ORA-24247: network access denied by access control list (ACL) Demantra

When attempting to execute a new
ORA-29273: HTTP request failed
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_HTTP", line 1491
ORA-06512: at "DEMANTRA_INTG.AU_TRIGGERWORKFLOW", line 17
ORA-06512: at "DEMANTRA_INTG.XXDM_UPDATE_CONTAINER_DATA", line 228
ORA-06512: at "DEMANTRA_INTG.XXDM_BUILD_CONTAINER", line 344
ORA-06512: at line 1
Starting Demantra: Hardware. LOG. JAVA Compatibility ACL / SYS_GRANTS. SYNC WKS. Setup MAIL (Doc ID 1372253.1)
Here is an example of the Demantra installation directory where the SQL files are located:
C:\Program Files (x86)\Oracle Demantra 12.2.4.1\Demand Planner\Database Objects\Oracle Server\admin
SYS_GRANTS
SYS_GRANTS.SQL or ACL error

Have you seen this error in db_exception_log? This is how you can fix it:

29273 : ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1817

ORA-24247: network access denied by access control list (ACL)

SYS_GRANTS.sql performs the following:
– Adds EXECUTE privileges to access DBMS_CRYPTO (UPGRADE_PASSWORDS): Provides the highest level of user password encryption.

– Adds EXECUTE privileges to access DBMS_LOCK: Provides a SLEEP operation for improved concurrency.

– Adds EXECUTE privileges to access V_$PARAMETER so that Oracle Demantra can better adapt to your database configuration.

– (10g only) Adds GRANT privileges to access the package UTL_HTTP, which enables Oracle Demantra to send notification messages to the application server and engine.

– (11g only) Adds an ACL to enable HTTP communications for Oracle Demantra to send notification messages to the application server and engine.

Find it in Demantra_Folder\Demand Planner\Database Objects\Oracle Server\admin
or directly in the root of the Demantra installation package.


Please also verify that you have the correct URL data in sys_params:

SQL> select * from sys_params where lower(pname) like '%url%';

You need to run this script manually after installing or upgrading Demantra only if you did not specify a database user with full SYSDBA privileges when running the Installer.
1. Log in as SYS, with SYSDBA privileges:
2. C:\> cd DEMANTRA_INSTALL_DIRECTORY
3. C:\DEMANTRA_INSTALL_DIRECTORY> sqlplus SYS@SERVER as sysdba @sys_grants.sql DM_SCHEMA_USER ACL_for_WebServerURL ACL_for_EngineServerURL
Example execution:
C:\DEMANTRA_INSTALL_DIRECTORY> sqlplus SYS@SERVER as sysdba @sys_grants.sql DM_SCHEMA_USER '/sys/acls/demantra.xml' '/sys/acls/demantra.xml'
Or use the defaults: if you are not sure, the ACLs will be created if they do not exist, or updated, in /sys/acls/demantra.xml:
SQL> @sys_grants.sql DM_USER ACL_DEFAULT ACL_DEFAULT;
General Checks:
– select * from dba_network_acls;
– select * from dba_network_acl_privileges;
Check also in sys_params or Business Modeler:
– AppServerURL and
– EngineServerURL
– select * from sys_params where lower(pname) like '%url%';
Check:
– SQL> select * from DBA_tab_privs where grantee = 'DEMANTRA'; -- (dem schema)
If needed, as the SYSTEM user, add an entry for the APPS user against demantra.xml in the dba_network_acl_privileges table:
BEGIN
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('/sys/acls/demantra.xml', 'APPS', TRUE, 'connect');
  COMMIT;
END;
/
– Also check the entry for UTL_HTTP in the output of the query: select * from DBA_tab_privs where grantee = 'DEMANTRA';
Check:
For a failed-login problem in Collaborator Workbench, check whether sys_grants needs to be applied again:
1. SQL> select distinct encryption_type from user_id; -- This should return a single value like "SHA-1"
2. SQL> select encryption.get_highest_desc() from dual; -- This should return the same value returned in step (1).
If the result of (1) is "SHA-1" but the result of (2) is something else, then you need to fix your sys_grants.

 

References:

Document: 454369.1 Roles and Privileges that are granted to the Demantra database during the install process
Document: 730883.1 Additional Database Privilege needed for Demantra Schema when Running on Oracle 11g Database
Document: 1064995.1 Additional Configurations needed when Running Demantra on Oracle 11g Databases
Oracle Demantra Installation Guide for Release 7.3 Document: 825082.1

2016-05 May Shinnyo Podcast – Practice –


  • What is a Practice?
  • Why do we Practice (and not Preach?)
  • The Story of Buddha and the 3 Monks
  • Practice is Not Perfect
  • Balance of Time – Working with Karma


Courtesy of creative-remembering-techniques.com

What is a practice? Pretty much anything you do.  What is not practice? Thinking without action, although philosophically-speaking, inaction is still action, as it results in an outcome whether intended or not.

Practice, in this context, is not limited to something specific you’re trying to learn. Philosophically, we could say we’re learning throughout our lives, each and every day, so that’s how our “practice” extends throughout our days, indeed throughout our lives.

But isn’t it good enough to be really loud and speak your thoughts like a broadcast?

Street evangelism 1950’s Brixton, UK

What happens when you hear such a person?  Is it a moment to stop, listen and contemplate carefully what they’re saying?  Or do you mentally try to block out the extreme noise, and make a mental note to avoid that place in the future?  After all, if it works for cheerleading, why wouldn’t it work for all communication?

Cheerleading with megaphone

If you observe the difference in context, you can see, or maybe hear, the difference between an audience that wants to hear you (and can’t because you’re very far away) versus one that is trying to tune you out and views you as an irritant rather than an example.

Master Shinjo once related how different types of people react to guidance with a story about Shakyamuni Buddha and his disciple Ananda walking home one night. They came across three monks who had been drinking something that was forbidden for monks at the time. The first monk quickly hid on the side of the road behind the bushes hoping not to be discovered.  The second monk averted his gaze and walked quickly past the Tathagata hoping not to be noticed.  The third monk thought that the money he spent was his own and boldly walked calmly right in front of the Buddha without care.  Master Shinjo’s notes on this encounter mention that the first monk represents readily instructable people who are open to new ideas, the second person might need more specific examples and might question reasoning but is motivated by emotional care and compassion, and the third person might need actual correction and regulation in order to learn a new behavior.  Depending on the person, your words and actions might be absorbed readily like a thirsty sponge, or discarded as so much hearsay and opinion.  For those interested in delving further into this story, next month’s podcast will explore the realms of the three areas of Intrinsic, Compassionate and Strict styles of teaching (the 3-Wheel Turning Bodies of the Buddha, Kannon Bodhisattva and Mahavairochana Achala.)

About 2 years ago, I decided that collecting guitars was not the same as actually playing them and signed up for formal lessons.  A long time had passed since I last had something that needed periodic and continued effort to get past my own mental and physical blocks to mastery, and this instrument had become one of those – the kind of situation where you can play “Stairway to Heaven” until people don’t want to hear you any more, but you can’t pick up a random music score and play it because you’re not familiar with how it goes. It’s very similar to saying, “I’m a very religious person,” and everyone nods their heads and thinks, “yes, and one day we’ll see it by actual example.” In this way, you can be doing or saying something quite clear, honest and with great intent, but without reflection upon the outcome of such actions, there really isn’t any measure for improvement or failure.

Just as we lose some 1% of our muscle mass per year after 50 when we are sedentary, the same goes for both our minds and our efforts to practice. Like that slowly leaking balloon that looks really great floating around, but is ever so slowly losing its helium and eventually grounds itself as a deflated rubber raisin, when we don’t do something each day to offset our little sack of karma, it too gets slowly heavier and heavier through natural entropy. To keep our momentum going and that sack staying as light as it can be, it takes daily efforts, and renewed exertion to offset the gentle though persistent waves of sediment that slowly build up over time, and eventually can solidify into much harder to break stone.  This is an example of the same person transitioning between starting out like the first monk described above, and later developing into the third monk even without intent to do so.

/* That’s it for this session. Thank you for listening. For more information feel free to e-mail me at jlui at jlui dot net, or twitter @jhlui1 With Gassho, James*/

Oracle DataGuard and Standby Database Archive Logs

Users see your wonderful DataGuard implementation like this:

Simple Oracle Dataguard Architecture courtesy of https://appsdbatraining.files.wordpress.com

And yet, you know the actual picture looks more like this:

A map of Oracle DataGuard Architecture components

High-availability – the concept behind it makes every DBA shudder because every time it seems you deal with one element and have it protected, there’s another underlying component that also needs protection and redundancy, or else your solution is still insufficient.

Real Application Clusters (RAC) covers individual database host failures but is sensitive to failure of the storage subsystem or the network interconnections between the hosts.

Recovery Manager (RMAN) is your vital tool for keeping track of what’s backed up and where it is.  And its catalog of recovery information could reside locally in copies of the controlfiles, or centrally in another database.  It depends on your backup strategies, really.  Are you using SAN-based backups (snaps, virtual images, deduplicated block replication) or off-site methods that would have to be shipped back to start recovery?

But the typical first-time setup scenario is that you use the OEM-based jiffy whizbang method to set up your new DataGuard environment at the recommendation of one of the steps in the Maximum Availability Advisor (MAA), and everything’s up and running nicely.  You schedule a new weekly full backup, plus daily incremental backup as Oracle recommended practices prescribe, and notice everything’s running smoothly.

Except on your standby database, the archivelogs are piling up and not being deleted automatically.  What’s next?

This thread was a basic discussion in the Oracle Community forums of the topic:

https://community.oracle.com/thread/2388130?start=0&tstart=0

This is a typical RMAN-based configuration:

On Primary

RMAN> CONFIGURE ARCHIVELOG DELETION POLICY TO APPLIED ON STANDBY;

On Standby (depends upon where the backup is performed)

RMAN> CONFIGURE ARCHIVELOG DELETION POLICY TO NONE;

Or

RMAN> CONFIGURE ARCHIVELOG DELETION POLICY TO APPLIED ON ALL STANDBY;

/* if Standby Where Backups Are Not Performed  */

Source:

Data Guard Concepts and Administration 12c

http://docs.oracle.com/database/121/SBYDB/toc.htm

12 Using RMAN to Back Up and Restore Files
RMAN Configurations at the Primary Database
12.3.4 RMAN Configurations at a Standby Where Backups Are Not Performed

The following RMAN configurations are recommended at a standby database where backups are not done:

  1. Connect RMAN to the standby database as target, and to the recovery catalog.
  2. Enable automatic deletion of archived logs once they are applied at the standby database (this is also applicable to all terminal databases when the cascading or far sync instance features are in use):

     CONFIGURE ARCHIVELOG DELETION POLICY TO APPLIED ON ALL STANDBY;

 

** However, that doesn’t really take into consideration what might happen if a final archivelog before switchover of roles doesn’t quite make it on the standby (for whatever reason, it gets corrupted during playback or something similar which results in a Database Needs More Recovery error.)

Based upon:

12.3.3 RMAN Configurations at a Standby Database Where Backups are Performed

The following RMAN configurations are recommended at a standby database where backups are done:

  1. Connect RMAN to the standby database (where backups are performed) as target, and to the recovery catalog.
  2. Enable automatic backup of the control file and the server parameter file:

     RMAN > CONFIGURE CONTROLFILE AUTOBACKUP ON;

  3. Skip backing up data files for which there already exists a valid backup with the same checkpoint:

     RMAN > CONFIGURE BACKUP OPTIMIZATION ON;

  4. Configure the tape channels to create backups as required by media management software:

     RMAN > CONFIGURE CHANNEL DEVICE TYPE SBT PARMS '<channel parameters>';

  5. Because the archived logs are backed up at the standby database, Oracle recommends that you configure the BACKED UP option for the log deletion policy:

     RMAN > CONFIGURE ARCHIVELOG DELETION POLICY BACKED UP n TIMES TO [DEVICE TYPE SBT];

 

I came up with the configuration of:

 

On Standby (depends upon where the backup is performed)

# If no DataGuard is present (single DB host):

# Ensure daily RMAN backup job is being executed in OEM or via cron.

RMAN> CONFIGURE ARCHIVELOG DELETION POLICY TO BACKED UP 1 TIMES TO DISK;

 

And set up a 2nd backup set for the Standby Host DB.  This puts the backups into the defined Fast Recovery Area and manages both the backups and archivelog retention in the same mountpoint.

 

Each has its pros and cons depending on the scenario. You need to lay out your entire architecture scheme including backup solutions and play out the various scenarios that you’re required to cover as far as your Quality of Service (QOS) guarantee to your end-user population.

And of course, if you’re using the advanced cross-WAN FarSync DataGuard implementation architecture (wherein there’s a separate Failover Archive Log (FAL) standby database whose sole purpose in life is to cache archivelogs in case the data replication stream is too much for WAN bandwidth to handle in real-time), this all still applies, because the FAL server is basically just another standby target which needs managing just as much as any regular LAN-based full DataGuard standby instance (it’s just missing the big datafiles and handles all the archivelog traffic.)  You’ll just have even more servers and services involved in keeping the whole thing running (like your Global Names Service servers and databases, which might also be RAC and DataGuard protected, or your Single-Sign On authentication services, or even the OEM Cloud Control OMS itself orchestrating all of that.)

 

Nespresso Vertuoline Coffee Capsule Brew Formulas

I like Nespresso’s Vertuoline single brew appliance – not because it’s convenient (which it is), nor because it’s quick (ditto). But because of inventive others like My-Cap.com, the rather otherwise wasteful aluminum capsules can be re-used indefinitely (as long as you’re careful not to pierce or dent them too much through handling.)

My-Cap.com foil kit for Nespresso Vertuoline

My-Cap.com makes foils, replacement capsules, little plastic quick caps, and all sorts of accessories for single-use pod/capsule coffee makers, which definitely extends their environmental friendliness geometrically (otherwise, at 1 plastic or aluminum pod per cup, they create a ridiculous amount of landfill over time, if not properly recycled – Nespresso is one of the only companies that provide free shipping for recycling capsules.)

My full user review is up at Amazon.com:

Nespresso Vertuoline Finished Lungo Custom Deathwish

https://www.amazon.com/review/R2CA7L5M1YTU1M/ref=cm_cr_rdp_perm

But this post is about a more in-depth feature about the Vertuoline capsule brewing formulation coded into the barcodes that surround the bottoms of each capsule.

Only recently has Nespresso started revealing the numerous formulas used in each version of the capsules, allowing those of us doing the re-use/re-pack/re-foil thing, to properly select a barcode that will work best with the coffee being refilled.

I’ll try to keep the following table updated as new information arrives on this subject:

Capsule         | Type     | Color       | Prewetting | Flow       | Temperature
Altissio        | Espresso | Dk Purple   | Short      | Slow       | High
Diavolitto      | Espresso | Dk Blue     | Long       | Slow       | High
Voltesso        | Espresso | Bright Gold | Short      | Slow       | Low
Decaf Intenso   | Espresso | Dk Red      | Long       | Fast       | High
Giornio         | Lungo    | Orange      | Long       | Slow       | Low
Solelio         | Lungo    | Yellow      | Short      | Fast       | Low
Intensio        | Lungo    | Dk Brown    | Long       | Med        | High
Stormio         | Lungo    | Dk Green    | Long       | Slow       | High
Odacio          | Lungo    | Med Blue    | Long       | Med        | High
Melozio         | Lungo    | Dk Gold     | Short      | Fast       | High
Elvazio         | Lungo    | Pink        | Short      | Slow->Fast | Low->High
Decaffeinato    | Lungo    | Red         | Short      | Med        | Low
Half Caffeinato | Lungo    | Red/Black   | Short      | Med        | Low
Flavored        | Lungo    | Various     | Short      | Med        | Low

 

My-Cap.com custom Deathwish after brewing

I use #2 espresso grind for the Lungo size capsules (taking 10-12g of coffee grounds), and #1 espresso for the Espresso size (which take from 5-8g by comparison).  I pack each to within 1mm of the top of the flat rim of the capsule, which allows plenty of expansion room during the pre-wetting stage.

To remove the original foil, just hobby knife around the rounded part of the rim inside the flatter portion that the foil is glued to leaving a nice flat foil ring for the reusable foils to adhere to during extraction.

A cardboard my-cap storage sleeve

I also made up a few cardboard sleeves (ala Pringles style cans) that close-fit to the edges of the capsules to better keep the re-use foils on the capsules (the adhesive works well during extraction, but I disliked all the extra clamping and crimping others were doing to attempt to seal them better.  I find just placing them on top,  and running around the edge with the fan-brush handle is fine, then just gently fold over the edges.  The adhesive is enough to seal against the rim lip during extraction, and as long as you keep the capsules upright, they won’t spill.)

The price for convenience is that these little capsules do use about 200% more coffee per cup in order to reach the strength level of a standard French press style cup of coffee, but produce a good 2cm of crema in the process (more like a Vev-Vigano stove-top pressure coffee extractor.)  The espresso versions are a little lighter,  in that the brewing process is modified and thus consume closer to the “normal” puck’s worth of coffee per espresso (and they can be double-brewed – reset the cycle by turning the lock open, but don’t open it, then re-lock again to allow the 2nd button press, and re-trigger the pre-wetting cycle, if you prefer something like a 1-1/2 Espresso.)

OEM 12c SSL Certificate Swapping (HowTo)

"This Connection is Untrusted" error message

Out of the box, Oracle Enterprise Manager comes with demonstration SSL certificates that are generally okay for getting the basic system up and running, but they should not be left as your long-term solution for SSL/HTTPS connections to your Oracle Management Server (OMS).

Similar to how e-Business Suite installations delivered a DEMO Certificate Authority certificate with the bundled Internet Application Server (iAS) installation, OEM packages do the same thing.  But eventually, forced by browser and client workstation OS upgrades, you will need to install “real” certificates issued by a true trusted Root Certification Authority (RCA) so that your client browsers don’t begin rejecting encrypted connections to your OMS.

If you search for SSL Certificate authorities, there are many well-known public RCAs, such as DigiCert, Verisign, Thawte, GeoTrust, and others, or even those available from your domain registrar.  Larger organizations probably have their own Certificate Authority signing server on-premise that allows generation of trusted certificates, as well. The only really important thing is that the CA is actually available in your browser and OS as a Trusted Root Authority, and that the signing chain is verifiable to prevent issues with SSL/HTTPS handshaking.  For each middle-tier OMS host, or virtual host if you are set up for high-availability with multiple WebLogic servers, a certificate request is generated, signed and then imported back into the keychains related to the OMS WebLogic hosts, and the OMS Servicing Agents (the OEM Agents installed on the OMS middle-tier hosts.)

Once a new certificate is installed to the OMS itself (in WebLogic), you will also need to install the related RCA to the OMS-side OEM Agent servicing all of the connections to the other OEM Agents, so that they too, will be SSL enabled.

# OEM SSL Certificate swapping
#    EM 12c Cloud Control: How to Create a Wallet With Third Party Trusted Certificate that Can Be Imported into the OMS Console application ? (Doc ID 1937457.1)
#     EM 12c: Steps to Create and Import Third Party / Self-Signed SSL Certificates for WebLogic Server in an Enterprise Manager 12c Cloud Control Installation (Doc ID 1527874.1)
STAGE_DIR=/mnt/nfs/FMW/certs
EM_INSTANCE_HOME=/oemgc/Oracle/gc_inst2/em/EMGC_OMS1      #WebTierIH2 OHS/ohs2 on (alternate hostname)

oemmgr@(primary hostname) $> cd $STAGE_DIR

oemmgr@(primary hostname) $> cat import.sh
export JAVA_JREBIN=$JAVA_HOME/jre/bin
export CERTS=/mnt/nfs/FMW/certs
$JAVA_JREBIN/keytool -import -file $CERTS/ORGPOLICYCA.cer -trustcacerts -alias ORGROOTCA -storepass changeit -noprompt  -keystore $JAVA_HOME/jre/lib/security/cacerts
$JAVA_JREBIN/keytool -import -file $CERTS/ORGROOTCA.cer -trustcacerts -alias ORGRootPolicyCA -storepass changeit -noprompt   -keystore $JAVA_HOME/jre/lib/security/cacerts
$JAVA_JREBIN/keytool -import -file $CERTS/ORGHOSTISSUECA1.cer -trustcacerts -alias ORGHOSTissueca1 -storepass changeit -noprompt  -keystore  $JAVA_HOME/jre/lib/security/cacerts

oemmgr@(primary hostname) $> . ./import.sh
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore

# Determine keystore directory (found by locating your Oracle Home Service (OHS) installation filesystem)
oemmgr@(primary hostname) $> ps -ef | grep ohs
oemmgr     873  9334  0 Jan13 ?        00:47:48 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/httpd.worker -DSSL
oemmgr    9334  9305  0 Jan13 ?        00:00:06 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/httpd.worker -DSSL
oemmgr    9342  9334  0 Jan13 ?        00:00:11 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/odl_rotatelogs -l /oemgc/Oracle/gc_inst2/WebTierIH1/diagnostics/logs/OHS/ohs1/ohs1-%Y%m%d%H%M%S.log 10M 70M
oemmgr    9344  9334  0 Jan13 ?        00:00:11 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/odl_rotatelogs /oemgc/Oracle/gc_inst2/WebTierIH1/diagnostics/logs/OHS/ohs1/access_log 10M 100M
oemmgr    9345  9334  0 Jan13 ?        00:00:01 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/odl_rotatelogs /oemgc/Oracle/gc_inst2/WebTierIH1/diagnostics/logs/OHS/ohs1/em_upload_http_access_log 10M 100M
oemmgr    9346  9334  0 Jan13 ?        00:02:13 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/odl_rotatelogs /oemgc/Oracle/gc_inst2/WebTierIH1/diagnostics/logs/OHS/ohs1/em_upload_https_access_log 10M 100M
oemmgr    9349  9334  0 Jan13 ?        00:00:07 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/odl_rotatelogs /oemgc/Oracle/gc_inst2/WebTierIH1/diagnostics/logs/OHS/ohs1/mod_wl_ohs.log 10M 100M
oemmgr    9350  9334  0 Jan13 ?        00:00:00 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/odl_rotatelogs -l -h:/oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/component_events.xml_ohs1 /oemgc/Oracle/gc_inst2/WebTierIH1/auditlogs/OHS/ohs1/audit-pid9334-%Y%m%d%H%M%S.log 1M 4M
oemmgr    9351  9334  0 Jan13 ?        00:00:28 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/httpd.worker -DSSL
oemmgr    9352  9334  0 Jan13 ?        00:47:55 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/httpd.worker -DSSL
oemmgr    9353  9334  0 Jan13 ?        00:47:52 /oemgc/Oracle/MW3/Oracle_WT/ohs/bin/httpd.worker -DSSL

# Confirm settings
oemmgr@(primary hostname) $> grep keystore /oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/ssl.conf
SSLWallet file:/oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/keystores/console

# Stage copy of revised CA wallet                                  #WebTierIH2/config/OHS/ohs2 on (secondary hostname)
oemmgr@(primary hostname) $> cp -r /mnt/nfs/FMW/certs/oemgc.domain /oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/keystores
cp -r /mnt/nfs/FMW/certs/oemgc.domain /oemgc/Oracle/gc_inst2/WebTierIH2/config/OHS/ohs2/keystores

# Check permissions 770 on wallet dir, 600 on wallets
oemmgr@(secondary hostname) $> ls -la /oemgc/Oracle/gc_inst2/WebTierIH2/config/OHS/ohs2/keystores/oemgc.domain
ls -la /oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/keystores/oemgc.domain
total 32
drwxrwx--- 2 oemmgr oinstall  4096 Mar  9 12:50 .
drwx------ 7 oemmgr oinstall  4096 Mar  9 12:50 ..
-rw------- 1 oemmgr oinstall 11653 Mar  9 12:50 cwallet.sso
-rw------- 1 oemmgr oinstall 11576 Mar  9 12:50 ewallet.p12
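
The permission check above (770 on the wallet directory, 600 on the wallet files) as a repeatable script that can be run against each OHS keystore directory. This is an added example, not part of the original post; the function names and the choice to treat a missing or symlinked wallet file as a finding are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an Oracle wallet
# directory against the modes the walkthrough checks by eye:
# 770 or tighter on the directory, 600 or tighter on the wallet files.

# mode_of PATH: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# looser_than MODE MAX: true when MODE grants a permission bit MAX does not.
looser_than() {
    [ $(( 0$1 & ~0$2 & 0777 )) -ne 0 ]
}

# audit_wallet DIR: print findings on stdout.
# Returns 0 = modes OK, 1 = at least one finding, 2 = DIR is not a directory.
audit_wallet() {
    wdir=$1
    findings=0
    if [ ! -d "$wdir" ]; then
        echo "ERROR $wdir: not a directory"
        return 2
    fi
    wmode=$(mode_of "$wdir")
    if looser_than "$wmode" 770; then
        echo "FAIL  $wdir: mode $wmode, expected 770 or tighter"
        findings=1
    fi
    # cwallet.sso is the auto-login wallet: it opens without a password,
    # so file permissions are its main protection.
    for wfile in cwallet.sso ewallet.p12; do
        wpath=$wdir/$wfile
        if [ -L "$wpath" ]; then
            echo "FAIL  $wpath: symbolic link, audit the target instead"
            findings=1
        elif [ ! -f "$wpath" ]; then
            echo "FAIL  $wpath: missing"
            findings=1
        else
            wmode=$(mode_of "$wpath")
            if looser_than "$wmode" 600; then
                echo "FAIL  $wpath: mode $wmode, expected 600 or tighter"
                findings=1
            fi
        fi
    done
    [ "$findings" -eq 0 ] && echo "OK    $wdir"
    return "$findings"
}

# Stand-alone use: sh audit_wallet.sh <wallet dir> [<wallet dir> ...]
if [ "$#" -gt 0 ]; then
    status=0
    for arg in "$@"; do
        audit_wallet "$arg" || status=1
    done
    exit "$status"
fi
```

Run it on both the primary and secondary hosts after staging the wallet copy, since `cp -r` creates the copies with modes that depend on the umask of the account doing the copy.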

# Primary wallet for the OMS console
oemmgr@(primary hostname) $> cd /oemgc/Oracle/MW3/oracle_common/bin
oemmgr@(primary hostname) $> ./orapki wallet display -wallet /oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/keystores/console
Oracle PKI Tool : Version 11.1.1.7.0
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=oemgc.domain
Trusted Certificates:
Subject:        CN=(primary hostname).domain,C=US,ST=CA,L=EnterpriseManager on (primary hostname).domain,OU=EnterpriseManager on (primary hostname).domain,O=EnterpriseManager on (primary hostname).domain

# Confirm new wallet contents
oemmgr@(primary hostname) $> ./orapki wallet display -wallet /oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/keystores/oemgc.domain
Oracle PKI Tool : Version 11.1.1.7.0
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=*.domain,OU=Information Technology,O=ORG My Org,L=My City,ST=California,C=US
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=ORG POLICY CA
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        CN=ORG ROOT CA
Subject:        CN=HOSTISSUECA1,DC=fss,DC=ORG,DC=com
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

#Add certificates to monitoring agent for the OMS:
cd $AGENT_HOME/bin
./emctl stop agent
# Default jks keyring password – welcome
./emctl secure add_trust_cert_to_jks -trust_certs_loc /mnt/nfs/FMW/certs/ORGROOTCA.cer -alias ORGROOTCA
./emctl secure add_trust_cert_to_jks -trust_certs_loc /mnt/nfs/FMW/certs/ORGPOLICYCA.cer -alias ORGPOLICYCA
./emctl secure add_trust_cert_to_jks -trust_certs_loc /mnt/nfs/FMW/certs/ORGHOSTISSUECA1.cer -alias HOSTISSUECA1
./emctl start agent

# Support virtual hostnames by ignoring hostname verification (this turns off the hostname check on WebLogic's outbound SSL connections)
export EM_COMMON_JAVA_OPTIONS="-Dweblogic.security.SSL.ignoreHostnameVerification=true -Djava.security.egd=file:///dev/./urandom -Dweblogic.log.FileName=/oemgc/Oracle/gc_inst2/em/EMGC_OMS1/sysman/log/wls.log"

# Backup the EM_INSTANCE_BASE/em/EMGC_OMS1/emgc.properties file
cd /oemgc/Oracle/gc_inst2/em/EMGC_OMS1                               #OMS2 on (secondary hostname)
cp emgc.properties emgc.properties_selfsign

# Requires SYSMAN password
# (secondary hostname)
$OMS_TOP/bin/emctl secure console -wallet /oemgc/Oracle/gc_inst2/WebTierIH2/config/OHS/ohs2/keystores/oemgc.domain

# Example output
# Oracle Enterprise Manager Cloud Control 12c Release 5
# Copyright (c) 1996, 2015 Oracle Corporation.  All rights reserved.
# Securing Console… Started.
# Enter Enterprise Manager Root (SYSMAN) Password :
# Securing Console… Successful
# Restart OMS

# (primary hostname)
$OMS_TOP/bin/emctl secure console -wallet /oemgc/Oracle/gc_inst2/WebTierIH1/config/OHS/ohs1/keystores/oemgc.domain
$OMS_TOP/bin/emctl stop oms
$OMS_TOP/bin/emctl start oms

#Section 4: Rolling back to the Demonstration WLS Certificate
#If you need to switch back the WLS components in the OMS installation to use the default WebLogic Server demonstration certificates, execute the following steps on each OMS.

1. Stop the OMS:

cd <OMS_HOME>/bin
emctl stop oms

2. Run the following commands:

cd <OMS_HOME>/bin
emctl secure wls -use_demo_cert
emctl secure console -self_signed

3. Stop the OMS:

cd <OMS_HOME>/bin
emctl stop oms -all

4. Start the OMS:

cd <OMS_HOME>/bin
emctl start oms

Wire Bail Canning Jar Gasket Sizes – Fido, Bormioli, Le Parfait, et.al.

5.0L Common Wire Bail Canning Jar – Glass

The rubber or silicone ring invariably wears out, cracks, splits or otherwise no longer seals properly.

Interestingly, I noticed that when browsing for replacements, there are a number of different pseudo-standard sizes involved.

Since they are flexible, one size too small may fit anyway, even if the gasket slightly buckles or curls, and sometimes the thickness varies enough (especially if too thick) that means you will need to adjust the wire band to accommodate the additional thickness (sometimes the lower band – the one on the jar itself, can be flipped upside down to give an additional 2mm of closure clearance for thicker 4mm gaskets – most gaskets are of the 2mm variety.)

Modern canning jar gaskets 70mm, 80mm, 100mm

Common Canning Wire Bail Jar Gasket Sizes with Inside and Outside Diameter measurements:

Antique 1/4″ width canning jar gaskets

* Antique gaskets were usually only 1/4″ wide instead of the modern 1/2″ width.

 

 

 

 

 

Ball wide-mouth versus regular-mouth glass canning jars

For reference, Modern Standard Ball/Mason Screw-on Canning Lid sizes:

  • Standard Mouth Ball 2-1/2″ (on center at lid seal) – 2-3/8″ (60mm) ID 2-5/8″ (67mm) OD – at jar opening.
  • Wide Mouth Ball 3-1/8″ (on center at lid seal) – 3.0″ (76mm) ID 3-1/4″ (83mm) OD – at jar opening.

 

 

 

There are also any number of decorative model jars which were very tiny in comparison (1″ 25mm ID) which were not meant for actual canning use, but were often used for salt and pepper shakers or for gifting jam samples. Naturally, getting replacement lids or gaskets for these is pretty much impossible other than finding something that would work at your local hardware store in the pipe and plumbing department.

Miniature 1-7/10″ 42mm wire bail decorative canning jar
2″ 51mm mini decorative mason jar

#C16LV Collaborate 2016 Networking Opportunity Events


Where I can keep track of the special events (note: these are not “parties” as so many people are misled to believe) at Collaborate (April 10-14, 2016 – Las Vegas, Nevada). To attend one of these events:

  1. You’re registered as a Collaborate Attendee.
  2. You’re either a prospect, customer, or goodwill contact for the host.
  3. You visit the host’s booth at Collaborate in order to pick up whatever is required for entry.
  4. Do not just show up at the event and attempt to “crash” it – just spend your time at a regular #C16LV reception the same evening and you’ll still get plenty of party time.

To be confirmed (replicated from last year’s schedule):

+IOUG Volunteer Reception, Sat 8-9:30p, Tacos & Tequila (Luxor Mezz)
+Kaygen CA, Tue 7-9p, Veranda Italian (4Seasons)
+Cisco #NightSliders, Tue 9-12p, Suite 30-001 (MB – Tweet Req’d)
+Hyperion Connect Reception, Tue 7-8:30p, North CC, Islander C
+OAUG Young Professionals Cocktail MeetUp, Wed 6:30-7:30p, North CC, Islander C
+#C16LV Young & New Professionals Dine-Around (non-hosted), Tue, 7p, Meet at Main Entrance of Exh Shwcse
+Data Intensity CA, Tue 7-9p, Eyecandy Lounge
+InsightSoftware VIP, Tue 7-10p, Franklin Lounge (Delano Tower MB)
+Mercury Technology CA, Tue 7-9:30p, Border Grill (MB)
+Quest Members Welcome, Sun 6:30-8p, MB Ballroom Lvl2 I,J (JD Edwards)/L (Peoplesoft)
+Oracle Data Mgt Lunch (KPIT Sponsored), Mon 12-1:30p, Slice of Vegas (MP Shoppes)
+DatAvail CA, Mon 7:30-9:30p, Strip Steak (MB)

 

 

My sessions for this year:

 

Big Data Cloud Storage Framework Solutions

Based upon a recent meeting of minds at MESS (Media Entertainment & Scientific Systems) http://www.meetup.com/MESS-LA the challenge facing the industries is how to deal with petabyte-sized amassed data that still needs to be accessible in real-time for secured editing purposes by downstream customers and suppliers.
Here’s a multi-phase solution idea:

My idea for a secure big file delivery model. Figured by J. H. Lui (c) 2016

Using torrent technology for access, with authenticated peer-to-peer hosts, private SSL-encrypted trackers/announcers, and encrypted bit streams, this maintains access to the fundamental data source using minimal infrastructure.
Add two-factor authentication to the authentication protocol to allow time- and role-based security to be enforced (so-and-so p2p host is authorized to connect to the torrent during X days/N hours per day/etc.)
Use generic two-factor authentication providers (e.g. Symantec VIP or SAASPass) to allow the small service providers to access data without excessive overhead cost, or dedicated hardware solutions.
Store the data source files using a torrent+sharding+bit-slicing protocol (similar to the Facebook imaging storage model.) Without authenticated access to the cloud torrent, any individual data chunk or shard grabbed by a sniffer becomes useless.
Segregate and divide the data files using a role-based security architecture (e.g. Scene 1 needed by X post-production editor, during N time-period.) Individual torrent participants can select the individual virtual file segments they need for work, without downloading the data chunks unrelated to them. Similarly, the above described time+role based security prevents access to/from data segments that are not authorized for that endpoint. Could even add password-protection to individual sensitive segments to provide one more level of turn-key security.
Use a Google Drive/Dropbox style OS protocol to allow mounting of the torrent sources to the end-user workstations with transparent access.  Whichever mechanism can provide adequate latency for the block replication should be sufficient.  Rather than mounting the same cloud torrent to every local workstation, use local NFS servers to provide local home-basing of the cloud mount (WAN speed), then export that mount locally (LAN speed) to the various workstations that need access to it.  That way, there’s only one penetration point to/from the cloud torrent, which can be adequately firewalled locally by the end-user. This is a solution for the end consumers that need access to the largest portion of the cloud data set.
The source data hives can use multi-path networking protocol ( https://jhlui1.wordpress.com/2015/05/21/multi-path-multiplexed-network-protocol-tcpip-over-mmnp-redundant-connections ) to further split and sub-divide the data streams (which are already encrypted), to maximize performance to bandwidth-limited consumer endpoints.
Media companies have a rather different data value model to deal with because during pre-production the data value is extremely high, but it drops off rapidly post-production release once the market consumes it. But the same model at a lower protection level would work for actual distribution – wherein end subscribers are authenticated for access to a particular resolution or feature set of the original cloud segments (e.g. 8K versus 1K media, or audio-only, or with or without Special Features access.)


2016-01 Shinnyo Podcast Divine Protection and Luck


  • A Heap of Good Fortune For Some
  • Bullets and Bracelets Against the Bad and Wicked
  • Being Fed to Death
  • The Lesser Trodden Path

Subscribe to this Podcast (RSS) or iTunes or via Flipboard

Ever noticed when some people seem to live a charmed life? Not referring to being lucky, or fortunate success-wise, but more towards how some people haven’t had a lot of bad things happen to them. Accidents are few and far between, or they have never broken a bone or become really ill. Some are winning every contest they enter, and seem to go through life with an ever-present ray of sunshine falling upon them, never casting a shadow.

Every accident I’ve ever had came from my own action or inaction. I was either unaware of my surroundings because of distraction or focus on something else, or thought I could do something that would get me there faster or presumed someone else was responsible for an action (whether avoiding me because I was there, or was otherwise responsible for predicting what I was about to do.)

I’ve always driven as though I’m invisible, because for all practical purposes, people have the most accidents when something predicted doesn’t happen (the person isn’t supposed to be there; the fan I tripped on wasn’t supposed to be in my path; the food I’m eating wasn’t supposed to be spoiled, though it tasted oddly metallic, etc.)

One of the puzzling observations I’ve made has to do with how some people have many people in their lives that are in some way negatively influential, or critical, or even just chronically unhappy with life.  While I don’t have any definitive idea where that comes from, I know that for myself, those kinds of people simply aren’t naturally attracted to me.  I do encounter plenty of people who have ideas for improvement, or ways to do things better or more effectively in my daily life, but none who see the world as impossible to solve, or are faced with challenges beyond their capacity to cope. Much of that could be attributed to my belief that I can’t really do anything in someone else’s life other than show a different way of handling things. But it’s ultimately still their choice to make a difference for themselves. Whether that forms its own kind of invisible force-field against being surrounded by naysayers and prophets of doom, is up to pure speculation, but it is what it is.

Many years ago, I subscribed to the concept of rescuer mentality, developing sort of a Pygmalion attitude about relationships, which in turn attracted many people of similar belief. You became attractive both to those seeking refuge from circumstance and wanting a hand-up to a better life, as well as those who sought to rescue those in need. By itself this would seem to be an amicable relationship, seeing that those wanting support are matched with those seeking to provide it. But I think you can also see the co-dependency aspect of this situation – how the hungry never learn to satiate their own hunger, and the providers never fulfill the illusion of creating independence. Instead of a symbiotic relationship of mutual support, it becomes a parasitic relationship with each party needing the other to continue unfulfilled, lest the relationship (and the emotional satisfaction derived from it) collapse.  The tension of the need becomes the energy fueling the connections.

To this very day, I still find an innate sense of wanting to rescue, but with a realization that people are not stray dogs and cats, you do what you can to provide an example of self-sufficiency and ability, and do your best to embrace whatever life deals you. There’s a subtle but real difference between when one of those stray animals wanders into your life, looking for solace, versus the ones you go out and trap and domesticate.  Similarly, you can be a great teacher and inspire people to learn, or just talk a lot about great things, and never pay attention that your audience isn’t really listening or learning.

While it makes no sense to try and draw direct relationships between bad luck and how one behaves in life, it may be worth noticing that the little rumbles and ripples from broken promises, and living a life of incongruity is often accompanied with a certain over-abundance of misfortune and misfeasance.   Or if screaming at the top of your lungs that life isn’t fair and the world needs to treat you better hasn’t worked, maybe it’s time to instead invite a few faeries of good fortune and the leprechauns of luck into your life by trying the nicer road. Bad times are challenging, but not a curse, and at the time you encounter them, you do have the muster to overcome them. But if you insist on encouraging the worst by spouting your bravado, I’m pretty sure it will prove to be an entertaining event at the very least. Enjoy the lesser trodden path of life; it often comes filled with surprises and unforeseen opportunities.


/* For more information and discussion feel free to e-mail me at jlui at jlui dot net, or twitter @jhlui1; With Gassho _()_, James*/

 

DataGuard and OEM 12c OMS DB Failover Configuration

# When Oracle DataGuard high-availability for the OMS database is configured using the OEM DataGuard Administration Wizard, and fast-start failover is configured, fail-overs automatically rename the standby as primary, and vice-versa and establish the change-over in roles.  While this accomplishes the database staying online and available on the secondary host (or all other databases in the DG group), the Enterprise Manager OMS must be told how to connect to it – preferably transparently.

# DataGuard OMS Registration
# Enterprise Manager Grid Control 11g: How to Configure the OMS Connect String when Repository is in a Dataguard setup (Doc ID 1328768.1)
# OEMPR11 is our primary DB SID/Service Name
# OEMPR11_DGMGRL is our alias for the fail-over service (pointing to all DG instances)

SQLPLUS as SYS:
SQL> exec DBMS_SERVICE.CREATE_SERVICE (service_name => 'OEMPR11_DGMGRL',network_name => 'OEMPR11_DGMGRL',aq_ha_notifications => true,failover_method => 'BASIC',failover_type => 'SELECT',failover_retries => 180,failover_delay => 1);

SQL> exec dbms_service.start_service('OEMPR11_DGMGRL');

# Verify operation:

$> lsnrctl services     # Should see the new OEMPR11_DGMGRL service listed

# Create a Database Trigger so that the service can be stopped when the Database role becomes standby and started only when the Database role is Primary:

SQL> CREATE OR REPLACE TRIGGER manage_OCIservice after startup on database
DECLARE
  role VARCHAR2(30);
BEGIN
  -- Offer the failover service only from the database that is currently primary
  SELECT DATABASE_ROLE INTO role FROM V$DATABASE;
  IF role = 'PRIMARY' THEN
    DBMS_SERVICE.START_SERVICE('OEMPR11_DGMGRL');
  ELSE
    DBMS_SERVICE.STOP_SERVICE('OEMPR11_DGMGRL');
  END IF;
END;
/

# Re-configure the OMS (All MT hosts) to have the connection string as:
$>  cd <OMS_HOME>/bin
# Following is a single-line command (basically an entire JDBC style connect string)
$> ./emctl config oms -store_repos_details -repos_conndesc '(DESCRIPTION=(FAILOVER=ON)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=<primaryDBHostnameFQDN>)(PORT=1522))(ADDRESS=(PROTOCOL=TCP)(HOST=<secondaryDBHostnameFQDN>)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=OEMPR11_DGMGRL))(FAILOVER_MODE=(TYPE=select)(METHOD=basic)))' -repos_user sysman

# Example output
$> ./emctl config oms <…> TYPE=select)(METHOD=basic)))' -repos_user sysman               <
Oracle Enterprise Manager Cloud Control 12c Release 5
Copyright (c) 1996, 2015 Oracle Corporation.  All rights reserved.
Enter Repository User’s Password :
Successfully updated datasources and stored repository details in Credential Store.
If there are multiple OMSs in this environment, run this store_repos_details command on all of them.
And finally, restart all the OMSs using 'emctl stop oms -all' and 'emctl start oms'.
It is also necessary to restart the BI Publisher Managed Server.

# Add the tnsnames.ora entry (all DB hosts at minimum)
OEMPR11_DGMGRL=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=TCP)(HOST=<primaryDBHostnameFQDN>)(PORT=1522))
(ADDRESS=(PROTOCOL=TCP)(HOST=<secondaryDBHostnameFQDN>)(PORT=1521))
)
(CONNECT_DATA=(SERVICE_NAME=OEMPR11_DGMGRL))
(FAILOVER_MODE=(TYPE=select)(METHOD=basic))
)

# Testing connectivity:

$> sqlplus sysman/$SYSMAN_PW@'(DESCRIPTION=(FAILOVER=ON)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=<primaryDBHostnameFQDN>)(PORT=1522))(ADDRESS=(PROTOCOL=TCP)(HOST=<secondaryDBHostnameFQDN>)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=OEMPR11_DGMGRL))(FAILOVER_MODE=(TYPE=select)(METHOD=basic)))'

# Test the Failover Service:

# Connect to the Database from sqlplus using SYSMAN user via the new service created above:

$> sqlplus sysman/$SYSMAN_PW@OEMPR11_DGMGRL

# Execute these queries to verify the Database name and service names:

SQL> select db_unique_name from v$database;

DB_UNIQUE_NAME
--------------
OEMPR11

SQL> show parameter service_names

NAME            TYPE     VALUE
-------------   ------   ------------------------
service_names   string   OEMPR11, OEMPR11_DGMGRL

# Re-start the OMS once so that the connection string change is saved:

cd <OMS_HOME>/bin
./emctl stop oms -all    #on AdminServer MT
./emctl stop oms         #other MTs
./emctl start oms
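
# The two sqlplus tests above pass sysman/$SYSMAN_PW as a command-line argument, so the expanded password can be read from the process list by other local users. The script below is an added example (not part of the original procedure or of Oracle's note): it runs the same failover-service check with the credentials sent on standard input and succeeds only if the session landed on the PRIMARY database. The function names and the SQLPLUS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: failover-service check without the password on argv.
# Assumptions: SYSMAN_PW is set in the environment (and contains no double
# quote), OEMPR11_DGMGRL resolves via tnsnames.ora, SQLPLUS names the binary.
# Usage: dg_service_on_primary OEMPR11_DGMGRL && echo "service is on primary"
SQLPLUS=${SQLPLUS:-sqlplus}

# Emit the SQL*Plus script. CONNECT is read from stdin, so the password
# never appears in the argument list of any process.
dg_probe_script() {
    cat <<EOF
connect sysman/"${SYSMAN_PW}"@$1
set heading off feedback off pagesize 0
select database_role || ':' || db_unique_name from v\$database;
exit
EOF
}

# Run the probe; print "ROLE:DB_UNIQUE_NAME" (blanks removed) or nothing.
# ORA-/SP2- error lines never match the pattern, so a failed connect is empty.
dg_probe() {
    dg_probe_script "$1" | "$SQLPLUS" -S /nolog 2>/dev/null |
        tr -d ' \t\r' | awk '/^[A-Z]+:[^:]+$/ { print; exit }'
}

# Return 0 and print the DB_UNIQUE_NAME when the service answered from the
# primary, 1 when it answered from a standby, 2 when there was no answer.
dg_service_on_primary() {
    result=$(dg_probe "$1") || true
    case $result in
        PRIMARY:*) echo "${result#PRIMARY:}"; return 0 ;;
        "")        echo "no answer from $1" >&2; return 2 ;;
        *)         echo "connected to non-primary: $result" >&2; return 1 ;;
    esac
}
```

# Run it before and after a failover: the DB_UNIQUE_NAME it prints should change while the exit status stays 0.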
