Wednesday, November 28, 2012

Exception - Invalid key version - Kerberos with WebLogic

If you see the message below and feel like you've exhausted all options, try logging out of and back in to your Microsoft client machine. Simple fix for me.

#### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1354129635369>
#### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1354129635554>
#### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1354129635554> <   major: (11) : Failure unspecified at GSS-API level>
#### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1354129635555> <   minor: (-1) : Specified version of key is not available (44)>
#### <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1354129635556> com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
        at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:227)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
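Minor code 44 means the acceptor (WebLogic) was handed a service ticket encrypted under a key version (kvno) that its keytab does not contain; a fresh logon makes the Windows client obtain a new ticket under the kvno the KDC currently holds, which is why the logout/login above works. The other side of that check is the server's keytab. The following is an added example, not code from the original post: it reads the MIT keytab file format (version 0x0502) and reports principals whose keytab holds no key for the kvno the KDC is now issuing tickets under. The SPN, realm, enctype, key bytes and the "KDC says kvno 44" value are all constructed for the example.

```python
import struct
from datetime import datetime, timezone

# Added illustration; not code from the original post. Reads the MIT keytab
# file format (version 0x0502, all integers big-endian). Principal, realm,
# enctype and key bytes in SAMPLE_KEYTAB are constructed.


def _counted(buf, pos):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per keytab entry: principal, kvno, enctype, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted (hole) entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)   # the secret itself is never needed here
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit vno; overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "timestamp": datetime.fromtimestamp(timestamp, timezone.utc),
        })
    return entries


def missing_kvnos(entries, required):
    """required maps principal -> kvno that incoming service tickets are
    encrypted under (what the KDC currently holds). Returns the principals for
    which the keytab has no key of that kvno: the condition behind
    'Specified version of key is not available (44)'."""
    have = {}
    for e in entries:
        have.setdefault(e["principal"], set()).add(e["kvno"])
    return sorted(p for p, v in required.items() if v not in have.get(p, set()))


def _build_entry(principal, kvno, enctype, key, timestamp):
    """Encode one keytab entry; used only to construct the sample file below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SERVICE = "HTTP/idmdemo.mycompany.com@MYCOMPANY.COM"   # constructed SPN and realm
# Constructed keytab: one rc4-hmac (enctype 23) key at kvno 43 with dummy key bytes.
SAMPLE_KEYTAB = b"\x05\x02" + _build_entry(SERVICE, 43, 23, b"\x00" * 16, 1354129635)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"], e["timestamp"])
    # Simulate the KDC having moved the service account on to kvno 44.
    print("missing:", missing_kvnos(parse_keytab(SAMPLE_KEYTAB), {SERVICE: 44}))
```

On a real server, point `parse_keytab` at the keytab WebLogic's JAAS login module references and compare against the kvno the domain controller reports for the service account; if the keytab is behind (the account password was reset after the keytab was generated), the keytab must be regenerated, and if the keytab is ahead, clients presenting cached tickets need a fresh logon as described above.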

Monday, April 23, 2012

Oracle Schema Version Database Table

When the Repository Creation Utility (RCU) is used to create schemas for Oracle products (especially Fusion Middleware), very useful version information is recorded in the SCHEMA_VERSION_REGISTRY database table. This registry table holds the version of each schema installed by the RCU.

Here is a query I often use:

select COMP_NAME, OWNER, VERSION from schema_version_registry;

Friday, April 13, 2012

OIF 11g Federation Data Store

This blog post describes Oracle Identity Federation's (OIF) Federation Data Store of type LDAP and how NameID values and session IDs are used.
NOTE: Transient/One-Time NameID federations are NOT stored in the LDAP directory. The example below uses a Persistent NameID.

Assumptions
Fed Store Base: cn=myfed,dc=mycompany,dc=com
LDAP Directory: Oracle Internet Directory (OID)

I completed an SP-initiated federation and the orafed-nameid-value returned was id-hNALa-Rg3q-ttU-XtAgkvQX2wyY-

This value can be taken and used to query OID:

ldapsearch -h idmdemo.mycompany.com -p 389 -D "cn=orcladmin" -q -s sub -b cn=myfed,dc=mycompany,dc=com "orclFedNameValue=id-hNALa-Rg3q-ttU-XtAgkvQX2wyY-" "*"

cn=9dd073b781098b0604715a052b1bd9e2fca4d817,cn=4271ebcd87b93af798f186d788942accaa75e161,cn=myfed,dc=mycompany,dc=com
orclfednamenewvalue=id-cJcpuxFcLr9dvwH9ltUdjem70zo-
orclfednamenewqualifier=https://sso.mycompany.com:443/fed/idp
orclfednamenewformat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
orclfednamenewcreationtime=1332883593718
orclfednamevalue=id-hNALa-Rg3q-ttU-XtAgkvQX2wyY-
orclfedserverid=wls_oif1
orclfedownerguid=seth.malmberg
orclfedproviderid=https://idmdemo.yourcompany.com:7600/fed/sp
orclfedversion=SAML2.0
orclfedownerdescription=seth.malmberg
cn=9dd073b781098b0604715a052b1bd9e2fca4d817
orclfedfederationtype=1
objectclass=orclFedUserInfo
objectclass=top


Then use the entry's DN (the full cn=...,cn=myfed,dc=mycompany,dc=com value) as the fedid to query the database and find the correct value for the ORA_OSFS_SESSION cookie:

SQL> select sessionid, fedid from orafedactivespfed where fedid = 'cn=9dd073b781098b0604715a052b1bd9e2fca4d817,cn=4271ebcd87b93af798f186d788942accaa75e161,cn=myfed,dc=mycompany,dc=com';

id-Kx-zCDBWGBAsP2WOymcFufu6wOQ-
cn=9dd073b781098b0604715a052b1bd9e2fca4d817,cn=4271ebcd87b93af798f186d788942accaa75e161,cn=myfed,dc=mycompany,dc=com

Now we have the correct value for the Federation's ORA_OSFS_SESSION cookie.
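The two lookups above chain naturally: the NameID leads to a directory entry, and that entry's DN is the fedid key in the OIF database. The following is an added example and not code from the original post: it parses the attr=value listing that OID's ldapsearch printed above (reproduced here as a constructed string), converts the millisecond creation timestamp, and produces the second-step query with the DN passed as an Oracle bind variable rather than spliced into the SQL text, since the DN is data read back from the directory. Function names are the example's own.

```python
from datetime import datetime, timezone

# Added illustration, not code from the original post. SAMPLE_ENTRY is the
# ldapsearch output shown in the post, reproduced here as a constructed string.
SAMPLE_ENTRY = """\
cn=9dd073b781098b0604715a052b1bd9e2fca4d817,cn=4271ebcd87b93af798f186d788942accaa75e161,cn=myfed,dc=mycompany,dc=com
orclfednamenewvalue=id-cJcpuxFcLr9dvwH9ltUdjem70zo-
orclfednamenewqualifier=https://sso.mycompany.com:443/fed/idp
orclfednamenewformat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
orclfednamenewcreationtime=1332883593718
orclfednamevalue=id-hNALa-Rg3q-ttU-XtAgkvQX2wyY-
orclfedserverid=wls_oif1
orclfedownerguid=seth.malmberg
orclfedproviderid=https://idmdemo.yourcompany.com:7600/fed/sp
orclfedversion=SAML2.0
orclfedownerdescription=seth.malmberg
cn=9dd073b781098b0604715a052b1bd9e2fca4d817
orclfedfederationtype=1
objectclass=orclFedUserInfo
objectclass=top
"""


def parse_ldapsearch_entry(text):
    """Parse the attr=value lines OID's ldapsearch prints (no LDIF 'dn:' prefix).
    The first non-blank line is the entry DN; repeated attributes such as
    objectclass become multi-valued."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    dn, attrs = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition("=")   # split on the first '=' only
        if not sep:
            raise ValueError(f"unexpected line in ldapsearch output: {line!r}")
        attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def federation_summary(dn, attrs):
    """The fields an administrator checks when tracing a persistent federation."""
    created_ms = int(attrs["orclfednamenewcreationtime"][0])   # epoch milliseconds
    return {
        "fedid": dn,                       # the value orafedactivespfed.fedid stores
        "name_id": attrs["orclfednamevalue"][0],
        "name_id_format": attrs["orclfednamenewformat"][0],
        "owner": attrs["orclfedownerguid"][0],
        "provider_id": attrs["orclfedproviderid"][0],
        "created": datetime.fromtimestamp(created_ms / 1000, timezone.utc),
    }


def session_lookup(fedid):
    """Second step: the SQL from the post plus its bind parameters (Oracle
    ':name' syntax). The DN is directory data, so it is bound, never
    concatenated into the statement."""
    sql = "select sessionid, fedid from orafedactivespfed where fedid = :fedid"
    return sql, {"fedid": fedid}


if __name__ == "__main__":
    dn, attrs = parse_ldapsearch_entry(SAMPLE_ENTRY)
    for key, value in federation_summary(dn, attrs).items():
        print(f"{key}: {value}")
    sql, params = session_lookup(dn)
    print(sql, params)   # hand both to cursor.execute(sql, params) on a real connection
```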

Monday, April 2, 2012

Adding and Deleting Custom Plugins in OVD 11g

To add a custom plugin in OVD, Oracle Directory Services Manager (ODSM) must be used.

Navigate to the Advanced tab. Click the Libraries section. Click the Books icon (Upload New Library).

Navigate to the Plugin jar file and click Add.

Click the refresh icon in order to see your new plugin.

Any time you want to redeploy, simply click the Upload New Library icon and point to the updated jar file; the plugin will be replaced. OVD must be restarted for the new plugin to be used.

In order to delete the plugin you must manually delete the jar file from the $ORACLE_INSTANCE directory.

rm $ORACLE_INSTANCE/ovd/ovd1/MyCustomPlugin.jar

Wednesday, March 28, 2012

Viewing SAMLResponse from OIF

I recently came across the need to view the SAMLResponse from an Identity Provider when using HTTP POST.

I used this URL Decoder and BASE64 Decoder: http://ostermiller.org/calc/encode.html

With Oracle Identity Federation (OIF) 11g, I copied the POST parameters from the Response using Live HTTP Headers.


I copied all POST Parameters (mine began with SAMLResponse=) into the textbox in the above link.

I clicked Decode next to URL.

I then deleted 'samlResponse=' from the beginning of the text and everything after and including 'relayState=' at the end of the text.

I then clicked Decode next to BASE64.

Then I was able to see the SAML Response. NOTE: Some of the data may be encrypted depending on how you've configured your Identity Provider.
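The same decoding can be scripted so the manual trimming of the SAMLResponse= prefix and the RelayState= tail is not needed. The following is an added example, not code from the original post: it takes the raw HTTP-POST binding form body, URL-decodes it, isolates the SAMLResponse field, base64-decodes it, and reports the fields worth reading first (issuer, status, destination, NameID, and whether the assertion is encrypted, which is the case the post's note refers to). The sample Response and POST body are constructed; the hostnames reuse those from earlier posts and the Destination path is an assumption.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# Added illustration, not code from the original post. SAMPLE_XML, SAMPLE_POST
# and SAMPLE_XML_ENCRYPTED are constructed for the example.

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def extract_saml_response(post_body):
    """Return the SAML Response XML carried in an HTTP-POST binding form body.
    parse_qs does the URL-decoding and keeps SAMLResponse separate from
    RelayState, so nothing has to be trimmed by hand."""
    fields = urllib.parse.parse_qs(post_body, keep_blank_values=True)
    if "SAMLResponse" not in fields:
        raise ValueError("POST body carries no SAMLResponse field")
    return base64.b64decode(fields["SAMLResponse"][0], validate=True).decode("utf-8")


def summarize(xml_text):
    """Pull out the fields worth checking first when reading a Response.
    (When the XML comes from an untrusted party, parse it with defusedxml
    instead of the standard ElementTree.)"""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "status": status.get("Value") if status is not None else None,
        # An EncryptedAssertion child is what the post's note about encrypted data means:
        # the Subject is then not readable without the SP's decryption key.
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
    }


# Constructed plaintext Response; NameID value taken from the OIF post above.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-EXAMPLE-RESPONSE" '
    'Version="2.0" IssueInstant="2012-03-28T00:00:00Z" '
    'Destination="https://idmdemo.yourcompany.com:7600/fed/sp">'
    '<saml:Issuer>https://sso.mycompany.com:443/fed/idp</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="id-EXAMPLE-ASSERTION" Version="2.0" IssueInstant="2012-03-28T00:00:00Z">'
    '<saml:Issuer>https://sso.mycompany.com:443/fed/idp</saml:Issuer>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    'id-hNALa-Rg3q-ttU-XtAgkvQX2wyY-</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)

# Constructed variant with the assertion encrypted (content omitted).
SAMPLE_XML_ENCRYPTED = (
    SAMPLE_XML.split("<saml:Assertion")[0]
    + '<saml:EncryptedAssertion><xenc:EncryptedData '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>'
    '</samlp:Response>'
)

# Constructed form body as the browser would POST it to the SP.
SAMPLE_POST = urllib.parse.urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii"),
    "RelayState": "https://idmdemo.yourcompany.com:7600/app",
})

if __name__ == "__main__":
    for key, value in summarize(extract_saml_response(SAMPLE_POST)).items():
        print(f"{key}: {value}")
```

To use it on a real capture, paste the POST body copied from Live HTTP Headers (or the browser's network tool) into `extract_saml_response`; the function raises if the body has no SAMLResponse field, which is the usual sign that the request copied was the RelayState redirect rather than the Response POST.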