OCI-c: Installation of the PSM CLI on OL6x

To install the PaaS Service Manager (psm) CLI on OL6.x, first install, as root, both Python 3.4.8 and the psm CLI python module, then configure psm from a standard user.


First install some possible prerequisites:

yum install wget tar make gcc tcl tk openssl-devel


Then download the latest python:

wget https://www.python.org/ftp/python/3.4.8/Python-3.4.8.tgz


Install python:

tar -xzvf Python-3.4.8.tgz
cd Python-3.4.8
./configure
make
make install
cp python /usr/local/bin


Check the version installed:

export PATH=/usr/local/bin:$PATH
python --version


Download the PSM CLI utility, replacing ‘id’ with the identity domain:

curl -X GET -u "user:password" -H X-ID-TENANT-NAME:id https://psm.us.oraclecloud.com/paas/core/api/v1.1/cli/<id>/client -o psmcli.zip


Install psm as a python module, still from the root account:

pip3 install -U psmcli.zip


Then from a standard user, configure psm:

$ psm setup
Username: user
Retype Password: 
Identity domain: id
Region [us]: 
Output format [short]: short
Use OAuth? [n]: 
'psm setup' was successful. Available services are:

 o ADWC : Oracle Autonomous Data Warehouse Cloud
 o ADWCP : Oracle Autonomous Data Warehouse Cloud Platform
 o ANALYTICS : Oracle Analytics Cloud
 o APICS : Oracle API Platform Cloud Service
 o APICatalog : Oracle API Catalog Service
 o APISearch : Oracle APICatalog Elasticsearch Service
 o BDCSCE : Oracle Big Data Cloud
 o BOTSCFG : Oracle Bots Configuration Service
 o BOTSCON : Oracle Bots Connector Service
 o BOTSINT : Oracle Bots Intent Service
 o BOTSMGM : Oracle Bots Management API Service
 o BOTSPIP : Oracle Bots Pipeline Service
 o BigDataAppliance : Oracle Big Data Cloud Service
 o CONTAINER : Oracle Container Cloud Service
 o CXAANA : Oracle CxA Analytics Service 
 o CXACFG : Oracle CxA Configuration Service 
 o CXACOL : Oracle CxA Collector Service 
 o CXAPOD : Oracle CxA Pod Cloud Service 
 o ContainerRegistry : Oracle Container Registry Service
 o DHCS : Oracle Data Hub Cloud Service
 o IDCS : Oracle Identity Cloud Service
 o IDCSControlPlane : Oracle Identity Cloud Service
 o IOTAssetMon : Oracle IoT Asset Monitoring Cloud Service
 o IOTConnectedWrker : Oracle IoT Connected Worker Cloud Service
 o IOTEnterpriseApps : Oracle Internet of Things Cloud - Enterprise
 o IOTFleetMon : Oracle IoT Fleet Monitoring Cloud Service
 o IOTProdMonitoring : Oracle IoT Production Monitoring Cloud Service
 o IOTSvcAsset : Oracle IoT Asset Monitoring CX Cloud Service
 o IntegrationCloud : Oracle Integration Cloud
 o jcs : Oracle Java Cloud Service
 o MobileCCC : Oracle Mobile Custom Code Container
 o MobileCorePOD : Oracle Mobile Core POD
 o MySQLCS : Oracle MySQL Cloud Service
 o OAICS : Oracle Adaptive Intelligence Applications Offers Cloud Service
 o OEHCS : Oracle Event Hub Cloud Service
 o OEHPCS : Oracle Event Hub Cloud Service - Dedicated
 o OMCE : Oracle Mobile Cloud Metering Service
 o OMCEXTERNAL : Oracle Management Cloud Service
 o OMCP : Oracle Management Cloud Platform Service
 o SOA : Oracle SOA Cloud Service
 o VisualBuilder : Oracle Visual Builder Cloud Service


To check that the setup is correct, list for example the DBCS services:

psm dbcs services 
 Service Status 
 abcdef Running 
 ghijkl Running


To update the utility, run:

psm update


Verify the version with:

psm -v

PSM CLI Client – version 1.1.20


OCI SLBaaS: Configuring a listener on a restricted (443) port

There are 3 solutions to configure a listener on a restricted port on Oracle Traffic Director (OTD), for example 80 or 443.

Option 1: Use a non-restricted port, for example 8443, and redirect the port with xinetd

Configure the following file, as an example, in the /etc/xinetd.d directory:

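service otd
{
 type = UNLISTED
 disable = no
 socket_type = stream
 protocol = tcp
 user = root
 wait = no
 port = 443
 # redirect takes a destination address and a port; 127.0.0.1 assumes OTD listens on this host
 redirect = 127.0.0.1 8443
}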

Then restart xinetd

# service xinetd restart

PS: To troubleshoot, use /usr/sbin/xinetd -d -dontfork


Option 2: Use a non-restricted port, for example 8443, and redirect the port with iptables

# /sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
# /sbin/iptables -t nat -A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 8443


Option 3: Modify the file protection of the portbind executable and use 443 as the listener port

# chown root /u01/app/oracle/middleware/otd/lib/portbind
# chmod 4751 /u01/app/oracle/middleware/otd/lib/portbind

This option 3 may not be persistent across a system reboot on OCI classic.

OCI: Implement a certificate for ORDS

To implement a certificate on a DBCS instance running on OCI classic, you need:

  • The combined certificate combined.cer, in pem format
  • The certificate private key privatekey.txt, in pem format


Navigate to the ORDS configuration directory:

cd /u01/app/oracle/product/ords/conf/ords/standalone


Convert the key into a pkcs8 format:

openssl pkcs8 -topk8 -inform pem -outform der -in privatekey.txt -out privatekey_pkcs8.der -nocrypt


Now reference, from the configuration file standalone.properties, the certificate concatenated with the intermediate certificate IN THIS ORDER, and the certificate key in pkcs8 format:

#Fri Feb 02 18:30:47 UTC 2017


Now restart the ORDS service:

sudo /etc/init.d/ords restart

OCI: Installing a public certificate on OTD

To install a certificate into the soft load balancer Oracle Traffic Director 12c running on the Oracle Public Cloud, you need:

  • The certificate certificate.cer, in pem format
  • The intermediate certificate intermediate.cer, in pem format
  • The root certificate root.cer, in pem format
  • The PFX certificate.pfx, in pfx format and remember its password
  • The certificate private key privatekey.txt


Transfer these files to the SLB host.


Proceed as follows to generate the combined certificate chain:

cat certificate.cer intermediate.cer root.cer >combined.cer


Then generate the identity keystore as follows:

# LPATH is not set on this page: export it as the directory holding the transferred files
. /u01/data/otd-instance/otd_domain/bin/setDomainEnv.sh

# -f: do not fail when no previous keystore exists
rm -f ${LPATH}/new_identity_keystore.jks

echo "Convert the pfx, including both the key and the certificate into a pem file"
# -nodes leaves the private key unencrypted in temp_certificate.crt
openssl pkcs12 -in ${LPATH}/certificate.pfx -out ${LPATH}/temp_certificate.crt -nodes

echo "Generating the new identity key store"
java utils.ImportPrivateKey -keystore ${LPATH}/new_identity_keystore.jks -storepass welcome1 -storetype JKS -keypass welcome1 -alias <cert alias> -certfile ${LPATH}/temp_certificate.crt -keyfile ${LPATH}/privatekey.txt -keyfilepass <pfx password>


Then import the identity keystore, then the combined certificate, via WLST:



svc = getOpssService('KeyStoreService')
svc.importKeyStore(appStripe='OTD', name='opc-config', password='', aliases='<cert alias>', keypasswords='welcome1', type='JKS', filepath='new_identity_keystore.jks',permission=true)
svc.importKeyStoreCertificate(appStripe='OTD', name='opc-config', password='', alias='<cert alias>', keypassword='', type='CertificateChain', filepath='combined.cer')


From now on, the certificate <cert-alias> can be used with any SSL listener configured with OTD.

Certificates 101

To view the details of a certificate:

openssl x509 -in <certificate.cer> -text

To view the details of a cacerts file:

keytool -list -keystore <cacerts>

To view the details of a specific certificate included in a cacerts file:

keytool -list -v -keystore <cacerts> -alias "<alias>"

To export, in a der format, a certificate from a cacerts file:

keytool -export -keystore <cacerts> -alias "<alias>" -file <certificate.der>

To convert a certificate from a der format into a pem format:

openssl x509 -inform der -in <certificate.der> -out <certificate.cer>

To generate a concatenated certificate chain:

cat certificate.cer intermediate.cer root.cer >combined.cer
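
The ORDS and OTD procedures above both depend on combined.cer holding the server certificate first, followed by its issuers in order, and on privatekey.txt belonging to that server certificate. The script below is an added example, not part of the original posts, that checks both with openssl before anything is imported; the function names and the throwaway demo chain are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example, not from the original page. Requires the openssl command.

# dn FILE FIELD: print the subject or issuer name of the first cert in FILE.
dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# chain_in_order BUNDLE: succeed only if each certificate in BUNDLE was issued
# by the one that follows it (server, then intermediate, then root).
chain_in_order() {
    local dir n i rc
    dir=$(mktemp -d) || return 2
    rc=0
    # Split the bundle into one numbered file per certificate, in file order.
    n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") } END { print n + 0 }' "$1")
    [ "$n" -ge 1 ] || rc=2
    i=1
    while [ "$i" -lt "$n" ]; do
        [ "$(dn "$dir/$i.pem" issuer)" = "$(dn "$dir/$((i + 1)).pem" subject)" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# key_matches_cert KEY BUNDLE: succeed only if KEY is the private key of the
# first (server) certificate in BUNDLE, by comparing the two public keys.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_demo_chain DIR: create a throwaway three-level chain in DIR (constructed
# test data with made-up names) using the file names from the page.
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" -keyout root.key -out root.cer &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr &&
      openssl x509 -req -in int.csr -CA root.cer -CAkey root.key -CAcreateserial -days 2 -out intermediate.cer &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" -keyout privatekey.txt -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA intermediate.cer -CAkey int.key -CAcreateserial -days 2 -out certificate.cer &&
      cat certificate.cer intermediate.cer root.cer > combined.cer
    ) >/dev/null 2>&1
}
```

After sourcing the script, run `chain_in_order combined.cer && key_matches_cert privatekey.txt combined.cer`; a non-zero status means the bundle is out of order or the key belongs to another certificate.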