Sunday, September 25, 2005

Finally: Enterprise Security

It's about time, so here we go:
Stop the 9i instance on my test server (limited memory...) and the listener, kick 10g Release 1 into life along with a listener, and start all iAS processes:
[oracle10@csdb01 oracle10]$ lsnrctl start
LSNRCTL for Linux: Version - Production on 25-SEP-2005 14:42:31
Copyright (c) 1991, 2004, Oracle. All rights reserved.
Starting /o/oracle10/10gR1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version - Production
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "o10gR1" has 1 instance(s).
Instance "o10gR1", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

[oracle10@csdb01 oracle10]$ sqlplus "/ as sysdba"
SQL*Plus: Release - Production on Sun Sep 25 14:42:40 2005
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 285212672 bytes
Fixed Size 778856 bytes
Variable Size 120593816 bytes
Database Buffers 163577856 bytes
Redo Buffers 262144 bytes
Database mounted.
Database opened.
[oracle10@csdb01 oracle10]$ /o/ias10/opmn/bin/opmnctl startall
opmnctl: starting opmn and all managed processes...
[oracle10@csdb01 oracle10]$ /o/ias10/bin/emctl start iasconsole
TZ set to Europe/Amsterdam
Oracle Enterprise Manager 10g Application Server Control Release
Copyright (c) 1996, 2004 Oracle Corporation. All rights reserved.
Starting Oracle Enterprise Manager 10g Application Server Control ....... started successfully.
[oracle10@csdb01 oracle10]$ /o/ias10/oca/bin/ocactl start

OracleAS Certificate Authority 10g (10.1.2)

Copyright (c) 2003, 2004, Oracle Corporation. All rights reserved.

OracleAS Certificate Authority administrator password:
OCA service started.

[oracle10@csdb01 oracle10]$
OK - ready for test 1: Verify the Database Server can Bind to OID; actually, I already did that, but here is the code once more:
ldapbind -h csdb01 -p 3160 -U 3 -W file:/etc/wallets/oracle10 -P welcome1
That results in a successful bind, and concludes test 1.
Second in test (if you are wondering where these tests come from: it's the March 2005 revision of Metalink note 185275.1): Verify the database is registered:
SQL> show parameter RDBMS_SER
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
rdbms_server_dn                      string
Hmm.. Need to change that:
SQL> alter system set
  2  rdbms_server_dn='CN=o10gR1,CN=OracleContext,DC=nl, DC=cs' scope=spfile;
System altered.
OK Done. Need to bounce the database; and verify:
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
rdbms_server_dn                      string      CN=o10gR1,CN=OracleContext,DC=
                                                 nl, DC=cs
Make sure you have the server in the correct context in the Enterprise Security Manager!

Steps 3 through 6 have been completed successfully, here are some snapshots:


Continued Jan 25th, 2006: and this is where it ended... Why this post was in draft status for so long, I don't remember; I do remember, however, that I got really fed up with the horrible errors I received when testing the lot.
The listener core dumped, under Windows as well as under Linux. For all of these versions:,, and 10.2! By the time I'd figured all that out, I failed to see the (probable) cause of all this: the DN has the domain suffix in the wrong sequence. Just reread the 'Enterprise Security' threads... ;).

In the meantime, I discussed the setup and possibilities with a colleague, and he got it to work. Seen it, helped him out, just (...) need to document it properly. Will be done, rest assured.
Edit: Well, I got it working, finally - just take a look here.
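
The DN ordering problem suspected above can be caught before `alter system set rdbms_server_dn` is run. The following pre-flight check is an added example, not code from the original post; it assumes the directory's DNS domain is cs.nl (the post does not state it), and the function names are illustrative.

```python
import re

def split_dn(dn):
    """Split an LDAP DN string into (attribute, value) pairs, left to right."""
    rdns = []
    # Split on commas that are not escaped with a backslash (RFC 4514).
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_suffix_for(dns_domain):
    """RFC 2247 mapping: labels keep their DNS order, e.g. a.b -> DC=a,DC=b."""
    return ",".join(f"DC={label}" for label in dns_domain.strip(".").split("."))

def check_server_dn(dn, dns_domain):
    """Return a list of problems found in a candidate rdbms_server_dn value."""
    problems = []
    rdns = split_dn(dn)
    labels = dns_domain.strip(".").lower().split(".")
    dc_positions = [i for i, (a, _) in enumerate(rdns) if a == "DC"]
    dcs = [rdns[i][1].lower() for i in dc_positions]

    if not dcs:
        problems.append("no DC components; expected suffix " + dn_suffix_for(dns_domain))
    else:
        # DC components must form one contiguous block at the end of the DN.
        if dc_positions != list(range(len(rdns) - len(dcs), len(rdns))):
            problems.append("DC components are not a contiguous suffix")
        if dcs == labels[::-1] and dcs != labels:
            problems.append("domain suffix is reversed; expected " + dn_suffix_for(dns_domain))
        elif dcs != labels:
            problems.append("domain suffix does not match " + dn_suffix_for(dns_domain))
    # Layout used by the DN on this page: CN=<database>,CN=OracleContext,<realm>
    if len(rdns) < 2 or rdns[0][0] != "CN" or rdns[1] != ("CN", "OracleContext"):
        problems.append("expected CN=<database>,CN=OracleContext before the realm")
    return problems

# Value from the post; the domain "cs.nl" is an assumption made for this example.
PAGE_DN = "CN=o10gR1,CN=OracleContext,DC=nl, DC=cs"
if __name__ == "__main__":
    for problem in check_server_dn(PAGE_DN, "cs.nl"):
        print("rdbms_server_dn:", problem)
```

An empty list means the value matches the expected layout and realm suffix; the check only inspects the string and does not contact the directory.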
