Hermans Hermits...
No, no postings today (or yesterday) as it's simply too hot to sit behind a screen: 30 °C, at 80 or 90% humidity... Pffft.
Luckily it will be just 18 °C as of Monday... It's all or nothing over here.
Saturday, May 28, 2005
Thursday, May 26, 2005
Enterprise Security VI: Bolts and Nuts
The Oracle Certificate Authority is one of the things I will need for Single Sign On; in Oracle, this means having a certificate in your electronic wallet, signed by a trusted authority, to ensure you are who you claim to be.
That means I have to request a certificate from an authority (that would be... me!). Let's see how things look; there are two entries: a user one, and an administrative one.
The user OCA site shows the option to install the server certificate in my browser:
This is an Authority Certificate, a base, that will be used to verify that other certificates from this site are genuine.
Now let's take a look at the administrative side; it looks as if we need to generate yet another certificate:
Not much I can do but go ahead with it, so click on Click here:
Okay - that was not difficult - install the certificate, and we're done.
If I now go back to the /oca/admin page, I can query the certificates, issued by this authority:
As you can see, the first one is the one generated during the installation, and it's a certificate that can be used to sign other certificates, or CRLs (Certificate Revocation Lists).
The second certificate is the server certificate, and it's meant to identify the server (csdb01.cs.nl). The third is similar, but for the client (which happens to reside on the same machine...).
The fourth certificate is the one I just created as part of the OCA setup, and will identify me as administrator of this Authority. To prove that, I went back to the user part of OCA, and used the second option (use your certificate) to authenticate. Instead of 'server did not accept certificate' I now get this presented:
Four - nil for me, I'd say... At least, that part of the deal works: I can now request and authorize (sign) digital certificates. And I will need that ability to sign certificate requests from ... me. Eehrm - make that 'any of my employees', working here, at CarrotSoft, Inc.
Getting a Server Certificate.
OK - time for configurations. First of all, I need to make it possible for the server to validate against a wallet. In order to do that, I need to create a wallet, and need a server DN certificate. Let's pull up the OCA screen, and display the details of certificate #1, the trusted Van Bortel Certificate authority. Also fire up the Oracle Wallet Manager, using the owm command in a VNC window. Open a new Wallet, provide a password, but do not request a certificate yet.
From your web browser, copy all of the letter garbage under the header Base-64 Encoded Certificate with CA certificate chain, including the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----'.
Switch to the Wallet Manager; from the menu, select Operations, Import Trusted Certificate, and paste the certificate:
It is all about the certificate authority; the Van Bortel Certificate Authority should be added:
Of course, in real life situations you should get your certificates from a genuine authority, but for internal, or test use, why should you? This step was only necessary because I do my own signing, and I trust myself to know me to vouch for me that I am me.
Now, let's request a certificate; still using the Wallet manager on the server, choose Operations, Add Certificate Request. I use the Advanced CN, and filled in CN=o10gR1, CN=OracleContext, DC=nl, DC=cs. The Certificate property will change from Empty to Requested.
Highlight the Certificate entry, and the right hand panel will show similar letter gobbledygook as before: it is the server's encrypted request. Copy the request, again: from, and including, the first hyphen, up to and including the last hyphen.
In the OCA web browser window, that is still open, press the OK button. Press the 'Request a Certificate' button in the upper right corner. Paste the certificate request in the PKCS#10 field, fill in the contact information, and press the submit button.
Nothing is going to happen with the contact information - it is just information the human administrator can use if questions arise about the request - no part of it will be incorporated into the certificate.
You will see something like:
Your certificate request is accepted. Administrator will contact you for certificate issuance.
- Your request ID is "4".
- Please use this request ID for future reference.
You will see:
Certificate Request is approved.
- The serial number of the issued certificate is "5".
- Requestor Name:frank.van.bortel
- Requestor E-Mail ID:frank.van.bortel@xxxxxxxxx.com
In the Wallet manager, the Certificate status should change from Requested to Ready.
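A pre-import check for the copy-and-paste steps above, as an added example that is not part of the original post or of Oracle's tooling: it confirms that a pasted block runs from the BEGIN line through the matching END line, that no Base-64 line was lost on the way, and returns a SHA-256 fingerprint that can be compared out of band with the CA's own copy before the certificate is trusted. The sample bytes are constructed (not a real certificate) and all function names are hypothetical.

```python
import base64
import binascii
import hashlib
import re

# One PEM block; the label (CERTIFICATE, NEW CERTIFICATE REQUEST, ...) is
# captured on both the BEGIN and the END line so they can be compared.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)


def der_total_length(der):
    """Total size (header + body) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold it
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pasted_pem(text):
    """Validate every PEM block in pasted text; return one dict per block."""
    results = []
    for match in PEM_RE.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError(f"BEGIN {begin!r} does not match END {end!r}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt Base-64 in {begin} block: {exc}")
        declared = der_total_length(der)
        if declared != len(der):
            raise ValueError(
                f"{begin} block holds {len(der)} bytes, DER header "
                f"declares {declared}: the paste is incomplete")
        results.append({"label": begin, "der_len": len(der),
                        "sha256": hashlib.sha256(der).hexdigest()})
    if not results:
        raise ValueError("no complete PEM block (BEGIN or END line missing)")
    return results


def is_complete(text):
    """True when the pasted text passes every check above."""
    try:
        check_pasted_pem(text)
        return True
    except ValueError:
        return False


def make_sample(label, der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def drop_line(text, index):
    """Simulate a sloppy copy that loses one line of the paste."""
    lines = text.splitlines()
    del lines[index]
    return "\n".join(lines) + "\n"


# Constructed sample: a 260-byte DER SEQUENCE with filler content, preceded
# by the page heading a browser copy would typically drag along.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PASTE = ("Base-64 Encoded Certificate with CA certificate chain\n"
                + make_sample("CERTIFICATE", SAMPLE_DER))

if __name__ == "__main__":
    for block in check_pasted_pem(SAMPLE_PASTE):
        print(block["label"], block["der_len"], block["sha256"])
    print("Base-64 line lost:", is_complete(drop_line(SAMPLE_PASTE, 3)))
    print("END line lost:    ", is_complete(drop_line(SAMPLE_PASTE, -1)))
```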
Enterprise Security V: Infrastructure wrap up
Following the infrastructure installations, I should now be able to see my database server on the internet, or rather: intranet - a firewall should protect that machine from alien contacts. Fooling around, I found the certificate authority was not active. It has to be started by hand, and even after that it does not start, or restart, using the HTML interface:
/o/ias10/oca/bin/ocactl start
I suddenly am the proud owner of a farm. Oracle could have warned me; I'm not into early retirement -yet-!
I expected to see that OracleAS somewhere - here it is. Let's see if I can get the lot to use somewhat less of my precious memory, which is not present in abundance. After all, I have just a test box with one occasional user (me!), and I do not need the (semi-) production settings with which the Oracle Application Server obviously comes by default.
I mean, just look at the memory usage of the http server alone: 133MB! Let's go over the configuration by using the HTTP Server link, and selecting the Administration tab.
Follow the 'Advanced Server Properties' link, which gives you an overview of all configuration files. Click on the ones you want to edit:
I started with httpd.conf, and changed some lines; here's a diff output:
[oracle10@csdb01 conf]$ diff httpd.conf httpd.conf.smibak
114c114
<> MaxKeepAliveRequests 100
147c147
<> MaxClients 150
162c162
<> MaxRequestsPerChild 0
1074a1075
>
485c485
< # AddLanguage et .ee --- > # AddLanguage et .ee
494c494
< # AddLanguage it .it --- > # AddLanguage it .it
533c533
< # LanguagePriority ar en da nl et fi fr de el it ja ko kr no pl pt pt-br ro ru ltz ca es sk sv th tr zh-cn zh-tw zh-cn --- >%2
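Review bot: In the 533c533 hunk the edited httpd.conf (the "<" side, since the command is "diff httpd.conf httpd.conf.smibak") has the whole LanguagePriority directive commented out, so as far as the visible hunks show, the English and Dutch variants the text wants to keep are left without a stated preference order; trimming the directive to "LanguagePriority en nl" would keep one. The argument order also puts the edited file first, so "<" lines are the new settings and ">" lines are the backup, the reverse of the usual old-then-new reading; "diff httpd.conf.smibak httpd.conf" gives the conventional direction.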
Basically - I do not want so many processes to start up front, and I do not need support for languages other than English and Dutch, with the corresponding character set, ISO8859P1. All others are commented out by means of a number sign (#) in column 1.
Restart the httpd server, and now that component uses just 23MB - a reduction of over 75%! I can live with that.
Watch out...
Behold the two entries in a tnsnames.ora file:
Seems pretty straightforward, no? Yet, one entry works, and the other does not:
FRANK.CS.NL =
(description =
(address=(protocol=BEQ)(PROGRAM = ORACLE)
(ARGV0=oracleDB920)
(ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=BEQ)))'))
(CONNECT_DATA =(SID=DB920)
)
)
FRANKIE.CS.NL =
(DESCRIPTION=
(ADDRESS = (PROTOCOL = BEQ)(PROGRAM=oracle)
(ARGV0=oracledb920)
(ARGS='(DESCRIPTION=(LOCAL=yes)(ADDRESS=(PROTOCOL=BEQ)))'))
(CONNECT_DATA=(SID=db920)
)
)
C:\>tnsping frank
TNS Ping Utility for 32-bit Windows: Version 9.2.0.4.0 - Production on 26-MAY-2005 10:18:45
Copyright (c) 1997 Oracle Corporation. All rights reserved.
Used parameter files:
D:\oracle\ora92\network\ADMIN\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (description = (address=(protocol=BEQ)(PROGRAM = ORACLE) (
ARGV0=oracleDB920) (ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=BEQ)))')) (
CONNECT_DATA =(SID=DB920)))
TNS-12560: TNS:protocol adapter error
C:\>tnsping frankie
TNS Ping Utility for 32-bit Windows: Version 9.2.0.4.0 - Production on 26-MAY-2005 10:20:52
Copyright (c) 1997 Oracle Corporation. All rights reserved.
Used parameter files:
D:\oracle\ora92\network\ADMIN\sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION= (ADDRESS = (PROTOCOL = BEQ)(PROGRAM=oracle)
(ARGV0=oracledb920) (ARGS='(DESCRIPTION=(LOCAL=yes)(ADDRESS=(PROTOCOL=BEQ)))'))
(CONNECT_DATA=(SID=db920)))
OK (30 msec)
This is Windows/2000.
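To make the comparison of the two entries mechanical, the following added example (not part of the original post; function names are hypothetical) parses both descriptors as copied from above, including the quoted ARGS value, and lists every parameter whose value differs. It shows that the entries differ only in letter case and in which parameters; it does not establish which of those values the BEQ adapter on this host rejects.

```python
def flatten(descriptor, prefix=""):
    """Flatten a (KEY=VALUE) Net descriptor into {path: value}.

    Keywords are upper-cased to build the path; values are kept verbatim.
    """
    text, n, i = descriptor, len(descriptor), 0
    leaves = {}

    def skip_ws():
        nonlocal i
        while i < n and text[i].isspace():
            i += 1

    def item(path):
        nonlocal i
        skip_ws()
        if i >= n or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        start = i
        while i < n and text[i] not in "=()":
            i += 1
        if i >= n or text[i] != "=":
            raise ValueError(f"expected '=' at offset {i}")
        path = f"{path}/{text[start:i].strip().upper()}".lstrip("/")
        i += 1
        skip_ws()
        if i < n and text[i] == "(":            # nested parameters
            while i < n and text[i] == "(":
                item(path)
                skip_ws()
        elif i < n and text[i] == "'":          # quoted value, e.g. ARGS
            end = text.find("'", i + 1)
            if end < 0:
                raise ValueError("unterminated quote")
            inner = text[i + 1:end]
            if inner.lstrip().startswith("("):  # a descriptor inside quotes
                leaves.update(flatten(inner, path))
            else:
                leaves[path] = inner
            i = end + 1
            skip_ws()
        else:                                   # bare value up to ')'
            start = i
            while i < n and text[i] != ")":
                i += 1
            leaves[path] = text[start:i].strip()
        if i >= n or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        i += 1

    item(prefix)
    skip_ws()
    if i != n:
        raise ValueError(f"unexpected text at offset {i}")
    return leaves


def split_entry(entry):
    """Split 'ALIAS = (descriptor)' into (alias, descriptor)."""
    alias, _, descriptor = entry.partition("=")
    return alias.strip(), descriptor.strip()


def compare_entries(entry_a, entry_b):
    """Return (path, value_a, value_b, kind) for every differing parameter."""
    fa = flatten(split_entry(entry_a)[1])
    fb = flatten(split_entry(entry_b)[1])
    diffs = []
    for path in list(fa) + [p for p in fb if p not in fa]:
        va, vb = fa.get(path), fb.get(path)
        if va == vb:
            continue
        same_but_case = None not in (va, vb) and va.lower() == vb.lower()
        diffs.append((path, va, vb, "case only" if same_but_case else "value"))
    return diffs


# The two entries exactly as they appear in the post.
FRANK = """FRANK.CS.NL =
(description =
(address=(protocol=BEQ)(PROGRAM = ORACLE)
(ARGV0=oracleDB920)
(ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=BEQ)))'))
(CONNECT_DATA =(SID=DB920)
)
)"""

FRANKIE = """FRANKIE.CS.NL =
(DESCRIPTION=
(ADDRESS = (PROTOCOL = BEQ)(PROGRAM=oracle)
(ARGV0=oracledb920)
(ARGS='(DESCRIPTION=(LOCAL=yes)(ADDRESS=(PROTOCOL=BEQ)))'))
(CONNECT_DATA=(SID=db920)
)
)"""

if __name__ == "__main__":
    for path, a, b, kind in compare_entries(FRANK, FRANKIE):
        print(f"{path}: {a!r} vs {b!r} ({kind})")
```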
Remarkable trivia
FLAP and DG-031
Having a genetic change in your FLAP gene causes the chance to get a cardiac arrest (cardiac infarct) to double. Cholesterol just increases the same chance by 1.6. Icelandic scientists have found this [Journal of the American Medical Association, 2005-05-11]. FLAP (or 5-lipoxygenase-activating protein) increases production of leukotriene B, a substance that causes veins to become inflamed. 30% of a large group of heart patients in the USA also suffered from high levels of leukotriene; it is suspected to cause heart diseases in other regions than Iceland as well.
DG-031 was found to be effective: 26% reduction, causes 20% less heart tissue to deteriorate over three years.
The Fastest Flower on Earth
The Canadian cornus (cornus canadensis) has the fastest flower [Nature, 2005-05-12] on earth: it opens in less than 1 millisecond, to release pollen. Acceleration is 2400G to 3.1 m/s, the flower leaves turn aside with a speed of 6.7 m/s. Pollen reaches a height of about 2.5 cm, or ten times the height of the flower itself.
This movement is faster than the opening of Impatiens pallida (2.8-5.2 ms), the shutting of the Venus flycatching flower (Dionaea muscipula - 100 ms), even faster than animals: a jumping cicada (Philaenus spumarius: 0.5-1 ms), or the catching praying mantis (Odontodactylus scyllarus: 2.7 ms).
Tuesday, May 24, 2005
Enterprise Security IV: The Application Server Infrastructure installation
Time to get the installer on the server back up! Choose the Infrastructure install, followed by Identity Management (I already installed the Repository). After some checks (not all values meet the requirements), finally the options screen pops up.
Choose the following:
Make sure to include the Certificate Authority - omitting it here means installation in another oracle_home later... I use automatic port assignment. Entering details about the repository; note the remark about how the repository should not be registered...
I'll accept the namespace - it's what I use internally (cs.nl), even though it poses a risk. If I had to do my internal network again, I would choose a really non-existent domain, like cs.home, or vanbortel.home. After all - there is a possibility someone else might like cs.nl.
For now, I'll be my own Certificate Authority :)
One slight error in the above picture: you cannot have a comma in your Distinguished Name!
Oracle Certificate Authority administrator gets a password of welcome1, as does the ias_admin. The Oracle Application Server instance I called OracleAS. I think we will see that in Enterprise Manager, later on.
Finally, the installation is about to start:
Note the 1.1GB space needed, and 227 (!) products, that are about to be installed... After a while, and after running the root.sh script that does a lot:
Entering Oracle Internet Directory Root Installation Section
OiD Server Installation
Checking LDAP binary file protections
Setting oidmon file protections
Setting oidldapd file protections
Setting oidrepld file protections
Setting oidpasswd file protections
Setting oidemdpasswd file protections
Setting oidstats.sh file protections
Setting remtool file protections
Setting oiddiag file protections
Setting oiddt file protections
Leaving Oracle Internet Directory Root Installation Section
and some (22!) configuration assistants, the final screen appears, with the links to be used for maintenance.
And am I glad I did not have to type all this:
Output generated from configuration assistant "Unlock Metadata Repository Schemas Configuration Assistant.":
Schema Unlocked : ODS
Schema Unlocked : DCM
Schema Unlocked : OCA
Schema Unlocked : DSGATEWAY
Schema Unlocked : UDDISYS
Schema Unlocked : DISCOVERER5
Schema Unlocked : WIRELESS
Schema Unlocked : ORASSO
Schema Unlocked : ORASSO_PUBLIC
Schema Unlocked : ORASSO_PS
Schema Unlocked : ORASSO_DS
Schema Unlocked : ORASSO_PA
Schema Unlocked : PORTAL
Schema Unlocked : PORTAL_PUBLIC
Schema Unlocked : PORTAL_APP
Schema Unlocked : PORTAL_DEMO
Schema Unlocked : OWF_MGR
Schema Unlocked : WKSYS
Schema Unlocked : WKPROXY
Schema Unlocked : ORAOCA_PUBLIC
Schema Unlocked : WCRSYS
Schema Unlocked : B2B
The config tool succeeded. See the log file /o/ias10/config/infratool_unlock_schema.log for more details.
Configuration assistant "Unlock Metadata Repository Schemas Configuration Assistant." succeeded
================================================================================================================
Output generated from configuration assistant "Oracle Net Configuration Assistant":
Parsing command line arguments:
Parameter "orahome" = /o/ias10
Parameter "orahnam" = oracleas1
Parameter "responsefile" = /o/ias10/network/install/netca_asinstall.rsp
Done parsing command line arguments.
Oracle Net Services Configuration:
Default local naming configuration complete.
Created net service name: o10gR1
Profile configuration complete.
Oracle Net Services configuration successful. The exit code is 0
Configuration assistant "Oracle Net Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "HTTP Server Configuration Assistant":
Configuration assistant "HTTP Server Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "OC4J Configuration Assistant":
2
Configuration assistant "OC4J Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Java Security Configuration Assistant":
Invoking command:/o/ias10/dcm/bin/dcmctl resyncInstance
status = 0
Dcmctl resyncInstance completed successfully
Oracle JAAS [Tue May 24 19:20:18 CEST 2005] admin password is changed successfully
Invoking command:/o/ias10/dcm/bin/dcmctl updateConfig
status = 0
Oracle JAAS [Tue May 24 19:20:28 CEST 2005] password change is propagated successfully
Please check the log file [/o/ias10/cfgtoollogs/jaznca.log] for details.
Configuration assistant "Java Security Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "OracleAS Instance Configuration Assistant":
Configuration assistant "OracleAS Instance Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Internet Directory Configuration Assistant":
-> LOADING: /o/ias10/ldap/install/oidssl.sbs
-> LOADING: /o/ias10/ldap/install/oidconfig1.sbs
csdb01_o10gr1
Oracle Internet Directory Configuration completed successfully.
Configuration assistant "Internet Directory Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Directory Integration Platform Configuration Assistant":
Registering for the first time...
Directory Integration Platform Configuration completed successfully.
Configuration assistant "Directory Integration Platform Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Infrastructure Schema Configuration Assistant":
-> LOADING: /o/ias10/config/iasrepo.ldif
The config tool succeeded. See the log file /o/ias10/config/schemaload.log for more details.
Configuration assistant "Infrastructure Schema Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Infrastructure Instance Configuration Assistant":
The config tool succeeded. See the log file /o/ias10/config/infratool_instance_jazn.log for more details.
Configuration assistant "Infrastructure Instance Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Oracle Application Server Randomize Password":
Warning! Schema not found OEM_REPOSITORY
Password randomization succeeded for schema DSGATEWAY
Password randomization succeeded for schema UDDISYS
Password randomization succeeded for schema WIRELESS
Password randomization succeeded for schema PORTAL
Password randomization succeeded for schema PORTAL_PUBLIC
Password randomization succeeded for schema ORASSO
Password randomization succeeded for schema ORASSO_PUBLIC
Password randomization succeeded for schema ORASSO_PS
Password randomization succeeded for schema ORASSO_PA
Password randomization succeeded for schema ORASSO_DS
Password randomization succeeded for schema DCM
Password randomization succeeded for schema OCA
Password randomization succeeded for schema ORAOCA_PUBLIC
Password randomization succeeded for schema DISCOVERER5
Password randomization succeeded for schema PORTAL_DEMO
Password randomization succeeded for schema WKSYS
Password randomization succeeded for schema WKPROXY
Password randomization succeeded for schema PORTAL_APP
Password randomization succeeded for schema OWF_MGR
Password randomization succeeded for schema WCRSYS
Password randomization succeeded for schema B2B
Configuration assistant "Oracle Application Server Randomize Password" succeeded
================================================================================================================
Output generated from configuration assistant "Single Sign-On Configuration Assistant":
CLASSPATH=/o/ias10/jlib/repository.jar:/o/ias10/sso/lib/ossoca.jar:/o/ias10/lib/xmlparserv2.jar:/o/ias10/jdbc/lib/classes12.jar:/o/ias10/jdbc/lib/nls_charset12.jar:/o/ias10/jlib/jndi.jar:/o/ias10/jlib/ojmisc.jar:/o/ias10/j2ee/home/jazn.jar:/o/ias10/j2ee/home/jaas.jar:/o/ias10/jdk/lib/rt.jar:/o/ias10/jdk/lib/i18n.jar:.:/o/ias10/sysman/webapps/emd/WEB-INF/lib/emd.jar:/o/ias10/dcm/lib/dcm.jar:/o/ias10/sysman/webapps/emd/WEB-INF/lib/portalSMI.jar:/o/ias10/jlib/emConfigInstall.jar:/o/ias10/lib/dms.jar:/o/ias10/opmn/lib/ons.jar:/o/ias10/j2ee/home/oc4j.jar:/o/ias10/jlib/ojmisc.jar:/o/ias10/j2ee/home/jaznplugin.jar:/o/ias10/sysman/webapps/emd/WEB-INF/lib/click-agent.jar:/o/ias10/sso/conf:/o/ias10/sysman/webapps/emd/WEB-INF/lib/disco_dsc_smi.jar:/o/ias10/sysman/webapps/emd/WEB-INF/lib/f90em.jar
Parameters passed to ssoca : param0:config param1:/o/ias10 param2:cn=orcladmin param3:***** param4:"AMERICAN_AMERICA.WE8ISO8859P1" param5:http param6:csdb01.cs.nl param7:7777 param8:en
Tue May 24 19:23:16 CEST 2005
Parameters received by ssoca : param0:config param1:/o/ias10 param2:cn=orcladmin param3:***** param4:"AMERICAN_AMERICA.WE8ISO8859P1" param5:http param6:csdb01.cs.nl param7:7777 param8:en
Content of ssoca config file is :
-- listing properties --
config_sso_oid=true
config_lang=true
config_sso_seed=true
config_targets_xml=true
config_ssoupg=true
config_dad=true
config_em_integ=true
ACTION by SSOConfigAssistant :
/o/ias10/bin/sqlplus orasso/*****@"cn=o10gr1,cn=oraclecontext"
@/o/ias10/sso/admin/plsql/sso/ssoseedi.sql http csdb01.cs.nl 777
SQL*Plus: Release 10.1.0.3.0 - Production on Tue May 24 19:23:20 2005
Copyright (c) 1982, 2004, Oracle. All rights reserved.
SQL> Connected.
SQL> SQL> exit;
Disconnected from Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production
With the Partitioning, OLAP and Data Mining options
ACTION by SSOConfigAssistant :
/o/ias10/bin/sqlplus orasso/*****@"cn=o10gr1,cn=oraclecontext"
@/o/ias10/sso/admin/plsql/sso/ssooidd.sql csdb01.cs.nl 3131 "cn=orcladmin" ***** Y
SQL*Plus: Release 10.1.0.3.0 - Production on Tue May 24 19:23:25 2005
Copyright (c) 1982, 2004, Oracle. All rights reserved.
SQL> Connected.
SQL> Creating OID entries for SSO
Deleted cn=component
owners,orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,cn=oracleco
ntext
Deleted cn=associated
mid-tiers,orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,cn=oracl
econtext
Deleted
orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,cn=oraclecontext
Application Process entry created in OID
SSO application entry added to OracleSecurityAdmins grp
SSO application entry added to verifierServices grp
OID information set
Users Search Base DN refreshed:cn=users,dc=cs,dc=nl
Global Group Search Base DN refreshed:cn=groups,dc=cs,dc=nl
User Nickname Attribute refreshed:uid
Subscriber Nickname Attribute refreshed:dc
DAS Host Name refreshed:
Change Password URL refreshed:oiddas/ui/oracle/ldap/das/mypage/AppChgPwdMyPage
Profile URL refreshed:oiddas/ui/oracle/ldap/das/mypage/AppViewMyPage
Create User URL refreshed:oiddas/ui/oracle/ldap/das/user/AppCreateUserInfoAdmin
Edit User URL refreshed:oiddas/ui/oracle/ldap/das/user/AppEditUserAdmin
Delete User URL refreshed:oiddas/ui/oracle/ldap/das/user/AppDeleteUserAdmin
User LOV URL refreshed:oiddas/ui/oracle/ldap/das/search/LOVUserSearch
Create Group URL
refreshed:oiddas/ui/oracle/ldap/das/group/AppCreateGroupInfoAdmin
Edit Group URL refreshed:oiddas/ui/oracle/ldap/das/group/AppEditGroupAdmin
Delete Group URL refreshed:oiddas/ui/oracle/ldap/das/group/AppDeleteGroupAdmin
Group LOV URL refreshed:oiddas/ui/oracle/ldap/das/search/LOVGroupSearch
People Search URL refreshed:oiddas/ui/oracle/ldap/das/search/AppUserSearch
Directory Administration URL refreshed:oiddas/ui/oiddashome
Local OID cache refreshed
PUBLIC user entry exists
PL/SQL procedure successfully completed.
*** Refreshing WWC OID cache....***
Users Search Base DN refreshed:cn=users,dc=cs,dc=nl
Global Group Search Base DN refreshed:cn=groups,dc=cs,dc=nl
User Nickname Attribute refreshed:uid
Subscriber Nickname Attribute refreshed:dc
DAS Host Name refreshed:
Change Password URL refreshed:oiddas/ui/oracle/ldap/das/mypage/AppChgPwdMyPage
Profile URL refreshed:oiddas/ui/oracle/ldap/das/mypage/AppViewMyPage
Create User URL refreshed:oiddas/ui/oracle/ldap/das/user/AppCreateUserInfoAdmin
Edit User URL refreshed:oiddas/ui/oracle/ldap/das/user/AppEditUserAdmin
Delete User URL refreshed:oiddas/ui/oracle/ldap/das/user/AppDeleteUserAdmin
User LOV URL refreshed:oiddas/ui/oracle/ldap/das/search/LOVUserSearch
Create Group URL refreshed:oiddas/ui/oracle/ldap/das/group/AppCreateGroupInfoAdmin
Edit Group URL refreshed:oiddas/ui/oracle/ldap/das/group/AppEditGroupAdmin
Delete Group URL refreshed:oiddas/ui/oracle/ldap/das/group/AppDeleteGroupAdmin
Group LOV URL refreshed:oiddas/ui/oracle/ldap/das/search/LOVGroupSearch
People Search URL refreshed:oiddas/ui/oracle/ldap/das/search/AppUserSearch
Directory Administration URL refreshed:oiddas/ui/oiddashome
*** Updating Default Subscriber entry...***
Default Subscriber DN: dc=cs,dc=nl
Default Subscriber GUID: F7DE6A3E30B45008E030A8C0C701615A
Subscriber Naming attribute: dc
Default Subscriber Name: cs
*** Resetting user DN and GUID information ...***
Done....
PL/SQL procedure successfully completed.
No errors.
Disconnected from Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production
With the Partitioning, OLAP and Data Mining options
NLS_LANG character set = WE8ISO8859P1
NLS_LANG param = AMERICAN_AMERICA.WE8ISO8859P1
/o/ias10/jdk/bin/java
-cp
/o/ias10/lib/xmlparserv2.jar:/o/ias10/sysman/webapps/emd/WEB-INF/lib/emd.jar:/o/ias10/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar:/o/ias10/lib/emSDK.jar
-DORACLE_HOME=/o/ias10
oracle.sysman.emSDK.conf.TargetInstaller
deletetarget
oracle_sso_server
OracleAS.csdb01.cs.nl_Single Sign-On:orasso
Setting the AS product version value in targets.xml to be "10.1.2.0.0".
Calling method getASTargetInfo.
getASTargetInfo: oracleHome = "/o/ias10".
getASTargetInfo: iasName = "OracleAS.csdb01.cs.nl".
getASTargetInfo: iAS Target Type = "oracle_ias".
getASTargetInfo: StatusURL value = "http://csdb01.cs.nl:7777".
Retrieved SSO protocol, host, and port info from targets.xml.
The values are: "http://csdb01.cs.nl:7777".
The following values will be used to configure the sso_server target entry in targets.xml.
Protocol: "http".
Hostname: "csdb01.cs.nl".
Port: "7777".
/o/ias10/jdk/bin/java
-cp
/o/ias10/lib/xmlparserv2.jar:/o/ias10/sysman/webapps/emd/WEB-INF/lib/emd.jar:/o/ias10/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar:/o/ias10/lib/emSDK.jar
-DORACLE_HOME=/o/ias10
oracle.sysman.emSDK.conf.TargetInstaller
addtarget
/o/ias10/sso/sso_server_target2add.xml
Configuring SSO languages with the following language code:
us
Language us is already installed.
About to execute java call using emConfigInstall.jar.
Here are the arguments:
/o/ias10/jdk/bin/java
-DORACLE_HOME=/o/ias10
-jar
/o/ias10/jlib/emConfigInstall.jar
consolesn
/o/ias10/sso/conf/consoleConfigSNSegment.xml
Finished executing the call.
Child Process has exited.
SSO Configuration Assistant finished successfully.
Configuration assistant "Single Sign-On Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Delegated Administration Service Configuration Assistant":
Delegated Administration Service Configuration completed successfully.
Configuration assistant "Delegated Administration Service Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "Infrastructure mod_osso Configuration Assistant":
JAAS: Use system property "ORACLE_HOME".
JAAS: System property oracle.home not defined.
JAAS: System property oracle.j2ee.home not defined.
JAAS: J2EE_HOME=/o/ias10/j2ee/home
JAAS: Verify oracle.home=/o/ias10
JAAS: ORACLE_HOME=/o/ias10
JAAS: Verify file=/o/ias10/j2ee/home/config/jazn.xml
JAAS: Bootstrap jazn.xml @/o/ias10/j2ee/home/config/jazn.xml
JAAS: Configuration file=/o/ias10/j2ee/home/config/jazn.xml
JAAS: Configuration file=/o/ias10/j2ee/home/config/jazn.xml
JAAS: Configuration properties={location=./jazn-data.xml, provider.type=XML}
JAAS: Configuration properties={location=./jazn-data.xml, deployment.url=file:/o/ias10/j2ee/home/config/jazn.xml, provider.type=XML}
JAAS: default jazn.xml @ /o/ias10/j2ee/home/config/jazn.xml : [JAZNConfig file:/o/ias10/j2ee/home/config/jazn.xml]
JAAS: Verify file=config/jazn.xml
JAAS: Configuration file=config/jazn.xml
JAAS: Configuration file=config/jazn.xml
JAAS: Configuration properties={location=/o/ias10/config/jazn-data.xml, provider.type=XML}
JAAS: Configuration properties={location=/o/ias10/config/jazn-data.xml, deployment.url=file:/o/ias10/config/jazn.xml, provider.type=XML}
JAAS-LDAP: ldap.user=null
JAAS-CA: ldap.user=null
JAAS-CA: oidhost=csdb01.cs.nl oidPort=3060 sslport=3131 sslonly=false oraHome=/o/ias10
JAAS-CA: default realm=cs
JAAS: Configuration properties={ldap.user=orclApplicationCommonName=jaznadmin1,cn=JAZNContext,cn=products,cn=OracleContext, ldap.password=!+u-|tx-0"C?e~D|{, realm.default=cs, provider.type=LDAP}JAAS: Configuration file=/o/ias10/config/jazn.xml
JAAS: Configuration file=/o/ias10/config/jazn.xml
JAAS: Configuration properties={location=/o/ias10/config/jazn-data.xml, provider.type=XML}
JAAS: Configuration properties={location=/o/ias10/config/jazn-data.xml, deployment.url=file:/o/ias10/config/jazn.xml, provider.type=XML}
Modosso command line: /o/ias10/jdk/bin/java -jar /o/ias10/sso/lib/ossoreg.jar -site_name OracleAS.csdb01.cs.nl -mod_osso_url http://csdb01.cs.nl:7777 -config_mod_osso TRUE -oracle_home_path /o/ias10 -u oracle10 -config_file /o/ias10/Apache/Apache/conf/osso/osso.conf -admin_info cn=orcladmin
The config tool succeeded. See the log file /o/ias10/config/infratool_mod_osso.log for more details.
Configuration assistant "Infrastructure mod_osso Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "OracleAS Certificate Authority Configuration Assistant":
OCA Jazn configuration installed.
Password store created.
OCA configuration information changed.
Distinguished Name:CN=Van Bortel Certificate Authority,OU=BIOS,O=CarrotSoft Inc,C=NL
CA certificate generated successfully.
Distinguished Name:CN=csdb01.cs.nl,OU=BIOS,O=CarrotSoft Inc,C=NL
CA SSL Server wallet saved (/o/ias10/oca/wallet/ssl/ewallet.p12)
Distinguished Name:CN=oca1,CN=OCA,CN=PKI,CN=Products,CN=OracleContext
LDAP Server wallet saved (/o/ias10/oca/wallet/ldap/ewallet.p12)
Oracle Certificate Authority configuration tool finished successfully
Configuration assistant "OracleAS Certificate Authority Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "OC4J Instance Configuration Assistant":
Reading ini file - '/o/ias10/j2ee/deploy.ini'
Adding web-app 'wirelesssso-web.war' for app 'wirelesssso'.
Adding web-app 'web.war' for app 'sso'.
Adding web-app 'ssohelp.war' for app 'sso'.
OC4J instance 'OC4J_SECURITY': Adding java stop command line option '-server'
OC4J instance 'OC4J_SECURITY': Adding java command line option '-Xmx512m'
OC4J instance 'OC4J_SECURITY': Adding Environment variable 'LD_LIBRARY_PATH' with value '/o/ias10/lib32:/o/ias10/lib'
OC4J instance 'OC4J_SECURITY': Adding Environment variable 'DISPLAY' with value 'csdb01.cs.nl:0.0'
Adding web-app 'oca.war' for app 'ocaapp'.
OC4J instance 'oca': Adding java stop command line option '-Doracle.home=/o/ias10'
OC4J instance 'oca': Adding java stop command line option '-Djava.awt.headless=true'
OC4J instance 'oca': Adding java stop command line option '-Doracle.ons.oraclehome=/o/ias10'
OC4J instance 'oca': Adding java stop command line option '-DORACLE_HOME=/o/ias10'
OC4J instance 'oca': Adding java stop command line option '-DIASHOST=csdb01.cs.nl'
OC4J instance 'oca': Adding java command line option '-Xmx256M'
OC4J instance 'oca': Adding java stop command line option '-Djava.library.path=/o/ias10/lib32:/o/ias10/lib:/o/ias10/jlib:/o/ias10/oca/lib'
Adding web-app 'ui.war' for app 'oiddas'.
Ignoring jvm command-line option '-Xmx512m'. Larger heap already specified with '-Xmx512m'
OC4J instance 'OC4J_SECURITY': Env Option 'LD_LIBRARY_PATH' already exists with value '/o/ias10/lib32:/o/ias10/lib'
Initializing DCM..done.
Creating OC4J instance 'oca' (unprotected)..done.
Appending security configuration from '/o/ias10/oca/conf/ocajava2.policy' to java2.policy file...done.
Creating OC4J instance 'OC4J_SECURITY' (protected)..done.
Adding dependent libraries for application 'default'..done.
Calling SMI to save changes.
SMISession.saveChanges succeeded.
Starting OC4J instance 'oca'..done.
Deploying application 'ocaapp' to OC4J instance 'oca'.
Notification ==> Application Deployer for ocaapp STARTS [ 2005-05-24T19:26:33.809CEST ]
Notification ==> Undeploy previous deployment
Notification ==> Removing files for app file:/o/ias10/j2ee/oca/applications/ocaapp.ear
Notification ==> Copy the archive to /o/ias10/j2ee/oca/applications/ocaapp.ear
Notification ==> Unpack ocaapp.ear begins...
Notification ==> Unpack ocaapp.ear ends...
Notification ==> Initialize ocaapp.ear begins...
Notification ==> Initialize ocaapp.ear ends...
Notification ==> Initialize oca begins...
Notification ==> Initialize oca ends...
Notification ==> deleting: /o/ias10/j2ee/oca/applications/ocaapp.ear
Notification ==> deleting: /o/ias10/j2ee/oca/applications/ocaapp/oca.war
Notification ==> Application Deployer for ocaapp COMPLETES [ 2005-05-24T19:26:34.324CEST ]
Starting OC4J instance 'OC4J_SECURITY'..done.
Deploying application 'wirelesssso' to OC4J instance 'OC4J_SECURITY'.
Notification ==> Application Deployer for wirelesssso STARTS [ 2005-05-24T19:26:46.741CEST ]
Notification ==> Undeploy previous deployment
Notification ==> Removing files for app file:/o/ias10/j2ee/OC4J_SECURITY/applications/wirelesssso.ear
Notification ==> Copy the archive to /o/ias10/j2ee/OC4J_SECURITY/applications/wirelesssso.ear
Notification ==> Unpack wirelesssso.ear begins...
Notification ==> Unpack wirelesssso.ear ends...
Notification ==> Initialize wirelesssso.ear begins...
Notification ==> Initialize wirelesssso.ear ends...
Notification ==> Initialize wirelesssso-web begins...
Notification ==> Initialize wirelesssso-web ends...
Notification ==> deleting: /o/ias10/j2ee/OC4J_SECURITY/applications/wirelesssso.ear
Notification ==> deleting: /o/ias10/j2ee/OC4J_SECURITY/applications/wirelesssso/wirelesssso-web.war
Notification ==> Application Deployer for wirelesssso COMPLETES [ 2005-05-24T19:26:47.151CEST ]
Deploying application 'oiddas' to OC4J instance 'OC4J_SECURITY'.
Notification ==> Application Deployer for oiddas STARTS [ 2005-05-24T19:26:48.416CEST ]
Notification ==> Undeploy previous deployment
Notification ==> Removing files for app file:/o/ias10/j2ee/OC4J_SECURITY/applications/oiddas.ear
Notification ==> Copy the archive to /o/ias10/j2ee/OC4J_SECURITY/applications/oiddas.ear
Notification ==> Unpack oiddas.ear begins...
Notification ==> Unpack oiddas.ear ends...
Notification ==> Initialize oiddas.ear begins...
Notification ==> Initialize oiddas.ear ends...
Notification ==> Initialize ui begins...
Notification ==> Initialize ui ends...
Notification ==> deleting: /o/ias10/j2ee/OC4J_SECURITY/applications/oiddas.ear
Notification ==> deleting: /o/ias10/j2ee/OC4J_SECURITY/applications/oiddas/ui.war
Notification ==> Application Deployer for oiddas COMPLETES [ 2005-05-24T19:26:51.855CEST ]
Deploying application 'sso' to OC4J instance 'OC4J_SECURITY'.
Notification ==> Application Deployer for sso STARTS [ 2005-05-24T19:26:52.546CEST ]
Notification ==> Undeploy previous deployment
Notification ==> Removing files for app file:/o/ias10/j2ee/OC4J_SECURITY/applications/sso.ear
Notification ==> Copy the archive to /o/ias10/j2ee/OC4J_SECURITY/applications/sso.ear
Notification ==> Unpack sso.ear begins...
Notification ==> Unpack sso.ear ends...
Notification ==> Initialize sso.ear begins...
Notification ==> Initialize sso.ear ends...
Notification ==> Initialize ssohelp begins...
Notification ==> Initialize ssohelp ends...
Notification ==> Initialize web begins...
Notification ==> Initialize web ends...
Notification ==> deleting: /o/ias10/j2ee/OC4J_SECURITY/applications/sso.ear
Notification ==> deleting: /o/ias10/j2ee/OC4J_SECURITY/applications/sso/ssohelp.war
Notification ==> deleting: /o/ias10/j2ee/OC4J_SECURITY/applications/sso/web.war
Notification ==> Application Deployer for sso COMPLETES [ 2005-05-24T19:26:53.175CEST ]
Calling updateConfig to notify DCM of new deployments..done.
Adding dependent libraries for application 'ocaapp'..done.
Adding OC4J mount points for application 'wirelesssso'..done.
Adding OC4J mount points for application 'oiddas'...done.
Adding dependent libraries for application 'sso'..done.
Adding OC4J mount points for application 'sso'...done.
Calling SMI to save changes.
SMISession.saveChanges succeeded.
Binding web app 'oca' to default-web-site for application 'ocaapp' in OC4J instance 'oca'
Web app 'oca' bound successfully.
Binding web app 'wirelesssso-web' to default-web-site for application 'wirelesssso' in OC4J instance 'OC4J_SECURITY'
Web app 'wirelesssso-web' bound successfully.
Binding web app 'ui' to default-web-site for application 'oiddas' in OC4J instance 'OC4J_SECURITY'
Web app 'ui' bound successfully.
Binding web app 'web' to default-web-site for application 'sso' in OC4J instance 'OC4J_SECURITY'
Web app 'web' bound successfully.
Binding web app 'ssohelp' to default-web-site for application 'sso' in OC4J instance 'OC4J_SECURITY'
Web app 'ssohelp' bound successfully.
Calling updateConfig to notify DCM of new web-bindings..done.
Adding application 'ocaapp' to the DCM repository..done.
Application 'ocaapp' deployed successfully.
Stopping OC4J instance 'oca'..done.
Adding application 'wirelesssso' to the DCM repository..done.
Application 'wirelesssso' deployed successfully.
Adding application 'oiddas' to the DCM repository..done.
Application 'oiddas' deployed successfully.
Adding application 'sso' to the DCM repository..done.
Application 'sso' deployed successfully.
Stopping OC4J instance 'OC4J_SECURITY'..done.
Calling SMI to retry init of failed plugins...done.
Copying /o/ias10/j2ee/deploy.ini to /o/ias10/j2ee/deploy.ini.1116955674238.bak.
Writing any undeployed entries back to /o/ias10/j2ee/deploy.ini.
Oc4jDeploy tool completed successfully!
Configuration assistant "OC4J Instance Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "OPMN Configuration Assistant - start HTTP Server":
opmnctl: starting opmn managed processes...
Configuration assistant "OPMN Configuration Assistant - start HTTP Server" succeeded
================================================================================================================
Output generated from configuration assistant "OPMN Configuration Assistant - start DAS Instance":
opmnctl: starting opmn managed processes...
Configuration assistant "OPMN Configuration Assistant - start DAS Instance" succeeded
================================================================================================================
Output generated from configuration assistant "OPMN Configuration Assistant - start OCA Instance":
opmnctl: starting opmn managed processes...
Configuration assistant "OPMN Configuration Assistant - start OCA Instance" succeeded
================================================================================================================
Output generated from configuration assistant "Register DCM Plug-Ins With EM":
Operation successful.
Configuration assistant "Register DCM Plug-Ins With EM" succeeded
================================================================================================================
Output generated from configuration assistant "Application Server Control Configuration Assistant":
TZ set to Europe/Amsterdam
Oracle Enterprise Manager 10g Application Server Control Release 10.1.2.0.0
Copyright (c) 1996, 2004 Oracle Corporation. All rights reserved.
http://csdb01.cs.nl:1810/emd/console/aboutApplication
Starting Oracle Enterprise Manager 10g Application Server Control .. started successfully.
Configuration assistant "Application Server Control Configuration Assistant" succeeded
================================================================================================================
Output generated from configuration assistant "DCM Repository Backup Assistant":
backup created: InstalledImage_OracleAS.csdb01.cs.nl
Configuration assistant "DCM Repository Backup Assistant" succeeded
Enterprise Security III: Metadata Repository
A new day; what is the planning regarding Oracle Enterprise Security? I did install Oracle 10g Release 1 yesterday, and patched it to 10.1.0.4. That leaves me with:
- Install the 10gAS Metadata repository
- Install 10gAS Identity Management
- Install 10gAS
One of the "nice" things is that the installer checks on swap space... As I have 1.5 GB memory installed, I found an additional 1200MB swap enough - any process claiming 2.7GB on a Windows workstation is worth getting killed anyway. But no - the installer insists:
Checking swap space: 1280 MB available, 1535 MB required. Failed <<<<
It looks like you have a choice (continue y/n), but you haven't - responding 'y' will just cause the check to fail again. So, I stooped to other measures: I edited the oraparam.ini file, found in the install subdirectory. I replaced all SWAP_SPACE=1535 with SWAP_SPACE=1024; the installer is happy as could be.
But the database is not in a good shape... Oh no: Oracle insists on setting shared_pool_size, and db_cache_size, thus killing any automatic memory tuning mechanism. All prerequisites are in the file in %ORACLE_HOME%/repca/config/prerequisite.xml
Note it is not required to have tnsnames on the client, where you run the RepCA utility from. It will use the java machine:port:service mechanism to connect. As I have not installed anything yet, I will not register, just load:
After some checks, the RepCA utility cannot find the Oracle Text Supplied Knowledge base, something required (?) for Portal, obviously... I do not want Portal (now), so I'll just continue:
Even though I have plenty space left, I don't quite understand why
- every component sub part should be in a tablespace for itself
- I have tablespaces for Portal components - didn't I just say I did not want Portal?!?
And they still don't know how to figure that out...
Hopefully, it's teatime by now - just let the wheels keep turning.
And you will be rewarded:
That concludes the installation of the Metadata Repository in an existing database. I want to decrease the amount of memory used for my 10g database, and then fire up VNC again, and install the Application Server components.
Monday, May 23, 2005
Enterprise Security II: Finishing the database install
Right - teatime is over. The script ran to completion, only thing left is to set up the network; specifically listener.ora and tnsnames.ora (anyone wants an LDAP server instead?).
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /o/oracle10/10gR1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = o10gR1)
      (ORACLE_HOME = /o/oracle10/10gR1)
      (SID = o10gR1)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
        (ADDRESS = (PROTOCOL = IPC)(KEY = o10gR1))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = csdb01.cs.nl)(PORT = 1522))
      )
    )
  )
The blue text signifies the additions and modifications to the listener.ora file; the only modification is the port, 1522, instead of the standard 1521. Port 1521 is used by the Oracle 9 Release 2 installation, and I wanted to keep those installations separated.
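Added example (not from the original post): a small Python parser for the listener.ora format shown above that lists the services started through PROGRAM = extproc and the addresses the listener answers on, for reviewing the file after an edit. The sample text is the post's own listener.ora, condensed; all function names are this example's own.

```python
import re

# Constructed sample: the listener.ora from the post, condensed onto fewer lines.
LISTENER_ORA = """\
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /o/oracle10/10gR1)(PROGRAM = extproc))
    (SID_DESC = (SID_NAME = o10gR1)(ORACLE_HOME = /o/oracle10/10gR1)(SID = o10gR1)))
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
        (ADDRESS = (PROTOCOL = IPC)(KEY = o10gR1)))
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = csdb01.cs.nl)(PORT = 1522)))))
"""

# One token per match: '#' comment (dropped), ( ) =, quoted string, or bare word.
TOKEN = re.compile(
    r'''\s*(?:#[^\n]*|(?P<sym>[()=])|'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<word>[^\s()=#'"]+))''')

def tokenize(text):
    """Yield ('sym', c) for ( ) = and ('word', s) for bare or quoted values."""
    text, pos = text.rstrip(), 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.lastgroup == "sym":
            yield ("sym", m.group("sym"))
        elif m.lastgroup:  # sq, dq or word; a comment sets no group
            yield ("word", m.group(m.lastgroup))

def parse(text):
    """Return {PARAMETER: value}; a value is a string or a list of (NAME, value)."""
    toks, pos = list(tokenize(text)), 0
    def peek(offset=0):
        return toks[pos + offset] if pos + offset < len(toks) else (None, None)
    def take(kind, value=None):
        nonlocal pos
        tok = peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"token {pos}: expected {value or kind}, got {tok[1]!r}")
        pos += 1
        return tok[1]
    def group():
        take("sym", "(")
        name = take("word").upper()
        take("sym", "=")
        val = value()
        take("sym", ")")
        return (name, val)
    def value():
        groups = []
        while peek() == ("sym", "("):
            groups.append(group())
        if groups:
            return groups
        words = []
        # A word followed by '=' is the next top-level parameter, not part of this value.
        while peek()[0] == "word" and peek(1) != ("sym", "="):
            words.append(take("word"))
        return " ".join(words)
    entries = {}
    while pos < len(toks):
        name = take("word").upper()
        take("sym", "=")
        entries[name] = value()
    return entries

def find_all(nodes, name):
    """Depth-first: yield the value of every group called `name`."""
    for key, val in nodes:
        if key == name:
            yield val
        if isinstance(val, list):
            yield from find_all(val, name)

def review(text):
    """Report extproc services and listening addresses found in a listener.ora."""
    def fields(g):  # direct NAME = word children of one group
        return {k: v for k, v in g if isinstance(v, str)} if isinstance(g, list) else {}
    report = {"extproc_sids": [], "ipc_keys": [], "tcp_endpoints": []}
    nodes = [n for v in parse(text).values() if isinstance(v, list) for n in v]
    for desc in map(fields, find_all(nodes, "SID_DESC")):
        if desc.get("PROGRAM", "").lower() == "extproc":
            report["extproc_sids"].append(desc.get("SID_NAME"))
    for addr in map(fields, find_all(nodes, "ADDRESS")):
        proto = addr.get("PROTOCOL", "").upper()
        if proto == "IPC":
            report["ipc_keys"].append(addr.get("KEY"))
        elif proto == "TCP":
            report["tcp_endpoints"].append((addr.get("HOST"), addr.get("PORT")))
    return report

if __name__ == "__main__":
    print(review(LISTENER_ORA))
```

For the file in this post it reports one extproc service (PLSExtProc), the two IPC keys, and the single TCP endpoint on port 1522.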
The tnsnames.ora has no entries (apart from an extproc, you may want to delete), so all this is new:
o10gR1 =
  (description =
    (address = (protocol=beq)(PROGRAM = oracle)
      (ARGV0 = oracleo10gR1)
      (ARGS = '(DESCRIPTION =(LOCAL = YES)(ADDRESS = (PROTOCOL = BEQ)))'))
    (CONNECT_DATA = (SERVICE_NAME = o10gR1.csdb01.cs.nl))
  )
I like the bequeath protocol, as it does not require a listener process running, and it is extremely fast - no overhead. I've demonstrated AIX 4.3 and 8i Release 1 with tcp and bequeath, and the tcp output could be seen pausing and resuming, where the bequeath connection just was a blur.
Anyway - tomorrow, I will install the Infrastructure in this database, and configure a repository.
Enterprise Security in Oracle
Thought I could set up enterprise security... Got some things to work, some not, some only after great problems. One of the problems, I realized along the line, was that I documented nothing. So... I decided to throw away the lot - my 10g database, 10g Infrastructure Server, and Internet Directory, and Signing Authority. And start over again.
OK - some details about the machine: it's an MSI KT4V based system, running an AMD 1800+, with 2 Western Digital WD1200JB's connected to the FastTrak 133 Lite Raid controller, partially in a software stripe (RAID0) configuration:
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hdf1 2063504 330860 1627824 17% /
/dev/hde1 77750 14125 59611 20% /boot
none 513736 0 513736 0% /dev/shm
/dev/hdf3 1035692 138524 844556 15% /tmp
/dev/hde3 3020172 1357036 1509716 48% /usr
/dev/md0 222415788 17839508 193277800 9% /o
I have 1GB of memory installed, and 2GB of swap space. The OS is WhiteBox Linux Enterprise 3, and the machine is connected to my (100MBit) LAN via an onboard 1GB network interface.
After creating the obligatory groups and users, start off with installing the 10g Release 1 database:
The network assistant, I usually leave for what it is, and let it perform a default configuration. As the details about the database are often not known at this stage, it's a safe option:
After that, the Database Creation Assistant will pop up. I always want control, so I always choose "Custom". Global database names with me are not just SID.domain - they are SID.server.domain:
As I will be configuring OEM later, I will not install it right now:
One more thing to watch out for: 10240k for redolog files is a tad small (10MB): increase to at least 100M, I say - all three of them. As a last step, I never create the database from here, but I save the scripts:
That concludes the graphical part of installation for now - I like to check the scripts and run them, using SSH (Secure Shell) with a nice emulator, based on TeraTerm: TeraTerm Professional with SSH. It even supports IPv6, and UTF8. And -not unimportant for Dutchies- it's free! Check it out - autocopy to clipboard is my favourite!
OK - check specific Oracle changes:
[root@csdb01 root]# cat /etc/sysctl.conf
# Oracle specific requirements...
kernel.shmmax=2147483648
kernel.sem=250 32000 100 128
fs.file-max=65536
net.ipv4.ip_local_port_range=1024 65000
and, for the oracle10 user tail .bash_profile:
# Oracle 10G Specifics...
export ORACLE_BASE=/o/oracle10
export ORACLE_HOME=$ORACLE_BASE/10gR1
export ORACLE_SID=o10gR1
export LD_ASSUME_KERNEL=2.4.1
export PATH=$ORACLE_HOME/bin:$PATH:.:/sbin:
[oracle10@csdb01 oracle10]$ more /o/oracle10/admin/o10gR1/scripts/o10gR1.sh
#!/bin/sh
mkdir -p /o/oracle10/10gR1/dbs
mkdir -p /o/oracle10/10gR1/oradata
mkdir -p /o/oracle10/admin/o10gR1/bdump
mkdir -p /o/oracle10/admin/o10gR1/cdump
mkdir -p /o/oracle10/admin/o10gR1/create
mkdir -p /o/oracle10/admin/o10gR1/pfile
mkdir -p /o/oracle10/admin/o10gR1/udump
mkdir -p /o/oracle10/flash_recovery_area
mkdir -p /o/oracle10/oradata/o10gR1
ORACLE_SID=o10gR1; export ORACLE_SID
echo Add this entry in the oratab: o10gR1:/o/oracle10/10gR1:Y
/o/oracle10/10gR1/bin/sqlplus /nolog @/o/oracle10/admin/o10gR1/scripts/o10gR1.sql
May oh, may - it looks like the Oracle folk found the -p option on mkdir... Goody! About time, though. For all of you non-*nix type of people: mkdir -p will create all parent directories, if any does not exist. And the .bash_profile is adapted, too, it has the ORACLE_SID entry. Very, ferry good! Now just scan the CreateDB.sql and CreateDBFiles.sql for maxsize unlimited, and I can kick off the script, and go for a cuppa'.
Oops! Hold on, let's apply the 10.1.0.4 patch first... Stop the listener, and ocssd - that seems harder than expected, but this does the trick (as root!):
/etc/rc.d/init.d/init.cssd stop
And there's nothing more to it, except commenting out the last line in /etc/inittab, to prevent the service from starting at boot time.
Time to get some tea!
Sunday, May 15, 2005
For the brave...
For those, living on the edge, Fedora Core 4 has been released to test. Maybe you download, install and try to get Oracle installed and running?
Should be something of a challenge, as with Linux growing, new versions of the compiler and compiler libraries are released, causing problems with previously built software (like Oracle, but undoubtedly many more).
I'll stay with White Box Linux, if only for the fact WBL is built off the Red Hat sources. I have done my share of FC1, 2 and 3 installs and Oracle configurations (FC3 and Oracle 10g Database without a glitch, by the way), and do not find it challenging anymore.
It's the ease of installation on fairly new notebook models that counts nowadays, and in that respect, you should check FC4 out. It's got Gnome 2.1 or KDE 3.4, and GCC 4. Oracle prefers 2.96 - see the dark clouds yet?
Oh - don't forget: you can also check out White Box Enterprise Linux 4 RC 1... Be sure to read the WBL home page on what WBL is not, and when you should buy Red Hat's bundles.
Friday, May 06, 2005
And now to reclaim the guilders
I had only just written about the overpriced Euro, and now there is a site where you can sign up if you want to reclaim your guilders...
It does cost €50 a year, though... You would have to want to reclaim quite a lot - and who doesn't make sure that his accounts are empty on 31 December?!?
Monday, May 02, 2005
And I am not the only one...
Even his own wife, Laura Bush, considers herself a 'desperate housewife', who finds her 'Mr. Exciting' in bed at nine o'clock in the evening - no, asleep!
So said Laura Bush at a dinner with the press... "At least I know how to pronounce 'nuclear'", said the former librarian, who to her surprise met George W. in the library! "He was not exactly known as a bookworm".
Any form of diplomacy also seems to be foreign to George: "on the farm in Texas he always solves everything with a chainsaw. That must be why he gets along so well with Cheney and Rumsfeld."
Chainsaw - Cheney; that's a good one, Laura, that's a good one.