Enabling SSL for Infra Tier – Oracle Application Server 10g

This short post shows how to enable SSL for the infrastructure tier in Oracle Application Server 10g. When the Oracle HTTP Server of the infra tier is started it runs in non-SSL mode by default. You can switch it from non-SSL to SSL with a small change to the opmn.xml file on the infra tier.

Follow the steps below to enable SSL on the infra tier.

1) Go to the directory holding opmn.xml on the infra tier.

cd $ORACLE_HOME/opmn/conf

2) Make the following change in the opmn.xml file

Change ssl-disabled to ssl-enabled in the start-mode parameter of the HTTP_Server component, as shown below

<ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
      <category id="start-parameters">
        <data id="start-mode" value="ssl-enabled"/>
      </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
</ias-component>

3) Bounce the HTTP Server of the infra tier.

cd $ORACLE_HOME/opmn/bin

./opmnctl stopproc ias-component=HTTP_Server

./opmnctl startproc ias-component=HTTP_Server

Now you should be able to reach the HTTP server of the infra tier over HTTPS on port 4443 instead of HTTP on port 7777. The SSL port of your installation is listed as "Oracle HTTP Server SSL port" in $ORACLE_HOME/install/portlist.ini. With the default OHS wallet the server presents Oracle's self-signed test certificate, so browsers will warn until a properly issued server certificate is placed in the OHS wallet.

Example: https://ap101fam.us.oracle.com:4443/oiddas/
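As an added example (shell, not part of the original post), the following script performs the opmn.xml edit from step 2 on a copy of the file with a backup, verifies the resulting start-mode, and wraps the bounce from step 3 in a function. It assumes POSIX sh with sed and cp; the sample opmn.xml fragment it writes is constructed from the snippet above, and bounce_http_server is only a wrapper around opmnctl that the self-demonstration does not run.

```shell
#!/bin/sh
# Added example, not from the original post: switch the OHS start-mode in
# opmn.xml from ssl-disabled to ssl-enabled with a backup, and verify the
# result before bouncing the component. Uses only POSIX sh, sed, cp, mv.
# Assumptions: the file holds one start-mode data element for HTTP_Server;
# $ORACLE_HOME/opmn/bin/opmnctl exists (used only by bounce_http_server).

# Print the configured start-mode value (ssl-enabled or ssl-disabled).
start_mode_of() {
  sed -n 's/.*id="start-mode"[[:space:]]*value="\([^"]*\)".*/\1/p' "$1"
}

# Flip ssl-disabled -> ssl-enabled in place, keeping a timestamped backup.
# Idempotent: running it on an already ssl-enabled file changes nothing.
set_ssl_start_mode() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
  sed 's/\(id="start-mode"[[:space:]]*value="\)ssl-disabled"/\1ssl-enabled"/' "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
  # Succeed only if the file now says ssl-enabled and nothing else.
  [ "$(start_mode_of "$f" | sort -u | tr -d '\n')" = "ssl-enabled" ]
}

# Bounce only the HTTP_Server component (restartproc = stopproc + startproc).
# Not run by the demonstration below; needs a real ORACLE_HOME.
bounce_http_server() {
  "$ORACLE_HOME/opmn/bin/opmnctl" restartproc ias-component=HTTP_Server
}

# Constructed sample fragment mirroring the opmn.xml snippet from the post.
write_sample_opmn_xml() {
  cat > "$1" <<'EOF'
<ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
      <category id="start-parameters">
        <data id="start-mode" value="ssl-disabled"/>
      </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
</ias-component>
EOF
}

# Self-demonstration on a scratch copy, never on a live opmn.xml:
demo_file="${TMPDIR:-/tmp}/opmn-sample-$$.xml"
write_sample_opmn_xml "$demo_file"
echo "before: $(start_mode_of "$demo_file")"
set_ssl_start_mode "$demo_file"
echo "after:  $(start_mode_of "$demo_file")"
rm -f "$demo_file" "$demo_file".bak.*
```

On a real system run set_ssl_start_mode "$ORACLE_HOME/opmn/conf/opmn.xml" followed by bounce_http_server; the backup file lets you revert with a single cp if the SSL listener fails to come up.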

Hope this helps !!


Dealing with Oracle Certificate Authority – Oracle Application Server 10g

Introduction:

Digital certificates are essential to securing an enterprise infrastructure deployment. Oracle Application Server Certificate Authority generates and publishes X.509 v3 PKI certificates to support uses such as securing network connections, digital signatures, and strong user authentication. Key features of Oracle Application Server Certificate Authority include its out-of-the-box deployment and a web-based, self-service interface for certificate provisioning.

Requesting the web administrator certificate

OCA has a web administrator who manages the CA and approves the certificates requested by other users. Users can request either a server certificate or a user certificate. A server certificate is needed when a user wants to enable SSL for an application deployed on a server. A user certificate is installed in the user's browser and can be used as an authentication option when logging in to an SSL-enabled application that is also SSO-enabled.

Before we can administer OCA (Oracle Certificate Authority) we first need to obtain the OCA web administrator certificate and install it in our browser.

Follow the steps below to get this certificate from your AS10g OCA installation.

1) Open the OCA administration URL https://(hostname):(port)/oca/admin

Example in my case https://ap101fam.us.oracle.com:6602/oca/admin

Note that the port to use is the "Oracle Certificate Authority SSL Server Authentication port" listed in the ORACLE_HOME/install/portlist.ini file of your infra tier. Click on the "Click Here" link.

2) The enrollment form appears next. Fill in the details (the values used in this example are reflected in the certificate summary below) and click on the "Submit" button.

3) Once you submit, the certificate is issued immediately.

This is the certificate for the web administrator of OCA: the CA issues it to the person who will administer OCA from now on, and it is issued only once. Whoever holds this certificate (in practice, the browser profile and private key it is installed in) can approve every later request, so keep that browser profile protected and back up the certificate and key securely.

Status: Valid
Serial Number: 4
Signature Algorithm: RSA
Issuing Authority: O=oracle,C=US
Usage: Client Authentication, Signing, Encryption
Key Size: 2048
Subject DN: CN=oca_admin,O=oracle,C=IN
Not Valid Before: Saturday, May 3, 2008 5:23:41 AM PDT
Not Valid After: Sunday, May 3, 2009 5:23:41 AM PDT

Once you get this information click on “Install in Browser”.

Once it is installed, you can check that the certificate is present with

Tools -> Options -> Advanced Tab -> Encryption -> View Certificates

if you are using Mozilla Firefox. For other browsers, use the browser-specific path.

Requesting Server Certificate

Once we have the OCA administrator certificate and have become the administrator, any user who needs a server or user certificate has to get our approval. The request comes to us, and once we approve it the user can download the certificate and set up SSL with it. Let us walk through requesting a certificate and approving it.

1) Create a certificate request in OWM (Oracle Wallet Manager)

  • If you are opening OWM for the first time, it asks you to create a new wallet and a default directory for it.
  • You also need to set a password for the wallet.
  • Once this is done, it asks whether you want to create a new certificate request. Click on Yes.
  • A new window opens asking for the certificate details (common name, organization, location and key size).

Enter the relevant information in that screen and click on OK.

Once the request is created, you can export it or copy its PKCS#10 text to a text editor; this text is what you submit to OCA in the next step. The private key never leaves the wallet.

2) Submitting the request to OCA

Open the OCA user page (https://(hostname):(port)/oca/user), go to the "Server / SubCA Certificates" tab, paste the request text copied from OWM and click on Submit. A confirmation window shows the request ID; note it down, as you will need it to find the request for approval.

3) Once the request is submitted, you as the administrator can approve it. In production you would normally send the request to an external certificate authority, which verifies it and issues the certificate after some time; here, being the OCA administrator, we approve it ourselves.

  • For this, go to https://(hostname):(port)/oca/admin. Example: https://ap101fam.us.oracle.com:6602/oca/admin
  • Open the "Certificate Management" tab.
  • You will see that the certificate request is pending your approval. If you do not see any request, search for it with the search box at the top using the request ID you got when you submitted the request.

  • Click on "View Details"; at the bottom there is a button called "Approve". Click on Approve.
  • A confirmation window appears.

4) Now you need to download this certificate and import it into your wallet.

  • For this, go to https://(hostname):(port)/oca/user. Example: https://ap101fam.us.oracle.com:6603/oca/user
  • Open the "Server / SubCA Certificates" tab and search for the certificate by the certificate number that was issued. Note that the request number was 4 but the issued certificate number is 5, so you have to search for certificate #5.
  • Once you find it, click on "View Details".
  • You should see the certificate. Go to the bottom of the page and click on "Save Certificate".
  • The saved file holds two certificates: the first is the server certificate you requested, the second is the OCA's own CA certificate. Keep them apart, because OWM imports them in separate steps.

5) You now have to import both the server certificate and the CA certificate.

  • For this, go to OWM again and click on Operations -> Import User Certificate. It gives you two options: 1) paste the content, 2) upload a file.
  • In my case I am pasting the certificate.

  • When you click on OK, it may show the following error:
    User certificate import has failed because CA certificate does not exist. Do you want to import CA certificate?
  • Click on Yes and paste the CA certificate in the new text area.
  • At the bottom of the OWM window you will see the success message "Your certificate has been successfully imported".

This is how you obtain and import a certificate that can then be used for the SSL configuration of your application (for example EBS). Before using it, confirm in OWM that the wallet shows the user certificate as Ready and that its issuer matches the CA certificate you imported.
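As an added example (shell, not from the original post), here is a script that splits the file produced by "Save Certificate" in step 4, which holds the server certificate followed by the CA certificate, into two PEM files for the two OWM import steps, and optionally checks with openssl that the server certificate chains to the CA certificate. The two PEM blocks it writes for its self-demonstration are placeholders, not real certificates, and verify_chain is only meant for genuine certificates.

```shell
#!/bin/sh
# Added example, not from the original post: split the file saved from OCA's
# "Save Certificate" (server certificate first, CA certificate second) into two
# PEM files so each can be imported separately in OWM, and optionally verify
# that the server certificate really chains to the CA certificate.
# Assumptions: input is PEM (-----BEGIN CERTIFICATE----- blocks); openssl is
# only needed by verify_chain, which the demonstration below does not call.

# Count PEM certificate blocks in a file.
pem_cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the Nth certificate block (1-based) of file $1 to stdout.
pem_cert_n() {
  awk -v want="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /^-----END CERTIFICATE-----/ && n == want { exit }
  ' "$1"
}

# Split an OCA "Save Certificate" download into server.pem and ca.pem in $2.
# Fails loudly if the file does not hold exactly two certificates.
split_oca_download() {
  in="$1"; out="$2"
  [ "$(pem_cert_count "$in")" -eq 2 ] || { echo "expected 2 certificates in $in" >&2; return 1; }
  mkdir -p "$out"
  pem_cert_n "$in" 1 > "$out/server.pem"   # the certificate you requested
  pem_cert_n "$in" 2 > "$out/ca.pem"       # the issuing OCA certificate
  chmod 600 "$out"/*.pem
}

# Check before importing into the wallet (needs genuine certificates):
verify_chain() {
  openssl verify -CAfile "$1/ca.pem" "$1/server.pem" \
    && openssl x509 -in "$1/server.pem" -noout -subject -issuer -dates
}

# Constructed sample: two PEM-shaped blocks with placeholder bodies (not real
# certificates), laid out the way the post describes OCA's saved file.
write_sample_download() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-CERT-BODY-LINE-1
PLACEHOLDER-SERVER-CERT-BODY-LINE-2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT-BODY
-----END CERTIFICATE-----
EOF
}

d="${TMPDIR:-/tmp}/oca-demo-$$"
mkdir -p "$d"
write_sample_download "$d/saved.txt"
split_oca_download "$d/saved.txt" "$d/out" && echo "wrote $d/out/server.pem and $d/out/ca.pem"
rm -rf "$d"
```

With real certificates, run split_oca_download on the saved file and then verify_chain on the output directory; a verification failure before the OWM import is far easier to diagnose than a wallet that silently does not work.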

Hope this helps !!

Start/Stop LISTENER_ES as Oracle User in Oracle Collabsuite 10g

Introduction

When we install Oracle Collabsuite 10g, we can administer all the services as the oracle user (the user who installed Oracle Collabsuite 10g) except one service, LISTENER_ES.

LISTENER_ES is the apps-side listener that brings up the SMTP and IMAP ports. All the ports of the apps tier are defined in the ORACLE_HOME/network/admin/listener.ora file on the apps side.

By default LISTENER_ES has to be started as root, because the standard SMTP and IMAP ports (25 and 143) are privileged ports below 1024 that only root may bind, and the oracle user cannot start it. There is, however, a way to allow start/stop as the oracle user, which this post explains.

Follow the steps below to let the oracle user start and stop LISTENER_ES.

  • Log in to the OCS host as root.
  • Go to the apps tier and source the environment using the .env file.
  • Stop LISTENER_ES as root using the following command:

$ORACLE_HOME/bin/tnslsnr LISTENER_ES stop &

  • As root, make tnslsnr a setuid/setgid root binary:

cd $ORACLE_HOME/bin
chown root tnslsnr
chmod 6751 tnslsnr

Mode 6751 sets the setuid and setgid bits and also grants execute permission to every other user on the host, so anyone with a shell on the machine can run tnslsnr as root. If only the Oracle software owner needs it, use chmod 6750 and make the Oracle install group (for example dba or oinstall) the group owner: the oracle user can still start and stop the listener, and world-execute is gone. Re-check the ownership and mode after patching or relinking, which can recreate the binary with default permissions.

  • Exit, log in to the OCS host as the ORACLE_HOME owner, source the apps-side instance using the .env file and start/stop the listener:

lsnrctl start LISTENER_ES
lsnrctl stop LISTENER_ES

Hope this helps !!

References:

Metalink Note ID: 205298.1

Increasing Email Quota in Bulk – Oracle Collabsuite 10g

Introduction:

Sometimes we need to change the email quota of users. For example, Oracle Collabsuite 10g has a default email quota of 38M, and we may want to increase or decrease it depending on requirements.

In that case we can change the global email quota setting, and any new users created afterwards get the quota we specified. But what about existing users? They keep the quota that was set when they were created. However, we can change the quota of existing users as well, not one by one but in bulk.

This post covers changing email quota for new users and existing users.

Changing E-mail quota for New users

Follow below steps for changing quota for new users

  1. Log in to the Oracle Web Mail client as a domain administrator.
  2. Navigate to Administration tab
  3. Select an installation from the Installation drop-down list.
  4. Select a domain from the Domain drop-down list.
  5. Click Submit.
  6. Modify the following attributes:

mail Quota (MB): (we can put 50 MB here)

Note: 1048576 MB is the maximum quota that can be specified in this field. If you enter 0, the user has unlimited quota.

For more information check – Oracle Collabsuite Documentation

Changing E-mail quota for Existing Users

To change the email quota of existing users we need to modify one attribute of each user in OID. You can export the current value from OID into an LDIF file with ldapsearch, edit the file and load it back with ldapmodify. Here are the steps. Note that a password passed with -w is visible in the process list (ps) while the command runs and is kept in your shell history, so run these from a trusted admin host and remove the command from the history afterwards.

1) Retrieve information from OID using ldapsearch

$ORACLE_HOME/bin/ldapsearch -h <OID_HOST> -p <OID_PORT> -D "cn=orcladmin" -w <PASSWD> -b "cn=Users,dc=yourdomain,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext" -s sub "objectclass=*" dn orclmailquota > quota.ldif

Example:

ldapsearch -h ap6019fems -p 389 -D "cn=orcladmin" -w ocs10gadm -b "cn=Users, dc=ap6019fems, dc=us, dc=oracle, dc=com, cn=um_system, cn=EMailServerContainer, cn=Products, cn=OracleContext" -s sub "objectclass=*" dn orclmailquota > quota.ldif

2) Modify quota.ldif created above

In order to update the information about email quota, modify the ldif file created above so that file looks as given below.

dn: mail=test1@test.yourdomain.com,cn=Users,dc=yourdomain,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext
changetype: modify
replace: orclmailquota
orclmailquota: 50000000

dn: mail=test2@test.yourdomain.com,cn=Users,dc=yourdomain,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext
changetype: modify
replace: orclmailquota
orclmailquota: 50000000

dn: mail=test3@test.yourdomain.com,cn=Users,dc=yourdomain,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext
changetype: modify
replace: orclmailquota
orclmailquota: 50000000

where orclmailquota is the new quota value in bytes (50000000 bytes is a little under 50 MB; 50 MB with 1 MB = 1024 × 1024 bytes would be 52428800). Each dn: line must carry the full DN on one line: in LDIF a continuation line has to start with a space, so a DN pushed onto a line of its own is a syntax error.

3) load the modified ldif file

$ORACLE_HOME/bin/ldapmodify -h <ldap-host> -p <ldap-port> -D "cn=orcladmin" -w <orcladmin_password> -f quota.ldif

Example:

$ORACLE_HOME/bin/ldapmodify -h ap6019fems -p 389 -D "cn=orcladmin" -w ocs10gadm -f quota.ldif
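As an added example (shell, not from the original post), this script generates the modify LDIF of step 2 from the ldapsearch output of step 1 for all users at once, so the file does not have to be edited by hand. It accepts both output styles the tool may produce (LDIF "dn:" / "attr: value" lines, or "attr=value" lines with a bare DN on the first line of each entry), skips entries that have no orclmailquota yet (such as the cn=Users container returned by a subtree search), and takes the new quota in bytes as the post describes. The sample search output and the test1/test2 mailboxes are constructed; the mb_to_bytes helper uses 1 MB = 1024 × 1024 bytes, which is my assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: turn the ldapsearch output of
# step 1 into the modify LDIF of step 2 for every user at once. POSIX sh + awk.
# Accepts both output styles (LDIF "dn: ..."/"attr: value", or "attr=value"
# with a bare DN as the first line of each entry). Entries without an existing
# orclmailquota (e.g. the cn=Users container itself) are skipped rather than
# given a quota they never had.
# Assumptions: entries are separated by blank lines; orclmailquota is in bytes.

# Megabytes (1 MB = 1024*1024 bytes, my assumption) to bytes.
mb_to_bytes() {
  echo $(( $1 * 1024 * 1024 ))
}

# Read ldapsearch output on stdin, write modify LDIF on stdout.
# $1 = new orclmailquota in bytes.
quota_ldif_from_search() {
  awk -v quota="$1" '
    function flush() {
      if (dn != "" && has) {
        print "dn: " dn
        print "changetype: modify"
        print "replace: orclmailquota"
        print "orclmailquota: " quota
        print ""
      }
      dn = ""; has = 0
    }
    /^[[:space:]]*$/        { flush(); next }
    /^dn: /                 { dn = substr($0, 5); next }   # LDIF style DN
    /^orclmailquota[:=]/    { has = 1; next }              # entry already has a quota
    dn == "" && /^[A-Za-z0-9]+=/ { dn = $0; next }         # attr=value style: bare DN first
    END { flush() }
  '
}

# Count the entries an LDIF file will modify (one "changetype: modify" each).
count_modify_entries() {
  grep -c '^changetype: modify' "$1" || true
}

# Constructed sample of step-1 output: one entry in each style, plus the
# container entry a subtree search returns (no quota, must be skipped).
sample_search_output() {
  cat <<'EOF'
dn: cn=Users,dc=yourdomain,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext

dn: mail=test1@test.yourdomain.com,cn=Users,dc=yourdomain,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext
orclmailquota: 39845888

mail=test2@test.yourdomain.com,cn=Users,dc=yourdomain,dc=com,cn=um_system,cn=EMailServerContainer,cn=Products,cn=OracleContext
orclmailquota=39845888
EOF
}

new_quota=$(mb_to_bytes 50)
out="${TMPDIR:-/tmp}/quota-$$.ldif"
sample_search_output | quota_ldif_from_search "$new_quota" > "$out"
echo "$(count_modify_entries "$out") entries in $out, each set to orclmailquota: $new_quota"
# Then load it exactly as in step 3:
# $ORACLE_HOME/bin/ldapmodify -h <OID_HOST> -p <OID_PORT> -D "cn=orcladmin" -w <PASSWD> -f "$out"
rm -f "$out"
```

Pipe the real quota.ldif from step 1 through quota_ldif_from_search instead of the sample, check that count_modify_entries matches the number of mailboxes you expected to touch, and only then run ldapmodify.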

Hope this helps !!

References:

Oracle Collabsuite Admin Guide

Metalink Note ID: 374865.1

Changing Various Passwords in Oracle Collabsuite 10g

This simple post describes the procedure for changing the various passwords in Oracle Collabsuite 10g. I have a project on Oracle Collabsuite 10g and faced a few issues with password management, so I thought of putting it down in an organized way so that others can follow the same process.

There are a few superuser accounts in Oracle Collabsuite that are used by the administrator:

  1. ias_admin – used to log in to the Oracle Collabsuite Application Server Control console (on both the infra and apps tiers)
  2. orcladmin super user for OID (Oracle Internet Directory)
  3. orcladmin super user for SSO (Single Sign On)
  4. Sys, System database users

Of these, sys and system are database users, and I am sure you know how to change their passwords. I will explain how to change the passwords of the other users.

Changing ias_admin password

We can use command line tool or server console for changing ias_admin password.

From the command line you can use emctl as shown below. Note that emctl takes both passwords as arguments, so they end up in your shell history and are visible in ps while the command runs; remove the entry from the history afterwards.

-bash-3.00$ which emctl
~/product/ocs10g/apps/bin/emctl

emctl set password <old ias_admin password> <new ias_admin password>
Example:
[ocs10g@ap6059rt bin]$ emctl set password welcome1 ocs10g
Oracle Enterprise Manager 10g Application Server Control Release 10.1.2.0.2
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.

This changed the password on the apps side, and I was able to log in as ias_admin with the ocs10g password at http://ap6059rt.us.oracle.com:1810/emd/console

However, the ias_admin password on the infra tier was still welcome1 (confirmed).

Before changing the password, source the environment of the tier you want to change, which means setting the following variables:

ORACLE_HOME
TNS_ADMIN=$ORACLE_HOME/network/admin
ORACLE_SID
PATH=$ORACLE_HOME/bin:$PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH

If ORACLE_HOME points to the apps side, the emctl command above changes the password only on the apps side. For the infra tier you have to source the infra-side .env file (or set ORACLE_HOME to the infra tier) and run the emctl command again to change the ias_admin password there. Run `which emctl` first to confirm which tier's emctl you are about to use.

You can also change the password from the Collabsuite Application Server Control console:

1) Go to the apps-side console http://ap6059rt.us.oracle.com:1810/emd/console

2) Click on Preferences and enter the old password and the new password.

3) Click on OK. Password will get changed

Repeat same thing for infra URL http://ap6059rt.us.oracle.com:1156/emd/console

For more details check : Metalink Note ID: 220622.1

Changing password for orcladmin Super user for OID

  1. Source the env on infra side
  2. Run oidadmin
  3. Connect using orcladmin
  4. click on orcladmin@<hostname>:<port>
  5. Click on System password tab
  6. Enter new password (ocs10g) for orcladmin and click on Apply at the bottom

Changing password for orcladmin super user for SSO

  1. Log in to the OIDDAS self-service application as the orcladmin user
  2. Go to Directory tab
  3. Search for orcladmin
  4. Click on Edit button
  5. Enter password in password field and Confirm Password field
  6. Click submit

You can also change this orcladmin password with the oidadmin tool:

  1. Log in to oidadmin as orcladmin (the superuser for OID)
  2. Go to “Entry Management” -> “dc=com” -> “dc=oracle” -> “dc=us” -> “dc=ap6019fems” -> “cn=Users”
  3. (The above navigation is specific to my instance; in your installation the namespace may be different.)
  4. Click on “cn=orcladmin”
  5. On right hand side it will show all the attributes for this user. Scroll down to bottom and you will see a field called userpassword
  6. Change the password here and then click on Apply.

Note that this orcladmin password is different from the password of the orcladmin superuser for OID.

Hope this helps !!

References:

http://www.acs.ilstu.edu/docs/Oracle9iAS/core.902/a92171/tools.htm#1018274
Metalink Note ID: 220622.1
http://www.acs.ilstu.edu/docs/Oracle9iAS/core.902/a92171/security.htm#1012998

Registering External Applications in SSO – Oracle Application Server 10g

External applications are those that are not deployed in your application server instance; an example is Gmail, which you reach at http://mail.google.com. Such applications can be registered as external applications in our Oracle Application Server 10g instance, and access to them can then go through SSO.

I have tried registering Gmail as an external application, and I can access Gmail without providing a username and password once I have logged in to the SSO of my application server.

Here are the steps to do the same.

1) Connect to the orasso application at http://(hostname):(infra http port)/pls/orasso

Example: http://ap101fam.us.oracle.com:7777/pls/orasso

Log in with the orcladmin user ID.

2) Click on “SSO Server Administration”

3) Click on "Administer External Applications"

4) Click on "Add External Application"

On this page you have to provide the following information

Application Name: Google Mail
Login URL: https://www.google.com/accounts/ServiceLoginAuth?service=mail
User Name/ID Field Name: Email
Password Field Name: Passwd
Type of Authentication Used: POST

Here Application Name is any name you choose.

The Login URL is found by going to mail.google.com in your browser and choosing View -> Page Source. Search the source for "action=" and you will find the URL of the login form; put it in the "Login URL" field.

For the User Name/ID field, view the source again and look for the username input; put the value of its name attribute into the User Name/ID field.

Note that the name of the username field on the Gmail page at the time of writing is "Email". Also put every hidden input of the login form into the "Additional Fields" section, with its name and value as they appear in the source.

Similarly, search for the password input in the source and put its name in the "Password Field Name" field of the orasso page.

The field names and URL above are those of the Gmail login page when this was written; providers change their login forms, so re-check the page source rather than copying these values.

Once done, click on OK. A "Google Mail" link appears in the "Edit/Delete External Application" section. When you click on that link it asks for your Gmail username and password, which you provide.

If you tick "Remember My Login Information For This Application", you will not be asked for the Gmail username and password again. SSO stores these credentials in OID, and whenever you log in to SSO and click on "Google Mail" under external applications you are taken straight to your inbox. Remember that the directory now holds a copy of your Gmail password, so anyone who can read those entries can use it; only store third-party credentials you are prepared to entrust to the directory.
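As an added example (shell, not from the original post), the following script extracts from a saved copy of a login page the values the "Add External Application" form asks for: the form action (Login URL), the method (Type of Authentication Used), the names of the username and password inputs, and every hidden input for the Additional Fields section. The sample HTML it writes is constructed to use the field names quoted above, not fetched from Google, and the parsing assumes double-quoted attributes and one login form per page.

```shell
#!/bin/sh
# Added example, not from the original post: pull the values the "Add External
# Application" form needs out of a saved login page: the form action URL, the
# form method, the visible username/password field names and every hidden
# input that belongs in "Additional Fields". POSIX sh + grep/sed/tr.
# Assumptions: one <form> of interest per page; attributes are double-quoted.
# The sample HTML is constructed from the field names quoted in the post.

# Form action URL (Login URL): the action attribute of the <form> tag.
form_action() {
  tr '\n' ' ' < "$1" | sed -n 's/.*<form[^>]*action="\([^"]*\)".*/\1/p'
}

# Form method (Type of Authentication Used): POST or GET, GET if absent.
form_method() {
  m=$(tr '\n' ' ' < "$1" | sed -n 's/.*<form[^>]*method="\([^"]*\)".*/\1/p')
  echo "${m:-GET}" | tr '[:lower:]' '[:upper:]'
}

# Name of the first text/email input (User Name/ID Field Name).
text_field_name() {
  grep -o '<input[^>]*>' "$1" | grep -E 'type="(text|email)"' | head -n 1 \
    | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Name of the password input (Password Field Name).
password_field_name() {
  grep -o '<input[^>]*>' "$1" | grep 'type="password"' | head -n 1 \
    | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Hidden inputs as name=value lines (Additional Fields), in either
# attribute order.
hidden_fields() {
  grep -o '<input[^>]*>' "$1" | grep 'type="hidden"' | while IFS= read -r tag; do
    n=$(printf %s "$tag" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    v=$(printf %s "$tag" | sed -n 's/.*value="\([^"]*\)".*/\1/p')
    if [ -n "$n" ]; then echo "$n=$v"; fi
  done
}

# Constructed sample login page using the field names quoted in the post.
write_sample_login_page() {
  cat > "$1" <<'EOF'
<html><body>
<form id="loginform" action="https://www.google.com/accounts/ServiceLoginAuth?service=mail" method="post">
  <input type="hidden" name="continue" value="https://mail.google.com/mail/">
  <input type="hidden" value="mail" name="service">
  <input type="text" name="Email" id="Email">
  <input type="password" name="Passwd" id="Passwd">
  <input type="submit" name="signIn" value="Sign in">
</form>
</body></html>
EOF
}

page="${TMPDIR:-/tmp}/login-$$.html"
write_sample_login_page "$page"
echo "Login URL:              $(form_action "$page")"
echo "User Name/ID Field:     $(text_field_name "$page")"
echo "Password Field Name:    $(password_field_name "$page")"
echo "Type of Authentication: $(form_method "$page")"
echo "Additional Fields:"; hidden_fields "$page" | sed 's/^/  /'
rm -f "$page"
```

Save the real login page from your browser and run the functions against that file; if hidden_fields prints values that look session-specific (tokens that change on every load), the external-application mechanism will not be able to replay them and the registration will fail no matter how carefully the other fields are copied.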

Hope this helps !!

Using LDIFWRITE and BULKLOAD – Oracle Collabsuite 10g

Hi All,

I have a Collabsuite instance in test and in production, and I was looking for a way to back up the users in OID. I came across the utilities ldifwrite and bulkload.sh. Using these scripts we can back up the users in OID and restore them.

Here is how to use them.

Using LDIFWRITE

ldifwrite is an LDAP utility present in the infra tier's ORACLE_HOME/bin directory.

-bash-3.00$ ldifwrite
usage: ldifwrite [-c <Connect String>] -b <Base DN> -f <filename>
[-e <encoding>] [-t <no. of threads>]
-c = Connect String
-b = BaseDN
-f = LDIF filename
-e = Encoding scheme
-t = Number of threads to be created
-bash-3.00$ ldifwrite -c ocsdev -b "cn=Users, dc=ap6019fems, dc=us, dc=oracle, dc=com" -f ocsdev.ldif
This tool can only be executed if you know database user password for OiD
Enter OiD Password ::

————————————————————
Reading entries under BaseDN “cn=users,dc=ap6019fems,dc=us,dc=oracle,dc=com”…
————————————————————-

————————————————————
17 Entries are written to “ocsdev.ldif”.
————————————————————

Here ocsdev is the connect string of the metadata repository I am using, and the base DN is where all the user entries are stored or created. Any base DN can be exported to an LDIF file this way; the command above produces the file ocsdev.ldif. Note that the export contains every attribute of the entries, including userpassword, so treat the file like a password database: create it with a restrictive umask, keep it off shared filesystems and delete it once the restore has been verified.

Using BULKLOAD

The bulkload.sh script is present on the infra tier in the ORACLE_HOME/ldap/bin directory. Loading user entries from an LDIF file into OID with bulkload.sh involves three steps:

1) Check the data against the schema and for duplicate or bad entries using the -check option

[ocs10g@ap6059rt bin]$ bulkload.sh -connect orcl -check /slot03/oracle/product/ocs10g_1/infra/ocsdev.ldif

Verifying node “orcl”
—————————–
This tool can only be executed if you know database user password
for OiD on orcl
Enter OiD password ::

————————————————————-
Checking data for bulk loading for valid structure…
————————————————————-

No Schema Check Errors.

No Bad Entries found.

No Duplicate DN Entries.

————————————————————-
Bulkload data verification complete
————————————————————-
2) Generate an intermediate file for loading using the -generate option.

When running with this option the OID processes must be down; otherwise you have to run the same command in -append mode.

If the OID processes are not down you get the following error.

[ocs10g@ap6059rt bin]$ bulkload.sh -connect orcl -check -generate /slot03/oracle/product/ocs10g_1/infra/ocsdev.ldif

Verifying node “orcl”
—————————–
This tool can only be executed if you know database user password
for OiD on orcl
Enter OiD password ::
OID Processes running on target node “orcl”
Shutdown OID Process on “orcl” for bulkload

After shutting down OID we can run the command as given below.

[ocs10g@ap6059rt bin]$ bulkload.sh -connect orcl -check -generate /slot03/oracle/product/ocs10g_1/infra/ocsdev.ldif

Verifying node “orcl”
—————————–
This tool can only be executed if you know database user password
for OiD on orcl
Enter OiD password ::

——————————————————————
Checking Internet Directory current schema state
——————————————————————

——————————————————————-
Checking and Generating Internet Directory data for bulk loading
——————————————————————-

Schema Check Errors are logged in : /slot03/oracle/product/ocs10g_1/infra/ldap/log/bulkload.log

Bad Entries are logged in : /slot03/oracle/product/ocs10g_1/infra/ldap/load/badentry.ldif

No Duplicate DN Entries.

——————————————————————-
Data Generated for bulk loading
——————————————————————-

3) Load the data from the intermediate files into OID using the -load option.

[ocs10g@ap6059rt bin]$ bulkload.sh -connect orcl -load /slot03/oracle/product/ocs10g_1/infra/ocsdev.ldif

Verifying node “orcl”
—————————–
This tool can only be executed if you know database user password
for OiD on orcl
Enter OiD password ::
It is recommended to use -check option before generating/loading data
Do you want to continue (y/n?) [n]
y
Loading data on : “orcl”
===============================

——————————————————————
Preparing Internet Directory schema for bulk data loading
——————————————————————

——————————————————————
Initiating bulk load…
——————————————————————

Loading Attribute Search Catalogs..
battr_store001..
battr_store002..
battr_store003..
.

.

The log file for the run is written to $ORACLE_HOME/ldap/log/bulkload.log.

Any duplicate entries found while loading are listed in $ORACLE_HOME/ldap/log/duplicateDN.log.

All bad entries are written to $ORACLE_HOME/ldap/load/badentry.ldif.
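As an added example (shell, not from the original post), the following script adds the checks I would run around an ldifwrite export and a bulkload run: it counts the entries in the exported LDIF to compare with the "Entries are written" message, restricts the file to its owner because a dump of cn=Users carries userpassword values, and after a load summarises badentry.ldif and duplicateDN.log from the locations named above. The sample export and log files are constructed; the one-DN-per-line reading of duplicateDN.log is my assumption, not taken from the tool's documentation.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks around an
# ldifwrite export and a bulkload run. POSIX sh + grep/ls.
# Assumptions: log/load paths under $ORACLE_HOME/ldap/{log,load} as the post
# names them; duplicateDN.log is read as one DN per non-empty line
# (constructed sample, format not taken from the tool).

# Number of entries in an LDIF file = number of "dn:" lines.
ldif_entry_count() {
  grep -c '^dn:' "$1" || true
}

# True if the file carries attributes holding password material in OID.
ldif_has_secrets() {
  grep -Eqi '^(userpassword|orclrevpwd|orclpassword)[;:]' "$1"
}

# Restrict an export to its owner and report what it contains.
protect_export() {
  chmod 600 "$1"
  if ldif_has_secrets "$1"; then
    echo "$1: $(ldif_entry_count "$1") entries, contains password attributes, mode 600"
  else
    echo "$1: $(ldif_entry_count "$1") entries, mode 600"
  fi
}

# Post-load summary: bad entries (dn: lines in badentry.ldif) and duplicate
# DNs. Prints "bad=N dup=M" and returns 0 only when both are zero.
bulkload_summary() {
  log_dir="$1"; load_dir="$2"
  bad=0; dup=0
  if [ -f "$load_dir/badentry.ldif" ]; then
    bad=$(ldif_entry_count "$load_dir/badentry.ldif")
  fi
  if [ -f "$log_dir/duplicateDN.log" ]; then
    dup=$(grep -c '[^[:space:]]' "$log_dir/duplicateDN.log" || true)
  fi
  echo "bad=$bad dup=$dup"
  [ "$bad" -eq 0 ] && [ "$dup" -eq 0 ]
}

# Constructed sample export: the container plus two made-up users with
# placeholder password hashes (not real accounts).
write_sample_export() {
  cat > "$1" <<'EOF'
dn: cn=Users,dc=ap6019fems,dc=us,dc=oracle,dc=com
objectclass: orclContainer
cn: Users

dn: cn=alice,cn=Users,dc=ap6019fems,dc=us,dc=oracle,dc=com
objectclass: inetOrgPerson
cn: alice
userpassword: {SHA}PLACEHOLDER

dn: cn=bob,cn=Users,dc=ap6019fems,dc=us,dc=oracle,dc=com
objectclass: inetOrgPerson
cn: bob
userpassword: {SHA}PLACEHOLDER
EOF
}

d="${TMPDIR:-/tmp}/oid-demo-$$"
mkdir -p "$d/log" "$d/load"
write_sample_export "$d/ocsdev.ldif"
protect_export "$d/ocsdev.ldif"
printf 'dn: cn=broken,cn=Users,dc=ap6019fems,dc=us,dc=oracle,dc=com\ncn: broken\n' > "$d/load/badentry.ldif"
: > "$d/log/duplicateDN.log"
bulkload_summary "$d/log" "$d/load" \
  || echo "review $d/load/badentry.ldif and $d/log/duplicateDN.log before trusting the load"
rm -rf "$d"
```

On a real system call protect_export right after ldifwrite finishes (the count it prints should equal the "Entries are written" figure), and bulkload_summary "$ORACLE_HOME/ldap/log" "$ORACLE_HOME/ldap/load" after the -load step; a non-zero return means some entries from the backup are not in the directory.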

References:

Oracle OID Admin Guide