Remotely SQLPlus as sysdba – ORA-01031: insufficient privileges

Hello,

SQLPlus as SYSDBA remotely can throw the following error due to security reason :

>sqlplus sys/syspass@servername/instance as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Mer. Ao¹t 30 14:25:48 2017

Copyright (c) 1982, 2011, Oracle. All rights reserved.

ERROR:
ORA-01031: insufficient privileges

 

To allow to connection, connect locally using SQLPlus and make sure the parameter “remote_login_passwordfile” is set to ‘”EXCLUSIVE” :

SQL> show parameter remote_login_passwordfile

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE

 

Then check a password file exist for your instance :

SQL> select * from v$pwfile_users;

no selected row.

 

It appears it does not exist and needs to be created to allow remote connection. We will create on a Windows Server and I will refer to Oracle doc https://docs.oracle.com/html/E25494_01/dba007.htm

D:\oracle\11.2.0\db\BIN>orapwd.exe file=D:\oracle\11.2.0\db\database\PWDINSTANCENAME.ora

Enter password for SYS:

 

You can now log on remotely.

Advertisements

Oracle Veeam Backup | VSS_FAILED_AT_FREEZE | ORA-00257: archiver error from remote SQLPlus | ORA-16038 ORA-19809 ORA-00312 found in Eventvwr | Fast Recovery Area is Full

Today, I was facing an issue where my Veeam Backup job failed on one Oracle Server hosting many Instances.

Only one of them was failing and Veeam reported the following error :

Processing SERVER_NAME Error: Unfreeze error: [Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
A VSS critical writer has failed. Writer name: [Oracle VSS Writer - INSTANCE_NAME]. Class ID: [{26d02976-b909-43ad-af7e-62a4f625e372}]. Instance ID: [{bf669252-5552-433d-a0b5-cab28e14a19b}]. Writer's state: [VSS_WS_FAILED_AT_FREEZE]. Error code: [0x800423f4].]

 

Checking the Server Eventlogs reported Event 46, Oracle.VSSWriter.INSTANCE_NAME

General Tab :

VSS-00046: failure to switch the current database redo logs

Cause : OCI call failed.

Action : Check the accompanying error message.

Additional info :
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
Oracle VSS writer version 11.2.0.2.0 Production
Error at line : 4856
Failure on Freeze event

Details Tab reported (example copied from Internet) :

ORA-16038: log 1 sequence# 49 cannot be archived
ORA-19809: limit exceeded for recovery files
ORA-00312: online log 1 thread 1:
'/opt/oracle/db/home/data/imapdb/redo01.log'

 

Also, trying to connect remotely using SQLPlus trowed the following :

ERROR:
ORA-00257: archiver error. Connect internal only, until freed.

 

With all these information, I suspected the Fast_Recovery_Area to be full and it has been confirmed by running the following SQL statement (locally to avoid SQLPlus connection issue explained above) :

SQL> SELECT * FROM V$RECOVERY_FILE_DEST;

NAME
--------------------------------------------------------
SPACE_LIMIT SPACE_USED SPACE_RECLAIMABLE NUMBER_OF_FILES
----------- ---------- ----------------- ---------------
D:\oracle\fast_recovery_area
 4322230272 3,4490E+10 759962624 809

Indeed, it is more than full.

 

Finally, I tried to delete expired Archivelogs using RMAN but it did not find any files to delete. It’s why I suggest to 1st run a Crosscheck and then delete expired items :

  • Start RMAN in a Command Prompt
  • Connect to your Instance
rman > connect target SYS/oracle@trgt
  • Run a Crosscheck
rman > crosscheck archivelog all;
  • Delete expired Archivelogs
rman > delete expired archivelog all;

 

In my case,  after deleting expired Archivelogs, the FRA was still Full so I decided to simply delete all of them and just keep the last 10 days by running :

rman>delete archivelog until time ‘SYSDATE-10’;

 

Veeam Backup & Oracle VSS is now working, Remote SQLPlus connection too. Solved. Hope this helps.

Oracle Client 12.1 crashes / closes when clicking on Install at Step 6 of 8

CAUSE

OUI is unable to create or update the appropriate registry keys for 32-bit installation.

You can run the below query to make sure registry does not have the required key.

C:> reg query HKLM\SOFTWARE\WOW6432Node\ORACLE /v inst_loc
ERROR: The system was unable to find the specified registry key or value.

Development team is currently working on this issue via bug 20219460

SOLUTION

Monitor this Bug for the final solution, Bug 20219460 INSTALLER OUI DISAPPEARED ON INSTALLING WIN32 BIT CLIENT ON WINDOWS2012 R2 64BIT

Workaround:

1. Open registry
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node
3. Create a new key with name Oracle
4. Go to Oracle and then create a new String Value with name inst_loc
5. Give the value as C:\Program Files (x86)\Oracle\Inventory
6. Retry installation.

 

Source : oracle.com

Install VMWare Tools on Linux VM using open-vm-tools

Hello everyone,

 

This article will show how to install VMWare Tools on a Linux VM. For this example, I’ll do it on a Debian/Ubuntu & CentOs Distributions.

First thing to know is you can install VMWare Tools as you do on a Windows VM by Right-Clicking the VM – Guest – Install/Upgrade VMWare Tools. VMWare already has a good article on HowTo do it here.

But ! VMWare itself recommends installing 3rd Party OS VM Tools Package named “open-vm-tools” so I’ll go ahead with is installation which is easier and faster than installing VMWare’s own tools from vSphere Client.

For Debian/Ubuntu :

  • Log on to your Server as root and update apt-get
apt-get update
  • Install “open-vm-tools”
apt-get install open-vm-tools

 

For CentOs :

Depending on your CentOs version, you should be or not be able to install the package instantly from the default Repo if you have one of the latest version, here 7.2. If earlier version, maybe you will need to add a Repo.

  • Install “open-vm-tools”
yum install open-vm-tools
  • Start the service
service vmtoolsd start

 

Done. Hope this helps.

 

BGInfo – Display Windows information on Background and deploy using GPO

Hi,

I have just set up BGInfo on my Servers and I will share with you the steps I followed to get it customized and deployed through GPO.

 

At the time I write this, the version is 4.22.

 

  • Extract it and copy Bginfo.exe to \\domain.local\NETLOGON\BGInfo\

BGInfo folder has to be created. If you face permission problem, logon to your DC and create it in its local location : C:\Windows\SYSVOL\domain\scripts\BGInfo

 

  • Run Bginfo.exe and customize it to suit your needs.

I will not explain how it works as it’s pretty simple. Once configured, save it (File – Save As) in the same folder. You can name it what you want. for this example I used “Bginfo.bgi”.

 

  • Create a new Batch file in the same folder, in this example named “Bg_script.bat” which will contain the following and will be executed by your GPO in the next steps :
@echo off
\\domain.local\NETLOGON\BGInfo\Bginfo.exe /nolicprompt /timer:0 \\domain.local\NETLOGON\BGInfo\Bginfo.bgi
exit

The argument “/nolicprompt” remove the licence agreement and “/timer:0” apply it without delay. For more information on arguments, check the download link given above.

 

  • Create a new GPO and link it to your Servers Organization Unit. The settings I used are :

BGInfo_GPO

As you can see, the script is executed at Logon on User’s context (yeah I know, I said to apply the GPO on your Servers Organization unit). This is why the GPO Loopback Processing mode is enabled. For more information, consult Microsoft documentation here : https://technet.microsoft.com/en-us/library/cc978513.aspx

 

  • Ok, at next logon, you should have your new BGInfo applied.

In my case, it’s mostly instant on Windows Server 2008 (R2) but takes a few seconds/minutes on Windows Server 2012 (R2).

Hope this helps!

 

 

IIS (.pfx) SSL Certificate to Apache (.crt and .key)

Hello everyone,

This article is coming from RapidSSL knowledge base. I will not rewrite it to make it my own. Useless. I can just confirm that it is well explained and working as expected as I had to do it.

 

To move a SSL certificate from Microsoft IIS 7.0 to Apache, the certificate must be converted from a PKCS#12 (.p12 or .pfx) to two separate files (private and public key).

Step 1: Export certificate in IIS 7

  1. From the web server, click Start
  2. In the Search programs and files field, type mmc
  3. From the Programs list, click mmc.exe
  4. At the permission prompt, click Yes
  5. From the Microsoft Management Console (MMC), click  File Add/Remove Snap-in
  6. From the list of snap-ins, select Certificates
  7. Click Add
  8. Select Computer account
  9. Click Next
  10. Select Local computer (the computer this console is running on)
  11. Click Finish
  12. In the Add/Remove Snap-in window, click OK
  13. Save these console settings for future use
  14. Double click on Certificates (Local Computer) in the center window.
  15. Double click on the Personal folder, and then on Certificates.
  16. Right Click on the Certificate you would like to backup and choose > All Tasks > Export
  17. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
  18. Choose to ‘Yes, export the private key
  19. Choose to “Include all certificates in certificate path if possible.” (do NOT select the delete Private Key option)
  20. Enter a password you will remember
  21. Choose to save file on a set location
  22. Click Finish
  23. You will receive a message > “The export was successful.” > Click OK
  24. The .pfx file backup is now saved in the location you selected.

Step 2:  Convert PFX file to compatible files for Apache

Move the .pfx file to the Apache server or install OpenSSL on your Windows  ( https://slproweb.com/products/Win32OpenSSL.html )

To extract the private key, run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx  -nocerts -out key.pem

To extract the certificate (public key), run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

cert.pem can be renamed to server.crt if needed
If you do not want to include a passphrase you can use the following command:

openssl rsa -in key.pem -out server.key

 

You can now use server.crt and server.key in your Apache configuration.

Install Apache Reverse Proxy on Ubuntu Server

Hello everyone,

I am going to implement an Apache Reverse Proxy on Ubuntu Server. I will share with you the steps I did to accomplish this task.

 

  • Install Ubuntu Server

I will not explain how to install Ubuntu Server as it’s straight forward and easy. For your information I used the 16.04.2 version and did a basic install without LAMP.

 

  • Install Apache

First of all, run :

sudo apt-get update

sudo apt-get upgrade

To make sure all of your packages are up to date. Then install Apache, here Ubuntu version 2.4.18 :

sudo apt-get install apache2

Check that Apache is now properly running and available by opening up your browser and surf to your server’s IP or run :

service apache2 status

 

  • Configure Apache

To work as a Proxy,  Apache needs some modules enabled. To enable a module, you can run :

a2enmod

It will show you all available modules you can enable. We will go ahead with the following ones :

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo a2enmod rewrite
sudo a2enmod deflate
sudo a2enmod headers
sudo a2enmod proxy_balancer
sudo a2enmod proxy_connect
sudo a2enmod proxy_html

We will then need to disable Apache default configuration file 000-default.conf and create a new one inside the /etc/apache2/sites-available directory.

To disable it, run :

sudo a2dissite 000-default

Then create the new file :

sudo nano /etc/apache2/sites-available/reverse-proxy.conf

Note : you need to name it .conf or “a2ensite” will not find it when trying to enable it later.

Add your VirtualHost in this file to match your Reverse-Proxy preferences. Here is mine, you can tweak it :

<VirtualHost *:80>
 ServerName localhost
 DocumentRoot /var/www/html
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 <Location />
 Require all denied
 </Location>
</VirtualHost>

<VirtualHost *:80>
 ServerName server1.domain.com
 ServerAdmin admin@domain.com
 DocumentRoot /var/www/html
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 ProxyPass / http://srv1.domain.com/
 ProxyPassReverse / http://srv1.domain.com
# ProxyPreserveHost On
</VirtualHost>

<VirtualHost *:80>
 ServerName server2.domain.com
 ServerAdmin admin@domain.com
 DocumentRoot /var/www/html
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 ProxyPass / http://srv2.domain.com/
 ProxyPassReverse / http://srv2.domain.com
# ProxyPreserveHost On
</VirtualHost>

 

The first VirtualHost will just deny the access to the default website if the others two are not match when checking the ServerName directive.

If you browse to server1.domain.com, it will forward requests to server srv1.domain.com and if you browse to server2.domain.com, it will forward requests to srv2.domain.com.

If you browse using the IP address or another subdomain pointing to your Proxy server, you will get the access denied webpage from the first VirtualHost.

I suggest you to read the great document on Apache’s website for more information on how Apache handle incoming requests, their orders and whats Directives your can use.

Here is the doc followed by some examples :

https://httpd.apache.org/docs/2.4/vhosts/index.html

https://httpd.apache.org/docs/2.4/vhosts/examples.html

 

Now, enable your new configuration file :

sudo a2ensite reverse-proxy

And finally, restart Apache :

sudo service apache2 restart

 

Your Proxy server should now work. IE.: as said above, browsing to server1.domain.com should redirect you to the app hosted on srv1.domain.com