Configuring Network and Database Connectivity for OUD 12c and EUS

Before You Begin

This tutorial provides a step-by-step example of how to configure network and database connectivity ready for Oracle Unified Directory (OUD) Proxy Server 12c PS3 integration with Active Directory, Oracle Enterprise Security (EUS) and Kerberos Authentication. This tutorial takes approximately 15 minutes to complete.

This is the fifth tutorial in the series Integrating Oracle Unified Directory 12c with Microsoft Active Directory, Oracle Enterprise User Security and Kerberos. Read them sequentially.

Background

Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD. In this tutorial you configure network and database connectivity so the OUD Proxy Server and databases can communicate with each other for EUS.

What Do You Need?

To have completed OBE IV: Configuring Active Directory and Database with Kerberos for OUD 12c and EUS Integration

Configure Network Connectivity for EUS

EUS stores its configuration metadata in an Oracle Context which corresponds to the Directory Base DN in the DIT. In this example the Directory Base DN is dc=example,dc=com. In this section you configure an ldap.ora so the database knows how to connect to OUD, and where it's metadata is located.

Launch a terminal window as oracle on the database server that you want to register for EUS, and run the following command to launch the Net Configuration Assistant:
```
cd $ORACLE_HOME/bin/
./netca
```

Follow the table below to guide you through the configuration screens:

Window Description	Choices or Values
Welcome Screen	Select Directory Usage Configuration
Directory Usage Configuration	Directory Type: `Oracle Internet Directory`
Directory Service Location	Hostname: `oud.example.com` Port: `2389` SSL Port: `2636`
Select Oracle Context	Select cn=OracleContext, dc=example,dc=com from the drop down list.
Done	Click Next
Welcome	Click Close

In the terminal window run the following command to verify the Net Configuration Assistant:

cat $ORACLE_HOME/network/admin/ldap.ora
# ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
  DIRECTORY_SERVERS= (oud.example.com:2389:2636)
  DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
  DIRECTORY_SERVER_TYPE = OID

Register the Database in OUD

In this section you use the Database Configuration Assistant to register the database in OUD.

Launch a terminal window as oracle on the database server that you want to register for EUS, and run the following command to launch the Database Configuration Assistant:
```
cd $ORACLE_HOME/bin/
./dbca
```

Follow the table below to guide you through the configuration screens:

Window Description	Choices or Values
Database Operation	Select Configure Database Option
Database List	Select the radio button for the database you want to register e.g.: orcl Username: `<leave blank>` Password: `<leave blank>`
Network Configuration	Select Yes, register the database Database CN: `orcl` User DN: `cn=eusadmin,cn=oraclecontext` Password: `Welcome1` Wallet Password: `Welcome1` Confirm Password: `Welcome1`
Database Options	Click Next.
Database Vault Credentials	Deselect Configure Database Vault Deselect Configure Label Security
Connection Mode	Click Next
Summary	Click Finish
Finish	Click Close

Note: If the Network Configuration panel does not appear in the above workflow, check that the database is defined in /etc/oratab.

In the same terminal window, run the following command to verify the Database Configuration Assistant successfully created a new entry for the database.

./ldapsearch -h oud.example.com -p 2389 -D "cn=eusadmin,cn=oraclecontext" -w Welcome1 -b cn=OracleContext,dc=example,dc=com "(cn=orcl)"

If registration was successful you should see the following:

cn=orcl,cn=OracleContext,dc=example,dc=com
orclVersion=121000
cn=orcl
orclServiceType=DB
orclSid=orcl
objectClass=orclApplicationEntity
objectClass=orclDBServer_92
objectClass=orclService
objectClass=orclDBServer
objectClass=top
orclOracleHome=/u01/app/oracle/product/12.1.0/db_1
orclSystemName=db.example.com
orclNetDescString=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))
orclDBGlobalName=orcl
orclcommonrpwdattribute={SASL-MD5}DCnQFtAXHyQLbKuIzCuKTA==
userPassword={SSHA}/NxLZ1gNIPtzyMGkevhAd71dGWRmOxw4bm5Flw==
orclNetDescName=000:cn=DESCRIPTION_0

Configuring the Oracle Wallets

In this section you ensure the database knows where to find the Wallet. You also ensure that the EUSM ldap client can verify the certificate sent in the SSL handshake by OUD.

Launch a terminal window as oracle on the database server that you want to register for EUS, and edit the $ORACLE_HOME/network/admin/sqlnet.ora. Check an entry exists for the Oracle Wallet. If it does not exist, add it as follows, replacing the DIRECTORY path with the correct Wallet path for your Wallet ($ORACLE_BASE/admin/<SID>/wallet). Save the file.
```
WALLET_LOCATION=   
     (SOURCE=
        (METHOD=file)
          (METHOD_DATA=
             (DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
```
On the OUD server. launch a terminal window as oracle and run the following command to export the root CA certificate from the OUD Directory Server.
Note: In this case the OUD was configured using self signed certificates in OBE III Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration. If your OUD is using a certificate signed by a different Certificate Authority (CA) make sure you export the correct CA certificate or chain of CA certificates. (See OUD Keystore and Truststore (Doc ID 1958191.1) for information on how to determine the root CA(s) to export).
```
cd /u01/app/oracle/config/oud_instances/oud_proxy/config
keytool -export -alias server-cert -file /stage/oudca.crt -keystore keystore -storepass `cat keystore.pin`  -v
```
Move the certificate to the database server that you want to register for EUS. Launch a terminal window as oracle and run the following command to Import the certificate into the database wallet referenced in 1. above:
```
cd $ORACLE_HOME/bin
./orapki wallet add -wallet /u01/app/oracle/admin/orcl/wallet -trusted_cert -cert /stage/oudca.crt -pwd Welcome1               
```
Restart the Database and Listener to pick up the changes made to the wallet.

Configuring a TNS Alias in OUD

In this section you create a new TNS Alias within OUD so you can connect to the database via LDAP Naming rather than use a tnsnames.ora file.

Launch a terminal window as oracle on the database server and run the following command to launch Oracle Net Manager:
```
cd $ORACLE_HOME/bin
./netmgr
```
In Oracle Net Manager, in the navigation tree expand Oracle Net Configuration > Local and click Profile.
In Available Methods, select LDAP and click the right arrow to move it to Selected Methods.
With LDAP highlighted, click the Promote button and move it to the top of the list. This allows Oracle Net connections to resolve TNS entries via OUD first.
Click File > Save Network Configuration from the top menu.
In the navigation tree, expand Directory and click Service Naming. In the Directory Server Authentication pop up window enter user cn=eusadmin,cn=oraclecontext and password Welcome1. Click OK.
In the navigation tree, under Service Naming click Aliases. In the left hand panel, click the green '+' icon in the left hand panel.
In the Create Net Service Alias window enter the following and click Create:
- Net Service Alias: myorcl
- Oracle Context: cn=OracleContext,dc=example,dc=com
- Name: orcl
Click File > Save Network Configuration. Click File > Exit.

Run the following command to verify that Oracle Net Manager successfully created a new TNS alias entry for the database:

cd $ORACLE_HOME/bin  
./ldapsearch -h oud.example.com -p 2389 -D "cn=eusadmin,cn=oraclecontext" -w Welcome1 -b cn=OracleContext,dc=example,dc=com "(cn=myorcl)"