
Sunday, December 24, 2017

Solaris command to check OAM processes


/usr/ucb/ps -auxwwl | grep oam_server1

OpenDJ commands to start and stop OpenDJ


start-ds
stop-ds

To measure search performance:

searchrate -p 1389 -b "dc=example,dc=com" -g 'rand(0,10000)' '(uid=user.%1$d)'



Linux command to compress log files older than 2 days


Compress files older than 2 days (cron job command)

find /var/forgerock/server/logs/ -type f -mtime +1 ! -name '*.gz' -exec gzip {} \;

-mtime +1 matches files last modified more than one full day ago, i.e. at least 2 days old; -type f and ! -name '*.gz' skip directories and files that gzip has already compressed.

To run it from cron (daily at 01:05), add the following entry:

05 01 * * * find /var/forgerock/server/logs/ -type f -mtime +1 ! -name '*.gz' -exec gzip {} \;


To list or delete files older than 120 days (run the -print form first and review the list before using -delete):

find . -type f -mtime +120 -print
find . -type f -mtime +120 -delete
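As an added example (not part of the original post), a small shell script that generalizes the cron job above: it builds a scratch directory with constructed sample logs, shows a dry-run listing before anything is changed, and skips files gzip has already compressed. It assumes GNU coreutils (touch -d) and gzip; LOGDIR and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a log-compression routine in the
# spirit of the cron job above, with a dry-run listing and guards against
# gzipping files twice. Assumes GNU coreutils (touch -d) and gzip. LOGDIR is a
# scratch directory created here; the files in it are constructed for the demo.
LOGDIR="${LOGDIR:-$(mktemp -d)}"

make_sample_logs() {
    # constructed sample data: a fresh log, a 3-day-old log and an already-compressed one
    printf 'fresh entry\n' > "$LOGDIR/access.log"
    printf 'old entry\n' > "$LOGDIR/access.log.1"
    printf 'archived entry\n' | gzip > "$LOGDIR/access.log.5.gz"
    touch -d '3 days ago' "$LOGDIR/access.log.1"
    touch -d '10 days ago' "$LOGDIR/access.log.5.gz"
}

# list_old_logs DAYS: print regular files older than DAYS full days that are not yet gzipped
list_old_logs() {
    find "$LOGDIR" -type f -mtime +"$1" ! -name '*.gz'
}

# compress_old_logs DAYS: gzip exactly the files list_old_logs would report
compress_old_logs() {
    find "$LOGDIR" -type f -mtime +"$1" ! -name '*.gz' -exec gzip {} \;
}

# count_gz: number of compressed files present, used to verify the result
count_gz() {
    find "$LOGDIR" -type f -name '*.gz' | wc -l | tr -d ' '
}

make_sample_logs
echo "Dry run, files that would be compressed:"
list_old_logs 1
compress_old_logs 1
echo "Compressed files now present: $(count_gz)"
```

Only access.log.1 qualifies: access.log is too new and access.log.5.gz is excluded by name, so the run leaves two .gz files and the fresh log untouched.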


Unix file permission numbers: what each digit means


1 = execute only
2 = write only
3 = write and execute (1+2)
4 = read only
5 = read and execute (4+1)
6 = read and write (4+2)
7 = read, write and execute (4+2+1)


Tuesday, December 19, 2017

ForgeRock OpenAM: exporting and importing server configuration using the ssoadm command



To export the server configuration from a ForgeRock OpenAM server, run the following command from the ssoadm bin directory, located under

../../openamtools/admin/.../bin


./ssoadm export-svc-cfg -u [adminID] -f [passwordfile] -e [secretkey] -o [outputfile]


Where:

-u is the username of an account with full admin rights, which is needed to export the configuration

-f is the file containing that user's password

-e is the secret key used to encrypt the exported file. The same key must be supplied when importing the configuration. Any string can be used, for example "abcd"; since the export contains the complete service configuration, choose a strong key and protect both the key and the file.

-o is the name of the XML file that will contain all the configuration information.



To import the configuration, use the following command:

./ssoadm import-svc-cfg -u [adminID] -f [passwordfile] -e [secretkey] -X [XMLfile]



Monday, November 6, 2017

ForgeRock OpenDJ installation steps


ForgeRock OpenDJ installation is the same as installing ODSEE or any other DS instance. To install the OpenDJ Toolkit, perform the following in a root shell as the root user.

1. The OpenDJ Toolkit has been downloaded from http://forgerock.org. Navigate to the /OpenDJ folder and copy the downloaded file there.

# cp /opt/fr-462/software/opendj-ldap-toolkit-2.6.0.zip /OpenDJ
# cd /OpenDJ

2. Extract the files in the ZIP file. For instance, if you downloaded the 2.6.0 version of the OpenDJ Toolkit you would enter the following:

# unzip opendj-ldap-toolkit-2.6.0.zip

This creates a new folder containing the extracted files (for instance, opendj-ldap-toolkit-2.6.0).

3. Rename the new folder to opendjtk.

# mv opendj-ldap-toolkit-2.6.0 opendjtk

4. Add the /OpenDJ/opendjtk/bin folder to your PATH variable.

5. Verify that you can locate the toolkit tools.

# which searchrate

Wednesday, October 11, 2017

Oracle 12c database abnormal shutdown solution


If the Oracle database goes down abnormally, due to a machine failure or server reboot, objects often end up in the INVALID state.


Command to check the status:

select object_name,status from dba_objects where status='INVALID';

If you see a lot of INVALID objects, log in to SQL*Plus from the following directory

../../dbhome/rdbms/admin

and run the following utility to recompile these objects:

SQL> @utlrp.sql




Monday, July 24, 2017

OAM command to dump all URLs from an OAM server



This command dumps the URIs from the existing OAM server. Just change the path and the application domain to match your environment.


OAM_REG_HOME=<MW_HOME>middleware/Oracle_IDM1/oam/server/rreg
cd $OAM_REG_HOME
./bin/oamreg.sh agentValidate <application_domain>

Saturday, June 10, 2017

OAAM 11gR1PS2: enabling logging and exporting configuration



Enable trace in OAAM Server
- Log in to the Fusion Middleware Control console (hostname:7001/em).
- In the left pane go to Farm_IAMDomain -> WebLogic Domain -> IAMDomain -> oaam_server_server1 (you might have different domain or server names).
- At the top of the right pane, under oaam_server_server1, select WebLogic Server -> Logs -> Log Configuration.
- Go to the Log Levels tab, expand Root Logger -> oracle, and change the level for oracle.oaam to TRACE:32.


Exporting OAAM properties
To export OAAM properties, go to the oaam_admin console -> Properties -> leave the Search fields empty -> run Search -> click the row selector in the left corner of the properties table to select all -> Actions -> Export Selected.

Wednesday, March 29, 2017

OAM export policies error: NameError: exportPolicy


wls:/oam_domain/serverConfig> exportPolicy(PathTempOAMPolicyFile='/tmp/pre_upgrade_oam.xml')
Traceback (innermost last):
  File "<console>", line 1, in ?
NameError: exportPolicy
wls:/oam_domain/serverConfig> exportPolicy('/tmp/policy_export.xml')
Traceback (innermost last):
  File "<console>", line 1, in ?
NameError: exportPolicy
wls:/oam_domain/serverConfig> exit()


Solution:

You are running wlst.sh from the wrong place. It should be run from $ORACLE_HOME/common/bin/wlst.sh, where ORACLE_HOME is the Oracle home that contains OAM (for example Oracle_IDM1), because the OAM-specific WLST commands such as exportPolicy are only loaded when WLST is started from there.

Find where ORACLE_HOME/common/bin is and run

wlst.sh

wls:/oam_domain/serverConfig> exportPolicy('/tmp/policy_export.xml')
Successfully exported policies. Check log file for details.

If you get the error below, the keyword argument is not accepted; call the command with the path as a positional argument:

wls:/oam_domain/serverConfig> exportPolicy(PathTempOAMPolicyFile='/tmp/pre_upgrade_oam.xml')
Traceback (innermost last):
  File "<console>", line 1, in ?
TypeError: exportPolicy() got an unexpected keyword argument 'PathTempOAMPolicyFile'


Use the command without PathTempOAMPolicyFile:


wls:/oam_domain/serverConfig> exportPolicy('/tmp/policy_export.xml')







Saturday, February 4, 2017

Difference between 10g WebGate and 11g WebGate

From Oracle:

11g WebGate features:
  • Oracle Universal Installer for platform. Generic for all platforms
  • Host-based cookie
  • Individual OAMAuthnCookie_ per WebGate, making it more secure
  • A per-agent key and a server key are used. The agent key is stored in the wallet file and the server key is stored in the credential store
  • One per-agent secret key shared between the 11g WebGate and the OAM Server; one OAM Server key
  • OAM 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Identity Federation for this situation.
  • Capability to act as a detached credential collector
  • Webgate Authorization Caching
  • Diagnostic page to tune parameters
  • Has separate install and configuration option. Hence, single install and multiple instance configuration is supported.
10g WebGate features:

  • InstallShield and One installer per platform
  • Domain-based cookie
  • ObSSOCookie (one for all 10g Webgates)
  • Global shared secret stored in the directory server only (not accessible to WebGate)
  • There is just one global shared secret key per OAM deployment which is used by all the WebGates
  • OAM 10g provides a proprietary multiple network domain SSO capability that predates Oracle Identity Federation. Complex configuration is required.
  • One Web server configuration supported per WebGate. Need to have multiple WebGates for multiple instances.

Configuring eAuth mode in OIF through WLST



Configuring for eAuth Mode

You can configure the Oracle Identity Federation server to comply with the eAuth specifications. Most of the configuration is performed through Fusion Middleware Control, but the specifications require the presence of two attributes in the SSO assertion that can only be configured through the MBeans/WLST scripts:

the us:gov:e-authentication:basic:specVer attribute containing the version of the eAuth specifications supported by this server

the us:gov:e-authentication:basic:Sid attribute containing the session identifier of the user performing the single sign-on

To configure Oracle Identity Federation to set those two attributes (for a specific provider) and to set the value of the eAuth version, enter the WLST script environment for the Oracle Identity Federation instance and set the following properties as needed.

Set the eauthmodeenabled boolean property for the remote provider to true to enable the eAuth mode:

setFederationProperty(REMOTE_PROVIDER_ID, 'eauthmodeenabled', 'true', 'boolean')
##
## replace REMOTE_PROVIDER_ID with the identifier of the remote provider

Set the eauthversion string property from the idpglobal group to the value the Oracle Identity Federation server should use (2.0 for example):

setConfigProperty('idpglobal', 'eauthversion', '2.0', 'string')


Sunday, January 22, 2017

OIF: updating a self-signed 2048-bit certificate using orapki

OIF requires a PKCS#12 wallet. Below are the commands to create one.



1. Creating a PKCS#12 Wallet
To create an Oracle PKCS#12 wallet (ewallet.p12), use the following command:

orapki wallet create -wallet wallet_location [-pwd password]


To create an auto login wallet (cwallet.sso) that is associated with a PKCS#12 wallet (ewallet.p12), use the following command:

orapki wallet create -wallet wallet_location -auto_login [-pwd password]

This command creates a wallet with auto login enabled (cwallet.sso) and associates it with a PKCS#12 wallet (ewallet.p12). The command prompts you to enter the password for the PKCS#12 wallet if no password has been specified on the command line.

2. Adding a self-signed certificate to the wallet

./orapki wallet add -wallet /tmp/wallet -dn "cn=Orasystemsusa certificate" -keysize 2048 -self_signed -validity 1825 -pwd Password1

-validity 1825 is the number of days the certificate will be valid (5 years).


3. Once you have a wallet with the self-signed certificate, upload it as follows:

Upload the new wallet.

Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.

Navigate to Administration, then Security and Trust.

In the Wallets tab, click Update.

Check the Update checkbox for the wallet you want to update.

Select the keystore type, wallet location, password, and alias. (I uploaded the ewallet file.)

Click OK.





OIF PKI and SSL encryption explanation

A good explanation from Oracle:


Oracle Identity Federation provides secure communication using X.509 certificate authentication.

Oracle Identity Federation provides encryption for data integrity using public key cryptography, a technique that uses a public and private key pair. Data is signed with a sending party's private key and the signature is verified by the recipient using the sender's public key.

Oracle Identity Federation uses documents known as certificates to enable peer providers to establish trust. A Certificate Authority (CA) issues a certificate to vouch for a user's identity, including the party's public key in the certificate for use by the receiving party.

You configure key pairs and certificates using a local keystore. The identity provider configures a public and private key pair and a certificate - providing validation of the public key from a Certificate Authority (CA) - when using the POST profile. The presentation of the public key by the IdP, and certificate import by the SP, are critical aspects in managing the trust relationship between partners.

Friday, January 20, 2017

Steps to add an additional SOA server to the current environment



Steps followed to add additional servers:
1) Clone the existing SOA server
2) Change the hostnames accordingly and add the server to the existing cluster
3) Update startup arguments and anything else necessary
4) Add the new third server to the JMS servers list and JMS modules

Changing Firefox SSL settings to reach the OIM console



1) In Firefox, enter "about:config" in the URL field and press Enter.
2) Accept the "This might void your warranty!" warning.
3) In the search field at the top, enter "security.ssl3.dhe_rsa_aes".
4) Double-click each result (128 and 256) to toggle the value to "false".

Toggling these preferences disables the DHE_RSA_AES cipher suites for every site the browser visits, so treat it as a temporary client-side workaround; the durable fix is to update the server's TLS configuration (for example to ECDHE cipher suites) so that Firefox accepts the handshake without it.

OHS 11gR2 becomes unresponsive and loses connectivity


When OHS becomes unresponsive due to timeouts, the following setting needs to be changed in httpd.conf.



1. Log in to the OHS server

2. Take a backup of the following file:
httpd.conf


3. Change the following in httpd.conf:

KeepAliveTimeout 30

4. Restart the OHS server

Sunday, January 15, 2017

OIF: managing signing and encryption wallets

From Oracle:

Oracle Identity Federation provides a way to update signing and/or encryption wallets smoothly, without interrupting service.

When you need to replace a signing or encryption wallet and a new one is uploaded, Oracle Identity Federation saves the old wallet. The server then continues to use the old wallet in all transactions until it is removed. However, generated metadata will contain the new wallet information as well as the old information. This allows time to notify remote providers about the change.

Once new metadata has been created and distributed to all remote providers, the old wallet can be deleted and Oracle Identity Federation will use the newly uploaded wallet for all subsequent transactions.

Follow these steps when replacing a signing or encryption wallet:

1. Upload the new wallet.
   - Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
   - Navigate to Administration, then Security and Trust.
   - In the Wallets tab, click Update.
   - Check the Update checkbox for the wallet you want to update.
   - Select the keystore type, wallet location, password, and alias.
   - Click OK.

2. Generate and distribute new metadata.
   - Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
   - Navigate to Administration, then Security and Trust.
   - In the Provider Metadata tab, under the Generate Metadata section, select the provider type and the protocol of the metadata to be generated, and click Generate.
   - Save the generated metadata.
   - Distribute the generated metadata to all remote peer providers.

3. Once all remote peers have updated their systems with the new metadata, delete the old wallet.
   - Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
   - Navigate to Administration, then Security and Trust.
   - In the Wallets tab, click Update.
   - In the wallet that you have updated, click Delete old Wallet.

Sunday, January 1, 2017

How to get a file from a remote Unix, Linux or Solaris server using ftp, sftp or scp

ftp servername
To get a file from the host machine, use

get filename

To get multiple files, use
mget filename


$ sftp user@host
Connected to host
sftp> cd /usr/local/folder
sftp> pwd
Remote working directory: /usr/local/folder
sftp> put myfile.tgz    (to put file at other server)
sftp> get myfile.tgz    (to get file from other server)
 
The commands above can also be used with plain ftp if you cannot use sftp; note that ftp sends credentials and file contents in cleartext, so prefer sftp or scp wherever the server supports them.
 
 
Or use scp:
 
scp username@host.example.com:/etc/file.txt .