B System Configuration Utilities

Run these commands as root user to manage system configuration and CLI utilities.

B.1 CONFIG-ASO

Use this command to display the public certificate that is presented to the target for decoding Oracle native encryption (Transparent Data Encryption) on the Database Firewall appliance.

This command is available after installing the Database Firewall diagnostics package.

Syntax

/opt/avdf/config-utils/bin/config-aso help
/opt/avdf/config-utils/bin/config-aso show

Arguments

Argument Description

help

To seek help on displaying the public certificate used to present to the target.

show

To display the existing public certificate used to present to the target.

Attributes

Attributes Key Values

certificate

The actual certificate details.

Example

/opt/avdf/config-utils/bin/config-aso show

B.2 CONFIG-AVS

Use this command to establish the communication channel between Database Firewall and Audit Vault Server.

This command is available with the Database Firewall installation.

Syntax

/opt/avdf/config-utils/bin/config-avs help
/opt/avdf/config-utils/bin/config-avs set
/opt/avdf/config-utils/bin/config-avs show

Arguments

Argument Description

help

To seek help on establishing the communication channel between Database Firewall and Audit Vault Server.

show

To display the existing communication channel between Database Firewall and Audit Vault Server.

set

To modify the communication channel between Database Firewall and Audit Vault Server.

Attributes

Attributes Key Values

address

IP address of the Audit Vault Server instance.

avs

primary

secondary

certificate

The CA certificate of the Audit Vault Server.

Example

/opt/avdf/config-utils/bin/config-avs set avs=primary address=192.0.2.12 certificate=/root/avscert.crt

B.3 CONFIG-BOND

Use this command to configure bonding between two Network Interface Cards (NIC). The bonding functionality increases the bandwidth and supports redundancy of the network connections on the appliance.

This command is available with the Database Firewall installation.

Note:

The Database Firewall command-line interface (CLI) creates a bond interface with the default configuration for the operating system. To configure specific bonding controls, use the operating system. See Create Network Bonds using Network Manager CLI for details on creating network bonds in Oracle Linux.

Syntax

/opt/avdf/config-utils/bin/config-bond help
/opt/avdf/config-utils/bin/config-bond add
/opt/avdf/config-utils/bin/config-bond delete
/opt/avdf/config-utils/bin/config-bond set
/opt/avdf/config-utils/bin/config-bond show

Arguments

Argument Description

help

To seek help on configuring bonding between two Network Interface Cards.

add

To configure bonding between two Network Interface Cards.

delete

To delete the existing bonding between two Network Interface Cards.

show

To display the existing bonding between two Network Interface Cards.

set

To modify the existing bonding functionality between two Network Interface Cards.

Attributes

Attributes Key Values

description

A short description of the network or service this bond provides.

device

User defined name of the bonded device.

enabled

This attribute confirms if the bonding between two Network Interface Cards exists. The allowed values are Yes or No.

gateway

IP address of the gateway.

ip_address

Ip address of the bond.

network_mask

The network mask of the device.

components

The names of the component devices.

Example

/opt/avdf/config-utils/bin/config-bond add device=bond0 components=enp0s18,enp0s19 ip_address=192.168.10.10 network_mask=255.255.255.0 gateway=192.168.10.1 enabled=yes

B.4 CONFIG-CAPTURE

Use this command to monitor the network traffic on the Database Firewall and create packet capture files (PCAP) for Database Firewall configuration.

This command is available with the Database Firewall installation.

Syntax

/opt/avdf/config-utils/bin/config-capture help
/opt/avdf/config-utils/bin/config-capture add
/opt/avdf/config-utils/bin/config-capture delete
/opt/avdf/config-utils/bin/config-capture show

Arguments

Argument Description

help

To seek help on configuring traffic capture facility on the Database Firewall appliance.

add

To capture traffic using a NIC on the Database Firewall appliance.

delete

To delete the results of the traffic captured using a NIC on the Database Firewall appliance.

show

To display the list of the recorded traffic captured on the Database Firewall appliance.

Attributes

Attributes Key Values

duration

The amount of time (in seconds) to capture the traffic.

interface

The name of the interface.

size

The maximum allowed size (in kilobytes) of the traffic capture file.

Example

/opt/avdf/config-utils/bin/config-capture add interface=enp0s3 duration=300 size=9999

B.5 CONFIG-DIAGNOSTICS

Use this command to run the system diagnostics status which displays current information about a range of processes monitored on the appliance.

This command is available after installing the Database Firewall diagnostics package.

Syntax

/opt/avdf/config-utils/bin/config-diagnostics help
/opt/avdf/config-utils/bin/config-diagnostics show

Arguments

Argument Description

help

To seek help on system diagnostic processes monitored on the appliance.

show

To display the existing system diagnostic capturing process on the appliance.

Example

/opt/avdf/config-utils/bin/config-diagnostics show

B.6 CONFIG-DNS

Use this command to get and set the DNS server addresses on the appliance.

This command is available after installing the Audit Vault Server and Database Firewall diagnostics packages.

Syntax

/opt/avdf/config-utils/bin/config-dns help
/opt/avdf/config-utils/bin/config-dns set
/opt/avdf/config-utils/bin/config-dns show

Arguments

Argument Description

help

To seek help on configuring DNS server addresses on the appliance.

set

To configure the DNS server address on the appliance.

show

To display the existing DNS server configuration on the appliance.

Attributes

Attributes Key Values

servers

Up to three DNS server IP addresses separated by comma.

Example

/opt/avdf/config-utils/bin/config-dns set servers="192.0.2.1 192.0.2.2 192.0.2.3"

B.7 CONFIG-KEYTABLE

Use this command to configure keyboard locale on the appliance.

This command is available after installing the Audit Vault Server and Database Firewall diagnostics packages.

Syntax

/opt/avdf/config-utils/bin/config-keytable help
/opt/avdf/config-utils/bin/config-keytable set
/opt/avdf/config-utils/bin/config-keytable show

Arguments

Argument Description

help

To seek help on configuring keyboard locale on the appliance.

set

To configure the keyboard locale on the appliance.

show

To display the existing keyboard locale settings on the appliance.

Attributes

Attributes Key Values

layout

Any value from /lib/kbd/keymaps/xkb/ and /lib/kbd/keymaps/legacy/

Example

/opt/avdf/config-utils/bin/config-keytable set layout=us

B.8 CONFIG-NIC

Use this command to configure secondary network interfaces on the appliance.

This command is available with the Audit Vault Server and the Database Firewall installation.

Syntax

/opt/avdf/config-utils/bin/config-nic help
/opt/avdf/config-utils/bin/config-nic set
/opt/avdf/config-utils/bin/config-nic show

Note:

This command should be used for debugging purpose only. It is advisable to use the Audit Vault Server console to perform the NIC configuration.

Arguments

Argument Description

help

To seek help on configuring secondary network interfaces on the appliance.

set

To configure secondary network interfaces on the appliance.

show

To display the current settings of secondary network interfaces on the appliance.

delete

To delete a configured secondary network interface on the appliance.

Attributes

Attributes Key Values

description

User defined name of the interface.

device

Device name of the interface on the appliance.

enabled

Yes

No

gateway

IP address of the gateway.

hostname

User defined hostname for all the NICs.

info

System level information about the NIC.

ip_address

IP address of the secondary NIC.

network_mask

The network mask of the NIC.

Example

/opt/avdf/config-utils/bin/config-nic set device=enp0s3 ip_address=192.0.2.22 network_mask=255.255.255.0 gateway=192.0.2.1 enabled=true

B.9 CONFIG-NTP

Use this command to configure up to 3 NTP server addresses on the appliance.

This command is available with the Database Firewall installation. This command is also available after installing the Audit Vault Server diagnostics package.

Syntax

/opt/avdf/config-utils/bin/config-ntp help
/opt/avdf/config-utils/bin/config-ntp set
/opt/avdf/config-utils/bin/config-ntp show

Arguments

Argument Description

help

To seek help on setting NTP server address on the appliance.

set

To set NTP server address on the appliance.

show

To display the current NTP server settings on the appliance.

Attributes

Attributes Key Values

enabled

Yes

No

panic

The amount of time drift that the NTP synchronization ends. It can be an integer.

servers

Comma separated IP addresses or hostnames of NTP servers on the appliance.

sync_on_save

To synchronize the time when settings are saved.

time_differences

To get the time difference of different NTP servers on the appliance.

Example

/opt/avdf/config-utils/bin/config-ntp set servers=192.0.2.0,192.0.2.2,192.0.2.22

B.10 CONFIG-PROXY

Use this command to configure traffic proxy ports on the Database Firwewall appliance.

This command is available after installing the Database Firewall diagnostics package.

Syntax

/opt/avdf/config-utils/bin/config-proxy help
/opt/avdf/config-utils/bin/config-proxy add
/opt/avdf/config-utils/bin/config-proxy delete
/opt/avdf/config-utils/bin/config-proxy set
/opt/avdf/config-utils/bin/config-proxy show

Note:

This command should be used for debugging purpose only. It is advisable to use the Audit Vault Server console to configure proxy ports.

Arguments

Argument Description

add

To add a proxy port on the Database Firewall appliance.

delete

To delete an existing proxy port on the Database Firewall appliance.

help

To seek help on proxy port configuration for the Database Firewall appliance.

set

To modify a proxy port on the Database Firewall appliance.

show

To display the existing traffic proxy ports on the Database Firewall appliance.

Attributes

Attributes Key Values

description

User defined name of the port.

enabled

Yes

No

id

A unique ID has to be set for the proxy port on the Database Firewall appliance.

network_id

To set the network interface used for the proxy port on the Database Firewall appliance.

port

To set a specific port as a proxy for the Database Firewall appliance.

Example

/opt/avdf/config-utils/bin/config-proxy set id=1 network_id=enp0s8 port=9999 enabled=true description='Sales proxy port'

B.11 CONFIG-SNMP

Use this command to configure SNMP access on the appliance.

This command is available after installing the Audit Vault Server and Database Firewall diagnostics packages.

Syntax

/opt/avdf/config-utils/bin/config-snmp help
/opt/avdf/config-utils/bin/config-snmp set
/opt/avdf/config-utils/bin/config-snmp show

Arguments

Argument Description

set

To set SNMP access on the appliance.

show

To display the current SNMP access settings on the appliance.

help

To get help on setting SNMP access on the appliance.

Attributes

Attributes Key Values

access

To set SNMP access to the appliance, provide a list of IP addresses separated by comma.

community

To set SNMP community string on the appliance.

Example

/opt/avdf/config-utils/bin/config-snmp set access=192.0.2.0,192.0.2.2,192.0.2.22,192.0.2.24

B.12 CONFIG-SSH

Use this command to configure SSH access on the appliance.

This command is available with the Database Firewall installation. This command is also available after installing the Audit Vault Server diagnostics package.

Syntax

/opt/avdf/config-utils/bin/config-ssh help
/opt/avdf/config-utils/bin/config-ssh set
/opt/avdf/config-utils/bin/config-ssh show

Arguments

Argument Description

set

To set SSH access on the appliance.

show

To display the current SSH access settings on the appliance.

help

To get help on setting SSH access on the appliance.

Attributes

Attributes Key Values

access

To set SSH access to the appliance, provide a list of IP addresses separated by comma.

Example

/opt/avdf/config-utils/bin/config-ssh set access=192.0.2.0,192.0.2.2,192.0.2.22,192.0.2.24

B.13 CONFIG-STATUS

Use this command to display the current status of updates on various Database Firewall components.

This command is available after installing the Database Firewall diagnostics package.

Syntax

/opt/avdf/config-utils/bin/config-status show
/opt/avdf/config-utils/bin/config-status help

Arguments

Argument Description

show

To display the current status of updates on various Database Firewall components.

help

To get help on the commands for retrieving the status of updates on various Database Firewall components.

Attributes

Attributes Key Values

component_version

Defines the version of the Database Firewall component, like 20.1.0.0.0.

diagnostic_status

Defines the diagnostic status of the Database Firewall component, like OK, Fail, Warn.

free_space

Defines the free available space on the Database Firewall component.

grammar_versions

Defines the SQL grammar version on the Database Firewall component.

software_version

Defines the software version of the Database Firewall component.

Examples

/opt/avdf/config-utils/bin/config-status show
/opt/avdf/config-utils/bin/config-status show component_version
/opt/avdf/config-utils/bin/config-status show diagnostic_status
/opt/avdf/config-utils/bin/config-status show free_space
/opt/avdf/config-utils/bin/config-status set grammar_versions
/opt/avdf/config-utils/bin/config-status set software_version

B.14 CONFIG-SYSLOG

Use this command to configure syslog destinations on the appliance. It can also be used to set the active syslog categories and the maximum message length.

This command is available after installing the Database Firewall diagnostics package.

Syntax

/opt/avdf/config-utils/bin/config-syslog set
/opt/avdf/config-utils/bin/config-syslog show
/opt/avdf/config-utils/bin/config-syslog help

Arguments

Argument Description

set

To set syslog destinations on the appliance.

show

To display the current syslog destinations on the appliance.

help

To get help of the available commands and supported attributes.

Attributes

Attributes Key Values

categories

system

alerts

info

debug

heartbeat

max_message_length

Defines the maximum length of the syslog messages. It can be any integer between 1024 and 1048576.

tcp_destinations

The TCP destinations on the appliance includes IP address, or the hostname, and the port number. For example, my.host:1234

udp_destinations

The UDP destinations on the appliance includes IP address or the hostname. For example, my.host

The default port number is 514.

Example

/opt/avdf/config-utils/bin/config-syslog set categories=system,alerts,info,debug,hearbeat max_message_length=2000 tcp_destinations=my.host:1234,second.host:4321 udp_destinations=my.host

B.15 CONFIG-TIME

Use this command to configure the time on the appliance.

This command is available after installing the Audit Vault Server and Database Firewall diagnostics packages.

Syntax

/opt/avdf/config-utils/bin/config-time set
/opt/avdf/config-utils/bin/config-time show
/opt/avdf/config-utils/bin/config-time help

Arguments

Argument Description

set

To set the time on the appliance.

show

To display the current time on the appliance.

help

To get help of the available commands and supported attributes.

Attributes

Attribute Key Values

time

Define the date and time in ISO8601 format:

yyyy-mm-ddThh:mm:ss

Example

/opt/avdf/config-utils/bin/config-time set time=2020-02-15T14:31:01

B.16 CONFIG-PKI_IDENTITY

Use this command to list, add, delete, and validate TLS identities (keys, certificates, Certificate Signing Requests) for Database Firewall.

Note:

This command is available starting with Oracle AVDF 20.7.

Syntax

/opt/avdf/config-utils/bin/config-pki_identity show
/opt/avdf/config-utils/bin/config-pki_identity help

Arguments

Argument Description

show

To display the list of certificates and Certificate Signing Requests.

add

To create a Certificate Signing Request with specified attributes.

set

To self sign or import external signed certificates to a specified path.

delete

To delete a certificate with the specified common_name.

help

To get help of the available commands and supported attributes.

Attributes

Attribute Key Values

common_name

Common name of the certificate.

alt_dns

alt_email

alt_ip

alt_uri

common_name

country

email

locality

organisation

organisational_unit

state

Generic certificate attributes used for creating a CSR (add).

cert_gid

cert_mode

cert_path

cert_uid

File system setting for the generated CSR.

key_gid

key_mode

key_path

key_uid

File system setting for the generated key.

self_sign

Argument to self sign the CSR with the local CA.

Example

/opt/avdf/config-utils/bin/config-pki_identity show common_name=foobar.example.com
/opt/avdf/config-utils/bin/config-pki_identity set cert_path=/usr/local/dbfw/certificate.crt
/opt/avdf/config-utils/bin/config-pki_identity delete common_name=foobar.example.com

/opt/avdf/config-utils/bin/config-pki_identity add \
  common_name=foobar.example.com \
  country=US \
  email=first.last@example.invalid \
  locality=city \
  organisation=company \
  organisational_unit=group \
  state=area \
  cert_uid=user \
  cert_gid=group \
  cert_mode=444 \
  key_uid=root \
  key_gid=privilegedgroup \
  key_mode=440 \
  key_path=/usr/local/dbfw/private.key \
  cert_path=/usr/local/dbfw/certificate.csr