Preparing a source EBS R12.2 instance for linking

This topic outlines the prerequisites for linking an EBS R12.2 instance to the Delphix Engine.

Ensure your EBS R12.2 instance is supported

See Source EBS R12.2 instance requirements to ensure you can link your EBS R12.2 instance to the Delphix Engine.

Ensure your EBS 12.2 environments comply with Oracle's documentation

Your environments must comply with Oracle's requirements for installing EBS. These requirements are outlined on Oracle E-Business Suite Release 12 Installation Guidelines (Doc ID 405565.1) found at https://support.oracle.com

Prepare the dbTier for linking

Delphix engine's Unix environment requirements

The dbTier must meet the source requirements outlined in Requirements for Unix environments. These requirements are generic to all source Unix environments added to the Delphix Engine.

oracle user

The Delphix Engine must have access to an oracle user on the dbTier.

• This user should be a member of both the EBS dba and oinstall groups.

• The user should own the stage directory for DBTechStack and database files that will be cloned.

• Ensure that the "expect" utility exists on the remote host.

dbTechStack binary permissions

Verify that the oracle user described above has read permissions at the group level for:

• $ORACLE_HOME/bin/nmb

• $ORACLE_HOME/bin/nmhs

• $ORACLE_HOME/bin/nmo

The Delphix Engine's Oracle database requirements

The dbTier must meet the source requirements outlined in Oracle support and requirements. These requirements are generic to all Unix environments containing an Oracle database to be linked.

Prepare the appsTier for linking

Delphix Engine's Unix environment requirements

The appsTier must meet the source requirements outlined in Requirements for unix environments. These requirements are generic to all source Unix environments added to the Delphix Engine.

applmgr user

The Delphix Engine must have access to an applmgr user on the appsTier.

• This user should be a member of the EBS oinstall group.

• The user should own the stage directory for Appstier files that will be cloned.

delphix_os OS user account

In order to separate authentication and perform privileged operations with a non-privileged OS account, first create an OS user account (i.e. "delphix_os") on the EBS DB Tier and appsTier node to be used as a source.
This user is easily created by the createDelphixOSUser.sh (located below on this page) script.

• The primary OS group of the Delphix Engine software owner account's (i.e. delphix_os) should be the same as the EBS Database/AppsTier software owner account (i.e. oravis or applmgr).

• Primary group = Oracle Install Group (typically oinstall), secondary group = OSDB Group (typically dba). There are lots of cases where the OS group named dba fills this role, so be sure to check the group membership of the EBS Database and AppsTier software owner account.

• Please note, the non-privileged OS account must have the same group as assigned to EBS Database or AppsTier privileged account (like oravis or applmgr).

Host requirements:

To accomplish necessary tasks on the EBS Database and appsTier source hosts, the Delphix OS user account (henceforth referred to as "delphix_os") requires privilege elevation specifications.

Here is an example specification for the "sudo" privilege elevation utility, using the "visudo" to edit the "sudoers" configuration file. This specification makes the following assumptions:

• OS = Linux

  • OS account owning Oracle EBS Database Tier is named oravis

  • OS account owning Oracle EBS appsTier is named applvis

• OS = Solaris

  • OS account owning Oracle EBS Database Tier is named oravis

  • OS account owning Oracle EBS appsTier is named oravis

• EBS Database and appsTier system base directory is /u01/oracle/VIS. This can be prefixed before all the below-mentioned commands to ensure the same are being executed from relevant paths.

The following sudoers entry is only for template purpose. Modify the path in the below sudoers entry with the appropriate binary paths of your environment.

Sudoers entry for Linux -

Sudoers entry for Solaris -

Requirement for privilege elevation script: DLPX_DB_EXEC

In order to elevate privileges from a non-privileged OS account (like delphix_os) to a privileged OS account (like applmgr), we need to push a privilege elevation script (dlpx_db_exec) up into the Delphix virtualization engine to become part of the Delphix common plugin.

Why we need DLPX_DB_EXEC

Some customers want to use low privilege users to perform delphix operations like linking and provisioning. It means their low privilege user should have sudo permissions to execute EBS application and DB related commands. The privilege elevation profile script dlpx_db_exec allows them to execute commands that require superuser privileges on customer source and target machines.

The privilege elevation script dlpx_db_exec can be created or pushed to Delphix Engine using Web API calls, CURL or dxtoolkit.

For steps on creating a Privilege Elevation Profile please refer to CLI Cookbook: How to create or edit a privilege elevation profiles and profile scripts

Content of DLPX_DB_EXEC Privilege Elevation Profile:

#!/bin/sh
#
# Copyright (c) 2018 by Delphix. All rights reserved.
#
# This script allows customization of command execution with an alternate user
# account.
# Arg $1 contains "-u<optional user account>" for the desired user under
# which database commands will be executed.
# By default this argument is ignored and the script is executed as the default
# account.
#
if [[ $1 != -u* ]]; then
   echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
   exit 1
fi
user_id=`echo $1 | sed -e "s/^-u//"`
shift 1
if [[ $user_id != "delphix_os" ]]; then
    command=$(printf "%s " "$@")
    sudo su - $user_id -c "$command"
else
    $@
fi

Below is an example of how we can push privilege elevation script “dlpx_db_exec” on a customer Delphix Engine:

• Create a session to Delphix Engine as Delphix os user:

  CODE

  curl -i -c cookies.txt -X POST -H "Content-Type:application/json" http://<Delphix-Engine>/resources/json/delphix/session -d '{
      "version":{
          "minor":11,
          "major":1, 
          "micro": 5, 
          "type":"APIVersion"
          },
          "type":"APISession"}'

Note: The API Version needs to be identified as per the Delphix Engine installed at the customer site.

• Login to Delphix Engine as Delphix OS User:

  CODE

  curl -i -c cookies.txt -b cookies.txt -X POST -H "Content-Type:application/json" http://<Delphix-Engine>/resources/json/delphix/login -d '{
      "password":"delphix",
      "type":"LoginRequest",
      "target":"DOMAIN",
      "username":"delphix_admin"
      }'

• Push DLPX_DB_EXEC contents to Delphix Engine:

  CODE

  curl -i -b cookies.txt -X POST -H "Content-Type:application/json" http://<Delphix-Engine>/resources/json/delphix/host/privilegeElevation/profileScript/HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 -d '{
      "type": "HostPrivilegeElevationProfileScript",
      "contents": "#\n# Copyright (c) 2018 by Delphix. All rights reserved.\n#\n\n#\n# This script allows customization of command execution with an alternate user\n# account.\nif [[ $1 != -u* ]]; then\n    echo \"Incorrect command line parameters, -u<optional user account> is required as the first parameter\"\n exit 1\nfi\nuser_id=`echo $1 | sed -e \"s\/^-u\/\/\"`\n\nshift 1\nif [[ $user_id != \"delphix_os\" ]]; then\ncommand=$(printf \"%s \" \"$@\")\nsudo su - $user_id -c \"$command\"\nelse\n$@\nfi\n"
      }'

Script

createDelphixOSUser.sh