Notes for Oracle as External database in IM&P

For a while I’ve been running an Oracle XE as my external database for chat persistence and message archiving. Trying to remember how to add an additional database when it was time to configure Managed File Transfer was a pain for sure. Hopefully these notes will help me the next time!

[oracle@HOSTNAME ~]$ sqlplus / AS SYSDBA
SQL*Plus: Release 11.2.0.2.0 Production on Mon Jul 6 13:37:44 2015

Copyright (c) 1982, 2011, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL> CREATE TABLESPACE DB_CHATFILE DATAFILE '/u01/app/oracle/oradata/XE/db_chatfile.dbf' SIZE 100M
  2  AUTOEXTEND ON NEXT 1M MAXSIZE UNLIMITED LOGGING EXTENT MANAGEMENT
  3  LOCAL SEGMENT SPACE MANAGEMENT AUTO;

Tablespace created.

SQL> CREATE USER CHATFILE IDENTIFIED BY "pAsSw0rd" DEFAULT TABLESPACE db_chatfile TEMPORARY
  2  TABLESPACE "TEMP" QUOTA UNLIMITED ON db_chatfile ACCOUNT UNLOCK;

User created.

SQL> GRANT DBA TO CHATFILE;

Grant succeeded.

SQL> ALTER SYSTEM SET service_names='XE, CHATCOMP, CHATPERS, CHATFILE';

System altered.

SQL> exit
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
[oracle@HOSTNAME dbs]$ exit

Once configured, verify that the newly configured service names show up in lsnrctl status;

[root@HOSTNAME bin]# lsnrctl status

LSNRCTL for Linux: Version 11.2.0.2.0 - Production on 06-JUL-2015 13:42:07

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC_FOR_XE)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.2.0 - Production
Start Date                06-JUL-2015 13:29:24
Uptime                    0 days 0 hr. 12 min. 43 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Default Service           XE
Listener Parameter File   /u01/app/oracle/product/11.2.0/xe/network/admin/listener.ora
Listener Log File         /u01/app/oracle/product/11.2.0/xe/log/diag/tnslsnr/HOSTNAME/.../log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC_FOR_XE)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=FQDN)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=FQDN)(PORT=8080))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "CHATCOMP" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "CHATFILE" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "CHATPERS" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "XE" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "XEXDB" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
The command completed successfully
[root@HOSTNAME bin]#
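Eyeballing the Services Summary works for four services, but it is easy to miss one. The following Python script is an added example (not part of these notes and not an Oracle tool) that parses the Services Summary section of lsnrctl status and reports every expected service that is either not registered with the listener or has no instance in status READY. The sample output is constructed from the listing above, and the expected list mirrors the service_names value set earlier.

```python
import re
import sys

# Constructed sample, modelled on the lsnrctl status output in these notes
# (only the part the check needs).
SAMPLE_LSNRCTL = """\
Services Summary...
Service "CHATCOMP" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "CHATFILE" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "CHATPERS" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "XE" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
Service "XEXDB" has 1 instance(s).
  Instance "XE", status READY, has 1 handler(s) for this service...
The command completed successfully
"""

# The services added to service_names in the notes above, plus the default service.
EXPECTED_SERVICES = ["XE", "CHATCOMP", "CHATPERS", "CHATFILE"]

SERVICE_RE = re.compile(r'^Service "([^"]+)" has \d+ instance\(s\)\.')
INSTANCE_RE = re.compile(r'^\s+Instance "([^"]+)", status (\w+),')


def parse_services(text):
    """Map each service name (upper-cased) to its list of (instance, status)."""
    services = {}
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1).upper()
            services.setdefault(current, [])
            continue
        m = INSTANCE_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2)))
    return services


def check_services(text, expected):
    """Return one problem string per expected service that is absent or not READY.

    An empty list means every expected service is registered with at least one
    READY instance, which is what the listener has to show before IM&P can
    connect to the new database."""
    services = parse_services(text)
    problems = []
    for name in expected:
        instances = services.get(name.upper())
        if instances is None:
            problems.append(f"{name}: not registered with the listener")
        elif not any(status == "READY" for _, status in instances):
            statuses = ", ".join(status for _, status in instances)
            problems.append(f"{name}: registered but no READY instance ({statuses})")
    return problems


if __name__ == "__main__":
    # Feed it real output with:  lsnrctl status | python3 check_listener.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSNRCTL
    problems = check_services(text, EXPECTED_SERVICES)
    print("OK: all expected services READY" if not problems else "\n".join(problems))
```

If a freshly added service name is missing from the listing, dynamic registration may simply not have happened yet; running ALTER SYSTEM REGISTER as SYSDBA asks the instance to re-register its services with the listener.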

The Cisco documentation does mention that it should be possible with a more restrictive grant than DBA, but that is something I’ll leave for another day to verify.

Enterprise Groups in Jabber

I just configured the Enterprise Groups for Cisco Unified Communications Manager.

I attempted to keep my original agreement for Users and added a second agreement for Groups to align with my directory structure;

(Screenshot: one existing agreement for ou=Users,ou=XX,ou=YY,dc=domain,dc=tld and one added for ou=Groups,ou=XX,ou=YY,dc=domain,dc=tld)

When running the synchronizations, the groups were added to CUCM as expected and it became possible to add them in the Jabber client. The groups were however empty! I made a few attempts at manually running both of my sync agreements without any success – the groups stayed empty.

Reconfigured the synchronization to start one level higher in our directory (ou=XX,ou=YY,dc=domain,dc=tld), fetching users and groups within the same agreement, and it worked like a charm! (Be careful here though, you might end up with more users than you’re expecting – depending on your AD layout and the filters previously in place).

The result (screenshot: this time with actual members in the groups) 😉

As an additional note, remember that there is currently no search feature for groups from within Jabber; you will have to know the exact name of the group, and it is case sensitive. Add the groups from File, New, Directory Group.
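The two-agreement layout above and the single-agreement fix can be sanity-checked before running a sync. The Python below is an added example, not part of this post or of any Cisco tooling, and it encodes one assumption that is consistent with what was observed but is not documented behaviour: a group only shows the members that the same sync agreement also imported as users, so every member DN must sit under the search base of the agreement that covers the group. The DNs are constructed to match the layout described above (ou=XX is placeholder naming from the post).

```python
def split_dn(dn):
    """Split a DN into its RDNs, handling backslash-escaped commas.

    Each RDN is lower-cased and trimmed so that "CN=Alice, OU=Users" and
    "cn=alice,ou=users" compare equal. Full RFC 4514 normalisation (escaped
    hex, multi-valued RDNs) is out of scope for this check."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [r.strip().lower() for r in rdns]


def dn_within_base(dn, base_dn):
    """True if dn equals base_dn or lies anywhere beneath it in the tree."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base


def agreement_for(dn, agreement_bases):
    """The first agreement search base that covers dn, or None if none does."""
    for base in agreement_bases:
        if dn_within_base(dn, base):
            return base
    return None


def unresolved_members(group_dn, member_dns, agreement_bases):
    """Member DNs that the agreement covering group_dn would not have synced.

    Assumption (encodes what the post observed, not documented behaviour):
    a group only resolves members that the same agreement synced as users."""
    base = agreement_for(group_dn, agreement_bases)
    if base is None:
        return list(member_dns)  # the group itself is outside every agreement
    return [m for m in member_dns if not dn_within_base(m, base)]


# Constructed sample matching the layout described above.
USERS_BASE = "ou=Users,ou=XX,ou=YY,dc=domain,dc=tld"
GROUPS_BASE = "ou=Groups,ou=XX,ou=YY,dc=domain,dc=tld"
PARENT_BASE = "ou=XX,ou=YY,dc=domain,dc=tld"
GROUP_DN = "CN=Jabber Users,OU=Groups,OU=XX,OU=YY,DC=domain,DC=tld"
MEMBERS = [
    "CN=Alice Example,OU=Users,OU=XX,OU=YY,DC=domain,DC=tld",
    "CN=Bob Example,OU=Users,OU=XX,OU=YY,DC=domain,DC=tld",
    "CN=Svc\\, Account,OU=Service,OU=ZZ,DC=domain,DC=tld",  # outside ou=XX entirely
]

if __name__ == "__main__":
    for label, bases in [("two agreements", [USERS_BASE, GROUPS_BASE]),
                         ("one agreement at ou=XX", [PARENT_BASE])]:
        missing = unresolved_members(GROUP_DN, MEMBERS, bases)
        print(f"{label}: {len(missing)} of {len(MEMBERS)} members unresolved")
```

With the two separate agreements every member of the group comes back as unresolved, which matches the empty groups seen above; with the single agreement at ou=XX only the member from a different part of the tree remains unresolved. Running the same check over the full member list also gives a feel for how many extra users a wider search base would pull in.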

CUCM Native Call Queuing

A few important notes regarding Native Call Queuing in CUCM;

  • If “Allow Multi-casting” is checked, or “Initial Announcement Played” is set to “Always”, the initial announcement is played by ANN
  • If “Allow Multi-casting” is un-checked, and “Initial Announcement Played” is set to “Only for queued calls”, the initial announcement is played by MOH
  • Periodic announcements are always played by MOH, but beware of CSCui60607
  • Do NOT use extensions that are associated with an RDP or MI in the line group (add secondary extensions on the phone to dodge this one)
  • Announcements played by ANN are played in the locale of the calling party
  • Announcements played by MOH are played in the locale configured for the announcement

Thanks to CSCuj05744 for clearing up some details on the way here.

Signing CUCM certificates

When signing CUCM certificates using a Microsoft CA, not all extensions that are present in the self-signed certificate will be available.

Create the template as a duplicate of Web Server, add Client Authentication and IP security end system (in addition to Server Authentication) as Application Policy, and make sure that Digital Signature, Allow key exchange only with key encryption and Allow encryption of user data are selected under Key Usage Extension.

Issue the certificate using the newly defined template.

Failed Presence/IM&P upgrade

Attempted a CUP/IM&P upgrade from 8.6(4) to 10.5(2)a, but ended up with a failed refresh upgrade (RU) and the system booting back to 8.6.

Investigating install.log shows the following;

03/24/2015 02:13:32 IPM|Internal Error, File:ipm.c:2011, Function: ipmReadNormalizedInputLine(), "/usr/local/cm/script/cm-dbl-install RU PostInstall 10.5.2.20000-1 8.6.4.10000-28 /usr/local/cm/ /common/component/database /common/log/install/capture.txt " failed (1)|<LVL::Critical>
03/23/2015 18:13:34 InstallWizard|Platform Install: view|<LVL::Info>
03/24/2015 02:13:34 IPM| end-of-session "Installing database component": 4387.198 secs.|<LVL::Info>
03/24/2015 02:13:34 IPM|Close progress meter "Component Install"|<LVL::Info>
03/24/2015 02:13:34 component_install|Writing database into /common/log/install/component_failed.xml file.|<LVL::Info>
03/24/2015 02:13:34 component_install|/common/log/install/component_failed.xml created : 0|<LVL::Info>
...
03/24/2015 02:13:34 component_install|File:/opt/cisco/install/bin/component_install:807, Function: exec_progmeter(), /opt/cisco/install/bin/progmeter failed (1)|<LVL::Error>
03/24/2015 02:13:34 appmanager.sh|Internal Error, File:/usr/local/bin/base_scripts/appmanager.sh:273, Function: refresh_upgrade(), failed to refresh_upgrade infrastructure_post components|<LVL::Critical>
03/24/2015 02:13:34 post_install|File:/opt/cisco/install/bin/post_install:961, Function: install_applications(), /usr/local/bin/base_scripts/appmanager.sh -refresh-upgrade failed (1)|<LVL::Error>
03/24/2015 02:13:34 post_install|Exiting with result 1|<LVL::Info>
...
03/24/2015 02:13:38 post_install|_set_upgrade_status_attribute: status set to upgrade.stage.error|<LVL::Debug>
03/24/2015 02:13:38 post_install|File:/opt/cisco/install/bin/post_install:624, Function: handle_refresh_upgrade_failure(), Refresh upgrade failed. Trying to reboot to currently active version.|<LVL::Error>

Investigating syslog/messages on the INACTIVE partition after the RU failure shows multiple avc denials, similar to the following examples;

Mar 23 18:12:01 HOSTNAME kern 6 kernel:SELinux:  Context admin_u:object_r:cli_tmp_t:s0 is not valid (left unmapped).
Mar 23 18:12:01 HOSTNAME kern 5 kernel:type=1400 audit(1427159521.658:796866): avc:  denied  { getattr } for  pid=1842 comm="installdb" path="/common/log/install/downloaded_versions" dev=sda6 ino=1769674 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:12:03 HOSTNAME kern 5 kernel:type=1400 audit(1427159523.390:796867): avc:  denied  { setattr } for  pid=2085 comm="chown" name="drfuser" dev=sda1 ino=612031 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Mar 23 18:13:16 HOSTNAME kern 5 kernel:type=1400 audit(1427159596.820:796876): avc:  denied  { ioctl } for  pid=6070 comm="sftp_connect.sh" path="/home/sftpuser/sftp_connect.sh" dev=sda1 ino=612018 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.576:796877): avc:  denied  { remove_name } for  pid=1842 comm="installdb" name="sqlhosts_9BoX7x" dev=sda1 ino=612082 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.576:796878): avc:  denied  { unlink } for  pid=1842 comm="installdb" name="sqlhosts_9BoX7x" dev=sda1 ino=612082 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.841:796879): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export" dev=sda6 ino=1000180 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.851:796880): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export/dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796881): avc:  denied  { read } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796882): avc:  denied  { open } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.246:796883): avc:  denied  { write } for  pid=6333 comm="rm" name="cupl2.export" dev=sda6 ino=1000180 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796889): avc:  denied  { read } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796890): avc:  denied  { open } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796891): avc:  denied  { write } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612071 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796893): avc:  denied  { create } for  pid=8184 comm="sed" name="sedYOAA0s" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796894): avc:  denied  { write } for  pid=8184 comm="sed" name="sedYOAA0s" dev=sda6 ino=1769710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.950:796895): avc:  denied  { rename } for  pid=8184 comm="sed" name="sedYOAA0s" dev=sda6 ino=1769710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
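A messages file from a failed RU holds far more of these lines than shown here, and the pattern is easier to see once they are grouped the way audit2allow does it. The Python below is an added example (not part of this post, not a Cisco tool) that parses AVC denial lines from syslog, collapses them to (source type, target type, class) with the union of denied permissions, and lists the targets carrying unlabeled_t. The sample input is a handful of the lines from the excerpt above plus the non-AVC SELinux line, to show it is skipped.

```python
import re
from collections import defaultdict

# Sample lines copied from the messages excerpt above (a few of them, plus the
# non-AVC SELinux line, to show that it is ignored).
SAMPLE_MESSAGES = """\
Mar 23 18:12:01 HOSTNAME kern 6 kernel:SELinux:  Context admin_u:object_r:cli_tmp_t:s0 is not valid (left unmapped).
Mar 23 18:12:01 HOSTNAME kern 5 kernel:type=1400 audit(1427159521.658:796866): avc:  denied  { getattr } for  pid=1842 comm="installdb" path="/common/log/install/downloaded_versions" dev=sda6 ino=1769674 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:12:03 HOSTNAME kern 5 kernel:type=1400 audit(1427159523.390:796867): avc:  denied  { setattr } for  pid=2085 comm="chown" name="drfuser" dev=sda1 ino=612031 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796881): avc:  denied  { read } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796882): avc:  denied  { open } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796889): avc:  denied  { read } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796893): avc:  denied  { create } for  pid=8184 comm="sed" name="sedYOAA0s" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

# Kernel AVC record: "avc:  denied  { perms } for  pid=.. comm=".." [path|name=".."] ... scontext=.. tcontext=.. tclass=.."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+(?:path|name)="(?P<target>[^"]+)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial; lines without an AVC record are ignored."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["perms"] = ev["perms"].split()
            ev["target"] = ev["target"] or ""
            events.append(ev)
    return events


def summarize(events):
    """Collapse denials to (source type, target type, class) -> set of permissions,
    the grouping audit2allow uses, so a long log becomes a few rows."""
    summary = defaultdict(set)
    for ev in events:
        key = (selinux_type(ev["scontext"]), selinux_type(ev["tcontext"]), ev["tclass"])
        summary[key].update(ev["perms"])
    return dict(summary)


def unlabeled_targets(events):
    """Targets typed unlabeled_t: files carrying no SELinux label at all, which is
    what a filesystem written without label support (or never relabelled) looks like."""
    return sorted({ev["target"] for ev in events
                   if selinux_type(ev["tcontext"]) == "unlabeled_t" and ev["target"]})


if __name__ == "__main__":
    events = parse_avc_denials(SAMPLE_MESSAGES)
    for (stype, ttype, tclass), perms in sorted(summarize(events).items()):
        print(f"{stype:>10} -> {ttype:<16} {tclass:<5} {{ {' '.join(sorted(perms))} }}")
    print("unlabeled targets:", ", ".join(unlabeled_targets(events)))
```

The summary makes the shape of the failure obvious: one source type (initrc_t, the installer scripts) is refused access to files that either have no label (unlabeled_t) or carry a home-directory label the policy did not anticipate. That is a labelling problem rather than a single missing rule, which is why a permissive boot, rather than any one policy tweak, is what gets the upgrade through.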

Workaround;
This does not seem to be documented, but given the bad feeling from the avc denials, applying the workaround from the similar bugs CSCul25056 and CSCue18397 did the trick: boot to a Linux disc and modify grub.conf to include enforcing=0 (which boots the kernel with SELinux in permissive mode, so the denials are still logged but no longer block the installer).

So. CCIE you say? Voice? 2014.

With this blog, I’ll keep a track of where I am and what needs to be done.

For those of you who already know me, you also know that there have been several attempts on this quest before. Hopefully this will be the last on this topic. Err, it will be the last. If I were to fail, there is probably not another chance that I’d be able to retake the Voice exam: Cisco has updated the exam, which will be in effect mid-February, so in that case we are talking about a new blueprint, new rules of engagement and new topics.

During this past weekend, my dearly beloved father passed away, but I really hope I’ll still be able to focus properly on the preparations.

So. Here is the plan;

Mon 30th Dec
Prepare the physical lab-environment. Start reading up on different scenarios and QoS-theory.

Tue 31st Dec
New Years, and hopefully some theory.

Wed 1st Jan
…a decent hangover, and hopefully some theory.

Thu 2nd Jan
First attempt with IPExperts practice labs. Most important, find pitfalls and time-consumers that can be done more efficiently.

Fri 3rd Jan
Lab attempt. Hopefully? Might have to take the day going to Stockholm, we’ll see.

Sat 4th Jan
Lab attempt.

Sun 5th Jan
Lab attempt.

Mon 6th Jan
Lab attempt.

Tue 7th Jan
Lab attempt.

Wed 8th Jan
Travel to Brussels, with a chance to recap on theory.

Thu 9th Jan
D-day.

…and then?
WAIT! Hopefully I’ll never get the email stating that my score report is available. If I do, I’m screwed and have to a.) immediately check for lab openings before the version changes, or, b.) start preparing for collaboration instead. If I don’t, I’ll get an email stating “Congratulations” and I’ll be on my way to pop a bottle of Churchill.