Migrating from Oracle Directory Server (ODSEE), Identity Synchronization for Windows (ISW) To OUD, Directory Integration Platform (DIP) – Part 1


I was recently involved in a complex Oracle Directory Server migration. In the next few posts I am going to share my experience with the migration process, the steps to complete a successful migration, and of course the pitfalls and issues.

The environment involved consisted of the following.
Coming from:
Oracle Directory Server (ODSEE), multi-master, multi-datacenter,
And Identity Synchronization for Windows (ISW) – used for
Going to:
ODSEE => Oracle Unified Directory (OUD) (12c)
WebLogic Server (Infrastructure download) (12c) (used for DIP and OUDSM)
ISW => Directory Integration Platform (DIP) (12c)
Last, Oracle Unified Directory Gateway was used to keep the environments in sync at the time of the migration.

Note: With the configuration below I avoided the OUD/OID Oracle Database requirement.

Since the migration is quite complex, I divided the configuration into separate parts.

This is Part 1: downloading the required software and preparing the OUD environment.

Creating the OUD-related environment

First, let's create the OUD environment.
Note: I am using Solaris + ZFS to manage the file systems; feel free to use the file system of your choice.

# Create the oud group and the oud user
groupadd oud; useradd -g oud oud

#Create OUD filesystem
zfs create rpool/export/home/oud
zfs create -o mountpoint=/oud rpool/oud
zfs create -o mountpoint=/installs rpool/installs
mkdir /installs/OUD

Create ~oud/.bashrc with the content below. ORACLE_HOME must be exported before it is used in PATH, otherwise the OUD bin directory silently drops out of the path.

# OUD .bashrc
export JAVA_HOME=/usr/java
export ORACLE_HOME=/oud/Oracle/Middleware/Oracle_Home

# ORACLE_HOME is already set, so $ORACLE_HOME/oud/bin expands correctly here
export PATH=$PATH:/oud/Oracle/Middleware/Oracle_Home/asinst_1/OUD/bin:$ORACLE_HOME/oud/bin:/oud/Oracle/Middleware/Oracle_Home/OPatch

export DOMAIN_HOME=/oud/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain
export WL_HOME=$ORACLE_HOME/wlserver

export PATH=$PATH:$ORACLE_HOME/oracle_common/common/bin

# Make login shells read .bashrc as well
cd ~oud
ln -s .bashrc .bash_profile

# Fix ownership of the home, install and OUD directories
chown -R oud:oud ~oud
# 777 leaves /installs world-writable; 755 is enough once it is owned by oud
chmod 777 /installs
chown -R oud:oud /installs
chown -R oud:oud /oud/

# set oud password
passwd oud

Downloading the required software

OUD requires Java 1.8 and compiler software. On Solaris it is as simple as running the command below (on Linux use yum, apt, etc.).

pkg install --accept pkg://solaris/SUNWxwplt pkg:/developer/xopen/xcu4 make gnu-make ucb runtime/java/jre-8 developer/java/jdk-8 gcc

# Verify the java version
java -version

Create install directories.

mkdir /installs/OID  /installs/OUD  /installs/WLS

Below are the software components you will need to successfully complete the migration.

  1. WebLogic: Oracle Fusion Middleware Software Downloads
     Select Oracle WebLogic Server 12cR2 (12.2.1.3) >
     Fusion Middleware Infrastructure installer (about 1.5GB)
     Save to /installs/WLS.
  2. OUD: Download Oracle Unified Directory 12cPS3 (12.2.1.3.0)
     Select Oracle Unified Directory 12cPS3 (12.2.1.3.0) – generic
     Save to /installs/OUD.
  3. OID: Download Oracle Internet Directory 12cPS3 (12.2.1.3.0)
     Select Oracle Internet Directory 12cPS3 (12.2.1.3.0)
     Save to /installs/OID.

Installing OUD Multi-Master

Installing OUD

cd /installs/OUD
java -jar fmw_12.2.1.3.0_oud.jar
select > /oud/Oracle/Middleware/Oracle_Home
select > Standalone Oracle Unified Directory Server (Managed independently of WebLogic server)
Complete the installation.

Below are a few screen captures on the OUD installation.



Install OUD patches.

# Apply the patch (opatch is on the PATH via $ORACLE_HOME/OPatch set in .bashrc)
cd /installs/OUD/patch/27742743
opatch apply

Before we continue we will need to create the certificate keys. I will be using one key for all of the multi-master DNS and IP names outlined below, so every replica and the DIP host must appear in the SAN.
If using a self-signed certificate without a CA, run the below.

keytool -genkeypair -alias ldap-cert -keyalg rsa -keysize 2048 -validity 3560 -dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap.domain.com" -ext "SAN=DNS:ldap1,DNS:ldap2,DNS:ldap3,DNS:ldap4,DNS:dip1,DNS:dip1.domain.com,DNS:ldap1.domain.com,DNS:ldap2.domain.com,DNS:ldap3.domain.com,DNS:ldap4.domain.com,DNS:ldap.domain.com,IP:127.0.0.1,IP:0.0.0.0,IP:10.10.10.41,IP:10.10.10.42,IP:10.10.10.43,IP:10.10.10.44,IP:10.10.10.45" -keystore ldap-cert.jks -storetype JKS -deststoretype pkcs12

With a CA
If using a certificate signed by your own self-signed CA, run the below.

# Create self signed CA
keytool -genkeypair -alias ca-cert \
-keystore CA.jks \
-keyalg RSA  -validity 3560 \
-dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap-ca.domain.com" \
-storepass password -keypass password \
-storetype JKS -deststoretype pkcs12 \
-ext bc=ca:true

# Create the server key pair in CA.jks (without -keyalg keytool defaults to DSA)
keytool -genkeypair -alias ldap-cert \
-keystore CA.jks \
-keyalg RSA -keysize 2048 \
-dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap.domain.com" \
-ext "SAN=DNS:ldap1,DNS:ldap2,DNS:ldap3,DNS:ldap4,DNS:dip1,DNS:dip1.domain.com,DNS:ldap1.domain.com,DNS:ldap2.domain.com,DNS:ldap3.domain.com,DNS:ldap4.domain.com,DNS:ldap.domain.com,IP:127.0.0.1,IP:0.0.0.0,IP:10.10.10.41,IP:10.10.10.42,IP:10.10.10.43,IP:10.10.10.44,IP:10.10.10.45" \
-storepass password -keypass password \
-storetype JKS -deststoretype pkcs12

# Create cert req
keytool -certreq -alias ldap-cert \
-keystore CA.jks \
-file ldap-cert.csr \
-storepass password \
-storetype JKS -deststoretype pkcs12

# Sign the request with the CA key (the SAN must be repeated: gencert does not copy extensions from the CSR)
keytool -gencert -keystore CA.jks \
-keyalg RSA  -validity 3560 \
-dname "C=US,ST=New York,L=New York,O=domain.com,CN=ldap.domain.com" \
-ext "SAN=DNS:ldap1,DNS:ldap2,DNS:ldap3,DNS:ldap4,DNS:dip1,DNS:dip1.domain.com,DNS:ldap1.domain.com,DNS:ldap2.domain.com,DNS:ldap3.domain.com,DNS:ldap4.domain.com,DNS:ldap.domain.com,IP:127.0.0.1,IP:0.0.0.0,IP:10.10.10.41,IP:10.10.10.42,IP:10.10.10.43,IP:10.10.10.44,IP:10.10.10.45" \
-storepass password -alias ca-cert \
-infile ldap-cert.csr -outfile ldap-cert.cer \
-storetype JKS -deststoretype pkcs12

# Final cert: import the signed cert back into CA.jks, where the ldap-cert private key is.
# keytool pairs the reply with that key and stores the chain ldap-cert -> ca-cert.
# (Importing it into an empty ldap-cert.jks would only create a trustedCertEntry with no key.)
keytool -importcert -keystore CA.jks \
-storepass password -alias ldap-cert \
-file ldap-cert.cer \
-noprompt -trustcacerts \
-storetype JKS -deststoretype pkcs12

# Copy the ldap-cert key entry, with its chain, into its own keystore for the server
keytool -importkeystore -srckeystore CA.jks -srcstorepass password \
-srcalias ldap-cert -destkeystore ldap-cert.jks -deststorepass password \
-destkeypass password -deststoretype JKS

# Verify the certificates (ldap-cert must show as a PrivateKeyEntry, not a trustedCertEntry)
# keytool -v -list -keystore CA.jks
# keytool -v -list -keystore ldap-cert.jks
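Before the keystore is copied into place, it is worth checking two things by script rather than by eye: that the alias carries a private key (not just a trusted certificate) and that every replica and DIP host name is present in the SAN. The script below is an added example, not part of the original post; it parses `keytool -v -list` output and runs over constructed sample listings, assuming the alias `ldap-cert` and the host names from the keytool commands above.

```shell
#!/bin/sh
# Sanity-check a "keytool -v -list" listing before the keystore goes to /oud/certs.
# Catches two mistakes in the CA-signed flow: the signed cert landing as a
# trustedCertEntry in a keystore that holds no private key, and a replica
# hostname missing from the SAN (its TLS peers would fail hostname checks).

# check_listing LISTING ALIAS HOST...  -> prints each problem, returns 1 if any
check_listing() {
    listing=$1; alias=$2; shift 2; rc=0
    if ! printf '%s\n' "$listing" | grep -q "^Alias name: $alias\$"; then
        echo "missing alias: $alias"; rc=1
    elif ! printf '%s\n' "$listing" | awk -v a="$alias" '
            $0 == ("Alias name: " a) { found = 1; next }
            found && /^Entry type:/ { print; exit }' | grep -q PrivateKeyEntry; then
        echo "alias $alias is not a PrivateKeyEntry: no private key in this keystore"; rc=1
    fi
    for h in "$@"; do   # every replica/DIP host must be a DNSName in the SAN
        printf '%s\n' "$listing" | grep -q "DNSName: $h\$" \
            || { echo "SAN missing DNSName: $h"; rc=1; }
    done
    return $rc
}

# Constructed listings in keytool -v -list format (not real output from the post).
GOOD_LISTING='Alias name: ldap-cert
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=ldap.domain.com, O=domain.com, L=New York, ST=New York, C=US
Issuer: CN=ldap-ca.domain.com, O=domain.com, L=New York, ST=New York, C=US
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ldap1
  DNSName: ldap1.domain.com
  DNSName: ldap2.domain.com
  IPAddress: 10.10.10.41
]'
# What you get when the signed reply is imported into an empty ldap-cert.jks
BAD_LISTING='Alias name: ldap-cert
Entry type: trustedCertEntry
Owner: CN=ldap.domain.com, O=domain.com, L=New York, ST=New York, C=US
SubjectAlternativeName [
  DNSName: ldap1.domain.com
]'

check_listing "$GOOD_LISTING" ldap-cert ldap1.domain.com ldap2.domain.com && echo "ldap-cert.jks OK"
check_listing "$BAD_LISTING" ldap-cert ldap1.domain.com ldap2.domain.com || echo "fix before copying"
```

On a real host, pipe `keytool -v -list -keystore ldap-cert.jks -storepass password` into a variable and pass it to check_listing with the full list of replica names.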

Let's copy the keystore we are going to use to /oud/certs.

mkdir -p /oud/certs
cp ldap-cert.jks /oud/certs

So far we have completed the OUD installation. In Part 2 I am going to show you how to configure OUD multi-master, and how to install and configure the OUD Gateway.
To continue reading Part 2 click here.

Like what you're reading? Please provide feedback; any feedback is appreciated.
