Configuring Network and Database Connectivity for OUD 12c and EUS

Before You Begin

This tutorial provides a step-by-step example of how to configure network and database connectivity in preparation for integrating Oracle Unified Directory (OUD) Proxy Server 12c PS3 with Active Directory, Oracle Enterprise User Security (EUS) and Kerberos authentication. This tutorial takes approximately 15 minutes to complete.

This is the fifth tutorial in the series Integrating Oracle Unified Directory 12c with Microsoft Active Directory, Oracle Enterprise User Security and Kerberos. Read the tutorials in sequence.

Background

Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD. In this tutorial you configure network and database connectivity so the OUD Proxy Server and databases can communicate with each other for EUS.

What Do You Need?


Configure Network Connectivity for EUS

EUS stores its configuration metadata in an Oracle Context that corresponds to the Directory Base DN in the DIT. In this example the Directory Base DN is dc=example,dc=com. In this section you configure an ldap.ora file so the database knows how to connect to OUD and where its EUS metadata is located.

  1. Launch a terminal window as oracle on the database server that you want to register for EUS, and run the following command to launch the Net Configuration Assistant:
    cd $ORACLE_HOME/bin/
    ./netca
  2. Follow the table below to guide you through the configuration screens:

    Window Description             Choices or Values
    Welcome Screen                 Select Directory Usage Configuration
    Directory Usage Configuration  Directory Type: Oracle Internet Directory
    Directory Service Location     Hostname: oud.example.com
                                   Port: 2389
                                   SSL Port: 2636
    Select Oracle Context          Select cn=OracleContext,dc=example,dc=com from the drop-down list.
    Done                           Click Next
    Welcome                        Click Close
  3. In the terminal window, run the following command to verify the ldap.ora file written by the Net Configuration Assistant:
    cat $ORACLE_HOME/network/admin/ldap.ora
    # ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
    # Generated by Oracle configuration tools.
    DIRECTORY_SERVERS= (oud.example.com:2389:2636)
    DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
    DIRECTORY_SERVER_TYPE = OID

Register the Database in OUD

In this section you use the Database Configuration Assistant to register the database in OUD.

  1. Launch a terminal window as oracle on the database server that you want to register for EUS, and run the following command to launch the Database Configuration Assistant:
    cd $ORACLE_HOME/bin/
    ./dbca
  2. Follow the table below to guide you through the configuration screens:
    Window Description            Choices or Values
    Database Operation            Select Configure Database Option
    Database List                 Select the radio button for the database you want to register, e.g. orcl
                                  Username: <leave blank>
                                  Password: <leave blank>
    Network Configuration         Select Yes, register the database
                                  Database CN: orcl
                                  User DN: cn=eusadmin,cn=oraclecontext
                                  Password: Welcome1
                                  Wallet Password: Welcome1
                                  Confirm Password: Welcome1
    Database Options              Click Next.
    Database Vault Credentials    Deselect Configure Database Vault
                                  Deselect Configure Label Security
    Connection Mode               Click Next
    Summary                       Click Finish
    Finish                        Click Close

    Note: If the Network Configuration panel does not appear in the above workflow, check that the database is defined in /etc/oratab.
  3. In the same terminal window, run the following command to verify that the Database Configuration Assistant successfully created a new entry for the database:
    ./ldapsearch -h oud.example.com -p 2389 -D "cn=eusadmin,cn=oraclecontext" -w Welcome1 -b cn=OracleContext,dc=example,dc=com "(cn=orcl)"
    If registration was successful you should see the following:
    cn=orcl,cn=OracleContext,dc=example,dc=com
    orclVersion=121000
    cn=orcl
    orclServiceType=DB
    orclSid=orcl
    objectClass=orclApplicationEntity
    objectClass=orclDBServer_92
    objectClass=orclService
    objectClass=orclDBServer
    objectClass=top
    orclOracleHome=/u01/app/oracle/product/12.1.0/db_1
    orclSystemName=db.example.com
    orclNetDescString=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))
    orclDBGlobalName=orcl
    orclcommonrpwdattribute={SASL-MD5}DCnQFtAXHyQLbKuIzCuKTA==
    userPassword={SSHA}/NxLZ1gNIPtzyMGkevhAd71dGWRmOxw4bm5Flw==
    orclNetDescName=000:cn=DESCRIPTION_0
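As an added example that is not part of the Oracle tutorial, the following Python cross-checks the ldap.ora written in section 1 against the registration entry returned by the ldapsearch above: the entry must sit under the Oracle Context of DEFAULT_ADMIN_CONTEXT, carry the database object classes, and hold a parsable orclNetDescString. Both samples are constructed copies of the output shown on this page.

```python
import re
# Constructed samples, copied from the ldap.ora and the ldapsearch output shown above.
LDAP_ORA = """# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oud.example.com:2389:2636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
"""
REGISTRATION = """cn=orcl,cn=OracleContext,dc=example,dc=com
objectClass=orclApplicationEntity
objectClass=orclDBServer
objectClass=orclService
orclNetDescString=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))
"""

def parse_ldap_ora(text):
    """Return host, non-SSL port, SSL port and admin context from an ldap.ora."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip().upper()] = value.strip().strip('"')
    # DIRECTORY_SERVERS is a parenthesised host:port:sslport triple
    m = re.match(r"\(?\s*([^:\s()]+):(\d+):(\d+)", params["DIRECTORY_SERVERS"])
    if not m:
        raise ValueError("DIRECTORY_SERVERS is not a host:port:sslport triple")
    return {"host": m.group(1), "port": int(m.group(2)), "ssl_port": int(m.group(3)),
            "admin_context": params["DEFAULT_ADMIN_CONTEXT"]}

def parse_entry(text):
    """First line is the DN; remaining attr=value lines become lists per attribute."""
    lines = [l for l in text.splitlines() if l.strip()]
    entry = {"dn": lines[0].strip()}
    for line in lines[1:]:
        attr, _, value = line.partition("=")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_registration(ldap_ora, entry_text):
    """Return problems found; an empty list means ldap.ora and the entry agree."""
    cfg, entry = parse_ldap_ora(ldap_ora), parse_entry(entry_text)
    problems = []
    # The database entry must sit under the Oracle Context of DEFAULT_ADMIN_CONTEXT
    if not entry["dn"].lower().endswith(",cn=oraclecontext," + cfg["admin_context"].lower()):
        problems.append("entry is outside cn=OracleContext," + cfg["admin_context"])
    have = {v.lower() for v in entry.get("objectclass", [])}
    problems += ["missing objectClass " + oc for oc in
                 ("orcldbserver", "orclservice", "orclapplicationentity") if oc not in have]
    desc = entry.get("orclnetdescstring", [""])[0]
    if not re.search(r"\(HOST=[^)]+\)\(PORT=\d+\).*\(SERVICE_NAME=[^)]+\)", desc):
        problems.append("orclNetDescString lacks HOST, PORT or SERVICE_NAME")
    return problems
```

On a real server, read LDAP_ORA from $ORACLE_HOME/network/admin/ldap.ora and REGISTRATION from the ldapsearch output; a non-empty result means the database would not resolve its EUS metadata where the Oracle Context actually is.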


Configuring the Oracle Wallets

In this section you ensure the database knows where to find its wallet. You also ensure that the EUSM LDAP client can verify the certificate OUD presents in the SSL handshake.

  1. Launch a terminal window as oracle on the database server that you want to register for EUS, and edit $ORACLE_HOME/network/admin/sqlnet.ora. Check that an entry exists for the Oracle Wallet. If it does not, add it as follows, replacing the DIRECTORY path with the correct path for your wallet ($ORACLE_BASE/admin/<SID>/wallet). Save the file.
    WALLET_LOCATION=   
         (SOURCE=
            (METHOD=file)
              (METHOD_DATA=
                 (DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
  2. On the OUD server, launch a terminal window as oracle and run the following command to export the root CA certificate from the OUD Directory Server.
    Note: In this case OUD was configured with self-signed certificates in OBE III, Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration. If your OUD uses a certificate signed by a different Certificate Authority (CA), make sure you export the correct CA certificate or chain of CA certificates. (See OUD Keystore and Truststore (Doc ID 1958191.1) for information on how to determine the root CA(s) to export.)
    cd /u01/app/oracle/config/oud_instances/oud_proxy/config
    keytool -export -alias server-cert -file /stage/oudca.crt -keystore keystore -storepass `cat keystore.pin`  -v
  3. Move the certificate to the database server that you want to register for EUS. Launch a terminal window as oracle and run the following command to import the certificate into the database wallet referenced in step 1 above:
    cd $ORACLE_HOME/bin
    ./orapki wallet add -wallet /u01/app/oracle/admin/orcl/wallet -trusted_cert -cert /stage/oudca.crt -pwd Welcome1               
  4. Restart the database and listener to pick up the changes made to the wallet.


Configuring a TNS Alias in OUD

In this section you create a new TNS alias within OUD so you can connect to the database via LDAP naming rather than through a tnsnames.ora file.

  1. Launch a terminal window as oracle on the database server and run the following command to launch Oracle Net Manager:
    cd $ORACLE_HOME/bin
    ./netmgr
  2. In Oracle Net Manager, in the navigation tree expand Oracle Net Configuration > Local and click Profile.
  3. In Available Methods, select LDAP and click the right arrow to move it to Selected Methods.
  4. With LDAP highlighted, click the Promote button and move it to the top of the list. This allows Oracle Net connections to resolve TNS entries via OUD first.
  5. Click File > Save Network Configuration from the top menu.
  6. In the navigation tree, expand Directory and click Service Naming. In the Directory Server Authentication pop up window enter user cn=eusadmin,cn=oraclecontext and password Welcome1. Click OK.
  7. In the navigation tree, under Service Naming click Aliases. In the left-hand panel, click the green '+' icon.
  8. In the Create Net Service Alias window enter the following and click Create:
    • Net Service Alias: myorcl
    • Oracle Context: cn=OracleContext,dc=example,dc=com
    • Name: orcl
  9. Click File > Save Network Configuration. Click File > Exit.
  10. Run the following command to verify that Oracle Net Manager successfully created a new TNS alias entry for the database:
    cd $ORACLE_HOME/bin  
    ./ldapsearch -h oud.example.com -p 2389 -D "cn=eusadmin,cn=oraclecontext" -w Welcome1 -b cn=OracleContext,dc=example,dc=com "(cn=myorcl)"
    If registration was successful you should see the following:
    cn=myorcl,cn=OracleContext,dc=example,dc=com
    aliasedObjectName=cn=orcl,cn=OracleContext,dc=example,dc=com
    objectClass=alias
    objectClass=top
    objectClass=orclNetServiceAlias
    cn=myorcl

Next Tutorial

Configuring Schemas, Roles and Mapping for EUS and OUD 12c