Wednesday, October 30, 2013

Identity Management 11G Rel 2: RCU

Repository Creation Utility

Running the Repository Creation Utility (RCU) for Linux is troublesome for a couple of reasons.
One is that it is 32-bit software, whereas Linux platforms are now predominantly 64-bit.
The other is Java...

Running it off my Ubuntu LTS host, using
linux32 ./bin/rcu
resulted in the following error:
frank@ubuntu64:~/Downloads/rcuHome$ linux32 ./bin/rcu
./bin/rcu: 276: ./bin/rcu: /home/frank/Downloads/rcuHome/jdk/jre/bin/java: not found
Java is actually installed:
frank@ubuntu64:~/Downloads/rcuHome$ which java
/usr/bin/java
Line 276 itself is fine; it merely references $JRE_DIR. It is the definition of that variable (at line 133) that is wrong. Just change
JRE_DIR=$ORACLE_HOME/jdk/jre
into
JRE_DIR=/usr
Then change permissions (if needed), and rerun.
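To make that fix repeatable, and to check that the JRE you are pointing at actually has a java binary before touching the launcher, here is a small POSIX shell helper. It is an added example, not code from the original post or from Oracle's RCU; it assumes the launcher contains a single JRE_DIR=... assignment and that the JRE keeps its binary at <JRE_DIR>/bin/java (as with /usr/bin/java above). The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): repoint JRE_DIR in the rcu
# launcher at the JRE that is really installed. Assumes the launcher has a
# line "JRE_DIR=<something>" (line 133 in the post) and that the JRE keeps
# its binary at <dir>/bin/java.

# Derive a JRE_DIR from the java binary found on PATH: /usr/bin/java -> /usr
jre_dir_from_path() {
    javabin=$(command -v java) || return 1
    # Resolve symlinks where readlink -f is available (GNU/busybox coreutils).
    real=$(readlink -f "$javabin" 2>/dev/null || printf '%s' "$javabin")
    case "$real" in
        */bin/java) printf '%s\n' "${real%/bin/java}" ;;
        *) return 1 ;;
    esac
}

# Print the JRE_DIR currently set in the launcher (for a before/after check).
current_jre_dir() {
    sed -n 's/^JRE_DIR=//p' "$1"
}

# patch_rcu_jre_dir <rcu-launcher> <jre-dir>
# Checks that <jre-dir>/bin/java is executable, keeps a .orig copy of the
# launcher, then rewrites the JRE_DIR assignment. Non-zero status on failure.
patch_rcu_jre_dir() {
    launcher=$1
    jredir=$2
    [ -x "$jredir/bin/java" ] || { echo "no executable java under $jredir/bin" >&2; return 1; }
    grep -q '^JRE_DIR=' "$launcher" || { echo "no JRE_DIR assignment in $launcher" >&2; return 1; }
    cp "$launcher" "$launcher.orig" || return 1
    # '|' as the sed delimiter because the replacement contains slashes;
    # writing from the .orig copy keeps the launcher's own mode bits intact.
    sed "s|^JRE_DIR=.*|JRE_DIR=$jredir|" "$launcher.orig" > "$launcher"
}

# Stand-alone use: ./fix-rcu-jre.sh ./bin/rcu "$(jre_dir_from_path)"
if [ "$#" -eq 2 ]; then
    patch_rcu_jre_dir "$1" "$2" && echo "JRE_DIR is now $(current_jre_dir "$1")"
fi
```

On the Ubuntu host above, jre_dir_from_path prints /usr, which is exactly the value the post arrives at by hand; the .orig copy lets you diff the two launchers afterwards.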
Happy RCU-ing!

Wednesday, October 23, 2013

Enterprise Install of Identity & Access Management 11.1.2

Hardware

Virtual hardware added to the Database and OUD/OVD installs: an 8GB/4CPU VM.

Basic Software

Of course, jrockit (the 37 release, the 45 does not always work with OFM 11GR2...) and WebLogic 10.3.6. WLS 12 is not yet certified against OFM I&AM 11GR2, as far as I know.

Software install

Start off with I&AM software 11.1.2.1: V37472.
[oracle@idm ~]$ /oracle/install/Software/OFM/11.1.2.1/V37472/Disk1/runInstaller -jreLoc /oracle/jrockit-jdk1.6.0/
Starting Oracle Universal Installer...

Checking if CPU speed is above 300 MHz.    Actual 3378 MHz    Passed
Checking Temp space: must be greater than 150 MB.   Actual 22018 MB    Passed
Checking swap space: must be greater than 512 MB.   Actual 6127 MB    Passed
Checking monitor: must be configured to display at least 256 colors.    Actual 16777216    Passed

Skip the Software updates.
All green, thanks to the oracle-rdbms-server-11gR2-preinstall package having been installed.

Leave default; matter of taste.
The list of software; note the Privileged Account Manager and the Entitlements Server. The Entitlements Server is needed for the IAM stack and comes licensed as part of it; using it as a stack on its own requires a separate license.
Takes a while, you might want to check rngd is ok...

Monday, October 07, 2013

Access Manager 11G Rel 2 and APEX 4.2

There is some documentation regarding APEX and OAM, but it is flawed.
  1. Make sure APEX functions with standard (APEX user based) security, even through OAM; this means
    • Allow /APEX/**
    • Allow /i/**
    • Protect /apex/apex_authentication.callback

  2. Page 9 states "OAM_REMOTE_USER with a value of $user.userid is created by default".
    Not true, just add it. What the extra entries are for is beyond me, APEX will just recognize one value in the header...
  3. Page 12: The PlsqlCGIEnvironmentList mentions HTTP_OAM_ variables; this is an error. The variables should be called as defined in OAM: OAM_REMOTE_USER, not HTTP_OAM_REMOTE_USER.
  4. Page 14 states the Header Variable Name in the APEX configuration should be called HTTP_OAM_REMOTE_USER.
    No, it should be called whatever you named it in Access Manager: OAM_REMOTE_USER.
Just some common sense, and it works.

Next step: WNA+OAM+APEX - anyone done that?

Wednesday, September 18, 2013

Setup OUD and ODSM, and OVD/OID with ODSM

ODSM and ODSM?

The version of ODSM, suitable for OUD will *not* serve OVD or OID, it is as simple as that. In fact, Oracle spends a whole chapter on installing the lot. I did follow this, but sometimes you want to explore different routes.

OUD and ODSM

I have described the installation and configuration of these components in a previous entry. There's one update; for this entry I used V11.1.1.7.0 of ADF.

OVD and ODSM

I will use V11.1.1.7.0 of OVD/OID, and will use OVD as front-end to OUD, hence I want ODSM to be able to serve OVD as well - how else to define adapters? All services have been started, OUD as well as the weblogic Admin server (where OUD/ODSM is deployed). Starting the OVD installation:
/oracle/install/Software/OFM/11.1.1.7.0/IDM_V37386/Disk1/runInstaller -jreLoc /oracle/jrockit-jdk1.6.0
Skipping the (by now familiar) welcome and update screens, I went for an 'Install and Configure' setup.
I just ignore the error in the Make of sqlplus.
Run the root script
/oracle/middleware/Oracle_OVD1/oracleRoot.sh
There's no feedback. Overview of the configuration:
Location: /oracle/middleware/Oracle_OVD1
Disk Space
  Required: 2200 MB
  Available: 20116 MB
  Free After Install: 17856 MB
Applications Selected For Install
  Oracle Internet Directory
  Oracle Directory Integration Platform
  Oracle Virtual Directory
  Oracle Identity Federation
  Oracle HTTP Server
  Oracle Directory Service Manager
  Enterprise Manager
Applications Selected For Configuration
  Oracle Virtual Directory
  Enterprise Manager
  Oracle Directory Service Manager
Middleware Home Location : /oracle/middleware
Oracle Instance Location : /oracle/middleware/ovdinst
Oracle Instance : ovdinst
Domain Option : Create Domain
Domain Name : OVD_domain
Domain Home : /oracle/middleware/user_projects/domains/OVD_domain
Domain Host Name : oud
Domain Port : 7002
Weblogic Console : http://oud:7002/console
Weblogic User Name : weblogic
Automatic Port Detection : true
Enterprise Manager : http://oud:7002/em
Enterprise Manager Agent : http://oud:5162/emd/main
Oracle Virtual Directory
  SSL Port : 7501
  Admin SSL Port : 8899
  Non SSL Port : 6501
Oracle Directory Services Manager : http://oud:7005/odsm/faces/odsm.jspx
Note that Enterprise Manager and console are configured for port 7002 - this is due to the fact the OUD AdminServer was active, and using 7001. The installer detects that, and uses the next higher port.
Now, create boot.properties in
/oracle/middleware/user_projects/domains/OVD_domain/servers/AdminServer/security
/oracle/middleware/user_projects/domains/OVD_domain/servers/wls_ods1/security
and
/oracle/middleware/user_projects/domains/OUD_domain/servers/AdminServer/security
Create the security directory if it does not exist (it will not in this stage).
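The three boot.properties files can be created in one go. Here is an added shell helper (not part of the original post, and not an Oracle script) that creates the security directory where missing, writes the file with owner-only permissions, and refuses to overwrite an existing file, since WebLogic replaces the clear-text values with encrypted ones on the first boot and you do not want to clobber those. The three server directories are the ones from this post; the user name is passed in and the password is read without echo rather than put on the command line; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): write boot.properties for each
# WebLogic server directory so Admin and managed servers boot unattended.
# Server paths are the ones from the post; credentials are supplied at run time.

# write_boot_properties <server-dir> <username> <password>
# Creates <server-dir>/security if needed and writes boot.properties, mode 600.
# Returns 2 (and leaves the file alone) when one already exists, because
# WebLogic rewrites it with encrypted values on first boot.
write_boot_properties() {
    serverdir=$1 user=$2 pass=$3
    secdir=$serverdir/security
    target=$secdir/boot.properties
    if [ -f "$target" ]; then
        echo "skipping $target: already exists" >&2
        return 2
    fi
    mkdir -p "$secdir" || return 1
    # umask in a subshell so the file is never world-readable, not even briefly.
    ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$target" ) || return 1
    chmod 600 "$target"
}

# boot_properties_ok <server-dir>
# 0 when boot.properties exists and is readable by its owner only.
boot_properties_ok() {
    f=$1/security/boot.properties
    [ -f "$f" ] || return 1
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
    [ "$perms" = "600" ]
}

# Stand-alone use: ./make-boot-properties.sh weblogic   (password is prompted)
if [ "$#" -eq 1 ]; then
    printf 'Password for WebLogic user %s: ' "$1"
    stty -echo; read -r pass; stty echo; echo
    for d in /oracle/middleware/user_projects/domains/OVD_domain/servers/AdminServer \
             /oracle/middleware/user_projects/domains/OVD_domain/servers/wls_ods1 \
             /oracle/middleware/user_projects/domains/OUD_domain/servers/AdminServer; do
        write_boot_properties "$d" "$1" "$pass" && boot_properties_ok "$d" && echo "ok: $d"
    done
fi
```

Run boot_properties_ok again after the first start of each server: the file should still be mode 600, but its contents will have changed to the encrypted form.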

OVD runs as opmn controlled process:
/oracle/middleware/ovdinst/bin/opmnctl status -l

Processes in Instance: ovdinst
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ovd1                             | OVD                |    7606 | Alive    |  672537780 |  1129136 |   0:08:35 | ldaps:7501,https:8899,ldap:6501
EMAGENT                          | EMAGENT            |    7737 | Alive    |  672537781 |   106096 |   0:08:12 | N/A

Now, I have two ODSM environments: at port 7001 (the original ADF/OUD/ODSM setup), and the freshly installed one, at port 7005 (the Managed Server wls_ods1 in the domain OVD_domain).

Maintenance: stopping and starting

Stop OVD:
/oracle/middleware/ovdinst/bin/opmnctl stopall
opmnctl stopall: stopping opmn and all managed processes...
Stop ADF/OUD/ODSM (ODSM is deployed in the Adminserver, so there is no managed server to stop/start):
/oracle/middleware/user_projects/domains/OUD_domain/bin/stopWebLogic.sh
Stopping Weblogic Server...
[WARN ] Use of -Djrockit.optfile is deprecated and discouraged.

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://oud.home.local:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'OUD_domain'.

Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

Shutting down the server AdminServer with force=false while connected to AdminServer ...
Disconnected from weblogic server: AdminServer

Exiting WebLogic Scripting Tool.

Done
Stopping Derby Server...
Now, same exercise as above for stopping the OVD/ODSM managed server wls_ods1, and the admin server. Stop OVD_domain AdminServer (ODSM/OVD):
/oracle/middleware/user_projects/domains/OVD_domain/bin/stopWebLogic.sh
Stopping Weblogic Server...
[WARN ] Use of -Djrockit.optfile is deprecated and discouraged.

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://oud.home.local:7002 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'OVD_domain'.

Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

Shutting down the server AdminServer with force=false while connected to AdminServer ...
Disconnected from weblogic server: AdminServer

Exiting WebLogic Scripting Tool.

Done
Stopping Derby Server...
Stop OUD:
/oracle/middleware/asinst_1/OUD/bin/stop-ds

After the boot

As root:
[root@oud ~]# rngd -r /dev/urandom -o /dev/random -b
[root@oud ~]# service iptables stop
As oracle:
/oracle/middleware/asinst_1/OUD/bin/start-ds
/oracle/middleware/ovdinst/bin/opmnctl startall
sh /oracle/middleware/wlserver_10.3/server/bin/startNodeManager.sh &
nohup /oracle/middleware/user_projects/domains/OUD_domain/startWebLogic.sh &
nohup /oracle/middleware/user_projects/domains/OVD_domain/startWebLogic.sh &
nohup /oracle/middleware/user_projects/domains/OVD_domain/bin/startManagedWebLogic.sh wls_ods1 &
And there you are:
Stopping, all commands in a row and in correct sequence:
/oracle/middleware/user_projects/domains/OVD_domain/bin/stopManagedWebLogic.sh wls_ods1
/oracle/middleware/user_projects/domains/OVD_domain/bin/stopWebLogic.sh
/oracle/middleware/user_projects/domains/OUD_domain/bin/stopWebLogic.sh
/oracle/middleware/ovdinst/bin/opmnctl stopall
/oracle/middleware/asinst_1/OUD/bin/stop-ds

Possible alterations

You may consider losing the NodeManager and wls_ods1 by migrating the deployment on wls_ods1 to the AdminServer in the OVD domain. It will free some resources and ease maintenance: no managed server to stop/start, and no NodeManager to kill/start. Of course, NodeManagers are needed once you start clustering...

Thursday, September 12, 2013

ORA-02248 - brilliant

Brilliant explanation, RTFM made polite.
[oracle@local ~]$ oerr ora 2248
02248, 00000, "invalid option for ALTER SESSION"
// *Cause: Obvious.
// *Action: see SQL Language Manual for legal options.

Friday, June 14, 2013

Oracle Unified Directory 11.1.2.1.0: TNS and EUS - Part 2: Enterprise User Security

Enterprise User Security: Step by Step

I want to set OUD up in the way I've done it with OID 10.1.4.3:
  • Use a Shared Schema in every database
  • map this shared schema within the security domain in OUD
  • create enterprise users in OUD
  • Use a group in OUD to assign the enterprise roles to
  • Assign Enterprise Users (defined in OUD) to these groups

Planning

Implementing Enterprise User security involves the following steps:
  1. Make the database known to your Directory Service and allow it to communicate with the Directory Server.
  2. Create a general account in the database that will serve as a catch-all for the Enterprise users.
  3. Create Enterprise Roles in each database instance, and grant database roles to these Enterprise Roles.
  4. On the Directory Server, create (a) group(s), and possibly users (you may want to consider using your main login, which will be MS Active Directory [MSAD] in many cases. OVD and DIP come in place here).
  5. Create a search path in the Directory Server to indicate where to find valid accounts.
  6. On the Directory Server, create the Enterprise Roles.
  7. Map the database specific Enterprise Roles on the Directory Roles.
  8. Map the group(s) to the database specific general account.
Steps 1, 2, 3 and 5 have to be done for each database instance.
Steps 4 and 6 are executed only once. If you have DIP in place, all you have to do is add an account to the group to allow that account to use ALL database instances!

Step 1: database and directory server.

Actually, by registering the database the way I did, I completed step 1.
You may verify this entry using the command line version of the Enterprise User Security Manager, EUSM, like this:
[oracle@idm1 ~]$ eusm listdomaininfo domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"

DOMAIN INFOMATION FOR DOMAIN: OracleDefaultDomain
-------------------------------------------------
Current user DB links status: DISABLED
Allowed user authentication methods: ALL

LIST OF DATABASES
-----------------
idm1

Steps 2 and 3: The general account and Enterprise Roles

create user global_schema identified globally as '';
create role er_connect identified globally;
grant connect to er_connect;
create role er_resource identified globally;
grant resource to er_resource;
create role er_dba identified globally;
grant dba to er_dba;

Step 4: Create User and Group on Directory Server

First of all, start weblogic to access the Oracle Directory Server Manager (ODSM):
[oracle@oud ~]$ /oracle/user_projects/domains/OUD_domain/bin/startWebLogic.sh
Login to ODSM and create user "frank", group "EnterpriseDBA" and make frank a member of this group.
Create user:
  • Basic info; last name is obligatory!
  • Oracle EUS needs the orcluser and orclUserV2 object classes. Add them!

Add group:
  • Not sure about the difference between Static, Dynamic or Virtual; static it is.
  • Name it.
  • Add "frank" as member - press the plus sign.
  • Browse through, and select "frank".

Done!

Step 5: Directory Server: create account search path

I will use the EUSM command line:
[oracle@idm1 ~]$ eusm createmapping domain_name="OracleDefaultDomain" map_type="SUBTREE" map_dn="cn=Users,dc=home,dc=local" schema="global_schema" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
And verify:
[oracle@idm1 ~]$ eusm listmappings domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"

LIST OF DATABASE SCHEMA MAPPINGS::
------------------------------------
Mapping Name: MAPPING0
Mapping Type: SUBTREE
Mapping DN: cn=Users,dc=home,dc=local
Mapping schema:global_schema
Mapping Level :DOMAIN
It is also visible in ODSM:

Step 6: Directory Server: create Enterprise Roles

Now, create the Enterprise Roles in the Directory Server, again using the command line interface (CLI):
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_DBA" domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_Connect" domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_Resource" domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
Again, you can use eusm to verify the action (as there's no feedback...):
[oracle@idm1 ~]$ eusm listenterpriseroles domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"

LIST OF ENTERPRISE ROLES IN DOMAIN: OracleDefaultDomain
-------------------------------------------------
OUD_Connect
OUD_DBA
OUD_Resource
This, too, can be seen in ODSM.
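Because eusm createmapping and createRole print nothing, the checks in step 5 and in this step are the only evidence that the directory now holds what you intended, and they are easy to script. The following is an added example, not part of the original post and not part of eusm: it parses the listmappings and listenterpriseroles output formats shown above, using constructed sample strings that copy those outputs, and the function names are this example's own. The role comparison is deliberately case-sensitive, so an enterprise role created as OUD_Connect but later referenced as OUD_connect is reported as missing rather than silently accepted.

```shell
#!/bin/sh
# Added example (not from the original post): verify eusm results by parsing
# the output of "eusm listenterpriseroles" and "eusm listmappings".
# The two samples are constructed copies of the output shown in the post.

SAMPLE_ROLES='LIST OF ENTERPRISE ROLES IN DOMAIN: OracleDefaultDomain
-------------------------------------------------
OUD_Connect
OUD_DBA
OUD_Resource'

SAMPLE_MAPPINGS='LIST OF DATABASE SCHEMA MAPPINGS::
------------------------------------
Mapping Name: MAPPING0
Mapping Type: SUBTREE
Mapping DN: cn=Users,dc=home,dc=local
Mapping schema:global_schema
Mapping Level :DOMAIN'

# roles_in_output  (listenterpriseroles output on stdin)
# Prints the role names one per line, skipping the title and dashed line.
roles_in_output() {
    awk 'NR > 2 && NF > 0 { print $1 }'
}

# missing_roles "<listenterpriseroles output>" role...
# Prints each expected role that is absent; returns 1 if any is missing.
# Exact, case-sensitive match: "OUD_connect" does not satisfy "OUD_Connect".
missing_roles() {
    out=$1; shift
    have=$(printf '%s\n' "$out" | roles_in_output)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx -- "$want"; then
            echo "$want"; rc=1
        fi
    done
    return $rc
}

# mapping_schema "<listmappings output>" <mapping-dn>
# Prints the schema mapped for the given DN; returns 1 when no mapping
# exists for that DN (each mapping is a "Mapping DN:" / "Mapping schema:" pair).
mapping_schema() {
    printf '%s\n' "$1" | awk -v dn="$2" '
        /^Mapping DN:/     { sub(/^Mapping DN:[ \t]*/, ""); cur = $0 }
        /^Mapping schema:/ { sub(/^Mapping schema:[ \t]*/, ""); if (cur == dn) { print; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demo on the constructed samples. Against a live directory, pass
# the real output instead: missing_roles "$(eusm listenterpriseroles ...)" OUD_DBA ...
missing_roles "$SAMPLE_ROLES" OUD_DBA OUD_Connect OUD_Resource && echo "all expected roles present"
mapping_schema "$SAMPLE_MAPPINGS" 'cn=Users,dc=home,dc=local'
```

Both functions take the eusm output as a string, so the same checks can run against any domain simply by substituting the live command output for the samples.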

Step 7: Map Enterprise roles (database to directory)

Make sure you use "sys as sysdba" for dbuser, and the SID, not the service_name, in the connect string:
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_Resource" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_resource" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_DBA" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_dba" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_Connect" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_connect" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"

Step 8: Grant the Directory Enterprise Roles to the group

[oracle@idm1 ~]$ eusm grantrole enterprise_role="OUD_DBA" domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" group_dn="cn=EnterpriseDBA,cn=Groups,dc=home,dc=local" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"

Eating the pudding

One snag I did not document earlier: you need to fill in the (optional!) attribute userpassword for your user. If you don't, you will run into this:
[oracle@idm1 ~]$ sqlplus frank/DemoOud1@idm1

SQL*Plus: Release 11.2.0.3.0 Production on Fri Jun 14 13:10:56 2013

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

ERROR:
ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
After rectifying this issue, I got enterprise security:
[oracle@idm1 ~]$ sqlplus frank/DemoOud1@idm1

SQL*Plus: Release 11.2.0.3.0 Production on Fri Jun 14 13:11:13 2013

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning option

SQL> select * from session_roles;

ROLE
------------------------------
ER_DBA
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
EXECUTE_CATALOG_ROLE
HS_ADMIN_EXECUTE_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
JAVA_ADMIN
JAVA_DEPLOY
XDBADMIN
XDB_SET_INVOKER

18 rows selected.

SQL>