Tuesday, September 16, 2008

No Responsibilities Are Available For The Given Connection Details At Login

We had a weird issue today after an upgrade. Some of the users complained that after upgrading to Discoverer version 10.1.2.2 they were not able to log in and were getting the error "No Responsibilities Are Available For The Given Connection Details At Login". This was strange for us too, as some of them were able to log in and some were not. I tested their logins, responsibility end dates, etc. Then I thought of checking for a bug and went to Metalink. And yes, it is a bug: it is mentioned in Note 466188.1, which suggests applying patch 6146747 (47MB). But we did not have time to apply this patch while production was live, so we needed to find a workaround. Guess what? Nothing big: we just added the "Notification" responsibility to all users having only one responsibility against their username. So we fooled the bug and it worked :-)

Happy Troubleshooting !!!

BIB-7000 Cannot access X Server

We had this issue while we did the 11.5.10.2 upgrade last week. It was a hectic weekend, but with the help of my partner Apps DBA we made it easy and delivered the instance 11hrs before the actual outage. So, coming to the issue: I mentioned the Xvfb setup on our production env admin node in one of my previous posts. The DISPLAY variable was working fine and we didn't have any issues with DISPLAY, but we were getting the "BIB-7000 Cannot access X Server" message while accessing graphs in Workflow pages from OAM.
While investigating, we realized this error was coming from the Application tier, where we did not have a setting for DISPLAY, or rather it was set to somewhere else which was not working. As we didn't want to run Autoconfig again, we changed the DISPLAY variable in the jserv.properties file to our admin node display setting and bounced Apache. Voila, it worked.

Happy Troubleshooting !!!

Thursday, September 11, 2008

WNA Config with IDM version 1.4.0.1

The last part we missed in our 10g iAS integration setup was configuring WNA (Windows Native Authentication) using Kerberos, which helps you avoid any challenge related to credentials. Here we go:
1. Have the Solaris administrator update the krb5.conf file as below
[libdefaults]
default_realm = DOMAINNAME.COM
clockskew = 300

[realms]
DOMAINNAME.COM = {
kdc = activedirectoryservername.com
kdc = activedirectoryservername.com
}
[domain_realm]
.domainname.com = DOMAINNAME.COM
domainname.com = DOMAINNAME.COM

2. Have the AD administrator create a service account for the OracleAS Single Sign-On server in Microsoft Active Directory. The AD administrator will then need to create a keytab file for the server and map the service principal (the server) to the account name. The keytab file stores the server's secret key and enables the server to authenticate to the KDC. The service principal is the entity, in this case the single sign-on server, to which the KDC grants session tickets. The keytab file is generated using the KTPASS command executed on the AD host.

Ktpass.exe /princ HTTP/@DOMAINNAME.COM
/mapuser
/pass
/mapop set
+desonly
/ptype KRB5_NT_PRINCIPAL
/kvno 1
/crypto DES-CBC-CRC
/out sso.keytab

The AD Administrator will provide the keytab file which needs to be “binary” ftp’d or copied to SSO mid-tier (where OC4J_SECURITY runs) in $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory.

3. Back up the following SSO files:
$ORACLE_HOME/sso/conf/policy.properties
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml
$ORACLE_HOME/opmn/conf/opmn.xml

4. Configure WNA using ossoca.jar

$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoca.jar wna \
-mode sso \
-oh $ORACLE_HOME \
-ad_realm DOMAINNAME.COM \
-kdc_host_port \
-verbose

Check the login at https://hostname.domainname.com:4443/pls/orasso and click login. It should take you in without any challenge. If it works, you are done.
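
An added example, not part of the original post: a check that can be run on the keytab from step 2 before it is placed in the OC4J_SECURITY config directory. It parses the MIT keytab format, confirms the expected principal and kvno, and flags single-DES keys such as the DES-CBC-CRC key the Ktpass command above produces. The function names, the sample built from the page's placeholder names and the all-zero key are constructed for illustration.

```python
import struct

# Kerberos enctype numbers; 1-3 are single DES, deprecated by RFC 6649.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 2, 3}

def _counted(rec, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT-format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("bad keytab header (was the file copied in binary mode?)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):         # realm first, then the name components
            name, off = _counted(rec, off)
            names.append(name)
        kvno, etype, keylen = struct.unpack_from(">BHH", rec, off + 8)  # after name type + timestamp
        off += 13 + keylen
        if len(rec) - off >= 4:            # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def audit(data, principal, kvno):  # problems with a keytab expected to hold principal at kvno
    entries = parse_keytab(data)
    findings = ["%s kvno %d uses single-DES %s" % (p, k, ENCTYPES[e])
                for p, k, e in entries if e in WEAK]
    if (principal, kvno) not in [(p, k) for p, k, _ in entries]:
        findings.append("no entry for %s kvno %d" % (principal, kvno))
    return findings

def build_entry(realm, parts, kvno, etype, key):  # builds constructed test data
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(parts)) + b"".join(s(x.encode()) for x in [realm] + parts)
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">H", etype) + s(key)
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/hostname.domainname.com@DOMAINNAME.COM"  # constructed from the page's placeholders
SAMPLE = b"\x05\x02" + build_entry("DOMAINNAME.COM", SPN.split("@")[0].split("/"), 1, 1, bytes(8))
```

Calling audit() on the bytes of the real sso.keytab, with the service principal and kvno given to Ktpass, returns an empty list only when the entry is present and no key is single DES.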

Happy Troubleshooting !!!