Oracle MVA

Tales from a Jack of all trades

SOA OIM integration and WebLogic administration port

Recently I set up an Oracle Identity Manager (OIM) environment and I happened to enable the administration port. Mike Fleming wrote an excellent article about why you should enable the administration port of your WebLogic domain; I won’t repeat his words. I did run into a small issue when I enabled the administration port for OIM, which I figured would be interesting for other people too.

As soon as I logged into OIM and clicked on tasks the following error appeared in the oim_server1.out file:

< javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.]>

Now that is interesting. It seems that the OIM SOA integration stops working because of the administration port. So I started to read documentation, but found no clues here. Then I started looking some further and found this document that states:

“Connections that specify administrator credentials can use only the administration port”

Now there’s the answer for you, just as the logging states: you cannot use an administrator account to integrate OIM and SOA.

So how can I change this? First of all you need to set up a new account in WebLogic. Navigate to your console and click on security realms –> myrealm –> Users and Groups. Then click on new. Fill in the user details and click on ok.

Do not assign any roles to the user in WebLogic; an account that holds the administration role would run into the same restriction. Next navigate to EM.

First we will set the password for the soaadmin user in the credential map. Click on WebLogic Domain –> domain name. Then on WebLogic Domain –> Security –> credentials.

Select oim and then SOAAdminPassword. Click on edit and change the username from weblogic to soaadmin and the password to the password you set for the soaadmin user.

Next up click on SOA –> soa-infra. Then click on SOA Infrastructure –> security –> application roles.

Now click on the button next to the role name input box to find all roles.

Select the SOAAdmin role, click on “Add User” and select the soaadmin user.

Click on OK and you have completed the first step. Next you have to set up OIM to use this SOAAdmin user. This can be configured in EM too. Click on Identity and Access –> OIM –> oim (11.1.1.3.0). Then click on Oracle Identity Manager –> System MBean Browser.

Scroll all the way down and select oracle.iam –> Server: oim_server1 –> Application: oim –> XMLConfig –> Config –> XMLConfig.SOAConfig –> SOAConfig and change the username (SOA config username) from weblogic to soaadmin.

Finally log into OIM and create a new user. Click on administration –> create user and fill in the form.

Click on save, then on roles, and assign the administrator role to the soaadmin user.

*presto*. Your OIM SOA integration is fully operational again.
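To confirm that no integration is still connecting with administrator credentials, the error shown earlier can be pulled out of oim_server1.out and grouped per account. This is an added example, not part of the original post; it assumes the first entry in principals=[...] is the user name and the remaining entries are groups, and every sample line except the one quoted from the post is constructed.

```python
import re

# Anchored on "has administration role": the rest of the message contains a
# misspelling ("adminstrators") that is not a safe thing to match on.
ADMIN_REJECT = re.compile(
    r"User 'principals=\[(?P<principals>[^\]]*)\]' has administration role"
)

# First line is constructed; the second and third repeat the line from the
# post; the fourth is constructed (svc_legacy is a hypothetical account).
SAMPLE_LOG = [
    "<Jan 10, 2012 2:01:13 PM CET> <Notice> <Server started in RUNNING mode>",
    "< javax.naming.AuthenticationException [Root exception is "
    "java.lang.SecurityException: User 'principals=[weblogic, Administrators]' "
    "has administration role. All tasks by adminstrators must go through an "
    "Administration Port.]>",
    "< javax.naming.AuthenticationException [Root exception is "
    "java.lang.SecurityException: User 'principals=[weblogic, Administrators]' "
    "has administration role. All tasks by adminstrators must go through an "
    "Administration Port.]>",
    "< javax.naming.AuthenticationException [Root exception is "
    "java.lang.SecurityException: User 'principals=[svc_legacy, Administrators, "
    "Deployers]' has administration role. All tasks by adminstrators must go "
    "through an Administration Port.]>",
]


def rejected_admin_logins(lines):
    """Return {user: {"hits": n, "groups": set}} for rejected admin connections."""
    report = {}
    for line in lines:
        match = ADMIN_REJECT.search(line)
        if match is None:
            continue  # unrelated log line
        names = [n.strip() for n in match.group("principals").split(",") if n.strip()]
        if not names:
            continue  # empty principal list, nothing to attribute
        user, groups = names[0], names[1:]  # assumption: user first, then groups
        entry = report.setdefault(user, {"hits": 0, "groups": set()})
        entry["hits"] += 1
        entry["groups"].update(groups)
    return report


if __name__ == "__main__":
    for user, info in sorted(rejected_admin_logins(SAMPLE_LOG).items()):
        print(user, info["hits"], sorted(info["groups"]))
```

Run it over the lines written after the restart; an account that still shows up is one that needs the same treatment as weblogic above.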

Hope this helps.

Written by Jacco H. Landlust

January 10, 2012 at 2:41 pm

RCU-6011

After reading the documentation and running RCU commandline for some time (mostly from a script I built) I felt confident about RCU. For a new environment I had to run RCU manually, so I set up the command:

$ ./rcu -silent -createRepository -connectString scan.area51.local:1521:rcuservice -dbUser SYS -dbRole sysdba -component MDS -component SOAINFRA -component OIM -component IAU -schemaPrefix DEV -f < /home/oracle/pass

and ran into this error:

Processing command line ....
Repository Creation Utility - Checking Prerequisites
Checking Global Prerequisites
RCU-6011:A valid prefix should be specified. Prefix can contain only alpha-numeric characters. It should not start with a number and should not contain any special characters.
RCU-6091:Component name/schema prefix validation failed.

Now this error surprised me to a great extent. The parameters were all there, so what could cause this? Some shuffling around with the parameters taught me that this command does run:

$ ./rcu -silent -createRepository -connectString scan.area51.local:1521:rcuservice -dbUser SYS -dbRole sysdba -schemaPrefix TLTB1 -component MDS -component SOAINFRA -component OIM -component IAU -f < /home/oracle/pass

Turns out that the order of the parameters is of importance to rcu: in the command that runs, -schemaPrefix comes before the -component arguments.

Hope this helps.

Written by Jacco H. Landlust

October 26, 2011 at 11:34 am

UCM, mod_wl_ohs and http response

Some extensive testing, “maybe” some code decompiling, and some talking to a great ACS consultant about nice error pages for UCM when using an HTTP front-end ended in this statement:

If we add “HttpSevereErrorFirstLine=HTTP/1.1 400 Bad Request” in the config.cfg and restart the Content Server, the actual error message is seen instead of the bridge error. This undocumented parameter overrides the default 503 response sent by the Content Server in case of an error to 400.

Apache complains about the bridge error when a 503 response is sent and doesn’t when it’s something like HTTP/1.1 400 Bad Request.

This feature was tested on Universal Content Manager (UCM) 11.1.1.4.

hope this helps :)

Written by Jacco H. Landlust

August 22, 2011 at 10:52 pm

response file for iam 11.1.1.5 is broken

When you run the silent install of iam 11.1.1.5 with the out of the box response file you get an error:


[ERROR] Data Insufficient to start Install.
[ERROR] One and Only One of the following variables must be present

Variable Name:SKIP_SOFTWARE_UPDATES     Expected Value:true
Variable Name:SPECIFY_DOWNLOAD_LOCATION Expected Value:true
. Aborting Install

As the error shows, the response file for iam 11.1.1.5 is missing the SKIP_SOFTWARE_UPDATES directive.

Just add SKIP_SOFTWARE_UPDATES=true to the .rsp file and you’re set to go.

The new file would look like this:


[ENGINE]
#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0
[GENERIC]
#Provide the complete path of the Oracle Home. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character.
ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IAM1
#Provide the complete path to a valid Middleware Home.
MIDDLEWARE_HOME=/u01/app/oracle/middleware
#Give the list of complete paths of all the valid Middleware Homes existing on the system.
MIDDLEWARE_HOME_LIST=/u01/app/oracle/middleware
SKIP_SOFTWARE_UPDATES=true
[SYSTEM]
[APPLICATIONS]
[RELATIONSHIPS]

Written by Jacco H. Landlust

August 12, 2011 at 8:34 pm

OOW 2011, the warm-up starts

Seems people start plugging their sessions for OOW 2011, so just to make sure I’m not facing an empty room here goes: This year (2011) I will be presenting at Oracle Open World together with my friend Simon Haslam. If you happen to be at OOW and fancy fusion middleware infrastructure, please come and join Simon on Monday 2 PM in Moscone South.

Title: Deployment Patterns for Oracle Fusion Middleware 11g
Time Monday, 02:00 PM, Moscone South – 310
Length 1 Hour
Abstract: Oracle Fusion Middleware 11g is a comprehensive software suite that can be installed in a wide range of different topologies. In this session, an Oracle ACE Director and an Oracle ACE combine their real-world experience in a range of organizations (including supermarkets, government departments, and banks) to explain the decisions you have to make in designing a middleware infrastructure. The presentation covers Oracle WebLogic Server, supporting infrastructure such as Oracle Internet Directory, and layered products such as Oracle SOA Suite. Topics include domain planning, clustering options, handling virtualization, patching strategy, and promoting software from test to production.

The schedule builder can be found here.

Written by Jacco H. Landlust

August 5, 2011 at 7:25 pm

crashing jrockit while starting WebLogic

Just today I spent some time working on a JVM (jrockit) while starting WebLogic with the default startWebLogic.sh script. The environment is rather straightforward:

  • Jrockit (jrockit-jdk1.6.0_22-R28.1.1-4.0.1)
  • WebLogic 10.3.4
  • SOA Suite PS3 (11.1.1.4)

Now whenever I started WebLogic I ran into a rather lengthy core dump, which you can view: here (just rename to .txt). The interesting part of this core dump is this:

Written by Jacco H. Landlust

April 12, 2011 at 2:53 pm

Posted in JRockit, Weblogic

OHS 11 and configuration errors

While trying to work out some rewrite rules for UCM on OHS (Apache) I noticed a new feature that I didn’t notice before. Back in the good old OAS days (when the air was clean and sex was dirty) I used to check my Apache configuration like this:

apachectl configtest

This would prevent Apache from crashing upon restart from opmn. When moving to 11 (and WebLogic) I stopped doing this (could get the configtest to work), which meant I have to double-check my configurations before setting them online.

Anyway, constructing rewrite rules is difficult (to me), and chances are that you make a mistake while constructing the rule. So when I made a configuration error I noticed this:

$ /u01/app/oracle/admin/instance1/bin/opmnctl restartproc process-type=OHS
opmnctl restartproc: restarting opmn managed processes...
================================================================================
opmn id=testbox.area51.local:6701
0 of 1 processes restarted.

ias-instance id=instance1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--------------------------------------------------------------------------------
ias-component/process-type/process-set:
ohs1/OHS/OHS/

Error
--> Process (index=1,uid=893024996,pid=14351)
Process restart failed.
Process is still alive -- check configuration.

Log:
/u01/app/oracle/admin/instance1/diagnostics/logs/OHS/ohs1/console~OHS~1.log

Now that’s interesting. Oracle added a new feature: check the configuration before restarting Apache. The “Process is still alive -- check configuration.” is new to me. Didn’t read this in the docs, still nice to know.

Hope this helps.

Written by Jacco H. Landlust

April 7, 2011 at 10:44 am

Posted in OHS, OPMN

OID11 on Windows 2008R2 abnormality

One of the organizations I work for is running their middleware on Windows (on VMware), to be precise on Windows 2008 R2. Last week service pack 1 was applied on their boxes and somehow OID died on me. When I checked opmn I noticed that oid was really down:

opmnctl status

Processes in Instance: asinst_1
--------------+--------------+------+---------
ias-component | process-type | pid | status
--------------+--------------+------+---------
oid1 | oidldapd | N/A | Down
oid1 | oidldapd | N/A | Down
oid1 | oidmon | N/A | Down
EMAGENT | EMAGENT | 3868 | Alive


Now when I called opmn to start all processes, I didn’t see an error, but somehow OID still didn’t start:

opmnctl startall
opmnctl startall: starting opmn and all managed processes...

opmnctl status

Processes in Instance: asinst_1
--------------+--------------+------+---------
ias-component | process-type | pid | status
--------------+--------------+------+---------
oid1 | oidldapd | N/A | Down
oid1 | oidldapd | N/A | Down
oid1 | oidmon | N/A | Down
EMAGENT | EMAGENT | 3868 | Alive


When I checked the logfiles I noticed that the .oidmonstdout had a different filesize from normal. The contents were this:


ORA-24550: signal received: Unhandled exception: Code=c0000005 Flags=0



Some googling taught me that this has to do with some sqlnet settings for diagnostics. Funny how diagnostics can actually break your stuff on Windows… Anyway, placing a sqlnet.ora in C:\Oracle\asinst_1\config (yes, that’s the config directory of your instance, or any other location if you have modified your opmn.xml manually) with these contents fixed the issue:

DIAG_ADR_ENABLED=OFF
DIAG_SIGHANDLER_ENABLED=FALSE
DIAG_DDE_ENABLED=FALSE

Hope this helps.

Written by Jacco H. Landlust

April 4, 2011 at 6:05 pm

rlwrap, wlst and the nodemanager

Lately I have seen a couple of blogposts about wlst and rlwrap (e.g. this one). This blogpost is a friendly warning to all of you who have followed this tip.

If you happen to start your nodemanager from wlst, i.e. like this:

$ rlwrap java weblogic.WLST

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

wls:/offline>
wls:/offline>
wls:/offline> startNodeManager(NodeManagerHome='/u01/app/oracle/nodemanager',PropertiesFile='/u01/app/oracle/nodemanager/nodemanager.properties')
Launching NodeManager ...

<>

Node Manager starting in the background
wls:/offline>

your nodemanager gets started just as expected. If you check your process tree you might find something you won’t like:

wls_user 21785 19630 0 17:35 pts/0 00:00:00 rlwrap java weblogic.WLST
wls_user 21786 21785 4 17:35 pts/1 00:00:09 java weblogic.WLST
wls_user 22740 21786 15 17:38 pts/1 00:00:06 /u01/app/oracle/jrmc-4.0.0-1.6.0/jre/bin/java -classpath /u01/app/oracle/jrmc-4.0.0-1.6.0/jre/lib/rt.jar:/u01/app/oracle/jrmc-4.0.0-1.6.0/jre/lib/i18n.jar:/u01/app/oracle/middleware/wlserver_10.3/server/ext/jdbc/oracle/11g/ojdbc6dms.jar:/u01/app/oracle/middleware/patch_wls1033/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/middleware/patch_ocp353/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/jrmc-4.0.0-1.6.0/lib/tools.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/weblogic.jar:/u01/app/oracle/middleware/modules/features/weblogic.server.modules_10.3.3.0.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/webservices.jar:/u01/app/oracle/middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/u01/app/oracle/middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/weblogic.jar:/u01/app/oracle/middleware/oracle_common/soa/modules/commons-cli-1.1.jar:/u01/app/oracle/middleware/oracle_common/soa/modules/oracle.soa.mgmt_11.1.1/soa-infra-mgmt.jar:/u01/app/oracle/middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf.jar:/u01/app/oracle/middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/xqrl.jar -DPropertiesFile=/u01/app/oracle/middleware/wlserver_10.3/common/nodemanager/nodemanager.properties -DNodeManagerHome=/u01/app/oracle/middleware/wlserver_10.3/common/nodemanager -DQuitEnabled=true weblogic.NodeManager -v

As you can see, the user wls_user owns the pid that started rlwrap. This pid is the parent of the wlst session, which is the parent of the nodemanager pid. Now guess what happens if you exit out of your wlst session?

To make this worse, guess what process is the parent of the startWebLogic.sh script that starts your managed server?

wls_user 23727 22740 0 17:41 ? 00:00:00 /bin/sh /u01/app/oracle/middleware/user_projects/domains/ooid_domain/bin/startWebLogic.sh

So, here’s my friendly advice: do not start the nodemanager with a rl-wrapped wlst session or you will be finding yourself banging your head against the wall.
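The same check can be run over `ps -ef` output to spot a nodemanager, or anything it started, that still hangs under an interactive session. This is an added example, not code from the original post; the sample rows are the ones shown above with the long classpath left out, plus a constructed login shell row, and the function names are my own.

```python
import re

# Commands that mark an interactive session: anything parented by one of
# these is tied to the lifetime of that session.
INTERACTIVE = re.compile(r"\brlwrap\b|weblogic\.WLST\b")

# ps -ef rows from the post (NodeManager classpath omitted); the -bash row
# is constructed to give the chain a login shell.
PS_SAMPLE = """\
UID PID PPID C STIME TTY TIME CMD
wls_user 19630 19629 0 17:30 pts/0 00:00:00 -bash
wls_user 21785 19630 0 17:35 pts/0 00:00:00 rlwrap java weblogic.WLST
wls_user 21786 21785 4 17:35 pts/1 00:00:09 java weblogic.WLST
wls_user 22740 21786 15 17:38 pts/1 00:00:06 /u01/app/oracle/jrmc-4.0.0-1.6.0/jre/bin/java -DQuitEnabled=true weblogic.NodeManager -v
wls_user 23727 22740 0 17:41 ? 00:00:00 /bin/sh /u01/app/oracle/middleware/user_projects/domains/ooid_domain/bin/startWebLogic.sh
""".splitlines()


def parse_ps(lines):
    """Parse `ps -ef` rows (UID PID PPID C STIME TTY TIME CMD) into {pid: (ppid, cmd)}."""
    procs = {}
    for line in lines:
        fields = line.split(None, 7)
        if len(fields) < 8 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue  # header row or malformed line
        procs[int(fields[1])] = (int(fields[2]), fields[7].strip())
    return procs


def ancestors(procs, pid):
    """Return the parent chain of pid, nearest parent first."""
    chain, seen = [], {pid}
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:  # 'seen' guards against loops
        seen.add(ppid)
        chain.append(ppid)
        ppid = procs[ppid][0]
    return chain


def session_bound(procs, needle):
    """Map each pid whose command contains needle to its interactive ancestors."""
    found = {}
    for pid, (_ppid, cmd) in procs.items():
        if needle not in cmd:
            continue
        risky = [a for a in ancestors(procs, pid) if INTERACTIVE.search(procs[a][1])]
        if risky:
            found[pid] = risky
    return found


if __name__ == "__main__":
    table = parse_ps(PS_SAMPLE)
    for needle in ("weblogic.NodeManager", "startWebLogic.sh"):
        print(needle, session_bound(table, needle))
```

An empty result for both needles means neither the nodemanager nor the servers it launched depend on somebody's terminal session.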

Written by Jacco H. Landlust

April 4, 2011 at 5:51 pm

Posted in Linux, Weblogic

hotsos 2011, the other days

Somehow my WordPress app on iPad got fu-barred on the plane back home, two large draft blogposts got lost. That’s the last time I trusted just an app with a lot of content! Because of this I will cut my post short: after the anger of losing the content I can only recapitulate some highlights.

Well, in short hotsos-tuesday was all about statistics. The sessions were in the wrong order for me though. For me personally it would have made much more sense to first let Doug Burns and Maria Colgan explain the theory and after that let Margaret Norman show a real world implementation. I still don’t get why Margaret wrote her own implementation of degree input parameter for dbms_stats, but that’s probably my ignorance. All three sessions were great and I can advise everyone to look for the presentations online.

Another highlight of Tuesday was Tim Gorman showing a perfectly valid example of how you can use AWR and ASH for more than performance tuning. An entertaining presentation, exactly the right amount of content for an end-of-the-day presentation.

Hotsos wednesday was interesting. I went to see Karl Arao, Toon Koppelaars (tip: great presenter!), Mark Farnham, Tanel Põder and did something I promised I would not do again: I went to see Tom Kyte. Tom was enormously entertaining, a true keynote presenter: way to go Mr. Kyte.

Next I had to sprint to a cab (which I shared with Alex G.) to take my flight to Detroit, a 50 minute transfer and then off to Amsterdam.

All in all I had a great conference. It’s been a while since I attended a conference with that much technical content. Hopefully I will attend again next year for the tenth anniversary.

Finally, to conclude this post: Disclosure; I’m attending this year’s Hotsos Symposium without the help of any other program. The time off work, travel & accommodation is at my own expense.

Written by Jacco H. Landlust

March 21, 2011 at 10:04 pm

Posted in hotsos
