DevTech101

DevTech101
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 1.00 out of 5)
Loading...

Installing and configuring OUD proxy

Setup OUD user/group account

groupadd oud; useradd -g oud oud

Modify /etc/hosts

Make sure the FQDN is first in /etc/hosts

Create ZFS file systems

zfs create rpool/export/home/oud zfs create -o mountpoint=/oud rpool/oud zfs create -o mountpoint=/installs rpool/installs mkdir /installs/OUD

Configure proper owner

groupadd oud useradd -g oud oud cd ~oud cp /root/.bashrc . ln -s .bashrc .bash_profile chown -R oud:oud ~oud echo “export JAVA_HOME=/usr/java” >> ~oud/.bashrc chmod 777 /installs chown -R oud:oud /installs chown -R oud:oud /oud/

Install need packages

pkg install –accept pkg://solaris/SUNWxwplt java jdk-6 jdk pkg:/developer/xopen/xcu4 make gnu-make ucb

Configure passwords

passwd oud

OS Tuning

Create S50Net-Tunes.sh vi Net-Tunes.sh
echo "Applying the fowling IP tuning" 
set -x
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
# Directory Server Tuning
ndd -set /dev/tcp tcp_time_wait_interval        30000
ndd -set /dev/tcp tcp_conn_req_max_q            4096
ndd -set /dev/tcp tcp_keepalive_interval        600000
ndd -set /dev/tcp tcp_rexmit_interval_initial   500
ndd -set /dev/tcp tcp_smallest_anon_port        8192
ndd -set /dev/tcp tcp_deferred_ack_interval     5
set +x
chmod +x Net-Tunes.sh chown root:sys Net-Tunes.sh cd /etc/rc2.d/ ln -s /etc/init.d/Net-Tunes.sh S50Net-Tunes.sh

Copy and extract files

scp V37478-01.zip oud@ldap1:/installs/ cd /installs/OUD;unzip -qq ../V37478-01.zip

Install OUD Proxy

Note: Make sure to sue java 1.7.0_17-b02 for all products (included in sol11.1/SRU-6.0.4).

Options at installtion

./runInstaller -jreLoc /usr/java Select Inventory Directory: /oud/oraInventory Group: oud
  • run as root
/oud/oraInventory/createCentralInventory.sh skip regster OUD Base: /oud/Oracle/Middleware Oracle Home: Oracle_OUD1

Before configuring / create certificate

Generate self signed certificate

keytool -genkeypair -alias ldproxy1 -keyalg rsa -keysize 2048 -validity 3560 -dname “cn=ldproxy1.domain.com” -keystore /oud/certs/ldproxy1.jks -storetype JKS

Verify certificate key

keytool -list -alias ldproxy1 -keystore ldproxy1.jks -v

Get DSEE certifcate(s)

Note The below steps are not needed any more, since we accept the remote LDAP certificate at configure time. dsadm show-cert -F ascii /ldap1/ldap_inst1/ldap/ defaultCert > ldap1-cert-ascii keytool -importcert -alias ldap1 -file ldap1-cert-ascii -keystore ldap1.jks -storetype JCEKS -storepass password

Verify key

keytool -list -alias ldap1 -keystore ldap1.jks -storetype JCEKS -storepass password -v

Configuring OUD Proxy

Install the DS by running oud-proxy-setup

ssh -X oud@ldproxy1 /oud/Oracle/Middleware/Oracle_OUD1/oud-proxy-setup

Select the certificate

Select the certificate generate in /oud/certs Enter the cn=diretcory manager password

Select remote LDAP servers

Click next till the add remote LDAP servers screen Click Add remote server Select both ldap & ldaps Select get remote server certificate and save the certificate Add all Directory servers you would like to use with the proper ports
  • Set memory size:
Min: 256 Max: 2048 Complete the configuration Complete configuration

Add an SMTP alert handler

First enable / configure a server SMTP

/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig -h localhost -p 4444 -D “cn=directory manager” -j /tmp/pw.txt -n set-global-configuration-prop –set smtp-server:localhost –trustAll

Add in ODSM an SMTP alert ahndler

Add an SMTP alert handler Name: SMTP OUD-Alerts Email: sysadmin@domain.com

Proxy commend line tuning

OUD proxy thread performance tuning

Add the below commend list to a file, then execute dsconfig /oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig -j /tmp/pw.txt -n -F /installs/oud_config_cmds
delete-network-group --group-name network-group
create-network-group --group-name network-group --set enabled:true --set priority:100 --set allowed-auth-method:anonymous --set allowed-auth-method:simple --set allowed-auth-method:sasl --set workflow:workflow1 --set is-security-mandatory:false
set-connection-handler-prop --handler-name  LDAP\ Connection\ Handler --set num-request-handlers:2 --set max-request-size:0 --set max-blocked-write-time-limit:3600000\ ms
set-connection-handler-prop --handler-name  LDAPS\ Connection\ Handler --set num-request-handlers:2 --set max-request-size:0 --set max-blocked-write-time-limit:3600000\ ms
set-extension-prop --extension-name proxy1 --set remote-ldap-server-connect-timeout:5000 --set ssl-trust-all:true --set monitoring-connect-timeout:5000 --set monitoring-inactivity-timeout:120000 --set pool-initial-size:2 --set pool-increment:10 --set pool-max-size:1024 --set remote-ldap-server-read-timeout:20000
set-extension-prop --extension-name proxy2 --set remote-ldap-server-connect-timeout:5000 --set ssl-trust-all:true --set monitoring-connect-timeout:5000 --set monitoring-inactivity-timeout:120000 --set pool-initial-size:2 --set pool-increment:10 --set pool-max-size:1024 --set remote-ldap-server-read-timeout:20000

Modify the Max Size Limits

Under General Configuration Size Limit: 7000

How to start and stop the servers

As the OUD user just run

To start an instance

/oud/Oracle/Middleware/asinst_1/OUD/bin/start-ds

To stop an instance

/oud/Oracle/Middleware/asinst_1/OUD/bin/stop-ds

OUD LDAP error code list

OUD LDAP error code list

Add the new configured server to ODSM console

Appendix A – Create OUD proxy from commend line

Script to configure OUD proxy from commend line
# Create certificate 
keytool -genkeypair -alias ldproxy1 -keyalg rsa -keysize 2048 -validity 3560 -dname "cn=ldproxy1.domain.com" -keystore /oud/certs/ldproxy1.jks -storetype JKS
 
# Verify certificate
keytool -list -alias ldproxy1 -keystore ldproxy1.jks -v
 
# Create password files
echo password > /installs/certs/certPW.txt
echo dspassword > /installs/certs/pwdfile.txt
 
cp -r /installs/certs /oud/.
/oud/Oracle/Middleware/Oracle_OUD1/oud-proxy-setup --cli --ldapPort 1389 --adminConnectorPort 4444 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile 
/installs/certs/pwdfile.txt --doNotStart --enableStartTLS --ldapsPort 1636 --useJCEKS /installs/certs/ldproxy1.jks --keyStorePasswordFile /installs/certs
/certPW.txt --certNickname ldproxy1
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/start-ds
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-trust-manager-provider --provider-name "Backend Server ldap1.domain.com:389" --type file-based --set enabled:true --set trust-store-file:/oud/certs/ldap1.jks --set trust-store-type:JKS --set trust-store-pin-file:/oud/certs/certPW.txt --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-extension --type ldap-server --extension-name proxy1 --set enabled:true --set remote-ldap-server-address:ldap1.domain.com --set remote-ldap-server-port:389 --set remote-ldap-server-ssl-port:636 --set remote-ldap-server-ssl-policy:user --set ssl-trust-manager-provider:"Backend Server ldap1.domain.com:389" --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-workflow-element --set enabled:true --set client-cred-mode:use-client-identity --set ldap-server-extension:proxy1 --type proxy-ldap --element-name proxy-we1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-workflow-element --set enabled:true --type load-balancing --element-name load-bal-we1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-load-balancing-algorithm --type proportional --element-name load-bal-we1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-load-balancing-route --element-name load-bal-we1 --route-name load-bal-route1 --type proportional --set workflow-element:proxy-we1 --set add-weight:1 --set bind-weight:1 --set compare-weight:1 --set delete-weight:1 --set extended-weight:1 --set modify-weight:1 --set modifydn-weight:1 --set search-weight:1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-workflow --set base-dn:dc=domain,dc=com --set enabled:true --set workflow-element:load-bal-we1 --type generic --workflow-name workflow1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
 
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig set-network-group-prop --group-name network-group --add workflow:workflow1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt

Appendix B – keytool and certificates

keytool -genkeypair -alias ldproxy1 -keyalg rsa -keysize 2048 -validity 3560 -dname "cn=ldproxy1.domain.com" -keystore /var/tmp/ldproxy1.jks -storetype JKS
keytool -list -keystore /var/tmp/ldproxy1.jks -storepass password -storetype JKS -alias ldproxy1 -v
scp /var/tmp/ldproxy1.jks oud@ldproxy1:/installs/.
 
# export ODSEE in a pkcs#12 format
dsadm export-cert -o /tmp/ldap2.p12 /ldap1/ldap_inst1/ldap/ defaultCert
 
# save the cert in a java key store format
keytool -importkeystore -srckeystore ldap1.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ldap1.jks
 
# to verfy the key store
keytool -list -keystore ldap1.jks -v
 
# Note: To convert the CA to pkcs#12
openssl pkcs12 -export -out cacert.pfx -inkey cakey.pem -in cacert.pem -certfile cacert.pem
 
# To add to key chain
keytool -importkeystore -srckeystore ldap1.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ldap1.jks -srcalias defaultcert -destalias ldap1

Appendix C – ssltap

To capture ssl traffic
ssltap -p 1636 -vhfsxl ldproxy1.domain.com:1637 > /tmp/eli-out

References

keytool reference SL SASL ldapsearch examples Oracle Unified Directory Configuration Reference
%d bloggers like this: