Articles in DOAG Red Stack Magazin

A while ago I wrote two articles for the DOAG Red Stack Magazin. In the meantime both articles have been published, so I am taking the opportunity to make the PDF versions of the articles available on oradba.ch. The articles are written in German and available as a Trivadis version as well as a Red Stack version, although the two versions differ only in layout and in the number of typos.

None of the articles is currently available in English. On request I will also write articles about Oracle Unified Directory in English in the future. However, I currently still have a lot of ideas for blog posts about database security, enterprise user security and unified directory on my to-do list. And blog posts I usually write in English… 🙂

Start ODSM on boot using systemd

A couple of months ago I wrote a blog post on how to start Oracle Unified Directory (OUD) on system boot (see Start OUD Servers on Boot using systemd) using a unit file and systemd. Quite a simple and straightforward way to start OUD. Why not use the same approach for ODSM? This can be implemented easily, because my WebLogic infrastructure is only used for the ODSM domain.

Boot Properties File for ODSM

Normally the credentials must be entered when the WebLogic server is started. To avoid this, a boot.properties file is defined. This file contains the username and password of the WebLogic admin user. Below is an excerpt from my WebLogic startup log, including the prompt for username and password.

...
<Sep 7, 2017 6:01:09 AM CEST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 24.141-b31 from Oracle Corporation>
<Sep 7, 2017 6:01:10 AM CEST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0.170418 PSU Patch for BUG25388747 WED MAR 21 18:34:42 IST 2017
WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050 >
<Sep 7, 2017 6:01:11 AM CEST> <Info> <Security> <BEA-090065> <Getting boot identity from user.>
Enter username to boot WebLogic server:weblogic
Enter password to boot WebLogic server:
<Sep 7, 2017 6:01:39 AM CEST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Sep 7, 2017 6:01:39 AM CEST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
...

The ODSM domain only has an admin server, so let’s create the boot.properties file in the security folder of the admin server. Since this security directory may not exist yet, we must create it beforehand. In my environment I’ve put the user projects outside of my middleware folder, in /u00/app/oracle/user_projects. The working directory for the next couple of commands will be /u00/app/oracle/user_projects/domains/ODSM_domain.

cd /u00/app/oracle/user_projects/domains/ODSM_domain

ls servers/AdminServer
adr  cache  data  logs  sysman  tmp

mkdir -p servers/AdminServer/security
touch servers/AdminServer/security/boot.properties

Add values for username and password to the boot.properties file.

vi servers/AdminServer/security/boot.properties

username=weblogic
password=manager

Fortunately the boot.properties file does not stay like this. During the first start of the WebLogic server, the username and password are encrypted with AES.

cat servers/AdminServer/security/boot.properties
#Thu Sep 07 06:34:11 CEST 2017
password={AES}lCtDx2TYm8rHZt/n9CiwmCgbiPjE+noBdyI+1MmJ21o\=
username={AES}4ROGb6gIkFWhqQA6uoV2mTN7cZy/jdM/pUO4aDbB74k\=
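Between `touch` and the first start of the admin server, boot.properties holds the admin credentials in plain text, so the file should be created readable by its owner only and checked afterwards. The following script is an added example and not part of the original post: it creates the file with mode 0600 and verifies that WebLogic has replaced both values with {AES} ciphertext. The servers/AdminServer/security layout is taken from the post; the credentials passed in the usage are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): create boot.properties with
# owner-only permissions and verify after the first start that WebLogic has
# encrypted the credentials. The directory layout servers/AdminServer/security
# follows the post; the file name boot.properties is fixed by WebLogic.
set -u

# Create the security directory and boot.properties readable by the owner only.
# Until the first start of the admin server the file holds plain-text
# credentials, so the umask makes sure it is never created world-readable.
create_boot_properties() {
    sec_dir="$1"   # e.g. .../domains/ODSM_domain/servers/AdminServer/security
    user="$2"
    pass="$3"
    mkdir -p "$sec_dir" && chmod 700 "$sec_dir" || return 1
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$sec_dir/boot.properties" )
}

# Return 0 when both username and password are present and AES-encrypted
# ({AES}...), 1 when a key is missing or a plain-text value is still there.
boot_properties_encrypted() {
    file="$1"
    [ -f "$file" ] || return 1
    grep -qE '^username=\{AES\}' "$file" || return 1
    grep -qE '^password=\{AES\}' "$file" || return 1
    # No plain-text duplicate of either key may remain in the file.
    ! grep -E '^(username|password)=' "$file" | grep -qvE '^(username|password)=\{AES\}'
}

# Return 0 when the file mode is 0600 or 0400 (no group/world access).
boot_properties_mode_ok() {
    file="$1"
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Usage: sh check_boot_properties.sh <domain_dir>
# Checks the admin server's boot.properties of an existing domain.
if [ "$#" -eq 1 ]; then
    f="$1/servers/AdminServer/security/boot.properties"
    if boot_properties_mode_ok "$f" && boot_properties_encrypted "$f"; then
        echo "OK: $f is owner-only and holds only {AES} encrypted values"
    else
        echo "WARNING: $f is readable by others or still holds plain-text credentials" >&2
        exit 1
    fi
fi
```

Run the check once after the first `systemctl start`; if it still reports plain-text values, the admin server did not pick up the file (wrong directory or owner) and the credentials are still sitting on disk unencrypted.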

Unit File for ODSM

Now that the WebLogic server can be started without entering a password, all that is needed is the corresponding unit file to automatically start the ODSM domain during system boot. The unit file is created as root in the folder /usr/lib/systemd/system. For my environment I create the following unit file. Working directory, domain name, user name etc. have to be adjusted accordingly for other environments. Add the following content to the new unit file.

sudo vi /usr/lib/systemd/system/wls_odsm.service

# -----------------------------------------------------------------------
#  Trivadis AG, Infrastructure Managed Services
#  Saegereistrasse 29, 8152 Glattbrugg, Switzerland
# -----------------------------------------------------------------------
#  File-Name........: wls_odsm.service
#  Author...........: Stefan Oehrli, stefan.oehrli at trivadis.com
#  Date.............: 07. Sept 2017
#  Revision.........: 1.0
#  Purpose..........: Unit file for ODSM domain
#  Usage............: systemctl enable wls_odsm.service
#  Notes............: --
# -----------------------------------------------------------------------
#  Revision history.:  
#  07.09.2017  soe     initial release
# -----------------------------------------------------------------------

[Unit]
Description=WLS ODSM Instance
Wants=network.target
After=network.target
 
[Service]
Type=simple
User=oracle
Group=osdba
WorkingDirectory=/u00/app/oracle/user_projects/domains/ODSM_domain
ExecStart=/u00/app/oracle/user_projects/domains/ODSM_domain/startWebLogic.sh
ExecStop=/u00/app/oracle/user_projects/domains/ODSM_domain/bin/stopWebLogic.sh
StandardOutput=syslog
 
[Install]
WantedBy=multi-user.target

As soon as we have the new unit file we have to enable the service. This also creates a symlink in /etc/systemd/system/multi-user.target.wants to the new unit file.

sudo systemctl enable wls_odsm.service
Created symlink from /etc/systemd/system/multi-user.target.wants/wls_odsm.service to /usr/lib/systemd/system/wls_odsm.service.

Start the admin server for the ODSM domain using systemctl.

sudo systemctl start wls_odsm.service

Stop the admin server for the ODSM domain using systemctl.

sudo systemctl stop wls_odsm.service

Display the status of the admin server for the ODSM domain.

sudo systemctl status wls_odsm.service
 wls_odsm.service - WLS ODSM Instance
   Loaded: loaded (/usr/lib/systemd/system/wls_odsm.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-09-07 06:55:25 CEST; 1min 32s ago
 Main PID: 10645 (startWebLogic.s)
   CGroup: /system.slice/wls_odsm.service
           ├─10645 /bin/sh /u00/app/oracle/user_projects/domains/ODSM_domain/startWebLogic.sh
           ├─10648 /bin/sh /u00/app/oracle/user_projects/domains/ODSM_domain/bin/startWebLogic.sh
           └─10695 /u00/app/oracle/product/jdk1.7.0_141/bin/java -server -Xms256m -Xmx512m -XX:MaxPermSize=512m -Dweblogic.Name=AdminServer -Djava.security.polic...

Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <Server> <BEA-002613> <Channel "Default[4]" is now listening on ...p, http.>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on fd1...p, http.>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on ...p, http.>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <Server> <BEA-002613> <Channel "Default[5]" is now listening on ...p, http.>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <Server> <BEA-002613> <Channel "Default[6]" is now listening on ...p, http.>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <Server> <BEA-002613> <Channel "Default[7]" is now listening on ...p, http.>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <WebLogicServer> <BEA-000329> <Started WebLogic Admin Server "Ad...ion Mode>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Warning> <Server> <BEA-002611> <Hostname "localhost", maps to multiple I...:0:0:0:1>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
Sep 07 06:56:19 euterpe startWebLogic.sh[10645]: <Sep 7, 2017 6:56:19 AM CEST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
Hint: Some lines were ellipsized, use -l to show in full.

All in all, a simple and easy way to start the ODSM automatically at system boot.

Reference

Some references and links to MOS Notes:

Oracle Unified Directory 12 Released

Finally end of working day. But while reading some newsletter and mails on my way home, I realised that there will be some work at home. After a long wait, Oracle has finally released Oracle Unified Directory 12c 🙂

An overview of the new features:

  • Improved performance and scalability
  • Support for TNS aliases for Oracle Unified Directory deployments with Oracle Enterprise User Security (EUS) configured
  • Support for TLS 1.2 Protocols and Cipher Suites
  • Password-Based Key Derivation Function 2 Password Storage Schemes
  • ODSM Rebranding
  • Support for new log publishers that are configurable via OUDSM
  • Support for the Upgrade OUD Instance script
  • Support for WebLogic Scripting Tool provisioning commands
  • Support for Oracle Fusion Middleware configuration tools
  • Support for Oracle WebLogic Server 12.2.1.3
  • Support for Oracle JDK 1.8

See Fusion Middleware Release Notes What’s New in Oracle Identity Management 12c (12.2.1.3.0) for a full list of new features.

Links related to Oracle Unified Directory 12c:

Stay tuned, I’ll definitely write more blog posts on Oracle Unified Directory 12 soon.

GDPR and Database Security Speeches

The new EU GDPR and database security in general keep me busy. I’ve updated the list of speeches and events for the next couple of months. It’s an interesting mix of GDPR, Oracle Database Security and MS SQL Server 2016 security. Depending on the feedback from the Call for Papers for the DOAG Conference and Oracle OpenWorld there will probably be more. But for now I’ll definitely give a full-day training on Oracle Database 12c Security at the Education Day of the DOAG Conference.

Upcoming events

Have you missed an event? In this case check out the download page or the blog posts categorized as speaking. If possible, I’ll provide all information online.

DOAG Webinar Oracle 12.2 New Security Features

A couple of days ago I successfully finished the DOAG webinar on Oracle 12c Release 2 new security features. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases, especially the online encryption of tablespaces with TDE.

Based on initial experiences and insights, the following topics have been discussed:

  • Authentication
  • Authorization
  • Database Auditing with Unified Audit
  • Encryption with Transparent Data Encryption
  • As well as an overview of further innovations in database security

The slides and the recording of the webinar are available in German via the following links:

Start OUD Servers on Boot using systemd

Starting Oracle Unified Directory on system boot is essential for production environments. Unfortunately OUD only provides a script to create an init.d script, while newer systems generally use systemd for initialisation and startup. Nevertheless, creating a custom unit file for OUD is simple and straightforward. First, let’s create a regular init.d script with create-rc-script from OUD. The created script can then be used as a template for the systemd unit file.

create-rc-script allows a couple of parameters to specify the script name, the OS user for OUD and the JAVA_HOME. The following example of create-rc-script shows how to create a regular start script for the OUD instance oud_ad_proxy.

export OUD_HOME=/u00/app/oracle/instances/oud_ad_proxy
export JAVA_HOME=/u00/app/oracle/product/jdk1.7.0_141

cd $OUD_HOME/OUD/bin
create-rc-script -f oud_ad_proxy.sh -u oracle -j $JAVA_HOME

This creates the following Bourne shell script for init.d.

#!/bin/sh
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
#
# chkconfig: 345 90 30
# description: Oracle Unified Directory startup script
#


# Set the path to the Oracle Unified Directory instance to manage
INSTALL_ROOT="/u00/app/oracle/instances/oud_ad_proxy/OUD"
export INSTALL_ROOT

# Specify the path to the Java installation to use
OPENDS_JAVA_HOME="/u00/app/oracle/product/jdk1.7.0_141"
export OPENDS_JAVA_HOME

# Determine what action should be performed on the server
case "${1}" in
start)
  /bin/su - oracle -- "${INSTALL_ROOT}/bin/start-ds" --quiet
  exit ${?}
  ;;
stop)
  /bin/su - oracle -- "${INSTALL_ROOT}/bin/stop-ds" --quiet
  exit ${?}
  ;;
restart)
  /bin/su - oracle -- "${INSTALL_ROOT}/bin/stop-ds" --restart --quiet
  exit ${?}
  ;;
*)
  echo "Usage:  $0 { start | stop | restart }"
  exit 1
  ;;
esac

The same start / stop commands can now be used in the unit file. So let’s create a new custom unit file in /etc/systemd/system. The unit file is named after the OUD instance.

sudo vi /etc/systemd/system/oud_ad_proxy.service

Add the following content to the new unit file.

[Unit]
Description=OUD AD Proxy Instance oud_ad_proxy
Wants=network.target
After=network.target

[Service]
Type=forking
User=oracle
Group=osdba
Environment=OPENDS_JAVA_HOME="/u00/app/oracle/product/jdk1.7.0_141"
ExecStart=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/start-ds --quiet
ExecStop=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/stop-ds --quiet
ExecReload=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/stop-ds --restart --quiet
StandardOutput=syslog

[Install]
WantedBy=multi-user.target

As soon as we have the new unit file we have to enable the service.

sudo systemctl enable oud_ad_proxy.service

Start the OUD instance using systemctl.

sudo systemctl start oud_ad_proxy.service

Stop the OUD instance using systemctl.

sudo systemctl stop oud_ad_proxy.service

Display the status of the OUD service.

sudo systemctl status oud_ad_proxy.service

 oud_ad_proxy.service - OUD AD Proxy Instance oud_ad_proxy
   Loaded: loaded (/etc/systemd/system/oud_ad_proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-05-16 22:41:09 CEST; 28s ago
  Process: 18300 ExecStop=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/stop-ds --quiet (code=exited, status=0/SUCCESS)
  Process: 18397 ExecStart=/u00/app/oracle/instances/oud_ad_proxy/OUD/bin/start-ds --quiet (code=exited, status=0/SUCCESS)
 Main PID: 18477 (java)
   CGroup: /system.slice/oud_ad_proxy.service
           └─18477 /u00/app/oracle/product/jdk1.7.0_141/jre/bin/java -server -Dorg.opends.server.scriptName=start-ds org.opends.server.core.DirectoryServer --configClass org.opends.server.extensions.ConfigFileHandler -...

May 16 22:41:01 euterpe systemd[1]: Starting OUD AD Proxy Instance oud_ad_proxy...
May 16 22:41:09 euterpe systemd[1]: Started OUD AD Proxy Instance oud_ad_proxy.
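The translation from the generated init.d script to the unit file above is mechanical: INSTALL_ROOT becomes the prefix of ExecStart/ExecStop/ExecReload, OPENDS_JAVA_HOME becomes an Environment= line, and the user of the su calls becomes User=. The following script is an added example, not part of the original post or of OUD: it reads those three values out of a create-rc-script result and emits the matching unit, refusing to do so when a path is missing or not absolute, so that a typo cannot produce a unit that starts nothing. The instance name and paths in the constructed sample used for testing are assumptions; Group= is left out because it is not derivable from the script.

```shell
#!/bin/sh
# Added example (not from the original post): derive a systemd unit file
# from the init.d script that OUD's create-rc-script generates. The values
# INSTALL_ROOT, OPENDS_JAVA_HOME and the su user are read from that script so
# the resulting unit matches the instance it was created for.
set -u

# Print the value of the shell assignment NAME="value" ($1) found in file $2.
rc_var() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p" "$2" | head -n 1
}

# Print the OS user passed to /bin/su in the script's start/stop lines.
rc_user() {
    sed -n 's/.*\/bin\/su - \([^ ]*\) --.*/\1/p' "$1" | head -n 1
}

# Emit a unit file for the instance described by the init.d script $1,
# using $2 as the unit description. Returns 1 on missing or relative paths.
gen_unit_from_rc() {
    rc="$1"
    desc="$2"
    root=$(rc_var INSTALL_ROOT "$rc")
    jhome=$(rc_var OPENDS_JAVA_HOME "$rc")
    user=$(rc_user "$rc")
    # Only absolute paths are acceptable in ExecStart= and friends.
    case "$root" in /*) ;; *) echo "bad INSTALL_ROOT: '$root'" >&2; return 1 ;; esac
    case "$jhome" in /*) ;; *) echo "bad OPENDS_JAVA_HOME: '$jhome'" >&2; return 1 ;; esac
    [ -n "$user" ] || { echo "no su user found in $rc" >&2; return 1; }
    cat <<EOF
[Unit]
Description=$desc
Wants=network.target
After=network.target

[Service]
Type=forking
User=$user
Environment=OPENDS_JAVA_HOME=$jhome
ExecStart=$root/bin/start-ds --quiet
ExecStop=$root/bin/stop-ds --quiet
ExecReload=$root/bin/stop-ds --restart --quiet

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: sh gen_oud_unit.sh <init.d script> "<description>" > /etc/systemd/system/<instance>.service
if [ "$#" -eq 2 ]; then
    gen_unit_from_rc "$1" "$2"
fi
```

Review the generated unit before enabling it, and add the Group= line for your environment; the script deliberately emits only what it can verify from the init.d source.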

Some references and links to MOS Notes:

EU GDPR, MS SQL Server 2016 and Oracle Security

I’ve just updated the list of my public appearances and planned events. For once, not just Oracle events 🙂 I’ll speak about the new EU GDPR and its impact on databases at a Trivadis regional customer event together with my colleague Stephan Hurni. Besides these two events I’ll hold a webinar on Oracle 12c Release 2 new security features. This webinar is organised by DOAG.

Unfortunately all these events are in German. No matter, I’m about to submit one or the other topic to upcoming Calls for Papers. If the speeches get approved I’ll update my list of public appearances.