Tuesday, September 18, 2018

PingAccess Windows service will not start


Once PingAccess is installed and configured as a Windows service, the service may fail to start.

The most common cause is the JAVA_HOME environment variable.

Check whether JAVA_HOME is set at the SYSTEM level, not just at the USER level, and set it there if it is not already. It may be necessary to restart the Windows server to pick up the system variable change.

Then try starting the service again.


Thursday, September 13, 2018

OIM 12C - Design Console alert

The screenshot below shows the new and updated alert in OIM 12c:


Monday, September 10, 2018

How to enable HTTPS / SSL in Tomcat with self signed certificate

The steps below were tested with Tomcat 9.0.11 on both Windows and Linux machines.

Open a command prompt/terminal and execute the keytool command below to create a new keystore with a self-signed certificate, replacing the alias and keystore values (keytool lives in JAVA_HOME/bin; on Windows it is keytool.exe):

    keytool -genkey -alias <<certaliasname>> -keyalg RSA -keystore <<location to save keystore>>\<<keystorename>>

Provide the details of the certificate as it asks questions.

Open the server.xml file from the <<TOMCAT_HOME>>/conf/ location and add the text below, replacing the keystoreFile and keystorePass values:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="<<path to keystore file>>"
               keystorePass="<<keystore password>>" />

Then restart the Tomcat server and access https://<<hostname>>:8443
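As an added check that is not part of the original post: a Python script that connects to the new connector, refuses anything below TLS 1.2, and compares the certificate's SHA-256 fingerprint with the one `keytool -list -v` prints for the keystore, which is how a client can trust a self-signed certificate without a CA. The host, port and fingerprint arguments are assumptions for your own environment.

```python
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, formatted the way `keytool -list -v` prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fingerprints_equal(a: str, b: str) -> bool:
    """Compare two fingerprints ignoring case and colon/space separators."""
    def clean(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return clean(a) == clean(b)


def check_https_connector(host: str, port: int = 8443, expected_fingerprint: str = "") -> dict:
    """Connect to the Tomcat HTTPS connector and report what it presents.

    A self-signed certificate has no CA to chain to, so CA verification is switched
    off and trust comes from pinning the fingerprint that keytool printed when the
    keystore was created. minimum_version refuses anything below TLS 1.2, which
    exposes a connector that still negotiates older protocol versions.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # the CN/SAN of a self-signed cert is unverified
    ctx.verify_mode = ssl.CERT_NONE       # no CA chain exists for a self-signed cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            fp = sha256_fingerprint(tls.getpeercert(binary_form=True))
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "sha256": fp,
                "pinned": bool(expected_fingerprint) and fingerprints_equal(fp, expected_fingerprint),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed host
    pin = sys.argv[2] if len(sys.argv) > 2 else ""  # SHA256 line from keytool -list -v
    print(check_https_connector(target, 8443, pin))
```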


Thursday, September 6, 2018

The process cannot access the file because it is being used by another process (Exception from HRESULT: 0x80070020)

Issue:- At times you may notice that one or more Web sites are not started in IIS 7.0. If you try to manually start the Web site, it may fail with the following error message:

Internet Information Services (IIS) Manager - The process cannot access the file because it is being used by another process.
(Exception from HRESULT: 0x80070020)

Environment:- Windows 2012 R2 server

Error Cause:- The error code 0x80070020 translates to ERROR_SHARING_VIOLATION (The process cannot access the file because it is being used by another process.)

This issue may occur if TCP port 80 and/or 443 is grabbed by a different service.

Solution:- First check what is listening on ports 80 and 443. Open a command prompt and enter the following commands:

    netstat -ano | find ":80"
    netstat -aon | find ":443"

In this case process ID 4228 was listening on port 80. To check what this process is, open Task Manager and locate that PID (note that you may need to select View -> Select Columns -> PID first).

  1. It turns out a developer had installed Apache, which was listening on port 80 and causing a conflict. To resolve the conflict, change one service to run on a different port or uninstall the unnecessary web server.
  2. Alternatively, in Task Manager select the httpd.exe process listening on port 80 and end the process.

Now you can start and stop the IIS website.
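As an added example, not part of the original post: a small Python script that parses netstat -ano output and reports the PID owning a LISTENING socket on exactly port 80 or 443. Unlike `find ":80"`, it does not also match :8080 or :8000. The sample output is constructed; PID 4228 mirrors the Apache case above.

```python
import re
import subprocess
from collections import defaultdict

# One data line of "netstat -ano": proto, local, foreign, [state], PID (UDP rows have no State column).
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def local_port(addr: str) -> int:
    """Port from '0.0.0.0:80' or '[::]:443'; rsplit keeps IPv6 addresses intact."""
    return int(addr.rsplit(":", 1)[1])


def listeners(netstat_output: str, ports=(80, 443)) -> dict:
    """Map each port in `ports` to the PIDs holding a TCP LISTENING socket on it.

    The port is compared exactly, so unlike `find ":80"` this never reports a
    process that only listens on :8080 or :8000.
    """
    found = defaultdict(set)
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m["proto"] != "TCP" or m["state"] != "LISTENING":
            continue
        port = local_port(m["local"])
        if port in ports:
            found[port].add(int(m["pid"]))
    return dict(found)


def live_listeners(ports=(80, 443)) -> dict:
    """Run netstat -ano on this Windows host and parse its output."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return listeners(out, ports)


# Constructed sample shaped like netstat -ano output on Windows. PID 4228 stands in
# for the developer's httpd.exe from the post; PID 4 is the System process (HTTP.sys).
SAMPLE = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4228
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2368
  TCP    [::]:80                [::]:0                 LISTENING       4228
  UDP    0.0.0.0:500            *:*                                    1024
"""

if __name__ == "__main__":
    for port, pids in sorted(listeners(SAMPLE).items()):
        print(f"port {port} is held by PID(s) {sorted(pids)}")
```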


Keytool & OpenSSL handy commands

OpenSSL command to extract SSL host certificate

openssl s_client -servername <<servername>> -connect <<servername>>:<<portnumber>>

Java Keytool Commands for Creating and Importing

  • Generate a Java keystore and key pair
    keytool -genkey -alias mydomain -keyalg RSA -keystore keystorename.jks -keysize 2048
  • Generate a certificate signing request for an existing Java keystore
    keytool -certreq -alias domainname -keystore keystore.jks -file domainname.csr
  • Import a root or intermediate CA certificate to an existing Java keystore
    keytool -import -trustcacerts -alias root -file serverchain1.crt -keystore keystore.jks
  • Import a signed primary certificate to an existing Java keystore
    keytool -import -trustcacerts -alias mydomainname -file mydomainname.crt -keystore keystore.jks
  • Generate a self-signed certificate in a new keystore (valid for 360 days)
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

  • Check a stand-alone certificate
    keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java keystore
    keytool -list -v -keystore keystore.jks
  • Check a particular keystore entry using an alias
    keytool -list -v -keystore keystore.jks -alias mydomain
  • Delete a certificate from a Java Keytool keystore
    keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java keystore password
    keytool -storepasswd -new new_storepass -keystore keystore.jks
  • Export a certificate from a keystore
    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
  • List Trusted CA Certs
    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Import New CA into Trusted Certs
    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Tuesday, August 28, 2018

Oracle Access Manager 12c useful docs

OAM 12c installation & configuration instructions

IAM infrastructure(weblogic) installation:


OAM 12c configuration steps:


Configure OUD as directory server for OAM 12c:


Install & Configure OHS 12c:


Configure OHS 12c OAM webgate:


Protect application deployed in Weblogic using OAM 12c:


Siva Pokuri.

Thursday, August 16, 2018

OAM 11g IDP SAML Federation authorization policies

This post describes how to enable and configure authorization policies for federated applications with OAM 11g as the Identity Provider.

Note: Tested with an application integrated with OAM 11g R2 PS2 as IDP, and I think this article still applies to later versions also.

By default, Federation Authorization is disabled. Execute the steps below to enable federation authorization using WLST commands.

  • Enter the WLST environment by executing
  • Connect to the WLS Admin server
  • Navigate to the Domain Runtime
  • Execute the configureFedSSOAuthz() command
    • To enable authorization:
    • To disable authorization:
  • Exit the WLST environment:

Authorization policies can be configured to allow or deny individual accounts, groups, or a combination of both groups and individual accounts from the OAM 11g backend LDAP server.

Steps to configure Token Issuance policy

  • Go to the OAM Administration Console: https://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click on IAM Suite in the list of results
  • Click on the Token Issuance Policies tab
  • Click “Create Token Issuance Policy”
  • Enter a name (Example: AdministratorsOnlyPolicy)
  • Click on Conditions tab
  • Click Add to add a constraint for the AdministratorsOnly group
  • Enter the details of the constraints:
    • Name: example AdministratorsGroup
    • Type: Token Requestor Identity
    Note: If you would like to allow all users with valid credentials to log in to the application, just select "True" in the condition type drop down and click the "Add Selected" button.
  • Click Add Selected
  • Select the newly created constraint to configure it
    • In the conditions details, click Add and select Add Identities
    • Select the Identity Store and enter Administrators group name
    • Click search
    • Select the AdministratorsOnly Group
  • Click Add Selected
  • Click on the Rules tab
  • In the Allow Rule section, select the AdministratorsGroup condition and add it to the Selected Conditions, since we want to allow users belonging to the Administrators group to do Federation SSO with the partners listed in this policy
  • Click Apply
Execute the following steps to create a new resource and add it to the AdministratorsOnlyPolicy Token Issuance Policy:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click on IAM Suite in the list of results
  • Click on the Resources tab
  • Click on New Resource and create a new resource for the Token Issuance Policy:
    • Type: TokenServiceRP
    • Resource URL, name of the SP Partner as it was created in the Federation Admin section: Example: XYZAppAdmin
    • Operations: all
    • Token Issuance Policy: AdministratorsOnlyPolicy
    • Apply

Expect the "User is not authorized to perform Federation SSO" SAML status message in the IDP SAML response when any user who is not a member of the Admin group tries to log in.

Happy SSO'ing

Siva Pokuri

Wednesday, July 18, 2018

Enable TLS 1.1 & TLS 1.2 in Java JDK

Starting from Java JDK 1.8.XX versions, TLS 1.1 & TLS 1.2 are enabled by default.

But if you are on a JDK 1.7.XX version you will have to enable them explicitly.

How do you do it? One way is to enable them from the Java Control Panel console.

On Windows, navigate to the JAVA_HOME\jre\bin folder and execute javacpl.exe from a command prompt.

On Linux, navigate to the JAVA_HOME/jre/bin folder and execute ./ControlPanel from a terminal.

This renders the Java Control Panel console. Click on the Advanced tab and scroll down to the Advanced Security Settings section.

Select the check boxes associated with "Use TLS 1.1" & "Use TLS 1.2", then click Apply and OK.

Siva Pokuri.

Friday, June 29, 2018

Weblogic Stuck threads

One way to check whether you have stuck threads is through the WebLogic Admin console.

  1. Log in to the WebLogic admin console with admin credentials.
  2. Expand Environment and click on Servers in the left menu.
  3. Click on the Admin server or any managed server you want to check for stuck threads.
  4. Click on the Monitoring tab in the server properties.
  5. Click on the Threads tab.
  6. Check the Health column in the Self-Tuning Thread Pool table. If it says OK there are no stuck threads.
  7. If the Health column value shows "Warning" there are stuck threads in the JVM.
  8. The next step is to find the root cause of the stuck threads. For that a JVM thread dump needs to be taken.
  9. There is a tool called jstack, available starting from JDK 1.6.
  10. Find out the process ID of the WebLogic server and execute the command "jstack <<PID>> > threaddump.log".
  11. The above command generates a threaddump.log file containing the JVM thread dump.
  12. Check the STUCK threads and fix the issue. It might be in application code or in a connection to external services.
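As an added example, not part of the original post: a Python parser that picks the [STUCK] threads out of the threaddump.log produced by jstack and groups them by their top stack frames, so a shared root cause stands out. The thread dump sample is constructed; the class names, thread ids and addresses in it are made up.

```python
import re
from collections import Counter

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)" ')
FRAME = re.compile(r"^\s+at (?P<frame>[^(]+)\(")


def parse_thread_dump(text: str) -> list:
    """Split jstack output into {'name', 'state', 'frames'} per thread; a block ends at a blank line."""
    threads, current = [], None
    for line in text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            current = {"name": header["name"], "state": None, "frames": []}
            threads.append(current)
        elif current is None or not line.strip():
            current = None
        elif line.strip().startswith("java.lang.Thread.State:"):
            current["state"] = line.split(":", 1)[1].split()[0]
        elif FRAME.match(line):
            current["frames"].append(FRAME.match(line)["frame"])
    return threads


def stuck_threads(text: str) -> list:
    """WebLogic renames a thread to '[STUCK] ExecuteThread: ...' once it exceeds the stuck-thread time."""
    return [t for t in parse_thread_dump(text) if t["name"].startswith("[STUCK]")]


def stuck_summary(text: str, depth: int = 3) -> Counter:
    """Count stuck threads by top frames: many threads in the same socket read point at one slow backend."""
    return Counter(" <- ".join(t["frames"][:depth]) for t in stuck_threads(text))


# Constructed sample in jstack format (names, tids and addresses are made up).
SAMPLE = """"[STUCK] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'" #41 daemon prio=1 os_prio=0 tid=0x00007f2a8c02d000 nid=0x2f1b runnable [0x00007f2a7a1e3000]
   java.lang.Thread.State: RUNNABLE
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat java.net.SocketInputStream.read(SocketInputStream.java:171)
\tat oracle.jdbc.driver.T4CSocketInputStreamWrapper.read(T4CSocketInputStreamWrapper.java:124)

"[STUCK] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'" #43 daemon prio=1 os_prio=0 tid=0x00007f2a8c031000 nid=0x2f1d runnable [0x00007f2a79fe1000]
   java.lang.Thread.State: RUNNABLE
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat java.net.SocketInputStream.read(SocketInputStream.java:171)
\tat oracle.jdbc.driver.T4CSocketInputStreamWrapper.read(T4CSocketInputStreamWrapper.java:124)

"[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'" #38 daemon prio=9 os_prio=0 tid=0x00007f2a8c010000 nid=0x2f18 waiting on condition [0x00007f2a7a5e7000]
   java.lang.Thread.State: TIMED_WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
\tat weblogic.work.ExecuteThread.waitForRequest(ExecuteThread.java:440)
"""

if __name__ == "__main__":
    for frames, count in stuck_summary(SAMPLE).most_common():
        print(f"{count} stuck thread(s) in: {frames}")
```

Run it against a real dump with `stuck_summary(open("threaddump.log").read())`.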
Happy debugging.

Siva Pokuri.

Wednesday, June 13, 2018

List Of Oracle Identity Manager 12C Connector

Oracle Identity Manager 12C Connector Downloads

The Oracle Identity Manager 12C connectors can be downloaded from the link below:


Below is the list of Oracle Identity Manager 12C connectors:


Sunday, June 10, 2018

Single Sign-On recommendations

It is increasingly challenging to manage multiple identities for an individual, and this is an operational overhead for organizations.
Implementing a Single Sign-On solution in an organization, to authenticate users and provide SSO for application access within the enterprise, reduces operational overhead and cost for the organization.
Traditionally there was header based Single Sign-On, and it is still lingering in the market. In the early 2000s SAML became the widely accepted mechanism for SSO requirements. Later in the game, in the late 2000s, when mobile applications and API based designs came into the picture, the OAuth authorization mechanism arrived.
The goal of each SSO mechanism is very simple: "one login to multiple applications". Well, it is definitely not as easy to enable SSO as that sounds.
When it comes to a recommendation on Single Sign-On for an enterprise application, I would suggest considering the list of choices below and taking a wise decision before implementing Single Sign-On.
Option 1: A legacy application with no capability to delegate authentication to an external authentication engine: use header based authentication. Note that this approach needs a code change in the application's authentication mechanism.
Option 2: An application that is capable of delegating authentication to a SAML Identity Provider (IDP): just go with SAML without further thought.
Option 3: Planning to develop a new application and studying authentication mechanisms during architecture: consider OpenID / OAuth (3-legged) as the primary option.
It is recommended to read and understand each Single Sign-On mechanism before going into the implementation phase.
Happy SSO'ing.

Friday, May 25, 2018

Header Based application SSO integration with Azure AD + Ping Access

Prerequisites for header based application SSO integration with Azure AD:

  • Azure AD with premium subscription
  • Ping Access
  • Azure AD Application connector

Configure Azure Application proxy

1.       Login to portal.azure.com with global admin credentials
2.       Download Application proxy connector from Azure
3.       Install Application proxy in on-premise Windows Server 2012 R2 or 2016

Configure Azure AD for application

1.       Navigate to Azure AD Connect and then Enterprise applications
2.       Click on New Application
3.       Select On-premises application from the options
4.       Fill the application form
a.       Name: <<Application Name>>
b.       Internal URL: <<Normally you provide the URL that takes you to the app's sign-in page when you're on the corporate network. For this scenario the connector needs to treat the PingAccess proxy as the front page of the app. Use this format: https://<host name of your PA server>:<port>. The port is 3000 by default, but you can configure it in PingAccess.>>
c.       External URL: <<Will be built automatically>>
d.       Pre-Authentication: <<Leave default>>
e.       Connector Group: <<leave default>>
f.        Backend application Timeout: <<leave default>>
g.       Headers: No
h.       Application Body: No
5.       Click on Add
6.       Select Assign user for testing in quick start menu of the application and add a user to application
7.       Click on App management and select Single sign-on
8.       Select Header-based sign-on from the drop down and click on Save
9.       Click on App registration and select the All Apps from the drop down
10.   Click on the application you just created
11.   Click on settings button on the top
12.   Click on Reply URLs
13.   Check and confirm that the application External URL built in Step 7 is present. If not, add it.
14.    Click on Required permissions section
15.   Select Add, For the API, choose Windows Azure Active Directory, then Select. For the permissions, choose Read and write all applications and Sign in and read user profile, then Select and Done.
16.   Grant permissions before you close the permissions screen.
17.   Click on the Properties section and save Application ID value. This is used for the client ID when you configure PingAccess.
18.   On the app settings blade, select Keys.
19.   Create a key by entering a key description and choosing an expiration date from the drop-down menu.
20.   Select Save. A GUID appears in the Value field. Save this value now, as you won’t be able to see it again after you close this window.
21.   Close the App registrations blade or scroll all the way to the left to return to the Azure Active Directory menu.
22.   Select Properties.
23.   Save the Directory ID GUID.

Ping Access Configuration as a token provider

1.       Navigate to Settings → System → Token Provider.
2.       In the Issuer field, enter the Microsoft Azure AD Directory ID. To obtain the Directory ID from Azure AD, in the Azure AD directory, navigate to Manage → Properties and copy the Directory ID value.
3.       Provide a Description of the token provider.
4.       In the Trusted Certificate Group list, select Java Trust Store or Trust Any.
5.       Click Save.
Ping Access Configuration for application
Note: Assuming you have installed Ping Access and can access the Administrative console.
1.       Creating virtual host
a.       Navigate to Settings → Access → Virtual Hosts.
b.       Click Add Virtual Host.
c.       In the Host field, enter the FQDN portion of the Azure AD External URL. For example, external URLs of https://app-sivapokuri.msappproxy.net/ and https://app-sivapokuri.msappproxy.net/Welcome.html will both demand a Host entry of app-sivapokuri.msappproxy.net.
d.       In the Port field, enter 443.
e.       Click Save.
2.       Creating web session
a.       Navigate to Settings → Access → Web Sessions.
b.       Click Add Web Session.
c.       Provide a Name for the web session.
d.       Select the Cookie Type, either Signed JWT or Encrypted JWT.
e.       Provide a unique value for the Audience.
f.        In the Client ID field, enter the Azure AD Application ID.
g.       In the Client Secret field, enter the Key you generated for the application in Azure AD.
h.       Click Save.
3.       Create identity mapping
a.       Navigate to Settings → Access → Identity Mappings.
b.       Click Add Identity Mapping.
c.       Specify a Name.
d.       Select the identity mapping Type of Header Identity Mapping.
e.       In the Attribute Mapping table, specify the required mappings. Example: family_name, given_name
f.        Click Save.

4.       Create a site
a.       Navigate to Main → Sites → Sites.
b.       Click Add Site.
c.       Specify a Name for the site.
d.       Enter the site Target. The target is the hostname:port pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at https://mysite:9999/AppName will have a target value of mysite:9999
e.       Indicate whether or not the target is expecting Secure connections.
f.        If the target is expecting secure connections, set the Trusted Certificate Group to Trust Any.
g.       Click Save.
5.       Create an application
a.       Navigate to Main → Applications.
b.       Click Add Application.
c.       Specify a Name for the application.
d.       Optionally, enter a Description for the application.
e.       Specify the Context Root for the application. For example, an application at https://mysite:9999/AppName will have a context root of /AppName. If the application is on the root of the server, you can set the context root as /. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example /Apps/MyApp.
f.        Select the Virtual Host you created.
g.       Select the Web Session you created.
h.       Select the Site you created that contains the application.
i.         Select the Identity Mapping you created.
j.         Select Enabled to enable the site when you save.
k.       Click Save.
Now, access your application URL using external URL generated in Azure AD portal for your application.