Wednesday, April 29, 2009

Identity Management Part I: Making friends with the Oracle Internet Directory (OID) for Oracle Application Server 10gR2

Dear Readers,

Our series continues for Oracle Fusion Middleware technology with a focus on Oracle Application Server (10gAS). The following will be topics for Fusion Middleware:

Part I: Identity Management- OID and SSO
Part II: Tips and Tricks for Monitoring and Troubleshooting Oracle Application Server
Part III: Performance Tuning Oracle Application Server

As part of our new Fusion Middleware series of tips for Oracle database technology, this week will cover
how to configure the complex identity management piece (IdM) for Oracle 10gR2 Application Server (OAS)
by using the Oracle Internet Directory (OID) component of the Oracle 10g Application Server infrastructure.

What is the Oracle Application Server (OAS) ? The Oracle 10gAS is a robust technology that provides a multitude of web server
and rich content management functions for customer applications. It is the heart of many core Oracle enterprise technologies such as Oracle EBS and additional technologies that require web inter/intranet functionality.

For our case study, we will use a full blown installation of Oracle 10gR2 Application Server ( on the Oracle Enterprise 5 Linux 32 bit platform (OEL 5.3) . Since Fusion Middleware is a suite of 200+ products, we will only cover Application Server for the time being in our Fusion Middleware series before we move onto other core topics such as BPEL and SOA (Service Oriented Architecture). What are the components of the Oracle 10g Application Server? There are two major pieces: the middle tier application server and the second technical stack is called the Infrastructure. In a standard OAS installation, one only needs to use the middle tier application server for most purposes. The infrastructure is an optional enterprise tech stack that is not always required. In essence, we have an n-tiered architecture that makes up the structure for an Oracle 10gAS environment: web tier, middle tier, and infrastructure. First, lets review the components of the middle tier for Oracle 10g Application server.

Web Tier

- Oracle HTTP Server (OHS) which is the Oracle modified version of the Apache HTTP server with a few twists unique to Oracle
- Oracle Application Server Web Cache (optional): provides enhancement in performance for caching web page content
and some software based load balancing features

Middle Tier Oracle 10g Application Server (10.1.2 OracleAS)

- OC4J server which is the Oracle Container for Java Enterprise Edition and the heart of the Oracle 10g Application Server
- Oracle Portal: rich web based content management system for portlets and web applications
- Oracle Wireless: for handheld wireless devices to access web rich database applications

Infrastructure Components of OracleAS 10gR2:

The infrastructure architecture of Oracle 10g Application Server consists of two core technical items:
Identity Management: includes Oracle Internet Directory(OID), Single Sign On (SSO)
Metadata Repository which is an Oracle 10g database which stores metadata for OAS application services such as OID and

Oracle recommends at least a 2-3 tiered approach to optimize performance and provide for optional load balancing solution.

One key area within the Oracle Application Server that is poorly understood is Identity Management. Identity management provides many security administration functions to streamline access to Oracle web systems such as Single Sign On (SSO) authentication. Single Sign On allows a user to access multiple Oracle web applications with a single user name and password that is authenticated against the OAS and Oracle database environments. Stay tuned as we will cover SSO in future installments. For now, hang on and we will return to OID and Application Server setup. The reason why I chose to cover OID first is that now Oracle 10gAS requires a full setup with OID before installation of Discoverer for the Business Intelligence (BI) environment. What is OID? OID or Oracle Internet Directory is the Oracle LDAP implementation (Lightweight Directory Access Protocol) with Application Server. I like to think of OID is Microsoft Active Directory on steroids for Oracle. So for those of you who are new to LDAP, to break it down in simple terms. LDAP has a name structure based on an inverted tree as shown below:

Suffice it to say, a discussion of LDAP is beyond scope of our discussion for Oracle 10gAS but a good reference on LDAP is available in the Oracle Internet Directory Administrator's Guide 10g available at .

OK, lets get started with configuration for Oracle Internet Directory (OID) with Oracle 10g Application Server. One useful item to mention is the help system that comes with OAS as shown in the below figure example:

Now, lets start a new session to configure OID. Of note: OID can also be configured for non-Application Server environments. For instance, we can setup OID with Oracle 11g. The OID security is available from the Network Configuration Assistant (netca) to setup the Oracle Internet Directory with Oracle database environments. For Oracle 10gAS, the method to setup and configure OID is to use the oidadmin utility.

Back to our Oracle 10gAS environment. The oidadmin utility is located under our $ORACLE_HOME/bin directory. Make sure to correctly set your Oracle environment variables for your operating system. We start oidadmin and the welcome screen appears below.

We need to login to OID as the default administrator. Since OID uses LDAP, we need to specify the login format based on common name (CN)

password= the password for ias_admin account that we chose during the Oracle 10gAS installation process.

Then we login. The welcome screen appears and shows our default OID environment.

Now, let's expand the tree structures to expose the various configuration details for OID with our 10gAS environment.

As you can see, multiple tasks can be performed to administer users and servers within the OID environment for Oracle 10gAS.
Suffice it to say, it would require an entire book to detail all aspects of Oracle Identity management with Oracle 10g Application Server. For now, we will provide a basic walkthrough to get the baseline configuration up and running with our new 10g Application Server. There are three divisions of OID configuration to consider:

1. Access Control Management
2. Schema Management
3. Server Management

Access Control Management

First we will consider Access Control Management with OID. Access Control management is the process of granting and restricting access to a realm of Oracle application or database servers within the Oracle Internet Directory (OID) environment for Identity Management.

Access controls can be managed and created via the OID interface for applications and users based on the OID LDAP X.509 standard using cn (common name) and LDAP syntax. For example, we have the cn=Reports details displayed for Access Control Management listed below.

Schema Management for OID and Identity Management

By default, OID stores all metadata about configuration details and users in a set of schemas within the Oracle 10g repository database which is part of the Infrastructure component of Oracle 10gAS.

Each schema item is broken down into subitems such as object id, class, and attributes based on the LDAP syntax for OID as shown below.

Now let's move on to showcase server management for OID and 10g Application Server.

Server Management for OID and Identity Management

OID provides various types of server configurations for Oracle 10gAS:

- Directory Server
- Replication Server
- Integration Server

These servers determine the specific type of security mechanism and configuration to be used with Oracle 10g Application Server. For example, to view, change and update settings for our directory server we would expand the tree structure menu item under Server management:

We also have options to modify settings for SSL (Secure Sockets Layer):

Now let's move on to configuration tasks for Oracle 10g Application Server with a basic Identity Management setup. So, we return to our Oracle 10gAS control window.

To access the settings for Identity Management, we navigate to the Infrastructure tab on our Application Server Enterprise Manager. As expected, it shows us that nothing has been configured yet. We click on the configure tab.

We enter the hostname details for our 10g Application Server, port number.

Recall that we need to specify the username in LDAP format with cn=orcladmin and the password for ias_admin that
was given during the Oracle 10gAS installation. Oracle then politely informs us that the entire tech stack for Oracle 10g Application Server will be shutdown and restarted to complete our basic Identity Management configuration. We verify all settings are correct.

Now our configuration setup should be complete for a baseline Identity Management install. Our next post will detail basic SSO configuration for Oracle 10g Application Server.


Sunday, April 19, 2009

CLOUG Conference and Chile- Part II

This was my first time to speak at CLOUG conference in Santiago, Chile as well as to South America. It was challenging to translate on the fly my presentation from English to Spanish for Oracle 11g RAC. However, since I have a minor in Spanish literature and spent a year abroad in college as an exchange student in Mexico, I was able to quickly switch gears to present in Spanish. With a shortage of translators to convert English to Spanish, the folks at CLOUG appreciated my bilingual skills and I enjoyed presenting on 11g RAC in Spanish. Of course no visit would be complete without photos of the beautiful landscape that makes Chile a beautiful country. Santiago is the capital of Chile and we had the CLOUG conference at the Ritz Carlton Hotel.

Santiago reminds me quite a bit of Los Angeles and what is even more amazing is that Chile is a lot like California!

Of course, the many excellent presentation by Oracle ACEs and Oracle ACE Directors went quite well and I enjoyed all the sessions that I attended until Montezuma's revenge hit me on day 2 and I ended up taking medicine from the pharmacy and recovering from a stomach bug. Fortunately, I was able to complete and give both of my presentations on the first day when I was well.

Due to a global economic crisis not seen since the Great Depression, not as many folks were able to attend the first CLOUG session. Hopefully, the world economy will improve and allow more folks to attend the next CLOUG conference! And this time, I promise to write and do it all in Spanish! Para que los demas se pueden entender bien, voy a dar mis presentaciones en espanol al futuro!

Now the fun part and best thing about the CLOUG conference was all about the people. I feel blessed to have spent time over many conversations with the likes of Robert Freeman (aka Mr. RMAN and New Features) and Tim Hall. Of course, my favorite part was interacting with the folks from Latin America who attended my Oracle 11g RAC session and listening to their challenges. One young lady who is a DBA in Chile for Fedex asked me some questions on Oracle RAC performance with Weblogic server and if she gets back to me, I will follow up with some tips :-)

We had the Oracle ACE dinner at an excellent Polynesian restaurant called Bali Hai that Francisco Munoz Alvarez reserved and an excellent evening of technical conversation over food, drinks and dancing was excellent!

I even tried the famous Chilean drink called a Pisco Sour made with egg white, Pisco a liquor from Chile made from grapes, lime juice and sugar. It tastes a lot like a margarita and some debate exists over whether the Pisco sour comes originally from Peru or Chile! We had a famous Oracle ACE from Peru, Plinio Arbizu debate the matter over dinner with us.

The last day of the conference we had a nice seafood dinner with lots of good Chilean wine at a local seafood restaurant in Santiago. As you can see, it was a lot of fun!

After the conference, Francisco led us Oracle ACEs who were in Chile after the conference on a nice tour of the nearby coastal towns of Vina del Mar and Valparaiso. These are a lot like San Francisco and San Diego!

We all enjoyed our tour of these coastal Chilean towns very much.

Hans Forbrich, Robert Freeman, Tim Hall, and Francisco Munoz Alvarez enjoy tour of Vina Del Mar in Chile.

We hope to have future Oracle conferences in Latin America and I would love to speak in Spanish on Oracle 11g and RAC in Peru, Columbia, Argentina, and Chile as well as Brazil in the future.


Thursday, April 16, 2009

CLOUG Conference in Chile- Part One

Greetings fellow readers,

We had the first ever major Oracle conference in Chile with CLOUG this year and I was fortunate to present along with many fellow Oracle ACEs and Oracle ACE Directors including Tim Hall, Robert Freeman, Daniel Morgan and Hans Forbrich just to name a few. Overall, I believe it was a success. Since pictures are worth a thousand words, I believe the following showcase the energy and amazing technical sessions hosted for CLOUG this year in Santiago, Chile.

First we had a keynote speech by Odair Aguiar, Senior Director for the Latin American Oracle market present a strategy briefing for Oracle product direction with respect to the Latin American market:

Next up was Francisco Munoz Alvarez to introduce the event and other speakers. I personally want to thank Francisco for all of the massive amounts of behind the scenes work that he put into making CLOUG a success. He is a wonderful guy as well and my heartfelt thanks as I was able to present in both Spanish and English and share my tips on Oracle with fellow Oracle professionals in Chile and other parts of Latin America. Muchas gracias!

Oracle ACE Director Tim Hall delivered the keynote Oracle technical presentation of the morning on 11g New Features for PL/SQL developers.

I enjoyed all of the presentations and learned a lot on how to polish my own speaking and presenting sessions by watching other speakers.

Daniel Morgan of Morgan's library Oracle knowledge power fame provided insight into using Oracle 11g features via Oracle Gems session which I enjoyed quite a bit as well.

Daniel is a fountain of knowledge on Oracle and I had the pleasure to meet him at CLOUG in Chile and share many good chats on database technology and life.

Robert Freeman gave an excellent session that I attended the first day on Oracle RMAN:

Another Oracle ACE director, Hans Forbrich, delivered a solid technical session on Oracle VM which I found quite interesting as well.

Unfortunately, since I had Montezuma's revenge on day 2, I missed some sessions due to need for medicine. Fortunately, I was able to attend the dinner party later that evening.

I presented on Oracle 11g RAC Troubleshooting and Oracle 11g Undocumented Secrets. Since there were only a few translators, I gave my Oracle 11g RAC presentation in Spanish and hope that folks understood my on the fly translation of the materials into Spanish from English. My goal is to deliver all future Oracle presentations in Spanish for Latin American conferences so that material flows and Spanish speakers have the presentations in Spanish format for later review and reference.

Thursday, April 2, 2009

Post-Install OBIEE Part I: Login problems for OBIEE BI Publisher

In my quest to cover all things Oracle, the latest adventure is to setup and configure a test environment on VMWare with OBIEE- Oracle Business Intelligence Suite for Oracle Enterprise Linux platform. I was able to setup OBIEE 10.1.3 for OEL 5 without too many issues. I did have to download and configure the jdk 1.5 from the website as OBIEE requires the latest jdk 1.5 as part of the installation. Like most of the core Oracle Enterprise products, Oracle Application Server (OAS) is at the heart of OBIEE as well as other key technologies such as E-Business. Everything went smooth after that and I was able to bring up the OBIEE database server control for Application Server.

Unfortunately, even though all of the key OBIEE services came online without incident, I was unable to login to the OBIEE BI Publisher site as Administrator using the default password of Administrator!

So, I had to solve this problem by restarting the OBIEE services script located under $ORACLE_HOME/setup as shown in the example below:

OK, one question that comes to mind is where does OBIEE store the passwords for access to BI publisher? Well, OBIEE stores its configuration for passwords in an XML formatted file called xml-server-config.xml which is located under $ORACLE_HOME/xmlp/XMLP/Admin/Configuration directory. Recall that we had to restart the OBIEE services on account of our login problem. Now, we see the correct default values for the Administrator account as shown in the below output for the xml-server-config.xml configuration file:

One word of caution- since this file is not encrypted, you want to be careful to restrict access to avoid any security vulnerability issues to sensitive data within OBIEE.

And now we can login as Administrator to our OBIEE BI Publisher site to perform administration tasks for managing our OBIEE BI dashboads.

I was able to run sample reports using the canned examples that come with OBIEE default installation. OBIEE really is the updated version of Siebel since Oracle purchased Siebel as part of the recent spending buyout spree.

We will cover additional key Oracle Fusion Middleware technical tips and tricks in upcoming installations such as the new Oracle Beehive Collaborate Suite as well as how to deploy the new Oracle SOA suite and Oracle Weblogic Application server. Stay tuned!


Wednesday, April 1, 2009

Tips and Tricks for Installing Oracle 10g Application Server - Revenge of the missing libraries!

Oracle 10g Application Server (10g AS) is a key part of the Oracle E-Business Suite since version 11i. Since Oracle Apps DBAs and Oracle portal DBAs need to understand how to install and configure this key technology, I decided to create a new Oracle 10g Application Server environment on Oracle Enterprise Linux 5 (OEL 5, 32 bit OS). There are a few gotchas that will cause the Oracle 10g Oracle Application Server installation to fail on both RHEL 5 and OEL 5 platforms. The first issue that occurs is that the OUI (Oracle Universal Installer) will complain that either Red Hat Enterprise Linux 5 or OEL 5 are not supported and hence the runInstaller OUI program will halt. How to fix this issue? Simple. We need to edit the oraparam.ini file and re-start the OUI runInstaller program so that either RHEL5 or OEL5 are supported. In my case, I had to do this for 10g OAS by editing the oraparam.ini file with the Linux vi editor.

[oracle@oas10g install]$ id
uid=500(oracle) gid=501(oinstall) groups=500(dba),501(oinstall)

[oracle@oas10g install]$ cd /u01

[oracle@oas10g u01]$ ls
as_linux_x86_101201_disk1.cpio Disk1 lost+found
as_linux_x86_101201_disk2.cpio Disk2 oracle

[oracle@oas10g u01]$ cd Disk1

[oracle@oas10g Disk1]$ ls
doc install runInstaller stage utils

[oracle@oas10g Disk1]$ cd install

[oracle@oas10g install]$ ls
help install-config.xml lsnodes resource runInstaller
images oraparam.ini Response unzip
[oracle@oas10g install]$ vi oraparam.ini

We need to make entry in the oraparam.ini file for redhat-5.2 since OEL5 and RHEL5 both use the 5.2 release of Linux (Carthage)

[Certified Versions]

Save the updated oraparam.ini file and restart OUI with runInstaller and we are good to go.

OK, so now we can kick off our installation process for 10g Application Server ( for OEL 5 Linux platform. Now, we hit a major snag during the installation of the configuration assistants for SSO and Portal.

Unfortunately, the error message is unclear and further investigation into the logs reveals the root cause:
Since the installation for 10g Application Server (OAS) fails during the SSO configuration assistant step, further analysis of the SSO logs provides the cause of the headaches:

$ cd /u01/oracle/infra/sso/log

Contains two key log files for SSO: ssoca.log and ssoreg.err that we need to examine.

Why? Because, yes, our missing in action friend from last time, that pesky library, called is not present in a default Red Hat (RHEL5) or Oracle Enterprise Linux 5 (OEL5) installation. That poor guy just gets no respect like Rodney Dangerfield would say. Even the up2date oracle-validated command from the Oracle Unbreakable Linux network forgot this one. Hmm, maybe if I run into the Linux development team at OpenWorld I can ask them to include our friend in the Linux setup for next release of OEL! OK, so how do we solve this? Same as last time. We need a patch, well actually its our missing friend the library. So we got Metalink and download patch 6078836 and copy it over like we did earlier for our R12 EBS installation.

As smart DBAs, we review the README.txt file before apply the patch which gives us the installation steps and backout steps.

Now, after we download We need to unzip the patch that contains this missing library and as root superuser copy it to /usr/lib directory. We can resume the installation without further incident. One note that during the install, toward the end, when the installation process brings up the Apache HTTPD server processes via opmnctl utility for the first time, it will complain on errors. Ignore and continue. The install should now finish. We are happy to see the success screens listed below.

Now the final steps, are to verify the installation for our 10g Oracle Application Server database and web portal infrastructure.
First, we logon to the main 10g Application Server control as ias_admin account.

Good. All of the web portal components including OC4J and SSO are up and running. Now, lets check out the default topology setup post-install.

Excellent. Now our last post-install verification step for 10g Oracle Application Server ( is to connect to the Oracle 10g database repository and check the listener. First we set the .bash_profile for the oracle user account with Linux and then we logon to the 10g repository database.

Next up on our tour of Oracle- how to install the OBIEE software for OEL5 on VMWare! Stay tuned.