Directory naming configuration and usage (ldap.ora) – part 1


Preamble

In a big company, a central location for Oracle connect descriptors (SQL*Net connect strings) is more or less a must. At the very least the team handling PC support will ask for it to ease their job. Imagine you have a local tnsnames.ora file on all your clients: what happens the day you need to change the name of a server because you migrate a database to new hardware?

The solution is called directory naming. It has been around for a very long time, handled by different products as Oracle releases have evolved.

The legacy product that centralizes your Oracle connect descriptor (TNS string) entries is Oracle Names Server. It was a simple system process plus a text file holding all your entries, and yes, we still have it running:

orans1{oranames}# namesctl status
 
Oracle Names Control for HPUX: Version 9.2.0.6.0 - Production on 09-JUN-2016 11:22:05
 
Copyright (c) 1993, 2002 Oracle Corporation.  All rights reserved.
 
Currently managing name server "orans1.domain.com"
Version banner is "Oracle Names for HPUX: Version 9.2.0.6.0 - Production"
 
Version banner is "Oracle Names for HPUX: Version 9.2.0.6.0 - Production"
 
Server name:                              orans1.domain.com
Server has been running for:              249 days 11 hours 32 minutes 53.93 seconds
Request processing enabled:               yes
Request forwarding enabled:               yes
Requests received:                        2707
Requests forwarded:                       0
Foreign data items cached:                0
Region data next checked for reload in:   not set
Region data reload check failures:        0
Cache next checkpointed in:               not set
Cache checkpoint interval:                not set
Cache checkpoint file name:               /ora_names/software/network/names/ckpcch.ora
Statistic counters next reset in:         not set
Statistic counter reset interval:         not set
Statistic counters next logged in:        not set
Statistic counter logging interval:       not set
Trace level:                              0
Trace file name:                          /ora_names/software/network/trace/names.trc
Log file name:                            /ora_names/software/network/log/names.log
System parameter file name:               /ora_names/software/network/admin/names.ora
Command-line parameter file name:         ""
Administrative region name:               ""
Administrative region description:        ""
ApplTable Index:                          0
Contact                                   ""
Operational Status                        1
Save Config on Stop                       no

And the Oracle connect descriptors file:

orans1{oranames}# tail /ora_names/software/network/names/ckpdom.ora
        )
 
sid1_DB.world. = (DATA_LIST=(FLAGS=0x1)(TTL=86400)
    (DATA=(TYPE=a.smd.)(DESCRIPTION=(SOURCE_ROUTE=OFF)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=server1.domain.com)(PORT=1529)))(CONNECT_DATA=(SID=sid1)(SRVR=DEDICATED))) )
        )
 
sid2_eu.world. = (DATA_LIST=(FLAGS=0x1)(TTL=86400)
    (DATA=(TYPE=a.smd.)(DESCRIPTION=(SOURCE_ROUTE=OFF)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=server2.domain.com)(PORT=1525)))(CONNECT_DATA=(SID=sid2)(SRVR=DEDICATED))) )
        )
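As an added example (not part of the original post), here is a small Python parser for the nested (NAME=VALUE) syntax of these connect descriptors, plus a helper that answers the question from the preamble: which entries point at a given host and would have to change when that server is renamed. The SAMPLE text is a constructed copy of the two entries above; parse_nv, parse_names_file, addresses and entries_using_host are my own names.

```python
import re
_TOKEN = re.compile(r"\(|\)|=|[^()=\s]+")        # '(' ')' '=' or a bare word
_ENTRY = re.compile(r"(?m)^([^\s()=]+)\s*=\s*")  # entry name at column 0, then '='

def parse_nv(text):
    """Parse '(NAME=VALUE)(NAME=(...))' into [(NAME, value)]; nested groups become lists."""
    tokens = _TOKEN.findall(text)
    def take(want=None):  # consume the next token, optionally checking which one it is
        if not tokens or (want and tokens[0] != want):
            raise ValueError("malformed descriptor, %d tokens left" % len(tokens))
        return tokens.pop(0)
    def group_list():
        items = []
        while tokens and tokens[0] == "(":
            take("(")
            name = take()
            take("=")
            value = group_list() if tokens and tokens[0] == "(" else take()
            take(")")
            items.append((name.upper(), value))
        return items
    tree = group_list()
    if tokens:  # anything left over means unbalanced parentheses
        raise ValueError("unbalanced descriptor: %d trailing tokens" % len(tokens))
    return tree

def parse_names_file(text):
    """Split a ckpdom.ora-style dump into {entry_name: parsed descriptor}."""
    starts = list(_ENTRY.finditer(text))
    ends = [m.start() for m in starts[1:]] + [len(text)]
    return {m.group(1): parse_nv(text[m.end():end]) for m, end in zip(starts, ends)}

def addresses(tree):
    """Yield {'PROTOCOL': .., 'HOST': .., 'PORT': ..} for every ADDRESS group, at any depth."""
    for name, value in tree:
        if name == "ADDRESS" and isinstance(value, list):
            yield {k: v for k, v in value if isinstance(v, str)}
        elif isinstance(value, list):
            yield from addresses(value)

def entries_using_host(text, host):
    """Entries whose descriptor points at `host`: the ones to fix when that server is renamed."""
    return sorted(name for name, tree in parse_names_file(text).items()
                  if any(a.get("HOST", "").lower() == host.lower() for a in addresses(tree)))

SAMPLE = """\
sid1_DB.world. = (DATA_LIST=(FLAGS=0x1)(TTL=86400)
    (DATA=(TYPE=a.smd.)(DESCRIPTION=(SOURCE_ROUTE=OFF)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=server1.domain.com)(PORT=1529)))(CONNECT_DATA=(SID=sid1)(SRVR=DEDICATED))) ) )
sid2_eu.world. = (DATA_LIST=(FLAGS=0x1)(TTL=86400)
    (DATA=(TYPE=a.smd.)(DESCRIPTION=(SOURCE_ROUTE=OFF)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=server2.domain.com)(PORT=1525)))(CONNECT_DATA=(SID=sid2)(SRVR=DEDICATED))) ) )
"""  # constructed sample, in the format of the ckpdom.ora checkpoint file shown above
```

Running entries_using_host(SAMPLE, "server1.domain.com") lists only sid1_DB.world., the entry you would have to edit on a rename; the same functions work on a full ckpdom.ora or on descriptors pulled from a tnsnames.ora.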

On your client you had to set up your sqlnet.ora file with something like:

NAMES.DEFAULT_DOMAIN = world
 
NAMES.PREFERRED_SERVERS =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = orans1.domain.com)(PORT = 1688))
  )
 
NAMES.DIRECTORY_PATH= (ONAMES)

It was really simple to set up and maintain. But starting with 10gR1 Oracle decided this was too simple and replaced this implementation with a much more complex one based on an LDAP-compliant directory. With the latest 12cR1 Oracle client only Microsoft Active Directory (AD) and Oracle Internet Directory (OID) are supported. OID is part of the Oracle Identity Management family. Their application server, WebLogic, is not mandatory to run OID, but without it you will have no graphical interface at all, which is fine if you are a bit familiar with LDAP.

If you install all those Oracle components exclusively to serve Oracle connect descriptors then you have no licenses to purchase.

I started with the Oracle Identity Management page and obviously tried the latest release (at the time of writing this post), i.e. 11gR2, or more precisely 11gR2PS3 (11.1.2.3.0). After many unsuccessful tries I realized that OID was not yet available in this release, which is confirmed by the certification page, where 11.1.1.9.0 is the latest certified release:

[Screenshot: directory_naming01]

We also see that WebLogic 12cR2 cannot be used, as only WebLogic 10.3.6 is certified!

My testing has been done on a virtual machine running Oracle Enterprise Linux 7.2 64 bits with a 12cR1 (12.1.0.2.0) Unicode (AL32UTF8) backend database.

You also need a Java JDK on your server; at the time of writing it is 1.8.0_92, which I have installed with the provided rpm (jdk-8u92-linux-x64.rpm), so under /usr/java. On the certification page you can see that only Java 1.7 is certified and it should be the one you install. I am anyway using the latest one, as from past experience Java backward compatibility has always been good, even for products not yet certified on the latest Java. Also, from a security point of view, it makes no sense to install Java 1.7.

WebLogic installation

This component is optional; just remember that without it you will end up with no graphical interface.

From the WebLogic 10.3.6 download page, the generic Installers with Oracle WebLogic Server and Oracle Coherence cannot be used for OID, as OID requires the component below:

  • Java Required Files (JRF)

So the one to use is Installers with Oracle WebLogic Server, Oracle Coherence and Oracle Enterprise Pack for Eclipse, so I downloaded Linux x86 with 32-bit JVM (1.5 GB), hoping to use the 64-bit Java I have already installed on my server… The file oepe-wls-indigo-installer-11.1.1.8.0.201110211138-10.3.6-linux32.bin is an executable, so it is not launched with java -jar file.jar like the others.

First installation screen:

[Screenshot: directory_naming02]

Choose installation directory (/u01/Middleware for me):

[Screenshot: directory_naming03]

Do you wish to receive security information:

[Screenshot: directory_naming04]

Custom installation for better control:

[Screenshot: directory_naming05]

Keep WebLogic installation option by default:

[Screenshot: directory_naming06]

Choose to add Oracle Application Development Framework:

[Screenshot: directory_naming07]

Choose the JDK you have installed; that is not the default option, as the JDKs that come with the installation binaries are a bit obsolete. If you refer to the certification picture above, normally only JDK 1.7.0 is certified:

[Screenshot: directory_naming08]

Leave the default installation sub-directories:

[Screenshot: directory_naming09]

Summary of what will be done:

[Screenshot: directory_naming10]

Final window if you had no issue:

[Screenshot: directory_naming11]

WebLogic configuration

Once WebLogic has been installed, launch the configuration script available at /u01/Middleware/oracle_common/common/bin/config.sh. Choose to create a new WebLogic domain:

[Screenshot: directory_naming12]

Add the mandatory Oracle JRF option:

[Screenshot: directory_naming13]

I have left default name and default deployment directory:

[Screenshot: directory_naming14]

Choose a password for your WebLogic administrator account:

[Screenshot: directory_naming15]

I have chosen production mode with my already installed Java release:

[Screenshot: directory_naming16]

Check Administration Server to benefit from the graphical administrative tool:

[Screenshot: directory_naming17]

Enter the server name and keep the default port (7001):

[Screenshot: directory_naming18]

Summary of what will be done:

[Screenshot: directory_naming19]

Final window with the URL to be used for the graphical interface:

[Screenshot: directory_naming20]

Finally start WebLogic with:

[oracle@server1 ~]$ /u01/Middleware/user_projects/domains/base_domain/startWebLogic.sh

This will most probably fail, after you have interactively entered the account, with:

Enter username to boot WebLogic server:weblogic
Java HotSpot(TM) 64-Bit Server VM warning: You have loaded library /u01/Middleware/wlserver_10.3/server/native/linux/i686/libterminalio.so which might have disabled stack guard. The VM will try to fix the stack guard now.
It's highly recommended that you fix the library with 'execstack -c <libfile>', or link it with '-z noexecstack'.
<Jun 10, 2016 12:05:52 PM CEST> <Error> <Security> <BEA-090782> <Server is Running in Production Mode and Native Library(terminalio) to read the password securely from commandline is not found.>
<Jun 10, 2016 12:05:52 PM CEST> <Notice> <WebLogicServer> <BEA-000388> <JVM called WLS shutdown hook. The server will force shutdown now>
<Jun 10, 2016 12:05:52 PM CEST> <Alert> <WebLogicServer> <BEA-000396> <Server shutdown has been requested by <WLS Kernel>>
<Jun 10, 2016 12:05:52 PM CEST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

Follow MOS note 1354736.1 to correct it.

Or you can also follow MOS note 475060.1 to avoid being obliged to supply account/password each time you start it…

This is the latter one I decided to follow. In short you create a boot.properties file with account and password:

[oracle@server1 ~]$ cd /u01/Middleware/user_projects/domains/base_domain/servers/server1.domain.com
[oracle@server1 server1.domain.com]$ mkdir security
[oracle@server1 server1.domain.com]$ cd security
[oracle@server1 server1.domain.com]$ vi boot.properties
[oracle@server1 server1.domain.com]$ cat boot.properties
username=weblogic
password=secure_password

When you start the WebLogic server, the account and password are of course no longer requested, and the file is rewritten with the values encrypted to protect the password:

[oracle@server1 ~]$ cat /u01/Middleware/user_projects/domains/base_domain/servers/server1.domain.com/security/boot.properties
#Fri Jun 10 12:16:32 CEST 2016
password={AES}mrdERtPxVBTSr5lsdau1gPC2rjVxBN1MdyAaIUD8qQo\=
username={AES}p4aYO8sUChgMxKINU2fc8dgc0kidumyPBlDVmKNGthU\=

You can then access the administrative web interface at http://server1.domain.com:7001/console:

[Screenshot: directory_naming30]

This optional first part of the series on directory naming implementation is over (!!). I told you Oracle has not made it simple. Move on to the second part with the link in the references section.

References
