Monday, November 10, 2014

Quickly check and fix the POODLE vulnerability on Apache, WebLogic Server, and OHS

If you are running SSL 3.0, you need to be aware of the POODLE vulnerability.

There are no patches since the POODLE vulnerability is a design flaw in the protocol itself and not an implementation bug. TLS is now the preferred encryption protocol.


Are you vulnerable?

Courtesy of this website, you can check if your website is available over SSLv3 with:
curl -v -3 -X HEAD https://www.raastech.com
If you are not vulnerable, you should not be able to connect, and your output should look something like this:
* SSL peer handshake failed, the server most likely requires a client certificate to connect
If you are vulnerable, you should see normal connection output, including the line:
* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL


Fix for Apache

1. Edit the ssl.conf and add the following:
SSLProtocol All -SSLv2 -SSLv3


Fix for WebLogic Server

1. Add the following to all the JVMs:
-Dweblogic.security.SSL.protocolVersion=TLS1 
2. Remove the following line if found in the configuration:
-Dweblogic.security.SSL.protocolVersion=SSL3
3. Restart.



Fix for Oracle HTTP Server (OHS)

1. Edit httpd.conf and edit the SSLProtocol directive as follows:
OLD: SSLProtocol ALL -SSLv2
NEW: SSLProtocol ALL -SSLv2 -SSLv3
2. Restart.
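
The three fixes above can also be checked from the configuration itself. The following is an added example, not part of the original post: the function names and sample inputs are constructed, and it assumes "all" includes SSLv3, as it did on the builds current when this was written.

```shell
# Added example, not from the original post. Sample inputs are constructed.
# Evaluate one Apache/OHS "SSLProtocol ..." line the way mod_ssl parses it:
# "+name" adds, "-name" removes, a bare name replaces the whole set.
# Assumption: "all" includes SSLv3, as on the 2014-era builds the post covers.
# Prints SSLV3-ENABLED, OK, or MALFORMED (a token mod_ssl would reject).
check_sslprotocol() (
  set -f; set -- $1; set +f; shift   # split on whitespace, drop the keyword
  sslv3=0
  for tok in "$@"; do
    case $tok in
      +*) act=+; tok=${tok#+} ;;
      -*) act=-; tok=${tok#-} ;;
      *)  act= ;;
    esac
    case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
      all|sslv3) has3=1 ;;
      sslv2|tlsv1|tlsv1.1|tlsv1.2|tlsv1.3) has3=0 ;;
      *) echo MALFORMED; return 0 ;;
    esac
    case $act in
      -) [ "$has3" = 1 ] && sslv3=0 ;;
      +) [ "$has3" = 1 ] && sslv3=1 ;;
      *) sslv3=$has3 ;;
    esac
  done
  [ "$sslv3" = 1 ] && echo SSLV3-ENABLED || echo OK
)

# Report every SSLProtocol directive in a config file as "file:line: verdict".
audit_conf() {
  grep -n -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
  while IFS=: read -r n line; do
    printf '%s:%s: %s\n' "$1" "$n" "$(check_sslprotocol "$line")"
  done
}

# WebLogic: classify a JVM argument string by the flag the post adds/removes.
check_weblogic_args() (
  case " $1 " in
    *" -Dweblogic.security.SSL.protocolVersion=SSL3 "*) echo SSLV3-ENABLED ;;
    *" -Dweblogic.security.SSL.protocolVersion=TLS1 "*) echo OK ;;
    *) echo FLAG-MISSING ;;
  esac
)

# Constructed sample: unfixed line, fixed line, line pasted with typographic dashes.
demo=$(mktemp)
printf '%s\n' 'SSLProtocol ALL -SSLv2' 'SSLProtocol All -SSLv2 -SSLv3' \
  'SSLProtocol ALL –SSLv2 –SSLv3' > "$demo"
audit_conf "$demo"; rm -f "$demo"
check_weblogic_args '-Xmx1024m -Dweblogic.security.SSL.protocolVersion=SSL3'
```

Unlike the curl probe, this check does not depend on the client build still supporting SSLv3, and it reports directives that were pasted with typographic dashes as MALFORMED.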



 

Thursday, November 6, 2014

WebLogic JMS: Failed to create managed connection due to NullPointerException

Problem:

Our SOA composite is using the JMSAdapter to poll messages from a JMS queue. However, no messages were being polled.

Our JCA file looked like this. Nothing special about it and you can see that our connection factory JNDI is set to eis/jms/Order and our queue JNDI is jms/OrderQueue.
<adapter-config name="ConsumeOrder" adapter="JMS Adapter" wsdlLocation="ConsumeOrder.wsdl" xmlns="http://platform.integration.oracle/blocks/adapter/fw/metadata">
  <connection-factory location="eis/jms/Order" UIJmsProvider="WLSJMS" UIConnectionName="EBIZPROD"/>
  <endpoint-activation portType="Consume_Message_ptt" operation="Consume_Message">
    <activation-spec className="oracle.tip.adapter.jms.inbound.JmsConsumeActivationSpec">
      <property name="PayloadType" value="TextMessage"/>
      <property name="UseMessageListener" value="false"/>
      <property name="DestinationName" value="jms/OrderQueue"/>
    </activation-spec>
  </endpoint-activation>
</adapter-config>
When we enabled the oracle.soa.adapter logger to TRACE:32, not much additional information was revealed, but these are the recurring entries we see in the soa_server1-diagnostic.log file:
[2014-11-06T00:43:18.826-05:00] [soa_server1] [TRACE] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 7fecb0f5a423ee5f:-2152fc99:1497985c034:-8000-0000000002803edb,0] [APP: soa-infra] [SRC_CLASS: oracle.integration.platform.blocks.adapter.fw.log.LogManagerImpl] [SRC_METHOD: log] JMSAdapter SOAOrder JMSConnectionFactoryFactory_getConnectionFactory: looking up 'null' 
[2014-11-06T00:43:18.826-05:00] [soa_server1] [ERROR] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 7fecb0f5a423ee5f:-2152fc99:1497985c034:-8000-0000000002803edb,0] [APP: soa-infra] JMSAdapter SOAOrder JMSMessageConsumer_init:[destination = JMSServer_1@jms/OrderQueue (payload = 1)]:Failed to create managed connection: java.lang.NullPointerException 
[2014-11-06T00:43:18.826-05:00] [soa_server1] [ERROR] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 7fecb0f5a423ee5f:-2152fc99:1497985c034:-8000-0000000002803edb,0] [APP: soa-infra] JMSAdapter SOAOrder [[
javax.resource.spi.ResourceAdapterInternalException: Failed to create managed connection: java.lang.NullPointerException
        at weblogic.connector.outbound.ConnectionFactory.createResource(ConnectionFactory.java:152)
        at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1322)
        at weblogic.common.resourcepool.ResourcePoolImpl.reserveResourceInternal(ResourcePoolImpl.java:428)
        at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:352)
        at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:332)
        at weblogic.connector.outbound.ConnectionPool.reserveResource(ConnectionPool.java:620)
        at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:326)
        at weblogic.connector.outbound.ConnectionManagerImpl.getConnectionInfo(ConnectionManagerImpl.java:380)
        at weblogic.connector.outbound.ConnectionManagerImpl.getConnection(ConnectionManagerImpl.java:320)
        at weblogic.connector.outbound.ConnectionManagerImpl.allocateConnection(ConnectionManagerImpl.java:129)
        at oracle.tip.adapter.jms.JmsConnectionFactory.getConnection(JmsConnectionFactory.java:93)
        at oracle.tip.adapter.jms.JMS.JMSMessageConsumer.createConsumer(JMSMessageConsumer.java:321)
        at oracle.tip.adapter.jms.JMS.JMSMessageConsumer.init(JMSMessageConsumer.java:920)
        at oracle.tip.adapter.jms.inbound.JmsConsumer.init(JmsConsumer.java:894)
        at oracle.tip.adapter.jms.JmsDDEndpoint.onDestinationsAvailable(JmsDDEndpoint.java:175)
        at weblogic.jms.extensions.JMSDestinationAvailabilityHelper$DestinationAvailabilityListenerWrapper$2.run(JMSDestinationAvailabilityHelper.java:386)
        at weblogic.jms.extensions.JMSDestinationAvailabilityHelper$DestinationAvailabilityListenerWrapper.callOutListener(JMSDestinationAvailabilityHelper.java:402)
        at weblogic.jms.extensions.JMSDestinationAvailabilityHelper$DestinationAvailabilityListenerWrapper.onDDMembershipChange(JMSDestinationAvailabilityHelper.java:383)
        at weblogic.jms.common.CDS$DD2Listener.run(CDS.java:1279)
        at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: java.lang.NullPointerException
        at javax.naming.InitialContext.lookup(InitialContext.java:392)
        at oracle.tip.adapter.jms.JMS.JMSConnectionFactoryFactory.getConnectionFactory(JMSConnectionFactoryFactory.java:132)
        at oracle.tip.adapter.jms.JMS.JMSConnectionFactoryFactory.getQueueConnectionFactory(JMSConnectionFactoryFactory.java:86)
        at oracle.tip.adapter.jms.JMS.JMSConnection.init(JMSConnection.java:156)
        at oracle.tip.adapter.jms.JMS.JMSConnection.<init>(JMSConnection.java:113)
        at oracle.tip.adapter.jms.JMS.WLJMSConnection.<init>(WLJMSConnection.java:76)
        at oracle.tip.adapter.jms.JmsManagedConnectionFactory.createConnection(JmsManagedConnectionFactory.java:311)
        at oracle.tip.adapter.jms.JmsManagedConnectionFactory.createDefaultConnection(JmsManagedConnectionFactory.java:305)
        at oracle.tip.adapter.jms.JmsManagedConnectionFactory.createConnection(JmsManagedConnectionFactory.java:286)
        at oracle.tip.adapter.jms.JmsManagedConnectionFactory.createManagedConnection(JmsManagedConnectionFactory.java:92)
        at weblogic.connector.security.layer.AdapterLayer.createManagedConnection(AdapterLayer.java:803)
        at weblogic.connector.outbound.ConnectionFactory.createResource(ConnectionFactory.java:91)
        ... 20 more

Navigating to the JmsAdapter in the WebLogic Server Administration Console (navigate to Deployments > JmsAdapter > Monitoring > Outbound Connection Pools), we can see that there are considerable "Rejected Connections":

In the Oracle documentation, the definition of a "Rejected Connection" does not yield too much information:
Rejected Connections:
The total number of rejected requests for a Connector connections in this Connector Pool since the pool is instantiated.

Solution:

Looking deeper into the stack trace in the log above, it seems that getting the connection factory is returning 'null'.

1. Log in to the WebLogic Server Administration Console

2. Navigate to Deployments > JmsAdapter > Configuration > Outbound Connection Pools

3. Expand oracle.tip.adapter.jms.IJmsConnectionFactory and click on the JNDI eis/jms/Order

4. The ConnectionFactoryLocation is empty. Populate this with the appropriate value.

5. Save and redeploy the JmsAdapter.


Applicable Versions:
  • Oracle WebLogic Server 11g (10.3.5+)
  • Oracle SOA Suite 11g (11.1.1.5+) 

 

Tuesday, November 4, 2014

Resolving BEA-101216 and MDS-00054 (composite.xml does not exist) at SOA server startup

Problem:

The soa-infra application was causing the soa_server1 to go into ADMIN mode with the following error in the logs:
<Nov 4, 2014 12:43:22 PM EDT> <Error> <oracle.integration.platform.blocks.cluster> <BEA-000000> <Starting in multicast, rather than unicast, mode for SOA/Coherence clustering. This is not the configuration recommended by the Oracle Enterprise Deployment Guide (EDG). If continuing to use multicast you may run into deployment issues if there are multicast address conflicts with other servers on your network. If attempting unicast operation, make sure the unicast well-known addresses (-Dtangosol.coherence.wka1, -Dtangosol.coherence.wka2,..) and ports are set for scaling out to multiple servers per the EDG.>
INFO: FaultPoliciesParser.<init> ------->Constructed Policy parser 
<Nov 4, 2014 12:44:02 PM EDT> <Warning> <oracle.soa.services.notification> <BEA-000000> <<.> With the current setting, only Email notifications will be sent; Notifications via voice, SMS or IM will not be sent. If you would like to enable them, please configure corresponding sdpmessaging driver. Then modify the accounts and set NotificationMode attribute to ALL in workflow-notification-config.xml>
BPMNServiceEngine=> constructed ....
log4j:WARN No appenders could be found for logger (wsif).
log4j:WARN Please initialize the log4j system properly. 
<Nov 4, 2014 12:45:02 PM EDT> <Warning> <oracle.as.jmx.framework.MessageLocalizationHelper> <J2EE JMX-46041> <The resource for bundle "oracle.soa.management.config.identity.mbeans.MessageBundle_en" with key "ProviderMXBean.SearchableUserAttributMapAdd" cannot be found.> 
<Nov 4, 2014 12:45:23 PM EDT> <Error> <HTTP> <BEA-101216> <Servlet: "FabricInit" failed to preload on startup in Web application: "/soa-infra".
oracle.fabric.common.FabricException: Error in getting XML input stream: oramds:/deployed-composites/HelloWorld_rev1.0/composite.xml: oracle.mds.exception.MDSException: MDS-00054: The file to be loaded oramds:/deployed-composites/HelloWorld_rev1.0/composite.xml does not exist.
at oracle.fabric.common.metadata.MetadataManagerImpl.getInputStreamFromAbsoluteURL(MetadataManagerImpl.java:288)
at oracle.integration.platform.common.MDSMetadataManagerImpl.getInputStreamFromAbsoluteURL(MDSMetadataManagerImpl.java:624)
at oracle.fabric.common.metadata.MetadataManagerImpl.getDocumentAsInputStream(MetadataManagerImpl.java:164)
at oracle.integration.platform.common.MDSMetadataManagerImpl.getDocumentAsInputStream(MDSMetadataManagerImpl.java:486)
at oracle.integration.platform.kernel.FabricKernelInitializerServlet.deployComposite(FabricKernelInitializerServlet.java:762)
Truncated. see log file for complete stacktrace
Caused By: java.io.IOException: oracle.mds.exception.MDSException: MDS-00054: The file to be loaded oramds:/deployed-composites/HelloWorld_rev1.0/composite.xml does not exist.
We are unable to undeploy the faulty composite HelloWorld while the soa-infra application is down.


Solution:

To undeploy a SOA composite application while the soa-infra application is down, perform the following steps.

1. See Oracle Support Doc ID 1380835.1 and download ShareSoaInfraPartition.ear

2. Run the following commands:
cp ShareSoaInfraPartition.ear /u01/app/oracle/middleware/oracle_common/common/bin 
cd /u01/app/oracle/middleware/oracle_common/common/bin 
./wlst.sh 
connect() 
deploy('ShareSoaInfraPartition','ShareSoaInfraPartition.ear',upload='true') 
exportMetadata(application='ShareSoaInfraPartition',server='AdminServer',toLocation='/tmp/ahmed',docs='/deployed-composites/deployed-composites.xml') 
vi /tmp/ahmed/deployed-composites/deployed-composites.xml

3. Delete the lines for the composite you want removed. For example, delete these lines in the file:
<composite-series name="default/HelloWorld" default="default/HelloWorld!1.0"> 
  <composite-revision dn="default/HelloWorld!1.0" state="on" mode="active" location="dc/soa_642a5dc3-5453-447e-b8a8-b707907cb6f6"> 
    <composite dn="default/HelloWorld!1.0*soa_e566512d-69ef-4d29-83dd-c3d38ce14916" deployedTime="2014-02-27T19:02:26.120-05:00"/> 
    <composite dn="default/HelloWorld!1.0*soa_642a5dc3-5453-447e-b8a8-b707907cb6f6" deployedTime="2014-06-23T14:41:03.155-04:00"/> 
  </composite-revision> 
</composite-series>
4. Then run this final command:
importMetadata(application='ShareSoaInfraPartition',server='AdminServer',fromLocation='/tmp/ahmed',docs='/deployed-composites/deployed-composites.xml')
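
Step 3 can be scripted instead of hand-edited in vi. This is an added example, not from the original post or the Oracle Support note: the function names are hypothetical, the sample file is constructed, and it assumes the opening and closing composite-series tags sit on their own lines as shown above.

```shell
# Added example, not from the original post. Sample file below is constructed.

# Print an exported deployed-composites.xml without the <composite-series>
# block whose name attribute equals $1 (e.g. default/HelloWorld).
# The closing quote is part of the match, so default/HelloWorld2 is untouched.
# Exit status 3 means no such series was found, so nothing was removed.
strip_composite_series() {
  awk -v name="$1" '
    index($0, "<composite-series name=\"" name "\"") { skip = 1; hit = 1 }
    !skip                                            { print }
    skip && index($0, "</composite-series>")         { skip = 0 }
    END { exit(hit ? 0 : 3) }
  ' "$2"
}

# Edit the export in place, keeping the original as FILE.orig for rollback.
prune_export() {
  cp -p "$2" "$2.orig" || return 1
  if strip_composite_series "$1" "$2.orig" > "$2"; then
    return 0
  fi
  cp -p "$2.orig" "$2"      # restore: name not found, or awk failed
  return 3
}

# Constructed sample: the post's HelloWorld series plus an unrelated one.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<deployed-composites>
<composite-series name="default/HelloWorld" default="default/HelloWorld!1.0">
  <composite-revision dn="default/HelloWorld!1.0" state="on" mode="active">
  </composite-revision>
</composite-series>
<composite-series name="default/HelloWorld2" default="default/HelloWorld2!1.0">
</composite-series>
</deployed-composites>
EOF
prune_export default/HelloWorld "$demo" && cat "$demo"
rm -f "$demo" "$demo.orig"
```

Run prune_export against the exported file (/tmp/ahmed/deployed-composites/deployed-composites.xml in the steps above) before the importMetadata call; a return status of 3 means the composite name did not match and the file was left unchanged.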

References:
  • Oracle Support Doc ID 1380835.1

Applicable Versions:
  • Oracle SOA Suite 11g (11.1.1.5+) 

 

Monday, November 3, 2014

Big Data by Raastech at WMOUG Fall 15

Getting Started with Big Data Technologies: A Technical Overview

Interested in learning about big data? Please come and join us for an educational presentation by Raastech.

Our very own Apurva Singh will be talking about big data at the upcoming West Michigan Oracle Users Group (WMOUG) conference on November 18 in Grand Rapids, Michigan.


Full agenda: http://wmoug.org/conferences/WMOUGFall14.html