Sunday, October 8, 2023

Default wallet password for Oracle Golden Gate Microservices

GoldenGate Microservices Architecture (MA) allows you to configure and manage data replication over homogeneous or heterogeneous database environments using RESTful services. These microservices can be accessed using various interfaces including a web interface, command line interface, REST API, or any other service that allows accessing REST-based microservices.

Image reference: https://docs.oracle.com/en/middleware/goldengate/core/21.3/coredoc/overview-oracle-goldengate-microservices-architecture.html#GUID-8079B9E7-3925-46AD-9C45-172C5A248798

When Oracle GoldenGate Microservices is installed from the OCI Marketplace, it creates default wallet files under /u02/deployment: ewallet.p12 and cwallet.sso. The installation does not prompt for a wallet password, so the wallet cannot be opened without knowing it.

The wallet password is required to create a secure distribution path in order to send the redo logs from an existing Extract to the target (in this example, GoldenGate for Big Data). The password can be found as follows:

For the client wallet password, look at the file init-ogg-deployment.py under /usr/local/bin. The client wallet password is in that file unless it was changed after the instance was created.

For the V19c GG Marketplace Microservices Architecture, that information is in /usr/local/bin/common.py.

For the V21c GG Marketplace Microservices Architecture, that information is in /usr/local/bin/init-ogg-deployment.py. However, for V21c you don't need to manipulate the wallet directly from the shell; you can do this from the Service Manager WebUI, which is the recommended practice.


Reference: https://docs.oracle.com/en/middleware/goldengate/core/19.1/oggmp/provisioning-oracle-goldengate-microservices-oci-marketplace.html#GUID-ED0DD115-6AB2-424F-8DE4-7DE145B5992C

Saturday, July 15, 2023

The Golden Gate Microservices Upgrade from 19c to 21c using GUI Method

Oracle GoldenGate Microservices Architecture (MA) allows you to configure and manage data replication over homogeneous or heterogeneous database environments using RESTful services. These microservices can be accessed using various interfaces including a web interface, command line interface, REST API, or any other service that allows accessing REST-based microservices.


The first step of any upgrade is to download the binaries from OTN.

For the 21c binary installation, create the directories as below:

New ORACLE_HOME=/u01/app/ogg/oracle21

Install using runInstaller.

Before:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u01/app/ogg/oracle19/lib
export ORACLE_HOME=/u01/app/ogg/oracle19/
export PATH=$PATH:$ORACLE_HOME/bin
export PATH=$PATH:/bin:$ORACLE_HOME/OPatch


New ORACLE_HOME=/u01/app/ogg/oracle21

Note down the extract and replicate trail file numbers and check whether they are in sync.

e.g. Extract trail number 579, replicate trail number 579

Stop the extract and replicate, as they are in sync.

Go to the Service Manager console and check the services below.

Stop the respective deployments, then open each deployment and edit its environment variables.

Now make the same change in the Service Manager and point it to the new Oracle Home.

Make the changes and click Apply.

Restart the Service Manager from the Service Manager console.

If a 502 gateway error appears when accessing the service console page, bounce the Service Manager from the backend:

export OGG_ETC_HOME=/u02/deployments/ServiceManager/etc
export OGG_VAR_HOME=/u02/deployments/ServiceManager/var
export ORACLE_HOME=/u01/app/ogg/oracle21/

ps -ef|grep Service

Kill all the listed processes from the OS.

Start the Service Manager:

cd $ORACLE_HOME/bin

./ServiceManager

ps -ef|grep Service

Access the Service Manager console page.

Start the respective deployments one by one.

Access the admin console page and start the extract & replicate.

References: https://docs.oracle.com/en/middleware/goldengate/core/21.3/coredoc/overview-oracle-goldengate-microservices-architecture.html#GUID-8079B9E7-3925-46AD-9C45-172C5A248798
https://docs.oracle.com/cd/F44199_01/upgrading/upgrading-oracle-goldengate.pdf

Sunday, May 7, 2023

Getting Started with Oracle Integration Cloud: A Beginner's Guide to Creating a Service Account (Non-Expiry) in OIC and Configuring the OIC Agent

Before we start, let us understand some basics about the two types of authentication which can be used for publishing the integrations.

BASICAUTH is a type of authentication mechanism supported by Oracle Integration Cloud (OIC) that allows users to authenticate using a username and password combination. When using BASICAUTH, the user's username and password are transmitted in the HTTP header of the request. In OIC, you can use BASICAUTH to secure REST services that are exposed through an integration. When a client sends a request to a REST endpoint secured by BASICAUTH, they must include the appropriate username and password in the request header. If the provided credentials are valid, the client will be able to access the service.

OAuth (Open Authorization) is an authentication and authorization protocol supported by Oracle Integration Cloud (OIC) that allows users to securely grant access to their resources or data to third-party applications without sharing their login credentials. OAuth works by having the user grant access to their data to an application (referred to as a "client") through a process known as "authorization." This process involves the user being redirected to an authorization server (in this case, OIC) to authenticate and grant permission to the client to access their resources. Once permission is granted, the client receives an access token that allows it to access the user's resources.



The major problem with using BASICAUTH with an IDCS user is that the password expires every 120 days, after which all integration configurations must be changed again. There is a workaround within IDCS using group policies to set the user password to never expire, which is altogether another topic for discussion.

In this post, we will see how to create a service account for which the password will never expire, using an OAuth token.

Go to IDCS:

Go to the IDCS console and create a confidential application. Once the application is activated, we will get the client ID and client secret.

Using the client ID and secret generated above, we invoke the curl command below to get an access token.

curl -X POST https://idcs-*********************.identity.oraclecloud.com/oauth2/v1/token -u c086e**********4f0:dee***************54be57e -d 'grant_type=client_credentials&scope=urn%3Aopc%3Aidm%3A__myscopes__'

The response contains the access token.

Run the curl command below to create a new application:

curl -X POST https://idcs-*****************.identity.oraclecloud.com/admin/v1/Apps -H 'Authorization: Bearer eyJ4NXQjUzI.............' -H 'Content-Type: application/json' -d '{ "active": true, "isOAuthClient": true,"allowedGrants": ["client_credentials"],"basedOnTemplate": {"value": "CustomWebAppTemplateId"}, "clientType": "confidential", "displayName": "mgu_OIC_SVC_ACC_BASICAUTH", "name": "mgu_OIC_SVC_ACC_BASICAUTH", "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]}'
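The same two calls as the curl commands above, written as an added Python example (not from the original post): the bootstrap client ID and secret are read from environment variables rather than passed with -u on the command line, where they would end up in shell history and in the process list. The IDCS_URL default is a placeholder, and IDCS_CLIENT_ID / IDCS_CLIENT_SECRET are environment variable names assumed for this example.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Placeholder tenancy URL; override it with the IDCS_URL environment variable.
IDCS_URL = os.environ.get("IDCS_URL", "https://idcs-PLACEHOLDER.identity.oraclecloud.com")
SCOPE = "urn:opc:idm:__myscopes__"


def build_token_request(idcs_url, client_id, client_secret):
    """Return (url, headers, body) for the client_credentials grant: what curl -u ... -d builds."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE})
    return f"{idcs_url}/oauth2/v1/token", headers, body.encode()


def extract_access_token(token_response_json):
    """Pull access_token out of the token endpoint's JSON; fail loudly on anything else."""
    data = json.loads(token_response_json)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError(f"unexpected token response fields: {sorted(data)}")
    return data["access_token"]


def build_app_payload(name):
    """SCIM body for a confidential OAuth client limited to the client_credentials grant."""
    return {"active": True, "isOAuthClient": True,
            "allowedGrants": ["client_credentials"],
            "basedOnTemplate": {"value": "CustomWebAppTemplateId"},
            "clientType": "confidential", "displayName": name, "name": name,
            "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]}


def post_json(url, headers, body):
    """POST helper; returns the decoded response body and raises on HTTP errors."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def create_service_app(idcs_url, client_id, client_secret, name):
    """Get a token with the bootstrap client, then create the service-account application."""
    url, headers, body = build_token_request(idcs_url, client_id, client_secret)
    token = extract_access_token(post_json(url, headers, body))
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return json.loads(post_json(f"{idcs_url}/admin/v1/Apps", headers,
                                json.dumps(build_app_payload(name)).encode()))


if __name__ == "__main__":
    app = create_service_app(IDCS_URL, os.environ["IDCS_CLIENT_ID"],
                             os.environ["IDCS_CLIENT_SECRET"], "mgu_OIC_SVC_ACC_BASICAUTH")
    print("created app id:", app.get("id"))
```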

Associate the newly created IDCS application with OIC

The next step is to associate this confidential application with the OIC application's ServiceUser role. This role is created by default during OIC provisioning and can be managed in IDCS.

My OIC instance: https://*****-idmfguxp1uca-ia.integration.ocp.oraclecloud.com/ic/home

In IDCS:

Now all the configuration of the IDCS confidential application and its association with the default OIC application has been completed.

Next, using the service account, we will configure the OIC Agent. The step-by-step download of the agent installer and creation of the agent group will be discussed in an upcoming post. In this post, I am just passing the values in the InstallerProfile.cfg file and checking whether I am able to start the OIC Agent using the OAuth account.

$ cat InstallerProfile.cfg
# Required Parameters
# oic_URL format should be https://hostname:sslPort
oic_URL=https://*********-ia.integration.ocp.oraclecloud.com:443
agent_GROUP_IDENTIFIER=TEST

# Proxy Parameters
# proxy_NON_PROXY_HOSTS: a list of hosts that should be reached directly, bypassing the proxy. This is a list of patterns separated by '|'.
oic_IDCS_URL=https://idcs-*****.identity.oraclecloud.com:443
oic_CLIENT_ID=mgu_OIC_SVC_ACC_BASICAUTH
oic_CLIENT_SECRET=******************
oic_SCOPE=https://********-ia.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all
proxy_HOST=
proxy_PORT=
proxy_USER=
proxy_PASSWORD=
proxy_NON_PROXY_HOSTS=

$ java -jar connectivityagent.jar
Proceeding to install a new agent ...
Enter your OIC username : *
Enter password:*
No Proxy Configuration Detected
Checking for trusted certificates ...
Making call to check OIC Version ...
Making call to check Agent group availability ...
Updating Agent with configuration details ...
Making call to register new agent instance ...
Making call for getting agent app id & keys...
Done with Agent installation & configuration... Starting Agent for message processing.
Agent started successfully...Now available for new messages...

I hope this post will help someone. In the next post, I will talk about installing and configuring an OIC Agent step by step. Till then, happy learning cloud.

References: https://kumarsoablog.blogspot.com/2020/03/access-oic-rest-based-integrations.html
https://docs.oracle.com/en/cloud/paas/integration-cloud/integration-cloud-auton/use-service-integration-account-no-password-expiration.html

Saturday, April 29, 2023

Getting started with OIC(Oracle Integration Cloud) for PaaS Admins

The intention of this post is to give an overview of what exactly OIC is and what is expected of a PaaS administrator who manages Oracle Integration Cloud. This is the first of a series of blog posts I will be writing on Oracle Integration Cloud.

Oracle Integration Cloud is a cloud-based integration platform offered by Oracle that enables businesses to integrate various applications, services, and data sources to streamline their business processes. It provides pre-built integration flows, adapters, and connectors to connect cloud and on-premises applications, databases, and services.

With Oracle Integration Cloud, users can easily create and manage integrations between different systems and automate business processes, such as order processing, customer service, and supply chain management. It offers features such as drag-and-drop integration design, built-in monitoring and error handling, and support for various integration patterns like REST, SOAP, and file-based integrations.

In addition, Oracle Integration Cloud also includes tools for API management, data mapping and transformation, and real-time data synchronization. It allows users to easily build, deploy, and manage APIs, and provides analytics and monitoring capabilities to ensure that APIs are performing optimally.

Oracle Integration Cloud offers a rich variety of connectors, including connections to other cloud products. This is one of the key differentiators compared with SOA Suite on the Cloud, which is intended for more hardcore developers.

The first step with OIC is to have access to the OCI Console with administrative privileges, federated with IDCS.

Provisioning takes 5-10 minutes.

Once it is in the active state, we can get the URL for accessing Oracle Integration Cloud from the Service Console URL.

How to start/stop the OIC instance:

That's it for this post. In the next post, we will go through how to activate a sample integration and test it. Till then, happy learning cloud.

I hope this post will help someone.

Sunday, April 16, 2023

A Step-by-Step Guide to Troubleshooting OCI Compute Instances Using Serial Console

The Serial Console allows users to access the system console of a compute instance. Instance console connections should be used for troubleshooting purposes only, for example when a successful boot is not happening, the instance has malfunctioned, or someone inadvertently played with the OPC keys. More details can be found under https://docs.oracle.com/en-us/iaas/Content/Compute/References/serialconsole.htm. In my case, one fine day, I was not able to log in to the instance using the OPC user. SSH was not working and I did not have any other choice than creating a serial console connection for Linux. I verified all the security list rules and all seemed to be fine at the moment. I was getting network error messages.

Thus, I went ahead and created the serial console connection for the malfunctioned instance.

Next, I logged in to another working instance which was in the same subnet as the malfunctioned instance. Under the ~ directory, I pasted the content of the key used earlier during console connection creation into the id_rsa key file (this was converted via PuTTYgen > Conversions > Export OpenSSH key (force new file format)).

Now, keeping the shell open, reboot the malfunctioned instance. We will see in the shell that the reboot process is in progress. Immediately press ESC or F5 repeatedly until a menu appears.

Press ENTER and we will get the screen below.

Press Enter and immediately press ESC repeatedly until the next screen appears.

Press e and, in the section at the bottom, add init=/bin/bash.

Press Ctrl-X.

At this moment, we are logged in as the root user and have supersonic powers. :)

[root@localhost .ssh]# /usr/sbin/load_policy -i
[root@localhost .ssh]# /bin/mount -o remount,rw /
[root@localhost .ssh]# cd /home/opc/.ssh
[root@localhost .ssh]# ls -lrt
total 4
-rw-------. 1 opc opc 402 Jan  7 15:25 authorized_keys
[root@localhost .ssh]# cp authorized_keys authorized_keys_bkup
[root@localhost .ssh]#

We could see that someone had modified the opc authorized_keys file, and that is the reason why we were not able to log in. Luckily, we had a backup; otherwise we would have had to regenerate the key content again.

Reverted to the old key file:

bash-4.4# cp authorized_keys_bkup authorized_keys
bash-4.4# ls -lrt
total 8
-rw-------. 1 root root 402 Apr 15 11:58 authorized_keys_bkup
-rw-------. 1 opc  opc  402 Apr 15 12:32 authorized_keys

Now, let us reboot the server and try to log in again as the opc user.

Here we are,

We can now delete the console connection from OCI console.

From this activity, we learnt that we should always keep a backup of the opc keys. As a best practice, also keep a backup of the boot volume.
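A check-and-backup script for the lesson above, as an added Python example (not from the original post): it reports the conditions under which sshd with StrictModes ignores ~/.ssh/authorized_keys (wrong owner, group/world-writable file or directory, empty file), makes a backup that keeps the file's mode and, when run as root, its owner (the plain cp in the listing above left the backup owned by root), and restores it. make_sample_home builds a throwaway fixture with a constructed key so the functions can be exercised without touching a real account.

```python
import os
import shutil
import stat
import tempfile

DEFAULT_OWNERS = {0, os.getuid()}   # sshd accepts key files owned by the user or by root


def check_ssh_key_files(home_dir, allowed_uids=None):
    """List what would make sshd (StrictModes yes) ignore ~/.ssh/authorized_keys."""
    allowed = DEFAULT_OWNERS if allowed_uids is None else set(allowed_uids)
    ssh_dir = os.path.join(home_dir, ".ssh")
    key_file = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.isfile(key_file):
        return [f"{key_file} is missing"]
    problems = []
    for path in (ssh_dir, key_file):
        st = os.stat(path)
        if st.st_uid not in allowed:
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {sorted(allowed)}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: group/other writable (mode {oct(st.st_mode & 0o777)})")
    if os.path.getsize(key_file) == 0:
        problems.append(f"{key_file}: empty, so no key would be accepted")
    return problems


def backup_authorized_keys(home_dir, suffix="_bkup"):
    """Copy authorized_keys to authorized_keys<suffix>, keeping its mode and, as root, its owner."""
    src = os.path.join(home_dir, ".ssh", "authorized_keys")
    dst = src + suffix
    shutil.copy2(src, dst)          # keeps the 0600 permission bits
    if os.geteuid() == 0:           # only root may chown: keep the copy owned by the user
        st = os.stat(src)
        os.chown(dst, st.st_uid, st.st_gid)
    return dst


def restore_authorized_keys(home_dir, suffix="_bkup"):
    """Put the backup back in place with the mode sshd expects; return the re-check result."""
    key_file = os.path.join(home_dir, ".ssh", "authorized_keys")
    shutil.copy2(key_file + suffix, key_file)
    os.chmod(key_file, 0o600)
    return check_ssh_key_files(home_dir)


def make_sample_home(broken=False):
    """Constructed fixture: throwaway home dir with one fake key, optionally world-writable."""
    home = tempfile.mkdtemp(prefix="opc-home-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    key_file = os.path.join(ssh_dir, "authorized_keys")
    with open(key_file, "w") as f:
        f.write("ssh-rsa AAAAB3NzaC1yc2E...CONSTRUCTED-NOT-A-REAL-KEY opc@example\n")
    os.chmod(key_file, 0o666 if broken else 0o600)
    return home
```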

I hope this post helps someone. Till then, keep learning cloud.

References: https://docs.oracle.com/en-us/iaas/Content/Compute/References/serialconsole.htm#four__maintenancemode

Sunday, March 26, 2023

Whitelist the IP address for accessing the Compute Instance in OCI

In Oracle Cloud Infrastructure (OCI), a whitelist is a security feature that allows you to specify a list of IP addresses or CIDR blocks that are permitted to access your resources.

A whitelist IP in Oracle Cloud is a list of approved IP addresses that can access a particular OCI resource, such as an instance, database, or storage bucket. When a whitelist is configured, only requests originating from the approved IP addresses can access the resource. All other requests are rejected by the OCI network security policies.

To add a whitelist IP in Oracle Cloud, you need to provide the IP address or range of IP addresses that you want to allow access to your resource. You can add the IP addresses manually or import a list of IP addresses from a file. Once the whitelist is set up, you can manage it by adding, deleting, or modifying the IP addresses as required.

Using a whitelist can help improve the security of your OCI resources by reducing the attack surface and limiting access to authorized users or systems. 

I had an existing security list whose rules were defined as publicly open to all (0.0.0.0/0). Anyone having the public IP address of the compute instance and the key would have access to the instance. Now, as part of this post, I want to restrict access to only my machine, so I am going to edit the existing rule and put my machine's IP address in it.
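A programmatic version of the check above, as an added Python example (not from the original post): it scans a security list in the shape returned by the OCI REST API (ingressSecurityRules with source, protocol and tcpOptions) for rules that expose TCP port 22 to 0.0.0.0/0, and builds the narrowed rule that allows only one admin host. SAMPLE_SECURITY_LIST is constructed for this example and does not describe a real VCN.

```python
import ipaddress

# Constructed sample in the shape of an OCI SecurityList resource (REST API field names).
# The addresses and names are made up for this example.
SAMPLE_SECURITY_LIST = {
    "displayName": "Default Security List for example-vcn",
    "ingressSecurityRules": [
        {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": "6", "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
        {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": "1", "isStateless": False,
         "icmpOptions": {"type": 3, "code": 4}},
        {"source": "10.0.0.0/16", "sourceType": "CIDR_BLOCK", "protocol": "all", "isStateless": False},
    ],
}


def rule_reaches_tcp_port(rule, port):
    """True if the rule admits TCP traffic to `port` (protocol "6" = TCP, "all" = every protocol)."""
    if rule.get("protocol") == "all":
        return True
    if rule.get("protocol") != "6":
        return False
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    return rng is None or rng["min"] <= port <= rng["max"]   # no range means all TCP ports


def find_world_open_rules(security_list, port=22):
    """Ingress rules that let any Internet address reach the given TCP port."""
    hits = []
    for rule in security_list.get("ingressSecurityRules", []):
        if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue                                    # service CIDR blocks are not the Internet
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.prefixlen == 0 and rule_reaches_tcp_port(rule, port):
            hits.append(rule)
    return hits


def restrict_rule_source(rule, admin_ip):
    """Copy of `rule` with its source narrowed to a single host, as the console edit above does."""
    host = ipaddress.ip_network(admin_ip, strict=False)
    if host.num_addresses != 1:
        raise ValueError(f"expected one host address, got {admin_ip}")
    narrowed = dict(rule)
    narrowed["source"] = str(host)                      # e.g. 203.0.113.10/32
    return narrowed
```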

Now, if I try to log in to the compute instance, it should allow me to log in.

This post illustrates a very basic security posture which we should maintain, because spinning up an instance on the cloud is very easy. Access should not be open to all; try to restrict it as much as possible.
That's all for this post. I hope it will help someone. Till then, enjoy learning cloud.

Tuesday, February 21, 2023

Access Control for WAF in OCI aka Oracle Cloud Infrastructure

In my last post https://samappsdba.blogspot.com/2023/01/web-application-firewall-as-reverse-proxy-server-oci.html, we saw how to set up the WAF in OCI. In this post, we will see how to set up access control for WAF in OCI.

What are access controls: they describe the conditions for an access rule used with a WAF policy. As a WAF administrator, you can define explicit actions for requests that meet various conditions. Conditions use various operations. A rule action can be set to allow, check, or return an HTTP response for all matched requests.

In this post, I have tried to simulate a scenario in which requests coming from the India region are not allowed.

Publish the changes. Now if I try to log in:

In the log, I can see that it has been blocked.

Now, for the same region, how to allow a single IP address:

Conditions will be:

Save the changes and publish them. Publishing the changes takes around 10 minutes.

There it is:

I can access the site now.

I hope this post will help someone. Till then keep learning cloud.