My Oracle Support Banner

CPU spike observed when changing common DB user password in a Multi-tenant Environment with FIPS enabled (Doc ID 2693662.1)

Last updated on JUNE 15, 2023

Applies to:

Oracle Cloud Infrastructure - Database Service - Version N/A and later
Information in this document applies to any platform.

Symptoms

While changing the password of common user in a Multi-tenant environment with FIPS enabled, you will observe sudden spike in CPU

The Federal Information Processing Standard (FIPS) standard, 140-2, is a U.S. government standard that defines cryptographic module security requirements.
Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and DBMS_CRYPTO PL/SQL package.

To know more details about FIPS, you can go through the below Note
How To Setup Federal Information Processing Standard (FIPS) standard for 140-2 Using FIPS.ORA On Single Instance and On RAC ( Real Application Cluster) (Doc ID 2250070.1)

Please verify and gather following information if you observe sudden Spike in CPU for alter user c##<username> identified by <password>

Verify :

1. Verify FIPS is enabled in the database

sqlplus " / as sysdba"
show parameter DBFIPS_140

2. Verify the CPU usage from top output. You will observe the CPU (sys) call is more than 90% and spike is observed for less than a minute.

Example :
top- 21:23:02 up 82 days, 3:39, 5 users, load average: 204.95, 74.22, 54.29
Tasks: 4755 total, 428 running, 4327 sleeping, 0 stopped, 0 zombie
%Cpu(s): 9.0 us, 90.9 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem : 79095232+total, 15247788+free, 57571520+used, 62759252 buff/cache
KiB Swap: 36700148 total, 36514096 free, 186052 used. 20797811+avail Mem

3. Verify AWR report with 15 minutes interval and check for Parallel Task Library (PTL queries) as shown below

SQL ordered by CPU Time
CPU Time (s) Executions CPU per Exec (s) %Total Elapsed Time (s) %CPU %IO SQL Id SQL Module PDB Name SQL Text
212.69 1 212.69 1.21 224.77 94.63 0.53 a3ufafvn2aw05 sqlplus@xxxx /* SQL Analyze(14969, 0) */ SELECT /*+PARALLEL(91) */ * FROM X$KXFTASK /*kpdbReplayDDL, PDB_Replay_DDL*/

4. Verify rngd service running

ps -ef | grep rngd

The following diagnostic information can be gathered

1. 10046 Trace for the execution of alter user command
2. Multiple pstack on the process which executing the alter user command
3. AWR report of 15 minutes
4. Perf Profile / OS Watcher logs

 

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.