Presentation Notes
Mark Luszczynski Arch Coal, Inc.
1 Purpose and Scope (p. 2)
1.1 High level overview of steps (p. 2)
2 Why a global naming system (p. 3)
3 Linux Server Requirements (p. 4)
3.1 Linux VM settings (p. 4)
3.2 Disable selinux (p. 4)
3.3 Firewall issues (iptables) (p. 4)
3.4 Kernel parameters (p. 5)
3.5 Create database to hold OID data (p. 5)
4 Download the OID software (p. 6)
5 OID Installation (p. 7)
5.1 Getting started screens (p. 7)
5.2 Software options (p. 9)
5.3 Start the install (p. 14)
5.4 Enable anonymous binds (p. 15)
6 Manage Service Names (p. 16)
6.1 sqlnet.ora change (p. 16)
6.2 ldap.ora (p. 16)
6.3 Net Manager (p. 17)
6.3.1 Load OID from tnsnames.ora (p. 18)
6.3.2 Adding a Service Name (p. 18)
6.4 Proving that it's working (p. 22)
7 OID Process control (p. 23)
7.1 Environment variables (p. 23)
7.2 OID Management (p. 23)
8 Patch to 11.1.1.6 (p. 24)
8.1 Finding the patchset (p. 24)
8.2 Applying the software patch (p. 25)
8.3 Applying the database schema patch (p. 29)
9 Adding Nodes (p. 30)
9.1 Set up additional node (p. 30)
9.2 Configure replication (p. 30)
9.2.1 Set your environment (p. 30)
9.2.2 Remtool on first node (p. 30)
9.2.3 Seed the 2nd node (p. 31)
9.3 Start replication on both nodes (p. 31)
9.4 Confirming replication (p. 32)
10 Miscellaneous Topics (p. 33)
10.1 Auto stop/start for linux (p. 33)
10.2 Using Round Robin DNS (p. 34)
10.3 Manually adding ldap entries (p. 35)
10.4 View all ldap tns entries (p. 35)
10.5 Moving the OID database (p. 37)
The goal is to use Oracle Internet Directory for a centralized naming authority for oracle service names. This document describes, in detail, the steps for the different tasks associated with installing Oracle Internet Directory in a stand-alone configuration without the full Fusion Middleware install. The idea behind this document is to reduce all the pertinent information regarding the install steps into one document to produce a repeatable procedure. The focus is on the steps required to accomplish this objective and not on all the other features and theory of Oracle Identity Management. If you are planning to use Oracle Identity Management for Single Sign-on and the like, do not use this procedure.
OID Installation
Mark Luszczynski
Managing anything centrally is always a benefit in a fast-changing environment with many configurable end points. In the oracle world, tnsnames.ora files have been around for a long time. As installation sizes grow, it can become very cumbersome to maintain dozens if not hundreds of tnsnames.ora files that sit on individual servers and desktops.

The tnsnames.ora file is logically equivalent to an /etc/hosts file on unix or c:\Windows\System32\drivers\etc on windows. Normally for an IP connection the address or url is converted to an IP address by querying a central DNS server. Think of a DNS server as a master /etc/hosts that everybody can access. Your local hosts file would only be used if you wanted to create your own alias for an IP address that is not registered in your company's DNS.

For many years, the oracle client has been able to leverage aliases in the DNS. This is known as the host naming method. This works very well if you can live with all the default sqlnet settings: all databases must listen on port 1521, and so on. It is not useful for failover/standby configurations. To resolve a database name via a DNS alias, simply have the DNS administrator add a CNAME alias record for the database name. This cname entry must point to the hosting server for the database, e.g.:

mydb.com CNAME myhost.com

You will also need to make sure that every client's sqlnet.ora file contains a names.directory_path=(hostname,..) line.

Oracle Corp created Oracle Names several years ago as a central naming service. This was replaced with Oracle Internet Directory. Oracle Internet Directory is an ldap server that logically functions as the directory for oracle tns information. (It is capable of much more, but that is beyond the scope of this presentation.) Unlike the host naming method, OID does allow for tns entries with all the optional settings such as failover and load balancing.
After the first Oracle Internet Directory node is created, you will want to have one or more additional OID nodes to provide redundancy. Setting this up is also discussed in this document. Oracle also offers a methodology for leveraging an existing Microsoft Active Directory (AD) as the naming authority. This approach is not considered in this presentation.
This presentation focuses on using Redhat Linux as the o/s. The procedure should be the same if you choose to use Oracle Enterprise Linux or Centos. OID is not certified against any version of Linux 6 as of this writing. We were unable to use Oracle Enterprise Linux as vmware and OEL 5 do not get along. Oracle says it's vmware's problem; Vmware says a patch is due in May 2012. We did not wish to wait, so we proceeded with Redhat 5.7.
The linux o/s software is installed in the usual fashion. You will later probably need to download additional packages required by OID and the database software.
After making changes to this file, the easiest thing to do is reboot. This will be a good test to verify that the firewall and selinux changes stick after reboot. (Linux kernel parameters can also be modified dynamically if you really don't want to reboot.)
Now we are ready to download the software. Downloading the exact correct software isn't as easy as it sounds. The software is available on technet.oracle.com. Go to this link and click through the download as usual:
http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html
Here is where the first opportunity to waste time comes in. When the software page appears, one might be led to believe that the most current Identity Management listing is the software to download. However, if you attempt to install OID using Identity Management 11.1.1.3 you will be told by the installer that this is a patchset.
The correct base software to download is further down the page in the Earlier Identity and Access Management section.
After the installation, there is a software patch to apply as well. This will be described in a later step.
OID Installation
After unzipping etc., change to the Disk1 directory, which contains runInstaller for OID. Then type the command:
./runInstaller
The Oracle documentation used in this section is the Oracle FMW Installation Guide for Oracle Identity Management: http://docs.oracle.com/cd/E12839_01/install.1111/e12002/oid.htm
Step 3 is the Prerequisites Check. At this point, you may need to install additional linux packages.
The installer will tell you which required linux packages are missing. Consult with your linux administrator on installing the needed packages. If you have root access yourself, you can either use the gui system-config-packages or the command line yum to install the oracle required packages. Yum example:
yum install gcc-c++.x86_64
Kernel parameters should have already been addressed in section 3.4.
Select Configure Without a Domain as we are installing OID without the FMW framework.
Step 5 will prompt you for software locations and the oracle instance name. In this context, oracle instance refers to the software instance, not a database.
You will probably want to change the default locations presented by the installer. Although not required, we have placed the Oracle Instance ( OID instance that is ) inside the middleware home. We left the instance name at the default of asinst_1.
The Step 7 screen is probably the most important one. This is where you are going to tell the installer that we are installing OID only.
Make sure your selection matches the above before continuing. Oracle Internet Directory must be the only item with a check mark.
Step 9 prompts for details about the database that you created earlier. In this example, database oradba4 was created on server oidsrv1.
At this point, the install is prompting for a DBA account signon ( not the ODS schema ). You will be prompted for that later.
If you are using a database newer than 11.1, you get this puzzling message. It can be ignored.
Step 10 prompts for the passwords for the database schemas required for OID.
The ODS schema will contain the data for Oracle Internet Directory. This password will be needed for maintenance operations. Be sure to make a record of it. The ODSSM schema apparently is not used in a stand-alone OID installation. I have not needed the password to date.
On this screen, you set the default realm for your OID. The Administrator User Name will be the signon used to maintain your Oracle Internet Directory service name information. This will be the password you use most. For example, you will need it when using Net Manager to modify the tns data that is stored in your directory.
Run the script as indicated, then click on OK. The install will now continue through several more steps.
After the installation is complete the status screen should look similar to the following:
The software install is now complete. Your Oracle Internet Directory processes should be up and running. You can go ahead and exit the installer.
Now that you have installed Oracle Internet Directory, you are naturally interested to see if it actually works. The easiest way to do this is from your desktop. If you installed a full sqlnet client, then you should already have the Net Manager in the menu. However, you must first make some configuration changes in your PC's network/admin directory so that it will look at the ldap directory. In a typical install, the admin directory is in <something>\product\11.2.0\client_1\network\admin. Make a note of these changes, as they will also need to be done once on each desktop or server when you are ready to fully deploy OID to your enterprise.
6.2 ldap.ora
You will also need an ldap.ora file in the same directory. This file tells the oracle client which type of ldap directory is being used as well as the list of servers to query. In the example below, there are two ldap servers listed.
DIRECTORY_SERVERS=( oidsrv1:3060:3131, oidsrv2:3060:3131 )
DEFAULT_ADMIN_CONTEXT = "dc=aci,dc=corp,dc=net"
DIRECTORY_SERVER_TYPE = OID
Note that the DEFAULT_ADMIN_CONTEXT must match the Realm that you entered during Step 11 of the OID install. Unfortunately, at this time, the list of ldap servers is processed sequentially. This means that if you distribute this ldap.ora to all clients, everybody will hit oidsrv1. The second server will only see traffic if oidsrv1 is down. It would be nice if the oracle client had an option to pick one at random for pseudo load-balancing. Currently tns entries allow this sort of load-balancing. I have filed an enhancement SR for this feature in ldap.ora.
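To make the two points above checkable before the file is pushed to every desktop, here is an added example (not code from the presentation) that parses an ldap.ora of this shape, confirms DEFAULT_ADMIN_CONTEXT matches the realm entered at install time, and models the sequential server selection just described. The file content and realm are constructed from the values in this section; is_up is an assumed probe supplied by the caller.

```python
"""Parse and sanity-check an ldap.ora file in the form shown above, and model
the oracle client's sequential DIRECTORY_SERVERS lookup.  Added example, not
code from the presentation; the file content and realm are constructed."""

# Constructed sample, same shape as the ldap.ora shown in section 6.2.
SAMPLE_LDAP_ORA = """\
DIRECTORY_SERVERS=( oidsrv1:3060:3131, oidsrv2:3060:3131 )
DEFAULT_ADMIN_CONTEXT = "dc=aci,dc=corp,dc=net"
DIRECTORY_SERVER_TYPE = OID
"""


def parse_ldap_ora(text):
    """Return a dict with the server list as (host, port, ssl_port) tuples,
    the DEFAULT_ADMIN_CONTEXT and the DIRECTORY_SERVER_TYPE."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip().strip('"')
    servers = []
    raw = params.get("DIRECTORY_SERVERS", "").strip("() ")
    for item in filter(None, (s.strip() for s in raw.split(","))):
        parts = item.split(":")
        host = parts[0]
        port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        ssl_port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else None
        servers.append((host, port, ssl_port))
    return {"servers": servers,
            "admin_context": params.get("DEFAULT_ADMIN_CONTEXT"),
            "type": params.get("DIRECTORY_SERVER_TYPE")}


def check_ldap_ora(cfg, expected_realm):
    """Return a list of findings; an empty list means the file is consistent
    with the realm entered during the OID install."""
    findings = []
    if cfg["type"] != "OID":
        findings.append("DIRECTORY_SERVER_TYPE should be OID")
    if (cfg["admin_context"] or "").lower() != expected_realm.lower():
        findings.append("DEFAULT_ADMIN_CONTEXT does not match the install realm")
    if not cfg["servers"]:
        findings.append("no DIRECTORY_SERVERS listed")
    elif len(cfg["servers"]) < 2:
        findings.append("only one directory server listed: no failover")
    for host, port, ssl_port in cfg["servers"]:
        if port is None:
            findings.append(f"{host}: LDAP port missing or not numeric")
        if ssl_port is None:
            findings.append(f"{host}: SSL port missing or not numeric")
    return findings


def resolve_order(cfg, is_up):
    """Model the behaviour described above: servers are tried in list order,
    so the second one only sees traffic when the first is down.  is_up(host)
    is a reachability probe supplied by the caller (no network used here)."""
    for host, port, _ in cfg["servers"]:
        if is_up(host):
            return (host, port)
    return None


if __name__ == "__main__":
    cfg = parse_ldap_ora(SAMPLE_LDAP_ORA)
    print(cfg["servers"], check_ldap_ora(cfg, "dc=aci,dc=corp,dc=net"))
    print("used when all up:", resolve_order(cfg, lambda h: True))
    print("used when oidsrv1 down:", resolve_order(cfg, lambda h: h != "oidsrv1"))
```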
Click on the + next to Directory, then click on the + next to Service Naming. Now you will be prompted for the ldap signon. This will be the same credentials you entered during Step 11 of the install. Service name entries can be added either manually, or by loading in an existing tnsnames.ora file.
To load a tnsnames.ora file into OID, you use what Net Manager calls Export. A little confusing at first. Select Command from the menu, then Directory, then Export Net Service Names.
Although not immediately obvious you must first select Service Naming and then press the green + to start the process of adding an ldap service name entry.
Now you will be prompted for the details regarding your service. You will recognize that these are the same elements that would comprise a corresponding tnsnames.ora entry.
Screenshot annotations, giving each Net Manager field and its tnsnames.ora equivalent:
Equivalent to: mark1=
Equivalent to: (PROTOCOL=TCP)
Equivalent to: (HOST=devdb1)(PORT=1521)
Equivalent to: (SERVICE_NAME=fred1)
Here is an example of a service name with failover. Notice that there are multiple Address tabs.
If you see Used LDAP Adapter then your OID resolution is working. See section 10.4 if you want to see your entries in ldap form.
When the installer finished, it started the OID processes. Of course, there will come a time when you need to shut these down for patches or whatever. There are several basic commands that stop and start the OID stack.
PATH=${ORACLE_HOME}/bin:${ORACLE_HOME}/ldap/bin:${ORACLE_INSTANCE}/bin:${PATH};export PATH
These variable settings must match the entries you made during Step 5 of the install. By adding the paths for each of the bin directories, you can save some typing. Most of the examples presented in this document rely on this script having been run.
opmnctl startall   -- starts all components ( including replication once it's set up )
opmnctl stopall    -- stops all components ( including replication once it's set up )
opmnctl status     -- reports status of OID components except for replication
We haven't installed replication yet, but to view the status of replication there is a separate command.
oidctl connect=OIDDB server=oidrepld instance=1 componentname=oid1 status
These commands have lots of other options but these are the ones needed for basic management. See section 10.1 for information on having OID start and stop on server bootup and shutdown.
Patch to 11.1.1.6
The base version has a more recent patchset available. As of this writing, it is Version 11.1.1.6. There are two parts: an upgrade for the OID software as well as one for the ODS database schema.
Mouse over Oracle Fusion Middleware and navigate to your platform and select the second 11.1.1.6
A list of Fusion Middleware components appears. We are interested in the patch for Oracle Identity Management:
Change to the directory containing the unzipped patchset, cd to Disk1 and run the runInstaller utility.
The prerequisites are checked again. There should not be any surprises here. Click Next to continue.
IMPORTANT: Notice that the installer does not know where your current middleware home is. You need to retype the correct home. You entered this in Step 5 of the original install. Two confirmation screens appear.
As with other installs, you are presented with the pre-install summary.
After running the script, return to the installer and click OK, then Finish.
You can either use psa in GUI mode, or more simply give it a response file to use. NOTE: if you use the command line and a response file, psa still expects to see an X server even though it does not produce any graphical output (kind of reminds one of the old days when the oracle installer used to need this for silent installs). Create a response file, such as /tmp/psa_1116.rsp, containing these lines:

[GENERAL]
fileFormatVersion = 3
[OID.OID11]
pluginInstance = 2
OID.databaseType = Oracle Database
OID.schemaUserName = ODS
OID.dbaUserName = sys as sysdba
OID.databaseConnectionString = oidsrv1:1521/oradba4
OID.cleartextDbaPassword = yoursyspassword

The databaseConnectionString is specified using the so-called ezconnect syntax: //dbhost:port/dbname. The host name of the database must be specified after the //; the database name containing the ODS schema is specified after the slash. If you are using a listener port other than 1521, that will need to be changed as well. Since the file holds the SYS password in clear text, keep it readable only by the oracle account and remove it once psa has completed. To run psa with the response file, simply issue:
$ORACLE_HOME/bin/psa -response /tmp/psa_1116.rsp
Adding Nodes
To add high availability and redundancy to our Oracle Internet Directory deployment, we need to add one or more additional nodes. These nodes will replicate amongst each other once everything is set up.
In this scenario, we have successfully installed OID on server oidserver1. This OID instance uses the database oradba1 as its backend database. Now we want to set up multi-master replication to the second node we just built. This is oidserver2 using database oradba2.
<Output suppressed>
Enter
Enter
Enter
Enter consumer directory details:
hostname of host running OID server : oidserver2
port on which OID server is listening : 3060
replication dn password : <ODS password of 2nd node>
Enter replica type [1 - LDAP read-only replica; 2 - LDAP updateable replica; 3 - LDAP multimaster replica] : 3
<Output suppressed>
List of available naming contexts in supplier replica ldap://orasrv02:3060
1. * [replicate whole directory]
Enter naming context [Enter "e" to end selection] : *        ( type *, not 1 )
Enter naming context [Enter "e" to end selection] : e
Following naming contexts will be included for replication:
-----------------------------------------------------------------------------
1. *
Do you want to continue? [y/n] : y
-----------------------------------------------------------------------------
Selected naming contexts have been included for replication.
-----------------------------------------------------------------------------
( Notice that the orclreplicaid is comprised of the hostname and the database name of the second OID instance. ) Then apply this file to the second node:
ldapmodify -p 3060 -D cn=orcladmin -w <ODS password of 2nd node> \
  -f /tmp/seed.ldif
Note: You won't usually need to start the replication this way. From now on, when you issue opmnctl startall, it will also start the replication. Note: OIDDB refers to a service name entry which exists in OID's own tnsnames.ora file. It is an alias for the database that you created. When the second node is in sync, you will see an entry in its oidrepld.log like the following:
"[2011-10-26T04:37:52+00:00] [OID] [NOTIFICATION:16] [] [OIDREPLD] [host: oidserver2t] [pid: 27563] [tid: 1] Reader(Transport):: gslrbsbBootStrap: BOOTSTRAP DONE SUCCESSFULLY"
You can query the status of replication on a node with the following:
oidctl connect=OIDDB server=oidrepld instance=1 componentname=oid1 status
As far as I know, this is the only way to query the status of replication. If you need to stop only the replication, you can use this command to stop the replication component on a given host.
oidctl connect=OIDDB server=oidrepld instance=1 componentname=oid1 \
  flags="host=oidserver2 port=3060" stop
#!/bin/bash
# oid: start/stop the listener, the OID database and the OPMN-managed OID stack
# Installed as /etc/init.d/oid so chkconfig can manage it; the header below is
# what chkconfig reads for run levels and start/stop priorities.
# chkconfig: 2345 99 10
# description: Oracle Internet Directory
# ". setoidenv" sources the environment script from section 7.1.

prog=oid
RETVAL=0

start () {
    echo -n $"Starting Oracle Internet Directory: "
    su - oracle -c "lsnrctl start"
    su - oracle -c "dbstart"
    su - oracle -c ". setoidenv ; opmnctl startall"
    RETVAL=$?
    return $RETVAL
}

stop () {
    # stop daemon: OID stack first, then the database it depends on
    echo -n $"Stopping Oracle Internet Directory: "
    su - oracle -c ". setoidenv; opmnctl stopall"
    su - oracle -c "dbshut"
    RETVAL=$?
    return $RETVAL
}

status () {
    # opmnctl does not report the replication component, so ask oidctl too
    echo -n $"Querying Oracle Internet Directory: "
    su - oracle -c ". setoidenv; opmnctl status ; oidctl connect=OIDDB server=oidrepld instance=1 componentname=oid1 status"
    RETVAL=$?
    return $RETVAL
}

restart() {
    stop
    start
}

case $1 in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    status)
        status
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|status}"
        exit 3
esac
exit $RETVAL
Use the chkconfig command to have this script included in startups and shutdowns:
/sbin/chkconfig --level 2345 oid on
www.diapers.com
----------------------------------------
Record Name . . . . . : www.diapers.com
Record Type . . . . . : 1
Time To Live . . . . : 240
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 72.22.187.68

Record Name . . . . . : www.diapers.com
Record Type . . . . . : 1
Time To Live . . . . : 240
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 75.98.67.132
The one drawback with this method is that while it gives you good pseudo load balancing, failing over to another address in the list could take as long as the Time To Live setting. The TTL setting tells your dns client how often it needs to go back to the DNS server to refresh the info regarding this entry.
The actual DNS entry for your oid might look like this:
oid.archcoal.com 300 IN A 10.10.10.1
oid.archcoal.com 300 IN A 10.10.10.2
To add this new service name "mydb" to OID, use the "ldapadd" command:
ldapadd -D "cn=orcladmin" -w <password> \
  -h oidsrv1 -p 389 -v -f /tmp/addnew.ldif
The server name is the hostname of the OID server. The password needed is the password for cn=orcladmin. The -b option needs to include your default realm. This produces output like:
cn=ORADBA2,cn=OracleContext,dc=aci,dc=corp,dc=net
objectclass=top
objectclass=orclNetService
cn=ORADBA2
orclnetdescstring=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=acioem)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=ORADBA2)))
orclnetdescname=000:cn=DESCRIPTION_0

cn=PRDWHSE1,cn=OracleContext,dc=aci,dc=corp,dc=net
objectclass=top
objectclass=orclNetService
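The reverse of the Net Manager mapping in section 6.3.2, as an added example that is not the presentation's code: it reads ldapsearch output of the form above, keeps only orclNetService entries with a well-formed descriptor, writes them back out as tnsnames.ora entries, and lists each entry's host/port pairs so a directory can be reviewed for unexpected hosts. The LDIF is constructed after the output above; the second entry is given a two-address failover descriptor like the one in section 6.3.2.

```python
"""Turn orclNetService entries from an ldapsearch of OID (the output format
shown above) back into tnsnames.ora entries and pull out each entry's
host/port list for review.  Added example, not from the presentation; the
LDIF below is constructed after the output in section 10.4."""
import re

# Constructed sample: one single-address entry and one failover entry.
SAMPLE_LDIF = """\
cn=ORADBA2,cn=OracleContext,dc=aci,dc=corp,dc=net
objectclass=top
objectclass=orclNetService
cn=ORADBA2
orclnetdescstring=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=acioem)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=ORADBA2)))
orclnetdescname=000:cn=DESCRIPTION_0

cn=PRDWHSE1,cn=OracleContext,dc=aci,dc=corp,dc=net
objectclass=top
objectclass=orclNetService
cn=PRDWHSE1
orclnetdescstring=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=devdb1)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=devdb2)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=fred1)))
orclnetdescname=000:cn=DESCRIPTION_0
"""


def parse_entries(ldif_text):
    """Split attr=value output into one dict per entry; the first line of each
    block is the DN, repeated attributes (objectclass) become lists."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = block.splitlines()
        attrs = {"dn": [lines[0].strip()]}
        for line in lines[1:]:
            key, sep, value = line.partition("=")
            if sep:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries


def balanced(desc):
    """True if the parentheses of a connect descriptor are balanced."""
    depth = 0
    for ch in desc:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def net_services(entries):
    """Return {alias: descriptor} for orclNetService entries, skipping any
    whose descriptor is missing or malformed."""
    out = {}
    for e in entries:
        if "orclnetservice" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        desc = e.get("orclnetdescstring", [""])[0]
        if e.get("cn") and desc and balanced(desc):
            out[e["cn"][0]] = desc
    return out


def addresses(desc):
    """Extract (host, port) pairs and the SERVICE_NAME from a descriptor.
    Assumes (HOST=..)(PORT=..) appear in that order, as in the output above."""
    hosts = re.findall(r"\(HOST=([^)]+)\)\(PORT=(\d+)\)", desc, flags=re.I)
    svc = re.search(r"\(SERVICE_NAME=([^)]+)\)", desc, flags=re.I)
    return [(h, int(p)) for h, p in hosts], (svc.group(1) if svc else None)


def to_tnsnames(services):
    """Render the entries as tnsnames.ora text, one alias per line."""
    return "".join(f"{cn}={desc}\n" for cn, desc in sorted(services.items()))


if __name__ == "__main__":
    svc = net_services(parse_entries(SAMPLE_LDIF))
    print(to_tnsnames(svc))
    for alias, desc in svc.items():
        print(alias, addresses(desc))
```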