Sunday, November 23, 2014

Quick Tips for Oracle ADF 12c Certified Implementation Specialist (1Z0-419) Exam

I passed the ADF 12c Implementation Specialist Exam last month. Lot of people had queries on the pattern/study material etc., so thought to write a quick blog -
  • The study material is same as Oracle ADF 11g Exam [D57350, D60499, D60501] though exam is much tougher than ADF 11g (I have cleared ADF 11g earlier as well)
  • No new features or concepts in ADF 12c have been covered in the exam
  • This is the best Oracle Exam I have given, totally conceptual, cringes you for time and challenges your concepts
  • 87 questions in 120 mins with multiple choice questions, I took the entire time.
  • Quite a few questions require you to choose the best option from all the right options :)
  • Few questions have screenshots and questions are asked pertaining to them which I though was a great idea to check implementation experience
  • If you have cleared the ADF 11g exam in the past and have got implementation experience, just a revision of the ADF 11g material should be good enough.
  • Do not attempt this exam without having hands on in ADF, it's pointless :)
  • Be very thorough on the ADF Lifecycle and ActionListener/ValueChangeListener order of execution, Nested AMs and transaction, DVT components, page templates, ADF BC; quite a few questions from there ! [D60501 is the guide to read for these]
Kudos to the certification team for such a comprehensive exam, I felt really happy on having cleared it !!

Useful links -
Exam Details and Topics (Cover all topics, questions from each are asked)
Study Guide details

Thursday, November 6, 2014

OAM 11gR2 / 11.1.2.2 : Redirection to favicon.ico screen after authentication to a Portal

Scenario After login to the Portal using OAM 11gR2PS2 login to access a protected resource for the first time (page not cached in browser), the end user is redirected to the favicon.ico url instead of the resource url. The browser needs to be refreshed with the Portal URL to get this to navigate to the Portal home page as expected.

Also if the favicon.ico is not present in the OHS /htdocs folder a 404 may also appear.

It was initially tricky to figure out that this issue was related to permissions in OAM. But if we remove the webgate entry from httpd.conf (i.e. Security layer is bypassed), we can confirm that this issue doesnot occur which means OAM is playing up here.

Cause -
This is caused by the favicon.ico being protected by OAM. 
If it's not in the browser cache, the client browser will fetch the favicon.ico resource on the server. It will get the favicon before the page, setting incorrectly the end_url parameter, redirecting to the favicon url instead of the resource url.


Solution -
Make sure that favicon.ico is created in <OHS_INSTANCE>/config/OHS/ohs1/htdocs/  folder so that there is no 404 ever. This is the icon which shows besides the website address.

Then, create a resource definition in OAM as documented in http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/app_domn.htm#CACJJGCA 
1) set type as HTTP
2) define resource URL to /favicon.ico
3) set protection level to "excluded"  (More about excluded resources here )


Reference - Oracle Support Document 

OAM 11.1.2.2 (11gR2) - System error after submitting credentials from Custom Login Page

Scenario : Standard Custom Login Page doing form post to /oam/server/auth_cred_submit with username/pwd and 'request_id' in cookie.

Issue - Sporadic redirection to an error page with 'System Error has occurred' message with details -
[oam_server1] [TRACE] [] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 004sto37QpzDoYX5HvH7if00063I00002b,0:2] [SRC_CLASS: oracle.security.am.pbl.protocol.plugin.oam.AMFailureResponseHandler] [APP: oam_server#11.1.2.0.0] [SRC_METHOD: processResponse] [URI: /oam/server/auth_cred_submit] OAM-02073[[
oracle.security.am.common.utilities.exception.AmRuntimeException: OAM-02073
at oracle.security.am.engines.enginecontroller.AuthzEngineController.checkProtected(AuthzEngineController.java:438)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.processEvent(AuthzEngineController.java:177)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:570)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:759)



Solution
"Verify that the custom login page is submitting the credentials to /oam/server/auth_cred_submit with the correct OAM Server Host and Port.The OAM_SERVER_HOST.DOMAIN and SSLPORT values should match those configured in the OAM Console -> System Configuration -> Access Manager Settings page for Load Balancing OAM Server Host and OAM Server Port.

In  my case, the form post URL was pointing to https://<host>/oam/server/auth_cred_submit.
Once I had it changed to https://<host>:443/oam/server/auth_cred_submit, (adding missing port) this issue got resolved.

Please check the above support document for some other causes for this issue.

Monday, October 6, 2014

OAM 11gR2 : Single-Sign-On to an internal Portal, logging in from an external facing public Portal

A common requirement for many Portal clients -
Allow single signed on access to an Internal Portal, with the user logging in from an external portal using a custom login form (one at the top right corner of the screen).
Why is this not straight forward ?
Well, you might ask what's the big deal with this. Isn't this a standard custom login page being implemented ? Nope, a standard OAM Custom Login page posts to the /oam/server/auth_cred_submit URL endpoint alongwith request_id as a parameter which contains the details of the protected resource to which it should navigate on successful authentication. In short, the protected page was solicited by the user, and after a series of redirects it lands at the custom login page. Once the user authenticates successfully, the resource is picked up from the request_id parameter and navigated to.
In the above scenario, the user needs to navigate to a resource which was not solicited.e.g. The user requested for  www.oracle.com and after logging in needs to navigate to oracle.com/EmployeePortal.
This introduces the concept of Unsolicited Login -
Unsolicited Login is used when we want to authenticate user without any request_id or resource. The page which is navigated to, upon successful authentication is not the one which was initially solicited hence the name Unsolicited Login.
This feature has been introduced by Oracle in 11gR2 (11.1.2.x series). Prior to 11gR2, this feature would need to be custom built.

Following are the steps needed to enable this feature in OAM :
1. Enable Direct Authentication for OAM.
Navigate to OAM Domain for your installation, under config/fmwconfig/oam-config.xml, ensure that ServiceStatus under DirectAuthenticationServiceDescriptor is set to true. (DirectAuthenticationServiceDescriptor is under OAMServicesDescriptor).

It is highly recommended that, you first stop the Admin Server and OAM Cluster before you make any changes to the oam-config.xml. Further, it is sufficient to do the above changes in the oam-config.xml under the AdminServer/config/fmwconfig incrementing the Version field by 1. Once you have restarted the AdminServer and the OAM Clusters, the oam-config.xml for OAM Cluster will get automatically updated.
2. Submit the following information to the endpoint via Custom Login Form (External Public facing Portal Page) https://oam_host:oam_port/oam/server/authentication:
a.      username
b.      password
c.       successurl, for example, http://machinename.mycompany.com:7778/sample-web/headers.jsp.
Code Example
<form id="loginForm" name="loginForm" action="http://OAMHost:Port/oam/server/authentication" method="post" hidden="true" >
<input id="username" type="text" name="username" />
<input id="password" type="password" name="password" />
<input id="successurl" type="text" name="successurl" value="http://chinni-pc:7777/"/>
<input type="submit" value="submit" />
</form>
You can use the above code bit in a JSP and package it within the same Custom Login Page app archive used for the Internal Portal. This will need to be re-deployed to the Weblogic Server for the functionality to work.
 In case you would like to use it in an external Portal page which is an HTML or the like you can iframe the above code as a JSP.
Once the credentials are validated, OAM Server redirects to the success URL after setting OAM_ID cookie as part of HTTP redirect (HTTP response code 302).
Note – Internal Portal Login page or code does not need to be changed.
3. To allow direct authentication only for POST, or vice-versa:
i)        Login to Oracle Access Management administration console and navigate to Policy Configuration, then Application Domains.
ii)      Select edit default application domain IAMSuite. Navigate to Resources, then search and edit resource /oamDirectAuthentication.
iii)    Under Operations, de-select all operations that are not to be supported, except POST. For example, GET, DELETE.
iv)    Make sure that the AuthenticationPolicy for the /oamDirectAuthentication points to the same AuthenticationScheme as for the Internal Portal.
If the above is not present in your OAM environment, please create it similar to the screenshots below.

Once user logs in, user will be redirected to successurl.

4. The URL pattern of the external Public facing Portal needs to be marked as ‘Unprotected’ with a ‘PublicAuthenticationPolicy’ which uses an ‘Anonymous Scheme’.
The internal Portal would continue to be as-it-is marked ‘Protected’ with a ‘PrivateAuthenticationPolicy’ pointing to the relevant ‘LDAPScheme’.

The above would need to be done within the appropriate ‘Application Domain’ which is used for the Portal.

In screenshot below, /ssologin/.../* represents the URL pattern for an External public facing Portal.

Oracle Documentation References
Screenshots from a POC on this
Below are the screenshots and summary from a POC done on OAM 11.1.2.2 with WebCenter Portal/Spaces 11.1.1.8.3 as the Success URL.

The below screenshot represents a public site with a login form. This page is not protected and is meant to represent an external portal.
Once the user enters the required credentials and clicks submit, they will be redirected to a protected resource. The protected resource shown below (WebCenter) is to reflect a protected internal portal.
Shown above, the user has successfully authenticated and has established an SSO session with Oracle Access Manager.
If the protected resource is accessed directly, a separate authentication method/form will be used to challenge the user. 

Friday, September 26, 2014

Oracle Fusion Middleware : 11.1.1.x / 11gR1 Support

Your 11gR1(11.1.1.x) customer does not wish to upgrade to 11gR2 (11.1.2.x) or to 12c (12.1.x) as he probably is not too keen on the new features or is not excited about the cloud yet.

Well, what about support on 11gR1 ? This can be a major factor for upgrade apart from new features!

11.1.1.x Premier support ends June 2015
As per http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf page 36

Note there are three kinds of support - Premier Support, Extended Support and Lifetime Support.
The extended support may not support integrations with new third party vendors and the sustaining support does not include new fixes!

Typically premier support is for 5 years since the launch of the product, extended support for 2 more years and sustaining support thereafter.

Monday, September 22, 2014

Oracle Security : Getting Started

Oracle Identity Management(IDM) is a vast collection of products with confusing terminology and it can be difficult to understand where to start. Hope the below links help.

Concepts
Oracle IDM Basics - (Keep clicking to navigate through entire topics)
A few simple Tutorials from Oracle to get started
Oracle IDM Home Page (Source to Datasheets, Whitepapers, Customer Use Cases and various Data)

Installs

Issues/Continuous learning of tricky use cases & finer concepts
Oracle IDM A-Team Blogs (Learn tricks of the trade)

Mapping of use cases with products

Collated IDM 11gR2 Blog Dashboard

Monday, September 1, 2014

UCM / Webcenter Content : Configuring an Admin User for UCM which resides in OID

UseCase :
  • The default install of Webcenter Content/UCM results in weblogic as the Default Content Admin which resides in the embedded LDAP.
  • In our Webcenter implementations we end up using a variety of LDAP's.
  • This post details how to change the Admin user for UCM to a user residing in OID which is easier to manage and the recommended approach instead of using weblogic.


Advantages : 
  • This can also be extended to use any LDAP like AD, OUD, ODSEE etc.
  • Another reason why this needs to be configured is so that the UCM Console can be logged in using a OHS URL or Virtual IP which has a LDAP configured as its IdentityStore instead of having to log in via the managed server port.

Configuration Steps :

1.Create a new user called ucmadmin in OID with object classes simialr to those present for orcladmin.

2.Create a new group called ucmadmingroup in OID with object classes top and groupOfUniqueNames.

3.Assign ucmadmin as a member of the ucmadmingroup.

4.Make sure the users and groups mentioned here reside in the DN hierarchy defined in the OID Authenticator(e.g. cn=Users,dc=oracle,dc=com)

5.You also need to create the Credential Maps to grant ucmadmingroup as the administrator in UCM. Then, in UCM, we mapp the OID group ucmadmin to UCM internal roles and all accounts priveliges. All the users who belong to the ucmadmin group will be automatically granted the UCM admin roles.
- Login to Content Server as weblogic and configure credential map (http://<host>:16200/cs)
  Administration -> Credential Maps, create a new map (e.g.: called "MyOIDMap")
- Add the following mapping
ucmadmingroup ,                  admin
ucmadmingroup ,                  guest
ucmadmingroup ,                  sysmanager
ucmadmingroup ,                  refineryadmin
ucmadmingroup ,                  rmaadmin
ucmadmingroup ,                  pcmadmin
ucmadmingroup ,                  ermadmin
ucmadmingroup ,                  @#all

6.Edit the provider.hda  and add the credit map "MyOIDMap" which would be at the location -
 <UCM-Domain>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  Here is an example:
<feff><?hda version="11gR1-11.1.1.6.0-idcprod1-111219T111403" jcharset="UTF8" encoding="utf-8"?>
Properties LocalData
DefaultNetworkAccounts=#none
DefaultNetworkRoles=guest
PasswordScope=jpsuserprovider
ProviderClass=idc.provider.jps.JpsUserProvider
ProviderDescription=csJpsUserProviderDescription
ProviderName=JpsUserProvider
ProviderType=jpsuser
SourcePath=jpsuser
ProviderCredentialsMap=MyOIDMap
blDateFormat=M/d{/yy}{ h:mm[:ss]{ a}}!mAM,PM!tAmerica/Los_Angeles
pDescription=csJpsUserProviderDescription
end

7.Restart the UCM Managed Server.
 

8. Repeat the steps for the other machine if its a clustered environment.

9.After that , if you login to Content Server as ucmadmin, in the ucadmin profile, you should see something similar as the following:
 
 In the ucmadminprofile, you should see the "#all" in the Accounts fields. Otherwise, when users accessing documents in Spaces, it will fail the following error:
  User 'ucmadmin' does not have sufficient privileges to access the content account.

Monday, August 25, 2014

OID 11.1.1.7 - Unlocking superuser orcladmin account

We weren't able to login to WebCenter Portal which uses OID as the Authentication store today.
On investigation we found out that the superuser orcladmin account was itself locked.

Note -
1.There are 2 orcladmin accounts: the superuser account, cn=orcladmin, and the REALM administrator cn=orcladmin, for example: cn=orcladmin,cn=users,dc=oracle,dc-com.

2. The superuser account is hard coded and is not seen in the Oracle Directory Manager (ODM), nor the Oracle Directory Services Manager (ODSM) in 11g.


Following commands* executed from a command line tool helped to fix this issue -


export ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IDM1/
export ORACLE_INSTANCE=/u01/app/oracle/admin/OID_Domain/oid_inst_2/
cd /u01/app/oracle/middleware/Oracle_IDM1/ldap/bin
>./oidpasswd connect=OIDDB unlock_su_acct=true      #find connect string from #/u01/app/oracle/admin/OID_Domain/oid_inst1/config/tnsnames.ora
OID DB user password:<ODS Schema pwd>

*This is just a representation of what i had to do in my environment to fix this.

Post this, you would need to login to ODSM, go to Data Browser tab and change the password for cn=orcladmin,cn=Users,dc=<companyName>,dc=com and change the password which in all probability might have expired as well.



Atul Kumar's post here also helps with similar issues.

To change password policies have a look at this Oracle Doc

Saturday, August 23, 2014

OAM 11gR2/Weblogic : The important of parameters in mod_wl_ohs.conf(Web Server plugins)

Configurations of various parameters in web server plugins plays in a major part in ensuring that Single-Sign-On works fine using OAM.

Oracle Documentation -
http://docs.oracle.com/cd/E23943_01/web.1111/e14395/plugin_params.htm

This post is intended to share my experiences with certain parameters and the repercussions if you don't include them :)

WLProxyPassThrough
WLProxySSl works great if webserver is doing the SSL work. But if SSL being terminated by a load balancer then mod_wl will remove any incoming WL-Proxy-SSL and the request will reach OHS over HTTP this means that the WebLogic server won't ever get that header and so request.isSecure() will always return false. If you add that directive and set it to ON then the WebLogic plug-in will not remove any incoming WL-Proxy-SSL header. This lets WebLogic Server know that the original request was initiated over SSL.  WL-Proxy-SSL header should not be sent if the inbound traffic to the load balancer was not SSL (HTTPS).

Error Scenario

Once I added this parameter for under the <if weblogic_module> tag and set it to true, this issue no longer reccurred .




WLCookieName
If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, you need to change the WLCookieName parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor> element.

Error Scenario :
The Webcenter Portal application I was implementing SSO using OAM for, had changed the weblogic session cookie name to a non-JSESSION ID value for some reason.
This was not giving me any issues until I was configuring "Weblogic Cluster" value(instead of "Weblogic Host") in the OHS layer pointing to the Webcenter managed servers.Once I did so,the Webcenter Portal page would not load and instead would give me a flickering page with consistently changing values of adf_ctrl.state and the page would not load up.
This issue was resolved once I added WLCookieName <cookieName> under the context root tag for the Webcenter Portal app in mod_wl_ohs.conf

This post is also relevant in this regard.

Oracle IDM 11gR2 : Integrating with MS Active Directory 2003

The latest versions of OIM and OAM 11gR2(11.1.2.x) donot support LDAP Sync or OIM-OAM Integration using Active Directory(AD) 2003 as per the 11gr2 certification matrix
We had a use case to support federation using OAM 11gR2 somehow with AD 2003 as the Identity Store. 

Option 1 : Using OVD
We noticed that the latest version of OVD was 11.1.1.7 which happens to support AD 2003 as per the 11gR1 FMW certification matrix .So potentially we could hook OAM with OVD as the Identity Store and still connect to Active Directory 2003, which is not directly supported!
Extending this theory we could provision to OVD from OIM which finally would create relevant user accounts in Active Directory 2003!!
Oracle confirmed this in SR # 3-9503114871(you may not be able to view it directly but can refer to this in another SR if need be).

Option 2 : Using OID and DIP
Standup OID(11.1.1.7 is the latest as of today) and sync existing users from AD 2003 using a DIP process.

Option 3 : Use IDM 11gR1
Least preferred since it's never a good idea to go back to a older release when the newer release has so much to offer and IDM 12c is in the pipeline.If none of the above can be made to work for whatever reasons, AD 2003 is definitely supported both with OIM and OAM 11gR1(11.1.1.x).

Monday, August 11, 2014

OAM 11gR2 : 500 Internal Server Error after registering new 11g Webgate

I got the error as in the subject after I had registered a new webgate , done other necessary configurations and tried to access a WebCenter Portal page which I was trying to protect.

The error in the oblog.log said - 


Request Failed for : /index.html, Resp Code : [500]
OBWebGate_AuthnAndAuthz: Cannot get message for ObAccessException_NO_AGENT_KEY


Oracle Support had a similar issue for Fusion Apps which didnot really help -
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1534423.1

Finally , after using the OAM Tester , a colleague suggested to edit and re-copy Webgate related files from Output Directory of the OAM_Domain pertaining to the webgate to <OHS_Instance>/config/OHS/ohs1/webgate/config.

Hope this helps someone facing a similar issue.

Debugging SSO issues using OAM Tester

The OAM Tester is a great desktop based tool to test issues while accessing resources protected using OAM. It will help you with basic logs and categorizes on what exactly fails(authentication,authorization etc).

This is a quick way to ensure that everything works fine at the OAM layer without having to look at the logs and/or tools like Firebug or HTTPAnalyzers/Fiddler.

The port for the server connection would be 5575 which is the port for Access Manager.All the rest should be self explanatory.

Copy the following files from <ORACLE_IAM_HOME>/oam/server/tester & launch oamtest to get to this dialog.
Links from Oracle documentation -

Thanks to my colleague Shivram Sundaram to help find this thus quickly resolving multiple issues.

Note - I was on the 11gR2 version of OAM.

Tuesday, July 15, 2014

ADF / Webcenter : POJO Data Control caches values even when container taskflow is refreshed [UI Aware Data Model - I]


Oracle says ADF BC , EJBs , Webservices , POJOs etc. are supported as Business Services layer in ADF.

The Data control layer which happens to be the Model layer can be generated from each of the above ( gets generated automatically from ADF BC).






Use Case -
I had a taskflow which contained a jsff as a default view activity. The view in turn pulled data from a Webservice proxy (a POJO for all practical purposes) via a POJO DataControl.We had a requirement to refresh the taskflow when the value of a selectOneChocie outside the region changed .

Issue -
Though the taskflow refreshed but the page showed the same data  within the ADF Table (based on the POJO Data control) which was surprising !

Concern
Since as per the documentation -
http://docs.oracle.com/cd/E21764_01/web.1111/b31974/taskflows_regions.htm#CHDEIFBB
Example 17-8 says :
You do not need to refresh an ADF region to refresh the data controls inside the ADF region. During the ADF lifecycle, the refresh events telling the iterators to update will be propagated to the binding container of the current page of the ADF region.


Solution -
We had to re-execute the iterator's Query to get this to work either as a method call before your view is loaded or by overriding the refreshRegion() method of the Region Controller class.

Explanation - 
The actual reason why this is expected is because the way ADF works with ADF BC as the business services layer and the UI-aware data model aspect from the Oracle documentation. Other non - ADF BC business services implementation donot support this pattern and we would need to refresh iterators programmatically or clear cache's etc to reflect most recent data when using POJO's/ WS Datacontrols etc.

"When you use ADF Business Components in combination with the ADF Model layer and ADF Faces UI components, the data model is "UI aware" because your UI components will automatically update to reflect any changes to the row sets of these business objects
Thus, the UI-aware data model represents a solution that works across application technology layers to ensure that the UI and data model remain synchronized."

Here is the forum thread for reference.

Conclusion
Though many people who have worked in open source platforms and are used to having a handle to the code aren't fans of ADF BC - but ADF BC simplifies development by providing really cool features like the UI Aware Data Model.I would try to outline more in this in another post.