Monday, December 07, 2020

Firewall-cmd to open ports

My notes to open internal firewall on a newly built server.

 

On a newly built Redhat/Oracle Linux all the ports are blocked by default

I installed Oracle and the listener is running on port 1521, but I was not able to access the port from other servers or from the network. The fix is to open the internal firewall; this can be performed using GUI or command-line options.


Important

"firewall-cmd  --reload"   Always run after adding/removing a port/service .


Verify opened ports

$ firewall-cmd --list-ports


Add Ports - TCP/UDP

$ firewall-cmd --permanent --add-port=1521/tcp

$ firewall-cmd --permanent --add-port=7001-7099/tcp 

$ firewall-cmd  --permanent --list-ports

blank

$ firewall-cmd  --reload

$ firewall-cmd  --list-ports

1521/tcp 7001-7099/tcp 


Add Service  - Instead of TCP/UDP, you can also add service function

$ firewall-cmd --permanent --add-service=ssh

$ firewall-cmd --permanent --add-service=http

Remove Port

$ firewall-cmd --permanent --remove-port=444/udp

$ firewall-cmd --permanent --remove-port=1521/tcp

$ firewall-cmd --permanent --remove-port=7001-7099/tcp 


$ firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0

  sources:

  services: dhcpv6-client postgresql ssh

  ports: 1521/tcp 1522/tcp 22/tcp

  protocols:

  masquerade: no

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules:
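
A follow-up check for the steps above, as an added example that is not part of the original notes: it compares the runtime ports from `firewall-cmd --list-all` with the permanent list and with the ports you intended to open, which catches a forgotten `--reload` or a port added without `--permanent`. The function names, the permanent list and the allowlist are assumptions made for the example.

```shell
#!/bin/sh
# Added example: compare what firewalld enforces now (runtime) with what is
# saved (permanent) and with the ports that were meant to be open.

# Extract the "ports:" field from `firewall-cmd --list-all` output on stdin.
# "forward-ports:" and "source-ports:" do not match the anchored pattern.
ports_from_list_all() {
    sed -n 's/^[[:space:]]*ports:[[:space:]]*//p'
}

# Print each token of list $1 that is missing from list $2.
missing_from() {
    for mf_tok in $1; do
        case " $(echo $2) " in
            *" $mf_tok "*) ;;
            *) printf '%s\n' "$mf_tok" ;;
        esac
    done
}

# audit_ports LIST_ALL_OUTPUT PERMANENT_PORTS ALLOWED_PORTS
#   not-permanent: open now, but gone after the next reload or reboot
#   not-loaded:    saved, but not enforced until `firewall-cmd --reload`
#   unexpected:    open now, but not on the allowlist
audit_ports() {
    ap_runtime=$(printf '%s\n' "$1" | ports_from_list_all)
    missing_from "$ap_runtime" "$2" | sed 's/^/not-permanent /'
    missing_from "$2" "$ap_runtime" | sed 's/^/not-loaded /'
    missing_from "$ap_runtime" "$3" | sed 's/^/unexpected /'
}

# Sample input: the `firewall-cmd --list-all` output shown above (shortened).
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client postgresql ssh
  ports: 1521/tcp 1522/tcp 22/tcp
  forward-ports:
  source-ports:
  rich rules:'
# Constructed for the example: the saved config and the intended allowlist.
SAMPLE_PERMANENT='1521/tcp 22/tcp 7001-7099/tcp'
SAMPLE_ALLOWED='1521/tcp 22/tcp'

audit_ports "$SAMPLE_LIST_ALL" "$SAMPLE_PERMANENT" "$SAMPLE_ALLOWED"

# On a live host:
# audit_ports "$(firewall-cmd --list-all)" \
#             "$(firewall-cmd --permanent --list-ports)" "1521/tcp 22/tcp"
```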


Ref:

https://www.liquidweb.com/kb/an-introduction-to-firewalld/

https://landoflinux.com/linux_firewall_config_tool.html

https://www.tecmint.com/open-port-for-specific-ip-address-in-firewalld/

https://firewalld.org/documentation/howto/open-a-port-or-service.html

https://firewalld.org/documentation/howto/add-a-service.html





EFS filesystem inode64 libjvm.so

 On Amazon EFS filesystem I am trying to stage the Oracle EBS 12.2 software


Received the following error when staging the software using buildStage.sh 

 

Error: no `server' JVM at `/software/EbsStage/startCD/Disk1/rapidwiz/jre/Linux_x64/1.6.0/lib/i386/server/libjvm.so'.

Press Enter to continue ...


Reason

EFS filesystem uses inode64 but the software is looking for inode32 filesystem.

The same issue can also occur on XFS filesystem larger than 1 TB. In that case you can use "inode64" in /etc/fstab and remount the filesystem. But for mounting NFS filesystem there is no inode64 option. 


Fix:

$ echo "options nfs enable_ino64=0"  > /etc/modprobe.d/nfs.conf

Reboot the server or remount the filesystem to resolve the above issue.


Ref: 

https://access.redhat.com/solutions/22256

https://www.mjr19.org.uk/sw/inodes64.html




Extend XFS root Filesystem

 My Notes to extend the existing XFS root filesystem

O/S: Redhat 7 

1) Create new Disk

fdisk /dev/sda  
-- create new partition

2) Recognize the new disk
$ partprobe
-- Error "The backup GPT table is not at the end of the disk"

$ parted -l
Error: The backup GPT table is not at the end of the disk, as it should be.
This might mean that another operating system believes the disk is smaller.
Fix, by moving the backup to the end (and removing the old backup)?
Fix/Ignore/Cancel? Fix 

3) Verify the new disk added 
$ lsblk


4) Create Physical Volume
$ pvcreate /dev/sda5

5) Extend the existing root volume group
$ vgextend rhel /dev/sda5

6) Extend the Logical Volume
$ lvextend -l +100%FREE /dev/rhel/root

7) Verify if the new disk is added 
$ df -h
-- Still my filesystem has old size

8) Extend the root filesystem 
$ xfs_growfs -d /

9) Verify if the new disk is added 
$ df -h

Good Luck!


Wednesday, April 24, 2019

Remove Trusted Certificate Chain from Wallet / Keystore

It's been a long time since I posted a blog. I spent many hours troubleshooting this issue and it's "Time to Share"

Using this note you can accomplish many things
1) Remove any trusted certs from Oracle Wallet/Keystore
2) Remove a certificate chain from UserCertificate
3) Display/List the certificates in wallet/keystore
4) Add certificates to wallet/keystore
5) Convert JKS to Wallet
6) Convert Wallet to JKS
7) orapki commands
8) keytool commands
9) Extract Private Key from Oracle Wallet


Ref:
Followed Oracle Notes Doc ID -- Note 2275107.1, 2405429.1

One of my trusted cert (intermediate) in the chain has expired.  Following is the process I used to resolve the issue.

1)
Opened Oracle Wallet and tried deleting by right-clicking on the certificate: "Trusted certificate in use, deletion failed" (Note 2275107.1)

2) Tried deleting from command line
orapki wallet remove -wallet -trusted_cert -dn 'CN=inter2' -pwd password  
PKI-04015: Trusted cert cannon be removed

3)  Convert Wallet to JKS

a) Display all the certificates in the wallet
$ orapki wallet display -wallet

b) Convert the wallet to JKS
orapki wallet pkcs12_to_jks -wallet -pwd wallet_pwd -jksKeyStoreLoc /ewallet.jks -jksKeyStorepwd

c) Find the Alias of the TrustCert using keytool:
keytool -list -v -keystore /ewallet.jks -storepass

Alias name:

d) Remove trusted certificate using the alias_name found above.
keytool -delete -alias 'alias_name' -keystore /ewallet.jks

e) Run the keytool list command to confirm that the alias_name for the Trusted Certificate is gone.
keytool -list -v -keystore /ewallet.jks

4) I still saw the CertificateChain has the expired entries, googled and found a note

a) First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):
keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12

b) Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

c) Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").
Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "newcert", at this point

openssl pkcs12 -export -in pemfile.pem -name newcert -out new.p12

d) Finally, convert back from PKCS12 to JKS:
keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12
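
Step 4c above, scripted instead of done in a text editor (an added example, not part of the original note or of the Oracle documents it cites). It assumes the `subject=` header lines that `openssl pkcs12` writes before each certificate; the function names and the sample bundle, whose base64 bodies are dummies, are constructed for the example.

```shell
#!/bin/sh
# Added example: remove one certificate, together with its "Bag Attributes"
# header, from the bundle written by
#   openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

# drop_cert_by_subject PATTERN IN OUT
#   Copies IN to OUT without the certificate whose "subject=" header line
#   contains PATTERN (plain substring). "issuer=" lines are ignored, so the
#   certificates issued by the removed CA are kept, as is the private key.
#   Succeeds only if exactly one certificate was dropped.
drop_cert_by_subject() {
    dc_pat=$1 dc_in=$2 dc_out=$3
    [ -n "$dc_pat" ] && [ -r "$dc_in" ] && [ "$dc_in" != "$dc_out" ] || return 2
    # -nodes leaves the private key unencrypted: keep the copy owner-only.
    dc_umask=$(umask); umask 077
    rm -f "$dc_out"; : > "$dc_out"
    dc_removed=$(PAT=$dc_pat OUT=$dc_out awk '
        BEGIN { pat = ENVIRON["PAT"]; out = ENVIRON["OUT"] }
        function emit() {
            if (buf == "") return
            if (is_cert && hit) removed++
            else printf "%s", buf >> out
            buf = ""; is_cert = 0; hit = 0
        }
        /^Bag Attributes/ { emit() }             # a new bag starts here
        { buf = buf $0 "\n" }
        /^subject=/ && index($0, pat) { hit = 1 }
        /^-----BEGIN CERTIFICATE-----/ { is_cert = 1 }
        /^-----END / { emit() }                  # the bag is complete
        END { emit(); print removed + 0 }
    ' "$dc_in")
    umask "$dc_umask"
    [ "$dc_removed" -eq 1 ]
}

# Constructed sample in the layout `openssl pkcs12` writes (bodies are dummies).
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: newcert
    localKeyID: 01
subject=CN = server.example.test
issuer=CN = inter2
-----BEGIN CERTIFICATE-----
U0VSVkVSLUNFUlQ=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = inter2
issuer=CN = root
-----BEGIN CERTIFICATE-----
RVhQSVJFRC1JTlRFUg==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: newcert
    localKeyID: 01
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
RFVNTVktS0VZ
-----END PRIVATE KEY-----
EOF
}

# Demo on the constructed sample: prints the number of certificates left.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/pemfile.pem"
drop_cert_by_subject 'CN = inter2' "$demo_dir/pemfile.pem" "$demo_dir/edited.pem" \
    && grep -c 'BEGIN CERTIFICATE' "$demo_dir/edited.pem"
rm -rf "$demo_dir"
```

On a real bundle, pass the subject of the expired certificate as shown by `keytool -list -v`, then feed the edited file to the `openssl pkcs12 -export` command from step 4c and delete both PEM files afterwards.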


5) Convert JKS to Oracle Wallet
a) Create an empty wallet.  This will create a Password Protected Wallet (ie.  ewallet.p12 and cwallet.sso)
$MW_HOME/oracle_common/bin/orapki wallet create -wallet -auto_login

b) Display the wallet contents
orapki wallet display -wallet

c) Delete any trusted cert (if needed)
orapki wallet remove -wallet -trusted_cert_all -pwd

d) Convert JKS to a new Oracle Wallet
orapki wallet jks_to_pkcs12 -wallet -pwd -keystore /ewallet.jks -jkspwd jks_pwd


Some more important commands, not related to above issue

6) To Add a trusted Cert to JKS or Wallet
orapki wallet add -wallet -trusted_cert -cert newTrust.cer
keytool -import -file newTrust.cer -trustcacerts -alias newTrust -keystore ewallet.jks


7) Extracting Private Key from Oracle Wallet
$ openssl pkcs12 -in ewallet.p12 -nocerts -out private_key.pem
$ openssl rsa -in private_key.pem -out private.key
$ openssl rsa -in private_key.pem -check           <= verify private key


Good Luck ... 


Monday, December 08, 2014

Extract priv.key from Oracle Wallet and convert to Java keystore


Brief extract from an issue encountered recently when we renewed SSL Certificates.

Normal process we follow is use openssl -> Create CSR -> Get verisign cert -> Convert to Oracle Wallet -> Convert to keystore.

In Fusion Middleware 11g for creating Oracle Wallet from openssl we need to follow Oracle Note 184701.1. Because of a bug I was not able to see the wallet in OWM.  So the below new process is used 
create OWM Cert -> Get Verisign Cert -> Import into OWM -> Extract priv.key -> Convert to java keystore

Following are the brief steps
1) Generate CSR using OWM executable using "owm" binary from Fusion Middleware Home
2) Submit the CSR to Verisign and after you get the user certificate, import into OWM and select Auto Login and save
3) Use the ewallet.p12 cwallet.sso (From Step 2) in Fusion Middleware OHS,
4) From ewallet.p12 extract the priv.key
openssl pkcs12 -in /tmp/SSL_2014/oraclewallet_dir/ewallet.p12 -nocerts -out private_key.pem
The first password that openssl asks (Enter Import Password) is the wallet password, the other password (Enter PEM pass phrase) is used to protect the exported key.
openssl rsa -in private_key.pem -out priv.key
5) Use the SSL Cert and priv.key in Apache
6) Create Java Keystore from Oracle Wallet
export PATH=$PATH:$MW_HOME/oracle_common/bin/
orapki wallet pkcs12_to_jks -wallet ewallet.p12 -jksKeyStoreLoc ewallet.jks -jksKeyStorepwd -pwd
7) Use the JKS in Oracle Weblogic Server.

8) Which File and where it is used
ewallet.jks -- is Used in Oracle Weblogic Server.
ewallet.p12 and cwallet.sso    -- is used in Fusion Middleware OHS
server.crt and priv.key -- is used in Apache

9) Useful verification commands

Verify CSR
openssl req -in fsplifm1.csr -noout -text

Verify private.key
openssl rsa -in private.key -check

Verify Oracle Wallet
orapki wallet display -wallet oraclewallet_dir -pwd

Verify Java Keystore
keytool -list -keystore ewallet.jks -storepass



 Good Luck!

Thursday, December 19, 2013

Use Java Code Signing Certificate in Oracle E-Business Suite



Create and Import Java Code Signing Certificate to use in Oracle E-Business Suite

Ref: Oracle Note
Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1)

The Oracle note is an important document and covers most of the errors/resolutions, but there are shortcomings in the document. I did not use the ADJAVA command and substituted the KEYTOOL command.

1)     Generate KeyPair

keytool -genkey -keyalg RSA -keysize 4096 -alias EbsJarCert -keypass EbsJarkp1 -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -v

What is your first and last name?
  [Unknown]:  EbsJarServ.com
What is the name of your organizational unit?
  [Unknown]:  Ebs
What is the name of your organization?
  [Unknown]:  Ebs Company
What is the name of your City or Locality?
  [Unknown]:  Washington
What is the name of your State or Province?
  [Unknown]:  District of Columbia
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US correct?
  [no]:  yes

Generating 4,096 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
        for: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
[Storing /ebs/app/keystore.dat]

2)      Verify KeyPair

$ keytool -list -v -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -alias EbsJarCert
 ( You can also execute the same command with adjkey
adjkey -list -v -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -alias EbsJarCert)

Alias name: EbsJarCert
Creation date: Dec 17, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Issuer: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Serial number: 52b06a4a
Valid from: Tue Dec 17 09:05:46 EST 2013 until: Mon Mar 17 10:05:46 EDT 2014
Certificate fingerprints:
         MD5:  10:37:62:7D:60:EA:89:AF:15:77:19:62:59:49:28:DD
         SHA1: 02:93:CC:96:BD:EF:CE:28:B9:38:51:8E:4B:F8:94:05:ED:C8:68:0A
         Signature algorithm name: SHA1withRSA
         Version: 3

3)      Request Certificate (CSR)

keytool -certreq -alias EbsJarCert \
                -storepass EbsJarsp1 -keypass EbsJarkp1 \
                -file /ebs/home/test/EbsJarCert.csr \
                -keystore /ebs/home/test/keystore.dat

4)      Submit your CSR to Signing  Authority for certificate (Verisign)

Note: Be sure to request a Java Code Signing Certificate. This certificate can be used to sign your jar content across one or multiple Oracle E-Business Suite environments. After you get the certificate, export it in X509 format and ftp it in ascii mode to the web server.

5)      Verify the Certificate (CRT) after you receive from Verisign

keytool -printcert -v -file /ebs/home/test/EbsJarCert.crt

6)      Import Intermediate and Root Certificate to the cacerts Keystore File

Create myca.crt ( by exporting Intermediate and Root Certificate in X509 format)
Go to = $OA_JRE_TOP/jre/lib/security/
chmod +w cacerts
cat inter.crt root.crt >myca.crt
keytool -import -alias myca -file myca.crt -trustcacerts -v -keystore cacerts
chmod a-w cacerts
Note: The default Java password for the cacerts keystore file is usually changeit.

7)      Import the Java Code Signing Certificate into the Keystore

Go to = $APPL_TOP/admin
Create EbsJarCert.crt ( by exporting .crt in X509 format)
cp EbsJarCert.crt $APPL_TOP/admin/adkeystore.crt 
cp /ebs/home/test/keystore.dat $APPL_TOP/admin/adkeystore.dat

Import the certificate
keytool -import \
                -file /ebs/app/test/appl/admin/adkeystore.crt \
                -trustcacerts -storepass EbsJarsp1 \
                -alias EbsJarCert \
                -keystore /ebs/app/test/appl/admin/adkeystore.dat
               
8)      Verify and Update jripasswords in the database

Login as APPS
SQL>
set serveroutput on
declare
spass varchar2(30);
kpass varchar2(30);
begin
ad_jar.get_jripasswords(spass, kpass);
dbms_output.put_line('--------');
dbms_output.put_line('STOREPASS = '||spass);
dbms_output.put_line('KEYPASS = '||kpass);
dbms_output.put_line('--------');
end;
/

If STOREPASS and KEYPASS do not match the adkeystore.dat passwords, update them with the correct passwords
SQL> exec ad_jar.DEL_JRIPASSWORDS;
SQL> exec ad_jar.PUT_JRIPASSWORDS('EbsJarsp1','EbsJarkp1');

9)      Generate JAR files with ADADMIN

vi $APPL_TOP/admin/adsign.txt
EbsJarCert 1 CUST

adadmin
Choose Generate Applications Files menu
From this menu choose Generate product JAR files

Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes

10)   Verify the Digital Signature of a Signed Jar File
jarsigner -verify -verbose -certs /ebs/app/test/comn/java/oracle/apps/fnd/jar/fndlist.jar

X.509, CN=EbsJarServ.com, OU=Digital ID Class 3 - Java Object Signing, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
      [certificate is valid from 12/17/13 7:00 PM to 12/16/15 6:59 PM]
jar verified.

11)   Test the Applications

Java Control Panel -> Security -> Security Level: Very High
Java Control Panel -> Advanced  -> Show Console (Check)
Java Control Panel -> Advanced  -> Enable logging (Check)
Java Control Panel -> Advanced  -> Enable Trace (Check)

Login to Applications and test

Verify output In Java Console for any issues/errors/warning.

Some of them are
Missing Permissions manifest attribute for:
https://11iurl/OA_JAVA/oracle/apps/fnd/jar/fndutil.jar
Missing Codebase manifest attribute for:
https://11iurl/OA_JAVA/oracle/apps/fnd/jar/fndutil.jar

Fix
All the JAR files are not signed properly; run the following commands
adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy -masterArchive $JAVA_TOP -sync -reportfile javatopfiles.lst
adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy -masterArchive $JAVA_TOP -sync -mode APPLY
Run ADADMIN again and force generate JAR files

For error in java console
network: Connecting http://ocsp.verisign.com/ with proxy=DIRECT
network: Connecting http://ocsp.verisign.com:80/ with proxy=DIRECT
security: Failing over to CRLs: java.net.SocketTimeoutException: connect timed out
network: Cache entry not found [url: http://crl.verisign.com/pca3-g5.crl, version: null]
network: Connecting http://crl.verisign.com/pca3-g5.crl with proxy=DIRECT
network: Connecting http://crl.verisign.com:80/ with proxy=DIRECT

Fix
Control Panel -> Java -> 'Advanced' tab -> 'Perform certificate revocation checks on' section -> select “DO NOT CHECK”


Wednesday, December 05, 2012

Cisco VPN on Windows 8

Got new personal Windows 8 laptop. Looks like we need to learn a lot to get familiar using Windows o/s.  

Googling helped a lot - Credit goes to the following link

I have Cisco VPN 5.0.07.0440 for x64 running without any issues on Windows 7 

I used the following steps to install and use it on Windows 8.

1) During Installation -> Right Click and check Compatibility to Windows 7
2) After installation imported the PCF file
3) Backup registry
4) Browse to the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
     Select the DisplayName to modify, and remove the leading characters from the value data up to "%;" i.e.
     "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows" to "Cisco Systems VPN Adapter for 64-bit Windows"
5) Test Connectivity
  

If you have 32 bit use the following
o    For x86, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter" to "Cisco Systems VPN Adapter"


One more Note - to get start menu on Windows 8  then use Power 8  

Wednesday, February 03, 2010

Apps Patching error; FGA enabled ORA-28110

In this post I am not specifying any details about FGA (Fine Grained Auditing) - but some quick steps to resolve the issue

During one of my recent apps patching I ran into the following issue.

SELECT ROWNUM FROM PO.PO_ACCRUAL_RECONCILE_TEMP_ALL WHERE ROWNUM=1
Due to error:
ORA-28110: policy function or package APPS.CST_POLICY_SECURITY has error


As usual I searched Metalink and googled; the results only said to disable FGA and continue patching, with no detailed steps.

Detailed Steps

1) SQL to find details
select OBJECT_OWNER, OBJECT_NAME, POLICY_GROUP, POLICY_NAME
from dba_policies where object_name='PO_ACCRUAL_RECONCILE_TEMP_ALL';

2) Disable FGA for that object
SQL> exec dbms_rls.disable_grouped_policy('OBJECT_OWNER', 'OBJECT_NAME', 'POLICY_GROUP', 'POLICY_NAME');

SQL> exec dbms_rls.disable_grouped_policy('PO', 'PO_ACCRUAL_RECONCILE_TEMP_ALL', 'SYS_DEFAULT', 'CST_POLICY_SECURITY');
or login as PO user and execute statement
SQL> exec dbms_rls.disable_grouped_policy(NULL, 'PO_ACCRUAL_RECONCILE_TEMP_ALL', 'SYS_DEFAULT', 'CST_POLICY_SECURITY');

then restart the worker and after patching is done

3) Enable FGA for the above object
SQL> exec dbms_rls.enable_grouped_policy('OBJECT_OWNER', 'OBJECT_NAME', 'POLICY_GROUP', 'POLICY_NAME');

SQL> exec dbms_rls.enable_grouped_policy('PO', 'PO_ACCRUAL_RECONCILE_TEMP_ALL', 'SYS_DEFAULT', 'CST_POLICY_SECURITY');
or login as PO user and execute
SQL> exec dbms_rls.enable_grouped_policy(NULL, 'PO_ACCRUAL_RECONCILE_TEMP_ALL', 'SYS_DEFAULT', 'CST_POLICY_SECURITY');



Hope this helps someone for quick steps

Good Luck

Thursday, January 28, 2010

From 10g Clone DB Home - Never Copy and relink Oracle Binaries.

Prior to 10g - we always used to just copy oracle binaries from source to target (PROD to DEV) and relink. But with 10g, there are lot of files and places where the information is hard-coded.

So use the following way to clone the Oracle Home, and never copy and relink; it's not supported/recommended. The same applies to 11g.

You can get more information in the Oracle Installation Document, under Installer.
This method is also useful if the Oracle home that you are cloning has patches applied to it. When you clone this Oracle home, the new Oracle home will have the patch updates as well.


1) Copy Oracle Home from Source to Target
(cd /u01/app/oracle/10.2//db_1 ;tar -cf - .) | ( cd /u01/app/oracle/10.2//db_1; tar -xvpf - ) >> /tmp/prod_dev_dbcopy1.log 2>&1 &


2) Get soft link list on Source

cd /u01/app/oracle/10.2//db_1
find . -type l -exec ls -la {} \; | grep eb_rda0_p| awk '{print " ln -s " $11 " " $9 }' > /tmp/createlink.sh
find . -type l -exec ls -la {} \; | grep eb_rda0_p| awk '{print " rm " $9 }'> /tmp/removelink.sh

3) Remove Softlink on Target
sh /tmp/removelink.sh

4) Recreate Softlinks on Target
edit the temp file with correct path for new oracle home
sh /tmp/createlink.sh

5) Backup oraInventory on Target Server
to get Inventory location do "cat /var/opt/oracle/oraInst.loc"

6) Detach/Remove Existing Oracle Home in OraInventory.
cd $ORACLE_HOME/oui/bin
runInstaller -silent -detachHome ORACLE_HOME="/u01/app/oracle/10.2//db_1" ORACLE_HOME_NAME="OraDb10g"

7) Edit $ORACLE_HOME/clone/config/cs.properties
add "-ignoreSysPrereqs" at the end

8) Set the following Environment variables.
export PATH=$ORACLE_HOME/perl/bin:$PATH:.
export PERL5LIB=$ORACLE_HOME/perl/lib/5.8.3:$ORACLE_HOME/appsutil/perl

9) run Perl clone script
cd $ORACLE_HOME/clone/bin
perl clone.pl ORACLE_HOME="/u01/app/oracle/10.2//db_1" ORACLE_HOME_NAME="OraDb10g"

if for any case you have issues with perl - then you can run the following also
$ORACLE_HOME/oui/bin/runInstaller -silent -clone ORACLE_HOME="/u01/app/oracle/10.2//db_1" ORACLE_HOME_NAME="OraDb10g"


Log File

$ perl clone.pl ORACLE_HOME="/u01/app/oracle/10.2//db_1" ORACLE_HOME_NAME="OraDb10g"
./runInstaller -silent -clone -waitForCompletion "ORACLE_HOME=/u01/app/oracle/10.2//db_1" "ORACLE_HOME_NAME=OraDb10g" -noConfig -nowait -ignoreSysPrereqs

Starting Oracle Universal Installer...

No pre-requisite checks found in oraparam.ini, no system pre-requisite checks will be executed.

>>> Ignoring required pre-requisite failures. Continuing...

Preparing to launch Oracle Universal Installer from /tmp/OraInstall2009-01-23_11-47-03PM. Please wait ...Oracle Universal Installer, Version 10.2.0.3.0 Production
Copyright (C) 1999, 2006, Oracle. All rights reserved.

You can find a log of this install session at:
/u01/app/oracle/10.2/oraInventory/logs/cloneActions2009-01-23_11-47-03PM.log
..............................
...................................................................... 100% Done.

Installation in progress (Fri Jan 23 23:48:22 EST 2009)
..............................
.................................................. 80% Done.
Install successful

Linking in progress (Fri Jan 23 23:48:58 EST 2009)
Link successful

Setup in progress (Sat Jan 24 00:12:00 EST 2009)
Setup successful

End of install phases.(Sat Jan 24 00:12:26 EST 2009)
WARNING:
The following configuration scripts need to be executed as the "root" user.
#!/bin/sh
#Root script to run
/u01/app/oracle/10.2//db_1/root.sh
To execute the configuration scripts:
1. Open a terminal window
2. Log in as "root"
3. Run the scripts

The cloning of OraDb10g_q592 was successful.
Please check '/u01/app/oracle/10.2/oraInventory/logs/cloneActions2009-01-23_11-47-03PM.log' for more details.

Any Comments, let me know

Thanks

Tuesday, June 24, 2008

OLAP Added to 10gR2 but XOQ component INVALID

Did not post new blogs for the last couple of months; busy working on a database upgrade, it's 10.2.0.3, size 5TB and 3 node RAC.

Recently I visited my favorite BLOG like every day/week, and at the same time we got a request to apply OLAP Patch 5746153 - which I applied successfully and did the post-patch steps.
Component XOQ was INVALID; no matter what I did, it was still invalid. Did the usual steps - googled, searched metalink and then created a tar. Finally I was able to get hold of a good analyst who referred me to Note:466363.1; after following the steps I got the below error.

SQL> select status from dba_registry where comp_id = 'XOQ';
STATUS
------------------------
INVALID

SQL> set serveroutput on size 10000
SQL> exec xoq_validate
compat -> 10.2.0
BEFORE BOOTSTRAPORA-37111: Unable to load the OLAP API sharable library: (Cannot map text forlibrary: mmap(0x0,0x13e6914, 0x5, 0x41, 58, 0x0) returns Permission denied.)
AFTER BOOTSTRAP: REGISTRY.INVALID
comp_name: Oracle OLAP API
version: 10.2.0.3.0
status: INVALID
PL/SQL procedure successfully completed.

$ls -l /home/oracle/10.2/lib//libolapapi10.sl
-rw-r--r-- 1 oracle dba 36056968 Apr 23 2007 /home/oracle/10.2/lib//libolapapi10.sl

Did the usual searching and finally did a CHMOD and ran xoq_validate; to my surprise it got validated.

chmod 744 /home/oracle/10.2/lib//libolapapi10.sl

SQL> select status from dba_registry where comp_id = 'XOQ';
STATUS
------------------------
VALID

Then later I found it's a known bug 6979371 and Oracle ended up publishing note 603179.1 for the same

Reference Metalink Notes
Note#: <466363.1>Titled: Oracle Olap API Invalid After Adding OLAP
Note#: <603179.1>Titled: Oracle Olap Api Invalid After Upgrade To 10.2.0.3



Good Luck

Monday, March 24, 2008

DST Change - OEM start agent failed, agentTZRegion settings

Because of DST change, I saw the agents which were shutdown are not starting, tried manually but no luck.

$ emctl start agent
Oracle Enterprise Manager 10g Release 10.2.0.2.0.
Copyright (c) 1996, 2006 Oracle Corporation. All rights reserved.
Starting agent ...... failed.
The agentTZRegion value in /home/oracle/product/10.2.0/em10g/agent10g/sysman/config/emd.properties is not in agreement with what agent thinks it should be.Please verify your environment to make sure that TZ setting has not changed since the last start of the agent.
If you modified the timezone setting in the environment, please stop the agent and exectute 'emctl resetTZ agent' and also execute the script mgmt_target.set_agent_tzrgn(
, ) to get the value propagated to repository.
Consult the log files in: /home/oracle/product/10.2.0/em10g/agent10g/sysman/log


Resolution
In emd.properties you need to correctly set the agentTZRegion value
agentTZRegion=-04:00

And login to OEM repository and run the following SQL to get the present values, so you can reset the value in repdb - login as SYS

select TARGET_NAME, timezone_region FROM mgmt_targets WHERE target_type = 'oracle_emd' AND target_name like '%hostname%';

TARGET_NAME TIMEZONE_REGION
-------------------------- --------------------------
hostname.domainname:2872 -05:00


Now reset the value to correct TZ settings

SQL> exec mgmt_target.set_agent_tzrgn('hostname.domainname:2872','-04:00');
SQL> commit;

Restart the agent; it's successful

$ emctl start agent
Oracle Enterprise Manager 10g Release 10.2.0.2.0.
Copyright (c) 1996, 2006 Oracle Corporation. All rights reserved.
Starting agent .............................. started.



Good Luck, Cheers

Friday, July 13, 2007

Burn multiple ISO into DVD

Non Oracle Post

If you have downloaded software and if it comes in multiple cd ISO images and want to burn into one single image for creating dvd then do the following.

In my case some of the Linux s/w which I downloaded has multiple CDs, so I used the below method to create the DVD image. I used the single ISO image to install Linux on VMware.

cat image1.iso image2.iso image3.iso >imagedvd.iso
or
cat image1.iso > imagedvd.iso
cat image2.iso >> imagedvd.iso
cat image3.iso >> imagedvd.iso


All the contents of the 3 ISO images are clubbed into one image.


Hope this helps someone

Thursday, May 17, 2007

How to setup more than one AD Domains for OID External Authentication (10.1.2 vs 10.1.4)

You might be wondering why I am comparing 2 versions. When we started our integration, 10.1.4 was released and I read the technet documentation but could not find any information on metalink (all the info is for 10.1.2 and 9.0.4), and at my earlier project I worked on integrating SiteMinder against 10.1.2; that's how I got some insight into the differences, which I am sharing with you.

The above combinations are integrated with 11.5.10.2 instances, To login to 11i Users are externally authenticated by AD or Siteminder and 10gAS is used as a intermediary to accomplish it.

We have multiple domains, so I worked on setting up multiple plug-ins for external authentication. But at the end we ended up using AD Global Catalog.

10.1.2 - Source:

1) Go to $ORACLE_HOME/ldap/admin
2) Make a copy of oidspada.pls file, and save it as oidspada2.pls
3) Modify oidspada2.pls
* Replace OIDADPSWD with OIDADPSWD2 (Global replace)
4) Make a copy of oidspadi.sh file and save it as oidspadi2.sh (Global Replace)
* replace "oidspada.pls" with "oidspada2.pls"
* replace "adwhencompare" with "adwhencompare2"
* replace "adwhenbind" with "adwhenbind2"
* replace "OIDADPSWD" with "OIDADPSWD2"
5) Run oidspadi2.sh
It will register new profiles for new domain.

10.1.4 - Source:

1) Configure external authentication for one domain
2) Dump the configuration information into LDIF file
ldapsearch -p 3060 -D cn=orcladmin -w welcome -s sub -L -b "cn=plugin,cn=subconfigsubentry" cn="oidexplg_*_ad" >> output.ldif
3) Modify the output.ldif
Replace cn=oidexplg_compare_ad with cn=oidexplg_compare_ad2
Replace cn=oidexplg_bind_ad with cn=oidexplg_bind_ad2
Change the values for orclpluginflexfield;host and orclpluginflexfield;port for the external directory host name and port number
Modify orclpluginsubscriberdnlist for the plug-in invocation naming context.
4) Upload the new plug-in information
$ORACLE_HOME/ldap/bin/ldapadd -h host -p port -D cn=orcladmin -w orcladminPwd -v -f input.ldif

Test using ldapbind and ldapcompare against both the domains
a) ldapbind -h oidHost -p port -D "cn=ADUser,cn=Users,dc=uk,dc=acme,dc=com" -w adpassword
b) ldapcompare -h oidHost -p port -D "cn=orcladmin" -w iasadminpswd -b "cn=ADUser,cn=Users,dc=uk,dc=acme,dc=com" -a userPassword -v adpassword

a) ldapbind -h oidHost -p port -D "cn=ADUser,cn=Users,dc=us,dc=acme,dc=com" -w adpassword
b) ldapcompare -h oidHost -p port -D "cn=orcladmin" -w iasadminpswd -b "cn=ADUser,cn=Users,dc=us,dc=acme,dc=com" -a userPassword -v adpassword



Good Luck