Skip Headers
Oracle® Developer Suite Release Notes
10g Release 2 (10.1.2) for Solaris, Windows and Linux x86
B16010-03
  Go To Documentation Library
Library
Go To Product List
Product
Go To Table Of Contents
Contents

Previous
Previous
 

7 Oracle Application Server Containers

This chapter describes issues with Oracle Application Server Containers for J2EE (OC4J). It includes the following topics:

7.1 OC4J Bugs Fixed in 10.1.2.0.2

The following OC4J-related bugs have been resolved in 10.1.2.0.2:

7.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for OC4J. It includes the following topics:

7.2.1 Oracle JDBC-OCI driver upgrade in the Oracle Application Server

It is not possible to upgrade to an arbitrary Oracle JDBC-OCI driver version due to client library compatibility constraints. Upgrading to OCI driver versions with matching Oracle Client libraries that are installed within the Oracle Application Server 10g (10.1.2) is supported. For example, Oracle JDBC 10.1.x drivers are supported, but the Oracle JDBC 9.2.x drivers are not.

Where the use of JDBC-OCI within the Oracle Application Server is supported, it is also necessary for the opmn.xml entry for each OC4J instance to propagate appropriate ORACLE_HOME and library path values to its startup environment.

The environment variable ORACLE_HOME is common to all platforms, but the name of the environment variable that specifies the library path is different depending on the operating systems:

  • LD_LIBRARY_PATH for Solaris

  • SLIB_PATH for AIX

  • SHLIB_PATH for HP-UX

  • PATH for Windows

The generic syntax for specifying the library paths in opmn.xml looks like this:

<variable id="<LIB_PATH_VARIABLE>" value="<LIB_PATH_VARIABLE_VALUE>"/>

where <LIB_PATH_VARIABLE> should be replaced with the appropriate platform-specific variable name that specifies the library path, and

<LIB_PATH_VARIABLE_VALUE>

should be replaced with that variable's value.

Here is an example, assuming the Solaris OS:

    <process-type id="OC4J_SECURITY" module-id="OC4J">
      <environment>
        <variable id="ORACLE_HOME"
         value="/u01/app/oracle/product/inf10120"/>
        <variable
          id="LD_LIBRARY_PATH"
          value="/u01/app/oracle/product/inf10120/lib"
        />
      </environment>
      ...
   

7.2.2 OC4J Out of Memory Errors

If the OC4J default JVM heap size is too small for applications that you deploy, then you may see Out Of Memory errors from your OC4J processes. If you review the log files for the OC4J Instance in the directory$ORACLE_HOME/opmn/logs, you may find errors similar to the following:

java.lang.OutOfMemoryError

To work around this problem, increase the specified heap memory by changing the Java command line options for the OC4J Instance.

Using Application Server Control Console, go to the OC4J instance homepage and perform the following steps:

  1. Stop the OC4J Instance.

  2. Drill down to the Server Properties page.

  3. In the Command Line Options area of the Server Properties page, under the heading Multiple VM Configuration, set the Java Options.

    For example, enter the following to set the JVM heap sizes to 512 Megabytes:

    -Xmx512m 
     
    
  4. Use the Apply button to apply the changes.

  5. Start the OC4J instance.

For more information, see the Oracle Application Server Performance Guide.

7.2.3 JDK 1.3 With OC4J 10.1.2.02

In order to use JDK 1.3, which is not shipped with OC4J 10.1.2, modify JDK 1.3 as follows:

  1. Download and install JAAS1.0_01 from http://java.sun.com/products/jaas

  2. Drop jaas.jar from the JAAS1.0_01 distribution into jre/lib/ext

  3. Add the following lines into jre/lib/security/java.security.

    #These two lines are Oracle-specific definitions 
    # 
    auth.policy.provider=oracle.security.jazn.spi.PolicyProvider 
    @ login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider 
    
    

7.2.4 Configuring Maximum Connections with Oracle HTTP Server

In standalone OC4J, you can configure the maximum number of connections by using the <max-http-connections> subelement of <application-server> in the server.xml file. (This is documented in the Oracle Application Server Containers for J2EE User's Guide.)

Now there is also a <max-ajp-connections> subelement of <application-server> to configure a maximum number of connections for use with Oracle HTTP Server. For example:

<application-server>
   ...
   <max-ajp-connections value="10000" max-connections-queue-timeout="10" 
                        close-idle-connection="allow">
        http://optional.redirect.url/page.jsp
   </max-ajp-connections>
   ...
<application-server>

The (optional) value of the element indicates a "redirect-URL", the usage of which is described below.

Attributes of <max-ajp-connections>:

  • value: The maximum number of connections allowed. The default value is -1, for no limit. (0 is a reserved value.)

  • max-connections-queue-timeout: How many seconds to wait for the number of connections to drop below the maximum number. If a connection is attempted when the maximum number of connections has been reached, and there are still no available connections after the timeout expires, then appropriate action is taken depending on other settings (see below). The default is 0 seconds.

  • close-idle-connection: A setting of "allow" (the default) makes a new connection possible by allowing the least-recently used (LRU) idle connection to be closed if the maximum number of connections has been reached and the queue timeout has expired. Use "deny" to disallow the LRU idle connection to be closed.

  • socket-backlog: The number of connections to queue up before denying connections at the socket level. The default is 30. This is inherited from <max-http-connections> functionality, but has no particular use in addition to other <max-ajp-connections> attribute settings; there should be no reason to use a value other than the default.

There are three possible responses when a connection is being attempted after the maximum number of connections has been reached and the timeout has expired:

  • If close-idle-connection="allow", the connection listener will close the oldest open idle connection by closing the client socket (but the working thread is allowed to finish its work). This allows the attempted connection to be accepted.

  • If close-idle-connection="deny" and a redirect-URL is specified in the <max-ajp-connections> element value (as shown in the example above), then the connection listener will reject the attempted connection with a 302 "Moved Temporarily" HTTP response. (The client system is expected to immediately retry the alternate URL.) The client socket of the attempted connection is then closed.

  • If close-idle-connection="deny" and no redirect-URL is specified, then the connection listener will reject the attempted connection and send a 503 "Service Unavailable" HTTP response. The client socket of the attempted connection is then closed.

7.3 Enterprise Java Beans

This section describes issues with Enterprise Java Beans (EJB). It includes the following topics:

7.3.1 Deprecated orion-ejb-jar.xml Attributes

The following orion-ejb-jar.xml attributes are deprecated in releases 9.0.4.1 and 10.1.2 and will be removed in release 10.1.3:

  • max-instances-per-pk

  • min-instances-per-pk

  • disable-wrapper-cache

  • disable-wrapper-cache

In addition, the following locking-mode attribute setting is deprecated:

  • locking-mode="old_pessimistic"

7.3.2 Big EAR File Deployment Runs Out of Memory

OutOfMemory exceptions occur when deploying EAR files with a large number of EJBs.

As part of the deployment process, wrapper code classes are generated for each EJB. The size of these classes is proportional to the number of business methods on the bean. As a performance optimization, OC4J compiles all wrapper code classes in one compiler invocation. An error can occur if the amount of generated wrapper code is too much for available memory.

A workaround is to direct the deployment process to compile each EJB module's wrapper code individually. You can do this by starting OC4J with the ejbdeploy.batch system property and setting it to false, as in the following example:

-Dejbdeploy.batch=false


Note:

This workaround should only be used when this specific exception occurs.

This workaround may result in an increased deployment time for the application.


7.3.3 EJB Wrapper Code Compilation Fails When Running in zh_CN.GB18030 Locale.

EJB wrapper code compilation fails when running in zh_CN.GB18030 locale. When running in zh_CN.GB18030 locale, parts of the EJB wrapper source code may be generated with missing characters. This causes compilation errors. The missing characters in the generated source code are due to a Sun bug documented at:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4954023

The workaround is to use a different locale. See the Sun bug for details.

7.3.4 Package Name for RMIInitialContextFactory Has Changed

The package name for RMIInitialContextFactory has changed from oracle.j2ee.rmi.server to oracle.j2ee.rmi.

7.3.5 How To Disable EJB Instance Pooling

To disable instance pooling, use the new <max-instances> setting with any negative number in the orion-ejb-jar.xml file. This creates a new instance at the start of the EJB call and releases it at the end of the call.

7.3.6 How To Compile in Non-Batch Mode

To compile in non-batch mode (for example, if OC4J throws java.lang.OutOfMemory exceptions while compiling in batch mode), use the -Dejbdeploy.batch=false option. Although non-batch mode requires less memory allocation, this mode results in a longer deployment time.

7.4 OC4J Services

This section describes release notes for OC4J services. OC4J Services include: Java Naming and Directory Interface (JNDI), Java Message Service (JMS), Data Sources, Oracle Remote Method Invocation (ORMI), J2EE Interoperability (IIOP), Java Transaction API (JTA), J2EE Connector Architecture (J2CA), and Java Object Cache.

The section contains the following release note(s):

7.4.1 Data Sources

This section describes issues with Data Sources. It includes the following topics:

7.4.1.1 Data Sources Creates the Correct Number of Connection Pools in 10.1.2

In the 9.0.4 release, Data Sources incorrectly created multiple connection pools for the same data source: One pool for transactional connections and one pool for non-transactional connections.

This behavior is corrected for release 10.1.2.

7.4.1.2 Fatal Error Code Enhancement

For each data source defined in data-sources.xml, you can define fatal error codes that indicate that the back-end database with which the data source communicates is no longer accessible. When OC4J detects one of these error codes (stated when a SQLException is thrown by the JDBC driver), OC4J will clean its connection pool. That is, it closes all connections in the connection pool. For Oracle, the predefined fatal error codes are: 3113, 3114, 1033, 1034, 1089, and 1090.

Use the following procedure to add additional fatal error codes for Oracle.

Use the <fatal-error-codes> element, which is a subtag of the <data-source> element. The <fatal-error-codes> element uses the child element <error-code> to define one fatal error code. You can define 0 - n <error-code> elements for each <fatal-error-codes> element. For example, for fatal error codes 10, 20, and 30, the data source definition would look like this:

<data-source 
class="com.evermind.sql.DriverManagerDataSource" 
name="ds" 
location="jdbc/ds" 
xa-location="jdbc/xa/ds" 
ejb-location="jdbc/ejb/ds" 
@ connection-driver="oracle.jdbc.driver.OracleDriver" 
username="scott" 
@ password="tiger" 

@ url="jdbc:oracle:thin:@//localhost:1521/oracle.regress.rdbms.dev.us.oracle.com">
 
         <fatal-error-codes> 
            <error-code code='10'/> 
            <error-code code='20'/> 
            <error-code code='30'/> 
         </fatal-error-codes> 

</data-source> 

7.4.1.3 Fixed Connection Pool Problems

The following connection pool problems are fixed in 10.1.2.0.2.

In pre-10.1.2.0.2 versions of OC4J, the data sources subsystem would create multiple connection pools for the same data source for the following cases:

  • When a connection was used inside a global transaction and outside a global transaction during the same thread of execution (during the execution of a servlet for example.) In this case one connection pool was created for connections used inside global transactions and one connection pool was created for connections used outside of the global transaction.

  • When a connection was retrieved from the data source using the non-default user/password. For example, the use of getConnection() caused one connection pool to be created and getConnection("user", "password") caused another connection pool to be created. This is especially bad because each user/password combination created another, separate connection pool.

  • Indicating via configuration that a data source's connections are to be shared caused an additional data source to be created under the covers which would then duplicate all of the connection pool issues described above.

This resolves code bug 4226465 and documentation bug 4373802.

7.4.2 ORMI

This section describes issues with ORMI. It includes the following topics:

7.4.2.1 ORMI - OC4J Only Creates IPv4 Sockets

OC4J only creates IPv4 sockets. Even on dual network stack machines (with both IPv4 and IPv6 stacks available) OC4J creates only IPv4 sockets. This may cause a problem if client-issued requests are from a IPv6 system. This is indicated by connection-refused messages from the server to the IPv6 client. To avoid this problem, start the client process with the system property java.net.preferIPv4Stack=true. This forces the client to only issue IPv4 requests, allowing it to communicate with the server.

7.4.2.2 ORMI Protocol Is Not Secure

It should be noted that the ORMI protocol is not secure. Any and all communication over ORMI is not encrypted including security credentials. Customers that want to encrypt ORMI traffic are advised to use ORMI over HTTPS, which will encrypt all communication between the client and the server.

7.5 Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider

Be aware of the following notes when using the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider (OracleAS JAAS Provider) in release 10.1.2.0.2:

7.5.1 Using the 9.0.4 Oracle Internet Directory Server with 10.1.2.0.2 OracleAS JAAS Provider

Prior to the 10.1.2 Oracle Internet Directory implementation, Access Control List (ACL) features are not set up properly for JAZNAdminGroup. To use the 9.0.4 Oracle Internet Directory implementation with the 10.1.2 OracleAS JAAS Provider implementation, place the following contents into a file, replacing %s_MgmtRealmDN% with the appropriate ID management realm (for example, dc=us,dc=oracle,dc=com), then execute the steps that follow.

dn: cn=JAZNContext,cn=Products,cn=OracleContext,%s_MgmtRealmDN%
changetype: modify
replace: orclaci
orclaci: access to entry
   by group= "cn=JAZNAdminGroup,cn=Groups,cn=JAZNContext,cn=Products,cn=OracleContext" 
(browse, add, delete)
   by group= "cn=IASAdmins,cn=Groups,cn=OracleContext,%s_MgmtRealmDN%
added_object_constraint=(objectclass=orclApplicationEntity) (add, delete, browse)
   by * (none)
orclaci: access to attr=(*)
   by group= "cn=JAZNAdminGroup,cn=Groups,cn=JAZNContext,cn=Products,cn=OracleContext"
(search, read, write, compare)
   by group= "cn=IASAdmins,cn=Groups,cn=OracleContext,%s_MgmtRealmDN%" 
(read, search, write, compare)
   by * (none)

  1. Name the file with the .ldif extension, such as jaznacl.ldif.

  2. Run the ldapmodify utility with the newly created file as input, specifying oidport, oidhost, adminuser_dn, password, and filename as appropriate:

    ldapmodify -c -a -p oidport -h oidhost -D adminuser_dn -w password \
               -f filename.ldif
    

7.5.2 Support for auth-method="DIGEST" in <jazn-web-app>

The 10.1.2.0.2 OracleAS JAAS Provider implementation now supports the setting auth-method="DIGEST" in the <jazn-web-app> element, in either the orion-web.xml file or orion-application.xml file. This is in addition to the already supported setting auth-method="SSO". Support for DIGEST is already noted in the 10.1.2.0.2 Oracle Application Server Containers for J2EE Servlet Developer's Guide (which includes reference documentation for orion-web.xml), but is not indicated in the 10.1.2.0.2 Oracle Application Server Containers for J2EE User's Guide (which includes reference documentation for orion-application.xml). "SSO" is to use Oracle Application Server Single Sign-On for HTTP client authentication; "DIGEST" is to use the digest authentication mechanism. See the 10.1.2.0.2 Oracle Application Server Containers for J2EE Security Guide for complete information.

7.6 Documentation Errata

This section describes known errors in the OC4J documentation in Oracle Application Server 10g Release 2 (10.1.2). It covers the following books:

7.6.1 Oracle Application Server Containers for J2EE User's Guide Documentation Errata

This section describes known errors in the Oracle Application Server Containers for J2EE User's Guide. It includes the following topic(s):

7.6.1.1 An OC4J Process Is Not "Contained" in an OC4J Instance

The following incorrect statement appears in the Oracle Application Server Containers for J2EE User's Guide Chapter 8, OC4J Clustering:

"Each OC4J process is contained in an OC4J instance and inherits its configuration from the OC4J instance. All applications deployed to an OC4J instance are deployed to all OC4J processes in the OC4J instance."

The statement is incorrect in that an OC4J process as such can only be "contained" in other processes, an OC4J instance is not a process.

The correct statement in this case is:

"Each OC4J process is associated to an OC4J instance and inherits its configuration from that OC4J instance. All applications deployed to an OC4J instance are started in all the OC4J processes associated to that OC4J instance."

7.6.1.2 Correct Cross Reference for Metric-Based Load Balancing Information

In the description of the <metric-collector> element of the server.xml file in Appendix B - Additional Information of the Oracle Application Server Containers for J2EE User's Guide, the following incorrect cross reference is given:

"For details on using the <metric-collector> element and using metric-based load balancing with mod_oc4j, see the Oracle Application Server 10g Performance Guide."

Replace the incorrect cross reference with the following correct cross reference:

For details on using metric-based load balancing with mod_oc4j, see the Oracle HTTP Server Administrator's Guide.

7.6.1.3 JDK 1.4.2 Supported and Installed with OC4J

Chapter 1: "OC4J Overview" of the Oracle Application Server Containers for J2EE User's Guide contains incorrect references to the Java Development Kit (JDK) used with Oracle Application Server Containers for J2EE 10g Release 2 (10.1.2).

The "Using JDK With OC4J" section lists JDK 1.3.1 and 1.4.1 as the supported versions. This list should also include JDK 1.4.2.

The "Requirements" section incorrectly states that JDK 1.3.x is installed with OC4J. The correct version is JDK 1.4.2.

7.6.1.4 Primers Content Removed from OC4J User's Guide

Chapter 1: "OC4J Overview" of the Oracle Application Server Containers for J2EE User's Guide contains a reference to "primers", which are no longer included in the User's Guide.

7.6.1.5 Deprecated Oc4JUserKeepalive Parameter in OC4J User's Guide and OC4J Standalone User's Guide

The solution documented in the "Connection Timeouts Through a Stateful Firewall Affect System Performance" topic in Appendix A: "Troubleshooting OC4J" incorrectly references a deprecated parameter, Oc4jUserKeepalive. Contrary to statements made in this topic, this parameter should not be set in either the httpd.conf or mod_oc4j.conf configuration files.

7.6.1.6 Additional OC4J Deployment Notes

The following notes on undeployment and redeployment are intended to supplement the deployment discussion in the Oracle Application Server Containers for J2EE User's Guide.

General undeployment/redeployment notes:

  • Once an application is undeployed from OC4J, it is no longer accessible to clients. In an Oracle Application Server environment, Oracle HTTP Server will be restarted to remove the OC4J mount point. This will result in the loss of existing HTTP sessions.

  • During a redeployment, OC4J removes the existing application (EAR/WAR) before redeploying the new EAR. This means, for example, that attempts to access an HTML file that was included in the previous application, but not the new one, will result in "File Not Found" errors.

  • Also note that a redeployed WAR file overlays the previously expanded WAR, meaning that some older files may persist in the new deployment and will need to be deleted. For example, static HTML files from the previous deployment that are not included in the new WAR may continue to reside in the expanded WAR directory structure, and would have to be manually deleted.

"Hot redeployment" notes:

  • When an EAR is redeployed or "hot redeployed" on a running OC4J instance, the status of the classes loaded in the JVM from the previous application may vary. In some cases a classloader may recognize that a class or JAR file in the file system has changed, and reload the class or library. In other cases whether a new class definition is loaded may depend on whether the JVM tuning allows the garbage collector to flush the existing class definition.

  • Issues may also exist with respect to serialized objects containing session data. If the class related to a session object changes, it may not be possible to cast the generic session object back to the class, since the class has changed and its variables may occupy a different memory footprint. This may result in lost session data.

  • In an Oracle Application Server environment, a "hot deployment" - deploying an application without restarting OC4J - adds Oc4jMount directives to mod_oc4j.conf, which in turn forces a restart of Oracle HTTP Server. This will result in the loss of existing HTTP sessions.

7.6.2 Oracle XML API Reference Documentation Errata

This section describes known errors in the Oracle XML API Reference. It includes the following topic:

7.6.2.1 Add Information for formDocument() Method

In the Oracle XML API Reference, Chapter 15, "Package Dom APIs for C++", add the following entries:

  • On page 15-22, in Table 15-7 "Summary of DOMImplRef Methods; Dom Package", add an entry for formDocument() method, description: "Forms a document reference given a pointer to the document."

  • On page 15-24, add the following method description:

    formDocument()

    Description

    Forms a document reference given a pointer to the document.

    Syntax

    DocumentRef< Node>* formDocument( Node* node); 
    
    

    ----------------------------------------------------

    Parameter Description

    ----------------------------------------------------

    node Pointer to the document node.

    ----------------------------------------------------

    Returns

    DocumentRef< Node>* pointer to the document reference.

7.6.3 Oracle Application Server Containers for J2EE Services Guide Documentation Errata

This section describes known errors in the Oracle Application Server Containers for J2EE Services Guide. It includes the following topics:

7.6.3.1 Corrected JDBC Connect String for Third-Party Databases

In the "Example DataDirect Data Source Entries" section of the "Data Sources" chapter of the Oracle Application Server Containers for J2EE Services Guide for 9.0.4 and 10.1.2.x, the URLs in the examples are incorrect.

The INCORRECT part of the URL is as follows:

 url="jdbc:databasevendor://... 

The CORRECT URL fragment is as follows:

 url="jdbc:oracle:databasevendor://... 

The corrected example DataDirect Data Source Entries are as follows:

SQLServer

Here is a data source configuration sample for a SQLServer database.

<data-source 
                 class="com.evermind.sql.DriverManagerDataSource" 
                 name="OracleDS" 
                 location="jdbc/OracleCoreDS" 
                 xa-location="jdbc/xa/OracleXADS" 
                 ejb-location="jdbc/OracleDS" 
                 schema="database-schemas/ms-sql.xml" 
                 
 connection-driver="com.oracle.ias.jdbc.sqlserver.SQLServerDriver" 
                 username="mssql" 
                 password="mssql" 
                 
 url="jdbc:oracle:sqlserver://PZWU-PC\WUPZIAS;User=mssql;Password=mssql" 
                 inactivity-timeout="30" 
 /> 

DB2

Here is a data source configuration sample for a DB2 database:

  <data-source 
                   class="com.evermind.sql.DriverManagerDataSource" 
                   connection-driver="com.oracle.ias.jdbc.db2.DB2Driver" 
                   name="OracleDS" 
                   location="jdbc/OracleCoreDS" 
                   xa-location="jdbc/xa/OracleXADS" 
                   ejb-location="jdbc/OracleDS" 
                   schema="database-schemas/db2.xml" 
                   username="db2admin" 
                   password="db2admin" 
                   
 url="jdbc:oracle:db2://ying.us.oracle.com:50000;DatabaseName=sample;CreateDefa ultPackage=TRUE" 
                   inactivity-timeout="30" 
/> 

Sybase

Here is a data source configuration sample for a Sybase database:

  <data-source 
                 class="com.evermind.sql.DriverManagerDataSource" 
                 name="OracleDS" 
                 location="jdbc/OracleCoreDS" 
                 xa-location="jdbc/xa/OracleXADS" 
                 ejb-location="jdbc/OracleDS" 
                 schema="database-schemas/sybase.xml" 
                 connection-driver="com.oracle.ias.jdbc.sybase.SybaseDriver" 
                 username="JDBC_TEST" 
                 password="JDBC_TEST" 
                 url="jdbc:oracle:sybase://dlsun150:4101" 
                 inactivity-timeout="30" 
 /> 

Informix

Here is a data source configuration sample for an Informix database:

 <data-source 
                 class="com.evermind.sql.DriverManagerDataSource" 
                 name="OracleDS" 
                 location="jdbc/OracleCoreDS" 
                 xa-location="jdbc/xa/OracleXADS" 
                 ejb-location="jdbc/OracleDS" 
                 schema="database-schemas/informix.xml" 
                 
 connection-driver="com.oracle.ias.jdbc.informix.InformixDriver" 
                 username="tg4odbc" 
                 password="tg4odbc" 
                 
 url="jdbc:oracle:informix://dlsun150:3900;informixServer=gtw93;DatabaseName=ga tewaydb" 
                 inactivity-timeout="30" 
 /> 

7.6.4 Oracle Application Server Containers for J2EE Security Guide

This section describes issues with the Oracle Application Server Containers for J2EE Security Guide. It includes the following topics:

7.6.4.1 Incorrect Example in Deployment Roles and Users

On page 3-8 of the Oracle Application Server Containers for J2EE Security Guide, under "Deployment Roles and Users", there is an example that does not properly close the <type> and <name> subelements of a <member> element. Here is the corrected example:

<role>
 <name>developer</name>
  <members>
   <member>
    <type>user</type>
    <name>john</name>
   </member>
  </members>
</role> 

7.6.4.2 Incorrect internal-settings.xml Information

The Oracle Application Server Containers for J2EE Security Guide incorrectly states that the internal-settings.xml file supports password indirection for keystore-password and truststore-password (page 14-2). This is incorrect; the internal-settings.xml file does not support password indirection.