Thursday, June 10, 2021

How the OCI IAM Service lets you control who has access to your cloud resources!

Oracle Cloud Infrastructure Identity and Access Management (IAM) Service lets you control who has access to your cloud resources. 

Prerequisites:

1. You should have an OCI account created.

2. Basic understanding of OCI

Log in to your OCI tenancy and create the Compartment



In the left pane, go to Identity & Security -> Identity -> Compartments, then create your Compartment.

Once created, you should be able to see it listed as below –


Managing Users, Groups and Policies to Control Access

We should create a user, a group, and a security policy to understand the concept.

Again, log in to the OCI console and go to Menu -> Identity & Security -> Groups


Below are my policy statements –

Policy Statements

Allow group oci-testgroup1 to inspect users in compartment vishwa-test1

Allow group oci-testgroup1 to inspect groups in compartment vishwa-test1

Allow group oci-testgroup1 to use users in compartment vishwa-test1 where target.group.name != 'Administrators'

Allow group oci-testgroup1 to use groups in compartment vishwa-test1 where target.group.name != 'Administrators'
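Two things are worth checking before trusting statements like these: OCI verbs nest (inspect < read < use < manage, so a statement that grants use also grants read and inspect), and a where clause only restricts the statement it is attached to. The toy evaluator below is an added example, not OCI's own policy engine or code from this post; it parses the four statements above and shows that the Administrators exclusion blocks use on that group but not inspect, because the inspect statements carry no condition. The request shape (a dict of condition variables) and the fail-closed handling of a missing variable are assumptions of this example.

```python
"""Toy evaluator for OCI IAM policy statements of the form
Allow group <g> to <verb> <resource> in compartment <c> [where <var> (=|!=) '<value>'].

Added illustration only: it applies the real OCI verb hierarchy and the
"condition must hold for the statement to match" rule, nothing more.
"""
import re

# OCI verb hierarchy: a broader verb grants everything a narrower one does.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)"
    r"(?: where (?P<cond>.+))?$"
)
# Only the two condition forms this post needs: <var> = '<v>' and <var> != '<v>'
COND_RE = re.compile(r"^(?P<var>[\w.]+)\s*(?P<op>!=|=)\s*'(?P<val>[^']*)'$")


def parse_statement(text):
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported statement: %r" % text)
    st = m.groupdict()
    if st["cond"]:
        c = COND_RE.match(st["cond"].strip())
        if not c:
            raise ValueError("unsupported condition: %r" % st["cond"])
        st["cond"] = c.groupdict()
    return st


def condition_holds(cond, request):
    """Evaluate a parsed where-clause against the request's variables."""
    if cond is None:
        return True
    actual = request.get(cond["var"])
    if actual is None:
        # Assumption of this example: an unknown variable fails closed.
        return False
    return actual == cond["val"] if cond["op"] == "=" else actual != cond["val"]


def is_allowed(statements, group, verb, resource, compartment, request=None):
    """OCI policies are allow-only: the request succeeds if any statement
    names this group, resource and compartment, grants a verb at least as
    broad as the one requested, and has a condition that holds."""
    request = request or {}
    for st in statements:
        if st["group"] != group or st["resource"] != resource:
            continue
        if st["compartment"] != compartment:
            continue
        if VERB_RANK[st["verb"]] < VERB_RANK[verb]:
            continue
        if condition_holds(st["cond"], request):
            return True
    return False


# The four statements from the post, verbatim.
POLICY = [parse_statement(s) for s in [
    "Allow group oci-testgroup1 to inspect users in compartment vishwa-test1",
    "Allow group oci-testgroup1 to inspect groups in compartment vishwa-test1",
    "Allow group oci-testgroup1 to use users in compartment vishwa-test1 where target.group.name != 'Administrators'",
    "Allow group oci-testgroup1 to use groups in compartment vishwa-test1 where target.group.name != 'Administrators'",
]]


def demo():
    g, c = "oci-testgroup1", "vishwa-test1"
    return {
        # use on an ordinary group: granted by the conditional statement
        "use_group_dev": is_allowed(POLICY, g, "use", "groups", c, {"target.group.name": "dev"}),
        # read is implied by use, so it is granted too
        "read_user_dev": is_allowed(POLICY, g, "read", "users", c, {"target.group.name": "dev"}),
        # use on Administrators: the where clause blocks it
        "use_group_admins": is_allowed(POLICY, g, "use", "groups", c, {"target.group.name": "Administrators"}),
        # ...but the unconditional inspect statement still lists Administrators
        "inspect_group_admins": is_allowed(POLICY, g, "inspect", "groups", c, {"target.group.name": "Administrators"}),
        # manage is never granted; use does not imply it
        "manage_group_dev": is_allowed(POLICY, g, "manage", "groups", c, {"target.group.name": "dev"}),
        # another compartment gets nothing from these statements
        "other_compartment": is_allowed(POLICY, g, "inspect", "users", "prod", {}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, ok))
```

If the intent is that oci-testgroup1 must not even see the Administrators group, the exclusion has to be repeated on the inspect statements as well; the condition on the use statements does not propagate downwards.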


Now, create the new user:






Verify user permissions

a) Go to the Menu, click Compute and then click Instances.

b) Try to select any compartment from the left menu.

c) The message “You don’t have permission to view these resources” appears. This is normal, as you have not yet added the user to the group the policy is associated with.


Sign out as testuser01

Add User to a Group

a) Sign back in with your Admin account.

b) On the Menu click Identity & Security, and then click Users. From the Users list, click the user account that you just created (for example, testuser01) to go to the User Details page.




Go to the Menu, click Identity and select Groups.

The message "Authorization failed or requested resource not found" appears. This is expected, since your user has no permission to modify groups. (Note: you may instead get the "An unexpected error occurred" message. That is also fine.)



Sign out from testuser01

Happy Learning!

Saturday, June 5, 2021

Deploying the IIS WebGate 12c Instance and Testing

(1) DEPLOY WEBGATE:

C:\Oracle\Middleware\Oracle_Home\webgate\iis\tools\deployWebGate>deployWebGateInstance.bat -w C:\webgate12cInstance\test8088 -oh C:\Oracle\Middleware\Oracle_Home -ws iis


Copying files

C:\Oracle\Middleware\Oracle_Home\webgate\iis\config\oblog_config_wg.xml

1 File(s) copied

C:\Oracle\Middleware\Oracle_Home\webgate\iis\tools\openssl\simpleCA\cacert.pem

1 File(s) copied

C:\Oracle\Middleware\Oracle_Home\webgate\iis\tools\openssl\simpleCA\cakey.pem

1 File(s) copied

Done!

C:\Oracle\Middleware\Oracle_Home\webgate\iis\tools\deployWebGate>


(2) CONFIGURE WEBGATE:

C:\Oracle\Middleware\Oracle_Home\webgate\iis\tools\ConfigureIISConf>ConfigureIISWebGate.bat -oh C:\Oracle\Middleware\Oracle_Home -w C:\webgate12cInstance\test8088 -site "test8088"



processed dir: C:\webgate12cInstance\test8087\webgate\config\simple

processed dir: C:\webgate12cInstance\test8087\webgate\tools\openssl

processed dir: C:\webgate12cInstance\test8087\webgate\tools\openssl\simpleCA

processed file: C:\webgate12cInstance\test8087\webgate\tools\openssl\simpleCA\cacert.pem

processed file: C:\webgate12cInstance\test8087\webgate\tools\openssl\simpleCA\cakey.pem

c:\oracle\middleware\oracle_home\webgate\iis\lib\webgate.ini is updated.


(3) Registering webgate in /OAMCONSOLE



Once created, download the artifacts -


Copy the generated webgate artifacts to -->> C:\webgate12cInstance\test8088\webgate\config


Restart IIS


Troubleshooting:

When you access http://<iis-host>:port/hello.html, if you get the error below:




On Windows Server 2019 you may face an ISAPI extension issue.

Follow Server Manager -> Add roles and features (the same wizard used to install IIS).

On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Application Development, and then select CGI or ISAPI Extensions. Click Next.

Later got stuck at --->


- Installed the relevant VC++ redistributable
- Checked IIS configuration settings
- Followed Oracle Doc IDs 2309712.1 and 2361926.1, however it did not work.


Install webgate 12c on windows 2019

Continued from - Install and create IIS websites

Installing webgate 12c

(1) Downloaded WebGate 12c from Oracle Software Delivery


(2) Install screenshots -





(3) Prerequisites should be fulfilled - MS Visual C++






I have used the built-in JDK that comes with Windows 2019 Server.


Even after you install Visual C++ Redistributable for Visual Studio 2012 Update 4 (vcredist_x64.exe), if you still get the above warning, click 'Return'.









Continued - deploying IIS webgate 12c








Friday, June 4, 2021

IIS Webgate 12c Installation and Configuration in Windows 2019

OAM 12c PS4 on Linux 7.x Server  ||  IIS Webgate 12c on Windows 2019 Server


Windows 2019 server:

(1) Configure the IIS Server using Server Manager, as below.



(2) Click 'Add roles and features'



(3) Click 'Next' on every page until you reach 'Server Roles'; there select 'Web Server (IIS)' (shown as 13 of 43 installed).


(4) Click install -



(5) Then select 'Tools' -> 'Internet Information Services (IIS) Manager'


(6) In IIS Manager, right-click on 'Sites'



(7) You should create a website under C:\inetpub\wwwroot



(8) Once created, go to 'Directory Browsing' and 'Enable' it. Note that directory browsing exposes the site's file listing to every client; it is convenient for this test site, but leave it disabled on anything beyond a lab box.



(9) As below (in my case it is already enabled)



(10) Open a Command Prompt as administrator and run 'iisreset'. Try to access http://localhost:port. If everything is set correctly, you should be able to see the IIS default page.





Continued - install webgate 12c on windows 2019




Tuesday, October 17, 2017

Mobile and Social for Google AuthN Provider

OAM Mobile and Social for Google AuthN Provider

:: Steps Outlined ::
=====================================================================
1. Enabling Social Identity Provider Service
2. Configure Identity Directory Service (IDS) Profile
3. Configure User Profile Service Provider and User Profile Service
4. Configure Social Login with Google
5. Configure OAM Domain to use Mobile and Social Login
6. Testing Social Login with Google


:: Detailed Steps ::
=====================================================================
1. Open a browser, enter the URL http://abc.mycompany.com:7001/oamconsole, click the Configuration tab and click Available Services.

2. Scroll down to the Mobile section. If the Mobile and Social service is Disabled, click Enable Service.

3. Open a browser, enter the URL http://abc.mycompany.com:7001/oamconsole, click the Configuration tab and from the Launch Pad click User Identity Stores.

4. Scroll down to the Identity Directory Services section, click Create in the IDS Profiles list and create an IDS Profile.


A] Configure User Profile Service Provider and User Profile Service:

1. Click the Mobile Security tab and from the Launch Pad click Mobile and Social Services.

2. In the Service Providers section, click Create and select Create User Profile Service Provider.

3. Give the Name as OUD User Profile SP, scroll down and select OUDStoreIDSProfile as the Identity Directory Service. Click Create.

4. In the Service Profiles section, click Create and select Create User Profile Service.

5. Give the Name as OUD User Profile. For Service Endpoint, enter OUD. For Service Provider select OUD User Profile SP. Tick the checkbox for Service Enabled and click Create.


B] Configure Social Login with Google:

1. Go to the Google Developer Console at https://console.developers.google.com and sign in with your Google credentials (in case the URL doesn’t work, search for Google Developer Console).

2. Click the Select a project dropdown and click Create a project.

3. Give it a Name and click Create.

4. Once created you will be redirected to the Dashboard for the project in a few seconds. Click Use Google APIs to create credentials for using OAuth.

5. Click Credentials on the left, click New Credentials and select OAuth Client ID.

6. You will be asked to first set a product name on the consent screen. Click Configure consent screen.

7. For Product Name, enter something like OAM Social Login and click Save.

8. Select Web application as the Application type and for Authorized redirect URIs enter http://abc.mycompany.com:14100/oic_rp/popup. Click Create.

9. You will be given an OAuth Client ID and Client Secret. Make a note of these, as you will need them in the next steps. Treat the Client Secret like any other credential: do not paste it into tickets or commit it anywhere.

10. You can now exit the Google Developer Console.

11. Enter the URL http://abc.mycompany.com:7001/oamconsole to open the Access Management Console.

12. Click the Federation tab and from the Launch Pad click Social Identity.

13. In the Social Identity Providers section, select Google and click Edit.

14. Provide the Consumer Key (same as Client ID) and Consumer Secret (same as Client Secret) that were generated in the Google Console, click Apply and close the tab.

15. Back in the Social Identity section, scroll down to Application Profiles, select OAMApplication and click Edit. OAMApplication is a prebuilt application profile and can be used directly, or used as a template to build other application profiles.

The name of this entry must be the same as the name of the OAM Application Domain that you wish to enable social login for. At this time, this is a one-to-one relationship.
For our exercise, rather than creating a new Application Domain entry matching the OAM Application Profile, we will rename the webgate_1 Application Domain to match this default entry.

16. Enter Oracle123 for Shared Secret (a lab value; use a strong secret anywhere real).


17. In the Application Profile Properties section, make sure Login Type is Local Authentication and Social Identity Provider Authentication, Enable Browser Popup is Yes and User Registration is Enabled. Select the User Profile Service Endpoint as /OUD.

18. Scroll down to Application User Attribute and Social Identity Provider User Attributes Mapping. Select Google as the Social Identity Provider. You will find predefined attributes listed there; delete all the entries and create a new mapping of Application Social Identity Provider User Attributes as shown in the screen print below.

19. Go to the WebLogic console to modify the OAM managed server's SSL settings. Click the SSL tab and then expand the Advanced link at the bottom of the page. Change Hostname Verification from 'BEA Hostname Verifier' to 'Custom Hostname Verifier' and, in the next box, set the custom hostname verifier value to weblogic.security.utils.SSLWLSWildcardHostnameVerifier. This verifier still checks that the server certificate matches the host name; it only adds support for wildcard certificates, which the outbound calls to Google need. Do not set Hostname Verification to 'None' to get past this, as that disables the check entirely.


At the very bottom of the page check the box for 'Use JSSE SSL'. Save the changes and then restart the OAM managed server.


C] Configure OAM Domain to use Mobile and Social Login:

1. In /oamconsole click the Application Security tab and, under Access Manager, click Application Domains.

2. Rename your webgate_1 application domain to OAMApplication and apply.

3. Open the OAMApplication application domain -> Authentication Policies -> Protected Resource Policy -> change the Authentication Scheme to OICScheme.


Important Step:

You should be able to connect to the internet from the VM where OAM is running. Open a browser inside the VM and access www.google.com to verify. NOTE: If your VM is running in "Host Only" mode you need to change your VBox VM network settings to bridged or NAT mode, and afterwards update the OAM VM's /etc/hosts file with your new IP address accordingly.


Additional configuration is needed for Facebook, Twitter, and Yahoo. Please contact me if you have any issues!


🙌 Many Thanks 🙌

Monday, October 2, 2017

OAM 12c Installation and Configuration (Complete Setup)


⛹ - OAM 12c Setup - 
===================================

You should have installed Database 12c first (see the Database 12c post).

Install Java - JDK 8
  /jdk8 (JDK 8 is mandatory)
Install WebLogic 12.2.1.3.0
Install FMW Infrastructure (/fmw_12.2.1.3.0_infrastructure_generic.jar)
  /jdk8/bin/java -jar fmw_12.2.1.3.0_infrastructure_generic.jar
Install IDM generic 12.2.1.3.0
  /fmw_12.2.1.3.0_idm_generic.jar
  /fmw_12.2.1.3.0_idm_generic2.jar
  export JAVA_HOME=/u01/installable/jdk8
  /jdk8/bin/java -jar fmw_12.2.1.3.0_idm_generic.jar   (Oracle Home: /u01/idam/Oracle/Middleware/Oracle_Home)
Create the OAM schema with RCU
  export MW_HOME=/u01/idam/Oracle/Middleware/Oracle_Home
  $MW_HOME/oracle_common/bin/rcu - run RCU and select the OAM schema.
Invoke config and configure OAM and the default dependent templates.
  • Run $MW_HOME/oracle_common/common/bin/config.sh
  • Create a new domain.
  • Select "Oracle Access Management Suite" from the available templates (it will also select JRF and the cluster extension); admin user weblogic/Welcome1 (lab credentials, do not reuse them anywhere real); Development mode; **** do not give local addresses (localhost / 127.0.0.1) as listen addresses.
  • Please note, if you choose advanced configuration, you can configure a node manager, a cluster, user-defined server port numbers, SSL ports, machines, and a front end URL.

Verification


🙋 Please leave comments if you have any issues or need cluster setups 🙋


Wednesday, April 19, 2017

Oracle Database 12c installation and configuration on Oracle Linux-OEL6



Note 1: JDK version should be 1.8+

1. Set JAVA_HOME
--------------------------------
$ JAVA_HOME=/home/oracle/jdk/jdk1.8.0_131
$ export JAVA_HOME

2. Install all required libraries, e.g. compat-libstdc++-33-3.2.3, compat-libstdc++-33-3.2.3 (32 bit), gcc-4.1.2, gcc-c++-4.1.2. On OEL 6 most of them are already present or can be installed/updated with yum (e.g. $ yum update).

3. This assumes you have downloaded Oracle Database 12c (files: linuxamd64_12102_database_1of2.zip & linuxamd64_12102_database_2of2.zip).

4. Go to the database directory created when you unzipped linuxamd64_12102_database_1of2.zip & linuxamd64_12102_database_2of2.zip and run the installer (./runInstaller).





In the above screenshot, you should un-check “I wish to -----“

5. Select “Create and configure a database”



6. Select Desktop class



7. Set ORACLE_HOME=/home/oracle/12c-database (choose a location of your own convenience)



8. Summary page as below.


9. Once it reaches ~80%, it asks you to run the oraInventory scripts (orainstRoot.sh and root.sh) as the ‘root’ user.











[oracle@vishwa ~]$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Wed Aug 20 10:53:29 2014
Copyright (c) 1982, 2014, Oracle. All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> select name from v$database;

NAME
---------
ORCL

SQL>

Hope this helps!


Many Thanks
Vishwa