19.11.09

UCM WebService CheckinUniversal and Setting Target Folder

Oracle Universal Content Management (UCM) 10g has built-in SOAP interfaces to integrate with surrounding applications and tools.

For check-in purposes there is “CheckInUniversal” SOAP operation where you can check-in new documents into UCM. By default you can set all the main metadata but not folder information.

There is a way to set the target folder, if you needed to show the document in “traditional” file folder structure. For some reason the information how to do this seems to be a bit hard to find, that is why I publish this for wider audience (search engines should find).

There are two extra CustomDocMetaData properties you could use:

  • xCollectionName

  • xCollectionID

You specify one of the above properties. The end result is something like this:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:chec="http://www.stellent.com/CheckIn/">
<soapenv:Header/>
<soapenv:Body>
<chec:CheckInUniversal>
<chec:dDocName>OracleLogoSmall</chec:dDocName>
<chec:dDocTitle>Oracle logo</chec:dDocTitle>
<chec:dDocType>DOCUMENT</chec:dDocType>
<chec:dDocAuthor>weblogic</chec:dDocAuthor>
<chec:dSecurityGroup>WebCenter</chec:dSecurityGroup>
<chec:dDocAccount></chec:dDocAccount>
<chec:CustomDocMetaData>
<chec:property>
<chec:name>xComments</chec:name>
<chec:value>This is Oracle small logo</chec:value>
</chec:property>
<!--
<chec:property>
<chec:name>xCollectionID</chec:name>
<chec:value>31</chec:value>
</chec:property>
-->
<chec:property>
<chec:name>xCollectionName</chec:name>
<chec:value>/Contribution Folders/Logos/</chec:value>
</chec:property>
</chec:CustomDocMetaData>
<chec:primaryFile>
<chec:fileName>oracle_logo_small.gif</chec:fileName>
<chec:fileContent>R0lGODlhhQASAPcAAP////8AAP/o6P/29v/a2v8vL/+Tk/+Uk/8BAP/6+v/+/v8wL/8yMv8zM//3
9//8/P8sLP+4uP9vb//X1//p6f8zMv/09P/9/f9eXv/7+/8CAv/f3/8BAf/19f8FBP+ysv/4+P/y
8v81Nf+Qj/8wMP/Ly/+Pj/8EBP9ubv8XF//V1f+UlP8VFP+0tP8HB/8qKv+Bgf/n5/9iYv8WFf/P
z/82Nv82Nf8iIv/i4v8fH/+np//W1v+5uf9fXv+xsf8WFv+mpv/b2/8TE/8aGv/v7/+urv9HR//Y
2P/AwP84OP/Z2f+vr/9zcv/l5f9AQP8nJ/8lJP99ff9cXP8dHP87Ov+2tv+/vv+zs//Gxv9ZWP8m
Jv+env+Vlf8SEv9JSf88PP9oaP/d3f9VVf/r6/9EQ//Jyf+6uv+oqP+trf80M//Nzf/c3P9dXf/u
7v+qqv/T0/8pKf/s7P/x8f8REP+Xl//R0f8NDf/e3v/MzP+3t/93d/9xcf8/P//m5v9LS/8hIf94
ef+IiP9NTP9OTv+Ghv+kpP8FBf+Liv88O//t7f9kZP80NP/Dw/+iov8gIP8ICP8KCv8VFf+cnP9M
TP/k5P9lZf+wsP8xMf8uLv8DAv/z8/9rav/ExP8eHv/S0v/Kyv/q6v8PDv+rq/8oKP9TUv8REf+K
if8MC/9hYf8eHf/w8P8gH/+npv+Skv+gn/8GBf/Dwv8OD/9eXf+0s/8QD/8tLP/9/v+Wlf+YmP/z
9P9OTP+Eg//a2/91dP8YF/96ev/u7f/Z2v8yMf8IB/8SEf8rK//x8v/y8f/29f+mpf/19v9jY/+T
kv96ef8UE//X1v8qKf+5uP8PEP/5+f84N/8tLf8QEP+MjP+Ojf8CAf+pqf/w8f+Yl/+ys/+Pjv8i
If8DA/8cG/8fHv81NP+Ojv8xMP89Pf8KCf/f4P9CQf9CQv8nJv9paf/Ew//Mzf8GBv8HBv+goP9I
Sf/r6v9NTf9JSP8ODv9oZ/9fX/8PD/95ev+Rkf9QUP9SUf+bnP/CwiH5BAAAAAAALAAAAACFABIA
AAj/AAEIFLimygoDBw4YQIhQoQFRKgYO3LDQYUKFGA3c0oFEokeJahZi+UhSE5ItDBNWdLgCxJuF
bh6QnDkQz5KGGDMeuEbgQpF9EWQKlCOBwakASJMqTfpCzxqJbpZKVfpDkTGaAILcQBquDNZpzLxE
mrqUD4hASG8MwPoxgpQ/J8gmdVEHz7oAOWgININIrlw4Swb6CIDA71InwGZ2UES48CUBM5v0M5x0
CgUA3pCKcMBWYqMflJGiAdDiXioqagDc6aK0AAMGDSo0eD07zahXSWPNEvgBqR1MaV5XYCC7wWzQ
SAFlIHnG2lIYJJt4UVqKGuzisSuUKyTQBFIbnDsD/+BiJ+mJ4MaJy2YwSk8CAM+EFXiipkMSpBqk
tLAwoL///x3IIYYGSCURBgC9BVAMDf81OMAOIiA1hQUfgfICUo4IgVQnn3h0gSlJ+YJGCA76h8xA
3gVQQ3hsBTEHUo/s0UaJ/XVwgUAKTBBICQ8UgR8qFIoHABOEBRAFaUhBcARblhAYwAYfSVAkOZYc
FUA/QQr0hjgSuiMkACN8xyJWm/jmypceTYKUFgd+CYITSOkSQhVJTsCWFfAgxYlHJSSlTh8AyJAU
HRIVgpQLjKAZZgCbdbZBKEiB8UAClFZqaaUx3CgRLYTtoQCaAACB1DlrRINULTuwRWQAw2QJQAYX
Bv8QSYcAUAJJYRDgIJADyxQYApopgtfZYIXxAQYGyGLQA7Js9NCDLD2IwcNyEqUQQDb+gAoAFk6q
wEOSYXhyRQQ8kBtBBGb4IMM7hZExZhROViLRFklVAgIAidSDVBSaCrloo2zlEZpSOQDqkbUcEAoq
EhwUpkIESW5AwyJdzMCCxRcTk1QmsHwqUDsvBgBFDBJd4AdShnwAABFqBgDGvV8GO+ZMAiNQWGja
kGRtAHtoC2IAQ+AgcABKPnDHVmQZIopEyggyaiMAPCC11FiwFgAcFiigz5qXfbnoip1BjFQ6gEgg
AQpnn422BOwQkghJgyAFRQlobrAKUk4QQSfRdgL/QMEXSNnsQg7f4KOER7gkNUgv41DxxReImEOF
hkgxAUA3SXGjqGYzkxQC0lJoAoACpJdeer8f+YiUF1CKRwEbhHHABQBX1DmQHGzEFYAjQJBUhxZI
OeNJMoZ5YAY64SCVAh5eI0WNkGghtUwH2grkNFIVaENDEAR07333QaigjRFFktIGgrYPpEAzSXFg
AOoJ0JPUmYsF4IEHJ9zvgQtJFXDMChxASihg8I87fO+ASpjAAFqBlEu84YAQ7F4Z4JAUDLSAFxH0
XgI/ggMyKOUPJChAARYwQhIWgATQCFwAhLAk9PHNIxk4RCaSgoJfCQQNRZKHLQQyBknoAAhA0IEO
6FjhBikEEAHQKVNS5rCIBZhQhCJcQDWMIAA6IMUemCjhE58oQh+UwFqF4QAJuDjCEj5hBSQJBj8G
phQyjIQ36fMIF3KQFC9cZgc1QMoPvMKWbZAAKSxgRC5+wUb3YIONQPuVFSIUmk607iNEiIcYdGcY
I2wBFBJZAlKekCqSqGAGTKFEFpKyC4+x5QrgGFscHkADCeTDMFCgUASkwUa6CaQJJvijXzRgBbYM
gAICCKYwhylMVwkEBMGMA7VIEodgxgAHGZhHDIL5HiEBUwAUoFYCxkDMbp4vatzspjgh4xFVjFOY
XfNIQAAAOw==
</chec:fileContent>
</chec:primaryFile>
</chec:CheckInUniversal>
</soapenv:Body>
</soapenv:Envelope>


Word of Warning





I recognized some in some situations inconsitent behaviour (somebody might call it bug ;). Once you create a new virtual folder and try to check in documents into this folder using SOAP interface and xCollectionName, for some reason the documents end up not having the folder name. I recognized that once I called the check-in service first time with xCollectionID and then continued with xCollectionName, everything seemed to work ok.




This seems to have something to do with UCM interface folder data structures not being populated properly when a new folder is created. Bouncing the UCM server after creating the folder didn’t have any effect so the recommendation is to use xCollectionID at least once to enable using xCollectionName later.

25.10.09

ADF 11g on WebLogic (class not found errors)

 

Simple use case is here:

1. You want to create your first ADF portal or other ADF 11g based application.

 

2. You wanted to deploy it on your custom WebLogic 11g (10.3.1) domain, which you extended with Oracle JRF libraries.

 

3. On deployment time you would get something like this:

 

[09:31:02 PM] Deploying Application...
[09:31:06 PM] [Deployer:149193]Operation 'deploy' on application 'harriportalapp' has failed on 'AdminServer'
[09:31:06 PM] [Deployer:149034]An exception occurred for task [Deployer:149026]deploy application harriportalapp on AdminServer.: Failed to load webapp: 'HarriPortal-PortalViewController-context-root'.
[09:31:06 PM] Weblogic Server Exception: weblogic.application.ModuleException: Failed to load webapp: 'HarriPortal-PortalViewController-context-root'
[09:31:06 PM] Caused by: java.lang.ClassNotFoundException: javax.faces.webapp.FacesServlet
[09:31:06 PM]   See server logs or server console for more details.
[09:31:06 PM] weblogic.application.ModuleException: Failed to load webapp: 'HarriPortal-PortalViewController-context-root'
[09:31:06 PM] ####  Deployment incomplete.  ####
[09:31:06 PM] Deployment Failed

 

The problem might be in weblogic.xml file where you need to replace the

 

<library-ref>
  <library-name>adf.oracle.domain</library-name>
</library-ref>

with:

<library-ref>
  <library-name>adf.oracle.domain.webapp</library-name>
</library-ref>

 

Remember to deploy the ADF application from the application contect menu, not from project deployment menu.

15.9.09

XML DB: Forced XSD Schema deregistering

I played with OracleDB 11.1.0.7 XML DB and ended up in the situation where I couldn’t get my registered schema to disappear from Enterprise manager console.

Tried with all the options in the deletion mode, still the schema appears in the schema list and I get ORA-31000 errors while trying to delete the schema both from EM console and SQL*Plus:

SQL> exec DBMS_XMLSCHEMA.DELETESCHEMA('http://www.oracle.com/emp.xsd', DBMS_XMLS
CHEMA.DELETE_CASCADE_FORCE);
BEGIN DBMS_XMLSCHEMA.DELETESCHEMA('http://www.oracle.com/emp.xsd', DBMS_XMLSCHEM
A.DELETE_CASCADE_FORCE); END;

*
ERROR at line 1:
ORA-31000: Resource 'http://www.oracle.com/emp.xsd' is not an XDB schema
document
ORA-06512: at "XDB.DBMS_XMLSCHEMA_INT", line 106
ORA-06512: at "XDB.DBMS_XMLSCHEMA", line 102
ORA-06512: at line 1

Purging Schema

The solution for this is purging the schema. First of all, take a look at the registered schemas using SQL statement:

SQL> select schema_url from user_xml_schemas;

SCHEMA_URL
---------------------------------------------

http://www.oracle.com/emp.xsd

SQL>

select schema_id from user_xml_schemas;

SCHEMA_ID
--------------------------------
91429F33C64A4D60B16294C670DD86C7

Now, copy that schema ID as the parameter to PURGESCHEMA and execute following:

SQL> exec DBMS_XMLSCHEMA.PURGESCHEMA('91429F33C64A4D60B16294C670DD86C7');

PL/SQL procedure successfully completed.

After this you shouldn’t have that extra schema hanging in your schema list anymore.

11.9.09

SOA Suite 11g installation – How to start BAM and SOA servers the first time

 

After installing SOA Suite 11g there has been a few questions asked why SOA or BAM servers are not started up. After you start the Admin server from $ORACLE_HOME/user_projects/domains/soadomain –using startWebLogic.cmd, you will get the Admin server up with the built-in Enterprise Manager. When you login to the enterprise manager using http://hostname:port/em, you will see the status of other servers, like this:

image

Indication is that BAM server or SOA server are not started. You can try starting these servers from GUI (click on server and mouse right-click) if you have your node manager up and running. If you don’t, here are my steps to do this form command line (replace the “C:\product\FMW11G” with your installation directory and “soadomain” with your domain name) :

C:\product\FMW11G\user_projects\domains\soadomain\bin>startManagedWebLogic.cmd soa_server1

Enter username to boot WebLogic server: weblogic

Enter password to boot WebLogic server:

 

After this, the SOA server starts up and SOA server runtime files gets created under C:\product\FMW11G\user_projects\domains\soadomain\servers –directory.

To automate the startup, not having to enter username and password, you need to create file called boot.properties and place this under security directory. In my example the directory would be C:\product\FMW11G\user_projects\domains\soadomain\servers\soa_server1\security. You need to create this directory manually if you don’t have it.

Editing the boot.properties is familiar if you have dealt with WebLogic server:

username=weblogic
password=mypassword

Next time server is started up, it reads the credentials from boot.properties, encrypts them in this file and continues with startup process.

Above instructions apply to BAM server as well.

This should be the end result:

image

“Start all” script for Windows

Here is a sample Windows script to start all servers that belong to SOA Suite (defaults to being on SOA domain directory):

start "SOA Admin Server" startWebLogic.cmd
start "SOA Server" bin\startManagedWeblogic.cmd soa_server1
start "BAM Server" bin\startManagedWeblogic.cmd bam_server1

31.8.09

File name too long – Error on WebLogic Portal domain removal

Sometimes you need to recreate domain or just remove the domain for good. On Windows you might end up with situation where simple recursive WebLogic domain folder delete will cause “File Name too Long” errors and one or two files out of the domain directory cannot be deleted.

The reason for this is that the complete path (including sub-directories) is longer than 256 characters. The workaround is to reduce the names of the subdirectories one-by-one until you are able to delete the whole domain directory tree. You can start with “rename AdminServer 1” etc. until you are able to remove.

23.4.09

ODI Public Web Services on WebLogic 10.3

 

For some reason trying to run ODI (Oracle Data Integrator) public web services on axis2 (1.2.1) container on top of WebLogic 10.3 seemed problematic. Axis2 WAR deployment was successful, but for some reason Axis2 refuses to upload/install the ODI web services AAR file. Nothing in the logs.

After cratching the head a while I figured out the way to get ODI public services installed on WebLogic 10.3. Here are the steps:

Step 1 (please adjust according to your env)

Copy €ODI_HOME/oracledi\tools\web_services\odi-public-ws.aar –file to the Web Logic Axis2 deployment directory:

C:\product\OSB103\osb_10.3\samples\domains\servicebus\servers\xbusServer\tmp\_WL_user\axis2\1sft87\war\WEB-INF\services>

Step 2: Edit services.list

Edit services.list, add:
odi-public-ws.aar

Step 3: Bounce the axis2 application

Stop the axis2 application and start. Now you should have the ODI public web services API available as Axis2 service.

26.3.09

Adding ODI Public Services to JDeveloper Service Explorer

Oracle Data Integrator 10.1.3.5 has now a simple (static) WSIL definition file that can be utilized in SOA development. How this should show up in practical SOA development, you should see the ODI public web service as a service in the "Service Explorer" window in JDeveloper.

This is what I want:

image

In order to get this working requires couple of manual/trivial configuration steps. First of all I assume that you have deployed the axis2 container to e.g. OracleAS or some other servlet/Java EE container. In my installation I've created a dedicated "odi" OC4J instance for ODI services. Axis2 shows up in my installation using http://localhost:8889/axis2.

Also assumed is that you use ODI 10.1.3.5 that has the required WSIL file. You could use also earlier versions of ODI, just by creating the WSIL file shown in this article.

Step 1: Copy OdiInvoke.wsil file from ODI to axis2 directory

The wanted file is located in $ODIHOME/oracledi/lib/OdiInvoke.wsil. You should copy this file to axis2 web application directory.

In my installation I copied it under this kind of directory:

D:\product\10.1.3.1\soasuite\j2ee\odi\applications\axis2\axis2-1_2\axis2-web

In your installation you might use SOA suite's OC4J for deployment, in which case you should change the "j2ee\odi" part to "j2ee\home" or "j2ee\oc4j_soa".

Step 2: Fix the OdiInvoke.wsil

There is a small issue in the WSDL location that prevents the WSDL path working correctly under OC4J/axis2.

Edit OdiInvoke.wsil, change the WSDL location to match your axis2 deployment context.

<?xml version="1.0" encoding="UTF-8"?>
<inspection xmlns="http://schemas.xmlsoap.org/ws/2001/10/inspection/"
    xmlns:wsilwsdl="http://schemas.xmlsoap.org/ws/2001/10/inspection/wsdl/"
    xmlns:wsiluddi="http://schemas.xmlsoap.org/ws/2001/10/inspection/uddi/"
    xmlns:uddi="urn:uddi-org:api">
    <service>
        <abstract xml:lang="en-US">
            Oracle Data Integrator Public Web Services
        </abstract>
        <description referencedNamespace="http://schemas.xmlsoap.org/wsdl/"
            location="./services/OdiInvoke?wsdl">
            <wsilwsdl:reference endpointPresent="true">
                <wsilwsdl:referencedService xmlns:impl="xmlns.oracle.com/odi/OdiInvoke/">
                    impl:OdiInvoke</wsilwsdl:referencedService>
            </wsilwsdl:reference>
        </description>
    </service>
</inspection>

to

<?xml version="1.0" encoding="UTF-8"?>
<inspection xmlns="http://schemas.xmlsoap.org/ws/2001/10/inspection/"
    xmlns:wsilwsdl="http://schemas.xmlsoap.org/ws/2001/10/inspection/wsdl/"
    xmlns:wsiluddi="http://schemas.xmlsoap.org/ws/2001/10/inspection/uddi/"
    xmlns:uddi="urn:uddi-org:api">
    <service>
        <abstract xml:lang="en-US">
            Oracle Data Integrator Public Web Services
        </abstract>
        <description referencedNamespace="http://schemas.xmlsoap.org/wsdl/"
            location="/axis2/services/OdiInvoke?wsdl">
            <wsilwsdl:reference endpointPresent="true">
                <wsilwsdl:referencedService xmlns:impl="xmlns.oracle.com/odi/OdiInvoke/">
                    impl:OdiInvoke</wsilwsdl:referencedService>
            </wsilwsdl:reference>
        </description>
    </service>
</inspection>

Step 3: Configure JDeveloper 10.1.3.4 to show local WSIL registry

Edit

$JDEVHOME\integration\bpm\designer\config\serviceexplorer_plugin.xml

Uncomment:

<!-- Commenting WSIL as xmethods wsil is no more valid (accessible)
    <ExternalSource name="WSIL" class="oracle.tip.tools.ide.pm.datasources.wsil.WSILDataSourceContainer" enable="true">
    </ExternalSource>
-->

 

Step 4: Create inspection.wsil file for JDeveloper local WSIL registry

JDeveloper 10.1.3.4 no longer has inspection.wsil file shipped with it. You must create it manually to the same directory where serviceexplorer_plugin.xml is located.

Create file

$JDEVHOME\integration\bpm\designer\config\inspection.wsil

Contents of the file (please change the OdiInvoke.wsil URL to match your environment):

<?xml version="1.0"?>
<inspection xmlns="http://schemas.xmlsoap.org/ws/2001/10/inspection/"
            xmlns:wsilwsdl="http://schemas.xmlsoap.org/ws/2001/10/inspection/wsdl/">

<link referencedNamespace="http://schemas.xmlsoap.org/ws/2001/10/inspection/"
            location="http://localhost:8889/axis2/axis2-web/OdiInvoke.wsil">
        <abstract>Oracle Data Integrator Public Web Service</abstract>
</link>
</inspection>

Step 5: Restart JDeveloper 10.1.3.x and test

Now you should have everything ready for testing. Service Explorer should have a new folder called "Local Registry" and one subfolder called "Oracle Data Integrator Public Web Service" underneath it. The name of the folder can be changed just by editing the inspection.wsil file (created in step 4).

Now to use it, you could create a SOAP service in OESB or partner link in BPEL. Recommended way is to create a routing service to virtualize the ODI public web service details. My recommendation would be to create a well defined public routing WSDL with strongly typed payload, instead of generic ODI web service API.

Have fun!

28.1.09

Enabling Subversion on Oracle BPM Studio 10.3

Are you using Subversion and wanted to import your BPM Studio 10.3 project to Subversion repository for sharing amongst your project team?

Here are quick and dirty steps to setup subversion (SVN abbreviated) connection and importing the BPM Studio project into the version control.

Sharing BPM project

image

Click the context menu (mouse right click) on the main level of your BPM project.

 

image

Choose "Share Project..."

 

image

Choose SVN as versioning repository type.

 

image 

Enter the URL for the repository. In this example I used Windows based VisualSVN server with https protocol. You might want to point this to your repository URL or subfolder under it. Please note that you will have the possibility to define the BPM project folder later on (e.g. if you wanted to use the "trunk" -practice with subversion).

Depending on the security settings you might need to enter username / password for the repository.

 

image

Either let the wizard automatically use the BPM project name as folder name or define your own folder name (e.g. when using trunk's). In my sample I let the wizard derive the folder name from the BPM project name.

 

image

Ready to rock. Enter the comment for the folder name. Please note that at this point the wizard will not commit the resources to the repository. You will need to commit the files later. Press Finish.

 

image

Sharing the project...

 

image

The synchronization perspective view will show all the source code for the project. If you wanted to commit all the changes you can do it in the next step, after pressing "Yes".

 

image

If you pressed "Yes" you will get this perspective. You could commit the changes (your BPM project source code) from this Eclipse perspective, but in my tutorial I switch to BPM perspective and commit the changes directly there.

Switching to BPM Perspective

 

image

Look at Eclipse top right corner. To switch back to BPM Perspective, press the perspective Icon and choose Other...

 

image

Choose BPM (default) and you will get the BPM design view back.

 

image

From the log window you can see that only the project folder was created in the first phase.

 

Committing Changes

 

image

Now when you really want to commit all the BPM project source files to version control, you should choose the project context menu Team -> Commit...

 

image

Commit wizard will show you all the files that are changed since the original check out. Since this was the very first import, you will see all the BPM project files marked as changed. Enter a propert explanation for the project and just press Ok to commit the changes.

 

image

Status window to show the files being committed.

 

image

After the commit, you will see all the files committed in the log window.

 

image

(Optional) Looking at SVN repository you wout see the BPM project source files (this application is only available if you have access to server having the subversion repository).

 

image

If you made any change in the BPM project and chose Team -> Commit... the wizard will show all the files affected by your change. You should give a description of your change and press Ok to submit the changes to version control.

 

That's it, very basic introduction to subversion and Oracle BPM Studio 10.3.

20.1.09

Enforcing WebLogic 10.3 Admin Console to use Finnish HST Card Authentication

By default WebLogic admin console is deployed on the same port as other applications, non-encrypted HTTP traffic, and using username and password as authentication.

To give the highest level of security on the admin console here are some steps to take:

  1. Change the admin console from the standard port to SSL secured admin port
  2. Enable Two-Way Authentication so that only clients with valid digital certificate can access the admin console

In Finland, one of the easy ways to get official  client certificate is to use your HST smart card for authentication. To use that in your workstation, you need smart card reader and software for that. Software can be downloaded free from http://www.fineid.fi/ (Follow the link "Lataa kortinlukijaohjelmisto").

In this article I've tried to summarize steps to enable WebLogic 10.3 server two-way SSL setup with HST client certificate.

To summarize the steps:

  1. Create self signed server certificate and store if into custom keystore file
  2. Extract VRK's trusted CA certificates and import them to the custom keystore file
  3. Setup custom keystores (for server identity and trust keystore) in WebLogic server
  4. Create user that corresponds the HST card username. Assign Administrative group to the user.
  5. Change management port
  6. Change admin console authentication method from FORM to CLIENT-CERT
  7. Test

Please note that at some point you will get a browser error stating that the server certificate is not valid. This is because of using self-signed server certificates. If you used "official" server certificates e.g. from Verisign you wouldn't get these errors. When using self signed certificates, you just need to accept the error and import the certificate on browser keystore. This error would only happen the first time(s) accessing the site protected with https (SSL).

Warning: These instructions are experimental and you should make full backup of your environment before trying anything in here. DO NOT TRY THIS IN PRODUCTION BEFORE MAKING SURE IT WORKS IN DEVELOPMENT AND TESTING FIRST.

 

Extracting the Trusted CA Certificates from HST Card

You will need the trusted CA (certificate authority) public certificates later in WebLogic key storage to verify the client HST card certificates. If you don't have those trusted VRK (Väestörekisterikeskus) certificates yet, here is one way to get them:

1. Open up the smart card application (here mPollux as an example):

image

Navigate to "Luotetut varmenteet" and first choose "VRK Gov. Root CA":

image

Double click on the certificate and you will get this window:

image

Press Details -tab.

image

Press "Copy to file..."

image

Press next.

image

Choose Base-64 encoded X.509 (.CER)

Press Next.

image

Enter the name of the certificate file and press Next.

image

Press Finish.

image

After successful export, you should have an OK window.

 

Repeat the same for the "VRK Gov. CA for Citizen Qualified Certificates".

 

After these two steps, you should have files with names e.g. vrk_root.cer and vrk_citizen.cer in your chosen folder. These are base64 encoded text files.

 

Creating a Self Signed Custom Keystore for Two-way SSL

Now we create a custom keystore to store the identity of the WebLogic server certificate and also to include the VRK public certificates so that WebLogic can verify the HST card client certificate against them.

Here is an example (server certificate for 10 years = 3600 days):

keytool -genkey -dname "cn=localhost, ou=Oracle Finland, o=Oracle, c=FI" -alias localhost -keypass mypassword
    
-keystore D:\product\JDEV11\wlserver_10.3\server\lib\harri.jks -storepass mypassword -validity 3600

Above command (by the way, keytool is found from the Java binaries) creates a keystore file named "harri.jks". You can list the contents of the file with following command:

keytool -list -storepass mypassword -keystore harri.jks

 

Now, import the VRK trusted certificates next:

keytool -import -file D:\temp\vrk_root.cer -trustcacerts -alias VRK_ROOT -keystore harri.jks
keytool -import -file D:\temp\vrk_citizen.cer -trustcacerts -alias VRK_CITIZEN -keystore harri.jks

Now you should have the keystore ready for two-way authentication. Next step is to configure WebLogic server to use this keystore.

 

Setting up the custom keystores in WebLogic

Navigate to admin console: Home >Summary of Servers >DefaultServer

Choose Configuration tab and Keystores tab.

image

Choose "Custom Identity and Custom Trust" from the "Keystores" popup list.

Specify the exact path to the keystore you just created above, keystore type "jks" and enter the password for the keystore.

Press Save.

Press "SSL" tab.

image

Choose "Private Key Alias" as the same you used in earlier chapter "Creating a Self Signed Custom Keystore for Two-way SSL".

For example if you used:

keytool -genkey -dname "cn=localhost, ou=Oracle Finland, o=Oracle, c=FI" -alias localhost -keypass mypassword -keystore D:\product\JDEV11\wlserver_10.3\server\lib\harri.jks -storepass mypassword -validity 3600'

you should enter "localhost" as the alias here to mark the unique key to the server certificate.

 

Press the "Advanced" link.

image

Change "Two Way Client Cert Behaviour" to wanted value, like "Client Certs Requested But Not Enforced" or "Client Certs Requested And Enforced".

Press Save and reboot the WebLogic server.

 

What Is My HST Card Username?

To see your username in the Finnish Government ID card, you can do it e.g. by looking at the smart card reader application. In my example I am using mPollux software and I can launch the software by choosing the context menu from mPollux tray icon (yellow icon below):

image

image

Choose the first option to start the application.

From the "Lukijat ja kortit" -tab choose the card reader -> Käyttäjän varmenteet -> todentamis- ja salausvarmenne. Double-click on that item.

image 

You will see following window, where the "Issued to:" field will show the username you should write down for later use.

image

Create User and Assign Admin Privileges

Navigate to Security Realms page on admin console.

image

Press "myrealm" (or whatever you have in your server) link.

image

Press "New" to enter new user.

image

Enter the username that is stored in your HST card on "Name" field. You can set whatever password you like, but this is not used when enforcing client certificates. If you don't know the value to put on "Name" -field, please follow the chapter "What Is My HST Card Username?".

Assign the needed Groups to the user:

image

You would need at least "Administrators" group to enter the admin console application.

 

Change management port

To ensure security, you should change the admin console to use administration port (9002 or whichever you choose). This is done from Home -> DefaultDomain -> Configuration -> General.

image

After the port change, the URL is moved to this admin port right away.

Change Console Authentication Method

By default WebLogic admin console uses form based authentication (username / password). To enforce using client certification from the Finnish HST card you need to change console application slightly.

In this example I use JDeveloper 11.1 and the WebLogic that is shipped with it. On this installation, console application is found under:

D:\product\JDEV11\wlserver_10.3\server\lib\consoleapp

web.xml file is here

D:\product\JDEV11\wlserver_10.3\server\lib\consoleapp\webapp\WEB-INF\web.xml

 

Edit web.xml as follows. Comment out the FORM based authentication method and replace it with CLIENT-CERT method, like this:

  <login-config>
<!-- Commented out
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/LoginForm.jsp</form-login-page>
      <form-error-page>/login/LoginError.jsp</form-error-page>
    </form-login-config>
-->
        <auth-method>CLIENT-CERT</auth-method>
  </login-config>

You could also change the auth-method to value “CLIENT-CERT,FORM” to fall back to username / password authentication if client certificate authentication fails.

After the changes, restart WebLogic server.

 

FireFox / Mozilla Setup

If you used mPollux and FireFox or Mozilla, you need to setup the security device manually (this is done only once). You do this by choosing the Tools -> Options -> Advanced and pressing "Security Devices".

image

Press "Load" to choose to load a new security device.

image

Give it a name and choose file. With mPollux it looks something like:

image

If you needed to do this setup, just to make sure, exit the browser and startup again.

Test Run

Close all browser windows and remove the Finnish HST card from the card reader.

Enter the HST card into the smart card reader.

Open up a browser (IE, Mozilla, FireFox ...) and enter the console URL:

https://localhost:9002/console

 

You should now get the smart card PIN window. An example when using Fujitsu DigiSign software, is below:

image

When entering the PIN code, you are allowed to enter the console, if your username is assigned to Admin group:

image

15.1.09

New Extensions Available from JDeveloper Official Update Center

During the years I've developed few JDeveloper extensions for ESB, BAM, Python (migration from 10.1.2) and JDev Projects. These extensions are now available from the official third party extensions exchange listed here:

http://www.oracle.com/technology/products/jdev/101/update/exchange.xml

To install the extensions, you just need to choose Help -> Check for updates and all the available extensions are listed for installation.