Saturday, 19 January 2019

Details about Canary Deployment

About Canary Deployment:

  • Definition: Canary deployments are a pattern for rolling out releases to a subset of users or servers. The idea is to first deploy the change to a small subset of servers, test it, and then roll the change out to the rest of the servers.
  • This means that when I have to deploy an update in production, I can do it the canary way: the change is deployed in production, but only to a subset of servers. This way a subset of users can test the new update and report any issue that occurs. If all goes well, the update can then be rolled out completely.




How to switch the traffic from the old version to the new version?

This can be made possible with blue-green deployment. More info: Understanding blue-green deployment.

Enjoy :-)

Friday, 18 January 2019

Error: The authentication scheme protecting the resource sets 'Secure' OAMAuthnCookie/ObSSOCookie, but the resource is not being accessed via secure http

Error Statement:

If the authentication scheme is configured to set a "Secure" OAMAuthnCookie/ObSSOCookie and the user is accessing an insecure resource, the browser may enter an authentication loop and show an error such as:

"The authentication scheme protecting the resource sets 'Secure' OAMAuthnCookie/ObSSOCookie, but the resource is not being accessed via secure http."


Workaround:

In the authentication scheme, remove the following parameter and save the changes:

  • Syntax for 11g Webgate and OAMAuthnCookie: ssoCookie=Secure
  • Syntax for 10g Webgate and ObSSOCookie: ssoCookie:Secure

Make sure the changes are applied properly, i.e. that the policy sync-up at the OAM server happens successfully.
You may restart the server instance (OHS/Apache/IIS etc.) or wait for the Webgate cache to be cleaned. Try accessing the protected resource once again; you should be prompted for login.

Resolution:

Recheck your SSL settings at the web server end, so that the protected resource is accessed over secure HTTP.

Enjoy :-)



Wednesday, 5 July 2017

Increase docker pool size by changing storage driver

Configure Docker with the devicemapper storage driver

NOTE: This is for Docker CE & Docker EE

Issue:

By default you will notice that the Docker storage driver is "btrfs", i.e. the default storage, which is limited to 20GB of data storage.


Usually you will find this storage too limited to use, as most of the time we have to install multiple images, some of them large (4/8/10GB). With this default storage you will end up getting frustrated.

Solution:

Configure Docker with "devicemapper" storage driver.

How to do this:

1) Stop Docker
$ sudo systemctl stop docker 

2) Edit /etc/docker/daemon.json. If it does not yet exist, create it. Assuming that the file was empty, add the following contents.
{
  "storage-driver": "devicemapper"
}
Note: Docker will not start if the daemon.json file contains badly-formed JSON

3) Start Docker
$ sudo systemctl start docker

4) Verify that the daemon is using the devicemapper storage driver. Use the docker info command and look for Storage Driver

Note: This host is running in loop-lvm mode, which is not supported on production systems. This is indicated by the fact that the Data loop file and a Metadata loop file are on files under /var/lib/docker/devicemapper/devicemapper.


Hope this helps :-)
Enjoy :-)

Monday, 3 July 2017

Enable SSL in between OHS & Outbound Applications

Enabling SSL in between OHS & OutBound Applications

Prerequisites:
  1. OHS SSL is enabled.
  2. Outbound App SSL is enabled like OAM, Weblogic, OIM etc.
What we are aiming for is to set up SSL between OHS and the outbound apps.

E.g.: Consider that you want to proxy your OAM server via OHS, acting as a load balancer/proxy. This is a very normal use case where your OAM servers sit in your data center and you don't want their hostname/IP to be exposed. So what you usually do is proxy OAM via OHS.
  • Consider that your OHS server name is https://abc.com. If an admin needs to access the oamconsole, the admin will use the URL https://abc.com/oamconsole
  • To enable this use case, /oamconsole has to be added in the ssl.conf/mod_wl_ohs.conf file (the usual way).
  • But the catch is that our OHS and OAM are both in SSL mode.
  • This means that they will do a handshake before starting to talk to each other.
  • As we all know, during the handshake the server sends its user certificate, and this cert is verified by the client, i.e. here mod_wl_proxy of OHS. So the wallet used by it has to have the trusted certificate entry in it.

The steps you need to follow for this are:

  • Import the certificate used by Outbound app such as Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate.
    • To add trusted certificate you can use orapki utility or any of your choice.
    • <MW_HOME>/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert cacert.pem -auto_login_only 
    • Note: './' is used as we consider that you are running this command from the directory where your cwallet.sso is present. You can substitute it with directory path of cwallet.sso as well.
  • Now you need to add 2 directives in ssl.conf or mod_wl_proxy.conf:
    • SecureProxy On
      WlSSLWallet "<wallet location>" 

Complete Eg:

<Location /console>
SetHandler weblogic-handler
WebLogicHost xyz.us.domain.com
WebLogicPort 7001
SecureProxy ON
WlSSLWallet "/MW_HOME/keystores/newwallet"
</Location>


Now start your OHS server and try to access the proxied URL; you should be able to make a successful connection. You can also confirm this by capturing Wireshark traces.

Hope this helps... :-)

Enjoy :-)

Wednesday, 14 December 2016

Enabling OCSP Validation using X.509 Authentication Scheme

Assumptions:

  • You have already configured and tested the X.509 authentication use case, and we are now enabling certificate validation using an OCSP server.
  • To set up OCSP we will be using 'openssl'. So before proceeding, check whether openssl is installed. If not, go get it first.
  • You have imported the user certificate in your browser as part of X.509 authentication.

Brief about OCSP Server:

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

Steps to perform:


1) To setup OCSP Server: Steps to setup OCSP
2) Once you have setup OCSP, you will be having the following items with you;
  • CA Authority certificate (self signed) - ca.pem
  • CA private key - ca-key.pem
  • OCSP Server URL -> i.e. host and port details http://abc.us.oracle.com:6060
  • index.txt -> basically this is the file holding the user certificate details, which the OCSP server checks for each certificate request it receives. Based on this, OCSP will respond 'good', 'revoked' or 'unknown'. It returns 'unknown' in case the cert entry is missing from the file.
    • This file name could be any name of your choice.

a) OCSP server files;

b) Starting OCSP server


2) Go to Access Manager Configuration Settings: Select Certificate Validation



3) Select OCSP/CDP Settings:


  • Enter the OCSP URL
  • Provide the OCSP CA Authority Certificate Subject
  • Apply the changes
4) Now go to Authentication Scheme

5) Select X509Scheme

6) Provide the details as required for enabling OCSP Validation

7) Now go to Authn Module

8) Select X509 Module

9) Remember to enable Cert Validation & OCSP. Provide the required details.


10) Now we need to attach the X509Scheme in our webgate profile Protected Resource Policy.





11) Now when you fire a request from your browser, you will be asked for the user cert to be used for authentication. If this user is not present in the OCSP database, i.e. the index.txt file, or has been revoked, then you should get an 'Authentication Failed' message.

12) To implement a use case to check certificate revocation:
Execute this command:
./openssl ca -revoke <user certificate name>
Eg: 
bash-3.2$ ./openssl ca -revoke user1\@oracle.com.crt
Using configuration from /scratch/ckukreja/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate BE.
Data Base Updated

  • Here I have copied cakey.pem, ca.pem and index.txt to the 'demoCA' folder. openssl refers to this folder because it is configured in my openssl.cnf file.
  • After this your index.txt gets updated and you can actually see the difference as well. Now when you try to access the protected resource with the user cert that has been revoked in the OCSP database, OCSP will say 'revoked' to the OAM server, and hence you will get an authentication failed message.
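
The index.txt lookup described above, as an added example (not code from the original post or from OpenSSL): a small Python reader for the OpenSSL CA database format that maps a serial number to 'good', 'revoked' or 'unknown'. The sample entries are constructed; only the serial BE echoes the revoke output above.

```python
from datetime import datetime, timezone

# Constructed sample of an OpenSSL CA database (index.txt). Fields are
# tab-separated: status flag, expiry, revocation time[,reason], serial (hex),
# file name, subject DN. 'V' = valid, 'R' = revoked.
SAMPLE_INDEX = (
    "V\t171214101500Z\t\tBD\tunknown\t/C=US/O=Example/CN=user2@example.com\n"
    "R\t171214101500Z\t161214120000Z\tBE\tunknown\t/C=US/O=Example/CN=user1@example.com\n"
)


def parse_index(text):
    """Return {serial_as_int: entry} for every line of an index.txt file."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields")
        flag, _expires, revoked, serial, _file, subject = fields
        revoked_at = None
        if revoked:
            # The revocation field may carry a ",reason" suffix; keep the time.
            stamp = revoked.split(",")[0]
            revoked_at = datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(
                tzinfo=timezone.utc)
        entries[int(serial, 16)] = {
            "flag": flag, "revoked_at": revoked_at, "subject": subject}
    return entries


def cert_status(entries, serial_hex):
    """Map a certificate serial to the status the post describes."""
    entry = entries.get(int(serial_hex, 16))
    if entry is None:
        return "unknown"      # no entry in index.txt for this serial
    if entry["flag"] == "R":
        return "revoked"
    if entry["flag"] == "V":
        return "good"
    return "unknown"          # simplification here: other flags are not mapped


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for serial in ("BD", "BE", "C0"):
        print(serial, cert_status(db, serial))
```

Running it against a copy of your own index.txt before and after `openssl ca -revoke` shows the flag of the revoked serial change from V to R.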

Note: Important points to help you debug:

a) Always check whether the log.txt file provided at OCSP server startup is getting populated with requests.
b) If the request is landing on OCSP and it is a good cert request but authentication still fails, then check the OAM server diagnostic logs. You should find an exception there.


Important Informative Links:

Managing Common Services and Certificate Validation
X.509 Certificate Revocation Checking Using OCSP protocol with Oracle WebLogic Server 12c
How to set up OCSP using OpenSSL - I-Space Research Labs



That's All Guys......
Enjoy :-)

Monday, 15 February 2016

Enabling IP Validation in Load Balancer Environment using ProxyTrustedList & ProxyRemoteIPHeaderVar in OAM 11g

Why we are discussing this topic?

  • It is important to understand the configuration required to be done in OAM for validating the IP addresses when the application server is behind the proxies.

What difference will it make if app server is behind the proxy?

  • The client ip calculation will be different if proxy is present.

How is the client IP fetched in OAM/Webgate?

  • remote_addr contains the client IP; in case of a proxy, this remote_addr will have the last proxy's IP address.

How can I then validate the IP in this scenario where proxies are used?

  • For such a scenario we have to configure 2 user-defined parameters in the Webgate profile:
    • ProxyRemoteIPHeaderVar = <by default it is set to HTTP_X_FORWARDED_FOR>
    • ProxyTrustedIPList = <list of comma separated IP Addresses>
  • Along with these parameters we need to set the IP Validation flag in the Webgate profile.

How are remote_addr & the x_forwarded_for header related?

  • Remote_addr: In general it contains the IP address of the client. But in scenarios where proxies are involved, this remote_addr contains the last proxy's IP address.
  • HTTP_X_FORWARDED_FOR: this header is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Considering the scenario such as:

Client -> Proxy1 -> Proxy2 -> OHS Server(having Webgate)
 
Thus in this scenario, the headers contain the following values:
  • REMOTE_ADDR = Proxy2 IP
  • HTTP_X_FORWARDED_FOR = Client IP, Proxy1 IP

So how is the ProxyTrustedIPList to be configured?

  • This parameter should have the IP addresses of all the proxies that are present in the deployment or production environment.

How do HTTP_X_FORWARDED_FOR & ProxyTrustedIPList correlate?

The IP addresses present in the x_forwarded_for header are backtracked against the trusted IP list, and when an IP is not found in the trusted list, that IP is considered to be the client IP.

Consider the scenario:
Client -> Proxy1 -> Proxy2 -> OHS Server(having Webgate)

Headers:
  • HTTP_X_FORWARDED_FOR = ClientIp, Proxy1
  • REMOTE_ADDR = Proxy2
Configuration:
  • ProxyTrustedIPList = Proxy1, Proxy2
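
The backtracking described above, as an added Python sketch (not Webgate's own code): it resolves the client IP for this scenario and shows what happens when a proxy is left out of ProxyTrustedIPList. The addresses are constructed, and honouring the header only when REMOTE_ADDR is itself a trusted proxy is an assumption of this sketch.

```python
import ipaddress

# Constructed sample addresses for Client -> Proxy1 -> Proxy2 -> OHS (Webgate).
CLIENT, PROXY1, PROXY2 = "203.0.113.7", "10.0.0.1", "10.0.0.2"
TRUSTED = f"{PROXY1},{PROXY2}"  # ProxyTrustedIPList value, comma separated


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_list):
    """Backtrack REMOTE_ADDR and X-Forwarded-For against the trusted list.

    Walking from the web server back towards the client, return the first
    address that is not a trusted proxy.
    """
    trusted = {ipaddress.ip_address(p.strip())
               for p in trusted_list.split(",") if p.strip()}
    nearest = ipaddress.ip_address(remote_addr.strip())
    # Assumption of this sketch: the header is believed only when the directly
    # connected peer is itself a trusted proxy.
    if nearest not in trusted:
        return str(nearest)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last address we could verify
        if addr not in trusted:
            return str(addr)
        nearest = addr
    return str(nearest)


def demo():
    """Resolve the scenario above plus two variations of it."""
    header = f"{CLIENT}, {PROXY1}"
    return {
        "scenario above": resolve_client_ip(PROXY2, header, TRUSTED),
        # Entries to the left of the real client were supplied by the client
        # itself and are never reached by the backtracking.
        "extra leading entry": resolve_client_ip(
            PROXY2, f"198.51.100.9, {header}", TRUSTED),
        # Proxy1 missing from ProxyTrustedIPList: Proxy1 is taken as the client.
        "incomplete trusted list": resolve_client_ip(PROXY2, header, PROXY2),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case}: {ip}")
```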

 
Enjoy :-)