Install and configure Oracle Internet Directory to resolve database names
Everyone who has worked with this type of DBMS knows about setting up access to the Oracle DBMS, which is stored in the tnsnames.ora file.
The data is stored in the tnsnames.ora file in a plain text form and can be easily changed using any text editor. It is good if there are not many records in it, but what to do if there are hundreds of databases in the organization, access to which needs to be provided from the hosts of users at various levels or from terminal servers. And if at one point the database moves to another host, or other changes occur that change the database access parameters, you need to change the access parameters everywhere.
Solutions can be offered a lot, including redirects, aliases, etc.
I'll describe here how to set up and configure a single repository for resolving database names using the Oracle Internet Directory OID, and how to apply for resolving names using the LDAP protocol. This is much more convenient than keeping the tnsnames.ora file up to date in hundreds of places.
The installation and configuration of the DBMS for the OID repository database is not described here; the key points are indicated for this particular configuration. With the licensing policy of Oracle in terms of products RDBMS Database, Oracle Fusion Middleware and Oracle Internet Directory you can find on the company's website.
The software was installed on the Linux OS (SUSE Linux Enterprise Server 11), for your OS you need to check with the compatibility matrix on oracle.com.
To install the Standalone server (running NodeManager), the following distribution versions were taken that are relevant at the time of configuration:
JAVA: jdk-8u171-linux-x64.tar.gz
OID: fmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zip
RDBMS: 12.1.0.2 + PSU + Opatch of current versions
Install the software for the repository , which will store the OID schema of the
DBMS version 12.1.0.2 + PSU
DB. Create an “empty” database: You
must specify the
AL32UTF8 encoding, enable ORACLE TEXT in the software installation,
the database parameters:
open_cursors = 800
processes = 500
Additionally, it was necessary to run the xaview.sql script, which was found out at the stage of checking the OID installation.
configure and raise LISTENER for the database.
So, an empty database is created by uhost-oid1: 1521 / oid1 (in this case, oid1-SID database) and is ready to create a repository in it.
Here and further, the home directory of the user oracle - / u / app / oracle
Unpack java and set the variable JAVA_HOME
Unpacking the OID
It turns out the file ./fmw_12.2.1.3.0_oid_linux64.bin We
check that it is executable, if it is not doing so
Run:
(X-server forwarding must be configured beforehand), the java-based installer will start.
The following was specified as ORACLE_HOME:
/ u / app / oracle / product / middleware / Oracle_IDM1
The software for oracle fusion middleware (FMW) and Oracle Internet Directory will be installed along this path.
At the “installation type” stage, we indicate STANDALONE.
Create schemas for the repository in the database, for this run rcu
At this stage ODSSM, ODS and DEV_STB schemes are created (remember the password, it will be required when setting up domain components)
We create a domain in a separate folder from the software. For example, set as follows:
/ u / app / oracle / config / domains / oid_domain
For connecting to the database, specify the parameters of the previously created schemes (and passwords).
During installation, set the login and password for the NodeManager (will later be used to connect to the NodeManager and start / stop through him OID)
To run NodeManager, you need to generate a file with the keys: DemoIdentity.jks. (If, in addition to the OID installation, you install updates, then you probably will not need this step)
We will generate the “default” one so that you don’t have to worry about the keystore boot options in the domain config. It works with such parameters - this is the password for the default storage:
perform
(always with a dot, does not work differently)
Go to the directory where the file should be stored:
The key phrase DemoIdentityPassPhrase is just that, otherwise you will have to edit the domain config.
We need to deal with this, but we must first start to work.
It is necessary to configure the OID itself, otherwise the domain will not be able to connect to the repository database (see Problem 1 )
it is needed so that the necessary libraries are found and pulled up from the required ORACLE_HOME.
If anything, we check with the help of ldd where they look:
Must be on ORACLE_HOME with FMW software:
Errors, if this is not the case, see Problem2
Make sure the NodeManager is running.
Logs and configuration: / u / app / oracle / config / domains / oid_domain / nodemanager Problem1
:
Solution 1 : Go and generate DemoIdentity.jks as described above.
Problem 2 :
Decision 2 : set the TNS_ADMIN variable and check the correctness of the login / password
At this point, the
TNS_ADMIN
LD_LIBRARY_PATH variables should be set.
It is assumed that the NodeManager is already running.
Run the WLST utility:
We expose the variables that are needed to run the WLST utility.
then use the WLST utility to connect to the NodeManager. We will need the login and password specified during the installation (specified for the NodeManager, we have this weblogic)
Example output :
We launch initialization, during which an instance is created with the name oid1.
In the line below:
odsPassword — password for the ODS scheme based on the repository that was set when executing ./rcu
orcladminPassword — password that will be used as cn = orcladmin for accessing LDAP
realmDN — LDAP scheme that will be configured
After execution should component (FMW in terms instance) is created with the name oid1
Problema3 :
/u/app/oracle/config/domains/oid_domain/servers/OID/logs/oid1/oidmon*.log Log
contains
Solution3 :
Set the environment variable
LD_LIBRARY_PATH = / u / app / oracle / product / middleware / Oracle_IDM1 / lib: $ LD_LIBRARY_PATH
restart the NodeManager,
start the component:
If for this reason the component was created but does not work, then we kill the oidmon process, change the process status parameters in the DBMS:
Connect Check:
You may have to again initialize oid_setup
Problema4 . When trying to save to NetManager:
Solution4: Run oid_setup
again
Check the ldap.ora settings on the client from which the Net Manager is launched
DEFAULT_ADMIN_CONTEXT = "dc = mycompany, dc = ru"
Changing the OID parameter (to allow requests from anonymous users)
When creating a TNS name using a net manager, but tnsping doesn't work.
Create a file:
cat anonymousbind.ldif
and modify the parameters using this file:
Diagnostics:
tnsping mytest does not work, a ldapsearch is working
Checking the availability of ports 3060 and 3131 (for SSL)
so everything works (with the password)
mytest is an alias created earlier.
On the client side, the following files are
stored in $ ORACLE_HOME / network / admin: ldap.ora
sqlnet.ora
tnsnames.ora
The tnsnames.ora file contains “local” aliases, as usual, and is used if no name is found in LDAP.
The sqlnet.ora file contains a description of the rezolv order:
sqlnet.ora
LDAP file access parameters are set in ldap.ora
ldap.ora
In the described configuration, the following order is used.
First, the tnsnames.ora file is scanned, if the record was not found there, then we ask LDAP (if you need to change the order, change the order in the NAMES.DIRECTORY_PATH parameter.
Next comes the query to the main LDAP server, if it is unavailable for some reason, go to the second server in the list DIRECTORY_SERVERS
The polling order is not important in this case, the first is better to specify the geographically closest server
Default admin context (LDAP) is used for the default context so as not to specify mycompany.ru each time
For the same reason it is not recommended to use a dot in the alias entry he her in spryimaet as a domain.
Further I will tell how to configure replication between servers
The data is stored in the tnsnames.ora file in a plain text form and can be easily changed using any text editor. It is good if there are not many records in it, but what to do if there are hundreds of databases in the organization, access to which needs to be provided from the hosts of users at various levels or from terminal servers. And if at one point the database moves to another host, or other changes occur that change the database access parameters, you need to change the access parameters everywhere.
Solutions can be offered a lot, including redirects, aliases, etc.
I'll describe here how to set up and configure a single repository for resolving database names using the Oracle Internet Directory OID, and how to apply for resolving names using the LDAP protocol. This is much more convenient than keeping the tnsnames.ora file up to date in hundreds of places.
The installation and configuration of the DBMS for the OID repository database is not described here; the key points are indicated for this particular configuration. With the licensing policy of Oracle in terms of products RDBMS Database, Oracle Fusion Middleware and Oracle Internet Directory you can find on the company's website.
Software installation
The software was installed on the Linux OS (SUSE Linux Enterprise Server 11), for your OS you need to check with the compatibility matrix on oracle.com.
To install the Standalone server (running NodeManager), the following distribution versions were taken that are relevant at the time of configuration:
JAVA: jdk-8u171-linux-x64.tar.gz
OID: fmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zip
RDBMS: 12.1.0.2 + PSU + Opatch of current versions
Install the software for the repository , which will store the OID schema of the
DBMS version 12.1.0.2 + PSU
DB. Create an “empty” database: You
must specify the
AL32UTF8 encoding, enable ORACLE TEXT in the software installation,
the database parameters:
open_cursors = 800
processes = 500
Additionally, it was necessary to run the xaview.sql script, which was found out at the stage of checking the OID installation.
configure and raise LISTENER for the database.
So, an empty database is created by uhost-oid1: 1521 / oid1 (in this case, oid1-SID database) and is ready to create a repository in it.
Set OID
Here and further, the home directory of the user oracle - / u / app / oracle
Unpack java and set the variable JAVA_HOME
unzip jdk-8u171-linux-x64.tar.gz
export JAVA_HOME=/u/app/oracle/jdk1.8.0_171Unpacking the OID
unzipfmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zipIt turns out the file ./fmw_12.2.1.3.0_oid_linux64.bin We
check that it is executable, if it is not doing so
chmod +xRun:
./fmw_12.2.1.3.0_oid_linux64.bin(X-server forwarding must be configured beforehand), the java-based installer will start.
The following was specified as ORACLE_HOME:
/ u / app / oracle / product / middleware / Oracle_IDM1
The software for oracle fusion middleware (FMW) and Oracle Internet Directory will be installed along this path.
At the “installation type” stage, we indicate STANDALONE.
Create a repository (required schemas in the database)
Create schemas for the repository in the database, for this run rcu
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/bin/
./rcu.sh
At this stage ODSSM, ODS and DEV_STB schemes are created (remember the password, it will be required when setting up domain components)
Create a domain in which OID will work for us (domain in terms of FMW)
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin
./config.sh
We create a domain in a separate folder from the software. For example, set as follows:
/ u / app / oracle / config / domains / oid_domain
For connecting to the database, specify the parameters of the previously created schemes (and passwords).
During installation, set the login and password for the NodeManager (will later be used to connect to the NodeManager and start / stop through him OID)
Start NodeManager
To run NodeManager, you need to generate a file with the keys: DemoIdentity.jks. (If, in addition to the OID installation, you install updates, then you probably will not need this step)
We will generate the “default” one so that you don’t have to worry about the keystore boot options in the domain config. It works with such parameters - this is the password for the default storage:
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin
perform
. setWlstEnv.sh(always with a dot, does not work differently)
Go to the directory where the file should be stored:
cd /u/app/oracle/config/domains/oid_domain/security
java utils.CertGen -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey -strength 1024 -noskid
java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile demokey -keyfilepass DemoIdentityPassPhrase -certfile democert.pem -keyfile demokey.pem -alias demoidentity
The key phrase DemoIdentityPassPhrase is just that, otherwise you will have to edit the domain config.
We need to deal with this, but we must first start to work.
export TNS_ADMIN=/u/app/oracle/config/domains/oid_domain/config/fmwconfig/components/OID/configIt is necessary to configure the OID itself, otherwise the domain will not be able to connect to the repository database (see Problem 1 )
export LD_LIBRARY_PATH=/u/app/oracle/product/middleware/Oracle_IDM1/lib:$LD_LIBRARY_PATH
it is needed so that the necessary libraries are found and pulled up from the required ORACLE_HOME.
If anything, we check with the help of ldd where they look:
ldd /u/app/oracle/product/middleware/Oracle_IDM1/bin/oiddispdMust be on ORACLE_HOME with FMW software:
libclntsh.so.12.1 => /u/app/oracle/product/middleware/Oracle_IDM1/lib/libclntsh.so.12.1Errors, if this is not the case, see Problem2
cd /u/app/oracle/config/domains/oid_domain/bin/
./setStartupEnv.sh – выставляет доп. переменные окружения
./startNodeManager.sh &
Make sure the NodeManager is running.
Logs and configuration: / u / app / oracle / config / domains / oid_domain / nodemanager Problem1
:
Jun 22, 201810:27:58 AM MSK Fatal error in NodeManager server
weblogic.nodemanager.common.ConfigException: Identity key store file notfound: /u/app/oracle/config/domains/oid_domain/security/DemoIdentity.jks
Solution 1 : Go and generate DemoIdentity.jks as described above.
Problem 2 :
Jun 28, 201812:20:08 PM MSK INFO /u/app/oracle/config/domains/oid_domain>><< password:
confirm password:
Unable to Connect to Database: Incorrect location for tnsnames.ora (derived from DOMAIN_HOME) or Incorrect TNS Connect stringor Invalid Password
> <createDbWallet domain: /u/app/oracle/config/domains/oid_domain, oidpasswd output: password:
confirm password:
Decision 2 : set the TNS_ADMIN variable and check the correctness of the login / password
Primary OID Configuration
At this point, the
TNS_ADMIN
LD_LIBRARY_PATH variables should be set.
It is assumed that the NodeManager is already running.
Run the WLST utility:
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin
export MW_HOME=$ORACLE_HOMEWe expose the variables that are needed to run the WLST utility.
./setHomeDirs.sh
./setWlstEnv.sh
./wlst.sh
then use the WLST utility to connect to the NodeManager. We will need the login and password specified during the installation (specified for the NodeManager, we have this weblogic)
nmConnect(username='weblogic',password='пароль от NodeManager ',domainName='oid_domain')
Example output :
[13:45][uhost-oid1.oracle.:/u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin]$ ./wlst.sh
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> nmConnect(username='weblogic',password='*****',domainName='oid_domain')
Connecting to Node Manager ...
Successfully Connected to Node Manager.
We launch initialization, during which an instance is created with the name oid1.
In the line below:
odsPassword — password for the ODS scheme based on the repository that was set when executing ./rcu
orcladminPassword — password that will be used as cn = orcladmin for accessing LDAP
realmDN — LDAP scheme that will be configured
oid_setup(orcladminPassword='****',odsPassword='***',realmDN='dc=mycompany,dc=ru')After execution should component (FMW in terms instance) is created with the name oid1
Problema3 :
/u/app/oracle/config/domains/oid_domain/servers/OID/logs/oid1/oidmon*.log Log
contains
/u/app/oracle/product/middleware/Oracle_IDM1/wlserver/../bin/oiddispd: <b>errorwhile loading shared libraries</b>: libclntshcore.so.12.1: cannot openshared object file: No such fileor directorySolution3 :
Set the environment variable
LD_LIBRARY_PATH = / u / app / oracle / product / middleware / Oracle_IDM1 / lib: $ LD_LIBRARY_PATH
restart the NodeManager,
start the component:
cd /u/app/oracle/config/domains/oid_domain/bin/
nohup ./startNodeManager.sh &
./startComponent.sh oid1
If for this reason the component was created but does not work, then we kill the oidmon process, change the process status parameters in the DBMS:
ps –ef|grep oidmon
kill oidmon
sqlplus / as sysdba
update ods.ods_process_status set pid=0where compname='oid1';
update ods.ods_process_status set state=4where compname='oid1';
Connect Check:
./ldapbind -h localhost -p 3060
./ldapbind -h localhost -p 3131 -U 1 -D 'cn=orcladmin' -w ****
You may have to again initialize oid_setup
Problema4 . When trying to save to NetManager:
oracle.net.common.dataStore.DataStoreException: errorwritingServiceAliasto: LDAPDataStore[svr: uhost-oid1.mycompany.ru:3060:3131, type: OID, ctxt: cn=OracleContext,dc=mycompany,dc=ru, home: C:\oracle\product\12.1.0\client_1]originalexceptionmessage: TNS-04409: Ошибка службы каталогов
causedby: oracle.net.config.DirectoryServiceException: TNS-04405: Общая ошибка
causedby: oracle.net.ldap.NNFLExceptionoriginalstacktrace: oracle.net.config.ServiceAliasException: TNS-04409: Ошибка службы каталогов
causedby: oracle.net.config.DirectoryServiceException: TNS-04405: Общая ошибка
causedby: oracle.net.ldap.NNFLExceptionoracle.net.config.DirectoryServiceException: TNS-04405: Общая ошибка
causedby: oracle.net.ldap.NNFLExceptionoracle.net.ldap.NNFLExceptionSolution4: Run oid_setup
again
Check the ldap.ora settings on the client from which the Net Manager is launched
DEFAULT_ADMIN_CONTEXT = "dc = mycompany, dc = ru"
Changing the OID parameter (to allow requests from anonymous users)
When creating a TNS name using a net manager, but tnsping doesn't work.
Create a file:
cat anonymousbind.ldif
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclAnonymousBindsFlag
orclAnonymousBindsFlag: 1and modify the parameters using this file:
ldapmodify -D cn=orcladmin -W -p 3131 -h localhost -f anonymousbind.ldifDiagnostics:
tnsping mytest does not work, a ldapsearch is working
Checking the availability of ports 3060 and 3131 (for SSL)
so everything works (with the password)
ldapsearch -h uhost-oid1.mycompany.ru -p 3060 -D "cn=orcladmin" -w password_hear -b "cn=mytest,cn=OracleContext,dc=mycompany,dc=ru" -s base"objectclass=*"mytest is an alias created earlier.
Client settings
On the client side, the following files are
stored in $ ORACLE_HOME / network / admin: ldap.ora
sqlnet.ora
tnsnames.ora
The tnsnames.ora file contains “local” aliases, as usual, and is used if no name is found in LDAP.
The sqlnet.ora file contains a description of the rezolv order:
sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES,LDAP)
LDAP file access parameters are set in ldap.ora
ldap.ora
DIRECTORY_SERVERS = (uhost-oid1.mycompany.ru:3060:3131,rephost-oid1.mycompany.ru:3060:3131)
DIRECTORY_SERVER_TYPE = OID
DEFAULT_ADMIN_CONTEXT = "dc=mycompany,dc=ru"In the described configuration, the following order is used.
First, the tnsnames.ora file is scanned, if the record was not found there, then we ask LDAP (if you need to change the order, change the order in the NAMES.DIRECTORY_PATH parameter.
Next comes the query to the main LDAP server, if it is unavailable for some reason, go to the second server in the list DIRECTORY_SERVERS
The polling order is not important in this case, the first is better to specify the geographically closest server
Default admin context (LDAP) is used for the default context so as not to specify mycompany.ru each time
For the same reason it is not recommended to use a dot in the alias entry he her in spryimaet as a domain.
Further I will tell how to configure replication between servers