Thursday 14 June 2007

Starting up and stopping Grid Control

To start the Grid Control services, one needs to run the following sequence of steps:
  1. run database (first way)
    • sh# export ORACLE_SID={sid}
    • sh# sqlplus / as sysdba
    • SQL# startup
    • SQL# exit
    • sh# lsnrctl start {listener_name}
  2. run database (second way; requires a properly configured /etc/oratab)
    • sh# ORACLE_HOME/bin/dbstart
  3. run management services
    • sh# OMS_HOME/opmnctl startall
  4. optionally run the agent to also monitor the management repository and services
    • sh# AGENT_HOME/bin/emctl start agent
To stop the Grid Control services, one needs to do all of the above in reverse order:
  1. stop the agent that monitors the management repository and services
    • sh# AGENT_HOME/bin/emctl stop agent
  2. stop management services
    • sh# OMS_HOME/opmnctl stopall
  3. stop database (first way)
    • sh# export ORACLE_SID={sid}
    • sh# sqlplus / as sysdba
    • SQL# shutdown immediate
    • SQL# exit
    • sh# lsnrctl stop {listener_name}
  4. stop database (second way; requires a properly configured /etc/oratab)
    • sh# ORACLE_HOME/bin/dbshut

Monday 11 June 2007

Policies used

Grid Control ships with quite a high number of different policies (generally they have something to do with security issues). Of course it is recommended to apply all of them, though in general it is a little complicated. For example, on one hand one should revoke the EXECUTE privilege on, say, UTL_FILE from PUBLIC, while at the same time doing so invalidates some synonyms within the PUBLIC schema.

Here is a summary of those policies for database targets:

  • Parameter SQL92_SECURITY should be set to true. The parameter requires the SELECT privilege on a table in order to run UPDATE or DELETE statements whose SET or WHERE clauses reference column values.
  • Parameter GLOBAL_NAMES should be set to true. The parameter enforces a database link to have the same name as the database it connects to.
  • Checks that UTL_FILE_DIR is not used with Oracle RDBMS version 9i and later (directory objects should be used instead, of course)
  • Checks PUBLIC access to packages such as UTL_FILE, UTL_HTTP, UTL_SMTP, UTL_TCP, DBMS_LOB, DBMS_JOB, etc.
  • Checks that all objects are VALID, so at the start one should compile all invalid objects and possibly remove those which do not compile properly.
  • The password-related settings for profiles in use should have non-default values (default values usually mean an UNLIMITED period). This particularly relates to PASSWORD_LIFE_TIME, PASSWORD_REUSE_TIME, PASSWORD_REUSE_MAX and PASSWORD_GRACE_TIME.
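
The policies above can be spot-checked directly against the data dictionary before looking at the violations in the console. The script below is an added example, not part of the original post and not Grid Control's own policy implementation; it assumes a SQL*Plus session with SELECT access to the V$ and DBA_ views and only reads data.

```sql
-- Added example: read-only checks mirroring the policy list above.
-- Assumption: run as a user allowed to query V$PARAMETER and the DBA_ views.

-- 1. SQL92_SECURITY and GLOBAL_NAMES should be TRUE;
--    UTL_FILE_DIR should be empty (directory objects are used instead).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('sql92_security', 'global_names', 'utl_file_dir');

-- 2. EXECUTE granted to PUBLIC on the packages named in the policy list.
--    Every row returned is a candidate for REVOKE.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_SMTP', 'UTL_TCP',
                      'DBMS_LOB', 'DBMS_JOB')
 ORDER BY table_name;

-- 3. Invalid objects per owner and type. Run this before and after a
--    REVOKE from PUBLIC to see which synonyms and dependents it invalidated.
SELECT owner, object_type, COUNT(*) AS invalid_count
  FROM dba_objects
 WHERE status <> 'VALID'
 GROUP BY owner, object_type
 ORDER BY owner, object_type;

-- 4. Password limits still UNLIMITED, or DEFAULT (inherited from the
--    DEFAULT profile, so check that profile too), for profiles assigned
--    to at least one user.
SELECT p.profile, p.resource_name, p.limit
  FROM dba_profiles p
 WHERE p.resource_type = 'PASSWORD'
   AND p.resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_TIME',
                           'PASSWORD_REUSE_MAX', 'PASSWORD_GRACE_TIME')
   AND p.limit IN ('UNLIMITED', 'DEFAULT')
   AND p.profile IN (SELECT profile FROM dba_users)
 ORDER BY p.profile, p.resource_name;
```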