Saturday, June 17, 2017

Configuring OHS 12c for HTTPS Communication

Oracle 12c brought back the older Oracle concept of Wallets. Standard keystores can still be used, but this post focuses on the configuration using Oracle Wallets.

CREATE CSR AND SSL CERTS USING WALLETS


The first step is to create a wallet and then a CSR (the request you submit to the certificate authority so it can issue your SSL certificate).

1. Create a new directory to store the wallet (we will be using the $HOME directory of the Oracle user)

mkdir ~/keystores

2. Create the wallet (auto-login only, so OHS can open it without a password)

$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet $HOME/keystores/wallet -auto_login_only

3. Create the CSR (certificate request). You pass the DN for the certificate, usually your site name and the company.

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -dn 'CN=ora-middleware.blogspot.com,OU=IT,O=ACME,L=Atlanta,ST=GA,C=USA' -keysize 2048 -auto_login_only

4. Export the CSR. Now that the CSR has been created, export it to a file you can send to the certificate authority. The following command creates a file server.csr containing the CSR.

$ORACLE_HOME/oracle_common/bin/orapki wallet export -wallet $HOME/keystores/wallet -dn 'CN=ora-middleware.blogspot.com,OU=IT,O=ACME,L=Atlanta,ST=GA,C=USA' -request $HOME/keystores/wallet/server.csr

5. Submit the generated file to a certificate authority (goDaddy in my case) to request an SSL certificate. They will send you the certificate together with the root and intermediate certificates that make up the chain.

6. Once the certificate authority issues the certificate, import the root certificate first. Sometimes it is part of the bundle; in my case it was not, and I had to download it from their website (gdroot-g2.crt from goDaddy). You need every certificate in the SSL chain.

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -trusted_cert -cert $HOME/keystores/wallet/gdroot-g2.crt -auto_login_only

7. Now import any other certificate in the chain. I got this one as part of the bundle they sent me.

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -trusted_cert -cert $HOME/keystores/wallet/gd_bundle-g2-g1.crt -auto_login_only

8. Finally, import the server certificate itself.

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -user_cert -cert $HOME/keystores/wallet/certificatefromgodaddy.crt -auto_login_only

9. You can validate that the certificates have been imported with the following command.

$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet $HOME/keystores/wallet
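Before importing what the CA sends back, it is worth checking that the pieces fit together, because orapki only reports a problem at import time and the wallet display above does not validate the chain. The script below is an added example, not part of the original post: it uses openssl to confirm the CSR subject, that the issued certificate carries the same public key as the CSR, and that the certificate chains to the root through the intermediate bundle. The file names (server.csr, certificatefromgodaddy.crt, gd_bundle-g2-g1.crt, gdroot-g2.crt) are assumptions modelled on the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the CSR and the
# certificates the CA returned before importing them with orapki.
# File names are assumptions modelled on the post.

# Print the subject of the CSR so it can be compared with the -dn given to orapki.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Compare the public key inside the CSR with the one in the issued certificate.
# A mismatch means the CA signed a different request; the -user_cert import
# fails because the wallet holds no matching private key.
keys_match() {
    csr_fp=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    crt_fp=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$csr_fp" = "$crt_fp" ]
}

# Verify that the server certificate chains up to the root through the
# intermediate bundle. Pass an empty string as the bundle when there is none.
verify_chain() {
    leaf=$1
    bundle=$2
    root=$3
    if [ -n "$bundle" ]; then
        openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
    fi
}

# Run all checks against the files in a wallet directory; exit status 0 when
# everything is consistent. Usage: check_wallet_inputs "$HOME/keystores/wallet"
check_wallet_inputs() {
    dir=$1
    csr_subject "$dir/server.csr" || return 1
    keys_match "$dir/server.csr" "$dir/certificatefromgodaddy.crt" || {
        echo "public key in the certificate does not match the CSR" >&2; return 1; }
    verify_chain "$dir/certificatefromgodaddy.crt" "$dir/gd_bundle-g2-g1.crt" "$dir/gdroot-g2.crt" || {
        echo "certificate does not chain to the root through the bundle" >&2; return 1; }
    echo "CSR, certificate and chain are consistent"
}
```

Run `check_wallet_inputs "$HOME/keystores/wallet"` after copying the CA's files into the wallet directory; a failing chain check usually means the bundle is missing an intermediate or the wrong root was downloaded.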

CONFIGURE OHS for SSL

Now that we have a wallet, we need to tell OHS to use it. By default, 12c already has a virtual host configured for SSL, so we only have to update it to point at the new wallet. In my case I have a stand-alone installation; if your OHS is managed by Enterprise Manager, most of this can be done from the web console, but the manual steps work in both scenarios.

1. Edit the ssl.conf file under the configuration folder for the instance.

vi $ORACLE_HOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/ssl.conf

Set the SSLWallet directive to the directory where we saved the wallet

SSLWallet /home/opc/keystores/wallet

2. Stop OHS

$ORACLE_HOME/user_projects/domains/base_domain/bin/stopComponent.sh ohs1

3. Start OHS

$ORACLE_HOME/user_projects/domains/base_domain/bin/startComponent.sh ohs1

4. You can test the configuration on the default OHS SSL port, 4443

https://mysite..com:4443

MAKE HTTP RUN ON PRIVILEGED PORTS


If you want to use the https URL without a port number, OHS must run on port 443 (port 80 for plain http).

1. Change the ownership and permissions of the launch file so it is setuid root (only root can bind ports below 1024; the launcher binds them and then switches to the User/Group configured in httpd.conf)

sudo chown root $ORACLE_HOME/ohs/bin/launch
sudo chmod 4750 $ORACLE_HOME/ohs/bin/launch

2. Edit the httpd.conf file in the same directory ($ORACLE_HOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1)

Change the Listen directive from the default 7777 to 80

Listen 80

Also, add (if missing) or modify the following directives so they hold the Linux user and group that own the OHS installation

User opc
Group opc

3. For SSL, edit the same ssl.conf as before and change the Listen directive from the default 4443 to 443

Listen 443

Also, update the virtual host directive to use the same port

<VirtualHost *:443>

4. Stop OHS

$ORACLE_HOME/user_projects/domains/base_domain/bin/stopComponent.sh ohs1

5. Start OHS

$ORACLE_HOME/user_projects/domains/base_domain/bin/startComponent.sh ohs1

6. You can test now without the ports

https://mysite..com
http://mysite..com

Friday, October 07, 2016

Java Flight Recordings (JFR) for WLS managed servers

Starting Java Flight Recordings (JFR) for WLS managed servers



1) Identify the process IDs of the managed servers you want to record.

ps -ef | grep WC_Spaces
ps -ef | grep UCM_server

2) Start the recording with the following command:

/usr/java/jdk1.7.0_65/bin/jcmd [PID] JFR.start duration=[DURATION]s filename=[PATH_TO_FILE]

For example

/usr/java/jdk1.7.0_65/bin/jcmd 1234 JFR.start duration=14000s filename=/mnt1/jfr/OAMPOC/20161006/WC_Spaces1.jfr

The command will give you a confirmation like:

Started recording 3. The result will be written to:/mnt1/jfr/OAMPOC/20161006/WC_Spaces1.jfr

Note the recording number (3); you will need it for the next step.

3) The recording stops automatically once the duration has elapsed. If you need to stop it earlier, run the following command, passing the recording number:

/usr/java/jdk1.7.0_71/bin/jcmd 16439 JFR.stop recording=3
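The three steps above are easy to get wrong by hand (a copied PID, a forgotten recording number). The script below is an added example, not part of the original post: it looks the PID up by managed-server name, starts the recording, and captures the recording number from jcmd's confirmation so it can be handed straight to JFR.stop. It assumes WebLogic's usual `-Dweblogic.Name=<server>` argument on the JVM command line and that jcmd prints the target PID on its first line and the confirmation on the next; JCMD defaults to the JDK path used in the post, and should be the jcmd of the JDK that actually runs the server.

```shell
#!/bin/sh
# Added example, not part of the original post: wrapper around the jcmd steps.
# JCMD defaults to the post's JDK path; override it with the jcmd of the JDK
# that runs the managed server.
JCMD=${JCMD:-/usr/java/jdk1.7.0_65/bin/jcmd}

# PID of the JVM running the named managed server. WebLogic passes the server
# name on the command line as -Dweblogic.Name=<server>; the trailing
# "( |$)" keeps WC_Spaces1 from also matching WC_Spaces10.
find_server_pid() {
    pgrep -f "weblogic.Name=$1( |$)" | head -n 1
}

# Extract the recording number from jcmd's output, e.g.
#   1234:
#   Started recording 3. The result will be written to:/mnt1/jfr/x.jfr
# prints 3. Prints nothing when no confirmation line is present.
parse_recording_id() {
    printf '%s\n' "$1" | sed -n 's/^Started recording \([0-9][0-9]*\)\..*$/\1/p'
}

# Start a recording: jfr_start <server-name> <duration-seconds> <output-file>.
# Prints "<pid> <recording-id>" so the pair can be handed to jfr_stop.
jfr_start() {
    server=$1
    duration=$2
    outfile=$3
    pid=$(find_server_pid "$server")
    if [ -z "$pid" ]; then
        echo "no JVM found for managed server $server" >&2
        return 1
    fi
    out=$("$JCMD" "$pid" JFR.start duration="${duration}s" filename="$outfile") || return 1
    id=$(parse_recording_id "$out")
    if [ -z "$id" ]; then
        echo "unexpected jcmd output: $out" >&2
        return 1
    fi
    echo "$pid $id"
}

# Stop a recording before its duration elapses: jfr_stop <pid> <recording-id>.
jfr_stop() {
    "$JCMD" "$1" JFR.stop recording="$2"
}

# Usage: jfr_start WC_Spaces1 14000 /mnt1/jfr/WC_Spaces1.jfr   -> "1234 3"
#        jfr_stop 1234 3
```

On the JDK 7 builds used in the post, JFR.start only succeeds if the JVM was started with `-XX:+UnlockCommercialFeatures -XX:+FlightRecorder`; otherwise jcmd prints an error instead of the confirmation, which is why `jfr_start` treats a missing "Started recording" line as a failure.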

Tuesday, July 12, 2016

Copy large number of items in the background with rsync

rsync -ahuv --log-file=/tmp/rsync07082016.log foldertocopy destination

options:
a archive
h display human readable
u update only – skip files that are already up to date in the destination
v verbose


After running the rsync command, press Ctrl+Z to suspend it.
Then type bg to resume it in the background.
You can monitor the output with tail -f /tmp/rsync07082016.log

Wednesday, August 06, 2014

Configuring Oracle HTTP server to run on port 80

A very common requirement for most implementations is that the web servers run on port 80, so users don't have to type the port in the URL. After installing Oracle Web Tier, the Apache server usually runs on port 7777.

One way to address this is a port translation at the load balancer, but Apache can and usually does run on port 80. The only change to the system is that, because port 80 is a privileged port, the Apache daemon needs to be started as root.

The first thing to do is change the Listen port of the web tier from the default 7777 to 80. This is done by modifying the httpd.conf file located under the instance home ($MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1)

1. Stop the web tier

$MW_HOME/Oracle_WT1/instances/instance1/bin/opmnctl stopall

2. Edit the httpd.conf file

Look for the Listen directive and set it to 80

# OHS Listen Port
Listen 80

Additionally, check that the User and Group settings in the same file are correct (sometimes they are commented out). They are used to switch to the Oracle owner after the system is started as root.

User oracle
Group oinstall

3. If you have any virtual host that should also run on port 80, change its configuration too. In my system, for example, I have a separate configuration file under the moduleconf folder (all files in this folder are included into httpd.conf); other installations may have this configuration directly in httpd.conf.

NameVirtualHost *:80
<VirtualHost *:80>
    ServerName myportal.com:80
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit
</VirtualHost>

After modifying the configuration files we need to change the apachectl daemon so it runs as root

1. Log in as the root user and go to the bin directory of the WebTier home

cd $MW_HOME/Oracle_WT1/bin

2. Change the owner of the file to root (note that the file name starts with a "." as it is a system file) and set the permissions so it can be executed by the opmnctl tool

chown root .apachectl
chmod 6750 .apachectl

3. Log in as the Oracle owner and start the web tier

$MW_HOME/Oracle_WT1/instances/instance1/bin/opmnctl startall

You should now be able to access the site on port 80.
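Both the 11g procedure just described (.apachectl with mode 6750) and the 12c one earlier on this page (launch with mode 4750) leave a setuid-root binary on the box, and a setuid-root binary that is writable by the install group or reachable by other users is a straightforward path to root. The script below is an added example, not from either post: it checks that such a launcher is owned by root, has the setuid bit, is not group-writable and gives no access to others. `check_launcher_mode` works on the octal mode string, `audit_launcher` reads it from the file with GNU stat (the -c format is an assumption about the platform).

```shell
#!/bin/sh
# Added example, not from the original posts: audit the setuid launcher that the
# port-80/443 procedures create (12c: $ORACLE_HOME/ohs/bin/launch, mode 4750;
# 11g: $MW_HOME/Oracle_WT1/bin/.apachectl, mode 6750).

# check_launcher_mode <octal-mode>: pure check on the mode as stat prints it.
# Returns 0 when acceptable; otherwise prints each finding and returns 1.
check_launcher_mode() {
    mode=$1
    [ ${#mode} -eq 3 ] && mode="0$mode"      # plain "750" has no special bits
    special=${mode%???}                       # first digit: setuid/setgid/sticky
    rest=${mode#?}                            # remaining three: user/group/other
    group=$(printf '%s' "$rest" | cut -c2)
    other=$(printf '%s' "$rest" | cut -c3)
    rc=0
    case "$special" in
        4|5|6|7) ;;                           # setuid bit (4) present
        *) echo "setuid bit is not set (mode $mode)"; rc=1 ;;
    esac
    case "$group" in
        2|3|6|7) echo "group can write the launcher (mode $mode)"; rc=1 ;;
    esac
    if [ "$other" != 0 ]; then
        echo "others have access to the launcher (mode $mode)"; rc=1
    fi
    return $rc
}

# audit_launcher <path>: owner check plus the mode check, using GNU stat.
audit_launcher() {
    path=$1
    [ -f "$path" ] || { echo "$path: not found"; return 1; }
    owner=$(stat -c %U "$path")
    mode=$(stat -c %a "$path")
    rc=0
    [ "$owner" = root ] || { echo "$path is owned by $owner, not root"; rc=1; }
    check_launcher_mode "$mode" || rc=1
    [ $rc -eq 0 ] && echo "$path: ok (root, mode $mode)"
    return $rc
}

# Usage: audit_launcher "$ORACLE_HOME/ohs/bin/launch"
#        audit_launcher "$MW_HOME/Oracle_WT1/bin/.apachectl"
```

Run it after the chown/chmod steps and again after any patching or re-installation, since installers commonly reset the ownership and mode of these files.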

Wednesday, March 12, 2014

Using af:poll for long running taskflows

I recently was asked how taskflows are loaded in a WebCenter page, and I remembered a previous implementation where we ran into issues with slow-loading pages and needed to speed them up.

As you might already know, in a normal ADF page containing multiple taskflows, each taskflow needs to be initialized and its initial view created before the overall page can be rendered. This means that a single long-running taskflow affects the performance of the entire page.

You can manage partial page refresh and do things like lazy loading for subsequent requests, but the initial request needs a view object for the page to render.

With this in mind we looked at the different taskflows and found one in particular that was taking a long time to load; removing it made the whole page render 4x faster. This is where we needed to get creative.

We needed to create a view object for the taskflow even if the overall result (a web service query gathering information from the EBS HR records) was not ready yet.

For this we used the af:poll component. The idea is that there is an initial request to the web service and the poll monitors the result (stored in a managed bean). While the result is not present yet, an af:switcher prints a simple message ("Loading..."), which creates the view object and allows the page to load.

Once the results are loaded, we simply set the poll interval to -1, which disables the refresh.

This is sample code of how this might work:


<af:panelGroupLayout id="pgl1" layout="vertical" halign="center" partialTriggers="loadData">
  <!-- poll every second until the bean reports the data has loaded, then stop (-1) -->
  <af:poll id="loadData"
           interval="#{pageFlowScope.myESSDetailsManagedBean.hasloaded == 0 ? 1000 : -1}"
           pollListener="#{pageFlowScope.myESSDetailsManagedBean.loadLinks}"
           immediate="true" rendered="true"/>
  <af:spacer width="10" height="20" id="s1"/>
  <!-- pick the facet from the bean state: loading, one of two errors, or the results -->
  <af:switcher id="s2"
               facetName="#{pageFlowScope.myESSDetailsManagedBean.hasloaded == 0 ? 'Loading' :
                            pageFlowScope.myESSDetailsManagedBean.errorCode eq '1' ? 'GeneralError' :
                            pageFlowScope.myESSDetailsManagedBean.errorCode eq '2' ? 'NoAccess' :
                            'Ok'}">
    <f:facet name="GeneralError">
      <af:outputText value="Error contacting the EBS, Please try again later" id="ot2"/>
    </f:facet>
    <f:facet name="NoAccess">
      <af:group id="g1">
        <af:outputText value="You don't have access to the ESS module in EBS" id="ot1"/>
      </af:group>
    </f:facet>
    <f:facet name="Loading">
      <af:group id="g2">
        <af:outputText value="Loading ...." id="ot3"/>
      </af:group>
    </f:facet>
    <f:facet name="Ok">
      <af:panelGroupLayout id="pgl2" layout="vertical" halign="center">
        <!-- component ids must be unique within the page; ot1 is already used in the NoAccess facet -->
        <af:outputText value="THIS IS WHERE THE RESULTS ARE DISPLAYED" id="ot4"/>
        <af:goLink text="Your current leave balance is #{pageFlowScope.myESSDetailsManagedBean.leaveBalance}"
                   id="gl6"
                   destination="#{pageFlowScope.myESSDetailsManagedBean.leaveBalanceFullURL}"
                   targetFrame="_blank"
                   rendered="#{pageFlowScope.myESSDetailsManagedBean.leaveBalance ne ''}"/>
        <af:goLink text="Manage Your Leave" id="gl7"
                   destination="#{pageFlowScope.myESSDetailsManagedBean.leaveBalanceFullURL}"
                   targetFrame="_blank"
                   rendered="#{pageFlowScope.myESSDetailsManagedBean.leaveBalance eq ''}"/>
        <af:spacer width="10" height="10" id="s5"/>
      </af:panelGroupLayout>
    </f:facet>
  </af:switcher>
</af:panelGroupLayout>

Monday, October 29, 2012

Useful Shell Commands

Manage Files and Folders

Move all files in subfolders to the current folder (used when the file storage rule in UCM was changed)
find . -type f -exec mv -t . {} +

Find Size of subfolders
du -sh *

Replace a string in all files of the current folder (in place)
sed -i 's/\/u01\/Oracle\/Middleware\/user_projects\/domains/\/mnt/g' *.hda

Recursively (the pattern is quoted so the shell does not expand it before find sees it)
find . -name '*.hda' -exec sed -i 's/\/u01\/Oracle\/Middleware\/user_projects\/domains/\/mnt/g' {} +


Manage Partitions and Disk


List the available Disk
fdisk -l

List the mounted disk and space available
df -k

Mount disk
mount /dev/sdf /ebs

Format Disk
mkfs.ext3 /dev/sdf

Resize partition to the full available disk
resize2fs /dev/xvda1

Keep Mounts after restart
Edit /etc/fstab and add
/dev/xvdi /media/newdrive/ ext3 defaults,noatime 0 0
/dev/xvdj /u01             ext3 defaults,noatime 0 0

Firewall

Enable VNC connections (port 5901)
iptables -I INPUT 1 -p tcp --dport 5901 -j ACCEPT
/etc/init.d/iptables save

Disable iptables
/etc/init.d/iptables save
/etc/init.d/iptables stop
chkconfig iptables off

For systems using firewalld (RHEL 7 and later)
service firewalld stop
systemctl disable firewalld

Swap Space

Check Swap Space
swapon -s

Add Swap Space
  1. Create a new swap file
    dd if=/dev/zero of=/myswapfile1 bs=1M count=1024
  2. Change permission to only root
    chmod 600 /myswapfile1
  3. setup file as swap
    mkswap /myswapfile1
  4. Enable new swap space
    swapon /myswapfile1
  5. To keep it after reboot, add the following to /etc/fstab
    /myswapfile1 swap swap defaults 0 0
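The five swap steps above as one re-runnable script, added here as an example that is not part of the original post. Two details differ from running the commands by hand: the file is created under a 077 umask so it is never readable by other users (swap holds memory pages, which can include secrets), and the fstab line is appended only if the file is not already listed, so running the script twice does not duplicate the entry. Paths and size are the post's (/myswapfile1, 1024 MiB); FSTAB is a variable so `ensure_fstab_entry` can be exercised against a scratch copy.

```shell
#!/bin/sh
# Added example, not part of the original post: swap-file setup as a script.
FSTAB=${FSTAB:-/etc/fstab}

# ensure_fstab_entry <device-or-file> <mountpoint> <type> <options>:
# append the line unless the first field already appears in the fstab.
# Prints "added" or "present".
ensure_fstab_entry() {
    dev=$1
    mnt=$2
    type=$3
    opts=$4
    if awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$FSTAB"; then
        echo present
        return 0
    fi
    printf '%s %s %s %s 0 0\n' "$dev" "$mnt" "$type" "$opts" >> "$FSTAB"
    echo added
}

# add_swapfile <path> <size-MiB>: steps 1-5 of the post, safe to re-run.
add_swapfile() {
    file=$1
    size_mb=$2
    if [ ! -f "$file" ]; then
        # umask 077 means the file is root-only from the moment it exists,
        # rather than world-readable until the chmod in step 2
        ( umask 077; dd if=/dev/zero of="$file" bs=1M count="$size_mb" ) || return 1
    fi
    chmod 600 "$file" || return 1
    # mkswap + swapon only if this file is not already active swap
    if ! grep -q "^$file " /proc/swaps 2>/dev/null; then
        mkswap "$file" >/dev/null || return 1
        swapon "$file" || return 1
    fi
    ensure_fstab_entry "$file" swap swap defaults
}

# Usage (as root): add_swapfile /myswapfile1 1024
```

Check the result with `swapon -s` as in the post; the file should be listed with the requested size.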

Network

Check If IPv6 is loaded
lsmod | grep ipv6

Change Hostname
hostname newname.domain

Change Hostname after reboot:
Edit /etc/sysconfig/network and add the following
HOSTNAME=newname.domain

Disable IPv6

  1. Edit/create the /etc/modprobe.d/modprobe.conf file and add the following:
    options ipv6 disable=1
    alias net-pf-10 off
    alias ipv6 off
    install ipv6 /bin/true
  2. Edit /etc/sysconfig/network and add
    NETWORKING_IPV6=no
    IPV6INIT=no
  3. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and add
    IPV6INIT=no
    IPV6_AUTOCONF=no

Tuesday, October 09, 2012

How to Upgrade JRockit


  1. Download the latest version of JRockit from http://www.oracle.com/technetwork/middleware/jrockit/downloads/index.html 
  2. Log in to the server using an X session (e.g. VNC) as the Oracle user
  3. Run the installer and follow the screens, select the target folder for example /u01/java/jrockit-jdk1.6.0_33-R28.2.4-4.1.0


It is a good practice to create a symbolic link to reference JRockit, this makes future upgrades easier as you won’t need to modify any configuration files in weblogic, just re-create the link to the new version. If you haven’t done this, do the following steps


  1. Create a symbolic link using the following command
    ln -s /u01/java/jrockit-jdk1.6.0_33-R28.2.4-4.1.0 /u01/java/jrockit
  2. Update your profile script to set the new JAVA_HOME and PATH pointing to the symbolic link you just created
    vi $HOME/.bash_profile

    change the following:

    export JAVA_HOME=/u01/java/jrockit
    export PATH=$JAVA_HOME/bin:$PATH
  3. After saving the file run it once to test the configuration
    . $HOME/.bash_profile
  4. Test the environment variables
    java -version

    It should return something like:
    java version "1.6.0_33"
    Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
    Oracle JRockit(R) (build R28.2.4-14-151097-1.6.0_33-20120618-1634-linux-x86_64, compiled mode)

After your environment is set, you will need to edit the weblogic server scripts to reference the symbolic link (only if you haven’t done this before)

Edit the following files changing all references to jrockit to “/u01/java/jrockit” or wherever the path to your symbolic link is


  • $FMW_HOME/wlserver_10.3/common/bin/commEnv.sh
  • $FMW_HOME/user_projects/domains//bin/setDomainEnv.sh
  • $FMW_HOME/wlserver_10.3/common/nodemanager/nodemanager.properties
  • $FMW_HOME/utils/bsu/bsu.sh
  • $FMW_HOME/utils/quickstart/quickstart.sh
  • $FMW_HOME/utils/uninstall/uninstall.sh