
John's Blog

This is my blog of various topics, from things that I think might be useful to others, to things that I just find interesting personally. If you have any comments or questions on any of my posts then please do ask - any positive contribution is very much welcomed.

The views expressed in this blog are completely my own and do not reflect those of Beyond Systems Ltd. All content is provided for informational purposes only, and you are solely responsible for how you use this on your own or others' systems. We accept no liability for any losses or damages caused.

John Keymer

My primary area of interest and expertise is Oracle E-Business Suite, particularly Foundation, Human Resources, Payroll, Time and Labor, Warehouse Management and Inventory. Whilst I prefer to focus on functional aspects I do have a keen interest in technical areas too such as SQL tuning/the optimizer, Application Express (APEX), Unix (particularly Linux) and general development.

Unless you've been hiding under a stone for the past few years you'll know that the cloud is the big thing at Oracle. There are fewer and fewer on-premises installations for greenfield projects, and with the new pricing structure it is easy to see why more and more organizations are considering cloud services for their new developments. An easy first venture for a client new to the cloud might be a reporting suite, developed in APEX, using data from their source ERP system. The big question then is: how do you transfer your data to the cloud securely? There are many products to facilitate this, such as Oracle Data Integrator (ODI), Oracle DataSync, or custom processes with file transfers over SFTP. However, I want to show a really easy way to do this via an SSH tunnel.

There are a number of steps, some of which are optional (such as TNS names entries) and can be skipped; however, I've written the post as I would prefer to set it up - you may choose. I am using E-Business Suite R12.1.3 Vision as the source system, but the principle applies equally to others.

Source System Configuration

First we create a read-only user on the source system and grant it SELECT on the objects we wish to expose. We then create synonyms as that user to make querying easier (and to protect against schema changes in the future). Note that the session below grants the RESOURCE role and sets the password equal to the username; for an account that will be reachable over the tunnel, grant only CREATE SESSION (plus CREATE SYNONYM) and the individual SELECT privileges, and use a strong generated password.
As SYS

VIS121 r121@ebs121-vm ~ $ sqlplus / as sysdba

SQL*Plus: Release 11.1.0.7.0 - Production on Tue Dec 12 16:00:40 2017

Copyright (c) 1982, 2008, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> create user apps_cl_query identified by apps_cl_query;

User created.

SQL> grant connect, resource to apps_cl_query;

Grant succeeded.

SQL> conn apps/apps
Connected.
SQL> grant select on per_all_people_f to apps_cl_query;

Grant succeeded.

SQL> conn apps_cl_query/apps_cl_query
Connected.
SQL> create synonym per_all_people_f for apps.per_all_people_f;

Synonym created.

SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
VIS121 r121@ebs121-vm ~ $
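A least-privilege version of the account set-up above, added here as an example rather than taken from the post's own session. It keeps the APPS_CL_QUERY name and the PER_ALL_PEOPLE_F grant; the password and the profile name APPS_CL_QUERY_PROF are placeholders. On 11g the RESOURCE role also carries UNLIMITED TABLESPACE, which is why it is left out and a zero quota is set instead.

```sql
-- Added example, not the session from the original post.
-- Run the first part as SYS, the grant as APPS, the synonym as APPS_CL_QUERY.

-- As SYS: an account that can log in and create synonyms, and nothing else.
create user apps_cl_query identified by "Replace-Me-With-A-Generated-Secret"  -- placeholder password
  default tablespace users
  temporary tablespace temp
  quota 0 on users;                      -- no space to create objects of its own

grant create session to apps_cl_query;   -- what CONNECT amounts to since 10gR2
grant create synonym to apps_cl_query;
-- RESOURCE is deliberately not granted: on 11g it carries CREATE TABLE,
-- CREATE PROCEDURE, CREATE TRIGGER and UNLIMITED TABLESPACE.

-- Lock the account down a little further (profile name is assumed).
create profile apps_cl_query_prof limit
  failed_login_attempts 5
  password_life_time   90;
alter user apps_cl_query profile apps_cl_query_prof;

-- As APPS: expose only the objects the cloud reporting needs, SELECT only.
grant select on apps.per_all_people_f to apps_cl_query;

-- As APPS_CL_QUERY: synonym so reports need not be schema-qualified.
create synonym per_all_people_f for apps.per_all_people_f;

-- Check (as SYS): confirm nothing beyond CREATE SESSION / CREATE SYNONYM
-- and the intended SELECT grants was picked up.
select privilege    as granted from dba_sys_privs  where grantee = 'APPS_CL_QUERY'
union all
select granted_role as granted from dba_role_privs where grantee = 'APPS_CL_QUERY';

select owner, table_name, privilege
  from dba_tab_privs
 where grantee = 'APPS_CL_QUERY';
```

The two check queries should list exactly CREATE SESSION and CREATE SYNONYM in the first result and one SELECT row per exposed table in the second; anything more means the account is not read-only.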

Tagged in: Cloud DBaaS ETL

If you haven't already started using Oracle Cloud services, then what better way than to sign up for $300 free credits for a pay-as-you-go subscription (valid for one month)? Simply visit https://cloud.oracle.com/tryit and click Sign Up. I did it earlier - it's really easy and was set up within an hour. To try it out, I provisioned myself a Standard Edition Database service - again, pretty easy. You can choose either a predefined set of options, or customise it to suit your needs (in terms of CPUs, memory, database version etc). You'll see the service in your console with a status of "Creating service...".

Creating Service

After about half an hour the service provisioning is complete. You may notice that provisioning a Database service actually gives you a couple of supporting services too - you can of course provision these standalone if required.

Services

Starting/Stopping a particular service is as easy as this:

Starting and Stopping Services

Next was getting access via SSH. To do that you will need to generate a key pair on your client machine using ssh-keygen. Then simply copy your public key up to the cloud service; the private key stays on your client machine.

Tagged in: Cloud Database 12.2

I know there are already a good number of blogs/guides out there describing various methods of automating the backup of APEX applications, however I thought I'd share the method I recently implemented internally, as it uses a remote Subversion repository. This gives a number of subsequent benefits such as holding a full version history, low storage overheads and resilience to local hardware failure. Why might you want to do this? Well, aside from the obvious catastrophes, acts of God, malicious deletion, accidental corruption etc, it's sometimes simply useful to be able to take your application as of a particular point in time, regardless of your database flashback etc.
Anyway, here is the process we will follow.

  1. Export all our APEX applications from the workspace.
  2. Add any new applications that we've not seen before to the svn repository.
  3. Commit any changes to svn.

First we need to create a working directory of our repository on the APEX database server. Note that I already added all applications to this repository previously - this is not necessary however. I chose to check out a specific directory only rather than the root. You of course need to install the svn client software on your server if you haven't already for this step. It's free and easy - and not worth explaining here.

[oracle@localhost tmp]$ svn checkout https://mysvnrepo/folder/subfolder/etc svn
A    svn/f101.sql
A    svn/f10100.sql
A    svn/f110.sql
A    svn/f10200.sql
A    svn/f20100.sql
A    svn/f10210.sql
A    svn/f20200.sql
A    svn/f20300.sql
Checked out revision 1079.

To export we can use the APEXExport Java utility, called as follows. Note that the password passed on the command line is visible to other local users in the process list and in your shell history, so run this from a protected script owned by the oracle user rather than typing it interactively.

java -cp $CLASSPATH oracle.apex.APEXExport -db <database connection> -user <database user> -password <database password> -workspaceid <workspace id>

This will generate a set of .sql files in the format f<application_id>.sql in the current directory, which we can then copy into our working directory. The issue here is that an APEX export file contains a line representing the date and time at which the export was done. This will then be considered a change by svn. To avoid that, I strip out that line using the sed utility.

sed -i '/--   Date and Time:/d' f*.sql
Tagged in: APEX

Oracle APEX Exploitation - Part 3

This is the third in my series of short posts about methods that can be used to exploit your Oracle APEX applications. The first two posts concentrated on URL Injection, which is relatively easy to protect against; this third post focuses on something that is a bit more difficult to stop, and not quite as obvious an issue. I am going to call it Select List Injection.

Select List Injection

This exploit relies on the application having a select list that has been filtered somehow for the user. For example, a select list may show the list of employees that report to the current user - in reality the list of employees on the base table is a superset of these.

Mechanism of Attack

A simple example is a page which contains a select list of employees reporting to the current user and displays a report based on the selected value. The select list only contains the employees visible to the user. Note that the report query below filters only on :p5_emp_id; the manager restriction lives solely in the LOV query, so the report trusts whatever value is in session state when the page is submitted. We can set up a simple example as follows.
Select List LOV Code:

select ename, empno from emp
where mgr=7566
order by ename


Report Code:

select ename, empno, hiredate, sal from emp
where empno=:p5_emp_id

Report
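The same page with the report query hardened, as an added example (not code from the original post). It assumes the SCOTT-style EMP table, the APEX page item P5_EMP_ID and the hard-coded manager 7566 that the post uses in place of the current user. URL checksums (Session State Protection) do not help here: the select list is a page item that the page's own form legitimately submits, so the server must re-check the submitted value against the same predicate the LOV used.

```sql
-- Added example, not from the original post. EMP is the SCOTT demo table;
-- 7566 stands in for "the current user" exactly as it does in the post.

-- 1. LOV query: restricts only what the browser is offered, not what it may submit.
select ename, empno
  from emp
 where mgr = 7566
 order by ename;

-- 2. Vulnerable report (as in the post): trusts P5_EMP_ID. Any empno the
--    browser posts is reported, whether or not it was in the list.
select ename, empno, hiredate, sal
  from emp
 where empno = :P5_EMP_ID;

-- 3. Hardened report: re-applies the LOV's authorisation predicate, so a
--    value outside the user's list returns no rows.
select ename, empno, hiredate, sal
  from emp
 where empno = :P5_EMP_ID
   and mgr   = 7566;

-- 4. Additionally, a page validation on P5_EMP_ID of type "SQL Query (Exists)"
--    with the same predicate, so a tampered value fails loudly on submit
--    instead of silently returning nothing.
select 1
  from emp
 where empno = :P5_EMP_ID
   and mgr   = 7566;
```

The principle generalises to every item whose permitted values are narrowed for the user: the filter that built the list must be applied again wherever the selected value is consumed (reports, processes, PL/SQL), never only in the LOV.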

Tagged in: APEX

Taking a break out of the APEX Exploits series for this as it's something I keep coming across at different client sites.

select p.full_name, s.full_name supervisor
  from per_people_x p, per_assignments_x a, per_people_x s
 where a.person_id = p.person_id
   and s.person_id (+) = a.supervisor_id;

With me (or the reader) being told: This query gives you all employees with their supervisors. Ah - but does it? Well, yes it does... sometimes.

The problem is, many a time a developer will use a view such as per_people_x without knowing exactly what it is doing, and what impact future configuration changes might have. They know the view only returns current records; it runs fine in the development tool (Toad, SQL Developer etc), and when put in an Oracle form it works fine too. All good. However, at some point in the future, after HR have been changing some of their security settings, we suddenly find that people's supervisors aren't being reported as expected. Why? Because the per_people_x view is secured. Our HR security profile lets us see the people, but we might not have access to see the records of their supervisor - and that includes something as simple as the name. In reality, our query should probably be:

select p.full_name, s.full_name supervisor
  from per_people_x p, per_assignments_x a, per_all_people_f s
 where a.person_id = p.person_id
   and s.person_id (+) = a.supervisor_id
   and trunc(sysdate) between s.effective_start_date(+) and s.effective_end_date(+);

But then again - should it? Are we interested in who is a person's supervisor now, or who was the supervisor at a particular point in time (i.e. maybe the run date of the Payroll) - hint - the above query shows the former. What about if the person is no longer an employee - they may not get included in the above.
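A point-in-time version of the supervisor query for the payroll-date case raised above, added as an example and not taken from the original post. :p_effective_date is an assumed bind (for instance the payroll run date). The _ALL_ tables are used deliberately so that the result does not depend on the caller's HR security profile; that also means this form belongs only in a context (a concurrent program, an integration schema) where bypassing that profile is acceptable, never in user-facing code that is supposed to honour it.

```sql
-- Added example, not from the original post.
-- :p_effective_date is an assumed bind, e.g. the payroll run date.
-- Uses the date-tracked base tables, so someone who has since left is still
-- returned if they were employed on that date, and the supervisor's name is
-- resolved regardless of the current user's HR security profile.
select p.full_name,
       s.full_name   as supervisor,
       a.supervisor_id
  from per_all_people_f      p,
       per_all_assignments_f a,
       per_all_people_f      s
 where a.person_id      = p.person_id
   and a.primary_flag    = 'Y'            -- one row per person
   and a.assignment_type = 'E'            -- employees only (not applicants / contingent workers)
   and :p_effective_date between p.effective_start_date and p.effective_end_date
   and :p_effective_date between a.effective_start_date and a.effective_end_date
   and s.person_id (+) = a.supervisor_id  -- outer join: keep people with no supervisor
   and :p_effective_date between s.effective_start_date (+) and s.effective_end_date (+);
```

Each of the three date-tracked tables needs its own effective-date predicate; the outer-join markers on the supervisor's row keep employees whose supervisor_id is null (or whose supervisor has no record on that date) rather than dropping them.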

Tagged in: E-Business Suite HRMS