Below is the continuation of my series on how to migrate from ODSEE and ISW to OUD and DIP. You can access the other parts here – Part 1, Part 2, and Part 3.
Since the migration is quite complex, I am splitting the configuration into separate parts.
- Part 1: Downloading required software, Creating required environment, Installing OUD
- Part 2: Configuring OUD, Install and configure OUD Gateway (ODSEE replication) and required changes.
- Part 3: Install, Configure WLS, OID, OUD required for DIP Instance.
- Part 4: Configure WLS And DIP instance.
- Part 5: Configure ISW => DIP migration, configure OUD <=> AD mappings.
- Part 6: OUD Backups.
Configure WLS And DIP instance
Note: Before continuing with the below, please make sure to check out Part 2 and Part 3 on how to install and configure the WLS, OID and OUD instances.

Let's start by configuring WebLogic; you do so by running the below.

$ORACLE_HOME/oracle_common/common/bin/config.sh

In the configuration wizard:
- Select templates > Oracle Unified Directory [oud], then click Next.
- Set the user: user > admin, password > password.
- Change the domain mode: domain > production; JDK > (default OS JDK 1.8).
- Check Node Manager and Admin Server; check off SSL with port 7002.
- Next > Node Manager type > per domain > user > admin > password > password.

This completes the setup. Next, we are going to set a password for the domain to start without user intervention.
cd /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin
mkdir -p /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/security/
echo "username=admin" >/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties
echo "password=password" >>/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties

Now, we need to start the domain(s).
nohup ./startNodeManager.sh &
nohup ./startWebLogic.sh &

Tail -f the nohup.out file for progress, until you see a line containing the word RUNNING.
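The boot.properties written above (and again later for the managed server wls_ods1) holds the admin password in clear text until WebLogic rewrites the file with encrypted values on the server's first start, so it should never be created readable by other users. As an added example that is not part of the original post, the shell functions below create the file owner-only (0600, directory 0700) and check its mode; the domain path, server name and credentials are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: create a WebLogic boot.properties
# owner-only and verify its permissions. Paths, user and password are placeholders.

# write_boot_properties DOMAIN_HOME SERVER_NAME USER PASSWORD
# Creates DOMAIN_HOME/servers/SERVER_NAME/security/boot.properties with mode 0600
# (directory 0700), so the clear-text password is not readable by other users
# even before WebLogic rewrites the file with encrypted values on first start.
write_boot_properties() {
    sec_dir="$1/servers/$2/security"
    # Run in a subshell so the restrictive umask does not leak to the caller.
    (
        umask 077
        mkdir -p "$sec_dir" || exit 1
        printf 'username=%s\npassword=%s\n' "$3" "$4" > "$sec_dir/boot.properties"
    )
}

# check_boot_properties DOMAIN_HOME SERVER_NAME
# Returns 0 only if the file exists and is readable/writable by its owner alone.
check_boot_properties() {
    f="$1/servers/$2/security/boot.properties"
    [ -f "$f" ] || return 1
    # The first 10 characters of ls -l are the type and mode bits, e.g. -rw-------
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# boot_properties_user DOMAIN_HOME SERVER_NAME: print the configured username.
boot_properties_user() {
    sed -n 's/^username=//p' "$1/servers/$2/security/boot.properties"
}

# Stand-alone demonstration against a throwaway directory (constructed values).
demo_dir=$(mktemp -d)
write_boot_properties "$demo_dir" AdminServer admin 'placeholder-password'
if check_boot_properties "$demo_dir" AdminServer; then
    echo "boot.properties for $(boot_properties_user "$demo_dir" AdminServer) is owner-only"
else
    echo "boot.properties is too permissive" >&2
fi
rm -rf "$demo_dir"
```

Run check_boot_properties against both domains after the first start as well: WebLogic keeps the file's mode when it rewrites it, so a file created with the plain echo redirections above keeps whatever your umask gave it.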
Configuring / creating DIP domain(s)
Note: To be able to run the configuration without an Oracle DB you have to include OUDSM as part of the configuration. Below we are creating an OUDSM domain by using the WLST command line interface.

cd /oud/Oracle/Middleware/Oracle_Home/oracle_common/common/bin
./wlst.sh
wls:/offline> createOUDSMDomain(domainLocation='/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1',weblogicPort=7001,weblogicSSLPort=7002,weblogicUserName='admin',weblogicUserPassword='password')
Successfully created OUDSM domain
wls:/offline> setTopologyProfile('Compact')
wls:/offline> readDomain('/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1')
wls:/offline/dip1> cd('Servers/AdminServer')
wls:/offline/dip1/Server/AdminServer> cmo.getListenPort()
7001
wls:/offline/dip1/Server/AdminServer> cmo.getListenAddress()
'All Local Addresses'
wls:/offline/dip1/Server/AdminServer> cd('SSL/AdminServer')
wls:/offline/dip1/Server/AdminServer/SSL/AdminServer> cmo.getListenPort()
7002
wls:/offline/dip1/Server/AdminServer/SSL/AdminServer> closeDomain()
wls:/offline> setTopologyProfile('Compact')
wls:/offline> readDomain('/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1')
wls:/offline/dip1> selectTemplate('Oracle Directory Integration Platform')
wls:/offline/dip1> loadTemplates()
wls:/offline/dip1> updateDomain()
wls:/offline/dip1> closeDomain()
wls:/offline> exit()

Next, stop the WebLogic instance which is running (leave the NodeManager running).
DIP and OUD certificate key configuration
In order for DIP to use SSL for communication, the DIP instance needs to import the OUD and Active Directory (AD) or any other directory certificate keys. For DIP I will be using a key stored in /oud/certs/dip1-dip2oud.jks.

Note: I will be using the same OUD key for the DIP instance, as the CN is already included, i.e. the below steps are not needed in our configuration. Below is just for reference, if you would like to create a new DIP certificate key (CA and key).

Creating a DIP CA and key

# Create CA
keytool -genkeypair -alias ca-cert \
  -keystore CA.jks \
  -keyalg RSA -validity 3560 \
  -dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap-ca.domain.com" \
  -storepass password -keypass password \
  -storetype JKS -deststoretype pkcs12 \
  -ext bc=ca:true
# Export CA
keytool -exportcert -alias ca-cert \
  -trustcacerts \
  -keystore CA.jks \
  -keypass password \
  -storepass password \
  -ext bc=ca:true \
  -file dip1-ca.csr
# Import CA
keytool -import -trustcacerts \
  -noprompt \
  -alias root-ca \
  -keystore ldap-cert.jks \
  -file dip1-ca.csr \
  -storepass password
# Create server cert
keytool -genkeypair -alias ldap-cert \
  -keyalg RSA -keysize 2048 \
  -validity 3560 \
  -dname "C=US,ST=New York,L=New York,O=domain.com,CN=dip1.domain.com" \
  -ext "SAN=DNS:dip1.domain.com,DNS:dip1,IP:127.0.0.1,IP:0.0.0.0,IP:10.10.10.45" \
  -keystore ldap-cert.jks \
  -keypass password \
  -storetype JKS \
  -storepass password
# Create cert req
keytool -certreq -alias ldap-cert \
  -keystore ldap-cert.jks \
  -storepass password \
  -file dip1-wl.csr
# Sign cert
keytool -gencert -keystore CA.jks \
  -keyalg RSA -validity 3560 \
  -dname "C=US,ST=New York,L=New York,O=domain.com,CN=dip1.domain.com" \
  -ext "SAN=DNS:dip1.domain.com,DNS:dip1,IP:127.0.0.1,IP:0.0.0.0,IP:10.10.10.45" \
  -storepass password -alias ca-cert \
  -infile dip1-wl.csr -outfile dip1-wl.cer \
  -storetype JKS
# Import the signed cert
keytool -importcert -keystore ldap-cert.jks \
  -storepass password -alias ldap-cert \
  -file dip1-wl.cer \
  -noprompt -trustcacerts \
  -storetype JKS

Now, let's continue with the OUD DIP keys. You will need to export the OUD admin key for DIP to connect over SSL. To get the OUD regular and admin certificates, run the below.
# Get your OUD key
keytool -export -alias ldap-cert -file /tmp/dip1-ca-root.csr -rfc -keystore /oud/certs/ldap-cert.jks -storetype JKS
# Create your DIP key from the OUD key
keytool -importcert -trustcacerts -alias oud-cert -file /tmp/dip1-ca-root.csr -keystore /oud/certs/dip1-dip2oud.jks
# Export the admin key (run from the OUD instance config directory, where admin-keystore and admin-keystore.pin live)
keytool -export -alias admin-cert -file /tmp/dip1-admin-cert -rfc -storepass `cat admin-keystore.pin` -keystore admin-keystore -storetype JKS
# Import the OUD admin key
keytool -importcert -trustcacerts -alias dip1-admin-cert -file /tmp/dip1-admin-cert -keystore /oud/certs/dip1-dip2oud.jks

You can also get the admin certificate by running the below (copy the BEGIN…END CERTIFICATE block).
openssl s_client -connect dip1.domain.com:4444 -verify 5
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Now let's start the WebLogic domain instance; you do so by running the below.
cd /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/bin/
nohup ./startWebLogic.sh &
# For logs, run:
tail -f nohup.out

Next, let's start the DIP WebLogic managed instance; you do so by running the below. But first create a boot.properties file (so no password is prompted at startup).
mkdir -p /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/servers/wls_ods1/security/
echo "username=admin" >/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/servers/wls_ods1/security/boot.properties
echo "password=password" >>/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/servers/wls_ods1/security/boot.properties
# Startup
nohup ./startManagedWebLogic.sh wls_ods1 &
# For logs, run:
tail -f nohup.out

Access console: http://dip1.domain.com:7001/console/
Access DIP: http://dip1.domain.com:7001/em/
Access OUDSM: http://dip1.domain.com:7001/oudsm

Next, we modify the DIP configuration with the JKS (certificate) location; this JKS is used for all SSL communication between DIP and OUD/AD/etc.
/oud/Oracle/Middleware/Oracle_Home/bin/manageDIPServerConfig set \
  -h localhost \
  -p 7005 \
  -D admin \
  -attribute keystorelocation \
  -val /oud/certs/dip1-dip2oud.jks
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.
The attribute keystorelocation is successfully changed to value /oud/certs/dip1-dip2oud.jks.

Next, we need to create a new WebLogic credential store entry (map dip, key jksKey) holding the keystore password.
cd /oud/Oracle/Middleware/Oracle_Home/oracle_common/common/bin
./wlst.sh
connect('admin','password','t3://localhost:7001')
createCred(map="dip",key="jksKey",user="jksuser",password="password")
exit()
DIP binding configuration
We are now ready to configure DIP with the OUD instance; you do so by running the below.

cd /oud/Oracle/Middleware/Oracle_Home/bin
./dipConfigurator setup \
  -wlshost dip1.domain.com \
  -wlsport 7001 \
  -wlsuser admin \
  -ldaphost dip1.domain.com \
  -ldapport 1636 \
  -ldapuser 'cn=directory manager' \
  -isldapssl true \
  -ldapadminport 4444
# If clustered, add the below.
  -isclustered false

Note: To view the DIP initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

# Add the DIP ACIs to your OUD instance.
ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w - <
[the ACI LDIF that followed here was not preserved on this page]

We are now ready to change DIP to SSL communication (mode 2); follow the below steps to do so.

cd /oud/Oracle/Middleware/Oracle_Home/bin
./manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D "admin"
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.
The attribute sslmode is successfully changed to value 2.

Next, modify the OUD SSL port.

./manageDIPServerConfig set \
  -attribute backendhostport \
  -val dip1.domain.com:1636 \
  -h localhost -p 7005 -D "admin"
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.
The attribute backendhostport is successfully changed to value dip1.domain.com:1636.

Finally, verify that DIP still works with SSL enabled. Note: You can test this from the DIP Web UI as well.

/oud/Oracle/Middleware/Oracle_Home/bin/dipStatus -h localhost -p 7005 -D admin
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.
ODIP Application is active at this host and port.

If all works, restart the DIP wls_ods1 instance; this is required for DIP to start using SSL.
Adding / Configuring SSL for DIP <-> AD communication
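The OUD admin certificate captured with openssl s_client earlier in this part, and the AD CA certificate that the ldapsearch queries in this section return as a base64 cACertificate attribute, both have to end up as a PEM file that keytool -importcert accepts. As an added example that is not part of the original post, the shell functions below do that conversion: one cuts the server certificate out of an s_client transcript, the other unfolds the LDIF continuation lines and wraps the base64 DER as PEM. The s_client transcript and the LDIF are constructed samples with made-up certificate bodies.

```sh
#!/bin/sh
# Added example, not from the original post: convert the certificate material
# collected in this part into PEM files for "keytool -importcert".
#  - pem_from_s_client: cut the server certificate out of an
#    "openssl s_client -connect host:port" transcript.
#  - pem_from_ldif_attr: take a base64 attribute such as "cACertificate::"
#    from ldapsearch LDIF output (AD stores DER there), unfold the LDIF
#    continuation lines and wrap the value as a PEM certificate.
# The transcript and LDIF below are constructed samples, not real certificates.

# Print the first -----BEGIN/END CERTIFICATE----- block read on stdin.
pem_from_s_client() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
        sed '/^-----END CERTIFICATE-----$/q'
}

# pem_from_ldif_attr ATTRIBUTE: read LDIF on stdin, emit the first value of
# "ATTRIBUTE:: <base64>" as PEM (base64 of DER is exactly the PEM body,
# re-wrapped at 64 columns). Attribute names are matched case-insensitively.
pem_from_ldif_attr() {
    awk -v attr="$1" '
        function emit(line,    prefix, val) {
            prefix = tolower(attr) "::"
            if (index(tolower(line), prefix) != 1) return
            val = substr(line, length(prefix) + 1)
            sub(/^ +/, "", val)
            print "-----BEGIN CERTIFICATE-----"
            while (length(val) > 64) { print substr(val, 1, 64); val = substr(val, 65) }
            if (val != "") print val
            print "-----END CERTIFICATE-----"
            found = 1
            exit
        }
        /^ /  { buf = buf substr($0, 2); next }   # LDIF continuation line
        { if (buf != "") emit(buf); buf = $0 }
        END   { if (!found && buf != "") emit(buf) }'
}

# import_into_truststore KEYSTORE ALIAS PEMFILE: the keytool step from the post,
# for a PEM produced by one of the functions above (prompts for the store password).
import_into_truststore() {
    keytool -importcert -trustcacerts -noprompt -keystore "$1" -alias "$2" -file "$3"
}

# Constructed sample of an "openssl s_client -connect dip1.domain.com:4444" run.
SAMPLE_S_CLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dip1.domain.com
   i:CN = ldap-ca.domain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfakeServerCertBodyLine1
MIIDfakeServerCertBodyLine2
-----END CERTIFICATE-----
subject=CN = dip1.domain.com
issuer=CN = ldap-ca.domain.com
---'

# Constructed sample of ldapsearch LDIF output with a folded base64 value
# (100 characters of made-up base64, split across a continuation line).
SAMPLE_LDIF='dn: CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local
cACertificate:: MIIDfakeBASE64contentOfAnADrootCAcertificate012345
 6789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst'

# Stand-alone demonstration: both conversions printed to stdout.
printf '%s\n' "$SAMPLE_S_CLIENT" | pem_from_s_client
printf '%s\n' "$SAMPLE_LDIF" | pem_from_ldif_attr cACertificate
```

In practice you would pipe the real command output through these functions, e.g. `openssl s_client -connect dip1.domain.com:4444 -verify 5 </dev/null | pem_from_s_client > /tmp/dip1-admin-cert` or `ldapsearch ... "cacertificate=*" | pem_from_ldif_attr cACertificate > /oud/certs/ad-cert.csr`, and then call import_into_truststore /oud/certs/dip1-dip2oud.jks ad1-ca-cert /oud/certs/ad-cert.csr. Check the imported entry with keytool -list -v and compare its fingerprint against the one the directory administrator expects before trusting it.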
To get the AD certificates, run the below.

ldapsearch -h ad1.domain.local -D "CN=Adm account,OU=Admin Accounts,DC=domain,DC=local" -w 'password' -b "cn=configuration,dc=domain,dc=local" "cacertificate=*" dn
ldapsearch -h ad1.domain.local -D "CN=Adm account,OU=Admin Accounts,DC=domain,DC=local" -w 'password' -b "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" "cacertificate=*"
# Note: You can also use openssl to retrieve the certificate.
openssl s_client -connect ad1.domain.com:636 -verify 5

Now, import/add the key to the DIP trust store.

keytool -importcert -trustcacerts -keystore /oud/certs/dip1-dip2oud.jks -file /oud/certs/ad-cert.csr -alias ad1-ca-cert

Note: AD 2008 R2 and below do not support TLS 1.2 out of the box. To set DIP to accept a minimum TLS version of 1.0, follow the steps below (from the Oracle documentation: https://docs.oracle.com/middleware/12213/dip/administer/GUID-5792E326-0A9E-4B16-83A7-CA8A7E1E1CC9.htm#OIMIG-GUID-89E0E64B-A175-4B22-BB86-AC7BC13059F2).

WebLogic: allow TLS 1.0
- From the domain home page, select the Managed Server (wls_ods1).
- From the WebLogic Server menu, choose System MBean Browser. The System MBean Browser page is displayed.
- Expand Configuration MBeans in the MBean navigation tree and then select com.bea > Server.
- Expand the Server node and then expand the Managed Server node (wls_ods1).
- From the Managed Server node, expand SSL and then select the Managed Server MBean. The Configuration MBean page is displayed.
- Select the Attributes tab and then select MinimumTLSProtocolVersion. The Attribute: MinimumTLSProtocolVersion page is displayed.

I select the below (details of the other options are available in the docs):
TLSv1: Specifies TLS V1.0 as the minimum protocol version enabled in SSL connections.
Note: Specifying the lowest version, i.e. TLSv1, includes TLSv1.1 and TLSv1.2.
OUD changes required for DIP
Allow already hashed passwords in OUD.

cd /oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin
./dsconfig -h localhost -p 4444 -D "cn=directory manager" -j /oud/certs/pw.txt -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set allow-pre-encoded-passwords:true

Enable the change log, if not already done, for cn=oraclecontext.

dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j /oud/certs/pw.txt -r 8989 -b cn=oraclecontext --trustAll --no-prompt
Configuring Password Sync
If you are synchronizing passwords, either from AD => OUD or from OUD => AD, run the below.

From AD => OUD: synchronize the password from a connected directory to Oracle Unified Directory by running setupPlugin, like the below.

$ORACLE_HOME/bin/dipConfigurator setupPlugin \
  -wlshost dip1.domain.com \
  -wlsport 7001 \
  -wlsuser admin \
  -ldaphost dip1.domain.com \
  -ldapport 1389 \
  -ldapuser 'cn=directory manager' \
  -isldapssl false \
  -ldapadminport 4444

Note: To view the Password Filter initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

From OUD => AD: enable/configure OUD password translation by running setupPasswordTranslation, like the below.

$ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation \
  -wlshost localhost \
  -wlsport 7001 \
  -wlsuser admin \
  -ldaphost dip1.domain.com \
  -ldapport 1389 \
  -ldapuser "cn=Directory Manager" \
  -isldapssl false \
  -ldapadminport 4444

Note: To view the Password Filter initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.
Troubleshooting and logging
To increase DIP logging you can do so in the Web UI or in logging.xml. The log configuration location is:

/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/config/fmwconfig/servers/wls_ods1/logging.xml
# Add the next lines to set logging to the max (32).
[the logging.xml lines were not preserved on this page]

Helpful links
- Pythian has also released a very helpful SlideShare, which can be found here.
- Oracle Support master note for DIP: Doc ID 1563196.1

In this article we have completed configuring the WLS and DIP instance. In Part 5 I am going to show you how to configure the ISW => DIP migration and the OUD <=> AD mappings. To continue reading Part 5, click here. Like what you're reading? Please provide feedback; any feedback is appreciated.