Wednesday Nov 03, 2010

Oracle Directory Server Enterprise Edition on OpenSolaris b150, with DSCC7 in bundled Tomcat6

Objective: Install Oracle Directory Server Enterprise Edition (ODSEE11g) and DSCC7 on OpenSolaris without using privileged users.


Since we'll run the Directory Server instances unprivileged, let's create a group:

mm206378@vesuvio:~$ pfexec groupadd -g 389 oragrp

and a user with a password, so that it can log in:

mm206378@vesuvio:~$ pfexec useradd -u 389 -g oragrp -d /opt/dsee7 oradir
mm206378@vesuvio:~$ pfexec passwd oradir
New Password: ********
Re-enter new Password: ********
passwd: password successfully changed for oradir
mm206378@vesuvio:~$


Since this user should be able to run network services on privileged ports (TCP < 1024), we explicitly grant it that single extra privilege (net_privaddr) on top of the basic set:

mm206378@vesuvio:~$ pfexec usermod -K defaultpriv=basic,net_privaddr oradir

This test machine (my laptop, hostname 'vesuvio') has only one internal disk, so I won't be creating any dedicated zpool to host binaries and/or Directory Server instances. To ensure logical separation, we'll just create two datasets that isolate the deployment (binaries and variable data):

mm206378@vesuvio:~$ pfexec zfs create -o mountpoint=/opt/dsee7 rpool/dsee7-bin
mm206378@vesuvio:~$ pfexec zfs create -o mountpoint=/opt/dsee7/var rpool/dsee7-var


and change the ownership of these datasets to user oradir:

mm206378@vesuvio:~$ ls -ltRa /opt/dsee7/

/opt/dsee7/:
total 5
drwxr-xr-x 3 root root 3 2010-11-12 00:12 .
drwxr-xr-x 2 root root 2 2010-11-12 00:12 var
drwxr-xr-x 8 root sys  8 2010-11-11 23:48 ..

/opt/dsee7/var:
total 3
drwxr-xr-x 3 root root 3 2010-11-12 00:12 ..
drwxr-xr-x 2 root root 2 2010-11-12 00:12 .
mm206378@vesuvio:~$ pfexec chown -R oradir:oragrp /opt/dsee7/
mm206378@vesuvio:~$ ls -ltRa /opt/dsee7/
/opt/dsee7/:
total 5
drwxr-xr-x 3 oradir oragrp 3 2010-11-12 00:12 .
drwxr-xr-x 2 oradir oragrp 2 2010-11-12 00:12 var
drwxr-xr-x 8 root   sys    8 2010-11-11 23:48 ..

/opt/dsee7/var:
total 3
drwxr-xr-x 3 oradir oragrp 3 2010-11-12 00:12 ..
drwxr-xr-x 2 oradir oragrp 2 2010-11-12 00:12 .
mm206378@vesuvio:~$


Uncompress the packages:

mm206378@vesuvio:~$ pfexec su - oradir
Oracle Corporation    SunOS 5.11    snv_150    October 2010
oradir@vesuvio:~$ pwd
/opt/dsee7
oradir@vesuvio:~$ ls -tlra
total 11
drwxr-xr-x   8 root     sys            8 Nov 11 23:48 ..
drwxr-xr-x   2 oradir   oragrp         2 Nov 12 00:12 var
drwxr-xr-x   3 oradir   oragrp         4 Nov 12 00:41 .
-rw-------   1 oradir   oragrp        18 Nov 12 00:41 .sh_history
oradir@vesuvio:~$ mkdir inst && cd inst
oradir@vesuvio:~/inst$ unzip -q /tmp/ODSEE11g-S10x86.zip
oradir@vesuvio:~$ ls -l /opt/dsee7/ && cd /opt
total 6
drwxr-xr-x   4 oradir   oragrp         7 Nov 12 00:42 inst
drwxr-xr-x   2 oradir   oragrp         2 Nov 12 00:12 var
oradir@vesuvio:/opt$ unzip -q dsee7/inst/ODSEE_ZIP_Distribution/sun-dsee7.zip
oradir@vesuvio:/opt$ ls -ltra dsee7/
total 38
drwxr-xr-x   7 oradir   oragrp        12 Apr 26  2010 jre
drwxr-xr-x   3 oradir   oragrp         6 Jun 30 23:09 include
drwxr-xr-x   2 oradir   oragrp         4 Jun 30 23:09 etc
drwxr-xr-x   6 oradir   oragrp         6 Jun 30 23:10 dsrk
drwxr-xr-x   8 root     sys            8 Nov 11 23:48 ..
drwxr-xr-x   4 oradir   oragrp         7 Nov 12 00:42 inst
drwxr-xr-x   4 oradir   oragrp         4 Nov 12 00:46 ext
drwxr-xr-x  10 oradir   oragrp        10 Nov 12 00:46 resources
drwxr-xr-x   3 oradir   oragrp         3 Nov 12 00:47 var
drwxr-xr-x  12 oradir   oragrp        13 Nov 12 00:47 .
drwxr-xr-x   7 oradir   oragrp        18 Nov 12 00:47 lib
drwxr-xr-x   4 oradir   oragrp        23 Nov 12 00:47 bin
-rw-------   1 oradir   oragrp       450 Nov 12 00:50 .sh_history
oradir@vesuvio:/opt$


Now we have to configure CACAO and the DSCC instance:

oradir@vesuvio:~/bin$ dsccsetup initialize

The initialization prompts for the credentials of the DSCC administrator; when it completes, both CACAO and the ADS instance are up and running, all of them as the unprivileged user:

oradir@vesuvio:~/bin$ ps -aef | grep oradir
  oradir  7936  7934   0 00:54:32 ?           0:08 /opt/dsee7/jre/bin/java -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding
  oradir  8007  5002   0 01:00:51 pts/2       0:00 ps -aef
  oradir  8008  5002   0 01:00:51 pts/2       0:00 grep oradir
  oradir  5002  3339   0 00:41:41 pts/2       0:00 -sh
  oradir  7934     1   0 00:54:32 ?           0:00 /opt/dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/launch -w /opt/dsee7/ext/cacao_2
  oradir  7958     1   0 00:54:44 ?           0:04 /opt/dsee7/lib/64/ns-slapd -D /opt/dsee7/var/dcc/ads -i /opt/dsee7/var/dcc/ads/
oradir@vesuvio:~/bin$
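The whole point of this walkthrough is that nothing under /opt/dsee7 runs as root, so it is worth having a check that reads a ps listing and flags any deployment process owned by another user. The script below is an added example, not part of the original post; it parses ps -aef output (UID PID PPID C STIME TTY TIME CMD) and the listings it contains are constructed samples in the shape of the output above.

```shell
#!/bin/sh
# Added example (not part of the original post): check that every process of
# the ODSEE deployment under /opt/dsee7 runs as the unprivileged service user.
# On Solaris use nawk or /usr/xpg4/bin/awk, since the classic awk lacks -v.

DSEE_USER="oradir"      # service user created earlier in the post
DSEE_ROOT="/opt/dsee7"  # installation prefix (dataset mountpoint)

# Constructed sample: the three ODSEE processes plus an unrelated root process.
SAMPLE_PS='     UID   PID  PPID   C    STIME TTY         TIME CMD
  oradir  7936  7934   0 00:54:32 ?           0:08 /opt/dsee7/jre/bin/java -Xmx128M -Dcom.sun.management.jmxremote
  oradir  7934     1   0 00:54:32 ?           0:00 /opt/dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/launch -w /opt/dsee7/ext/cacao_2
  oradir  7958     1   0 00:54:44 ?           0:04 /opt/dsee7/lib/64/ns-slapd -D /opt/dsee7/var/dcc/ads -i /opt/dsee7/var/dcc/ads/
    root   123     1   0 00:10:00 ?           0:00 /usr/sbin/cron'

# Constructed sample of a misconfigured host: ns-slapd was started as root.
SAMPLE_PS_BAD='     UID   PID  PPID   C    STIME TTY         TIME CMD
  oradir  7934     1   0 00:54:32 ?           0:00 /opt/dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/launch -w /opt/dsee7/ext/cacao_2
    root  7958     1   0 00:54:44 ?           0:04 /opt/dsee7/lib/64/ns-slapd -D /opt/dsee7/var/dcc/ads'

# Print "<uid> <command>" for each process whose command path starts with
# DSEE_ROOT. Reads `ps -aef` output on stdin; the header line is skipped.
dsee_processes() {
    awk -v root="$DSEE_ROOT" 'NR > 1 && index($8, root) == 1 { print $1, $8 }'
}

# Print the number of DSEE processes found on stdin.
count_dsee_processes() {
    dsee_processes | awk 'END { print NR }'
}

# Print the offending "<uid> <command>" lines, i.e. DSEE processes that do
# not run as DSEE_USER (empty output means the deployment is clean).
dsee_wrong_user() {
    dsee_processes | awk -v u="$DSEE_USER" '$1 != u'
}

# Exit status 0 when every DSEE process runs as DSEE_USER, 1 otherwise.
check_dsee_user() {
    [ -z "$(dsee_wrong_user)" ]
}

# Stand-alone run against the constructed samples:
printf '%s\n' "$SAMPLE_PS" | check_dsee_user && echo "ok: all $DSEE_ROOT processes run as $DSEE_USER"
printf '%s\n' "$SAMPLE_PS_BAD" | dsee_wrong_user | sed 's/^/NOT as service user: /'
```

On a live host run `ps -aef | check_dsee_user` after sourcing the file; a non-zero exit (with the offending lines from `dsee_wrong_user`) means something in the deployment escaped the unprivileged user.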

The web container that will host the Directory Service Control Center needs read access at least to /opt/dsee7/var/dcc/ads/config to fetch the basic information, so we switch the runtime user of the 'tomcat6' service to oradir. It is still an unprivileged user; its only additional right is to bind servers to privileged ports (< 1024/TCP).

mm206378@vesuvio:~$ svccfg -s tomcat6
svc:/network/http:tomcat6> listprop start/user
start/user  astring  webservd
svc:/network/http:tomcat6> listprop start/group
start/group  astring  webservd
svc:/network/http:tomcat6> refresh
svc:/network/http:tomcat6> end
mm206378@vesuvio:~$


We can now deploy the Directory Service Control Center manually:

oradir@vesuvio:/var/tomcat6/webapps/dscc7$ unzip -q /opt/dsee7/var/dscc7.war

and enable the service:

mm206378@vesuvio:~$ svcadm enable tomcat6

Now open a browser and navigate to

http://vesuvio:8080/dscc7

et voilà: DSCC7 is there. You can now log in and create/manage instances.



P.S.: I've tidied up this post following the suggestion in the first comment, and I found the following post extremely useful: Locking Down Apache.


The next logical step would be tuning the TCP/IP stack, but I've already covered those steps in a previous post.



Thursday May 07, 2009

Make X listen on external TCP ports (Solaris and OpenSolaris)


In Solaris 10 and OpenSolaris the X server is enabled by default and controlled via SMF (Service Management Facility):



# ps -aef | grep Xsun
root 4767 4764 0 15:10:44 ? 0:01 /usr/openwin/bin/Xsun :0 -defdepth 24 -nolisten tcp -nobanner -auth /var/dt/A:0

# svcs -xv cde-login
svc:/application/graphical-login/cde-login:default (CDE login)
State: online since Thu May 07 15:10:43 2009
See: man -M /usr/dt/share/man -s 1 dtlogin
See: /var/svc/log/application-graphical-login-cde-login:default.log
Impact: None.
#



The default installation doesn't make the X server listen on its TCP port (note the -nolisten tcp flag in the command line above):



# netstat -naf inet | grep 6000

#



This is indeed a worthwhile security default, but sometimes it's also useful to have the X server reachable over TCP.


The X server's properties are defined in the /application/x11/x11-server service, and we can list them all with the following command:


# svccfg -s /application/x11/x11-server listprop
options                       application
options/default_depth         integer  24
options/server                astring  /usr/openwin/bin/Xsun
options/server_args           astring
options/stability             astring  Evolving
options/value_authorization   astring  solaris.smf.manage.x11
options/tcp_listen            boolean  false
fs-local                      dependency
fs-local/entities             fmri     svc:/system/filesystem/local
fs-local/grouping             astring  require_all
fs-local/restart_on           astring  none
fs-local/type                 astring  service
network-service               dependency
network-service/entities      fmri     svc:/network/service
network-service/grouping      astring  require_all
network-service/restart_on    astring  none
network-service/type          astring  service
name-services                 dependency
name-services/entities        fmri     svc:/milestone/name-services
name-services/grouping        astring  require_all
name-services/restart_on      astring  refresh
name-services/type            astring  service
general                       framework
general/action_authorization  astring  solaris.smf.manage.x11
general/entity_stability      astring  Evolving
start                         method
start/exec                    astring  "/lib/svc/method/x11-server -d 0 -c %i %m"
start/timeout_seconds         count    0
start/type                    astring  method
stop                          method
stop/exec                     astring  ":kill -TERM"
stop/timeout_seconds          count    10
stop/type                     astring  method
tm_common_name                template
tm_common_name/C              ustring  "X Window System server"
tm_man_Xserver                template
tm_man_Xserver/manpath        astring  /usr/openwin/share/man
tm_man_Xserver/section        astring  1
tm_man_Xserver/title          astring  Xserver
tm_man_Xsun                   template
tm_man_Xsun/manpath           astring  /usr/openwin/share/man
tm_man_Xsun/section           astring  1
tm_man_Xsun/title             astring  Xsun
tm_man_Xorg                   template
tm_man_Xorg/manpath           astring  /usr/X11/share/man
tm_man_Xorg/section           astring  1
tm_man_Xorg/title             astring  Xorg


In particular, the switch that controls whether the X server listens on TCP is:



# svccfg -s /application/x11/x11-server listprop options/tcp_listen
options/tcp_listen boolean false
#



In this case we enable it with the following command, and verify the new value:



# svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true
# svccfg -s /application/x11/x11-server listprop options/tcp_listen
options/tcp_listen boolean true
#



and restart (disable, then enable) the cde-login service so that the change takes effect:



# svcadm disable cde-login

# svcadm enable cde-login



and now we see the different behaviour (the -nolisten tcp flag is gone from the Xsun command line):



# ps -aef | grep Xsun
root 4844 4834 1 15:22:07 ? 0:00 /usr/openwin/bin/Xsun :0 -defdepth 24 -nobanner -auth /var/dt/A:0-N_aqCj
#



and also that the server is listening on the TCP port:



# netstat -naf inet | grep 6000
*.6000 *.* 0 0 49152 0 LISTEN
*.6000 *.* 0 0 49152 0 LISTEN
#



The server is now also listening on TCP port 6000, and on every interface (the local address is the wildcard *.6000), so X clients on other hosts can connect to it; remote connections are still subject to the server's X authorization (the -auth cookie file shown in the command line above).
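Because the switch is a single SMF property and the effect is a wildcard listener, it is useful to have a check that tells you, from the two command outputs used above, whether a display is exposed and to whom. The script below is an added example, not part of the original post; it parses captured `svccfg listprop` and `netstat -naf inet` output, and both inputs embedded in it are constructed samples in the shape of the post's output (on a live host pipe the real commands into the functions instead).

```shell
#!/bin/sh
# Added example (not part of the original post): decide from captured
# `svccfg listprop` and `netstat -naf inet` output whether the X server is
# reachable over TCP/6000, and from which addresses.
# On Solaris use nawk or /usr/xpg4/bin/awk for the awk calls below.

# Constructed sample of `svccfg -s /application/x11/x11-server listprop`.
SAMPLE_PROPS='options/server                astring  /usr/openwin/bin/Xsun
options/server_args           astring
options/tcp_listen            boolean  true
start/exec                    astring  "/lib/svc/method/x11-server -d 0 -c %i %m"'

# Constructed sample of `netstat -naf inet` (local address first, state last).
SAMPLE_NETSTAT='      *.6000               *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.631           *.*                0      0 49152      0 LISTEN'

# Print the value of options/tcp_listen ("true"/"false"), or "unset" if the
# property is not present in the dump. Reads listprop output on stdin.
x11_tcp_listen() {
    awk '$1 == "options/tcp_listen" { print $3; found = 1 }
         END { if (!found) print "unset" }'
}

# Print each local socket bound to port 6000 (display :0) in LISTEN state.
x11_listeners() {
    awk '$NF == "LISTEN" && $1 ~ /\.6000$/ { print $1 }'
}

# Classify exposure of display :0 from netstat output on stdin:
#   closed  - nothing listens on 6000
#   local   - only loopback (127.x) listeners
#   exposed - a wildcard (*.6000) or other non-loopback address listens
x11_exposure() {
    listeners=$(x11_listeners)
    if [ -z "$listeners" ]; then
        echo closed
    elif printf '%s\n' "$listeners" | grep -qv '^127\.'; then
        echo exposed
    else
        echo local
    fi
}

# Stand-alone run against the constructed samples:
echo "options/tcp_listen = $(printf '%s\n' "$SAMPLE_PROPS" | x11_tcp_listen)"
echo "display :0 exposure = $(printf '%s\n' "$SAMPLE_NETSTAT" | x11_exposure)"
```

The property tells you what the service is configured to do after the next restart; the netstat classification tells you what is actually bound right now, which is the value worth alerting on (a `tcp_listen` of false with an `exposed` display means someone started the server by hand with a different command line).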


About

Marco Milo
