For those unfamiliar with Oracle patching, it can be a little confusing to decide which patch to apply when you are shown a table with different patches for the same version.
I will try to clarify some doubts.
Note: You must provide a valid My Oracle Support login name in order to access the links below.
Patch version numbering changed
In November 2015 the version numbering for new Bundle Patches, Patch Set Updates and Security Patch Updates for Oracle Database changed: the 5th digit of the bundle version is replaced with a release date in the form “YYMMDD”, where:
- YY is the last 2 digits of the year
- MM is the numeric month (2 digits)
- DD is the numeric day of the month (2 digits)
More detail can be found here: Oracle Database, Enterprise Manager and Middleware – Change to Patch Numbering from Nov 2015 onwards (Doc ID 2061926.1)
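A sketch of how an inventory script can read the 5th field under both numbering styles and pick the newest patch level. This is an added example, not Oracle code; the function names and the version strings are constructed for illustration.

```python
from datetime import datetime


def parse_patch_version(version):
    """Split 'a.b.c.d.e' and interpret the 5th field.

    Returns (release, fifth, released): released is a date when the 5th
    field is a YYMMDD release date, and None for the older counter style.
    """
    parts = version.strip().split(".")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 5-field version: {version!r}")
    release = tuple(int(p) for p in parts[:4])
    fifth = parts[4]
    if len(fifth) == 6:
        # strptime rejects impossible dates such as 160231 (31 February)
        released = datetime.strptime(fifth, "%y%m%d").date()
        return release, int(fifth), released
    return release, int(fifth), None


def latest(versions):
    """Newest patch level; fields are compared as integers, never as text."""
    return max(versions, key=lambda v: parse_patch_version(v)[:2])


# Constructed version strings: two old-style counters, two YYMMDD dates.
SAMPLE_VERSIONS = ["9.9.0.1.7", "9.9.0.1.160419", "9.9.0.1.10", "9.9.0.1.151020"]

if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(v, parse_patch_version(v))
    print("latest:", latest(SAMPLE_VERSIONS))
```

A plain string comparison of the same list would rank "9.9.0.1.7" highest, which is why the fields are converted to integers first.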
Changes on Database Security Patching from 184.108.40.206 onwards
Starting with Oracle Database version 220.127.116.11, Oracle will only provide Patch Set Update (PSU) patches to meet the Critical Patch Update (CPU) program requirements for security patching. SPU (Security Patch Update) patches will no longer be available. Oracle has moved to this simplified model due to the popularity of the PSU patches. PSUs are Oracle’s preferred proactive patching vehicle since their inception in 2009.
Where to find the latest patches for Database?
Which patch to apply: PSU, GI PSU, Proactive Bundle Patch, or Bundle Patch (Windows 32bit & 64bit)?
When using the Patchset Assistant, the assistant shows the table below:
In this case I searched for the latest patch for 18.104.22.168.
Understanding the Patch Nomenclature:
New Patch Nomenclature for Oracle Products (Doc ID 1430923.1)
Note: As of April 2016, the Database Patch for Engineered Systems and Database In-Memory has been renamed from “Bundle Patch (BP) ” to “Database Proactive Bundle Patch”.
Note: Windows Platform must use “Bundle Patch (Windows 32bit & 64bit)”.
Database patch content:
- SPU contains only the CPU program security fixes
- PSU contains the CPU program security fixes and additional high-impact/low-risk critical bug fixes
- Proactive Bundle Patch (PBP) includes all PSU fixes along with fixes targeted at the specific Bundle Patch environment.
They are cumulative, so if you have an OH (22.214.171.124) at the base release (i.e. no fixes) and apply the latest PSU or PBP, it will fix all bugs from the base release up to the current version of the patch.
Where to apply each Patch?
- PSU – Can be applied on Database Servers, Client-Only and Instant Client.
- GI PSU – Can be applied on GI Home (Oracle Restart or Oracle Clusterware) in conjunction with RAC, RACOne, Single Instance home, Client-Only and Instant Client.
- Proactive Bundle Patch – Can be applied on GI Home in conjunction with RAC, RACOne, or Single Instance home, Client-Only and Instant Client.
An installation can only use one of the SPU, PSU or Proactive Bundle Patch patching methods.
How to choose between them?
The “Database Proactive Bundle Patch” requires a bit more testing than a Patch Set Update (PSU) as it delivers a larger set of fixes.
If you are doing a fresh installation, you should apply the Database Proactive Bundle Patch.
PSU is aimed at environments sensitive to change, because it requires less testing.
I have applied “Database PSU”; how do I move to “Database Proactive Bundle Patch”?
Moving from “Database PSU” to “Database Proactive Bundle Patch”
- Back up your current setup
- Fully rollback / deinstall “Database PSU”
- If using OJVM PSU that is likely to require OJVM PSU to be rolled out too
- Apply / install the latest “Database Proactive Bundle Patch”
- Apply any interim patches also rolled out above (including OJVM PSU if that was installed)
Note from Oracle: It is not generally advisable to switch from “Database PSU” to “Database SPU” method.
The note below can clarify any doubts about this post.
Oracle Database – Overview of Database Patch Delivery Methods (Doc ID 1962125.1)
GI PSU and Proactive Bundle Patch are supported by OPlan.
OPlan is a utility that facilitates the patch installation process by providing you with step-by-step patching instructions specific to your environment.
In contrast to the traditional patching operation, applying a patch based on the README requires you to understand the target configuration and manually identify the patching commands relevant to your environment. OPlan eliminates the requirement of identifying the patching commands by automatically collecting the configuration information for the target, then generating instructions specific to the target configuration.
I have seen some doubts about which utility to use and in what situation each should be used.
I searched some Oracle-related sites and saw that people are still a bit confused about which command to use.
But before we start, there is a rule for a Clusterware environment:
“srvctl” is to be used to manage resources with the prefix ora.*, and “crsctl” is to be used to query or start/stop resources with the prefix ora.*, but crsctl is not supported for modifying or editing resources with the prefix ora.*.
See this note on MOS:
Oracle Clusterware and Application Failover Management [ID 790189.1]
Using crs_* or crsctl commands on resources with the prefix ora.* (resources provided by Oracle) remains unsupported.
So, if you created a resource with “srvctl” this resource should be managed only by “srvctl”. If you create a resource with “crsctl” this resource should be managed using “crsctl” command.
Let’s talk about the concept of a policy-based cluster.
Oracle Clusterware 11g release 2 (11.2) introduces a different method of managing nodes and resources used by a database called policy-based management.
With Oracle Clusterware 11g release 2 (11.2) and later, resources managed by Oracle Clusterware are contained in logical groups of servers called server pools. Resources are hosted on a shared infrastructure and are contained within server pools. The resources are restricted with respect to their hardware resource (such as CPU and memory) consumption by policies, behaving as if they were deployed in a single-system environment.
- Enables dynamic capacity assignment when needed to provide server capacity in accordance with the priorities you set with policies
- Enables allocation of resources by importance, so that applications obtain the required minimum resources, whenever possible, and so that lower priority applications do not take resources from more important applications
- Ensures isolation where necessary, so that you can provide dedicated servers in a cluster for applications and databases
Applications and databases running in server pools do not share resources. Because of this, server pools isolate resources where necessary, but enable dynamic capacity assignments as required. Together with role-separated management, this capability addresses the needs of organizations that have standardized cluster environments, but allow multiple administrator groups to share the common cluster infrastructure.
This is only a concept.
Therefore Oracle divided this concept into two types of configuration: Policy-Managed Database and Policy-Based Management for non-database resources.
Policy-Managed Database.
A database that you define as a cluster resource. Management of the database is defined by how you configure the resource, including on which servers the database can run and how many instances of the database are necessary to support the expected workload.
To configure a policy-managed database, Oracle already has a pre-defined configuration.
So the options are limited and specific to database resources (such as services and databases).
For that reason Oracle provides “srvctl add serverpool”.
$ srvctl add serverpool -h
Adds a server pool to the Oracle Clusterware.
Usage: srvctl add srvpool -g <pool_name> [-l <min>] [-u <max>] [-i <importance>] [-n "<server_list>"] [-f]
    -g <pool_name>      Server pool name
    -l <min>            Minimum size of the server pool (Default value is 0)
    -u <max>            Maximum size of the server pool (Default value is -1 for unlimited maximum size)
    -i <importance>     Importance of the server pool (Default value is 0)
    -n "<server_list>"  Comma separated list of candidate server names
    -f                  Force the operation even though some resource(s) will be stopped
    -h                  Print usage
Policy-Based Management to non-database.
To configure non-database resources, Oracle provides another command with many more options: “crsctl add serverpool”.
This allows the DBA to explore all the options that policy-based management can offer.
$ crsctl add serverpool -h
Usage:
  crsctl add serverpool <spName> [[-file <filePath>] | [-attr "<attrName>=<value>[,...]"]] [-i]
where
    spName      Add named server pool
    filePath    Attribute file
    attrName    Attribute name
    value       Attribute value
    -i          Fail if request cannot be processed immediately
    -f          Force option
So we should NEVER mix the server pool used by database resources with the server pool used by non-database resources.
Also, never use the “crsctl” command to change a database server pool which was created by “srvctl”. Never put a database in a server pool created with the “crsctl” command.
A server pool for database resources must be created using “srvctl”.
A server pool for non-database resources must be created using “crsctl”.
Question: Is it possible to change ora.* resources with “crsctl”?
Yes, it’s possible, but it is not supported by Oracle.
I hope this makes it clear.
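One way to enforce the rule above in a change-review script is to vet each proposed crsctl command line before it is run. This is an added example, not an Oracle tool: the function name, the verb list and the sample commands are constructed, and it assumes server pools created with srvctl carry the ora. prefix in crsctl output.

```python
import re
import shlex

# Verbs the rule above accepts on ora.* objects: query and start/stop only.
QUERY_OR_RUN = {"status", "stat", "start", "stop"}
# An ora.* name as a bare argument or inside an -attr value (after '=' or ',').
ORA_NAME = re.compile(r"(?:^|[=,\s])(ora\.[\w.\-]+)", re.IGNORECASE)


def review_crsctl(command_line):
    """Return (supported, reason) for one proposed command line."""
    tokens = shlex.split(command_line)
    if len(tokens) < 2 or tokens[0].rsplit("/", 1)[-1] != "crsctl":
        return True, "not a crsctl command, rule does not apply"
    verb = tokens[1].lower()
    touched = [n for tok in tokens[2:] for n in ORA_NAME.findall(tok)]
    if not touched:
        return True, "no ora.* resource or server pool referenced"
    if verb in QUERY_OR_RUN:
        return True, f"crsctl {verb} on {touched[0]} is a query or start/stop"
    return False, (f"crsctl {verb} references {', '.join(touched)}: "
                   "change ora.* objects with srvctl instead")


# Constructed command lines (resource and pool names are made up).
SAMPLES = [
    "crsctl status resource ora.orcl.db",
    "crsctl modify resource ora.orcl.db -attr AUTO_START=always",
    'crsctl add resource myapp -type cluster_resource -attr "SERVER_POOLS=ora.dbpool"',
    'crsctl add serverpool apppool -attr "MIN_SIZE=1,MAX_SIZE=2"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        ok, reason = review_crsctl(line)
        print("OK   " if ok else "BLOCK", line, "->", reason)
```

The third sample is the mixing case: a non-database resource placed into a database server pool through an attribute value rather than as the command's target.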
In this post I will show you how to set up a high-availability environment without the Oracle RAC option.
Oracle Fail Safe is available only for Windows; on Unix / Linux you would need third-party cluster software to do the failover.
Good News From Oracle:
Oracle Clusterware provides cluster membership and high availability services. It provides the cluster membership for features such as Oracle Real Application Clusters and Oracle ASM. It includes the following features:
- Application monitoring, restart, and failover
- Cluster membership services
- Server monitoring and fencing
- Single Client Access Name (SCAN)
- Server Pools
- Grid Naming Services
Oracle Clusterware can be used to protect any application (restarting or failing over the application in the event of a failure), free of charge, if one or more of the following conditions are met:
- The server OS is supported by a valid Oracle Unbreakable Linux support contract.
- The product to be protected is either:
- Any Oracle product (e.g. Oracle Applications, Siebel, Hyperion, Oracle Database EE, Oracle Database XE)
- Any third-party product that directly or indirectly stores data in an Oracle database
- At least one of the servers in the cluster is licensed for Oracle Database (SE or EE)
A cluster is defined to include all the machines that share the same Oracle Cluster Registry (OCR) and Voting Disk.
See the step-by-step guide here using Clusterware 11.1; we can adapt this setup to 11.2 using the SCAN feature, which is easier.
Recently we discovered a possible vulnerability in the SCAN listener, so we opened an SR and Oracle gave us a solution.
I recommend that everyone apply this security solution. “As far as I know only the availability can be affected; there is no concern about data integrity.”
Thread: How prevent REMOTE LISTENER register on SCAN LISTENER
Oracle Security Alert for CVE-2012-1675
This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as “TNS Listener Poison Attack” affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied.
Affected Products and Versions
Oracle Database 11g Release 2, versions 126.96.36.199, 188.8.131.52
Oracle Database 11g Release 1, version 184.108.40.206
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Recommendations for protecting against this vulnerability can be found at:
- My Oracle Support Note 1340831.1 for Oracle Database deployments that use Oracle Real Application Clusters (RAC).
- My Oracle Support Note 1453883.1 for Oracle Database deployments that do not use RAC.
Please note that Oracle has added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters and Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options so that the directions provided in the Support Notes referenced above can be applied by all Oracle customers without additional cost.
Note: Please refer to the Oracle licensing documentation available on Oracle.com regarding licensing changes that allow Oracle Advanced Security SSL/TLS to be used with Oracle SE Oracle Real Application Clusters and Oracle Enterprise Edition Real Application Customers (Oracle RAC) and Oracle RAC OneNode Options.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.
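A quick way to see which listeners in a listener.ora have instance registration restricted. This is an added example, not taken from the alert or the MOS notes; it assumes the restriction is expressed with Oracle Net's Class of Secure Transport parameter SECURE_REGISTER_<listener_name>, and the file content, host name and function names are constructed.

```python
import re


def parse_listener_ora(text):
    """Return {PARAM_NAME_UPPER: value} for top-level listener.ora entries."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^([A-Za-z]\w*)\s*=\s*(.*)$", line)
        if m:                                     # new entry starts in column 0
            current = m.group(1).upper()
            entries[current] = m.group(2)
        elif current:
            entries[current] += line.strip()      # continuation of a multi-line value
    return entries


def audit_registration(text):
    """Map each listener to 'ok', 'missing' or 'allows-tcp'."""
    entries = parse_listener_ora(text)
    result = {}
    for name, value in entries.items():
        if not re.match(r"\(\s*(DESCRIPTION|ADDRESS)", value, re.I):
            continue                              # not a listener definition
        cost = entries.get("SECURE_REGISTER_" + name)
        if cost is None:
            result[name] = "missing"              # registration is unrestricted
            continue
        transports = {t.strip().upper() for t in cost.strip("() ").split(",")}
        # Plain TCP in the list still accepts registration over the network.
        result[name] = "allows-tcp" if "TCP" in transports else "ok"
    return result


# Constructed listener.ora content for illustration only.
SAMPLE = """\
LISTENER_SCAN1 = (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))  # constructed
SECURE_REGISTER_LISTENER_SCAN1 = (IPC, TCPS)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521)))
  )
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = orcl)))
LISTENER_OLD = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1522))
SECURE_REGISTER_LISTENER_OLD = (TCP)
"""

if __name__ == "__main__":
    for listener, state in audit_registration(SAMPLE).items():
        print(f"{listener}: {state}")
```

Which transports to allow for a given deployment (RAC or non-RAC) is defined in the two support notes referenced above; the script only reports what the file currently contains.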