Tuning & Strengthening SSL - Apache web server

Importance of SSL 

SSL (Secure Sockets Layer) is enabled via a series of communications and encryption/decryption routines that already exist in browser programs and servers. The function of SSL certificates is to authenticate the identity of the server and to allow access to the security functionality of the web server itself.

During an SSL transaction, the client browser sends a list of algorithms that it is willing to support to the server. The server chooses one of these algorithms and sends it back to the client browser along with a certificate containing the server’s public key. The certificate serves the purpose of authenticating the server to the client. It then provides the public key that the client can then use to encrypt a pre-master-secret that is ultimately used to help create a symmetric key that is shared by both the client and server to encrypt traffic between themselves. The key item of note here is that the SSL encryption strength is not determined by the certificate, but is a function of the algorithms supported by the browser and server software.

During this SSL “handshake”, the browser and web server agree to use a supported cipher suite that meets the minimum requirements set up on the application server, whether it be 40-bit, 128-bit or even 256-bit.

Strengthening SSLCipher

Considering the importance of SSL communications between the browser and the web server, it is vital to remove the low-bit-strength ciphers from the web server configuration. We can achieve this by adding the following to httpd.conf:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +SSLv3 +TLSv1


Enabling SSLCache for High Performance

Adding SSLSessionCache shm:/etc/httpd/logs/ssl_gcache_data(512000) to the httpd.conf file enables the SSL session cache, which boosts performance: SSL-delivered downloads become faster and network requests are reduced when requests are repeated from a network/client machine.

Tool to check SSL Vulnerabilities

SSLScan is a fast SSL vulnerability scanner that reports the ports, ciphers and cipher strengths of the existing SSL setup on any web server. It gives very good insight into the details of the SSL currently installed on a website. It can be downloaded from http://sourceforge.net/projects/sslscan/ or installed using yum on Linux:

# yum list sslscan

The above command shows the versions available in the current repos of that particular Linux distribution. Once satisfied with the availability, one can install sslscan using:

# yum install sslscan

Once the installation has completed, you can test the SSL on any given website using:


# sslscan --no-failed www.example.com

This will provide a clean report of all accepted ciphers only. For further usage of the SSLScan, one can use:

# man sslscan

Once the above SSLCipher & SSLCache settings have been added to the httpd.conf file, please make sure you restart the Apache server and then execute:

# sslscan --no-failed www.example.com

 to confirm the changes.
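To complement the sslscan check, a lint that reads the SSLProtocol and SSLCipherSuite lines straight from the config file (an added example, not part of the original article or of Apache/sslscan). The function names, sample files and the weak-protocol/weak-cipher policy lists are assumptions of this example; by that policy SSLv3, TLSv1 and RC4 are reported, following RFC 7568, RFC 8996 and RFC 7465.

```sh
#!/bin/sh
# Added example: lint SSLProtocol / SSLCipherSuite lines in an Apache config.
# The weak lists are this example's assumed policy, not Apache or OpenSSL defaults.
WEAK_PROTOCOLS="sslv2 sslv3 tlsv1 tlsv1.1"
WEAK_CIPHER_WORDS="rc4 md5 des 3des export exp low medium adh anull enull null sslv2"

# audit_apache_ssl FILE -> prints "line:directive:token" per finding, returns 1 if any
audit_apache_ssl() {
    awk -v weakp="$WEAK_PROTOCOLS" -v weakc="$WEAK_CIPHER_WORDS" '
    function report(d, t) { printf "%d:%s:%s\n", NR, d, t; found = 1 }
    BEGIN {
        np = split(weakp, wp, " ")
        nc = split(weakc, wc, " "); for (i = 1; i <= nc; i++) badword[wc[i]] = 1
    }
    /^[ \t]*#/ { next }
    tolower($1) == "sslprotocol" {
        split("", on)                                   # reset state for this directive
        for (i = 2; i <= NF; i++) {
            tok = tolower($i); sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") tok = substr(tok, 2)
            # assumption: "all" switches every legacy protocol at once
            if (tok == "all") { for (k = 1; k <= np; k++) on[wp[k]] = (sign != "-") }
            else on[tok] = (sign != "-")
        }
        for (k = 1; k <= np; k++) if (on[wp[k]]) report("SSLProtocol", wp[k])
    }
    tolower($1) == "sslciphersuite" {
        v = tolower($NF); gsub(/"/, "", v); gsub(/,/, ":", v)
        split("", killed); split("", seen); nadd = 0
        n = split(v, term, ":")
        for (i = 1; i <= n; i++) {
            c = substr(term[i], 1, 1)
            if (c == "!") killed[substr(term[i], 2)] = 1   # "!X" removes X for good
            else if (c != "+" && c != "-") {               # "+X" only reorders, "-X" soft-deletes
                m = split(term[i], w, "[+]")               # "A+B" = suites in both A and B
                for (j = 1; j <= m; j++)
                    if (!(w[j] in seen)) { seen[w[j]] = 1; add[++nadd] = w[j] }
            }
        }
        for (i = 1; i <= nadd; i++)
            if ((add[i] in badword) && !(add[i] in killed)) report("SSLCipherSuite", add[i])
        # ALL includes anonymous ECDH suites; "!ADH" alone does not remove them
        if (("all" in seen) && !("anull" in killed)) report("SSLCipherSuite", "all-without-!anull")
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

write_ssl_samples() {   # $1 = directory; both files are constructed for this example
    cat > "$1/page.conf" <<'EOF'
# constructed sample: the two directives shown in the article
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +SSLv3 +TLSv1
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: a stricter pair (assumed; needs an OpenSSL build with TLSv1.2)
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
EOF
}

ssl_demo() {
    d=$(mktemp -d) || return 1
    write_ssl_samples "$d"
    for f in page hardened; do
        echo "== $f.conf"; audit_apache_ssl "$d/$f.conf" || true
    done
    rm -rf "$d"
}

# With a path argument audit that file; with none, run the constructed samples.
if [ $# -gt 0 ]; then audit_apache_ssl "$1"; else ssl_demo; fi
```

The lint reads the string only; `openssl ciphers -v '<string>'` shows what it resolves to on a given OpenSSL build, and sslscan shows what the server actually accepts.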

Good Luck.

Setting up Secure FTP w/wo SSH connectivity - CentOS 5

Hello folks - today I will be sharing about SFTP.

SFTP is an acronym for Secure File Transfer Protocol. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

In this article I will provide the configuration details needed to set up an SFTP server for file transfer, with or without SSH access for an SFTP user account. We will be using OpenSSH 5.8 for this configuration. First we need to install the dependencies needed to build the OpenSSH package.

# yum install gcc 
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build

Now download the OpenSSH package and its detached signature (.asc):

# wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz
# wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz.asc
  
Now that we have the gzipped tarball, we need to unpack it, then build the RPM file and install the RPM. We can disable the building of GUI components in the spec file as we don’t need this GUI on a server:

# tar -xvzf openssh-5.8p2.tar.gz
# cp openssh-5.8p2/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp openssh-5.8p2.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# rpm -Uvh openssh*rpm 
 
Once the RPM installation is done, let's restart the SSH daemon and watch closely for any errors.
# service sshd restart 
 
Next, change a few settings in the sshd_config file. [Here I've provided a sample configuration file, showing the available options and the modified ones, for better understanding.]

# vi /etc/ssh/sshd_config

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 60
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
#Subsystem sftp /opt/libexec/sftp-server

Subsystem sftp internal-sftp

DenyUsers root wuser
DenyGroups root nossh
#DenyGroups nossh


#Manual configuration
Match Group sftp
#ChrootDirectory %h

ChrootDirectory /ftpdir/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
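
A lint for the Match block above, as an added example that is not part of the original post or of OpenSSH: it reports which of the four settings would leave a member of the group with more than chrooted SFTP. The function names, sample files and group argument are this example's own, and the defaults it falls back to are the ones shown commented out in the sample file.

```sh
#!/bin/sh
# Added example: check that the Match block for an SFTP-only group really
# confines its members. Fallback defaults are the commented values in the
# sample sshd_config (assumed to apply to the OpenSSH build in use).

# sftp_jail_findings FILE GROUP -> prints "keyword=value" per weak setting, returns 1 if any
sftp_jail_findings() {
    awk -v grp="$2" '
    function applies(criteria,    t, g, n, m, i, j) {
        # simplification: exact group names only, no wildcard or negated patterns
        n = split(criteria, t)
        for (i = 1; i < n; i += 2)
            if (tolower(t[i]) == "group") {
                m = split(t[i + 1], g, ",")
                for (j = 1; j <= m; j++) if (g[j] == grp) return 1
            }
        return 0
    }
    BEGIN {
        def["chrootdirectory"] = "none"; def["forcecommand"] = "none"
        def["allowtcpforwarding"] = "yes"; def["x11forwarding"] = "no"
        scope = "global"
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines do not end a block
    {
        key = tolower($1)
        val = $0; sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
    }
    key == "match" { scope = applies(val) ? "ours" : "other"; if (scope == "ours") hit = 1; next }
    (key in def) {
        if (scope == "ours" && !(key in blk)) blk[key] = val      # first value wins
        if (scope == "global" && !(key in glb)) glb[key] = val
    }
    END {
        if (!hit) { print "no-match-block"; exit 1 }
        n = split("chrootdirectory forcecommand allowtcpforwarding x11forwarding", k, " ")
        for (i = 1; i <= n; i++) {
            # a value inside the block overrides the global section, then the default
            v = (k[i] in blk) ? blk[k[i]] : ((k[i] in glb) ? glb[k[i]] : def[k[i]])
            if (k[i] == "chrootdirectory") ok = (tolower(v) != "none")
            else if (k[i] == "forcecommand") ok = (v ~ /^internal-sftp([ \t]|$)/)
            else ok = (tolower(v) == "no")
            if (!ok) { printf "%s=%s\n", k[i], v; bad = 1 }
        }
        exit (bad ? 1 : 0)
    }
    ' "$1"
}

write_sshd_samples() {   # $1 = directory; both files are constructed for this example
    cat > "$1/good.conf" <<'EOF'
# constructed excerpt of the configuration shown above
Subsystem sftp internal-sftp
Match Group sftp
#ChrootDirectory %h

ChrootDirectory /ftpdir/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
    cat > "$1/weak.conf" <<'EOF'
# constructed variant: the jail is set but shell access and forwarding stay open
X11Forwarding yes
Subsystem sftp internal-sftp
Match Group staff
ForceCommand internal-sftp
Match Group sftp
ChrootDirectory /ftpdir/%u
EOF
}

sshd_demo() {
    d=$(mktemp -d) || return 1
    write_sshd_samples "$d"
    for f in good weak; do
        echo "== $f.conf"; sftp_jail_findings "$d/$f.conf" sftp || true
    done
    rm -rf "$d"
}

# With arguments (FILE [GROUP]) audit that file; with none, run the constructed samples.
if [ $# -gt 0 ]; then sftp_jail_findings "$1" "${2:-sftp}"; else sshd_demo; fi
```

sshd_config(5) also requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group, which this lint does not check.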

Interesting..........................

An Atheist Professor of Philosophy speaks to his Class on the Problem Science has with GOD, the ALMIGHTY.
He asks one of his New Christian Students to stand and . . .

Professor : You are a Christian, aren't you, son ?
Student : Yes, sir.
Professor : So you Believe in GOD ?
Student : Absolutely, sir.
Professor : Is GOD Good ?
Student : Sure.
Professor : Is GOD ALL - POWERFUL ?
Student : Yes.
Professor : My Brother died of Cancer even though he Prayed to GOD to Heal him.
Most of us would attempt to help others who are ill.
But GOD didn't.
How is this GOD good then? Hmm?


( Student is silent )

Professor : You can't answer, can you ?
Let's start again, Young Fella.
Is GOD Good?
Student : Yes.
Professor : Is Satan good ?
Student : No.
Professor : Where does Satan come from ?
Student : From . . . GOD . . .
Professor : That's right.
Tell me son, is there evil in this World?
Student : Yes.
Professor : Evil is everywhere, isn't it ?
And GOD did make everything. Correct?
Student : Yes.
Professor : So who created evil ?

(Student does not answer)


Professor : Is there Sickness? Immorality? Hatred? Ugliness?
All these terrible things exist in the World, don't they?
Student : Yes, sir.
Professor : So, who Created them ?

( Student has no answer )

Professor : Science says you have 5 Senses you use to Identify and Observe the World around you.
Tell me, son . . . Have you ever Seen GOD?
Student : No, sir.
Professor : Tell us if you have ever Heard your GOD?
Student : No , sir.
Professor : Have you ever Felt your GOD, Tasted your GOD, Smelt your GOD?
Have you ever had any Sensory Perception of GOD for that matter?
Student : No, sir. I'm afraid I haven't.
Professor : Yet you still Believe in HIM?
Student : Yes.
Professor : According to Empirical, Testable, Demonstrable Protocol, Science says your GOD doesn't exist.
What do you say to that, son?
Student : Nothing. I only have my Faith.
Professor : Yes, Faith. And that is the Problem Science has.
Student : Professor, is there such a thing as Heat?
Professor : Yes.
Student : And is there such a thing as Cold?
Professor : Yes.
Student : No sir. There isn't.

( The Lecture Theatre becomes very quiet with this turn of events )

Student : Sir, you can have Lots of Heat, even More Heat, Superheat, Mega Heat, White Heat,
a Little Heat or No Heat.
But we don't have anything called Cold.
We can hit 458 Degrees below Zero which is No Heat, but we can't go any further after that.
There is no such thing as Cold.
Cold is only a Word we use to describe the Absence of Heat.
We cannot Measure Cold.
Heat is Energy.
Cold is Not the Opposite of Heat, sir, just the Absence of it.

( There is Pin - Drop Silence in the Lecture Theatre )

Student : What about Darkness, Professor? Is there such a thing as Darkness?
Professor : Yes. What is Night if there isn't Darkness?
Student : You're wrong again, sir.
Darkness is the Absence of Something…
You can have Low Light, Normal Light, Bright Light, Flashing Light . . .
But if you have No Light constantly, you have nothing and it's called Darkness, isn't it?
In reality, Darkness isn't.
If it were, you would be able to make Darkness Darker, wouldn't you?
Professor : So what is the point you are making, Young Man ?
Student : Sir, my point is your Philosophical Premise is flawed.
Professor : Flawed ? Can you explain how?
Student : Sir, you are working on the Premise of Duality.
You argue there is Life and then there is Death, a Good GOD and a Bad GOD.
You are viewing the Concept of GOD as something finite, something we can measure.
Sir, Science can't even explain a Thought.
It uses Electricity and Magnetism, but has never seen, much less fully understood either one.
To view Death as the Opposite of Life is to be ignorant of the fact that
Death cannot exist as a Substantive Thing.
Death is Not the Opposite of Life: just the Absence of it.
Now tell me, Professor, do you teach your Students that they evolved from a Monkey?
Professor : If you are referring to the Natural Evolutionary Process, yes, of course, I do.
Student : Have you ever observed Evolution with your own eyes, sir?

( The Professor shakes his head with a Smile, beginning to realize where the Argument is going )

Student : Since no one has ever observed the Process of Evolution at work and
Cannot even prove that this Process is an On - Going Endeavor,
Are you not teaching your Opinion, sir?
Are you not a Scientist but a Preacher?

( The Class is in Uproar )

Student : Is there anyone in the Class who has ever seen the Professor's Brain?

( The Class breaks out into Laughter )

Student : Is there anyone here who has ever heard the Professor's Brain, Felt it, touched or Smelt it? . . .
No one appears to have done so.
So, according to the Established Rules of Empirical, Stable, Demonstrable Protocol, Science says that
You have No Brain, sir.
With all due respect, sir, how do we then Trust your Lectures, sir?

(The Room is Silent. The Professor stares at the Student, his face unfathomable)

Professor : I guess you'll have to take them on Faith, son.
Student : That is it sir . . .
The Link between Man and GOD is FAITH.
That is all that Keeps Things Moving and Alive.

It turned out later that the student is Albert Einstein

Downgrading from Oracle Database 11g to Oracle Database 10g at CLI [Command Line Interface]

I would like to share the downgrade process of Oracle Database 11gR2 to 10gR2.


11GR2 ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1

10GR2 ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1


Step: Checking the current instance details on current database


SYS@OTRANS 29-DEC-10> select instance_name from v$instance;

INSTANCE_NAME
----------------
otrans


Step: This is important: make sure you have set the compatible parameter to the version to which you would like to downgrade; in this example it is 10.2.0.3.0

SYS@OTRANS 29-DEC-10> show parameter compatible

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
compatible string 10.2.0.3.0

SYS@OTRANS 29-DEC-10> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0
PL/SQL Release 11.2.0.1.0 - Production
CORE 11.2.0.1.0 Production
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production

Step: Prepare Oracle database for downgrade (11g Home)

SYS@OTRANS 29-DEC-10> shutdown immediate

Database closed.
Database dismounted.
ORACLE instance shut down.

SYS@OTRANS 29-DEC-10> STARTUP DOWNGRADE
ORACLE instance started.

Total System Global Area 939495424 bytes
Fixed Size 2232088 bytes
Variable Size 251658472 bytes
Database Buffers 679477248 bytes
Redo Buffers 6127616 bytes
Database mounted.
Database opened.


Step: Run catdwgrd.sql to downgrade. This script is used for downgrading from the current release you have installed to the release from which you upgraded.

SYS@OTRANS 29-DEC-10> SPOOL downgrade-1023g.log
SYS@OTRANS 29-DEC-10> @?/rdbms/admin/catdwgrd.sql

SYS@OTRANS 29-DEC-10> Rem ***********************************************************************
SYS@OTRANS 29-DEC-10> Rem END catdwgrd.sql
SYS@OTRANS 29-DEC-10> Rem ***********************************************************************

SYS@OTRANS 29-DEC-10> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

Step: Define the ORACLE_HOME environment variable for SQLPLUS usage

$ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
$ /u01/app/oracle/product/10.2.0/db_1/bin/sqlplus /nolog

SYS@OTRANS 29-DEC-10> connect / as sysdba
Connected to an idle instance.

SYS@OTRANS 29-DEC-10> STARTUP UPGRADE
ORACLE instance started.

Total System Global Area 734003200 bytes
Fixed Size 2099136 bytes
Variable Size 192940096 bytes
Database Buffers 532676608 bytes
Redo Buffers 6287360 bytes
Database mounted.
Database opened.


Step: Execute catrelod.sql to reload all of the database components with their current versions in the downgraded database

SYS@OTRANS 29-DEC-10> SPOOL reload1023.log


SYS@OTRANS 29-DEC-10> @?/rdbms/admin/catrelod.sql


COMP_NAME STATUS VERSION
----------------------------------- ----------- ----------
Oracle Database Packages and Types VALID 10.2.0.3.0
Oracle Database Catalog Views VALID 10.2.0.3.0
JServer JAVA Virtual Machine VALID 10.2.0.3.0
Oracle XDK VALID 10.2.0.3.0
Oracle Database Java Packages VALID 10.2.0.3.0
Oracle Text VALID 10.2.0.3.0
Oracle XML Database VALID 10.2.0.3.0
Oracle Workspace Manager VALID 10.2.0.3.0
Oracle Data Mining VALID 10.2.0.3.0
OLAP Analytic Workspace VALID 10.2.0.3.0
OLAP Catalog VALID 10.2.0.3.0
Oracle OLAP API VALID 10.2.0.3.0
Oracle interMedia VALID 10.2.0.3.0

SYS@OTRANS 29-DEC-10> SPOOL OFF

Step: Make sure to shut down and start up the database, then recompile all objects of the database

SYS@OTRANS 29-DEC-10> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

SYS@OTRANS 29-DEC-10> startup
ORACLE instance started.

Total System Global Area 734003200 bytes
Fixed Size 2099136 bytes
Variable Size 247466048 bytes
Database Buffers 478150656 bytes
Redo Buffers 6287360 bytes
Database mounted.
Database opened.

SYS@OTRANS 29-DEC-10> @?/rdbms/admin/utlrp.sql

SYS@OTRANS 29-DEC-10> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0
PL/SQL Release 10.2.0.3.0 - Production
CORE 10.2.0.3.0 Production
TNS for Linux: Version 10.2.0.3.0 - Production
NLSRTL Version 10.2.0.3.0 - Production

SYS@OTRANS 29-DEC-10> show parameter compatible

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
compatible string 10.2.0.3.0

Now, my database was downgraded to 10.2.0.3. Please correct me if I am missing something above. Looking forward to your views.

What I have learned so far ....................

I’ve learned..........

- that it’s taking me a long time to become the person I want to be.

- that you cannot make someone love you. All you can do is be someone who can be loved. The rest is up to them.

- that no matter how much I care, some people just don’t care back.

- that it takes years to build up trust, and only seconds to destroy it.

- that no matter how good a friend is, they’re going to hurt you every once in a while and you must forgive them for that.

- that my best friend and I can do anything or nothing and have the best time.

- that sometimes the people you expect to kick you when you’re down will be the ones to help you get back up.

- that just because someone doesn’t love you the way you want them to doesn’t mean they don’t love you with all they have.

- that we don’t have to change friends if we understand that friends change.

- that it’s not what you have in your life but who you have in your life that counts.

- that you should never ruin an apology with an excuse.

- that you shouldn’t compare yourself to the best others can do.

- that you can do something in an instant that will give you heartache for life.

- that you should always leave loved ones with loving words. It may be the last time you see them.

- that we are responsible for what we do, no matter how we feel.

- that either you control your attitude or it controls you.

- that heroes are the people who do what has to be done when it needs to be done, regardless of the consequences.

- that maturity has more to do with what types of experiences you’ve had and what you’ve learned from them and less to do with number of birthdays.

- that your family won’t always be there for you. It may seem funny, but people you aren’t related to can take care of you and teach you to trust people again.

- that it isn’t always enough to be forgiven by others. Sometimes you are to learn to forgive yourself.

- that no matter how bad your heart is broken the world doesn’t stop for your grief.

- that our background and circumstances may have influenced who we are, but we are responsible for who we become.

- that a rich person is not the one who has the most, but is one who needs the least.

- that you shouldn’t be so eager to find out a secret. It could change your life forever.

- that two people can look at the exact same thing and see something totally different.

- that even when you think you have no more to give, when a friend cries out to you, you will find the strength to help.

- that credentials on the wall do not make a decent human being.

- that the people you care about most in life are taken from you too soon.

- that it’s hard to determine where to draw the line between being nice and not hurting people’s feelings, and standing up for what you believe.

- that people will forget the good you said, and people will forget the good you did, but people will never forget how you made them feel bad even just once.

a small inspiration for all techies out dere.....

Once Upon a time a very strong woodcutter asked for a job from a timber merchant, and he got it. The pay was really good and so were the working conditions. For that reason, the woodcutter was determined to do his best.

His boss gave him an axe and showed him the area where he was supposed to work.
The first day, the woodcutter brought 18 trees.
“Congratulations,” the boss said. “Go on that way!”

Very motivated by the boss’s words, the woodcutter tried harder the next day, but he could bring only 15 trees. The third day he tried even harder, but could bring only 10 trees. Day after day he was bringing fewer and fewer trees.

“I must be losing my strength”, the woodcutter thought. He went to the boss and apologized, saying that he could not understand what was going on.

“When was the last time you sharpened your axe?” the boss asked.

“Sharpen ? I had no time to sharpen my axe. I have been very busy trying to cut trees…”


Moral:

WORK SMARTER THAN HARDER. TAKE BEST CARE OF YOUR RESOURCES THAT HELP YOU ACHIEVE THE SUCCESS.

OCR & Voting Disks - Oracle RAC

A long weekend is always a good thing. When you combine that with the ability to literally “get away from it all”, it is even better :) After so many days, I am able to publish my work and I am glad about it. Here I present one of my recent works:

Oracle Clusterware includes two important components: the voting disk and the Oracle Cluster Registry (OCR). The voting disk is a file that manages information about node membership and the OCR is a file that manages cluster and RAC database configuration information.

Oracle recommends that you select the option to configure multiple voting disks during Oracle Clusterware installation to improve availability.

Backing up Voting Disks

Run the following command to back up a voting disk. Perform this operation on every voting disk as needed where voting_disk_name is the name of the active voting disk and backup_file_name is the name of the file to which you want to back up the voting disk contents:

dd if=voting_disk_name of=backup_file_name

Recovering Voting Disks

Run the following command to recover a voting disk where backup_file_name is the name of the voting disk backup file and voting_disk_name is the name of the active voting disk:

dd if=backup_file_name of=voting_disk_name

Note: If you have multiple voting disks, then you can remove the voting disks and add them back into your environment using the crsctl delete css votedisk path and crsctl add css votedisk path commands respectively, where path is the complete path of the location on which the voting disk resides.

Changing the Voting Disk Configuration after Installing Real Application Clusters

You can dynamically add and remove voting disks after installing Real Application Clusters. Do this using the following commands where path is the fully qualified path for the additional voting disk. Run the following command as the root user to add a voting disk:

crsctl add css votedisk path

Run the following command as the root user to remove a voting disk:

crsctl delete css votedisk path

Changing the location of Voting disks

Login as root, group dba

Shutdown CRS on all nodes:
 ./crsctl stop crs

Cross-check the status:
 ./crsctl check crs

Check the location of the voting disk:
 ./crsctl query css votedisk

Copy the voting disk to the new location:

Change the location in CRS:
 ./crsctl add css votedisk
[Repeat step if more voting disks need to be added]

Delete the old Voting Disks:
crsctl delete css votedisk

Changing the location of OCR

Login as root, group dba

Start CRS on all nodes:

 ./crsctl start crs

 ./crsctl check crs

Check OCR configuration/backups:

 ocrcheck

 ocrconfig -showbackup

Copy the OCR mirror to the new location:

Check the files in the new location:

 ls -rlt

 cp crs_mirror /mnt/prdaudit_crs_mirror1

Change the OCR location in the CRS:

 ./ocrconfig -replace ocrmirror [path for ocrmirror]

The OCR is moved the same way:

ocrconfig -replace ocr

then run the check command:

 ocrcheck

if everything seems right:

 exit 

These are the vital tasks associated with the Voting Disks & OCR of Oracle Clusterware. Use the article for your reference to save a lot of time :)

See you next time......

MySQL - Oracle Comparison in a week-end :)

As I have been working with MySQL and Oracle quite a bit these days, I thought I would put down a point-by-point comparison, so that it is easy for many of us to compare and contrast and get a glimpse of the two most popular databases. Here are a few points:

MySQL is a database fit for some types of applications. These tend to be smaller applications, or those which integrate applications with less sophisticated needs than those running Oracle on the backend.

MySQL shares with Oracle good support for database access including ODBC and JDBC drivers, as well as access libraries for Perl, Python and PHP. MySQL and Oracle both support binary large objects, character, numeric, and date datatypes. They both have primary and unique keys, and as of 4.x with InnoDB, MySQL has foreign keys, and transactions including READ UNCOMMITTED, READ COMMITTED, REPEATABLE READ, and SERIALIZABLE. Both databases have sophisticated language and character set support. MySQL can do table locking, and was recently improved to include row-level locking.

However, quite a number of features that we find as standard in Oracle remain missing in MySQL. Until recently that included row-level locking, true transactions, and subqueries, although as of 4.x those seem to be present. However, those have been present as core technologies in Oracle for years, with a very stable and solid implementation, so you're sure to achieve dramatic performance. Views are still absent in MySQL, though they may be around the corner with subqueries available now.

Of course a lot of the high end Oracle features remain completely absent from MySQL, and may never be added. Features such as parallel query, and partitioned tables, which include a whole host of special features such as the ability to take one partition offline without impacting queries on the rest of the table. The indexing on partition tables is sophisticated too, allowing partition elimination, and range scans on indexes of specific partitions. There are other large database features such as special functions for star queries. Oracle has terabyte databases in production, so this fact speaks for itself.

MySQL has a somewhat limited set of index types. For instance Oracle has reverse key, bitmap, and function based indexes, as well as index organized tables. These are all very powerful features for developers who are trying to squeeze that last bit of performance out of complex SQL queries against large tables. Although MySQL does provide some index statistic collection, Oracle provides the full set of statistics, including histograms, and makes great use of it inside the Cost Based Optimizer.

MySQL still does not have privilege groups, called ROLES in Oracle. Oracle can also provide column level.

MySQL does not have a good procedure to handle backups, which has been an integral part of Oracle for years. In addition, Oracle's RMAN has become a sophisticated piece of software, and grown to be very stable, providing block level backups so only the data that changed can be included in subsequent backups. This makes nightly backups smaller overall. It also aids tremendously during recovery, providing a lot of automation and assistance during those times when you need it most. MySQL's method is to dump data, and further, if you want to guarantee a point in time dump of your data, you have to lock all the tables in the database, potentially slowing down your application tremendously. Lastly, MySQL does not have automatic or point in time recovery, a real limitation on heavy use production databases.

MySQL also has some limitations on row sizes. MyISAM tables for instance, can have a maximum 64k of data per row, and InnoDB tables 8k per row. This does not include BLOB and TEXT types.

Lastly, MySQL does not include database links such as those found in Oracle allowing you to query a table from an external database inside a query in a local database. This can be useful for moving data between databases, and is key to implementing advanced replication in Oracle.

P.S.: Some of the above features / numbers are taken from different sources available on the Internet, including the MySQL documentation.