I was recently involved with a complex Oracle Directory Server migration. In the next few posts I am going to share my experience with the migration process: the steps to complete a successful migration and, of course, the pitfalls and issues.
The environment involved consists of the following.
Coming from:
Oracle Directory Server Enterprise Edition (ODSEE), multi-master across multiple datacenters,
and Identity Synchronization for Windows (ISW), used for
Going to:
ODSEE => Oracle Unified Directory (OUD) 12c
WebLogic Server 12c (Fusion Middleware Infrastructure installer), used for DIP and OUDSM
ISW => Directory Integration Platform (DIP) 12c
Last, Oracle Unified Directory Gateway was used to keep the two environments in sync at the time of the migration.
Note: with the configuration below I avoided the Oracle Database that OID (used here only for DIP) would otherwise require.
Since the migration is quite complex, I divided the configuration into separate parts.
- Part 1: Downloading the required software, creating the required environment, installing OUD.
- Part 2: Configuring OUD, installing and configuring the OUD Gateway (ODSEE replication) and the required changes.
- Part 3: Installing and configuring the WLS, OID and OUD components required for the DIP instance.
- Part 4: Configuring the WLS domain and the DIP instance.
- Part 5: Configuring the ISW => DIP migration and the OUD <=> AD mappings.
- Part 6: OUD backups.
Creating OUD related environment
First, let's create the OUD environment. Note: I am using Solaris + ZFS to manage the file systems; feel free to use the file system of your choice.
# Create the oud group and user (on Solaris the home directory defaults to /export/home/oud)
groupadd oud
useradd -g oud oud
# Create the OUD file systems
zfs create rpool/export/home/oud
zfs create -o mountpoint=/oud rpool/oud
zfs create -o mountpoint=/installs rpool/installs
mkdir -p /installs/OUD
Create ~oud/.bashrc with the content below. ORACLE_HOME is exported before it is used in PATH; in the original ordering $ORACLE_HOME was still empty when PATH was built.
# OUD .bashrc
export JAVA_HOME=/usr/java
export ORACLE_HOME=/oud/Oracle/Middleware/Oracle_Home
export DOMAIN_HOME=$ORACLE_HOME/user_projects/domains/base_domain
export WL_HOME=$ORACLE_HOME/wlserver
export PATH=$PATH:$ORACLE_HOME/asinst_1/OUD/bin:$ORACLE_HOME/oud/bin:$ORACLE_HOME/OPatch:$ORACLE_HOME/oracle_common/common/bin
Then fix ownership and permissions on the OUD file systems.
cd ~oud
ln -s .bashrc .bash_profile
chown -R oud:oud ~oud
# 755 rather than 777: a world-writable /installs would let any local user replace the installers before they are run
chmod 755 /installs
chown -R oud:oud /installs
chown -R oud:oud /oud/
# set the oud password
passwd oud
Downloading the required software
OUD requires Java 1.8 and a compiler toolchain. On Solaris it is as simple as running the below to install them (on Linux use yum, apt, etc.).
pkg install --accept pkg://solaris/SUNWxwplt pkg:/developer/xopen/xcu4 make gnu-make ucb runtime/java/jre-8 developer/java/jdk-8 gcc
# Verify the Java version
java -version
Create the install directories.
mkdir -p /installs/OID /installs/OUD /installs/WLS
Below are the software components you will need to successfully complete the migration. Verify each download against the checksum Oracle publishes on the download page before running it.
- WebLogic: from Oracle Fusion Middleware Software Downloads select Oracle WebLogic Server 12cR2 (12.2.1.3) > Fusion Middleware Infrastructure installer (about 1.5GB). Save to /installs/WLS.
- OUD: download Oracle Unified Directory 12cPS3 (12.2.1.3.0), selecting the generic installer. Save to /installs/OUD.
- OID: download Oracle Internet Directory 12cPS3 (12.2.1.3.0). Save to /installs/OID.
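Before launching any installer it is worth checking that the environment above really came out as intended: the directories exist and belong to oud, nothing under /installs is world-writable, the installer archive is in place, and the java on PATH is a Java 8. The script below is an added example, not part of the original post or of Oracle's tooling. The paths and the oud owner are the ones used above; the function names, and the helper that parses the java -version banner, are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: preflight checks for the
# environment prepared above, run before the installers. Paths and the "oud"
# owner are the post's; the function names are my own.

# java_major VERSION_LINE -> prints the major release from the first line of
# "java -version": "1.8.0_292" is release 8, "11.0.2" is release 11.
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p')
  case "$v" in
    '')  return 1 ;;
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# check_dir DIR OWNER -> 0 if DIR exists, is owned by OWNER and is not
# world-writable (a 777 /installs lets any local user swap the installers).
check_dir() {
  [ -d "$1" ] || { echo "preflight: missing directory $1" >&2; return 1; }
  owner=$(ls -ld "$1" | awk '{print $3}')
  [ "$owner" = "$2" ] || { echo "preflight: $1 owned by $owner, expected $2" >&2; return 1; }
  # columns 8-10 of "ls -ld" are the permission bits for "other"
  case "$(ls -ld "$1" | cut -c8-10)" in
    *w*) echo "preflight: $1 is world-writable" >&2; return 1 ;;
  esac
  return 0
}

# check_installer FILE -> 0 if the installer archive exists and is non-empty
check_installer() {
  [ -s "$1" ] || { echo "preflight: installer $1 missing or empty" >&2; return 1; }
}

# preflight -> runs every check against the post's layout; the return value is
# the number of failed checks, so "preflight && echo OK" works as a gate.
preflight() {
  fails=0
  for d in /oud /installs /installs/OUD /installs/WLS /installs/OID; do
    check_dir "$d" oud || fails=$((fails + 1))
  done
  check_installer /installs/OUD/fmw_12.2.1.3.0_oud.jar || fails=$((fails + 1))
  if command -v java >/dev/null 2>&1; then
    ver=$(java -version 2>&1 | head -n 1)
    [ "$(java_major "$ver")" = 8 ] || {
      echo "preflight: OUD 12c needs Java 8, found: $ver" >&2
      fails=$((fails + 1))
    }
  else
    echo "preflight: java not on PATH" >&2
    fails=$((fails + 1))
  fi
  return $fails
}
```

Source the file as root once the steps above are done and run preflight; each failed check is reported on stderr and the exit status is the failure count, so it can gate the installer run in a wrapper script.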
Installing OUD Multi-Master
Installing OUD
cd /installs/OUD
java -jar fmw_12.2.1.3.0_oud.jar
In the installer, set the Oracle Home to /oud/Oracle/Middleware/Oracle_Home, select "Standalone Oracle Unified Directory Server (Managed independently of WebLogic server)" and complete the installation. Below are a few screen captures of the OUD installation.
Install the OUD patches. Run opatch as the oud user with ORACLE_HOME set (the .bashrc above takes care of that).
cd /installs/OUD/patch/27742743
opatch apply
Before we continue we need to create the certificate keys. I will be using one key for all of the multi-master DNS and IP names outlined below. One shared key is convenient, but a compromise of any one master exposes the private key of all of them, so keep the keystore readable only by the oud user. If using a self-signed certificate without a CA, run the below.
# Self-signed server certificate. -storetype JKS matches the .jks file name (OUD 12c also accepts PKCS12 keystores).
# IP:0.0.0.0 is left out of the SAN: it is a bind-any address, not an address any client connects to.
# 3560 days is almost ten years; shorten it if your rotation policy requires.
keytool -genkeypair -alias ldap-cert -keyalg RSA -keysize 2048 -validity 3560 \
  -dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap.domain.com" \
  -ext "SAN=DNS:ldap1,DNS:ldap2,DNS:ldap3,DNS:ldap4,DNS:dip1,DNS:dip1.domain.com,DNS:ldap1.domain.com,DNS:ldap2.domain.com,DNS:ldap3.domain.com,DNS:ldap4.domain.com,DNS:ldap.domain.com,IP:127.0.0.1,IP:10.10.10.41,IP:10.10.10.42,IP:10.10.10.43,IP:10.10.10.44,IP:10.10.10.45" \
  -keystore ldap-cert.jks -storetype JKS
With a CA: if you want a self-signed CA that signs the server certificate, run the below. Replace "password" with real store and key passwords; passing them on the command line leaves them in the shell history, so clear it afterwards or use the -storepass:file form keytool supports. Keep CA.jks off the LDAP servers; only ldap-cert.jks needs to be deployed.
# Create the self-signed CA
keytool -genkeypair -alias ca-cert \
  -keystore CA.jks -storetype JKS \
  -keyalg RSA -keysize 2048 -validity 3560 \
  -dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap-ca.domain.com" \
  -storepass password -keypass password \
  -ext bc=ca:true
# Create the server key pair (explicit -keyalg RSA: keytool on Java 8 defaults to DSA)
keytool -genkeypair -alias ldap-cert \
  -keystore CA.jks -storetype JKS \
  -keyalg RSA -keysize 2048 \
  -dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap.domain.com" \
  -ext "SAN=DNS:ldap1,DNS:ldap2,DNS:ldap3,DNS:ldap4,DNS:dip1,DNS:dip1.domain.com,DNS:ldap1.domain.com,DNS:ldap2.domain.com,DNS:ldap3.domain.com,DNS:ldap4.domain.com,DNS:ldap.domain.com,IP:127.0.0.1,IP:10.10.10.41,IP:10.10.10.42,IP:10.10.10.43,IP:10.10.10.44,IP:10.10.10.45" \
  -storepass password -keypass password
# Create the certificate request
keytool -certreq -alias ldap-cert \
  -keystore CA.jks -storetype JKS \
  -file ldap-cert.csr \
  -storepass password
# Sign the request with the CA key (-dname and -ext on -gencert set the subject and SAN of the issued certificate)
keytool -gencert -alias ca-cert \
  -keystore CA.jks -storetype JKS \
  -validity 3560 -rfc \
  -dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap.domain.com" \
  -ext "SAN=DNS:ldap1,DNS:ldap2,DNS:ldap3,DNS:ldap4,DNS:dip1,DNS:dip1.domain.com,DNS:ldap1.domain.com,DNS:ldap2.domain.com,DNS:ldap3.domain.com,DNS:ldap4.domain.com,DNS:ldap.domain.com,IP:127.0.0.1,IP:10.10.10.41,IP:10.10.10.42,IP:10.10.10.43,IP:10.10.10.44,IP:10.10.10.45" \
  -storepass password -keypass password \
  -infile ldap-cert.csr -outfile ldap-cert.cer
# Import the signed certificate back onto the ldap-cert key entry in CA.jks.
# Importing it into an empty ldap-cert.jks would only create a trusted-certificate entry with no private key,
# which OUD cannot serve; the reply has to land on the alias that owns the key. keytool builds the chain from
# the ca-cert entry already in the keystore.
keytool -importcert -alias ldap-cert \
  -keystore CA.jks -storetype JKS \
  -storepass password -keypass password \
  -file ldap-cert.cer -noprompt
# Copy only the server key entry (private key plus CA-signed chain) into the keystore the servers will use
keytool -importkeystore \
  -srckeystore CA.jks -srcstoretype JKS -srcstorepass password \
  -srcalias ldap-cert -srckeypass password \
  -destkeystore ldap-cert.jks -deststoretype JKS -deststorepass password -destkeypass password
# Verify: ldap-cert.jks must show one PrivateKeyEntry for ldap-cert with a certificate chain length of 2
keytool -v -list -keystore CA.jks -storepass password
keytool -v -list -keystore ldap-cert.jks -storepass password
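The SAN lists above are long and hand-typed, which is how stray entries such as IP:0.0.0.0 (a bind-any address that no client ever connects to or verifies) end up in a certificate. The snippet below is an added example, not from the original post or from Oracle's tooling: it builds the -ext SAN=... value from a host inventory so every master gets its short and fully qualified name exactly once, and rejects addresses that do not belong in a certificate. The host names, domain and addresses are the ones used above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of Oracle's tooling: build
# the keytool "-ext SAN=..." value from a host inventory so the self-signed
# and CA-signed commands use the same, checked name list. Host names, domain
# and addresses below are the post's; function names are my own.

# valid_san_ip ADDR -> 0 if ADDR is a dotted-quad IPv4 address that belongs in
# a certificate. 0.0.0.0 is rejected: it is the "bind to every interface"
# wildcard, never an address a client connects to or verifies.
valid_san_ip() {
  case "$1" in
    0.0.0.0) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# append_unique LIST ENTRY -> prints the comma-separated LIST with ENTRY
# appended unless it is already present.
append_unique() {
  case ",$1," in
    *",$2,"*) printf '%s' "$1" ;;
    *) if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s,%s' "$1" "$2"; fi ;;
  esac
}

# build_san "HOST ..." DOMAIN "IP ..." -> prints the SAN extension value.
# Every short host name gets a short and a fully qualified entry; bad IPs are
# reported on stderr and left out instead of silently ending up in the cert.
build_san() {
  hosts=$1
  domain=$2
  ips=$3
  san=""
  for h in $hosts; do
    san=$(append_unique "$san" "DNS:$h")
    san=$(append_unique "$san" "DNS:$h.$domain")
  done
  for ip in $ips; do
    if valid_san_ip "$ip"; then
      san=$(append_unique "$san" "IP:$ip")
    else
      echo "build_san: skipping '$ip', not a usable SAN address" >&2
    fi
  done
  printf 'SAN=%s\n' "$san"
}

# Constructed inventory: the post's four masters, the DIP host, the ldap alias
# and the listener addresses, including the 0.0.0.0 the post's SAN carried.
build_san "ldap1 ldap2 ldap3 ldap4 dip1 ldap" domain.com \
  "127.0.0.1 0.0.0.0 10.10.10.41 10.10.10.42 10.10.10.43 10.10.10.44 10.10.10.45"
```

Use the output as the argument to -ext in both the self-signed and the CA-signed keytool commands, for example -ext "$(build_san "ldap1 ldap2 ldap3 ldap4 dip1 ldap" domain.com "127.0.0.1 10.10.10.41")", so the two variants cannot drift apart and a typo in one host name shows up as a missing entry rather than a TLS hostname mismatch after rollout.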
Let's copy the keystore we are going to use to /oud/certs. It holds the private key, so make it readable only by the oud user.
mkdir -p /oud/certs
cp ldap-cert.jks /oud/certs
chown -R oud:oud /oud/certs
chmod 700 /oud/certs
chmod 600 /oud/certs/ldap-cert.jks
So far we have completed the OUD installation. In Part 2 I am going to show you how to configure OUD multi-master and how to install and configure the OUD Gateway. Like what you're reading? Please provide feedback; any feedback is appreciated.