Fun Times Integrating SharePoint with Oracle Entitlements Server (Part One)

These are the battle scars we talk about.  We gladly take them in the interest of learning and getting better.

A few months ago I began a proof-of-concept effort to use OES 11gR2 as a fine grained policy decision point for Microsoft Office SharePoint (MOSS) 2010.  Site or page level authorization simply doesn’t cut it in a need-to-share dynamic content environment.  Going fine grained allows for content inspection at the time of the resource request.  Using this fine grained PEP/PDP approach, content may be blocked/redacted by OES.  In the case of MOSS this content includes web parts, documents, words, or any tagged data.

First off, the setup.  I used Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances.  One server is a dedicated OES 11gR2 server running 64-bit Red Hat Enterprise Linux (RHEL) 6 dot whatever.  The second server is a vanilla install of SharePoint on Server 2010.  This was my first time working hands-on with AWS.

This Part One blog entry deals with the OES server install, which was relatively painless.  Thus, I won’t go into too much detail since the existing Oracle documentation gets most of the job done.  If there happens to be any confusion over the steps I’ve glossed over then I will gladly update the blog to include more detail.  Again, this Part 1 covers the server setup in AWS, and installation of the basic Oracle stuff without getting into the MOSS PDP configuration.  Part Two is the reason for writing about this stuff; it covers the OES/MOSS server side configuration and MOSS client side install and it is a mess!

The OES Install (11gR2 11.1.2.1.0)

Make a server

I created an AWS EC2 m1.small instance running 64-bit RHEL 6.4.  The default boot disk size is 7 GB.

Get the keys

Download the instance-specific keypair in PEM format. This keypair is required in order to SSH into the server. This was done on my personal laptop, but it’s still worth changing the permissions on any and all keys to r/w only by the owner (chmod 600 key.pem). If you want to use PuTTY to SSH to the server, you’ll need to convert the keypair to PPK format.  I used SSH from my Ubuntu terminal, which requires no change of key format, but should you want to use PuTTY:

On Ubuntu:

$ sudo apt-get install putty-tools
$ puttygen key.pem -o oes1112.ppk -P -C "oes server key"
Enter passphrase to save key:
Re-enter passphrase to verify:

Then log in using this method: http://www.howtoforge.com/ssh_key_based_logins_putty_p3

Add disk space

I created and attached a 20 GB Elastic Block Store (EBS) volume to contain any software we put on this server.  There is plenty of documentation out there for how to do this.  Basically just create the EBS volume, then mount it from the EC2 instance.

Get on the server

To get the URL from the AWS Web console, go to Services -> EC2 -> Instances -> find the “Name” for your instance.

sudo ssh -v -X -i [path to *.pem] root@ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com 

Download and install WebLogic

This is pretty straightforward.  The package is “” and I installed as oracle:oinstall

  • Oracle WebLogic Server 11gR1 (10.3.6) Generic and Coherence: V29856-01

Download and install Oracle Identity and Access Management bits

Get the following, unpackage, and install OES.  I did this all on the mounted 20gb EBS volume.  The files you need are:

  • Oracle Identity and Access Management 11g (11.1.2.1.0) (Part 1 of 2): V37472-01 Part 1 of 2
  • Oracle Identity and Access Management 11g (11.1.2.1.0) (Part 2 of 2): V37472-01 Part 2 of 2

Bang head on desk and wonder, “How to get a GUI (X display) to a non-root account?”  EC2 RHEL instances don’t support a desktop display from all I can tell.  But the installer kicks off into a GUI.  So I need to export a window, which is easy enough as root but wouldn’t work under any other account. I’m installing this software as oracle. You’ll see something like this:

[root@oes1112 ~]# su - oracle
[oracle@oes1112 ~]$ xclock &
[1] 28680
[oracle@oes1112 ~]$ debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 45610
debug1: channel 1: new [x11]
debug1: confirm x11
X11 connection rejected because of wrong authentication.
debug1: channel 1: free: x11, nchannels 2
Error: Can't open display: localhost:10.0

Here’s what to do:

[root@remoteHost]$ xauth extract - :`echo $DISPLAY | awk -F: '{print $2}'` | sudo su - oracle -c "/usr/bin/xauth merge -"

Test it out:

xclock

The GUI install is straightforward.  Just write down everything you configure.

Attempt to run Oracle Repository Creation Utility (RCU)

Package is:

  • Oracle Fusion Middleware Repository Creation Utility 11g (11.1.2.1.0) for Linux x86: V37476-01

Bang head on desk and learn. This simply wouldn’t run on RHEL.  Try this, which I assume would work for most: http://idmrockstar.com/blog/2012/11/rcu-utility-for-11gr2-fails-libxtst-so-6-cannot-open-shared-object-file/

However, I got the error below, which basically means that the OS thinks it’s fine with the existing x86_64 version and doesn’t want the i686 version packaged with RCU:

“Error: Protected multilib versions”

Here’s what worked:

yum update --setopt=protected_multilib=false --skip-broken

yum install --skip-broken libXtst.i686*

yum install --skip-broken libXext.i686*

Let’s pause and talk about configuration settings

When working with new software, I routinely scour the Internet for documentation of other people’s configuration settings, and I find it incredibly helpful.  More so with the Oracle stuff than any other software I’ve used, you will need to come back to these settings constantly.  Document it well and save yourself a TON of time down the road.

Here’s what I’m working with (a few of these were set later in the install):

Setting / Default / Changed to
Oracle Middleware Home /root/Oracle/Middleware/home/Oracle/Middleware /software/Oracle/Middleware
WebLogic Server /software/Oracle/Middleware/wlserver_10.3
Oracle Coherence /software/Oracle/Middleware/coherence_3.7
Oracle Inventory Directory /home/oracle/oraInventory /software/Oracle/oraInventory
Oracle Home Directory Oracle_IDM1
Domain Name base_domain oes_domain
Domain Location /software/Oracle/Middleware/user_projects/domains
Admin User Name weblogic
Password
ResourceType MossResourceType
Admin URL File c:\oracle\product\11.1.2\as_1\oessm\mosssm\adm\discovery\AdmUrls.txt
OES Policy File C:\Oracle\product\11.1.2\as_1\oes_sm_instances\myMOSSSM stored as objattr1, object1
MOSS Resource File c:\oracle\product\11.1.2\as_1\oessm\mosssm\adm\configtool\moss_config.properties

Database Connection Details

Field / Description / Value
Database Type Oracle Database
Host Name instanceName.vms.domain.com
Port 2115
Service Name orcl (go to oracle box, run lsnrctl status)
Username sys
Password
Role SYSDBA
Connection String jdbc:oracle:thin:@instanceName.vms.domain.com:2115/orcl
Admin Server Listen Port 7001
Admin Server SSL Listen Port 7002 (select Admin Server for option configuration – enable this)
Admin Server URLs http://ip-xx-xxx-xxx-xxx:7001 https://ip-xx-xxx-xxx-xxx:7002
<MW_HOME> /software/Oracle/Middleware/
<IAM_HOME> /software/Oracle/Middleware/Oracle_IDM1/
<domaindir> OES Admin Server Domain /software/Oracle/Middleware/user_projects/domains/oes_domain
<datasource> Domain security store (default opss-DBDS) opss-DBDS
<farmname> Security store farm name (default domain name) oes_domain
<servertype> Policy store type DB_ORACLE

Configure the security store for OES Admin

The command that finally worked for me

/software/Oracle/Middleware/oracle_common/common/bin/wlst.sh /software/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /software/Oracle/Middleware/user_projects/domains/oes_domain -t DB_ORACLE -m create -p password

Be happy when the script concludes with the following:

Info: diagnostic credential created in the credential store.

Info: Create operation has completed successfully.

Attempt to start WebLogic Server and yell at Java many times

Here is where I learn that WebLogic isn’t using the JAVA_HOME defined in the user .bash_profile.

  • Go to ~/wlserver_10.3/common/bin ($WL_HOME/common/bin)
  • In commEnv.sh set JAVA_HOME; but…that didn’t work
  • so then I went to /software/Oracle/Middleware/user_projects/domains/oes_domain/bin
  • In setDomainEnv.sh set JAVA_HOME and comment out all that if statement nonsense regarding the vendor (which would overwrite anything you set about JAVA_HOME)

Set JAVA_HOME….
$ vi ~/.bash_profile
# JAVA_HOME must be the JDK directory itself, not the path to the java binary
$ export JAVA_HOME=/usr/java/jdk1.5.0_07
$ export PATH=$PATH:/usr/java/jdk1.5.0_07/bin
$ . ~/.bash_profile
$ echo $JAVA_HOME

Actually start WebLogic Server

Command to run:

/software/Oracle/Middleware/user_projects/domains/oes_domain/bin/startWebLogic.sh &

 

<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on xx.xxx.xxx.xx for protocols iiops, t3s, ldaps, https.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on fe80:0:0:0:1031:38ff:fe09:cdbe:7002 for protocols iiops, t3s, ldaps, https.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 127.0.0.1:7002 for protocols iiops, t3s, ldaps, https.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[3]" is now listening on 0:0:0:0:0:0:0:1:7002 for protocols iiops, t3s, ldaps, https.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on fe80:0:0:0:1031:38ff:fe09:cdbe:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 0:0:0:0:0:0:0:1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on xx.xxx.xxx.xx:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "oes_domain" running in Development Mode> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING> 
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode> 

Confirm that WebLogic Server is running:

netstat -lntp
tcp        0      0 fe80::1031:38ff:fe09:c:7001 :::*                     LISTEN      3687/java
tcp        0      0 ::1:7001                    :::*                     LISTEN      3687/java
tcp        0      0 ::ffff:xx.xxx.xxx.xx:7001   :::*                     LISTEN      3687/java
tcp        0      0 ::ffff:127.0.0.1:7001       :::*                     LISTEN      3687/java
tcp        0      0 fe80::1031:38ff:fe09:c:7002 :::*                     LISTEN      3687/java
tcp        0      0 ::ffff:xx.xxx.xxx.xx:7002   :::*                     LISTEN      3687/java
tcp        0      0 ::1:7002                    :::*                     LISTEN      3687/java
tcp        0      0 ::ffff:127.0.0.1:7002       :::*                     LISTEN      3687/java
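
The startup output above shows the cleartext "Default" channel (iiop, t3, ldap, snmp, http) bound to the instance's external address, on an Admin Server running in Development Mode. As an added example (not part of the original post), this sketch reads BEA-002613 lines and reports cleartext channels on non-loopback addresses; the function names are hypothetical and the sample log is constructed, with 192.0.2.10 standing in for the redacted IP.

```python
import ipaddress
import re

# Constructed sample modeled on the startup output above; 192.0.2.10 is a
# documentation address standing in for the redacted public IP.
SAMPLE_LOG = '''\
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.0.2.10:7002 for protocols iiops, t3s, ldaps, https.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 0:0:0:0:0:0:0:1:7001 for protocols iiop, t3, ldap, snmp, http.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 192.0.2.10:7001 for protocols iiop, t3, ldap, snmp, http.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "oes_domain" running in Development Mode>
'''

# Protocol names from the log that carry no transport encryption.
CLEARTEXT = {"iiop", "t3", "ldap", "snmp", "http"}

# The port is whatever follows the last colon, so IPv6 addresses parse too.
CHANNEL = re.compile(
    r'<BEA-002613> <Channel "([^"]+)" is now listening on (\S+):(\d+) for protocols ([^>]+?)\.>')


def audit_listeners(log_text):
    """Return (channel, address, port, cleartext protocols) for every
    channel that offers a cleartext protocol on a non-loopback address."""
    findings = []
    for name, addr, port, protos in CHANNEL.findall(log_text):
        exposed = sorted(CLEARTEXT & {p.strip() for p in protos.split(",")})
        if exposed and not ipaddress.ip_address(addr).is_loopback:
            findings.append((name, addr, int(port), exposed))
    return findings


def development_mode(log_text):
    """True when the BEA-000331 banner reports Development Mode."""
    return "running in Development Mode" in log_text
```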

Update iptables to allow for external access

Until this was done, I could only access the server from localhost.  Open access to WebLogic ports 7001 and 7002 (per install configuration) and insert lines ahead of the final reject rule (for icmp-host-prohibited).

iptables -n -L -v --line-numbers

5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7001
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7002

iptables -I INPUT 5 -p tcp --dport 7001 -j ACCEPT

iptables -I INPUT 6 -p tcp --dport 7002 -j ACCEPT

But, that stuff didn’t seem to stick…so I just wrote directly to /etc/sysconfig/iptables as root

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [73286:15030158]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7001 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7002 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
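
The 7001 and 7002 rules above accept connections from any source, and 7001 is the cleartext admin channel. As an added example (not part of the original post), this sketch flags ACCEPT rules on watched ports that carry no source match and rewrites a rule with one; the function names are hypothetical, the sample rules are constructed, and 198.51.100.0/24 is a documentation range standing in for your own admin network.

```python
import shlex

# Constructed sample: rules in the format shown above, with one hypothetical
# rule already restricted to a documentation range (198.51.100.0/24).
SAMPLE_RULES = '''\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7001 -j ACCEPT
-A RH-Firewall-1-INPUT -s 198.51.100.0/24 -p tcp -m state --state NEW -m tcp --dport 7002 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
'''


def option(tokens, *names):
    """Return the argument that follows the first of the given option names."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def world_open_ports(rules_text, watched=(7001, 7002)):
    """List watched ports accepted from any source.
    Only single-port --dport matches are handled (no ranges or multiport)."""
    hits = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue
        if option(tokens, "-j", "--jump") != "ACCEPT":
            continue
        dport = option(tokens, "--dport", "--destination-port")
        source = option(tokens, "-s", "--source")
        if dport and dport.isdigit() and int(dport) in watched \
                and source in (None, "0.0.0.0/0"):
            hits.append(int(dport))
    return hits


def restrict(rule, cidr):
    """Return the rule with a source match inserted after the chain name."""
    tokens = shlex.split(rule)
    return " ".join(tokens[:2] + ["-s", cidr] + tokens[2:])
```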

Restart iptables and you’re golden.  You can now log in to:

Fusion Middleware: https://ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com:7002/

OES: https://ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com:7002/apm/faces/SignIn.jspx

 

Thanks for reading.  Hopefully this saves you some headaches.  Part 2 to come.

~tim (@orrtuber)
