Monday Dec 30, 2013

Final Post: Retiring from Oracle

December 31st will be my last day at Oracle.  Although I've been asked by my boss and sales management to stay on, I've decided that now is the time to enjoy as much free time as I can.

I joined Sun in September of 1995 after 11 years at Gould/Encore and have survived through the ups and downs including multiple levels of layoffs at Sun.  I successfully transitioned to the North American Public Sector Hardware (NAPSH) organization of Oracle and have enjoyed working closely with our software colleagues.  At Sun and Oracle I've seen tremendous innovation in technologies such as:

  • Java
  • Solaris
  • Engineered Systems
  • SPARC 
  • Virtualization

as well as a few flops such as:

  • Sun/Netscape Alliance
  • Acquisition of Cobalt
  • Sun A7000 storage acquisition from Encore (my former employer)

During my time at Snoracle, I've had the pleasure to support our war fighters by providing high performance, secure and scalable systems for the Global Command and Control System, DISA Datacenters, NIPRnet, SIPRnet and other mission critical programs.  I've also worked with key government customers such as NASA, DoT, FAA and others.

My first blog entry here was posted in October of 2006, and with this final entry I will be hitting number 136.  In the last two years alone, I've received over 100 comments on my entries.  Whether positive or negative, they are always appreciated.

Thanks to all my readers and coworkers for your comments and contributions over the years.  I'm glad that I've been able to help the global Sun and Oracle community to better understand our technologies.

Solaris 11 STIG update

My work on the Solaris 11 STIG will continue in the able hands of Brett Norman and Glenn Brunette. I would like to thank Glenn and others from Oracle (Glenn Faden, Gary Winiger, Darren Moffat, Alex Barclay and Dave Walker) for their assistance.  Without them, the project would have foundered.  Thanks, also, to Charlie at DISA FSO for keeping us moving in the right direction.

Monday Dec 16, 2013

Solaris 11.1 STIG update

I am still in the process of creating a Solaris 11.1 Security Technical Implementation Guide (STIG) with DISA Field Security Office.  The process is long and detailed requiring significant testing and review by DISA for final approval.  The STIG items are complete (pending DISA's approval).  While I can't predict how long the final approval will take, if you are a DoD customer wishing to run Solaris 11, you may contact your Oracle systems sales team to receive a draft copy in spreadsheet form.

STIGs are guidelines to assist DoD customers in securing their systems.  It is NOT required to have a DISA STIG document to run Solaris 11 in your environment.  In the absence of a DISA approved STIG, customers may use industry or vendor recommended guidelines.  We already have a number of DoD customers running Solaris 11.  Resources available include:


Our customers find that Solaris 11 is much more secure "out of the box" than Solaris 10 and is easier to bring into compliance.  Solaris 11 is now over two years old and provides significant new features and benefits over Solaris 10, including:

  • ZFS default root file system enabling:
    • Easier, safer system updates
    • Automatic alternate boot environments
    • Improved zone management 
    • Encrypted file systems
    • Compressed, de-duplicated file systems
    • Simplified RAID and mirror configuration
  • Image Packaging System for:
    • Faster, safer updates
    • Easier system minimization
  • Improved security, including:
    • Elimination of root login
    • FIPS 140-2 certified Crypto Framework
    • Multi-level security enhancements
  • Complete network and application virtualization
  • Automated installer
  • Much more

Learn more about What's New in Solaris 11 and 11.1.


Solaris 11 Crypto Framework receives FIPS 140-2 certification


NIST has awarded FIPS 140-2 certificate #2060 to the Oracle Solaris Kernel Cryptographic Framework with SPARC T4 and SPARC T5 (Software-Hybrid), and FIPS 140-2 certificate #2061 for the Oracle Solaris Kernel Cryptographic Framework (Software) module.  The certificates are not yet available, however, the details are already posted on the NIST Validated FIPS 140-2 Website listed below.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm

The Userland Software and Software-Hybrid validations are still in the NIST Coordination phase.  

Thursday Jul 11, 2013

National Security, the "two man rule" and Solaris

A recent article in Federal Computer week reports:

In the raging debate over the data breach at the National Security Agency, here's a nugget that deserves more attention than it has received: The NSA's director, Gen. Keith Alexander, recently instituted a two-man rule to limit the previously unfettered access of the 1,000-plus systems administrators who work for the agency. It ensures that no single person can gain access to confidential, sensitive and often top secret data.

In addition, DISA has published "Security Requirements Guides for Operating Systems" which require:

The operating system must enforce a two-person rule for changes to organization defined information system components and system level information.

Luckily, Solaris 10 and 11 have all the tools to assist in creating a "two man rule." In fact, we published a paper on the topic in 2005. Their comprehensive role and profile based collection of authorizations ensures that only users with the proper authorizations are allowed access to administrative tools.  Solaris can be configured so that one user has the role of "Security Admin" while another user has the role of "System Admin."  The security admin has privileges to add users and give (or remove) authorizations for those users but does not have all the other traditional capabilities of "root."  In other words, the security admin cannot accidentally "rm -rf /" to corrupt the system.  The system admin has authorizations to perform traditional system administration functions such as creating file systems and managing services, but cannot create new users or give himself additional privileges.

Solaris 11 is Oracle's premier Unix based operating system with support for SPARC based systems from Oracle and Fujitsu and X86 systems from a wide variety of vendors.

Many customers don't know that Solaris is built from a single source code base for both platforms and consists of about 95% common code.  Unless there is a specific difference in hardware support (virtualization, cryptography, hardware failure detection, dynamic reconfiguration), Solaris looks and works the same on both platforms from an administrative point of view.

In addition, Solaris helps to protect your software investment by providing a unique binary compatibility guarantee.  An application written to our ABI on SPARC or X86 in the Solaris 2.6 timeframe will continue to run on newer versions of the same platform running Solaris 11.

Our source code guarantee ensures that code written for SPARC will compile on X86 and vice versa.

Since the merger of Oracle and Sun, both Solaris and Oracle Database have been optimized to work better together.  With the release of Oracle DB 12c, these enhancements include:

  • Dynamic tracing probes for improved monitoring
  • Dynamic SGA resizing for improved availability
  • Improved DB startup times
  • In kernel Oracle RAC performance enhancements 
  • Improved encryption, security and virtualization support


Choose Solaris and Oracle hardware and software for the most reliable, scalable and secure data center environments. 

Wednesday Apr 24, 2013

Solaris 11 and Payment Card Industry (PCI) security compliance

See Lynn Rorher's blog about Oracle's newly published white paper discussing how Solaris 11 enables security for the payment card industry.

Tuesday Apr 23, 2013

Solaris 11 outperforms RHEL 6 on 2 socket Intel servers

As a long time Sun employee, I've often heard the term "Slow-laris" applied to Oracle's premier Unix operating system.  Most frequently this was in comparison to the Linux OS running on small two socket servers.  I will admit that in the Solaris 8 and 9 timeframe engineering decisions were made to benefit scalability to 64 sockets that sometimes penalized smaller servers.  In addition, because of Solaris' long history and derivation from AT&T and BSD Unix code, there was undoubtedly a bit of code labeled, "if it ain't broke, don't fix it."  With the advent of Solaris 10 and Dynamic Tracing (DTrace), we actually hunted down and killed a number of those legacy code segments using a new philosophy labeled internally, "If Solaris is slower than Linux on the same hardware, it's a bug."

As a result, Solaris 11 provides higher performance than Red Hat Enterprise Linux 6.3 on basically identical 2 socket hardware as measured by the SPECjbb benchmark.  According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community.

Java is one of the predominant enterprise programming environments for mission critical applications and many of Oracle's products are written in Java.

This chart from the SPECjbb site shows the performance of our X3-2 Intel based server with 16 cores and 128 GB of RAM running Solaris 11.1.  The X3-2 tested features the Intel E5-2690 CPU @ 2.9 GHz.

X3-2 Chart

By comparison, an HP ML350p with the identical Intel chip and clock speed running RHEL 6.3 produces this chart.  Clearly, Solaris 11 produces a smoother response curve with higher numbers for both max-jOPS and critical-jOPS.  In addition, the X3-2 system requires only 1 rack unit vs. 4 rack units for the HP model, reducing data center requirements.

HP Chart

To summarize, Solaris is faster than RHEL 6 on small servers and more scalable and responsive on large servers including our SPARC T5 servers.

At the same time, it provides virtualization, security and availability features unavailable on RHEL including:

  • Solaris zones
  • Network virtualization
  • ZFS file system
  • Dynamic Tracing
  • Predictive self-healing
  • Service Management Facility
  • Trusted Extensions 
  • Image packaging system

See more at:

  • Jeff Victor's blog
  • Oracle's Performance Blog
  • SPEC and the benchmark name SPECjbb are registered trademarks of Standard Performance Evaluation Corporation (SPEC). Results as of 4/22/2013, see http://www.spec.org for more information.
  • SPARC T5-2 75,658 SPECjbb2013-MultiJVM max-jOPS, 23,334 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X2-4 65,211 SPECjbb2013-MultiJVM max-jOPS, 22,057 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X3-2 41,954 SPECjbb2013-MultiJVM max-jOPS, 13,305 SPECjbb2013-MultiJVM critical-jOPS. SPARC T4-2 34,804 SPECjbb2013-MultiJVM max-jOPS, 10,101 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant DL560p Gen8 66,007 SPECjbb2013-MultiJVM max-jOPS, 16,577 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML350p Gen8 40,047 SPECjbb2013-MultiJVM max-jOPS, 12,308 SPECjbb2013-MultiJVM critical-jOPS. Supermicro X8DTN+ 20,977 SPECjbb2013-MultiJVM max-jOPS, 6,188 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML310e Gen8 12,315 SPECjbb2013-MultiJVM max-jOPS, 2,908 SPECjbb2013-MultiJVM critical-jOPS. Intel R1304BT 6,198 SPECjbb2013-MultiJVM max-jOPS, 1,722 SPECjbb2013-MultiJVM critical-jOPS.


Solaris 11 provides smooth, scalable performance on SPECjbb 2013

Oracle released SPEC benchmark results for the T5-2 and X2-4 servers using the SPECjbb 2013 benchmark. Who would be interested in SPECjbb performance? According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community. 

Jeff Victor has posted an excellent comparison of the T5 SPECjbb performance to our competitors on a per core basis.  To me, the charts tell the biggest part of the story: Oracle's Solaris 11 on both SPARC and X86 shows smooth scaling with excellent response times over a wide range of transaction counts.

First, let's look at the results for the SPARC T5-2 server with 2 CPU sockets and 32 cores.  The vertical axis marks "response time", so a lower number is better.  The horizontal axis is the number of Java operations being performed.  The blue dots indicate the median response time at each level of operations being processed.  Notice how Solaris 11 and the SPARC hardware provide smooth, predictable performance up through 60,000 jOPS.

(Note: You may not be able to see the full chart width on this page.  Right-click and open image in new tab to see the full chart.) 

T5-2 Chart

Now let's look at Oracle's X2-4 Intel based system also running Solaris 11.  The X2-4 has 4 CPU chips with 40 total cores.  Here Solaris 11 also provides smooth scaling of performance.

X2-4 chart

For comparison, I've also selected HP's most powerful Intel based server, the DL980 with 8 CPUs and 80 cores.  This system, however, is running Red Hat Enterprise Linux 6.3.  On this chart you will see that RHEL 6 takes a dive in median response time shortly after 27,000 jOPS. Response time jumps from 10 milliseconds to 100 milliseconds at around 27,000 jOPS.  Oracle's T5-2 stays below 100 milliseconds all the way to about 62,000 jOPS. Also note how the minimum response times fall apart at around 20,000 jOPS, whereas the T5-2 stays consistent through 57,000 jOPS.

While admittedly, the 80 core DL980 reaches a higher total MaxjOPS throughput number than the 32 core T5-2, the Solaris 11 based system provides smoother scalability in a 2 socket system that requires only three rack units of space.  If that's not enough horsepower, we also offer a T5-4 and T5-8 system.  Need more?  Our M5-32 data center server scales to 32 sockets, 192 cores and 1536 threads. The M5-32 also supports up to 32 TB of RAM. All support our no cost Logical Domains virtualization capability.

HP DL980 Chart

Summary:

If you want a proven, enterprise class, scalable OS for SPARC (from Oracle or Fujitsu) or X86 based platforms (from Oracle or many third party vendors), choose Solaris 11.  Predictability in response time is important to your enterprise customers.

All Oracle servers under Premier Support for systems include:

  • 7 x 24 on-site hardware support
  • Solaris (SPARC or X86), Oracle Linux (x86 only) and Oracle VM support (SPARC or X86)
  • Integrated Lights out Management
  • Oracle Enterprise Manager Ops Center support 

For more information on recent SPARC T5 world records, see https://blogs.oracle.com/BestPerf/.

  • SPEC and the benchmark name SPECjbb are registered trademarks of Standard Performance Evaluation Corporation (SPEC). Results as of 4/22/2013, see http://www.spec.org for more information.
  • SPARC T5-2 75,658 SPECjbb2013-MultiJVM max-jOPS, 23,334 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X2-4 65,211 SPECjbb2013-MultiJVM max-jOPS, 22,057 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X3-2 41,954 SPECjbb2013-MultiJVM max-jOPS, 13,305 SPECjbb2013-MultiJVM critical-jOPS. SPARC T4-2 34,804 SPECjbb2013-MultiJVM max-jOPS, 10,101 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant DL560p Gen8 66,007 SPECjbb2013-MultiJVM max-jOPS, 16,577 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML350p Gen8 40,047 SPECjbb2013-MultiJVM max-jOPS, 12,308 SPECjbb2013-MultiJVM critical-jOPS. Supermicro X8DTN+ 20,977 SPECjbb2013-MultiJVM max-jOPS, 6,188 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML310e Gen8 12,315 SPECjbb2013-MultiJVM max-jOPS, 2,908 SPECjbb2013-MultiJVM critical-jOPS. Intel R1304BT 6,198 SPECjbb2013-MultiJVM max-jOPS, 1,722 SPECjbb2013-MultiJVM critical-jOPS.

Monday Apr 15, 2013

DoD customer receives authority to operate SPARC SuperCluster

Recently, one of our good U.S. DoD customers purchased a SPARC SuperCluster system and received their "Interim Authority to Operate" on the DoD network.  Why is this a big deal?  First, allow me to provide an overview of the SPARC SuperCluster system.

SPARC SuperCluster is a relatively new engineered system from Oracle consisting of:

This engineered system is designed to provide extremely high performance on database and applications while also reducing "time to mission" and cost of operations.  Because it is engineered in the factory by Oracle, it reduces the amount of vendor finger pointing, tuning, integration and incompatibilities.  It is also 100% compatible with Solaris/SPARC applications written for Solaris 11, 10, 9 and 8.

Getting the authority to operate on a DoD network means that our customer showed to their security auditors that they can properly and securely operate this large, complex, virtualized super-server in compliance with DoD standards. 

To my knowledge, this is the first instance of Solaris 11 being accredited in the US DoD.  As readers of my blog may know, the Defense Information Systems Agency (DISA) creates Security Technical Implementation Guides (STIGs) for various products and technologies.  You can find the Solaris 10 STIG documents at the DISA site, for example.  There is currently no DISA STIG document written for Solaris 11, although I am working to create one with DISA.  Because they are going through a lengthy transition from scripted compliance auditing to SCAP based auditing, the STIG for Solaris 11 is being re-written from scratch using their new Security Requirements Guide for Operating Systems as a baseline requirement.  Watch this site for updates on the Solaris 11 STIG process.

If there is no STIG for Solaris 11, how did this customer complete their accreditation?  DISA's guidance has always been, "In the absence of a DISA provided STIG, the customer may use vendor or industry recommended security practices." There are several resources publicly available for Solaris 11 and the SPARC SuperCluster:

In addition, with the help of my colleague, Kevin Rohan, I have been able to provide customers with two additional resources:

  • A spreadsheet mapping the current Solaris 10 STIG to Solaris 11 features
  • A set of scripts that can be used to configure the most common security settings.  These tools take advantage of advanced Solaris 11 features such as alternate boot environments, the Image Packaging System (IPS) and the Service Management Facility (SMF).

These tools are available from the Oracle DoD hardware sales team and not publicly posted at this time.

To summarize, I would like to remind our customers that:

  • A DISA STIG is not required to complete accreditation.
  • Solaris 11 and the SPARC SuperCluster have received an IATO from the DoD
  • Other DoD customers have received accreditation for Exadata, Exalogic and Database Appliance engineered systems
  • Oracle can provide support to help you complete accreditation for SuperCluster, Exadata, Exalogic and Oracle Database Appliance.
  • Oracle's Engineered Systems can help you reduce costs, speed time to mission and simplify your operations.

Please contact me: jim dot laurent at oracle dot com for additional information.

FAQ: Is Solaris 11 "approved for use" in the US DoD?

Because of my work with the US DoD and Defense Information Systems Agency (DISA), I get asked this question all the time from Oracle employees as well as customers.

  • Is Oracle XYZ server or operating system on the DISA approved products list?

MYTH

There is a single organization in the Government/DoD that approves products for use.

REALITY

Although DISA has a Unified Capabilities Certification Office (UCCO), I asked them the question directly and their response was: "Although there is a Category Holder for Servers on the UC APL webpage, Servers do not fall into the scope of the UCR nor do they fall into an existing product category.  This product can be purchased without a UC APL listing; however site certification and accreditation for IA must be met in the field."

Each customer or funded program goes through its own approval and accreditation process.  There is no single approver.  A program or agency has an assigned DAA (Designated Approving Authority) who is responsible for the security posture of the entire program.  This includes reviewing the policies, people, products and procedures (4P) that are put in place.  This person signs his name on the line asserting that all reasonable actions have been taken to make the system secure in line with the job that it does.  This may include items like electro-magnetic shielding, encryption and firewalls, as well as operating systems, password rules and auditing.  An accounting system gets a different amount of scrutiny than an intelligence gathering or combat system.

I can tell you from personal experience that Solaris 10 and 11 with Zones and Oracle VM for SPARC (aka LDOMs) are currently deployed in the US DoD.

Why you should care.

Many government contractors or employees believe that they can't use a product unless it's on some approved list.  In most cases products can be used if sufficient rigor is applied and the DAA can be convinced that the system is secure.  Solaris 10 and 11 provide a wide variety of security features that make this easier today than ever before.


Monday Mar 25, 2013

Learn about the world's fastest microprocessor tomorrow

On Tuesday, join Larry Ellison and John Fowler when Oracle will announce new SPARC servers with the world's fastest microprocessor. Considering that the current SPARC processors already have performance comparable with the newest from competing architectures, the performance of these new processors should give you the best real-world performance for your enterprise workloads.

You can register to watch the event live at 4:00 PM EDT (New York).

Of course, these systems will run Solaris 10 or 11 and provide virtualization built-in. 

Monday Jan 28, 2013

Using Solaris profiles to run with limited privilege

Solaris has had Role Based Access Control since the Solaris 8 timeframe (circa 2000). With each release, it has been improved with additional profiles and capabilities.  In Solaris 11, we took it a step further and converted the "root" user into a role.  The goal of these enhanced security features is to ensure that an administrator can perform his assigned functions with the minimum privileges required and to reduce the number of personnel required to access the root role.  Glenn Faden, security architect for Solaris engineering, has blogged about these topics extensively (also see Glenn Brunette's blog).

Here's a simple use case for why you might need to use Solaris profiles and how to use them. 

Let's imagine that you are a basic Solaris user, but you have been asked to be the Auditing Administrator.  The first thing you might do is to check whether you have permission to run the auditing tools.

test@solaris11:~$ pfexec auditconfig -getflags
auditon(2) failed.
error: Not owner(1)

Perhaps this is because you don't have the proper profile configured.  Check your current profiles.

test@solaris11:~$ profiles
          Basic Solaris User
          All

Without the "Audit Configuration" profile, you can't execute this command.  Here is what the Audit Configuration profile looks like when you enter profiles -all.  It grants the authorization and privilege needed to execute the auditconfig command.

Audit Configuration
auths=solaris.smf.value.audit
          /usr/sbin/auditconfig      privs=sys_audit

You ask the senior administrator to add the Audit Configuration profile to your list.  Pay close attention to the "+" sign, the quotes and the upper case letters.  The "+" sign means to add this profile to your existing profiles.  Leave it off and it will replace your existing profiles.

sudo usermod -P +"Audit Configuration" test

Now, you can try again.  Your profile list has been updated and the command is successful.

test@solaris11:~$ profiles
          Audit Configuration
          Basic Solaris User
          All

test@solaris11:~$ pfexec auditconfig -getflags
active user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)
configured user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)

Note that the pfexec command is required to execute this command with your profiles in effect.  To avoid typing "pfexec" in front of every command, you can simply run pfbash or ask the administrator to make your default shell /usr/bin/pfbash instead of standard bash.

sudo usermod -s /usr/bin/pfbash test

There are many different profiles available in Solaris 11, including ZFS administration, SMF administration, file system administration and more.  Type profiles -all to see the entire list.
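The profile assignments that the profiles command reports live in the user_attr(4) database as a comma-separated profiles= list. The following POSIX shell script, added here as an illustration and not part of the original post, parses a constructed user_attr sample to check whether a user holds a given profile and models the "+" versus no-prefix behaviour of usermod -P described above; the sample entries and the assumption that an added profile is listed first are mine.

```shell
#!/bin/sh
# Constructed sample of user_attr(4) entries; not copied from a real system.
# Format: user:qualifier:res1:res2:attr, attr being key=value pairs joined by ";".
SAMPLE_USER_ATTR='root::::type=role;auths=solaris.*;profiles=All
test::::type=normal;profiles=Basic Solaris User,All
audit::::type=normal;profiles=Audit Configuration,Basic Solaris User,All'

# Print the comma-separated profiles= value recorded for a user (empty if none).
user_profiles() {  # $1 = user name, $2 = user_attr text
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    $1 == u {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++)
        if (kv[i] ~ /^profiles=/) { print substr(kv[i], 10); exit }
    }'
}

# Return 0 if the user holds the named profile as an exact list element, so
# "Audit Configuration" does not match a longer name that merely starts with it.
has_profile() {  # $1 = user name, $2 = profile name, $3 = user_attr text
  user_profiles "$1" "$3" | awk -F, -v p="$2" '
    { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Model the effect of usermod -P on the profile list: a leading "+" adds the
# named profile to the existing list (assumed here to be placed first, matching
# the order shown in the listing above); no prefix replaces the whole list.
apply_usermod_p() {  # $1 = current comma-separated list, $2 = argument to -P
  case "$2" in
    +*) added=${2#+}
        if [ -n "$1" ]; then printf '%s,%s\n' "$added" "$1"
        else printf '%s\n' "$added"; fi ;;
    *)  printf '%s\n' "$2" ;;
  esac
}

# Walk through the scenario from the post for user "test".
demo() {
  before=$(user_profiles test "$SAMPLE_USER_ATTR")
  if has_profile test "Audit Configuration" "$SAMPLE_USER_ATTR"; then
    echo "test already has Audit Configuration"; return
  fi
  echo "before: $before"
  echo "after usermod -P +\"Audit Configuration\": $(apply_usermod_p "$before" '+Audit Configuration')"
  echo "after usermod -P \"Audit Configuration\":  $(apply_usermod_p "$before" 'Audit Configuration')"
}
demo
```

The second output line of demo shows why the missing "+" matters: the user would be left with only Audit Configuration and lose Basic Solaris User.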

Thursday Oct 25, 2012

Oracle Solaris 11.1 available today

Today Oracle is pleased to announce availability of Oracle Solaris 11.1.

Download Solaris 11.1

Order Solaris 11.1 media kit


Existing customers can quickly and simply update using the network based repository.

Highlights include:

  • 8x faster database startup and shutdown and online resizing of the database SGA with a new optimized shared memory interface between the database and Oracle Solaris 11.1
  • Up to 20% throughput increases for Oracle Real Application Clusters by offloading lock management into the Oracle Solaris kernel
  • Expanded support for Software Defined Networks (SDN) with Edge Virtual Bridging enhancements to maximize network resource utilization and manage bandwidth in cloud environments
  • 4x faster Solaris Zone updates with parallel operations shorten maintenance windows
  • New built-in memory predictor monitors application memory use and provides optimized memory page sizes and resource location to speed overall application performance.
Learn more and share these valuable tools with your customers to enable them to move to Oracle Solaris 11.1 quickly. Many customers wait for the first update; now is the time to encourage them to install Oracle Solaris 11.1.

Oracle Solaris 11.1 Data Sheet 
What's New in Oracle Solaris 11.1
Oracle Solaris 11.1 FAQs
Oracle Solaris 11.1 Customer Presentation

Oracle Solaris 11.1 is recommended for all SPARC T4 Systems and will soon be available preinstalled.

IDC Recommends Oracle Solaris 11

IDC published a research report this week on Oracle Solaris 11 and described it as "Delivering unique value."  The report emphasizes the ability of Oracle Solaris to scale up and provide a mission critical platform for a wide variety of computing.

Solaris built-in server and network virtualization helps to lower costs and enable consolidation while reducing administration costs and risks.

Learn more about Oracle Solaris and the recently announced 11.1 update.

In their conclusion, IDC reports:

Today, Oracle is a multi-OS vendor that is adjusting to the opportunities presented by a significantly expanded product portfolio. The company has a long history of supporting Unix operating systems with its broad product portfolio, but the main difference is that now Oracle has direct control over the destiny of the Solaris operating system.

The company has made a strong commitment to Solaris on both SPARC and x86 systems, as well as to Linux on x86 systems, and expects to continue to enhance Oracle Solaris 11 with update releases once a year as well as Solaris 12, which is already on the road map.

Oracle is working to help its customers understand its strong commitment to Oracle Solaris and the product's role as a single operating system that runs on both SPARC and x86 processors. While Oracle Solaris and Oracle Linux are critical assets, the company's crown jewel is the deep collection of software that runs on top of both Oracle Solaris and Oracle Linux, software that creates a robust application environment. The continuing integration and optimization of the software and hardware stack is a differentiator for Oracle and for customers that run an Oracle Solaris stack.

Tuesday Sep 18, 2012

New Solaris 11 book available

A new Solaris 11 book is now available.  Congratulations to my colleague in the Oracle Public Sector Hardware sales organization, "Dr. Cloud" Harry Foxwell, and his co-writers on publishing Oracle Solaris 11 System Administration: The Complete Reference.

Table of contents

1 The Basics of Solaris 11
2 Prepare a System for Solaris
3 Installation Options
4 Alternative Installations for Enterprise
5 The Solaris Graphical Desktop Environment
6 The Service Management Facility
7 Solaris Package Management "Image Packaging System"
8 Solaris at the Command Line
9 File systems and ZFS
10 Customize the Solaris Shells
11 Users and Groups
12 Solaris 11 Security
13 Basic System Performance Tuning
14 Solaris Virtualization
15 Print Management
16 DNS and DHCP
17 Mail Services
18 Mgmt of Trusted Extensions
19 The Network File System
20 The FTP Server
21 Solaris and Samba
22 Apache and the Web Stack

Buy one today

Tuesday Sep 11, 2012

Oracle SPARC SuperCluster and US DoD Security guidelines

I've worked in the past to help our government customers understand how best to secure Solaris.  For my customer base that means complying with Security Technical Implementation Guides (STIGs) from the Defense Information Systems Agency (DISA).  I recently worked with a team to apply both the Solaris and Oracle 11gR2 database STIGs to a SPARC SuperCluster.  The results have been published in an Oracle White paper.

The SPARC SuperCluster is a highly available, high performance platform that incorporates:

  • SPARC T4-4 servers
  • Exadata Storage Servers and software
  • ZFS Storage appliance
  • InfiniBand interconnect
  • Flash Cache 
  • Oracle Solaris 11
  • Oracle VM for SPARC
  • Oracle Database 11gR2

It is targeted towards large, mission critical database, middleware and general purpose workloads. 

Using the Oracle Solution Center, we configured a SuperCluster, applied DoD security guidance, and confirmed functionality and performance of the system.  The white paper reviews our findings and includes a number of security recommendations.  In addition, customers can contact me for the itemized spreadsheets with our detailed STIG reports.

Some notes:

  • There is no DISA STIG documentation for Solaris 11.  Oracle is working to help DISA create one using their new process. As a result, our report follows the Solaris 10 STIG document and applies it to Solaris 11 where applicable.
  • In my conversations over the years with the DISA Field Security Office they have repeatedly told me, "The absence of a DISA written STIG should not prevent a product from being used.  Customers may apply vendor or industry security recommendations to receive accreditation."

Thanks to the core team: Kevin Rohan, Gary Jensen and Rich Qualls as well as the staff of the Oracle Solution Center and Glenn Brunette for their help in creating the document.  You should also review SPARC SuperCluster T4-4 Platform Security Principles and Capabilities by Glenn and others in Oracle's Enterprise Solution Group.

Friday May 11, 2012

Solaris and IPv6

I work with my federal government and US DoD customers, and I'm frequently asked whether Oracle product X is IPv6:

  • Enabled
  • Compliant
  • Certified
  • DoD Certified

This is because the Federal Acquisition Regulations require that the government purchase IPv6 compliant products. 

Unless the agency Chief Information Officer waives the requirement, when acquiring information technology using Internet Protocol, the requirements documents must include reference to the appropriate technical capabilities defined in the USGv6 Profile (NIST Special Publication 500-267) and the corresponding declarations of conformance defined in the USGv6 Test Program.  

Let's examine each of these adjectives one by one.

  • Enabled is clearly the lowest bar to hurdle.  A vendor could implement one or two RFCs in the IPv6 spectrum and claim that they are "enabled."
  • Compliant is a little more of a problem.  Compliant with what?  There are many different RFCs related to supporting IPv6.  Are you compliant if you support DHCPv6 but not IKEv2?  Are you compliant if your device is a web server but doesn't support DHCPv6 because it's not applicable?  It appears from the statement above that the FARs require that the CIO of an organization determine WHICH capabilities from the USGv6 profile are required by a particular product.  The USGv6 profile ONLY lists requirements for hosts, routers and network protection devices.
  • Certified.  By whom? Against what list of RFCs?  How recently and on what versions?  If a version changes from 5.1 to 5.2, is it still certified?
  • DoD Certified.  This would be handy if the DoD, in fact, had an IPv6 certification program.  It did at one time through the Joint Interoperability Test Command (JITC), but apparently they determined that attempting to test every OS and device that the DoD might buy was a Sisyphean task.  To quote their web page, "DoD no longer requires a stand-alone IPv6 certification."  Several years ago Sun paid them a large amount of money and loaned them two servers and a person in order to receive our certification for Solaris 10.

At the DISA mission partner conference this week, I attended a presentation by the DoD IPv6 Transition Office.  The slides are available online.  I asked the speaker if there is an "accepted" way of advertising IPv6 compliance and received no answer.  He has promised to get back to me, however. 

Oracle is a very large company with an extensive product line encompassing storage, servers, thin clients, databases, middleware and applications.  I have found no single resource documenting the IPv6 status of every product.  I can tell you, however, that Solaris 10 and Solaris 11 have successfully completed the USGv6 testing by the UNH Interoperability IPv6 test facility and the results are posted at their site.

As for Oracle Linux, it is fully compatible with Red Hat Linux 5 and 6, which have already been tested by UNH as well.

Note:  I intended to provide additional references on USGv6 profiles and "Suppliers Declaration of Conformance" but the NIST web page seems to be in disrepair and the pages are not available. 

Tuesday Apr 24, 2012

Oracle at the DISA Partnership conference, May 7-10

Join the Oracle hardware and software team in booth 1323 at the DISA Partnership Conference, May 7-10 in Tampa, FL.  A wide variety of Oracle technology and staff will be available to answer your questions and offer solutions to your information processing problems.

Oracle's President Mark Hurd will deliver a keynote address. 

On display will be:

Come see us across from the DISA pavilion.

Thursday Dec 01, 2011

Solaris 11 compliance with DISA Security guidance

Disclaimer

This article should not be construed as a statement of compliance by Oracle or by DISA.  It is simply the result of a casual review of Solaris 11 against current DISA Security Guidelines.

Some of my dedicated readers (I know you're out there) remember that back in January of this year, I reviewed Solaris 11 for compliance to the DISA Security Technical Implementation Guidelines (STIGs).  The STIGs are written by DISA and used by the DoD community to ensure that systems are secured properly before connecting to the network.

With the release of Solaris 11 in November, I decided to update the document. 

Update: Thanks to Darren Moffat's comments I've updated the document as of 12/9/11. 

Download the PDF document to review

The great news is that the one item that I listed as RED in January has been fixed in the release of Solaris 11.  At that time, the installation scripts did not provide any way for /var to be mounted as a separate file system as required by the STIG scripts.  The default installation now automatically sets up /var as a separate ZFS dataset.

Friday Nov 11, 2011

Building a Solaris 11 repository without network connection

Solaris 11 has been released and is a fantastic new iteration of Oracle's rock solid, enterprise operating system.  One of the great new features is the repository based Image Packaging system.  IPS not only introduces new cloud based package installation services, it is also integrated with our zones, boot environment and ZFS file systems to provide a safe, easy and fast way to perform system updates.

My customers typically don't have network access and, in fact, can't connect to any network until they have "Authority to connect."  It's useful, however, to build up a Solaris 11 system with additional software using the new Image Packaging System and locally stored repository. The Solaris 11 documentation describes how to create a locally stored repository with full explanations of what the commands do. I'm simply providing the quick and dirty steps. 

The easiest way is to download the ISO image, burn to a DVD and insert into your DVD drive.  Then as root:

  • pkg set-publisher -G '*' -g file:///cdrom/sol11repo_full/repo solaris

Now you can install software using the GUI package manager or the pkg commands.  If you would like something more permanent (or don't have a DVD drive), however, it takes a little more work.

  • After installing Solaris 11, download (on another system perhaps) the two files that make up the Solaris 11 repository from our download site
  • Sneaker-net the files to your Solaris 11 system
  • Cat the two files together to create one large ISO image. The file is about 6.9 GB in size
  • mount -F hsfs sol-11-11-repo-full.iso /mnt

You could stop here and set the publisher to point to the /mnt/repo location; however, this mount will not be persistent across reboots.  Instead, copy the repository from the mounted ISO image to a permanent, on-disk location.

  • zfs create -o atime=off -o compression=on rpool/export/repoSolaris11
  • rsync -aP /mnt/repo /export/repoSolaris11
  • pkgrepo -s /export/repoSolaris11/repo refresh
  • pkg set-publisher -G '*' -g /export/repoSolaris11/repo solaris

You now have a locally installed repository for adding additional software packages for Solaris 11.  The documentation also takes you through publishing your repository on the network so that others can access it.
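
The steps above as one script, added here as an example rather than taken from the post or from Oracle's documentation: it concatenates the downloaded parts, checks the combined size (and, if the download page publishes one, the SHA-256 digest) before anything is mounted, and only then performs the on-disk copy and confirms the publisher answers from the local origin. The part file names, the digest argument and the helper names are assumptions; the paths and commands are the post's.

```shell
#!/bin/sh
# Added example (not from the post or Oracle's documentation): assemble the
# downloaded repository ISO parts offline, verify the result, then do the
# on-disk copy. Assumed: part file names given on the command line, an
# optional SHA-256 digest taken from the download page, and the paths from
# the post (/mnt, rpool/export/repoSolaris11).

# file_size FILE -> size in bytes; wc -c works on Solaris and Linux
file_size() {
    wc -c < "$1" | tr -d ' '
}

# sha256_of FILE -> hex digest using whichever tool the host provides
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        digest -a sha256 "$1"   # Solaris 11 equivalent
    fi
}

# assemble_iso OUT PART... -> cat the parts in the order given; succeed only
# if every part exists and the output size equals the sum of the part sizes
assemble_iso() {
    out=$1; shift
    expected=0
    for part in "$@"; do
        [ -f "$part" ] || { echo "missing part: $part" >&2; return 1; }
        expected=$((expected + $(file_size "$part")))
    done
    cat "$@" > "$out" || return 1
    actual=$(file_size "$out")
    [ "$actual" -eq "$expected" ] && return 0
    echo "size mismatch: got $actual bytes, expected $expected" >&2
    return 1
}

# verify_iso ISO DIGEST -> 0 when the SHA-256 of ISO equals DIGEST
verify_iso() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_repo ISO -> the permanent copy from the post, followed by a check
# that the publisher now answers from the local origin. Solaris 11, as root.
install_repo() {
    iso=$1
    mount -F hsfs "$iso" /mnt || return 1
    zfs create -o atime=off -o compression=on rpool/export/repoSolaris11
    rsync -aP /mnt/repo /export/repoSolaris11
    pkgrepo -s /export/repoSolaris11/repo refresh
    pkg set-publisher -G '*' -g /export/repoSolaris11/repo solaris
    umount /mnt
    pkg publisher                                   # origin should be local
    pkgrepo -s /export/repoSolaris11/repo info      # package count, status
}

# Typical run: assemble, verify (digest optional), then install.
# assemble_iso sol-11-11-repo-full.iso part-a part-b \
#   && verify_iso sol-11-11-repo-full.iso "$DIGEST" \
#   && install_repo sol-11-11-repo-full.iso
```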



Saturday Nov 05, 2011

11 reasons to love Solaris 11

Solaris 11 will be launched on November 9th in New York and via live webinar.  Here are 11 reasons you will want to try Solaris 11.

  1. Faster, easier, safer updates using the Image Packaging System
  2. Improved security via immutable zones.
  3. Easy to manage boot environments using ZFS snapshots.
  4. Improved quality of service controls for networking
  5. Reduced costs through system wide network virtualization
  6. Reduce your planned downtime using Solaris fast reboot
  7. Safer data at rest in encrypted ZFS datasets
  8. Reduced storage costs using file system de-duplication and compression
  9. No cost virtualized environments through Oracle VM for SPARC and Solaris Zones
  10. Platform choice, SPARC and 64-bit Intel or AMD chip support
  11. It "goes to 11!"
  12. I've only listed 11 reasons but there are many more benefits to S11.  Watch the web cast and find out more reasons that Solaris 11 will lower your costs, improve your performance and reduce your downtime.

Friday Aug 05, 2011

Oracle at the DISA Customer Conference

Each year the Defense Information Systems Agency has a great conference hosting their customers, employees and industry partners for four days of technology talk and networking.  Oracle will be attending as usual this year and can be found at booth #1320.  We will be representing all of Oracle's technologies including Database, Middleware, Applications, Sun Servers, Storage and Operating Systems.

Oracle technologies are a key part of DISA Computer Services Directorate offerings as well as their Command and Control programs. 

Come see me and the rest of the Oracle team to learn more about our Exadata and Exalogic Integrated Systems, security software, advanced virtualization options and development tools.

See you in Baltimore, August 15-18th.

Monday Apr 25, 2011

Jim Laurent's blog moving to blogs.oracle.com

The big move is coming soon.  My blog will be moving to blogs.oracle.com and should be live on May 6th.  Hopefully all of my current content (working as my online memory) will be moved and I will start adding new content.

Come join the fun in May at blogs.oracle.com!

Friday Jan 07, 2011

Solaris 11 Express and US DoD Security guides

Disclaimer

This article should not be construed as a statement of compliance by Oracle or by DISA.  It is simply the result of a casual review of Solaris 11 against current DISA Security Guidelines.

With the release of Solaris 11 Express, I decided to compare it against the current US DoD Security Technical Implementation Guidelines (STIGs) as maintained by my customer DISA. Solaris 11 Express is a production ready and fully supported OS from Oracle.  It was released in September 2010 at Oracle OpenWorld and provides a preview to the features and capabilities that will be available later this year in Solaris 11.  It supports SPARC and X86 platforms from Oracle as well as other vendors.  See the Hardware Compatibility List for options.

DISA owns and operates the DoD datacenters, develops a number of command and control applications, runs the DoD networks and is responsible for enforcing DoD security mandates.  The STIG checklist is a comprehensive set of requirements that system administrators are expected to follow in order to attach and maintain a system on DoD networks.  There are STIG documents for enclaves, databases, firewalls, web servers and more, but obviously, I'm only concerning myself here with the STIG document for Unix/Linux operating systems.

The DISA STIG checklist is a public document that describes specific permissions settings, password policies, administrative record keeping and more. Section 3 is 546 pages long and is where all the specific requirements can be found. There is a collection of Security Readiness Review (SRR) scripts that automate portions of the review process to assist a system administrator in evaluating the completion of the process.  These are not publicly available.

For my review, I downloaded the documents and the SRR scripts.  I then compared Solaris 11 Express feature sets to the checklist, ran the scripts and documented where Solaris 11 Express was in compliance as well as the areas in which it differed from Solaris 10.  

Some items of note:

  • The SRR scripts will sometimes generate false positive or negative results because they are looking at files that are no longer used in Solaris 11.
  • Solaris 11 places the root home directory in /root, so it complies without any extra action
  • Solaris 11 auditing is managed as an SMF service making it easier to use but causing problems in the SRR scripts
  • Solaris 11 includes a native in-kernel CIFS service rather than using Samba
  • The default ZFS root file system currently does NOT allow /var to be mounted as a separate filesystem as required by one of the STIG items.  I have made Solaris engineering aware of this requirement.
  • I had to modify only one line of the SRR scripts to allow it to run on Solaris 11.
  • Solaris 11 has a number of new privileged user accounts that cause false findings in the SRR scripts.
  • Solaris 11 by default does NOT allow a user to login as root.  root is a role.
  • Solaris 11 implements "Secure by default" upon installation allowing only SSH access.
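
Two of the findings above (root as a role, /var as a separate dataset) checked against the files Solaris 11 actually uses, as an added example that is neither the post's nor the SRR scripts' code. Each function reads a file so it can be run on captured data offline; on a live system the inputs are /etc/user_attr and the output of `zfs list -H -o name,mountpoint`. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post and not from the DISA SRR scripts: check
# two of the findings above from the files Solaris 11 actually uses, instead
# of the legacy locations the SRR scripts inspect. Each function takes a
# file so it can be run on captured data offline; on a live system pass
# /etc/user_attr and the output of `zfs list -H -o name,mountpoint`.

# root_is_role USER_ATTR -> 0 when the root entry carries type=role (the
# Solaris 11 default described above), 1 when root is an ordinary login user
root_is_role() {
    entry=$(grep '^root:' "$1") || return 1
    # user_attr field 5 is a ';'-separated list of key=value attributes
    printf '%s\n' "$entry" | cut -d: -f5 | tr ';' '\n' | grep -qx 'type=role'
}

# var_is_separate ZFS_LIST -> 0 when some dataset is mounted at /var (the
# STIG item that failed on Solaris 11 Express), 1 when /var shares root
var_is_separate() {
    awk -F'\t' '$2 == "/var" { found = 1 } END { exit !found }' "$1"
}

# stig_report USER_ATTR ZFS_LIST -> one PASS/FAIL line per item; the return
# value is the number of failed items (0 means both items pass)
stig_report() {
    fails=0
    if root_is_role "$1"; then
        echo "PASS root is a role"
    else
        echo "FAIL root is a login user"; fails=$((fails + 1))
    fi
    if var_is_separate "$2"; then
        echo "PASS /var is a separate ZFS dataset"
    else
        echo "FAIL /var is not a separate dataset"; fails=$((fails + 1))
    fi
    return "$fails"
}
```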

In summary, with the exception of the /var filesystem issue, it should be possible to bring a Solaris 11 Express system into compliance with DISA STIGs.  Download the detailed document.  As always, comments, clarifications and corrections are welcome!

For those who are still running Solaris 10, please refer to my earlier blog entry on using the Solaris Security toolkit to facilitate the STIG process. 

Monday Nov 15, 2010

Video Tutorial: Installing Solaris 11 Express in VirtualBox

Today, Solaris 11 Express is available for download, allowing customers to get a preview of the technologies that will be delivered in Solaris 11 next year.  In this video tutorial, I take you through the steps to install and configure Solaris 11 Express using Oracle's free Type 2 hypervisor, VirtualBox.  VirtualBox can be downloaded for free and is available for MacOS, Solaris, Linux and Windows platforms.

Solaris 11 Express is binary compatible with Solaris 8, 9 and 10 and is supported on SPARC as well as X86 chip sets. It is a fully virtualized operating system to include virtual networks, zones and file systems (ZFS).  Learn more about What's New in Solaris 11 Express.  You can also learn more about Solaris 11 by reviewing these slides from the recent Oracle Solaris Summit.

The video is 13 minutes long and through the magic of digital video editing covers "just the good parts" without all the waiting around.  I created it using the built-in screen recording features of Quicktime X on MacOS 10.6 and used iMovie 09 for the editing and voiceover.  It's available on YouTube and viewing it in full screen mode makes it easier to see the terminal commands.

Listen to the Podcast and Download Solaris 11 Express today. (Use the "LiveCD" ISO download version which includes the GUI installer)

FAQ:

  • How do I get out of the virtual machine and back to my host OS?
    • VirtualBox defines a "HOST" key.  The default in MacOS is the Left Command key.  Pressing this key releases the cursor and keyboard from the VM control.  You can change this key in VirtualBox Preferences.
  • How do I make the virtual machine run in full screen mode?
    • On MacOS, use Command-F or the VirtualBox menus to switch between window mode and full screen mode.
  • My virtual machine is locked in a low-resolution display mode.  How do I get it to adjust properly to the window size?
    • You MUST have the VirtualBox guest extensions installed.  The VM must be rebooted after installing.
  • What's the difference between the "Solaris" choice in VirtualBox VM settings and Solaris 64-bit?
    • If you choose Solaris, the system will boot the 32-bit kernel.  If you choose Solaris 64-bit, it will boot the 64-bit kernel.  Only a single install is required because both the 32 and 64-bit kernels are installed.  In fact, you can change this parameter after installing Solaris 11 Express and it will automatically boot the correct kernel.
  • How did you find out all these tips?
    • See the VirtualBox Help menu.  It's actually quite helpful.
  • How do you make the folder sharing work without having to manually mount the file system each time as root?
    • See my original blog entry on sharing folders, which I recently updated to describe how to give the user the Primary Administrator role.  It describes how to add a mount command to the Gnome startup options.
  • Where can I learn more about the installation procedure?

Tuesday Aug 10, 2010

Solaris 11 in 2011

John Fowler (Executive VP of Oracle Hardware Systems) today announced continued and increasing investment in SPARC and Solaris technologies going forward.  Oracle is committing to increased performance, ease of management, security, reliability and scalability.  He also announced that Solaris 11 will be available in 2011, and sooner as Solaris 11 Express for enterprise customers.

The replay of the web cast and the actual presentation slides will be posted later today or tomorrow.

Solaris 11 will be based on technologies currently available for preview in OpenSolaris including:

  • Image packaging system
  • Crossbow network virtualization
  • ZFS de-duplication 
  • CIFS file services
  • Enhanced Gnome user environment
  • Updated installer and auto network installer
  • Network Automagic configuration
  • and much more

Look for more information next month at Oracle Openworld.  Join us there for JavaOne activities as well.

Friday Mar 05, 2010

Sun/Oracle Welcome event in Reston VA, March 11

Come join us to learn about Sun and Oracle's strategy for combining the technologies of the two companies in Reston VA on March 11th.

If you can't make this event learn more about our product strategies with these video webinars.   Topics such as Solaris, SPARC, Identity Management, MySQL, Glassfish and OpenOffice are covered.

Register for the Reston event or other locations.

Thursday Jan 28, 2010

Oracle's strong commitment to Solaris

I'm very excited after hearing Oracle's commitment to Solaris during their strategy webcast yesterday (1/27).  In case you've been living under a rock, Oracle offered to purchase Sun back in April 2009 and completed the acquisition on 1/26/2010. While the delay was certainly frustrating to Sun employees and customers, it gave Oracle enough time to formulate a strong strategy and product plan.  

During his portion of the webcast Edward Screven (Chief Corporate Architect) provided his view of how Oracle will invest more in Solaris and how Solaris is a primary platform today for Oracle products such as the Database, WebLogic, PeopleSoft and other product lines.  (View the PDF as well.)  He also commented on Oracle's commitment to Sun's virtualization technologies such as Solaris Containers and Logical Domains and promised that they will be managed (along with Oracle VM) in a centralized, coherent fashion.

It also became clear that those of us with Solaris expertise will soon be learning about Oracle Enterprise Linux and Oracle VM as well.  OEL currently has over 4000 paying subscription customers.

At the end of the five hour extravaganza Larry Ellison provided an excellent summary and answered questions from the audience.  Larry is also a huge Solaris fan and emphasized that both Solaris and OEL have their market position and applications.  He believes that Solaris can become the center of a grid of systems operated as a single collection (and had some very entertaining comments about the term "cloud computing").  Oracle will be able to provide both and manage them from a single point using a combination (over time) of Sun Ops Center and Oracle Enterprise Manager.

As I tell my 19-year old college student (majoring in IT at George Mason University), "Get used to learning new things, because in this business, you will never stop learning."

Congratulations to Oracle and I'm looking forward to expanding my own skills and knowledge in the coming years.  I invite you to view all the video and PDF slides from the webcast.

(You'll notice that ALL the sun.com content has migrated to Oracle.com)

Friday Nov 13, 2009

Sun System configurator available

Ever wanted to build your own custom configuration for Sun servers?  Find that the Sun store provides a limited set of preconfigured systems?  Try the Sun Desktop system Configurator. It allows you to build supported configurations of Sun servers, disk, tape, desktop systems and racks.  With a completed configuration you can export to a CSV file that opens in OpenOffice or Excel with standard list pricing.  You can then send this configuration to your favorite Sun reseller for a discounted pricing quote.

It is a Java Web Start application that supports multiple OS platforms that run Java 1.6.  Click on the link and the application will start on your desktop.

Monday Nov 02, 2009

Meet up at the Government Open Source Conference

I'll be joining a number of government customers and some of my colleagues from Sun at the Government Open Source Conference (GOSCON) this Thursday.  Join me, Dr. Harry Foxwell (published author of "Pro Opensolaris") and Bill Vass (Sun Federal President and COO) at the Reagan Building in downtown Washington D.C on November 5th.

Sun is a leader in open source development communities and we have a wide variety of very popular projects including MySQL, Glassfish, Java, OpenSolaris, OpenOffice and more.

See you there.

Wednesday Oct 28, 2009

Oracle updates plans for Sun's products

Oracle recently updated their FAQ document on the acquisition of Sun Microsystems  (JAVA on NASDAQ currently trading at $8.20 against a $9.50 purchase price by Oracle).  There is a lot of encouraging news about OpenOffice, Glassfish, MySQL, Solaris and SPARC.

For the highlights, see this blog entry (he beat me to it) or read the entire FAQ.

As a Solaris fanatic, I'm very excited about their statements such as:

Oracle plans to spend more money developing Solaris than Sun does now. The industry leading capabilities of the Solaris operating system make it the leader in performance, scalability, reliability, and security – all of which are core requirements for our customers. Oracle plans to enhance our investment in Solaris to push core technologies to the next level as quickly as possible.

We expect that our customers will see the management of their environments that run both Linux and Solaris simplified. Additionally, customers using both Solaris and Linux will be able to rely on one vendor, Oracle, for the support of their entire stack – applications to disk.

Oracle and Sun’s management software are highly complementary. Oracle Enterprise Manager provides comprehensive solutions for managing the full Oracle stack including applications, middleware, database, Linux, and virtualization. Sun Ops Center provides a comprehensive solution for managing Sun servers and their firmware; Solaris, Linux and Windows operating systems; and virtualization technologies such as Solaris Containers and Logical Domains. Oracle Enterprise Manager and Sun Ops Center are expected to combine and deliver to customers the most complete top-down application and systems management environment from applications to hardware.

I know that my federal government customers will be excited to see that Oracle is behind Sun's open source strategy particularly in light of the recent DoD statement about open source.

This memo from the DoD Deputy CIO states:

In almost all cases, OSS meets the definition of “commercial computer software” and shall be given appropriate statutory preference in accordance with 10 USC 2377 (reference (b)) (see also FAR 2.101(b), 12.000, 12.101 (reference (c)); and DFARS 212.212, and 252.227-7014(a)(1) (reference (d))).

In addition, it notes that:

The use of any software without appropriate maintenance and support presents an information assurance risk.

This means that government users of open source products should pay the appropriate vendor for support.

The memo also calls out a number of benefits of open source including rapid prototyping, lower costs, security, reliability and avoiding vendor lock-in.



About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
