Tag Archives: Trivadis Content

Blog posts also posted on the Trivadis Blog (TriBlog)

DOAG Red Stack Magazin – Oracle Unified Directory in Docker

In mid June I wrote an article for the DOAG Red Stack Magazin about my work on Oracle Unified Directory in Docker. At about the same time I gave my DOAG SIG Security presentation on the same topic. The article has since been published in the latest issue of the DOAG Red Stack Magazin, so I am using the opportunity to make the PDF version of the article available on oradba.ch. The article is written in German and is available both as the Trivadis version and as the Red Stack version; the two versions differ only in layout and in the number of typos.

None of the articles are currently available in English. On request I will also write articles about Oracle Unified Directory in English in the future. However, I currently still have a lot of ideas for more blog posts about database security, Oracle Enterprise User Security and Oracle Unified Directory on my to-do list, and blog posts I usually write in English… 🙂

Oracle Security at Trivadis TechEvent Fall 2018

A few days ago the semi-annual Trivadis TechEvent took place. As always, it was a great IT event where Trivadis employees and customers had the opportunity to exchange and discuss a variety of topics. I had the pleasure of giving one lecture about Oracle 18c New Security Features as well as one on Oracle Enterprise User Security, Kerberos and Oracle Unified Directory. In the meantime, both presentations have been published via SlideShare.

Oracle 18c new Security Features

Abstract: The aim of the presentation is to discuss the various security enhancements which have been introduced with Oracle Release 18c. But which features are worth a closer look? In which context do the new features and options make sense? How can security be improved in general with Oracle Database 18c? Where does it make sense to invest in additional database options? The aim of this lecture is to answer these and other questions around Oracle Database 18c security.

The demos for this presentation are rather small but also available as a GitHub Gist, oehrlis/EUS_demos.md.

Oracle EUS, Kerberos, SSL and OUD a guideline

Abstract: The configuration of a central user administration for Oracle DB is basically simple. The challenge is to integrate the different technologies in a meaningful and stable IT environment. Oracle EUS together with OUD, Kerberos or SSL can be implemented autonomously or in combination with existing directory services or an IAM solution. In addition to the technical challenges, other aspects such as users, roles and the security concept in general also play an important role. Within the scope of this lecture, the measures are discussed in order to establish a central user administration for Oracle.

The demos for this presentation are available as a GitHub Gist, oehrlis/EUS_demos.md.

Oracle Unified Directory Access Log Parsing System ALPS

For one of my customers I have to analyse the log files of Oracle Unified Directory from time to time, in particular the access log file. During my research I came across MOS note 2042620.1 and the Access Log Parsing System, or ALPS for short. ALPS is a small and handy tool to analyse OUD and ODSEE access logs. Written in Java, it runs on a couple of different environments. The requirements to run it are rather simple; just make sure you still have Java 8. 🙂

A few features:

  • Graphical dashboard providing an overview of LDAP operations, connections, operations per second and elapsed times.
  • Information on the connections with the longest etimes
  • Analysis of LDAP operations, e.g. operations over time, most frequent search bases, filters, attributes and more.
  • Connections and client addresses.
  • Overview of the result codes that occurred.
  • Log reader to browse through the log files.
  • Log replay
  • Loading of individual log files, zip archives or entire log directories. Loading multiple access log files allows simultaneous analysis of access logs from replicated OUD instances, although this is something of a workaround.

The following screenshot shows an ALPS dashboard. The access log was taken from my OUD EUS AD proxy instance, which I used during my TechEvent presentation on OUD and EUS. Not really a heavily loaded OUD instance.

Another view of the LDAP operations around 09:30, the time I ran the demo and created the instance 🙂

In the context of OUD 12c there are currently some limitations. Oracle changed the default log publisher to the Oracle Loggers using the ODL format, and ALPS cannot yet handle the new format. If you plan to analyse OUD access or admin logs you still have to use the legacy log publishers. Besides this, a small info message can cause your logs not to be recognised by ALPS: OUD 12c adds the following info to the header of new log files.

This logger has been deprecated. Recommended to use Oracle Loggers
[14/Sep/2018:09:28:23 +0000] CONNECT CONN_POOL conn=0 protocol=LDAP extension=proxy1 from=te2018_oud.postgasse.org/172.17.0.4 to=mneme.postgasse.org/192.168.56.70 s_conn=0
...

Just remove the line starting with "This logger has been deprecated..." and ALPS is fine again. Besides fixing this issue, I have a couple more wishes for the next release of ALPS.

  • Official support for log files in the new ODL format.
  • Support for log files from different sources, e.g. from multiple OUD instances in a replicated environment. The current version of ALPS allows loading multiple files, but there is no way to distinguish the log file source.

Using ALPS to analyse OUD or ODSEE access logs will help to reduce your workload, so you have time to enjoy the real Alps.

Oracle Unified Directory SSLHandshakeException with Java 1.8.0_181

A couple of days ago I updated my Oracle Unified Directory Docker images with the latest bundle patch for OUD as well as the latest Java version. With the new Docker images I was about to reproduce a use case from a customer. Everything actually worked at first glance, but after a while I realised that my OUD Docker container remained in status "unhealthy". It seems that my status script was not able to get a clear status of the OUD instance. In particular, the command "status" fails.

oracle@oud3:~/ [oud_docker] status --trustall \
-D "cn=Directory Manager" -j $PWD_FILE

Error reading configuration. Details:
javax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative names present]

I tried to drill down to the root cause of this issue, but wasn't successful. After a hint from a workmate, I took a look into the release notes of Java 1.8.0 update 181. It looks like the latest Java 1.8.0 update includes security improvements for LDAP support.

Changes
core-libs/javax.naming
➜ Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

My first intention was to adjust java.properties and disable endpoint identification just for status, but I was not successful. As a workaround I set the Java argument -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true via the environment variable OPENDS_JAVA_ARGS. This seems to work as expected.

oracle@oud3:~/ [oud_docker] export OPENDS_JAVA_ARGS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
oracle@oud3:~/ [oud_docker] status --trustall \
  -D "cn=Directory Manager" -j $PWD_FILE

--- Server Status ---
Server Run Status:        Started
Open Connections:         1

--- Server Details ---
Host Name:                oud3
Administrative Users:     cn=Directory Manager
Installation Path:        /u00/app/oracle/product/fmw12.2.1.3.0/oud
Instance Path:            /u01/instances/oud_docker/OUD
Version:                  Oracle Unified Directory 12.2.1.3.180626
Java Version:             1.8.0_181
Administration Connector: Port 4444 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol               : State
-------------:------------------------:---------
--           : LDIF                   : Disabled
0.0.0.0:161  : SNMP                   : Disabled
0.0.0.0:1389 : LDAP (allows StartTLS) : Enabled
0.0.0.0:1636 : LDAPS                  : Enabled
0.0.0.0:1689 : JMX                    : Disabled

--- Data Sources ---
Base DN:     cn=OracleContext
Backend ID:  OIDCompatibility
Entries:     34
Replication: Disabled

Base DN:     cn=OracleContext,dc=example,dc=com
Backend ID:  OracleContext0
Entries:     17
Replication: Disabled

Base DN:     cn=OracleSchemaVersion
Backend ID:  OIDCompatibility
Entries:     3
Replication: Disabled

Base DN:     cn=virtual acis
Backend ID:  virtualAcis
Entries:     0
Replication: Disabled

Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     1
Replication: Disabled

This workaround temporarily disables endpoint identification, although the correct method would be to fix the underlying issue and keep the check enabled. For now there is a MOS bug for this issue, which increases the chance that it will be fixed in a future release. Until then you can easily work around it by setting the environment variable.
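To make clear what the disabled check actually does, here is an added example (my own simplified model, not the JDK's code) of the endpoint identification that Java 1.8.0_181 now runs on LDAPS connections: the connect target is matched against the certificate's subject alternative names, IP literals only against iPAddress entries and host names only against dNSName entries. It assumes SAN entries are given as (type, value) tuples and does not implement the legacy CN fallback; as the status output above shows, --trustall does not skip this check, which is why a certificate without SANs fails against 0.0.0.0:4444.

```python
"""Simplified model of JDK endpoint identification (RFC 6125 style) for LDAPS."""
import ipaddress


def _is_ip_literal(name):
    """True if the connect target is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may only replace the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # wildcard must be the entire leftmost label, cover at least two more labels,
    # and never match across label boundaries (a.b.example.com vs *.example.com)
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_endpoint(connect_target, san_entries):
    """Return (ok, message) for a connect target against the server cert's SAN list.

    connect_target: host name or IP literal the client connected to (e.g. "0.0.0.0").
    san_entries: list of (kind, value) with kind in {"DNS", "IP"}; empty list = no SAN extension.
    The failure messages mirror the wording of the JDK's CertificateException.
    """
    if not san_entries:
        return False, "No subject alternative names present"
    if _is_ip_literal(connect_target):
        target = ipaddress.ip_address(connect_target)
        for kind, value in san_entries:
            if kind == "IP" and ipaddress.ip_address(value) == target:
                return True, f"iPAddress SAN {value} matches {connect_target}"
        return False, f"No subject alternative names matching IP address {connect_target} found"
    for kind, value in san_entries:
        if kind == "DNS" and _dns_match(value, connect_target):
            return True, f"dNSName SAN {value} matches {connect_target}"
    return False, f"No subject alternative DNS name matching {connect_target} found"


if __name__ == "__main__":
    # The situation from the status output: admin connector reached via 0.0.0.0, cert without SAN.
    print(check_endpoint("0.0.0.0", []))
    # What a fixed certificate for the same instance would need.
    print(check_endpoint("0.0.0.0", [("DNS", "oud3"), ("IP", "0.0.0.0")]))
```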

A few links related to this short blog post:

  • Blog post on Oracle Unified Directory on Docker
  • MOS Bug 28525374 SSLHANDSHAKEEXCEPTION WHEN CREATING OUD INSTANCE WITH JAVA 1.8.0_181
  • MOS Note OUD – How To Configure the Default JVM and Java Arguments with Environment Variables or by Modification of the java.properties File 2220584.1
  • My genuine Docker build scripts for Oracle Unified Directory on GitHub (oehrlis/docker)
  • Oracle Docker build scripts for Oracle Unified Directory on GitHub (oracle/docker-images), yep, from me too 🙂

OUDbase environment scripts for Oracle Unified Directory Part 1

Almost two years ago I started writing environment scripts for my Oracle Unified Directory installations. At the beginning there were only 2-3 scripts, from which a small project on GitHub emerged at some point. A lot has changed since my blog post Environment Scripts for OUD. The current version of OUDbase (v1.5.5) has a number of useful functions that make working with OUD on the command line much easier. This is one reason it is time to write about OUDbase once again, or better, to start a small blog series.

Features at a Glance

At the end of the day, it's just a script that sets a series of aliases and environment variables. But this script does exactly what it should: it simplifies the work of the administrator. Initially it was developed for Oracle Unified Directory (OUD), but to a certain degree other Oracle directory servers and tools like Oracle Unified Directory Services Manager (OUDSM), Oracle Directory Server Enterprise Edition (ODSEE) and Oracle Internet Directory (OID) are supported as well.

  • Support of various Oracle directory servers and tools
  • Support for Oracle directory servers on Docker
  • Small foot print and minimal requirements
  • Simple and quick installation
  • Auto-configure for common environments and Oracle homes
  • Provide a kind of OFA environment for Oracle directory servers
  • Flexible environment handling, e.g. easy switching between different environments
  • Alias definitions
  • Platform-independent
  • More flexible and powerful than… wait, there is no oraenv for Oracle directory servers 🙂
  • Customization of environment variables and aliases globally or per instance
  • Miscellaneous templates for cron.d, logrotate.d, systemd service and instance creation

In particular OUDbase provides the following scripts:

  • oudtab as a central configuration file for instance names, ports and directory types
  • oudenv.sh script to source and set the environment
  • oud_backup.sh script to backup specific or all Oracle Unified Directory instances
  • oud_export.sh script to export specific or all Oracle Unified Directory instances
  • oud_status.sh script to check the status of an Oracle Unified Directory instance including replication status
  • oud12c_eus template and scripts to create an Oracle Unified Directory server with Enterprise User Security integration
  • oud12c_eus_ad_proxy template and scripts to create an Oracle Unified Directory proxy server with Enterprise User Security and MS Active Directory integration
  • generic template and scripts as base for customisation

Requirements

OUDbase is modest. You just need a bash shell to run it and tar/gzip to install it. This is also one of the reasons why it fits perfectly on OUD Docker images. Although you do not run several directory servers in one Docker container, it is convenient to work on the command line. A little further up I mentioned that OUDbase is platform-independent. There is at least one operating system that does not support bash out of the box. Guess which one? Yes, exactly: Microsoft Windows. Basically, OUDbase should also run on MS Windows if bash is installed there. However, this has not yet been tested.

Installation

Before you can start the installation of OUDbase, you have to download the latest version from the GitHub repository oehrlis/oudbase. OUDbase is available as a TAR file or as a shell installation script. The shell script itself is a regular Bash script with an additional payload: the TAR file is appended directly at the end of the script. Since the embedded TAR is base64 encoded, the installation script can be sent by mail without any problems. If you are interested in how this is done, I recommend the How-To Add a Binary Payload to your Shell Scripts written by Mitch Frazier / Linux Journal.
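The self-extracting layout just described, as an added example (my own Python model, not the oudbase_install.sh code, which does the same with tail, base64 -d and tar in bash): the script text is followed by a marker line and a base64-encoded tar.gz, the installer finds the marker to report the "payload is available as of line N" and decodes everything below it. The marker name and the embedded file are constructed for this example.

```python
"""Build and unpack a self-extracting installer: script text + base64 tar.gz payload."""
import base64
import io
import tarfile

PAYLOAD_MARKER = "__PAYLOAD_BELOW__"  # hypothetical marker line; oudbase uses its own


def build_installer(script_body, files):
    """files: {relative_path: bytes}. Returns the complete installer text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = base64.b64encode(buf.getvalue()).decode("ascii")
    # wrap at 76 columns so the script stays plain text and mail-friendly
    wrapped = "\n".join(payload[i:i + 76] for i in range(0, len(payload), 76))
    return f"{script_body.rstrip()}\n{PAYLOAD_MARKER}\n{wrapped}\n"


def payload_start_line(installer_text):
    """1-based line number of the first payload line (the 'available as of line N' value)."""
    for n, line in enumerate(installer_text.splitlines(), start=1):
        if line.strip() == PAYLOAD_MARKER:
            return n + 1
    raise ValueError("payload marker not found")


def extract_payload(installer_text):
    """Decode the payload and return {path: bytes} without touching the filesystem.

    Validate=True rejects anything that is not base64, so a truncated or tampered
    payload fails loudly instead of being silently skipped.  If you extract to disk,
    check member names first: a tar can carry '../' paths or absolute names.
    """
    start = payload_start_line(installer_text)
    b64 = "".join(installer_text.splitlines()[start - 1:])
    raw = base64.b64decode(b64, validate=True)
    out = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


# Constructed sample payload: one script inside the archive.
SAMPLE_FILES = {"oudbase/bin/oudenv.sh": b"#!/bin/bash\necho oudenv\n"}
SAMPLE_HEADER = "#!/bin/bash\n# installer demo: everything below the marker is payload\n"

if __name__ == "__main__":
    installer = build_installer(SAMPLE_HEADER, SAMPLE_FILES)
    print("Payload is available as of line", payload_start_line(installer))
    print(extract_payload(installer))
```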

The script relies on the directory structure Optimal Flexible Architecture (OFA) introduced by Oracle a couple of years ago. Starting from an ORACLE_BASE path, the installation script derives the required parameters based on OFA. If you use a different structure you can pass the necessary directory paths via parameters. The following code block shows the oudbase_install.sh usage.

oracle@oudad:/u00/app/oracle/ [oud_ad] ./oudbase_install.sh -h
Start of oudbase_install.sh (Version v1.5.5) with -h
processing commandline parameter
Usage, oudbase_install.sh [-hav] [-b ]
[-i ] [-B ]
[-m ] [-f ] [-j ]

-h Usage (this message)
-v enable verbose mode
-a append to profile eg. .bash_profile or .profile
-b ORACLE_BASE Directory. Mandatory argument. This
directory is use as OUD_BASE directory
-o OUD_BASE Directory. (default $ORACLE_BASE).
-d OUD_DATA Directory. (default /u01 if available otherwise $ORACLE_BASE).
This directory has to be specified to distinct persistant data from software
eg. in a docker containers
-A Base directory for OUD admin (default $OUD_DATA/admin)
-B Base directory for OUD backups (default $OUD_DATA/backup)
-i Base directory for OUD instances (default $OUD_DATA/instances)
-m Oracle home directory for OUD binaries (default $ORACLE_BASE/products)
-f Oracle Fusion Middleware home directory. (default $ORACLE_BASE/products)
-j JAVA_HOME directory. (default search for java in $ORACLE_BASE/products)

Logfile : /u01/log/oudbase_install.log

The following table provides an overview of installation paths, environment variables, parameters and their default values.

| Parameter | ENV Variable | Default Value | Description |
|---|---|---|---|
| -v | n/a | n/a | Enable verbose mode |
| -a | n/a | n/a | Append to profile, e.g. .bash_profile or .profile |
| -b | $ORACLE_BASE | /u00/app/oracle | Mandatory argument. This directory is used as ORACLE_BASE, from which all other directories are evaluated. |
| -o | $OUD_BASE | $ORACLE_BASE | OUDbase base directory where the scripts, config etc. will be installed. Usually this is the same directory as ORACLE_BASE; due to some legacy requirements it can be a separate directory. |
| -d | $OUD_DATA | /u01 or $ORACLE_BASE | Directory to store the persistent data, e.g. the OUD instance homes, backup and admin directories. Defaults to /u01 if available, otherwise $ORACLE_BASE. Specify it to separate persistent data from software, e.g. in a Docker container. |
| -A | $OUD_ADMIN_BASE | $OUD_DATA/admin | Base directory for an instance-specific admin directory, similar to the admin directory of Oracle databases. |
| -B | $OUD_BACKUP_BASE | $OUD_DATA/backup | Base directory for an instance-specific directory to store backups and LDIF exports. |
| -i | $OUD_INSTANCE_BASE | $OUD_DATA/instances | Base directory for the OUD instance homes. |
| -m | $ORACLE_HOME | $ORACLE_BASE/products | Oracle home directory for binaries. The installation script searches below this path for the corresponding binaries. |
| -f | $ORACLE_FMW_HOME | $ORACLE_BASE/products | Oracle Fusion Middleware home directory when separating the OUD and OUDSM binaries. The installation script searches below this path for the corresponding binaries. |
| -j | $JAVA_HOME | $ORACLE_BASE/products | Location of the Java home. The installation script searches below this path for the corresponding Java binaries. |

The installation script will guess the required parameters based on OFA. All parameters specified on the command line will be stored for future use in oudenv_core.conf. If something goes wrong during installation, you always have the option of adjusting them manually.

Let's create an installation as an example. We will use /u00/app/oracle as ORACLE_BASE, /u01 as OUD_DATA and /u00/app/oracle/product/fmw12.2.1.3.0 as ORACLE_HOME. Below you find the command and an excerpt of the output; actually everything except the output of the TAR command.

oracle@oudad:/tmp/ [oud_ad] ./oudbase_install.sh -v -b /u00/app/oracle -d /u01 -m /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 START: Start of oudbase_install.sh (Version v1.5.5) with -v -b /u00/app/oracle -d /u01 -m /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 INFO : processing commandline parameter
2018-07-16_20:45:46 INFO : Define default values
2018-07-16_20:45:46 INFO : Using the following variable for installation
2018-07-16_20:45:46 INFO : ORACLE_BASE = /u00/app/oracle
2018-07-16_20:45:46 INFO : OUD_BASE = /u00/app/oracle/local/oudbase
2018-07-16_20:45:46 INFO : LOG_BASE = /u01/log
2018-07-16_20:45:46 INFO : ETC_CORE = /u00/app/oracle/local/oudbase/etc
2018-07-16_20:45:46 INFO : ETC_BASE = /u01/etc
2018-07-16_20:45:46 INFO : OUD_DATA = /u01
2018-07-16_20:45:46 INFO : OUD_INSTANCE_BASE = /u01/instances
2018-07-16_20:45:46 INFO : OUD_ADMIN_BASE = /u01/admin
2018-07-16_20:45:46 INFO : OUD_BACKUP_BASE = /u01/backup
2018-07-16_20:45:46 INFO : ORACLE_PRODUCT =
2018-07-16_20:45:46 INFO : ORACLE_HOME = /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 INFO : ORACLE_FMW_HOME = /u00/app/oracle/product/fmw12.2.1.3.0
2018-07-16_20:45:46 INFO : JAVA_HOME = /usr/java/jdk1.8.0_172
2018-07-16_20:45:46 INFO : SCRIPT_FQN = /tmp/oudbase_install.sh
2018-07-16_20:45:46 INFO : Installing OUD Environment
2018-07-16_20:45:46 INFO : Create required directories in ORACLE_BASE=/u00/app/oracle
2018-07-16_20:45:46 INFO : Create Directory /u01/log
2018-07-16_20:45:46 INFO : Create Directory /u01/etc
2018-07-16_20:45:46 INFO : Create Directory /u00/app/oracle/local
2018-07-16_20:45:46 INFO : Create Directory /u01/admin
2018-07-16_20:45:46 INFO : Create Directory /u01/backup
2018-07-16_20:45:46 INFO : Create Directory /u01/instances
2018-07-16_20:45:46 INFO : Create Directory /u00/app/oracle/local/oudbase
2018-07-16_20:45:46 INFO : Backup existing config files
2018-07-16_20:45:47 INFO : Backup oudtab to oudtab.save
2018-07-16_20:45:47 INFO : Backup oud._DEFAULT_.conf to oud._DEFAULT_.conf.save
2018-07-16_20:45:47 INFO : Start processing the payload
2018-07-16_20:45:47 INFO : Payload is available as of line 470.
2018-07-16_20:45:47 INFO : Extracting payload into /u00/app/oracle/local
2018-07-16_20:45:47 INFO : Payload is set to base64. Using base64 decode before untar.
...
2018-07-16_20:45:47 INFO : Store customization in core config file /u00/app/oracle/local/oudbase/etc/oudenv_core.conf
2018-07-16_20:45:47 INFO : save customization for OUD_DATA (/u01)
2018-07-16_20:45:47 INFO : save customization for ORACLE_BASE (/u00/app/oracle)
2018-07-16_20:45:47 INFO : save customization for ORACLE_HOME (/u00/app/oracle/product/fmw12.2.1.3.0)
2018-07-16_20:45:47 INFO : Please manual adjust your .bash_profile to load / source your OUD Environment
2018-07-16_20:45:47 INFO : using the following code
#Check OUD_BASE and load if necessary
if [ "${OUD_BASE}" = "" ]; then
if [ -f "${HOME}/.OUD_BASE" ]; then
. "${HOME}/.OUD_BASE"
else
echo "ERROR: Could not load ${HOME}/.OUD_BASE"
fi
fi

#define an oudenv alias
alias oud='. ${OUD_BASE}/bin/oudenv.sh'

#source oud environment
. /u00/app/oracle/local/oudbase/bin/oudenv.sh
2018-07-16_20:45:47 INFO : update your .OUD_BASE file /home/oracle/.OUD_BASE
2018-07-16_20:45:47 END : of oudbase_install.sh

As you can see from the output above, you just have to source .OUD_BASE and ${OUD_BASE}/bin/oudenv.sh to start using OUDbase. The installation script either prints an example of what you need to add to your .bash_profile or adjusts it directly when you specify the parameter -a.

#Check OUD_BASE and load if necessary
if [ "${OUD_BASE}" = "" ]; then
    if [ -f "${HOME}/.OUD_BASE" ]; then
        . "${HOME}/.OUD_BASE"
    else
        echo "ERROR: Could not load ${HOME}/.OUD_BASE"
    fi
fi

#define an oudenv alias
alias oud='. ${OUD_BASE}/bin/oudenv.sh'

#source oud environment
. /u00/app/oracle/local/oudbase/bin/oudenv.sh

The next time you log in, you'll see the status of your OUD instance. If you do not have an OUDTAB file, OUDbase will create one for you based on existing OUD instances, Oracle homes etc.

If you haven't yet installed any Oracle software or created an OUD instance, OUDbase cannot guess your environment. Therefore you have to create an OUDTAB file manually.

WARN : oudtab (/u00/app/oracle/local/oudbase/etc/oudtab) does not exist or is empty. Create a new one.
WARN : No OUD Instance yet available or defined.

Conclusion

The first blog post of the series on the OUDbase environment scripts should give you a first impression. The installation is straightforward and simple. In the next blog post I'll show how you can configure and customize OUDbase. Besides a couple of use cases, I'll provide a deeper insight into environment variables, aliases and scripts. So stay tuned. If you can't wait, get the latest version of OUDbase from GitHub and start using it. By the way, my Docker build scripts are configured to use OUDbase.

References

Below you find a few references related to the topics discussed in this post:

DOAG 2018 SIG Security – Oracle Unified Directory on Docker

A couple of days ago I had the opportunity to give a presentation on Oracle Unified Directory on Docker at the DOAG SIG Security day in Stuttgart. It was a great opportunity to discuss how OUD engineering can be simplified using Docker. As proof of how easy this can be, I set up and configured an OUD AD proxy in a short demo.

Besides the demo the following topics were discussed:

  • Docker in a nutshell
  • Requirements to setup Oracle Unified Directory in Docker
  • Oracle Unified Directory installation
  • Build an Oracle Unified Directory Docker image
  • Discuss the Dockerfile and build scripts
  • Digression on how to make Docker images smaller
  • Use the Oracle Unified Directory Docker image
  • Discuss the instance status and create scripts
  • Use cases for Oracle Unified Directory in Docker
  • Demo setup Oracle Unified Directory with Enterprise User Security and Active Directory proxy

With an Oracle Unified Directory Docker image and the OUD Base template scripts it took just a couple of minutes to set up and configure Enterprise User Security with an Oracle Unified Directory AD proxy. More complex use cases including high availability, replication etc. will take a bit more time, but they can also be automated.

The presentation and information related to event:

Some references and links related to this blog post and the presentation:

Oracle 18c new Security Features

Today I had the opportunity to give a presentation on Oracle 18c new Security Features at the SOUG day in Baden. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases, especially the new centrally managed users with MS Active Directory.

Based on first experiences and insights, the following topics were discussed:

  • Create schema only accounts
  • Integration of Active Directory services with Oracle Database
  • Encrypt sensitive credential data in the data dictionary
  • Write Unified Audit Trail records to SYSLOG or the Windows event viewer
  • Use Oracle Data Pump to export and import the Unified Audit Trail
  • Authentication and certification parameters
  • Enterprise User Security Manager (EUSM)
  • User defined master encryption key
  • Keystore for each Pluggable Database
  • Enhancements to Oracle Database Vault simulation mode
  • Grant Data Pump-Database Vault authorizations to roles
  • Oracle Database Vault support for Oracle Database Replay

The killer feature in this release is definitely the centrally managed user with its simple MS Active Directory integration. It is an ideal solution to simplify user management in small / midsize environments. For larger and more complex environments it makes more sense to engineer central user management using Oracle Enterprise User Security. Many other improvements are due to Oracle’s cloud strategy: necessary and meaningful, but not earth-shattering.

The presentation is available in English over the following links:

Oracle Unified Directory systemd unit file

About a year ago I explained in the blog post Start OUD Servers on Boot using systemd how to start Oracle Unified Directory automatically on system startup. In the meantime a lot has changed, and so has my unit file. The simple unit file actually worked quite well, until the time came when I installed an updated Java version for OUD. At that point I realised that it is not really optimal to have JAVA_HOME, respectively OPENDS_JAVA_HOME, in the unit file. It all happened on a system where I didn't have root access. OUD couldn't be started any more using systemd, because the Java home path in the unit file was no longer correct. A change request and a few days later the problem was solved. Nevertheless this was a good opportunity to optimize the OUD unit file and get rid of static information. JAVA_HOME does not have to be specified explicitly when starting OUD; it is usually specified within java.properties, see also the blog post Change default JAVA_HOME for OUD Instance.

What has been changed in the current unit file?

  • Environment: the environment variable OPENDS_JAVA_HOME has been completely removed. start-ds uses the JAVA_HOME specified in java.properties.
  • WorkingDirectory: the working directory has been set to the OUD instance home.
  • PIDFile: since the service type is forking, this directive sets the path of the PID file for the OUD instance. The file contains the process ID of the directory server process, respectively the JVM, which is monitored.
  • Restart: systemd will attempt to restart the service automatically on failure.
  • RestartSec: amount of time to wait before attempting to restart the service.
  • SuccessExitStatus: stop-ds sends a SIGTERM to the JVM to stop the directory server. This produces exit code 143, which systemd interprets as an error by default. By setting SuccessExitStatus we override this behaviour and accept 143 or SIGTERM as successful.
  • User and Group: set to oud/oud rather than oracle/osdba. User and group for OUD highly depend on your environment.

Below you see the revised version of the OUD unit file. The OUD instance home path has been replaced with the placeholder OUD_INSTANCE_HOME.

[Unit]
Description=OUD Instance
Wants=network.target
After=network.target

[Service]
Type=forking
User=oud
Group=oud
WorkingDirectory=OUD_INSTANCE_HOME/OUD
PIDFile=OUD_INSTANCE_HOME/OUD/logs/server.pid
ExecStart=OUD_INSTANCE_HOME/OUD/bin/start-ds --quiet
ExecStop=OUD_INSTANCE_HOME/OUD/bin/stop-ds --quiet
ExecReload=OUD_INSTANCE_HOME/OUD/bin/stop-ds --restart --quiet
RestartSec=42s
Restart=on-failure
SuccessExitStatus=143 SIGTERM
TimeoutSec=300
StandardOutput=syslog+console
StandardError=syslog+console

[Install]
WantedBy=multi-user.target

This updated unit file is also part of the latest version of OUD Base, my environment scripts for OUD. If you want to use it, you have to replace OUD_INSTANCE_HOME with your specific OUD instance home path.

export OUD_INSTANCE="oudtest"
export OUD_INSTANCE_HOME="/u00/app/oud/instances/$OUD_INSTANCE"
# OUDbase local and admin directories (no leading $ when assigning a variable)
export cdl="/u00/app/oud/local"
export cda="/u00/app/oud/admin/$OUD_INSTANCE"
# copy the OUDbase template to the instance admin directory
cat $cdl/oudbase/templates/etc/oud_instance.service \
  >$cda/etc/oud_$OUD_INSTANCE.service
# replace the placeholder with the real instance home
sed -i "s|OUD_INSTANCE_HOME|$OUD_INSTANCE_HOME|" \
  $cda/etc/oud_$OUD_INSTANCE.service
cat $cda/etc/oud_$OUD_INSTANCE.service

Enable the new unit file by copying it to the systemd folder /etc/systemd/system.

sudo cp $cda/etc/oud_$OUD_INSTANCE.service \
  /etc/systemd/system/oud_$OUD_INSTANCE.service

Run systemctl daemon-reload and enable the new service.

sudo systemctl daemon-reload
sudo systemctl enable oud_$OUD_INSTANCE.service

Your OUD instance can now be started / stopped with systemctl as explained in the first blog post about OUD and systemd.

Some references and links related to this blog post:

Oracle CPU / PSU April 2018

Oracle recently released the spring Critical Patch Update advisory. It is the first critical patch update which also includes fixes for Oracle 18c. In total it includes 254 new security fixes across the product families: a rather large update, although only one security vulnerability is patched for the Oracle databases. This vulnerability is not remotely exploitable without authentication and is not applicable to client-only installations. The CVSS rating is 8.5 for Oracle Database 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.1.0.0 on any operating system. According to Oracle the following component is affected:

  • Java VM

Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see whether it is necessary to apply this critical patch update.

For Oracle Fusion Middleware the situation looks somewhat different. The Critical Patch Update includes no fewer than 30 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

More details about the patch will follow soon on the Oracle Security Pages.

By the way, Oracle improved the table which lists the affected products and components in their advisory. Oracle Database is not at the top of the table any more.

Install Oracle Unified Directory 12c the smart way

Installing Oracle Unified Directory has always been easy. The installation guide for OUD 11c as well as OUD 12c is simple and straightforward. Additionally, Oracle provides a couple of MOS notes for different deployment scenarios. Nevertheless there is always room for improvement 🙂 During my work on OUD to go on Raspberry Pi Zero and on Docker images for OUD I had to optimise the installation of OUD. In this blog post I'll show how I simplified, respectively optimised, my OUD installations.

Prerequisites

Standalone or Collocated?

With the 12c release, Oracle supports several ways to deploy OUD:

  • Standalone Oracle Unified Directory Server: OUD is used as a straightforward LDAP server with a small footprint. Administration is done on the command line (e.g. dsconfig, ldapmodify) or, where possible, with a third-party LDAP browser.
  • Collocated Oracle Unified Directory Server with OUD and OUDSM in separate domains: OUD and the Fusion Middleware (FMW) Infrastructure are installed in the same middleware home. In this non-collocated mode, OUD and OUDSM are deployed in different WebLogic domains.
  • Collocated Oracle Unified Directory Server with OUD and OUDSM in a single domain: OUD and the FMW Infrastructure are installed in the same middleware home. In collocated mode, OUD and OUDSM are deployed in the same WebLogic domain.
  • Collocated Oracle Unified Directory Server used only for OUDSM: not an official deployment method, but quite handy when you run a couple of standalone OUD servers. The OUD software is deployed into the FMW Infrastructure solely to create and start the OUDSM web application; only an OUDSM domain is deployed.

For simple OUD installations I usually just install and deploy a standalone OUD. This installation is fast and has a small footprint. I use dsconfig for the administration and Apache Directory Studio for general LDAP browsing. If I need OUDSM from time to time, I install a dedicated OUDSM (collocated OUD server) or use my OUDSM Docker container.

Environment

OUD does not make great demands on the environment. Nevertheless, I usually follow the Oracle Flexible Architecture (OFA) and use a couple of environment scripts similar to the Trivadis BasEnv. See my blog post about the OUD environment scripts.

For the further installation steps I stick to the following environment variables. OUD_INSTANCE_BASE and ETC_BASE are used by the commands below as well, so they are defined here too; the location chosen for ETC_BASE is just a convention for the response and inventory pointer files.

export SOFTWARE=$HOME/software
export ORACLE_BASE=/u00/app/oracle
export JAVA_HOME=$ORACLE_BASE/product/jdk1.8.0_144
export OUD_HOME=$ORACLE_BASE/product/oud12.2.1.3.0
export FMW_HOME=$ORACLE_BASE/product/fmw12.2.1.3.0
export OUD_INSTANCE_BASE=$ORACLE_BASE/instances
export ETC_BASE=$ORACLE_BASE/etc   # holds install.rsp and oraInst.loc created below; adjust to your layout

In the table below you find a short description of the environment variables. For further explanations see blog post OUD environment scripts.

ENV Variable                 Path                                  Description
$ORACLE_BASE, $cdob          /u00/app/oracle                       Base directory for the Oracle binaries
$ORACLE_HOME, $OUD_HOME      $ORACLE_BASE/product/oud12.2.1.3.0    Standalone Oracle Unified Directory binaries
$ORACLE_HOME, $FMW_HOME      $ORACLE_BASE/product/fmw12.2.1.3.0    Collocated Oracle Unified Directory binaries
$JAVA_HOME                   $ORACLE_BASE/product/jdk1.8.0_144     Java used for OUD
$OUD_INSTANCE_BASE, $cdib    $ORACLE_BASE/instances                Base directory for the instance homes
$SOFTWARE                    $HOME/software                        Software depot for the JARs

To do a silent installation we need a response file. For OUD and FMW this is a simple text file that defines a few generic installation values. The same response file can be used for both products; the missing value INSTALL_TYPE is passed on the installer command line.

mkdir -p $ETC_BASE
echo "[ENGINE]"                                    > $ETC_BASE/install.rsp
echo "Response File Version=1.0.0.0.0"            >> $ETC_BASE/install.rsp
echo "[GENERIC]"                                  >> $ETC_BASE/install.rsp
echo "DECLINE_SECURITY_UPDATES=true"              >> $ETC_BASE/install.rsp
echo "SECURITY_UPDATES_VIA_MYORACLESUPPORT=false" >> $ETC_BASE/install.rsp

Besides the response file we also need an inventory pointer file (oraInst.loc). You probably have to adjust the group name to fit your environment.

echo "inventory_loc=$ORACLE_BASE/oraInventory" > $ETC_BASE/oraInst.loc
echo "inst_group=oinstall"                    >> $ETC_BASE/oraInst.loc

Software

To start the installation you first have to get the required software packages. Oracle makes it easy: you can download the software from Oracle Technology Network (OTN), Oracle Software Delivery Cloud (OSDC) or My Oracle Support (MOS). All three are fine, but I prefer to download directly from MOS because it allows a scripted download with curl and a simple URL. The downside is that this requires a valid MOS account.

Create a netrc file for curl with your MOS credentials. The file holds the password in clear text, so make sure it is readable by you only.

MOS_USER="<your MOS USER>"
MOS_PASSWORD="<your MOS PASSWORD>"
echo "machine login.oracle.com login $MOS_USER password $MOS_PASSWORD" >$SOFTWARE/.netrc
chmod 600 $SOFTWARE/.netrc   # clear-text password: owner read/write only

OK, let's download the software. Make sure the target directories $SOFTWARE/java and $SOFTWARE/fmw exist beforehand, as curl does not create them unless you add --create-dirs. The downloads use --location-trusted because updates.oracle.com redirects to a download host and curl has to re-send the MOS credentials to that host; this is one more reason to keep the netrc file readable by you only.

Java 1.8 update 144, Patch ID 26512979:

curl --netrc-file $SOFTWARE/.netrc \
  --cookie-jar $SOFTWARE/cookie-jar.txt \
  --location-trusted "https://updates.oracle.com/Orion/Services/download/p26512979_180144_Linux-x86-64.zip?aru=21443434&patch_file=p26512979_180144_Linux-x86-64.zip" \
  --output $SOFTWARE/java/p26512979_180144_Linux-x86-64.zip

Oracle Unified Directory 12.2.1.3.0, Patch ID 26270957:

curl --netrc-file $SOFTWARE/.netrc \
  --cookie-jar $SOFTWARE/cookie-jar.txt \
  --location-trusted "https://updates.oracle.com/Orion/Services/download/p26270957_122130_Generic.zip?aru=21504981&patch_file=p26270957_122130_Generic.zip" \
  --output $SOFTWARE/fmw/p26270957_122130_Generic.zip

FWM Infrastructure 12.2.1.3.0, Patch ID 26269885:

curl --netrc-file $SOFTWARE/.netrc \
  --cookie-jar $SOFTWARE/cookie-jar.txt \
  --location-trusted "https://updates.oracle.com/Orion/Services/download/p26269885_122130_Generic.zip?aru=21502041&patch_file=p26269885_122130_Generic.zip" \
  --output $SOFTWARE/fmw/p26269885_122130_Generic.zip

As soon as the software has been downloaded we unpack the OUD and FMW packages. In the example below this is done directly with the jar utility, so no separate unzip is required.

cd $SOFTWARE/fmw
$JAVA_HOME/bin/jar -xvf $SOFTWARE/fmw/p26270957_122130_Generic.zip
$JAVA_HOME/bin/jar -xvf $SOFTWARE/fmw/p26269885_122130_Generic.zip
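As an added example that is not part of the original post: the download steps above hand whatever curl saved straight to jar and later to java -jar, so it is worth creating the netrc file with safe permissions from the start and checking the archive's SHA-256 against the digest MOS shows on the patch page before unpacking it. The functions below do exactly that; they reuse the post's $SOFTWARE layout and MOS URLs, and the digest value is a placeholder you copy from MOS (not a value from this post).

```bash
#!/usr/bin/env bash
# Added example, not from the original post: create the netrc file without a
# world-readable window, download a MOS patch with curl, and refuse to unpack it
# unless its SHA-256 matches the digest shown on the MOS patch page.
# Assumptions: $SOFTWARE as defined in this post; URLs are those used in the post;
# the expected digest is copied from MOS (placeholder in the usage comment below).
set -e

# Write the netrc file with mode 0600 from the start (umask applies at creation).
write_netrc() {            # write_netrc <file> <mos-user> <mos-password>
  ( umask 077; printf 'machine login.oracle.com login %s password %s\n' "$2" "$3" > "$1" )
}

# SHA-256 of a file, portable across coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {              # sha256_of <file>
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file's digest equals the expected one (case-insensitive), 1 otherwise.
verify_sha256() {          # verify_sha256 <file> <expected-hex-digest>
  local actual expected
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$actual" = "$expected" ]
}

# Download one patch file. --location-trusted is needed because updates.oracle.com
# redirects to a download host and curl must re-send the credentials there. --fail
# turns an HTTP error (e.g. an expired login page) into a non-zero exit instead of
# silently saving an HTML document under a .zip name.
fetch_patch() {            # fetch_patch <netrc-file> <url> <target-file>
  curl --fail --netrc-file "$1" \
       --cookie-jar "$(dirname "$3")/cookie-jar.txt" \
       --location-trusted "$2" --output "$3"
}

# Download and verify; on a mismatch the file is deleted so a later 'jar -xvf' cannot use it.
fetch_and_verify() {       # fetch_and_verify <netrc-file> <url> <target-file> <expected-sha256>
  fetch_patch "$1" "$2" "$3"
  if ! verify_sha256 "$3" "$4"; then
    echo "ERROR: SHA-256 mismatch for $3, deleting it" >&2
    rm -f "$3"
    return 1
  fi
  echo "OK: $3 verified"
}

# Typical use with the values from this post (digest placeholder: copy it from MOS):
#   write_netrc "$SOFTWARE/.netrc" "$MOS_USER" "$MOS_PASSWORD"
#   fetch_and_verify "$SOFTWARE/.netrc" \
#     "https://updates.oracle.com/Orion/Services/download/p26270957_122130_Generic.zip?aru=21504981&patch_file=p26270957_122130_Generic.zip" \
#     "$SOFTWARE/fmw/p26270957_122130_Generic.zip" "<sha256 digest from MOS>"
```

The verification is separated from the download on purpose: you can run verify_sha256 again on archives that are already sitting in the software depot before every new installation, which is cheap insurance against a tampered or half-downloaded file.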

Java

Although Java is probably already installed on your system, it is recommended to install a dedicated JVM for OUD. This keeps the Java installation for OUD independent of the OS default Java. Be aware that it also means this JDK is not updated by the OS package manager; you have to patch it yourself with each Java critical patch update. The installation is just an untar into the right directory, which I do with one combined command of unzip and tar.

# the member pattern is quoted so the shell does not expand it before unzip sees it
unzip -p $SOFTWARE/java/p26512979_180144_Linux-x86-64.zip '*tar*' \
  | tar zxv -C $ORACLE_BASE/product

Install Standalone OUD

Start the silent installation with the extracted JAR file and the response file created above. Setting INSTALL_TYPE to Standalone Oracle Unified Directory Server (Managed independently of WebLogic server) initiates a standalone installation into the given ORACLE_HOME.

$JAVA_HOME/bin/java -jar $SOFTWARE/fmw/fmw_12.2.1.3.0_oud.jar -silent \
  -responseFile $ETC_BASE/install.rsp \
  -invPtrLoc $ETC_BASE/oraInst.loc \
  -ignoreSysPrereqs -force \
  -novalidation ORACLE_HOME=$OUD_HOME \
  INSTALL_TYPE="Standalone Oracle Unified Directory Server (Managed independently of WebLogic server)"

That's it. After a couple of minutes the OUD binaries are installed and ready to deploy an Oracle directory or proxy server. Be aware that -ignoreSysPrereqs, -force and -novalidation skip the installer's operating system and prerequisite checks. That is what makes the installation work on a platform like the Raspberry Pi, but it also means nothing verifies that the target actually meets the requirements, so have a look at the installer log afterwards.

Install Collocated OUD

To do a collocated OUD installation we first have to install the FMW Infrastructure and then OUD on top of it. The installation is again done in silent mode by specifying ORACLE_HOME and INSTALL_TYPE. Running this JAR takes longer, since it is around 1.5 GB.

$JAVA_HOME/bin/java -jar $SOFTWARE/fmw/fmw_12.2.1.3.0_infrastructure.jar \
  -silent \
  -responseFile $ETC_BASE/install.rsp \
  -invPtrLoc $ETC_BASE/oraInst.loc \
  -ignoreSysPrereqs -force \
  -novalidation ORACLE_HOME=$FMW_HOME \
  INSTALL_TYPE="WebLogic Server"

As soon as the FMW installation has finished successfully, we start the OUD installation. For ORACLE_HOME we have to use the same directory as for the FMW Infrastructure, i.e. $FMW_HOME, and INSTALL_TYPE is set to collocated mode.

$JAVA_HOME/bin/java -jar $SOFTWARE/fmw/fmw_12.2.1.3.0_oud.jar -silent \
  -responseFile $ETC_BASE/install.rsp \
  -invPtrLoc $ETC_BASE/oraInst.loc \
  -ignoreSysPrereqs -force \
  -novalidation ORACLE_HOME=$FMW_HOME \
  INSTALL_TYPE="Collocated Oracle Unified Directory Server (Managed through WebLogic server)"

In this newly created Oracle home directory we now have a collocated Oracle Unified Directory Server. These binaries can be used to deploy OUD and OUDSM in separate domains, in a single domain or just to deploy an OUDSM server.
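Because both the standalone and the collocated installation above run with -silent, -force and -novalidation, an added check (not part of the original post) is to confirm afterwards that each Oracle home really got registered in the central inventory and that the tool you need is in place. The functions below read the ContentsXML/inventory.xml the installer maintains below the inventory_loc from oraInst.loc ($ORACLE_BASE/oraInventory in this post) and look for the home's LOC entry. The marker files are an assumption on top of the post: oud/oud-setup for the standalone OUD home (the tool used in the next step) and oracle_common/common/bin/wlst.sh for the FMW Infrastructure home (standard FMW 12c layout).

```bash
#!/usr/bin/env bash
# Added example, not from the original post: verify a silent OUD/FMW installation
# against the central inventory. inventory.xml lists every registered home as
#   <HOME NAME=".." LOC=".." TYPE="O" IDX=".."/>
# where LOC is the Oracle home path.
set -e

# Print the LOC (Oracle home path) of every home registered in an inventory.xml.
inventory_homes() {        # inventory_homes <inventory.xml>
  grep -o 'LOC="[^"]*"' "$1" | sed 's/^LOC="//; s/"$//'
}

# Return 0 if the given Oracle home path is registered, 1 otherwise.
home_registered() {        # home_registered <inventory.xml> <oracle-home>
  inventory_homes "$1" | grep -qxF "$2"
}

# Check that a home is registered AND that a marker executable exists in it.
# Marker files (assumption, standard layouts): oud/oud-setup for the standalone
# OUD home, oracle_common/common/bin/wlst.sh for the FMW Infrastructure home.
check_home() {             # check_home <inventory.xml> <oracle-home> <marker-relative-path>
  local inv=$1 home=$2 marker=$3
  if ! home_registered "$inv" "$home"; then
    echo "ERROR: $home is not registered in $inv" >&2
    return 1
  fi
  if [ ! -x "$home/$marker" ]; then
    echo "ERROR: $home/$marker is missing or not executable" >&2
    return 1
  fi
  echo "OK: $home is registered and $marker is present"
}

# Typical use after the installations in this post (needs the variables exported above):
#   INV=$ORACLE_BASE/oraInventory/ContentsXML/inventory.xml
#   check_home "$INV" "$OUD_HOME" oud/oud-setup
#   check_home "$INV" "$FMW_HOME" oracle_common/common/bin/wlst.sh
```

A home that is missing from the inventory is the typical symptom of an installer run that aborted after the -novalidation prerequisite warnings, and it also means OPatch will later refuse to patch that home.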

Next Steps

For now we only have the OUD binaries. The next step is to deploy an OUD directory or proxy server using either the oud-setup or the oud-proxy-setup tool. Both tools can be used in command line mode, in GUI mode or silently by specifying the corresponding parameters. The statement below creates an OUD directory server instance oud_demo for the base DN dc=postgasse,dc=org with 20 sample records. Note that this example configures only a clear-text LDAP listener on port 1389 (the administration connector on port 4444 always uses TLS); for anything beyond a demo add an LDAPS listener as well, e.g. with --ldapsPort together with --generateSelfSignedCertificate or one of the keystore options. The root user password is read from a file, which must be readable by the installing user only.

$OUD_HOME/oud/oud-setup \
  --cli \
  --instancePath $OUD_INSTANCE_BASE/oud_demo/OUD \
  --adminConnectorPort 4444 \
  --rootUserDN "cn=Directory Manager" \
  --rootUserPasswordFile $ETC_BASE/oud_demo_pwd.txt \
  --ldapPort 1389 \
  --baseDN dc=postgasse,dc=org \
  --sampleData 20 \
  --serverTuning jvm-default \
  --offlineToolsTuning jvm-default \
  --no-prompt \
  --noPropertiesFile

Files and References

Below you find a few references related to Oracle Unified Directory:

  • Oracle JDK 8 Update 144 for ARM 32Bit VFP HardFP MOS Patch 26512975
  • Oracle Unified Directory FMW 12.2.1.3.0 MOS Patch 26270957
  • Oracle Unified Directory 12.2.1.3.0 on Oracle Technology Network
  • Oracle Software Delivery Cloud OSDC
  • Environment Scripts for OUD on www.oradba.ch
  • Github repository for the OUD environment scripts oudbase
  • OUD base environment installation script, a bash script that includes the TAR archive: oudbase_install.sh
  • OUD base environment as TAR archive without installation script: oudbase_install.tgz
  • Oracle Unified Directory 12c PS3 Released [2300623.1]
  • OUD 12c – How to Download and Install OUD 12c in Standalone Mode (with No Domain Configuration) [2298379.1]
  • OUD 12c: How to Install OUD 12c and OUDSM 12c in Collocated Mode (Under Same Domain) or Non-Collocated Mode (Under Separate Domains) [2303721.1]
  • OUD 12c: Understanding the Oracle Unified Directory 12c Installation Directories MW_HOME, PRODUCT_HOME, OUD ORACLE_HOME, DOMAIN_HOME WLS_HOME ORACLE_COMMON Home [2302813.1]
  • All Java SE Downloads on MOS [1439822.1]
  • Information Center: Using Oracle Unified Directory (OUD) [1419823.2]