EnterpriseOne

The EnterpriseOne category will include all posts and pages pertaining to EnterpriseOne.

Windows 2003 Firewall Rules Allow UNC Access To Shared Folders

A couple weeks ago I wrote a post about setting up Windows Firewall on a Windows 2003 Server running Oracle JD Edwards EnterpriseOne.

Well, looks like I wrote that article a little too quickly. Because although Oracle JD Edwards EnterpriseOne ran perfectly, the users were not able to access the exported files on the shared folders. Actually, neither was I. In fact, I couldn’t get to any of the shared folders using a basic UNC path (i.e. \\servername\foldername\file.name).

I thought this would be easily resolved by checking a box on the Windows Firewall Exceptions tab like on the image to the right. I was wrong. Although it seemed like it should work, it didn’t.

Then, I did some checking and found that I could access the shared folders from the servers on the same segment as the Windows 2003 Server but not from my laptop. Since I’ve been out of the Windows networking arena for a while and I had no idea what the Infrastructure Team might have set up, I decided to submit a Service Request to our Support Desk and hope for the best. Unfortunately, because Windows Server 2003 reached its End-of-Life in 2009, the extremely limited options of the Windows Firewall at that time and the number of different things that have been tried to segregate these servers from the rest of the network, my support options were pretty limited. Our Infrastructure Team worked with me for a while on the issue until we both gave up.

Defeated, I let it sit for a day or so.

Since I was getting tired of seeing that Service Request sitting in my queue, I took a look at it again. I did some research into the exact ports that needed to be opened up on any firewall to allow Windows Shared Folders to be used. Those ports are listed here:

  • udp 137: NetBIOS Name Service (nbname)
  • udp 138: NetBIOS Datagram Service (nbdatagram)
  • tcp 139: NetBIOS Session Service (nbsession)
  • tcp 445: SMB Over TCP

I tried to insert exceptions for those ports but kept getting errors notifying me that “An entry for the same port ‘TCP 445 (SMB over TCP)’ already exists” and I couldn’t make another one. So, that made me want to see the raw settings in the registry rather than through the GUI. I did some searching and finally figured out that what I wanted could be found at the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

I found the entries to allow Windows Shared Folders and noticed that they were different than the entries that I had added manually. They indicated that the scope was for the “LocalSubNet” rather than “*”. No wonder I could only get to the shared folders from servers that were on the same network segment.

I replaced the “LocalSubNet” with “*” and everything worked!

You can use a .reg file like the following to make the changes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"

That was fun! I think…
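
An added example, not part of the original post: a small Python check that parses a .reg export of the GloballyOpenPorts\List key and reports file-sharing ports whose scope is "*", meaning any address that can reach the server. The sample export is constructed, and its comma-separated custom scope (a subnet plus LocalSubNet) assumes the key accepts the same scope syntax as the Windows Firewall port-exception policy.

```python
import re

# File-sharing ports listed in the post.
SMB_PORTS = {("137", "UDP"), ("138", "UDP"), ("139", "TCP"), ("445", "TCP")}
VALUE_RE = re.compile(r'^"[^"]+"="(?P<data>[^"]*)"$')  # one "name"="data" line

# Constructed sample export (not from the page); 192.0.2.0/24 is a documentation subnet.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"137:UDP"="137:UDP:192.0.2.0/24,LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Disabled:@xpsp2res.dll,-22002"
"1521:TCP"="1521:TCP:*:Enabled:Oracle_Database_Port"
'''


def parse_open_ports(reg_text):
    """Return the entries found under any GloballyOpenPorts List key.

    Value layout, as seen in the page's .reg file: port:protocol:scope:state:name
    """
    entries, in_list_key = [], False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            in_list_key = line.rstrip("]").lower().endswith(r"\globallyopenports\list")
            continue
        m = VALUE_RE.match(line)
        if not (in_list_key and m):
            continue
        parts = m.group("data").split(":", 4)
        if len(parts) != 5:
            continue  # malformed value: skip rather than guess
        port, proto, scope, state, name = parts
        entries.append({"port": port, "proto": proto.upper(), "scope": scope,
                        "enabled": state.lower() == "enabled", "name": name})
    return entries


def audit(entries):
    """List enabled file-sharing ports whose scope admits any source address."""
    return [f'{e["port"]}/{e["proto"]}' for e in entries
            if e["enabled"] and e["scope"] == "*"
            and (e["port"], e["proto"]) in SMB_PORTS]


if __name__ == "__main__":
    print(audit(parse_open_ports(SAMPLE)))
```

Run against an export of the server's own key, an empty result means no file-sharing port is open beyond a named scope.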


Results: Where Does The CNC Function Reside In Your IT Department?

Where do you put CNC?

That was the question I asked in my first survey attempt. Needless to say, the CNC community is a quiet group. I only got 7 responses. I know there are many people that read this blog but rarely do I get comments, suggestions or flat out criticisms. Maybe that’s due to me staying pretty factual (translate “geeky”). For those that actually know me, I don’t seem to hold back when it comes to my opinions.

Anyway, here are the results:

[Chart: CNC function in the IT department, survey results]

So, are you surprised?

Securing Oracle JD Edwards EnterpriseOne with Windows Firewall


On one of the Oracle JD Edwards EnterpriseOne installations that I manage, we have a few Windows 2003 Servers. Yeah, I know, it’s no longer supported but the Tools Release is 8.98.4.7 and there are a couple third-party applications that are not able to be upgraded. It’s crazy how messy, real-life situations cannot be duplicated in the squeaky-clean confines of the Oracle lab.

Since Windows 2003 Server is no longer supported by Microsoft, our IT Security Team has tried locking down these servers using several different methods. One of them has been to try and implement a software firewall on the server itself. Unfortunately, any third-party solution that we tried had such a negative impact on the performance of EnterpriseOne that we had to remove it. So, they asked that we turn on the Windows Firewall. While not as robust as they would have liked, it would provide another layer of security.

The good thing about the Windows Firewall, other than how simple it is, is that it shuts down all communication and only allows what you specify. That means, for EnterpriseOne to function, you need to make sure that all the applications and ports are allowed through the firewall. There were a few different documents that I used to come up with the correct recipe for successfully securing Oracle JD Edwards EnterpriseOne with Windows Firewall:

The easiest way to access the Windows Firewall settings is to go to [Start] -> Run -> firewall.cpl. I created a shortcut to firewall.cpl on the desktop to make it easier.

The following is a breakdown of what I came up with but since everyone’s configuration is different (CNC = Configurable Network Computing) your mileage may vary.

  • Made the following change to the jde.ini of the affected Windows Server:
    enablePredefinedPorts=1
  • Specified the following applications
    • E:\JDE_HOME\jdk\jre\bin\java.exe – Used by the JDE Server Manager
    • E:\JDEdwards\E900\DDP\system\bin32\jdenet_k.exe – Part of JDE Services
    • E:\JDEdwards\E900\DDP\system\bin32\jdenet_n.exe – Part of JDE Services
    • E:\JDE_HOME\bin\scfagent_64.exe – Used by the JDE Server Manager
    • E:\JDEdwards\E900\DDP\system\bin32\jdesnet.exe – Part of JDE Services
  • Specified the following ports
    • Oracle_Database_Port – Oracle DB communication port 1521
    • Server_Manager_Port – Oracle JDE Server Manager port 14501
    • Server_Manager_Port – Oracle JDE Server Manager port 14502
    • Server_Manager_Port – Oracle JDE Server Manager port 14503
  • Specified the following ports that correspond to the enablePredefinedPorts setting above:
    • Oracle_E1_Port_6015 – 6015
    • Oracle_E1_Port_6016 – 6016
    • Oracle_E1_Port_6017 – 6017
    • Oracle_E1_Port_6018 – 6018
  • Allowed PING for monitoring server availability by using the [Advanced] tab

There were a few more settings that I added to allow for our third-party applications but those are not related to EnterpriseOne.

Do you have any other tips or tricks to get Oracle JD Edwards EnterpriseOne to work with Windows Firewall?


Oracle JD Edwards EnterpriseOne Multi-Foundation


Oracle JD Edwards EnterpriseOne Multi-Foundation configuration is used to run at least two separate tools releases on the same installation. This is usually done to facilitate an environment or pathcode that can be updated to a new Tools Release without affecting your production environment.

It’s also a great way to remove the dependency of your production environment and non-production environments being on the same set of EnterpriseOne services. That means you can bounce non-production services without affecting production. This is great for troubleshooting as well as applying OS updates.

The easiest way to set up multi-foundation is to follow the steps outlined in the following Oracle doc: Working With Multiple Tools Release Foundations

Do you have any tips or tricks when it comes to working with EnterpriseOne Multi-Foundation?


EnterpriseOne Package Build Completed With Errors

Don’t ya just hate that message on the PDF at the completion of an EnterpriseOne package build… Build Completed With Errors?

Well, I came across this the other day and I just couldn’t get the EnterpriseOne package build to rebuild successfully. There were no usual suspects, like coding errors or running out of disk space. The only error I had was:

Attempting to Link.
Command: 'chdir=E:\JDEdwards\E900\DDP\packages\PDF6000\obj\CLOC'
Entering DoTheLink.
Executing: 'dir /b *.obj  >> link_cmd'.
Executing: 'link @link_cmd >> CLOC.log'.
Entering RunMtExe.
Executing: 'mt.exe -manifest E:\JDEdwards\E900\DDP\packages\PDF6000\bin32\CLOC.dll.manifest -outputresource:E:\JDEdwards\E900\DDP\packages\PDF6000\bin32\CLOC.dll;#2'.
builddll.c:4719 BUILDDLL0191 ERROR: Failed to run mt.exe successfully
Exiting RunMtExe.
builddll.c:2394 BUILDDLL0082 ERROR: Exiting DoTheLink with failure.
Finished Linking. Copying .c, .h, .hxx, and bin32 to Package Location.

So, I started messing around with the mt.exe command that it was trying to run and came up with this:

C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin>mt.exe -manifest E:\JDEdwards\E900\DDP\packages\PDF6000\bin32\CLOC.dll.manifest -outputresource:E:\JDEdwards\E900\DDP\packages\PDF6000\bin32\CLOC.dll

Then, I resubmitted the build using Package Build History and it completed successfully.

Do you have any tricks for getting by odd package build issues?
