Wednesday, May 29, 2013

Oracle Unified Directory TNS and EUS - Part 1: TNS Resolving

Part two of OUD.

Start it up

# su - oracle
$ /oracle/Middleware/asinst-1/OUD/bin/start-ds
Just to make things happen, I shut down the firewall:
# service iptables stop
But at least, I can do things like:
frank@ubuntu64:~$ ldapsearch -D "cn=Directory Manager" -w Welcome1 -h oud -p 1389 -b dc=home,dc=local cn=groups -LLL
dn: cn=Groups,cn=OracleContext,dc=home,dc=local
cn: Groups
objectClass: orclContainer
objectClass: top

TNS Name resolution

Easy, useful if you have many database instances, and it comes automatically if you want Enterprise User Security (EUS) as well.
The first step is to register the database (needed for EUS; if you just want TNS name resolving, use the Net Manager ($ORACLE_HOME/bin/netmgr) and navigate to Command -> Directory -> Export Net Service Names). You can do that with the Database Creation Assistant, but the timing is wrong: dbca usually comes in when the networking is not yet configured.
So, let's do the ldap part of network configuration:
[oracle@idm1 ~]$ cd $ORACLE_HOME/network/admin
[oracle@idm1 admin]$ cat ldap.ora
DIRECTORY_SERVERS= (oud.home.local:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=home,dc=local"
DIRECTORY_SERVER_TYPE = OID
I want to use the command line version of dbca:
dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
  -registerWithDirService true -dirServiceUserName "cn=Directory Manager" \
  -dirServicePassword Welcome1 -walletPassword Welkom123
However, it comes back with
Manager is an invalid command line argument.
So I used the GUI. DBCA should be patched to be able to pass parameters with spaces (something with replacing $* with "$@"?!?)
The result is that the instance is registered:
frank@ubuntu64:~$ ldapsearch -D "cn=Directory Manager" -w Welcome1 -h oud -p 1389 -b dc=home,dc=local cn=idm1 -LLL
dn: cn=idm1,cn=OracleContext,dc=home,dc=local
orclVersion: 112000
orclcommonrpwdattribute: {SASL-MD5}XjChkyAf9xCbtif/veeBqg==
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass: orclDBServer
objectClass: top
orclServiceType: DB
orclSid: idm1
orclOracleHome: /oracle/db/product/11.2.0
cn: idm1
orclSystemName: idm1.home.local
userPassword:: e1NTSEF9ZDdHb1BJeHZ4cktQdVduWE1vYzRlVklFaUprT1NpRGtsWFhEcWc9PQ==
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
orclDBGlobalName: idm1
orclNetDescName: 000:cn=DESCRIPTION_0
Until now, a tnsping resolved the alias through tnsnames.ora. From here on I can also use the LDAP server; in order to do that, I have to tell the client environment to use LDAP:
[oracle@idm1 admin]$ tnsping idm1

TNS Ping Utility for Linux: Version - Production on 22-MAY-2013 14:33:08

Copyright (c) 1997, 2011, Oracle. All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = idm1.home.local)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = idm1.home.local)))
OK (10 msec)
[oracle@idm1 admin]$ vi sqlnet.ora
[oracle@idm1 admin]$ cat sqlnet.ora
NAMES.DIRECTORY_PATH= (LDAP, TNSNAMES)
[oracle@idm1 admin]$ tnsping idm1

TNS Ping Utility for Linux: Version - Production on 22-MAY-2013 14:33:52

Copyright (c) 1997, 2011, Oracle. All rights reserved.

Used parameter files:
/oracle/db/product/11.2.0/network/admin/sqlnet.ora

Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
OK (10 msec)
So, there you have it: using Oracle Unified Directory as the mechanism to resolve TNS names.
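With NAMES.DIRECTORY_PATH=(LDAP, TNSNAMES) the client connects to whatever orclNetDescString it finds under cn=OracleContext, so it is worth checking what the directory actually publishes for an alias. The Python below is an added example (not code from this post or from Oracle): it reproduces the search the LDAP naming adapter issues from the ldap.ora admin context, parses the connect descriptor in both the compact orclNetDescString form and the spaced tnsnames.ora form seen in the tnsping output, and flags any listener endpoint that is not on a hypothetical allow-list.

```python
import re
# Constructed sample: the cn=idm1 record from the ldapsearch output above.
LDIF = """dn: cn=idm1,cn=OracleContext,dc=home,dc=local
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
cn: idm1
"""
EXPECTED_ENDPOINTS = {("idm1.home.local", 1521)}  # hypothetical allow-list of legitimate listeners

def naming_search(alias, admin_context):
    # The search the LDAP naming adapter issues, given DEFAULT_ADMIN_CONTEXT from ldap.ora.
    return {"base": f"cn=OracleContext,{admin_context}",
            "filter": f"(cn={alias})", "attrs": ["orclNetDescString"]}

def _node(s, i):
    # Recursive-descent parse of one (KEY=value) group starting at s[i] == "(".
    j = s.index("=", i)
    key, i = s[i + 1:j].strip().upper(), j + 1
    while s[i].isspace():
        i += 1
    if s[i] != "(":                      # scalar value, e.g. (PORT=1521)
        j = s.index(")", i)
        return key, s[i:j].strip(), j + 1
    children = []                        # nested groups, e.g. (ADDRESS=(...)(...))
    while s[i] == "(":
        k, v, i = _node(s, i)
        children.append((k, v))
        while s[i].isspace():
            i += 1
    return key, children, i + 1          # s[i] is the group's closing ")"

def parse_descriptor(text):  # tnsnames.ora (spaced) or orclNetDescString (compact) form
    return dict([_node(text.strip(), 0)[:2]])

def endpoints(tree):
    # (host, port) of every ADDRESS group, at any nesting depth (ADDRESS_LIST etc.).
    found = []
    def walk(value):
        if isinstance(value, list):
            group = dict(value)
            if "HOST" in group and "PORT" in group:
                found.append((group["HOST"], int(group["PORT"])))
            for _, child in value:
                walk(child)
    walk(next(iter(tree.values())))
    return found

def audit(ldif, allowed=EXPECTED_ENDPOINTS):
    # Endpoints published in the directory entry that are NOT on the allow-list.
    m = re.search(r"^orclNetDescString:\s*(.+)$", ldif, re.M)
    return [e for e in endpoints(parse_descriptor(m.group(1))) if e not in allowed]
```

Feed audit() the -LLL output of the ldapsearch for each alias; anything it returns is a connect target the directory hands out that you did not expect.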

Saturday, May 18, 2013

Oracle Unified Directory configure

Configure ODSM with ADF for OUD

Of course, add new domain. There's nothing yet!

Select ODSM and EM; JRF will come automagically

Changing the defaults

Don't forget to document the passwords...

Production mode; I will not develop new apps, so there's no need to scan for these - it will speed up the start process. can still be used.

You can do it here, or later, but the installer won't (bug?)

Defining a (WebLogic) machine

Select the servers...

...and add them to the machine


Configure Unified Directory

export ORACLE_INSTANCE=/oracle/Middleware/Oracle_OUD1
export PATH=/oracle/jrockit-jdk1.6.0/bin:$PATH
export JAVA_HOME=/oracle/jrockit-jdk1.6.0
$ORACLE_INSTANCE/oud-setup
Welcome screen
Fill in hostname, and press the Secure Access
button - I want to do Enterprise User Security
Do not try to run on the standard ports 389 and 636: these are privileged, and there's no actual process.
If wanted, configure port forwarding.
Give the standard user a password, and document that!
TIP: Do NOT use the default, but use a name without spaces
For now, just stand alone
Directory Components - adjust to your liking
Radio buttons... Seems you cannot have both?
Well, you can: take EUS and you can also do TNS resolving:
there is an overlap in classes.
You may want to adjust other settings.
Almost done. There's a dropdown in the upper right corner?
Ah - the command line - for reference.

Now start the services, and weblogic:
/oracle/Middleware/asinst_1/OUD/bin/start-ds
/oracle/user_projects/domains/OUD_domain/bin/ &
After creating the /oracle/middleware/user_projects/domains/OUD_domain/servers/AdminServer/security/ file.
Log in to Enterprise Manager
Log on to ODSM
And see what's there

Friday, May 17, 2013

Oracle Unified Directory Installation

Installation and use.

Having worked on a proof-of-concept which heavily depends on all sorts of Oracle Identity suites, I learned Oracle will probably dump OID (Internet Directory) and OVD (Virtual Directory) over the next 5 years in favor of Oracle Unified Directory (OUD - which means "old" in Dutch).
So, I thought I'd give it a swing and see how I can use it as if it were OID, with which I am familiar. This means I will not only install and configure it, but will also try to use it for:
  • TNS name resolving 
  • Enterprise User Security (EUS) 
  • Integration platform with MS Active Directory (DIP) 
Of course, I want it to do WNA (Windows Native Authentication) as well, hence the Directory Integration (DIP).

Installation of Oracle Unified Directory

Pretty straightforward; you need three components, which are installed quickly:
  1. OUD (Oracle Unified Directory) 
  2. WLS (WebLogic Server) 
  3. ADF (Application Development Framework)

Download locations are eDelivery for OUD (V37478-01), OTN for WebLogic and OTN for ADF. Weblogic version would be 10.3.6, and the matching ADF version is
Make sure you have the correct versions! You will also need some Java runtime; I use JRockit.

You may then fire up the installer: 

Specify the inventory location - if you have installed oracle stuff before, you won't see this screen.

Just run the script, then click OK.

Go through the screens; no Updates or news. Make sure all requirements are met:

Left locations and names default.

Go, go, go! And... done!

WebLogic Installation

This has been documented before. See previous entries. Shorthand:
java -jar /oracle/install/Software/weblogic/wls1036_generic.jar -jreLoc /usr/lib/jvm/jre-1.6.0-openjdk.x86_64

ADF Installation

Start the installer:
/oracle/install/Software/OFM/ -jreLoc /usr