Friday, July 12, 2013

Find OIF version

Patched OIF from the base 11.1.1.2.0 release to a higher version, but the WebLogic console still shows OIF 11.1.1.2? If you want to confirm that the patch actually upgraded the version, here is a simple way to check:

  1. Go to /inventory/Patches21/oracle.idm.oif
  2. Run 'ls -la'
  3. It displays 3 entries. The OIF version is the name of the third entry, as in the sample output of this command below.
drwxr-x---   3 idmadm   idmadm        96 Jan 20  2012 .
drwxr-x---  33 idmadm   idmadm      2048 Jan 20  2012 ..
drwxr-x---   3 idmadm   idmadm      1024 Jan 20  2012 11.1.1.5.0

There is an alternative approach:
  1. Go to /OPatch
  2. Export the ORACLE_HOME variable.
  3. Export the PATH variable, appending $ORACLE_HOME/OPatch.
  4. Run opatch lsinventory

Thursday, June 27, 2013

Using the customized OIF.ear file in 11g

This concerns an OIF 11g environment with 2 OIF servers in a cluster. Typically, when the OIF application is customized, the updated oif.ear has to be moved to $ORACLE_IDM_HOME/fed/install. (I have made changes to the web.war present in oif.ear. To make changes to oif.ear, don't unzip or extract it; just open it with a zip tool, make the changes and save the ear file.) If the OIF cluster instances are on different servers, then oif.ear has to be placed on all the other servers too.

Delete the files under $WL_DOMAIN/servers//tmp/_WL_user/OIF_11.1.1.2.0 on all OIF server instances.

Restart the OIF managed servers. Access the OIF application and observe the changes. They were not reflected in my case. I spent a lot of time figuring out the locations where oif.ear is present and checking whether the changes were reflected. Finally I identified that the WebLogic staging directory is where the OIF application is moved to, and it was still holding the old oif.ear.

So I copied the oif.ear to the staging directories of all OIF instances, removed the files under $WL_DOMAIN/servers//tmp/_WL_user/OIF_11.1.1.2.0 and restarted the OIF server instances. I am glad that everything worked!!

Wednesday, June 26, 2013

oracle.security.fed.event.exceptions.UnknownProviderException: Unknown Provider

While testing IDP-initiated SSO with OIF as the IDP and a custom solution as the SP, we were getting a 500 Internal Server Error.
The URL is of the format: http://idp_host:port/fed/idp/initiatesso?providerid=http://sp-host:port/app

We got the exception below in the OIF logs.

[2013-06-25T13:00:29.732-07:00] [wls_oif1] [ERROR] [FED-15034] [oracle.security.fed.eventhandler.profiles.idp.sso.CreateAuthnRequestEventHandler] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 8285f2bb4b55ec93:-773f8c6e:13f5ce4fa24:-8000-000000000000e9a4,0] [APP: OIF#11.1.1.2.0] Profile is unknown: https://sp-host:443/sso/saml/SSO
[2013-06-25T13:00:29.732-07:00] [wls_oif1] [ERROR] [FED-12064] [oracle.security.fed.controller.ActionStateMachine] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 8285f2bb4b55ec93:-773f8c6e:13f5ce4fa24:-8000-000000000000e9a4,0] [APP: OIF#11.1.1.2.0] Exception: {0}[[
oracle.security.fed.event.exceptions.UnknownProviderException: Unknown Provider: https://sp-host:443/sso/saml/SSO


The root cause is passing the wrong service provider ID in the URL.
To find the correct provider ID, log in to the OIF console -> Oracle Identity Federation -> Federations. Note the provider ID and use it in the IDP-initiated SSO URL.

Saturday, June 1, 2013

Fedlet error: "java.lang.ExceptionInInitializerError"

I completed the SP-initiated SSO integration with an IDP partner using Fedlet as the Service Provider. Later, when I moved the fedlet configuration directory to a different location, it threw the exception below:

java.lang.ExceptionInInitializerError
at jsp_servlet._saml2._jsp.__fedletssoinit._jspService(__fedletssoinit.java:132)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
Truncated. see log file for complete stacktrace
Caused By: java.lang.NullPointerException


Changes I made:
  • Moved the fedlet configuration directory to a different location.
  • Updated the startWebLogic.sh script to include the new fedlet home, as shown below.
JAVA_OPTIONS="${JAVA_OPTIONS} -Dcom.sun.identity.fedlet.home=/apps/tap/Oracle1036/user_projects/domains/tap_pit1/config/fedlet"
export JAVA_OPTIONS
  • Restarted the WebLogic server.
  • Accessed the fedlet SP-initiated SSO URL.
Troubleshooting:
After starting the WebLogic server, the new fedlet home was not visible in the java options.

Fix:
  • Update the startWebLogic.sh script to include the fedlet home parameter directly in the java execution line, as shown below. Update all the other java execution lines in the script in the same manner.
echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} -Dcom.sun.identity.fedlet.home=${DOMAIN_HOME}/config/fedlet ${PROXY_SETTINGS} ${SERVER_CLASS}"
  • Restart the WebLogic server. Make sure the fedlet home appears in the java options using ps -ef | grep java

Wednesday, May 29, 2013

JDK version while using Fedlet

Please make sure you use JDK 6.0 while customizing or setting up a fedlet instance, because the fedlet jars such as openfedlib.jar and opensso-sharedlib.jar are built with JDK 6.

Customizing Fedlet

I have been working on fedlet a lot these days. The greatest advantage of fedlet is customization. Since it is an open source product, the jars shipped with the fedlet application allow us to customize the federation process. It is also useful for integrating with custom IDPs.

The important jar files are:
openfedlib.jar
opensso-sharedlib.jar

These jars are present in fedlet sample application generated during fedlet setup. The major java files where customization can be made are:

SPSSOFederate.java generates the SAML Authentication request.
SPACSUtils.java processes the SAML response.
SAML2Utils.java verifies the response for validity of SAML response and assertion, signature and encryption.

Once these java files are modified appropriately, compile them and put the class files back into openfedlib.jar. Place the jar under the application's WEB-INF/lib folder and restart the application server (where fedlet is deployed) for the changes to take effect.

If you get any exceptions in fedlet, look in the libSAML2.properties file under WEB-INF/classes, which maps all the error scenarios.

For example, while testing SAML SSO, if you see the exception "Version is not present in the request", look for the mapped error in libSAML2.properties, then search the fedlet java classes for where the missingVersion error is thrown.
missingVersion=Version is not present in the request.


Let me know if you need assistance customizing any specific functionality with fedlet; I can help you.

Wednesday, May 22, 2013

Fedlet experiences

I will be writing a series of posts on Fedlet in my other blog. It will include business use case discussion, fedlet setup, SSO use case execution, signing and encryption, and logout.

Wednesday, May 15, 2013

Which JDK is my weblogic server using?

If you want to quickly check which JDK your WebLogic server is using, this post will help you.

Under MW_HOME/wlserver_10.3/common/bin there is a commEnv.sh file. It has a setting specifying JAVA_HOME.

Tuesday, May 14, 2013

Configure Logging level for OIF 11g

The OIF logger level can be set either from the EM console or with a wlst command.

If you want to do it through wlst, here are the steps:

  1. Run ./wlst.sh from ORACLE_HOME, e.g. MW_HOME/Oracle_IDM1/common/bin
  2. wls:/offline> connect() --- connect to the AdminServer port with the weblogic credentials
  3. wls> domainRuntime()
  4. wls> listLoggers(pattern="oracle.security.fed.*",target="OIF_INSTANCE_NAME")
  5. wls> setLogLevel(target='oif_server1',logger='oracle.security.fed',level='TRACE:32',persist="1",addLogger=1)
  6. exit()
No need to restart the OIF servers.


Friday, May 10, 2013

Tool to search text in jars

Every now and then I need to search for a text/pattern in sub-directories or jar files. One can build a shell script to do this.

I found a blog that talks about a tool called Javinder.
All you need to do is download that jar file and run the command java -jar Javinder.jar; it then opens a wizard.

See the screenshot below, where I wanted to search for the WantAssertionsSigned pattern under the jars directory C:\Projects\My_Fedlet\fedletsample\WEB-INF\lib.

Hope this helps others having the same need.
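For the same need without a GUI tool, here is an added example (not from the Javinder blog or the fedlet project): a Python script that scans every jar under a directory for a pattern (the WantAssertionsSigned case above) and also maps an error text back to its libSAML2.properties key (the missingVersion case from the Customizing Fedlet post). The jar contents and properties line are constructed samples.

```python
import os
import re
import tempfile
import zipfile
# Constructed sample data (not from a real fedlet build) used by demo() below.
SAMPLE_PROPERTIES = "missingVersion=Version is not present in the request.\n"
SAMPLE_CLASS_BYTES = b"\xca\xfe\xba\xbe\x00\x00\x00\x32 SPSSOFederate missingVersion"


def build_sample_jar(target_dir):
    """Write a small constructed jar into target_dir and return its path."""
    jar_path = os.path.join(target_dir, "openfedlib.jar")
    with zipfile.ZipFile(jar_path, "w") as archive:
        archive.writestr("com/sun/identity/saml2/profile/SPSSOFederate.class", SAMPLE_CLASS_BYTES)
        archive.writestr("com/sun/identity/saml2/common/SAML2Utils.class", b"\xca\xfe\xba\xbe other")
    return jar_path


def search_jars(root_dir, pattern, extensions=(".class", ".properties", ".xml")):
    """Return sorted (jar, member) pairs whose raw member bytes match the regex.
    .class files are scanned as bytes, so constant-pool strings are found without decompiling."""
    regex = re.compile(pattern.encode("utf-8"))
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in (f for f in files if f.lower().endswith(".jar")):
            jar_path = os.path.join(dirpath, name)
            try:
                archive = zipfile.ZipFile(jar_path)
            except zipfile.BadZipFile:
                continue  # skip corrupt or non-zip files instead of aborting the scan
            with archive:
                for member in archive.namelist():
                    if member.endswith(extensions) and regex.search(archive.read(member)):
                        hits.append((jar_path, member))
    return sorted(hits)


def lookup_message(properties_text, message):
    """Map an error text back to its key in libSAML2.properties-style content."""
    for line in properties_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            if value.strip() == message.strip():
                return key.strip()
    return None


def demo():
    """Build the constructed jar in a temp dir; return the key and matching members."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp)
        key = lookup_message(SAMPLE_PROPERTIES, "Version is not present in the request.")
        return key, [member for _jar, member in search_jars(tmp, key)]
```

Point search_jars at WEB-INF/lib with the pattern you are after to get the jar and class that contain it.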

Tuesday, April 23, 2013

SAML2 encoder/decoder

Hi All,

I was working on a Fedlet setup with OIF 11g. I could not see the SAML assertions in the Fedlet debug logs; I don't know why. The goal is to look at the SAML request and response for the nameid and other details.

So here is a simple way to get the SAML XML. One should be able to see the SAMLRequest and SAMLResponse in the HTTP traffic while testing the federation URLs in a browser.

Use the tool https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php, paste the SAMLRequest encoded data and click Decode SAML Message.
Another one is here: http://openidtest.uninett.no/samldebug
The same holds true for both SAMLRequest and SAMLResponse data.
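The same decoding can be done locally, which keeps assertions off third-party sites. This is an added example, not part of the original post or of OIF/Fedlet: it inflates and base64-decodes a SAMLRequest/SAMLResponse value (redirect or POST binding) and pulls out the message type, Issuer, Destination and NameID. The AuthnRequest and hostnames are constructed samples.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnRequest (not captured from a real OIF/Fedlet exchange).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" '
    'IssueInstant="2013-04-23T10:00:00Z" '
    'Destination="https://idp.example.test/fed/idp/samlv20">'
    '<saml:Issuer>https://sp.example.test/fedlet</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def decode_saml(encoded, binding="redirect"):
    """Return the XML text inside a SAMLRequest/SAMLResponse parameter value.
    Redirect binding = raw DEFLATE then base64; POST binding = base64 only."""
    raw = base64.b64decode(encoded)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    elif binding != "post":
        raise ValueError("binding must be 'redirect' or 'post'")
    return raw.decode("utf-8")


def encode_saml(xml_text, binding="redirect"):
    """Inverse of decode_saml; used here only to build the constructed sample."""
    raw = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def summarize(xml_text):
    """Extract the fields usually needed when debugging a federation: message
    type, Issuer, Destination, and any NameID in the request or its assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find(".//saml:NameID", NS)  # under Subject, or inside an Assertion
    return {
        "type": root.tag.rsplit("}", 1)[-1],
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "destination": root.get("Destination"),
    }
```

Pass a captured SAMLResponse with binding="post" to see the NameID the assertion carries.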

Friday, April 19, 2013

Connecting to OID Server through client

OID 10.1.4.3 was installed on a remote server. All I had were the connection details. I could use LDAP tools such as JXplorer or Apache Directory Studio, but I wanted to work on the password policies configured in OID. However, I did not have access to the OID server to log in to the Oracle Directory Manager tool using oidadmin. Hence I downloaded and installed the Oracle Database client 10g (10201_client_win32.zip).

While installing the Oracle DB client, use the Administrator option (installs the management console, management tools, networking services, utilities and basic client software).

The installation went successfully, although some optional components failed, so I did not bother.

I was able to see Oracle Directory Manager installed and could log in to the OID server through this client successfully.

I referred to this post for using the OIDAdmin client tool.


Thursday, January 3, 2013

How to find OIM version?

Log in to the DB as the OIM schema user and execute the SQL statement below. Check the screenshot below.

select xsd_value from xsd where xsd_code='XL_BUILD_NUMBER';

OIA 11.1.1.5 is not certified with WebLogic 10.3.6

Oh my god! I struggled for 2 days deploying OIA 11.1.1.5 on WebLogic 10.3.6 in a Linux environment. I was hitting the exception below during deployment.

message : Cannot construct com.vaau.commons.util.fileUtils.FileUtils$WrappedFile as it does not have a no-args constructor
cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
cause-message : Cannot construct com.vaau.commons.util.fileUtils.FileUtils$WrappedFile as it does not have a no-args constructor
class : com.vaau.commons.util.fileUtils.FileUtils$WrappedFile
required-type : com.vaau.commons.util.fileUtils.FileUtils$WrappedFile


I tried several troubleshooting methods by following the OIA admin and install guides, such as replacing the stax jar versions and modifying configuration XMLs such as dataaccess-context.xml and conf-context.xml, without success.

Finally, I installed WLS 10.3.5, created a domain and deployed OIA, and the whole process took hardly 20 minutes to work.

Guys, I hope this post will help you save a lot of time if you're hitting the same issue.