Saturday, December 3, 2016

Oracle API Gateway: Failed to connect admin node manager in policy studio

I was trying to connect to admin server but getting invalid credential every time.


I tried by resetting the admin password to "changeme" and then after connecting admin node manager again change your password.

  • Stop all the servers.
  • Go to OAG/apigateway/conf/ directory and open adminUsers.json.
  • look for following in file
       "adminUserCredentials" : {
                 "user-1" : {
                    "passwordHistory" : [                           "$/8Ior+VsgFNBS2TUQNEljw==$RUAJebwyScFlFDowiIb1UaD1mjCADwb8W5OuEnEPAF0=" ],
                              "passwordTimestamp" : 1480673759834

  • change the passwordHistory value to $YnvZfrp5j1q3xJPhPuUL5w==$DcnmqeXQO8T/TmRa2kPyYSJbf8DD/JUg3v3i6xF0HQk (this is a encrypted password i.e. changeme)
  • now restart the server
  • try to connect admin node manager in policy studio.

  • Oracle support document - Doc ID 2056193.1

Sunday, October 16, 2016

Oracle API Gateway: Docker image for OAG

I was working on the Docker which is used to create virtual machines based on container. As per docker documentation Docker is still maturing for the production type environment but it can be used for development and other non-prod environments.

you can get the docker file from github location :

Build Docker Image

docker build -t oracle/oag: -f ./DockerFile .

Run OAG Docker Image

--run docker image
docker run -d -p 9090:8090 --user=oracle -e "DISPLAY=localhost:0.0" --name=OAG --shm-size=2g -t oracle/oag:

--run oag nodemanager in docker container
docker exec -it OAG /u01/oracle/product/OAG- &

--run oag instance in docker container
docker exec -it OAG /u01/oracle/product/OAG- -n "Gateway1" -g "Group1" &

Oracle API Gateway : File based KPS collection in OAG

KPS stands for Key Property Store is a collection of data stored in table structure referenced by policies running on Oracle API Gateway instance. KPS data can be stored in three different ways:

  • Embedded Apache Cassandra database
  • Relational SQL Database
  • JSON File System.

In this blog post I am going to discuss about configuring kps using json file system and how to access these kps collection in OAG policies.


In my scenario, I have used kps as key-value pair to store the environment properties like hostname, port, URI etc. as shown below:

These values changes for different environments like prod or non-prod.

Steps to configure KPS 
  • Open oag policy studio -> right click on Key Property Stores and select Add KPS Collection
  • Create new kps collection with name "Settings"

  • Right click on Settings KPS collection and select Add Table
  • Create table with name "Properties" and create structure as below
  • deploy the configuration.

Edit the values of KPS
  • Open node manager console -> https://host:port/8090
  • Go to settings tab -> Key Property Stores as shown below
  • Select table and add new entry or you can edit the value of existing record. you can not edit the column marked as a primary key i.e. in this case you cannot edit the value of column key.
  • When you create the entry schema json file is automatically created at this location i.e. OAG- with file as settings_properties.json.
  • Now you can edit this file also to add or modify the values in kps.
  • you need to restart the oag instance to reflect the updated values.
Access kps collection in OAG policies

KPS data can be access in oag policies by using the selectors as below:

for example: to access value of OAMHOST the selector expression is as follows


Sunday, August 7, 2016

Oracle webcenter portal 12c: failure to authenticate the user weblogic

I was working on webcenter portal 12.2.1 and trying to enable the discussion and forum for the portal. After Installing and configuring the discussion server when I try to connect from the portal I was getting below error:

failure to authenticate the user weblogic, due to: Unexpected error occurred, due to : Client received SOAP Fault from server : SOAP must understand error. MustUnderstand headers:["{}Security"] are not understood.


This error comes because internally webcenter portal uses saml token to authenticate the services provided by the discussion server. And webservice security is not configured as part of post installation task.


You need to configure the saml message protection policy in webcenter as shown below:

  • Go to EM console => from left navigation, select discussions

  • Now select owc_discussions => click on OWCDiscussionsServiceAuthenticated

  • On this service attach this policy i.e. oracle/wss11_saml_token_with_message_protection_service_policy

  • Now go back to owc_discussions again and select OWCDiscussionsServicePublic and attach the policy oracle/wss11_message_protection_service_policy

  • Now go to the service configuration to edit the values of discussion server connection as below:

  • Edit discussion connection and select message protection policy as shown below

  • Orakey is an alias from the certificate you generated in keystore see next section below

Generate certificate in keystore

  • Go to EM console => select keystore as shown below:

  • Create a stripe name OWSM and create a keystore with a name keystore as shown below:

  • select keystore and click on manage and generate new keypair and give the alias name as orakey.

  • Restart all the servers and its done.

Oracle SOA 12c: Error while deploying soa composite using maven : error: javax/el/ELContext

Today I was working on the Build automation for Oracle SOA 12c and configure the maven and Hudson tool for Continuous Integration. After configuring the maven on my local machine , I tried to compile the soa project but I was getting the following error:

"you may getting el context error while building soa project"
i.e. java.lang.NoClassDefFoundError: javax/el/ELContext


This problem can be solved by adding EL context dependency in maven plugin

Go to oracle maven home repository folder i.e.


open the oracle-soa-plugin-12.2.1-0-0.pom in any editor and add the following dependency


save the file and try to compile the soa project again.

Wednesday, June 8, 2016

Weblogic 12c: start and stop script for starting weblogic admin and managed server

As in my previous blog post I share the concept of starting and stopping nodemanager. In this blog post I am going to show you how you can start and stop weblogic admin server and managed server using admin server connection.

Start scripts for admin server and managed server

Well the basic logic to start admin and managed server is as:

  • Start the admin server using ./ script stored at the domain directory.
  • check for the admin server status is running or not by using same way as did for nodemanager in this post. But here we check for the string "RUNNING"
  • After admin started we invoke to start all the managed server cluster (all the server in a cluster will automatically start).
Here is the script:

rm -rf  *_Server.out AdminServer.out


nohup ./ > AdminServer.out &


while [ "$AdminStatus" = "STOP" ]; do
                echo $tfile

                count=$(cat $tfile | grep "RUNNING" | wc -l)

echo "The value of count is ${count}"

                if [[ "$count" -gt 0 ]]; then
                        echo "AdminServer Started..."
nohup $WEBLOGIC_HOME/common/bin/ > OSB_Server.out &
                        nohup $WEBLOGIC_HOME/common/bin/ > SOA_Server.out &
                        nohup $WEBLOGIC_HOME/common/bin/ > WSM_Server.out &

                        rm -f $tfile
                        exit 0
                    echo "Waiting For AdminServer To Start..."
        sleep 5s

echo "Please check ${tfile} log file for more issues"
exit 1 

In the above scripts I am calling three more scripts which are used to start the managed server cluster.

Content of the script is as follow:

connect('weblogic', 'welcome1', 't3://adminhostname:port')



Content of the script is as follow:

connect('weblogic', 'Oracle123', 't3://adminhostname:port')



Content of the script is as follow:

connect('weblogic', 'Oracle123', 't3://adminhostname:port')



Note: you can start the server instead of start cluster, refer this documentation 

Stop scripts for admin and managed server

For stopping managed server scripts first connect to the nodemanager and use the nmkill() method to kill the managed server

nmConnect('weblogic', 'Oracle123', '', '5556', 'BPMDomain', '/u02/oracle/config/domains/BPMDomain','ssl')




so you have to kill each server because there is no such method available to stop the cluster.

After that stop the admin server using this script.

nohup sh /u01/oracle/config/domains/BPMDomain/bin/ &

Weblogic 12c: start and stop script for nodemanager

Recently I was working on the automated script to start and stop the nodemanager, AdminServer and all managed server (ESS, SOA, OSB, WSM) in a domain. So in this post I am going to share my work, it may be possible that these scripts may not be suited for your environment but yes It must give you a basic idea of how to start and stop nodemanager automatically.

Start scripts for nodemanager

Well the basic logic that I used to start the nodemanager is

  • check if nodemanager is running or not
  • start the nodemanager and take the output in a temporary file.
  • while the nodemanager is starting keep looking for the string "socket listener started on port" in a temporary file. 
  • if the matching string is found that means node manager is started and exit().
rm -rf nodemanage.*

status= ps -eaf | grep "weblogic.NodeManager" | grep -v grep| wc -l
echo $status
echo "Node Manager Directory: " $1

if [[ "$status" -eq 0 ]]; then
echo  $date " :Starting Weblogic NodeManager..."
echo $1
nohup $1 > $tfile 2>&1 &

echo  $date " :NodeManager is already RUNNING.."

if [ "$?" != 0 ]; then
echo "Command Failed To Execute Properly"
exit 1;

export a=0;
while [ $a -lt 10 ]; do
echo $tfile

count=$(cat $tfile | grep "socket listener started on port" | wc -l)

echo "The value of count is ${count}"                 

if [[ "$count" -gt 0 ]]; then
echo "NodeManager Started..."
rm -f $tfile
exit 0
echo "Waiting For NodeManager To Start..."
echo $a
sleep 5s
echo "Please check ${tfile} log file for more issues"
exit 1

Save the above script in .sh file e.g. Now to run this script you have to pass the location of the nodemanager i.e.

nohup ./ $DOMAIN_HOME/bin/ > nodemanage.out &

Stop script for nodemanager

To stop the nodemanager find the process id of nodemanager instance and kill that process id, here is the script below:

node1=$(ps -ef | grep weblogic.nodemanager | grep config=/u01 | awk '{printf $2}')

kill -9 $node1

Save the above code in the .sh file e.g. and execute the script as below:

nohup sh &

In the next post I am going to share the start and stop script for weblogic AdminServer and Managed server.

Thursday, June 2, 2016

Change default /tmp path to other alternate tmp path for middleware installation

Some times when you install middleware component like oracle soa, weblogic etc. then it requires some temp space to extract content and install on the location but there may be case your /tmp directory is full or not having write permissin etc. (in my case there was no space in the tmp directory) you middleware installation stops in between.


you can create a new directory as tmp only in some other location (/home/oracle/tmp) and map to the symbolic link of the directory /tmp (previously created).

Command : ln {source} {link}

i.e. ln -s /home/oracle/tml /tmp

Friday, May 13, 2016

Linux: SSH login without password

I was writing the custom shell scripts for starting and stopping the remote server and these scripts required to executed on the remote server itself using ssh. Now but everytime you run ssh command it ask for the password to avoid that I use the public key authentication without the pass phrase (well you should always use the pass phrase from the security perspective).

Steps to configure public key authentication

  • Create ssh public and private keys, i.e. run the command ssh-keygen -t rsa
  • Do not give the pass phrase if you do not want to enter password every time you do the ssh.
  • Add Keys to the server by using the command ssh-copy-id username@hostname
  • Enter the password for first time.
  • now connect the machine using ssh, you will directly connected to the machine without passing the password.

Wednesday, May 11, 2016

OER 12c: Configure oracle enterprise repository to browse and upload file from local system

I was working on the oracle enterprise repository 12.1.3, and trying to upload an asset in oer from my local machine. But in the submit asset window its only showing the file location url i.e. add a file by reference

Steps to configure file upload option

  • Open oer console i.e. http://<host>:<port>/oer in browser, login with admin user.
  • Go to Admin tab -> System Settings -> search for property cmee.server.paths.upload

  • set the location value to upload the file in submission upload directory i.e. /tmp/upload, as shown below

  • Save the setting and go to asset tab and try to create new asset. This time file upload option is visible.

Deployment Failed: XML-24500: (Error) Can not build schema '' located at ''.

Today I was deploying soa composite for oracle enterprise repository on soa server and getting the following exception:

Deploying on partition "default" of "/Domain_base_domain/base_domain/AdminServer" ...
Deploying on "/Domain_base_domain/base_domain/AdminServer" failed!
There was an error deploying the composite on AdminServer: Deployment Failed: Error occurred during deployment of component: TimedEventClass to service engine: implementation.spring for composite: OERWorkflows: SCA Engine deployment failure.: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 10 in XML document from URL [oramds:/deployed-composites/default/OERWorkflows_rev1.0/TimedEventClass.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 10; columnNumber: 834; <Line 10 Column 834>: XML-24500: (Error) Can not build schema '' located at ''.


This problem comes in oracle product version and on windows-7 64 bit system. It occurs due to the parameter -Doracle.xml.schema\Ignore_Duplicate_components=true has back slash in setDomainEnv.cmd file.


  1. Go to <DOMAIN_HOME>/bin/setDomainEnv.cmd
  2. Change -Doracle.xml.schema\Ignore_Duplicate_components=true to -Doracle.xml.schema/Ignore_Duplicate_components=true i.e. change back slash to forward slash.
  3. Restart the server.
Reference: check the oracle support document Doc ID 2092104.1

Saturday, March 19, 2016

Oracle API Gateway: How to rename ftp file name in OAG

I was working on a requirement in which I have to read a txt file from ftp directory and uploaded to the another ftp server, but the uploaded file name should be appended with the DateTime i,e suppose the file name is code_confuse_sheet.txt and then after uploading the name should change to code_confuse_sheet_20160319.txt
In this blog post I am going to show you how you can rename your ftp file name.

Note: I am not going to show end to end OAG policy and configuration, will show the code snippet and how to use it in your OAG policies.

Steps to rename ftp file name:

When you create FTP Poller listener then it reads the file from the ftp location and pass the file name in attribute ${}
  • First step is to save the file name in local attribute say ftpfilename. This you can done by using Set Attribute Filter as shown below

  • After that alter the value of this attribute i.e. ftpfilename. This can be done by using Scripting Language Filter and configure as below

function invoke(msg)         {          
var file = msg.get("ftpfilename");
java.lang.System.out.println("Filename is " + file);
var splitstr =  file.substring(0,file.indexOf("."));
java.lang.System.out.println("Filename is after split " + splitstr);
var newFile = splitstr +"_20160319" + ".txt" ;
Trace.debug("End of scripting");
java.lang.System.out.println("New File Name " +newFile );
java.lang.System.out.println("End of scripting");
msg.put("",newFile );
return true;

Note: here I have hard coded the value of date just to show how you can add new string, you just change according to your usecase.
  • Use the file upload filter to upload the file and pass the name of the file as ${}

  • Deploy and test the configurations.

Thursday, March 17, 2016

Oracle BPM 12c: how to change PAM repository path in oracle bpm

By default BPM tries to create a repository under the following path:


The following steps need to be performed to change the repository path
  • Login to 12c EM console.
  • Right click on soa-infra and go to Administration--> System MBean Browser.
  • Now click on the search icon and do an Attribute search for RespositotyPatch attribute.
  • The search results display a page showing the  BacNode MBean.
  • One can change the repository path by editing the RepositoryPath attribute on the BacNode Bean.

Oracle API Gateway: Configure Outbound one way ssl from OAG

In my previous post Oracle API Gateway: Configure Inbound one way ssl in OAG I showed you how to enable one way ssl in oracle application gateway for the inbound communication. In this blog post I am going to configure one way ssl certificate for outbound communication for example suppose you want to call a http service which is secured by SSL certificates.

Note: I don't have the ssl service so that I can show as an example but I will list down all the basic steps require to configure outbound ssl communication

Steps to configure outbound one way SSL in OAG:
  • Extract the Public Key cert
  • Import Certificate in OAG
  • Create Policy for SSL outbound connection in OAG
  • Create HTTP listener to consume this policy

Extract the Public Key cert
  • Go to Command Prompt or Putty --> run the command openssl s_client -connect HOSTNAME:PORT
  • The Key is printed on the screen, copy the key and save it to the file e.g. testcert.cer
Import Certificate in OAG
  • Go to Certificates and Keys --> certificates tab --> click on create/import
  • Click import to import the finacle certificate created above, and give some alias name e.g. testcert.cer

Create Policy for SSL outbound connection in OAG
  • Go to Policies --> Create container "Outbound" --> Add Policy "SSL"
  • Drag and drop Connect to URL filter, configure as below
  • Go to SSL Tab --> and select the finacle cert you have imported before like below
  • Click OK and Finish wizard
Create HTTP listener to consume this policy
  • Go to Listerners --> Oracle API Gateway --> Default Services --> Paths --> Add new Relative path and use the policy created above
  • Click OK and deploy all the configurations.

Known Issues:


hostname verification error


Hostname verification should be disable. If the issue persist try to make machine hostname and CN name in the certificate same.

Oracle API Gateway: Configure Inbound one way ssl in OAG

In production environment generally ssl interface is enable for safe and secure communication. In this blog post I am going to show you how to enable one way ssl interface in oracle api gateway.

Steps to enable SSL in OAG

  • Generate SSL certificate
  • Import Certificate in OAG
  • Configure Https Interface in OAG

Generate SSL certificate

You need openssl to create ssl certificate. you can download the openssl from here :

Please follow below blog post to configure ssl certificate

Import Certificate in OAG
  • Go to Certificates and Keys --> certificates tab --> click on create/import
  • Click import to import the CA certificate, and give some alias name e.g. IA Cert
  • Import the private key as well if key is provided separately otherwise it is automatically imported in step 2

Configure Https Interface in OAG
  • Go to Listeners --> Oracle API Gateway --> Default Services --> Ports --> Add new Https interface and configure as below
  • Don't forget to select the x.509 certificate that you have imported above.
  • Go to Advance SSL tab and uncheck the box shown below

  • Click ok and finish the wizard
Now HTTPS interface is enabled, and you can use it on any path.

Wednesday, March 16, 2016

Oracle API Gateway: Enable embedded JMS in OAG

I was working on one of the requirement in which we have to communicate third party application using JMS queues. We are using oracle application gateway as a inbound/outbound interface so all the communication done through OAG, so in this case we are using JMS configured on oracle application gateway. Well in this blog post I am not going to describe my usecase but I will describe the basic step required to enable JMS in oracle application gateway (OAG).


I am going to enable jms in OAG first. I will create two queues incoming and outgoing. OSB application put the data on to incoming queue then jms listener in oag listen this incoming queue and put the data on outgoing queue. Well I am just showing here how to create a api gateway policy for jms communication so I am not going to tell how to configure your osb application to put the data on incoming (I hope you all know how to configure that).

Steps require to enable JMS in OAG:

  • Enable Embedded Active MQ on OAG
  • Create JMS Service External Connection in OAG
  • Create Queue in OAG Embedded Active MQ
  • Create OAG outgoing policy
  • Create JMS listener in OAG
  • Configure Embedded Active MQ jms connection on osb server
  • Test application

Enable Embedded Active MQ on OAG
  • Open policystudio --> go to server setting --> Messaging --> Embedded Active MQ -> configure as below

  • Check the box Enable Embedded Active MQ Broker
  • Active MQ connection details.
    • Address - localhost
    • Port: 62626
    • username: weblogic
    • password: welcome1
  • Apply changes.

Create JMS Service External Connection in OAG

  • Expand External Connection --> JMS Service --> Add a JMS Service 
  • JMS service Connection Details
    • Name: Embedded OAG JMS Service
    • Provider url : tcp://localhost:62626
    • Initial Context Factory : org.apache.activemq.jndi.ActiveMQInitialContextFactory
    • Connection Factory : QueueConnectionFactory
    • Username : weblogic
    • Password : welcome1

  •   Click Ok. Deploy your configurations.
Create Queue in OAG Embedded Active MQ
  • open url : https://localhost:8090 in browser
  • Go to Messaging --> Queues --> Actions --> Create Queue
  • create two queues i.e. InQueue and OutQueue.

Create OAG outgoing policy
  • Under policies --> create a policy container name "JMS Policies"
  • Create policy i.e. "OAG Outgoing"
  • Drag and drop messaging system from the Routing menu (from right panel)
  • Configure as below:
  • Click Ok to create a policy.
Create JMS listener in OAG
  • In the left panel under Listeners --> right click on Oracle API Gateway --> Messaging --> JMS Session, select the jms session you have created before

  • Add JMS consumer inside this JMS listener.

  • Click ok and deploy.

Configure Embedded Active MQ jms connection on osb server

This step is not require if you are not using osb application to test, you can configure other applicatoin to put the data on the incoming queue so that OAG Policy will work. Well my configurations is like below: 

Test the application

Now test your application and check if you are getting the messages in outgoing queue as below : 

Oracle API Gateway: Binary file issue in file upload filter in OAG

I was working on the oracle api gateway policy and using the file upload filter to upload the file onto the  ftp server. But I was unable to upload the correct file i.e. whenever the binary file uploaded to the server it gets corrupted


As recommended by oracle that you should apply the patch SP4 and its working fine then.

the patch number is 22805555

Oracle API Gateway: Role based authorization using oracle XE database

Role based authorization enables you to restrict service access to authorized users based on their assigned roles or groups. In this blog post I am going to show you how authorization could be achieved in oracle api gateway without using any ldap server but using oracle xe database for storing the roles or groups and requested URI.


Suppose we have four services as follows
now we want to authorize these service based on roles or groups.

Steps to enable authorization in OAG:
  • Create users in OAG
  • Create Groups in OAG
  • Create table in database
  • Create database connection in OAG
  • Create a Group Authorization policy
  • Create Role Based Policies in OAG
  • Create Http Listener in OAG
  • Test the service in browser

Create Users in OAG

Lets create 5 user to demonstrate the role based authorization. Five user needed because 4 user for each services and 1 user is authorize to access all the service
  • Open Policystudio -> left navigation expand users and groups -> select users -> Add new user name that user user12c and password as welcome1

  • Similarly create 4 other user with name usersoa, userosb, userweblogic and useradmin with password as welcome1

Create Groups in OAG

 we create four groups for example

Critical - can access 12c service url
High - can access SOA service url
Medium - can access OSB service url
Low - can access weblogic service url

  • Go to groups tab -> add new group name as Low and assign user userweblogic and useradmin to this group

  • Simlarly create 3 more groups with name as Critical, High and Medium
    • Assign user usersoa and useradmin to group High
    • Assign user userosb and useradmin to group Medium
    • Assign user user12c and useradmin to group Critical

Create table in database

  • Open Sqlplus -> create a table name URI with two columns Groups and URL

  • Insert the following data into the table URI
    • insert into URI value ('Critical','/12c');
    • insert into URI value ('High','/soa');
    • insert into URI value ('Medium','/osb');
    • insert into URI value ('Low','/weblogic');
    • Commit ;

Create database connection in OAG

  • Go to External Connection --> Database connection --> Add a database connection

  • Click Ok and finish the wizard
Create a Group Authorization policy

This policy is common policy which authorize user to access the service based on roles and groups

  • Go to Policies --> Add policy --> give name Group Authorization policy
  • Drag and drop HTTP Basic filter, configure as below 
  • set http basic as set as start
  • Drag and drop Retrieve from or write to database, configure as below

SELECT * FROM uri where url = ${http.request.path}
  • Go to Advance tab. and configure as below
  • Click OK.
  • Drag and Drop Scripting Language, configure as below 

Here what is happening is the db query executed in the previous step retuns the a groups and url, this data stored in the user attribute list as groups and url and it can be access as user.groups or user.url. After extracting the value of groups then it passed to userGroup attribute which is use in the next step to check the group membership. The code snippet is below:

function invoke(msg)         {           

java.lang.System.out.println("Message is " + msg.get("attribute.lookup.list"));
var userGroup = msg.get("user.groups");

java.lang.System.out.println("user group is " + userGroup );

msg.put("", userGroup );

return true;       

  • Drag and drop Check Group Memebership, configure as below 
  • Finally connect all the filters and it looks like below

Create Role Based Policies in OAG

This policy is created for each service URI and it reuse the Group Authorization Policy created above and finally connect to the url.

  • Add container in Policies and name Role Based Policies
  • Create 4 Policies
    • 12c Policy
    • SOA Policy
    • OSB Policy
    • Weblogic Policy

  • one by one configure each policies. Open Google policy --> drag and drop policy shortcut and select the Group Authorization Policy
  • Drag and drop Connect to URL filter and configure as below
  • Finally connect all the filter and it looks like below

  • Similarly configure for other policies.

Create Http Listener in OAG

  • Go to Listeners --> Oracle API Gateway --> Default Services --> Paths --> Click Add and select Relative Path, configure as below

  • Click OK
  • Similarly create for other 3 service url's
Test the service in browser

Now if your api gateway is configure with http port as 8080, so to access the above services from the api gateway is
  • http://localhost:8080/12c
  • http://localhost:8080/soa
  • http://localhost:8080/osb
  • http://localhost:8080/weblogic

Run the above url and it will prompt for the username and password. Pass the username and password you have created above and check the authorization is working or not.