_BASE\oradata\database_name
    • Administrators - Full Control
    • System - Full Control

    ORACLE_HOME\database\spfileSID.ora
    • Administrators - Full Control
    • System - Full Control


Note:

Oracle Database uses the Windows LocalSystem built-in security account. Therefore, file permissions must be granted to the System account of the local computer running Oracle Database.

See Also:

Your operating system online help for more information about how to modify NTFS file system and registry settings

Setting Windows Registry Security

Oracle recommends that you remove write permissions from users who are not Oracle Database DBAs or system administrators in HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE of the Windows registry.

To remove write permissions:

  1. Open the registry.

  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE.

  3. Select Permissions from the Security main menu.

    The Registry Key Permissions dialog appears.

  4. Remove write permissions from any users who are not Oracle Database DBAs or system administrators. Note that the SYSTEM account must have Full Control, since this is the account with which Oracle Database runs.

  5. Ensure that user accounts that must run Oracle applications have read privileges.

  6. Choose OK.

  7. Exit the registry.
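
The NTFS permissions table and the registry procedure above, checked in one pass, as an added example (not Oracle's code): it reads each ACL and reports every allow entry that grants more than this page permits. The Oracle base, home and SID values are assumptions, and "everyone else may read the registry key" is this example's reading of steps 4 and 5; well-known SIDs are used so the check does not depend on the display language.

```powershell
# Added example, not Oracle's code. Run elevated so every ACL can be read.
$Admins = 'S-1-5-32-544'; $System = 'S-1-5-18'; $AuthUsers = 'S-1-5-11'  # well-known SIDs
$Full    = -1   # mask with every bit set: nothing counts as excess
$FileRX  = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
$RegRead = [int][System.Security.AccessControl.RegistryRights]'ReadKey'

$OracleBase = 'C:\app\oracle'                         # assumed
$OracleHome = "$OracleBase\product\11.2.0\dbhome_1"   # assumed
$Sid        = 'orcl'                                  # assumed database name / SID

# Identities allowed Full Control everywhere; add the SID of your DBA group here.
$Trusted = @{ $Admins = $Full; $System = $Full }

# Path, identities with their maximum rights, and the maximum for anyone else.
$Policy = @(
    @{ Path = $OracleHome; Allowed = $Trusted + @{ $AuthUsers = $FileRX }; Others = 0 }
    @{ Path = "$OracleBase\admin\$Sid";   Allowed = $Trusted; Others = 0 }
    @{ Path = "$OracleBase\oradata\$Sid"; Allowed = $Trusted; Others = 0 }
    @{ Path = "$OracleHome\database\spfile$Sid.ora"; Allowed = $Trusted; Others = 0 }
    @{ Path = 'HKLM:\SOFTWARE\ORACLE';    Allowed = $Trusted; Others = $RegRead }
)

function Get-AclFinding {
    param([string]$Path, [hashtable]$Allowed, [int]$Others)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            [int]$ace.RegistryRights
        } else {
            [int]$ace.FileSystemRights
        }
        $mask   = if ($Allowed.ContainsKey($sid)) { $Allowed[$sid] } else { $Others }
        $excess = $rights -band (-bnot $mask)
        if ($excess -eq 0) { continue }
        # Entries that carry generic rights bits for a restricted identity also
        # land here; review those by hand.
        $name = $sid
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # orphaned SID: keep the raw value
        New-Object psobject -Property @{
            Path = $Path; Identity = $name; Inherited = $ace.IsInherited
            ExcessRights = '0x{0:X8}' -f $excess
        } | Select-Object Path, Identity, Inherited, ExcessRights
    }
}

foreach ($item in $Policy) {
    if (-not (Test-Path $item.Path)) { Write-Warning "Not found: $($item.Path)"; continue }
    Get-AclFinding -Path $item.Path -Allowed $item.Allowed -Others $item.Others
}
```

No output means no allow entry exceeds the policy; it does not confirm that SYSTEM holds Full Control, which the page also requires.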

Configuring External Job Support for the Scheduler on Windows

This release includes Oracle Scheduler (the Scheduler) which provides enterprise scheduling functionality. External jobs performed by the user are started using the OracleJobSchedulerSID service. This service is disabled by default. To use the external jobs functionality, the administrator must set the user name and password for the user account under which this service must run and enable the service.

Restricting execution of external jobs to a low-privileged user prevents unauthorized database users from gaining operating system level privileges, but it also places restrictions on the kinds of jobs that can be run. Jobs requiring a higher level of operating system privileges cannot be run by this mechanism.

Enabling and starting the OracleJobSchedulerSID service is required only for compatibility with Oracle Database 10g Release 1 and Release 2, for local external jobs that do not use credentials. This service is not required if all local external jobs use credentials. For improved security, Oracle recommends that all local external jobs use credentials.

See Also:

Oracle Database Administrator's Guide for more information about external jobs

Configuring Oracle Multimedia on Windows

Oracle Multimedia (formerly interMedia) is a feature that enables Oracle Database to store, manage, and retrieve images. It also handles DICOM format medical images and other DICOM data, audio, video, and other heterogeneous media data in an integrated fashion with other enterprise information. Oracle Multimedia extends Oracle Database reliability, availability, and data management to multimedia content in traditional, Internet, electronic commerce, medical, and media-rich applications.

If you install Standard Edition, Standard Edition One, or Enterprise Edition, then Database Configuration Assistant starts automatically at the end of installation. If you choose any Database Configuration Assistant installation type other than Customized, then Oracle Multimedia does not require manual configuration. All tasks described in this section are performed automatically.

If you select Customized installation, then Database Configuration Assistant will guide you through configuration of Oracle Multimedia.

If you are creating and configuring a database manually, then you can configure Oracle Multimedia as follows:

  1. Start SQL*Plus:

    C:\> sqlplus /NOLOG
    
  2. Connect to Oracle Database with account SYSDBA:

    SQL> CONNECT / AS SYSDBA
    
  3. Start the database (if necessary):

    SQL> STARTUP
    
  4. Run script ordinst.sql:

    SQL> @ORACLE_HOME\ord\admin\ordinst.sql SYSAUX SYSAUX
    
  5. Run script iminst.sql:

    SQL> @ORACLE_HOME\ord\im\admin\catim.sql
    
  6. Exit SQL*Plus:

    SQL> EXIT
    

    Note:

    If you manually copy your Oracle8i listener.ora and tnsnames.ora files into your Oracle Database network directory, then you must modify network configuration files tnsnames.ora and listener.ora on your server to enable external routine calls to work and Oracle Multimedia to function properly. Follow the procedure in Oracle Net Services Administrator's Guide.

Configuring Oracle Text on Windows

Oracle Text enables text queries through SQL and PL/SQL from most Oracle interfaces. By installing Oracle Text with an Oracle Database server, client tools such as SQL*Plus and Pro*C/C++ are able to retrieve and manipulate text in Oracle Database.

Oracle Text manages textual data in concert with traditional data types in Oracle Database. When text is inserted, updated, or deleted, Oracle Text automatically manages the change.

If you install Oracle Text from the media and do not have a previous release of Oracle Text installed, then Oracle Database is already configured for use with Oracle Text if one of the following is true:

If none of these is true, then you must configure Oracle Database for use with Oracle Text by using "Configuring Oracle Text Using Database Configuration Assistant".

Upgrading Oracle Text from a Previous Release

If you install Oracle Text from the 11.2 media and have a previous release of Oracle Text (formerly called interMedia Text) already installed, then the executables for USER_FILTER are now executed from ORACLE_HOME\ctx\bin. Therefore, after the upgrade, you must issue the following SQL command as database user SYS, SYSTEM, or CTXSYS to get a list of USER_FILTER executables. These executables must be copied from ORACLE_HOME\bin to ORACLE_HOME\ctx\bin:

SQL> SELECT IXV_VALUE FROM CTXSYS.CTX_INDEX_VALUES WHERE IXV_CLASS='FILTER'
AND IXV_OBJECT='USER_FILTER' AND IXV_ATTRIBUTE='COMMAND';

Configuring Oracle Text Using Database Configuration Assistant

To use Database Configuration Assistant to configure Oracle Database for use with Oracle Text at the time you create the database, simply select Oracle Text as the option to configure when prompted.

To configure the database at a later time:

  1. Start Database Configuration Assistant.

    From the Start menu, select Programs, then select Oracle - HOME_NAME, then select Configuration and Migration Tools and then select Database Configuration Assistant.

  2. Select Configure database options in a database.

  3. Select the database to modify when prompted.

  4. Select Oracle Text as the option to configure when prompted.

Configuring Oracle Spatial on Windows

Oracle Spatial makes storage, retrieval, and manipulation of spatial data easier and more intuitive to users.

One example of spatial data is a road map. A road map is a two-dimensional object that contains points, lines, and polygons representing cities, roads, and political boundaries such as states. A road map represents geographic information. Locations of cities, roads, and political boundaries are projected onto a two-dimensional display or piece of paper, preserving relative positions and relative distances of objects.

If you install Oracle Spatial through Enterprise Edition, then no manual configuration is required. All Oracle Spatial configuration tasks are performed automatically.

If you install both Oracle Spatial and Oracle Database together through Enterprise Edition or Standard Edition Custom installation, then Database Configuration Assistant starts automatically at the end of installation. If you choose Custom installation and select Create new database, then the assistant asks if Oracle Spatial is to be configured automatically.

If you install Oracle Spatial during a separate installation from Enterprise Edition, then you must either start Database Configuration Assistant and select Configure database options in a database or configure Oracle Spatial manually.

To configure Oracle Spatial manually:

  1. Start SQL*Plus at the command prompt:

    C:\> sqlplus /NOLOG
    
  2. Connect to Oracle Database with account SYSDBA:

    SQL> CONNECT / AS SYSDBA
    
  3. Start the database (if necessary):

    SQL> STARTUP
    
  4. Run script ordinst.sql:

    SQL> @ORACLE_HOME\ord\admin\ordinst.sql SYSAUX SYSAUX
    
  5. Connect to the database as user SYSTEM:

    SQL> CONNECT SYSTEM
    Enter password: system_password
    
  6. Run script mdinst.sql:

    SQL> @ORACLE_HOME\md\admin\mdinst.sql
    
  7. Exit SQL*Plus:

    SQL> EXIT
    

    Note:

    Script mdinst.sql has a variable %MD_SYS_PASSWORD% that Oracle Universal Installer will instantiate at installation time. Therefore, if you have changed the mdsys user's password, then during a manual installation remember to update script mdinst.sql with that password.

Configuring Advanced Replication on Windows

Oracle Database installs replication packages and procedures automatically rather than as a separate manual process. There are many configuration and usage possibilities with Advanced Replication.

This section describes how to manually configure Advanced Replication in Oracle Database. Follow the instructions only if you add Advanced Replication to an installation of Oracle Database that was not previously configured with this feature.

See Also:

Oracle Database Advanced Replication for more information about Advanced Replication and for definitions of master sites and materialized view sites

Configuring Advanced Replication consists of the following steps:

Checking Tablespace and Rollback Segment Requirements

Recommended tablespace and rollback segment requirements for Advanced Replication are shown in Table 4-3.

Table 4-3  Advanced Replication Tablespace/Rollback Segment Requirements

Tablespace/Rollback Segment    Minimum Free Space
SYSTEM                         20 MB
UNDO TABLESPACE                10 MB
RBS                            5 MB
TEMP                           10 MB
USERS                          No specific requirement


Note:

Replication triggers and procedures are stored here.

Adding and Modifying Initialization Parameters

If you use Advanced Replication, then certain parameter values must be added to the initialization parameter file, and others must be set to recommended values. Parameter names and values for the master site and materialized view sites are shown in Table 4-4.

Table 4-4  Advanced Replication Initialization Parameters

Parameter Name              Recommended Value         Site
JAVA_POOL_SIZE              50 MB                     master
DISTRIBUTED_LOCK_TIMEOUT    300 seconds               master
GLOBAL_NAMES                TRUE                      master
OPEN_LINKS                  4                         master
PROCESSES                   Add 9 to current value    master
JOB_QUEUE_PROCESSES         2 (see Note)              master
JOB_QUEUE_PROCESSES         2                         materialized view


Note

Depends on number of n-way sites.

Monitoring Data Dictionary Tables

If you use Advanced Replication and intend to set up a large number of replicated objects, then you are required to monitor the following data dictionary tables with the SQL SELECT command:

  • ARGUMENT$

  • IDL_CHAR$

  • IDL_UB1$

  • IDL_UB2$

  • IDL_SB4$

  • I_ARGUMENT1

  • I_SOURCE1I$

  • SOURCE$

  • TRIGGER

If necessary, increase storage parameters to accommodate storage requirements of large numbers of replicated objects.