2 Managing ODI Setup

This chapter helps you to manage the ODI setup that you have provisioned on Oracle Cloud Marketplace.

It contains the following sections:

2.1 Working with ODI Linux Services

The following table lists all the available services in ODI marketplace installation for applicable technology and stack deployment:

Name of the Linux Service Database Technology Type of Stack Deployment Supported Release Versions Funtions
agentodi.service MYSQL,ADB ODI Studio Supported in release(s) prior to 12.2.1.4.200618 version of ODI Marketplace. You can start, stop and check the status of the service.
mysqlodi.service MYSQL ODI Studio Supported in release(s) prior to 12.2.1.4.200618 version of ODI Marketplace. You can start, stop and check the status of the service.
manageodiapps.service MYSQL,ADB ODI Studio, Oracle Data Transforms Supported only from ODI Web V12.2.1.4.200618 and later versions of ODI Marketplace. You can only check the status of the service. Use the python commands listed below, to start, stop and restart the ODI Agent and/or Oracle Data Transforms.

2.2 Changing Repository in Oracle Data Transforms / Oracle Data Transforms Administrator

Follow the below procedure to change repository in Oracle Data Transforms (if not already created):
  1. Launch ODI Studio.
  2. Select the option Connect to Repository.
  3. Create new login using '+' icon and provide the connection details.
  4. Click Test and then click OK, if test connection is successful.
  5. Click OK on the Oracle Data Integrator Login dialog.

2.3 Switching Repositories of the ODI App Server

You can switch to any existing ADB or DBCS repository from existing ODI VM Instance.

Note:

You can switch between repositories only when the repositories in stack mode and repo mode match.

In ODI App Server, you can switch repository in the following technologies:

  • Switching from ADB to ADB
  • Switching from MYSQL to ADB or DBCS

    Note:

    But the reverse (switching back to MYSQL from ADB or DBCS) is not supported.
  • Switching from DBCS to DBCS
  • Switching from DBCS or ADB

Note:

Stop the server before running any configuration using the following command:
python manageOdiApps.py shutdown

For more information, refer to Managing ODI App Server.

Switching Between ADB Repositories

If you already have a ADB repository in which you have your transformation project developed and wish to continue with your development in the same repository, follow the below procedure to switch from the new ADB repository (that you just created) to your existing ADB repository:

  1. Create odi-setup.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    dbTech=ADB
    rcuCreationMode=false
    odiSchemaPassword=<valid password>
    odiSchemaUser=<odi schema username>
    odiSupervisorPassword=<odi SUPERVISOR password>
    walletZipLoc=<path_to_zipped_wallet>
    workRepoName=<WORK REPO NAME>
    adwInstancePassword= <adw Instance password>

    Note:

    • workRepoName=<WORK REPO NAME> is an optional property but you may have to configure this property if your default work repository name is not WORKREP.
    • adwInstancePassword= <adw Instance password> is an optional property but configure this property only when you have used OPTACH for applying a patch on your ODI instance and wish to run Upgrade Assistant (UA) using the configuration script odiMPConfiguration.py.
  2. Create repository.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    masterReposDriver=oracle.jdbc.OracleDriver
    masterReposUser=<odi schema username>
    workReposName=<WORK REPO NAME>
  3. Navigate to the location $MW_HOME/odi/common/scripts directory and execute the following python scripts in the given order:
    python odiMPConfiguration.py
    python manageOdiApps.py start

Note:

Stop the server before running any configuration. For more information on this, refer to Managing ODI App Server.

Switching Between DBCS Repositories

If you already have a DBCS repository in which you have your transformation project developed and wish to continue with your development in the same repository, follow the below procedure to switch from the new DBCS repository (that you just created) to your existing DBCS repository:

  1. Create odi-setup.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    dbTech=DBCS
    dbHost=<IP Address of the DBCS Instance>
    dbPort=<port of DBCS Instance>
    dbServiceName=<Service Name of DBCS Instance>
    odiSchemaUser=<odi schema username>
    odiSchemaPassword=<valid password>
    odiSupervisorPassword=<odi SUPERVISOR password>
    workRepoName=<WORK REPO NAME>
  2. Create repository.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    masterReposDriver=oracle.jdbc.OracleDriver
    masterReposUser=<odi schema username>
    workReposName=<WORK REPO NAME>
  3. Navigate to the location $MW_HOME/odi/common/scripts directory and execute the following python scripts in the given order:
    python odiMPConfiguration.py
    python manageOdiApps.py start

2.4 Managing ODI App Server

The following commands help you to manage ODI App server associated with your provisioned ODI instance on Oracle Cloud Marketplace.

Applications available in Oracle Data Transforms are:

APPODIAGENT, APPODIREST, APPODIWEBSTUDIO

Application available in ODI Studio are:

APPODIAGENT

You can use ODI App Server to manage all the ODI applications deployed in ODI App Server.

Navigate to the location $MW_HOME/odi/common/scripts to run the following commands:

  • Use the following command to check the status of the service (as the oracle user):

    Note:

    This command is not applicable for Oracle Data Transforms.
    systemctl status manageodiapps.service

    Note:

    You cannot use this command to start or stop the service.
  • Use the following command to start the service:
    python manageOdiApps.py start
  • Use the following command to shutdown the service:
    python manageOdiApps.py shutdown
  • Use the following command to restart the service:
    python manageOdiApps.py restart

    Note:

    When you execute any of the above python manageOdiApps.py commands, the terminal holds the session to run the jetty sever. Open a new terminal, if you wish to perform any other operations.
  • Use the following command to start all the applications associated with the service:
    python manageOdiApps.py start -apps=<allowed values>
    
    allowed values: all or APPODIWEBSTUDIO/APPODIREST/APPODIAGENT with combination separated by ","

    Note:

    For starting the applications,
    • In Oracle Data Transforms, use APPODIWEBSTUDIO/APPODIREST/APPODIAGENT as allowed values
    • In ODI Studio, use APPODIAGENT. Other values are not supported.
  • Use the following command to stop all the applications associated with the service:

    Note:

    For stopping the applications,
    • In Oracle Data Transforms, use APPODIWEBSTUDIO/APPODIREST/APPODIAGENT as allowed values
    • In ODI Studio, use APPODIAGENT to stop the applications without stopping the jetty server. Other values are not supported.
    python manageOdiApps.py stop -apps=<allowed values>
    
    allowed values: all or APPODIWEBSTUDIO/APPODIREST/APPODIAGENT with combination separated by ","

    Note:

    When you execute the command python manageOdiApps.py, two log files odiagent.log and odi_adp_rest_txt.log are created. For details on the location of the files, refer to Log Files Location.
  • Use the following command to get the status of all applications associated with the service:
    python manageOdiApps.py status
  • If you have provisioned this stack prior to 12.2.1.4.200618 release version of ODI Marketplace or if you have provisioned this stack for ODI Studio, follow the below procedure to manage your ODI Agent lifecycle:
    • To stop the ODI Agent:
      python stopAgent.py
    • To start the ODI Agent:
      python startAgent.py $MW_HOME

    Note:

    The script files stopAgent.py and startAgent.py are not applicable for Oracle Data Transforms stack deployment.

2.5 Managing ODI Credential

If you have either updated the odi schema password on the database or the SUPERVISOR password in ODI repository, you can use the manageCredentials.py script to update or manage ODI credentials required to start the ODI App Server successfully.

Navigate to the location $MW_HOME/odi/common/scripts to run the following commands:

S.No. Key Name
1 odiSchemaPassword
2 odiSupervisorPassword
Use the following command to set the credential key in the Credential Store:
python manageCredentials.py set <Key Name>=<value>

Use the following command to get the credential key value stored in the Credential Store:

python manageCredentials.py read <key Name>

2.6 Configuring Proxy Settings

Depending on your network, you can setup a proxy for ODI. Proxy may be required for accessing certain hosts, for example - Oracle Object Storage.

Note:

Depending on your OCI network configurations, you may or may not require access through proxy-hosts. While you are connecting through proxy, make sure that the proxy address/port or the source dataserver is allowed through OCI VCN configurations.

You can set proxy:

  • In ODI Studio or ODI Studio Administrator
  • For ODI Agent
  • In ODI App server

To set proxy in ODI Studio and Oracle Data Transforms Administrator, navigate to Tools, Preferences, Web Browser and Proxy, to setup a proxy for your network.

Follow the below procedure to set proxy for ODI Agent if, you have provisioned this stack prior to 12.2.1.4.200618 release version of ODI Marketplace:

Note:

For backward compatibility, use the scripts startAgent.py and stopAgent.py to manage ODI Agent Lifecycle.
  1. From the location $MW_HOME/oracle/odi/common/scripts, locate and edit the file startAgent.py and add the following lines after the property after -Drepo.props=
    -Xms1024m -Xmx4048 -cp
    -Dhttp.proxyHost=www-proxy-xxx.com -Dhttp.proxyPort=80 
    -Dhttps.proxyHost=www-proxy-xxx.com -Dhttps.proxyPort=80 -cp 

    For example, after adding the above lines, your file should be like this:

    subprocess.call('nohup java 
    -Drepo.props=odi-setup.properties
     -Xms1024m -Xmx4048 -cp
    -Dhttp.proxyHost=www-proxy-xxx.com -Dhttp.proxyPort=80 
    -Dhttps.proxyHost=www-proxy-xxx.com -Dhttps.proxyPort=80 -cp 
    $AGENTCLASSPATH oracle.odi.OdiStandaloneAgentStarter'+' '+oraclediagentPath+" 
    &", shell=True) 
  2. Save the file and use the following command to start the agent:
    python startAgent.py $MW_HOME

    Note:

    Ensure you do not add any extra lines or space or tab on the file startAgent.py. Just add -D option within the line content. It is a python script and it requires proper line indentation to work.
  3. Test the standalone agent from ODI studio to see if the agent has started successfully. Then execute the packages/mappings using the standalone agent.

Note:

If you are using a BI Cloud Connector Dataserver, you may need to add the BI Cloud Connector host to the Proxy Exclusion field.

Follow the below procedure to set proxy in ODI App Server:

  1. Open the script file manageOdiApps.py.
  2. Find the below lines in the file:
    JETTY_SERVER_COMMAND_STR = 'java -DAPP_LOGS='+APP_LOGS+' -Dconfig.template.file=../../apps/webapps.template.yaml -Dapps.config=../../apps/webapps.yaml -Drepo.props=odi-setup.properties -Drestrepo.props=repository.properties -Djetty.enabled=true -Dagent.logging.config=../logging/agent-logging-config.xml -cp $CLASSPATH oracle.odi.setup.util.ODIMPJettyServerAppsManager
  3. After the above lines, add the below line before -cp:
    -Dhttp.proxyHost=<proxyhost> -Dhttp.proxyPort=<proxy port> -Dhttps.proxyHost=<proxyhost> -Dhttps.proxyPort=<proxy port>
  4. Save the file.
  5. Restart the ODI App server.

2.7 Configuring Email Delivery Service

Oracle Cloud Marketplace Email Delivery is an email sending service that provides a fast and reliable managed solution for sending high-volume emails that need to reach your recipients' inbox.

Email Delivery provides the tools necessary to send application-generated email for mission-critical communications such as receipts, fraud detection alerts, multi-factor identity verification, and password resets. You can set up the Email Delivery service within the Console. To begin sending email with Email Delivery, complete the following steps:
  • Generate SMTP credentials for a user
  • Set up permissions
  • Create an approved sender
  • Configure SPF on the approved sender domain
  • Configure the SMTP connection
  • Begin sending email

Note:

Before configuring the Email Delivery service, make sure to have permissions to Generate SMTP credentials and create Email Approved Senders. Also, the Email Approved Sender must be in a group that has IAM policy permissions to send outgoing emails. For more details, refer to Generate SMTP Credentials for a User section of OCI documentation.

Generating a SMTP Credential

Simple Mail Transfer Protocol (SMTP) credentials are necessary to send email through Email Delivery. Each user is limited to a maximum of two SMTP credentials. If more than two are required, SMTP credentials must be generated on other existing users or more users must be created.

  • To generate SMTP credentials for a user, login to Oracle Cloud Infrastructure and navigate to Email DeliveryManage Credentials and select the option Generate SMTP Credentials. It allows you to generate the SMTP user name and password details. Copy the generated password for your future reference. Click Close.

Setting Up Permissions

An email approved sender must be in a group that has IAM policy permissions to send emails. The approved sender must be in a compartment with permissions to manage approved senders. You have to create a policy to manage approved senders in the entire tenant, if the approved senders exist in root compartment.

Add the following policy statement to enable odi_group to manage approved senders:

Allow dynamic-group odi_group to use approved-senders in compartment odi

For more information about policies and policy syntax, see Policy Basics.

Creating your Email Approved Sender

You must set up an approved sender for all “From:” addresses sending email via Oracle Cloud Infrastructure or the email will be rejected. An approved sender is associated with a compartment and only exists in the region where the approved sender was configured.

Note:

Approved senders should not be created in the root compartment.

Creating approved senders in a compartment other than the root allows the policy to be specific to that compartment.

  • To create your Email Approved Sender, login to Oracle Cloud Infrastructure and navigate to Email DeliveryEmail Approved Senders and select the option Create Approved Senders.

    Note:

    Configure this option for the user already created on the instance.

    For example, opc@oracle-odi-inst-3mnc.localdomain, where oracle-odi-inst-3mnc is the hostname.

Configuring SPF on the Approved Sender Domain

Configure SPF, if necessary. The Approved Senders section within the Console provides validation of an SPF record for each of your approved senders. SPF is required for subdomains of oraclegovcloud.com and recommended in other cases.

Refer to Configure SPF for detailed steps on configuring SPF.

Configuring the SMTP connection

For securing your email connections, get SSL/TLS CA details from OCI email SMTP hosts

  1. Log in to the instance using ssh as opc user and sudo su and create a directory nss-config-dr and then run certutil to manage keys and certificate in both NSS databases.
    [root@localhost ~]# mkdir /etc/certs
    [root@localhost ~]# cd /etc/certs
    [root@localhost certs]# certutil -N -d /etc/certs/
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.
    Enter new password:
    Re-enter password:
    [root@localhost certs]# ls
    cert8.db key3.db secmod.db
    [root@localhost certs]#
  2. To get SMTP domain CA details, run openssl s_client to smtp host.

    Note:

    • If it is on ashburn: openssl s_client -showcerts -connect smtp.us-ashburn-1.oraclecloud.com:587 -starttls smtp > /etc/certs/mycerts-ashburn
    • If it is on phoenix : openssl s_client -showcerts -connect smtp.us-phoenix-1.oraclecloud.com:587 -starttls smtp > /etc/certs/mycerts-phoenix
    For example:
    [root@localhost certs]# openssl s_client -showcerts -connect smtp.us-phoenix-1.oraclecloud.com:587 -starttls smtp > /etc/certs/mycerts-phoenix
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
    verify return:1
    depth=0 C = US, ST = California, L = Redwood City, O = Oracle Corporation, OU = Oracle DYN-DEV US, CN = smtp.us-phoenix-1.oraclecloud.com
    verify return:1
    250 Ok
    [root@localhost certs]#
  3. Execute cat on mycerts-phoenix or ashburn and copy each certificate including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- and paste it to their respective files.
    For example -
    ocismtp-phoenix1.pem ocismtp-phoenix2.pem ocismtp-phoenix3.pem
    [root@localhost certs]# ls -la | grep -i ocism
    -rw-r--r--. 1 root root 2443 Jan 31 18:00 ocismtp-phoenix1.pem
    -rw-r--r--. 1 root root 1648 Jan 31 18:01 ocismtp-phoenix2.pem
    -rw-r--r--. 1 root root 1338 Jan 31 18:01 ocismtp-phoenix3.pem
    [root@localhost certs]#
     
    [root@localhost certs]# cat ocismtp-phoenix1.pem
    -----BEGIN CERTIFICATE-----
    MIIG3jCCBcagAwIBAgIQDD6TwDfguDbn1CI1U46l0zANBgkqhkiG9w0BAQsFADBN
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
    aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgxMjA3MDAwMDAwWhcN
    MjEwMTA1MTIwMDAwWjCBnjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
    aWExFTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEbMBkGA1UEChMST3JhY2xlIENvcnBv
    cmF0aW9uMRowGAYDVQQLExFPcmFjbGUgRFlOLURFViBVUzEqMCgGA1UEAxMhc210
    cC51cy1waG9lbml4LTEub3JhY2xlY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEF
    AAOCAQ8AMIIBCgKCAQEA2ZUXc/xjwwlmsaSKxy2e0Y3K9UeWs/MQSBkQALC0+Pi9
    tIdS7BLmYtpTjGmUpwiNzG9pMYHpWjQlQFkxNpqd6JwegpgdEG/8SnbrhH9kRsRg
    MG8kRNZiJYsDrpwLnjE74gNIjVldqbcMHmBinfKbfFAcPzp5sqOFw3hfSz8TU45A
    7UHfbWmF3HiLF+Ozhnr0cUdiVb79HVYH4fm15V4uwewj/ZvALmK000jdOaeOgOna
    vrx30WSqfkoqOpferIrW4a6wsrj82vaAjuxgBU3rbuaJb2KFYYes3SeUoFkFAZp7
    URMy3DZD7MmgmWIXnjGu75xqF4Ul/uEF6cjnYeuDpwIDAQABo4IDZjCCA2IwHwYD
    VR0jBBgwFoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFCN96Xt5uS1q
    xt2ZgTWONBD4VHfdMCwGA1UdEQQlMCOCIXNtdHAudXMtcGhvZW5peC0xLm9yYWNs
    ZWNsb3VkLmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
    CCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0
    LmNvbS9zc2NhLXNoYTItZzYuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdpY2Vy
    dC5jb20vc3NjYS1zaGEyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAq
    MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeB
    DAECAjB8BggrBgEFBQcBAQRwMG4wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
    Z2ljZXJ0LmNvbTBGBggrBgEFBQcwAoY6aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu
    Y29tL0RpZ2lDZXJ0U0hBMlNlY3VyZVNlcnZlckNBLmNydDAJBgNVHRMEAjAAMIIB
    fQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdgDuS723dc5guuFCaR+r4Z5mow9+X7By
    2IMAxHuJeqj9ywAAAWeJXuinAAAEAwBHMEUCIQDqeInMySXAN1UDIJOLG3v/ViBJ
    xsY3lK2JY/zwebUaugIgepOPAwKQdVrnY7CMCzWGGGqJbLgkFWIRMGK0FUJ8+RsA
    dQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWeJXumPAAAEAwBG
    MEQCIA1jRQ0797YV7BLzCANvicAsYk2QdGjCuZ4YxxRgTIs+AiBRztTbnjiT9WGE
    HIRVEJa/Bx7eSlcu7J2gpEZruOWrFwB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1Lo
    GpCWZDaOHtGFAAABZ4le6LcAAAQDAEcwRQIgMk9G/KNM9xR3GR9q/2vEB85skPlL
    EgDFVpKBQxQN2f8CIQD2Cn54OAL8HkDDYglLpAjTnzaSUJeP2h07NG90xS5VOjAN
    BgkqhkiG9w0BAQsFAAOCAQEAP8q05wiAKVkvv+Y6l0aPclFiW5/yZmnQeGNE85kx
    CmQgbdeGcNUgQ9PjDaBMhHMErVasq1E//oYjuRuF4bFO9QYYMn2QOuz1p61s+60/
    IDNCP8xJuBAJ61Gu0mAw7mm44Z+jfD1LMdg/xyZwlH9wFZID9lgVdqpvhlLiYRNy
    zBtKfgLhzu2B08T4a/V3w2SaDyhPIED2ry+HV+9B7CnzpmLrSqRFw7kk9ihm9Iwq
    YlyJV3qzO1tIykRALDvYAT50yd+d9ZfTcEQvSrMLoM6N0HJezdTnf67UqwYFF5jT
    KhyG/2LIAn4XGK0AyS8ieCmmEnW1Hku2ykCo4Ls0gdcYOA==
    -----END CERTIFICATE-----
    [root@localhost certs]#
     
    [root@localhost certs]# cat ocismtp-phoenix2.pem
    -----BEGIN CERTIFICATE-----
    MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
    U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
    nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
    KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
    /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
    kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
    /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
    AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
    aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
    Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
    oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
    QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
    d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
    xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
    CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
    5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
    8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
    2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
    c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
    j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
    -----END CERTIFICATE-----
     
    [root@localhost certs]# cat ocismtp-phoenix3.pem
    -----BEGIN CERTIFICATE-----
    MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
    CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
    nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
    43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
    T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
    gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
    BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
    TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
    DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
    hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
    06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
    PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
    YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
    CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
    -----END CERTIFICATE-----
    [root@localhost certs]#
    
  4. Import to the location nss-config-dr /etc/certs by using following commands:
    [root@localhost certs]# certutil -A -n "DigiCert SHA2 Secure Server CA" -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-phoenix1.pem
    [root@localhost certs]#
    [root@localhost certs]# certutil -A -n "DigiCert SHA2 Secure Server CA smtp " -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-phoenix2.pem
    [root@localhost certs]#
    [root@localhost certs]# certutil -A -n "DigiCert SHA2 Secure Server CA smtp2 " -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-phoenix3.pem  
    
  5. To check whether the imports are done correctly, execute the command certutil -L -d /etc/certs
    [root@localhost certs]# certutil -L -d /etc/certs
    
    Certificate Nickname Trust Attributes
    SSL,S/MIME,JAR/XPIDigiCert SHA2 Secure Server CA CT,,
    
    DigiCert SHA2 Secure Server CA smtp CT,,
    DigiCert SHA2 Secure Server CA smtp2 CT,,  
    

Configuring PostFix for Relaying Host with Authentication

  • Make sure the latese version of Postfix is installed along with cyrus-sasl-* packages.
    [root@localhost ~]# rpm -qa | grep -i postfix
    postfix-2.6.6-8.el6.x86_64
    [root@localhost ~]# yum install postfix
    Loaded plugins: security, ulninfo
    Setting up Install Process
    Package 2:postfix-2.6.6-8.el6.x86_64 already installed and latest version
    Nothing to do
    [root@localhost ~]#
    [root@localhost ~]#yum install -y cyrus-sasl-*

    Note:

    All the available SASL mechanisms can be installed on the system by pulling in the relevant cyrus-sasl-* packages.
  • Add the following config directives in the file /etc/postfix/main.cf:
    #OCI SMTP Relay Host:
    #relayhost = <Replace with your OCI SMTP server>
    relayhost = smtp.us-phoenix-1.oraclecloud.com:587
    #SASL Authentication settings:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options =
    #TSL Settings:
    smtp_tls_loglevel = 2
    smtp_use_tls = yes
    smtpd_tls_security_level = may
    smtp_tls_CApath = /etc/certs
  • Create the file /etc/postfix/sasl_passwd to store the credentials created in the Generating a SMTP Credential step and make sure permissions are set to 600.
    #vi /etc/postfix/sasl_passwd
    relay_host:587 username:password
    Example:
    [root@localhost postfix]# cat /etc/postfix/sasl_passwd
    smtp.us-phoenix-1.oraclecloud.com:587 ocid1.user.oc1..aaaaaaaajjcwynf4ebqp32wdpdy6h4lpeknqiyld7s35t2psfmmfw3y4iosq@ocid1.tenancy.oc1..aaaaaaaavcpbui4wu2ttfnipykravgudbooie2eucf3odrsltgwj236epvha.fa.com:pP)QB&[YIz2ehe>7}fj_
    [root@localhost postfix]#
    
    
    [root@localhost postfix]# chmod 600 /etc/postfix/sasl_passwd
    [root@localhost postfix]#  
    
  • Create sasl_passwd.db that Postfix can read:
    [root@localhost postfix]# postmap /etc/postfix/sasl_passwd
    [root@localhost postfix]#
    [root@localhost postfix]# ls -l | grep -i passwd
    -rw-------. 1 root root 224 Jan 31 18:17 sasl_passwd
    -rw-------. 1 root root 12288 Jan 31 18:21 sasl_passwd.db
    [root@localhost postfix]#
    

Starting Postfix

[root@localhost postfix]# chkconfig postfix on
[root@localhost postfix]# service postfix start
[root@localhost postfix]# service postfix status
master (pid 12162) is running...
[root@localhost postfix]#
 
If you are running Oracle Linux 7 run
#systemctl start --now postfix

Configuring Firewall Ports

Add these ports to firewall list of the smtp client machines (VM from where we have to send emails )

sudo firewall-cmd --zone=public --permanent --add-port=25/tcp
sudo firewall-cmd --zone=public --permanent --add-port=587/tcp
sudo firewall-cmd --reload

Beginning to Send Email

  • Send Email
    approval is : user@<instancename.localdomain> e.g. opc@oracle-odi-inst-31up.localdomain
    In this case, login as user and test it with mailx
    [user@localhost ~]$ echo "test" | mailx -v -s "OCI Test Message [mailx]" user@oracle.com
    Mail Delivery Status Report will be mailed to <user>.
    [user@localhost ~]
    
  • Verify /var/log/maillog for any error messages:
    Jan 31 18:24:36 localhost postfix/pickup[13812]: ECF9BA00B4: uid=501 from=<user>
    Jan 31 18:24:36 localhost postfix/cleanup[14692]: ECF9BA00B4: message-id=<20190131182436.ECF9BA00B4@localhost.sub12182009561.cnvmau.oraclevcn.com>
    Jan 31 18:24:36 localhost postfix/qmgr[12172]: ECF9BA00B4: from=<user@localhost.sub12182009561.cnvmau.oraclevcn.com>, size=549, nrcpt=1 (queue active)
    Jan 31 18:24:36 localhost postfix/smtp[14694]: initializing the client-side TLS engine
    Jan 31 18:24:37 localhost postfix/smtp[14694]: setting up TLS connection to smtp.us-phoenix-1.oraclecloud.com[Public IP]:587
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com[Public IP]:587: TLS cipher list "ALL:+RC4:@STRENGTH"
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:before/connect initialization
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv2/v3 write client hello A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server hello A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com [Public IP]:587: certificate verification depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com[Public IP]:587: certificate verification depth=1 verify=1 subject=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com [Public IP]:587: certificate verification depth=0 verify=1 subject=/C=US/ST=California/L=Redwood City/O=Oracle Corporation/OU=Oracle DYN-DEV US/CN=smtp.us-phoenix-1.oraclecloud.com
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server certificate A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server key exchange A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server done A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 write client key exchange A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 write change cipher spec A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 write finished A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 flush data
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read finished A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: Trusted TLS connection established to smtp.us-phoenix-1.oraclecloud.com[public ip]:587: TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
    Jan 31 18:24:38 localhost postfix/smtp[14694]: ECF9BA00B4: to=<user@oracle.com>, relay=smtp.us-phoenix-1.oraclecloud.com[public ip]:587, delay=1.6, delays=0.02/0.03/0.57/1, dsn=2.0.0, status=sent (250 Ok)
    Jan 31 18:24:38 localhost postfix/cleanup[14692]: 94136A00B8: message-id=<20190131182438.94136A00B8@localhost.sub12182009561.cnvmau.oraclevcn.com>
    Jan 31 18:24:38 localhost postfix/bounce[14696]: ECF9BA00B4: sender delivery status notification: 94136A00
    
  • The email has been delivered correctly:
    -------- Forwarded Message --------
    Subject: OCI Test Message [mailx]
    Date: Thu, 31 Jan 2019 18:24:36 +0000
    From: user@localhost.sub12182009561.cnvmau.oraclevcn.com
    To: user@oracle.com