Sunday, July 27, 2014

Installation of SOA Suite 12c

Oracle recently released SOA Suite 12c; the following are the steps to install it on your local system.
1. Download SOA Suite 12c from http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html
2. Please note that SOA Suite is certified only for 64-bit machines on a 64-bit JVM. You must have a 64-bit JDK on your system; a JRE alone is not sufficient.
3. The download consists of two jar files, fmw_12.1.3.0.0_soa_quickstart.jar and fmw_12.1.3.0.0_soa_quickstart2.jar.
4. Open a command line and execute the command java -jar fmw_12.1.3.0.0_soa_quickstart.jar. Please note that jdk/bin must be on the path and JAVA_HOME must point to the JDK; alternatively, execute the command from the jdk/bin folder.
5. This opens up a GUI. Follow the screens as shown in the screenshots below and that's it, your SOA Suite is installed.
6. Check that the following directories are created on the file system.
7. This version has an in-built JDeveloper which, unlike older versions of JDeveloper, can also be used to deploy SOA composites. This means that to test SOA composites on a local system there is no need to create a SOA domain: just start the integrated WebLogic server from JDeveloper and it will create a domain and start the WebLogic server. The port for this SOA domain is 7101 and the username/password is weblogic/welcome1.
Saturday, May 31, 2014

Installation and configuration of Webgate for Oracle HTTP Server

Oracle HTTP Server Webgate needs to be installed on both nodes. Webgate on Linux requires the 64-bit libgcc_s.so.1 library under the /usr/lib64 folder.
1. Copy the GCC file libgcc_s.so.1 from /lib64 to /usr/lib64. Make sure the output of each of the commands below is greater than 1.
a. strings -a libgcc_s.so.1 | grep -c "GCC_3.0"
b. strings -a libgcc_s.so.1 | grep -v "GCC_3.3.1" | grep -c "GCC_3.3"
c. strings -a libgcc_s.so.1 | grep -c "GCC_4.2.0"
d. file libgcc_s.so.1 | grep "64-bit" | grep -c "x86-64"
e. file -L libstdc++.so.6 | grep "64-bit" | grep -c "x86-64"
2. Navigate to the installable folder, e.g. /media/FMW/IDM/Webgate/V38082-01/Disk1/install/linux64.
3. Run the command ./runInstaller.
4. Click Next on the welcome screen. Wait for the prerequisite checks to be completed.

5. Specify the installation location /apps/oracle/product/fmw. Leave the Oracle Home Directory as Oracle_OAMWebgate1. Click on Next.

6. Wait for the installation to be completed.
Configuration of OHS and Webgate

1. Log in to the OHS box and stop the OHS instance (if running) by executing the command ./opmnctl stopall
2. Navigate to /apps/oracle/product/fmw/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate/ on the OHS box.

3. Execute the command:
./deployWebGateInstance.sh -w /apps/oracle/product/admin/instance1/config/OHS/ohs1 -oh /apps/oracle/product/fmw/Oracle_OAMWebGate1
/apps/oracle/product/admin/instance1/config/OHS/ohs1 is the home directory of the OHS server instance
/apps/oracle/product/fmw/Oracle_OAMWebGate1 is the home directory of the Webgate installation


4. Set the LD_LIBRARY_PATH variable.
export LD_LIBRARY_PATH=/apps/oracle/product/fmw/Oracle_WT1/lib
Navigate to /apps/oracle/product/fmw/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools.

5. Execute the command
./EditHttpConf -w /apps/oracle/product/admin/instance1/config/OHS/ohs1/ -oh /apps/oracle/product/fmw/Oracle_OAMWebGate1 -o webgate.conf
Output of the command:
[oracle@linuxmachine InstallTools]$ ./EditHttpConf -w /apps/oracle/product/admin/instance1/config/OHS/ohs1/ -oh /apps/oracle/product/fmw/Oracle_OAMWebGate1 -o webgate.conf
The web server configuration file was successfully updated
/apps/oracle/product/admin/instance1/config/OHS/ohs1/httpd.conf has been backed up as /apps/oracle/product/admin/instance1/config/OHS/ohs1/httpd.conf.ORIG
Saturday, February 15, 2014

Setting up Kerberos authentication on Oracle Access Manager

The configuration for Windows Native Authentication requires a keytab file to be generated by the AD administrator.

1. Send a request to the AD administrator to generate a keytab file. The instructions to be sent to the AD administrator (Windows Server 2008 R2) are as follows.
a. Create an AD user: username = oam1, password = Welcome1
b. Verify that no SPNs exist for oam1: setspn -L oam1
c. Generate the keytab by using the following command:
ktpass -princ HTTP/oam1.domain.com@DOMAIN.COM -pass Welcome1 -mapuser oam1 -out c:\temp\oam1.keytab
(The name oam1.domain.com is the listen address of the OAM server. Not specifying any encryption type makes ktpass use RC4-HMAC.)
d. Check the box "Do not require Kerberos preauthentication" on the user account. (This was required, else I was getting an error saying that pre-authentication is required.)
2.       Update the krb5.conf file located at /etc folder on the OAM servers 

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 1
 (I required this parameter because I was getting an error saying that the packet size was too huge. Then I found that by default Kerberos uses the UDP protocol, which has a packet size limitation. This parameter forces the use of the TCP protocol.)

[realms]
 DOMAIN.COM = {
  kdc = ADSERVER
  admin_server = ADSERVER
  default_domain = DOMAIN.COM
 }

[domain_realm]
 .lacmta.net  =  DOMAIN.COM
 lacmta.net =  DOMAIN.COM

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   autologin = true
   forward = true
   encrypt = true
 }

3. Once the keytab file is sent by the AD administrator, place it on the OAM servers at /share/oracle/keytab and validate it by executing the below command on the OAM boxes.
kinit -V -k -t /share/oracle/keytab/oam1.keytab HTTP/oam1.domain.com@DOMAIN.COM
This should result in the output "Authenticated to Kerberos v5". In case you are not able to authenticate, debug the issue before proceeding further.
4. Log in to http://oam.domain.com:7001/oamconsole and open the OAM console. Navigate to System Configuration.
5. Navigate to Common Configuration -> Data Sources -> User Identity Store and click on New.
6. Create a data store such that the sAMAccountName from AD matches the username attribute of the store. In my case the sAMAccountName in AD was kumarab, but in OID the cn was m80845kumar and orclsamaccountname was kumarab. So when creating the data store I specified orclsamaccountname as the username attribute (generally we specify cn or uid). Make this user store the default user store.
7. Navigate to Access Manager -> Authentication Modules -> Kerberos Authentication Module -> Kerberos.
8. Fill in the following details.
Name: Kerberos
Key Tab File: /share/oracle/keytab/oam1.keytab
Principal (same as the one given when creating the keytab): HTTP/oam1.domain.com@DOMAIN.COM
KRB Config File: /etc/krb5.conf
9. Now go to Authentication Modules -> protected policies and use the Kerberos scheme as the authentication policy.
10. Add http://oam1.domain.com to the local intranet sites list in your browser and you should be done.
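The kinit validation step above only tells you whether the keytab works as a whole; when it fails, the next thing to check is which principal, KVNO and encryption type the file actually contains. The following Python is an added example (not from the original post) that parses an MIT-format keytab such as ktpass produces and lists those fields per entry. The keytab bytes are constructed here with dummy key material, and only the three enctype names listed are mapped.

```python
import struct
# RFC 3961/4757 enctype numbers; 23 is the RC4-HMAC type that ktpass defaults to.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _read_cs(buf, pos):
    """Read a uint16-length-prefixed octet string; return (bytes, next_pos)."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into [{principal, kvno, enctype}, ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        if size < 0:                          # negative size marks a deleted slot
            pos += 4 - size
            continue
        p, end = pos + 4, pos + 4 + size
        ncomp = struct.unpack_from(">H", data, p)[0]
        realm, p = _read_cs(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_cs(data, p)
            comps.append(comp.decode())
        # name type, timestamp, 8-bit kvno, enctype; then the key as a counted string
        _name_type, _timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, p)
        _key, p = _read_cs(data, p + 11)
        # Newer writers append a 32-bit kvno after the key; when non-zero it wins.
        kvno = (struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def _cs(b):
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno, enctype, key):
    """Serialise one keytab entry; used here only to construct the sample file."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 1400000000, kvno & 0xFF, enctype)  # KRB5_NT_PRINCIPAL
    body += _cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy key bytes, not a real account's key).
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/oam1.domain.com@DOMAIN.COM", 3, 23, bytes(16))
```

Compare the listed principal with the one configured in the Kerberos authentication module, and the KVNO with the current key version of the oam1 account; a mismatch in either is what the two GSS errors in the troubleshooting list below come from.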

Some common issues which I faced:
In most cases OAM gives a generic error saying the user id is locked. Enable the trace32 log level for OAM and you may be able to see more details in the diagnostic logs.

  1. gssheader did not find the right tag. The principal name sent by the browser does not match the principal name in the keytab. For example, the browser may send HTTP/oam2.domain.com whereas the keytab may have been generated for HTTP/oam1.domain.com. To find out which principal is requested, use Windows network tracing (the Microsoft netsh command and the Network Monitor tool on Windows 7) and apply a kerberos filter to view the details. The error in the trace would say "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN". Hence no SPNEGO token is sent; an NTLM token is sent instead. This can be detected from the HTTP Authorization header: NTLM headers are generally one-liners whereas SPNEGO tokens are much bigger than NTLM (definitely more than one line).
  2. The other error is GSSException: Failure unspecified at GSS-API level, which is generally due to a non-matching KVNO (key version number). This can be resolved by regenerating the keytab.
  3. Another issue which I faced was the packet size limit, which was resolved by adding the parameter udp_preference_limit = 1 in krb5.conf.
  4. Another issue is "user not found in datastore". In this case cross-verify the data store configured in OAM and make sure the default user store is the one whose username attribute equals the sAMAccountName from AD.
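Judging the token in issue 1 by header length works, but the decoded token says it directly. As an added example (not from the original post), the Python below classifies a browser's Authorization header by the mechanism OID inside the GSS-API token, and goes beyond the two cases above by also recognising a raw Kerberos token without the SPNEGO wrapper and reporting the NTLM message type. The sample header values are constructed, not captured from a deployment.

```python
import base64
import struct
# Mechanism OIDs in DER form (well-known constants, not taken from the post).
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, index of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_wna_header(header_value):
    """Return 'spnego', 'kerberos', 'ntlm-typeN', 'ntlm-scheme', 'malformed' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm-scheme"         # browser fell back to the NTLM scheme outright
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return "malformed"
    # NTLMSSP messages start with a fixed signature and a little-endian type field.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        return "ntlm-type%d" % struct.unpack_from("<I", token, 8)[0]
    # GSS-API InitialContextToken: [APPLICATION 0] { mech OID, inner token }
    if token[:1] == b"\x60" and len(token) > 2:
        _, pos = _der_length(token, 1)
        if token[pos:pos + 1] == b"\x06" and pos + 1 < len(token):
            oid_len, start = _der_length(token, pos + 1)
            mech = token[start:start + oid_len]
            if mech == SPNEGO_OID:
                return "spnego"
            if mech == KRB5_OID:
                return "kerberos"
    return "unknown"

def _tlv(tag, content):
    """Short-form DER TLV, enough to build the constructed sample tokens."""
    return bytes([tag, len(content)]) + content

# Constructed sample headers (not captured from a real OAM deployment).
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_tlv(0x60, _tlv(0x06, SPNEGO_OID)
    + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, _tlv(0x06, KRB5_OID))))))).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + bytes(16)).decode()
```

Run it over the Authorization header copied from the browser's developer tools or the OHS access trace: an NTLM result with a "Negotiate" scheme is exactly the fallback described in issue 1.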
Sunday, January 26, 2014

OID-AD External Authentication Password Pass through Configuration

The use case which I will be discussing here is that the user data is stored in OID, but for authentication OID authenticates against AD: Microsoft AD stores the password, not OID. This is useful when customers want the password to be kept and managed in a single system, while other applications, such as EBS, want to use OID as their user identity store.
The first step is to configure OID-AD synchronization, discussed here.
The steps to configure OID-AD password pass-through are as follows:

  1. Log in to the OID server.
  2. export CLASSPATH=$ORACLE_HOME/ldap/jlib/oidexcfg.jar:$ORACLE_HOME/ldap/jlib/ldapjclnt11.jar:$CLASSPATH
  3. java -classpath $CLASSPATH oracle.ldap.extplg.oidexcfg -h oidhost -p 3060 -D cn=orcladmin -w XXXXXXXXX -t ad
  4. Transcript of the command in detail:

-----------------------------------------------------------------------
External Authentication Plug-in Configuration against Active Directory
-----------------------------------------------------------------------

Active Directory external authentication plug-in: Disabled
Active Directory host name: host.domain.com
Active Directory port number: 389

Using SSL to connect to Active Directory: No

Failover to backup Active Directory: Disabled

External authentication invocation naming context: cn=users, dc=XXXXX,dc=XXXX
External authentication invocation request group:

Do you want to change the configuration? [y/n]: y

[1] Enable/Disable the Active Directory external authentication plug-ins
[2] Modify the Active Directory host name and port number
[3] Modify the Active Directory SSL configuration
[4] Modify the Active Directory failover configuration
[5] Modify the invocation naming context or request group
[6] Show the configuration changes
[7] Save the configuration changes and quit
[8] Quit without saving the changes

2 – Modify AD Host / Port #

Please enter 1, 2, 3, 4, 5, 6, 7, or 8: 2
Please enter host name: ADHost
Please enter port number: 389

[1] Enable/Disable the Active Directory external authentication plug-ins
[2] Modify the Active Directory host name and port number
[3] Modify the Active Directory SSL configuration
[4] Modify the Active Directory failover configuration
[5] Modify the invocation naming context or request group
[6] Show the configuration changes
[7] Save the configuration changes and quit
[8] Quit without saving the changes

Please enter 1, 2, 3, 4, 5, 6, 7, or 8: 4
Do you want to enable failover to backup Active Directory? [y/n]: y
Please enter backup host name: ADBackupHost
Please enter backup port number: 389
Do you want to use SSL to connect to backup Active Directory? [y/n]: n

[1] Enable/Disable the Active Directory external authentication plug-ins
[2] Modify the Active Directory host name and port number
[3] Modify the Active Directory SSL configuration
[4] Modify the Active Directory failover configuration
[5] Modify the invocation naming context or request group
[6] Show the configuration changes
[7] Save the configuration changes and quit
[8] Quit without saving the changes

Please enter 1, 2, 3, 4, 5, 6, 7, or 8: 5
Please enter invocation naming context: cn=OracleUsers,cn=Users,dc=XXXXX,dc=XXXX
Please enter request group:
[Hit Enter] – No request group

[1] Enable/Disable the Active Directory external authentication plug-ins
[2] Modify the Active Directory host name and port number
[3] Modify the Active Directory SSL configuration
[4] Modify the Active Directory failover configuration
[5] Modify the invocation naming context or request group
[6] Show the configuration changes
[7] Save the configuration changes and quit
[8] Quit without saving the changes

Please enter 1, 2, 3, 4, 5, 6, 7, or 8: 1
Please enter 0 to disable or enter 1 to enable [0/1]: 1

.... External authentication plug-ins will be enabled.

[1] Enable/Disable the Active Directory external authentication plug-ins
[2] Modify the Active Directory host name and port number
[3] Modify the Active Directory SSL configuration
[4] Modify the Active Directory failover configuration
[5] Modify the invocation naming context or request group
[6] Show the configuration changes
[7] Save the configuration changes and quit
[8] Quit without saving the changes

Please enter 1, 2, 3, 4, 5, 6, 7, or 8: 7

Exit from external authentication plug-in configuration tool...

Test using ldapbind: bind with an OID user ID and the corresponding AD network password.