Thursday, June 11, 2015

SSL Hostname verification in Weblogic Server

If you see the error below in the logs while accessing a web service over SSL:

<Notice> <StdErr> <BEA-000000> <javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://<Host-Name>:<Port>/<Webservice Endpoint>?wsdl. It failed with: [Security:090504]Certificate chain received from <Host-Name>.<Domain-Name> failed hostname verification check. Certificate contained *.<Domain Name> but check expected  <Host-Name>.<Domain-Name>


To resolve this, follow the steps below to disable hostname verification in WLS:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Click the name of the server for which you want to disable host name verification.
  4. Select Configuration > SSL, and click Advanced at the bottom of the page.
  5. Set the Hostname Verification field to None.
  6. Click Save.
  7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).
Note: This is not recommended for production environments.
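Before disabling the check, it helps to confirm that the failure really is the wildcard case the error message shows. The POSIX sh helper below is an added example, not code from the original post: it reproduces the literal comparison the default verifier performs, the single-label wildcard rule a wildcard-aware check would apply, and a function (assumed name; needs OpenSSL 1.1.1+ for -ext) that pulls the names a live endpoint presents. All host and certificate names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Before turning hostname
# verification off, confirm the failure is the wildcard case the error shows:
# WebLogic's default verifier compares the certificate name with the host
# literally, so *.example.com never equals app01.example.com. All names here
# are constructed.

# The literal comparison behind "[Security:090504] ... failed hostname verification".
strict_name_matches() {
  [ "$1" = "$2" ]
}

# 0 if certificate name $1 covers host $2 under single-label wildcard rules:
# *.example.com covers app01.example.com, not a.b.example.com or example.com.
cert_name_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    \*.*)
      suffix="${pattern#\*.}"
      # the wildcard stands for exactly one label: the host needs a dot, and
      # everything after its first label must equal the suffix
      [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "$suffix" ]
      ;;
    *)
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# 0 if any name in the space-separated list $1 (CN plus SAN dNSNames) covers host $2.
host_covered_by() {
  set -f                      # no globbing: *.example.com must stay literal
  for name in $1; do
    if cert_name_matches "$name" "$2"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# Names a live endpoint presents, one per line (needs network; assumes OpenSSL
# 1.1.1+ for -ext). Usage:
#   host_covered_by "$(fetch_cert_names app01.example.com 443 | tr '\n' ' ')" app01.example.com
fetch_cert_names() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null \
    | awk '/^subject=/ && match($0, /CN *= *[^,]*/) { s = substr($0, RSTART, RLENGTH); sub(/CN *= */, "", s); print s }
           /DNS:/ { n = split($0, a, /, */); for (i = 1; i <= n; i++) if (sub(/^ *DNS:/, "", a[i])) print a[i] }'
}
```

If host_covered_by succeeds while strict_name_matches fails, the certificate is fine for a wildcard-aware verifier and only the literal default check is rejecting it.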

Saturday, February 28, 2015

Passed Oracle Mobile Security Suite 11g Essentials Exam

I am glad to share that I passed the Oracle Mobile Security Suite (OMSS) 11g Essentials Exam. OMSS leverages the technology Oracle acquired with Bitzer Mobile. It is a new Mobile Application Management (MAM) solution that comes with many cool features, such as app containerization, that simplify enterprise mobility. It addresses the BYOD (Bring Your Own Device) initiatives that many corporations have started following, with many more to join.



When I started preparing for the exam, I didn't find much documentation other than the Oracle documents. To pass the exam, just going through the Oracle documentation is enough. Most of the questions are straightforward and come directly from the documents. Unlike other Oracle exams, none of the questions were based on real implementation experience.

Some Useful Links -

OMSS Documentation - http://docs.oracle.com/cd/E52357_01/index.htm
Oracle Webcast - http://medianetwork.oracle.com/video/player/3442504861001
Blogs - http://ptotech.blogspot.com/2014/05/oracle-mobile-and-security-suite-omss.html

Sunday, February 8, 2015

Weblogic Security Exception : Invalid Subject Principals

If you see the error "Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals" in the WebLogic Server logs during an RMI invocation of an EJB deployed in a different WebLogic domain, the problem lies in the domain trust security settings.

Stack trace:

Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:833)
at weblogic.security.service.SecurityServiceManager.getSealedSubjectFromWire(SecurityServiceManager.java:522)
at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:352)
at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:953)
at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:351)

To solve this, enable trust between the WebLogic Server domains by specifying the same credential in both domains. It can be fixed by:

  • Enabling Cross Domain Security between the WebLogic Server domains
  • Enabling Global Trust

I fixed it by enabling global trust between the WebLogic Server domains. By default, domain credentials are randomly generated, so no two domains have the same domain credential. Replace the generated credential and specify the same domain credential for each of the domains. In this way, identity is passed between WLS domains over an RMI connection without requiring authentication in the second domain.

Note: Do not confuse the domain credential with the credential used to log in to the WLS console.

Configuration Steps (repeat in each domain, using the same credential)

1. Log in to the WLS console and click Lock & Edit (top left pane).

2. In the left pane, click the domain name.

3. Select Security > General in the center pane and click the Advanced link.

4. Enter the password in the Credential and Confirm Credential fields.

5. Click Activate Changes in the top left pane.

Wednesday, December 3, 2014

Webgate Installation on Solaris 10 Sparc 64 bit machine

Environment Details

OHS/Webgate (11.1.1.5)
Solaris 10 Sparc 64 bit

OHS/Webgate (11.1.1.5) requires the gcc 3.3.2 compiler package. This is clearly stated in the Oracle documentation: http://docs.oracle.com/cd/E21764_01/install.1111/e12002/webgate.htm#INOIM75766. By default, Solaris 10 ships with the gcc 3.4.3 libraries. I checked with the product development folks, and they told me that there was a design decision to switch the compilation from the gcc compiler to the native Solaris compiler from 11.1.1.7, and hence OHS/Webgate does not support other, newer versions of gcc; I guess they found some issues with gcc 3.4.3+.

For details, see Oracle Support Document 1460975.1 (Where are the Gcc 3.3.2 64bits Libraries Required by the OAM11g WebGate on Solaris 10 Sparc 64-bit), available at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1460975.1.

The libgcc 3.3 package includes both 32-bit and 64-bit versions of the library files. Unzip and install the package; by default it installs to /usr/local/lib. Use the files in the /usr/local/lib/sparcv9/ directory, as these are the 64-bit versions; the files installed directly under /usr/local/lib/ are the 32-bit versions.
If the wrong version is used, you will see the error below during installation:
ld.so.1: configureWebGate: fatal:
/<WG install directory>/access/oblix/tools/configureWebGate/../../../oblix/lib/libstdc++.so.5:
wrong ELF class: ELFCLASS32
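The ELF class of a library can be checked before configureWebGate ever loads it. The script below is an added example, not code from the original post or from Oracle: it reads the ELF header with od (available on a bare Solaris box) and flags any shared object in a directory that is not the class the 64-bit WebGate needs. The sample files in its test are constructed; the real directories are the page's /usr/local/lib and /usr/local/lib/sparcv9.

```shell
#!/bin/sh
# Added example, not part of the original post: report the ELF class of the
# libgcc libraries before handing them to the WebGate installer, so the
# "wrong ELF class: ELFCLASS32" failure is caught up front. The libgcc 3.3
# package puts 32-bit files in /usr/local/lib and 64-bit ones in
# /usr/local/lib/sparcv9; the files used in the test are constructed.

# Print ELFCLASS32, ELFCLASS64 or NOTELF for file $1 by reading the five-byte
# prefix of the ELF header (magic 7f 45 4c 46, then EI_CLASS: 1 = 32-bit,
# 2 = 64-bit). Only od is needed, so this works without the file(1) command.
elf_class() {
  hdr=$(od -A n -t x1 -N 5 "$1" 2>/dev/null | tr -d ' \n')
  case "$hdr" in
    7f454c4601) echo ELFCLASS32 ;;
    7f454c4602) echo ELFCLASS64 ;;
    *)          echo NOTELF ;;
  esac
}

# List every shared object under directory $1 whose class differs from $2
# (for the 64-bit WebGate: ELFCLASS64). Silent with exit 0 when all match;
# otherwise prints "<file>: <class>" per offender and exits 1.
find_mismatched_libs() {
  rc=0
  for f in "$1"/*.so*; do
    [ -f "$f" ] || continue
    cls=$(elf_class "$f")
    if [ "$cls" != "$2" ]; then
      echo "$f: $cls"
      rc=1
    fi
  done
  return $rc
}

# Typical call on the target box before running configureWebGate:
#   find_mismatched_libs /usr/local/lib/sparcv9 ELFCLASS64 && echo "64-bit libgcc OK"
```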

Monday, November 10, 2014

X11 forwarding

This post is about X11 forwarding, which comes in handy when you want the graphical interfaces of X11 programs running on a remote Linux server to be displayed on a local client machine. I am not a Linux expert, so it took me some time to set this up, and I thought I would write it up for future reference.

Need?

I came across the need for X11 forwarding on one of my projects. I had remote access to a Linux server, and my task was to install one of the Oracle FMW products. During installation, graphical wizards appear for the configuration settings, and this is where you need X11 forwarding.
When you connect to a Linux server via SSH and try to run a graphical application, you get the error "Can't open display". When you SSH in and run a graphical application, it has no location in which to draw its window; in other words, there is no display associated with that connection. To get the instructions for drawing the window sent back over the network to your computer, the SSH client must be configured to request them.

How to solve the problem?

The problem can be fixed in two steps:
1. Ask the remote Linux server to forward X connections: configure the SSH client so that the instructions to draw the GUI are sent over the network to the client machine.

2. Run an X server on the client machine to listen for those connections: the X server interprets the instructions coming from the remote Linux server and translates them into drawing commands for Windows.

Prerequisites 

  • Install PuTTY and configure it for SSH.
  • Install the Xming X server on your Windows PC. You can download it from SourceForge.

Configuration Steps

1. Enable X11 forwarding in your PuTTY session.

2. SSH to the remote Linux server and follow the steps below.

i) Before running su or sudo, list the cookie for the current DISPLAY, which is connected to your Xming server:

$ xauth list
host/domain:10 MIT-MAGIC-COOKIE-1 HEX-KEY

For example:
$ xauth list
atloraman/unix:10  MIT-MAGIC-COOKIE-1  926b224b5afc20f8db4bf06c0ef6a6c8

Note: The output above is different for every session.

ii) Switch to the atladmin or oracle account:
    $ su - atladmin

    Export your DISPLAY variable:
    $ export DISPLAY=localhost:10.0

iii) Add the output string from the xauth list command above:

$ xauth add displayname protocolname hexkey

For example:
$ xauth add atloraman/unix:10  MIT-MAGIC-COOKIE-1  926b224b5afc20f8db4bf06c0ef6a6c8

Run xclock to verify that your X11 session is working.

iv) When you no longer need the access, remove the cookie:
$ xauth remove $DISPLAY
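The xauth steps above can be scripted so the cookie is never retyped or exposed on a command line. This is an added example, not code from the original post: the helper names, the target account oracle and the xauth nextract/nmerge pipe are assumptions, and the xauth output in its test is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post: carry the cookie for the current
# SSH-forwarded DISPLAY over to another account before switching users, so the
# xauth list / xauth add steps above are not copied by hand. The account name
# and the sample xauth output are constructed; assumes xauth on the server.

# Display name xauth stores the cookie under: ":10" for DISPLAY=localhost:10.0,
# because `xauth list` shows the forwarded display as <host>/unix:10.
local_display_name() {
  d="${1#*:}"                 # localhost:10.0 -> 10.0
  printf ':%s\n' "${d%%.*}"   # 10.0 -> :10
}

# Print the `xauth list` line for DISPLAY $2 out of the listing in $1;
# prints nothing when this session has no cookie for that display.
cookie_entry_for_display() {
  num=$(local_display_name "$2")
  num="${num#:}"
  printf '%s\n' "$1" | awk -v n="$num" '$1 ~ (":" n "$") { print; exit }'
}

# Copy the cookie into account $1's ~/.Xauthority. The cookie travels over a
# pipe, not on the su command line, so it never shows up in ps. Afterwards
# `su - oracle`, `export DISPLAY=localhost:10.0` and xclock work as in step iii.
forward_cookie_to_user() {
  entry=$(cookie_entry_for_display "$(xauth list)" "$DISPLAY")
  if [ -z "$entry" ]; then
    echo "no xauth cookie for DISPLAY=$DISPLAY; check X11 forwarding in PuTTY" >&2
    return 1
  fi
  echo "forwarding cookie for ${entry%% *}"
  xauth nextract - "$(local_display_name "$DISPLAY")" | su - "$1" -c 'xauth nmerge -'
}
```

Run forward_cookie_to_user oracle from the SSH login shell (step i), then continue with su and export DISPLAY as in step ii; the xauth add of step iii is no longer needed.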

Thursday, October 16, 2014

OAM - Webcenter Content Imaging (IPM) Logout Configuration

Environment Details

Oracle Access Manager - Version 11.1.1.5.0 and later
Oracle WebCenter Content: Imaging - Version 11.1.1.6.0 and later

Scenario

Here we are talking about a typical Fusion Application environment consisting of multiple applications, for example Oracle WebCenter Content, Imaging and Portal, where OAM is used to provide the SSO functionality. I faced a problem while configuring the SSO logout URL for the IPM application.

Solution

To configure the SSO logout URL for Oracle WebCenter Content and Portal, we run the command:

addOAMSSOProvider(loginuri, logouturi, autologinuri)

See Oracle Doc for details.

The same solution doesn't go well with IPM. I fixed it by writing redirect rules in the web server using the OHS URL rewrite engine. I am not sure if it's the Oracle-recommended approach.

RewriteCond %{QUERY_STRING} end_url=/imaging [NC]
RewriteCond %{QUERY_STRING} logout=true [NC]
RewriteRule ^/imaging/adfAuthentication /imaging/adfAuthentication?logout=true&end_url=<OAM-Logout-URL> [L,R=301]

<OAM-Logout-URL> - http://OAMServer_host:14200/oam/server/logout

See the links below for a better understanding of OHS rewrite rules and flags:

http://www.webforgers.net/mod-rewrite/mod-rewrite-syntax.php
http://www.colder.ch/news/01-26-2007/24/truth-about-the-last-mod_.html (a very good explanation of the L flag)

Passed Oracle ADF 12c Essentials Exam (1Z0-419) !!

I recently passed the Oracle ADF 12c exam (1Z0-419) and was impressed with the exam pattern and question selection.

Here are my thoughts:

  1. The questions are more structured and conceptual compared to the earlier ADF Essentials exam (1Z0-554).
  2. Surprisingly, not even one question was asked on the features added in ADF 12c, so the course material is the same as for the earlier ADF exam.
  3. Most of the questions test practical knowledge and concepts instead of just memorizing the study/developer guide.
  4. 87 questions in 120 minutes is not easy, as many of the questions are multiple choice and require reading all the options, so don't think there is too much time.
  5. To pass the exam, just follow the Student Guides and cover each and every topic, because questions are asked from all the topics. I really liked the questions asked on debugging scenarios. I followed the Oracle student guides (D68160 and D68161). D68162 covers advanced topics, and not many questions are asked in the exam from that.