The Oracle Application Server 10g Infrastructure

If you need to handle the administration and management of Oracle Application Server 10g, this article covers the metadata repository (iasdb), the Single Sign-On (SSO) security framework, and the Oracle Application Server 10g Management Services. It is excerpted from chapter 2 of the book, Oracle Application Server 10g Administration Handbook, written by John Garmany and Donald Burleson (McGraw-Hill/Osborne, 2004; ISBN: 0072229586).

This chapter moves deeper into the administration and management of Oracle Application Server 10g as we start to look at management of the infrastructure. The Application Server 10g infrastructure is the heart of the Application Server 10g farm and is the central metadata repository for many critical application components. While many administrators limit their definition of the infrastructure to the metadata database (often referred to as the iasdb instance), the infrastructure consists of much more. In this chapter, we will examine the metadata repository (iasdb), the Single Sign-On (SSO) security framework, and the Oracle Application Server 10g Management Services:

  • Repository: The Application Server 10g metadata repository (the iasdb database) contains important configuration and usage information for all Application Server 10g components. In addition to iasdb, the Oracle LDAP server (Oracle Internet Directory, OID) provides nondatabase information for use by Application Server 10g components.

  • Security: Oracle SSO provides centralized security control across all Application Server 10g instances. This removes the need to manage each component independently and provides a simple, centralized security system.

  • Management Services: The Application Server 10g OEM console screens provide complete administrative facilities for all farms, clusters, instances, and components. Virtually every management task can now be done using the OEM console.

In Application Server 10g, you can use the enhanced Oracle Enterprise Manager (OEM) tool to administer the infrastructure components. As an Application Server 10g administrator, it is your job to become familiar with all of these components. Of course, your shop may not have some of the optional components, such as Single Sign-On, but it is imperative that you understand how these infrastructure tools communicate with each other to provide the administrative framework for Application Server 10g.

Let’s begin with an overview of the repository data structures.

The Infrastructure Repository

As the scope of Application Server 10g expanded, Oracle recognized that a centralized data repository was needed to handle all of the metadata required by Application Server 10g. This was achieved by creating an Oracle database on the Application Server 10g midtier called iasdb. The metadata repository is known by several names, including the Application Server 10g infrastructure repository, the infrastructure instance, and iasdb. The iasdb name is the default $ORACLE_SID for the Oracle 9i database that holds the data.

The metadata repository holds configurations for many of the Application Server 10g components, and is also extended for use by SSO. As of release 9.0.4, there are nearly 20 Application Server 10g components, and many of these use iasdb for centralized metadata storage. Also, starting in release 9.0.4, the infrastructure may be any supported release of Oracle 9i that is at the correct version and patch level.

Remember, not all Application Server 10g components make the same use of iasdb. For example, OID and SSO use iasdb to store security access data, while other components such as OHS and Web Cache only store configuration information in iasdb.

The iasdb database contains all of the metadata and internal information for all SSO components, Oracle Portal, Oracle Wireless, and some DCM components. The infrastructure repository holds data for all Application Server 10g components in a farm, and is critical to the proper operation of these components:

  • OID        Oracle Internet Directory (LDAP)

  • DCM        Distributed Configuration Manager

  • Portal     The web development component of Application Server 10g

  • OEM        The repository for many OEM components

  • SSO        Oracle Single Sign-On

  • Wireless   Oracle Wireless metadata

Let’s take a quick tour of the various schemas within the iasdb database and see how each schema is used by the Application Server 10g components. Then we will examine the iasdb log files and look at queries that can be automated for easy viewing.

The iasdb database instance has many individual schemas. Each of these schemas has a special function to help control and manage each of the various Application Server 10g components. Table 2-1 lists the Application Server 10g schemas within iasdb. These schema components are always installed in the infrastructure database, even if you are not using a component.

Once you understand the schema owner’s purpose, you can examine the complexity of each schema. As an Application Server 10g administrator, you must become intimate with these schemas and understand which schemas control what system functions. The iasdb instance has some schemas that must be locked, others whose passwords may be changed at will, and others that are registered with the OID and should only be changed using OEM.

Immutable iasdb Schemas

Some schemas are immutable, and the passwords and data structures must never be changed. This is especially true for this group of iasdb schemas:

Schema Name  Used By                  Default Password
_________________________________________________________
CTXSYS       Intermedia Text option   change_on_install
MDSYS        Spatial Data option      mdsys
OLAPDBA      OLAP Services option     olapdba
OLAPSVR      OLAP Services option     instance
OLAPSYS      OLAP Services option     manager
ORDPLUGINS   InterMedia Audio option  ordplugins
ORDSYS       InterMedia Audio option  ordsys
OUTLN        Stored Outlines          outln

Table 2-1.  The Application Server 10g schemas within iasdb

Schema                       Description
______________________________________________________________________________
AURORA$JIS$UTILITY$          Oracle Servlet Engine schema
AURORA$ORB$UNAUTHENTICATED   Oracle Servlet Engine schema
DCM                          Distributed Configuration Manager
DISCOVERER5                  Oracle Application Server Discoverer 10g
DSGATEWAY                    Oracle 9i Syndication Server
INTERNET_APPSERVER_REGISTRY  Contains the COMPONENTS table
IP                           TCP/IP replication (advanced queuing) and Internet audit log tables
OCA                          Oracle Application Server Certificate Authority 10g
ODS                          Oracle Internet Directory metadata
ORAOCA_PUBLIC                Oracle Application Server Certificate Authority 10g synonyms
ORASSO                       Oracle Application Server Single Sign-On 10g
ORDSYS                       Oracle InterMedia Audio schema
ORDPLUGINS                   Oracle InterMedia Audio schema
OSE$HTTP$ADMIN               Oracle Servlet Engine
OWA_MGR                      Oracle Workflow
PORTAL                       Oracle Application Server Portal 10g
PORTAL_APP                   Oracle Application Server Portal 10g
PORTAL_DEMO                  Oracle Application Server Portal 10g demonstration schema
PORTAL_PUBLIC                Oracle Application Server Portal 10g Public synonyms
UDDISYS                      Oracle Application Server Web Services 10g
WFADMIN                      Oracle Workflow
WIRELESS                     Oracle Application Server Wireless 10g
WKSYS                        Oracle Ultra Search
WK_PROXY                     Oracle Ultra Search
WK_TEST                      Oracle Ultra Search

Workflow iasdb Schemas

The following iasdb schemas are used by the Oracle Workflow component, and the passwords may be changed as desired:

Schema Name  Used By              Default Password
____________________________________________________
BLEWIS       Workflow component   blewis
CDOUGLAS     Workflow component   cdouglas
KWALKER      Workflow component   kwalker
SPIERSON     Workflow component   spierson

Schemas Registered in the OID

The next group of iasdb schemas includes those that are registered in OID. Because the OID manages the passwords for these schemas, you should never attempt to alter any of these schema owner passwords with the alter user command. Instead, you should use the OEM facility for changing these passwords. When using OEM to alter these passwords, OEM will change the password inside the iasdb database and also update the appropriate OID system tables.

OID Schema Name                   Used By
____________________________________________________
DISCOVERER5                       Discoverer
DSGATEWAY                         Syndication Server
DSSYS                             Web Services
ODS                               Internet Directory
ODSCOMMON                         Internet Directory
ORASSO                            Single Sign-On
ORASSO_DS                         Single Sign-On
ORASSO_PA                         Single Sign-On
ORASSO_PS                         Single Sign-On
ORASSO_PUBLIC                     Single Sign-On
PORTAL                            Portal
PORTAL_APP                        Portal
PORTAL_DEMO                       Portal
PORTAL_PUBLIC                     Portal
WIRELESS                          Wireless

Now let’s go deeper and explore SQL*Plus scripts that allow you to see the individual schema components in greater detail.

Viewing the Whole iasdb Instance

The entire iasdb instance contains more than 10,000 database objects and more than 1800 tables. You can run the following script to show the counts for each object type within iasdb.

iasdb_component_count.sql

set lines 60
set pages 999
ttitle 'OracleAS iasdb|Object Report'
spool obj_count.lst
col c1 heading 'Owner' format a30
col c2 heading 'Object|Type' format a15
col c3 heading 'Object|Count' format 99,999
break on c1 skip 2
compute sum of c3 on c1
select
   owner c1,
   object_type c2,
   count(*) c3
from
   dba_objects
where
   owner in (
   'OSE$HTTP$ADMIN',
   'DCM',
   'DISCOVERER5',
   'ORASSO_PS',
   'ORASSO_PUBLIC',
   'ORASSO',
   'ODS',
   'ORAOCA_PUBLIC',
   'UDDISYS',
   'WCRSYS',
   'OCA',
   'IP',
   'OWF_MGR',
   'WIRELESS',
   'DSGATEWAY',
   'PORTAL_APP',
   'PORTAL_PUBLIC',
   'PORTAL',
   'ORASSO_PA',
   'ORASSO_DS',
   'WKPROXY',
   'INTERNET_APPSERVER_REGISTRY',
   'SPIERSON',
   'SYSADMIN',
   'WFADMIN',
   'ORDPLUGINS'
   )
group by
   owner,
   object_type
order by
   c1,
   c3 desc
;
spool off

The output from this script is shown in the following listing. Even though there are more than 10,000 objects in the iasdb database, when you break them down into their components, you see that IP is the largest schema with 400+ tables, followed by PORTAL with 350+ tables, and WIRELESS and OWF_MGR with over 200 tables each.

OracleAS iasdb
Object Report

Owner                          Object Type     Object Count
------------------------------ --------------- -------
DCM                            INDEX
                               TABLE                11
                               LOB                   1
                               SEQUENCE              1
******************************                 -------
sum                                                 29

DISCOVERER5                    INDEX                34
                               SEQUENCE              8
                               TABLE                 8
                               LOB                   3
******************************                 -------
sum                                                 53

DSGATEWAY                      INDEX                30
                               TABLE                30
                               PACKAGE              17
                               PACKAGE BODY         16
                               SEQUENCE             12
                               TYPE                 12
                               LOB                   3
                               VIEW                  1
******************************                 -------
sum                                                121

INTERNET_APPSERVER_REGISTRY    INDEX                 2
                               TABLE                 1
                               VIEW                  1
******************************                 -------
sum                                                  4

IP                             TRIGGER           1,293
                               INDEX               762
                               TABLE               475
                               VIEW                437
                               LOB                 223
                               PACKAGE               9
                               PROCEDURE             9
                               QUEUE                 9
                               PACKAGE BODY          8
                               SYNONYM               7
                               SEQUENCE              4
                               TYPE                  4
                               FUNCTION              1
******************************                 -------
sum                                              3,241

OCA                            INDEX                11
                               TABLE                11
                               SEQUENCE              5
                               LOB                   2
                               PACKAGE               2
                               PACKAGE BODY          2
                               VIEW                  1
******************************                 -------
sum                                                 34

ODS                            INDEX               300
                               TABLE               156
                               TYPE                 23
                               PACKAGE              20
                               PACKAGE BODY         20
                               SEQUENCE              7
                               LOB                   2
                               PROCEDURE             1
******************************                 -------
sum                                                529

ORASSO                         PACKAGE             176
                               PACKAGE BODY        162
                               INDEX               155
                               TABLE                91
                               TYPE                 51
                               VIEW                 43
                               SEQUENCE             39
                               TRIGGER              35
                               TYPE BODY            10
                               PROCEDURE             8
                               LOB                   7
                               FUNCTION              4
                               JAVA CLASS            2
                               SYNONYM               2
                               LIBRARY               1
******************************                 -------
sum                                                786

ORASSO_DS                      SYNONYM               4
******************************                 -------
sum                                                  4

ORASSO_PA                      SYNONYM               1
******************************                 -------
sum                                                  1

ORASSO_PS                      SYNONYM               5
******************************                 -------
sum                                                  5

ORDPLUGINS                     PACKAGE              14
                               PACKAGE BODY         14
******************************                 -------
sum                                                 28

OSE$HTTP$ADMIN                 TABLE                 3
                               SEQUENCE              2
******************************                 -------
sum                                                  5

OWF_MGR                        INDEX               261
                               TABLE               204
                               PACKAGE             136
                               PACKAGE BODY        132
                               VIEW                 85
                               SEQUENCE             49
                               LOB                  36
                               QUEUE                36
                               TYPE                  9
                               UNDEFINED             9
                               SYNONYM               8
                               TYPE BODY             3
                               TABLE PARTITION       2
******************************                 -------
sum                                                970

PORTAL                         PACKAGE             729
                               PACKAGE BODY        704
                               INDEX               584
                               TABLE               379
                               JAVA CLASS          199
                               VIEW                157
                               TRIGGER             130
                               TYPE                114
                               SEQUENCE             89
                               LOB                  50
                               TYPE BODY            38
                               PROCEDURE            12
                               FUNCTION              5
                               SYNONYM               5
                               JAVA RESOURCE         4
                               JAVA SOURCE           1
******************************                 -------
sum                                              3,200

PORTAL_APP                     SYNONYM               3
******************************                 -------
sum                                                  3

UDDISYS                        INDEX               130
                               TABLE                46
                               LOB                   4
                               PACKAGE               3
                               PACKAGE BODY          2
                               SEQUENCE              2
                               TYPE                  1
                               VIEW                  1
******************************                 -------
sum                                                189

WCRSYS                         TABLE                10
                               INDEX                 9
                               SEQUENCE              2
                               PACKAGE               1
                               PACKAGE BODY          1
******************************                 -------
sum                                                 23

WIRELESS                       INDEX               403
                               TABLE               236
                               TRIGGER              92
                               VIEW                 67
                               SEQUENCE             54
                               LOB                  46
                               TYPE                 43
                               QUEUE                41
                               PACKAGE              33
                               PACKAGE BODY         32
                               PROCEDURE            16
                               FUNCTION              7
                               CLUSTER               1
******************************                 -------
sum                                              1,071

It should come as no surprise that the iasdb database contains complex data structures and stored packages, but administrators must understand how these database components are used by the Application Server 10g application components. Of course, the iasdb schema components should never be altered or directly manipulated, but there are some important logging components within iasdb. Let’s take a close look at some of the Application Server 10g infrastructure log tables.

The Infrastructure Log Tables

The Application Server 10g system contains numerous log files, some of which are stored in flat files while others are stored inside the iasdb instance. Remember that log files and audit trails may exist in many places, and you must become accustomed to looking for error messages and audits in the proper places.

In practice, administrators use shell scripts with SQL*Plus to automate this task, and filter out unwanted messages so they can see only those messages that are germane to their current needs. When the iasdb database is initially loaded, log files are created in the $ORACLE_HOME/config directory. These include the following files:

  • schemaload.log: This file reports on the iasdb load process.

  • useinfratool.log: This file reports on all tools whose definitions have been loaded into the iasdb instance.

  • infratool_instance_jazn.log: This reports on the Java Authorization (JAZN) install using Oracle’s Java Authentication and Authorization Service (JAAS).

  • infratool_mod_osso.log: This file reports on the mod_osso load process.

After the iasdb initial load, it is a good idea to check these files for errors. Application Server 10g will report on all successful component installations in these logs, and you can easily check the status with a single command:

root> grep -i succeeded $ORACLE_HOME/config/*.log
infratool_instance_jazn.log:Configuration succeeded for IASProperty
infratool_instance_jazn.log:Configuration succeeded for IAS
infratool_instance_jazn.log:Configuration succeeded for LDAP
infratool_mod_osso.log:Configuration succeeded for JAZN
infratool_mod_osso.log:Configuration succeeded for HTTPD
infratool_mod_osso.log:Configuration succeeded for MODOSSO
schemaload.log:Configuration succeeded for SchemaLoad
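
The grep above shows only what succeeded, so a component that never reported is easy to miss. The following added example (not from the book) inverts the check and lists every expected component that has no success line; the function names, the sample logs, and the "failed" wording are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book. File and component names are the ones in
# the grep listing above; the sample logs and "failed" wording are constructed.

# One "logfile:component" pair for each success line the listing shows.
EXPECTED='infratool_instance_jazn.log:IASProperty
infratool_instance_jazn.log:IAS
infratool_instance_jazn.log:LDAP
infratool_mod_osso.log:JAZN
infratool_mod_osso.log:HTTPD
infratool_mod_osso.log:MODOSSO
schemaload.log:SchemaLoad'

# missing_components DIR
# Prints "logfile:component" for every expected component whose log file is
# absent or lacks an exact "Configuration succeeded for <component>" line.
# -F -x matches the whole line literally, so IAS does not match IASProperty.
missing_components() {
    dir=$1
    echo "$EXPECTED" | while IFS=: read -r file comp; do
        if ! grep -q -F -x "Configuration succeeded for $comp" "$dir/$file" 2>/dev/null; then
            echo "$file:$comp"
        fi
    done
}

# failure_lines DIR
# Prints every log line mentioning an error or failure, prefixed with its file
# name (/dev/null forces the prefix even when only one log exists).
failure_lines() {
    grep -i -E 'error|fail' "$1"/*.log /dev/null || true
}

# make_sample_logs
# Builds a constructed config directory in which MODOSSO did not succeed and
# prints its path.
make_sample_logs() {
    d=$(mktemp -d) || return 1
    cat > "$d/infratool_instance_jazn.log" <<'EOF'
Configuration succeeded for IASProperty
Configuration succeeded for IAS
Configuration succeeded for LDAP
EOF
    cat > "$d/infratool_mod_osso.log" <<'EOF'
Configuration succeeded for JAZN
Configuration succeeded for HTTPD
Configuration failed for MODOSSO
EOF
    printf 'Configuration succeeded for SchemaLoad\n' > "$d/schemaload.log"
    echo "$d"
}

demo_dir=$(make_sample_logs)
echo "Components with no success line:"
missing_components "$demo_dir"
echo "Lines reporting a failure:"
failure_lines "$demo_dir"
rm -rf "$demo_dir"
```

Against a real installation, pass $ORACLE_HOME/config as the directory argument.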

Of course, there are many other flat files for logs within Application Server 10g, and they are fully discussed in later chapters. Next let’s look at the OEM console interface for displaying Application Server 10g log messages.

Using the OEM Console to View Application Server 10g Logs

The Oracle Enterprise Manager console contains a graphical log viewer that can be used to display some of the log files, as shown in Figure 2-1. From this screen you can choose any Application Server 10g component and view some of the associated log files. In the example shown in Figure 2-2, we chose Wireless and selected the Search button. Here you see server-side error log messages associated with Oracle Portal. However, this screen can be misleading because the infrastructure database also contains repository logs.


Figure 2-1.  The OEM log file viewer


Figure 2-2.  The OEM Wireless log file viewer 

Using the OEM Repository Log Viewer

The repository log viewer is easy to use, and you can select any Application Server 10g component and view the associated repository log messages (Figure 2-3). From this screen you can choose the repository components and specify filter conditions. This OEM screen then generates the SQL statements to query the native iasdb database log tables. In the example in Figure 2-3, we selected the OC4J wireless logs.

When you click the Search button, you see the error messages associated with the OC4J Wireless component displayed in HTML format. Although the OEM console GUI is great for ad hoc queries, administrators often supplement this GUI with custom scripts to extract and e-mail important error messages. Let’s take a closer look at how this works.

Writing Your Own Infrastructure Repository Log Scripts

As we just noted, the OEM viewer is great for quick online queries, but most administrators write SQL*Plus scripts to directly extract the repository log message, often e-mailing it to the desktop.


Figure 2-3.  The OEM infrastructure repository log viewer

To see how this works, here is a sample Korn shell script that will extract the online repository logs for SSO and mail them to the Application Server 10g administrator:

mail_logs.ksh

#!/bin/ksh
# First, we must set the environment . . . .
ORACLE_SID=iasdb
export ORACLE_SID
ORACLE_HOME=`cat /etc/oratab|grep $ORACLE_SID:|cut -f2 -d':'`
export ORACLE_HOME
PATH=$ORACLE_HOME/bin:$PATH
export PATH
# Get the server name
host=`uname -a|awk '{ print $2 }'`
# Run the SSO audit query and spool its output to log_rpt_mgt.lst
${ORACLE_HOME}/bin/sqlplus system/`cat password.txt`<<!
spool log_rpt_mgt.lst
@sso_audit_log.sql
spool off
exit;
!
#************************************
# Filter only error messages
#************************************
grep -i error log_rpt_mgt.lst > errors_log.lst

#************************************
# Mail the Object Statistics Reports
#************************************
cat errors_log.lst|mailx -s "Oracle AS 10g Repository SSO Messages" \
   larry_lizard@us.oracle.com \
   graham_cracker@oracle.com \
   bob_white@oracle.com

Note the password security in the SQL*Plus invocation line. You can save the SYSTEM password on your server in a file called password.txt and protect it by setting the file permissions such that only the Oracle user may view the password:

oracle> chmod 700 password.txt
oracle> ls -al *.txt
-rwx------ 1 oracle  oracle   13 Aug 18 05:35 password.txt
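
File permissions protect password.txt at rest, but a password expanded onto the sqlplus command line can still be visible in the process list while the script runs. The following added example (not from the book) checks that the file is owner-only before using it and feeds the password to `sqlplus /nolog` on standard input; the function names and the sample password are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book. pwfile_is_private and sqlplus_input are
# hypothetical helper names; the password value below is constructed.

# pwfile_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink), is owned by the
# user running the script, and grants nothing to group or other. Both the
# page's mode 700 and the tighter 600 pass; 640, 644 and so on do not.
pwfile_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ -O "$f" ] || return 1
    # Characters 1-10 of the ls mode string, ignoring any ACL/SELinux suffix.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# sqlplus_input PWFILE SQLSCRIPT
# Prints the commands to pipe into "sqlplus /nolog": a connect line carrying
# the password, the script to run, and exit. printf is a shell builtin, so the
# password never appears as an argument of an external process.
sqlplus_input() {
    pwfile=$1
    script=$2
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing to use $pwfile: not a private, owner-only file" >&2
        return 1
    fi
    pw=$(cat "$pwfile")
    printf 'connect system/%s\n@%s\nexit\n' "$pw" "$script"
}

# Intended use in mail_logs.ksh (sqlplus itself is not run by this example):
#   sqlplus_input password.txt sso_audit_log.sql | $ORACLE_HOME/bin/sqlplus /nolog

# Demonstration with a constructed password file.
demo=$(mktemp -d)
printf 'constructed-secret\n' > "$demo/password.txt"

chmod 644 "$demo/password.txt"      # world-readable: must be rejected
sqlplus_input "$demo/password.txt" sso_audit_log.sql || echo "(refused, as intended)"

chmod 600 "$demo/password.txt"      # owner-only: accepted
sqlplus_input "$demo/password.txt" sso_audit_log.sql

rm -rf "$demo"
```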

Now that you’ve seen how easy it is to write SQL*Plus scripts against the iasdb instance, let’s take a look at the log tables and see which are the most important to the Application Server 10g administrator.

Viewing the Repository Log Tables

Because Oracle has been very careful to use uniform table naming conventions, you can write a simple SQL*Plus query to see the Application Server 10g log tables. In the following listing, we select all iasdb tables that contain the string LOG.

select owner, table_name
from dba_tables
where table_name like '%LOG%';

WIRELESS                       PTG_LBS_LOG
                               PTG_DEBUG_LOG
                               PTG_SERVICE_LOG
                               PTG_SESSION_LOG
                               TRANS_REQUEST_LOG
                               TRANS_HANDLE_LOG
                               TRANS_PROCESS_LOG
                               TRANS_ENQUEUE_LOG
                               TRANS_DEQUEUE_LOG
                               ASYNC_STATISTICS_LOG
                               MESSAGING_OUTGOING_LOG
                               LBEVENT_ENQUEUE_LOG
                               LBEVENT_DEQUEUE_LOG
                               LBEVENT_MSG_LOG
                               LBEVENT_ACTIVATION_LOG
                               STUDIO_LOG MESSAGES
                               PROVISIONING_TRANSACTION_LOG
                               BILLING_SDR_LOG
                               SYS_LOGGER_TABLE
                               WWSEC_SSO_LOG$
OWF_MGR                        ECX_OUTBOUND_LOGS
                               ECX_DOCLOGS
                               ECX_EXTERNAL_LOGS
                               ECX_OXTA_LOGMSG
                               ECX_INBOUND_LOGS
                               ECX_MSG_LOGS
IP                             TIP_ERRORLOGINSTANCE_T_AUD
                               ERRORLOGRECORDDATA_AUD
                               TIP_ERRORLOGINSTANCE_RT
                               TIP_ERRORLOGRECORDDATAINSTA_RT
                               TIP_RTLOG
                               B2BERROR_LOG

The output shows each of the iasdb schemas and their associated log tables. Remember, not all of the log tables are populated with meaningful information, so you must carefully examine each log file to see the contents.

Infrastructure Log Reports

The following script can be run to display all of the iasdb logs in your system. Called display_all_log_tables.ksh, it embeds the SQL*Plus commands in a shell script to extract all log messages into a flat file.

display_all_log_tables.ksh

#!/bin/ksh
# First, we must set the environment . . . .
ORACLE_SID=iasdb
export ORACLE_SID
ORACLE_HOME=`cat /etc/oratab|grep $ORACLE_SID:|cut -f2 -d':'`
export ORACLE_HOME
PATH=$ORACLE_HOME/bin:$PATH
export PATH
# Generate runme.sql (one "select *" per log table), then run it
${ORACLE_HOME}/bin/sqlplus system/`cat password.txt`<<!
ttitle off
set heading off
set lines 200
set pages 999
set echo off
set feedback off
set long 4000;
spool runme.sql
select 'spool all_logs.lst' from dual;
select 'set echo on' from dual;
select
  'select * from '||owner||'.'||table_name||';'
from
  dba_tables
where
  table_name like '%LOG%'
and
  owner not in ('SYS','SYSTEM')
;
select 'spool off' from dual;
spool off;
@runme.sql
spool off;
exit;
!
#************************************
# Filter only error messages
#************************************
grep -i error all_logs.lst > error_log.lst
grep -i warning all_logs.lst > warning_
#************************************
# Mail the Object Statistics Reports
#************************************
cat error_log.lst|mailx -s "Oracle AS 10g Repository Error Messages" \
  graham_cracker@oracle.com \
  tom_thumb@oracle.com
cat warning_|mailx -s "Oracle AS 10g Repository Warning Messages" \
  graham_cracker@oracle.com \
  tom_thumb@oracle.com

Note that once you have run this script and off-loaded all repository log messages, you can then use the UNIX grep command to extract selected contents. Next, let’s look at special types of iasdb repository log tables and see scripts to extract their messages.

Oracle Servlet Log Tables

The Application Server 10g servlet engine has several log tables in the repository that are used to track servlet errors:

  • ose$http$admin.error$log: This table contains the error message number and associated text.

  • ose$http$admin.event$log: This table contains servlet event numbers and their associated text messages.

  • ose$http$admin.http$log$: This is the repository log table that contains specific log information about remote user servlet messages. The table contains the remote user ID, time of the servlet request, and the referrer URL. The referrer column is most useful because you can use it to track the source of servlet requests.

SQL> desc ose$http$admin.http$log$;

 Name                   Null?       Type
 ------------------------------------------------------
 SERVER_NAME                        VARCHAR2(80)
 TIMESTAMP                          DATE
 REMOTE_HOST                        RAW(4)
 REMOTE_USER                        VARCHAR2(80)
 REQUEST_LINE                       VARCHAR2(256)
 STATUS                             NUMBER(3)
 RESPONSE_SIZE                      NUMBER(38)
 REQUEST_METHOD                     RAW(1)
 REFERER                            VARCHAR2(80)
 AGENT                              VARCHAR2(80)

Portal Repository Log Audit Reports

Oracle Portal has several log tables in the iasdb repository, and these can be referenced with SQL to create developer activity reports for Portal. This produces a report similar to using the Oracle DDL system-level trigger, and tracks all Portal changes made by your development staff. The following report references the portal.wwlog_activity_log1$ and portal.wwlog_activity_log2$ tables and produces a useful report of all Portal development activity.

portal_summary_report.sql

set echo off
set feedback off
ttitle off
clear computes
set heading on
set pages 999
set lines 70
col c1 heading 'Date' format a20
col c2 heading 'User' format a10
col c3 heading 'Action' format a12
col c4 heading 'URL' format a15
col c5 heading 'Info' format a20
col c6 heading 'Rows' format 99,999

prompt ***************************************************
prompt Portal Row Count Summary Report
prompt ***************************************************
alter session set nls_date_format = 'YYYY MM DD';
break on c1 skip 2
select
  to_char(start_time,'yyyy-mm-dd') c1,
  sum(row_count) c6
from
  PORTAL.WWLOG_ACTIVITY_LOG1$
group by
  to_char(start_time,'yyyy-mm-dd')
UNION
select
  to_char(start_time,'yyyy-mm-dd') c1,
  sum(row_count) c6
from
  PORTAL.WWLOG_ACTIVITY_LOG2$
group by
  to_char(start_time,'yyyy-mm-dd') ;

prompt ***************************************************
prompt Portal Action Summary Report
prompt ***************************************************
select
  to_char(start_time,'yyyy-mm-dd') c1,
  action                           c3,
  sum(row_count)                   c6
from
  PORTAL.WWLOG_ACTIVITY_LOG1$
group by
  to_char(start_time,'yyyy-mm-dd'),
  action
UNION
select
  to_char(start_time,'yyyy-mm-dd') c1,
  action                           c3,
  sum(row_count)                   c6
from
  PORTAL.WWLOG_ACTIVITY_LOG2$
group by
  to_char(start_time,'yyyy-mm-dd'),
  action
;

prompt ***************************************************
prompt Portal Detail Summary Report
prompt ***************************************************
select
  to_char(start_time,'yyyy-mm-dd hh24:mi:ss') c1,
  userid              c2,
  action              c3,
  url                 c4,
  row_count           c6
from
  PORTAL.WWLOG_ACTIVITY_LOG1$
UNION
select
  to_char(start_time,'yyyy-mm-dd hh24:mi:ss') c1,
  userid              c2,
  action              c3,
  url                 c4,
  row_count           c6
from
  PORTAL.WWLOG_ACTIVITY_LOG2$ ;

You can see the report output in the following listing. It shows the total number of rows processed by Portal developers, aggregated by date, and a summary of all Portal developer activity by date. This administration report is especially useful for change control tracking and quality control functions.

***************************************************
Portal Row Count Summary Report
***************************************************
Date                      Rows
-------------------- ---------
2003-05-05               1,741
2003-06-03              44,321
2003-06-04               6,321
2003-06-05              83,301

***************************************************
Portal Action Summary Report
***************************************************
Date                 Action          Rows
-------------------- ------------ -------
2003-05-05           add_to_page       13
                     create           375
                     delete            99
                     edit              87
                     error          3,123
                     move               3
                     portlet          405
                     provider         948
2003-06-03           acl_event         77
                     add_to_page       54
                     create           377
                     delete            85
                     edit              42
                     portlet          923
                     process_back      37
                     ground_inval       9
                     provider          15
2003-06-04           create            53
                     edit             374
                     login            671
                     logout           102

***************************************************
Portal Detail Summary Report
***************************************************
Date                 User       Action       URL                Rows
-------------------- ---------- ------------ --------------- -------
2003-05-05 17:50:26  PORTAL     create                             0
2003-05-05 17:51:59  PORTAL     create                             0
2003-05-05 17:53:50  PORTAL     create       URL/PAGE/SHARED       0
                                             /SAMPLE_BANNER1
                                             /?_mode=16
                     PORTAL     edit         URL/PAGE/SHARED       0
                                             /SAMPLE_BANNER1
                                             /?_mode=16
2003-05-05 17:53:51  PORTAL     add_to_page  URL/PAGE/SHARED       0
                                             /SAMPLE_BANNER1
                                             /?_mode=16
                     PORTAL     edit         URL/PAGE/SHARED       0
                                             /SAMPLE_BANNER1
                                             /?_mode=16
2003-06-03 18:39:11  PORTAL     process_back
                                ground_inval                       0
2003-06-03 18:39:13  PORTAL     edit                               0

The iasdb repository also contains a wwlog_event$ table that provides total counts of Portal actions. This report is useful for Portal development auditing.

portal_actions_summary.sql

col c1 heading 'Action' format a20
col c2 heading 'Count' format 999,999
select
  action c1,
  count(*) c2
from
  PORTAL.WWLOG_EVENT$
group by
  action
order by
  c2 desc
;

The following listing shows the output. Here you see all of the Portal activities and total counts for each activity.

Action                          Count
------------------------------- -----
view                               18
create                             15
delete                             15
edit                               15
access_control                     12
export                             12
copy                               12
execute                            12
generate                           12
insert                             12
update                             12
save                               12
rename                             12
query                              12
manage                             12
move                                2
add_to_page                         1
search                              1
show                                1
delete_from_page                    1
debug                               1
customize                           1
hide                                1
checkin                             1

Now we’re ready to look at the generic infrastructure management tools and components.

Repository Administration and Management

Because iasdb is an Oracle database, the Application Server 10g components rely on this database being available when they are started. After the components are started, the iasdb database can be stopped without adverse effects to OHS and Java. However, some Application Server 10g components, including SSO, Portal, and Wireless, will not be able to function without iasdb.

Hence, the iasdb database is a central point of failure for your Application Server 10g enterprise, and as the administrator, you should take steps to ensure continuous availability of the iasdb database. These steps may include the following:

  • Using the Oracle9i standby database (Data Guard)

  • Using Real Application Clusters (RAC)

  • Using triple mirroring of disks

While the Oracle documentation does not specifically mention the use of RAC as an availability option for Application Server 10g, using RAC for the repository can protect you from lockups due to instance failure. Remember, when the infrastructure repository is not available, users cannot access the SSO login server, and the whole enterprise stops. Because the infrastructure is such a critical component of Application Server 10g, using a high-availability tool such as RAC guarantees continuous availability for the enterprise because the Oracle Transparent Application Failover (TAF) component will automatically continue processing any “in-flight” transactions if there is a failure on any iasdb instance.

Let’s review the basic infrastructure administration tasks.

Starting and Stopping the Infrastructure

While performing general maintenance and backups, the Application Server 10g administrator must stop and restart the infrastructure instance. Because of its tight coupling to important Application Server 10g components, the infrastructure database must be started in a specific order. While the startup procedures for the infrastructure are the same as any other Oracle database, remember that iasdb must be running before other Application Server 10g components are started. Here is the order of iasdb startup steps:

  1. Start the iasdb listener process (lsnrctl start).

  2. Start the iasdb database.

  3. Start the OID.

  4. Start emctl.

  5. Start the Oracle HTTP Server (OHS).

  6. Start the OC4J_Das.

If you are using any optional Application Server 10g products, you may also include the following startup steps:

  1. Start the Web Cache.

  2. Start the OEM Intelligent Agent.

  3. Start OMS.

With all these steps, it should come as no surprise that you use scripts to start and stop the Application Server 10g components. Application Server 10g uses a hierarchy of shell scripts to perform the start operations, with calls to Oracle executables at the lowest level (Figure 2-4).


Figure 2-4.  The hierarchy of Application Server 10g scripts

Here is the main driving script to start all the Application Server 10g infrastructure and midtier components:

startall.ksh

#!/bin/ksh
./startinfra.sh
sleep 10
./startmidtier.sh
sleep 10

Note that this script calls the start scripts for the infrastructure followed by calls to start the midtier application. Let’s examine these scripts and their features. The start script for the infrastructure issues these Application Server 10g commands:

  1. Start listener:
     $ORACLE_HOME/bin/lsnrctl start

  2. Start the iasdb database:
     $ORACLE_HOME/bin/sqlplus /nolog<<EOF
     connect / as sysdba
     startup
     EOF

  3. Start all opmnctl controlled processes:
     $ORACLE_HOME/opmn/bin/opmnctl startall

  4. Check status of infrastructure with DCM:
     $ORACLE_HOME/dcm/bin/dcmctl getState -v -i $INFRA

  5. Start OMS:
     $ORACLE_HOME/bin/emctl start oms

  6. Start OEM:
     $ORACLE_HOME/bin/emctl start agent
     $ORACLE_HOME/bin/emctl start em

Here is the whole script, ready for you to use. Note that the emctl commands are normally performed manually because they prompt for a password and are not easily scripted.

startinfra.sh

#!/bin/bash
# script created by mikael.fransson@oracle.com

# Save the original path and restore it at the end of the script
export SAVED_PATH=$PATH

# Customize ORACLE_HOME and ORACLE_SID to your environment
export ORACLE_HOME=/home/oracle/infra904
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/dcm/bin:$ORACLE_HOME/webcache/bin:$ORACLE_HOME/opmn/bin
export ORACLE_SID=iasdb
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib

# Customize the following two to your environment
export DISPLAY=localhost:0.0
export INFRA=infra_904.appsvr.localdomain.com

echo
echo Starting Listener
echo -----------------
$ORACLE_HOME/bin/lsnrctl start

echo
echo Starting Database
echo -----------------
$ORACLE_HOME/bin/sqlplus /nolog<<EOF
connect / as sysdba
startup
EOF

echo
echo Starting all opmnctl controlled processes
echo -----------------------------------------
$ORACLE_HOME/opmn/bin/opmnctl startall

echo
echo Checking status of app server instances
echo ---------------------------------------
echo Getting status for $INFRA
$ORACLE_HOME/dcm/bin/dcmctl getState -v -i $INFRA

# If you want to automatically start the EM website
# uncomment the following lines.
# Remember stopping EM requires a password.
#
#echo Starting the EM website
#echo -----------------------
#$ORACLE_HOME/bin/emctl start oms
#$ORACLE_HOME/bin/emctl start agent

# Restore the original path
export PATH=$SAVED_PATH

Once the infrastructure is started, you invoke another script to start the midtier application. This script performs the following actions:

  1. Start all OPMN processes:
     $ORACLE_HOME/opmn/bin/opmnctl startall

  2. Check midtier status:
     $ORACLE_HOME/dcm/bin/dcmctl getState -v -i $MIDTIER

  3. Start Enterprise Manager:
     $ORACLE_HOME/bin/emctl start em

Here is the final script, ready to run.

startmidtier.sh

#!/bin/bash
# script maintained by mikael.fransson@oracle.com

# Save the original path and restore it at the end of the script
export SAVED_PATH=$PATH

# Customize ORACLE_HOME and ORACLE_SID to your environment
export ORACLE_HOME=/home/oracle/oraportal904
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/dcm/bin:$ORACLE_HOME/webcache/bin:$ORACLE_HOME/opmn/bin
export ORACLE_SID=iasdb
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib

# Customize the following two to your environment
export DISPLAY=localhost:0.0
export MIDTIER=porta904.appsvr.localdomain.com

echo
echo Starting midtier instance with portal
echo Other components such as Forms, Reports and Discoverer
echo should also be started here.
echo ------------------------------------
$ORACLE_HOME/opmn/bin/opmnctl startall
echo Sleeping 45 seconds
sleep 45

echo
echo Checking status of app server instances
echo ---------------------------------------
echo Getting current state of $MIDTIER
# $ORACLE_HOME/dcm/bin/dcmctl getState -v -i $MIDTIER

echo
echo Starting EM
echo -----------
$ORACLE_HOME/bin/emctl start em

# Restore the original path
export PATH=$SAVED_PATH

You also have scripts to stop the infrastructure. Note that the stopping process is the exact inverse of the start, shutting down all the Application Server 10g processes before stopping the infrastructure database.

stopinfra.sh

#!/bin/bash
# script maintained by mikael.fransson@oracle.com

# Save the original path and restore it at the end of the script
export SAVED_PATH=$PATH

# Customize ORACLE_HOME and ORACLE_SID to your environment
export ORACLE_HOME=/home/oracle/infra904
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/dcm/bin:$ORACLE_HOME/webcache/bin:$ORACLE_HOME/opmn/bin
export ORACLE_SID=iasdb
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib

# Customize the following two to your environment
export DISPLAY=localhost:0.0
export INFRA=infra_904.appsvr.localdomain.com

echo
echo getting current state of $INFRA
$ORACLE_HOME/dcm/bin/dcmctl getState -v -i $INFRA
echo Stopping all opmn managed processes in $INFRA
$ORACLE_HOME/opmn/bin/opmnctl stopall
echo Sleeping 5
sleep 5

echo
echo Stopping Database
echo -----------------
$ORACLE_HOME/bin/sqlplus /nolog<<EOF
connect / as sysdba
shutdown immediate
EOF

echo
echo Stopping Database Listener
echo --------------------------
$ORACLE_HOME/bin/lsnrctl stop

echo
echo Stopping EM
# The password below is stored in clear text, so keep this script
# readable only by its owner.
$ORACLE_HOME/bin/emctl stop em<<EOF
<ias_admin_password>
EOF

# Restore the original path
export PATH=$SAVED_PATH

echo ------------------------------------------
echo
echo Listing processes owned by ias
ps -ef|grep ias
echo
echo Be sure to kill any rogue processes


NOTE  The string <ias_admin_password> should be replaced with your password.
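Because stopinfra.sh carries the ias_admin password in clear text, one alternative is to keep the password in a separate file that only the script owner can read, and to refuse to use the file otherwise. The following is an added example, not one of the book's scripts: the function names and the password file are hypothetical, and it assumes, as stopinfra.sh does, that emctl stop em accepts the password on standard input.

```shell
#!/bin/sh
# Added example (not from the book): feed a password to a command from a
# file, but only when the file's ownership and mode show nobody else can read it.

# read_secret_file PATH
# Prints the first line of PATH and returns 0 when PATH is a regular file
# (not a symlink), owned by the invoking user, with no group/other permissions.
# Otherwise prints a reason on stderr and returns 1.
read_secret_file() {
    rsf_path=$1
    if [ -L "$rsf_path" ] || [ ! -f "$rsf_path" ]; then
        echo "read_secret_file: $rsf_path is not a regular file" >&2
        return 1
    fi
    if [ ! -O "$rsf_path" ]; then
        echo "read_secret_file: $rsf_path is not owned by $(id -un)" >&2
        return 1
    fi
    # ls -ld prints the mode string first, e.g. "-rw-------"; characters 5-10
    # are the group and other permission bits and must all be "-".
    rsf_mode=$(ls -ld -- "$rsf_path" | cut -c1-10)
    case $rsf_mode in
        ????------) ;;
        *)  echo "read_secret_file: $rsf_path has mode $rsf_mode; run chmod 600" >&2
            return 1 ;;
    esac
    # Only the first line is used as the password.
    sed -n '1p' "$rsf_path"
}

# stop_em_with_secret PASSWORD_FILE [COMMAND...]
# Feeds the password to COMMAND on standard input, the same way the
# here-document in stopinfra.sh does. COMMAND defaults to the emctl call from
# that script; nothing is run when the file fails the checks.
stop_em_with_secret() {
    ses_file=$1
    shift
    [ "$#" -gt 0 ] || set -- "$ORACLE_HOME/bin/emctl" stop em
    ses_pw=$(read_secret_file "$ses_file") || return 1
    printf '%s\n' "$ses_pw" | "$@"
}

# Demo with a constructed secret; cat stands in for emctl.
demo_dir=$(mktemp -d)
printf 'constructed-sample-secret\n' > "$demo_dir/ias_admin.pw"
chmod 600 "$demo_dir/ias_admin.pw"
stop_em_with_secret "$demo_dir/ias_admin.pw" cat
chmod 644 "$demo_dir/ias_admin.pw"
stop_em_with_secret "$demo_dir/ias_admin.pw" cat || echo "refused: file is readable by others"
rm -rf "$demo_dir"
```

In stopinfra.sh the here-document would then be replaced by a call such as stop_em_with_secret with the path of the password file.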


Now that we have reviewed the infrastructure administrative components, let’s turn our attention to the most important infrastructure component, Oracle Single Sign-On, commonly called SSO.

Single Sign-On (SSO)

Before the introduction of Application Server SSO 10g, each component within Application Server 10g required separate password and authentication management. Besides the duplication of passwords, the lack of a unified security interface presented huge maintenance issues and also compromised the overall manageability of the application.

Without SSO, every user is required to maintain a distinct password for every application in the enterprise. As anyone who has dozens of passwords can tell you, this means that users must write down the passwords, which can cause a serious security breach. With SSO, each user has only one password for all applications within the Application Server 10g framework.

Unlike traditional Oracle applications, SSO is designed for web-based users. Any Oracle system can be web enabled, and end users can securely access their applications from the Internet, anywhere in the world. The central components of Application Server SSO 10g are the mod_osso module and the SSO login server, and these will be the focus of our SSO exploration. As an Application Server 10g administrator, you are responsible for maintaining enterprise security, and knowledge of SSO administration is required.

Application Server 10g uses two techniques for end-user authentication, one for local “partner” applications (internal) and another for external applications. Because of the infinite possible authentication mechanisms of external applications, they cannot be integrated into SSO, and LDAP entries are used to manage security.

  • Local partner applications Local application authentication is performed from a lookup table within the iasdb schema on the repository. The lookup table contains all of the data, including the user ID, password, and privileges for local users.

  • External applications External SSO identification allows any third-party products to be incorporated in an Application Server 10g system. External applications use the Oracle Internet Directory, and Application Server 10g handles authentication using standard LDAP entries. At connect time, Application Server 10g binds to OID and looks up the remote user’s credentials in the appropriate directory on the server.

This chapter focuses on SSO administration, and you can find details on user assignment and application management with SSO in Chapter 12. Let’s get started by exploring the roles of the SSO administrator and SSO configuration and then look at the mod_osso utility to learn how it is used to administer Application Server 10g SSO security.

Roles of the SSO Administrator

The SSO administrator is responsible for all access controls and must manage all users who will connect to an application, all applications within the system, and the assignment of users to applications. There are three basic areas of SSO administration: server configuration, user management, and application management. We will focus on the server installation and configuration of SSO.

It’s important to note that SSO should run seamlessly once it has been installed and configured. Afterward, the ongoing management of applications and users becomes trivial.

If you are using Oracle Portal or external applications, there are additional administrative interfaces to SSO. This is because Portal and any external applications must have customized authentication code. Because SSO controls the security for the entire Application Server 10g enterprise, it is critical that administrators ensure that proper security is maintained.

For more details on the daily operational use of SSO, see Chapter 12.

Configuring the SSO Server

The configuration of SSO involves the creation and management of the server-side components for the SSO login server. These configuration tasks include the following:

  • Allocate SSO directories These must be allocated with the proper OS permissions to maintain security.

  • Set up SSO configuration files These must contain the correct values for your system.

  • Configure SSO programs These must be configured properly.

  • Establish SSO library routines These must have proper group permissions.

These are relatively trivial tasks, but crucial to the successful use of SSO. Let’s start by looking at the SSO directory structures and understand the purpose and functions of the components within each directory.

SSO Directories

The SSO login server will have the following directories allocated at install time. Each of these directories serves a specific purpose to SSO and contains important scripts and executables.

  • $ORACLE_HOME/reports/conf This directory has the configuration files for Oracle Reports.

  • $ORACLE_HOME/sso/bin This directory contains SSO executables.

  • $ORACLE_HOME/dcm/bin This is the directory for the DCM utility files.

  • $ORACLE_HOME/Apache/Apache/conf This is the location of the mod_osso configuration file.

  • $ORACLE_HOME/sso/lib This contains the ossoreg.jar file and other SSO library routines.

These are the main driving directories for SSO, and they contain important programs for SSO management. One of the most important is the SSO configuration utility, $ORACLE_HOME/sso/bin/ssocfg.sh, a shell script that invokes Java routines to manage the SSO layer. The ssocfg.sh script accepts the new_host_name and new_port name as arguments. For example, if you wanted to add server diogenes on port 1446, you would issue the following command:

ssocfg.sh diogenes 1446

Internally, the ssocfg.sh script issues the following Java invocation, calling the oracle.security.sso.SSOServerConfig Java program:

java oracle.security.sso.SSOServerConfig $*

Enabling SSO

Turning on SSO requires adjusting the SINGLESIGNON parameter in the rwservlet configuration file (rwservlet.properties). With SINGLESIGNON=YES, you are telling Application Server 10g that you will use SSO to authenticate users. As we have noted, the rwservlet configuration file is usually found in the $ORACLE_HOME/reports/conf directory.

After you have completed configuring the SSO server, you must configure OHS to use SSO. This is done by making an entry in the mod_osso.conf file and enabling mod_osso in the OMS configuration file. The file osso.conf contains a partner registration record registered with the Single Sign-On server. Once the OHS is configured for SSO, you can use SSO to protect individual resources via the SSO server. There are several important directives in the file:

  • OSSO idle timeout  If you set OssoIdleTimeout on, Application Server 10g will invoke a global inactivity timeout to disconnect idle sessions.

  • OSSO IP check  If you set OssoIpCheck on, Application Server 10g SSO will invoke an IP address check to ensure that the authenticating browser is the same as the browser requesting access to protected facilities.
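A quick way to confirm how these two directives are set on a given host is to check the configuration file itself. The following is an added example, not part of the book: the function names and both sample files are constructed for illustration, and the check takes the last uncommented occurrence of each directive as its value, which ignores any per-location overrides.

```shell
#!/bin/sh
# Added example (not from the book): report whether the two mod_osso
# directives described above are switched on in a mod_osso.conf.

# Constructed sample: both checks off, plus a commented-out line that must
# not be mistaken for an active setting.
sample_osso_conf_weak() {
cat <<'EOF'
<IfModule mod_osso.c>
    # OssoIpCheck on
    OssoIpCheck off
    OssoIdleTimeout off
</IfModule>
EOF
}

# Constructed sample: the same file with both checks enabled.
sample_osso_conf_hardened() {
cat <<'EOF'
<IfModule mod_osso.c>
    OssoIpCheck on
    OssoIdleTimeout on
</IfModule>
EOF
}

# osso_conf_findings [FILE]
# Reads FILE (or stdin) and prints one line for each of OssoIpCheck and
# OssoIdleTimeout whose value is not "on". Returns 0 when nothing is
# printed and 1 otherwise, so it can gate a deployment or a cron check.
osso_conf_findings() {
    awk '
    /^[ \t]*#/ { next }                       # comment lines have no effect
    {
        name = tolower($1)                    # directive names ignore case
        if (name == "ossoipcheck")     ip   = tolower($2)
        if (name == "ossoidletimeout") idle = tolower($2)
    }
    END {
        bad = 0
        if (ip != "on")   { print "OssoIpCheck is " (ip == "" ? "not set" : ip); bad = 1 }
        if (idle != "on") { print "OssoIdleTimeout is " (idle == "" ? "not set" : idle); bad = 1 }
        exit bad
    }' "$@"
}

sample_osso_conf_weak | osso_conf_findings || echo "review mod_osso.conf"
sample_osso_conf_hardened | osso_conf_findings && echo "both checks are on"
```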

The SSO login server is the component of Application Server 10g that accepts the users’ passwords and manages their access to all Application Server 10g applications. After a user enters an accepted password, Application Server 10g sends a message to all applications that this user has been authenticated and (optionally) stores a cookie on the browser. This cookie is used to avoid the need to reenter the password during subsequent visits.

TIP

Any web browser that uses SSO should be configured to accept cookies because the end user will become annoyed with the repeated login screens that are displayed without cookie support.

Because SSO governs security for the whole enterprise, you must have Full Administrator privileges on the login server to configure the SSO login server. If you want to access the SSO login server from Application Server Portal 10g, you must be an Authorized Application Server Portal 10g Administrator.

The Application Server 10g repository has some important SSO log tables that assist in tracking SSO interaction and errors. Let’s take a look at these log tables.

Using the SSO Audit Log Tables

There is an important log table inside the iasdb instance in the orasso schema, called wwsso_audit_log_table_t, that you can use to extract SSO interaction information. This table contains many detailed metrics about SSO interaction:

SQL> desc ORASSO.WWSSO_AUDIT_LOG_TABLE_T;

Name            Null?     Type
--------------- --------- --------------
SUBSCRIBER_ID   NOT NULL  NUMBER
LOG_ID          NOT NULL  NUMBER
USER_NAME       NOT NULL  VARCHAR2(256)
AUDIT_TYPE      NOT NULL  VARCHAR2(32)
ACTION_CODE     NOT NULL  NUMBER
ACTION          NOT NULL  VARCHAR2(80)
IP_ADDRESS      NOT NULL  VARCHAR2(32)
APP_SITE        NOT NULL  VARCHAR2(80)
MESSAGE         NOT NULL  VARCHAR2(256)
LOG_DATE        NOT NULL  DATE
PROCESS_DATE              DATE
EMAIL                     VARCHAR2(80)
MAINTAINER_ID             VARCHAR2(80)

You can take the data from this table and create an SSO summary report for execution in SQL*Plus. Here is a common SSO activity report:

sso_audit_log.sql

set echo off
set feedback off
ttitle off
set heading on
set pages 999
set lines 80

prompt ***************************************************
prompt SSO Activity summary Report
prompt ***************************************************

alter session set nls_date_format = 'YYYY MM DD';

col c0 heading 'date'   format a15
col c1 heading 'action' format a20
col c2 heading 'Count'  format 99,999

break on c0 skip 2
compute sum of c2 on c0

-- Logins per hour, by action
select
   to_char(log_date,'yyyy-mm-dd hh24') c0,
   action                              c1,
   count(*)                            c2
from
   ORASSO.WWSSO_AUDIT_LOG_TABLE_T
group by
   to_char(log_date,'yyyy-mm-dd hh24'),
   action;

prompt ***************************************************
prompt SSO Message summary Report
prompt ***************************************************

col c1 heading 'message' format a20

-- Messages per hour (successful and failed logins)
select
   to_char(log_date,'yyyy-mm-dd hh24') c0,
   message                             c1,
   count(*)                            c2
from
   ORASSO.WWSSO_AUDIT_LOG_TABLE_T
group by
   to_char(log_date,'yyyy-mm-dd hh24'),
   message;

set lines 80

prompt ***************************************************
prompt SSO Activity Detail Report
prompt ***************************************************

alter session set nls_date_format = 'YYYY-MM-DD HH24:MI:SS';

col c1 heading 'Date'    format a20
col c2 heading 'User'    format a10
col c3 heading 'Action'  format a10
col c4 heading 'Message' format a20

-- One row per audit record
select
   log_date  c1,
   user_name c2,
   action    c3,
   message   c4
from
   ORASSO.WWSSO_AUDIT_LOG_TABLE_T
;

The following listing shows the output from this report. Here you see a summary of all login operations, summed by hour of the day. You also see counts of all SSO messages summed by hour of the day. The last report in this section shows all SSO details.

***************************************************
SSO Activity summary Report
***************************************************

date            action                 Count
--------------- -------------------- -------
2003-06-04 09   LOGIN                      4
***************                      -------
sum                                        4

2003-06-04 10   LOGIN                      1
***************                      -------
sum                                        1

2003-06-04 11   LOGIN                      2
***************                      -------
sum                                        2

2003-06-04 14   LOGIN                      1
***************                      -------
sum                                        1

2003-06-04 20   LOGIN                      2
***************                      -------
sum                                        2

2003-06-05 08   LOGIN                      1
***************                      -------
sum                                        1

2003-07-08 14   LOGIN                      3
***************                      -------
sum                                        3

2003-07-10 08   LOGIN                      4
***************                      -------
sum                                        4

***************************************************
SSO Message summary Report
***************************************************

date            message                Count
--------------- -------------------- -------
2003-06-04 09   Login failed               4
***************                      -------
sum                                        4

2003-06-04 10   Login Successful          11
                Login failed               4
***************                      -------
sum                                       15

2003-06-04 11   Login Successful         334
***************                      -------
sum                                      334

2003-06-04 14   Login Successful         432
                Login failed              14
***************                      -------
sum                                      446

2003-06-04 20   Login Successful          62
                Login failed               3
***************                      -------
sum                                       65

2003-06-05 08   Login Successful         433
                Login failed              61
***************                      -------
sum                                      494

2003-07-08 14   Login failed               3
***************                      -------
sum                                        3

2003-07-10 08   Login failed               4
***************                      -------
sum                                        4

***************************************************
SSO Activity Detail Report
***************************************************

Date                 User       Action     Message
-------------------- ---------- ---------- --------------------
2003-06-04 09:45:42  GARMANYJ   LOGIN      Login failed
2003-06-04 11:46:27  GARMANYJ   LOGIN      Login Successful
2003-06-04 14:32:52  GARMANYJ   LOGIN      Login Successful
2003-06-04 20:58:44  GARMANYJ   LOGIN      Login Successful
2003-06-05 08:58:24  GARMANYJ   LOGIN      Login Successful
2003-07-08 14:28:20  GARMANYJ   LOGIN      Login failed
2003-07-08 14:28:26  GARMANYJ   LOGIN      Login failed
2003-07-08 14:28:37  GARMANYJ   LOGIN      Login failed
2003-07-10 08:29:49  GARMANYJ   LOGIN      Login failed
2003-07-10 08:29:53  GARMANYJ   LOGIN      Login failed
2003-07-10 08:30:00  GARMANYJ   LOGIN      Login failed
2003-07-10 08:30:05  GARMANYJ   LOGIN      Login failed
2003-06-04 09:42:24  IAS_ADMIN  LOGIN      Login failed
2003-06-04 09:42:12  ORACLADMIN LOGIN      Login failed
2003-06-04 09:42:44  ORACLADMIN LOGIN      Login failed
2003-06-04 10:22:18  ORCLADMIN  LOGIN      Login Successful
2003-06-04 11:39:45  ORCLADMIN  LOGIN      Login Successful
2003-06-04 20:53:24  ORCLADMIN  LOGIN      Login Successful
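The hourly summaries hide short bursts of failures, such as the runs of failed logins for one user on 2003-07-08 and 2003-07-10 in the detail report. The following is an added example, not part of the book: the function names are hypothetical, and it assumes the detail report has been spooled to text with one row per line (date, time, user, action, message).

```shell
#!/bin/sh
# Added example (not from the book): flag users with a burst of failed SSO
# logins, reading rows in the layout of the detail report.

# Rows copied from the detail report above, in their original unsorted order.
sample_sso_rows() {
cat <<'EOF'
2003-06-04 09:45:42 GARMANYJ LOGIN Login failed
2003-06-04 11:46:27 GARMANYJ LOGIN Login Successful
2003-07-08 14:28:20 GARMANYJ LOGIN Login failed
2003-07-08 14:28:26 GARMANYJ LOGIN Login failed
2003-07-08 14:28:37 GARMANYJ LOGIN Login failed
2003-07-10 08:29:49 GARMANYJ LOGIN Login failed
2003-07-10 08:29:53 GARMANYJ LOGIN Login failed
2003-07-10 08:30:00 GARMANYJ LOGIN Login failed
2003-07-10 08:30:05 GARMANYJ LOGIN Login failed
2003-06-04 09:42:24 IAS_ADMIN LOGIN Login failed
2003-06-04 09:42:12 ORACLADMIN LOGIN Login failed
2003-06-04 09:42:44 ORACLADMIN LOGIN Login failed
2003-06-04 10:22:18 ORCLADMIN LOGIN Login Successful
EOF
}

# sso_failed_bursts WINDOW_SECONDS THRESHOLD
# Reads report rows on stdin. For every user whose failed logins reach
# THRESHOLD inside any WINDOW_SECONDS-long span, prints
# "USER <largest number of failures seen in one window>".
sso_failed_bursts() {
    # Group by user, then order each user's rows by timestamp.
    LC_ALL=C sort -b -k3,3 -k1,1 -k2,2 |
    awk -v window="$1" -v threshold="$2" '
    # Seconds on a continuous calendar scale; only differences are used,
    # so the epoch does not matter. Handles month and leap-year boundaries.
    function to_secs(d, t,    a, b, y, m, days) {
        split(d, a, "-"); split(t, b, ":")
        y = a[1] + 0; m = a[2] + 0
        if (m <= 2) { y--; m += 12 }          # count the year from March
        days = 365 * y + int(y / 4) - int(y / 100) + int(y / 400)
        days += int((153 * (m - 3) + 2) / 5) + a[3]
        return days * 86400 + b[1] * 3600 + b[2] * 60 + b[3]
    }
    function report() { if (cur != "" && max >= threshold) print cur, max }

    # Only failed LOGIN rows count towards a burst.
    $4 != "LOGIN" || tolower($5 " " $6) != "login failed" { next }

    # Input is sorted by user, so a new name closes the previous user.
    $3 != cur { report(); cur = $3; head = 1; tail = 0; max = 0 }

    {
        now = to_secs($1, $2)
        ts[++tail] = now
        # Slide the window: drop failures older than WINDOW_SECONDS.
        while (now - ts[head] > window) head++
        if (tail - head + 1 > max) max = tail - head + 1
    }
    END { report() }'
}

# With the sample rows: three or more failures inside 60 seconds.
sample_sso_rows | sso_failed_bursts 60 3    # prints: GARMANYJ 4
```

The audit table also records IP_ADDRESS, which the detail report does not select; adding it to the report would let the same check be keyed on source address as well as user.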

You can also write a script to check the availability of SSO. As noted earlier, if the infrastructure is down or SSO cannot accept connections, no users can access your system. Hence, frequently checking SSO connectivity is an important Application Server 10g administration task.

Here is a Perl script that you can use to check SSO availability. This script checks to see if the Single Sign-On (SSO) Server is accessible and is responding to HTTP requests.

check_sso.pl

PERL5LIB=$ORACLE_HOME/perl/lib/5.6.1:$ORACLE_HOME/perl/lib/site_perl/5.6.1; export PERL5LIB
$ORACLE_HOME/perl/bin/perl -e '
# Result codes: NOK = no connection, POK = connected, OK = SSO home page seen
$returncode = "NOK";
$oraclehome = $ENV{"ORACLE_HOME"};
use IO::Socket;
$url = $ARGV[0];
$host = $ARGV[1];
$searchstring = $ARGV[2];
# Look up the port in portlist.ini on the line that starts with the search string
open FILE, "$oraclehome/install/portlist.ini" or die "File portlist.ini not found";
while ($line = <FILE>) {
  $i = index $line, $searchstring;
  if ( $i == 0 ) {
    if ($line =~ /(=)([ ]*)(\S+)/) {
      $port = $3;
    }
  }
}
close FILE;
$this_socket = IO::Socket::INET->new(PeerAddr => $host, Timeout => "9",
  PeerPort => $port, Proto => "tcp");
if (!$this_socket) {
  $returncode = "NOK";
} else {
  # Send a minimal HTTP/1.0 request for the SSO home page
  $get_request = ("GET $url HTTP/1.0\r\n");
  $this_socket->print($get_request);
  $this_socket->print("Accept: text/plain\n");
  $this_socket->print("Accept: text/html\n");
  $this_socket->print("User-Agent: LoogBrowser/1.0\n\n");
  $returncode = "POK";
  while ($line = ($this_socket->getline())) {
    if ( $line =~ /(HTTP\/1.1 200 OK)/) {
      $returncode = "POK";
    }
    # This text appears on the SSO home page when the login server is working
    if ( $line =~ /(Access Partner Applications)/) {
      $returncode = "OK";
    }
  }
}
print $returncode
' "/pls/orasso/orasso.home" "localhost" "Oracle HTTP Server port"

If this script prints “OK” to standard output, SSO can accept HTTP requests. Many Application Server 10g administrators place this script into a cron task and run it every five minutes. If there is a failure in SSO, a pager alert is immediately sent to the administrator. Now, let’s look at using the mod_osso utility for SSO administration.

SSO Administration Using the mod_osso Utility

As SSO expanded into the Application Server 10g architecture, Oracle recognized that the Oracle HTTP Server (OHS) should be included in the SSO framework. Starting with Application Server 10g version 2, the mod_osso module was created to allow SSO to function within OHS.

Before mod_osso, specific logic would have to be embedded into the Java application if the application was to use SSO. The mod_osso module now makes it easy for incoming users to connect directly to SSO, become authorized, and get the required information to access their applications (Figure 2-5). The mod_osso utility also allows for a single security point, thereby relieving the tedious and cumbersome problem of maintaining multiple securities for each Application Server 10g component.

Figure 2-5.  Using SSO to connect to Application Server 10g

To see SSO in action, let’s look at the steps that occur when an Application Server 10g client connects to his or her application:

  1. The user requests a URL through a web browser. This URL is intercepted by the Oracle HTTP Server.

  2. The HTTP Server calls mod_osso to locate a cookie for the user on the HTTP Server. If the cookie exists, the web server extracts the user’s information and uses it to log the user in to the requested application. At this point the connection is established.

  3. If the cookie does not exist on the HTTP Server, mod_osso redirects the user to the Single Sign-On server.

  4. The Single Sign-On server makes a request back to the user’s browser to see if a local cookie exists on the user’s PC. If it finds no remote cookie, SSO tries to authenticate the user with a username and password. If authentication is successful, the Single Sign-On server creates a cookie in the browser as a reminder that the user has been authenticated. If a cookie exists, the Single Sign-On server will authenticate using the cookie.

  5. Upon successful sign-on, the SSO server then returns the user’s encrypted information to mod_osso.

  6. mod_osso creates a cookie for the user and sends it to the browser PC. It then redirects the user to his or her original URL page.

As you see, mod_osso is an alternative method for maintaining SSO, but it is not as powerful as server-side scripting for command interfaces.

Summary

The Oracle Application Server 10g infrastructure is a critical component of your enterprise because it serves as a centralized repository and management facility that controls the operation of several vital components. The focus of this chapter has been on the configuration and management of the infrastructure, and the main points are as follows:

  • The Application Server 10g infrastructure is a database instance with an ORACLE_SID of iasdb.

  • The iasdb instance contains separate schemas for each component within the Application Server 10g architecture.

  • The infrastructure database contains more than 10,000 objects and over 1000 individual tables.

  • The infrastructure contains log tables that monitor administration and usage activities for several Application Server 10g components, including Portal and SSO.

  • Startup and shutdown of the infrastructure must be carefully coordinated with other system processes, such that the infrastructure is started before the Application Server 10g components. Upon shutdown, the Application Server 10g processes and services must be stopped before shutting down the infrastructure. Scripts are the recommended way of doing this!

  • Because the infrastructure is a central point of failure for the entire enterprise, administrators commonly use tools such as Oracle9i and Oracle Data Guard or Oracle Real Application Clusters to ensure against instance failure. Many administrators also use multiple levels of RAID to ensure against unexpected disk failure.

  • The SSO component of the Application Server 10g repository is arguably one of the single most important components of the enterprise. All incoming connections to the Application Server 10g must pass through the infrastructure SSO login server; thus it is vital that the SSO login server be continuously available for servicing HTTP requests.

In the next chapter we will look at details of the initial installation and configuration of Application Server 10g and its components.
