It is sometimes necessary to change the password of the Oracle Identity Management (OIM) System Administrator, known as XELSYSADM.  As this user has many dependencies in OIM, we would need to change the XELSYSADM password using the WLS utility.  Previously (in version 10g), this was a small task, but with the introduction of OIM 11g, new approval workflows, and other special security features, this task can now be somewhat involved and needs to be executed with care.

Some instructions suggest changing the XELSYSADM password from the OIM Identity Console, with a couple of CSF keys from the EM console – that’s it!  This may be true in some cases, but not in all.  If you have LDAP sync enabled or OIM integrated with OAM, following those steps is not enough.  In this case, the best way to change the system admin user password is through the oimadminpasswd_wls.sh utility.

The oimadminpasswd_wls.sh utility is available in the <ORACLE_HOME>/server/bin directory.  Running this utility is quite simple, as you just need to provide the values of certain parameters in the oimadminpasswd_wls.properties file, then run the shell (.sh) file in your Linux environment.  Keep in mind, however, that this is not applicable if your OIM is on a Windows environment.  There is no batch file for a Windows environment.

If we open the oimadminpasswd_wls.sh script and check the command that the utility runs, we see that the password is changed by simply running a Java class.  This Java class can be run directly, even if your OIM environment is on a Windows box.

The following are common steps to be executed, regardless of environment (e.g., Linux or Windows):

  1. Log in to the EM console with the WebLogic user credentials.
  2. Expand the WebLogic Domain, right click OIAM_domain, and navigate to Security > Credentials.
  3. On the Credentials page, expand ‘oim’ and select ‘sysadmin’, then click on the Edit icon to change the XELSYSADM credentials from the pop-up window.
  4. Repeat step 3, above, for the oim.sysadminmap (CSF key: sysadmin) and oracle.wsm.security (CSF key: OIMAdmin) CSF maps.

 Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Linux environment:

  1. Open the Command prompt.
  2. Go to the <OIM_ORACLE_HOME>/server/bin directory.
  3. Open the oimadminpasswd_wls.properties file from the <OIM_ORACLE_HOME>/server/bin directory.
  4. Update the following content from the oimadminpasswd_wls.properties file. (Example values are provided for each attribute present in the file.  These are sample values only; you must change all values as appropriate for your environment.)
JAVA_HOME=/opt/ora/middleware/products/identity/jdk
COMMON_COMPONENTS_HOME=/opt/ora/middleware/products/identity/oracle_common
OIM_ORACLE_HOME=/opt/ora/middleware/products/identity/iam
ORACLE_SECURITY_JPS_CONFIG=/opt/ora/private/oracle/config/domains/IAMGovernanceDomain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME=/opt/ora/private/oracle/config/domains/IAMGovernanceDomain
DBURL=jdbc:oracle:thin:@<database server>:11140/<IAM URL>
DBSCHEMAUSER=EDGIGD_OIM
# Set to true only if there is LDAP Sync and OIM-OAM integration
OIM_OAM_INTG_ENABLED=false
# Only update this attribute if you have LDAP Sync enabled and have OIM-OAM integration
LDAPURL=
# Only update this attribute if you have LDAP Sync enabled and have OIM-OAM integration
LDAPADMINUSER=
# Only update this attribute if you have LDAP Sync enabled and have OIM-OAM integration
OIM_ADMIN_LDAP_DN=
  5. Execute the ./oimadminpasswd_wls.sh oimadminpasswd_wls.properties command on the command line. It will ask a couple of questions, as shown below.  Provide the correct input for each question.
Enter OIM DB Schema Password  :
Enter OIM Adminstrator xelsysadm new Password: 
Re-enter OIM Adminstrator xelsysadm new Password:
Dec 06, 2016 2:48:21 PM oracle.security.audit.Auditor init
WARNING: IAU:IAU-6012: Unable to determine the audit log directory. No log directory specified.
Dec 06, 2016 2:48:21 PM oracle.security.jps.util.JpsUtil disableAudit
INFO: JpsUtil: isAuditDisabled set to true
Dec 06, 2016 2:48:21 PM oracle.security.jps.internal.audit.AuditServiceImpl validateLogPossible
WARNING: No audit log directory is set. Cannot perform audit operations for component JPS.
Dec 06, 2016 2:48:21 PM com.thortech.util.logging.Logger info
INFO: Not able to fetch OIMPlatform instance for the given Platform.
Dec 06, 2016 2:48:21 PM com.thortech.util.logging.Logger info
INFO: Searching App Server Information in System Enviroment...
Dec 06, 2016 2:48:21 PM com.thortech.util.logging.Logger info
INFO: APPSERVER_TYPE = [null]

==================================================================
OIM Admin user xelsysadm password reset successfully in OIMDB
==================================================================
  6. A confirmation message should be received after successful execution of the utility.
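
A preflight check for the properties file edited in step 4, as an added example that is not part of the original post or of Oracle's utility. It flags unreplaced placeholders and LDAP attributes that do not match OIM_OAM_INTG_ENABLED. The rule that ORACLE_SECURITY_JPS_CONFIG should sit under DOMAIN_HOME is an assumption taken from the sample values above.

```python
import re

# Keys taken from the sample oimadminpasswd_wls.properties shown above.
REQUIRED_KEYS = ["JAVA_HOME", "COMMON_COMPONENTS_HOME", "OIM_ORACLE_HOME",
                 "ORACLE_SECURITY_JPS_CONFIG", "DOMAIN_HOME", "DBURL",
                 "DBSCHEMAUSER", "OIM_OAM_INTG_ENABLED"]
LDAP_KEYS = ["LDAPURL", "LDAPADMINUSER", "OIM_ADMIN_LDAP_DN"]

# The sample values as published in this post; DBURL still holds its
# <...> placeholders, which the check below reports.
SAMPLE_PROPERTIES = """\
JAVA_HOME=/opt/ora/middleware/products/identity/jdk
COMMON_COMPONENTS_HOME=/opt/ora/middleware/products/identity/oracle_common
OIM_ORACLE_HOME=/opt/ora/middleware/products/identity/iam
ORACLE_SECURITY_JPS_CONFIG=/opt/ora/private/oracle/config/domains/IAMGovernanceDomain/config/fmwconfig/jps-config-jse.xml
DOMAIN_HOME=/opt/ora/private/oracle/config/domains/IAMGovernanceDomain
DBURL=jdbc:oracle:thin:@<database server>:11140/<IAM URL>
DBSCHEMAUSER=EDGIGD_OIM
# Set to true only if there is LDAP Sync and OIM-OAM integration
OIM_OAM_INTG_ENABLED=false
LDAPURL=
LDAPADMINUSER=
OIM_ADMIN_LDAP_DN=
"""


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_properties(text):
    """Return a list of problems to fix before running the utility."""
    props = parse_properties(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not props.get(k)]
    for key, value in props.items():
        if re.search(r"<[^<>]+>", value):
            problems.append(f"{key} still contains a placeholder")
    flag = props.get("OIM_OAM_INTG_ENABLED", "").lower()
    if flag and flag not in ("true", "false"):
        problems.append("OIM_OAM_INTG_ENABLED must be true or false")
    unset = [k for k in LDAP_KEYS if not props.get(k)]
    if flag == "true" and unset:
        problems.append("integration enabled but not set: " + ", ".join(unset))
    if flag == "false" and len(unset) < len(LDAP_KEYS):
        problems.append("LDAP attributes are set but OIM_OAM_INTG_ENABLED=false")
    # Assumption: the JPS config should belong to the domain in DOMAIN_HOME,
    # as it does in the sample values.
    domain = props.get("DOMAIN_HOME", "").rstrip("/")
    jps = props.get("ORACLE_SECURITY_JPS_CONFIG", "")
    if domain and jps and not jps.startswith(domain + "/"):
        problems.append("ORACLE_SECURITY_JPS_CONFIG is not under DOMAIN_HOME")
    return problems


if __name__ == "__main__":
    for problem in check_properties(SAMPLE_PROPERTIES):
        print("FIX:", problem)
```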

Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Windows environment:

1.  Open the command prompt and run the following command, as appropriate:

a.  Run the command below if you have OIM-OAM integration enabled or LDAP sync enabled:

<JAVA_HOME>/bin/java -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm ldap://<LDAP_HOST>:<LDAP_PORT> <LDAP_ADMIN_USER> cn=xelsysadm,cn=Users,dc=example,dc=com

b.  If you do not have LDAP sync or OIM-OAM integration enabled, run the command below:

<JAVA_HOME>/bin/java -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm

where:

<JAVA_HOME> is e.g. C:\Java\jdk1.7.0_51
<DOMAIN_HOME> is e.g. C:\Oracle\Middleware\user_projects\domains\iam_domain
<OIM_SCHEMA_OWNER> is e.g. DEV_OIM
<LDAP_HOST> is the hostname of the server where OID or AD is deployed for LDAP sync
<DB_HOST> is the hostname of the database server
<DB_PORT> is e.g. 1521
<SID> is e.g. orcl
<LDAP_PORT> is e.g. 3060 for OID
<LDAP_ADMIN_USER> is e.g. cn=orcladmin

2. After running the command, enter the password for the DB Schema user and LDAP admin user.  Also, enter the new password for XELSYSADM you wish to set.

Enter the following after running the script to complete the password change for XELSYSADM:

  • OIM DB Schema Password
  • LDAP Administrator Password
  • OIM Administrator XELSYSADM new password
  • Re-enter OIM Administrator XELSYSADM new password

As always, if you have any questions about the processes or ideas presented here, please leave us a comment below.

As promised in an earlier blog post, we are continuing our exploration of Oracle Identity Cloud Service (IDCS) this week.  In this post, we’ll provide some insight on IDCS Integration with Salesforce to achieve Single Sign-On (SSO).  Herein are the various steps involved in achieving this.

Note:  We did not have a Salesforce instance available for this demo, so we used the developer version of Salesforce.  The Salesforce developer edition is fairly easy to obtain – just sign up at https://developer.salesforce.com/signup.  After signing up, we received an email with the credentials and were set to go.

High-Level Integration Steps

IDCS–Salesforce integration can be achieved using the following steps:

  1. Create test users in Oracle IDCS.
  2. Create the same test users in Salesforce as were created in IDCS in Step 1.
  3. Register the Salesforce Domain.
  4. Extract Identity Provider Metadata from IDCS and import to Salesforce.
  5. Extract Service Provider Metadata from Salesforce and import to IDCS.
  6. Test the login.

Detailed Steps

The details of each step are provided below.

Step 1:  Upload users in Oracle IDCS via CSV import. This step is the same as illustrated in the previous blog post on IDCS.

Step 2:  Create users in Salesforce.

a.  Log in to Salesforce.

b.  Click on Manage Users link.

c.  Click on Users.

d.  Click New User button.

e.  Fill in the user details in the form, shown below, making sure that the username is the same as the username in IDCS.

f.  Click the Save button and make sure that the newly created user is visible in the list.

Step 3:  Register the Salesforce Domain.

a.  Log in to Salesforce.

b.  Click on Domain Management.

c.  Click on My Domain.

d.  The My Domain page is shown below.

e.  Enter the domain name and click the Check Availability button.

f.  Click the Register Domain button.

g.  User receives an email confirmation. Please note that this can sometimes take a day to receive.

h.  To complete the domain registration, follow the instructions in the email.

Step 4:  Extract Identity Provider Metadata from IDCS and import to Salesforce.

 Follow the below steps to extract Metadata from IDCS.

a.  Log in to IDCS at:  https://xxxxx.identity.oraclecloud.com/fed/v1/Metadata

b.  Enter username and password to log in.

c.  Click on the File menu and select Save As.

d.  Enter the name of the file and click the Save button.

Follow the steps below to Import Metadata to Salesforce.

a.  Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com

b.  Click on Security Controls, then Single Sign-On Settings.

c.  The Single Sign-On settings page is shown below.

d.  Click the New from Metadata File button.

e.  Enter Name of Identity provider and select the extracted IDCS file.

f.  Click the Create Button.

g.  Click Save.

h.  Click the Edit button.

i.  Check the SAML Enabled box. Click Save.

j.  The page will look like that shown below.

k.  Click on Domain Management > My Domain.

l.  Click the Edit button under Authentication Configuration.

m.  Click on Deploy to Users button to deploy the domain to the users.

Step 5:  Extract Service Provider Metadata from Salesforce and import to IDCS.

 Follow the below steps to Extract Service Provider Metadata from Salesforce.

a.  Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com

b.  Click on Security Controls, then Single Sign-On Settings.

c.  Click on SAML Single Sign-On Settings.

d.  Click the Download Metadata button and save the file.

e.  Click on the IDCS MetaData link and note the following values. Also, download the signing certificate.

  • logoutRequestUrl
  • partnerProviderId
  • assertionConsumerUrl

f.  Click on Certificate and Key Management.

g.  Click the SelfSignedCert_29Dec2016_073349 link from the Certificates panel and click the Download Certificate button to save the file.

Follow the below steps to Import Salesforce SP Metadata into IDCS.

a.  Obtain access token from OIDCS as admin user.

URL: IDCS token service end point

Headers: Authorization

Operation: POST

Data: admin user, password, scope

b.  Use the above access token to invoke the REST API.

URL: IDCS token service end point

Headers: Authorization

Operation: POST

Data: Details populated with service provider SCIM schema

Step 6:  Test the login.

a.  Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com.  You should be redirected to the IDCS login page.

b.  Enter username and password.

c.  User is now logged in to Salesforce successfully!

 Optionally, follow these steps to verify the underlying SAML Exchange.

a.  Behind the scenes, the Salesforce service provider sends a signed authentication request to IDCS (which can be seen in the SAML tracer plugin in Chrome).

b.  IDCS Identity Provider sends a signed assertion response confirming the user’s identity.

As always, if you have any questions about these steps to Integrate IDCS with Salesforce, please do not hesitate to leave us a comment below!

Oracle launched its Identity Cloud Service (IDCS) in the fall of 2016.  IDCS is designed on Microservice architecture, which aligns with the Cloud principles of Scalability, Elasticity, Resilience, Ease of Deployment, Functional Agility, Technical Adoption, and Organization Alignment.  Moreover, IDCS is intended to provide a set of hybrid identity features to maintain a single identity for each user across on-premises and in-the-cloud services, while delivering a seamless user experience.

This blog is the first of a multi-part series that will focus on providing insights and common use cases for IDCS.  In this post, we will discuss how an integration with IDCS can simplify user authentication and single-sign-on capabilities for Oracle Eloqua Marketing Cloud Service.  This blog post highlights the federation capability of IDCS.

High-Level Integration Steps

IDCS–Oracle Eloqua integration can be achieved using the following steps:

Step 1:  Upload users in Oracle IDCS via CSV import.

Step 2:  Create users in Oracle Eloqua Marketing Cloud Service.

Step 3:  Extract Identity Provider Metadata from IDCS and import to Oracle Eloqua Marketing Cloud Service.

Step 4:  Extract Service Provider Metadata from Oracle Eloqua Marketing Cloud Service and import it into IDCS.

Step 5:  Test the login.

In general, these high-level steps will remain the same for IDCS integration with any other Oracle Cloud Product.

Detailed Steps

The details of each step are listed below.

Step 1:  Upload users in Oracle IDCS via CSV import.

a.  Create a CSV file. A sample CSV file can be found on the Oracle Documentation here.

Sample file to create users in IDCS and Eloqua

b. Log in to IDCS.

c.  Click on the Users tab.

d.  Click on the Import button.

e.  Click the Browse button.

f.  Select UserImport.csv.

g.  Click the Import button.

h.  User import completed.

i.  Click on the Job tab and verify the user import status.

j.  Click on the User tab and validate the created users.

Step 2:  Create users in Oracle Eloqua Marketing Cloud Service.

a.  Log in to Oracle Eloqua Marketing Cloud Service.

b.  The Marketing Eloqua Cloud home page looks like this:

c.  Click on Contact from the Audience tab.

d.  Click the Upload button.

e.  Select the CSV file.

f.  Click the cloud to upload the file.

g.  Select the file that contains the users which need to be created in Oracle Eloqua Marketing Cloud Service.

h.  Validate the user details and click the Next Step button.

i.  Click the Next Step button.

j.  Select the root folder.

k.  Click the Finish button.

l.  The User is created.

Step 3:  Extract Identity Provider Metadata from IDCS and import to Oracle Marketing Cloud.

 Follow the below steps to extract Metadata from IDCS.

a.  Log in to IDCS.

https://xxxxx.identity.oraclecloud.com/fed/v1/Metadata

b.  Enter user name and password to log in.

c.  Click on the file menu and select Save As.

d.  Enter the name of the file and click the Save button.

Follow the steps below to Import Metadata to Oracle Eloqua Marketing Cloud Service.

a.  Log in to Oracle Eloqua Marketing Cloud Service: https://login.eloqua.com/

b.  Click the Settings icon in the upper right corner of the screen.

c.  Click on View Users.

d.  Click the Single Sign On tab, then click on Identity Provider Setting.

e.  The Identity Provider Management dashboard is displayed, as seen below:

f.  Click on the Upload Identity Provider from Metadata button.

g.  Enter the name of the Identity Provider and select the extracted IDCS file.

h.  Click the Open button.

i.  Click the Save Button.

Step 4:  Extract Service Provider Metadata from Oracle Eloqua Marketing Cloud and import to IDCS.

 Extract Service Provider Metadata from Oracle Eloqua Marketing Cloud.

a.  Log in to Oracle Eloqua Marketing Cloud Service: https://login.eloqua.com/. Click on the Settings icon in the upper right corner.

b.  Click on View Users.

c.  Click the Single Sign-On tab, then click on Identity Provider Settings.

d.  The Identity Provider Management dashboard is displayed, as shown below:

e.  Click on the IDCS Metadata link and note the following values. Also, download the signing certificate.

  • logoutRequestUrl
  • partnerProviderId
  • assertionConsumerUrl

f.  Click the Single Sign-On tab, then click on Certificate Setup.

g.  Click on Service Provider Certificate for IDCS Metadata.

h.  Click the Download button.

i.  Finish.

Importing Oracle Eloqua Marketing Cloud Service SP Metadata into IDCS.

Currently, IDCS does not offer a UI for adding Service Provider Metadata or making similar changes to SAML settings.  These functions are exposed as REST APIs.  Hence, any such addition or change can be made using curl commands or a REST client.

For example, we can use the Poster plugin as a REST client for these operations.

Importing Service Provider Metadata to IDCS is a two-step process.

a.  Obtain access token from OIDCS as admin user.

URL: IDCS token service end point

Headers: Authorization

Operation: POST

Data: admin user, password, scope

b.  Use the above access token to invoke the REST API.

URL: IDCS token service end point

Headers: Authorization

Operation: POST

Data: Details populated with service provider SCIM schema

Step 5:  Test the login.

a.  Log in to Oracle Eloqua Marketing Cloud Service:  https://login.eloqua.com/

b.  Click Sign in with SSO or another account; Enter Company Name and click the Sign In button.

c.  The page should be redirected to the IDCS login.

d.  Enter IDCS username and password.

e.  User is now logged in to Eloqua Marketing Cloud successfully!

Finally, follow these steps to verify the underlying SAML Exchange.

a.  Behind the scenes, the Eloqua service provider sends a signed authentication request to IDCS (which can be seen in the SAML tracer plugin in Chrome).

b.  IDCS Identity Provider sends a signed assertion response confirming the user’s identity.

Concluding Remarks

Here, we saw how simple and easy it is to on-board a cloud application for Federation.  The frustrations of on-premises solutions, such as acquiring hardware, setting up the load balancer, installing and configuring components can be avoided.  The cloud instance is readily available for everyone immediately from day-one, unlike the on-premises solution which required months to prepare the environment.

Oracle Identity Cloud Service provides a comprehensive IAM platform, built on modern cloud principles that can be used by organizations to simplify interactions with business partners and customers.

Recently, while working on an IAM project in which we needed to build an Enterprise Security Infrastructure using the 11gR2PS3 version of the IAM software, the requirement for Lifecycle Management (LCM) presented itself.  The LCM tool is designed to simplify and automate the multiple manual steps of a typical IAM installation.

The traditional method of installation includes installing/configuring quite a few components, such as JAVA, WebLogic, SOA, OIM, RCU, then creating a domain.  With the introduction of LCM, the installation is simplified and automated; however, there is a learning curve involved and there are changes expected in the infrastructure.

It is important to fully understand the various aspects of the LCM tools and their benefit, as well as how LCM can help reduce implementation time.  Herein is a brief presentation prepared for our customer in order to educate them on LCM, as well as highlight the benefits, challenges, and limitation of the LCM tool.

 

Recently, we ran into an issue in which we had multiple users in BPM falling under the same group with similar access, and we needed to restrict the users’ access to the BPM Human Task claimed by another user.  In this way, only the assigned party can take actions on the Task.

In order to provide a solution to the above issue, we worked within the Access Restrictions provided in Human Task, and restricted the Owner of the Task with “View Only” access.

The below snapshots illustrate this process.

  • Open Human Task and go to Access → Actions (Tab).

  • Uncheck all grants, except “View”, “Resume Timers”, and “Suspend Timers”.

  • Save and Test the Process. Any user other than the Assignee should not be able to perform any action on the Task.
Oracle Mobile is a framework provided by Oracle that enables developers to build cross-platform mobile applications.  At AST, a passionate set of developers are using Oracle Mobile to build mobile applications that will be used as an extension for Oracle Cloud Products.  During our development life-cycle, we discovered a fundamental issue with the Oracle Mobile framework, particularly with the JSONBeanSerializationHelper class.

The role of the JSONBeanSerializationHelper class within the Oracle Mobile framework is to convert JAVA objects to JSON strings.  A JSON string is an industry standard accepted for data representation; it consists of name: value pairs.  According to the JSON Specification, a JSON String is always case-sensitive.  When the JSONBeanSerializationHelper converts a JAVA object into name: value pairs, it doesn’t respect the variable case in the JAVA object.  All variables are converted to names in JSON strings in lowercase.

We took this up with Oracle and have an Enhancement Request (ER) logged.  We will update this post once the ER has been resolved.

Described below is a use case and how this impacts the mobile application integration with Oracle Service Cloud.  However, you could face the same issue when integrating with other Oracle Cloud Products:

Use Case

Consider a use case in which you have a mobile application built using Oracle Mobile.  The application has a feature that allows you to create an incident in Oracle Service Cloud.

Issue Details

  • Consider an Incident bean defined as:
public class Incident {
    private Integer id = null;
    private String lookupName = null;
    private String createdTime = null;
    private String updatedTime = null;
    private Asset asset = null;
    private Contact primaryContact = null;
    private String subject = null;
    private Threads threads = null;
    private AssignedTo assignedTo = null;
    private Banner banner = null;
    private String category = null;
    private String channel = null;
    private String chatQueue = null;
    private Date closedTime = null;
    private Account createdByAccount = null;
    private ParentInc ParentInc = null;
    private CustomFields customFields = null;
    private Link[] links;
    private PropertyChangeSupport _propertyChangeSupport = new PropertyChangeSupport(this);
    ..
    ..
    ..
}
  • An incident object will be instantiated and initialized when the user inputs the required values from the mobile interface.
  • The incident object is then converted to JSON using oracle.adfmf.framework.api.JSONBeanSerializationHelper
  public static Incident convertFromJSON(String response) {
        Incident incident = null;
        try {
            incident = (Incident) JSONBeanSerializationHelper.fromJSON(Incident.class, response);
        } catch (Exception e) {
            // Log the failure; the caller receives null
            Debug.print(e.getLocalizedMessage());
        }
        return incident;
    }
  • Converted jsonObject:
{  
   "updatedTime":{  
      ".null":true
   },
   "createdByAccount":{  
      ".null":true
   },
   "subject":"Curb damaged",
   "customFields":{  
      "c":{  
         "incident_address":"200 East Santa Clara Street San Jose California 95113",
         "incident_zip_postal_code":"95113",
         "incident_state_province":"California",
         "incident_latitude":"37.3378484",
         "incident_city":"San Jose",
         ".type":"com.astcorporation.CRMServiceMobile.api.entities.C",
         "incident_longitude":"-121.8861262",
         "incident_street_address":"200 East Santa Clara Street"
      },
      "transit":{  
         ".type":"com.astcorporation.CRMServiceMobile.api.entities.Transit",
         "latitude":"37.3378484",
         "longitude":"-121.8861262",
         "incidentMappingAddress":"200 East Santa Clara Street San Jose Califo"
      },
      ".type":"com.astcorporation.CRMServiceMobile.api.entities.CustomFields",
      "propertyChangeSupport":{  
         ".type":"oracle.adfmf.java.beans.PropertyChangeSupport",
         "propertyChangeListeners":[  

         ]
      },
      "store":{  
         ".null":true
      }
   },
   "channel":{  
      ".null":true
   },
   "threads":{  
      "entryType":{  
         ".type":"com.astcorporation.CRMServiceMobile.api.entities.Entry",
         "id":3
      },
      ".type":"com.astcorporation.CRMServiceMobile.api.entities.Threads",
      "text":"Curb on Ogden & River Road intersection is damaged"
   },
   "banner":{  
      ".null":true
   },
   "propertyChangeSupport":{  
      ".type":"oracle.adfmf.java.beans.PropertyChangeSupport",
      "propertyChangeListeners":[  

      ]
   },
   "assignedTo":{  
      ".null":true
   },
   "closedTime":{  
      ".null":true
   },
   "parentInc":{  
      ".null":true
   },
   "chatQueue":{  
      ".null":true
   },
   ".type":"com.astcorporation.CRMServiceMobile.api.entities.Incident",
   "primaryContact":{  
      ".type":"com.astcorporation.CRMServiceMobile.api.entities.Contact",
      "propertyChangeSupport":{  
         ".type":"oracle.adfmf.java.beans.PropertyChangeSupport",
         "propertyChangeListeners":[  

         ]
      },
      "id":1847
   },
   "createdTime":{  
      ".null":true
   },
   "links":{  
      ".null":true
   },
   "id":{  
      ".null":true
   },
   "category":{  
      ".null":true
   },
   "asset":{  
      ".null":true
   },
   "lookupName":{  
      ".null":true
   }
}
  • The JSON generated will not be accepted by the create incident API because:
    1. It contains “.null” name: value pairs for variables that did not hold any values.
    2. It contains a “.type” name: value pair for each variable with a custom data type.
    3. It contains “propertyChangeSupport” name: value pairs, as the beans had a property change attribute defined. This is not expected by the create incident REST API.
    4. The JSON did not respect the case of the JAVA variables defined in the Incident bean when generating the corresponding name: value pairs.
      1. For example: Consider the attribute “transit” in the JSON – the JAVA variable was defined as “Transit”. The create incident REST API also expects the name to be “Transit”.
public class C {
    private String incident_latitude;
    private String incident_longitude;
    private String incident_street_address;
    private PropertyChangeSupport _propertyChangeSupport = new PropertyChangeSupport(this);
    ..
    ..
}

Workaround

  • Option 1: Create your own implementation of the JSON serialization class. 
  • Option 2: Create a method to format your JSON as a break-fix.
    • Call custom method removeNullsAndTypeFromJSON post-JSON conversion
public static JSONObject convertToJSON(Incident incident) {
        JSONObject jsonObject = null;
        try {
            jsonObject = (JSONObject) JSONBeanSerializationHelper.toJSON(incident);
            // Strip serializer artifacts before the JSON is sent to the REST API
            removeNullsAndTypeFromJSON(jsonObject);

        } catch (Exception e) {
            Debug.print(e.getLocalizedMessage());
        }
        return jsonObject;
    }
  • “removeNullsAndTypeFromJSON” method implementation:
protected static void removeNullsAndTypeFromJSON(JSONObject jsonObj) throws JSONException {
        // Drop the serializer's bookkeeping entries first
        jsonObj.remove(".type");
        jsonObj.remove("propertyChangeSupport");

        // Snapshot the key names: the loop removes and renames entries, so
        // indexing into the live object could skip or revisit keys
        JSONArray names = jsonObj.names();
        if (names == null) {
            return;
        }
        for (int i = 0; i < names.length(); i++) {
            String key = names.getString(i);
            Object value = jsonObj.get(key);
            if (JSONBeanSerializationHelper.isObjectNull(value)) {
                // {".null": true} placeholder for a bean property with no value
                jsonObj.remove(key);
                continue;
            }
            if (value instanceof JSONObject) {
                // Clean nested beans the same way
                removeNullsAndTypeFromJSON((JSONObject) value);
            }
            // BUG: JSONBeanSerializationHelper does not preserve variable case
            if ("transit".equals(key)) {
                JSONObject transit = jsonObj.getJSONObject("transit");
                jsonObj.remove("transit");
                String Latitude = transit.getString("latitude");
                transit.remove("latitude");
                transit.put("Latitude", Latitude);
                String Longitude = transit.getString("longitude");
                transit.remove("longitude");
                transit.put("Longitude", Longitude);
                String IncidentMappingAddress = transit.getString("incidentMappingAddress");
                transit.remove("incidentMappingAddress");
                transit.put("IncidentMappingAddress", IncidentMappingAddress);
                jsonObj.put("Transit", transit);
            }
        }
    }

You sometimes may have large payload structures with most of the elements empty, especially when using canonical schemas.  This large payload structure, combined with a large volume of data, can result in a significant part of the payload containing empty elements, leading to transformation errors or service errors.

As an example, in one of our recent projects, we had a service using a canonical schema as input, and in our use case, we passed only the relevant information, leaving the remaining elements empty.  This resulted in a null pointer exception in remote service, as it was not configured to handle empty elements correctly.  Changes in the implementation of the remote service were out of our purview, hence, the only solution available in this case was not to pass any empty elements.

Another benefit of removing unused empty elements, in such cases, is the reduction in actual payload size, as many of the generic empty elements will be removed from the XML payload.

One way of removing empty elements in the payload is adding “If” conditions in the transformation; however, this will make the transformation complex, especially when dealing with a canonical schema.  Further, this would not be a reusable solution, as it would be tied to a particular type of canonical schema.  If the canonical schema is complex and large, this would enhance that complexity.

Alternatively, by using an XSLT transformation, we can create a generic reusable solution that can remove all empty elements, regardless of the XML schema, thereby avoiding the need to create complex transformations.  The following XSLT will remove all empty elements from the input and assign non-empty elements to the output.  You can use the same variable name as input and output, and the resulting XML payload will have only non-empty elements and a much smaller size.

The following is the generic XSLT transformation that can be used, regardless of input and output XML schemas:

    <xsl:template match="node()" xml:id="id_11">
        <xsl:if test="count(descendant::text()[string-length(normalize-space(.))>0]|@*)" xml:id="id_12">
            <xsl:copy xml:id="id_13">
                <xsl:apply-templates select="@*|node()" xml:id="id_14"/>
            </xsl:copy>
        </xsl:if>
    </xsl:template>
    <xsl:template match="@*" xml:id="id_15">
        <xsl:copy xml:id="id_16"/>
    </xsl:template>
    <xsl:template match="text()" xml:id="id_17">
        <xsl:value-of select="normalize-space(.)" xml:id="id_18"/>
    </xsl:template>

To utilize this XSLT transformation, add an XSLT transformation activity in your SOA process and assign the input and output variables.  Add the above code snippet to the newly created XSLT transformation.  Use the source view to make this change. The end result will look similar to the attached XSLT file, included for your reference.


Reference XSLT


Oracle Service Bus (OSB) 12C has been simplified by enabling creation and modification of services right inside JDeveloper, alongside SOA development.  However, this has introduced a learning curve for developers, who must learn and adapt to OSB development using the JDeveloper IDE.  A common use case for OSB service development is to allow attachments to pass through as part of the response.  In this post, we discuss how this can be done in OSB 12C using JDeveloper.

Unlike SOA web service adaptors, OSB does not support attaching MTOM policy (oracle/wsmtom_policy) to the proxy or business services.


At design time, JDeveloper doesn’t restrict usage of MTOM policy, and it will compile without any errors. However, when the service is deployed, it will fail with the following error:

“[OSB-387177]OWSM Policy oracle/wsmtom_policy is not supported.”

To get our use case working, three steps are required.  The first is to remove the attached MTOM policies from the Proxy and Business services.  This will ensure there are no deployment failures.

The second change should be in the pipeline.  Open the pipeline and switch it to the “Configuration” view (the default is “Design” view).  Then, go to the “Message Handling” sub-tab and select the checkbox:  “XOP/MTOM Support”.


The third and final change required is in the Business Service.  Open the Business Service and go to the “Message Handling” sub-tab.  Select the checkbox:  “XOP/MTOM Support”.  Here, select the appropriate option, depending on whether you want an attachment (Include Binary Data by Reference) or inline data (Include Binary Data by Value).


After completing this configuration, the compilation and deployment will proceed without any issues.

Note: The output structure should be defined in XML schema with base64Binary as the element type. Here is a sample type definition:

<xsd:complexType name="Document">
    <xsd:sequence>
        <xsd:element name="docId" type="xsd:string"/>
        <xsd:element name="documentData" type="xsd:base64Binary"/>
        <xsd:element name="documentMimeType" type="xsd:string"/>
    </xsd:sequence>
</xsd:complexType>

If you have any questions or comments, please leave them below and we’ll get back to you!


Oracle Cloud Service, with its array of IaaS, PaaS, and SaaS offerings, is slowly becoming the tool of choice for business and IT teams when it comes to maximizing development efficiency and improving application rollouts.  For Oracle SOA Suite, setting up the development (dev) environment, which was once a considerably technical process prior to Oracle SOA Suite 11g, has improved greatly with the introduction of Oracle SOA Suite 12c.

Now, with the ability to provision Oracle SOA Suite on the cloud as a Cloud Service instance, it has become even more business friendly and efficient. All of the steps have been neatly documented by Oracle at https://docs.oracle.com/cloud/latest/soacs_gs/index_soa.html.

We recently worked on setting up a development environment for our internal use with SOA-CS.  However, after following all of the steps mentioned in the above link, our provisioning failed at the final step while configuring Oracle SOA Cloud Service, providing an error such as the one below:

Failed to create JCS Service.

This error was visible after clicking on the failed provisioning request, as shown below:

[Screenshot]

Navigating to the JCS Service console for more details revealed the actual error to be:

Failed to configure WebLogic Administration Server. JCS-ERR-20027. Cannot establish connection using connect string ‘DatabaseService12c:1521/PDB1.acmeinternationalomw.oraclecloud.internal’ and userName ‘SYS as sysdba’. Reason: ‘IO Error: Unknown host specified

As part of the provisioning steps, the access rules are not enabled by default, but need to be enabled manually. After completing Section 1 from the link above, log in to your DBaaS service console and click on the DB Service instance initially created as part of the process. Then, click on Access Rules, as shown in the following screenshot:

[Screenshot]

You will see that the rule ‘ora_p2_dblistener’ is disabled by default:

[Screenshot]

Click on the Actions column for that rule and enable the rule, after which you should see the rule enabled:

[Screenshot]

Once this has been enabled, you can start provisioning and connect to your Oracle SOA Cloud Service; this database error should no longer occur.

If you would like additional detailed steps regarding our particular use case and provisioning considerations, please leave a comment and we will elaborate on the steps involved.


With the introduction of Oracle SOA Suite 12c, it has become imperative for any organization using Oracle SOA Suite 11g to migrate to the newer and better stack.  This upgrade offers a host of benefits, such as added features, bug fixes, and the ability to stay current with the latest technologies.  However, as is the case with any other software upgrade, appropriate and thorough planning is crucial to realizing the full benefit of the upgraded solution.

Recently, we’ve had the opportunity with some of our customers to migrate their SOA Suite 11g applications into Oracle SOA Suite 12c. This post is the first in a series that will provide the observations and lessons learned from these experiences, and we hope you find this information helpful in your application migrations.

In this first post, we tackle issues pertaining to the developer team.  As main characters in any migration, the developer team should understand the following obstacles, and their solutions, likely to be faced while performing the upgrade.

Migrating Code

One of the promises of Oracle SOA Suite 12c is its commitment to ensuring high developer productivity. This is evident with JDeveloper 12c having integrated servers and OSB Development support, among others.

To migrate any Oracle SOA Suite 11g applications, open the application file (e.g. HelloWorld.jws) in JDeveloper 12c. The editor automatically prompts for migration and completes the migration successfully.

Once the migration is completed by JDeveloper, the development team should begin looking into the following areas for fixing any issues, should they arise.

Usage of Older XPath Functions

Earlier releases of Oracle SOA Suite 11g encouraged the use of getCompositeInstanceID() as a way to identify and track the running instances. With the advent of the Flow ID concept, it is advisable to use the getFlowID() function where the FlowID of the instance needs to be tracked.

getCompositeInstanceID() →  getFlowID()

*The use of FlowID to track instances will be explained in a later blog post, and this post will be updated with the link.

Also, watch for the change in the namespace prefix for some of the functions.  For example, bpelx:copyList() should be used instead of ora:copyList(), although both functions are available.

Older Composites Failing to Migrate

If you have certain SOA composites built using JDeveloper 11.1.1.6.0, then you might face issues while migrating in JDeveloper 12c. The error type would be:

oracle.bali.xml.model.XmlContext_setSourceModel
 SEVERE: Exception thrown when initializing 
 model:oracle.tip.tools.ide.bpel.v1.designer.addin.model.BPELXmlModelImpl@5a2e258d
 java.lang.RuntimeException: SOA component BPELProcess does not have a <componentType> element.
 If you are opening a project created in 12C, you will need to manually migrate the project by copying the complete
 contents of the componentType file, including the root element, to the second
 child of the component element (after the implementation element) in the composite.xml.

The resolution for this error is to download and apply Patch 18532283, according to your SOA 12c version – for now, available on 12.1.3.0.1.

Composite Definition not Showing up in Enterprise Manager

A new feature in Oracle SOA Suite 12c EM is the ability to see the composite definition (the process flow) in EM. This is helpful for multiple reasons, such as helping testers understand the various components and providing a high-level view of the flow. For Oracle SOA Suite components/composites developed in JDeveloper 12c, one can easily see the composite definition in EM under the tab ‘Composite Definition’, as shown below.

[Screenshot]

However, since you will be working on migrating projects from previous versions to 12c, you might face an error message displayed as follows for any composites which were initially developed using JDeveloper 11g:

Unable to read the diagram details. This is likely because the SOA Composite was designed using an older version of JDeveloper. The problem should go away by re-opening the SOA application in the latest JDeveloper and redeploying it.

Solution:

In the composite.xml file, find the following two properties:

<property name="originalProductVersion" type="xs:string" many="false">11.0.0.0.0</property>
<property name="productVersion" type="xs:string" many="false">12.1.3.0.0.140013</property>

Remove the originalProductVersion property, then compile and deploy again to your 12c environment.  You should now be able to see the composite definition.

JDeveloper OSB Workspace Set Up

JDeveloper 12c is an excellent IDE, improving developer productivity with features such as Integrated Server for quick start, as well as an integrated IDE, in which you can develop both SOA composites and OSB components.  When it comes to OSB development, one feature that makes JDeveloper 12c take a backseat compared to Oracle Enterprise Pack for Eclipse (for OSB Development) is the lack of ability to import projects from an existing workspace to the OSB application.

Plan your development set-up for OSB projects carefully.  Once you import OSB projects by selecting the option for “Import sbconfig”, the projects are created in JDeveloper’s own workspace, and you must then sync them with your central repository system.  Similarly, plan the development strategy accordingly, choosing whether to have OSB applications for each OSB project, or bundle them together into one application.  The latter approach is recommended since your projects might have inter-dependencies with each other.

XQuery Files Improperly Displayed in the Graphical Editor in JDeveloper

Once the OSB projects have been migrated, right-click on each project and select the option shown below:

Service Bus → Convert To XQuery 1.0

[Screenshot]

Your transformations will now be displayed in the graphical editor in JDeveloper 12c without any issues.

Using In-Memory Optimization

In-Memory Optimization was a feature present in SOA Suite 10g, but was dropped in SOA Suite 11g.  It has now been re-introduced in Oracle SOA Suite 12c and greatly improves the performance of transient BPEL processes; however, exercise caution with this implementation.  It is advisable to perform a load test on the sample application on which you plan to use In-Memory Optimization in order to verify whether the performance is, indeed, improved.

In one of our migration implementations, we found that the In-Memory Optimization was not providing the expected results.  Be sure to make a calculated decision as to whether you really need In-Memory Optimization and, if needed, follow up with Oracle Support should you not get expected results.

This blog series will continue to cover other areas in which the team should plan ahead, as well as additional issues for the Middleware team to look out for.  Also, be advised that this post will be updated as we discover new scenarios to be mindful of.
