Wednesday, December 21, 2016

OAM Coherence General SSLEngine problem - Certificates does not conform to algorithm constraints

Oracle Access Management 11.1.2.3.0 running on JDK 1.7.0.121 has the following warning appearing in the logs every couple of seconds:

<Dec 19, 2016 5:08:07 PM EET> <Warning> <Coherence> <BEA-000000> <2016-12-19 17:08:07.764/977.031 Oracle Coherence GE 3.7.1.13 <Warning> (thread=PacketListener1, member=1): TcpDatagramSocket{bind=ServerSocket[addr=/x.x.x.x,localport=9095]}, exception regarding peer oam.xxx.com/x.x.x.x:9095, General SSLEngine problem; Certificates does not conform to algorithm constraints>
<Dec 19, 2016 5:08:07 PM EET> <Warning> <Coherence> <BEA-000000> <2016-12-19 17:08:07.764/977.031 Oracle Coherence GE 3.7.1.13 <Warning> (thread=PacketListener1, member=1): TcpDatagramSocket{bind=ServerSocket[addr=/x.x.x.x,localport=9095]}, exception regarding peer /x.x.x.x:48698, Received fatal alert: certificate_unknown>

This happens because, as of JDK 1.7 release 95, MD5withRSA is disabled for SSL/TLS and RSA keys smaller than 1024 bits are rejected by default.

A quick and temporary (insecure) workaround is to edit java.security in jdk/jre/lib/security/java.security
and remove MD5withRSA from
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768

and also remove MD5 and lower the RSA keySize to 512 in
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024


To permanently solve this error the certificate needs to be replaced with a stronger one.

First we need to recover the keystore password using Enterprise Manager (em).

The System MBean Browser exposes a method called getPortableCredential under Application Defined MBeans -> com.oracle.jps -> Domain: <your domain name> -> JpsCredentialStore -> JpsCredentialStore.

Execute it with OAM_STORE as parameter 1 and coh as parameter 2; the result is the keystore password.

Inside domain_home/config/fmwconfig we create a new keystore with a 2048-bit RSA key and its self-signed certificate:
keytool -genkey -alias admin -keyalg RSA -keysize 2048 -dname "CN=\"administrator ou=oam\", o=Oracle, C=US" -validity 3650 -keypass 9tgsga3ohf8let75019jfk2tga -keystore .cohstore.jks.new -storetype jks -storepass 9tgsga3ohf8let75019jfk2tga

Then we export the certificate:
keytool -export -alias admin -file cohadmin.cert -keystore .cohstore.jks.new -storepass 9tgsga3ohf8let75019jfk2tga -storetype jks
Certificate stored in file <cohadmin.cert>

And then we import the certificate back as assertion-cert:

keytool -importcert -alias assertion-cert -trustcacerts -file cohadmin.cert -keystore .cohstore.jks.new -storetype jks -storepass 9tgsga3ohf8let75019jfk2tga
Certificate already exists in keystore under alias <admin>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

Finally we stop all servers and replace cohstore.jks with cohstore.jks.new.

After starting all servers the error is gone.
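As an added example (not part of the original post), here is a small Python checker that reads the two java.security constraint lines quoted above and reports why a keystore entry would be rejected, before and after the certificate replacement; the CertInfo records and the two sample entries are constructed, and the new certificate's signature algorithm is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed copy of the java.security lines quoted in the post (JDK 7u95+ defaults).
JAVA_SECURITY = """
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

@dataclass
class CertInfo:
    """Hypothetical summary of one keystore entry (what keytool -list -v prints)."""
    alias: str
    sig_alg: str   # e.g. "MD5withRSA"
    key_alg: str   # e.g. "RSA"
    key_size: int  # bits

def parse_disabled(text, prop):
    """Split one disabledAlgorithms property into plain names and 'keySize <' limits."""
    names, limits = set(), {}
    m = re.search(rf"^{re.escape(prop)}\s*=\s*(.*)$", text, re.M)
    if not m:
        return names, limits
    for item in (p.strip() for p in m.group(1).split(",")):
        ks = re.fullmatch(r"(\w+)\s+keySize\s*<\s*(\d+)", item)
        if ks:
            limits[ks.group(1).upper()] = int(ks.group(2))
        elif item:
            names.add(item.upper())
    return names, limits

def violations(cert, text, prop="jdk.certpath.disabledAlgorithms"):
    """Return why a certificate fails the given constraint property ([] if it passes)."""
    names, limits = parse_disabled(text, prop)
    problems = []
    sig = cert.sig_alg.upper()
    digest = sig.split("WITH")[0]  # MD5withRSA -> MD5
    # Listing either the full signature name or only its digest blocks the cert.
    if sig in names or digest in names:
        problems.append(f"{cert.alias}: signature {cert.sig_alg} is disabled")
    limit = limits.get(cert.key_alg.upper())
    if limit is not None and cert.key_size < limit:
        problems.append(f"{cert.alias}: {cert.key_alg} key {cert.key_size} < {limit} bits")
    return problems

# Constructed entries: the weak cert the workaround implies, and the 2048-bit
# key from the keytool -genkey step (SHA256withRSA signature assumed).
OLD_CERT = CertInfo("admin", "MD5withRSA", "RSA", 512)
NEW_CERT = CertInfo("admin", "SHA256withRSA", "RSA", 2048)
```

Run violations() against each property for the old and the new entry; the old one fails both jdk.certpath and jdk.tls constraints, the new one passes.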

Reference doc: 1986560.1




Monday, December 19, 2016

oracle identity management rcu with oracle 12c database

The certification matrix for Oracle Identity Management 11g R2 states that the 12c database is supported. Concretely, the document states that "The Oracle databases listed are supported on all configurations (including RAC) and platforms that the database team supports", and Oracle 12.1.0.1+ is in the list.

I created a 12c Container Database and also a Pluggable Database to host my OIM schemas. I downloaded RCU 11.1.1.9, which is the version supported for OIM 11g R2, but when I ran it to create the repositories it reported that my database is not supported.

After searching on the web I realized that I had not read the release notes for OIM: https://docs.oracle.com/cd/E52734_01/core/IDMRN/intro.htm#IDMRN389

The release notes state: "Oracle Database 12c (12.1.0.x) with PDB is not Supported in 11g Release 2 (11.1.2.3)"

There is also a second, minor problem with 12c support. We need to run xaview.sql from the ORACLE_HOME/rdbms/admin directory to create the XAVIEW objects because, as the release notes state, "For Oracle Database 10g and 11g databases, these objects are automatically created by RCU if they are not already in place. Oracle Database 12c databases have a new XAVIEW structure that requires the explicit creation of these objects."

If this script has not been run before RCU, RCU stops with the following error:

Error: Views/Synonyms required for XA transaction support are missing in this Database 12c.
         These views/synonyms are required by the OIM Schema.
  Action: Refer Oracle Database Administrator's Guide to install XA transaction recovery views/synonyms
 using the script xaview.sql. Contact your DBA.

Running the script gives the following output (the ORA-00942 errors on the DROP statements are expected on a first run, since the views do not exist yet):
SQL> @xaview.sql

DROP VIEW d$xatrans$

*

ERROR at line 1:

ORA-00942: table or view does not exist

DROP VIEW d$pending_xatrans$

*

ERROR at line 1:

ORA-00942: table or view does not exist

View created.

Synonym created.

View created.

Synonym created.

After running the script, RCU generates the OIM schema successfully.
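An added Python helper (not from the original post) that reads the SQL*Plus transcript above and tells the expected ORA-00942 on the DROP statements apart from a real failure; the transcript and the expected object counts (two views, two synonyms) are taken from the run shown here.

```python
import re

# Constructed SQL*Plus transcript, copied from the post's run of xaview.sql
# on a database where the XA views did not exist yet.
XAVIEW_OUTPUT = """\
SQL> @xaview.sql
DROP VIEW d$xatrans$
*
ERROR at line 1:
ORA-00942: table or view does not exist
DROP VIEW d$pending_xatrans$
*
ERROR at line 1:
ORA-00942: table or view does not exist
View created.
Synonym created.
View created.
Synonym created.
"""

def check_xaview_run(output, expected_views=2, expected_synonyms=2):
    """Decide whether an xaview.sql run left RCU's XA prerequisites in place.

    ORA-00942 raised by a DROP is harmless on a first run (nothing to drop yet);
    any other ORA- error, or fewer created views/synonyms than expected, means
    RCU would still stop with the "Views/Synonyms required for XA" error.
    """
    created = {"View": 0, "Synonym": 0}
    benign, real = [], []
    last_stmt = None
    for line in output.splitlines():
        line = line.strip()
        if re.match(r"(DROP|CREATE)\b", line, re.I):
            last_stmt = line
        elif line.startswith("ORA-"):
            is_drop = last_stmt is not None and last_stmt.upper().startswith("DROP")
            bucket = benign if line.startswith("ORA-00942") and is_drop else real
            bucket.append((last_stmt, line))
        else:
            m = re.fullmatch(r"(View|Synonym) created\.", line)
            if m:
                created[m.group(1)] += 1
    ok = (not real and created["View"] >= expected_views
          and created["Synonym"] >= expected_synonyms)
    return {"ok": ok, "created": created, "benign_errors": benign, "real_errors": real}
```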

In conclusion, the release notes for Oracle products contain valuable information that the documentation sometimes does not include, and they should not be ignored before an installation.

Friday, December 16, 2016

weblogic installation unable to instantiate GUI, defaulting to console mode

Installing WebLogic 10.3.6 on a CentOS minimal installation from a terminal with X forwarding results in "Unable to instantiate GUI, defaulting to console mode":

$ java -jar wls1036_generic.jar
Unable to instantiate GUI, defaulting to console mode.

We can of course do the installation in console mode.
To fix the GUI issue we need to install libXtst using yum:

$ sudo yum install libXtst.x86_64 -y

After installing it, the installer runs in GUI mode as expected.

Wednesday, December 14, 2016

sqlcl improves the way we work with oracle databases from terminal

sqlcl is a command line tool for connecting to and working with an Oracle database from the terminal. It has autocomplete, easy formatting for the terminal or for export to CSV, HTML and other formats, command history, editing of SQL commands in an external editor, editing or correcting of multi-line commands and many more features.

You can download it from Oracle website:

http://www.oracle.com/technetwork/developer-tools/sql-developer/overview/index-097090.html

To run it you need to extract it and, for convenience, put sqlcl/bin in your system or user PATH.

The command to run it on Linux is sql inside sqlcl/bin (you can use sql.bat or sql.exe on Windows).

There are several ways to connect to the database. Personally I prefer to connect like this:

$ sql sys@//dbhostname:port/servicename as sysdba

The first thing to do is change the sqlformat. You can do it using
SQL> set sqlformat ansiconsole

This changes the output of queries to be easier to read in the terminal. Try it with and without this setting and the improvement is obvious.

Using tab you get autocomplete for all kinds of objects and commands. I found this very useful.

You can write multi-line commands using enter to separate the lines.
The nice thing is that after you write the command and execute it, you can edit it in vi (or the editor of your choice) from the terminal without exiting sqlcl, and then execute it again. To do this just do

SQL> edit
SQL> /

The / executes the command you just edited in vi.

History is available using the history command
SQL> history

We can execute operating system commands using !
SQL> !ls

This lists the files in the working directory.

I am not a DBA and I only occasionally connect to and work with databases, but I already love this tool because I enjoy working from the terminal and sqlcl improves the way I work with databases there. Give it a go; I am sure you will enjoy it.

You can find more information in this excellent blog:

http://krisrice.blogspot.com

And a getting started video here:

https://www.youtube.com/watch?v=HApdy-o525A





Friday, December 18, 2015

Oracle BPM Suite 12c Server using Ansible

This article describes a way to automate the installation of Oracle BPM 12.2.1 on a Linux 7 server. I'm using Ansible to automate the configuration of the Linux server and the installation of the software. I'm also using Vagrant with Oracle VirtualBox to automatically provision a Linux 7 server and run the Ansible playbook on the virtual machine for testing.
You can download the sample code in my GitHub account:

https://github.com/cvezalis/ansible.oracle.bpm.12c

The sample source code contains an Ansible playbook and the configuration for Vagrant. Before you run it you need to download from Oracle Support the supported JDK 8 installation file (for example jdk-8u66-linux-x64.tar.gz) and put it in the roles/linux-jdk/files folder, the Fusion Middleware Infrastructure 12.2.1 installation file and put it in the roles/fmw-software/files folder, and the Oracle BPM Suite 12.2.1 installation file and put it in roles/soa-software/files.
You need to have an Oracle Database up and running. If you do not have one or you want to create one with Ansible you can use my playbook for Oracle Database. Links are at the end of this article.

To run it you need to have Ansible, Vagrant and VirtualBox installed, and then just do:

$ vagrant up

The playbook is idempotent, so you can run it again on the same server several times to bring the server to the expected state.

You can configure your infrastructure parameters in infra-vars.yml. At minimum (if you do not use my Ansible playbook to create the database) you need to configure the database connection settings.

You can also set custom passwords in the secrets.yml file. For the oracle Linux user you need to provide the password in hashed (crypt) form. On a Linux system use the following to create it:

mkpasswd --method=SHA-512

Monday, December 14, 2015

jdeveloper 12c generic installer windows 10 integrated weblogic cannot create domain

If you try to install JDeveloper 12c (12.2.1 or 12.1.3) on Windows 10 using the generic installer you will not be able to create a new WebLogic domain, because the Jython libraries bundled with the integrated WebLogic cannot recognize the operating system. The same problem occurs if you install JDeveloper 12c on Windows 7 using the generic installer, then upgrade the operating system to Windows 10 and need to recreate the domain. This also happens with the SOA Suite and Business Process Management Suite Quick Start for Developers installation.

A quick solution is to use the Windows installer instead of the generic one. For the SOA/BPM Quick Start JDeveloper installation you still need to patch jython-modules.jar to create the SOA domain.

If you still want to use the generic installer (for example to use a newer JDK) you can extract jython-modules.jar from C:\Oracle\Middleware\Oracle_Home\wlserver\common\wlst\modules and edit javashell.py inside Lib. Find _osTypeMap and add the string 'Windows 10' to the "nt" tuple, so that it reads:

_osTypeMap = (
        ( "nt", ( 'nt', 'Windows NT', 'Windows NT 4.0', 'WindowsNT',
                  'Windows 2000', 'Windows 2003', 'Windows XP', 'Windows CE',
                  'Windows Vista', 'Windows Server 2008', 'Windows 7', 'Windows 8',
                  'Windows Server 2012', 'Windows 10' )),
        ( "dos", ( 'dos', 'Windows 95', 'Windows 98', 'Windows ME' )),
        ( "mac", ( 'mac', 'MacOS', 'Darwin' )),
        ( "None", ( 'None', )),
        )


Then you need to package the jar file again using jar -cvf jython-modules.jar *.* inside the extracted jython-modules folder.

You can optionally download the patched jython-modules.jar for Windows 10 here:

http://www.link.net.gr/files/jython-modules.jar

Friday, November 27, 2015

WebLogic JDBC performance analyzing using Java Flight Recorder

Java Flight Recorder (JFR) is a tool for monitoring Java applications. JFR is integrated into the Java Virtual Machine (JVM). It has less than 1% overhead and is capable of monitoring production systems without affecting performance.

To enable JFR in the JVM that runs a WebLogic server we need to start WebLogic with two flags:

-XX:+UnlockCommercialFeatures
-XX:+FlightRecorder

The JVM default JMX port is 7091. We can change it, for example to 7093, using:

-Dcom.sun.management.jmxremote.port=7093

This is useful when monitoring multiple managed servers on the same machine, since each managed server must have its own port.

For development servers we can also disable authentication and SSL using the following (this is an insecure setting; do not use it on production machines):

-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false

We can then open Java Mission Control using the jmc command from the JAVA_HOME bin folder:

$ cd $JAVA_HOME/bin
$ ./jmc
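As an added example (not part of the original post), the following Python builds the JVM flags above for one managed server and audits a command line for the insecure development setting and for duplicate JMX ports across servers; the option names are the standard com.sun.management.jmxremote ones quoted in the post, and the helper function names are my own.

```python
import re

def jfr_jvm_args(jmx_port, dev_insecure=False):
    """Build the JVM options from the post for one WebLogic managed server.

    jmx_port must differ for each managed server on the same machine.
    dev_insecure=True reproduces the post's development-only setting
    (no authentication and no SSL on the JMX port).
    """
    args = [
        "-XX:+UnlockCommercialFeatures",
        "-XX:+FlightRecorder",
        f"-Dcom.sun.management.jmxremote.port={jmx_port}",
    ]
    if dev_insecure:
        args += [
            "-Dcom.sun.management.jmxremote.authenticate=false",
            "-Dcom.sun.management.jmxremote.ssl=false",
        ]
    return args

def audit_jmx_args(args):
    """Return the findings a reviewer would raise for a production command line."""
    opts = {}
    for a in args:
        m = re.fullmatch(r"-D(com\.sun\.management\.jmxremote\.[\w.]+)=(.*)", a)
        if m:
            opts[m.group(1)] = m.group(2)
    findings = []
    if "com.sun.management.jmxremote.port" in opts:
        # Remote JMX is only exposed once a port is set; from then on the
        # defaults (authenticate=true, ssl=true) are what protect it.
        if opts.get("com.sun.management.jmxremote.authenticate", "true").lower() == "false":
            findings.append("JMX remote authentication disabled")
        if opts.get("com.sun.management.jmxremote.ssl", "true").lower() == "false":
            findings.append("JMX remote SSL disabled")
    return findings

def ports_unique(server_args):
    """True when several managed servers on one host all use distinct JMX ports."""
    ports = []
    for args in server_args:
        m = re.search(r"jmxremote\.port=(\d+)", " ".join(args))
        if m:
            ports.append(m.group(1))
    return len(ports) == len(set(ports))
```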