
Oracle has some guides / steps on setting up ODSEE to OUD replication but I find that they don’t really work very well. Maybe just because of my setup, but I doubt it. This seems to be a recurring issue. So after a few days of figuring this whole process out, here are the steps that I took to get Oracle Directory Server Enterprise Edition to Oracle Unified Directory two-way replication working (yes, passwords work too =):

Install OUD:

/opt/installers/oud/Disk1/runInstaller -silent -responseFile /opt/installers/responseFiles/oud-install.rsp -ignoreSysPrereqs -jreLoc /opt/apps/oracle/java/jdk170_25/

Response File contents:

[ENGINE]

#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0

[GENERIC]

#Set this to true if you wish to specify a directory where latest updates are downloaded. This option would use the software updates from the specified directory
SPECIFY_DOWNLOAD_LOCATION=false

#Set this to true to skip the Software updates
SKIP_SOFTWARE_UPDATES=true

#If the Software updates are already downloaded and available on your local system, then specify the path to the directory where these patches are available and set SPECIFY_DOWNLOAD_LOCATION to true
SOFTWARE_UPDATES_DOWNLOAD_LOCATION=

#Provide the Oracle Home location. The location has to be the immediate child under the specified Middleware Home location. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters. The location has to be an empty directory or a valid SOA Oracle Home.
ORACLE_HOME=/opt/apps/oracle/Middleware/Oracle_OUD1

#Provide existing Middleware Home location.
MIDDLEWARE_HOME=/opt/apps/oracle/Middleware

#
CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0

[SYSTEM]

[APPLICATIONS]

[RELATIONSHIPS]

(wait and tail the log file before continuing)

Configure OUD Instance:

/opt/apps/oracle/Middleware/Oracle_OUD1/oud-setup --cli --baseDN dc=idmrockstar --addBaseEntry --ldapPort 1389 --adminConnectorPort 4444 --rootUserDN cn=Directory\ Manager --rootUserPasswordFile /opt/installers/pw.txt --serverTuning "-server -XX:-OptimizeStringConcat" --importTuning -server --no-prompt --noPropertiesFile

Log in to ODSM > Configuration > Delete the suffix

Bounce OUD:

/opt/apps/oracle/Middleware/asinst_1/OUD/bin/stop-ds

/opt/apps/oracle/Middleware/asinst_1/OUD/bin/start-ds

Verify current pwd mode on ODSEE:

cd /opt/apps/oracle/Middleware/dsee7/bin

./dsconf get-server-prop -h oamserver -P 2636 pwd-compat-mode

Change it in 2 steps:

./dsconf pwd-compat -h oamserver -P 2636 to-DS6-migration-mode

./dsconf pwd-compat -h oamserver -P 2636 to-DS6-mode
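The two pwd-compat steps above have to be run in order, and which of them are still needed depends on the mode the server currently reports. The script below is an added example, not part of the original post: it reads the current mode from dsconf and applies only the missing transitions, so it can be re-run safely. The host, port and dsconf path are the post's; the three mode names and the assumption that get-server-prop prints the mode as the last token of its output line are mine.

```shell
#!/bin/sh
# Added example (not from the original post): bring ODSEE's password
# compatibility mode to DS6-mode one step at a time, based on what the
# server currently reports.
# Assumptions: the three mode names below are ODSEE's compat modes, and
# "dsconf get-server-prop ... pwd-compat-mode" prints the mode as the last
# whitespace-separated token of its output line.

DSEE_BIN=${DSEE_BIN:-/opt/apps/oracle/Middleware/dsee7/bin}
ODSEE_HOST=${ODSEE_HOST:-oamserver}
ODSEE_PORT=${ODSEE_PORT:-2636}
DSCONF=${DSCONF:-$DSEE_BIN/dsconf}   # overridable so the logic can be tested offline

# Extract the mode value from a "pwd-compat-mode : <value>" output line.
parse_compat_mode() {
    printf '%s\n' "$1" | awk '/pwd-compat-mode/ { print $NF; exit }'
}

# Print the ordered pwd-compat subcommands still needed to reach DS6-mode.
# The modes must be walked in order: DS5-compatible -> DS6-migration -> DS6.
compat_transitions() {
    case "$1" in
        DS5-compatible-mode) echo "to-DS6-migration-mode to-DS6-mode" ;;
        DS6-migration-mode)  echo "to-DS6-mode" ;;
        DS6-mode)            echo "" ;;
        *) echo "unknown pwd-compat-mode: $1" >&2; return 1 ;;
    esac
}

# Query the server, then apply only the transitions that are missing.
upgrade_pwd_compat() {
    out=$("$DSCONF" get-server-prop -h "$ODSEE_HOST" -P "$ODSEE_PORT" pwd-compat-mode) || return 1
    mode=$(parse_compat_mode "$out")
    steps=$(compat_transitions "$mode") || return 1
    for step in $steps; do
        echo "applying $step"
        "$DSCONF" pwd-compat -h "$ODSEE_HOST" -P "$ODSEE_PORT" "$step" || return 1
    done
}

if [ -n "$RUN_PWD_COMPAT" ]; then upgrade_pwd_compat; fi
```

Run it with `RUN_PWD_COMPAT=1 sh upgrade-pwd-compat.sh`; on a server already in DS6-mode it does nothing, and an unrecognised mode makes it stop rather than guess.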

(Enable master replication if not already done)

./dsconf enable-repl -h oamserver -p 2389 master dc=idmrockstar

Run the precheck:

cd /opt/apps/oracle/Middleware/asinst_1/OUD/bin

./ds2oud --diagnose -D "cn=Directory Manager" -j /opt/installers/pw.txt -h oamserver -p 2389

[Answer yes for all options]

Migrate all the changes:

./ds2oud --migrateAll -D "cn=directory manager" -j /opt/installers/pw.txt -h oamserver -p 2389 --oudBindDN "cn=directory manager" --oudBindPasswordFile /opt/installers/pw.txt --oudHostname oamserver --oudAdminPort 4444 --oudPort 1389

Create the admin account:

vi /opt/installers/addadmin.ldif

dn: cn=admin,cn=Administrators,cn=admin data
objectClass: person
objectClass: top
userPassword: Passw0rd123
description: The Administrator that can manage all the OUD instances.
cn: admin
sn: admin
ds-privilege-name: bypass-acl
ds-privilege-name: modify-acl
ds-privilege-name: config-read
ds-privilege-name: config-write
ds-privilege-name: ldif-import
ds-privilege-name: ldif-export
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
ds-privilege-name: server-shutdown
ds-privilege-name: server-restart
ds-privilege-name: disconnect-client
ds-privilege-name: cancel-request
ds-privilege-name: password-reset
ds-privilege-name: update-schema
ds-privilege-name: privilege-change
ds-privilege-name: unindexed-search

./ldapmodify -a -p 4444 -Z -X -D "cn=Directory manager" -w Passw0rd123 -f /opt/installers/addadmin.ldif
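The admin LDIF above carries the password in clear text and the ldapmodify call passes the Directory Manager password with -w, where it shows up in the process list and shell history. The script below is an added example, not the post's own code: it builds the same admin entry from the password file the rest of the procedure already uses, checks that the record is contiguous (a blank line inside an LDIF record ends the entry early, which is easy to miss when the file is pasted in) and that every privilege is present, then applies it with -j. The DN, privilege list and paths are the post's; the use of one pw.txt for both the admin entry and the Directory Manager bind mirrors the post, and the RUN_ADMIN_SETUP guard is mine.

```shell
#!/bin/sh
# Added example (not from the original post): generate the OUD global
# administrator LDIF from the password file, validate it, and load it
# without putting the password on the command line.
# Assumption: /opt/installers/pw.txt holds the password used for both the
# new admin entry and the Directory Manager bind, as in the post.

PW_FILE=${PW_FILE:-/opt/installers/pw.txt}
LDIF_OUT=${LDIF_OUT:-/opt/installers/addadmin.ldif}
OUD_BIN=${OUD_BIN:-/opt/apps/oracle/Middleware/asinst_1/OUD/bin}
ADMIN_DN='cn=admin,cn=Administrators,cn=admin data'

# Emit the admin entry as one contiguous LDIF record. Attribute lines must
# not be separated by blank lines: a blank line terminates the record.
build_admin_ldif() {
    pw=$1
    shift
    printf 'dn: %s\n' "$ADMIN_DN"
    printf 'objectClass: person\nobjectClass: top\n'
    printf 'cn: admin\nsn: admin\n'
    printf 'description: The Administrator that can manage all the OUD instances.\n'
    printf 'userPassword: %s\n' "$pw"
    for priv in "$@"; do
        printf 'ds-privilege-name: %s\n' "$priv"
    done
}

# Return 0 when file $1 is a single record carrying every privilege in $2...
check_admin_ldif() {
    file=$1
    shift
    if grep -q '^$' "$file"; then
        echo "blank line inside LDIF record: $file" >&2
        return 1
    fi
    for priv in "$@"; do
        grep -q "^ds-privilege-name: $priv\$" "$file" || {
            echo "missing privilege: $priv" >&2
            return 1
        }
    done
}

PRIVILEGES='bypass-acl modify-acl config-read config-write ldif-import ldif-export backend-backup backend-restore server-shutdown server-restart disconnect-client cancel-request password-reset update-schema privilege-change unindexed-search'

main() {
    pw=$(cat "$PW_FILE") || return 1
    umask 077                      # the LDIF contains a password: owner-only file
    build_admin_ldif "$pw" $PRIVILEGES > "$LDIF_OUT"
    check_admin_ldif "$LDIF_OUT" $PRIVILEGES || return 1
    "$OUD_BIN/ldapmodify" -a -p 4444 -Z -X -D 'cn=Directory Manager' -j "$PW_FILE" -f "$LDIF_OUT"
}

if [ -n "$RUN_ADMIN_SETUP" ]; then main; fi
```

Run it with `RUN_ADMIN_SETUP=1 sh add-admin.sh`; the generated file is created with mode 600 so the password is not readable by other local users.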

Export the data:

cd /opt/apps/oracle/Middleware/dsee7/bin

./dsadm stop /opt/apps/oracle/Middleware/dsee7/instances/odsee

./dsadm export -f opends-export /opt/apps/oracle/Middleware/dsee7/instances/odsee dc=idmrockstar /opt/installers/exportODSEE.ldif

Prepare the OUD server for import:

cd /opt/apps/oracle/Middleware/asinst_1/OUD/bin

./dsreplication pre-external-initialization -h oamserver -p 4444 --adminUID admin --adminPasswordFile /opt/installers/pw.txt --baseDN dc=idmrockstar -X -n --noPropertiesFile

Import LDIF:

./import-ldif -h oamserver -p 4444 -D "cn=admin,cn=Administrators,cn=admin data" -j /opt/installers/pw.txt --includeBranch dc=idmrockstar --ldifFile /opt/installers/exportODSEE.ldif --clearBackend --trustAll --noPropertiesFile

Post initialization:

./dsreplication post-external-initialization -h oamserver -p 4444 --adminUID admin -j /opt/installers/pw.txt --baseDN dc=idmrockstar -X -n --noPropertiesFile

Start ODSEE:

cd /opt/apps/oracle/Middleware/dsee7/bin

./dsadm start /opt/apps/oracle/Middleware/dsee7/instances/odsee

Setup Replication Gateway:

cd /opt/apps/oracle/Middleware/Oracle_OUD1

./oud-replication-gateway-setup --cli

Enter the following settings:

OUD Instance location successfully created - /opt/apps/oracle/Middleware/Oracle_OUD1/../asinst_2
The migration utility ds2oud must be run to configure the OUD servers before
setting up the replication gateway.
If you have executed ds2oud type 'yes' to continue, type 'no' otherwise (yes /
no) [yes]:

Oracle Unified Directory 11.1.2.2.0
Please wait while the replication gateway setup program initializes ..... Done.

====================================================================
Replication gateway administration settings
====================================================================

You must provide the fully-qualified name of the host where the replication
gateway will be installed. The ODSEE server and Oracle Unified Directory
servers in the replication topology must be able to access this host name
[oamserver]:

What would you like to use as the initial root user DN for the replication
gateway? [cn=Directory Manager]:
Please provide the password to use for the initial root user:
Please re-enter the password for confirmation:

On which port would you like the Administration Connector to accept
connections? [5444]:

====================================================================
ODSEE server settings
====================================================================

ODSEE Server Host Name: [oamserver]:
Do you want to encrypt the replication communication between the replication gateway and the ODSEE server oamserver?

    1) Send replication updates using non-encrypted connection
    2) Send replication updates using encrypted connection (SSL)

Enter choice [1]: 2
ODSEE Server Port (SSL): [636]: 2636
ODSEE Server Bind DN: [cn=Directory Manager]:
ODSEE Server Bind Password:

Do you want the changes made in the Oracle Unified Directory servers to be
propagated to the ODSEE server? (yes / no) [yes]:

Choose which kind of authentication will be used by the replication mechanism to send replication updates from the replication gateway to the ODSEE server oamserver:2636

    1) Use Simple Authentication (password based)
    2) Use Client Authentication (certificate based)

Enter choice [1]: 1

The trust store used by the replication gateway must be updated with the
server certificate of the ODSEE server for replication to work.
Do you want to update replication gateway trust store automatically? (If you
select no, you will have to update it after the setup completes) (yes / no)
[yes]:

Do you want to enable DSCC monitoring between ODSEE and Replication Gateway ?
(yes / no) [yes]:
DSCC Registry Host Name: [oamserver]:
DSCC Registry Port: [3998]:
DSCC Directory Service Manager: [admin]:
DSCC Directory Service Manager Password:

On which port (configured in the replication gateway) should the ODSEE server
connect to the replication gateway to send replication updates? (The port
must accept SSL communication) [3636]:

You have chosen to encrypt the replication communication with port 3636. You must choose the server certificate for the replication gateway:

    1) Generate self-signed certificate (recommended for testing purposes
       only)
    2) Use an existing certificate located on a Java Key Store (JKS)
    3) Use an existing certificate located on a JCEKS key store
    4) Use an existing certificate located on a PKCS#12 key store
    5) Use an existing certificate on a PKCS#11 token

Enter choice [1]: 1

Do you want the ODSEE server to use client (certificate based) authentication
when sending replication updates to the replication gateway? (yes / no) [no]:

====================================================================
Oracle Unified Directory server settings
====================================================================

Directory server hostname or IP address [oamserver]:
Directory server administration port number [4444]:
How do you want to trust the server certificate?

    1) Automatically trust
    2) Use a truststore
    3) Manually validate

Enter choice [3]: 1
Global Administrator User ID, or bind DN if no Global Administrator is defined
[admin]:
Password for user 'admin':

There is no replication port configured in oamserver:4444.
Replication port for the Oracle Unified Directory server [8989]:
Do you want the Replication Gateway to use encrypted communication when
connecting to the Oracle Unified Directory servers? (yes / no) [no]: yes

Replicate base DN dc=idmrockstar? (yes / no) [yes]:

Do you want the replication gateway to be started when the configuration is
completed? (yes / no) [yes]:

====================================================================
Replication Gateway Setup Summary
====================================================================

Host Name: oamserver
Root User DN: cn=Directory Manager
Administration Connector Port: 5444
Replication Port for ODSEE Server: 3636 (secure)
Create a new Self-Signed Certificate
Replicated Base DNs: dc=idmrockstar
Start the replication gateway when the configuration is completed

--------------------------------------------------------------------
ODSEE Server Settings
--------------------------------------------------------------------

Host Name: oamserver
Port: 2636
Port Type: Encrypted (LDAPS)
Propagate replication updates made in Oracle Unified Directory servers to the
ODSEE Server

--------------------------------------------------------------------
Oracle Unified Directory Server Settings
--------------------------------------------------------------------

Host Name: oamserver
Administration Port: 4444
Replication Port: 8989 (encrypted)
Encrypted Communication Between Gateway and OUD Servers: Enabled

What would you like to do?

    1) Setup the replication gateway with the parameters above
    2) Provide the setup parameters again
    3) Print equivalent non-interactive command-line
    4) Cancel the setup

Enter choice [1]:

Once the setup of the replication gateway will be completed (if not already
done) you have to initialize the contents of the Oracle Unified Directory
servers with the contents of the ODSEE server for replication to work.

You can follow these steps to synchronize the contents of the replicated base
DNs:

1. Run the following command in the ODSEE host (oamserver):

    dsadm export \
        -f opends-export \
        /opt/apps/oracle/Middleware/dsee7/instances/odsee \
        dc=idmrockstar \
        {exportedLDIFPath}

Where {exportedLDIFPath} is the path of the resulting LDIF file containing the
replicated data.

2. Run the following command:

    asinst/OUD/bin/dsreplication pre-external-initialization \
        --hostname oamserver \
        --port 4444 \
        --adminUID admin \
        --adminPasswordFile ****** \
        --baseDN dc=idmrockstar \
        --trustAll \
        --no-prompt \
        --noPropertiesFile

3. Copy the LDIF file generated in the first step in a directory accessible by
the Oracle Unified Directory servers and run the following command for every
Oracle Unified Directory server that contains data to be replicated:

    asinst/OUD/bin/import-ldif \
        --hostname oamserver \
        --port 4444 \
        --bindDN cn=admin,cn=Administrators,cn=admin\ data \
        --bindPasswordFile ****** \
        --includeBranch dc=idmrockstar \
        --ldifFile {exportedLDIFPath} \
        --clearBackend \
        --trustAll \
        --noPropertiesFile

4. Run the following command:

    asinst/OUD/bin/dsreplication post-external-initialization \
        --hostname oamserver \
        --port 4444 \
        --adminUID admin \
        --adminPasswordFile ****** \
        --baseDN dc=idmrockstar \
        --trustAll \
        --no-prompt \
        --noPropertiesFile

Check the documentation to find more information about the procedure to be
followed

You have specified to use an encrypted connection between the ODSEE server and
the replication gateway. You must update the truststore used by the ODSEE
server in order the ODSEE server to be able to connect with the replication
gateway to send replication updates.

You can use the following command-line to export the certificate of the
replication gateway to a file:

    keytool -export \
        -alias replication-gateway-cert \
        -file {exportedCertificatePath} \
        -keystore /opt/apps/oracle/Middleware/asinst_2/OUD/config/keystore \
        -storepass ****** \
        -storetype JKS

Where the value for argument -storepass is the value stored in the file
'/opt/apps/oracle/Middleware/asinst_2/OUD/config/keystore.pin'

Copy the resulting file ({exportedCertificatePath}) from the replication
gateway host to a file system accessible by the ODSEE server and import the
certificate using the following command:

    dsadm add-cert \
        --ca \
        /opt/apps/oracle/Middleware/dsee7/instances/odsee \
        replication-gateway-cert \
        {copiedCertificatePath}

The equivalent command-lines displayed above can be found in the following
file:
/opt/apps/oracle/Middleware/asinst_2/OUD/logs/oud-setup

See /opt/apps/oracle/Middleware/asinst_2/OUD/logs/oud-setup for a detailed log of this operation.

Initializing basic replication gateway configuration ..... Done.
Configuring Certificates ..... Done.
Starting Replication Gateway ...... Done.
Updating Registration Information ..... Done.
Configuring Oracle Unified Directory server oamserver:4444 ..... Done.
Initializing Registration Information ..... Done.
Configuring Replication Gateway ..... Done.
Configuring ODSEE server oamserver:2636 ..... Done.

The replication gateway setup has completed successfully

** NOW DO THIS

Get the PW:

cat /opt/apps/oracle/Middleware/asinst_2/OUD/config/keystore.pin

Replace the -storepass value with the PIN printed above and run:

keytool -export -alias replication-gateway-cert -file /opt/installers/key.cert -keystore /opt/apps/oracle/Middleware/asinst_2/OUD/config/keystore -storepass OkkJ7MU2XOBU5RwE232ZQWjSAinZotQt36OjJTU2ewdFE80zF3 -storetype JKS

** COPY THE CERT OVER

Install Cert:

cd /opt/apps/oracle/Middleware/dsee7/bin

./dsadm add-cert --ca /opt/apps/oracle/Middleware/dsee7/instances/odsee replication-gateway-cert /opt/installers/key.cert

Restart ODSEE:

./dsadm stop /opt/apps/oracle/Middleware/dsee7/instances/odsee

./dsadm start /opt/apps/oracle/Middleware/dsee7/instances/odsee

You can now test it out by making changes in OUD and seeing them replicate to ODSEE, and vice versa.
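A scripted version of that test is below, as an added example that is not part of the original post. It writes a timestamped marker into an entry through one server, polls the other server until the marker shows up (or a timeout expires), and then repeats in the opposite direction, so a stale value from an earlier run cannot produce a false pass. Host, ports, bind DN and password file are the post's; the test entry DN, the description attribute used as the marker, and the use of OUD's own ldapsearch/ldapmodify (which accept -j) against both servers are assumptions. The search and modify commands are overridable so the polling logic can be exercised without a directory.

```shell
#!/bin/sh
# Added example (not from the original post): check two-way replication
# between OUD and ODSEE by writing a marker on one side and watching for
# it on the other, in both directions.
# Assumptions: cn=repltest,dc=idmrockstar exists on both servers, its
# description attribute may be overwritten, and the OUD ldapsearch/ldapmodify
# tools are used for both servers (they take the -j password-file flag).

OUD_BIN=${OUD_BIN:-/opt/apps/oracle/Middleware/asinst_1/OUD/bin}
LDAPSEARCH=${LDAPSEARCH:-$OUD_BIN/ldapsearch}
LDAPMODIFY=${LDAPMODIFY:-$OUD_BIN/ldapmodify}
HOST=${HOST:-oamserver}
OUD_PORT=${OUD_PORT:-1389}
ODSEE_PORT=${ODSEE_PORT:-2389}
BIND_DN=${BIND_DN:-cn=Directory Manager}
PW_FILE=${PW_FILE:-/opt/installers/pw.txt}
TEST_DN=${TEST_DN:-cn=repltest,dc=idmrockstar}   # assumed test entry

# Poll the server on <port> for "<attr>: <value>" on TEST_DN for up to
# <timeout> seconds. Returns 0 once seen, 1 when the timeout expires.
wait_for_value() {
    port=$1 attr=$2 value=$3 timeout=${4:-60}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if "$LDAPSEARCH" -h "$HOST" -p "$port" -D "$BIND_DN" -j "$PW_FILE" \
               -b "$TEST_DN" -s base "(objectclass=*)" "$attr" 2>/dev/null \
             | grep -q "^$attr: $value\$"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "timeout: $attr=$value not seen on port $port after ${timeout}s" >&2
    return 1
}

# Replace <attr> on TEST_DN through the server on <port>.
set_value() {
    port=$1 attr=$2 value=$3
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$TEST_DN" "$attr" "$attr" "$value" \
      | "$LDAPMODIFY" -h "$HOST" -p "$port" -D "$BIND_DN" -j "$PW_FILE"
}

# Write on src_port and expect the value to arrive on dst_port.
check_direction() {
    src_port=$1 dst_port=$2 label=$3
    marker="repltest-$label-$(date +%s)"
    set_value "$src_port" description "$marker" || return 1
    wait_for_value "$dst_port" description "$marker" 60
}

replication_roundtrip() {
    check_direction "$OUD_PORT" "$ODSEE_PORT" oud-to-odsee || return 1
    check_direction "$ODSEE_PORT" "$OUD_PORT" odsee-to-oud || return 1
    echo "two-way replication OK"
}

if [ -n "$RUN_REPL_CHECK" ]; then replication_roundtrip; fi
```

Run it with `RUN_REPL_CHECK=1 sh repl-check.sh`; a non-zero exit together with the timeout message on stderr tells you which direction is not flowing, which is the first thing to know before digging into the gateway logs.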

Cheers!

.: Adam

PS. The image is of the SR I had opened to attempt to get Oracle to try and help with the roadblocks I kept facing... thought I'd share the funny =)