Oracle Key Vault to Manage Server SSH Public Keys (Part 1)

Hello Friends,

In this post we will discuss how to manage server SSH public keys with Oracle Key Vault (OKV).

So let's get started.

Step 1 : Create the directories for the wallet and the log


[oracle@dm01db01 extra]$ mkdir -p okvrestcli/wallet
[oracle@dm01db01 extra]$ mkdir -p okvrestcli/log

Step 2 : Download the REST CLI package from the IP address used for the OKV server installation


[oracle@dm01db01 extra]$ cd okvrestcli/
[oracle@dm01db01 okvrestcli]$ curl -O -k https://192.168.136.146:5695/okvrestclipackage.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3865k  100 3865k    0     0  5928k      0 --:--:-- --:--:-- --:--:-- 5937k

[oracle@dm01db01 okvrestcli]$ ls -ltr
total 3868
drwxr-xr-x. 2 oracle oinstall       6 Mar  9 16:53 wallet
drwxr-xr-x. 2 oracle oinstall       6 Mar  9 16:53 log
-rw-r--r--. 1 oracle oinstall 3957977 Mar  9 17:02 okvrestclipackage.zip

Step 3 : Unzip the downloaded package


[oracle@dm01db01 okvrestcli]$ unzip okvrestclipackage.zip
Archive:  okvrestclipackage.zip
   creating: lib/
   creating: bin/
  inflating: bin/okv
  inflating: bin/okv.bat
   creating: conf/
  inflating: conf/okvrestcli.ini
  inflating: conf/okvrestcli_logging.properties
  inflating: lib/okvrestcli.jar
[oracle@dm01db01 okvrestcli]$ ls -ltr
total 3868
drwx------. 2 oracle oinstall      28 Oct 13 10:53 lib
drwx------. 2 oracle oinstall      65 Oct 13 11:17 conf
drwx------. 2 oracle oinstall      32 Oct 13 11:18 bin
drwxr-xr-x. 2 oracle oinstall       6 Mar  9 16:53 wallet
drwxr-xr-x. 2 oracle oinstall       6 Mar  9 16:53 log
-rw-r--r--. 1 oracle oinstall 3957977 Mar  9 17:02 okvrestclipackage.zip

Step 4 : Set the environment


[oracle@dm01db01 okvrestcli]$ echo 'export OKV_RESTCLI_CONFIG=/extra/okvrestcli/conf/okvrestcli.ini' > /extra/okvrestcli/set_okv_rest_api_env.sh
[oracle@dm01db01 okvrestcli]$ echo 'export JAVA_HOME=/oracle/app/orawork/product/19.0.0/db_1/jdk' >> /extra/okvrestcli/set_okv_rest_api_env.sh
[oracle@dm01db01 okvrestcli]$ echo 'export PATH=$PATH:/extra/okvrestcli/bin' >> /extra/okvrestcli/set_okv_rest_api_env.sh
[oracle@dm01db01 okvrestcli]$ source /extra/okvrestcli/set_okv_rest_api_env.sh

Step 5 : Edit the files okvrestcli_logging.properties and okvrestcli.ini


[oracle@dm01db01 okvrestcli]$ vi /extra/okvrestcli/conf/okvrestcli_logging.properties

/extra/okvrestcli/conf/okvrestcli_logging.properties
java.util.logging.FileHandler.pattern = /extra/okvrestcli/log/okv%u.log

[oracle@dm01db01 okvrestcli]$ vi /extra/okvrestcli/conf/okvrestcli.ini

/extra/okvrestcli/conf/okvrestcli.ini

[Default]
log_property=/extra/okvrestcli/conf/okvrestcli_logging.properties
server=192.168.136.146
#okv_client_config=./conf/okvclient.ora
user=ADMIN
client_wallet=/extra/okvrestcli/wallet

Step 6 : Check the unzipped software version

[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv
{ "restCLIVersion" : "21.7.0.0.0" }

Step 7 : Create the wallet that stores the password of the ADMIN user, so we don't have to provide the password every time


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv admin client-wallet add --client-wallet /extra/okvrestcli/wallet --wallet-user ADMIN
Password:
{
  "result" : "Success"
}
[oracle@dm01db01 okvrestcli]$

Step 8 : Create the endpoint using JSON input

[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv admin endpoint create --generate-json-input > /tmp/t.json
[oracle@dm01db01 okvrestcli]$ vi /tmp/t.json
[oracle@dm01db01 okvrestcli]$ cat /tmp/t.json
{
  "service" : {
    "category" : "admin",
    "resource" : "endpoint",
    "action" : "create",
    "options" : {
      "endpoint" : "dm01db01",
      "description" : "SSH for FLYDB",
      "platform" : "LINUX64",
      "type" : "SSH_SERVER",
      "strictIpCheck" : "FALSE",
      "sshServerHostName" : "dm01db01"
    }
  }
}
[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv admin endpoint create --from-json /tmp/t.json
{
  "result" : "Success"
}

If the endpoint is a database, $ORACLE_HOME and $ORACLE_BASE must additionally be defined, along with the WALLET_ROOT database parameter. In that case okvutil is installed under the WALLET_ROOT/okv path.

Step 9 : Provision Endpoint


[oracle@dm01db01 okvrestcli]$ export ORACLE_HOME=/oracle/app/orawork/product/19.0.0/db_1
[oracle@dm01db01 okvrestcli]$ export ORACLE_BASE=/oracle/app/orawork

[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv admin endpoint provision --generate-json-input  > /tmp/p.json
[oracle@dm01db01 okvrestcli]$
[oracle@dm01db01 okvrestcli]$ cat /tmp/p.json
{
  "service" : {
    "category" : "admin",
    "resource" : "endpoint",
    "action" : "provision",
    "options" : {
      "endpoint" : "#VALUE",
      "location" : "#VALUE",
      "autoLogin" : "#TRUE|FALSE"
    }
  }
}
[oracle@dm01db01 okvrestcli]$ vi /tmp/p.json
[oracle@dm01db01 okvrestcli]$ cat /tmp/p.json
{
  "service" : {
    "category" : "admin",
    "resource" : "endpoint",
    "action" : "provision",
    "options" : {
      "endpoint" : "dm01db01",
      "location" : "/extra/okvutil",
      "autoLogin" : "TRUE"
    }
  }
}

[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv admin endpoint provision --from-json /tmp/p.json
{
  "result" : "Success"
}
[oracle@dm01db01 okvrestcli]$

Step 10 : At the end, the /extra/okvutil directory contains all the files needed by okvutil. Because the endpoint was provisioned with "autoLogin" : "TRUE", okvutil works in auto-login mode, so a wallet has been created in the ssl directory:

[oracle@dm01db01 okvrestcli]$ tree /extra/okvutil
/extra/okvutil
├── bin
│   ├── ep_healthcheck.sh
│   ├── okveps.x64
│   ├── okv_ssh_ep_lookup_authorized_keys
│   ├── okvutil
│   └── root.sh
├── conf
│   ├── logging.properties
│   ├── okvclient.lck
│   ├── okvclient.ora
│   └── okvsshendpoint.conf
├── csdk
│   └── lib
│       └── liborasdk.so
├── jlib
│   └── okvutil.jar
├── lib
│   └── liborapkcs.so
├── log
│   └── okvutil.deploy.log
└── ssl
    ├── cwallet.sso
    └── ewallet.p12

8 directories, 15 files

Step 11 : Run root.sh as the root user, as given below


sudo su - 
/extra/okvutil/bin/root.sh

[root@dm01db01 ~]# /extra/okvutil/bin/root.sh
Creating directory: /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Copying PKCS library to /opt/oracle/extapi/64/hsm/oracle/1.0.0/
Setting PKCS library file permissions
Installation successful.
[root@dm01db01 ~]#

Step 12 : Now we need to point the OKV REST CLI at the okvclient.ora file that was created for okvutil during provisioning


[oracle@dm01db01 okvrestcli]$ vi /extra/okvrestcli/conf/okvrestcli.ini
[oracle@dm01db01 okvrestcli]$ cat /extra/okvrestcli/conf/okvrestcli.ini
#Provide absolute path for log_property, okv_client_config properties
[Default]
log_property=/extra/okvrestcli/conf/okvrestcli_logging.properties
server=192.168.136.146
okv_client_config=/extra/okvutil/conf/okvclient.ora
user=ADMIN
client_wallet=/extra/okvrestcli/wallet

Step 13 : The next step is to create a dedicated wallet of type SSH_SERVER, named Oracle_SSH_Wallet in this example, for this endpoint, and to grant the endpoint rights on that wallet. An SSH Server wallet can manage the authorisation for one SSH server host user across multiple SSH servers, when the same set of SSH client users needs to log in as that host user on all of those servers. Such shared use of SSH Server wallets further simplifies SSH access management at scale.


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv manage-access wallet create --generate-json-input > /tmp/shw.json
[oracle@dm01db01 okvrestcli]$
[oracle@dm01db01 okvrestcli]$ cat /tmp/shw.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "#VALUE",
      "type" : "#GENERAL|SSH_SERVER",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE",
      "sshServerHostUser" : "#VALUE"
    }
  }
}
[oracle@dm01db01 okvrestcli]$ vi /tmp/shw.json
[oracle@dm01db01 okvrestcli]$
[oracle@dm01db01 okvrestcli]$ cat /tmp/shw.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "Oracle_SSH_Wallet",
      "type" : "SSH_SERVER",
      "description" : "ssh wallet for user oracle on servers dm01db01",
      "sshServerHostUser" : "oracle"
    }
  }
}


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv manage-access wallet create --from-json /tmp/shw.json
{
  "result" : "Success"
}
[oracle@dm01db01 okvrestcli]$

Step 14 : Grant the endpoint access to the wallet created in the last step


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv manage-access wallet add-access --generate-json-input > /tmp/DSHW.json
[oracle@dm01db01 okvrestcli]$ vi /tmp/DSHW.json
[oracle@dm01db01 okvrestcli]$ cat /tmp/DSHW.json
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "add-access",
    "options" : {
      "wallet" : "Oracle_SSH_Wallet",
      "endpoint" : "dm01db01",
      "access" : "RM_MW"
    }
  }
}


[oracle@dm01db01 okvrestcli]$ /extra/okvrestcli/bin/okv manage-access wallet add-access --from-json /tmp/DSHW.json
{
  "result" : "Success"
}
[oracle@dm01db01 okvrestcli]$
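Steps 8, 9, 13 and 14 all follow the same pattern: generate a JSON template with --generate-json-input, replace the "#VALUE" and "#A|B" placeholders by hand in vi, then submit it with --from-json. The helper below, an added example that is not part of the original post or of the OKV tooling (the function names fill_okv_template and write_sample_provision_template are my own), does that replacement from the command line and refuses to emit a request while a placeholder is still unfilled or an enumerated option holds a value outside its list; options the template offers but you do not want (the post drops "unique" in step 13) are deleted from the template before filling.

```shell
# Added example, not from the original post: fill an "okv ... --generate-json-input"
# template and refuse to emit it while any "#..." placeholder is left or an
# enumerated option holds a value outside its list. Assumes the one "key" : "#..."
# per line layout shown in the post; values must not contain ~, & or \.
# fill_okv_template TEMPLATE key=value [key=value ...]  -> filled JSON on stdout
fill_okv_template() {
    tmpl=$1; shift
    out=$(cat "$tmpl")
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        # Placeholder text for this key, e.g. VALUE or TRUE|FALSE
        ph=$(printf '%s\n' "$out" |
             sed -n "s/^[[:space:]]*\"$key\"[[:space:]]*:[[:space:]]*\"#\([^\"]*\)\".*/\1/p")
        [ -n "$ph" ] || { echo "no placeholder for option '$key'" >&2; return 1; }
        # A|B placeholders are enumerations: the value must be one of the choices
        if [ "$ph" != "VALUE" ]; then
            case "|$ph|" in
                *"|$val|"*) ;;
                *) echo "bad value '$val' for '$key' (allowed: $ph)" >&2; return 1 ;;
            esac
        fi
        out=$(printf '%s\n' "$out" |
              sed "s~\(\"$key\"[[:space:]]*:[[:space:]]*\)\"#[^\"]*\"~\1\"$val\"~")
    done
    # Anything still carrying "#..." would reach the vault as a literal string
    if printf '%s\n' "$out" | grep -q '"#'; then
        printf '%s\n' "$out" | grep '"#' | sed 's/^/unfilled: /' >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# The step 9 template, constructed inline so the example runs without an OKV server.
write_sample_provision_template() {
    cat > "$1" <<'EOF'
{
  "service" : {
    "category" : "admin",
    "resource" : "endpoint",
    "action" : "provision",
    "options" : {
      "endpoint" : "#VALUE",
      "location" : "#VALUE",
      "autoLogin" : "#TRUE|FALSE"
    }
  }
}
EOF
}
```

For step 9 the call is `fill_okv_template /tmp/p.json endpoint=dm01db01 location=/extra/okvutil autoLogin=TRUE > /tmp/p_filled.json`, after which the filled file goes to `okv admin endpoint provision --from-json`.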

Step 15 : When the endpoint was enrolled and provisioned, okvutil was downloaded to the /extra/okvutil path. We now need to configure okvutil to use Oracle_SSH_Wallet for the oracle user.


[oracle@dm01db01 okvrestcli]$ cat /extra/okvutil/conf/okvsshendpoint.conf
# Configuration file for Oracle Key Vault SSH server endpoints
#[ user1 ]
#ssh_server_wallet=

#[ user2 ]
#ssh_server_wallet=



[oracle@dm01db01 okvrestcli]$ vi /extra/okvutil/conf/okvsshendpoint.conf
[oracle@dm01db01 okvrestcli]$ cat /extra/okvutil/conf/okvsshendpoint.conf
# Configuration file for Oracle Key Vault SSH server endpoints
[ oracle ]
ssh_server_wallet= Oracle_SSH_Wallet

#[ user2 ]
#ssh_server_wallet=

At this point we have an enrolled endpoint, dm01db01, which is an SSH server; a wallet, Oracle_SSH_Wallet, for the oracle user; and the endpoint has been granted access to manage that wallet.

We will continue with the remaining steps in the next post.

Regards

Sultan Khan
