Thursday, April 7, 2016

ORA-24248 XMLDB extensible security not installed

A few days ago I ran into this problem. We upgraded one of our development database from oracle 10gR2 to 11gR1 recently.
 After the upgrade the application was broken very badly. Any user trying to login to the application was getting the error below:


ORA-24248: XML DB extensible security not installed
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1


 I found that that in one of Java classes in the application, where a connection was being established to the databases, a query was being executed like this.


SELECT global_name,utl_inaddr.get_host_address FROM global_name;

The error above is quite self explanatory. I went ahead and verified the existence of Oracle XML Database and found the following:


11:49:41 sql>select comp_name from dba_registry;

COMP_NAME
----------------------------------------------------------------

Oracle Database Catalog Views
Oracle Database Packages and Types
Oracle Enterprise Manager

As can be seen from the output of the above query, we were missing Oracle XML Database. I was able to reproduce the problem in sqlplus.


11:52:23 sql>select global_name,utl_inaddr.get_host_address from global_name;
select global_name,utl_inaddr.get_host_address from global_name
                   *
ERROR at line 1:
ORA-24248: XML DB extensible security not installed
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1


Install XML Database: Oracle 11g Enterprise Edition


$ cd $ORACLE_HOME/rdbms/admin

$ sqlplus / as sysdba

[oracle@Localhost ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Fri Apr 8 11:55:27 2016

Copyright (c) 1982, 2009, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options


SQL> spool install_xml_db.log
SQL> @catqm xdb sysaux temp YES
-- xdb is the password for XML Database repository schema
-- sysaux is the default tablespace for XML Database repository schema.
-- temp is the default temporary tablespace for XML Database repository schema.
-- YES is for using secure files for xdb$resource
.
.
.

SQL> declare
  2    suf  varchar2(26);
  3    stmt varchar2(2000);
  4  begin
  5    select toksuf into suf from xdb.xdb$ttset where flags = 0;
  6    stmt := 'grant all on XDB.X$PT' || suf || ' to DBA';
  7    execute immediate stmt;
  8    stmt := 'grant all on XDB.X$PT' || suf || ' to SYSTEM WITH GRANT OPTION';
  9    execute immediate stmt;
 10  end;
 11  /

PL/SQL procedure successfully completed.

SQL>spool off
11:58:14 SQL> select comp_name , status from dba_registry;

 COMP_NAME                                STATUS
---------------------------------------- --------------------------------------------
Oracle XML Database                      VALID
Oracle Database Catalog Views          VALID
Oracle Database Packages and Types     VALID
Oracle Enterprise Manager         VALID

The XML Database installation is complete. I opened the install_xml_db.log and didn't find any significant errors in it. Then I verified from dba_registry again to see the status of XML Database installed.


12:04:33 SQL> select global_name,utl_inaddr.get_host_address from global_name;
select global_name,utl_inaddr.get_host_address from global_name
                   *
 ERROR at line 1:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1

Now the ORA-24248 is gone because we have XML Database installed. Now we are seeing ORA-24247, which means we can't access any network host using UTL_INADDR unless we allow access to this host via ACL.


SQL> conn / as sysdba
Connected.

BEGIN
   DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
        acl          =>'my_application_acl.xml',
        description  => 'ACL for users of my application.',
        principal    => 'SCOTT',
        is_grant     => TRUE,
        privilege    => 'resolve',
        start_date   => null,
        end_date     => null
    );
END;
/

PL/SQL procedure successfully completed.

/*
 All that UTL_INADDR.get_host_address does is resolve the host and return the IP Address.
 DBMS_NETWORK_ACL_ADMIN.CREATE_ACL creates an ACL and grant privilege to a user or role
 to that ACL.
 For the sake of this article I am using SCOTT as the grantee of the privilege resolve but
 in my application I granted this privilege to a role which was assigned to all the
 application users. So through that role all the users were granted resole privilege to
 this ACL.
*/


BEGIN
   DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
     acl         =>'my_application_acl.xml',
     host        => 'localhost',
     lower_port  => null,
     upper_port  => null
     );
END;
/

PL/SQL procedure successfully completed.

/*
 When UTL_INADDR.get_host_address is invoked without a host name specified with it,
 it sends the request to localhost. So we need to assign our ACL to the host "localhost".
*/

commit;


SQL> conn scott/tiger
Connected.
SQL> set lines 10000
SQL> column global_name format a20
SQL> column get_host_address format a15
SQL> select global_name,utl_inaddr.get_host_address from global_name;


TESTDB  10.XXX.XXX.XXX



As you can see above, SCOTT is now able to get server's IP Adress using utl_inaddr.get_host_address. And this solves our problem with the application.

Uninstall XML Database: Oracle 11g Enterprise Edition


$ cd $ORACLE_HOME/rdbms/admin
$ sqlplus / as sysdba

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> @catnoqm.sql
-- This will uninstall the Oracle XML Database.

1 comment:

  1. Casino of the Month 2021 | Dr.CMD
    In 양산 출장안마 just the past month, Casino of the Month 2021 is being promoted to the 광주광역 출장샵 the 광양 출장안마 casino of 오산 출장안마 the month 2021 익산 출장마사지 is the second largest online gambling

    ReplyDelete