Oracle web tier apply patch set 11.1.1.9 to existing 11.1.1.7

Backup complete 11.1.1.7 home

cd $MW_HOME

tar -cvf Oracle_WT1_backup.tar Oracle_WT1

Note: run tar as root so that all files are backed up

Download 11.1.1.9 patchset – patch 20995453

Unzip the archive and go to the Disk1 folder

unzip p20995453_111190_Linux-x86-64.zip

Run the installer

cd Disk1

./runInstaller

Choose “Install software – Do Not Configure”

Specify the Installation Location and finish the installer

Verify

$ORACLE_HOME/OPatch/opatch lsinventory

Oracle Interim Patch Installer version 11.1.0.11.0
Copyright (c) 2018, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/product/oracle/Middleware_Webtier/Oracle_WT1
Central Inventory : /u01/app/oraInventory
    from           : /u01/product/oracle/Middleware_Webtier/Oracle_WT1/oraInst.loc
OPatch version    : 11.1.0.11.0
OUI version       : 11.1.0.9.0
Log file location : /u01/product/oracle/Middleware_Webtier/Oracle_WT1/cfgtoollogs/opatch/opatch2018-02-27_11-15-21AM_1.log

OPatch detects the Middleware Home as "/u01/product/oracle/Middleware_Webtier"

Lsinventory Output file location : /u01/product/oracle/Middleware_Webtier/Oracle_WT1/cfgtoollogs/opatch/lsinv/lsinventory2018-02-27_11-15-21AM.txt

--------------------------------------------------------------------------------
Installed Top-level Products (1):

Oracle WebTier and Utilities CD                                      11.1.1.9.0
There are 1 products installed in this Oracle Home.

Start the OHS instance

$INSTANCE_HOME/bin/opmnctl startall

$INSTANCE_HOME/bin/opmnctl status

Processes in Instance: ohs1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
ohs1                             | OHS                |   33731 | Alive

If the web tier is associated with a WebLogic domain, follow the step below

cd $ORACLE_HOME/opmn/bin

./upgradenonj2eeapp.sh -oracleInstance Instance_Home_Location \
  -adminHost WebLogic_Server_Host_Name \
  -adminPort administration_server_port_number \
  -adminUsername administration_server_user


Oracle HTTP Server 11.1.1.9 – Update SSLProtocol to TLS v1.2

TLS v1.1 and v1.2 are significantly more secure and fix many vulnerabilities present in SSL v3.0 and TLS v1.0.

OHS 11.1.1.9 supports TLSv1.1 and TLSv1.2. This post covers the steps to configure the OHS SSL protocols to support TLSv1.2 only and disable all other protocols.

Check protocols and ciphers supported
You can use the nmap command below to check the currently supported protocols and ciphers

nmap --script ssl-enum-ciphers -p <SSL_PORT> <HOSTNAME>

Update SSLProtocol
Go to $ORACLE_INSTANCE/config/OHS/<OHS_name>/ssl.conf
Edit SSLProtocol as below

SSLProtocol +TLSv1.2

Optional: You can add or update SSLCipherSuite as well

SSLCipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256

For list of supported SSLCipherSuite check https://docs.oracle.com/middleware/11119/webtier/releasenotes-ohs/toc.htm

Save the file and restart the OHS instance

Verify the change
Verify again by running the same nmap command; only TLSv1.2 should be listed
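As an added check that is not part of the original post, the Python script below audits an Apache/OHS-style ssl.conf fragment for the two directives changed above: it resolves SSLProtocol to the set of enabled versions and reports anything other than TLSv1.2, flags cipher suites with broken primitives, and separately lists suites that use static RSA key exchange (no forward secrecy), which applies to all four suites in the recommended SSLCipherSuite value. The two configuration fragments are constructed samples, not taken from any real server.

```python
# Protocol names as they appear in an Apache/OHS SSLProtocol directive.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ALLOWED_PROTOCOLS = {"TLSv1.2"}
# Substrings marking a cipher suite as broken or obsolete.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")

def parse_directives(conf):
    """Map directive name -> argument string, skipping blank and comment lines."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
    return directives

def enabled_protocols(args):
    """Resolve an SSLProtocol value ('all', '+X', '-X' or bare names) to the enabled set."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-")
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def cipher_suites(args):
    """Split a comma-separated SSLCipherSuite value into individual suite names."""
    return [s for s in (p.strip() for p in args.split(",")) if s]

def audit_ssl_conf(conf):
    """Return findings; an empty list means TLSv1.2 only and no weak suites."""
    d = parse_directives(conf)
    protos = enabled_protocols(d.get("SSLProtocol", ""))
    findings = [] if protos else ["SSLProtocol missing: server default applies"]
    findings += [f"legacy protocol enabled: {p}" for p in sorted(protos - ALLOWED_PROTOCOLS)]
    findings += [f"weak cipher suite: {s}" for s in cipher_suites(d.get("SSLCipherSuite", ""))
                 if any(m in s for m in WEAK_MARKERS)]
    return findings

def suites_without_forward_secrecy(conf):
    """Static-RSA suites (no ECDHE/DHE): recorded sessions are exposed if the server key leaks."""
    return [s for s in cipher_suites(parse_directives(conf).get("SSLCipherSuite", ""))
            if "DHE" not in s]

# Constructed sample fragments: a permissive one and the TLSv1.2-only one from this post.
WEAK_CONF = ("SSLEngine on\nSSLProtocol all -SSLv2\n"
             "SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA\n")
HARDENED_CONF = ("SSLEngine on\nSSLProtocol +TLSv1.2\n"
                 "SSLCipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,"
                 "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256\n")
```

Run audit_ssl_conf on the ssl.conf contents before and after the change; the hardened fragment yields no findings, while suites_without_forward_secrecy still returns all four TLS_RSA suites.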

Best Practice for IAM Projects

Identity, Security & Me

I was recently asked to provide some best practice advice for Identity Management projects. This got me thinking and led me to write down some recommendations. I thought it might be useful to share my thoughts.

Identity Management has been delivering business value within organisations for many years. Over that time, thousands of deployments have enabled a number of lessons to be learned which can help organisations ensure that they are not taking an approach which will work against recognised good practice and cause problems as Identity requirements evolve.

Traditionally, Identity Management projects have been seen as complex, expensive and never-ending. Many people are looking to the Cloud to simplify identity management. Whilst the Cloud can introduce speed and agility into an IAM project, there are still fundamental challenges which must be addressed. The Cloud can help simplify the technology, however, as with most business transformation projects; the technology is…


OAM 11gR2PS3 Multi Factor Authentication – Adaptive Authentication Service

The Adaptive Authentication Service offers stronger multifactor (also referred to as second factor) authentication for sensitive applications that require additional security in addition to the standard user name and password type authentication.

The second factor can be a One Time Pin (OTP) or an Access Request (or push) Notification. After an initial successful user/password authentication, a Second Factor Authentication page is displayed from which the user selects the preferred method of second factor authentication.
The following options are available:

  • OTP from Oracle Mobile Authenticator

  • OTP through SMS

  • OTP through Email

  • Access Request Notification from Oracle Mobile Authenticator

To use Oracle Mobile Authenticator with this post, you must first complete steps 1, 2, 7, 8 and 9 from the post below
https://oraidam.wordpress.com/2018/01/29/integrate-oam-11g-r2-ps3-and-oracle-mobile-authenticator/

In this post we will configure OAM for multi factor authentication with OTP through Email or SMS or Oracle Mobile Authenticator.

1. Enable “Adaptive Authentication Service”: log in to the OAM console -> Configuration -> Available Services

2. Configure AdaptiveAuthenticationPlugin
Click on Authentication Plugins in the OAM Console
Search for the plugin and click on it to edit its properties

3. Edit below properties in AdaptiveAuthenticationPlugin

SFATypes
Totp:Sms:Email:Push

UmsAvailable
true

UmsClientUrl
http://identity.oracleads.com:8001/ucs/messaging/webservice

EmailMsgFrom
workflow.admin@oracleads.com

Totp_Enabled
true

Email_Enabled
true

Sms_Enabled
true

EmailField
mail

PhoneField
mobile

TotpSecretKeyAttribute
description

Click on Save
Make the same changes in

4. Add credentials for UMS in the WebLogic domain
Log in to WebLogic Enterprise Manager, go to domain -> Security -> Credentials
Expand OAM_CONFIG and click on Create Key
Create the key named umsKey with the UMS user credentials and click OK.

5. Protect the resource
Go to the application domain
Go to Authentication Policies -> Protected Resource Policy
Go to Advanced Rules -> Post Authentication and click on Add
Click Add and then click on Apply

Testing:
As mentioned in the configuration, make sure all the attributes below are populated in the user profile so that all options can be tested.
EmailField: mail
PhoneField: mobile
TotpSecretKeyAttribute: description
The description attribute is populated automatically when you set up Oracle Mobile Authenticator as specified in steps 8 and 9 of https://oraidam.wordpress.com/2018/01/29/integrate-oam-11g-r2-ps3-and-oracle-mobile-authenticator/

Now access the requested resource; you will be prompted to log in with username and password for first factor authentication.
Supply the username and password and click on Login. After a successful login you will be prompted to choose an option for second factor login.
Select the option and click on OK.
Then supply the PIN for second factor authentication and click Login to access the protected resource.

Demo: https://youtu.be/LiP1O99EUGU

Weblogic 12c Server State and Health State Monitoring with Email Notification

Configure WebLogic Mail Session (Optional: only if you want to send email alerts)
1. Log in to the WebLogic console
2. Go to Mail Sessions
3. Click New
4. Enter the details: Name, JNDI Name, JavaMail Properties.

mail.port=25
mail.user=weblogic
mail.host=xx.xx.xx.xx
mail.transport.protocol=smtp
mail.from=weblogic

Configure Email Notifications in WebLogic Diagnostics
Go to WebLogic Console -> Diagnostic Modules -> Select Module “Module-FMWDFW” -> Configuration -> Policies and Actions -> Actions
Click New -> Select SMTP (E-Mail) -> Click Next -> Enter Notification Name and check Enable Notification -> Go to SMTP Properties -> Select Mail Session -> Enter Email Recipients

Server State Monitoring
1. Go to WebLogic Console -> Diagnostic Modules -> Select Module “Module-FMWDFW” -> Configuration -> Policies and Actions -> Policies
2. Click New. Enter the details as below

Name: ServerStateWatch
Policy Type: Collected Metrics
Enable Policy: checked

Add the rule expression below, where slc.state is the state of the server and slc.name is the name of the server

wls.domainRuntime.domain.serverLifeCycleRuntimes.stream().anyMatch(slc ->
((slc.state != 'RUNNING') and ( (slc.name == 'AdminServer') or (slc.name == 'ManagedServer1') ) ))

Then choose the schedule and alarms on the next screen as required. Under Actions, select the email notification created in the earlier step.

Health State Monitoring
Go to WebLogic Console -> Diagnostic Modules -> Select Module “Module-FMWDFW” -> Configuration -> Policies and Actions -> Policies

Click New. Enter the details as below

Name: ThreadPoolStateWatch
Policy Type: Collected Metrics
Enable Policy: checked

Add the rule expression below, where state is the health state of the server's thread pool and serverName is the name of the server

wls.domainRuntime.lookupServerRuntime(serverName='AdminServer').threadPoolRuntime.healthState.state != 0 or wls.domainRuntime.lookupServerRuntime(serverName='ManagedServer1').threadPoolRuntime.healthState.state != 0

Then choose the schedule and alarms on the next screen as required. Under Actions, select the email notification created in the earlier step.

OAAM Second Factor Authentication – OTP via Email or SMS

Pre-Requisite: OAAM Advanced TAP Integration with OAM
https://oraidam.wordpress.com/2018/02/14/oaam-advanced-integration-with-oam-tap-integration/

Enable OTP Anywhere Registration
Set the properties below to true

bharosa.uio.default.register.userinfo.enabled
bharosa.uio.default.userpreferences.userinfo.enabled

Log in to the OAAM admin console and go to Properties

Setting Properties in OAAM for User Messaging Service
Set the properties below

bharosa.uio.default.ums.integration.webservice
http://identity.oracleads.com:8001/ucs/messaging/webservice

bharosa.uio.default.ums.integration.useParlayX
false

bharosa.uio.default.ums.integration.userName
workflow.admin@oracleads.com

bharosa.uio.default.ums.integration.password
Oracle123

bharosa.uio.default.ums.integration.fromAddress
workflow.admin@oracleads.com

bharosa.uio.default.otp.optOut.enabled
true

SMS & Email Properties

bharosa.uio.default.challenge.type.enum.ChallengeEmail.available
true

bharosa.uio.default.userinfo.inputs.enum.email.enabled
true

bharosa.uio.default.challenge.type.enum.ChallengeSMS.otp
true

bharosa.uio.default.userinfo.inputs.enum.mobile.enabled
true

bharosa.uio.default.userinfo.inputs.enum.mobile.required
true

Configuring OTP Presentation (Optional)
If you intend to change the OTP device used for the challenge to a pin pad, change the property below

bharosa.uio.default.ChallengeEmail.authenticator.device
DevicePinPad

Restart OAAM managed server for properties to take effect.

Configure OAAM Policy for Second Factor Authentication
Go to Policies and select the OAAM Post Authentication Security policy
Go to Rules and add a new rule
Now go to the OAAM Challenge group.
Change the actions as follows
Now go to the OAAM Challenge Policy
Update the Trigger Combinations tab as below and click on Apply

Testing
Demo: https://youtu.be/uHuhgaGmpQI

OAAM Strong Authentication – Knowledge Based Authentication (KBA)

Pre-Requisite: OAAM Advanced TAP Integration with OAM
https://oraidam.wordpress.com/2018/02/14/oaam-advanced-integration-with-oam-tap-integration/

KBA is a secondary authentication method. It is presented after successful primary authentication (for example, a user entering single-factor credentials such as a user name and password) to improve authentication strength.

The KBA solution consists of securing an application using a challenge/response process where users are challenged with one or more questions to proceed with their requested sign-on, transaction, service, and so on.

Log in to the OAAM admin console
Go to Policies -> OAAM Post Authentication Security
Go to the Rules tab and click on +
Enter the information as below
Add a condition
Click Apply
Now go to OAAM Challenge Policy -> Trigger Combinations
Change the 3rd trigger as shown below and apply

Testing
Request the protected resource
http://identity.oracleads.com:7777