If you are running an Oracle E-Business Suite (EBS) application today, you can now auto-discover all related resources in OCI Stack Monitoring. It collects metrics specific to your EBS resources, lets you correlate across the EBS application and infrastructure stack, and enables proactive alerting.
Components that will be auto-discovered include:
Concurrent Processing Node
Workflow Manager
WebLogic
Forms
Today, the Stack Monitoring service supports EBS version 12.1 and 12.2 deployments hosted on OCI, on-premises or in a third-party cloud (e.g. AWS, Azure).
In this example, I will show you how to configure Stack Monitoring for EBS version 12.2.
Oracle Cloud Agent (OCA) – This agent is deployed by default if you provision hosts via the OCI Compute Service. OCA has extensions and plugins that can be used to enable other features native to OCI Compute Services.
Management Agent (OMA) – This agent is a standalone version that you can deploy to hosts or VMs:
– that do not have OCA installed on OCI, e.g. OCI Database Services (Oracle Base VM/BM, ExaCS),
– on-premises,
– in a third-party cloud (AWS, Azure, etc.).
…
Please see the current O&M support we have for each agent:
Oracle Cloud Agent (OCA) – supported by three of the four O&M services (Logging Analytics, Stack Monitoring, Database Management, Operations Insights; the original table leaves one of these blank for OCA). Target: OCI Compute VM / BM Host.
Oracle Management Agent (OMA) – Logging Analytics: Yes, Stack Monitoring: Yes, Database Management: Yes, Operations Insights: Yes. Target: Other VM Host (including on-premise and 3rd party cloud).
OMA Agent Install
In a previous post, I provided the steps for installing the Oracle Management Agent.
OCA Agent Install
For this post, let me show you how easy it is to enable the O&M services for Oracle Cloud Agent (OCA).
HTTPS is essential as it protects the privacy of our data over the Internet. W3’s 2022 report shows nearly 80% of all websites use HTTPS as their default web protocol, up 6% on the previous year.
Getting started with HTTP/TLS is fairly straightforward. Obtain a CA signed certificate, configure it on your web servers and reverse proxy load balancers and you’re good to go. But how do you ensure your configuration stays up-to-date with current industry standards?
Cybersecurity is an arms race. As hardware and software evolve, so do the tools and techniques created to exploit them. This fierce race largely drives the innovation that we see in the industry today.
How does this relate to TLS? Since the inception of SSLv1 by Netscape in the 90’s there have been many revisions: SSLv2, SSLv3, TLSv1.1 and TLSv1.2, with the current version being TLSv1.3. TLSv1.1 was deprecated in 2021, with new versions being released approximately every 5 years. Given the rate at which exploits are discovered, these release cycles will also need to keep pace.
For organisations this poses a number of interesting challenges, because you can only control which TLS versions you support. Also, if your website or API is public, it’s likely you have no control over the connecting client or which TLS versions it is able to use.
If you’re like me, then working in IT means you also assume Tech Support duties for friends, family, and those distant relatives that only seem to call when they’ve got a problem.
I just clicked on this link, and my computer is doing something weird. I think my PC has a virus, what do I do?
When it’s just a single computer, the answer is simple: contain the machine and validate that the rogue software has been removed, install an AV solution, change their passwords, enable MFA, and provide some education on what to look out for next time.
But now imagine you’re an organisation building a new application, or are moving applications to the cloud. Are you simply performing a lift-and-shift or are you planning to make use of cloud native services? Where are you going to store your data, specifically user uploaded files? Object Storage was built specifically to solve the challenges of how to store unstructured data in the cloud.
However, there is a catch. If you were previously storing files on a server file system, then it’s likely you were also running an anti-virus / anti-malware solution to identify malicious files. With Object Storage the underlying file system is transparent, so you can’t install AV, yet many compliance requirements still state “Uploaded files must be scanned for viruses and malware”.
I’m sure we can all agree, adopting a cloud strategy is awesome. The opportunities and benefits it affords are many. However cloud governance is an ongoing problem that plagues security, compliance, and management teams, which cloud vendors like Oracle are continually trying to solve.
If you’re reading this, you’ve probably been asked, or heard at least once:
Who has access to what in our environment?
Any Security / Compliance Manager
The answer should be easy and simple. However the reality is likely lots of manual time & work, spreadsheets, and endless clicking in a cloud console. If you’re doing this manually then I agree, it’s time that you could be dedicating to more important tasks.
The challenge in trying to answer these questions:
What users exist and what groups do they belong to?
What does my OCI tenancy compartment structure look like?
What policies have users explicitly created?
What permissions do users have in my tenancy?
Are there any excessive / non-compliant policies & permissions in my tenancy?
is that these complex relationships can’t be easily represented and interpreted in a table-like format. In the OCI ecosystem:
users can be federated with an Identity Provider and can belong to one or many federated, or local IAM groups,
policies can be defined for “any-user” or for a group,
policies are inherited, meaning they apply to all sub-compartments of the compartment at which they are applied.
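These three relationships are what make the question hard to answer from a flat table. As an added illustration (not Peek’s own code), here is a small Python resolver that applies them to a constructed tenancy: the compartment hierarchy, group membership and policy statements are all made up, and only the simple “Allow <subject> to <verb> <resource> in <scope>” statement form is parsed.

```python
"""Toy resolver for effective OCI IAM grants (constructed example, not Peek's code).
Models the three relationships in the text: users belong to groups, a policy subject is
'any-user' or 'group <name>', and a policy written for a compartment is inherited by
every sub-compartment beneath it."""
import re

# Constructed sample tenancy: compartment -> parent ("tenancy" is the root).
PARENT = {"tenancy": None, "Prod": "tenancy", "Dev": "tenancy", "Dev-Apps": "Dev"}
GROUP_MEMBERS = {"Admins": {"alice"}, "Developers": {"bob", "carol"}}
POLICIES = [
    "Allow group Admins to manage all-resources in tenancy",
    "Allow group Developers to use instances in compartment Dev",
    "Allow any-user to read buckets in compartment Dev-Apps",
]

# Only the simple statement form above is parsed (no 'where' conditions).
STATEMENT = re.compile(
    r"^Allow (any-user|group (\S+)) to (\w+) (\S+) in (?:tenancy|compartment (\S+))$", re.I)

def ancestors(compartment):
    """The compartment itself and each parent up to the root tenancy."""
    while compartment is not None:
        yield compartment
        compartment = PARENT[compartment]

def parse(statement):
    """Return (group or None for any-user, verb, resource, scope compartment)."""
    m = STATEMENT.match(statement)
    if not m:
        raise ValueError(f"unsupported statement: {statement}")
    _subject, group, verb, resource, scope = m.groups()
    return group, verb, resource, scope or "tenancy"

def effective_grants(user, compartment):
    """Grants that apply to `user` in `compartment`, as (verb, resource, granted_via) tuples.
    A policy applies when its scope is the compartment or one of its ancestors (inheritance)
    and its subject is any-user or a group the user belongs to."""
    groups = {g for g, members in GROUP_MEMBERS.items() if user in members}
    in_scope = set(ancestors(compartment))
    grants = set()
    for statement in POLICIES:
        group, verb, resource, scope = parse(statement)
        if scope not in in_scope:
            continue  # written for a compartment outside this one's ancestry
        if group is None:
            grants.add((verb, resource, "any-user"))
        elif group in groups:
            grants.add((verb, resource, f"group {group}"))
    return grants
```

Calling effective_grants("bob", "Dev-Apps") shows both the Developers grant inherited from Dev and the any-user grant on Dev-Apps, while effective_grants("bob", "Prod") is empty.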
To make things easier I’ve created a solution using Oracle tools and services to simplify the auditing of OCI tenancies and user permissions called “Peek”.
Note: From 22/05/2023 APEX is no longer required as the solution runs entirely inside the container. To run the new container for OCI with IDCS use the following command:
docker run -it --name peek --rm \
  --mount type=bind,source=/Full/Path/To/.oci/,target=/root/.oci/,readonly \
  -e OCI_PROFILE_NAME=<from your OCI config> \
  -e OCI_TENANCY_OCID=<from text file> \
  -e OCI_IAM_URL=<from text file> \
  -e IDCS_URL=<from text file> \
  -e IDCS_CLIENT_ID=<from text file> \
  -e IDCS_SECRET=<from text file> \
  -e TOOLTIP_LINE_PX=20 \
  -p 4567:4567 \
  scottfletcher/oci-peek
After the docker container has started, you can access the web interface using the locally mapped port http://localhost:4567. You should see a progress window:
Once the mapping process is complete the visualisation will appear.
Depending on how long your policy statements are, you may wish to adjust TOOLTIP_LINE_PX to a number greater or smaller than 20. If your policy statements overflow the tooltip box then increase this value, or if the box is too big, then you can decrease this value.
If you haven’t run Peek before, please read on as I explain how to create the required credentials and where to obtain the values for the other environment variables. You can skip the APEX steps, as APEX will not be used.
This inspiration series is to highlight the work of others from different circumstances.
This particular team were enrolled in Business Information Systems & Analytics Capstone (BISM3208) at the University of Queensland, where part of the course was a hackathon, and a team of mentors from Oracle Cloud Engineering provided the problem statement and guidance throughout the semester. The problem statement focused on the Sustainable Development Goals (SDGs), with the requirement to design a digital solution using Oracle Cloud.
Introducing Mobile Apollo – one of the finalists in the hackathon.
The team consisted of: Alfred Ong (here), Jennifer Poon (here), Morwenna Fisher (here), Shin Goh (here) and Vera Han (here).
The team focused on SDG 3 – Good Health and Well-Being – To ensure healthy lives and promote well-being for all at all ages.
Over the past couple of years, we’ve posted about the OCI Arcade. You can find the original article (here) and the repository (here). As part of the revamp, many things have changed and as such we’ve spent a little bit of time to make it better. Check out some of these new additions.
Update: There is now an even better way to do this, with first-class support from the OCI Resource Scheduler – just set it to ‘Start’ your Function, and it will be invoked based upon the configured schedule.
Functions in Oracle Cloud Infrastructure are great. As a serverless execution environment with pre-built logging, metrics, etc. it allows developers to simply focus on their code and not worry about all of the supporting infrastructure, while still providing a lot of flexibility through the use of container primitives. As great as Functions are, they are reactive, they can only be invoked and can’t natively be configured to be executed in a spontaneous or scheduled manner. Often this won’t matter, as Functions will be invoked directly or indirectly by users, or in response to events, but sometimes you simply need a bit of code to run periodically.
This blog title may seem simple, but there are quite a few steps involved in resetting the SOA Market Place Image (SOA MP) database password and updating the configuration within the application tier, which I will discuss in this blog.
There are several situations in which a user needs to change the SOA MP database password, e.g. the password has expired or is about to expire. It must then be reset to a new password, which in turn has to be updated in all the relevant places inside the SOA application tier.
In my case it was a SOA dev/test environment. The SOA MP DB password has a default expiry of 6 months and it had expired, so the SOA application was not coming up and kept throwing the error below:
Caused by: java.sql.SQLException: ORA-28001: the password has expired
Note:
In my case the software versions below were used.
SOA Suite 12.2.1.4
Oracle Autonomous Database 19c
The instructions given here may not work exactly for other SOA and DB versions.
To fix the above problem, we need to perform the steps below:
1. Find out in how many places within the SOA application tier the DB password is used.
2. Check whether the SOA MP DB users are locked, their passwords expired, or both.
3. Reset & unlock the SOA MP DB users’ passwords.
4. Create an encrypted value of the new password for the WebLogic data sources, update all data source files with this new encrypted password and restart all WLS Admin/SOA servers.
Note: If step 4 doesn’t work (in my case it didn’t, although according to the Oracle documentation it should; I may have made a mistake that is hard to troubleshoot, so I took an alternative path as a workaround):
5. (Optional) Force WebLogic to start in Development mode instead of Production mode, since a clear text password is not accepted in Production mode inside the JDBC configuration files.
6. (Optional) Put the new password as a clear string inside the JDBC configuration files, bring up the WebLogic server and then update the new password again from the WebLogic console for all data sources; this encrypts the database password inside the data source files.
7. Create a new DB profile with an UNLIMITED limit and assign it to each SOA DB user to avoid password expiry in future.
Find out in how many places within the SOA application tier the DB password is used
SOA interacts with the database through WebLogic data sources, which act as the bridge between the application tier and the database tier. So we need to know how many WebLogic data sources use the SOA database. There are two ways to check this:
a) If the WebLogic Admin server is up and running, go to Console >> Data Sources and make a note of all data sources except any custom ones you may have created for some other purpose. E.g.
b) If the WebLogic server is not up and running (which is most likely the case), ssh to the server where the SOA binaries and domain reside and find the ‘jdbc’ folder, which lists all data sources that exist within WebLogic.
E.g.
/u01/data/domains/mgusoa_domain/config/jdbc/
So the first challenge is sorted out: we now know all the data sources that use the SOA MP database, so if we change the SOA MP database password all of these data source files need to be updated with the new password.
Are the SOA MP DB users locked, their passwords expired, or both?
Now let’s move to the next step and check whether the SOA MP database users are locked, their passwords have expired, or both.
To do that, you first need to know the DB user names used for SOA. One quick and easy way is to open one of the data source files and find the DB prefix, e.g. “SP1603934449”.
Once you know the DB prefix, run the query below in the SOA database to list all SOA DB users.
select username from dba_users where username like 'SP1603934449%';
So now you know all the SOA DB users within the SOA database that are used by the SOA application tier. The next step is to check whether each of them is locked or has an expired password.
Run the SQL query below to see their status:
select username, account_status from dba_users where username like 'SP1603934449%';
You should see the “account_status” column value as either “LOCKED” or “EXPIRED & LOCKED”.
In my case most of them had the status “EXPIRED & LOCKED”.
Reset & unlock the SOA MP DB users’ passwords
ALTER USER SP1603934449_IUA identified by Lxxx#1xxxxx;
ALTER USER SP1603934449_SOAINFRA ACCOUNT UNLOCK;
commit;
Once the passwords have been reset and the accounts unlocked, run the SQL query below again; the account status should now be “OPEN”.
select username, account_status from dba_users where username like 'SP1603934449%';
Create an encrypted value of the new password for the WebLogic data sources, update all data source files with this new encrypted password and restart all WLS Admin/SOA servers.
WebLogic data source files don’t accept a password in clear text if WebLogic is running in “Production” mode. If WebLogic is running in “Development” mode, it can accept a clear text password. In my case, although it was a dev/test environment, it was unfortunately set to “Production” mode, so I had to generate an encrypted value of the new password.
Run the WebLogic Encryption Utility (with the domain environment set via the domain’s setDomainEnv.sh so that weblogic.jar is on the classpath) and enter the password you set for the database schemas:
/u01/jdk/bin/java weblogic.security.Encrypt
password: new_password
Once you run the “/u01/jdk/bin/java weblogic.security.Encrypt” command it will prompt you to type the new password. It then generates the encrypted password value, as highlighted in the screenshot above.
Once you have the new encrypted value for the new password, update all the JDBC data source files one by one with it and restart the WLS Admin/SOA servers.
Your WebLogic server should be up and running after this change.
Note: If step 4 doesn’t work (in my case it didn’t, although according to the Oracle documentation it should; I may have made a mistake that is hard to troubleshoot, so I took an alternative path as a workaround):
(Optional) Force WebLogic to start in Development mode instead of Production mode, since a clear text password is not accepted in Production mode inside the JDBC configuration files.
You must update multiple configuration files to force WebLogic to start in “Development” mode.
I updated the 4 configuration files below. The full path is just for reference; you must use your own environment’s path to find these files. Set the production value to either “false” or “” depending on the file’s existing value.
Once the above configuration is done, you can update all JDBC data source files with the clear text password.
Once all JDBC data source XML files have been updated with the new password in clear text, restart the WLS Admin and SOA servers using the out-of-the-box script available in the SOA Market Place Image:
/opt/scripts/restart/restart_12c_servers.sh
The Admin server should go into RUNNING mode.
Now you can access the WebLogic Admin console and start the remaining servers if needed.
The last step is to update all data sources from the WebLogic console again; this updates all JDBC data source files in the backend with the encrypted password instead of clear text. Enter the same clear text password in the WebLogic console for each data source and click Save; this replaces the clear text password in the backend with the encrypted one.
Create a new DB profile with an UNLIMITED limit and assign it to each SOA DB user to avoid password expiry in future.
The above command should create a database profile with password expiry set to unlimited, which can be verified by running the command below:
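As an added example (not the post’s own script), here is a Python audit of the descriptors under the domain’s config/jdbc directory that serves both step 1 (listing the data sources and the schema prefix used to find the SOA DB users) and step 6 (confirming that no data source is still holding a clear-text password before WebLogic goes back to Production mode). It assumes the standard WebLogic jdbc-data-source XML layout and, as a heuristic, treats a password value with a “{AES256}”-style prefix as encrypted; the sample descriptors are constructed.

```python
"""Audit WebLogic JDBC descriptors under a domain's config/jdbc (added example, not from the post).
Reports each data source's schema user, schema prefix (text before '_', e.g. SP1603934449) and
whether its password is stored encrypted. Assumption: encrypted values carry a '{AES256}'-style
prefix; any other value is flagged as clear text, which WebLogic production mode rejects."""
import glob
import os
import xml.etree.ElementTree as ET

NS = {"ds": "http://xmlns.oracle.com/weblogic/jdbc-data-source"}

def audit_descriptor(xml_text):
    """Extract name, user, prefix and password state from one jdbc-data-source document."""
    root = ET.fromstring(xml_text)
    params = root.find("ds:jdbc-driver-params", NS)
    user = ""
    for prop in params.findall("ds:properties/ds:property", NS):
        if prop.findtext("ds:name", namespaces=NS) == "user":
            user = prop.findtext("ds:value", default="", namespaces=NS)
    password = params.findtext("ds:password-encrypted", default="", namespaces=NS)
    return {"name": root.findtext("ds:name", default="", namespaces=NS), "user": user,
            "prefix": user.split("_", 1)[0], "encrypted": password.startswith("{")}

def audit_domain(jdbc_dir):
    """Audit every *.xml descriptor in the domain's config/jdbc directory, e.g.
    audit_domain('/u01/data/domains/mgusoa_domain/config/jdbc')."""
    reports = []
    for path in sorted(glob.glob(os.path.join(jdbc_dir, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            reports.append(audit_descriptor(fh.read()))
    return reports

def clear_text_data_sources(reports):
    """Data sources still holding a clear-text password; must be empty before Production mode."""
    return [r["name"] for r in reports if not r["encrypted"]]

# Constructed sample descriptors in the real jdbc-data-source layout (values are made up).
SAMPLE_ENCRYPTED = """<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>SOADataSource</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@//dbhost:1521/soapdb</url>
    <properties><property><name>user</name><value>SP1603934449_SOAINFRA</value></property></properties>
    <password-encrypted>{AES256}constructed-ciphertext==</password-encrypted>
  </jdbc-driver-params>
</jdbc-data-source>"""
SAMPLE_CLEAR = (SAMPLE_ENCRYPTED.replace("SOADataSource", "mds-soa")
                .replace("SP1603934449_SOAINFRA", "SP1603934449_MDS")
                .replace("{AES256}constructed-ciphertext==", "NewPassw0rd#1"))
```

Run audit_domain on the real config/jdbc path and pass the result to clear_text_data_sources; the list should be empty once step 6 has re-encrypted every data source.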
select * from dba_profiles where resource_name = 'PASSWORD_LIFE_TIME';
Now, set all SOA DB users to use that profile.
Run the command below to check whether the profile for each SOA database user has been changed.
The above step should stop the SOA DB users’ passwords from expiring in future and help avoid repeating all the steps above. However, this is not recommended for production environments.
Normally, as part of the review of a hackathon I would write something about the teams and the solutions. This time round I’m doing something a little different. With the three challenges being very specific, I want to share the GitHub repositories and Kaggle code that I could find.