Avoid password prompt when using startComponent.sh - 12c

With the 12c release, identity management components such as OID, OUD and OHS that are installed and configured in collocated mode are started with startComponent.sh and stopped with stopComponent.sh, both located in $DOMAIN_HOME/bin.

However, both scripts prompt for the Node Manager password every time they are run.


The prompt can be avoided by adding the storeUserConfig option. This stores the Node Manager credentials in an encrypted user-config file plus a separate key file (by default under the OS user's home directory), and later runs read them instead of prompting. The key file is what decrypts the credentials, so the pair is only as safe as the permissions on those files: anyone who can read both can start and stop every component in the domain through Node Manager. Keep them owned by the oracle user with mode 600, and leave them out of backups and shared locations.

[oracle@oel1 bin]$ ./startComponent.sh oid1 storeUserConfig


Once the credentials are stored, you can run start or stop without the password prompt.

[oracle@oel1 bin]$ ./stopComponent.sh oid1
[oracle@oel1 bin]$ ./startComponent.sh oid1

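As an added example (not part of the original post), the bash check below confirms that the files storeUserConfig writes are readable by the owning OS user only. The file paths are passed in as arguments, because the exact names depend on the domain; the check itself is generic and works on any file.

```shell
#!/bin/bash
# Added example (not from the page): verify that credential files written by
# "startComponent.sh <component> storeUserConfig" are owned by the current OS
# user and carry no group/other permissions. Paths are arguments; use whatever
# user-config and key file names storeUserConfig reported on your system.

check_cred_file_perms() {
    local f="$1" mode owner
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    # ls -ld prints e.g. "-rw-------. 1 oracle oinstall ..."; characters 2-10
    # are the owner/group/other permission triplets, field 3 is the owner.
    mode=$(ls -ld "$f" | cut -c2-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" != "$(id -un)" ]; then
        echo "wrong owner ($owner): $f"
        return 1
    fi
    case "$mode" in
        ???------) echo "ok ($mode): $f"; return 0 ;;
        *)         echo "group/other can access ($mode): $f"; return 1 ;;
    esac
}

# Tighten a file that failed the check (owner read/write only) and re-check it.
lock_down_cred_file() {
    chmod 600 "$1" && check_cred_file_perms "$1"
}

# Usage: ./check_nm_creds.sh /path/to/user-config-file /path/to/key-file
for f in "$@"; do
    check_cred_file_perms "$f" || lock_down_cred_file "$f"
done
```

Run it as the oracle user after the first storeUserConfig run, and again after any restore from backup, since tar and cp as root commonly change ownership or mode.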

Oracle Access Management WebGate on OHS 12c

Prerequisites:
– OAM 12c installed and configured : https://oraidam.wordpress.com/2018/03/10/oracle-access-manager-12c-12-2-1-3-in-collocated-mode/
– OHS 12c installed and configured : https://oraidam.wordpress.com/2018/03/10/oracle-http-server-12c-12-2-1-3-in-collocated-mode/

Configure WebGate on OHS 12c

[oracle@oel1 deployWebGate]$ cd /u01/oracle/product/Oracle_Home/webgate/ohs/tools/deployWebGate

[oracle@oel1 deployWebGate]$ ./deployWebGateInstance.sh -w /u01/oracle/config/Domain_Home/ODS_Domain/config/fmwconfig/components/OHS/ohs1 -oh /u01/oracle/product/Oracle_Home


Verify webgate directory

[oracle@oel1 deployWebGate]$ cd /u01/oracle/config/Domain_Home/ODS_Domain/config/fmwconfig/components/OHS/ohs1
[oracle@oel1 ohs1]$ ll


Edit HTTP conf file

[oracle@oel1 InstallTools]$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u01/oracle/product/Oracle_Home/lib

[oracle@oel1 InstallTools]$ cd /u01/oracle/product/Oracle_Home/webgate/ohs/tools/setup/InstallTools/

[oracle@oel1 InstallTools]$ ./EditHttpConf -w /u01/oracle/config/Domain_Home/ODS_Domain/config/fmwconfig/components/OHS/ohs1 -oh /u01/oracle/product/Oracle_Home


Register the WebGate with OAM

Log in to the OAM console
http://oel1.mylab.com:7011/oamconsole

Click SSO Agent Registration.
Specify Agent Type as Webgate and click Next.
Fill in the WebGate details (agent name, base URL, security mode, host identifier and the resources to protect). The Open security mode sends WebGate-to-OAM-server traffic unencrypted, so use Simple or Cert mode anywhere other than a lab.
Click Finish.
Then click Download and save the registration zip file.

Copy the zip file to ohs_instance/webgate/config and unzip

[oracle@oel1 Downloads]$ cp OHS12c_WebGate.zip /u01/oracle/config/Domain_Home/ODS_Domain/config/fmwconfig/components/OHS/ohs1/webgate/config/
[oracle@oel1 Downloads]$ cd /u01/oracle/config/Domain_Home/ODS_Domain/config/fmwconfig/components/OHS/ohs1/webgate/config/
[oracle@oel1 config]$ unzip OHS12c_WebGate.zip

Unzip inside webgate/config itself; unzipping in Downloads leaves the registration artifacts where the WebGate cannot find them.

Restart the servers

[oracle@oel1 Downloads]$ cd /u01/oracle/config/Domain_Home/ODS_Domain/bin/
[oracle@oel1 bin]$ ./stopComponent.sh ohs1
[oracle@oel1 bin]$ ./stopManagedWebLogic.sh oam_policy_mgr1
[oracle@oel1 bin]$ ./stopManagedWebLogic.sh oam_server1
[oracle@oel1 bin]$ ./stopWebLogic.sh

[oracle@oel1 bin]$ nohup ./startWebLogic.sh &
[oracle@oel1 bin]$ nohup ./startManagedWebLogic.sh oam_server1 &
[oracle@oel1 bin]$ nohup ./startManagedWebLogic.sh oam_policy_mgr1 &
[oracle@oel1 bin]$ ./startComponent.sh ohs1

The script names are case-sensitive (stopWebLogic.sh, startWebLogic.sh), and the start scripts block the terminal unless backgrounded. Wait for the admin server to report RUNNING before starting the managed servers, and for oam_server1 before starting ohs1.

Test
Access OHS: http://oel1.mylab.com:7777
The user is redirected to the OAM login page.

Oracle HTTP Server 12c 12.2.1.3 in collocated mode

Installing OHS 12c in collocated mode requires installing the Oracle Fusion Middleware Infrastructure first, followed by the OHS 12c installation and configuration.

See the section "Install Infrastructure 12c" in the post below for installing the Fusion Middleware Infrastructure:
https://oraidam.wordpress.com/2018/03/08/oracle-internet-directory-12c-12-2-1-3-in-collocated-mode/

Then follow the steps below to install and configure OHS 12c.

Install OHS 12c

[oracle@oel1 OHS12c]$ unzip fmw_12.2.1.3.0_ohs_linux64_Disk1_1of1.zip
[oracle@oel1 OHS12c]$ ./fmw_12.2.1.3.0_ohs_linux64.bin


Configure HTTP Server

[oracle@oel1 OHS12c]$ cd /u01/oracle/product/Oracle_Home/oracle_common/common/bin/
[oracle@oel1 bin]$ ./config.sh

I am going to extend the existing domain that I created for OID in the post below.
https://oraidam.wordpress.com/2018/03/08/oracle-internet-directory-12c-12-2-1-3-in-collocated-mode/

However, if you don't have one, you can create a new domain. (Note: you need to create the schemas with RCU first if you are creating a new domain.)

Select Oracle HTTP Server (Collocated)
Add a new component ohs1 and specify the component type as OHS.

Start Servers

Start Node manager

[oracle@oel1 bin]$ cd /u01/oracle/config/Domain_Home/ODS_Domain/bin
[oracle@oel1 bin]$ nohup ./startNodeManager.sh &


Start Admin server

[oracle@oel1 bin]$ cd /u01/oracle/config/Domain_Home/ODS_Domain/bin
[oracle@oel1 bin]$ nohup ./startWebLogic.sh &


Start OHS

[oracle@oel1 bin]$ cd /u01/oracle/config/Domain_Home/ODS_Domain/bin
[oracle@oel1 bin]$ ./startComponent.sh ohs1


Verify
http://oel1.mylab.com:7777/

OHS Add X-Content-Type-Options Header

Without an X-Content-Type-Options header, a browser may MIME-sniff a response and handle it as a type other than the declared Content-Type, for example running an uploaded text file as script; scanners report this as drive-by download exposure. The nosniff value turns that sniffing off.

This post covers adding the X-Content-Type-Options header to OHS.

Edit $INSTANCE_HOME/INSTANCE_NAME/config/OHS/INSTANCE_NAME/httpd.conf

Ensure mod_headers is loaded (the LoadModule line must be present and not commented out):

LoadModule headers_module "${ORACLE_HOME}/ohs/modules/mod_headers.so"

Add the line below (Header always set instead of Header set also covers error responses, which scanners check as well):

Header set X-Content-Type-Options nosniff

Restart OHS

Verify by requesting a page and checking the response headers for the new line.

OHS Add X-XSS-Protection Header

The X-XSS-Protection header turns on the reflected cross-site scripting filter in browsers that have one. It is a legacy control: Chromium-based browsers have since removed their XSS auditor and Firefox never shipped one, so a Content-Security-Policy is the current defence against cross-site scripting. Scanners still flag the missing header, and adding it costs nothing.

This post covers adding the X-XSS-Protection header to OHS.

Edit $INSTANCE_HOME/INSTANCE_NAME/config/OHS/INSTANCE_NAME/httpd.conf

Add the line below (mod_headers must be loaded, as in the previous post):

Header set X-XSS-Protection "1; mode=block"

Restart OHS

Verify by requesting a page and checking the response headers for the new line.

OHS HSTS – Add Strict-Transport-Security Header

Without a Strict-Transport-Security header, a user who reaches the site over plain HTTP first (typing the name without https://, or following an http:// link) depends on the server's redirect to HTTPS, and an attacker in the path can intercept that first request and keep the user on an attacker-controlled page instead of the secure version of the original page. HSTS tells the browser to use HTTPS for the site for the given period, so after the first visit the plain-HTTP step never happens again.

This post covers adding the Strict-Transport-Security header to OHS.

Edit $INSTANCE_HOME/INSTANCE_NAME/config/OHS/INSTANCE_NAME/httpd.conf

Add the line below. Browsers only honour HSTS received over HTTPS, so put it in the SSL virtual host (ssl.conf) rather than the plain-HTTP server section. max-age=63072000 is two years; includeSubDomains makes every subdomain HTTPS-only as well, which breaks any subdomain still served over plain HTTP, so check that before enabling it.

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Restart OHS

Verify by requesting a page over HTTPS and checking the response headers for the new line.

To send plain-HTTP visitors to HTTPS, add the redirect to the non-SSL listener only (7777 is the OHS listen port used in these posts). A Redirect placed in the main server section is inherited by the SSL virtual host and produces a redirect loop there:

<VirtualHost *:7777>
    Redirect permanent / https://example.com/
</VirtualHost>
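As an added example covering all three header posts above (not part of the original posts), the bash script below checks a captured set of response headers for X-Content-Type-Options, X-XSS-Protection and Strict-Transport-Security, and also checks that the HSTS max-age is at least a year. In use you feed it the output of curl -sI against the OHS SSL port; the two responses embedded here are constructed for offline use and are not real OHS output.

```shell
#!/bin/bash
# Added example (not from the page): audit HTTP response headers for the
# three security headers added to OHS. Samples below are constructed.

# Print the value of header $1 from the header text $2 (first match, trimmed).
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Read raw headers on stdin, print one line per finding, and return the
# number of findings (0 means every check passed).
check_security_headers() {
    local hdrs v age problems=0
    hdrs=$(cat)

    v=$(header_value X-Content-Type-Options "$hdrs" | tr 'A-Z' 'a-z')
    if [ "$v" != "nosniff" ]; then
        echo "X-Content-Type-Options missing or not 'nosniff'"
        problems=$((problems + 1))
    fi

    v=$(header_value X-XSS-Protection "$hdrs")
    if [ -z "$v" ]; then
        echo "X-XSS-Protection missing (legacy header; CSP is the modern control)"
        problems=$((problems + 1))
    fi

    v=$(header_value Strict-Transport-Security "$hdrs" | tr 'A-Z' 'a-z')
    if [ -z "$v" ]; then
        echo "Strict-Transport-Security missing"
        problems=$((problems + 1))
    else
        age=$(printf '%s' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        # one year is the usual minimum; it is also what HSTS preload requires
        if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
            echo "Strict-Transport-Security max-age missing or below one year ($v)"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Constructed samples: a default OHS response, and the same response after
# the three Header directives are in place.
HEADERS_BEFORE='HTTP/1.1 200 OK
Server: Oracle-HTTP-Server
Content-Type: text/html; charset=UTF-8'

HEADERS_AFTER='HTTP/1.1 200 OK
Server: Oracle-HTTP-Server
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains'

# Live use (assumed SSL port): curl -sI https://oel1.mylab.com:4443/ | check_security_headers
```

Run it against an error page as well as the landing page: with plain Header set the error responses are the ones that come back without the headers.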

Oracle web tier apply patch set 11.1.1.9 to existing 11.1.1.7

Backup complete 11.1.1.7 home

cd $MW_HOME

tar -cvf Oracle_WT1_backup.tar Oracle_WT1

Note: run tar as root to backup all files

Download 11.1.1.9 patchset – patch 20995453

Unzip and go to Disk1 folder

unzip p20995453_111190_Linux-x86-64.zip

Run the installer

cd Disk1

./runInstaller

Choose "Install Software - Do Not Configure"

Specify the installation location

Verify

$ORACLE_HOME/OPatch/opatch lsinventory

Oracle Interim Patch Installer version 11.1.0.11.0
Copyright (c) 2018, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/product/oracle/Middleware_Webtier/Oracle_WT1
Central Inventory : /u01/app/oraInventory
    from           : /u01/product/oracle/Middleware_Webtier/Oracle_WT1/oraInst.loc
OPatch version    : 11.1.0.11.0
OUI version       : 11.1.0.9.0
Log file location : /u01/product/oracle/Middleware_Webtier/Oracle_WT1/cfgtoollogs/opatch/opatch2018-02-27_11-15-21AM_1.log

OPatch detects the Middleware Home as “/u01/product/oracle/Middleware_Webtier”

Lsinventory Output file location : /u01/product/oracle/Middleware_Webtier/Oracle_WT1/cfgtoollogs/opatch/lsinv/lsinventory2018-02-27_11-15-21AM.txt

——————————————————————————–
Installed Top-level Products (1):

Oracle WebTier and Utilities CD                                      11.1.1.9.0
There are 1 products installed in this Oracle Home.

Start the OHS instance

$INSTANCE_HOME/bin/opmnctl startall

$INSTANCE_HOME/bin/opmnctl status

Processes in Instance: ohs1
———————————+——————–+———+———
ias-component                    | process-type       |     pid | status
———————————+——————–+———+———
ohs1                             | OHS                |   33731 | Alive

If the web tier is associated with a WebLogic domain, also run the following step:

cd $ORACLE_HOME/opmn/bin
./upgradenonj2eeapp.sh -oracleInstance Instance_Home_Location -adminHost WebLogic_Server_Host_Name -adminPort administration_server_port_number -adminUsername administration_server_user

Oracle HTTP Server 11.1.1.9 – Update SSLProtocol to TLS v1.2

TLS v1.1 and v1.2 are significantly more secure and fix many vulnerabilities present in SSL v3.0 and TLS v1.0. (TLS v1.0 and v1.1 have since been formally deprecated by RFC 8996, so TLSv1.2 only, as configured here, is the right target.)

OHS 11.1.1.9 supports TLSv1.1 and TLSv1.2. This post covers the steps to configure the OHS SSL protocols to support TLSv1.2 only and disable all other protocols.

Check the protocols and ciphers supported
You can use the nmap command below to check the currently supported protocols and ciphers:

nmap --script ssl-enum-ciphers -p <SSL_PORT> <HOSTNAME>

Update SSLProtocol
Go to ORACLE_INSTANCE/config/OHS/<OHS_name>/ssl.conf
Edit SSLProtocol as below:

SSLProtocol +TLSv1.2

Optional: you can add or update SSLCipherSuite as well

SSLCipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256

Note that the suites above all use static RSA key exchange, which gives no forward secrecy: a later compromise of the server's private key decrypts previously recorded sessions. Where the OHS release offers ECDHE suites, list them first. For the list of supported SSLCipherSuite values check https://docs.oracle.com/middleware/11119/webtier/releasenotes-ohs/toc.htm

Save the file and restart OHS instance

Verify the change
Run the same nmap command again; only TLSv1.2 should now be listed.
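As an added example (not part of the original post), the bash functions below parse nmap ssl-enum-ciphers output and fail unless TLSv1.2 is the only protocol offered, and list the suites that lack forward secrecy. The two scan results are constructed in nmap's output format for offline use; they are not real scans of the lab host.

```shell
#!/bin/bash
# Added example (not from the page): turn "nmap --script ssl-enum-ciphers"
# output into a pass/fail check. Samples below are constructed.

# Print each protocol version nmap found, one per line, in scan order.
offered_protocols() {
    grep -oE '(SSLv[23]|TLSv1\.[0-3]):' | tr -d ':'
}

# Succeed only when TLSv1.2 is the sole protocol in the scan on stdin.
check_tls12_only() {
    local protos
    protos=$(offered_protocols | sort -u)
    [ "$protos" = "TLSv1.2" ]
}

# Print cipher suites with static RSA key exchange (no ECDHE/DHE), i.e. no
# forward secrecy, so you can see what SSLCipherSuite still allows.
ciphers_without_pfs() {
    grep -oE 'TLS_[A-Z0-9_]+' | grep -vE '_(ECDHE|DHE)_' | sort -u
}

# Constructed: before the SSLProtocol change (TLSv1.0 still offered) ...
NMAP_BEFORE='PORT     STATE SERVICE
4443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C'

# ... and after, with the SSLCipherSuite from this post.
NMAP_AFTER='PORT     STATE SERVICE
4443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: A'

# Live use (assumed port): nmap --script ssl-enum-ciphers -p 4443 oel1.mylab.com | check_tls12_only
```

check_tls12_only also fails when no TLS protocol is found at all (wrong port, or the listener is down), which is the behaviour you want in a post-change check.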

OHS not starting

The OHS instance status shows Stop, and OHS neither starts nor stops.

[oracle@identity bin]$ ./opmnctl status
Processes in Instance: ohs_inst1
———————————+——————–+———+———
ias-component                    | process-type       |     pid | status 
———————————+——————–+———+———
ohs_inst1                        | OHS                |    4857 | Stop   

Error in log files
——–
18/01/28 22:59:41 Stop process
——–
/app/Middleware/Oracle_WT1/ohs/bin/apachectl hardstop: httpd (no pid file) not running

Reason
When Oracle HTTP Server starts up, it writes the process ID (PID) of the parent httpd process to the httpd.pid file located, by default, in the following directory:

ORACLE_INSTANCE/diagnostics/logs/OHS/component_name

When I checked the location above, there was no httpd.pid file.

Solution
Create an empty file named httpd.pid in the location above (the log message refers to httpd.pid, and the name must match exactly). Before doing so, confirm with ps -ef | grep httpd that no orphaned httpd processes from the previous run are still alive, and kill them if they are; otherwise the fresh start fails to bind its listen ports.

Rename or clear the states directory in the location below (stop or kill the opmn processes before doing this):

ORACLE_INSTANCE/config/OPMN/opmn/states

Start OHS
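As an added example (not part of the original post), the bash function below classifies the httpd.pid file that opmn and apachectl look for, so the "no pid file" case in this post can be told apart from a stale pid left behind by a crashed httpd, which needs a different fix. The path is an argument; on 11g it is the httpd.pid under ORACLE_INSTANCE/diagnostics/logs/OHS/<component>.

```shell
#!/bin/bash
# Added example (not from the page): classify an httpd.pid file.
# Prints one of: missing | empty | stale | alive, and returns 0 only for alive.

httpd_pid_state() {
    local f="$1" pid
    if [ ! -e "$f" ]; then
        echo missing
        return 1
    fi
    pid=$(tr -d '[:space:]' < "$f")
    case "$pid" in
        ''|*[!0-9]*) echo empty; return 1 ;;
    esac
    # kill -0 only tests that the process exists and that we may signal it;
    # run this as the oracle user so its own httpd processes are visible.
    if kill -0 "$pid" 2>/dev/null; then
        echo alive
        return 0
    fi
    echo stale
    return 1
}

# What each state means before the next opmnctl startproc / startComponent.sh:
#   missing -> the case in this post: create an empty httpd.pid, clear the
#              opmn states directory, start OHS
#   empty   -> same as missing; opmn was probably interrupted while writing it
#   stale   -> delete the file and make sure no orphaned httpd remains
#              (ps -ef | grep httpd) before starting
#   alive   -> httpd is running; look at opmnctl status and the states
#              directory, not at httpd

# Usage: ./httpd_pid_state.sh $ORACLE_INSTANCE/diagnostics/logs/OHS/ohs1/httpd.pid
[ $# -gt 0 ] && httpd_pid_state "$1"
```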

OHS SSL WILDCARD CONFIGURATION

Wildcard certificate file: server.pfx (PKCS#12 format)

Generate a Java keystore from the wildcard certificate

Convert PKCS#12 to a Java keystore
keytool -v -importkeystore -srckeystore server.pfx -srcstoretype PKCS12 -destkeystore yournewkeystore.jks -deststoretype JKS

Convert JAVA KEYSTORE to WALLET
Create new wallet
mw_home\oracle_common\bin\orapki wallet create -wallet ./ -pwd “mypassword”

Convert to wallet
orapki wallet jks_to_pkcs12 -wallet ./ -pwd “mypassword” -keystore ./yournewkeystore.jks -jkspwd “mypassword”

A new wallet file ewallet.p12 will be created. The private key now exists in three files (server.pfx, yournewkeystore.jks and ewallet.p12): delete the intermediate JKS once the wallet works, keep the other two readable by the oracle user only, and use a real password in place of the mypassword placeholder.

Use this wallet for SSL in OHS. It can be configured using wallet manager or weblogic enterprise manager.

Below is procedure to import from enterprise manager.
1. Login to Enterprise manager
2. Go to WebTier –> Right Click on OHS component –> Security –> Wallets
3. Click Import
4. Choose the file ewallet.p12, uncheck Auto-Login, and specify the wallet password (mypassword from the create-wallet step)
5. Click Ok
6. Go to WebTier –> Right Click on OHS component –> Virtual Hosts
7. Select SSL port virtual host, Select SSL Configuration from drop down
8. Under Server Wallet Name, select the new created wallet, click on OK
9. Restart OHS
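As an added example (not part of the original post), the bash functions below check which OHS virtual host names a wildcard certificate actually covers before the wallet goes live. A wildcard matches exactly one DNS label in the left-most position (RFC 6125 section 6.4.3), so *.mylab.com covers oel1.mylab.com but neither mylab.com nor sso.int.mylab.com. Only whole-label wildcards are handled; the host names are the page's lab names, not a real deployment.

```shell
#!/bin/bash
# Added example (not from the page): does certificate name $1 (wildcard or
# exact, case-insensitive) cover host $2? Returns 0 for yes, 1 for no.

wildcard_covers() {
    local pat host suffix first
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix="${pat#\*.}"
            # reject *.com style names and any second wildcard
            case "$suffix" in *.*) ;; *) return 1 ;; esac
            case "$suffix" in *\**) return 1 ;; esac
            # host must end in ".suffix" ...
            first="${host%.$suffix}"
            [ "$first" != "$host" ] || return 1
            # ... and what precedes it must be exactly one non-empty label
            case "$first" in ''|*.*) return 1 ;; esac
            return 0
            ;;
        *\**)
            return 1 ;;   # wildcard anywhere but the left-most label
        *)
            [ "$pat" = "$host" ] ;;
    esac
}

# Print every host in $2.. that certificate name $1 does not cover.
uncovered_hosts() {
    local pat="$1" h
    shift
    for h in "$@"; do
        wildcard_covers "$pat" "$h" || echo "$h"
    done
}

# Example: uncovered_hosts '*.mylab.com' oel1.mylab.com mylab.com sso.int.mylab.com
# prints mylab.com and sso.int.mylab.com
```

Feed uncovered_hosts the ServerName and every ServerAlias from the SSL virtual host; anything it prints will fail name validation in the browser even though the wallet imports cleanly.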