Tag Archives: Trivadis Security eXperts

DOAG Red Stack Magazin – Oracle Unified Directory in Docker

Mid June I wrote an article for the DOAG Red Stack magazin about my work on Oracle Unified Directory in Docker. Just about the same time I did my DOAG SIG Security presentation on the same topic. In the meantime the article has been published in the latest release of the DOAG Red Stack magazin. For this reason I use the opportunity to make the PDF version of the article available on oradba.ch. The article is written in German and available as Trivadis version as well Red Stack version. Although the articles versions differ only in the number of typos and layout.

None of the articles are currently available in English. On request I will write also articles about Oracle Unified Directory in English in the future. However, currently I still have a lot of ideas for more blog posts about database security, Oracle Enterprise User Security and Oracle Unified Directory on my to-do list. And blog posts I do usually write in English… 🙂

Oracle CPU / PSU Advisory October 2018

Oracle has recently published the Critical Patch Update Advisory for the October 2018. It’s once more quite a heavy update with not less than 301 security vulnerability fixes across the Oracle products. The Oracle database is relatively prominently represented with 3 security vulnerabilities and a maximal CVSS rating of 9.8. The problem CVE-2018-3259 with such a high CVSS rating is related to OJVM and affects all Oracle releases on various platforms. In addition, two of the vulnerabilities are remotely exploitable without authentication. None of the security bug fixes are for client-only installations. So you just have to patch your database servers.

Oracle Unified Directory itself is not mentioned in the Oracle Critical Patch Update Advisory. But the MOS note 2385785.1 Information And Bug Listing of Oracle Unified Directory Bundle Patches: 12.2.1.3.x (12cR2PS3) Version does provide information on the latest bundle patch for OUD. Beside this patch, There are updates for Oracle WebLogic and Oracle Java as well (see links below).

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8. The following components are affected:

  • Oracle Text
  • Java VM
  • Rapid Home Provisioning

Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update.

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 56 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

A few links related to this Critical Patch Update.

Oracle CPU / PSU Pre-Release Announcement July 2018

Today Oracle has published the Pre-Release Announcement for the July 2018 Critical Patch Update. It’s quite a heavy update with not less than 334 security vulnerability fixes across the Oracle products. The Oracle database is relatively prominently represented with 3 security vulnerabilities and a maximal CVSS rating of 9.8. Of the vulnerabilities is remotely exploitable without authentication. But none of the security bug fixes is for client-only installations. So you just have to patch your database servers.

Oracle Unified Directory itself is not mentioned in the Oracle Critical Patch Update Pre-Release Announcement. But since there are updates for Oracle WebLogic, Oracle Java and Oracle Internet Directory, I assume there will follow a patch update for Oracle Unified Directory in a couple of days.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8. The following components are affected:

  • Core RDBMS
  • Java VM
  • Oracle Spatial (jackson-databind)

We will see all the details next Tuesday when Oracle is officially releasing the Critical Patch Update for July 2018. Next week I’ll have a closer look and do some test installations. I am particularly interested in why there is a patch for Oracle Database Server 18.2. Still just Oracle Cloud and Exadata or will we soon see an Oracle Database release 18c for on-premises?

More details about the patch will follow soon on the Oracle Security Pages.

DOAG 2018 SIG Security – Oracle Unified Directory on Docker

A couple of days ago I did had the opportunity to give a presentation on Oracle Unified Directory on Docker at the DOAG SIG Security day in Stuttgart. It was a great opportunity to discuss how OUD engineering can be simplified using Docker. As proof how easy this can be, I set up and configured an OUD AD proxy in a short demo.

 

Besides the demo the following topics were discussed:

  • Docker in a nutshell
  • Requirements to setup Oracle Unified Directory in Docker
  • Oracle Unified Directory installation
  • Build an Oracle Unified Directory Docker image
  • Discuss the Dockerfile and build scripts
  • Digression on how to make Docker images smaller
  • Use the Oracle Unified Directory Docker image
  • Discuss the instance status and create scripts
  • Use cases for Oracle Unified Directory in Docker
  • Demo setup Oracle Unified Directory with Enterprise User Security and Active Directory proxy

With an Oracle Unified Directory Docker images and the OUD Base template scripts it took just a couple of minutes to setup and configure Enterprise User Security with an Oracle Unified Directory AD proxy. More complex use cases including high availability, replication etc. will take a bit more time, but it can also be automated.

The presentation and information related to event:

Some references and links related to this blog post and the presentation:

Oracle 18c new Security Features

Today I had the opportunity to give a presentation on Oracle 18c new Security Features at the SOUG day in Baden. It was a great opportunity to discuss the security enhancements in the latest Oracle database release. This release introduces some new security features that simplify the secure operation of on-premises or cloud-based databases. Especially the new central managed user with MS Active Directory.

Based on first experiences and insights, the following topics have been discussed:

  • Create schema only accounts
  • Integration of Active Directory services with Oracle Database
  • Encrypt sensitive credential data in the data dictionary
  • Write Unified Audit Trail records to SYSLOG or the Windows event viewer
  • Use Oracle Data Pump to export and import the Unified Audit Trail
  • Authentication and certification parameters
  • Enterprise User Security Manager (EUSM)
  • User defined master encryption key
  • Keystore for each Pluggable Database
  • User defined master encryption key
  • Enhancements to Oracle Database Vault simulation mode
  • Grant Data Pump-Database Vault authorizations to roles
  • Oracle Database Vault support for Oracle Database Replay

The Killer feature in this release is definitely the centrally managed user with its simple MS Active Directory integration. It is an ideal solution to simplify the user management in small / midsize environments. For larger and more complex environments it makes more sense to engineer central user management using Oracle Enterprise User Security. Many other improvements are due to Oracle’s cloud strategy. Necessary and meaningful but not earth-shattering.

The presentation is available in English over the following links:

Oracle Unified Directory systemd unit file

About a year ago I explained in the blog post Start OUD Servers on Boot using systemd how to start Oracle Unified Directory automatically on system startup. In the meantime a lot has changed, so has my unit file. The simple unit file actually worked quite well. Until the time came when I installed an updated Java version for OUD. At this point I did realize, that it is not really optimal to have the JAVA_HOME respectively OPENDS_JAVA_HOME in the unit file. It all happened on a system where I didn’t have root access. OUD couldn’t be started any more using systemd, because the Java home path in the unit file was no longer correct. A change request and a few days later the problem was solved. Nevertheless this was a good opportunity to optimize the OUD unit file and get rid of static information. JAVA_HOME does not explicitly have to be specified when starting OUD. It is usually specified within the java.properties see also blog post Change default JAVA_HOME for OUD Instance.

What has been changed in the current unit file?

  • Environment The environment variable OPENDS_JAVA_HOME has been completely be removed. start-ds does use the JAVA_HOME specified by the java.properties.
  • WorkingDirectory The working directory has been set to the OUD instance home.
  • PIDFile Since the service type is forking, this directive is used to set the path of the PID file for the OUD instance. The file contains the process ID number of the directory server process respectively JVM which is monitored.
  • Restart Systemd will attempt to automatically restart the service on-failure.
  • RestartSec Amount of time to wait before attempting to restart the service.
  • SuccessExitStatus stop-ds does send a SIGTERM to the JVM to stop the directory server. This generates an exit code 143. By default, systemd interprets this as an error. By setting SuccessExitStatus we can overwrite this behavior and accept 143 or SIGTERM as successful.
  • User and Group Has been set to oud/oud rather than oracle/osdba. User and group for OUD highly depends on your environment.

Below you see the revised version of the OUD unit file. The OUD instance home path has been replaced with the placeholder OUD_INSTANCE_HOME.

[Unit]
Description=OUD Instance
Wants=network.target
After=network.target

[Service]
Type=forking
User=oud
Group=oud
WorkingDirectory=OUD_INSTANCE_HOME/OUD
PIDFile=OUD_INSTANCE_HOME/OUD/logs/server.pid
ExecStart=OUD_INSTANCE_HOME/OUD/bin/start-ds --quiet
ExecStop=OUD_INSTANCE_HOME/OUD/bin/stop-ds --quiet
ExecReload=OUD_INSTANCE_HOME/OUD/bin/stop-ds --restart --quiet
RestartSec=42s
Restart=on-failure
SuccessExitStatus=143 SIGTERM
TimeoutSec=300
StandardOutput=syslog+console
StandardError=syslog+console

[Install]
WantedBy=multi-user.target

This updated unit file is also part of the latest version of OUD Base, my environment scripts for OUD. If you want to use it, you have to replace OUD_INSTANCE_HOME with your specific OUD instance home path.

export OUD_INSTANCE="oudtest"
export OUD_INSTANCE_HOME="/u00/app/oud/instances/$OUD_INSTANCE"
export $cdl="/u00/app/oud/local"
export $cda="/u00/app/oud/admin/$OUD_INSTANCE"
cat $cdl/oudbase/templates/etc/oud_instance.service \
  >$cda/etc/oud_$OUD_INSTANCE.service
sed -i "s|OUD_INSTANCE_HOME|/app/oud/instances/$OUD_INSTANCE|" \
  $cda/etc/oud_$OUD_INSTANCE.service
cat $cda/etc/oud_$OUD_INSTANCE.service

Enable the new unit file by coping it to the systemd folder /etc/systemd/system. 

sudo cp $cda/etc/oud_$OUD_INSTANCE.service \
  /etc/systemd/system/oud_$OUD_INSTANCE.service

Run systemctl daemon-reload and enable the new service.

sudo systemctl daemon-reload
sudo systemctl enable oud_$OUD_INSTANCE.service

You OUD instance can now be started / stopped with systemctl as explained in the first blog post about OUD and systemd.

Some references and links related to this blog post:

Oracle CPU / PSU April 2018

Oracle recently released the spring Critical Patch Advisory. It is the first critical patch update, which also includes fixes for Oracle 18c. Over all it includes 254 new security fixes across the product families. Overall a rather large update, although only a security vulnerability is patched for the Oracle databases. This vulnerability is not remotely exploitable without authentication and is not applicable to client-only installations. The CVSS Rating is 8.5 for Oracle Database 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.1.0.0 on any operating system. According to Oracle the following component is affected:

  • Java VM

Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update.

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 30 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

More details about the patch will follow soon on the Oracle Security Pages.

By the way, Oracle improved the table which lists the affected products and components in there advisory. Oracle Database is not a the top of the table any more.

Smaller Oracle Docker images

One of the important challenges with Docker is to get used to the image layers and the layered file system. It quickly happens that you unintentionally have too much data in an intermediate layer. Either log files, installation software or login credentials. Whereby the first two “only” blow up the Docker image unnecessarily, while the last point can be a major security vulnerability. It also happens to me when I build Docker images for Oracle Unified Directory. See my blog post on Oracle Unified Directory on Docker.

Problem

Each instruction in the Dockerfile adds a layer to the image, and you need to remember to clean up any artifacts you don’t need before moving on to the next layer. If you do use COPY or ADD in particular a clean up is not possible. Every credential file or software package which is copied during build will remain. Later attempts to remove the intermediate files will only result in the corresponding files no longer being visible in the next layers.

Although there is a way to work around this by using the new build parameter --squash. Squash does merge newly built layers into a single new layer. But --squash is only available in the latest Docker releases. In older releases not at all or at best as experimental feature. Beside this it also has some other downside eg. losing the history or intermediate layers, issue with ONBUILD command etc. Squash does also not help if you specify your credentials as build arguments via ARG.

So why not make small, secure and clean Docker image at first place.

Idea

Rather than put the software packages or credential files to the Docker build context and using COPY or ADD, we will download them in a RUN command using curl. But from where? Oracle software can not be downloaded unattended without credentials. And we do not want to set up a web server just for software, secrets, credentials, etc.

Hei, you are using Docker. Setting up a local web server is a pice of cake. 🙂

  • Put your software, credentials, etc in a dedicated folder
  • Run a Docker container with an Apache HTTP server and make sure it has access to the folder mentioned before
  • Change your Dockerfile to download the software or credentials for the HTTP server
  • Make sure that you docker build can get access to the intermediate HTTP server

Solution

Let’s see how I did use a local HTTP sever to set up small Oracle Unified Directory Docker images.

HTTP Server

Create a folder with all required Oracle software, patch’s etc. But make sure, that you Docker can use this folder as Docker volume.

ls -alh /Data/vm/docker/volumes/orarepo
total 5009896
drwxr-xr-x 11 oracle staff 352B 26 Mär 23:52 .
drwxr-xr-x 4 oracle staff 128B 26 Mär 22:50 ..
-rw-r--r-- 1 oracle staff 1,5G 26 Mär 23:03 p26269885_122130_Generic.zip
-rw-r--r-- 1 oracle staff 404M 26 Mär 22:55 p26270957_122130_Generic.zip
-rw-r--r-- 1 oracle staff 94M 26 Mär 22:49 p26540481_111230_Generic.zip
-rw-r--r-- 1 oracle staff 157M 26 Mär 22:45 p26724938_111170_Linux-x86-64.zip
-rw-r--r-- 1 oracle staff 56M 26 Mär 22:55 p27217121_904_Linux-x86-64.zip
-rw-r--r-- 1 oracle staff 52M 26 Mär 22:56 p27217289_180162_Linux-x86-64.zip
-rw-r--r-- 1 oracle staff 1,3M 26 Mär 22:44 p27438258_122130_Generic.zip
-rw-r--r-- 1 oracle staff 56M 26 Mär 22:54 p27478886_100000_Linux-x86-64.zip
-rw-r--r-- 1 oracle staff 52M 26 Mär 22:53 p27638647_180162_Linux-x86-64.zip

Get your revered HTTP server. For this case I do use the official Apache HTTP server-based on alpine linux. This image is way smaller and more than enough for our purpose.

docker pull httpd:alpine

alpine: Pulling from library/httpd
605ce1bd3f31: Pull complete
6e4ededbced2: Pull complete
03b3c72c9962: Pull complete
bf08478b6930: Pull complete
222d70b58166: Pull complete
Digest: sha256:80d69271825a27c41f41609707095a1cdec381d22f772511ae6e30156c2b788f
Status: Downloaded newer image for httpd:alpine

Start a container for the HTTP server. Define a hostname, volume and external http port. For more information on configuration, see the official httpd Docker image.

docker run -dit --hostname orarepo --name orarepo \
-p 8080:80 \
-v /Data/vm/docker/volumes/orarepo:/usr/local/apache2/htdocs/ \
httpd:alpine

Get the IP address with docker inspect of the orarepo for later use.

orarepo_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' orarepo)

A test via curl on command line curl http://localhost:8080 or with your favorite browser will show the files mentioned above. Be aware this test does access the HTTP container from your host network via exposed port 8080.

Dockerfile

Now we just have to adopt the Dockerfile to make sure it does get the software from the HTTP server orarepo. See excerpt from my Dockerfile.

...
RUN curl -f http://orarepo/p26270957_122130_Generic.zip \
-o /tmp/download/p26270957_122130_Generic.zip && \
...

To be more flexible and allow both local files as well download via curl I did extend my RUN command with an extra file check [ -s ... ]. In this case it first check’s if the file is available and not zero. If the file is not available it will use curl to download the file from orarepo. See excerpt from my Dockerfile.

...
COPY p26270957_122130_Generic.zip* /tmp/download/
...
RUN [ -s "/tmp/download/p26270957_122130_Generic.zip" ] || \
curl -f http://orarepo/p26270957_122130_Generic.zip \
-o /tmp/download/p26270957_122130_Generic.zip && \
...

If the OUD software package p26270957_122130_Generic.zip is part of the build context it will be copied to the image and used to build and setup OUD. In case it is not part of the build context the file check will fail and start to use curl.

Build using COPY

Let’s build the Docker image with the software package copied during build. Check the build context.

ls -alh

total 858168
drwxr-xr-x 9 oracle staff 288B 28 Mär 09:31 .
drwxr-xr-x 6 oracle staff 192B 19 Mär 14:19 ..
-rw-r--r-- 1 oracle staff 4,9K 27 Mär 21:40 Dockerfile
-rw-r--r-- 1 oracle staff 225B 19 Mär 11:18 install.rsp
-rw-r--r-- 1 oracle staff 63B 19 Mär 10:57 oraInst.loc
-rw-r--r-- 1 oracle staff 404M 28 Mär 09:31 p26270957_122130_Generic.zip
-rw-r--r-- 1 oracle staff 754B 12 Mär 14:18 p26270957_122130_Generic.zip.download
drwxr-xr-x 6 oracle staff 192B 20 Mär 11:46 scripts

And run docker build.

docker build -t oracle/oud:12.2.1.3.0-copy .

Build using curl

Now let’s build the docker image using curl and not the local software package. For this p26270957_122130_Generic.zip has to be removed from the build context. Additionally the Docker build requires the IP of the orarepo, which is used to download the software image.
Check the build context.

rm p26270957_122130_Generic.zip
ls -alh

total 858168
drwxr-xr-x 9 oracle staff 288B 28 Mär 09:31 .
drwxr-xr-x 6 oracle staff 192B 19 Mär 14:19 ..
-rw-r--r-- 1 oracle staff 4,9K 27 Mär 21:40 Dockerfile
-rw-r--r-- 1 oracle staff 225B 19 Mär 11:18 install.rsp
-rw-r--r-- 1 oracle staff 63B 19 Mär 10:57 oraInst.loc
-rw-r--r-- 1 oracle staff 754B 12 Mär 14:18 p26270957_122130_Generic.zip.download
drwxr-xr-x 6 oracle staff 192B 20 Mär 11:46 scripts

And run docker build with --add-host. Add host does use the variable defined above for the IP address of the orarepo.

docker build --add-host=orarepo:${orarepo_ip} -t oracle/oud:12.2.1.3.0-curl .

The Docker images

When we compare the two image we see, that they differ by around 400MB. More or less the size of the OUD software package.

docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
oracle/oud 12.2.1.3.0-curl f7c80fa69db3 2 minutes ago 754MB
oracle/oud 12.2.1.3.0-copy a5e1751d534d 7 minutes ago 1.18GB

Docker history for the image oracle/oud:12.2.1.3.0-copy does also show the size of the COPY layer.

docker history oracle/oud:12.2.1.3.0-copy
IMAGE CREATED CREATED BY SIZE COMMENT
...
07614f386e0f 16 minutes ago /bin/sh -c #(nop) COPY multi:b8206d7811ce917… 424MB
832c9d0bf308 34 hours ago /bin/sh -c #(nop) COPY multi:58a01d5459f0ac6… 20kB
9c9531205281 34 hours ago /bin/sh -c groupadd --gid 1000 oracle && … 8.29MB
96278dfe7c12 34 hours ago /bin/sh -c #(nop) ENV PATH=/usr/local/sbin:…
...

Conclusion

With little effort it is possible to create secure and especially small Docker images. Creating a HTTP server to share software or credentials during build is a piece of cake. Reducing the docker image by 400MB is nice. Depending on the Oracle software this will be even more. Although the downside is, that this does not work for automated builds on Docker Hub. but I’m still working on that 🙂

References

Below you find a few references related to the topics discussed in this post:

Oracle Unified Directory on Docker

A bit a while ago I’ve started to use Docker for miscellaneous purposes. Not really an early adopter, but I still hope I caught the train just in time. 🙂 In one of my customer project, I did have to set up a couple of OUD instance to develop and test the transition from Oracle Directory Server Enterprise Edition (ODSEE) to Oracle Unified Directory (OUD). This did include more engineering and troubleshooting work as initially planned. So I eventually got to set up my OUD instances in docker containers rather than in dedicated Virtualbox VM. Unfortunately Oracle does not provide any Docker images or build templates for Oracle Unified Directory. Indeed they do have a bunch of official Docker configurations, images, and examples on GitHub for a couple of Oracle products. But just not for Oracle unified Directory. Ok, there is a issue requesting such a Docker image see Issue #656. Well… challenge accepted. I did build my own OUD GitHub Repository for OUD Docker deployments.

My GitHub repository oehrlis/docker-oud does contain the Docker build files to facilitate installation, configuration, and environment setup for Docker DevOps users. The project allows you to create two different types of docker images.

  • Standalone Oracle Unified Directory 12.2.1.3.0 to setup and run Oracle Unified Directory. This is the smaller image with only the OUD binaries used to set up and run an OUD directory or proxy server. Administration has to be done via dsconfig, ldapmodify or any other regular LDAP command line or GUI tools.
  • Collocated Oracle Unified Directory 12.2.1.3.0 and Oracle Fusion Middleware Infrastructure 12.2.1.3.0. A rather big docker image to setup and run an Oracle Unified Directory Server Manager (OUDSM). My intention was to use this docker image primarily for OUDSM. Nevertheless, it can also be used to build an OUD directory or proxy server which is operated in a WLS domain. So in Collocated Mode (Under Same Domain) or Non-Collocated Mode (Under Separate Domains).

To setup my Docker OUD images, I’ve tried to follow a few best practice, rules (Oracle’s golden rules for contributing to oracle/docker-images) as well hints by my workmates (Philipp Salvisberg and others).

  • Always aim to produce the smallest possible image. I did not push this to the maximum and start to remove unused components in the Oracle binaries. Oracle Fusion Middleware Infrastructure is currently outrageous large to only running OUDSM.
  • Separate persistent data from the image / container and put it on a volume. Or at least let the user decide, if he want to put it on a volume or not.
  • No public distribution of Docker images containing Oracle software. That’s a legal requirement. My docker build scripts do provide a couple of possibilities to install the software.
  • Allow flexible configuration via –build-arg or -e but provide useful default values.
  • Use Oracle Linux as the base image and install only as much as you need.
  • And much more…

Build Docker Images

The Docker images have to be build manually based on oehrlis/docker-oud from GitHub. To assist in building the images, you can use the scripts/buildDockerImage.sh script. See below for instructions and usage. The buildDockerImage.sh script is just a utility shell script to setup the docker build command and is an easy way for beginners to get started. Expert users are welcome to directly call docker build with their preferred set of parameters.

Usage of buildDockerImage.sh:

buildDockerImage.sh [-hv] [-t TYPE] [-o DOCKER_BUILD_OPTION]
-h Usage (this message)
-v Enable verbose mode
-t TYPE OUD image and installation type to build.
Possible types are:
OUD : Standalone Oracle Unified Directory Server
OUDSM : Collocated Oracle Unified Directory Server.
Default is type is OUD.
-o DOCKER_BUILD_OPTION Passes on Docker build option

Logfile : buildDockerImage.log

Due to license restrictions from Oracle, the Docker images containing Oracle software can not provided on a public Docker repository (see [OTN Developer License Terms](http://www.oracle.com/technetwork/licenses/standard-license-152015.html)). This is the reason why you have to build the images yourself and downloaded the required software prior image build. Alternatively it is possible to specify MOS credentials in scripts/.netrc or via build arguments. Using MOS download during image build will lead into smaller images, since the software will not be part of an intermediate container.

Obtaining Product Distributions

The software can either be downloaded from My Oracle Support, Oracle Technology Network (OTN) or Oracle Software Delivery Cloud (OSDC). The following steps will refer to the MOS software download to simplify the build process.

The following software is required for the Oracle Unified Directory Docker image:

  • Oracle Java Development Kit (JDK) 1.8 (1.8u152) Patch 26595894 for the OUD and OUDSM image
  • Oracle Unified Directory 12.2.1.3.0 Patch 26270957 for the OUD and OUDSM image
  • Oracle Fusion Middleware Infrastructure 12.2.1.3.0 Patch 26269885 just for OUDSM image

Manual Download Software

Simplest method to build the OUD or OUDSM image is to manually download the required software. However this will lead to bigger docker images, since the software is copied during build, which temporary blow up the container file-system. But its more safe because you do not have to store any MOS credentials. If you’ve enabled Docker experimental features, you could work around this and squash Squash newly built layers with docker build parameter --squash.

The corresponding links and checksum can be found in *.download files in the software folder. Alternatively the direct Oracle Support Download Links:

Copy all files to the software folder.

cp p26595894_180152_Linux-x86-64.zip docker-oud/software
cp p26270957_122130_Generic.zip docker-oud/software
cp p26269885_122130_Generic.zip docker-oud/software

Build the docker image either by using docker build or buildDockerImage.sh.


docker build -t oehrlis/oud -f Dockerfile.oud .
docker build -t oehrlis/oudsm -f Dockerfile.oudsm .

scripts/buildDockerImage.sh -v -t OUD
scripts/buildDockerImage.sh -v -t OUDSM

Automatic download with .netrc

The advantage of an automatic software download during build is the reduced image size. No additional image layers are created for the software and the final docker image is about 3GB smaller. But the setup script’s setup_oud.sh, setup_oud.sh and setup_oudsm.sh requires MOS credentials to download the software with using curl. Curl does read the credentials from the .netrc file in scripts folder. The .netrc file will be copied to /opt/docker/bin/.netrc, but it will be removed at the end of the build.

Create a .netrc file with the credentials for login.oracle.com.

echo "machine login.oracle.com login $MOS_USER password $MOS_PASSWORD" >docker-oud/scripts/.netrc

Build the docker image either by using docker build or buildDockerImage.sh.

docker build -t oehrlis/oud -f Dockerfile.oud .
docker build -t oehrlis/oudsm -f Dockerfile.oudsm .

scripts/buildDockerImage.sh -v -t OUD
scripts/buildDockerImage.sh -v -t OUDSM

Although this method has some security issues. The credentials will always remains in the intermediate layer. It is recommended to use a different approach discussed in the new blog post Smaller Oracle Docker images.

Automatic download with Build Arguments

This method is similar to the automatic download with .netrc file. Instead of manually creating a .netrc file it will created based on build parameters. Also with this method the .netrc file is deleted at the end.

Build the docker image with MOS credentials as arguments using docker build or buildDockerImage.sh.

docker build --build-arg MOS_USER=$MOS_USER \
--build-arg MOS_PASSWORD=$MOS_PASSWORD \
-t oehrlis/oud -f Dockerfile.oud .

scripts/buildDockerImage.sh -v -t OUD \

-o "--build-arg MOS_PASSWORD=$MOS_PASSWORD --build-arg MOS_USER=$MOS_USER"

The time taken to build the OUD or OUDSM image will depend on your internet speed. In any case it shouldn’t be more than a couple of minutes. Although this method has as well some security issues. The credentials will always remains in the intermediate layer. It is recommended to use a different approach discussed in the new blog post Smaller Oracle Docker images.

Next Steps

You are now the happy owner of OUD Docker images with a standalone and / or collocated Oracle Directory Server installations. The next step is to start using these Docker images to run your OUD containers and deploy different kind of OUD and OUDSM configurations. I’ll provide how to build the containers as well some “behind the seance” information in my upcoming blog posts about OUD on Docker. Stay tuned.

Files and References

Below you find a few references related to Oracle Unified Directory on Docker:

DOAG 2017 Oracle 12c Release 2 Datenbank-Sicherheit in a Nutshell

DOAG Konferenz 2017Below you will find a list of the different demo scripts used during the DOAG training day 2017 Oracle 12c Release 2 Datenbank-Sicherheit in a Nutshell. In general the script do need a SCOTT or a HR demo schema. Some of the scripts may have more requirements eg. Kerberos configuration, Oracle Enterprise User Security etc. The scripts are available free for anyone to use. I do not accept any responsibility for any damage, errors or anything whatsoever caused by running or using these scripts. The scripts have been tested thoroughly but as there are many platforms, Oracle versions and possible configurations, it does not mean that they will work for you when they work for me. Please check the file header for further information on the scripts, references etc before running them especially on production system.

 

Script Description
 01_authentication.sql Show authentication information of the connected user and its USERENV context
 02_privileges.sql Database privileges analysis demo
 03_vpd.sql Virtual Private Database demo with default and column masking.
 04_audit.sql Unified audit demo script
 05_redaction.sql Oracle Data Redaction demo script
 06_tsdp_redact.sql Transparent Sensitive Data Protection and Data Redaction demo
 07_tsdp_audit.sql Transparent Sensitive Data Protection and Unified Audit demo
 aui.sql Script to show authentication information of the connected user and from its USERENV context.
 hip.sql List init.ora parameter including hidden parameters.
 create_password_hash.sql Calculate Oracle DES based password hash from username and password.
 verify_user_password.sql Wrapper script to check if a user has a weak DES based password. Passwords will be displayed.
 verify_user_password_no.sql Wrapper script to check if a user has a weak DES based password. Passwords will not be displayed
 verify_alluser_passwords.sql Wrapper script to check if any user in sys.user$ has a weak DES based password. Passwords will be displayed.
 verify_alluser_passwords_no.sql Wrapper script to check if any user in sys.user$ has a weak DES based password. Passwords will not be displayed.
 verify_passwords.sql Check if user in sys.user$ has a weak DES based password
 verify_password_hash.sql Check if user has a weak password