Installing and configuring OUD proxy
Set up the OUD user/group account
groupadd oud; useradd -g oud oud
Modify /etc/hosts
Make sure the FQDN is first in /etc/hosts
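The runbook says to make sure the FQDN comes first but does not show how to check it. The script below is an added example, not part of the original runbook: it parses a hosts file and reports whether the host's line lists the given FQDN as the first name (the name the installer and the keytool -dname above must agree on) or only as an alias. The function name hosts_fqdn_first and the --check usage are this example's own.

```shell
#!/bin/sh
# check-hosts-fqdn.sh (added example, not part of the runbook): verify that
# the entry for this host in /etc/hosts lists the FQDN before the short name.

# hosts_fqdn_first <hosts-file> <fqdn>
# Returns 0 if some non-comment line has <fqdn> as its first name,
# 1 if <fqdn> appears only as an alias (the line is printed),
# 2 if <fqdn> is not present at all.
hosts_fqdn_first() {
    file=$1; fqdn=$2
    found=2
    # "|| [ -n "$line" ]" also processes a last line lacking a newline
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop trailing comments
        set -- $line                # split into fields (word splitting intended)
        [ $# -ge 2 ] || continue    # skip blank lines and entries without a name
        ip=$1; name=$2; shift 2
        if [ "$name" = "$fqdn" ]; then
            echo "ok   $ip $name $*"
            return 0
        fi
        for alias in "$@"; do
            if [ "$alias" = "$fqdn" ]; then
                echo "FAIL $fqdn is not the first name: $ip $name $*"
                found=1
            fi
        done
    done < "$file"
    if [ "$found" -eq 2 ]; then
        echo "FAIL $fqdn not found in $file"
    fi
    return "$found"
}

# Usage: ./check-hosts-fqdn.sh --check <fqdn> [hosts-file]   (default /etc/hosts)
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    hosts_fqdn_first "${3:-/etc/hosts}" "$2"
fi
```

Run it with the name you will later put in the certificate, for example ./check-hosts-fqdn.sh --check ldproxy1.domain.com, and fix /etc/hosts until it reports ok.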
Create ZFS file systems
zfs create rpool/export/home/oud
zfs create -o mountpoint=/oud rpool/oud
zfs create -o mountpoint=/installs rpool/installs
mkdir /installs/OUD
Configure proper owner
groupadd oud
useradd -g oud oud
cd ~oud
cp /root/.bashrc .
ln -s .bashrc .bash_profile
chown -R oud:oud ~oud
echo "export JAVA_HOME=/usr/java" >> ~oud/.bashrc
chmod 777 /installs
chown -R oud:oud /installs
chown -R oud:oud /oud/
Install needed packages
pkg install --accept pkg://solaris/SUNWxwplt java jdk-6 jdk pkg:/developer/xopen/xcu4 make gnu-make ucb
Configure passwords
passwd oud
OS Tuning
Create /etc/init.d/Net-Tunes.sh (linked below from /etc/rc2.d as S50Net-Tunes.sh)
vi Net-Tunes.sh
#!/bin/sh
# Net-Tunes.sh: IP hardening and Directory Server TCP tuning via ndd
echo "Applying the following IP tuning"
set -x
# Do not forward directed broadcasts or source-routed packets
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
# Ignore incoming ICMP redirects; refresh ARP cache entries every 60 s (value in ms)
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_arp_interval 60000
# Do not answer broadcast echo or timestamp requests, and do not send redirects
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
# Directory Server Tuning (intervals in ms)
ndd -set /dev/tcp tcp_time_wait_interval 30000
ndd -set /dev/tcp tcp_conn_req_max_q 4096
ndd -set /dev/tcp tcp_keepalive_interval 600000
ndd -set /dev/tcp tcp_rexmit_interval_initial 500
ndd -set /dev/tcp tcp_smallest_anon_port 8192
ndd -set /dev/tcp tcp_deferred_ack_interval 5
set +x
chmod +x Net-Tunes.sh
chown root:sys Net-Tunes.sh
cd /etc/rc2.d/
ln -s /etc/init.d/Net-Tunes.sh S50Net-Tunes.sh
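Since Net-Tunes.sh only applies values at boot, a practitioner usually wants to confirm they are still in effect. The script below is an added example, not part of the original runbook: it reads every parameter back with ndd -get and compares it with the value Net-Tunes.sh sets, so drift after a reboot or a manual change is reported line by line. The function names and the optional getter argument of verify_net_tunes (which lets the comparison logic be exercised without ndd) are this example's own assumptions; run it with --check on the Solaris host, normally as root.

```shell
#!/bin/sh
# check-net-tunes.sh (added example, not part of the runbook): compare the
# live ndd values with the ones Net-Tunes.sh sets and report any drift.

# Expected table, one "driver parameter value" per line; the values are
# exactly those from Net-Tunes.sh above.
net_tunes_table() {
    cat <<'EOF'
/dev/ip  ip_forward_directed_broadcasts     0
/dev/ip  ip_forward_src_routed              0
/dev/ip  ip_ignore_redirect                 1
/dev/ip  ip_ire_arp_interval                60000
/dev/ip  ip_respond_to_echo_broadcast       0
/dev/ip  ip_respond_to_timestamp            0
/dev/ip  ip_respond_to_timestamp_broadcast  0
/dev/ip  ip_send_redirects                  0
/dev/tcp tcp_time_wait_interval             30000
/dev/tcp tcp_conn_req_max_q                 4096
/dev/tcp tcp_keepalive_interval             600000
/dev/tcp tcp_rexmit_interval_initial        500
/dev/tcp tcp_smallest_anon_port             8192
/dev/tcp tcp_deferred_ack_interval          5
EOF
}

# Default getter: ndd_get <driver> <parameter> prints the current value.
ndd_get() {
    ndd -get "$1" "$2"
}

# check_tunable <getter> <driver> <parameter> <expected>
# Prints one ok/FAIL line; returns 0 only when the live value matches.
check_tunable() {
    getter=$1; drv=$2; param=$3; expected=$4
    actual=$("$getter" "$drv" "$param" 2>/dev/null) || {
        echo "FAIL $drv $param: could not read value"
        return 1
    }
    if [ "$actual" = "$expected" ]; then
        echo "ok   $drv $param = $actual"
        return 0
    fi
    echo "FAIL $drv $param = $actual (expected $expected)"
    return 1
}

# verify_net_tunes [getter]: checks every row of the table; the return value
# is the number of tunables that differ (0 means the kernel matches the script).
verify_net_tunes() {
    getter=${1:-ndd_get}
    failed=0
    while read -r drv param expected; do
        check_tunable "$getter" "$drv" "$param" "$expected" || failed=$((failed + 1))
    done <<EOF
$(net_tunes_table)
EOF
    echo "$failed tunable(s) differ from Net-Tunes.sh"
    return "$failed"
}

# Usage: ./check-net-tunes.sh --check
if [ "${1:-}" = "--check" ]; then
    verify_net_tunes
fi
```

The table is data, so when Net-Tunes.sh gains a parameter the same line is added here; a non-zero exit status makes the script usable from cron or a monitoring check.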
Copy and extract files
scp V37478-01.zip oud@ldap1:/installs/
cd /installs/OUD; unzip -qq ../V37478-01.zip
Install OUD Proxy
Note: Make sure to use Java 1.7.0_17-b02 for all products (included in sol11.1/SRU-6.0.4).
Options at installation
./runInstaller -jreLoc /usr/java
Select
Inventory Directory:
/oud/oraInventory
Group:
oud
/oud/oraInventory/createCentralInventory.sh
skip registration
OUD Base:
/oud/Oracle/Middleware
Oracle Home:
Oracle_OUD1
Before configuring, create a certificate
Generate a self-signed certificate
keytool -genkeypair -alias ldproxy1 -keyalg rsa -keysize 2048 -validity 3560 -dname "cn=ldproxy1.domain.com" -keystore /oud/certs/ldproxy1.jks -storetype JKS
Verify certificate key
keytool -list -alias ldproxy1 -keystore ldproxy1.jks -v
Get DSEE certificate(s)
Note: The steps below are no longer needed, since the remote LDAP certificate is accepted at configuration time.
dsadm show-cert -F ascii /ldap1/ldap_inst1/ldap/ defaultCert > ldap1-cert-ascii
keytool -importcert -alias ldap1 -file ldap1-cert-ascii -keystore ldap1.jks -storetype JCEKS -storepass password
Verify key
keytool -list -alias ldap1 -keystore ldap1.jks -storetype JCEKS -storepass password -v
Configuring OUD Proxy
Install the DS by running oud-proxy-setup
ssh -X oud@ldproxy1
/oud/Oracle/Middleware/Oracle_OUD1/oud-proxy-setup
Select the certificate
Select the certificate generated in /oud/certs
Enter the cn=directory manager password
Select remote LDAP servers
Click Next until the Add Remote LDAP Servers screen
Click Add remote server
Select both ldap & ldaps
Select get remote server certificate and save the certificate
Add all Directory servers you would like to use with the proper ports
Min:
256
Max:
2048
Complete the configuration
Add an SMTP alert handler
First enable and configure an SMTP server
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig -h localhost -p 4444 -D "cn=directory manager" -j /tmp/pw.txt -n set-global-configuration-prop --set smtp-server:localhost --trustAll
Then add an SMTP alert handler in ODSM
Add an SMTP alert handler
Name:
SMTP OUD-Alerts
Email:
sysadmin@domain.com
Proxy command line tuning
OUD proxy thread performance tuning
Add the command list below to a file, then execute dsconfig in batch mode with -F
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig -j /tmp/pw.txt -n -F /installs/oud_config_cmds
delete-network-group --group-name network-group
create-network-group --group-name network-group --set enabled:true --set priority:100 --set allowed-auth-method:anonymous --set allowed-auth-method:simple --set allowed-auth-method:sasl --set workflow:workflow1 --set is-security-mandatory:false
set-connection-handler-prop --handler-name LDAP\ Connection\ Handler --set num-request-handlers:2 --set max-request-size:0 --set max-blocked-write-time-limit:3600000\ ms
set-connection-handler-prop --handler-name LDAPS\ Connection\ Handler --set num-request-handlers:2 --set max-request-size:0 --set max-blocked-write-time-limit:3600000\ ms
set-extension-prop --extension-name proxy1 --set remote-ldap-server-connect-timeout:5000 --set ssl-trust-all:true --set monitoring-connect-timeout:5000 --set monitoring-inactivity-timeout:120000 --set pool-initial-size:2 --set pool-increment:10 --set pool-max-size:1024 --set remote-ldap-server-read-timeout:20000
set-extension-prop --extension-name proxy2 --set remote-ldap-server-connect-timeout:5000 --set ssl-trust-all:true --set monitoring-connect-timeout:5000 --set monitoring-inactivity-timeout:120000 --set pool-initial-size:2 --set pool-increment:10 --set pool-max-size:1024 --set remote-ldap-server-read-timeout:20000
Modify the Max Size Limits
Under General Configuration
Size Limit:
7000
How to start and stop the servers
As the oud user, run:
To start an instance
/oud/Oracle/Middleware/asinst_1/OUD/bin/start-ds
To stop an instance
/oud/Oracle/Middleware/asinst_1/OUD/bin/stop-ds
OUD LDAP error code list
Add the new configured server to ODSM console
Appendix A – Create OUD proxy from command line
Script to configure OUD proxy from command line
# Create certificate
keytool -genkeypair -alias ldproxy1 -keyalg rsa -keysize 2048 -validity 3560 -dname "cn=ldproxy1.domain.com" -keystore /oud/certs/ldproxy1.jks -storetype JKS
# Verify certificate
keytool -list -alias ldproxy1 -keystore ldproxy1.jks -v
# Create password files
echo password > /installs/certs/certPW.txt
echo dspassword > /installs/certs/pwdfile.txt
cp -r /installs/certs /oud/.
/oud/Oracle/Middleware/Oracle_OUD1/oud-proxy-setup --cli --ldapPort 1389 --adminConnectorPort 4444 --rootUserDN "cn=Directory Manager" --rootUserPasswordFile /installs/certs/pwdfile.txt --doNotStart --enableStartTLS --ldapsPort 1636 --useJCEKS /installs/certs/ldproxy1.jks --keyStorePasswordFile /installs/certs/certPW.txt --certNickname ldproxy1
/oud/Oracle/Middleware/asinst_1/OUD/bin/start-ds
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-trust-manager-provider --provider-name "Backend Server ldap1.domain.com:389" --type file-based --set enabled:true --set trust-store-file:/oud/certs/ldap1.jks --set trust-store-type:JKS --set trust-store-pin-file:/oud/certs/certPW.txt --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-extension --type ldap-server --extension-name proxy1 --set enabled:true --set remote-ldap-server-address:ldap1.domain.com --set remote-ldap-server-port:389 --set remote-ldap-server-ssl-port:636 --set remote-ldap-server-ssl-policy:user --set ssl-trust-manager-provider:"Backend Server ldap1.domain.com:389" --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-workflow-element --set enabled:true --set client-cred-mode:use-client-identity --set ldap-server-extension:proxy1 --type proxy-ldap --element-name proxy-we1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-workflow-element --set enabled:true --type load-balancing --element-name load-bal-we1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-load-balancing-algorithm --type proportional --element-name load-bal-we1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-load-balancing-route --element-name load-bal-we1 --route-name load-bal-route1 --type proportional --set workflow-element:proxy-we1 --set add-weight:1 --set bind-weight:1 --set compare-weight:1 --set delete-weight:1 --set extended-weight:1 --set modify-weight:1 --set modifydn-weight:1 --set search-weight:1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig create-workflow --set base-dn:dc=domain,dc=com --set enabled:true --set workflow-element:load-bal-we1 --type generic --workflow-name workflow1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
/oud/Oracle/Middleware/asinst_1/OUD/bin/dsconfig set-network-group-prop --group-name network-group --add workflow:workflow1 --hostname ldproxy1.domain.com --port 4444 --bindDN "cn=Directory Manager" --bindPasswordFile /oud/certs/pwdfile.txt --trustAll --no-prompt
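The script above writes the Directory Manager and keystore passwords with a plain echo into /installs/certs, a directory that was made world-writable earlier with chmod 777, so by default the files are readable by every local account. The script below is an added example, not part of the original runbook: it creates such password files with owner-only permissions, tightens a file that already existed with wider permissions, and provides a check that the files the dsconfig and oud-proxy-setup commands point to (--rootUserPasswordFile, --keyStorePasswordFile, --bindPasswordFile) are non-empty and mode 0600. The function names and the interactive usage are this example's own.

```shell
#!/bin/sh
# secret-files.sh (added example, not part of the runbook): create the
# password files read by oud-proxy-setup/dsconfig with owner-only permissions
# and verify them.

# write_secret_file <path> <secret>
# Writes <secret> plus newline to <path>. umask runs in a subshell so the
# file is rw------- from the moment it is created without changing the
# caller's umask; chmod afterwards covers a pre-existing, wider file.
write_secret_file() {
    path=$1; secret=$2
    ( umask 077; printf '%s\n' "$secret" > "$path" ) || return 1
    chmod 600 "$path"
}

# file_mode <path>: symbolic mode as printed by ls, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_secret_file <path>: 0 when <path> is a regular, non-empty file that
# only its owner can read or write; prints the reason otherwise.
check_secret_file() {
    path=$1
    [ -f "$path" ] || { echo "FAIL $path: not a regular file"; return 1; }
    mode=$(file_mode "$path")
    [ "$mode" = "-rw-------" ] || {
        echo "FAIL $path: mode $mode (expected -rw-------)"; return 1; }
    [ -s "$path" ] || { echo "FAIL $path: empty"; return 1; }
    echo "ok   $path ($mode)"
}

# Usage (as the oud user): ./secret-files.sh <dir>
# Prompts for both passwords with echo off and writes <dir>/pwdfile.txt and
# <dir>/certPW.txt, the file names the runbook uses; nothing is passed on a
# command line where ps could show it.
if [ -n "${1:-}" ]; then
    dir=$1
    printf 'Directory Manager password: '; stty -echo; read -r dspw; stty echo; echo
    printf 'Keystore password: ';          stty -echo; read -r kspw; stty echo; echo
    write_secret_file "$dir/pwdfile.txt" "$dspw" && check_secret_file "$dir/pwdfile.txt"
    write_secret_file "$dir/certPW.txt"  "$kspw" && check_secret_file "$dir/certPW.txt"
fi
```

Run check_secret_file against both files before every dsconfig invocation that uses -j or --bindPasswordFile; the directory itself should be owned by oud and not be world-writable, which is the opposite of what chmod 777 /installs leaves behind.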
Appendix B – keytool and certificates
keytool -genkeypair -alias ldproxy1 -keyalg rsa -keysize 2048 -validity 3560 -dname "cn=ldproxy1.domain.com" -keystore /var/tmp/ldproxy1.jks -storetype JKS
keytool -list -keystore /var/tmp/ldproxy1.jks -storepass password -storetype JKS -alias ldproxy1 -v
scp /var/tmp/ldproxy1.jks oud@ldproxy1:/installs/.
# Export the ODSEE server certificate in PKCS#12 format
dsadm export-cert -o /tmp/ldap1.p12 /ldap1/ldap_inst1/ldap/ defaultCert
# Save the certificate in a Java key store
keytool -importkeystore -srckeystore ldap1.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ldap1.jks
# To verify the key store
keytool -list -keystore ldap1.jks -v
# Note: To convert a CA certificate and key to PKCS#12
openssl pkcs12 -export -out cacert.pfx -inkey cakey.pem -in cacert.pem -certfile cacert.pem
# To import into the key store under a different alias
keytool -importkeystore -srckeystore ldap1.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ldap1.jks -srcalias defaultcert -destalias ldap1
Appendix C – ssltap
To capture SSL traffic between a client and the proxy (ssltap listens on 1636 and forwards to the server on 1637)
ssltap -p 1636 -vhfsxl ldproxy1.domain.com:1637 > /tmp/eli-out
References
keytool reference
SL SASL ldapsearch examples
Oracle Unified Directory Configuration Reference