IaC Meetup – LAB Environments
Stefan Oehrli
2021.09.16
HALLO, GRÜESSECH, HI!
STEFAN OEHRLI
PLATFORM ARCHITECT
§ Since 1997 active in various IT areas
§ More than 24 years of experience in Oracle databases
§ Focus: Protecting data and operating databases securely
o Security assessments and reviews
o Database security concepts and their implementation
o Oracle Backup & Recovery concepts and troubleshooting
o Oracle Enterprise User and Advanced Security, DB Vault, …
o Oracle Directory Services
§ Co-author of the book The Oracle DBA (Hanser, 2016/07)
IaC MeetUp Active Directory Setup for Oracle Security LAB
OUR WORKSPACES
ROMANIA
AUSTRIA
GERMANY
SWITZERLAND
AGENDA
§ Introduction
§ A set of scripts to rule them all
§ Trivadis LAB Company
§ AD Scripts
§ Vagrant
§ Oracle Init Scripts
§ Docker
§ Terraform
§ Use Cases
§ Conclusion
Introduction
MOTIVATION
Training, testing and engineering are part of everyday life in IT
§ Onboarding new employees
§ Specific employee training or self-study
§ Regular training of operating activities
o Validate disaster recovery
o Train backup & recovery use cases
§ PoC environment for complex architectures
§ Or simply the latest feature
BUT WE DO HAVE A TEST SYSTEM...
… indeed, but it is ...
§ … currently being used by someone else
§ … under maintenance
§ … not up to date
§ … not configured appropriately
§ … not scalable (number of concurrent users)
§ … not scalable (system resources)
Time for engineering / training is limited and most of the time you don't want to spend it on setup tasks.
Source: Stefan Oehrli, CERN LHC Data Center
SOLUTION APPROACHES
§ Flexibility through a large on-premises setup
o Fixed costs?
§ VM local or on-premises environments
§ Cloud Lab and Engineering environment
o Manual setup? Click, click, … :-)
§ Establish or reuse IT automation
o Scripts, Ansible, Puppet, …
§ What about the know-how for the trainings themselves?
But why not a setup using IaC?
Source: Stefan Oehrli, CERN LHC
ORACLE MAXIMUM DATA SECURITY ARCHITECTURE
WORKING WITH ORACLE SECURITY FEATURES
§ Dependencies on other infrastructure components, e.g.
o MS Active Directory
o Oracle Directory / LDAP Server
§ Focus on testing and engineering of features
o No time to set up the LAB
§ Possibility to test different variants and versions
o Does Kerberos authentication still work with Oracle 19c?
o New config required?
WHERE TO PUT THE LAB?
Cloud based would be state of the art…
§ Availability of resources
§ Scalability
§ Pay as you go
Business travel is the perfect time to...
§ Test new features
§ Troubleshoot / reproduce issues
Have you ever tried working in the cloud while traveling on the ICE from Zurich to Stuttgart?
§ Being offline for 30 minutes and longer is common
BUCKET LIST FOR THE ENGINEERING LAB
☐ Oracle Database Server with the latest Oracle binaries
☐ Test database, preferably with a Container database and a single tenant database
☐ Some fancy test schema.
☐ Optional additional Oracle Database Server with other releases.
☐ Oracle Unified Directory Server to set up an LDAP and configure EUS or Oracle Names resolution.
☐ Active Directory Server matching my fancy test schema somehow
☐ KDC for Kerberos authentication
☐ ….
A set of scripts to rule them all
STAY FLEXIBLE - DIFFERENT APPROACHES
Set of common scripts
§ Publicly available on GitHub
§ Reusable for different implementations
§ Manual to fully automatic setups
GITHUB REPOSITORIES
§ Vagrant Configuration trivadislabs.com
§ AD Setup scripts ad-lab
§ Oracle Database Init Scripts oradba_init
§ Docker Oracle Engineering doe
§ Docker Build Scripts for Oracle docker
§ A couple of Terraform modules, e.g.
o Trivadis/terraform-oci-tvdlab-bastion
o Trivadis/terraform-oci-tvdlab-host
TRIVADISLABS.COM
AD-LAB
ORADBA_INIT
DOCKER ORACLE ENGINEERING
DOCKER BUILD SCRIPTS
TERRAFORM MODULE
BUT WAIT, WHY NOT….
Why stay on plain Bash / PowerShell scripts?
§ There was no bigger picture / plan
§ Now there is an initial roadmap
§ Historically grown
o Based on own needs / requirements
§ Lack of experience with Ansible, Puppet, etc.
Would I still do it in plain scripts?
§ In the meantime, I would probably use a tool
Contributions to these projects are highly welcome
Trivadis LAB Company
TRIVADIS LAB COMPANY
§ Engineering of user / role concepts requires data
o A dump of production data is usually "below optimal"
§ The fictitious company Trivadis Lab serves as a training vehicle
§ Company with different departments
o Misc groups and organisational units (OU)
§ The Oracle Database schema TVD_HR matches the organization
o Oracle Virtual Private Database
o Oracle Enterprise Security
TRIVADIS LAB ORGANISATION CHART
DEPARTMENTS
ID Department Distinguished Name (DN)
10 Senior Management ou=Senior Management,ou=People,dc=trivadislabs,dc=com
20 Accounting ou=Accounting,ou=People,dc=trivadislabs,dc=com
30 Research ou=Research,ou=People,dc=trivadislabs,dc=com
40 Sales ou=Sales,ou=People,dc=trivadislabs,dc=com
50 Operations ou=Operations,ou=People,dc=trivadislabs,dc=com
60 Information Technology ou=Information Technology,ou=People,dc=trivadislabs,dc=com
70 Human Resources ou=Human Resources,ou=People,dc=trivadislabs,dc=com
GROUPS
Group Distinguished Name (DN) Description
Trivadis LAB APP Admins ou=Trivadis LAB APP Admins,ou=Groups,dc=trivadislabs,dc=com Application Administrators
Trivadis LAB DB Admins ou=Trivadis LAB DB Admins,ou=Groups,dc=trivadislabs,dc=com DB Admins from IT department
Trivadis LAB Developers ou=Trivadis LAB Developers,ou=Groups,dc=trivadislabs,dc=com Developers from the Research Department
Trivadis LAB Management ou=Trivadis LAB Management,ou=Groups,dc=trivadislabs,dc=com Management and Managers
Trivadis LAB System Admins ou=Trivadis LAB System Admins,ou=Groups,dc=trivadislabs,dc=com System Admins from IT Department
Trivadis LAB Users ou=Trivadis LAB Users,ou=Groups,dc=trivadislabs,dc=com All Users
AD Scripts
AD-LAB – POWERSHELL SCRIPTS
§ Set of PowerShell scripts to set up AD and some tools
§ Step by step setup and configuration
o Sequence in file name
o Not every step is necessary
§ Script 00_init_environment.ps1 is sourced in every script
§ Dedicated configuration file
o Allows customization, e.g. IP, domain name etc.
§ Direct download of AD-LAB in your setup:
# stage folder for the AD-LAB archive and the download URL
$StageFolder = "C:\stage"
$GitHubURL = "https://github.com/oehrlis/ad-lab/archive/refs/heads/main.zip"
# create the stage folder if it does not exist, then fetch the archive into it
New-Item -ItemType Directory -Force -Path $StageFolder
Invoke-WebRequest -Uri $GitHubURL -OutFile "$StageFolder\main.zip"
CUSTOMIZATION
scripts/00_init_environment.ps1
config/default_configuration.txt
§ Update the default configuration file prior to initiating the scripts
§ Modify 00_init_environment.ps1
§ Passwords are usually generated
o Can be predefined in default_pwd_windows.txt
SCRIPTS PART I
§ 00_init_environment.ps1 script to initialize and configure the default values.
§ 01_install_ad_role.ps1 PowerShell script to install the MS Active Directory server role
§ 11_config_ad.ps1 PowerShell script to configure Active Directory
§ 12_config_dns.ps1 PowerShell script to configure the DNS server
§ 13_config_ca.ps1 Script to configure the Certification Authority
§ 19_sum_up_ad.ps1 PowerShell script to display a summary of the Active Directory domain and install Windows updates
§ 22_install_chocolatey.ps1 PowerShell script to install the Chocolatey package manager
SCRIPTS PART II
§ 27_config_cmu.ps1 PowerShell script to configure CMU on MS Active Directory
§ 28_config_misc.ps1 PowerShell script to configure NAT zone records for the AD domain
§ 28_install_oracle_client.ps1 PowerShell script to install the Oracle Client
§ 99_template.ps1 PowerShell template for other scripts
§ 40_reset_ad_users.ps1 PowerShell script to reset all domain user passwords
Note that the scripts 27_config_cmu.ps1 and 28_install_oracle_client.ps1 are currently just skeletons.
A FEW NOTES
§ I am not a Windows specialist
§ There is certainly room for improvement in the scripts
o Error handling, logging, automation, etc.
§ Windows is sometimes mmh…
o … not my best friend
§ Certain configurations require a delay before they can be executed
o Services must be available
o The certification authority (CA) cannot be set up at an early stage
o I do not understand every reboot
§ Not sure if this AD configuration meets common best practice
o It does work for my use cases
Vagrant
BASE IMAGES
§ Oracle Enterprise Linux as base images for Oracle Databases
o https://yum.oracle.com/boxes/
o Carefree package for Oracle DBs
o Linux optimization is / was not my goal
§ Windows based VMs using images from the Vagrant Cloud
o Stefan Scherer maintained a bunch of different images: https://app.vagrantup.com/StefanScherer
o Ready to use with all kinds of preconfiguration, e.g. WinRM
o Based on the development license, i.e. the images will not work after 180 days; renewal is possible.
TRIVADIS LAB
§ VirtualBox based test and engineering environment
§ Infrastructure as Code with Vagrant
o Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
§ Requires Vagrant, VirtualBox and the various images, software etc.
o HashiCorp Vagrant https://www.vagrantup.com
o Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
§ Different VMs for different applications
o win2019ad.trivadislabs.com Windows 2019 Active Directory
o ol7oud12.trivadislabs.com Oracle Unified Directory Server 12c
o ol7db21.trivadislabs.com Oracle DB Server with 21c
o As well as VMs for Oracle DB Server 19c, 18c, 12c and 11g
VAGRANT BASE LAB ENVIRONMENT
TRIVADIS LAB STRUCTURE
§ All VMs share a common config and script folder
o Generic setup scripts
o Vagrant config file vagrant.yml
o Folder mounted as /vagrant_common
§ Dedicated folder for Lab and demo scripts
o Folder mounted as /vagrant_labs
§ Dedicated vagrant folder for each VM
o Location of the Vagrantfile
o Software like Oracle binaries / RU
o Specific setup and configuration scripts
o Folder mounted as /vagrant
§ Oracle 11g VM is also available
[Figure: repository folder layout with the common config and scripts, the lab and demo scripts, and VM-specific folders for the 12c, 18c and 19c DB VMs, the OUD VM and the Windows VM]
VAGRANT CONFIG FILE
# Vagrantfile - Configuration ------------------------------------------
require 'yaml'
params = YAML.load_file '../common/config/vagrant.yml'
# shared configuration
var_default_password = params['common']['default_password']

# vagrant.yml - configuration valid for AD server
win2019ad:
  box: StefanScherer/windows_2019
  vm_name: win2019ad
§ YAML based configuration file vagrant.yml
§ Defines common but also VM specific stuff like hostname, IP addresses, VM names, DB version, scripts and much more
§ Loaded by each Vagrantfile to read the config
§ Can be sourced with 00_init_environment.sh to load values from the Vagrant config file
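As an added example (not code from the trivadislabs.com repository), the following Bash script shows what sourcing the Vagrant config from a script such as 00_init_environment.sh boils down to: a constructed vagrant.yml is parsed with awk and its values are exported as var_* variables, and a random password is generated when default_password is left empty in the config. The function names, the sample values and the var_* names other than var_default_password are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example: load values from a two-level vagrant.yml into shell variables,
# the way an init script like 00_init_environment.sh would. Not the original
# repository code; function names and sample values are constructed.

# Constructed sample vagrant.yml, written to a temp file so the script runs anywhere.
VAGRANT_YML="$(mktemp)"
cat > "$VAGRANT_YML" <<'EOF'
# vagrant.yml - constructed sample, values are made up
common:
  default_password:            # empty on purpose: a password gets generated
  domain: trivadislabs.com
win2019ad:
  box: StefanScherer/windows_2019
  vm_name: win2019ad
  ip: 10.0.1.4                 # sample address
ol7db21:
  box: oraclelinux/7
  vm_name: ol7db21
  db_version: 21.3.0.0
EOF

# yaml_get SECTION KEY: print the scalar under SECTION.KEY, trailing comment stripped.
# Handles only the flat "section: / key: value" layout used in the sample.
yaml_get() {
  awk -v s="$1" -v k="$2" '
    /^[^[:space:]#]/ { in_sec = ($0 ~ ("^" s ":")) }         # a top-level key opens a section
    in_sec && ($0 ~ ("^[[:space:]]+" k ":")) {
      sub(("^[[:space:]]+" k ":[[:space:]]*"), "")            # drop the key
      sub("[[:space:]]*#.*$", "")                            # drop a trailing comment
      print; exit
    }' "$VAGRANT_YML"
}

# generate_password: 16 alphanumeric characters from /dev/urandom, so a lab
# never ends up with a well-known default password by accident.
generate_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
  echo
}

# load_vagrant_config VM: export the shared and VM-specific values as var_* variables.
# Fails when the VM section is missing, so a typo in the VM name is caught early.
load_vagrant_config() {
  local vm="$1"
  var_vm_name="$(yaml_get "$vm" vm_name)"
  if [ -z "$var_vm_name" ]; then
    echo "no section for VM '$vm' in $VAGRANT_YML" >&2
    return 1
  fi
  var_domain="$(yaml_get common domain)"
  var_box="$(yaml_get "$vm" box)"
  var_ip="$(yaml_get "$vm" ip)"
  var_default_password="$(yaml_get common default_password)"
  [ -n "$var_default_password" ] || var_default_password="$(generate_password)"
  export var_vm_name var_domain var_box var_ip var_default_password
}

# Stand-alone run: load one VM and print what the provisioning scripts would see.
if [ "${1:-}" = "--demo" ]; then
  load_vagrant_config "${2:-win2019ad}"
  printf 'vm=%s box=%s ip=%s domain=%s\n' "$var_vm_name" "$var_box" "$var_ip" "$var_domain"
fi
```

Run it with `bash 00_init_example.sh --demo ol7db21` to see the variables for one VM. The awk parser deliberately supports only the two-level layout shown; a real vagrant.yml with nested lists would need a YAML tool, which is one reason the slides load the file from Ruby inside the Vagrantfile.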
COMMON CONFIG SCRIPTS PART I
Generic configuration scripts, primarily used for OUD and DB VMs
§ 00_init_environment.sh Init script to source the Vagrant config values as variables
§ 01_common_setup_os_db.sh Configure OS of DB VM
§ 01_common_setup_os_oud.sh Configure OS of OUD VM
§ 10_install_binaries.sh Wrapper script to install Oracle binaries. oradba_init scripts from GitHub are used to do the installation
§ 11_install_basenv.sh Wrapper script to install Trivadis BasEnv(TM)
§ 12_config_tnsadmin.sh Configure TNS Admin related stuff
COMMON CONFIG SCRIPTS PART II
§ 20_create_databases.sh Wrapper script to set up the Oracle DBs
§ 80_create_tvd_hr_pdb1.sql SQL script to install the TVD_HR schema in a Container DB
§ 81_create_tvd_hr.sql SQL script to install the TVD_HR schema
VAGRANT FILE
§ Each VM has its own Vagrantfile
§ The file contains all information on how the VM should be set up
o VM memory and CPU configuration
o Shared folder configuration
o Setup and provisioning scripts
§ Configuration is loaded from the Vagrant config file vagrant.yml
o Corresponding values are loaded as variables
§ A few things can easily be configured. Complex disk and network configuration is a bit tricky
§ The easiest thing is to just look at a Vagrantfile…
DB VM BUILD PROCESS
§ VM is based on the official Oracle Vagrant box
§ Resources: 4GB, 2 CPU and a simple disk
§ Setup from OS config up to DB creation:
o 01_common_setup_os_db.sh
o 10_install_binaries.sh
o 11_install_basenv.sh
o 12_config_tnsadmin.sh
o 20_create_databases.sh
§ Up and ready in about 20min depending on network speed and host performance
OUD VM BUILD PROCESS
§ VM is based on the official Oracle Vagrant box
§ Resources: 1GB, 1 CPU and a simple disk
§ Setup OS config and binary installation:
o 01_common_setup_os_oud.sh
o 10_install_binaries.sh
§ OUD instance configuration is currently not part of the build
§ Up and ready in about 10min depending on network speed and host performance
WINDOWS AD VM BUILD PROCESS
§ VM is based on Stefan Scherer's windows_2016 box on the Vagrant Cloud
§ Resources: 1GB, 1 CPU and a simple disk
§ Setup scripts:
o 00_init_ad-lab.ps1
o 01_config_ad-lab_part1.ps1
o 02_config_ad-lab_part2.ps1
o 03_config_ad-lab_part3.ps1
§ Up and ready in about 10min depending on network speed and host performance
REQUIREMENTS IN DETAIL
§ Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
§ Vagrant CLI https://www.vagrantup.com
§ Vagrant plugin vagrant-reload, used for reload / reboot during provisioning of the VM
§ Vagrant boxes or base images
o These will be downloaded during the initial config of the VM
o The Windows base image is about 4G and will take a while
§ Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
§ Oracle binaries and patches as ZIP files
o Check the *.download files for the download information and links
§ Last but not least, some memory, disk and CPU resources
VAGRANT IN A NUTSHELL
§ Clone the Git repository
git clone https://github.com/oehrlis/trivadislabs.com.git
§ Copy the corresponding Oracle software into the ../software directories
§ Initial start and provisioning of the VM (win2016ad, ol7db18, ol7db19, ol7oud12, …)
cd win2016ad
vagrant up
§ Access via vagrant ssh or rdp
vagrant ssh
sudo su - oracle
vagrant rdp
SUMMARY
§ Vagrant allows building reproducible Lab environments
§ A lot is possible but not yet everything
o Complex network configuration
o Highly customized storage configuration
§ There are still a few miles to go to have everything 100% automated
§ The current setup allows to focus on engineering… without spending hours on setups.
§ If you screw it up, just rebuild it!
Oracle Init Scripts
ORACLE INIT SCRIPTS
§ Bunch of Bash scripts to install / configure Oracle Databases
o Rather simple configuration via environment variables
o Focus on Linux and Oracle setups
o Includes response files to create databases
§ Initially set up for Oracle Docker containers
§ Now used for…
o … manual deployments and installations on-premises
o … Vagrant setups
o … Docker images / containers
o … Terraform bootstrap of cloud database resources
§ Strong integration with Docker, Vagrant and Terraform configuration
Docker
SETUP ORACLE DATABASE
§ Prepare the OS environment for an Oracle installation
o Install the oracle-database-preinstall-19c package
o Create oracle user / groups / directories
o …
§ Install the Oracle binaries including additional RUs
§ Adjust the environment, SQLNet, Listener etc.
§ Create a database using DBCA or custom scripts
§ Configure database and database features
§ Add a couple of customizations
Quite some work, isn't it?
Time to simplify your setup using Docker images
Source: https://www.docker.com
OPTIONS TO BUILD ORACLE DATABASE IMAGES PART I
§ Use the official pre-built Docker images provided by Oracle on https://container-registry.oracle.com/
o Limited releases / versions available, e.g. no RU, no customization
o Images are based on https://github.com/oracle/docker-images
§ Use third-party pre-built Docker images for Oracle Databases
o Not supported.
o Providing Oracle software for download is not allowed at all.
OPTIONS TO BUILD ORACLE DATABASE IMAGES PART II
§ Build your own Oracle Database images based on https://github.com/oracle/docker-images
o Provides build scripts for a couple of Oracle products including Oracle Database RAC
§ Build your own Oracle Database images based on https://github.com/oehrlis/docker
o Similar approach as Oracle with a couple of customizations.
§ Start with your own build environment from scratch, or based on one of the projects above or any other like ORACLE-BASE and much more on GitHub
ORADBA BUILD SCRIPTS
§ The GitHub repository oehrlis/docker provides a bunch of alternative build scripts.
o Similar approach as Oracle with a couple of customizations.
o Continuously developed and improved.
o Some improvements are added as pull requests to the official Oracle Docker build scripts, e.g. the Oracle Unified Directory build scripts.
§ The OraDBA GitHub repository includes build scripts for the following products / versions
o Oracle Unified Directory (11.1.2.3.x, 12.2.1.3.x and 12.2.1.4.x)
o Oracle Database Server EE 11g-21c with any kind of PSU/RU
§ The build scripts are modified at least every quarter to include the latest Oracle Critical Patch Updates.
USING ORADBA BUILD SCRIPTS
§ Clone the GitHub repository
git clone https://github.com/oehrlis/docker.git docker
§ Download the required Oracle binary packages. See the software/*.download files
§ Run the build wrapper script buildDB.sh or buildAllDB.sh
./common/buildDB.sh 19.0.0.0
§ Alternatively run docker build manually
docker build -t oracle/database:19.5.0.0 .
docker build -t oracle/database:18.6.0.0 -f 18.6.0.0.Dockerfile .
§ Oracle provides similar build scripts for the different versions as well as Oracle editions.
PROCEDURE FOR CONTAINER START
§ 50_run_database.sh checks the volume and starts the database with…
§ 50_start_database.sh starts the listener and the database instance
§ 52_create_database.sh creates a database with the dbca.
§ 55_config_database.sh checks whether configuration files (*.sh or *.sql) are present
o ${INSTANCE_INIT}/setup
o ${INSTANCE_INIT}/startup
§ 55_check_database.sh
CONTAINER SCRIPTS
§ 50_run_database.sh checks the volume and starts the database with 50_start_database.sh. If no database exists, the script 52_create_database.sh is called
§ 50_start_database.sh starts the listener and the database instance
§ 52_create_database.sh creates a database with the dbca. Base parameters can be adjusted with environment variables
§ 55_config_database.sh checks whether configuration files (*.sh or *.sql) are present in the directory ${INSTANCE_INIT}/setup or ${INSTANCE_INIT}/startup respectively.
§ 55_check_database.sh is used for the health check of the Docker container and checks the status of the database instance
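The container start procedure above, as an added example in Bash (not the scripts from oehrlis/docker): a minimal dispatcher that performs the volume check, picks "create" or "start", and then processes the *.sh and *.sql hooks in the setup and startup directories in lexical order. The Oracle-specific steps (dbca, listener, instance start) are replaced by echo so the flow can be followed without a database; the variable defaults, the function names and the refusal of world-writable hook files are this example's own assumptions. Since the hook directories sit on a mounted volume and whatever is found there runs as the database OS user, the permission check is the caveat a practitioner would want on such a mechanism.

```bash
#!/usr/bin/env bash
# Added example: a minimal dispatcher in the spirit of 50_run_database.sh and
# 55_config_database.sh. Not the scripts from oehrlis/docker; the variable
# defaults, function names and checks are this example's own assumptions.

ORACLE_SID="${ORACLE_SID:-TDB01}"                      # sample SID
ORACLE_DATA="${ORACLE_DATA:-/u01/oradata}"             # datafile volume
INSTANCE_INIT="${INSTANCE_INIT:-/opt/oracle/scripts}"  # holds setup/ and startup/ hooks

# database_exists: the volume check. A database is assumed to exist when the
# SID's datafile directory is present and not empty.
database_exists() {
  [ -d "$ORACLE_DATA/$ORACLE_SID" ] &&
    [ -n "$(ls -A "$ORACLE_DATA/$ORACLE_SID" 2>/dev/null)" ]
}

# decide_action: prints "create" or "start", the first decision of a run script.
decide_action() {
  if database_exists; then echo start; else echo create; fi
}

# run_sql FILE: hand a SQL hook to sqlplus as SYSDBA; on a host without the
# Oracle client the call is only reported, so the dispatcher can be dry-run.
run_sql() {
  if command -v sqlplus >/dev/null 2>&1; then
    sqlplus -s / as sysdba @"$1"
  else
    echo "sqlplus not found, would run: @$1"
  fi
}

# run_init_scripts DIR: execute the *.sh and *.sql hooks in DIR in lexical
# order (hence the numeric prefixes). Hooks live on a mounted volume, so a
# world-writable file is refused: anyone able to write to the volume would
# otherwise get code executed as the database OS user.
run_init_scripts() {
  local dir="$1" f
  if [ ! -d "$dir" ]; then
    echo "no hook directory $dir, nothing to do"
    return 0
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if [ -n "$(find "$f" -perm -002)" ]; then
      echo "skipping world-writable hook $f"
      continue
    fi
    case "$f" in
      *.sh)  echo "running shell hook $f"; bash "$f" ;;
      *.sql) echo "running SQL hook $f";  run_sql "$f" ;;
      *)     echo "ignoring $f (neither .sh nor .sql)" ;;
    esac
  done
}

# run_database: the sequence of a container start. Setup hooks run once after
# creation, startup hooks on every start.
run_database() {
  case "$(decide_action)" in
    create)
      echo "no database under $ORACLE_DATA/$ORACLE_SID: would create it with dbca"
      run_init_scripts "$INSTANCE_INIT/setup" ;;
    start)
      echo "database found: would start listener and instance $ORACLE_SID" ;;
  esac
  run_init_scripts "$INSTANCE_INIT/startup"
}

# Stand-alone demo on a constructed hook directory in a temp location.
if [ "${1:-}" = "--demo" ]; then
  demo="$(mktemp -d)"
  mkdir -p "$demo/setup" "$demo/startup"
  printf 'echo "setup hook ran"\n' > "$demo/setup/10_hello.sh"
  printf 'select 1 from dual;\n' > "$demo/startup/50_check.sql"
  ORACLE_DATA="$demo/oradata"; INSTANCE_INIT="$demo"
  run_database
  rm -rf "$demo"
fi
```

Run `bash run_database_example.sh --demo` to see a first start on an empty volume: the setup hook is executed, the SQL hook is reported because sqlplus is absent, and a second run against a populated datafile directory would take the start branch instead.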
DOCKERIZED TESTS AT ANY PRICE?
But does everything make sense?
§ Performance tests?
§ Complex tests with high workload?
§ Tests with very large data sets?
It depends…
§ Docker, in particular its volumes, is not high performance
§ Hardware-dependent tests do not make sense.
§ It takes time to create large and comprehensive databases.
In general, do not test what is outside the scope of a Docker platform.
Image Credit: Docker Inc. / Laurel Duermaël
Terraform
OCI BASED LABS
Oracle Cloud
§ Run the LAB environment
§ Scale resources or environments
Initialisation
§ Bootstrap scripts or Ansible workflows
§ Configure DBs, LAB etc.
Terraform
§ plan, apply, destroy the environment
§ Command line, build pipeline, OCI Stack
Git as the basis for the code
§ Terraform code
§ Setup scripts
§ LAB / Training documentation
[Figure: flow from Infrastructure as Code in Git, via the Terraform configuration and Oracle Cloud Infrastructure, to system initialisation]
INITIAL SITUATION
IDEA FOR A NEW ENVIRONMENT
BUILD PIPELINE
DEPLOYMENT
LAB USAGE
SYSTEM ACCESS
Different access paths
§ Direct via public IP addresses
§ Bastion host
o Public IP address
o SSH access (PuTTY, OpenSSH, etc.)
o Port forwarding
o Apache Guacamole remote desktop
§ VPN access
o OpenVPN
o Site-to-site VPN
EXAMPLE ARCHITECTURE – ORACLE SECURITY TRAINING
TERRAFORM BOOTSTRAP AND WINDOWS
§ Not yet best friends
§ Fully automated bootstrap does not work
o Reboot required
§ Manual or semi-automated approach required.
Use Cases
ORACLE PATCH AND RELEASE UPDATES
Background
§ It can happen that you have to patch Oracle databases.
§ Critical Patch Updates, Release Updates, one-off patches
Idea
§ Build dedicated Docker images (tags!) for the different RUs
§ Use the persistent volume with a new Docker database container, e.g. 19.4.0.0 to 19.5.0.0
Solution
§ Add a script to startup which runs datapatch on every database start.
§ Allows to apply and remove release updates.
§ Drawback: slows down container startup. Could be worked around by adding the script only when required
§ https://github.com/oehrlis/docker/tree/master/samples/patch
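The startup hook idea above, as an added example that is not the sample from the repository: instead of running datapatch on every start, the script fingerprints the patch set of the ORACLE_HOME (from `opatch lspatches`) and runs `datapatch -verbose` only when that fingerprint differs from the one recorded on the datafile volume after the last successful run. A changed image, whether a newer RU or an older one started against the same volume, triggers a run and datapatch itself decides between apply and rollback; an unchanged image skips the slow step. The marker file location, the function names and the sample opatch output are this example's own assumptions; the patch numbers in the samples are illustrative and not taken from the slides.

```bash
#!/usr/bin/env bash
# Added example: run datapatch at container start only when the patch set of
# the ORACLE_HOME differs from the one recorded at the last successful run.
# Not the startup script from oehrlis/docker/samples/patch; the marker file,
# the function names and the sample opatch output are this example's own.

# patch_fingerprint: read "opatch lspatches" output on stdin and print a
# checksum over the sorted patch ids. Only "<id>;<description>" lines count,
# so the trailing "OPatch succeeded." line and blank lines are ignored.
patch_fingerprint() {
  awk -F';' '/^[0-9]+;/ { print $1 }' | sort -u | cksum | awk '{ print $1 }'
}

# datapatch_needed MARKER FINGERPRINT: true when no marker exists yet (first
# start on this volume) or the binaries changed since the last datapatch run.
# A changed set covers both a newer RU (apply) and an older image started on
# the same volume (rollback); datapatch itself works out which one applies.
datapatch_needed() {
  [ ! -f "$1" ] || [ "$(cat "$1")" != "$2" ]
}

# run_datapatch_if_needed: meant for ${INSTANCE_INIT}/startup. The marker is
# kept on the datafile volume so it travels with the database, not the image,
# and is only written after datapatch succeeded.
run_datapatch_if_needed() {
  local marker="${1:-${ORACLE_DATA:-/u01/oradata}/.datapatch_${ORACLE_SID:-TDB01}}" fp
  fp="$("$ORACLE_HOME/OPatch/opatch" lspatches | patch_fingerprint)"
  if datapatch_needed "$marker" "$fp"; then
    echo "patch set $fp differs from marker, running datapatch"
    "$ORACLE_HOME/OPatch/datapatch" -verbose && printf '%s\n' "$fp" > "$marker"
  else
    echo "patch set $fp unchanged, skipping datapatch"
  fi
}

# Constructed samples of "opatch lspatches" output for two images (patch ids
# are illustrative 19c RU / OJVM numbers, not taken from the slides).
SAMPLE_HOME_A='32218454;Database Release Update : 19.10.0.0.210119 (32218454)
32222571;OJVM RELEASE UPDATE: 19.10.0.0.210119 (32222571)

OPatch succeeded.'
SAMPLE_HOME_B='32545013;Database Release Update : 19.11.0.0.210420 (32545013)
32876380;OJVM RELEASE UPDATE: 19.11.0.0.210420 (32876380)

OPatch succeeded.'

# Stand-alone demo: simulate a first start, a restart and an image change
# without an ORACLE_HOME, using the samples above.
if [ "${1:-}" = "--demo" ]; then
  marker="$(mktemp)"; rm -f "$marker"
  for home in "$SAMPLE_HOME_A" "$SAMPLE_HOME_A" "$SAMPLE_HOME_B"; do
    fp="$(printf '%s\n' "$home" | patch_fingerprint)"
    if datapatch_needed "$marker" "$fp"; then
      echo "would run datapatch for patch set $fp"; printf '%s\n' "$fp" > "$marker"
    else
      echo "skip, patch set $fp already recorded"
    fi
  done
  rm -f "$marker"
fi
```

`bash datapatch_hook_example.sh --demo` prints one datapatch run for the first start, a skip for the restart with the same image, and another run after the image change. Inside a container the real entry point is run_datapatch_if_needed, which needs ORACLE_HOME set and the oracle OS user, exactly as datapatch itself does.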
DATABASE UPGRADE
Idea
§ Build dedicated Docker images for the different major releases.
§ Use the persistent volume with a new Docker database container
Problem
§ Database upgrades are not straightforward.
§ Some scripts must be executed with the old binaries whereas others with the new binaries.
Solution
§ Not as easy as release updates.
§ The upgrade process must be split into pre and post tasks.
§ Pre-tasks have to be executed before the old container is stopped.
§ The Oracle datafiles do not show which upgrade state they are in.
UNIFIED AUDIT
Background for Use Case Unified Audit
§ Customer project to engineer Oracle Unified Audit for a PDB environment.
§ Struggle with a couple of bugs and other challenges.
Idea for testing Unified Audit
§ Be able to test a similar setup with different versions
§ Test dedicated one-off patches
§ Test multitenant and single tenant databases
Solution approach
§ Add a script to the container setup folder to enable and configure unified audit.
§ Add a script to the container startup to check and enable unified audit.
§ https://github.com/oehrlis/docker/tree/master/samples/audit
CENTRALLY MANAGED USERS
Background
§ New Oracle security feature introduced with Oracle 18c
§ Simple replacement of Oracle Enterprise User Security
Idea
§ Set up a test environment based on Oracle Database
§ Use docker-compose to simplify the setup
Solution
§ Add scripts to set up the sample schema
§ Add scripts to configure CMU
§ Requires preparation on Active Directory
§ https://github.com/oehrlis/docker/tree/master/samples/cmu
ORACLE ENTERPRISE USER SECURITY
Background
§ Customer projects to engineer Oracle Enterprise User Security.
§ Test different Oracle releases, configurations, SSL settings etc.
Idea
§ Set up a test environment based on Oracle Database and Oracle Unified Directory on Docker
Solution
§ Add scripts to the OUD container setup folder to create an OUD instance with EUS suffix.
§ Add scripts to the DB container setup folder to configure Enterprise User Security in the database.
§ Script to register the database
§ Script to configure the EUS mapping
§ https://github.com/oehrlis/docker/tree/master/samples/eus
ORACLE ENTERPRISE USER SECURITY
§ Oracle Database Container
o Demo Schema with VPD
§ Oracle Unified Directory Container
o Directory with EUS suffix
§ Initial start of containers
o Creating the DB / Directory
o Registration of the DB
o Configuration of EUS
§ Available on GitHub
Conclusion
CONCLUSION
§ There are way too many possibilities to set up LAB environments
o I used to do more engineering on this :-)
§ Vagrant is a simple and easy solution to set up local systems
§ Scripts can easily be reused for different technologies
§ A new approach should probably be based on something like Ansible

More Related Content

What's hot (20)

PDF
Oracle and Docker
Stefan Oehrli
 
PDF
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
PDF
DOAG Oracle Database Vault
Stefan Oehrli
 
PDF
UKOUG TechFest PDB Isolation and Security
Stefan Oehrli
 
PDF
TechEvent EUS, Kerberos, SSL and OUD
Trivadis
 
PDF
TechEvent Oracle 18c New Security Features
Trivadis
 
PPTX
Database 12c is ready for you... Are you ready for 12c?
Performance Tuning Corporation
 
PDF
Oracle Cloud deployment with Terraform
Stefan Oehrli
 
PPTX
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Andrejs Prokopjevs
 
PDF
DOAG Oracle Unified Audit in Multitenant Environments
Stefan Oehrli
 
PPTX
Postgre sql best_practices
Emiliano Fusaglia
 
PDF
Create non-cdb (traditional) oracle database 12c on windows
Biju Thomas
 
PDF
12 Things about Oracle WebLogic Server 12c
Guatemala User Group
 
PDF
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Biju Thomas
 
PDF
UKOUG Techfest 2019 Central user Administration of Oracle Databases
Stefan Oehrli
 
PDF
MySQL 5.7 in a Nutshell
Emily Ikuta
 
PDF
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Alfredo Krieg
 
PDF
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis
 
PPT
Oracle Active Data Guard 12c New Features
Emre Baransel
 
PDF
MySQL 5.7 NEW FEATURES, BETTER PERFORMANCE, AND THINGS THAT WILL BREAK -- Mid...
Dave Stokes
 
Oracle and Docker
Stefan Oehrli
 
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
DOAG Oracle Database Vault
Stefan Oehrli
 
UKOUG TechFest PDB Isolation and Security
Stefan Oehrli
 
TechEvent EUS, Kerberos, SSL and OUD
Trivadis
 
TechEvent Oracle 18c New Security Features
Trivadis
 
Database 12c is ready for you... Are you ready for 12c?
Performance Tuning Corporation
 
Oracle Cloud deployment with Terraform
Stefan Oehrli
 
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Andrejs Prokopjevs
 
DOAG Oracle Unified Audit in Multitenant Environments
Stefan Oehrli
 
Postgre sql best_practices
Emiliano Fusaglia
 
Create non-cdb (traditional) oracle database 12c on windows
Biju Thomas
 
12 Things about Oracle WebLogic Server 12c
Guatemala User Group
 
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Biju Thomas
 
UKOUG Techfest 2019 Central user Administration of Oracle Databases
Stefan Oehrli
 
MySQL 5.7 in a Nutshell
Emily Ikuta
 
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Alfredo Krieg
 
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis
 
Oracle Active Data Guard 12c New Features
Emre Baransel
 
MySQL 5.7 NEW FEATURES, BETTER PERFORMANCE, AND THINGS THAT WILL BREAK -- Mid...
Dave Stokes
 

Similar to IaC MeetUp Active Directory Setup for Oracle Security LAB (20)

PDF
Avoid boring work_v2
Marcin Przepiórowski
 
PDF
configuring+oracle+rds+with+glasfish+server
hunghtc83
 
PDF
DCSF 19 Building Your Development Pipeline
Docker, Inc.
 
PDF
20160307 apex on_the_rocks
MT AG
 
PDF
What is this "docker"
Jean-Marc Meessen
 
PPTX
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)
Andrejs Prokopjevs
 
PPTX
Using Docker EE to Scale Operational Intelligence at Splunk
Docker, Inc.
 
PDF
MySQL Document Store
Mario Beck
 
PDF
Con11257 schifano con11257-best practices for deploying highly scalable virtu...
Berry Clemens
 
PDF
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...
Trivadis
 
PDF
Developing with-devstack
Deepak Garg
 
PDF
Moving your APEX app to the Oracle Exadata Express Cloud
Dimitri Gielis
 
PDF
Continuous Integration & Continuous Delivery
Databricks
 
PDF
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
PDF
0396 oracle-goldengate-12c-tutorial
KlausePaulino
 
PDF
J1 T1 3 - Azure Data Lake store & analytics 101 - Kenneth M. Nielsen
MS Cloud Summit
 
PDF
Single Sign-On for APEX apps (Important: latest version on edocr!)
Niels de Bruijn
 
PDF
Practical guide to Oracle Virtual environments
Nelson Calero
 
PDF
APEX richtig installieren und konfigurieren
Oliver Lemm
 
PDF
Effective Spark with Alluxio at Strata+Hadoop World San Jose 2017
Alluxio, Inc.
 
Avoid boring work_v2
Marcin Przepiórowski
 
configuring+oracle+rds+with+glasfish+server
hunghtc83
 
DCSF 19 Building Your Development Pipeline
Docker, Inc.
 
20160307 apex on_the_rocks
MT AG
 
What is this "docker"
Jean-Marc Meessen
 
Running Oracle EBS in the cloud (OAUG Collaborate 18 edition)
Andrejs Prokopjevs
 
Using Docker EE to Scale Operational Intelligence at Splunk
Docker, Inc.
 
MySQL Document Store
Mario Beck
 
Con11257 schifano con11257-best practices for deploying highly scalable virtu...
Berry Clemens
 
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...
Trivadis
 
Developing with-devstack
Deepak Garg
 
Moving your APEX app to the Oracle Exadata Express Cloud
Dimitri Gielis
 
Continuous Integration & Continuous Delivery
Databricks
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
0396 oracle-goldengate-12c-tutorial
KlausePaulino
 
J1 T1 3 - Azure Data Lake store & analytics 101 - Kenneth M. Nielsen
MS Cloud Summit
 
Single Sign-On for APEX apps (Important: latest version on edocr!)
Niels de Bruijn
 
Practical guide to Oracle Virtual environments
Nelson Calero
 
APEX richtig installieren und konfigurieren
Oliver Lemm
 
IaC MeetUp Active Directory Setup for Oracle Security LAB

  • 11. WORKING WITH ORACLE SECURITY FEATURES
    § Dependencies on other infrastructure components, e.g.
      o MS Active Directory
      o Oracle Directory / LDAP Server
    § Focus on testing and engineering of features
      o No time to set up the LAB
    § Possibility to test different variants and versions
      o Does Kerberos authentication still work with Oracle 19c?
      o New config required?
  • 12. WHERE TO PUT THE LAB?
    Cloud based would be state of the art…
    § Availability of resources
    § Scalability
    § Pay as you go
    Business travels are the perfect time to...
    § Test new features
    § Troubleshoot / reproduce issues
    Have you ever tried working in the cloud while traveling on the ICE from Zurich to Stuttgart?
    § Being offline for 30m and longer is common
  • 13. BUCKET LIST FOR THE ENGINEERING LAB
    [ ] Oracle Database Server with the latest Oracle binaries
    [ ] Test database, preferably a container database and a single-tenant database
    [ ] Some fancy test schema
    [ ] Optional additional Oracle Database Server with other releases
    [ ] Oracle Unified Directory Server to set up an LDAP and configure EUS or Oracle Names resolution
    [ ] Active Directory Server matching my fancy test schema somehow
    [ ] KDC for Kerberos authentication
    [ ] …
  • 14. A set of scripts to rule them all
  • 15. STAY FLEXIBLE - DIFFERENT APPROACHES
    Set of common scripts
    § Publicly available on GitHub
    § Reusable for different implementations
    § Manual to fully automatic setups
  • 16. GITHUB REPOSITORIES
    § Vagrant configuration: trivadislabs.com
    § AD setup scripts: ad-lab
    § Oracle Database init scripts: oradba_init
    § Docker Oracle Engineering: doe
    § Docker build scripts for Oracle: docker
    § A couple of Terraform modules, e.g.
      o Trivadis/terraform-oci-tvdlab-bastion
      o Trivadis/terraform-oci-tvdlab-host
  • 23. BUT WAIT, WHY NOT….
    Why stay on plain Bash / PowerShell scripts?
    § There was no bigger picture / plan
    § Now there is an initial roadmap
    § Historically grown
      o based on own needs / requirements
    § Lack of experience with Ansible, Puppet, etc.
    Would I still do it in plain scripts?
    § In the meantime, I would probably use a tool
    Contributions to those projects are highly welcome
  • 25. TRIVADIS LAB COMPANY
    § Engineering of user / role concepts requires data
      o A dump of production data is usually "below optimal"
    § The fictitious company Trivadis Lab serves as a training vehicle
    § Company with different departments
      o Misc. groups and organisational units (OU)
    § Oracle database schema TVD_HR does match the organization
      o Oracle Virtual Private Database
      o Oracle Enterprise Security
  • 27. DEPARTMENTS
    ID  Department              Distinguished Name (DN)
    10  Senior Management       ou=Senior Management,ou=People,dc=trivadislabs,dc=com
    20  Accounting              ou=Accounting,ou=People,dc=trivadislabs,dc=com
    30  Research                ou=Research,ou=People,dc=trivadislabs,dc=com
    40  Sales                   ou=Sales,ou=People,dc=trivadislabs,dc=com
    50  Operations              ou=Operations,ou=People,dc=trivadislabs,dc=com
    60  Information Technology  ou=Information Technology,ou=People,dc=trivadislabs,dc=com
    70  Human Resources         ou=Human Resources,ou=People,dc=trivadislabs,dc=com
  • 28. GROUPS
    Group                       Distinguished Name (DN)                                        Description
    Trivadis LAB APP Admins     ou=Trivadis LAB APP Admins,ou=Groups,dc=trivadislabs,dc=com    Application Administrators
    Trivadis LAB DB Admins      ou=Trivadis LAB DB Admins,ou=Groups,dc=trivadislabs,dc=com     DB Admins from IT department
    Trivadis LAB Developers     ou=Trivadis LAB Developers,ou=Groups,dc=trivadislabs,dc=com    Developers from the Research department
    Trivadis LAB Management     ou=Trivadis LAB Management,ou=Groups,dc=trivadislabs,dc=com    Management and Managers
    Trivadis LAB System Admins  ou=Trivadis LAB System Admins,ou=Groups,dc=trivadislabs,dc=com System Admins from IT department
    Trivadis LAB Users          ou=Trivadis LAB Users,ou=Groups,dc=trivadislabs,dc=com         All Users
  • 30. AD-LAB – POWERSHELL SCRIPTS
    § Set of PowerShell scripts to set up AD and some tools
    § Step by step setup and configuration
      o Sequence in file name
      o Not every step is necessary
    § Script 00_init_environment.ps1 is sourced in every script
    § Dedicated configuration file
      o Allows customization, e.g. IP, domain name etc.
    § Direct download of AD-LAB in your setup:
      $StageFolder = "C:\stage"
      $GitHubURL = "https://github.com/oehrlis/ad-lab/archive/refs/heads/main.zip"
      New-Item -ItemType Directory -Force -Path $StageFolder
      Invoke-WebRequest -Uri $GitHubURL -OutFile "$StageFolder\main.zip"
  • 31. CUSTOMIZATION
    scripts/00_init_environment.ps1
    config/default_configuration.txt
    § Update the default configuration file prior to initiating the scripts
    § Modify 00_init_environment.ps1
    § Passwords are usually generated
      o Can be predefined in default_pwd_windows.txt
  • 32. SCRIPTS PART I
    § 00_init_environment.ps1: script to initialize and configure the default values
    § 01_install_ad_role.ps1: PowerShell script to install the MS Active Directory server role
    § 11_config_ad.ps1: PowerShell script to configure Active Directory
    § 12_config_dns.ps1: PowerShell script to configure the DNS server
    § 13_config_ca.ps1: script to configure the Certification Authority
    § 19_sum_up_ad.ps1: PowerShell script to display a summary of the Active Directory domain and install Windows updates
    § 22_install_chocolatey.ps1: PowerShell script to install the Chocolatey package manager
  • 33. SCRIPTS PART II
    § 27_config_cmu.ps1: PowerShell script to configure CMU on MS Active Directory
    § 28_config_misc.ps1: PowerShell script to configure NAT zone records for the AD domain
    § 28_install_oracle_client.ps1: PowerShell script to install the Oracle Client
    § 99_template.ps1: PowerShell template for other scripts
    § 40_reset_ad_users.ps1: PowerShell script to reset all domain user passwords
    Note that the scripts 27_config_cmu.ps1 and 28_install_oracle_client.ps1 are just skeletons.
  • 34. A FEW NOTES
    § I am not a Windows specialist
    § There is certainly room for improvement in the scripts
      o Error handling, logging, automation, etc.
    § Windows is sometimes, mmh…
      o … not my best friend
    § Certain configurations require a delay until they can be executed
      o Services must be available
      o The certification authority (CA) could not be set up at an early stage
      o I do not understand every reboot
    § Not sure if this AD configuration meets common best practice
      o It does work for my use cases
  • 36. BASE IMAGES
    § Oracle Enterprise Linux as base images for Oracle Databases
      o https://yum.oracle.com/boxes/
      o Carefree package for Oracle DBs
      o Linux optimization is / was not my goal
    § Windows based VMs using images from the Vagrant Cloud
      o Stefan Scherer did maintain a bunch of different images: https://app.vagrantup.com/StefanScherer
      o Ready to use with all kinds of preconfiguration, e.g. WinRM
      o Based on the development license, i.e. the images will not work after 180 days; renewal is possible
  • 37. TRIVADIS LAB
    § VirtualBox based test and engineering environment
    § Infrastructure as Code with Vagrant
      o Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
    § Requires Vagrant, VirtualBox and the various images, software etc.
      o HashiCorp Vagrant https://www.vagrantup.com
      o Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
    § Different VMs for different applications
      o win2019ad.trivadislabs.com: Windows 2019 Active Directory
      o ol7oud12.trivadislabs.com: Oracle Unified Directory Server 12c
      o ol7db21.trivadislabs.com: Oracle DB Server with 21c
      o As well as VMs for Oracle DB Server 19c, 18c, 12c and 11g
  • 38. VAGRANT BASE LAB ENVIRONMENT
  • 39. TRIVADIS LAB STRUCTURE
    § All VMs share a common config and script folder
      o Generic setup scripts
      o Vagrant config file vagrant.yml
      o Folder mounted as /vagrant_common
    § Dedicated folder for lab and demo scripts
      o Folder mounted as /vagrant_labs
    § Dedicated vagrant folder for each VM
      o Location of the Vagrantfile
      o Software like Oracle binaries / RU
      o Specific setup and configuration scripts
      o Folder mounted as /vagrant
    § Oracle 11g VM is also available
    (Folder layout shown on the slide: common config and scripts; lab and demo scripts; 12c, 18c and 19c DB VM specific stuff; OUD VM specific stuff; Windows VM specific stuff)
  • 40. VAGRANT CONFIG FILE
    Vagrantfile excerpt:
      # - Configuration ------------------------------------------------
      params = YAML.load_file '../common/config/vagrant.yml'   # shared configuration
      var_default_password = params['common']['default_password']
    vagrant.yml excerpt:
      # Configuration valid for AD server
      win2019ad:
        box: StefanScherer/windows_2019
        vm_name: win2019ad
    § YAML based configuration file vagrant.yml
    § Defines common but also VM specific stuff like hostname, IP addresses, VM names, DB version, scripts and much more
    § Loaded in each Vagrantfile to load the config
    § Can be sourced with 00_init_environment.sh to load values from the Vagrant config file
  • 41. COMMON CONFIG SCRIPTS PART I
    Generic configuration scripts, primarily used for the OUD and DB VMs
    § 00_init_environment.sh: init script to source the Vagrant config values as variables
    § 01_common_setup_os_db.sh: configure the OS of the DB VM
    § 01_common_setup_os_oud.sh: configure the OS of the OUD VM
    § 10_install_binaries.sh: wrapper script to install Oracle binaries; the oradba_init scripts from GitHub are used to do the installation
    § 11_install_basenv.sh: wrapper script to install Trivadis BasEnv™
    § 12_config_tnsadmin.sh: configure TNS Admin related stuff
  • 42. COMMON CONFIG SCRIPTS PART II
    § 12_config_tnsadmin.sh: configure TNS Admin related stuff
    § 20_create_databases.sh: wrapper script to set up the Oracle DBs
    § 80_create_tvd_hr_pdb1.sql: SQL script to install the TVD_HR schema in a container DB
    § 81_create_tvd_hr.sql: SQL script to install the TVD_HR schema
  • 43. VAGRANT FILE
    § Each VM has its own Vagrantfile
    § The file contains all information on how the VM should be set up
      o VM memory and CPU configuration
      o Shared folder configuration
      o Setup respectively provisioning scripts
    § Configuration is loaded from the Vagrant config file vagrant.yml
      o Corresponding values are loaded as variables
    § A few things can easily be configured; complex disk and network configuration is a bit tricky
    § The easiest thing is to just look at a file…
  • 44. DB VM BUILD PROCESS
    § VM is based on the official Oracle Vagrant box
    § Resources: 4GB, 2 CPU and a simple disk
    § Setup from OS config up to DB creation:
      o 01_common_setup_os_db.sh
      o 10_install_binaries.sh
      o 11_install_basenv.sh
      o 12_config_tnsadmin.sh
      o 20_create_databases.sh
    § Up and ready in about 20min depending on network speed and host performance
  • 45. OUD VM BUILD PROCESS
    § VM is based on the official Oracle Vagrant box
    § Resources: 1GB, 1 CPU and a simple disk
    § Setup of OS config and binary installation:
      o 01_common_setup_os_oud.sh
      o 10_install_binaries.sh
    § Currently working on the OUD instance configuration
    § Up and ready in about 10min depending on network speed and host performance
  • 46. WINDOWS AD VM BUILD PROCESS
    § VM is based on the Stefan Scherer windows_2016 box on the Vagrant Cloud
    § Resources: 1GB, 1 CPU and a simple disk
      o 00_init_ad-lab.ps1
      o 01_config_ad-lab_part1.ps1
      o 02_config_ad-lab_part2.ps1
      o 03_config_ad-lab_part3.ps1
    § Up and ready in about 10min depending on network speed and host performance
  • 47. REQUIREMENTS IN DETAIL
    § Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
    § Vagrant CLI https://www.vagrantup.com
    § Vagrant plugin vagrant-reload, used for reload / reboot during provisioning of the VM
    § Vagrant boxes or base images
      o These will be downloaded during the initial config of the VM
      o The Windows base image is about 4G and will take a while
    § Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
    § Oracle binaries and patches as ZIP files
      o Check the *.download files for the download information and links
    § Last but not least a little memory, disk and CPU resources
  • 48. VAGRANT IN A NUTSHELL
    § Clone the Git repository
      git clone https://github.com/oehrlis/trivadislabs.com.git
    § Copy the corresponding Oracle software into the ../software directories
    § Initial start and provisioning of the VM (win2016ad, ol7db18, ol7db19, ol7oud12, …)
      cd win2016ad
      vagrant up
    § Access via vagrant ssh or rdp
      vagrant ssh
      sudo su - oracle
      vagrant rdp
  • 49. SUMMARY
    § Vagrant allows building reproducible lab environments
    § A lot is possible, but not yet everything
      o Complex network configuration
      o Highly customized storage configuration
    § There are still a few miles to go to have everything 100% automated
    § The current setup allows to focus on engineering… … without spending hours on setups
    § If you screw it up, just rebuild it!
  • 51. ORACLE INIT SCRIPTS
    § Bunch of Bash scripts to install / configure Oracle Databases
      o Rather simple configuration via environment variables
      o Focus on Linux and Oracle setups
      o Includes response files to create databases
    § Initially set up for Oracle Docker containers
    § Now used for…
      o … manual deployments and installations on-premises
      o … Vagrant setups
      o … Docker images / containers
      o … Terraform bootstrap of cloud database resources
    § Strong integration with Docker, Vagrant and Terraform configuration
  • 53. SETUP ORACLE DATABASE
    § Prepare the OS environment for an Oracle installation
      o Install oracle-database-preinstall-19c
      o Create oracle user / groups / directories
      o …
    § Install the Oracle binaries including additional RUs
    § Adjust the environment, SQLNet, listener etc.
    § Create a database using DBCA or custom scripts
    § Configure database and database features
    § Add a couple of customizations
    Quite some work, isn't it? Time to simplify your setup using Docker images.
    Source: https://www.docker.com
  • 54. OPTIONS TO BUILD ORACLE DATABASE IMAGES PART I
    § Use the official pre-built Docker image provided by Oracle on https://container-registry.oracle.com/
      o Limited releases / versions available, e.g. no RU / no customization
      o Images are based on https://github.com/oracle/docker-images
    § Use third party pre-built Docker images for Oracle Databases
      o Not supported
      o Providing Oracle software for download is not allowed at all
  • 55. OPTIONS TO BUILD ORACLE DATABASE IMAGES PART II
    § Build your own Oracle Database images based on https://github.com/oracle/docker-images
      o Does provide build scripts for a couple of Oracle products including Oracle Database RAC
    § Build your own Oracle Database images based on https://github.com/oehrlis/docker
      o Similar approach as Oracle with a couple of customizations
    § Start with your own build environment from scratch or based on a project above or any other like ORACLE-BASE and much more on GitHub
  • 56. ORADBA BUILD SCRIPTS
    § The GitHub repository oehrlis/docker does provide a bunch of alternative build scripts
      o Similar approach as Oracle with a couple of customizations
      o Continuously developed and improved
      o Some improvements are added as pull requests to the official Oracle Docker build scripts, e.g. the Oracle Unified Directory build scripts
    § The OraDBA GitHub repository does include build scripts for the following products / versions
      o Oracle Unified Directory (11.1.2.3.x, 12.2.1.3.x and 12.2.1.4.x)
      o Oracle Database Server EE 11g-21c with any kind of PSU/RU
    § The build scripts are modified at least every quarter to include the latest Oracle Critical Patch Updates
  • 57. USING ORADBA BUILD SCRIPTS
    § Clone the GitHub repository
      git clone https://github.com/oehrlis/docker.git docker
    § Download the required Oracle binary packages; see the software/*.download files
    § Run the build wrapper script buildDB.sh or buildAllDB.sh
      ./common/buildDB.sh 19.0.0.0
    § Alternatively run docker build manually
      docker build -t oracle/database:19.5.0.0 .
      docker build -t oracle/database:18.6.0.0 -f 18.6.0.0.Dockerfile .
    § Oracle does provide similar build scripts for different versions as well as Oracle editions
  • 59. PROCEDURE FOR CONTAINER START
    § 50_run_database.sh checks the volume and starts the database with…
    § 50_start_database.sh starts the listener and the database instance
    § 52_create_database.sh creates a database with dbca
    § 55_config_database.sh checks whether configuration files (*.sh or *.sql) are present in
      o ${INSTANCE_INIT}/setup
      o ${INSTANCE_INIT}/startup
    § 55_check_database.sh
  • 60. CONTAINER SCRIPTS
    § 50_run_database.sh checks the volume and starts the database with…
      o 50_start_database.sh; if no database exists, the script
      o 52_create_database.sh is called
    § 50_start_database.sh starts the listener and the database instance
    § 52_create_database.sh creates a database with dbca; base parameters can be adjusted with environment variables
    § 55_config_database.sh checks whether configuration files (*.sh or *.sql) are present in the directory ${INSTANCE_INIT}/setup or ${INSTANCE_INIT}/startup respectively
    § 55_check_database.sh is used for the health check of the Docker container and checks the status of the database instance
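    The container start sequence of slides 59 and 60, written out as an added example. This is not code from oradba_init or the oehrlis/docker repository; it reproduces the decision "start an existing database or create a new one" and the numbered *.sh / *.sql runner for the setup and startup folders as plain shell functions so they can be exercised offline. The *.dbf check below ORADATA, the CREATE_CMD / START_CMD / SQL_RUNNER hooks and the sample folder are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not the project's own 50_run_database.sh / 55_config_database.sh):
# the same control flow, with hooks so it runs without an Oracle installation.
set -u

# Does a database already exist in the persistent volume?
# Assumption: a created database leaves at least one *.dbf datafile below
# <oradata>/<sid>; an empty volume means "first start, create it".
database_exists() {
  local oradata="$1" sid="$2" f
  for f in "$oradata/$sid"/*.dbf; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# The 50_run_database.sh branch: "start" an existing DB or "create" a new one.
decide_action() {
  if database_exists "$1" "$2"; then echo start; else echo create; fi
}

# Run every *.sh and *.sql file of one directory in lexical order, i.e. the
# numbered sequence the scripts rely on. *.sh is executed with bash, *.sql is
# piped into $SQL_RUNNER (default "sqlplus -s / as sysdba"; tests set a stub).
# Stops at the first failing script; INIT_SCRIPTS_RUN holds the count.
INIT_SCRIPTS_RUN=0
run_init_scripts() {
  local dir="$1" f
  INIT_SCRIPTS_RUN=0
  [ -d "$dir" ] || return 0              # missing folder is not an error
  for f in "$dir"/*; do
    case "$f" in
      *.sh)  bash "$f" || return 1 ;;
      *.sql) ${SQL_RUNNER:-sqlplus -s / as sysdba} < "$f" || return 1 ;;
      *)     continue ;;                 # README, .ignore, ... are skipped
    esac
    INIT_SCRIPTS_RUN=$((INIT_SCRIPTS_RUN + 1))
  done
  return 0
}

# Entry point: create or start, then the one-off setup scripts (only after a
# create) and the startup scripts (on every start). Prints the action taken.
# CREATE_CMD / START_CMD stand in for 52_create_database.sh / 50_start_database.sh.
run_database() {
  local oradata="$1" sid="$2" init="$3" action
  action=$(decide_action "$oradata" "$sid")
  if [ "$action" = "create" ]; then
    ${CREATE_CMD:-./52_create_database.sh} || return 1
    run_init_scripts "$init/setup" >/dev/null || return 1
  else
    ${START_CMD:-./50_start_database.sh} || return 1
  fi
  run_init_scripts "$init/startup" >/dev/null || return 1
  echo "$action"
}

# Stand-alone demo on a constructed, throw-away volume (no real database).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/oradata/TDB01" "$demo_dir/init/setup" "$demo_dir/init/startup"
printf 'echo "setup script ran"\n' > "$demo_dir/init/setup/01_setup.sh"
printf 'select 1 from dual;\n' > "$demo_dir/init/startup/01_check.sql"
export SQL_RUNNER=cat START_CMD=true
export CREATE_CMD="touch $demo_dir/oradata/TDB01/system01.dbf"   # fake dbca
echo "first start:  $(run_database "$demo_dir/oradata" TDB01 "$demo_dir/init")"
echo "second start: $(run_database "$demo_dir/oradata" TDB01 "$demo_dir/init")"
rm -rf "$demo_dir"
unset SQL_RUNNER START_CMD CREATE_CMD
```

    In a real container the hooks are simply left at their defaults; the point of the example is that the create path runs the setup folder exactly once, while the startup folder runs on every start, which is what makes the "add a script to startup" approach used on the later patch and audit slides work.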
  • 61. DOCKERIZED TESTS AT ANY PRICE?
    But does everything make sense?
    § Performance tests?
    § Complex tests with high workload?
    § Tests with very large data sets?
    It depends…
    § Docker, in particular its volumes, is not high performance
    § Hardware-dependent tests do not make sense
    § It takes time to create large and comprehensive databases
    In general, do not test what is outside the scope of a Docker platform.
    Image credit: Docker Inc. / Laurel Duermaël
  • 63. OCI BASED LABS
    Oracle Cloud
    § Run the LAB environment
    § Scale resources or environments
    Initialisation
    § Bootstrap scripts or Ansible workflows
    § Configure DBs, LAB etc.
    Terraform
    § plan, apply, destroy the environment
    § Command line, build pipeline, OCI Stack
    Git as the basis for the code
    § Terraform code
    § Setup scripts
    § LAB / training documentation
    (Diagram: Infrastructure as Code in Git -> Terraform configuration -> Oracle Cloud Infrastructure -> system initialisation)
  • 65. IDEA FOR A NEW ENVIRONMENT
  • 69. SYSTEM ACCESS
    Different access paths
    § Direct via public IP addresses
    § Bastion host
      o Public IP address
      o SSH access (PuTTY, OpenSSH, etc.)
      o Port forwarding
      o Apache Guacamole remote desktop
    § VPN access
      o OpenVPN
      o Site-to-site VPN
  • 70. EXAMPLE ARCHITECTURE – ORACLE SECURITY TRAINING
  • 71. TERRAFORM BOOTSTRAP AND WINDOWS
    § Not yet best friends
    § Fully automated bootstrap does not work
      o Reboot required
    § Manual or semi-automated approach required
  • 73. ORACLE PATCH AND RELEASE UPDATES
    Background
    § It can happen that you have to patch Oracle databases
    § Critical Patch Updates, Release Updates, one-off patches
    Idea
    § Build dedicated Docker images (tags!) for the different RUs
    § Use the persistent volume with a new Docker database container, e.g. 19.4.0.0 to 19.5.0.0
    Solution
    § Add a script to startup which runs datapatch on every database start
    § Allows to apply and remove release updates
    § Drawback: slows down container startup. Could be worked around by adding the script only when required
    § https://github.com/oehrlis/docker/tree/master/samples/patch
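    The "only when required" variant of the startup script from slide 73, as an added example; it is not the sample from oehrlis/docker/samples/patch. The idea is to compare the patches the new image's ORACLE_HOME carries with the patches the database has registered and to call datapatch only when the two differ, so a container started from an unchanged image does not pay the datapatch delay. The parsers take the command output as text, which keeps the logic testable offline; the assumed input formats are "<patch id>;<description>" lines as printed by opatch lspatches and "<patch id> <action> <status>" rows selected from dba_registry_sqlpatch. The patch ids in the sample are constructed for the example.

```shell
#!/bin/bash
# Added example (not the project's samples/patch script): skip datapatch when the
# binaries and the database already agree on the applied patch set.
set -u

# Patch ids present in the image's ORACLE_HOME.
# Assumed input: "opatch lspatches" output, one "<id>;<description>" per line.
home_patch_ids() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9]\{1,\}\);.*/\1/p' | sort -u
}

# Patch ids the database records as applied.
# Assumed input: rows "<patch id> <action> <status>" from
#   select patch_id, action, status from dba_registry_sqlpatch order by action_time;
# A patch counts as applied after a successful APPLY and is dropped again by a
# later successful ROLLBACK.
db_patch_ids() {
  printf '%s\n' "$1" | awk '
    $2 == "APPLY"    && $3 == "SUCCESS" { applied[$1] = 1 }
    $2 == "ROLLBACK" && $3 == "SUCCESS" { delete applied[$1] }
    END { for (p in applied) print p }' | sort -u
}

# Ids found on one side only (sorted). Empty output means image and database
# are in sync, i.e. no datapatch run is needed.
patch_diff() {
  { home_patch_ids "$1" | sed 's/^/H /'; db_patch_ids "$2" | sed 's/^/D /'; } \
    | awk '{ seen[$2] = seen[$2] $1 }
           END { for (p in seen) if (seen[p] != "HD" && seen[p] != "DH") print p }' \
    | sort
}

needs_datapatch() {
  [ -n "$(patch_diff "$1" "$2")" ]
}

# Startup hook: run datapatch only when something differs. DATAPATCH_CMD defaults
# to the real tool (assumed path below ORACLE_HOME) and can be replaced in tests.
# Prints "datapatch" or "skipped" so the container log shows what happened.
maybe_datapatch() {
  if needs_datapatch "$1" "$2"; then
    ${DATAPATCH_CMD:-${ORACLE_HOME:-}/OPatch/datapatch -verbose} >/dev/null || return 1
    echo datapatch
  else
    echo skipped
  fi
}

# Constructed sample data (ids made up for the example, not real systems): the
# image carries the "19.5" RU plus an OJVM patch, the database still has the
# "19.4" RU registered and the OJVM patch already applied.
SAMPLE_OPATCH='30125133;Database Release Update : 19.5.0.0.191015 (30125133)
30128191;OJVM RELEASE UPDATE: 19.5.0.0.191015 (30128191)'
SAMPLE_REGISTRY='29834717 APPLY SUCCESS
30128191 APPLY SUCCESS'

echo "out of sync: $(patch_diff "$SAMPLE_OPATCH" "$SAMPLE_REGISTRY" | tr '\n' ' ')"
```

    On a real container the two inputs come from `$ORACLE_HOME/OPatch/opatch lspatches` and a sqlplus query against dba_registry_sqlpatch; the comparison deliberately flags patches present in the database but missing from the image as well, because that is exactly the downgrade case (19.5 volume started with a 19.4 image) in which datapatch has to roll the SQL part back.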
  • 74. DATABASE UPGRADE
    Idea
    § Build dedicated Docker images for the different major releases
    § Use the persistent volume with a new Docker database container
    Problem
    § Database upgrades are not straightforward
    § Some scripts must be executed with the old binaries, others with the new binaries
    Solution
    § Not as easy as release updates
    § The upgrade process must be split into pre and post tasks
    § Pre-tasks have to be executed before the old container is stopped
    § The Oracle datafiles do not show which upgrade state they are in
  • 75. UNIFIED AUDIT
    Background for use case Unified Audit
    § Customer project to engineer Oracle Unified Audit for a PDB environment
    § Struggle with a couple of bugs and other challenges
    Idea for testing Unified Audit
    § Be able to test a similar setup with different versions
    § Test dedicated one-off patches
    § Test multitenant and single-tenant databases
    Solution approach
    § Add a script to the container setup folder to enable and configure Unified Audit
    § Add a script to the container startup folder to check and enable Unified Audit
    § https://github.com/oehrlis/docker/tree/master/samples/audit
  • 76. CENTRALLY MANAGED USERS
    Background
    § New Oracle security feature introduced with Oracle 18c
    § Simple replacement of Oracle Enterprise User Security
    Idea
    § Set up a test environment based on Oracle Database
    § Use docker-compose to simplify the setup
    Solution
    § Add scripts to set up the sample schema
    § Add scripts to configure CMU
    § Requires preparation on Active Directory
    § https://github.com/oehrlis/docker/tree/master/samples/cmu
  • 77. ORACLE ENTERPRISE USER SECURITY
    Background
    § Customer projects to engineer Oracle Enterprise User Security
    § Test different Oracle releases, configurations, SSL settings etc.
    Idea
    § Set up a test environment based on Oracle Database and Oracle Unified Directory on Docker
    Solution
    § Add scripts to the OUD container setup folder to create an OUD instance with the EUS suffix
    § Add scripts to the DB container setup folder to configure Enterprise User Security in the database
    § Script to register the database
    § Script to configure the EUS mapping
    § https://github.com/oehrlis/docker/tree/master/samples/eus
  • 78. ORACLE ENTERPRISE USER SECURITY
    § Oracle Database container
      o Demo schema with VPD
    § Oracle Unified Directory container
      o Directory with EUS suffix
    § Initial start of the containers
      o Creating the DB / directory
      o Registration of the DB
      o Configuration of EUS
    § Available on GitHub
  • 80. CONCLUSION
    § There are way too many possibilities to set up LAB environments
      o I tend to do more engineering on this
    § Vagrant is a simple and easy solution to set up local systems
    § Scripts can easily be reused for different technologies
    § A new approach should probably be based on something like Ansible