Enterprise User Security – Part 2

By now, you should have all the sources ready to start installing.

As OUD is a pure Java application, we first install the JDK (run this as the root user).

Install JDK

mkdir /tmp/tmpjava
unzip p13079846_17000_Linux-x86-64.zip -d /tmp/tmpjava

rpm -Uhv /tmp/tmpjava/jdk-7u85-linux-x64.rpm

rm -rf /tmp/tmpjava

As I’m an Oracle database guy I’m going to install OUD under the “oracle” user. Make sure to have the JDK set in your installation user’s environment.

vi ~/.bash_profile

export JAVA_HOME=/usr/java/jdk1.7.0_85
export PATH=${JAVA_HOME}/bin:${PATH}

 
Install OUD

Create the response file:

vi /tmp/silent_oud.rsp

[ENGINE]
Response File Version=1.0.0.0.0

[GENERIC]
SPECIFY_DOWNLOAD_LOCATION=false
SKIP_SOFTWARE_UPDATES=true
SOFTWARE_UPDATES_DOWNLOAD_LOCATION=
# where the OUD software will be installed
ORACLE_HOME=/u01/app/oracle/product/mdlw11119/oud11123
MIDDLEWARE_HOME=/u01/app/oracle/product/mdlw11119
CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0

[SYSTEM]
[APPLICATIONS]
[RELATIONSHIPS]

Feed the response file to the OUD installer:

mkdir /tmp/tmpoud
unzip V75929-01.zip -d /tmp/tmpoud

cd /tmp/tmpoud
./Disk1/runInstaller -silent \
  -responseFile /tmp/silent_oud.rsp \
  -jreLoc /usr/java/jdk1.7.0_85

rm -rf /tmp/tmpoud

Done. OUD software is installed on your server.
 
Patch OUD

As mentioned in the previous blog post, we need to patch OUD so that the Oracle 12c “eusm” utility is able to connect.

export ORACLE_HOME=/u01/app/oracle/product/mdlw11119/oud11123
export PATH=${ORACLE_HOME}/OPatch:${PATH}

mkdir /tmp/oudpatch
unzip p20529805_111230_Generic.zip -d /tmp/oudpatch

# if patching a running OUD we need to stop it for patching
# cd /u01/app/oracle/product/mdlw11119/asinst_1/OUD/bin
# ./stop-ds

cd /tmp/oudpatch/20529805
opatch apply

rm -r /tmp/oudpatch/

 
Configure OUD

By default, the instance is created as MW_HOME/asinst_1. Exporting the following variable before calling oud-setup sets the instance name:
# export INSTANCE_NAME=;

cd /u01/app/oracle/product/mdlw11119/oud11123

# we write the password of the directory root user into a file
#   unfortunately, that's how the OUD tools work
#   personally, I think this is one of the worst command line tool designs
_PWFILE_ADM_=/tmp/pwfile-adm.txt
echo "Complex-1-Password" > ${_PWFILE_ADM_}

# create the OUD instance with default name asinst_1;
./oud-setup --cli \
  --baseDN dc=spotonoracle,dc=com \
  --addBaseEntry \
  --integration eus \
  --ldapPort 1389 \
  --adminConnectorPort 4444 \
  --rootUserDN cn=diradmin \
  --rootUserPasswordFile ${_PWFILE_ADM_} \
  --enableStartTLS \
  --ldapsPort 1636 \
  --generateSelfSignedCertificate \
  --hostname $(hostname) \
  --no-prompt --noPropertiesFile

# delete the password file
rm ${_PWFILE_ADM_}
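The password-file dance above is repeated for every dsconfig, ldappasswordmodify and ldapsearch call later in this post. As written, the file is created with the shell's default umask, so it is usually world-readable on the host for as long as it exists, and it is only removed if nobody forgets the trailing rm. The helper below is an added example, not code from the original post or from the OUD tools: it creates the file owner-only with mktemp, writes the password with printf, and deletes the file no matter how the wrapped command exits. It assumes a Linux/POSIX host with mktemp(1); the password values are constructed.

```sh
#!/bin/sh
# Added example, not code from the original post: a safer way to hand a
# password file to the OUD tools (dsconfig, ldappasswordmodify, ldapsearch).
# The post's pattern writes the password with the shell's default umask, so
# the file is typically readable by every user on the host until it is deleted.
# Assumes a Linux/POSIX host with mktemp(1); all password values are constructed.

# Create an owner-only (0600) temporary file holding the password and print its path.
make_pwfile() {
    pw="$1"
    # umask 077 in the subshell guarantees no group/other bits even if mktemp
    # is lenient; mktemp also never overwrites an existing file.
    f=$(umask 077 && mktemp "${TMPDIR:-/tmp}/oud-pw.XXXXXX") || return 1
    # printf, not echo: echo may mangle backslashes or a leading "-" in the password
    printf '%s\n' "$pw" > "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# Return 0 if the file's mode is exactly rw------- (ls output is portable, stat flags are not).
pwfile_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Run a command with the password-file path appended as its last argument,
# then delete the file whether or not the command succeeded (no "forgot rm").
# Returns the command's exit status.
run_with_pwfile() {
    pw="$1"; shift
    f=$(make_pwfile "$pw") || return 1
    "$@" "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# Usage with the post's dsconfig call (commented out so the example runs offline).
# The path is appended last, so the option that takes it goes at the end:
# cd /u01/app/oracle/product/mdlw11119/asinst_1/OUD/bin
# run_with_pwfile "Complex-1-Password" \
#     ./dsconfig -h "$(hostname)" -p 4444 -D "cn=diradmin" \
#     get-password-policy-prop --policy-name "Root Password Policy" \
#     --no-prompt --trustAll --bindPasswordFile
```

The same wrapper works for ldappasswordmodify and ldapsearch, whose -j option also takes the path as the value that follows it.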

Check the status of the OUD instance.

/u01/app/oracle/product/mdlw11119/asinst_1/OUD/bin/status

 
Why exactly did we patch?

By default, OUD only supports irreversible hashing algorithms for the root user password policy. The patch allows us to configure AES as an additional (reversible) storage scheme.

_PWFILE_ADM_=/tmp/pwfile-adm.txt
echo "Complex-1-Password" > ${_PWFILE_ADM_}

cd /u01/app/oracle/product/mdlw11119/asinst_1/OUD/bin

# check what's currently configured
./dsconfig -h $(hostname) -p 4444 -D "cn=diradmin" \
  --bindPasswordFile ${_PWFILE_ADM_} \
  get-password-policy-prop --policy-name "Root Password Policy" \
  --no-prompt \
  --trustAll
# should be SHA-512

# add AES as additional algorithm
./dsconfig -h $(hostname) -p 4444 -D "cn=diradmin" \
  --bindPasswordFile ${_PWFILE_ADM_} \
  set-password-policy-prop --policy-name "Root Password Policy" \
    --add default-password-storage-scheme:AES \
  --no-prompt \
  --trustAll

# always delete the password file
rm ${_PWFILE_ADM_}

As it happens, the password was hashed using SHA-512 during the installation. We must change the password in order to make OUD store it using the AES algorithm as well. Let’s change the password back and forth.

cd /u01/app/oracle/product/mdlw11119/asinst_1/OUD/bin
_PWFILE_ADM_=/tmp/pwfile-adm.txt

# change the password to some temporary value
echo "Complex-1-Password" > ${_PWFILE_ADM_}
./ldappasswordmodify -h $(hostname) -p 4444 -D "cn=diradmin" \
  -j ${_PWFILE_ADM_} \
  --useSSL \
  --trustAll \
  -c Complex-1-Password \
  -n Temp-1-Password

# change it back to the original value
echo "Temp-1-Password" > ${_PWFILE_ADM_}
./ldappasswordmodify -h $(hostname) -p 4444 -D "cn=diradmin" \
  -j ${_PWFILE_ADM_} \
  --useSSL \
  --trustAll \
  -c Temp-1-Password \
  -n Complex-1-Password

# verify that AES was used as well as SHA-512
echo "Complex-1-Password" > ${_PWFILE_ADM_}
./ldapsearch -h $(hostname) -p 4444 -D "cn=diradmin" \
  --useSSL \
  --trustAll \
  -j ${_PWFILE_ADM_} \
  -b "cn=Directory Manager,cn=Root DNs,cn=config" \
  -s base objectclass=* userpassword
# should show 2 lines output: one with SHA-512, one with AES

# never forget to delete the password file
rm ${_PWFILE_ADM_}
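The final ldapsearch is the actual verification that the patch and the policy change worked, so it is worth checking its output in a script rather than by eye, especially if you set up more than one instance. The functions below are an added example, not code from the original post or from OUD: they read the LDIF that ldapsearch prints on stdin, pull the "{SCHEME}" tag off every userPassword value (handling the base64 "::" LDIF encoding as well), and fail unless every expected tag is present. The tags and hash bytes in the constructed sample are placeholders; compare them with what your own instance prints. The searches in this post pass --trustAll because the instance was set up with a self-signed certificate; the check below does not change that.

```sh
#!/bin/sh
# Added example, not code from the original post: check the ldapsearch output
# from the step above for the expected password storage schemes instead of
# eyeballing it. Reads LDIF on stdin; handles both plain ("attr: value") and
# base64 ("attr:: value") LDIF encodings. The scheme tags in the sample below
# are constructed; compare them with what your own OUD instance prints.

# Print the storage-scheme tag of every userPassword value (e.g. SSHA512, AES),
# upper-cased, one per line, sorted and de-duplicated. Values without a
# "{SCHEME}" prefix are reported as CLEAR.
password_schemes() {
    while IFS= read -r line; do
        attr=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        [ "$attr" = "userpassword" ] || continue
        rest=${line#*:}
        case "$rest" in
            :*) value=$(printf '%s' "${rest#:}" | sed 's/^ *//' | base64 -d 2>/dev/null) ;;
            *)  value=$(printf '%s' "$rest" | sed 's/^ *//') ;;
        esac
        scheme=$(printf '%s' "$value" | sed -n 's/^{\([^}]*\)}.*/\1/p' | tr 'a-z' 'A-Z')
        printf '%s\n' "${scheme:-CLEAR}"
    done | sort -u
}

# Return 0 only if every scheme tag given as an argument (any case) is present
# in the LDIF on stdin.
require_schemes() {
    found=$(password_schemes)
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr 'a-z' 'A-Z')
        printf '%s\n' "$found" | grep -qx "$want" || return 1
    done
    return 0
}

# Constructed sample of what the ldapsearch in the post might return after the
# password change: one SHA-512 value and one AES value, the latter base64-encoded
# in LDIF ("::") to exercise that path. The hash/cipher bytes are placeholders.
SAMPLE_LDIF='dn: cn=Directory Manager,cn=Root DNs,cn=config
userPassword: {SSHA512}cGxhY2Vob2xkZXItaGFzaA==
userpassword:: e0FFU31hYmM='

# Offline run on the sample; against a live instance pipe ldapsearch into it instead:
#   ./ldapsearch ... -s base objectclass=* userpassword | require_schemes SSHA512 AES
printf '%s\n' "$SAMPLE_LDIF" | require_schemes SSHA512 AES \
    && echo "root password stored with SHA-512 and AES" \
    || echo "expected storage schemes missing"
```

A CLEAR result means a userPassword value had no scheme tag at all, which should never appear on an OUD root DN entry and is worth a look if it does.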

 
Your OUD instance is ready for use with Enterprise User Security.
Next, I’m going to show how to install ODSM so you can easily browse and configure the directory in your web browser.

Start and stop the OUD service

cd /u01/app/oracle/product/mdlw11119/asinst_1/OUD/bin

# start OUD
./start-ds

# stop OUD
./stop-ds
