VCN Security List Allows Traffic to Restricted Ports – Alert Explanation and Remediation

 


Cloud Guard generates an alert when a Virtual Cloud Network (VCN) security list permits inbound traffic on ports classified as restricted. These ports are defined in the detector’s Restricted Protocol: Ports List within the input settings. Allowing such ports through ingress rules increases the attack surface and may expose workloads to unnecessary security risks.

This alert is raised to ensure that network access remains aligned with Oracle Cloud Infrastructure security best practices.


Impact

If restricted ports are allowed in VCN security list ingress rules, unauthorized or unintended access paths may be introduced. This can lead to compliance violations, increased vulnerability to network-based attacks, and deviation from established security baselines.


Recommended Resolution

Ensure that all VCN security lists do not allow any ports defined in the Restricted Protocol: Ports List through ingress (inbound) rules.

Specifically:

  • Review all security list ingress rules.

  • Remove or restrict any ports identified as restricted by the detector rule.

  • Validate that only explicitly required ports are permitted.
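
The review described above can be scripted. The following is an added example, not Oracle's detector logic: it checks security list ingress rules against a restricted list and reports every overlap, including rules that open all ports because no port range is set. The JSON field names are assumed to follow the OCI CLI output for security lists; the restricted list and the sample data are constructed.

```python
import json

# Constructed restricted list (assumption, not the detector's shipped default):
# protocol name -> inclusive (min, max) port ranges.
RESTRICTED = {"TCP": [(111, 111), (3389, 3389)], "UDP": [(111, 111), (161, 162)]}

# The "protocol" field holds an IANA protocol number as a string, or "all".
PROTO_NAMES = {"6": "TCP", "17": "UDP"}
PROTO_OPTIONS = {"TCP": "tcp-options", "UDP": "udp-options"}

# Constructed sample in the shape of `oci network security-list list` output.
SAMPLE = json.loads("""
{"data": [
  {"display-name": "sl-web", "ingress-security-rules": [
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    {"protocol": "6", "source": "10.0.0.0/16",
     "tcp-options": {"destination-port-range": {"min": 100, "max": 200}}},
    {"protocol": "1", "source": "10.0.0.0/16",
     "icmp-options": {"type": 3, "code": 4}},
    {"protocol": "17", "source": "10.0.0.0/16", "udp-options": null}
  ]},
  {"display-name": "sl-db", "ingress-security-rules": [
    {"protocol": "6", "source": "10.0.1.0/24",
     "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}},
    {"protocol": "all", "source": "10.0.2.0/24"}
  ]}
]}
""")["data"]


def opened_ports(rule, proto):
    """Inclusive (min, max) destination ports a rule opens for proto.

    A rule with protocol "all", with no options block, or with no
    destination-port-range inside it applies to every port. That case is
    easy to miss when reading rules by eye.
    """
    if str(rule.get("protocol", "")).lower() == "all":
        return (1, 65535)
    options = rule.get(PROTO_OPTIONS[proto]) or {}
    port_range = options.get("destination-port-range")
    if not port_range:
        return (1, 65535)
    return (port_range["min"], port_range["max"])


def find_violations(security_lists, restricted=RESTRICTED):
    """Return (list name, rule index, source, protocol, ports) per overlap."""
    findings = []
    for sec_list in security_lists:
        rules = sec_list.get("ingress-security-rules") or []
        for index, rule in enumerate(rules):
            proto_field = str(rule.get("protocol", "")).lower()
            if proto_field == "all":
                protos = sorted(restricted)
            elif proto_field in PROTO_NAMES:
                protos = [PROTO_NAMES[proto_field]]
            else:
                continue  # ICMP and other protocols carry no port numbers
            for proto in protos:
                low, high = opened_ports(rule, proto)
                for r_low, r_high in restricted.get(proto, []):
                    o_low, o_high = max(low, r_low), min(high, r_high)
                    if o_low <= o_high:  # the two ranges intersect
                        ports = str(o_low) if o_low == o_high else f"{o_low}-{o_high}"
                        findings.append((sec_list["display-name"], index,
                                         rule.get("source"), proto, ports))
    return findings


if __name__ == "__main__":
    for name, index, source, proto, ports in find_violations(SAMPLE):
        print(f"{name} ingress rule {index}: {source} -> {proto} {ports}")
```

Each finding names the security list and the rule index, so the rule can be removed or narrowed to the explicitly required ports.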


Steps to Update the Detector Rule

  1. Sign in to the OCI Console.

  2. Navigate to:
    Oracle Cloud Guard → Detector Recipes

  3. Open the relevant Detector Recipe.

  4. Select Detector Rules.

  5. Locate the rule “VCN Security List Allows Traffic to Restricted Port.”

  6. Edit the rule and remove port 111 from the Input Settings.

  7. Save and apply the changes.


Best Practices for Rule Customization

  • Controlled Configuration:
    Update the Restricted Protocol: Ports List only when there is a validated business or technical requirement.

  • Flexible Input Options:
    Restricted ports can be specified in two ways:

    • Manually entering individual port numbers or port ranges.

    • Referencing one or more predefined security lists by name.

  • Periodic Review:
    Regularly review detector rules and security list configurations to ensure continued alignment with organizational security standards.


Conclusion

Proactively managing restricted ports within VCN security lists is essential to maintaining a secure OCI networking posture. By refining detector rule input settings and enforcing strict ingress controls, organizations can significantly reduce exposure to unnecessary network risks while remaining compliant with OCI security best practices.

Beyond Allow Policies: How OCI IAM Deny Policies Enhance Access Control and Risk Management

Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) traditionally follows an implicit deny model, where access is denied unless explicitly allowed. While this approach is effective, modern cloud governance often requires explicit guardrails to prevent sensitive actions—even when broad permissions exist. To address this need, OCI introduced IAM Deny Policies, enabling administrators to explicitly block specific actions and enforce stronger security controls.


What Are IAM Deny Policies?

IAM deny policies allow organizations to explicitly prohibit actions, overriding any existing allow policies. If a deny policy matches a request, the action is blocked regardless of other permissions. This capability is particularly valuable for enforcing governance standards, regulatory compliance, and operational safety in critical environments.

Deny policies are especially useful in large tenancies with multiple teams, compartments, and environments where broad access is necessary but unrestricted permissions could lead to accidental or unauthorized changes.


Key Characteristics

Explicit Opt-In

Deny policies are disabled by default and must be explicitly enabled by a tenancy administrator. Once enabled, the feature cannot be disabled, highlighting the need for careful planning before activation.

Administrator Protection

To prevent accidental lockouts, the default Administrators group in the default identity domain is exempt from deny policies. This ensures that core administrative access remains available even if restrictive deny rules are configured.

Policy Evaluation Order

During policy evaluation, deny policies take precedence over allow policies. If both apply to the same request, the deny rule always wins.


Policy Syntax Overview

Deny policies use the same structure as standard IAM policies, replacing allow with deny. This consistency makes them easy to understand and manage.

Example:

deny group DevTeam to manage bucket-family in compartment Prod
where request.operation = 'DeleteBucket'

This statement prevents the DevTeam group from deleting buckets in the production compartment, even if they have broader storage permissions.


Common Use Cases

Protecting Production Environments

Deny policies are ideal for preventing destructive actions such as deleting VCNs, databases, or object storage in production compartments.

Enforcing Separation of Duties

Organizations can restrict sensitive operations to specific teams by explicitly denying them to others, reinforcing clear responsibility boundaries.


Best Practices

  • Enable deny policies only after governance review and testing.

  • Keep deny statements narrow and condition-based to avoid unintended impact.

  • Regularly review deny policies as environments and teams evolve.

  • Document deny policies clearly to support audits and operational transparency.


Conclusion

OCI IAM Deny Policies add a powerful layer of control to cloud access management. When used thoughtfully, they help organizations protect critical resources, reduce operational risk, and enforce governance without sacrificing flexibility. As OCI environments grow in scale and complexity, deny policies become an essential tool for secure and disciplined cloud operations.


Creating Online-Patching-Compliant Table in Oracle E-Business Suite R12.2

Online patching introduced in Oracle E-Business Suite R12.2 fundamentally changed the way custom objects must be created and maintained. To ensure zero-downtime patching, every custom table must support Edition-Based Redefinition (EBR). This requires a base table, an editioning view, and an APPS synonym—created in a specific sequence using Oracle’s AD_ZD utilities.

This article provides a clear, step-by-step guide to creating an online-patching-compliant table along with its editioning view (EV) in R12.2. It also outlines how to manage future structural changes through XDF metadata or AD_ZD utilities.


1. Create the Base Table in the Owning Schema

Begin in the Run edition, logged in as the appropriate product schema (for example, APPLSYS or a custom application schema).
At this stage, only the base database objects are created.

Typical actions include:

  • Creating the table using standard DDL.

  • Defining supporting indexes.

  • Using APPS_TS_* tablespaces depending on the object type.

  • Preferring unique indexes instead of primary key constraints, in line with R12.2 object standards.

At this point, no editioning view exists. The table is still non-compliant with online patching.


2. Upgrade the Table to Create the Editioning View and APPS Synonym

Once the base table is ready, convert it into an online-patching-aware object using Oracle’s AD_ZD package:

EXEC AD_ZD_TABLE.UPGRADE('<OWNER_SCHEMA>', '<TABLE_NAME>');

This action generates two critical components:

  • Editioning View (EV):
    Created in the owning schema with the name <TABLE_NAME>#.
    This view becomes the layer through which the application interacts with the table.

  • APPS Synonym:
    A synonym named <TABLE_NAME> is created in the APPS schema, pointing to the EV.

From this point forward, all application components—Forms, OAF, PL/SQL APIs, reports—must reference the APPS synonym. This ensures that future table changes are transparently managed through the EV without breaking online patching rules.


3. Generate and Deploy the XDF Metadata

To package this custom table for deployment across environments, Oracle requires an XDF (XML Definition File) representation.

Steps:

  1. Insert at least one row into the new table (mandatory for XDF generation).

  2. Run xdfgen.pl from the Run edition to produce the .xdf file containing the metadata for the table, indexes, and associated objects.

  3. Include this .xdf in your custom application patch.

  4. During patch application, xdfcmp.pl automatically creates the base table and invokes AD_ZD_TABLE.UPGRADE, ensuring that the EV and APPS synonym are generated in all target instances.

This makes your object fully compliant with the R12.2 adoption and deployment model.


4. Managing Future Structural Changes

When enhancements or structural modifications are required—such as adding new columns—you must preserve online patching compliance.

Two methods are supported:

a. Preferred Method: Update via XDF

Modify the XDF file and apply it using xdfcmp.pl.
This ensures consistent behavior across environments and adheres to Oracle's standards.

b. Direct DDL in Development

If a table is altered manually in a development instance:

EXEC AD_ZD_TABLE.PATCH('<OWNER_SCHEMA>', '<TABLE_NAME>');

This regenerates the EV mapping to align it with the updated table structure.


Conclusion

Building online-patching-compliant objects is essential for long-term maintainability in Oracle E-Business Suite R12.2. By creating the base table, generating the editioning view through AD_ZD utilities, and managing future changes via XDF or AD_ZD_TABLE.PATCH, you ensure seamless behavior during both Run and Patch editions.


Understanding Oracle Unified Auditing: Quick Checks for DBAs


Oracle Unified Auditing consolidates all audit records into a single, unified framework, simplifying how auditing is configured, managed, and reviewed. As more environments move toward stricter compliance and security standards, DBAs increasingly rely on Unified Auditing to track database activity efficiently.

This short guide highlights how to quickly check whether Unified Auditing is enabled and how to review the audit policies configured in your database.


✅ How to Check if Unified Auditing Is Enabled

Unified Auditing can run in two modes:

  • Mixed Mode (default)

  • Pure Unified Auditing Mode

To verify the status, check the database options:

SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
  • TRUE → Unified Auditing is enabled

  • FALSE → Unified Auditing is disabled

If the database is running in pure mode, it was enabled during installation or via relinking.


View Enabled Unified Audit Policies

To see which audit policies are currently active:

SELECT DISTINCT policy_name 
FROM audit_unified_enabled_policies;

This lists all enabled policies, including Oracle-supplied and user-defined ones.


View All Available Unified Audit Policies

To list every policy defined in the system:

SELECT DISTINCT policy_name 
FROM audit_unified_policies;

This helps you understand what policies exist, even if they’re not currently enabled.


Check Audit Options Associated with Each Policy

To see which audit options belong to each policy:

SELECT audit_option, policy_name 
FROM audit_unified_policies 
GROUP BY policy_name, audit_option;

This provides insight into what actions are being audited under each policy.


Summary

Oracle Unified Auditing centralizes and simplifies auditing. With just a few queries, DBAs can quickly validate:

  • Whether Unified Auditing is active

  • Which policies are enabled

  • What audit actions are tied to each policy

These checks are essential for maintaining security, ensuring compliance, and understanding the audit footprint of your Oracle environment.

Validating an Oracle TDE Wallet Password Safely with mkstore

When managing Oracle Transparent Data Encryption (TDE), it’s often necessary to verify whether a wallet password is correct—especially before performing operations such as opening the wallet, rotating keys, or restoring backups. The safest way to do this is by using the mkstore utility outside the database environment, without requiring any database open/close actions.

Below is a simple and secure method to validate your TDE wallet password.


Why Use mkstore for Validation?

mkstore allows you to test the wallet password independently of the database.
This approach ensures:

  • No impact on the running database

  • No wallet state changes

  • A direct and reliable password validation method


Steps to Validate a TDE Wallet Password

1. Copy Only the ewallet.p12 File

Copy the wallet file (ewallet.p12) to a temporary directory:

  • Do not copy cwallet.sso
    The .sso file enables auto-login, which bypasses the password prompt.
    Excluding it ensures that mkstore must ask for the password.

Example:

cp /path/to/original/ewallet.p12 /tmp/wallet_validation/

2. Run the mkstore Command

From the Oracle home bin directory, execute:

mkstore -wrl <wallet_directory> -list

Replace <wallet_directory> with the path to your copied wallet (e.g., /tmp/wallet_validation/).

mkstore will prompt you to enter the wallet password.


3. Interpret the Result

  • Valid Password:
    The command displays wallet contents (aliases/entries).

  • Invalid Password:
    You will see an error indicating that the password is incorrect.

This method confirms the correctness of your TDE wallet password without any risk to the running database or the original wallet.


Why Avoid Copying cwallet.sso?

cwallet.sso enables auto-login mode.
If present, the wallet opens automatically and no password check occurs, defeating the purpose of validation.
By copying only ewallet.p12, you ensure that mkstore enforces password authentication.


Example Commands

cp /u01/app/oracle/admin/db_wallet/ewallet.p12 /tmp/wallet_validation/
mkstore -wrl /tmp/wallet_validation/ -list
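
The same procedure as an added example (not part of the original post or of Oracle's tooling): it copies only ewallet.p12 into a private directory that other OS users cannot read, checks that the copy matches the original, runs the mkstore command shown above, and removes the copy afterwards. The function names are hypothetical, and mkstore is assumed to be on the PATH.

```python
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile

WALLET_FILE = "ewallet.p12"  # password-protected wallet: the only file copied


def _sha256(path):
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def stage_wallet_copy(wallet_dir):
    """Copy only ewallet.p12 into a new private directory and return its path.

    cwallet.sso is never copied, so mkstore has to ask for the password.
    """
    source = os.path.join(wallet_dir, WALLET_FILE)
    if not os.path.isfile(source):
        raise FileNotFoundError(f"{WALLET_FILE} not found in {wallet_dir}")
    # mkdtemp creates the directory with mode 0700, unlike a hand-made
    # directory under /tmp that inherits the umask.
    staging = tempfile.mkdtemp(prefix="wallet_validation_")
    try:
        target = os.path.join(staging, WALLET_FILE)
        shutil.copyfile(source, target)
        os.chmod(target, 0o600)
        # A truncated copy would look like a wrong password, so compare hashes.
        if _sha256(source) != _sha256(target):
            raise OSError("wallet copy does not match the original")
    except Exception:
        shutil.rmtree(staging, ignore_errors=True)
        raise
    return staging


def validate_wallet_password(wallet_dir, mkstore="mkstore"):
    """Run `mkstore -wrl <copy> -list` and return mkstore's exit status."""
    staging = stage_wallet_copy(wallet_dir)
    try:
        # stdin/stdout are inherited, so mkstore prompts on the terminal and
        # the password never appears in argv, the environment or this script.
        completed = subprocess.run([mkstore, "-wrl", staging, "-list"])
        return completed.returncode
    finally:
        # The wallet copy is removed whether or not the password was accepted.
        shutil.rmtree(staging, ignore_errors=True)


if __name__ == "__main__":
    sys.exit(validate_wallet_password(sys.argv[1]))
```

Read the mkstore output as in step 3: a listing of wallet entries means the password is correct.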

🟩 Summary

Validating a TDE wallet password using mkstore is:

  • Safe

  • Non-intrusive

  • Independent of database state

  • Ideal before sensitive operations like wallet open, key changes, or backup restores

This simple check can help prevent downtime and errors related to incorrect wallet passwords.

Edition-Based Redefinition (EBR) in Action: Resolving Synonym Translation Errors

While working with Oracle Applications schemas, you may encounter the error ORA-00980: synonym translation is no longer valid when accessing editioning views or objects through a synonym. This article explains a practical example of how this issue arises and how to resolve it.


Scenario

A user TEST tried to access the APPS schema object FND_USER_RESP_GROUPS_DIRECT using a synonym.

SQL> SHOW USER
USER is "TEST"

The user then connected and created a synonym for the editioning view:

SQL> CONN test/***
Connected.

SQL> CREATE OR REPLACE SYNONYM "FND_USER_RESP_GROUPS_DIRECT" FOR APPS.FND_USER_RESP_GROUPS_DIRECT;

Synonym created.

However, when querying the synonym, the following error occurred:

SQL> SELECT COUNT(1) FROM FND_USER_RESP_GROUPS_DIRECT;
SELECT COUNT(1) FROM FND_USER_RESP_GROUPS_DIRECT
                     *
ERROR at line 1:
ORA-00980: synonym translation is no longer valid

Root Cause

This issue happens because the TEST user is not edition-enabled, while the target object in the APPS schema is an editioning view.
Edition-based redefinition (EBR) in Oracle allows for multiple versions of application objects (like packages and views) across different editions.
When a non-editioned user tries to access editioned objects, Oracle cannot resolve the synonym, leading to this error.

To verify the editioning status of the user:

SQL> SELECT EDITIONS_ENABLED FROM DBA_USERS WHERE USERNAME='TEST';

E
-
N

The result N indicates the user is not edition-enabled.


Resolution

Enable editions for the user to allow access to editioned objects:

SQL> ALTER USER test ENABLE EDITIONS;

User altered.

Confirm the change:

SQL> SELECT EDITIONS_ENABLED FROM DBA_USERS WHERE USERNAME='TEST';

E
-
Y

Reconnect as the user and retry the query:

SQL> CONN test/***
Connected.

SQL> SELECT COUNT(1) FROM FND_USER_RESP_GROUPS_DIRECT;

  COUNT(1)
----------
     18916

The query now executes successfully.


Key Takeaway

When creating synonyms for editioning views in Oracle E-Business Suite or any EBR-enabled schema, ensure that the referencing user has editioning enabled.
Otherwise, Oracle will fail to translate the synonym, resulting in the ORA-00980 error.


Oracle AI Database 26ai – What It Means for Oracle E-Business Suite

At Oracle AI World 2025 in Las Vegas, Larry Ellison announced the launch of Oracle AI Database 26ai (26ai) — the next evolution of Oracle Database, bringing AI-driven capabilities into the core database engine. This announcement marks a key milestone for both the Oracle Database and Oracle E-Business Suite (EBS) communities.


🔑 Key Highlights from the Announcement

  • New Naming Convention: Oracle Database is now officially referred to as the Oracle AI Database.

  • 26ai Replaces 23ai: Oracle AI Database 26ai supersedes Oracle Database 23ai, becoming the latest long-term release.

  • No Architectural Changes: DB 26ai builds on 23ai with no changes to the internal architecture or APIs.

  • Smooth Transition:

    • If you’re on Oracle Database 23ai, simply apply the October 2025 Database Release Update (DBRU).

    • If you’re on 19c or earlier, a standard upgrade is required to move to 26ai.

  • Updated Documentation: Oracle’s database documentation and release materials now reference DB 26ai instead of DB 23ai.

  • New Release Numbering: Oracle has updated its database release numbering with the introduction of 26ai.

For detailed platform availability, refer to:
📘 Release Schedule of Current Database Releases (Doc ID 742060.1)


💡 Impact on Oracle E-Business Suite

For Oracle E-Business Suite (EBS) customers:

  • All EBS documentation will be updated to replace mentions of “Oracle Database 23ai” with “Oracle AI Database 26ai.”

  • During this transition, you may see references to both names in parallel, but once updates are complete, only Oracle AI Database 26ai will appear across official documentation.


Oracle AI Database 26ai represents the next step in integrating AI-driven performance, automation, and insight into Oracle’s enterprise database platform—ensuring that EBS customers can continue to innovate with a future-ready, AI-enhanced foundation.



How to Safely Remove Sensitive Data Before Sharing Diagnostic Files with Oracle Support

When working with Oracle Support, customers often upload diagnostic files (such as logs, trace files, or exports) to assist in troubleshooting issues. However, these files may occasionally contain sensitive or confidential information.

Oracle provides clear guidance on how to review and sanitize such files before submission to ensure compliance and data privacy.


🔍 Key Recommendations

  • Review Before Uploading:
    Oracle’s Global Customer Support (GCS) does not automatically collect Personally Identifiable Information (PII). Customers should review all diagnostic output before uploading it through My Oracle Support (MOS).

  • Avoid Restricted File Types:
    Files with extensions like .exe, .com, .bat, and .aspx are not accepted by Oracle’s upload systems. Such files should be removed or archived (e.g., .zip, .tar, or .gzip) before resubmission.

  • Editable File Types:
    Files such as .trc, .log, .txt, .sql, .xml, .doc, and .xls can be opened in standard text or office editors to manually remove sensitive portions.

  • Non-Editable Formats:
    Files generated by tools like Documaker, or compressed binary files (e.g., .dpa, .pdf, .met, .pcl) may not be editable. Any personal data should be scrubbed before creating such files.

  • Using ADR and RDA Data:

    • ADR packages: Remove specific files before packaging via Enterprise Manager → Support Workbench.

    • RDA files: Review .rda, .htm, or .txt outputs with a text editor to redact confidential sections.


🧩 Why This Matters

Protecting sensitive data during support interactions safeguards both organizational security and customer trust. Oracle’s documentation emphasizes that customers retain full control and responsibility for what data is shared with Support.

By following these simple steps, organizations can ensure that only the necessary, sanitized information is sent to Oracle — keeping diagnostic collaboration secure and compliant.


📘 Reference:
Oracle Support Document ID 1227943.1: How to Edit Output from Oracle Tools and Utilities to Remove Sensitive Content

Understanding Profile Option Values in Oracle E-Business Suite R12

In Oracle E-Business Suite R12, administrators often query the table FND_PROFILE_OPTION_VALUES to check profile settings at the user, responsibility, or site level. However, many times the VALUE column displays a lookup code instead of a readable description — making it hard to interpret.


For example, if you query "FND: Debug Log Level" at the user or site level from the backend, it shows a numeric value.

Let’s look at how to find the actual meaning behind those coded values.


🧩 Step 1: Identify the Lookup Type

  1. Log in to EBS using the Application Developer responsibility.

  2. Navigate to:
    Profiles → System, then query the profile option "AFLOG_LEVEL" (using its short name).

  3. In the results, note down the Lookup Type associated with that profile.


🧠 Step 2: Query the Lookup Meaning

Once you know the Lookup Type, use the following SQL query to decode the meaning: 

SELECT lookup_code,
       meaning,
       description
FROM   fnd_lookup_values
WHERE  lookup_type = 'AFLOG_LEVELS';


🧾 Example

If a profile option value shows as ‘3’ or ‘4’ in FND_PROFILE_OPTION_VALUES, the above query helps you find out what those codes actually represent (for example, Statement or Exception).


✅ Summary

When you see cryptic values in FND_PROFILE_OPTION_VALUES, remember:

  • Use the Application Developer responsibility to find the Lookup Type.

  • Query FND_LOOKUP_VALUES to get the actual meaning.

This simple approach helps DBAs and support teams interpret configuration settings accurately — ensuring smoother troubleshooting and configuration validation.


📅 Quarterly Upgrade Highlights: EBS August 2025

Oracle’s August 2025 update provides key recommendations for EBS environments and accompanying technology components. (Oracle Blogs)

✅ Core Platform Guidance

  • EBS 12.2 remains in Premier Support through at least December 2036

  • Older versions (EBS 12.1, 12.0, 11.5.10) are in sustaining support and no new patches will be released—migration to 12.2 is strongly recommended. 

🔧 Patching & Baselines

  • Minimum patch baseline for EBS 12.2 should be Patch 24690690 (or equivalent) as of July 1 2024. 

  • Apply the latest suite-wide Release Update Pack (RUP)—version 12.2.14 (Sept 2024) or 12.2.13 (Nov 2023). 

🧰 Technology Stack & Tools

Ensure these components are up to date:

  • AD/TXK Delta version 16 (July 2024)

  • OAF Bundle releases (ex: 12.2.14 OAF Bundle 3 as of Aug 2025)

  • Deploy the latest desktop/client tier components: JRE 1.8.0_461, certified browsers, transition from IE 11 to Edge.


📝 Why This Matters

Adhering to these recommendations keeps your EBS environment secure, supported, and optimized. Lower patching risk means better stability, stronger compatibility, and clearer upgrade paths. For older EBS versions, the message is clear: migrate to 12.2 now to avoid unsupported environments.


🔗 For full details and the complete list of stack-specific recommendations, you can read the original blog here: https://blogs.oracle.com/ebstech/post/quarterly-ebs-upgrade-recommendations-august-2025


Oracle Linux vs. Red Hat Enterprise Linux: Clearing the Confusion

 


For many years, people have often assumed Oracle Linux and Red Hat Enterprise Linux (RHEL) are the same—or weren’t sure what truly sets them apart. While both share the same open-source upstream code base, Oracle Linux offers more flexibility, cost efficiency, and performance tuning.

🔍 Key Highlights

  • Binary Compatibility: Oracle Linux is 100% compatible with RHEL, ensuring that any application running on RHEL will run flawlessly on Oracle Linux.

  • Two Kernel Options:

    • Red Hat Compatible Kernel (RHCK) – identical to RHEL’s kernel.

    • Unbreakable Enterprise Kernel (UEK) – optimized for Oracle workloads and cloud performance.

  • Lower Total Cost: Oracle Linux delivers enterprise-grade support at a lower price, without additional subscription fees for updates or security patches.

  • Free Access to Updates: Oracle provides open and free access to all updates and patches through the Oracle Linux yum server—something RHEL restricts to paid subscribers.

  • Built for Oracle Cloud: Oracle Linux is deeply integrated with Oracle Cloud Infrastructure (OCI), providing consistency across on-premises and cloud environments.


Troubleshooting a Never-Ending Concurrent Program in Oracle EBS 12.2 – My Real-Time Experience

Recently, while working on our Oracle E-Business Suite 12.2 environment, I encountered an interesting issue that I thought was worth sharing.

The Problem

A few of our custom concurrent programs were not completing. They were running forever, with no errors in the log files and no obvious clues in the usual diagnostic areas.

Like most DBAs would do, I checked:

  • Concurrent request log and output – nothing unusual.

  • Database session waits – nothing conclusive.

  • Trace files – no errors.

Eventually, I raised an Oracle SR to get assistance, but even after multiple attempts, we couldn’t pinpoint the issue.

The Breakthrough

Finally, I decided to take a different approach. I used the strace command on the Linux OS to trace the system calls of the concurrent program's process ID (PID).

What I saw was eye-opening — the process was generating a large number of file-related system calls, and one particular line caught my attention:

It was trying to write temporary files to a production directory path that did not exist in the cloned test server!

Root Cause

On further investigation, I discovered that the $APPLLKOR environment variable was pointing to a non-existing directory:

/usr/tmp/prod

This was a leftover from the production environment after the test instance was cloned. Since the directory did not exist on the test server, the concurrent programs were unable to write the required temporary files and got stuck.

The Fix

I corrected the $APPLLKOR variable in the environment file to point to a valid directory on the test server. After making this change, I restarted the EBS application services.

Immediately, the concurrent programs that were stuck started completing successfully!

Key Takeaways

  • Think beyond EBS and DB logs – sometimes the issue is at the OS or filesystem level.

  • strace is a powerful tool – it can reveal exactly what the process is trying to do at the system call level.

  • Post-clone checks are critical – always verify environment variables and directory structures after cloning from production.

This experience reinforced for me that troubleshooting sometimes requires going one level deeper and thinking outside the usual EBS framework.
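
The strace review described in this post can be condensed with a small parser. This is an added example, not part of the original post: it reads strace output, keeps only failed file-related system calls, and groups them by error and by the path that blocked them. The trace lines, file names and PID are constructed; only the /usr/tmp/prod directory comes from the post.

```python
import posixpath
import re
from collections import Counter

# System calls whose first quoted argument is a file system path.
PATH_SYSCALLS = {"open", "openat", "creat", "stat", "lstat", "newfstatat",
                 "access", "mkdir", "chdir", "unlink", "rename"}

# Matches e.g.: [pid 4242] openat(AT_FDCWD, "/x", O_RDONLY) = -1 ENOENT (...)
LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<call>\w+)\((?P<args>.*)\)"
    r"\s+=\s+(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z0-9]+))?")
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample in the format printed by `strace -f -p <PID>`.
SAMPLE_TRACE = """
[pid 4242] openat(AT_FDCWD, "/usr/tmp/prod/OAa1.tmp", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 ENOENT (No such file or directory)
[pid 4242] stat("/usr/tmp/prod", 0x7ffc1a2b3c40) = -1 ENOENT (No such file or directory)
[pid 4242] openat(AT_FDCWD, "/usr/tmp/prod/OAa2.tmp", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 ENOENT (No such file or directory)
[pid 4242] openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
[pid 4242] read(5, "SELECT 1"..., 8192) = 8
[pid 4242] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 4242] nanosleep({tv_sec=1, tv_nsec=0}, NULL) = 0
"""


def failed_path_calls(lines):
    """Yield (syscall, path, raw args, errno) for each failed path syscall."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match or match["call"] not in PATH_SYSCALLS:
            continue
        if match["ret"] != "-1" or not match["errno"]:
            continue  # the call succeeded
        path = PATH_RE.search(match["args"])
        if path:
            yield match["call"], path[1], match["args"], match["errno"]


def summarize(lines):
    """Count failures per (errno, blocking path).

    When a create fails with ENOENT the file itself is expected to be absent,
    so the missing piece is its parent directory; report that instead.
    """
    counts = Counter()
    for call, path, args, errno in failed_path_calls(lines):
        creating = call in ("creat", "mkdir") or "O_CREAT" in args
        blocked = posixpath.dirname(path) if creating and errno == "ENOENT" else path
        counts[(errno, blocked)] += 1
    return counts


if __name__ == "__main__":
    for (errno, path), count in summarize(SAMPLE_TRACE.splitlines()).most_common():
        print(f"{count:4d}  {errno:8s} {path}")
```

A directory that tops this list with repeated ENOENT results is a candidate for the kind of stale post-clone path described in the post.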

OCI Home Region Explained: Identity Domains & Service Access

Oracle Cloud Infrastructure (OCI) uses the concept of a Home Region for identity management, service access, and global policy enforcement. Knowing what this means, how it works, and how it affects your environment is critical.


🛠 What is the Home Region?

  • When you set up an OCI tenancy, Oracle assigns you a Home Region. This is where your Identity and Access Management (IAM) resources—users, groups, policies, compartments, dynamic groups—are defined and managed. 

  • Once set, the Home Region for your tenancy cannot be changed. 

  • Even if you operate services in other regions, your IAM resource definitions always live in the Home Region. When you make changes (to policies, groups etc.), those changes happen in the Home Region and then get propagated to other subscribed regions. 


🌐 How It Impacts Identity Domains & Access

  • Identity Domains Creation: When you create an identity domain in the Console, the region you select becomes its Home Region. The identity domain’s configurations and roles live there. 

  • Policy Enforcement Across Regions: IAM policies defined in your Home Region are enforced in all regions you subscribe to. Even though the IAM resource definitions are centralized, their effects are global.

  • Updates & Replication Delay: Because IAM resource updates are made in the Home Region, it may take a few minutes before those updates reflect across other regions. 


✅ What This Means for You

  • Plan Your Home Region Carefully: Since it cannot be changed later, choose the most strategic region—consider latency, compliance, data sovereignty, etc.

  • Know Where to Make IAM Changes: Always use the Home Region endpoint for API / SDK calls when modifying IAM resources. Even though you may be in another region, the changes happen in the Home Region. 

  • Policy Design With Global Scope: Design IAM policies expecting that they will apply in other regions as well. If you need region-specific controls, explicitly define them.

  • Identity Domain Awareness: If using multiple identity domains (including non-default ones), know which region is their Home Region, how replication works, and what control you have over region access. 


🧭 Bottom Line

OCI’s Home Region is more than just geographic—it’s the central authority for your identity, access, and policy definitions. It’s where your IAM is born and governed. Even though services may run in many regions, identity stays anchored at the Home Region—this ensures centralized control, consistency, and security.

Schedule an In-Place Upgrade to Oracle Database 23ai on Autonomous Database

 

Oracle Autonomous Database now supports in-place upgrades from Oracle Database 19c to 23ai using scheduled upgrades—a seamless, automated process tailored for modern cloud environments.

Upgrade Options Available:

  • Scheduled Upgrade
    Define your preferred time, and the upgrade process runs automatically—no manual steps needed.

  • Full Clone Upgrade
    Create a full clone of your 19c database and select 23ai during the clone setup to instantiate a new, upgraded instance.

  • Refreshable Clone Upgrade
    Similar to a full clone but allows ongoing synchronization between the 19c source and 23ai clone—ideal for ensuring minimal downtime and continuous updates.


At a Glance

Upgrade Method       Description
Scheduled Upgrade    Automated upgrade of an existing 19c Autonomous DB.
Full Clone           Creates a brand-new 23ai clone from 19c.
Refreshable Clone    Creates a 23ai clone that syncs with the source 19c DB.

Upgrading to Oracle Database 23ai on Autonomous Database has never been more straightforward. Whether you choose a scheduled upgrade or cloning, you control the transition timing and method with minimal disruption.

Create Customer Secret Keys in OCI

Step 1:

Log in to the OCI Console, click the user icon at the top right, and go to User Settings -> Tokens and keys.

Click Customer secret keys -> Generate Secret Keys.

After the key is created, copy the secret key and store it somewhere, because once you close it, it won't be shown again.

After closing, you can also get the Access key.




Real-Time SQL Monitoring in Oracle Database: Key Facts


Real-Time SQL Monitoring is a powerful feature that provides detailed insights into SQL execution, helping DBAs identify performance bottlenecks and optimize queries efficiently. But before using it, there are some important licensing considerations.

🔑 Licensing Requirements

  • Requires the Oracle Tuning Pack.

  • The Oracle Diagnostics Pack is a prerequisite for the Tuning Pack.

  • Both packs must be licensed, and they are only available with the Enterprise Edition of the Oracle Database.

📊 When Does SQL Monitoring Trigger?

SQL statements are automatically monitored when:

  • A single execution consumes more than 5 seconds of CPU or I/O time.

  • The SQL uses parallel execution (DML, DDL, or queries).


✅ In short: Real-Time SQL Monitoring is an Enterprise Edition-only feature requiring additional licenses, and it kicks in automatically for resource-intensive or parallel SQL operations.


OCI File Storage with Lustre: High-Performance, Managed File System for AI

Oracle Cloud Infrastructure (OCI) offers File Storage with Lustre—a fully managed, high-performance file system tailored for demanding workloads such as AI, machine learning, and high-performance computing (HPC).

Key Highlights:

  • Fully Managed Infrastructure
    OCI handles deployment, maintenance, scaling, and management of Lustre components—including metadata servers, management servers, and storage servers—letting you focus on your applications, not infrastructure. 

  • Parallel and Distributed Architecture
    Designed for massive data volumes, this system delivers high aggregate throughput by distributing I/O workload across server components. 

  • Performance Tiers for Flexibility
    Choose from different bandwidth configurations:

    • 125 MB/s per TiB (1 Gbps)

    • 250 MB/s per TiB (2 Gbps)

    • 500 MB/s per TiB (4 Gbps)

    • 1000 MB/s per TiB (8 Gbps)

    Administrators can also tweak performance using Lustre's lfs tools, including features like file striping and Progressive File Layout (PFL).

  • Client Compatibility
    OCI supports Lustre version 2.15.5. Compatible client environments include:

    • Ubuntu 22.04 (kernel 5.15.x)

    • Oracle Linux 8 (RHCK 4.18)

  • Global Availability
    This service is available across multiple OCI regions (at the time of writing this blog), such as Sydney, Frankfurt, São Paulo, Montréal, Tokyo, Amsterdam, and more, ensuring localized access and compliance.


Bottom Line:


OCI File Storage with Lustre provides a scalable, high-throughput file system custom-built for data-intensive workloads. With its fully managed infrastructure and multiple performance configurations, it’s an ideal fit for running AI training jobs that need high-performance computing.

Understanding V$SESSION_LONGOPS in Oracle Database

 In Oracle Database, V$SESSION_LONGOPS is a dynamic performance view available in every database release.

It provides visibility into the status of certain long-running operations—typically those that take more than 6 seconds to complete. Examples include:

  • Backup and recovery processes

  • Statistics gathering

  • SQL query executions

The set of operations tracked is determined entirely by Oracle—DBAs cannot influence which operations are monitored.

By querying V$SESSION_LONGOPS, you can get progress updates, elapsed time, and estimated completion time for operations Oracle chooses to track.

The following query displays operation details, progress percentage, and remaining time:

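-- Progress of the long-running operations that Oracle is still tracking
SELECT opname,
       username,
       sql_fulltext,
       TO_CHAR(start_time,'DD-MON-YYYY HH24:MI:SS') AS start_time,
       -- NULLIF avoids ORA-01476 (divide by zero) when totalwork is 0
       (sofar / NULLIF(totalwork, 0)) * 100 AS "%_complete",
       time_remaining,
       s.con_id
FROM   v$session_longops s
       INNER JOIN v$sql sl USING (sql_id)
WHERE  time_remaining > 0;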




Oracle Linux: Introduction to CPU Hotplug (Quick Summary)

CPU Hotplug in Oracle Linux allows you to dynamically enable or disable CPU cores in a running system—without requiring a reboot. This is especially useful in virtualized and cloud environments where workloads fluctuate.

🔍 Key Points:

  • Hotplug Support is included in the Unbreakable Enterprise Kernel (UEK) and enabled by default.

  • 🛠️ You can manage CPU state using simple sysfs commands:

    echo 0 > /sys/devices/system/cpu/cpuX/online  # offline
    echo 1 > /sys/devices/system/cpu/cpuX/online  # online
    
  • 🔒 Security-conscious systems can restrict CPU hotplug operations using procfs and system security modules like SELinux or AppArmor.

  • 💡 Useful for performance tuning, resource scaling, and testing failover behavior without downtime.


Bottom Line:
CPU Hotplug gives administrators more control and flexibility over CPU resource allocation—supporting smarter, dynamic infrastructure management in Oracle Linux.



Running out of tablespace? Let automation handle it!


In mission-critical Oracle environments, tablespace full alerts can cause major disruptions if not addressed in time. Manually managing these situations isn’t scalable.

💡 This Oracle blog post walks through how to automatically respond to tablespace full alerts using Corrective Actions in Oracle Enterprise Manager.

🔧 Highlights:

  • Real-world use case: Handling tablespace full scenarios automatically

  • Setup guide for defining and enabling corrective actions

  • Custom script that auto-extends tablespaces

  • Helps avoid downtime and manual interventions

📊 Ideal for DBAs looking to operationalize resilience in Oracle environments.


Planning Your Oracle Certification Path for Race to Certification 2025?

Here’s a curated list of Oracle Cloud and Data certifications to help you complete Levels 1, 2, and 3 – and potentially earn up to 7 free exam attempts! 🎓🧠


The certifications below have 15 free attempts:


  • Oracle Cloud Infrastructure 2025 AI Foundations Associate (1Z0-1122-25)

  • Oracle Cloud Infrastructure 2025 Foundations Associate (1Z0-1085-25)

  • Oracle Data Platform 2025 Foundations Associate (1Z0-1195-25)

🟢 Each of the above has 15 free attempts, a great way to build confidence and progress quickly!


💼 Intermediate to Advanced Certifications:

Certification                                      Code
OCI Generative AI Professional                     1Z0-1127-25
Oracle AI Vector Search Professional               1Z0-184-25
OCI Data Science Professional                      1Z0-1110-25
OCI Architect Associate                            1Z0-1072-25
OCI Migration Architect Professional               1Z0-1123-25
OCI Networking Professional                        1Z0-1124-25
OCI Developer Professional                         1Z0-1084-25
OCI DevOps Professional                            1Z0-1109-25
OCI App Integration Professional                   1Z0-1042-25
OCI Observability Professional                     1Z0-1111-25
Oracle Redwood App Developer Associate             1Z0-1114-25
OCI Multicloud Architect Professional              1Z0-1151-25
Autonomous DB Cloud Professional                   1Z0-931-25
Cloud DB Services Professional                     1Z0-1093-25
APEX Cloud Developer Professional                  1Z0-771
Oracle Analytics Cloud Professional                1Z0-1041-25
MySQL HeatWave Implementation Associate – Rel 1    1Z0-915-1


EBS 12.2.14: Key Enhancements by Product Family

 Financial Management

  • ECC: GL, AR, iReceivables, iReceipts, Assets, Cash Management, Lease Contracts, Leases & Finance

  • Equipment Leasing for IFRS 16/ASC 842/SFFAS 54

  • GL & AP Approval Flexibility & Automation

  • AR: New Cash Receipt Application Methods

  • Enhanced Credit Scoring & Collections

  • Lease & Finance: Increased Throughput Across Processes


Procurement

  • Modern Shopping Minimizing Non-Catalog Spend

  • ECC: Procurement, Project Procurement, CLM

  • Procurement & Contract Efficiencies

  • Supplier Portal: Advanced Configurability

  • Supplier Management & Assessments

  • Services Procurement: Invoicing & Complex Payments

  • Project Procurement

  • Sourcing Streamlined Flows

  • Proc/Proj: G-Invoicing for US Federal Program Agencies


Projects

  • ECC Projects

  • Labor Costing with Actual Costs

  • Budgetary Control for Labor & Non-Labor Transactions

  • Enhanced Cost Accounting Adjustment Options

  • Enhanced Billing including Federal Billing & Bill Groups

  • Enhanced Revenue Recognition for IFRS 15 / ASC 606

  • Scheduled % of Work Completed Based Structure

  • Enhanced Project Planning & Controls

  • Proc/Proj: G-Invoicing for US Federal Program Agencies


Applications Technology

  • ECC Dashboards

  • EBS on Oracle Cloud Infrastructure (OCI): EBS Cloud Manager

  • Enterprise Command Center Framework

  • Enhanced UX with OAF & WebADI

  • Enhanced Oracle APEX Integration for EBS Customizations

  • Oracle Guided Learning (OGL) Integration with EBS

  • Customer Driven Enhancements


Order Management

  • ECC: Order Management, Advanced Pricing, iStore, CHRM, OIC

  • New HTML UIs

  • Enhanced Subscription & Service Ordering

  • Advanced Scheduling, Milestone, Usage Based

  • Enhanced Returns (ISO) Processing

  • Improved Cancellations, Performance, & Archival

  • Enhanced Quoting Creation, Validation & Approval

  • Enhanced Flexible Volume Pricing, Enhanced Financial Control


Logistics

  • ECC: Inventory Mgmt, Landed Cost Mgmt

  • UX: New HTML UIs

  • ECC for Android and iOS enhancements

  • Material Flow Mapping & Physical Inventory

  • Enhanced Material Tracking

  • Bin Optimization, Backorders, & Inter-Org Transfer (IOT)

  • On Time In Full (OTIF)

  • ECC: Receiving Efficiencies, Pick by More Docs, Yard Mgmt

  • WMS/MSCA: Activity Tracking incl User-Defined Activities


Manufacturing

  • ECC: Discrete Mfg, Process Mfg, Project Mfg, Outsourced Mfg

  • ECC: Cost Mgt, OPM Analytics, Quality, BOM

  • Discrete Mfg: Rework Work Orders, Dual UOM for Mfg, MES, Internet of Things, E-Kanban, Serialization

  • Project Mfg: Procurement Availability Mgmt, Outsourced Mfg, MES, Item Genealogy

  • Process Mfg: Equipment Availability & Utilization, Asset Integration, Serialization, Batch Genealogy, Lab Mgmt

  • Quality: Enhanced Quality Collection & ECC Control


Asset Lifecycle Management

  • ECC: EAM, Asset Tracking

  • Mobile Maintenance App

  • EAM: Linear Asset Management

  • EAM Map Visualization for Assets & Work; Indoor Maps

  • EAM: Central Maintenance Technician Assignment

  • EAM: Functional Asset Hierarchy

  • EAM: Enhanced Work Task Functionality & Productivity

  • Installed Base & Asset Tracking Enhanced Flows


Service

  • ECC: Service Contracts, Service, Field Service, Depot

  • New HTML UIs

  • Service Contracts: Enhanced Usage Billing w/Group Plans

  • ECC: Improved MOAC & Inventory Org Security

  • Enhanced SR Definition: Multiple Products on 1 SR, more

  • Field Service Integration w/Projects; Enhanced DTL Integration

  • Depot: Warranty, Waste Mgt, Outsourced Repair, Prescriptive Recommendations


Human Capital Management

  • ECC: Human Resources, Payroll

  • Mobile Apps: SSHR, OTL

  • Time & Labor: Enhanced Entry & Processing

  • Payroll: Enhanced Administration & Processing

  • SSHR: Mass Update by Mgmt, Surrogate Approvers

  • HTML Dashboards for Payroll & SSHR Admin

  • Person Data Removal Tool (PDRT)


Connect OCI DB system using Console Connection

 


 

Step 1:

On your local machine, open a terminal (Windows PowerShell) and generate a key pair:

PS C:\Users\admin> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\admin/.ssh/id_rsa
Your public key has been saved in C:\Users\admin/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:5Ioqw+KE2SJqgucRgjxXNhCpzZOBMgH4zSl/vYpD1Ec arunkumar k@doyenltp1980
The key's randomart image is:
+---[RSA 3072]----+
|=..oo            |
|+. o.   E        |
|.o+oo* ..        |
|o.o=B oo.        |
|oo.=.  oS        |
|.+o.o....        |
|B.o....  .       |
|X+.o..  .        |
|**o ....         |
+----[SHA256]-----+
PS C:\Users\admin>

 

Step 2:

Copy the contents of the public key:

PS C:\Users\admin> cat C:\Users\admin/.ssh/id_rsa.pub
ssh-rsa <public key data> username@desktop
PS C:\Users\admin>

Step 3:

 

Database service -> select the Database system -> Console connections -> click “Create console connection”

 

 

 

Step 4:

 

Add the public key you copied from step 2:

 

Step 5:

Once the console connection has passed the creating stage and is available, copy the SSH string and paste it into Notepad.

Step 6:

 

Switch to your local desktop and cd to the .ssh directory.

 

Step 7:

Paste the SSH string and press Enter; you will see a prompt asking for login.

 

ssh -o "HostKeyAlgorithms=+ssh-rsa" -o "PubkeyAcceptedAlgorithms=+ssh-rsa" -o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.phx.anyhqljtwdx4egacfcdgmnzwb4itm3i3utnvuuwopeczdoyu6akmxgqev7aa@instance-console.us-phoenix-1.oci.oraclecloud.com' ocid1.instance.oc1.phx.anyhqljtwdx4egacejrj33wgjwhpcmn3xzafpv2htje66pa3ngtu5niy2wiq

 


 

Step 8:

Go back to the OCI console and reboot the node, then return to your local machine and press Enter. You will see a reboot message. As soon as you see this message, press the up or down arrow key to pause the reboot.

 

Step 9:

As soon as you see the reboot message, press the up or down arrow key to pause the reboot. You will end up at the paused screen.

 

Step 10:

You may proceed with your troubleshooting.
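
The command pasted in step 7 carries a ProxyCommand value, which ssh hands to the local shell, so it is worth checking the string before running it. The following is an added example, not part of the original post or of Oracle's tooling: a checker that accepts only the shape shown in step 7, using POSIX quoting rules; the regular expressions, the name check_console_command and the placeholder OCIDs in SAMPLE are assumptions made for illustration.

```python
import re
import shlex

# Shapes inferred from the one connection string shown in step 7 (assumption).
OCID = re.compile(r"ocid1\.([a-z]+)\.([a-z0-9]+)\.([a-z0-9-]+)\.[a-z0-9]+")
CONSOLE_HOST = re.compile(r"instance-console\.[a-z0-9-]+\.oci\.oraclecloud\.com")
ALLOWED_OPTIONS = {"HostKeyAlgorithms", "PubkeyAcceptedAlgorithms", "ProxyCommand"}
# Constructed sample in the same shape as step 7; the OCIDs are placeholders.
SAMPLE = (
    'ssh -o "HostKeyAlgorithms=+ssh-rsa" -o "PubkeyAcceptedAlgorithms=+ssh-rsa" '
    "-o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.phx.exampleconn0001"
    "@instance-console.us-phoenix-1.oci.oraclecloud.com' ocid1.instance.oc1.phx.exampleinst0001"
)

def check_console_command(command):
    """Return a list of problems found in a pasted console-connection command."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes
        return [f"cannot tokenize: {exc}"]
    if not argv or argv[0] != "ssh":
        return ["command does not start with ssh"]
    problems, options, targets = [], {}, []
    args = iter(argv[1:])
    for arg in args:
        if arg == "-o":
            name, _, value = next(args, "").partition("=")
            options[name] = value
        elif arg.startswith("-"):
            problems.append(f"unexpected flag {arg}")
        else:
            targets.append(arg)
    problems += [f"unexpected option {n!r}" for n in sorted(set(options) - ALLOWED_OPTIONS)]
    target = OCID.fullmatch(targets[0]) if len(targets) == 1 else None
    if not target or target.group(1) != "instance":
        problems.append("target is not a single instance OCID")
    # ssh runs ProxyCommand through the local shell, so require the exact shape.
    proxy = options.get("ProxyCommand", "").split()
    user, _, host = proxy[-1].partition("@") if proxy else ("", "", "")
    conn = OCID.fullmatch(user)
    if proxy[:-1] != "ssh -W %h:%p -p 443".split():
        problems.append("ProxyCommand is not 'ssh -W %h:%p -p 443 user@host'")
    if not conn or conn.group(1) != "instanceconsoleconnection":
        problems.append("proxy user is not a console connection OCID")
    if not CONSOLE_HOST.fullmatch(host):
        problems.append("proxy host is not an instance-console endpoint")
    if target and conn and target.groups()[1:] != conn.groups()[1:]:
        problems.append("instance and console connection differ in realm or region")
    return problems
```

An empty list means the string has the expected shape; any other result lists what to review before the command is run.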