Archive for October, 2014

Fix WCI Publisher Search with a simple tweak

Saturday, October 11th, 2014

Ever seen this error in WebCenter Publisher when using Friendly URLs?

INFO | ERROR java.lang.StringIndexOutOfBoundsException: String index out of range: -1
INFO | ERROR at java.lang.String.substring(String.java:1768)
INFO | ERROR at org.apache.jsp.published_005ftools.search_jsp._jspService(search_jsp.java:101)
INFO | ERROR at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
INFO | ERROR at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
INFO | ERROR at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)

Yeah, it’s not the first time that Friendly URLs break existing functionality, and like that Excel issue, fortunately the fix is pretty easy. Basically, you’ll need to open up the ptcs.war file and edit the /published_tools/search.jsp file in there. Specifically, there’s a section that looks like this:

       String baseURL = (cspRequest.getReturnURI().toString());

       //SE-VV: 57027 - With the recent portal code changes in Merced, the string "gateway"
       //is not present in the baseURL anymore. As a workaround, we instead look for "?" so that index is a 
       //non-negative integer. Now, when we search for a CI from within a news portlet, it'll take us to
       //the correct search results page instead of throwing an error.
       int index = baseURL.indexOf("gateway");
       if(index < 0){
              index = baseURL.indexOf("?") + 1;
       }
              baseURL = baseURL.substring(0, index - 1);


WCI 10gR4 (10.3.3) won’t work without a hotfix

Tuesday, October 7th, 2014

I was recently helping a client upgrade from Plumtree 5.0.4 (!) to WebCenter Interaction 10gR4 (aka 10.3.3), and after running through all the DB upgrade scripts, the classic navigation was still showing this error:

Error displaying the Category tabs: -2147205114 – Invalid community id provided: 123 . The community does not exist or the user does not have access to it.

The strange thing about the error was that the “Community ID” shown in the error message is actually the ObjectID of the first PAGE in the community, not the community itself.


After doing all the standard debugging and ruling out the DB upgrade scripts, it turns out that this is a known issue (KB article 1422352.1, Bug 13775312 – login required). It is resolved with Hotfix 14745949 (login required), which addresses other issues such as:

  1. UNINSTALLING ONLY AUTOMATION SERVICE CAUSES THE PTPORTAL DIRECTORY TO BE REMOVED (Issue 14745949)
  2. FIX FOR BUG 9691984 CAUSES PERFORMANCE DEGRADATION IN AUTH SYNC (Issue 14565631)
  3. COMMUNITIES WITH MORE THAN ONE PAGE WILL ERROR IN CLASSIC UI (Issue 13775312)
  4. ORACLE WCI PORTAL CANNOT COMMUNICATE WITH PORTLET REMOTE SERVER VIA SSL (Issue 13332531)
  5. PORTAL MEMORY LEAK IN SEARCH CLIENT – BASIC/ADV SEARCH, SNAPSHOT QUERIES (Issue 12988569)
  6. HTTPSTREAMPARSER CANT FIND END OF RESPONSE HEADERS CAUSING NETWORK FAILURES (Issue 12677959)
  7. HIGH CPU USAGE FROM QUERYD WHEN ONE OF THE NODES IS RESTARTED (Issue 12578166)
  8. ENABLE FUNCTION TRACING AND CLEAN UP LOGGING FOR FUTURE EASIER DEBUGGING (Issue 12382745)
  9. ADVANCED LAYOUT EDITOR: WIDE PORTLETS ARE NOT ACKNOWLEDGED IN ONE-COLUMN LAYOUT (Issue 10199005)
  10. LDAP PWS SYNC JOB PERFORMANCE AND STABILITY IMPROVEMENTS (Issue 7822564)

Use a BigIP iRule to further defend against ShellShock

Saturday, October 4th, 2014

By now you’ve no doubt heard about ShellShock, and have quickly worked to patch all your systems to close the most vulnerable aspects of this pervasive exploit. You may even be aware that some users are reporting that even the patch hasn’t fully closed the vulnerability (it seems that while the patch prevents arbitrary code execution, aliasing commands is still possible).

The exploit is pretty simple to execute; the user-agent header here will write the text “HACKED” to a file named hack.txt in the /tmp directory on a vulnerable server:

GET /cgi-bin/anypage.html HTTP/1.1
Host: yourhost
User-Agent: () { :;}; echo HACKED >>/tmp/hack.txt 
Accept: text/xml,application/xml
Accept-Language: en-us

So, in addition to patching your servers, if you’ve got a BigIP server in front of your systems, you can also set up an iRule on your system to prevent the traffic from even getting through to your servers by looking for those characters ( “(){” ) in any of your headers.

The details of the iRule are posted on F5’s forum and F5 even maintains a dedicated up-to-date ShellShock information page. Basically there are two versions of the iRule; one that trades off a tiny bit of performance to log the attack attempts, and one that’s designed to be slightly more performant but lacks logging.

Sure enough, within minutes of applying this iRule to our front-end servers at a client site, we started seeing attack attempts in the BigIP logs. So be warned: the bad guys are out there and they’re actively exploiting this bug, so do everything you can to secure your systems!
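The header check described above, as an added Python example (not F5's iRule and not code from the original post): it inspects every header of a raw request for the function-definition prefix and returns a reject decision with log lines. The names `FUNC_DEF`, `parse_request` and `inspect` are this example's own, and the benign and compact-form requests are constructed samples; the first request is the one shown in the post.

```python
import re

# Function-definition prefix that opens the payload. Optional whitespace is
# tolerated so both the "(){" characters named above and the "() {" form used
# in the post's sample request are matched.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

def parse_request(raw):
    """Split a raw HTTP request into (request_line, [(name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that carry no "name: value" pair
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def inspect(raw, client="unknown"):
    """Return (action, log_lines); action is 'reject' if any header matches."""
    request_line, headers = parse_request(raw)
    hits = [
        f"blocked {client}: header {name}={value!r} on {request_line!r}"
        for name, value in headers
        if FUNC_DEF.search(value)
    ]
    return ("reject" if hits else "allow"), hits

# Request from the post above.
PAGE_REQUEST = (
    "GET /cgi-bin/anypage.html HTTP/1.1\r\n"
    "Host: yourhost\r\n"
    "User-Agent: () { :;}; echo HACKED >>/tmp/hack.txt\r\n"
    "Accept: text/xml,application/xml\r\n"
    "Accept-Language: en-us\r\n\r\n"
)
# Constructed sample: ordinary browser User-Agent containing parentheses.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: yourhost\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0\r\n\r\n"
)
# Constructed sample: same prefix without the space, in a different header.
COMPACT_REQUEST = (
    "GET /cgi-bin/anypage.html HTTP/1.1\r\nHost: yourhost\r\n"
    "Referer: (){ :;}; echo HACKED\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (PAGE_REQUEST, BENIGN_REQUEST, COMPACT_REQUEST):
        print(inspect(sample, client="198.51.100.7"))
```

Matching on the literal three characters alone would miss the spaced form in the sample request, which is why the pattern allows whitespace between them.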