Friday, August 14, 2015

OAM PS3 State-of-the-art

An attempt to run OAM 11G Release 2 PS3 on Oracle Linux 6.7, WLS 12C, RDBMS 12C.

Install Linux

Pretty straightforward. Used Oracle Linux 6.7, as 7 is not certified. Create a 200MB /boot and an LVM for /, both ext4. Install just the server. Deselect *all* options except X system and X legacy support (the OUI needs them). Some 566 packages will get installed. Make sure it boots and the network starts.

Linux Maintenance

Change /etc/sysconfig/selinux to read
SELINUX=disabled

I needed to run
ifup eth0
by hand after booting. Address that by editing /etc/sysconfig/network-scripts/ifcfg-eth0 and setting
ONBOOT=yes

Update to the latest:
yum update

Reboot...
As a pleasant surprise, my 6.6 was updated to 6.7, according to the boot messages.
Then, log in as root again, and start preparing for installs:
yum install oracle-rdbms-server-12cR1-preinstall

Also, add the following to /etc/sysctl.conf:
# IPv6 disabled
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

As the oracle preinstall package alters your grub configuration, you do want to... reboot.

Oracle installs

[root@tvs ~]# mkdir /oracle
[root@tvs ~]# chown oracle:oinstall /oracle
[root@tvs ~]# passwd oracle
Changing password for user oracle.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
As oracle:
[oracle@tvs ~]$ mkdir /oracle/depot
Mount my private storage:
[root@tvs ~]# mount -o soft,intr,rsize=8192,wsize=8192,nolock 192.168.4.198:/volume2/oracle/Software /oracle/depot

Database

/oracle/depot/12G/database/runInstaller - fails with
"PRVF-0002: could not retrieve local node name".

I have to modify the hosts file (/etc/hosts) and add the current IP address and host name. I chose to install just the software, for a single instance database, changed the base to /oracle/app, which changes the db software location to /oracle/app/product/12.1.0/dbhome_1. All else remains default.
Alter .bash_profile:
# Additional stuff
export ORACLE_HOME=/oracle/app/product/12.1.0/dbhome_1
export PATH=$ORACLE_HOME/bin:$PATH
export TNS_ADMIN=$ORACLE_HOME/network/admin

Java

Install the latest Java JDK; WLS 12C needs a development environment...
tar zxf /oracle/depot/weblogic/jdk-8u51-linux-x64.tar.gz -C /oracle
mkdir -p /oracle/java
mv /oracle/jdk1.8.0_51/* /oracle/java/
Alter .bash_profile, source it, and check:
export JAVA_HOME=/oracle/java/jre
export PATH=$JAVA_HOME/bin:$PATH
[oracle@tvs] . .bash_profile
[oracle@tvs] java -version
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)
This version is not aligned with the installers; they make Java throw this warning:
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512m; support was removed in 8.0

Use netca to create a listener, or do it manually, if you like that:
[oracle@tvs ~]$ cat /oracle/app/product/12.1.0/dbhome_1/network/admin/listener.ora
# listener.ora Network Configuration File: /oracle/app/product/12.1.0/dbhome_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = tvs)(PORT = 1521))
    )
  )

If you want to cut-n-paste the above code, make sure to manually start the listener, using lsnrctl start.

Repository Creation Utility

/oracle/depot/OFM/11.1.2.3.0/rcu_linux_11.1.1.9.0_64/rcuHome/bin/rcu

OK, that has no problems installing against a 12C database. I heard (never seen it, though) that previous versions would not install against 12C.

Weblogic 12C

java -jar -d64 /oracle/depot/weblogic/fmw_12.1.3.0.0_wls.jar
Do NOT start the Configuration Wizard. Also, make sure this is the first install in your middleware home: WLS refuses to install in a non-empty location.

OUD

Has been done before, nothing new, but for the Java version used here.
/oracle/depot/OFM/11.1.2.3.0/oud_11.1.2.3.0/Disk1/runInstaller -jreLoc $JAVA_HOME

Just as well create an instance, as described here.

OAM

Has been done before, too. Refer to that blog entry.

Redo...

WLS12C does NOT work with OAM. The config.sh never comes to an end other than "Too many parameters". Besides, it's not certified according to the matrix, and neither is Java 8. So, I guess state of the art is Linux 7 (yes, that is certified!), WLS 10.3.6.11, Java 7 update 80.

Wednesday, July 08, 2015

OAM PS3 - continued


Allow auto start (production mode) for your scripts:
cd /oracle/user_projects/domains/oam_domain/servers
mkdir -p oam_server1/security
mkdir -p omsm_server1/security
mkdir -p oam_policy_mgr1/security
vi oam_server1/security/boot.properties
cp oam_server1/security/boot.properties omsm_server1/security/
cp oam_server1/security/boot.properties oam_policy_mgr1/security/
You can now use command line scripts to start the other servers (oam_server1, omsm_server1, and oam_policy_mgr1), like so:
/oracle/user_projects/domains/oam_domain/bin/startManagedWebLogic.sh oam_server1

Starting using WLS Console (GUI)

In the OAM 11GRel2PS2 setup, I created a "machine". This is not a physical machine, just a weblogic placeholder. I need one to allow the nodemanager to start/stop all servers.
If I don't, I get these messages when trying to control (start/stop) a managed server via the admin server console:
So, log in on the console, expand Environment, click the "Lock & Edit" button, and create a New Machine:
The name does not really matter; as said, it is just a placeholder and bears no connection to any (physical) machine whatsoever. Leave OS type at Other; it is not Unix, and it is not Virtual (it is Linux).
Next, define the nodemanager. By default the nodemanager is created to listen in SSL mode, and it will listen on all addresses, so localhost should do.
In a serious clustered environment, you want to change the nodemanager to listen on the machine name or address, not just localhost; if you leave it at localhost, the nodemanager would not accept calls from the other cluster members.
Now, you can add the Admin, and managed servers to this machine, and control these from the GUI as well. Next task will be protecting resources.

Monday, June 15, 2015

refhost.xml kludge is fixed

No More missing packages

I wrote several times about manually editing refhost.xml. There's no need for it, just apply Patch 18231786.

Monday, June 08, 2015

Wrong Java version on Unified Directory Server

Wrong version Java

After losing the battle with the OS guys for control over java, I keep stumbling upon environments that have wrong java versions due to the fact that java is installed in /usr/java, or /usr/bin.
In such cases, this is the result:
which java
/usr/bin/java
As I do not have control over /usr/bin, I install java in /oracle/middleware/java, so I would like
which java
/oracle/middleware/java/jre/bin/java

Adapting OUD

Luckily, adapting OUD to use another Java proves quite easy; just alter $MW_HOME/asinst_1/OUD/lib/set-java-home and $MW_HOME/asinst_1/OUD/config/java.properties to point to the correct java environment, and bounce the ldap server.

Wednesday, June 03, 2015

OAM PS3

Identity and Access Management Patch Set 3

It was launched last week. I had seen it in March, during a partner event in Paris, and there are quite a few changes and improvements to get excited about.

Install over previous (not upgrade)

I cloned my PS2 OAM machine, and the plan is to get PS3 running asap. So, I fire up the V11.1.1.9 RCU, and drop the existing schemas.
Next, rerun the RCU, and create the schemas:
Note the Mobile Security - that's new...

Install OUD V11.1.1.9.0

Yep - that's new as well...
[oracle@oam ~]$ /mnt/orainst/Software/OFM/11.1.2.3.0/oud_11.1.2.3.0/Disk1/runInstaller -jreLoc $JAVA_HOME

Install WebLogic

Same as before, 10.3.6.0, but with a load of patches. These will require you to run JSSE!
A list of patches (but hold on downloading each of these!) :
18398295 (FSG4)
        This Oracle WebLogic Server patch is required only if you are using 
        Multi Byte Character Set.
Bit of an odd remark for an OAM installation guide, as OAM practically dictates you use AL32UTF8 for the standard characterset in your repository database.
14404715 (ZARV)        This is a mandatory Oracle WebLogic Server patch.

16844206 (NPM3)        This is a mandatory Oracle WebLogic Server patch.
Looks like that is only on MS Win, as the description is "WLST CANNOT GET ENV ON WINDOWS SERVER 12 WITH MINIMAL ENV"
13964737 (YVDZ)        This is a mandatory Oracle WebLogic Server patch when running 
Oracle WebLogic Server on Oracle JDK 7.
After you apply this patch to your WebLogic Server Middleware home, you must start 
the Node Manager, the WebLogic Administration Server, and the various Managed Servers 
with Java Secure Socket Extension (JSSE) enabled. To start the Node Manager with JSSE 
enabled, see the "Set the Node Manager Environment Variables" topic in Node Manager 
Administrator's Guide for Oracle WebLogic Server.

After starting Node Manager with JSSE enabled, you must start the 
WebLogic Administration Server and Managed Servers with JSSE enabled. 
For more information, see the "Using the JSSE-Enabled SSL Implementation" topic in 
Securing Oracle WebLogic Server.

14174803 (IMWL)        This is a mandatory Oracle WebLogic Server patch when running 
Oracle WebLogic Server on Oracle JDK 7. 
After you apply this patch to your WebLogic Server Middleware home, you must start 
the Node Manager, the WebLogic Administration Server, and the various Managed Servers 
with Java Secure Socket Extension (JSSE) enabled. To start the Node Manager with JSSE 
enabled, see the "Set the Node Manager Environment Variables" topic in Node Manager 
Administrator's Guide for Oracle WebLogic Server.

After starting Node Manager with JSSE enabled, you must start the 
WebLogic Administration Server and Managed Servers with JSSE enabled. 
For more information, see the "Using the JSSE-Enabled SSL Implementation" topic in 
Securing Oracle WebLogic Server.

17938462 (XECL)         This is a mandatory Oracle WebLogic Server patch when running 
Oracle WebLogic Server on Oracle JDK 7.

13114768 (56MM)        This is a mandatory Oracle WebLogic Server patch.

15865825 (CM69)        This is a mandatory Oracle WebLogic Server patch.

14809365 (XA6W)        This is a mandatory Oracle WebLogic Server patch.
Apart from all that, I would also apply 20181997 (YUIS): WLS PATCH SET UPDATE 10.3.6.0.11

Install OAM

[oracle@oam ~]$ /mnt/orainst/Software/OFM/11.1.2.3.0/Disk1/runInstaller -jreLoc $JAVA_HOME
You no longer need to kludge the refhost.xml file:

WLS Patching

cd /oracle/middleware/utils/bsu
mkdir cache_dir
cd cache_dir
unzip /mnt/orainst/Software/weblogic/p20181997_1036_Generic.zip
cd ..
./bsu.sh -install -patch_download_dir=/oracle/middleware/utils/bsu/cache_dir -patchlist=YUIS -prod_dir=/oracle/middleware/wlserver_10.3
Remove README.txt from the cache_dir, and repeat for
  • p17938462_1036_Generic.zip (XECL)
  • p13964737_1036_Generic.zip (YVDZ)
There is no need for
  • p15865825 (CM69)
  • p14809365 (XA6W)
  • p14404715 (ZARV)
  • p14174803 (IMWL)
as they conflict with, or better, are resolved by YUIS.
See MOS DocID 1997891.1 (bugs resolved by WLS 10.3.6.0.11).

p13114768_1036_Generic.zip (56MM) is not listed in this document, yet reports it cannot co-exist with YUIS:
[oracle@oam bsu]$ ./bsu.sh -install -patch_download_dir=/oracle/middleware/utils/bsu/cache_dir -patchlist=56MM -prod_dir=/oracle/middleware/wlserver_10.3
Checking for conflicts...
Conflict(s) detected - resolve conflict condition and execute patch installation again
Conflict condition details follow:
Patch 56MM is mutually exclusive and cannot coexist with patch(es): YUIS

Configure

OUD

OUD - has been done on previous entries. Some things have changed; the default memory assignments could be a bit less (although I could not get them below 1GB initial). Also, there's the possibility for DIP integration directly in OUD (i.e. not needing the ODSM weblogic stack???):

OAM

Has also been done before, but there are slight differences:
All I chose here was Oracle Access Management and Mobile & Social (renamed from Oracle Access Management), as well as the Entitlement Server for the Admin server.
Do NOT start the OAM stack yet! You (still) need to follow chapter 11 "Configuring Database Security Store ... ":
cd /oracle/middleware/oracle_common/common/bin
./wlst.sh /oracle/middleware/Oracle_IDM1/common/tools/configureSecurityStore.py \
  -d /oracle/user_projects/domains/oam_domain -c IAM -m create -p [your OPSS password]

Start it up

Enable autostart (Production Mode)

cd /oracle/user_projects/domains/oam_domain
mkdir -p servers/AdminServer/security
vi servers/AdminServer/security/boot.properties
/oracle/user_projects/domains/oam_domain/startWebLogic.sh
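The boot.properties steps (here for the AdminServer, and earlier on this page for oam_server1, omsm_server1 and oam_policy_mgr1) as an added shell example that is not part of the original post: it creates the file for each server with owner-only permissions, because until the first start encrypts the values the file holds the admin password in clear text, it refuses to overwrite an already encrypted file, and it checks the result. The domain path, user and password are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post. Creates
# $DOMAIN/servers/<srv>/security/boot.properties for each server given,
# readable only by the owner, and never overwrites an existing file
# (after the first start WLS rewrites it with encrypted values).
make_boot_properties() {
  domain_home=$1; user=$2; pass=$3; shift 3
  for srv in "$@"; do
    dir="$domain_home/servers/$srv/security"
    mkdir -p "$dir"
    chmod 700 "$dir"
    f="$dir/boot.properties"
    if [ -f "$f" ]; then
      echo "skip: $f already exists" >&2
      continue
    fi
    # umask in a subshell so the file is born 0600, not created 0644 then tightened
    ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$f" )
    chmod 600 "$f"
  done
  return 0
}

# Verify every boot.properties is mode 600 and carries both keys WLS expects.
# Returns 0 when all servers pass, 1 otherwise (details on stderr).
check_boot_properties() {
  domain_home=$1; shift
  rc=0
  for srv in "$@"; do
    f="$domain_home/servers/$srv/security/boot.properties"
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    if [ "$mode" != "600" ]; then
      echo "bad mode '$mode': $f" >&2; rc=1
    fi
    grep -q '^username=' "$f" && grep -q '^password=' "$f" \
      || { echo "missing username/password key: $f" >&2; rc=1; }
  done
  return $rc
}
```

Run it as the oracle user against the real domain home (here /oracle/user_projects/domains/oam_domain) with the admin credentials, then start the servers as in the post.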
One thing that I noticed, was the amount of logging during the initial startup: it has been decreased enormously! You will see
SEVERE: Failed to communicate with any of configured Access Server, ensure that it is up and running.
That is a configuration issue that I will take care of. Several other errors (Primary Keys violated...) seem to have no effect; after about 5 minutes, I can log in to the new interface (yet again...):
A lot of defaults are now available out of the box that you had to think of yourself in the previous release; even the dreaded favicon is now excluded. Happily surprised!

Getting rid of the SEVERE error

Login to the WLS console (http://your_oam_host:7001/console), navigate to the security realm MyRealm, go to the Providers tab, and delete IAMSuiteAgent:
You will have to stop and start the Admin Server...

Finalize WLS Patching

One of the results of patching WLS is the prerequisite to use JSSE. The easiest way is to set the "Use JSSE" flag for all managed servers (WLS console, Lock and Edit, Environment, Servers, select a server, navigate to the SSL tab, scroll to the bottom, click 'Advanced', and, at the bottom, enable JSSE). After applying the changes, stop all servers.
For the node manager, edit the startNodeManager.sh script and add the following lines somewhere at the top of the file:
JAVA_OPTIONS="-Dweblogic.ssl.JSSEEnabled=true"
export JAVA_OPTIONS
Somewhere around line 40 will do. The file is located at /oracle/middleware/wlserver_10.3/server/bin/startNodeManager.sh
For all other, command-line initiated scripts, set the same environment variables:
JAVA_OPTIONS="-Dweblogic.ssl.JSSEEnabled=true"
export JAVA_OPTIONS
Starting the admin server will show this in the logging:
Starting WLS with line:
/oracle/jdk1.7.0_76/bin/java -server   -Xms1024m -Xmx2048m -XX:PermSize=256m -XX:MaxPermSize=512m 
-Dweblogic.Name=AdminServer -Djava.security.policy=/oracle/middleware/wlserver_10.3/server/lib/weblogic.policy
-Dweblogic.ProductionModeEnabled=true -Dweblogic.ssl.JSSEEnabled=true

Thursday, May 07, 2015

Access Denied - Access to administration console is restricted

Access Denied - Access to administration console is restricted.

Ran into it, today. Again. This time, I'll make a proper blog entry, not like this one...
This time, I actually did follow my own advice, but for the fact that I now am working in a multi-homed WebLogic environment; I simply pasted the wrong WLS home...

Monday, March 30, 2015

Retrieving OAM keystore password

How to retrieve the password of OAM keystore

If you ever need it: the password of the default OAM keystore (which is generated) can be retrieved using:
cd /oracle/middleware/oracle_common/common/bin
./wlst.sh
connect();
domainRuntime()
listCred(map="OAM_STORE",key="jks")
If you would like to change it, use
resetKeystorePassword()