Online Apps DBA
Installing JRockit RealTime (JRRT) 3.X
JRockit is a Java Virtual Machine (JVM) from BEA (acquired by Oracle). Other major JVM vendors are Sun, IBM and Apache; for a complete list of JVM vendors click here.
What are JRockit, JRockit Mission Control (JRMC) and JRockit Real Time (JRRT)?
A. JRockit: the JVM of the JRockit family. The JRockit JVM is bundled with Oracle Fusion Middleware products (WebLogic, SOA, WebCenter).
B. JRockit Mission Control (JRMC): a set of tools, running on the JRockit JVM, that provide monitoring and management. The main components of JRMC are the Runtime Analyzer, the Memory Leak Detector and the Management Console. More on the JRMC architecture here.
C. JRockit Real Time (JRRT): the JRockit JVM optimized for real-time applications. JRRT offers predictable, bounded garbage collection pause times (which means low and predictable response times, not higher ones) and tools that let you find and remedy latency issues in Java applications. JRRT is bundled with WebLogic Application Grid (more on Application Grid coming soon). You can also buy a separate licence for JRRT and use it with Fusion Middleware or a standalone Java application.
For the JRockit family FAQ, including pricing and license terms, check here.
JRockit Family Version
JRockit JVM, JRockit Mission Control (JRMC) & JRockit Real Time (JRRT) all have their own version numbers.
JRockit JVM : R28, R27.X
JRockit Mission Control (JRMC) : 4.0, 3.X
JRockit Real Time (JRRT) : 4.0, 3.X
Note* JRMC 4.0 and JRRT 4.0 are available for Java 5.0 or 6; JRMC 3.X and JRRT 3.X are available for Java 1.4, 5.0 or 6.
Download JRockit Real Time
Identify your operating system (Linux, Solaris, Windows...), architecture (32- or 64-bit), Java version (1.4, 5.0 or 6) and JRockit JVM version (R27 or R28), then download the matching JRockit Real Time package from here.
Install JRockit Real Time: installation is very simple (available in GUI or console mode)
a) Start the installation by running jrrt-[version]-[java_version]-[OS]-[bit].bin
b) Select the installation directory
For JRockit Realtime 3.X Installation Guide click here
Integration of Oracle Access Manager with Oracle Identity Manager
This post covers the steps for integrating Oracle Access Manager (OAM) with Oracle Identity Manager (OIM).
The objective of this integration is to protect the Oracle Identity Manager User Administration Console with Oracle Access Manager.
The authentication scheme used in this post is Form Based authentication. Other schemes such as Basic Over LDAP, Certificate and Custom are also possible but are not covered here.
In this case OIM is deployed on Oracle Application Server (OAS), so this post covers only the configuration required for OAS as part of this integration.
When installing Oracle Identity Manager you would normally select Default mode, in which OIM handles authentication itself. The other option is Single sign-on mode, in which OIM reads the user identity from a header variable set by an external authentication system (OAM in our case).
The architecture is as given below.
The integration flow is explained below:
- The user accesses the OIM user administration console.
- The WebGate installed on the web server (which acts as a proxy for the application server where OIM is deployed) intercepts the request, checks whether the resource is protected and, if so, challenges the user according to the configured authentication scheme.
- The form page is displayed and the user enters credentials.
- The WebGate passes the login details to the Access Server for authentication.
- Upon successful authentication, the WebGate checks with the Access Server whether the user is authorized to access the resource.
- Upon successful authorization, the WebGate executes the authorization actions, which set the userid header variable. The Access Server generates the ObSSOCookie and sends it to the WebGate, which in turn sends it to the browser.
- The web server forwards the request to Oracle Identity Manager, which is configured to read the header variable and treat that userid as the logged-in user. OIM trusts this header unconditionally, so the application server must be reachable only through the WebGate-protected web server (by listen address or firewall rules); a client that can reach the OAS port directly can supply the header itself and log in as anyone.
Configuration changes:
- We assume that OIM is already deployed on Oracle Application Server and that a web server acting as proxy is installed and configured accordingly.
- Install a WebGate on the web server.
- Create a policy domain in OAM with the resource to be protected as host:port/xlWebApp (host:port being the proxy web server, which is what the browser sees).
- Create an authorization rule and, on its Actions tab, return the userid as a header variable, as shown below.
Type Name Return Attribute
HeaderVar HTTP_REMOTE_USERID uid
- Configure the authentication rule and the authorization expression in the Default Rules.
- Enable the policy domain.
- Gracefully stop the application server where OIM is deployed.
- Open OIM_HOME/xellerate/config/xlconfig.xml and change the Authentication and AuthHeader elements to SSO and HTTP_REMOTE_USERID respectively, as shown below. The AuthHeader value must match the header name returned by the OAM authorization action exactly.
- From
<web-client> <Authentication>Default</Authentication> <AuthHeader>REMOTE_USER</AuthHeader> </web-client>
- To
<web-client> <Authentication>SSO</Authentication> <AuthHeader>HTTP_REMOTE_USERID</AuthHeader> </web-client>
- Start the application server.
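As an added illustration (not part of the original post, and not OIM or OAM code), the following Python model shows the trust boundary that SSO mode creates. The proxy address, the request dictionary shape and the three sample requests are assumptions constructed for the example. The point it demonstrates is that the application may only believe HTTP_REMOTE_USERID on requests that came through the WebGate-protected web server, and that the proxy must overwrite any copy of that header the client supplied.

```python
# Added example: models the identity assertion OIM receives in SSO mode.
# Not OIM/OAM code. TRUSTED_PROXY, the request dict shape and the sample
# requests below are constructed for the example.
AUTH_HEADER = "HTTP_REMOTE_USERID"   # the name configured in <AuthHeader>
TRUSTED_PROXY = "10.0.0.5"           # assumed address of the WebGate web server


def webgate_forward(client_request, authenticated_uid):
    """What the WebGate-protected proxy must do before forwarding a request
    that passed authentication and authorization: discard any copy of the
    identity header the client sent, then set it from the OAM session."""
    headers = {
        name: value
        for name, value in client_request["headers"].items()
        if name.upper() != AUTH_HEADER
    }
    headers[AUTH_HEADER] = authenticated_uid
    return {"remote_addr": TRUSTED_PROXY, "headers": headers}


def sso_user_naive(request):
    """An application that trusts the header no matter where the request came from."""
    return request["headers"].get(AUTH_HEADER)


def sso_user_checked(request):
    """Accept the header only on requests that arrived from the proxy.
    In production enforce the same constraint with the listen address and
    firewall rules, so the application port is not reachable directly."""
    if request["remote_addr"] != TRUSTED_PROXY:
        return None
    return request["headers"].get(AUTH_HEADER)


# Constructed sample requests.
# 1. A browser request that went through the WebGate after logging in as "jsmith".
through_proxy = webgate_forward(
    {"remote_addr": "192.0.2.10", "headers": {"Host": "ohs.example.com"}},
    authenticated_uid="jsmith",
)
# 2. The same browser trying to smuggle its own header through the proxy.
smuggled = webgate_forward(
    {"remote_addr": "192.0.2.10",
     "headers": {"Host": "ohs.example.com", AUTH_HEADER: "xelsysadm"}},
    authenticated_uid="jsmith",
)
# 3. A direct request to the application server port, bypassing the WebGate.
direct = {"remote_addr": "192.0.2.10",
          "headers": {"Host": "oas.example.com", AUTH_HEADER: "xelsysadm"}}


def demo():
    """Return (naive, checked) results for each sample request."""
    return {
        "through_proxy": (sso_user_naive(through_proxy), sso_user_checked(through_proxy)),
        "smuggled": (sso_user_naive(smuggled), sso_user_checked(smuggled)),
        "direct": (sso_user_naive(direct), sso_user_checked(direct)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} naive={result[0]!r:12} checked={result[1]!r}")
```

Only the direct request differs between the two readers: the naive reader accepts the forged xelsysadm, the checked one returns no user. A source-address check is itself weak when another hop sits between the proxy and the application, which is why the real control is network isolation of the OAS port rather than code in OIM.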
Test the integration:
Access the OIM console, i.e. http://host:port/xlWebApp, and you should see the form page asking for credentials. Enter the login details and check that the logged-in user shown on the right side is the user you actually authenticated as.
Observations:
You will observe that the Logout link disappears after the OAM-OIM integration. This is because in SSO mode OIM expects the logout page to be specified by OAM, since the logout has to end the OAM session and not just the OIM one. I will cover this part in the next post.
Oracle Service Registry 11g - Standalone, Discovery, Publication or Intermediate Registry for SOA Governance
Oracle Service Registry (OSR) is a UDDI version 3 (Universal Description, Discovery and Integration) compliant service registry for publishing, discovering and approving SOA business services.
Use cases for OSR:
i) Register/publish SOA business services
ii) Discover/search discoverable SOA business services
iii) Approve published services so that they can be discovered/searched
Tasks/functions/modes available with OSR
a) Publication Registry: you can deploy OSR in publication mode, where you publish, test and approve your SOA business services.
b) Discovery Registry: once a SOA business service is approved it is promoted to the Discovery Registry, where consumers search for it.
Note* You can also have both Publication and Discovery Registry in a single registry server, aka a Standalone Service Registry.
OSR Key Points
1. Oracle Service Registry (OSR) 11g is the consolidation of BEA's AquaLogic Service Registry (ALSR) and Oracle Service Registry (OSR) 10g.
2. It is possible to run OSR with or without an application server (WebLogic Server). When you deploy OSR without an application server, OSR uses an embedded Jetty server.
3. OSR can be deployed/configured in the following ways:
a) Standalone Registry Configuration - both Publication and Discovery are configured as a single service registry. The same registry is used by both business SOA service publishers and consumers.
b) Multi-Registry Configuration - this configuration has multiple registries, i.e. one or more Publication Registries and one Discovery Registry. SOA business services are published, tested and approved on a Publication Registry; on approval (automatic or manual) they are promoted to the Discovery Registry so that approved services can be searched/enquired.
Note* In a Multi-Registry deployment (with one Publication Registry and one Discovery Registry) the Discovery Registry should be installed first, because the Discovery Registry server certificate is needed on the Publication Registry.
4. To install Oracle Service Registry 11g run java -jar oracle-service-registry-11.1.1.jar
5. OSR Domain Template installation: this is a new deployment feature of OSR 11g. With this deployment method the installer produces all required files plus a .war file and a "WebLogic Domain Template". It places the war file and the domain template in the Oracle Registry Home; you then run config.sh (the WebLogic configuration wizard) to create a domain from that template.
Note* When you use the "WebLogic Domain Template" deployment model, install OSR inside the Oracle Middleware Home, i.e. install OSR_HOME inside MW_HOME. For more information on the various HOMEs in Oracle Fusion Middleware click here.
The OSR Domain Template deployment model is available with WebLogic 11g and is the recommended deployment model.
6. OSR 11g is Supported On/With
a) Operating System - Linux, Solaris, Windows, AIX and HP-UX.
b) Database - Oracle (10g R2, 11g R1/R2), MS-SQL (2005, 2008), DB2 (9.5/9.7)
c) LDAP - OID (11.1.1.1.2), Sun One DS (6.3), MS-AD (2003 & 2008) - For external Authentication
d) Application Server- WebLogic Server (10.3.0, 10.3.1, 10.3.2, 10.3.3)
For list of exact version check OSR certification matrix here
Installing OSR 11g in Active-Active Cluster coming next ….
Error while deploying custom webcenter application to WebLogic : Unresolved application library references
If you plan to deploy a custom WebCenter application in Fusion Middleware, Oracle's recommendation is NOT to use any of the three pre-configured managed servers (WLS_Portlet, WLS_Spaces, WLS_Services) or the Admin Server, but to create a new managed server and deploy your custom WebCenter application there; more information here.
If you deploy your custom WebCenter application on a managed server created after the WebCenter installation, you may run into the following error during deployment:
Managed Server weblogic.management.DeploymentException: [J2EE:160149] Error while processing library references. Unresolved application library references, defined in weblogic-application.xml: Extension-Name: oracle.webcenter.framework, Specification-Version: 11.1.1
Root cause: the required shared library (in this case oracle.webcenter.framework) is not targeted to the managed server on which you are deploying the custom WebCenter application.
Fix: go to WebLogic Server console -> Deployments -> [click the library causing the issue] -> select the Targets tab -> select the managed server (on which you are deploying the WebCenter application) and click Save.
Note* You can also use WLST (WebLogic Scripting Tool) or Fusion Middleware Control (/em) to target the missing library to the managed server.
For an overview of Admin Server and Managed Server in WebLogic click here
References
- Deploying Custom WebCenter Applications
- Configuring High Availability for Oracle ADF and WebCenter Applications
- Oracle WebCenter Suite Installation Overview
Oracle Service Bus #OSB 10.3.1 deployment in Active-Active Cluster
This post covers overview and key points for deploying Oracle Service Bus (OSB) 10.3.1(earlier BEA’s AquaLogic Service Bus) on WebLogic Cluster. For OSB 10.3.1 Single Node deployment click here
If you are new to WebLogic then I would recommend to look at Domain, Admin Server, Managed Server and Clusters in WebLogic Server here.
.
Key points for OSB 10.3.1 cluster deployment
1. In WebLogic Server you can create multiple clusters in a single domain. An Oracle Service Bus domain, however, supports a single cluster, and all managed servers hosting OSB in the domain must belong to that cluster, i.e. you can't span OSB across multiple clusters in a domain.
2. You create the domain and clusters in WebLogic Server by running the configuration wizard (config.sh).
3. Singleton services: services which must run on only one server at a given time. In an OSB cluster most services run on all servers in the cluster, but some must run on only one server at a time. Singleton services for OSB include
a) File, FTP and E-Mail pollers for proxy services
b) SLA Manager
c) JMS Server
d) ALSB domain Singleton Marker Application
High level steps to deploy OSB 10.3.1 in an Active-Active cluster
1. Install OSB on Machine1
2. Install OSB on Machine2
3. Run config.sh on Machine1
4. Create Admin Server on Machine1, Managed Server (WLS_OSB1) on Machine1 and Managed Server (WLS_OSB2) on Machine2
5. Create cluster OSB_Cluster and add two managed servers WLS_OSB1 (on Machine1) and WLS_OSB2 (on Machine2) in cluster OSB_Cluster.
6. Deploy OSB configuration to OSB_Cluster
7. Configure Oracle HTTP Server (or Load Balancer) to forward request to two managed servers (WLS_OSB1 & WLS_OSB2)
Reading HTTP Headers set by Oracle Access Manager.
Since we know the significance of the headers OAM returns to the target application after authentication and authorization, we should also know which tools can and cannot be used to watch those header variables.
So far I was under the impression that the IE HTTP Headers tool could show the header variables set by OAM, but that proved to be wrong.
All you can see with IE HTTP Headers are cookies, redirection URLs etc. The reason is that the WebGate adds the header variables to the request it forwards to the back-end application, not to the HTTP response sent to the browser, so no browser-side tool can see them.
To try it, you can download the IE HTTP Headers tool here (ieHTTPHeadersSetup.exe).
Using it you can inspect what happens when you access a protected resource: which URL is constructed, where the redirection goes, etc.
This is very useful for testing. You may also look at the IEWatch tool. I have tested this personally in Mozilla, where the Live HTTP Headers add-on is available, and it does not show the headers either.
Even though you cannot view the headers in the browser, you can fetch them in the target application with code such as:
String userid = request.getHeader("HTTP_REMOTE_USERID");
HTTP_REMOTE_USERID is the header variable defined in the authorization actions. Here I return the userid of the user from OAM; you can return any other attribute you wish.
To summarize:
Though you cannot view the headers using the IE HTTP Headers tool, you can use the code above to fetch them in the target application. This applies irrespective of the authentication scheme used, Basic Over LDAP or Form Based.
These are my personal opinions and do not reflect the views of Oracle.
Authentication Actions not triggered for Form based authentication: Oracle Access Manager
I observed a problem when using Form Based authentication for a resource protected by Oracle Access Manager. We set Actions in the Authentication Rule of the Policy Domain, but they were not set as HTTP headers. The same authentication actions do get executed if we use Basic Over LDAP instead of the Form Based scheme, and they also work if we define the actions in Authorization Rules instead. Hence it is recommended to define the actions to be executed in Authorization Rules.
After the OAM authenticates the user and before the user is served the requested resource, OAM executes the Authentication Actions that are defined. In case of Form based authentication, users are redirected to a form when they request a protected resource. Now, when users authenticate and redirect to the requested resource, the ObSSOCookie will have already been set. The presence of the ObSSOCookie usually indicates that authentication actions have already been performed and should be bypassed.
The workaround for this is to include a key called ObTriggerAuthentication (OTA) in both Form based authentication scheme and Policy Domain.
In the Form based authentication scheme, add a new challenge parameter as shown below.
OTA:true
In the Policy Domain, go to the Authentication Actions and add a new field as shown below.
Type: Cookie
Name: NoExecuteOTA
Return Value: true
The way it works:
With the NoExecuteOTA cookie set to true and OTA set to true in the policy domain, the authentication actions will not be performed for the resource protected by the policy domain.
With the NoExecuteOTA cookie set to false and the OTA key set to true, the authentication actions will be performed for the resource and the ObSSOCookie will be reset.
By default NoExecuteOTA is false.
Useful Docs:
Metalink Note: 472353.1
Fetch userid from custom cookie from HTTP session: Oracle Access Manager
Please refer to the post on why we need to fetch the userid attribute from a cookie instead of a header variable.
Most integrations we do with Oracle Access Manager expect a user id to be passed to the target application to identify the authenticated user.
The code below can be used in a JSP page to fetch the cookie that carries the userid (javax.servlet.http.Cookie is imported implicitly in JSP):
<%
String cookieName = "HTTP_REMOTE_UID";  // cookie name configured in the OAM authorization action
String userid = null;
Cookie cookies[] = request.getCookies();  // null when the request carries no Cookie header
if (cookies != null)
{
    for (int i = 0; i < cookies.length; i++)
    {
        if (cookies[i].getName().equals(cookieName))
        {
            userid = cookies[i].getValue();
            break;
        }
    }
}
%>
User logged into application: <%= userid %>
I used a JSP here; it could equally be a servlet, ASP etc.
You should be really cautious about justifying this solution to a customer, because of a security loophole in this approach.
The cookie that OAM sends to the browser is plain text, not encrypted, and a cookie is under the user's control: anyone with basic knowledge of the browser's tools can read it and, worse, rewrite it before the next request, so the application above would accept whatever user id is presented. In our case we retrieved only the userid, but it could be other attributes like mobile number, SSN etc., which are highly confidential.
Hence, please use this approach with more circumspection.
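The following Python snippet, added here as an illustration (not Oracle code and not from the original post), makes the loophole concrete by parsing a Cookie header the same way the JSP loop above does. The sample Cookie headers and the key are constructed for the example. The signed-cookie variant is a generic integrity technique shown for comparison, not something the OAM Cookie authorization action provides; it detects tampering but not replay, so it remains weaker than reading the identity from a header that only the WebGate can set.

```python
import hashlib
import hmac

COOKIE_NAME = "HTTP_REMOTE_UID"      # the cookie name set by the OAM authorization action
# Constructed for the example: a secret shared only between the servers that
# issue and verify the cookie.  It never travels in the cookie itself.
EXAMPLE_KEY = b"example-key-replace-in-real-deployments"


def parse_cookie_header(cookie_header):
    """Split a raw Cookie request header into {name: value}, the same
    information the JSP loop obtains from request.getCookies()."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def userid_from_plain_cookie(cookie_header):
    """What the JSP above does: believe whatever value the browser sent."""
    return parse_cookie_header(cookie_header).get(COOKIE_NAME)


def sign_uid(uid, key):
    """Issue 'uid.<hmac-sha256 hex>' so that tampering is detectable."""
    mac = hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{mac}"


def userid_from_signed_cookie(cookie_header, key):
    """Return the uid only if its MAC verifies under the server-side key."""
    raw = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    if raw is None or "." not in raw:
        return None
    uid, mac = raw.rsplit(".", 1)      # the hex MAC never contains a dot
    expected = hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return uid


# Constructed sample Cookie headers (the ObSSOCookie value is a placeholder).
LEGIT = "ObSSOCookie=<opaque>; HTTP_REMOTE_UID=jsmith"
# The same browser after the user edits the cookie to claim the admin account.
FORGED = "ObSSOCookie=<opaque>; HTTP_REMOTE_UID=xelsysadm"
# What the cookie looks like if the issuer signs it, and after tampering.
SIGNED = f"HTTP_REMOTE_UID={sign_uid('jsmith', EXAMPLE_KEY)}"
SIGNED_TAMPERED = SIGNED.replace("jsmith", "xelsysadm", 1)


def demo():
    """Return what each reader believes the user id to be."""
    return {
        "plain_legit": userid_from_plain_cookie(LEGIT),
        "plain_forged": userid_from_plain_cookie(FORGED),
        "signed_ok": userid_from_signed_cookie(SIGNED, EXAMPLE_KEY),
        "signed_tampered": userid_from_signed_cookie(SIGNED_TAMPERED, EXAMPLE_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} -> {value!r}")
```

The plain reader returns xelsysadm for the forged cookie with no way to tell it from a genuine one; the signed reader rejects the tampered value. Even so, a signed identity cookie can still be copied and replayed from another machine, which is why the header-variable approach through the WebGate is the one to prefer wherever the redirection problem can be solved instead.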
Header variables not set in IE browser: Oracle Access Manager
Hi all,
This post covers an important caveat of Oracle Access Manager with Form Based authentication when there are multiple web servers in your architecture, resulting in multiple redirections.
Let's say the architecture has the components WebServer1, WebServer2, WebServer3 and Oracle Access Manager.
Let's assume WebServer1 is used as the reverse proxy, WebServer2 is where the web application is deployed and WebServer3 is where the form login page resides.
In a real project we would place the form login page in a centralized location. (Please write your queries in the comments if you want to know why.)
Here the OAM WebGates are installed on WebServer1 (the reverse proxy) and WebServer3 (where the form login page resides). (Also, the form action is protected by the Anonymous authentication scheme.) Let's assume the application deployed on WebServer2 is protected in OAM by a policy domain whose resource host identifier is the reverse proxy WebServer1, not WebServer2 (this is important to remember).
Generally you add the header variables to be returned to the protected application in the Authorization and Authentication Actions (I will cover the caveats with Authentication Actions in a separate post). Authorization actions are executed after OAM has performed the authorization.
In this case, when the user accesses the protected application through the proxy WebServer1, the WebGate intercepts the request and redirects to WebServer3, which displays the form login page. The user enters the credentials; let's assume OAM authenticates them and the authorization actions are executed. Now the WebGate on WebServer3 redirects to WebServer1 with the cookie created and the header variables set.
WebServer1 in turn forwards the request to WebServer2, where the actual resource is located.
So there are multiple redirections, and the headers may be lost by the time the request finally reaches the protected application: a header variable exists only on the single request a WebGate forwards, whereas a cookie is re-sent by the browser on every subsequent request.
Workaround:
This is only a temporary workaround for this issue.
In general you would have returned the header variable as shown below.
Type Name Return Attribute
HeaderVar HTTP_REMOTE_UID uid
Define a Cookie instead of a HeaderVar in the Authorization Actions, as shown below.
Type Name Return Attribute
Cookie HTTP_REMOTE_UID uid
You will now see the uid value as a cookie instead of a header variable, and it persists for the session regardless of multiple redirections.
You will also need to modify your protected application to fetch the UID from the cookie instead of the header variable.
Please check the post for the code you need to embed in the protected application to fetch the cookie, and for the security loopholes of this approach (the cookie value is under the browser's control, so the application can no longer take it as proof of who the user is).
Helpful Docs:
Metalink Note: 403280.1
ASR setup has failed - Error occurred while dropping database link : ORA-02084 : database name is missing a component while Configuring Multi Master OID replication using “remtool -asrsetup”
This issue came from one of our readers who was facing a problem while configuring OID multi-master replication using remtool.
remtool (REplication Management TOOL) is a command-line tool for managing the OID replication configuration (adding and deleting nodes, setting up ASR-based replication with -asrsetup and configuring LDAP-based replica groups). More on remtool here.
Error message
ASR setup has failed.
Error occurred while dropping database link.
XXXX.xxx.CO.IN : ORA-02084: database name is missing a component
This error can occur if your database global name (GLOBAL_NAME) contains a component that is an Oracle Database reserved word (for example AT, BY, IN or IS; in the message above the last component, IN, is one). For the list of all reserved words query the view V$RESERVED_WORDS.
The fix is to remove any reserved words from the database global name, for all databases which are part of the OID multi-master replication.
References
- 879160.1 ORA-02084:Database Name Is Missing A Component (Oracle Support Note)
- 1018063.102 ORA-02084: WHILE RENAMING OF GLOBAL_NAME IRRESPECTIVE OF NEW NAME (Oracle Support Note)
OAM WebGate not intercepting requests: Troubleshooting Tips
Hi all,
Today I faced a common issue where a WebGate installed on OHS 11g was not intercepting HTTP requests, and I thought it worth sharing. So I would like to write up the root cause of our issue and other points for troubleshooting.
The background: there is a custom portal application deployed on a web server at the back end. We use OHS 11g as the front end that proxies all back-end servers, so we installed an OHS 11g WebGate on the proxy server.
This was followed by creating a policy domain to protect the resources, assigning an authentication scheme etc.
When we tested a specific page protected in the policy domain using the Access Tester it behaved as expected. When we accessed the same protected resource in a browser it was displayed without the OAM WebGate intercepting the request.
There are different points to check when troubleshooting this:
- Check the time sync between the WebGate and Access Server machines.
- Check that the Access Server port is reachable from the WebGate machine (e.g. with telnet) to confirm the firewall allows it; a plain ping only tests the host, not the port.
- Ensure that you are using the right Host Identifiers as configured in the Access System Console. Add all possible hostnames, domain names and IP addresses with port numbers.
- Check the WebGate profile for the WebGate hostname and the Preferred HTTP Host, which should be webgate_webserver_hostname:port. This is really important and was the root cause in our case.
- Also, if you install the WebGate on a proxy server, set the IP Validation field to No, since the proxy server does not show the client's actual IP. Note that IP validation ties the ObSSOCookie to the client address, so turning it off lets a stolen cookie be replayed from any host; where the WebGate version supports IP validation exceptions, listing the proxy addresses there is preferable to disabling validation altogether.
- If you specified wrong details in the WebGate profile, you will be prompted when you enter the WebGate and Access Server details while installing the WebGate.
- After the WebGate is installed, check that it is installed properly by accessing the following URL:
http://webgate_webserver_hostname:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
I have not covered checking the WebGate logs here; they show different errors for the various types of issues.
Just in case I have missed any other points, please let me know.
Oracle #Coherence 3.6 is now available
Oracle today announced release of Coherence 3.6
What is Oracle Coherence ?
Oracle Coherence is an in-memory data grid solution that provides a distributed caching platform for middleware products. Oracle Coherence comes from Tangosol, acquired by Oracle in 2007.
Oracle Coherence is part of the Oracle Fusion Middleware family and can be integrated with Oracle WebLogic Server via ActiveCache.
- Download Oracle Coherence from here
- For Coherence 3.6 documentation click here
- For Coherence*Web integration with WebLogic click here
“Failure to connect to Access Server” while installing a WebGate.
Hi all,
We were installing the OHS WebGate and it failed at the step where the WebGate is configured to connect to the Access Server. We were able to telnet to the Access Server port from the WebGate machine, and that worked fine. The WebGate's oblog.log showed the error below.
"The AccessGate is unable to contact any Access Servers." raw_code^301
2010/07/12@17:01:38.000695 471274 0 ACCESS_GATE ERROR 0x0000151A /export/home2/abuild/Oblix/10142ce/palantir/webgate2/src/isprotected.cpp:219 "Failure to connect to Access Server"
I checked the status of the Access Server and found it up and running; even restarting it did not help. I then checked the time on both the OAM Access Server and WebGate machines and found that they were in different time zones, which resulted in the Access Server connection failure. After bringing both servers' time into sync the WebGate installation went smoothly.
Hence it is always a prerequisite to ensure that the WebGate and Access Server machines have synchronized time.
Whole Server Migration
WSM is the process of moving the entire server instance from one physical machine to another upon failure or scheduled maintenance. All the services being hosted by that particular instance will also be migrated along with it to another healthy server.
Machine configuration for WSM
1. Identify two machines on the same subnet for running server migration.
2. Create a local directory for the user. Ensure the same directory structure on both machines.
3. The user needs access to a shared disk between the two boxes (e.g. NFS).
4. Obtain floating IP addresses that can be shared between the two machines.
5. Establish trust between the machines (SSH/RSH). The same SSH version must be available on both boxes. Use the following commands (as the WebLogic user):
cd ~/.ssh
ssh-keygen -t rsa
cat id_rsa.pub >> authorized_keys
Then append id_rsa.pub to the authorized_keys file (not directory) in the .ssh directory of the other machine, and do the same in the opposite direction, so that each machine can log in to the other as the WebLogic user without a password.
6. Get super-user privileges to add/remove floating IPs.
7. Note the interface name and netmask of each machine.
8. Install WebLogic Server on both machines in the user's local home directory.
9. Modify wlscontrol.sh under WL_HOME/common/bin to add the interface and netmask:
10. Change Interface=${WLS_Interface:-""} to Interface=en0
and NetMask=${WLS_NetMask:-""} to NetMask=255.255.255.0
11. Modify wlsifconfig.sh to hard-code the value of Sudo, e.g. SUDO=/usr/bin/sudo. Grant the WebLogic user passwordless sudo only for the commands wlsifconfig.sh runs (ifconfig and arping), not for everything.
12. Copy wlscontrol.sh and wlsifconfig.sh to /usr/bin (these two files need to be on the system path, and /usr/bin always is).
Configuring Whole Server Migration
1. Creating clustered domain
Create a multi machine clustered domain with following configuration:
1. Admin server
2. Two managed servers (here ms1 and ms2) with floating IP addresses assigned to them.
3. A cluster with managed servers assigned to it.
4. Two machines (machine1 and machine2). Assign IP address of one of the machines (physical machine) to Node manager listen address of machine1 and IP address of other machine as Node manager listen address of machine2.
5. Assign Admin server and managed server1 to machine1 and managed server2 to machine2.
2. Packing and unpacking of domain
Now pack this domain and unpack it under the same directory structure on the second machine.
Execute the following command under $WL_HOME/common/bin to pack the domain:
pack.sh -managed=true -domain=<domain name> -template=<domain_name.jar> -template_name="<description>"
Now copy the jar file to some location on the other machine where it has to be unpacked. To unpack, execute the following command under $WL_HOME/common/bin:
unpack.sh -domain=<domain name> -template=<jar file name>
For more details on packing and unpacking a domain, please click here.
3. Configuring Automatic Migration
After you are done with creating domain, and packing/unpacking of domain, run admin server as well as node managers in both machines. Open admin console and configure for automatic server migration. The steps are as follows:
- Configure Migration Leasing Basis - Configure migration leasing basis as database or consensus (in-memory) for cluster. Under Domain structure in admin console, go to Environment -> Clusters and click on cluster name. You’ll get screen as shown below. Go to Migration tab under Configuration. Select Migration basis as consensus or database. Under Candidate Machines for Migratable Servers select and move machines from available to chosen. These are the machines and order of preference on which Node Manager will restart failed servers.
- Configure Managed Servers for Automatic Migration -
Go to Environment -> Servers, you’ll see summary of severs. Click on managed server you want to configure for migration (here ms2).
.
In the following screen. Go to Migration tab and select Automatic Server Migration Enabled. Also move the machines from Available to Chosen under Candidate Machines.
.
Now restart the admin server and managed servers in both machines.
After the servers are restarted, you’ll see ms1 and admin server running in unix1 and ms2 running in unix2.
To verify if the configuration, go to unix2 machine and kill ms2 as well as nodemanager running in that machine. Killing nodemanager is necessary because if it is not killed, it will try to restart the server in same machine that is unix2 instead of migrating it to another machine. Once the nodemanager and ms2 are killed in unix2 machine, go to unix1 machine and check the running processes. You’ll see ms2 process starting in unix1 machine.
4. Manually Migrating Server Instance
For manual migration, go to Environment -> Servers and click the server instance you want to migrate, e.g. ms2. Go to the Control tab and under that the Migration tab. Under "Migrate to Machines", select the machine to which you want to migrate the selected server instance (unix1 in this case). Now go to that machine and check the running processes (ps -ef); you'll see ms2 also running on unix1.
#OracleIdM 11g webinar : Is this for OAM (Oracle Access Manager) & OIM (Oracle Identity Manager) 11g ?
If you follow Mark Wilcox's blog here, you must have noticed the Oracle IdM 11g webinar on 21st July, where Oracle is going to show the rest of 11g Identity Management (my guess is Oracle Identity Manager (OIM), currently on version 9.1.X, and Oracle Access Manager (OAM), currently on version 10.1.4.3).
To register for this webinar click here
Just to give you a brief overview of the Oracle IdM (Oracle Identity Management) product stack:
Directory Services
- Oracle Virtual Directory (OVD) version 11.1.1.3
- Oracle Internet Directory (OID) version 11.1.1.3
Identity Administration
- Oracle Identity Manager (OIM) version 9.1.X
- Oracle Role Manager (ORM) version 10g R3
Access Control
- Oracle Access Manager (OAM) version 10.1.4.3 (preferred Single Sign-On)
- Oracle Web Services Manager (OWSM) version 11.1.1.3 (part of OPSS: Oracle Platform Security Services)
- Oracle Identity Federation (OIF) version 11.1.1.3 (cross domain)
- Oracle Enterprise Single Sign-On (eSSO) version 11.1.1.X
- Oracle Entitlements Server (OES) version 10.1.4.3 (fine grained control)
Audit & Compliance
- Oracle Identity Analytics (OIA) version
Authentication Providers in #WebLogic - Oracle Access Manager Identity Assertion for Single Sign-On and OAM Authenticator
OAM - Oracle Access Manager is the recommended Single Sign-On solution for Fusion Middleware products (SOA, WebCenter, OSB, UCM ...).
ObSSOCookie - is the cookie generated by OAM for users authenticated via OAM.
What is Authentication Provider in WebLogic Server ?
WebLogic Server includes numerous Authentication security providers: given a username/password credential pair, the provider attempts to find a corresponding user in its data store (LDAP, database or other). In addition to these username/password-based providers, WebLogic Server includes Identity Assertion providers, which use certificates or security tokens, rather than username/password pairs, as credentials.
More on authentication providers in WebLogic Server here. For steps on how to configure them, see "Configure Authentication and Identity Assertion providers" in the WebLogic Administration Console Online Help here.
- To configure OID (Oracle Internet Directory) as an Authentication Provider in WebLogic, click here.
OAM Authentication Provider for WebLogic
The Oracle Access Manager Authentication Provider (oamAuthnProvider.jar, part of OAM 10.1.4.3) provides two functions ("Identity Assertion for Single Sign-On" and "Authenticator") that can be integrated with WebLogic Server.
a) OAM Identity Assertion for Single Sign-On - This provider validates already-authenticated users (those presenting an ObSSOCookie issued by a WebGate) and creates a WebLogic-authenticated session for them instead of prompting for credentials again. It also provides single sign-on between WebGates and portal applications (WebCenter, SOA ...). Because the asserter relies on the ObSSOCookie, WebLogic should sit behind the WebGate-protected web server with direct access to the managed server ports blocked; otherwise requests can bypass the OAM access policies that WebGate enforces.
b) OAM Authenticator - This provider uses the OAM authentication service to authenticate (by username and password) users who access applications deployed on WebLogic Server; it is used when the application relies on WebLogic's own login (form or basic) rather than on a WebGate in front of it.
- If you have Oracle Fusion Middleware 11g of type WebCenter, SOA or Identity Management, then "OAM Identity Assertion for Single Sign-On" and "OAM Authenticator" should already be available among your WebLogic authentication providers.
- If you have a standalone WebLogic Server (no SOA, WebCenter or Identity Management), you can get these two providers by downloading oamAuthnProvider.jar from OTN (Oracle Technology Network). The download contains:
a) oamAuthnProvider.jar: includes the files for both the Oracle Access Manager Identity Asserter for single sign-on and the Authenticator for Oracle WebLogic Server 10.3.1.
b) oamauthenticationprovider.war: (optional) restricts the list of providers shown in the Oracle WebLogic Server Console to those needed for use with Oracle Access Manager. Deploy it only if you want the console to show just these two authentication providers.
c) oamcfgtool.jar: (optional) a tool that automates creation of the Oracle Access Manager form-based authentication scheme, policy domain, access policies and WebGate profile for the Identity Asserter for single sign-on. For more information on oamcfgtool.jar click here. Every step oamcfgtool.jar performs can also be done manually.
More on OAM Identity Assertion for Single Sign-On & OAM Authenticator coming soon.
Oracle Service Bus 11g ( #OSB ) Installation overview for single node deployment
OSB (Oracle Service Bus) = ALSB (BEA's AquaLogic Service Bus) + ESB (Oracle Enterprise Service Bus)
- Download the OSB 11g software from here
- The Oracle Service Bus 11g Installation Guide is available here
- For High Availability (Active-Active cluster) in Oracle Service Bus 11g, click here
Key points for OSB 11g Installation
1) The OSB installer gives you the option to install the following sub-components:
a) Oracle Service Bus Server
b) Oracle Service Bus IDE (Integrated Development Environment)
c) Oracle Service Bus examples (sample applications showing how OSB operates at run time) - choose Custom Install to select this option
2) Prerequisite software for installing Oracle Service Bus 11g:
a) Oracle Database (to hold the OSB schema; required only for the reporting feature or OWSM policies, see point 8)
b) Repository Creation Utility (RCU), more here, to create the OSB schema in the database
c) Oracle WebLogic Server (OSB runs on WebLogic Server)
d) Optional: Oracle Coherence (recommended for result caching) - bundled with the default WebLogic Server installation
e) Optional: Oracle Enterprise Pack for Eclipse (OEPE, used mainly to develop, deploy and debug applications for WebLogic Server). If you install the OSB IDE component then OEPE is mandatory; it can be installed along with WebLogic Server
3) For development, WebLogic comes with a default database (Derby) that can be used in place of Oracle Database. If you plan to use WebLogic's Derby database, Oracle Database and RCU are not required.
4) Installation order for Oracle Service Bus 11g installation
a) Install Oracle Database 11g
b) Install RCU
c) Run RCU to create/load schemas for OSB
d) Install OSB 11g
e) Create/Extend domain by running config.sh
5) OSB 11g installation types
a) Interactive - the installer (GUI) prompts for the details needed to install the software
b) Silent - the installer runs on its own with no intervention from the user, taking its parameters from a response file
6) OSB 11g installation options
a) Typical Install - OSB Server and the OSB IDE binaries in a new Oracle Home
b) Custom Install - gives the option to select components (OSB Server, OSB IDE, OSB Examples)
7) A default OSB 11g install creates an ORACLE_HOME (directory Oracle_OSB1) under the Fusion Middleware Home (MW_HOME). This directory is also referred to as OSB_HOME or the OSB ORACLE_HOME. For more information on MW_HOME, ORACLE_HOME and DOMAIN_HOME click here
8) A database schema is NOT mandatory for OSB. A database is required only if you wish to use
a) the reporting feature in OSB, or
b) Oracle Web Services Manager (OWSM) policies.
9) To start the installation, run
a) Unix: [software]/runInstaller -jreLoc $MW_HOME/jrockit_160_17_R28.0.0-670/jre
b) Windows: [software]\setup.exe -jreLoc %MW_HOME%\jrockit_160_17_R28.0.0-670\jre
10) A Fusion Middleware Home (MW_HOME) can contain one and only one Oracle Service Bus ORACLE_HOME. One MW_HOME can, however, hold multiple ORACLE_HOMEs of different types, e.g. one for OSB, one for SOA and one for IdM (Identity Management).
11) OSB installation log files are stored in the ORACLE_INVENTORY_LOCATION/logs directory.
12) If you are installing OSB 11g on a 64-bit machine, select the Custom installation type and deselect the OSB IDE (Integrated Development Environment) option.
13) After the OSB install, create a domain ($MW_HOME/oracle_common/common/bin/config.sh|cmd). The default configuration creates a domain with one Admin Server (listening on port 7001) and one Managed Server (osb_server1). For more information on WebLogic Server domains, Admin Server and Managed Servers click here
14) After OSB installation and configuration, start the Admin Server and the managed server using startWebLogic.sh and startManagedWebLogic.sh (osb_server1). For more information on options to start WebLogic Server, click here
15) Access the OSB Administration Console at
http://<hostname>:<osb-port>/sbconsole, where osb-port is the port configured for managed server osb_server1 (the context root is sbconsole, not osbconsole)
16) For OSB 11g installation screens, click here
OSB 11g cluster deployment (Active-Active) coming soon ….
Resource, Reconciliation, Provisioning and Connector in Oracle Identity Manager #OIM
1) Resources: In OIM's terminology a resource is an external system such as an ERP, CRM, mainframe or LDAP server to which OIM connects for provisioning and reconciliation.
2) Reconciliation - The process of comparing and synchronizing account information in a target system with OIM. Data flows into Oracle Identity Manager from the external source.
Types of OIM reconciliation - two types
a) Trusted Source Reconciliation - the external source is an authoritative source (e.g. HR); it drives creation, modification and deletion of users in Oracle Identity Manager.
b) Target Resource Reconciliation - the external source is a non-authoritative system on which users have already been provisioned; OIM synchronizes the accounts that already exist there.
Events in reconciliation - three types of events
a) Reconciliation Insert - OIM detects an account for a user that does not exist in OIM
b) Reconciliation Update - OIM detects a modification to a user that already exists in OIM
c) Reconciliation Delete - OIM determines that a user present in OIM should be removed
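As an added example (not code from the original post or from OIM itself), here is a small Python model of how the three events are derived during a trusted source reconciliation: the authoritative feed is compared with what OIM currently holds and each login is classified as insert, update or delete, then the events are applied. The HR feed, the OIM user list and the attribute names are constructed for the example; a real connector would read them through the IT Resource and OIM's reconciliation APIs.

```python
# Added example (not OIM code): classify reconciliation events by comparing an
# authoritative (trusted) source feed with the users currently held in OIM.

# Constructed sample data, keyed by login.
HR_FEED = {   # authoritative source, e.g. an HR system
    "jsmith": {"first": "John",  "last": "Smith", "dept": "Finance"},
    "akumar": {"first": "Anita", "last": "Kumar", "dept": "IT"},
    "bwong":  {"first": "Ben",   "last": "Wong",  "dept": "Sales"},
}
OIM_USERS = {  # what OIM holds before this reconciliation run
    "jsmith": {"first": "John",  "last": "Smith", "dept": "HR"},     # dept changed in HR
    "akumar": {"first": "Anita", "last": "Kumar", "dept": "IT"},     # unchanged
    "cdoe":   {"first": "Chris", "last": "Doe",   "dept": "Legal"},  # no longer in HR
}


def classify_recon_events(source, oim):
    """Return the three reconciliation event lists.

    insert: login exists in the source but not in OIM
    update: login exists in both, but at least one attribute differs
    delete: login exists in OIM but is gone from the source
    """
    inserts = sorted(login for login in source if login not in oim)
    deletes = sorted(login for login in oim if login not in source)
    updates = []
    for login in sorted(source.keys() & oim.keys()):
        changed = {
            attr: (oim[login].get(attr), value)           # (old, new)
            for attr, value in source[login].items()
            if oim[login].get(attr) != value
        }
        if changed:
            updates.append((login, changed))
    return {"insert": inserts, "update": updates, "delete": deletes}


def apply_trusted_source_recon(source, oim):
    """Apply the events as a trusted source reconciliation would.

    Because the source is authoritative it drives create, modify AND delete of
    OIM users. For target resource reconciliation (non-authoritative source) a
    'delete' would instead mean the account on that resource is gone, and the
    OIM user itself would be left in place (assumption of this example, not a
    statement about OIM's internals).
    """
    events = classify_recon_events(source, oim)
    users = {login: dict(attrs) for login, attrs in oim.items()}  # work on a copy
    for login in events["insert"]:
        users[login] = dict(source[login])
    for login, changed in events["update"]:
        for attr, (_old, new) in changed.items():
            users[login][attr] = new
    for login in events["delete"]:
        del users[login]
    return events, users


if __name__ == "__main__":
    events, users = apply_trusted_source_recon(HR_FEED, OIM_USERS)
    for kind in ("insert", "update", "delete"):
        print(f"Reconciliation {kind.capitalize()}: {events[kind]}")
    print("OIM users after run:", sorted(users))
```

Running it reports bwong as an insert, jsmith as an update (dept HR -> Finance) and cdoe as a delete. The update event carries the old and new value of each changed attribute, which is what you want logged when an authoritative feed silently changes someone's department or manager.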
3) Provisioning - The process, initiated by OIM, of creating, modifying or deleting user information in a target resource. Data flows from OIM to the resource (external source).
Types of provisioning in OIM
a) Day-one provisioning - the initial creation of access privileges on a resource (external source) for users, and the removal of those privileges.
b) Day-two provisioning - modification of privileges on resources (external source) based on business needs.
4) OIM Connector - a container holding the information OIM needs to reconcile user identities with an external source and provision users to a target resource. Mandatory components of a connector are IT Resource Type (one and only one per connector), IT Resource (one per resource), Process Form, Process Task Adapter, Resource Object, Provisioning Process and Process Task. More on connectors and their components here
Oracle Identity Manager (Thor Xellerate) Architecture
Oracle Identity Manager (OIM) is a product in the Oracle Identity Management stack (acquired from Thor Technologies, where it was called Xellerate) that handles user provisioning, creating/removing/managing users' access privileges, reconciliation and request processing (using workflow).
- OIM is a J2EE application (for provisioning, request processing and job scheduling) and a web-based application (for profile management and delegated administration).
- OIM is deployed on a J2EE-compliant application server (WebLogic, JBoss, OC4J, IBM WebSphere) with its repository in a relational database (Oracle, Microsoft SQL Server).
- For the OIM certification matrix (certified OS, web server, database) click here
- 9.1.0.2 is the latest available version of OIM (as of June 2010).
The logical layers in OIM's N-tier architecture are:
1. Presentation Layer (client side)
a) Administrative Console - web browser-based application running on the client PC
b) Design Console - stand-alone Java application running on the client PC and interacting directly with Identity Manager
2. Dynamic Presentation Logic Layer (logical component)
c) Web server (serving JSP, servlets, XML, XSL ...). This layer holds the logic that generates dynamic pages for the Administrative Console. The Design Console includes its own dynamic presentation layer.
3. Business Logic Layer / Server Tier (logical component)
This layer is the interface between the presentation/dynamic presentation layer and the data layer (OIM repository) or integration layer (connecting to external sources like ERP/CRM/mainframes).
d) J2EE application server (EJB and other J2EE technology): supported J2EE application servers are WebLogic, JBoss, OC4J and WebSphere
e) Web-based application deployed on the J2EE application server (for profile/password management, provisioning and delegated administration)
f) J2EE-based application (uses EJB, JMS, JDBC and JNDI) deployed on the J2EE application server (for provisioning, reconciliation, request processing and scheduled jobs)
g) Remote Manager (aka agent; optional component deployed on the target machine) - used only by advanced mainframe connectors (IBM RACF, CA ACF2 ...) and Active Directory password synchronization
h) Quartz - a Java job-scheduling library that ships as part of Oracle Identity Manager and runs its scheduled tasks
4. Backend System / Integration Layer (logical component)
i) Database holding the OIM schema and repository - certified databases are Oracle and Microsoft SQL Server
j) Backend systems (aka resources in OIM terminology) like ERP, CRM, mainframes and LDAP servers that integrate with OIM for user provisioning or reconciliation (these systems are external and not part of OIM)
For overview of Oracle Identity Manager installation click here
Resource, Reconciliation, Provisioning and Connectors in Oracle Identity Manager coming soon !!
Password Policy in Oracle Access Manager #OAM
Password Policy in Oracle Access Manager's Password Management Services (available in OAM's Identity System) lets you define multiple password policies, constraints on password composition, forced password change and lost-password management.
Password Policy: a set of rules that governs the kind of passwords users can create and how long a password remains valid.
- You configure Password Policies from Identity System Console -> System Configuration -> Password Policy
- Password Policies are created in the Identity System (OAM consists of two parts, the Identity System and the Access System) but also apply to the Access System, i.e. to users who try to access resources protected by the Access System.
- You can create multiple password policies applicable at different levels of your directory tree (domain or realm). For example, if a user's DN in the LDAP server is cn=user1,OU=UK,OU=EMEA,DC=onlineappsdba,DC=com, you can have policy1 applicable at DC=onlineappsdba,DC=com, policy2 at OU=EMEA, policy3 at OU=UK and policy4 at cn=user1.
- Password policies are evaluated bottom-up: if there is a policy at the user level, that policy applies. If not, OAM checks for a policy applicable at OU=UK; if there is none there, it looks for a policy at the next OU or DC level above, and so on up the tree. The most specific (deepest) policy on the path from the user entry to the root wins.
- There are three types of administrator in OAM:
a) Master Administrators - administrative access to both the Identity and Access Systems
b) Identity Administrators - administrative access to the Identity System
c) Access Administrators - administrative access to the Access System
Only Master Administrators can configure password policies in Oracle Access Manager.
- If a password policy has "change on reset" enabled (the user must change the password after a reset) but NO Password Change Redirect URL is defined, users are prevented from changing their password and ultimately from logging in.
- The directory server (OID, AD ...) may have its own password policy. The directory's policy should not be stricter than the Access Manager policy, otherwise the two conflict. For example, if the OAM policy locks an account after 5 consecutive failed login attempts but the directory's lockout threshold is 3 attempts, the directory locks the account before OAM's own counter reaches its threshold, and OAM's lockout handling never gets to apply.
- You can create a default password policy that applies to all domains, a policy for a specific directory domain, or multiple policies within one domain.
- The object class for a Password Policy in Oracle Access Manager is OblixPersonPasswordPolicy
- To implement a password policy in OAM, define it in the Identity System Console and then modify the Authentication Scheme in the Access System (add obReadPasswdMode="LDAP" and obWritePasswdMode="LDAP" to the validate_password plug-in)
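As an added example (not code from the original post or from OAM), here is a small Python routine that models the bottom-up policy lookup described above and the lockout-threshold check from the directory server bullet. The policy names, DNs and lockout values are constructed for the example; real OAM policies are stored as OblixPersonPasswordPolicy entries and resolved by the product, not by this code.

```python
# Added example (not OAM code): resolve which password policy applies to a
# user DN by walking the directory tree bottom-up, and check the directory's
# own lockout threshold against the chosen policy.

# Constructed policies, keyed by the DN at which each applies.
POLICIES = {
    "dc=onlineappsdba,dc=com":                        {"name": "policy1", "lockout_attempts": 5},
    "ou=EMEA,dc=onlineappsdba,dc=com":                {"name": "policy2", "lockout_attempts": 5},
    "ou=UK,ou=EMEA,dc=onlineappsdba,dc=com":          {"name": "policy3", "lockout_attempts": 5},
    "cn=user1,ou=UK,ou=EMEA,dc=onlineappsdba,dc=com": {"name": "policy4", "lockout_attempts": 10},
}
DEFAULT_POLICY = {"name": "default", "lockout_attempts": 5}  # applies when nothing on the path matches


def normalize_dn(dn):
    """Lower-case and strip whitespace around each RDN so DNs compare reliably.

    Simplification: RDNs are split on ',' only; escaped commas inside
    attribute values are not handled by this example.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_levels(dn):
    """Yield the DN itself, then each parent up to the root suffix."""
    rdns = normalize_dn(dn).split(",")
    for i in range(len(rdns)):
        yield ",".join(rdns[i:])


def resolve_policy(user_dn, policies=POLICIES, default=DEFAULT_POLICY):
    """Bottom-up lookup: the most specific policy on the path from the
    user entry to the root wins; fall back to the default policy."""
    by_dn = {normalize_dn(dn): policy for dn, policy in policies.items()}
    for level in dn_levels(user_dn):
        if level in by_dn:
            return by_dn[level]
    return default


def directory_lockout_conflict(policy, directory_lockout_attempts):
    """True if the directory locks accounts after fewer failures than OAM would.

    In that case the directory locks the account before OAM's counter reaches
    its own threshold, which is the conflict described in the post.
    """
    if directory_lockout_attempts is None:       # directory lockout disabled
        return False
    return directory_lockout_attempts < policy["lockout_attempts"]


if __name__ == "__main__":
    for dn in ("cn=user1,ou=UK,ou=EMEA,dc=onlineappsdba,dc=com",
               "cn=user2,ou=UK,ou=EMEA,dc=onlineappsdba,dc=com",
               "cn=user3,ou=FR,ou=EMEA,dc=onlineappsdba,dc=com",
               "cn=user4,ou=APAC,dc=onlineappsdba,dc=com"):
        print(dn, "->", resolve_policy(dn)["name"])
    uk = resolve_policy("cn=user2,ou=UK,ou=EMEA,dc=onlineappsdba,dc=com")
    print("conflict with a directory lockout of 3:", directory_lockout_conflict(uk, 3))
```

user1 gets policy4 (user level), user2 gets policy3 (OU=UK), user3 gets policy2 (OU=EMEA, since there is no policy at OU=FR) and user4 gets policy1 (domain level). Run the lockout check for every level that carries a policy, not just the one you expect most users to hit: a directory lockout of 3 conflicts with all four of the constructed policies above.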
How often does the Access Server check for password policy changes?
The Password Policy Reload Period (in seconds) is an Access Server setting that determines how often the Access Server checks the Identity Server for new or changed password policies.
Password policies are cached in the Access Server. You can flush the password policy cache manually, or restart the Access Server, which flushes the cache automatically.
How to flush the password policy cache in the Access Server?
Access System Configuration -> Common Information Configuration -> Flush Password Policy