Monday, 19 October 2015

Configuring Self-Signed SSL Certificates for OHS 11.1.1.7 or 11.1.1.9

Recently I came across a very good article by the Oracle A-Team about configuring SSL certificates signed by a certificate authority (CA) for OHS.


Currently, if we access a secured SSL port of OHS, the browser shows a warning and asks whether to trust the certificate or not. This is because the certificate served is the default one that ships with OHS.
In a real deployment we need to configure our organization's SSL certificate, which will be signed by a CA such as VeriSign.

It is also possible to generate the SSL certificate ourselves and sign it with our own root CA, since for testing purposes we are not going to have it signed by an external CA. The browser will keep warning until that test root CA is added to its trust store, so this route is only suitable for test environments.

The A-Team article describes the steps to follow to achieve this:

http://www.ateam-oracle.com/setting-up-https-on-ohs-for-fusion-apps/
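Since the post leaves the actual certificate generation to the linked article, here is a worked version of the test-only route it mentions: a throwaway root CA of your own, a server certificate signed by it, and a check that the resulting chain validates. This is an added example, not code from the post or from the A-Team article; it assumes openssl is on the PATH, and the output directory and hostname are placeholders you pass in. OHS 11g keeps its certificates in an Oracle wallet, so the PEM files produced here would still need to be imported into the wallet for the OHS-side steps the article covers.

```shell
#!/bin/sh
# Added example (not from the post or the A-Team article): build a throwaway
# private CA and a server certificate signed by it, for testing an HTTPS
# listener such as the OHS SSL port. Assumes openssl is on PATH.
set -eu

make_test_pki() {
    outdir="$1"   # placeholder: directory that receives the CA and server files
    host="$2"     # placeholder: hostname the browser will use; goes into the SAN
    mkdir -p "$outdir"

    # 1. Private test CA: key plus self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Root CA" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null

    # 2. Server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null

    # 3. Sign the CSR with the test CA. Browsers match the hostname against the
    #    subjectAltName, not just the CN, so it must be present in the leaf cert.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$outdir/server.ext"
    openssl x509 -req -sha256 -days 365 \
        -in "$outdir/server.csr" -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" \
        -CAcreateserial -extfile "$outdir/server.ext" \
        -out "$outdir/server.crt" 2>/dev/null

    # Private keys stay readable by the owner only.
    chmod 600 "$outdir/ca.key" "$outdir/server.key"
}

# Validate the chain the way a browser that trusts ca.crt would, and confirm
# the SAN carries the expected hostname. Returns 0 on success.
verify_test_pki() {
    outdir="$1"
    host="$2"
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$outdir/server.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# Usage: sh make_test_pki.sh <outdir> <hostname>
if [ $# -eq 2 ]; then
    make_test_pki "$1" "$2" && verify_test_pki "$1" "$2" && echo "test PKI created in $1"
fi
```

The server certificate (server.crt plus server.key) is what the HTTPS listener presents; ca.crt is what you import into the test browsers' trust store so the warning goes away. Because the CA key never leaves the test box and the validity is short, nothing here should be reused for a production listener.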



Enjoy :-)

Sunday, 18 October 2015

OAM 11g - Start & Stop Servers using Node Manager and Weblogic Console

Let's start the process; follow the steps below.


First we need to enroll the machine on which the domain is running, via WLST. To do this:


1) Go to <MiddlewareHome>/<wls server>/common/bin
2) Execute wlst.sh:
    bash$> ./wlst.sh

3) Now connect to the domain using the connect() command:
wls:/offline> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.


4) After this we need to enroll the machine, using the nmEnroll() command.
    This command does the following:
  • Enrolls the machine on which WLST is currently running with Node
    Manager. WLST must be connected to an Administration Server to
    run this command; WLST does not need to be connected to Node Manager.
  • Downloads the following file from the Administration Server:
    o Node Manager secret file (nm_password.properties), which
      contains the encrypted username and password that is used for
      server authentication.
  • Updates the nodemanager.domains file under the
    WL_HOME/common/nodemanager directory with this new domain, where
    WL_HOME refers to the top-level installation directory for
    WebLogic Server.
  • If the machine is already enrolled when you run this command, the Node
    Manager secret file (nm_password.properties) is refreshed with the
    latest information from the Administration Server.
Note: You must run this command once per domain per machine, unless the domain shares the root directory of the Administration Server.
wls:/base_domain/serverConfig> nmEnroll('/scratch/ckukreja/Oracle/Middleware/user_projects/domains/base_domain')
Enrolling this machine with the domain directory at /scratch/ckukreja/Oracle/Middleware/user_projects/domains/base_domain ...
Successfully enrolled this machine with the domain directory at /scratch/ckukreja/Oracle/Middleware/user_projects/domains/base_domain.


5) Go to the WebLogic console, under Machines, and check whether a machine is already added there; if not, create one.



Note: if you create a new machine, provide the Node Manager host and port details. Don't use localhost as the host name.

Once you update/create the machine, the console contacts Node Manager, which creates some files in its directory (wlserver/common/nodemanager), like:
bash-3.2$ ls -ltr
total 16
-rw-r----- 1 ckukreja dba 114 Oct 18 13:15 nodemanager.domains
-rw-r----- 1 ckukreja dba   0 Oct 18 13:34 nodemanager.log.lck
-rw-r----- 1 ckukreja dba 130 Oct 18 13:34 nm_data.properties
-rw-r----- 1 ckukreja dba 900 Oct 18 13:34 nodemanager.properties
-rw-r----- 1 ckukreja dba 793 Oct 18 13:34 nodemanager.log


Initially only the nodemanager.domains file is present under this directory path. Note that the files are created readable by the owner only (-rw-r-----); keep them that way, since Node Manager's credential material (the domain's nm_password.properties) is what this machinery depends on.


Do a bit of configuration:

6) Configuring the nodemanager.domains file

This file maps each domain name to its directory path (domain name = directory path, as key/value pairs).
It is present under the following directory path:
<wlserver>/common/nodemanager/

7) Configure the nodemanager.properties file:
Set the following two parameters to true; by default they are set to false:
  • StopScriptEnabled=true
  • StartScriptEnabled=true

 

Let's start the node manager

8) Start Node Manager:


  • Go to the wlserver/server/bin directory
  • Execute startNodeManager.sh:
 bash-3.2$ ./startNodeManager.sh
.
.
.
.
<Oct 18, 2015 1:34:11 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Oct 18, 2015 1:34:11 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Oct 18, 2015 1:34:11 PM PDT> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.>
<Oct 18, 2015 1:34:11 PM> <INFO> <Secure socket listener started on port 5556>
Oct 18, 2015 1:34:11 PM weblogic.nodemanager.server.SSLListener run
INFO: Secure socket listener started on port 5556


When we execute this command, Node Manager starts with the configuration it reads from nodemanager.properties, present at
<wlserver path>/common/nodemanager.


  Assigning Servers to the Machines


9) Now we need to add the Admin/Managed Servers to the 'Machines' in the WebLogic console, so that Node Manager can start and stop them.

Note: This cannot be done while a server is running, so first stop the Managed Server.


 




Now we need to add the AdminServer as well; but as we know, this cannot be done while the server is running, so it requires a manual edit. Let's do that:
  • Stop the AdminServer.
  • Go to the domain config file, present at <domain>/config/config.xml.
  • Find the element used to assign the machine for oam_server1:
  • <machine>Machine-0</machine>
  • Copy that element and paste it right after the AdminServer <name/> element.
  • Also specify the AdminServer listen address as the hostname to bind to; by default it is blank, which means bind to all network interfaces.

  • Start WebLogic again.
  • Now you will see Machine-0 registered with the server.

  • Configure the start-up details for the Managed Servers, which the console needs in order to start and stop them.
  • Configure the Node Manager username and password in the console.
Note: Keep this username/password the same as the default one, otherwise you will be prompted for credentials a second time at nmConnect() time (you will see this command in the next step).


Connecting to the Servers


10) Now we need to connect to the Admin and Managed Servers via Node Manager and the console.
  • Source the domain environment, then execute wlst.sh:
bash$>cd <domain path>/bin
bash-3.2$ ./setDomainEnv.sh
*****************************************************
** Setting up OAM specific environment...
.
USER_MEM_ARGS=-Xms1024m -Xmx2048m -XX:PermSize=256m -XX:MaxPermSize=512m
.
*****************************************************
** End OAM specific environment setup
*****************************************************


bash$> cd <wlserver>/common/bin
bash$>./wlst.sh
wls:/offline> help('nmConnect')

Description:
Connects WLST to Node Manager to establish a session. After connecting
to Node Manager, you can invoke any Node Manager commands via WLST.
Node Manager must be running before you can execute this command. 


wls:/offline> nmConnect(domainName='base_domain',username='weblogic',password='Welcome1')
Connecting to Node Manager ...
Successfully Connected to Node Manager.


wls:/nm/base_domain> nmStart('AdminServer')
Starting server AdminServer ...
Successfully started server AdminServer ...



Note: Once you are connected to Node Manager, you can view the server log at
/<domain_directory>/servers/AdminServer/logs/AdminServer.out
Here I have started the AdminServer; for a managed server, the log is under that server's own directory.

Now we can open the Admin Server console.




  • Let's start the Managed Server from the console itself:
    • Go to Servers -> Control; under this you will see the list of servers.
    • Now select the one you want to start; in our case we will start oam_server1.

Note:
Admin/Managed Server logs can be viewed at <domain_dir>/servers/<server_name>/logs/


Test a bit

11) Now it's testing time: manually kill the managed server's process and verify whether it gets restarted.
Node Manager should restart it, and you can check the server logs to confirm.
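Most of the trouble in steps 6 to 9 comes from a few settings that are easy to overlook: the two script flags left at false, a server that still has no <machine> assignment, a blank AdminServer listen address, and a machine whose Node Manager host is localhost. The checker below looks for exactly those before you start anything. It is an added example, not part of this post and not WebLogic's own tooling; the nodemanager.properties and config.xml text embedded in it are constructed samples (the XML namespace is the one WebLogic's config.xml uses, the hostnames and paths are placeholders), and on a real system you would pass the paths of <wlserver>/common/nodemanager/nodemanager.properties and <domain>/config/config.xml instead.

```python
"""Pre-flight checks for the Node Manager setup described above.
Added example, not WebLogic's own tooling.
  python nm_preflight.py                                   # check the constructed samples
  python nm_preflight.py nodemanager.properties config.xml # check real files
"""
import re
import sys
import xml.etree.ElementTree as ET

REQUIRED_TRUE = ("StartScriptEnabled", "StopScriptEnabled")

# Constructed sample: StopScriptEnabled was never changed from its default.
SAMPLE_NM_PROPERTIES = """\
#Node Manager Properties (constructed sample)
DomainsFile=/path/to/wlserver/common/nodemanager/nodemanager.domains
ListenPort=5556
SecureListener=true
StartScriptEnabled=true
StopScriptEnabled=false
"""

# Constructed sample of config.xml showing the three slips the post warns about:
# AdminServer has no <machine> and a blank listen-address; Machine-0 points at localhost.
SAMPLE_CONFIG_XML = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-address></listen-address>
  </server>
  <server>
    <name>oam_server1</name>
    <machine>Machine-0</machine>
    <listen-address>oamhost.example.com</listen-address>
  </server>
  <machine>
    <name>Machine-0</name>
    <node-manager>
      <listen-address>localhost</listen-address>
      <listen-port>5556</listen-port>
    </node-manager>
  </machine>
</domain>
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_nm_properties(text):
    """Step 7: both script flags must be true, or Node Manager will not run the scripts."""
    props = parse_properties(text)
    return [
        f"nodemanager.properties: {key} must be true (found {props.get(key, 'unset')})"
        for key in REQUIRED_TRUE
        if props.get(key, "false").lower() != "true"
    ]


def check_config_xml(text):
    """Steps 5 and 9: every server needs a <machine>, AdminServer needs a real
    listen address, and no machine may point Node Manager at localhost."""
    root = ET.fromstring(text)
    m = re.match(r"\{(.*)\}", root.tag)           # pick up the default namespace, if any
    ns = m.group(1) if m else ""

    def q(tag):
        return f"{{{ns}}}{tag}" if ns else tag

    findings = []
    for server in root.findall(q("server")):
        name = server.findtext(q("name"))
        if server.find(q("machine")) is None:
            findings.append(f"config.xml: server {name} has no <machine> element, Node Manager cannot control it")
        if not (server.findtext(q("listen-address")) or "").strip():
            findings.append(f"config.xml: server {name} has a blank listen address (binds to all interfaces)")
    for machine in root.findall(q("machine")):
        name = machine.findtext(q("name"))
        nm = machine.find(q("node-manager"))
        addr = (nm.findtext(q("listen-address")) if nm is not None else "") or ""
        if addr.strip().lower() in ("", "localhost", "127.0.0.1"):
            findings.append(f"config.xml: machine {name} Node Manager listen address is '{addr}', use the real hostname")
    return findings


def run(nm_props_text, config_xml_text):
    """All findings together; an empty list means the setup matches the post's steps."""
    return check_nm_properties(nm_props_text) + check_config_xml(config_xml_text)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            findings = run(f1.read(), f2.read())
    else:
        findings = run(SAMPLE_NM_PROPERTIES, SAMPLE_CONFIG_XML)
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Run it after editing config.xml in step 9 and before starting Node Manager in step 8's sense of "start"; a non-zero exit with the printed findings tells you which of the post's notes you skipped.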



More Info:
https://docs.oracle.com/cd/E23943_01/web.1111/e13740/nodemgr_config.htm#NODEM161
Great Help:
https://blogs.oracle.com/jamesbayer/entry/weblogic_nodemanager_quick_sta



Enjoy :-)

What is Oracle Coherence

If someone is new to the term Oracle Coherence, they might ask the following:
1) What is it?
2) Why use it?
3) Where does it come into the picture?

This is answered very well in the post below:
http://www.mythics.com/about/blog/the-features-and-benefits-of-oracle-coherence

That said, one will mostly see Oracle Coherence when installing WebLogic Server, say 10.3.6.
At that time you have the option to use either the typical installation mode or the custom mode.

If you select custom mode, you will see that Oracle WebLogic Server and Oracle Coherence are the two products that will be installed.
One can untick Oracle Coherence if it is not required; otherwise it is installed with WebLogic Server by default.


Enjoy :-)

Unable to login to oam console with new identity store

Unable to log in to OAM Console 11g:

Sometimes we get into a situation where we are unable to log in to oamconsole after changing the identity store in the OAM 11g oamconsole from the embedded LDAP store to some other LDAP store such as OID, OVD or ODSEE.

In this case we should take the precaution of backing up the oam-config.xml file. Now the question comes: why is it so important to back up this file?

This file contains all the configuration required by the OAM Server, and it is updated whenever the server configuration is changed.

For example, the default LDAP store configured in it looks like this:

<Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
    <Setting Name="Type" Type="xsd:string">LDAP</Setting>
    <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
    <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
    <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">false</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
    <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
</Setting>

Similarly, when you configure a new LDAP store, an entry of the same shape is created, and you will notice that the new identity store becomes the primary store: its IsPrimary flag is set to true while the embedded LDAP store's IsPrimary flag turns false.
<Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>

Possible ways out:
1) Check whether the user you are logging in with has admin rights, i.e. whether that user has been added to the administrators group of the LDAP store.
2) If step 1 is fine, then the configuration in the WebLogic console may not be complete:
  • Check the Users & Groups configuration, i.e. whether the added user is present under the Users tab.
  • Check Roles & Policies, i.e. under Global Roles -> Admin, whether your admin group is present.
  • Check whether the identity store is placed at the top in the Providers tab; if not, you need to reorder it.
3) If step 2 is OK, then check the oamconsole settings. Now you will ask: when I am not able to log in, how can I check those?
  • The answer lies in the explanation below.
If you are unable to log in to the oamconsole, just replace the oam-config.xml file with the old one. Remember that whenever you change the OAM server configuration, a backup file is generated automatically after the changes are applied.

So either replace the current oam-config.xml with the last auto-generated backup, or with the copy you saved yourself.

Then restart the Admin and Managed Servers; you should be able to log in with the default credentials of the embedded LDAP store.
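Before switching identity stores, it helps to record which store oam-config.xml currently treats as primary and to take the backup the post insists on, so that the rollback above is a one-line copy. The script below is an added example, not Oracle's tooling. Its embedded oam-config.xml fragment is constructed after the one shown above (two stores, the embedded one demoted and a new OID store primary, with placeholder {AES} values and placeholder hosts); it finds stores by looking for any Setting map that carries an IsPrimary child rather than assuming a particular nesting depth, and it never prints the SECURITY_CREDENTIAL value, only whether it is stored encrypted.

```python
"""Inspect the identity stores in an OAM 11g oam-config.xml and back the file up.
Added example, not Oracle's tooling.
  python oam_stores.py                      # report on the constructed sample
  python oam_stores.py /path/oam-config.xml # back up, then report on the real file
"""
import shutil
import sys
import time
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the one shown above: the embedded store has been
# demoted (IsPrimary=false) and a newly added OID store is now primary.
SAMPLE_OAM_CONFIG = """<Setting Name="Root" Type="htf:map">
  <Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}CONSTRUCTED0000</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
  </Setting>
  <Setting Name="OIDStore" Type="htf:map">
    <Setting Name="Name" Type="xsd:string">OIDStore</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">OID</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://oid-host.example.com:3060</Setting>
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=orcladmin</Setting>
    <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}CONSTRUCTED1111</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
  </Setting>
</Setting>
"""


def identity_stores(xml_text):
    """One dict per identity store. A store is any Setting map with an IsPrimary
    child, so the nesting depth in the real file does not matter."""
    root = ET.fromstring(xml_text)
    stores = []
    for node in root.iter("Setting"):
        fields = {c.get("Name"): (c.text or "").strip() for c in node.findall("Setting")}
        if "IsPrimary" not in fields:
            continue
        stores.append({
            "name": fields.get("Name", node.get("Name")),
            "provider": fields.get("LDAP_PROVIDER", "?"),
            "url": fields.get("LDAP_URL", "?"),
            "principal": fields.get("SECURITY_PRINCIPAL", "?"),
            # never surface the credential itself; only note whether it is stored encrypted
            "credential_encrypted": fields.get("SECURITY_CREDENTIAL", "").startswith("{AES}"),
            "primary": fields["IsPrimary"].lower() == "true",
        })
    return stores


def primary_store(stores):
    """Exactly one store must be primary; anything else is a misconfiguration
    worth fixing before you retry the console login."""
    primaries = [s for s in stores if s["primary"]]
    if len(primaries) != 1:
        raise ValueError(f"expected exactly one primary identity store, found {len(primaries)}")
    return primaries[0]


def backup_config(path):
    """Copy oam-config.xml to a timestamped .bak beside it and return the new path."""
    dest = f"{path}.{time.strftime('%Y%m%d%H%M%S')}.bak"
    shutil.copy2(path, dest)
    return dest


def report(stores):
    """Human-readable summary lines, one per store."""
    lines = []
    for s in stores:
        flag = "PRIMARY" if s["primary"] else "secondary"
        enc = "encrypted" if s["credential_encrypted"] else "NOT encrypted"
        lines.append(f"{s['name']:<20} {s['provider']:<14} {s['url']:<36} "
                     f"{s['principal']:<16} credential {enc}  [{flag}]")
    return lines


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("backup written to", backup_config(sys.argv[1]))
        with open(sys.argv[1]) as f:
            xml_text = f.read()
    else:
        xml_text = SAMPLE_OAM_CONFIG
    stores = identity_stores(xml_text)
    print("\n".join(report(stores)))
    print("console logins are authenticated against:", primary_store(stores)["name"])
```

Run it once before the store change and once after: the "before" backup is the file you copy back if the console locks you out, and the "after" report shows which store the console is now authenticating against, which is the first thing to check when the login fails.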



Enjoy :-)

Tuesday, 31 March 2015

Enabling Diagnostics Trace Level Log for OAM SERVER

OAM Server Diagnostics Logging - Never so easy................ That's a myth now... ;-)


To capture OAM Server logs for diagnosis, we now just need to add a few logger statements to logging.xml.

The important point to note here is that NO SERVER RESTART IS REQUIRED!

So the first question that strikes: where is this logging.xml placed?

Ans - It is present in the WebLogic Server domain directory, like:
/scratch/ckukreja/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig/servers/wls_oam1/logging.xml

Note: My domain name is "base_domain" and oam server name is "wls_oam1"

Next question: why do we need to see the OAM Server diagnostics?

Ans - It helps us analyze the flow. For example, when the webgate sends the IsRescProtected() NAP call, we can see in the server logs whether the server received it. Moreover we can follow that server thread and see what other operations it performs: whether it returns success or failure to the webgate, or raises an exception for the operation performed.
All of this can be very helpful while debugging an issue.

Now, which logger statements need to be added?

Ans - The following logger statements need to be added:
<logger name='oracle.oam' level='TRACE:32'/>
<logger name='oracle.security.am' level='TRACE:32'/>
<logger name='oracle.oam.engine.policy' level='TRACE:32'/>
<logger name='oracle.oam.engine.session' level='TRACE:32'/>
<logger name='oracle.oam.engine.sso' level='TRACE:32'/>
<logger name='oracle.oam.engine.authz' level='TRACE:32'/>



Where to place the above snippet in logging.xml?

Ans - You will find the statement logger name='' level='ERROR:1' in the file; place the snippet just after that block:



<logger name='' level='ERROR:1'>
    <handler name='odl-handler'/>
    <handler name='wls-domain'/>
    <handler name='console-handler'/>
</logger>

<logger name='oracle.oam' level='TRACE:32'/>
<logger name='oracle.security.am' level='TRACE:32'/>
<logger name='oracle.oam.engine.policy' level='TRACE:32'/>
<logger name='oracle.oam.engine.session' level='TRACE:32'/>
<logger name='oracle.oam.engine.sso' level='TRACE:32'/>
<logger name='oracle.oam.engine.authz' level='TRACE:32'/>


Note: I have enabled the logs at TRACE level 32.
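Because logging.xml is picked up live, it is worth making the edit scriptable and idempotent: re-running it must not duplicate a logger that already exists (the stock file may already carry an oracle.oam entry at a lower level), new entries should land right after the root logger as described above, and the same script should be able to turn the level back down once the diagnosis is done, since TRACE:32 is very verbose. The script below is an added example, not Oracle's tooling; the logging.xml skeleton embedded in it is constructed (root logger plus one pre-existing oracle.oam logger), and the six logger names and the TRACE:32 level are the ones from this post.

```python
"""Add (or re-level) the OAM trace loggers in an ODL logging.xml.
Added example, not Oracle's own tooling.
  python oam_trace.py                          # demo on the constructed sample
  python oam_trace.py <logging.xml> [LEVEL]    # rewrite the file in place
"""
import sys
import xml.etree.ElementTree as ET

# The loggers from the post, in the same order
TRACE_LOGGERS = [
    "oracle.oam",
    "oracle.security.am",
    "oracle.oam.engine.policy",
    "oracle.oam.engine.session",
    "oracle.oam.engine.sso",
    "oracle.oam.engine.authz",
]

# Constructed logging.xml skeleton: the root logger plus one OAM logger that already
# exists at a lower level (the case where you must update rather than duplicate).
SAMPLE_LOGGING_XML = """<logging_configuration>
  <log_handlers>
    <log_handler name='odl-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'/>
  </log_handlers>
  <loggers>
    <logger name='' level='ERROR:1'>
      <handler name='odl-handler'/>
    </logger>
    <logger name='oracle.oam' level='NOTIFICATION:1'/>
  </loggers>
</logging_configuration>
"""


def set_logger_levels(xml_text, names=TRACE_LOGGERS, level="TRACE:32"):
    """Return new XML in which every logger in `names` exists exactly once at `level`.
    Missing entries are inserted directly after the root logger (name='')."""
    root = ET.fromstring(xml_text)
    loggers = root.find("loggers")
    if loggers is None:
        raise ValueError("no <loggers> element in logging.xml")
    existing = {lg.get("name"): lg for lg in loggers.findall("logger")}
    children = list(loggers)
    insert_at = children.index(existing[""]) + 1 if "" in existing else len(children)
    for name in names:
        if name in existing:
            existing[name].set("level", level)      # re-level in place, no duplicate
        else:
            loggers.insert(insert_at, ET.Element("logger", {"name": name, "level": level}))
            insert_at += 1
    # ElementTree does not pretty-print the inserted elements; the output is still valid XML.
    return ET.tostring(root, encoding="unicode")


def logger_levels(xml_text):
    """Map logger name -> level, handy for checking what is currently switched on."""
    root = ET.fromstring(xml_text)
    return {lg.get("name"): lg.get("level") for lg in root.find("loggers").findall("logger")}


if __name__ == "__main__":
    level = sys.argv[2] if len(sys.argv) > 2 else "TRACE:32"
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            updated = set_logger_levels(f.read(), level=level)
        with open(sys.argv[1], "w") as f:
            f.write(updated)
    else:
        updated = set_logger_levels(SAMPLE_LOGGING_XML, level=level)
    for name, lvl in logger_levels(updated).items():
        print(f"{name or '<root>':<28} {lvl}")
```

To turn tracing off again, run the same script with a lower level as the second argument (for example NOTIFICATION:1); the root logger is left untouched either way, and trace logs can contain request details you do not want lingering on disk longer than the investigation needs.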


Once again, the important point to note here is that NO SERVER RESTART IS REQUIRED!

For more information on logging, see the link below:
http://www.ateam-oracle.com/logging-made-easy-in-oam-11g-with-this-simple-trick/


Enjoy :-)

Monday, 16 March 2015

Understanding the reason why to use OAAM

Understanding OAAM:


1) Risk Analysis: to find/detect suspicious attacks in real time or offline.

  • This involves keeping records of the logged-in user's activity, so as to understand the pattern of behaviour. Whenever a variance from that pattern is detected, OAAM alerts the user.

2) Fraud Analysis: with this we can detect whether a human is interacting with the system or some malware/bot has been planted. To check for such suspicious activity, whether by a human or a bot, OAAM offers:

  • OTP
  • KBA
  • Fingerprint Detection
  • Challenge Schemes, etc.
 

Reference:
http://docs.oracle.com/cd/E23943_01/admin.1111/e14568/intro.htm#AAMAD636


Enjoy :-)

OAAM Basic vs Advanced vs Advanced using TAP Integration with OAM

What will we be covering?

  1. Understanding Basic OAAM Integration
  2. Understanding Advanced OAAM Integration
  3. Understanding Advanced TAP OAAM Integration

In this post we will cover Basic OAAM Integration.

OAAM Basic Integration with OAM:

The basic integration of OAAM offers a limited set of functionality when integrated with OAM. Extension libraries bundled with the OAM server itself are what provide this basic integration.

Knowledge-Based Authentication (KBA) is the only challenge mechanism offered in this basic integration.

What is needed for this integration?

1) OAAM Admin Server
2) OAAM Database
3) OAM Admin + Managed Server

Note: WebGate 10g and 11g agents are supported with this integration.

References:
http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/aam.htm#AIING268


Enjoy :-)