Tag Archives: Oracle Unified Directory

Oracle Security EUS Snippets – Setup Proxy User Privileges

Since I’m always short of time for a longer blog post, I’ll just try a short one. Intended as a mini-series, I will show different configuration examples for Oracle Enterprise User Security. Today I’ll start with the configuration of EUS based proxy privileges. The environment I use is DOE, my Docker based Oracle Engineering environment, in particular its EUS configuration. For more information, see the corresponding GitHub repository oehrlis/doe, in particular the folder eus for the EUS specific environment.

Background

Database proxy privileges are used relatively often to give certain users access to a different schema. The user authenticates with his own credentials and then acts as a proxy user for the target schema in the database. Below is an example where the user RMAN gets access to a different schema, specifically another RMAN catalog schema (see also the blog post about SEPS and RMAN).

CREATE USER rman IDENTIFIED BY welcome1;
CREATE USER rman19000 NO AUTHENTICATION QUOTA UNLIMITED ON rman_data;
GRANT RECOVERY_CATALOG_OWNER TO rman19000;
ALTER USER rman19000 GRANT CONNECT THROUGH rman; 
ALTER USER rman19000 DEFAULT TABLESPACE rman_data;

The following users were created:

  • RMAN19000 is the schema owner of an Oracle 19c RMAN catalog stored in the tablespace RMAN_DATA. The user is created without any authentication, but with a proxy privilege for the user RMAN.
  • RMAN is the user which is used to connect to the catalog. There are other catalogs as well, but they are not shown in this example.
SQL> connect rman[RMAN19000]/welcome1@CATALOG
Connected.
SQL> show user
USER is "RMAN19000"
SQL> SELECT sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER SESSION_USER
---------- ---------------
RMAN       RMAN19000

With pure database authentication or authorisation, the configuration of proxy users is easy. With Enterprise User Security, proxy privileges are no longer managed in the database but in the directory. Let’s take a look at that.

Database Configuration

For Enterprise User Security based proxy privileges, the database side only grants CONNECT THROUGH ENTERPRISE USERS; no individual proxy user is named in the database. The rest is done in the OracleContext of the directory. See also ALTER USER in Oracle® Database SQL Language Reference 19c.

ALTER USER scott GRANT CONNECT THROUGH ENTERPRISE USERS;

Enterprise User Security Configuration

The configuration can be done either via Oracle Enterprise Manager Cloud Control, as documented in Oracle® Database Enterprise User Security Administrator’s Guide 19c, or with the command line utility eusm. I prefer the command line utility, as I often do not have an OEM at hand.

  • Create the proxy permission in the directory.
eusm createProxyPerm proxy_permission="Scott Proxy" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Define a target user for this proxy permission.
eusm addTargetUser proxy_permission="Scott Proxy" \
database_name="TEUS01" \
target_user="SCOTT" dbuser="system" \
dbuser_password=$(cat /u00/app/oracle/admin/TEUS01/etc/TEUS01_password.txt) \
dbconnect_string="eusdb.trivadislabs.com:1521/TEUS01.trivadislabs.com" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Explicitly grant the proxy permission to the user KING. The permission can also be assigned to a group.
eusm grantProxyPerm proxy_permission="Scott Proxy" \
user_dn="cn=Ben King,ou=Senior Management,ou=People,dc=trivadislabs,dc=com" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Display the proxy permissions defined for the EUS default domain.
eusm listProxyPermissions domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Display information for the proxy permission Scott Proxy
eusm listProxyPermissionInfo proxy_permission="Scott Proxy" \
domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt)
  • Display proxy permissions for the user KING.
eusm listProxyPermissionsOfUser \
user_dn="cn=Ben King,ou=Senior Management,ou=People,dc=trivadislabs,dc=com" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=eusoud.trivadislabs.com ldap_port=1389 \
ldap_user_dn=cn=eusadmin,cn=oraclecontext \
ldap_user_password=$(cat /u01/common/etc/eusadmin_pwd.txt) 

Using the Proxy Permissions

Let’s test the permissions and connect as user KING.

  • Regular connection to the database as schema owner SCOTT.
SQL> connect SCOTT/tiger@TEUS01
Connected.
SQL> show user
USER is "SCOTT"
SQL> select sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER      SESSION_USER
--------------- ---------------
                SCOTT
  • Regular connection to the database as KING.
SQL> connect king/welcome1@TEUS01
Connected.
SQL> show user
USER is "KING"
SQL> select sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER      SESSION_USER
--------------- ---------------
                KING
  • Proxy connection to the database
SQL> connect king[SCOTT]/welcome1@TEUS01
Connected.
SQL> show user
USER is "SCOTT"
SQL> select sys_context('userenv','PROXY_USER') PROXY_USER,
sys_context('userenv','SESSION_USER') SESSION_USER from dual;

PROXY_USER      SESSION_USER
--------------- ---------------
KING            SCOTT

Conclusion

Configuration of proxy permissions in connection with Oracle Enterprise User Security is not as complicated as you might think. It is also useful if shared global users need access to certain schemas. For example, a power user is allowed to access the application schema.

OUD 12c – SSLHandshakeException with “no cipher suites in common”

Recently I updated the Java installation of my Oracle Unified Directory (OUD) 12.2.1.0.3 to the latest release, Java 1.8.0 update 202 to be exact (p28916775_180202_Linux-x86-64.zip). Actually a piece of cake, I have done this a few times in the past. My Enterprise User Security (EUS) test environment runs in Docker: one container for the database and another one for the directory server. Updates are usually straightforward. Stop the containers, rebuild the images with the latest software / patches and recreate the containers. But not this time. After restarting OUD, my EUS authentication seemed to be broken. When trying to log in, I got a friendly ORA-01017 error.

SQL> connect blofeld/********
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

A check of the OUD access log file showed a cipher error.

[21/Feb/2019:06:21:27] CONNECT conn=5 from=172.20.0.3:50376 to=172.20.0.2:1636 protocol=LDAPS
[21/Feb/2019:06:21:27] DISCONNECT conn=5 reason="I/O Error" msg="no cipher suites in common"

Groundhog Day? Endless loop? I knew I had fixed this before. So I checked the solution in MOS Notes 2397791.1 and 2304757.1 again. According to my understanding the java.security file looked ok. The required legacy ciphers had been enabled by removing 3DES_EDE_CBC from the list of jdk.tls.disabledAlgorithms.
I finally ran several tests with different Java versions (1.8.0 update 192 and 1.8.0 update 202) and different java.security files. In the third attempt, database authentication with EUS and OUD also worked in combination with Java 1.8.0 update 202. The solution was rather simple: I used the java.security file from Java 1.8.0 update 192 instead of the new version with 3DES_EDE_CBC enabled. Running diff on both files uncovered the culprits.

diff java.security java.security_202_default
645c645
<     EC keySize < 224
---
>     EC keySize < 224, 3DES_EDE_CBC, anon, NULL
700c700,701
<     RC4_128, RC4_40, DES_CBC, DES40_CBC
---
>     RC4_128, RC4_40, DES_CBC, DES40_CBC, \
>     3DES_EDE_CBC

Or just the lines with jdk.tls.disabledAlgorithms:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

A difference due to 3DES_EDE_CBC was to be expected, since I compared against the standard java.security file, where this algorithm had not yet been removed. But anon, NULL is new. The list of disabled algorithms jdk.tls.disabledAlgorithms was changed in Java 1.8.0 update 202. I could have seen this myself if I had looked through the release notes before installing the software 🙂 . There is a Java bug related to this, see JDK-8211883 Disable anon and NULL cipher suites. The problem now is that my EUS works again, but it uses insecure and legacy algorithms. A proper fix of this issue has to be implemented in the LDAP / EUS stack of the Oracle database binaries.
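To see exactly which entries a workaround re-enables, here is an added example (my own code, not from the post or from Oracle) that parses java.security including its backslash line continuations and diffs the jdk.tls.disabledAlgorithms list of two files; the two excerpts it uses are constructed from the diff above.

```python
"""Compare jdk.tls.disabledAlgorithms between two java.security files.

Added example, not part of the original post. It parses java.security
the way the JDK does (a trailing backslash continues the value on the
next line, which is why the property spans two lines in the diff above)
and reports which algorithms a workaround file leaves enabled.
The two excerpts below are constructed from the diff shown in the post.
"""

# Constructed: java.security after the MOS 2304757.1 workaround
# (3DES_EDE_CBC removed from the disabled list, as on Java 1.8.0_192).
JAVA_SECURITY_WORKAROUND = """\
# java.security excerpt (constructed for this example)
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224
jdk.tls.legacyAlgorithms= \\
    K_NULL, C_NULL, M_NULL, \\
    RC4_128, RC4_40, DES_CBC, DES40_CBC
"""

# Constructed: the Java 1.8.0_202 default, which adds anon and NULL.
JAVA_SECURITY_202_DEFAULT = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.legacyAlgorithms= \\
    K_NULL, C_NULL, M_NULL, \\
    RC4_128, RC4_40, DES_CBC, DES40_CBC, \\
    3DES_EDE_CBC
"""

# Entries the OUD/EUS workaround depends on; all three are weak or unauthenticated.
LEGACY_FOR_EUS = ("3DES_EDE_CBC", "anon", "NULL")


def parse_java_security(text):
    """Return {property: value} from java.security content.

    Skips '#'/'!' comment lines and blank lines and joins backslash
    continued lines into one logical line before splitting on '='.
    """
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        key, sep, value = " ".join(pending).partition("=")
        pending = []
        if sep:
            props[key.strip()] = value.strip()
    return props


def algorithm_list(props, name="jdk.tls.disabledAlgorithms"):
    """Split a comma separated algorithm property into a clean list."""
    return [a.strip() for a in props.get(name, "").split(",") if a.strip()]


def compare_disabled(old_text, new_text):
    """Return (re_enabled, newly_disabled) when moving from old to new file."""
    old = algorithm_list(parse_java_security(old_text))
    new = algorithm_list(parse_java_security(new_text))
    return ([a for a in old if a not in new], [a for a in new if a not in old])


def legacy_left_enabled(text):
    """Which of the EUS relevant legacy entries this file does NOT disable.

    A non-empty result means the JVM will still negotiate weak or
    unauthenticated TLS cipher suites, which is the risk of the workaround.
    """
    disabled = algorithm_list(parse_java_security(text))
    return [a for a in LEGACY_FOR_EUS if a not in disabled]


if __name__ == "__main__":
    re_enabled, newly = compare_disabled(JAVA_SECURITY_202_DEFAULT,
                                         JAVA_SECURITY_WORKAROUND)
    print("re-enabled by workaround:", re_enabled)
    print("newly disabled:", newly)
    print("left enabled:", legacy_left_enabled(JAVA_SECURITY_WORKAROUND))
```

Point the two constants at the real files (for example with open(...).read()) to audit a JDK before and after applying the workaround.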

Conclusion

First of all, do read the release notes before updating production environments 🙂 . As always in IT, a small change on one side can unexpectedly break something on the other side. The solution presented here can only be a workaround, because we weaken security with legacy algorithms. Oracle should soon update the LDAP / EUS stack in the Oracle binaries.

  • Fix for Java 1.8.0 update 192 and older: use the solution described in MOS note 2304757.1, update java.security and remove 3DES_EDE_CBC from jdk.tls.disabledAlgorithms.
  • Fix for Java 1.8.0 update 201 and newer: either use an old java.security which works for your EUS environment, or remove 3DES_EDE_CBC, anon and NULL from jdk.tls.disabledAlgorithms in your java.security.

Links

A few links related to this post:

  • OUD 12c – EUS Integration Failing with Message “no cipher suites in common”[2397791.1]
  • OUD 11g – EUS Authentication Fails with Error Message “no cipher suites in common”[2304757.1]
  • Java 1.8.0 update 201 release notes
  • Java bug JDK-8211883 Disable anon and NULL cipher suites
  • Preview of my Docker compose files to setup an Oracle Enterprise User Security Environment on Docker GitHub oehrlis/docker

Install Oracle Unified Directory 12c the smart way

Installing Oracle Unified Directory has always been easy. The installation guide for OUD 11g as well as OUD 12c is simple and straightforward. Additionally, Oracle provides a couple of MOS notes for different deployment scenarios. Nevertheless there is always room for improvement 🙂 During my work on OUD to go on Raspberry Pi Zero and on Docker images for OUD I had to optimise the installation of OUD. In this blog post I’ll show how I simplified and optimised my OUD installations.

Prerequisites

Standalone or Collocated?

Since the latest release, Oracle supports a couple of different ways to deploy OUD.

  • Standalone Oracle Unified Directory Server: With this deployment method OUD is used as a straightforward LDAP server with a small footprint. Administration has to be done via the command line (e.g. dsconfig, ldapmodify, etc.) or, where possible, with a third party LDAP browser.
  • Collocated Oracle Unified Directory Server with OUD and OUDSM in separate domains: OUD and Fusion Middleware (FMW) Infrastructure are installed in the same middleware home directory. In non-collocated mode, OUD and OUDSM are deployed in different domains.
  • Collocated Oracle Unified Directory Server with OUD and OUDSM in a single domain: OUD and Fusion Middleware Infrastructure are installed in the same middleware home directory. In collocated mode OUD and OUDSM are deployed under the same domain.
  • Collocated Oracle Unified Directory Server used just for OUDSM: This is not really an official deployment method, but it becomes quite handy when you have deployed a couple of standalone OUD servers. The OUD software is only deployed into the FMW Infrastructure to be able to create and start the OUDSM web application. Only an OUDSM domain is deployed.

For simple OUD installations I usually just install and deploy a standalone OUD. This installation is fast and has a small footprint. I use dsconfig for the administration and Apache Directory Studio for general LDAP browsing. If I need an OUDSM from time to time, I install a dedicated OUDSM (Collocated OUD Server) or use my OUDSM Docker container.

Environment

OUD does not make great demands on the environment. Nevertheless, I usually follow the Optimal Flexible Architecture (OFA) and use a couple of environment scripts similar to the Trivadis BasEnv. See my blog post about OUD environment scripts.

For the further installation steps I stick to the following environment variables.

export SOFTWARE=$HOME/software
export ORACLE_BASE=/u00/app/oracle
export ETC_BASE=$ORACLE_BASE/etc   # assumed location for the response and inventory files used below
export JAVA_HOME=$ORACLE_BASE/product/jdk1.8.0_144
export OUD_HOME=$ORACLE_BASE/product/oud12.2.1.3.0
export FMW_HOME=$ORACLE_BASE/product/fmw12.2.1.3.0

In the table below you find a short description of the environment variables. For further explanations see blog post OUD environment scripts.

ENV Variable                Path                                  Description
$ORACLE_BASE, $cdob         /u00/app/oracle                       Base directory for the Oracle binaries
$ORACLE_HOME, $OUD_HOME     $ORACLE_BASE/product/oud12.2.1.3.0    Standalone Oracle Unified Directory binaries
$ORACLE_HOME, $FMW_HOME     $ORACLE_BASE/product/fmw12.2.1.3.0    Collocated Oracle Unified Directory binaries
$JAVA_HOME                  $ORACLE_BASE/product/jdk1.8.0_144     Java used for OUD
$OUD_INSTANCE_BASE, $cdib   $ORACLE_BASE/instances                Base directory for the instance homes
$SOFTWARE                   $HOME/software                        Software depot for the JARs

To do a silent installation, we require a response file. For OUD and FMW this is a simple text file defining a few generic installation values. The same response file can be used for either of the products; the missing value INSTALL_TYPE is added when calling the installer.

echo "[ENGINE]"                                    > $ETC_BASE/install.rsp
echo "Response File Version=1.0.0.0.0"            >> $ETC_BASE/install.rsp
echo "[GENERIC]"                                  >> $ETC_BASE/install.rsp
echo "DECLINE_SECURITY_UPDATES=true"              >> $ETC_BASE/install.rsp
echo "SECURITY_UPDATES_VIA_MYORACLESUPPORT=false" >> $ETC_BASE/install.rsp

Besides the response file we also need an inventory location file. You probably have to adjust the group name to fit your environment.

echo "inventory_loc=$ORACLE_BASE/oraInventory" > $ETC_BASE/oraInst.loc
echo "inst_group=oinstall"                    >> $ETC_BASE/oraInst.loc

Software

To start the installation, you first have to get the required software packages. Oracle makes it easy: you can download the software from Oracle Technology Network (OTN), Oracle Software Delivery Cloud (OSDC) or My Oracle Support (MOS). All download options work, but I prefer to download directly from MOS since this allows using curl with a simple download URL. The downside is that this requires a valid MOS account.

Create a netrc file for curl with your MOS credentials. Since it stores your MOS password in clear text, restrict its permissions to the owner (chmod 600) and remove it once the downloads are done.

MOS_USER="<your MOS USER>"
MOS_PASSWORD="<your MOS PASSWORD>"
echo "machine login.oracle.com login $MOS_USER password $MOS_PASSWORD" >$SOFTWARE/.netrc

OK, let’s download the software.

Java 1.8 update 144, Patch ID 26512979:

curl --netrc-file $SOFTWARE/.netrc \
  --cookie-jar $SOFTWARE/cookie-jar.txt \
  --location-trusted "https://updates.oracle.com/Orion/Services/download/p26512979_180144_Linux-x86-64.zip?aru=21443434&patch_file=p26512979_180144_Linux-x86-64.zip" \
  --output $SOFTWARE/java/p26512979_180144_Linux-x86-64.zip

Oracle Unified Directory 12.2.1.3.0, Patch ID 26270957:

curl --netrc-file $SOFTWARE/.netrc \
  --cookie-jar $SOFTWARE/cookie-jar.txt \
  --location-trusted "https://updates.oracle.com/Orion/Services/download/p26270957_122130_Generic.zip?aru=21504981&patch_file=p26270957_122130_Generic.zip" \
  --output $SOFTWARE/fmw/p26270957_122130_Generic.zip

FMW Infrastructure 12.2.1.3.0, Patch ID 26269885:

curl --netrc-file $SOFTWARE/.netrc \
  --cookie-jar $SOFTWARE/cookie-jar.txt \
  --location-trusted "https://updates.oracle.com/Orion/Services/download/p26269885_122130_Generic.zip?aru=21502041&patch_file=p26269885_122130_Generic.zip" \
  --output $SOFTWARE/fmw/p26269885_122130_Generic.zip

As soon as the software has been downloaded, we will unpack the OUD and FMW packages. In the example below it’s done directly by using the jar utility.

cd $SOFTWARE/fmw
$JAVA_HOME/bin/jar -xvf $SOFTWARE/fmw/p26270957_122130_Generic.zip
$JAVA_HOME/bin/jar -xvf $SOFTWARE/fmw/p26269885_122130_Generic.zip

Java

Although Java is probably already installed on your system, it’s recommended to install a dedicated JVM for OUD. This way we keep the Java installation for OUD independent from the OS default Java. The installation is just an untar into the right directory. I do this with one combined command of unzip and tar (the pattern is quoted so the shell does not expand it).

unzip -p $SOFTWARE/java/p26512979_180144_Linux-x86-64.zip \
  '*tar*' | tar zxv -C $ORACLE_BASE/product

Install Standalone OUD

Start the silent installation with the extracted JAR file and the previously created response file. Setting INSTALL_TYPE to Standalone Oracle Unified Directory Server (Managed independently of WebLogic server) initiates a standalone installation into the defined ORACLE_HOME.

$JAVA_HOME/bin/java -jar $SOFTWARE/fmw/fmw_12.2.1.3.0_oud.jar -silent \
  -responseFile $ETC_BASE/install.rsp \
  -invPtrLoc $ETC_BASE/oraInst.loc \
  -ignoreSysPrereqs -force \
  -novalidation ORACLE_HOME=$OUD_HOME \
  INSTALL_TYPE="Standalone Oracle Unified Directory Server (Managed independently of WebLogic server)"

That’s it. After a couple of minutes the OUD binaries are installed and ready to deploy an Oracle Directory or Proxy server.

Install Collocated OUD

To do a collocated OUD installation, we first have to install FMW infrastructure before installing OUD. The installation is done again in silent mode by specifying the ORACLE_HOME and the INSTALL_TYPE. Execution of this JAR will take longer since it is around 1.5GB.

$JAVA_HOME/bin/java -jar $SOFTWARE/fmw/fmw_12.2.1.3.0_infrastructure.jar \
  -silent \
  -responseFile $ETC_BASE/install.rsp \
  -invPtrLoc $ETC_BASE/oraInst.loc \
  -ignoreSysPrereqs -force \
  -novalidation ORACLE_HOME=$FMW_HOME \
  INSTALL_TYPE="WebLogic Server"

As soon as the FMW installation has finished successfully, we initiate the OUD installation. For ORACLE_HOME we have to choose the same directory as used for the FMW infrastructure. The INSTALL_TYPE is set to collocated mode.

$JAVA_HOME/bin/java -jar $SOFTWARE/fmw/fmw_12.2.1.3.0_oud.jar -silent \
  -responseFile $ETC_BASE/install.rsp \
  -invPtrLoc $ETC_BASE/oraInst.loc \
  -ignoreSysPrereqs -force \
  -novalidation ORACLE_HOME=$FMW_HOME \
  INSTALL_TYPE="Collocated Oracle Unified Directory Server (Managed through WebLogic server)"

In this newly created Oracle home directory we now have a collocated Oracle Unified Directory Server. These binaries can be used to deploy OUD and OUDSM in separate domains, in a single domain or just to deploy an OUDSM server.

Next Steps

For now we just have the OUD binaries. The next step is to deploy an OUD directory or proxy server using either the oud-setup or the oud-proxy-setup tool. Both tools can be used in command line mode, GUI mode or silently by specifying the corresponding parameters. The statement below is an example to create an OUD directory server instance oud_demo for the base DN dc=postgasse,dc=org with 20 sample records.

$OUD_HOME/oud/oud-setup \
--cli \
--instancePath $OUD_INSTANCE_BASE/oud_demo/OUD \
--adminConnectorPort 4444 \
--rootUserDN cn=Directory\ Manager \
--rootUserPasswordFile $ETC_BASE/oud_demo_pwd.txt \
--ldapPort 1389 \
--baseDN dc=postgasse,dc=org \
--sampleData 20 \
--serverTuning jvm-default \
--offlineToolsTuning jvm-default \
--no-prompt \
--noPropertiesFile

Files and References

Below you find a few references related to Oracle Unified Directory:

  • Oracle JDK 8 Update 144 for ARM 32Bit VFP HardFP MOS Patch 26512975
  • Oracle Unified Directory FMW 12.2.1.3.0 MOS Patch 26270957
  • Oracle Unified Directory 12.2.1.3.0 on Oracle Technology Network
  • Oracle Software Delivery Cloud OSDC
  • Environment Scripts for OUD on www.oradba.ch
  • Github repository for the OUD environment scripts oudbase
  • OUD base environment installation script. It’s a bash script including a TAR.  oudbase_install.sh
  • OUD base environment as TAR archive without installation script.  oudbase_install.tgz
  • Oracle Unified Directory 12c PS3 Released [2300623.1]
  • OUD 12c – How to Download and Install OUD 12c in Standalone Mode (with No Domain Configuration) [2298379.1]
  • OUD 12c: How to Install OUD 12c and OUDSM 12c in Collocated Mode (Under Same Domain) or Non-Collocated Mode (Under Separate Domains) [2303721.1]
  • OUD 12c: Understanding the Oracle Unified Directory 12c Installation Directories MW_HOME, PRODUCT_HOME, OUD ORACLE_HOME, DOMAIN_HOME WLS_HOME ORACLE_COMMON Home [2302813.1]
  • All Java SE Downloads on MOS [1439822.1]
  • Information Center: Using Oracle Unified Directory (OUD) [1419823.2]

Oracle Unified Directory to go on Raspberry Pi Zero

Recently I ran out of movies on one of my longer train rides. Coincidentally, I had my Raspberry Pi Zero with me and thought, “There’s Java running on it, right?”. Doesn’t Oracle Unified Directory also require a JVM? OK, I guess Raspberry Pi or ARM wasn’t in focus when Oracle defined the certified platforms of Unified Directory. But hey, I don’t want to set up a production environment, I just need a small project for a long train ride…

The aim is to set up a Raspberry Pi in OTG mode, install Java and Oracle Unified Directory and configure a small directory server, available whenever you need an OUD instance :-). First of all, yes, it works. But before we begin, a few things we need:

  • Raspberry Pi Zero: I use a Zero 1.3 without WiFi.
  • USB OTG host cable: a dedicated cable supporting USB On-The-Go (OTG). Regular USB cables usually do not support OTG. See Wikipedia On-The-Go (OTG).
  • Raspbian image: I recommend the latest Raspbian Stretch Lite. See Raspbian.
  • Oracle JDK 8 for ARM: I use Oracle JDK 8 Update 144 for ARM 32Bit VFP HardFP, MOS Patch 26512975. Other Java versions are available via MOS Note 1439822.1.
  • Oracle Unified Directory 12.2.1.3: available through Oracle Technology Network, Oracle Software Delivery Cloud or as My Oracle Support patch 26270957. See also the OUD 12.2.1.3 documentation or MOS Note 2300623.1.
  • Temporary system to install OUD: although Unified Directory does work on ARM, the OUI installer does not. Because of this, OUD first has to be “installed” on a supported system. More on that later.
  • Environment scripts for OUD: optional, but quite handy when working with OUD environments. See blog post Environment Scripts for OUD.

In the following chapters I’ll now go through the different steps to setup the OUD “on the go” device. I work primarily on MacOS. Therefore, the individual steps are related to this operating system, but can be easily adapted to other operating systems. Depending on your individual environment, you may skip one or the other step. Shall we get started?

Setup Raspberry Pi

Install Raspbian OS

After downloading the latest release of Raspbian Stretch Lite, we have to create the SD card to set up the OS on the Raspberry Pi. I usually prefer to do this via the command line. Other methods are described on www.raspberrypi.org.

Plug in the SD card and identify the disk via diskutil list. My SD card is identified as disk2. Your output may look different.

soe@gaia:~/ [ic12102] diskutil list
...

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *32.0 GB    disk2
   1:               Windows_NTFS SD Card                 32.0 GB    disk2s1

Unmount the disk

soe@gaia:~/ [ic12102] diskutil unmountDisk /dev/disk2
Unmount of all volumes on disk2 was successful

Copy the Raspbian image to the SD card.

soe@gaia:~/ sudo dd bs=1m \
if=/Data/ISO-Images/2017-09-07-raspbian-stretch-lite.img \
of=/dev/rdisk2 conv=sync

1768+1 records in
1769+0 records out
1854930944 bytes transferred in 73.667297 secs (25179843 bytes/sec)

soe@gaia:~/ [ic12102] diskutil list
...

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *32.0 GB    disk2
   1:             Windows_FAT_32 boot                    43.8 MB    disk2s1
   2:                      Linux                         1.8 GB     disk2s2

That’s it, the OS basically has been setup. But before we plug the SD card into the Raspberry Pi we first have to configure the OTG mode.

Configure OTG Mode

Configuring the OTG mode is straightforward, since the latest Raspbian OS already provides everything needed (modules, kernel, etc.). You just have to adjust the boot configuration.

Update cmdline.txt and add the g_ether module: insert modules-load=dwc2,g_ether after rootwait and before quiet. If you use vi to edit cmdline.txt you’re fine. But if you use another editor, make sure you do not change the file suffix or add extra lines or line breaks to cmdline.txt. Everything must be on one line.
Change to the boot directory on the SD card, mounted as /Volumes/boot on my Mac.

soe@gaia:~/ [ic12102] cd /Volumes/boot

Update cmdline.txt

soe@gaia:/Volumes/boot/ [ic12102] vi cmdline.txt

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=PARTUUID=11eccc69-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait modules-load=dwc2,g_ether quiet init=/usr/lib/raspi-config/init_resize.sh

Update config.txt and add dtoverlay=dwc2 at the end of the file.

soe@gaia:/Volumes/boot/ [ic12102] vi config.txt

As the last task, make sure to create an empty file named ssh in the boot folder. This tells Raspbian to configure and start the ssh daemon at first system boot. Unmount the SD card and the basic OS setup is finished.

soe@gaia:/Volumes/boot/ [ic12102] touch ssh
soe@gaia:/Volumes/boot/ [ic12102] cd
soe@gaia:~/ [ic12102] diskutil unmountDisk /dev/disk2
Unmount of all volumes on disk2 was successful
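The cmdline.txt and config.txt edits above, as an added example (my own code, not from the post): it inserts the parameter right after rootwait, refuses a multi-line cmdline.txt, and is safe to run twice. The helper apply_to_boot and the sample cmdline are my assumptions; the sample is constructed from the line shown in the post.

```python
"""Apply the Raspberry Pi OTG boot edits described above.

Added example, not part of the original post. It performs the two edits in
memory so they can be checked before anything is written: insert
'modules-load=dwc2,g_ether' right after 'rootwait' in cmdline.txt while
refusing multi-line input (the kernel reads one line only), and append
'dtoverlay=dwc2' to config.txt. Both edits are idempotent. The helper
apply_to_boot(boot_dir) writes the files in a boot directory such as
/Volumes/boot; the sample cmdline is constructed from the one in the post.
"""
from pathlib import Path

OTG_MODULES = ("dwc2", "g_ether")
OTG_OVERLAY = "dtoverlay=dwc2"

# Constructed: the stock cmdline.txt from the post, before the edit.
SAMPLE_CMDLINE = (
    "dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 "
    "root=PARTUUID=11eccc69-02 rootfstype=ext4 elevator=deadline "
    "fsck.repair=yes rootwait quiet init=/usr/lib/raspi-config/init_resize.sh\n"
)


def enable_otg_cmdline(cmdline):
    """Return cmdline.txt content with modules-load=dwc2,g_ether in place."""
    lines = [l for l in cmdline.splitlines() if l.strip()]
    if len(lines) != 1:
        raise ValueError("cmdline.txt must contain exactly one non-empty line")
    params = lines[0].split()
    existing = [i for i, p in enumerate(params) if p.startswith("modules-load=")]
    if existing:
        # Merge into the existing parameter instead of adding a second one.
        idx = existing[0]
        mods = [m for m in params[idx][len("modules-load="):].split(",") if m]
        mods += [m for m in OTG_MODULES if m not in mods]
        params[idx] = "modules-load=" + ",".join(mods)
    else:
        if "rootwait" not in params:
            raise ValueError("no rootwait parameter to insert after")
        params.insert(params.index("rootwait") + 1,
                      "modules-load=" + ",".join(OTG_MODULES))
    # Keep the single-line form; a trailing newline only if the input had one.
    return " ".join(params) + ("\n" if cmdline.endswith("\n") else "")


def enable_otg_config(config):
    """Return config.txt content with dtoverlay=dwc2 appended exactly once."""
    for line in config.splitlines():
        # Ignore comments so a commented-out overlay does not count as present.
        if line.split("#", 1)[0].strip() == OTG_OVERLAY:
            return config
    if config and not config.endswith("\n"):
        config += "\n"
    return config + OTG_OVERLAY + "\n"


def apply_to_boot(boot_dir):
    """Edit cmdline.txt and config.txt under boot_dir and create the ssh file."""
    boot = Path(boot_dir)
    cmdline = boot / "cmdline.txt"
    cmdline.write_text(enable_otg_cmdline(cmdline.read_text()))
    config = boot / "config.txt"
    config.write_text(enable_otg_config(config.read_text()))
    (boot / "ssh").touch()  # enables sshd on first boot, as in the post


if __name__ == "__main__":
    print(enable_otg_cmdline(SAMPLE_CMDLINE), end="")
    print(enable_otg_config("dtparam=audio=on\n"), end="")
```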

Now put the SD card back in your Raspberry Pi Zero and plug in the USB cable. The first system boot will take slightly longer, since the filesystem is getting extended to the maximum size of the SD card. To be on the safe side, wait up to 5 minutes and then try to login via ssh.

soe@gaia:~/ [ic12102] ssh pi@raspberrypi.local

The Raspberry Pi Zero is now ready as headless server in OTG mode.

Setup Environment

General Configuration

This step is not really mandatory, nevertheless I prefer to adjust a few configuration settings on my Pi. First of all, upgrade the OS to the latest release using apt-get.

pi@raspberrypi:~ $ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

By default the Raspberry Pi hostname is set to raspberrypi. If you have several Raspberry Pis, it makes sense to assign names. In my case I set the hostname to oud2go by changing /etc/hostname and /etc/hosts. In both files you have to replace raspberrypi with the new name.

pi@raspberrypi:~ $ sudo vi /etc/hostname
pi@raspberrypi:~ $ sudo vi /etc/hosts
pi@raspberrypi:~ $ sudo reboot

sudo: unable to resolve host raspberrypi: Connection timed out
Connection to raspberrypi.local closed by remote host.
Connection to raspberrypi.local closed.

As soon the Pi is back it’s now available by its new name.

soe@gaia:~/ [ic12102] ssh pi@oud2go.local
The authenticity of host 'oud2go.local (fe80::6554:bfdd:7283:3fa9%bridge100)' can't be established.
ECDSA key fingerprint is SHA256:E7WxvWlYDOi0RLNJxEu7rrmA9PH+GlwEJsz0OdHSgCY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'oud2go.local,fe80::6554:bfdd:7283:3fa9%bridge100' (ECDSA) to the list of known hosts.
pi@oud2go.local's password:
Linux oud2go 4.9.41+ #1023 Tue Aug 8 15:47:12 BST 2017 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Sep 7 16:22:54 2017 from fe80::acde:48ff:fe00:3364%usb0

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@oud2go.local:~ $

It is a good moment to adjust the time zone from UTC to one appropriate for your Raspberry Pi. This can be done either using raspi-config or dpkg-reconfigure.

root@oud2go:~# dpkg-reconfigure tzdata

Current default time zone: 'Europe/Zurich'
Local time is now: Mon Oct 30 19:55:21 CET 2017.
Universal Time is now: Mon Oct 30 18:55:21 UTC 2017.

Changing the localtime symlink also does the job.

root@oud2go:~# ln -s -f /usr/share/zoneinfo/Europe/Zurich /etc/localtime

Oracle User

In the Oracle context it is common practice to create a dedicated user and group. To keep it simple and clear I name it oracle. I set up the environment as described in my post about the OUD Base environment.

root@oud2go:~# groupadd --gid 1010 oinstall
root@oud2go:~# useradd --create-home --gid oinstall --shell /bin/bash \
--groups oinstall oracle

To install the OUD software, instance and scripts I do use a limited OFA directory structure. See also my Blog Post on OUD Base.

root@oud2go:~# mkdir -p /u00 /u01
root@oud2go:~# mkdir -p /u00/app/oracle
root@oud2go:~# mkdir -p /u00/app/oracle/etc /u00/app/oracle/local
root@oud2go:~# mkdir -p /u00/app/oracle/product /u00/app/oracle/software

root@oud2go:~# chmod a+xr /u00 /u01
root@oud2go:~# chown oracle:oinstall -R /u00 /u01

The newly created user should be allowed to use sudo, similar to the pi user. For this a new sudoers file has to be created.

root@oud2go:~# echo "oracle ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/020_oracle-nopasswd
root@oud2go:~# chmod 440 /etc/sudoers.d/020_oracle-nopasswd

As the last custom configuration I usually distribute the ssh keys to allow login without password authentication. You only have to include your public key in the file authorized_keys. Let’s create the required .ssh user directory for root, pi and the user oracle.

root@oud2go:~# mkdir .ssh
root@oud2go:~# vi .ssh/authorized_keys
root@oud2go:~# chmod 600 .ssh/authorized_keys
root@oud2go:~# chmod 700 .ssh/
root@oud2go:~# cp -r .ssh /home/oracle
root@oud2go:~# cp -r .ssh /home/pi
root@oud2go:~# chown -R pi:pi /home/pi/.ssh
root@oud2go:~# chown -R oracle:oinstall /home/oracle/.ssh

One more thing. Until now all users still have their default passwords. It’s more than appropriate to change the passwords for the users root, pi and oracle.

root@oud2go:~# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@oud2go:~# passwd pi
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@oud2go:~# passwd oracle
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Install OUD Base

Install the OUD Base environment scripts according to blog post OUD Base. First we have to get the install scripts using curl.

oracle@oud2go:~ $ cd /u00/app/oracle
oracle@oud2go:/u00/app/oracle $ curl --cookie-jar /tmp/cookie-jar.txt \
--location-trusted "https://github.com/oehrlis/oudbase/raw/master/build/oudbase_install.sh" \
-o oudbase_install.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 147 100 147 0 0 141 0 0:00:01 0:00:01 --:--:-- 141
100 25556 100 25556 0 0 16704 0 0:00:01 0:00:01 --:--:-- 60273
oracle@oud2go:/u00/app/oracle $ chmod 755 oudbase_install.sh

The installation is straightforward. Just run oudbase_install.sh and specify the ORACLE_BASE directory. More options are available via oudbase_install.sh -h.

oracle@oud2go:/u00/app/oracle/ [oud_pi] ./oudbase_install.sh -v -b /u00/app/oracle
2017-11-13_21:13:23 START: Start of oudbase_install.sh (Version 0.1) with -v -b /u00/app/oracle
2017-11-13_21:13:23 INFO : processing commandline parameter
2017-11-13_21:13:23 Using the following variable for installation
2017-11-13_21:13:23 ORACLE_BASE = /u00/app/oracle
2017-11-13_21:13:23 OUD_BASE = /u00/app/oracle
2017-11-13_21:13:23 OUD_DATA = /u00/app/oracle
2017-11-13_21:13:23 ORACLE_INSTANCE_BASE = /u00/app/oracle/instances
2017-11-13_21:13:23 ORACLE_HOME_BASE = /u00/app/oracle/middleware
2017-11-13_21:13:23 OUD_BACKUP_BASE = /u00/app/oracle/backup
2017-11-13_21:13:23 SCRIPT_FQN = /u00/app/oracle/oudbase_install.sh
2017-11-13_21:13:23 Installing OUD Environment
2017-11-13_21:13:23 Create required directories in ORACLE_BASE=/u00/app/oracle
2017-11-13_21:13:23 Create Directory /u00/app/oracle/local/log
2017-11-13_21:13:23 Create Directory /u00/app/oracle/local/etc
2017-11-13_21:13:23 Create Directory /u00/app/oracle/local
2017-11-13_21:13:23 Create Directory /u00/app/oracle/backup
2017-11-13_21:13:23 Create Directory /u00/app/oracle/instances
2017-11-13_21:13:23 Extracting file into /u00/app/oracle/local
bin/
bin/oud_backup.sh
bin/oud_export.sh
bin/oud_status.sh
bin/oudenv.sh
config/
certificates/
doc/
doc/README.md
etc/
etc/oud._DEFAULT_.conf
etc/oudenv.conf
etc/oudtab
lib/
log/
templates/
templates/.bash_profile
templates/cron.d/
templates/etc/
templates/ldif/
templates/logrotate.d/
templates/logrotate.d/oud
templates/ldif/oud_pi_init.ldif
templates/etc/install.rsp
templates/etc/oraInst.loc
templates/etc/oud_instance.service
templates/etc/wls_oudsm.service
templates/cron.d/oud
2017-11-13_21:13:23 Store customization for OUD_DATA (/u00/app/oracle)
2017-11-13_21:13:23 Store customization for OUD_BASE (/u00/app/oracle)
2017-11-13_21:13:23 Store customization for ORACLE_BASE (/u00/app/oracle)
2017-11-13_21:13:23 Please manual adjust your .bash_profile to load / source
2017-11-13_21:13:23 your OUD Environment
2017-11-13_21:13:23 END : of oudbase_install.sh

To start using OUD Base you have to update your .profile file with the following lines.

# Check OUD_BASE and load if necessary
if [ "${OUD_BASE}" = "" ]
then
if [ -f "${HOME}/.OUD_BASE" ]
then
. "${HOME}/.OUD_BASE"
else
echo "ERROR: Could not load ${HOME}/.OUD_BASE"
fi
fi

# define an oudenv alias
alias oud=". $(find $OUD_BASE -name oudenv.sh)"

# source oud environment
. $(find $OUD_BASE -name oudenv.sh)

Install Oracle Software

Install Java

For some time now, Oracle has also provided Java for the Raspberry Pi, that is for ARM. See Oracle Java on Raspberry Pi. For OUD it is recommended to use Oracle Java 8 rather than OpenJDK. You can download the Oracle JDK either from Java SE Development Kit 8 Downloads or via My Oracle Support. I prefer the download via My Oracle Support, since this method allows the use of wget or curl.

Create a .netrc file for curl.

oracle@oud2go:~/ [oud_pi] cd /u00/app/oracle/software
oracle@oud2go:/u00/app/oracle/software/ [oud_pi]
oracle@oud2go:/u00/app/oracle/software/ [oud_pi] echo "machine login.oracle.com login password " >.netrc

Download JDK from My Oracle Support:

oracle@oud2go:/u00/app/oracle/software/ [oud_pi] export JAVA_URL="https://updates.oracle.com/Orion/Services/download/p26512975_180144_Linux_VFP.zip?aru=21442384&patch_file=p26512975_180144_Linux_VFP.zip"
oracle@oud2go:/u00/app/oracle/software/ [oud_pi] export JAVA_PKG="p26512975_180144_Linux_VFP.zip"
oracle@oud2go:/u00/app/oracle/software/ [oud_pi] curl --netrc-file .netrc --cookie-jar cookie-jar.txt --location-trusted $JAVA_URL -o $JAVA_PKG
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
100 1959 0 1959 0 0 820 0 --:--:-- 0:00:02 --:--:-- 1839
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
100 77.6M 100 77.6M 0 0 3262k 0 0:00:24 0:00:24 --:--:-- 3578k

Install the JDK as root. Note that sudo su - starts a fresh environment, so JAVA_PKG has to be set again and the target directory /usr/java has to exist:

oracle@oud2go:/u00/app/oracle/software/ [oud_pi] sudo su -
root@oud2go:~# export JAVA_PKG="p26512975_180144_Linux_VFP.zip"
root@oud2go:~# mkdir -p /usr/java
root@oud2go:~# unzip -p /u00/app/oracle/software/$JAVA_PKG *tar* |tar zvx -C /usr/java

# set the JAVA alternatives directories and links
root@oud2go:~# export JAVA_DIR=$(ls -1 -d /usr/java/*)
root@oud2go:~# ln -s $JAVA_DIR /usr/java/latest
root@oud2go:~# ln -s $JAVA_DIR /usr/java/default

root@oud2go:~# update-alternatives --install /usr/bin/java java $JAVA_DIR/bin/java 20000
update-alternatives: using /usr/java/jdk1.8.0_144/bin/java to provide /usr/bin/java (java) in auto mode

root@oud2go:~# update-alternatives --install /usr/bin/javac javac $JAVA_DIR/bin/javac 20000
update-alternatives: using /usr/java/jdk1.8.0_144/bin/javac to provide /usr/bin/javac (javac) in auto mode

root@oud2go:~# update-alternatives --install /usr/bin/jar jar $JAVA_DIR/bin/jar 20000
update-alternatives: using /usr/java/jdk1.8.0_144/bin/jar to provide /usr/bin/jar (jar) in auto mode

root@oud2go:~# which java
/usr/bin/java

root@oud2go:~# java -version
java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
Java HotSpot(TM) Client VM (build 25.144-b01, mixed mode)

Install OUD

In principle, one should be able to install OUD directly on the Raspberry Pi. OUD is unpacked and installed directly with Java. But the Oracle Universal Installer, or at least a small part of the installation, does not work on the ARM platform. Due to this you have to install OUD on another OS and move the installation directory onto your Raspberry Pi. In my case I use my MacBook Pro to temporarily install OUD. Alternatively you may also copy the OUD installation from my OUD Docker image. But that's another story. I'll post on this topic in a couple of days.

Prepare the download directory, the variables and the .netrc file.

soe@gaia:~/ [ic12102] export DOWNLOAD=/tmp/download
soe@gaia:~/ [ic12102] mkdir -p $DOWNLOAD
soe@gaia:~/ [ic12102] chmod 777 $DOWNLOAD

soe@gaia:~/ [ic12102] export FMW_OUD_URL="https://updates.oracle.com/Orion/Services/download/p26270957_122130_Generic.zip?aru=21504981&patch_file=p26270957_122130_Generic.zip"
soe@gaia:~/ [ic12102] export FMW_OUD_PKG="p26270957_122130_Generic.zip"
soe@gaia:~/ [ic12102] export FMW_OUD_JAR=fmw_12.2.1.3.0_oud.jar

soe@gaia:~/ [ic12102] echo "machine login.oracle.com login password " >/tmp/download/.netrc

soe@gaia:~/ [ic12102] curl --netrc-file /tmp/download/.netrc --cookie-jar \
 /tmp/download/cookie-jar.txt  --location-trusted $FMW_OUD_URL \
 -o $DOWNLOAD/$FMW_OUD_PKG

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
100 1927 0 1927 0 0 963 0 --:--:-- 0:00:02 --:--:-- 1715
0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0
100 404M 100 404M 0 0 1847k 0 0:03:44 0:03:44 --:--:-- 1689k

Create a bunch of local directories in ORACLE_BASE.

soe@gaia:~/ [ic12102] export ORACLE_BASE=/u00/app/oracle
soe@gaia:~/ [ic12102] mkdir -p $ORACLE_BASE/etc $ORACLE_BASE/product

To install OUD in silent mode, we need a response file. For OUD this is a simple and straightforward text file.

soe@gaia:~/ [ic12102] echo "[ENGINE]" > $ORACLE_BASE/etc/install.rsp
soe@gaia:~/ [ic12102] echo "Response File Version=1.0.0.0.0" >> $ORACLE_BASE/etc/install.rsp
soe@gaia:~/ [ic12102] echo "[GENERIC]" >> $ORACLE_BASE/etc/install.rsp
soe@gaia:~/ [ic12102] echo "DECLINE_SECURITY_UPDATES=true" >> $ORACLE_BASE/etc/install.rsp
soe@gaia:~/ [ic12102] echo "SECURITY_UPDATES_VIA_MYORACLESUPPORT=false" >> $ORACLE_BASE/etc/install.rsp

The installer also requires an oraInventory location file:

soe@gaia:~/ [ic12102] echo "inventory_loc=$ORACLE_BASE/oraInventory" > $ORACLE_BASE/etc/oraInst.loc
soe@gaia:~/ [ic12102] echo "inst_group=oinstall" >> $ORACLE_BASE/etc/oraInst.loc

The JAR and the response file will then be used to install OUD in silent mode.

soe@gaia:/tmp/download/ [ic12102] java -jar $DOWNLOAD/$FMW_OUD_JAR -silent \
 -responseFile $ORACLE_BASE/etc/install.rsp \
 -invPtrLoc $ORACLE_BASE/etc/oraInst.loc \
 -ignoreSysPrereqs -force \
 -novalidation ORACLE_HOME=$ORACLE_BASE/product/fmw12.2.1.3.0 \
 INSTALL_TYPE="Standalone Oracle Unified Directory Server (Managed independently of WebLogic server)"

Launcher log file is /private/var/folders/80/xtg0v0r16sl6z5sjmxhkvr540000gn/T/OraInstall2017-10-30_08-47-41PM/launcher2017-10-30_08-47-41PM.log.
Extracting the installer . . . . . Done
Checking if CPU speed is above 300 MHz. Actual 2969.6 MHz Passed
Checking swap space: must be greater than 512 MB. Actual 257166 MB Passed
Checking if this platform requires a 64-bit JVM. Actual 64 Passed
Checking temp space: must be greater than 300 MB. Actual 257166 MB Passed
Preparing to launch the Oracle Universal Installer from /private/var/folders/80/xtg0v0r16sl6z5sjmxhkvr540000gn/T/OraInstall2017-10-30_08-47-41PM
Log: /private/var/folders/80/xtg0v0r16sl6z5sjmxhkvr540000gn/T/OraInstall2017-10-30_08-47-41PM/install2017-10-30_08-47-41PM.log
Setting ORACLE_HOME to /u00/app/oracle/product/fmw12.2.1.3.0
Setting INSTALL_TYPE to Standalone Oracle Unified Directory Server (Managed independently of WebLogic server)
Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved.
Reading response file..
Skipping Software Updates
Validations are disabled for this session.
Verifying data
Copying Files
Percent Complete : 10
Percent Complete : 20
Percent Complete : 30
Percent Complete : 40
Percent Complete : 50
Percent Complete : 60
Percent Complete : 70
Percent Complete : 80
Percent Complete : 90
Percent Complete : 100

The installation of Oracle Unified Directory 12.2.1.3.0 completed successfully.
Logs successfully copied to /u00/app/oracle/oraInventory/logs.

Copy the OUD binaries to your Raspberry Pi.

soe@gaia:~/ [ic12102] scp -r /u00/app/oracle/product/fmw12.2.1.3.0 oracle@oud2go.local:/u00/app/oracle/product

Clean up the temporary installation on the MacBook Pro:

soe@gaia:~/ [ic12102] rm -rf $ORACLE_BASE/etc/install.rsp
soe@gaia:~/ [ic12102] rm -rf $ORACLE_BASE/etc/oraInst.loc
soe@gaia:~/ [ic12102] rm -rf $ORACLE_BASE/oraInventory
soe@gaia:~/ [ic12102] rm -rf $ORACLE_BASE/product/fmw12.2.1.3.0
soe@gaia:~/ [ic12102] rm -rf /tmp/download

That's it. You now have the OUD software on your Pi. Now let's create an OUD instance.

Setup OUD Directory Server

Depending on your needs, you may create an OUD directory server or an OUD proxy server. The setup script can either be executed interactively via GUI or command line, or in one command. On my Raspberry Pi I set up a directory server with just one command.

Create a password file oud_pi_pwd.txt for the OUD instance.

oracle@oud2go:/u00/app/oracle/ [oud_pi] echo "manager" >/u00/app/oracle/local/etc/oud_pi_pwd.txt

Create the OUD directory server for Base DN dc=postgasse,dc=org with a bunch of dummy entries using oud-setup.

oracle@oud2go:/u00/app/oracle/ [oud_pi] $ORACLE_HOME/oud/oud-setup \
--cli \
--instancePath /u00/app/oracle/instances/oud_pi/OUD \
--adminConnectorPort 4444 \
--rootUserDN cn=Directory\ Manager \
--rootUserPasswordFile /u00/app/oracle/local/etc/oud_pi_pwd.txt \
--ldapPort 1389 \
--baseDN dc=postgasse,dc=org \
--sampleData 20 \
--serverTuning jvm-default \
--offlineToolsTuning jvm-default \
--no-prompt \
--noPropertiesFile

Oracle Unified Directory 12.2.1.3.0
Please wait while the setup program initializes...

Creating instance directory /u00/app/oracle/instances/oud_pi/OUD ..... Done.
See /u00/app/oracle/instances/oud_pi/OUD/logs/oud-setup for a detailed log of
this operation.

Configuring Directory Server ......... Done.
Importing Automatically-Generated Data (20 Entries) ....................................... Done.
Starting Directory Server ........................................ Done.

To see basic server configuration status and configuration you can launch
/u00/app/oracle/instances/oud_pi/OUD/bin/status

That's it, we now have an empty directory server with 20 sample records 🙂 Since the Raspberry Pi only has limited resources, I have just configured the LDAP port. For a simple test and engineering system LDAPS is not really required, especially because we do not set up any EUS integration.

Conclusion

It works… but the directory server is far away from a high performance setup. Nevertheless it's a nice and handy setup for simple engineering work and simple demos. Striving for a bit more performance? You may also set up OUD in a Docker container. I'll provide more information on this topic in a couple of days. If you can't wait, take a look at my Docker OUD repositories on GitHub now (docker-oud or docker-oudsm).

Files and References

Below you find a few references related to Raspberry Pi, USB OTG or Oracle Unified Directory:

Software related to this project:

  • Raspbian Stretch Lite latest
  • Oracle JDK 8 Update 144 for ARM 32Bit VFP HardFP MOS Patch 26512975
  • Oracle Unified Directory 12.2.1.3.0 on Oracle Technology Network
  • Oracle Software Delivery Cloud OSDC
  • Oracle Unified Directory FMW 12.2.1.3.0 MOS Patch 26270957
  • OUD base environment installation script. It's a bash script including a TAR: oudbase_install.sh
  • OUD base environment as TAR archive without installation script: oudbase_install.tgz

My Oracle Support Notes:

  • Oracle Unified Directory 12c PS3 Released [2300623.1]
  • All Java SE Downloads on MOS [1439822.1]
  • Information Center: Using Oracle Unified Directory (OUD) [1419823.2]

Oracle Unified Directory 12 Released

Finally, the end of the working day. But while reading some newsletters and mails on my way home, I realised that there would be some work at home. After a long wait, Oracle has finally released Oracle Unified Directory 12c 🙂

An overview of the new features:

  • Improved performance and scalability
  • Support for TNS aliases for Oracle Unified Directory deployments with Oracle Enterprise User Security (EUS) configured
  • Support for TLS 1.2 Protocols and Cipher Suites
  • Password-Based Key Derivation Function 2 Password Storage Schemes
  • ODSM Rebranding
  • Support for new log publishers that are configurable via OUDSM
  • Support for the Upgrade OUD Instance script
  • Support for WebLogic Scripting Tool provisioning commands
  • Support for Oracle Fusion Middleware configuration tools
  • Support for Oracle WebLogic Server 12.2.1.3
  • Support for Oracle JDK 1.8

See Fusion Middleware Release Notes What’s New in Oracle Identity Management 12c (12.2.1.3.0) for a full list of new features.

Links related to Oracle Unified Directory 12c:

Stay tuned, I’ll definitely write more blog posts on Oracle Unified Directory 12 soon.

Environment Scripts for OUD

At Trivadis we have the TVD-BasEnv™ to standardize and simplify the handling of environments for Oracle database and application server landscapes. This inspired me to create something similar for Oracle Unified Directory environments. Although current versions of TVD-BasEnv™ already support OUD and OID environments, I have had situations where I needed small and slimmed-down environment scripts for dedicated OUD test servers. TVD-BasEnv™ is rather complex and brings a lot of nice features for Oracle Database environments with ASM, RAC, Data Guard and more, which is in general not required on a simple OUD server.

My OUD Base is basically just the oudenv.sh script, some configuration files and a bunch of aliases. The directory structure for the OUD binaries, scripts and configuration files is similar to what we use in TVD-BasEnv™ and based on OFA. It is written in bash and tested on my Oracle Linux VMs and Raspberry Pis with Raspbian Jessie. It should also run on any other bash environment. Um, well, OUD and Raspberry Pi? Yes, I'll explain this soon in another blog post.

Setup the Environment

In general I use a dedicated OS user for my Oracle installations. To keep it simple and clear I name it oracle. The following commands are run on my Raspberry Pi and therefore as OS user pi. Please adjust them accordingly. Create the user and the corresponding OS groups as pi user with sudo.

pi@oud2go:~ $ sudo adduser oracle
Adding user oracle ...
Adding new group oracle (1001) ...
Adding new user oracle (1001) with group oracle ...
Creating home directory /home/oracle ...
Copying files from /etc/skel ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for oracle
Enter the new value, or press ENTER for the default
	Full Name []: oracle
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
pi@oud2go:~ $ sudo addgroup oinstall
Adding group oinstall (GID 1002) ...
Done.
pi@oud2go:~ $ sudo addgroup osdba
Adding group osdba (GID 1003) ...
Done.
pi@oud2go:~ $ sudo adduser oracle oinstall
Adding user oracle to group oinstall ...
Adding user oracle to group oinstall
Done.
pi@oud2go:~ $ sudo adduser oracle osdba
Adding user oracle to group osdba ...
Adding user oracle to group osdba
Done.

Create an ORACLE_BASE directory which is used for OUD and provide access to OS user oracle.

pi@pi2go:~ $ sudo mkdir -p /u00/app/oracle
pi@pi2go:~ $ sudo chown -R oracle:oinstall /u00/app/oracle

My OUD Base is available as a bash install script with an embedded TAR (oudbase_install.sh) or as a plain TAR file (oudbase_install.tgz). If you use the TAR file a few manual configuration steps are required.

Install using oudbase_install.sh

This installation is straightforward as you can see in the usage.

2016-10-15_11:41:58  START: Start of oudbase_install.sh (Version 0.1) with 
2016-10-15_11:41:58  INFO : Usage, oudbase_install.sh [-hv] [-b <oracle_base>] 
2016-10-15_11:41:58  INFO :   [-i <oracle_instance_base>] [-m <oracle_home_base>] [-B <oud_backup_base>]
2016-10-15_11:41:58  INFO : 
2016-10-15_11:41:58  INFO :   -h                          Usage (this message)
2016-10-15_11:41:58  INFO :   -v                          enable verbose mode
2016-10-15_11:41:58  INFO :   -b <oracle_base>            ORACLE_BASE Directory. Mandatory argument.
2016-10-15_11:41:58  INFO :   -i <oracle_instance_base>   Base directory for OUD instances (default $ORACLE_BASE/instances)
2016-10-15_11:41:58  INFO :   -m <oracle_home_base>       Base directory for OUD binaries (default $ORACLE_BASE/middleware)
2016-10-15_11:41:58  INFO :   -B <oud_backup_base>        Base directory for OUD backups (default $ORACLE_BASE/backup)
2016-10-15_11:41:58  INFO : 
2016-10-15_11:41:58  INFO : Logfile : /u00/app/oracle/local/log/oudbase_install.log
2016-10-15_11:41:58  ERR  : Exit Code 1. Wrong amount of arguments. See usage for correct one.

We will just provide the ORACLE_BASE and use the default values for all other settings.

oracle@pi2go:~ $ ./oudbase_install.sh -v -b /u00/app/oracle
2016-10-15_11:44:03  START: Start of oudbase_install.sh (Version 0.1) with -v -b /u00/app/oracle
2016-10-15_11:44:03  INFO : processing commandline parameter
2016-10-15_11:44:03  Installing OUD Environment
2016-10-15_11:44:03  Create required directories in ORACLE_BASE=/u00/app/oracle
2016-10-15_11:44:03  Create Directory /u00/app/oracle/etc
2016-10-15_11:44:03  Create Directory /u00/app/oracle/local
2016-10-15_11:44:03  Create Directory /u00/app/oracle/backup
2016-10-15_11:44:03  Create Directory /u00/app/oracle/middleware
2016-10-15_11:44:03  Create Directory /u00/app/oracle/instances
2016-10-15_11:44:03  Extracting file into /u00/app/oracle/local
bin/
bin/oud_export.sh
bin/oud_backup.sh
bin/oudenv.sh
bin/oudbase_install.sh
bin/oud_status.sh
config/
certificates/
doc/
etc/
etc/oudtab
etc/oudenv.conf
etc/oud._DEFAULT_.conf
lib/
log/
log/oud_status.log
log/oud_export.log
log/oud_backup.log
log/oudbase_install.log
templates/
templates/cron.d/
templates/cron.d/oud
templates/.bash_profile
templates/ldif/
templates/ldif/oud_pi_init.ldif
templates/logrotate.d/
templates/logrotate.d/oud
2016-10-15_11:44:03  Please manual adjust your .profile to load / source your OUD Environment
2016-10-15_11:44:03  END  : of oudbase_install.sh

You have to change your bash profile to make sure that the environment is loaded. Just add the following lines.

oracle@pi2go:~ $ vi .profile
# Check OUD_BASE and load if necessary
if [ "${OUD_BASE}" = "" ]
  then
    if [ -f "${HOME}/.OUD_BASE" ]
      then
        . "${HOME}/.OUD_BASE"
      else
        echo "ERROR: Could not load ${HOME}/.OUD_BASE"
    fi
fi

# define an oudenv alias
alias oud='. ${OUD_BASE}/bin/oudenv.sh'

# source oud environment
. ${OUD_BASE}/bin/oudenv.sh

At the next logon the OUD Base environment is available.

Manual installation using oudbase_install.tgz

OK, it is not really more complex: just untar the file into a directory, normally $ORACLE_BASE/local. Other directories probably have to be specified in the config file.

oracle@pi2go:~ $ cd /u00/app/oracle/
oracle@pi2go:~ $ mkdir local
oracle@pi2go:~ $ cd local
oracle@pi2go:~ $ tar zxvf oudbase_install.tgz

You also have to change your bash profile as mentioned above.

Examples

A few examples of how to use OUD Base to simplify OUD management.

Change the environment to the OUD instance oud_pi.

oracle@pi2go:~/ [oud_pi] oud_pi
Source environment for OUD Instance oud_pi
--------------------------------------------------------------
 Instance Name   : oud_pi
 Instance Home   : /u00/app/oracle/instances/oud_pi
 Oracle Home     : /u00/app/oracle/middleware/oud_11.1.2.3
 Instance Status : up
 LDAP Port       : 1389
 LDAPS Port      : 1636
 Admin Port      : 4444
 Replication Port: 8989
--------------------------------------------------------------

List the available / running OUD instances using oudup or via the alias u.

oracle@pi2go:~/ [oud_pi] oudup
TYPE INSTANCE   STATUS PORT HOME
---- ---------- ------ ---- ----------------------------------
OUD  oud_pi     up     4444 /u00/app/oracle/instances/oud_pi

Configuration and Architecture

Config Files

OUD Base has the following configuration files.

File                 Description
.OUD_BASE            Simple file in the user's home directory. It contains the pointer to the OUD Base directory and is used to initialise $OUD_BASE.
oudtab               Simple file which lists all OUD instances and their ports, e.g. default LDAP port, admin port, SSL port and replication port.
oudenv.conf          Main configuration file for environment variables and aliases. It is loaded whenever an environment is set or changed. Location: $ETC_BASE.
oud._DEFAULT_.conf   Configuration file for custom environment variables. Location: $ETC_BASE.
oud._INSTANCE_.conf  Configuration file for custom environment variables of a dedicated OUD instance, e.g. oud._oud_pi_.conf for the instance oud_pi. Location: $ETC_BASE.

Directories and its variables

The following directories, environment variables and aliases are defined and used in OUD Base. Most of them are inspired by OFA (Oracle Flexible Architecture) and TVD-BasEnv™.

ENV Variable               Alias         Path                                                        Description
$ORACLE_BASE, $cdob        cdob          /u00/app/oracle                                             Base directory for the Oracle binaries
$OUD_BASE, $cdl            cdl           $ORACLE_BASE/local                                          OUD Base directory with the scripts, config etc.
                           cdl.bin       $ORACLE_BASE/bin                                            Scripts directory in OUD_BASE
$ETC_BASE, $etc            etc, cdl.etc  $ORACLE_BASE/etc                                            OUD Base configuration directory
$LOG_BASE, $log            log, cdl.log  $ORACLE_BASE/log                                            OUD Base log directory
                                         $ORACLE_BASE/doc                                            OUD Base documentation directory
                                         $ORACLE_BASE/config                                         Local directory for configuration files, LDIF etc. to build an OUD instance
                                         $ORACLE_BASE/certificates                                   Local directory for certificates
$ORACLE_HOME, $cdh         cdh           $ORACLE_BASE/middleware/oud_11.1.2.3                        Oracle Unified Directory binaries, e.g. 11.1.2.3
$JAVA_HOME                               /usr/lib/jvm/jre-1.7.0-oracle-1.7.0.101-1jpp.1.el7.x86_64  Java used for OUD
$OUD_INSTANCE_BASE, $cdib  cdib          $ORACLE_BASE/instances                                      Base directory for the instance homes
                           oud_pi                                                                    Alias to set the environment for OUD instance oud_pi
$OUD_INSTANCE_HOME, $cdih  cdih          $ORACLE_BASE/instances/oud_pi                               OUD instance home directory for instance oud_pi
$cdic                      cdic          $OUD_INSTANCE_HOME/OUD/config                               Config directory for OUD instance oud_pi
$cdil                      cdil          $OUD_INSTANCE_HOME/OUD/logs                                 Log directory for OUD instance oud_pi

Variables

Variables besides the ones mentioned above.

Variable        Description
$OUD_INSTANCE   Name of the current OUD instance
$OUD_INST_LIST  List of OUD instances taken from $OUDTAB
$PWD_FILE       Password file for the OUD instance, e.g. ${ETC_BASE}/${OUD_INSTANCE}_pwd.txt or ${ETC_BASE}/pwd.txt
$PORT           OUD instance port taken from the oudtab file
$PORT_ADMIN     OUD instance admin port taken from the oudtab file
$PORT_REP       OUD instance replication port taken from the oudtab file
$PORT_SSL       OUD instance SSL port taken from the oudtab file
$OUDTAB         oudtab config file, e.g. ${ETC_BASE}/oudtab

Aliases

Alias         Description
dsc           dsconfig including hostname, $PORT_ADMIN and $PWD_FILE
dsrs          dsreplication status
oud_pi        OUD Base generates an alias for each OUD instance based on its name. This allows you to easily switch the environment from one OUD instance to another.
oud INSTANCE  Use oud INSTANCE to change the environment to a particular OUD instance
taa           taa does a tail -f on the OUD instance access log
tae           tae does a tail -f on the OUD instance error log
tas           tas does a tail -f on the OUD instance server.out log
tarep         tarep does a tail -f on the OUD instance replication log
task          task runs manage-tasks with hostname, port etc. as parameters
u             u runs oudup to display the current OUD instances
vio           vio opens the oudtab file, e.g. ${ETC_BASE}/oudtab
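As an added example (my own shell code, not OUD Base's oudenv.sh): it parses a constructed oudtab, derives the $OUD_INST_LIST, $PORT*, $PWD_FILE variables and the per-instance aliases described in the tables above, builds the dsc command line, and checks that the password file is not readable by group or others. The oudtab field order and the oud_test ports are assumptions, not the real OUD Base layout.

```shell
#!/bin/bash
# Added example, not part of OUD Base: parse a constructed oudtab and derive the
# per-instance variables, password file and dsc command described above.
# ASSUMPTION: one colon-separated line per instance in the (made-up) order
#   instance:ldap_port:ldaps_port:admin_port:replication_port
# The real OUD Base oudtab layout may differ.

ETC_BASE="${ETC_BASE:-/tmp/oudbase_example/etc}"
OUDTAB="${OUDTAB:-${ETC_BASE}/oudtab}"
mkdir -p "$ETC_BASE"

# Constructed sample oudtab with two instances (the oud_test ports are made up)
cat >"$OUDTAB" <<'EOF'
# instance:ldap:ldaps:admin:replication
oud_pi:1389:1636:4444:8989
oud_test:2389:2636:5444:9989
EOF

# Constructed password files: only oud_pi gets an instance-specific one
printf 'manager\n' >"${ETC_BASE}/oud_pi_pwd.txt"
printf 'manager\n' >"${ETC_BASE}/pwd.txt"
chmod 600 "${ETC_BASE}/oud_pi_pwd.txt" "${ETC_BASE}/pwd.txt"

# $OUD_INST_LIST: instance names from oudtab, comments and blank lines skipped
oud_inst_list() {
  grep -Ev '^[[:space:]]*(#|$)' "$OUDTAB" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# $PWD_FILE: prefer ${ETC_BASE}/<instance>_pwd.txt, else fall back to ${ETC_BASE}/pwd.txt
oud_pwd_file() {
  if [ -f "${ETC_BASE}/${1}_pwd.txt" ]; then
    echo "${ETC_BASE}/${1}_pwd.txt"
  else
    echo "${ETC_BASE}/pwd.txt"
  fi
}

# Check worth running before trusting a password file: it must not be
# readable by group or others (all mode bits in 077 clear)
oud_pwd_file_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# oud INSTANCE: set $OUD_INSTANCE, $PORT, $PORT_SSL, $PORT_ADMIN, $PORT_REP and $PWD_FILE
oud_set_env() {
  local line
  line=$(grep -E "^$1:" "$OUDTAB" | head -n 1)
  if [ -z "$line" ]; then
    echo "ERROR: OUD instance $1 not found in ${OUDTAB}" >&2
    return 1
  fi
  IFS=: read -r OUD_INSTANCE PORT PORT_SSL PORT_ADMIN PORT_REP <<EOF
$line
EOF
  PWD_FILE=$(oud_pwd_file "$OUD_INSTANCE")
  export OUD_INSTANCE PORT PORT_SSL PORT_ADMIN PORT_REP PWD_FILE
  oud_pwd_file_is_private "$PWD_FILE" ||
    echo "WARNING: ${PWD_FILE} is readable by group or others" >&2
}

# dsc: the dsconfig command line built from hostname, $PORT_ADMIN and $PWD_FILE
oud_dsc_cmd() {
  echo "dsconfig -h $(hostname 2>/dev/null || echo localhost) -p ${PORT_ADMIN}" \
       "-D \"cn=Directory Manager\" -j ${PWD_FILE}"
}

# One alias per instance, as OUD Base generates them (oud_pi, oud_test, ...)
oud_gen_aliases() {
  local inst
  for inst in $(oud_inst_list); do
    echo "alias ${inst}='oud_set_env ${inst}'"
  done
}

# Demo: switch to oud_pi and show what the dsc alias would run
oud_set_env oud_pi && oud_dsc_cmd
```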

Conclusion

Although there is the possibility to use property files for OUD, I'm still happy that I have a bunch of aliases to set or change a few directories, e.g. to jump to the log directory, view config files etc. Feel free to use the OUD Base as it is on your OUD environments at your own risk. It simplifies a few settings, in particular if you have multiple OUD instances on one system. You may change and modify the scripts as you like. I cannot guarantee that the scripts do not have any errors or bugs. Please test before you start using them in a production environment.

Files and References

Below you find a few references related to Raspberry Pi, USB OTG or Oracle Unified Directory:

DOAG Databank 2016

Just finished my presentation about Enterprise User Security at the DOAG Datenbank 2016 in Düsseldorf. It is about how to set up and use Enterprise User Security with Oracle Unified Directory. The slides are available for download: DOAG__EUS_mit_OUD_Oehrli.pdf. Thanks to Florian I can also offer some, ok, one "impression" from my presentation 🙂 As promised in my presentation, I'll post some more information from my engineering and tests on Oracle Unified Directory in the next weeks. All of them will be tagged with Oracle Unified Directory.


WALLET_LOCATION in sqlnet.ora for Container Databases

Recently I have set up Oracle Enterprise User Security (EUS) with Oracle Unified Directory (OUD) on my favourite Linux test system. Among regular 11.2.0.4 and 12.1.0.2 databases I also have a 12.1.0.2 Container Database. EUS works like a charm on the regular databases but not on the PDB.

SQL> conn soe
Enter password: 
ERROR:
ORA-28305: WALLET_LOCATION in sqlnet.ora file for container database is not
supported.


Warning: You are no longer connected to ORACLE.

The error seems to be a bit weird. So far I have explicitly set the wallet location to make sure the wallet is somewhere I decided. I have a shared sqlnet.ora file, where I use $ORACLE_SID in the path for the different instances. An excerpt from my sqlnet.ora file:

...
WALLET_LOCATION =
  (SOURCE =
    (METHOD = File)
    (METHOD_DATA = (DIRECTORY = /u00/app/oracle/admin/$ORACLE_SID/wallet)))

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=FILE)
   (METHOD_DATA=
    (DIRECTORY=/u00/app/oracle/admin/$ORACLE_SID/tde_wallet/)))
...

The action described for the Oracle Error Message ORA-28305 is clear. Remove WALLET_LOCATION from sqlnet.ora to use EUS also for Container Databases.

SQL> conn soe
Enter password: 
Connected.
SQL> @sousrinf
Database Information
--------------------
- DB_NAME		: TDB12C
- DB_DOMAIN		:
- INSTANCE		: 1
- INSTANCE_NAME 	: TDB12C
- SERVER_HOST		: o-sec
-
Authentification Information
----------------------------
- SESSION_USER		: C##SOE
- PROXY_USER		:
- AUTHENTICATION_METHOD : PASSWORD
- IDENTIFICATION_TYPE	: GLOBAL SHARED
- NETWORK_PROTOCOL	:
- OS_USER		: oracle
- AUTHENTICATED_IDENTITY: SOE
- ENTERPRISE_IDENTITY	: cn=soe,cn=Users,dc=trivadistraining,dc=com
-
Other Information
-----------------
- ISDBA 		: FALSE
- CLIENT_INFO		:
- PROGRAM		: sqlplus@o-sec (TNS V1-V3)
- MODULE		: SQL*Plus
- IP_ADDRESS		:
- SID			: 39
- SERIAL#		: 47117
- SERVER		: DEDICATED
- TERMINAL		: pts/6

PL/SQL procedure successfully completed.

The corresponding Oracle Bug 17758886 has been rejected as "not a Bug". The Oracle® Database Net Services Reference 12c Release 1 (12.1) entry for WALLET_LOCATION does not mention PDBs. There is only some information in the Oracle® Database Reference 12c Release 1 (12.1) under Using LDAP_DIRECTORY_ACCESS with PDBs.

Conclusion

It seems that with PDBs it is not possible to explicitly set a wallet location. If the default location is not appropriate for your database environment, you have to use soft links to use an alternative location for your wallet.

By the way, the wallet for TDE or for Secure External Password Store (SEPS) is not affected. You may still set WALLET_LOCATION for SEPS or ENCRYPTION_WALLET_LOCATION for TDE.

References

Some links related to this topic.

If time permits, I’ll write a few blog post about setting up and configuring EUS with OUD.