Friday, December 16, 2016

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE


While configuring SSL I ran into a complication that caused errors on other hosts.

When I tried to start the Node Manager on one of my clustered hosts I got the error below:

WARNING: Uncaught exception in server handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from HOSTNAME - HOST_IP. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from HOSTNAME - HOST_IP. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.ReadHandler.read(Unknown Source)
at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283)
at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177)
at java.io.InputStreamReader.read(InputStreamReader.java:184)
at java.io.BufferedReader.fill(BufferedReader.java:154)
at java.io.BufferedReader.readLine(BufferedReader.java:317)
at java.io.BufferedReader.readLine(BufferedReader.java:382)
at weblogic.nodemanager.server.Handler.run(Handler.java:71)
at java.lang.Thread.run(Thread.java:724)


On the other side (the AdminServer) I got the error below:

<BEA-090504> <Certificate chain received from HOSTNAME - HOST_IP failed hostname verification check.


I checked the certificate and found that the Common Name in the demo identity certificate was not this host's name, so hostname verification failed:

$ keytool -list -v -keystore DemoIdentity.jks
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: demoidentity
Creation date: Nov 15, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=rn360-a1-20, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Serial number: 5b04b231c13431ed67bdb087bcd009df
Valid from: Mon Nov 14 19:57:00 AST 2011 until: Sun Nov 15 19:57:00 AST 2026
Certificate fingerprints:
MD5:  CF:C6:F4:C7:9C:F2:D2:34:6D:58:B3:06:EE:46:FA:68
SHA1: 9D:5F:53:F2:96:EB:AA:03:01:33:F0:B4:85:EA:14:E3:24:04:03:B7
SHA256: B2:48:31:CC:A6:3F:B9:6C:F3:FD:E9:FA:57:DB:84:06:11:56:74:E9:63:C7:86:B6:D5:90:A9:D3:33:61:00:E7
Signature algorithm name: MD5withRSA
Version: 1


*******************************************
*******************************************

Solution:

$ . $WLS_HOME/server/bin/setWLSEnv.sh
$ cp DemoIdentity.jks DemoIdentity.jks.bkp16122016
$ rm DemoIdentity.jks

$ java utils.CertGen -keyfilepass DemoIdentityPassPhrase -certfile newcert -keyfile newkey
Generating a certificate with common name HOSTNAME and key strength 1024
issued by CA with certificate from CertGenCA.der file and key from CertGenCAKey.der file

$ java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile newkey.pem -keyfilepass DemoIdentityPassPhrase -certfile newcert.pem -alias demoidentity
No password was specified for the key entry
Key file password will be used
<Dec 16, 2016 7:07:27 PM AST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true> 
<Dec 16, 2016 7:07:27 PM AST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true> 
<Dec 16, 2016 7:07:28 PM AST> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.> 

Imported private key newkey.pem and certificate newcert.pem
into a new keystore DemoIdentity.jks of type jks under alias demoidentity

Finally, start your Node Manager.
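Before starting Node Manager it helps to confirm that the identity certificate's CN actually matches the host. The script below is an added example, not part of the original post: it parses the Owner line of keytool -list -v output and compares the CN with the host name (the function names, the SAMPLE_KEYTOOL text and the single-label wildcard rule are mine, and the wildcard rule is not a statement about WebLogic's own verifier).

```shell
#!/bin/bash
# Added pre-flight check (not from the original post): extract the subject CN
# from `keytool -list -v` output and compare it with the host name before
# starting Node Manager, since a CN that does not match the host is what the
# BEA-090504 hostname verification failure above reports.
# Assumptions: keytool output in the format shown in the post; the wildcard rule
# below is the usual single-label one, not a claim about WebLogic's verifier.

# Print the CN of the first "Owner:" line read from stdin.
cert_cn() {
  sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p' | head -n 1
}

# Return 0 when CN ($1) matches host name ($2), case-insensitively.
# "*.example.com" matches "a.example.com" but not "a.b.example.com" or "example.com".
cn_matches_host() {
  cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$cn" in
    "$host") return 0 ;;
    \*.*)
      suffix=${cn#\*.}
      label=${host%."$suffix"}
      # label must be exactly one DNS label stripped from the host
      if [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label%%.*}" = "$label" ]; then
        return 0
      fi ;;
  esac
  return 1
}

# Live check against a keystore (keytool prompts for the store password).
check_keystore() {   # usage: check_keystore <keystore.jks> [expected host]
  host=${2:-$(hostname)}
  cn=$(keytool -list -v -keystore "$1" | cert_cn)
  if cn_matches_host "$cn" "$host"; then
    echo "OK: CN=$cn matches $host"
  else
    echo "MISMATCH: CN=$cn does not match $host; regenerate the identity certificate"
    return 1
  fi
}

# Constructed sample, abbreviated from the keytool output in the post.
SAMPLE_KEYTOOL='Alias name: demoidentity
Owner: CN=rn360-a1-20, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US'
```

Run check_keystore DemoIdentity.jks on the host that will run Node Manager; a MISMATCH is the condition that produces the BAD_CERTIFICATE alert above.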


Thursday, August 11, 2016

Change all passwords after fresh installation of Exadata

Oracle ACS leaves you with default passwords on all Exadata components, which must be changed before going live.

To change these passwords, follow the steps below:

1- Log in to any of your compute nodes as root and change the root, oracle and grid passwords on the compute nodes:

--root
[root@xadbadm01 ~]# dcli -g dbs_group -l root "echo new_password | passwd --stdin root"
xadbadm01: Changing password for user root.
xadbadm01: passwd: all authentication tokens updated successfully.
xadbadm02: Changing password for user root.
xadbadm02: passwd: all authentication tokens updated successfully.

--oracle
[root@xadbadm01 ~]# dcli -g dbs_group -l root "echo new_password | passwd --stdin oracle"
xadbadm01: Changing password for user oracle.
xadbadm01: passwd: all authentication tokens updated successfully.
xadbadm02: Changing password for user oracle.
xadbadm02: passwd: all authentication tokens updated successfully.

--grid
[root@xadbadm01 ~]# dcli -g dbs_group -l root "echo new_password | passwd --stdin grid"
xadbadm01: Changing password for user grid.
xadbadm01: passwd: all authentication tokens updated successfully.
xadbadm02: Changing password for user grid.
xadbadm02: passwd: all authentication tokens updated successfully.


2- Log in as root to any of your cell servers and change the root, celladmin, and cellmonitor passwords:

--root
[root@xadbadm01 ~]# dcli -g cell_group -l root "echo new_password | passwd --stdin root"
xaceladm01: Changing password for user root.
xaceladm01: passwd: all authentication tokens updated successfully.
xaceladm02: Changing password for user root.
xaceladm02: passwd: all authentication tokens updated successfully.
xaceladm03: Changing password for user root.
xaceladm03: passwd: all authentication tokens updated successfully.

--celladmin
[root@xadbadm01 ~]# dcli -g cell_group -l root "echo new_password | passwd --stdin celladmin"
xaceladm01: Changing password for user celladmin.
xaceladm01: passwd: all authentication tokens updated successfully.
xaceladm02: Changing password for user celladmin.
xaceladm02: passwd: all authentication tokens updated successfully.
xaceladm03: Changing password for user celladmin.
xaceladm03: passwd: all authentication tokens updated successfully.

--cellmonitor
[root@xadbadm01 ~]# dcli -g cell_group -l root "echo new_password | passwd --stdin cellmonitor"
xaceladm01: Changing password for user cellmonitor.
xaceladm01: passwd: all authentication tokens updated successfully.
xaceladm02: Changing password for user cellmonitor.
xaceladm02: passwd: all authentication tokens updated successfully.
xaceladm03: Changing password for user cellmonitor.
xaceladm03: passwd: all authentication tokens updated successfully.


3- For the ILOM passwords, you can change them all in one step by creating a new group file, dbs_cell_group, that lists both the compute nodes and the cells:

[root@xadbadm01 ~]# cat dbs_cell_group 
xadbadm01
xadbadm02
xaceladm01
xaceladm02
xaceladm03
[root@xadbadm01 ~]# dcli -g dbs_cell_group -l root "ipmitool sunoem cli 'set /SP/users/root password=new_password'"
xadbadm01: Connected. Use ^D to exit.
xadbadm01: -> set /SP/users/root password=new_password
xadbadm01: Changing password for user /SP/users/root...
xadbadm01: Enter new password again: ************
xadbadm01: New password was successfully set for user /SP/users/root
xadbadm01:
xadbadm01: -> Session closed
xadbadm01: Disconnected
xadbadm02: Connected. Use ^D to exit.
xadbadm02: -> set /SP/users/root password=new_password
xadbadm02: Changing password for user /SP/users/root...
xadbadm02: Enter new password again: ************
xadbadm02: New password was successfully set for user /SP/users/root
xadbadm02:
xadbadm02: -> Session closed
xadbadm02: Disconnected
xaceladm01: Connected. Use ^D to exit.
xaceladm01: -> set /SP/users/root password=new_password
xaceladm01: Changing password for user /SP/users/root...
xaceladm01: Enter new password again: ************
xaceladm01: New password was successfully set for user /SP/users/root
xaceladm01:
xaceladm01: -> Session closed
xaceladm01: Disconnected
xaceladm02: Connected. Use ^D to exit.
xaceladm02: -> set /SP/users/root password=new_password
xaceladm02: Changing password for user /SP/users/root...
xaceladm02: Enter new password again: ************
xaceladm02: New password was successfully set for user /SP/users/root
xaceladm02:
xaceladm02: -> Session closed
xaceladm02: Disconnected
xaceladm03: Connected. Use ^D to exit.
xaceladm03: -> set /SP/users/root password=new_password
xaceladm03: Changing password for user /SP/users/root...
xaceladm03: Enter new password again: ************
xaceladm03: New password was successfully set for user /SP/users/root
xaceladm03:
xaceladm03: -> Session closed
xaceladm03: Disconnected

4- Infiniband switches: change the root, nm2user, ilom-operator, and ilom-admin passwords. Log in as root and execute the following:

-- root
[root@xasw-iba01 ~]# passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

-- nm2user
[root@xasw-iba01 ~]# passwd nm2user
Changing password for user nm2user.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

-- ilom-admin
[root@xasw-iba01 ~]# ssh -l ilom-admin xasw-iba01
ilom-admin@xasw-iba01's password: 
Last login: Tue Aug  2 19:33:17 2016 from tusw-iba01.tu.edu.sa
Oracle(R) Integrated Lights Out Manager
Version ILOM 3.0 r47111
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-> set /SP/users/ilom-admin password
Enter new password: *********
Enter new password again: *********

-- ilom-operator
-> set /SP/users/ilom-operator password
Enter new password: *********
Enter new password again: *********

Repeat the same on the second Infiniband Switch (xasw-ibb01).

5- Cisco switch: connect to the Cisco switch as the admin user and execute the following:

xasw-adm01>enable
Password: 
xasw-adm01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
xasw-adm01(config)#enable password new_password
The enable secret you have chosen is the same as your enable password.
This is not recommended.  Re-enter the enable secret.

xasw-adm01(config)#end
xasw-adm01#write memory
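Once the dcli commands of steps 1 and 2 have run, it is worth verifying that every OS account on every compute node and cell really changed rather than trusting the scrolled output. The script below is an added example, not part of the original post or the Oracle note: it parses passwd -S output collected through dcli (the function names and the SAMPLE_PASSWD_S lines are constructed by me; the passwd -S field layout assumed is the shadow-utils one used on Exadata's Linux).

```shell
#!/bin/bash
# Added verification (not from the original post): after steps 1 and 2, confirm
# that every OS account on every compute and cell node got a new password by
# checking the last-change date reported by `passwd -S`, collected through
# dcli, which prefixes each output line with "host: ".
# Assumption: shadow-utils `passwd -S` output "<user> <PS|LK|NP> <YYYY-MM-DD> ...".

# Read "host: user status date ..." lines from stdin and print "host user date"
# for every account that is not in state PS or whose change date is not $1.
stale_accounts() {
  expected=$1
  while IFS= read -r line; do
    host=${line%%:*}
    rest=${line#*: }
    set -- $rest            # split the passwd -S fields: user status date ...
    if [ "$2" != "PS" ] || [ "$3" != "$expected" ]; then
      echo "$host $1 $3"
    fi
  done
}

# Run on the admin node as root (not part of the offline self-test):
# usage: audit_group <dcli group file> <YYYY-MM-DD> <user>...
audit_group() {
  group=$1 day=$2; shift 2
  # \$u is left for the remote shell; passwd -S takes one login at a time
  dcli -g "$group" -l root "for u in $*; do passwd -S \$u; done" | stale_accounts "$day"
}
# e.g. audit_group dbs_group  "$(date +%F)" root oracle grid
#      audit_group cell_group "$(date +%F)" root celladmin cellmonitor

# Constructed sample of dcli output: two accounts on xadbadm02 were not updated.
SAMPLE_PASSWD_S='xadbadm01: root PS 2016-08-11 0 99999 7 -1 (Password set, SHA512 crypt.)
xadbadm01: oracle PS 2016-08-11 0 99999 7 -1 (Password set, SHA512 crypt.)
xadbadm02: root PS 2016-08-11 0 99999 7 -1 (Password set, SHA512 crypt.)
xadbadm02: oracle PS 2016-05-02 0 99999 7 -1 (Password set, SHA512 crypt.)
xadbadm02: grid LK 2016-08-11 0 99999 7 -1 (Password locked.)'
```

Because the echo new_password | passwd --stdin form puts each password on the dcli command line, it also lands in root's shell history on the admin node; clear that entry once the audit comes back empty.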


####
Reference:
How to change OS user password for Cell Node, Database Node , ILOM, KVM , Infiniband Switch , GigaBit Ethernet Switch and PDU on Exadata Database Machine (Doc ID 1291766.1)

Monday, January 4, 2016

Configuring DBFS on Oracle Exadata Database Machine

All steps and information below are derived from Oracle Doc ID 1054431.1, which covers them in great detail. I just wanted to record my own experience with the DBFS configuration.

Create a database group file to simplify the dcli commands:
[root@ttdbadm01 ~]# cat /home/oracle/dbs_group
ttdbadm01
ttdbadm02

Prerequisite steps:
[root@ttdbadm01 ~]# id oracle
uid=1001(oracle) gid=1001(oinstall) groups=1001(oinstall),1004(asmdba),1002(dba),1003(racoper)
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root usermod -a -G fuse oracle
[root@ttdbadm01 ~]# id oracle
uid=1001(oracle) gid=1001(oinstall) groups=499(fuse),1001(oinstall),1004(asmdba),1002(dba),1003(racoper)
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root "echo user_allow_other > /etc/fuse.conf"
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root chmod 644 /etc/fuse.conf
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root mkdir /dbfs_direct
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root chown oracle:dba /dbfs_direct

Create new repository database as instructed in Oracle Doc ID (1191144.1):
1. Invoke DBCA
2. Choose Real Application Clusters database.
3. Choose Create a Database
4. Choose the General Purpose or Transaction Processing template (include datafiles)
5. Choose Admin-Managed and select all nodes
6. Name your database (e.g. fsdb)
7. Optionally configure Enterprise Manager and automatic maintenance tasks as per site requirements
8. Choose Automatic Storage Management and Oracle-Managed Files
9. Choose the desired Disk Group. In general, DBFS_DG is adequate for DBFS purposes
10. De-select Flash Recovery Area
11. Do not select Enable Archiving. Archivelog mode is not necessary for this use case.
12. In the Memory Tab:
12.1 Choose Custom and then Automatic Shared Memory Management
12.2 Set SGA size by entering 1536 (and choose M Bytes for units) in the SGA box and enter 6656 (and choose M Bytes for units) in the PGA Size box
     Note: The required SGA size depends on the version; if it is too low you will see ORA-04031 (SGA is set to 1536m for 12.1.0.2). If this message is seen, increase the SGA to 2048m and the database will start without issues.
13. In the Character Sets tab choose AL32UTF8 as the Database Character Set
14. Open the All Initialization Parameters dialogue. Select "Show Advanced Parameters". Scroll down to parallel_max_servers and enter "2" under the Value column.

Create a new tablespace in the newly created repository database:
SQL> create bigfile tablespace dbfsts datafile '+DBFS_DG' size 75g autoextend on next 8g maxsize 300g NOLOGGING EXTENT MANAGEMENT LOCAL AUTOALLOCATE  SEGMENT SPACE MANAGEMENT AUTO ;
Tablespace created.

Create a new user for DBFS and grant the appropriate privileges:
SQL> create user dbfs_user identified by dbfs_passwd default tablespace dbfsts quota unlimited on dbfsts;
User created.
SQL> grant create session, create table, create view, create procedure, dbfs_role to dbfs_user;
Grant succeeded.

Create dbfs database objects:
[oracle@ttdbadm01 ~]$ cd $ORACLE_HOME/rdbms/admin
[oracle@ttdbadm01 admin]$ sqlplus dbfs_user

SQL*Plus: Release 11.2.0.4.0 Production on Sun Jan 3 14:32:11 2016

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options

SQL> start dbfs_create_filesystem dbfsts FS1
No errors.
--------
CREATE STORE:
begin dbms_dbfs_sfs.createFilesystem(store_name => 'FS_FS1', tbl_name =>
'T_FS1', tbl_tbs => 'dbfsts', lob_tbs => 'dbfsts', do_partition => false,
partition_key => 1, do_compress => false, compression => '', do_dedup => false,
do_encrypt => false); end;
--------
REGISTER STORE:
begin dbms_dbfs_content.registerStore(store_name=> 'FS_FS1', provider_name =>
'sample1', provider_package => 'dbms_dbfs_sfs'); end;
--------
MOUNT STORE:
begin dbms_dbfs_content.mountStore(store_name=>'FS_FS1', store_mount=>'FS1');
end;
--------
CHMOD STORE:
declare m integer; begin m := dbms_fuse.fs_chmod('/FS1', 16895); end;
No errors.
Download mount-dbfs-20151013.zip from Oracle Doc ID 1054431.1, copy it to the server, then do the following:

[oracle@ttdbadm01 tmp]$ unzip mount-dbfs-20151013.zip
Archive:  mount-dbfs-20151013.zip
  inflating: mount-dbfs.conf        
  inflating: mount-dbfs.sh

Convert the files to Unix line endings in case the transfer left them in DOS format:
[oracle@ttdbadm01 tmp]$ dos2unix mount-dbfs.conf
dos2unix: converting file mount-dbfs.conf to UNIX format ...
[oracle@ttdbadm01 tmp]$ dos2unix mount-dbfs.sh
dos2unix: converting file mount-dbfs.sh to UNIX format ...

Open and edit mount-dbfs.conf to set all the appropriate values (dbname, mountpoint, dbfsuser, ORACLE_HOME, GI_HOME, etc.), ignoring any value related to WALLET or PDB since I'm not going to use them.
[oracle@ttdbadm01 tmp]$ vi mount-dbfs.conf

Copy mount-dbfs.sh and mount-dbfs.conf to $GI_HOME/crs/script and /etc/oracle respectively, then set the proper permissions:

[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root -d /u01/app/11.2.0.4/grid/crs/script/ -f /tmp/mount-dbfs.sh
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root chown oracle:dba /u01/app/11.2.0.4/grid/crs/script/mount-dbfs.sh
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root chmod 750 /u01/app/11.2.0.4/grid/crs/script/mount-dbfs.sh
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root -d /etc/oracle -f /tmp/mount-dbfs.conf
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root chown oracle:dba /etc/oracle/mount-dbfs.conf
[root@ttdbadm01 ~]# dcli -g ~/dbs_group -l root chmod 640 /etc/oracle/mount-dbfs.conf


Create and execute add-dbfs-resource.sh to register the clusterware resource (ORACLE_HOME and ACTION_SCRIPT must point at the Grid Infrastructure home the action script was copied to above):

[oracle@ttdbadm01 ~]$ vi add-dbfs-resource.sh
##### start script add-dbfs-resource.sh
#!/bin/bash
# Grid Infrastructure home and the action script copied into it above
ORACLE_HOME=/u01/app/11.2.0.4/grid
ACTION_SCRIPT=$ORACLE_HOME/crs/script/mount-dbfs.sh
RESNAME=dbfs_mount
DBNAME=fsdb                              # repository database created with DBCA
DBNAMEL=$(echo "$DBNAME" | tr A-Z a-z)   # CRS database resource names are lower case
PATH=$ORACLE_HOME/bin:$PATH
export PATH ORACLE_HOME
# Local resource on every node that starts after, and stops with, the database
crsctl add resource "$RESNAME" \
  -type local_resource \
  -attr "ACTION_SCRIPT=$ACTION_SCRIPT, \
         CHECK_INTERVAL=30,RESTART_ATTEMPTS=10, \
         START_DEPENDENCIES='hard(ora.$DBNAMEL.db)pullup(ora.$DBNAMEL.db)',\
         STOP_DEPENDENCIES='hard(ora.$DBNAMEL.db)',\
         SCRIPT_TIMEOUT=300"
##### end script add-dbfs-resource.sh
[oracle@ttdbadm01 ~]$ sh ./add-dbfs-resource.sh

Check the status of dbfs_mount:
[grid@ttdbadm01 bin]$ ./crsctl stat res dbfs_mount -t
--------------------------------------------------------------------------------
NAME           TARGET  STATE        SERVER                   STATE_DETAILS      
--------------------------------------------------------------------------------
Local Resources
--------------------------------------------------------------------------------
dbfs_mount
               OFFLINE OFFLINE      ttdbadm01                                   
               OFFLINE OFFLINE      ttdbadm02      

Please note that dbfs_client must be executable by the oracle user before the dbfs_mount resource can start; otherwise you will see an error like:
CRS-4000: Command Start failed, or completed with errors.

Execute the following before attempting to start dbfs_mount:
dcli -g ~/dbs_group -l root chmod +x /u01/app/oracle/product/11.2.0.4/dbhome_1/bin/dbfs_client
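A pre-flight check before starting dbfs_mount saves a round of CRS-4000 debugging. The script below is an added example, neither from this post nor from Oracle's mount-dbfs kit: it checks the prerequisites set up above on the local node (the function names, the prefix argument, and the assumption that mount-dbfs.conf carries the DBFS user's password when no wallet is configured are mine).

```shell
#!/bin/bash
# Added pre-flight check (not from the post or Oracle's mount-dbfs kit): verify
# on the local node the prerequisites the post sets up, so that a missing +x on
# dbfs_client or a bad /etc/fuse.conf is caught before dbfs_mount fails with CRS-4000.
# Assumption (mine): mount-dbfs.conf holds the DBFS user's password when no
# wallet is used, as in this post, which is why its file mode is checked.
# $1 of dbfs_preflight is a prefix prepended to every absolute path ("" on a
# real node) so the offline self-test can point it at a temporary tree.

# Return 0 if user $1 is a member of group $2 (e.g. oracle in fuse).
user_in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# usage: dbfs_preflight <prefix> <GI home> <DB home>
# Prints one FAIL line per broken prerequisite; returns 1 if any failed.
dbfs_preflight() {
  prefix=$1 gi_home=$2 db_home=$3 rc=0
  fuse_conf="$prefix/etc/fuse.conf"
  conf="$prefix/etc/oracle/mount-dbfs.conf"
  action="$prefix$gi_home/crs/script/mount-dbfs.sh"
  client="$prefix$db_home/bin/dbfs_client"
  mnt="$prefix/dbfs_direct"

  grep -qx 'user_allow_other' "$fuse_conf" 2>/dev/null \
    || { echo "FAIL: $fuse_conf must contain user_allow_other"; rc=1; }
  [ -d "$mnt" ] || { echo "FAIL: mount point $mnt missing"; rc=1; }
  [ -x "$action" ] || { echo "FAIL: $action missing or not executable"; rc=1; }
  [ -x "$client" ] || { echo "FAIL: $client not executable (dbfs_mount start gives CRS-4000)"; rc=1; }
  if [ ! -f "$conf" ]; then
    echo "FAIL: $conf missing"; rc=1
  elif [ "$(ls -l "$conf" | cut -c8)" = "r" ]; then
    # column 8 of ls -l is the others-read bit; the conf carries the DBFS password
    echo "FAIL: $conf is world-readable, use mode 640"; rc=1
  fi
  return "$rc"
}

# On a real node (copy the script with dcli -f as the post does, then run it on each node):
#   dbfs_preflight "" /u01/app/11.2.0.4/grid /u01/app/oracle/product/11.2.0.4/dbhome_1
#   user_in_group oracle fuse
```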

As the oracle user, start the dbfs_mount resource:
[oracle@ttdbadm01 bin]$ ./crsctl start resource dbfs_mount
CRS-2672: Attempting to start 'dbfs_mount' on 'ttdbadm01'
CRS-2672: Attempting to start 'dbfs_mount' on 'ttdbadm02'
CRS-2676: Start of 'dbfs_mount' on 'ttdbadm01' succeeded
CRS-2676: Start of 'dbfs_mount' on 'ttdbadm02' succeeded
[oracle@ttdbadm01 bin]$ ./crsctl stat res dbfs_mount -t
--------------------------------------------------------------------------------
NAME           TARGET  STATE        SERVER                   STATE_DETAILS      
--------------------------------------------------------------------------------
Local Resources
--------------------------------------------------------------------------------
dbfs_mount
               ONLINE  ONLINE       ttdbadm01                                   
               ONLINE  ONLINE       ttdbadm02                


[oracle@ttdbadm01 bin]$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VGExaDb-LVDbSys1
                       30G   24G  4.4G  85% /
tmpfs                 252G  8.2G  244G   4% /dev/shm
/dev/sda1             504M   38M  441M   8% /boot
/dev/mapper/VGExaDb-LVDbOra1
                       99G   90G  3.8G  96% /u01
dbfs-dbfs_user@:/     100G  120K  100G   1% /dbfs_direct