Script to configure SSL in EBS R12.2


Note: 
Modify the script for your environment and test it there. After SSL configuration, keep a copy of the (s_web_ssl_directory)/Apache directory used in the environment in a path of your choice, and set CERT_SSL_DIR_PATH in the script to that same path.

##----------------------- Script Starts Here ----------------------
### Script to Configure SSL after Clone in R12.2
### Modify port, hostname as per environment in the script
### Modify the certs path in CERT_SSL_DIR_PATH as per environment

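# Run with bash (read -s -p, $'...' and ${!var} indirection are bashisms).
# Must run in a sourced EBS R12.2 RUN-edition environment: NE_BASE, CONTEXT_NAME,
# CONTEXT_FILE, ORACLE_HOME, IAS_ORACLE_HOME, FMW_HOME, EBS_DOMAIN_HOME, AD_TOP,
# ADMIN_SCRIPTS_HOME and APPL_TOP_NE are all taken from the environment.

### ---- Environment-specific settings (each can also be overridden from the environment) ----
CERT_SSL_DIR_PATH="${CERT_SSL_DIR_PATH:-$HOME/post_apclone_script/ssl_file}"  # staging dir that holds the Apache/ cert directory
EBS_HOST="${EBS_HOST:-test.example.com}"        # web entry host exactly as written in the context file
OLD_WEB_PORT="${OLD_WEB_PORT:-8003}"            # active web port before the SSL change
NEW_WEB_PORT="${NEW_WEB_PORT:-4446}"            # active web port after the SSL change
OHS_INSTANCE="${OHS_INSTANCE:-EBS_web_OHS1}"    # OHS instance under $IAS_ORACLE_HOME/instances
OHS_COMPONENT="${OHS_COMPONENT:-EBS_web}"       # OHS component within that instance

# die MSG...: print MSG on stderr and abort the run.
die() { echo "ERROR: $*" >&2; exit 1; }
# banner MSG...: progress marker in the same style as the original step messages.
banner() { echo ">>>>>>>>>> $* <<<<<<<<<<"; echo "............................................................."; }
# enter DIR: cd or abort. A silently failed cd would make the following cp/sed
# act on the wrong directory, so it must never be ignored.
enter() { cd "$1" || die "cannot cd to $1"; }
# backup FILE NAME: copy FILE into $BKP_DIR as NAME, aborting on failure.
backup() { cp "$1" "$BKP_DIR/$2" || die "backup of $1 to $BKP_DIR/$2 failed"; }
# require_env VAR...: abort if any named variable is unset or empty.
require_env() {
  local v
  for v in "$@"; do
    [ -n "${!v:-}" ] || die "environment variable $v is not set; source the EBS RUN environment first"
  done
}

require_env NE_BASE CONTEXT_NAME CONTEXT_FILE ORACLE_HOME IAS_ORACLE_HOME FMW_HOME \
            EBS_DOMAIN_HOME AD_TOP ADMIN_SCRIPTS_HOME APPL_TOP_NE

# Username is not a secret, so it is echoed; passwords are read silently and are
# only ever passed to the Oracle tools on stdin, never as command-line arguments.
read -p "Enter the APPS Username: " APPS_USR
read -s -p "Enter the APPS Password: " APPS_PWD
echo
read -s -p "Enter the Weblogic Password: " WLS_PWD
echo
[ -n "$APPS_USR" ] && [ -n "$APPS_PWD" ] && [ -n "$WLS_PWD" ] || die "APPS username, APPS password and WebLogic password are all required"

echo "............................................................"
echo ">>> if script not modified as per environment,stop the script ctrl+c and Change and re-run the script <<<"
echo "............................................................"
sleep 10

# Optional pre-check (ETCC); uncomment to run it before the SSL changes.
#cd $HOME/post_apclone_script/ssl_file/etcc
#sh checkMTpatch.sh

# Timestamp includes the time of day so a second run on the same day does not
# overwrite the pristine backups with already-modified files.
NOW=$(date +"%d_%b_%Y_%H%M%S")
BKP_DIR="$NE_BASE/cert_ap_bkp_ssl"
mkdir -p "$BKP_DIR" || die "cannot create $BKP_DIR"
chmod 700 "$BKP_DIR"    # backups hold auto-login wallets (unencrypted private keys): owner-only

CERTS_DIR="$NE_BASE/inst/$CONTEXT_NAME/certs"
OHS_CONFIG="$IAS_ORACLE_HOME/instances/$OHS_INSTANCE/config"

[ -d "$CERT_SSL_DIR_PATH/Apache" ] || die "$CERT_SSL_DIR_PATH/Apache not found; check CERT_SSL_DIR_PATH"
enter "$CERT_SSL_DIR_PATH"
ls
sleep 10

cp -r "$CERT_SSL_DIR_PATH/Apache" "$CERTS_DIR" || die "copy of the Apache cert directory to $CERTS_DIR failed"
banner "certs file copied"

# Append the CA to the 10.1.2 trust bundle. The append is not idempotent: a re-run
# adds a second copy of ca.crt, which is harmless but worth knowing when reviewing the file.
backup "$ORACLE_HOME/sysman/config/b64InternetCertificate.txt" "b64InternetCertificate_$NOW.txt"
cat "$CERTS_DIR/Apache/ca.crt" >> "$ORACLE_HOME/sysman/config/b64InternetCertificate.txt" \
  || die "could not append ca.crt to b64InternetCertificate.txt"
banner "certs imported to home config"

# OHS server wallet.
enter "$OHS_CONFIG/OHS/$OHS_COMPONENT/keystores/default"
backup cwallet.sso "cwallet_BKP_OHS1_$NOW.sso"
cp "$CERTS_DIR/Apache/cwallet.sso" . || die "copy of cwallet.sso to OHS keystore failed"
banner "cwallet copied to OHS"

# OPMN wallet.
enter "$OHS_CONFIG/OPMN/opmn/wallet"
backup cwallet.sso "cwallet_BKP_OPMN1_$NOW.sso"
cp "$CERTS_DIR/Apache/cwallet.sso" . || die "copy of cwallet.sso to OPMN wallet failed"
banner "cwallet copied to OPMN"

# opmn.xml: widen the protocol list and replace the 3DES cipher. The protocol edit is
# guarded so a re-run does not duplicate the TLSv1.1,TLSv1.2 entries. TLSv1.0 stays
# enabled here; remove it once every client of this instance speaks TLS 1.2.
enter "$OHS_CONFIG/OPMN/opmn"
backup opmn.xml "opmn_bkp_$NOW.xml"
grep -q 'TLSv1.0,TLSv1.1,TLSv1.2' opmn.xml \
  || sed -i 's/TLSv1.0/TLSv1.0,TLSv1.1,TLSv1.2/g' opmn.xml
sed -i 's/SSL_RSA_WITH_3DES_EDE_CBC_SHA/SSL_RSA_WITH_AES_256_CBC_SHA/g' opmn.xml
banner "OPMN xml file modified"

# admin.conf: same cipher swap; the nzos version edit is guarded against re-runs for the same reason.
enter "$OHS_CONFIG/OHS/$OHS_COMPONENT"
backup admin.conf "admin_BKP_$NOW.conf"
sed -i 's/SSL_RSA_WITH_3DES_EDE_CBC_SHA/SSL_RSA_WITH_AES_256_CBC_SHA/g' admin.conf
grep -q 'nzos_Version_1_2' admin.conf \
  || sed -i 's/nzos_Version_1_0/nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2/g' admin.conf
banner "admin conf file modified"

# Fusion Middleware Control wallet: rebuilt as an auto-login-only wallet that trusts the CA.
# "wallet create" is left non-fatal because it may report an existing wallet on a re-run;
# the "wallet add" that follows is the step that has to succeed.
enter "$EBS_DOMAIN_HOME/opmn/$OHS_INSTANCE/$OHS_COMPONENT/wallet"
backup cwallet.sso "cwallet_BKP_OHS2_$NOW.sso"
ORAPKI="$FMW_HOME/oracle_common/bin/orapki"
"$ORAPKI" wallet create -wallet ./ -auto_login_only
"$ORAPKI" wallet add -wallet ./ -trusted_cert -cert "$CERTS_DIR/Apache/ca.crt" -auto_login_only \
  || die "orapki could not add ca.crt as a trusted cert"
banner "wallet created to EBS Domain"

# OHS proxy wallet: a copy of the wallet just created.
enter "$OHS_CONFIG/OHS/$OHS_COMPONENT/proxy-wallet"
backup cwallet.sso "cwallet_BKP_OHS3_$NOW.sso"
cp "$EBS_DOMAIN_HOME/opmn/$OHS_INSTANCE/$OHS_COMPONENT/wallet/cwallet.sso" . || die "copy of cwallet.sso to proxy-wallet failed"
banner "wallet copied to EBS Domain OHS"

# Domain-level OPMN wallet.
enter "$EBS_DOMAIN_HOME/opmn/$OHS_INSTANCE/wallet"
backup cwallet.sso "cwallet_BKP_OPMN2_$NOW.sso"
cp "$CERTS_DIR/Apache/cwallet.sso" . || die "copy of cwallet.sso to domain OPMN wallet failed"
banner "wallet copied to EBS Domain OPMN"

# ssl.conf: explicit TLS protocol list and a cipher string that excludes RC4/3DES/SEED/IDEA/CAMELLIA.
# Both substitutions are no-ops when already applied, so they are safe to re-run.
enter "$OHS_CONFIG/OHS/$OHS_COMPONENT"
backup ssl.conf "ssl_bkp_$NOW.conf"
sed -i 's/SSLProtocol all -SSLv2 -SSLv3/SSLProtocol TLSv1 TLSv1.1 TLSv1.2/g' ssl.conf
sed -i 's/SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM/SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:!3DES:!SEED:!IDEA:!CAMELLIA:+HIGH:+MEDIUM/g' ssl.conf
banner "ssl conf file modified"

### Sync the context file with the changed OHS/WLS configuration.
### adSyncContext.pl prompts for the APPS password and then the WebLogic AdminServer
### password; the values read at the top are fed in, replacing the literal credentials
### the script used to carry here.
perl "$AD_TOP/bin/adSyncContext.pl" contextfile="$CONTEXT_FILE" <<EOF
$APPS_PWD
$WLS_PWD
EOF

banner "adsynccontext script completed"

cp "$CONTEXT_FILE" "$BKP_DIR/" || die "backup of the context file failed"
cp "$CONTEXT_FILE" "$NE_BASE/" || die "copy of the context file to $NE_BASE failed"    # pre-change copy used by the diff below
# Uncomment these only when the context file still carries http (first-time SSL setup rather than a port change):
#sed -i 's|http</url_protocol>|https</url_protocol>|g' "$CONTEXT_FILE"
#sed -i 's|http</local_url_protocol>|https</local_url_protocol>|g' "$CONTEXT_FILE"
#sed -i 's|http</webentryurlprotocol>|https</webentryurlprotocol>|g' "$CONTEXT_FILE"
# '|' is the sed delimiter so the URLs need no escaping.
sed -i "s|${OLD_WEB_PORT}</activewebport>|${NEW_WEB_PORT}</activewebport>|g" "$CONTEXT_FILE"
sed -i "s|https://${EBS_HOST}:${OLD_WEB_PORT}/OA_HTML/AppsLogin</login_page>|https://${EBS_HOST}:${NEW_WEB_PORT}/OA_HTML/AppsLogin</login_page>|g" "$CONTEXT_FILE"
sed -i "s|https://${EBS_HOST}:${OLD_WEB_PORT}</externURL>|https://${EBS_HOST}:${NEW_WEB_PORT}</externURL>|g" "$CONTEXT_FILE"
#sed -i "s|http://${EBS_HOST}:${OLD_WEB_PORT}/OA_HTML/AppsLogin</login_page>|https://${EBS_HOST}:${NEW_WEB_PORT}/OA_HTML/AppsLogin</login_page>|g" "$CONTEXT_FILE"
#sed -i "s|http://${EBS_HOST}:${OLD_WEB_PORT}</externURL>|https://${EBS_HOST}:${NEW_WEB_PORT}</externURL>|g" "$CONTEXT_FILE"
banner "contextfile updated for SSL"

echo ">>>> Contextfile difference for reference Starts Here <<<<<<<"
echo "............................................................."
# diff exits 1 when the files differ, which is the expected result here, so its status is not checked.
diff "$CONTEXT_FILE" "$NE_BASE/$CONTEXT_NAME.xml"
echo "............................................................."
echo ">>>>>> contextfile difference for reference Ends Here <<<<<<<"
echo "............................................................."

### Run AutoConfig (prompts for the APPS password).
sh "$ADMIN_SCRIPTS_HOME/adautocfg.sh" <<EOF
$APPS_PWD
EOF

sleep 10
banner "autoconfig script completed"

### Start all services (prompts for APPS user, APPS password, WebLogic password, in that order).
sh "$ADMIN_SCRIPTS_HOME/adstrtal.sh" <<EOF
$APPS_USR
$APPS_PWD
$WLS_PWD
EOF

sleep 10
banner "adstrtal script completed"

### Add the TLS sync section to adop_sync.drv so the wallets and CA bundle are carried
### to the PATCH file system on the next adop prepare/fs_clone. Guarded so a re-run does
### not insert the section a second time.
enter "$APPL_TOP_NE/ad/custom"
backup adop_sync.drv "adop_sync_bkp_$NOW.drv"
if grep -q '#TLS SECTION - START' adop_sync.drv; then
  echo "TLS section already present in adop_sync.drv, skipping"
else
  # Inserted at line 63 of the delivered adop_sync.drv; re-check that line if the file was customised.
  ex -s -c '63i|
#TLS SECTION - START
# Required for TLS setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.

#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt

#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso

#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso

#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/%s_wls_domain_name%/opmn/%s_ohs_instance%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

#JDK keystore
rsync -zr --include=jdk* --include=jdk*/jre --include=jdk*/jre/lib --include=jdk*/jre/lib/security --include=cacerts --exclude=* %s_current_base%/EBSapps/comn/util/ %s_other_base%/EBSapps/comn/util/
#TLS SECTION – END' -c x adop_sync.drv
fi

# Do not leave the secrets in the environment if this file was sourced rather than executed.
unset APPS_PWD WLS_PWD

echo "#######################################################"
echo "##### SSL Configuration for Application completed #####"
echo "#######################################################"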
##----------------------- Script Ends Here ----------------------

OCFS2 Installation & Configuration


OCFS2 Configuration High Level Steps:
- Download and install the module and tools rpms
- Create cluster.conf and propagate to all nodes
- Configure and start the O2CB cluster service
- Format the volume
- Mount the volume

Configuration Steps:
RPMs:
# rpm -qa ocfs*
ocfs2-tools-1.8.6-11.el7.x86_64

# uname -r
4.14.35-1818.3.3.el7uek.x86_64

Create cluster.conf:
# o2cb add-cluster adr12ap
# o2cb add-node adr12ap hebsap01 --ip 10.1.11.162
# o2cb add-node adr12ap hebsap02 --ip 10.1.11.163
# o2cb heartbeat-mode adr12ap global
# o2cb add-heartbeat adr12ap /dev/sdd

NOTE: THIS CREATES THE /etc/ocfs2/cluster.conf FILE ON NODE1; COPY THE FILE TO THE REMAINING NODES IN THE CLUSTER. THE ENTRIES IN THE FILE MUST KEEP THEIR EXACT INDENTATION.


Configure O2CB:
# /sbin/o2cb.init configure
Configuring the O2CB driver.
This will configure the on-boot properties of the O2CB driver. The following questions will determine whether the driver is loaded on
boot. The current values will be shown in brackets ('[]').  Hitting <ENTER> without typing an answer will keep that current value.  Ctrl-C will abort.

Load O2CB driver on boot (y/n) [y]:
Cluster stack backing O2CB [o2cb]:
Cluster to start on boot (Enter "none" to clear) [adr12ap]:
Specify heartbeat dead threshold (>=7) [31]:
Specify network idle timeout in ms (>=5000) [30000]:
Specify network keepalive delay in ms (>=1000) [2000]:
Specify network reconnect delay in ms (>=2000) [2000]:
Writing O2CB configuration: OK
checking debugfs...
Setting cluster stack "o2cb": OK
Registering O2CB cluster "adr12ap": OK
Setting O2CB cluster timeouts : OK
NOTE: REPEAT THIS STEP IN ALL NODES IN CLUSTER

# /sbin/o2cb.init status
Driver for "configfs": Loaded
Filesystem "configfs": Mounted
Stack glue driver: Loaded
Stack plugin "o2cb": Loaded
Driver for "ocfs2_dlmfs": Loaded
Filesystem "ocfs2_dlmfs": Mounted
Checking O2CB cluster "adnicr12ap": Online
  Heartbeat dead threshold: 61
  Network idle timeout: 30000
  Network keepalive delay: 2000
  Network reconnect delay: 2000
  Heartbeat mode: Local
Checking O2CB heartbeat: Not active
Debug file system at /sys/kernel/debug: mounted

# systemctl enable o2cb
Created symlink from /etc/systemd/system/multi-user.target.wants/o2cb.service to /usr/lib/systemd/system/o2cb.service.
# systemctl enable ocfs2
Created symlink from /etc/systemd/system/multi-user.target.wants/ocfs2.service to /usr/lib/systemd/system/ocfs2.service.
NOTE: REPEAT THIS STEP IN ALL NODES IN CLUSTER

Format the volume:
# fdisk -l |grep Disk
Disk /dev/sdd: 268.4 GB, 268435456000 bytes, 524288000 sectors
NOTE: VERIFY THAT THE DISK DEVICE NAME IS THE SAME ACROSS ALL NODES

# fdisk /dev/sdd
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xdd71e5fa.

The device presents a logical sector size that is smaller than
the physical sector size. Aligning to a physical sector (or optimal
I/O) size boundary is recommended, or performance may be impacted.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-524287999, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-524287999, default 524287999):
Using default value 524287999
Partition 1 of type Linux and of size 250 GiB is set

Command (m for help): p

Disk /dev/sdd: 268.4 GB, 268435456000 bytes, 524288000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 65536 bytes
Disk label type: dos
Disk identifier: 0xdd71e5fa

   Device Boot      Start         End      Blocks   Id  System
/dev/sdd1            2048   524287999   262142976   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Node 2: # fdisk -l |grep sdd
Disk /dev/sdd: 268.4 GB, 268435456000 bytes, 524288000 sectors
/dev/sdd1            2048   524287999   262142976   83  Linux


# mkfs.ocfs2 -L vol01 --cluster-name=adr12ap --cluster-stack=o2cb --global-heartbeat /dev/sdd1
NOTE: USE THE FORCE OPTION (--force) IF A FILESYSTEM ALREADY EXISTS ON THE DEVICE

# cat /etc/sysconfig/o2cb
NOTE: CHECK THAT THE ENTRIES ARE THE SAME ACROSS ALL NODES.
# /sbin/o2cb.init load
# /sbin/o2cb.init offline
# /sbin/o2cb.init online

# /sbin/o2cb.init status
Driver for "configfs": Loaded
Filesystem "configfs": Mounted
Stack glue driver: Loaded
Stack plugin "o2cb": Loaded
Driver for "ocfs2_dlmfs": Loaded
Filesystem "ocfs2_dlmfs": Mounted
Checking O2CB cluster "adr12ap": Online
  Heartbeat dead threshold: 61
  Network idle timeout: 30000
  Network keepalive delay: 2000
  Network reconnect delay: 2000
  Heartbeat mode: Global
Checking O2CB heartbeat: Active
  01BC2D8CFC674F02B423FDC1B291A588 /dev/sdd1
Nodes in O2CB cluster: 0 1
Debug file system at /sys/kernel/debug: mounted


Mount the volume:
fstab entry:
/dev/sdd1     /u04    ocfs2   _netdev,defaults     0 0

# mount -a
# mount -L vol01 /u04
# umount /u04


Reference:
# cat /etc/ocfs2/cluster.conf
cluster:
        heartbeat_mode = global
        node_count = 2
        name = adr12ap

node:
        number = 0
        cluster = adr12ap
        ip_port = 7777
        ip_address = 10.1.11.162
        name = hebsap01

node:
        number = 1
        cluster = adr12ap
        ip_port = 7777
        ip_address = 10.1.11.163
        name = hebsap02

heartbeat:
        cluster = adr12ap
        region = 01BC2D8CFC674F02B423FDC1B291A588

       
       
# cat /etc/sysconfig/o2cb
#
# This is a configuration file for automatic startup of the O2CB
# driver.  It is generated by running /etc/init.d/o2cb configure.
# On Debian based systems the preferred method is running
# 'dpkg-reconfigure ocfs2-tools'.

# O2CB_ENABLED: 'true' means to load the driver on boot.
O2CB_ENABLED=true

# O2CB_STACK: The name of the cluster stack backing O2CB.
O2CB_STACK=o2cb

# O2CB_BOOTCLUSTER: If not empty, the name of a cluster to start.
O2CB_BOOTCLUSTER=adr12ap

# O2CB_HEARTBEAT_THRESHOLD: Iterations before a node is considered dead.
O2CB_HEARTBEAT_THRESHOLD=61

# O2CB_IDLE_TIMEOUT_MS: Time in ms before a network connection is considered dead.
O2CB_IDLE_TIMEOUT_MS=30000

# O2CB_KEEPALIVE_DELAY_MS: Max time in ms before a keepalive packet is sent
O2CB_KEEPALIVE_DELAY_MS=2000

# O2CB_RECONNECT_DELAY_MS: Min time in ms between connection attempts
O2CB_RECONNECT_DELAY_MS=2000