Wednesday, July 08, 2015

OAM PS3 - continued


Allow auto start (production mode) for your scripts:
cd /oracle/user_projects/domains/oam_domain/servers
mkdir -p oam_server1/security
mkdir -p omsm_server1/security
mkdir -p oam_policy_mgr1/security
vi oam_server1/security/boot.properties
cp oam_server1/security/boot.properties omsm_server1/security/
cp oam_server1/security/boot.properties oam_policy_mgr1/security/
You can now use command line scripts to start the other servers (oam_server1, omsm_server1, and oam_policy_mgr1), like so:
/oracle/user_projects/domains/oam_domain/bin/startManagedWebLogic.sh oam_server1
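As an added example (not code from the original post), the boot.properties step above as one shell script: it creates the security directory for each server, writes the username and password, and makes sure the file is 0600 from the moment it exists, because WebLogic only replaces the plaintext values with encrypted ones on the server's first start. The same step is repeated for the AdminServer in the PS3 entry further down the page, and the script serves that case too. The domain path and server names are the post's; the function names and the convention of reading the password from stdin (so it does not show up in `ps`) are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Creates boot.properties for WebLogic
# servers so they start unattended in production mode. WebLogic reads the plaintext
# username/password from this file and replaces both with encrypted values on the
# server's first start; until then the file holds the credential in clear, so it is
# created with mode 0600 and the password is read from stdin rather than from an
# argument (arguments show up in `ps`). Function names are assumptions.
set -u

# make_boot_properties DOMAIN_DIR SERVER USERNAME   (password on stdin)
# Writes DOMAIN_DIR/servers/SERVER/security/boot.properties; returns 0 on success.
make_boot_properties() {
    domain_dir=$1
    server=$2
    user=$3
    IFS= read -r password || return 1
    sec_dir="$domain_dir/servers/$server/security"
    mkdir -p "$sec_dir" || return 1
    (
        umask 077   # the new file is born 0600, never world-readable
        printf 'username=%s\npassword=%s\n' "$user" "$password" > "$sec_dir/boot.properties"
    ) || return 1
    # a pre-existing file keeps its old mode when truncated, so tighten it explicitly
    chmod 600 "$sec_dir/boot.properties"
}

# make_boot_properties_all DOMAIN_DIR USERNAME SERVER...   (password on stdin, once)
# Equivalent of the vi + cp sequence in the post: one credential for every server.
make_boot_properties_all() {
    domain_dir=$1
    user=$2
    shift 2
    IFS= read -r password || return 1
    for server in "$@"; do
        printf '%s\n' "$password" | make_boot_properties "$domain_dir" "$server" "$user" || return 1
    done
}

# boot_properties_mode FILE -> permission string as ls shows it, e.g. -rw-------
boot_properties_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage, as in the post (type the password, then Enter):
#   make_boot_properties_all /oracle/user_projects/domains/oam_domain weblogic \
#       oam_server1 omsm_server1 oam_policy_mgr1
```

After the first start of each server, check that the values in boot.properties have been replaced by `{AES}`-style encrypted strings; if a server never started, the plaintext is still there.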

Starting using WLS Console (GUI)

In the OAM 11GRel2PS2 setup, I created a "machine". This is not a physical machine, just a WebLogic placeholder. I need one to allow the nodemanager to start/stop all servers.
If I don't, I will get these messages when trying to control (start/stop) a managed server via the admin server console:
So, log in on the console, expand Environment, click the "Lock & Edit" button, and create a New Machine:
The name does not really matter; as said, it is just a placeholder and bears no connection to any (physical) machine whatsoever. Leave the OS type at Other; it is not Unix, and it is not Virtual (it is Linux).
Next, define the nodemanager. By default the nodemanager is created to listen in SSL mode, and it listens on all addresses, so localhost should do.
In a serious clustered environment, you want to change the nodemanager to listen on the machine name or address, not just localhost; if you leave it at localhost, the nodemanager will not accept calls from the other cluster members.
Now you can add the Admin and managed servers to this machine, and control them from the GUI as well. The next task will be protecting resources.

Monday, June 15, 2015

refhost.xml kludge is fixed

No More missing packages

I wrote several times about manually editing refhost.xml. There's no need for it anymore; just apply Patch 18231786.

Monday, June 08, 2015

Wrong Java version on Unified Directory Server

Wrong Java version

After losing the battle with the OS guys for control over Java, I keep stumbling upon environments that have the wrong Java version, because Java is installed in /usr/java or /usr/bin.
In such cases, this is the result:
which java
/usr/bin/java
As I do not have control over /usr/bin, I install Java in /oracle/middleware/java, so I would like to see:
which java
/oracle/middleware/java/jre/bin/java

Adapting OUD

Luckily, adapting OUD to use another Java proves quite easy: just alter $MW_HOME/asinst_1/OUD/lib/set-java-home and $MW_HOME/asinst_1/OUD/config/java.properties to point to the correct Java environment, and bounce the LDAP server.

Wednesday, June 03, 2015

OAM PS3

Identity and Access Management Patch Set 3

It was launched last week. I had already seen it in March, during a partner event in Paris, and there are quite a few changes and improvements to get excited about.

Install over previous (not upgrade)

I cloned my PS2 OAM machine, and the plan is to get PS3 running asap. So, I fire up the V11.1.1.9 RCU, and drop the existing schemas.
Next, rerun the RCU, and create the schemas:
Note the Mobile Security - that's new...

Install OUD V11.1.1.9.0

Yep - that's new as well...
[oracle@oam ~]$ /mnt/orainst/Software/OFM/11.1.2.3.0/oud_11.1.2.3.0/Disk1/runInstaller -jreLoc $JAVA_HOME

Install WebLogic

Same as before, 10.3.6.0 - but with a load of patches. These will require you to run JSSE!
A list of patches (but hold on downloading each of these!):

18398295 (FSG4)
    This Oracle WebLogic Server patch is required only if you are using
    Multi Byte Character Set.
Bit of an odd remark for an OAM installation guide, as OAM practically dictates you use AL32UTF8 as the standard character set in your repository database.

14404715 (ZARV)
    This is a mandatory Oracle WebLogic Server patch.

16844206 (NPM3)
    This is a mandatory Oracle WebLogic Server patch.
Looks like that one is only for MS Windows, as the description is "WLST CANNOT GET ENV ON WINDOWS SERVER 12 WITH MINIMAL ENV".

13964737 (YVDZ)
    This is a mandatory Oracle WebLogic Server patch when running
    Oracle WebLogic Server on Oracle JDK 7.
    After you apply this patch to your WebLogic Server Middleware home, you must start
    the Node Manager, the WebLogic Administration Server, and the various Managed Servers
    with Java Secure Socket Extension (JSSE) enabled. To start the Node Manager with JSSE
    enabled, see the "Set the Node Manager Environment Variables" topic in Node Manager
    Administrator's Guide for Oracle WebLogic Server.

    After starting Node Manager with JSSE enabled, you must start the
    WebLogic Administration Server and Managed Servers with JSSE enabled.
    For more information, see the "Using the JSSE-Enabled SSL Implementation" topic in
    Securing Oracle WebLogic Server.

14174803 (IMWL)
    This is a mandatory Oracle WebLogic Server patch when running
    Oracle WebLogic Server on Oracle JDK 7.
    After you apply this patch to your WebLogic Server Middleware home, you must start
    the Node Manager, the WebLogic Administration Server, and the various Managed Servers
    with Java Secure Socket Extension (JSSE) enabled. To start the Node Manager with JSSE
    enabled, see the "Set the Node Manager Environment Variables" topic in Node Manager
    Administrator's Guide for Oracle WebLogic Server.

    After starting Node Manager with JSSE enabled, you must start the
    WebLogic Administration Server and Managed Servers with JSSE enabled.
    For more information, see the "Using the JSSE-Enabled SSL Implementation" topic in
    Securing Oracle WebLogic Server.

17938462 (XECL)
    This is a mandatory Oracle WebLogic Server patch when running
    Oracle WebLogic Server on Oracle JDK 7.

13114768 (56MM)
    This is a mandatory Oracle WebLogic Server patch.

15865825 (CM69)
    This is a mandatory Oracle WebLogic Server patch.

14809365 (XA6W)
    This is a mandatory Oracle WebLogic Server patch.

Apart from all that, I would also apply 20181997 (YUIS): WLS PATCH SET UPDATE 10.3.6.0.11.

Install OAM

[oracle@oam ~]$ /mnt/orainst/Software/OFM/11.1.2.3.0/Disk1/runInstaller -jreLoc $JAVA_HOME
You no longer need to kludge the refhost.xml file:

WLS Patching

cd /oracle/middleware/utils/bsu
mkdir cache_dir
cd cache_dir
unzip /mnt/orainst/Software/weblogic/p20181997_1036_Generic.zip
cd ..
./bsu.sh -install -patch_download_dir=/oracle/middleware/utils/bsu/cache_dir -patchlist=YUIS -prod_dir=/oracle/middleware/wlserver_10.3
Remove README.txt from the cache_dir, and repeat for
  • p17938462_1036_Generic.zip (XECL)
  • p13964737_1036_Generic.zip (YVDZ)
There is no need for
  • p15865825 (CM69)
  • p14809365 (XA6W)
  • p14404715 (ZARV)
  • p14174803 (IMWL)
as they conflict with (or rather: are already resolved by) YUIS.
See MOS DocID 1997891.1 (bugs resolved by WLS 10.3.6.0.11).

p13114768_1036_Generic.zip (56MM) is not listed in that document, yet bsu reports it cannot coexist with YUIS:
[oracle@oam bsu]$ ./bsu.sh -install -patch_download_dir=/oracle/middleware/utils/bsu/cache_dir -patchlist=56MM -prod_dir=/oracle/middleware/wlserver_10.3
Checking for conflicts...
Conflict(s) detected - resolve conflict condition and execute patch installation again
Conflict condition details follow:
Patch 56MM is mutually exclusive and cannot coexist with patch(es): YUIS

Configure

OUD

OUD has been done in previous entries. Some things have changed: the default memory assignments could be a bit lower (although I could not get them below 1GB initial). Also, there is now the possibility of DIP integration directly in OUD (i.e. without needing the ODSM WebLogic stack?):

OAM

This has also been done before, but there are slight differences:
All I chose here was Oracle Access Management and Mobile & Social (renamed from Oracle Access Management), as well as the Entitlement Server for the Admin server.
Do NOT start the OAM stack yet! You (still) need to follow chapter 11, "Configuring Database Security Store ...":
cd /oracle/middleware/oracle_common/common/bin
./wlst.sh /oracle/middleware/Oracle_IDM1/common/tools/configureSecurityStore.py \
    -d /oracle/user_projects/domains/oam_domain -c IAM -m create -p [your OPSS password]

Start it up

Enable autostart (Production Mode)

cd /oracle/user_projects/domains/oam_domain
mkdir -p servers/AdminServer/security
vi servers/AdminServer/security/boot.properties
/oracle/user_projects/domains/oam_domain/startWebLogic.sh
One thing I noticed was the amount of logging during the initial startup: it has decreased enormously! You will see
SEVERE: Failed to communicate with any of configured Access Server, ensure that
 it is up and running.
but that is a configuration issue that I will take care of. Several other errors (Primary Keys violated...) seem to have no effect; after about 5 minutes, I can log in to the new interface (yet again...):
Many defaults that you had to define yourself in the previous release are now available out of the box; even the dreaded favicon is now excluded. Happily surprised!

Getting rid of the SEVERE error

Login to the WLS console (http://your_oam_host:7001/console), navigate to the security realm MyRealm, go to the Providers tab, and delete IAMSuiteAgent:
You will have to stop and start the Admin Server...

Finalize WLS Patching

One of the consequences of patching WLS is the prerequisite to use JSSE. The easiest way is to set the "Use JSSE" flag for all managed servers (WLS console: Lock & Edit, Environment, Servers, select a server, navigate to the SSL tab, scroll to the bottom, click 'Advanced', and -at the bottom- enable JSSE). After applying the changes, stop all servers.
For the node manager, edit the startNodeManager.sh script and add the following lines somewhere at the top of the file:
JAVA_OPTIONS="-Dweblogic.ssl.JSSEEnabled=true"
export JAVA_OPTIONS
Somewhere around line 40 will do. The file is located at /oracle/middleware/wlserver_10.3/server/bin/startNodeManager.sh
For all other, command line initiated, scripts, set the following environment variable:
JAVA_OPTIONS="-Dweblogic.ssl.JSSEEnabled=true"
export JAVA_OPTIONS
Starting the admin server will show this in the logging:
Starting WLS with line:
/oracle/jdk1.7.0_76/bin/java -server   -Xms1024m -Xmx2048m -XX:PermSize=256m -XX:MaxPermSize=512m 
-Dweblogic.Name=AdminServer -Djava.security.policy=/oracle/middleware/wlserver_10.3/server/lib/weblogic.policy
-Dweblogic.ProductionModeEnabled=true -Dweblogic.ssl.JSSEEnabled=true

Thursday, May 07, 2015

Access Denied - Access to administration console is restricted

Access Denied - Access to administration console is restricted.

Ran into it today. Again. This time I'll make a proper blog entry, not like this one...
This time I actually did follow my own advice, but for the fact that I am now working in a multi-homed WebLogic environment - I simply pasted the wrong WLS home...

Monday, March 30, 2015

Retrieving OAM keystore password

How to retrieve the password of OAM keystore

If you ever need it: the password of the default OAM keystore (which is generated) can be retrieved using:
cd /oracle/middleware/oracle_common/common/bin
./wlst.sh
connect()
domainRuntime()
listCred(map="OAM_STORE",key="jks")
If you would like to change it, use
resetKeystorePassword()

Wednesday, March 18, 2015

BEA-090898 during PlugIn activation in clusters

Be Secure

I did not mention it in my not-so-"OAM-in-a-day" entry, but when you run a clustered environment, make sure to set the "Secure" flag on the AdminServer and Managed Server configuration screens. It has more impact than setting the "Use JSSE" flag in the SSL/Advanced section of the WebLogic console, but if you failed to do so, that is one place to correct it.

Why?

No particular reason, other than the fact that OAM checks whether distribution and activation of custom plug-ins was done correctly by means of a HeartBeat. This HeartBeat is SSL, whatever your settings.
You see the problem arising...
Even if no SSL configuration is available, the HeartBeat is SSL - and will fail:
<BEA-090898> <Ignoring the trusted CA certificate "CN=CertGenCA,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US".
The loading of the trusted certificate list raised a certificate parsing exception PKIX:
Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
The plug-in will get the status "activation failed".
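A small log scanner for the warning quoted above, as an added example that is not part of the original post. It pulls the ignored CA subject and the offending OID out of the three-line BEA-090898 message and names the algorithm; 1.2.840.113549.1.1.11 is sha256WithRSAEncryption, so the message means the (non-JSSE) SSL stack dropped a SHA-256-signed certificate from its trust list, which is why the SSL-only HeartBeat, and with it the plug-in activation, fails. The function names are mine and the log in the test is constructed from the post's excerpt.

```sh
#!/bin/sh
# Added example, not from the original post. Scans a WebLogic server log for
# BEA-090898 ("Ignoring the trusted CA certificate ... Unsupported OID") and reports
# which CA was dropped and for which signature algorithm. Function names are assumptions.

# oid_name OID -> textual name of the PKCS#1 signature algorithm identifier
oid_name() {
    case $1 in
        1.2.840.113549.1.1.5)  echo sha1WithRSAEncryption ;;
        1.2.840.113549.1.1.11) echo sha256WithRSAEncryption ;;
        1.2.840.113549.1.1.12) echo sha384WithRSAEncryption ;;
        1.2.840.113549.1.1.13) echo sha512WithRSAEncryption ;;
        *)                     echo unknown ;;
    esac
}

# scan_bea090898 LOGFILE
# Prints one "subject|oid" line per ignored CA certificate; returns 0 if any were
# found (i.e. the log shows the problem), 1 if the log is clean.
scan_bea090898() {
    awk '
        /<BEA-090898>/ {
            n = split($0, q, "\"")          # subject sits between the first pair of quotes
            subject = (n >= 3) ? q[2] : "?"
            inmsg = 1
            next
        }
        inmsg && /Unsupported OID/ {
            oid = $NF                       # e.g. 1.2.840.113549.1.1.11.>
            sub(/\.?>$/, "", oid)           # strip the ".>" that closes the log message
            print subject "|" oid
            count++
            inmsg = 0
        }
        END { exit count ? 0 : 1 }
    ' "$1"
}

# report_bea090898 LOGFILE -> human-readable line per dropped CA
report_bea090898() {
    scan_bea090898 "$1" | while IFS='|' read -r subject oid; do
        printf 'ignored CA %s: signature algorithm %s (%s) not parsed by the non-JSSE SSL stack\n' \
            "$subject" "$(oid_name "$oid")" "$oid"
    done
}

# Usage:
#   report_bea090898 /oracle/user_projects/domains/oam_domain/servers/oam_server1/logs/oam_server1.log
```

If the scanner reports anything after the servers were restarted with JSSE, the flag did not reach that JVM; a clean scan plus a plug-in still in "activation failed" means the status in oam-config.xml is stale and needs the workaround below.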

Workaround

Make sure your settings in the (optional...) Configure Servers, Clusters and Machines screens have "Secure" selected.
This configuration will prevent the error from happening.

Otherwise, stop your Managed and Admin Servers and alter oam-config.xml: change the "activation-failed" status for the plug-in(s) into "activated", increase Version by 1, save oam-config.xml and start all servers again.
Mind you, this will bring down your services and will have an impact on SLA times.

Peter Abé of Oracle figured this out, and it has been fixed as of BP2.