Managing Net Service Names in Oracle Internet Directory


by Vincent Chan

Learn how to use Oracle Internet Directory to resolve net service names.

Published August 2006

Ever experience the frustration of managing several copies of the tnsnames file on servers or desktops, or coordinating the distribution of the file to all your corporate users only to realize later that an incorrect file was distributed? These hassles can easily be avoided with centralized name services. Oracle Internet Directory (OID) is Oracle’s solution to centrally store and manage net service names. Oracle Internet Directory 10g is an implementation of the Lightweight Directory Access Protocol (LDAP) v3 directory service, used for querying and modifying any directory-like entities, such as people, organizations, printers, or database service names. OID, a component of Oracle Identity Management 10g (10.1.4.0.1), is a specialized hierarchical database ideal for storing read-intensive entries that rarely change. It delivers the best of both worlds by having the scalability, performance, and availability of an Oracle 10g database and the extensibility and flexibility of an LDAP directory service.

OID has many uses. Database service name resolution is just one of its many features. This article aims to familiarize you with setting up, configuring, and using OID as a centralized repository for storing Oracle’s net service names on Red Hat Enterprise Linux 4 (RHEL 4). I will also walk through the setup of a replica OID using two-way LDAP-based replication to eliminate a single point of failure. Two-way LDAP-based replication propagates changes between sponsor and consumer replicas.

Overview

This guide is structured in the following steps:

  1. Introduction
  2. Install the OID sponsor replica node
  3. Install the OID consumer replica node
  4. Create the LDAP user
  5. Create service names on the sponsor node
  6. Configure the client
  7. Test OID failover capability
  8. Conclusion

Below is an overview of the OID database environment:

Host Name   Database Name   AS Instance Name   Database Role
oidsrv1     asdb1           infra1             sponsor replica
oidsrv2     asdb2           infra2             consumer replica

Introduction

Oracle Net Services names are stored hierarchically in an inverted tree–like structure called Directory Information Tree (DIT). Each service identifier and connect descriptor is an entry in the tree.

Service names are uniquely identified by Distinguished Names (DNs) in OID. For example, the DN entry for the service name nydb is

dn: cn=nydb, cn=OracleContext, dc=mycorpdomain, dc=com 

From the above DN entry for nydb, the root of the tree or the directory base DN is dc=com, and underneath that you have dc=mycorpdomain, cn=OracleContext, and cn=nydb. The connect descriptor information, which contains the network location of the service, is located beneath cn=nydb.

cn=OracleContext is a special entry used for Oracle Net Services-related entries to support directory naming. All Oracle Net Services entries fall under this special entry.
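To make the DIT layout described above concrete, here is a small DN walker, added as an example for this article and not part of OID or Oracle Net. It splits a DN into its RDNs (keeping backslash-escaped commas inside a value, as RFC 4514 allows), returns the parent entry, picks out the trailing dc= components that form the namespace chosen at install time, and checks whether an entry sits beneath a cn=OracleContext entry, which is the condition for Oracle Net directory naming to see it. The sample DN is the nydb entry from the text.

```python
# Added example (not from the article): walk the Directory Information Tree
# position of a net service name entry from its Distinguished Name.

def split_dn(dn):
    """Split a DN such as 'cn=nydb, cn=OracleContext, dc=mycorpdomain, dc=com'
    into (attribute, value) pairs, most specific RDN first. A comma escaped
    with a backslash (RFC 4514) stays inside the value instead of splitting."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep both chars
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def join_dn(pairs):
    return ",".join(f"{a}={v}" for a, v in pairs)

def parent_dn(dn):
    """The entry directly above this one in the tree."""
    return join_dn(split_dn(dn)[1:])

def dc_namespace(dn):
    """The trailing run of dc= components, i.e. the namespace the OID
    installer was given (dc=mycorpdomain,dc=com in the article)."""
    dcs = []
    for attr, value in reversed(split_dn(dn)):
        if attr != "dc":
            break
        dcs.append((attr, value))
    return join_dn(reversed(dcs))

def oracle_context_of(dn):
    """DN of the cn=OracleContext entry that contains this entry, or None when
    the entry is outside any Oracle Context (and so invisible to Oracle Net
    directory naming). Attribute values are compared case-insensitively."""
    pairs = split_dn(dn)
    for idx, (attr, value) in enumerate(pairs):
        if attr == "cn" and value.lower() == "oraclecontext":
            return join_dn(pairs[idx:])
    return None

NYDB_DN = "cn=nydb, cn=OracleContext, dc=mycorpdomain, dc=com"   # from the article
```

Running `oracle_context_of(NYDB_DN)` returns `cn=OracleContext,dc=mycorpdomain,dc=com`, while a user entry created directly under the namespace (for example `cn=vchan,dc=mycorpdomain,dc=com`) returns `None`, which is the quick way to tell why a service name entry placed outside the Oracle Context never resolves.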

Here are some of the attributes we will use in this guide:

Attribute      Description
cn             common name
dc             domain component
sn             surname
userpassword   password of the directory user

Install the OID Sponsor Replica Node

Install the Oracle Identity Management software on the sponsor node, oidsrv1. The installer installs the binaries and a preconfigured OID database and starts up the OID processes.

Edit the oracle user environment file

[oracle@oidsrv1 ~]$ more .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

export PATH=$PATH:$HOME/bin
export ORACLE_SID=asdb1
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/as10g
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$PATH
umask 022

Create the file system directory structure

[oracle@oidsrv1 ~]$ mkdir -p $ORACLE_HOME
[oracle@oidsrv1 ~]$ mkdir -p /u01/app/oracle/admin
[oracle@oidsrv1 ~]$ mkdir -p /u01/oradata

Install the Oracle Identity Management Software

Download the OID software from Oracle Technology Network (OTN).

[oracle@oidsrv1 ~]$ . ./.bash_profile 
[oracle@oidsrv1 ~]$ /staging/as10g/Disk1/runInstaller
  1. Welcome: Click Next.
  2. Specify file locations:
    a. Name: oracleas1
    b. Path: /u01/app/oracle/product/as10g
  3. Select a product to install:
    a. Select Oracle Application Server Infrastructure 10g.
  4. Select installation type:
    a. Select Identity Management and Metadata Repository.
  5. Perform product-specific prerequisite checks:
    a. Verify that all checks are successful before proceeding.
  6. Confirm preinstallation requirements:
    a. Select Root Privileges.
  7. Deselect all configuration options except Oracle Internet Directory.
  8. Specify port configuration options:
    a. Select Automatic.
  9. Specify namespace in Oracle Internet Directory:
    a. Select Suggested Namespace: dc=mycorpdomain, dc=com.
  10. Specify database configuration options:
    a. Global database name: asdb1.mycorpdomain.com
    b. SID: asdb1
    c. Select database character set: Unicode standard UTF-8 AL32UTF8.
    d. Specify database file location: /u01/oradata/
  11. Specify database schema passwords:
    a. Select Use the same password for all the accounts.
    b. Enter password: oracle
    c. Confirm password: oracle
  12. Specify instance name and ias_admin password:
    a. Instance Name: infra1
    b. ias_admin Password: ias_admin1
    c. Confirm password: ias_admin1
  13. Summary: Click Install.
  14. Execute /u01/app/oracle/product/as10g/root.sh script from another window as the root user.
  15. Setup privileges: Click OK after the root.sh script has run on the node.
  16. End of installation: Click Exit.

OID Processes

Process    Description
oidmon     OID monitor process
oidldapd   LDAP server / dispatcher
oidrepld   Oracle Directory Replication Server
odisrv     Oracle Directory Integration Server

[oracle@oidsrv1 ~]$ ps -ef | grep oidmon | grep -v grep
oracle 10786 1 0 09:03 ? 00:00:00 /u01/app/oracle/product/as10g/bin/oidmon
connect=asdb1 -opmnuid 1287913475 start

[oracle@oidsrv1 ~]$ ps -ef | grep oidldapd | grep -v grep
oracle 10792 1 0 09:03 ? 00:00:00 /u01/app/oracle/product/as10g/bin/oidldapd
connect=asdb1 -p 389 -i 1 -conf 0 -sport 636 -sslenable 2 key=706903885
oracle 10796 1 0 09:03 ? 00:00:24 oidldapd
connect=asdb1 control=10792 dispatcher=1 worker=2 debug=33554432 configset=0 instance=1 key=706903885 host=oidsrv1.mycorpdomain.com trcdimension=511 logchange=TRU

[oracle@oidsrv1 ~]$ ps -ef | grep odisrv | grep -v grep
oracle 10892 1 0 09:04 ? 00:00:00 /bin/sh /u01/app/oracle/product/as10g/bin/odisrv instance=1 configset=0 port=636 sslauth=1 host=oidsrv1.mycorpdomain.com

[oracle@oidsrv1 ~]$ ps -ef | grep oidrepld | grep -v grep
[oracle@oidsrv1 ~]$
We will start the replication server manually on oidsrv1 after setting up the replica on oidsrv2.

Verify OID Connectivity

Verify that you can bind to OID using the appropriate LDAP ports in your environment. The port numbers are located at /u01/app/oracle/product/as10g/install/portlist.ini. The ports used in this guide are 389 (non-SSL) and 636 (SSL).

[oracle@oidsrv1 ~]$ $ORACLE_HOME/bin/ldapbind -p 389 -h oidsrv1 -D cn=orcladmin -w ias_admin1
bind successful

Install the OID Consumer Replica Node

OID plays an important role in service names resolution. To ensure that OID is highly available, install a consumer replica node to provide continual service if the sponsor replica node should become unavailable.

Install the OID software on the replica node, oidsrv2. The installer installs the binaries and a preconfigured OID database, starts up the OID processes, and replicates the sponsor OID to the consumer OID.

Edit the oracle user environment file

[oracle@oidsrv2 ~]$ more .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

export PATH=$PATH:$HOME/bin
export ORACLE_SID=asdb2
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/as10g
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$PATH
umask 022

Create the file system directory structure

[oracle@oidsrv2 ~]$ mkdir -p $ORACLE_HOME
[oracle@oidsrv2 ~]$ mkdir -p /u01/app/oracle/admin
[oracle@oidsrv2 ~]$ mkdir -p /u01/oradata

Install the OID Software

Copy the OID software used earlier from oidsrv1.

[oracle@oidsrv2 ~]$ . ./.bash_profile 
[oracle@oidsrv2 ~]$ /staging/as10g/Disk1/runInstaller
  1. Welcome: Click Next.
  2. Specify file locations:
    a. Name: oracleas1
    b. Path: /u01/app/oracle/product/as10g
  3. Select a product to install:
    a. Select Oracle Application Server Infrastructure 10g.
  4. Select installation type:
    a. Select Identity Management and Metadata Repository.
  5. Perform product-specific prerequisite checks:
    a. Verify that all checks are successful before proceeding.
  6. Confirm preinstallation requirements:
    a. Select Root Privileges.
  7. Select configuration options:
    a. Select Oracle Internet Directory.
    b. Select Oracle Application Server Single Sign-On.
    c. Select Oracle Application Server Delegated Administration Service.
    d. Select Oracle Directory Integration Platform.
    e. Select High Availability and Replication.
  8. Specify port configuration options:
    a. Select Automatic.
  9. Select high availability or replication option:
    a. Select Replication.
  10. Select Oracle Internet Directory replication mode:
    a. Select Two-way LDAP replication.
  11. Specify Oracle Internet Directory master node:
    a. Hostname: oidsrv1.mycorpdomain.com
    b. Port: 636
    c. Select Use only SSL connections with this Oracle Internet Directory.
  12. Specify master Oracle Internet Directory login:
    a. Username: cn=orcladmin
    b. Password: ias_admin1
  13. Specify namespace in Oracle Internet Directory:
    a. Select Suggested Namespace: dc=mycorpdomain, dc=com.
  14. Specify database configuration options:
    a. Global database name: asdb2.mycorpdomain.com
    b. SID: asdb2
    c. Select database character set: Unicode standard UTF-8 AL32UTF8.
    d. Specify database file location: /u01/oradata/
  15. Specify database schema passwords:
    a. Select Use the same password for all the accounts.
    b. Enter password: oracle
    c. Confirm password: oracle
  16. Specify instance name and ias_admin password:
    a. Instance name: infra2
    b. ias_admin password: ias_admin2
    c. Confirm password: ias_admin2
  17. Summary: Click Install.
  18. Execute /u01/app/oracle/product/as10g/root.sh script from another window as the root user.
  19. Setup privileges: Click OK after the root.sh script has run on the node.
  20. End of installation: Click Exit.

OID Processes

[oracle@oidsrv2 ~]$ ps -ef | grep oidmon | grep -v grep
oracle 11078 1 0 10:58 ? 00:00:00 /u01/app/oracle/product/as10g/bin/oidmon
connect=asdb2 -opmnuid 1745158147 start

[oracle@oidsrv2 ~]$ ps -ef | grep oidldapd | grep -v grep
oracle 11086 1 0 10:58 ? 00:00:00 /u01/app/oracle/product/as10g/bin/oidldapd
connect=asdb2 -p 389 -i 1 -conf 0 -sport 636 -sslenable 2 key=726047326
oracle 11090 1 1 10:58 ? 00:00:18 oidldapd
connect=asdb2 control=11086 dispatcher=1 worker=2 debug=33554432 configset=0 instance=1 key=726047326 host=oidsrv2.mycorpdomain.com trcdimension=511 logchange=TRU

[oracle@oidsrv2 ~]$ ps -ef | grep oidrepld | grep -v grep
oracle 12995 1 0 11:05 ? 00:00:01 /u01/app/oracle/product/as10g/bin/oidrepld -h oidsrv2.mycorpdomain.com -p 636 -inst 1

[oracle@oidsrv2 ~]$ ps -ef | grep odisrv | grep -v grep
oracle 11198 1 0 11:00 ? 00:00:00 /bin/sh /u01/app/oracle/product/as10g/bin/odisrv instance=1 configset=0 port=636 sslauth=1 host=oidsrv2.mycorpdomain.com

Start the replication process manually on the sponsor node

[oracle@oidsrv1 ~]$ oidctl server=oidrepld connect=asdb1 instance=2 flags="-p 636 -h oidsrv1.mycorpdomain.com" start
NLS_LANG not set in environment
Setting NLS_LANG to AMERICAN_AMERICA.AL32UTF8
oidctl:Waiting for oidmon to start OIDREPLD (instance=2)
oidctl:Started OIDREPLD (instance=2) with PID : 29716 successfully

[oracle@oidsrv1 ~]$ ps -ef | grep oidrepl | grep -v grep
oracle 29716 1 2 11:35 ? 00:00:00 /u01/app/oracle/product/as10g/bin/oidrepld -p 636 -h oidsrv1.mycorpdomain.com -inst 2

Verify OID connectivity

Verify you can bind to OID using the appropriate LDAP ports in your environment. The port numbers are located at /u01/app/oracle/product/as10g/install/portlist.ini. The ports used in this guide are 389 (non-SSL) and 636 (SSL).

[oracle@oidsrv2 ~]$ $ORACLE_HOME/bin/ldapbind -p 389 -h oidsrv2 -D cn=orcladmin -w ias_admin2
bind successful

Create the LDAP user

The OID installation creates a default administrator user called orcladmin. You should create additional users to manage the Oracle Net Services entries using either the GUI Oracle Directory Manager (oidadmin) administration tool or the command-line utility (ldapadd). Each user created is a directory entry in OID.

Adding users using the LDAP command-line utility is simple. We will create two LDAP Data Interchange Format (LDIF) files:

  1. cruser.ldif—defines the structure of the directory user.
  2. addgrp.ldif—defines the user’s group (OracleNetAdmins).

An LDIF file is a standardized text file format used to describe changes to directory entries.

cruser.ldif
dn: cn=vchan,cn=OracleNetAdmins,cn=OracleContext,dc=mycorpdomain,dc=com
userpassword: vchan1
objectclass: person
sn: Chan

The first line in cruser.ldif is the DN of the user, and the rest of the lines specify the attributes. The object class, person, describes the DN entry and consists of one or more attributes such as userpassword and sn. sn is a mandatory attribute in the person object class.

addgrp.ldif
dn: cn=OracleNetAdmins,cn=OracleContext,dc=mycorpdomain,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=vchan,cn=OracleNetAdmins,cn=OracleContext,dc=mycorpdomain,dc=com

Create the directory user, and add the user to the OracleNetAdmins group:

[oracle@oidsrv1 ~]$ ldapadd -p 389 -h oidsrv1 -D cn=orcladmin -w ias_admin1 -f /tmp/cruser.ldif
adding new entry cn=vchan,cn=OracleNetAdmins,cn=OracleContext,dc=mycorpdomain,dc=com

[oracle@oidsrv1 ~]$ ldapmodify -p 389 -h oidsrv1 -D cn=orcladmin -w ias_admin1 -f /tmp/addgrp.ldif
modifying entry cn=OracleNetAdmins,cn=OracleContext,dc=mycorpdomain,dc=com

Create service names on the sponsor node

Net service name entries are easily created in OID using Oracle Net Manager (netmgr).

Import service names into OID

tnsnames.ora

DCDB =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = trout1)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = dcdb)
)
)

NYDB =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = trout2)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = nydb)
)
)

[oracle@oidsrv1 ~]$ netmgr
  1. Expand the Directory folder.
  2. Expand the Service Naming folder.
  3. Directory server authentication:
    a. User: cn=vchan,cn=oraclenetadmins,cn=oraclecontext,dc=mycorpdomain,dc=com
    b. Password: vchan1
  4. Click Command.
  5. Select Directory.
  6. Select Export Net Service Names.
  7. Directory server migration wizard: Introduction: Click Next.
  8. Select net service names:
    a. Select DCDB.
    b. Select NYDB.
  9. Select destination context:
    a. Directory naming context: <Directory Root>
    b. Oracle context: cn=OracleContext,dc=mycorpdomain,dc=com
  10. Directory server update: Click Finish.
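The Export Net Service Names wizard above does the conversion behind the scenes; the following is an added example, not code from the article or from Oracle Net Manager, of the same conversion done by hand. It parses tnsnames.ora aliases by walking the parentheses (so nested descriptors split across lines are handled) and emits one LDIF entry per alias under cn=OracleContext. The object class orclNetService and the attribute orclNetDescString are the Oracle Net schema names such an entry carries; the Oracle Context DN and the sample tnsnames.ora text are taken from the article.

```python
# Added example (not from the article): produce the LDIF for net service
# name entries from tnsnames.ora, i.e. what the netmgr export wizard creates.
import re

ORACLE_CONTEXT = "cn=OracleContext,dc=mycorpdomain,dc=com"   # from the article

# The article's tnsnames.ora, embedded so the example runs offline.
SAMPLE_TNSNAMES = """
DCDB =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = trout1)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = dcdb)
)
)

NYDB =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = trout2)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = nydb)
)
)
"""

def parse_tnsnames(text):
    """Return {alias: '(DESCRIPTION=...)'} from tnsnames.ora text.
    Each alias is 'NAME = (' followed by a balanced parenthesised descriptor;
    '#' comment lines are dropped and whitespace inside the descriptor is
    removed (Oracle Net ignores it, but quoted values with spaces would not
    survive this simplification)."""
    src = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    entries, i = {}, 0
    while True:
        m = re.search(r"([\w.\-]+)\s*=\s*\(", src[i:])
        if not m:
            break
        alias = m.group(1)
        start = i + m.end() - 1            # index of the opening '('
        depth, j = 0, start
        while j < len(src):                # find the matching ')'
            if src[j] == "(":
                depth += 1
            elif src[j] == ")":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        entries[alias] = re.sub(r"\s+", "", src[start:j + 1])
        i = j + 1
    return entries

def to_ldif(entries, context=ORACLE_CONTEXT):
    """One orclNetService entry per alias, placed under the Oracle Context.
    cn is matched case-insensitively by the directory, so the alias is kept
    exactly as written in tnsnames.ora."""
    out = []
    for alias, desc in entries.items():
        out += [f"dn: cn={alias},{context}",
                "objectclass: top",
                "objectclass: orclNetService",
                f"cn: {alias}",
                f"orclNetDescString: {desc}",
                ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(to_ldif(parse_tnsnames(SAMPLE_TNSNAMES)))
```

The emitted descriptor for NYDB is the same single-line string that tnsping later prints in the "Attempting to contact" line (the LDAP adapter adds the ADDRESS_LIST wrapper), which makes this a handy way to diff what you intended to publish against what the directory actually returns.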

Verify service name entries in the sponsor and consumer replica nodes

The net service names created in the sponsor node should automatically propagate to the consumer node. Log in to the Oracle Directory Manager on both the sponsor and consumer replica nodes to verify the newly created service name entries.

[oracle@oidsrv2 ~]$ oidadmin
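Checking both replicas in the GUI works for two entries, but does not scale, so here is an added example (not from the article) that does the comparison from the LDIF-style text an ldapsearch of each replica prints. It maps every orclNetService entry to its orclNetDescString and reports aliases missing on one side or carrying a different descriptor on the two sides. The two output blocks are constructed samples, not captured output; the mismatch in the consumer copy of nydb is deliberate so the report has something to show.

```python
# Added example (not from the article): verify that the sponsor and consumer
# replicas hold the same net service name entries. Input is the LDIF-style
# text that an ldapsearch of cn=OracleContext for objectclass=orclNetService
# prints on each node (cn and orclNetDescString attributes requested).

# Constructed sample output, as if captured from oidsrv1 (sponsor).
SPONSOR_OUT = """dn: cn=DCDB,cn=OracleContext,dc=mycorpdomain,dc=com
cn: DCDB
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=trout1)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dcdb)))

dn: cn=NYDB,cn=OracleContext,dc=mycorpdomain,dc=com
cn: NYDB
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=trout2)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=nydb)))
"""

# Constructed sample output, as if captured from oidsrv2 (consumer), where
# replication of the last change to NYDB has not arrived yet.
CONSUMER_OUT = """dn: cn=DCDB,cn=OracleContext,dc=mycorpdomain,dc=com
cn: DCDB
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=trout1)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dcdb)))

dn: cn=NYDB,cn=OracleContext,dc=mycorpdomain,dc=com
cn: NYDB
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=trout9)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=nydb)))
"""

def parse_entries(ldif_text):
    """Map each entry's cn (lower-cased, since cn is case-insensitive) to its
    orclNetDescString. Entries are separated by blank lines; lines without a
    colon and '#' comments are ignored."""
    entries, current = {}, {}
    for line in ldif_text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current.get("cn"):
                entries[current["cn"].lower()] = current.get("orclnetdescstring")
            current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()] = value.strip()
    return entries

def compare_replicas(sponsor_text, consumer_text):
    """Report aliases missing on either side and aliases whose connect
    descriptors differ; in_sync is True only when all three lists are empty."""
    sponsor, consumer = parse_entries(sponsor_text), parse_entries(consumer_text)
    both = set(sponsor) & set(consumer)
    report = {
        "missing_on_consumer": sorted(set(sponsor) - set(consumer)),
        "missing_on_sponsor": sorted(set(consumer) - set(sponsor)),
        "mismatched": sorted(cn for cn in both if sponsor[cn] != consumer[cn]),
    }
    report["in_sync"] = not (report["missing_on_consumer"]
                             or report["missing_on_sponsor"]
                             or report["mismatched"])
    return report

if __name__ == "__main__":
    for key, value in compare_replicas(SPONSOR_OUT, CONSUMER_OUT).items():
        print(f"{key}: {value}")
```

Run against real output, a non-empty "mismatched" list right after a change is expected until oidrepld has propagated it; one that persists means the replication server on one node is not running, which is exactly what the `ps -ef | grep oidrepld` checks earlier in the article are there to catch.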


Configure the Client

After adding the service names into OID, configure the client to test service name resolution.

There are two files to add and modify:

  1. sqlnet.ora—directs the client to use OID instead of tnsnames.ora for name resolution.
  2. ldap.ora—specifies the host name and port numbers of the sponsor and consumer replica OID servers.

sqlnet.ora

NAMES.DIRECTORY_PATH= (LDAP)

ldap.ora

DIRECTORY_SERVERS= (oidsrv1:389:636,oidsrv2:389:636)
DEFAULT_ADMIN_CONTEXT = "dc=mycorpdomain,dc=com"
DIRECTORY_SERVER_TYPE = OID
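The two ldap.ora parameters drive both the lookup and the failover that is exercised in the next section, so here is an added example (not from the article and not the Oracle Net LDAP adapter itself) that makes the mechanics explicit: it parses DIRECTORY_SERVERS into host, port and SSL port triples, builds the DN that an alias maps to under DEFAULT_ADMIN_CONTEXT, and tries the servers in listed order, moving on only when a server cannot be reached. The directory contents, the `lookup` callable and the simulated outage are stand-ins so the code runs offline; the ldap.ora text and the nydb descriptor are the article's.

```python
# Added example (not from the article): parse ldap.ora and walk the
# DIRECTORY_SERVERS list the way a client falls back from the sponsor to the
# consumer replica. The LDAP search itself is simulated by lookup().

LDAP_ORA = """DIRECTORY_SERVERS= (oidsrv1:389:636,oidsrv2:389:636)
DEFAULT_ADMIN_CONTEXT = "dc=mycorpdomain,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

def parse_ldap_ora(text):
    """Return {'servers': [(host, port, sslport), ...], 'context': ..., 'type': ...}."""
    params = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip().strip('"').strip("()").strip()
    servers = []
    for spec in params.get("DIRECTORY_SERVERS", "").split(","):
        host, port, sslport = (spec.strip().split(":") + ["", ""])[:3]
        servers.append((host, int(port) if port else 389,
                        int(sslport) if sslport else None))
    return {"servers": servers,
            "context": params.get("DEFAULT_ADMIN_CONTEXT", ""),
            "type": params.get("DIRECTORY_SERVER_TYPE", "")}

def service_dn(alias, context):
    """Entry the adapter reads for an alias: cn=<alias>,cn=OracleContext,<context>."""
    return f"cn={alias},cn=OracleContext,{context}"

class ServerDown(Exception):
    """Raised by lookup() when a directory server cannot be contacted."""

def resolve_alias(alias, config, lookup):
    """Try each server in DIRECTORY_SERVERS order. Returns (descriptor, host
    that answered). Only an unreachable server triggers failover; a reachable
    server that lacks the entry is a configuration error and is not retried."""
    dn = service_dn(alias, config["context"])
    failures = []
    for host, port, _sslport in config["servers"]:
        try:
            return lookup(host, port, dn), host
        except ServerDown as exc:
            failures.append(f"{host}:{port}: {exc}")
    raise LookupError(f"{alias}: no directory server answered ({'; '.join(failures)})")

# Constructed in-memory copy of what both replicas hold for nydb.
REPLICA_DATA = {
    "cn=nydb,cn=OracleContext,dc=mycorpdomain,dc=com":
        "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=trout2)(PORT=1521))"
        "(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=nydb)))",
}

def make_lookup(down_hosts):
    """Build a simulated LDAP search where the hosts in down_hosts refuse
    connections (stands in for the sponsor outage in the failover test)."""
    def lookup(host, port, dn):
        if host in down_hosts:
            raise ServerDown("connection refused (simulated outage)")
        if dn not in REPLICA_DATA:
            raise LookupError(f"no such entry: {dn}")
        return REPLICA_DATA[dn]
    return lookup

if __name__ == "__main__":
    cfg = parse_ldap_ora(LDAP_ORA)
    print(resolve_alias("nydb", cfg, make_lookup({"oidsrv1"})))
```

With oidsrv1 marked down the alias is served by oidsrv2, the behaviour the shutdown test that follows demonstrates with a real outage; listing only one server in DIRECTORY_SERVERS is the most common reason a client sees no failover at all.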

Test OID name resolution by connecting to dcdb:

SQL> connect vchan/vchan@dcdb
Connected.
SQL> select name from v$database;

NAME
---------
DCDB

Test OID failover capability

When there is an outage on the sponsor node, all requests are automatically routed to the consumer node. To demonstrate the failover mechanism, we will simulate an outage on the sponsor node and test database connectivity to nydb.

SQL> connect sys/oracle@asdb1 as sysdba
Connected.
SQL> select name from v$database;

NAME
---------
ASDB1

SQL> shutdown abort
ORACLE instance shut down.

SQL> connect vchan/vchan@nydb
Connected.
SQL> select name from v$database;

NAME
---------
NYDB

[oracle@grouper ~]$ tnsping nydb

TNS Ping Utility for Linux: Version 10.2.0.1.0 - Production on 24-AUG-2006 18:38:39

Copyright (c) 1997, 2005, Oracle. All rights reserved.

Used parameter files:
/u01/app/oracle/product/10.2.0/db_1/network/admin/sqlnet.ora

Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=trout2)(PORT=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=nydb)))
OK (10 msec)

Conclusion

Oracle Internet Directory is simple to install, configure, and use and is the preferred product for storing Oracle Net Services names. Storing service names in a central repository simplifies management of name services, especially when you have many client machines to deal with. An approach to achieving high availability in OID is to use LDAP-based replication—an option in Oracle Identity Management—to synchronize changes between the sponsor and the consumer. For more-comprehensive information about using or administering Oracle Internet Directory, refer to Oracle Internet Directory Administrator’s Guide 10g (10.1.4.0.1).


Vincent Chan (vkchan99@yahoo.com) is a senior consultant at MSD. He is an Oracle Certified Master DBA with more than ten years of experience architecting and implementing Oracle solutions for various clients.
