Thursday, August 30, 2007

Remove a realm

Playing around with OID and Application Server Hosting, I created some realms. Quite easy to add one, but there's no delete, drop or remove realm option.

So: how to drop a realm, without painstakingly going through the ODM (Oracle Directory Manager) screens, that do not support a cascaded delete?

Appears to be quite simple:
login on the machine your OID runs on, and:

opmnctl stopall
./bulkdelete.sh -connect [tns_alias] \
-base "dc=test2,dc=home,dc=local"


The base is the actual realm you want to drop.

How to unlock orcladmin

Proving the point that using 'cn=orcladmin' or 'orcladmin' when starting Oracle Internet Directory (OID) Manager (ODM), is actually the same account, I managed to "prove" the point just once too often, resulting in a "your account is locked" error.

So, the question raises: how to unlock you superuser account orcladmin?

Very simple:
login on the Application Server where your OID runs, and:

$ORACLE_HOME/bin/oidpasswd connect=[tns_alias] unlock_su_acct=true


You will be asked to provide the ODS password - which happens to be the same as the ias_admin password, specified at install time. Which happens to be the password for orcladmin, too, unless you changed it.

Tuesday, August 28, 2007

Passwords: store them in a Wallet!

Working on OID and database registrations, I found the wallet created by the DBCA does not need to be signed. Basically - it's empty!
Well, not quite; although the oracle Wallet Manager, owm, only shows "there's something", details can be retrieved using mkstore:

oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -list
Enter password:

Oracle Secret Store entries:
ORACLE.SECURITY.DN
ORACLE.SECURITY.PASSWORD
oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -viewEntry ORACLE.SECURITY.DN
Enter password:

ORACLE.SECURITY.DN = cn=infra,cn=OracleContext,dc=home,dc=local
oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Enter password:

ORACLE.SECURITY.PASSWORD = RJT01YL5
oracle10@infra

The password you need to provide, is the password you specified for the wallet at the time you registered the database.
So, if you ever want to know the password of database registration, this is how. Works for 10.2 databases, should work for 10.1 (as 10.1 also knows mkstore), does not work for 9.2 or lower.

Another great option of mkstore (and the reason I found this...) is to store credentials for a database - great for securing database links and batch processes.
More on that in the security manual, here, and an example.

Monday, August 27, 2007

Status 84?

Not feasable to Fix?

Annoying, to say the least - ever been in the situation where the Network Configuration Assistant could not process your tnsnames.ora? Manually edited just once too often?

I ran into this error when using the Enterprise Security Manager - I was mapping an Enterprise Role to Database Roles.

[AWT-EventQueue-0][2007-8-17:16:14:56:927] java.lang.ArrayIndexOutOfBoundsException: 240
at oracle.net.nl.NVTokens.parseTokens(Unknown Source)
at oracle.net.nl.NVFactory.createNVPair(Unknown Source)
at oracle.net.nl.NLParamParser.addNLPListElement(Unknown Source)
at oracle.net.nl.NLParamParser.initializeNlpa(Unknown Source)
at oracle.net.nl.NLParamParser.(Unknown Source)
at oracle.sysman.vdb.VdbUtil.findInTNSFile(VdbUtil.java:824)
at oracle.sysman.vdb.VdbUtil.findInTNSNAMES(VdbUtil.java:792)
at oracle.sysman.vdb.VdbUtil.buildConnectDescriptor(VdbUtil.java:295)
at oracle.sysman.vdb.VdbUtil.buildConnectDescriptor(VdbUtil.java:224)
at oracle.sysman.vdb.VdbSession.buildConnectionInformation(VdbSession.java:4195)

Not the complete stack - note the "findInTNSFile"

Much to my surprise, the ESM ignores the ldap.ora entries completely, and falls back to the local tnsnames.ora file - which it fails to process. Metalink revealed two related bugs (5527753 and 2887391), of which 2887391 looked like an exact match. 2887391 has a status "Closed, not feasable to fix", which is status 84...

The workaround is to clean up the tnsnames.ora file that is being used, and make it NetCA compatible...

Come on, Oracle! Just this once, make your C programs and java begave the same! If SQL*Plus can process this file correctly, and tnsping can, why can't NetManager, ESM or NetCA?!?

Friday, August 17, 2007

Enterprise network issues

Just had a situation where I set up an enterprise user on a registered database. Logging on to the instance works on the machine itself:

SQL> create user global_id_schema_user identified globally;
User created.

SQL> grant connect to global_id_schema_user;
Grant succeeded.

SQL> connect bortel
Enter password:
Connected.
SQL> select sys_context('userenv','external_name') from dual;

SYS_CONTEXT('USERENV','EXTERNAL_NAME')
--------------------------------------------------------------------------------
cn=bortel,cn=users,dc=***,dc=nl

SQL> select * from session_roles;

ROLE
------------------------------
CONNECT

However, trying to connect from a remote station, I got the following error:
SQL> conn bortel@oinfra
Enter password:
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor

This strikes as odd, as the database registered successfully.
The TNSPING utility shows

M:\>tnsping oinfra

TNS Ping Utility for 32-bit Windows: Version 10.2.0.3.0 - Production on 17-AUG-2007 11:14:15

Copyright (c) 1997, 2006, Oracle. All rights reserved.

Used parameter files:
C:\oracle\DB92\network\admin\sqlnet.ora

Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=machine.at.certain.domain)(PORT=1521))
(CONNECT_DATA=(SERVICE_NAME=oinfra.machine.at.certain.domain)))
OK (10 msec)

Looks like the service_name is not within the listener. I know this setup uses hardcoded aliases in listener.ora (which is going to change - this client will switch to instances registering themselves, using local_listener). Sure enough, on the database server:

me@machine> lsnrctl services listener_machine

LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:29:21

Copyright (c) 1991, 2005, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
Services Summary...
Service "oinfra" has 1 instance(s).
Instance "oinfra", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:136 refused:0
LOCAL SERVER
The command completed successfully

Not a trace of the fully qualified service name "oinfra.machine.at.certain.domain".
The solution to this is to add GLOBAL_DBNAME to the listener.ora file:

SID_LIST_LISTENER_MACHINE =
(SID_LIST =
(SID_DESC =
(SID_NAME = oinfra)
(global_dbname=oinfra.machine.at.certain.domain)
(ORACLE_HOME = /oracle/....)
(connection_data =
(sid = oinfra)
)
)
)

Then, do a reload of the listener configuration, and check the results:
me@machine>lsnrctl reload listener_machine

LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:55:55
Copyright (c) 1991, 2005, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
The command completed successfully
me@machine>lsnrctl services listener_machine

LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:56:04
Copyright (c) 1991, 2005, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
Services Summary...
Service "oinfra.machine.at.certain.domain" has 1 instance(s).
Instance "oinfra", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0
LOCAL SERVER
The command completed successfully

After that, the remote login succeeds:

SQL> conn bortel@oinfra
Enter password:
Connected.