Friday, May 31, 2013

ldapbind command with U2 mode

ldapbind -h -p 3161 -D "cn=user1,cn=Users,dc=xxx,dc= xxx,dc=ca" -q -U2 -W file:e:\oracle\certs\folderNameWhereTheCertsAreStored -P CAtext

-U 2 selects one-way SSL authentication (the client verifies the server certificate, the server does not verify the client), so the wallet named by -W only needs the CA certificate that issued the OID server certificate; -P is that wallet's password, and -q makes ldapbind prompt for the -D user's bind password instead of taking it on the command line.

Change OID 11g LDAP port

The content of this post is from the following:
http://onlineappsdba.com/index.php/2012/06/06/how-to-change-oid-11g-ldapldaps-listen-port/


OID by default listens on two LDAP ports
a) LDAP Port : 3060 (default non-secure port)
b) LDAPS Port : 3131 (default secure port)
  • The port numbers are stored as attributes (orclnonsslport and orclsslport) of the OID instance.
  • These OID ports can be changed using EM (Enterprise Manager Fusion Middleware Control), ODSM (Oracle Directory Services Manager), an LDAP command, or WLST (WebLogic Scripting Tool).
  • If you use an LDAP command or ODSM to update the port, then also update the OPMN configuration using opmnctl updatecomponentregistration (if you use WLST or EM, updatecomponentregistration is not required).

Steps to update OID LDAP(S) Port using EM
1. Check OID port on which OID is currently configured to run using opmnctl status -l
Processes in Instance: asinst_1
———————————+–
ias-component | process-type | pid | status | uid | memused | uptime | ports
———————————+–
ovd1 | OVD | 22966 | Alive | 1529370089 | 762356 | 142:41:33 | ldaps:6082,https:8929,ldap:6081,https:2253
oid1 | oidldapd | 22838 | Alive | 1529376751 | 308252 | 142:41:49 | N/A
oid1 | oidldapd | 22845 | Alive | 1529376374 | 845992 | 142:41:48 | N/A
oid1 | oidmon | 22824 | Alive | 1529370086 | 298084 | 142:41:49 | LDAPS:3091,LDAP:3060
EMAGENT | EMAGENT | 23337 | Alive | 1529370090 | 63824 | 142:41:14 | N/A
2. Change the port from /em (http://webLogicHost:<admin_server_port>/em) -> Identity and Access -> oid1 -> Administration -> Server Properties: under the General tab, change the port as shown in the screenshot below.

If there are multiple OID instances then repeat this step for oid2, …, oidN
3. Restart OID using opmnctl stopall; opmnctl startall
4. Check port number using opmnctl status -l
Processes in Instance: asinst_1
———————————+–
ias-component | process-type | pid | status | uid | memused | uptime | ports
———————————+-
ovd1 | OVD | 16451 | Alive | 1529377899 | 761556 | 0:00:23 | https:8929,https:2253,ldaps:6082,ldap:6081
oid1 | oidldapd | 16553 | Alive | 1529377901 | 787180 | 0:00:22 | N/A
oid1 | oidldapd | 16523 | Alive | 1529377900 | 308376 | 0:00:23 | N/A
oid1 | oidmon | 16450 | Alive | 1529377898 | 298084 | 0:00:23 | LDAPS:3091,LDAP:3090
EMAGENT | EMAGENT | 16449 | Alive | 1529377897 | 63824 | 0:00:23 | N/A
5. Change port in application using OID as identity or policy store.

Tuesday, May 28, 2013

URL Manipulation: URL rewrite, URL redirect, Proxy and Reverse proxy

The following are pretty much all extracted from the following URL:

http://www.akadia.com/services/apache_redirect.html

Often in the life of a webmaster it happens that you want to map an old URL onto a new one. The ways to manipulate a URL are:
  • Redirect the URL
  • Rewrite the URL
  • Proxy and ReverseProxy Server
Redirection
The Redirect directive maps an old URL onto a new one. The new URL is returned to the client, which then fetches it again using the new address, so the new URL is displayed in the client's browser.
Suppose you want to redirect every request to another server on the Internet; you specify the following directive in httpd.conf:
Redirect / http://www.foobar.com/
Each request to your server will be redirected to http://www.foobar.com.

URL Rewrite
The Apache module mod_rewrite is the Swiss Army knife of URL manipulation: a sophisticated module that provides a powerful way to do URL manipulations such as:
  • Solve Trailing Slash Problem
  • Solve Moved DocumentRoot Problem
  • Solve Moved Homedirs to Different Webserver Problem
  • Solve Filesystem Reorganisation Problem
  • Redirect Homedirs For Foreigners
  • Redirect Failing URLs To Other Webserver
  • From Old to New (intern)
  • From Old to New (extern)
  • Search pages in more than one directory
  • .... and many more ....
Example:
Map the non-SSL URL http://www.foobar.com/abc to the SSL URL https://www.foobar.com/abc:
<VirtualHost _default_:80>
  RewriteEngine on
  RewriteRule ^/abc/(.*)$ https://%{SERVER_NAME}/abc/$1 [R,L]
</VirtualHost>


Proxy Module
Apache's proxy module allows remote servers to be mapped into the space of the local server; the local server appears to be a mirror of the remote server. In the following example the website Arkum.ch is a (reverse) proxy for Akadia.ch:
#
# Virtual Host for arkum.ch
#
<VirtualHost 193.247.121.196>
  ServerAdmin martin dot zahn at akadia dot ch
  ServerName www.arkum.ch
  # Off: ProxyPass alone implements the reverse proxy. The original listing
  # had this On, which would additionally turn the host into an open forward
  # proxy usable by anyone who can reach it; reverse proxying does not need it.
  ProxyRequests Off
  ProxyPass / http://www.akadia.ch/
  ProxyPassReverse / http://www.akadia.ch/
</VirtualHost>
ProxyPass
The directive ProxyPass allows remote servers to be mapped into the space of the local server; the local server does not act as a proxy in the conventional sense, but appears to be a mirror of the remote server.
Suppose the local server has address http://wibble.org/; then
   ProxyPass /mirror/foo/ http://foo.com/
will cause a local request for the <http://wibble.org/mirror/foo/bar> to be internally converted into a proxy request to http://foo.com/bar.

ProxyPassReverse
The ProxyPassReverse directive lets Apache adjust the URL in the Location header of HTTP redirect responses. This is essential when Apache is used as a reverse proxy: without it, a redirect issued by a backend server behind the reverse proxy would point the client directly at the backend, bypassing the proxy.
Suppose the local server has address http://wibble.org/; then
   ProxyPass /mirror/foo/ http://foo.com/
   ProxyPassReverse  /mirror/foo/ http://foo.com/
will not only cause a local request for <http://wibble.org/mirror/foo/bar> to be internally converted into a proxy request to <http://foo.com/bar> (the functionality ProxyPass provides here). It also takes care of redirects the server foo.com sends: when foo.com redirects http://foo.com/bar to http://foo.com/quux, Apache adjusts this to http://wibble.org/mirror/foo/quux before forwarding the HTTP redirect response to the client.
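The two mappings above are simple prefix substitutions, and seeing them as code makes the bypass risk concrete. The following is an added example (not from the akadia page or Apache's own code) that models ProxyPass and ProxyPassReverse for the wibble.org / foo.com configuration from the text, using constructed paths and Location headers; the function names are this example's own.

```python
# Constructed example mirroring the directives in the text:
#   ProxyPass        /mirror/foo/ http://foo.com/
#   ProxyPassReverse /mirror/foo/ http://foo.com/
LOCAL_SERVER = "http://wibble.org"
PROXY_PATH = "/mirror/foo/"
BACKEND_URL = "http://foo.com/"


def proxy_pass(request_path, proxy_path=PROXY_PATH, backend=BACKEND_URL):
    """Map a local request path onto the backend URL, as ProxyPass does.
    Returns None for paths outside the proxied prefix (served locally)."""
    if not request_path.startswith(proxy_path):
        return None
    return backend + request_path[len(proxy_path):]


def proxy_pass_reverse(location, proxy_path=PROXY_PATH, backend=BACKEND_URL,
                       local_server=LOCAL_SERVER):
    """Rewrite a backend Location header so the client keeps talking to the
    proxy, as ProxyPassReverse does. Only URLs under the backend prefix are
    rewritten; any other Location is passed through unchanged."""
    if not location.startswith(backend):
        return location
    return local_server + proxy_path + location[len(backend):]


def leaks_backend(location, backend=BACKEND_URL):
    """True when a Location header the client will see still names the backend,
    i.e. the next request would bypass the reverse proxy."""
    return location.startswith(backend)


def handle_redirect(request_path, backend_location, reverse=True):
    """Simulate one round trip: the client asks the proxy for request_path and
    the backend answers with a redirect to backend_location. Returns the
    Location the client finally sees, with or without ProxyPassReverse."""
    if proxy_pass(request_path) is None:
        return None                      # not proxied, nothing to rewrite
    if not reverse:
        return backend_location          # plain ProxyPass: backend URL leaks
    return proxy_pass_reverse(backend_location)


if __name__ == "__main__":
    print(proxy_pass("/mirror/foo/bar"))
    for reverse in (False, True):
        seen = handle_redirect("/mirror/foo/bar", "http://foo.com/quux", reverse)
        print("ProxyPassReverse" if reverse else "ProxyPass only",
              "->", seen, "(bypasses proxy)" if leaks_backend(seen) else "")
```

Run as-is to see the difference: with ProxyPass only the client receives http://foo.com/quux and its next request goes straight to the backend; with ProxyPassReverse it receives http://wibble.org/mirror/foo/quux and stays behind the proxy.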

Dataflow between HTTP-Client and HTTP-Server

Redirect and Rewrite
  1. The HTTP client sends a request to the HTTP server.
  2. The HTTP server sends the manipulated URL back to the client.
  3. The HTTP client sends the request again using the changed URL. If the new URL points to a different HTTP server, a new connection is set up to that server.
  4. The new server sends back the answer.
One disadvantage of using this approach together with another server is that the manipulated URL is not hidden from the HTTP client: the changed URL is presented to the user.
 


Proxy Server
  1. The HTTP client sends a request to the HTTP Proxy.
  2. The HTTP Proxy connects the HTTP Server.
  3. The HTTP Server sends back the answer to the HTTP Proxy.
  4. The HTTP Proxy sends back this answer to the HTTP client.
There are several advantages to using proxies. The new server is completely hidden from the user: the URL always points to the HTTP proxy, and the connection to the real HTTP server is hidden. The HTTP proxy can also cache documents locally, which gives a performance gain.

HTTP Server: mod_weblogic


If you are looking for reading material on how to configure an HTTP Server (Apache based), especially mod_weblogic, here is a good reference:

http://docs.oracle.com/cd/E15051_01/wls/docs103/plugins/apache.html

Monday, May 27, 2013

Oracle HTTP Server as the Reverse Proxy


Refer to this article for the basic configuration of a reverse proxy:

http://www.oracle-base.com/articles/misc/apache-reverse-proxy-configuration.php


A reverse proxy is activated using the ProxyPass directive or the [P] flag on the RewriteRule directive.

For information on directives such as the following:
  • ProxyPass
  • ProxyPassReverse
  • ServerAdmin
  • ServerName
please refer to the Apache mod_proxy module documentation:
  http://httpd.apache.org/docs/2.2/mod/mod_proxy.html



Tuesday, May 21, 2013

Edit the host files

Following is from:
http://helpdeskgeek.com/windows-7/windows-7-hosts-file/

Need to figure out how to edit the Hosts file in Windows 7? For the most part it's pretty much the same as in Windows XP and Vista, but with a few extra hiccups.
Just in case you don't know, the Hosts file is where you can manually enter a hostname and IP address pair, thereby bypassing the DNS server. This can be pretty useful in certain situations, especially for anyone in IT.
The path to the Hosts file in Windows 7 is the same as usual:
%systemroot%\system32\drivers\etc\
where %systemroot% is usually c:\windows unless you installed Windows on a different partition. By default you cannot see these hidden folders, since they are system folders.


You need to run Notepad as administrator to update the hosts file.
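Because the hosts file overrides DNS for every program on the machine, it is worth checking what it already contains before adding an entry. The following is an added example, not from the helpdeskgeek post, that parses hosts-file syntax (address, one or more names, optional # comment), reports lines that are not valid entries, and flags names mapped to more than one address; the sample contents are constructed, and the function names are this example's own.

```python
import ipaddress
import os
import sys

# Constructed sample in hosts-file syntax (not a real file from any machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
#   127.0.0.1   localhost
10.0.0.5\toid.example.internal   oid      # directory server
10.0.0.6    portal.example.internal
not-an-ip   broken.example.internal
10.0.0.7    oid.example.internal
::1         ipv6.example.internal
"""


def parse_hosts(text):
    """Parse hosts-file text into (line_no, address, [names]) tuples.
    Blank lines and comments are skipped; lines whose first field is not an
    IP address (or that carry no name) are returned separately as 'bad'."""
    entries, bad = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comment
        if not line:
            continue
        fields = line.split()                  # spaces and tabs both separate
        if len(fields) < 2:
            bad.append((no, raw))
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            bad.append((no, raw))
            continue
        entries.append((no, str(address), [n.lower() for n in fields[1:]]))
    return entries, bad


def resolve(entries, hostname):
    """All addresses the file maps hostname to, in file order (names are
    case-insensitive)."""
    name = hostname.lower()
    return [addr for _, addr, names in entries if name in names]


def conflicting_names(entries):
    """Names that appear with more than one address: a stale or tampered
    file shows up here, so check this before adding your own line."""
    seen = {}
    for _, addr, names in entries:
        for name in names:
            seen.setdefault(name, set()).add(addr)
    return {n: sorted(a) for n, a in seen.items() if len(a) > 1}


def default_hosts_path():
    """Location of the live hosts file on Windows (the path from the text)
    or on Unix-like systems."""
    if os.name == "nt":
        return os.path.expandvars(r"%systemroot%\system32\drivers\etc\hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Pass a path to audit a real file; otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    entries, bad = parse_hosts(text)
    for no, addr, names in entries:
        print(f"line {no}: {addr} -> {', '.join(names)}")
    for no, raw in bad:
        print(f"line {no}: not a valid entry: {raw!r}")
    for name, addrs in conflicting_names(entries).items():
        print(f"conflict: {name} maps to {addrs}")
```

Running it with no arguments processes the sample; pass the path printed by default_hosts_path() (reading needs no elevation, only editing does) to audit the real file.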

Thursday, May 16, 2013

Portal 11G: wwv_context.sync() job broken

wwv_context is a package in the XXX_Portal schema. The wwv_context.sync() job is created when Portal is installed. This job is used to sync the content that users create so that the content management component can pick it up.

How to fix it when this job is broken?
Refer to Oracle doc:   Note [ID 1346255.1]
https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=468237572974133&_afrWindowMode=0&_adf.ctrl-state=100zpvdb9u_21

First, find the job number of the broken job by executing the following in the database:

select * from dba_jobs;
select job, broken, what from dba_jobs;

Applies to:

Portal - Version: 10.1.2.2 and later   [Release: 10gR2 and later ]
Information in this document applies to any platform.

Symptoms



Search does not show result for new content added.

Cause

The Portal's job synchronization was not working properly.

Trying to run the job manually from sqlplus gave this error:


16:37:54 SQL> exec dbms_job.run(181);
BEGIN dbms_job.run(181); END;
*
ERROR at line 1:
ORA-12011: execution of 1 jobs failed
ORA-06512: at "SYS.DBMS_IJOB", line 406
ORA-06512: at "SYS.DBMS_JOB", line 275
ORA-06512: at line 1



Solution



1.- Remove the job from the queue.

Login as Portal from sqlplus


execute dbms_job.remove(181);


To check the jobid use the following query

select * from dba_jobs order by 1;
Then look for the jobid of the sync job.

2.- Delete the job reference from Portal

Login as Portal from sqlplus and execute:


exec WWPRE_API_NAME.DELETE_NAME(p_path => 'oracle.portal.search',
p_name => 'text_sync_jobid');
commit;


3.- Recreate the job: Login as Portal user from sqlplus  and run:




cd E:\oracle\portal\portal_home\portal\admin\plsql\wws
set TNS_ADMIN=e:\oracle\portal\portal_instance\config
sqlplus xxx_portal@portal
@textjsub.sql START 16-05-13 60


$ORACLE_HOME/portal/admin/plsql/wws/textjsub.sql START DD-MM-YY 60


Replace DD-MM-YY with the current date.
This job will then run every 60 (the interval argument passed to textjsub.sql).

Oracle HTTP Server: How do I change port #s?

Reference: http://onlineappsdba.com/index.php/2010/06/10/changingstarting-ohs-oracle-http-server-11g-on-port-80-on-unix/


Change httpd.conf (as the user owning OHS, awebtier in my case):
Change the value of the Listen directive to 80.

Start OHS using OPMN (as the user owning OHS, awebtier in my case):
cd Oracle/web/web_instance/bin
opmnctl startall (stopall and then startall if opmn is already running)
Test OHS via URL:
Check whether port 80 is listening on that machine: netstat -an | grep 80
Type the URL http://servername:80 (if you don't specify a port with http, port 80 is used by default).
Note that on Unix, ports below 1024 are privileged, so a non-root OHS owner needs additional setup to bind to port 80; see the reference above.


Tuesday, May 14, 2013

How to debug ORA-31203: DBMS_LDAP: PL/SQL - Init Failed error?

Reference link: https://forums.oracle.com/forums/thread.jspa?threadID=946119

We ran into this problem when installing 10g OIM. DBMS_LDAP is a package in the 10g Metadata Repository. The following was observed in the logs:

SQL> Creating OID entries for SSO
Error code   : 1
Error message: User-Defined Exception
LDAP error    : ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.
ERROR: deleting application entry
Error code: 1
Error message: User-Defined Exception
ERROR: creating SSO users and groups in OID

PL/SQL procedure successfully completed.

*** Refreshing WWC OID cache....***
declare
*
ERROR at line 1:
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at "ORASSO.WWSEC_OID", line 1199
ORA-06512: at "ORASSO.WWSEC_OID", line 1328
ORA-06512: at "ORASSO.WWSEC_OID", line 2498
ORA-06512: at "ORASSO.WWSEC_OID", line 2528
ORA-06512: at "ORASSO.WWSEC_OID", line 1606
ORA-06512: at "ORASSO.WWSEC_OID", line 1755
ORA-06512: at "ORASSO.WWSEC_OID", line 2133
ORA-06512: at line 8

Following is what we did:
1. Find out whether the LDAP server is running or not:
netstat -ano|findstr 363

or do an ldapbind:
ldapbind -h hostname -p 363
bind successful

2. Go to the database to ensure that the package DBMS_LDAP is present.
3. Then run the PL/SQL block shown below the separator from the database.

If it fails, it means the database server is unable to connect to the server where OID resides via port 363.
To confirm this further, we asked the DBA to telnet to the server using the following:

telnet <server name where OID resides> 363
He confirmed that an access problem does exist. The access problem needs to be fixed before the OIM installation can continue.
 -------------------------------------------------

1. Connect to your repository db and run the following code:

sqlplus sys/<password>
set serverout on
DECLARE
  retval     PLS_INTEGER;
  my_session DBMS_LDAP.session;
BEGIN
  -- initialise a session against the OID host on its SSL port
  my_session := DBMS_LDAP.init('host address where the oid resides', '636');
  -- open SSL without a wallet; sslauth = 1 means no certificate authentication
  retval := DBMS_LDAP.open_ssl(my_session, NULL, NULL, 1);
  dbms_output.put_line('open_ssl returns: ' || to_char(retval));
  -- simple bind as orcladmin (empty password here; supply the real one to test credentials)
  retval := DBMS_LDAP.simple_bind_s(my_session, 'cn=orcladmin', '');
  dbms_output.put_line('simple_bind_s returns: ' || to_char(retval));
  retval := DBMS_LDAP.unbind_s(my_session);
  dbms_output.put_line('unbind_s returns: ' || to_char(retval));
END;
/

2. In our case this failed with:

DECLARE
*
ERROR at line 1:
ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
ORA-06512: at "SYS.DBMS_LDAP", line 50
ORA-06512: at line 5

Wednesday, May 8, 2013

Oracle HTTP Server SSL Configuration


Reference:
http://docs.oracle.com/cd/E23943_01/web.1111/e10144/getstart.htm


Configuring Secure Sockets Layer

Secure Sockets Layer (SSL) is an encrypted communication protocol that is designed to securely send messages across the Internet. It resides between Oracle HTTP Server on the application layer and the TCP/IP layer, transparently handling encryption and decryption when a secure connection is made by a client.
One common use of SSL is to secure HTTP communication between a browser and a Web server. This case does not preclude the use of non-secured HTTP. The secure version is simply HTTP over SSL (HTTPS); the difference is that HTTPS uses the URL scheme https:// rather than http://.

By default, an SSL listen port is configured and enabled using a default wallet during installation. Wallets store your credentials, such as certificate requests, certificates, and private keys.
The default wallet that is automatically installed with Oracle HTTP Server is for testing purposes only. A real wallet must be created for your production server. The default wallet is located in the ORACLE_INSTANCE/config/OHS/component_name/keystores/default directory. You can either place the new wallet in this location, or change the SSLWallet directive in ORACLE_INSTANCE/config/OHS/component_name/ssl.conf to point to the location of your real wallet.

Tuesday, May 7, 2013

Identity Keystore and Trust Keystore

Reference:
http://one-size-doesnt-fit-all.blogspot.ca/2009/09/weblogic-server-identity-vs-trust.html

http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/identity_trust.htm#i1170342
http://mynotes.wordpress.com/2009/08/04/difference-between-keystore-truststore/

In short:
  • The identity keystore contains the server's private keys (with their certificates).
  • The trust keystore contains the CA certificates (public keys).

Sometimes people simply call the identity keystore the "keystore" and the trust keystore the "truststore".

SSL provides you with encryption, integrity, and authentication. That is,
the messages are encrypted, and come from an authenticated identity. 

"The public key is embedded in a digital certificate with additional information describing the owner of the public key, such as name, street address, and e-mail address *as well as the hostname*. *Along with this the digital certificate containing the public key, and the separate related private key, provide identity for the server*."

...ultimately to identify the server, to assert the server is who the server says it is.


The digital certificate containing the public key is also referred to as the "server certificate".

Thus the "identity" of the server is established by what is stored in the "identity" keystore, and its contents are what is handed out to clients establishing secure connections with the server, who then verify the supplied digital certificate's CA against the client's own list of trusted CAs. The "identity keystore" is also referred to as the "server keystore", because it establishes the server's identity (i.e. I am who I say I am).

The trust keystore is typically used for storing CA digital certificates, essentially the CAs who will be used to check any digital certificates that are given to the server at runtime (just the same as the client did above).



Oracle 11g: install node manager as a windows service



About Installing Node Manager as a Windows Service

Reference

When installing your software on a Windows platform, you can optionally install WebLogic Server Node Manager as a Windows service. The WebLogic Server Node Manager is used to:

  • Start and stop server instances—both Administration Servers and Managed Servers—remotely.
  • Monitor the self-reported health of servers and automatically kill server instances whose health state is FAILED.
  • Migrate servers in a WebLogic Server cluster.
  • Automatically restart servers that have the "failed" health state, or have shut down unexpectedly due to a system crash or reboot.

In a multi-machine environment, you must install Node Manager on each machine that hosts Managed Server and Administration Server instances of WebLogic Server.

Note:

You must have Administrator privileges to install Node Manager as a Windows service.

Node Manager is installed as part of the WebLogic Server installation.

To install the Node Manager Windows service during an initial installation, you must select a Custom installation.

Wednesday, May 1, 2013

OID 11g how to recover from a bad realm configuration in a clustered environment

Node 1 is our main node, Node 2 is our secondary node. We are using IDM 11.1.1.6.
(1) We used "setup.exe -deinstall" to remove the OID installation, following these instructions:
http://www.idmworks.com/blog/entry/uninstalling-oracle-fusion-middleware-products

We kept the admin server running.
We then deinstalled the ASInstance on node 1 using "setup.exe -deinstall".
We then deinstalled the Oracle IDM_home on node 1 using "setup.exe -deinstall".
We did not deinstall the remote instance on node 2.
We then went to the file system to remove idmdomain manually, but Windows did not allow it.

We disabled the Node Manager and AS Instance Control services in Windows Services. After restarting node 1 we were able to remove idmdomain successfully.
We then deleted the remainder of the ASInstance folder from the file system.

(2) We reverted the 11g RAC database to the state before we started the 11g OID install and configuration.

(3) We ran "setup.exe" to Install and Configure node 1.
   Things went well: the admin server came up, ... and ODSM works.

(4) On node 2, we tried to reconfigure by running "config.exe", but it complained that an AS instance already existed.

We disabled both Node Manager and Oracle Instance Control (I think this is the opmn control) in Windows Services.
We then removed the Oracle Instance Control Windows service by issuing the following in an administrative command prompt:
      sc delete "Oracle ...Instance Control"
Rerunning "config.exe" then succeeded.

(5) We went to http://<node1>:port/em to ensure that both oid1 and oid2 were up.
We then stopped the existing wls_ods1 on node 1 and restarted it so that it is aware of the second node in the cluster.