This document covers performance and security topics for Oracle Database Administration. It discusses performance tuning at the system, database and application levels. Key aspects of SQL processing architecture like the parser, optimizer, row source generator and execution are explained. The document also covers security frameworks, patching, user accounts, passwords, encryption, auditing and hacking/forensics. Reading materials on performance tuning and security are recommended.
3. Harvard University
Performance Tuning
Trade-offs Between Response Time and
Throughput
OLTP applications define performance in
terms of throughput
Decision Support Systems define
performance in terms of response time
Response time = service time + wait time
5. Harvard University
SQL Syntax
The syntax for the SELECT statement is:
– SELECT columns
FROM tables
WHERE predicates;
From
http://www.techonthenet.com/sql/select.php
Good Information source for basic SQL
statements
6. Harvard University
Parser
The parser performs two functions:
– Syntax analysis: This checks SQL statements
for correct syntax
– Semantic analysis: Checks that the current
database objects and object attributes are correct
7. Harvard University
Optimizer
The optimizer is the heart of the SQL
processing engine. The Oracle server
provides one method of optimization: cost-
based optimizer (CBO).
Default CBO – all_rows
8. Harvard University
Row Source Generator
The row source generator receives the
optimal plan from the optimizer
It outputs the execution plan for the SQL
statement
A set of rows returned by an execution step is
called a row source
The execution plan is a collection of row
sources, structured in the form of a tree
9. Harvard University
Row Source Generator
A row source is an iterative control structure
It processes a set of rows, one row at a time,
in an iterative manner. A row source produces
a data set.
10. Harvard University
SQL Execution
The combination of steps required to execute
a statement is called an execution plan
An execution plan includes an access method
for each table that the statement accesses
and an ordering of the tables(the join order), if
required.
11. Harvard University
SQL Execution
To perform a full table scan, Oracle reads all
rows in the table, examining each row to
determine whether it satisfies the statement’s
WHERE clause
12. Harvard University
SQL Execution
SQL execution is the component that
operates on the execution plan associated
with a SQL statement
It then produces the results of the query.
The optimizer determines the most efficient
way to execute a SQL statement
13. Harvard University
SQL Execution
To execute a DML statement, Oracle may
need to perform many steps.
Each of these steps either retrieves rows of
data physically from the database or prepares
them in some way for use in the next step
14. Harvard University
Explain Plan
The EXPLAIN PLAN statement displays
execution plans chosen by the Oracle
optimizer for SELECT, UPDATE, INSERT,
and DELETE statements
A SQL statement’s plan is the sequence of
operations Oracle performs to execute the
statement
15. Harvard University
Explain Plan
The components of execution plans include:
– An ordering of the tables referenced by the
statement.
– An access method for each table mentioned in
the statement.
– A join method for tables affected by join
operations in the statement.
16. Harvard University
Explain Plan
EXPLAIN PLAN output shows how Oracle
executes SQL statements
The EXPLAIN PLAN results cannot
differentiate between well-tuned statements
and those that are poorly performed
If the EXPLAIN PLAN output shows that a
statement uses an index, this does not mean
the statement runs efficiently
17. Harvard University
Explain Plan
Sometimes using indexes can be extremely
inefficient
It is best to use EXPLAIN PLAN to determine
an access plan, and later prove that it is the
optimal plan through testing
When evaluating a plan, always examine the
statement’s actual resource consumption
18. Harvard University
Explain Plan
Use the SQL trace facility and TKPROF to
examine individual SQL statement
performance (relative cost)
Before issuing an EXPLAIN PLAN statement,
create a table to hold its output
Run the SQL script UTLXPLAN.SQL to create
a sample output table called PLAN_TABLE in
your schema
19. Harvard University
Explain Plan
The UTLXPLAN.SQL is located under
$ORACLE_HOME/rdbms/admin
PLAN_TABLE is the default table into which
the EXPLAIN PLAN statement inserts rows
describing execution plans
20. Harvard University
Explain Plan
EXPLAIN PLAN SET STATEMENT_ID = ‘1’
INTO plan_table
FOR <select * from v$datatbase>;
EXPLAIN PLAN SET STATEMENT_ID = ‘value’
INTO plan_table
FOR <sql_statement>;
21. Harvard University
Explain Plan
Display the most recent plan table output
using the following scripts:
– UTLXPLS.SQL - Shows plan table output for
serial processing
– UTLXPLP.SQL - Shows plan table output with
parallel execution columns
http://www.dbspecialists.com/presentations.html#explain_a
23. Harvard University
System Statistics
The gathered systems statistics are:
– single block readtime in ms
– multiblock readtime in ms
– cpu speed in mhz
– average multiblock_read_count in number of
blocks
24. Harvard University
System Statistics
http://www.oracle.com/technology/pub/articles
/lewis_cbo.html
http://www.oracle.com/technology/pub/articles
/tech_dba.html
29. Harvard University
Security Readiness
Regulations
– Sarbanes-Oxley (SOX)
– Gramm-Leach-Bliley (GLBA)
– Health Insurance Portability and Accountability
(HIPAA)
– Payment Card Industry Data Security (PCI)
– Federal Information Security Management
(FISMA)
30. Harvard University
Security Readiness
Secure the Network
Monitor the Network
Access Control Methods
– Who
– What
Audit Access and Data
– Who
– When
– What
32. Harvard University
Security Patches
Released 4 times a year
– January
– April
– July
– October
The single most significant step to take to
protect your databases
33. Harvard University
Security Patches
Ensure that you are using current product
versions
Apply the appropriate Mandatory patches
Stay current with Security patches for the
‘environment’
Database and Application Server patches are
cumulative
Application Products are not cumulative
34. Harvard University
Init.ora parameters
Sql92_security = true
– User must have ‘select’ on a table to be able to
run ‘update’ or ‘delete’ statements
07_dictionary_accesssibility = false
35. Harvard University
Accounts
Default Accounts and default passwords
– 700+ accounts depending on what products are
installed
– 3rd
party products
User profiles
– Complex passwords
– Script utlpwdmg.sql
– /u01/app/oracle/product/
{ORACLE_HOME}/rdbms/admin
36. Harvard University
Accounts
This script sets the default password resource
parameters
This script needs to be run to enable the password
features.
However the default resource parameters can be
changed based on the need.
A default password complexity function is also
provided.
This function makes the minimum complexity checks
like the minimum length of the password, password
not same as the username, etc. The user may
enhance this function according to the need.
37. Harvard University
Passwords
The default password list
– http://www.petefinnigan.com/default/default_pass
word_list.htm
More password information
– http://www.databasejournal.com/features/oracle/
article.php/3395721
38. Harvard University
SSL
Secure Socket Layer
Certificates
Prevent attacks from the ‘side’
Network sniffing
Virtual Private Network (VPN) tunnel
Virtual Private
39. Harvard University
Listener
From 10g onwards no specific ‘listener’
password required
Only the owner of the tnslsnr process can run
‘listener’ command
The ‘listener.ora’ file should be write protected
http://andrewfraser.wordpress.com/2007/05/24/listen
40. Harvard University
Transparent Data Encryption
Transparent data encryption is a key-based
access control system
Must be decrypted by a key to be understood
The key is stored in an Oracle Wallet
In 10g, columns in tables can be encrypted
In 11g, tablespaces and/or columns can be
encrypted
41. Harvard University
Transparent Data Encryption
http://www.oracle.com/technology/deploy/secu
rity/database-security/transparent-data-
encryption/tde_faq.html
http://www.databasejournal.com/features/orac
le/article.php/3649956
42. Harvard University
SQL Injection
It is a method of inserting SQL commands as
if they were user input
An attacker can append data and commands
to an existing sql query
Usually occurs at the URL
The username and password screens are the
most vulnerable as they are the ‘front door’ to
your application
43. Harvard University
Buffer Overflow
An application has an array (buffer) setup to
hold data.
Usually with languages C and C++
The array may not have specific boundaries
setup
If identified, a hacker can write data to this
buffer, overrun the array boundary and
replace other data values stored in memory
44. Harvard University
Buffer Overflow
Overflow is the process of writing to adjacent
buffers
http://www.windowsecurity.com/articles/Analy
sis_of_Buffer_Overflow_Attacks.html
45. Harvard University
Auditing
Enable auditing at the DB level by issuing the
below listed command
ALTER SYSTEM SET audit_trail=db
SCOPE=SPFILE; (if spfile in use)
Add the following to the startup script
EXECUTE
dbms_workload_repository.create_snapshot()
audit connect;
46. Harvard University
Auditing
Audit data is stored in the aud$ table in the
‘system’ tablespace
Purge the data in the AUD$ table periodically
or make sure that there is adequate space in
“SYSTEM” tablespace.
Recycle the environment to enable auditing
47. Harvard University
Auditing
Data collected
– Login/logout
– Source IP
– Programs used to connect from
Describe aud$ for more information
48. Harvard University
Advanced Security Option (ASO)
Encrypted sql*net
Used to secure direct connections to the
database.
Can encrypt data moving in both directions
Needs client side setup
– Sql*net.ora
– SQLNET.CRYPTO_SEED = (some value)
SQLNET.ENCRYPTION_TYPES_SERVER
SQLNET.ENCRYPTION_TYPES_CLIENT
50. Harvard University
Forensics
If some one gets into your database, what did
that do.
– What did they look at
– What did they change
– Did they extract any data
http://www.ngssoftware.com/
http://www.ngssoftware.com/company-
news/oracle-forensics-a-new-series-of-
papers-by-david-litchfield/
51. Harvard University
Recap
Design performance into the database setup
and configuration
Have a security and performance mind set
Understand your application and make
decisions based on that understanding
No absolutes
Be willing to change course
52. Harvard University
Reading
Oracle Performance Tuning, Oracle Press
– Richard J.Niemiec
Oracle 10g and 11g Security Guide
Practical Oracle Security (e-book)
– http://www.syngress.com/catalog/?pid=4620
Other Sources
– http://infosecurity.us/
– http://www.ngssoftware.com/