There is always that one problem that you want to analyze or that new feature that you briefly want to test. But often you lack a corresponding LAB environment. Especially if several systems and services like MS Active Directory have to be tested in combination. In this presentation we will show how IaC, scripts etc. can be used to create LAB environments quickly and easily. We will show how to configure VMs with Vagrant to test specific topics like Oracle Database Integration with Active Directory. In addition to Vagrant, we will also take a brief look at Docker Containers and Terraform Deployment on OCI, and see how you can create a corresponding LAB environment with moderate effort. The presentation will be complemented by corresponding demos and examples.
IaC MeetUp Active Directory Setup for Oracle Security LAB
1. IaC Meetup – LAB Environments
Stefan Oehrli
2021.09.16
2. HELLO, GRÜESSECH, HI!
STEFAN OEHRLI
PLATFORM ARCHITECT
§ Since 1997 active in various IT areas
§ More than 24 years of experience in Oracle databases
§ Focus: Protecting data and operating databases securely
o Security assessments and reviews
o Database security concepts and their implementation
o Oracle Backup & Recovery concepts and troubleshooting
o Oracle Enterprise User and Advanced Security, DB Vault, …
o Oracle Directory Services
§ Co-author of the book The Oracle DBA (Hanser, 2016/07)
5. AGENDA
§ Introduction
§ A set of scripts to rule them all
§ Trivadis LAB Company
§ AD Scripts
§ Vagrant
§ Oracle Init Scripts
§ Docker
§ Terraform
§ Use Cases
§ Conclusion
7. MOTIVATION
Training, testing and engineering are part of everyday life in IT
§ Onboarding new employees
§ Specific employee training or self-study
§ Regular training of operating activities
o Validate disaster recovery
o Train backup & recovery use cases
§ PoC environment for complex architectures
§ Or simply the latest feature
8. BUT WE DO HAVE A TEST SYSTEM...
… indeed, but it is ...
§ … currently being used by someone else
§ … under maintenance
§ … not up to date
§ … not configured appropriately
§ … not scalable (number of concurrent users)
§ … not scalable (system resources)
Time for engineering / training is limited and most of the time you don't want to spend it on setup tasks.
Image source: Stefan Oehrli, CERN LHC Data Center
9. SOLUTION APPROACHES
§ Flexibility through a large on-premises setup
o Fixed costs?
§ Local VMs or on-premises environments
§ Cloud lab and engineering environment
o Manual setup? Click, click, click...
§ Establish or reuse IT automation
o Scripts, Ansible, Puppet, …
§ What about the know-how for the trainings themselves?
But why not a setup using IaC?
Image source: Stefan Oehrli, CERN LHC
11. WORKING WITH ORACLE SECURITY FEATURES
§ Dependencies on other infrastructure components, e.g.,
o MS Active Directory
o Oracle Directory / LDAP Server
§ Focus on testing and engineering of features
o No time to set up the LAB
§ Possibility to test different variants and versions
o Does Kerberos authentication still work with Oracle 19c?
o New config required?
12. WHERE TO PUT THE LAB?
Cloud based would be state of the art…
§ Availability of resources
§ Scalability
§ Pay as you go
Business travel is the perfect time to...
§ Test new features
§ Troubleshoot / reproduce issues
Have you ever tried working in the cloud while traveling on the ICE from Zurich to Stuttgart?
§ Being offline for 30 min and longer is common
13. BUCKET LIST FOR THE ENGINEERING LAB
[ ] Oracle Database Server with the latest Oracle binaries
[ ] Test database, preferably with a container database and a single tenant database
[ ] Some fancy test schema
[ ] Optional additional Oracle Database Server with other releases
[ ] Oracle Unified Directory Server to set up an LDAP and configure EUS or Oracle Names resolution
[ ] Active Directory Server somehow matching my fancy test schema
[ ] KDC for Kerberos authentication
[ ] …
15. STAY FLEXIBLE - DIFFERENT APPROACHES
Set of common scripts
§ Publicly available on GitHub
§ Reusable for different implementations
§ From manual to fully automatic setups
16. GITHUB REPOSITORIES
§ Vagrant Configuration: trivadislabs.com
§ AD Setup scripts: ad-lab
§ Oracle Database Init Scripts: oradba_init
§ Docker Oracle Engineering: doe
§ Docker Build Scripts for Oracle: docker
§ A couple of Terraform modules, e.g.,
o Trivadis/terraform-oci-tvdlab-bastion
o Trivadis/terraform-oci-tvdlab-host
23. BUT WAIT, WHY NOT….
Why stay on plain Bash / PowerShell scripts?
§ There was no bigger picture / plan
§ Now there is an initial roadmap
§ Historically grown
o based on own needs / requirements
§ Lack of experience with Ansible, Puppet, etc.
Would I still do it in plain scripts?
§ In the meantime, I would probably use a tool
Contributions to those projects are highly welcome
25. TRIVADIS LAB COMPANY
§ Engineering of user / role concepts requires data
o A dump of production data is usually "below optimal"
§ The fictitious company Trivadis Lab serves as a training vehicle
§ Company with different departments
o Misc groups and organisational units (OU)
§ The Oracle Database schema TVD_HR matches the organization
o Oracle Virtual Private Database
o Oracle Enterprise Security
27. DEPARTMENTS
ID | Department             | Distinguished Name (DN)
10 | Senior Management      | ou=Senior Management,ou=People,dc=trivadislabs,dc=com
20 | Accounting             | ou=Accounting,ou=People,dc=trivadislabs,dc=com
30 | Research               | ou=Research,ou=People,dc=trivadislabs,dc=com
40 | Sales                  | ou=Sales,ou=People,dc=trivadislabs,dc=com
50 | Operations             | ou=Operations,ou=People,dc=trivadislabs,dc=com
60 | Information Technology | ou=Information Technology,ou=People,dc=trivadislabs,dc=com
70 | Human Resources        | ou=Human Resources,ou=People,dc=trivadislabs,dc=com
28. GROUPS
Group                      | Distinguished Name (DN)                                          | Description
Trivadis LAB APP Admins    | ou=Trivadis LAB APP Admins,ou=Groups,dc=trivadislabs,dc=com    | Application Administrators
Trivadis LAB DB Admins     | ou=Trivadis LAB DB Admins,ou=Groups,dc=trivadislabs,dc=com     | DB Admins from IT department
Trivadis LAB Developers    | ou=Trivadis LAB Developers,ou=Groups,dc=trivadislabs,dc=com    | Developers from the Research department
Trivadis LAB Management    | ou=Trivadis LAB Management,ou=Groups,dc=trivadislabs,dc=com    | Management and Managers
Trivadis LAB System Admins | ou=Trivadis LAB System Admins,ou=Groups,dc=trivadislabs,dc=com | System Admins from IT department
Trivadis LAB Users         | ou=Trivadis LAB Users,ou=Groups,dc=trivadislabs,dc=com         | All Users
30. AD-LAB – POWERSHELL SCRIPTS
§ Set of PowerShell scripts to set up AD and some tools
§ Step by step setup and configuration
o Sequence in file name
o Not every step is necessary
§ Script 00_init_environment.ps1 is sourced by every script
§ Dedicated configuration file
o Allows customization, e.g., IP, domain name etc.
§ Direct download of AD-LAB into your setup:
$StageFolder = "C:\stage"
$GitHubURL = "https://github.com/oehrlis/ad-lab/archive/refs/heads/main.zip"
New-Item -ItemType Directory -Force -Path $StageFolder
Invoke-WebRequest -Uri $GitHubURL -OutFile "$StageFolder\main.zip"
32. SCRIPTS PART I
§ 00_init_environment.ps1 Script to initialize and configure the default values
§ 01_install_ad_role.ps1 PowerShell script to install the MS Active Directory server role
§ 11_config_ad.ps1 PowerShell script to configure Active Directory
§ 12_config_dns.ps1 PowerShell script to configure the DNS server
§ 13_config_ca.ps1 Script to configure the Certification Authority
§ 19_sum_up_ad.ps1 PowerShell script to display a summary of the Active Directory domain and install Windows updates
§ 22_install_chocolatey.ps1 PowerShell script to install the Chocolatey package manager
33. SCRIPTS PART II
§ 27_config_cmu.ps1 PowerShell script to configure CMU on MS Active Directory
§ 28_config_misc.ps1 PowerShell script to configure NAT zone records for the AD domain
§ 28_install_oracle_client.ps1 PowerShell script to install the Oracle Client
§ 40_reset_ad_users.ps1 PowerShell script to reset all domain user passwords
§ 99_template.ps1 PowerShell template for other scripts
Note that the scripts 27_config_cmu.ps1 and 28_install_oracle_client.ps1 are currently just skeletons.
34. A FEW NOTES
§ I am not a Windows specialist
§ There is certainly room for improvement in the scripts
o Error handling, logging, automation, etc.
§ Windows is sometimes mmh…
o … not my best friend
§ Certain configuration steps require a delay before they can be executed
o Services must be available
o The Certification Authority (CA) cannot be set up at an early stage
o I do not understand every reboot
§ Not sure if this AD configuration meets common best practice
o It does work for my use cases
36. BASE IMAGES
§ Oracle Enterprise Linux as base images for Oracle Databases
o https://yum.oracle.com/boxes/
o Carefree package for Oracle DBs
o Linux optimization is / was not my goal
§ Windows based VMs using images from the Vagrant cloud
o Stefan Scherer has maintained a bunch of different images: https://app.vagrantup.com/StefanScherer
o Ready to use, with all kinds of things preconfigured, e.g., WinRM
o Based on the development license, i.e., the images will not work after 180 days; renewal is possible
37. TRIVADIS LAB
§ VirtualBox based test and engineering environment
§ Infrastructure as Code with Vagrant
o Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
§ Requires Vagrant, VirtualBox and the various images, software etc.
o HashiCorp Vagrant https://www.vagrantup.com
o Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
§ Different VMs for different applications
o win2019ad.trivadislabs.com Windows 2019 Active Directory
o ol7oud12.trivadislabs.com Oracle Unified Directory Server 12c
o ol7db21.trivadislabs.com Oracle DB Server with 21c
o As well as VMs for Oracle DB Server 19c, 18c, 12c and 11g
39. TRIVADIS LAB STRUCTURE
§ All VMs share a common config and script folder
o Generic setup scripts
o Vagrant config file vagrant.yml
o Folder mounted as /vagrant_common
§ Dedicated folder for lab and demo scripts
o Folder mounted as /vagrant_labs
§ Dedicated vagrant folder for each VM
o Location of the Vagrantfile
o Software like Oracle binaries / RU
o Specific setup and configuration scripts
o Folder mounted as /vagrant
§ Oracle 11g VM is also available
[Figure: repository folder tree: common config and scripts; lab and demo scripts; 12c, 18c and 19c DB VM specific stuff; OUD VM specific stuff; Windows VM specific stuff]
40. VAGRANT CONFIG FILE
Loading the config in a Vagrantfile (Ruby):
require 'yaml'
# - Configuration ------------------------------------------------
params = YAML.load_file '../common/config/vagrant.yml'
# shared configuration
var_default_password = params['common']['default_password']
Section in vagrant.yml valid for the AD server (YAML):
win2019ad:
  box: StefanScherer/windows_2019
  vm_name: win2019ad
§ YAML based configuration file vagrant.yml
§ Defines common but also VM specific stuff like hostnames, IP addresses, VM names, DB version, scripts and much more
§ Loaded in each Vagrantfile
§ Can be sourced with 00_init_environment.sh to load values from the Vagrant config file
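Added example, not the 00_init_environment.sh of the trivadislabs.com repository: a small POSIX shell reader that resolves values from the two-level vagrant.yml (a common section plus one section per VM) into shell variables, VM-specific values taking precedence over the common ones. The sample vagrant.yml, its values and the exported variable names are constructed for this demonstration; the reader assumes the simple "section:" / "  key: value" layout shown on the slide and is not a full YAML parser.

```shell
#!/bin/sh
# Added example, not the trivadislabs.com 00_init_environment.sh: resolve values
# from a two-level vagrant.yml (common: + one section per VM) into shell variables.
# Assumes the simple "section:" / "  key: value" layout shown on the slide; it is
# deliberately not a full YAML parser (no lists, no nested maps, no multi-line values).
set -eu

# Constructed sample standing in for ../common/config/vagrant.yml
VAGRANT_YML="${TMPDIR:-/tmp}/vagrant.yml.$$"
trap 'rm -f "$VAGRANT_YML"' EXIT
cat >"$VAGRANT_YML" <<'EOF'
# shared configuration
common:
  default_password: LAB42-secret   # constructed sample value
  domain: trivadislabs.com
  memory: 1024
# Configuration valid for AD server
win2019ad:
  box: StefanScherer/windows_2019
  vm_name: win2019ad
  ip: 10.0.1.4
ol7db21:
  box: oraclelinux/7
  vm_name: ol7db21
  memory: 4096
EOF

# vagrant_cfg FILE SECTION KEY -> prints the value, or nothing if the key is absent.
# Trailing "# comments" and surrounding quotes are stripped; a value that itself
# contains "#" (e.g. a password) would be cut short by this simplified reader.
vagrant_cfg() {
  awk -v sec="$2" -v key="$3" '
    # an unindented "name:" line opens a new section
    /^[^ \t#][^:]*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
    # first matching "key:" inside the wanted section wins
    cur == sec && $1 == (key ":") {
      sub(/^[ \t]*[^:]*:[ \t]*/, "")      # drop "key:" and leading blanks
      sub(/[ \t]*#.*$/, "")               # drop trailing comment
      gsub(/^["'\'']|["'\'']$/, "")       # drop surrounding quotes
      print; exit
    }' "$1"
}

# vm_cfg VM KEY -> VM-specific value, falling back to the common section
vm_cfg() {
  vm_cfg_val="$(vagrant_cfg "$VAGRANT_YML" "$1" "$2")"
  [ -n "$vm_cfg_val" ] || vm_cfg_val="$(vagrant_cfg "$VAGRANT_YML" common "$2")"
  printf '%s\n' "$vm_cfg_val"
}

# load_vm_env VM -> exports the variables a provisioning script would use
load_vm_env() {
  VM_NAME="$1"
  VM_BOX="$(vm_cfg "$1" box)"
  VM_MEMORY="$(vm_cfg "$1" memory)"
  VM_DOMAIN="$(vm_cfg "$1" domain)"
  VM_FQDN="${VM_NAME}.${VM_DOMAIN}"
  DEFAULT_PASSWORD="$(vm_cfg "$1" default_password)"
  export VM_NAME VM_BOX VM_MEMORY VM_DOMAIN VM_FQDN DEFAULT_PASSWORD
}

load_vm_env ol7db21
echo "$VM_FQDN box=$VM_BOX memory=$VM_MEMORY (common default would be 1024)"
```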
41. COMMON CONFIG SCRIPTS PART I
Generic configuration scripts. Primarily used for OUD and DB VMs
§ 00_init_environment.sh Init script to source the Vagrant config values as variables
§ 01_common_setup_os_db.sh Configure OS of DB VM
§ 01_common_setup_os_oud.sh Configure OS of OUD VM
§ 10_install_binaries.sh Wrapper script to install Oracle binaries. oradba_init scripts from GitHub are used to do the installation
§ 11_install_basenv.sh Wrapper script to install Trivadis BasEnv™
§ 12_config_tnsadmin.sh Configure TNS Admin related stuff
42. COMMON CONFIG SCRIPTS PART II
§ 12_config_tnsadmin.sh Configure TNS Admin related stuff
§ 20_create_databases.sh Wrapper script to set up the Oracle DBs
§ 80_create_tvd_hr_pdb1.sql SQL script to install the TVD_HR schema in a container DB
§ 81_create_tvd_hr.sql SQL script to install the TVD_HR schema
43. VAGRANT FILE
§ Each VM has its own Vagrant file Vagrantfile
§ The file contains all information on how the VM should be set up
o VM memory and CPU configuration
o Shared folder configuration
o Setup respectively provisioning scripts
§ Configuration is loaded from the Vagrant config file vagrant.yml
o Corresponding values are loaded as variables
§ A few things can easily be configured. Complex disk and network configuration is a bit tricky
§ The easiest thing is to just look at a file…
44. DB VM BUILD PROCESS
§ VM is based on the official Oracle Vagrant box
§ Resources: 4GB, 2 CPUs and a simple disk
§ Setup from OS config up to DB creation:
o 01_common_setup_os_db.sh
o 10_install_binaries.sh
o 11_install_basenv.sh
o 12_config_tnsadmin.sh
o 20_create_databases.sh
§ Up and ready in about 20 min depending on network speed and host performance
45. OUD VM BUILD PROCESS
§ VM is based on the official Oracle Vagrant box
§ Resources: 1GB, 1 CPU and a simple disk
§ Setup OS config and binary installation:
o 01_common_setup_os_oud.sh
o 10_install_binaries.sh
§ Currently working on OUD instance configuration
§ Up and ready in about 10 min depending on network speed and host performance
46. WINDOWS AD VM BUILD PROCESS
§ VM is based on the Stefan Scherer windows_2016 box on the Vagrant cloud
§ Resources: 1GB, 1 CPU and a simple disk
o 00_init_ad-lab.ps1
o 01_config_ad-lab_part1.ps1
o 02_config_ad-lab_part2.ps1
o 03_config_ad-lab_part3.ps1
§ Up and ready in about 10 min depending on network speed and host performance
47. REQUIREMENTS IN DETAIL
§ Vagrant scripts available in the GitHub repository https://github.com/oehrlis/trivadislabs.com
§ Vagrant CLI https://www.vagrantup.com
§ Vagrant plugin vagrant-reload, used for reload / reboot during provisioning of the VM
§ Vagrant boxes or base images
o These will be downloaded during the initial config of the VM
o The Windows base image is about 4G and will take a while
§ Oracle VM VirtualBox https://www.virtualbox.org/wiki/Downloads
§ Oracle binaries and patches as ZIP files
o Check the *.download files for the download information and links
§ Last but not least, a little memory, disk and CPU resources
48. VAGRANT IN A NUTSHELL
§ Clone the Git repository
git clone https://github.com/oehrlis/trivadislabs.com.git
§ Copy the corresponding Oracle software into the ../software directories
§ Initial start and provisioning of the VM (win2016ad, ol7db18, ol7db19, ol7oud12, …)
cd win2016ad
vagrant up
§ Access via vagrant ssh or rdp
vagrant ssh
sudo su - oracle
vagrant rdp
49. SUMMARY
§ Vagrant allows building reproducible lab environments
§ A lot is possible, but not yet everything
o Complex network configuration
o Highly customized storage configuration
§ There are still a few miles to go to have everything 100% automated
§ The current setup allows to focus on engineering…
… without spending hours on setups.
§ If you screw it up, just rebuild it!
51. ORACLE INIT SCRIPTS
§ Bunch of Bash scripts to install / configure Oracle Databases
o Rather simple configuration via environment variables
o Focus on Linux and Oracle setups
o Includes response files to create databases
§ Initially set up for Oracle Docker containers
§ Now used for…
o … manual deployments and installations on-premises
o … Vagrant setups
o … Docker images / containers
o … Terraform bootstrap of cloud database resources
§ Strong integration with Docker, Vagrant and Terraform configuration
53. SETUP ORACLE DATABASE
§ Prepare the OS environment for an Oracle installation
o Install the oracle-database-preinstall-19c package
o Create oracle user / groups / directories
o …
§ Install the Oracle binaries including additional RUs
§ Adjust the environment, SQLNet, listener etc.
§ Create a database using DBCA or custom scripts
§ Configure database and database features
§ Add a couple of customizations
Quite some work, isn’t it?
Time to simplify your setup using Docker images
Image source: https://www.docker.com
54. OPTIONS TO BUILD ORACLE DATABASE IMAGES PART I
§ Use the official pre-built Docker images provided by Oracle on https://container-registry.oracle.com/
o Limited releases / versions available, e.g. no RU / no customization
o Images are based on https://github.com/oracle/docker-images
§ Use third party pre-built Docker images for Oracle Databases
o Not supported.
o Providing Oracle software for download is not allowed at all.
55. OPTIONS TO BUILD ORACLE DATABASE IMAGES PART II
§ Build your own Oracle Database images based on https://github.com/oracle/docker-images
o Provides build scripts for a couple of Oracle products including Oracle Database RAC
§ Build your own Oracle Database images based on https://github.com/oehrlis/docker
o Similar approach as Oracle with a couple of customizations.
§ Start with your own build environment from scratch, or based on a project above or any other like ORACLE-BASE and much more on GitHub
56. ORADBA BUILD SCRIPTS
§ The GitHub repository oehrlis/docker provides a bunch of alternative build scripts.
o Similar approach as Oracle with a couple of customizations.
o Continuously developed and improved.
o Some improvements are added as pull requests to the official Oracle Docker build scripts, e.g. the Oracle Unified Directory build scripts.
§ The OraDBA GitHub repository includes build scripts for the following products / versions
o Oracle Unified Directory (11.1.2.3.x, 12.2.1.3.x and 12.2.1.4.x)
o Oracle Database Server EE 11g-21c with any kind of PSU/RU
§ The build scripts are modified at least every quarter to include the latest Oracle Critical Patch Updates.
57. USING ORADBA BUILD SCRIPTS
§ Clone the GitHub repository
git clone https://github.com/oehrlis/docker.git docker
§ Download the required Oracle binary packages. See the software/*.download files
§ Run the build wrapper script buildDB.sh or buildAllDB.sh
./common/buildDB.sh 19.0.0.0
§ Alternatively run docker build manually
docker build -t oracle/database:19.5.0.0 .
docker build -t oracle/database:18.6.0.0 -f 18.6.0.0.Dockerfile .
§ Oracle provides similar build scripts for different versions as well as Oracle editions.
59. PROCEDURE FOR CONTAINER START
§ 50_run_database.sh checks the volume and starts the database with…
§ 50_start_database.sh starts the listener and the database instance
§ 52_create_database.sh creates a database with the dbca.
§ 55_config_database.sh checks whether configuration files (*.sh or *.sql) are present
o ${INSTANCE_INIT}/setup
o ${INSTANCE_INIT}/startup
§ 55_check_database.sh
60. CONTAINER SCRIPTS
§ 50_run_database.sh checks the volume and starts the database with…
o 50_start_database.sh
o 52_create_database.sh, which is called if no database exists yet
§ 50_start_database.sh starts the listener and the database instance
§ 52_create_database.sh creates a database with the dbca. Base parameters can be adjusted with environment variables
§ 55_config_database.sh checks whether configuration files (*.sh or *.sql) are present in the directory ${INSTANCE_INIT}/setup or ${INSTANCE_INIT}/startup respectively.
§ 55_check_database.sh is used for the health check of the Docker container and checks the status of the database instance
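As an added example (not the oehrlis/docker container scripts themselves), the control flow behind a 50_run_database.sh-style entrypoint: create the database when the persistent volume holds no database yet, otherwise just start it, then run the hook scripts from ${INSTANCE_INIT}/setup (once, after creation) and ${INSTANCE_INIT}/startup (on every start), and expose a 55_check_database.sh-style health check. The volume layout, the control file check, the hook contents, the SID and the action log are constructed; dbca and sqlplus are not invoked, their calls are only recorded, so the flow runs without an Oracle installation.

```shell
#!/bin/sh
# Added example, not the oehrlis/docker scripts: the control flow behind
# 50_run_database.sh. Decides "create" vs "start" from the persistent volume,
# runs ${INSTANCE_INIT}/setup hooks once after creation and ${INSTANCE_INIT}/startup
# hooks on every start. Database actions are written to a log instead of calling
# dbca / sqlplus, so the flow can be exercised without an Oracle installation.
set -eu

ORACLE_SID="${ORACLE_SID:-TDB21}"                 # constructed SID
WORK="${TMPDIR:-/tmp}/oradba_demo.$$"
trap 'rm -rf "$WORK"' EXIT
ORADATA="$WORK/oradata"                           # stands in for the mounted volume
INSTANCE_INIT="$WORK/init"
ACTION_LOG="$WORK/actions.log"
mkdir -p "$ORADATA" "$INSTANCE_INIT/setup" "$INSTANCE_INIT/startup"
: >"$ACTION_LOG"

# Constructed hook scripts: a one-time setup SQL and a startup shell check
printf '%s\n' '-- constructed placeholder: enable unified audit here' \
  >"$INSTANCE_INIT/setup/10_audit.sql"
printf '%s\n' 'echo "startup hook: datapatch check (placeholder)"' \
  >"$INSTANCE_INIT/startup/10_datapatch.sh"

# A database exists when the volume already holds a control file for this SID;
# that check decides between 50_start_database.sh and 52_create_database.sh.
database_exists() { [ -f "$ORADATA/$ORACLE_SID/control01.ctl" ]; }

# run_hooks DIR: execute *.sh and hand *.sql to sqlplus, in name order (the
# numeric prefixes give the order). Other files are ignored.
run_hooks() {
  for f in "$1"/*; do
    [ -e "$f" ] || continue                       # empty directory: glob stays literal
    case "$f" in
      *.sh)  sh "$f" >>"$ACTION_LOG" ;;
      *.sql) echo "sqlplus / as sysdba @$f" >>"$ACTION_LOG" ;;   # recorded, not run
    esac
  done
}

# run_database: prints the mode taken (create|start) so callers can check it
run_database() {
  if database_exists; then
    echo "50_start_database: startup $ORACLE_SID" >>"$ACTION_LOG"
    mode=start
  else
    echo "52_create_database: dbca -createDatabase $ORACLE_SID" >>"$ACTION_LOG"
    mkdir -p "$ORADATA/$ORACLE_SID"
    : >"$ORADATA/$ORACLE_SID/control01.ctl"       # what dbca would leave on the volume
    run_hooks "$INSTANCE_INIT/setup"              # one-time configuration
    mode=create
  fi
  run_hooks "$INSTANCE_INIT/startup"              # every start
  echo "$mode"
}

# check_database: health check in the spirit of 55_check_database.sh
check_database() {
  database_exists && grep -qE '^(50_start|52_create)_database' "$ACTION_LOG"
}

first="$(run_database)"      # fresh volume -> create
second="$(run_database)"     # populated volume -> start
echo "first=$first second=$second"
cat "$ACTION_LOG"
```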
61. DOCKERIZED TESTS AT ANY PRICE?
But does everything make sense?
§ Performance tests?
§ Complex tests with high workload?
§ Tests with very large data sets?
It depends…
§ Docker, in particular its volumes, is not high performance
§ Hardware-dependent tests do not make sense.
§ It takes time to create large and comprehensive databases.
In general, do not test what is outside the scope of a Docker platform.
Image Credit: Docker Inc. / Laurel Duermaël
63. OCI BASED LABS
Oracle Cloud
§ Run the LAB environment
§ Scale resources or environments
Initialisation
§ Bootstrap scripts or Ansible workflows
§ Configure DBs, LAB etc.
Terraform
§ plan, apply, destroy the environment
§ Command line, build pipeline, OCI Stack
Git as the basis for the code
§ Terraform code
§ Setup scripts
§ LAB / Training documentation
[Figure: Infrastructure as Code in Git -> Terraform configuration -> Oracle Cloud Infrastructure -> System initialisation]
69. SYSTEM ACCESS
Different access paths
§ Direct via public IP addresses
§ Bastion Host
o Public IP address
o SSH access (putty, OpenSSH, etc)
o Port forwarding
o Apache Guacamole Remote Desktop
§ VPN Access
o OpenVPN
o Site2Site VPN
71. TERRAFORM BOOTSTRAP AND WINDOWS
§ Not yet best friends
§ Fully automated bootstrap does not work
o Reboot required
§ Manual or semi-automated approach required.
73. ORACLE PATCH AND RELEASE UPDATES
Background
§ It can happen that you have to patch Oracle databases.
§ Critical Patch Updates, Release Updates, one-off patches
Idea
§ Build dedicated Docker images (tags!) for the different RUs
§ Use the persistent volume with a new Docker database container, e.g. 19.4.0.0 to 19.5.0.0
Solution
§ Add a script to startup which runs datapatch on every database start.
§ Allows to apply and remove release updates.
§ Drawback: slows down container startup. Can be worked around by adding the script only when required
§ https://github.com/oehrlis/docker/tree/master/samples/patch
74. DATABASE UPGRADE
Idea
§ Build dedicated Docker images for the different major releases.
§ Use the persistent volume with a new Docker database container
Problem
§ Database upgrades are not straightforward.
§ Some scripts must be executed with the old binaries, whereas others need the new binaries.
Solution
§ Not as easy as release updates.
§ The upgrade process must be split into pre and post tasks.
§ Pre-tasks have to be executed before the old container is stopped.
§ The Oracle datafiles do not show in which upgrade state they are.
75. UNIFIED AUDIT
Background for Use Case Unified Audit
§ Customer project to engineer Oracle Unified Audit for a PDB environment.
§ Struggle with a couple of bugs and other challenges.
Idea for testing Unified Audit
§ Be able to test a similar setup with different versions
§ Test dedicated one-off patches
§ Test multitenant and single tenant databases
Solution approach
§ Add script to the container setup folder to enable and configure unified audit.
§ Add script to the container startup to check and enable unified audit.
§ https://github.com/oehrlis/docker/tree/master/samples/audit
76. CENTRALLY MANAGED USERS
Background
§ New Oracle security feature introduced with Oracle 18c
§ Simple replacement of Oracle Enterprise User Security
Idea
§ Set up a test environment based on Oracle Database
§ Use docker-compose to simplify the setup
Solution
§ Add scripts to set up the sample schema
§ Add scripts to configure CMU
§ Requires preparation on Active Directory
§ https://github.com/oehrlis/docker/tree/master/samples/cmu
77. ORACLE ENTERPRISE USER SECURITY
Background
§ Customer projects to engineer Oracle Enterprise User Security.
§ Test different Oracle releases, configurations, SSL settings etc.
Idea
§ Set up a test environment based on Oracle Database and Oracle Unified Directory on Docker
Solution
§ Add scripts to the OUD container setup folder to create an OUD instance with EUS suffix.
§ Add scripts to the DB container setup folder to configure Enterprise User Security in the database.
§ Script to register the database
§ Script to configure the EUS mapping
§ https://github.com/oehrlis/docker/tree/master/samples/eus
78. ORACLE ENTERPRISE USER SECURITY
§ Oracle Database Container
o Demo Schema with VPD
§ Oracle Unified Directory Container
o Directory with EUS suffix
§ Initial start of containers
o Creating the DB / Directory
o Registration of the DB
o Configuration of EUS
§ Available on GitHub
80. CONCLUSION
§ There are way too many possibilities to set up LAB environments
o I tend to do more engineering on this :)
§ Vagrant is a simple and easy solution to set up local systems
§ Scripts can easily be reused for different technologies
§ A new approach should probably be based on something like Ansible