Friday, September 21, 2018

Integrate Weblogic With Active Directory Using LDAPS

In this post I will show how to integrate WebLogic with Active Directory over the LDAPS port 636 instead of the plain LDAP port 389. This should work on different versions of WebLogic; in my case I am using WebLogic 12c.

I have tried to keep this article as simple as possible. I ran into several issues along the way and could not find any article or Oracle Support document covering them, so I am writing this post to share what I found in case it is useful to others.

WebLogic Server comes with an embedded LDAP server which acts as the default provider for authentication, authorization and role mapping. Since authentication is based on JAAS (Java Authentication and Authorization Service), external providers can be used as well; one of these is the Active Directory authentication provider.

Important note: before starting any of these steps, ask your system administrator to create an Active Directory user whose only purpose is to read Active Directory information. The system administrator should give you the distinguished name (DN) of this user and assign it to the Administrators group; this is required because Active Directory accepts the connection only from an admin user.

Steps:

  • To enable the port you have to do a few things before starting the configuration on the WebLogic side. Since we are using the SSL port and not the unsecured one, you have to import the certificate first. The certificate can be provided by the system administrator; in my case, to save time, I used JDeveloper to import it, because JDeveloper can connect to the LDAP server either way (636 or 389), and once you are connected you can import the certificate.
  • After importing the certificate, go to the WebLogic server and run the command below. I chose to save my certificate under $WLS_HOME/wlserver/server/lib:
keytool -import -trustcacerts -alias NEWAD -file Certificate_name -keystore NEWAD.jks -storepass Oracle123

    • alias: the alternative name for the certificate; you can choose your own, but make it clear.
    • file: the certificate file, exported from JDeveloper or provided by the system administrator.
    • keystore: the output file, which should be in JKS format.
    • storepass: the password for the keystore holding the imported certificate.
  • Once you are done with the above steps, shut down the AdminServer and the managed servers using the WebLogic console, then edit setDomainEnv.sh or setDomainEnv.cmd depending on your operating system and add the line below (pointing at the location of the JKS file):
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/u01/Oracle/Middleware/fmw_soa/wlserver/server/lib/NEWAD.jks"
  • Now start the AdminServer. The following steps should be done before testing anything.
  • As you can see in the picture below, choose the custom keystore and fill in the information: the location of the JKS (without the file name) and the password you chose for the certificate while importing it.

  • After that, modify the SSL section; this time you have to remember the alias and the password, as shown below:

  • Under Security Realms in the left panel choose Providers > New Provider.

  • WebLogic offers several external providers, but we want Active Directory, so make sure to choose the right one.

  • Some changes should be made after the provider is created: its order and its control flag. The Active Directory provider should come first in the order, and the flag should be SUFFICIENT.

  • Fill in the information as shown below: the AD host, the Active Directory user (which should be created first), that user's password, the User Base DN and finally the Group Base DN. Do not change anything else, and tick SSL Enabled.

  • To test whether the provider is working, look under Users and Groups; you should now be able to see the AD users and groups in WebLogic.
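The certificate import and setDomainEnv.sh change above are easy to get half-right (a duplicated JAVA_OPTIONS line on a second edit, a missing closing quote, or a trust store that does not actually contain the AD CA). The script below is an added example and not part of the original post; the host, certificate file, keystore path and password are placeholders, and check_ldaps_trust assumes openssl is installed and the AD host is reachable.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: AD host, certificate
# file, keystore path and password are whatever your system administrator gave you.

# Idempotently add the JSSE trust-store option to setDomainEnv.sh: running this
# twice must not append a second line, and the line must be closed with a quote.
add_truststore_option() {
    env_file="$1"; jks="$2"
    if grep -q 'javax.net.ssl.trustStore=' "$env_file"; then
        return 0    # already configured, leave the file alone
    fi
    printf 'JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=%s"\n' "$jks" >> "$env_file"
}

# How many trustStore settings the domain env file carries (exactly 1 is correct).
count_truststore_lines() {
    grep -c 'javax.net.ssl.trustStore=' "$1"
}

# Import the AD CA certificate into its own JKS and confirm the alias is really there.
# Requires keytool from the WebLogic JDK on PATH; fails fast if the file is not a cert.
import_ad_cert() {
    alias="$1"; cert="$2"; jks="$3"; pass="$4"
    keytool -printcert -file "$cert" >/dev/null
    keytool -import -noprompt -trustcacerts -alias "$alias" -file "$cert" \
        -keystore "$jks" -storepass "$pass"
    keytool -list -keystore "$jks" -storepass "$pass" -alias "$alias" >/dev/null
}

# Check the LDAPS handshake against the same CA before WebLogic does, so a
# "PKIX path building failed" problem shows up here rather than in the server log.
check_ldaps_trust() {
    host="$1"; ca_pem="$2"
    printf 'Q\n' | openssl s_client -connect "$host:636" -CAfile "$ca_pem" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Typical use (placeholders):
# import_ad_cert NEWAD /path/to/ad_ca.cer "$WLS_HOME/wlserver/server/lib/NEWAD.jks" Oracle123
# add_truststore_option "$DOMAIN_HOME/bin/setDomainEnv.sh" "$WLS_HOME/wlserver/server/lib/NEWAD.jks"
# check_ldaps_trust ad.example.internal /path/to/ad_ca.cer && echo "LDAPS trust OK"
```

Run check_ldaps_trust with the certificate file itself (PEM), not the JKS, since openssl cannot read a Java keystore.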



Here are some of the errors I faced during the configuration, all related to the certificate in general. I am sharing them so people can recognise what kind of errors to expect and how to solve them:


  • Error [Security:090834]No LDAP connection could be established. ldaps://HOST:636 Cannot connect to the LDAP server 

  • weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection

  • Caused by: java.lang.reflect.InvocationTargetException

  • Caused by: netscape.ldap.LDAPException: General SSLEngine problem (91); Cannot connect to the LDAP server
  • Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
  • Caused by: sun.security.validator.ValidatorException: PKIX path building failed
  • Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Thank you
Osama 
Saturday, June 16, 2018

Where is the DBA in the DevOps tools ?


The database administrator job has changed and is not like before any more. In the past the DBA's responsibility was limited to the database: troubleshooting, backup, performance tuning, high availability, etc. After a few years a new layer was added to that responsibility, the application server layer, for example WebLogic; Oracle embedded WebLogic in most of its products, such as Enterprise Manager Cloud Control and E-Business Suite. As I remember, about three years later another layer was added to the DBA's knowledge, virtualization, which made the DBA's life easier than before by providing another layer of backup and server management.


Now, however, everything has changed and the market works under a new term, the cloud, with different vendors such as AWS, Azure and Oracle. As a DBA your knowledge should not stop at the database: within the cloud there are new tools that can help the DBA with their daily job, and they are called DevOps.

DBAs usually review each change request to ensure that it is well thought out. They are in charge of monitoring their databases and keeping them available and performing well, and they manage access to, and the overall security of, the platform.

Database automation frees the DBA from the bottleneck of the past that delayed application releases, since there are different environments: production, pre-production, development and testing. With DevOps automation the DBA, relieved of the pressure of constantly juggling and merging various teams' database changes, is free to help the organisation take bigger steps forward in ongoing innovation.

But what is DevOps? And how can I use it to make my job easier?

DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.


Benefits of DevOps
  • Speed
  • Rapid Delivery
  • Reliability
  • Scale
  • Security

DevOps Practices
  • Continuous Integration
  • Continuous Delivery
  • Microservices
  • Infrastructure as Code
  • Monitoring and Logging
  • Communication and Collaboration

DevOps practices for the DBA and the data team focus on the tools, practices and techniques that are useful for the data team in development activities, test setup and execution, collaboration, and deployment tools and techniques. The aim here is to further that practice and help DBAs and data teams use it to become productive, become part of the delivery team and embrace the DevOps movement.

DevOps Tools
  • Docker
  • Jenkins
  • Ansible
  • Puppet
  • Nagios
  • Monit
  • Behat
  • Chef

There are more tools, of course, and each of these tools has its own purpose. For example, Docker is one of the most powerful container solutions. A container image is a lightweight, stand-alone, executable package of a piece of software that includes everything needed to run it: code, runtime, system tools, system libraries and settings. Available for both Linux and Windows based apps, containerized software will always run the same, regardless of the environment. Containers isolate software from its surroundings, for example from differences between development and staging environments, and help reduce conflicts between teams running different software on the same infrastructure.


Cheers
Osama Mustafa 

Saturday, October 21, 2017

Error: Server refused our key or No supported authentication methods available

If you use PuTTY to connect to your instance and get either of the following errors, Error: Server refused our key or Error: No supported authentication methods available, verify that you are connecting with the appropriate user name for your AMI. Enter the user name in the User name box in the PuTTY Configuration window.

The appropriate user names are as follows:


  • For an Amazon Linux AMI, the user name is ec2-user.
  • For a RHEL AMI, the user name is ec2-user or root.
  • For an Ubuntu AMI, the user name is ubuntu or root.
  • For a CentOS AMI, the user name is centos.
  • For a Fedora AMI, the user name is ec2-user.
  • For SUSE, the user name is ec2-user or root.
  • Otherwise, if ec2-user and root don't work, check with the AMI provider.


Thanks
Osama

Thursday, October 12, 2017

Out of Memory, Not Enough Space on Solaris 11

SQL> startup mount ;
ORA-27102: out of memory
SVR4 Error: 12: Not enough space
Additional information: 1671
Additional information: 16106127360
Additional information: 64424509440

The above error appeared when trying to start Oracle 12c on Solaris 11.3. This is a published bug:

Bug:20635316 - 12C DATABASE INSTANCE STARTUP FAILS WITH ORA-27102: OUT OF MEMORY

Solaris uses something called OSM (Optimized Shared Memory); you can read more about it here.

As a workaround, to avoid this error set the parameter:

_use_osm=FALSE


Thanks
Osama

Monday, October 2, 2017

Configure AWS Command Line Interface

In this lesson I will show you how to configure the AWS command line and start working with your AWS account through the command line, with very simple and basic steps:


  • First of all, I will assume that you don't have any user or group in your AWS console.
  • From the AWS console:


  • From IAM (Identity and Access Management) choose Groups, create a group with the AdministratorAccess permission and then hit Create.

  • Create a user and add it to the group (in my case the group shown above), then save the secret key and access key ID as CSV.
  • Now, from the link here, download the AWS Command Line Interface for your operating system and open cmd, a terminal, etc.
  • Now from the command prompt enter aws configure and fill in the information as shown below:

  • Open the command line and test whether it is now connected to AWS.

You can learn more about the command line from the AWS documentation. If you receive the following error:

Could not connect to the endpoint URL: "https://s3.london.amazonaws.com/"

then make sure you are in the right region.
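To turn the "test if it's connected" step and the endpoint-URL error above into something repeatable, here is an added example (not part of the original post) that pulls the region label out of that error message, checks whether it looks like a real AWS region code, and verifies the configured credentials with a harmless STS call. It assumes the aws CLI is on PATH only for the two functions that call it; the endpoint form service.region.amazonaws.com is assumed when parsing the error.

```shell
#!/bin/sh
# Added example, not from the original post. Only check_configured_region and
# check_cli_access need the aws CLI; the other functions are plain shell.

# Pull the region label out of an endpoint error, assuming the
# service.region.amazonaws.com form (s3.london.amazonaws.com -> london).
region_from_endpoint_error() {
    printf '%s\n' "$1" | sed -n 's#.*https://[^.]*\.\([^.]*\)\.amazonaws\.com.*#\1#p'
}

# AWS region codes look like eu-west-2 or us-gov-west-1: two-letter prefix,
# one or more words, then a number. A city name such as "london" is not one.
valid_region_code() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$'
}

# Returns 0 when the CLI's configured region is a plausible code, 1 when it is
# not, and 2 when no region is configured at all (aws configure was skipped).
check_configured_region() {
    region=$(aws configure get region 2>/dev/null) || return 2
    [ -n "$region" ] || return 2
    valid_region_code "$region"
}

# Prove the access key pair works: sts get-caller-identity needs no IAM
# permissions beyond valid credentials and prints the account ID and ARN.
check_cli_access() {
    aws sts get-caller-identity --output text
}

# Typical use after "aws configure":
# check_configured_region || echo "fix the region with: aws configure set region eu-west-2"
# check_cli_access
```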

Thanks
Osama




Saturday, September 30, 2017

failed to associate the token : AWS

Once you create your AWS account you should activate MFA on your root account.



To do that, use your phone (iPhone or Android): download the Google Authenticator app from the App Store or Google Play, and once it is installed scan the QR code and enter the code (the code changes automatically). If the first try does not work and you receive the error "failed to associate the token", uninstall the app and try again.

Thank you
Osama

Friday, September 22, 2017

Helping implementer and tester dealing with famous Siebel - based system messages and errors



On behalf of my colleague Mohammad Altraimat I am publishing this article.

Let me give you a brief introduction to him: he is currently working as a Siebel freelancer, ensuring the functionality of systems, supporting and training clients to use the systems, and collecting requirements from clients and making sure they are reflected in the system. During his career he developed this document to help people understand more about Siebel.

You can share it, but please mention the source of the article, or ask me to share the article with you.

You can find the article here.

Thank you
Cheers
Osama