Saturday, September 23, 2006

what's next for OpenOffice.org

The OpenOffice.org conference is now over. We had three fantastic days at the INSA of Lyon, and I would like to thank everybody who managed to drop by and visit us. People came from all over the place: Korea, Brazil, India, Bangladesh, Germany, Norway, U.S.A...

This conference could not have been possible without the Francophone community, of which I am a member; so I would like to thank everybody who helped us before and during these three days!

On Monday evening, the 11th of September, we organized the Native-Language Party on a ship that cruised the Rhone and Saone Rivers along the city of Lyon. Besides the actual venue that was outwardly marvellous and very classy, I would like to say, just like I did to one of my American guests there, that even though I didn't mention 9/11 in my welcoming speech on the ship, I had the feeling that the actual presence of so many people on board, coming from the entire world, was in a sense a beautiful answer to international terrorism. For Open Source does also mean peace. OpenOffice.org and the Native-Lang Confederation are living evidence of this. I am honoured to lead such a confederation of communities who are building something useful together, and I can experience this on a daily basis.

Now I'm sure you'll be interested by the pics and the transcripts of the conferences! So here you will find the videos and some pics of the conferences. Not all of them have been uploaded yet, so make sure to check back there again for several days. Kudos to the Kiberpipa team from Slovenia who accomplished all this while being asked at the last moment!

Here you will find lots of pictures taken by Jerome D. from Ars Aperta. Here, and also here and there you will find shots from Florian E., Jesus C. and Simon B. from several Native-Lang projects.

The OpenOffice.org Conference is, as always, the time for major announcements concerning the software itself. I recommend that interested readers take a look at the slides of every conference, which are still being uploaded, for more details.

However, I shall disclose the major points that were discussed in Lyon. First, OpenOffice.org shall get Firefox-like extension capabilities by the 2.0.4. This release should be ready somewhere between the coming week and the end of the month. What this means is that although OpenOffice.org could include extensions before, now the way to develop, include, select and manage them will be made easy. Aside from the traditional .zip and unopkg extension packages, a new and definitive extension format, .oxt, shall be used across the extensions, which can be developed using a breadth of languages ranging from StarBasic to Java. New wizards and configuration tools shall be added for the benefit of our end users.

Second, although we have no clear roadmap for this yet (besides, our version naming scheme is going to change once again), OpenOffice.org and StarOffice shall include the Mozilla Foundation's Thunderbird and Sunbird (calendaring application) in the future. Besides the inclusion of those two programs inside the office suite, connectors to Sun Calendar Server and Microsoft Exchange will also be developed accordingly.

Third, a word on the 3.0. A few months ago we changed our release process so as to accommodate more and more community input and patches, and so we switched to a fully incremental, quarterly release schedule. This in turn makes the famous 3.0 rather unpredictable as to what its feature set and characteristics could be. This is why it is useless to look for a weird prototype of it quietly sitting in a virtual Area-51. The only objective of the 3.0 will be to make it much more modular and to have it run on top of frameworks such as Eclipse, Netbeans or Mozilla's XUL.

In any case, feel free to take a look at the conferences' slides, they are really worth it... And as you may not know, OpenOffice.org will celebrate its sixth anniversary, so stay tuned!!!

How much abuse will you take from Microsoft?

Seriously, how many times must users and businesses be kicked in the face before they buy a clue? Before they realize that they don't have to stay in the abusive Microsoft relationship. The answer seems to be: an unlimited number of times.

Take, for example, Internet Explorer. In the latest bad news, the newest zero-day flaw in the Internet Explorer implementation of the Vector Markup Language has opened up a gaping wound in Windows. Through that wound, every kind of garbage imaginable -- bots, Trojan downloaders, spyware, rootkits -- is pouring into Windows systems.

You think you're safe because you do all the right things in patching your systems? Think again, this hole exists even in fully-patched versions of Windows XP SP2 running IE 6. Right now, this very moment, if you go to the wrong site with IE 6, your system is going to get as sick as a dog and You Can't Do Anything About It.

Well, actually, there is one thing you could do. You could switch from vermin-ridden Windows to a desktop Linux. For businesses, I recommend SLED (SUSE Linux Enterprise Desktop) 10. For home users, Ubuntu 6.06, SimplyMEPIS 6.0, Xandros 4, or Freespire are all excellent choices.

Not sure how to do it? No problem. IBM has just published a free 376-page book, the Linux Client Migration Cookbook, on how to jump from Windows to Linux.

OK, so you're not ready to do that. Fine, then would you do yourself the favor of at least dumping IE and using Firefox instead? Yes, Firefox has security problems, too. But, you know what? They tend to be fixed fast -- and there has never, I repeat, never been a significant Firefox-based malware attack of any kind.

Internet Explorer? It takes forever for some problems to be fixed. Worse still, even when Microsoft "fixes" a problem they sometimes can't get it right the first time, or even the second time. They finally did get it right the third time... but, of course, it was only after that, that the floodwaters of filth came pouring into the hole the folks from Redmond hadn't patched.

What will it take?

Some Microsoft users swear that they trust Microsoft to get it right. Is that the same kind of right as when Microsoft tried to slip by us the fact that the Zune, their answer to the iPod, won't play Microsoft's own PlaysForSure media files?

The only thing I'm sure of about Microsoft is that they believe that there's a sucker born every minute. So far, it seems that they're right, as users continue to stand by their shoddy goods, without even seriously considering the competition.

My only hope for most of these poor fools is that Vista's price tag will make them at least consider an alternative to Windows on their desktops. And, since Microsoft doesn't have a stranglehold on the portable music market, buyers will have the good sense to not give Zune a chance to trap their music in a new Microsoft DRM (digital rights management) prison.


-- Steven J. Vaughan-Nichols

GPL, BSD, and NetBSD - why the GPL rocketed Linux to success

Charles M. Hannum (one of the 4 originators of NetBSD) has posted a sad article about serious problems in the NetBSD project, saying "the NetBSD Project has stagnated to the point of irrelevance." You can see the article or an LWN article about it.

There are still active FreeBSD and OpenBSD communities, and there's much positive to say about FreeBSD and OpenBSD. I use them occasionally, and I always welcome a chance to talk to their developers - they're sharp folks. Perhaps NetBSD will partly revive. But systems based on the Linux kernel ("Linux") absolutely stomp the *BSDs (FreeBSD, OpenBSD, and NetBSD) in market share. And Linux-based systems will continue to stomp on the *BSDs into the foreseeable future.

I think there is one primary reason Linux-based systems completely dominate the *BSDs' market share - Linux uses the protective GPL license, and the *BSDs use the permissive ("BSD-style") licenses. The BSD license has been a lot of trouble for all the *BSDs, even though they keep protesting that it's good for them. But look what happens. Every few years, for many years, someone has said, "Let's start a company based on this BSD code!" BSD/OS in particular comes to mind, but Sun (SunOS) and others have done the same. They pull the *BSD code in, and some of the best BSD developers, and write a proprietary derivative. But as a proprietary vendor, their fork becomes expensive to self-maintain, and eventually the company founders or loses interest in that codebase (BSD/OS is gone; Sun switched to Solaris). All that company work is then lost forever, and good developers were sucked away during that period. Repeat, repeat, repeat. That's enough by itself to explain why the BSDs don't maintain the pace of Linux kernel development. But wait - it gets worse.

In contrast, the GPL has enforced a consortia-like arrangement on any major commercial companies that want to use it. Red Hat, Novell, IBM, and many others are all contributing as a result, and they feel safe in doing so because the others are legally required to do the same. Just look at the domain names on the Linux kernel mailing list - big companies, actively paying for people to contribute. In July 2004, Andrew Morton addressed a forum held by U.S. Senators, and reported that most Linux kernel code was generated by corporate programmers (37,000 of the last 38,000 changes were contributed by those paid by companies to do so; see my report on OSS/FS numbers for more information). BSD license advocates claim that the BSD is more "business friendly", but if you look at actual practice, that argument doesn't wash. The GPL has created a "safe" zone of cooperation among companies, without anyone having to sign complicated legal documents. A company can't feel safe contributing code to the BSDs, because its competitors might simply copy the code without reciprocating. There's much more corporate cooperation in the GPL'ed kernel code than with the BSD'd kernel code. Which means that in practice, it's actually been the GPL that's most "business-friendly".

So while the BSDs have lost energy every time a company gets involved, the GPL'ed programs gain every time a company gets involved. And that explains it all.

That's not the only issue, of course. Linus Torvalds makes mistakes, but in general he's a good leader; leadership issues are clearly an issue for some of the BSDs. And Linux's ability early on to support dual-boot computers turned out to be critical years ago. Some people worried about the legal threats that the BSDs were under early on, though I don't think it had that strong an effect. But the early Linux kernel had a number of problems (nonstandard threads, its early network stack was terrible, etc.), which makes it harder to argue that it was "better" at first. And the Linux kernel came AFTER the *BSDs - the BSDs had a head start, and a lot of really smart people. Yet the Linux kernel, and operating systems based on it, jumped quickly past all of them. I believe that's in large part because Linux didn't suffer the endless draining of people and effort caused by the BSD license.

Clearly, some really excellent projects can work well on BSD-style licenses; witness Apache, for example. It would be a mistake to think that BSD licenses are "bad" licenses, or that the GPL is always the "best" license. But others, like Linux, gcc, etc., have done better with copylefting / "protective" licenses. And some projects, like Wine, have switched to a protective (copylefting) license to stem the tide of loss from the project. Again, it's not as simple as "BSD license bad" - I don't think we fully understand exactly when each license's effects truly have the most effect. But clearly the license matters; this is as close to an experiment in competing licenses as you're likely to get.

Obviously, a license choice should depend on your goals. But let's look more carefully at that statement, maybe we can see what type of license tends to be better for different purposes.

If your goal is to get an idea or approach widely used to the largest possible extent, a permissive license like the BSD (or MIT) license has much to offer. Anyone can quickly snap up the code and use it. Much of the TCP/IP code (at least for tools) in Windows was originally from BSD, I believe; there are even some copyright statements still in it. BSD code is widely used, and even when it isn't used (the Linux kernel developers wrote their own TCP/IP code) it is certainly studied. But don't expect the public BSD-licensed code to be maintained by those with a commercial interest in it. I haven't noticed a large number of Microsoft developers being paid to improve any of the *BSDs, even though they share the same code ancestries in some cases.

If your goal is to have a useful program that stays useful long-term, then a protective ("copylefting") license like the LGPL or GPL licenses has much to offer. Protective licenses force the cooperation that is good for everyone in the long term, if a long-term useful project is the goal. For example, I've noticed that GPL projects are far less likely to fork than BSD-licensed projects; the GPL completely eliminates any financial advantage to forking. The power of the GPL license is so strong that even if you choose to not use a copylefting license, it is critically important that an open source software project use a GPL-compatible license.

Yes, companies could voluntarily cooperate without a license forcing them to. The *BSDs try to depend on this. But in today's cutthroat market, that's more like the "Prisoner's Dilemma". In the dilemma, it's better to cooperate; but since the other guy might choose to not cooperate, and exploit your naivete, you may choose to not cooperate. A way out of this dilemma is to create a situation where you must cooperate, and the GPL does that.

Again, I don't think license selection is all that simple when developing a free-libre/open source software (FLOSS) program. Obviously the Apache web server does well with its BSD-ish license. But packages like Linux, gcc, Samba, and so on all show that the GPL does work. And more interestingly, they show that a lot of competing companies can cooperate, when the license requires them to.

Saturday, September 16, 2006

List web based Help Desk

ManageEngine

ManageEngine ServiceDesk Plus is a web based Help Desk and Asset Management software whose features include contract management, purchasing and knowledge management functionalities. It integrates Ticketing, Asset Tracking, Purchasing, Contract Management and Knowledge base in one package. ServiceDesk Plus enables end-users to submit tickets via an online web form or through email. It automates several tasks such as case routing, acknowledging requester, technician notification and handling of SLA rules. It includes a Solutions module that allows you to document best practices and solutions to common problems in an online knowledge base.

ServiceDesk Plus offers inventory tracking functionality across Windows and Linux workstations. It can also track software licenses and let you know the number of over-utilized or under-utilized licenses across your organization.

LiveTime

LiveTime Help Desk provides an enterprise-wide solution for delivering customer service and support. With support for IT Infrastructure Library (ITIL) best practices and a user interface, IS team members can have access to audit trails of every case in just a few clicks. With a built-in self-service portal, comprehensive alerting system and knowledge infrastructure, IS staff can focus on solving complex problems and let the system deal with common solutions to everyday problems. LiveTime Help Desk is based on an Internet infrastructure which can be accessed from any browser, with no plug-ins, no client maintenance and no client updates. LiveTime provides pre-integration with many third party products, such as Asset Management solutions and CRM systems.

GoverLAN

GoverLAN is a remote administration, user support and enterprise desktop management suite for Windows NT and Active Directory platforms. It is equally a critical asset for enterprise administrators, system administrators and technical support teams.

The GoverLAN Suite is composed of three main features:

· GoverLAN Scope Actions: GoverLAN Scope Actions are a new concept in GoverLAN and represent a major improvement in what GoverLAN has to offer. This new feature empowers you to take control of your machines, users and groups as a whole. Every piece of information, every setting, and every action can now be reported, modified and executed at a scope level.
· GoverLAN Administration & Diagnostics: Use GoverLAN to execute real-time remote administration and troubleshooting on your users, computers and groups.
· GoverLAN Remote Control: 80% of the GoverLAN Remote Control code has been re-written to provide you with a much faster, more secure remote control feature. Support for clients with multi-monitors has also been added.

:: Company :: PJ Technologies, Inc.
:: URL :: www.pjtec.com
:: Email :: info@pjtec.com
:: Price :: $549.00

Web Based Help Desk Software

There are many reasons companies have turned to Web-based software in lieu of traditional stand-alone applications. One of the most notable benefits of Web-based software is, of course, the advantage it offers companies with multiple locations, satellite offices and traveling employees. Web-based applications can be accessed from any place that has an Internet connection.

Web-based software is also much easier to manage in terms of installation and upgrades. Once an upgrade or change is installed on the server, all users have immediate access. There is no need to upgrade individual PCs, and migration issues no longer take up valuable DBA and technician resources. Finally, Web-based applications are much more cost-effective to deploy, as all users are accessing them through a browser. There is then also no need for testing on different operating systems and hardware/software configurations.

Simplifying Customer Service Tasks
Web-based help desk software uses the power and universality of the Internet to manage and simplify customer service tasks. With our application, managers can have access to real-time customer trends, speed call turnaround and increase customer satisfaction. It also allows users to remotely check ticket progress, submit requests and view service bulletins.

Help Desk was designed to operate either as a stand-alone application or as one that is integrated with other Eden or third party business software solutions. It was developed to align with ITIL® best practices, and can easily be maintained on any J2EE compliant application server, or Eden can host the solution for you. Our Help Desk is user-friendly enough that it rarely requires technical support, but just in case, Eden maintains a staff of highly-trained technicians to answer your questions 24 hours a day.

Web Based Help Desk

A help desk that allows you to provide comprehensive service through a central ticketing system while balancing work flow between your site operators. Some of the features include a powerful email parser for email communication, separate public interfaces, a fully integrated knowledgebase, “Ajax” enabled work flow management features, and live chat integration options.

SupportTrio allows you to easily track, manage, and respond accurately to your visitors' support queries. It eases your support load and provides better support management. The user and the visitor can track and update support tickets through a centralized location. Ticketing avoids the inherent confusion and pitfalls of email support. The tickets are archived and can be accessed at a later date.

Friday, September 15, 2006

Think You Control Your Domain Name? Think Again!

Permission is granted for free publication of this article, either electronically or in print, provided both the bylines and resource box are included. A courtesy copy of your publication would be appreciated.

Let me ask you some questions that may sound "obvious" but can have downright scary answers. Did you buy your domain name from a service? Do you know who is in control of your domain name? Have you done a "Whois" search to find out? The answer may very well shock you!

Buying a domain name is a very easy thing to do. But if you buy a domain name without any knowledge of "ownership" vs. "control", you could very well be headed down a bumpy road.

Unfortunately, most Web site owners are unaware that "ownership" does not equate to "control." Just because you paid for your domain name does not mean you have access or authority to make changes, transfers or other necessary functions. But if not you - the owner - who does?

There are 4 components to a domain name:

1. Registrant: you - the person who registered the domain name
2. Billing Contact: could be anyone
3. Technical Contact: could be anyone
4. Administrative Contact: could be anyone

The registrant is you. You might assume that items two, three and four are also you. A natural assumption. Guess what… most of the time they are not! THIS is where you get into trouble.

Who's In Control?

So whose names are listed in the "control" spots? Nine times out of ten, it is a person within the organization you purchased your domain name from. Any inquiries about billing, technical issues and administrative questions are sent to this arbitrary person. The domain name registration company has FULL control over your URL. What does this mean?
Even though you are the owner, and you make a request for changes, the confirmation request will go to the administrator for verification. This person has the full authority to approve or reject changes to your domain name.

The Dangers

Keep one thing in mind: domain registrars can, and do, go out of business. They get bought and sold just like other organizations. They are not legally required to notify you of any changes within their firm. This fact alone can cause unlimited problems with renewals, changes, sales or transfers. But that's not all.

Let's say you put in a domain transfer request. A time-sensitive confirmation will be sent from the registrar of your domain name to the administrative contact. This confirmation must be answered within a certain timeframe. Now, if the administrative contact is someone at the business you purchased your domain name from, we could have a serious problem. That person might be on vacation, sick, fired, or even under orders not to respond. In any case, your transfer will be denied. Think it doesn't happen? I'm horrified to tell you it does - every single day.

What does the technical contact control? Basically, where your Web site "lives." What happens if you submit a hosting transfer request and your technical contact (not you - someone at the business you got your domain name from) does not respond to the message? Your domain name is trapped! Worst-case scenario… your site is down for days or weeks because your Web site lives at one place, and your domain name lives somewhere else.

And finally, the billing contact. At some point it will be time to renew your domain name registration. Most registrars send a notice to the billing contact 30 days before the payment is due. For whatever reason, the person listed as the billing contact does not contact you about the renewal. You just lost your domain name due to expiration!

Your Domain Name Is Being Held Hostage

When a domain name registration company forces itself into the contact fields of your registration records, it's commonly known as being "held hostage."

I personally know of countless horror stories of online business owners who have fought tirelessly to "free" their domain names and regain control. They will be glad to tell you the woes of losing control of your URL. So what do you do about it? How do you get back full control of your business?

Steps To Take

Make sure when you register a domain name that the registrant, administrative, technical and billing contacts are in your name. Just as soon as you receive confirmation and access information, log in and change any "forced" contact information to your name.

Use a contact email address you will always have. A good one is the one associated with your domain name. The email address on record must match the email address you are sending a request from. If you use an email associated with your ISP (@hotmail.com, @rr.sc.com, @earthlink.com) and later change ISPs, you'll have to make contact information corrections prior to making any transfers, etc.

And lastly, if at all possible, register with a company that provides you with a management or control center. This is - without a doubt - the safest way to go.

· You won't have to wait for someone else to make needed changes.
· You won't have to ask anyone for permission to make changes.
· You will never be denied the changes you need to make.
· You won't lose your domain name because the company listed as "contact" closed or was bought out.
· You won't lose your domain name because you weren't notified of the renewal date.
· You WILL be in full control of the most important part of your company - your domain name.

Take back control of your domain name today. Make the necessary adjustments to the contacts on record so that your URL can never be held hostage.
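The contact check described in this article can be run against the text a Whois lookup returns. The following is an added example, not part of the original article: the record is constructed, and its `Role Field: value` layout and the function names are assumptions, since real Whois output differs between registries and registrars.

```python
import re
from datetime import date, datetime

# Constructed Whois-style record (not real data); field labels are assumed.
SAMPLE_WHOIS = """\
Domain Name: example-shop.test
Registrant Name: Jane Owner
Registrant Organization: Example Shop Ltd
Registrant Email: jane@example-shop.test
Admin Name: Hostmaster
Admin Organization: CheapNames Registrations
Admin Email: hostmaster@cheapnames.test
Tech Name: Hostmaster
Tech Organization: CheapNames Registrations
Tech Email: hostmaster@cheapnames.test
Billing Name: Jane Owner
Billing Organization: Example Shop Ltd
Billing Email: jane.owner@isp-mail.test
Registry Expiry Date: 2026-03-01T00:00:00Z
"""

ROLES = ("Admin", "Tech", "Billing")  # the three "control" contacts
CONTACT_LINE = re.compile(
    r"^\s*(Registrant|Admin|Tech|Billing)\s+(Name|Organization|Email):\s*(.+?)\s*$",
    re.I,
)
EXPIRY_LINE = re.compile(r"^\s*Registry Expiry Date:\s*(\S+)", re.I | re.M)


def parse_contacts(whois_text):
    """Return {role: {field: value}} for every contact line found."""
    contacts = {}
    for line in whois_text.splitlines():
        m = CONTACT_LINE.match(line)
        if m:
            role, field = m.group(1).title(), m.group(2).lower()
            contacts.setdefault(role, {})[field] = m.group(3)
    return contacts


def parse_expiry(whois_text):
    """Return the expiry date, or None if the record does not list one."""
    m = EXPIRY_LINE.search(whois_text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").date()


def email_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def audit_contacts(whois_text, today, renew_window_days=30):
    """List (role, issue) pairs for contacts the registrant does not control."""
    contacts = parse_contacts(whois_text)
    owner = contacts.get("Registrant", {})
    owner_org = owner.get("organization", "").casefold()
    owner_dom = email_domain(owner.get("email", ""))
    findings = []
    for role in ROLES:
        contact = contacts.get(role)
        if not contact or not contact.get("email"):
            findings.append((role, "missing"))
            continue
        same_org = bool(owner_org) and contact.get("organization", "").casefold() == owner_org
        same_dom = bool(owner_dom) and email_domain(contact["email"]) == owner_dom
        if not same_org and not same_dom:
            # Confirmation requests for this role go to someone else entirely.
            findings.append((role, "third_party_control"))
        elif not same_dom:
            # The owner's own contact, but on a mailbox outside the domain (e.g. an ISP).
            findings.append((role, "external_mailbox"))
    expiry = parse_expiry(whois_text)
    if expiry is not None and (expiry - today).days <= renew_window_days:
        findings.append(("Registration", "renewal_due"))
    return findings


if __name__ == "__main__":
    for role, issue in audit_contacts(SAMPLE_WHOIS, date(2026, 2, 10)):
        print(f"{role}: {issue}")
```
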

What is a domain name and why would I want one?

In this article we will cover the basics of what a domain name is, how they work and why you need to have at least one. I am going to try and avoid complicated computer terms and stick to explanations that should be easily understood by someone without a computer science degree.

What is a Domain Name? Before we can go into what a domain name is I'm going to tell you why we need them, as the answers complement each other. The Internet is just a really big collection of connected computers (a network). For the purpose of explaining domain names you can think of the Internet a bit like the phone system, and just like the phone system every computer on the Internet has its own phone number, except an Internet phone number is called an IP address. This address is made up of up to 12 digits in the form 123.123.123.123. Computers use these IP addresses to send information to each other over the Internet.

When the Internet was first created it quickly became clear that these IP addresses were not easy to remember and another method was needed to make these addresses more human friendly. The solution to this was the Domain Name System (DNS). Basically the DNS is a really, really big phone book for computers. When you type a web site address into your web browser it checks the DNS for that website name and finds the IP address. Once it has the IP address it can then send a message to that computer and ask it for the web page you wanted.

OK, so you know a domain name is part of a web site address, but which part? Let's look at a website address so we can identify and discuss what bit of it is a domain name.
http://www.itxcel.com/index.html

The above address is the home page of the itXcel web site. It can be split into 3 main parts. The first part is http://, which just tells your web browser what kind of information it is going to get and how to get it. The last part is /index.html, which is the name of the file on the remote computer that you want your browser to get. The bit in the middle, www.itxcel.com, is a domain name. This is the name that your computer sends to the DNS to get back the IP address.

So you know what a domain name is and that there is a phone book called the DNS to change your easy to remember domain name into an IP address that your computer can understand. The Internet phone book (DNS) is special in that everyone on the Internet needs to be able to use it. This makes the DNS very, very big (100+ million addresses big). Due to the size of this phone book it needed to have a carefully organised and managed structure.

Domain names themselves are split into different levels like a hierarchy. The DNS system uses this hierarchy to search the DNS for the IP address of the domain name it is trying to find. The last bit of a domain, in the previous example the com part, is called the top level domain. There is a large selection of top level domains like com, net, org and info. There are also very similar endings called country level domains like uk and de. Each of the top level and country level domains is managed by a different organization; sometimes these are companies or non profit organizations and sometimes governments. In the domain business these organisations are referred to as the registries. Each registry looks after its own part of the domain name system.

If you decide you want to use a domain name in the top level domain com, like mycompany.com, you would have to have this name assigned by the registry that manages that top level domain (for .com a US company called VeriSign). The process of being assigned a domain name is called domain registration.

Domain registration is more like a lease than a purchase. You are renting the second level domain (the mycompany bit) from VeriSign for a specific amount of time, normally between 1 and 10 years at a time. Most of the organizations that allow you to register a second level domain charge a fee for each year that you register the domain for. With almost all domain names you are also given the option to renew your registration (lease) when it is close to running out (expiring).

Once you have registered a second level domain you are free to create as many third level domains (sometimes called sub domains) as you like. In our previous example the www is a sub domain of itxcel.com.

Most of the registries that manage these top level domain names do not allow individuals or businesses to register domains directly with them. To register a domain you need to use a company like itXcel. We act as a registrar and send all the required information and the registration fee to the registry. Registrars are useful as they hide the differences that exist in each of the registries from the customer and provide a simple step by step process for registering a domain. A registrar also allows you to manage and track all your domains from one place rather than having to deal with a different company for each top level domain.

OK, so I know what a domain name is. Why do I need one? Can you imagine what a nightmare it would be if you had an email address like myname@123.246.128.255 or a web site address like http://123.246.128.255/? These addresses are possible but not very easy to remember. Now if you register a domain name you could create an email address like myname@mycompany.com and a web site address like http://mycompany.com. These are much easier to remember and look 100 times more professional.

One of the important points about registering a domain is that once done you have an exclusive right to use that domain for as long as you keep the domain registered in your name. If you do not renew a domain at the end of its registration period it will again become available for registration by someone else. For this reason, even if you don't want or need a web site at the moment, it's still a good idea to register a domain as soon as possible. Just imagine if your competition registered the domain name of your company or product. Although there is a process in place to retrieve these domains, it can be long and complicated. It is definitely simpler to spend a little money up front to secure your chosen domain names.

To find out what domains are available and to quickly and cheaply register them visit http://www.itxcel.com now and enter your desired name in the domain search box.

Web Site Basics

The web, or internet, is an exciting place, but it can seem very daunting to the novice web designer.
You want to get a web site up and live. How is it done, and how can it be done cheaply?

Domain Names

The first step is to select a domain name. Try to choose a name that is easy to remember, short, and if possible one that describes your website.

Nearly all the obvious domain names have gone, so you may need to use your imagination!

There are many domain name registration services such as my own site www.discountdomainsuk.com on the web. All domain names are created by the Top Level Domain providers such as Nominet in the UK so there is no great advantage in paying over the top for your domain name. Look for a company that offers telephone support, e-mail only can be frustrating.

Web Hosting
Next you will need some space on the web to publish or host your website. If you have a broadband or ADSL connection, you can use this to host your own site. It does of course mean that you can’t switch off your machine.
To point a domain name at a site hosted in this way you need to have a static IP address and look for an IP pointing option in your domain name registrar's control panel. This is usually called the domain's Zone Records.
Mostly everyone uses a third party hosting company; once again there are loads to choose from including my own service at www.discountdomainsuk.com
Select the hosting package that best matches your requirements and budget. It’s usually best to start with a basic package and then upgrade; hosting companies make most of their money by selling you space which you then don’t use.
Your hosting company will provide you with a username and password to allow you to FTP (File Transfer Protocol) your site to the hosting space.
If you’re using a hosting company other than your domain name registrar, you will need their Primary and Secondary DNS, or Domain Name Settings, which take the form of domain names, e.g.
Ns1@asdasdasd.co.uk
Ns0@asdadadsa.co.uk

Web Design
A great package to start out web designing is MS FrontPage; it follows the format of the rest of the Microsoft office suite and is very reasonably priced and easy to pick up.
Once you’ve progressed with FrontPage then a more professional and sophisticated package to try is Macromedia Dreamweaver.
Once you have designed a site then simply select the publishing option, enter the domain name, your user name and password, and your site will FTP to your web-server.

Summary
That’s all there is to it. Getting a website up and live can be done in a matter of minutes. It’s worth mentioning that a new domain name and DNS changes can take up to 48 hours to get picked up by the worldwide DNS system.

Register Domain Names One Year At A Time!

I first heard about this money saving news from a press release that wound
up in my inbox. I haven't heard it posted anywhere else so I decided to do a
little digging on my own, and do what I can to spread the good news.

Effective January 15, 2000, the restriction of registering domain names for
two years at a time has been lifted. You can now register domain names from
one to ten years, in one year increments, up to a maximum of ten years. The
following text is taken directly from the ICANN NSI-Registrar License and
Agreement, located at:

http://www.icann.org/nsi/nsi-rla-04nov99.htm

2.3. New Architectural Features. NSI will use its best commercial efforts to
develop and implement two additional modifications to the Licensed Product
by January 15, 2000 as follows:

2.3.1. NSI will issue an upgrade to the Licensed Product that will enable a
Registrar to accept initial domain name registrations or renewals of a
minimum of one year in length, or in multiples of one year increments.

2.3.2. NSI will issue an upgrade to the Licensed Product that will enable
registrars to accept the addition of one additional year to a registrant's
"current" registration period when a registrant changes from one registrar
to another.

In no event shall the total unexpired term of a registration exceed ten (10)
years.

So there you have it folks, right from ICANN themselves. If you have a lot
of domain names - like me - you may want to keep them reserved one year at
a time, to keep your costs down. Or, if you have a company name not likely
to be sold in the future, you can register it for 10 years at a big savings
off of the regular price.

After digging and digging around, at several ICANN accredited registrars, I
was hard pressed to find even one that allowed anything but the old two year
registrations. I did finally find one Canadian company that does one to ten
year registrations (partnered with Melbourne IT, an ICANN accredited
registrar). The fact that they have a shopping cart to allow multiple
registrations and a real time database is just the icing on the cake.

https://secure.kudosnet.com/domain/k2/r.dmc/

With 21 domain names to register, I'm happy to say that I saved over $600 US
by being able to register them for a single year, instead of two, and I
submitted them all with a single mouse click.

Thursday, September 14, 2006

cheap hosting domain

Web hosting provides domain registration and SSL certificates and other cheap web hosting services for all types of web page hosting needs. Website hosting plans include PHP hosting, MySQL hosting, PostgreSQL web hosting, FrontPage hosting, CGI Hosting, SSH Web Hosting, Web Space Hosting, PHPBB Hosting, PHPNuke Hosting, Domain names registration, Webmail Hosting / Pop3 Web Hosting / Email Web Hosting, Image web hosting, Internet web hosting, Foto & Gallery Hosting, New Zealand web hosting, Custom Mime types and error pages, Python Web Hosting, Perl, CGI web hosting, SSH hosting, Zend, Sablotron, SSI, Webmail hosting, Forum Web Hosting, Blog Hosting, Email Hosting SMTP, IMAP, pop3, Secure personal web hosting and lots more.

Try
http://www.cheapwebhosting.co.nz/
http://www.hostingdude.com/

Maintenance Management

The purpose of this column is to raise questions and challenge plant leadership on strategy, vision and execution of reliability and maintenance management. Since the name of this magazine is Reliable Plant, I think it would be interesting for my first column to challenge you on the meaning of the term “reliability.”

Reliability is often used by plants to define future improvement efforts and set expectations for employees and managers. In several recently written mission statements, I’ve seen expressions such as “to increase profitability through increased reliability.” But when companies are asked to define what the words mean, what reliability is and how it’s measured, it’s unusual to get a comprehensive answer.

The manufacturing and process industry may not have defined the meaning of the word reliability, but you would think the service sector would have done so by now. It has not. Consultants start the trends and use these words in order to sell the industry a new concept. We sometimes, however, fail to define the meaning of the terms we invent.



The goal for any plant is to increase overall production reliability, meaning the maximization of output with current resources by reducing waste in equipment reliability and process reliability (the latter is often used in process industry; it may be called “manufacturing reliability” in discrete manufacturing). Equipment and process reliability jointly create reliable production.

This can be measured using overall production reliability (OPR). Traditionally, this measurement is called overall equipment effectiveness (OEE). OEE and OPR refer to the same measurement, but I use the name OPR since it better describes what is actually measured. It should be called OPR because it includes all possible production-related waste, not only equipment-related waste.

OPR is calculated as:

OPR = Quality (%) x Speed (%) x Time Availability (%)

Speed, Time Availability and Quality describe all losses in a production or process line. OPR is, therefore, an excellent measurement to use when setting reliability goals jointly for operations, maintenance and engineering.

Operations’ primary responsibility is process reliability, where the process, or manufacturing, is operating with as little waste as possible. Examples of process waste are quality and production losses due to operating parameters such as setting of pressures, machine speeds, cutting tool selection or concentration of chemicals.

Maintenance’s primary responsibility is equipment reliability. Lack of equipment reliability creates waste due to failing components, quality losses for the reason of equipment problems, or speed losses because of component wear or breakdowns.

Engineering should focus on supporting equipment and process reliability through life cycle cost (LCC) design. LCC is used to consider the cost of buying and owning equipment. It’s common that engineering departments only focus on making sure a new installation is on time and under budget. Reliability and maintainability aspects of the equipment design are forgotten. For example, why would someone buy a motor or gearbox without jacking bolts (pushbolts used when aligning equipment) installed?

We know world-class shaft alignment is virtually impossible to do with a sledgehammer, so why don’t we specify jacking bolts as part of the design?

In conclusion, most companies need to better specify the term reliability. It will help employees understand what the goal is when we refer to, for example, “production reliability.”

In maintenance management, we primarily focus on equipment reliability. In my next column, we’ll discuss how plant maintenance management can set goals by clarifying “equipment reliability” for their co-workers.

 

Money In-Depth Stock Picks

Stocks discussed in the in-depth session of Jim Cramer’s Mad Money TV program, Friday September 8. Click on a stock ticker for more analysis:

Baby Boom: Kimberly-Clark (KMB)

Cramer appeared on his show sporting a diaper to emphasize how much he believed in KMB, not just for its consumer products which are necessary no matter how the economy is behaving but also because it is a play on oil since petroleum is used in the production of diapers. As the price of oil decreases, comments Cramer, KMB should improve especially since $300 million to $350 million of cost inflation built into its 2006 numbers is mostly due to oil. As raw costs go down, says Cramer, KMB will go up.

Related: Catablast Media's discussion of the effect of the new baby boom and increased diaper demand on Kimberly-Clark.

Go to the Tape: Deere's (DE)

In a new segment of Mad Money called "Go the Tape," Cramer used Deere as an example of a stock which declined and came back. In spite of a good quarter, DE dropped $3 because it reported slowing construction. However, those who listened to the conference call would have noticed that inventory was low and that Deere is an agriculture play and is not connected with housing as many people believe. Because expectations were low and the stock was shorted DE bounced back. Cramer said that the Deere story teaches investors to look for three things: "Aggressive shorting during options expiration week, companies that tamp down expectations and have upside surprises, and misinformation about business cycles."

Goldman Sachs (GS), Lehman Brothers (LEH), and Bear Stearns (BSC)

These three companies report earnings next week and "could provide a really super trading backdrop," Cramer said. Expectations are low for this sector and that is a reason to pay attention, according to Cramer, because these companies should get a boost in September after people return from vacation and start trading. Of the three, Cramer prefers GS because it is "cheap and ready to roll" and advises purchasing September $1.50 call options on GS; "They should be cheap because they expire at the end of the week," Cramer said. "Don't buy all at once. Buy a quarter on Monday, a quarter on Tuesday, and if the stock goes down, you double down."

Related: Eli Hoffman comments on the recent pullback in brokerage stocks.

CEO Interview: Devon Energy (DVN) Chairman and CEO Larry Nichols

In addition to a recent discovery in the Gulf of Mexico, Larry Nichols says that Devon has three other potential finds "in the pipeline" and is second only to Chevron (CVX). When Cramer asked how he makes sense of Wall Street, Larry Nichols replied, "there is a time when people are going to talk about oil going down, and there will be brief lulls when it does," and added that since oil sources are often political hotspots, "there is only a matter of time before another problem comes up and the price shoots back up."

Seeking Alpha publishes a summary of Jim Cramer's stock picks every day including: Mad Money Recap, Lightning Round, Stop Trading and his Radio Show.

Tuesday, September 12, 2006

Pcb

Pcb is a handy tool for laying out printed circuit boards.
Pcb was first written by Thomas Nau for an Atari ST in 1990 and ported to UNIX and X11 in 1994. It was not intended as a professional layout system, but as a tool which supports people who do some home-developing of hardware.
The second release 1.2 included menus for the first time. This made Pcb easier to use and thus a more important tool.
Release 1.3 introduced undo for highly-destructive commands, more straightforward action handling and scalable fonts. Layer-groups were introduced to group signal-layers together.
Release 1.4 provided support for add-on device drivers. Two layers (the solder and the component side) were added to support SMD elements. The handling of libraries was also improved in 1.4.1. Support for additional devices like GERBER plotters started in 1.4.4. The undo feature was expanded and the redo-feature added in 1.4.5.
harry eaton took over pcb development beginning with Release 1.5, although he contributed some code beginning with Release 1.4.3.
Release 1.5 provides support for rats-nest generation from simple net lists. It also allows for automatic clearances around pins that pierce a polygon. A variety of other enhancements including a Gerber RS-274-X driver and NC drill file generation have also been added.
Release 1.6 provides automatic screen updates of changed regions. This should eliminate most of the need for the redraw (R key). Also some changes to what order items under the cursor are selected were made for better consistency - it is no longer possible to accidentally move a line or line point that is completely obscured by a polygon laying over top of it. Larger objects on the upper most layers can be selected ahead of smaller objects on lower layers. These changes make operations more intuitive. A new mode of line creation was added that creates two lines on 45 degree angles with a single click. The actual outline of the prospective line(s) is now shown during line creation. An arc creation mode was added. Drawn arcs are quarter circles and can be useful for high frequency controlled impedance lines. (You can have eighth circle arcs if the source is compiled with -DARC45, but be aware that the ends of such arcs can never intersect a grid point). Two new flags for pins and vias were created - one indicates that the pin or via is purely a drill hole and has no copper annulus. You can only toggle this flag for vias - for elements, it must be an integral part of the element definition. The other flag controls whether the pad will be round or octagonal. There is also now a feature for converting the contents of a buffer into an element.
Release 1.6.1 added the ability to make groups of action commands bound to a single X11 event to be undone by a single undo. Also a simple design rule checker was added - it checks for minimum spacing and overlap rules. Plus many fixes for bugs introduced with the many changes of 1.6.
Release 1.7 added support for routing tracks through polygons without touching them. It also added support for unplated drill files, and drawing directly on the silk layer. A Netlist window for easily working with netlist was also added.
Release 2.0 adds an auto-router, a new simpler library mechanism, much improved support for graphically creating (and editing) elements, viewable solder-mask layers (and editing), snap to pins and pads, netlist entry by drawing rats, element files (and libraries) that can contain whole sub-layouts, metric grids, improved user interface, a GNU autoconf/automake based build system, and a host of other improvements.

Special thanks goes to:

Thomas Nau (who started the project and wrote the early versions).
C. Scott Ananian (who wrote the auto-router code).
Bernhard Daeubler (Bernhard.Daeubler@physik.uni-ulm.de)
Harald Daeubler (Harald.Daeubler@physik.uni-ulm.de)
DJ Delorie (djdelorie@users.sourceforge.net)
Larry Doolittle (ldoolitt@recycle.lbl.gov)
Dan McMahill (danmc@users.sourceforge.net)
Roland Merk (merk@faw.uni-ulm.de)
Erland Unruh (Erland.Unruh@malmo.trab.se)
Albert John FitzPatrick III (ajf_nylorac@acm.org)
Boerge Strand (borges@ifi.uio.no)
Andre M. Hedrick (hedrick@Astro.Dyer.Vanderbilt.Edu)
who provided all sorts of help including porting Pcb to
several operating systems and platforms, bug fixes, library enhancement, user interface suggestions and more. In addition to these people, many others donated time for bug-fixing and other important work. Some of them can be identified in the source code files. Thanks to all of them. If you feel left out of this list, I apologize; please send me an e-mail and I'll try to correct the omission.

Overview
Pcb is a printed circuit board editor for the X11 window system. Pcb includes many professional features such as:
Up to 8 copper layer designs
RS-274-X (Gerber) output
NC Drill output
Centroid (X-Y) data output
Postscript and Encapsulated Postscript output
Autorouter
Trace optimizer
Rats nest
Design Rule Checker (DRC)
Connectivity verification
Pcb is Free Software
Can interoperate with free schematic capture tools such as gEDA and xcircuit

 

Monday, September 11, 2006

PCB history

The inventor of the printed circuit was probably the Austrian engineer Paul Eisler (1907–1995) who, while working in England, made one circa 1936 as part of a radio set. Around 1943 the USA began to use the technology on a large scale to make rugged radios for use in World War II. After the war, in 1948, the USA released the invention for commercial use. Printed circuits did not become commonplace in consumer electronics until the mid-1950s, after the Auto-Sembly process was developed by the United States Army.

Before printed circuits (and for a while after their invention), point-to-point construction was used. For prototypes, or small production runs, wire wrap can be more efficient.

Originally, every electronic component had wire leads, and the PCB had holes drilled for each wire of each component. The components' leads were then passed through the holes and soldered to the PCB trace. This method of assembly is called through-hole construction. In 1949, Moe Abramson and Stanilus F. Danko of the United States Army Signal Corps developed the Auto-Sembly process in which component leads were inserted into a copper foil interconnection pattern and dip soldered. With the development of board lamination and etching techniques, this concept evolved into the standard printed circuit board fabrication process in use today. Soldering could be done automatically by passing the board over a ripple, or wave, of molten solder in a wave-soldering machine.

However, the wires and holes are wasteful since drilling the holes is expensive and the protruding wires are merely cut off.

Instead of using through-hole parts, often 'surface mount' parts are used instead. See Surface-mount technology below.

Physical composition

Most PCBs are composed of between one and sixteen conductive layers separated and supported by layers of insulating material (substrates) laminated (glued with heat, pressure & sometimes vacuum) together.

Layers may be connected together through drilled holes called vias. Either the holes are electroplated or small rivets are inserted. High-density PCBs may have blind vias, which are visible only on one surface, or buried vias, which are visible on neither.

Substrates
FR-2

Low-end consumer grade PCB substrates frequently are made of paper impregnated with phenolic resin, sometimes branded "Pertinax". They carry designations such as XXXP, XXXPC, and FR-2. The material is inexpensive, easy to machine by drilling, shearing and cold punching, and causes less tool wear than glass fiber reinforced substrates. The letters "FR" in the designation indicate flame resistant.

FR-4
High-end consumer and industrial circuit board substrates are typically made of a material designated FR-4. This consists of a woven fiberglass mat impregnated with a flame resistant epoxy resin. It can be drilled, punched and sheared, but due to its abrasive glass content requires tools made of tungsten carbide for high volume production. Due to the fiberglass reinforcement, it exhibits about five times higher flexural strength and resistance to cracking than paper-phenolic types, albeit at higher cost.

RF

PCBs for high power radio frequency (RF) work use plastics with low dielectric constant (permittivity) and dissipation factor, such as Rogers 4000, Rogers Duroid, Teflon type GT or GX, polyimide, polystyrene and cross-linked polystyrene. They typically have poorer mechanical properties, but this is considered an acceptable engineering tradeoff in view of their superior electrical performance.

Conductive Core

PCBs designed for use in vacuum or in zero gravity, as in spacecraft, being unable to rely on convection cooling, often have thick copper or aluminum cores to dissipate heat from electrical components.

Flex

Not all circuit boards use rigid core materials. Some are designed to be very flexible or slightly flexible, using DuPont's Kapton polyimide film and others. This class of boards, sometimes called flex circuits, or rigid-flex circuits, respectively, are difficult to create but have many applications. Sometimes they are flexible to save space (PCBs inside cameras and hearing aids are almost always made of flex circuits so they can be folded up to fit into the limited available space). Sometimes, the flexible part of the circuit board is actually being used as a cable or moving connection to another board or device. One example of the latter application is the cable connected to the carriage in an inkjet printer.

Ceramic/Metal Core

Power electronic applications require low-thermal resistivity substrates, with thick copper track to carry high currents. The main technologies are ceramic-based substrates (Direct Bonded Copper) and metal-based substrates (Insulated Metal Substrate).

PCB definition

PCB:
Stands for "Printed Circuit Board." A PCB is a thin board made of fiberglass or a similar material. Electrical wires are "printed" onto the board, connecting the microprocessor to other components on the board. Some examples of PCBs include motherboards, RAM chips, and network interface cards.

Printed circuit boards are sometimes abbreviated as "PC boards," which is fitting, since the boards are commonly used in personal computers. However, PCBs are also found in other types of electronic devices, such as radios, televisions, and computer monitors. Because PCBs are relatively flat, they can also be used in thin devices such as laptops and portable music players.

Oracle Instructor's Guide to Oracle9i

An Oracle Instructor's Guide to Oracle9i

Oracle claims that Oracle9i raises the competitive bar by which all future database servers will be judged. Oracle's latest release contains enhancements in virtually all areas of the database server, resulting in an Oracle database with improvements in scalability, availability, performance, manageability, multimedia datatype support and functionality. This article is not intended to be an all-inclusive list of features, but rather an overview of some of the more beneficial (and hopefully interesting) enhancements contained in this release.

The information on Oracle9i will be provided in three installments. In this article, we'll take a look at the following features: persistent initialization parameter files, remote startup/shutdown, database managed undo segments, resumable space allocation and flashback query.

Part two will cover external tables, tablespace changes, Oracle managed files, multiple block sizes and cache configuration, list partitioning, on-line table reorganization and index monitoring.

The last article in this series will cover RAC (Real Application Clusters), fail safe, data guard, fine-grained resource management, fine-grained auditing and label security.

With all of the new features contained in this release, Oracle9i promises to be the most exciting Oracle release to date. This series will focus on what Oracle customers can look forward to when using the "latest and greatest" version of Oracle's flagship database product, Oracle9i.

Persistent Initialization Parameter Files

Oracle9i introduces on-line parameter changes that persist across database shutdowns and startups. This feature allows administrators to make changes to database initialization parameters and have them take effect immediately. In the past, these changes would require the administrator to edit the database's parameter file (initsid.ora). Because Oracle only reads the parameter file during startup, the changes would not take effect until the next time the database was shut down and restarted.

In Oracle9i, a server-based parameter file, called a SPFILE, is used as the repository for initialization parameters. Oracle9i documentation now refers to the old initsid.ora parameter file as the PFILE. The SPFILE is initially created by using the PFILE (initsid.ora) parameter file as the source. It is important to note that the database is initially created using the old PFILE parameter file. Administrators then use the "CREATE SPFILE FROM PFILE" command to create the server-based parameter file. At system startup, the default behavior of the STARTUP command is to look for the SPFILE before it looks for the PFILE. The Oracle administration guides provide information on default location and naming conventions for server-based parameter files.

The administrator uses the ALTER SYSTEM statement to dynamically change initialization parameters. A parameter can be changed immediately or deferred until the next database startup. Although the majority of the parameters can be dynamically changed, there are a few configuration parameters that can only be changed by editing the old initsid.ora parameter file (PFILE).

Here are a few hints on PFILEs and SPFILEs:
Never, ever edit a SPFILE manually. Although you can view it in both UNIX and NT editors, editing it can produce a "less than desirable" outcome. The SPFILE was edited three times during our beta testing and the result was three database failures.
If you are required to edit the PFILE to change a static parameter, don't forget to execute the 'CREATE PFILE FROM SPFILE' statement to refresh the PFILE with all of the dynamic changes recorded in the SPFILE. Execute the SPFILE to PFILE refresh before you edit the PFILE. If you don't you could lose the dynamic changes recorded in the SPFILE. Remember, the database looks for the SPFILE first during startup, so you will need to execute the "CREATE SPFILE FROM PFILE" after you edit the PFILE to migrate your changes. If your PFILE doesn't have a record of all your dynamic parameter changes, you will lose them when you execute the 'CREATE PFILE FROM SPFILE' statement. The recommended procedure is to always execute the 'CREATE PFILE FROM SPFILE' command after dynamically changing a parameter to back up the changes recorded in the SPFILE to the PFILE.
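The hints above as a SQL*Plus session: change dynamic parameters online, back the SPFILE up to a text PFILE, and rebuild the SPFILE from the edited PFILE while the instance is down. This is an added example, not part of the original article; the path /tmp/initdemo1.ora and all parameter values are assumptions.

```sql
-- Added example, not from the original article. Run in SQL*Plus as SYSDBA.
-- Assumptions: backup PFILE path /tmp/initdemo1.ora; sizes are illustrative.

-- Was the instance started from an SPFILE? (VALUE is empty if a PFILE was used.)
SHOW PARAMETER spfile

-- Which parameters can be changed online?
-- ISSYS_MODIFIABLE = 'FALSE' marks a static parameter that needs a restart.
SELECT name, value, issys_modifiable
FROM   v$parameter
WHERE  name IN ('db_cache_size', 'shared_pool_size',
                'sga_max_size', 'db_block_buffers');

-- Dynamic change: applied to the running instance and recorded in the SPFILE.
ALTER SYSTEM SET db_cache_size = 64M SCOPE=BOTH;

-- Deferred change: recorded in the SPFILE only, used at the next startup.
ALTER SYSTEM SET shared_pool_size = 96M SCOPE=SPFILE;

-- Back up the SPFILE, including the changes above, to a text PFILE
-- BEFORE any manual edit, so the dynamic changes are not lost.
CREATE PFILE='/tmp/initdemo1.ora' FROM SPFILE;

-- Static change, following the article's procedure:
SHUTDOWN IMMEDIATE
--   (edit /tmp/initdemo1.ora in a text editor here; never edit the SPFILE)
-- Rebuild the SPFILE while the instance is down: Oracle rejects
-- CREATE SPFILE when the target is the SPFILE the running instance is using.
CREATE SPFILE FROM PFILE='/tmp/initdemo1.ora';
STARTUP

-- After the restart, show the running value beside the stored one for
-- every parameter that is explicitly set in the SPFILE.
SELECT p.name, p.value AS running_value, s.value AS spfile_value
FROM   v$parameter p, v$spparameter s
WHERE  s.name = p.name
AND    s.isspecified = 'TRUE'
ORDER  BY p.name;
```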

Oracle9i provides a new static parameter called SGA_MAX_SIZE which specifies the maximum size of the SGA for the lifetime of the instance. Another new Oracle9i parameter, DB_CACHE_SIZE, replaces DB_BLOCK_BUFFERS. DB_BLOCK_BUFFERS is still provided for backwards compatibility. The DB_BLOCK_BUFFERS and SGA_MAX_SIZE parameters are static, so they can only be changed by editing the PFILE, then executing the 'CREATE SPFILE FROM PFILE' statement and restarting the instance.

During our testing, we found that the online changes to parameters worked well. We did find that changing SGA parameters produced some interesting results. We were able to dynamically alter the initialization parameters that affect the size of the buffer caches, shared pool, and large pool, but only to the extent that the sum of these sizes and the sizes of the other components of the SGA (fixed SGA, variable SGA, and redo log buffers) did not exceed the value specified by SGA_MAX_SIZE.

When we reduced memory from the data buffers by decrementing DB_CACHE_SIZE, Oracle allocated the memory saved to the shared pool. When we reversed the operation by reducing the memory allocated to the shared pool, Oracle allocated the freed memory to the data buffers.

Remote Startup/Shutdown

Oracle9i's persistent parameter files provide administrators with the ability to start an Oracle instance using SQL*Plus on remote clients.

Before we begin, some background information is in order. Oracle has been promising to desupport server manager and CONNECT INTERNAL for some time now. Administrators would use server manager on the host to connect to the database using the INTERNAL account to start and stop an Oracle instance.

Server manager and CONNECT INTERNAL are officially desupported in Oracle9i and are replaced by SQL*Plus and a special privilege called SYSDBA. SQL*Plus and SYSDBA have been available for some time but were never a primary means of starting and stopping an Oracle instance.

During an instance start, Oracle reads instance configuration parameters from a SPFILE or PFILE. In order to facilitate remote startup and shutdown, SQL*Plus is now able to reference the server-based parameter file (SPFILE) from remote clients. This solves the problem of propagating copies of the PFILE to all remote clients that require the ability to start an Oracle instance. By having all clients point to a single source, administrators can rest easy knowing the same parameters are used to configure the instance during each startup.

The steps to access a SPFILE from a remote client are as follows:

1. A server-based parameter file (SPFILE) is configured on the database server by executing the 'CREATE SPFILE FROM PFILE' command.

2. Create a parameter file on the remote client that contains a single line that references the server-based SPFILE:
spfile=/u01/app/oracle/product/9.0.0/dbs/spfiledemo1.ora

3. Start SQL*Plus without connecting to the database by executing:
sqlplus /nolog

4. Connect to the remote instance as SYSDBA:
CONNECT username/password@connect_identifier AS SYSDBA

5. Start the instance by executing:
STARTUP PFILE=pfilename.ora

* where pfilename.ora is the parameter file name created in step 2.

Standard operating practice in UNIX environments is to embed STARTUP and SHUTDOWN commands in server manager to start and stop an Oracle instance. Shops migrating existing databases to Oracle9i should change the startup scripts from server manager to SQL*Plus.

Database Managed Undo Segments

You don't have to be an Oracle expert to know that rollback segments can be "somewhat troublesome." Out-of-space conditions, contention, poor performance and the perennial favorite "snapshot too old" errors have been plaguing Oracle database administrators for over a decade. Oracle finally decided that the database could probably do a better job of managing before images of data than we could.

A transaction uses a rollback segment to record before images of data it intends to change. If the transaction fails before committing, Oracle uses the before images to rollback or undo the uncommitted data changes. Oracle also uses rollback segments for statement-level read consistency. Read consistency ensures that all data returned by a query comes from the same point-in-time (query start time). Lastly, rollback segments provide before images of data to help the instance roll back failed transactions during instance recovery.

In Oracle9i, administrators have their choice of continuing to manage rollback segments on their own (manual undo management) or configuring the database to manage its own before image data (automatic undo management). Oracle refers to system managed before image segments as undo segments.

Administrators must create a tablespace to hold undo segments by using the new UNDO keyword in the tablespace create statement:
CREATE UNDO TABLESPACE undots1
DATAFILE 'undotbs_1a.f'
SIZE 10M AUTOEXTEND ON;

The following initialization parameters are used to activate automatic undo management:
UNDO_MANAGEMENT - AUTO configures the database to use automatic undo segments. MANUAL configures the database to use rollback segments.
UNDO_TABLESPACE - Specifies the tablespaces that are to be used to hold the undo segments. The tablespace must be created using the UNDO keyword. If no tablespace is defined, Oracle will select the first available undo tablespace. If no undo tablespaces are present in the database, Oracle will use the system rollback segment during startup. This value can be set dynamically by using the ALTER SYSTEM statement.
UNDO_RETENTION - Specifies the amount of time that Oracle attempts to keep undo data available. This parameter becomes important when the Oracle9i flashback query option is used.

You cannot create database objects in undo tablespaces. They are reserved for system-managed undo data. The view DBA_UNDO_EXTENTS can be accessed to retrieve information relating to system managed undo data. For those of us familiar with V$ROLLSTAT, it is still available and the information reflects the behavior of the undo segments in the undo tablespace.

We found automatic undo management to be pretty reliable during our initial beta testing of Oracle9i. The key to success is to allocate sufficient disk storage to the undo tablespace and to set AUTOEXTEND on to allow the tablespace datafiles to grow automatically. During our beta testing, numerous heavy batch update jobs were simultaneously run to simulate heavy work loads. We found that the system managed undo segments worked as advertised. During performance comparisons, we did find that system managed undo segments did seem to add some extra processing time to the batch loads. We found that the rollback segment tablespace used in our comparison testing auto extended sooner than its system managed undo tablespace counterpart. One possible explanation is that the overhead can be attributed to the system managed undo segments performing additional actions to squeeze more undo data in the tablespace before giving up and auto expanding the undo tablespace datafile.

Resumable Space Allocation

Running update jobs that insert or update large amounts of data also cause their fair share of problems. Estimating the space required by large operations can be quite a formidable forecasting effort.

Do you add extra space to data and index tablespaces? Do you make the table and index INITIAL and NEXT extent sizes bigger? Do you increase the size of the rollback segments to handle the additional load? Should you increase the size of your TEMP tablespace and make your default INITIAL and NEXT extent sizes larger?

In previous releases, when an out of space condition occurs, the statement quit running and the database rolled back the unit of work. Rolling back can be a time-consuming (sometimes a VERY time-consuming) process. The DBA corrected the problem and the program was run again (hopefully successfully the second time). How many times have there been a third, fourth and fifth time?

Oracle9i solves this problem with resumable statements. Oracle9i temporarily pauses SQL statements that suffer from out of space conditions (no free space in the tablespace, file unable to expand, maxextents or maximum quota reached). The DBA is able to easily identify the problem and correct the error. The statement will then resume execution until completion.

The ALTER SESSION ENABLE RESUMABLE statement is used to activate resumable space allocation for a given session. Developers are able to embed the ALTER SESSION statement in programs to activate resumable space allocation. A new parameter, called RESUMABLE, is used to enable resumable space allocation for export, import and load utilities.

Statements do not suspend for an unlimited amount of time. A timed interval can be specified in the ALTER SESSION statement to designate the amount of time that passes before the statement wakes up and returns a hard return code to the user and rolls back the unit of work.

If no time interval is specified, the default time interval of two hours is used.
When a resumable statement suspends because of an out of space condition, the following actions occur:
A triggerable system event is initiated. Developers are able to code triggers that fire when a statement suspends.
Entries are placed into system data dictionary tables. The data dictionary views DBA_RESUMABLE and USER_RESUMABLE can be accessed to retrieve the paused statement's identifier, text, status and error message.
Messages are written to the alert log identifying the statement and the error that caused the statement to suspend.
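
The pieces described above put together, as an added example that is not from the original article: a session enabling resumable allocation with a one-hour timeout, the DBA's query against DBA_RESUMABLE, and an AFTER SUSPEND trigger that records what ran out of space. The account batch_owner, the table resumable_log, the trigger name, the statement tag and the timeout value are assumptions.

```sql
-- Added example. batch_owner, resumable_log, resumable_watch, 'nightly_load'
-- and the 3600-second timeout are hypothetical names and values.

-- A session can only enable resumable allocation if it holds this privilege.
GRANT RESUMABLE TO batch_owner;

-- In the batch session: wait up to one hour for the DBA instead of the
-- two-hour default, and tag the work so it is easy to find later.
ALTER SESSION ENABLE RESUMABLE TIMEOUT 3600 NAME 'nightly_load';

-- DBA: which statements are paused, since when, and why?
SELECT session_id, name, status, timeout, suspend_time, error_msg, sql_text
  FROM dba_resumable
 WHERE status = 'SUSPENDED';

-- Table written by the trigger below (created in the trigger owner's schema).
CREATE TABLE resumable_log (
  logged_at       DATE,
  db_user         VARCHAR2(30),
  error_type      VARCHAR2(64),
  object_type     VARCHAR2(64),
  object_owner    VARCHAR2(64),
  tablespace_name VARCHAR2(64),
  object_name     VARCHAR2(64)
);

-- Fires on the suspend system event. Creating a database-level trigger
-- requires the ADMINISTER DATABASE TRIGGER privilege.
CREATE OR REPLACE TRIGGER resumable_watch
AFTER SUSPEND ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;  -- the log row commits apart from the paused work
  l_error_type   VARCHAR2(64);
  l_object_type  VARCHAR2(64);
  l_object_owner VARCHAR2(64);
  l_tablespace   VARCHAR2(64);
  l_object_name  VARCHAR2(64);
  l_sub_object   VARCHAR2(64);
BEGIN
  -- Returns TRUE when the suspension was caused by a space error and
  -- fills in which object and tablespace hit the limit.
  IF DBMS_RESUMABLE.SPACE_ERROR_INFO(l_error_type, l_object_type,
                                     l_object_owner, l_tablespace,
                                     l_object_name, l_sub_object) THEN
    INSERT INTO resumable_log
      (logged_at, db_user, error_type, object_type,
       object_owner, tablespace_name, object_name)
    VALUES
      (SYSDATE, USER, l_error_type, l_object_type,
       l_object_owner, l_tablespace, l_object_name);
    COMMIT;
  END IF;
END;
/

-- Once space has been added the statement resumes on its own. To give up on
-- a suspended statement instead, pass its SESSION_ID from DBA_RESUMABLE to
-- DBMS_RESUMABLE.ABORT.
```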

Flashback Query

How many times have database recoveries been performed because of incorrect changes made to database data? Were your users ever unsure of the damage? There are times when a simple before change and after change comparison was all that was needed. If the damage was limited, a simple update may have been able to correct the problem, a process that is much less painful than a database restore.

Oracle9i's flashback query provides users with the capability of viewing data in the past. Oracle describes this new feature as "Oracle Invents the Time Machine" in many of its advertisements. It may not be a time machine, but it does allow data to be viewed in the past and it is easy to use. I must admit, I thought "It sounds too good. It has to be hard to use or not be reliable." I was wrong on both counts.

To take advantage of flashback queries, the database must use system managed undo segments. If flashback query is to be used, the administrator is tasked with determining how much of the old data should be kept available. The undo tablespace must be sized to hold the desired amount of undo data. Oracle documentation provides calculations that use update frequency and the amount of data being changed to estimate the required size of the undo tablespace.

The configuration parameter UNDO_RETENTION, which specifies the amount of time that Oracle attempts to keep undo data available, plays an important role in flashback query. Although Oracle documentation recommends flashback query for applications that want to view data in the past, it is important to understand that the UNDO_RETENTION parameter does not force Oracle to keep the old data in the undo tablespace. Depending on the available disk storage allocated to the undo tablespace, the database might not always be able to keep all of the requested undo data available. Providing active transactions with undo image space takes precedence over flashback query requirements. As a result, applications should not be designed to depend on the availability of historical data retrieved from undo segments.

The system supplied package DBMS_FLASHBACK is used to provide flashback query capabilities. Standard date and time SQL functions can be used to determine the time in the past the data will be retrieved from. Here is an example that goes back five minutes:
EXECUTE DBMS_FLASHBACK.ENABLE_AT_TIME (SYSDATE - (5/(24*60)));

The above statement sends the session five minutes back in time for the duration of that session or until the EXECUTE DBMS_FLASHBACK.DISABLE is executed. Oracle recommends that the session not be ended without executing the FLASHBACK.DISABLE procedure. I have seen a few sessions ended without executing FLASHBACK.DISABLE without any detrimental effects. It is better to be safe than sorry, so the recommendation is to always execute FLASHBACK.DISABLE before ending the session.

Currently, flashback query is able to provide 5 days (uptime not wallclock) worth of data using the date and time parameter. To query data older than this, you must specify an SCN rather than a date and time.

Two important points to remember when using flashback query:
The current data dictionary is used. If DDL changes have been made to the table between the time stated in the flashback query and the current point in time, an error will be returned.
Data cannot be updated during a flashback query enabled session. To save historical data, the old data can be placed into a cursor. The contents of the cursor can be dumped into a work table after the FLASHBACK.DISABLE procedure is executed.
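
The cursor technique from the second point, as an added example that is not from the original article: the cursor is opened while the session is five minutes in the past, flashback is disabled, and the old rows are then copied into a work table for a before/after comparison. The orders table, its columns, the work table and the customer_id filter are assumptions; the session needs EXECUTE on DBMS_FLASHBACK.

```sql
-- Added example. orders, orders_before_change, their columns and the
-- customer_id value are hypothetical.
CREATE TABLE orders_before_change (
  order_id    NUMBER,
  status      VARCHAR2(20),
  amount      NUMBER(12,2),
  captured_at DATE
);

DECLARE
  CURSOR c_old IS
    SELECT order_id, status, amount
      FROM orders
     WHERE customer_id = 1001;
  r_old       c_old%ROWTYPE;
  l_flashback BOOLEAN := FALSE;   -- tracks whether the session is in the past
BEGIN
  DBMS_FLASHBACK.ENABLE_AT_TIME(SYSDATE - (5/(24*60)));
  l_flashback := TRUE;

  -- The cursor's result set is fixed when it is opened, so it keeps
  -- returning the five-minute-old rows after flashback is switched off.
  OPEN c_old;

  DBMS_FLASHBACK.DISABLE;         -- back to the present; DML is allowed again
  l_flashback := FALSE;

  LOOP
    FETCH c_old INTO r_old;
    EXIT WHEN c_old%NOTFOUND;
    INSERT INTO orders_before_change (order_id, status, amount, captured_at)
    VALUES (r_old.order_id, r_old.status, r_old.amount, SYSDATE);
  END LOOP;

  CLOSE c_old;
  COMMIT;
EXCEPTION
  -- ORA-08180 (no snapshot for the requested time) and ORA-01555 (undo
  -- already overwritten) arrive here when the undo data is no longer
  -- available; leave the session in the present and keep no partial copy.
  WHEN OTHERS THEN
    IF l_flashback THEN
      DBMS_FLASHBACK.DISABLE;
    END IF;
    IF c_old%ISOPEN THEN
      CLOSE c_old;
    END IF;
    ROLLBACK;
    RAISE;
END;
/

-- Before/after comparison: rows whose status or amount changed in the
-- last five minutes.
SELECT o.order_id,
       b.status AS old_status, o.status AS new_status,
       b.amount AS old_amount, o.amount AS new_amount
  FROM orders o, orders_before_change b
 WHERE o.order_id = b.order_id
   AND (o.status <> b.status OR o.amount <> b.amount);
```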

Remember, although flashback query is promising to be a beneficial feature in Oracle9i, it is not a panacea. Applications should not be designed to depend upon flashback query data. In addition, although it may prevent an occasional database recovery, it must be used cautiously. If data has been changed incorrectly, administrators must determine if other transactions have used that incorrect data as input. If the transactions using incorrect data as input have also made data changes, bad data is now being propagated throughout the database. It may be safer to perform a database recovery to a previous point in time.

In our next discussion of Oracle9i, we'll discuss external tables, tablespace changes, Oracle managed files, multiple block sizes and cache configuration, list partitioning, on-line index table and index reorganization and index monitoring.

See you in class!

Christopher Foot has been involved in database management for over 18 years, serving as a database administrator, database architect, trainer, speaker, and writer. Currently, Chris is employed as a Senior Database Architect at RemoteDBA Experts, a remote database services provider. Chris is the author of over forty articles for a variety of magazines and is a frequent lecturer on the database circuit having given over a dozen speeches to local, national and international Oracle User Groups. His book titled OCP Instructors Guide for DBA Certification, can be found at http://www.dba-oracle.com/bp/bp_book14_OCP.htm.

 

Database Security Primer

An Enterprise Database Security Primer

For many system administrators, the terms “open systems” and “security” can seem impossibly opposite. Maintaining security for a centralized database system is difficult enough, and when faced with a network of networked databases, maintaining a level of access and update security is a formidable challenge. Security is often an afterthought, and the database industry is plagued with sub-standard security, especially for enterprise databases that are cobbled-together as a result of external factors such as corporate acquisitions.
There are many problems with security for enterprise databases, far more than the IT industry would care to acknowledge. These security exposures stem from the following architectural issues:
Multiple entry points — Unlike a traditional centralized database, web-based databases have many entry points. These entry points include web servers, VPN access, app server access and access to databases via web portal protocols. When dealing with literally hundreds of entry points, special care needs to be taken to ensure that harmful viruses are not introduced into the system.
Weakest link problem — The recent publicity regarding security holes in enterprise security underscores the weakest link problem. When dealing with such a wide variety of entry points and platforms, the overall system security is only as secure as the weakest link in the federation. No matter how much care is taken to ensure security at the database level, problems can still be introduced from a variety of other sources. For example, once a hacker gets root access to a web server, it is often easy to gain access to the database server, especially when remote shell capability is enabled.
Web-based databases — Databases that are configured to allow external communications from other web portals face an exceptional data security challenge. Hackers can constantly attempt to hack into web portals, eventually locating a weakness in the Net Services architecture.
When we speak of security, we must clearly define its scope, because security means different things to different managers:
Server access security
Internet access security
Database access security
Data privacy security
While few security systems are perfect (the exception being the retinal eyeball scanners used by the U.S. Department of Defense for top-secret systems), there are some things that can be done to decrease the likelihood of a security breach. Many of these methods are time-consuming and slow down the runtime system, so careful thought must be given to these solutions before implementing them in a production environment. Let’s explore each of these areas and see some common security problems.

Server Access Security

Server access security refers to preventing unwanted access to the server environment and ensuring controlled access to the IT staff. There are several technologies that are employed to assist with external server access:
Kerberos security — This popular “ticket”-based authentication system provides password-based server access authentication.
Authentication servers (Radius servers) — Secure authentication servers provide positive identification for external users.
Password security consolidation — Many vendors offer tools to consolidate passwords among dozens of servers.

Obviously, all security must start at the server level. The IT manager must provide reliable access methods for IT staff members while ensuring that the database is not open to external threats. Let’s start by looking at internal server access tools:
Call-back access — Using this technique, the IT staff member calls a phone number, enters a password, and the server calls them, thereby ensuring that access is always with pre-defined phone numbers.
Time-based access cards — This scheme is commonly used by banking institutions and classified government systems. A credit-card-sized timer is given to each IT employee that generates a new password every 60 seconds. The card is synchronized with a server-side password change routine.
VPN access — Using Virtual Private Networks, IT staff members can gain access to a server using secure shell (ssh) protocols.

However, even all of these precautions do not always prevent unwanted hacker access, especially for web-enabled databases. There are many ways that a malicious programmer can bypass the security of a database. The media is full of reports of adolescent hackers who have breached top-secret systems, and even the major database vendors have been plagued with bugs that allow external hackers access to web servers and app servers. While there are new approaches to breaking into systems being developed constantly, there are some general categories of methods.

There are a large variety of vendors that offer tools to manage internal IT security. Listing 1 shows an alphabetical sample of the major security vendors. As we can see, there is a huge amount of choice in security software.
AuthAPI (Entact Information Security)
Cisco Secure Policy Manager (Cisco Systems)
Control-SA (BMC Software)
Control-SA/Links (BMC Software)
Enterprise Security Administration (Computer Associates)
Enterprise Security Manager (Axent Technologies)
Lucent Security Management Server (Lucent Technologies)
OpenEdition DCE Security Server (IBM)
Open e-Security Platform (e-Security)
PassGo CUA (Axent Technologies)
ProtectIT (Computer Associates)
Resource Manager for UNIX (Axent Technologies)
SecureWay Policy Director (IBM)
Tivoli Security Management (Tivoli)
Unicenter TNG (Computer Associates)
VACMAN Radius Server (Vasco Data Security)

Listing 1: A list of IT security vendors.

Internal Passwords and Database Security

In an open system environment, system access is controlled at the network sign-on level, the individual work station, each database within the federation, as well as each application.

If possible, servers should not be accessible over the Internet unless network and systems administrators have followed the general guidelines for authenticated external access. Some companies use domain servers to restrict server access to specified users. However, hackers still might intercept user IDs and passwords. To prevent this, many companies employ tools that utilize secure shell (ssh) technologies to encrypt external Internet communications. The most popular of these tools is SecureCRT, which gives authorized users Internet access to servers without the fear of someone capturing the user ID and password.

Secure shell tools use sophisticated Huffman cryptography techniques for Internet transmissions; these products are more secure even than the Enigma code that was used during World War II. However, such superb encryption sometimes lulls IT staffs into believing that they are protected from external attack. Remember, the bulk of the security is at the server firewall, not on the Internet.

There has been a great debate about the effectiveness of requiring frequent password changes. Advocates argue that it reduces the likelihood that the user will use easily guessed names. Those against enforced password changes point out that the frequent changes may be seen as obtrusive by the end-user and also require the forgetful end-user to write down their current password. With so many possible ports of entry, effective ID management can be quite difficult. Invariably, all of the password control mechanisms have significant problems:
Password-changing routines — Many shops have discovered that when a user is forced to provide multiple passwords for each component in an enterprise database, they commonly compromise system security by choosing passwords that are cyclic in nature. For example, a user may rotate between the passwords “north,” “south,” “east,” and “west” in order to avoid having to keep track of the multiple sign-ons to all of the system components. More sophisticated password devices require the end-user to specify passwords of a minimum length (greater than five characters), prohibit the re-use of passwords, and require that the passwords are changed on a periodic basis. One approach that has been especially effective is to link the password-changing software with the user’s personnel records so that the names of family members, street addresses, and other easily guessed information may not be included in the password.
Automatic account disabling — If you suspend the server ID after three password attempts, attackers are thwarted. Without user ID suspension, an attacker can run a program that generates millions of passwords until it guesses the user ID and password combination.
Random password generators — This is one of the most problematic mechanisms of all, and virtually guarantees that your staff will have written lists of passwords. For example, consider the following screen (refer to Figure 1).

Figure 1: An ineffective random password generator.

Without a centralized security component, the end-users are forced to write down all of these passwords to each system component in order to manage the complexity of remembering all of the passwords. While this strategy is a tremendous headache for the end users, it does ensure that system-wide security is not jeopardized through a single breach. In system-wide security environments, security tables are kept which allow the end user to specify their user ID and sign-on once, and the security subsystem automatically manages their access to networks, operating systems, databases and applications.

There are two basic approaches to password security. The first and most common approach utilizes a common security system (refer to Figure 2). This security system maintains a single password, and controls access to all of the system components. This idea has been borrowed from ancient mainframe systems such as RACF and ACF2.

Figure 2: Internal Password propagation.

While this is a great simplification for the end user of the system, it also increases the risk that a breach to the system-wide security could have widespread ramifications. One downside to this approach is that a failure on the processor that contains the propagation routine could conceivably lock up the entire enterprise. Another potential problem with centralized security is the possibility that a user might decrypt a password on one component, thereby gaining access to the entire federation.

Another method for controlling security is to make each of the distributed systems components access the security tables directly (refer to Figure 3). This eliminates the exposure of having redundant passwords stored in each processor and provides a simple point of control for the entire federation.

Figure 3: Centralized password security.

This approach requires user-exits to be installed at the level of each sign-on, at the network, operating system, and database level. The security files of each component continue to exist, but the password fields contain random, unchanging values. While it is nice to have a single point with which to control security, there is also the possibility that a failure on the security system would block access to the entire federation. To alleviate this potential exposure, security tables are stored redundantly on two processors, and a failure on one processor will trigger the security mechanism to check the other processor. Security at each level of the system is still maintained because each individual security component is still active, with random passwords that are never actually used for signing on to the component.

Auditing External Security

With such complexity, many IT managers employ security experts and professional white-hat hackers to ensure that their security is bullet-proof. Such checks usually involve the following areas:
Firewall security assessment
Enforcement of Network security policies
Router security checks
Review of Kerberos and remote authentication servers
Review of network security policies
Review of UNIX vendor security updates
Password strength checking
Use of UNIX shadow passwords
Checking for improper rhosts connectivity
Checking sticky bits for exposures

Of course, security is for more than internal IT staff. You must also provide access over the web to end users from all over the world. Let’s explore this issue.

Web-based Access Security

Today’s Web architectures include four layers of servers: Web listeners, Web servers, application servers, and database servers. Each of these layers is vulnerable to hacks.
Figure 4: A four-tiered eCommerce architecture (courtesy Builder.com).

In general, security concerns over Internet access are similar to security issues in an internal network. To understand the similarity, let’s examine the entry points for hackers and demonstrate some techniques that attackers use to gain access to confidential data. All Web-based applications have numerous possible entry points, and security must be enforced at each level. Hackers look at the following areas when they try to break into a Web application.
Internet access — If hackers can guess the IP address of a server, they can telnet to the server and get a login prompt. At this point, all they need is a user ID and password to gain access to the server.
Port access — All Web applications are configured to listen on a predefined port for incoming connections, and they generally use a listener daemon process to poll for connections.
Server access — A four-tiered Web application incorporates a series of Web servers, application servers, and database servers. Each of these servers presents a potential point of entry, and if remote shell (rsh) access is enabled, a hacker that gets access to a single database may get access to many servers.
Network access — OracleNet, as an example, allows for incoming connect strings to the Oracle listener process. If hackers know the port, IP address, Oracle ID, and password, they can gain direct access to the database.

After you identify possible attack points, you must restrict access to those points. Disabling external entry can be accomplished through several methods. Next, let’s examine web-based security access.

Ecommerce security is especially important for Web-based databases where hackers can gain complete control of the environment. Many managers are justifiably concerned about opening up mission-critical applications to the Internet. With dozens of potential entry points and almost daily news about large companies being hacked, proper database security is critical.
Web port access security — All applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Web Listener can be configured to restrict access.
XML-based access security — The latest trend among web-enabled databases is in the area of Web services, specifically the inter-communications between databases over the Internet. We have the Microsoft .NET initiative and web service tools offering to assist in managing security between web portals. Most of these use XML security to verify communications across an insecure network.

Internet hackers are constantly searching for servers to attack. To do this, the hackers write simple scripts that randomly generate and ping IP addresses, looking for servers that respond with an “ack.” The response is called a “ping acknowledgment” and is a standard feature of the TCP/IP ping utility. For example, here we ping the IP address for a major eCommerce database web server:
C:\> ping 172.234.33.101

Here’s the output:
Pinging 172.234.33.101 with 32 bytes of data:
Reply from 172.234.33.101: bytes=32 time=164ms TTL=254
Reply from 172.234.33.101: bytes=32 time=162ms TTL=254
Reply from 172.234.33.101: bytes=32 time=170ms TTL=254
Ping statistics for 172.234.33.101:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 162ms, Maximum = 170ms, Average = 165ms

The acknowledgment packet tells the hacker that there’s an active server at this IP address. Next, the hacker simply uses the telnet utility to go to the server and begins a series of attempts to hack the root or the Oracle user password. The best way to foil this type of attack is to disable all server accounts after three password attempts.
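
The lockout after three attempts, together with the password rules listed earlier under Internal Passwords and Database Security (minimum length, no re-use, periodic change, no easily guessed personal words), expressed for Oracle database accounts as an added example that is not from the original article. The function, profile, table and user names and the 90, 7 and 365 day values are assumptions; the three-attempt and longer-than-five-characters limits come from the text.

```sql
-- Added example, run as SYS (a password verify function must be owned by SYS).
-- pw_rules, guessable_words, app_login, app_user and the day counts are
-- hypothetical.

-- Words taken from personnel records that a given user may not embed in a
-- password (family names, street names, ...), stored in upper case.
CREATE TABLE guessable_words (
  db_user VARCHAR2(30),
  word    VARCHAR2(30)
);

CREATE OR REPLACE FUNCTION pw_rules (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  l_hits NUMBER;
BEGIN
  -- Minimum length: greater than five characters.
  IF LENGTH(password) <= 5 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Password must be longer than five characters');
  END IF;

  -- The account name itself is the first thing a guessing program tries.
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002,
      'Password must not equal the user name');
  END IF;

  -- Reject passwords containing a word listed for this user.
  SELECT COUNT(*)
    INTO l_hits
    FROM guessable_words g
   WHERE g.db_user = UPPER(username)
     AND INSTR(UPPER(password), g.word) > 0;
  IF l_hits > 0 THEN
    RAISE_APPLICATION_ERROR(-20003,
      'Password contains an easily guessed personal word');
  END IF;

  RETURN TRUE;
END;
/

CREATE PROFILE app_login LIMIT
  FAILED_LOGIN_ATTEMPTS    3            -- lock after three bad passwords
  PASSWORD_LOCK_TIME       UNLIMITED    -- stays locked until a DBA unlocks it
  PASSWORD_LIFE_TIME       90           -- periodic change, in days
  PASSWORD_GRACE_TIME      7            -- warning period before expiry
  PASSWORD_REUSE_TIME      365          -- restrict re-use of old passwords
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_VERIFY_FUNCTION pw_rules;

ALTER USER app_user PROFILE app_login;

-- Review: accounts currently locked, and when the lock happened.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE account_status LIKE '%LOCKED%'
 ORDER BY lock_date;

-- After the owner has been verified:
ALTER USER app_user ACCOUNT UNLOCK;
```

Because the lock is permanent until a DBA clears it, repeated bad guesses against a known user name also lock out the legitimate owner, so a cluster of recent lock_date values is worth investigating rather than simply unlocking.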

Below you’ll find the pseudocode for a UNIX shell script to cruise the Internet for vulnerable servers. I have deliberately obfuscated the actual code as a courtesy, but this script should give you the idea. Hackers run such scripts as daemon processes and they can scan hundreds of thousands of IP addresses every hour. Please note that I have deliberately introduced syntax errors into the pseudocode routine to prevent its being used by any potential hackers.
/*#/bin/ksh
while true
do
#****************************************************
# Generate a random IP address
#****************************************************
$IP_ADDRESS=rnd(1-255).rnd(1-255).rnd(1-255).rnd(1-255)
#****************************************************
# Submit the IP address to the ping command
#****************************************************
nohup ping $IP_ADDRESS > /tmp/t.lst 2>&1 &
#****************************************************
# If ping is responding - start the attack
#****************************************************
if `cat /tmp/t.lst|wc -l` > 0 then invoke attack_routine
fi
done

Even a novice computer user can write an attack program and locate server attack opportunities, and the average 12-year-old knows the fundamentals of a denial of service (DOS) attack. Although the main method of attack is directly from the IP address, some creative hackers gain entry with I/O-enabled Java applets or programs that compromise cookie-writing. To prevent these types of external attacks, savvy companies employ some of the following techniques:
Use trusted IP addresses — UNIX servers are configured to answer only pings from a list of known and trusted IP addresses. In UNIX, this is accomplished by configuring the rhosts file, which restricts server access to a list of specific users.
Special tools — Products such as Zone Alarm send an alert when an external server is attempting to breach your firewall security.

Let’s drill down deeper and explore database security.

Database Access Security

Database access security refers to the access controls placed upon the end users of the database. Database access security is generally customized at the database level through a variety of methods:
Internal role-based security — Specific object-level and system-level privileges are grouped into roles and granted to specific database users. Object privileges can be grouped into roles, which can then be assigned to specific users.
Grant-execute security — Execution privileges against database procedures can be tightly coupled to specific users. When a user executes the procedures, they gain database access, but only within the scope of the procedure. Users are granted execute privileges on functions and stored procedures. The grantee takes on the authority of procedure owner when executing the procedures, but has no access outside the procedure.
Application-level security — This type of access control is popular with ERP solutions such as Oracle Applications and SAP. With application level security, the app servers establish pre-spawned connections to the database, and the app server manages connectivity to the database layer.
Data Privacy Security — Data privacy security is the offshoot of stringent US privacy laws such as HIPAA. Under US HIPAA rules, all database access must be tracked and complete audits must be made of all updates and retrieval of sensitive information. There are a variety of techniques used for this challenge.
Update auditing — Many database managers use the database recovery logs (redo logs) as an audit trail for database updates. The database logs record every change to the database and information about who made the change. Examples of such tools are Oracle LogMiner and BMC’s SQL-Backtrack.
Schema change auditing — Many databases provide methods for tracking every change to a database schema using system-level DML triggers. Here is a link to a DBAZine article on DML tracking for Oracle.
Virtual private databases — VPD technology can restrict access to selected rows of tables. Virtual Private Databases (fine-grained access control) allow for the creation of policies that restrict table and row access at runtime.

Many companies are developing security systems that tie security to the data that feed the enterprise applications, rather than the applications themselves. This data-level approach ensures that the database controls access to the data and eliminates the possibility that someone may bypass the application and the security.
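
Three of the methods listed above side by side in Oracle terms, as an added example that is not from the original article: a role, an execute-only procedure, and a virtual private database policy that keeps the row filter in the database no matter which application connects. The sales schema, the orders table and its sales_rep column, the users alice and bob, and all object names are assumptions.

```sql
-- Added example. sales, orders, sales_rep, order_clerk, alice, bob and the
-- policy and function names are hypothetical.

-- 1. Internal role-based security: object privileges are grouped into a
--    role and the role is granted to a user.
CREATE ROLE order_clerk;
GRANT SELECT, INSERT ON sales.orders TO order_clerk;
GRANT order_clerk TO alice;

-- 2. Grant-execute security: bob has no privilege on sales.orders at all.
--    He can only run the procedure, which executes with the authority of
--    its owner (definer rights) and does exactly one thing.
CREATE OR REPLACE PROCEDURE sales.cancel_order (p_order_id IN NUMBER)
AUTHID DEFINER AS
BEGIN
  UPDATE sales.orders
     SET status = 'CANCELLED'
   WHERE order_id = p_order_id
     AND status = 'OPEN';
END;
/
GRANT EXECUTE ON sales.cancel_order TO bob;

-- 3. Virtual private database: the policy function returns a predicate
--    that Oracle appends to every statement against the table.
CREATE OR REPLACE FUNCTION sales.orders_by_rep (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  -- The schema owner sees every row (a NULL predicate means no filter).
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SALES' THEN
    RETURN NULL;
  END IF;
  -- Everyone else sees only rows where they are the sales rep.
  RETURN 'sales_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_REP_ONLY',
    function_schema => 'SALES',
    policy_function => 'ORDERS_BY_REP',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- new or changed rows must also pass the filter
END;
/

-- The policy also applies inside cancel_order: the session user is still
-- bob there, so he can only cancel orders on which he is the sales rep.

-- Review what has been granted and which policies are active.
SELECT grantee, privilege, table_name
  FROM dba_tab_privs
 WHERE owner = 'SALES'
 ORDER BY grantee, table_name;

SELECT policy_name, sel, ins, upd, del, enable
  FROM dba_policies
 WHERE object_owner = 'SALES'
   AND object_name  = 'ORDERS';
```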

Conclusion

Database security has become a very critical task, and the MBO goals of many IT managers require that they lock-down security at the server level, web level and database level. However, with a plethora of choices, the IT manager must make a decision regarding the best security techniques and tools that will be cost-effective and also provide the desired levels of security.

In our next installment, we will examine the Oracle9i suite of security tools and look at how they are used in Oracle environments to ensure proper database security and access control.

--

Donald K. Burleson is one of the world’s top Oracle Database experts with more than 20 years of full-time DBA experience. He specializes in creating database architectures for very large online databases and he has worked with some of the world’s most powerful and complex systems. A former Adjunct Professor, Don Burleson has written 15 books, published more than 100 articles in national magazines, serves as Editor-in-Chief of Oracle Internals and edits for Rampant TechPress. Don is a popular lecturer and teacher and is a frequent speaker at Oracle Openworld and other international database conferences. Don’s Web sites include DBA-Oracle, Remote-DBA, Oracle-training, remote support and remote DB