2 Managing ODI Setup

This chapter helps you to manage the ODI setup that you have provisioned on Oracle Cloud Marketplace.

It contains the following sections:

2.1 Working with ODI Linux Services

The following table lists all the available services in ODI marketplace installation for applicable technology and stack deployment:

| Name of the Linux Service | Database Technology | Type of Stack Deployment | Supported Release Versions | Functions |
| --- | --- | --- | --- | --- |
| agentodi.service | MYSQL,ADB | ODI Studio | Supported in release(s) prior to 12.2.1.4.200618 version of ODI Marketplace. | You can start, stop and check the status of the service. |
| mysqlodi.service | MYSQL | ODI Studio | Supported in release(s) prior to 12.2.1.4.200618 version of ODI Marketplace. | You can start, stop and check the status of the service. |
| manageodiapps.service | MYSQL,ADB | ODI Studio | Supported only from ODI Web V12.2.1.4.200618 and later versions of ODI Marketplace. | You can only check the status of the service. Use the python commands listed below to start, stop and restart the ODI Agent. |

2.2 Changing Repository in Oracle Data Transforms Administrator

Follow the below procedure to change repository in Oracle Data Transforms (if not already created):
  1. Launch ODI Studio.
  2. Select the option Connect to Repository.
  3. Create new login using '+' icon and provide the connection details.
  4. Click Test and then click OK, if test connection is successful.
  5. Click OK on the Oracle Data Integrator Login dialog.

2.3 Switching Repositories of the ODI App Server

You can switch to any existing ADB or DBCS repository from existing ODI VM Instance.

Note:

You can switch between repositories only when the repositories in stack mode and repo mode match.

In ODI App Server, you can switch repository in the following technologies:

  • Switching from ADB to ADB
  • Switching from MYSQL to ADB or DBCS

    Note:

    But the reverse (switching back to MYSQL from ADB or DBCS) is not supported.
  • Switching from DBCS to DBCS
  • Switching from DBCS or ADB

Note:

Stop the server before running any configuration using the following command:
python manageOdiApps.py shutdown

For more information, refer to Managing ODI App Server.

Switching Between ADB Repositories

If you already have an ADB repository in which you have developed your transformation project and wish to continue your development in the same repository, follow the below procedure to switch from the new ADB repository (that you just created) to your existing ADB repository:

  1. Create odi-setup.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    dbTech=ADB
    rcuCreationMode=false
    odiSchemaPassword=<valid password>
    odiSchemaUser=<odi schema username>
    odiSupervisorPassword=<odi SUPERVISOR password>
    walletZipLoc=<path_to_zipped_wallet>
    workRepoName=<WORK REPO NAME>
    adwInstancePassword= <adw Instance password>

    Note:

    • workRepoName=<WORK REPO NAME> is an optional property but you may have to configure this property if your default work repository name is not WORKREP.
    • adwInstancePassword= <adw Instance password> is an optional property. Configure this property only when you have used OPatch to apply a patch on your ODI instance and wish to run Upgrade Assistant (UA) using the configuration script odiMPConfiguration.py.
  2. Create repository.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    masterReposDriver=oracle.jdbc.OracleDriver
    masterReposUser=<odi schema username>
    workReposName=<WORK REPO NAME>
  3. Navigate to the location $MW_HOME/odi/common/scripts directory and execute the following python scripts in the given order:
    python odiMPConfiguration.py
    python manageOdiApps.py start

Note:

Stop the server before running any configuration. For more information on this, refer to Managing ODI App Server.

Switching Between DBCS Repositories

If you already have a DBCS repository in which you have your transformation project developed and wish to continue with your development in the same repository, follow the below procedure to switch from the new DBCS repository (that you just created) to your existing DBCS repository:

  1. Create odi-setup.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    dbTech=DBCS
    dbHost=<IP Address of the DBCS Instance>
    dbPort=<port of DBCS Instance>
    dbServiceName=<Service Name of DBCS Instance>
    odiSchemaUser=<odi schema username>
    odiSchemaPassword=<valid password>
    odiSupervisorPassword=<odi SUPERVISOR password>
    workRepoName=<WORK REPO NAME>
  2. Create repository.properties file in the location $MW_HOME/odi/common/scripts and if the file already exists, clear the existing content of the file and then add the following properties:
    masterReposDriver=oracle.jdbc.OracleDriver
    masterReposUser=<odi schema username>
    workReposName=<WORK REPO NAME>
  3. Navigate to the location $MW_HOME/odi/common/scripts directory and execute the following python scripts in the given order:
    python odiMPConfiguration.py
    python manageOdiApps.py start

2.4 Managing ODI App Server

The following commands help you to manage ODI App server associated with your provisioned ODI instance on Oracle Cloud Marketplace.

Applications available in ODI Studio are:

APPODIAGENT

You can use ODI App Server to manage all the ODI applications deployed in ODI App Server.

Navigate to the location $MW_HOME/odi/common/scripts to run the following commands:

  • Use the following command to check the status of the service (as the oracle user):
    systemctl status manageodiapps.service

    Note:

    You cannot use this command to start or stop the service.
  • Use the following command to start the service:
    python manageOdiApps.py start
  • Use the following command to shutdown the service:
    python manageOdiApps.py shutdown
  • Use the following command to restart the service:
    python manageOdiApps.py restart

    Note:

    When you execute any of the above python manageOdiApps.py commands, the terminal holds the session to run the Jetty server. Open a new terminal if you wish to perform any other operations.
  • Use the following command to start all the applications associated with the service:
    python manageOdiApps.py start -apps=<allowed values>
    
    allowed values: all or APPODIAGENT with combination separated by ","
  • Use the following command to stop all the applications associated with the service:
    python manageOdiApps.py stop -apps=<allowed values>
    
    allowed values: all or APPODIAGENT with combination separated by ","

    Note:

    When you execute the command python manageOdiApps.py, two log files odiagent.log and odi_adp_rest_txt.log are created. For details on the location of the files, refer to Log Files Location.
  • Use the following command to get the status of all applications associated with the service:
    python manageOdiApps.py status
  • If you have provisioned this stack prior to 12.2.1.4.200618 release version of ODI Marketplace or if you have provisioned this stack for ODI Studio, follow the below procedure to manage your ODI Agent lifecycle:
    • To stop the ODI Agent:
      python stopAgent.py
    • To start the ODI Agent:
      python startAgent.py $MW_HOME

2.5 Managing ODI Credential

If you have either updated the odi schema password on the database or the SUPERVISOR password in ODI repository, you can use the manageCredentials.py script to update or manage ODI credentials required to start the ODI App Server successfully.

Navigate to the location $MW_HOME/odi/common/scripts to run the following commands:

| S.No. | Key Name |
| --- | --- |
| 1 | odiSchemaPassword |
| 2 | odiSupervisorPassword |

Use the following command to set the credential key in the Credential Store:
python manageCredentials.py set <Key Name>=<value>

Enclose the password string with single quotes so that the Linux shell treats the string as an exact value and does not parse the contents. For example:

python manageCredentials.py set odiSchemaPassword='pas$word'

Use the following command to get the credential key value stored in the Credential Store:

python manageCredentials.py read <key Name>

2.6 Configuring Proxy Settings

Depending on your network, you can set up a proxy for ODI. A proxy may be required for accessing certain hosts, for example, Oracle Object Storage.

Note:

Depending on your OCI network configurations, you may or may not require access through proxy-hosts. While you are connecting through proxy, make sure that the proxy address/port or the source dataserver is allowed through OCI VCN configurations.

You can set proxy:

  • In ODI Studio or ODI Studio Administrator
  • For ODI Agent
  • In ODI App server

To set the proxy in ODI Studio and Oracle Data Transforms Administrator, navigate to Tools, Preferences, Web Browser and Proxy, and set up a proxy for your network.

Follow the below procedure to set the proxy for the ODI Agent if you have provisioned this stack prior to the 12.2.1.4.200618 release version of ODI Marketplace:

Note:

For backward compatibility, use the scripts startAgent.py and stopAgent.py to manage ODI Agent Lifecycle.
  1. From the location $MW_HOME/oracle/odi/common/scripts, locate and edit the file startAgent.py and add the following options after the -Drepo.props= property and before -cp:
    -Xms1024m -Xmx4048m
    -Dhttp.proxyHost=www-proxy-xxx.com -Dhttp.proxyPort=80
    -Dhttps.proxyHost=www-proxy-xxx.com -Dhttps.proxyPort=80

    For example, after adding the above options, the call in your file should look like this:

    subprocess.call('nohup java -Drepo.props=odi-setup.properties -Xms1024m -Xmx4048m -Dhttp.proxyHost=www-proxy-xxx.com -Dhttp.proxyPort=80 -Dhttps.proxyHost=www-proxy-xxx.com -Dhttps.proxyPort=80 -cp $AGENTCLASSPATH oracle.odi.OdiStandaloneAgentStarter'+' '+oraclediagentPath+" &", shell=True)
  2. Save the file and use the following command to start the agent:
    python startAgent.py $MW_HOME

    Note:

    Ensure you do not add any extra lines or space or tab on the file startAgent.py. Just add -D option within the line content. It is a python script and it requires proper line indentation to work.
  3. Test the standalone agent from ODI studio to see if the agent has started successfully. Then execute the packages/mappings using the standalone agent.

Note:

If you are using a BI Cloud Connector Dataserver, you may need to add the BI Cloud Connector host to the Proxy Exclusion field.

Follow the below procedure to set proxy in ODI App Server:

  1. Open the script file manageOdiApps.py.
  2. Find the below lines in the file:
    JETTY_SERVER_COMMAND_STR = 'java -DAPP_LOGS='+APP_LOGS+' -Dconfig.template.file=../../apps/webapps.template.yaml -Dapps.config=../../apps/webapps.yaml -Drepo.props=odi-setup.properties -Drestrepo.props=repository.properties -Djetty.enabled=true -Dagent.logging.config=../logging/agent-logging-config.xml -cp $CLASSPATH oracle.odi.setup.util.ODIMPJettyServerAppsManager
  3. In that line, add the below options before -cp:
    -Dhttp.proxyHost=<proxyhost> -Dhttp.proxyPort=<proxy port> -Dhttps.proxyHost=<proxyhost> -Dhttps.proxyPort=<proxy port>
  4. Save the file.
  5. Restart the ODI App server.

2.7 Configuring Email Delivery Service

Oracle Cloud Marketplace Email Delivery is an email sending service that provides a fast and reliable managed solution for sending high-volume emails that need to reach your recipients' inbox.

Email Delivery provides the tools necessary to send application-generated email for mission-critical communications such as receipts, fraud detection alerts, multi-factor identity verification, and password resets. You can set up the Email Delivery service within the Console. To begin sending email with Email Delivery, complete the following steps:
  • Generate SMTP credentials for a user
  • Set up permissions
  • Create an approved sender
  • Configure SPF on the approved sender domain
  • Configure the SMTP connection
  • Begin sending email

Note:

Before configuring the Email Delivery service, make sure to have permissions to Generate SMTP credentials and create Email Approved Senders. Also, the Email Approved Sender must be in a group that has IAM policy permissions to send outgoing emails. For more details, refer to Generate SMTP Credentials for a User section of OCI documentation.

Generating a SMTP Credential

Simple Mail Transfer Protocol (SMTP) credentials are necessary to send email through Email Delivery. Each user is limited to a maximum of two SMTP credentials. If more than two are required, SMTP credentials must be generated on other existing users or more users must be created.

  • To generate SMTP credentials for a user, log in to Oracle Cloud Infrastructure, navigate to Email Delivery, Manage Credentials, and select the option Generate SMTP Credentials. It allows you to generate the SMTP user name and password details. Copy the generated password for your future reference. Click Close.

Setting Up Permissions

An email approved sender must be in a group that has IAM policy permissions to send emails. The approved sender must be in a compartment with permissions to manage approved senders. You have to create a policy to manage approved senders in the entire tenant, if the approved senders exist in root compartment.

Add the following policy statement to enable odi_group to manage approved senders:

Allow dynamic-group odi_group to use approved-senders in compartment odi

For more information about policies and policy syntax, see Policy Basics.

Creating your Email Approved Sender

You must set up an approved sender for all “From:” addresses sending email via Oracle Cloud Infrastructure or the email will be rejected. An approved sender is associated with a compartment and only exists in the region where the approved sender was configured.

Note:

Approved senders should not be created in the root compartment.

Creating approved senders in a compartment other than the root allows the policy to be specific to that compartment.

  • To create your Email Approved Sender, log in to Oracle Cloud Infrastructure, navigate to Email Delivery, Email Approved Senders, and select the option Create Approved Senders.

    Note:

    Configure this option for the user already created on the instance.

    For example, opc@oracle-odi-inst-3mnc.localdomain, where oracle-odi-inst-3mnc is the hostname.

Configuring SPF on the Approved Sender Domain

Configure SPF, if necessary. The Approved Senders section within the Console provides validation of an SPF record for each of your approved senders. SPF is required for subdomains of oraclegovcloud.com and recommended in other cases.

Refer to Configure SPF for detailed steps on configuring SPF.

Configuring the SMTP connection

To secure your email connections, get the SSL/TLS CA details from the OCI email SMTP hosts:

  1. Log in to the instance using ssh as the opc user, run sudo su, create the nss-config-dir directory (/etc/certs in this example), and then run certutil to manage keys and certificates in both NSS databases.
    [root@localhost ~]# mkdir /etc/certs
    [root@localhost ~]# cd /etc/certs
    [root@localhost certs]# certutil -N -d /etc/certs/
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.
    Enter new password:
    Re-enter password:
    [root@localhost certs]# ls
    cert8.db key3.db secmod.db
    [root@localhost certs]#
  2. To get SMTP domain CA details, run openssl s_client to smtp host.

    Note:

    • If it is on ashburn: openssl s_client -showcerts -connect smtp.us-ashburn-1.oraclecloud.com:587 -starttls smtp > /etc/certs/mycerts-ashburn
    • If it is on phoenix : openssl s_client -showcerts -connect smtp.us-phoenix-1.oraclecloud.com:587 -starttls smtp > /etc/certs/mycerts-phoenix
    For example:
    [root@localhost certs]# openssl s_client -showcerts -connect smtp.us-phoenix-1.oraclecloud.com:587 -starttls smtp > /etc/certs/mycerts-phoenix
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
    verify return:1
    depth=0 C = US, ST = California, L = Redwood City, O = Oracle Corporation, OU = Oracle DYN-DEV US, CN = smtp.us-phoenix-1.oraclecloud.com
    verify return:1
    250 Ok
    [root@localhost certs]#
  3. Execute cat on mycerts-phoenix or ashburn and copy each certificate including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- and paste it to their respective files.
    For example -
    ocismtp-phoenix1.pem ocismtp-phoenix2.pem ocismtp-phoenix3.pem
    [root@localhost certs]# ls -la | grep -i ocism
    -rw-r--r--. 1 root root 2443 Jan 31 18:00 ocismtp-phoenix1.pem
    -rw-r--r--. 1 root root 1648 Jan 31 18:01 ocismtp-phoenix2.pem
    -rw-r--r--. 1 root root 1338 Jan 31 18:01 ocismtp-phoenix3.pem
    [root@localhost certs]#
     
    
  4. Import the certificates into the nss-config-dir location /etc/certs by using the following commands:
    [root@localhost certs]# certutil -A -n "DigiCert SHA2 Secure Server CA" -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-phoenix1.pem
    [root@localhost certs]#
    [root@localhost certs]# certutil -A -n "DigiCert SHA2 Secure Server CA smtp " -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-phoenix2.pem
    [root@localhost certs]#
    [root@localhost certs]# certutil -A -n "DigiCert SHA2 Secure Server CA smtp2 " -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-phoenix3.pem  
    
  5. To check whether the imports are done correctly, execute the command certutil -L -d /etc/certs
    [root@localhost certs]# certutil -L -d /etc/certs
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    DigiCert SHA2 Secure Server CA                               CT,,
    DigiCert SHA2 Secure Server CA smtp                          CT,,
    DigiCert SHA2 Secure Server CA smtp2                         CT,,
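
Step 3 can be scripted instead of copied by hand. The following is an added example, not part of the original page: split_pem_bundle writes one PEM file per certificate from the s_client capture, and pem_fingerprints prints each subject and SHA-256 fingerprint so they can be compared with the CA's published values before the certutil -A import. The function names, file names and the sample capture are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): split an
# `openssl s_client -showcerts` capture into one PEM file per certificate.

# split_pem_bundle <capture-file> <output-prefix>
# Writes <prefix>1.pem, <prefix>2.pem, ... in the order the server sent them
# and prints how many files were written. Fails on an unterminated block.
split_pem_bundle() {
    capture=$1
    prefix=$2
    [ -r "$capture" ] || { echo "cannot read $capture" >&2; return 1; }
    awk -v prefix="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { if (inside) close(out); inside = 0 }
        END {
            if (inside) { print "unterminated certificate block" > "/dev/stderr"; exit 2 }
            print n + 0
        }
    ' "$capture"
}

# pem_fingerprints <file>...
# Prints subject, issuer and SHA-256 fingerprint of each certificate file.
pem_fingerprints() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    for f in "$@"; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256 ||
            echo "   not a parseable certificate" >&2
    done
}

# write_sample_capture <file>: constructed stand-in for s_client output.
# The base64 bodies are placeholders, not real certificates.
write_sample_capture() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=smtp.example.invalid
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
---
250 Ok
EOF
}

# Demo on the constructed capture.
demo_dir=$(mktemp -d)
write_sample_capture "$demo_dir/mycerts-sample"
count=$(split_pem_bundle "$demo_dir/mycerts-sample" "$demo_dir/ocismtp-sample")
echo "wrote $count certificate files:"
ls "$demo_dir" | grep 'ocismtp-sample'
rm -rf "$demo_dir"
```

On the instance, the equivalent call would be split_pem_bundle /etc/certs/mycerts-phoenix /etc/certs/ocismtp-phoenix followed by pem_fingerprints /etc/certs/ocismtp-phoenix*.pem.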
    

Configuring PostFix for Relaying Host with Authentication

  • Make sure the latest version of Postfix is installed along with the cyrus-sasl-* packages.
    [root@localhost ~]# rpm -qa | grep -i postfix
    postfix-2.6.6-8.el6.x86_64
    [root@localhost ~]# yum install postfix
    Loaded plugins: security, ulninfo
    Setting up Install Process
    Package 2:postfix-2.6.6-8.el6.x86_64 already installed and latest version
    Nothing to do
    [root@localhost ~]#
    [root@localhost ~]# yum install -y cyrus-sasl-*

    Note:

    All the available SASL mechanisms can be installed on the system by pulling in the relevant cyrus-sasl-* packages.
  • Add the following config directives in the file /etc/postfix/main.cf:
    #OCI SMTP Relay Host:
    #relayhost = <Replace with your OCI SMTP server>
    relayhost = smtp.us-phoenix-1.oraclecloud.com:587
    #SASL Authentication settings:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options =
    #TLS Settings:
    smtp_tls_loglevel = 2
    smtp_use_tls = yes
    smtpd_tls_security_level = may
    smtp_tls_CApath = /etc/certs
  • Create the file /etc/postfix/sasl_passwd to store the credentials created in the Generating a SMTP Credential step and make sure permissions are set to 600.
    #vi /etc/postfix/sasl_passwd
    relay_host:587 username:password
    Example:
    [root@localhost postfix]# cat /etc/postfix/sasl_passwd
    smtp.us-phoenix-1.oraclecloud.com:587 ocid1.user.oc1..aaaaaaaajjcwynf4ebqp32wdpdy6h4lpeknqiyld7s35t2psfmmfw3y4iosq@ocid1.tenancy.oc1..aaaaaaaavcpbui4wu2ttfnipykravgudbooie2eucf3odrsltgwj236epvha.fa.com:pP)QB&[YIz2ehe>7}fj_
    [root@localhost postfix]#
    
    
    [root@localhost postfix]# chmod 600 /etc/postfix/sasl_passwd
    [root@localhost postfix]#  
    
  • Create sasl_passwd.db that Postfix can read:
    [root@localhost postfix]# postmap /etc/postfix/sasl_passwd
    [root@localhost postfix]#
    [root@localhost postfix]# ls -l | grep -i passwd
    -rw-------. 1 root root 224 Jan 31 18:17 sasl_passwd
    -rw-------. 1 root root 12288 Jan 31 18:21 sasl_passwd.db
    [root@localhost postfix]#
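
An added example, not from the original page, that checks the two files configured above: whether main.cf makes TLS to the relay mandatory before SASL credentials are sent, and whether sasl_passwd and sasl_passwd.db are readable only by their owner. The function names and the second ("mandatory TLS") configuration are assumptions for illustration; smtp_tls_security_level and the noplaintext and noanonymous options are standard Postfix settings, and smtpd_tls_security_level applies to the inbound smtpd server rather than to the relay client.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit a Postfix relay client.
# Reads main.cf directly and ignores continuation lines and
# smtp_tls_policy_maps; on a live host compare with `postconf -n`.

# postconf_value <main.cf> <parameter>: last assigned value, or "<unset>".
postconf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = 1
        }
        END { print (found ? val : "<unset>") }
    ' "$1"
}

# audit_postfix_relay <main.cf> <sasl_passwd>
# Prints one finding per line; returns 1 if there is any finding.
audit_postfix_relay() {
    cf=$1
    pw=$2
    rc=0
    level=$(postconf_value "$cf" smtp_tls_security_level)
    sasl=$(postconf_value "$cf" smtp_sasl_security_options)
    # Postfix default when the parameter is absent.
    if [ "$sasl" = "<unset>" ]; then sasl="noplaintext, noanonymous"; fi

    tls_enforced=no
    case $level in
        encrypt|verify|secure|fingerprint|dane-only) tls_enforced=yes ;;
    esac
    if [ "$tls_enforced" = no ]; then
        echo "TLS: smtp_tls_security_level=$level, STARTTLS to the relay is not mandatory"
        rc=1
        case $sasl in
            *noplaintext*) ;;
            *) echo "SASL: plaintext mechanisms allowed without mandatory TLS"
               rc=1 ;;
        esac
    fi
    case $sasl in
        *noanonymous*) ;;
        *) echo "SASL: noanonymous is not set"
           rc=1 ;;
    esac
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the mode string are the group and other bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "PERM: $f is accessible to group or others"
            rc=1
        fi
    done
    return $rc
}

# Constructed inputs: the directives as listed on the page, and a variant
# with mandatory TLS (the variant is an assumption, not Oracle's guidance).
write_page_cf() {
    cat > "$1" <<'EOF'
relayhost = smtp.us-phoenix-1.oraclecloud.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_loglevel = 2
smtp_use_tls = yes
smtpd_tls_security_level = may
smtp_tls_CApath = /etc/certs
EOF
}
write_hardened_cf() {
    write_page_cf "$1"
    cat >> "$1" <<'EOF'
smtp_tls_security_level = encrypt
smtp_sasl_security_options = noanonymous
EOF
}

demo=$(mktemp -d)
write_page_cf "$demo/main.cf"
write_hardened_cf "$demo/main-hardened.cf"
# Constructed credential line, not a real account.
echo 'relay.example.invalid:587 user:constructed-secret' > "$demo/sasl_passwd"
chmod 600 "$demo/sasl_passwd"
echo "--- directives as on the page"
audit_postfix_relay "$demo/main.cf" "$demo/sasl_passwd" || true
echo "--- with mandatory TLS"
audit_postfix_relay "$demo/main-hardened.cf" "$demo/sasl_passwd" && echo "no findings"
rm -rf "$demo"
```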
    

Starting Postfix

[root@localhost postfix]# chkconfig postfix on
[root@localhost postfix]# service postfix start
[root@localhost postfix]# service postfix status
master (pid 12162) is running...
[root@localhost postfix]#
 
If you are running Oracle Linux 7, run:
# systemctl enable --now postfix

Configuring Firewall Ports

Add these ports to the firewall list of the SMTP client machines (the VMs from which email is sent):

sudo firewall-cmd --zone=public --permanent --add-port=25/tcp
sudo firewall-cmd --zone=public --permanent --add-port=587/tcp
sudo firewall-cmd --reload

Beginning to Send Email

  • Send Email
    The approved sender is user@<instancename.localdomain>, for example opc@oracle-odi-inst-31up.localdomain.
    In this case, log in as that user and test it with mailx:
    [user@localhost ~]$ echo "test" | mailx -v -s "OCI Test Message [mailx]" user@oracle.com
    Mail Delivery Status Report will be mailed to <user>.
    [user@localhost ~]$
    
  • Verify /var/log/maillog for any error messages:
    Jan 31 18:24:36 localhost postfix/pickup[13812]: ECF9BA00B4: uid=501 from=<user>
    Jan 31 18:24:36 localhost postfix/cleanup[14692]: ECF9BA00B4: message-id=<20190131182436.ECF9BA00B4@localhost.sub12182009561.cnvmau.oraclevcn.com>
    Jan 31 18:24:36 localhost postfix/qmgr[12172]: ECF9BA00B4: from=<user@localhost.sub12182009561.cnvmau.oraclevcn.com>, size=549, nrcpt=1 (queue active)
    Jan 31 18:24:36 localhost postfix/smtp[14694]: initializing the client-side TLS engine
    Jan 31 18:24:37 localhost postfix/smtp[14694]: setting up TLS connection to smtp.us-phoenix-1.oraclecloud.com[Public IP]:587
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com[Public IP]:587: TLS cipher list "ALL:+RC4:@STRENGTH"
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:before/connect initialization
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv2/v3 write client hello A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server hello A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com [Public IP]:587: certificate verification depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com[Public IP]:587: certificate verification depth=1 verify=1 subject=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
    Jan 31 18:24:37 localhost postfix/smtp[14694]: smtp.us-phoenix-1.oraclecloud.com [Public IP]:587: certificate verification depth=0 verify=1 subject=/C=US/ST=California/L=Redwood City/O=Oracle Corporation/OU=Oracle DYN-DEV US/CN=smtp.us-phoenix-1.oraclecloud.com
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server certificate A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server key exchange A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read server done A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 write client key exchange A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 write change cipher spec A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 write finished A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 flush data
    Jan 31 18:24:37 localhost postfix/smtp[14694]: SSL_connect:SSLv3 read finished A
    Jan 31 18:24:37 localhost postfix/smtp[14694]: Trusted TLS connection established to smtp.us-phoenix-1.oraclecloud.com[public ip]:587: TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
    Jan 31 18:24:38 localhost postfix/smtp[14694]: ECF9BA00B4: to=<user@oracle.com>, relay=smtp.us-phoenix-1.oraclecloud.com[public ip]:587, delay=1.6, delays=0.02/0.03/0.57/1, dsn=2.0.0, status=sent (250 Ok)
    Jan 31 18:24:38 localhost postfix/cleanup[14692]: 94136A00B8: message-id=<20190131182438.94136A00B8@localhost.sub12182009561.cnvmau.oraclevcn.com>
    Jan 31 18:24:38 localhost postfix/bounce[14696]: ECF9BA00B4: sender delivery status notification: 94136A00
    
  • The email has been delivered correctly:
    -------- Forwarded Message --------
    Subject: OCI Test Message [mailx]
    Date: Thu, 31 Jan 2019 18:24:36 +0000
    From: user@localhost.sub12182009561.cnvmau.oraclevcn.com
    To: user@oracle.com