These are the battle scars we talk about. We gladly take them in the interest of learning and getting better.
A few months ago I began a proof-of-concept effort to use OES 11gR2 as a fine grained policy decision point for Microsoft Office SharePoint (MOSS) 2010. Site or page level authorization simply doesn’t cut it in a need-to-share dynamic content environment. Going fine grained allows for content inspection at the time of the resource request. Using this fine grained PEP/PDP approach, content may be blocked/redacted by OES. In the case of MOSS this content includes web parts, documents, words, or any tagged data.
First off, the setup. I used Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances. One server is a dedicated OES 11gR2 server running 64-bit Red Hat Enterprise Linux (RHEL) 6 dot whatever. The second server is a vanilla install of SharePoint 2010 on Windows Server. This was my first time working hands on with AWS.
This Part One blog entry deals with the OES server install, which was relatively painless. Thus, I won’t go into too much detail since the existing Oracle documentation gets most of the job done. If there happens to be any confusion over the steps I’ve glossed over then I will gladly update the blog to include more detail. Again, this Part 1 covers the server setup in AWS, and installation of the basic Oracle stuff without getting into the MOSS PDP configuration. Part Two is the reason for writing about this stuff; it covers the OES/MOSS server side configuration and MOSS client side install and it is a mess!
The OES Install (11gR2 11.1.2.1.0)
Make a server
I created an AWS EC2 m1.small instance running 64-bit RHEL 6.4. The default boot disk size is 7 GB.
Get the keys
Download the instance-specific keypair in PEM format. This keypair is required in order to SSH into the server. This was done on my personal laptop, but it’s still worth restricting the permissions on any and all keys to read/write by the owner only (chmod 600 key.pem); OpenSSH refuses to use a private key that other users can read. If you want to use PuTTY to SSH to the server, you’ll need to convert the keypair to PPK format. I used SSH from my Ubuntu terminal, which requires no change of key format, but should you want to use PuTTY:
On Ubuntu:
$ sudo apt-get install putty-tools
$ puttygen key.pem -o oes1112.ppk -P -C "oes server key"
Enter passphrase to save key:
Re-enter passphrase to verify:
Then log in using this method: http://www.howtoforge.com/ssh_key_based_logins_putty_p3
Add disk space
I created and attached a 20 GB Elastic Block Store (EBS) volume to contain any software we put on this server. There is plenty of documentation out there for how to do this. Basically just create the EBS volume, then mount it from the EC2 instance.
Get on the server
To get the public DNS name from the AWS web console, go to Services -> EC2 -> Instances and find your instance by its “Name”.
ssh -v -X -i [path to *.pem] root@ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com
(-X requests X11 forwarding, which the GUI installer needs later; -v is what produces the X11 channel debug output shown further down.)
Download and install WebLogic
This is pretty straightforward. The package is listed below, and I installed it as oracle:oinstall:
- Oracle WebLogic Server 11gR1 (10.3.6) Generic and Coherence: V29856-01
Download and install Oracle Identity and Access Management bits
Get the following, unpack, and install OES. I did this all on the mounted 20 GB EBS volume. The files you need are:
- Oracle Identity and Access Management 11g (11.1.2.1.0) (Part 1 of 2): V37472-01 Part 1 of 2
- Oracle Identity and Access Management 11g (11.1.2.1.0) (Part 2 of 2): V37472-01 Part 2 of 2
Bang head on desk and wonder, “How do I get a GUI (X display) for a non-root account?” EC2 RHEL instances don’t ship a desktop from what I can tell, but the installer kicks off into a GUI. So I need to forward an X window over SSH, which is easy enough as root but wouldn’t work under any other account: the X11 cookie that sshd creates for the forwarded display lives in root’s ~/.Xauthority, so a client started as oracle has no matching cookie and the X server rejects it. I’m installing this software as oracle. You’ll see something like this:
[root@oes1112 ~]# su - oracle
[oracle@oes1112 ~]$ xclock &
[1] 28680
[oracle@oes1112 ~]$ debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 45610
debug1: channel 1: new [x11]
debug1: confirm x11
X11 connection rejected because of wrong authentication.
debug1: channel 1: free: x11, nchannels 2
Error: Can’t open display: localhost:10.0
Here’s what to do (as root: extract root’s cookie for the forwarded display number and merge it into oracle’s xauth database):
[root@remoteHost]# xauth extract - :`echo $DISPLAY | awk -F: '{print $2}'` | sudo su - oracle -c "/usr/bin/xauth merge -"
Test it out by running xclock & as oracle again; the clock should appear instead of the authentication error.
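The same cookie handoff, written as a small script so it can be reused for any non-root install account. This is an added example and not from the original post; it assumes you are root on the server after an ssh -X login, that sshd has set DISPLAY (e.g. localhost:10.0), and that xauth is installed. The target user name is whatever you pass in.

```shell
#!/bin/bash
# Hand the X11 cookie from a root "ssh -X" session to a non-root account so
# the Oracle GUI installer can open on the forwarded display.
# Added example, not from the original post. Assumes you are root on the
# server, DISPLAY was set by sshd (e.g. localhost:10.0), and xauth is installed.

# Return only the display number from a DISPLAY value:
#   localhost:10.0 -> 10     :10 -> 10     host:11.2 -> 11
display_number() {
    local d="$1"
    d="${d##*:}"   # drop everything up to and including the last colon
    d="${d%%.*}"   # drop the ".screen" suffix if present
    printf '%s\n' "$d"
}

# The key to extract the cookie under: ":10" rather than "localhost:10.0".
xauth_key() {
    printf ':%s\n' "$(display_number "$1")"
}

# Copy root's cookie for the current DISPLAY into $1's ~/.Xauthority.
# The cookie never touches disk outside the two .Xauthority files: xauth
# writes it to stdout and the target user's xauth reads it from stdin.
share_x11_cookie() {
    local target="$1"
    if [ -z "${DISPLAY:-}" ]; then
        echo "DISPLAY is not set; log in with ssh -X first" >&2
        return 1
    fi
    xauth extract - "$(xauth_key "$DISPLAY")" \
        | su - "$target" -c '/usr/bin/xauth merge -'
}

# Usage, as root after "ssh -X root@host":
#   share_x11_cookie oracle
#   su - oracle -c 'xclock &'   # should open a clock instead of
#                               # "X11 connection rejected because of wrong authentication"
```

The cookie is per display number, so if you reconnect and sshd hands out localhost:11.0 you have to run it again; the function reads DISPLAY at call time for that reason.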
The GUI install is straightforward. Just write down everything you configure.
Attempt to run Oracle Repository Creation Utility (RCU)
Package is:
- Oracle Fusion Middleware Repository Creation Utility 11g (11.1.2.1.0) for Linux x86: V37476-01
Bang head on desk and learn. This simply wouldn’t run on RHEL out of the box. Try this first, which I assume works for most people: http://idmrockstar.com/blog/2012/11/rcu-utility-for-11gr2-fails-libxtst-so-6-cannot-open-shared-object-file/
However, I got the error below, which means yum refused to install the 32-bit (i686) X libraries RCU needs because their versions didn’t match the x86_64 copies already installed (yum’s protected_multilib check insists both architectures of a package be at the same version):
“Error: Protected multilib versions”
Here’s what worked:
yum update --setopt=protected_multilib=false --skip-broken
yum install --skip-broken libXtst.i686*
yum install --skip-broken libXext.i686*
Let’s pause and talk about configuration settings
When working with new software, I routinely scour the Internet for other people’s documented configuration settings and find them incredibly helpful. More so with the Oracle stack than any other software I’ve used, you will need to come back to these settings constantly. Document them well and save yourself a TON of time down the road.
Here’s what I’m working with (a few of these were set later in the install):

Setting | Default | Changed to
---|---|---
Oracle Middleware Home | /root/Oracle/Middleware or /home/Oracle/Middleware | /software/Oracle/Middleware
WebLogic Server | /software/Oracle/Middleware/wlserver_10.3 |
Oracle Coherence | /software/Oracle/Middleware/coherence_3.7 |
Oracle Inventory Directory | /home/oracle/oraInventory | /software/Oracle/oraInventory
Oracle Home Directory | Oracle_IDM1 |
Domain Name | base_domain | oes_domain
Domain Location | /software/Oracle/Middleware/user_projects/domains |
Admin User Name | weblogic |
Password | |
ResourceType | MossResourceType |
Admin URL File | c:\oracle\product\11.1.2\as_1\oessm\mosssm\adm\discovery\AdmUrls.txt |
OES Policy File | C:\Oracle\product\11.1.2\as_1\oes_sm_instances\myMOSSSM | stored as objattr1, object1
MOSS Resource File | c:\oracle\product\11.1.2\as_1\oessm\mosssm\adm\configtool\moss_config.properties |
Database Connection Details

Field | Description | Value
---|---|---
Database Type | | Oracle Database
Host Name | | instanceName.vms.domain.com
Port | | 2115
Service Name | Find it on the database host with lsnrctl status | orcl
Username | | sys
Password | |
Role | | SYSDBA
Connection String | | jdbc:oracle:thin:@instanceName.vms.domain.com:2115/orcl
Admin Server Listen Port | | 7001
Admin Server SSL Listen Port | Select Admin Server for optional configuration and enable SSL | 7002
Admin Server URLs | | http://ip-xx-xxx-xxx-xxx:7001 and https://ip-xx-xxx-xxx-xxx:7002
<MW_HOME> | | /software/Oracle/Middleware/
<IAM_HOME> | | /software/Oracle/Middleware/Oracle_IDM1/
<domaindir> | OES Admin Server domain | /software/Oracle/Middleware/user_projects/domains/oes_domain
<datasource> | Domain security store (default opss-DBDS) | opss-DBDS
<farmname> | Security store farm name (default domain name) | oes_domain
<servertype> | Policy store type | DB_ORACLE
Configure the security store for OES Admin
The command that finally worked for me. The -p value is the password of the OPSS schema that RCU created; because it is passed on the command line it is visible in ps while the script runs and ends up in your shell history, so treat that as a PoC convenience and clear it from history afterwards:
/software/Oracle/Middleware/oracle_common/common/bin/wlst.sh /software/Oracle/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py -d /software/Oracle/Middleware/user_projects/domains/oes_domain -t DB_ORACLE -m create -p password
Be happy when the script concludes with the following:
Info: diagnostic credential created in the credential store.
Info: Create operation has completed successfully.
Attempt to start WebLogic Server and yell at Java many times
Here is where I learn that WebLogic isn’t using the JAVA_HOME defined in the user .bash_profile.
- Go to $WL_HOME/common/bin (~/wlserver_10.3/common/bin)
- In commEnv.sh set JAVA_HOME; but that didn’t work
- so then I went to /software/Oracle/Middleware/user_projects/domains/oes_domain/bin
- In setDomainEnv.sh set JAVA_HOME and comment out the if statement about the JAVA_VENDOR (which would otherwise overwrite anything you set for JAVA_HOME)
Set JAVA_HOME. It must point at the JDK root directory (the one containing bin/java), not at the java binary itself, and WebLogic 10.3.6 wants a JDK it is certified on (JDK 6 or 7), so substitute the directory of the JDK actually installed on your box:
$ vi ~/.bash_profile
export JAVA_HOME=/usr/java/jdk1.5.0_07
export PATH=$JAVA_HOME/bin:$PATH
$ . ~/.bash_profile
$ echo $JAVA_HOME
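A small checker for the JAVA_HOME mistake above, so the value is validated before it goes into .bash_profile or setDomainEnv.sh. This is an added example and not from the original post; the JDK path in the usage comment is illustrative and should be replaced with the JDK actually installed.

```shell
#!/bin/bash
# Validate a JAVA_HOME value before handing it to WebLogic's setDomainEnv.sh.
# Added example, not from the original post. The JDK path in the usage
# comment is illustrative; substitute the JDK installed on the box.

# WebLogic needs JAVA_HOME to be the JDK root directory (the one containing
# bin/java), not the java binary. Accept either form, print the root, or fail
# if there is no executable java underneath it.
normalize_java_home() {
    local candidate="$1"
    # Common mistake: JAVA_HOME=/usr/java/jdkX/bin/java. Strip back to the root.
    case "$candidate" in
        */bin/java) candidate="${candidate%/bin/java}" ;;
        */bin)      candidate="${candidate%/bin}" ;;
    esac
    if [ -x "$candidate/bin/java" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    echo "no executable java at $candidate/bin/java" >&2
    return 1
}

# Emit the two lines to append to ~/.bash_profile once the path is known good.
# bin goes at the FRONT of PATH so this JDK wins over /usr/bin/java.
java_env_lines() {
    local home
    home="$(normalize_java_home "$1")" || return 1
    printf 'export JAVA_HOME=%s\n' "$home"
    printf 'export PATH=$JAVA_HOME/bin:$PATH\n'
}

# Usage (illustrative JDK path):
#   java_env_lines /usr/java/jdk1.7.0_21 >> ~/.bash_profile && . ~/.bash_profile
#   "$JAVA_HOME/bin/java" -version
```

Run java_env_lines against the JAVA_HOME you intend to hard-code in setDomainEnv.sh as well; if it fails there, the domain scripts would have silently fallen back to whatever vendor logic picks.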
Actually start WebLogic Server
Command to run (the path is case sensitive and must match the domain directory configured above):
/software/Oracle/Middleware/user_projects/domains/oes_domain/bin/startWebLogic.sh &
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on xx.xxx.xxx.xx for protocols iiops, t3s, ldaps, https.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on fe80:0:0:0:1031:38ff:fe09:cdbe:7002 for protocols iiops, t3s, ldaps, https.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 127.0.0.1:7002 for protocols iiops, t3s, ldaps, https.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[3]" is now listening on 0:0:0:0:0:0:0:1:7002 for protocols iiops, t3s, ldaps, https.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on fe80:0:0:0:1031:38ff:fe09:cdbe:7001 for protocols iiop, t3, ldap, snmp, http.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 0:0:0:0:0:0:0:1:7001 for protocols iiop, t3, ldap, snmp, http.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on xx.xxx.xxx.xx:7001 for protocols iiop, t3, ldap, snmp, http.>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "oes_domain" running in Development Mode>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Apr 23, 2013 9:45:45 AM EDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
Confirm that WebLogic Server is listening on 7001 and 7002:
netstat -lntp
tcp 0 0 fe80::1031:38ff:fe09:c:7001 :::* LISTEN 3687/java
tcp 0 0 ::1:7001 :::* LISTEN 3687/java
tcp 0 0 ::ffff:xx.xxx.xxx.xx:7001 :::* LISTEN 3687/java
tcp 0 0 ::ffff:127.0.0.1:7001 :::* LISTEN 3687/java
tcp 0 0 fe80::1031:38ff:fe09:c:7002 :::* LISTEN 3687/java
tcp 0 0 ::ffff:xx.xxx.xxx.xx:7002 :::* LISTEN 3687/java
tcp 0 0 ::1:7002 :::* LISTEN 3687/java
tcp 0 0 ::ffff:127.0.0.1:7002 :::* LISTEN 3687/java
Update iptables to allow for external access
Until this was done, I could only access the server from localhost. Open access to WebLogic ports 7001 and 7002 (per install configuration) and insert the lines ahead of the final reject rule (icmp-host-prohibited), otherwise they are never reached. Two things worth noting: 7001 carries the unencrypted http and t3 channels to the admin server, so on anything beyond a throwaway PoC restrict the source with -s to your own addresses rather than 0.0.0.0/0; and the instance’s EC2 security group has to permit the same ports, because traffic it drops never reaches iptables at all.
iptables -I INPUT 5 -p tcp --dport 7001 -j ACCEPT
iptables -I INPUT 6 -p tcp --dport 7002 -j ACCEPT
iptables -n -L -v --line-numbers
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7001
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7002
But that stuff didn’t seem to stick. Rules added with the iptables command live only in the kernel until you run service iptables save, which writes them to /etc/sysconfig/iptables; a restart of the iptables service reloads that file and drops anything unsaved. So I just wrote directly to /etc/sysconfig/iptables as root:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [73286:15030158]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7001 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7002 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Restart iptables (service iptables restart) and you’re golden. You can now log in to:
Fusion Middleware: https://ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com:7002/
OES: https://ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com:7002/apm/faces/SignIn.jspx
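The firewall step above, redone as a script that renders the same RH-Firewall-1-INPUT ruleset but restricts the WebLogic ports to an administrator network and refuses to install a ruleset that leaves them world-open or unreachable behind the REJECT. This is an added example and not from the original post; 203.0.113.0/24 is a documentation address range standing in for your real admin addresses, and 7001/7002 are the AdminServer ports chosen during the install.

```shell
#!/bin/bash
# Render a RHEL 6 /etc/sysconfig/iptables that opens the WebLogic admin ports
# only to an administrator network, then load and persist it.
# Added example, not from the original post. 203.0.113.0/24 is a documentation
# range standing in for your real admin addresses; 7001/7002 are the AdminServer
# listen ports chosen during the install. The EC2 security group must allow the
# same ports, or nothing reaches iptables at all.

# render_rules SRC_CIDR PORT... : print the ruleset to stdout.
# Port ACCEPTs are emitted before the final REJECT so they are actually reached,
# and each carries "-s SRC_CIDR" so 7001 (plain http/t3) is never world-open.
render_rules() {
    local src="$1"; shift
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
EOF
    local port
    for port in "$@"; do
        printf -- '-A RH-Firewall-1-INPUT -s %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' \
            "$src" "$port"
    done
    cat <<'EOF'
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rules_are_sane RULESET : 0 when every port ACCEPT precedes the REJECT and no
# port rule is open to 0.0.0.0/0.
rules_are_sane() {
    local rules="$1" reject_ln last_accept_ln
    reject_ln="$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | cut -d: -f1)"
    last_accept_ln="$(printf '%s\n' "$rules" | grep -n -- '--dport' | tail -n 1 | cut -d: -f1)"
    [ -n "$reject_ln" ] && [ "$last_accept_ln" -lt "$reject_ln" ] \
        && ! printf '%s\n' "$rules" | grep -q -- '-s 0.0.0.0/0'
}

# install_rules SRC_CIDR PORT... : write, load and persist the ruleset (run as root).
install_rules() {
    local rules
    rules="$(render_rules "$@")"
    rules_are_sane "$rules" || { echo "refusing to install unsafe ruleset" >&2; return 1; }
    printf '%s\n' "$rules" > /etc/sysconfig/iptables
    # Loads the file. Rules added live with "iptables -I" are lost here unless
    # "service iptables save" was run first.
    service iptables restart
}

# Usage (as root):
#   install_rules 203.0.113.0/24 7001 7002
```

Writing the file and restarting the service is what makes the change survive a reboot; the live iptables -I commands alone do not. If you really do need 0.0.0.0/0 for a demo, the sanity check will refuse it, which is the point: make that decision consciously rather than by default.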
Thanks for reading. Hopefully this saves you some headaches. Part 2 to come.
~tim (@orrtuber)