After having the pleasure to work with EUS there is no going back. I like EUS so much it makes me wonder why the adoption of this feature is so small. Maybe because it’s such a huge PITA to install and set up (just kidding, I know the licenses cost some a bag full of money. Moreover, most organizations don’t seem to care enough about the total mess in their identity and access management).
What I’m going to show in this series is what is necessary to make EUS happen on the currently latest version of OUD (11.1.2.3) and the Oracle database (12.1.0.2). As usual, there is some patching and working around to do.
But, first things first. What software do we need and what is each component for?
Oracle Unified Directory
OUD is the directory service to which the database sends requests about users, credentials and privileges (roles). OUD is an LDAP directory based on OpenDS. It’s a pure Java application with an integrated Berkeley DB backend.
Oracle Directory Services Manager
This component is optional but will make your life so much easier. ODSM is a web-based GUI to manage OUD. You use it to configure OUD, set up replication between multiple OUD instances and manage your users, groups, etc. ODSM is an application deployed on WebLogic and is built on ADF.
Download Software
Java JDK: Version 7 (latest Update)
– download from support.oracle.com / Patch 1307984
Weblogic Server 11gR1 (Generic and Coherence): Version 10.3.6
– download from edelivery.oracle.com / Part-No.: V29856-01
Oracle Application Development Framework (ADF): Version 11.1.1.9.0
– download from support.oracle.com (Patch 20996481 / p20996481_111190_Generic.zip)
Oracle Unified Directory (OUD): Version 11.1.2.3.0
– download from edelivery.oracle.com / Part-No.: V75929-01
Required Patches
As I said before, there are some patches required for everything to play nicely together.
Database 12.1.0.2 requires a patch to support SHA-2 with SSL:
– p19285025_121020_Linux-x86-64.zip
– get the latest OPatch (6880880) for your database home version as per the patch note
OUD 11.1.2.3 requires a patch to allow the EUSM tool to connect:
– p20529805_111230_Generic.zip
– your current OPatch version in the MW home should be high enough (OPatch version 11.1.0.11.0) to apply this patch
Happy downloading…
…
…
…
Wrap your head around EUS
Meanwhile, let’s quickly look at what it’s all about – in case you’re new to this EUS business. The following diagram is an attempt to put into one picture everything that is scattered across the documentation: Database Enterprise User Security Administrator’s Guide.
Coloring scheme:
– Green: objects in the database
– Blue: groups of objects in the LDAP directory
– Red: user entities in the LDAP directory
– Yellow: enterprise roles in the LDAP directory
There’s a group of users and each user is a member of one or more (functional) groups. The “Users” group is mapped to a database schema EUS_USER. This means every database login from one of these users will physically connect to the EUS_USER schema in the database. Every functional group is granted one or more enterprise roles. Each enterprise role is mapped to a role in one or more databases.
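The database side of that picture, as an added example that is not from the original post: the shared schema and the global role are created in the database, while the mapping of the directory group to the schema and of the enterprise role to the global role lives in OUD and is done with EUSM, which is not shown here. The role name hr_reporting and the table hr.employees are constructed for illustration.

```sql
-- Shared schema (green box): no local password, identity comes from the directory.
-- Every member of the "Users" group will land in this schema after login.
CREATE USER eus_user IDENTIFIED GLOBALLY;
GRANT CREATE SESSION TO eus_user;

-- Global role (green box): can only be enabled through an enterprise role
-- mapped to it in the directory, never granted directly to a local user.
-- hr_reporting and hr.employees are constructed names for this example.
CREATE ROLE hr_reporting IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_reporting;

-- Check from within an EUS session: the schema user is the shared EUS_USER,
-- but the enterprise identity (the person's DN in OUD) is still visible,
-- which is what audit and fine-grained access control should key on.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS schema_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')    AS enterprise_dn,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS authenticated_as
  FROM dual;

-- Which global roles did the directory mapping actually enable for this session?
SELECT role FROM session_roles ORDER BY role;
```

If the second query lists no global role for a user who is a member of a functional group, the enterprise role to database role mapping in the directory is the first place to look.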
What’s next
I’m going to show you how to install and configure all the components so you can start registering databases for EUS. And, we’re going to do this in silent mode – meaning it’s all command line and response files instead of OUI screen shots.