Before You Begin
This tutorial provides a step-by-step example of how to configure network and database connectivity ready for Oracle Unified Directory (OUD) Proxy Server 12c PS3 integration with Active Directory, Oracle Enterprise User Security (EUS) and Kerberos Authentication. This tutorial takes approximately 15 minutes to complete.
This is the fifth tutorial in the series Integrating Oracle Unified Directory 12c with Microsoft Active Directory, Oracle Enterprise User Security and Kerberos. Read them sequentially.
- Installing Oracle Unified Directory 12c for Active Directory and EUS Integration
- Configuring OUDSM 12c for EUS
- Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
- Configuring Active Directory and Database with Kerberos for OUD 12c and EUS Integration
- Configuring Network and Database Connectivity for OUD 12c and EUS
- Configuring Schemas, Roles and Mapping for EUS and OUD 12c
- Testing the EUS, OUD 12c, Active Directory and Kerberos Integration
Background
Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD. In this tutorial you configure network and database connectivity so the OUD Proxy Server and databases can communicate with each other for EUS.
What Do You Need?
- To have completed OBE IV: Configuring Active Directory and Database with Kerberos for OUD 12c and EUS Integration
Configure Network Connectivity for EUS
EUS stores its configuration metadata in an Oracle Context which corresponds to the Directory Base DN in the DIT. In this example the Directory Base DN is dc=example,dc=com. In this section you configure an ldap.ora so the database knows how to connect to OUD, and where its EUS metadata is located.
- Launch a terminal window as oracle on the database server that you want to register for EUS, and run the following commands to launch the Net Configuration Assistant:
  ```
  cd $ORACLE_HOME/bin/
  ./netca
  ```
- Follow the table below to guide you through the configuration screens:

| Window Description | Choices or Values |
| --- | --- |
| Welcome Screen | Select Directory Usage Configuration |
| Directory Usage Configuration | Directory Type: Oracle Internet Directory |
| Directory Service Location | Hostname: oud.example.com; Port: 2389; SSL Port: 2636 |
| Select Oracle Context | Select cn=OracleContext,dc=example,dc=com from the drop down list |
| Done | Click Next |
| Welcome | Click Close |

- In the terminal window, run the following command to verify the ldap.ora file that the Net Configuration Assistant generated. It should list the OUD host with both ports, the Oracle Context you selected as the default admin context, and the directory type OID:
  ```
  cat $ORACLE_HOME/network/admin/ldap.ora
  # ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
  # Generated by Oracle configuration tools.
  DIRECTORY_SERVERS= (oud.example.com:2389:2636)
  DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
  DIRECTORY_SERVER_TYPE = OID
  ```
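As an added check, not part of the original tutorial and not an Oracle tool, the following Python script parses the ldap.ora format that netca writes and flags the settings that would stop the database from reaching the Oracle Context in OUD: a missing DIRECTORY_SERVERS entry, an entry without an SSL port (the database's wallet-based EUS connection uses it), a DEFAULT_ADMIN_CONTEXT that does not match the Directory Base DN, and a DIRECTORY_SERVER_TYPE other than OID. The sample file is constructed from the output shown above; the function names and messages are this example's own.

```python
# Added example (not an Oracle tool): parse the ldap.ora that netca writes and flag
# settings that would stop the database from reaching the Oracle Context in OUD.

def parse_ldap_ora(text):
    """Return {'servers': [(host, port, ssl_port or None), ...], 'admin_context': str, 'server_type': str}.
    '#' comments and blank lines are ignored; parameter names are case-insensitive."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a NAME = value line: {line!r}")
        params[key.strip().upper()] = value.strip()
    servers = []
    # DIRECTORY_SERVERS = (host:port:sslport, host:port:sslport, ...). Each entry is
    # host:port[:sslport]; a missing SSL port is tolerated here so that it can be flagged.
    for item in params.get("DIRECTORY_SERVERS", "").strip().strip("()").split(","):
        item = item.strip().strip("()")
        if not item:
            continue
        parts = [p.strip() for p in item.split(":")]
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"malformed DIRECTORY_SERVERS entry: {item!r}")
        ssl_port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else None
        servers.append((parts[0], int(parts[1]), ssl_port))
    return {"servers": servers,
            "admin_context": params.get("DEFAULT_ADMIN_CONTEXT", "").strip('"'),
            "server_type": params.get("DIRECTORY_SERVER_TYPE", "")}

def _norm_dn(dn):
    """Case-insensitive, whitespace-insensitive DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_ldap_ora(cfg, expected_context, expected_type="OID"):
    """Problems that would break EUS lookups from this database; an empty list means the file looks right."""
    problems = []
    if not cfg["servers"]:
        problems.append("DIRECTORY_SERVERS is missing or empty")
    for host, port, ssl_port in cfg["servers"]:
        if ssl_port is None:
            problems.append(f"{host}:{port} has no SSL port; the database's wallet-based EUS connection uses it")
    if _norm_dn(cfg["admin_context"]) != _norm_dn(expected_context):
        problems.append(f"DEFAULT_ADMIN_CONTEXT is {cfg['admin_context']!r}, expected {expected_context!r}")
    if cfg["server_type"].upper() != expected_type.upper():
        problems.append(f"DIRECTORY_SERVER_TYPE is {cfg['server_type']!r}; OUD is registered as {expected_type!r}")
    return problems

# Constructed sample: the file shown above, as netca generated it.
SAMPLE_LDAP_ORA = """\
# ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oud.example.com:2389:2636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. $ORACLE_HOME/network/admin/ldap.ora
    text = open(path).read() if path else SAMPLE_LDAP_ORA
    print(check_ldap_ora(parse_ldap_ora(text), "dc=example,dc=com") or "ldap.ora OK")
```

Run it with the path to the real file as its only argument (`python check_ldap_ora.py $ORACLE_HOME/network/admin/ldap.ora`); without an argument it checks the sample. The parser also accepts the comma-separated multi-server form of DIRECTORY_SERVERS, so the same check works for a failover pair of OUD proxies.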
Register the Database in OUD
In this section you use the Database Configuration Assistant to register the database in OUD.
- Launch a terminal window as oracle on the database server that you want to register for EUS, and run the following commands to launch the Database Configuration Assistant:
  ```
  cd $ORACLE_HOME/bin/
  ./dbca
  ```
- Follow the table below to guide you through the configuration screens:

| Window Description | Choices or Values |
| --- | --- |
| Database Operation | Select Configure Database Option |
| Database List | Select the radio button for the database you want to register, e.g. orcl. Username: leave blank. Password: leave blank |
| Network Configuration | Select Yes, register the database. Database CN: orcl. User DN: cn=eusadmin,cn=oraclecontext. Password: Welcome1. Wallet Password: Welcome1. Confirm Password: Welcome1 |
| Database Options | Click Next |
| Database Vault Credentials | Deselect Configure Database Vault. Deselect Configure Label Security |
| Connection Mode | Click Next |
| Summary | Click Finish |
| Finish | Click Close |
Note: If the Network Configuration panel does not appear in the above workflow, check that the database is defined in /etc/oratab.
- In the same terminal window, run the following command to verify that the Database Configuration Assistant created a new entry for the database under the Oracle Context. If registration was successful you should see an entry like the following:
  ```
  ./ldapsearch -h oud.example.com -p 2389 -D "cn=eusadmin,cn=oraclecontext" -w Welcome1 -b cn=OracleContext,dc=example,dc=com "(cn=orcl)"
  cn=orcl,cn=OracleContext,dc=example,dc=com
  orclVersion=121000
  cn=orcl
  orclServiceType=DB
  orclSid=orcl
  objectClass=orclApplicationEntity
  objectClass=orclDBServer_92
  objectClass=orclService
  objectClass=orclDBServer
  objectClass=top
  orclOracleHome=/u01/app/oracle/product/12.1.0/db_1
  orclSystemName=db.example.com
  orclNetDescString=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))
  orclDBGlobalName=orcl
  orclcommonrpwdattribute={SASL-MD5}DCnQFtAXHyQLbKuIzCuKTA==
  userPassword={SSHA}/NxLZ1gNIPtzyMGkevhAd71dGWRmOxw4bm5Flw==
  orclNetDescName=000:cn=DESCRIPTION_0
  ```
Configuring the Oracle Wallets
In this section you ensure the database knows where to find the Wallet. You also ensure that the EUSM ldap client can verify the certificate sent in the SSL handshake by OUD.
- Launch a terminal window as oracle on the database server that you want to register for EUS, and edit $ORACLE_HOME/network/admin/sqlnet.ora. Check that an entry exists for the Oracle Wallet. If it does not exist, add it as follows, replacing the DIRECTORY path with the correct path for your Wallet ($ORACLE_BASE/admin/<SID>/wallet). Save the file.
  ```
  WALLET_LOCATION= (SOURCE= (METHOD=file) (METHOD_DATA= (DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
  ```
- On the OUD server, launch a terminal window as oracle and run the following commands to export the root CA certificate from the OUD Directory Server.
  Note: In this case the OUD was configured using self-signed certificates in OBE III Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration, so the server certificate itself is the root of trust. If your OUD is using a certificate signed by a different Certificate Authority (CA), make sure you export the correct CA certificate or chain of CA certificates. (See OUD Keystore and Truststore (Doc ID 1958191.1) for information on how to determine the root CA(s) to export.)
  ```
  cd /u01/app/oracle/config/oud_instances/oud_proxy/config
  keytool -export -alias server-cert -file /stage/oudca.crt -keystore keystore -storepass `cat keystore.pin` -v
  ```
- Move the certificate to the database server that you want to register for EUS. Launch a terminal window as oracle and run the following commands to import the certificate as a trusted certificate into the database wallet referenced in step 1 above:
  ```
  cd $ORACLE_HOME/bin
  ./orapki wallet add -wallet /u01/app/oracle/admin/orcl/wallet -trusted_cert -cert /stage/oudca.crt -pwd Welcome1
  ```
- Restart the Database and Listener to pick up the changes made to the wallet.
Configuring a TNS Alias in OUD
In this section you create a new TNS Alias within OUD so you can connect to the database via LDAP Naming rather than use a tnsnames.ora file.
- Launch a terminal window as oracle on the database server and run the following commands to launch Oracle Net Manager:
  ```
  cd $ORACLE_HOME/bin
  ./netmgr
  ```
- In Oracle Net Manager, in the navigation tree expand Oracle Net Configuration > Local and click Profile.
- In Available Methods, select LDAP and click the right arrow to move it to Selected Methods.
- With LDAP highlighted, click the Promote button until LDAP is at the top of the list. This makes Oracle Net connections resolve TNS entries via OUD first.
- Click File > Save Network Configuration from the top menu.
- In the navigation tree, expand Directory and click Service Naming. In the Directory Server Authentication pop-up window enter the user cn=eusadmin,cn=oraclecontext and the password Welcome1. Click OK.
- In the navigation tree, under Service Naming click Aliases. In the left hand panel, click the green '+' icon.
- In the Create Net Service Alias window enter the following and click Create:
  - Net Service Alias: myorcl
  - Oracle Context: cn=OracleContext,dc=example,dc=com
  - Name: orcl
- Click File > Save Network Configuration. Click File > Exit.
- Run the following commands to verify that Oracle Net Manager created a new TNS alias entry for the database. If the alias was created successfully you should see the following entry, whose aliasedObjectName points at the database entry registered earlier:
  ```
  cd $ORACLE_HOME/bin
  ./ldapsearch -h oud.example.com -p 2389 -D "cn=eusadmin,cn=oraclecontext" -w Welcome1 -b cn=OracleContext,dc=example,dc=com "(cn=myorcl)"
  cn=myorcl,cn=OracleContext,dc=example,dc=com
  aliasedObjectName=cn=orcl,cn=OracleContext,dc=example,dc=com
  objectClass=alias
  objectClass=top
  objectClass=orclNetServiceAlias
  cn=myorcl
  ```
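The following Python script is an added example, not part of the original tutorial and not an Oracle tool. It serves both verification steps in this tutorial: the ldapsearch of the database entry after dbca registration, and the ldapsearch of the TNS alias above. It parses the attr=value output that OUD's ldapsearch prints, parses the orclNetDescString connect descriptor (the nested (KEY=value) Oracle Net syntax) into a tree, and then confirms that the orclSid, host, port and service name are the ones you expect and that the alias really points at the database entry. It also lists the password-bearing attributes (orclcommonrpwdattribute, userPassword) that the eusadmin bind can read, because they appear in the registration output and are easy to paste somewhere they should not go. The sample entries are constructed from the output shown on this page with the hashes replaced by placeholders; the function names and the expected-values dict are this example's own.

```python
# Added example (not an Oracle tool): cross-check the OUD entries that dbca and netmgr
# created. Sample data below is constructed from this tutorial's output, hashes replaced.
SENSITIVE_ATTRS = ("orclcommonrpwdattribute", "userpassword")

def parse_ldapsearch_entry(output):
    """ldapsearch entry (DN line, then attr=value lines) -> {lower-cased attr: [values]}, DN under 'dn'."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("ldapsearch returned no entry")
    attrs = {"dn": [lines[0]]}
    for line in lines[1:]:
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not an attr=value line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def parse_net_desc(desc):
    """Parse an Oracle Net connect descriptor, nested (KEY=value), into (key, value-or-children) tuples."""
    pos = 0
    def node():
        nonlocal pos
        pos = _skip_ws(desc, pos)
        if pos >= len(desc) or desc[pos] != "(":
            raise ValueError(f'expected "(" at offset {pos}')
        eq = desc.find("=", pos)
        if eq < 0:
            raise ValueError("keyword without '='")
        key, pos = desc[pos + 1:eq].strip().upper(), _skip_ws(desc, eq + 1)
        if pos < len(desc) and desc[pos] == "(":   # nested keyword list
            children = []
            while pos < len(desc) and desc[pos] == "(":
                children.append(node())
                pos = _skip_ws(desc, pos)
            if pos >= len(desc) or desc[pos] != ")":
                raise ValueError(f"unbalanced descriptor near offset {pos}")
            pos += 1
            return key, children
        close = desc.find(")", pos)                  # leaf value
        if close < 0:
            raise ValueError("unterminated value")
        value, pos = desc[pos:close].strip(), close + 1
        return key, value
    return node()

def find_values(tree, key):
    """Every leaf value stored under `key` anywhere in the tree, in document order."""
    k, v = tree
    if isinstance(v, str):
        return [v] if k == key.upper() else []
    return [x for child in v for x in find_values(child, key)]

def verify_registration(db_output, alias_output, expected):
    """Problems with the database entry and its alias versus `expected` (sid, host, port, service)."""
    db, alias = parse_ldapsearch_entry(db_output), parse_ldapsearch_entry(alias_output)
    problems = []
    if db.get("orclsid") != [expected["sid"]]:
        problems.append(f"orclSid is {db.get('orclsid')}, expected {expected['sid']!r}")
    descs = db.get("orclnetdescstring")
    if not descs:
        problems.append("database entry has no orclNetDescString")
    else:
        tree = parse_net_desc(descs[0])
        for key, want in (("HOST", expected["host"]), ("PORT", str(expected["port"])),
                          ("SERVICE_NAME", expected["service"])):
            if find_values(tree, key) != [want]:
                problems.append(f"descriptor {key} is {find_values(tree, key)}, expected [{want!r}]")
    if "orclnetservicealias" not in [oc.lower() for oc in alias.get("objectclass", [])]:
        problems.append("alias entry lacks objectClass orclNetServiceAlias")
    target = alias.get("aliasedobjectname", [""])[0]
    if target.replace(" ", "").lower() != db["dn"][0].replace(" ", "").lower():
        problems.append(f"alias points at {target!r}, not at {db['dn'][0]!r}")
    return problems

def credential_attributes(output):
    """Password-bearing attributes the bind DN could read; keep such output out of tickets and chat."""
    return [a for a in SENSITIVE_ATTRS if a in parse_ldapsearch_entry(output)]

DB_ENTRY = """\
cn=orcl,cn=OracleContext,dc=example,dc=com
orclSid=orcl
orclNetDescString=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))
orclcommonrpwdattribute={SASL-MD5}<hash omitted>
userPassword={SSHA}<hash omitted>
"""
ALIAS_ENTRY = """\
cn=myorcl,cn=OracleContext,dc=example,dc=com
aliasedObjectName=cn=orcl,cn=OracleContext,dc=example,dc=com
objectClass=orclNetServiceAlias
cn=myorcl
"""
EXPECTED = {"sid": "orcl", "host": "db.example.com", "port": 1521, "service": "orcl.example.com"}
```

To use it against a live system, capture the two ldapsearch results into strings (for example by reading the saved output files) and call verify_registration(db_text, alias_text, EXPECTED); an empty list means both entries match. The descriptor parser is general, so it also handles multi-address descriptors with failover or load-balancing lists, in which case find_values returns every HOST or PORT in order.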