Monday, April 07, 2014

HTTP-404 on /oamconsole

WeblogicHost versus WeblogicCluster

Even though the OAM Console cannot actually be clustered, it still has to be configured as if it were. If you ever find yourself in a scenario where you configure a webgate in front of your OAM Console, make sure you configure it like this:
##############################################
## Entries Required by Oracle Access Manager
##############################################
# OAM Console
<Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicCluster oamhost1.home.local:7001, oamhost2.home.local:7001
</Location>
This looks wrong: when the OAM Console is actually running on oamhost1, you simply cannot navigate to oamhost2.home.local:7001/oamconsole, while you *can* navigate to oamhost1.home.local:7001/oamconsole.
Since the AdminServer has to be reconfigured manually in case of disaster anyway, you may be tempted to put this in your configuration:
##############################################
## Entries Required by Oracle Access Manager
##############################################
# OAM Console
<Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicCluster oamhost1.home.local:7001
</Location>

This does NOT work

BTDT (been there, done that):
##############################################
## Entries Required by Oracle Access Manager
##############################################
# OAM Console
<Location /oamconsole>
    SetHandler weblogic-handler
    WebLogicHost oamhost1.home.local
    WebLogicPort 7001
</Location>
This is what the Enterprise Deployment Guide suggests.
My configuration: WLS 10.3.6.0.7, OAM 11.1.2.2.0, Red Hat Enterprise Linux Server release 6.5 (Santiago), kernel 2.6.32-431.el6.x86_64.

Symptoms

Your call to /oamconsole is initially redirected and produces a login screen. Authentication appears to succeed, as other screens can be accessed without re-authenticating.
However, /oamconsole itself is not displayed and results in a 404 (Not Found).
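As an added check (not part of the original post), a small POSIX shell/awk lint that reads a mod_wl (OHS/Apache) config file and reports a /oamconsole Location block that does not use the two-member WebLogicCluster form described above; the hostnames used in testing are the post's own example names.

```shell
#!/bin/sh
# Added example, not from the original post: lint the <Location /oamconsole>
# block of a mod_wl (OHS/Apache) config. The working form above is a
# WebLogicCluster listing both OAM hosts; a single-member cluster or a
# WebLogicHost/WebLogicPort pair produced the 404 on /oamconsole, so both are
# reported. Usage: check_oamconsole_block /path/to/httpd.conf  (exit 0 = OK)
check_oamconsole_block() {
  awk '
    # Enter/leave the block; Apache directives are case-insensitive.
    tolower($0) ~ "<location[ \t]+/oamconsole>" { inblk = 1; next }
    inblk && tolower($0) ~ "</location>"         { inblk = 0; next }
    inblk && $1 == "WebLogicHost" { host = 1 }
    inblk && $1 == "WebLogicPort" { port = 1 }
    inblk && $1 == "WebLogicCluster" && NF > 1 {
      # Everything after the directive name is the comma-separated member list.
      rest = substr($0, index($0, $2))
      members = split(rest, m, /[ \t]*,[ \t]*/)
    }
    END {
      if (members >= 2) {
        print "OK: WebLogicCluster with " members " members"; exit 0
      }
      if (members == 1) {
        print "BAD: WebLogicCluster with one member (404 on /oamconsole)"; exit 1
      }
      if (host && port) {
        print "BAD: WebLogicHost/WebLogicPort (EDG form, 404 on /oamconsole)"; exit 1
      }
      print "BAD: no WebLogic backend found for /oamconsole"; exit 1
    }' "$1"
}
```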
Hope this helps!

Sunday, April 06, 2014

OAMSSA-06252 after patching

Once upon a time...

you had a working environment with WebLogic, Access and Identity Management (or Discoverer, or ...), and all of a sudden things start failing.

Symptoms

You notice the dreaded OAMSSA-06252 (Policy Store not Available) during startup and start fearing the worst. Also, it seems as if you cannot log in to the OAM management console anymore: your credentials are accepted, but you get an "Access Prohibited" error from OAM. Simply re-requesting the URL (server:port/oamconsole) then brings up the console.

WLS security Patch 10.3.6.0.7 (WLS patch ID FCX7)

Then you remember you rolled out security patch 10.3.6.0.7 (Doc Id 1613601.1), a.k.a. WLS patch ID FCX7, last February. It turns out you need to reread the installation guide for OFM 11.1.2.2.0, in particular the Issues chapter!
Unfortunately, just applying the workaround mentioned in paragraph 2.1.7 is not enough.
You must also apply paragraph 2.1.8, but change the "grant codebase" mentioned there to:
// Due to patched WLS... FvB 4-apr-2014
grant codeBase "file:/oracle/middleware/patch_wls1036/patch_jars/-" {
    permission java.security.AllPermission;
    // original: permission java.lang.RuntimePermission "oracle.*","read";
};
Hope this helps.

Monday, March 31, 2014

Customized pages with Distributed Credential Collector (DCC)

One of the worst documented areas in OAM: customizing pages with DCC.
One revelation: you must use login.pl if you want logout.pl to work, as login.pl seems to build the "Callback URL" list that logout.pl uses to destroy the session cookies.

Wednesday, March 26, 2014

Access Management alternatives (Part 1: Directory Services)

Intro

At the governmental institute that hired me, I'm working hard to get the full Oracle Identity and Access Management (IAM) stack implemented.
A colleague suggested OpenIAM, which, on closer inspection, turns out to be a fork of what I believe to be the origin of the Oracle stack: Sun's OpenSSO.

So I started looking at this stack, which is available from ForgeRock. Let's start with the basis: directory services.

Directory Services

As Oracle moves away from Internet Directory (OID) and Virtual Directory (OVD) towards the Unified Directory server (OUD), I found that OUD actually is the Sun Directory Server. Just look at the installation logs of OUD; there are references to
org.opends.quicksetup.installer
And OpenDS was Sun's Directory Server (of which they carried an Enterprise Edition, too: ODSEE, OpenDirectoryServer EE, now dubbed Oracle Directory Server EE).
OpenDS was donated to the open source community and picked up by ForgeRock to become OpenDJ. Here is more info on that.

Acquire and Install

According to the Installation Manual, OpenDJ 2.6.1 is out, but I did not see a link for it on the download page. I will go for 2.6.0, noting that Oracle's plans to add capabilities to OUD are similar to OpenDJ's plans: OpenDJ V4 should be capable of virtualisation, like OVD.

Compatibility with Oracle products

There are several articles to be found on how to integrate this open stack with Oracle products like Forms, Reports, OBIEE, etc. I have not found any on Enterprise User Security combined with TNS name resolution, so I will attempt to do that, as I have done for OUD as well.
A notable entry in the OUD setup log is:
$ORACLE_HOME/config/EUS/oracleContext.ldif
The installation should be simple:
- create "opensso" as the install directory as well as the user.
- download and install the software
- configure OpenDJ

Installation Details

As root:
[root@openiam ~]# useradd opensso
[root@openiam ~]# passwd opensso
Changing password for user opensso.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@openiam ~]# mkdir -p /opensso/mnt
[root@openiam ~]# chown -R opensso /opensso
[root@openiam ~]# mount -o soft,intr,rsize=32768,wsize=8192,nolock 192.168.4.199:/volume1/oracle /opensso/mnt
Now I need Java before installing OpenDJ (the "J" does signify Java...). I already have the Java 8 rpm downloaded, so let's see:
[root@openiam ~]# rpm -iv /opensso/mnt/Software/java/jre-8-linux-x64.rpm
Preparing packages for installation...
jre-1.8.0-fcs
Unpacking JAR files...
        rt.jar...
        jsse.jar...
        charsets.jar...
        localedata.jar...
        jfxrt.jar...
[root@openiam ~]# rpm -qa|grep -i jre
jre-1.8.0-fcs.x86_64
[root@openiam ~]# rpm -iv /opensso/mnt/Software/Forgerock/opendj-2.6.0-1.noarch.rpm
Preparing packages for installation...
Pre Install - initial install
opendj-2.6.0-1
Post Install - initial install
That's it. For now, I used the rpm, simply because it is the easiest way.

Configure

As the installation here was done using rpm, which requires root privileges, setup can be executed as root too. That allows the server to listen on the privileged ports 389 (LDAP) and 636 (LDAPS), the standard LDAP ports.

If you do not want that, for whatever reason, do NOT just run setup as a non-root user on top of the rpm install; use the zip file instead: extract it and run setup from any install directory as a non-privileged user.
With the zip option none of the OpenDJ files and executables are owned by root; the rpm option creates an instance owned by root (and therefore able to open privileged ports).
The combination (install the rpm as root, run setup as a non-privileged user) does not work without additional fiddling (the installer cannot create the directories for the configuration).

Java 8 not supported

I tried running setup as root with Java 8. It fails to generate the self-signed certificates.
It also fails to launch the Control Panel:
java.lang.Error: An unexpected error occurred launching the Control Panel.
        at org.opends.quicksetup.ui.QuickSetup$3.processBackgroundTask(QuickSetup.java:444)
        at org.opends.quicksetup.util.BackgroundTaskThread.run(BackgroundTaskThread.java:67)
An unexpected error occurred launching the Control Panel.
java.lang.Error: An unexpected error occurred launching the Control Panel.
        at org.opends.quicksetup.ui.QuickSetup$3.processBackgroundTask(QuickSetup.java:444)
        at org.opends.quicksetup.util.BackgroundTaskThread.run(BackgroundTaskThread.java:67)
An unexpected error occurred launching the Control Panel.
It will probably fail in other places too, and, as this is not on my todo list, I will simply revert to JRE 7u51:
[root@openiam ~]# rpm -e jre
error: Failed dependencies:
        jre >= 1.6 is needed by (installed) opendj-2.6.0-1.noarch
[root@openiam ~]# rpm -e opendj jre
Pre Uninstall - uninstall
Server already stopped
Post Uninstall - uninstall
OpenDJ successfully removed.
[root@openiam ~]# rpm -iv /opensso/mnt/Software/java/jre-7u51-linux-x64.rpm
Preparing packages for installation...
jre-1.7.0_51-fcs
Unpacking JAR files...
        rt.jar...
        jsse.jar...
        charsets.jar...
        localedata.jar...
        jfxrt.jar...
[root@openiam ~]# rpm -iv /opensso/mnt/Software/Forgerock/opendj-2.6.0-1.noarch.rpm
Preparing packages for installation...
Pre Install - initial install
opendj-2.6.0-1
Post Install - initial install
[root@openiam ~]# /opt/opendj/setup
Launching graphical setup...
The screens are exactly the ones Oracle Unified Directory uses; Oracle has not rebranded them yet. Oracle obviously did add TNS and EUS as options.
And there is a graphical control panel option, which doubles as an LDAP browser.
So far, so good.
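As an added pre-flight check (not part of the original post, and not an OpenDJ tool), a POSIX shell snippet to run before /opt/opendj/setup: it parses the banner line that `java -version` prints and refuses the Java 8 runtime that broke certificate generation and the Control Panel above, while accepting the 1.6/1.7 range the rpm dependency (jre >= 1.6) and the JRE 7u51 revert imply. The version banners in the test are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to run OpenDJ 2.6.0 setup
# on a Java runtime outside the 1.6..1.7 range, since Java 8 failed above.

# Extract the major release from a "java -version" banner line:
#   java version "1.7.0_51"            -> 7
#   java version "1.8.0"               -> 8
#   openjdk version "11.0.2" 2019-01-15 -> 11 (newer numbering scheme)
# Returns 1 (and prints nothing) when the line is not a version banner.
jre_major() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
  [ -n "$ver" ] || return 1
  case "$ver" in
    1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;   # 1.x.y -> x
    *)   printf '%s\n' "$ver" | cut -d. -f1 ;;   # x.y.z -> x
  esac
}

# 0 when the banner describes an acceptable JRE for OpenDJ 2.6.0, else 1.
opendj_jre_ok() {
  major=$(jre_major "$1") || return 1
  [ "$major" -ge 6 ] && [ "$major" -le 7 ]
}

# Live use: java prints its banner on stderr, so capture that.
opendj_preflight() {
  banner=$(java -version 2>&1 | head -n 1)
  if opendj_jre_ok "$banner"; then
    echo "JRE OK: $banner"
  else
    echo "Refusing to run setup with: ${banner:-no java found}" >&2
    return 1
  fi
}
```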

Oracle specifics

Still on the ToDo list:
- extend the schema with Oracle-specific Object Identifiers (OIDs).
- extend the schema with Oracle-specific ObjectClasses and ObjectTypes.
- prove that TNS resolution and EUS can be used with OpenDJ.

As others have already attempted to get TNS name resolution working with OpenLDAP, this should not be too daunting a task.

Wednesday, February 12, 2014

Check this out: IAM 11G Rel2 V8

Oracle launched Identity and Access Management 11G Release 2, Version 8 (also known as V11.1.2.2.0) two weeks ago.
You should check it out. Some reasons why:
  1. Installation is so much easier.
  2. Installation is error-proof: the "you just MUST run configuresecurity first, or redo everything" error can no longer occur (I tested it).
  3. The interface (OAM Console) has had a major overhaul. It responds faster and is more consistent.
Really. Oracle did a fine job here.

Wednesday, October 30, 2013

Identity Management 11G Rel 2: RCU

Repository Creation Utility

Running the Repository Creation Utility (RCU) for Linux is troublesome for a couple of reasons.
One is that it is 32-bit software, whereas Linux platforms are now predominantly 64-bit.
The other is Java...

Running it on my Ubuntu LTS host, using
linux32 ./bin/rcu
resulted in the following error:
frank@ubuntu64:~/Downloads/rcuHome$ linux32 ./bin/rcu
./bin/rcu: 276: ./bin/rcu: /home/frank/Downloads/rcuHome/jdk/jre/bin/java: not found
Java is actually installed:
frank@ubuntu64:~/Downloads/rcuHome$ which java
/usr/bin/java
Line 276 itself is OK; it references $JRE_DIR. It is the definition of this variable (at line 133) that is wrong. Just change
JRE_DIR=$ORACLE_HOME/jdk/jre
into
JRE_DIR=/usr
Then change permissions (if needed), and rerun.
Happy RCU-ing!

Wednesday, October 23, 2013

Enterprise Install of Identity & Access Management 11.1.2

Hardware

Virtual hardware added to the Database and OUD/OVD installs: an 8GB/4CPU VM.

Basic Software

Of course, JRockit (the 37 release; the 45 release does not always work with OFM 11GR2...) and WebLogic 10.3.6. WLS 12 is not yet certified against OFM I&AM 11GR2, as far as I know.

Software install

Start off with the I&AM 11.1.2.1 software: V37472.
[oracle@idm ~]$ /oracle/install/Software/OFM/11.1.2.1/V37472/Disk1/runInstaller -jreLoc /oracle/jrockit-jdk1.6.0/
Starting Oracle Universal Installer...

Checking if CPU speed is above 300 MHz.    Actual 3378 MHz    Passed
Checking Temp space: must be greater than 150 MB.   Actual 22018 MB    Passed
Checking swap space: must be greater than 512 MB.    Actual 6127 MB    Passed
Checking monitor: must be configured to display at least 256 colors.    Actual 16777216    Passed

Skip the software updates.
All green, thanks to the oracle-rdbms-server-11gR2-preinstall package having been installed.

Leave the defaults; a matter of taste.
The list of software; note the Privileged Account Manager and the Entitlements Server. The Entitlements Server is needed for the IAM stack and comes licensed as such; using it as a stack on its own requires a separate license.
This takes a while; you might want to check that rngd is running OK...