Friday, September 29, 2017

Apache hardening

Don't forget to add these to your Apache (or OHS) configuration in httpd.conf:
Header set X-XSS-Protection "1;mode=block"
Header set Content-Security-Policy "default-src *;"
Header set X-Content-Type-Options "nosniff"
Header set Cache-Control "no-store"
Header set X-Frame-Options SAMEORIGIN

Happy hardening!


Applicable Versions
  • Apache
  • Oracle HTTP Server (OHS) 11g/12c

 

Thursday, September 28, 2017

Include multiple domains in ALLOW-FROM for X-Frame-Options (Apache)

Every forum, blog post, and piece of documentation online will tell you the same thing: that it is not possible to whitelist multiple domains with X-Frame-Options, and that you should use Content-Security-Policy or some complicated and messy JavaScript instead.

I'm here to tell you that they're all wrong.

Here is a snippet of my httpd.conf file:
# For obvious security reasons
Header set X-Frame-Options SAMEORIGIN

<Location /myapp>
  # For the context /myapp, whitelist multiple domains
  Header append X-Frame-Options "ALLOW-FROM https://raastech.com"
  Header append X-Frame-Options "ALLOW-FROM https://raastechmobile.com"
</Location>

If you open up Developer Tools (F12) in IE 11, you can confirm that the header will show the following:
X-Frame-Options: SAMEORIGIN, ALLOW-FROM https://raastech.com, ALLOW-FROM https://raastechmobile.com
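A way to verify both of the above from the server's actual responses, as an added example that is not part of the original posts: it parses a raw response header block and reports the hardening headers from the first post that are missing or malformed, and lists the X-Frame-Options directives produced by the Header append snippet. The sample response is constructed here, not captured from a real server, and deliberately carries the "l;mode=block" typo so the check has something to flag.

```python
from __future__ import annotations
import re

# Constructed sample response (not captured from a real server): it carries the
# "l;mode=block" typo (lowercase L instead of 1) and the multi-value
# X-Frame-Options header shown in the IE 11 Developer Tools above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: l;mode=block\r\n"
    "Content-Security-Policy: default-src *;\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-store\r\n"
    "X-Frame-Options: SAMEORIGIN, ALLOW-FROM https://raastech.com, "
    "ALLOW-FROM https://raastechmobile.com\r\n\r\n"
)

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lowercased header names to their values; repeated headers keep order."""
    headers: dict[str, list[str]] = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(headers: dict[str, list[str]]) -> list[str]:
    """Return findings for the hardening headers set in httpd.conf above."""
    findings: list[str] = []
    xss = headers.get("x-xss-protection")
    if not xss:
        findings.append("X-XSS-Protection missing")
    elif not re.fullmatch(r"1(;\s*mode=block)?", xss[0]):
        findings.append(f"X-XSS-Protection malformed: {xss[0]!r}")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if headers.get("cache-control", [""])[0].lower() != "no-store":
        findings.append("Cache-Control is not no-store")
    csp = " ".join(headers.get("content-security-policy", []))
    if re.search(r"default-src\s+\*", csp):
        findings.append("CSP default-src * permits any origin")
    # Appended X-Frame-Options values arrive as one comma-joined list (or repeats).
    xfo = ",".join(headers.get("x-frame-options", []))
    directives = [d.strip() for d in xfo.split(",") if d.strip()]
    if not directives:
        findings.append("X-Frame-Options missing")
    elif len(directives) > 1:
        findings.append(f"X-Frame-Options carries {len(directives)} directives; RFC 7034 defines one")
    if any(d.upper().startswith("ALLOW-FROM") for d in directives):
        findings.append("ALLOW-FROM is not supported by Chrome or Safari")
    return findings
```

Feed it the header block from curl -i (or the Developer Tools network tab) for each context you protect; an empty findings list means the headers match the configuration.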


Applicable Versions
  • Apache

 

Thursday, September 14, 2017

IAU-5047: Problem in transferring audit record

Problem

You may receive these errors in the logs when starting up the OAM AdminServer:
####<Jun 28, 2017 7:35:08 PM GMT> <Error> <oracle.jps.common> <oamhost1.raastech.com> <AdminServer> <AuditLoaderRunner> <<WLS Kernel>> <> <0000LngIa0d3V805zzc9yW1PKkHg00000T> <1498678508558> <BEA-000000> <IAU:IAU-5047: Problem in transferring audit record from file:/u01/app/oracle/middleware/user_projects/domains/oamdomain/servers/AdminServer/logs/auditlogs/OAM/audit.log position:12,485 will retry in next cycle. caught exception oracle.security.audit.AuditException: javax.naming.NameNotFoundException: Unable to resolve 'jdbc.AuditDB'. Resolved 'jdbc'; remaining name 'AuditDB'
        at oracle.security.audit.ajl.loader.OracleRepository.createConnection(OracleRepository.java:131)
        at oracle.security.audit.ajl.loader.OracleRepository.<init>(OracleRepository.java:75)
        at oracle.security.audit.ajl.loader.JDBCLogWriter.reinit(JDBCLogWriter.java:68)
        at oracle.security.audit.ajl.loader.JDBCLogWriter.write(JDBCLogWriter.java:115)
        at oracle.security.audit.ajl.loader.AuditLoader.readMessages(AuditLoader.java:516)
        at oracle.security.audit.service.AuditLoaderManager.readMessages(AuditLoaderManager.java:324)
        at oracle.security.audit.service.AuditLoaderManager$Runner.run(AuditLoaderManager.java:410)
Caused by: javax.naming.NameNotFoundException: Unable to resolve 'jdbc.AuditDB'. Resolved 'jdbc'; remaining name 'AuditDB'
        at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1148)
        at weblogic.jndi.internal.BasicNamingNode.lookupHere(BasicNamingNode.java:258)
        at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:182)
        at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:206)
        at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:220)
        at weblogic.jndi.internal.WLEventContextImpl.lookup(WLEventContextImpl.java:254)
        at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:412)
        at javax.naming.InitialContext.lookup(InitialContext.java:411)
        at oracle.security.audit.ajl.loader.OracleRepository.createConnection(OracleRepository.java:110)
        ... 6 more
>
####<Jun 28, 2017 7:35:08 PM GMT> <Error> <oracle.jps.common> <oamhost1.raastech.com> <AdminServer> <AuditLoaderRunner> <<WLS Kernel>> <> <0000LngIa0d3V805zzc9yW1PKkHg00000T> <1498678508558> <BEA-000000> <IAU:IAU-5048: Problem in transferring audit record to Audit Store null null. Please verify your Audit Store configuration>

Solution

1. Target the AuditDB datasource to the AdminServer.

Applicable Versions
  • Oracle Access Manager 11g

 

Tuesday, September 12, 2017

Getting "An unexpected error occurred" when deploying an OSB project

Problem:

When deploying an OSB project, you may get the following uninformative error on the OSB Console:
An unexpected error occurred.
The following error appears in the AdminServer.out file:
####<Mar 3, 2017 5:03:21 PM GMT> <Error> <netuix> <osbhost1> <AdminServer> <[ACTIVE] ExecuteThread: '39' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <685ea1de428af539:-5fcff8e9:82f2515a61f:-8000-0000000000003938> <1488560601009> <BEA-423137> <There was an error loading the requested URI null.>

####<Mar 3, 2017 5:03:21 PM GMT> <Error> <netuix> <osbhost1> <AdminServer> <[ACTIVE] ExecuteThread: '39' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <de428af5685ea139:-5fcff8e9:15a61f82f25:-8000-0000000000003938> <1488560601009> <BEA-423223> <There was an error while running a lifecycle stage :: Lifecycle: UIControl.render :: for the control :: null ::.
com.bea.netuix.nf.UIControlException: com.bea.portlet.adapter.scopedcontent.ActionLookupFailedException: java.lang.NoSuchMethodError: org.apache.commons.io.IOUtils.readFully(Ljava/io/InputStream;[B)V
        at com.bea.netuix.servlets.controls.content.NetuiContent.checkPreRenderExceptions(NetuiContent.java:404)
        at com.bea.netuix.servlets.controls.content.NetuiContent.beginRender(NetuiContent.java:343)
        at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:485)
        at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518)

Solution:

1. The OSB configuration JAR is missing the ExportInfo file; the JAR must contain it for the deployment to succeed.
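A pre-deployment check for this cause, as an added example that is not part of the original post: it opens the OSB configuration JAR as a ZIP archive and reports whether ExportInfo is present at the root, distinguishing a missing file from one packed under a subdirectory. The sample JARs are constructed in memory for the example; real OSB exports carry many more entries.

```python
from __future__ import annotations
import io
import zipfile

def build_sample_jar(with_export_info: bool, nested: bool = False) -> bytes:
    """Construct a minimal in-memory JAR for this example (not a real OSB export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MyProject/MyProxy.ProxyService", "<placeholder/>")
        if with_export_info:
            # A nested ExportInfo simulates a JAR zipped from one directory level too high.
            zf.writestr("MyProject/ExportInfo" if nested else "ExportInfo", "<placeholder/>")
    return buf.getvalue()

def preflight(jar_bytes: bytes) -> list[str]:
    """Return findings about ExportInfo placement; an empty list means the JAR looks deployable."""
    problems: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["file is not a valid JAR/ZIP archive"]
    if "ExportInfo" not in names:
        nested = [n for n in names if n.endswith("/ExportInfo")]
        if nested:
            problems.append(f"ExportInfo is nested ({nested[0]}), not at the JAR root")
        else:
            problems.append("ExportInfo file is missing")
    return problems
```

Run preflight over the bytes of sbconfig.jar before importing it through the console, so the cause is reported by name instead of as "An unexpected error occurred".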


Applicable Version:

  • Oracle Service Bus (OSB) 11g (11.1.1.9)


Monday, September 11, 2017

"The user account is locked or disabled" when logging in with Oracle Access Manager SSO

Problem

When trying to log in with SSO against Oracle Access Manager 11g, you see the following error on the screen:

The user account is locked or disabled. Please contact the System Administrator.

Solution

Check all of the following.

1. OID is down, or the password for cn=orcladmin configured in OAM needs updating.

2. Confirm that OID is running:

oracle@oamhost1:/home/oracle> ${MW_HOME}/asinst_1/bin/opmnctl status -l

3. Confirm that OAM can connect to OID.

a. Log in to the OAM Console.

b. Navigate to Configuration > User Identity Stores.

c. Edit OIDStore.

d. Click on "Test Connection".


Applicable Versions
  • Oracle Access Manager 11g

 

Wednesday, September 6, 2017

Getting "httpd.worker': double free or corruption" when starting up OHS

Problem

Starting up OHS fails.

This error appears in ${OHS_LOGS}/ohs1.log:
--------
17/06/17 02:37:46 Start process
--------
/u01/app/oracle/middleware/Oracle_WT1/ohs/bin/apachectl startssl: execing httpd
[Sat Jun 17 02:37:46 2017] [warn] Errors will be logged into /u01/app/oracle/middleware/Oracle_WT1/instances/obiee/diagnostics/logs/OHS/ohs1/ohs1.log
[Sat Jun 17 02:37:47 2017] [warn] Errors will be logged into /u01/app/oracle/middleware/Oracle_WT1/instances/obiee/diagnostics/logs/OHS/ohs1/ohs1.log
*** Error in `/u01/app/oracle/middleware/Oracle_WT1/ohs/bin/httpd.worker': double free or corruption (out): 0x0000000001821300 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7c503)[0x7f3a1f9ab503]
/u01/app/oracle/middleware/Oracle_WT1/lib/libnnz11.so(nzumfree+0x64)[0x7f3a1f03aefa]
/u01/app/oracle/middleware/Oracle_WT1/lib/libnnz11.so(nztiFIC_Free_Identity_Contents+0x45)[0x7f3a1f06f2d3]
/u01/app/oracle/middleware/Oracle_WT1/lib/libnnz11.so(nztiDI_Destroy_Identity+0x3a)[0x7f3a1f06f268]
/u01/app/oracle/middleware/Oracle_WT1/lib/libnnz11.so(nztiFIL_Free_Identity_List+0x5a)[0x7f3a1f06f21a]
/u01/app/oracle/middleware/Oracle_WT1/lib/libnnz11.so(nztnFPC_Free_Persona_Contents+0x45)[0x7f3a1f072ec1]

If you comment out the ssl.conf line in httpd.conf, it starts up fine.


Solution

1. The certificate chain in trust.jks was incomplete.

In this case, the identity certificate was signed by CA4, and the trust store was missing the intermediate and root certificates for that CA.

To import those certificates into the trust keystore:
keytool -import -alias PRODCA4 -file PRODCA4.crt -keystore /u01/app/oracle/middleware/keystore/trust.jks

keytool -import -alias PRODTreasury -file PRODTreasury.crt -keystore /u01/app/oracle/middleware/keystore/trust.jks
 
Applicable Versions
  • Oracle HTTP Server (OHS) 11g (11.1.1.9.0)