For example, I don't understand the meaning of 'No holder', 'GLOBAL' and 'Unknown' (values of blockingsessionstatus). Should I kill all the sessions having these values or should I kill only those having 'No holder' etc – Ken Russell Jan 1 '13 at 15:13.
Applies to: System Center Configuration Manager (Current Branch)
If a client computer or client mobile device is no longer trusted, you can block the client in the System Center 2012 Configuration Manager console. Blocked clients are rejected by the Configuration Manager infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages.
You must block and unblock a client from its assigned site rather than from a secondary site or a central administration site.
Important
Although blocking in Configuration Manager can help to secure the Configuration Manager site, do not rely on this feature to protect the site from untrusted computers or mobile devices if you allow clients to communicate with site systems by using HTTP, because a blocked client could rejoin the site with a new self-signed certificate and hardware ID. Instead, use the blocking feature to block lost or compromised boot media that you use to deploy operating systems, and when site systems accept HTTPS client connections.
Clients that access the site by using the ISV Proxy certificate cannot be blocked. For more information about the ISV Proxy certificate, see the System Center Configuration Manager Software Development Kit (SDK).
If your site systems accept HTTPS client connections and your public key infrastructure (PKI) supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy.
Considerations for blocking clients
- This option is available for HTTP and HTTPS client connections, but has limited security when clients connect to site systems by using HTTP.
- Configuration Manager administrative users have the authority to block a client, and the action is taken in the Configuration Manager console.
- Client communication is rejected from the Configuration Manager hierarchy only. Note: The same client could register with a different Configuration Manager hierarchy.
- The client is immediately blocked from the Configuration Manager site.
- Helps to protect site systems from potentially compromised computers and mobile devices.
Considerations for using certificate revocation
- This option is available for HTTPS Windows client connections if the public key infrastructure supports a certificate revocation list (CRL). Mac clients always perform CRL checking and this functionality cannot be disabled. Although mobile device clients do not use certificate revocation lists to check the certificates for site systems, their certificates can be revoked and checked by Configuration Manager.
- Public key infrastructure administrators have the authority to revoke a certificate, and the action is taken outside the Configuration Manager console.
- Client communication can be rejected from any computer or mobile device that requires this client certificate.
- There is likely to be a delay between revoking a certificate and site systems downloading the modified certificate revocation list (CRL).
- For many PKI deployments, this delay can be a day or longer. For example, in Active Directory Certificate Services, the default expiration period is one week for a full CRL, and one day for a delta CRL.
- Helps to protect site systems and clients from potentially compromised computers and mobile devices. Note: You can further protect site systems that run IIS from unknown clients by configuring a certificate trust list (CTL) in IIS.
-- Find all blocked sessions and who is blocking them
select sid, blocking_session, username, sql_id, event, machine, osuser, program, last_call_et from v$session where blocking_session > 0;
select * from dba_blockers;
select * from dba_waiters;
-- Find what the blocking session is doing (746 is a sample SID; use the blocking_session value found above)
select sid, blocking_session, username, sql_id, event, state, machine, osuser, program, last_call_et from v$session where sid = 746;
-- Find the blocked objects (271 is a sample SID; locked_mode 3 is Row-X (SX))
select owner, object_name, object_type from dba_objects where object_id in (select object_id from v$locked_object where session_id = 271 and locked_mode = 3);
-- Friendly query for who is blocking who
-- Mostly for versions before v$session had blocking_session column
select s1.inst_id, s2.inst_id, s1.username || '@' || s1.machine
       || ' ( SID=' || s1.sid || ' ) is blocking '
       || s2.username || '@' || s2.machine || ' ( SID=' || s2.sid || ' ) ' AS blocking_status
from gv$lock l1, gv$session s1, gv$lock l2, gv$session s2
where s1.sid = l1.sid and s2.sid = l2.sid and s1.inst_id = l1.inst_id and s2.inst_id = l2.inst_id
  and l1.BLOCK = 1 and l2.request > 0
  and l1.id1 = l2.id1
  -- holder and waiter must match on both lock identifiers (id1 and id2)
  and l1.id2 = l2.id2
order by s1.inst_id;
-- Find blocking sessions that were blocking for more than 15 minutes + objects and sql
select s.SID, p.SPID, s.machine, s.username, CTIME/60 as minutes_locking, do.object_name as locked_object, q.sql_text
from v$lock l
join v$session s on l.sid = s.sid
join v$process p on p.addr = s.paddr
join v$locked_object lo on l.SID = lo.SESSION_ID
join dba_objects do on lo.OBJECT_ID = do.OBJECT_ID
join v$sqlarea q on s.sql_hash_value = q.hash_value and s.sql_address = q.address
where block = 1 and ctime/60 > 15;
-- Check who is blocking who in RAC
SELECT DECODE(request, 0, 'Holder: ', 'Waiter: ') || sid sess, id1, id2, lmode, request, type
FROM gv$lock
WHERE (id1, id2, type) IN (
    SELECT id1, id2, type FROM gv$lock WHERE request > 0)
ORDER BY id1, request;
-- Check who is blocking who in RAC, including objects
SELECT DECODE(request, 0, 'Holder: ', 'Waiter: ') || gv$lock.sid sess, machine, do.object_name as locked_object, id1, id2, lmode, request, gv$lock.type
FROM gv$lock join gv$session on gv$lock.sid = gv$session.sid and gv$lock.inst_id = gv$session.inst_id
join gv$locked_object lo on gv$lock.SID = lo.SESSION_ID and gv$lock.inst_id = lo.inst_id
join dba_objects do on lo.OBJECT_ID = do.OBJECT_ID
WHERE (id1, id2, gv$lock.type) IN (
    SELECT id1, id2, type FROM gv$lock WHERE request > 0)
ORDER BY id1, request;
-- Who is blocking who, with some decoding
select sn.USERNAME,
       m.SID,
       sn.SERIAL#,
       m.TYPE,
       decode(LMODE,
              0, 'None',
              1, 'Null',
              2, 'Row-S (SS)',
              3, 'Row-X (SX)',
              4, 'Share',
              5, 'S/Row-X (SSX)',
              6, 'Exclusive') lock_type,
       decode(REQUEST,
              0, 'None',
              1, 'Null',
              2, 'Row-S (SS)',
              3, 'Row-X (SX)',
              4, 'Share',
              5, 'S/Row-X (SSX)',
              6, 'Exclusive') lock_requested,
       m.ID1,
       m.ID2,
       t.SQL_TEXT
from v$session sn,
     v$lock m,
     v$sqltext t
where t.ADDRESS = sn.SQL_ADDRESS
  and t.HASH_VALUE = sn.SQL_HASH_VALUE
  -- waiters (REQUEST != 0), or holders on a resource that some session is waiting for
  and ((sn.SID = m.SID and m.REQUEST != 0)
   or (sn.SID = m.SID and m.REQUEST = 0 and LMODE != 4 and (ID1, ID2) in
        (select s.ID1, s.ID2
         from v$lock S
         where REQUEST != 0
           and s.ID1 = m.ID1
           and s.ID2 = m.ID2)))
order by sn.USERNAME, sn.SID, t.PIECE;
-- Who is blocking who, with some decoding
select OS_USER_NAME os_user,
       PROCESS os_pid,
       ORACLE_USERNAME oracle_user,
       l.SID oracle_id,
       decode(TYPE,
              'MR', 'Media Recovery',
              'RT', 'Redo Thread',
              'UN', 'User Name',
              'TX', 'Transaction',
              'TM', 'DML',
              'UL', 'PL/SQL User Lock',
              'DX', 'Distributed Xaction',
              'CF', 'Control File',
              'IS', 'Instance State',
              'FS', 'File Set',
              'IR', 'Instance Recovery',
              'ST', 'Disk Space Transaction',
              'TS', 'Temp Segment',
              'IV', 'Library Cache Invalidation',
              'LS', 'Log Start or Switch',
              'RW', 'Row Wait',
              'SQ', 'Sequence Number',
              'TE', 'Extend Table',
              'TT', 'Temp Table', type) lock_type,
       decode(LMODE,
              0, 'None',
              1, 'Null',
              2, 'Row-S (SS)',
              3, 'Row-X (SX)',
              4, 'Share',
              5, 'S/Row-X (SSX)',
              6, 'Exclusive', lmode) lock_held,
       decode(REQUEST,
              0, 'None',
              1, 'Null',
              2, 'Row-S (SS)',
              3, 'Row-X (SX)',
              4, 'Share',
              5, 'S/Row-X (SSX)',
              6, 'Exclusive', request) lock_requested,
       decode(BLOCK,
              0, 'Not Blocking',
              1, 'Blocking',
              2, 'Global', block) status,
       OWNER,
       OBJECT_NAME
from v$locked_object lo,
     dba_objects do,
     v$lock l
where lo.OBJECT_ID = do.OBJECT_ID
  AND l.SID = lo.SESSION_ID
  and block = 1;