After a long gap I'm starting to write blogs, and I'm feeling for that.
Today I faced a login issue in a WNA setup environment.
The requirement was that the user log in via WNA fallback authentication and access the OAM WNA-protected resources, but the login request landed on the error page “Account locked or disabled”.
From the oam-server1.out logs:
Note: If you do not see the entries below, enable the Kerberos trace level.
<Jul 21, 2015 6:27:52 PM AEST> <Error> <oracle.oam.plugin> <BEA-000000> <Defective token detected (Mechanism level: GSSHeader did not find the right tag)
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at oracle.security.am.plugin.authn.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:139)
at javax.security.auth.Subject.doAs(Subject.java:394)
at oracle.security.am.plugin.authn.SPNEGOLoginModule.login(SPNEGOLoginModule.java:124)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
This error normally means that the Microsoft IE browser on the client machine is sending something other than a Kerberos or NTLM token.
OAM only accepts Kerberos or NTLM tokens for now.
We noticed the browser was sending the following token when accessing from within the company network domain.
It keeps sending a similar “Authorization: Negotiate” string over and over.
This is not a standard NTLM value, as normally when we review the headers we would expect to see either:
Authorization: Negotiate TlRMTVNTUAABAAA…. (NTLM)
Authorization: Negotiate YIIGeAYGK…(Kerberos)
This will still not work for OAM WNA fallback, since the token received by the OAM Server is NOT an NTLM token, but appears to be more closely related to a NEGOEXTS token, which Windows 7 clients sometimes send.
So, the token was not sent correctly by the browser to OAM server.
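To tell which kind of token a captured header carries, the check described above can be scripted. This is an added example, not Oracle's or the author's code; the category names and the constructed sample tokens are assumptions made for illustration, and the token is only inspected, never validated.

```python
import base64
import binascii

NTLMSSP = b"NTLMSSP\x00"                               # NTLM message signature
NEGOEX_SIG = b"NEGOEXTS"                               # NegoEx message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2

def gss_mech_oid(raw):
    """Return the DER-encoded mechanism OID behind the 0x60 GSS-API tag, or None."""
    if len(raw) < 2 or raw[0] != 0x60:
        return None
    # Skip the DER length: one byte, or 0x8N followed by N length bytes.
    pos = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
    if len(raw) < pos + 2 or raw[pos] != 0x06:
        return None
    return raw[pos:pos + 2 + raw[pos + 1]]

def classify_negotiate(header):
    """Classify the token carried by an 'Authorization: Negotiate ...' header."""
    value = header.strip()
    if value.lower().startswith("authorization:"):
        value = value.split(":", 1)[1].strip()
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    token = token.strip()
    if not token:
        return "empty"
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if raw.startswith(NTLMSSP):
        return "ntlm"
    if NEGOEX_SIG in raw:          # checked before the GSS header: NegoEx rides inside it
        return "negoex"
    oid = gss_mech_oid(raw)
    if oid == SPNEGO_OID:
        return "gss-spnego"        # the "YIIG..." form the post labels Kerberos
    if oid == KRB5_OID:
        return "gss-kerberos"
    return "unknown"

def sample(raw):
    """Build a header from constructed token bytes (not a captured token)."""
    return "Authorization: Negotiate " + base64.b64encode(raw).decode()

if __name__ == "__main__":
    for raw in (NTLMSSP + bytes([1, 0, 0, 0]) + bytes(24),
                bytes.fromhex("60820678") + SPNEGO_OID + bytes(16),
                bytes.fromhex("6040") + SPNEGO_OID + NEGOEX_SIG + bytes(16)):
        print(classify_negotiate(sample(raw)))
```

Paste the header value from a browser trace or proxy log into classify_negotiate(); a result of "negoex" or "unknown" matches the situation described in this post.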
On the UNIX host, use kinit on your user account and use klist to verify whether you have a ticket for the HTTP/DOMAIN.NAME@REALM.NAME principal.
In our case we encountered the exception below:
kinit(v5): Client not found in Kerberos database while getting initial credentials
We found a DNS issue with the OAM application hostname. The OAM VIP hostname was resolving to a different hostname, and the keytab had been created for the VIP hostname rather than the hostname DNS actually resolved to. The frontend hostname is critical, especially when creating a keytab.
We regenerated the keytab for the hostname that DNS resolves to, as follows:
ktpass -princ HTTP/DOMAIN.NAME@REALM.NAME -mapuser aurdev\srv-oam-iap1 -pass <Password> -out master.keytab -kvno 0
Copy the new keytab into <Oracle Home>/server/config/ and restart OAM server.
Hope the above information helps you resolve the issue.
I started this blog 9 years back with first post as How to become Oracle Apps DBA (back then it was 11i) and with 225 comments, this is still the most common question I get in mail or on this blog.
We are starting our new batch for Oracle Apps DBA training (R12.2) from August 8, 2015 and first thing we cover is Architecture of Oracle E-Business Suite. If you are learning (getting trained) on Oracle E-Business Suite on your own then first thing you should learn is Architecture of Oracle Apps.
As shown below, Oracle E-Business Suite has a three-tier architecture:
a) Database Tier : With Oracle Database where data resides
b) Application Tier : With Application & Web Server where business logic resides
c) Client Tier : browser-based client from which the end user accesses the application
Note: Till Oracle E-Business Suite R12.1 (prior versions include 12.0 & 11i), Application Tier uses 10g Application Server (or 9 for some versions of 11i). From Oracle E-Business Suite 12.2 onwards Application Tier is deployed on Oracle WebLogic Server as application Server.
You can get more information on the architecture of Oracle E-Business Suite in the Concepts Guide, or learn it from our expert team by registering for Oracle Apps DBA Training (starting on 8th August), where Day 1 covers Architecture and File System:
- Architecture of R12.2
- Changes in Oracle Apps from previous version
- Requirement/Hardware Sizing Guidelines
- File System Overview
- Benefit of New Architecture
- File System including Changes from previous version
- Provide one working instance of R12.2 to the Trainee with Front end and backend access
- Get comfortable with the Terminology/File system/Environment Variables
- Understand the Architecture via Navigation
Get 200 USD off by registering before 20th July and use code A2OFF at time of checkout (We limit seats per batch to register early to avoid disappointment).
The post How to become/learn Oracle Apps DBA R12.2 : Part I appeared first on Oracle : Design, Implement & Maintain.
- All the Freshers, Newbies or may be who want to enter Oracle Applications Area.
- Who is into Core DBA from years and want new technology to learn.
For further details check
The post Learn Oracle Apps DBA (R12) with us:Training Starts on 8th of August appeared first on Oracle : Design, Implement & Maintain.
This post covers the procedure to install the Java Development Kit (JDK) on 64-bit RPM-based Linux platforms, such as Red Hat and SuSE, using an RPM. This post is from our Oracle Fusion Middleware (FMW) or Oracle Access Manager (OAM) training, where we provide a dedicated machine to trainees to practice, but you can follow it if you need to install a similar setup on your local machine (we use Oracle VirtualBox with Oracle Linux 5.5).
You must be logged in as the root user to perform this installation (the assumption is that you are installing the JDK on 64-bit Linux).
1. Download the JDK software from here (jdk-7u60-linux-x64.rpm)
2. The installation process should be carried out with the “root” user.
su - root
when prompted for password, enter the root password.
3. Navigate to the directory where your JDK software is downloaded
4. Install the package using the command : rpm -ivh <package_name>
rpm -ivh jdk-7u60-linux-x64.rpm
Note: This step will install JDK 1.7 under /usr/java/jdk1.7.0_60
5. To verify the version of java, navigate to the directory /usr/java/jdk1.7.0_60/bin and check javac and java versions. The version should be the latest installed JDK version.
Note: By default the JDK is installed under the directory /usr/java/jdk1.7.0_60
6. Delete the .rpm file if you want to save disk space.
7. Exit the root shell. No need to reboot.
If you are part of our training program and have not yet registered for closed Facebook Group then send request and post any technical queries.
The post Installation steps of JDK 7 for Linux for Oracle Fusion Middleware appeared first on Oracle : Design, Implement & Maintain.
This post comes from our Oracle Fusion Middleware Training, where we cover Oracle WebLogic Server on Day 1. One of the performance issues commonly encountered in poorly written applications (or on not so performant Fusion Middleware infrastructure) is stuck threads.
A stuck thread in WebLogic Server is a thread that has been working on the same request for a very long time, longer than the configurable Stuck Thread Max Time in WebLogic.
Thread dumps are diagnosis information that is used to analyse and troubleshoot performance related issues such as server hangs, deadlocks, slow running, idle or stuck applications etc.
How to generate Thread dumps?
In this post, I will walk you through the steps to generate Thread dumps of a server using operating system (O.S.) commands.
1. Start the server from the command line script (using nohup). Let us take a managed server as the example for which we need to generate thread dumps, so start the server using the script as shown below.
nohup ./startManagedWebLogic.sh <Server_name> &
2. Now identify the PID (Java process ID) of the managed server using the command below:
ps auxwww | grep -i java | grep -i <server_name> (This command is for Solaris)
3. Now run the below command to create the thread dump.
kill -3 <PID>
(This will send a signal to the process whose dump we require. This signal causes the Java Virtual Machine to generate a stack trace of the process.)
This command will create thread dump in the nohup.out file (where we started the managed server)
4. Open the nohup.out file to see generated thread dumps:
- How To Take Thread Dumps With WLST (Doc ID 1274713.1)
- How to get java thread dump (stack trace) of an application deployed in Weblogic? (Doc ID 1468660.1)
The post WebLogic Server (FMW) : Generating Thread Dumps using OS commands appeared first on Oracle : Design, Implement & Maintain.
I had convinced myself the Apple Watch was an overpriced fitness band and that it wasn’t for me and was set to get a Garmin to track my running instead. Then out of the blue I was given an Apple Watch. So you can certainly put me down as a cynic, but I certainly like to think I am open minded, so here are my thoughts after a week with the watch.
The experience of getting it set up was surprisingly frustrating, I had to upgrade my phone to iOS 8 before I could activate the watch and that meant deleting things to free a few Gb of memory (to upgrade my Operating System, really?). So everything had to wait until after I got home and backed up my phone.
First I got this rather cool visual on my watch to scan with the phone and then it was paired and I got this screen telling me the model that I had bought. OK so I still could not get the time from this watch and I have had the thing all day, I’m getting a little impatient at this point.
After waiting about 5 minutes for it to synch, suddenly a load of my apps, including my email, texts, calendar, twitter, fitness apps and more are available on my watch. This is about to get interesting.
The first thing I noticed is that it is actually really easy to read and see at a glance the notifications that are sent to your watch, such as Calendar reminders, text messages and Oracle Social Network updates (glad to see we are quick to the new platform with our own mobile apps). This is good for me, I get a lot of these alerts and I found a glance at my wrist was much nicer than pulling out my phone and unlocking it and staring at it. This sounds like a very small thing, but it is these small improvements in frequent interactions that make for a great user experience. I also agree with Jeremy Ashley about the huge value in being able to retain eye contact, notifications on my watch are far less obtrusive and the glance at my wrist is a great experience.
So I wanted to try using it for some different things so I decided to test out text messages first, a quick SMS to respond to my wife’s text ‘ETA?’ to let her know what time I am planning to get home.
So I tap once on that nice Reply button
I can now either pick from a set of pre-defined responses and they would be sent without any other interaction from me. However I like the personal touch, this is my wife after all, so I decide I will click on the microphone icon to dictate a response. I speak in my answer and see the sound wave at the bottom and the text comes up perfectly first time.
So now I click done and get a really option to either send the audio or to just tap on the text and send that. This is a great feature if maybe the voice to text didn’t work properly and I don’t want to waste time correcting it or speaking it again.
After tapping on the text I am now done. The whole interaction was very fast and felt very natural. At this point I am really starting to like the Apple Watch. In the next few days I try driving directions, twitter, my calendar, a variety of fitness apps and more and pretty much across the board I find the interactions are natural and quick and the fact I have to pull out my phone less is a much bigger deal than I expected. I find I can glance down at my watch see a text or meeting reminder and carry on a conversation in a way that was not really possible if I had to pull my phone out. The one app I haven’t yet mentioned is the time, I haven’t worn a watch for over 10 years and I have realized in the last week it’s much easier to glance at my wrist than to pull out my phone – who knew?
Whenever a patch request comes in, the first and foremost thing an Oracle Apps DBA has to do is check whether the patch already exists in the system. We can query ad_bugs: log in to sqlplus as the apps user and run the command below.
SQL> select bug_number, creation_date from apps.ad_bugs where bug_number in ('&bug_number');
Enter the patch number and if you see any rows, it means the patch is in the system already and you can go ahead and tell the business that patch already exists. You will see something like this.
But if you see no rows returned, then you have to set the ball rolling. Now you will have to perform the patch analysis of requested patch.
The next step is to log in to Oracle Support with your credentials and open the README of the patch. There will be a pre-requisite section stating whether any prerequisite patch has to be applied first. If you see a prerequisite, you have to open the README of that patch and check its prerequisites, and this process goes on until there is no prerequisite left.
From my personal experience I would suggest to prepare a template like below to do the analysis of the patch.
Now let's understand the example given above: the main patch requested is 123456, this patch has a pre-requisite 67890, 67890 has a pre-requisite 8585858, and that has a pre-requisite 8686868.
So to apply the main patch we have to
a) First apply 8686868 and
b) Then 8585858 and
c) Then 67890 and then the main patch.
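The ordering above can be computed from the prerequisites collected out of each README. This is an added example, not part of the original post or of any Oracle tool; the function name, the dictionary layout and the rule that a patch already found in ad_bugs is skipped along with its own prerequisites are assumptions. It generalizes the single chain above to patches with several prerequisites.

```python
def apply_order(requested, prereqs, applied=frozenset()):
    """Return patches in the order to apply them, prerequisites first.

    prereqs maps a patch number to the prerequisites listed in its README;
    applied holds patches already found in ad_bugs, which are skipped together
    with their own prerequisite chain (assumption: they were applied earlier).
    """
    order, in_progress = [], set()

    def visit(patch):
        if patch in applied or patch in order:
            return
        if patch in in_progress:
            raise ValueError(f"prerequisite cycle involving patch {patch}")
        in_progress.add(patch)
        for dep in prereqs.get(patch, ()):
            visit(dep)
        in_progress.discard(patch)
        order.append(patch)

    visit(requested)
    return order


# Prerequisite chain from the example above.
README_PREREQS = {"123456": ["67890"], "67890": ["8585858"], "8585858": ["8686868"]}

if __name__ == "__main__":
    print(apply_order("123456", README_PREREQS))
```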
So now you will send this analysis back to your business and you will request for the downtime. Now downtime is calculated on the basis of your experience.
I assume that you have received the confirmation from the business to apply the patch. Download the patch into your patch top directory and unzip the file. After unzipping you will see a driver file like u123456.drv. When you run adpatch (in 12.1) from this location, it will ask you for the name of the driver file and you have to give u123456.drv.
Now something about file systems. There are basically two types:
1) Shared file systems
2) Distributed file systems
In my environment, I have shared file system and there are multiple web nodes. So in case of shared file system patches have to be applied on one node only since it is shared file system.
So let us assume that we have 3 application nodes and Non RAC DB server and also the patch is available only in American English and there are no other languages installed on the application.
Steps for patching (EBS 12.1) would be
- Shut down the application on all the 3 nodes by logging into each node separately.
- From adadmin put the application into maintenance mode
- Take the count of invalids by logging to sql plus with apps user
- Use adpatch to apply patches to the application.
- Again check the count of invalid objects in database and compare with pre-patch application invalid count.
- From adadmin disable the maintenance mode
- Start the application on all the 3 nodes
Please don’t forget that for any operation to take place in the app, DB has to be up and running.
Please note that before doing any kind of patching activity, ask the unix team to perform the backup of the file systems because we can’t roll back the patch applied using adpatch
We will discuss more about patching in my next blog. If you have any comments or queries, post them here.
We announced OAM Training on 4th of July (only 3 seats left) and since our announcement a lot of you asked what integration we are going to cover. Looking at the kind of queries we received, I thought it's worth posting here. We are going to cover
- Oracle E-Business Suite (R12 – 12.1) integration with Oracle Access Manager
- Microsoft Active Directory (AD)/Windows Native Authentication (WNA) integration with Oracle Access Manager (OAM) for Zero Single Sign-On.
Register here for Oracle Access Manager Training (100 USD off if you register before 1st July, last 3 seats before we close registration)
The post OAM Training (4th July) : EBS & AD Integration : 11gR2 PS3 Launch appeared first on Oracle : Design, Implement & Maintain.
If you subscribed to our blog onlineAppsDBA (using RSS feed) prior to April 2015 then from today you will receive email for new posts via new/better email service provider.
Emails for new post will come from email ID contactus[@]k21technologies.com and subject as [New Post] … and will look like image above.
Note: Ensure that you add the email address contactus[@]k21technologies.com to your safe sender list.
1. Permissions were correct on directories:
chmod go-w $HOME/
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/id_rsa
chmod 644 $HOME/.ssh/id_rsa.pub
chmod 644 $HOME/.ssh/known_hosts
2. Keys were correctly placed
However, it still asked for password, whenever SFTP connection was done:
Using username "sftpuser".
Authenticating with public key "rsa-key-20150214"
Server refused public-key signature despite accepting key!
Using keyboard-interactive authentication.
Password:
I tried various things, none worked and I eventually went back to my notes for SFTP troubleshooting:
1. Correct Permissions
chmod go-w $HOME/
chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/id_rsa
chmod 644 $HOME/.ssh/id_rsa.pub
chmod 644 $HOME/.ssh/known_hosts
2. Make sure the owner:group on the directories and files is correct:
ls -ld $HOME/
ls -ld $HOME/.ssh
ls -ltr $HOME/.ssh
3. Login as root
chown user:group $HOME
chown user:group $HOME/.ssh
chown user:group $HOME/.ssh/authorized_keys
chown user:group $HOME/.ssh/id_rsa
chown user:group $HOME/.ssh/id_rsa.pub
chown user:group $HOME/.ssh/known_hosts
4. Check for user entries in /etc/passwd and /etc/shadow
5. grep user /etc/shadow
When I did the 5th step, I found that /etc/shadow entry for the user didn't exist. So I did these steps:
chmod 600 /etc/shadow
vi /etc/shadow
Insert this new line at the end:
sftpuser:UP:::::::
Save the file
chmod 400 /etc/shadow
It started working after that.
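The checklist above (permissions, ownership, passwd and shadow entries) can be run as one audit. This is an added example, not the author's script; the function names are hypothetical, and the passwd and shadow paths are parameters so the check can run against constructed copies, since reading the real /etc/shadow needs root.

```python
import os
import tempfile

# Most permissive mode the checklist allows, keyed by path relative to $HOME.
MAX_MODE = {".": 0o755, ".ssh": 0o700, ".ssh/authorized_keys": 0o600,
            ".ssh/id_rsa": 0o600, ".ssh/id_rsa.pub": 0o644, ".ssh/known_hosts": 0o644}

def entry(db_path, user):
    """Return the colon-separated fields of user's line in a passwd/shadow file."""
    with open(db_path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if fields[0] == user:
                return fields
    return None

def audit(user, home, passwd_path, shadow_path):
    """Run checklist steps 1-5 and return a list of findings (empty means clean)."""
    findings = []
    pw = entry(passwd_path, user)
    if pw is None:
        findings.append("no passwd entry")
    if entry(shadow_path, user) is None:
        findings.append("no shadow entry")
    for rel, max_mode in MAX_MODE.items():
        path = os.path.normpath(os.path.join(home, rel))
        if not os.path.exists(path):
            continue                   # e.g. no private key on the server side
        st = os.stat(path)
        mode = st.st_mode & 0o777
        if mode & ~max_mode:
            findings.append(f"{rel}: mode {mode:o} is looser than {max_mode:o}")
        if pw is not None and st.st_uid != int(pw[2]):
            findings.append(f"{rel}: owned by uid {st.st_uid}, expected {pw[2]}")
    return findings

def constructed_account(user="sftpuser"):
    """Create a throwaway home plus passwd/shadow files; the shadow file lacks user."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, user)
    os.makedirs(os.path.join(home, ".ssh"))
    keys = os.path.join(home, ".ssh", "authorized_keys")
    open(keys, "w").close()
    for path, mode in ((home, 0o755), (os.path.dirname(keys), 0o700), (keys, 0o600)):
        os.chmod(path, mode)
    passwd, shadow = os.path.join(root, "passwd"), os.path.join(root, "shadow")
    with open(passwd, "w") as fh:      # constructed entries, not real accounts
        fh.write(f"{user}:x:{os.getuid()}:{os.getgid()}::{home}:/bin/sh\n")
    with open(shadow, "w") as fh:
        fh.write("root:NP:::::::\n")
    return home, passwd, shadow

if __name__ == "__main__":
    print(audit("sftpuser", *constructed_account()))
```

On the constructed account the audit reports only the missing shadow entry, which is the condition this post ran into with permissions and ownership already correct.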