Thursday, October 25, 2012

ORA-24960: the attribute OCI_ATTR_CLIENT_IDENTIFIER is greater than the maximum allowable length of 64

So, you have just finished configuring Oracle Access Manager (OAM) to work with your Oracle Discoverer 11.1.1.6.0 configuration and now you are receiving this error on authentication attempts:

ORA-24960: the attribute OCI_ATTR_CLIENT_IDENTIFIER is greater than the maximum allowable length of 64

More than likely you also have two-factor authentication enabled within OAM. What is happening is that OAM populates the user's certificate DN in the header of the browser session; Discoverer in turn pulls this value from the header and makes it part of the authentication request, which blows past the 64-character limit.

The fix, surprisingly enough, is fairly easy. Log into http://<server host>:7001/em, expand the Discoverer node and click on Administration. Change the user ID type from "SSO User Name" to "GUID". Restart opmnctl and WLS_DISCO and the error goes away.

Wednesday, August 29, 2012

Oracle Access Manager 11.1.1.5 - 11.1.2 and OCSP


If you are reading this post, and are interested in OCSP and Oracle Access Manager (OAM), you probably work in some capacity for the U.S. Government. If I was a betting man, and I am, you are probably trying to figure out how to enable OCSP to work with the ocsp.disa.mil OCSP responder for X.509 authentication (aka PKI authentication, smart-card, two-factor, etc). Well, the sad truth is OAM does NOT work with the DoD implementation of OCSP. You can open a ticket with Oracle support, argue with them back and forth on the issue, but in the end you will get nowhere. The issue is that the DoD implementation uses the Direct Trust Model, which eliminates the need for a self-signed OCSP certificate... which is exactly what the configuration requires in order to operate on OAM. In a nutshell, you are going to have to find another way to implement revocation checking for your user base. My personal recommendation would be to call axway.com and purchase their Validator Server, drop that module into OHS and use two-proxy authentication between WebLogic & OHS. This will check the users before they get into the system and still adhere to the letter of the STIG requirements. Your other option is to write a custom Java plug-in, but that can get nasty because of the limited support you have for importing supporting JAR files for your code. Avoid the headaches... call Axway, get the Validator Server for 11g OHS and get the stamp of JITIC approval for your implementation.

Friday, November 25, 2011

OID CPU Performance Issue

I've spent the last six months working on a major OAS upgrade project for one client, going from 10.1.2.3 -> 11.1.1.5 OID, and apparently we have hit a known bug that only impacts our production environment. It would appear the emagent is issuing the following query against the infrastructure database:

SELECT
UDN.ATTRVALUE,
SUM(AT1.ATTRVAL),
SUM(AT2.ATTRVAL),
SUM(AT3.ATTRVAL),
SUM(AT4.ATTRVAL),
SUM(AT5.ATTRVAL),
SUM(AT6.ATTRVAL),
SUM(AT7.ATTRVAL),
SUM(AT8.ATTRVAL),
SUM(AT9.ATTRVAL),
SUM(AT10.ATTRVAL),
SUM(AT11.ATTRVAL),
SUM(AT12.ATTRVAL),
SUM(AT13.ATTRVAL),
SUM(AT14.ATTRVAL),
SUM(AT15.ATTRVAL),
SUM(AT16.ATTRVAL),
SUM(AT17.ATTRVAL),
SUM(AT18.ATTRVAL),
SUM(AT19.ATTRVAL),
SUM(AT20.ATTRVAL),
SUM(AT21.ATTRVAL),
SUM(AT22.ATTRVAL)
FROM ODS.P1_CT_ORCLUSERDN UDN,
ODS.P1_DS_ATTRSTORE AT1,
ODS.P1_DS_ATTRSTORE AT2,
ODS.P1_D

which completely sucks up all CPU on the server and negatively impacts system response time. You will see this statement run for ~5 min, finish, drop off for another ~5 min, and then repeat again under the same PID. It appears this is a known bug:

9078688 - SQLS IN OID'S METADATA XML FILE (SQL FETCHLETS) ARE NOT PERFORMANCE

That was supposed to be fixed in 11.1.1.5... but wasn't. If you are hitting this problem, as a temporary workaround you can shut down the emagent with this command:

opmnctl stopproc ias-component=emagent

and life will go back to normal... if you consider not being able to use the administrative functionality of OID as "normal". Let's hope the devs at Oracle get this one fixed right in the NEXT release.

Thursday, August 25, 2011

Tik-Tok on the clock the party never stops...until you try restarting OID that is

So you have built out your dev/test/prod environments and have worked through the process of getting all your customers migrated, and life is finally looking up after all the misery you went through. You are so confident now that you are ready to actually take your system down and apply security patches! But after doing all your work OID won't come up, and when you look at $ORACLE_INSTANCE/diagnostics/logs/OID/oid1/oidldapd01sXXXX.log it shows

ORA-28002: the password will expire within n days

where n is the number of days.
WTF, you say? Rest assured, my friend, you have hit a new "feature" built into 11 R2, and it has just brought a moment of panic to your planned weekend outage. By default Oracle puts ODS & ODSSM on a 180-day self-destruct timer once you actually install the software. To avoid hitting this issue you can modify the default profile like so:

ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;
or you can create a new profile and assign it to ODS & ODSSM. For further clarification you can take a look at note 1064334.1.
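Added here as an example (not the post's own code, and not anything Oracle ships): a shell check that asks the infrastructure database how many days the ODS and ODSSM passwords have left, so the 180-day timer is caught before the outage rather than during it. Bear in mind that ALTER PROFILE DEFAULT relaxes expiry for every account on the DEFAULT profile, which is why the second option above, a dedicated profile for ODS & ODSSM, is the narrower change. The query is assumed to run through sqlplus; the connect string, the profile name OID_NO_EXPIRE and the sample output the parser is exercised against are constructed for the demo.

```shell
#!/bin/sh
# Added example: report days left before the ODS / ODSSM passwords expire.
# The SQL runs through sqlplus when it is available; classify_expiry is also
# exercised against a constructed sample of the query's output so the logic
# can be checked offline.

# One line per OID schema account: USERNAME DAYS_LEFT PROFILE ACCOUNT_STATUS
# DAYS_LEFT prints as NONE when expiry_date is NULL, i.e. the password
# never expires under the account's profile.
EXPIRY_SQL="
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF
SELECT username || ' ' ||
       NVL(TO_CHAR(TRUNC(expiry_date - SYSDATE)), 'NONE') || ' ' ||
       profile || ' ' || account_status
  FROM dba_users
 WHERE username IN ('ODS', 'ODSSM');
EXIT;"

# run_expiry_query CONNECT_STRING   (e.g. "/ as sysdba")
# Emits the raw query output; needs sqlplus on PATH plus ORACLE_HOME/ORACLE_SID.
run_expiry_query() {
    printf '%s\n' "$EXPIRY_SQL" | sqlplus -S "$1"
}

# classify_expiry WARN_DAYS  < query output
# Prints one verdict per account: OK, WARN (expires within WARN_DAYS) or
# ACTION (already expired, in grace, or locked). Returns 1 if any is not OK.
classify_expiry() {
    warn_days=$1
    rc=0
    while read -r user days profile status; do
        [ -z "$user" ] && continue
        case "$status" in
            OPEN) ;;
            *) echo "ACTION $user status=$status profile=$profile"; rc=1; continue ;;
        esac
        if [ "$days" = "NONE" ]; then
            echo "OK $user never expires (profile $profile)"
        elif [ "$days" -le 0 ]; then
            echo "ACTION $user password expired (profile $profile)"; rc=1
        elif [ "$days" -le "$warn_days" ]; then
            echo "WARN $user expires in $days days (profile $profile)"; rc=1
        else
            echo "OK $user expires in $days days (profile $profile)"
        fi
    done
    return $rc
}

# Constructed sample of what the query prints 168 days after an install that
# left ODS on DEFAULT and moved ODSSM to a custom no-expiry profile.
SAMPLE_OUTPUT='ODS 12 DEFAULT OPEN
ODSSM NONE OID_NO_EXPIRE OPEN'

# Demo run against the sample; for the real thing use:
#   run_expiry_query "/ as sysdba" | classify_expiry 30
printf '%s\n' "$SAMPLE_OUTPUT" | classify_expiry 30 \
    || echo "at least one OID schema account needs attention before the outage"
```

Run it from a cron job a couple of weeks before each patch window; a non-zero exit is the signal to fix the profile first.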

Wednesday, June 22, 2011

Oracle DIP (Directory Interface Protocol) setup in 11g

Purpose:

Identify the steps required to configure DIP for directory synchronization. At the time of this writing the GUI Oracle ships with 11g is a piece of shit and doesn't work correctly. It flags things as invalid when, in fact, they are valid, and I highly recommend you avoid the GUI and use the command line to set up integration between OID and Active Directory (or any directory for that matter).

Part I:  Directory setup

Before completing this document, be sure you have followed Oracle note 1203271.1 and have correctly provisioned service accounts in both OID & AD that have the appropriate permissions. I would recommend creating a new account and giving those users "administrative" permissions, since they need to touch about every part of the directory.

Part II:  Modify DIP configuration files

The first step in configuring the DIP process is to be sure that A) the DIP properties file is correct and B) the directory mapping file is correct. This post will not focus on how these files should be configured; however, if you wish to learn more you can review Oracle note 859177.1.

 

Part III:  Configure keystore

In order to use SSL with the DIP process we must first configure the example.jks file to contain the public keys of all the certificates used by both AD & OID.

Create an empty keystore:

keytool -genkey -alias foo -keystore example.jks
keytool -delete -alias foo -keystore example.jks

Next import the various public keys used by OID for SSL:

keytool -import -trustcacerts -alias "example" -file public-key.cer -keystore example.jks -storepass <password>

Next register the keystore with WebLogic from the same server where OID is installed:

manageDIPServerConfig set -attr keystorelocation -val /app/infra/certs/example.jks -h localhost -p 7005 -wlsuser weblogic

Set the password within WebLogic:

$ORACLE_HOME/common/bin/wlst.sh

connect ('weblogic', '<password>', 't3://localhost:7001')

createCred(map="dip", key="jksKey", user="jksuser", password="<password>")

At this point the setup should be complete. We will want to test the profile connection within EM once we have the profile registered (since that is the only thing in EM that appears to work correctly).


Part IV:  Create DIP Profile & Mapping in OID

Once you have the configuration files as desired, the next step is to load both the ExampleExport.profile and ExampleExport.map configurations into OID. This can be accomplished by executing the following commands:

manageSyncProfiles register -h localhost -p 7005 -D weblogic  -f /app/infra/wl-home/Oracle_IDM/ldap/odi/conf/EXAMPLE/ExampleExport.profile

followed by a validation check:

manageSyncProfiles validateProfile -h localhost -p 7005 -D weblogic -pf ExampleProfile

At this point the profile is registered in OID and can be accessed through EM (it may show as invalid when it is not). By default the profile is NOT enabled. When you are at a point where you feel comfortable enabling it (i.e. ready to move to the new target directory), enable the profile with the following command:

manageSyncProfiles activate -h localhost -p 7005 -D weblogic -pf ExampleProfile -fa true

However, prior to doing that, be sure you have bootstrapped the directory before enabling the profile.

Part V: Bootstrap Directory

In order to get OID and AD in sync we must bootstrap the directory. To bootstrap the directory execute this command:

syncProfileBootstrap -host 10.98.0.9 -port 7005 -D weblogic -profile ActiveImport_Groexample -lp 5



At this point you should also enable the profile

Installing Oracle Forms & Reports 11.1.1.4 on RHEL Linux

Part I:  O/S Setup

Running Oracle Forms/Reports on Linux is completely impossible on any platform other than 64-bit Linux. Yes, the certification documentation may indicate you can run on 32-bit Linux, but in reality you can't. That is because at their minimal configuration the processes will consume 3 GB of RAM just sitting there idling. So given you can only allocate 4 GB of RAM in 32-bit Linux, you can see where the problem exists. If you dig deep in the Oracle documentation you will actually find that they require 6 GB of RAM for a bare-bones system. With that in mind we have the following:

Red Hat Enterprise Linux 5.6 64-bit (RHEL)
4 GB of RAM (you can squeeze by with 2 in DEV if need be)
60 GB of virtual storage mounted as /app/infra
1 virtual CPU
3 GB of /tmp space (necessary for WebLogic to install)
3 GB of swap space

The first action is to create a service account to own all of the software. We need to create the groups "dba" & "oinstall". Next we need to create a user (which is "oracle", of course) and grant it access to those groups:

groupadd dba
groupadd oinstall
useradd -g dba -G oinstall oracle
passwd oracle

We also need to install a bunch of packages in RHEL to satisfy future dependency needs. This can be accomplished with the following yum command executed as root:

yum install binutils-2.* elfutils-libelf-0.* glibc-2.* glibc-common-2.* libaio-0.* libgcc-4.* libstdc++-4.* make-3.* compat-libstdc++-33* elfutils-libelf-devel-0.* glibc-devel-2.* gcc-4.* gcc-c++-4.* libaio-devel-0.* libstdc++-devel-4.* unixODBC-2.* unixODBC-devel-2.* sysstat-7 xhost xclock xdpyinfo libXp libXtst  gdbm.i386* libXp*.i386*

Now we need to re-configure the server's operational parameters to give the various Fusion Middleware components the resources they need to operate. Your numbers will differ based upon your hardware specs, but in /etc/sysctl.conf you will need to change these:

kernel.shmmax = 68719476736
kernel.shmall = 4294967296

and append these to the end of the file:

kernel.sem = 250 32000 100 128
net.core.rmem_default=4194304
net.core.rmem_max=4194304
net.core.wmem_default=262144
fs.file-max = 6815744
net.ipv4.ip_local_port_range = 9000 65500
net.core.wmem_max = 1048576
fs.aio-max-nr = 1048576
kernel.shmmni = 4096

followed by this command to make the kernel changes take effect:

/sbin/sysctl -p

Next we need to modify /etc/security/limits.conf and append the following to the file:

oracle              soft    nproc   2047
oracle              hard    nproc   16384
oracle              soft    nofile  1024
oracle              hard    nofile  65536

and append this to /etc/pam.d/login:

session    required     pam_limits.so

Since Fusion Middleware runs a jillion different processes, which would take forever to correctly configure with SELinux, we disable SELinux by editing /etc/selinux/config and setting this:

SELINUX=disabled
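To check that the kernel edits actually landed before you bounce the box, here is an added example (not from the post, not an Oracle tool): a POSIX shell check that reads a sysctl.conf, takes the last assignment of each key the way sysctl does, and reports any of the post's values that are missing or set lower than listed. The minimums are the numbers from the post (the shmmax/shmall ones will be whatever you chose for your hardware, so adjust the table); the sysctl_value and check_sysctl_file function names and the sample file it runs against are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify /etc/sysctl.conf against the minimums the post lists.
# Run it as: check_sysctl_file /etc/sysctl.conf   (after sysctl -p, compare
# with `sysctl -a` as well, since a later file could override these).

# Required minimums, "key value" per line (values from the post; adjust
# shmmax/shmall to your own sizing).
REQUIRED_SYSCTL='kernel.shmmax 68719476736
kernel.shmall 4294967296
fs.file-max 6815744
fs.aio-max-nr 1048576
kernel.shmmni 4096
net.core.rmem_default 4194304
net.core.rmem_max 4194304
net.core.wmem_default 262144
net.core.wmem_max 1048576'

# sysctl_value FILE KEY -> last value assigned to KEY in FILE, or empty.
# Accepts "key = value" and "key=value", ignores comment lines.
sysctl_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            sub(/^[ \t]+/, "")
            n = split($0, kv, /[ \t]*=[ \t]*/)
            if (n >= 2 && kv[1] == k) { v = kv[2]; sub(/[ \t]+$/, "", v) }
        }
        END { print v }' "$1"
}

# check_sysctl_file FILE
# Prints "MISSING key (want N)" or "LOW key have=N want=M" for each
# deficiency; returns 0 only when every minimum is met.
check_sysctl_file() {
    file=$1
    rc=0
    while read -r key want; do
        [ -z "$key" ] && continue
        have=$(sysctl_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
            rc=1
        # compare in awk: values such as 68719476736 overflow 32-bit test(1)
        elif awk -v a="$have" -v b="$want" 'BEGIN { exit !(a + 0 < b + 0) }'; then
            echo "LOW $key have=$have want=$want"
            rc=1
        fi
    done <<EOF
$REQUIRED_SYSCTL
EOF
    return $rc
}

# Constructed sample: shmmax left at a 32-bit value and fs.file-max forgotten.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Kernel sysctl configuration file (constructed sample, not a real host)
kernel.shmmax = 4294967295
kernel.shmall = 4294967296
kernel.sem = 250 32000 100 128
net.core.rmem_default=4194304
net.core.rmem_max=4194304
net.core.wmem_default=262144
net.ipv4.ip_local_port_range = 9000 65500
net.core.wmem_max = 1048576
fs.aio-max-nr = 1048576
kernel.shmmni = 4096
EOF

check_sysctl_file "$SAMPLE_CONF" || echo "fix the lines above before bouncing the server"
```

On the sample it prints two lines, LOW kernel.shmmax and MISSING fs.file-max, and exits non-zero; against a file with all nine values at or above the post's numbers it prints nothing and exits 0.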

Finally, at this point we should bounce the server. We have pushed through a lot of changes and a nice clean bounce is advisable before continuing. Also, because of the complexities associated with Fusion Middleware and the fact that we are installing all the infrastructure components on the same machine with the same service account, a robust profile for oracle is strongly recommended.

Part II:  Install Web-logic

The biggest challenge in installing OAS 11g is locating the components you need to install! I strongly recommend you pull any software you need from edelivery.oracle.com. The downloads may be slow, but usually the organization format is much better and they usually list the install software followed by the patchsets. Remember patchsets are cumulative in 11g, so it is safe to install the software and then install the highest patchset and you are good to go. Assuming we have the latest version of WebLogic, which at the time of this writing is 10.3.5, we can begin the install by unzipping the file and issuing this command:

java -d64 -jar wls1035_generic.jar

During the installation un-check the "Coherence" components and un-check the evaluation database, and specify the following for the installation path: /app/mid/wl-home. At the end of the installation be sure to un-check "launch startup screen": we will configure the domain at the same time we configure the Forms/Reports/Discoverer components.

Part IV:  Install Forms/Reports software

From edelivery.oracle.com download the 11.1.1.2 & 11.1.1.4 Forms/Reports/Discoverer software. Once you have all the components downloaded, unzip them and make sure the "Disk" directories are all in the same folder and sequential to each other (i.e. Disk1, Disk2, etc). Once that is done execute the "setup.exe" located in Disk1. Use the following for the Oracle home location:

/app/mid/wl-home/as_1

Once the installer is finished, repeat the process and install the 11.1.1.4 patchset.

Following the patchset install we need to install a one-off patch to deal with a specific error that impacts compiling forms. Download patch 9473270 and install it with opatch, followed by the following series of commands:

cd $ORACLE_HOME/forms/lib

make -f ins_forms.mk frmcmp_install
make -f ins_forms.mk frmbld_install
make -f ins_forms.mk frmcmpb_install
make -f ins_forms.mk frmweb_install

which causes another series of problems that need to be fixed by following note 1218994.1 and relinking the Reports processes.


Part V:  Configure WebLogic and Forms/Reports stack

Once both the base install and the patchset are in place we can configure the software. To do this execute the following command:

$ORACLE_HOME/bin/config.sh

This will begin the process to actually configure running instances of the software. From the configuration menu select the following components:

  • Oracle Forms
  • Oracle Reports
  • Oracle Forms Builder
  • Oracle Reports Builder
  • Oracle HTTP Server
and specify the following for the ORACLE_INSTANCE:

/app/mid/wl-home/asinst

and change the domain name to something a bit more descriptive: FormsDomain

Once the software finishes configuring we can verify everything is operating correctly by logging into the domain console:

http://<hostname>:7001/console

Following the configuration of the software we need to set up a boot.properties file so we don't have to specify WebLogic credentials for the admin server and the various domain components. This can be accomplished by creating the boot.properties file in the following locations:

/app/mid/wl-home/user_projects/domains/FormsDomain/servers/AdminServer/security
/app/mid/wl-home/user_projects/domains/FormsDomain/servers/WLS_FORMS/security
/app/mid/wl-home/user_projects/domains/FormsDomain/servers/WLS_REPORTS/security

The file format should be as follows:

username=weblogic
password=<password>
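As an added example (not from the post, and not a WebLogic tool): a small shell routine that writes those boot.properties files for each server and restricts them to the owner. Until the first startup rewrites them, the files hold the password in clear text, so mode 0600 matters, and reading the password from an environment variable keeps it out of `ps` output and shell history. The WLS_BOOT_PASSWORD variable name, the write_boot_properties and boot_properties_mode_ok function names and the throw-away domain directory are assumptions made for the demo; the server names are the post's.

```shell
#!/bin/sh
# Added example: create boot.properties for each WebLogic server with the
# file locked to the owner. Real use:
#   WLS_BOOT_PASSWORD='...' ; write_boot_properties \
#     /app/mid/wl-home/user_projects/domains/FormsDomain weblogic \
#     AdminServer WLS_FORMS WLS_REPORTS

# write_boot_properties DOMAIN_DIR USERNAME SERVER...
# Password comes from the WLS_BOOT_PASSWORD variable (assumed name) rather
# than an argument. Returns 1 if it is unset or a server directory is missing.
write_boot_properties() {
    domain_dir=$1; user=$2; shift 2
    if [ -z "$WLS_BOOT_PASSWORD" ]; then
        echo "WLS_BOOT_PASSWORD is not set" >&2
        return 1
    fi
    for server in "$@"; do
        if [ ! -d "$domain_dir/servers/$server" ]; then
            echo "no such server directory: $domain_dir/servers/$server" >&2
            return 1
        fi
        sec_dir="$domain_dir/servers/$server/security"
        mkdir -p "$sec_dir"
        # subshell so the restrictive umask does not leak into the caller;
        # the file is born 0600 instead of being world-readable for an instant
        ( umask 077
          printf 'username=%s\npassword=%s\n' "$user" "$WLS_BOOT_PASSWORD" \
              > "$sec_dir/boot.properties" )
        chmod 600 "$sec_dir/boot.properties"
    done
    return 0
}

# boot_properties_mode_ok FILE -> 0 if FILE exists and is exactly mode 0600
boot_properties_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# Demo against a constructed throw-away domain layout, not the real path.
DEMO_DOMAIN=$(mktemp -d)/FormsDomain
for s in AdminServer WLS_FORMS WLS_REPORTS; do
    mkdir -p "$DEMO_DOMAIN/servers/$s"
done
WLS_BOOT_PASSWORD='demo-only-password'
write_boot_properties "$DEMO_DOMAIN" weblogic AdminServer WLS_FORMS WLS_REPORTS
unset WLS_BOOT_PASSWORD
for s in AdminServer WLS_FORMS WLS_REPORTS; do
    f="$DEMO_DOMAIN/servers/$s/security/boot.properties"
    boot_properties_mode_ok "$f" && echo "ok: $f (mode 0600)"
done
```

Run it as the oracle user so the files are owned by the account that starts the servers; after the first startup you can confirm the password line now reads as an encrypted blob.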

The file will automatically encrypt itself on the next server startup, and I recommend restarting the entire stack at this point to test the changes:

stopManagedWebLogic.sh WLS_FORMS
stopManagedWebLogic.sh WLS_REPORTS
opmnctl stopall
stopWebLogic.sh

followed by:

startWebLogic.sh &
opmnctl startall
startManagedWebLogic.sh WLS_FORMS
startManagedWebLogic.sh WLS_REPORTS

Also, we can remove the default Reports server with the following command:

opmnctl deletecomponent -adminUsername weblogic -adminHost localhost -adminPort 7001 -oracleHome /app/mid/wl-home/as_1 -oracleInstance /app/mid/wl-home/asinst -instanceName asinst -componentName <report name> -componentType ReportsServerComponent

Part VI:  Configure Web-Util

The components/configuration for WebUtil are mostly in place, but we need to copy the Jacob.jar file to $ORACLE_HOME/forms/java and Jacob.dll to $ORACLE_HOME/forms/webutil. Can't remember the exact URL, but make sure you download version 1.10.1 as specified in note 1137293.1.

Part VII:  Configure Auto-start on Linux

Cut & paste the following into /etc/init.d/orainit, then cd to /etc/rc5.d and execute the following commands:
ln -s /etc/init.d/orainit S99orainit
ln -s /etc/init.d/orainit K99orainit

#!/bin/sh
# description: WebLogic AdminServer and managed server start/stop script
WLS_DOMAIN=FormsDomain
WLS_BASE=/app/mid/wl-home
WLS_HOME=${WLS_BASE}/user_projects/domains/$WLS_DOMAIN
WLS_NODE_HOME=${WLS_BASE}/wlserver/server/bin
WLS_OWNER=oracle
WLS_ADMIN_PORT=7001
WLS_ADMIN_LOGIN=weblogic
# No admin password is kept in this script: the servers read their
# credentials from the boot.properties files created in Part V.
# ${WLS_BASE}/logs must exist and be writable by $WLS_OWNER.
WLS_LOG_START=${WLS_BASE}/logs/start.`date '+%d%m%y'`.log
WLS_LOG_STOP=${WLS_BASE}/logs/stop.`date '+%d%m%y'`.log
WLS_MANAGED_SERVER1=WLS_FORMS

export ORACLE_INSTANCE=/app/mid/wl-home/asinst
export ORACLE_HOME=/app/mid/wl-home/as_1

if [ ! -f "$WLS_HOME/startWebLogic.sh" ]
then
    echo "WebLogic startup: cannot find $WLS_HOME/startWebLogic.sh"
    exit 1
fi

startWeblogic()
{
    # start node manager
    su $WLS_OWNER -c "nohup $WLS_NODE_HOME/startNodeManager.sh > ${WLS_LOG_START} 2>&1 &"
    sleep 10

    # start admin server
    su $WLS_OWNER -c "nohup $WLS_HOME/startWebLogic.sh >> ${WLS_LOG_START} 2>&1 &"
    sleep 10

    # start the OHS processes under OPMN
    su $WLS_OWNER -c "nohup ${ORACLE_HOME}/opmn/bin/opmnctl startall &"
    sleep 30

    # start the managed server(s)
    su $WLS_OWNER -c "nohup $WLS_HOME/bin/startManagedWebLogic.sh $WLS_MANAGED_SERVER1 >> $WLS_LOG_START 2>&1 &"
    sleep 10
}

stopWeblogic()
{
    # stop node manager
    su $WLS_OWNER -c "nohup $WLS_NODE_HOME/stopNodeManager.sh > $WLS_LOG_STOP 2>&1 &"
    sleep 10

    # stop the managed server(s) through the admin server's t3 port
    su $WLS_OWNER -c "nohup $WLS_HOME/bin/stopManagedWebLogic.sh $WLS_MANAGED_SERVER1 t3://localhost:$WLS_ADMIN_PORT >> $WLS_LOG_STOP 2>&1 &"
    sleep 10

    # stop the OHS processes under OPMN
    su $WLS_OWNER -c "nohup ${ORACLE_HOME}/opmn/bin/opmnctl stopall &"
    sleep 30

    # stop admin server
    su $WLS_OWNER -c "nohup $WLS_HOME/bin/stopWebLogic.sh >> $WLS_LOG_STOP 2>&1 &"
    sleep 10
}

case "$1" in
    'start')
        startWeblogic
        ;;
    'stop')
        stopWeblogic
        ;;
    'restart')
        stopWeblogic
        startWeblogic
        ;;
    *)
        echo "Usage: $0 start|stop|restart"
        exit 1
        ;;
esac

Finally, at long last you have finished setting up a Forms instance. Remember the good old days of 10g when everything was done for you in one shot?

Sunday, June 12, 2011

Changing orclhostname in OID in 11g

One of the major changes in 11g is that you have to establish a new OID instance if you require certificate authentication. This is often necessary if you are using the DIP plug-in, or any other product that requires -U 2 authentication in the SSL handshake. More on that setup is here:

http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10029/oid_server_instances.htm
One of the challenges of creating another component in 11g is that it creates a new OID instance listening on the default hostname's IP address on a non-standard port (vs 389 & 636). You can do the following to change the IP address:

1) Create a new virtual IP address on the server that has a user-friendly DNS name
2) Update orclhostname in OID at cn=<oid name>,cn=osdldapd,cn=subconfigsubentr
3) Run the following command: $ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration -adminHost localhost -host <new IP address> -adminPort 7001 -adminUsername weblogic -componentType OID -componentName oid2 -Port 3060 -Sport 3131
4) Restart everything

When it comes back up you will notice that the OID processes are up, but the server properties do not show up in the WebLogic console! It shows an error that it couldn't find the process on the OLD IP address. To resolve this problem do the following:

In your $DOMAIN_HOME/opmn/topology.xml file, change the host value in both <ias-instance id="asinst" oracle-home="/app/infra/wl-home/Oracle_IDM" instance-home="/app/infra/wl-home/asinst" host="xxxx" port="6701"> and <property name="host" value="xxxx"/> to match your virtual IP address, then start all your processes and you are good to go! Once that is done you can configure your ports to listen on common ports & protocols and not conflict with processes that may already be listening on that IP address!
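Here is an added example (not from the post, not an Oracle tool) of doing that topology.xml edit from the shell rather than by hand: it keeps a timestamped backup, rewrites only the two host references named above, and prints the host values afterwards so you can confirm both places agree before restarting OPMN. The set_topology_host and topology_hosts function names are assumptions; the XML it runs against is a constructed fragment shaped like those two elements (the real file carries a lot more), and the IP addresses in it are made up.

```shell
#!/bin/sh
# Added example: point both host references in $DOMAIN_HOME/opmn/topology.xml
# at the new virtual IP. Real use:
#   set_topology_host "$DOMAIN_HOME/opmn/topology.xml" <new IP address>

# set_topology_host FILE NEW_HOST
# Rewrites host="..." on the <ias-instance ...> element and value="..." on
# <property name="host" .../>, leaving everything else as it was. The
# original is kept as FILE.bak-<timestamp>. Returns 1 if FILE is missing.
set_topology_host() {
    file=$1; new_host=$2
    if [ ! -f "$file" ]; then
        echo "not found: $file" >&2
        return 1
    fi
    backup="$file.bak-$(date '+%Y%m%d%H%M%S')"
    cp -p "$file" "$backup"
    # \1 keeps the element/attribute prefix; only the quoted value changes
    sed -e "s|\(<ias-instance [^>]*host=\"\)[^\"]*\"|\1$new_host\"|" \
        -e "s|\(<property name=\"host\" value=\"\)[^\"]*\"|\1$new_host\"|" \
        "$backup" > "$file"
    echo "updated $file (backup: $backup)"
}

# topology_hosts FILE -> the host values currently in FILE, one per line
topology_hosts() {
    sed -n -e 's|.*<ias-instance [^>]*host="\([^"]*\)".*|\1|p' \
           -e 's|.*<property name="host" value="\([^"]*\)".*|\1|p' "$1"
}

# Constructed fragment for the demo: shaped like the two elements from the
# post, with a made-up old address 10.0.0.5.
DEMO_FILE=$(mktemp)
cat > "$DEMO_FILE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<topology>
  <ias-instance id="asinst" oracle-home="/app/infra/wl-home/Oracle_IDM" instance-home="/app/infra/wl-home/asinst" host="10.0.0.5" port="6701">
    <ias-component id="oid2" type="OID">
      <property name="host" value="10.0.0.5"/>
    </ias-component>
  </ias-instance>
</topology>
EOF

echo "before:"; topology_hosts "$DEMO_FILE"
set_topology_host "$DEMO_FILE" 10.0.0.42
echo "after:";  topology_hosts "$DEMO_FILE"
```

If the two lines printed under "after:" differ, one of the elements is shaped differently from the fragment above and needs a look by hand before you start anything.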