DB: Configuring wallet for http(s) calls

How to configure the wallet for https calls from a 12c database

Before making https calls from the database, a wallet has to be created and a network access control list (ACL) must be created to allow outbound https connections.

In addition, the root or intermediate certificates of the website being called must be stored in the wallet. With 12c, only the INTERMEDIATE certificate should be stored in the wallet. A good start to find the latest certificate is here.

Also, a database access list has to be created to grant the specified schema the privilege to access the host via http calls. When a proxy is used as a firewall, access to the proxy must also be part of this access list.


Setup the wallet

Here we create a wallet in the $ORACLE_HOME/wallet/<db> directory.

export LWALLET_DIR=$ORACLE_HOME/wallet/<db>

mkdir -p ${LWALLET_DIR}

orapki wallet create -wallet ${LWALLET_DIR} -pwd welcome1 -auto_login

# Example for www.oracle.com
orapki wallet add -wallet ${LWALLET_DIR} -trusted_cert -cert "GeoTrustSSLCA-G3.crt" -pwd welcome1
# Example for cloud.demo.com
orapki wallet add -wallet ${LWALLET_DIR} -trusted_cert -cert "SymantecClass3SecureServerCA-G4.crt" -pwd welcome1
ls -l ${LWALLET_DIR}

orapki wallet display -wallet ${LWALLET_DIR} -complete

In case of RAC, make sure to replicate the wallet over other RAC nodes.


Create the access list

connect sys/<password> as sysdba

ALTER SESSION SET CONTAINER=<pdb>;
begin
dbms_network_acl_admin.append_host_ace
 (host => '*'
 ,lower_port => 80
 ,upper_port => 443
 ,ace => xs$ace_type(privilege_list => xs$name_list('http','http_proxy')
 ,principal_name => 'schema'
 ,principal_type => xs_acl.ptype_db));
dbms_network_acl_admin.append_wallet_ace
 (wallet_path => 'file:/path to ORACLE_HOME/wallet/<db>'
 ,ace => xs$ace_type(privilege_list => xs$name_list('use_client_certificates','use_passwords')
 ,principal_name => 'schema'
 ,principal_type => xs_acl.ptype_db));

commit;
end;
/


To check that the wallet and certificate were deployed successfully:

sqlplus <sysman>/<password>
SQL> execute utl_http.set_wallet('file:<path to wallet>', 'welcome1');
SQL> select utl_http.request ('http://www.oracle.com') from dual;

or with a proxy:

sqlplus <sysman>/<password>
SQL> execute utl_http.set_wallet('file:<path to wallet>', 'welcome1');
SQL> select utl_http.request ('http://www.oracle.com','http://<proxy>:80') from dual;
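The wallet steps above store the intermediate certificate of the site being called. The following added shell example (not from the original post) splits a PEM chain, as saved from the browser or from openssl s_client -showcerts, into one file per certificate so that the intermediate (the second certificate, between the server certificate and the root) can be added with the same orapki command used above. The chain written by write_sample_chain is a constructed placeholder, and openssl and orapki are only called by wallet_add_intermediate.

```shell
#!/bin/sh
# Added example: pick the intermediate certificate out of a PEM chain and add it
# to the 12c wallet. The chain bodies written by write_sample_chain are
# constructed placeholders, not real certificates; they only exercise the split.

# Write a constructed 3-certificate chain (server, intermediate, root) to $1,
# in the order "openssl s_client -showcerts" prints it.
write_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
SERVER-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# split_pem_chain CHAIN_FILE OUT_DIR
# Writes one file per certificate (cert-01.pem, cert-02.pem, ...) into OUT_DIR,
# ignoring anything outside the BEGIN/END markers, and prints the number of
# certificates found.
split_pem_chain() {
    chain="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); keep = 1 }
        keep { print > f }
        /-----END CERTIFICATE-----/   { keep = 0; close(f) }
        END { print n + 0 }
    ' "$chain"
}

# wallet_add_intermediate OUT_DIR WALLET_DIR WALLET_PWD
# Shows the subject/issuer of cert-02.pem so it can be sanity-checked as the
# intermediate, then adds it as a trusted certificate. Needs openssl and orapki
# on the PATH, so it is only meaningful against a real chain.
wallet_add_intermediate() {
    outdir="$1"; wallet="$2"; wpwd="$3"
    openssl x509 -noout -subject -issuer -in "$outdir/cert-02.pem" || return 1
    orapki wallet add -wallet "$wallet" -trusted_cert -cert "$outdir/cert-02.pem" -pwd "$wpwd"
}
```

Compare the issuer printed for cert-02.pem with the subject of cert-01.pem before adding it: if they differ, the chain was saved in another order and a different file is the intermediate.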

OCI: Installing docker on OCI-c OL6

Installing docker on OPC

Provision an instance with EL 6.8 uek4 (uek4.1 or higher is required for the docker package to install) and 50GB of additional block storage.

Installation prerequisites

Login with opc

Update /etc/yum.repos.d/public-yum-ol6.repo to enable ol6_addons

Create an oracle:oinstall user

Configure the extra volume on /u01, owned by oracle:oinstall


Docker installation and setup

Install docker and md5:

sudo yum install docker-engine md5


Change the following settings in the file /etc/sysconfig/docker so that the 12.2 database installs properly:

[vi /etc/sysconfig/docker]
other_args="-g /u01/docker --storage-opt dm.basesize=40G"

Start docker:

sudo service docker start

Check that the system is properly configured, in particular the 'Data loop file' and 'Base Device Size' parameters.

docker info

Connected as oracle, download the docker build images to /u01, unzip the file, then download the 12.2 standard edition installation media into the 12.2 directory:

cd /u01
wget https://github.com/oracle/docker-images/archive/master.zip
unzip master.zip
cd /u01/docker-images-master/OracleDatabase/dockerfiles/12.2.0.1
wget http://download.oracle.com/otn/linux/oracle12c/122010/linuxx64_12201_database.zip
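For the docker info check above, here is an added shell example (not part of the original post) that verifies the two settings the other_args line is meant to produce: the data loop file under the -g directory (/u01/docker) and a base device size of at least 40 GB. sample_docker_info is a constructed excerpt of docker info output, not captured from a real host.

```shell
#!/bin/sh
# Added example: verify the devicemapper settings that /etc/sysconfig/docker
# should produce. sample_docker_info is a constructed excerpt, not real output.

sample_docker_info() {
    cat <<'EOF'
Storage Driver: devicemapper
 Pool Name: docker-252:0-1234-pool
 Data loop file: /u01/docker/devicemapper/devicemapper/data
 Metadata loop file: /u01/docker/devicemapper/devicemapper/metadata
 Base Device Size: 42.95 GB
EOF
}

# check_docker_storage MIN_GB DOCKER_ROOT < docker-info-text
# Returns 0 when "Data loop file" sits under DOCKER_ROOT (the -g value) and
# "Base Device Size" is at least MIN_GB; otherwise prints what is wrong and
# returns 1. docker reports the size in decimal units, so a 40G basesize shows
# up as 42.95 GB.
check_docker_storage() {
    awk -v min="$1" -v root="$2" '
        /^ *Data loop file:/   { loop = $NF }
        /^ *Base Device Size:/ { size = $(NF-1) + 0; unit = $NF }
        END {
            ok = 1
            if (index(loop, root "/") != 1) {
                print "data loop file not under " root ": " (loop == "" ? "(missing)" : loop); ok = 0
            }
            if (unit == "MB") size = size / 1000
            if (unit == "TB") size = size * 1000
            if (size < min + 0) { print "base device size too small: " size " " unit; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Usage on a live host: docker info | check_docker_storage 40 /u01/docker
```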


Create the Oracle database docker image for 12.2

Build the docker image for the standard edition (the -s option):

cd /u01/docker-images-master/OracleDatabase/dockerfiles
sudo ./buildDockerImage.sh -v 12.2.0.1 -s
. . .
Oracle Database Docker Image for 'se2' version 12.2.0.1 is ready to be extended:
--> oracle/database:12.2.0.1-se2
Build completed in 2186 seconds.


Create the containers

Create the first database container. Note that the password is generated automatically; take a note of the displayed passwords:

sudo docker run -p 1531:1521 --name db01 -e ORACLE_PDB=pdb01 oracle/database:12.2.0.1-se2
ORACLE AUTO GENERATED PASSWORD FOR SYS, SYSTEM AND PDBAMIN: /N1H6CgQZV70=1
...
...

Create a second database container for process validation purposes:

sudo docker run -p 1532:1521 --name db02 -e ORACLE_PDB=pdb02 oracle/database:12.2.0.1-se2
ORACLE AUTO GENERATED PASSWORD FOR SYS, SYSTEM AND PDBAMIN: /N1H6CgQZV70=1
...
...


Change the passwords to welcome1 and welcome2 respectively:

sudo docker exec db01 ./setPassword.sh welcome1

sudo docker exec db02 ./setPassword.sh welcome2


Log in to each database with the instant client by referencing the external port:

export LD_LIBRARY_PATH=/usr/lib/oracle/12.2/client64/lib
export PATH=/usr/lib/oracle/12.2/client64/bin:$PATH


sqlplus system/welcome1@localhost:1531/pdb01

sqlplus system/welcome1@localhost:1532/pdb02

EM13c and baremetal provisioning

EM13c baremetal provisioning

http://www.oracle.com/us/technologies/linux/linux-with-enterprise-manager-1959006.pdf

Two issues were noted during X5-2L baremetal provisioning tests:

  • When EMCC is running behind a load balancer that listens on the https default port 443, the OMS_PORT is left empty in the configuration file /scratch/stage/xx/agentInstall.properties
  • Irrespective of the ACPI settings set in the provisioning plan, the PXE file generated in /tftpboot/pxelinux.cfg/<mac-address> contains a directive acpi=off which causes a server panic.

The workaround for both issues is to edit the provisioning script emcore/sysman/metadata/swlib/bmp/directives/provisioningDirective.pl to fix the port assignment issue and remove the directive acpi=off.

Download oracle software with wget from OCI

How to download Oracle software from an OPC instance.

To download software with wget from an Oracle Public Cloud instance, first start a download of the required software from OTN on your desktop, then, once you have signed on:

  • Pause the download
  • Export the cookie file from your browser. A browser add-on may come in handy for that, for example cookie-manager
  • Copy/paste this cookie file onto the OPC instance, into a file cookie.txt
  • Run the wget command by referencing the cookie text file and the software URL.
Example for 12.2 standard edition
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oracle12c/122010/linuxx64_12201_database.zip
Example for the instant client
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/instantclient/122010/oracle-instantclient12.2-basic-12.2.0.1.0-1.x86_64.rpm
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/instantclient/122010/oracle-instantclient12.2-sqlplus-12.2.0.1.0-1.x86_64.rpm
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/instantclient/122010/oracle-instantclient12.2-tools-12.2.0.1.0-1.x86_64.rpm

Example for EMCC 13.2R1
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64.bin
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-2.zip
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-3.zip
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-4.zip
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-5.zip
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-6.zip
wget --load-cookies cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-7.zip


Do not forget to remove the cookie file after the download has completed, since it holds your OTN session.


Chef and Apache compatibility

How to resolve a port conflict between the Chef server and an already running Apache web server.

When Chef is installed on a server where Apache is already running on port 80, proceed as follows to prevent the Chef server from listening on port 80.

Navigate to the Chef web server settings directory:

cd /var/opt/opscode/nginx/etc

Edit the configuration file:

vi nginx.conf

Comment out the following lines:

# server {
#   listen 80;
#   access_log /var/log/opscode/nginx/rewrite-port-80.log;
#   return 301 https://$host$request_uri;
# }

Restart the Chef nginx service and check that no error is returned anymore:

chef-server-ctl restart nginx
chef-server-ctl tail nginx