
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


A new sample installation session for Oracle Password Repository (OPR) version 1.1.8



Mike Thomas has emailed me a new sample installation session including some great commentary and notes. If anyone is considering using Oracle Password Repository (OPR) they would find these notes useful. Here they are in full:


----------
Updated 2005-Jul-01

The improvements in opr-1.1.8.tar.gz required
us to revise and simplify our walk-through notes.
The issues with SETUID and dynamic library loading
were fixed. The program works on RHEL3 LINUX as written.
--

We chose to implement one repository per system
(host or cluster) because we wanted one repository
to reside on each filesystem with our scripts.
We installed one OPR repository on hosts
serving multiple databases. We installed another
OPR repository on an nfs mounted file system being
shared by each node on a RAC cluster.

Our opr.sh script is used to set the OPRREPOS
environment variable. If we deploy opr.sh
to an existing path we eliminate any client
environment settings for the tool.
--

Mike Thomas
qnxodba@gmail.com
--


---
-- Setup OPR on host
---
login oracle @minke

---
-- Create opr LINUX account
---
su - root
groupadd oprinstall # group owner of OPR files
useradd -c "Oracle Password Recovery" -g oprinstall opr
passwd opr
--
Note:
useradd -m (create home directory) -g (initial group) -G (supplementary groups)
--

---
-- Test accounts
---
su - root
groups opr
id opr
id oracle
--
[root@minke root]# groups opr
opr : oprinstall
--
[root@minke opr]# id opr
uid=605(opr) gid=605(oprinstall) groups=605(oprinstall)
--
[root@minke opr]# id oracle
uid=600(oracle) gid=600(oinstall) groups=600(oinstall),601(dba)
--

-- shell
vi .bash_profile
set | grep -i ora
--
Note: see below
--

---
-- Install OPR
---
login opr @minke

-- (1) directory
cd /home/opr
rm -rf /home/opr/data
rm -rf /home/opr/prog
mkdir /home/opr/data
mkdir /home/opr/prog
chmod 700 /home/opr/data
chmod 700 /home/opr/prog
ls -al
--

-- (2) program
cd /home/opr/prog
ftp opr-1.1.8.tar.gz to /home/opr/prog
tar zxvf opr-1.1.8.tar.gz
--
cd /home/opr/prog/opr-1.1.8
./configure
make
strip src/opr
cp /home/opr/prog/opr-1.1.8/src/opr /home/opr
--
cd /home/opr
opr -c
ls -l $OPRREPOS
chmod 755 /home/opr
chmod 511 /home/opr/opr
chmod u+s /home/opr/opr
ls -al /home/opr/opr
chmod 555 /home/opr/opr.sh
chmod u+s /home/opr/opr.sh
ls -al /home/opr/opr.sh
--

-- (3) script
vi /home/opr/opr.sh
#!/bin/bash
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
opr ${1} ${2} ${3} ${4}

--
[opr@minke src]$ ls -l $OPRREPOS
-rw------- 1 opr oprinstall 352 Jul 1 11:04 /home/opr/data/repos.opr
[opr@minke src]$ ls -al /home/opr/opr
-r-s--x--x 1 opr oprinstall 20308 Jul 1 11:01 /home/opr/opr
[opr@minke src]$ ls -al /home/opr/opr.sh
-r-sr-xr-x 1 opr oprinstall 87 Jul 1 11:05 /home/opr/opr.sh
--


-- (4) Client oracle .bash_profile modification
ORACLE_BASE=/u01/app/oracle;export ORACLE_BASE
OPR_BASE=/home/opr;export OPR_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME
PATH=/usr/sbin:/sbin:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$OPR_BASE:$PATH
--
Note: If opr.sh is placed in a directory already on the PATH, then no client
environment settings (e.g. OPR_BASE) need to be added to the path.
--

---
-- Configure commands OPR repository
---
--
login opr @minke

--
cat /etc/oratab | egrep ":N|:Y"
--
[opr@minke opr]$ cat /etc/oratab | egrep ":N|:Y"
*:/u01/app/oracle/product/10.1.0/db_1:N
CALPREC:/u01/app/oracle/product/10.1.0/db_1:N
--

--
-- Adding a password requires the default '*:/u01...' entry in /etc/oratab as shown above.
--

-- minke
opr -a calprec calgb oracle
--
-- orca (cluster)
opr -a calp calgb oracle
--
-- narwhal (cluster)
opr -a calp calgb oracle {should fail as duplicate entry}
--
-- pilot
opr -a cald calgb oracle
--
Note: opr -a
Adding -f option forces entry without database verification.
--

---
-- Test OPR examples
---
login oracle @minke
sqlplus "calgb/`opr.sh -r calprec calgb`@cald"
--
login oracle @orca
sqlplus "calgb/`opr.sh -r calp calgb`@calp"
--
login oracle @narwhal
sqlplus "calgb/`opr.sh -r calp calgb`@calp"
--
login oracle @pilot
sqlplus "calgb/`opr.sh -r calp calgb`@cald"
--
Note: The and parameters are case insensitive.
--


----------
-- OPR UNIX ACCOUNT
----------
login opr @minke

vi .bash_profile
--
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

##########
# Login Sequence - Check if behaviour unclear
# /etc/passwd
# /etc/shadow
# /etc/group
# /etc/profile
# /etc/profile.d/*.sh
# ~/.bash_profile
# ~/.bashrc
# /etc/bashrc
##########
# User specific environment and startup programs
##########
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
DB_HOME=$ORACLE_BASE/product/10.1.0/db_1; export DB_HOME
OPR_BASE=/home/opr;export OPR_BASE
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME
#
##########
#PATH=$PATH:$HOME/bin
#PATH=/usr/sbin:/sbin:$PATH
PATH=/usr/sbin:/sbin:$DB_HOME/bin:$ORACLE_HOME/OPatch:$OPR_BASE:$PATH
#
export PATH
##########

unset USERNAME
--

----------

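As an added check that is not part of Mike's notes or of OPR itself, the script below audits a layout built the way steps (1) to (4) of the walkthrough describe: repository mode 600, a setuid opr binary owned by the same account as the repository, and nothing writable by other users anywhere on the call path. It takes the paths as arguments so it can run against a constructed tree, and it assumes GNU coreutils stat (the -c option) as found on RHEL and other Linux systems.

```shell
#!/bin/sh
# Added example (not from Mike Thomas's notes or the OPR project): audit the
# modes of an OPR layout built as in steps (1) to (4) above. Real paths would be
# /home/opr, /home/opr/opr, /home/opr/opr.sh, /home/opr/data/repos.opr; they are
# arguments here so the check runs on a constructed tree. Needs GNU stat (-c).

# mode_of PATH -> permission bits as a decimal number usable in $(( ))
mode_of() { printf '%d\n' "0$(stat -c '%a' "$1")"; }
# check_opr_layout BASE BINARY WRAPPER REPOS -> 0 if all checks pass, else 1
check_opr_layout() {
    base=$1 bin=$2 wrap=$3 repos=$4 rc=0
    for p in "$base" "$bin" "$wrap" "$repos"; do
        [ -e "$p" ] || { echo "FAIL: $p is missing"; return 1; }
    done
    # repository: exactly 600, readable by the opr account alone
    [ "$(mode_of "$repos")" -eq "$((0600))" ] ||
        { echo "FAIL: $repos mode $(stat -c '%a' "$repos"), want 600"; rc=1; }
    # binary: setuid, so a caller reads the repository as its owner ...
    [ "$(( $(mode_of "$bin") & 04000 ))" -ne 0 ] ||
        { echo "FAIL: $bin is not setuid"; rc=1; }
    # ... which only works if binary and repository share that owner
    [ "$(stat -c '%U' "$bin")" = "$(stat -c '%U' "$repos")" ] ||
        { echo "FAIL: $bin and $repos have different owners"; rc=1; }
    # nothing on the call path may be group/world writable, or another local
    # user could replace opr or opr.sh and harvest every stored password
    for p in "$base" "$bin" "$wrap"; do
        [ "$(( $(mode_of "$p") & 022 ))" -eq 0 ] ||
            { echo "FAIL: $p is group/world writable"; rc=1; }
    done
    return "$rc"
}
# build_sample_tree DIR -> constructed layout using the walkthrough's chmods
build_sample_tree() {
    mkdir -p "$1/data" && chmod 700 "$1/data"
    echo 'constructed placeholder, not a real repository' > "$1/data/repos.opr"
    printf '#!/bin/sh\necho stand-in for the opr binary\n' > "$1/opr"
    printf '#!/bin/bash\nOPRREPOS=%s/data/repos.opr;export OPRREPOS\nopr "$@"\n' "$1" > "$1/opr.sh"
    chmod 600 "$1/data/repos.opr"; chmod 4511 "$1/opr"; chmod 555 "$1/opr.sh"; chmod 755 "$1"
}
# audit_sample STRICT -> audit a fresh tree; STRICT=0 first loosens the repository
audit_sample() {
    d=$(mktemp -d)
    build_sample_tree "$d"
    [ "$1" = 1 ] || chmod 644 "$d/data/repos.opr"   # simulate a careless chmod
    check_opr_layout "$d" "$d/opr" "$d/opr.sh" "$d/data/repos.opr"; r=$?
    rm -rf "$d"
    return "$r"
}
audit_sample 1 && echo "walkthrough layout: accepted"
audit_sample 0 || echo "644 repository: rejected"
```

Linux ignores the setuid bit on scripts, so the chmod u+s on opr.sh in step (2) has no effect and the check only requires setuid on the opr binary; the wrapper still matters because a writable copy of it could be swapped for one that captures the retrieved password.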

Again many thanks to Mike and Brian for compiling these notes and for testing and documenting the installation and configuration of OPR. Great work!