netgo

When I send DNS request, I will get some response. At this time, I had some question if this answer come from cached information or not. Someone think like me.

When the DNS server can recurse (RA is set)

1. Even if the query is recursive or not, the DNS which recived refer to local cache to find out the A record.

2. If the DNS is not authoritative, it will be return cached.

Please Look at these Packets.

There are 2 answers. One is CNAME which has 300 TTL time, other is A which 30 TTL time. I try again. And then

Now, I can see CNAME which has 300 TTL time and A which 29 TTL time. 

In my test environment, I have DNS and GSLB. It has the role each like below. I dig to Authoritative DNS.

Thus, 

1. Authoritative DNS return the TTL time for CNAME. This is the configuration value. 

- In the response packet, Authoritative flag is set.

2. Authoritative DNS recurse to GSLB and cache the answer and return to client. So this TTL time will be counted down.

- In the response packet, Recursion Available is set. (The DNS can recurse)

The best way to find out the answer come from cached is watching "TTL time will be counted down or not".

This is the other case, I will try dig to "8.8.8.8" which is google DNS server. Even if there are lots of DNS server behind 8.8.8.8.

In this result above, Recursion Available is set, so the DNS is expected to cache answer. However, this is not Authoritative. Therefore, the CNAME and A should be counted down.

So far, I send recursive query. However, I want to see the same result with iterative query. In this post, I explained how to generate iterative query. I will use "dig +norecurse". Please note below

1. "dig with norecurse" show the result by DNS properies.

- Some DNS show the next query information, even if it has cached record.

- Some DNS show the cached answer.

- Some DNS show "server failed" result

Because of this, I did not recommend to use "dig with norecurse". Anyway, I will show when it works. I used same DNS server target.

When dig with no-recurse works, It show CNAME with counted TTL time down and A with counted TTL time down. With result, this DNS server has cached record value.

I have already told that different type of result can be shown with "norecurse" option. I will send query "www.google.com" to different DNS servers.

At first, Cached A record information is returned from DNS server. At this time, I can expect this DNS server has the cache. Please look at the next case,

There is no Answer field. There are next DNS server information to query. This is the reason why I do not recommend this norecursion option. Sometime, I can see the server fail like below.

This is my result. It is OK to use "norecurse" option for checking the cached return. However, it can can show different result what I do not expect. 

1. See the response packet field : RA is set

2. See the TTL time count down.

This is the prove to cached.

Reference

[ 1 ] superuser.com/questions/523917/dns-queries-returning-no-answer-section

[ 2 ] superuser.com/questions/681680/dns-making-iterative-requests/681710

[ 3 ] www.slashroot.in/difference-between-iterative-and-recursive-dns-query

[ 4 ] www.ateamsystems.com/tech-blog/using-dig-to-find-domain-dns-ttl/

Sometimes, I need to use "dig trace" command. I have known that it trace the DNS hop by hop. In this post, I will see the Packet level with this command.

1. First Packet of dig trace.

The first packet is look like. 

There are 3 properties. 

1. "Recursion Desired" is not set (I have alread posted about recursion and iterative flags.)

2. The request is not for A record. it is NS.

3. This request is for "root" domain such "dot ."

By 2 property. the DNS response NS answer. After then, the client start to send A and AAAA request to the same DNS.

In this case, Client send A and AAAA for m.root-servers.net. The DNS does not response. After 5 second, it will retry.

In the result, I can see "couldn't get address for m.root-server.net" (Anyway this is not normal case)

The below is normal case. It request A and AAAA requests to all of targets which the response of the first NS request.

There is the things important to see. In wireshark, I estimate the time from request and response. 

The client choose the fastest one. In this sample, it will be "198.97.190.53". 

2. Second Reqeust for target domain

I think this is first step for the domain what I lookup. I have known that "198.97.190.53" is the namesever for next step. Therefore, I send the A record request to this DNS server.

Please not that "This is A record request with no-recursion". The below is the response packet.

There is no answer field in this response. Also, this server does not recursion available and is not Authoritative.

The DNS response with "Authoritative nameserver" list to client. The client must request other DNS server to find out.

Client send the nameserver (8.8.8.8) to find out A record for this nameserver list received. This is almost same with first one.

During these step, the client also choose the fastest one. At this time, it is "210.101.60.1"

With this value, the client try again.

However, there is no answer filed at this time. There are "authoritative nameservers list" again. Client will repeate above step.

3. Finally Request for A record.

The client send the A record request without recursion to 211.188.180.21 name server. It response like below.

At this time, there is "answer filed". Becuse of this, dig trace will be stoped. However, this is not A record. It is CNAME record with "authoritative nameservers" for this CNAME.

(Please note that "Authoritative is set" even if the A record is not responsed.) This measn that CNAME is valuable like A record.

Client must repeat this CNAME domain request again. It is the same above step.

[ Reference ]

[ 1 ] createnetech.tistory.com/60

In the past, I posted "how to configure bind9". During writing, I did not understand fully the concept of the recursion, even if there are simple explain like others.

I will see the some packet in this post. It is much easier.

1. General DNS Standard Query (Default Reqeust)

Normally, the servers are set the "/etc/resolv.conf" file to customize DNS server. In my case, I set "8.8.8.8" as the resolver.

It is everything which I can do simply. And then I use without any recognization. This is the Request Packet

In DNS packet, there is flags field. "Recursion Desired is set". This is what I want to find. Because of this, the DNS server (the request packeted is received) will try to recurse. 

In the received packet, there are lot of informations. I can estimate DNS properites such as "Authoritative" and "Recursion option".

This is the Default Reqeust Packet. Therefore, the DNS will do recursion and caching.

2. No Recursion DNS Reqeust (Iterative Request)

At this time, I want to send "no recursion DNS request". I mean iterative request. The simple way is to use "dig" command with "norecursion". Please look the manual page.

I will try "dig +norecurse" like below.

That is so strange. There is no answer for A record. "This imply that there is no cached A record for this domain", Becuase this DNS server does not do recursion. If the DNS has the cached A record. It looks like below.

In this case, the DNS has the cached A record. It returned the response. Look at the packet.

With "norecursion", "Recursion desired flag" is not set. This is the important factor to understand. 

In the response, the flags values are same as the above. Please look at the Answer. This means that "DNS server (8.8.8.8) give me 2 types of answers, first is CNAME and second is A record for the CNAME". This A record is cached value. Because This DNS server can recursion by the flag.

Reference 

[ 1 ] help.fasthosts.co.uk/app/answers/detail/a_id/1276/~/what-is-recursive-dns-and-why-is-it-not-recommended%3F

How to upgrade DNSSEC for bind9?

In this post, I wrote how to configure DNS servers (Bind9). In this post, I will setup the DNSSEC to enforce DNS secrutiy from the attacker. In fact, I am not friendly with DNS element. So I will follow this instruction.

1. Pre-requisite 

I need DNS servers (master, slave and caching). I can build from this instruction simply.

2. Edit Master DNS server configuration

At first, I need to update master DNS server configuration to enable DNSSEC function. Open "/etc/bind/named.conf.option" and update like below (red text)

DNSSEC required the ZSK KEY (Zone Signing Key) and KSK KEY (Key Signing Key). Both key are called as DNSKEY. I have to generated these. To generate encryption key, I need entropy algorithm. "havedged" is good solution for this.

Now, I can generate. Please note that Key files should be located on the same directory of zone files.

After run command to geneate, I can see the 2 files like below. These file are Zone Signing Key.

Now I will create Key Signing Key like below. After running, I can another 2 files.

All of these step are for creating signed zone file. Therefore, I will update zone file from now. Open zone file what I make secure and Include the key files above.

Now, I am ready to sign the zone file. I will run "dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>". "<Salt>" value is the random number. I can generate like below

With this value, I can complete the command above

"db.g.crenet.com.signed" and "dsset-g.crenet.com." files are created. I will update to target this signed zone file in "named.conf.local"

Service restart and dig the DNS query with this Master DNS server.

Now, The DNSSEC in master DNS server is worked.

3. Edit Slave DNS server configuration

There is not complicated. Just enable "named.conf.option" in Slave DNS server.

Also, change file value in "named.conf.local" of Slave DNS server.

Now, I have restart bind9 and reload zone file. I can see downloaded file which is signed.

4. Edit Caching DNS server configuration

I have alread update this file to work DNSSEC function. Please check "/etc/bind/named.conf.option" file.

5. Configure DS records with the registrar.

When I create Signed zone file, "dsset-g.crenet.com" file is also generated which include "DS" record. 

To publish this DNS server with DNSSEC, I have to offer these DS record to my DNS registrar. (DNS registrar mean the represtative compay which has the role to register DNS, such as GoDaddy or Gabia.

Reference 

[ 1 ] https://createnetech.tistory.com/46

[ 2 ] https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2 

How to configure DNS bind9 configuration in Ubuntu

Recently, I need to learn about DNS system. In fact, I have not considered about this system so far. To understand about this as the begineer. I will memorize how to configure simply.

1. Pre-requisite.

I have four servers with Ubuntu 16.04 in AWS. Each server has the Public IP address.

2. Installation of bind9 packages

In fact, I do not know anything at this time. I need some instructions. I will follow this instruction basically. At first I need to update hosts name.

And I will update repository and install the bind packages like below. I will repeate this step in each servers, ns2 and ns3 also.

Installation is completed. I can see the directory and files under /etc/bind directory.

3. Configuration Primary DNS Server

At first, I will edit "named.conf.options". In this file, I will add some options to work well as the DNS server. This configuration is not applied to only primary. I will edit all of servers. 

In above, there is "acl" field. It is the represatative name for allow-recursion. "recursion yes" means enable the recurive query from other DNS servers which is defined in "allow-recursion". In this instrucion, It shows what the recursive query is.

In this instruction, it is more simple contexts comparing with "iterative request".

If I do not want to use this recursion, I can change to "recursion no;" In my case, my authoritative DNS servers will be end of step for Domain. So I will disable the recursion. "allow-transfer { 10.10.0.99; 10.10.0.39; };" means transfering zone file to listed DNS servers which are refered as slave servers. 

After these configurations, I can check the configuration is correct or not.

If I do not get any answer or failed message, It works correct. In above, I defined "allow-transfer" like "allow-transfer { 10.10.0.99; 10.10.0.39; };". This parameter is the global value. Therefore, it is applied for all of zone files. It need to be limited sometimes. In the instruction, allow-transfer { none; }; is recommended.

I will define "allow-transfer" in "named.conf.local" individually in every zone difinition. I will edit the "named.conf.local". It looks like below.

In above, I defined "forward zone" and "reverse zone". (Please this does not mean zone file) I suppose the one of 10.10.0.0/16 ip addresses will be mapped with Domain. In this file, It show how many zone file are existed and the each properties. I wrote 2 types of configuration for master and slave. In this "master", I can define "allow-transfer { 10.10.0.99; 10.10.0.39; };" in each zone definition. (Even if I will explain later in this post) In "slave", I can define "masters" as the source.

I will locate the zone file under "/etc/bind/zones". If you do not have zone directory, I need to create before.

After these configurations, I can check the configuration is correct or not.

3. Createing the Forward and reverse zone files.

Under the "/etc/bind" directory, there is the sample file for these.

I will copy and edit this files for my zone file. This step is depends on your environments. It will be different from me

Open the forward zone file and edit at first. It looks like below.

I edit the TTL time for caching. If there is the caching DNS server in front of these authoritative DNS servers, the Caching server does not ask again during this time. I will adjust for 60 seconds. Serail number is increased. Every time, I edit zone file, I have to increase this number. This number is used for the slave servers to determince download zone file or not. I added all of name servers in end of SOA field.  For reverse zone file, it is similar with forward zone file. It looks like below.

Most of values are same. Add all of name servers end of SOA field, then add PTR records. After all of these, I can check my configuration.

If there are no errors, I will restart the daemon.

4. Configuration Secondary(Slave) DNS Server

I will do these on ns2 and ns3 in my case. It is almost same as the master DNS server. I have already written above. For "named.conf.options",

For "named.conf.local",

In this "named.conf.local", the file field is not a certain path. Now, I have slave DNS servers.

5. Verfication the Master and Slave DNS server.

Before I verify this. I need to download zone file from master to slave. On slaves, I run this command.

In the /var/cache/bind/, I can see the zone file downloaded. Now I can Domain lookup from remote clients.

6. Create Caching DNS server without zone file (Only Forwarding caching DNS server)

Now, I create the Caching DNS server in front of Authoritative DNS servers. I will refere this instruction. Most of steps are similar with above. I have already written above. 

In the instrucion, there is another term, "allow-query". This is same with "allow-recursion". So In my case I will use again in this post. I need to define "forwarders" which point to DNS server whiech handdle the recursive query. In my case, the authoritative DNS servers are listed in here. 

At this time, I want to make this Caching server to work as forwarder (This server does not response against the query reqeust itself). So I will add "forward only;" option. Final thing I need to edit is dnssec. In fact, I do not know what this is exactly. Anyway, this part make the server and client more secure. So, the my configuration of "named.conf.opiton" look like below.

After this configuration, I need to check the configuration with "named-checkconf" and restart bind

7. Verfication of Caching server (Clean cached DB)

In this blog, there is the way to view cahce status. 

This error happend due to permission of file location which is created by the command. Therefore, I need to re-define the path for the dump file in the configuration. Please read this instruction.

"dump-file "/var/cache/bind/dumps/named_dump.db";" is added int the configuration. After then, check configuration and restart. (Please note that the file should be located under /var/cache/bind directory)

I can see the file created. I can also read this file. The result look like below

If I want to clean this db and caching. I can run like below. Flush and service restarted are necessary.

8. Create Caching DNS server with zone file (Delegating sub-domain)

Because of above, I use another name "ozigo.shop". (So far, I used "dizigo.shop")

I will follow this instruction. Caching DNS server can have zone file and handle the query directly. For this, I will do some of changes. First I will remove "forward only;" and "forwarders". Therefore  "named.conf.option" is look like below

And then, I need other configuration file and zone file, "named.conf.local" and "zone file included sub-domain"

I used "$ORIGIN" term to seperate zone between ozigo.shop and ns.ozigo.shop. The red text show how to delegate sub-domain reqursion. The request query for "ns.ozigo.shop" will be sent to "ns1.ns.ozigo.shop" which has 10.10.0.72 IP address.  The authoritative DNS which has zone file will be like below.

My final goal is looking up "recursion.ozigo.shop". When I try to dig from remote client, the result should be like below.

9. TroubleShooting.

When I can meet some errors like below during checking zone file configuration in cache server.

In my case, I update /etc/resolv.conf file like below. I update the nameserver with my local private IP address.

Reference

[ 1 ] https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-18-04

[ 2 ] https://kifarunix.com/configure-bind-as-slave-dns-server-on-ubuntu-18-04/

[ 3 ] https://help.fasthosts.co.uk/app/answers/detail/a_id/1276/~/what-is-recursive-dns-and-why-is-it-not-recommended%3F

[ 4 ] https://www.slashroot.in/difference-between-iterative-and-recursive-dns-query

[ 5 ] https://help.fasthosts.co.uk/app/answers/detail/a_id/1276/~/what-is-recursive-dns-and-why-is-it-not-recommended%3F

[ 6 ] https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04

[ 7 ] https://linuxconfig.org/how-to-view-and-clear-bind-dns-server-s-cache-on-linux 

[ 8 ] https://bugzilla.redhat.com/show_bug.cgi?id=112350

[ 9 ] http://www.zytrax.com/books/dns/ch9/delegate.html

How install oracle 11g on Windows 2012 R2?  (Enable archive log and Supplemental log)?

Recently, I need to learn the oracle to migrate data from on-prem to aws. In fact, I am not the DBA, therefore, I can not handle deep dive. I hope the I can help someone like me who is the first time about oracle.

1. Pre-requsite.

I have Windows 2012 R2 which supports oracle database 11g. For successful installation, I need the ".Netframe 3.5" installed. In server manager. Click "Add Roles and Features" at first.

In Features, choose the ".NET Framework 3.5 Feature" and Install this.

After then, I am ready to install oracle database.

2. Install oracle database.

The reason why I select Windows is simple to consist rather than Linux. I will follow two instructions mainly. https://www.youtube.com/watch?v=YgFfjLHY-wE is helpful for me. At the beginning, I need installation file. I can download from oralce site.

In my case, I will download "Microsoft Windows (X64)". There are two files. After extract both of files, I need to merge and make together in same directory. I copied and pasted whole directory from secondary to first.

After merge, I can see the directory inside. There is the "setup" icon. Click it.

Click Run and Start Installation for oracle database.

Depends on the system environments, Installer make warnning messages like this. However, I can ignore this, Click "yes"

Uncheck "I wish to receive security updates via My Oracle support", because I do not need this feature. It does not matter for next step. In email field, I can leave with empty. Just click "Next"

After Next, the warning message come. However it is also not matter for next step. Just click "yes".

Choose "Create and configure as a database". Because this is first installtion on this server. Click "Next".

In my case, my operating system is windows 2012 R2 server. Therefore, I will choose "Sever class".

I will install with standalone mode. Choose "single instance database installation" and click "Next".

Choose "Advanced Install" and Next.

This step is more important rather than before. In this insturction, there are some explain about the fields. I overview about below. 

Select "Langurage"

I will select "Standard Edition One" (Please note I can select what I want as the oracle database engine).

I select my custom home directory like below.

Select configuration type. In my case, I will choose genera purpose.

"Global database name" is not SID. However, I choosed single instance mode. Becuase of this, the SID can be same as Global database name. However, I can make different in Advanced mode.

I will adjust some paramters for memory, characters set, security and sample schema.

I will UTF-8 for character sets.

I will not make sample schema. Un-check "Create database with sample schema"

During this installation, Oracle Enterprise Manager will be installed, even if I do not want. Just click Next

Select File system. Usually it is better to seperate from root disk.

This is the back up configuration. I don't want this at this time.

When I select "Typical Installation". There are Administrative password which is default password for schema (=users). 

However, In Advanced mode, I can set password individually like below.

If you use simple password, the warnning message happen like below. In my case, this is test oracle database. I will ignore this. Click yes.

This is summary, Click Finish to installation.

During installation, I can see the configuration assistant process like below.

During the installation, warnning message like below can be occure. In this case, I need to set variable in windows.

I will handle this later. At this time, just click next. I registered the "Administrative password" before. I have told it will be used as default password. However, I have another change to set the password for each schema (=user).

Click Password Management. I will set individual password for "SYS" and "SYSTEM". If you want more, you can set the password more. In oracle database, there are serveral sample test schema such as "HR" and "SCOTT".

Continue with Yes.

3. Access database

Now, I can access database. At this time, I can use sqlplus which is installed with.

I can access with SYSTEM schema account like below

4. Verify the oracle environment for enterprise manager.

During the installation, I see warning message below. Because of this, I need to check environment variables.

In this page, I need to check the status with "emctl status dbconsole". 

In this case, I need to set environment value. Properties > Advanced system settings.

In Advanced tap, there are environment value button.

I will add some values in User vriables for Administrator.

For the first issue, I will add "ORACLE_UNQNAME". 

I will reference the value from db_unique_name. In fact, there is value when environment is not set. run "select name,db_unique_name from v$database;".

I will try again "emctl status dbconsole". At this time, there is "Not found" error. 

Go into the directory. Thre is no localhost. Instead, 11.0.0.131 is existed.

To resolve this, I will add "ORACLE_HOSTNAME" like below.

After then, It will be like below. This is normal. However, It look like not perfect. "EM Daemon is not running" is happen.

I followed this video. To make success, I have to start service manually. At this time, I can not start after right button.

Find the file below. In emd properites file, "agentTZRegion=+06:00" should be adjusted with OS time.

I adjust the time 

Now, I can use this.

5. Oralce database stop, start and restart

In this instruction, there are several way to stop and start. In this part, I will overview sqlplus to stop and start.

6. Enable/Disable Archive log Mode

Sometime, it is necessary to enable this feature. It is utilized to synchronize databases with log-miner. For this, I will follow this instruction. run "archive log list". The result is displaied. It is not enabled default.

I need to shutdown with "shutdown immediate". My status is changed to "nolog".

I have to change the status to "mount", which I can change configuration on. Run "startup mount".

Run "alter database archivelog;" to enable

After then, I open the database "alter database open;"

If you want to disable, I use "alter database noarchivelog;"

7. Enable/Disable supplemental logging 

This action should be done in database. To check the status, run "select supplemental_log_data_min from v$database;"

To enable and disable, run query like below.

This is the basic configuration for the installation. 

Reference 

[ 1 ] https://www.youtube.com/watch?v=YgFfjLHY-wE

[ 2 ] https://medium.com/@Dracontis/how-to-install-oracle-11g-database-on-windows-server-2012-a4d30d4dc727

[ 3 ] https://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html

[ 4 ] https://docs.oracle.com/cd/E25178_01/server.1111/e10897/install.htm

[ 5 ] http://www.dba-oracle.com/t_oracle_unqname.htm

[ 6 ] http://blog.mclaughlinsoftware.com/2012/08/23/whats-oracle_unqname/

[ 7 ] https://www.youtube.com/watch?v=Y8i41J7aLwo

[ 8 ] https://docs.oracle.com/cd/B14117_01/win.101/b10113/admin.htm#CDCEJADC

[ 9 ] http://www.oracledistilled.com/oracle-database/backup-and-recovery/enabledisable-archive-log-mode-10g11g/

How to user the Oracle View and Joins (Inner and outer)

Recently, I have been studying about the Oracle Database. In this post, I wrote about the basic concept. In this post, I will handle about View and Joins.

1. Pre-requisite

I will create 2 tables like below.

After run these command, I can get the tables with datas

Now, I am ready to start.

2. Inner and  Right, Left, Full Joins

I will follow this instructions. In this instructions, It has more detail. In this post, I will handle the way how to use this. Joins are one of filters with tables. Therefore, I can extract the matched data from tables.

2-1. Inner Join

As the figure, It shows the result after Inner Join. I can extract the matched data as intersection. This is the command. 

This command means that I can extract intersection from both of "MYADMIN.users" table and "MYADMIN.lessons" table.

2-2. Left outer Join

With this option, Left side of tables are the source. This source start to compare data of the Right side of tables. When condition is matched. It extract matched data from both of table. However, the condition is not matched, the data from the source can be obtained but the data from right side of table inserted as the "<null>"

2-3. Right outer Join

This is reverse concept of the left outer join above. At this time, left side of tables is the source. Therefore, the value could be "<null>" from right side of tables, when condition does not match.

2-4. Full outer Join

With this option, left side and right side can be source. If the column from left side which does not exist in right side, this is the source. If the column from right side which does not exist in left side, this is also the source.  

3. Views

I will follow this instruction for this part. Views is the virtual table which is not existed in real. Sometime, I need to combine or make complex database query. In this case, this views is quite useful. For example, I will create view with the query of full outer join.

I have already told that the view is not real table. Thus, I can not find out the information from "user_tables".

However, I can see the view information from "user_views". In the "TEXT", I can see the query which I used to create.

I think "the views is belonged to the schema (=user), even if it is virtual table". I can give some grant option like below.

After login again with "MYUSER" account, I can show the data from this view also.

However, I can not show any detail information with "user_views" or "user_table".

Because, it only show the data whch is created by "schema". Therefore, if you want to see, you need to search through grant option like below.

If I want delete (drop) the view, Use this command below

Reference 

[ 1 ] https://www.techonthenet.com/oracle/joins.php

[ 2 ] https://createnetech.tistory.com/32

[ 3 ] https://www.techonthenet.com/oracle/views.php

How to use the Oracle database basically?

Recently, I need to study about the Oracle Database. In fact, I am not DBA. In this post, I will write the database queries to use later. I will use the Oracle SQL developer for this test.

1. Download and Connect database

I followed this instruction, which introduce how to connect to database. I need to download Oracle SQL developer from here. After download, I can connect database with connect button on the left of top.

2. Check the Database Properties.

I can see configuration or properties from query like below. For example, I can see the "Default Temp Tablespace" which the user information is stored in.

3. Create (Drop) User

This is important part to understand about Oracle Database. In Oracle, there is "schema" term. I think this is also user. All of objects such as table are connected to this schema. For example, "schema.table_name" is used as the table name when I create table. This instruction show how to create user.

I can get the all of users information in this database like below.

Now, I will create new user which is identified by the password.

I can see the new user created with "select * from dba_users;".

If you want to remove or revoke user, follows the command below.

4. Grant Privileges and role.

However, this user does not have any role and privileges. In this instruction, there are comments for roles.  

In my case, I am AWS Oracle RDS database. Look at the role assigned.

There are so many roles assigned.  There is no any role in user created before. However, there are so many role assigned for 'RDSADMIN' and master account.

Now I will give 3 role for user which I created like below.

After this I can check the role status.

So far, I studied how to grant the privileges. However, I need to revoke these sometimes. 

After granting roles to user, I need to give some privileges to this user. In oracle, there are two types of privileges, system and table.  At first, I will grant some privileges for the system.

I can give(remove) some system privileges like below.

After this, I can verify the status with "select * from dba_sys_privs" query.

Now, the table privileges left. In fact, I can not explain about this without the table. I will add more detail later in this post. Just look at the command how to see.

5. Create(Drop) Table

Before I create the Data table, I need to create table space. In this instruction, what kinds of parameters are required is explained. This command show the table spaces list. 

There are some necessary factor for this table space. Fist is "Contents". There are three values to category. In the instruction, there are comments like below.

From this statements above, "Undo tablespace" is not friendly rather than others. Please, read these instructions, https://oracle-base.com/articles/9i/automatic-undo-management and https://docs.oracle.com/cd/B28359_01/server.111/b28310/undo002.htm#ADMIN11462. For this "Undo tablespace",  "automatic undo management" is required. The recently version is set as defaults. Also, I tried to change this configuration in AWS RDS. Howerer, I can not alter this.

Second is the datafile conecpt such as "bigfile" or "smallfile". In this instruction, 

From this statements, I can not understand "smallfile tablespace can contain multiple datafiles". Please look at this link, 

However, this command does not work in AWS RDS. Because RDS does not give any permission for this like below. I can not create the datafile.

There are so many options, however I can not handle all of things. I think I can create tablespace with these information. I hope this instruction will be helpful.

After this command, I can see the "select * from dba_tablespaces;" and "select * from dba_data_files;"

Now, I created table spaces. I can start to create table. Please look at this, there are sample example to create table. 

This command create "error" like below. This error is occurred by table name.

In oracle, table name must be "schema (=user)"+"table name". This is the reason why the schema (=user) is import. Because of this, I have to revise the command below. "MYADMIN" is created user before.

After this command I can see the table information with "select * from dba_tables;"

There are 2 things special. I insert "MYADMIN.user_info" as the table name. Howerver, oracle re-arrange this table name with "owner" and "table_name". Also, "USERS" tablespace is allocated for this table, which is default permanent tablespace. However I want that this table is located in "MYSAPCE" table space. Thus, it should be revised like below.

However, I can create this. Because this table name has already existed. Thus I need to drop this table with this command.

Now, this is what I want.

6. Insert, Update, Delete Data

Before start this part, I need to covert account with "MYADMIN", which is used as the "schema name".

"user_tables" show the information which belonged to logon account. If I can see table only I create, it is OK.

However, there is other way to find out logon current user. In this instruction, "select user from dual;" is command.

I will follow this instruction. At first, I will try to insert some data into "user_info" table;

Please note that I can use both of "schema+table name" and "table name", because the current user is same as the schema name. After this command, look at the table information like below.

Now, I will update the data. Please note I use "schema+table name" as the table name. It does not affect the result.

Finally, Delete is left. This is not difficult to run.

7. Troubleshooting. (table privileges with other schema)

I am happy to learn how to insert, update and delete data. However, I need to think about my privileges. So far, I did not give any permission about table. The reason why this can be done is that this user is the "schema user". It look like admin user for this table. If I create another user (=schema), I wonder if this user can insert, update and delete with this table.

This user does not any role and privileges at the beginning. 

I can not logon into the Database. I add the role with "connect"

Now, I can login. However, I can not select, insert, update and delete over table. I need to give some privileges.

With administrator account, I will give this user some permissions. Please, look at the this instruction.

Now, I can select, insert, update and delete.

If I want to know what kinds of table privileges does this user has, use this command

This is basic oracle database concept. I hope it will be helpful. If I have enough time to learn, I will handle more. However, I am not DBA engineer. I hope I can keep touch about this part again.

Reference

[ 1 ] https://docs.aws.amazon.com/ko_kr/AmazonRDS/latest/UserGuide/USER_ConnectToOracleInstance.html

[ 2 ] https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/index.html

[ 3 ] https://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_8003.htm#SQLRF01503

[ 4 ] https://chartio.com/resources/tutorials/how-to-create-a-user-and-grant-permissions-in-oracle/

[ 5 ] https://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_7003.htm

[ 6 ] https://stackoverflow.com/questions/8496152/how-to-create-a-tablespace-with-multiple-datafiles

[ 7 ] https://docs.oracle.com/en/database/oracle/oracle-database/12.2/sqlrf/CREATE-TABLESPACE.html#GUID-51F07BF5-EFAF-4910-9040-C473B86A8BF9

[ 8 ] https://www.java2s.com/Code/Oracle/User-Previliege/Getcurrentusername.htm

[ 9 ] https://www.oracle-dba-online.com/sql/insert_update_delete_merge.htm

How to install self-signed certification on Windows 2012 R2 for RDP?

Recently, I have some issue about the RDP security. I try to find out how to use my own certification. Please note that it is not recommend that I use self-signed certification. Because it can make more complex trouble. However, I do not have any certification. So I will use self-signed certification for this post.

1. Pre-requisite

Before I start this post. I need to prepare the self-signed certification. In this post, I will write how to create certification with openssl. In addition, I need to merge and covert from "cert (crt)" to "pfx". In windows, the matched private key is necessary according to certification which I want to insert. 

2. Install certification feature and Import certificate file.

Run "mmc" and open the console. In here, I can install and configure the certification.

There is nothing at first. I need to install the certification. 

I need to follow "File > Add/Remove Snap-ins". 

And choose the what I want to install. In my case, Certificates is chosen. After "Add the Certificate for Snap-in". I can see the menu like below. Select "Computer account".

Select "Local computer"

After finishing the above steps, I can see the "Certificates" category on the left of side. In "Certificates > Personal > All Tasks > Import", I can see my self-signed certificate.

Now, I can start the "Certificate Import Wizard". Click "Next"

There is the form to insert the path for certificate which is the "pfx" file.

Input the optional values if I used the values.

Select the location which the certificate is located in. In this case, "Personal" is used.

Now I can check all of information.

Click Finish. I can check the certification which is located in Personal like below.

Now, I have done to insert my certificate.

3. Check the certification status and activate the certification.

After installation and import process above, I can check the detail of certification which is installed with "double click".  If it is status is good. I can see the comment "You have a private key that corresponds to this certificate".

Now, self-signed certification is imported with correct steps and status. Now, I need to check "Thumbprint" to activate and covert this certification from default. In Details, I can see the "Thumbprint" like below.

This value of "Thumbprint" is necessary. This value is used with command line below. There are two types of command. In my case, I will use "Command mode"

In the CMD, I can run like below and I will confirm that "Update is successful".

4. Access the Remote Desktop

Now, I will access and I can confirm the certification is changed like below.

Basically, RDP is encrypted by TLS. With the steps above. It is more customized.

I can see the TLS handshake by the wireshark packets.

5. (Optional) Enforce the RDP data and connection encryption level.

In this post. there are several steps to make more secure RDP connection. In the middle of contents, "Local Group Policy Editor" are used to enhance the security. Run "gpedit.msc" at first.

In "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security", there are several parameter which I have to change.

Reference 

[ 1 ] https://www.geocerts.com/support/how-to-export-import-ssl-certificate-between-windows-servers 

[ 2 ] https://www.youtube.com/watch?v=qDwF0_ax6_w

[ 3 ] http://createnetech.tistory.com/12?category=679927

[ 4 ] https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

[ 5 ] https://www.howtogeek.com/175087/how-to-enable-and-secure-remote-desktop-on-windows/ 

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu?

From this post, I run multi-machine cluster basic mode. Now, I will run multi-machine cluster with TLS/SSL security. I am not the security engineer. I am not friendly about TLS/SSL concepts. I studied about key and chain concept before, however it still difficult to understand it. In this documentation, there are 2 things required,  a unique key pair (member.crt, member.key) and shared cluster CA certificate (ca.crt). In this post, I address how to create these.

1. Overview the command for multi-machine cluster with TLS/SSL.

From this documentation, the commands are look like below.

From command line above, there is something unknown like below. I need certificate. However, I do not know how and what can I obtain these.

"cfssl" can do for these. In this Git link, there are introduction about "cfssl" like below.

2. Download and install the "cfssl"

In this documentation, there are installation guide and usage. 

It is so simple. I verify the version.

3. Create root certificate (CA).

In the command, there are 2 root certificate, ca-client.crt and ca-peer.crt. It will be shared between all hosts. Thus, I create these certificate on single host and copy into others. To create root certificate, I need 2 files, "config.json" and "csr.json". The contents is here.

I create "ca-client-config.json" and "ca-client-csr.json" for ca-client certificate. I have to create more for ca-peer certificate. CN name should be different.

Now, I can generate with files above. Please, note that I will obtain some files which is named "ca.csr", "ca-key.pem" and "ca.pem"

I can verify this is normally good or not. 

It's good. I can generate intermediate certification with this certificate. Therefore I need to copy these files into other hosts. I move files on each directory like below. (I create these directory on every hosts)

In this documentation, there are several security models. Example 2 (Red) and Example 3(Blue) are matched with the command above.

At first, In example 2, I need server to run "etcd" and I need client certificate to get response. And second, In example 3, I need peer certificate to communicate between hosts.

4. Create server, client and peer certificate.

Look at this post, there are way to generate each certificate. I create server certificate. To create, I need to "server.json" file. In this Git, there are sample JSON file. For server.json, hosts information are most important.

I will generate server certificate. Please note that the command above use the name "infra-client", however, this is server certification, it is not client certificate.

"-profile=server" option makes server certificate. Next, I create the peer certificate. Also I need "peer.json" file. This file is similar with "server.json". However, CommonName (CN) should be different.

I generate peer certificate with peer.json file above. "-profile=peer" is adopted at this time.

I create server certificate and peer certificate. Therefore, I can run "etcd" with both certificate. However, I need client certificate to obtain response. I will use same root certificate of the server. I need "client.json" file.

I generate peer certificate with client.json file above. "-profile=client" is adopted at this time.

5. Run etcd in security mode.

I ready all certificate to run in security mode. Final command looks like below.

At this time, I do not know command line to put and get. However, there is sample curl command in this documentation (Example 2).

I can see the result {"action":"set","node":{"key":"/foo","value":"bar","modifiedIndex":17,"createdIndex":17}}. It's works now.

6. Run automatic certificate mode

So far, I do so many step to run in security mode. It's is not simple. Because of this, etcd offers automatic certificate mode. In this mode, etcd create certificate automatically. "--auto-tls" and "--peer-auto-tls" are replaced instead of part for certificate.

In Example 4 of this documentation, "curl -k https://127.0.0.1:2379/v2/keys/foo -Xput -d value=bar -v" command is used. (This site also useful)

Now, I can use with simple model.

Reference

[ 1 ] http://createnetech.tistory.com/16

[ 2 ] http://createnetech.tistory.com/14

[ 3 ] http://createnetech.tistory.com/12

[ 4 ] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/clustering.md

[ 5 ] https://coreos.com/etcd/docs/latest/op-guide/security.html

[ 6 ] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md

[ 7 ] https://coreos.com/os/docs/latest/generate-self-signed-certificates.html

[ 8 ] https://github.com/etcd-io/etcd/tree/master/hack/tls-setup

[ 9 ] https://coreos.com/etcd/docs/latest/demo.html

[ 10 ] https://www.mkyong.com/web/curl-put-request-examples/