Gavin's Blog

I was pretty chuffed when I saw my "Oracle Beehive - Installed? Now what" blog entry on the home page of THE Oracle Technology Network site.

Except now I think they're just taking the mickey....

"My Three Favourite Experiences at Oracle OpenWorld 2008"... As much as I would have liked to be there to write such an entry, unfortunately I was on the other side of the earth during OOW2008, having to satisfy myself with watching choppy phone camera images and checking out the OracleOpenWorld blog for information...

Jim Lein over at Applications for Midsize Organizations needs the credit for that entry. (It's a good read too, I felt like I was wading in the water with him in his One Fish entry :-)

Alrighty, first attempt at hooking Beehive up with OID and SSO. I love the fact that Beehive is a standalone product, making it easier to deploy quickly and without scrolling through certification matrices making sure it's compatible with your particular version of OID and SSO and Portal and blah blah....

But, what happens when you actually do have OID as your identity source and want to hook it up. I mean, why wouldn't you, you've spent the last 5 years ensuring OID is the source of identity, now Beehive comes along and says, "yeah you can do it, but you don't have to...", well, I WANT TO!

So lets give it a try. This post will concentrate on OID, I'll fire in another entry for the SSO integration.

You may have seen my Beehive 1.3 install not so long ago...

I also just happen to have a fresh new instance of OID 10.1.4.1 sitting around as well.. it's straight out of the box, nothing fancy.

Only one users has been created so far, nice and original:

firstname: first1
lastname: last1
uid: flast1
email: flast1@acme.com

I'm going to be taking my lead from Chapter 11 - Integrating and Synchronizing LDAP with Oracle Beehive of the Oracle Beehive Installation Guide for Linux

I won't go into the in's and out's of how and why and what happens. You can read the install guide for that. I want to actually do it, you can come along for the ride and watch me get bruised and battered by the experience.

Just quickly, this is what it says I should do:

• Create a map between OID and UDS (Oracle Beehive User Directory Service) users/groups - called a profile
• Plug the profile into Beehive
• Enable it
• Test it.
• Get a coffee and relax.

I admit, that last one I put in, but seriously, if you get Beehive hooked up to OID, the jobs almost done. You'll have all your users able to access Beehive, sweet!. OK, so there's the little issue of trying to import the existing data from email and calendar and chat and discussions and workspaces and stuff like that...

OK breathe... in....out....in....out....Sorry, didn't mean to scare you.

Lets get this OID thing done.

Thankfully, (and as expected), to create the map for UDS - OID, a template is provided. (In fact there's more templates than you can poke a stick at!)

Under $ORACLE_HOME/beehive/template/uds is the file - oidprofile_template.xml

We need to update it with our details, I'm not going to write down what I did, coz it's not going to mean much to you, check the guide to see what needs to change.

Here's a tip for new players, make sure you remove the < and > from comments within the xml file...

ie
...
<user_search_base><enter user search base></user_search_base>
<group_search_base><enter group search base></group_search_base>
...

Sounds obvious doesn't it. Depending on where you accidentally leave one, it'll let you upload no probs, then you sit around scratching your head for a few minutes trying to figure out why

[orabee@radium ~]$ beectl list_directory_profiles --file oidprofile.xml

doesn't return anything.... My accidental > was on

<primary_authentication_attribute>uid></primary_authentication_attribute>

No wonder it didn't work.

Another tip, you require the Enterprise name and Organization name for the map, which you can get via

[orabee@radium ~]$ beectl list_enterprises
and
[orabee@radium ~]$ beectl list_organizations --scope <Identifier returned from above query>

But, for some reason, I was getting errors with this last one.

ErrorCode:[BEES-06000,SEVERE,Unexpected error.]
Effect: The requested operation cannot be performed
Action: Contact system administrator.

I ended up restarting the whole lot and it worked after that... strange.

Hmm, another tip, since I'm here...

If an entry in the XML file is not mandatory (don't ask me how you figure that out :-) you can just remove the line. Don't leave the line in with the default comment, or remove the comment and leave the <field></field> there, neither get past the XML parser. (And yet the added > did...)

Ummm, what else.

You need the obfuscated password for orcladmin in the profile. This is an easy one:

$ beectl obfuscate
--DON'T FORGET, it's the ORCLADMIN password you're obfuscating, not beeadmin's...

Final tip.

Step E: Providing Scope and Membership Mapping Information was a bit confusing at first, until I read the bit below

This excerpt maps the following entries:
* A user that is under the attribute OU=Alpha will be scoped within the organization My_Organization.
* A user that is under the DN dc=us,dc=oracle,dc=com will scoped within the enterprise My_Enterprise. A user that is under the attribute dc=external,dc=us,dc=example,dc=com will scoped within the same enterprise (My_Enterprise). The same user will be a member of the organization My_Organization.

Which, because my OID install is Vanilla, I don't care about, so the first section in the guide can be ignored... might be handy in future when trying to map multiple Organizations.

The whole back half of the map I didn't touch, from <directory_attribute_map> down, as I don't have anything in particular in OID I want mapped across. If you've got something you require mapping, you'll need to look at that bit in more detail.

So after all that, this is how the profile upload should look...

[orabee@radium uds]$ beectl add_directory_profile --file oidprofile_template.xml

Start profile OID_BEEHIVE_PROFILE validation.
Successfully validated the profile OID_BEEHIVE_PROFILE.
Changes to configuration repository are not activated.
Successfully added 1 directory profiles.

Even though it shows it's already ENABLED, I figured why not:
[orabee@radium uds]$ beectl modify_property --component OID_BEEHIVE_PROFILE --name ProfileState --value ENABLE

[orabee@radium uds]$ beectl activate_configuration
Proposed configuration is saved successfully and activated now.

Let's grab the users from OID ready to test the map.

[orabee@radium uds]$ beectl download_ldap_user_data --file UsersFromLdap.xml --profile OID_BEEHIVE_PROFILE

File:$ORACLE_HOME/templates/uds/UsersFromLdap.xml is generated on host:radium
See the log files for this run on machine radium.
LDAP User extraction messages.
Successfully extracted data for 3 users.
Failed to extract data for 0 users.
Total users 3.
User XML generation messages.
Successfully generated xml data for 3 users.
Failed to generate xml data for 0 users.
Total users 3.

Looking at the file generated, I've got orcladmin, PUBLIC, and my flast1 user.

Let's add them to Beehive.

[orabee@radium uds]$ beectl add_user --file UsersFromLdap.xml --ldapbootstrap

Created 1 users.
Failed to create 2 users.
Total users 3.
User : PUBLIC addition failed. Reason: The specified address is invalid
User : orcladmin addition failed. Reason: The specified address is invalid

Sounds about right, neither PUBLIC or orcladmin had email addresses, so why should it add them.

BTW, the reason for adding the users is that since we've got the synchronisation happening between OID and Beehive's UDS (User Directory Service), all future changes will be brought across, it's everything before now that we needed to get.

OK, time to switch across to ldap for the Authentication Service

[orabee@radium uds]$ beectl list_properties --component _AuthenticationService --name AuthStoreType

-----------------+--------------------------------------------------------------
Property name | Property value
-----------------+--------------------------------------------------------------
AuthStoreType | db
-----------------+--------------------------------------------------------------

[orabee@radium uds]$ beectl modify_property --component _AuthenticationService --name AuthStoreType --value ldap

Changes to configuration repository are not activated.
Successfully stored the property for component id 2a7e1102-4ceb-4a14-8815-72503ba958f1.

[orabee@radium uds]$ beectl activate_configuration ; beectl modify_local_configuration_files

BEECTL figured out it needs a restart to move across, so down it goes, and up it comes...

[orabee@radium uds]$ beectl list_properties --component _AuthenticationService --name AuthStoreType

-----------------+--------------------------------------------------------------
Property name | Property value
-----------------+--------------------------------------------------------------
AuthStoreType | ldap
-----------------+--------------------------------------------------------------

Check if the user authenticates...

orabee@radium uds]$ beectl
beectl> login --authuser flast1 --authpassword XXXXXX
User flast1 is successfully authenticated and logged in.

Awesome, now for the big test, create a user in OIDDAS and see how it goes. Yep you guessed it:

firstname: first2
lastname: last2
uid: flast2
email: flast2@acme.com
User created, now, remembering the following entry in the profile...

[orabee@radium uds]$ beectl list_properties --component OID_BEEHIVE_PROFILE --name PollInterval

-----------------+--------------------------------------------------------------
Property name | Property value
-----------------+--------------------------------------------------------------
PollInterval | 600
-----------------+--------------------------------------------------------------

I've got 5 minutes to wait before getting worried, I'm off for a coffee...

Would you look at that. my flast2 user can log in (on the right), but not only that, have a look at where I'm coming from.. my DMZ install.

How easy was that... Next time, SSO.

If you've been following my installing and configuring antics over the last few weeks, get ready for some fun as we go through our first upgrade....

That's right people, Beehive 1.4.1 has just been released, so get your skates on, class starts as soon as I've downloaded 1.4.1...

In the meantime, we should update the bookmarks as well..

Beehive 1.4.1 Doco Home is where to go for all the latest.

But specifically for our install / config purposes... is the Linux Install Guide.

While I'm here and have your attention, lets look at What's New in Beehive 1.4.1

• Oracle Beehive Central
• OpenLDAP Support
• Support for Microsoft Windows Terminal Services
• Profile Migration Tool for Oracle Beehive Integration for Outlook
• Oracle Universal Records Management (Oracle URM) Configuration Using Oracle Beekeeper
• Task Coexistence with Microsoft Exchange Server 2003 Deployments
• SMPP Certification for Clickatell
• Actionable Notifications
• Automatic Groups for Managers, Peers, and Direct Reports

Bit of a list. I won't be going through all of them, (as I don't have a spare Microsoft SBS 2003 server to test Windows Terminal Services OBIO and Task coexistence, etc etc) but pretty cool stuff.

I know the Profile Migration Tool and Oracle Beehive Central will be quite important when it comes to migrating users into Beehive, so I'll probably cover them when the first migration rolls along...

The Automatic Groups for Managers, Peers and Direct Reports is nice. It's something in effect within Oracle ( we run Beehive internally @ Oracle). It means that to get hold of your boss, you don't have to feel bad about trying to get them to authorize you as a buddy, just so you can get hold of them, they're just there.

The Oracle URM configuration would be cool to do. Maybe one day...

BTW, there was also a new Release of Beekeeper 1.4.1 the other day I forgot to mention... I'll install that as part of the upgrade. Now that I know how to use beectl in anger I don't feel so bad becoming a point & click DBA :-)

I don't know about you, but I always try and get to know a product on the command line fully before migrating to the GUI version. I like to know that if things really go bad, and you can only get to the environment via SSH. You're not left there thinking "How do I extend that tablespace? I need a browser to get to DBControl...". Which is why I haven't covered Beekeeper yet...

So, exciting times ahead.

BTW, if you didn't take the plunge with me when I installed Beehive against 11.1.0.6. It's time to upgrade as :

Oracle Beehive requires an existing database with the following characteristics: Uses one of the follwing databases installed on any supported operating system:

• Oracle Database 10g Release 2 (10.2.0.1) Enterprise Edition with one of the following patch sets:
  • Oracle Database 10g Release 2 (10.2.0.3) Patch Set 2
  • Oracle Database 10g Release 2 (10.2.0.4) Patch Set 3
• Oracle Database 11g Release 1 (11.1.0.6) Enterprise Edition

Until next time.

OK. Oracle Homes backed up, check. Database backed up, check. Beehive1.4.1 software downloaded and extracted, check.

I'm in a bit of a dilemma though... Do I upgrade my 1.3.1 to 1.4.1, or just do a fresh install of 1.4.1? In my Post install config, you'll notice I'm not quite up to configuring and testing Mail. So is doing an upgrade really worth seeing with my measly 2 users. I suppose theoretically it shouldn't matter if I've got 2 or 20,000 users, or any data stored for these users. I mean, obviously the timing may differ (I assume), but I doubt you the reader would be wondering how long it takes me to do an upgrade, (that's why you have test systems - do it yourself). So, 1.4.1 install would be cleaner.

Before we get to that, I kind of need to warn you about something, I've only just found it, and therefore haven't found the solution yet.

I can't log in as beeadmin....

I know I know, it's just a small issue. I didn't notice the other day after finishing the LDAP sync (as I was just excited to get it working). I hadn't had a chance until now to look at the environment to get ready for the Beehive 1.4.1 upgrade. (Those long time readers know I'm an Oracle Consultant, so I only get to play with Beehive after hours.)

I tried logging in as beeadmin. It didn't work, I thought I'd had the wrong password, (being a Consultant, you have to remember dozens of passwords). So went to change the password. Which then meant spending the next 1/2 hour figuring out if I had the right syntax. Every time I ran

[orabee@radium ~]$ beectl modify_user --user loginid=beeadmin --login_password

I got:

[orabee@radium ~]$ beectl command failed. See the log file for more details.
Profile doesnot have attribute mapping

Looking at the log I don't see much at all... Even when I fire it up with --log_level FINER I couldn't see anything pinpointing the error, so I'm assuming there's something wrong with my map between LDAP and UDS.

Maybe that's why I can't log in as beeadmin...Back I go.

[orabee@radium ~]$ beectl modify_property --component _AuthenticationService --name AuthStoreType --value db
[orabee@radium ~]$ beectl activate_configuration ; beectl modify_local_configuration_files

Tried logging in again as beeadmin, which... of course, works with the password I thought it was. Hmmm.

OK, so where does that leave me. My beeadmin password was correct after all, and if I tie in OID again, it's not going to let me log back in because of this attribute mapping issue.

Time to pull apart and rebuild my map. I'll let you know how I go.

If you have any suggestions, let me know.

In case you missed it...

Beehive is now available to download from OTN. License agreements exist of course, please read before downloading.

Oracle Beehive Server Release 1 (1.4.1.0.0)

Download for Linux x86 (1,347,603,286 bytes) (cksum 2044562054)

Oracle Beekeeper Release 1 (1.4.1.0.0)

Download for Linux x86 (391,197,087 bytes) (cksum 2194524481)

At the moment it's Linux only. Windows and Solaris people, I'll let you know when I do...

Gavin

OK. So if you didn't see my entry on my little mishap with beeadmin, you might not know what I mean when I say:

We're back on track people!

OID is back as the Authentication Store type...

[orabee@radium ~]$ beectl modify_property --component _AuthenticationService --name AuthStoreType --value ldap

Which means beeadmin is no longer available. So (going in the opposite direction of what Richard and I talked about in the last entry...) I'll just give flast1 the same privileges as beeadmin and carry on...

Which was harder that I expected. Not having Beekeeper installed I couldn't just follow ML Note 738077.1, I thought, "no probs, I'll just do the same thing from the beectl command line and that'll be that."

I started my investigations at the "Managing and Provisioning Oracle Beehive Users" chapter of the Beehive 1.3 Administrator's Guide. Good a place as any.

I'm always on the look out for little gems of information, I found a good one:

[orabee@radium ~]$ beectl list_commands --category users

Gives you all the commands you could run to do with users. (in this case) ie

[orabee@radium ~]$ beectl list_commands --category users

----------------------------+---------------------------------------------------
Name | Description
----------------------------+---------------------------------------------------
add_external_contact | Creates an external contact in the given scope
add_group | Adds a group containing users
add_preference_property | Adds a new preference property to a preference set
add_preference_set | Adds a preference set to a preference profile.
add_user | Creates a user in the given scope
.
.
.
modify_group | Modifies group
modify_preference_set | Modifies the preference set by setting the extends
modify_user | Modifies a user present in an enterprise or organization

Pretty nifty I thought as I tested a few more categories.

Getting back on track, I skipped down to "Managing User Accounts"

Roles are an intrinsic part of Oracle Beehive access control.

Hmmm, sounds ominous..

It sent me across to Managing Oracle Beehive Access Control to continue investigating..

OK. I'm not going to go too far into it, coz it gets pretty hairy around the privileges and roles and role definitions and assigned roles and access control entities, did my head in... but to summarise...

I wanted to give my user flast1 the same privileges as beeadmin......right
I found out the role is called enterprise-system......right
I figured the way to see any details on this role is to look at the currently assigned roles coz it IS currently assigned to beeadmin.....

[orabee@radium seed]$ beectl list_assigned_roles

Lots of good information, look for the enterprise-system role, and whatever the ID which includes ....acar... in it

Which theoretically means I can assign that same role to flast1 by doing....

[orabee@radium seed]$ beectl modify_assigned_role --assigned_role 5C66:6F68:acar:AC85D09E2F5247D08F0E60DB12F57335000000000001 --add_accessor loginid=flast1

(You're obviously going to have a different role id...)

done.

DO YOU KNOW HOW LONG IT TOOK ME TO FIGURE THAT OUT!! And here I am giving it to you for free...

All because I want to hurry up and get the 1.4.1 installed, so I can install Beekeeper 1.4.1 and stop my brain hurting like that again...

Anyway. As my blog title says. Onward and Upgrade...

Upgrade Beehive 1.3.1 to Beehive 1.4.1

It was pretty straight forward really. Extract out the Beehive141 installer, run it.

It'll say "hey, I've found an old install, wanna upgrade it" (ok, not in those words exactly..)

You say "Yes, Yes I would thankyou".

It shows you the old ORACLE_HOME path, (just to show off,) you say "Yep, that's the one.)

It then wanders off for a few seconds, to come back and say "hey, shut it down for me, oh and by the way, I can't tell if your DMZ install is down, since it's on the other side of a firewall, so click here when you reckon it's down." (again, not quite the same words)

The summary tab, and then we're off and running.

BTW, I did end up jumping in Thunderbird and sending a few emails between my two users... so I've now got heaps of data to have upgraded... (all of 4 emails and a draft...)

OK, File updates done, now onto the config..

And there you go. Upgraded. Now to go test it.

Interesting that SMTP and IMAP aren't listening on the ports I specified earlier (25,143)...

Lets see why.. first port of call.. hasbind..

[orabee@radium bin]$ cd $ORACLE_HOME/beehive/bin
[orabee@radium bin]$ ls -l hasbind*
-rwx------ 1 orabee oinstall 32530 Oct 24 21:51 hasbind
-rws--s--x 1 root oinstall 32538 Aug 18 19:02 hasbind.orig

There you go, new binary without the root permissions. Let's change it and restart..

Yep, All looks good. All three of my emails are there too :-)

Oh, and by the way. Guess what I found after all this...

This, here it is if you're too lazy to click a link...

Note: If you configure Oracle Beehive with an external, LDAP-based user directory, unless there is a BEEadmin account in that external directory which is marked to synchronize with Oracle Beehive, the BEEadmin account will be deleted when you first synchronize. This is because all Oracle Beehive accounts must be mastered in the external directory.

So does that mean I can just create a beeadmin account in OID and viola. hmmm. I'll have to try that later...

Oracle Beehive 1.4.1 has been released for Windows (32-bit) and Solaris (SPARC 64-bit). Keeping up with it, is Beekeeper 1.4.1, which has also been released for the two platforms. Download from OTN or eDelivery.

Oracle Beehive Server Release 1 (1.4.1.0.0)

• Download for Linux x86 (1,347,603,286 bytes) (cksum 2044562054)
• Download for Windows (32-bit) (1,310,988,839 bytes)
• Download for Solaris (SPARC 64-bit) (1,395,744,737 bytes) (cksum 249453655 )

Oracle Beekeeper Release 1 (1.4.1.0.0)

• Download for Linux x86 (391,197,087 bytes) (cksum 2194524481)
• Download for Windows (32-bit) (351,663,926 bytes)
• Download for Solaris (SPARC 64-bit) (422,951,416 bytes) (cksum 2201227006)

It would be interesting to hear what other platforms people are hoping to see... post a comment below.

Happy installing. Let me know how you go.

Gavin

Just a quick entry this time, not because I don't have anything to say, just because I reckon installing Beekeeper 1.4.1 will be so easy...

Here we go. Extract the installer, run it, plug in the Oracle Home, database location and credentials, hit GO.

I was going to get some screenshots for you, but by the time I jumped to my other screen to open "Grab" (my Mac screenshot program) to jump back and get a screen shot, it was too late...

All I got was this.

The installer had finished, and was now 1/2 way through the config.

So now as I write this and try to remember how to upload images, it's probably already finished config...let me check.

hmm. ok. One slight issue.. the config screen has fallen in a heap. OK. So not quite... the "Oracle Beekeeper Framework Deployment" failed, lets retry (I always retry straight away just incase it's a glitch), nup, failed.

I'm sure that's not what it's meant to do. Time for some investimigating...

Looking at the output in the configwizard shows you to the error log $OC4J_HOME/log/oc4j/diagnostics.log which I would interpret as $ORACLE_HOME/j2ee/home/log,etc,etc.

Oh, easy one.

oracle.ocs.management.config.OcsConfigException: java.io.FileNotFoundException: $ORACLE_HOME/beehive/conf/beehiveconfig.xml (Too many open files)

what's my files limit?

[orabee@radium ~]$ ulimit -n
1024

Yep, that'd do. Especially since this is the same user/server as my main Beehive install.

Quick jaunt into /etc/security/limits.conf as root and we're back on track. Obviously I can't continue the installer with the current limits. So time to cancel and start again.

Just a few tips before jumping back into it...

• If you're on a VNC connection, make sure you've got the correct limits before restarting the installer so you don't hit the error again,
• and don't forget, OPMN was started with the old limits, so that needs to go down and come up with the correct limits.

Processes in Instance: Beekeeper
---------------------------------+--------------------+---------+---------
ias-component | process-type | pid | status
---------------------------------+--------------------+---------+---------
BEEHIVECONTROL | BEEHIVECONTROL | 2556 | Alive

[orabee@radium bin]$ ./opmnctl stopall
opmnctl: stopping opmn and all managed processes...
[orabee@radium bin]$ ulimit -n
10000 --- muuuchh better. :-)
[orabee@radium bin]$ ./opmnctl startall
opmnctl: starting opmn and all managed processes...
[orabee@radium bin]$ ./opmnctl status

Processes in Instance: Beekeeper
---------------------------------+--------------------+---------+---------
ias-component | process-type | pid | status
---------------------------------+--------------------+---------+---------
BEEHIVECONTROL | BEEHIVECONTROL | 3269 | Alive

OK. So where to from here? Here's an assumption for ya.... When I installed Beekeeper, it didn't give me the option to just install and do the config later, (I mean why would it - you've obviously got Beehive running already to want to install BK).. but we've just canceled the configuration wizard, which means it's installed and only 1/2 configured.

So, let's see if $ORACLE_HOME/beehive/oobwiz/configWizard is there.. (that's the same spot the Beehive configuration wizard is.)

Isn't that handy, it's there, so i fired it up, it asked for the schema password and then continued from where it failed. Nice one.

And we're done.

Time to have a look around.

Interesting that I can't log into Beekeeper as my flast1 user, but I can with Beeadmin. I know, I haven't done Configuring Oracle Beekeeper for LDAP-Based Authentication yet. One of the post installation steps of Beekeeper. But it's interesting that the two admin tools use different authentication methods.

Login as Beeadmin (I remember the password :-) .

I'll leave it there for now, slightly longer than originally though.