Thursday, November 24, 2011

Configuring SSL/HTTPS on Oracle Apps 11i

1. Create the certificate directories

mkdir $COMMON_TOP/admin/certs

cd $COMMON_TOP/admin/certs

mkdir ssl.crt ssl.key


2. Set up the OpenSSL environment

export OPENSSL_TOP=$IAS_ORACLE_HOME/Apache/open_ssl
export OPENSSL_CONF=$IAS_ORACLE_HOME/Apache/open_ssl/bin/openssl.cnf


3. Create the random seed file

touch ortest
$OPENSSL_TOP/bin/openssl sha1 or* > $HOME/.rnd
ls -la $HOME/.rnd
-rw-r--r-- 1 applmgr dba 55 Oct 20 02:13 /home/applmgr/.rnd

4. Generate a 2048-bit private key

$OPENSSL_TOP/bin/openssl genrsa -des3 -out apache_2048.key 2048

Enter a passphrase of your choice.


5. Generate the certificate signing request (CSR) to be sent to the vendor to obtain the certificate

$OPENSSL_TOP/bin/openssl req -config $OPENSSL_CONF -new -key apache_2048.key -out apache_2048.csr

Provide the inputs as shown below


Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Arizona
Locality Name (eg, city) []:Scottsdale
Organization Name (eg, company) [Internet Widgits Pty Ltd]:abc.cde.com
Organizational Unit Name (eg, section) []:abc.cde.com
Common Name (eg, YOUR name) []:abc.cde.com
Email Address []:abc@abc.com


Note: the Organization Name, Organizational Unit Name and Common Name must be given as the full name of the server, or the URL in the case of a virtual URL; otherwise the certificate will cause problems when starting Apache.


6. Send this CSR to the vendor you are buying your certificate from (make sure it is FTPed in binary mode).

The vendor will provide you with a certificate (.crt) file and a root file (ca.crt).
The vendor could also give you one integrated .pk7 or .pk9 file. In this case you need to open the certificate on your local PC, export the certificate to one file and the root certificates to another file, save them, and FTP them in binary mode to the server location.




7. Copy the certificate and CA file received into the ssl.crt directory created above.

8. Modify the following context variables

s_webport=443
s_external_url=https://abc.abc.com
s_webentryurlprotocol=https
s_active_webport=443
s_webssl_port=443
s_apps_portal_url=https://abc.abc.com/pls/ebstst_portal30/portal30.home
s_login_page=https://abc.abc.com/oa_servlets/AppsLogin
s_f60map=https://abc.abc.com/OA_TEMP
s_forms60_https_negotiate_down=TRUE
s_url_protocol=https
s_local_url_protocol=https
s_webentryurlprotocol=https
s_chronosURL=https://abc.abc.com/oracle_smp_chronos/oracle_smp_chronos_sdk.gif
s_webcache_url_protocol=https
s_webcache_https_port=443
s_webcache_http_port=443
webentry port
ssl_*key
ssl_*cert
ssl_*ca




9. Run AutoConfig

10. Log in as root, source the apps env and start Apache
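A pre-flight check on the files that come back from the vendor in step 6, run before they are copied into ssl.crt (step 7) and Apache is restarted (step 10); this is an added example, not part of the original post. It assumes the openssl CLI is on PATH (set OPENSSL=$OPENSSL_TOP/bin/openssl on the Apps tier) and a KEYPASS variable holding the passphrase chosen in step 4; the file names are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check key, certificate and
# CA file before installing them. Assumes the openssl CLI is on PATH; on the
# Apps tier set OPENSSL=$OPENSSL_TOP/bin/openssl. KEYPASS holds the step 4
# passphrase (leave empty for an unencrypted key).
OPENSSL=${OPENSSL:-openssl}

# cert_cn <cert.crt>: print the Common Name from the certificate subject
cert_cn() {
    "$OPENSSL" x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert <apache_2048.key> <cert.crt>: the RSA modulus must be identical,
# otherwise the vendor signed a CSR that was not built from this key
key_matches_cert() {
    k=$("$OPENSSL" rsa -noout -modulus -in "$1" -passin "pass:${KEYPASS:-}") || return 1
    c=$("$OPENSSL" x509 -noout -modulus -in "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok <ca.crt> <cert.crt>: the certificate must verify against the root
# file the vendor supplied (the file the ssl_*ca context variable points at)
chain_ok() {
    "$OPENSSL" verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight <key> <cert> <ca> <fqdn>: run all three checks; the CN must equal the
# server name entered in step 5, or Apache will not start (see the note above)
preflight() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    chain_ok "$3" "$2"         || { echo "FAIL: $2 does not verify against $3"; rc=1; }
    cn=$(cert_cn "$2")
    [ "$cn" = "$4" ]           || { echo "FAIL: CN '$cn' is not '$4'"; rc=1; }
    return $rc
}

# Example use on the Apps tier, from $COMMON_TOP/admin/certs:
#   KEYPASS=... preflight ssl.key/apache_2048.key ssl.crt/server.crt ssl.crt/ca.crt abc.cde.com
```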


good luck .....

Wednesday, November 23, 2011

Enabling debug on R12

Enable HTTP/OC4J/OPMN debug logging

Enable HTTP ODL logging
-----------------------------
Edit the httpd.conf file and add the following to the end of $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/httpd.conf:

OraLogMode oracle
OraLogSeverity TRACE:32
OraLogDir $LOG_HOME/ora/10.1.3/Apache/oracle

Please use the full path to $LOG_HOME, e.g.

OraLogDir /u01/inst/apps/JCB_atg/logs/ora/10.1.3/Apache/oracle

Warning: the log.xml file created by the HTTP ODL log can get very large. Monitor this file and keep its size under the 2GB limit; exceeding it can cause login issues.

Make the following directory, which is where the Apache ODL log files are created:

mkdir $LOG_HOME/ora/10.1.3/Apache/oracle

Increase OC4J logging for oacore

1/ Edit j2ee-logging.xml and adjust the following in the file:
$ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config/j2ee-logging.xml

2/ Edit orion-web.xml and adjust the following in the file:
$ORA_CONFIG_HOME/10.1.3/j2ee/oacore/application-deployments/oacore/html/orion-web.xml

<init-param>
<param-name>debug_mode</param-name>
<param-value>true</param-value>
</init-param>

Increase OC4J logging for forms

1/ Edit j2ee-logging.xml and adjust the following in the file:
$ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/j2ee-logging.xml




Increase OC4J logging for OAFM

1/ Edit j2ee-logging.xml and adjust the following in the file:
$ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config/j2ee-logging.xml

2/ Edit orion-web.xml and adjust the following in the file:
$ORA_CONFIG_HOME/10.1.3/j2ee/oafm/application-deployments/oafm/webservices/orion-web.xml

<init-param>
<param-name>debug_mode</param-name>
<param-value>true</param-value>
</init-param>

Increase OPMN Logging
-------------------------------
Edit opmn.xml and adjust the following in the file:
$ORA_CONFIG_HOME/10.1.3/opmn/conf/opmn.xml



Finding out if there is an AD-OID-EBS GUID mismatch

SQL> select fnd_ldap_user.get_user_guid('PRABHAT') from dual ;

FND_LDAP_USER.GET_USER_GUID('PRABHAT')
--------------------------------------------------------------------------------
AB67FBA866329263E04023D823AF1C1B

SQL> select user_guid from fnd_user where user_name='PRABHAT';

USER_GUID
--------------------------------
AB67FBA866329263E04023D823AF1C1B


If the GUID differs between the two, update the GUID in fnd_user with the value returned by the first query.


Doing DB recovery when a few datafiles are corrupted

In case you are trying to bring up the database from an inconsistent backup and there is a chance of corruption when you open the database with resetlogs, you can use the following init parameter to open the DB.


_ALLOW_RESETLOGS_CORRUPTION=TRUE


Remove this parameter once your DB is up, recycle the DB gracefully, and take a fresh full backup afterwards, since a database opened this way may still contain inconsistencies.


You can use the following event to skip the SCN by 1 (or any number) in case some of the archives are missing for particular SCNs.


alter session set events '10015 trace name adjust_scn level 1';   <= change the value 1 to the number of SCNs you want to skip.

R12 Apache login issue: common error

If the login page (AppsLocalLogin.jsp) doesn't work:
a. Stop the application services
b. Clear the $COMMON_TOP/_pages directory
c. cd $FND_TOP/patch/115/bin
   ./ojspCompile.pl --compile --flush -p 10
d. If you get an error like this:
Caused by: oracle.apps.jtf.base.resources.FrameworkException: ORA-01578: ORACLE data block corrupted (file # 25, block # 228173)ORA-01110: data file 25: 'apps_ts_tx_data.290.743539659'ORA-26040: Data block was loaded using the NOLOGGING option


run the following as the apps user:

begin
  apps.wf_local_synch.BULKSYNCHRONIZATION(P_ORIG_SYSTEM=>'ALL', P_PARALLEL_PROCESSES=>2, P_LOGGING=>'LOGGING', P_RAISEERRORS=>TRUE, P_TEMPTABLESPACE=>'APPS_TS_TX_DATA');
end;
/

Setting up the SSL 636 port for OID to AD sync

Copied the wallet to /wallet.

Made the following changes as per the ML doc.

1. Open the Oracle Directory Manager
2. Navigate to SERVER MANAGEMENT, DIRECTORY SERVER , configuration set 1
3. Select the SSL Setup Tab and provide following details

ssl enable - ssl only
ssl wallet url : /wallet
ssl port : 636
ssl authentication : ssl server authentication

Click on apply and exit

4. Open dipassistant -gui and edit the profile ActiveChgImp

Check the "connect directory SSL enable" check box.
Update the port to 636.

5. Bounce the odisrv services.





These are the 2 notes we need to follow to set this up.

##################
+. Please note that setting up AD SSL and ldapbind over LDAP must be resolved with the AD admin's help or with Microsoft Support.

1.> Note 842391.1 - How To Set Up DIP Synchronization To Use SSL
In this note, follow the other note it references to create a new configset for SSL.


2.> This second note is just for your information.
NOTE:300756.1 - Active Directory (AD) Synchronization to OID Via SSL Mode Fails: DIP_GEN_CONNECTION_FAILURE

Change the orcladmin password
==========================



-bash-3.2$ ./oidpasswd connect=oid2 reset_su_password=true
OID DB user password:
new password:
confirm password:
password set


Here the DB user password entered is the orasso password.

Changing the orasso password in Oracle OID

Change the orasso password.
==========================


# sqlplus system/system_passwd


SQL> alter user orasso identified by neworassopassword;


If you chose to manually update the "orasso" schema password in the database you will also need to update that same password in OID as well. There are two ways to update the "orasso" password in OID. The first is by using the Oracle Directory Manager GUI and the second is manually using an ldapmodify command.


ODM (Oracle Directory Manager)

Login to ODM as the orcladmin user.

After you login, drill down to the "OrclResourceName=ORASSO" directory entry as follows:

From "Entry Management" Click "cn=OracleContext"
Then "cn=Products"
Then "cn=IAS"
Then "cn=IAS Infrastructure Databases"
Then "orclReferenceName=" followed by your infrastructure database SID and domain (e.g. asdb.mydomain.com)


Then highlight the entry "OrclResourceName=ORASSO"

This entry will contain an attribute called "orclpasswordattribute"

Enter the new "orasso" schema password in this attribute

SSL certificate conversion to Oracle wallet

Source your env and use the tool and syntax below. Make sure you have all 3 files (certificate, key and root certificate) available before starting.

$ORACLE_HOME/Apache/Apache/bin/ssl2ossl \
  -cert   /u01/app/apptb/product/disco/Apache/Apache/conf/ssl.wlt/default/certs/server.crt \
  -key    /u01/app/apptb/product/disco/Apache/Apache/conf/ssl.wlt/default/certs/server.key \
  -cafile /u01/app/apptb/product/disco/Apache/Apache/conf/ssl.wlt/default/certs/ca.crt \
  -wallet /u01/app/apptb/product/disco/Apache/Apache/conf/ssl.wlt/default/cbeytest \
  -ssowallet yes
Enter wallet password:
Verifying password - Enter wallet password:
SUCCESS

Bulk delete from Oracle SSO OID

1)Take backup of OID

2)Disable sync profile

$ dipassistant mp -host -port 389 -passwd ***** -profile ActiveChgImp odip.profile.status=DISABLE
Profile successfully modified.

Note: For security reasons it is not recommended to provide a password on the command line, unless you're being prompted for it.

3)Stop DIP process

oidctl connect=oid server=ODISRV instance=2 configset=1 flags="host=oid01.oracle.net grpid=configset1 port=389 " stop
NLS_LANG not set in environment
Setting NLS_LANG to AMERICAN_AMERICA.AL32UTF8
oidctl:Waiting for oidmon to stop ODISRV (instance=2) pid=10157
oidctl:Waiting for oidmon to stop ODISRV (instance=2) pid=10157
oidctl:Stopped ODISRV (instance=2) successfully

4) Get the list of all users to be deleted
ldapsearch -h oid01.oracle.net -p 389 -D "cn=orcladmin" -w **** -s sub -b "cn=Users,dc=com" "(objectclass=*)" dc >> /tmp/test.ldif

5) Delete the following from the user list created in step 4, as we want to retain these containers

vi /tmp/test.ldif
cn=Users, dc=com
cn=orcladmin, cn=Users, dc=com
cn=PUBLIC, cn=Users, dc=com

6) Do the bulk delete

ldapdelete -h oid01.oracle.net -p 389 -D "cn=orcladmin" -w ***** -c -v -f /tmp/test.ldif
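Step 5 can be done without hand-editing in vi, so that the orcladmin and PUBLIC entries and the Users container can never slip into the delete list; the filter below is an added example, not part of the original post. It assumes the one-DN-per-line list that Oracle's ldapsearch writes in step 4 and ldapdelete -f reads in step 6, and the cn=Users,dc=com base DN is the post's own example value.

```shell
#!/bin/sh
# Added example (not from the original post): build the ldapdelete input for
# step 6 from the ldapsearch output of step 4. Works on plain DN lines as
# written by Oracle's ldapsearch; "dn: " prefixes from other builds are tolerated.
# The protected DNs are the three containers the post says to retain; the
# cn=Users,dc=com base is the post's own example.
KEEP_DNS='cn=Users,dc=com
cn=orcladmin,cn=Users,dc=com
cn=PUBLIC,cn=Users,dc=com'

# norm_dn <dn>: lower-case and strip blanks around "," and "=" so that
# "cn=PUBLIC, cn=Users, dc=com" and "cn=public,cn=users,dc=com" compare equal
norm_dn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*=[[:space:]]*/=/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

KEEP_NORM=$(printf '%s\n' "$KEEP_DNS" | while IFS= read -r k; do norm_dn "$k"; done)

# is_protected <normalized-dn>: exact match against the normalized keep list
is_protected() {
    printf '%s\n' "$KEEP_NORM" | grep -Fxq -- "$1"
}

# filter_delete_list <raw-list> <out-file>: copy every DN that is safe to delete
# into <out-file>, skipping blank, comment and attribute lines (e.g. "dc: com")
# and the protected containers; prints the number of DNs written
filter_delete_list() {
    n=0
    : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        dn=${line#dn: }
        case "$dn" in ''|'#'*) continue ;; esac
        # a DN line starts with an attribute type followed by "=", e.g. cn=...
        printf '%s\n' "$dn" | grep -Eq '^[[:alpha:]][[:alnum:]-]*=' || continue
        is_protected "$(norm_dn "$dn")" && continue
        printf '%s\n' "$dn" >> "$2"
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Example use: filter_delete_list /tmp/test.ldif /tmp/delete.ldif
#              ldapdelete ... -c -v -f /tmp/delete.ldif
```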

Finding the orasso password from OID

ldapsearch -h -p -D "cn=orcladmin" -w "*****" -s sub "orclResourceName=orasso" orclpasswordattribute