Thursday, January 10, 2013

ORA-24248 XMLDB extensible security not installed

ORA-24248 XMLDB extensible security not installed



Oracle 11g introduces more secure and fine grained access on network packages like UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP and UTL_INADDR, i.e. an execute privilege on these packages is not enough to access an external network resource using these packages. You have to configure ACL (Access Control List), assign the network host and port to it and grant connect privilege to the users through this ACL .
These ACLs are XML files which are stored in the XML Database repository inside the database itself, which means that XML Database must be installed in the database to use the network PL/SQL packages. XML Database is installed automatically when you create a database using DBCA with default options. However, if you unselect/uncheck the XML Database option in DBCA while creating the database, XML Database won't installed.
A few days ago I ran into this problem. We upgraded one of our development database from oracle 10gR2 to 11gR1 recently. After the upgrade the application was broken very badly. Any user trying to login to the application was getting the error below:
ORA-24248: XMLDB extensible security not installed
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1
After I investigated, I found that that in one of Java classes in the application, where a connection was being established to the databases, a query was being executed like this.
SELECT global_name,utl_inaddr.get_host_address FROM global_name;
When I saw UTL_INADDR being called, I realized instantly that we need an ACL for this call and ACL needs XML Database. The error above is quite self explanatory. I went ahead and verified the existence of Oracle XML Database and found the following:
SQL> select comp_name from dba_registry;

COMP_NAME
----------------------------------------
OWB
Oracle Application Express
Oracle Enterprise Manager
OLAP Catalog
Spatial
Oracle Multimedia
Oracle Text
Oracle Expression Filter
Oracle Rules Manager
Oracle Workspace Manager
Oracle Database Catalog Views
Oracle Database Packages and Types
JServer JAVA Virtual Machine
Oracle XDK
Oracle Database Java Packages
OLAP Analytic Workspace
Oracle OLAP API

17 rows selected.
As can be seen from the output of the above query, we were missing Oracle XML Database. I was able to reproduce the problem in sqlplus.
SQL> conn scott/tiger
Connected.

SQL> select global_name,utl_inaddr.get_host_address from global_name;
select global_name,utl_inaddr.get_host_address from global_name
                   *
ERROR at line 1:
ORA-24248: XML DB extensible security not installed
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1

SQL>

Install XML Database: Oracle 11g Enterprise Edition

$ cd $ORACLE_HOME/rdbms/admin
$ sqlplus / as sysdba

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> spool install_xml_db.log
SQL> @catqm xdb sysaux temp YES
-- xdb is the password for XML Database repository schema
-- sysaux is the default tablespace for XML Database repository schema.
-- temp is the default temporary tablespace for XML Database repository schema.
-- YES is for using secure files for xdb$resource
.
.
.
[output trimmed]
.
.
.
SQL> declare
  2    suf  varchar2(26);
  3    stmt varchar2(2000);
  4  begin
  5    select toksuf into suf from xdb.xdb$ttset where flags = 0;
  6    stmt := 'grant all on XDB.X$PT' || suf || ' to DBA';
  7    execute immediate stmt;
  8    stmt := 'grant all on XDB.X$PT' || suf || ' to SYSTEM WITH GRANT OPTION';
  9    execute immediate stmt;
 10  end;
 11  /

PL/SQL procedure successfully completed.

SQL>spool off
The XML Database installation is complete. I opened the install_xml_db.log and didn't find any significant errors in it. Then I verified from dba_registry again to see the status of XML Database installed.
SQL> select comp_name , status from dba_registry;

COMP_NAME                                STATUS
---------------------------------------- --------------------------------------------
Oracle XML Database                      VALID
OWB                                      VALID
Oracle Application Express               VALID
Oracle Enterprise Manager                VALID
OLAP Catalog                             VALID
Spatial                                  VALID
Oracle Multimedia                        VALID
Oracle Text                              VALID
Oracle Expression Filter                 VALID
Oracle Rules Manager                     VALID
Oracle Workspace Manager                 VALID
Oracle Database Catalog Views            VALID
Oracle Database Packages and Types       VALID
JServer JAVA Virtual Machine             VALID
Oracle XDK                               VALID
Oracle Database Java Packages            VALID
OLAP Analytic Workspace                  VALID
Oracle OLAP API                          VALID

18 rows selected.

SQL>
The status should be VALID to indicate that the installation was successfull. Then I tested the UTL_INADDR again.
SQL> conn scott/tiger
Connected.
SQL> select global_name,utl_inaddr.get_host_address from global_name;
select global_name,utl_inaddr.get_host_address from global_name
                   *
ERROR at line 1:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1
As you see now the ORA-24248 is gone because we have XML Database installed. Now we are seeing ORA-24247, which means we can't access any network host using UTL_INADDR unless we allow access to this host via ACL.
SQL> conn / as sysdba
Connected.

BEGIN
   DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
        acl          =>'my_application_acl.xml',
        description  => 'ACL for users of my application.',
        principal    => 'SCOTT',
        is_grant     => TRUE,
        privilege    => 'resolve',
        start_date   => null,
        end_date     => null
 );
END;
/

PL/SQL procedure successfully completed.

/*
 All that UTL_INADDR.get_host_address does is resolve the host and return the IP Address.
 DBMS_NETWORK_ACL_ADMIN.CREATE_ACL creates an ACL and grant privilege to a user or role 
 to that ACL.
 For the sake of this article I am using SCOTT as the grantee of the privilege resolve but 
 in my application I granted this privilege to a role which was assigned to all the 
 application users. So through that role all the users were granted resole privilege to 
 this ACL.
*/

BEGIN
   DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
     acl         =>'my_application_acl.xml',
     host        => 'localhost',
     lower_port  => null,
     upper_port  => null
     );
END;
/

PL/SQL procedure successfully completed.

/*
 When UTL_INADDR.get_host_address is invoked without a host name specified with it,
 it sends the request to localhost. So we need to assign our ACL to the host "localhost".
*/

commit;

SQL> conn scott/tiger
Connected.
SQL> set lines 10000
SQL> column global_name format a20
SQL> column get_host_address format a15
SQL> select global_name,utl_inaddr.get_host_address from global_name;

GLOBAL_NAME          GET_HOST_ADDRES
-------------------- ---------------
ORA11G.HOME.COM      127.0.0.1

SQL>
As you can see above, SCOTT is now able to get server's IP Adress using utl_inaddr.get_host_address. And this solves our problem with the application.

Uninstall XML Database: Oracle 11g Enterprise Edition

$ cd $ORACLE_HOME/rdbms/admin
$ sqlplus / as sysdba

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> @catnoqm.sql
-- This will uninstall the Oracle XML Database.







......Zahid 

No comments: