Install and configure Oracle Internet Directory to resolve database names

Everyone who has worked with this type of DBMS knows about setting up access to the Oracle DBMS, which is stored in the tnsnames.ora file.

The data is stored in the tnsnames.ora file in a plain text form and can be easily changed using any text editor. It is good if there are not many records in it, but what to do if there are hundreds of databases in the organization, access to which needs to be provided from the hosts of users at various levels or from terminal servers. And if at one point the database moves to another host, or other changes occur that change the database access parameters, you need to change the access parameters everywhere.

Solutions can be offered a lot, including redirects, aliases, etc.

I'll describe here how to set up and configure a single repository for resolving database names using the Oracle Internet Directory OID, and how to apply for resolving names using the LDAP protocol. This is much more convenient than keeping the tnsnames.ora file up to date in hundreds of places.

The installation and configuration of the DBMS for the OID repository database is not described here; the key points are indicated for this particular configuration. With the licensing policy of Oracle in terms of products RDBMS Database, Oracle Fusion Middleware and Oracle Internet Directory you can find on the company's website.

Software installation


The software was installed on the Linux OS (SUSE Linux Enterprise Server 11), for your OS you need to check with the compatibility matrix on oracle.com.

To install the Standalone server (running NodeManager), the following distribution versions were taken that are relevant at the time of configuration:

JAVA: jdk-8u171-linux-x64.tar.gz
OID: fmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zip
RDBMS: 12.1.0.2 + PSU + Opatch of current versions

Install the software for the repository , which will store the OID schema of the

DBMS version 12.1.0.2 + PSU
DB. Create an “empty” database: You
must specify the
AL32UTF8 encoding, enable ORACLE TEXT in the software installation,
the database parameters:
open_cursors = 800
processes = 500

Additionally, it was necessary to run the xaview.sql script, which was found out at the stage of checking the OID installation.
configure and raise LISTENER for the database.

So, an empty database is created by uhost-oid1: 1521 / oid1 (in this case, oid1-SID database) and is ready to create a repository in it.

Set OID


Here and further, the home directory of the user oracle - / u / app / oracle
Unpack java and set the variable JAVA_HOME

unzip jdk-8u171-linux-x64.tar.gz
export JAVA_HOME=/u/app/oracle/jdk1.8.0_171

Unpacking the OID

unzipfmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zip


It turns out the file ./fmw_12.2.1.3.0_oid_linux64.bin We

check that it is executable, if it is not doing so

chmod +x

Run:

./fmw_12.2.1.3.0_oid_linux64.bin

(X-server forwarding must be configured beforehand), the java-based installer will start.

The following was specified as ORACLE_HOME:

/ u / app / oracle / product / middleware / Oracle_IDM1

The software for oracle fusion middleware (FMW) and Oracle Internet Directory will be installed along this path.

At the “installation type” stage, we indicate STANDALONE.



Create a repository (required schemas in the database)



Create schemas for the repository in the database, for this run rcu

cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/bin/ 
./rcu.sh

At this stage ODSSM, ODS and DEV_STB schemes are created (remember the password, it will be required when setting up domain components)

Create a domain in which OID will work for us (domain in terms of FMW)


cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin
./config.sh


We create a domain in a separate folder from the software. For example, set as follows:

/ u / app / oracle / config / domains / oid_domain





For connecting to the database, specify the parameters of the previously created schemes (and passwords).
During installation, set the login and password for the NodeManager (will later be used to connect to the NodeManager and start / stop through him OID)

Start NodeManager


To run NodeManager, you need to generate a file with the keys: DemoIdentity.jks. (If, in addition to the OID installation, you install updates, then you probably will not need this step)
We will generate the “default” one so that you don’t have to worry about the keystore boot options in the domain config. It works with such parameters - this is the password for the default storage:

cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin

perform

. setWlstEnv.sh

(always with a dot, does not work differently)
Go to the directory where the file should be stored:

cd /u/app/oracle/config/domains/oid_domain/security
java utils.CertGen -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey -strength 1024 -noskid
java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile demokey -keyfilepass DemoIdentityPassPhrase -certfile democert.pem -keyfile demokey.pem -alias demoidentity

The key phrase DemoIdentityPassPhrase is just that, otherwise you will have to edit the domain config.
We need to deal with this, but we must first start to work.

export TNS_ADMIN=/u/app/oracle/config/domains/oid_domain/config/fmwconfig/components/OID/config

It is necessary to configure the OID itself, otherwise the domain will not be able to connect to the repository database (see Problem 1 )

export LD_LIBRARY_PATH=/u/app/oracle/product/middleware/Oracle_IDM1/lib:$LD_LIBRARY_PATH

it is needed so that the necessary libraries are found and pulled up from the required ORACLE_HOME.

If anything, we check with the help of ldd where they look:

ldd /u/app/oracle/product/middleware/Oracle_IDM1/bin/oiddispd

Must be on ORACLE_HOME with FMW software:

libclntsh.so.12.1 => /u/app/oracle/product/middleware/Oracle_IDM1/lib/libclntsh.so.12.1

Errors, if this is not the case, see Problem2

cd  /u/app/oracle/config/domains/oid_domain/bin/
./setStartupEnv.sh – выставляет доп. переменные окружения
./startNodeManager.sh &

Make sure the NodeManager is running.
Logs and configuration: / u / app / oracle / config / domains / oid_domain / nodemanager Problem1

:

Jun 22, 201810:27:58 AM MSK  Fatal error in NodeManager server
weblogic.nodemanager.common.ConfigException: Identity key store file notfound: /u/app/oracle/config/domains/oid_domain/security/DemoIdentity.jks

Solution 1 : Go and generate DemoIdentity.jks as described above.

Problem 2 :

Jun 28, 201812:20:08 PM MSK INFO /u/app/oracle/config/domains/oid_domain>><<        password:
confirm password:
Unable to Connect to Database: Incorrect location for tnsnames.ora (derived from DOMAIN_HOME) or Incorrect TNS Connect stringor Invalid Password
> <createDbWallet domain: /u/app/oracle/config/domains/oid_domain, oidpasswd output:        password:
confirm password:

Decision 2 : set the TNS_ADMIN variable and check the correctness of the login / password

Primary OID Configuration


At this point, the
TNS_ADMIN
LD_LIBRARY_PATH variables should be set.
It is assumed that the NodeManager is already running.
Run the WLST utility:

cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin
export MW_HOME=$ORACLE_HOME

We expose the variables that are needed to run the WLST utility.

./setHomeDirs.sh
./setWlstEnv.sh
./wlst.sh

then use the WLST utility to connect to the NodeManager. We will need the login and password specified during the installation (specified for the NodeManager, we have this weblogic)

nmConnect(username='weblogic',password='пароль от NodeManager ',domainName='oid_domain')

Example output :

[13:45][uhost-oid1.oracle.:/u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin]$ ./wlst.sh
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> nmConnect(username='weblogic',password='*****',domainName='oid_domain')
Connecting to Node Manager ...
Successfully Connected to Node Manager.

We launch initialization, during which an instance is created with the name oid1.
In the line below:

odsPassword — password for the ODS scheme based on the repository that was set when executing ./rcu
orcladminPassword — password that will be used as cn = orcladmin for accessing LDAP
realmDN — LDAP scheme that will be configured

oid_setup(orcladminPassword='****',odsPassword='***',realmDN='dc=mycompany,dc=ru')

After execution should component (FMW in terms instance) is created with the name oid1

Problema3 :
/u/app/oracle/config/domains/oid_domain/servers/OID/logs/oid1/oidmon*.log Log
contains

/u/app/oracle/product/middleware/Oracle_IDM1/wlserver/../bin/oiddispd: <b>errorwhile loading shared libraries</b>: libclntshcore.so.12.1: cannot openshared object file: No such fileor directory

Solution3 :
Set the environment variable
LD_LIBRARY_PATH = / u / app / oracle / product / middleware / Oracle_IDM1 / lib: $ LD_LIBRARY_PATH
restart the NodeManager,
start the component:

cd  /u/app/oracle/config/domains/oid_domain/bin/
nohup ./startNodeManager.sh &
./startComponent.sh oid1

If for this reason the component was created but does not work, then we kill the oidmon process, change the process status parameters in the DBMS:

ps –ef|grep oidmon
kill oidmon

sqlplus / as sysdba
update ods.ods_process_status set pid=0where compname='oid1';
update ods.ods_process_status set state=4where compname='oid1';

Connect Check:

./ldapbind -h localhost -p 3060
./ldapbind  -h localhost -p 3131 -U 1 -D 'cn=orcladmin' -w ****

You may have to again initialize oid_setup
Problema4 . When trying to save to NetManager:

oracle.net.common.dataStore.DataStoreException: errorwritingServiceAliasto: LDAPDataStore[svr: uhost-oid1.mycompany.ru:3060:3131, type: OID, ctxt: cn=OracleContext,dc=mycompany,dc=ru, home: C:\oracle\product\12.1.0\client_1]originalexceptionmessage: TNS-04409: Ошибка службы каталогов
  causedby: oracle.net.config.DirectoryServiceException: TNS-04405: Общая ошибка
  causedby: oracle.net.ldap.NNFLExceptionoriginalstacktrace: oracle.net.config.ServiceAliasException: TNS-04409: Ошибка службы каталогов
  causedby: oracle.net.config.DirectoryServiceException: TNS-04405: Общая ошибка
  causedby: oracle.net.ldap.NNFLExceptionoracle.net.config.DirectoryServiceException: TNS-04405: Общая ошибка
  causedby: oracle.net.ldap.NNFLExceptionoracle.net.ldap.NNFLException



Solution4: Run oid_setup
again
Check the ldap.ora settings on the client from which the Net Manager is launched
DEFAULT_ADMIN_CONTEXT = "dc = mycompany, dc = ru"

Changing the OID parameter (to allow requests from anonymous users)
When creating a TNS name using a net manager, but tnsping doesn't work.
Create a file:
cat anonymousbind.ldif

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclAnonymousBindsFlag
orclAnonymousBindsFlag: 1

and modify the parameters using this file:

ldapmodify -D cn=orcladmin -W -p 3131 -h localhost -f anonymousbind.ldif

Diagnostics:
tnsping mytest does not work, a ldapsearch is working
Checking the availability of ports 3060 and 3131 (for SSL)

so everything works (with the password)

ldapsearch -h uhost-oid1.mycompany.ru -p 3060 -D "cn=orcladmin" -w password_hear -b "cn=mytest,cn=OracleContext,dc=mycompany,dc=ru" -s base"objectclass=*"

mytest is an alias created earlier.

Client settings


On the client side, the following files are
stored in $ ORACLE_HOME / network / admin: ldap.ora
sqlnet.ora
tnsnames.ora

The tnsnames.ora file contains “local” aliases, as usual, and is used if no name is found in LDAP.
The sqlnet.ora file contains a description of the rezolv order:

sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES,LDAP)


LDAP file access parameters are set in ldap.ora

ldap.ora

DIRECTORY_SERVERS = (uhost-oid1.mycompany.ru:3060:3131,rephost-oid1.mycompany.ru:3060:3131) 
DIRECTORY_SERVER_TYPE = OID
DEFAULT_ADMIN_CONTEXT = "dc=mycompany,dc=ru"

In the described configuration, the following order is used.

First, the tnsnames.ora file is scanned, if the record was not found there, then we ask LDAP (if you need to change the order, change the order in the NAMES.DIRECTORY_PATH parameter.

Next comes the query to the main LDAP server, if it is unavailable for some reason, go to the second server in the list DIRECTORY_SERVERS

The polling order is not important in this case, the first is better to specify the geographically closest server

Default admin context (LDAP) is used for the default context so as not to specify mycompany.ru each time

For the same reason it is not recommended to use a dot in the alias entry he her in spryimaet as a domain.

Further I will tell how to configure replication between servers

Also popular now: