Channel: Oracle Trainings for Apps & Fusion DBA

Focusthread- Online OBIEE Basic & Advance Administration Training Weekend Batch- 31 August 2013


Get trained by the best instructor, known to have trained novices into experts in this field.

This is a hands-on, lab-intensive course conducted on weekends. Our instructor-led trainings are interactive, with practice and Q/A sessions. We use industry-leading conferencing software [with integrated VoIP] to provide trainings.

Training Schedule: 31 August 2013 & 01, 07, 08, 14 September 2013

 

Course Fee: USD 599

 

Timings: 12:00 Noon GMT | 8:00AM EST | 5:00AM PST | 7:00AM CST | 6:00AM MST | 5:30PM IST | 1:00PM UK

Please click on the below link to view course contents & schedule details :
http://www.focusthread.com/training/dba-trainings/obiee-basic-a-advanced-administration-training/253-online-obiee-basic-a-advance-administration-training

We have always received excellent feedback from our Trainees. Please have a look at them:
http://www.focusthread.com/training/35-training-testimonials/87-training-testimonials

For full curriculum and details, email us at training@focusthread.com or contact us by phone – US: +1 213-814-4243 | UK: +44(0) 20 7193 7426 | India: +91-9833815812

Class size is limited—sign up for this course today!


Dynamic Cluster in WebLogic 12.1.2 : New Features in WebLogic 12c


I discussed the launch of Oracle Cloud Application Foundation and the new/changed features in WebLogic 12.1.2 (new installer, BSU replaced by opatch, dynamic cluster, etc.). In this post I am going to cover Dynamic Cluster in WebLogic Server 12.1.2.

If you are new to WebLogic Server, then I highly recommend that you read my previous post on WebLogic Domain, Admin & Managed Server.

 

  • Dynamic Cluster is a new feature introduced in WebLogic 12.1.2 which makes creating and managing a WebLogic Cluster simple and quick.
  • In a normal WebLogic Cluster (aka Configured Cluster), you define Managed Servers and add them to the Cluster.
  • In a Dynamic Cluster, you select the number of Servers you want in the Cluster and the Server Template you wish to assign to the Servers in this WebLogic Dynamic Cluster.
  • Servers (or Managed Servers) that are part of a WebLogic Dynamic Cluster take their properties from the Server Template.
  • If you need to modify any setting for Dynamic Servers (part of a Dynamic Cluster), you modify the Server Template that is applicable to the Dynamic Cluster.

 

 

How to create a Dynamic Cluster in WebLogic 12.1.2

1. Log in to the WebLogic Console : Environment -> Clusters : New -> Dynamic Cluster. Enter the name of the dynamic cluster and click Next.

2. On the “Specify Dynamic Server Properties” page, specify the Number of Servers that you wish to create in the cluster, the Server Prefix Name and the Server Template (you can create a new Server Template or clone an existing Server Template).

3. On “Specify Machine Bindings”, specify the host where you wish to start the Servers in this cluster.

You can start the Servers that are part of this cluster on:

a) Any Machine that is part of this domain
b) All Servers on the same Machine
c) A subset of Machines

Note: The Machine must be configured in the WebLogic Domain.

4. On the Specify Listen Port Binding page, specify the port on which these Servers (part of the Dynamic Cluster) should listen.

5. On the Review Your Dynamic Cluster Configuration page, review the cluster configuration and click Finish.

6. If the WebLogic Domain is configured in production mode (the other is development mode), then Activate Changes.

7. Finally, verify the Server details.

 

 

You can also look at the presentation from Dave Cabelus (Senior Principal Product Manager).

 


Oracle Weblogic : Tuning JDBC Data Source parameters


In this post, we will cover some of the parameters and factors which affect JDBC performance in WebLogic Server. But first I would like to show how JDBC connections are made (in the snaps below), and for that we need to understand two terms: Data Sources and Connection Pool.

Data sources:
- Are administered factory objects that provide JDBC connections.
- Are bound into the Java Naming and Directory Interface (JNDI) and configured using the Administration Console.
- Make the application code portable across databases.
- Creating a connection to the database is an expensive operation.


Connection pools:
- Remove the overhead of establishing connections.
- Improve server performance by sharing database connections among multiple users accessing the Web application.

A simple way to boost JDBC application performance and avoid wasting resources:
1. JNDI lookups are relatively expensive, so caching an object that requires a lookup in client code or application code avoids incurring additional performance cost.
2. When client or application code has a connection, maximize the reuse of this connection rather than closing and reacquiring a new connection. Although acquiring and returning an existing connection is much less expensive than creating a new one, excessive acquisitions and returns to pools create contention in the connection pool and degrade application performance.
3. Do not hold connections any longer than is necessary to achieve the work needed. Getting a connection once, completing all necessary work, and returning it as soon as possible provides the best balance for overall performance.

 

Parameters that affect JDBC Data Source performance (which can be changed using the WebLogic console):


1. Connection Pool Capacity (most important):
- Connection creation is expensive.
- For applications that consistently involve heavy database traffic:
  - Determine the optimal Maximum Capacity of a data source experimentally.
  - Set the Initial Capacity and Maximum Capacity to the same value.
- For applications where peak database load is intermittent:
  - Use different values for initial and maximum sizes.
  - Tune Capacity Increment and Shrink Frequency on the basis of load changes.

In my environment, I have kept the Minimum value as 20 and the Maximum as 100. The Minimum can't be kept too high, as there will be extra overhead because of this.

2. Connection testing :
- The WebLogic Server can test a connection from the connection pool before giving it to a client.
- Test Connection On Reserve parameter enables automatic testing of database connection.
- Connections can also be tested periodically for validity by using the Test Frequency parameter.
- Both these parameters can degrade performance (so avoid them in production instances).


3. Shrink Frequency
- The WebLogic Server periodically shrinks the connection pool to its initial capacity based on usage.
- The Shrink Frequency parameter is used to specify the number of seconds to wait before shrinking a connection pool.
- When set to 0, shrinking is disabled. This can be helpful in a production environment.


4. Configuring Row Prefetch
- Row prefetching improves performance by fetching multiple rows from the server to the client in one server access.
- The optimal prefetch size depends on the particulars of the query.
- In general, increasing this number will increase performance, until a particular value is reached.
Note: This is applicable only for external clients, not for clients in the same Java Virtual Machine (JVM) as the WebLogic Server.
Very rarely will increased performance result from exceeding 100 rows.
The maximum value is 65536 and the minimum value is 2.

5. Statement caching:

The three types of statements in JDBC are:
- Statements (not cached)
- Prepared statements
- Callable statements
Prepared statements and callable statements are cacheable and improve overall performance through reuse.
- The statement cache type determines how the cache is refreshed:
  - LRU: replaces the least recently used statement with the new one.
  - FIXED: no replacement is done.

6. Statement Cache Size: The Statement Cache Size attribute determines the total number of prepared and callable statements to cache for each connection in each instance of the data source. By caching statements, you can increase your system performance. However, you must consider how your DBMS handles open prepared and callable statements. In many cases, the DBMS will maintain a cursor for each open statement. This applies to prepared and callable statements in the statement cache. If you cache too many statements, you may exceed the limit of open cursors on your database server. Setting the size of the statement cache to 0 turns off statement caching.
- Minimum value: 0
- Maximum value: 1024


7. Connection Pinned to Thread:
- A data source can dedicate or “pin” a connection to the first server thread that requests it.
- This capability:
  - May increase performance by eliminating potential contention for connections by threads
  - Is not supported with multi data sources or Oracle Real Application Clusters (RAC)


8. Inactive Connection Timeout:
The number of inactive seconds on a reserved connection before WebLogic Server reclaims the connection and releases it back into the connection pool.
You can use the Inactive Connection Timeout feature to reclaim leaked connections – connections that were not explicitly closed by the application. Note that this feature is not intended to be used in place of properly closing connections.
When set to 0, the feature is disabled.

Things to Consider on Oracle Database Instance side:

Number of processes

-It includes simultaneous users and Oracle background processes.

-The default setting is usually too low.

Shared pool size

-It contains data and control information for each instance.

-It is critical to performance.

-Even the moderate use of stored procedures and triggers may require an increase.

Maximum opened cursor

-It should be increased if you are using JDBC statement caching.

 

There are several other factors which affect JDBC performance, which I will try to cover later; the ones discussed above are the primary and important ones. Performance issues differ from environment to environment and may be due to other reasons or factors (which are not mentioned above), but I hope understanding these parameters will certainly help.

 

Oracle Technical Administrator – Navi Mumbai


Hi all ,

We have a requirement for an Oracle Technical Administrator in our organisation at Navi Mumbai.

Details are as follows :

Designation : Oracle Technical Administrator

Qualification required : Fresher - BE, BTech, BSc(IT), BSc(CS), BCA, BCom(IT)

Must have basic knowledge of Linux. Oracle Database knowledge can be an added advantage

Compensation – Best in Industry

If interested please write to jobs@focusthread.com with your updated profiles.

- Recruitment Team

Focusthread

 

OIF Production issue


I would like to share my experience with a strange issue that we encountered in our OIF production environment. We are using OIF 11.1.1.5 in cluster mode. OIF is using OVD as the user store, which is talking to AD underneath.

OIF is also using DB for Federation and configuration data stores. We are acting as Identity Provider with email address as mapping mechanism between two partners.

A user called JDoe (example) exists in AD. His NT ID was changed due to some requirements, so he was supposed to get a new NT ID generated by AD, and likewise a new email address. The new NT ID and email address got generated and can be seen through OVD too. The partner data store also got updated with the new email address in their system.

While the user is trying to perform Federation, the assertion generated at the IDP (our end) is not validated by the Partner. The SAML assertion contains the OLD email address as the Name ID value below.

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">

However there are some additional attributes that are being passed along with assertion and email address is one of them. Interestingly new email address is seen in the attributes list.

We’ve tried restarting the servers, refreshed the AD/OVD caches etc., but no luck.

Finally I’ve deleted the SAML assertion record generated for that user in OIF EM console at Oracle Identity Federation -> Administration -> Identities. User has tried federation and it has worked. This time the Name ID in assertion has new email address value.

This could be something with timeout parameter of federation data store but this issue is not seen for any of the other users. We can’t even reproduce this issue.
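The symptom described in this post (a NameID still carrying the old address while the attribute list carries the new one) can be checked mechanically on a captured assertion. The following is an added example, not code from the original post: the attribute name `mail`, the sample addresses and the assertion itself are constructed, and the check does not validate signatures.

```python
import xml.etree.ElementTree as ET  # for untrusted XML prefer a hardened parser such as defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the Subject NameID holds the old address, the attribute the new one.
SAMPLE_STALE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2013-08-30T09:34:07Z">
  <saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe.old@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>JDoe.New@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenname">
      <saml:AttributeValue>John</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_nameid(xml_text, mail_attr="mail"):
    """Compare the Subject NameID with the e-mail attribute of one assertion.

    Returns a dict with status 'match', 'stale', 'no-attribute',
    'not-email-format' or 'no-nameid'. mail_attr is an assumed attribute name.
    """
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % NS["saml"]
    # Accept either a bare Assertion or one wrapped in a samlp:Response.
    assertion = root if root.tag == assertion_tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 Assertion element found")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return {"status": "no-nameid", "nameid": None, "attribute": []}
    nameid = name_id.text.strip()

    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name", "").lower() == mail_attr.lower():
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    values.append(value.text.strip())

    if name_id.get("Format") != EMAIL_FORMAT:
        status = "not-email-format"
    elif not values:
        status = "no-attribute"
    elif nameid.lower() in [v.lower() for v in values]:
        status = "match"   # addresses compared case-insensitively (assumption)
    else:
        status = "stale"   # NameID and attribute disagree, as in the incident above
    return {"status": status, "nameid": nameid, "attribute": values}


if __name__ == "__main__":
    print(check_nameid(SAMPLE_STALE))
```

A `stale` result for a user points at the stored federation record for that user rather than at the directory, which matches what deleting the record under Administration -> Identities resolved here.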

Implementing Local Store Adapter in OVD 11g


I’ve had the opportunity to work on OVD 11.1.1.7 recently and I would like to share a couple of experiences.

First things first: the Local Store Adapter. Why do we need this? The requirement is to provide a unified view of two different Active Directories (it could be any other LDAP). I’ve created 2 AD Adapters, and to get the Root View I should create a Local Store Adapter.

Let’s assume the mapped Namespace of AD Adapter 1 is : ou=OrgA,ou=Users,dc=ovd,dc=dev

Let’s assume the mapped Namespace of AD Adapter 2 is : ou=OrgB,ou=Users,dc=ovd,dc=dev

So the mapped namespace for the Local Store Adapter is definitely dc=ovd,dc=dev. I’ve created the LSA adapter with dc=ovd,dc=dev as the Root Namespace. However, I could see null entries under Root after expansion.

Here is why.

First we need to create an LDAP structure in the OVD schema with the LSA namespace, say dc=ovd,dc=dev, as shown below. The ldapadd command can be used.

version: 1
dn: dc=ovd,dc=dev
objectclass: top
objectclass: domain
dc: ovd

That’s not all.

We also need to create the structure ou=Users,dc=ovd,dc=dev in the OVD LDAP schema with the contents given below. Remember that the contents of this file have changed because the objectclasses associated with the entries are different. Since we are using ou=Users, it belongs to the organizationalUnit class and hence the ou attribute needs to be defined. If you are using cn=Users,dc=ovd,dc=dev, then the container objectclass has to be used.

dn: ou=Users,dc=ovd,dc=dev
ou: Users
description: Users container
objectclass: top
objectclass: organizationalUnit

Use ldapadd command to upload the above ldif file.

It is all set now. Remember that you don’t have to create an LDAP entry ou=OrgA,ou=Users,dc=ovd,dc=dev because AD adapter has already created this entry. Refresh the LSA root node in ODSM client view and expand to see the entries.

OEM 12c Integration with Fusion Middleware WebLogic : Compliance Score xx% is below critical threshold : Troubleshooting


If you have integrated your Oracle Fusion Middleware, including WebLogic or Identity Management, with OEM 12c, then OEM 12c comes with pre-defined events and compliance rule violations. Incidents are raised when these compliance rule violations reach a particular value.

In my Fusion Middleware environment, I recently received an alert that “Compliance Score xx% is below Critical Threshold”.

If you get an alert like this, then this event is from the Compliance Management module of OEM 12c.

To find out root cause of the issue

1. Login to OEM 12c Cloud Control Console : Enterprise -> Compliance -> Dashboard

2. On Compliance Dashboard page click on Security Recommendation For Oracle Products under Compliance Summary

 

 

 

 

3. On the Compliance Standard Result Detail page, select the Violations tab, then select one of the entries under General (window Violations) and look for the message “Securty Patch [patch_number] is applicable to it”.

 

 

 

To list all the missing Security Patches applicable to this host

1. Login to OEM 12c Cloud Control Console : Enterprise -> Compliance -> Results

2. Under Search select Security Recommended For Oracle Products and click on Show Details

3. On Compliance Standard Result Detail page double click on Security Recommendation For Oracle Products and then select tab Violation Events

 

Fix:

Apply all the patches applicable to the host which raised the Incident “Compliance Score xx% is below critical threshold”.

 

To see all the Compliance Rules

Login to OEM 12c Cloud Control Console : Enterprise -> Compliance -> Library

 

Focusthread- Online Oracle Core DBA Training – 07 September 2013


Get trained by the best instructor, known to have trained novices into experts in this field.

Our online Core DBA Training is mostly hands-on based. It will help candidates learn Oracle 11g Database Architecture and the day-to-day activities of a DBA, such as database installation, backup & recovery, and troubleshooting performance issues. We give special care to every trainee to complete the hands-on lab exercises on each topic. Extra topics on Linux are also covered to help trainees get comfortable with Linux.

Training Schedule:  07, 08, 14, 15, 21 & 22 September 2013

Course Fee : USD 399

Timings : 12:00 Noon GMT | 8:00AM EST | 5:00AM PST | 7:00AM CST | 6:00AM MST | 5:30PM IST | 1:00PM UK

Please click on the below link to view course contents & schedule details :
http://www.focusthread.com/training/dba-trainings/oracle-core-dba-training/88-oracle-core-dba-training

We have always received excellent feedback from our Trainees. Please have a look at them:
http://www.focusthread.com/training/dba-trainings/oracle-core-dba-training/111-oracle-core-dba-training-testimonialsfeedback

For full curriculum and details, email us at training@focusthread.com or contact us by phone – US: +1 213-814-4243 | UK: +44(0) 20 7193 7426 | India: +91-9833815812

Class size is limited—sign up for this course today!


Focusthread- Online Weblogic Administrator Training Weekend Batch- 07 September 2013


Get trained by the best instructor, known to have trained novices into experts in this field.

This training focuses on techniques for building high-availability, clustered configurations to ensure maximum application uptime. Methods for hardening the implementation to provide reliable security are also emphasized.

Training Schedule: 07, 08, 14, 15, 21 & 22 September 2013

 

Course Fee: USD 499

 

Timings: 12:00 Noon GMT | 8:00AM EST | 5:00AM PST | 7:00AM CST | 6:00AM MST | 5:30PM IST | 1:00PM UK

Please click on the below link to view course contents & schedule details :
http://www.focusthread.com/training/dba-trainings/oracle-weblogic-administrator-training/112-oracle-weblogic-administrator-training-contents

We have always received excellent feedback from our Trainees. Please have a look at them:
http://www.focusthread.com/training/dba-trainings/oracle-weblogic-administrator-training/140-oracle-weblogic-administrator-training-testimonials

For full curriculum and details, email us at training@focusthread.com or contact us by phone – US: +1 213-814-4243 | UK: +44(0) 20 7193 7426 | India: +91-9833815812

Class size is limited—sign up for this course today!

Beware if you are running OAM in SIMPLE mode with 10g WebGate : Oracle AccessGate API is not initialized


In today’s post I am going to cover an issue encountered recently on Oracle Access Manager 11g with WebGate 10g in SIMPLE mode, configured with OHS 11g.

First, for those who are new to OAM: Oracle Access Manager (OAM) is the recommended Single Sign-On (SSO) solution from Oracle, and WebGate is an agent that acts as the Policy Enforcement Point (PEP) and is installed with the web server (OHS, IHS, IIS etc.). To know more about OAM 11g and its components, you can check my book at Amazon.

  • WebGate communicates directly with the OAM server’s proxy port (5575) in OAM 11g (or the Access System in OAM 10g) using the Oracle Access Protocol (OAP).
  • WebGate communicates with the OAM server in one of three modes:

a) OPEN – Communication between WebGate and OAM is in clear text
b) SIMPLE – Communication between WebGate and OAM is secured (SSL), but using Oracle-signed certificates
c) CERT – Communication between WebGate and OAM is secured (SSL), using certificates from a recognised certificate signing authority (like VeriSign)

To change OAM/WebGate communication mode, check my post here

 

When WebGate is installed and configured in SIMPLE or CERT mode, certificates for the SSL communication between WebGate and OAM 11g (OAP over SSL) are generated and stored on the OAM Server (at $DOMAIN_HOME/output/[WebGate_ID]) and on the Web Server (at $WEB_GATE_HOME/oblix/config/simple/aaa_cert.pem and aaa_key.pem).

  • If your WebGate version is 10g and the mode is SIMPLE, then the validity of the certificate on the WebGate side is just 1 year.
  • To view the certificate validity on the WebGate side, open aaa_cert.pem (you can change the extension to CER and open it on Windows to see the certificate's valid-till date).
  • During WebGate configuration, this certificate is generated using the configuration files $WEBGATE_HOME/oblix/tools/openssl/openssl.cnf and openssl_silent.cnf (default_days = 365), which define the validity period as 1 year.

Now coming to the actual issue: exactly 1 year after the OAM setup (OAM 11g with 10g WebGate in SIMPLE mode), the OHS servers started reporting the following errors (OHS 11g logs are at $ORACLE_INSTANCE/diagnostics/OHS/ohs1/)

_________

Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935 #01116526#01116568# 011ACCESS_GATE#011FATAL#0110x0000181C #011/scratch/alnguyen /Oblix/10143hf/palantir/ webgate2/src/ apache2entry_web_gate.cpp :434#011 “Oracle AccessGate API is not initialized.”#011raw_code^204#011

Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935#01116526 #01116568#011ACCESS_GATE #011FATAL#0110x0000181C #011/scratch/alnguyen /Oblix/10143hf/palantir /webgate2/src/ apache2entry_web_gate.cpp :434#011 “Oracle AccessGate  API is not initialized.”#011raw_code^204#011

________

 

Note: This error is generic and means for some reason WebGate is unable to initialize with OAM Server.

 

In the OAM logs ($DOMAIN_HOME/servers/[OAM_SERVER]/logs), I noticed messages like

______

29-Aug-2013 20:07:15 oracle.security.am.engines.common.adapters.OAMLoggerImpl severe SEVERE: Simple Mode HandShake: Mismatch in Client Response. expectedResponse: eb8d218676b5f81a5b8fb4a52902157c clientResponse: ef1560bd753f98a4e164440960852573

______

I then looked at the SSL certificates on the WebGate and noticed that the certificate had expired.

Fix: You can regenerate the SSL certificates for WebGate in SIMPLE mode by re-configuring WebGate ($WEBGATE_HOME/oblix/tools/configureWebGate/configureWebGate -i [WebGate_Install_Dir] -t WebGate). More on re-configuring 10g WebGate here.

Note: During WebGate configuration, it will prompt for the WebGate Password (if WebGate is password protected) and the Global Passphrase.

  • If you don’t remember the WebGate Password, you can reset it from the OAM console (/oamconsole).
  • If you don’t remember the Global Passphrase, you can retrieve it by running the WLST command displaySimpleModeGlobalPassphrase().

 

Note: If your OAM Server is using JDK 1.6.24+ (higher than JDK 1.6.24), then there is a bug in SSL certificate generation in SIMPLE mode, which is fixed in WebGate 10.1.4.3 BP 11A or higher (apply the latest WebGate Bundle Patch for 10.1.4.3, i.e. BP13 17231077).

To find out your WebGate version click here and to apply patches in OAM (including WebGate) click here
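Because the outage above only shows up on the day the WebGate certificate expires, a scheduled check of the notAfter date in aaa_cert.pem gives advance notice. The following is an added example, not code from the original post or from Oracle: it reads the validity period with a small DER walker from the standard library, and the sample certificate is a constructed, unsigned skeleton with a 365-day lifetime (the issue date is made up).

```python
import base64
import re
from datetime import datetime, timedelta, timezone


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def children(buf, start, end):
    """List the (tag, start, end) triples of the elements inside a SEQUENCE."""
    out, pos = [], start
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos)
        out.append((tag, cs, ce))
        pos = ce
    return out


def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 is 19YY
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)       # Certificate
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, tbs_start, tbs_end = read_tlv(der, start)   # TBSCertificate
    fields = children(der, tbs_start, tbs_end)
    if fields and fields[0][0] == 0xA0:    # optional explicit [0] version
        fields = fields[1:]
    # Remaining order: serial, signature algorithm, issuer, validity, ...
    if len(fields) < 4 or fields[3][0] != 0x30:
        raise ValueError("validity field not found")
    times = children(der, fields[3][1], fields[3][2])
    not_before, not_after = (parse_time(t, der[cs:ce]) for t, cs, ce in times[:2])
    return not_before, not_after


def check_expiry(pem_text, now, warn_days=30):
    """Return (status, notAfter); status is ok, expiring, expired or not-yet-valid."""
    not_before, not_after = cert_validity(pem_to_der(pem_text))
    days_left = (not_after - now).total_seconds() / 86400
    if now < not_before:
        status = "not-yet-valid"
    elif days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return status, not_after


def tlv(tag, content):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def build_sample_pem(not_before, not_after):
    """Constructed, unsigned certificate skeleton; only the field layout is real."""
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    name = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name
              + tlv(0x30, utc(not_before) + utc(not_after)) + name + tlv(0x30, b""))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


ISSUED = datetime(2012, 8, 29, 20, 0, 0, tzinfo=timezone.utc)       # constructed date
SAMPLE_PEM = build_sample_pem(ISSUED, ISSUED + timedelta(days=365))  # default_days = 365

if __name__ == "__main__":
    for when in (datetime(2013, 1, 1, tzinfo=timezone.utc),
                 datetime(2013, 8, 1, tzinfo=timezone.utc),
                 datetime(2013, 8, 30, 9, 34, 7, tzinfo=timezone.utc)):
        print(when.date(), check_expiry(SAMPLE_PEM, when))
```

On a real host, pass the contents of $WEB_GATE_HOME/oblix/config/simple/aaa_cert.pem and `datetime.now(timezone.utc)` to `check_expiry` and alert on anything other than `ok`.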

 


Retrievable attributes in OVD 11g


This is a continuation to OVD 11g implementation experiences. Please refer to my previous post for LSA adapter implementation.

We are using AD adapters underneath the LSA adapter. There is a list of attributes that needs to be returned as part of the LDAP search query for both AD Users and Groups.

By default OVD will return all the user attributes (NOT NULL) that are part of the LDAP entry. However, our requirement is to allow only a few attributes and forbid the rest.

There is a field in the OVD Adapter that lets you achieve this.

  1. Log in to the ODSM Console.
  2. Go to the Adapters tab.
  3. Click on the Adapter.
  4. Click on the Routing tab.
  5. In the Retrievable Attributes field, click Add to select the attributes that you want to return. It is not mandatory to click Add for each of those attributes; it may be time consuming to add, say, 40 attributes. The easiest approach is therefore to write all the attributes in a notepad, one attribute per line, and copy them into the Retrievable Attributes text box. Please refer to the screenshot below.
  6. Click Apply.
  7. Observe that the order of the attributes may get changed.

Run an LDAP search to look at all the returned attributes; refer to the example below.

./ldapsearch -h host -p port -D credential -w pwd -b "user search base" -s sub "cn=JDoe"

If you have a requirement to forbid a few attributes from the LDAP search, then you can specify those attributes in the Unretrievable Attributes field.
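To confirm that the adapter really returns only the intended attributes, the search output can be compared against the allow-list instead of being read by eye. The following is an added example, not code from the original post: it assumes the search output is in LDIF format, and the sample entries, attribute names and allow-list are constructed (the DNs reuse the namespace from the Local Store Adapter post).

```python
import base64

# Constructed ldapsearch output in LDIF, with a folded line, a base64 value
# and an attribute option, to exercise the parser.
SAMPLE_LDIF = """\
version: 1

dn: cn=JDoe,ou=OrgA,ou=Users,dc=ovd,dc=dev
objectClass: top
objectClass: user
cn: JDoe
mail: jdoe@example.com
description: a long value that the server folded onto
  a continuation line
userCertificate;binary:: Y29uc3RydWN0ZWQ=
pwdLastSet: 130220000000000000

dn: cn=ASmith,ou=OrgB,ou=Users,dc=ovd,dc=dev
cn: ASmith
mail: asmith@example.com
"""


def parse_ldif(text):
    """Return a list of (dn, set_of_lowercased_attribute_names) per entry."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):           # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip()
        if name.lower() == "dn":
            if value.startswith(":"):      # 'dn:: <base64>' form
                dn = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                dn = value.strip()
            attrs = set()
            continue
        if dn is None:                     # e.g. the leading 'version: 1' line
            continue
        # Drop options such as ';binary' and compare names case-insensitively.
        attrs.add(name.split(";")[0].lower())
    return entries


def audit_returned_attributes(ldif_text, allowed):
    """Map each DN to the sorted attributes returned outside the allow-list."""
    allowed_lower = {a.lower() for a in allowed}
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        extra = sorted(attrs - allowed_lower)
        if extra:
            report[dn] = extra
    return report


if __name__ == "__main__":
    # Constructed allow-list standing in for the Retrievable Attributes field.
    for dn, extra in audit_returned_attributes(
            SAMPLE_LDIF, ["cn", "mail", "objectClass"]).items():
        print(dn, "->", ", ".join(extra))
```

An empty report means every returned attribute is on the allow-list; any entry in it names the attributes the adapter still exposes.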

 

LDAP Filtering in OVD 11g


This is a continuation of the OVD 11g experience-related posts. Please refer to the earlier posts here.

Usually, when searching for a user/group in LDAP, we apply filters. Here are a few examples:

  1. (objectclass=person)
  2. (&(objectclass=user)(objectclass=inetorgperson))
  3. (|(mail=*@myorg.com)(uid=*@myorg.com)(sn=*)(givenname=*)(cn=*))
  4. (&(|(uid=*)(cn=*))(sn=*))

While you’re creating an LDAP Adapter, OVD provides an easy option to add these filters. In the specific Adapter, go to the Routing tab. Observe the fields Filters to Include and Filters to Exclude.

The Filters to Include and Filters to Exclude settings are essentially a filter and apply to the LDAP search filters specified by a client. If a client search filter fulfills the logical requirements defined in the Filters to Include setting, that adapter is selected for inclusion in the set of adapters used in the search. Similarly, for the Filters to Exclude setting, if the logical requirements are met, that adapter is deselected from the set of adapters used in the client search.

In my case, I’ve created AD adapters for the users and groups containers. Unfortunately, the Users and Groups search base in AD is the same. Therefore, while searching for a User under the mapped OVD Users container, the results show groups, and vice versa.

Hence, I’ve used the Filters to Exclude attribute to define (objectclass=group*) in the AD Users adapter and (objectclass=user*) in the AD Groups adapter.

OAM 10g IWA implementation with IIS 7.5


This post explains the implementation details around achieving IWA authentication for IIS 7.5 using OAM 10.1.4.3.

Refer to the list of supported / available webgates for respective IIS version and OS version here.

We’ve used Windows 2008 R2 64-bit and IIS 7.5 in our environment. It is assumed that the WebGate instances, Host Identifiers, Authentication Schemes and Policies have already been created. This post explicitly explains the configuration changes required on the IIS servers for the IWA mechanism.

The first step is installing the WebGate on the IIS Windows box.

Some of the important notes are:

  1. Select the Server Type as IIS in the installation wizard.
  2. You might see some pop-ups asking to replace the DLL files that match the WebGate. Some of those DLLs are msvcirt.dll, mfc70.dll, obnss3.dll etc. Click Yes to replace all those DLL files.
  3. Click Yes to automatically update the IIS configuration.

Here are the actual SSO configuration changes required:

  • Go to C:\Windows\System32\inetsrv\config on the WebGate box. Take a backup of the applicationHost.config file. Edit applicationHost.config and search for the word segment. Remove the line <add segment="bin" /> and save the file.
  • Open the IIS Manager.
  • Go to Sites.
  • Click on the site to be protected for IWA.
  • Click ISAPI Filters in the center pane.
  • Verify that OracleWebGate is added and points to webgate.dll. If it is not already added, create it.
  • Go to Sites. Right-click the site application and click Add Virtual Directory.
  • Specify Alias as access. Specify Physical path as the WebGate access folder. Click OK.
  • Select access and double-click Handler Mappings in the center pane.
  • Click Edit Feature Permissions in the Actions pane.
  • Enable the Execute check-box and click OK.
  • Go to the WebGate access folder D:\Oracle\webgate\access, right-click it and select Security. Verify the following.
  1. Verify user “IUSR”, has “Allow” for “Modify”
  2. Verify user “IIS_IUSRS”, has “Allow” for “Modify”
  3. Verify user “NETWORK”, has “Allow” for “Modify”
  4. Verify user “NETWORK SERVICE”, has “Allow” for “Modify”
  5. Verify if group “Administrators” has “Allow” for “Modify”
  • Go to the site. Double-click Authentication.
  • Right click on Anonymous Authentication and disable it. Right click on Windows Authentication and enable it
  • Restart IIS using iisreset

 

Integrating OAM with Bridge-way eCounsel


This post explains the integration of OAM 10.1.4.3 with the Bridge-way eCounsel application using the IWA mechanism. Please refer to the previous post for the IWA implementation steps.

What is Bridge-way eCounsel?

Bridgeway eCounsel is the complete, easy-to-use matter management solution that lets you easily track every detail for any matter, assign and manage internal staff and outside counsel, manage your legal spend, analyze trends, and more—from anywhere, via the Web.

Bridge-way eCounsel Application has a Suite Manager wizard which lets us manage the identities/authentication mechanisms and other eCounsel-specific features.

eCounsel is a web application that is deployed on WebLogic Servers, so we have used IIS as a proxy for WebLogic and defined IWA on IIS for OAM authentication purposes.

Follow the steps below to configure Suite Manager to perform SSO with the eCounsel application.

Suite Manager SiteMinder integration changes:

Bridge-way supports SiteMinder as a 3rd-party SSO. Here we are impersonating SiteMinder using the OAM WebGate by passing a header variable which is consumed by Bridge-way to allow user single sign-on.

  • Login to Suite Manager as administrator
  • Double Click on Authentication
  • Click on tab SiteMinder Integration
  • Specify the header variable name as sm-user. Please note that this is case-sensitive
  • Enable the checkbox SiteMinder Integration enabled
  • Click Save.

Suite Manager User Mapping:

Prior to SSO, all the Bridge-way users should be mapped to a SiteMinder ID, which is the header variable passed by the OAM WebGate. Usually it is the NT ID of the user coming from the OAM User Store.

  • Login to Suite Manager with admin privileges
  • Double click on Users/Groups.
  • Search for the user id to be mapped in the Filter textbox
  • Edit the user
  • Specify the NT ID in the SiteMinder ID field as shown in the screenshot below.
  • Click Save
  • Repeat these steps for all eCounsel users.

Further steps will be continued in next post.

 

Oracle Service Bus (OSB) 11.1.1.7 installation : Overview and Key Points


I discussed an overview of Oracle Service Bus (OSB) 11g installation in my previous post here. In this post I am going to cover the high-level installation steps for OSB 11g (11.1.1.7).

  •  The OSB 11.1.1.7 Installation Guide is available here, so I am going to cover only quick high-level steps.

 

High Level Installation Steps 

1. Install Oracle Database (Database is used to host OWSM MDS & OSB JMS Reporting) :

Note: This step is required only if you are using OSB Reporting or OWSM to protect WebServices deployed on OSB

2. Create schema (XXX_MDS & XXX_SOAINFRA ) using 11.1.1.7 RCU :

This step is required only if you are using OSB Reporting or OWSM to protect WebServices deployed on OSB

If you are new to Repository Creation Utility (RCU) then click here

3. Install JDK 1.6.x

4. Install WebLogic 10.3.6

Note: This step will create Middleware Home (MW_HOME) & WebLogic Home (WL_HOME)

5. Install OSB 11.1.1.7 from $OSB11.1.1.7_SOFTWARE/Disk1/runInstaller -jreLoc [JDK_HOME_FROM_STEP3]

Note : Install OSB (OSB ORACLE_HOME) in Middleware Home (MW_HOME) created above

6. Configure OSB using OSB_ORACLE_HOME/oracle_common/common/bin/config.sh :

Note: You can create New WebLogic Domain or extend existing WebLogic domain (More on WebLogic Domain here )

7. Start Admin Server and Managed Server (osb_server1). More on options to start WebLogic Server (Admin or Managed Server) here

8. Access WebLogic Console (http://host:AdminPort/console) and OSB Console (http://host:AdminPort/sbconsole) using user created during WebLogic Domain creation.

 

Few things to note

 

1. When you create the schemas using Repository Creation Utility (RCU), select Metadata Services (MDS) and SOA Infrastructure (SOAINFRA).

2. When installing the OSB software, select the same Middleware Home that was used during WebLogic Server installation.

Note: OSB ORACLE_HOME is the full path up to Oracle_OSB1

3. When installing the OSB software, you can select the installation type as Typical or Custom:

a) Typical installs OSB, OSB IDE (required for development)

b) Custom gives the option to select what you wish to install (you can choose to install or ignore OSB IDE and OSB examples)

4. When installing the OSB software with installation type Custom, you get the option to select which components to install.

Note: If you are deploying this in a PROD or TEST environment (and not using it for development), then unselect OSB IDE & OSB Examples

5. When installing the OSB software, the installer prompts for the WebLogic Server location. Provide the location of the WebLogic Server installed in the previous step.

6. When configuring OSB (i.e. creating or extending a WebLogic domain to host the OSB application), select the following

Note: select the OSB OWSM extension if you wish to protect services deployed on the OSB server using OWSM.

OSB Console


Integrating OAM with Bridge-way eCounsel.. Cntd..


This post is a continuation of the OAM integration with the Bridgeway eCounsel application for SSO here.

The previous post covers the configuration changes required in the Suite Manager console. If you access the eCounsel application through the IIS server, you will see IWA happening; however, a pop-up window appears asking for credentials again.

This is because the eCounsel application is deployed on WebLogic Servers and it does not honor the cookies set by OAM. The configuration changes to be made on the WebLogic server are explained below:

  • Login to WebLogic Admin server box.
  • Open command prompt window
  • Go to the folder <WL_HOME>/common/bin
  • Execute the wlst.cmd
  • Execute connect() and enter appropriate details.
  • Execute cd('SecurityConfiguration')
  • Execute ls()
  • Execute cd('<domain-name>')
  • Execute ls()
  • Observe the parameter EnforceValidBasicAuthCredentials, which would be set to true
  • Execute edit()
  • Execute startEdit()
  • Execute cd('SecurityConfiguration')
  • Execute cd('<domain-name>')
  • Execute set('EnforceValidBasicAuthCredentials','false')
  • Execute save()
  • Execute activate()
  • Restart all managed and admin servers for changes to take effect.
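The WLST steps above collected into one re-runnable function, as an added example that is not part of the original post. It assumes an interactive WLST session that has already run connect(); load the file with execfile() and call relax_basic_auth('<domain-name>'). The function name is hypothetical.

```python
# WLST (Jython) helper, added example. edit(), startEdit(), cd(), get(), set(),
# save(), activate() and cancelEdit() are WLST built-ins, so this function only
# works inside a WLST session that is already connected to the Admin Server.

ATTR = 'EnforceValidBasicAuthCredentials'


def relax_basic_auth(domain_name):
    """Set EnforceValidBasicAuthCredentials to false for the whole domain.

    Returns (old_value, new_value) so the change can be recorded and reverted.
    """
    edit()
    startEdit()
    try:
        cd('/SecurityConfiguration/' + domain_name)
        old = get(ATTR)
        if old:
            # The attribute lives on the domain-wide SecurityConfiguration MBean.
            set(ATTR, 'false')
            save()
            activate(block='true')
        else:
            cancelEdit('y')      # already false: release the edit lock unchanged
    except:
        cancelEdit('y')          # discard pending changes and release the lock
        raise
    new = get(ATTR)
    print('%s: %s -> %s (restart the servers to apply)' % (ATTR, old, new))
    return (old, new)
```

The setting applies to every application in the domain, not only eCounsel: with it set to false, WebLogic stops validating Basic credentials on requests to resources that are not protected by a WebLogic security constraint. Keep the returned old value with the change record.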

Test the eCounsel Application:

Log in to a Windows machine as a normal AD user and try to access the eCounsel application through the IE browser.

Open the IE headers tool to see the OAM cookies set.

OIA-OIM Integration : Users not sync’d from OIM to OIA : ORA-20003: Account ID property is not defined OIM_PKG_OIA_INTEGRATION


If you have integrated Oracle Identity Manager (OIM) with Oracle Identity Analytics (OIA) as mentioned here and are hitting a problem with user sync from OIM to OIA, check my previous post here for troubleshooting steps and the log location.

To synchronize users from OIM to OIA, you run the import job “Import Users, Accounts, User Role Memberships and Entitlements” in OIA.

I encountered the same issue again recently (check the steps on how to troubleshoot here), but this time the error in the OIM out log (no issues reported in OIA logs) is

___

<03-Sep-2013 13:57:16 o’clock UTC> <Error> <XELLERATE.SERVER> <BEA-000000> <SQLException occured while performing data collection for the session urn:uuid:587448AFB91F160 DCE1378303023 1643994 java.sql. SQLException: ORA-20003: Account ID property is not defined ORA-06512: at “DEV.OIM_PKG_OIA_INTEGRATION”, line 1392 ORA-06512: at line 1

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:457)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)

____

If you hit an error like the above “ORA-20003: Account ID property is not defined ORA-06512” in the OIM logs at the time of the import job, ensure that for all Target Applications integrated with OIM (like Active Directory, Exchange, or Oracle E-Business Suite), the Parent Process Form and Child Process Form are updated as below:

  • For the child process form related to the Target Application, create a new version and add two properties, Entitlement=true and OIAParentAttribute=true (ensure that the new version of the child process form is made ACTIVE)
  • For the parent process form related to the Target Application, create a new version and add the property ITResource=true for (ITResourceLookupField) and AccountName=true for User ID (TextField) (ensure that the new version of the parent process form is made ACTIVE)
  • Verify that the Parent & Child Process Forms are the latest updated version and are ACTIVE

For more information on what to update in the OIM process form, check the OIA-OIM integration guide.

Root Cause & Fix: In my case, an additional Target Application (Microsoft Exchange) was added to OIM and users were provisioned to this target application via OIM; however, in the Parent (UD_EXCHANGE) & Child (UD_EX_CH) Process Forms of the Target Application (in OIM), the additional property was not added.

 

 

 

Oracle Fusion Applications (11g Release 7) 11.1.7 is now available to Download & Install


 

Oracle Fusion Applications 11.1.7 is now available to download from eDelivery

  • Fusion Application 11.1.7 Installation Document is available here
  • Fusion Application 11.1.7 needs Oracle Identity & Access Management (OID, OVD, OIM, OAM); the installation guide for Identity & Access Management for Fusion Applications is available here

 

Other things to note in 11.1.7 Fusion Application :

  • Fusion Applications Transactional Database and Identity & Access Management Database must be of version 11.2.0.3
  • Fusion Applications Transactional Database and Identity & Access Management Database must be separate (You must NOT use same database to host FA & IDM)
  • Fusion Applications 11.1.7 is supported on Microsoft Windows X64, Linux x86-64, Oracle Solaris, and IBM AIX on Power Systems 64 bit

Note: Process to install & configure Identity & Access Management for Fusion Application 11.1.7 is different from FA 11.1.1.5.1 version that I installed earlier hence I’ll cover new steps on this blog .

 

Stay Tuned for Fusion Applications 11.1.7 installation & configuration !!


Renew certificates in OAM 10.1.4.3


I’m working on an OAM 10.1.4.3 environment which is set up in CERT mode. I noticed that the OAM Servers have stopped working and are not coming up. Furthermore, I’ve identified that the OAM certificates are expired.

Here are the steps you need to do to renew the certs:

  1. Get the new certificates.
  2. Prepare it as ois_cert.pem, ois_key.pem and ois_chain.pem certificates for Identity server and WebPass. You should have private key password handy. Similarly prepare certs aaa_key.pem, aaa_cert.pem and aaa_chain.pem and aaa_server.pem for Access Server and Policy Manager and WebGates.
  3. Place the above certs in either <identity>/oblix/config or <access>/oblix/config as appropriate.
  4. Pick up the password.xml present in the <OAM_Component>/oblix/config folder and observe the encrypted password.
  5. Use the tool obencrypt.exe which is available in OAM 10.1.4.0.1 webgates (and not in higher versions) and run the command obencrypt.exe key_pwd
  6. The above command gives encrypted password output.
  7. Place this encrypted password in password.xml.
  8. Restart OAM Identity and Access Servers along with WebServer.

NOTE: There would be a different way to renew the certificate using configure_AAA_Server that would encrypt the key password behind the scenes, but I am not covering this here.

Oracle E-Business Suite 12.2 is finally available to Download & Install


 

 

Around 2 Years and 3 months back I wrote about why Oracle Apps DBA’s should learn WebLogic and changes planned in Oracle E-Business Suite 12.2

 

If you follow  Steven Chan’s blog then you must know by now that Oracle E-Business Suite 12.2 is now available to download & install from eDelivery

 

  • Oracle E-Business Suite 12.2 documentation is available at OTN
  • Oracle E-Business Suite 12.2 Installation Guide is available here
  • Oracle E-Business Suite 12.2 Concepts Guide here

If you are new to Oracle WebLogic Server then I highly recommend reading WebLogic Domain , Admin & Managed Server

 

Stay tuned for installation, configuration and new features in Oracle Apps 12.2 !!
