Oracle MVA

Tales from a Jack of all trades

Configuring Fusion Middleware JDBC Data Sources Correctly


The out-of-the-box JDBC settings of a data source in any Fusion Middleware product (SOA, WebCenter, OIM, etc.; they are all alike) are guesses about your environment and usage. The same goes for the settings RCU requires when installing a repository.

For a customer I recently wrote a document explaining which settings to set on the database and in WebLogic when configuring data sources for a Fusion Middleware product for production use against a RAC database.

The document assumes you are running an 11.2 RAC and WebLogic 10.3.4 or newer. Here’s the document:

Configure JDBC data sources for RAC

Hope this helps.

BTW: if you already downloaded the document, please download it again. It seems I made an error in the distributed lock section.


Written by Jacco H. Landlust

November 17, 2012 at 1:13 am

setting mBean attributes after securing OIM with SSL


When you set up SSL for Oracle Identity Manager, you have to click through a fairly complicated MBean path. Since I am all about scripting deployments, I wrote a small WLST script that sets the appropriate MBean attributes for me. Writing it was easier thanks to one of Edwin Biemond’s posts.

The specific attributes are:

  • OimFrontEndURL: the URL end users use to access the OIM application, usually a VIP on an HTTP load balancer
  • Rmiurl: the URL the OIM application uses to contact SOA over RMI; a comma-separated list of the SOA servers available to OIM
  • Soapurl: the URL on which the OIM application invokes services on SOA, usually a VIP on an HTTP load balancer

Please keep in mind that you might have to set up mod_wl_ohs on an HTTP server. Also keep in mind that you have to choose the correct ports; in my case the default HTTPS port for OIM and for SOA SOAP (with mod_wl_ohs in place) plus 8002 for t3s for SOA RMI.

Anyway, here’s the script (and yet again: sorry for the broken layout):

from javax.management import ObjectName, Attribute

# Connect to the admin server over t3s. The credentials are example values;
# rather than hardcoding them, pass them in or use an encrypted WLST user
# configuration: connect(userConfigFile=..., userKeyFile=..., url=...)
connect('weblogic','Welkom01','t3s://oim.area51.local:7002')

# The OIM configuration MBeans are registered in the domain runtime MBean server
domainRuntime()

# Front-end URL: what end users (via the load balancer VIP) use to reach OIM
oimBean = ObjectName('oracle.iam:Location=oim_server1,name=Discovery,type=XMLConfig.DiscoveryConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.1.3.0')
fUrl=Attribute('OimFrontEndURL','https://oim.area51.local')
mbs.setAttribute(oimBean,fUrl)

# SOA integration: RMI over t3s to every SOA server, SOAP over https via the VIP
soaBean = ObjectName('oracle.iam:Location=oim_server1,name=SOAConfig,type=XMLConfig.SOAConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.1.3.0')

soaConfigRmiURL=Attribute('Rmiurl','t3s://oim1.area51.local:8002,t3s://oim2.area51.local:8002')
soaConfigSoapUrl=Attribute('Soapurl','https://oim.area51.local')

mbs.setAttribute(soaBean,soaConfigRmiURL)
mbs.setAttribute(soaBean,soaConfigSoapUrl)

disconnect()

After you have configured SSL correctly, I suggest you also enable the SSL port for OIM. How to do that I explained here.

P.S. if you set up OIM on a cluster, you need to set these attributes too.

Hope this helps.

Written by Jacco H. Landlust

July 5, 2012 at 9:05 pm

WLST: setup ssl for servers


Since everyone seems to be posting these cool WLST snippets nowadays, I figured I should share some of my stuff 🙂 Here’s a little script I wrote to enable SSL for servers. For those of you who don’t know much about SSL for WebLogic yet, Simon Haslam has a great post about it.

Please keep in mind that certain Fusion Middleware products need additional configuration. Also keep in mind that NodeManager needs to be configured for SSL too.

I stole part of the code from David M. Karr; all credit for the parameter parsing should be his. I also made some assumptions about the keystore name (you can deduce them from the script).

I’m no full-time Jython coder, so please don’t kill me over stupid constructs. Also, WordPress should be severely punished for its broken code tags. Copying the script into vi (or your editor of choice) is easiest.

Finally: please don’t run this script on your production environment without testing it thoroughly first!

#!/bin/python
#
# setup_ssl_for_servers.py
#
# Assumptions: the identity keystore of a server is <keyPath>/<listenAddress>.jks,
# the trust store is <keyPath>/truststore.jks, the private key alias equals the
# listen address and the SSL port is the plain listen port + 100.
#
# Caveat: passwords given on the command line show up in the process list and
# in shell history. Outside a test domain, read them from a properties file with
# restricted permissions or use a WLST user config / key file for the admin
# credentials.

import os, sys, re, getopt
from java.net import InetAddress

# Usage function
def usage():
     print "Usage: setup_ssl_for_servers.py -u adminuser -c password -t protocol -a adminserver -p port -k path_to_keys -x identityKeyPass -y trustStoreKeyPass -z privateKeyPass"

# Function that sets the keystore and key passphrases.
# If SSL is not enabled, it will enable it now.
# Also the SSL port is set.
def setSSLSettings(serverObj, keypath, identitykey, truststorekey, privatekey):
     cd('/Servers/' + serverObj)
     # Get the relevant information (listen address, port and name)
     strListenAddress=cmo.getListenAddress()
     if strListenAddress is None or strListenAddress == "":
          strListenAddress = InetAddress.getLocalHost().getHostName()
          print "the listen address of the server is empty, set it to " + str(strListenAddress)
     else:
          print "listen address of the server is : " + str(strListenAddress)
     intListenPort=cmo.getListenPort()
     svrName=cmo.getName()
     # Set the Keystore Information
     cmo.setKeyStores('CustomIdentityAndCustomTrust')
     cmo.setCustomIdentityKeyStoreFileName( keypath + "/" + str(strListenAddress) + '.jks')
     cmo.setCustomIdentityKeyStoreType('JKS')
     set('CustomIdentityKeyStorePassPhrase', identitykey)
     cmo.setCustomTrustKeyStoreFileName(keypath + '/truststore.jks')
     cmo.setCustomTrustKeyStoreType('JKS')
     set('CustomTrustKeyStorePassPhrase', truststorekey)
     # Create the SSL MBean when the server does not have one yet
     try:
          create(svrName,'SSL')
     except:
          pass
     cd('SSL/' + svrName )
     # The SSL port is the plain listen port + 100
     intSSLPort = intListenPort + 100
     cmo.setListenPort(intSSLPort)
     print "SSL port was set to " + str(intSSLPort)
     cmo.setEnabled(true)
     # Set private key settings
     cmo.setServerPrivateKeyAlias(str(strListenAddress))
     set('ServerPrivateKeyPassPhrase', privatekey)

# Process parameters
try:
     opts, args = getopt.getopt(sys.argv[1:], "u:c:t:a:p:k:x:y:z:",["adminuser=", "credential=", "adminProtocol=", "adminServer=","adminserverPort=", "keyPath=", "identityKeyPass=","trustStoreKeyPass=", "privateKeyPass="])
except getopt.GetoptError:
     print "unknown argument passed"
     usage()
     sys.exit(2)

# Initialize variables
adminuser=""
credential=""
adminProtocol=""
adminServer=""
adminserverPort=""
identityKeyPass=""
trustStoreKeyPass=""
privateKeyPass=""
keyPath=""

# Get the parameters (short or long form)
for opt, arg in opts:
     if opt in ("-u", "--adminuser"):
          adminuser = arg
     elif opt in ("-c", "--credential"):
          credential = arg
     elif opt in ("-t", "--adminProtocol"):
          adminProtocol = arg
     elif opt in ("-a", "--adminServer"):
          adminServer = arg
     elif opt in ("-p", "--adminserverPort"):
          adminserverPort = arg
     elif opt in ("-k", "--keyPath"):
          keyPath = arg
     elif opt in ("-x", "--identityKeyPass"):
          identityKeyPass = arg
     elif opt in ("-y", "--trustStoreKeyPass"):
          trustStoreKeyPass = arg
     elif opt in ("-z", "--privateKeyPass"):
          privateKeyPass = arg

# Do some checking on the parameters
if adminuser == "":
     print "Missing \"-u adminuser\" parameter."
     usage()
     sys.exit(2)
elif credential == "":
     print "Missing \"-c password\" parameter."
     usage()
     sys.exit(2)
elif adminProtocol == "":
     print "Missing \"-t adminProtocol\" parameter."
     usage()
     sys.exit(2)
elif adminServer == "":
     print "Missing \"-a adminServer\" parameter."
     usage()
     sys.exit(2)
elif adminserverPort == "":
     print "Missing \"-p adminserverPort\" parameter."
     usage()
     sys.exit(2)
elif keyPath == "":
     print "Missing \"-k keyPath\" parameter."
     usage()
     sys.exit(2)
elif identityKeyPass == "":
     print "Missing \"-x identityKeyPass\" parameter."
     usage()
     sys.exit(2)
elif trustStoreKeyPass == "":
     print "Missing \"-y trustStoreKeyPass\" parameter."
     usage()
     sys.exit(2)
elif privateKeyPass == "":
     print "Missing \"-z privateKeyPass\" parameter."
     usage()
     sys.exit(2)

print "Got all the required parameters"

# Connect
connectString= str(adminProtocol) + "://" + str(adminServer) + ":" + str(adminserverPort)
connect(adminuser,credential,connectString)

# Start Edit
edit()
startEdit()

# Loop through servers (the ls output itself is not needed, only the returned map)
cd('/Servers')
redirect('/dev/null','false')
servers=ls(returnMap='true')
stopRedirect()

for svr in servers:
     # Do some SSL magic
     setSSLSettings( svr, keyPath, identityKeyPass, trustStoreKeyPass, privateKeyPass )

cd('/Clusters')
redirect('/dev/null','false')
clusters=ls(returnMap='true')
stopRedirect()

for cls in clusters:
     cd('/Clusters/' + cls)
     # Set replication to secure
     cmo.setSecureReplicationEnabled(true)

# Activate
save()
activate()
disconnect()

Hope this helps.

Written by Jacco H. Landlust

July 2, 2012 at 11:20 pm

Posted in security, Weblogic

OUGF Harmony 2012 day 1


As always at a conference, I try to write a small summary about the sessions I have attended. This is my first visit to OUGF in Aulanko (Hämeenlinna, Finland), which is a beautiful location. The conference site has a spa, golf courses and everything you would need to relax. But that’s not why I’m here; I’m here to gain some more knowledge about Oracle products.

So, back to the sessions. The day started with a keynote by Chris Date. He gave a passionate keynote about why nulls are not to be used. I do understand his issue with nulls (and the more I think about it, the more issues I get with using nulls too). The practical problems I can think of when working around that issue are numerous. To start with: all systems I work with are designed to implement n+2-valued logic, including Oracle’s optimizer. Anyway, for me it is good to have a lecture, because that is what it is, about algebra and n+2-valued logic again. I try to understand, and therefore be able to apply, logic instead of replicating “facts”.

Next up, Thomas Kyte gave his keynote (Five things you probably didn’t know about SQL). I have said some things in the past about Tom’s presentations and for me that still applies: I am far better at reading his stuff than hearing it. Please go and see his session if you can, because what applies to me doesn’t have to apply to you (and his talks do contain lots of useful information!). Some things I noticed and should look into:

  • Tom suggests using an array size of 100 as a rule of thumb, whereas Cary Millsap suggested an array size of 2048 in his Mastering Oracle Trace Data series (which I happened to attend last week). This shows again: there is no silver bullet for performance. The answer is “it depends” all over again;
  • Gather statistics after some representative queries; that will raise the quality of the statistics. Check out dbms_stats.seed_col_usage. Actually I heard this before from Maria Colgan too (@Hotsos 2011), but I sort of forgot about it.

Third up was Juris Trôsins with a session called “Implementing Oracle Database Vault: from basics to some tricks”. Juris showed that just implementing Database Vault is not enough; you need to implement extra security measures like encryption. The most interesting fact for me was that DBAs won’t see the values of histograms.

No conference is complete nowadays without at least one talk about implementing Exadata. Since one of my clients is looking at implementing Exadata, I decided to visit Sergey Shchukin’s session about deploying Exadata. It seems that Exadata is deployed with ASM high redundancy for its data disk groups, which is interesting to me. I would appreciate it if anyone can tell me why high redundancy is chosen over normal redundancy (is it because of cell server reliability?). Also it seems you cannot install any new tooling on the servers (no changes to the software & hardware, except for switch configuration), according to Sergey. Finally I learned that hybrid columnar compression is “free” when you use Exadata.

Graham Wood gave an entertaining talk about scaling, with a demo that showed what happens if you size your JDBC pool incorrectly. His advice is to queue sessions in the middleware instead of the database to get higher throughput. The rationale behind this is that too many sessions on a host use up memory and CPU cache, causing the sessions that need to run on CPU to be slower. This didn’t really show up in the demo, but YouTube contains some interesting videos where these examples do work.

Protecting confidential data in and out of your database was presented by Jagan Athreya. This was a session about data masking, to be more exact the Oracle Enterprise Manager 12c pack that allows you to mask data for test data. It seems that just today the E-Business Suite masking tooling was released.

The next slot I skipped to do some final checking on my presentation. Even though I finished the slides two weeks ago, I decided to check one thing (nm_data.properties). It seems that changed with 12c.

The final slot of the day was for Andrejs Karpovs. He presented about Cloud FS / ACFS. Personally I am a great supporter of ACFS, so I was interested to see what he would tell about it. Andrejs showed me how you can have a general purpose filesystem managed by CRS.

And that was it for the technical content of day one.

Written by Jacco H. Landlust

May 30, 2012 at 6:20 pm

Posted in OUGF

3rd OUG Harmony Conference


On May 31st I will be speaking at the 3rd OUG Harmony Conference organized by Oracle User Group Finland. The conference will be held at Aulanko, Hämeenlinna, Finland. My session will be about a core component that you need to understand to really manage Fusion Middleware: WebLogic’s NodeManager.

Handling WebLogic’s lifecycle is a core activity while managing Fusion Middleware. This is done mostly through an agent called NodeManager. This session is all about the subtleties and caveats of NodeManager. Topics covered include:
– Role of the NodeManager in the middleware topology
– NodeManager properties
– WebLogic startup sequence
– Starting and stopping through NodeManager
– Crash recovery
– Security and SSL

The agenda looks great and early bird registration is still open (till April 30th). So if you plan to go, now would be a good time to register.

Written by Jacco H. Landlust

April 18, 2012 at 9:49 pm

Securing embedded ldap access with a connection filter


Numerous people have written about the embedded LDAP (see here). These blog posts show that network access to the embedded LDAP is always enabled; only the username and password are unknown.

Others have posted about connection filters (see here). A connection filter allows the server to reject unwanted connections based on filter criteria, before any authentication takes place.

Since the embedded LDAP is prone to brute-force attacks, you should secure the LDAP (and LDAPS) ports with a connection filter. When constructing the filter, remember that the managed servers replicate the embedded LDAP from the admin server over these very ports, so you must only block traffic from outside the domain’s own hosts.

For a single-server setup this rule would suffice:


0.0.0.0/0 * * deny ldap ldaps

Breakdown:
The target address 0.0.0.0/0 matches every remote IP, so this denies access to any server running on any local IP address and any port for the protocols ldap and ldaps, wherever the connection comes from.

For clustered setups I would advise allowing the local addresses of your server backbone and blocking all remote addresses. If your server backbone runs on 172.16.X.X these two rules would be applicable:


172.16.0.0/16 * * allow
0.0.0.0/0 * * deny ldap ldaps

Breakdown:
Rules are evaluated top down and the first match decides. Allow access to any server running on any port for all protocols if the originating IP address is in the 172.16.0.0/16 range. If the originating IP address is in any other range, deny access to any server running on any port for the protocols ldap and ldaps. Mind the netmask: the number after the slash is the number of significant bits, so 172.16.0.0/0 would match every address (exactly like 0.0.0.0/0) and the deny rule would never be reached.

Hope this helps.

Written by Jacco H. Landlust

April 11, 2012 at 11:28 am

Posted in security, Weblogic

SOA OIM integration and WebLogic administration port


Recently I set up an Oracle Identity Manager (OIM) environment and I happened to enable the administration port. Mike Fleming wrote an excellent article about why you should enable the administration port of your WebLogic domain; I won’t repeat his words. I did run into a small issue when I enabled the administration port for OIM which I figured would be interesting for other people too.

As soon as I logged into OIM and clicked on tasks, the following error appeared in the oim_server1.out file:

< javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.]>

Now that is interesting. It seems that the OIM SOA integration stops working because of the administration port. So I started reading documentation, but found no clues there. Then I looked a bit further and found this document, which states:

“Connections that specify administrator credentials can use only the administration port”

Now there’s the answer for you, just as the log states: once the administration port is enabled, OIM’s calls to SOA over the regular port are refused because the weblogic account carries the Administrators role. So you cannot use an administrator account to integrate OIM and SOA; the integration needs a dedicated account that is not a WebLogic administrator but holds only the SOA and OIM application roles it needs.

So how can I change this? First of all you need to set up a new account in WebLogic. Navigate to the console and click on Security Realms –> myrealm –> Users and Groups. Then click on New. Fill in the user details and click on OK.

Do not assign any groups or roles to the user. Next navigate to EM.

First we will set the password for the soaadmin user in the credential map. Click on WebLogic Domain –> domain name. Then on WebLogic Domain –> Security –> Credentials.

Select oim and then SOAAdminPassword. Click on Edit and change the username from weblogic to soaadmin and the password to the password you set for the soaadmin user.

Next click on SOA –> soa-infra. Then click on SOA Infrastructure –> Security –> Application Roles.

Now click on the button next to the role name input box to find all roles.

Select the SOAAdmin role, click on “Add User” and select the soaadmin user.

Click on OK and you have completed the first step. Next you have to set up OIM to use this soaadmin user. This can be configured in EM too. Click on Identity and Access –> OIM –> oim (11.1.1.3.0). Then click on Oracle Identity Manager –> System MBean Browser.

Scroll all the way down and select oracle.iam –> Server: oim_server1 –> Application: oim –> XMLConfig –> Config –> XMLConfig.SOAConfig –> SOAConfig and change the username (SOA config username) from weblogic to soaadmin.

Finally log into OIM and create a new user. Click on Administration –> Create User and fill in the form.

Click on Save, then on Roles, and assign the administrator role to the soaadmin user.

*presto*. Your OIM SOA integration is fully operational again.

Hope this helps.

Written by Jacco H. Landlust

January 10, 2012 at 2:41 pm

RCU-6011


After reading the documentation and running RCU from the command line for some time (mostly from a script I built) I felt confident about RCU. For a new environment I had to run RCU manually, so I set up the command:

$ ./rcu -silent -createRepository -connectString scan.area51.local:1521:rcuservice -dbUser SYS -dbRole sysdba -component MDS -component SOAINFRA -component OIM -component IAU -schemaPrefix DEV -f < /home/oracle/pass

and ran into this error:

Processing command line ....
Repository Creation Utility - Checking Prerequisites
Checking Global Prerequisites
RCU-6011:A valid prefix should be specified. Prefix can contain only alpha-numeric characters. It should not start with a number and should not contain any special characters.
RCU-6091:Component name/schema prefix validation failed.

Now this error surprised me to a great extent. The parameters were all there, so what could cause this? Some shuffling around with the parameters taught me that this command does run:

$ ./rcu -silent -createRepository -connectString scan.area51.local:1521:rcuservice -dbUser SYS -dbRole sysdba -schemaPrefix TLTB1 -component MDS -component SOAINFRA -component OIM -component IAU -f < /home/oracle/pass

Turns out that the order of the parameters matters to RCU: in the command that works, -schemaPrefix precedes the -component arguments.

Hope this helps.

Written by Jacco H. Landlust

October 26, 2011 at 11:34 am

UCM, mod_wl_ohs and http response


Some extensive testing, “maybe” some code decompiling, and some talking to a great ACS consultant about nice error pages for UCM when using an HTTP front-end ended in this statement:

If we add “HttpSevereErrorFirstLine=HTTP/1.1 400 Bad Request” in the config.cfg and restart the Content Server, the actual error message is seen instead of the bridge error. This undocumented parameter overrides the default 503 response sent by the Content Server in case of an error to 400.

Apache (mod_wl_ohs) reports the bridge error when a 503 response is sent and doesn’t when it’s something like HTTP/1.1 400 Bad Request, so the Content Server’s own error message reaches the browser.

This was tested on Universal Content Manager (UCM) 11.1.1.4.

Hope this helps 🙂

Written by Jacco H. Landlust

August 22, 2011 at 10:52 pm

response files for IAM 11.1.1.5 are broken


When you run the silent install of IAM 11.1.1.5 with the out-of-the-box response file you get an error:


[ERROR] Data Insufficient to start Install.
[ERROR] One and Only One of the following variables must be present

Variable Name:SKIP_SOFTWARE_UPDATES     Expected Value:true
Variable Name:SPECIFY_DOWNLOAD_LOCATION Expected Value:true
. Aborting Install

As the error shows, the response file for IAM 11.1.1.5 is missing the SKIP_SOFTWARE_UPDATES directive (and does not set SPECIFY_DOWNLOAD_LOCATION either; the installer wants exactly one of the two).

Just add SKIP_SOFTWARE_UPDATES=true to the .rsp file and you’re set to go.

The new file would look like this:


[ENGINE]
#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0
[GENERIC]
#Provide the complete path of the Oracle Home. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character.
ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IAM1
#Provide the complete path to a valid Middleware Home.
MIDDLEWARE_HOME=/u01/app/oracle/middleware
#Give the list of complete paths of all the valid Middleware Homes existing on the system.
MIDDLEWARE_HOME_LIST=/u01/app/oracle/middleware
SKIP_SOFTWARE_UPDATES=true
[SYSTEM]
[APPLICATIONS]
[RELATIONSHIPS]
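If you drive silent installs from a script, it pays to apply the installer’s “one and only one” rule yourself before starting the install instead of finding out from the abort message. The following is an added example for this post, not part of Oracle’s installer: it parses the simple [SECTION] / KEY=value / #comment layout shown above, reports which of the two variables are set to true under [GENERIC], and inserts SKIP_SOFTWARE_UPDATES=true there when neither is present. The response file text inside it is a constructed copy of the out-of-the-box file without the directive.

```python
import re

# The installer accepts exactly one of these, set to true, under [GENERIC]
REQUIRED_ONE_OF = ("SKIP_SOFTWARE_UPDATES", "SPECIFY_DOWNLOAD_LOCATION")

# Constructed sample: the shipped 11.1.1.5 file minus the missing directive
ORIGINAL_RSP = """[ENGINE]
#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0
[GENERIC]
#Provide the complete path of the Oracle Home.
ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IAM1
#Provide the complete path to a valid Middleware Home.
MIDDLEWARE_HOME=/u01/app/oracle/middleware
#Give the list of complete paths of all the valid Middleware Homes existing on the system.
MIDDLEWARE_HOME_LIST=/u01/app/oracle/middleware
[SYSTEM]
[APPLICATIONS]
[RELATIONSHIPS]
"""


def parse_rsp(text):
    """Return {section: {key: value}} for an OUI-style response file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line outside a section: %r" % raw)
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def software_update_check(text):
    """Mimic the installer's prerequisite: list the variables set to true under [GENERIC]."""
    generic = parse_rsp(text).get("GENERIC", {})
    return [k for k in REQUIRED_ONE_OF if generic.get(k, "").lower() == "true"]


def ensure_skip_software_updates(text):
    """Return the file text with SKIP_SOFTWARE_UPDATES=true appended to [GENERIC]
    when neither variable is set; return the text unchanged when it already passes."""
    present = software_update_check(text)
    if len(present) == 1:
        return text
    if len(present) > 1:
        raise ValueError("both of %s are set; the installer wants exactly one" % (REQUIRED_ONE_OF,))
    out, in_generic, done = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            if in_generic and not done:      # leaving [GENERIC]: add the directive first
                out.append("SKIP_SOFTWARE_UPDATES=true")
                done = True
            in_generic = stripped == "[GENERIC]"
        out.append(line)
    if in_generic and not done:              # [GENERIC] was the last section
        out.append("SKIP_SOFTWARE_UPDATES=true")
        done = True
    if not done:
        raise ValueError("no [GENERIC] section found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", software_update_check(ORIGINAL_RSP))
    fixed = ensure_skip_software_updates(ORIGINAL_RSP)
    print("after: ", software_update_check(fixed))
    print(fixed)
```

The patch step is idempotent, so it is safe to run on every deployment, and it refuses to guess when both variables are present, since that is the other way to trip the same installer check.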

Written by Jacco H. Landlust

August 12, 2011 at 8:34 pm