Monday, March 22, 2010

SSO server (with WNA) fails to start with Kerberos errors

When you see this in the log:

10/03/22 12:06:22 Acquire TGT using AS Exchange
10/03/22 12:06:22 KerberosAuthenticator: GSSException raised in constructor - No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
10/03/22 12:06:22 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
10/03/22 12:06:22 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
[snip!]
10/03/22 12:06:22 ... 22 more
10/03/22 12:06:22 KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server
10/03/22 12:06:22 KerberosAuthenticator: Possible errors may be:
10/03/22 12:06:22 KerberosAuthenticator: 1.HTTP service name in $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml or $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml is wrong.
10/03/22 12:06:22 KerberosAuthenticator: 2.KDC Details (host/port) in $ORACLE_HOME/opmn/conf/opmn.xml are wrong.
10/03/22 12:06:22 KerberosAuthenticator: 3.KDC is down.
10/03/22 12:06:22 KerberosAuthenticator: 4.KDC Details in the keytab file are wrong or the keytab file path has been incorrectly specified.


then try adding the following to $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml, under the <login-module> section. Setting isInitiator to false tells Krb5LoginModule to log in as an acceptor only, so it no longer tries to obtain a TGT through the AS exchange shown at the top of the log:

<class>com.sun.security.auth.module.Krb5LoginModule</class>

<option>
<name>isInitiator</name>
<value>false</value>
</option>

Then, restart the OC4J_SECURITY process.

In spite of everything noted in the note, it works with:

Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2.07-050121-15:53)
Java HotSpot(TM) Server VM (build 1.4.2 1.4.2.07-050121-21:06-IA64N IA64, mixed mode)
running on:
HP-UX [myhost] B.11.23 U ia64 4294967040 unlimited-user license

Friday, March 12, 2010

Grid Control & OID: a deadly combo

If you ever experience these symptoms, ask yourself whether you have Grid Control (or OEM) running:
  • Single Sign On fails
  • OID Processes suddenly have stopped (which explains the above)
  • ODS database account is locked, which seems to cause the problem
  • Unlocking the ODS account resolves the problem, but it gets locked after a short period.
The cause is that you changed the ODS password. You may have done this quite correctly, using the oidpasswd utility, making sure the wallet gets updated, etc., but none of that updates targets.xml... This means Grid Control (or OEM) periodically tries to log on with the old, wrong password, and the failed attempts lock the account.

One solution is to update the ldap section of $ORACLE_HOME/sysman/emd/targets.xml: put the new password in there in plain text, and signal that it is no longer encrypted by means of ENCRYPTED="FALSE".
Then restart Grid Control (or OEM).

More in Doc ID 567256.1

Wednesday, February 17, 2010

IAM 10.1.4 on Ubuntu

Starting off with an OID repository which is of the "wrong version" (installed with REPCA 10.1.4, while trying to install 10.1.4...), several wizards now fail.

It starts with the Delegated Administration Service Configuration Wizard; Apache fails to start with:

Syntax error on line 1113 of /oracle/iam/Apache/Apache/conf/httpd.conf:
Cannot load /oracle/iam/Apache/Apache/libexec/mod_rewrite.so into server: /oracle/iam/Apache/Apache/libexec/mod_rewrite.so: undefined symbol: dbm_fetch
and several others.
In spite of earlier actions, one needs to:
sudo apt-get install libdb1-compat

That still does not resolve everything - but at least I can use LDAP.

Friday, February 05, 2010

There's quite a leak in 11G

There's quite a security leak in Oracle 11G release 2. You are warned. No patch or workaround is known (not installing Java: would that be an option?).
Found on c't (German magazine, see link in title), announced at the Black Hat conference by David Litchfield.

Update

First line of defense: revoke all on DBMS_JAVA, DBMS_JAVA_TEST and DBMS_JVM_EXP_PERMS from PUBLIC.
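As an added check (example code, not from the original post), the query that shows whether PUBLIC still holds grants on those three packages, followed by the revokes spelled out per package; it assumes SYSDBA access.

```sql
-- Added check (example, not part of the original post); run as SYSDBA.
-- Shows which of the three packages PUBLIC can still execute.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS');

-- The post's "revoke all ... from PUBLIC", spelled out per package
REVOKE ALL ON sys.dbms_java          FROM PUBLIC;
REVOKE ALL ON sys.dbms_java_test     FROM PUBLIC;
REVOKE ALL ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- Re-run the SELECT: it should now return no rows. An application account
-- that legitimately needs Java stored procedures gets an explicit grant
-- instead (app_user is a placeholder):
-- GRANT EXECUTE ON sys.dbms_java TO app_user;
```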

Update 2

Here's a link to an English version of the original article. Note the "How-to" video is available (again).

Wednesday, January 27, 2010

Install APEX recipe

How to install APEX, in shorthand.

Prepare the database

There are some options and tools to be installed. If you use the DBCA to generate scripts, make sure you at least run these:

@$AH/scripts/CreateDB.sql
@$AH/scripts/CreateDBFiles.sql
@$AH/scripts/CreateDBCatalog.sql
@$AH/scripts/JServer.sql
@$AH/scripts/context.sql
@$AH/scripts/xdb_protocol.sql
@$AH/scripts/postDBCreation.sql

$AH stands for my Administrative Home directory; usually something like $ORACLE_BASE/admin/{SID}

Check

Not sure? Running this should return at least the following three:
select comp_id from dba_registry;

COMP_ID
------------------------------
XDB
CONTEXT
JAVAVM

owa_util

select owa_util.get_version from dual;
should result in 10.1.2.0.6 or higher. If not, it needs to be patched/upgraded. You can safely execute owainst.sql in the owa subdirectory of the installation, as the OWA installation checks the version and only patches if there is something to patch.

shared_pool

Only when not using SGA_TARGET (10g and 11g) or MEMORY_TARGET (11g): set shared_pool_size to 100MB or higher.
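The three checks above (registry components, owa_util version, shared_pool_size) combined into one pre-flight block, as an added example that is not part of the original post; it assumes you run it as SYSDBA and that DBA_REGISTRY, V$PARAMETER and SYS.OWA_UTIL are accessible from the session.

```sql
-- Added pre-flight check (example code, not part of the original post); run as SYSDBA.
-- Assumes DBA_REGISTRY, V$PARAMETER and SYS.OWA_UTIL are accessible from the session.
SET SERVEROUTPUT ON
DECLARE
  v_cnt PLS_INTEGER;  v_ver VARCHAR2(64);  v_ok BOOLEAN := TRUE;
  v_sga NUMBER;  v_mem NUMBER;  v_pool NUMBER;
  -- Turn a dotted version such as 10.1.2.0.6 into one comparable number
  FUNCTION vernum(p_ver VARCHAR2) RETURN NUMBER IS
    v_out NUMBER := 0;
  BEGIN
    FOR i IN 1 .. 5 LOOP
      v_out := v_out * 1000
               + NVL(TO_NUMBER(REGEXP_SUBSTR(p_ver, '\d+', 1, i)), 0);
    END LOOP;
    RETURN v_out;
  END vernum;
BEGIN
  -- 1. XDB, CONTEXT and JAVAVM must be registered and VALID
  FOR c IN (SELECT column_value AS comp
              FROM TABLE(sys.odcivarchar2list('XDB', 'CONTEXT', 'JAVAVM'))) LOOP
    SELECT COUNT(*) INTO v_cnt
      FROM dba_registry
     WHERE comp_id = c.comp AND status = 'VALID';
    IF v_cnt = 0 THEN
      v_ok := FALSE;
      dbms_output.put_line('Component missing or not VALID: ' || c.comp);
    END IF;
  END LOOP;
  -- 2. PL/SQL Web Toolkit must be 10.1.2.0.6 or newer
  v_ver := owa_util.get_version;
  IF vernum(v_ver) < vernum('10.1.2.0.6') THEN
    v_ok := FALSE;
    dbms_output.put_line('owa_util ' || v_ver || ' is too old; run owainst.sql');
  END IF;
  -- 3. shared_pool_size only matters when neither SGA_TARGET nor MEMORY_TARGET
  --    is in use; MEMORY_TARGET does not exist on 10g, hence the MAX/NVL
  SELECT TO_NUMBER(value) INTO v_sga FROM v$parameter WHERE name = 'sga_target';
  SELECT NVL(MAX(TO_NUMBER(value)), 0) INTO v_mem
    FROM v$parameter WHERE name = 'memory_target';
  SELECT TO_NUMBER(value) INTO v_pool FROM v$parameter WHERE name = 'shared_pool_size';
  IF v_sga = 0 AND v_mem = 0 AND v_pool < 100 * 1024 * 1024 THEN
    v_ok := FALSE;
    dbms_output.put_line('shared_pool_size is below 100MB: ' || v_pool || ' bytes');
  END IF;
  dbms_output.put_line(CASE WHEN v_ok THEN 'APEX prerequisites OK'
                            ELSE 'Fix the items above before running apexins' END);
END;
/
```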

Install

Now, you are ready to install:
@apexins sysaux sysaux temp /i/

Don't forget the last "/"... Change the password of the public account, and unlock the account:
alter user apex_public_user identified by ABC123DEF account unlock;

The OHS

Assuming an MS Windows workstation, zip the images directory of the APEX install. Transfer that to your OHS (Oracle HTTP Server). Now create a directory and unzip:

$ mkdir $ORACLE_BASE/htdocs/apex
$ cd $ORACLE_BASE/htdocs/apex
$ unzip /.../apeximg.zip

plsql.conf

Add this entry to plsql.conf ($ORACLE_BASE points to /oracle/apex):
PlsqlMaxParameters 15000

dads.conf

Add this to dads.conf:
Alias /i/ "/oracle/apex/htdocs/apex/images/"
AddType text/xml xbl
AddType text/x-component htc
<Location /demo>
SetHandler pls_handler
Order deny,allow
Allow from All
AllowOverride None
PlsqlDatabaseUsername apex_public_user
PlsqlDatabasePassword ABC123DEF
PlsqlDatabaseConnectString cs-frank03.home.local:1521:orcl.home.local ServiceNameFormat
PlsqlNLSLanguage American_America.UTF8
PlsqlAuthenticationMode Basic
PlsqlSessionStateManagement StatelessWithFastResetPackageState
PlsqlDocumentPath docs
PlsqlDocumentProcedure wwv_flow_file_mgr.process_download
PlsqlDocumentTablename wwv_flow_file_objects$
PlsqlDefaultPage apex
PlsqlAlwaysDescribeProcedure Off
PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
</Location>

Obfuscate password

It is not a good practice to leave cleartext passwords; obfuscate it:
cd $ORACLE_HOME/ohs/modplsql/conf
export PERL5LIB=$ORACLE_HOME/perl/lib/5.8.3
export SHLIB_PATH=$ORACLE_HOME/lib:/usr/lib
export PATH=$ORACLE_HOME/ohs/modplsql/conf:$ORACLE_HOME/perl/bin:$PATH

perl dadTool.pl -o

$ Error: Could not obfuscate password 'ABC123DEF' for dad '/demo'
Number of failed obfuscations : 1

Never mind: the password is obfuscated anyway, just check the file. You're almost done; now make OHS aware of all changes:
$ opmnctl restartproc type=ohs

You are now ready to add workspaces and users, like I've done here.

Wednesday, January 20, 2010

OHS2 on Ubuntu (error loading shared libraries)

Trying to install the Oracle HTTP Server powered by Apache 2, I got the following errors:
/oracle/as/10.1.3/ohs/bin/apachectl startssl: execing httpd
/oracle/as/10.1.3/ohs/bin/httpd: error while loading shared libraries: libgdbm.so.2: cannot open shared object file: No such file or directory

That can be resolved by:
sudo ln -s /usr/lib/libgdbm_compat.so.3.0.0 /usr/lib/libgdbm.so.2

The next error in the opmn HTTP log will be:
/oracle/as/10.1.3/ohs/bin/apachectl startssl: execing httpd
/oracle/as/10.1.3/ohs/bin/httpd: error while loading shared libraries: libdb-3.3.so: cannot open shared object file: No such file or directory

In order to resolve that, execute:
sudo ln -s /usr/lib/libdb-4.7.so /usr/lib/libdb-3.3.so

Oracle 10G R2 on Ubuntu 9.10 (ins_rdbms.mk link error)

Installing Oracle 10G release 2 on Ubuntu 9.10 (Karmic Koala) is pretty much the same as installing on 8.04, except for the extra packages needed. In this case, I used:
apt-get install build-essential libaio1 gawk ksh libmotif3 alien libtool lsb-rpm libstdc++5
The problem with 9.10 is that libstdc++5 has been phased out and superseded by libstdc++6.
When you try to install it nevertheless, you'll get:
Package libstdc++5 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package libstdc++5 has no installation candidate

Continuing with the installation anyway will get you:

Error in invoking target 'all_no_orcl' of makefile 'ins_rdbms.mk'.

Workaround

The solution is simple: create a link to the v6 library:

sudo ln -s /usr/lib/libstdc++.so.6.0.13 /usr/lib/libstdc++.so.5

Fast!

I am, by the way, impressed by the speed of this install. I have the impression that this ext4 filesystem is a lot faster than the 2-disk LVM I had on CentOS.