Sunday, April 1, 2018

OAM and Admin Server: enabling logging at TRACE:32



OAM SERVER TRACE 32 INSTRUCTIONS

How to increase the logging level of the odl-handler to TRACE:32, which adds more detail to the {oam managed server}-diagnostic.log file.

To set this up:
1) Run the /em console.
2) Expand the Farm_base_domain.
3) Expand Identity and Access.
4) Expand OAM.
5) Right click on oam_server.
6) Click on Logs -> Log Configuration.
7) On the Log Files tab, click on odl-handler to select it.
8) Click Edit Configuration.
9) Change the Logging Level to TRACE:32 (note the level that is already set, so it can be restored in step 18).
10) Click OK.
11) Click Close.
12) On the Log Levels tab, click the triangle next to Root Logger to expand the list of loggers, then click the triangle next to "oracle", find both "oracle.oam" and "oracle.security" and use the pull-down menu next to each one to change it to TRACE:32 (FINEST).
13) Click Apply.
14) Click Yes.
15) Click Close.

16) Rename the OAM Server diagnostic log so that a clean log is produced, e.g. rename oam_server1-diagnostic.log to oam_server1-diagnostic1.log.
17) Restart the OAM Managed Server and allow it to reach the Running state.
18) Set the Logging Level back to the previous value and click Apply.


======================================================================

ADMIN SERVER TRACE 32 INSTRUCTIONS

How to increase the logging level of the odl-handler to TRACE:32, which adds more detail to the {admin server}-diagnostic.log file.

To set this up:
1) Run the /em console.
2) Expand the Farm_base_domain.
3) Expand Weblogic Domain.
4) Expand base_domain.
5) Right click on AdminServer.
6) Click on Logs -> Log Configuration.
7) On the Log Files tab, click on odl-handler to select it.
8) Click Edit Configuration.
9) Change the Logging Level to TRACE:32 (note the level that is already set, so it can be restored in step 18).
10) Click OK.
11) Click Close.
12) On the Log Levels tab, use the pull-down menu next to Root Logger to change it to TRACE:32 (FINEST).
13) Click Apply.
14) Click Yes.
15) Click Close.

16) Rename the Admin Server diagnostic log so that a clean log is produced, e.g. rename AdminServer-diagnostic.log to AdminServer-diagnostic1.log.
17) Restart the OAM Managed Server and allow it to reach the Running state.
18) Set the Logging Level back to the previous value and click Apply.
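As an added example (not part of the original instructions for either server), a Python script that reads the resulting diagnostic log, which is written in ODL format, and reports per logger how many records appeared at each level, so you can confirm that oracle.oam and oracle.security really are emitting TRACE:32 before the level is set back in step 18. The sample records are constructed in the ODL layout and are not copied from a real server.

```python
"""Parse ODL-format diagnostic logs (oam_server1-diagnostic.log, AdminServer-diagnostic.log)
and report which loggers are emitting at TRACE:32, so the level change can be confirmed."""
import re
from collections import Counter

# One bracketed ODL field. One level of nesting is allowed because WebLogic writes
# the thread id as "[tid: [ACTIVE].ExecuteThread: ...]".
FIELD = re.compile(r"\[((?:[^\[\]]|\[[^\[\]]*\])*)\]\s*")

def parse_odl_line(line):
    """Return a dict for one ODL record, or None for a continuation/stack-trace line."""
    pos, fields = 0, []
    while True:
        m = FIELD.match(line, pos)
        if not m:
            break
        fields.append(m.group(1))
        pos = m.end()
    if len(fields) < 5 or not fields[0][:4].isdigit():
        return None
    rec = {"time": fields[0], "server": fields[1], "level": fields[2],
           "msg_id": fields[3], "logger": fields[4], "message": line[pos:].strip()}
    for extra in fields[5:]:  # supplemental "[key: value]" fields such as ecid, userId, APP
        key, sep, val = extra.partition(": ")
        if sep:
            rec[key] = val
    return rec

def summarise(lines):
    """Count records per (logger, level) and collect the ECIDs seen at TRACE:32."""
    per_logger, ecids = Counter(), set()
    for line in lines:
        rec = parse_odl_line(line)
        if rec is None:
            continue
        per_logger[(rec["logger"], rec["level"])] += 1
        if rec["level"] == "TRACE:32" and "ecid" in rec:
            ecids.add(rec["ecid"].split(",")[0])  # drop the RID suffix after the comma
    return per_logger, ecids

def trace_enabled(per_logger, prefix):
    """True if any logger under `prefix` (e.g. oracle.oam) has emitted TRACE:32 records."""
    return any(lg.startswith(prefix) and lv == "TRACE:32" for (lg, lv) in per_logger)

# Constructed sample records in ODL layout; not copied from a real server.
SAMPLE_LOG = """\
[2018-04-01T10:15:32.123-04:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.config] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000AAAA0001,0] [APP: oam_server#11.1.2.0.0] Log level reloaded
[2018-04-01T10:15:33.001-04:00] [oam_server1] [TRACE:32] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000BBBB0002,0] [APP: oam_server#11.1.2.0.0] Entering authenticate()
[2018-04-01T10:15:33.002-04:00] [oam_server1] [TRACE:32] [] [oracle.security.jps] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000BBBB0002,0] Looking up credential map
    at some.Class.method(Class.java:42)
[2018-04-01T10:15:34.500-04:00] [oam_server1] [TRACE:32] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000CCCC0003,0] Leaving authenticate()
"""

if __name__ == "__main__":
    counts, ids = summarise(SAMPLE_LOG.splitlines())
    for (logger, level), n in sorted(counts.items()):
        print(f"{logger:30} {level:12} {n}")
    print("TRACE:32 active for oracle.oam:", trace_enabled(counts, "oracle.oam"))
    print("ECIDs seen at TRACE:32:", sorted(ids))
```

The ECID list is what you hand to support: one ECID ties every TRACE:32 record of a single request together across oam_server and AdminServer logs.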

OIF 11g: Questions about Maintenance and Expiry of Signing And Encryption Certificates (Doc ID 1991933.1)

   

This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.
APPLIES TO:

Oracle Identity Federation - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
GOAL

Oracle Identity Federation (OIF) 11.1.1.x has been configured as Identity Provider (IdP) or Service Provider (SP).

OIF has been configured with signing and encryption certificates for messages sent to peer providers. OIF has also been configured to accept signed [and encrypted] messages from peer providers.

This document answers a few common questions about maintenance of the OIF and peer provider signing / encryption certificates.


1. How to renew the OIF signing and/or encryption certificates when they expire?


2. The certificate used by OIF used for signing/encrypting SAML assertions is soon to expire.

A renewed certificate has been obtained and imported into a JKS store.

Is there a way to make OIF work with either of the certificates i.e. both the old and the new one?


3. A new wallet/keystore has been configured in the OIF Security and Trust settings. The old wallet has not been removed.

It is expected to see both new and old encryption certificates in the OIF IdP metadata at http(s)://OIFHOSTNAME.DOMAIN:OIFPORT/fed/idp/metadata for <md:KeyDescriptor use="encryption">.

But only the new certificate is shown in the OIF metadata.

For <md:KeyDescriptor use="signing"> both old and new certificates are included.

Why is this?


4. A peer provider's signing and/or encryption certificate has expired. Will this cause OIF to generate errors or Single Sign-On (SSO) to fail?

5. If a peer provider signing or encryption certificate is soon to expire or has expired, will OIF provide a warning? Is there a way to monitor peer provider certificate expiration through OIF?

6. A peer provider has replaced an expiring or expired signing and/or encryption certificate. How to configure OIF with the new peer provider certificate(s)?

7. How to configure OIF to validate peer provider signing or encryption certificates before use?

8. Does OIF validate certificates using a Certificate Revocation List (CRL)? How?






SOLUTION


1. To replace an expiring signing or encryption certificate in OIF 11.1.1.x, create a new Java keystore or Oracle Wallet containing a new, valid certificate.

Oracle Fusion Middleware (FMW) 11g offers either Oracle Wallet Manager (owm) or keytool to manage certificate stores.

References:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Cross-Suite
Fusion Middleware Administrator's Guide
H Oracle Wallet Manager and orapki

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Security for Oracle Fusion Middleware
Fusion Middleware Securing Oracle WebLogic Server
Using the Keytool Utility


Generate a certificate request using the appropriate tool (keytool or owm) and submit it to a Certificate Authority for the server certificate to be issued.
Then import the server certificate into the keystore/wallet.
After that the keystore/wallet is ready to be configured in OIF.

Follow the instructions here to configure OIF with the new keystore/wallet:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Identity Management
Fusion Middleware Administrator's Guide for Oracle Identity Federation
5.10.1 Security and Trust - Wallet

The following document also provides useful information about replacing the OIF certificates: How To Renew Default Signed Certificate With Self Signed Certificate In OIF (Doc ID 1434548.1).

After the new encryption and signing certificates have been configured in OIF, the OIF metadata must be re-generated and supplied to all peer providers for them to use.

The old certificates/wallet can be kept until all peer providers have updated their configuration with the new OIF metadata.
When all peer providers are using the new metadata, click Remove Old Wallet in the EM console to remove the old OIF certificates.


2. If OIF has been configured with new signing and encryption certificates, will OIF work with either of the certificates, i.e. both the old and the new one?

Yes, the old certificate(s) will continue to be used by OIF until "Remove old wallet" is selected.


3. Until "Remove old wallet" is selected in OIF Administration Security and Trust, OIF will provide both old and new signing certificates in the metadata.

However only the new encryption certificate will be supplied in the OIF metadata.

Peer Providers/Partners only need to know about a single encryption certificate to send encrypted data to OIF. So the OIF IdP metadata only lists the new encryption certificate. The old certificate is no longer necessary.

The OIF server itself is still using the two encryption certificates to decrypt encrypted messages and therefore will be able to decrypt data encrypted with the new encryption certificate as well as the old encryption certificate.


4. OIF will not object to expired peer provider certificates unless OIF is configured to validate certificates before use.

See 7. below.

If certificate validation is configured and OIF cannot validate the signing or encryption certificate for an authentication request or response then SSO will fail.


5. OIF will not provide any warning if a peer provider signing or encryption certificate is soon to expire or has expired. It is the responsibility of the SP to ensure that their certificates are valid.

However OIF will produce an error if a peer provider certificate is expired and OIF is configured for certificate validation (see 7. below).


6. To configure OIF with new peer provider certificates, obtain the new metadata file from the peer provider which contains the renewed certificates. Upload the new metadata file in the OIF Administration -> Federations section. OIF will detect that a provider already exists with the same ID and will replace the existing metadata with the new metadata.


7. To configure OIF 11g to validate certificates, check the "Certificate Validation" checkbox in OIF Administration -> Security and Trust settings.

Note also that if Certificate Validation is configured, the root Certificate Authority (CA) certificate and any subCA certificates for chained certificates must be loaded into the OIF Trust Store.


8. OIF will execute certificate validation for the peer provider signing and encryption certificates IF "Enable Certificate Validation" is checked in OIF Configuration Security and Trust -> Trusted CAs and CRLs section.

If this option is checked then the OIF administrator must upload the root CA certificates for the peer provider signing and encryption certificates in the Trusted CAs list.
If a CRL is also configured then OIF will check the revocation status of certificates using the configured CRL(s).

More detail and more advanced configuration options are provided at the following location:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Identity Management
Fusion Middleware Administrator's Guide for Oracle Identity Federation
6.22 Certificate Path Validation



See also:

OIF 11g: Unable To Load Metadata Files. Error "The Signing Certificate Could Not Be Validated" (Doc ID 1908582.1)

OIF Generates 500 Error When Validating Incoming Message Signature - Reference Validation With URI Failed (Doc ID 1637895.1)

Identity Federation SSO Fails With "Signature verification failed for provider ID ..." (Doc ID 2032605.1)


REFERENCES

NOTE:2032605.1 - Identity Federation SSO Fails With "Signature verification failed for provider ID ..."
NOTE:1908582.1 - OIF 11g: Unable To Load Metadata Files. Error "The Signing Certificate Could Not Be Validated"
NOTE:1637895.1 - OIF Generates 500 Error When Validating Incoming Message Signature - Reference Validation With URI Failed

database error recovering system datafile from local storage to shared storage


Error:

ORA-01157: cannot identify/lock data file 64 - see DBWR trace file
ORA-01110: data file 64: '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf'
ORA-02002: error while writing to audit trail
ORA-00604: error occurred at recursive SQL level 1
ORA-01157: cannot identify/lock data file 64 - see DBWR trace file
ORA-01110: data file 64: '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf'


Solution:

We followed the following set of steps to resolve the issue.

Copy the datafile to shared storage with RMAN:
RMAN> copy datafile '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf' to '+DATA';

Using SQL*Plus, rename the datafile to the new location:
SQL> alter database rename file '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf' to '+DATA/SYSTEM.xxx.zzzzzz';

- open the DB
SQL> alter database open;

- remove the old file
$ rm /u01/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf

This is expected: it is a RAC database, so the new datafile is supposed to be created on the shared disk, not on the local node. When a user adds a datafile using
SQL> alter tablespace system add datafile 'FRA' SIZE 250M AUTOEXTEND ON NEXT 50M MAXSIZE UNLIMITED;
it adds the datafile in the default OMF location, db_create_file_dest.


Extra commands used during troubleshooting. Use the commands below to check the backup of the corrupt file.

set pagesize 20000
set linesize 180
set pause off
set serveroutput on
set feedback on
set echo on
set numformat 999999999999999
alter session set nls_date_format = 'DD-MON-RRRR HH24:MI:SS';
spool recover.lst
select name,platform_name,open_mode,controlfile_type,log_mode,flashback_on,RESETLOGS_TIME,RESETLOGS_CHANGE# from v$database;
select substr(name, 1, 50), status from v$datafile;
select substr(name,1,50), recover, fuzzy, checkpoint_change#,RESETLOGS_TIME,RESETLOGS_CHANGE# from v$datafile_header;
select * from v$backup;
select name, open_mode, checkpoint_change#, ARCHIVE_CHANGE# from v$database;
select GROUP#,THREAD#,SEQUENCE#,MEMBERS,ARCHIVED,STATUS,FIRST_CHANGE# from v$log;
select GROUP#,substr(member,1,60) from v$logfile;
select * from v$log_history;
select * from v$recover_file;
select * from v$recovery_log;
select HXFIL File_num,substr(HXFNM,1,40) File_name,FHTYP Type,HXERR Validity, FHSCN SCN, FHTNM TABLESPACE_NAME,FHSTA status ,FHRBA_SEQ Sequence, FHTHR Thread from X$KCVFH;
spool off


attribute AttributeAuthorityDescriptor and IDPSSODescriptor OIF


Migrating a Certificate in IdP Metadata

This article is for site administrators wishing to replace an old certificate with a new certificate in IdP metadata. Please read the overview Certificate Migration topic before continuing.
Handle the New Private Key Carefully!

The IdP private signing key must be handled with extreme care. Before generating a new private key, consult the IdP Key Handling topic for recommended practices.

In Federation metadata, all certificates in IdP metadata are contained in an <md:KeyDescriptor use="signing"> element. Such a certificate may be used for signing and/or TLS. Usually there are identical key descriptors contained in the <md:IDPSSODescriptor> element (used as a signing key) and the <md:AttributeAuthorityDescriptor> element (used as a TLS key), in which case both certificates are migrated out of metadata at the same time.

Implementation Requirements
This procedure ultimately requires two <md:KeyDescriptor use="signing"> elements to be bound to a single role descriptor in IdP metadata. Some SP software implementations will not consume such metadata (which is an implementation bug). Check with your federation partners before initiating the procedure below.

Regardless of the IdP implementation used, the general migration process is as follows.

Preconditions:

1. There is a single <md:KeyDescriptor use="signing"> element bound to each role descriptor in IdP metadata.
2. The IdP software is configured to use the corresponding private key as a signing key and/or TLS key.

Procedure:

1. Add a new <md:KeyDescriptor use="signing"> element to IdP metadata.
2. Wait for the newly updated metadata to propagate throughout the Federation.
3. Configure the IdP software to use the new key (instead of the old key) as the signing key and/or TLS key.
4. Remove the old <md:KeyDescriptor use="signing"> element from IdP metadata.

Procedural details:

At step 1, log into the Federation Manager, upload a new certificate, and bind that certificate to your metadata. Be sure to bind the certificate to each of the <md:IDPSSODescriptor> and <md:AttributeAuthorityDescriptor> elements. After doing so, your IdP's metadata will contain four (4) key descriptors, two of which are new.

Key Order in Metadata
When two verification keys are listed in IdP metadata, the old one is listed first. This is because the IdP is still signing with the old key as long as two keys are listed in metadata. This accommodates non-conforming SP implementations (such as EZProxy) that try the first key listed and then stop.

The configuration at step 3 depends on your particular IdP software implementation and how the key is used. Some implementations require separate configurations for signing and TLS. In particular, if your IdP supports artifact resolution or attribute query, it may require a separate TLS key configuration. Consult your software documentation for further instructions. (If you're using the Shibboleth IdP, refer to the next section.)

Finally, at step 4, remove the old key descriptors from metadata but leave the two newer key descriptors in the metadata. This completes the migration process.
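As an added example (not from the Oracle note or the federation article above), a Python audit of the <md:KeyDescriptor> elements in IdP metadata. It serves both question 3 of the OIF note (two signing certificates but only one encryption certificate advertised) and the preconditions and key order of this migration article: for each role descriptor it lists the keys per "use" in document order, so that a migration in progress (two signing keys, the first listed still in use) or a surplus encryption key is visible before the metadata is handed to peer providers. The entity ID and certificate bodies are constructed placeholders.

```python
"""Audit the <md:KeyDescriptor> elements in SAML 2.0 IdP metadata, per role descriptor
and per "use", so a key migration (two signing keys, old one first) or an extra
encryption key is visible before metadata is handed to peer providers."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = ("md:IDPSSODescriptor", "md:AttributeAuthorityDescriptor")

def key_descriptors(metadata_xml):
    """Return {role: {use: [certificate text, ...]}} in document order."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for role in ROLES:
        for role_el in root.findall(role, NS):
            uses = {}
            for kd in role_el.findall("md:KeyDescriptor", NS):
                # No "use" attribute means the key is valid for both signing and encryption.
                use = kd.get("use", "signing+encryption")
                cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                text = "".join((cert.text or "").split()) if cert is not None else ""
                uses.setdefault(use, []).append(text)
            out[role.split(":")[1]] = uses
    return out

def migration_report(keys):
    """Flag roles with two or more signing keys (migration in progress: the first
    listed key is the one still used for signing) and roles advertising more than
    one encryption key, which peers do not need."""
    findings = []
    for role, uses in keys.items():
        signing = uses.get("signing", [])
        if len(signing) > 1:
            findings.append(f"{role}: {len(signing)} signing keys, still signing with the "
                            f"first listed ({signing[0][:16]}...)")
        if len(uses.get("encryption", [])) > 1:
            findings.append(f"{role}: more than one encryption key advertised")
        if not signing and "signing+encryption" not in uses:
            findings.append(f"{role}: no signing key at all")
    return findings

def _kd(use, cert):  # builds one KeyDescriptor for the constructed sample below
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed sample: entity ID and certificate bodies are placeholders, not real data.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/fed/idp">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd("signing", "OLD-SIGNING-CERT-PLACEHOLDER") + _kd("signing", "NEW-SIGNING-CERT-PLACEHOLDER")
    + _kd("encryption", "NEW-ENCRYPTION-CERT-PLACEHOLDER") + '</md:IDPSSODescriptor>'
    + '<md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd("signing", "OLD-SIGNING-CERT-PLACEHOLDER") + _kd("signing", "NEW-SIGNING-CERT-PLACEHOLDER")
    + '</md:AttributeAuthorityDescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    for line in migration_report(key_descriptors(SAMPLE_METADATA)):
        print(line)
```

Run it against the metadata URL from question 3 (http(s)://OIFHOSTNAME.DOMAIN:OIFPORT/fed/idp/metadata) after fetching it; an empty report once the old wallet is removed confirms the migration is complete.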


oracle database tablespace size information





SELECT a.file_name,
       substr(A.tablespace_name,1,14) tablespace_name,
       trunc(decode(A.autoextensible,'YES',A.MAXSIZE-A.bytes+b.free,'NO',b.free)/1024/1024) free_mb,
       trunc(a.bytes/1024/1024) allocated_mb,
       trunc(A.MAXSIZE/1024/1024) capacity,
       a.autoextensible ae
FROM (
     SELECT file_id, file_name,
            tablespace_name,
            autoextensible,
            bytes,
            decode(autoextensible,'YES',maxbytes,bytes) maxsize
     FROM   dba_data_files
     GROUP BY file_id, file_name,
              tablespace_name,
              autoextensible,
              bytes,
              decode(autoextensible,'YES',maxbytes,bytes)
     ) a,
     (SELECT file_id,
             tablespace_name,
             sum(bytes) free
      FROM   dba_free_space
      GROUP BY file_id,
               tablespace_name
      ) b
WHERE a.file_id=b.file_id(+)
AND A.tablespace_name=b.tablespace_name(+)
ORDER BY A.tablespace_name ASC;

installing Weblogic at windows 2012 server


  • Run the Oracle WebLogic 10.3.6.0 installer from the image that you downloaded from the Oracle Software Delivery Cloud.
    The item name of the installer is V29856-01. The filename of the installer is:
    wls1036_generic.jar
    Upon execution, the installer starts preparing the OUI install program.
  • Open a Command window with the Run as Administrator option and run this command from the prompt:
    >java -jar wls1036_generic.jar

  • On Choose Middleware Home Directory, click this radio button:
    Create a new Middleware Home
    For example, your Middleware Home Directory might be:

    C:\Oracle\Middleware

  • On Register for Security Updates, Oracle strongly recommends you complete the Email address and/or the My Oracle Support Password fields to register your installation of Oracle WebLogic 10.3.6.0. This registration will enable you to be informed of security issues.
  • Click the Next button

  • On Choose Install Type, select the type of installation you wish to perform.
    In this guide, it is assumed you select the Typical installation type, which installs the Oracle WebLogic 10.3.6.0 and the Oracle Coherence Server.

  •  The Typical selection automatically includes the Oracle Coherence server, which is part of Oracle WebLogic 10.3.6.0. This new server is a stand-alone cache server that enables dedicated JVM instances responsible for maintaining and managing cached data. As of the initial publication of this guide, the JD Edwards EnterpriseOne HTML Server has not been certified with the Oracle Coherence Server.

  • On JDK Selection, click the check box for the JDK you wish to use and install with this product installation.
  • Click the Next button.
  • On Choose Product Installation Directories, complete these fields:
    • WebLogic Server
      Enter or browse to a location where you wish to install an Oracle WebLogic 10.3.6.0.
      For example:
      c:\Oracle\Middleware\wlserver_10.3
    • Oracle Coherence
      Enter or browse to a location where you wish to install the Oracle Coherence Server.
      For example:
      c:\Oracle\Middleware\coherence_3.7
  • Click the Next button.

  • If the above screen does display (because you are not running the installer as an Administrator), on Choose Shortcut Location, click this radio button:
    "All Users" Start Menu folder (recommended)
  • Click the Next button.

  • On Installation Summary, review the products that will be installed.
  • Click the Next button.


  • The installer starts copying files.
    A progress bar is displayed in the lower right-hand portion of the screen.
    As the installer progresses it displays the new features of the Oracle WebLogic 10.3.6.0.

nmConnect() error WLSTException: Error occured while performing nmConnect : Cannot connect to Node



    Connecting to Node Manager ...
    Traceback (innermost last):
      File "<console>", line 1, in ?
      File "<iostream>", line 123, in nmConnect
      File "<iostream>", line 648, in raiseWLSTException
    WLSTException: Error occured while performing nmConnect : Cannot connect to Node
    Manager. : Access to domain 'my_domain' for user 'weblogic' denied
    Use dumpStack() to view the full stacktrace


Solution:
If this is a new installation, update the WebLogic credential information.