3
Management and Security Issues

This chapter summarizes issues associated with Oracle9i Application Server. Topics include:

3.1 Management Issues

This section contains the following topics:

3.1.1 Run dcmctl to Update Configuration for Manual Configuration Changes

If you make manual changes to the configuration files for these components:

Oracle HTTP Server
OC4J

your changes will not be reflected in the DCM repository.

To propagate your manual edits back to the DCM repository, run the following command after making any edits, either manually or through the Oracle Enterprise Manager.

dcmctl updateconfig ohs
dcmctl updateconfig oc4j

This is also the case if you created, modified, or deleted DADs or modified the mod_plsql cache setting using the Oracle Enterprise Manager.

See the Oracle9i Application Server Administrator's Guide for details.

3.1.2 Using emctl to Change the ias_admin Password

If you change the ias_admin password using emctl, then you must restart the Oracle Enterprise Manager Web Site with the following commands:

> emctl stop
> emctl start

3.1.3 OPMN Cannot Start OC4J Instance with Multibyte

The configuration file for OPMN, opmn.xml, is in UTF-8 encoding. The code that parses opmn.xml is written in C, and the data in opmn.xml is handled as UTF-8 bytes. This causes problems when the data is not converted to the right encoding. For example, if the default encoding of your operation system is EUC-JP, the directory is created using UTF-8 data. The multibyte instance name then becomes inaccessible.

As a workaround, avoid using multibyte characters for contents such as instance names and environment variables in opmn.xml.

3.1.4 Clock Synchronization

Several Oracle9iAS components require the clocks on the machines on which they run to be synchronized. You can synchronize the clocks by running the Network Time Protocol (NTP) daemon on these machines. You do this by .

3.1.5 Use Port Option to Configure Loading Application

There are several ways to configure how to load an application.

One is to load it dynamically when the first request comes in. This approach uses named pipes for communication.
Another approach is to load the application at startup. With this approach, you can configure it to use the port option or the named pipe option (where you do not have to specify the port). This release supports the port option only.

3.1.6 Oracle Enterprise Manager Does Not Display OC4J Metrics in the Home Page

When the Oracle Enterprise Manager Home Page is opened, the OC4J metrics are not displayed. Refresh the page in order to see the metrics.

3.1.7 Changing the ias_admin Password in Translated Versions of OEM

You cannot change the ias_admin password using a translated version of the Enterprise Manager Web site. This is because the Preferences link on the Instance Home Page is disabled.

You can change the ias_admin password using the following command:

ORACLE_HOME/bin/emctl set password new_password

3.1.8 "opmnctl restart" Displays Harmless "Unavailable Hostname" Message

If you run opmnctl restart or restart OC4J by other means, and EMD is running, you might see the following error messages in the ORACLE_HOME/Apache/Apache/error_log file:

[Wed Apr  3 12:09:50 2002] [error] MOD_OC4J_0082: Failed to call
gethostbyname() for host name: UNAVAILABLE.
[Wed Apr  3 12:09:50 2002] [error] MOD_OC4J_0019: Failed to resolve network
address of worker: home_15's host: UNAVAILABLE and port: 3003.
[Wed Apr  3 12:09:50 2002] [error] [client 130.35.92.190] MOD_OC4J_0138:
Failed tovalidate network worker: home_15 with host: UNAVAILABLE and port:
3003.
[Wed Apr  3 12:09:50 2002] [error] [client 130.35.92.190] MOD_OC4J_0141:
Failed to validate host: UNAVAILABLE and port 3003 for network worker:
home_15.

You can ignore these error messages; they will not cause any problems.

3.1.9 Attributes Containing Paths Break Cluster Model

In attributes that specify paths, make sure that the paths are relative to Oracle home. Otherwise, your cluster members may not run properly.

3.1.10 Oracle Enterprise Manager Does Not Support Multiple Locales

Oracle9iAS Unified Messaging

3.1.11 Operating System Patches for Host Metrics

You must install the systat package for the host metrics to work correctly on Linux Intel. After you install the systat package, create a symbolic link of /bin/bash to /bin/ksh.

3.1.12 Deploying UIX JSP and XML Applications Using Oracle Enterprise Manager

UIX JSP and UIX XML applications from JDeveloper deployed to Oracle9iAS through the Enterprise Manager deployment functionality runtime will result in a runtime rendering data access error. This happens only if data source information is added subsequently through Enterprise Manager and not pre-packaged already in the EAR file from JDeveloper.

If the EAR file generated from JDeveloper doesn't package the data source information or the "deploy to EAR files" option is chosen instead of "deploy to connection," and if that information is subsequently added through the Enterprise Manager through the edit data sources functionality, then the UIX/JSP and UIX/XML applications cannot run successfully due to runtime rendering error.

To avoid the error, do not add the data sources information after deployment through EM. Instead, package the EAR file with the data sources information from JDeveloper prior to deployment through EM. While creating the UIX/JSP or the UIX/XML application from JDeveloper, instead of just deploying to an EAR file, deploy to any existing connection, including dummy connections. That process will create an EAR file with the data sources information packaged.

If deploying to a dummy connection, although the process will result in deployment errors in JDeveloper, it will create an EAR file that includes the data source information that can be successfully deployed to Oracle9iAS.

3.1.13 Restart OC4J When User Manager is Changed From JAZN LDAP To XML

If the user manager for OC4J is changed from JAZN LDAP to JAZN XML, the change is not picked up dynamically. OC4J continues to use JAZN LDAP as the user manager.

In order to effect the change to JAZN XML, restart the OC4J instance.

3.1.14 Incorrect Indication of Oracle Internet Directory Status

Oracle Enterprise Manager web pages may show an incorrect status of Oracle Internet Directory (OID). The status may show that OID is down when it is actually up and running. This problem is caused by the Perl executable not being in the /usr/local/bin directory. It can be solved as follows:

Find the location of the Perl executable in your system by using the which command. For example:
```
> which perl
```
A full path name is displayed. Assume /perl_path/perl for this discussion
Set a soft link to the displayed path at /usr/local/bin/perl as follows:
```
> ln -s /perl_path/perl /usr/local/bin/perl
```
Restart the Oracle Enterprise Manager administration GUI.

3.1.15 Configuring JAAS with Oracle Enterprise Manager Web Site

3.1.16 Oracle9iAS Wireless Status Incorrectly Displayed as Down on Oracle Enterprise Manager Page

A condition has been discovered that will cause the Wireless status to be displayed (in Oracle Enterprise Manager) as Down, even though it is in fact Up. This occurs when more than one Oracle home directory exists on a single machine.

If you have more than one Oracle Home directory on a single machine, make the following changes to the Oracle9iAS Middle Tier (including Oracle9iAS Wireless) installation:

(UNIX only) Add the following line to the start of ORACLE_HOME/Wireless/sample/runpanamaserver.sh, just after the first line ("#!/bin/sh"):
```
ORACLE_HOME=${1}
```
(Windows only) Add the following line to the beginning of ORACLE_HOME\Wireless\samplerunpanamaserver.bat:
```
set ORACLE_HOME=%1
```

3.1.17 Oracle Enterprise Manager Intelligent Agent May Work Incorrectly in Non-English Environment

If the language environment is non-English, and the /usr/local/lib/tcl8.2/encoding/*.enc Tcl interpreter encoding definition files are installed on the node, OEM Intelligent Agent may not work properly with non-English characters. As a result, OEM jobs may fail to execute or return corrupted strings. If the above encoding definition files are not present, this problem should not occur.

The solution to this problem is to create empty Tcl interpreter encoding definition files at the following location:

$ORACLE_HOME/lib/tcl8.2/encoding/*.enc

To do so, perform the following steps:

Execute the following commands:

% cd $ORACLE_HOME/lib 
% mkdir tcl8.2 
% cp -pr /usr/local/lib/tcl8.2/encoding tcl8.2 
% cd tcl8.2/encoding

Additionally, execute the following commands depending on which shell you are running:
- If you are using C-shell or T C-shell:
```
% foreach file (*.enc) 
foreach? cp /dev/null $file 
foreach? end 
```
- If you are using Korn-shell or B-shell:
```
% for file in *.enc; do 
> cp /dev/null $file 
> done 
```
Once the empty encoding definition files have been created, restart Oracle Intelligent Agent as follows:
```
% agentctl stop 
% agentctl start 
```

Note that the NLS_LANG and LANG environment variables must be defined with appropriate values before Oracle Intelligent Agent is restarted.

3.2 Security Issues

The following are known issues associated with Oracle9iAS security.

3.2.1 Avoid Adding User Certificates to Trustpoints or Trusted Certificate Lists

If a wallet contains a user certificate as a trustpoint for a server, then a core dump occurs when the user connects to the server.

Oracle Corporation recommends not adding user certificates to trustpoints or trusted certificate lists in the Oracle wallet. Instead, install the certificate authority (CA) signers' certificate as a trustpoint.

3.2.2 Restrict Root Privileges to Oracle9iAS Web Cache Users

Users that install Oracle9iAS Web Cache may gain root privileges by running the root.sh because the webcachectl executable triggers the setuid to obtain root access.

To restrict root privileges, remove setuid from the webcachectl executable. Note that setuid is required in the following cases:

Privileged port numbers less than 1,024 are being used for Oracle9iAS Web Cache listening ports.
More than 1,024 file descriptors are being used for connections to Oracle9iAS Web Cache.
The current webcachectl user does not match the configured user in the Process Identity page (Cache-Specific Configuration > Process Identity) of Oracle9iAS Web Cache Manager.

3.2.3 JAZN Demo Data Needs to be Loaded into LDAP if JAZN LDAP is Global User Manager

If the user manager for the default application for an OC4J instance is changed to JAZN LDAP, the JAZN demo data needs to be loaded into the specified LDAP database. (This is documented in the README file in $ORACLE_HOME/j2ee/home/jazn/install.) Additionally, the default @ realm needs to be specified as "jazn.com".

If the above is not done, deployment of the demos through EM or dcmctl will fail with an error in looking up java:comp/ServerAdministrator.

3 Management and Security Issues