Oracle® Application Server Release Notes 10g Release 3 (10.1.3.1.0) for Linux x86 Part Number B31014-11
This chapter describes issues associated with Oracle Web Services Manager (Oracle WSM). It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 10.1.1, "Basic Standalone Installation Cannot be Migrated"
Section 10.1.4, "Step Instance Creates One or More Long-Lived Connection to the Directory"
Section 10.1.5, "Deploying Oracle Web Services Manager Monitor"
Section 10.1.10, "Using Non-Unicode Character Sets in the Database"
Section 10.1.11, "BouncyCastle is the Supported Security Provider for PKCS #12 Certificates"
The Basic standalone installation is a compact deployment that is suitable for training, proof-of-concept, and pre-production development and testing, but it is not intended for full-scale production. Standalone installations of Oracle Web Services Manager, installed in Basic mode, cannot be migrated to production environments.
There are two Readme files in the ORACLE_HOME directory: Readme.txt and OC4J_Readme.txt. There are instructions in the OC4J_Readme.txt file for starting the Oracle Application Server. If you have installed Oracle WSM as a standalone installation, these instructions will not start the Oracle WSM Server correctly.
For the standalone Oracle WSM installation, follow the instructions for starting the Oracle WSM Server in the file named Readme.txt, and refer to the Oracle Web Services Manager Administrator's Guide for additional information.
There is no User ID or Password field on the Web services Discovery page. However, you will see the following instruction on this page (Figure 10-1):
Please enter the URL to Discovery service. Provide User Id and Password if authentication is required.
Ignore the second sentence referring to the user ID and password.
Each policy step instance creates one or two long-lived connections to the Active Directory or LDAP directory. In a production environment, this may cause connection overloading during user authentication against an LDAP or Active Directory server.
The default value of the connection lifetime parameter, 0 milliseconds, ensures that the connection is never timed out.
To provide a workaround for this behavior, you need to tune the connection lifetime parameter as follows:
Open the following file:
ORACLE_HOME/opmn/conf/opmn.xml
Find the process-type id whose value is the name of the instance in which Oracle Web Services Manager is installed. This may be "home", or it could be another instance name. For example:
...
<ias-component id="default_group">
<process-type id="home" module-id="OC4J" status="enabled">
...
Find the data id="java-options" in the category id="start-parameters" section of the file.
...
<category id="start-parameters">
<data id="java-options" value="-server -XX:MaxPermSize=128M .../>
</category>
...
Add the connection lifetime parameter under java-options. For example:
-Doracle.wsm.directory.timeout=3600000
Talk to your Active Directory or LDAP system administrator for the value for timing out the connection.
Restart the server for the configuration changes to take effect.
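The following check is an added example, not part of the Oracle release notes: it reads an opmn.xml document and reports, for each process-type, the connection lifetime set through -Doracle.wsm.directory.timeout, counting a missing option as the default of 0. The sample document and the instance name oc4j_soa are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the opmn.xml fragments quoted above;
# the instance name "oc4j_soa" is hypothetical.
SAMPLE_OPMN_XML = """\
<opmn>
  <ias-component id="default_group">
    <process-type id="home" module-id="OC4J" status="enabled">
      <category id="start-parameters">
        <data id="java-options" value="-server -XX:MaxPermSize=128M"/>
      </category>
    </process-type>
    <process-type id="oc4j_soa" module-id="OC4J" status="enabled">
      <category id="start-parameters">
        <data id="java-options"
              value="-server -Doracle.wsm.directory.timeout=3600000"/>
      </category>
    </process-type>
  </ias-component>
</opmn>
"""

TIMEOUT_RE = re.compile(
    r"(?:^|\s)-Doracle\.wsm\.directory\.timeout=(\d+)(?=\s|$)")


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def directory_timeouts(opmn_xml):
    """Return {process-type id: connection lifetime in milliseconds}.

    Only java-options inside the start-parameters category are read.
    A missing option counts as 0, the default that never times out.
    """
    timeouts = {}
    for ptype in ET.fromstring(opmn_xml).iter():
        if local_name(ptype.tag) != "process-type":
            continue
        lifetime = 0
        for cat in ptype.iter():
            if (local_name(cat.tag) != "category"
                    or cat.get("id") != "start-parameters"):
                continue
            for data in cat:
                if (local_name(data.tag) == "data"
                        and data.get("id") == "java-options"):
                    match = TIMEOUT_RE.search(data.get("value", ""))
                    if match:
                        lifetime = int(match.group(1))
        timeouts[ptype.get("id")] = lifetime
    return timeouts


def instances_never_timing_out(opmn_xml):
    """Instances whose directory connections are never timed out."""
    timeouts = directory_timeouts(opmn_xml)
    return sorted(name for name, ms in timeouts.items() if ms == 0)


if __name__ == "__main__":
    for instance, ms in directory_timeouts(SAMPLE_OPMN_XML).items():
        print(instance, "never times out" if ms == 0 else f"{ms} ms")
```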
When you deploy the Oracle Web Services Manager Monitor on Linux, you get the following error: "Target 'install.deployCoreman' does not exist in this project. " The cause for this error is a typographical error in the Linux version of the Configuration Assistant (wsmadmin.sh). Edit the ORACLE_HOME/owsm/bin/wsmadmin.sh file, and replace both occurrences of the string "install.deployCoreman" with "install.deployMonitor". These should appear on lines 169 and 170 of the script.
This problem does not exist with the Windows version of the Configuration Assistant (wsmadmin.bat).
When you try to access the WSDL for a Web service that has been virtualized by the Oracle Web Services Manager Gateway, you may get a "500 internal server error." This problem occurs if the gateway application is deployed with a new component ID. To correct this problem, restart the application server.
Using non-alphanumeric characters in user names, user passwords, and group IDs may cause errors. For example, backslashes (\) and single quotes (') are invalid characters. Therefore, Oracle recommends using only alphanumeric characters in user names, user passwords, and group IDs.
There is a limitation on the character set encoding of characters in the property files. You may use characters that belong to the ISO 8859-1 character set in the property files. If you want to use characters that belong to any other character set, you must convert them to escaped UTF-8 characters. For example, to use a multibyte character in a user name or password, you must convert the multibyte character to an escaped UTF-8 character. If you do not convert characters, you will not get the intended result.
Date and time formats are not localized on the following pages of the Web Services Manager Control Console:
Alarm List
Stress Report
Flow Detail
My Views
Date and time always appear in the U.S. English locale. There is no workaround for this.
Oracle WSM encodes data in the UTF-8 character set, and it supports UTF-8 as the character set for the database. If you are using another character set for the database, you may encounter some problems with data conversion between the database character set and UTF-8. For example, if the character set of the database is Big 5 (Traditional Chinese), there is a known problem when you use spaces in the name of a component (that is, the name of an agent or a gateway). The space is converted to its XML encoding ( ). Therefore, if you enter Acme Gateway, it is stored in the database as Acme Gateway. However, when the data is retrieved, it does not get correctly converted to Acme Gateway. Instead you will see Acme?Gateway. There is no workaround that allows you to use spaces. If you are using the Big 5 character set, Oracle recommends that you do not use spaces in the component names to avoid unintended results.
Oracle WSM supports the use of PKCS #12 (PKCS12) certificates for message confidentiality and message integrity. Oracle WSM 10g Release 3 (10.1.3.1.0) supports PKCS12 only with BouncyCastle as the security provider.
The following procedure describes how to create a keystore with BouncyCastle as the security provider.
On the computer where Oracle WSM is installed, locate the following file:
ORACLE_HOME/jdk/lib/security/java.security
Find the section of the file with the heading, "List of providers and their preference orders."
Add the following entry:
security.provider.preference_order=org.bouncycastle.jce.provider.BouncyCastleProvider
above the following line:
security.provider.preference_order_+1=com.sun.net.ssl.internal.ssl.Provider
The variable, preference_order, is the order in which providers are searched for requested algorithms when no specific provider is requested.
The entries in the file should look similar to the following:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
Copy the following file ORACLE_HOME/owsm/lib/extlib/bcprov-jdk14-119.jar to the ORACLE_HOME/jdk/jre/lib/ext directory.
From the ORACLE_HOME/jdk/jre/bin directory, execute the following command:
keytool -genkey -alias private_key -keyalg RSA -keystore apkcs12keystore.p12 -storepass password -storetype pkcs12 -v -provider org.bouncycastle.jce.provider.BouncyCastleProvider
The variable private_key is the alias for the key, and password is the password for the alias.
For more information on how to use this tool, refer to Java JDK documentation on Security Tools (http://java.sun.com/j2se/1.5.0/docs/tooldocs/index.html#security).
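Inserting a provider means renumbering every entry below it. The JRE reads security.provider.1, security.provider.2 and so on, and stops at the first missing number, and a number defined twice keeps only the later class. The check below is an added example, not Oracle code, that validates the provider list after the edit; the two faulty samples are constructed.

```python
import re

BOUNCY_CASTLE = "org.bouncycastle.jce.provider.BouncyCastleProvider"
SUN_SSL = "com.sun.net.ssl.internal.ssl.Provider"
ENTRY_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

# The provider list shown in the release note above.
SAMPLE_GOOD = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
"""

# Constructed: BouncyCastle inserted as 3, old entry 3 not renumbered.
SAMPLE_NOT_RENUMBERED = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
"""

# Constructed: entries renumbered, but number 3 was skipped.
SAMPLE_GAP = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
"""


def check_provider_list(java_security_text):
    """Return a list of problems found in the security.provider.N entries."""
    problems, by_number = [], {}
    for line in java_security_text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue  # comments and unrelated properties
        number, cls = int(match.group(1)), match.group(2)
        if number in by_number:
            problems.append(f"security.provider.{number} is defined twice; "
                            f"{cls} replaces {by_number[number]}")
        by_number[number] = cls

    # Entries after the first missing number are never loaded.
    first_gap = 1
    while first_gap in by_number:
        first_gap += 1
    for number in sorted(n for n in by_number if n > first_gap):
        problems.append(f"security.provider.{number} is ignored because "
                        f"security.provider.{first_gap} is missing")

    active = [by_number[n] for n in range(1, first_gap)]
    if BOUNCY_CASTLE not in active:
        problems.append("BouncyCastle is not in the active provider list")
    elif SUN_SSL in active and active.index(BOUNCY_CASTLE) > active.index(SUN_SSL):
        problems.append("BouncyCastle is listed below " + SUN_SSL)
    return problems


if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_NOT_RENUMBERED", "SAMPLE_GAP"):
        print(name, check_provider_list(globals()[name]) or "ok")
```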
There is a known problem when securing OC4J components (Web Services Manager Control and Oracle WSM Policy Manager) using SSL. The components are redeployed in order to register the port that listens for the HTTPS connections. However, because of a limitation, when you redeploy the components, the settings that specify which components are secured using SSL revert to the default settings. The components stop communicating with Oracle WSM Policy Manager because of a mismatch in port settings. The workaround is to follow these steps:
Decide which port will be used for your HTTPS connections.
Configure the truststore using keytool, a Java key and certificate management tool.
keytool -genkey -keyalg algorithm -alias server_alias -keystore keystore_file
For more information on how to use this tool, refer to Java JDK documentation on Security Tools (http://java.sun.com/j2se/1.5.0/docs/tooldocs/index.html#security).
In the following file: ORACLE_HOME/owsm/config/gateway/gateway-config-installer.properties find the gateway.policymanagerURL property, and enter the following value:
gateway.policymanagerURL=https://hostname:SSL_port/policymanager
The variable, hostname, is the host on which the Oracle Policy Manager resides, and SSL_port is the port to which SSL connections are made.
In the following file: ORACLE_HOME/owsm/config/ccore/ui-config-installer.properties find the following properties, and set them as shown:
ui.pm.server.httpScheme=https
ui.pm.server.httpPort=SSL_port
The variable, SSL_port, is the port to which SSL connections are made.
Then redeploy the Web Services Control application and the Oracle WSM Gateway application.
wsmadmin deploy password gateway
wsmadmin deploy password ccore
For more information on deploying Oracle WSM components, see Oracle Web Services Manager Deployment Guide.
Note:
Because of the known limitation, the Web Services Manager Control and the Oracle WSM Gateway will temporarily be unable to connect to the Oracle WSM Policy Manager. You must complete the remaining steps. After you complete the last step, that is, you restart the Oracle Application Server, the components will be properly configured to communicate over the HTTPS ports.
Secure the OC4J components using SSL. Follow the instructions in Oracle Web Services Manager Deployment Guide, Chapter 4, "Securing Oracle Web Services Manager Components over SSL," in the section, "Securing OC4J Using SSL."
Secure the communication between the OC4J components. Follow the instructions in Oracle Web Services Manager Deployment Guide, Chapter 4, "Securing Oracle Web Services Manager Components over SSL," in the section, "Configuring the Truststore in SSL Connections." Depending on whether your deployment is an OPMN-managed deployment or a standalone OC4J deployment, you will perform one of the two procedures documented in this section.
In addition, there is one additional step that you must perform:
If you are performing the procedure in the "OPMN-Managed Deployments" section, then add the following truststore properties in step 2. These properties are in addition to the properties already mentioned in step 2.
-Djavax.net.ssl.keyStore=keystore_location -Djavax.net.ssl.keyStorePassword=password
The variable, keystore_location, is the path to the location of the keystore, and password is the password to the keystore.
If you are performing the procedure in the "Standalone OC4J Server Deployments" section, then add the following truststore properties as part of step 2. These properties are in addition to the properties already mentioned in step 2.
<sysproperty key="javax.net.ssl.keyStore" value="keystore_location"/>
<sysproperty key="javax.net.ssl.keyStorePassword" value="password"/>
The variable, keystore_location, is the path to the location of the keystore, and password is the password to the keystore.
Restart Oracle Application Server.
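Because a redeploy can return these settings to their defaults, it helps to re-check the two installer property files afterwards. The check below is an added example, not Oracle code: it confirms that gateway.policymanagerURL and the ui.pm.server.* properties agree on HTTPS and on one port. The host wsm.example.com and the port numbers are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed excerpts of the two property files named in the steps above.
# The URL uses the "\:" escapes that java.util.Properties writes.
GATEWAY_PROPS = """\
# gateway-config-installer.properties (excerpt)
gateway.policymanagerURL=https\\://wsm.example.com\\:4443/policymanager
"""
UI_PROPS_OK = """\
ui.pm.server.httpScheme=https
ui.pm.server.httpPort=4443
"""
UI_PROPS_REVERTED = """\
ui.pm.server.httpScheme=http
ui.pm.server.httpPort=8888
"""


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' and '!' comments,
    and the backslash escapes written before ':' and '=' in values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().replace("\\:", ":").replace("\\=", "=")
        props[key.strip()] = value
    return props


def check_ssl_settings(gateway_text, ui_text):
    """Return a list of inconsistencies between the two property files."""
    gateway = parse_properties(gateway_text)
    ui = parse_properties(ui_text)
    problems = []
    try:
        url = urlsplit(gateway.get("gateway.policymanagerURL", ""))
        port = url.port
    except ValueError:  # for example, the SSL_port placeholder left in place
        url = urlsplit(gateway["gateway.policymanagerURL"].split(":")[0] + ":")
        port = None
    if url.scheme != "https":
        problems.append("gateway.policymanagerURL does not use https")
    if port is None:
        problems.append("gateway.policymanagerURL has no numeric port")
    if ui.get("ui.pm.server.httpScheme") != "https":
        problems.append("ui.pm.server.httpScheme is not https")
    ui_port = ui.get("ui.pm.server.httpPort")
    if port is not None and ui_port != str(port):
        problems.append(f"port mismatch: gateway uses {port}, "
                        f"ui.pm.server.httpPort is {ui_port}")
    return problems


if __name__ == "__main__":
    print(check_ssl_settings(GATEWAY_PROPS, UI_PROPS_OK) or "consistent")
    print(check_ssl_settings(GATEWAY_PROPS, UI_PROPS_REVERTED))
```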
This section describes configuration issues and their workarounds. It includes the following topics:
You may encounter an error when installing Oracle WSM on an NFS-mounted device. This error is the result of a timing problem on NFS-mounted devices and occurs during the running of the Oracle WSM Configuration Assistant. The error you see will be similar to the following:
dataload-clean; delete] Deleting directory ORACLE_HOME/product/instance_name/owsm/db
BUILD FAILED
ORACLE_HOME/product/instance_name/owsm/scripts/install.xml:1971: The following error occurred while executing this line:
ORACLE_HOME/product/instance_name/owsm/scripts/dataload.xml:159: Unable to delete directory ORACLE_HOME/product/instance_name/owsm/db
...
To work around this problem, complete the following procedure:
Edit the ORACLE_HOME/owsm/scripts/dataload.xml file.
Edit the following line:
<delete dir="${dataload.generateSql.rootDirectory}" />
Add the text quiet="true" to this line:
<delete quiet="true" dir="${dataload.generateSql.rootDirectory}" />
Click Retry to continue configuring Oracle WSM.
After you have successfully configured Oracle WSM, delete the following directory: ORACLE_HOME/owsm/db.
Using an Oracle XE database with Oracle WSM may present connection problems. This is a known error that sometimes occurs with Oracle XE database client, but presents an intermittent problem for Oracle WSM.
To work around this limitation you may need to increase the value of the database parameter PROCESSES. The default value for this parameter setting is 40, but you may try to increase the value to 64. If required, you can further increase the value of this parameter.
You may get an out of memory exception if the Oracle WSM is configured so that its runtime memory requirements exceed the JVM default configuration. One known situation where this can occur is if you patch Oracle WSM 10.1.3 to 10.1.3.1.
To avoid this error, you need to increase the size of the Java heap.
To change the values of the Java heap
Log in to Oracle Enterprise Manager 10g Application Server Control.
In the Cluster Topology page, locate the Members section, and click home.
Click Administration.
Find Server Properties in the Task Name list, and click the Go to Task icon.
Edit the values for Maximum heap size (1024 Mb) and Initial heap size (512 Mb).
Add a row for the -XX:MaxPermSize (256 Mb) and -XX:PermSize (128 Mb) parameters and provide a value.
Click Apply.
Restart the server.
Note:
The values in parentheses are provided as an example only. These values were derived assuming that all components in the Oracle Application Server 10g Release 3 (10.1.3.1.0), also known as the Oracle SOA Suite (10.1.3.1.0), are installed. Consult your OC4J administrator and the Oracle Application Server Performance Guide for the appropriate settings for your environment.
In situations where there is high network latency between Oracle WSM and Oracle Database, the Web browser may time out before it can retrieve the data from the database.
To prevent the browser from timing out, modify the browser time out setting.
For Internet Explorer
Edit the following registry key:
HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings
Add the DWORD KeepAliveTimeout, and set the value in milliseconds.
For all other supported Web browsers, please consult the product documentation for the browser for information on setting the browser time out.
When you configure the Oracle Access Manager Authenticate Authorize policy step, and you reconfigure the path to the Oracle Access Manager SDK, the new path does not take effect until you restart any agents or gateways that use this SDK.
Note:
Oracle Access Manager SDK is the same as what has previously been referred to as Access Server SDK.
You may experience problems when invoking a service, located on the nonproxy host, from a proxy server even though you have configured the settings correctly. This may occur with a standalone installation of Oracle WSM or when Oracle WSM is installed as part of the Oracle SOA Suite.
To work around this limitation, delete the proxy.host and nonproxy.host settings in the properties files.
If you have a standalone installation of Oracle WSM, delete the settings in the ORACLE_HOME/owsm/bin/coresv.properties file.
If Oracle WSM is installed as part of the Oracle SOA Suite, delete the settings in the ORACLE_HOME/opmn/conf/opmn.xml file.
For more information about setting these properties, see the Oracle Web Services Manager Deployment Guide, or Section 10.3.4, "Correction to Command Syntax".
This section describes documentation errata. It includes the following topics:
Section 10.3.1, "One Oracle WSM Gateway Per Oracle WSM Instance"
Section 10.3.5, "Correction to Proxy Server Settings Syntax"
Section 10.3.6, "Correction to Extract Credentials Policy Step"
A clarification is required in Oracle Web Services Manager Deployment Guide, Chapter 2, "Implementing Your Oracle WSM Deployment," in the section titled "Configuring Oracle WSM in a Clustered Environment." In Figure 2-1, there are three Oracle WSM instances on vhost1, vhost2, and vhost3. There is one Oracle WSM Gateway in the instances on vhost1 and vhost2. It is implied by the figure, but not stated explicitly, that you can install only one Oracle WSM Gateway in an Oracle WSM instance. It is because you can only install one gateway per Oracle WSM instance that load balancing may be required.
A clarification is required in Oracle Web Services Manager Deployment Guide, Chapter 5, "Deploying Oracle WSM Gateways," in the section titled "Enabling Oracle Web Services Manager to use JMS." This section contains the following instruction:
Copy the tibjms.jar and tibcrypt.jar files to the correct location in your Oracle WSM installation, for example, to ORACLE_HOME/10.1.3.1/OracleAS_1/owsm/lib/custom. Unless you perform this task, the JMS feature will not work.
You must complete this task only if you are using Tibco JMS. Oracle JMS does not require these Jar files.
When using the Oracle WSM WSMADMIN commands on UNIX operating systems, the command must be specified as wsmadmin.sh. The Oracle WSM documentation uses the syntax for Microsoft Windows operating systems (that is, wsmadmin) for all WSMADMIN commands. If you are using the commands on a UNIX system, replace wsmadmin with wsmadmin.sh.
There is an error in Oracle Web Services Manager Administrator's Guide, Chapter 6, "Monitoring Oracle Web Services Manager," in the section titled "Configuring Metrics Data Persistence."
In step 3 of the procedure, the correct command to redeploy the application is wsmadmin deploy application_server_password monitor.
There is an error in Oracle Web Services Manager Administrator's Guide, Chapter 10, "Troubleshooting," in the "Error When Importing WSDL" section. The error occurs in the second procedure, titled "For Oracle WSM when it is installed as part of Oracle Application Server 10g Release 3 (10.1.3.1.0)."
Replace step 4 in the procedure with the following step:
4. Add the -Dhttp.proxySet, -Dhttp.proxyHost, -Dhttp.proxyPort, and -Dhttp.nonproxyHosts parameters to the java-options attribute of the data id tag:
<data id="java-options" value="-server -XX:MaxPermSize=128M -Dhttp.proxySet=true -Dhttp.proxyHost=proxy_server -Dhttp.proxyPort=listen_port -Dhttp.nonproxyHosts=host_name .../>
Table 10-1 Parameter Settings for Oracle WSM Installed as Part of Oracle Application Server
Parameter Value | Description of Value |
---|---|
-Dhttp.proxySet | The value |
-Dhttp.proxyHost | Name of the proxy server. For example, |
-Dhttp.proxyPort | The port number on the proxy server where you wish to connect. For example, 80 |
-Dhttp.nonproxyHosts | Hosts that connect directly without intervention from the proxy server. This value can be a list of host names separated by a vertical bar (|) or an asterisk ( |
There is a correction to Appendix A, "Oracle Web Services Manager Policy Steps," in the Oracle Web Services Manager Administrator's Guide. The following corrections are to the Extract Credentials policy step.
There are four possible locations for the Credentials location property, one of which is XPath. The example XPath location given in the book is incorrect. The incorrect example is:
/soap:Header/soap:Envelope/wsse:Security/wsse:UsernameToken/
The correct example is:
/soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/
The Namespaces property is described, in part, as follows:
Comma-delimited list of prefix and namespace Uniform Resource Identifier (URI) pairs for the prefixes used in the User ID xpath and Password xpath properties.
This is incorrect; the URI pairs must be separated by spaces, not by commas. Furthermore, if there are spaces in the URI itself, the space character must be replaced by the characters %20.
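The two corrections can be seen against a sample message. The code below is an added example, not Oracle code: it resolves both XPath locations against a constructed SOAP request and reads a Namespaces value split on spaces. It assumes each pair is written prefix=URI, which the text above does not spell out, and the parser is this example's own, not the policy step's.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed request carrying a WS-Security UsernameToken.
SAMPLE_REQUEST = f"""\
<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>constructed-sample</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>
"""

INCORRECT_XPATH = "/soap:Header/soap:Envelope/wsse:Security/wsse:UsernameToken/"
CORRECT_XPATH = "/soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/"

SPACE_SEPARATED = f"soap={SOAP_NS} wsse={WSSE_NS}"
COMMA_SEPARATED = f"soap={SOAP_NS},wsse={WSSE_NS}"  # form the guide described


def parse_namespaces(value):
    """Split a Namespaces value on whitespace into {prefix: URI}.

    Assumption of this example: pairs are written prefix=URI, and %20
    inside a URI stands for a space.
    """
    namespaces = {}
    for pair in value.split():
        if "=" in pair:
            prefix, uri = pair.split("=", 1)
            namespaces[prefix] = uri.replace("%20", " ")
    return namespaces


def find_token(xpath, request_xml, namespaces):
    """Resolve an absolute location path; return the element or None."""
    document = ET.Element("document")  # stands in for the document node
    document.append(ET.fromstring(request_xml))
    try:
        return document.find(xpath.strip("/"), namespaces)
    except SyntaxError:  # a prefix in the path is missing from the map
        return None


def username_at(xpath, request_xml, namespaces_value):
    """Return the Username under the located token, or None if not found."""
    namespaces = parse_namespaces(namespaces_value)
    token = find_token(xpath, request_xml, namespaces)
    if token is None:
        return None
    return token.findtext("wsse:Username", default=None, namespaces=namespaces)


if __name__ == "__main__":
    print(username_at(CORRECT_XPATH, SAMPLE_REQUEST, SPACE_SEPARATED))
    print(username_at(INCORRECT_XPATH, SAMPLE_REQUEST, SPACE_SEPARATED))
    print(username_at(CORRECT_XPATH, SAMPLE_REQUEST, COMMA_SEPARATED))
```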
There is an error in Chapter 6, "Installing Agents" in Oracle Web Services Manager Deployment Guide. The documentation provides instructions for installing AXIS client agents. This is an error; Oracle Web Services Manager 10g Release 3 (10.1.3.1.0 and 10.1.3.3) does not support AXIS client agents. Oracle does plan to support AXIS client agents. Refer to the Oracle Application Server Patch Set Notes Addendum 10g (10.1.3) Patch Set 3 (10.1.3.3.0) for the most current information on the availability of this support.
There is a correction to Appendix D, "Database Maintenance," in Oracle Web Services Manager Deployment Guide. The procedures for changing the database password in the section, "Changing Passwords," should be replaced with the procedures that follow.
To change a password for a single database instance
Change the password for the OWSM schema in the Oracle Database.
Restart the Oracle Application Server on which the Oracle WSM components are deployed.
Edit the ORACLE_HOME\owsm\bin\coresv.properties file, and update the dataload.messagelog.db.password property with the new database password.
Encode the password in the coresv.properties file.
wsmadmin encodePasswords coresv.properties dataload.messagelog.db.password
Copy the database configuration properties to the configuration directory property files.
wsmadmin copyDBConfig
Redeploy the Oracle WSM applications either individually or using the all parameter.
wsmadmin deploy oc4j_admin_password all
Restart the Oracle Application Server instance.
Complete the procedure in Section 10.3.8.1, "Updating the Database Configuration Properties."
To update and reconcile a password for multiple database instances
Change the password for the OWSM schema in the Oracle Database.
Restart the Oracle Application Server on which the Oracle WSM components are deployed.
Update the relevant attribute in the application properties file for each application. These files are located in ORACLE_HOME\owsm\config\application_name.
Encode the password for each property that was changed in step 3.
wsmadmin encodePasswords file_name property_name
Redeploy the Oracle WSM components that connect to the database.
wsmadmin deploy oc4j_admin_password component
Restart the Oracle Application Server instance.
Repeat this procedure for each Oracle Database that is used by an Oracle WSM component.
Complete the procedure in Section 10.3.8.1, "Updating the Database Configuration Properties."
When you update the database password for Oracle WSM components, the database configuration properties for the Oracle WSM Agents and Gateways do not get updated. Therefore, you will not be able to access the message logs for these components. The workaround for this problem is to manually edit the properties for the components with the new password.
Log in to Web Services Manager Control.
In the navigation pane, select Policy Management.
Click Edit for the Oracle WSM Agent or Gateway.
Edit the cfluent.messagelog.db.password with the new database password, and save this change.
This is a correction to Appendix E, "Authentication Sources," in Oracle Web Services Manager Deployment Guide. In the section, "Active Directory," there are contradictory statements about which users can be authenticated against Active Directory. The correct statement is that Active Directory can be used to authenticate Oracle WSM system users as well as end users.