Category: APEX

August 14

Whether you like it or not, XMLDB will be an important component of your new Oracle 11g database. I hadn’t really looked into the new dependencies regarding other features of the database. I mainly tested Oracle 11g XMLDB storage functionality, but today, fiddling around with the new WSDL web service feature, I encountered a serious security issue. Eh, improvement, that is.

XMLDB functionality controls a lot of security with its built-in ACL (Access Control List) security. Today I discovered that NOT ONLY XMLDB functionality but also OTHER database features are affected by it.

Yesterday I installed Oracle 11.1.0.6.0 on Oracle Enterprise Linux V5. Doing so, I was able to get the WSDL functionality working. Mark Drake (Sr. Product Manager Oracle, XML Technologies), as always, replied to my question on the XMLDB OTN forum with a great example of how one could enable and/or use the WSDL feature. It also mentioned the use of a package called DBMS_NETWORK_ACL_ADMIN.

When I looked further into the package DBMS_NETWORK_ACL_ADMIN, I read that it is part of Oracle’s tightened security methods, also referred to as “Fine-Grained Access to External Network Services”. Packages that create access to the world outside the database are controlled via XMLDB ACL methods.

Packages now controlled via ACLs are: UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR.
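
A least-privilege setup with DBMS_NETWORK_ACL_ADMIN, added here as an example; it is not taken from the original post or from Mark Drake's forum reply. The user APP_USER, the host ws.example.com and the ACL file name app_ws_acl.xml are assumptions.

```sql
-- Added example: least-privilege network ACL for UTL_HTTP on Oracle 11g.
-- Assumed names (not from the original post): APP_USER, ws.example.com,
-- app_ws_acl.xml. Run as a user with EXECUTE on DBMS_NETWORK_ACL_ADMIN.

BEGIN
  -- Create the ACL in the XML DB repository (under /sys/acls/) and grant
  -- a single principal the 'connect' privilege. The principal name is
  -- case-sensitive. UTL_INADDR lookups need the 'resolve' privilege instead.
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_ws_acl.xml',
    description => 'Outbound HTTP for APP_USER to one web service host',
    principal   => 'APP_USER',
    is_grant    => TRUE,
    privilege   => 'connect');

  -- Bind the ACL to one host and one port rather than to host => '*',
  -- so the schema cannot open connections to arbitrary destinations.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app_ws_acl.xml',
    host       => 'ws.example.com',
    lower_port => 80,
    upper_port => 80);

  COMMIT;
END;
/

-- Review which hosts and ports are reachable, and through which ACL.
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls;

-- Review which principals hold which privileges.
SELECT acl, principal, privilege, is_grant
  FROM dba_network_acl_privileges;

-- Ask the database directly: 1 = granted, 0 = denied, NULL = no entry.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
         'app_ws_acl.xml', 'APP_USER', 'connect') AS can_connect
  FROM dual;
```

A user with no matching ACL entry gets ORA-24247 (network access denied by access control list) when calling one of the UTL_ packages listed above.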

The Oracle 11g Upgrade manual describes it as follows:

June 8

A while ago I noticed a new addition to the DBMS_XDB package named SETLISTENERLOCALACCESS that, despite being part of an XMLDB package, I first saw on an APEX forum (it is not listed in the Oracle 10g manuals, e.g. Oracle® Database PL/SQL Packages and Types Reference).

What does it do?

The manual (Oracle® Database Express Edition Installation Guide!) described it as follows:

4.4 Making Oracle Database XE Server Available to Remote Clients
After you install Oracle Database XE Server, its graphical user interface is only available from the local server, not remotely.

    Security Note:

    With remote HTTP access to Oracle Database XE, all information exchanged between the browser and the database is in clear text—that is, unencrypted—including database user names and passwords. If this is cause for concern, do not enable remote HTTP connection to the database.

When I asked for an explanation on the XMLDB forum, the following information was given:

June 6

In itself, this one is very simple, but to my surprise it is still not very clear when I read the questions about this on the OTN XMLDB forum. Maybe this occurs because this isn’t mentioned on the OTN XMLDB FAQ thread, which isn’t read as much as it should be. A lot of really good examples of Mark (Drake) are described in more detail here, and they are definitely worth your time.

So how do you enable the WebDAV, HTTP(s) and FTP(s) functionality via the protocol server?

Before Oracle database version 10.2 this was done by default (HTTP on port 8080, FTP on port 2100). After that (and in my opinion this is the correct behavior) the port numbers are set to 0 (zero) and this functionality is therefore disabled.

The XMLDB Protocol Server functionality is configured and controlled via the xdbconfig.xml file. Updating this file via SQL statements is described in the following section.