Migrating from ODSEE, ISW To OUD, DIP. WLS, OID, Configure WLS, OID, OUD required for DIP Instances – Part 4


Below I continue the migration from ODSEE and ISW to OUD and DIP. You can access the other parts here: Part 1, Part 2, and Part 3.

Since the migration is quite complex, I am splitting the configuration into separate parts.

This is Part 4: install and configure WLS, OID, and OUD to work with DIP.

Configure WLS And DIP instance

Note: Before continuing, please make sure to check out Part 2 and Part 3, which cover how to install and configure the WLS, OID, and OUD instances.

Let's start by configuring WebLogic, which you do by running the configuration wizard below.

$ORACLE_HOME/oracle_common/common/bin/config.sh
Select the template:
> Oracle Unified Directory [oud]
Click Next and set the user:
> user > admin
> password > password
Change the domain to:
> domain > production
> jdk > (default OS JDK 1.8)
Check Node Manager and Admin Server.
Check SSL, with port 7002.
Next:
> node manager type > per domain
> user > admin
> password > password

Complete the setup.

Next, we create a boot.properties file so the domain can start without prompting for credentials.

cd /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin
mkdir -p /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/security/
echo "username=admin" >/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties
echo "password=password">>/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties

Now we need to start the domain(s):

nohup ./startNodeManager.sh &
nohup ./startWebLogic.sh &

Run tail -f on nohup.out to follow progress, until you see a line containing the word RUNNING.

Configuring / creating DIP domain(s)

Note: To run the configuration without an Oracle database, you have to include OUDSM as part of the configuration.

Below we create an OUDSM domain using the WLST command-line interface.

cd /oud/Oracle/Middleware/Oracle_Home/oracle_common/common/bin
./wlst.sh
wls:/offline> createOUDSMDomain(domainLocation='/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1',weblogicPort=7001,weblogicSSLPort=7002,weblogicUserName='admin',weblogicUserPassword='password')
Successfully created OUDSM domain
wls:/offline>setTopologyProfile('Compact')
wls:/offline>readDomain('/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1')
wls:/offline/dip1>cd('Servers/AdminServer')
wls:/offline/dip1/Server/AdminServer>cmo.getListenPort()
7001
wls:/offline/dip1/Server/AdminServer>cmo.getListenAddress()
'All Local Addresses'
wls:/offline/dip1/Server/AdminServer>cd('SSL/AdminServer')
wls:/offline/dip1/Server/AdminServer/SSL/AdminServer>cmo.getListenPort()
7002
wls:/offline/dip1/Server/AdminServer/SSL/AdminServer>closeDomain()
wls:/offline>setTopologyProfile('Compact')
wls:/offline>readDomain('/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1')
wls:/offline/dip1>selectTemplate('Oracle Directory Integration Platform')
wls:/offline/dip1>loadTemplates()
wls:/offline/dip1>updateDomain()
wls:/offline/dip1>closeDomain()
wls:/offline>exit()

Next, stop the running WebLogic instance (leave the Node Manager running).

DIP and OUD certificate key configuration

In order for DIP to use SSL for communication, the DIP instance needs to import the certificates of OUD, Active Directory (AD) and any other connected directory.
For DIP I will be using a keystore stored in /oud/certs/dip1-dip2oud.jks

Note:
I will be using the same OUD key for the DIP instance, as its CN is already included, so the steps below are not required in our configuration.
They are included for reference only, in case you would like to create a new DIP certificate key (CA and key).
Creating a DIP CA and key

# Create CA
keytool -genkeypair -alias ca-cert \
-keystore CA.jks \
-keyalg RSA  -validity 3560 \
-dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap-ca.domain.com" \
-storepass password -keypass password \
-storetype JKS -deststoretype pkcs12 \
-ext bc=ca:true

# export CA (exportcert only needs the alias, keystore, store password and output file)
keytool -exportcert -alias ca-cert \
-keystore CA.jks \
-storepass password \
-file dip1-ca.csr

# import CA
keytool -import -trustcacerts \
-noprompt \
-alias root-ca \
-keystore ldap-cert.jks \
-file dip1-ca.csr \
-storepass password

# Create server cert
keytool -genkeypair -alias ldap-cert \
-keyalg RSA -keysize 2048 \
-validity 3560 \
-dname "C=US,ST=New York,L=New York,O=domain.com,CN=dip1.domain.com" \
-ext "SAN=DNS:dip1.domain.com,DNS:dip1,IP:127.0.0.1,IP:0.0.0.0,IP:10.10.10.45" \
-keystore ldap-cert.jks \
-keypass password \
-storetype JKS \
-storepass password

# Create cert req
keytool -certreq -alias ldap-cert \
-keystore ldap-cert.jks \
-storepass password \
-file dip1-wl.csr

# sign cert
keytool -gencert -keystore CA.jks \
-keyalg RSA  -validity 3560 \
-dname "C=US,ST=New York,L=New York,O=domain.com,CN=dip1.domain.com" \
-ext "SAN=DNS:dip1.domain.com,DNS:dip1,IP:127.0.0.1,IP:0.0.0.0,IP:10.10.10.45" \
-storepass password -alias ca-cert \
-infile dip1-wl.csr -outfile dip1-wl.cer \
-storetype JKS

keytool -importcert -keystore ldap-cert.jks \
-storepass password -alias ldap-cert \
-file dip1-wl.cer \
-noprompt -trustcacerts \
-storetype JKS

Now, let's continue with the OUD keys for DIP.
For DIP to connect over SSL you will need to export the OUD server and admin certificates and import them into the DIP keystore.
To get the OUD regular and admin certificates, run the below.

# Export your OUD server certificate
keytool -export -alias ldap-cert -file /tmp/dip1-ca-root.csr -rfc -keystore /oud/certs/ldap-cert.jks -storetype JKS
# Import the OUD server certificate into the DIP keystore
keytool -importcert -trustcacerts -alias oud-cert -file /tmp/dip1-ca-root.csr -keystore /oud/certs/dip1-dip2oud.jks

# export admin-key
keytool -export -alias admin-cert -file /tmp/dip1-admin-cert -rfc -storepass `cat admin-keystore.pin` -keystore admin-keystore -storetype JKS

# Import the OUD admin certificate into the DIP keystore
keytool -importcert -trustcacerts -alias dip1-admin-cert -file /tmp/dip1-admin-cert -keystore /oud/certs/dip1-dip2oud.jks

You can also get the admin certificate by running the below (copy the block from BEGIN CERTIFICATE to END CERTIFICATE).

openssl s_client -connect dip1.domain.com:4444 -verify 5
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Now let's start the WebLogic domain instance by running the below.

cd /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/bin/
nohup ./startWebLogic.sh &

# For logs, run.
tail -f nohup.out

Next, let's start the DIP managed WebLogic instance.
First create a boot.properties file for it (so no password is prompted at startup):

mkdir -p /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/servers/wls_ods1/security/
echo "username=admin" >/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/servers/wls_ods1/security/boot.properties
echo "password=password" >>/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/servers/wls_ods1/security/boot.properties

# Startup
nohup ./startManagedWebLogic.sh wls_ods1 &
# For logs, run.
tail -f nohup.out
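Both boot.properties files above (for AdminServer and for wls_ods1) are written with the WebLogic admin password in cleartext, with whatever permissions the shell's default umask happens to give. The helper below is an added example, not code from the original post or from Oracle's WebLogic tooling; it takes the same server directory, user name and password as parameters, creates the file owner-readable only, and refuses to overwrite an existing file, because WebLogic rewrites boot.properties with encrypted values after the first successful start and a later re-run should not replace that with cleartext again.

```shell
#!/bin/sh
# Added example (not from the original post): create a WebLogic boot.properties
# with owner-only permissions instead of relying on the shell's default umask.
#
# Usage: write_boot_properties <server-dir> <username> <password>
#   <server-dir> is e.g. .../user_projects/domains/dip1/servers/wls_ods1
# Returns 0 on success, 2 if the file already exists (left untouched),
# 1 on any other failure.
write_boot_properties() {
  server_dir=$1; user=$2; pass=$3
  sec_dir="$server_dir/security"
  file="$sec_dir/boot.properties"

  if [ -f "$file" ]; then
    # Do not overwrite: after the first successful boot WebLogic replaces the
    # cleartext values in this file with encrypted ones.
    echo "boot.properties already exists at $file, leaving it alone" >&2
    return 2
  fi

  mkdir -p "$sec_dir" || return 1
  chmod 700 "$sec_dir" || return 1
  # Create the file empty with mode 600 first, then fill it, so there is no
  # window in which a world-readable copy of the password exists.
  ( umask 077 && : > "$file" ) || return 1
  printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" || return 1
  chmod 600 "$file"
}

# Report the permission bits of a file as the 10-character ls(1) mode string
# (e.g. "-rw-------"); this works the same on GNU and BSD userlands.
boot_properties_mode() {
  ls -ld "$1" | cut -c1-10
}

# Example call with the post's managed-server path (commented out so the file
# can be sourced without side effects):
# write_boot_properties /oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/servers/wls_ods1 admin password
```

After the server has booted once, check that the file no longer contains the cleartext values before you copy the domain anywhere else.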

Access the console:
http://dip1.domain.com:7001/console/
Access DIP:
http://dip1.domain.com:7001/em/
Access OUDSM:
http://dip1.domain.com:7001/oudsm

Next, we update the DIP configuration with the JKS keystore location; this keystore is used for all SSL communication between DIP and OUD, AD, and any other directories.

/oud/Oracle/Middleware/Oracle_Home/bin/manageDIPServerConfig set \
-h localhost \
-p 7005 \
-D admin \
-attribute keystorelocation \
-val \
/oud/certs/dip1-dip2oud.jks
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.

The attribute keystorelocation is successfully changed to value /oud/certs/dip1-dip2oud.jks.

Next, we need to create a WebLogic credential store entry holding the JKS keystore password.

cd /oud/Oracle/Middleware/Oracle_Home/oracle_common/common/bin
./wlst.sh
connect('admin','password','t3://localhost:7001')
createCred(map="dip",key="jksKey",user="jksuser",password="password")
exit()

DIP binding configuration

We are now ready to configure DIP with the OUD instance, which you do by running the below.

cd /oud/Oracle/Middleware/Oracle_Home/bin
./dipConfigurator setup \
-wlshost dip1.domain.com \
-wlsport 7001 \
-wlsuser admin \
-ldaphost dip1.domain.com \
-ldapport 1636 \
-ldapuser 'cn=directory manager' \
-isldapssl true \
-ldapadminport 4444

# If clustered add the below.
-isclustered false

Note: To view the DIP initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

# Add the DIP ACIs to your OUD instance.

ldapmodify -h localhost -p 1389 -D "cn=directory manager" -w - <

We are now ready to switch DIP to SSL communication (SSL mode 2).
Follow the steps below to do so.

cd /oud/Oracle/Middleware/Oracle_Home/bin
./manageDIPServerConfig \
set -attribute sslmode -val 2 -h localhost -p 7005 -D "admin"
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.

The attribute sslmode is successfully changed to value 2.

Next, change the backend host and port to the OUD SSL port.

./manageDIPServerConfig set \
-attribute backendhostport \
-val dip1.domain.com:1636 \
-h localhost -p 7005 -D "admin"
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.

The attribute backendhostport is successfully changed to value dip1.domain.com:1636.

Finally, verify that DIP still works with SSL enabled.
Note: You can also test this from the DIP web UI.

/oud/Oracle/Middleware/Oracle_Home/bin/dipStatus -h localhost -p 7005 -D admin
[Weblogic user password]
Connection parameters initialized.
Connecting at localhost:7005, with userid "admin"..
Connected successfully.

ODIP Application is active at this host and port.

If all works, restart the DIP wls_ods1 instance; this is required for DIP to start using SSL.

Adding / configuring SSL for DIP <-> AD communication

To get the AD CA certificates, run the below.

ldapsearch -h ad1.domain.local -D "CN=Adm account,OU=Admin Accounts,DC=domain,DC=local" -w 'password' -b "cn=configuration,dc=domain,dc=local" "cacertificate=*" dn
ldapsearch -h ad1.domain.local -D "CN=Adm account,OU=Admin Accounts,DC=domain,DC=local" -w 'password' -b "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" "cacertificate=*"

# Note: You can also use openssl to retrieve the certificate.
openssl s_client -connect ad1.domain.com:636 -verify 5
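Both the openssl s_client capture earlier (copy the BEGIN to END CERTIFICATE block) and the ldapsearch output here need a manual step before keytool -importcert will read them: s_client prints the server certificate among connection chatter, and ldapsearch returns the AD CA certificate as a base64 LDIF value, folded onto continuation lines, with no PEM markers. The helpers below are an added example, not code from the original post or from Oracle; they assume the s_client output and the ldapsearch output have each been saved to a file, extract exactly one certificate as PEM, and count the certificates in a PEM file so you can confirm you are about to trust a single CA. Any sample input used with them is constructed; the certificate bodies are placeholder base64, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): turn the two places this post
# fetches certificates from into PEM files that keytool -importcert accepts.
#
# 1) openssl s_client output: the server certificate is the first
#    BEGIN/END CERTIFICATE block (with -showcerts, later blocks are the chain).
# 2) ldapsearch LDIF output: AD returns the CA certificate as a base64 value
#    "cACertificate:: ...", folded onto continuation lines that start with a
#    single space (RFC 2849). It has to be unfolded and wrapped in PEM markers.

# Print the first PEM certificate block found in an openssl s_client capture.
# Usage: sclient_first_cert <capture-file>
sclient_first_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { p = 1 }
    p                             { print }
    /-----END CERTIFICATE-----/   { if (p) exit }
  ' "$1"
}

# Convert the first cACertificate value in an LDIF file to PEM.
# Usage: ldif_cert_to_pem <ldif-file>      (returns 1 if no value was found)
ldif_cert_to_pem() {
  awk '
    /^[cC][aA][cC]ertificate:: / && !done {
      sub(/^[^:]*:: /, ""); b64 = $0; grab = 1; next
    }
    grab && /^ / { b64 = b64 substr($0, 2); next }   # unfold continuation line
    grab         { grab = 0; done = 1 }              # value ended, keep the first only
    END {
      if (b64 == "") exit 1
      print "-----BEGIN CERTIFICATE-----"
      # PEM bodies are conventionally wrapped at 64 characters
      for (i = 1; i <= length(b64); i += 64) print substr(b64, i, 64)
      print "-----END CERTIFICATE-----"
    }
  ' "$1"
}

# Sanity check before importing: a file handed to keytool -importcert under one
# alias should hold exactly one certificate.
# Usage: pem_cert_count <file>   (prints the number of BEGIN CERTIFICATE lines)
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Example calls (commented out so the file can be sourced without side effects):
# openssl s_client -connect ad1.domain.com:636 -verify 5 </dev/null > /tmp/ad1-sclient.txt
# sclient_first_cert /tmp/ad1-sclient.txt > /oud/certs/ad-cert.csr
# ldif_cert_to_pem /tmp/ad1-ca.ldif > /oud/certs/ad-cert.csr
# pem_cert_count /oud/certs/ad-cert.csr   # expect 1
```

ldif_cert_to_pem deliberately takes only the first cACertificate value. If the forest has several CAs under CN=Certification Authorities, save each entry to its own LDIF file (or narrow the search base to the CA's own DN) so that every alias you add to /oud/certs/dip1-dip2oud.jks holds exactly one CA certificate.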

Now import the AD CA certificate into the DIP trust store.

keytool -importcert -trustcacerts -keystore /oud/certs/dip1-dip2oud.jks -file /oud/certs/ad-cert.csr -alias ad1-ca-cert

Note: AD 2008 R2 and below do not support TLS 1.2 out of the box. To set the minimum TLS version DIP accepts to 1.0, follow the below:
https://docs.oracle.com/middleware/12213/dip/administer/GUID-5792E326-0A9E-4B16-83A7-CA8A7E1E1CC9.htm#OIMIG-GUID-89E0E64B-A175-4B22-BB86-AC7BC13059F2

Configuring WebLogic to allow TLS 1.0

From the domain home page, select the Managed Server (wls_ods1).
> From the WebLogic Server menu, choose System MBean Browser. The System MBean Browser page is displayed.
> Expand Configuration MBeans in the MBean navigation tree and then select com.bea > Server.
> Expand the Server node and then expand the Managed Server node (wls_ods1).
> From the Managed Server node, expand SSL and then select the Managed Server MBean.
The Configuration MBean page is displayed.

> Select the Attributes tab and then select MinimumTLSProtocolVersion.
The Attribute: MinimumTLSProtocolVersion page is displayed.
I select the value below (details of the other options are available in the docs):
TLSv1: Specifies TLS V1.0 as the minimum protocol version enabled in SSL connections.

Note: Specifying the lowest version, i.e. TLSv1, also enables TLSv1.1 and TLSv1.2.

OUD changes required for DIP

Allow pre-encoded (already hashed) passwords in OUD:

cd /oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin
./dsconfig -h localhost -p 4444 -D "cn=directory manager" -j /oud/certs/pw.txt -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set allow-pre-encoded-passwords:true

Enable the change log for cn=oraclecontext, if not already done:

dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j /oud/certs/pw.txt -r 8989 -b cn=oraclecontext --trustAll --no-prompt

Configuring Password Sync

If you are synchronizing passwords in either direction, from AD => OUD or from OUD => AD, run the relevant command below.

From AD => OUD
To synchronize passwords from a connected directory to Oracle Unified Directory, run setupPlugin, as below.

$ORACLE_HOME/bin/dipConfigurator setupPlugin \
-wlshost dip1.domain.com \
-wlsport 7001 \
-wlsuser admin \
-ldaphost dip1.domain.com \
-ldapport 1389 \
-ldapuser 'cn=directory manager' \
-isldapssl false \
-ldapadminport 4444

Note: To view the Password Filter initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

From OUD => AD
To enable and configure OUD password translation, run setupPasswordTranslation, as below.

$ORACLE_HOME/bin/dipConfigurator setupPasswordTranslation \
-wlshost localhost \
-wlsport 7001 \
-wlsuser admin \
-ldaphost dip1.domain.com \
-ldapport 1389 \
-ldapuser "cn=Directory Manager" \
-isldapssl false \
-ldapadminport 4444

Note: To view the Password Translation initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

Troubleshooting and logging

You can increase DIP logging either in the web UI or by editing logging.xml.
The file is located at:

/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/dip1/config/fmwconfig/servers/wls_ods1/logging.xml

# Add the next lines to set logging to the max (32).






Helpful links
Pythian has also released a very helpful SlideShare deck, which can be found here.

Oracle Support master note for DIP: Doc ID 1563196.1

In this article we have completed configuring the WLS and DIP instances. In Part 5 I am going to show you how to configure the ISW => DIP migration and the OUD <=> AD mappings.
To continue reading, click here for Part 5.

Like what you're reading? Please provide feedback; any feedback is appreciated.
