Install and configure Oracle Internet Directory to resolve database names
Everyone who has worked with this type of DBMS knows about setting up access to the Oracle DBMS, which is stored in the tnsnames.ora file.
The data is stored in the tnsnames.ora file in a plain text form and can be easily changed using any text editor. It is good if there are not many records in it, but what to do if there are hundreds of databases in the organization, access to which needs to be provided from the hosts of users at various levels or from terminal servers. And if at one point the database moves to another host, or other changes occur that change the database access parameters, you need to change the access parameters everywhere.
Solutions can be offered a lot, including redirects, aliases, etc.
')
I'll describe here how to set up and configure a single repository for resolving database names using the Oracle Internet Directory OID, and how to apply for LDAP name resolution. This is much more convenient than keeping the tnsnames.ora file up to date in hundreds of places.
Installing and configuring the DBMS for the OID repository database is not described here; the key points are indicated for this particular configuration. With the licensing policy of Oracle in terms of products RDBMS Database, Oracle Fusion Middleware and Oracle Internet Directory you can find on the company's website.
The software was installed on a Linux OS (SUSE Linux Enterprise Server 11), for your OS you need to check with the compatibility matrix on oracle.com.
To install Standalone server (running NodeManager), the following versions of distributions were taken that are relevant at the time of setup:
JAVA: jdk-8u171-linux-x64.tar.gz
OID: fmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zip
RDBMS: 12.1.0.2 + PSU + Opatch of current versions
Install the software for the repository , which will store the OID scheme
DBMS Version 12.1.0.2 + PSU
DB. Create an “empty” database:
You must specify
AL32UTF8 encoding, include ORACLE TEXT in software installation
DB parameters:
open_cursors = 800
processes = 500
In addition, it was necessary to run the xaview.sql script, which turned out at the stage of checking the OID installation.
configure and raise LISTENER for the database.
So, an empty database is created by uhost-oid1: 1521 / oid1 (in this case, oid1-SID database) and is ready to create a repository in it.
Hereinafter, the home directory of the user oracle - / u / app / oracle
Unpack java and set the JAVA_HOME variable
Unpacking the OID
It turns out the file ./fmw_12.2.1.3.0_oid_linux64.bin
Check that it is executable if it is not doing so
Run:
(X-server forwarding must be configured beforehand), the java-based installer will start.
As ORACLE_HOME it was specified:
/ u / app / oracle / product / middleware / Oracle_IDM1
The software for oracle fusion middleware (FMW) and the Oracle Internet Directory will be installed along this path.
At the stage “installation type” we indicate STANDALONE.
Create schemas for the repository in the database, for this run rcu
At this stage, ODSSM, ODS and DEV_STB schemes are created (remember the password, it will be required when setting up domain components)
We create the domain in a separate folder from the software. For example, we specify:
/ u / app / oracle / config / domains / oid_domain
For the connection to the database, specify the parameters of the previously created schemes (and passwords)
When installing, set the login and password for the NodeManager (will be used later for connecting to the NodeManager and starting / stopping through the OID itself)
To run NodeManager, you need to generate a file with the keys: DemoIdentity.jks. (If, in addition to installing the OID, you install updates, then this step may not be necessary)
We will generate the “default” one so that we don’t have to worry about the keystore boot options in the domain config. It works with such parameters - this is the password for the default storage:
perform
(always with a dot, it doesn't work differently)
Go to the directory in which the file should be stored:
The key phrase DemoIdentityPassPhrase is just that, otherwise you will have to edit the domain config.
We need to deal with this, but we must first start to work.
It is necessary to configure the OID itself, otherwise the domain will not be able to connect to the repository database (see Problem 1 )
it is necessary in order that there were necessary libraries and were pulled up from necessary ORACLE_HOME
If anything, check with ldd where they look:
Must be on ORACLE_HOME with FMW software:
Errors, if this is not the case, see Problem2
Make sure the NodeManager is running.
Logs and configuration: / u / app / oracle / config / domains / oid_domain / nodemanager
Problem1:
Solution 1 : Go and generate DemoIdentity.jks as described above.
Problem2 :
Decision 2 : set the TNS_ADMIN variable and check the correctness of the login / password
At this point, variables should be set.
TNS_ADMIN
LD_LIBRARY_PATH
It is assumed that the NodeManager is already running.
Run the WLST utility:
We expose the variables that are needed to run the WLST utility.
then use the WLST utility to connect to the NodeManager. We will need the login and password specified during the installation (specified for the NodeManager, we have this weblogic)
Example output :
We start initialization, during which an instance is created with the name oid1.
In the line below:
odsPassword - password for the ODS scheme based on the repository, which was set during the execution of ./rcu
orcladminPassword - the password that will be used as cn = orcladmin to access LDAP
realmDN - LDAP - scheme to be configured
After execution, a component will be created (instance in terms of FMW) with the name oid1
Problem3 :
Log /u/app/oracle/config/domains/oid_domain/servers/OID/logs/oid1/oidmon*.log
contains
Solution3 :
Set the environment variable
LD_LIBRARY_PATH = / u / app / oracle / product / middleware / Oracle_IDM1 / lib: $ LD_LIBRARY_PATH
restart NodeManager
Run the component:
If for this reason the component was created but does not work, then we kill the oidmon process, change the process status parameters in the DBMS:
Connect Check:
You may need to re-initialize oid_setup
Problem4 . When trying to save to NetManager:
Solution4:
Run oid_setup again
Check the ldap.ora settings on the client from which Net Manager is launched
DEFAULT_ADMIN_CONTEXT = "dc = mycompany, dc = en"
Change OID parameter (to allow requests from anonymous users)
When creating a TNS name using net manager, but tnsping does not work.
Create a file:
cat anonymousbind.ldif
and modify the parameters using this file:
Diagnostics:
tnsping mytest does not work, a ldapsearch works
Check availability of ports 3060 and 3131 (for SSL)
so everything works (with the password)
mytest is an alias created earlier.
On the client side, the files in $ ORACLE_HOME / network / admin are:
ldap.ora
sqlnet.ora
tnsnames.ora
The tnsnames.ora file contains “local” aliases, as usual, and is used if no name is found in LDAP.
The sqlnet.ora file contains the description of the resolv order:
sqlnet.ora
LDAP file access parameters are set in ldap.ora
ldap.ora
In the described configuration, the following order is used.
First, the tnsnames.ora file is viewed, if the record was not found there, then we ask LDAP (if you need to change the order, change the order in the NAMES.DIRECTORY_PATH parameter
Next comes the query to the main LDAP server, if it is unavailable for some reason, go to the second server in the DIRECTORY_SERVERS list
The order of the survey in this case is not important, the first is better to specify the geographically closest server.
The default admin context (LDAP) is used for the default context so as not to specify mycompany.ru each time.
For the same reason, it is not recommended to use a dot in the alias entry, it perceives it as a domain.
Further I will tell how to configure replication between servers
The data is stored in the tnsnames.ora file in a plain text form and can be easily changed using any text editor. It is good if there are not many records in it, but what to do if there are hundreds of databases in the organization, access to which needs to be provided from the hosts of users at various levels or from terminal servers. And if at one point the database moves to another host, or other changes occur that change the database access parameters, you need to change the access parameters everywhere.
Solutions can be offered a lot, including redirects, aliases, etc.
')
I'll describe here how to set up and configure a single repository for resolving database names using the Oracle Internet Directory OID, and how to apply for LDAP name resolution. This is much more convenient than keeping the tnsnames.ora file up to date in hundreds of places.
Installing and configuring the DBMS for the OID repository database is not described here; the key points are indicated for this particular configuration. With the licensing policy of Oracle in terms of products RDBMS Database, Oracle Fusion Middleware and Oracle Internet Directory you can find on the company's website.
Software installation
The software was installed on a Linux OS (SUSE Linux Enterprise Server 11), for your OS you need to check with the compatibility matrix on oracle.com.
To install Standalone server (running NodeManager), the following versions of distributions were taken that are relevant at the time of setup:
JAVA: jdk-8u171-linux-x64.tar.gz
OID: fmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zip
RDBMS: 12.1.0.2 + PSU + Opatch of current versions
Install the software for the repository , which will store the OID scheme
DBMS Version 12.1.0.2 + PSU
DB. Create an “empty” database:
You must specify
AL32UTF8 encoding, include ORACLE TEXT in software installation
DB parameters:
open_cursors = 800
processes = 500
In addition, it was necessary to run the xaview.sql script, which turned out at the stage of checking the OID installation.
configure and raise LISTENER for the database.
So, an empty database is created by uhost-oid1: 1521 / oid1 (in this case, oid1-SID database) and is ready to create a repository in it.
Set OID
Hereinafter, the home directory of the user oracle - / u / app / oracle
Unpack java and set the JAVA_HOME variable
unzip jdk-8u171-linux-x64.tar.gz export JAVA_HOME=/u/app/oracle/jdk1.8.0_171 Unpacking the OID
unzip fmw_12.2.1.3.0_oid_linux64_Disk1_1of1.zip It turns out the file ./fmw_12.2.1.3.0_oid_linux64.bin
Check that it is executable if it is not doing so
chmod +x Run:
./fmw_12.2.1.3.0_oid_linux64.bin (X-server forwarding must be configured beforehand), the java-based installer will start.
As ORACLE_HOME it was specified:
/ u / app / oracle / product / middleware / Oracle_IDM1
The software for oracle fusion middleware (FMW) and the Oracle Internet Directory will be installed along this path.
At the stage “installation type” we indicate STANDALONE.
Create a repository (required schemas in the database)
Create schemas for the repository in the database, for this run rcu
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/bin/ ./rcu.sh At this stage, ODSSM, ODS and DEV_STB schemes are created (remember the password, it will be required when setting up domain components)
Create a domain in which OID will work for us (domain in terms of FMW)
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin ./config.sh We create the domain in a separate folder from the software. For example, we specify:
/ u / app / oracle / config / domains / oid_domain
For the connection to the database, specify the parameters of the previously created schemes (and passwords)
When installing, set the login and password for the NodeManager (will be used later for connecting to the NodeManager and starting / stopping through the OID itself)
Start NodeManager
To run NodeManager, you need to generate a file with the keys: DemoIdentity.jks. (If, in addition to installing the OID, you install updates, then this step may not be necessary)
We will generate the “default” one so that we don’t have to worry about the keystore boot options in the domain config. It works with such parameters - this is the password for the default storage:
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin perform
. setWlstEnv.sh (always with a dot, it doesn't work differently)
Go to the directory in which the file should be stored:
cd /u/app/oracle/config/domains/oid_domain/security java utils.CertGen -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey -strength 1024 -noskid java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile demokey -keyfilepass DemoIdentityPassPhrase -certfile democert.pem -keyfile demokey.pem -alias demoidentity The key phrase DemoIdentityPassPhrase is just that, otherwise you will have to edit the domain config.
We need to deal with this, but we must first start to work.
export TNS_ADMIN=/u/app/oracle/config/domains/oid_domain/config/fmwconfig/components/OID/config It is necessary to configure the OID itself, otherwise the domain will not be able to connect to the repository database (see Problem 1 )
export LD_LIBRARY_PATH=/u/app/oracle/product/middleware/Oracle_IDM1/lib:$LD_LIBRARY_PATH it is necessary in order that there were necessary libraries and were pulled up from necessary ORACLE_HOME
If anything, check with ldd where they look:
ldd /u/app/oracle/product/middleware/Oracle_IDM1/bin/oiddispd Must be on ORACLE_HOME with FMW software:
libclntsh.so.12.1 => /u/app/oracle/product/middleware/Oracle_IDM1/lib/libclntsh.so.12.1 Errors, if this is not the case, see Problem2
cd /u/app/oracle/config/domains/oid_domain/bin/ ./setStartupEnv.sh – . ./startNodeManager.sh & Make sure the NodeManager is running.
Logs and configuration: / u / app / oracle / config / domains / oid_domain / nodemanager
Problem1:
Jun 22, 2018 10:27:58 AM MSK Fatal error in NodeManager server weblogic.nodemanager.common.ConfigException: Identity key store file not found: /u/app/oracle/config/domains/oid_domain/security/DemoIdentity.jks Solution 1 : Go and generate DemoIdentity.jks as described above.
Problem2 :
Jun 28, 2018 12:20:08 PM MSK INFO /u/app/oracle/config/domains/oid_domain>><< password: confirm password: Unable to Connect to Database: Incorrect location for tnsnames.ora (derived from DOMAIN_HOME) or Incorrect TNS Connect string or Invalid Password > <createDbWallet domain: /u/app/oracle/config/domains/oid_domain, oidpasswd output: password: confirm password: Decision 2 : set the TNS_ADMIN variable and check the correctness of the login / password
Primary OID Configuration
At this point, variables should be set.
TNS_ADMIN
LD_LIBRARY_PATH
It is assumed that the NodeManager is already running.
Run the WLST utility:
cd /u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin export MW_HOME=$ORACLE_HOME We expose the variables that are needed to run the WLST utility.
./setHomeDirs.sh ./setWlstEnv.sh ./wlst.sh then use the WLST utility to connect to the NodeManager. We will need the login and password specified during the installation (specified for the NodeManager, we have this weblogic)
nmConnect(username='weblogic',password=' NodeManager ',domainName='oid_domain') Example output :
[13:45][uhost-oid1.oracle.:/u/app/oracle/product/middleware/Oracle_IDM1/oracle_common/common/bin]$ ./wlst.sh Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands wls:/offline> nmConnect(username='weblogic',password='*****',domainName='oid_domain') Connecting to Node Manager ... Successfully Connected to Node Manager. We start initialization, during which an instance is created with the name oid1.
In the line below:
odsPassword - password for the ODS scheme based on the repository, which was set during the execution of ./rcu
orcladminPassword - the password that will be used as cn = orcladmin to access LDAP
realmDN - LDAP - scheme to be configured
oid_setup(orcladminPassword='****',odsPassword='***',realmDN='dc=mycompany,dc=ru') After execution, a component will be created (instance in terms of FMW) with the name oid1
Problem3 :
Log /u/app/oracle/config/domains/oid_domain/servers/OID/logs/oid1/oidmon*.log
contains
/u/app/oracle/product/middleware/Oracle_IDM1/wlserver/../bin/oiddispd: <b>error while loading shared libraries</b>: libclntshcore.so.12.1: cannot open shared object file: No such file or directory Solution3 :
Set the environment variable
LD_LIBRARY_PATH = / u / app / oracle / product / middleware / Oracle_IDM1 / lib: $ LD_LIBRARY_PATH
restart NodeManager
Run the component:
cd /u/app/oracle/config/domains/oid_domain/bin/ nohup ./startNodeManager.sh & ./startComponent.sh oid1 If for this reason the component was created but does not work, then we kill the oidmon process, change the process status parameters in the DBMS:
ps –ef|grep oidmon kill oidmon sqlplus / as sysdba update ods.ods_process_status set pid=0 where compname='oid1'; update ods.ods_process_status set state=4 where compname='oid1'; Connect Check:
./ldapbind -h localhost -p 3060 ./ldapbind -h localhost -p 3131 -U 1 -D 'cn=orcladmin' -w **** You may need to re-initialize oid_setup
Problem4 . When trying to save to NetManager:
oracle.net.common.dataStore.DataStoreException: error writing ServiceAlias to: LDAPDataStore [svr: uhost-oid1.mycompany.ru:3060:3131, type: OID, ctxt: cn=OracleContext,dc=mycompany,dc=ru, home: C:\oracle\product\12.1.0\client_1] original exception message: TNS-04409: caused by: oracle.net.config.DirectoryServiceException: TNS-04405: caused by: oracle.net.ldap.NNFLException original stack trace: oracle.net.config.ServiceAliasException: TNS-04409: caused by: oracle.net.config.DirectoryServiceException: TNS-04405: caused by: oracle.net.ldap.NNFLException oracle.net.config.DirectoryServiceException: TNS-04405: caused by: oracle.net.ldap.NNFLException oracle.net.ldap.NNFLException Solution4:
Run oid_setup again
Check the ldap.ora settings on the client from which Net Manager is launched
DEFAULT_ADMIN_CONTEXT = "dc = mycompany, dc = en"
Change OID parameter (to allow requests from anonymous users)
When creating a TNS name using net manager, but tnsping does not work.
Create a file:
cat anonymousbind.ldif
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry changetype: modify replace: orclAnonymousBindsFlag orclAnonymousBindsFlag: 1 and modify the parameters using this file:
ldapmodify -D cn=orcladmin -W -p 3131 -h localhost -f anonymousbind.ldif Diagnostics:
tnsping mytest does not work, a ldapsearch works
Check availability of ports 3060 and 3131 (for SSL)
so everything works (with the password)
ldapsearch -h uhost-oid1.mycompany.ru -p 3060 -D "cn=orcladmin" -w password_hear -b "cn=mytest,cn=OracleContext,dc=mycompany,dc=ru" -s base "objectclass=*" mytest is an alias created earlier.
Client settings
On the client side, the files in $ ORACLE_HOME / network / admin are:
ldap.ora
sqlnet.ora
tnsnames.ora
The tnsnames.ora file contains “local” aliases, as usual, and is used if no name is found in LDAP.
The sqlnet.ora file contains the description of the resolv order:
sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES,LDAP)
LDAP file access parameters are set in ldap.ora
ldap.ora
DIRECTORY_SERVERS = (uhost-oid1.mycompany.ru:3060:3131,rephost-oid1.mycompany.ru:3060:3131) DIRECTORY_SERVER_TYPE = OID DEFAULT_ADMIN_CONTEXT = "dc=mycompany,dc=ru" In the described configuration, the following order is used.
First, the tnsnames.ora file is viewed, if the record was not found there, then we ask LDAP (if you need to change the order, change the order in the NAMES.DIRECTORY_PATH parameter
Next comes the query to the main LDAP server, if it is unavailable for some reason, go to the second server in the DIRECTORY_SERVERS list
The order of the survey in this case is not important, the first is better to specify the geographically closest server.
The default admin context (LDAP) is used for the default context so as not to specify mycompany.ru each time.
For the same reason, it is not recommended to use a dot in the alias entry, it perceives it as a domain.
Further I will tell how to configure replication between servers
Source: https://habr.com/ru/post/426273/
All Articles