Friday, September 26, 2014

Latest OAM certified against EBS

OAM 11.1.2.2 certified EBS

This blog entry shows OAM 11G Rel 2 PS2 (a.k.a. 11.1.2.2.0) is certified against the Oracle e-Business suite 11 and 12 as of February 2014. Just in case you missed it, like me.

Oracle e-business and SSO using OAM

The blog entry also references a series of articles on how to do e-Business Suite SSO using OAM.

Wednesday, September 24, 2014

Private Storage

Just a little project

I just happened to be upgrading my workstation, and was left with some spare parts. I had some memory modules, an old P5 motherboard, and several AT-style enclosures.
Also, I noticed my trusty Synology Diskstation began needing some larger disks. Or maybe it was time to replace it all together? Keeping up indexing my music and photos seems to become quite a daunting task, judging by the CPU load.

Xpenology!

It was while considering alternatives for my Synology, that I stumbled across xpenology. And, as I had the above mentioned spares, I decided to give it a try.
Log story short: I succeeded in creating an so-called "Synology XS3612xs" on a P5B, 4GB Ram, and an old 300GB Harddisk. Performance was awesome!
Unfortunalety, my P5B gave up on the battery; it kept forgetting it's BIOS settings. Replacing it did not help, so something else must have been broken. Besides, based on the blogs BYON, DIY-NAS and BBG Zuinige Server (Energy Efficient Server), I already kind of decided for a build which should be energy efficient. After all, the NAS is powered on almost 24/7.

My hardware selection

Motherboard: It should have many SATA connectors, silent, and have a Mini ATX format.
Based on Build Your Own NAS, I choose the Asus E2KM1I-DeLuxe; a complete, fanless mobo with an AMD-E2-2000 CPU, and 6 SATA6 interfaces. It can hold up to 16GB of memory in 2 slots; I used 2 of the 4 sticks I had left, totaling 8GB.
The real Synology DS3612xs gets delivered with 2GB, with an optional 4GB extra, so 8GB should be plenty. That set me back €129 - and I reused some left-overs
Case: A Fractal Design Node 304, a stylish black case with room to spare. One large, slow rotating fan. No Power Supply. Style comes with a price tag: €68
Power Supply: I opted for a Pico picoPSU-80, also because another space was a brick style PSU like used for laptops. These are quite efficient (at least the have better efficiency than an average ATX-style case with built-in PSU). Power set me back another €38
DisksI opted for 2 WB Red 3TB drives, to start with. The 304 allows 6 drives to be mounted, and that would -with current storage technology- give me a total gross storage of 30TB. Five drives (no more SATA interfaces) of 6TB each.
Using the Hybrid RAID technology, that would add up to 24TB net storage!
The drives set me back another €210.

Install

After installing the lot, the system would not boot up. I found out I needed a Pico P4 converter cable, which was clearly stated in the mobo manual - you need to power the 4 pin molex connector, or else the system will not start. Oh well, who reads manuals?

After that, it was time to get DSM installed. Boring. Just follow the instructions (create a boot USB, dowmload and install Synology Assistant and DSM image off the Synology site), and create a volume.

Performance

Here are some results, I used CrystalDiskMark under Windows (V7, Professional, 64 bit), as it seems an accepted tool for disk benchmarks.
Here is a test using a mapped drive (Z:)
I only have a 1Gbps connection between my workstation and the storage cabinet, with a 1Gbps router in the middle, so obviously I cannot transfer more than 1Gbps, or 100MB/sec, which seems pretty much the case, here.
The network seems to be the bottleneck, not the NAS!

For comparison, same test run against a locally attached 300GB SATA2 disk running 1,5Gbps:
It seems this disk is mis aligned. Not the point; the point is that this DIY NAS outperforms locally attached store, in my case. One more test, with large files (1GB, in stead of 100MB):

Conclusion

Starting off with scrap basically, you can build a performance NAS that will allow you to store your photos, videos and music, as well as act a iSCSI target for your Oracle experiments.
I decided to take it one step further, and spend a whopping €238 (yes, the molex adapter cable came at another €3-something) for a machine that goes for €2200. Storage is up to you, in my configuration (Hybrid RAID, 2 disks of 3TB each, net capacity 2.7TB) it added another €210.
The mentioned price for the DS3612xs is without storage, too. Of course it has other features, like dual ports, links aggregation, etc.

Monday, April 07, 2014

HTTP-404 on /oamconsole

WeblogicHost versus WeblogicCluster

Despite the fact, the oamconsole can not be clustered, it has to be "clustered". If you ever find yourself in a scenario, where your configure a webgate in front of your OAM Console, make sure you configure it like
############################################## ## Entries Required by Oracle Access Manager ############################################## # OAM Console <Location /oamconsole> SetHandler weblogic-handler WebLogicCluster oamhost1.home.local:7001, oamhost2.home.local:7001 </Location>
This looks wrong, as -when you actually are running the OAM console on oamhost1- you simply cannot navigate to oamhost2.home.local:7001/oamconsole. You *can* navigate to oamhost1.home.local:7001/oamconsole.
As you manually have to reconfigure the adminserver in case of disaster, you may consider putting this in your configuration:
############################################## ## Entries Required by Oracle Access Manager ############################################## # OAM Console <Location /oamconsole> SetHandler weblogic-handler WebLogicCluster oamhost1.home.local:7001 </Location>

This does NOT work

BTDT:
############################################## ## Entries Required by Oracle Access Manager ############################################## # OAM Console <Location /oamconsole> SetHandler weblogic-handler WebLogicHost oamhost1.home.local WebLogicPort 7001 </Location>
This is what the Enterprise Deployment Guide suggests.
My config uses WLS 10.3.6.0.7, OAM 11.1.2.2.0, RedHat Enterprise Linux Server release 6.5 (Santiago), Kernel version 2.6.32-431.el6.x86_64

Symptoms

Your call to /oamconsole is initially redirected, and produces a login screen. You seem to authenticate OKAY, as other screens can be accessed without being re-authenticated.
However, /oamconsole is not displayed, and results in a 404 (Not Found).
Hope this helps!

Sunday, April 06, 2014

OAMSSA-06252 after patching

Once upon a time..

you had a working environment with WebLogic, Access and Identity Management (or Discoverer, or ...) and all of a sudden things start failing.

Symptoms

You notice the dreaded OAMSSA-06252 (Policy Store not Available) while starting up, and start fearing the worst. Also, it seems as-if you cannot login to OAM management console anymore; your credentials are accepted, but you get an "Access Prohibited" error from OAM. Just resending the url (server:port/oamconsole) will get the console.

WLS security Patch 10.3.6.0.7 (WLS patch ID FCX7)

Then, you remember you rolled out Security patch 10.3.6.0.7 (Doc Id 1613601.1) a.k.a. WLS patch ID FCX7 last February. It turn out you need to reread the installation guide for OFM 11.1.2.2.0, in particular the Issues chapter!
Unfortunately, just applying the workaround mentioned in paragraph 2.1.7 is not enough.
You must also apply paragraph 2.1.8, but change the "grant codebase" mentioned to:
// Due to patched WLS... FvB 4-apr-2014 grant codeBase "file:/oracle/middleware/patch_wls1036/patch_jars/-" { permission java.security.AllPermission; // original: permission java.lang.RuntimePermission "oracle.*","read"; };
Hope this helps.

Monday, March 31, 2014

Customized pages with Distributed Credential Collector (DCC)

One of the worst documented areas in OAM; customizing pages with DCC.
One revelation: you must use login.pl when you want logout.pl to work, as login.pl seems to build the "Callback URL" list, that logout.pl uses to destroy the session cookies. Update sept 2014This blog entry of the ATeam looks promising: part two is on how to customize DCC login pages.

Wednesday, March 26, 2014

Access Management alternatives (Part 1: Directory Services)

Intro

At the governmental institute that hired me, I'm working hard to get the full Oracle Identity and Access Management (IAM) stack implemented.
A colleague suggested OpenIAM, which -at closer look- turns out to be a fork of what I believe to be the origin of the Oracle stack, Sun's OpenSSO.

So, I started at looking at this stack, which is available from ForgeRock. Let's start with the basis: directory services.

Directory Services

As Oracle moves away from Internet Directory (OID) and Virtual Directory (OVD) towards the Unified Directory server (OUD), I found that OUD actually is the Sun Directory Server. Just look at the installation logs of OUD, there are references to
org.opends.quicksetup.installer
And OpenDS was Sun's Directory Server (of which they carried an Enterprise Edition, too: ODSEE - OpenDirectoryServer EE, now dubbed Oracle Directory Server EE).
OpenDS was donated to the open source cummunity, and picked up by ForgeRock to become OpenDJ. Here is more info on that.

Acquire and Install

According to the Installation Manual, OpenDJ 2.6.1 is out, but I did not see a link on the download page. I will go for 2.6.0, noting that Oracle's plans to add capabilities to OUD are similar to OpenDJ's plans: OpenDJ V4 should be capable of virtualisation, like OVD.

Compatibility with Oracle products

There are several articles to be found on how to integrate this open stack with Oracle products like Forms, Reports, OBIEE, etc. I have not found any on Enterprise User Security and TNS Name resolving combined, so I will attempt to do that, as I have done for OUD as well.
Notable entries in the OUD setup log are:
$ORACLE_HOME/config/EUS/oracleContext.ldif
The installation should be simple:
- create "opensso" as install directory as well as as user.
- download and install the software
- configure OpenDJ

Installation Details

As root:
[root@openiam ~]# useradd opensso [root@openiam ~]# passwd opensso Changing password for user opensso. New password: Retype new password: passwd: all authentication tokens updated successfully. [root@openiam ~]# mkdir -p /opensso/mnt [root@openiam ~]# chown -R opensso /opensso [root@openiam ~]# mount -o soft,intr,rsize=32768,wsize=8192,nolock 192.168.4.199:/volume1/oracle /opensso/mnt
Now, I need Java, before installing OpenDJ (the "J" does signify Java...). I have the V8 rpm already downloaded, so let's see:
[root@openiam ~]# rpm -iv /opensso/mnt/Software/java/jre-8-linux-x64.rpm Preparing packages for installation... jre-1.8.0-fcs Unpacking JAR files... rt.jar... jsse.jar... charsets.jar... localedata.jar... jfxrt.jar... [root@openiam ~]# rpm -qa|grep -i jre jre-1.8.0-fcs.x86_64 [root@openiam ~]# rpm -iv /opensso/mnt/Software/Forgerock/opendj-2.6.0-1.noarch.rpm Preparing packages for installation... Pre Install - initial install opendj-2.6.0-1 Post Install - initial install
That's it. For now, I used the rpm, simply because it is the easiest way.

Configure

As the installation here was done using rpm - and that is root privileged, the setup can be executed as root. That allows for the program to run on privileged ports as 389 (LDAP) and 636 (LDAPS). These are the standard LDAP ports.

Whenever you do not want that, for whatever reason, do NOT run setup as non-root user, but do use the zip file; extract and run setup from whatever install directory as non-privileged user.
The latter option allows for none of the openDJ files and executables to be owned by root; the first will create an instance, owned by root (and therefor, able to open privileged ports).
The combo (install rpm as root, run setup as non-privileged user) does not work with additional fiddling (installer cannot create directories for the configuration).

Java 8 not supported

Tried to setup as root, with Java 8. It fails to generate self-signed certificates.
It also fails to launch the ControlPanel.
java.lang.Error: An unexpected error occurred launching the Control Panel. at org.opends.quicksetup.ui.QuickSetup$3.processBackgroundTask(QuickSetup.java:444) at org.opends.quicksetup.util.BackgroundTaskThread.run(BackgroundTaskThread.java:67) An unexpected error occurred launching the Control Panel. java.lang.Error: An unexpected error occurred launching the Control Panel. at org.opends.quicksetup.ui.QuickSetup$3.processBackgroundTask(QuickSetup.java:444) at org.opends.quicksetup.util.BackgroundTaskThread.run(BackgroundTaskThread.java:67) An unexpected error occurred launching the Control Panel.
It will probably fail in other places, too, and -as this is not on my todo list- I will simply revert to JRE7u51:
[root@openiam ~]# rpm -e jre error: Failed dependencies: jre >= 1.6 is needed by (installed) opendj-2.6.0-1.noarch [root@openiam ~]# rpm -e opendj jre Pre Uninstall - uninstall Server already stopped Post Uninstall - uninstall OpenDJ successfully removed. [root@openiam ~]# rpm -iv /opensso/mnt/Software/java/jre-7u51-linux-x64.rpm Preparing packages for installation... jre-1.7.0_51-fcs Unpacking JAR files... rt.jar... jsse.jar... charsets.jar... localedata.jar... jfxrt.jar... [root@openiam ~]# rpm -iv /opensso/mnt/Software/Forgerock/opendj-2.6.0-1.noarch.rpm Preparing packages for installation... Pre Install - initial install opendj-2.6.0-1 Post Install - initial install [root@openiam ~]# /opt/opendj/setup Launching graphical setup...
The screens are exactly what Oracle Unified Directory uses - Oracle did not yet brand this. Obviously Oracle did add TNS and EUS as options.
And there's a graphic control option, which will double as LDAP browser:
So far, so good.

Oracle specifics

Still on the ToDo list:
- extend the schema with Oracle specific Object Identifiers (OID's).
- extend the schema with Oracle specific ObjectClasses and ObjectTypes.
- prove TNS resolving and EUS can be used with OpenDJ.

As more people have attempted to get TNS Names resolving to work with OpenLDAP, this should not be too daunting a task.

Wednesday, February 12, 2014

Check this out: IAM 11G Rel2 V8

Oracle lanched Identity and Access management 11G Release 2, Version 8 (also known as V11.1.2.2.0) two weeks ago.
You should check it out. Some reasons why:
  1. Installation is so much easier
  2. Installation is error proof (the "just MUST run configuresecurity first, or redo all" error can not occur. Tested it)
  3. The interface (OAM Console) has had a major overhaul. It responds faster and is more consistent.
Really. Oracle did a fine job here.