Month: January 2011

Troubleshooting errors starting #OID #11g #Oracle #Identity #LDAP


I have an Oracle Identity 11g environment running on VirtualBox 4.0. This is a development environment that I use to test out various installations and configurations. I noticed the other day that I wasn’t able to start the Oracle Internet Directory (OID) instance.

Screen shot 2011-01-26 at 2.21.25 PM.png

When I checked the log file I could see that I was not able to connect to the database. By the way, the log that is referenced doesn’t show anything of value. The log that actually contained the error is called oidmon-0000.log.

Screen shot 2011-01-26 at 2.23.11 PM.png

According to ora-code.com, ORA-28000 means that the user account connecting to the database (‘ODS’) is locked.

ORA-28000: the account is locked
Cause: The user has entered wrong password consequently for maximum number of times specified by the user’s profile parameter FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account
Action: Wait for PASSWORD_LOCK_TIME or contact DBA

It’s typically trivial to unlock an account from the sqlplus command line

Screen shot 2011-01-26 at 2.29.30 PM.png

So, we should be good now. I will try to start the process again.

Screen shot 2011-01-26 at 2.30.42 PM.png

But now my log shows

Screen shot 2011-01-26 at 2.31.14 PM.png

So, now I am getting an ORA-01017 error, which means “Invalid username/password”. So, it seems that the database doesn’t like the password that OID is supplying to connect to the ODS schema.

I’ll use SQL Developer to try and connect to the database with the ODS user

Screen shot 2011-01-26 at 2.38.10 PM.png


Interesting, SQL Developer is showing an ORA-28000 error.

Let’s try connecting using SQLPlus …

Screen shot 2011-01-26 at 2.42.11 PM.png

So, it seems we have a consensus (and yes, I did just include my password in the screenshot … it doesn’t matter)

Let’s see what the database has to say about this user. Make sure you reconnect to the DB as oracle.

Screen shot 2011-01-26 at 2.52.15 PM.png

Ok, didn’t we just unlock it? Let’s try again …

Screen shot 2011-01-26 at 3.00.20 PM.png

So, now what is the status?

Screen shot 2011-01-26 at 3.01.39 PM.png

Hey! This is good right? … the account seems to be open again.

So, let’s try to start OID again.

Screen shot 2011-01-26 at 3.15.29 PM.png

Ok, this is looking pretty ugly right about now…

Screen shot 2011-01-26 at 3.16.38 PM.png

… and the account is locked again. So, let’s see if we can figure out why this is happening.

Maybe the wallet that holds the ODS password for OID has become corrupt. We can recreate it using oidpasswd.

Note: Before you run oidpasswd it’s important to have your Oracle environment set up correctly. Here is what I am using (yours may vary):

ORACLE_SID=orcl

ORACLE_BASE=/opt/oracle

ORACLE_INSTANCE=/opt/oracle/Middleware/asisnt_1

ORACLE_HOME=/opt/oracle/Middleware/Oracle_IDM1

MW_HOME=/opt/oracle/Middleware


Screen shot 2011-01-26 at 4.14.39 PM.png

Now with this output … I have verified the location of the tnsnames.ora file and the information in it … so I am going to assume for the moment that the issue is with the password (at least until I prove otherwise).

Typically, changing the password will unlock the account

Screen shot 2011-01-26 at 4.37.18 PM.png

But here we are and the account is still locked.

… I am spending some time just fishing around on the Internet and looking around at my system

Screen shot 2011-01-26 at 5.08.25 PM.png

Wait a second … I wasn’t even thinking about ODSSM …


Screen shot 2011-01-26 at 5.11.50 PM.png

Change the ODSSM’s password and then unlock ODS.

Screen shot 2011-01-26 at 5.13.24 PM.png

So, both accounts should now be “OPEN”

Screen shot 2011-01-26 at 5.15.48 PM.png

Now restart the OIDMON process

Screen shot 2011-01-26 at 5.17.41 PM.png

What does the log say

Screen shot 2011-01-26 at 5.18.12 PM.png

Completely different error this time. At least I feel like we are making some progress …

hmmm … if the wallet can’t be read … maybe we can recreate the wallet. Let’s re-run the “create wallet” command that we tried earlier.

Screen shot 2011-01-26 at 5.29.48 PM.png

Hey! … it was successful this time. So, let’s try starting the OID processes

Screen shot 2011-01-26 at 5.31.59 PM.png

That was successful!

Now to check the status of the OPMN Processes

Screen shot 2011-01-26 at 5.33.09 PM.png

All of the OID related processes are now Alive. The ohs1 process is down because I turned it off earlier.


Recover Weblogic server admin password (on Linux)


On a virtual machine where I installed Oracle Identity Federation, I found that I could not remember what I had set the WebLogic Server (WLS) password to. I needed a way to recover this password so that I would not have to reinstall WLS. This isn’t the first time I have forgotten the password to start and log in to WLS … I needed to find a reusable solution that would give me the password quickly. I found Kenneth Xu’s blog (“Program It”), where he describes a solution in great detail. Kenneth’s solution was geared towards Windows … I needed a solution for Linux (fortunately, only very minor changes were required). In other words … I borrowed heavily from: http://kennethxu.blogspot.com/2006/04/how-to-recover-weblogic-admin-password.html

Update (12/15/12): It’s important to note that this recovery process is dependent on the instance having the username and password in a boot.properties file. For those of you that are entering the username and password on the command line at startup time … this probably won’t help you. Also, if you get a Java NPE when running this code … come back to the Java that you wrote and check the value of the BPF variable. Make sure that it points to an actual boot.properties file that has the WebLogic username and password.

Step 1:  On the Linux server (I am logged in as Oracle) create a development directory

I created one called: /home/oracle/deve

Step 2:  Create a file called:  RecoverPassword.java and then copy in the following code

import weblogic.security.internal.BootProperties;

public class RecoverPassword {
    public static void main(String[] args) {
        // Path to the boot.properties file that holds the WebLogic username and password
        String BPF =
            "/opt2/oracle/Middleware/user_projects/domains/IDMDomain/servers/wls_oif1/data/nodemanager/boot.properties";
        BootProperties.load(BPF, false);
        BootProperties bootp = BootProperties.getBootProperties();
        // Prints the stored values as [username/password] between the hash marks
        System.out.println(
            "##############################[" + bootp.getOneClient() +
            "/" + bootp.getTwoClient() + "]#############################");
    }
}

Step 3:  Compile:

javac -classpath /opt2/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar RecoverPassword.java

Step 4:  Copy WLS Startup File to development directory

cp /opt2/oracle/Middleware/user_projects/domains/IDMDomain/bin/startWebLogic.sh .

** Make sure to include the period at the end of the line. It means copy “here”, that is, into the directory you are currently in.

Step 5: Rename to: recoverPassword.sh

Step 6:  Edit recoverPassword.sh

${JAVA_HOME}/bin/java ${JAVA_VM} -version   # this is an existing line
### Custom Code inserted to Recover Password ###
CLASSPATH=/home/oracle/deve/:$CLASSPATH; export CLASSPATH
echo $CLASSPATH
SERVER_CLASS=RecoverPassword; export SERVER_CLASS
doExitFlag=false; export doExitFlag
if [ "${WLS_REDIRECT_LOG}" = "" ] ; then   # this is an existing line

Step 7:  Change to the domain home directory

cd /opt2/oracle/Middleware/user_projects/domains/IDMDomain/

Step 8:  Run the recoverPassword.sh script

/home/oracle/deve/recoverPassword.sh

Output will look like:

ware/Oracle_IDM1 -Xms512m -Xmx1024m -Xss512K -Djava.net.preferIPv6Addresses=true -DuseIPv6Address=true -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.management.discover=false -Djava.net.preferIPv6Addresses=true -Dweblogic.management.discover=true  -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/opt2/oracle/Middleware/patch_wls1032/profiles/default/sysext_manifest_classpath

RecoverPassword

##############################[weblogic/Passw0rd1]#############################

The password is displayed on the line with the hashmarks.
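Because this procedure prints the admin password from any boot.properties file the current user can read, it is worth checking who else can read those files. The shell function below is an added example, not part of the original post or of Kenneth Xu’s solution; it assumes a POSIX shell with find and grep, and that encrypted values carry the {AES} or {3DES} prefix that WebLogic writes when it encrypts boot.properties.

```shell
#!/bin/sh
# Added example (not from the original post): audit every boot.properties
# file under a WebLogic domain directory.
#
# Usage: audit_boot_properties DOMAIN_HOME
# Prints one line per finding, "<FINDING> <path>", and nothing when clean.
audit_boot_properties() {
    find "$1" -type f -name boot.properties | sort | while IFS= read -r f; do
        # Finding 1: any group/other permission bit is set, so an account
        # other than the owner can read (or replace) the stored credentials.
        loose=$(find "$f" \( -perm -040 -o -perm -020 -o -perm -010 \
                          -o -perm -004 -o -perm -002 -o -perm -001 \))
        if [ -n "$loose" ]; then
            echo "LOOSE_PERMS $f"
        fi
        # Finding 2: a username= or password= line whose value does not start
        # with {AES...} or {3DES}, i.e. the credential is still in cleartext.
        if grep -E '^(username|password)=' "$f" |
           grep -Evq '^(username|password)=\{(AES|3DES)[0-9]*\}'; then
            echo "PLAINTEXT $f"
        fi
    done
}

# Example call, using the domain path from the post:
# audit_boot_properties /opt2/oracle/Middleware/user_projects/domains/IDMDomain
```

A file that passes both checks can still be decrypted by its owner with the procedure above, so the account that owns the domain files remains the one to protect.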