Is it possible to automate Oracle CPUs for a DoD project?

Oracle security expert Brian Fedorko explains the best way to apply Oracle Critical Patch Updates (CPUs) when working on a DoD project and using remote databases.

I am working on a DoD (Department of Defense) project. We need to apply security patches on 120 remote databases and we are not allowed to use the Oracle EM--GUI interface. So my question is, do you know any third-party tools that have functions that can apply patches to remote databases worldwide? It means this tool has to be enterprise edition and have the kind of repository to register all remote server/database login info, etc.

As a veteran (quite literally!) of DoD database administration, I definitely understand the scope and timelines associated with applying the quarterly Oracle Critical Patch Updates (CPUs).

Unfortunately, I'm not aware of any third-party tools that would allow you to automate Oracle CPUs. Development of such a tool would be extremely problematic for the following reasons:

  • Each Oracle CPU may differ significantly from the last. Directory naming conventions change, steps have been added and removed, etc. The lack of consistency makes automation extremely difficult.
  • The tool would need to utilize and/or store the system passwords to your database, or have a privileged login on your servers. This presents a significant security risk when the "keys to the kingdom" are stored in a centralized location.
  • Oracle recommends that patches are applied directly at the server console. If this is impossible, this type of administration needs to be accomplished logged into the database server (in Linux/Unix) or through a Remote Desktop to the database server with the '/console' option (MS Windows). Once again, automating for every server configuration could prove quite difficult.

Your solution may be simply scripting out the patch routine using OPatch.

Several of the DoD databases I had worked on were extremely sensitive to downtime, so a quick and efficient patching solution was required. We painstakingly standardized the databases from the system level and this allowed us to perform the patching on our test servers using OPatch, then collect and script out the necessary patch application actions and commands.

The result was an extremely fast, repeatable and standardized process that required minimal manpower to accomplish. We were also able to archive the scripts to use as future resources, and bring another facet of the data storage system under positive configuration management control. I hope this gives you a useful idea of how to accomplish your goal.
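
As an illustration of the scripted OPatch routine described in the answer, the following added example (not the author's script and not Oracle's) wraps one patch application so that every command and exit status is logged for archiving. It runs locally on the database server as the Oracle software owner, so no database passwords are stored; the log path, the function names and the layout of the unzipped patch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): one scripted OPatch run for a
# standardized ORACLE_HOME, logged so the run can be archived.
# Assumptions: the CPU is already unzipped into a directory named after its
# patch number, and everything running from this home is already shut down.
# Post-install steps differ per CPU; take them from that CPU's README.

OPATCH="${OPATCH:-${ORACLE_HOME:-}/OPatch/opatch}"  # overridable for rehearsal
LOG="${LOG:-/tmp/cpu_apply.log}"                    # hypothetical log location

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"; }

# Run one command, recording the exact command line and its exit status.
step() {
    log "RUN: $*"
    "$@" >>"$LOG" 2>&1
    rc=$?
    log "RC=$rc"
    return "$rc"
}

# True when the patch number is listed in the home's OPatch inventory.
patch_installed() {
    "$OPATCH" lsinventory -oh "$ORACLE_HOME" 2>/dev/null | grep -qw -- "$1"
}

apply_cpu() {
    patch_dir=$1
    patch_id=$(basename "$patch_dir")
    [ -x "$OPATCH" ] || { log "opatch not executable: $OPATCH"; return 2; }
    [ -d "$patch_dir" ] || { log "patch directory missing: $patch_dir"; return 2; }
    if patch_installed "$patch_id"; then       # makes re-runs harmless
        log "patch $patch_id already in inventory"
        return 0
    fi
    # Stop before touching the home if the patch conflicts with what is installed.
    step "$OPATCH" prereq CheckConflictAgainstOHWithDetail \
        -ph "$patch_dir" -oh "$ORACLE_HOME" || return 3
    step "$OPATCH" apply -silent -oh "$ORACLE_HOME" "$patch_dir" || return 4
    # Trust the inventory, not the exit code alone.
    patch_installed "$patch_id" || { log "patch $patch_id not in inventory"; return 5; }
    log "patch $patch_id applied and verified"
}

if [ "$#" -gt 0 ]; then apply_cpu "$1"; fi
```

Some OPatch releases need additional options in silent mode, so rehearse the script on a test server against each new CPU before archiving it.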
