{"id":2943,"date":"2019-03-01T16:14:05","date_gmt":"2019-03-01T15:14:05","guid":{"rendered":"https:\/\/www.oradba.ch\/?p=2943"},"modified":"2019-03-14T17:26:54","modified_gmt":"2019-03-14T16:26:54","slug":"configure-oracle-eusm-to-use-ldaps","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2019\/03\/configure-oracle-eusm-to-use-ldaps\/","title":{"rendered":"Configure Oracle EUSM to use LDAPS"},"content":{"rendered":"<p>With the introduction of Oracle 18c, <code class=\"EnlighterJSRAW\">eusm<\/code> is officially designated as an Enterprise User Security Utility. It is now officially documented in the <a href=\"https:\/\/docs.oracle.com\/en\/database\/oracle\/oracle-database\/18\/dbimi\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">Enterprise User Security Administrator&#8217;s Guide<\/a>. Before, we had to be content with the somewhat sparse MOS note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1085065.1\" target=\"_blank\" rel=\"noopener noreferrer\">1085065.1<\/a> <em>EUSM, Command Line Tool For EUS Administration and Some EUS Good to Knows<\/em>. In addition, the tool was improved with the latest release. Up to and including Oracle 12c Release 2 it was not possible to establish a secure connection to the LDAP server using <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">eusm<\/code>. The tool does use SASL authentication, but it still always required an unencrypted LDAP connection to the directory server. For sensitive environments with enhanced security requirements, such as banks, insurance companies etc., the use of unencrypted network traffic is a no-go. 
But the new documentation for eusm starts with a short paragraph &#8220;About SSL Port Connectivity through EUSM to OID&#8221;, which gave me confidence.<\/p>\n<p>So there are additional parameters to support SSL:<\/p>\n<ul>\n<li><code class=\"EnlighterJSRAW\">ldap_ssl_port<\/code> SSL port of the directory server.<\/li>\n<li><code class=\"EnlighterJSRAW\">keystore<\/code> path to the keystore in PKCS12 format. A file path parameter takes the path to the PKCS12 format of the keystore (for example, an ewallet.p12 file).<\/li>\n<li><code class=\"EnlighterJSRAW\">key_pass<\/code> controls how the keystore password is supplied, e.g. interactively or via the command line.<\/li>\n<\/ul>\n<p>Initially I got confused by the example. A file named <code class=\"EnlighterJSRAW\">ewallet.p12<\/code> is usually an Oracle wallet. That&#8217;s why I started to use an Oracle wallet as keystore for <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">eusm<\/code>. But this was complete rubbish. Leaning back and thinking again helped. <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">eusm<\/code> is written in Java and the parameter is named keystore. Java and keystore results in a <em>Java keystore<\/em>, doesn&#8217;t it? So I was a bit more successful with my second attempt.<\/p>\n<h2>Configure the keystore<\/h2>\n<p>As soon as one realises that the required keystore file is a Java keystore of type PKCS12, it is straightforward. <code class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">eusm<\/code> just requires the root certificate to validate the OUD certificate during the initialisation of the LDAPS connection. In an enterprise environment this certificate can be obtained from the internal certification authority. Alternatively it may also be exported from another keystore. In my EUS test environment I do not have an enterprise CA. 
Therefore I have to get the corresponding certificate directly from the Oracle directory server.<\/p>\n<p>Log in to the directory server to export the certificate.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\nkeytool -export -noprompt -rfc \\\n-alias server-cert \\\n-keystore ${OUD_INSTANCE_HOME}\/OUD\/config\/keystore \\\n-storepass $(cat ${OUD_INSTANCE_HOME}\/OUD\/config\/keystore.pin) \\\n-file \/u01\/config\/oud_trusted_cert.txt\n\nCertificate stored in file\n<\/pre>\n<p>Copy the file to the database server and import it into a Java keystore. The Java keytool will create a new keystore if you specify a keystore file which does not yet exist. Do not forget to specify PKCS12 as the store type. You can either specify the keystore password interactively or use <code class=\"EnlighterJSRAW\">-storepass<\/code> to provide the password via the command line. I use the password from the keystore pin file <code class=\"EnlighterJSRAW\">$ORACLE_BASE\/network\/admin\/keystore.pin<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\n$ORACLE_HOME\/jdk\/bin\/keytool -import -trustcacerts \\\n-alias oud_root_certificate \\\n-storetype pkcs12 \\\n-keystore $ORACLE_BASE\/network\/admin\/keystore.jks \\\n-storepass $(cat $ORACLE_BASE\/network\/admin\/keystore.pin) \\\n-file \/u01\/oud\/oud_trusted_cert.txt\n\nOwner: CN=oud, O=Oracle Unified Directory Self-Signed Certificate\nIssuer: CN=oud, O=Oracle Unified Directory Self-Signed Certificate\nSerial number: c8cff33\nValid from: Thu Feb 28 06:39:40 UTC 2019 until: Sat Feb 27 06:39:40 UTC 2021\nCertificate fingerprints:\nMD5: E2:C2:43:8B:CD:EB:95:9E:F1:FC:D8:C3:FF:A7:91:AF\nSHA1: 80:0D:9E:89:1B:BC:69:99:02:6A:E7:B5:A6:D2:63:E9:59:5A:C3:BF\nSHA256: C7:14:54:1A:C3:FE:28:72:6E:B0:16:82:42:C9:6E:3B:43:BE:D6:C7:3A:31:60:1B:\n60:1D:8D:5E:7F:66:D9:7B\nSignature algorithm name: SHA1withRSA\nSubject Public Key Algorithm: 1024-bit RSA key\nVersion: 3\nTrust this certificate? 
[no]: yes\nCertificate was added to keystore\n<\/pre>\n<p>List the content of your Java keystore file.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\n$ORACLE_HOME\/jdk\/bin\/keytool -list \\\n-keystore $ORACLE_BASE\/network\/admin\/keystore.jks \\\n-storepass $(cat $ORACLE_BASE\/network\/admin\/keystore.pin)\n\nKeystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 1 entry\n\noud_root_certificate, Mar 1, 2019, trustedCertEntry,\nCertificate fingerprint (SHA1): 80:0D:9E:89:1B:BC:69:99:02:6A:E7:B5:A6:D2:63:E9:\n59:5A:C3:BF\n<\/pre>\n<p>The method is the same if you use an enterprise certificate. You just have to import the root certificate provided by the CA.<\/p>\n<h2>Usage of <code class=\"EnlighterJSRAW\">eusm<\/code><\/h2>\n<p>To establish a connection via SSL, you have to specify the Java keystore and either the keystore password or <code class=\"EnlighterJSRAW\">-K<\/code> when invoking <code class=\"EnlighterJSRAW\">eusm<\/code>. The following command lists the EUS domains. The password is omitted from the command and has to be entered interactively at the prompt.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\neusm listDomains realm_dn=&quot;dc=trivadislabs,dc=com&quot; \\\nldap_host=oud \\\nldap_ssl_port=1636 \\\nldap_user_dn=&quot;cn=eusadmin,cn=oraclecontext&quot; \\\nldap_user_password=eusadmin \\\nkeystore=$ORACLE_BASE\/network\/admin\/keystore.jks -K\n\nEnter keystore password (key_pass):\nLIST OF DOMAINS IN REALM: dc=trivadislabs,dc=com\n\nOracleDefaultDomain\n<\/pre>\n<p>This command lists all the domain mappings. 
The password is now specified via parameter <code class=\"EnlighterJSRAW\">key_pass<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\neusm listMappings domain_name=&quot;OracleDefaultDomain&quot; \\\nrealm_dn=&quot;dc=trivadislabs,dc=com&quot; \\\nldap_host=oud \\\nldap_ssl_port=1636 \\\nldap_user_dn=&quot;cn=eusadmin,cn=oraclecontext&quot; \\\nldap_user_password=eusadmin \\\nkeystore=\/u00\/app\/oracle\/network\/admin\/keystore.jks \\\nkey_pass=$(cat $ORACLE_BASE\/network\/admin\/keystore.pin)\n\nLIST OF DATABASE SCHEMA MAPPINGS::\n\nMapping Name: MAPPING0\nMapping Type: SUBTREE\nMapping DN: ou=People,dc=trivadislabs,dc=com\nMapping schema:EUS_USERS\nMapping Level :DOMAIN\n<\/pre>\n<p>Below you see an excerpt of the OUD access log file. The log entry for the CONNECT command does show the LDAPS protocol.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\n[01\/Mar\/2019:14:49:12 +0000] CONNECT conn=1111 from=172.18.0.3:34126 to=172.18.0.2:1636 protocol=LDAPS\n[01\/Mar\/2019:14:49:13 +0000] BIND REQ conn=1111 op=0 msgID=1 type=SIMPLE dn=&quot;cn=eusadmin,cn=oraclecontext&quot; version=3\n[01\/Mar\/2019:14:49:13 +0000] BIND RES conn=1111 op=0 msgID=1 result=0 authDN=&quot;cn=eusadmin,cn=oraclecontext&quot; etime=0\n[01\/Mar\/2019:14:49:13 +0000] SEARCH REQ conn=1111 op=1 msgID=2 base=&quot;dc=trivadislabs,dc=com&quot; scope=base filter=&quot;(objectclass=*)&quot; attrs=&quot;orclversion&quot;\n[01\/Mar\/2019:14:49:13 +0000] SEARCH RES conn=1111 op=1 msgID=2 result=0 nentries=1 etime=1\n[01\/Mar\/2019:14:49:13 +0000] SEARCH REQ conn=1111 op=2 msgID=3 base=&quot;cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=trivadislabs,dc=com&quot; scope=one filter=&quot;(|(objectClass=orclDBEntryLevelMapping)(objectclass=orclDBSubtreeLevelMapping))&quot; attrs=&quot;cn,orcldbdistinguishedname,orcldbnativeuser,objectclass&quot;\n[01\/Mar\/2019:14:49:13 +0000] SEARCH RES conn=1111 op=2 msgID=3 result=0 
nentries=1 etime=1\n[01\/Mar\/2019:14:49:13 +0000] DISCONNECT conn=1111 reason=&quot;Client Disconnect&quot;\n<\/pre>\n<h2>Conclusion<\/h2>\n<p>It took way too long until <code class=\"EnlighterJSRAW\">eusm<\/code> became officially available, since it had already been part of the binaries since Oracle 11c. The fact that LDAPS is finally also supported is a significant step towards a general improvement of the security of databases as well as directory servers. It is getting much easier to harden directory servers and limit access to the LDAPS protocol. A little unfortunate in my opinion is the Oracle documentation regarding the configuration of the Java keystore. A simple example would have simplified the setup.<\/p>\n<p>Some links related to this blog post:<\/p>\n<ul>\n<li>Enterprise User Security Administrator&#8217;s Guide chapter 7 <a href=\"https:\/\/docs.oracle.com\/en\/database\/oracle\/oracle-database\/18\/dbimi\/enterprise-user-security-manager-eusm-command-summary.html#GUID-AF344DEB-92B4-4613-93C8-06F7F4CD9449\" target=\"_blank\" rel=\"noopener noreferrer\">Enterprise User Security Manager (EUSM) Command Reference<\/a><\/li>\n<li>Master Note For Enterprise User Security [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1376365.1\" target=\"_blank\" rel=\"noopener noreferrer\">1376365.1<\/a><\/em>]<\/li>\n<li>EUSM, Command Line Tool For EUS Administration and Some EUS Good to Knows [<em><a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1085065.1\" target=\"_blank\" rel=\"noopener noreferrer\">1085065.1<\/a><\/em>]<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>With the introduction of Oracle 18c, eusm is officially designated as an Enterprise User Security Utility. It is now officially documented in the Enterprise User Security Administrator&#8217;s Guide. 
Before we had to be content with the somewhat sparse MOS note 1085065.1 EUSM, Command Line Tool For EUS Administration and Some EUS Good to Knows. In [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[180,181,154,5,142,11],"tags":[],"class_list":["post-2943","post","type-post","status-publish","format-standard","hentry","category-18c","category-19c","category-enterprise-user-security","category-oracle-database","category-oud","category-security"]}