Showing posts with label OHS.

Monday 3 July 2017

Enable SSL in between OHS & Outbound Applications


Prerequisites:
  1. SSL is enabled on OHS.
  2. SSL is enabled on the outbound application (OAM, WebLogic, OIM, etc.).
What we are aiming for is to set up SSL between OHS and the outbound apps.

Eg: Consider you want to proxy your OAM server via OHS acting as a load balancer/proxy (call it what you like). This is a very common use case: your OAM servers sit in your data center and you don't want their hostname/IP exposed, so you proxy OAM via OHS.
  • Consider your OHS server name is https://abc.com. If an admin needs to access the oamconsole, they will fire the URL https://abc.com/oamconsole.
  • To enable this use case, /oamconsole is added to ssl.conf/mod_wl_ohs.conf (the usual way).
  • But the catch is that both OHS and OAM are in SSL mode.
  • This means they will perform a handshake before they start talking to each other.
  • As we all know, during the handshake the server sends its certificate, and this cert is verified by the client, i.e. here mod_wl_ohs in OHS. So the wallet used by mod_wl_ohs has to have that certificate as a trusted certificate entry.

The steps you need to follow are:

  • Import the certificate used by the outbound app (such as Oracle WebLogic Server) into the Oracle HTTP Server wallet as a trusted certificate.
    • To add a trusted certificate you can use the orapki utility or any tool of your choice:
    • <MW_HOME>/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert cacert.pem -auto_login_only
    • Note: './' is used because we assume you are running this command from the directory where your cwallet.sso is present. You can substitute the directory path of cwallet.sso instead.
  • Now add these 2 directives in ssl.conf or mod_wl_ohs.conf:
    • SecureProxy On
      WlSSLWallet "<wallet location>"

Complete Eg:

<Location /console>
SetHandler weblogic-handler
WebLogicHost xyz.us.domain.com
WebLogicPort 7001
SecureProxy ON
WlSSLWallet "/MW_HOME/keystores/newwallet"
</Location>


Now start your OHS server and try to access the proxied URL; you should get a successful connection. You can also confirm this by capturing Wireshark traces.
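As an added example (not code from the original post), this POSIX shell script splits the certificate chain that 'openssl s_client -showcerts' prints for the outbound app into one PEM file per certificate and imports each into the OHS wallet with the orapki command used above. The transcript, the host xyz.us.domain.com:7002, and the MW_HOME and WALLET_DIR variables are constructed/assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Splits the certificate chain that
# `openssl s_client -showcerts` prints for the outbound app into one PEM file
# per certificate, then adds each to the OHS wallet as a trusted certificate
# with orapki (the step described above). The transcript below is CONSTRUCTED
# with dummy certificate bodies; on a real box capture it with
#   openssl s_client -connect xyz.us.domain.com:7002 -showcerts </dev/null > s_client.txt
# MW_HOME (Middleware home) and WALLET_DIR (directory holding cwallet.sso)
# are assumed environment variables.

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
TRANSCRIPT="$WORK_DIR/s_client.txt"
cat > "$TRANSCRIPT" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN=xyz.us.domain.com
   i:CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBdummyLeafCertificateBodyConstructedForIllustrationOnly==
-----END CERTIFICATE-----
 1 s:CN=Example Internal CA
   i:CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBdummyIssuerCertificateBodyConstructedForIllustrationOnly==
-----END CERTIFICATE-----
---
Server certificate
EOF

# split_chain <transcript> <out-dir>: writes chain-0.pem, chain-1.pem, ...
# (0 = server cert, last = topmost issuer) and prints how many were written.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { f = dir "/chain-" (n + 0) ".pem"; n++; out = 1 }
        out                           { print > f }
        /-----END CERTIFICATE-----/   { out = 0; close(f) }
        END                           { print n + 0 }
    ' "$1"
}

# chain_subjects <transcript>: prints "index subject" for each cert in the
# chain so you can see what you are about to trust before importing it.
chain_subjects() {
    awk '/^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); print i++, $0 }' "$1"
}

# wallet_add_trusted <wallet-dir> <pem-dir>: runs orapki for every split
# certificate when MW_HOME points at a real Middleware home, else dry-runs.
wallet_add_trusted() {
    orapki="${MW_HOME:-/nonexistent}/oracle_common/bin/orapki"
    for pem in "$2"/chain-*.pem; do
        if [ -x "$orapki" ]; then
            "$orapki" wallet add -wallet "$1" -trusted_cert -cert "$pem" -auto_login_only
        else
            echo "[dry-run] orapki wallet add -wallet $1 -trusted_cert -cert $pem -auto_login_only"
        fi
    done
    # listing the wallet afterwards is the check that the entries really landed
    [ -x "$orapki" ] && "$orapki" wallet display -wallet "$1"
    return 0
}

count=$(split_chain "$TRANSCRIPT" "$WORK_DIR")
echo "split $count certificate(s) from the chain:"
chain_subjects "$TRANSCRIPT"
wallet_add_trusted "${WALLET_DIR:-.}" "$WORK_DIR"
```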

Hope this helps... :-)

Enjoy :-)

Monday 19 October 2015

Configuring self signed SSL Certificates for OHS 11.1.1.7 or 11.1.1.9

Recently I came across a very good article by the A-Team about configuring SSL certificates signed by a CA authority with OHS.


Currently, if we access a secured SSL port of OHS, our browser shows a warning and asks whether to trust the certificate or not. This certificate is the default one that ships with OHS.
But in real scenarios we need to configure our organization's SSL certificate, signed by a CA authority like VeriSign.

It is also possible to generate the SSL certificate and sign it with a root CA of our own, because for testing purposes we are not going to have it signed by an external CA.

So the article shared by the A-Team describes the steps to follow to achieve this.

http://www.ateam-oracle.com/setting-up-https-on-ohs-for-fusion-apps/



Enjoy :-)

Wednesday 14 January 2015

Configuring Detached Credential Collector Webgate 11g with Oracle Traffic Director Server

Pre-requisites:

  1. OTD is installed and running.
  2. An origin server like OHS is configured in the origin server pool settings.
  3. WebGate 11g is configured with OTD and you are able to execute the ECC scenario (this step just verifies that the setup is done properly).

This chapter is divided into :

  • Configure the OHS server (here we have used OHS as the origin server for OTD)
  • Create the DCC WebGate profile on the OAM server
  • Access an OTD-protected resource.


Quickly I will show you the OTD Admin Console and the configuration done on it:

Let's begin the configuration process:


1) In order to enable the DCC configuration in OTD, we need the resources used by DCC, like login.pl, logout.pl, etc., present on the OHS server.

  • Now the question arises: why at OHS and not at OTD? Because in OTD we have to rely on the origin server to provide the resources.
  • Second question: where do we get the resources from? Simple: you can get them from the OTD WebGate installation directory.
bash$> ls /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso*

  • So simply copy these 2 folders into the OHS server instance directory:
    • Copy the oamsso-bin folder:

bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso-bin /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/oamsso-bin/
    • Copy the oamsso folder under the htdocs directory:
bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/htdocs/oamsso/
  • OK, we have the resources with us. Now we need to configure the OHS httpd.conf file.

This is what we have added:
1)
    ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"
    Alias /oamsso/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/oamsso/"

2)
    <Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

  • Done. Now we need to check whether we are able to access the resource. How? Simple: start the OHS server and access the resource.
bash$> cd /Middleware_Home/Oracle_WT1/instances/instance1/bin
bash$> ./opmnctl startall
Server started.....
    • Access the resource by hitting the URL http://<host:port>/oamsso-bin/login.pl

You will be able to see the login.pl resource.

2) We are done with the OHS settings; now proceed to create a DCC WebGate profile on the OAM server. To do this, follow: Configure DCC Webgate Profile

  • Copy the created artifacts to the OTD WebGate instance directory.
bash$> cp /Middleware_Home/user_projects/domains/base_domain/output/dcc-9090/* /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/otd_instance/dcc-inst/config/

Note: My OTD WebGate instance is present in the OTD installation directory itself. Your directory structure might be different from mine, so no need to worry.


3) Now restart the OTD Instance:

bash$> cd /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/instances/bin/net-otd/
bash$> ./stopserv
Server Stopped....

bash$> ./startserv
Server Started....

You can also restart/start/stop the OTD instance from the OTD Admin Console.

4) Access a protected resource like /index.html:
hostname - clk-host.us.com
OTD instance port - 9090
resource - index.html

http://clk-host.us.com:9090/index.html



Congrats you have done it.....!!!!!!

Enjoy :-)

Tuesday 9 December 2014

Purpose of Max Session Time OAM

Purpose of Max Session Time field:


Max Session Time (hours)

Maximum time to keep server connections alive. The unit is based on the maxSessionTimeUnits user-defined parameter which can be 'minutes' or 'hours'. When maxSessionTimeUnits is not defined, the unit is defaulted to 'hours'.

What does the above definition mean?

Basically this is the session time for the OAP/NAP connections made between the WebGate and the OAM server,
i.e. the TTL (time to live) of these OAP/NAP connections.

Does this field define the time in minutes or hours?

By default it is in 'hours'. But when you create a WebGate agent profile there is a user-defined parameter 'maxSessionTimeUnits' with the value 'minutes'.
This makes the value configured in 'MAX SESSION TIME' minutes.




  • In this agent profile we have Max Session Time configured as '2'. Why is this in minutes?
    • Because we have configured the user-defined parameter 'maxSessionTimeUnits', and the value of this parameter is 'minutes'.

But if you remove the 'maxSessionTimeUnits' parameter, then MAX SESSION TIME will have 'hours' as its unit.

Note:

  • The user won't be challenged for credentials again because of 'MAX Session time'. This is not the user session timeout; it is the OAP/NAP connection timeout.

How will you test these connections?

bash$> netstat -anp | grep 5575 | grep httpd.worker

Note:

  1. Port 5575 is the listening port used by the OAM server; it is the server connection port mentioned while creating the WebGate agent profile.
  2. 'httpd.worker' is the OHS server process.
  3. In this example 2 worker threads have made OAP/NAP connections with the OAM server.


After 2 minutes these connections are re-established; here is the proof.
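As an added example (not code from the original post), this POSIX shell script does what the netstat check above does, but from a saved snapshot and with the two filters that 'grep 5575 | grep httpd.worker' alone lacks (only ESTABLISHED connections, only worker processes), and then compares two snapshots taken more than Max Session Time apart to show the workers reconnected. The two snapshots, the addresses and the PIDs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Counts the OAP/NAP connections
# the OHS httpd.worker processes hold to the OAM server port (5575, as in the
# post) from a `netstat -anp` snapshot, and compares two snapshots taken more
# than Max Session Time apart to show that the connections were torn down and
# re-established (new local ports, same workers). Both snapshots are
# CONSTRUCTED; on a real box capture them with
#   netstat -anp | grep 5575 > snap1.txt; sleep 130; netstat -anp | grep 5575 > snap2.txt

OAM_PORT="${OAM_PORT:-5575}"
WORK_DIR="${WORK_DIR:-$(mktemp -d)}"

# Linux netstat columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
cat > "$WORK_DIR/snap1.txt" <<'EOF'
tcp        0      0 10.0.0.5:41822          10.0.0.9:5575           ESTABLISHED 4298/httpd.worker
tcp        0      0 10.0.0.5:41823          10.0.0.9:5575           ESTABLISHED 4299/httpd.worker
tcp        0      0 10.0.0.5:41500          10.0.0.9:5575           ESTABLISHED 5120/java
tcp        0      0 10.0.0.5:41700          10.0.0.9:5575           TIME_WAIT   -
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      4297/httpd.worker
EOF
cat > "$WORK_DIR/snap2.txt" <<'EOF'
tcp        0      0 10.0.0.5:41822          10.0.0.9:5575           TIME_WAIT   -
tcp        0      0 10.0.0.5:41823          10.0.0.9:5575           TIME_WAIT   -
tcp        0      0 10.0.0.5:41830          10.0.0.9:5575           ESTABLISHED 4298/httpd.worker
tcp        0      0 10.0.0.5:41831          10.0.0.9:5575           ESTABLISHED 4299/httpd.worker
tcp        0      0 10.0.0.5:41500          10.0.0.9:5575           ESTABLISHED 5120/java
EOF

# oap_worker_conns <snapshot>: prints "localport pid" for every ESTABLISHED
# connection from an httpd.worker process to the OAM port. Filtering on the
# state and the program name is what `grep 5575 | grep httpd.worker` alone
# does not do: it would also count TIME_WAIT leftovers and other clients.
oap_worker_conns() {
    awk -v port="$OAM_PORT" '
        $5 ~ (":" port "$") && $6 == "ESTABLISHED" && $7 ~ /\/httpd\.worker$/ {
            lp = $4; sub(/.*:/, "", lp)
            pid = $7; sub(/\/.*/, "", pid)
            print lp, pid
        }' "$1" | sort
}

# count_oap_conns <snapshot>: how many OAP/NAP connections the workers hold.
count_oap_conns() {
    oap_worker_conns "$1" | wc -l | tr -d ' '
}

# oap_reestablished <snap-before> <snap-after>: "yes" when the worker
# connections in the second snapshot use different local ports than the
# first, i.e. Max Session Time expired and the workers reconnected.
oap_reestablished() {
    before=$(oap_worker_conns "$1")
    after=$(oap_worker_conns "$2")
    if [ "$before" = "$after" ]; then echo no; else echo yes; fi
}

echo "OAP connections now: $(count_oap_conns "$WORK_DIR/snap1.txt")"
echo "re-established after Max Session Time: $(oap_reestablished "$WORK_DIR/snap1.txt" "$WORK_DIR/snap2.txt")"
```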


Hope it clears your doubts.....!!!!!!


Reference Doc:
http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/register.htm#AIAAG631


Enjoy :-)

Tuesday 25 November 2014

[Weblogic]: How to Deploy a Web App on OAM Weblogic Console

This post is divided into 3 sections:

1) Create a web-app.
2) Deploy it on the managed server.
3) Accessing the web-app.


Let's Start:

1) Create a web-app: For this I have an already created web-app, which contains a headers.jsp page.

  • headers.jsp - This page is used to display all the HTTP headers that are set by OAM-WebLogic.

2) Deploy web-app:


  • Log in to the WebLogic server console: http://<host:port>/console

  • Once you are logged in, select the 'Deployment' option under Domain Structure.

Note: Before you move to the next step, copy the web-app folder to the domain directory, i.e.

Copy to this path: <MiddlewareHome>/user_projects/domains/<your_domain_name>/


  • Click the 'Install' button: this will lead you to the deployment process.

  • Now select your app folder.

  • Select the folder; here it shows 'source' as that folder contains the app:

          Press Next....

Note
    • Here the 'source' folder has the web app pages, so when we need to access these resources from the browser we will fire the request as:
         http://<host:port>/source/Login.jsp
    • Thus if your folder name is something else, you will access it by that name only.
         Syntax: http://host:port/<webapp folder name>/<resource name>
  • On the next page nothing needs to be changed for now; keep selecting the default options and just press Next.



  • Available Targets: Select 'oam_server1' (you can also deploy it on the Admin Server) and press Next.

  • General Assistance: This shows you the selected options; here you just need to press Next.

Note: One thing you need to make a note of is the deployment name, because if you need to update the app in future you will need the name.

  • Finish: Click 'Finish' and it will deploy the app.

Note: Click the 'Activate Changes' button on the top left; this applies the changes and no restart is required.

3) Accessing the web-app

  • We need to make changes in the mod_wl_ohs.conf file, as we need to front-end the deployed app.

        Note: Here I have front-ended the app with OHS.

    • '/source' is the app folder that we chose while deploying.
    • Mention the host name - this will be the host on which you have installed the OHS.
    • Mention the port - this will be the port on which the managed server is listening.
    • Save the changes.
    • Restart the OHS server.

  • Open the browser and fire the URL http://<host:port>/source/headers.jsp
  • It will redirect you to the credential collector page. Provide the credentials.
  • And you will get the 'headers.jsp' resource.

  • Now you can even try to access other resources present on your OHS server, i.e. those you have placed in the htdocs folder, like:
         http://<host:port>/index.html

  • You will not be asked for the credentials again, as you have already logged in and your OAMAuthnCookie and OAM_ID cookies are present in your browser.



Enjoy :-)

Monday 10 November 2014

[OHS]: Configure Webgate to include Execution context ID (ECID)

Enabling Webgate ECID Logs:


1) Go to the WebGate instance directory:

bash$> cd $OHS_HOME/instances/instance1/config/OHS/ohs1/

2) Change Directory to webgate config folder:

bash$> cd webgate/config

3) Open oblog_config_wg.xml file to edit it:

bash$> vi oblog_config_wg.xml

4) By default LOGLEVEL_ECID is off, so we need to turn the logging on. The relevant block in the file looks like this:

<!-- LOGLEVEL_ECID logs will be logged in a seperate file by default -->
<!-- By default LOGLEVEL_ECID will be off. -->
<!-- To make it on change "LOG_STATUS" parameter to "On" -->
<ValNameList xmlns="http://www.oblix.com" ListName="LogEcid2File">
  <NameValPair ParamName="LOG_LEVEL" Value="LOGLEVEL_ECID" />
  <NameValPair ParamName="LOG_WRITER" Value="MPFileLogWriter" />
  <NameValPair ParamName="FILE_NAME" Value="webgate.ecid.log" />
  <!-- Buffer up to 64 KB (expressed in bytes) of log entries before flushing to the file. -->
  <NameValPair ParamName="BUFFER_SIZE" Value="512" />
  <!-- Rotate the log file once it exceeds 50 MB (expressed in bytes). -->
  <NameValPair ParamName="MAX_ROTATION_SIZE" Value="52428800" />
  <!-- Rotate the log file after 24 hours (expressed in seconds). -->
  <NameValPair ParamName="MAX_ROTATION_TIME" Value="86400" />
  <NameValPair ParamName="LOG_STATUS" Value="Off" />
</ValNameList>

5) Here we need to change the LOG_STATUS Value to "On"

<!-- <NameValPair ParamName="LOG_STATUS" Value="Off" /> -->

<NameValPair ParamName="LOG_STATUS" Value="On" />

6) If we want the logs written quickly, with no buffering, we can reduce BUFFER_SIZE to "1".

7) Save the changes, and we are good to go...!!!!
8) Restart the OHS web server.

9) You will see a log file named "webgate.ecid.log" created in the diagnostics folder:

bash$> cd $OHS_HOME/instances/<instance_name>/diagnostics/logs/OHS/ohs1/
bash$> ls *ecid*
webgate.ecid.log
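As an added example (not code from the original post), this POSIX shell script performs steps 5 and 6 above on oblog_config_wg.xml, but scoped to the LogEcid2File list only, since the real file carries a LOG_STATUS line for every logger and a blanket search-and-replace would switch them all. The cut-down file (its wrapper element and the LogError2File/LogDebug2File lists), the CFG variable and the helper names are constructed/assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Turns the LogEcid2File logger in
# oblog_config_wg.xml on (steps 5-6 above) by rewriting a NameValPair only
# inside the <ValNameList ListName="LogEcid2File"> block, so the LOG_STATUS
# lines of the other loggers in the same file are left untouched. The file
# below is a CONSTRUCTED cut-down (wrapper element and the other two lists are
# placeholders); set CFG to the real path
#   $OHS_HOME/instances/<instance_name>/config/OHS/ohs1/webgate/config/oblog_config_wg.xml
# to edit it for real, after taking a backup, and restart OHS afterwards.

CFG="${CFG:-$(mktemp)}"
cat > "$CFG" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<CompoundList xmlns="http://www.oblix.com" ListName="logframework.xml.staging">
  <ValNameList xmlns="http://www.oblix.com" ListName="LogError2File">
    <NameValPair ParamName="LOG_LEVEL" Value="LOGLEVEL_ERROR" />
    <NameValPair ParamName="LOG_STATUS" Value="On" />
  </ValNameList>
  <ValNameList xmlns="http://www.oblix.com" ListName="LogEcid2File">
    <NameValPair ParamName="LOG_LEVEL" Value="LOGLEVEL_ECID" />
    <NameValPair ParamName="FILE_NAME" Value="webgate.ecid.log" />
    <NameValPair ParamName="BUFFER_SIZE" Value="512" />
    <NameValPair ParamName="LOG_STATUS" Value="Off" />
  </ValNameList>
  <ValNameList xmlns="http://www.oblix.com" ListName="LogDebug2File">
    <NameValPair ParamName="LOG_LEVEL" Value="LOGLEVEL_DEBUG3" />
    <NameValPair ParamName="LOG_STATUS" Value="Off" />
  </ValNameList>
</CompoundList>
EOF

# ecid_param <file> <ParamName>: prints the Value of that parameter inside the
# LogEcid2File list (empty if absent).
ecid_param() {
    awk -v p="$2" '
        /<ValNameList[^>]*ListName="LogEcid2File"/ { in_ecid = 1 }
        in_ecid && /<\/ValNameList>/               { in_ecid = 0 }
        in_ecid && index($0, "ParamName=\"" p "\"") {
            v = $0; sub(/.*Value="/, "", v); sub(/".*/, "", v); print v
        }' "$1"
}

# set_ecid_param <file> <ParamName> <Value>: rewrites that parameter inside
# the LogEcid2File list in place; every other line is copied through as is.
set_ecid_param() {
    tmp="$1.tmp.$$"
    awk -v p="$2" -v val="$3" '
        /<ValNameList[^>]*ListName="LogEcid2File"/ { in_ecid = 1 }
        in_ecid && /<\/ValNameList>/               { in_ecid = 0 }
        in_ecid && index($0, "ParamName=\"" p "\"") {
            sub(/Value="[^"]*"/, "Value=\"" val "\"")
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Step 5: enable ECID logging; step 6: flush every entry straight to the file.
set_ecid_param "$CFG" LOG_STATUS On
set_ecid_param "$CFG" BUFFER_SIZE 1
echo "LogEcid2File LOG_STATUS=$(ecid_param "$CFG" LOG_STATUS) BUFFER_SIZE=$(ecid_param "$CFG" BUFFER_SIZE)"
```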


Enjoy :-)

Wednesday 8 October 2014

[Webgate]: Configure ProxyPassMatch Directive -> Required for Apache/OHS Internal Redirect Calls

Potential Problem :

When the WebGate identifies an error/exception (possibly reported by OAM), it fires an internal redirect request for "/oberr.cgi", which invokes an error handler.
This error handler is defined in the webgate.conf file:
<Location "/oberr.cgi">
SetHandler obwebgateerr
</Location>

But when the resource protected by the WebGate is proxied (the web server acts as a reverse proxy for it) and the WebGate
identifies an error/exception, it fires the internal redirect request but the
error handler "obwebgateerr" is not invoked.


Potential Reason:

When Apache sends the internal redirect request, it sets the "proxy-server" handler by itself.
Because a handler is already set, the handler defined for "/oberr.cgi" is not applied.
This causes the request to be proxied to the backend server and
causes the problem.


Solution:

It is required to set a "ProxyPassMatch" directive before the "ProxyPass"
directive in the conf file.
With this directive, the "/oberr.cgi" request is not proxied to
the backend server; it is served by the WebGate itself.


Configuration to do:

1) Add the following directive in the conf file. Restart the Web Server:

ProxyPassMatch ^/oberr.cgi !

Syntax:
ProxyPassMatch [regex] !

The ! flag is useful in situations where you don't want to reverse-proxy a matching path.

Eg:

ProxyPassMatch ^/oberr.cgi !
ProxyPass / http://something.com/AuthenticationService/
ProxyPassReverse / http://something.com/AuthenticationService/


Enjoy :-)

Monday 22 September 2014

Installing and Configuring Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)

Installing and configuring the latest version of Oracle Identity and Access Management 11g components involves the following steps:


Note: If you are installing Oracle Identity Manager, you must install Oracle SOA Suite 11g Release 1 (11.1.1.7.0). Note that only Oracle Identity Manager requires Oracle SOA Suite. This step is required because Oracle Identity Manager uses process workflows in Oracle SOA Suite to manage request approvals.


Enjoy :-)

Monday 7 July 2014

Stop OPMN to ping OHS Worker Threads.......


Making Debugging Possible with OHS Server:

When we hook our component into an OHS (Oracle HTTP Server) web server, which is an Apache-based web server, we might get into a situation where we want to debug our hooked code.

In such scenarios we will notice that OPMN automatically restarts the OHS web server.

It brings the httpd.worker processes out of debug mode after a while, and thus we won't be able to debug properly.

Basically this is due to the OPMN service running in the background. It is the one closely watching the httpd.worker process to see whether it is running properly or not, and if not, it restarts it. It keeps pinging the workers to learn their state.

How does OPMN come to know which managed process it needs to ping?
All this is defined in the opmn.xml file, which is located at
<MiddlewareHome>/Oracle_WT1/instances/<instance_name>/config/OPMN/opmn/opmn.xml
The opmn.xml file shows you which system components OPMN is managing on your system.

You will find a similar configuration in the opmn.xml file (excerpt):
<ias-instance id="instance1" name="instance1">
  <environment>
    <variable id="TEMP" value="/tmp"/>
    <variable id="TMP" value="/tmp"/>
  </environment>
  <ias-component id="ohs1">
    <process-type id="OHS" module-id="OHS2">
      <module-data>
        <category id="start-parameters">
          <data id="start-mode" value="ssl-enabled"/>
        </category>
      </module-data>
      <process-set id="OHS" numprocs="1"/>
    </process-type>

Comment out the <process-set> directive and add the following 2 lines in its place:

   <!-- <process-set id="OHS" numprocs="1"/> -->
   <ping interval="0" />
   <process-set id="OHS" numprocs="1" restart-on-death="false" />

Note:
  • restart-on-death="false": to disable automatic restarting of terminated managed processes, set this attribute to false.
  • process-set numprocs="1": specifies the number of processes for OPMN to start for the process-set.


With this configuration we ensure that the OHS won't get restarted while in debug mode anymore.


Enjoy :-)

Saturday 5 July 2014

coreadm - core file administration

coreadm command for Solaris:

You must be wondering what this coreadm command does. It is a really powerful tool that helps the administrator control the way cores are generated.

There are times when we find that our core files are generated with the name "core" in the process's working directory. And if the process is generating cores in quick succession, the same file is overwritten every time.

Thus it becomes tough for us to debug the core.

So in such cases we can have the core file generated with a name pattern, and this is possible with the coreadm command on Solaris (x86 or SPARC).

Executing the command without any option displays the current settings for core file generation.

bash-3.2$ coreadm
     global core file pattern:
     global core file content: default
     init core file pattern: core
     init core file content: default
     global core dumps: disabled
     per-process core dumps: enabled
     global setid core dumps: disabled
     per-process setid core dumps: disabled
     global core dump logging: disabled


When I executed the command on my Solaris SPARC box, the above output was shown. It shows that per-process core file generation is enabled but the core file name pattern (the init core file pattern) is just "core". Thus with this setting the same file will be overwritten all the time.

To set the name pattern for per-process cores, the following is the command:

  • bash-3.2$ coreadm -i core.%f.%p.%t
Here %f - file/process name
         %p - process pid
         %t - timestamp (seconds since the epoch)

To confirm the settings made above, execute the command below:
  • bash-3.2$ coreadm $$
          27756:  core.%f.%p.%t   default
It shows the core file name pattern that was set.

From now on you will notice that core files are generated with a name pattern,
like "core.httpd.worker.4298.1404300544".

So coreadm makes our life easy.

Enjoy :-)






Lock Files in OAM 11g R2PS2

Don't play with Lock Files in OAM 11g:


You must have noticed that there are some files present in the diagnostics folder or in the WebGate profile folder with the extension .lck.

Eg:
polltracking.lck
oblog.log.lck
ObAccessClient.xml.lck

Basically these lock files are required by the server process to perform its read/write lock operations.

If it is unable to do so, it may cause an issue.

So what could be the reason that the process is not able to acquire a lock on a file, and what can happen in that case?

Scenario:

1) In the Oracle WebTier instance directory we have a diagnostics folder where the logging info is captured.
Path: <MiddlewareHome>/<Oracle_WebTier>/instances/<instance_name>/diagnostics/logs/OHS/ohs1

In the above directory we have another directory with a numeric name like 2517662326/

So what does this contain, and where does the name come from?

  • Basically this folder contains lock files, which are as follows:
    • polltracking.lck
    • oblog.log.lck
    • ObAccessClient.xml.lck

  • The name of this folder is the result of a hash of the absolute path of the instance directory, i.e. /scratch/ckukreja/OracleNew/Middleware/Oracle_WT1/instances/instance1/diagnostics/logs/OHS/ohs1
  • So the hash of the above path is 2517662326.

Now, when the server process is coming up, it checks for the directory path where the .lck files can be created or locks acquired.
As we know, the WebGate is integrated with a web server like OHS, OTD, Domino, IIS, Apache, etc. In the case of the OHS server, the httpd.worker process looks for the directory path in the following sequence:

1) Webgate Lock Directive mentioned in webgate.conf
2) Lock Directive mentioned in httpd.conf
3) Default Lock Directive

This sequence info can be found in webgate.conf file present in <MiddlewareHome>/<Oracle_WebTier>/instances/<instance_name>/config/OHS/ohs1/webgate.conf

Abstract from webgate.conf:

# WebGateLockFileDir: Optional directive specifying the location to create
# webgate lock files.
#
# If configured, then all webgate lock files will be created under
# <WebGateLockFileDir>/<Hash of WebGateInstancedir>. The hash subdir is to
# ensure uniqueness for each webserver instance and avoid locking conflicts
# if two different instances have configured the directive with same value.
#
# If the dir does not exist before, will try to create it first. If dir
# creation failed or the directive not configured, for Apache based web
# servers, will check web server's LockFile directive (also optional), extract
# its dir and use <LockFile's dir>/<Hash of WebGateInstancedir> if exists or
# created successfully.
#
# If none of above is defined or exists, then webgate falls back to old model,
# i.e. use same location as original file that lock is based upon.
#
# This directive is useful when webgate instance is located on NFS mounted
# disks and performance greatly impacted. Configure it to local dir will solve
# the issue.
#
# WebGateLockFileDir "<some_local_dir>"

So let's say we have specified the entry in the httpd.conf file:
  • Under the mpm worker module
  • LockFile "${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/http_lock"
Thus the location is identified from here, and the WebGate will initialize and use read-write locks under this directory for its tasks.

Problem:

So what if, while the server is up and running, someone plays with these locks, intentionally or unintentionally? In that case it's a problem!

Usually what we do is specify the lock file location as /tmp or some other directory that is listed in a cron job, and when the cron job executes it deletes the directory.

Thus, when such tampering is done while the process is running, user requests landing on the web server will fail.

WebGate will again create this directory and subsequent calls will succeed.

Precaution:

Always specify a lock file directory in a place where it is certain that the directory won't get deleted while the server is running and catering to user requests.


Enjoy :-)