Sunday, March 19, 2023

Data Guard Broker Configuration in 19c

Data Guard broker is a centralized framework to manage entire Data Guard configuration through a client connection to any database in the configuration

From Primary

  1. Enable Broker configuration parameters

    2. SQL> alter system set dg_broker_start=true;
    SQL> alter system set local_listener='(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.196.210.135)(PORT = 1521))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = smsprod_bos03)))';

  2. Add entry for data guard broker on listener.ora

    3. [oracle@bo3upsmsxodb01 ~]$ vi $ORACLE_HOME/network/admin/listener.ora

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = bo3upsmsxodb01.pearsoncmg.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = smsprod_bos03_DG)
      (ORACLE_HOME = /data01/app/oracle/product/19.0.0/dbhome_1)
      (SID_NAME = smsprod)
    )
  )

  3. Reload listener to effective the changes

    4. [oracle@bo3upsmsxodb01 ~]$ lsnrctl reload

LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 22-JAN-2023 04:28:17

Copyright (c) 1991, 2022, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=bo3upsmsxodb01.pearsoncmg.com)(PORT=1521)))
The command completed successfully

  4. Makesure service for dataguard has been initiated 

    5. [oracle@bo3upsmsxodb01 ~]$ lsnrctl status

LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 22-JAN-2023 04:28:22

Copyright (c) 1991, 2022, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=bo3upsmsxodb01.pearsoncmg.com)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date                21-JAN-2023 06:55:52
Uptime                    0 days 21 hr. 32 min. 30 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /data01/app/oracle/product/19.0.0/dbhome_1/network/admin/listener.ora
Listener Log File         /data01/app/oracle/diag/tnslsnr/bo3upsmsxodb01/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=bo3upsmsxodb01.pearsoncmg.com)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Services Summary...
Service "smsprodXDB" has 1 instance(s).
  Instance "smsprod", status READY, has 1 handler(s) for this service...
Service "smsprod_bos03" has 1 instance(s).
  Instance "smsprod", status READY, has 1 handler(s) for this service...
Service "smsprod_bos03_DG" has 1 instance(s).
  Instance "smsprod", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

From Standby

  1. Enable Broker configuration parameters

    2. SQL> alter system set dg_broker_start=true;
    SQL> ALTER SYSTEM SET local_listener='(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.196.210.38)(PORT = 1521))) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = smsprod_stby)))';

  2. Add entry for data guard broker on listener.ora

    3. [oracle@bo3upsmsxdrs01 ahussmo]$ vi $ORACLE_HOME/network/admin/listener.ora

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = bo3upsmsxdrs01.pearsoncmg.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = smsprod_stby_DG)
      (ORACLE_HOME = /data01/app/oracle/product/19.0.0/dbhome_1)
      (SID_NAME = smsprod)
    )
  )

  3. Reload listener to effective the changes

    4. [oracle@bo3upsmsxdrs01 ahussmo]$ lsnrctl reload

LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 22-JAN-2023 04:33:14

Copyright (c) 1991, 2022, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=bo3upsmsxdrs01.pearsoncmg.com)(PORT=1521)))
The command completed successfully

  4. Makesure service for dataguard has been initiated 

    5. [oracle@bo3upsmsxdrs01 ahussmo]$ lsnrctl status

LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 22-JAN-2023 04:33:18

Copyright (c) 1991, 2022, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=bo3upsmsxdrs01.pearsoncmg.com)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date                20-JAN-2023 22:33:24
Uptime                    1 days 5 hr. 59 min. 54 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /data01/app/oracle/product/19.0.0/dbhome_1/network/admin/listener.ora
Listener Log File         /data01/app/oracle/diag/tnslsnr/bo3upsmsxdrs01/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=bo3upsmsxdrs01.pearsoncmg.com)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
Services Summary...
Service "smsprod_stby" has 1 instance(s).
  Instance "smsprod", status READY, has 1 handler(s) for this service...
Service "smsprod_stby_DG" has 1 instance(s).
  Instance "smsprod", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Enable Data guard configuration

  1. Login to data guard command line interface via sys user

    2. [oracle@bo3upsmsxodb01 ~]$ dgmgrl sys/f1Nal#cak3

  2. Create new configuration

    3. DGMGRL> create configuration 'smsprod_bos03_DG_config' as primary database is 'smsprod_bos03' connect identifier is smsprod;
Configuration "smsprod_bos03_DG_config" created with primary database "smsprod_bos03"

  3. Make sure primary configuration is available

    4. DGMGRL> show configuration;

Configuration - smsprod_bos03_DG_config

  Protection Mode: MaxPerformance
  Members:
  smsprod_bos03 - Primary database

Fast-Start Failover:  Disabled

Configuration Status:
DISABLED

  4. Reset 'LOG_ARCHIVE_DEST_n' to avoid 'ORA-16698' Errors

    5. [oracle@bo3upsmsxodb01 ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jan 22 05:25:38 2023
Version 19.15.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.15.0.0.0
    SQL> sho parameter log_archive_dest_2;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
log_archive_dest_2                   string      SERVICE=smsprod_stby NOAFFIRM ASYNC VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=smsprod_stby
    SQL> alter system set LOG_ARCHIVE_DEST_2='';

  5. Add standby database to dataguard broker

    6. DGMGRL> Add database 'smsprod_stby' as connect identifier is smsprod_stby;
Database "smsprod_stby" added

  6. Make sure both primary and standby configurations are available

    7. DGMGRL> show configuration;

Configuration - smsprod_bos03_DG_config

  Protection Mode: MaxPerformance
  Members:
  smsprod_bos03 - Primary database
    smsprod_stby  - Physical standby database 

Fast-Start Failover:  Disabled

Configuration Status:
DISABLED

  7. Reset 'LOG_ARCHIVE_DEST_n' to valid value

    8. [oracle@bo3upsmsxodb01 ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Sun Jan 22 05:25:38 2023
Version 19.15.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.15.0.0.0
    SQL> alter system set LOG_ARCHIVE_DEST_2='SERVICE=smsprod_stby NOAFFIRM ASYNC VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=smsprod_stby';

    SQL> sho parameter log_archive_dest_2;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
log_archive_dest_2                   string      SERVICE=smsprod_stby NOAFFIRM ASYNC VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=smsprod_stby

  8. Enable configuration

    9. DGMGRL> enable configuration;

Enabled.

  9. Verify configuration status is 'SUCCESS'

    10. DGMGRL> show configuration

Configuration - smsprod_bos03_DG_config

  Protection Mode: MaxPerformance
  Members:
  smsprod_bos03 - Primary database
    smsprod_stby  - Physical standby database 

Fast-Start Failover:  Disabled

Configuration Status:
SUCCESS   (status updated 38 seconds ago)
Posted by at No comments:

Thursday, March 9, 2023

Configure SSL on Oracle E-Business Suite 12.2 using Self-Signed Certificate

1. Creating wallet

  1. Surce run edition environemnt variable

    2. $ source EBSapps.env run

  2. Navigate to s_web_ssl_directory/Apache, If not create the the directory

    3. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs
    mkdir Apache

  3. Create an Auto-Login Wallet on Apache directory

    4. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache
    $ orapki wallet create -wallet ./ -auto_login_only

  4. Create a Certificate Request

    5. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache
    $ orapki wallet add -wallet ./ -dn 'CN=devoracleebs@nsb.local' -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3650 -auto_login_only
2. Modify the Oracle HTTP Server Wallet

  1. Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default

    2. cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/keystores/default
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso  .

  2. Copy wallet into $EBS_DOMAIN_HOME/opmn/<s_ohs_instance_loc>/<s_ohs_component>/wallet

    3. cd /finsys/DEVEGL/fs1/FMW_Home/user_projects/domains/EBS_domain_DEVEGL/opmn/EBS_web_DEVEGL_OHS1/EBS_web_DEVEGL/wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .

  3. Copy wallet into $EBS_DOMAIN_HOME/opmn/<s_ohs_instance_loc>/wallet

    4. cd /finsys/DEVEGL/fs1/FMW_Home/user_projects/domains/EBS_domain_DEVEGL/opmn/EBS_web_DEVEGL_OHS1/wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .

  4. Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>/proxy-wallet

    5. cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/proxy-wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .

  5. Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OPMN/opmn/wallet

    6. cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .
3. Configure Protocol and Cipher Suite for FMW Internal Communication

  1. shutdown all services

    2. ./adstpall apps/apps

  2. Edit opmn.xml from $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OPMN/opmn

    3. vi /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/opmn.xml
    change
<ssl enabled="true"
     wallet-file="<path to the wallet file>"/>

to
<ssl enabled="true"
    wallet-file="/finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"
ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>

  3. Edit admin.conf from $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>

    4. vi /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/admin.conf
    change
SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA
SSLProtocol nzos_Version_1_0 nzos_Version_3_0

to
SSLCipherSuite HIGH:MEDIUM
SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
4. Update the Context File and Config Files

  1. Start Application services

    2. cd $ADMIN_SCRIPT_HOME
./adstrtall apps/apps

  2. Login to Fusion Middlewere EM console via http://<host_name>:<port>/em

    3. http://192.168.133.10:7021/em

  3. Select web tier target under the EBS domain

  4. Navigate to Administration, then Advanced Configuration

  5. Select ssl.conf file for edit

  6. Update the Listen and the VirtualHost default port as follows 

    7. change
Listen 4463 to Listen 4443
VirtualHost _default_:4463

to
Listen 4443
VirtualHost _default_:4443
    change
SSLProtocol    -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

to
SSLProtocol    nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
SSLCipherSuite HIGH:MEDIUM

  7. Click on Apply

  8. Run following command to propagate the changes made through the FMW console to the context file 

    9. $ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:
./adstrtall apps/apps
    Review the adSyncContext.log for the changes that have been picked up and made to the context file

  9. Edit Application contex file as per below

    10. $vi $CONTEXT_FILE
    change
<url_protocol oa_var="s_url_protocol">http</url_protocol>

to
<url_protocol oa_var="s_url_protocol">https</url_protocol>
    change
<local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>

to
<local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
    change
<webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>

to
<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
    change
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8020</activewebport>

to
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">4443</activewebport>
    change
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>

to
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
    change
<httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>

to
<httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
    change
<login_page oa_var="s_login_page">http://devoracleebs.nsb.local:8020/OA_HTML/AppsLogin</login_page>

to
<login_page oa_var="s_login_page">https://devoracleebs.nsb.local:4443/OA_HTML/AppsLogin</login_page>
    change
<externURL oa_var="s_external_url">http://devoracleebs.nsb.local:8020</externURL>

to
<externURL oa_var="s_external_url">https://devoracleebs.nsb.local:4443</externURL>
5. Run Autoconfig on application tier 
cd $ADMIN_SCRIPT_HOME
adautocfg.sh
6. Re-start Application tier services 
cd $ADMIN_SCRIPT_HOME
./adstpall.sh apps/apps
./adstrtal.sh apps/apps
7. Access the system via following URL 
https://devoracleebs.nsb.local:4443/OA_HTML/AppsLocalLogin.jsp
Enable TLS for WLS AdminServer 1. Setup a WebLogic Server Identity Keystore

  1. Surce run edition environemnt variable

    2. $ source EBSapps.env run

  2. set an alias for orapki in order to pickup the executable from the $FMW_HOME and not the one under the 10.1.2 home

    3. $ alias orapki=$FMW_HOME/oracle_common/bin/orapki

  3. Create following directories

    4. mkdir /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts -p

  4. Copy wallet file into newly created directory

    5. cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts

  5. Copy following to newly created directory

    6. cp /finsys/DEVEGL/fs1/EBSapps/comn/util/jdk64/jre/lib/security/cacerts /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts
2. Convert the Oracle Wallet to a JKS Keystore

  1. Change directory to wlsSSLArtifacts

    2. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts

  2. Run the orapki command

    3. orapki wallet pkcs12_to_jks -wallet ./ -jksKeyStoreLoc ./ewallet.jks -jksKeyStorepwd Ebs#1234

  3. The ewallet.jks file will be generate. Extract alias using following command and note down the alias

    4. keytool -list -keystore ewallet.jks -v
3. Configure SSL on WLS

  1. Take a backup of $EBS_DOMAIN_HOME/config/config.xml file

  2. Use the adstpall.sh script to stop everything on the run file system and start only admin server

    3. cd $ADMIN_SCRIPT_HOME
adstpall.sh
./adadminsrvctl.sh start

  3. login to the admin console via http://192.168.133.10:7021/console

  4. In the WebLogic Server Administration console, under the Domain Configuration, click on Environment and Servers

  5. Click Lock & Edit

  6. Click on the AdminServer to configure

  7. Under the Configuration tab, click on the Keystores sub-tab

  8. Click Change next to the Keystores setting

  9. Select the Custom Identity and Custom Trust option and click Save

  10. Enter the identity details

    11. For example:
Custom Identity Keystore: /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts/ewallet.jks
Custom Identity Keystore Type: JKS (This must be in uppercase.)
Custom Identity Keystore Passphrase: This must match the password used from the orapki command previously in Step 2. Ebs#1234
Confirm Custom Identity Keystore Passphrase

  11. Enter the trust information

    12. For example:
Custom Trust Keystore: /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts/cacerts
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: Enter the cacerts keystore password. See The cacerts Certificates File, keytool. initial password is changeit
Confirm Custom Trust Keystore Passphrase: Confirm the cacerts keystore password

  12. Click Save

  13. Click the SSL tab

  14. Enter the identity details

    15. For example:
Private Key Alias: orakey. This would correspond to the alias extracted from the keystore previously in Step 2.
Private Key Passphrase: This must match the password used from the orapki command previously in Step 2. Ebs#1234
Confirm Private Key Passphrase

  15. Click Save

  16. Click the General tab

  17. Select SSL Listen Port Enabled check box

  18. Enter the SSL Listen Port

    19. Note: The SSL Listen Port base values are available through the context variable s_wls_admin_sslport. Based on the server type, you need to choose the corresponding port value for the SSL Listen Port. You need to manually calculate SSL Listen Port value. For simplicity, the default SSL Listen port value is 1 prefixed with the server default Non SSL Listen port value.
For example, for port pool 0, the AdminServer Non SSL Listen port is 7001, so the AdminServer SSL Listen port will be 17001. 17021

  19. Click Save

  20. Select the SSL tab

  21. Select the Advanced option and then perform the following

    22. Set the Hostname Verification to Custom Hostname Verifier and the Custom Hostname Verifier field to weblogic.security.utils.SSLWLSWildcardHostnameVerifier

  22. Click Save

  23. Click Activate Changes

Post-Configuration Tasks

  1. Restart everything including the Admin and Managed Servers using the adstpall.sh and adstrtal.sh

    2. ./adstpall.sh
./adstrtal.sh

  2. Sync Changes to the Context File

    3. perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE

following changes will be reflect in contex file.
s_custom_trustKeyStoreFile - complete path of trust keystore
s_wls_admin_sslEnabled - true
s_wls_admin_sslport - AdminServer SSL port.
In the case where these listed context variables are not already populated, restart the middle tier services and re-run the following command:

$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Posted by at No comments:
Subscribe to: Posts (Atom)