{"id":84,"date":"2016-01-09T15:09:11","date_gmt":"2016-01-09T15:09:11","guid":{"rendered":"https:\/\/www.spotonoracle.com\/?p=84"},"modified":"2016-05-10T15:14:09","modified_gmt":"2016-05-10T15:14:09","slug":"enterprise-user-security-part-2","status":"publish","type":"post","link":"https:\/\/www.spotonoracle.com\/?p=84","title":{"rendered":"Enterprise User Security – Part 2"},"content":{"rendered":"

By now<\/a>, you should have all the sources ready to start installing.<\/p>\n

As OUD is a pure Java application we first install the JDK (run this as the root user).<\/p>\n

Install JDK<\/strong><\/p>\n

\r\nmkdir \/tmp\/tmpjava\r\nunzip p13079846_17000_Linux-x86-64.zip -d \/tmp\/tmpjava\r\n\r\nrpm -Uhv \/tmp\/tmpjava\/jdk-7u85-linux-x64.rpm\r\n\r\nrm -rf \/tmp\/tmpjava\r\n<\/pre>\n
As I’m an Oracle database guy I’m going to install OUD under the “oracle” user. Make sure to have the the JDK set in your installation user’s environment.<\/p>\n
\r\nvi ~\/.bash_profile\r\n\r\nexport JAVA_HOME=\/usr\/java\/jdk1.7.0_85\r\nexport PATH=${JAVA_HOME}\/bin:${PATH}\r\n<\/pre>\n
 
\nInstall OUD<\/strong><\/p>\n
Create the response file:<\/p>\n
\r\nvi \/tmp\/silent_oud.rsp\r\n\r\n[ENGINE]\r\nResponse File Version=1.0.0.0.0\r\n\r\n[GENERIC]\r\nSPECIFY_DOWNLOAD_LOCATION=false\r\nSKIP_SOFTWARE_UPDATES=true\r\nSOFTWARE_UPDATES_DOWNLOAD_LOCATION=\r\n# where the OUD software will be installed\r\nORACLE_HOME=\/u01\/app\/oracle\/product\/mdlw11119\/oud11123\r\nMIDDLEWARE_HOME=\/u01\/app\/oracle\/product\/mdlw11119\r\nCONFIG_WIZARD_RESPONSE_FILE_LOCATION=0\r\n\r\n[SYSTEM]\r\n[APPLICATIONS]\r\n[RELATIONSHIPS]\r\n<\/pre>\n
Feed the response file to the OUD installer:<\/p>\n
\r\nmkdir \/tmp\/tmpoud\r\nunzip V75929-01.zip -d \/tmp\/tmpoud\r\n\r\ncd \/tmp\/tmpoud\r\n.\/Disk1\/runInstaller -silent \\\r\n  -responseFile \/tmp\/silent_oud.rsp \\\r\n  -jreLoc \/usr\/java\/jdk1.7.0_85\r\n\r\nrm -rf \/tmp\/tmpoud\r\n<\/pre>\n
Done. OUD software is installed on your server.
\n 
\nPatch OUD<\/strong><\/p>\n
As mentioned in the previous blog post we need to patch OUD for Oracle 12c “eusm” utility to be able to connect.<\/p>\n
\r\nexport ORACLE_HOME=\/u01\/app\/oracle\/product\/mdlw11119\/oud11123\r\nexport PATH=${ORACLE_HOME}\/OPatch:${PATH}\r\n\r\nmkdir \/tmp\/oudpatch\r\nunzip p20529805_111230_Generic.zip -d \/tmp\/oudpatch\r\n\r\n# if patching a running OUD we need to stop it for patching\r\n# cd \/u01\/app\/oracle\/product\/mdlw11119\/asinst_1\/OUD\/bin\r\n# .\/stop-ds\r\n\r\ncd \/tmp\/oudpatch\/20529805\r\nopatch apply\r\n\r\nrm -r \/tmp\/oudpatch\/\r\n<\/pre>\n
 
\nConfigure OUD<\/strong><\/p>\n
By default, the instance created is MW_HOME\/asinst_1. By exporting following variable before calling oud-setup the instance name can be set:
\n# export INSTANCE_NAME=;<\/p>\n
\r\ncd \/u01\/app\/oracle\/product\/mdlw11119\/oud11123\r\n\r\n# we write the password of the directory root user into a file\r\n#   unfortunately, that's how the OUD tools work\r\n#   personally, I think this is one of the worst command line tool design\r\n_PWFILE_ADM_=\/tmp\/pwfile-adm.txt\r\necho "Complex-1-Password" > ${_PWFILE_ADM_}\r\n\r\n# create the OUD instance with default name asinst_1;\r\n.\/oud-setup --cli \\\r\n  --baseDN dc=spotonoracle,dc=com \\\r\n  --addBaseEntry \\\r\n  --integration eus \\\r\n  --ldapPort 1389 \\\r\n  --adminConnectorPort 4444 \\\r\n  --rootUserDN cn=diradmin \\\r\n  --rootUserPasswordFile ${_PWFILE_ADM_} \\\r\n  --enableStartTLS \\\r\n  --ldapsPort 1636 \\\r\n  --generateSelfSignedCertificate \\\r\n  --hostname $(hostname) \\\r\n  --no-prompt --noPropertiesFile\r\n\r\n# delete the password file\r\nrm ${_PWFILE_ADM_}\r\n<\/pre>\n
Check the status of the OUD instance.<\/p>\n
\r\n\/u01\/app\/oracle\/product\/mdlw11119\/asinst_1\/OUD\/bin\/status\r\n<\/pre>\n
 
\nWhy exactly did we patch?<\/strong><\/p>\n
By default OUD only supports irreversible hashing algorithms for the root user password policy. The patch allows us to configure AES as an additional method.<\/p>\n
\r\n_PWFILE_ADM_=\/tmp\/pwfile-adm.txt\r\necho "Complex-1-Password" > ${_PWFILE_ADM_}\r\n\r\ncd \/u01\/app\/oracle\/product\/mdlw11119\/asinst_1\/OUD\/bin\r\n\r\n# check what's currently configured\r\n.\/dsconfig -h $(hostname) -p 4444 -D "cn=diradmin" \\\r\n  --bindPasswordFile ${_PWFILE_ADM_} \\\r\n  get-password-policy-prop --policy-name "Root Password Policy" \\\r\n  --no-prompt \\\r\n  --trustAll\r\n# shoud be SHA-512\r\n\r\n# add AES as additional algorithm\r\n.\/dsconfig -h $(hostname) -p 4444 -D "cn=diradmin" \\\r\n  --bindPasswordFile ${_PWFILE_ADM_} \\\r\n  set-password-policy-prop --policy-name "Root Password Policy" \\\r\n    --add default-password-storage-scheme:AES \\\r\n  --no-prompt \\\r\n  --trustAll\r\n\r\n# always delete the password file\r\nrm ${_PWFILE_ADM_}\r\n<\/pre>\n
As it happens the password was hashed using SHA-512 during the installation. We must change the password in order to make OUD hashing the password using the AES algorithm. Let’s change the password back and forth.<\/p>\n
\r\ncd \/u01\/app\/oracle\/product\/mdlw11119\/asinst_1\/OUD\/bin\r\n_PWFILE_ADM_=\/tmp\/pwfile-adm.txt\r\n\r\n# change the password to some temporary value\r\necho "Complex-1-Password" > ${_PWFILE_ADM_}\r\n.\/ldappasswordmodify -h $(hostname) -p 4444 -D "cn=diradmin" \\\r\n  -j ${_PWFILE_ADM_} \\\r\n  --useSSL \\\r\n  --trustAll \\\r\n  -c Complex-1-Password \\\r\n  -n Temp-1-Password\r\n\r\n# change it back to the original value\r\necho "Temp-1-Password" > ${_PWFILE_ADM_}\r\n.\/ldappasswordmodify -h $(hostname) -p 4444 -D "cn=diradmin" \\\r\n  -j ${_PWFILE_ADM_} \\\r\n  --useSSL \\\r\n  --trustAll \\\r\n  -c Temp-1-Password \\\r\n  -n Complex-1-Password\r\n\r\n# verify that AES was used as well as SHA-512\r\necho "Complex-1-Passowrd" > ${_PWFILE_ADM_}\r\n.\/ldapsearch -h $(hostname) -p 4444 -D "cn=diradmin" \\\r\n  --useSSL \\\r\n  --trustAll \\\r\n  -j ${_PWFILE_ADM_} \\\r\n  -b "cn=Directory Manager,cn=Root DNs,cn=config" \\\r\n  -s base objectclass=* userpassword\r\n# should show 2 lines output: one with SHA-512, one with AES\r\n\r\n# never forget to delete the password file\r\nrm ${_PWFILE_ADM_}\r\n<\/pre>\n
 
\nYour OUD instance is ready for use with Enterpise User Security.
\nNext, I’m going to show how to install ODSM so you easily browse and configure the directory in your web browser.<\/p>\n
Start and stop the OUD service<\/strong><\/p>\n
\r\ncd \/u01\/app\/oracle\/product\/mdlw11119\/asinst_1\/OUD\/bin\r\n\r\n# start OUD\r\n.\/start-ds\r\n\r\n# stop OUD\r\n.\/stop-ds\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
By now, you should have all the sources ready to start installing. As OUD is a pure Java application we first install the JDK (run this as the root user). Install JDK mkdir \/tmp\/tmpjava unzip p13079846_17000_Linux-x86-64.zip -d \/tmp\/tmpjava rpm -Uhv \/tmp\/tmpjava\/jdk-7u85-linux-x64.rpm rm -rf \/tmp\/tmpjava As I’m an Oracle database guy I’m going to install OUD […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,7],"tags":[],"class_list":["post-84","post","type-post","status-publish","format-standard","hentry","category-eus","category-oud"],"_links":{"self":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/84","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=84"}],"version-history":[{"count":3,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/84\/revisions"}],"predecessor-version":[{"id":87,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/84\/revisions\/87"}],"wp:attachment":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}