Monday, January 30, 2023

Why and How to create a SAN SSL certificate request?

Why ?

The purpose of a SAN (Subject Alternative Name) certificate is to carry multiple hostnames in one certificate; it is used instead of a wildcard CN (*.domain.com) when the same certificate will serve several subdomains.

How ?

1- Create a configuration file as below.

vi req.conf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = BH
ST = MANAMA
L = MANAMA
O = <companyName>
OU = IT
CN = CN.Domain

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = CN1.Domain
DNS.2 = CN2.Domain

2- Create the CSR together with a new private key, and keep a copy of this private key safe; you will need it when the signed certificate is installed:

openssl req -new -out certificate.csr -newkey rsa:2048 -nodes -sha256 -keyout certificate.key -config req.conf

Submit the CSR to the CA to be signed. To check the CSR contents before submitting it, use the following:

openssl req -text -noout -verify -in certificate.csr

For reference, in case it is needed, the order of certificates in a PEM chain file is:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
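The same procedure as a script, added here as an example and not part of the original post: it builds req.conf from a list of hostnames, creates the key and CSR, and reads the SAN entries back out of the CSR to confirm they were really requested. The subject fields and hostnames are constructed placeholders, and the script assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post: build req.conf from a list of
# hostnames, create the key and CSR, and confirm the SANs are really in the CSR.
set -eu

# Write an OpenSSL request config. The first hostname becomes the CN and every
# hostname (CN included, since modern clients ignore the CN) becomes a DNS.n
# SAN entry. Subject fields below are constructed placeholders.
make_req_conf() {
    conf=$1; shift
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n\n'
        printf '[req_distinguished_name]\nC = BH\nST = MANAMA\nL = MANAMA\n'
        printf 'O = Example Co\nOU = IT\nCN = %s\n\n' "$1"
        # digitalSignature is needed for ECDHE cipher suites with an RSA key
        printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n'
        printf '[alt_names]\n'
        i=1
        for host in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$host"
            i=$((i + 1))
        done
    } > "$conf"
}

# Generate key + CSR in a temp dir and print the SAN entries parsed back from
# the CSR, e.g. "DNS:www.example.test,DNS:api.example.test".
csr_sans() {
    dir=$(mktemp -d)
    make_req_conf "$dir/req.conf" "$@"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/req.conf" 2>/dev/null
    openssl req -in "$dir/server.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
    rm -rf "$dir"
}

# Usage from the shell: csr_sans www.example.test api.example.test
```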

Wednesday, January 11, 2023

Why and How to generate a self-signed or publicly signed certificate?

Why ?

A certificate can be self-signed or publicly signed. A self-signed certificate is signed by your own server only, and no publicly trusted authority knows about it, so it is good for testing only. For production servers or website services that need a certificate, you have to generate a request file, have it signed by a publicly known authority, and load the signed certificate into the website or service that needs it.

How ?

1- Generate a private key that will be used to create the certificate request. Keep this key safe; you will need it later.

## with password:
openssl genrsa -des3 -out server.key 2048

## without password:
openssl genrsa -out server.key 2048

2- Create the Certificate Signing Request:

openssl req -new -key server.key -sha256 -out server.csr

If this certificate will be signed by a public authority, share "server.csr" with them and they will provide a signed certificate (usually a .cer or .crt file).

3- For a self-signed certificate, do the following. Sign the CSR with your own private key, so that the server acts as its own certificate authority:

openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt

4- In many cases you may need to convert the .crt to PEM format; use the following:

openssl x509 -in server.crt -out server.pem -outform PEM
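To show what "no public trusted authority knows this certificate" means in practice, here is an added example (not from the original post) that runs the steps above with a constructed subject and then verifies the result twice: once against the system CA store, where it fails, and once with the certificate itself given as the trust anchor, where it succeeds. It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post: create a self-signed certificate
# and show that it verifies only when the verifier is told to trust it.
set -eu

# Builds key, CSR and self-signed cert for a constructed test hostname, then
# runs two verifications. Prints "<system-store result> <self-anchor result>".
self_signed_trust_check() {
    dir=$(mktemp -d)
    # Steps 1 and 2 from the post: private key (no password) and CSR
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -sha256 \
        -subj '/C=BH/ST=MANAMA/L=MANAMA/O=Example Co/OU=IT/CN=test.example.test' \
        -out "$dir/server.csr"
    # Step 3: sign the CSR with the same key, giving a self-signed certificate
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # Against the system CA store: nobody has trusted this signer
    if openssl verify "$dir/server.crt" >/dev/null 2>&1; then
        sys=trusted; else sys=untrusted; fi
    # With the certificate itself as trust anchor, as a test client would do
    if openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1; then
        self=trusted; else self=untrusted; fi
    rm -rf "$dir"
    echo "$sys $self"
}

# Usage from the shell: self_signed_trust_check   (prints "untrusted trusted")
```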

Tuesday, January 3, 2023

Why and How to set up the X display parameters after switching user in Linux?

Why ?

On an SSH session with X11 forwarding (the remote display forwarded through SSH), the display is available only to the user who logged in. With -X or -Y the display is forwarded, but if you then switch user with a plain 'su' the display from server to client is lost. Use the steps below to move the display from the first user to the switched user.

How ?

1- After logging in as the first user, and before switching, take the display details:

$ xauth list $DISPLAY
<output1>

$ echo $DISPLAY
<output2>

2- Switch to the other user, then add the cookie and set the display:

$ xauth add <output1>
$ export DISPLAY=<output2>

Thursday, December 22, 2022

Why and How to implement TDE in 11g and 19c ?

Why ?

As stated by Oracle, “Transparent Data Encryption (TDE) enables you to encrypt sensitive data that you store in tables and tablespaces”. Below are quick notes, based on the Oracle documentation, for both 19c and earlier versions (11g or 12c).

How ?

1- Set the software keystore location in the sqlnet.ora file (for 11g, 12.1 or 12.2):

ENCRYPTION_WALLET_LOCATION=
  (SOURCE=
   (METHOD=FILE)
    (METHOD_DATA=
     (DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

For 19c it is recommended to use the spfile parameters below instead:

ALTER SYSTEM SET WALLET_ROOT = '$ORACLE_BASE/ADMIN/ORCL/WALLET' SCOPE = SPFILE SID = '*';

ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE = BOTH SID = '*';

2- Create the Software Keystore:

ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY password;

You may create an auto-login keystore to avoid re-entering the wallet password every time:

ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/etc/ORACLE/WALLETS/orcl' IDENTIFIED BY password;

3- Open the software keystore (only needed if auto-login was not configured):

ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY password;

4- Set the Software TDE Master Encryption Key:

ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY keystore_password WITH BACKUP USING 'key_backup';

5- Encrypt Your Data:

CREATE TABLESPACE encrypt_ts
  DATAFILE '$ORACLE_HOME/dbs/encrypt_df.dbf' SIZE 1M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

6- Convert an existing tablespace. Before 12.2 only offline conversion is available; from 12.2 onward both offline and online conversion can be used:

## offline
ALTER TABLESPACE users OFFLINE NORMAL;
ALTER TABLESPACE users ENCRYPTION OFFLINE USING 'AES256' ENCRYPT;
ALTER TABLESPACE users ONLINE;

## online
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT FILE_NAME_CONVERT = ('users.dbf', 'users_enc.dbf');

Thursday, December 1, 2022

Why and How to fix a Red Hat Linux library issue?

Why ?

For whatever reason you may run into a library problem like the one below, where you cannot even access the server in emergency mode/target. Use the steps below to fix it. For example, I got the following error:

/usr/sbin/sulogin: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: permission denied

How ?

1- First, boot the system into rescue mode from the installation media (DVD/CD ISO):

How to boot Red Hat Enterprise Linux to Rescue Mode for Data Collection (sosreport, vmcore, etc.)

https://access.redhat.com/articles/3405661

2- Find the RPM package that provides this library:

# rpm -qf /usr/lib64/libcrypt.so.1

libxcrypt-4.1.1-4.el8.x86_64

3- Reinstall the package with the command below, then reboot the system from disk again:

yum reinstall libxcrypt

Wednesday, November 30, 2022

Why and How to migrate and upgrade from 12c to 19c using RMAN incremental backup?

Why ?

Migration means moving your database from one machine to another, and upgrade means moving your data from an old version to a new one; you may need to do both at the same time. Below I list simple steps to achieve this using RMAN incremental backups, which minimise the downtime needed, for the case where an RMAN backup is the only suitable solution.

How ?

Below are the steps to follow to achieve this goal. I am assuming the following:

Source DB 12c: orcl, running in archive log mode, OS is Linux
Destination DB 19c: orcl, software only installed, OS is Linux

1- Check the archive log mode on the source DB; if it is disabled, the backup can only be an offline (cold) backup:

sql> archive log list;

2- Take a level 0 incremental backup, which is equivalent to a full backup, of both the database and the archive logs:

rman> backup incremental level 0 database format '/u01/backup/db_%U' plus archivelog format '/u01/backup/arch_%U';

3- On the target, create a password file as below (Linux password file naming):

orapwd file=$ORACLE_HOME/dbs/orapw<ORACLE_SID> password=<password>

4- Create a pfile from the source spfile, edit it as needed, and start the target DB with this pfile:

sql> create pfile='location/orclinit.ora' from spfile;

-- copy the file to the target and edit it as needed; make sure to create any missing directories, especially the adump path.

-- start the target DB in nomount:

sql> startup nomount pfile='location/orclinit.ora';

5- On the source database, take a backup of the control file:

rman> backup current controlfile format '/u01/backup/cf_%U';

6- On the target database, restore the control file from the backup and mount the database:

rman> restore controlfile from '/u01/backup/<filename>';

rman> alter database mount;


7- On the target database, correct any paths that differ from the source. You can check them with the commands below:

rman> report schema;

sql> select * from v$logfile;

sql> alter database rename file '<sourcepath>/redo01.log' to '<distpath>/redo01.log';
sql> alter database rename file '<sourcepath>/redo02.log' to '<distpath>/redo02.log';
sql> alter database rename file '<sourcepath>/redo03.log' to '<distpath>/redo03.log';

8- On the target database, restore the level 0 incremental backup:

rman> run
{
allocate channel c1 device type disk;
set newname for database to '/u02/oradata/%U';
set newname for tempfile '/u01/oradata/orcl/temp01.dbf' to '/u02/oradata/temp01.dbf';
restore database;
switch datafile all;
switch tempfile all;
release channel c1;
}

9- On the source database, take a level 1 incremental backup:

rman> backup incremental level 1 database format '/u01/backup/db_%U' plus archivelog format '/u01/backup/arch_%U';

10- On the target database, catalog the new level 1 backup in the control file, then recover the database (RMAN applies the level 1 backup and archive logs on top of the restored level 0). Check the last archived log sequence in the backup list, add 1, and use that as the until sequence:

rman> catalog start with '/u01/backup/';

rman> list backup;

rman> run
{
allocate channel c1 device type disk;
set until sequence <last sequence + 1>;
recover database;
release channel c1;
}

11- Now open the database with resetlogs in upgrade mode, then perform the upgrade (you may use autoupgrade.jar instead):

rman> alter database open resetlogs upgrade;

cd $ORACLE_HOME/rdbms/admin
$ORACLE_HOME/perl/bin/perl catctl.pl catupgrd.sql
