Upgrade OID to

Download Patch : 20995629

Backup Oracle home
tar -cvf OracleIDM1_backup.tar Oracle_IDM1

Backup OID instance
tar -cvf oid_inst1_backup.tar oid_inst1

Install patch 20995629
Execute from Disk1 ./runInstaller












Upgrade database schema using patch set assistant











Verify the upgrade
Check Binaries: Execute $ORACLE_HOME/OPatch/opatch lsinventory
Check Schema: select comp_name,owner,version from schema_version_registry where owner = ‘ODS’;


Weblogic State and HealthState Monitoring with Email Notification

Configure Weblogic Mail Session (Optional. Only if you want to send email alert)
1. Login to weblogic console
2. Go to Mail Sessions
3. Click New
4. Enter details Name,JNDI Name, JavaMail Properties.
JavaMail Properties:

Configure Email Notifications in Weblogic Diagnostic
Go to notifications –> click new –> Select SMTP (E-Mail) –> Click Next –> Enter Notification Name & Check Enable Notification –> Got to SMTP Properties –> Select Mail session ->Enter Email Recipients

Server State Monitoring
1. Login to weblogic console
2. Go to Diagnostic Modules
3. Click on “
Module-FMWDFW” module
4. Go to Configuration –> Watches and Notifications –> Watches
5. Click New
6. Enter Watch Name, Watch Type: Collected Metrics
7. Click Next
8. Click on Add Expressions
9. Select ServerRunTIme –> Select weblogic.management.runtime.ServerLifeCycleRuntimeMBean –> Click Next –> Click Next
6. Select Message Attribute “State”
7. Select Operator “!=”
8. Enter value RUNNING
9. Below watch rule will be generated
(${ServerRuntime//[weblogic.management.runtime.ServerLifeCycleRuntimeMBean]//State} != ‘RUNNING’)
10. ServerRuntime dies along with the managed Server. Therefore we need to DomainRuntime.
Edit rule manually replace ServerRuntime with DomainRuntime
(${DomainRuntime//[weblogic.management.runtime.ServerLifeCycleRuntimeMBean]//State} != ‘RUNNING’)
11. Click Next
12. Select Alarm (if required. Used for not spamming email)
13. Select the notifications
14. Click Finish

Health State Monitoring
Stuck thread is very common issue with weblogic servers. Below is a good article on dealing with stuck threads.
We had a requirement to capture server healthstate for stuck thread. By default healthstate is not collected from diagnostic module. A harvester must be created to gather healthstate data.
1. Go to Weblogic Console –> Diagnostic Modules
2. Configuration tab –> Collected Metrics tab
3. Click new
4. Select ServerRuntime –> Select weblogic.management.runtime.ThreadPoolRuntimeMBean
5. Add Attribute Expression as “HealthState.State”  (without quotes)
6. Select the Server Instance
7. Click Finish

Now create a watch rule to compare harvested attribute value
8. Now go to Watches and Notifications tab –> Watches –> Click New
9. Enter Name, Watch Type: Collected Metrics
10. Add Watch Rule
(${ServerRuntime//[weblogic.management.runtime.ThreadPoolRuntimeMBean]com.bea:Name=ThreadPoolRuntime,ServerRuntime=osb_InstSvr_1a,Type=ThreadPoolRuntime//HealthState.State} != 0)
11. For creating above rule you can select Add Expressions –> ServerRuntime –> weblogic.management.runtime.ThreadPoolRuntimeMBean –> Select instance –> Attribute Expression: HealthState.State –> Operator: != –> Value: 0)
12. Select Alarm (if required. Used for not spamming email)
13. Select the notifications
14. Click Finish


WildCard file server.pfx (format PKCS)Generate Java Keystore from WildCard

keytool -v -importkeystore –srckeystore server.pfx -srcstoretype PKCS12 -destkeystore yournewkeystore.jks -deststoretype JKS

Create new wallet
mw_home\oracle_common\bin\orapki wallet create -wallet ./ -pwd “mypassword”

Convert to wallet
orapki wallet jks_to_pkcs12 -wallet ./ -pwd “mypassword” -keystore ./yournewkeystore.jks -jkspwd “mypassword”

A new wallet file ewallet.p12 will be created.

Use this wallet for SSL in OHS. It can be configured using wallet manager or weblogic enterprise manager.

Below is procedure to import from enterprise manager.
1. Login to Enterprise manager
2. Go to WebTier –> Right Click on OHS component –> Security –> Wallets
3. Click Import
4. Choose File ewallet.p12, uncheck Auto-Login, specify wallet password (mypassword in create wallet step) password
5. Click Ok
6. Go to WebTier –> Right Click on OHS component –> Virtual Hosts
7. Select SSL port virtual host, Select SSL Configuration from drop down
8. Under Server Wallet Name, select the new created wallet, click on OK
9. Restart OHS

Weblogic SSL WildCard Configuration

Weblogic 10.3.6 +
WildCard file server.pfx (format PKCS)Generate Java Keystore from WildCard

Generate Java Keystore from WildCard
1. Source environment

2. Use OpenSSL to check the pfx certificate’s content.
openssl pkcs12 -in server.pfx -out KEYSTORE.pem –nodes

3. Open KEYSTORE.pem file from step 2. You should find three certificates in it and the private key.
a. Private Key. To identify the private key, look for the following headings:

b. Root Certificate. To identify the Root Certificate, look for the following headings:
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Subject and issuer must be the same. Save the content of it into a file called my_key_root.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE.

c. Intermediate Certificate. To identify an Intermediate Certificate, look for the following heading:
subject=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Subject and issuer are different only on the CN. Save the content of it into a file called my_key_intermediate.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE.

NOTE: This certificate is optional and there are some cases where it will not be present. If this is the case, go ahead and skip this step. In any other case, this needs to be added to the identity keystore jks file.

d. Server Certificate. To identify a Server Certificate, look for the following heading:
friendlyName: some.thing.com
subject=/serialNumber=sj6QjpTjKcpQGZ9QqWO-pFvsakS1t8MV/C=US/ST=Missouri/L=CHESTERFIELD/O=Oracle_Corp, Inc./OU=Oracle/CN=some.thing.com

A server certificate includes a heading called Friendly Name. Go ahead and save the content of it into a file called my_key_crt.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE.

4. Create a Trust Keystore and import the Root certificate into it.
keytool -import -trustcacerts -file my_key_root.pem -alias my_key_root -keystore my_key_trust.jks -storepass <store_pass> -keypass <key_pass>

5. Generate an Identity Keystore and import the private key into it.
java utils.ImportPrivateKey -keystore my_key_identity.jks -storepass <store_pass> -storetype JKS -keypass <key_pass> -alias server_identity -certfile my_key_crt.pem -keyfile my_key_pk.pem -keyfilepass <pfx_password>

With these instructions, two jks files will be produced:
my_key_identity.jks & my_key_trust.jks

Configure WebLogic Server To Support Wildcard Certificates
1. Navigate to Home->Summary of Servers->ServerName
a. go to SSL tab
b. Click on Advanced
2. Lock and Edit
3. Set the Hostname Verification field to Custom Hostname Verifier.
4. Enter the name of the implementation of the weblogic.security.utils.SSLWLSWildcardHostnameVerifier interface in the Custom Hostname Verifier field.
5. Click Save.
6. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
7. Restart Server

Configure Weblogic SSL
Follow below steps to configure weblogic server to use above keystores:
1. Login to admin console
2. Navigate to servers>[server_name]>Configuration>Keystores
3. Select Custom Identity and Custom Trust and provide below details:
a. -Custom Identity Keystore: /path/to/my_key_identity.jks
b. -Custom Identity Keystore Type: jks
c. -Custom Identity Keystore Passphrase:<password>
d. -Confirm Custom Identity Keystore Passphrase:<password>
e. -Custom Trust Keystore: /path/to/my_key_trust.jks
f. -Custom Trust Keystore Type: jks
g. -Custom Trust Keystore Passphrase:<password>
h. -Confirm Custom Trust Keystore Passphrase:<password>
4. Then click on SSL tab next to Keystores and provide values for below parameters:
a. -Private Key Alias: server_identity
b. -Private Key Passphrase: <password>
c. -Confirm Private Key Passphrase: <password>
5. Then enable SSL port for that particular weblogic server by navigating servers>[server_name]>Configuration>General
6. Enable SSL port for that particular weblogic server by navigating servers>[server_name]>Configuration>General
7. Save and activate changes.

Note: If SSL port is enabled for first time you need to restart server.

Automated deployment of OIM 11gR2 PS3

For Oracle Identity and Access Management 11g Release 2 (, the LCM Tools automated installation capabilities are available only for single-host scenarios. The tools can be used to evaluate and test the Oracle Identity and Access Management software and should be used for proof-of-concept and demonstration purposes only.

OIM only topology: https://docs.oracle.com/cd/E52734_01/core/IDMPV/intro.htm#IDMPV113

When you download and unpack the archives for Deployment Repository distribution, you end up with a directory structure that contains a software repository. Within this repository are all the software installers required to install and configure Oracle Identity Manager, as well as the Oracle Identity and Access Management Life Cycle Management Tools.

Directory Structure: https://docs.oracle.com/cd/E52734_01/core/IDMPV/preprov.htm#IDMPV109


System Requirements
OS: Oracle Linux 7
Kernel Parameters (file location /etc/sysctl.conf)

kernel.sem=256 32000 100 142
kernel.shmmax=10737418240 or higher

Run as root

/sbin/sysctl -p

Open File Limit (file location /etc/security/limits.conf)

* soft  nofile  4096
* hard  nofile  65536
* soft  nproc   2047
* hard  nproc   16384

Reboot machine to reflect limits

Installation Screenshots

Run installer from


Screenshot from 2015-06-09 19%3A20%3A53

Note: If below error encountered install lsb rpms (yum install lsb)

Cannot run program “lsb_release”: error=2, No such file or directory

Screenshot from 2015-06-09 19%3A22%3A23

Screenshot from 2015-06-09 19%3A23%3A26

Screenshot from 2015-06-09 19%3A23%3A34

Screenshot from 2015-06-09 19%3A23%3A51

Screenshot from 2015-06-09 19%3A24%3A06

Screenshot from 2015-06-09 19%3A24%3A10

Screenshot from 2015-06-09 19%3A25%3A54

Screenshot from 2015-06-09 19%3A25%3A58

Screenshot from 2015-06-12 11%3A17%3A12

Screenshot from 2015-06-12 10%3A54%3A24

Screenshot from 2015-06-12 10%3A54%3A34

Screenshot from 2015-06-12 10%3A54%3A48

Screenshot from 2015-06-12 10%3A55%3A19

Screenshot from 2015-06-12 10%3A55%3A30

Screenshot from 2015-06-12 10%3A55%3A42

Screenshot from 2015-06-12 11%3A01%3A10

Screenshot from 2015-06-12 11%3A02%3A40

Screenshot from 2015-06-12 11%3A02%3A53

Screenshot from 2015-06-12 11%3A03%3A38

Screenshot from 2015-06-12 11%3A05%3A32

Screenshot from 2015-06-12 11%3A05%3A39

Screenshot from 2015-06-12 11%3A05%3A45

Screenshot from 2015-06-12 11%3A05%3A59

Screenshot from 2015-06-12 11%3A06%3A11

Screenshot from 2015-06-12 11%3A17%3A12

Screenshot from 2015-06-12 11%3A17%3A27

Screenshot from 2015-06-12 11%3A17%3A43

Screenshot from 2015-06-12 11%3A17%3A51

Screenshot from 2015-06-12 11%3A17%3A58

Screenshot from 2015-06-12 11%3A18%3A03

Screenshot from 2015-06-12 11%3A18%3A08

I encountered below error

Screenshot from 2015-06-12 11%3A20%3A28

Screenshot from 2015-06-12 11%3A20%3A36

Screenshot from 2015-06-12 11%3A21%3A01

Screenshot from 2015-06-12 11%3A21%3A11

Screenshot from 2015-06-12 11%3A22%3A39

Screenshot from 2015-06-12 11%3A22%3A55

Screenshot from 2015-06-12 11%3A26%3A28

Complete the action plan given in above health check screen shot. Close the installer (clean up and restore). Restart installer with same deployment response file.

Screenshot from 2015-06-12 13%3A31%3A46

Screenshot from 2015-06-12 14%3A02%3A15

Screenshot from 2015-06-12 14%3A49%3A46

Screenshot from 2015-06-12 15%3A25%3A57

Screenshot from 2015-06-12 16%3A02%3A27

Screenshot from 2015-06-12 16%3A21%3A56

Screenshot from 2015-06-12 17%3A59%3A41

Screenshot from 2015-06-12 18%3A01%3A31

Screenshot from 2015-06-12 18%3A01%3A41

Screenshot from 2015-06-12 18%3A01%3A48

Reset The Last Applied Change Number in a Provisioning Profile

Issue faced
EBS provisioning profile trying to retrieve number of changes are more than size limit. Time to search all changes taken more than 3600ms i.e maximum time allowed for a search to complete.


You can check above configuration from enterprise manager or check “orcltimelimit “ “orclsizelimit” in cn=oid,cn=osdldapd,cn=subconfigsubentry


ldapsearch -h <hostname> -p <port> -D cn=orcladmin -w xxxxxx -b “” -s base “objectclass=*” lastchangenumber

ldapsearch -h <hostname> -p <port> -D cn=orcladmin -w xxxxxx -b “cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory” -s sub objectclass=* | grep orcllastappliedchangenumber

lastchangenumber – orcllastappliedchangenumber > Maximum number of entries to be returned by search


Reset the last applied change number in provisioning profile.

oidprovtool operation=modify ldap_host=”<hostname>” ldap_port=”<port>” \
ldap_user_dn=”cn=orcladmin” ldap_user_password=”xxxx” application_dn= \

At prompt, enter following details
Interface Connection information –> <Apps_DB_host>:<Apps_DB_Port>:<Apps_SID>:<Apps_schema_user>:<apps_password>