Thursday, April 27, 2017

OID OVD Tuning


OID Tuning


 


  1. OID Search limits
    Lower 'Maximum number of entries to be returned by a search' so that a single search cannot pin an excessive amount of server memory; the default is shown on the Server Properties screen, and the right value depends on the largest result set your applications legitimately need.
    Maximum time allowed for a search to complete (sec): change to 600
    Anonymous Bind: change to Disallow (anonymous clients can otherwise enumerate the directory and generate unbounded search load; allow it only if an application genuinely depends on it)





  2. OID Performance properties
    The defaults are shown on the Server Properties screen.




Change the following parameters:

Number of OID LDAP Server Processes = 4
                [should equal the number of CPUs allocated to the OS; for archTest that is 4]
Number of DB Connections per Server Process = 10
                [with 4 server processes this gives 40 database connections from OID]
LDAP Idle Connection Timeout (min) = 60
                [default is 0, i.e. idle client connections are never closed]

Number of Dispatcher Threads per Server Process = 10
                [the original lists both 5120 and 10 under this name; 10 is the value to use for dispatcher threads]



  3. Indexing the OID Attributes:

1.      Make sure the following attributes are indexed in OID (in ODSM open the Schema tab, select the attribute, and confirm that the 'Indexed' box is checked in the attribute definition screen). An attribute that is not indexed cannot be used in a search filter, so every attribute an application filters on must be in this list:
uid
cn
FTBUserList

2.      Indexing attributes using the catalog tool:

a)      Set the ORACLE_HOME environment variable to your IDM ORACLE_HOME installation. If you accepted the names given by the Oracle installer, this is typically $MW_HOME/Oracle_IDM1. The catalog tool is found under $ORACLE_HOME/ldap/bin.

b)      Set the ORACLE_INSTANCE environment variable to your IDM instance installation. If you accepted the installer defaults, this is typically $MW_HOME/asinst_1. Under $ORACLE_INSTANCE/config you should find the tnsnames.ora from which the catalog tool takes its database connection details.

c)      Run the tool once per attribute, replacing "assistant" with the attribute to index (for example FTBUserList from the list above):
$ORACLE_HOME/ldap/bin/catalog connect="OIDDB" add=true attribute="assistant"
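A quick way to confirm which of the required attributes are still unindexed before running catalog: OID records its indexed attributes as orclindexedattribute values on the cn=catalogs entry, which can be dumped with ldapsearch. The script below is an added example, not part of the original post; it parses such an LDIF dump (the sample LDIF embedded in it is constructed, not taken from a real server), lists the required attributes that have no index, and prints the catalog commands for them. The ldapsearch invocation in the docstring and the function names are assumptions made for the example.

```python
"""Report OID attributes that are not yet indexed and emit the catalog commands.

Added example, not part of the original post.  Input is the LDIF you get from
something like (assumed invocation, adjust host/port/bind DN):
    ldapsearch -h oidhost -p 3060 -D cn=orcladmin -q -b "cn=catalogs" -s base \
        "(objectclass=*)" orclindexedattribute
The sample LDIF below is constructed for this example.
"""
import base64

SAMPLE_LDIF = """\
dn: cn=catalogs
cn: catalogs
orclindexedattribute: cn
orclindexedattribute: mail
orclindexedattribute: UID
orclindexedattribute:: b3JjbGd1aWQ=
orclindexedattribute: objectcl
 ass
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute-name-lowercased: [values]}.

    Handles folded lines (a continuation line starts with one space) and
    base64-encoded values (attribute name followed by '::'), both of which
    ldapsearch emits and which a naive split on ':' gets wrong.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold onto the previous line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def missing_indexes(ldif_text, required):
    """Return the required attributes (original spelling) that OID has no index for.

    Attribute names are compared case-insensitively, as LDAP does.
    """
    indexed = {v.lower() for v in
               parse_ldif_entry(ldif_text).get("orclindexedattribute", [])}
    return [a for a in required if a.lower() not in indexed]


def catalog_commands(missing, connect="OIDDB"):
    """One catalog invocation per missing attribute (ORACLE_HOME/ORACLE_INSTANCE must be set)."""
    return ['$ORACLE_HOME/ldap/bin/catalog connect="%s" add=true attribute="%s"'
            % (connect, a) for a in missing]


if __name__ == "__main__":
    todo = missing_indexes(SAMPLE_LDIF, ["uid", "cn", "FTBUserList"])
    for cmd in catalog_commands(todo):
        print(cmd)
```

With the constructed sample, uid and cn are already indexed (the UID entry differs only in case) and the script prints a single catalog command, for FTBUserList. Point it at a real dump by replacing SAMPLE_LDIF with the ldapsearch output.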

  4. OID DB Tuning

a. DB global settings: make sure the following parameters are not set below the values given here.
sga_target & sga_max_size - up to 60% of the database host's RAM
processes - 500 (this must cover the OID LDAP connections, i.e. server processes x DB connections per process, plus replication and administrative sessions)
pga_aggregate_target - 1 to 4 GB, if sufficient RAM is available
job_queue_processes - tune this parameter only if you are using Oracle Database Advanced Replication-based multimaster replication



b. Increase the DB connections (optional):

Increase the DB connections per server process; see step 2 for where this parameter is set.

 Number of DB Connections per Server Process - 10 [with the server processes raised to 4, OID will consume 40 database connections in total]



Note: 
* After the changes above, restart the Oracle database (for the init parameters) and the OPMN-managed OID processes (opmnctl stopall / opmnctl startall).
* Apply the same configuration on every host that runs an OID instance.



OVD Tuning



  1. OVD - OS Tuning:

Raise the ulimit for the OVD process to 8192 or unlimited (the limit that matters is the open-file descriptor count, ulimit -n, since every client and backend connection consumes a descriptor).


  2. OVD - JVM Tuning

a)   Set the JVM settings for the OVD admin and wls_ods instances
current:
/usr/java6_64/bin/java -Xms1024m -Xmx2048m
/usr/java6_64/bin/java -Xms512m -Xmx1024m -Xss512K   (second instance; which instance carries which setting was not confirmed)
change to:
/usr/java6_64/bin/java -Xms2048m -Xmx2048m
Setting -Xms equal to -Xmx avoids heap resizing pauses under load.

b)   Latest JDK:
Make sure OVD is configured to use the latest JDK installed on the host.
Presently the Oracle_IDM1/jdk version is lower than the default JDK on the IBM host.
To change the JDK used by OVD, edit opmn.xml and, under <ias-component id="ovd1">, point the following to the newer JDK:
    <data id="java-bin" value="/usr/java6_64/bin/java"/>
     ----
     <action value="exec /usr/java6_64/bin/java
     ----
     <launch-targets>
        <launch-target id="logquery">
          <exec path="/usr/java6_64/bin/java"/>

c)   Set the JVM memory parameters in opmn.xml

JVM tuning in opmn.xml: set the OVD JVM heap to 2048m (-Xms and -Xmx both).
Set the backend LDAP timeout (-Dvde.soTimeoutBackend) to 120 seconds, or to the shortest connection timeout configured on any backend LDAP server if that is lower.
Increase the ping interval to 60 seconds (or more as needed) in opmn.xml.
When the system is busy, a ping from the Oracle Process Manager and Notification Server (OPMN) to Oracle Virtual Directory may fail; OPMN then restarts Oracle Virtual Directory after the default ping interval of 20 seconds. To avoid such spurious restarts, increase the ping interval to 60 seconds or more.
The ping interval is set in $ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml as shown below (heap values shown as 2048m to match the text; java-bin should point to the JDK chosen in step b):

<process-type id="OVD" module-id="OVD">
   <module-data>
      <category id="start-options">
         <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
         <data id="java-options" value="-server -Xms2048m -Xmx2048m -Dvde.soTimeoutBackend=120 -DdisableECID=1 -Didm.oracle.home=$ORACLE_HOME -Dcommon.components.home=$ORACLE_HOME/../oracle_common -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/>
         <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
      </category>
   </module-data>
   <stop timeout="120"/>
   <ping interval="60"/>
</process-type>

  3. OVD Server configurations

a)   Set the thread count based on the server's processor cores.
With 4 CPUs, configure 40 threads (a common configuration is 10 threads per CPU, so 4 central processing units give 40 threads).

Set the connection timeout to a definite period:
Connection Timeout - 60 (minutes)

Set the following values in listeners.os_xml (OVD/ovd1):
<threads>40</threads>
                [40 follows the 10-threads-per-CPU rule for a 4-CPU host; the original shows 1040 here, which does not match that rule]
<anonymousBind>deny</anonymousBind>
<workQueueCapacity>8096</workQueueCapacity>
<socketOptions>
  <tcpNoDelay>true</tcpNoDelay>
  <keepAlive>false</keepAlive>
  ...
</socketOptions>
----
<readTimeout>360000</readTimeout>
                [check the unit: if readTimeout is in milliseconds, 360000 is 6 minutes, not the 60 minutes named above]

Apply the same changes to both the "LDAP Endpoint" and "LDAP SSL Endpoint" listeners in listeners.os_xml.

b)   Reduce the logging verbosity.
Logging Level: change to Warning (verbose levels cost I/O on a busy server and bury real errors in noise)


c)   Limit anonymous searches to restrict the load from anonymous calls.

Anonymous search: the default limit is 1000 entries; lower it, or set it to 0 to disable anonymous searches entirely (with anonymousBind set to deny on the listeners this is a second line of defence).

The values are set in server.os_xml; the defaults are:

<searchLimit>
      <anonymous>1000</anonymous>
      <authenticated>10000</authenticated>
   </searchLimit>


*******Not applied at this time (d below).

d)   Close inactive client connections from OVD
Change the following in server.os_xml:

<inactiveConnectionTimeout>5</inactiveConnectionTimeout>

By default, OVD never closes a client connection, no matter how long it has been idle. I recommend setting this to 5 minutes so that idle connections are closed automatically: OVD closes the socket and sends a FIN to inform the client that the server has closed the connection; the client acknowledges it and tears down its side. The parameter is in minutes.
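To check that none of the OVD defaults discussed above (the 20-second ping interval, an unequal -Xms/-Xmx pair, a missing backend timeout, the 10-thread default, anonymous binds, the anonymous search limit and the idle-connection timeout of 0) survive an edit, the script below audits the three files together. It is an added example, not code from the original post or from Oracle: the element names are taken from the fragments shown above, but the wrapper elements and the sample "before" and "after" fragments are constructed for the example and are not the complete real files.

```python
"""Audit OVD tuning across opmn.xml, listeners.os_xml and server.os_xml.

Added example, not code from the original post or from Oracle.  The element
names (ping/@interval, data[@id='java-options'], threads, anonymousBind,
searchLimit/anonymous, inactiveConnectionTimeout) are those shown in the
post; the wrapper elements and the fragments below are constructed for this
example and do not reproduce the full real files.
"""
import re
import xml.etree.ElementTree as ET

# Constructed "before tuning" fragments carrying the defaults the post tells you to change.
OPMN_BEFORE = """<process-type id="OVD" module-id="OVD">
  <module-data>
    <category id="start-options">
      <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
      <data id="java-options" value="-server -Xms1024m -Xmx2048m -DdisableECID=1"/>
    </category>
  </module-data>
  <stop timeout="120"/>
  <ping interval="20"/>
</process-type>"""
LISTENER_BEFORE = """<listener id="LDAP Endpoint">
  <threads>10</threads>
  <anonymousBind>allow</anonymousBind>
</listener>"""
SERVER_BEFORE = """<server>
  <searchLimit><anonymous>1000</anonymous><authenticated>10000</authenticated></searchLimit>
  <inactiveConnectionTimeout>0</inactiveConnectionTimeout>
</server>"""

# Constructed "after tuning" fragments with the values recommended in the post.
OPMN_AFTER = (OPMN_BEFORE
              .replace("-Xms1024m -Xmx2048m", "-Xms2048m -Xmx2048m -Dvde.soTimeoutBackend=120")
              .replace('interval="20"', 'interval="60"'))
LISTENER_AFTER = LISTENER_BEFORE.replace("<threads>10<", "<threads>40<").replace(">allow<", ">deny<")
SERVER_AFTER = SERVER_BEFORE.replace("<anonymous>1000<", "<anonymous>0<").replace("Timeout>0<", "Timeout>5<")


def _heap_mb(java_options, flag):
    """Return the -Xms/-Xmx size in MB from a java-options string, or None if absent."""
    m = re.search(r"-%s(\d+)([mMgG])" % flag, java_options)
    if not m:
        return None
    return int(m.group(1)) * (1024 if m.group(2).lower() == "g" else 1)


def audit_ovd(opmn_xml, listener_xml, server_xml, cpus=4,
              min_ping=60, backend_timeouts=(120,), max_anon_search=0):
    """Return a list of findings; an empty list means every checked setting is tuned.

    backend_timeouts lists the connection timeouts (seconds) of the configured
    backend LDAP servers; OVD's own backend timeout must not exceed the shortest.
    """
    findings = []

    opmn = ET.fromstring(opmn_xml)
    ping = opmn.find(".//ping")
    interval = int(ping.get("interval", "20")) if ping is not None else 20
    if interval < min_ping:
        findings.append("opmn.xml: ping interval %ds < %ds (OPMN may restart OVD under load)"
                        % (interval, min_ping))
    opts = ""
    for d in opmn.iter("data"):
        if d.get("id") == "java-options":
            opts = d.get("value", "")
    xms, xmx = _heap_mb(opts, "Xms"), _heap_mb(opts, "Xmx")
    if xms is None or xmx is None or xms != xmx:
        findings.append("opmn.xml: -Xms and -Xmx should both be set and equal (found Xms=%s Xmx=%s MB)"
                        % (xms, xmx))
    m = re.search(r"-Dvde\.soTimeoutBackend=(\d+)", opts)
    if m is None:
        findings.append("opmn.xml: -Dvde.soTimeoutBackend is not set")
    elif int(m.group(1)) > min(backend_timeouts):
        findings.append("opmn.xml: backend timeout %ss exceeds the shortest backend LDAP timeout (%ss)"
                        % (m.group(1), min(backend_timeouts)))

    listener = ET.fromstring(listener_xml)
    threads = int(listener.findtext(".//threads", "10"))
    if threads != 10 * cpus:
        findings.append("listeners.os_xml: threads=%d, expected %d for %d CPUs" % (threads, 10 * cpus, cpus))
    if (listener.findtext(".//anonymousBind", "allow") or "").strip().lower() != "deny":
        findings.append("listeners.os_xml: anonymousBind is not 'deny'")

    server = ET.fromstring(server_xml)
    anon = int(server.findtext(".//searchLimit/anonymous", "1000"))
    if anon > max_anon_search:
        findings.append("server.os_xml: anonymous search limit %d > %d" % (anon, max_anon_search))
    idle = int(server.findtext(".//inactiveConnectionTimeout", "0"))
    if idle == 0:
        findings.append("server.os_xml: inactiveConnectionTimeout is 0 (idle client connections are never closed)")
    return findings


if __name__ == "__main__":
    for finding in audit_ovd(OPMN_BEFORE, LISTENER_BEFORE, SERVER_BEFORE):
        print(finding)
    print("tuned config findings:", audit_ovd(OPMN_AFTER, LISTENER_AFTER, SERVER_AFTER))
```

On the constructed "before" fragments every check fires (seven findings); on the "after" fragments none do. Run it against real files by reading each XML file into the corresponding argument, and pass the real backend timeouts so the -Dvde.soTimeoutBackend check compares against the shortest one actually configured.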

  4. OVD Adapter tuning

    a)
    In the ODSM interface, open the OIDGroups adapter and, if there are two source LDAP hosts, set each host's 'Weight Value' to 50 so that OVD shares the load equally between the source LDAPs.

b)   In the Routing tab, set the priority to '20'. In OVD a lower priority number means higher precedence, so when a search starts at the root this branch is consulted before any adapter with a higher priority value.
c)   Repeat steps a and b for the JOINADOID adapter.
d)   Repeat steps a and b for the AD adapter, but set its priority to 30.







Note: 
* After the changes above, restart the OPMN-managed OVD instance (and the wls_ods managed server for its JVM change) for them to take effect.
* Apply the same configuration on every host that runs an OVD instance.





Thursday, July 3, 2014

JKS & Keystore commands

Set the following environment variables before running the commands in this section:


export MW_HOME=<</opt/appbin/oracle/idm_middleware>>
export JAVA_HOME=<<$MW_HOME/Oracle_IDM1/jdk>>

export ORACLE_HOME=<<$MW_HOME/Oracle_IDM1>>
export ORACLE_INSTANCE=<<$MW_HOME/asinst_1>>
export PATH=$JAVA_HOME/bin:$PATH:$MW_HOME/oracle_common/bin:$ORACLE_HOME/bin



Convert Wallets to JKS keystore



A) Run the following command to convert the wallet's entries (private key, signed user certificate and trusted root CA certificates) into JKS files; the key material and the trust material can be written to separate keystore and truststore files:

orapki wallet pkcs12_to_jks -wallet p12wrl -pwd p12pwd [-jksKeyStoreLoc jksKSloc -jksKeyStorepwd jksKS_pwd] [-jksTrustStoreLoc loc -jksTrustStorepwd pwd]

where the parameters are as follows:

wallet is the PKCS#12 wallet (ewallet.p12) location
pwd is the wallet password
jksKeyStoreLoc is the JKS keystore location
jksKeyStorepwd is the JKS keystore password
jksTrustStoreLoc is the JKS truststore location
jksTrustStorepwd is the JKS truststore password

Note:
Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.

B) List the keystore to get the alias name of the PrivateKeyEntry:

keytool -list -v -keystore <path_to_keystore_file>

 

Convert JKS Keystore to Wallet

1. The following commands only work with JDK 1.6.x; they will not work with the JDK 1.4/1.5 that ships with AS 10.1.2/10.1.3. So first download and install JDK 1.6. Alternatively install a Fusion Middleware 11.1.1.x Web Tier and follow the FMW 11g instructions further down in this article.

2. Convert the Java keystore to an Oracle wallet:
a) Create an empty wallet with the OWM GUI or from the command line:
   orapki wallet create -wallet . -pwd <<walletPswd>>
b) Convert the JKS to PKCS#12 with keytool (write the result to a new file rather than over the source, so the original JKS survives a failed import and is still available for step iii below):
   keytool -importkeystore -srckeystore <<jks file path>> -destkeystore <<pkcs12 file path>> -deststoretype pkcs12
c) Run the following command:
%JDK16_HOME\bin\keytool -importkeystore -srckeystore <keystore> -destkeystore <wallet_loc> -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <jks_storepasswd> -deststorepass <wallet_passwd> -srcalias <key_alias> -destalias <key_alias> -srckeypass <jks_keypasswd> -destkeypass <wallet_passwd>
Note that the <wallet_passwd> must conform to Oracle standards:
  • Minimum password length (8 characters)
  • Maximum password length unlimited
  • Alphanumeric character mix required
For example (Welcome1 is the documentation placeholder; use a real password):
%JDK16_HOME\bin\keytool -importkeystore -srckeystore keystore -destkeystore <path_to>/ewallet.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass jkspasswd -deststorepass Welcome1 -srcalias mykey -destalias mykey -srckeypass jkspasswd -destkeypass Welcome1
OR
i) Open the wallet in Wallet Manager:
  • Run $ORACLE_HOME/bin/owm
  • Select "Wallet" -> "Open" and select the <path_to>/ewallet.p12
  • Select "Wallet" -> "Auto-Login" and "Save" the wallet.
     or
    [It really seems that you can only provide the "-auto_login" option while creating the wallet but not after that point. Well, this is an example of misleading syntax, as you actually can change the option with "orapki wallet create" without destroying the original wallet:]

   $ orapki wallet create -wallet . -pwd <<walletpswd>> -auto_login 

ii) Convert the JKS to PKCS#12 with keytool (again into a new file, keeping the source JKS for step iii):
  keytool -importkeystore -srckeystore <<jks file path>> -destkeystore <<pkcs12 file path>> -deststoretype pkcs12

iii) $ orapki wallet jks_to_pkcs12 -wallet /opt/appbin/oracle/Keystore/wallet -pwd <<WalletPswd>> -keystore <<servername.jks>> -jkspwd <<servername>>


Keystore Generation

Example:
$ cd /opt/AppBin/oracle
$ export JAVA_HOME=/usr/java6_64
$ export PATH=$JAVA_HOME/bin:$PATH
$ keytool -genkey -alias servName11 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=servName11,OU=<<Organization Name>>,O=<<organization name>>,L=Sacramento,ST=Ca,C=US" -keypass servName11 -keystore servName11.jks -storepass servName11

The signature algorithm name keytool accepts is SHA256withRSA ("SHA2withRSA" is not a valid name). The example uses the host name as alias, key password and store password for readability only; in practice use a keystore password that cannot be guessed from the host name, and remember that passwords passed on the command line end up in the shell history.

Cert Request

$ keytool -certreq -v -alias servName11 -file servName11.csr -keypass servName11 -storepass servName11 -keystore servName11.jks
Output:
Certification request stored in file <servName11.csr>
Submit the generated CSR to your CA.
Once the CA has signed the request it will send you the root CA certificate and the signed server certificate.
Place the root CA and signed certificate files in the keystore location (tmp/keystore).
Run the following command to import the root CA.

Import rootCA

$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file /opt/appbin/oracle/Keystore/RootCA.cer -keystore servName11.jks -storepass servName11
Output:
Certificate was added to keystore
[Storing servName11.jks]
(-noprompt skips keytool's fingerprint confirmation, so verify the root certificate's fingerprint against the CA's published value before importing it.)
Verify that the certificate was imported into the keystore:
$ keytool -list -v -keystore servName11.jks -storepass servName11

Import server Cert - signed

Import the server certificate into your keystore using the following command.
Note: the alias must be the same alias used when the certificate request was generated, so that keytool installs the CA reply onto the existing PrivateKeyEntry instead of creating a separate trustedCertEntry that the server cannot use. The root CA (and any intermediate) must already be in the keystore or in cacerts for keytool to build the chain.
$ keytool -import -v -alias <alias> -file <server_cert_file> -keystore <keystore> -keypass <password> -storepass <password>

Modify the cert alias

$ keytool -changealias -keystore keystore.jks -storepass storepw -alias hostname -keypass keypw -destalias newhostname

Modify the keystore password

$ keytool -storepasswd -storetype jks -keystore keystore.jks -storepass storepw -new newstorepw

Modify the certificate key password

$ keytool -keypasswd -keystore keystore.jks -storepass storepw -alias hostname -keypass keypw -new newkeypw

Renewal of Server Signed Certificate & Root Certificate @Keystore Steps:

Renew the Server signed Certificate:

  • Assuming the originally created CSR still exists (it binds the renewed certificate to the key pair already in the keystore).
  • Send the CSR to the Certificate Authority to renew the certificate.
  • On the server, back up the existing JKS file and the old signed certificate.
  • Once the newly signed server certificate is received, place it in the JKS keystore location.
  • Confirm the alias of the existing server entry; it is listed as a PrivateKeyEntry:
    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>>
    Do not delete that alias: deleting a PrivateKeyEntry removes the private key with it, and a certificate imported afterwards under the same alias becomes a trustedCertEntry that the server cannot use for TLS.
  • Import the renewed server certificate under the same alias as the existing PrivateKeyEntry; keytool replaces the certificate chain on the entry when the reply matches the key, and refuses the reply if it was issued for a different key:
    keytool -import -v -alias <alias> -file <<hostname>>.cer -keystore <<hostname>>.jks -keypass <hostname> -storepass <hostname>
  • Verify the renewed server certificate is installed as desired (check the validity dates and that the entry type is still PrivateKeyEntry):
    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>> -alias <<alias>> -v
  • Restart the app servers that use this JKS keystore.

Renew the Root Certificate:

  • Assuming the new root certificate has been obtained from the Certificate Authority.
  • Back up the existing root certificate and the JKS keystore.
  • Place the root certificate in the JKS keystore location.

  • Run the following commands to find and delete the old root certificate (a trustedCertEntry) from the JKS keystore:
    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>>
    keytool -delete -v -alias <rootca-aliasName> -keystore <<hostname>>.jks -storepass <hostname>
  • Add the new root certificate to the JKS keystore under the same alias as the one deleted in the previous step:
    keytool -import -v -noprompt -trustcacerts -alias <rootca-aliasName> -file <<hostname>>.crt -keystore <<hostname>>.jks -storepass <hostname>
  • Verify the root certificate is installed as desired:
    keytool -list -keystore <<hostname>>.jks -storepass <<hostname>> -alias <<rootca-aliasName>> -v

Renewal for Server certificate & root certificate @ Wallet Steps:

Renewal of Server signed certificate:

  1. Set the environment variables.
  2. Back up the current wallet files and the old server signed certificate.
  3. Find the old CSR file and submit it to the Certificate Authority to get the renewed server certificate.
  4. Place the newly signed server certificate on the host where the wallet is located.
  5. On a Unix host, set the DISPLAY variable so the GUI tools can open.
  6. Open Wallet Manager with the owm command.
  7. Open the wallet in Wallet Manager.
  8. Remove the user certificate: select the user certificate -> remove the user certificate.
  9. Install the user certificate: select the user certificate [requested] -> install the user certificate and choose the newly renewed server certificate.
  10. Save (make sure auto-login is selected).
Renew the root Certificate:
  1. Set the environment variables.
  2. Back up the current wallet files and the old root certificate file.
  3. Get the renewed root certificate from the Certificate Authority.
  4. Place the new root certificate on the host where the wallet is located.
  5. On a Unix host, set the DISPLAY variable so the GUI tools can open.
  6. Open Wallet Manager with the owm command.
  7. Open the wallet in Wallet Manager.
  8. Remove the trusted certificate: select Trusted Certificates -> remove the expired root certificate [trusted cert] from the list.
  9. Install the root certificate: Trusted Certificates -> Import Trusted Certificate, and choose the newly renewed root certificate.
  10. Save (make sure auto-login is selected).

Converting Oracle Access Manager Certificates to Java Keystore Format

ref: https://docs.oracle.com/cd/E25178_01/core.1111/e10043/osso_b_oam11g.htm#BABEDBBA


    Monday, August 5, 2013

    Oracle Internet Directory (OID) is an LDAP-compliant directory server that stores its data (schema: attributes, object classes and access policies; users and groups) in an Oracle Database under the ODS schema (Oracle Directory Store).

    These are the cases in which the ODS account can get locked:
    1) The ODS account is repeatedly logged into with a wrong password (once the failed-attempt count configured in the database profile is exceeded, the account is locked).
    2) The ODS account password expires.
    3) The file system on the OID host fills up, and when OID is started a few files are corrupted or deleted, such as the wallet that stores the ODS password.

    Steps to reset the password or unlock the ODS DB account and restart the OID processes:

    1. Set the ORACLE_HOME & ORACLE_INSTANCE variables.
    2. Shut down OID using opmnctl stopall.
    3. Log in to the OID database as SYS or SYSTEM and change the password (and, if the account is locked rather than merely expired, unlock it as well, since a new password alone does not clear the lock):
    SQL> alter user ODS identified by New_PASSWORD;
    SQL> alter user ODS account unlock;
    4. On the OID tier, move aside the wallet file (the password file OID uses to connect to the database): $ORACLE_INSTANCE/OID/admin/oidpwdXXXX
    5. Recreate the wallet using
    $ORACLE_HOME/ldap/bin/oidpasswd connect=OIDDB create_wallet=true  (set ORACLE_HOME to the OID ORACLE_HOME mentioned above and set ORACLE_INSTANCE. Make sure TNS_ADMIN is not set; if it is set, point it to $ORACLE_INSTANCE/config.)
    6. If you have multiple OID instances (OID running on multiple machines), copy the wallet files to every other instance's $ORACLE_INSTANCE/OID/admin/oidpwdXXXX,
    or open a new command window on each of them and repeat steps 1 to 5.

    7. Start OID using opmnctl startall.

    If you know the ODS password and wish to change it, follow this process instead:
    1. Shut down OID using opmnctl stopall.
    2. On the OID tier, change the database password for the ODS schema:
    $ORACLE_HOME/ldap/bin/oidpasswd connect=OIDDB change_oiddb_pwd=true  (set ORACLE_HOME to the OID ORACLE_HOME mentioned above and set ORACLE_INSTANCE. Make sure TNS_ADMIN is not set; if it is set, point it to $ORACLE_INSTANCE/config.) This command updates the password both in the database and in the wallet on the OID tier.
    3. If you have multiple OID instances (OID running on multiple machines), copy the wallet files to every other instance's $ORACLE_INSTANCE/OID/admin/oidpwdXXXX.


    oidpasswd command syntax:

    $ORACLE_HOME/ldap/bin/oidpasswd
    Usage: oidpasswd connect=<Net8 Connect Descriptor> [change_oiddb_pwd=true | create_wallet=true | unlock_su_acct=true | reset_su_password=true | manage_su_acl=true]
     connect: Database connect string
     change_oiddb_pwd: Change OID database password (default operation)
     create_wallet: Create LDAP and Replication server wallets
     unlock_su_acct: Unlock OID super user account
     reset_su_password: Reset OID super user password
     manage_su_acl: Manage super user restricted ACL

    To inspect a wallet's contents (here the OPMN wallet):
    $ORACLE_HOME/bin/orapki wallet display -wallet /u03/app/oracle/admin/oid_inst1/config/OPMN/opmn/wallet
    Oracle PKI Tool : Version 11.1.1.6.0
    Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
    Requested Certificates:
    User Certificates:
    ------
    Trusted Certificates:
    ----------

    Ref:
    http://orafapp.blogspot.com/2012/09/creating-wallet-with-oidpasswd-in-oid.html
    http://onlineappsdba.com/index.php/2010/12/10/how-to-change-oid-11g-database-schema-ods-password/
    http://onlineappsdba.com/index.php/2010/09/20/oid-11g-down-unable-to-start-oid-11g-using-opmn-ods-schema-locked-ora-28002/

    support.oracle.com: 
    What oidpasswd Utility Does and the Objects it Modifies (ODS and ODSCOMMON) (Doc ID 204900.1)