Monday Apr 18, 2016

IBM Software Products and SPARC Hardware Encryption: Update

Last December, we told you about IBM's GSKit and how it now allows several popular IBM products seamless access to Oracle SPARC hardware encryption capabilities. We thought we'd create a quick Springtime update of that information for our partners and customers.

Obtaining The Proper Version of GSKit

GSKit is bundled with each product that makes use of it; over time, new product releases will incorporate GSKit v8 by default. Until then, the latest GSKit v8 for SPARC/Solaris is available on IBM Fix Central, for download and upgrade into existing products. Installation instructions can be found here.

The support described above is available in GSKit v8.0.50.52 and later. As of April, 2016, the latest GSKit v8.0.50.59 is available for download from Fix Central.

IBM Products that currently make use of GSKit v8 on Solaris (and therefore could take advantage of SPARC on-chip data encryption automatically) include (but are not limited to):

 Product Versions w/bundled GSKit v8.0.50.52 or later Versions requiring manual update of GSKit
DB2 v9.7 FP11, v10.1 FP5, v10.5 FP7
HTTP Server iFix available for v8.0 and v8.5
Security Directory Server (fka Tivoli Directory Server) v6.3 and later certified with GSKit 8.0.50.59
Informix IDS v11.70 and v12.10 fix available which updates to GSKit 8.0.50.57
Cognos BI Server v10.2.2 IF008 and later
Spectrum Protect (fka Tivoli Storage Manager) v7.1.5 and later
WebSphere MQ v8 Fix Pack 8.0.0.4 and later

Determining Current GSKit Version

  • $ /opt/ibm/gsk8/bin/gsk8ver # 32-bit version
  • $ /opt/ibm/gsk8_64/bin/gsk8ver_64 # 64-bit version

Sunday Mar 13, 2016

Increasing Security for SAP Installations with Immutable Zones

In recent blogs we have talked about various aspects of end-to-end application security with Oracle Solaris 11, SPARC M7 and the ISV Ecosystem. We also talked about a white paper that provides best practices for using the Oracle Solaris compliance tool for SAP installations. Another way to increase the security of an SAP installation is to use Oracle Solaris Immutable Zones. 

A Solaris zone is a virtualized operating system environment created within a single instance of the Solaris OS. Within a zone, the operating system is represented to the applications as virtual operating system environments that are isolated and secure. Immutable Zones are Solaris zones with read-only roots. Both global and non-global zones can be Immutable Zones.

Using Immutable Zones is one technique that can protect applications and the system from malicious attacks by applying read-only protection to the host global zone, kernel zones and non-global zones. Oracle Solaris Zones technology is the recommended approach for deploying application workloads in an isolated environment—no process in one zone can monitor or affect processes running in another zone. Immutable Zones extend this level of isolation and protection by enabling a read-only file system, preventing any modification to the system or system configuration.

As an SAP system requires write access to some directories, it is not possible to install SAP inside an Immutable Zone without further configuration. A new paper provides instructions and best practices on how to create and manage an SAP installation on an Oracle Solaris Immutable Zone. Read the white paper for details or see SAP Note 2260420 (requires SAP login).

Thursday Feb 11, 2016

SAS and Oracle SPARC M7 Silicon Secured Memory

In an earlier blog we talked about Solaris/SPARC features that enable you to increase the end-to-end security of your applications. One of the key security risk areas in applications is memory corruption.

Applications are vulnerable to memory corruption due to both common software programming errors as well as malicious attacks that exploit software errors. 317 million new malicious programs and 24 zero-day vulnerabilities were reported in 2014 alone*.

Memory corruption causes unpredictable application behavior and system crashes. A victim thread encounters incorrect data some time after the run-time error occurred, making these bugs extremely hard to locate and fix. Buffer overflows are a major source of security exploits. In-memory databases increase this exposure as terabytes of critical data reside in memory. Databases and operating systems have tens of millions of lines of code, developed by distributed teams of thousands of developers, so errors introduced by one subsystem could adversely affect one or more other subsystems.

Oracle Silicon Secured Memory (SSM) is a feature of Oracle SPARC T7/M7 systems that detects invalid data accesses based on memory tagging. A version number is stored by software in spare bits of memory. Dedicated non-privileged load/store instructions provide the ability to assign a 4-bit version to each 64-byte cache line. Metadata stored in memory is maintained throughout the Cache hierarchy and all Interconnects. On load/store operations, the processor compares the version set in the pointer with the version assigned in the target memory and generates an exception if there is a mismatch.
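
The version check described above can be modelled in software to show what it catches at 64-byte granularity. The following C model is an added example, not Oracle's ADI interface or code from SAS; the arena, the allocator, the ssm_* names and the placement of the version in the top four pointer bits are assumptions of the model. It goes slightly beyond the text by also showing a stale pointer after free and the undetected write into the unused tail of an allocation's last line.

```c
/* Added example: software model of the SSM version check, not Oracle's ADI API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINE_SIZE   64u   /* tag granularity from the text: one 64-byte cache line */
#define ARENA_LINES 16u   /* constructed arena size */
#define VER_SHIFT   60    /* model assumption: version kept in the top 4 pointer bits */

typedef uint64_t tptr;    /* tagged pointer = 4-bit version | byte offset into arena */

static uint8_t arena[ARENA_LINES * LINE_SIZE];
static uint8_t line_ver[ARENA_LINES];  /* 4-bit version per line; 0 = not allocated */
static size_t  next_line;
static uint8_t next_ver = 1;

static uint8_t ptr_ver(tptr p) { return (uint8_t)((p >> VER_SHIFT) & 0xF); }
static size_t  ptr_off(tptr p) { return (size_t)(p & ((1ull << VER_SHIFT) - 1)); }

/* Hypothetical allocator: whole lines per allocation and a fresh non-zero version
   each time, so neighbouring allocations never share a version. Returns 0 on failure. */
tptr ssm_alloc(size_t n) {
    if (n == 0 || n > sizeof arena) return 0;
    size_t lines = (n + LINE_SIZE - 1) / LINE_SIZE;
    if (next_line + lines > ARENA_LINES) return 0;
    uint8_t ver = next_ver;
    next_ver = (uint8_t)(next_ver % 15 + 1);            /* cycle through 1..15 */
    for (size_t i = 0; i < lines; i++) line_ver[next_line + i] = ver;
    tptr p = ((tptr)ver << VER_SHIFT) | (next_line * LINE_SIZE);
    next_line += lines;
    return p;
}

/* Free: clear the version on every line of the allocation so stale pointers mismatch. */
void ssm_free(tptr p) {
    uint8_t ver = ptr_ver(p);
    if (ver == 0) return;
    for (size_t l = ptr_off(p) / LINE_SIZE; l < ARENA_LINES && line_ver[l] == ver; l++)
        line_ver[l] = 0;
}

/* The check made on every access: the pointer's version must equal the version of
   the target line. Returns the arena offset, or -1 where hardware would trap. */
static long ssm_check(tptr p, size_t idx) {
    if (ptr_ver(p) == 0 || idx >= sizeof arena) return -1;
    size_t off = ptr_off(p) + idx;
    if (off >= sizeof arena) return -1;
    return line_ver[off / LINE_SIZE] == ptr_ver(p) ? (long)off : -1;
}

int ssm_store(tptr p, size_t idx, uint8_t val) {
    long off = ssm_check(p, idx);
    if (off < 0) return -1;
    arena[off] = val;
    return 0;
}

int ssm_load(tptr p, size_t idx, uint8_t *out) {
    long off = ssm_check(p, idx);
    if (off < 0) return -1;
    *out = arena[off];
    return 0;
}

int main(void) {
    uint8_t v = 0;
    tptr a = ssm_alloc(100);   /* occupies lines 0-1 (128 bytes) */
    tptr b = ssm_alloc(64);    /* occupies line 2 with a different version */
    printf("in-bounds store (99):   %d\n", ssm_store(a, 99, 'A'));
    printf("store into slack (127): %d\n", ssm_store(a, 127, 'A')); /* same line: missed */
    printf("overflow into b (128):  %d\n", ssm_store(a, 128, 'A')); /* version mismatch */
    printf("load through b:         %d\n", ssm_load(b, 0, &v));
    ssm_free(a);
    printf("load through stale a:   %d\n", ssm_load(a, 0, &v));     /* version mismatch */
    return 0;
}
```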

3 hours vs 1 minute

SAS recently completed a proof of concept using SSM with SAS 9.4 and the Oracle Studio Discover tool.

SAS 9.4 is a large memory intensive enterprise application predominantly written in C.  Using a standard debug track that uses malloc(3) for memory allocation, SAS test programs could be run by optionally interposing the Oracle Studio discover ADI shared library to intercept malloc() calls.  This transparently enables discover ADI to utilize SPARC M7 Silicon Secured Memory to check for memory corruptions at the silicon layer and produce full stack walk backs if a memory corruption was found.

They were able to realize the following immediate results:

Tag Cross platform bugs in just 2-3 days of testing

Find, triage, fix and put back bugs in less than 2 hours

Identify bugs 180x faster

Other memory validation tool: 3 hours

Silicon Secured Memory and Discover tool: 1 minute

Memory Validation Testing In QA Cycles

SSM along with the Oracle Studio discover ADI allows ISVs to perform full QA runs at near real-time speed. Traditional memory validation tools cannot be used this way because of their high performance overhead; they are typically used only to debug memory corruptions after bug reports come in.

If you develop or deploy large-scale, memory-intensive applications, can you afford not knowing how SSM can help you with your products' quality and security?

For more on the SAS as well as the Oracle Database experience with SSM, see the OOW 2015 presentation CON8216: “Inoculating Software, Boosting Quality: Oracle DB & SAS Experience with Silicon Secured Memory” (PDF).

To learn more about SSM and how your applications can take advantage of it, read the article Detecting Memory Errors with Silicon Secured Memory.


* Based on the April 2015 Internet Security Threat Report from Symantec.


Tuesday Jan 12, 2016

Best Practices Using Oracle Solaris Compliance Tool for SAP

In recent blogs we talked about end-to-end security with Oracle Solaris 11, SPARC M7 and the ISV Ecosystem and one of its main elements: the built-in Solaris 11 compliance tools.

Organizations such as banks, hospitals, and governments have specialized compliance requirements. Auditors who are unfamiliar with an operating system can struggle to match security controls with requirements. Therefore, tools that map security controls to requirements can reduce time and costs by assisting auditors.

Oracle Solaris 11 lowers the cost and effort of compliance management by designing security features to easily meet worldwide compliance obligations, and by documenting and mapping technical security controls for common requirements like PCI-DSS to Oracle Solaris technologies. The simple-to-use Oracle Solaris compliance tool provides users with not only reporting but also simple instructions on how to mitigate any compliance test failure. It also provides compliance report templates.

Available since release 11.2, Oracle Solaris provides scripts that assess and report the compliance of Oracle Solaris to two security benchmarks:

  • Oracle Solaris Security Benchmark and
  • Payment Card Industry-Data Security Standard (PCI-DSS).

The new command, compliance(1M), is used to run system assessments against security/compliance benchmarks and to generate HTML reports from those assessments. The reports indicate which system tests failed and which passed, and they provide any corresponding remediation steps.

A new whitepaper introduces the compliance report on Oracle Solaris and provides information and best practices on how to assess and report the compliance of an Oracle Solaris system to security standards for SAP Installations. The procedure in this whitepaper was tested on an Oracle Solaris global zone, non-global zone, kernel zone, Oracle SuperCluster, Oracle Solaris Cluster, as well as various SAP Advanced Business Application Programming (ABAP) and Java releases with Oracle Database 11g and 12g. The document concludes with information on an additional new SAP benchmark for SAP applications with special security requirements. Read the whitepaper for details. There is also a related SAP note 2114056  "Solaris compliance tool for SAP installation" published (requires SAP login).

Tuesday Dec 08, 2015

IBM GSKit Supports SPARC M7 Hardware Encryption

Oracle and IBM have a very close working relationship running IBM software on Oracle hardware. One of the recent results of this collaboration is the announcement by IBM that its GSKit v8 now supports SPARC M7 hardware encryption (as well as SPARC T4 and T5 processors). This, in turn, means that several IBM software products can now make use of on-chip SPARC hardware encryption today, automatically, without significant performance impact.

What Is GSKit?

The IBM Global Security Kit (aka GSKit) is not a product offering in itself, but instead a security framework used by many IBM software products for its cryptographic and SSL/TLS capabilities. Example IBM products making use of GSKit today include DB2, Informix, IBM HTTP Server and WebSphere MQ. This latest version of GSKit (aka "IBM Crypto for C"), version 8, was validated as a FIPS 140-2 Cryptographic Module earlier this year.

Obtaining The Proper Version of GSKit

GSKit is bundled with each product that makes use of it; over time, new product releases will incorporate GSKit v8 by default. Until then, the latest GSKit v8 for SPARC/Solaris is available on IBM Fix Central, for download and upgrade into existing products. Installation instructions can be found here.

The support described above is available in GSKit v8.0.50.52 and later. As of this writing, the latest GSKit v8.0.50.55 is available for download from Fix Central.

IBM Products that currently make use of GSKit v8 on Solaris (and therefore could take advantage of SPARC on-chip data encryption automatically) include (but are not limited to):

Determining Current GSKit Version

  • $ /opt/ibm/gsk8/bin/gsk8ver # 32-bit version
  • $ /opt/ibm/gsk8_64/bin/gsk8ver_64 # 64-bit version

What This Means

In many cases (such as SSL/TLS over-the-wire communication), products using the proper version of GSKit on Solaris/SPARC will automatically take advantage of hardware encryption. Situations with larger client-server packets will benefit more than those with small packet sizes.  

This will allow these products to make use of the increased security that encryption offers with extremely low performance overhead (something that is not possible with software-only crypto or hardware crypto on other platforms).

Because each of these IBM products has specific use cases, we'll cover more details for each in future blogs.

Monday Dec 07, 2015

End-to-End Security: Solaris 11, SPARC M7 and the ISV Ecosystem

You'll be seeing quite a bit on this blog about increasing security of your applications in the coming weeks and months. Before we dive into the specs and numbers, the wonders of CPU features, and the software technologies that protect, however, it is worth setting some overall context.

Security is more than just data encryption. Indeed, security is more than any single feature, technology or product. Security, as much as anything in the IT world, must be addressed, planned-for and administered both in the whole, as well as the details. Security must be considered from beginning to end or -- as we engineers like to say -- "end-to-end". Holistically. The Big Picture. Soup to Nuts. You get the idea.

Because, in truth, while any single component of a system can provide state-of-the-art security for its little realm, the entire system is only as secure as each and every component. Your on-disk encryption can be unbreakable, but if your system uses weak passwords on internet-facing portals, your company could be the next featured New York Times data breach story.

Within the Oracle Systems Group, we get that. We understand that it takes more than algorithms and firewalls. That's why we'll be talking about Best Practices. About Security Compliance. About Industry and Governmental Security Standards. About hardware encryption. About all the roles in the development, deployment and use of a system. About the pieces of a system which, in total, is 'end-to-end secure'.

With the recent announcement of SPARC M7, Oracle now has the most compelling End-to-End Security platform for the Data Center. These new SPARC-based servers, with on-chip Security in Silicon, and running the Solaris 11 Operating System provide the following enhancements:

  • Silicon Secured Memory: For the first time, Silicon Secured Memory adds real-time checking of access to data in memory to help protect against malicious intrusion and flawed program code in production for greater security and reliability. This protection is available to third-party software developers via application programming interfaces.

  • Hardware-Assisted Encryption: Built into all 32 cores, this feature enables data encryption without performance penalty. This gives customers the ability to have secure runtime and data for all applications even when combined with wide key usage of AES, DES, SHA, and more. Existing applications that use encryption will be automatically accelerated by this new capability including Oracle, third party, and custom applications.

  • Built-in Solaris Compliance Tools: Oracle Solaris 11 lowers the cost and effort of compliance management by designing security features to easily meet worldwide compliance obligations; documenting and mapping technical security controls for common requirements like PCI-DSS to Oracle Solaris technologies with a simple-to-use tool that provides not only reporting but also simple instructions on how to mitigate any compliance test failures; and providing compliance report templates. The compliance system is standards based (XML) and built on the SCAP ecosystem (XCCDF, OVAL, and SCE), which easily integrates with enterprise wide compliance management programs. 

Tuesday Dec 01, 2015

Increasing Data Security with SPARC M7 'Always On' Cryptography

Oracle's new SPARC M7-based servers (released in late October) have numerous compelling hardware features, including the all new Software in Silicon feature set. What many still don't realize is that one of these features -- Hardware Assisted Cryptography -- has existed on SPARC CPUs for several generations. SPARC M7 provides the most powerful on-chip hardware encryption capabilities to date, and what many don't know is that it's Always On and it's available at No Extra Cost. It's also supported by a plethora of Oracle and third-party software offerings Right Now.

SPARC M7 provides 32 cryptographic engines per processor, delivering wide-key encryption of both 'data at rest' and 'data in motion' with near zero performance impact. Most of today's most secure bulk encryption ciphers, message digests and public-key encryption algorithms are supported. Nothing to enable, no code to change.

SPARC M7 on-board encryption functionality (similar to that of previous-generation SPARC T5):

Accelerator Driver: Userland (no drivers required)
Public-Key Encryption: RSA, DSA, DH, ECC
Bulk Encryption: AES, DES, 3DES, RC4, Camellia
Message Digest: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
APIs: PKCS#11 Standard, UCrypto APIs, Java Cryptography Extensions, OpenSSL

What about software support? Oracle 12c already takes advantage of M7 HW Crypto via its Oracle Advanced Security Transparent Data Encryption (TDE), out of the box. WebLogic? The same - it works out of the box. This is true for both native (C/C++-based) and Java Oracle "Red Stack" applications, all of which make seamless use of the underlying hardware encryption mechanisms. 

Okay, you say, we'd expect Oracle's Database and Middleware to support Oracle hardware features -- what about the rest of us? Well, as it turns out, much of the framework software in Solaris 11 is hardwired to take advantage of SPARC HW Crypto when it's detected. Third-party software that makes use of these will usually "get HW Crypto for free". This list includes:

  • openssl (5)
  • ssh (1)
  • Solaris VM for SPARC (aka LDoms)
  • Java runtime - configured via standard JCE/JSSE security mechanisms

The Systems ISV Engineering team is currently working with a number of Solaris ISVs to ensure support and optimal usage of SPARC Hardware Crypto functionality. Look for future blog posts here (and technical articles on OTN) where we will cover this topic with ISVs such as IBM and Sybase.

"The future data center is completely encrypted, and this is the first processor that enables that."

— John Fowler, Oracle Executive Vice President for Systems

You can test your applications on SPARC M7-based systems today, to explore and leverage their breakthrough technologies using the Oracle Software in Silicon Cloud for developers and partners. Available now to all OPN members, enterprise developers with MOS accounts and university researchers (members of Oracle Academy), the Software in Silicon Cloud is a robust and secure cloud platform with ready-to-run virtual machine environments and offers easy access to Oracle SPARC M7 systems running Oracle Solaris 11.3. Try it today!


Monday Oct 26, 2015

ISV Partners See Amazing Results on SPARC M7-Based Systems

Today Oracle announced an all-new family of SPARC systems built on the revolutionary 32-core, 256-thread SPARC M7 microprocessor. The systems feature Security in Silicon for advanced intrusion protection and encryption; SQL in Silicon that delivers unparalleled database efficiency; and world record performance spanning enterprise, big data, and cloud applications. These new systems include the Oracle SuperCluster M7 engineered system and SPARC T7 and M7 servers. Read the full press release.

Some of our ISV partners have been testing these new systems through the early access program and have been seeing amazing results: 

Siemens PLM: Hear how Siemens looks to Oracle for innovation and integration across the stack, highlighting the SPARC M7 servers with Software in Silicon technology for unprecedented performance and unique security capabilities in this video.

“As a leading global provider of product lifecycle management software and services, Siemens PLM Software, helps thousands of companies realize innovation by optimizing their processes. We continually leverage our strong relationship with Oracle to ensure that our Teamcenter software is tuned to run on Oracle platforms. Teamcenter tests of the new Oracle SPARC M7 servers showed dramatic performance improvements, surpassing any improvements seen with a single generation upgrade of SPARC servers. Software-in-Silicon features of the SPARC M7 processor such as the Silicon Secured Memory and SQL in Silicon offer unique capabilities for performance tuning,” said Chris Brosz, vice president of Technical Operations, Siemens PLM Software. 

BPC: “BPC Banking Technologies’ long-term relationship with Oracle aims to find the best technology solutions for our clients. We successfully tested SmartVista on Oracle’s SPARC M7 server running Oracle Solaris, and measured the impact of the Oracle Database In-Memory option along with the SPARC M7 processor’s new SQL in Silicon feature,” said Evgeny Kozhin, senior solutions architect, BPC Banking Technologies. “We were excited to see dramatic performance increases for both our online and batch processing tests. SmartVista is highly tuned and traditionally we only see incremental performance gains with new processor generations. No modifications to SmartVista were needed to get these extraordinary results.”

Capitek: “Capitek AAA is a carrier-grade access authentication management application for the wireless communication networks across China. In our tests processing log files for each AAA server, Oracle's SPARC M7 systems with Silicon Secured Memory and Oracle Solaris Studio development tools proved to be the only effective method of protection against dangerous programming vulnerabilities,” said Jerry Chen, senior manager, Telecom Software Product Department. “It enabled Capitek AAA to be more secure and highly available with very little impact on overall system performance. Other software based memory checking tools proved to be unusable due to their large overhead.”

JomaSoft: “JomaSoft recently completed performance tests on Oracle’s SPARC T7 system running Virtual Datacenter Control Framework (VDCF), our management solution for creating, migrating, patching and monitoring Oracle Solaris environments. Our results showed VDCF to be 1.5x faster core-to-core on SPARC T7 compared to SPARC T5. JomaSoft views Oracle’s powerful SPARC M7 and T7 systems as ideal platforms for customer consolidation and virtualization projects, with technology and value that no other vendor can offer,” said Marcel Hofstetter, CEO at JomaSoft.

MSC Software: “MSC Software, a worldwide leader in multidiscipline simulation technology, recently tested our SimManager simulation data and process management system on Oracle’s SPARC M7 system with Oracle Database 12c. Our testing found SPARC M7 to be extremely scalable and able to deliver better core-to-core throughput than an Intel Xeon X5 v3 server running a SimManager workload. Oracle Solaris 11 virtualization also consolidates multiple instances of the MSC SimManager server, providing a simplified method of managing and processing hundreds of thousands of simulations for product design onto a single platform,” said Leo Kilfoy, general manager, Engineering Lifecycle Management Business Unit, MSC Software Corporation.

SAS: "Oracle's Software in Silicon technology delivers significant value to both SAS customers and internal development teams. The scalability, performance and extensive memory bandwidth of the Oracle SPARC M7 is well-matched with the highly threaded and memory intensive algorithms of our high performance Business Analytics software – which means customers running SAS on Oracle will see faster analysis of their data so they can make better business decisions,” said Craig Rubendall, vice president, Research & Development, SAS. “In addition, SAS uses a variety of tools to ensure the quality of code that is delivered to our customers. The SPARC M7’s Silicon Secured Memory feature along with the Oracle Solaris Studio Code Analyzer detected difficult to find run-time errors far more quickly than other products we use for this purpose, resulting in faster fixes to common code across all platforms.”

Software AG: “Software AG’s Adabas Database Management System Platform is optimized for large-scale transaction processing and provides high-performance and reliable data processing for enterprise business transactions. We have been collaborating closely with Oracle engineering and we recently tested Adabas version 6.4 SP 1 on Oracle’s SPARC M7 system through their early access program and achieved an amazing 2.8X performance increase over Oracle’s SPARC T5 system,” said Angelika Siffring, VP, Product Management, Software AG. “Software AG’s relationship with Oracle helps us provide the fastest and most secure software solutions to our mutual customers.”

Software in Silicon Cloud 

You can test your applications on these new systems to leverage their breakthrough technologies using the Oracle Software in Silicon Cloud for developers and partners. Available now to all OPN members, enterprise developers with MOS accounts and university researchers (members of Oracle Academy), the Software in Silicon Cloud is a robust and secure cloud platform with ready-to-run virtual machine environments and offers easy access to Oracle SPARC M7 systems running Oracle Solaris 11.3. Try it today!

Monday May 11, 2015

Oracle for SAP Technology Update

Oracle and SAP have had an ongoing commitment to tens of thousands of joint customers for over 27 years. Deploying SAP applications on Oracle platforms delivers end-to-end SAP infrastructure solutions that improve productivity and performance, increase system utilization, and create an eco-friendly data center. The two companies recently renewed their longstanding reseller and support agreements to provide enhanced access to Oracle Database technology and world class customer support.

The Oracle for SAP Technology Update is an annual publication that provides updates and information about Oracle products and services for SAP customers. The latest update was published this month.  Example topics covered are:

  • Oracle Database 12c for SAP: Roadmap and Base Certification Features 
  • Implementing a Data Management Infrastructure for SAP with Oracle Database Options and Packs
  • Why Oracle Database and Engineered Systems for SAP
  • Oracle Mission-Critical Support Services for SAP Customers
  • Oracle DB and Oracle Solaris related Notes for SAP
  • Why more and more SAP customers are migrating to Solaris
  • Oracle Security Solutions for SAP environments
  • Customer Examples

You can get the full report here: Oracle for SAP Technology Update #24

Monday Nov 03, 2014

Software in Silicon Innovations for Database

Juan Loaiza, Sr. VP of Technology at Oracle, gave an overview of innovative new Software in Silicon technology and its benefits to databases and applications at Oracle OpenWorld 2014.

He talked about three key ways this new revolutionary technology enhances performance, capacity and reliability:

  • Extreme performance with DB in-memory acceleration engines
  • Increased data capacity with decompression engines
  • Revolutionary change to memory architecture that stops memory corruption, be it from malicious attacks or programmer errors

Watch the video to learn details:

Please note: developers can take advantage of this revolutionary technology using the Oracle Software in Silicon Cloud today!

Saturday Dec 26, 2009

Reminder: Tech Webinar on Security for Web Application

Reminder: Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

Tuesday Dec 15, 2009

HowTo: Using Virtualization to Secure MySQL in a Chrooted Environment

Chrooted environments - often used with MySQL - are known to improve system and application security by providing them with a higher degree of isolation. With the latest OpenSolaris release, virtualization can be used to bring isolation - thereby security - to the next level.

Monday Dec 07, 2009

Tech Webinar: Security for Web Application

Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

Saturday Nov 28, 2009

Webinar Security for MySQL and Web Application

We are planning on a Webinar in January about security for Web applications.

Saturday Oct 17, 2009

Technical Webinars

Take advantage of some free technical Webinars conducted by Sun's experts.

Friday Oct 16, 2009

MySQL in production: looking for security (part 2 of 2)

Here is the follow up on the best practices to secure MySQL in production.

Saturday Oct 10, 2009

Securing MySQL (part 1 of 2)

Here are a set of post-installation best practices to bring MySQL security to the next level.