Beware: Oracle RMAN Password Only Encrypted Compressed Backups to Tape Might Not Decrypt

So, a few weekends ago I had a BIG scare. I was moving an Oracle Database Appliance from one data center to another. Oracle said the only supported method to do so was to wipe the machine back to bare metal and rebuild it in the new data center with all the new IP addresses and network settings. To prepare for this I did a cold backup of a database to tape (really Oracle Cloud Backup) and used the following RMAN commands:

RMAN> set encryption on identified by ******************* only;
RMAN> backup device type sbt incremental level 0
      tag '2018_06_29_SERVER_MOVE' force as compressed backupset database;

Unfortunately, when it came time to read that backup from Oracle Cloud Backup (our configured sbt device), I got the following error:

ORA-19913: unable to decrypt backup

As I worked through the issue with Oracle Support for a very long time I eventually started working with some support folks who said the following:

“I’ve seen issues in the past when you do a password only encrypted compressed backup to tape where it can’t be decrypted. You shouldn’t do that.”

I think this is potentially one of the biggest bugs in the history of Oracle (if you can’t trust a backup then something is very very wrong!) if the issue is really there… I’ve yet to be able to do any additional testing of this, but figured I’d give folks a warning.

As an aside, I did take a disk backup before the tape backup and then copied the disk backup to a mounted NFS drive. I was able to move that disk backup over to the server and restore from it, so no customer data was harmed during the server move.
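A check that fits the situation above, as an added example that is not part of the original post: before wiping a server, have RMAN read the tagged backup back with RESTORE ... VALIDATE and gate the next step on the resulting log. The BACKUP_PW variable, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: refuse to proceed unless RMAN could read the backup back.
# BACKUP_PW is an operator-supplied environment variable (assumption).

# Emit RMAN commands that supply the password and read the tagged backup
# end to end without writing any datafiles (RESTORE ... VALIDATE).
rman_validate_script() {
  printf "set decryption identified by '%s';\n" "${BACKUP_PW:?set BACKUP_PW}"
  printf "restore database from tag '%s' validate;\n" "$1"
}

# Succeed only if the log has no ORA-/RMAN- error line AND shows the
# restore finishing; a truncated log therefore counts as a failure.
backup_is_restorable() {
  if grep -Eq '^(ORA|RMAN)-[0-9]{5}:' "$1"; then
    return 1
  fi
  grep -q '^Finished restore at ' "$1"
}

# On the database host (not executed in this example):
#   rman_validate_script "$TAG" | rman target / log=validate.log
#   backup_is_restorable validate.log || exit 1

# Constructed sample logs, not captured from a real system.
sample_ok_log() { cat <<'EOF'
Starting restore at 29-JUN-18
channel ORA_SBT_TAPE_1: validation complete, elapsed time: 00:12:41
Finished restore at 29-JUN-18
EOF
}
sample_bad_log() { cat <<'EOF'
Starting restore at 29-JUN-18
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-03002: failure of restore command at 06/29/2018 21:14:07
ORA-19913: unable to decrypt backup
EOF
}

tmp=$(mktemp -d)
sample_ok_log  > "$tmp/ok.log"
sample_bad_log > "$tmp/bad.log"
for f in ok bad; do
  if backup_is_restorable "$tmp/$f.log"; then
    echo "$f.log: backup validated"
  else
    echo "$f.log: STOP, backup did not validate"
  fi
done
```

Running the validation from a session that did not create the backup exercises the same password-only decryption path a rebuilt server would use.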


I’ll be speaking at KScope18!

Today I got an email that began like this:

Dear Richard,

Congratulations on being selected to speak at the premier Oracle user group conference—ODTUG Kscope18. We had more than 1,000 abstracts submitted this year, making this selection a very challenging process.

The following abstract has been accepted for presentation at ODTUG Kscope18, June 10-14 in Orlando, Florida. If you submitted multiple abstracts, you will receive multiple emails with the status of each abstract.

Texas Racing Commission: Lessons Learned from Migrating to Oracle Cloud

——–

I also had another presentation that got accepted as a possible alternate:  Entity Relationship Modeling in the Age of Agile Development.

Hopefully I’ll see some of you at KScope in Orlando!

Remember to use code “insum” at checkout to get a discount off your registration.


Today C2 Consulting and Insum Solutions Merged


Today is my first day as Director of Consulting Services at Insum Solutions! I’m really excited to be part of the Insum team. Insum has been a (the?)  leader in the APEX consulting services space for many years. C2 and Insum have had very similar philosophies and execution styles. I’m really looking forward to working with the new (much bigger) team.

https://www.insum.ca/insum-and-c2-consulting-unite-to-better-serve-the-american-market/


I’ll be speaking at AOUG on Friday December 15th


I’ll be speaking, but if you come, you’ll be building!

You’ve heard about the Internet of Things (IoT). C2 Consulting has put together a hands-on lab where you’ll get to build an IoT thermostat from electronic components and hook it up to REST components in an Oracle Database and then control everything from an APEX application.

You can register for the event at this link or at this url if that link doesn’t work for some reason:
https://docs.google.com/forms/d/e/1FAIpQLSdKP0TZ8KraEuAoSM1Ad0FSqkzBIP5QMCuc4uItKneeG7nBNA/viewform?c=0&w=1

This is the lab we’ll be working through and it’s pretty awesome (and award winning!): https://concept2completion.com/iotemp

Here are some details about the when and where:

Event Timing: Friday, December 15th from 11 am to 1:30 PM
Event Address: National Instruments at 11500 North Mopac Expressway, Building C, Rooms 1S13-1S15.
Parking available in the garage for building C.

If you are in the Austin area on Friday December 15th hopefully I’ll see you there.


Using Oracle VirtualBox (or the Oracle Cloud) to Build a DBA Practice Environment

When I get some time I’ll try to change this into a series of blog posts, but for right now here’s a 141-page PDF file that covers the following in a step-by-step manner:

  • Install Oracle VirtualBox
  • Create an Oracle Linux Server
  • Install and Configure Oracle Grid Infrastructure for a Standalone Server (with special ‘Rich Soule’ start and stop scripts for using ACFS file systems)
  • Install Oracle 12cR2
  • Create a Multitenant Database
  • Install and Configure Apache/Tomcat/ORDS
  • Install and Configure Oracle Application Express

You can find the pdf here: Using the Oracle Cloud (or Oracle VirtualBox) to build a DBA practice environment.


Oracle Database 12cR2 is here!


It’s 15 days early (Oracle Support had said that it would be here on Feb 15th) which means that I’ll be able to start on my ODTUG presentation 15 days earlier than I thought.

Go to http://eDelivery.oracle.com to get the latest and greatest Oracle Database.

Happy DBAing!


Oracle APEX 5.1 Documentation Bug

The installation documentation for Oracle APEX 5.1 has the following code in it for enabling network access from the database in a pre-12c database:

DECLARE
  ACL_PATH  VARCHAR2(4000);
BEGIN
  -- Look for the ACL currently assigned to '*' and give apex_050100
  -- the "connect" privilege if apex_050100 does not have the privilege yet.
 
  SELECT ACL INTO ACL_PATH FROM DBA_NETWORK_ACLS
   WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;
 
  IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(ACL_PATH, 'apex_050100',
     'connect') IS NULL THEN
      DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL_PATH,
     'apex_050100', TRUE, 'connect');
  END IF;
 
EXCEPTION
  -- When no ACL has been assigned to '*'.
  WHEN NO_DATA_FOUND THEN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('power_users.xml',
    'ACL that lets power users to connect to everywhere',
    'apex_050100', TRUE, 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('power_users.xml','*');
END;
/
COMMIT;

You’ll notice that the username in the above is ‘apex_050100’. If you run the above code you’ll get the following:

01435. 00000 -  "user does not exist"
*Cause:    
*Action:

Changing each instance of ‘apex_050100’ to ‘APEX_050100’ will address the error and you’ll be able to run the code.

Interestingly enough the new 12c APIs are apparently doing an UPPER on the passed in username because the following code works just fine:

BEGIN
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host => '*',
        ace => xs$ace_type(privilege_list => xs$name_list('connect'),
                           principal_name => 'apex_050100',
                           principal_type => xs_acl.ptype_db));
END;
/

I’ve logged a bug request with Oracle Support (of course).

Happy APEXing!