Thursday 11 December 2014

FTP Adapter Configuration for SFTP Communication in SOA using public key authentication process

Target : Establish SFTP communication between the SOA server and the SFTP server, and configure the FTP Adapter to use public key authentication.

Solution :

1. Log in to the SOA server
cd ~ ( This will navigate to the home location of the user )
cd .ssh

2. Execute the command below to generate the public and private key pair:
ssh-keygen

3. After entering the above command, you will be asked for the file in which the keys should be saved. Accept the default values and press Enter. The keys will be saved at the locations below:
Private key location : /<home location of the user>/.ssh/id_rsa
Public Key Location : /<home location of the user>/.ssh/id_rsa.pub

4. Copy the public key of the SOA host ( /<home location of the user>/.ssh/id_rsa.pub ) to the SFTP server by appending the content of the .pub file to the authorized_keys file of the SFTP user. ( If not sure how to perform this, please contact the system admin. )

5. On the SFTP server, make sure you have the required privileges on the authorized_keys file.

6. Now test the SFTP communication. This can be done with the following command on the SOA server:
sftp <sftp_user>@SFTPHOST

Alternatively, you can use the command below if SFTP is running on a port other than the default one:
sftp -vvv -oPort=<port number> <user>@<SFTP HOST>

7. When you do this for the first time, you will be prompted to confirm the SFTP server's host key. Type "yes".

8. This completes the SFTP communication setup between the SOA server and the SFTP host.

9. Once the communication is established, configure the adapter: update the FTP adapter connection pool you are using with the parameters below:
o Authentication type : publickey
o Host : <SFTP Host Name>
o Port : <SFTP Port>
o Private key file : /<user's home>/.ssh/id_rsa (the path of the private key created earlier with ssh-keygen)
o Username : <SFTP User>
o useSFTP : true

10. Save and activate the changes. Update the FTP Adapter deployment.
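
The check below is an added example, not part of the original post. It audits the permissions on the key files from steps 3 to 5: ssh refuses a private key that group or others can access, and sshd (with its default StrictModes setting) ignores an authorized_keys file that group or others can write to. The function names are illustrative; pass the .ssh directory as the argument.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): permission audit for SSH key
# material. Run it on the SOA server (private key) and on the SFTP server
# (authorized_keys); files that do not exist are skipped.

# perm_bits PATH -> the nine rwx characters from ls, e.g. "rw-------"
perm_bits() { ls -ld -- "$1" | cut -c2-10; }

# Succeeds only if group and others have no access at all (private key rule).
owner_only() {
    case "$(perm_bits "$1")" in ???------) return 0 ;; esac
    return 1
}

# Succeeds if neither group nor others can write (rule for ~/.ssh and
# authorized_keys under sshd StrictModes).
no_foreign_write() {
    case "$(perm_bits "$1")" in ????-??-?) return 0 ;; esac
    return 1
}

# audit_ssh_dir DIR: print one FAIL line per problem, return 1 if any.
audit_ssh_dir() {
    dir=$1; rc=0
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    no_foreign_write "$dir" || { echo "FAIL $dir: writable by group/others"; rc=1; }
    if [ -f "$dir/id_rsa" ] && ! owner_only "$dir/id_rsa"; then
        echo "FAIL $dir/id_rsa: accessible by group/others (chmod 600)"; rc=1
    fi
    if [ -f "$dir/authorized_keys" ] && ! no_foreign_write "$dir/authorized_keys"; then
        echo "FAIL $dir/authorized_keys: writable by group/others (chmod 600)"; rc=1
    fi
    return $rc
}

# Usage: ./audit_ssh.sh ~/.ssh
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```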

Monday 20 October 2014

Weblogic startup error: java.lang.OutOfMemoryError: PermGen space

Problem:

WebLogic Server fails to start up with the error below:



<Oct 16, 2014 11:51:39 AM CDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: java.lang.OutOfMemoryError: PermGen space
java.lang.OutOfMemoryError: PermGen space
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
Truncated. see log file for complete stacktrace
>
***************************************************************************
The WebLogic Server encountered a critical failure
Reason: PermGen space
***************************************************************************
Exception in thread "main"

Solution:

WebLogic is running on the Java JDK. For this JDK, the -XX:MaxPermSize parameter must be passed in the startup arguments.
This parameter needs to be set along with the heap arguments.

In the setDomainEnv.sh file, edit the memory parameters for each server as follows:

# Memory arguments per server: MaxPermSize is set together with the heap size
if [ "${SERVER_NAME}" = "AdminServer" ] ; then
    USER_MEM_ARGS="-Xms2048m -Xmx2048m -XX:MaxPermSize=1024m"
fi

if [ "${SERVER_NAME}" = "soa_server1" ] ; then
    USER_MEM_ARGS="-Xms2048m -Xmx2048m -XX:MaxPermSize=1024m"
fi

Sunday 6 July 2014

Deployment Failure error: BEA-149205 (Failed to initialize the application 'hello' due to error weblogic.management.DeploymentException)

Problem:
Deployment fails with the error below. The error is observed while starting the server: the server comes up, but the application goes into the 'Prepared' state.

<Jul 6, 2014 11:28:43 AM IST> <Error> <Deployer> <BEA-149205> <Failed to initialize the application 'hello' due to error weblogic.management.DeploymentException: .
weblogic.management.DeploymentException:
        at weblogic.servlet.internal.WarDeploymentFactory.findOrCreateComponentMBeans(WarDeploymentFactory.java:69)
        at weblogic.application.internal.MBeanFactoryImpl.findOrCreateComponentMBeans(MBeanFactoryImpl.java:48)
        at weblogic.application.internal.MBeanFactoryImpl.createComponentMBeans(MBeanFactoryImpl.java:110)
        at weblogic.application.internal.MBeanFactoryImpl.initializeMBeans(MBeanFactoryImpl.java:76)
        at weblogic.management.deploy.internal.MBeanConverter.createApplicationMBean(MBeanConverter.java:91)
        Truncated. see log file for complete stacktrace
Caused By: java.io.FileNotFoundException: File not found
        at java.util.zip.ZipFile.open(Native Method)
        at java.util.zip.ZipFile.<init>(ZipFile.java:117)
        at java.util.zip.ZipFile.<init>(ZipFile.java:133)
        at weblogic.servlet.utils.WarUtils.existsInWar(WarUtils.java:84)
        at weblogic.servlet.utils.WarUtils.isWebServices(WarUtils.java:76)
        Truncated. see log file for complete stacktrace


Solution:
The deployment path of the application 'hello' has changed, so the server is not able to find the location from which it was last deployed. Check the path it points to, or redeploy the application.
In my case, I moved it from 'C:\Users\amitaj\Desktop\OAM\hello.war' to some other location, hence while starting the server, I got the above deployment error. Fixed it by redeploying it from the new location.

Thursday 3 July 2014

How to change SUPERVISOR password for ODI

Follow the below steps to change the SUPERVISOR password in ODI 11g:


1. Navigate to Start --> All Programs --> Oracle --> Oracle Data Integrator --> ODI Studio

2. In ODI Studio, in the left pane click Connect to Repository --> in the pop-up, log in to the Master Repository with Supervisor/<pwd> --> click on OK

   Then go to View --> ODI Security Navigator --> click on Users --> click on "Supervisor" --> in the right pane click on "Change password"

Change the password and save it.

3. Go to the location below:

      cd <ODI_HOME>/odi_111/oracledi/agent/bin

4. Take a backup of the file odiparams.sh

5. Run the command

      ./encode.sh  <new password>

6. Copy the encoded password into odiparams.sh at the following entries:

      ODI_SUPERVISOR=SUPERVISOR
      ODI_SUPERVISOR_ENCODED_PASS=<encoded password>

7. Restart all the servers and DB.

If you face the error below after the change:

<Jul 3, 2014 6:28:10 AM GMT> <Warning> <Default> <J2EE JMX-46252> <Error during postRegister for MBean oracle.odi.re:name=AgentStatistics,oditype=ODIRuntimeMBeans,Application=odiconsole
java.lang.RuntimeException: oracle.odi.core.security.BadCredentialsException: ODI-10199: Incorrect ODI username or password.
        at oracle.as.jmx.framework.generic.spi.interceptors.LoggingMBeanInterceptor.internalPostRegister(LoggingMBeanInterceptor.java:703)
        at oracle.as.jmx.framework.generic.spi.interceptors.AbstractMBeanInterceptor.doPostRegister(AbstractMBeanInterceptor.java:205)
        at oracle.as.jmx.framework.standardmbeans.spi.OracleStandardEmitterMBean.postRegister(OracleStandardEmitterMBean.java:516)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.postRegisterInvoke(DefaultMBeanServerInterceptor.java:1033)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:973)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:916)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:312)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:492)
        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$27.run(WLSMBeanServerInterceptorBase.java:714)
        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.registerMBean(WLSMBeanServerInterceptorBase.java:709)


Kindly check the points below to confirm that the repository details have also been updated:

a) Master Repository connection details
b) Work Repository Details
c) Both the Datasources in weblogic console: jdbc/odiMasterRepository and jdbc/odiWorkRepository should have the correct password.
d) Update Master/Work repository configuration in odiparams.sh

Thursday 26 June 2014

OAM 11g Access Tester

Introduction

Oracle Access Manager 11g has an inbuilt Access Tester which we can use to test connectivity and troubleshoot issues between an agent and the OAM server.
The beauty of Access Tester is that we can simulate interactions between a registered OAM Agent and OAM 11g Servers, and it can be run from any computer.

How it works

1) Go to the directory $ORACLE_HOME/oam/server/tester
2) Run: java -jar oamtest.jar

3) The Access Tester GUI window will open.

4) Enter the parameters below and observe the respective output:


1. Server Connection:
IPAddress: IP address where OAM server is running
Port: OAM server port, default is 5575
AgentID: Webgate profile ID, which was given to register the webgate
Click on Connect

2. Protected Resource URI:
Host: It should be same as present in host identifier in oamconsole
Port: It should be same as present in host identifier in oamconsole
Resource: Resource URI which is protected.
Click on Validate

3. User Identity:
Enter the username and password to authenticate the user for the above given resource URI.

4. Test the Authorization of the resource by clicking on Authorize button

In this way you can simulate the access flow from Webgate to OAM server and troubleshoot for any errors.

Do post any queries!


Wednesday 14 May 2014

OWSM policies in SOA 11g

What is OWSM ?

Oracle Web Services Manager (OWSM) is a security framework that provides security for web applications. It can be applied at runtime (using EM) as well as at design time (using JDeveloper).
Applying the policies at runtime is an advantage for developers, as they can focus on developing the service rather than worrying about security.

Configuring OWSM Policies in SOA 11g from EM console:


1) Login to EM with administrator user.
2) Deploy a simple health check composite or any composite you want to secure.
3) Go to the 'Policies' tab (under Dashboard) of the composite.

4) Attach the basic security policy (oracle/wss_username_token_service_policy)

5) This policy enforces security by requiring a username and password in the SOAP message.

How to test:

1) Once the security policy is applied successfully, go to 'Test' tab of the composite.
2) On the Request Tab, under Security, select 'OWSM Security Policies'.
3) Click on oracle/wss_username_token_client_policy. Enter the username/password (weblogic/welcome1)
4) Give the input and click on Test Button.

A successful invocation shows that the policy is attached correctly.


Otherwise you will get the OWSM error (WSM-00006) as below:

<May 14, 2014 5:15:40 PM IST> <Error> <oracle.wsm.resources.security> <WSM-00006> <Error in receiving the request: oracle.wsm.security.SecurityException: WSM-00069 : The security header is missing. Ensure that there is a valid security policy attached at the client side, and the policy is enabled..>
<May 14, 2014 5:15:40 PM IST> <Error> <oracle.wsm.resources.enforcement> <WSM-07607> <Failure in execution of assertion {http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token executor class oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.>
<May 14, 2014 5:15:40 PM IST> <Error> <oracle.wsm.resources.enforcement> <WSM-07602> <Failure in WS-Policy Execution due to exception.>
<May 14, 2014 5:15:40 PM IST> <Error> <oracle.wsm.resources.enforcement> <WSM-07501> <Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.service, application=soa-infra, composite=DeployHealthCheck, modelObj=synchbpel_client_ep, policy=oracle/wss_username_token_service_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token.>
<May 14, 2014 5:15:40 PM IST> <Error> <oracle.webservices.service> <OWS-04086> <oracle.fabric.common.PolicyEnforcementException: InvalidSecurity : error in processing the WS-Security security header

Wednesday 30 April 2014

Unable to start Admin server BEA-000386 (Server subsystem failed. Reason: java.lang.AssertionError: java.lang.reflect.InvocationTargetException)

Problem: Not able to start Admin server with BEA-000386 Error.

Symptom:
WebLogic Server fails with the error below:

<Apr 30, 2014 5:50:48 PM IST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: java.lang.AssertionError: java.lang.reflect.InvocationTargetException
java.lang.AssertionError: java.lang.reflect.InvocationTargetException
        at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy._invokeServiceMethod(DescriptorManager.java:175)
        at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy.decrypt(DescriptorManager.java:192)
        at weblogic.descriptor.DescriptorManager$SecurityServiceImpl.decrypt(DescriptorManager.java:114)
        at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:1092)
        at weblogic.management.configuration.SecurityConfigurationMBeanImpl.getCredential(SecurityConfigurationMBeanImpl.java:737)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy._invokeServiceMethod(DescriptorManager.java:173)
        Truncated. see log file for complete stacktrace
Caused By: weblogic.security.internal.encryption.EncryptionServiceException
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:139)
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:187)
        at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        Truncated. see log file for complete stacktrace
>

Solution:
The file SerializedSystemIni.dat has become corrupted. Admin Server will not start because it is not able to decrypt the credential and perform authentication properly.

Take a backup of the config.xml file and replace all the encrypted values with plain text, as in the example below (the encrypted value first, then its plain-text replacement):

<credential-encrypted>{AES}HLsT8dQxvGB0z6NBItIlMaiX/kYyI/d7SNqhwnqL/xot2gUAj7EglBJeM2mkynJDZUbwCe7cN6hwVRU5jZkLOZLA3C/WUqlc6voRI9mKiPTfaqMvqNSJsny+gas8V8cO</credential-encrypted>

<credential-encrypted>SimpleText</credential-encrypted>

Once you restart the Admin Server, all the plain text values will get encrypted again.
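
Until that restart happens, config.xml holds the credentials in clear text. The check below is an added example, not part of the original post: it lists every element whose name ends in -encrypted but whose value has no {ALGORITHM} prefix such as {AES}, so you can confirm after the restart that nothing was left in plain text. It assumes the other encrypted fields follow the same naming as <credential-encrypted>; the function names and the sample file content are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumption: encrypted fields in
# config.xml are elements named *-encrypted, as <credential-encrypted> above.

# cleartext_secrets FILE: print "line:element" for every *-encrypted element
# whose non-empty value lacks an {ALGORITHM} prefix; return 1 if any is found.
cleartext_secrets() {
    awk '
    {
        rest = $0
        while (match(rest, /<[A-Za-z0-9-]+-encrypted>[^<]*<\//)) {
            elem = substr(rest, RSTART, RLENGTH)
            name = elem;  sub(/^</, "", name);       sub(/>.*/, "", name)
            value = elem; sub(/^[^>]*>/, "", value); sub(/<\/$/, "", value)
            if (value != "" && value !~ /^[{][A-Z0-9]+[}]/) {
                printf "%d:%s\n", NR, name
                found = 1
            }
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    END { exit found + 0 }' "$1"
}

# write_sample_config FILE: constructed config.xml fragment for a dry run.
write_sample_config() {
    cat > "$1" <<'EOF'
<domain>
  <security-configuration>
    <name>base_domain</name>
    <credential-encrypted>SimpleText</credential-encrypted>
    <node-manager-password-encrypted>{AES}Q09OU1RSVUNURUQ=</node-manager-password-encrypted>
  </security-configuration>
</domain>
EOF
}

# Usage: ./check_config.sh <path to config.xml>
if [ $# -gt 0 ]; then cleartext_secrets "$1"; fi
```

An empty result with exit status 0 means every such element carries an encrypted value again.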