2. Oracle9i New Features http://www.ggola.com
Oracle9i New Features for Administrators
course
Preface
1. Oracle Server Security
2. General High Availability Technology
3. LogMiner Enhancements
4. Backup and Recovery
5. Data Guard
6. Database Resource Manager
7. Online Operation
8. Advanced Partition and Segment Management Enhancement
9. Automatic Segment and Advanced Index Management
Enhancement
10. Advanced Performance Features for Index, Cursor, Optimizing
and Statistics
11. Scalable Session Management
12. Real Application Cluster
13. Oracle Managed Files
14. New Tablespace Management
15. New Memory Management
16. Oracle Enterprise Manager
17. New and Standard SQL
18. Globalization Support
19. Workspace Management
20. Advanced Replication
OCP9i New Features check
.
jkspark@hanafos.com -2-
Preface
oracle9i new features
oracle version
.
.
PIII 512M PC Redhat Linux 7
. test user scott
directory oracle OFA .
pc , linux server (hostname) “LIRACLE”
oracle instance “NEWSVC”
.
oem, rman globalization support
chapter
oracle version
.
ocp ocm
paper
. ocm
paper
. (
60 ) (2004.01)
2 .
9i (new
features ..) .
iSQL*Plus
- sql*plus 2tier client pc sql*net(net*?i
) .
- from 9i client web browser oracle
database oracle http server
sql*plus .
CF. , web browser oracle http rdbms
sample schema
- scott/tiger oracle sample schema
5 schema . database
example . (demo schema
“$ORACLE_HOME/demo/schema” )
- oracle HR, OE/OC, QS, PM, SH
schema QS QS_
user .
CF. test : AIX 9iR2 OC
redhat 9iR2 OE
. oracle install option
scripts .
- 350M ~ 400M disk
space .
CF. users partition, replication, advanced queuing
example
.(
)
1. Oracle Server Security
connection to database
oracle new version
. from 9i svrmgrl
remove shell svrmgrl
. to 8i sqlplus internal
.
remote password login file (orapw)
.
internal connection
- 1:
[NEWSVC]LIRACLE:/oracle/app/oracle/admin/NEWSVC/
work> sqlplus /nolog
SQL> conn / as sysdba
SQL>
- 2:
[NEWSVC]LIRACLE:/oracle/app/oracle/admin/NEWSVC/
work> sqlplus "/as sysdba"
SQL>
- 3:
[NEWSVC]LIRACLE:/oracle/app/oracle/admin/NEWSVC/
work> sqlplus
Enter user-name: /as sysdba
SQL>
default security
default security
oracle privilege
rule . oracle
grant, revoke privilege role
mechanism default security
from 9i
.
initial parameter O7_DICTIONARY_ACCESSIBILITY
- to 8i select any table privilege users
object .
- from 9i
sysdba data dictionary rule
.
- , select any table privilege object
initial parameter
O7_DICTIONARY_ACCESSIBILITY TRUE
. oracle default
parameter FALSE setting .
- .
SQL> sho parameter o7
NAME TYPE VALUE
--------------------------------------------------------------------------------
O7_DICTIONARY_ACCESSIBILITY boolean FALSE
SQL> conn system/manager
SQL> grant select any table to qs ;
SQL> conn qs/qs
SQL> desc v$session
ERROR:
ORA-04043: object "SYS"."V_$SESSION" does not exist
SQL> shutdown & restart after change parameter
SQL> sho parameter o7
NAME TYPE VALUE
--------------------------------------------------------------------------------
O7_DICTIONARY_ACCESSIBILITY boolean TRUE
SQL> conn qs/qs
SQL> desc v$session
Name Null? Type
---------------------------- -------- -------
SADDR RAW(4)
SID NUMBER
…………
dbca (database creation assistant)
- oracle oui runinstaller gui
database .
CF. “$ORACLE_HOME/bin/dbca”
.
- database initial
parameter ,
. dbca scripts
.
CF. ! dbca
.
- dbca database oracle default
security restriction .
1. oracle user default password
user lock .
2. database
users .
SQL> alter user hr account unlock ;
SQL> alter user hr identified by <password> ;
secure application role
role (control in application level)
- role "set role" or
"dbms_session.set_role" hidden password
. pl/sql block identification
application level role control
.
- "scott" user role enable
.
SQL> conn system/manager
SQL> create user scott identified by tiger default tablespace users
2 temporary tablespace temp ;
SQL> grant create session to scott ;
SQL> grant alter session to scott ;
SQL> sho parameter o7
NAME TYPE VALUE
--------------------------------------------------------------------------------
O7_DICTIONARY_ACCESSIBILITY boolean TRUE
SQL> create role marketing identified using system.sales_market ;
SQL> select * from dba_application_roles ;
ROLE SCHEMA PACKAGE
-------------------- -------------------- --------------------
MARKETING SYSTEM SALES_MARKET
SQL> grant select any table to marketing ;
SQL> create or replace procedure sales_market
2 authid current_user is
3 vs_user string(30);
4 begin
5 select sys_context('userenv', 'session_user')
6 into vs_user from dual;
7 if vs_user != 'SCOTT' then
8 dbms_output.put_line('you are an invalid user!');
9 return;
10 end if;
11 dbms_session.set_role('MARKETING');
12 end;
13 /
SQL> grant marketing to scott, scott2 ;
SQL> grant execute on sales_market to scott, scott2 ;
SQL> conn scott/tiger
SQL> desc v$session
Name Null? Type
----------------------------------------- -------- -------
SADDR RAW(4)
SID NUMBER
........
SQL> set role none ;
SQL> desc v$session ;
ERROR:
ORA-04043: object "SYS"."V_$SESSION" does not exist
SQL> set role marketing ;
set role marketing
*
ERROR at line 1:
ORA-01979: missing or invalid password for role 'MARKETING'
SQL> set serveroutput on
SQL> exec system.sales_market;
pl/sql procedure successfully completed.
SQL> desc v$session
Name Null? Type
----------------------------------------- -------- -------
SADDR RAW(4)
SID NUMBER
........
SQL> conn scott2/tiger
SQL> desc v$session
Name Null? Type
----------------------------------------- -------- -------
SADDR RAW(4)
SID NUMBER
........
SQL> set role none ;
SQL> desc v$session ;
ERROR:
ORA-04043: object "SYS"."V_$SESSION" does not exist
SQL> set role marketing ;
set role marketing
*
ERROR at line 1:
ORA-01979: missing or invalid password for role 'MARKETING'
SQL> set serveroutput on
SQL> exec system.sales_market;
you are an invalid user!
pl/sql procedure successfully completed.
SQL> desc v$session
ERROR:
ORA-04043: object "SYS"."V_$SESSION" does not exist;
global application context
application context and global
- oracle8i application context session
user session application context setup
time . , session context setup
.
( oracle8i new features application context
)
- 9i global application context setup time
, web based multiple sessions
application context reuse
. , global .
- oracle Virtual Private Database(VPD) capability
.
CF. ..
. oracle security policy
.
- application server database scott user
multiple connections .
CF. KIM JANG web
ID application
. client KIM,
JANG return client
unique client id (
ID ) client web
browser return . (cookie ..)
application server .
SQL> conn system/manager
SQL> grant unlimited tablespace to scott ;
SQL> grant create table to scott ;
SQL> grant create any context to scott ;
SQL> grant drop any context to scott ;
SQL> grant create procedure to scott ;
SQL> conn scott/tiger
SQL> create context emp_info using init accessed globally ;
SQL> create table emp (emp_id varchar2(10), emp_name varchar2(10), dept_id varchar2(10)) ;
SQL> create table dept (dept_id varchar2(10), dept_name varchar2(10)) ;
SQL> insert into dept values ('SAL01', 'SALES');
SQL> insert into dept values ('SYS01', 'SYSTEM');
SQL> insert into dept values ('MAR01', 'MARKET');
SQL> insert into emp values ('A1998001', 'KIM', 'SAL01');
SQL> insert into emp values ('B2002003', 'JANG', 'SYS01');
SQL> insert into emp values ('C2001003', 'LEE', 'MAR01');
SQL> create or replace package init as
2 procedure create_cont (as_empid string, as_client string);
3 procedure set_id (as_client string);
4 procedure clear_id;
5 procedure clear_cont (as_client string);
6 end init;
7 /
- test stored procedure “init”
context globally access .
- stored procedure ‘init” package context creation,
id setting, id clearing, context clearing sub
procedure .
package body .
SQL> create or replace package body init as
2 procedure create_cont (as_empid string, as_client string) is
3 vs_dbuser string(30);
4 vs_empuser string(30);
5 vs_deptname string(30);
6 begin
7 select sys_context('userenv','session_user')
8 into vs_dbuser from dual;
9 select e.emp_name, d.dept_name
10 into vs_empuser, vs_deptname
11 from emp e, dept d
12 where e.dept_id = d.dept_id and e.emp_id = as_empid;
13 dbms_session.set_context('EMP_INFO', 'NAME', vs_empuser, vs_dbuser, as_client);
14 dbms_session.set_context('EMP_INFO', 'DEPT', vs_deptname, vs_dbuser, as_client);
15 end;
16 procedure set_id (as_client string) is
17 begin
18 dbms_session.set_identifier(as_client);
19 end;
20 procedure clear_id is
21 begin
22 dbms_session.clear_identifier;
23 end;
24 procedure clear_cont (as_client string) is
25 begin
26 dbms_session.clear_context('EMP_INFO', as_client);
27 end;
28 end init;
29 /
- CASE1 : KIM ID A1998001
server . application server client
unique id web browser id
application context initialize .(
id 10121
call init procedure with id '10121')
SQL> exec init.create_cont('A1998001', '10121');
- CASE2 : JANG ID B2002003
server . application server client
unique id web browser id
application context initialize .(
id 10133
call init procedure with id '10133')
SQL> exec init.create_cont('B2002003', '10133');
- CASE3 : KIM web browser application
call . context value ? context
global ,
session .
SQL> conn scott/tiger
SQL> exec init.set_id('10121');
SQL> select sys_context('EMP_INFO', 'NAME') name,
2 sys_context('EMP_INFO', 'DEPT') dept
3 from dual ;
NAME DEPT
-------------------- --------------------
KIM SALES
SQL> exec init.set_id('10133');
SQL> select sys_context('EMP_INFO', 'NAME') name,
2 sys_context('EMP_INFO', 'DEPT') dept
3 from dual ;
NAME DEPT
-------------------- --------------------
JANG SYSTEM
SQL> exec init.clear_id;
SQL> select sys_context('EMP_INFO', 'NAME') from dual ;
SYS_CONTEXT('EMP_INFO','NAME')
--------------------------------------------------------------------------------
- global application context session SGA
. ,
"clear_identifier('id')" clear client id
.
clear_identifier argument procedure .
- current session context
id clear remove
set_identifier context reuse .
- . context . context
dbms_session
clear_context context
- clear
SQL> exec init.clear_cont('10133');
SQL> exec init.set_id('10133');
SQL> select sys_context('EMP_INFO', 'NAME') from dual ;
SYS_CONTEXT('EMP_INFO','NAME')
--------------------------------------------------------------------------------
clear context .
- clear context .
SQL> exec init.set_id('10121');
SQL> select sys_context('EMP_INFO', 'NAME') from dual ;
SYS_CONTEXT('EMP_INFO','NAME')
--------------------------------------------------------------------------------
KIM
clear context .
- , context , set_context
clear_context context
stored procedure .
dbms_session
. init package
.
enhanced fine-grained access control (FGAC)
data security 8i fgac all user
groups rows access .
partitioned fgac
- from 9i application policy
.( partitioned fgac )
- fgac
1. design application context(called a driving context)
2. setting policy
3. table or view access
4. fgac looks up driving context
5. determine policy group
6. apply
- oracle9i fgac .
.
- table policy group
init context driving
context policy .
default policy 2 policy
predicate clause test .
- CASE1 : KIM, LEE sales, marketing
policy . group
basic_grp . JANG system
system policy
data . group
system_grp . ,
order_hstry check curnt_flg 'Y'
data .
SQL> alter table emp add grp_policy varchar2(10) ;
SQL> update emp set grp_policy = 'BASIC_GRP' where dept_id = 'SAL01' ;
SQL> update emp set grp_policy = 'SYSTEM_GRP' where dept_id = 'SYS01' ;
SQL> update emp set grp_policy = 'BASIC_GRP' where dept_id = 'MAR01' ;
SQL> select * from emp ;
EMP_ID EMP_NAME DEPT_ID GRP_POLICY
---------- ---------- ---------- ----------
A1998001 KIM SAL01 BASIC_GRP
B2002003 JANG SYS01 SYSTEM_GRP
C2001003 LEE MAR01 BASIC_GRP
SQL> create table order_hstry (
2 company varchar2(10), dept_name varchar2(10), goods varchar2(10),
3 amount number, curnt_flg varchar2(1) default 'Y');
SQL> insert into order_hstry values ('ACOM', 'SALES', 'RACKET', 1000, 'Y') ;
SQL> insert into order_hstry values ('BCOM', 'SALES', 'RACKET', 1000, 'N') ;
SQL> insert into order_hstry values ('BCOM', 'SYSTEM', 'CABLE', 4000, 'N') ;
SQL> insert into order_hstry values ('ECOM', 'SYSTEM', 'COMPUTER', 10000, 'Y') ;
SQL> insert into order_hstry values ('FCOM', 'MARKET', 'SHEET', 400, 'Y');
SQL> insert into order_hstry values ('GCOM', 'MARKET', 'BOX', 500, 'N');
SQL> commit ;
- CASE2 : application context KIM
login application .
policy .
SQL> exec dbms_session.set_identifier('10121');
SQL> select sys_context('EMP_INFO', 'NAME') name from dual ;
NAME
----
KIM
SQL> select * from order_hstry ;
COMPANY DEPT_NAME GOODS AMOUNT C
---------- ---------- ---------- ---------- -
ACOM SALES RACKET 1000 Y
BCOM SALES RACKET 1000 N
BCOM SYSTEM CABLE 4000 N
ECOM SYSTEM COMPUTER 10000 Y
FCOM MARKET SHEET 400 Y
GCOM MARKET BOX 500 N
- CASE3 : policy driving context procedure
application context initialize package
policy group context policy
context table add . case1
3 policy 3 procedure .
SQL> create or replace package body init as
2 procedure create_cont (as_empid string, as_client string) is
3 vs_dbuser string(30);
4 vs_empuser string(30);
5 vs_deptname string(30);
6 vs_policy string(30);
7 begin
8 select sys_context('userenv','session_user')
9 into vs_dbuser from dual;
10 select e.emp_name, d.dept_name, e.grp_policy
11 into vs_empuser, vs_deptname, vs_policy
12 from emp e, dept d
13 where e.dept_id = d.dept_id and e.emp_id = as_empid;
14 dbms_session.set_context('EMP_INFO', 'NAME', vs_empuser, vs_dbuser, as_client);
15 dbms_session.set_context('EMP_INFO', 'DEPT', vs_deptname, vs_dbuser, as_client);
16 dbms_session.set_context('EMP_INFO', 'POLICY', vs_policy, vs_dbuser, as_client);
17 end;
18 procedure set_id (as_client string) is
19 begin
20 dbms_session.set_identifier(as_client);
21 end;
22 procedure clear_id is
23 begin
24 dbms_session.clear_identifier;
25 end;
26 procedure clear_cont (as_client string) is
27 begin
28 dbms_session.clear_context('EMP_INFO', as_client);
29 end;
30 end init;
/
SQL> conn system/manager
SQL> grant execute on dbms_rls to scott ;
SQL> conn scott/tiger
SQL> exec dbms_rls.add_policy_context('scott', 'order_hstry', 'emp_info', 'policy') ;
SQL> create or replace function order_standard (t_owner varchar2, t_name varchar2) return varchar2 is
2 begin
3 return 'curnt_flg = ''Y''';
4 end;
5 /
SQL> create or replace function order_basic (t_owner varchar2, t_name varchar2) return varchar2 is
2 begin
3 return 'dept_name = sys_context(''emp_info'', ''dept'')';
4 end;
5 /
SQL> create or replace function order_system (t_owner varchar2, t_name varchar2) return varchar2 is
2 begin
3 return 'dept_name <> sys_context(''emp_info'', ''dept'')';
4 end;
5 /
SQL> exec dbms_rls.add_grouped_policy('scott', 'order_hstry', 'SYS_DEFAULT', 'for_standard', 'scott', 'order_standard') ;
- "sys_default" default group
add_policy . policy drop drop_policy
. group
drop_grouped_policy group
drop_grouped_policy
delete_policy_group .
SQL> exec dbms_rls.create_policy_group('scott', 'order_hstry', 'basic_grp') ;
SQL> exec dbms_rls.add_grouped_policy('scott', 'order_hstry', 'basic_grp', 'for_basic', 'scott', 'order_basic') ;
SQL> exec dbms_rls.create_policy_group('scott', 'order_hstry', 'system_grp') ;
SQL> exec dbms_rls.add_grouped_policy('scott', 'order_hstry', 'system_grp', 'for_system', 'scott', 'order_system') ;
- CASE 4 : context test
context initialize identifier .
SQL> exec init.clear_cont('10121');
SQL> exec init.create_cont('A1998001', '10121');
SQL> exec init.create_cont('B2002003', '10133');
SQL> exec init.set_id('10121');
SQL> select sys_context('emp_info','policy') from dual ;
SYS_CONTEXT('EMP_INFO','POLICY
--------------------------------------------------------------------------------
BASIC_GRP
- policy basic_grp . sql
oracle default policy sys_default
for_standard policy(order_standard function)
basic_grp for_basic policy(order_basic function)
sql return .
SQL> select * from order_hstry ;
no rows selected
no data found . .
- user KIM sales sys_default
curnt_flg 'Y' data basic_grp
'SALES' data , .
?
SQL> select * from order_hstry ;
COMPANY DEPT_NAME GOODS AMOUNT C
---------- ---------- ---------- ---------- -
ACOM SALES RACKET 1000 Y
- oracle iTAR .
"This was recently reported as a known bug, 2635664 Testcase
established two policy groups, each with an associated policy.
When running with no context, no rows were returned as both
policies were in effect (correct) and the predicates they
generated were mutually exclusive. Changing the context to
either one or the other valid groups resulted in still no rows
being returned as both policies were still being applied
(wrong) rather than just the only valid policy. You may see
some relief as a workaround to flush the shared pool after
changing the driving context, see if this helps. Solution for this
issue is to apply the 9.2.0.4 patchset as this contains the fix."
- upgrade
.
fine-grained audit (FGA)
row auditing
- from 9i row level tracking auditing
.
- dbms_fga package (add, drop, enable,
disable_policy) policy (dba_audit_policies)
dba_fga_audit_trail view . , policy
(invoke procedure) "select with a where clause for
only one audit column" event handler audit feature
.
CF. select trigger user
fetch data audit condition data
.
- fga .
1. design audit policy
2. create audit event handler(if you want to call stored
procedure whenever users call audited data)
3. add policy
4. check dba_fga_audit_trail, alert.log(if you call the stored
procedure with writing function to alert.log)
- order_hstry table fga .
9i fga .
.
- CASE1 : "SYSTEM"
(dept_id = 'SYS01') access auditing
.
SQL> conn system/manager
SQL> grant execute on dbms_fga to scott ;
SQL> conn scott/tiger
SQL> exec dbms_fga.add_policy('scott', 'emp', 'policy_emp', 'dept_id = ''SYS01'' ', 'emp_id');
SQL> select object_schema, object_name, policy_name, policy_text from dba_audit_policies ;
OBJECT_SCH OBJECT_NAM POLICY_NAM POLICY_TEXT
---------- ---------- ---------- --------------------
SCOTT EMP POLICY_EMP dept_id = 'SYS01'
SQL> select emp_name from emp where dept_id = 'SYS01' ;
EMP_NAME
----------
JANG
SQL> select count(*) from emp ;
COUNT(*)
----------
3
SQL> select count(*) from emp where dept_id = 'SYS01' ;
COUNT(*)
----------
1
SQL> select session_id, timestamp, object_schema, object_name, policy_name
2 from dba_fga_audit_trail ;
no rows selected
- 3 SQL dept_id = 'SYS01' audit
column emp_id access audit .
SQL> select emp_id from emp ;
EMP_ID
----------
A1998001
B2002003
C2001003
SQL> select emp_id from emp where dept_id = 'MAR01';
EMP_ID
----------
C2001003
SQL> select emp_name from emp where emp_id = 'C2001003' ;
EMP_NAME
----------
LEE
SQL> select session_id, timestamp, object_schema, object_name, policy_name
2 from dba_fga_audit_trail ;
SESSION_ID TIMESTAMP OBJECT_SCH OBJECT_NAM POLICY_NAM
---------- --------- ---------- ---------- ----------
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
- 3 sql audit
data (where ) .
auditing . .
SQL> analyze table emp compute statistics;
SQL> select emp_name from emp where emp_id = 'C2001003' ;
EMP_NAME
----------
LEE
SQL> select emp_id from emp where dept_id = 'MAR01';
EMP_ID
----------
C2001003
SQL> select emp_id from emp where dept_id = 'SYS01' ;
EMP_ID
----------
B2002003
SQL> select session_id, timestamp, object_schema, object_name, policy_name
2 from dba_fga_audit_trail ;
SESSION_ID TIMESTAMP OBJECT_SCH OBJECT_NAM POLICY_NAM
---------- --------- ---------- ---------- ----------
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
- 3 SQL audit
. . , analyze
.
SQL> select emp_name from emp where emp_id = 'B2002003' ;
EMP_NAME
----------
JANG
SQL> select session_id, timestamp, object_schema, object_name, policy_name
2 from dba_fga_audit_trail ;
SESSION_ID TIMESTAMP OBJECT_SCH OBJECT_NAM POLICY_NAM
---------- --------- ---------- ---------- ----------
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
- emp_id select where policy dept_id =
'SYS01' emp_id access auditing
. , policy audit
column access (select ) auditing
.
- CASE2 : session alert
message auditing . , policy
handle procedure alert message auditing
. (application developer's guide 9i
util_alert_pager call alert log auditing
.
procedure .
.
SQL> conn system/manager
SQL> grant execute on dbms_alert to scott ;
SQL> conn scott/tiger
SQL> create or replace procedure trail_emp
2 (ud_schema varchar2, ud_table varchar2, ud_policy varchar2) is
3 pragma autonomous_transaction;
4 begin
5 dbms_alert.signal('alert_emp', to_char(sysdate, 'YYYYMMDD HH24:MI:SS') || ud_schema || ':' || ud_table || ':' || ud_policy);
6 commit;
7 end;
8 /
SQL> select object_schema, object_name, policy_name, policy_text, pf_schema, pf_function
2 from dba_audit_policies ;
OBJECT_SCH OBJECT_NAM POLICY_NAM POLICY_TEXT PF_SCHEMA PF_FUNCTIO
---------- ---------- ---------- ----------------- ---------- ----------
SCOTT EMP POLICY_EMP dept_id = 'SYS01' SCOTT TRAIL_EMP
- auditing procedure .
pf_function procedure .
procedure pragma
autonomous_transaction dbms_alert
signal commit select
application commit
. (autonomous_transaction
oracle8i new features )
- (terminal #2)
SQL> var status number
SQL> var message varchar2(2000)
SQL> exec dbms_alert.waitone('alert_emp', :message, :status);
….waiting….
alert message .
, auditing procedure trail_emp
waiting . .
waiting
package dbms_pipe
( polling )
.
- (terminal #1)
sql auditing terminal #2
waiting prompt
.
SQL> select emp_name, emp_id from emp where dept_id = 'SYS01' ;
EMP_NAME EMP_ID
---------- ----------
JANG B2002003
SQL> select session_id, timestamp, object_schema, object_name, policy_name
2 from dba_fga_audit_trail ;
SESSION_ID TIMESTAMP OBJECT_SCH OBJECT_NAM POLICY_NAM
---------- ---------- ---------- ---------- ----------
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
198 18-AUG-03 SCOTT EMP POLICY_EMP
- (terminal #1) auditing
.
SQL> select policy_name, enabled from dba_audit_policies ;
POLICY_NAME ENA
------------------------------ ---
POLICY_EMP NO
SQL> select session_id, timestamp, object_schema, object_name, policy_name
2 from dba_fga_audit_trail ;
no rows selected
SQL> select emp_name, emp_id from emp where dept_id = 'SYS01' ;
EMP_NAME EMP_ID
---------- ----------
JANG B2002003
SQL> select session_id, timestamp, object_schema, object_name, policy_name
2 from dba_fga_audit_trail ;
no rows selected
- auditing data . disable .
encryption enhancements
9i
.
9i dbms_obfuscation_toolkit package data
encryption and decryption .
oracle
encryption and decryption package
.
DES, MD5, DES3
- , DES(Data Encryption
Standard), MD5(Message Digest 5)
DES DES3(Triple DES) .
- dbms_obfuscation_toolkit 3
DES .
CF. 9i .
- CASE : DES input data
encryption and decryption (private) key
.
CF. DES3 key 3
.
- procedure
dbms_obfuscation_toolkit desencryption procedure
call key data
desdecryption procedure call key
.
SQL> create or replace procedure pwd_encdec (pwd varchar2, key varchar2) is
2 vr_inraw raw(128) := utl_raw.cast_to_raw(pwd);
3 vr_keyraw raw(128) := utl_raw.cast_to_raw(key);
4 vr_encraw raw(2048);
5 vr_decraw raw(2048);
6 begin
7 dbms_output.put_line('----------------------------------------------');
8 dbms_output.put_line('your pwd (converted with to raw type) : ' || utl_raw.cast_to_varchar2(vr_inraw));
9 dbms_output.put_line('your key (converted with to raw type) : ' || utl_raw.cast_to_varchar2(vr_keyraw));
10 dbms_output.put_line('----------------------------------------------');
11 dbms_obfuscation_toolkit.desencrypt( input => vr_inraw, key => vr_keyraw, encrypted_data => vr_encraw);
12 dbms_output.put_line('encrypted hex value : ' || rawtohex(vr_encraw));
13 dbms_obfuscation_toolkit.desdecrypt( input => vr_encraw, key => vr_keyraw, decrypted_data => vr_decraw);
14 dbms_output.put_line('decrypted pwd : ' || utl_raw.cast_to_varchar2(vr_decraw));
15 dbms_output.put_line('----------------------------------------------');
16 end;
17 /
SQL> set serveroutput on
SQL> exec pwd_encdec('pwd12345', 'key56789');
----------------------------------------------
your pwd (converted with to raw type) : pwd12345
your key (converted with to raw type) : key56789
----------------------------------------------
encrypted hex value : 8AE1B93004764662
decrypted pwd : pwd12345
----------------------------------------------
- encrypted value raw type sqlplus
hexvalue .
- data 'pwd12345' key value 'key56789'
encryption key decryption
.
- . error case .
error .
SQL> exec pwd_encdec('pwd1234', 'key56789');
----------------------------------------------
your pwd (converted with to raw type) : pwd1234
your key (converted with to raw type) : key56789
----------------------------------------------
BEGIN pwd_encdec('pwd1234', 'key56789'); END;
*
ERROR at line 1:
ORA-28232: invalid input length for obfuscation toolkit
ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT_FFI", line 0
ORA-06512: at "SYS.DBMS_OBFUSCATION_TOOLKIT", line 99
ORA-06512: at "SCOTT.PWD_ENCDEC", line 11
ORA-06512: at line 1
- error . encryption data 7
. , DES
.
.
- DES Restriction :
1. DES symmetric key algorithm
, key
key
.
2. DES 64bit data block 56bit key
encryption data 8 (multiple of 8
bytes)
.
3. key 56-bit key
.
CF. DES data
.(
)
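The 8-byte restriction above is why 'pwd1234' fails with ORA-28232. The following added example (not part of the original course notes) pads the input to a multiple of 8 bytes before desencrypt and strips the padding after desdecrypt. The package name des_pad and its functions are hypothetical, and the padding scheme (each pad byte holds the pad length, as in PKCS#5) is a choice made here, not something the toolkit provides.

```sql
-- Added example, not part of the original course notes.
-- DES_PAD, ENCRYPT_PADDED and DECRYPT_PADDED are hypothetical names.
create or replace package des_pad as
  function encrypt_padded (p_text varchar2, p_key varchar2) return raw;
  function decrypt_padded (p_enc raw, p_key varchar2) return varchar2;
end des_pad;
/
create or replace package body des_pad as
  c_block constant pls_integer := 8;  -- DES works on 8-byte (64-bit) blocks

  -- Convert the key and reject keys shorter than one DES block.
  function key_raw (p_key varchar2) return raw is
    vr_key raw(128) := utl_raw.cast_to_raw(p_key);
  begin
    if vr_key is null or utl_raw.length(vr_key) < c_block then
      raise_application_error(-20001, 'DES key must be at least 8 bytes');
    end if;
    return vr_key;
  end;

  -- Pad to a multiple of 8 bytes, then encrypt. Input is limited to
  -- 2040 bytes by the raw(2048) buffers used here.
  function encrypt_padded (p_text varchar2, p_key varchar2) return raw is
    vr_in  raw(2048) := utl_raw.cast_to_raw(p_text);
    vr_pad raw(8);
    vr_enc raw(2048);
    vn_pad pls_integer;
  begin
    -- Always add 1..8 bytes, so the padding can be removed unambiguously.
    vn_pad := c_block - mod(nvl(utl_raw.length(vr_in), 0), c_block);
    vr_pad := utl_raw.copies(hextoraw('0' || to_char(vn_pad)), vn_pad);
    if vr_in is null then
      vr_in := vr_pad;
    else
      vr_in := utl_raw.concat(vr_in, vr_pad);
    end if;
    dbms_obfuscation_toolkit.desencrypt(
      input => vr_in, key => key_raw(p_key), encrypted_data => vr_enc);
    return vr_enc;
  end;

  -- Decrypt, validate the pad length in the last byte, and strip the padding.
  function decrypt_padded (p_enc raw, p_key varchar2) return varchar2 is
    vr_dec raw(2048);
    vn_len pls_integer;
    vn_pad pls_integer;
  begin
    dbms_obfuscation_toolkit.desdecrypt(
      input => p_enc, key => key_raw(p_key), decrypted_data => vr_dec);
    vn_len := utl_raw.length(vr_dec);
    vn_pad := to_number(rawtohex(utl_raw.substr(vr_dec, vn_len, 1)), 'XX');
    if vn_pad not between 1 and c_block or vn_pad > vn_len then
      -- wrong key or corrupted data
      raise_application_error(-20002, 'invalid padding after decryption');
    end if;
    if vn_pad = vn_len then
      return null;  -- the original input was empty
    end if;
    return utl_raw.cast_to_varchar2(utl_raw.substr(vr_dec, 1, vn_len - vn_pad));
  end;
end des_pad;
/
set serveroutput on
declare
  vr_enc raw(2048);
begin
  -- 'pwd1234' is the 7-byte input that raised ORA-28232 in the session above
  vr_enc := des_pad.encrypt_padded('pwd1234', 'key56789');
  dbms_output.put_line('encrypted hex value : ' || rawtohex(vr_enc));
  dbms_output.put_line('decrypted pwd : ' || des_pad.decrypt_padded(vr_enc, 'key56789'));
end;
/
```

Padding always adds between 1 and 8 bytes, so an 8-byte input such as 'pwd12345' encrypts to 16 bytes. DES3 uses the same 8-byte block, so the same padding applies to the toolkit's DES3 procedures.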
others
9i new features
optional 9i database
.
oracle label security
- feature trusted oracle
pl/sql policy .
vpd(virtual private database)
connection user row label
.
CF. 9i feature
optional product . , database
features .
- . oracle oracle
policy manager gui .
optional
.
- , vpd policy
policy application context
data data access
.
CF. label hidden column data
access .
oracle login server
- oracle oid(oracle internet directory) single sign-on
. 9i application server
database connection
.
- web application multiple database
.
2. General High Availability Technology
minimal I/O recovery (only instance or crash recovery)
unplanned down database restart
oracle instance recovery database
open .
to 8i instance recovery
- 3 .
1. rolling forward(redo log applying)
.
failure check point redo log
read ( )
datafile read/write (
)
2. database open
3. rolling back (by smon)
from 9i : rolling forward two-pass recovery
- rolling forward datafile read/write
time .
- two-pass recovery :
1. failure checkpoint redo log
read(sequential read) pga recovery
block keeping
2. pga keeping recovery block
applying ( dbwr deferred write
)
3. redo log two-pass .
4. block recovery
. 9i redo log block dirty
in the buffer cache
.
- instance or crash recovery dba
oracle .
CF. instance or crash single instance
rac(ops) .
fast-start time-based recovery limit
recovery performance
recovery , redo
.
oracle checkpoint rba(redo byte address) control
file recovery checkpoint rba
oracle instance
. checkpoint rba failure
recovery . mttr
.
mttr(mean time to recover)
- dba recovery time
.
checkpoint rba ,
datafile dirty block write ,
checkpoint dba
.
- log_checkpoint_interval or
fast_start_io_target parameter
.
- new parameter fast_start_mttr_target
crash recovery time .
dynamic parameter fast_start_io_target
log_checkpoint_interval
.
CF. rac crash recovery time open
instances sum of fast_start_mttr_target
. node failure node
recovery
.
- 0 ~ 3600 0
. recommended value sga size
site service level agreement (sla) .
recovery time parameter
- recovery time 4 parameter
1. db_block_max_dirty_target (obsoleted from 9i)
2. fast_start_io_target
3. log_checkpoint_interval
4. log_checkpoint_timeout (no change)
- from 9i fast_start_mttr_target
fast_start_io_target, log_checkpoint_interval
. fast_start_io_target,
log_checkpoint_interval
fast_start_mttr_target override .
new 3 columns in v$instance_recovery for recovery time
information
- oracle 30 mttr .
1. TARGET_MTTR : oracle mttr
value . dba system
monitoring
fast_start_mttr_target
.
2. ESTIMATED_MTTR : instance failure recovery time
3. CKPT_BLOCK_WRITES : checkpoint
db block write
flashback (managing by smon)
consistent view
.
, data
time machine
query .
(
8i rollback segment
. .)
- scn
.
data scn mapping .