by Joe Grant (@dba_jedi), Principal Architect
Accidental or unintentional use of the extra-cost options and management packs for Oracle Database poses a significant risk to anyone utilizing Oracle software. All of the options and management packs are simply a part of the database software, and many are enabled by default. As a result, it is very easy to accidentally use options or management packs that are not licensed. However, it is possible to disable some options and management packs in order to prevent their accidental usage.
There are several different ways in which to limit access to the different options and packs. They include:
- Oracle utility chopt
- Initialization (init) parameters
- Disabling management packs in Oracle Enterprise Manager (OEM)
- Obvious software configuration
- Some cannot be disabled and have to be managed by training, policies, and procedures
This blog is intended to be a general overview of the topic and is NOT a how-to guide. Always refer to the version-specific Oracle documentation and/or My Oracle Support to determine the exact procedures for disabling any specific option or management pack. You can also reach out to House of Brick to have a more detailed conversation on this topic.
While not always practical, as of version 11.2, some options can be disabled in the executables by using the chopt utility. The options that can be disabled with chopt are version-specific. The version-specific documentation should be reviewed to determine if it is possible to disable a specific option. Keep in mind that chopt is intended to be used after the software is installed, but before the database is created. Please also note that disabling options for databases that are already running may produce unpredictable results.
The set of features that can be disabled by chopt is relatively small, so it is not particularly useful.
Initialization (init) Parameters
Some, but not all, of the Oracle options and packs can be disabled by using initialization (init) parameters. An example of this is the Database In-Memory feature that was introduced with version 12.1.0.2 of the database. There are several new init parameters that are used to control this new feature. The most important is inmemory_size, and it has a default value of 0 (zero). This parameter controls the amount of memory that the In-Memory option is allowed to use, and with the default value of 0, In-Memory is disabled.
Refer to product documentation to explore other options and determine whether you have init parameters that can be used to disable those features.
Disabling Management Packs in Oracle Enterprise Manager (OEM)
Management pack usage can be disabled via OEM. One overlooked “feature” of OEM is that all management packs are turned on by default. It then becomes the responsibility of the DBA to turn off those management packs that are not licensed. Please refer to the version-specific documentation for additional details. In the OEM 12c Enterprise Manager Licensing Information Users Manual, the first three sections are of note:
- States that it is the responsibility of the Oracle customer to disable any functionality not licensed.
- Describes the procedure for turning on annotations within OEM. The annotations feature lists the licensable management packs required for any particular page and/or link.
- Describes the procedure for turning off any unlicensed management packs.
Even if management packs are disabled in OEM, some third-party products such as Toad may still make use of these packs. While it should not be the case, it is up to the end user to make sure that unlicensed management packs remain unused. Always refer to the version-specific Oracle documentation, as well as product documentation for any third-party software, for additional details.
Obvious Software Configuration
Some Oracle features are not easily used without further software or infrastructure configuration. An example of this is Active Data Guard (ADG). This feature is an extension of Data Guard, and is included as a feature in Enterprise Edition. Configuring a standby database with Data Guard is a very obvious configuration, so it should not be “accidentally” set up. There is a risk, however, that Active Data Guard could be accidentally used. In certain versions of the database, simply running the command startup on the standby instance will start ongoing recovery using Active Data Guard.
Database Options That Cannot Be Disabled
Some Oracle database options cannot be disabled. An example of this is the Label Security option. For Oracle Database version 11.2, Label Security can be disabled with the chopt utility as noted above. For Oracle Database 12.1+, however, disabling Label Security via chopt is no longer possible.
For those options that cannot be disabled, it is critical that operational controls and validations be put in place to help ensure that costly features are not used accidentally. Training for DBAs will also help avoid inadvertent usage.
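One form such a validation can take is a read-only audit covering the inmemory_size parameter, Active Data Guard on a standby, and recorded usage of the options named in this post. This is an added example, not taken from House of Brick or from Oracle documentation; it assumes a session with SELECT access to V$PARAMETER, V$DATABASE and DBA_FEATURE_USAGE_STATISTICS, and the LIKE patterns for feature names are assumptions.

```sql
-- Added example: read-only audit queries. Nothing here changes a setting.
-- Assumes SELECT access to the V$ and DBA_ views referenced below.

-- 1. Init parameter: In-Memory stays disabled while inmemory_size is 0
--    (the default). No row is returned on versions without the parameter.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name = 'inmemory_size';

-- 2. Active Data Guard: a physical standby that is open read-only while
--    redo apply is running reports OPEN_MODE = 'READ ONLY WITH APPLY'.
SELECT database_role,
       open_mode,
       CASE
         WHEN database_role = 'PHYSICAL STANDBY'
          AND open_mode     = 'READ ONLY WITH APPLY'
         THEN 'REVIEW: standby open with redo apply running'
         ELSE 'ok'
       END AS adg_check
FROM   v$database;

-- 3. Recorded usage of the options discussed in this post.
--    The LIKE patterns are an assumption: exact feature names vary by
--    version, so match loosely and review each row returned.
SELECT name,
       version,
       detected_usages,
       currently_used,
       first_usage_date,
       last_usage_date
FROM   dba_feature_usage_statistics
WHERE  detected_usages > 0
AND   (   name LIKE '%In-Memory%'
       OR name LIKE '%Label Security%'
       OR name LIKE '%Active Data Guard%')
ORDER  BY last_usage_date DESC;
```

The feature usage view is populated by periodic sampling, so a recent change may not appear yet; treat rows as items to review against the license documentation rather than as a final determination.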
The inadvertent use of Oracle database options and packs poses a considerable risk to most organizations. Because the software will not warn when expensive features are used, the possibility of incurring considerable non-compliance fees is something that should be continually evaluated. House of Brick has tools and services that can discover and monitor feature usage. We show our customers the level of risk that they might be exposed to, and develop strategies for controlling that usage going forward. Please reach out to House of Brick if you think we can help.