
Thursday, 4 June 2026


 You can write it like this:

Hi Tarun,

Thanks for the quick catch-up yesterday. I have documented the shared remediation details into steps and started testing them on multiple servers.

During testing, I noticed one concern after performing the remediation steps. Post-remediation, the DB connection started failing with:

ORA-28860: Fatal SSL error

After that, I ran the SHA2 command with the grid option, but the connection then failed with a different error:

ORA-28043: invalid bind credentials for DB-OID connection

Later, when I ran the SHA2 command without the grid option, the DB connection started working again.

At this point, I am not fully sure whether the earlier remediation steps caused the DB connectivity issue, or whether the database already had an existing certificate-related issue that became visible during testing.

Since this remediation may be applied estate-wide and potentially in production soon, I wanted to highlight this observation and double-confirm the expected behavior before we proceed further.

Could you please help review this and confirm whether the SHA2 command should be executed with or without the grid option for this use case? Also, is there any additional validation we should perform before considering the remediation safe for estate-wide rollout?

Regards,

Nikhil

Posted By Nikhil 08:29

 Hi [Name], quick reminder on the Red Zone dependency item.


Since this was carried over and is blocked again due to a pending response from the Red Zone team, can you please try to arrange a short 15-min catch-up and confirm the owner/next action/ETA before your leave from Monday?


This will help us avoid carrying the blocker further without clear direction.

Posted By Nikhil 07:02

Wednesday, 3 June 2026


 

Yes Lisa, that’s a valid point. I agree we should not change the common package only for ~30 RAC databases if it creates risk for the wider estate.

My only concern is that we should also not lose useful RAC metrics from LGTM. Maybe we can keep the existing package unchanged for non-RAC and handle RAC through specific conditional logic / a separate metrics file, so both sides are covered safely.

Posted By Nikhil 08:36

 

Thank you for the kind note and recognition.

I am truly grateful for the support, encouragement, and learning opportunities provided by the organisation and the team. Working in this environment has helped me learn from real enterprise database challenges, collaborate with experienced colleagues, and continuously grow as a professional.

Being part of the Oracle ACE community allows me to share these learnings and practical experiences with the wider Oracle community outside the organisation. It also helps me stay connected with Oracle product updates, technical overview sessions, community discussions, and opportunities to engage with Oracle product teams.

I hope this also encourages more team members to stay connected with the Oracle ecosystem, as these learnings and engagements can bring useful value back to our database and engineering work.

Thank you again for the encouragement and support.

Posted By Nikhil 07:08

 Impact:

Some scripts/docs may currently depend on Confluence pages owned by other applications or PODs. If those pages are moved, restricted, renamed, or decommissioned, our documentation or operational references may break.


Bringing required references into the Emerging DB space will improve ownership, accessibility, consistency, and long-term maintainability.

Posted By Nikhil 05:24

 

Hi Tarun,

Thank you for the detailed inputs.

I have a few follow-up questions to understand the correct approach before we proceed further across the estate.

Do we know since when the process moved from STID:WRAPPER / STID:RENEW:WRAPPER to PEM:PISABASEID? Also, do we have the exact documented steps for the PEM:PISABASEID based renewal process? I found something similar here for reference:

For estate-wide validation, do we have any specific command or known check to confirm whether a host is correctly using PEM:PISABASEID? For STID:WRAPPER, I am currently using the below command/check, but when I try a similar check for PEM:PISABASEID, it does not return anything.

<add your wrapper command/check here>

Do we already have any provision or arrangement available to scan the estate for this? If not, could you please advise the exact Tanium command/query we should use to identify hosts with STID:WRAPPER, STID:RENEW:WRAPPER, and PEM:PISABASEID?

I also have two sample hosts with me for comparison:

  1. Host where PEM:PISABASEID is not listed, but the DB/GI certificates are valid.
  2. Host where STID:WRAPPER is invalid, and the DB/GI certificates are also invalid.

Could you please help confirm the expected state for such hosts and the correct remediation path?

Regards,
Nikhil

Posted By Nikhil 00:46

Tuesday, 2 June 2026


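1.

# List certificate files under the system PKI directories whose path contains "standard"
sudo find /etc/pki /usr/share/pki -type f \( -name "*.crt" -o -name "*.pem" -o -name "*.cer" \) 2>/dev/null | grep -i standard

2.

# Show subject, issuer, serial, SHA-256 fingerprint and expiry date of the certificate file
openssl x509 -in /path/to/standardID.crt -noout -subject -issuer -serial -fingerprint -sha256 -enddate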

New:

1.

# Fetch the certificates the server presents on port 443
echo | openssl s_client -connect server01:443 -servername server01 -showcerts 2>/dev/null

2. Check issuer / subject

echo | openssl s_client -connect server01:443 -servername server01 -showcerts 2>/dev/null \
  | openssl x509 -noout -subject -issuer -fingerprint -sha256 -enddate

3. servers.txt (one host per line) and the script:

#!/bin/bash
# For each host in servers.txt, record whether the certificate presented on
# port 443 mentions "standard" in its subject or issuer.
PORT=443
HOSTLIST="servers.txt"
OUTPUT="standardid_port_check_$(date +%F_%H%M).csv"

echo "HOST,PORT,STATUS,DETAIL" > "$OUTPUT"

while read -r HOST
do
    [ -z "$HOST" ] && continue
    echo "Checking $HOST:$PORT ..."

    # Host and port are passed as positional arguments instead of being
    # interpolated into the command string, so a malformed line in
    # servers.txt cannot be executed as shell code.
    CERT_INFO=$(timeout 10 bash -c 'echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
        | openssl x509 -noout -subject -issuer -fingerprint -sha256 -enddate 2>/dev/null' _ "$HOST" "$PORT")

    if [ -z "$CERT_INFO" ]; then
        echo "$HOST,$PORT,NO_TLS_OR_CONNECTION_FAILED,\"No certificate returned on this port\"" >> "$OUTPUT"
        continue
    fi

    # Flatten the multi-line openssl output and double any quotes for CSV.
    DETAIL=$(echo "$CERT_INFO" | tr '\n' ' ' | sed 's/"/""/g')

    if echo "$CERT_INFO" | grep -iq "standard"; then
        echo "$HOST,$PORT,FOUND,\"$DETAIL\"" >> "$OUTPUT"
    else
        echo "$HOST,$PORT,NOT_FOUND,\"$DETAIL\"" >> "$OUTPUT"
    fi
done < "$HOSTLIST"

echo "Report generated: $OUTPUT"

# SHA-256 fingerprint of the locally installed standardID anchor
openssl x509 -in /etc/pki/ca-trust/source/anchors/standardID.crt -noout -fingerprint -sha256

sudo find /etc/pki /usr/share/pki -type f \( -name "*.crt" -o -name "*.pem" -o -name "*.cer" \) 2>/dev/null | grep -i standard

Posted By Nikhil 18:10
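
An added example, not part of the original post: in the port-check script above, `openssl x509` parses only the first certificate of the `-showcerts` output (the leaf), so the `grep` never sees certificates further up the chain. The functions below split the whole chain and compare each SHA-256 fingerprint with a local certificate file; the function names and the throwaway `demo-*` certificates are constructed for illustration.

```bash
#!/bin/bash
# Added example: inspect every certificate in `s_client -showcerts` output.

# Print "SHA-256 fingerprint<TAB>subject" for each PEM certificate on stdin.
chain_fingerprints() {
    local tmp cert
    tmp=$(mktemp -d) || return 1
    # Split stdin into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n); on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
    '
    for cert in "$tmp"/cert*.pem; do
        [ -e "$cert" ] || continue
        printf '%s\t%s\n' \
            "$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)" \
            "$(openssl x509 -in "$cert" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Return 0 if the certificate in file $1 appears anywhere in the chain on stdin.
chain_contains_cert() {
    local want
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$want" ] || return 2
    chain_fingerprints | cut -f1 | grep -xF "$want" >/dev/null
}

# Constructed sample input: two throwaway self-signed certificates written to
# directory $1 and concatenated leaf first, the order -showcerts prints them.
make_demo_chain() {
    local dir=$1 cn
    for cn in demo-leaf demo-standardID; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null || return 1
    done
    cat "$dir/demo-leaf.crt" "$dir/demo-standardID.crt" > "$dir/chain.pem"
}

# Live use (host and anchor path as they appear in the post):
#   echo | openssl s_client -connect server01:443 -servername server01 -showcerts 2>/dev/null \
#     | chain_contains_cert /etc/pki/ca-trust/source/anchors/standardID.crt && echo FOUND
```

Servers often omit the root certificate from the chain they send, so a miss here does not prove the host does not chain to that anchor.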