https://unixoracledba.wordpress.com/2012/06/16/how-to-create-and-relocate-an-11gr2-rac-database-service/
How to see what services you have and where they are running:
[oracle@Rac1 ~]$ srvctl status service -d RAC
Service CONTACT is running on instance(s) RAC1
How to Add Service to your RAC database:
[oracle@Rac1 ~]$ srvctl add service -s NEWSRV -r RAC1 -a RAC2 -d RAC
[oracle@Rac1 ~]$ srvctl add service -s NEWSRV1 -d RAC -r rac1,rac2
How to see more detailed information about your service:
[oracle@Rac1 ~]$ srvctl config service -s NEWSRV -d RAC
Service name: NEWSRV
Service is enabled
Server pool: RAC_NEWSRV
Cardinality: 1
Disconnect: false
Service role: PRIMARY
Management policy: AUTOMATIC
DTP transaction: false
AQ HA notifications: false
Failover type: NONE
Failover method: NONE
TAF failover retries: 0
TAF failover delay: 0
Connection Load Balancing Goal: LONG
Runtime Load Balancing Goal: NONE
TAF policy specification: NONE
Preferred instances: RAC1
Available instances: RAC2
[oracle@Rac1 ~]$ srvctl config service -s NEWSRV1 -d RAC
Service name: NEWSRV1
Service is enabled
Server pool: RAC_NEWSRV1
Cardinality: 2
Disconnect: false
Service role: PRIMARY
Management policy: AUTOMATIC
DTP transaction: false
AQ HA notifications: false
Failover type: NONE
Failover method: NONE
TAF failover retries: 0
TAF failover delay: 0
Connection Load Balancing Goal: LONG
Runtime Load Balancing Goal: NONE
TAF policy specification: NONE
Preferred instances: RAC1,RAC2
Available instances:
How to Start your Service after creating it:
[oracle@Rac1 ~]$ srvctl start service -s NEWSRV -d RAC
[oracle@Rac1 ~]$ srvctl start service -s NEWSRV1 -d RAC
How to check if your service is registered:
[oracle@Rac1 ~]$ lsnrctl status
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 16-JUN-2012 10:03:26
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.1.0 - Production
Start Date 16-JUN-2012 08:40:17
Uptime 0 days 1 hr. 23 min. 10 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/Rac1/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.103)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.113)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
Instance "+ASM1", status READY, has 1 handler(s) for this service...
Service "CONTACT.localdomain" has 1 instance(s).
Instance "RAC1", status READY, has 1 handler(s) for this service...
Service "NEWSRV.localdomain" has 1 instance(s).
Instance "RAC1", status READY, has 1 handler(s) for this service...
Service "NEWSRV1.localdomain" has 1 instance(s).
Instance "RAC1", status READY, has 1 handler(s) for this service...
Service "RAC.localdomain" has 1 instance(s).
Instance "RAC1", status READY, has 1 handler(s) for this service...
Service "RACXDB.localdomain" has 1 instance(s).
Instance "RAC1", status READY, has 1 handler(s) for this service...
The command completed successfully
How to connect to your Service:
1) Add the following TNS entry to your tnsnames.ora:
NEWSRV =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = scan-ip)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = NEWSRV.localdomain)
    )
  )
2) Connect through SQL*Plus:
[oracle@Rac1 admin]$ sqlplus system@NEWSRV
SQL*Plus: Release 11.2.0.1.0 Production on Sat Jun 16 10:12:49 2012
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> select host_name from v$instance;
HOST_NAME
----------------------------------------------------------------
Rac1.localdomain
Relocating Services:
1) The service relocates to an available instance if the preferred instance becomes unavailable:
[oracle@Rac1 admin]$ ps -ef |grep smon
oracle 5346 1 0 08:39 ? 00:00:00 asm_smon_+ASM1
oracle 6245 1 0 08:40 ? 00:00:02 ora_smon_RAC1
oracle 16371 8720 0 10:13 pts/2 00:00:00 grep smon
[oracle@Rac1 admin]$ kill -9 6245
[oracle@Rac1 admin]$ ps -ef |grep smon
oracle 5346 1 0 08:39 ? 00:00:00 asm_smon_+ASM1
oracle 16488 8720 0 10:14 pts/2 00:00:00 grep smon
[oracle@Rac1 admin]$ srvctl status service -s NEWSRV -d RAC
Service NEWSRV is running on instance(s) RAC2
[oracle@Rac1 admin]$ sqlplus system@NEWSRV
SQL*Plus: Release 11.2.0.1.0 Production on Sat Jun 16 10:14:42 2012
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> select host_name from v$instance;
HOST_NAME
----------------------------------------------------------------
Rac2.localdomain
2) You can manually relocate the service back to its original instance once that instance is back up:
[oracle@Rac1 admin]$ srvctl relocate service -s NEWSRV -d RAC -i RAC2 -t RAC1
[oracle@Rac1 admin]$ srvctl status service -s NEWSRV -d RAC
Service NEWSRV is running on instance(s) RAC1
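The failover test above shows the pattern a DBA checks for after an instance crash: a service left running on an available instance instead of its preferred one. The script below is an added example, not part of the original post; it parses the exact `srvctl status service` and `srvctl config service` output formats shown above (the two sample strings are constructed to match them), reports any running instance that is not in the preferred list, and builds the `srvctl relocate service` command that would move the service back. It never executes srvctl itself, so it runs offline.

```sh
#!/bin/sh
# Added example (not from the original post): detect a RAC service that is
# running away from its preferred instance(s), using srvctl's own output.
# Constructed sample output, in the format shown in the post above:
SAMPLE_STATUS='Service NEWSRV is running on instance(s) RAC2'
SAMPLE_CONFIG='Service name: NEWSRV
Service is enabled
Preferred instances: RAC1
Available instances: RAC2'

# running_instances "<srvctl status service output>" -> comma-separated instance list
running_instances() {
    printf '%s\n' "$1" | sed -n 's/^Service [^ ]* is running on instance(s) //p'
}

# preferred_instances "<srvctl config service output>" -> value of "Preferred instances:"
preferred_instances() {
    printf '%s\n' "$1" | sed -n 's/^Preferred instances: //p'
}

# off_preferred "<status output>" "<config output>"
# Prints every running instance that is not in the preferred list.
# Returns 0 when the service runs only on preferred instances, 1 otherwise.
off_preferred() {
    running=$(running_instances "$1")
    preferred=$(preferred_instances "$2")
    rc=0
    for inst in $(printf '%s' "$running" | tr ',' ' '); do
        case ",$preferred," in
            *",$inst,"*) ;;                    # running where it should
            *) printf '%s\n' "$inst"; rc=1 ;;  # failed over (or started) elsewhere
        esac
    done
    return $rc
}

# relocate_back DB SERVICE "<status output>" "<config output>"
# Prints the srvctl command that moves the service from each non-preferred
# instance back to the first preferred one. Dry run: nothing is executed.
relocate_back() {
    target=$(preferred_instances "$4" | cut -d, -f1)
    candidates=$(off_preferred "$3" "$4" || true)
    for inst in $candidates; do
        printf 'srvctl relocate service -d %s -s %s -i %s -t %s\n' "$1" "$2" "$inst" "$target"
    done
}

# Demo on the constructed sample. Against a live cluster you would feed real output:
#   off_preferred "$(srvctl status service -d RAC -s NEWSRV)" "$(srvctl config service -d RAC -s NEWSRV)"
off_preferred "$SAMPLE_STATUS" "$SAMPLE_CONFIG" || relocate_back RAC NEWSRV "$SAMPLE_STATUS" "$SAMPLE_CONFIG"
```

Only the first preferred instance is used as the relocate target; with a multi-instance preferred list (like NEWSRV1 above) the check still passes as long as every running instance is in that list.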
Syntax and Options
Use the srvctl add service command with the following syntax:
srvctl add service -d db_unique_name -s service_name -r preferred_list
[-a available_list] [-P TAF_policy]
Table A-6 srvctl add service Options
Option Description
-d db_unique_name
Unique name for the database.
-s service_name
The service name.
-r preferred_list
The list of preferred instances.
-a available_list
The list of available instances
-P TAF_policy
The TAF policy (NONE, BASIC, or PRECONNECT). If you choose PRECONNECT, it creates a service_Preconn
Wednesday, November 30, 2016
java.lang.ClassNotFoundException: oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener
Managed Server Fails to Restart with ClassNotFoundException After Deploying the Imaging Application IPM 11g (Doc ID 1286039.1)
Applies to:
Oracle Weblogic Server - Version 10.3.3 and later
Information in this document applies to any platform.
***Checked for relevance on 5-Oct-2012***
Symptoms
A managed server fails to start from the console with the following exception after deploying an imaging application on IPM 11g. The server starts correctly when started with the default startup scripts; it only fails when started through the console using Node Manager. The following error message is reported in the log file as the cause of the deployment failure:
Caused By: java.lang.ClassNotFoundException: oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener
at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:280)
Changes
An imaging enterprise application (.ear file) was deployed in the IPM 11g environment.
Cause
The issue is caused because the required classes are not on the classpath when the servers are started through Node Manager; Node Manager is what the console uses to start managed servers. In the nodemanager.properties file the following setting is set to false, and as a result the servers do not pick up the classpath set by the startup script:
StartScriptEnabled=false
When the servers are started directly with the startWebLogic.sh or startManagedWebLogic.sh scripts, instead of via Node Manager, they start up correctly, because all the required classes are on the classpath when the scripts are used to start the server.
Solution
Force the classpath to be set to the desired value when starting the server through Node Manager. The recommended and simplest way to achieve this is to configure Node Manager to use the startup scripts when starting the managed server. Execute the following steps to implement this solution:
Open the nodemanager.properties file
Set the following properties to 'true':
StartScriptEnabled=true
StopScriptEnabled=true
Stop the Admin Server and other servers in the domain that are running.
Restart the nodemanager.
Start the Admin Server
Retest the issue by restarting the managed server through the console.
Migrate the solution as appropriate to other environments.
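The edit to nodemanager.properties is small, but on a fleet it is worth doing idempotently so that repeated runs neither duplicate the keys nor touch unrelated settings. The script below is an added example and not Oracle's or the note's own code; it sets `StartScriptEnabled` and `StopScriptEnabled` to `true` in a properties file, replacing an existing line or appending when the key is absent, and demonstrates this on a constructed nodemanager.properties sample (the other keys and paths in that sample are made up for the demo).

```sh
#!/bin/sh
# Added example (not from the MOS note): idempotent key=value edit of a
# Java-style properties file such as nodemanager.properties.

# set_property FILE KEY VALUE
# Replaces an existing "KEY=..." line, or appends "KEY=VALUE" if there is none.
# Commented-out lines ("#KEY=...") are left alone on purpose.
set_property() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp) || return 1
        # write via a temp file, then copy back so the file's inode and permissions survive
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY -> current value (last definition wins, as in Java)
get_property() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# enable_start_scripts FILE: the two settings the note asks for
enable_start_scripts() {
    set_property "$1" StartScriptEnabled true
    set_property "$1" StopScriptEnabled true
}

# make_sample_nm_properties -> path of a constructed nodemanager.properties
# (paths and port are made up for this demo)
make_sample_nm_properties() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#Node manager properties
DomainsFile=/u01/app/oracle/wls/nodemanager/nodemanager.domains
ListenPort=5556
StartScriptEnabled=false
StopScriptEnabled=false
QuitEnabled=false
EOF
    printf '%s\n' "$f"
}

# Demo: before/after on the sample file
demo=$(make_sample_nm_properties)
echo "before: StartScriptEnabled=$(get_property "$demo" StartScriptEnabled)"
enable_start_scripts "$demo"
echo "after:  StartScriptEnabled=$(get_property "$demo" StartScriptEnabled)"
rm -f "$demo"
```

In practice the FILE argument is the real nodemanager.properties under the Node Manager home (the note lists the path-independent steps: stop the servers, restart Node Manager, then start the Admin Server again so the new value is read).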
oam 11g good reference
http://yagneshg.blogspot.qa/2012/02/how-to-configure-oam-11g-server-and.html
https://oraidm.wordpress.com/2014/01/30/install-and-configure-11g-oracle-access-manageroam/
Monday, November 28, 2016
ORACLE : How to DROP a User who is connected – forcefully
https://javaworks.wordpress.com/2009/10/29/oracle-how-to-drop-a-user-who-is-connected-forcefully/
The ideal way for all development shops to work is to have each developer have his own database, but as you all know life is not that easy on us!
So you want to update the schema, which requires dropping all users, and you see that your script is complaining that some of the users (in Oracle, users are the schemas) are still connected and cannot be dropped. This would normally mean someone is running an application/service/app server which is holding some connections to your database.
You have been nice to all, mailed the group, pinged some of your fellow developers, but there is a rogue application holding on to a user/schema. What would you do: wait forever, or take matters into your own hands?
Here is some mojo and firepower for you to boot/kill those users forcefully (of course you need SYSDBA access to the database, otherwise you are out of luck).
Find the sessions for the user/schema; as a DBA use: select sid,serial# from v$session where username = '<USERNAME>'
Then kill them with: alter system kill session '<SID>,<SERIAL#>'
A query that produces ready-built kill statements could be:
select 'alter system kill session ''' || sid || ',' || serial# || ''';' from v$session where username = '<USERNAME>'
This will return one kill statement per session for that user, something like:
alter system kill session '375,64855';
alter system kill session '346,53146';
Now drop the user: drop user <USERNAME> cascade;
That's it, the user is vaporized!
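The kill-statement generator above splices a user name straight into SQL that runs as SYSDBA, so whatever wraps it in a script should first confirm the name is a plain Oracle identifier. The function below is an added example, not from the post it quotes; it upper-cases the name, checks it against the unquoted-identifier rules (letter first, then letters, digits, `_`, `$`, `#`, at most 30 characters), and only then emits a SQL*Plus script that kills that user's sessions in a PL/SQL loop and drops the schema. The generated SQL is printed, not executed, so the block runs offline.

```sh
#!/bin/sh
# Added example (not from the original post): build the kill-sessions + drop-user
# script for one schema, refusing anything that is not a plain Oracle identifier.

# valid_oracle_identifier NAME: unquoted identifier rules (what a DBA types after "drop user")
valid_oracle_identifier() {
    printf '%s' "$1" | grep -Eq '^[A-Z][A-Z0-9_$#]{0,29}$'
}

# kill_sessions_sql USER -> SQL*Plus script on stdout; returns 1 and prints nothing if USER is unsafe
kill_sessions_sql() {
    user=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    if ! valid_oracle_identifier "$user"; then
        echo "refusing to build SQL for '$1': not a plain Oracle identifier" >&2
        return 1
    fi
    cat <<EOF
SET SERVEROUTPUT ON
BEGIN
  -- same statement the post generates, one per session, executed from PL/SQL
  FOR s IN (SELECT sid, serial# FROM v\$session WHERE username = '$user') LOOP
    EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION ''' || s.sid || ',' || s.serial# || '''';
    DBMS_OUTPUT.PUT_LINE('killed session ' || s.sid || ',' || s.serial#);
  END LOOP;
END;
/
DROP USER $user CASCADE;
EOF
}

# Demo: a good name produces a script, a malformed one is rejected
kill_sessions_sql scott
kill_sessions_sql "SCOTT' OR 1=1--" || echo "(rejected, as intended)"
```

Run the output as SYSDBA, e.g. `kill_sessions_sql scott | sqlplus / as sysdba`; the validation is what keeps a name taken from a ticket or a CI variable from turning into additional SQL.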
Sunday, November 27, 2016
Non-Ignorable Error: ORA-01917: user or role 'ODS' does not exist
2016-11-27 15:56:27.339 INCIDENT_ERROR rcu: oracle.sysman.assistants.rcu.backend.action.ActionThread::run: Failed to execute method: Excepton:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at oracle.sysman.assistants.rcu.backend.action.ActionThread.run(JavaAction.java:510)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.sql.SQLSyntaxErrorException: ORA-01917: user or role 'ODS' does not exist
at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java:91)
at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java:133)
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:206)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:455)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:413)
at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:1034)
at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:183)
at oracle.jdbc.driver.T4CStatement.executeForRows(T4CStatement.java:942)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1222)
at oracle.jdbc.driver.OracleStatement.executeInternal(OracleStatement.java:1770)
at oracle.jdbc.driver.OracleStatement.execute(OracleStatement.java:1739)
at oracle.jdbc.driver.OracleStatementWrapper.execute(OracleStatementWrapper.java:299)
at oracle.ias.version.SchemaVersion.grantRegistryAccess(SchemaVersion.java:2688)
at oracle.ias.version.SchemaVersion.grantRegistryAccessToComponent(SchemaVersion.java:2632)
at oracle.ias.version.SchemaVersionUtil.utilSetComponentValid(SchemaVersionUtil.java:419)
... 6 more
2016-11-27 15:56:27.341 ERROR rcu: oracle.sysman.assistants.rcu.backend.action.AbstractAction::handleNonIgnorableError: Received Non-Ignorable Error: ORA-01917: user or role 'ODS' does not exist
Solution:
orpidm@pidmdb01:/u01pd/DB/oracle/product/12.1.0/dbhome_1/network/admin$ sqlplus / as sysdba
SQL*Plus: Release 12.1.0.2.0 Production on Sun Nov 27 15:57:09 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Advanced Analytics and Real Application Testing options
SQL> alter profile default limit PASSWORD_VERIFY_FUNCTION null;
Profile altered.
SQL> commit;
Commit complete.
SQL>
Sunday, November 13, 2016
Oracle JDeveloper and Oracle ADF 12c (12.2.1.1.0): New Features
http://www.oracle.com/technetwork/developer-tools/jdev/documentation/1213nf-2222743.html
https://docs.oracle.com/cd/E13224_01/wlw/docs103/guide/webapplications/workshopJSP/tutorialJSP/TutorialJSPMakeJSP.html
Thursday, November 10, 2016
Post DB Installation Tasks:
Post Installation Tasks:
sqlplus "/as sysdba"
SQL> alter system set session_cached_cursors=100 scope=spfile;
System altered.
SQL> alter system set processes=500 scope=spfile;
System altered.
SQL> alter system set aq_tm_processes=1 scope=both;
System altered.
SQL> alter system set db_cache_size=150994944 scope=both;
System altered.
SQL> alter system set java_pool_size=125829120 scope=both;
System altered.
SQL> alter system set shared_pool_size=183500800 scope=both;
System altered.
SQL> alter system set open_cursors=800 scope=both;
System altered.
Wednesday, November 9, 2016
Web Application Integration Steps in OAM 11gR2 (High Level)
https://blogs.oracle.com/OIM11gR2/entry/web_application_integration_steps_in
Install OAM, Webtier (OHS) and WebGate as per the standard installation steps.
Create a WebGate instance (i.e deploy WebGate)
A WebGate instance must be created that will copy required bits of agent from WEBGATE_HOME to WebGate instance location that shares the same INSTANCE_HOME with OHS
./deployWebGateInstance.sh -w /Oracle/Middleware/Oracle_WT1/instances/instance1/config/ohs1 -oh /Oracle/Middleware/Oracle_OAMWebGate1
Note: Here the -w flag indicates the OHS instance folder and -oh indicates the WebGate Oracle home
Configure WebGate
In the WebGate configuration the EditHttpdConf utility copies the OUI-instantiated apache_webgate.template from WEBGATE_HOME to the WebGate instance location (renamed to webgate.conf), and updates httpd.conf with one additional line to include webgate.conf.
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/Oracle/Middleware/Oracle_WT1/lib
Navigate to /Oracle/Middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools
./EditHttpdConf -w /Oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /Oracle/Middleware/Oracle_OAMWebGate1 -o webgate.conf
Register WebGate
Use RREG tool to register the OAM 11G WebGate
Navigate to /Oracle/Middleware/Oracle_IDM1/oam/server/rreg/input
Edit OAM11Grequest.xml. Change the specific xml content to include the weblogic admin URL, agentBaseURL, host identifier etc..
Navigate to /Oracle/Middleware/Oracle_IDM1/oam/server/rreg/bin
Set permissions on oamreg.sh -> chmod 777 oamreg.sh
Edit oamreg.sh and set OAM_REG_HOME=/Oracle/Middleware/Oracle_IDM1/oam/server/rreg
./oamreg.sh inband input/OAM11Grequest.xml
Enter the WebLogic admin credentials when prompted.
After performing the above steps, two artifacts are created under Oracle/Middleware/Oracle_IDM1/oam/server/rreg/output, namely ObAccessClient.xml (storing the WebGate config parameters) and cwallet.sso (storing the agent key). These files must be copied to the WebGate instance config folder (/Oracle/Middleware/Oracle_WT1/instances/instance1/config/ohs1/webgate/config)
Restart OHS
Deploy the web application (myApp) in WebLogic application server
Proxy Configuration in OHS
The mod_wl_ohs module enables requests to be proxied from Oracle HTTP Server 11g to Oracle WebLogic Server.
Navigate to /Oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1
Edit mod_wl_ohs.conf file to include the following:
<IfModule weblogic_module>
    WebLogicHost WEBLOGIC_HOST
    WebLogicPort WEBLOGIC_PORT
    # Debug ON
    # WLLogFile /tmp/weblogic.log
    MatchExpression *.jsp
</IfModule>
<Location /myApp>
    SetHandler weblogic-handler
    # PathTrim /weblogic
    # ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
</Location>
Note: Here WEBLOGIC_HOST and WEBLOGIC_PORT are the WebLogic admin server host and port respectively
Restart OHS. Now if we access the web application URL with the OHS host and port
(Ex: http://OHS_HOST:OHS_PORT/myApp), the requests are proxied to the WebLogic server.
Create a new application domain
Login to OAM Admin Console
Navigate to Shared Components -> Authentication Schemes -> Create Authentication Scheme (Ex: LDAP Auth Scheme. Here the scheme is associated with the LDAP Authentication Module)
Navigate to Policy Configuration -> Application Domain -> Create Application Domain
Enter the Application Domain Name and click Apply.
Navigate to the Resources tab and add the resource URLs
(the web application URLs that need to be protected)
Navigate to the Authentication Policy tab -> Create a new authentication policy by providing the Resource URLs (the sample web application URLs) and the Authentication Scheme.
Navigate to the Authorization Policy tab -> Create a new authorization policy -> Enter the authorization policy name and navigate to the Resources tab -> Attach the Resource URL and Host Identifiers here.
Navigate to the Conditions tab -> Add conditions for whom to allow and whom to deny access.
Navigate to the Rules tab -> Create the Allow Rule and Deny Rule from the conditions defined in the previous step so that the authorization policy can authorize logins.
Navigate to the Resources tab and attach the authentication and authorization policies created in the above steps.
Test the Web Application Integration.
Oracle Access Manager SSO Request Flow
http://www.oraworld.co.uk/step-by-step-flow-of-user-request-for-sso-via-oracle-access-manager/
1. The user requests a resource.
2. A WebGate forwards the request to OAM for policy evaluation.
3. OAM:
– Checks for the existence of an SSO cookie
– Checks policies to determine whether the resource is protected and, if so, how
4. The OAM server logs and returns decisions.
5. The WebGate responds as follows:
– Unprotected Resource
The resource is served to the user.
– Protected Resource
The request is redirected to the credential collector.
The login form is served, based on the authentication policy.
The authentication processing begins.
6. The user sends credentials.
7. OAM verifies the credentials.
8. OAM starts the session and creates the following host-based cookies:
– One per partner: OAMAuthnCookie set by 11g WebGates (ObSSOCookie set by 10g WebGates) using the authentication token received from the OAM server after successful authentication
Note: A valid cookie is required for a session.
– One for the OAM server: OAM_ID
9. OAM logs Success or Failure.
10. A credential collector redirects the request to the WebGate and the authorization
processing begins.
11. The WebGate prompts OAM to look up policies, compare them to the user’s identity,
and determine the user’s level of authorization.
12. OAM logs policy decision and checks the session cookie.
13. The OAM server evaluates authorization policies and caches the result.
14. The OAM server logs and returns decisions.
15. The WebGate responds as follows:
– If the authorization policy allows access, the desired content or applications are
served to the user.
– If the authorization policy denies access, the user is redirected to another URL
determined by the administrator.
OAM 11g WebGate Request Flow
1. The OAM 11g WebGate intercepts a request, determines whether the resource is
protected, and if it is, the server returns a response with the authentication scheme that
is required to authenticate the user.
2. The WebGate sets the OAM_REQ cookie to keep track of the target or requested URL,
and then redirects to the OAM 11g server, which routes the request to the credential
collector.
3. The credential collector serves up the login page, which captures the credentials and
posts them to the OAM server.
4. After the credentials are validated, the OAM server creates an authentication token, the
session in Coherence, and sets the OAM_ID cookie, which has details about the user,
the time the session was created, the idle timeout, and a session identifier to the
Coherence session.
5. Then the OAM server constructs a response, which is encrypted with the WebGate’s
key, and redirects to the WebGate. The WebGate decrypts the response, extracts the
authentication token and the session identifier, and uses that information to set an
OAMAuthnCookie, which is set as a host cookie:
OAMAuthnCookie_.
Note: If you are using a 10g WebGate, the response from the server will contain the
information required to set ObSSOCookie.
If you are using mod_osso, the response will contain the information required to set the OHS host cookie.
6. When subsequent requests are made from that WebGate, the authentication token is
passed by the WebGate to the OAM server, which validates the authentication token,
checks the validity of the OAM_ID cookie and session timeout, checks the server-side
session object stored in Coherence, and does the appropriate authorization checks.
7. When a resource protected by a second WebGate is requested, the request flow is
similar to the preceding points. WebGate2 (WG2) checks whether the resource is
protected, and gets the authentication scheme details from the OAM server. From there,
WG2 redirects to the OAM server and the OAM server checks the OAM_ID cookie,
generates a new authentication token for WG2, creates an encrypted response by using
the key for WG2, and then redirects to WG2. WG2 decrypts the response, extracts the
authentication token and session identifiers, and sets an OAMAuthnCookie as a host
cookie for WG2.
Sunday, November 6, 2016
How To Configure A Custom Login Page For OAM 11g (Doc ID 1281026.1)
APPLIES TO:
Oracle Access Manager - Version 11.1.1.3.0 and later
Information in this document applies to any platform.
GOAL
How to configure an Oracle Access Manager (OAM) authentication scheme to use an external custom form login page?
The intention of this note is to provide only an example showing how to configure an external custom login page.
A full description about how to configure authentication schemes and custom login pages can be found in the
Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 11g Release 1 (11.1.1).
Managing Authentication Modules
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15478/shared.htm#BABEIFCE
and
Oracle Fusion Middleware Developer's Guide for Oracle Access Management 11g Release 2 (11.1.2)
4.2 Developing Custom Login Pages
http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/custpages.htm#CHDIAFAJ
This Note does not cover how to configure a custom login page for the Detached Credential Collector (DCC) introduced with OAM 11.1.2.
Information on how to configure a custom login page for the DCC can be found in the
Oracle Fusion Middleware Developer's Guide for Oracle Access Management 11g Release 2 (11.1.2).
SOLUTION
The following requirements exist for an OAM 11g external custom login page:
Custom login pages require exactly two form fields (username and password). Oracle Access Manager supports authentication forms with two fields only.
The form action has to be: "http://oamserverhost:port/oam/server/auth_cred_submit".
The login page must submit back the "request_id" or the "OAM_REQ" value sent by OAM when redirecting to the external login page.
Please note that to test any custom authentication scheme it must be used to protect a resource of some kind, so there must be an existing application domain and policy that this authentication scheme can be applied to. Further it may be a good idea to validate the access to such a resource with one of the out-of-the-box authentication schemes prior to any customization.
Custom Login Page requirements dependent from the OAM Server "RequestCacheType" setting
During the authentication process the client browser is redirected by the OAM Server to the login page.
The OAM Server needs to store information about the client's original request to a protected resource.
The "RequestCacheType" parameter defines how this information is stored and is configured in the oam-config.xml file.
The "RequestCacheType" parameter can be set to one of the following values:
BASIC: In this mode the OAM Server stores the information in memory.
This mode cannot be used in an OAM cluster high-availability environment,
because during the authentication process the client might be redirected to different OAM Server instances,
and the information about the original request is only available in the memory of one OAM Server instance.
This mode requires the custom login page to return the "request_id" value.
COOKIE: In this mode the OAM Server creates an encrypted OAM_REQ cookie to store the information.
This mode can be used in a high-availability environment.
The custom login page only needs to return the username and password.
FORM: In this mode the OAM Server sends the information about the original request via a POST request using an encrypted OAM_REQ value.
This mode can be used in a high-availability environment.
The login page must return the OAM_REQ value.
Example code to return the OAM_REQ parameter:
----------------------------------------------------------------------------------------
String oamReq = request.getParameter("OAM_REQ");
----------------------------------------------------------------------------------------
1. In this example a login JSP is used so that the "request_id" parameter sent by the OAM Server with each login request can be read.
Caution
This sample code is provided for educational purposes only and not supported by Oracle Support Services. It has been tested internally, however, and works as documented. We do not guarantee that it will work for you, so be sure to test it in your environment before relying on it.
<%@page language="java" import="java.util.*" pageEncoding="ISO-8859-1"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
String reqId = request.getParameter("request_id");   // sent by the OAM Server in BASIC request-cache mode
%>
<html>
<head><title>My JSP 'index.jsp' starting page</title></head>
<body>
<h1>Custom Login JSP</h1>
<form method="post" action="http://oamservername:oamport/oam/server/auth_cred_submit">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="hidden" name="request_id" value="<%= reqId %>">
  <input type="submit" value="Login">
</form>
</body>
</html>
Note: You have to change "oamservername" and "oamport" in the form action URL. For OAM 11.1.1.3: provide the fully qualified hostname and port of the OAM Server as specified in the OAM Console under SSO Engine settings. For OAM 11.1.1.5 and OAM 11.1.2.x: provide the fully qualified hostname and port of the OAM Server as specified in the OAM Console under System Configuration -> Access Manager Settings -> Load Balancing.
2. The login JSP page can be deployed either to the same WebLogic domain where the OAM Server is running or on any external server capable of executing JSP (for example OC4J).
2.1. Deploying the login.jsp to the WebLogic domain where OAM is running.
2.1.1. Create a war file.
- Create the directory "customloginpage" and the subdirectory "pages".
- Copy the file login.jsp containing the above example code to the directory "customloginpage/pages".
- Change directory to "customloginpage".
- Execute the following command to create a war file: jar cvf customloginpage.war *
2.1.2. Copy the customloginpage.war file to the directory $WLS_DOMAIN/servers/AdminServer/upload
2.1.3. Deploy the war file:
- Log on to the WebLogic console.
- Choose "Deployments" and press the "Install" button.
- Choose the customloginpage.war file.
- Use the default "Install this deployment as an application" and press the "Next" button.
- Select the Admin Server and all OAM managed servers and press "Next".
- Accept the defaults and press the "Finish" button.
The war file is now deployed under the context root "/customloginpage".
2.1.4. Create an OAM authentication scheme referencing the custom login JSP page.
- Log on to your OAM Console (/oamconsole).
- Click the Authentication Schemes node, then click the Create button in the toolbar.
- Complete with the following parameters:
Name: provide a name for the authentication scheme
Authentication Level: choose an appropriate level
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: LDAP
Challenge URL: /pages/login.jsp
Context Type: customWar
Context Value: /customloginpage
- Click the Apply button.
2.2. Installing the login JSP on an external server
2.2.1. Install a login.jsp containing the above example code on an external server and test its accessibility via a browser.
2.2.2. Create an OAM authentication scheme referencing the external custom login JSP page:
- Log on to your OAM Console (/oamconsole).
- Click the Authentication Schemes node, then click the Create button in the toolbar.
2.3. Complete with the following parameters:
Name: provide a name for the authentication scheme
Authentication Level: choose an appropriate level
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: LDAP
Challenge URL: URL to access the external JSP (example: http://myserver.oracle.com:80/j2ee/login.jsp)
Context Type: external
2.4. Click the Apply button.
Note: If you have an OAM-OIM integration, any OIM links in the original login page need to be manually added to the custom login page.
Troubleshooting: If changes to the custom login page do not take effect after redeploying it, try removing the OAM server's cache and restarting the OAM server:
1. Shut down oam_server1
2. Rename the cache and tmp folders under $MW_HOME/user_projects/domains/base_domain/servers/oam_server1
3. Restart oam_server1
Note: You have to change "oamservername" and "oamport" in the form action URL. For OAM 11.1.1.3: You have to provide the full qualified hostname and port for the OAM Server as specified in the OAM Console under SSO Engine settings. For OAM 11.1.1.5 and OAM 11.1.2.x : You have to provide the full qualified hostname and port for the OAM Server as specified in the OAM Console under System Configuration -> Access Manager Settings -> Load Balancing 2. The login JSP page could be deployed either to the same WebLogic domain where OAM Server is running or on any external Server capable to execute JSP ( for example OC4J ) . 2.1. Deploying the login.jsp to the WebLogic Domain, where OAM is running. 2.1.1. Create a war file. - create the directory "customloginpage" and the subdirectory "pages" - copy the file login.jsp containing the above example code to the directory "customloginpage/pages" - change directory to ""customloginpage" - execute the following command to create a war file: jar cvf customloginpage.war * 2.1.2. Copy the customloginpage.war file to the directory $WLS_DOMAIN/servers/AdminServer/upload 2.1.3. Deploy the war file: - Log on to the WebLogic console - Choose "Deployments" and press the "Install" button. - Choose the customloginpage.war file - Use the default "Install this deployment as an application" and press the "Next" button - Select the Admin server and all OAM managed Server and press "Next" - Accept the defaults and press the "Finish" button The war file is now deployed under the context root "/customloginpage" 2.1.4. Create an OAM authentication scheme referencing the custom login JSP page. - Log on to your "OAMCONSOLE" (/oamconsole). - Click the Authentication Schemes node, then click the Create button in the tool bar. 
- Complete with the following parameters:
Name: provide a name for the authentication scheme
Authentication Level: choose an appropriate level
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: LDAP
Challenge URL: /pages/login.jsp
Context Type: customWar
Context Value: /customloginpage
- Click the Apply button.
2.2. Installing the login JSP on an external server
2.2.1. Install a login.jsp containing the above example code on an external server and test that it is reachable from a browser. Serve it over HTTPS: a login form delivered over plain HTTP can be altered in transit before the user types in any credentials.
2.2.2. Create an OAM authentication scheme referencing the external custom login JSP page:
- Log on to your "OAMCONSOLE" (/oamconsole).
- Click the Authentication Schemes node, then click the Create button in the tool bar.
2.2.3. Complete with the following parameters:
Name: provide a name for the authentication scheme
Authentication Level: choose an appropriate level
Challenge Method: FORM
Challenge Redirect URL: /oam/server
Authentication Module: LDAP
Challenge URL: URL of the external JSP (example: http://myserver.oracle.com:80/j2ee/login.jsp)
Context Type: external
2.2.4. Click the Apply button.
Note: If you have an OAM-OIM integration, any OIM links in the original login page need to be added manually to the custom login page.
Troubleshooting: If changes to the custom login page do not take effect after redeploying, clear the OAM server's cache and restart the OAM server:
1. Shut down oam_server1
2. Rename the cache and tmp folders under $MW_HOME/user_projects/domains/base_domain/servers/oam_server1
3. Restart oam_server1
Saturday, November 5, 2016
OID 11G How to Unlock/Reset Super User cn=orcladmin When the ODS's Password Has Been Forgotten, Lost or is Unknown?
How to Unlock/Reset Super User cn=orcladmin When the ODS's Password Has Been Forgotten, Lost or is Unknown? (Doc ID 472752.1)
https://itbitsolutions.wordpress.com/2010/02/18/how-to-change-or-reset-password-of-super-user-cnorcladmin-account/
http://ptotech.blogspot.qa/2014/08/oid-11117-unlocking-superuser-orcladmin.html
http://orafapp.blogspot.qa/2012/09/reset-super-user-cnorcladmin-when-odss.html
The oidpasswd utility is used to change the super user account (cn=orcladmin) password and the ODS database schema password.
Note: cn=orcladmin is different from the orasso orcladmin account used for SSO administration. If you want to change the /pls/orasso orcladmin account, you can do it directly from ODS or OIDDAS.
I) Changing the cn=orcladmin password if the ODS password is known
$ oidpasswd connect=connect_string reset_su_password=true
The command prompts for the ODS password and then for the new super user password, for example (connect_string is the connect string of the Metadata Repository database):
$ oidpasswd connect=connect_string reset_su_password=true
OID DB user password:
password: Enter password
confirm password: Enter Password
OID super user password reset successfully
II) Unlocking the super user cn=orcladmin account
$ oidpasswd connect=connect_string unlock_su_acct=true
III) Changing the cn=orcladmin password if the ODS password is unknown or forgotten
Resetting cn=orcladmin in this case is a longer procedure and requires some downtime of OID. Note what it relies on: the ALTER USER privilege on the OID database (step 4) and write access to $ORACLE_HOME/ldap/admin (steps 3 and 6). Anyone who holds both can take over the directory super user, so both the database SYS/DBA accounts and the OID Oracle home must be protected accordingly.
1. Shut down the OID processes
$ opmnctl stopproc ias-component=OID
2. Verify that no OID process is still running (the OID daemons are oidmon and oidldapd; the grep below also matches itself and any other command line containing "oid", so read the output carefully)
$ ps -ef | grep -i oid
3. Rename the oidpwd* files in the $ORACLE_HOME/ldap/admin directory (rename rather than delete them, so they can be put back if the reset is abandoned; they are recreated in step 6).
4. Log in to the OID database as SYS (or another user with the ALTER USER privilege) and change the ODS password
SQL> alter user ods identified by password;
5. Verify that you can log in to the database with the new password
$ sqlplus ods/password@connect_string
6. Execute the oidpasswd command to recreate the files renamed in step 3
$ oidpasswd connect=connect_string create_wallet=true
Note: when prompted, enter the same ODS password that was set in step 4.
7. Verify that the files renamed in step 3 have been recreated under the $ORACLE_HOME/ldap/admin directory
8. If the orcladmin account is locked, use the following command
$ oidpasswd connect=connect_string unlock_su_acct=true
9. If the orcladmin password needs to be changed, use the following command
$ oidpasswd connect=connect_string reset_su_password=true
OID DB user password:
password: Enter password
confirm password: Enter Password
OID super user password reset successfully
10. Start the OID processes
$ opmnctl startproc ias-component=OID
11. Verify that the orcladmin account has been unlocked or that the password has been changed successfully
$ $ORACLE_HOME/bin/ldapbind -p port -D cn=orcladmin -w newpasswd
Note: passing the password with -w leaves it in the shell history and visible in ps output; ldapbind -q prompts for it instead.
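The procedure in section III wrapped into shell functions, as an added example that is not from the original post or from Oracle. It assumes ORACLE_HOME is the OID Oracle home, that opmnctl, oidpasswd and ldapbind are on the PATH as in the post, that the OID database connect string is in CONNECT_STRING (the default alias oiddb is an assumption) and that OID listens on the default non-SSL port 3060 (OID_PORT). The helpers check the two places where the manual steps are easy to get wrong: step 2, where "ps -ef | grep -i oid" also matches the grep itself and unrelated commands, and steps 3 and 7, where the oidpwd* wallet files are renamed and must reappear after create_wallet=true.

```bash
#!/bin/bash
# Added example, not part of the original post: helpers for resetting cn=orcladmin
# when the ODS password is unknown (section III). Assumptions: ORACLE_HOME is the
# OID Oracle home; opmnctl/oidpasswd/ldapbind are on PATH; the daemon names below are
# the OID 11g process names; CONNECT_STRING and OID_PORT defaults are placeholders.

: "${ORACLE_HOME:=/u01/app/oracle/product/oid}"   # assumed default location
LDAP_ADMIN="$ORACLE_HOME/ldap/admin"
CONNECT_STRING="${CONNECT_STRING:-oiddb}"          # assumed TNS alias of the OID database
OID_PORT="${OID_PORT:-3060}"                       # OID default non-SSL port

# Step 2: count real OID daemons by command name only. Reads "ps -eo comm=" style
# lines (one command name per line) from stdin so the check can be tested offline.
oid_daemon_count() {
    grep -cE '^(oidmon|oidldapd|oidrepld|odisrv)$' || true
}

oid_is_stopped() {
    [ "$(ps -eo comm= | oid_daemon_count)" -eq 0 ]
}

# Step 3: rename (never delete) the oidpwd* wallet files so they can be restored if
# the reset is abandoned. Prints the number of files moved; returns 1 if none found.
backup_oidpwd_files() {
    local dir="${1:-$LDAP_ADMIN}" stamp n f
    stamp="$(date +%Y%m%d%H%M%S)"
    n=0
    for f in "$dir"/oidpwd*; do
        [ -e "$f" ] || continue
        case "$f" in *.bak.*) continue ;; esac   # leave earlier backups alone
        mv "$f" "$f.bak.$stamp" && n=$((n + 1))
    done
    echo "$n"
    [ "$n" -gt 0 ]
}

# Step 7: at least one live (non-backup) oidpwd* file must exist again after
# "oidpasswd ... create_wallet=true".
oidpwd_files_present() {
    local dir="${1:-$LDAP_ADMIN}" f
    for f in "$dir"/oidpwd*; do
        case "$f" in *.bak.*) continue ;; esac
        [ -e "$f" ] && return 0
    done
    return 1
}

# Steps 1-11 in order. Each oidpasswd call prompts interactively, as in the post.
run_reset_procedure() {
    opmnctl stopproc ias-component=OID
    oid_is_stopped || { echo "OID daemons still running, aborting" >&2; return 1; }
    backup_oidpwd_files "$LDAP_ADMIN" >/dev/null \
        || { echo "no oidpwd* files found in $LDAP_ADMIN" >&2; return 1; }
    echo "Step 4: in SQL*Plus as SYS run  ALTER USER ods IDENTIFIED BY <new_password>;"
    echo "then verify with  sqlplus ods/<new_password>@$CONNECT_STRING  and press Enter."
    read -r _
    oidpasswd connect="$CONNECT_STRING" create_wallet=true   # enter the step-4 password
    oidpwd_files_present "$LDAP_ADMIN" \
        || { echo "wallet files were not recreated in $LDAP_ADMIN" >&2; return 1; }
    oidpasswd connect="$CONNECT_STRING" unlock_su_acct=true
    oidpasswd connect="$CONNECT_STRING" reset_su_password=true
    opmnctl startproc ias-component=OID
    # -q prompts for the bind password instead of passing it with -w, which would
    # leave it in the shell history and in ps output.
    ldapbind -p "$OID_PORT" -D cn=orcladmin -q
}

# Only act when explicitly asked; sourcing the file just defines the helpers.
if [ "${OID_RESET_RUN:-0}" = "1" ]; then
    run_reset_procedure
fi
```

Source the file to get the helpers, or run it with OID_RESET_RUN=1 on the OID host to execute the whole sequence; it stops at the first failed check rather than continuing with a half-applied reset.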
Reference:
Doc ID 472752.1: How to Unlock/Reset Super User cn=orcladmin When the ODS's Password Has Been Forgotten or is Unknown?
Doc ID 251354.1: OID Superuser Password Locked: How to Unlock the orcladmin Password
OIDPASSWD syntax (A.9 OID Database Password Utility (oidpasswd) Syntax):
http://download.oracle.com/docs/cd/B14099_07/manage.1012/b14082/syntax.htm#sthref3864
Note: if you want to change the passwords of both cn=orcladmin and the ODS database schema and keep them in sync (the same password for both), change orcladmin first and then ODS.
Wednesday, November 2, 2016
12c database install Oracle Clusterware infrastructure error in OLSNODES (OS PID 6333): CLSD/ADR initialization failed
The error is caused by wrong permissions on the client folder in the GRID_HOME. After bringing down the CRS, run the commands below as root on both nodes, then list the nodes with olsnodes: it should list only the nodes that are members of the RAC. Then proceed with the installation.
# crsctl stop crs -f
# cd /crs/install/
# ./rootcrs.sh -init
# crsctl start crs
This solves the issue.