Sunday, 18 October 2015

What is Oracle Coherence

If someone is new to the term Oracle Coherence, the following questions might come up:
1) What is it?
2) Why use it?
3) Where does it come into the picture?

These are answered very well in the post below:
http://www.mythics.com/about/blog/the-features-and-benefits-of-oracle-coherence

But you will mostly come across Oracle Coherence when installing WebLogic Server, say 10.3.6.
At that time you have the option to either use the typical installation mode or go for the custom mode.

If you select custom mode, you will see that Oracle WebLogic Server and Oracle Coherence are the two products that will get installed.
You can untick Oracle Coherence if it is not required; otherwise it is installed with WebLogic Server by default.


Enjoy :-)

Unable to login to OAM Console with a new identity store

Unable to login to OAM Console 11g:

Sometimes we get into a situation where we are unable to log in to oamconsole after changing the identity store in the OAM 11g oamconsole from the EMBEDDED LDAP store to some other LDAP store such as OID, OVD or ODSEE.

In this case we should take the precaution of backing up the oam-config.xml file; now the question is why it is so important to back up this file.

This file contains all the configuration-related information required by the OAM Server, and it gets updated whenever the server configuration is updated.

For example, the default LDAP store configured in it looks like this:

<Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
    <Setting Name="Type" Type="xsd:string">LDAP</Setting>
    <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
    <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
    <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">false</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
    <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
</Setting>

Similarly, when you configure a new LDAP store, an entry of the same kind is created. You will notice that the new identity store becomes the primary store (its IsPrimary flag is set to true) while the embedded LDAP store's IsPrimary flag turns false:
<Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
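To see which store oam-config.xml currently treats as primary before restoring a backup, the following added example (not code from the original post) parses the UserIdentityStore maps and flags a file that has zero or more than one primary store. The sample XML is constructed from the fragment above; the <Stores> wrapper and the OID store values are assumptions, since a real oam-config.xml nests these maps inside further Setting maps.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the oam-config.xml fragment in the post:
# the embedded store has been demoted and a new OID store is primary.
# The <Stores> wrapper and the OID values are assumptions for this example.
SAMPLE_OAM_CONFIG = """<Stores>
  <Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
    <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
  </Setting>
  <Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="Name" Type="xsd:string">OIDStore</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">OID</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://oid-host:3060</Setting>
    <Setting Name="IsSystem" Type="xsd:boolean">false</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
  </Setting>
</Stores>"""


def parse_identity_stores(xml_text):
    """Return one dict per UserIdentityStore map, keyed by the child Setting names."""
    root = ET.fromstring(xml_text)
    stores = []
    # iter() walks the whole tree, so the maps are found however deeply they nest
    for node in root.iter("Setting"):
        if node.get("Name") != "UserIdentityStore" or node.get("Type") != "htf:map":
            continue
        stores.append({child.get("Name"): (child.text or "").strip()
                       for child in node.findall("Setting")})
    return stores


def primary_stores(stores):
    """Names of every store whose IsPrimary flag is true; there should be exactly one."""
    return [s.get("Name") for s in stores if s.get("IsPrimary", "").lower() == "true"]


def describe_stores(xml_text):
    """(name, provider, is_primary) per store, in file order, for a quick operator summary."""
    return [(s.get("Name"), s.get("LDAP_PROVIDER"), s.get("IsPrimary", "").lower() == "true")
            for s in parse_identity_stores(xml_text)]


def check_identity_stores(xml_text):
    """Return a list of findings; an empty list means exactly one primary store is set."""
    primaries = primary_stores(parse_identity_stores(xml_text))
    findings = []
    if len(primaries) != 1:
        findings.append(f"expected exactly one primary identity store, found {primaries}")
    return findings


if __name__ == "__main__":
    for name, provider, primary in describe_stores(SAMPLE_OAM_CONFIG):
        print(f"{name:20} provider={provider:14} primary={primary}")
    print("findings:", check_identity_stores(SAMPLE_OAM_CONFIG))
```

Run it against a copy of the live file and against the auto-generated backup: the store listed as primary in the backup is the one whose credentials will work again after you restore it.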

Possible way outs:
1) Check whether the user you are logging in with has admin rights, i.e. whether that user is added to the administrators group of the LDAP store.
2) If step 1 is fine, you might not have done the proper configuration in the WebLogic console;
  • Check the users & groups configuration: whether the added user is present under the users tab or not.
  • Check the roles & policies, i.e. under global roles -> Admin -> whether your admin group is present.
  • Check whether the identity store is placed at the top in the providers tab; if not, you need to reorder it.
3) If step 2 is ok, check the oamconsole settings. Now you will ask: when I am not able to log in, how can I check those?
  • The answer lies in the explanation below.
Thus, in case you are unable to log in to the oamconsole, just replace the oam-config.xml file with the old one. Remember that whenever you make changes to the OAM server configuration, a backup file is generated automatically after the changes are applied.

So either replace the current oam-config.xml with the last auto-generated backup file or with the copy you saved yourself.

Then restart the admin & managed server; you should be able to log in with the default credentials of the embedded LDAP store.



Enjoy :-)

Tuesday, 31 March 2015

Enabling Diagnostics Trace Level Log for OAM SERVER

OAM Server Diagnostics Logging - never so easy... That's a myth now ;-)


To capture OAM Server logs for diagnosis, we now just need to add a few logger statements in logging.xml.

Important point to note here: NO SERVER RESTART IS REQUIRED!

So the first question that strikes: where is this logging.xml placed?

Ans - It is present in the WebLogic server domain directory, like
/scratch/ckukreja/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig/servers/wls_oam1/logging.xml

Note: My domain name is "base_domain" and oam server name is "wls_oam1"

Next question: why do we need to see the OAM Server diagnostics?

Ans - It helps us analyze the flow. For example, when the webgate sends the IsRescProtected() NAP call, we can see in the server logs whether the server is receiving it or not. Moreover we can track that server thread and what other operations it is performing: whether it sends success or failure to the webgate, or raises an exception for the performed operation.
All this can be very helpful while debugging an issue.

Now, which logger statements need to be added?

Ans - The following logger statements need to be added:
<logger name='oracle.oam' level='TRACE:32'/>
<logger name='oracle.security.am' level='TRACE:32'/>
<logger name='oracle.oam.engine.policy' level='TRACE:32'/>
<logger name='oracle.oam.engine.session' level='TRACE:32'/>
<logger name='oracle.oam.engine.sso' level='TRACE:32'/>
<logger name='oracle.oam.engine.authz' level='TRACE:32'/>



Where to place the above snippet in logging.xml?

Ans - You will find the statement "logger name='' level='ERROR:1'" in the file; place the snippet just after its block.



<logger name='' level='ERROR:1'>
    <handler name='odl-handler'/>
    <handler name='wls-domain'/>
    <handler name='console-handler'/>
</logger>

<logger name='oracle.oam' level='TRACE:32'/>
<logger name='oracle.security.am' level='TRACE:32'/>
<logger name='oracle.oam.engine.policy' level='TRACE:32'/>
<logger name='oracle.oam.engine.session' level='TRACE:32'/>
<logger name='oracle.oam.engine.sso' level='TRACE:32'/>
<logger name='oracle.oam.engine.authz' level='TRACE:32'/>
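Because the loggers have to land directly after the root logger block, and because TRACE:32 output is voluminous and should be switched off again once the issue is diagnosed, the following added example (not code from the original post) adds the six loggers idempotently and can remove them afterwards. The sample logging.xml is constructed for this example; its <logging_configuration>/<loggers> layout and the extra oracle.sdp logger are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed minimal logging.xml for this example; the wrapper elements and
# the oracle.sdp logger are assumptions, only the root logger block is from the post.
SAMPLE_LOGGING_XML = """<logging_configuration>
  <log_handlers>
    <log_handler name='odl-handler'/>
  </log_handlers>
  <loggers>
    <logger name='' level='ERROR:1'>
      <handler name='odl-handler'/>
      <handler name='wls-domain'/>
      <handler name='console-handler'/>
    </logger>
    <logger name='oracle.sdp' level='WARNING:1'/>
  </loggers>
</logging_configuration>"""

# The six loggers from the post, at the level the post uses.
TRACE_LOGGERS = ["oracle.oam", "oracle.security.am", "oracle.oam.engine.policy",
                 "oracle.oam.engine.session", "oracle.oam.engine.sso", "oracle.oam.engine.authz"]
TRACE_LEVEL = "TRACE:32"


def _loggers_parent(root):
    parent = root.find("loggers")
    if parent is None:
        raise ValueError("no <loggers> element in logging.xml")
    return parent


def add_trace_loggers(xml_text, names=TRACE_LOGGERS, level=TRACE_LEVEL):
    """Insert the loggers right after the root logger (name=''); skip ones already present."""
    root = ET.fromstring(xml_text)
    parent = _loggers_parent(root)
    children = list(parent)
    root_idx = next((i for i, el in enumerate(children)
                     if el.tag == "logger" and el.get("name") == ""), None)
    if root_idx is None:
        raise ValueError("root logger name='' not found")
    existing = {el.get("name") for el in children if el.tag == "logger"}
    insert_at, added = root_idx + 1, []
    for name in names:
        if name in existing:
            continue
        el = ET.Element("logger", {"name": name, "level": level})
        el.tail = children[root_idx].tail  # keep the file's line breaks/indentation
        parent.insert(insert_at, el)
        insert_at += 1
        added.append(name)
    return ET.tostring(root, encoding="unicode"), added


def remove_trace_loggers(xml_text, names=TRACE_LOGGERS):
    """Revert: drop the trace loggers so the server falls back to the root level."""
    root = ET.fromstring(xml_text)
    parent = _loggers_parent(root)
    removed = []
    for el in list(parent):
        if el.tag == "logger" and el.get("name") in names:
            parent.remove(el)
            removed.append(el.get("name"))
    return ET.tostring(root, encoding="unicode"), removed


def logger_levels(xml_text):
    """Map of logger name -> level, for checking what is currently configured."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("level") for el in _loggers_parent(root).findall("logger")}


def logger_order(xml_text):
    """Logger names in file order, to confirm the trace loggers follow the root block."""
    root = ET.fromstring(xml_text)
    return [el.get("name") for el in _loggers_parent(root).findall("logger")]


if __name__ == "__main__":
    updated, added = add_trace_loggers(SAMPLE_LOGGING_XML)
    print("added:", added)
    print(updated)
```

Apply it to a copy of the file and diff against the original before writing it back; ElementTree rewrites attribute quotes, so the diff will show quote changes as well as the six new lines.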


Note: I have enabled the logs at TRACE level 32.


Important point to note here: NO SERVER RESTART IS REQUIRED!

For more info related to logging, refer to the link below:
http://www.ateam-oracle.com/logging-made-easy-in-oam-11g-with-this-simple-trick/


Enjoy :-)

Monday, 16 March 2015

Understanding the reason why to use OAAM

Understanding OAAM:


1) Risk Analysis: to find/detect suspicious attacks in real time or offline.

  • This involves keeping prints of the logged-in user's activity, so as to understand the pattern of behaviour. Whenever a variance from the pattern is detected, OAAM alerts the user.

2) Fraud Analysis: with this we can detect whether a human is interacting with the system or some malware/bot has been planted. To check for such suspicious activity, whether by human or bot, OAAM offers:

  • OTP
  • KBA
  • Fingerprint Detection
  • Challenge Schemes, etc.
 

Reference:
http://docs.oracle.com/cd/E23943_01/admin.1111/e14568/intro.htm#AAMAD636


Enjoy :-)

OAAM Basic vs Advanced vs Advanced using TAP Integration with OAM

What will we be covering?

  1. Understanding Basic OAAM Integration
  2. Understanding Advanced OAAM Integration
  3. Understanding Advanced TAP OAAM Integration
In this post we will cover Basic OAAM Integration.

OAAM Basic Integration with OAM:

The basic integration of OAAM offers a limited set of functionality when integrated with OAM. Extension libraries are bundled with the OAM server itself, and the basic integration is offered through them.

Knowledge Based Authentication is the only challenge mechanism offered in this basic integration.

What is needed for this integration?

1) OAAM Admin Server
2) OAAM Database
3) OAM Admin + Managed Server

Note: Webgate 10g & 11g agents are supported with this integration.

References:
http://docs.oracle.com/cd/E23943_01/doc.1111/e15740/aam.htm#AIING268


Enjoy :-)

Friday, 27 February 2015

OAM 11g - Webgate NAP Tunneling

 

What is NAP Tunneling?

NAP (also called OAP) is the protocol used for communication between the OAM Server and the Webgate.
The Webgate relies on this channel for communication with the server. The channel is Webgate-initiated, i.e. the request is made by the Webgate via this NAP channel and the server sends the response over the same NAP channel.

Now what is this tunneling meant for? It is basically a mechanism via which one can access a resource that is actually deployed on the OAM Server.

So what does accessing a resource mean?
Ok, take an example. I want to use an app that is actually deployed on the OAM Server. But as we know, resources are something placed on some resource server,
and to use this app I can't directly hit the resource URL because it is not accessible directly.

Thus with Webgate R2PS2 a new feature was added: NAP Tunneling. With this we can configure the URLs that need to be tunneled, e.g. tunnel the request only when the requested URL has '/oam' in it. The Webgate sends this tunnel request to the server, which in turn sends the resource to the Webgate, and it is the Webgate's responsibility to parse the response and send it back to the user's browser.

How to configure/enable NAP Tunneling Feature in OAM?

1) Define a user-defined parameter in the Webgate artifact, i.e.

     TunneledUrls=<url_path> (relative path, not absolute)

For example, I want to tunnel all requests that have '/oam' or '/oamfed' or '/sample':

     TunneledUrls=/oam, /oamfed, /sample

2) The URL paths that we want to tunnel must use the public resource policy for both authentication & authorization.


3) Make sure that the parameter "DirectAuthenticationServiceDescriptor" in oam-config.xml is set to true.


Note: This oam-config.xml file is placed at <Middleware_Home>/user_projects/domains/<domain_name>/config/fmwconfig/oam-config.xml
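As an added example (not code from the original post), the following Python parses a TunneledUrls value the way an operator would want to validate it before saving the Webgate artifact: entries are split on commas, whitespace is trimmed, and anything that is not a relative path is reported. The matcher treats each entry as a path prefix on a segment boundary; that matching rule is an assumption made for this example, and the request URLs are constructed.

```python
from urllib.parse import urlsplit


def parse_tunneled_urls(value):
    """Split a TunneledUrls value into (entries, errors).

    Entries must be relative paths (leading '/', no scheme), per the post's note;
    trailing slashes are normalised away so '/oam/' and '/oam' mean the same thing.
    """
    entries, errors = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "://" in entry or not entry.startswith("/"):
            errors.append(f"not a relative path: {entry!r}")
            continue
        entries.append(entry.rstrip("/") or "/")
    return entries, errors


def is_tunneled(request_url, tunneled):
    """Assumed rule: tunnel when the request path equals an entry or sits below it.

    Matching on a segment boundary keeps '/sample' from also catching '/sampleapp',
    and '/oam' from catching '/app/oam'.
    """
    path = urlsplit(request_url).path
    return any(p == "/" or path == p or path.startswith(p + "/") for p in tunneled)


if __name__ == "__main__":
    # Constructed value taken from the post, plus one deliberately bad entry.
    entries, errors = parse_tunneled_urls("/oam, /oamfed, /sample, http://host/bad")
    print("entries:", entries)
    print("errors:", errors)
    for url in ("http://app.example/oam/server/login", "http://app.example/sampleapp/"):
        print(url, "->", "tunneled" if is_tunneled(url, entries) else "not tunneled")
```

Whatever the Webgate's exact matching rule turns out to be, the validation half is worth running: an absolute URL in TunneledUrls is silently wrong, and every path that does match must be covered by the public policy from step 2.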



The above 3 steps are required to enable tunneling for ECC. But if you want to enable tunneling with DCC, you need to perform a few more steps;

The following post shows DCC NAP tunneling.


Enjoy :-)

Wednesday, 25 February 2015

[OAM]: Start OAM Admin/Managed Server without getting prompt for username & password

The answer to this is the boot.properties file; using it we can make the OAM Admin/Managed Server start without prompting for the username & password.

Where to find this file & what does it contain?

When we install OAM in development mode, this file is created for the AdminServer and placed under the <Domain_Home>/servers/AdminServer/security/ directory.

Note: Domain Home in the above path is the location where you created the user projects in the Middleware home.

Under the above directory the boot.properties file is created and it contains the credential details, i.e.:
username=<encrypted text>
password=<encrypted text>

That's why in development mode you are not prompted for the username & password when you start the Admin Server.

How to use this for a Managed Server?

One can simply take the boot.properties file present in the AdminServer security directory and copy it to the oam_server security directory.

Note: This holds when both servers are in the same domain.

Like - in my case I have an oam_server1 entry in
<domain_home>/servers/oam_server1

Inside this directory I couldn't locate the security folder, so I created a folder with the name 'security' and copied the 'boot.properties' file into it.

Now when I started my OAM server it didn't ask me for the credentials.

What if I create my own boot.properties file?

One can create a new boot.properties file, which means it will contain the plain text username & password, not the encrypted ones.
When someone starts the OAM server, it reads the credentials and then encrypts the file. Thus the file contents are changed, meaning no plain text remains.

I don't see a security folder in my server directory?

So create a folder with the name 'security' and create a file named 'boot.properties' in it. The user credentials need to be entered in the properties file.
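Since a hand-written boot.properties holds the credentials in plain text until the server's first start encrypts it, the following added example (not code from the original post) creates the security directory and file with owner-only permissions, and then reports whether the file is still in plaintext, encrypted, or mixed. It assumes encrypted values carry the {AES} prefix seen in the oam-config.xml fragment earlier on this page; the directory names and the credentials are constructed for the example.

```python
import os
import stat
import tempfile

ENCRYPTED_PREFIX = "{AES}"  # assumption: encrypted WebLogic values start with this marker


def write_boot_properties(security_dir, username, password):
    """Create <server>/security/boot.properties readable only by the owner."""
    os.makedirs(security_dir, mode=0o700, exist_ok=True)
    path = os.path.join(security_dir, "boot.properties")
    # O_CREAT with mode 0o600 means the file never exists world-readable, even briefly
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username={username}\npassword={password}\n")
    os.chmod(path, 0o600)  # in case an existing file had wider permissions
    return path


def parse_properties(text):
    """Minimal key=value parser for the two lines boot.properties contains."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def credential_state(text):
    """'plaintext' until the server has rewritten the file, 'encrypted' afterwards."""
    props = parse_properties(text)
    keys = ("username", "password")
    if any(k not in props for k in keys):
        return "incomplete"
    encrypted = [k for k in keys if props[k].startswith(ENCRYPTED_PREFIX)]
    if len(encrypted) == len(keys):
        return "encrypted"
    return "mixed" if encrypted else "plaintext"


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write a constructed boot.properties into a temp domain and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        security_dir = os.path.join(tmp, "servers", "oam_server1", "security")
        path = write_boot_properties(security_dir, "weblogic", "example-password")
        with open(path) as fh:
            text = fh.read()
        return file_mode(path), credential_state(text)


if __name__ == "__main__":
    mode, state = demo()
    print(f"mode={mode:o} state={state}")
```

After the server's first start, run credential_state on the real file: if it still reports plaintext, the server did not pick the file up (wrong directory or file name), and the credentials are sitting on disk unencrypted.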

References:
http://docs.oracle.com/cd/E14571_01/web.1111/e13708/overview.htm#START128


Enjoy :-)