1. 2016-12-30 - Oracle 12c on CentOS; Tags: Oracle 12c on CentOS

    Oracle 12c on CentOS

    Installing Oracle DB 12c on a virtual machine for testing and development purposes has its advantages. The installation is quite invasive, and when it is done in a VirtualBox VM it does no harm to your host system at work, which, by the way, is Windows and a total mess itself. After following the installation instructions and restarting the virtual machine, I noticed a few things that didn't work when trying to access the database from a SQL client.

    First of all, the Oracle DB instance is not started automatically. IMHO that is good, since I don't use Oracle DB frequently, and when it runs it allocates a lot of my notebook's resources.

    Environment Settings

    The oracle user needs some environment variables set to work properly. I put them in a file named oracle_schrott:

    TMPDIR=$TMP; export TMPDIR
    ORACLE_BASE=/var/opt/oracle; export ORACLE_BASE
    ORACLE_HOME=$ORACLE_BASE/product/12.1.0/dbhome_1; export ORACLE_HOME
    ORACLE_SID=saa; export ORACLE_SID
    PATH=$ORACLE_HOME/bin:$PATH; export PATH
    LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib:/usr/lib64; export LD_LIBRARY_PATH
    CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

    You can source this file, for instance, from your .bash_profile:

    [vinh@localhost ~]$ cat .bash_profile
    # .bash_profile
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
            . ~/.bashrc
    fi
    # User specific environment and startup programs
    # Oracle environment from the file above
    source ~/oracle_schrott
    export PATH

    Start Instance

    If the settings are in place, the dbstart command is available. Note that it has to be called with ORACLE_HOME as its argument:

    [vinh@localhost ~]$ dbstart $ORACLE_HOME

    Now you can connect to the Oracle DB system:

    [vinh@localhost ~]$ sqlplus / as sysdba
    SQL*Plus: Release Production on Thu Dec 29 17:46:26 2016
    Copyright (c) 1982, 2014, Oracle.  All rights reserved.
    Connected to an idle instance.

    Idle instance? Yes, you still need to start it up:

    SQL> startup
    ORACLE instance started.
    Total System Global Area 2432696320 bytes
    Fixed Size                  2927288 bytes
    Variable Size             654312776 bytes
    Database Buffers         1761607680 bytes
    Redo Buffers               13848576 bytes
    Database mounted.
    Database opened.
    SQL> select current_date from dual;

    If you can start it up, you can also shut it down:

    SQL> shutdown immediate;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.


    If you add a NAT port-forwarding rule in VirtualBox for the DB port 1521, you will notice a connection problem: the CentOS firewall (firewalld) also needs to be configured for it. First, check which zone is active:

    [root@localhost ~]# firewall-cmd --get-active-zones
      interfaces: enp0s3

    Add the Oracle ports to that zone:

    [root@localhost ~]# firewall-cmd --zone=public --add-port=1521/tcp --add-port=5500/tcp --add-port=5520/tcp --add-port=3938/tcp --permanent
    [root@localhost ~]# firewall-cmd --reload
    [root@localhost ~]# firewall-cmd --list-ports
    1521/tcp 5520/tcp 3938/tcp 5500/tcp

    After that you can use the DB from the Windows host.
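    As an added example (not code from the original post), here is a small check script for the firewall step: it compares the ports firewalld reports with the four ports opened above and prints the firewall-cmd calls that would still be needed, without changing anything itself. It also prints a variant using rich rules that restricts the ports to a single source address instead of the whole public zone, since 1521 and 5500 reachable from every interface is wider than a test VM needs. The NAT gateway address 10.0.2.2 used there is an assumption about VirtualBox's NAT setup and should be verified; SAMPLE_LIST_PORTS is constructed sample output used when firewall-cmd is not available.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the ports firewalld
# currently exposes with the ports the post opens for Oracle, and print the
# firewall-cmd calls that would be needed for the missing ones. Nothing here
# changes the firewall; it only reports.

# The ports the post adds to the public zone.
ORACLE_PORTS="1521/tcp 5500/tcp 5520/tcp 3938/tcp"

# Constructed sample of `firewall-cmd --list-ports` output, used when the
# command is not available (e.g. outside the VM) so the script runs offline.
SAMPLE_LIST_PORTS="1521/tcp 5500/tcp"

# missing_ports LISTED WANTED -> prints each WANTED port absent from LISTED,
# space separated, in WANTED order (empty when nothing is missing).
missing_ports() {
    listed=" $1 "
    out=""
    for p in $2; do
        case "$listed" in
            *" $p "*) ;;
            *) out="${out:+$out }$p" ;;
        esac
    done
    printf '%s' "$out"
}

# add_port_commands ZONE PORTS -> prints the permanent --add-port call for
# PORTS in ZONE plus the reload, one command per line; nothing if PORTS is empty.
add_port_commands() {
    zone=$1
    [ -n "$2" ] || return 0
    cmd="firewall-cmd --zone=$zone"
    for p in $2; do
        cmd="$cmd --add-port=$p"
    done
    printf '%s --permanent\nfirewall-cmd --reload\n' "$cmd"
}

# rich_rule_commands ZONE SOURCE PORTS -> the same opening, restricted to one
# source address, which is what a defender would prefer over opening the ports
# to the whole public zone. Assumption: with VirtualBox NAT the forwarded
# connections reach the guest from 10.0.2.2 (the NAT gateway); verify that on
# your setup before relying on it.
rich_rule_commands() {
    zone=$1; src=$2
    for p in $3; do
        port=${p%%/*}; proto=${p#*/}
        printf "firewall-cmd --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept' --permanent\n" \
            "$zone" "$src" "$port" "$proto"
    done
}

# Use the live firewalld state when available, otherwise the constructed sample.
listed=$(firewall-cmd --list-ports 2>/dev/null) || listed=$SAMPLE_LIST_PORTS
missing=$(missing_ports "$listed" "$ORACLE_PORTS")
if [ -z "$missing" ]; then
    echo "all Oracle ports are already open: $listed"
else
    echo "missing ports: $missing"
    echo "to open them for the whole zone, run:"
    add_port_commands public "$missing"
    echo "or, restricted to the NAT host address only:"
    rich_rule_commands public 10.0.2.2/32 "$missing"
fi
```

    Run it inside the VM as root to see the live comparison; anywhere else it falls back to the constructed sample and shows the two ports that would still be missing.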

  2. 2016-12-29 - Install VirtualBox Guest Additions on CentOS; Tags: Install VirtualBox Guest Additions on CentOS

    Install VirtualBox Guest Additions on CentOS

    The VirtualBox guest additions need DKMS (Dynamic Kernel Module Support), so that the VirtualBox kernel modules are rebuilt automatically after every kernel update. Therefore we need to install dkms, which is not in the default repository but in EPEL (Extra Packages for Enterprise Linux).

    Install it:

    # yum install epel-release 
    # yum install dkms

    Mount the additions ISO and run the installer:

    # mkdir -p /media/cdrom 
    # mount -o loop /dev/cdrom /media/cdrom 
    # /media/cdrom/VBoxLinuxAdditions.run

  3. 2016-12-22 - Enabling DNS in VirtualBox NAT engine; Tags: Enabling DNS in VirtualBox NAT engine

    Enabling DNS in VirtualBox NAT engine

    These commands are for VirtualBox on a Windows host. The name of the virtual machine is centos; replace it with your machine's name.

    Enabling DNS proxy in NAT mode

    "C:\Program Files\Oracle\VirtualBox\VBoxManage" modifyvm "centos" --natdnsproxy1 on

    Enabling DNS resolver

    "C:\Program Files\Oracle\VirtualBox\VBoxManage" modifyvm "centos" --natdnshostresolver1 on

    If you experience slow ssh connections to your virtual machine, you might add this option to the guest's /etc/ssh/sshd_config:

    UseDNS no

  4. 2016-12-22 - Add proxy for yum; Tags: Add proxy for yum

    Add proxy for yum

    If you are running a CentOS Linux virtual machine on a Windows host on which you have configured CNTLM, yum inside the virtual machine can reach the repository through it by adding this line to /etc/yum.conf:

    echo "proxy=" >> /etc/yum.conf

    Add proxy_username and proxy_password if you need them.

    To give rpm access to the internet as well, for example for

    rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

    put the proxy setting in /etc/environment too.

  5. 2015-08-23 - Setup SCR3311 for GnuPG on Linux; Tags: Setup SCR3311 for GnuPG on Linux

    Setup SCR3311 for GnuPG on Linux

    I have never documented how I set up the card reader above for GnuPG smart cards. This article will fill the gap. I use my newly set up elementary (Ubuntu/Debian) desktop, running as a virtual machine in VirtualBox.

    If you are interested in the card reader above, you can visit the vendor site for the data sheet. I purchased it years ago from this excellent cryptoshop in Austria.

    VirtualBox Configuration

    You may skip this part if you are running Linux natively. For VirtualBox it is mandatory to add the device to the guest's USB device filter before you start the VM, otherwise the reader will not work properly in the guest system.

    VirtualBox USB filter


    Check the card reader with lsusb:

    tan@cinhtau:~$ lsusb
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 002 Device 002: ID 04e6:511d SCM Microsystems, Inc. SCR3311 Smart Card Reader
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

    We install these packages for the card reader:

    sudo apt-get install libccid pcscd gnupg-pkcs11-scd gnupg2

    Device information

    As you can see in the lsusb output, the vendor ID is 04e6 and the product ID is 511d. You may also obtain this information from /var/log/syslog or the dmesg output:

    Aug 23 13:07:42 cinhtau kernel: [ 3096.072836] usb 1-2: new full-speed USB device number 3 using ohci-pci
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336816] usb 1-2: New USB device found, idVendor=04e6, idProduct=511d
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336820] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=5
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336823] usb 1-2: Product: SCR3311 USB Smart Card Reader
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336825] usb 1-2: Manufacturer: SCM Microsystems Inc.
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336828] usb 1-2: SerialNumber: xxx

    If you are paranoid, you may look the IDs up in the USB ID list to check that they belong to the expected device.

    User permission

    Insert your smart card into the card reader. If we check the card status as root (sensitive data removed), the command works. As a normal user you are not able to access the card reader.

    tan@cinhtau:~$ sudo gpg --card-status
    gpg: WARNING: unsafe ownership on configuration file `/home/tan/.gnupg/gpg.conf'
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'

    As always, you should not run GnuPG as root. The Linux OS has to be configured to allow normal users access. We create a group for smart card access:

    root@cinhtau:~# addgroup scard
    Adding group `scard' (GID 1001) ...
    root@cinhtau:~# addgroup tan scard
    Adding user `tan' to group `scard' ...
    Adding user tan to group scard

    You can check, as your user, whether you were added to the group with the groups command:

    tan@cinhtau:~$ groups
    tan adm cdrom sudo dip plugdev lpadmin sambashare vboxsf scard

    The next step is to tell udev that normal users are allowed to use the card reader. The udev rules can be downloaded from the Free Software Foundation Europe (FSFE).

    Basically you place this script file in /etc/udev/scripts (I named it gnupg-ccid):

    #!/bin/sh
    # Run by udev for the rule below; expects DEVICE and GROUP in the environment.
    # Take the device node away from "other" and hand it to the smart card group.
    if [ "${ACTION}" = "add" ] && [ -f "${DEVICE}" ]; then
        chmod o-rwx "${DEVICE}"
        chgrp "${GROUP}" "${DEVICE}"
        chmod g+rw "${DEVICE}"
    fi

    Don’t forget to set the execute permission for that script!

    chmod a+x /etc/udev/scripts/gnupg-ccid

    Next are the gnupg-ccid.rules. I chose /etc/udev/rules.d/78-gnupg-ccid.rules as the filename:

    # GPG SmartCard Reader Support
    ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="04e6/511d/*", RUN+="/etc/udev/scripts/gnupg-ccid", MODE="660", GROUP="scard"

    The values were taken from the lsusb output; replace them with the data of your card reader. You have to reboot for the udev change to be applied. After the reboot you should be able to run gpg --card-status without any problems:
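    The steps above (read the IDs from lsusb, write the rule, add the user to the group, and, for VirtualBox, add the USB filter) can be scripted. The following is an added example and not part of the original post or the FSFE rules: the lsusb and groups output in it are constructed samples, the function names are mine, and the VirtualBox filter name and index are assumptions. It emits the rule with ATTR{idVendor}/ATTR{idProduct} instead of ENV{PRODUCT}, because the kernel reports the PRODUCT variable without leading zeros (4e6/511d/<bcdDevice>), so a pattern with the zero-padded value from lsusb can silently fail to match.

```shell
#!/bin/sh
# Added example, not from the original post or the FSFE rules: derive the
# card reader's vendor/product ID from lsusb output, emit a udev rule for it
# and a VirtualBox USB filter command, and check the scard group membership
# from `groups` output. Constructed sample input is embedded so the script
# runs offline; on the real machine feed it the live command output.

# Constructed sample in the shape of the lsusb output shown in the post.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 04e6:511d SCM Microsystems, Inc. SCR3311 Smart Card Reader
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub'

# Constructed sample of the `groups` output from the post.
SAMPLE_GROUPS='tan adm cdrom sudo dip plugdev lpadmin sambashare vboxsf scard'

# usb_id_for PATTERN LSUSB_OUTPUT -> "vendor:product" of the first device whose
# line matches PATTERN (case-insensitive), e.g. 04e6:511d; empty if none.
usb_id_for() {
    printf '%s\n' "$2" | grep -i -- "$1" \
        | sed -n 's/^.*ID \([0-9a-f]\{4\}\):\([0-9a-f]\{4\}\).*$/\1:\2/p' | head -n 1
}

# udev_rule VENDOR:PRODUCT GROUP -> one rule line. It matches on the sysfs
# attributes idVendor/idProduct rather than ENV{PRODUCT}: the kernel's PRODUCT
# variable is printed without leading zeros (4e6/511d/...), so a pattern with
# the zero-padded lsusb value can silently fail to match. The RUN script and
# group are the ones from the post.
udev_rule() {
    vid=${1%%:*}; pid=${1#*:}
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", RUN+="/etc/udev/scripts/gnupg-ccid", MODE="0660", GROUP="%s"\n' \
        "$vid" "$pid" "$2"
}

# vbox_usbfilter_command VM NAME VENDOR:PRODUCT -> the VBoxManage call that
# adds the reader to the VM's USB filter (the step the post says is mandatory
# before starting the VM); filter index 0 is assumed to be free.
vbox_usbfilter_command() {
    vid=${3%%:*}; pid=${3#*:}
    printf 'VBoxManage usbfilter add 0 --target "%s" --name "%s" --vendorid %s --productid %s\n' \
        "$1" "$2" "$vid" "$pid"
}

# in_group GROUP GROUPS_OUTPUT -> exit 0 if GROUP is among the user's groups.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

id=$(usb_id_for 'smart card' "$SAMPLE_LSUSB")
if [ -z "$id" ]; then
    echo "no smart card reader found in lsusb output"
else
    echo "reader ID: $id"
    echo "udev rule for /etc/udev/rules.d/78-gnupg-ccid.rules:"
    udev_rule "$id" scard
    echo "VirtualBox filter (run on the host):"
    vbox_usbfilter_command centos SCR3311 "$id"
fi
if in_group scard "$SAMPLE_GROUPS"; then
    echo "user is in group scard"
else
    echo "user is NOT in group scard; add the user to it and log in again"
fi
```

    On a real machine, replace the two samples with "$(lsusb)" and "$(groups)"; the printed rule line goes into the rules file from the post, and the VBoxManage line is run on the host before the VM is started.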

    tan@cinhtau:~$ gpg --card-status
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
    Application ID ...: D2760001240102000005000013380000
    Version ..........: 2.0
    Manufacturer .....: ZeitControl

    If you still have problems, it is most likely that both gpg and gnome-keyring use the gpg-agent functionality. See the debugging section below for a solution.


    This setup assumes you have an existing GnuPG smart card. We import our public key into the GnuPG keyring (output truncated):

    tan@cinhtau:~$ gpg --card-edit
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
    gpg/card> fetch
    gpg: requesting key xxxxxxx from hkp server keys.gnupg.net
    gpg: /home/tan/.gnupg/trustdb.gpg: trustdb created
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    gpg/card> quit


    We have to check whether the secret key on the smart card is detected:

    gpg --card-status
    gpg --list-secret-keys

    The output should be a keyring listing with your private keys.


    We use the smart card to decrypt a gpg-encrypted ssh private key:

    tan@cinhtau:~/Downloads$ gpg -d id_rsa.asc > id_rsa
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
    Please enter the PIN
    gpg: encrypted with RSA key, ID xxx
    gpg: encrypted with 1024-bit RSA key, ID xxx, created 2012-03-30
          "Tan-Vinh Nguyen <xxx>"


    Debugging

    This section is a summary of recipes to pinpoint the problem.

    Smart Card Daemon

    Check that the PC/SC Smart Card Daemon works properly with gnupg by running it in the foreground with the debug option:

    sudo pcscd -f -d

    GnuPG card driver

    Run gpg as superuser in debug mode:

    sudo gpg --debug 2048 --debug-ccid-driver -v --card-status

    Gnome Keyring

    Check whether the gnome-keyring-daemon is interfering and stop it with kill (use your PID):

    tan@cinhtau:~$ ps -Af | grep keyring
    tan       1506     1  0 15:22 ?        00:00:00 /usr/bin/gnome-keyring-daemon --start --components=gpg
    tan@cinhtau:~$ kill -2 1506

    The GNOME (2) keyring daemon is still used by certain applications, e.g. Mozilla Firefox, or for automated logins, and elementary starts the daemon automatically. You can either kill it every time or disable the gpg-agent: the agent is activated by default via use-agent in ~/.gnupg/gpg.conf, and if you comment use-agent out, there will be no collision anymore.
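    To spot the collision described here without reading through ps by hand, here is an added example (not from the original post): it finds gnome-keyring-daemon processes that were started with the gpg component, checks whether use-agent is active in gpg.conf, and shows the config with use-agent commented out, which is the remedy from the text. The ps listing and gpg.conf contents are constructed samples; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: detect the gpg-agent collision
# the post describes from `ps -Af` output and the content of ~/.gnupg/gpg.conf.
# Constructed sample input is embedded so it runs offline; on your machine use
# "$(ps -Af)" and "$(cat ~/.gnupg/gpg.conf)" instead.

# Constructed sample of `ps -Af` output in the shape shown in the post.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 15:20 ?        00:00:01 /sbin/init
tan       1506     1  0 15:22 ?        00:00:00 /usr/bin/gnome-keyring-daemon --start --components=gpg
tan       1612  1506  0 15:22 ?        00:00:00 /usr/bin/ssh-agent'

# Constructed sample gpg.conf with the agent enabled.
SAMPLE_GPG_CONF='# gpg.conf (constructed sample)
keyserver hkp://keys.gnupg.net
use-agent'

# keyring_gpg_pids PS_OUTPUT -> PIDs of gnome-keyring-daemon processes that
# were started with the gpg component (the ones competing with gpg-agent).
keyring_gpg_pids() {
    printf '%s\n' "$1" | awk '/gnome-keyring-daemon/ && /--components=[^ ]*gpg/ {print $2}'
}

# use_agent_enabled GPG_CONF -> exit 0 if an uncommented use-agent line exists.
use_agent_enabled() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*use-agent[[:space:]]*$'
}

# disable_use_agent GPG_CONF -> prints the config with use-agent commented out.
disable_use_agent() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*use-agent[[:space:]]*$/#use-agent/'
}

# collision_report PS_OUTPUT GPG_CONF -> "collision" when a gpg-component
# keyring daemon is running and use-agent is enabled, otherwise "ok".
collision_report() {
    pids=$(keyring_gpg_pids "$1")
    if [ -n "$pids" ] && use_agent_enabled "$2"; then
        echo collision
    else
        echo ok
    fi
}

echo "keyring daemons with gpg component: $(keyring_gpg_pids "$SAMPLE_PS")"
echo "status: $(collision_report "$SAMPLE_PS" "$SAMPLE_GPG_CONF")"
echo "gpg.conf after disabling the agent:"
disable_use_agent "$SAMPLE_GPG_CONF"
```

    With the sample input the report is "collision"; after the use-agent line is commented out the same ps listing yields "ok", matching the post's observation that the two no longer compete once the agent is disabled.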


    See also the official GnuPG HowTo.

  6. 2015-08-17 - List usb devices in VirtualBox; Tags: List usb devices in VirtualBox

    List usb devices in VirtualBox

    If you want to check which USB devices are attached to the host and what the ports and devices are capable of, you can use the VBoxManage command:

    C:\Program Files\Oracle\VirtualBox>vboxmanage list usbhost
    Host USB Devices:
    UUID:               b83e5183-8a1c-4d8d-b329-2f62515e2051
    VendorId:           0x045e (045E)
    ProductId:          0x00db (00DB)
    Revision:           1.115 (01115)
    Port:               0
    USB version/speed:  2/2
    Manufacturer:       Microsoft
    Product:            Naturalr Ergonomic Keyboard 4000
    Address:            {36fc9e60-c465-11cf-8056-444553540000}\0016
    Current State:      Busy
    UUID:               c8543692-850b-45c1-aa44-42b9f631ca3c
    VendorId:           0x046d (046D)
    ProductId:          0xc063 (C063)
    Revision:           87.0 (8700)
    Port:               0
    USB version/speed:  2/2
    Manufacturer:       DELL
    Product:            DELL USB Laser Mouse
    Address:            {745a17a0-74d3-11d0-b6fe-00a0c90f57da}\0008
    Current State:      Busy