CPU spike observed when changing common DB user password in a Multi-tenant Environment with FIPS enabled
(Doc ID 2693662.1)
Last updated on MARCH 12, 2021
Applies to:Oracle Cloud Infrastructure - Database Service - Version N/A and later
Information in this document applies to any platform.
While changing the password of common user in a Multi-tenant environment with FIPS enabled, you will observe sudden spike in CPU
The Federal Information Processing Standard (FIPS) standard, 140-2, is a U.S. government standard that defines cryptographic module security requirements.
Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and DBMS_CRYPTO PL/SQL package.
To know more details about FIPS, you can go through the below Note
How To Setup Federal Information Processing Standard (FIPS) standard for 140-2 Using FIPS.ORA On Single Instance and On RAC ( Real Application Cluster) (Doc ID 2250070.1)
Please verify and gather following information if you observe sudden Spike in CPU for alter user c##<username> identified by <password>
1. Verify FIPS is enabled in the database
show parameter DBFIPS_140
2. Verify the CPU usage from top output. You will observe the CPU (sys) call is more than 90% and spike is observed for less than a minute.
top- 21:23:02 up 82 days, 3:39, 5 users, load average: 204.95, 74.22, 54.29
Tasks: 4755 total, 428 running, 4327 sleeping, 0 stopped, 0 zombie
%Cpu(s): 9.0 us, 90.9 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem : 79095232+total, 15247788+free, 57571520+used, 62759252 buff/cache
KiB Swap: 36700148 total, 36514096 free, 186052 used. 20797811+avail Mem
3. Verify AWR report with 15 minutes interval and check for Parallel Task Library (PTL queries) as shown below
CPU Time (s) Executions CPU per Exec (s) %Total Elapsed Time (s) %CPU %IO SQL Id SQL Module PDB Name SQL Text
212.69 1 212.69 1.21 224.77 94.63 0.53 a3ufafvn2aw05 sqlplus@xxxx /* SQL Analyze(14969, 0) */ SELECT /*+PARALLEL(91) */ * FROM X$KXFTASK /*kpdbReplayDDL, PDB_Replay_DDL*/
4. Verify rngd service running
The following diagnostic information can be gathered
2. Multiple pstack on the process which executing the alter user command
3. AWR report of 15 minutes
4. Perf Profile / OS Watcher logs
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document