Friday, August 29, 2008

X-Windows

I have run into an issue that I first faced almost 6-7 years back. We had to install 10g iAS on one of the production servers, and we were not able to run any X-Windows tool such as VNC on that box because of missing packages on that server. But we did not have time to look around for the Unix guys and get this fixed.
So what are the options available to finish this task? This is how you can proceed. Go to a box where VNC is running, and from there run the following against the box where VNC is not running:
ssh -X targethost -l username
It will prompt for that user's password and voila, you are in. The ssh daemon must be running on the target host, otherwise it will not work. We completed our job, and I hope this helps others do their job on time.

Happy Troubleshooting !!!

Thursday, August 28, 2008

Oracle 10g SSO Integration with E-Biz - Implementation-5

Now we are going to register the Oracle E-Biz instance with the recently set up OID server. Before we move to the apps side, grab the orasso password from the IDM host with the following command:

$ORACLE_HOME/bin/ldapsearch -h <oidhost> -p 389 -D "cn=orcladmin" -w password -b "cn=IAS,cn=Products,cn=OracleContext" -s sub -v "OrclresourceName=orasso" | grep orclpasswordattribute

Once you get the orasso password from OID, log in to the application tier of Oracle E-Biz, move to $FND_TOP/bin and add $IAS_ORACLE_HOME/lib to the $LD_LIBRARY_PATH variable to avoid any errors while registering.

Run this command and provide the information required: $FND_TOP/bin/ -script=SetSSOReg
Enter the host name where Oracle iAS Infrastructure database is installed ?
Enter the Oracle iAS Infrastructure database port number ?
Enter the Oracle iAS Infrastructure database SID ?
Enter the LDAP Port on Oracle Internet Directory server ?
Enter Oracle E-Business apps database user password ?
Enter Oracle iAS Infrastructure database ORASSO schema password ?
Enter Oracle E-Business SYSTEM database user password ?
Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist ?
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ?
Enter the instance password that you would like to register this application instance with ?

Once all of the above information is provided, you will see the following output scroll by:
Program : $FND_TOP/bin/ started @ Thu Aug 28 04:32:53 2008
*** Log File = $OAD_TOP/rgf/SID/sso/txkSetSSOReg_Thu_Aug_28_04_31_58_2008.log
######################## WARNING ########################################
This application works with SSOSDK version 9.0.2 or higher. If lower version(3.0.9) of SSOSDK was installed in your system and you have a registered partner application, this process will remove the 3.0.9 version of the SSOSDK schema and install the 9.0.2 version.
######################## WARNING ########################################
Beginning input parameter validation for SSO registration.
Beginning loading SSO SDK into database if necessary.
Loading of SSO SDK into database completed successfully.
Input parameter validation for SSO registration completed.
Beginning input parameter validation for OID registration.
Input parameters validation for OID registration completed.
Beginning to register partner application.
Partner application has been registered successfully.
Single Sign-On partner application registered successfully.
Beginning to register Application and Service containers if necessary.
Application and Service containers were created successfully.
Beginning to register application in Oracle Internet Directory.
Registration of application in Oracle Internet Directory completed successfully.
Beginning to register instance password in Oracle Internet Directory.
Registration of instance password in Oracle Internet Directory completed successfully.
Beginning to test application registration in Oracle Internet Directory.
Testing of application registration in Oracle Internet Directory completed successfully.
Beginning to register provisioning profile in Oracle Internet Directory.
Registration of provisioning profile in Oracle Internet Directory completed successfully.
Application is now registered successfully with provisioning in Oracle Internet Directory.
End of $FND_TOP/bin/ : No Errors encountered

Great, you are done registering your apps instance as a partner application with OID. Now if you try to access your Apps instance you will be challenged by SSO. You have to provide your AD username and password to get in.

Happy Troubleshooting !!!

Oracle 10g SSO Integration with E-Biz - Implementation-4

As a next step we have to configure External Authentication Plug-In:
User passwords are maintained in Active Directory. For every AD user in enterprise LDAP directory the synchronization connector will maintain a shadow entry in Oracle Internet Directory of the type “orclADUser”.
For such users Oracle Internet Directory will need to forward authentication request to Active Directory.
On the host where OID component is installed execute the following command:
$OH/bin/dipassistant ea \
-h <oidhost> \
-p <oidport> \
-D cn=orcladmin \
-w <orcladmin_password> \
-t AD

The following configuration parameters need to be set:

· Active Directory host and port number – AD LDAP host and port,
· Active Directory failover configuration – Secondary AD LDAP host and port,
· Invocation Naming Context – OID user container,
· Second failover Active Directory – if you have one.

Once this is done, you can test by logging in with your AD username and password, and you will be able to log in. Voila, the setup is done for OID and AD integration. In the next note we will do the setup at the E-Biz Apps end to register it as a partner application with OID.

Happy Troubleshooting !!!

Oracle 10g SSO Integration with E-Biz - Implementation-3

The next step, after we are done importing users, is to enable the ActiveChgImp profile. This is how we do it in IDM version

Access the OID administration tool as the “orcladmin” super-user. Navigate to “Integration Server” -> “Configuration Set 1”. Select the import profile “ActiveChgImp” and click edit. This should display the profile attributes. Enable the profile and save the modified profile.

But in IDM 1.4.2, here are the steps to follow:
Profiles are now managed with the Oracle Directory Integration and Provisioning Server Administration tool (e.g. dipassistant -gui).
To incorporate these changes into the upgraded OID please do the following:
1. launch the admin tool (dipassistant -gui) and navigate to Connector Group Management and expand the tree. Notice that there are two entries:
- defaultgroup
- configset1
2. Expand configset1 to see the old synchronization profiles.
3. Since a 'profile group' must now be supplied when starting odisrv it is recommended to rename this 'configset' as it will become confusing when starting the server. To rename the profile group:
- highlight configset1 and right click the mouse, then select rename
Give it a new name, for instance: Group1 and click OK
4. The defaultgroup contains NO profiles after the upgrade so one may wish to (re)associate any profiles previously configured and enabled to become part of the default group. To do so:
- expand the Group1
- highlight the profile to be made part of default group, then click Dissociate Profile (you will be prompted to confirm, note that when confirmed it will disappear from the list)
- highlight the defaultgroup and click Associate Profile
- highlight the profile from the list and click Select (the new profile will now appear in the defaultgroup)
NOTE: One MUST always Dissociate a profile before Associating it with a new group.
5. Start the odisrv using the additional grpID flag: For example:
oidctl connect=orcl server=odisrv instance=2 configset=1 flags="host=jdsmith-us port=13060 grpid=defaultgroup debug=63" start

Check the logs under the $ORACLE_HOME/ldap/odi/log directory for synchronization errors in “ActiveChgImp.trc” and “ActiveChgImp.aud”.

Happy Troubleshooting !!!

Oracle 10g SSO Integration with E-Biz - Implementation-2

Now we are going to modify the import connector profile so that we can import users from AD to OID.
1. Create the “mapping rules” listed here and save to a file named “”
OU=OU_MYUSERS,DC=corp,DC=mygrp,DC=com:cn=adusers,cn=users,dc=corp, dc=mygrp, dc=com:
# attribute rule common to all objects
objectguid: :binary: :orclobjectguid:string: :bin2b64(objectguid)
ObjectSID: :binary: :orclObjectSID:string: :bin2b64(ObjectSID)
distinguishedName: : : :orclSourceObjectDN: :orclADObject
# attribute rule for mapping windows organizationalunit
ou: : :organizationalunit:ou: : organizationalunit
# attribute rule for mapping directory containers
cn: : :container: cn: :orclContainer
# attribute rule for mapping directordomains
dc: : :domain: dc: :domain
# attribute rule for mapping windows LOGIN id
sAMAccountName,userPrincipalName: : :user:orclSAMAccountName: :orclADUser:sAMAccountName|trunc(userPrincipalName,'@')
# attribute rule for mapping Active Directory LOGIN id
userPrincipalName: : :user:orclUserPrincipalName: :orclADUser:userPrincipalName
# Map the userprincipalname to the nickname attr by default
samAccountName,userPrincipalName: : :user:uid: :inetorgperson:sAMAccountName|trunc(userPrincipalName,'@')
# Assign the userprincipalname to Kerberos principalname
# userPrincipalName: : :user:krbPrincipalName: :orcluserv2:trunc(userPrincipalName,'@')+'@'+toupper(truncl(userPrincipalName,
samAccountName: : :user:krbPrincipalName: :orcluserv2:samAccountName+'@'+'DOMAINNAME.COM'
# This rule is mapped as SAMAccountName is a mandatory attr on AD
# and sn is mandatory on OID. sn is not mandatory on Active Directory
sn,SAMAccountName: : :person:sn: : person:sn|SAMAccountName
# attributes to map to cn - normally this is the given name
cn: : :person:cn: :person:
# attribute rule for mapping entry and to create orclUserV2
# There should be a mapping rule with orcluserv2 objectclass
# without which the PORTAL may not function properly
givenName: : :user:displayName: :inetorgperson:
employeeID: : :user:employeeNumber: :inetOrgPerson:
physicalDeliveryOfficeName: : :user:physicalDeliveryOfficeName: :organizationalPerson:
title: : :user:title: :organizationalPerson:
mobile: : :organizationalperson:mobile: :inetorgperson:
telephonenumber: : :organizationalperson:telephonenumber: :inetorgperson:
facsimileTelephoneNumber: : :organizationalperson:facsimileTelephoneNumber: :inetorgperson:
l: : :user:l: :organizationalperson:
# mail needs to be assigned valid value for default settings in DAS
userPrincipalName: : :user:mail: :inetorgperson:
cn: : :group:cn: :groupofuniquenames:
# displayname needs to be assigned a valid value for default settings on DAS
SAMAccountName: : :group:displayName: :orclgroup:
# Description needs tobe assigned a valid value for default settings on DAS
Description: : :group:Description: :groupOfUniqueNames:
member: : :group:uniquemember: :groupofUniqueNames:
managedby: : :group:owner: :orclprivilegegroup:
sAMAccountName: : :group:orclSAMAccountName: :orclADGroup:
2. Create the “Import Profile Configuration” listed here and save to a file named “ActiveChgImp.cfg”
Package: gsi
Reader: ActiveChgReader
SkipErrorToSyncNextChange: true
SearchDeltaSize: 500
3. Replace the “-h” OID host and “-p” port in the command below and execute:

$ORACLE_HOME/bin/dipassistant modifyprofile \
-h <oidhost> \
-p 389 \
-D cn=orcladmin \
-w <orcladmin_password> \
-profile ActiveChgImp \
odip.profile.condiraccount="ADUSERname" \
odip.profile.condirpassword=<ADUSERname_password> \
odip.profile.condirurl="activedirectoryhostname:389" \
odip.profile.configfile="ActiveChgImp.cfg" \
odip.profile.condirfilter='(|(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))'
4. On the IDM host where OID component is installed, replace the “-h” OID host and “-p” port in the command below and execute:

$ORACLE_HOME/bin/dipassistant bootstrap \
-h <oidhost> \
-p <oidport> \
-D "cn=orcladmin" \
-w <orcladmin_password> \
-profile ActiveChgImp

Check the bootstrap log file located in the $ORACLE_HOME/ldap/odi/log directory for errors. If there are no errors, voila, you are done importing all users into OID.
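
An added example (not from the original post or Oracle's tooling) that evaluates the step 3 connected-directory filter, written with its leading | (OR) operator, against sample entries to show which objects it selects and why the !(objectclass=computer) term is there. The evaluator, the entry names and their objectClass values are constructed for illustration.

```python
# Added example: tiny evaluator (&, |, ! and equality only) for the condirfilter value.
FILTER = "(|(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))"

def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op and op in "&|!":
        pos, children = pos + 1, []
        while text[pos:pos + 1] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' group near offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    item = text[pos:end]
    if end < 0 or "(" in item or "=" not in item:
        raise ValueError(f"malformed comparison near offset {pos}")
    attr, _, value = item.partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def matches(node, entry):
    """entry maps lower-case attribute names to lists of values."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(child, entry) for child in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

# Constructed sample entries. In AD a computer account also carries
# objectClass "user", which is why the filter needs the !(computer) term.
ENTRIES = {
    "OU_MYUSERS": {"objectclass": ["top", "organizationalUnit"]},
    "jdoe": {"objectclass": ["top", "person", "organizationalPerson", "user"]},
    "WKSTN01$": {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"]},
    "DBA_GROUP": {"objectclass": ["top", "group"]},
}

def selected(filter_text):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [name for name, entry in ENTRIES.items() if matches(node, entry)]

print(selected(FILTER), selected("(objectclass=user)"))
```

The first list is what the profile's filter picks up; the second shows the machine account that a bare (objectclass=user) test would also import.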

Watch out for my next post on modifying the ActiveChgImp profile, as it has some new steps in IDM version

Happy Troubleshooting !!!

Oracle 10g SSO Integration with E-Biz - Implementation

I guess you have been kept waiting for my update. But here I come. As the next step we will create the adusers container in OID so that we can load users from AD to OID under this realm.
1. Create a file “create_aduser_container.ldif” containing following lines:
dn: cn=adusers,cn=users,dc=corp, dc=mygrp, dc=com
cn: adusers
objectclass: top
objectclass: orclContainer
description: Container for Enterprise AD Users

2. On the IDM host, execute the following command after replacing the “-h” oidhost and “-p” oidport parameter:

$ORACLE_HOME/bin/ldapadd \
-c -v \
-h <oidhost> \
-p <oidport> \
-D "cn=orcladmin" \
-w <orcladmin_password> \
-f create_aduser_container.ldif

With the above step you can see container adusers in OID.

To be continued ...

Monday, August 4, 2008

Can't Publish Reports in ADI 7.2

We are using an Oracle Names server to connect to our database. Last week we had an issue publishing reports via ADI 7.2. We were getting the following error:
"An error occured while attempting to establish an Applications File Server connection.There may be a network configuration problem, or the TNS listener may not be running.Nodename : Hostname"
It is clear something is wrong with the Apps listener. We tried bouncing it, ran one report like "Active Users" and tried viewing the output. It was working, but ADI report publishing was still not working. We were clueless about what was happening; we thought the Names server might be the issue and bounced the Names server too, but that didn't help either. As is truly said, if nothing works, go and read the readme. We went and looked at how ADI selects the FNDFS values; this is how:
"ADI selects the node_name from the FND_CONCURRENT_REQUESTS table, appends that value to FNDFS_ and then looks in the TNSNAMES.ora file for 'directions' on what host to go
to and what port to ping for the FNDFS listener service"
So while checking for the node_name value we got 2 records, one for the virtual host and the other for the physical host. That cleared up our issue. We looked at our concurrent manager node name; again we had the virtual host entry in that. To resolve this without downtime, we added one more entry in the Names server for the virtual host FNDFS_. And voila, it worked. But during the weekend we took downtime to set the concurrent manager node_name back to the physical host.
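
An added example (not part of the original post or of ADI) of the lookup the readme describes: it takes the node names found for the concurrent requests and reports which ones have no FNDFS_<node> alias. It assumes the aliases live in a tnsnames.ora file; the host names, port and file content are constructed.

```python
# Added example: find node names that have no FNDFS_<node> alias defined.
import re

# Constructed tnsnames.ora content: only the physical host has an alias.
SAMPLE_TNSNAMES = """\
FNDFS_APPSPHYS01 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = tcp)(HOST = appsphys01)(PORT = 1626))
    (CONNECT_DATA = (SID = FNDFS))
  )
PROD = (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost)(PORT=1521))(CONNECT_DATA=(SID=PROD)))
"""

def tns_aliases(text):
    """Upper-cased aliases defined at the top level of tnsnames.ora text."""
    aliases, depth = set(), 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]                      # drop comments
        # An alias can only start outside any parenthesised descriptor.
        head = re.match(r"\s*([\w.,\s-]+?)\s*=", line) if depth == 0 else None
        if head:
            for alias in head.group(1).upper().split(","):  # "A, B =" defines two
                if alias.strip():
                    aliases.add(alias.strip())
                    aliases.add(alias.strip().split(".")[0])  # also without domain
        depth += line.count("(") - line.count(")")
    return aliases

def missing_fndfs(node_names, tnsnames_text):
    """Node names for which the FNDFS_<node> alias cannot be resolved."""
    defined = tns_aliases(tnsnames_text)
    return sorted(n for n in set(node_names) if f"FNDFS_{n.upper()}" not in defined)

if __name__ == "__main__":
    # Constructed node names: one physical host and one virtual host.
    print(missing_fndfs(["APPSPHYS01", "APPSVIRT"], SAMPLE_TNSNAMES))
```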

Happy Troubleshooting !!!

XML Based Concurrent Program -SSLHandshake Error

We have a concurrent program that was developed in XML and is used for printing checks in one of the locations where we operate. This issue occurs only when we have a combination of the following setup:
1. Portal 3.0.9 login server (iAS
2. Siteminder as authentication software.
3. SSL.
4. Concurrent Managers are running on Virtual Host.

The only solution I found to overcome this situation was to move our Concurrent Manager from the virtual host to the physical host. Other than that, we do not have any other problem in using the virtual host.

Happy Troubleshooting !!!