Home » RDBMS Server » Security » Upgrade from 9.2 to 11.1 Label Security Problem (11.1, Windows 2003 Server SP2)
Upgrade from 9.2 to 11.1 Label Security Problem [message #317514] Thu, 01 May 2008 14:59 Go to next message
Messages: 4
Registered: May 2008
Location: DC Metro
Junior Member

First, I'd like to state up front that no one on our IT team is an Oracle DBA, so please bear with us. That said...

Our development team has been tasked with moving an Oracle database from 9.2 servers to new 11.1 servers. All of the servers use Windows 2003 SP2 as their operating systems. Fortunately there are new servers for both the development and production environments, so we can play, learn, make mistakes, and learn some more without adversely impacting our customers. Otherwise our names would be mud about now.

We successfully installed Oracle 11.1 on the new development server, then we installed Oracle Label Security. We then successfully exported the data from the old 9.2 database and imported it into the new 11.1 database. We also used Enterprise Manager to create the Label Security settings and set up the users based on the values in the old database. So far so good.

This database supports several web applications, one of which uses Oracle Label Security (OLS). Every other application loads and runs just fine using the new database server, while the application that uses OLS does not. Instead, the application throws an OLEDB error 80004005, leading to ORA-03113 and ORA-03114 errors.

After doing some investigation with the other members of the development team, we discovered that if a particular user logs in to the database using password authentication, then OLS works just fine. If the user is externally authenticated by the operating system, as is the case for our web applications, calls to the OLS functions in SA_SESSIONS fail. Both the externally-authenticated user and the password-authenticated user have the same privileges and roles; literally the only difference between them is how they are authenticated. We also checked the objects in the LBACSYS schema, and PUBLIC can select from every table and run every package/procedure/function in that schema, so we don't believe it's simply a permissions problem.

The application that uses OLS is written in ASP3 and VB script. Rather than reproduce the entire application, we created a small module that successfully reproduces the problem. This code is below. We also ran this on our 9.2 database system and did not get any errors; the external authentication worked.

Thoughts? Any help appreciated.
<%@ Language="VBScript" %>
Option Explicit
  Dim conn
  Dim constr
  Dim rs, sql

  Response.Write "<html><head><title>ORA Test</title></head><body><h3>Ora Ole Test</h3>"

  'Connection string for externally-authenticated users
  constr = "Provider=OraOLEDB.Oracle;OSAuthent=1;Data Source=cms_dev;"
  'Connection string for users who log directly in to the database
  'constr = "Provider=OraOLEDB.Oracle;user id=cms_dev_user;password=pass1234;Data Source=cms_dev;"

  'SQL Statement 1 - this works with both internally and externally authenticated users
  'sql = "select short_name from all_sa_levels where policy_name = 'CMS_SECURITY' order by short_name"

  'SQL Statement 2 - this fails with externally-authenticated users
  sql = "select lbacsys.sa_session.comp_read('CMS_SECURITY') from dual"

  Set conn =  Server.CreateObject("ADODB.Connection")


  If conn.State > 0 Then
    Response.Write "<br><br><b>Connection Open</b><br><br>"
    Response.Write "<br><br><b>Connection Closed</b><br><br>"
  End If

  Set rs = conn.Execute(sql)

  Response.Write "<table>"

  While NOT rs.EOF
    Response.Write "<tr><td>" & Server.HtmlEncode(rs(0)) & "</td><td>&nbsp;</td></tr>"

    If conn.State > 0 Then
      Response.Write "<tr><td><b>Connection Open</b><br></td><td>&nbsp;</td></tr>"
      Response.Write "<tr><td><b>Connection Closed</b><br></td><td>&nbsp;</td></tr>"
    End If


  Set rs = Nothing

  Set conn = Nothing

  Response.Write "</table></body></html>"

[EDITED by LF: added [code] tags to improve readability. Unfortunately, not being able to help.]

[Updated on: Thu, 01 May 2008 16:23] by Moderator

Report message to a moderator

Re: Upgrade from 9.2 to 11.1 Label Security Problem [message #318388 is a reply to message #317514] Tue, 06 May 2008 14:19 Go to previous message
Messages: 4
Registered: May 2008
Location: DC Metro
Junior Member
Just an update in case anyone is interested. We submitted this problem to Oracle via Metalink, along with the trace files and log files created on our server when the error occurred. This is the response we received:


I have created bug 7022591 for this issue since this it was found that the failure is due to an undocumented internal error.
I will contact you as soon as I will have news from development.

Previous Topic: Changing the privileges on executable files
Next Topic: What is use of Audit?
Goto Forum:

Current Time: Fri May 20 09:41:19 CDT 2022