Channel: Oracle Trainings for Apps & Fusion DBA

SAML & Virtual User : OPSS Virtual User oracle.security.jps.assert.saml.identity


A well-written post by Andre Correa on the Fusion Middleware Security Blog says: “One of the main strengths of SAML is the ability to communicate identity information across security domains that do not necessarily share the same user base. In other words, the authenticated user in one security domain does not necessarily exist in the target security domain providing the service.”

This concept, where a user authenticated in one domain doesn’t exist in another domain but is trusted by the second domain (as part of the SAML assertion), is called a Virtual User. This post covers how to set this virtual user in Oracle Web Services Manager (OWSM), which is used to protect web services deployed on SOA/OSB.

OWSM delegates authentication of the incoming subject in the SAML assertion to Oracle Platform Security Services (OPSS). OWSM uses the SAML Login Module (saml.loginmodule or saml2.loginmodule); to enable the virtual user in OWSM, set the property oracle.security.jps.assert.saml.identity=true in jps-config.xml (located at $DOMAIN_HOME/config/fmwconfig).

 

Property oracle.security.jps.assert.saml.identity is a domain-wide property used to determine the mapping between the SAML subject and the user.

Valid values include:

a) false—When this flag is set to false, the username in the SAML subject is mapped to the actual user in the identity store. The user roles and subject are created with username and roles specified in the identity store. This is the default value.

b) true—When this flag is set to true, the SAML subject is treated as a logical/virtual user. The user is not mapped to the actual user in the identity store. The subject is populated only with the username from the SAML subject. Because the subject is treated as a virtual user, identity store configuration is not required and the Identity Assertion Provider is not invoked for all SAML policies in the domain using this login module.

To set the Virtual User (aka logical user):

1. Log in to Enterprise Manager for the WebLogic domain and go to WebLogic Domain

2. From the WebLogic Domain drop-down menu, select Security -> Security Provider Configuration -> Login Modules -> Edit

3. Add custom property  oracle.security.jps.assert.saml.identity=true

4. Restart Admin and managed servers in WebLogic Domain

 

 


Focusthread-Online OBIEE Training 21 Dec’13


Get trained from the best instructor known  to have trained novices as experts in this field.


The purpose of this course is to build a fundamental understanding of Business Intelligence Reporting using the Oracle Business Intelligence Reporting.

Please click on the below link to view course contents & schedule details :

http://focusthread.com/training/development-training/obiee-training/99-obiee-training

Commencement Date: 21 December 2013

Training Schedule: 21, 22, 28, 29 December 2013 & 04, 05 January 2014

Training Duration: 6 Days
Timings: 12:00PM GMT | 7:00AM EST | 4:00AM PST | 6:00AM CST | 5:00AM MST | 5:30PM IST
Course Fee: USD 599

We have always received excellent feedback from our Trainees. Please have a look at them:

http://focusthread.com/training/development-training/obiee-training/115-obiee-training-testimonialsfeedback

For full curriculum and details, email us at training@focusthread.com or contact us by phone: US +1 213-814-4243 | UK +44(0) 20 7193 7426 | India +91-9833815812

 

Class size is limited—sign up for this course today!

Pick of the Week : Securing Heterogeneous Systems Using Oracle Web Services Manager


In this new series, “Pick of the Week”, I’ll be sharing interesting posts I read on a weekly basis. If you think any post is worth sharing with readers of this blog, then share the link in the comments section.

The first post in this series is Securing Heterogeneous Systems using Oracle Web Services Manager (OWSM) by Ronald Van Luttikhuizen & Jens Peters. If you are working on Web Services, SOA, OSB, or OWSM, then I highly recommend this.

Oracle Web Services Manager (OWSM) provides policy-based WS-Security for Web Services and is part of Oracle SOA Suite.

The post starts with a discussion of problems encountered with Web Services in Java (Web Service Provider) consumed by .NET clients (Web Service Consumer), or vice versa.

The article investigates a case study of securing an application built on the Microsoft .NET framework and Silverlight that consumes Web Services exposed by Oracle Service Bus (OSB). Read the full post here

 

If you have any interesting post that you would like to share with readers, then leave the link as a comment.

 

OIM Administrators : Is your OIM database Growing ? Do you purge enough ?


If you manage Oracle Identity Manager (OIM, the identity management and account provisioning software that is part of the Oracle Identity Management Suite) and you see the OIM database growing, then this post is for you. This post covers the types of data in the OIM database (OIM purge in detail to follow soon).

In Oracle Identity Manager (OIM) there are mainly four types of data:

a) Reconciliation Data (Reconciliation Events): During reconciliation, the reconciliation manager reconciles data in reconciliation tables (RECON_%, RA_%). This data is not cleared from reconciliation tables automatically and you must purge/archive these tables periodically.

b) Task Data: Task data refers to activities that make up the Provisioning Process (OSI, OSH, SCH). This data is not cleared from reconciliation tables automatically and you must purge/archive these tables periodically.

c) Platform Data: Data for Orchestration Events or Context Data is referred to as Platform Data and is stored in tables ORCHPROCESS, ORCHEVENTS, CONTEXTCONTEXTVALUE. There is a scheduled task, “Orchestration Process Cleanup Task”, that deletes completed Orchestration Processes. However, this task does not delete Orchestration Processes that are not yet complete. More on how to purge OIM Orchestration Events whose status is not COMPLETE in the next post.

d) Request Data: Requests in OIM are stored in the database in tables REQUEST%, WF_INSTANCE. The data in these tables must be purged regularly for better performance.

This information is covered in OIM documentation here

You must also look at Oracle Support Note # 1331331.1 Using the Audit Archival and Purge Utility for OIM(Oracle Identity Manager)

 


Error in OWSM after setting subject precedence (Context Switching) : Exception oracle.security. jps. service. credstore. Credential Access


I recently configured SAML Identity Switching by setting subject.precedence=false in the OWSM policy protecting a Web Service. This post covers the error encountered after configuring Context Switching (subject.precedence) in the OWSM policy.

For Identity Switching to work, you must set permission for class oracle.wsm.security.WSIdentityPermission as described here

If you don’t set the permission, you will see an error like

___

access denied (oracle.wsm.security.WSIdentityPermission resource=<myApp> assert)
oracle.wsm.security.SecurityException: access denied (oracle.wsm.security.WSIdentityPermission resource=<myApp> assert)

___

 

  • You add the permission either from EM or using WLST (grantPermission) for
    Permission Class - oracle.wsm.security.WSIdentityPermission
    Resource Name - resource=<myApp>
    Permission Actions - assert
  • This permission gets added to codeBase file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar in file $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml

After setting this permission and on restart of the WebLogic Domain, I encountered the following error (related to OWSM)

_____

<08-Jan-2014 19:52:20 o’clock GMT> <Error> <oracle.wsm.resources.policyaccess> <WSM-06303> <The method “registerListener” was not called with required permission “oracle.wsm.policyaccess” >

<08-Jan-2014 20:53:06 o’clock GMT> <Warning> <oracle.wsm.resources.enforcement> <WSM-07507> <Failure in Oracle WSM Agent, category=security, function=agent.function.client, stage=request due to RuntimeException.
java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
javax.xml.ws.WebServiceException: oracle.fabric.common.PolicyEnforcementException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)
        at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:867)

Caused By: oracle.fabric.common.PolicyEnforcementException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)
        at oracle.integration.platform.common.InterceptorChainImpl.createPolicyEnforcementException(InterceptorChainImpl.java:200)
        at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:136)

________

If you get error like above then this error means some of the permissions are missing in .

.

Note: The Policy Store in Oracle Fusion Middleware can be in one of three locations and is defined in jps-config.xml (under $DOMAIN_HOME/config/fmwconfig)

a) File-based, in an XML file: $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml

b) Database: under the OPSS schema. Note: The only supported database for the Policy Store is Oracle Database.

c) LDAP Server. Note: The only supported LDAP Server for the Policy Store is Oracle Internet Directory (OID)

In my case, setting permission for oracle.wsm.security.WSIdentityPermission removed the existing permissions for codebase wsm-agent-core.jar; adding the permissions in bold under codebase wsm-agent-core.jar fixed this issue

 

_____

<grant>
    <grantee>
        <codesource>
            <url>file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar</url>
        </codesource>
    </grantee>
    <permissions>
        <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM, mapName=oracle.wsm.security, keyName=*</name>
            <actions>*</actions>
        </permission>
        <permission>
            <class>java.util.PropertyPermission</class>
            <name>*</name>
            <actions>read</actions>
        </permission>
        <permission>
            <class>java.util.PropertyPermission</class>
            <name>osdt.useMTOM</name>
            <actions>read,write</actions>
        </permission>
        <permission>
            <class>oracle.security.jps.JpsPermission</class>
            <name>IdentityAssertion</name>
        </permission>
        <permission>
            <class>java.lang.RuntimePermission</class>
            <name>accessDeclaredMembers</name>
        </permission>
        <permission>
            <class>java.lang.reflect.ReflectPermission</class>
            <name>suppressAccessChecks</name>
        </permission>
        <permission>
            <class>java.io.FilePermission</class>
            <name>-</name>
            <actions>read</actions>
        </permission>
        <permission>
            <class>java.lang.RuntimePermission</class>
            <name>getProtectionDomain</name>
        </permission>
        <permission>
            <class>java.lang.RuntimePermission</class>
            <name>oracle.wsm.policyaccess</name>
        </permission>
        <permission>
            <class>oracle.security.jps.service.attribute.AttributeAccessPermission</class>
            <name>*</name>
            <actions>get,set</actions>
        </permission>
    </permissions>
</grant>

______
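The failure described above (a grant that replaced the existing permissions of the wsm-agent-core.jar codebase) can be caught before a restart by checking a file-based policy store for the permissions named in the two log messages. The following is an added example, not code from the original post or from Oracle; the `<jazn-data>`/`<jazn-policy>` wrapper, the sample documents, the application name `myApp` and the wildcard matching are constructed assumptions and only approximate how OPSS evaluates permissions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

CRED = "oracle.security.jps.service.credstore.CredentialAccessPermission"
WSID = "oracle.wsm.security.WSIdentityPermission"
# Credential the WSM-07507 stack trace on this page was denied (action: read).
WANTED_CRED = "context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key"


def grants_for(xml_text, jar="wsm-agent-core.jar"):
    """Return [(class, name, actions)] granted to codesources whose URL ends with `jar`."""
    perms = []
    for grant in ET.fromstring(xml_text).iter("grant"):
        # Drop stray whitespace so a wrapped or hand-edited URL still matches.
        url = "".join((grant.findtext("grantee/codesource/url") or "").split())
        if not url.endswith("/" + jar):
            continue
        for p in grant.iter("permission"):
            perms.append(tuple((p.findtext(t) or "").strip()
                               for t in ("class", "name", "actions")))
    return perms


def _fields(name):
    """'context=SYSTEM,mapName=m,keyName=k' -> {'context': 'SYSTEM', ...}"""
    return dict(part.strip().split("=", 1) for part in name.split(",") if "=" in part)


def _acts(actions):
    return {a.strip() for a in actions.split(",") if a.strip()}


def cred_covers(granted_name, granted_actions, wanted_name, wanted_action):
    """Simplified wildcard match (assumption), not OPSS's own implies() logic."""
    g, w = _fields(granted_name), _fields(wanted_name)
    names_ok = all(fnmatchcase(w.get(k, ""), g.get(k, ""))
                   for k in ("context", "mapName", "keyName"))
    acts = _acts(granted_actions)
    return names_ok and ("*" in acts or wanted_action in acts)


def missing_permissions(xml_text, app):
    """Return labels of the checks that fail for the wsm-agent-core.jar codebase."""
    perms = grants_for(xml_text)
    checks = {
        "WSIdentityPermission": any(
            c == WSID and n == "resource=" + app and "assert" in _acts(a)
            for c, n, a in perms),
        "WSM-06303": any(
            c == "java.lang.RuntimePermission" and n == "oracle.wsm.policyaccess"
            for c, n, _ in perms),
        "WSM-07507": any(
            c == CRED and cred_covers(n, a, WANTED_CRED, "read")
            for c, n, a in perms),
    }
    return [label for label, ok in checks.items() if not ok]


# --- constructed sample documents (not taken from a real domain) ---
def _perm(cls, name, actions=""):
    act = "<actions>%s</actions>" % actions if actions else ""
    return "<permission><class>%s</class><name>%s</name>%s</permission>" % (cls, name, act)


def _jazn(*perms):
    return ("<jazn-data><jazn-policy><grant><grantee><codesource><url>"
            "file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/"
            "wsm-agent-core.jar</url></codesource></grantee><permissions>"
            + "".join(perms) + "</permissions></grant></jazn-policy></jazn-data>")


# State described in the post: only the new identity permission is left.
AFTER_GRANT = _jazn(_perm(WSID, "resource=myApp", "assert"))
# State after restoring the two permissions the log messages complain about.
REPAIRED = _jazn(
    _perm(WSID, "resource=myApp", "assert"),
    _perm(CRED, "context=SYSTEM, mapName=oracle.wsm.security, keyName=*", "*"),
    _perm("java.lang.RuntimePermission", "oracle.wsm.policyaccess"),
)

if __name__ == "__main__":
    print("after grant:", missing_permissions(AFTER_GRANT, "myApp"))
    print("repaired:   ", missing_permissions(REPAIRED, "myApp"))
```

Running the same check against a backup copy of system-jazn-data.xml taken before the grant shows whether the permissions were present earlier and were lost by the change.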

 

 

Related/Reference

  • 1485851.1 After an Upgrade, Error Message WSM-06303 : The method “registerListener” was not called with required permission “oracle.wsm.policyaccess”


Auditing in Oracle Entitlement Server (OES ) 11g


This post covers everything you must know about auditing in Oracle Entitlement Server (OES). With auditing enabled in OES, you can get information such as who did what, when, and how (policy modification, GRANT/DENY of a resource, etc.).

1. Auditing in OES is based on the Fusion Middleware Audit Framework and is DISABLED by default.

2. OES consists of the OES Administration Console (aka APM), which is used to manage policy, and the OES SM (Security Module), which acts as the Policy Enforcement Point (PEP) and possibly the Policy Decision Point (PDP). You must enable auditing for the OES Administration Console (APM) and in all OES SMs (depending on the audit requirement).

3. Audit configuration for the OES Administration Console (APM) is stored in file $DOMAIN_HOME/config/fmwconfig/jps-config.xml as shown below:

<serviceInstance name="audit.db" provider="audit.provider">
<property name="audit.loader.repositoryType" value="File"/>
<property name="auditstore.type" value="db"/>
<property name="audit.loader.jndi" value="jdbc/AuditDB"/>
<property name="audit.maxDirSize" value="0"/>
<property name="audit.filterPreset" value="All"/>
<property name="audit.maxFileSize" value="104857600"/>
<property name="audit.loader.interval" value="15"/>
<propertySetRef ref="props.db.1"/>
</serviceInstance>

Note : Audit configuration mentioned in OES Administration guide [part number E27153-03 ] is incorrect (look for entry mentioned above)

4. The audit level for OES is controlled by audit.filterPreset, and its value can be NONE (default), LOW, MEDIUM, ALL, or CUSTOM

5. The audit configuration file at $DOMAIN_HOME/config/fmwconfig/audit-store.xml has the filters LOW and MEDIUM, which define what events are captured when you set the audit level to LOW or MEDIUM

6. To audit OES Security Modules (SM), you must update the jps-config.xml used by the Security Module and update the entry for serviceInstance audit.db

<serviceInstance name="audit.db" provider="audit.provider">

7. As an OES SM could be WebLogic with JRF, WebLogic without JRF, or another type, the location of jps-config.xml for

a) WebLogic with JRF is $DOMAIN_HOME/config/fmwconfig/

b) WebLogic without JRF is $DOMAIN_HOME/config/oeswlssmconfig/AdminServer

c) Others is SM OES_CLIENT\oes_sm_instances\[SM_NAME]\config\

8. Output of the audit log file for the OES Admin Console (APM) is in $DOMAIN_HOME/servers/AdminServer/logs/auditlogs/JPS/audit_[N]_[N].log

9. Output of audit log file should look like

2014-01-14 17:12:36.878  – “CheckPermission” true “Authorization check permission succeeded.” – — “0000KEHjNVA0nnWFLzvH8A1IpMzx000000,0″ “Authorization” “success” – - – - – - – - -”file:/u01/ app/oracle/ product/ iam/ modules/ com.bea.core.weblogic.security.wls_1.0.0.0_6-2-0-0.jar”- – - – - – - – - – - – - – - – - – - – - – - – - – “” “true” “JpsPermission” – - “idstore.config”- – - – - – - – - – - – - – - – - – - – - – - “[]” – - – - – - – - – - – - – - – - – - – - – - – -

- – - – - – - “1″ “0″ – - “(oracle.security.jps.JpsPermission idstore.config)” – - – - “15″ -

 

10. The OES audit store can be a file-based repository or a database-based repository, and is controlled by <property name="audit.loader.repositoryType" value="File"/> (or Db for database)

More on how to configure OES Audit store to Database for later …
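Both this post and the SAML virtual-user post earlier on this page describe settings that live as serviceInstance properties in jps-config.xml, so one review script can report them together: whether a SAML login module has oracle.security.jps.assert.saml.identity set to true, and whether the audit service is left at the NONE preset. This is an added example, not code from the original posts or from Oracle; the sample document, its namespace and the assumption that the SAML property sits on the login module's serviceInstance are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_FLAG = "oracle.security.jps.assert.saml.identity"
SAML_MODULES = {"saml.loginmodule", "saml2.loginmodule"}


def _local(tag):
    """Strip an XML namespace: '{ns}serviceInstance' -> 'serviceInstance'."""
    return tag.rsplit("}", 1)[-1]


def service_instances(xml_text):
    """Yield (name, provider, {property: value}) for every serviceInstance."""
    for el in ET.fromstring(xml_text).iter():
        if isinstance(el.tag, str) and _local(el.tag) == "serviceInstance":
            props = {p.get("name"): (p.get("value") or "")
                     for p in el if _local(p.tag) == "property"}
            yield el.get("name"), el.get("provider"), props


def review(xml_text):
    """Return [(serviceInstance name, finding)] for the two settings of interest."""
    findings = []
    audit_seen = False
    for name, provider, props in service_instances(xml_text):
        # true => SAML subject is a virtual user; the identity store is not consulted.
        if name in SAML_MODULES and props.get(SAML_FLAG, "false").strip().lower() == "true":
            findings.append((name, "virtual-user"))
        if provider == "audit.provider":
            audit_seen = True
            # A missing preset is treated as NONE, the default stated in the post.
            if props.get("audit.filterPreset", "None").strip().lower() == "none":
                findings.append((name, "audit-off"))
    if not audit_seen:
        findings.append((None, "audit-service-missing"))
    return findings


def audit_settings(xml_text):
    """Return {name: (filterPreset, repositoryType)} for each audit serviceInstance."""
    return {name: (props.get("audit.filterPreset", "None"),
                   props.get("audit.loader.repositoryType", ""))
            for name, provider, props in service_instances(xml_text)
            if provider == "audit.provider"}


# Constructed sample, not taken from a real domain; the namespace is a placeholder.
SAMPLE = """<jpsConfig xmlns="urn:constructed:jps-config">
  <serviceInstances>
    <serviceInstance name="saml.loginmodule" provider="jaas.login.provider">
      <property name="oracle.security.jps.assert.saml.identity" value="true"/>
    </serviceInstance>
    <serviceInstance name="saml2.loginmodule" provider="jaas.login.provider"/>
    <serviceInstance name="audit.db" provider="audit.provider">
      <property name="audit.filterPreset" value="None"/>
      <property name="audit.loader.repositoryType" value="File"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""

# Same document with the virtual user switched off and auditing set to All.
ADJUSTED = SAMPLE.replace('value="true"', 'value="false"').replace(
    'value="None"', 'value="All"')

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("adjusted", ADJUSTED)):
        print(label, review(doc), audit_settings(doc))
```

For a Security Module, point the script at the jps-config.xml location listed in item 7 for that SM type.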

Related/References

  • Auditing OES from Administration Guide
  • 1375460.1 How to configure Database Auditing with OES11g
  • 1578228.1  OES11gr2 – How To set StandaloneAuditLoader for WLS SM
  • ER 17201437 – OES AUDIT LEVEL IS NOT LOGGED FOR FEW EVENT
  • Bug 17167389 : OES AUDIT LEVEL IS SET TO ALL, BUT IT IS NOT LOGGING ALL THE EVENTS
  • Bug 17888863 : NO ORACLE ENTITLEMENTS SERVER AUDIT DB DESCRIPTION AVAILABLE

Working with Access Server SDK 10.1.4.3 and OAM 10g


Hi All,

I’ve written a post earlier about working with 10g Access Gates using Oracle Access Manager 11g. Today, I would like to give insights into implementation of 10g Access Gates using Oracle Access Manager 10g. Access Server SDK 10g is used for Access Gates where out of the box webgates are not available for a web server.

In OAM 10g, Access Server SDK is available in both 32-bit and 64-bit modes in Windows/Linux environments.

  1. First and foremost, download the right Access Server SDK installer for your environment. Go through this ReadMe document to know more about existing Access Server SDK versions.
  2. Create Host identifier in OAM Access Console.
  3. Create Access Gate instance in OAM Access Console. You will need to specify the details AccessGate Name, Hostname, Access Gate Password, Transport Security, Access Management Service, Primary HTTP Cookie Domain, Preferred HTTP Host. You can also specify other Access Gate parameters such as Debug mode, Session timeouts etc.,
  4. Create Policy domain in OAM Policy Manager for the custom application. Specify the authentication scheme, authorization rules etc., accordingly.
  5. Go to the machine where the Access SDK needs to be installed. Install the Access Server SDK with proper user privileges.
  6. Go to the directory %ACCESS_SDK_INSTALL_DIR%/oblix/tools/configureAccessGate, where %ACCESS_SDK_INSTALL_DIR% is the Access Server SDK installation directory.
  7. Configure the Access Gate using the command below:
     configureAccessGate.exe -i %ACCESS_SDK_INSTALL_DIR% -t AccessGate -w <<ACCESS_GATE_NAME>> -m <<SECURITY_MODE as open/simple/cert>> -P <<ACCESS_GATE_PASSWORD>> -h <<ACCESS_GATE_HOSTNAME>> -p <<ACCESS_GATE_PORT>> -a <<ACCESS_SERVER_ID>>
  8. If you get the message “AccessGate installed Successfully.”, then the Access Gate installation is successful. Otherwise, verify the input parameter values for the command issued above.
  9. Set the following environment variables. Set PATH to %PATH%;%ACCESS_SDK_INSTALL_DIR%/oblix/lib. Set CLASSPATH to %ACCESS_SDK_INSTALL_DIR%/oblix/lib/jobaccess.jar. Set OBACCESS_INSTALL_DIR to %ACCESS_SDK_INSTALL_DIR%.
  10. If you are using a Linux environment, set the additional environment variable LD_LIBRARY_PATH to %ACCESS_SDK_INSTALL_DIR%/oblix/lib.
  11. Make sure that the Access Server SDK and JDK are of the right versions. For example, if the JDK is 64-bit and the Access Server SDK is 32-bit, then Java code execution will fail.

Testing:

If you want to test stand-alone Java code, download JAccessClient.java from section 4.1 in this documentation and place it in a directory.

  1. Go to the Java code directory. Compile the Java code using javac JAccessClient.java.
  2. If there are any compiler errors and it is throwing an error while compiling the com.oblix.access class files, then jobaccess.jar is not placed in CLASSPATH properly.
  3. Run the Java code using java JAccessClient.

If your custom application is deployed in an application server (say Tomcat), then embed the OAM API code and set the environment variables in the application server startup scripts. If you are writing the code in a Java editor such as Eclipse, make sure to add the jobaccess.jar present in %ACCESS_SDK_INSTALL_DIR%\oblix\lib to the application classpath.

 

WebLogic Admin Server Start Up hangs at ‘Log Management’ BEA-170019 IIOP subsystem enabled


I earlier discussed WebLogic Server startup hanging at “Initializing self-tuning thread pool”. In today’s post I cover a fix for a WebLogic Server hang, but this time while writing ‘Log File‘ and ‘IIOP subsystem enabled‘ in the server logs.

I verified disk space (not 100%), enough space in /tmp, and that the O.S. user was able to write to /tmp.

Start-up logs in WebLogic Server hang at

____

<15-Jan-2014 15:11:27 o’clock GMT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<15-Jan-2014 15:11:27 o’clock GMT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<15-Jan-2014 15:11:28 o’clock GMT> <Notice> <Log Management> <BEA-170019> <The server log file /u01/app/oracle/admin/dev_domain/aserver/dev_domain/servers/AdminServer/logs/AdminServer.log is opened. All server side log events will be written to this file.>

_______

In AdminServer.log

_______

####<15-Jan-2014 15:11:28 o’clock GMT> <Info> <Socket> <testMachine> <AdminServer> <[ACTIVE] ExecuteThread: ’0′ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <> <1389798688594> <BEA-000446> <Native IO Enabled.>

####<15-Jan-2014 15:11:28 o’clock GMT> <Info> <IIOP> <testMachine> <AdminServer> <[ACTIVE] ExecuteThread: ’0′ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <> <1389798688861> <BEA-002014> <IIOP subsystem enabled.>

_____________

 

  • Based on feedback from various forums and blog posts, this issue could be because of corrupt LDAP data (WebLogic’s embedded LDAP server).
  • Embedded LDAP files in WebLogic are stored at $DOMAIN_HOME/servers/[ServerName]/data/ldap

Fix: Move the ldap directory out of $DOMAIN_HOME/servers/[ServerName]/data/ and try again.

 

 

 


Oracle IAM 11gR2 PS2 (11.1.2.2) is now available : Software download & Documentation


Oracle Identity & Access Management (IAM) 11gR2 PS2 (11.1.2.2) is now available to download here

 

Following IAM products are available as part of 11gR2 PS2

  • Oracle Identity Manager (OIM)
  • Oracle Access Manager (OAM), OAM SDK, WebGates
  • Oracle Entitlement Server (OES) & Security Modules (OES SM)
  • Oracle Adaptive Access Manager (OAAM)
  • Oracle Privileged Account Manager (OPAM)
  • Oracle Unified Directory (OUD)*
  • Oracle Enterprise Single Sign-On (eSSO)*
* OUD & eSSO are part of a separate installer.

Note: For complete list of all Oracle IAM components click here

  • Documentation for IAM 11gR2 PS2 (11.1.2.2) version including release note is available here

 

 

If you are confused like many others about various Oracle IAM component version then check my previous post here

Stay tuned for how to upgrade Oracle IAM ….


OIA cluster deployment for High Availability in Active-Active Cluster


I discussed Oracle Identity Analytics (OIA) installation here. In this post I am going to cover the key points for deploying OIA in a cluster for High Availability (Active-Active).

Note: This post assumes that you are familiar with deploying OIA on a single node; the steps here are specific to cluster configuration.

1. OIA is a J2EE application deployed on WebLogic Server. For High Availability on the application tier, configure two or more managed servers in a WebLogic Cluster and deploy the OIA application on this WebLogic Cluster (follow points 3-6 to create the war file and deploy it to the WebLogic Cluster).

2. For the database tier, configure Oracle Real Application Clusters (RAC). In $RBACX_HOME/conf/jdbc.properties use the SCAN listener and service name for the OIA database.

jdbc.url=jdbc:oracle:thin:@OIADB_SCAN_ADDRESS:DB_PORT/RAC_SERVICE_NAME
jdbc.quartz.isClustered=true

3. In file $RBACX_STAGE/WEB-INF/application-context.xml look for bean id="commManager", then

a) Set a unique cluster name: for constructor-arg index="0" change value to a unique name like 'cluster_oia' (you can pick any name of your choice)

<constructor-arg index="0" value="cluster_oia"/>

b) Add cluster members: uncomment constructor-arg index="1" and set the *hostnames* of the OIA cluster members

<constructor-arg index="1" value="OIA_HOST1;OIA_HOST2"/>

c) Set property name "enabled" to "true"

<property name="enabled" value="true"/>

Note: The documentation says to use IP addresses for OIA_HOST1 & OIA_HOST2, but you should consider using hostnames (or virtual names) so that you can fail over transparently to a Disaster Recovery site.

4. Configure searchConfiguration in $RBACX_STAGE/WEB-INF/search-context.xml

a) In file search-context.xml look for bean id "searchConfiguration" and set the constructor-arg value to 2

<!-- Could be one of the following values
0: SINGLE_INSTANCE
1: RUNNING_IN_CLUSTER_NON_SHARED_INDEXES
2: RUNNING_IN_CLUSTER_SHARED_INDEXES -->

<constructor-arg index="0" type="int" value="2"/>

b) In the same file (search-context.xml) change the indexLocation value to a shared file system so that both nodes can see .indexes

<property name="indexLocation" value="/full_path_of_shared_location/.indexes"/>

Note: You must copy the content of .indexes from $RBACX_HOME/.indexes to the .indexes folder mentioned above in search-context.xml

5. Configure oscache for clustering: update $RBACX_STAGE/WEB-INF/classes/oscache.properties and

a) Uncomment cache.event.listeners

cache.event.listeners=com.opensymphony.oscache.plugins.clustersupport.JavaGroupsBroadcastingListener, com.opensymphony.oscache.extra.CacheMapAccessEventListenerImpl

b) Uncomment cache.cluster.multicast.ip

cache.cluster.multicast.ip=231.12.21.100

 

6. If you are configuring logging, which is defined in $RBACX_STAGE/WEB-INF/log4j.properties, ensure that the value of log4j.appender.file= is not shared across the two servers (the OIA server on a different machine should be able to write to this log location)

7. Time on the servers where OIA is deployed in a cluster must be in sync (time on the servers should not be more than a couple of seconds apart; use an NTP server)
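A pre-deployment check for the settings in steps 2 to 5, as an added example (not part of the original post or of OIA). The sample file contents are constructed from the snippets above; the bean id "indexHolder" is hypothetical, since the post does not say which bean carries indexLocation.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample files mirroring steps 2-5 (not real OIA files).
SAMPLE_JDBC = """\
jdbc.url=jdbc:oracle:thin:@OIADB_SCAN_ADDRESS:DB_PORT/RAC_SERVICE_NAME
jdbc.quartz.isClustered=true
"""
SAMPLE_APP_CTX = """\
<beans>
  <bean id="commManager">
    <constructor-arg index="0" value="cluster_oia"/>
    <constructor-arg index="1" value="OIA_HOST1;OIA_HOST2"/>
    <property name="enabled" value="true"/>
  </bean>
</beans>
"""
SAMPLE_SEARCH_CTX = """\
<beans>
  <bean id="searchConfiguration">
    <constructor-arg index="0" type="int" value="2"/>
  </bean>
  <bean id="indexHolder"> <!-- hypothetical bean id -->
    <property name="indexLocation" value="/full_path_of_shared_location/.indexes"/>
  </bean>
</beans>
"""
SAMPLE_OSCACHE = """\
cache.event.listeners=com.opensymphony.oscache.plugins.clustersupport.JavaGroupsBroadcastingListener, com.opensymphony.oscache.extra.CacheMapAccessEventListenerImpl
cache.cluster.multicast.ip=231.12.21.100
"""


def parse_properties(text):
    """Return uncommented key=value pairs from a .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def attr_value(root, tag, attr, key):
    """Value of the first <tag attr=key value=...> under root, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == tag and el.get(attr) == key:
            return el.get("value")
    return None  # also the result when the element is still commented out


def find_bean(xml_text, bean_id):
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "bean" and el.get("id") == bean_id:
            return el
    return None


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_oia_cluster(jdbc, app_ctx, search_ctx, oscache):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if parse_properties(jdbc).get("jdbc.quartz.isClustered", "").lower() != "true":
        findings.append("jdbc.properties: jdbc.quartz.isClustered is not true")

    comm = find_bean(app_ctx, "commManager")
    if comm is None:
        findings.append("application-context.xml: bean commManager not found")
    else:
        raw = attr_value(comm, "constructor-arg", "index", "1") or ""
        members = [h for h in raw.split(";") if h]
        if len(members) < 2:
            findings.append("commManager: index 1 lists fewer than two cluster members")
        findings += [f"commManager: member {h} is an IP address, not a hostname"
                     for h in members if is_ip(h)]
        if attr_value(comm, "property", "name", "enabled") != "true":
            findings.append("commManager: property enabled is not true")

    search = find_bean(search_ctx, "searchConfiguration")
    mode = attr_value(search, "constructor-arg", "index", "0") if search is not None else None
    if mode != "2":
        findings.append("search-context.xml: searchConfiguration is not 2 (shared indexes)")
    index_dir = attr_value(ET.fromstring(search_ctx), "property", "name", "indexLocation") or ""
    if not index_dir.startswith("/"):
        findings.append("search-context.xml: indexLocation is not an absolute path")

    cache = parse_properties(oscache)
    if "JavaGroupsBroadcastingListener" not in cache.get("cache.event.listeners", ""):
        findings.append("oscache.properties: clustering listener is not enabled")
    mcast = cache.get("cache.cluster.multicast.ip", "")
    if not (is_ip(mcast) and ipaddress.ip_address(mcast).is_multicast):
        findings.append("oscache.properties: cache.cluster.multicast.ip is not a multicast address")
    return findings


if __name__ == "__main__":
    print(check_oia_cluster(SAMPLE_JDBC, SAMPLE_APP_CTX, SAMPLE_SEARCH_CTX, SAMPLE_OSCACHE) or "OK")
```

Run it against the staged files before building the war file, once per node, so a forgotten uncomment is caught before the cluster is started.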

 

Related/References

  • 1527019.1 What Are Basic Steps To Configure OIA As Cluster?
  • 1562598.1 How To Setup And Test MultiCasting For An OIA Cluster?
  • 1379896.1 Oracle Identity Analytics – Is It Possible To Have Two OIA Instances On The Same Physical Machine?
  • 1601654.1  Oracle Identity Analytics High Availability Clustering Setup Failed to Start With Error : [UDP] failed sending message to null
  • OIA Installation Guide HA steps

OAM 10g integration with Cisco Prime Service Catalog


I got an opportunity to integrate Cisco Prime Service Catalog 10.1 with Oracle Access Manager 10g. FYI: OAM 10g is not certified with Cisco Prime Service Catalog for SSO integration.

Here is the requirement:

Many applications in the organization are integrated with OAM 10g for SSO. Cisco Prime Service Catalog is another application being added to the set of SSO applications.

Background of Cisco Prime Service Catalog:

Service Catalog Directory Integration simplifies security administration and enhances user convenience and productivity by implementing centralized user authentication and synchronization with an enterprise directory.

This product can talk to external directories for authentication and to external products for Single Sign-On. However, for SSO it expects header variables or CGI variables.

Integration Process:

  1. Cisco Prime Service Catalog is installed on a JBoss application server front-ended by an IIS web server.
  2. Install WebGate on the IIS web server as usual.
  3. Create policies in OAM to protect the root URL.
  4. Change the SSO configuration in Cisco Prime Service Catalog: log in to Cisco Prime Service Catalog and go to Administration.
  5. Go to Directories. Click on Events.
  6. Edit the Login functionality. Make sure that the Login event is enabled. Select Single Sign-On as the Operation from the drop-down.
  7. Click on the Additional Options button. Select the Header Variable radio button.
  8. Specify the Login ID Mapping as OAM_REMOTE_USER. This is the header variable name specified in the OAM authorization rule Actions, and it returns the user ID.
  9. Specify the Authentication Failure URL in the Redirect URL text box.
  10. Click Update. Please refer to the screenshot below.

This completes the SSO configuration changes at Cisco Prime Service Catalog application.

Testing:

Access the application URL http://host:port/RequestCenter/, which prompts for the authentication configured in the policy. Submit the credentials and it will redirect to the application home page.

Observations:

While working on this integration, the Cisco product honored the OAM_REMOTE_USER header variable and not REMOTE_USER, which was interesting. It may be that this header variable name was specified in one of the product configuration files, or it is how the product is configured.

Helpful links:

Documentation is here.

How to debug OID : LDAP Error code 50 – Insufficient Access Rights


I recently configured access control in OID to grant READ/WRITE access on one of the OUs in OID to a group. This post covers steps to debug access control issues (READ/DELETE/MODIFY) in OID.

  • If you encounter “Insufficient Access Rights” in OID, enable debug in OID (set orcldebugflag to 8192 and orcldebugop to 8 on the OID instance) using ODSM

Note: For the values of orcldebugflag (8192 is for Access Control List Processing) & orcldebugop (8 is for DELETE) follow Note # 1239943.1 How To Set OID Debug / Trace Levels for 11g

Replicate the issue and check the OID logs at $ORACLE_INSTANCE/diagnostics/OID/oid/oidldapds[NNNNN].log

_______

2014-01-23T23:45:00+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: oidhost.oiddomain] [pid: 17878] [tid: 10] [ecid: 004wAjKOjRu6aMW_Lxo2ye0004NM00001V,0] ServerWorker (REG):[[
BEGIN
ConnID:77 mesgID:34 OpID:33  OpName:delete ConnIP:192.168.1.12 ConnDN:cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com
gslaudegGetNearestACP:Parsing the node cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:45:00 * gslaudegGetNearestACP:Parsing the node ou=merchant users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) Entry DN: (cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation: Operation id:(33) User DN: (cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=root)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=root)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Enforcing Server Def Access Policy
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) Access to Entry (cn=testuser1,ou=External,cn=Users,dc=onlineappsdba,dc=com) not allowed by ACP at: (Deafault Policy)
END
]]

_______

 

Notice that the Access Control Policy was checked all the way up from ou=external,cn=users,dc=onlineappsdba,dc=com -> cn=users,dc=onlineappsdba,dc=com -> dc=onlineappsdba,dc=com -> dc=com -> cn=root

Fix: I defined an ACL at level dc=onlineappsdba,dc=com, granted access to group “cn=oimadministrators…” and added user cn=atul kuma…. to group cn=oimadministrators

  • For more information on ACL in OID 11g click here

 

 

Log after defining ACL

 

_______

2014-01-23T23:45:00+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: oidhost.oiddomain] [pid: 17878] [tid: 10] [ecid: 004wAjKOjRu6aMW_Lxo2ye0004NM00001V,0] ServerWorker (REG):[[
BEGIN
ConnID:77 mesgID:34 OpID:33  OpName:delete ConnIP:192.168.1.12 ConnDN:cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com
gslaudegGetNearestACP:Parsing the node cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:59:00 * gslaudegGetNearestACP:Parsing the node ou=merchant users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) Entry DN: (cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation: Operation id:(33) User DN: (cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=users,ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=testou,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) User has Privilege groups Evaluation continues
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=onlineappsdba,dc=com)

2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Enforcing Server Def Access Policy

2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) Access to Entry (cn=testuser1,ou=External,cn=Users,dc=onlineappsdba,dc=com)  allowed by ACP at: (dc=onlineappsdba,dc=com)
END
]]

_______
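To read these traces without scanning them by eye, the parser below (an added example, not part of the original post or of OID) extracts the ACP chain and the final verdict from each BEGIN/END block and reports which ACP stopped denying after the ACL change. The two sample traces are abridged from the logs above; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = re.compile(r"OpID:\d+\s+OpName:(\w+).*?ConnDN:(.+?)\s*$")
ENTRY = re.compile(r"Entry DN: \((.+?)\)\s*$")
VISIT = re.compile(r"Visiting ACP at: \((.+?)\)\s*$")
# The server writes "Accees" in this message; accept any spelling after "Acc".
DENY = re.compile(r"Entry Acc\w+ denied by ACP:\s*\((.+?)\)\s*$")
FINAL = re.compile(r"Access to Entry \(.+?\)\s+(not allowed|allowed) by ACP at: \((.+?)\)\s*$")


@dataclass
class AclTrace:
    op_name: str = ""
    bind_dn: str = ""
    entry_dn: str = ""
    visited: List[str] = field(default_factory=list)
    denied_by: List[str] = field(default_factory=list)
    allowed: Optional[bool] = None  # None: block ended without a final verdict
    decided_at: str = ""


def parse_acl_traces(text):
    """Return one AclTrace per BEGIN/END block found in the trace log text."""
    traces, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "BEGIN":
            rec = AclTrace()
        elif rec is None:
            continue  # ignore lines outside a BEGIN/END block
        elif line == "END":
            traces.append(rec)
            rec = None
        elif m := HEADER.search(line):
            rec.op_name, rec.bind_dn = m.group(1), m.group(2)
        elif m := ENTRY.search(line):
            rec.entry_dn = m.group(1)
        elif m := VISIT.search(line):
            rec.visited.append(m.group(1))
        elif m := DENY.search(line):
            rec.denied_by.append(m.group(1))
        elif m := FINAL.search(line):
            rec.allowed = m.group(1) == "allowed"
            rec.decided_at = m.group(2)
    return traces


def newly_permitting(before, after):
    """ACPs that denied the operation before a change and no longer deny it after."""
    return [a for a in before.denied_by if a in after.visited and a not in after.denied_by]


def explain(t):
    verdict = {True: "ALLOWED", False: "DENIED", None: "UNDECIDED"}[t.allowed]
    msg = f"{t.op_name} on {t.entry_dn} by {t.bind_dn}: {verdict} at {t.decided_at or '?'}"
    if t.allowed is False and t.decided_at not in t.visited:
        msg += " (no visited ACP granted access, server default applied)"
    return msg


# Abridged from the two traces shown in the post.
DENIED_TRACE = """\
BEGIN
ConnID:77 mesgID:34 OpID:33  OpName:delete ConnIP:192.168.1.12 ConnDN:cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) Entry DN: (cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(dc=onlineappsdba,dc=com)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=root)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=root)
2014-01-23T23:45:00 * gslaudeeEntryEvaluation:Operation id:(33) Access to Entry (cn=testuser1,ou=External,cn=Users,dc=onlineappsdba,dc=com) not allowed by ACP at: (Deafault Policy)
END
"""
ALLOWED_TRACE = """\
BEGIN
ConnID:77 mesgID:34 OpID:33  OpName:delete ConnIP:192.168.1.12 ConnDN:cn=atul kumar,ou=internal,cn=users,dc=onlineappsdba,dc=com
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) Entry DN: (cn=testuser1,ou=external,cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Entry Accees denied by ACP:(cn=users,dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Op id:(33) Visiting ACP at: (dc=onlineappsdba,dc=com)
2014-01-23T23:59:00 * gslaudeeEntryEvaluation:Operation id:(33) Access to Entry (cn=testuser1,ou=External,cn=Users,dc=onlineappsdba,dc=com)  allowed by ACP at: (dc=onlineappsdba,dc=com)
END
"""

if __name__ == "__main__":
    before, after = parse_acl_traces(DENIED_TRACE + ALLOWED_TRACE)
    print(explain(before), explain(after), newly_permitting(before, after), sep="\n")
```

A verdict that lands on the server default, with no visited ACP granting access, means no ACI on the path from the entry up to the root covers the bind DN for that operation.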


Oracle IAM installation changes in 11gR2 PS2 (11.1.2.2)


I previously mentioned the availability of Oracle Identity & Access Management version 11gR2 PS2 (11.1.2.2).

This post covers the changes in installation from previous versions of these components (OIM, OAM, OAAM, OES, OPAM), i.e.

a) 11gR1 – 11.1.1.3, 11.1.1.5, 11.1.1.7
b) 11gR2 – 11.1.2.0, 11.1.2.1

 

Installation steps are more or less the same as in 11gR1 or 11gR2 (including PS1), with the following additional steps

1. You must upgrade the OPSS schema (XXX_OPSS) from 11.1.1.7.0 to 11.1.1.7.2

Note: When you create OPSS schema using 11.1.2.2 RCU, OPSS schema version is 11.1.1.7.0 . You must upgrade OPSS schema from 11.1.1.7.0 to 11.1.1.7.2 using Patch Set Assistant (PSA) 

2. You must configure security store to database (configureSecurityStore.py)

Note 1: By default the security store (credential & policy store) is in an XML file, and this step migrates it to the database in the OPSS schema.

Note 2: This step is also required in 11gR2 and PS1 (11.1.2.0 & 11.1.2.1)

Note 3: In 11gR1 (11.1.1.3, 11.1.1.5) the policy store could be set to XML, OID, or Oracle Database.

 

3. You can deploy IAM in 11gR2 PS2 using IAM Lifecycle Tools (idmlcm). More information here (deploying IAM using IDMLCM is optional)

Note: Deployment of IAM using IAM Lifecycle Management Tool (idmlcm) is mainly for Oracle Fusion Applications

 

High Level installation Steps of IAM 11gR2 PS2 (11.1.2.2)

  • Install JDK 1.6
  • Install WebLogic 10.3.6
  • Install IAM 11.1.2.2
  • Create Schema in database using RCU 11.1.2.2
  • Install SOA 11.1.1.7 (Only if you are installing OIM)
  • Configure WebLogic Domain and select components (OIM, OAM, OES, OPAM, OAAM )
  • Upgrade OPSS
  • Configure Database Security Store
  • Configure OIM (If you are planning to use OIM)
  • Start Services

 

Here are the installation guides for IAM 11gR2 PS2 (11.1.2.2)

Adding Temp File in Temporary tablespace ORA-01652: unable to extend temp segment by 128 in tablespace


I recently encountered ORA-01652 unable to extend temp segment by 128 in tablespace DEV_IAS_TEMP during an application upgrade; the error is self-explanatory.

If you hit the above error, check v$sort_segment

_______

SQL> SELECT TABLESPACE_NAME,TOTAL_BLOCKS,USED_BLOCKS,FREE_BLOCKS FROM V$SORT_SEGMENT;

 

Output in my case 

TABLESPACE_NAME                 TOTAL_BLOCKS USED_BLOCKS FREE_BLOCKS
------------------------------- ------------ ----------- -----------
TEMP                                    3584           0        3584
DEV_IAS_TEMP                           12672           0       12672

_________

 

To fix this issue, I added additional 1GB temp file in temporary tablespace reported in error (DEV_IAS_TEMP)

 

1. Identify the name & location of the temp file in the tablespace

SQL> select * from dba_temp_files where tablespace_name like 'DEV_IAS_TEMP';

/u01/app/oracle/oradata/iamdb/dev_iastemp.dbf         13 DEV_IAS_TEMP                   104857600      12800 ONLINE            1 NO           0          0            0  103809024       12672

2. Add an additional temp file to the temporary tablespace

SQL> ALTER TABLESPACE DEV_IAS_TEMP ADD TEMPFILE '/u01/app/oracle/oradata/iamdb/dev_iastemp02.dbf' size 1024m;

 

Related/References

  • 793380.1  ORA-1652 Error Troubleshooting
  • Data Blocks, Extents, Segments
  • 161357.1  ORA-1652 Out of Space Errors in the Databases TEMPORARY Tablespace

Deploying OAM in high availability across data centres in Active Active cluster : New Feature in OAM 11gR2 PS2


 

I discussed the availability of IAM (OAM, OIM, OES, OAAM) 11gR2 PS2 (11.1.2.2) here and the changes introduced in the installation of 11gR2 PS2 (11.1.2.2) here

In this post I am going to cover a new feature introduced in Oracle Access Manager: deploying OAM in high availability (Active-Active) across data centres. For the list of all the new features introduced in OAM 11gR2 PS2 click here. Before 11gR2 PS2 (i.e. in 11gR1 and 11gR2 PS1) you could deploy OAM in Active-Active within a data centre but only in Active-Passive across data centres.

From OAM 11gR2 PS2 (11.1.2.2) you can use one of three deployment models across data centres

1. Active – Active Mode : OAM cluster in Data Centre 1 and Data Centre 2 run Active – Active mode and both OAM clusters can be used at any given time (as shown in image above)

2. Active – Hot Standby Mode : OAM cluster in Data Centre 1 is active and OAM cluster in Data Centre 2 is running but not actively used until data centre 1 goes down.

3. Active – Standby Passive Mode : OAM cluster in Data Centre 1 is active and OAM cluster in Data Centre 2 is down. The OAM cluster in Data Centre 2 can be brought up within a reasonable time if the OAM cluster in the primary data centre fails.

Key Points when deploying OAM across data centres in Active-Active mode

1. The WebLogic Server domain (containing OAM cluster) will NOT span across data centres. As shown in figure above, there will be two OAM WebLogic domains, one in Data Centre 1 and second OAM domain in data centre 2.

Note: You will have two WebLogic domains each containing 1 OAM cluster

2. Install (or use an existing OAM) and configure OAM domain in data centre 1 and install/configure (or clone) OAM in data centre 2 . Then use T2P (Test2Prod) tools to configure syncing of configuration and policies.

For more information on T2P (Test 2 Production) click here

3. WebGates in data center 1 will have Primary Server List pointing to OAM cluster in data center 1 and Secondary Server List pointing to OAM cluster in data center 2

4. WebGates in data center2 will have Primary Server List pointing to OAM cluster in data center 2 and Secondary Server List pointing to OAM cluster in data center 1

5. One of the OAM clusters is designated as master and the other OAM cluster as clone; any modification to policies or configuration must be done on the master OAM cluster.

For more information on setting one OAM cluster as master, check WLST setMultiDataCentreClusterName.

6. The other OAM cluster (in data centre 2) is designated as CLONE using WLST addPartnerForMultiDataCentre

7. T2P (Test to Prod) tools and utilities (like copyBinary, pasteBinary, copyConfig, pasteConfig; more here) are used to create the OAM environment marked as CLONE

8. Data (policies/configuration) is periodically synced from Master to Clone using the replication REST API

 


Oracle IAM 11.1.2.2 Certification Matrix – Supported JDK, WebLogic, OS


If you are looking for the certified O.S., JDK, database or web server versions for Oracle Identity & Access Management, check the Certification Matrix for Fusion Middleware components here

On the Fusion Middleware Certification Matrix page, search for your Identity & Access Management version and click on XLS. For the Certification Matrix for IAM version 11.1.2.2 click here

 

 


Security:090294 could not get connection javax.net.ssl.SSLKeyException FATAL Alert BAD_CERTIFICATE – A corrupt or unuseable certificate was received


In today’s post I am going to discuss an issue seen while integrating WebLogic Server with an LDAP server (OID/OVD) listening on SSL. To know more about adding OID as an authentication provider in WebLogic click here

If OID/OVD is configured to listen on SSL (for steps on how to configure OID/OVD in SSL click here and here), select the checkbox SSL Enabled in the Provider Specific details.

  • You must also import the certificate of the CA (Certifying Authority) that issued the certificate to your LDAP server (OID/OVD) into the trust store of WebLogic Server. To know more about SSL and the steps to import the CA’s certificate into WebLogic’s trust store click here and here

Note: The default trust store for the WebLogic Admin Server is $WL_HOME/server/lib/DemoTrust.jks

Issue: After integrating WebLogic with OID (on the SSL port), OID users were not visible in the WebLogic Server users list.

The error message in the WebLogic Admin Server log file under $DOMAIN_HOME/servers/AdminServer/logs was like

_________________

####<03-Jan-2014 17:27:14 o’clock GMT> <Error> <Console> <weblogic-host> <AdminServer> <[ACTIVE] ExecuteThread: ’2′ for queue: ‘weblogic.kernel.Default (self-tuning)’> <weblogic> <> <8bd6ca5edfb80812:2e32f4d2:143fdec9191:-8000-0000000000000033> <1391534834374> <BEA-240003> <Console encountered the following error weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection  at weblogic. security. providers. authentication. LDAPAtnDelegate. getConnection

. . . . Caused by: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE – A corrupt or unuseable certificate was received.  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)

__________________

 

  • Looking at the error message, the issue seems to be because of a bad SSL certificate. I verified the root CA’s certificate using keytool -v and the certificate listed properly.

On carefully looking at the Admin Server logs again, at the start of the Admin Server

________________

####<03-Jan-2014 12:29:55 o’clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <[ACTIVE] ExecuteThread: ’0′ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <><1391603395409> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/app/weblogic/certs/WebLogic-Host.jks.>

####<03-Jan-2014 12:29:55 o’clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <[ACTIVE] ExecuteThread: ’0′ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <>

<1391603395425> <BEA-090898> <Ignoring the trusted CA certificate “cn=myRootCA,DC=onlineAppsDBA,DC=com”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

_____

Note: WebLogic’s trust store in my environment points to /u01/app/weblogic/certs/WebLogic-Host.jks

Note: Notice that loading of the trusted certificate failed in WebLogic’s Admin Server with the error Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11

Root Cause: By default WebLogic Server does not trust certificates stronger than 128-bit. You must use the JSSE (Java Secure Socket Extension) SSL implementation, which supports certificates stronger than 128-bit

Fix: Enable the JSSE SSL implementation for WebLogic: Admin Server -> Configuration -> SSL (under Advanced), select Use JSSE SSL. Restart WebLogic Server.
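The startup notice is easy to miss, so the scan below (an added example, not part of the original post or of WebLogic) looks for BEA-090898 records, names the rejected signature algorithm (1.2.840.113549.1.1.11 is sha256WithRSAEncryption) and links them to later connection failures. The sample log is constructed from the excerpts above with shortened header fields, and it assumes each record starts with "####" as in those excerpts.

```python
import re

# Standard signature-algorithm OIDs (PKCS #1 and ANSI X9.62 assignments).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

KEYSTORE = re.compile(r"<BEA-090169>.*?keystore file (.+?)\.\s*>", re.S)
# Accept straight quotes and the typographic quotes a copy/paste may introduce.
IGNORED = re.compile(
    r'<BEA-090898>.*?trusted CA certificate ["\u201c](.+?)["\u201d]'
    r".*?Unsupported OID in the AlgorithmIdentifier object:\s*([0-9.]+)", re.S)
HANDSHAKE = re.compile(r"Security:090294|BAD_CERTIFICATE")

# Constructed sample based on the log excerpts in the post (header fields shortened).
SAMPLE_LOG = """\
####<03-Jan-2014 12:29:55 o'clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <> <1391603395409> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/app/weblogic/certs/WebLogic-Host.jks.>
####<03-Jan-2014 12:29:55 o'clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <>
<1391603395425> <BEA-090898> <Ignoring the trusted CA certificate "cn=myRootCA,DC=onlineAppsDBA,DC=com". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
####<03-Jan-2014 17:27:14 o'clock GMT> <Error> <Console> <weblogic-host> <AdminServer> <> <1391534834374> <BEA-240003> <Console encountered the following error weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
Caused by: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.>
"""


def scan_weblogic_log(text):
    """Find trusted CAs dropped at startup and count later SSL connection failures."""
    keystore, ignored, failures = None, [], 0
    for record in text.split("####"):  # records may span several lines
        if m := KEYSTORE.search(record):
            keystore = m.group(1)
        if m := IGNORED.search(record):
            oid = m.group(2).rstrip(".")  # drop the sentence-ending dot
            ignored.append({"keystore": keystore, "subject": m.group(1), "oid": oid,
                            "algorithm": SIG_ALGS.get(oid, "unknown")})
        if HANDSHAKE.search(record):
            failures += 1
    return {"ignored_cas": ignored, "handshake_failures": failures}


def diagnose(result):
    """Turn scan results into one message per ignored CA."""
    notes = []
    for ca in result["ignored_cas"]:
        note = (f"{ca['subject']} from {ca['keystore']} was not loaded: "
                f"signature algorithm {ca['algorithm']} ({ca['oid']}) unsupported")
        if result["handshake_failures"]:
            note += f"; {result['handshake_failures']} later SSL failure(s) are the likely result"
        notes.append(note)
    return notes


if __name__ == "__main__":
    print("\n".join(diagnose(scan_weblogic_log(SAMPLE_LOG))))
```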

 

 

 

 


Focusthread offers Oracle Golden Gate Training starts on 15 February 2014 @Lowest price ever!!!


Get trained from the best instructor known to have trained novices as experts in this field.

Commencement Date: 15 February 2014


Training Duration: 4 Days

Training Schedule:- 15, 16, 22, 23 February 2014

Timing: 12:00 Noon GMT | 7:00AM EST | 4:00AM PST | 6:00AM CST | 5:00AM MST | 5:30PM IST


Course Fee - USD 399

 

Course Content & Registration Link :

http://www.focusthread.com/training/dba-trainings/oracle-goldengate-11g-fundamentals-for-oracle/394-oracle-goldengate-11g-fundamentals-for-oracle
For full curriculum and details, email us at training@focusthread.com or contact us on Phone – US: +1 213-814-4243 |UK: +44(0) 20 7193 7426 |India: +91-9833815812

Class size is limited—sign up for this course today!!!

Upgrade Oracle IAM (OES) from 11gR2 (11.1.2.0/1) to 11gR2 PS2 (11.1.2.2) lessons learned


I discussed the availability of IAM 11gR2 PS2 (11.1.2.2) here and the installation changes in IAM 11gR2 PS2 (11.1.2.2) here. In this post I am going to cover the steps to upgrade IAM (OES specifically) from 11gR2 (11.1.2.0/1) to 11gR2 PS2 (11.1.2.2). Upgrades of the other IAM components (OIM, OAM, OAAM & OPAM) will follow soon.

For the upgrade (or patch) from PS1 to PS2, check the IAM Upgrade Guide in the Oracle documentation.

Note: IAM 11gR2 PS2 (11.1.2.2) is complete software that can also be used to patch 11.1.2.0 or 11.1.2.1

High Level Upgrade Steps for OES from 11.1.2.0/1 to 11.1.2.2

OES Upgrade has two parts

a) Upgrade OES Server
b) Upgrade OES Client i.e. OES Security Module (OESSM)

 

Upgrade OES Server

  • Stop OES Server (WebLogic Admin Server where OES is deployed)
  • Install Oracle IAM 11.1.2.2 in same ORACLE_HOME where OES/IAM 11.1.2.0/1 is installed

 

 

Note: Above step should upgrade ORACLE_HOME binaries from version 11.1.2.0.0/1 to 11.1.2.2

  • Upgrade the OPSS schema (the schema for OES) using Patch Set Assistant (PSA) from version 11.1.1.6.X to 11.1.1.7.2 (yes, the OPSS schema for OES 11gR2 PS2 is 11.1.1.7.2). Use $MW_HOME/oracle_common/bin/psa
Note: You must select the OPSS schema used by the OES Server. To find the schema name and DB server details used by OES/OPSS, check $DOMAIN_HOME/config/jdbc/opss-jdbc.xml
  • Upgrade OPSS (Platform Security Services), i.e. the configuration file jps-config.xml and the policy store, to 11.1.2.2 using WLST upgradeOpss
Note: upgradeOpss is for all Fusion Middleware upgrades (SOA, WebCenter, IAM etc.) and is NOT specific to OES
  • Start WebLogic Server where OES Server is deployed

 

Upgrade OES Client

On the OES client (OESSM) side you install:
a) OES Client Software
b) IAM Software. Yes, you read that right: the complete IAM software is also required on the client side.

Note: OES Client Software and IAM Software must be installed in separate ORACLE_HOMES

 

  • Install OES CLIENT 11.1.2.2 in same ORACLE_HOME where OES CLIENT 11.1.2.0/1 is installed

Note: Above step should upgrade OES CLIENT binaries from version 11.1.2.0.0/1 to 11.1.2.2

  • On the CLIENT SIDE, install IAM/OES 11.1.2.2 in the same ORACLE_HOME where IAM/OES 11.1.2.0/1 is installed

 

 

 

Note: Above step should upgrade ORACLE_HOME binaries from version 11.1.2.0.0/1 to 11.1.2.2

  • Finally, start the WebLogic Server where the OES CLIENT is configured

This completes the OES upgrade.

 

 

Lessons Learned in Upgrade from OES 11gR2 to OES 11gR2 PS2

  • Ensure that you take a backup of the Application Tier file system and the Database before the upgrade (obvious thing)
  • If you have too many OES policies, ensure that the TEMP tablespace used by the OES schema has enough free space. Check whether you get ORA-01652 (unable to extend temp segment by 128 in tablespace) while upgrading the OPSS schema (using psa)
  • If the upgrade of the OPSS schema (using psa) fails partway, it is better and quicker to restore the database from backup, fix the issue and start again (avoid fixing the failed attempt and continuing with the upgrade, as the upgrade may fail again). Re-running the OPSS schema upgrade after a failure may not work.
  • If the upgrade of OPSS (WLST upgradeOpss) fails with an OutOfMemory error like the one below

_______

Traceback (innermost last):
File “<console>”, line 1, in ?
File “/oracle/apps/atul/mwoes/oracle_common/common/wlst/jpsWlstCmd.py”, line 1759, in upgradeOpss java.lang.OutOfMemoryError
java.lang.OutOfMemoryError: java.lang.OutOfMemoryError

_______

Increase the JVM heap size in wlst.sh ($WL_HOME/common/bin/wlst.sh) by adding MEM_ARGS="-Xms4096m -Xmx4096m" (ensure that MEM_ARGS is added after "${WL_HOME}/server/bin/setWLSEnv.sh").

 

Online Oracle RAC DBA Training


This is an intensive 6-day, full-time, hands-on Oracle Real Application Clusters (RAC) course.

Unlike other Oracle RAC tuning classes, it will provide you with step-by-step guidance to create a RAC environment on your home PC using VMware, a freeware software. The course focuses on RAC architecture, installation, patching, administration, backup and recovery, and tuning. The course will also include specialized Oracle RAC tuning scripts for monitoring all of the critical RAC performance areas.

Commencement Date: 22 February 2014

Training Schedule : 22, 23 February 2014, 01, 02, 08, 09 March 2014

Training Duration:  6 Days

Timings : 1:00PM GMT | 8:00AM EST | 5:00AM PST | 7:00AM CST | 6:00AM MST | 6:30PM IST

Course Fee: USD 599
