Wednesday Apr 06, 2016

Moving On

After 12 years working with Stellent/Oracle Content Management products I am moving to the Oracle Consulting Security Practice. I have worked with a lot of great companies and fantastic people over the last 12 years. My last count of customers was 43. I am looking forward to the new challenges of helping customers solve their security challenges. Thanks to everyone I have worked with over the past 12 years. I have learned a lot from all of you. 

This blog will remain available and you can find me blogging about my new experiences with Oracle Security products at the Consulting Security Corner blog.

Friday Oct 02, 2015

SSL Issues in Google Chrome

I am starting to hate Google Chrome. First they take away Java applet support and now they are making my web sites look bad by giving warnings on the SSL certificates for my sites that other browsers don't seem to care about.

Of course this is probably a good idea. We don't want our web sites using insecure protocols.

I ran into this at a customer recently for a WebCenter Portal site. We had Oracle HTTP Server (OHS) as the web front-end to WebCenter Portal and all pages were SSL encrypted. The customer was switching from Internet Explorer to Chrome as their default browser. The first time they launched the site in Chrome the URL icon showed them a nasty icon.

 When you click on the icon, Chrome tells you that it doesn't like the SSL configuration of the site because the SSL certificate is signed with SHA-1.

It also warns you that the connection is using TLS 1.0.

I will cover both of these issues.


Chrome considers any certificates signed by SHA-1 to be no good. It is important to note that this not only applies to the user certificate for your site, but also the trusted certificate(s) used to sign the user certificate. You should view the user certificate for your site and determine if it is signed by SHA-1 or if the problem is up the chain. You want a certificate signed with SHA256.

This note on My Oracle Support contains details on how to determine which certificate is the cause of your problems.

Oracle Support Document 1368940.1 (How To Identify The Correct Trusted Root Certificate Authority Certificate(s) for a User Certificate?)
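To find out which certificate in the chain carries the SHA-1 signature, the following added example (not from the original post or from the Oracle note) splits a PEM bundle and reports each certificate's signature algorithm using the openssl command line. The function names classify_sigalg and audit_chain and the bundle file name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: list the signature algorithm of
# every certificate in a PEM bundle and flag SHA-1/MD5/MD2 signatures.

# classify_sigalg NAME: print "weak" for SHA-1/MD5/MD2 based signatures, else "ok".
classify_sigalg() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *sha1*|*md5*|*md2*) echo weak ;;
    *)                  echo ok ;;
  esac
}

# audit_chain BUNDLE: print one line per certificate found in BUNDLE.
# Returns 0 if no weak signature was found, 1 if at least one was found,
# 2 if openssl is missing or the bundle holds no parseable certificate.
audit_chain() {
  local bundle=$1 tmpdir f alg subject verdict count=0 weak=0
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  tmpdir=$(mktemp -d) || return 2

  # Write each PEM block to its own file so openssl can parse them one by one.
  awk -v dir="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"

  for f in "$tmpdir"/cert*.pem; do
    [ -e "$f" ] || continue
    # The first "Signature Algorithm:" line is the one inside the signed data.
    alg=$(openssl x509 -in "$f" -noout -text 2>/dev/null |
          awk '/Signature Algorithm:/ { print $3; exit }')
    if [ -z "$alg" ]; then
      echo "skipping unparseable certificate block" >&2
      continue
    fi
    subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
    verdict=$(classify_sigalg "$alg")
    count=$((count + 1))
    if [ "$verdict" = weak ]; then weak=$((weak + 1)); fi
    printf '%-4s  %-26s %s\n' "$verdict" "$alg" "$subject"
  done
  rm -rf "$tmpdir"

  [ "$count" -gt 0 ] || { echo "no certificates found in $bundle" >&2; return 2; }
  [ "$weak" -eq 0 ]
}

# Usage (chain.pem is a hypothetical name for the concatenated chain):
#   cat user.crt intermediate.crt root.pem > chain.pem
#   audit_chain chain.pem
```

The same check works on a CSR before it is sent to the CA: openssl req -in mysite.csr -noout -text prints the same Signature Algorithm line.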

To get a certificate signed with SHA256 you need to create a new Certificate Signing Request (CSR) and send it to your certificate authority who will reissue the certificate signed with SHA256.

The problem we ran into with this is that the current versions of Oracle tools like orapki do not allow you to generate a SHA256 CSR. We found a workaround by exporting the wallet to a PKCS#12 file and using openssl to generate the CSR. You can find the details on how to generate a SHA256 CSR from this note on My Oracle Support.

Oracle Support Document 1939223.1 (Is it Possible to Generate SHA2 Certificate Signing Requests with Oracle Wallet Manager or ORAPKI in FMW 11g)

We used these steps as part of our overall procedure to update our certificates to SHA256:

Create a new wallet. You could probably use the existing wallet used by your site, but we decided to create a new wallet.

orapki wallet create -wallet walletdir -auto_login

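Add the CSR to the wallet. There is a bug with the orapki command that requires the password to be specified on the command line. If you omit the -pwd option it will not prompt you for the password and the command will fail. Note that a password passed this way ends up in the shell history and is visible in the process list while the command runs.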

orapki wallet add -wallet walletdir -dn 'XXX' -keysize 2048 -pwd PWD

Generate the CSR. We will not use this CSR, but this step still needs to be done.

orapki wallet export -wallet walletdir -dn 'XXX' -request mysite.csr -pwd PWD

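Export the contents of the wallet's PKCS#12 file (ewallet.p12) to a PEM file. The -nodes option writes the private key unencrypted, so restrict access to oracle_wallet.pem and delete it once the CSR has been generated.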

openssl pkcs12 -in ewallet.p12 -nodes -out oracle_wallet.pem

Generate the sha256 CSR.

openssl req -new -key oracle_wallet.pem -sha256 -out mysite.csr

Submit the CSR to your certificate authority (CA). When you receive the updated certificate from the CA make sure you also get the root CA certificate used to sign the certificate and any interim CA certificates. In our case we were using GeoTrust as the CA. They signed the certificate with one interim certificate that was given to us as a crt file. We also downloaded the root CA certificate as a pem file from the GeoTrust web site.

Import the trusted certificates into the wallet.

orapki wallet add -wallet walletdir -trusted_cert -cert GeoTrust_Global_CA.pem -pwd PWD

orapki wallet add -wallet walletdir -trusted_cert -cert mysite_company_com_i1.crt -pwd PWD

Import the user certificate into the wallet. Replace PWD with the wallet password.

orapki wallet add -wallet walletdir -user_cert -cert mysite_company_com_ee.crt -pwd PWD

Once we have the wallet loaded with the certificates we can replace the existing wallet used by OHS with our new wallet.

Stop OHS server

opmnctl stopall

Copy the new wallet file and replace the existing wallet file.

Restart OHS

opmnctl startall

After starting OHS, launch the web site in Chrome and hopefully you will see a green icon and a SHA256 signed certificate.

TLS 1.0

At this point, even though the URL icon comes up with a green lock, it is still using TLS 1.0. The problem we had is that we were running OHS, which does not support TLS 1.2. The most recent protocol that it supports is TLS 1.0. We needed to upgrade OHS to See this note on My Oracle Support for the details on SSL support in OHS and FMW in general.

Oracle Support Document 1485047.1 (Is SSLHonorCipherOrder and TLS 1.1/1.2 Supported for Oracle HTTP Server?)

The steps for upgrading OHS to are quite simple. You run the standard installer, it recognises you already have OHS installed and it upgrades your existing installation. You can find the download link and the detailed upgrade steps in the Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

Once you upgrade OHS you also need to update the SSLProtocol setting in your ssl.conf and admin.conf files to disable the older protocols. Change the SSLProtocol settings to this:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

This setting will allow support of newer protocols as they become available, but disables support for older protocols. The -protocol setting, e.g. -TLSv1.1, explicitly removes support for that protocol.
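To confirm that ssl.conf and admin.conf really ended up with the older protocols disabled, the added example below (not from the original post or from Oracle) evaluates every SSLProtocol line in a file and reports any legacy protocol that is still enabled. It assumes Apache mod_ssl-style left-to-right evaluation (+name adds, -name removes, a bare name replaces the set) and that All expands to the list in ALL_PROTOCOLS; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit SSLProtocol directives.
# Assumption: "All" expands to this list; adjust it to what your OHS build supports.
ALL_PROTOCOLS="${ALL_PROTOCOLS:-SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2}"
# The protocols the post switches off.
LEGACY_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1"

# canon NAME: print the canonical spelling of a protocol name (case-insensitive).
canon() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    all)     echo All ;;
    sslv2)   echo SSLv2 ;;
    sslv3)   echo SSLv3 ;;
    tlsv1)   echo TLSv1 ;;
    tlsv1.1) echo TLSv1.1 ;;
    tlsv1.2) echo TLSv1.2 ;;
    *)       return 1 ;;
  esac
}

# effective_protocols "ARGS": print the protocols left enabled by one directive.
effective_protocols() {
  local enabled="" tok action name group p kept
  for tok in $1; do
    action="="
    case "$tok" in
      +*) action="+"; tok=${tok#+} ;;
      -*) action="-"; tok=${tok#-} ;;
    esac
    name=$(canon "$tok") || { echo "unknown protocol: $tok" >&2; return 2; }
    if [ "$name" = All ]; then group=$ALL_PROTOCOLS; else group=$name; fi
    case "$action" in
      "=") enabled=$group ;;                      # bare name replaces the set
      "+") for p in $group; do
             case " $enabled " in *" $p "*) ;; *) enabled="$enabled $p" ;; esac
           done ;;
      "-") kept=""
           for p in $enabled; do
             case " $group " in *" $p "*) ;; *) kept="$kept $p" ;; esac
           done
           enabled=$kept ;;
    esac
  done
  echo $enabled   # unquoted on purpose: collapses the padding spaces
}

# legacy_enabled "PROTOCOLS": print the subset that is in LEGACY_PROTOCOLS.
legacy_enabled() {
  local p out=""
  for p in $1; do
    case " $LEGACY_PROTOCOLS " in *" $p "*) out="$out $p" ;; esac
  done
  echo $out
}

# audit_sslprotocol FILE: report every SSLProtocol line in FILE.
# Returns 0 if all directives are clean, 1 if any leaves a legacy protocol
# enabled, 2 if the file has no SSLProtocol directive or one cannot be parsed.
audit_sslprotocol() {
  local file=$1 matches line lineno args eff legacy status=0
  matches=$(grep -n -i -E '^[[:space:]]*SSLProtocol[[:space:]]' "$file") ||
    { echo "$file: no SSLProtocol directive"; return 2; }
  while IFS= read -r line; do
    lineno=${line%%:*}
    # Drop the line number and the directive name, keep only the arguments.
    args=$(printf '%s\n' "${line#*:}" |
           sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//')
    eff=$(effective_protocols "$args") || return 2
    legacy=$(legacy_enabled "$eff")
    if [ -n "$legacy" ]; then
      echo "$file:$lineno: WEAK enabled=[$eff] legacy=[$legacy]"
      status=1
    else
      echo "$file:$lineno: ok enabled=[$eff]"
    fi
  done <<EOF
$matches
EOF
  return "$status"
}

# Usage: audit_sslprotocol ssl.conf; audit_sslprotocol admin.conf
```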

Once you upgrade OHS and update the SSLProtocol settings, you should see that your site is using TLS 1.2 when you launch it in Chrome.

If you want more information on SSL there are some great notes on My Oracle Support. This is a good starting point.

Oracle Support Document 1218695.1 (Master Note for SSL Configuration in Fusion Middleware 11g)

Displaying Wallets

Throughout the steps above it will be useful to display the contents of the wallet at various points, especially if you have any problems with the commands. The orapki display command will display the contents of the wallet in the directory you specify.

orapki wallet display -wallet walletdir

When you first display the wallet after the initial creation it will be empty, except for the trusted certificates that are added by default by orapki.

Oracle PKI Tool : Version
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

After you add the certificate request it will be displayed in the wallet.

Oracle PKI Tool : Version
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:,OU=Consulting,O=Oracle,L=Redwood City,ST=California,C=US
User Certificates:
Trusted Certificates:
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

After you add your user certificate the certificate request will no longer be shown, but your user certificate will be displayed.

Monday Jun 29, 2015

Oracle Documents Links

There has been a lot of activity with Oracle Documents. Here are the links I have collected to various Oracle Documents information.

Title (Link) | Source | Author
Being RESTful with Oracle Documents Cloud and Oracle ADF | Oracle Consulting | Justin Paul
JDeveloper REST Connection for Oracle Documents Cloud | Oracle Consulting | Justin Paul
Creating a Documents Cloud Service REST Client from the DOCS WADL | Oracle A-Team | Peter Flies
Using Oracle Documents Cloud REST API with Python Requests | Oracle A-Team | Peter Flies
Calling Oracle Documents Cloud Service REST APIs from WebCenter Content Custom Components | Oracle A-Team | Peter Flies
Integrating with Documents Cloud using a Text Editor as an example | Oracle A-Team | Adao Junior
Embedded Oracle Documents Cloud Service Web User Interfaces for folder contents and search results | Oracle A-Team | Nick Montoya
Oracle Documents Cloud Service - Sample Code | OTN |

Thursday Jun 25, 2015

Changing the OPSS Schema Password

In a clustered WebCenter Content (WCC) environment you are going to need to use something other than the internal WebLogic file-based credential and policy store. You can use either an Oracle Internet Directory (OID) server or an Oracle Platform Security Service (OPSS) database schema.

If you use an OPSS database schema for your credential and policy store you may need to change the database schema password. You will need to follow the steps documented in Oracle® Fusion Middleware Securing Applications with Oracle Platform Security Services. The steps are:

  1. Use the DB command ALTER USER to reset the password in the DB. Remember the new password entered, as it will be used in the next two steps.
  2. Using the Oracle WebLogic Administration Console, update the password that the data source the domain uses to connect to the OPSS schema with the new password.
  3. Using the WLST command modifyBootStrapCredential, update the bootstrap wallet with the new password. For details, see Oracle Fusion Middleware Infrastructure Security WLST Command Reference.

Wednesday Jun 24, 2015

Keeping Your WebCenter Content File System Clean

If you have configured WebCenter Content (WCC) to store your content in the database you are probably not expecting it to be storing any content on the file system. You may choose to go with a minimal file system to hold the vault and weblayout directories. You need to be aware that WCC will store content on the file system for two reasons:

  1. During the check in process WCC needs to store the native file in the vault directory so it is available for full-text indexing and for rendition processing. Any webviewable files are also stored on the file system after they are generated by the Inbound Refinery (IBR).
  2. Whenever a content item is retrieved, WCC will store the file on the file system after retrieving it from the database. The file system is used as a cache so that if the content item is retrieved again it can be retrieved from the file system instead of the database.

For #1 this can have an impact when you are either loading a large amount of content into WCC or rebuilding your full-text index. When doing a full-text index rebuild every file in WCC will be retrieved from the database and stored on the file system.

If you want the files on the file system removed after the content item has been indexed you can add this configuration setting:


If you want to keep the file system as small as possible you can also add these configuration settings to minimize the number of files kept on the file system as a cache:


Thursday May 14, 2015

WebCenter Content has been released

See the WebCenter Content OTN Page for the download links. still uses WebLogic 10.3.6.

If you are upgrading an existing installation such as you install the new version on top of your existing version. You then need to run the Patch Set Assistant to upgrade the schema. See Upgrading Your Schemas with Patch Set Assistant in the Oracle Fusion Middleware Patching Guide for details. Make sure to back up your schema before running the Patch Set Assistant.

If you are doing a new install you will need to download the version of RCU which is available under the Required Additional Software section. 

Oracle Support is recommending that existing customers wait for the first bundle patch before upgrading to That is because there are a lot of bugs addressed in the latest bundle patch that did not make it into the release. EXISTING customers are likely to run into regression issues that were already fixed if they had the latest bundle patch installed.

If you are starting a new project I would recommend installing and working around any bugs you find. The first bundle patch for should be released within a month or so and would be available before you go into production.

One of the major features in this release is the addition of Digital Asset Management (DAM) to the Content UI.

The link to the documentation is Someone was reporting that the link on OTN was wrong.

Wednesday May 13, 2015

Oracle Documents REST API Sample #2

In this sample I will show how to check the response status of your REST call before processing the result.

Instead of returning a string containing the results we have the REST call return a Response object which we can use to check the status of the call before processing the results. A successful call can return either a 200 or 201 status code. If there is an error the getStatusInfo method will return details of the error.

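Response response = invocationBuilder.get();

System.out.println("Status: " + response.getStatus());

if (response.getStatus() != 200 && response.getStatus() != 201) {
  // Anything other than 200/201 is an error: report it and do not read the body
  System.out.println("Error: " + response.getStatusInfo());
} else {
  System.out.println("\nResponse ...\n");
  System.out.println(response.readEntity(String.class));
}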

The details of the possible status codes can be found in the online documentation here

Here is the entire Java program.

import javax.ws.rs.client.*;
import javax.ws.rs.core.Response;

import org.glassfish.jersey.client.*;
import org.glassfish.jersey.client.authentication.*;

public class docsSample2 {

  // Placeholders: replace with your own user, password and Oracle Documents host
  static String m_user = "USER";
  static String m_pass = "PASS";
  static String m_docs_base_url = "https://DOCSURL/documents/api/1.1";

  public static void main(String[] args) {
    try {
      // Basic Authentication credentials are attached to every request
      HttpAuthenticationFeature feature = HttpAuthenticationFeature.basic(m_user, m_pass);

      ClientConfig clientConfig = new ClientConfig();
      clientConfig.register(feature);

      Client client = ClientBuilder.newClient(clientConfig);

      WebTarget target = client.target(m_docs_base_url + "/users/items?info=smith");

      Invocation.Builder invocationBuilder = target.request("text/plain");

      // Get the full Response so the status can be checked before the body is read
      Response response = invocationBuilder.get();

      System.out.println("Status: " + response.getStatus());

      if (response.getStatus() != 200 && response.getStatus() != 201) {
        System.out.println("Error: " + response.getStatusInfo());
      } else {
        System.out.println("\nResponse ...\n");
        System.out.println(response.readEntity(String.class));
      }

    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}

Monday May 11, 2015

Converting Java Code for Display on a Web Page

When creating the blog post about Oracle Documents REST API I found this neat tool for converting my Java code into HTML so it can be displayed nicely in the blog posting.

My First Oracle Documents REST API Sample

Here is my first sample. It is very simple. It calls the User resource to get a list of users that match a search. The documentation says that it uses a fuzzy search on user names and email addresses to determine the list of users to return. I found that if I put my first name or last name in the search I would get a list of all the other Kevins or Smiths defined in our Oracle Documents instance. I tried searching on email and received the same result as if I had used Kevin.

Here is the entire java program. It sends the request and just prints the result to standard output.

import javax.ws.rs.client.*;

import org.glassfish.jersey.client.*;
import org.glassfish.jersey.client.authentication.*;

public class docsSample1 {

  // Placeholders: replace with your own user, password and Oracle Documents host
  static String m_user = "USER";
  static String m_pass = "PASS";
  static String m_docs_base_url = "https://DOCSURL/documents/api/1.1";

  public static void main(String[] args) {
    try {

      ClientConfig clientConfig = new ClientConfig();

      // Basic Authentication credentials are attached to every request
      HttpAuthenticationFeature feature = HttpAuthenticationFeature.basic(m_user, m_pass);
      clientConfig.register(feature);

      Client client = ClientBuilder.newClient(clientConfig);

      WebTarget target = client.target(m_docs_base_url + "/users/items?info=smith");

      Invocation.Builder builder = target.request("text/plain");
      Invocation invocation = builder.buildGet();

      // Submit the request and print the raw response body
      String responseData = invocation.invoke(String.class);

      System.out.println(responseData);

    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}


I will go through some of the important parts of the code.

To pass the authentication information you need to add an HttpAuthenticationFeature to your Jersey client. Oracle Documents only supports Basic Authentication. These two lines of code add the basic authentication information to the client.

HttpAuthenticationFeature feature = HttpAuthenticationFeature.basic(m_user, m_pass);
clientConfig.register(feature);

The URL that you use to submit the request will be based on your Oracle Documents instance URL which contains your service and identity domain.

static String m_docs_base_url = "https://DOCSURL/documents/api/1.1";

In this sample I am passing all the information to invoke the user resource in the URL.

WebTarget target = client.target(m_docs_base_url + "/users/items?info=smith");

You can also pass in the resource and parameters using other methods. I will cover those in later samples.

I use Invocation.Builder to set up for the call. In this case we are doing a GET.

Invocation.Builder builder = target.request("text/plain");
Invocation invocation = builder.buildGet();

I then submit the request and get the results back as a string.

String responseData = invocation.invoke(String.class);

Since I have not specified a result format the result will be returned using the default JSON format.

{
  "count": "10",
  "errorCode": "0",
  "items": [
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "Kevin Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" },
    { "type": "user", "id": "XXX", "displayName": "XXX Smith" }
  ]
}

I have replaced all the actual first names and ids with XXX. The id will be a 36-character string representing the user's unique ID. You can use this ID if you are going to share a folder with a user.

Sunday May 10, 2015

Oracle Documents REST API

Over the next few days and weeks I am going to be working on some sample code for integrating with Oracle Documents using the REST API. I will post the samples as I create them.

For details on the Oracle Documents REST API, see the Developing for Oracle Documents Cloud Service Book.

I will be using the Jersey framework in my code. For more details on the Jersey framework see You can find the documentation on the Jersey framework and download the Jersey jar files.

For other examples of integrating with Oracle Documents see these pages.

Calling Oracle Documents Cloud Service REST APIs from WebCenter Content Custom Components by Peter Flies.

JDeveloper REST Connection for Oracle Documents Cloud by Justin Paul.

Friday Mar 21, 2014

Visual C++ Libraries

If you see this error message when trying to start the WebCenter Content managed server for the first time on Windows

java.lang.UnsatisfiedLinkError: C:\Oracle\Middleware\Oracle_ECM1\ucm\idc\components\NativeOsUtils\lib\windows-amd64\\JniNativeOsUtils.dll: The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail

You have not installed the required Visual C++ Libraries.

See section 3.7.3 Downloading Visual C++ Libraries for a Windows Operating System in the WebCenter Content Installation Guide.

Monday Dec 03, 2012

Migrating from Oracle Content DB to WebCenter Content

Someone asked about migrating from Oracle Content DB (CDB) to WebCenter Content (WCC)

There is no product offering that supports migrating content from CDB to WCC. Oracle Consulting has done some migrations for customers and has some internal tools that are available to assist with the migration. If you need assistance migrating from CDB to WCC you should contact Oracle Consulting.

Wednesday Oct 17, 2012

Questions Anyone?

I've been working with WebCenter Content for almost 9 years now and have a ton of topics rolling around my head that I'm sure would make excellent blog posts once I find the time to write them up.

Does anyone have any questions they would like answered? Like why does WCC do ...? How does this feature work? I can't seem to get this working?

Post your question to the comments and if it is something on my list of topics I had planned on creating a blog post about I will move it to the top of the list.

A very useful custom component

Whenever I am debugging a problem in WebCenter Content (WCC) I often find it useful to see the contents of the internal data binder used by WCC when executing a service. I want to know the value of all parameters passed in by the caller, either a user in the web GUI or an application calling the service via RIDC or web services. I also want to know the value of binder variables calculated by WCC as it processes a service. What defaults has it applied based on configuration settings or profile rules? What values has it derived based on the user input?

To help with this I created a component that uses a Java filter to dump out the contents of the internal data binder to the WCC trace file. It dumps the binder contents using the toString() method. You can register this filter code using many different filter hooks to see how the binder is updated as WCC processes the service.

By default, it uses the validateStandard filter hook which is useful during a CHECKIN service. It uses the system trace section, so make sure that trace section is enabled before looking for the output from this component.

Here is some sample output

>system/6    10.09 09:57:40.648    IdcServer-1    filter: postParseDataForServiceRequest, binder start --
 system/6    10.09 09:57:40.698    IdcServer-1    *** LocalData ***
 system/6    10.09 09:57:40.698    IdcServer-1    (10 keys + 0 defaults)
 system/6    10.09 09:57:40.698    IdcServer-1    ClientEncoding=UTF-8
 system/6    10.09 09:57:40.698    IdcServer-1    IdcService=CHECKIN_UNIVERSAL
 system/6    10.09 09:57:40.698    IdcServer-1    NoHttpHeaders=0
 system/6    10.09 09:57:40.698    IdcServer-1    UserDateFormat=iso8601
 system/6    10.09 09:57:40.698    IdcServer-1    UserTimeZone=UTC
 system/6    10.09 09:57:40.698    IdcServer-1    dDocTitle=Check in from RIDC using Framework Folder
 system/6    10.09 09:57:40.698    IdcServer-1    dDocType=Document
 system/6    10.09 09:57:40.698    IdcServer-1    dSecurityGroup=Public
 system/6    10.09 09:57:40.698    IdcServer-1    parentFolderPath=/folder1/folder2
 system/6    10.09 09:57:40.698    IdcServer-1    primaryFile=testfile5.bin   
 system/6    10.09 09:57:40.698    IdcServer-1    ***  RESULT SETS  ***
>system/6    10.09 09:57:40.698    IdcServer-1    binder end --------------------------------------------

See the readme included in the component for more details.

You can download the component from here.

Tuesday Oct 16, 2012

Framework Folders and Duplicate File Names

I have been working with Framework folders a little bit in the past few days and found one unexpected behavior that is different from Contribution Folders (Folders_g). If you try and check a file into a Framework Folder that already exists in the folder it will allow it and rename the file for you.

In Folders_g this would have generated an error and prevented you from checking in the file.

A quick check of the Framework Folder configuration settings in the Application Administrator’s Guide for Content Server does not show a configuration parameter to control this. I'm still thinking about this and not sure if I like this new behavior or not. I guess from a user perspective this more closely aligns Framework Folders with how Windows handles duplicate file names, but if you are migrating from Folders_g and expect a duplicate file name to be rejected, this might cause you some problems.

Thursday Oct 11, 2012

One of my most frequently used commands

On a Linux or UNIX server this is one of my most frequently used commands.

find . -name "*.htm" -exec grep -iH "alter session" {} \;

It is an easy way to find a string you know is in a group of files, but don't know or can't remember which file it is in.

For the example above, I knew that WebCenter Content sends a bunch of alter session commands to the database when it opens a new database connection. I wanted to find where these were defined and what all the alter session commands were.

So, I ran these commands:

cd /opt/oracle/middleware/Oracle_ECM1/ucm/idc/resources/core
find . -name "*.htm" -exec grep -iH "alter session" {} \;

And the results were:

./tables/query.htm: ALTER SESSION SET optimizer_mode = ?
./tables/query.htm: ALTER SESSION SET NLS_SORT = ?
./tables/query.htm: ALTER SESSION SET NLS_COMP = ?
./tables/query.htm: ALTER SESSION SET CURSOR_SHARING = ?
./tables/query.htm: ALTER SESSION SET EVENTS '30579 trace name context forever, level 2'
./tables/query.htm: ALTER SESSION SET NLS_DATE_FORMAT = ?
./tables/query.htm: alter session set events '30579 trace name context forever, level 2'

I could then go edit the query.htm file and find the include that contained all the ALTER SESSION commands.

Friday Oct 05, 2012

Solving Inbound Refinery PDF Conversion Issues, Part 1

Working with Inbound Refinery (IBR) and PDF Conversion can be very frustrating. When everything is working smoothly you kind of forget it is even there. Documents are checked into WebCenter Content (WCC), sent to IBR for conversion, converted to PDF, returned to WCC, and voilà, your Office documents have a nice PDF rendition available for viewing.

Then a user checks in a bunch of password protected Word files, the conversions fail, your IBR queue starts backing up, users start calling asking why their documents have not been released yet, and you spend a frustrating afternoon trying to recover and get things back running properly again.

Password protected documents are one cause of PDF conversion failures, and I will cover those in a future blog post, but there are many other problems that can cause conversions to fail, especially when working with the WinNativeConverter and using the native applications, e.g. Word, to convert a document to PDF. There are other conversion options like PDFExportConverter which uses Oracle OutsideIn to convert documents directly to PDF without the need for the native applications. However, to get the best fidelity to the original document the native applications must be used. Many customers have tried PDFExportConverter, but have stayed with the native applications for conversion since the conversion results from PDFExportConverter were not as good as when the native applications are used.

Of course it is important to mention that most IBR "problems" are not really problems with the IBR itself, but more likely problems with the documents being converted or problems with the third-party applications IBR is using to convert the documents to PDF.

One problem I ran into recently, that at least has an easy solution, is Word documents that display a Show Repairs dialog when the document is opened. If you open the problem document yourself you will see this dialog.

This will cause the conversion to time out. Any time the native application displays a dialog that requires user input the conversion will time out. The solution is to add a setting for BulletProofOnCorruption to the registry for the user running Word on the IBR server. See this support note from Microsoft for details. The support note says to set the registry key under HKEY_CURRENT_USER, but since we are running IBR as a service the correct location is under HKEY_USERS\.DEFAULT. Also since in our environment we were using Office 2007, the correct registry key to use was:


Once you have done this restart the IBR managed server and resubmit your problem document. It should now be converted successfully.

For more details on IBR see the Oracle® WebCenter Content Administrator's Guide for Conversion.

Wednesday Sep 26, 2012

How to run RCU from the command line

When I was trying to figure out how to run RCU on 64-bit Linux I found this post. It shows how to run RCU from the command line. It didn't actually work for me, so you can see my post on how to run RCU on 64-bit Linux.

But seeing how to run RCU from the command line got me thinking about running RCU from the command line to create the schema for WebCenter Content. That post got me part of the way there since it shows how to run RCU silently from the command line, but to do this you need to know the name of the RCU component for WebCenter Content. I poked around in the RCU files and found the component name for WCC is CONTENTSERVER11. There is a contentserver11 directory in rcuHome/rcu/integration and when you look at the contentserver11.xml file you will see

<RepositoryConfig COMP_ID="CONTENTSERVER11">

With the component name for WCC in hand I was able to use this command line to run RCU and create the schema for WCC.

.../rcuHome/bin/rcu -silent -createRepository -databaseType ORACLE -connectString localhost:1521:orcl1 -dbUser sys -dbRole sysdba -schemaPrefix TEST -component CONTENTSERVER11 -f <rcu_passwords.txt

To make the silent part work and not have it prompt you for the passwords needed (sys password and password for each schema) you use the -f option and specify a file containing the passwords, one per line, in the order the components are listed on the -component argument. Here is the output from rcu when I ran the above command.

Processing command line ....
Repository Creation Utility - Checking Prerequisites
Checking Global Prerequisites

Repository Creation Utility - Checking Prerequisites
Checking Component Prerequisites
Repository Creation Utility - Creating Tablespaces
Validating and Creating Tablespaces
Repository Creation Utility - Create
Repository Create in progress.
Percent Complete: 0
Percent Complete: 100
Repository Creation Utility: Create - Completion Summary
Database details:
Host Name              : localhost
Port                   : 1521
Service Name           : ORCL1
Connected As           : sys
Prefix for (prefixable) Schema Owners : TEST
RCU Logfile            : /u01/app/oracle/logdir.2012-09-26_07-53/rcu.log
Component schemas created:
Component                            Status  Logfile
Oracle Content Server 11g - Complete Success /u01/app/oracle/logdir.2012-09-26_07-53/contentserver11.log

Repository Creation Utility - Create : Operation Completed

This works fine if you want to use the default tablespace sizes and options, but there does not seem to be a way to specify the tablespace options on the command line. You can specify the name of the tablespace and temp tablespace, but they must already exist in the database before running RCU. I guess you can always create the tablespaces first using your desired sizes and options and then run RCU and specify the tablespaces you created.

When looking up the command line options in the RCU doc I found it has the list of components for each product that it supports. See Appendix B in the RCU User's Guide.

WebCenter Content (WCC) Trace Sections

Kyle has a good post on how to modify the size and number of WebCenter Content (WCC) trace files. His post reminded me I have been meaning to write a post on WCC trace sections for a while.

searchcache - Tells you if your query was found in the WCC search cache.

searchquery - Shows the processing of the query as it is converted from what the user submitted to the end query that will be sent to the database. Shows conversion from the universal query syntax to the syntax specific to the search solution WCC is configured to use.

services (verbose) - Lists the filters that are called for each service. This will let you know what filters are available for each service and will also tell you what filters are used by WCC add-on components and any custom components you have installed. The How To Component Sample has a list of filters, but it has not been updated since 7.5, so it is a little outdated now. With each new release WCC adds more filters. If you have a filter that has no code attached to it you will see output like this:

services/6    09.25 06:40:26.270    IdcServer-423    Called filter event computeDocName with no filter plugins registered

When a WCC add-on or custom component uses a filter you will see trace output like this:

services/6    09.25 06:40:26.275    IdcServer-423    Calling filter event postValidateCheckinData on class collections.CollectionValidateCheckinData with parameter postValidateCheckinData
services/6    09.25 06:40:26.275    IdcServer-423    Calling filter event postValidateCheckinData on class collections.CollectionFilters with parameter postValidateCheckinData

As you can see from this sample output it is possible to have multiple code points using the same filter.

systemdatabase - Dumps the database call AFTER it executes. This can be somewhat troublesome if you are trying to track down some weird database problems. We had a problem where WCC was getting into a deadlock situation. We turned on the systemdatabase trace section and thought we had the problem database call, but it turned out since it printed out the database call after it was executed we were looking at the database call BEFORE the one causing the deadlock. We ended up having to turn on tracing at the database level to see the database call WCC was making that was causing the deadlock.

socketrequests (verbose) - Dumps the actual messages received and sent over the socket connection by WCC for a service. If you have gzip enabled you will see junk on the response coming back from WCC. For debugging disable the gzip of the WCC response. Here is an example of the dump of the request for a GET_SEARCH_RESULTS service call.

socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: REMOTE_USER=sysadmin.USER-AGENT=Java;.Stel
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: lent.CIS.11g.CONTENT_TYPE=text/html.HEADER
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: _ENCODING=UTF-8.REQUEST_METHOD=POST.CONTEN
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: T_LENGTH=270.HTTP_HOST=CIS.$$$$.NoHttpHead
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: ers=0.IsJava=1.IdcService=GET_SEARCH_RESUL
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: TS...?hda.jcharset=UTF-8?...@Properties.Lo
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: calData.SortField=dDocName.ClientEncoding=
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: UTF-8.IdcService=GET_SEARCH_RESULTS.UserTi
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: meZone=UTC.UserDateFormat=iso8601.SortDesc
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: =ASC.QueryText=dDocType..matches..`Documen
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: t`.@end.

userstorage, jps - Provides trace details for user authentication and authorization. Includes information on the determination of what roles and accounts a user has access to. In 11g a new trace section, jps, was added with the addition of the JpsUserProvider to communicate with WebLogic Server.

The WCC developers decide when to use the verbose option for their trace output, so sometimes you need to try verbose to see what different information you get.

One of the things I would always have liked to see is the ability to turn on verbose output selectively for individual trace sections. When you turn on verbose output you get it for all trace sections you have enabled. This can quickly fill up your trace files with a lot of information if you have the socket trace section turned on.
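The services and socketrequests output shown in this post can be post-processed offline. The following is an added example, not code from the original post or from Oracle: it lists which classes are hooked into each filter event and reassembles a chunked socketrequests dump into its KEY=VALUE fields. The function names are hypothetical, and it assumes that all chunks of one dump share a thread and timestamp (as in the sample) and that a "." in the dump ends a value.

```python
import re
from collections import defaultdict

# Layout seen in the samples: section/level  MM.DD HH:MM:SS.mmm  thread  message
LINE = re.compile(r"^(\w+)/\d+\s+(\d\d\.\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\S+)\s+(.*)$")
FILTER = re.compile(r"Call(?:ing|ed) filter event (\S+)(?: on class (\S+))?")
PAIR = re.compile(r"([A-Za-z_][\w-]*)=([^.]*)")  # assumption: '.' ends a value

SAMPLE = """\
services/6    09.25 06:40:26.270    IdcServer-423    Called filter event computeDocName with no filter plugins registered
services/6    09.25 06:40:26.275    IdcServer-423    Calling filter event postValidateCheckinData on class collections.CollectionValidateCheckinData with parameter postValidateCheckinData
services/6    09.25 06:40:26.275    IdcServer-423    Calling filter event postValidateCheckinData on class collections.CollectionFilters with parameter postValidateCheckinData
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: REMOTE_USER=sysadmin.USER-AGENT=Java;.Stel
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: lent.CIS.11g.CONTENT_TYPE=text/html.HEADER
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: _ENCODING=UTF-8.REQUEST_METHOD=POST.CONTEN
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: T_LENGTH=270.HTTP_HOST=CIS.$$$$.NoHttpHead
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: ers=0.IsJava=1.IdcService=GET_SEARCH_RESUL
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: TS...?hda.jcharset=UTF-8?...@Properties.Lo
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: calData.SortField=dDocName.ClientEncoding=
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: UTF-8.IdcService=GET_SEARCH_RESULTS.UserTi
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: meZone=UTC.UserDateFormat=iso8601.SortDesc
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: =ASC.QueryText=dDocType..matches..`Documen
socketrequests/6 09.25 06:46:02.501 IdcServer-6 request: t`.@end.
""".splitlines()  # lines copied from the trace output quoted in this post


def records(lines):
    """Yield (section, timestamp, thread, message) for every trace line."""
    return (m.groups() for m in map(LINE.match, lines) if m)


def filter_inventory(lines):
    """Map each filter event to the classes hooked into it ([] = no plugins)."""
    hooks = defaultdict(list)
    for section, _, _, msg in records(lines):
        if section == "services" and (m := FILTER.search(msg)):
            hooks[m.group(1)] += [m.group(2)] if m.group(2) else []
    return dict(hooks)


def reassemble_requests(lines):
    """Join the fixed-width 'request:' chunks, keyed by (thread, timestamp)."""
    raw = defaultdict(str)
    for section, ts, thread, msg in records(lines):
        if section == "socketrequests" and msg.startswith("request: "):
            raw[(thread, ts)] += msg[len("request: "):]
    return dict(raw)


def request_fields(raw):
    """KEY=VALUE pairs from one reassembled dump; a repeated key keeps its last value."""
    return dict(PAIR.findall(raw))


if __name__ == "__main__":
    print(filter_inventory(SAMPLE))
    print({k: request_fields(v) for k, v in reassemble_requests(SAMPLE).items()})
```

With socketrequests enabled the trace carries the calling user (REMOTE_USER) and the query text, so the trace directory warrants the same access control as any other log of user activity.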

How to run Repository Creation Utility (RCU) on 64-bit Linux

I was setting up WebCenter Content (WCC) on a new virtual box running 64-bit Linux and ran into a problem when I tried to run the Repository Creation Utility (RCU). I saw this error when trying to start RCU:

.../rcuHome/jdk/jre/bin/java: /lib/ bad ELF interpreter: No such file or directory

I think I remember running into this before and reading something about RCU only being supported on 32-bit Linux. I decided to try and see if I could get it to run on 64-bit Linux.

I saw it was using its own copy of java (.../rcuHome/jdk/jre/bin/java), so I decided to try and get it to use the 64-bit JRockit I had already installed. I edited the rcu script in rcuHome/bin and replaced




Sure enough that fixed it. I was able to run RCU and create the WCC schema.

Tuesday Sep 25, 2012

A Generic RIDC Test Program

Many times I have found it useful to use a Java program that communicates with WebCenter Content (WCC) using RIDC for testing. I might not have access to the web GUI or need to test a service running as a specific user. In the past I had created a number of "one off" programs that submitted specific services, e.g. GET_SEARCH_RESULTS, DOCINFO, etc. Recently I decided to create a generic RIDC test program that could submit any service with the desired parameters based on a configuration file.

The program gets the following information from the configuration file:

  • WCC connection information (host, port)
  • User to use to run service
  • Service to run
  • Any parameters for the service

The program will make a connection to the WCC server, send the service request, and print the results of the service call using the getResponseAsString() method.

Here is a sample configuration file:
idcservice.QueryText=dDocType <matches> `Document`

There is a readme file included in the zip with instructions for how to configure and run the program. The program takes one command line argument, the configuration file name. The configuration file name is optional and defaults to

If you have any suggestions for improvements let me know. Right now it only submits a single service call each time you run it. One enhancement I have already thought about would be to allow you to specify multiple services to run in the configuration file. You can do that with the current program by having multiple configuration files and running the program multiple times, each with a different configuration file.

You can download the program here.

Friday Sep 21, 2012

Always disable the 8.3 name creation on Windows before installing WebCenter Content or WebLogic Server

You should always disable the 8.3 name creation feature when installing WebCenter Content on a Windows platform. The installs will normally work without it disabled, but you will find the weird 8.3 file and directory names in all the config files. Disabling it can also improve performance.

On Windows XP and Windows Server 2003 and above you can do it with this command:

fsutil.exe behavior set disable8dot3 1

To make sure it is disabled you can run this command to check:

fsutil.exe behavior query disable8dot3

If the 8.3 file name creation is disabled you will see the following output from the command:

The registry state of NtfsDisable8dot3NameCreation is 1 (Disable 8dot3 name creation on all volumes).

Here is a Microsoft note on how to do this on Windows 2000 and Windows NT.

How to Disable the 8.3 Name Creation on NTFS Partitions

I see now they have added this to the WebCenter Content Install Guide. They suggest doing it using a Windows registry setting.

Thursday Sep 20, 2012

Be aware of the difference between CURRENT_DATE and SYSDATE

I was running some queries in SQL Developer against the WebCenter Content (WCC) schema that included date fields such as dInDate. I was comparing the dates against CURRENT_DATE. I was not getting the expected results. I did some googling and didn’t find a solution, but I did run across a reference to SYSDATE. I tried SYSDATE in my queries and got the expected results.

I did a TO_CHAR on the two date fields and found they returned different times. CURRENT_DATE returned the time from my laptop which was in the EDT time zone. SYSDATE returned the time from the database server which happened to be in the PDT time zone. I guess if both the database server and my laptop were in the same time zone I would not have seen any problem.

Here is the query I ran to display the two fields.

select to_char(current_date,'DD-MON-YY HH:MI:SS'), to_char(sysdate,'DD-MON-YY HH:MI:SS') from dual;

As you can see from the screen shot from SQL Developer they definitely returned different times.

I’m sure there is some command or setting you can use to prevent this problem, but for me the take away is to use SYSDATE in your queries when you want to do any date comparison.

Wednesday Sep 19, 2012

When is the default storage rule not really the default storage rule?

In 11g WebCenter Content (WCC) introduced dispersion rules in the vault and weblayout directory paths to better distribute content across the directories. The dispersion rule was based on dRevClassID. The only problem with this is that dRevClassID did not remain the same when you copied content from one WCC instance to another using Archiver like in a contribution-consumption scenario. This could cause problems because the web-viewable path would not be the same between the contribution and consumption instances.

In the PS5 ( release of WCC they addressed this by configuring the File Store Provider (FSP) so that all new content would use a storage rule with a dispersion rule based on dDocName, which would stay the same when content was copied to another WCC instance. To support migration from older versions of WCC they left the default storage rule unchanged and created a new storage rule called DispByContentId and made that the default storage rule for all new content.

I only stumbled upon this a while back when I was trying to change the FSP configuration so that all content used a webless storage rule. I changed the default storage rule, restarted WCC, and checked in a new content item. To my surprise the new content was not created as webless. I struggled with this for a while until I noticed there were multiple storage rules defined in the FSP configuration. When I looked at the default value for the xStorageRule field in Configuration Manager, sure enough it was no longer default, but was now DispByContentId.

Once I updated the DispByContentId storage rule to webless and restarted WCC all my new content was now created using the webless storage rule, just like I wanted.

I noticed when I was creating this blog post that the default storage rule is also listed on the File Store Provider Information page, but I guess I didn't see that when I originally did this.

Wednesday Jul 25, 2012

ScriptDebugTrace is now IsPageDebug in 11g

I keep forgetting what they changed this option to in 11g. Luckily Kyle has a nice blog post on it.

Friday Jul 20, 2012

If you ever need to replace a key on your keyboard

I recently popped one of the keys off my laptop keyboard and was left with the key, and two little white pieces of plastic that were somehow supposed to all go back together to get the key back on the keyboard. After messing around with it for 30 minutes I did a quick search and found this site.

It has video instructions for how to replace keys on what seems to be every model of laptop and keyboard. I never would have figured out how to put the pieces back together again.

Of course the people who created the web site did not do it out of the goodness of their heart. You can also purchase replacement keys for your keyboard on the site.

Friday Oct 14, 2011

Yet another FSP Post

I found another problem with the default FSP rules in The default dispersion rule uses dRevClassID


The problem is that dRevClassID will change if you use Archiver to copy your content to another UCM instance. This is a common practice using a "Contribution - Consumption Model". Content is created and updated on a "Contribution" UCM instance and then Archiver is used to copy the content to a "Consumption" instance where it is viewed by users/consumers. If dRevClassID is used in the dispersion rule the webviewable URL will change when the content is copied from contribution to consumption. If you have any links to the content, say from a Site Studio site, they will not work on the consumption instance.

I talked to development about this and they said they realized the problem existed a while back and it will be addressed in the next patch set ( by using dDocName instead of dRevClassID.


You may want to consider changing the dispersion rules in your system to match this if you are going to be using a contribution - consumption model.

Friday May 27, 2011

WebDAV in UCM 11g

The format for the WebDAV URL has changed in 11g. It is now


If you are using OHS in front of UCM it will be


and you will have to add a _dav location to the mod_wl_ohs.conf file

   <Location /_dav>

P.S. If you are creating a connection from the Desktop Integration Suite to WebCenter Content make sure to include the / at the end of the URL. I left it off by mistake and it would not connect.

Friday May 20, 2011

More on File Store Provider

In PS4 ( you can now fully edit the FSP storage rule using the web interface instead of having to edit the hda files. I think this was actually added in a patch for PS3 ( This makes it easier to manage FSP storage rules.

When I was researching the FSP behavior I found this in the Admin User's Guide.

4.3.2 FileStoreProvider Upgrade

The FileStoreProvider component is installed, enabled, and upgraded by default for a new Oracle Content Server instance (with no documents in it). The upgrade includes creation of metadata fields with default values for the file store system (DefaultFileStore). Earlier versions of the Oracle Content Server software did not automatically upgrade the file store system, and sites could choose to not use the file store system, to not upgrade to use FileStoreProvider, and to uninstall the FileStoreProvider component and metadata fields. If you do not want to upgrade FileStoreProvider from your current settings, prior to installation you must enter the configuration variable FsAutoConfigure=false in the Additional Configuration Variables field on the General Configuration page of the Oracle Content Server Admin Server page.

I'm not exactly sure how you get to the Admin Server before you actually do the install. That would be quite a trick if you could do it. What I think they mean is that you need to add it to the config.cfg file that exists before you start the install, or actually before you create the WebLogic domain or add UCM to an existing domain. I have not tried this myself, but I would suspect that you would add it to the following file:


The other place you might want to try adding it is to the config.cfg that is created in the ucm/cs/config directory AFTER you add UCM to a WebLogic domain, but BEFORE you start it for the first time. I suspect that the FSP upgrade is done as part of the initial start up of UCM.

You would do this if you were installing a new 11g UCM instance and wanted it to work the same way as a 10g instance that was not using the FSP.

Wednesday May 11, 2011

PS4 is out

Patch Set 4 (PS4) for all the Fusion Middleware products including UCM has been released. The release number for this version is

The full installer for UCM is available on the Oracle Universal Content Management 11gR1 Downloads page on OTN.

Here is the Download, Installation, and Configuration ReadMe for all the FMW products. It contains links to download the patch installers from My Oracle Support.

For ECM there do not seem to be many new features or enhancements. It is mostly a bug fix release.

There are some details in this My Oracle Support Note, 1316076.1

  • Google Chrome 10
  • Support for JRockit 6 Update 24 Release 28.1.3
  • IRM Desktop support for Windows 7 64-bit
  • Internet Explorer 9 certification

Kevin Smith is a Technical Director in Oracle Consulting's WebCenter practice. He has been working with content management products since 2004 when he joined Stellent.

