This chapter describes configuration tasks that you can perform to increase security, and other configuration tasks that you must perform before using Oracle Multimedia and other Oracle options. Where appropriate, the chapter provides references to other guides for those configuration tasks.
This chapter contains these topics:
Configuring the Windows Firewall for Oracle Executables
Changing Passwords for Default Accounts
Overview of NTFS File System and Windows Registry Permissions
About Configuring External Job Support for the Scheduler on Windows
About Oracle Multimedia, Oracle Text, and Oracle Spatial and Graph
About Advanced Replication on Windows
Note:
Directory path examples in this chapter follow Optimal Flexible Architecture (OFA) guidelines. If you specified non-OFA compliant directories during installation, then your directory paths differ. See Appendix B, "Optimal Flexible Architecture" in Oracle Database Installation Guide for Microsoft Windows for more information.

By default, all newer Windows operating systems enable the Windows Firewall, which blocks incoming connections to virtually all TCP ports. As a result, any Oracle product that listens for incoming connections on a TCP port never receives those connection requests, and the clients making the connections report errors.
Depending upon which Oracle products are installed and how they are used, some postinstallation configuration of the Windows Firewall might be required for the products to be functional on these operating systems.
Table 5-1 lists the Oracle Database executables that listen on TCP ports on Windows. If these executables are in use and accept connections from a remote client computer, then Oracle recommends that you add them to the Windows Firewall exceptions list to ensure correct operation. Except as noted, these executables are in the ORACLE_HOME\bin directory.
Note:
If multiple Oracle homes are in use, then several firewall exceptions might be needed for the same executable: one for each home from which that executable loads.

See Also:
Oracle Real Application Clusters Installation Guide for more information on Oracle RAC executables requiring Windows Firewall exceptions

You must configure exceptions for the Windows Firewall if your system meets all of the following conditions:
Oracle server-side components are installed on a Windows server operating system. The list of components includes Oracle Database, Oracle Grid Infrastructure, network listeners, and any web servers or services.
The Windows system in question accepts connections from other machines over the network. If no other machines connect to the Windows system to access the Oracle software, then no postinstallation configuration steps are required and the Oracle software functions as expected.
The Windows system in question is configured to run the Windows Firewall. If the Windows Firewall is not enabled, then no postinstallation configuration steps are required.
If all the conditions are met, then the Windows Firewall must be configured to allow successful incoming connections to the Oracle software. To enable Oracle software to accept connection requests, configure the Windows Firewall either by opening specific static TCP ports or by creating exceptions for specific executables so that they can receive connection requests on any port they choose. A program exception is the broader of the two: it admits traffic to every port the executable listens on, so where a port is fixed (for example, the listener port) a port rule is the narrower choice. This firewall configuration can be done by one of the following methods:
From the Start menu:
Click Run and enter firewall.cpl. This opens the Windows Firewall Control Panel applet.
Complete one of the following operating system-specific steps to allow a program through the Windows Firewall:
On Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2 x64, click Allow an app or feature through Windows Firewall. Click Change Settings.
On Windows 7 or Windows Server 2008 R2, click Allow a program or feature through Windows Firewall. Click Change Settings, Allow Another Program.
On Windows Server 2008, click Allow a program through Windows Firewall.
On the Exceptions tab, click Add Program to create exceptions for the Oracle software.
From the command prompt, use the netsh firewall add... command. This legacy syntax is deprecated; on Windows 7, Windows Server 2008 R2, and later, use netsh advfirewall firewall add rule ... instead (on Windows 8 and Windows Server 2012 and later, the NetSecurity PowerShell cmdlets such as New-NetFirewallRule are also available).
When Windows notifies you that a foreground application is attempting to listen on a port and offers to create an exception for that executable, accepting the offer has the same effect as creating the exception through Control Panel or from the command line.
The following sections list the executables that listen on TCP ports on Windows, with a brief description of each. Oracle recommends adding these executables (if in use and accepting connections from a remote client computer) to the Windows Firewall exceptions list to ensure correct operation. In addition, if multiple Oracle homes are in use, firewall exceptions might be needed for the same executable (for example, oracle.exe) multiple times, once for each Oracle home from which that executable loads.
For basic database operation and connectivity from remote clients (SQL*Plus, OCI, ODBC, OLE DB applications, and so on), the following executables must be added to the Windows Firewall exception list:
Oracle_home\bin\oracle.exe - Oracle Database executable
Oracle_home\bin\tnslsnr.exe - Oracle Listener
For remote monitoring capabilities to be available for a database running on Windows, the following executables must be added to the Windows Firewall exception list:
Oracle_home\bin\emagent.exe - Oracle Database Control
Oracle_home\jdk\bin\java.exe - Java Virtual Machine
After installing the Oracle Database Examples, the following executables must be added to the Windows Firewall exception list:
Oracle_home\opmn\bin\opmn.exe - Oracle Process Manager
Oracle_home\jdk\bin\java.exe - Java Virtual Machine
If your Oracle database interacts with non-Oracle software through a gateway, then you must add the gateway executable to the Windows Firewall exception list. Table 5-1 lists the gateway executables used to access non-Oracle software.
Table 5-1 Oracle Executables Requiring Windows Firewall Exceptions
File Name | Executable Name
---|---
 | Oracle Services for Microsoft Transaction Server
 | Oracle Database Gateway for Sybase
 | Oracle Database Gateway for Teradata
 | Oracle Database Gateway for SQL Server
 | Oracle Database Gateway for DRDA
 | Oracle Database Gateway for APPC
 | Oracle Database Gateway for APPC
 | Oracle Database Gateway for WebSphere MQ
 | Oracle Database Gateway for WebSphere MQ
 | Oracle Database Gateway for ODBC
If you installed the Oracle Grid Infrastructure software on the nodes in your cluster, then you can enable the Windows Firewall only after adding the following executables and ports to the Firewall exception list. The Firewall exception list must be updated on each node.
Grid_home\bin\gpnpd.exe - Grid Plug and Play daemon
Grid_home\bin\oracle.exe - Oracle ASM executable (if using Oracle ASM for storage)
Grid_home\bin\racgvip.exe - Virtual Internet Protocol Configuration Assistant
Grid_home\bin\evmd.exe - OracleEVMService
Grid_home\bin\crsd.exe - OracleCRService
Grid_home\bin\ocssd.exe - OracleCSService
Grid_home\bin\octssd.exe - Cluster Time Synchronization Service daemon
Grid_home\bin\mDNSResponder.exe - multicast-DNS Responder Daemon
Grid_home\bin\gipcd.exe - Grid IPC daemon
Grid_home\bin\gnsd.exe - Grid Naming Service daemon
Grid_home\bin\ohasd.exe - OracleOHService
Grid_home\bin\TNSLSNR.EXE - SCAN listener and local listener for Oracle Database and Oracle ASM
Grid_home\opmn\bin\ons.exe - Oracle Notification Service
Grid_home\jdk\jre\bin\java.exe - Java Virtual Machine
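As an added example (this is not code from the Oracle documentation), the following PowerShell script creates the program exceptions for the database executables listed earlier and for the Oracle Grid Infrastructure executables listed above, one rule per executable per Oracle home, and then lists what it created. It assumes Windows 8 or Windows Server 2012 or later (the NetSecurity module), an elevated prompt, and the two home paths shown, which are placeholders to adjust.

```powershell
# Added example; this is not code from the Oracle documentation. Creates one
# inbound program exception per Oracle executable per Oracle home, as the
# lists above require, then shows the result. Needs Windows 8 / Windows Server
# 2012 or later (NetSecurity module) and an elevated prompt. The two home
# paths are assumptions; change them to match the installation.
#Requires -RunAsAdministrator

$DbHome   = 'C:\app\oracle\product\12.1.0\dbhome_1'   # assumed database home
$GridHome = 'C:\app\12.1.0\grid'                       # assumed grid home

# Executables relative to each home, from the lists above. emagent.exe and the
# JDK java.exe are needed only when remote monitoring or the Examples are used.
$DbExecutables = @(
    'bin\oracle.exe',      # Oracle Database executable
    'bin\tnslsnr.exe',     # Oracle Listener
    'bin\emagent.exe',     # Oracle Database Control
    'jdk\bin\java.exe'     # Java Virtual Machine
)
$GridExecutables = @(
    'bin\gpnpd.exe', 'bin\oracle.exe', 'bin\racgvip.exe', 'bin\evmd.exe',
    'bin\crsd.exe', 'bin\ocssd.exe', 'bin\octssd.exe', 'bin\mDNSResponder.exe',
    'bin\gipcd.exe', 'bin\gnsd.exe', 'bin\ohasd.exe', 'bin\TNSLSNR.EXE',
    'opmn\bin\ons.exe', 'jdk\jre\bin\java.exe'
)

function Add-OracleFirewallException {
    param(
        [Parameter(Mandatory)][string]$OracleHome,
        [Parameter(Mandatory)][string[]]$RelativePaths,
        [Parameter(Mandatory)][string]$Tag          # prefix for the rule display names
    )
    foreach ($rel in $RelativePaths) {
        $exe = Join-Path $OracleHome $rel
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Warning "Skipping $exe (not present in this home)"
            continue
        }
        # The full path is part of the rule name, so oracle.exe from a second
        # home gets its own rule instead of silently reusing the first one.
        $name = "$Tag - $exe"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Output "Exists: $name"
            continue
        }
        # A program rule admits traffic on any port the executable listens on.
        # Scope it to the Domain and Private profiles; a database server has no
        # reason to accept these connections on a Public network.
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Program $exe -Profile Domain, Private -Enabled True | Out-Null
        Write-Output "Added:  $name"
    }
}

Add-OracleFirewallException -OracleHome $DbHome   -RelativePaths $DbExecutables   -Tag 'Oracle DB'
Add-OracleFirewallException -OracleHome $GridHome -RelativePaths $GridExecutables -Tag 'Oracle Grid'

# Verify: every rule created above, the program it covers, and whether it is on.
Get-NetFirewallRule -DisplayName 'Oracle *' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
    }
} | Format-Table -AutoSize

# Equivalent single rule with the netsh syntax for Windows Server 2008 R2,
# which has the advfirewall context but not the NetSecurity cmdlets:
#   netsh advfirewall firewall add rule name="Oracle DB - oracle.exe" dir=in action=allow program="C:\app\oracle\product\12.1.0\dbhome_1\bin\oracle.exe" profile=domain,private enable=yes
```

Run the script once per node; it skips executables that are not installed in a given home and does not duplicate rules that already exist, so it can be re-run after a patch or after a second Oracle home is added.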
Note:
Windows Server 2008 and later operating systems do not provide any information about applications attempting to listen on a port. Instead, a security audit event is logged to signal that an application is blocked.

If you cannot establish certain connections even after granting exceptions to the executables listed in Table 5-1, then follow these steps to troubleshoot the installation:
Examine Oracle configuration files (such as *.conf files), the Oracle key in the Windows registry, and the network configuration files in ORACLE_HOME\network\admin.
Pay particular attention to any executable listed in ORACLE_HOME\network\admin\listener.ora in a PROGRAM= clause. Each of these must be granted an exception in the Windows Firewall, because a connection can be made through the TNS Listener to that executable.
Examine Oracle trace files, log files, and other sources of diagnostic information for details on failed connection attempts. Log and trace files on the database client computer might contain useful error codes or troubleshooting information for failed connection attempts. The Windows Firewall log file on the server might contain useful information as well.
If the preceding troubleshooting steps do not resolve a specific configuration issue, then provide the output from the command netsh firewall show state verbose=enable (or, on systems where the legacy netsh firewall context is no longer available, netsh advfirewall show allprofiles and netsh advfirewall firewall show rule name=all verbose) to My Oracle Support for diagnosis and problem resolution.
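The PROGRAM= check in the troubleshooting steps above can be automated. The following PowerShell script is an added example, not code from the Oracle documentation: it parses the PROGRAM= clauses of a listener.ora, resolves each one to an executable path, reports whether an enabled inbound Allow rule in the Windows Firewall names that executable, and then pulls the latest DROP entries for the listener port from the firewall log. The listener.ora text, the paths in it, and the port 1521 are constructed for illustration; the firewall cmdlets need Windows 8 or Windows Server 2012 or later.

```powershell
# Added troubleshooting example; not code from the Oracle documentation.
# The listener.ora text below is constructed for illustration, as are the paths
# in it. Bare program names (PROGRAM = extproc) resolve to ORACLE_HOME\bin\<name>.exe.

$SampleListenerOra = @'
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = C:\app\oracle\product\12.1.0\dbhome_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = orcl)
      (ORACLE_HOME = C:\app\oracle\product\12.1.0\dbhome_1)
      (PROGRAM = C:\app\oracle\product\12.1.0\dbhome_1\bin\oracle.exe)
    )
  )
'@

function Get-ListenerPrograms {
    # One object per SID_DESC that carries a PROGRAM= clause. Values are read up
    # to the next whitespace or ')', so paths containing spaces are not handled.
    param([Parameter(Mandatory)][string]$ListenerOraText)
    $chunks = $ListenerOraText -split '\(\s*SID_DESC\s*=' | Select-Object -Skip 1
    foreach ($chunk in $chunks) {
        $sid  = [regex]::Match($chunk, 'SID_NAME\s*=\s*([^\s\)]+)',    'IgnoreCase').Groups[1].Value
        $home = [regex]::Match($chunk, 'ORACLE_HOME\s*=\s*([^\s\)]+)', 'IgnoreCase').Groups[1].Value
        $prog = [regex]::Match($chunk, 'PROGRAM\s*=\s*([^\s\)]+)',     'IgnoreCase').Groups[1].Value
        if (-not $prog) { continue }
        if (-not [System.IO.Path]::IsPathRooted($prog)) {
            if (-not [System.IO.Path]::HasExtension($prog)) { $prog += '.exe' }
            $prog = Join-Path (Join-Path $home 'bin') $prog
        }
        [pscustomobject]@{ Sid = $sid; OracleHome = $home; Program = $prog }
    }
}

function Get-AllowedInboundPrograms {
    # Executables named by enabled inbound Allow rules, with %VAR% expanded.
    # Rules without a program filter report 'Any' and are skipped.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -ne 'Any' } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Program) }
}

# Check the constructed sample. On a live server read the real file instead:
#   Get-ListenerPrograms (Get-Content -Raw "$env:ORACLE_HOME\network\admin\listener.ora")
$allowed = @(Get-AllowedInboundPrograms)
Get-ListenerPrograms -ListenerOraText $SampleListenerOra | ForEach-Object {
    [pscustomobject]@{
        SID          = $_.Sid
        Program      = $_.Program
        Installed    = Test-Path -LiteralPath $_.Program
        FirewallRule = ($allowed -contains $_.Program)   # -contains is case-insensitive
    }
} | Format-Table -AutoSize

# Blocked connections are written to the firewall log only once logging is on:
#   Set-NetFirewallProfile -Profile Domain, Private -LogBlocked True
# Show the latest DROP entries for the listener port (1521 in this example).
$FirewallLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path -LiteralPath $FirewallLog) {
    # Log columns: date time action protocol src-ip dst-ip src-port dst-port ...
    Get-Content -LiteralPath $FirewallLog |
        Where-Object { $_ -match '^\S+ \S+ DROP TCP \S+ \S+ \S+ 1521 ' } |
        Select-Object -Last 10
}
```

A row with Installed = True and FirewallRule = False is exactly the case the troubleshooting step describes: the listener can hand a connection to that executable, but the firewall will drop it.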
Oracle Database installs with many default accounts. Oracle Database Configuration Assistant locks and removes most default database accounts upon successful installation. Oracle recommends changing all user passwords immediately after installation.
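The recommendation above can be checked rather than taken on trust. The following PowerShell script is an added example, not code from the Oracle documentation: it runs a query through SQL*Plus that joins DBA_USERS with DBA_USERS_WITH_DEFPWD, reports every account that still has a default password together with its status, and writes the ALTER USER statements that expire and lock the ones that are still OPEN. It assumes ORACLE_SID is set, sqlplus is on PATH, and OS authentication (/ AS SYSDBA) works; locking and expiring is the minimal fix shown here, and accounts that are actually needed should have their passwords changed instead.

```powershell
# Added example; not code from the Oracle documentation. Assumes ORACLE_SID is
# set, sqlplus is on PATH, and the current Windows user is in ORA_DBA so that
# "/ as sysdba" succeeds.

function Invoke-SqlPlus {
    # Runs a SQL text block non-interactively and returns the output lines.
    # -S suppresses banners; -L gives up after one failed logon instead of prompting.
    param([Parameter(Mandatory)][string]$Sql)
    "SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 300`n$Sql`nEXIT`n" | & sqlplus -S -L '/ as sysdba'
}

function Get-DefaultPasswordAccounts {
    # DBA_USERS_WITH_DEFPWD lists accounts whose password hash matches a known
    # default. The '|' separators make the SQL*Plus output trivial to parse.
    $sql = @'
SELECT u.username || '|' || u.account_status || '|' ||
       CASE WHEN d.username IS NULL THEN 'N' ELSE 'Y' END
FROM   dba_users u
       LEFT JOIN dba_users_with_defpwd d ON d.username = u.username
ORDER  BY u.username;
'@
    Invoke-SqlPlus -Sql $sql | Where-Object { $_ -match '\|' } | ForEach-Object {
        $f = $_.Trim() -split '\|'
        [pscustomobject]@{
            Username        = $f[0]
            AccountStatus   = $f[1]
            DefaultPassword = ($f[2] -eq 'Y')
        }
    }
}

$accounts = @(Get-DefaultPasswordAccounts)
$accounts | Format-Table -AutoSize

# OPEN accounts with a default password are what an attacker tries first.
# Generate the statements, review them, then run them through Invoke-SqlPlus.
$fixes = $accounts |
    Where-Object { $_.DefaultPassword -and $_.AccountStatus -eq 'OPEN' } |
    ForEach-Object { 'ALTER USER "{0}" ACCOUNT LOCK PASSWORD EXPIRE;' -f $_.Username }

if ($fixes) {
    $fixes | Set-Content -Path 'lock_default_accounts.sql'
    Write-Output "Wrote $(@($fixes).Count) statement(s) to lock_default_accounts.sql for review"
    # To apply after review:  Invoke-SqlPlus -Sql (Get-Content -Raw 'lock_default_accounts.sql')
}
```

Re-run the report after applying the statements; an account should then show either a non-default password or a status of EXPIRED & LOCKED.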
See Also:
Oracle Database Administrator's Guide for more information about default database accounts and passwords

The Authenticated Users group is a Windows built-in group that cannot be modified and includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. The SID for Authenticated Users is S-1-5-11.
Oracle recommends that you configure Oracle Database files, directories, and registry settings to provide full control to authorized database administrators (DBAs). If you have created a database using Oracle Database Configuration Assistant or upgraded a database using Oracle Database Upgrade Assistant, then no further action is required.
This section describes the permissions automatically set by Oracle Universal Installer, Oracle Database Configuration Assistant, and Oracle Database Upgrade Assistant and the steps to set these permissions manually.
In addition to the various groups listed in Oracle Database Installation Guide for Microsoft Windows, Oracle Database software installation creates the following groups for Oracle internal use and sets permissions on files and registry entries for these groups to ensure that the Oracle software functions properly. The group memberships and permissions set for the following groups should not be changed or removed:
ORA_INSTALL
ORA_GRID_LISTENERS
ORA_CLIENT_LISTENERS
ORA_HOMENAME_SVCSIDS
See Also:
Your operating system documentation for more information about modifying NTFS file system and Windows registry settings

Oracle Universal Installer, Oracle Database Configuration Assistant, and Oracle Database Upgrade Assistant set file permissions when Oracle Database software is installed or upgraded.
This section contains these topics:
About Default File Permissions Set by Oracle Universal Installer
About File Permissions Set by Oracle Database Configuration Assistant
About File Permissions Set by Oracle Database Upgrade Assistant
During Oracle Database installation, by default Oracle Universal Installer installs software in the ORACLE_HOME directory. Oracle Universal Installer sets the following permissions on this directory, and on all files and directories under it.
For an Oracle Grid Infrastructure ORACLE_HOME:
Full control - Administrators, SYSTEM, ORA_GRID_LISTENERS, Oracle Installation User, Oracle Home User
For an Oracle Database ORACLE_HOME:
Full control - Administrators, SYSTEM, Oracle Installation User, Oracle Home User
For an Oracle Database Client ORACLE_HOME:
Full control - Administrators, SYSTEM, Oracle Installation User, ORA_HOMENAME_SVCSIDS or Oracle Home User
Oracle Universal Installer sets the following permissions on the ORACLE_BASE directory, and on all files and directories under it, with the exception of database files, wallets, and so on:
Full control - Administrators, SYSTEM, Oracle Installation User, Oracle Home User
Full control - ORA_GRID_LISTENERS if the ORACLE_BASE is for the Oracle Grid Infrastructure ORACLE_HOME
Full control - ORA_HOMENAME_SVCSIDS or Oracle Home User if the ORACLE_BASE is for a Client ORACLE_HOME
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, Authenticated Users, and the Oracle groups mentioned exist, then the permissions for these accounts are removed.

See Also:
Oracle Grid Infrastructure Installation Guide for Microsoft Windows x64 (64-Bit) for information about Oracle Home User configurations
Oracle Database Installation Guide for Microsoft Windows for information about the Authenticated Users group
During Oracle Database configuration, Oracle Database Configuration Assistant installs files and directories in the following default locations, where database_name is the database name or SID:
ORACLE_BASE\admin\database_name (administration file directories)
ORACLE_BASE\oradata\database_name (database files, redo log files, and control files)
ORACLE_HOME\database (SPFILESID.ORA)
Oracle Database Configuration Assistant sets the following permission on these directories, and on all files and directories under them:
Full control - Administrators, SYSTEM, Oracle Home User
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, and Oracle Home User already exist, then the permissions for these accounts are removed.

When an earlier version of the database is upgraded to Oracle Database 12c Release 1 (12.1), Oracle Database Upgrade Assistant installs software in the following directories, where database_name is the database name or SID:
ORACLE_BASE\admin\database_name (administration files)
ORACLE_BASE\oradata\database_name (database files, redo log files, and control files)
ORACLE_HOME\database (SPFILESID.ORA)
Oracle Database Upgrade Assistant sets the following permissions on these directories, and on all files and directories under them:
Full control - Administrators, SYSTEM, Oracle Home User
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, and Oracle Home User already exist, then the permissions for these accounts are removed.

Starting with Oracle Database 12c Release 1 (12.1), Oracle Database Upgrade Assistant can also configure Oracle Enterprise Manager. If the Enable daily backup option is selected while configuring Oracle Enterprise Manager, then Oracle Database Upgrade Assistant shows a separate screen asking for the Fast Recovery Area. Oracle Database Upgrade Assistant creates the directory structure (if it does not exist) in the specified file system location and applies the same set of file permissions to it. The default Fast Recovery Area location shown by Oracle Database Upgrade Assistant is:
ORACLE_BASE\recovery_area
When an Oracle Wallet is created in the file system, the wallet creation tools grant access to the wallet only to the user who created it. Starting with Oracle Database 12c Release 1 (12.1), Windows services for Oracle run under a standard Windows user account and therefore might not be able to access the wallet. See "About Setting File System ACLs Manually" for how to use Windows tools to grant the specific user, the group, or both access to wallets in the file system.
Because Oracle Database services now run under a standard Windows user account, a file is accessible to those services only if the file system Access Control Lists (ACLs) grant access to it. Oracle installation configures the ACLs so that you do not have to change them manually for typical usage, but manual changes are sometimes needed: for example, to upgrade databases manually, for database files that are not under Oracle base, or to grant access to wallets in the file system.
The rules for setting file system ACLs manually are:
To allow Oracle Database services access to a file: grant access to the Oracle Home User for the file when a Windows user account is used as the Oracle Home User. If a Windows built-in account is used as the Oracle Home User, then no such permission is necessary because the Oracle Database services run under the administrative account.
To allow Oracle Grid Listener services access to a file: grant access to the ORA_GRID_LISTENERS group for the file.
To allow Oracle Database services from a client ORACLE_HOME access to a file: grant access to the Oracle Home User for the file when a Windows user account is used as the Oracle Home User for the client home. If a Windows built-in account is used as the Oracle Home User, then grant access to the ORA_HOMENAME_SVCSIDS group for the file.
Oracle Universal Installer sets the following permissions on Windows registry entries pertaining to Oracle Database software:
All users have read permissions.
Local administrators and the Oracle Installation User have full control.
Oracle Universal Installer sets the following permissions for users and user groups on the Windows service entries for Oracle Database services:
ORA_DBA and ORA_HOMENAME_DBA group members have start and stop privileges for the Windows service entries.
The Local System account and local administrators have full control of the Windows service entries.
To ensure that only authorized users have full file system permissions:
In Windows Explorer, right-click the directory or file, choose Properties, and open the Security tab.
Set the permissions described in the preceding sections for each directory or file.
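The wallet case from the ACL rules above is the one most often done by hand, so here is an added PowerShell example (not code from the Oracle documentation) that applies those rules from a script instead of through Windows Explorer: a function that grants a principal access to a file or directory, applied to a wallet directory for the Oracle Home User, with the ORA_GRID_LISTENERS and ORA_HOMENAME_SVCSIDS variants shown as comments, and a listing of the resulting ACL. The wallet path, the account name CORP\oraclehome, and the HOMENAME in the group name are assumptions.

```powershell
# Added example, not from the Oracle documentation. Grants a service principal
# access to a file or directory following the three ACL rules above and shows
# the resulting ACL. The wallet path and the principal names are assumptions.
#Requires -RunAsAdministrator

function Grant-OracleServiceAccess {
    param(
        [Parameter(Mandatory)][string]$Path,        # file or directory
        [Parameter(Mandatory)][string]$Identity,    # 'DOMAIN\user' or "$env:COMPUTERNAME\GROUP"
        [ValidateSet('ReadAndExecute', 'Modify', 'FullControl')]
        [string]$Rights = 'ReadAndExecute'
    )
    $acl = Get-Acl -LiteralPath $Path
    # On a directory, let the ACE flow down to existing and future children.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, 'None', 'Allow')
    # SetAccessRule replaces any explicit Allow ACE this identity already has,
    # so re-running the function does not pile up duplicate entries.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Show-Access {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited, AccessControlType
}

# Assumed values: a domain account as Oracle Home User, and a wallet directory
# created by the DBA's own account (so the services cannot read it yet).
$OracleHomeUser = 'CORP\oraclehome'
$WalletDir      = 'C:\app\oracle\admin\orcl\wallet'

# Rule 1: database services run as the Oracle Home User. Modify rather than
# Full Control: the service must read the wallet and rewrite it on key rotation,
# but it has no business changing the wallet's ACL or ownership.
Grant-OracleServiceAccess -Path $WalletDir -Identity $OracleHomeUser -Rights Modify

# Rule 2 (grid listener services) and rule 3 (client-home services when a
# built-in account is the Oracle Home User) use the local Oracle groups instead.
# The HOMENAME part of the group name is an assumption.
#   Grant-OracleServiceAccess -Path $WalletDir -Identity "$env:COMPUTERNAME\ORA_GRID_LISTENERS"
#   Grant-OracleServiceAccess -Path $WalletDir -Identity "$env:COMPUTERNAME\ORA_OraDB12Home1_SVCSIDS"

Show-Access -Path $WalletDir | Format-Table -AutoSize
# Entries with IsInherited = True come from ORACLE_BASE. If one of them is
# broader than the wallet should allow, fix it at the parent or stop inheritance
# on the wallet directory with $acl.SetAccessRuleProtection($true, $true)
# followed by Set-Acl, which keeps copies of the inherited entries for editing.
```

The listing at the end is the check to keep: anything other than Administrators, SYSTEM, the Oracle Home User, and the Oracle groups named in this section should not appear with write access on a wallet.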
See Also:
Your operating system online help for more information about how to modify NTFS file system and registry settings

Oracle recommends that you remove write permissions from users who are not Oracle Database DBAs or system administrators on the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key of the Windows registry.
To remove write permissions:
Open the registry (regedit).
Go to HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE.
Select Permissions from the Edit menu. The Permissions for Oracle dialog box appears.
Remove write privileges from any users who are not Oracle Database DBAs or system administrators. The SYSTEM account must keep Full Control, because some Oracle Database services run as SYSTEM.
Ensure that user accounts that must run Oracle applications have read privileges.
Select OK.
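The same review can be scripted so that it is repeatable after patches and re-installs. The following PowerShell is an added example, not code from the Oracle documentation: it lists every ACE on HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE that grants write-type rights to a principal outside an allowed set, and a second function removes the explicit ones while leaving SYSTEM untouched. The allowed set (the local ORA_DBA and ORA_INSTALL groups plus an assumed Oracle Installation User named CORP\orainstall) is an assumption to adjust.

```powershell
# Added example, not from the Oracle documentation. Finds and optionally removes
# write-capable ACEs on the Oracle registry key that belong to principals outside
# an allowed set. The allowed principal names below are assumptions.
# A 32-bit client home on 64-bit Windows lives under HKLM:\SOFTWARE\Wow6432Node\ORACLE.
#Requires -RunAsAdministrator

$OracleKey = 'HKLM:\SOFTWARE\ORACLE'
$AllowedWriters = @(
    'NT AUTHORITY\SYSTEM',                # must keep Full Control: some services run as SYSTEM
    'BUILTIN\Administrators',
    "$env:COMPUTERNAME\ORA_DBA",          # DBA group
    "$env:COMPUTERNAME\ORA_INSTALL",      # Oracle internal group; leave its permissions alone
    'CORP\orainstall'                     # Oracle Installation User (assumed name)
)

# Rights that let a principal change the key, its values, its subkeys, or its
# ACL. The two generic bits show up on inherited ACEs and mean the same thing.
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership) -bor
             0x10000000 -bor 0x40000000    # GENERIC_ALL, GENERIC_WRITE

function Get-UnexpectedRegistryWriters {
    param([string]$Key = $OracleKey, [string[]]$Allowed = $AllowedWriters)
    $acl = Get-Acl -Path $Key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }   # read-only, fine
        $who = $ace.IdentityReference.Value
        if ($Allowed -contains $who) { continue }
        [pscustomobject]@{
            Key       = $Key
            Identity  = $who
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Ace       = $ace
        }
    }
}

function Remove-UnexpectedRegistryWriters {
    # Strips the offending explicit ACEs. Inherited ones come from HKLM\SOFTWARE;
    # they are reported but left alone, because the fix belongs at the parent or
    # in a deliberate decision to stop inheritance on the Oracle key.
    param([string]$Key = $OracleKey, [string[]]$Allowed = $AllowedWriters)
    $acl = Get-Acl -Path $Key
    $changed = $false
    foreach ($hit in (Get-UnexpectedRegistryWriters -Key $Key -Allowed $Allowed)) {
        if ($hit.Inherited) {
            Write-Warning "Inherited write ACE for $($hit.Identity) left in place"
            continue
        }
        [void]$acl.RemoveAccessRule($hit.Ace)
        $changed = $true
        Write-Output "Removed write ACE for $($hit.Identity)"
    }
    if ($changed) { Set-Acl -Path $Key -AclObject $acl }
}

Get-UnexpectedRegistryWriters | Format-Table Identity, Rights, Inherited -AutoSize
# Remove-UnexpectedRegistryWriters    # run only after reviewing the list above
```

Run the report first and only then the removal; an empty report after removal, with SYSTEM still holding Full Control, is the end state the procedure above describes.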
This release includes Oracle Scheduler (the Scheduler), which provides enterprise scheduling functionality. External jobs performed by the user are started by the OracleJobSchedulerSID service. This service is disabled by default. To use the external jobs functionality, the administrator must set the user name and password for the user account under which this service must run and enable the service.
Starting with Oracle Database 12c Release 1 (12.1), ORADIM creates the Oracle Database service, Oracle VSS Writer service, and Oracle Scheduler service to run under the Oracle Home User account. If this account is a Windows Local User or a Windows Domain User account, then ORADIM prompts for the password for that account and accepts it through stdin. You can also specify both the Oracle Home User and its password with the -RUNAS osusr[/ospass] option of oradim. If the given osusr is different from the Oracle Home User, then the Oracle Home User is used instead of osusr along with the given ospass. Restricting execution of external jobs to a low-privileged user prevents unauthorized database users from gaining operating system-level privileges, but it also restricts the kinds of jobs that can be run: jobs requiring a higher level of operating system privileges cannot be run by this mechanism.
Enabling and starting the OracleJobSchedulerSID service is required only for compatibility with Oracle Database 10g Release 1 and Release 2, for local external jobs that do not use credentials. This service is not required if all local external jobs use credentials. For improved security, Oracle recommends that all local external jobs use credentials.
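Whether the services are set up as this section describes is easy to verify. The following PowerShell is an added example, not code from the Oracle documentation: it lists the Oracle Windows services with the account each one logs on as and its start mode, and flags an OracleJobScheduler service that is no longer disabled and a database or VSS writer service that runs as something other than the expected Oracle Home User. The expected account CORP\oraclehome, the SID ORCL, and the account CORP\orajobs in the closing comment are assumptions.

```powershell
# Added example, not code from the Oracle documentation. Audits the Oracle
# Windows services against the two points made above. The expected Oracle Home
# User is an assumption; set it to 'LocalSystem' if a Windows built-in account
# is the Oracle Home User. Local (non-domain) accounts are reported as '.\name'.

$ExpectedHomeUser = 'CORP\oraclehome'

function Get-OracleServiceAudit {
    param([string]$HomeUser = $ExpectedHomeUser)
    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Oracle%'" | ForEach-Object {
        $finding = ''
        if ($_.Name -like 'OracleJobScheduler*' -and $_.StartMode -ne 'Disabled') {
            # Only needed for 10g-style local external jobs that do not use credentials.
            $finding = 'external job service is enabled'
        }
        elseif (($_.Name -like 'OracleService*' -or $_.Name -like 'OracleVssWriter*') -and $_.StartName -ne $HomeUser) {
            $finding = "runs as $($_.StartName), expected $HomeUser"
        }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            LogOnAs   = $_.StartName
            Finding   = $finding
        }
    }
}

Get-OracleServiceAudit | Format-Table -AutoSize

# If legacy credential-less external jobs are unavoidable, give the scheduler
# service a dedicated low-privilege account and start it on demand only.
# sc.exe requires the space after each "keyword=". SID and account are assumed.
#   sc.exe config OracleJobSchedulerORCL obj= "CORP\orajobs" password= "<password>" start= demand
```

An empty Finding column is the expected result on a freshly created 12.1 database: the scheduler service disabled, and the database and VSS writer services logging on as the Oracle Home User.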
See Also:
Oracle Database Administrator's Guide for more information about external jobs

Oracle Multimedia (formerly Oracle interMedia) is a feature that enables Oracle Database to store, manage, and retrieve images, DICOM format medical images and other DICOM data, audio, video, and other heterogeneous media data in an integrated fashion with other enterprise information. Oracle Multimedia extends Oracle Database reliability, availability, and data management to multimedia content in traditional, Internet, electronic commerce, medical, and media-rich applications.
If you install Enterprise Edition, Standard Edition, Standard Edition One, Standard Edition 2, or Personal Edition, then Oracle Database Configuration Assistant starts automatically at the end of installation. If you choose any Oracle Database Configuration Assistant installation type other than Customized, then Oracle Multimedia does not require manual configuration. All tasks described in this section are performed automatically.
If you select Customized installation, then Oracle Database Configuration Assistant guides you through configuration of Oracle Multimedia.
If you are creating and configuring a database manually, then you can configure Oracle Multimedia as follows:
Start SQL*Plus:
C:\> sqlplus /NOLOG
Connect to Oracle Database with the SYSDBA privilege:
SQL> CONNECT / AS SYSDBA
Start the database (if necessary):
SQL> STARTUP
Run the script ordinst.sql (the @ prefix tells SQL*Plus to run the file):
SQL> @ORACLE_HOME\ord\admin\ordinst.sql SYSAUX SYSAUX
Run the script iminst.sql:
SQL> @ORACLE_HOME\ord\im\admin\iminst.sql
Exit SQL*Plus:
SQL> EXIT
Note:
If you manually copy your Oracle8i listener.ora and tnsnames.ora files into your Oracle Database network directory, then you must modify the network configuration files tnsnames.ora and listener.ora on your server to enable external routine calls to work and Oracle Multimedia to function properly. Follow the procedure in Oracle Net Services Administrator's Guide.

Oracle Text enables text queries through SQL and PL/SQL from most Oracle interfaces. By installing Oracle Text with an Oracle Database server, client tools such as SQL*Plus and Pro*C/C++ are able to retrieve and manipulate text in Oracle Database.
Oracle Text manages textual data in concert with traditional data types in Oracle Database. When text is inserted, updated, or deleted, Oracle Text automatically manages the change.
If you install Oracle Text from the media and do not have a previous release of Oracle Text installed, then Oracle Database is already configured for use with Oracle Text if one of the following is true:
You created the database by using Oracle Database Configuration Assistant in standalone mode, and selected the Typical database creation type.
The database is a starter database that you created by using Oracle Universal Installer (OUI) and selected the Create and configure a database option in "Select Installation Option" window.
See Also:
Oracle Database Installation Guide for Microsoft Windows for more information about creating a starter database
If neither is true, then you must configure Oracle Database for use with Oracle Text as described in "Configuring Oracle Text Using Database Configuration Assistant".
See Also:
Oracle Text Application Developer's Guide for information about upgrading your applications from previous releases of Oracle Text
Oracle Database Upgrade Guide for information about upgrading Oracle Text
Configuring Oracle Text Using Database Configuration Assistant
To use Oracle Database Configuration Assistant to configure Oracle Database for use with Oracle Text at the time you create the database, select Oracle Text as the option to configure when prompted.
To configure the database at a later time:
Start Database Configuration Assistant.
From the Start menu, select All Programs, then select Oracle - HOMENAME, then select Configuration and Migration Tools, and then select Database Configuration Assistant.
Select Configure Database Options.
Select the database to modify when prompted.
Select Oracle Text as the option to configure when prompted.
Oracle Spatial and Graph makes storage, retrieval, and manipulation of spatial data easier and more intuitive to users.
One example of spatial data is a road map. A road map is a two-dimensional object that contains points, lines, and polygons representing cities, roads, and political boundaries such as states. A road map represents geographic information. Locations of cities, roads, and political boundaries are projected onto a two-dimensional display or piece of paper, preserving relative positions and relative distances of objects.
If you install Oracle Spatial and Graph through Enterprise Edition, then no manual configuration is required. All Oracle Spatial and Graph configuration tasks are performed automatically.
If you install both Oracle Spatial and Graph and Oracle Database together through Enterprise Edition, Standard Edition, Standard Edition One, Standard Edition 2, or Personal Edition installation, then Database Configuration Assistant starts automatically at the end of installation. If you select Custom installation and select Create new database, then the assistant asks if Oracle Spatial and Graph is to be configured automatically.
If you install Oracle Spatial and Graph during a separate installation from Enterprise Edition, then you must either start Oracle Database Configuration Assistant and select Configure database options or configure Oracle Spatial and Graph manually. See Oracle Spatial and Graph Developer's Guide for more information on configuring Oracle Spatial and Graph manually.
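Whichever path configured Oracle Multimedia, Oracle Text, or Oracle Spatial and Graph (the manual SQL*Plus steps for Multimedia above, or Database Configuration Assistant), the outcome is recorded in DBA_REGISTRY and can be checked. The following PowerShell is an added example, not code from the Oracle documentation: it queries DBA_REGISTRY through SQL*Plus and reports the version and status of each of the three components, plus the Oracle JVM and Oracle XML DB components that Oracle Multimedia depends on. It assumes ORACLE_SID is set, sqlplus is on PATH, and OS authentication (/ AS SYSDBA) works.

```powershell
# Added example, not code from the Oracle documentation. Confirms that the
# options configured in this section are registered and VALID. Assumes
# ORACLE_SID is set, sqlplus is on PATH, and "/ as sysdba" succeeds.

function Invoke-SqlPlus {
    # Runs a SQL text block non-interactively and returns the output lines.
    # -S suppresses banners; -L gives up after one failed logon instead of prompting.
    param([Parameter(Mandatory)][string]$Sql)
    "SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 300`n$Sql`nEXIT`n" | & sqlplus -S -L '/ as sysdba'
}

# COMP_ID values as recorded in DBA_REGISTRY. JAVAVM and XDB are included
# because Oracle Multimedia depends on the Oracle JVM and Oracle XML DB.
$Components = [ordered]@{
    ORDIM   = 'Oracle Multimedia'
    CONTEXT = 'Oracle Text'
    SDO     = 'Oracle Spatial and Graph'
    JAVAVM  = 'Oracle JVM (prerequisite for Oracle Multimedia)'
    XDB     = 'Oracle XML DB (prerequisite for Oracle Multimedia)'
}

function Get-OracleComponentStatus {
    $ids = ($Components.Keys | ForEach-Object { "'$_'" }) -join ','
    $sql = "SELECT comp_id || '|' || version || '|' || status FROM dba_registry WHERE comp_id IN ($ids);"
    $found = @{}
    Invoke-SqlPlus -Sql $sql | Where-Object { $_ -match '\|' } | ForEach-Object {
        $f = $_.Trim() -split '\|'
        $found[$f[0]] = @{ Version = $f[1]; Status = $f[2] }
    }
    foreach ($id in $Components.Keys) {
        [pscustomobject]@{
            CompId    = $id
            Component = $Components[$id]
            Version   = if ($found.ContainsKey($id)) { $found[$id].Version } else { '' }
            Status    = if ($found.ContainsKey($id)) { $found[$id].Status }  else { 'NOT INSTALLED' }
        }
    }
}

Get-OracleComponentStatus | Format-Table -AutoSize
# Anything other than VALID needs attention. INVALID right after a manual
# install usually means invalid objects: run ORACLE_HOME\rdbms\admin\utlrp.sql
# as SYSDBA and check again.
```

NOT INSTALLED for ORDIM after running ordinst.sql and iminst.sql means the scripts did not complete; look for ORA- errors in their output before anything else.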
Oracle Database installs replication packages and procedures automatically rather than as a separate manual process. There are many configuration and usage possibilities with Advanced Replication.
This section describes how to manually configure Advanced Replication in Oracle Database. Follow the instructions only if you add Advanced Replication to an installation of Oracle Database that was not previously configured with this feature.
See Also:
Oracle Database Advanced Replication for more information about Advanced Replication and for definitions of master sites and materialized view sites

Configuring Advanced Replication consists of checking the tablespace and rollback segment requirements, setting the initialization parameters, and monitoring the data dictionary tables described in the following sections.
Recommended tablespace and rollback segment requirements for Advanced Replication are shown in Table 5-3.
Table 5-3 Advanced Replication Tablespace/Rollback Segment Requirements
Tablespace/Rollback Segment | Minimum Free Space
---|---
SYSTEM | 20 MB
UNDOTBS | 10 MB
RBS | 5 MB
TEMP | 10 MB
USERS | No specific requirement
Note:
Replication triggers and procedures are stored here.
See Also:
Oracle Database Administrator's Guide for more information about tablespaces

If you use Advanced Replication, then certain parameters must be added to the initialization parameter file, and others must be set to recommended values. Parameter names and values for the master site and materialized view sites are shown in Table 5-4.
Table 5-4 Advanced Replication Initialization Parameters
Parameter Name | Recommended Value | Site
---|---|---
 | 50 MB | master
 | 300 seconds | master
 | TRUE | master
 | 4 | master
 | Add 9 to current value | master
 | 2 (see note) | master
 | 2 | materialized view
Note: the master-site value of 2 depends on the number of n-way sites.
If you use Advanced Replication and intend to set up a large number of replicated objects, then monitor the following data dictionary tables with SQL SELECT statements:
ARGUMENT$
IDL_CHAR$
IDL_UB1$
IDL_UB2$
IDL_SB4$
I_ARGUMENT1
I_SOURCE1I$
SOURCE$
TRIGGER
If necessary, increase storage parameters to accommodate storage requirements of large numbers of replicated objects.
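The free-space minimums in Table 5-3 can be checked before replication is configured. The following PowerShell is an added example, not code from the Oracle documentation: it runs one query through SQL*Plus that sums free space per tablespace from DBA_FREE_SPACE (permanent tablespaces) and DBA_TEMP_FREE_SPACE (temporary tablespaces) and compares each tablespace named in Table 5-3 with its minimum. It assumes ORACLE_SID is set, sqlplus is on PATH, and OS authentication (/ AS SYSDBA) works; the tablespace names are taken from the table as printed, so adjust them to the actual names (Database Configuration Assistant usually names the undo tablespace UNDOTBS1, and RBS exists only with manual undo management).

```powershell
# Added example, not code from the Oracle documentation. Compares free space in
# the tablespaces named in Table 5-3 with the minimums the table lists. Assumes
# ORACLE_SID is set, sqlplus is on PATH, and "/ as sysdba" succeeds. Names are
# as printed in the table; adjust them (for example UNDOTBS1) to match the database.

function Invoke-SqlPlus {
    # Runs a SQL text block non-interactively and returns the output lines.
    param([Parameter(Mandatory)][string]$Sql)
    "SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 300`n$Sql`nEXIT`n" | & sqlplus -S -L '/ as sysdba'
}

# Minimum free space in MB, from Table 5-3 (USERS has no specific requirement).
$MinimumFreeMB = [ordered]@{ SYSTEM = 20; UNDOTBS = 10; RBS = 5; TEMP = 10 }

function Get-ReplicationTablespaceCheck {
    # Permanent tablespaces expose free extents through DBA_FREE_SPACE;
    # temporary tablespaces through DBA_TEMP_FREE_SPACE.
    $sql = @'
SELECT tablespace_name || '|' || ROUND(SUM(bytes) / 1048576)
FROM   dba_free_space
GROUP  BY tablespace_name
UNION ALL
SELECT tablespace_name || '|' || ROUND(free_space / 1048576)
FROM   dba_temp_free_space;
'@
    $free = @{}
    Invoke-SqlPlus -Sql $sql | Where-Object { $_ -match '\|' } | ForEach-Object {
        $f = $_.Trim() -split '\|'
        $free[$f[0]] = [int]$f[1]
    }
    foreach ($ts in $MinimumFreeMB.Keys) {
        $present = $free.ContainsKey($ts)
        [pscustomobject]@{
            Tablespace = $ts
            MinimumMB  = $MinimumFreeMB[$ts]
            FreeMB     = if ($present) { $free[$ts] } else { 'absent' }
            OK         = if ($present) { $free[$ts] -ge $MinimumFreeMB[$ts] } else { $false }
        }
    }
}

Get-ReplicationTablespaceCheck | Format-Table -AutoSize
```

A row reported as absent is not necessarily a problem: with automatic undo management there is no RBS tablespace, and the undo tablespace is checked under whatever name it actually has once the name in $MinimumFreeMB is corrected.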