OAM 11g integration with Kerberos on cluster with load-balanced virtualhost
Hello!
I need to make a Kerberos integration with OAM.
I found the following note about OAM 11g: WNA Configuration for HA Clusters [ID 1365888.1] (https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=223640518878014&type=DOCUMENT&id=1365888.1&displayIndex=1&_afrWindowMode=0&_adf.ctrl-state=14ehvbh4z2_61).
"In an OAM Clustered environment, the OAM Principal for WNA must be the same on all tiers i.e. the load-balanced virtualhost for the OAM cluster.
Therefore each OAM managed server will reference the same keytab file, generated for Principal HTTP/<virtualhost.domain>, and the keytab file will be in the same location on all OAM managed servers.
For example: ${DOMAIN_HOME}/domains/${DOMAIN_NAME}/config/fmwconfig/oam/<keytab filename>.
After copying the keytab file to the same directory on all OAM managed server machines, complete the configuration of the Kerberos authentication module in OAM Administration Console (/oamconsole).
The AdminServer will ensure that the oam-config.xml file on all OAM managed server tiers in the cluster is updated with this configuration."
The question is: when I generate oam.keytab with the following command, what is the name of the server that I must put in the command? Virtualhost (load-balanced), Node1 or Node2?
ktpass -princ HTTP/<servername>@DOMAIN -pass XXXXXXX -mapuser DOMAIN\user -out oam.keytab
Thanks in advance and best regards!
PS: Sorry if my English is not clear.
David,
Your Principal name should be the SSO LB URL (i.e. sso.mycomany.com):
ktpass -princ HTTP/sso.mycomany.com@DOMAIN -pass XXXXXXX -mapuser DOMAIN\user -out oam.keytab
Also make sure sso.mycomany.com has reverse DNS configured correctly.
You can check using the dig command:
ping sso.mycomany.com
Whatever the IP address is:
dig -x <IP-ADDRESS>
Check the reverse DNS section; there should be 1 record.
;; ANSWER SECTION:
1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.
Let me know if you have more questions.
Thanks
Saurabh
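The two checks from the answer above (the keytab principal is named after the load-balanced host, and the reverse lookup returns exactly one PTR record for it) can be scripted. This is an added example, not part of the original posts; the function names and the sample `dig -x` outputs are constructed for illustration.

```python
import re

# Constructed sample `dig -x` outputs (not captured from a real resolver).
GOOD_DIG = """\
;; QUESTION SECTION:
;1.1.1.1.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.

;; Query time: 2 msec
"""

# Two PTR records for the load balancer address: one for a node, one for the VIP.
BAD_DIG = """\
;; ANSWER SECTION:
1.1.1.1.in-addr.arpa. 3600 IN PTR node1.mycomany.com.
1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.
"""

# SERVICE/host@REALM, as passed to `ktpass -princ`.
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def ptr_targets(dig_output):
    """Return the PTR targets found in the ANSWER SECTION of `dig -x` output."""
    targets = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            # Section headers and trailer lines start with ';;'.
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        fields = line.split()
        # Record layout: name TTL class type rdata
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "PTR":
            targets.append(fields[4].rstrip(".").lower())
    return targets


def check_keytab_principal(spn, dig_output):
    """Return a list of problems; an empty list means both checks passed.

    spn        -- the value given to `ktpass -princ`
    dig_output -- output of `dig -x <IP of the load-balanced virtual host>`
    """
    match = SPN_RE.match(spn)
    if not match:
        return ["principal is not of the form SERVICE/host@REALM: %r" % spn]

    problems = []
    host = match.group("host").rstrip(".").lower()
    if match.group("service") != "HTTP":
        problems.append("service class is %r, expected HTTP" % match.group("service"))
    if "." not in host:
        problems.append("host %r is not fully qualified" % host)

    targets = ptr_targets(dig_output)
    if len(targets) != 1:
        problems.append("expected exactly 1 PTR record, found %d: %s"
                        % (len(targets), ", ".join(targets) or "none"))
    if host not in targets:
        problems.append("no PTR record points at %r" % host)
    return problems


if __name__ == "__main__":
    cases = [
        ("HTTP/sso.mycomany.com@DOMAIN", GOOD_DIG),    # LB name, one PTR
        ("HTTP/sso.mycomany.com@DOMAIN", BAD_DIG),     # LB name, two PTRs
        ("HTTP/node1.mycomany.com@DOMAIN", GOOD_DIG),  # node name in the keytab
    ]
    for spn, dig_output in cases:
        found = check_keytab_principal(spn, dig_output)
        print(spn, "->", "OK" if not found else "; ".join(found))
```

To run it against a real environment, pass the saved output of `dig -x <IP-ADDRESS>` for the load balancer address as the second argument.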
Similar Messages
-
CF8/JRun4 Cluster for Load Balancing
Does anyone have an example of how to set up a CF8/JRun4
cluster for load balancing?
I have three servers:
x004 - Linux - Apache2 (10.0.0.54,10.1.0.54)
x020 - Linux - JRun4/CF8 (10.0.0.70,10.1.0.70)
x021 - Linux - JRun4/CF8 (10.0.0.71,10.1.0.71)
Every server in our network has two network cards. One
network card is attached to 10.0.x.x which has a gateway to the
internet and runs at 100Mbps and is firewalled, and the other is
attached to 10.1.x.x which runs at 1Gbps and is internal with no
gateway. I'm trying to set it up so web traffic arrives on
10.0.0.54 into Apache and mod_jrun20 bootstraps a cluster named
STST using 10.1.0.54 which consists of STST_x020 coldfusion server
running on x020 and STST_x021 running on x021. I want the
communications between JRun4 on x020 and x021 to occur on the
10.1.x.x network and eventhough JRun and ColdFusion will only use
the 10.1.x.x network I still need the 10.0.x.x network card
attached for other purposes which require a gateway. I have
installed JRun4/CF8 about 10 times already and it seems I have no
control over what network JRun4 clusters on... sometimes it will
communicate on one, sometimes the other and without being able to
set which network is being used there always seems to be "network
error" on at least one of the two CF8 servers. I was able to get
everything working fine by disabling the network cards on the
10.0.x.x network and re-installing everything... but as soon as I
added the network cards back the whole thing was broken again.
How is this supposed to work? Most of the examples are either
no clustering or clustering on the same machine with Apache running
on the same box... I don't see any clustering across machines
examples.
How do I install a connector on a web server which doesn't
have JRun on it and get wsconfig to connect to a multi-machine
cluster when wsconfig only accepts a single IP address as a host
and the cluster is not listed?
How do I get JRun to bind to a specific network card?
Does this work if I choose a J2EE server other than JRun?
Any help anyone can provide is greatly appreciated. I'm
getting close to giving up which means staying on the non-clustered
environment and figuring out how we can deal with scalability by
switching to something else.
The article at
http://www.adobe.com/go/1e8e9170
is specific to configuring two or more cluster nodes that reside on
separate networks, e.g. 10.0.1.0/24 and 10.0.2.0/24. (The article
doesn't state it, but you can only use unicast peers if your
cluster nodes host a single instance of JRun or multiple instances
of JRun in the same cluster domain. When performing unicast
discovery, JRun looks for all Jini groups and not just the cluster
group.)
Anyhow, that's not your problem. The simplest solution is you
haven't enabled the jrun.servlet.jrpp.JRunProxyService service. I'm
most familiar with the Windows version of JRun, but I'm assuming
the directory structure is similar across platforms. In
<jrun_root>/servers/<name>/SERVER-INF/jrun.xml, set the
deactivated attribute of the jrun.servlet.jrpp.JRunProxyService
service to false and restart JRun. You should now see JRun
listening on the appropriate port. (The default for the first
manually created instance is 51000.) You can limit the proxy
service to a single interface using the interface attribute.
If you have enabled the proxy service, verify your security
settings in <jrun_root>/lib/security.properties. It's usually
best to limit access to specific hosts. Comment out the
jrun.subnet.restriction parameter and set the jrun.trusted.hosts to
the IP address of your web server, e.g. 10.1.0.54.
Forcing all JRun processes/services to listen on a single
interface isn't difficult, but it does require modifying quite a
few configuration files by hand. If you need assistance with that,
I can elaborate.
Configuring the JRun module under Apache is pretty
straightforward. If you're not using virtual hosts, it's very
simple. If you are using virtual hosts, it's still simple, but your
JRun configuration can be virtual host-specific.
On your Apache server, you'll want to create a directory
structure for the JRun module. I'll assume
/opt/jrun/lib/wsconfig/1, but you can use anything you want. Once
the directory structure is created, extract the appropriate JRun
module from wsconfig.jar to the new directory. You're most likely
interested in the Apache 2.0 module,
wsconfig.jar/connectors/apache/intel-linux/prebuilt/mod_jrun20.so.
Let's assume you've extracted the module to
/opt/jrun/lib/wsconfig/1/mod_jrun20.so. Your Apache service account
should have read, write, and execute permissions on the
/opt/jrun/lib/wsconfig/1 directory.
The JRun module configuration is normally appended to your
current httpd.conf file by wsconfig. Here's a sample configuration:
LoadModule jrun_module "/opt/jrun/lib/wsconfig/1/mod_jrun20.so"
<IfModule mod_jrun20.c>
JRunConfig Verbose false
JRunConfig Apialloc false
JRunConfig Ssl false
JRunConfig Ignoresuffixmap false
JRunConfig Serverstore "/opt/jrun/lib/wsconfig/1/jrunserver.store"
JRunConfig Bootstrap 10.1.0.70:51000
#JRunConfig Errorurl <optionally redirect to this URL on errors>
#JRunConfig ProxyRetryInterval 600
#JRunConfig ConnectTimeout 30
#JRunConfig RecvTimeout 30
#JRunConfig SendTimeout 30
AddHandler jrun-handler .jsp .jws .cfm .cfml .cfc .cfr .cfswf
</IfModule>
You may also want to update your DirectoryIndex directive
with an appropriate index page, e.g. index.cfm.
After the first request to a page handled by the JRun module
is received, the module will query the bootstrap server,
10.1.0.70:51000, for a list of cluster peers. If you've configured
your cluster correctly, a line similar to the following will be written
to /opt/jrun/lib/wsconfig/1/jrunserver.store:
proxyservers=10.1.0.70:51000;10.1.0.71:51000
You can create/edit this file manually as well.
Unfortunately, the bootstrap option only accepts one server. If
your bootstrap server is down, the JRun module will use the values
in jrunserver.store directly, if the file exists.
Here's a complete list of JRun module options:
metrics *
debugger *
ssl *
verbose
traceflags
serverstore
bootstrap
errorurl
apialloc
ignoresuffixmap
proxyretryinterval
connecttimeout
recvtimeout
sendtimeout
sslcalist
Options flagged with an asterisk can only be configured at
the Apache server level. All other options can be configured at the
server level and/or the virtual host level. The usage of these
options is in the JRun documentation, and the JRun module source
code is included in wsconfig.jar. Keep in mind that versions of the
JRun module shipped prior to ColdFusion 8 were coded to assign the
connecttimeout and sendtimeout options to the socket connection
timeout. Whichever option appeared last in your configuration ended
up as the final value. This has been fixed in ColdFusion 8 and
presumably the next release of the JRun updater.
I think that's a good start. If you need more information or
can't find what you need in the JRun or ColdFusion documentation,
let me know.
If you're looking for resiliency, I highly recommend
expanding your configuration to include a second web server and a
hardware load-balancer (preferably one that supports redundancy via
multiple paths and devices, e.g. devices from Cisco, F5, or Foundry
Networks). Often, however, running Apache on the ColdFusion
server(s) provides adequate performance, and round-robin DNS
records coupled with the ability to update DNS quickly in the event
of a failure may be all you need for load-balancing and
failover. -
How to setup Adobe Media Server Professional x 2 run as cluster for load balance?
How to setup Adobe Media Server Professional x 2 run as cluster for load balance?
Hi,
Welcome to adobe forums,
Please refer to these help files in order to setup AMS as a cluster : https://helpx.adobe.com/adobe-media-server/config-admin/load-balancing.html
https://helpx.adobe.com/adobe-media-server/tech-overview/scaling-server.html
Let me know if you need any help.
Regards,
Puspendra -
Having issue with start weblogic cluster with tangosol cluster
Hi,
Oracle Coherence Version 3.3.1/389p1
Grid Edition: Development mode
We are using Weblogic 8.1.5 with Tangosol 3.3.1 on Linux servers.
And we added the initializing logic in the servlet's init() method to get all NamedCaches and put into the ServletContext.
When we start weblogic cluster, the first weblogic member will startup successfully with following messages :
<Nov 7, 2007 10:12:30 AM EST> <Info> <HTTP> <BEA-101047> <[2007-11-07 10ServletContext(id=259640596,name=clusterqa,context-path=)] initObjects: init>:12:31.565 Oracle Coherence 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): Loaded operational configuration from resource "zip:/home/server/clusterqa/wls81/DOCVIEW/docqa1/.wlnotdelete/extract/docqa1_DOC_clusterqa/jarfiles/WEB-INF/lib/coherence.jar!/tangosol-coherence.xml"
2007-11-07 10:12:31.598 Oracle Coherence 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from file "/home/www/WEB-INF/lib/tangosol-coherence-override.xml"
Oracle Coherence Version 3.3.1/389p1
Grid Edition: Development mode
Copyright (c) 2000-2007 Oracle. All rights reserved.
2007-11-07 10:12:31.938 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): Loaded cache configuration from file "/home/www/WEB-INF/lib/pub-search-cache-config.xml"
2007-11-07 10:12:31.983 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): sun.misc.AtomicLong is not supported on this JVM; using a synchronized counter. Though safe to ignore, you may upgrade to BEA's 1.5 JVM to fix this issue.
2007-11-07 10:12:33.267 Oracle Coherence GE 3.3.1/389p1 <Warning> (thread=Main Thread, member=n/a): UnicastUdpSocket failed to set receive buffer size to 1428 packets (2096304 bytes); actual size is 89 packets (131071 bytes). Consult your OS documentation regarding increasing the maximum socket buffer size. Proceeding with the actual value may cause sub-optimal performance.
2007-11-07 10:12:34.118 Oracle Coherence GE 3.3.1/389p1 <D5> (thread=Cluster, member=n/a): Service Cluster joined the cluster with senior service member n/a
2007-11-07 10:12:37.508 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Cluster, member=n/a): Created a new cluster with Member(Id=1, Timestamp=2007-11-07 10:12:33.323, Address=10.5.176.86:8088, MachineId=48982, Edition=Grid Edition, Mode=Development, CpuCount=4, SocketCount=2) UID=0x0A05B056000001161AAB782BBF561F98
2007-11-07 10:12:37.736 Oracle Coherence GE 3.3.1/389p1 <D5> (thread=Invocation:Management, member=1): Service Management joined the cluster with senior service member 1
2007-11-07 10:12:38.168 Oracle Coherence GE 3.3.1/389p1 <D5> (thread=DistributedCache, member=1): Service DistributedCache joined the cluster with senior service member 1
<Nov 7, 2007 10:12:38 AM EST> <Info> <HTTP> <BEA-101047> <[ServletContext(id=259640596,name=clusterqa,context-path=)] xslProcessor: init>
But when trying to start the second weblogic member server, the startup process gets stuck after tangosol cache initialization and the second weblogic member server never comes up. Please see the following messages:
<Nov 7, 2007 9:49:38 AM EST> <Info> <HTTP> <BEA-101047> <[ServletContext(id=153019550,name=clusterqa,context-path=)] initDSNames: init>
<Nov 7, 2007 9:49:42 AM EST> <Info> <HTTP> <BEA-101047> <[ServletContext(id=153019550,name=clusterqa,context-path=)] initObjects: init>
2007-11-07 09:49:43.156 Oracle Coherence 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): Loaded operational configuration from resource "zip:/home/server/clusterqa/wls81/DOCVIEW/docqa2/.wlnotdelete/extract/docqa2_DOC_clusterqa/jarfiles/WEB-INF/lib/coherence.jar!/tangosol-coherence.xml"
2007-11-07 09:49:43.188 Oracle Coherence 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from file "/home/www/WEB-INF/lib/tangosol-coherence-override.xml"
Oracle Coherence Version 3.3.1/389p1
Grid Edition: Development mode
Copyright (c) 2000-2007 Oracle. All rights reserved.
2007-11-07 09:49:43.528 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): Loaded cache configuration from file "/home/www/WEB-INF/lib/pub-search-cache-config.xml"
2007-11-07 09:49:43.571 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Main Thread, member=n/a): sun.misc.AtomicLong is not supported on this JVM; using a synchronized counter. Though safe to ignore, you may upgrade to BEA's 1.5 JVM to fix this issue.
2007-11-07 09:49:44.829 Oracle Coherence GE 3.3.1/389p1 <Warning> (thread=Main Thread, member=n/a): UnicastUdpSocket failed to set receive buffer size to 1428 packets (2096304 bytes); actual size is 89 packets (131071 bytes). Consult your OS documentation regarding increasing the maximum socket buffer size. Proceeding with the actual value may cause sub-optimal performance.
2007-11-07 09:49:45.419 Oracle Coherence GE 3.3.1/389p1 <D5> (thread=Cluster, member=n/a): Service Cluster joined the cluster with senior service member n/a
2007-11-07 09:49:45.555 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Cluster, member=n/a): Failed to satisfy the variance: allowed=16, actual=47
2007-11-07 09:49:45.555 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Cluster, member=n/a): Increasing allowable variance to 19
2007-11-07 09:49:46.040 Oracle Coherence GE 3.3.1/389p1 <Info> (thread=Cluster, member=n/a): This Member(Id=2, Timestamp=2007-11-07 09:49:45.69, Address=10.5.176.85:8088, MachineId=48981, Edition=Grid Edition, Mode=Development, CpuCount=4, SocketCount=2) joined cluster with senior Member(Id=1, Timestamp=2007-11-07 09:45:10.205, Address=10.5.176.86:8088, MachineId=48982, Edition=Grid Edition, Mode=Development, CpuCount=4, SocketCount=2)
Could you please explain why it happens, and what I should do to resolve this issue?
Many Thanks,
Bing
Hi, Gene
Thank you for the response. I will send you our full log files and thread dumps.
I just want to give you more details about our cases :
1. This only happened without starting cache servers (com.tangosol.net.DefaultCacheServer).
2. And our application which are running on weblogic cluster will just call "CacheFactory.getCache("XXX")", and running as the Tangosol DataClient.
3. All weblogic member servers will be up running successfully if our cache servers are up running.
Also I tried to test another case :
Suppose all weblogic instances and cache server instances are up and running. Now I try to restart (kill the weblogic instance process and restart) one of the weblogic members. It will come up successfully only if I add some sleep time after killing the weblogic processes and restarting it. It looks like the tangosol cluster needs a certain time to become aware that the member has left the cluster; then the restart process will be successful.
Questions :
1. Should we start our weblogic cluster only after cache server cluster is up running ?
2. How do we decide how much time we should wait before starting a new process to join the cache cluster?
Could you please help explain this for me and let us know if there is any way we can avoid the problem.
Many Thanks !!!
Bing -
Cisco 2811 Router with 3 ADSL card and load balancing
Dear All,
I have few queries:
1. Does Cisco 2811 Router support 3 ADSL card?
2. We are the ISP. I want to do load balancing with 3 dsl
line on Cisco 2811 Router.
Please send me the link for this configuration.
Thanks/Regards
Atul
Hi,
In the 2811 you have 4 HWIC and 1 NME; you can install a 1-port ADSL WAN Interface Card on the HWIC slots.
Also just enable 3 default (equal cost) routes towards the interfaces, which will take care of the load balancing.
If you need more info and inputs, do post your requirements along with the network topology in place at present.
regds -
OCS 10g Cluster Installation - Load Balancing
Hi all,
Has anybody successfully installed and configured an OCS 10g Cluster, with load balancing?
I'm trying to install an OCS 10g cluster with a two node server setup, using Oracle Web Cache as the load balancer, but have not been successful. Any hints?
Regards
Lanang
Just found out that Oracle Web Cache supports HTTP and HTTPS only, no LDAP traffic yet. That's why the cluster node installation failed. Trying to use iptables NAT for the LDAP traffic, and the HTTP will use Web Cache.
Regards
Din -
OBPM Enterprise Deployment on WLS - No Cluster, But Load Balanced
All,
Does anyone know of any gotchas when deploying BPM to WLS on 2 separate nodes, sharing the same directory, but not clustered. The system is load balanced based on F5. Basically we are talking a hot server/cold server deployment.
When we deploy projects, they default to the hot server even if the cold server is specified for deployment.
Anyone done this before?
TIA,
IGS
Hi,
Sorry, but I could not understand completely your architecture.
Are you talking about the Workspace (not clustered but load balanced). That's supported.
Or, are you trying to load balance the engine? (a single engine with 2 or more nodes)
If so.... I wouldn't recommend that you to do that.
Let me explain you why.
The engine uses the queue to balance the work among the different nodes. (that's why you have to configure a Distributed Queue and disable the server affinity in the connection factory).
Even more, the engine has some internal mechanism of synchronization among nodes so as to avoid some inter-node locking. If your engine nodes are not in a cluster, that mechanism will be disabled and the overall engine performance will be significantly degraded.
I'm not sure if I have answered your question. If not, please add more details of your configuration.
Hope this helps,
Ariel -
Question about Cluster/DSync/Load Balance
According to the admin doc of iplanet, primary server is
the "manager" for data sync, is there any impact on
load balance when the iAS run as primary or backup?
will the primary kxs get the request first and do dispatching?
Thanks.
Heng
First of all, let's discuss load balancing....
The type of load balancing you are using will determine which process manages the load balancing. If you are using Response time (per server or per component response time) or round robin (regular or weighted) the web connector does the load balancing. If you are using User Defined (iAS based) load balancing then the kxs process becomes involved with load balancing of requests since the "Load Balancing System" is part of the kxs process.
Now for Dsync and how it impacts load balancing.
When a server is in a sync primary or a sync backup role it is doing more work. For the sync primary the extra work is making sure the backup has the latest Dsync Data and processing requests from the other servers in the cluster about the Distributed data. All state/session information is updated/created/deleted on the sync primary; when this happens the sync primary immediately updates the sync backup(s) with this new information. As you can guess, managing the Dsync information and making the updates to the sync backups causes extra processing on the sync primary, so this will impact the overall performance of the machine (whether it be in server load or response time of processing). All lookup of state/session information is done on the sync primary only, so the more lookups/updates you have, the more impact on the server.
The sync backup(s) also have the extra work of managing their copy of the Dsync Data, which will impact server performance but to a lesser degree than the sync primary.
Ultimately the extra overhead involved does have an impact on loadbalancing due to the extra load on the sync primary and sync backups.
Hope that helps,
Chris Buzzetta -
Cluster not load-balancing, ideas?
I've been struggling to identify why my JMS producers are not load-balancing against a remote cluster.
I've ruled out the producer as being the problem (I see the same non-load-balancing behavior regardless of what I use to create messages - Hermes, ALSB, simple Java producer...) I also don't think the JMS Connection Factory config is the problem, judging by the help I've received from folks over on the jms forum.
I believe something is wrong with our cluster setup because in addition to the problem I just mentioned, we also are not seeing JNDI entries propagate to all managed servers - for example, if I create one jms queue on m1, that queue does not appear in the jndi tree on m2.
I've been trying to find any documentation on what settings I should look at to verify the cluster configuration. If I go through the WLS console and look at the Cluster settings, I see both managed servers there, is there some other place that the configuration could be messed up?
Added 6/11, 9:30 am:
We're focusing on multicast now as the most likely problem. Can anyone tell me whether clusters on the same multicast address but different ports will interfere with each other? It looks like the infrastructure team has set up 5 clusters like that (same multicast address in each cluster, but different ports).
We've got a ticket open with BEA but it's been two weeks now and nothing except requests for more information.
Any ideas/help are much appreciated!
Meghan
Edited by pietila at 06/11/2008 7:38 AM
Meghan Pietila wrote:
> I've been struggling to identify why my JMS producers are not load-balancing against a remote cluster.
>
> I've ruled out the producer as being the problem (I see the same non-load-balancing behavior regardless of what I use to create messages - Hermes, ALSB, simple Java producer...) I also don't think the JMS Connection Factory config is the problem, judging by the help I've received from folks over on the jms forum.
>
> I believe something is wrong with our cluster setup because in addition to the problem I just mentioned, we also are not seeing JNDI entries propagate to all managed servers - for example, if I create one jms queue on m1, that queue does not appear in the jndi tree on m2.
>
> I've been trying to find any documentation on what settings I should look at to verify the cluster configuration. If I go through the WLS console and look at the Cluster settings, I see both managed servers there, is there some other place that the configuration could be messed up?
>
> Added 6/11, 9:30 am:
> We're focusing on multicast now as the most likely problem. Can anyone tell me whether clusters on the same multicast address but different ports will interfere with each other? It looks like the infrastructure team has set up 5 clusters like that (same multicast address in each cluster, but different ports).
>
> We've got a ticket open with BEA but it's been two weeks now and nothing except requests for more information.
>
> Any ideas/help are much appreciated!
>
> Meghan
>
> --
> Edited by pietila at 06/11/2008 7:38 AM
You could be right. I think we have had problems where the same IP but
different ports were used for multicast. This is on 8.1 though.
I think as a rule, it's best to have a different ip and port for each
cluster.
Also - can you be sure that no one else is using the multicast addresses
on the network for anything else - we had someone bring up a test
cluster using our addresses which caused a few issues and took a while
to find! We also have security cameras which also use multicast, which
if they are using the same address/port can cause issues!
We're using 239.192.1.4:8001 for one cluster and 239.192.1.3:7001 for
the other - I think it's best to keep those as different as you can.
In 8.1, there is also the multicast monitor utility - there's a support
pattern on e-support on how to diagnose it. I've found this useful in
the past when I've suspected a cluster issue.
https://support.bea.com/application_content/product_portlets/support_patterns/wls/MulticastErrorsPattern.html
Check also that you're using a valid range for the address - we weren't
for a while and had odd problems from time to time.
There are also cluster debug flags available which you'll see listed in
the support document.
Are you seeing dropped multicast packets?
Hope that helps.
Pete -
OAM 11g integration with Demantra, VCP and APCC
I have a requirement here to implement SSO between the following applications using the OAM 11.1.1.5
1. Oracle e-Business Suite 12.1.3 (iSupplier, iReceivables and iStore)
2. VCP ( Value Chain Planning )
3. Demantra
4. APCC ( Advanced Planning Command Center )
I am following the below url for configuring the OAM with Oracle e-Business Suite to implement SSO.
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=1309013.1
And the VCP, Demantra and APCC applications have been deployed independently on their own application servers on three different hosts.
I am trying to figure it out the SSO implementation approach for these 3 applications. I would like to know whether Oracle has got any out of box SSO implementation techniques for these applications as EBS. I would appreciate if someone shares oracle document links related to this integration.
I am seeking experts suggestion on this to proceed further. -
Weblogic cluster software load balancer
Hi,
We are currently using Weblogic domain as a Proxy Plug-In for High Availability test as it’s explained in this blog http://andrejusb.blogspot.com/2009/04/weblogic-load-balancing-for-oracle-adf.html.
It's working fine for the POC project, but what software load balancer would you recommend for a production environment on Linux? (Assume that we don't have a hardware load balancer.)
- Oracle active-passive OHS web-tier clustering.
- Using Linux open source software (e.g. HAProxy and KeepAlived as explained here http://biemond.blogspot.com/2010/04/high-availability-load-balancer-for.html)
-Using any other software load Balancer
I would appreciate if anybody can provide some recommendations/links etc.
Thanks
Alex
Hi Alex,
Yes you should never use HttpClusterServlet, not even for fun ;-)
We use mod_wl (Web Server Plug-In) for Apache for several customers and that works fine.
Check this:
http://docs.oracle.com/cd/E23943_01/web.1111/e14395/toc.htm
Regards Peter -
Cluster without load balancer?
Can two FMS interactive servers work this way:
1. they both serve the same VOD flv file existing on both
machines
2. when one server gets X users connected, next user (X+1) is
routed to the next server
3. there is no hardware for the load balancer
Is this possible and if it is, how?
Yes.... it's possible, but there's nothing built-in to FMS to
handle it. You need to write your own application to do it.
I like to handle this by building a little app that polls the
admin service of each involved server once a second or so, and
retrieves stats about the application instances i need to keep
track of (we'll call it the "load balancer app"). In this
application, I include functions to loop through the stats data for
each server, and determine which is the most logical to send the
next client to.
On the client side, I first connect to the load balancer app,
providing an identifier for the application I want to connect to as
an argument in the connect() call. The load balancer makes the best
server determination, and returns the host name of the target
server. The client then disconnects from the load balancer, and
connects to the target host. -
OAM 11g BP02 with Kerberos is not working on AIX
Hi,
We are trying to configure OAM 11g with Kerberos on AIX with no success..
Resource is protected according to OAM documentation guide but the oam logs shows the following:
[2012-08-28T00:03:22.305-05:00] [oam_server1] [TRACE] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread:
'2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000J_fbCuS9h^k5kzWByZ1GF532
00000G,0] [APP: oam_server] [SRC_METHOD: log] [SRC_CLASS: oracle.security.am.engines.common.adapters.OAMLoggerImp
l] Authentication Failed.[[
javax.security.auth.login.LoginException: Bad JAAS configuration: bad URL /home/oracle/oam.keytab
Error java.net.MalformedURLException: no protocol: /home/oracle/oam.keytab
at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:5)
at com.ibm.security.auth.module.Krb5LoginModule.j(Krb5LoginModule.java:537)
at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:146)
at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:274)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
we are using OAM 11g BP 02.
oam-config.xml is configured as follow:
<Setting Name="KerberosModules" Type="htf:map">
<Setting Name="6DBSE52C" Type="htf:map">
<Setting Name="keytabfile" Type="xsd:string">/home/oracle/oam.keytab</Setting>
<Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5/krb5.conf</Setting>
<Setting Name="name" Type="xsd:string">Kerberos</Setting>
<Setting Name="principal" Type="xsd:string">HTTP/myssoserver@mydomain</Setting>
</Setting>
</Setting>
Please let me know how to get this resolved. Thanks in advance.
Regards. -
Load balancing to a WLS 8.1 cluster with BigIP 9.0
We are experiencing a problem load balancing to our 8.1 cluster using F5's 1500 with BigIP 9.02. The cluster is not configured with any failover capability; we have configured the BigIP with active cookie insertion persistence. All is well until we take down one of the nodes in the cluster; any session associated with that node via the load balancer is bounced repeatedly between the two remaining nodes. The only solution appears to be to close all browser instances and open a new one. Has anyone experienced this behavior and have some suggestions?
-
OAM 11g throws error when user store is changed
We have OAM 11g integrated with OIF 11g as the SP. We need to change the OAM User store from OID to OVD. I added a new User store in the OAM console and set that as the default store. In the OAM console, under System Configuration -> Common Configuration -> Data Stores -> User Identity Stores, I added the OVD repository we want to use and set it as the default store. When I make this change in OAM data stores, OAM throws an error.
On the browser I see the error: System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
In the OAM diagnostic logs, I see the following errors:
[2012-08-11T08:37:27.016-04:00] [oam_server1] [ERROR] [OAMSSA-20005] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Error initializing User/Role API : null.
[2012-08-11T08:37:27.021-04:00] [oam_server1] [WARNING] [OAMSSA-20007] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Unable to connect to the User Store. User Store may not be initialized : Error initializing User/Role API : null..
[2012-08-11T08:37:27.021-04:00] [oam_server1] [ERROR] [OAMSSA-12126] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f,0] [APP: oam_server] Cannot assert the username from DAP token.
The user exists in OVD and appropriate attributes have been set.
Comparing the trace for the two, in the OID trace, I see a 302 for the URL at /oam/server/dap/cred_submit. In the OVD trace, I see a 200 for the same URL.
Following is a successful request when OID is set as the default user store:
GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEVGMzBGMUJFRTdGRkM0NjQxREFFQn5GODdEQjFEMjczMjZCQjFCQTZEQTlDQTI5RDA3RTA0QTQ2OThEQzdEfjRCMDk0OUE1RjgyNjcwRkU2M0E3OTM5QjI1OTlCMzdEfmRiYzEzMDFiMWMxOTFiMDA5ZmM3YWM5MTFjNjM5MDhjNTgwMzZjMzYyZDZhZTQ3OTY5ZGRiNTllYmVlMTUwMjkxYTY4MzQwZjU2ZGEwMmNhMmE4YTM0YWUwNmUxMjY4MzE5NmFkNjM4YzIwOTliMWZmM2NmZTRhMjYyYmU2N2M1MDEwYWY5OWFmOWU1NTg5NGIyYTVjYWRkOGRlMDI5NjVjN2I2YzM5YTJjMDU1NmU5OTJkMzU4Y2RlYzAxNmU4MWZjMDRiYjFjM2RhYTAzYzliNDIwNjQzOTZlNzZlMzZhOTMwZjI4YTAyMzdmMTI1NjVjOTcwYTk1NzFkZDMzNzQ%3D HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://hostname.idpdomain.com/fed/user/?refid=id-5RtbGMaw6NfaaPUgth-wxZwxY5Q-
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: hostname.spdomain.com:14101
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Sat, 11 Aug 2012 12:42:32 GMT
Transfer-Encoding: chunked
Location: https://www.google.com
Set-Cookie: OAM_ID=VERSION_4~8u5oPtHwZW/uJbd8ybw87A==~I2VDurl3pyBxQdHBmwHXXu5AabtNgaGcQx1FJ6v3sVzuoU0WOvMyDi40pizUWNrSIUkCIrl7Fc6cumRyKUAU0yHSHEtzwtiGO3bmiC7rOXKglLnO9Iw0eNUATA1AuJ7m9a6JxE5fX2vDFDYzk/H9eK5/74mO9TKNP0HTcKF6NzEluuTT3sRlQH3dAzBhPouTCO6yMmd00SmQEhrQxCpUc+ec78GFQgfKrE+6mDNTFSO9gHEB0JQ+xzGzzsr34BDCTB2FC41d0Q3tTGXANSHHRg==; path=/; secure; HttpOnly
Set-Cookie: OAM_REQ=invalid; path=/; secure; HttpOnly
X-ORACLE-DMS-ECID: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000042d
X-Powered-By: Servlet/2.5 JSP/2.1
Following is a failed request when OVD is set as the default user store:
GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEVGMjRDREUyNUU4QTI1REUwMzVGM344MzRCNTU5RTNCREM1MjFBMjFBRDQ4MTBBNjMzMTI5QzM0MUU5RjI5fjA4ODY1M0JENjg1ODk1MTZDNUVGQjU0NTYwRjg5OEREfjYyMWE3NzhjMzUwMmVhODQ5MWRkMGIyYTBkYmM1MGU0ZDlmZTA0ZjE1NDBhMDVkOGM3ZWIwOGUzNGY3ZDhiNTBhMTNkMjY0MDliMGZmMmY2MzJjZGZjM2UzNzgzNzQ3YzM3OTIwYjlkMmNhZWY0ZDQ2M2MyYzE1NWM2MDkxMjI4MjU0NTEyZDIzODU3NTBlZjI4MjRlZTAzOWFkYmMxYTVmZWE3NTk5NTRlMGY3NTkyNjE5YTRkM2U3OTczZjZiMThmYzgxODg2MzM3ZDg5NzQ2NWUxYmZhNThjOGVmN2VhZmI5OGRiMDNiZmJmZGJjOWUzZmNjYTU1N2U5OWVjMDQ%3D HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://hostname.idpdomain.com/fed/user/?refid=id-R5gYcX-W8o6-bQSR2IIYdkQLLKA-
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: hostname.spdomain.com:14101
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Date: Sat, 11 Aug 2012 12:37:26 GMT
Pragma: no-cache
Content-Length: 2051
Content-Type: text/html; charset=UTF-8
Expires: 0
Set-Cookie: OAM_JSESSIONID=0VksQmSHwhpr2vT33Kq1ZgqWgxrtk2BXxpr4PgmL1LwThMxYSlKQ!-450564370; path=/; HttpOnly
X-ORACLE-DMS-ECID: 3480b637355d0d24:-ed7c663:13913246a02:-8000-000000000000040f
X-Powered-By: Servlet/2.5 JSP/2.1
Hi AV,
We had the same problem.
The reason was a wrong definition in customizing:
Partner Processing -> Define Partner Determination Procedure -> User Interface Settings
There, for the relevant procedure, we had to define this sequence of functions:
1. Activity Partner
2. Contact Partner
3. Employee Responsible
4. Sales Representative
Regards
Meinrad
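In the OVD post above, the failed response carries the same ECID in its X-ORACLE-DMS-ECID header as the OAMSSA-20005, OAMSSA-20007 and OAMSSA-12126 log records, which is what ties that HTTP trace to the server-side errors. The following is an added example, not code from the thread or from Oracle, that performs this correlation; the sample log lines, the sample response and their ECID values are constructed, and the helper names are hypothetical.

```python
import re

# ODL record header: [time] [component] [level] [msg-id] [module] ...
HEAD = re.compile(r"^\[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\]")
ECID = re.compile(r"\[ecid: ([^,\]]+)")        # value up to the ",0" suffix
APP_MSG = re.compile(r"\[APP: [^\]]*\] ?(.*)$", re.S)

def parse_odl(line):
    """Parse one ODL record into a dict; return None for non-record lines."""
    head, ecid = HEAD.match(line), ECID.search(line)
    if not head or not ecid:
        return None
    _time, _component, level, msg_id, module = head.groups()
    msg = APP_MSG.search(line)
    return {"level": level, "msg_id": msg_id, "module": module,
            "ecid": ecid.group(1), "message": msg.group(1).strip() if msg else ""}

def response_ecid(raw_headers):
    """Return the X-ORACLE-DMS-ECID value from a raw response header block."""
    for header in raw_headers.splitlines():
        name, _, value = header.partition(":")   # ECIDs contain ':' themselves
        if name.strip().lower() == "x-oracle-dms-ecid":
            return value.strip()
    return None

def records_for_response(raw_headers, log_lines, levels=("ERROR", "WARNING")):
    """Server-side records logged under the same ECID as the HTTP response."""
    wanted = response_ecid(raw_headers)
    records = (parse_odl(line) for line in log_lines)
    return [r for r in records if r and r["ecid"] == wanted and r["level"] in levels]

# Constructed sample in the page's formats; the ECID values are made up.
TID = "[tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)']"
def make_line(level, msg_id, module, ecid, text):
    return (f"[2012-08-11T08:37:27.016-04:00] [oam_server1] [{level}] [{msg_id}] [{module}] "
            f"{TID} [userId: <anonymous>] [ecid: {ecid},0] [APP: oam_server] {text}")

SAMPLE_LOG = [
    make_line("ERROR", "OAMSSA-20005", "oracle.oam.user.identity.provider",
              "c0ffee:-1:aa:-8000-040f", "Error initializing User/Role API : null."),
    make_line("ERROR", "OAMSSA-12126", "oracle.oam.engine.authn",
              "c0ffee:-1:aa:-8000-040f", "Cannot assert the username from DAP token."),
    make_line("TRACE", "", "oracle.oam.engine.authn", "c0ffee:-1:aa:-8000-042d", "Authentication succeeded."),
    "javax.security.auth.login.LoginException: stack-trace line, not an ODL record",
]
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\nContent-Type: text/html\nX-ORACLE-DMS-ECID: c0ffee:-1:aa:-8000-040f\n"

if __name__ == "__main__":
    for rec in records_for_response(SAMPLE_RESPONSE, SAMPLE_LOG):
        print(rec["msg_id"], rec["module"], rec["message"])
```

The nested brackets inside the `tid` field are why the parser anchors on the five leading fields and the named `ecid` and `APP` fields instead of splitting on every bracket.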