OCI-c: Installation of the PSM CLI on OL6x

To install the PaaS Service Manager (psm) CLI on OL6.x, first install, as root, both Python 3.4.8 and the psm CLI python module, then configure psm from a standard user.

 

First install some possible prerequisites:

yum install wget tar make gcc tcl tk openssl-devel

 

Then download the latest python:

wget https://www.python.org/ftp/python/3.4.8/Python-3.4.8.tgz

 

Install python:

tar -xvzf Python-3.4.8.tgz
cd Python-3.4.8
./configure
make 
make install
cp python /usr/local/bin

 

Check the version installed:

export PATH=/usr/local/bin:$PATH
python --version

 

Download the PSM CLI utility, replacing ‘id’ with the identity domain:

curl -X GET -u "user:password" -H X-ID-TENANT-NAME:id https://psm.us.oraclecloud.com/paas/core/api/v1.1/cli/<id>/client -o psmcli.zip

 

Install psm as a python module, still from the root account:

pip3 install -U psmcli.zip

 

Then from a standard user, configure psm:

$ psm setup
Username: user
Password: 
Retype Password: 
Identity domain: id
Region [us]: 
Output format [short]: short
Use OAuth? [n]: 
----------------------------------------------------
'psm setup' was successful. Available services are:

 o ADWC : Oracle Autonomous Data Warehouse Cloud
 o ADWCP : Oracle Autonomous Data Warehouse Cloud Platform
 o ANALYTICS : Oracle Analytics Cloud
 o APICS : Oracle API Platform Cloud Service
 o APICatalog : Oracle API Catalog Service
 o APISearch : Oracle APICatalog Elasticsearch Service
 o BDCSCE : Oracle Big Data Cloud
 o BOTSCFG : Oracle Bots Configuration Service
 o BOTSCON : Oracle Bots Connector Service
 o BOTSINT : Oracle Bots Intent Service
 o BOTSMGM : Oracle Bots Management API Service
 o BOTSPIP : Oracle Bots Pipeline Service
 o BigDataAppliance : Oracle Big Data Cloud Service
 o CONTAINER : Oracle Container Cloud Service
 o CXAANA : Oracle CxA Analytics Service 
 o CXACFG : Oracle CxA Configuration Service 
 o CXACOL : Oracle CxA Collector Service 
 o CXAPOD : Oracle CxA Pod Cloud Service 
 o ContainerRegistry : Oracle Container Registry Service
 o DHCS : Oracle Data Hub Cloud Service
 o IDCS : Oracle Identity Cloud Service
 o IDCSControlPlane : Oracle Identity Cloud Service
 o IOTAssetMon : Oracle IoT Asset Monitoring Cloud Service
 o IOTConnectedWrker : Oracle IoT Connected Worker Cloud Service
 o IOTEnterpriseApps : Oracle Internet of Things Cloud - Enterprise
 o IOTFleetMon : Oracle IoT Fleet Monitoring Cloud Service
 o IOTProdMonitoring : Oracle IoT Production Monitoring Cloud Service
 o IOTSvcAsset : Oracle IoT Asset Monitoring CX Cloud Service
 o IntegrationCloud : Oracle Integration Cloud
 o jcs : Oracle Java Cloud Service
 o MobileCCC : Oracle Mobile Custom Code Container
 o MobileCorePOD : Oracle Mobile Core POD
 o MySQLCS : Oracle MySQL Cloud Service
 o OAICS : Oracle Adaptive Intelligence Applications Offers Cloud Service
 o OEHCS : Oracle Event Hub Cloud Service
 o OEHPCS : Oracle Event Hub Cloud Service - Dedicated
 o OMCE : Oracle Mobile Cloud Metering Service
 o OMCEXTERNAL : Oracle Management Cloud Service
 o OMCP : Oracle Management Cloud Platform Service
 o SOA : Oracle SOA Cloud Service
 o VisualBuilder : Oracle Visual Builder Cloud Service

 

To check the proper setup, list for example the DBCS services:

psm dbcs services 
 Service Status 
 abcdef Running 
 ghijkl Running

 

To update the utility, run:

psm update

 

Verify the version with:

psm -v

PSM CLI Client – version 1.1.20


OCI SLBaaS: Configuring a listener on a restricted (443) port

There are 3 solutions to configure a listener on a restricted port on Oracle Traffic Director (OTD), for example 80 or 443.

Option 1: Use a non-restricted port, for example 8443, and redirect the restricted port to it with xinetd

Configure a file like the following example in the /etc/xinetd.d directory:

service otd
 {
 type = UNLISTED
 disable = no
 socket_type = stream
 protocol = tcp
 user = root
 wait = no
 port = 443
 redirect = 127.0.0.1 8443
 }

Then restart xinetd

# service xinetd restart

PS: To troubleshoot, use /usr/sbin/xinetd -d -dontfork

 

Option 2: Use a non-restricted port, for example 8443, and use iptables for the redirection

# /sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
# /sbin/iptables -t nat -A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 8443

 

Option 3: Change the ownership and permissions of the portbind executable (make it setuid root) and use 443 as the listener port

# chown root /u01/app/oracle/middleware/otd/lib/portbind
# chmod 4751 /u01/app/oracle/middleware/otd/lib/portbind

This option 3 may not be persistent across a system reboot on OCI classic.

OCI: Implement a certificate for ORDS

To implement a certificate on a DBCS instance running on OCI Classic, you need:

  • The combined certificate combined.cer, in pem format
  • The certificate private key privatekey.txt, in pem format

 

Navigate to the ORDS configuration directory:

cd /u01/app/oracle/product/ords/conf/ords/standalone

 

Convert the key into a pkcs8 format:

openssl pkcs8 -topk8 -inform pem -outform der -in privatekey.txt -out privatekey_pkcs8.der -nocrypt

 

Now reference, from the configuration file standalone.properties, the certificate concatenated with the intermediate certificate (IN THIS ORDER) and the certificate key in PKCS#8 format:

#Fri Feb 02 18:30:47 UTC 2017
jetty.port=8080
jetty.secure.port=8181
ssl.cert=/u01/app/oracle/product/ords/conf/ords/standalone/combined.cer
ssl.cert.key=/u01/app/oracle/product/ords/conf/ords/standalone/privatekey_pkcs8.der
ssl.host=<hostname>
standalone.context.path=/ords
standalone.doc.root=/u01/app/oracle/product/ords/conf/ords/standalone/doc_root
standalone.scheme.do.not.prompt=true
standalone.static.context.path=/i
standalone.static.do.not.prompt=true

 

Now restart the ORDS service:

sudo /etc/init.d/ords restart

OCI: Installing a public certificate on OTD

To install a certificate into the soft load balancer Oracle Traffic Director 12c 12.2.1.2 running on the Oracle Public Cloud, you need:

  • The certificate certificate.cer, in pem format
  • The intermediate certificate intermediate.cer, in pem format
  • The root certificate root.cer, in pem format
  • The PFX certificate.pfx, in pfx format, and its password
  • The certificate private key privatekey.txt

 

Transfer these files to the SLB host.

 

Proceed as follows to generate the combined certificate chain:

cat certificate.cer intermediate.cer root.cer >combined.cer

 

Then generate the identity store as follows:

. /u01/data/otd-instance/otd_domain/bin/setDomainEnv.sh

export LPATH=<WORK DIRECTORY>
rm ${LPATH}/new_identity_keystore.jks

echo "Convert the pfx, including both the key and the certificate into a pem file"
openssl pkcs12 -in ${LPATH}/certificate.pfx -out ${LPATH}/temp_certificate.crt -nodes

echo "Generating the new identity key store"
java utils.ImportPrivateKey -keystore ${LPATH}/new_identity_keystore.jks -storepass welcome1 -storetype JKS -keypass welcome1 -alias <cert alias> -certfile ${LPATH}/temp_certificate.crt -keyfile ${LPATH}/privatekey.txt -keyfilepass <pfx password>

 

Then import the identity keystore, then the combined certificate, via WLST:

$ORACLE_HOME/oracle_common/common/bin/wlst.sh

connect('weblogic','<wls_password>',"t3s://localhost:8989")

svc = getOpssService('KeyStoreService')
svc.importKeyStore(appStripe='OTD', name='opc-config', password='', aliases='<cert alias>', keypasswords='welcome1', type='JKS', filepath='new_identity_keystore.jks',permission=true)
svc.importKeyStoreCertificate(appStripe='OTD', name='opc-config', password='', alias='<cert alias>', keypassword='', type='CertificateChain', filepath='combined.cer')


 

From now on, the certificate <cert alias> can be used with any SSL listener configured with OTD.

Certificates 101

To view the details of a certificate:

openssl x509 -in <certificate.cer> -text

To view the details of cacerts file:

keytool -list -keystore <cacerts>

To view the details of a specific certificate included in a cacerts file:

keytool -list -v -keystore <cacerts> -alias "<alias>"

To export, in a der format, a certificate from a cacerts file:

keytool -export -keystore <cacerts> -alias "<alias>" -file <certificate.der>

To convert a certificate from a der format into a pem format:

openssl x509 -inform der -in <certificate.der> -out <certificate.cer>

To generate a concatenated certificate chain:

cat certificate.cer intermediate.cer root.cer >combined.cer
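Both the ORDS and the OTD procedures above depend on combined.cer being ordered leaf, intermediate, root, and on the private key actually belonging to the leaf certificate; a wrong order or a mismatched key only shows up as an opaque listener failure later. The following is an added example, not part of the original notes, of a pre-flight check for those two conditions; it assumes only the openssl CLI and takes every file name as an argument (the ORDS PKCS#8 key can be checked with a third argument of der).

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check a combined
# certificate chain and its private key before configuring ORDS or OTD.

# Extract the N-th (1-based) PEM certificate block from a chain file.
pem_block() {
  awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want{print}
                    /-----END CERTIFICATE-----/{if(n==want) exit}' "$1"
}

# Print the subject or issuer ($1 = subject|issuer) of the PEM cert on stdin,
# with the "subject=" / "issuer= /" prefix stripped (openssl 1.0, 1.1 and 3.x).
cert_field() {
  openssl x509 -noout "-$1" | sed 's/^[a-z]*= *//'
}

# Return 0 when each certificate is issued by the next one in the file and the
# last one is self-signed, i.e. the order is leaf, intermediate(s), root.
check_chain_order() {
  file=$1
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null)
  [ "${count:-0}" -ge 1 ] || { echo "no certificates in $file" >&2; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    issuer=$(pem_block "$file" "$i" | cert_field issuer)
    if [ "$i" -lt "$count" ]; then
      next_subject=$(pem_block "$file" $((i + 1)) | cert_field subject)
    else
      next_subject=$(pem_block "$file" "$i" | cert_field subject)  # root: self-signed
    fi
    if [ "$issuer" != "$next_subject" ]; then
      echo "chain break at certificate $i: issuer '$issuer' != next subject '$next_subject'" >&2
      return 1
    fi
    i=$((i + 1))
  done
}

# Return 0 when the private key carries the same public key as the certificate.
# $1 = certificate (PEM), $2 = key file, $3 = key encoding: pem (default) or der
# (the PKCS#8 DER file produced for ORDS).
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -inform "${3:-pem}" -pubout -in "$2" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}
```

Example calls: `check_chain_order combined.cer` and `key_matches_cert certificate.cer privatekey_pkcs8.der der`; both print nothing and exit 0 when the inputs are consistent.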