Oracle® Database Advanced Security Administrator's Guide 10g Release 1 (10.1) Part Number B10772-01 |
|
|
View PDF |
This chapter describes the User Migration Utility, which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users. It contains the following topics:
Migrating from a database user model to an enterprise user model provides solutions to administrative, security, and usability challenges in an enterprise environment. In an enterprise user model, all user information is moved to an LDAP directory service.
Enterprise user security provides the ability to easily and securely manage enterprise-wide users by providing the following benefits:
Because an enterprise user model is easier to manage, security administrators can perform necessary maintenance changes to user information immediately so they have better control over access to critical network resources. In addition, an enterprise user model is easier for users to use because they have fewer passwords to remember so they are less likely to choose easily guessed passwords or write them down where others can copy them.
See Also:
"Introduction to Enterprise User Security" for detailed conceptual information about enterprise user security. |
The User Migration Utility is a command-line utility that is used when enterprise user administrators decide to move their users from a local database model to an enterprise user model. This utility makes it easy to migrate thousands of local and external database users to an enterprise user environment in an LDAP directory where they can be managed from a central location. It uses the Oracle JDBC OCI driver to connect to the database.
Enterprise user administrators can select for migration any combination of the following user subsets in a database:
In addition, enterprise user administrators can specify values for utility parameters that determine how the users are migrated such as
The following sections explain the migration process and the changes that occur to users' schemas.
Bulk user migration is a two-phase process. In phase one, you start the migration process by populating user information into an interface database table, where enterprise user administrators can verify that the information is accurate before committing the changes to the database and the directory in phase two. The process is described in the following steps:
In the first part of the migration process, the utility checks if the ORCL_GLOBAL_USR_MIGRATION_DATA
interface table exists in the enterprise user administrator's schema. If it exists, then the administrator can choose to reuse the table (clearing its contents), reuse the table and its contents, or re-create the table. Phase one can be run multiple times, each time adding to the interface table. If the table does not exist, then the utility creates it in the administrator's schema. The interface table is populated with information about the migrating users from the database and the directory. The command line options used determine what information populates this table.
This is an intermediate step to allow the enterprise user administrator to verify that the user information is correct in the interface table before committing the changes to the database and the directory.
After the interface table user information is checked, then in phase two the utility retrieves the information from the table and updates the directory and the database.
Depending on whether directory entries exist for migrating users, the utility creates random passwords as follows:
In either case, after generating the required random passwords, the utility then stores them in the DBPASSWORD
and DIRPASSWORD
interface table columns. The enterprise user administrator can read these passwords from the interface table and inform migrating users.
See Also:
"User Migration Utility Parameters" for a list of command line options and their descriptions. |
This is the interface table which is populated with information about the migrating users during phase one of the bulk user migration process. The information that populates this table is pulled from the database and checked against existing entries in the directory. If there is corresponding information in the directory, then that is marked in the table for that user. After enterprise user administrators verify the information in this table, changes are made to the directory and the database in phase two.
Caution: The |
The table columns are listed in Table G-1.
After running phase one of the utility, if necessary, enterprise user administrators can change the interface table columns that are listed in Table G-2.
If shared schema mapping is not used, then users retain their old database schemas. If shared schema mapping is used, then users' local schemas are dropped from the database and they are mapped to a shared schema that the enterprise user administrator creates for this purpose before performing the migration. When migrated users own database objects in their old local database schemas, administrators can specify that the schema and objects are not to be dropped by setting the CASCADE
parameter to NO
. When the CASCADE
parameter is set to NO
, users who own database objects in their old local schemas do not migrate successfully so their objects are not dropped.
If some users want to retain the objects in their local database schemas and be mapped to a shared schema, then the administrator can manually migrate those objects to the shared schema before performing the bulk user migration. However, when objects are migrated to a shared schema, they are shared among all users who share that new schema.
Table G-3 summarizes the effects of setting the MAPSCHEMA
and CASCADE
parameters.
MAPSCHEMA Parameter Setting | CASCADE Parameter Setting | User Migration Successful? | User Schema Objects Dropped? |
---|---|---|---|
PRIVATE |
NO (default setting) |
Yes |
No |
SHARED |
NO |
YesFoot 1 |
No |
SHARED |
YES |
YesFoot 2 |
Yes |
1 Users migrate successfully only if they do not own objects in their old database schemas; otherwise, they fail. 2 Users migrate successfully and their old database schemas are dropped. |
See Also:
"User Migration Utility Parameters" for detailed information about the |
Enterprise users, those that are defined and managed in the directory, can be authenticated to the database either with a password or with a certificate. Users that authenticate with a password require an Oracle database password, which is stored in the directory. Users that authenticate with a certificate must have a valid X.509 v3 certificate.
This utility performs the following steps during migration:
See Also:
|
The User Migration Utility is automatically installed in the following location when you install Oracle Database Client:
$ORACLE_HOME/rdbms/bin/umu
The following sections describe what programs must be running and what user privileges are required to successfully migrate users with the User Migration Utility.
To successfully use this utility, enterprise user administrators must have the following database privileges:
These privileges enable the enterprise user administrator to alter users, drop users, look at dictionary views, and create the interface table that is used by this utility.
In addition to the required database privileges, enterprise user administrators must have the directory privileges which allow them to perform the following tasks:
Perform the following steps before using the User Migration Utility:
cn=users
subtree in the identity management realm.ldap.ora
file. Note that the ldap.ora
file must include the identity management realm DN so the utility can locate the correct administrative context. The utility searches for this file under $LDAP_ADMIN
, $ORACLE_HOME/ldap/admin
, $TNS_ADMIN
, $ORACLE_HOME/network/admin
, and, finally, the Domain Name System (DNS) server, if you are using DNS discovery. (See Oracle Internet Directory Administrator's Guide for information about DNS server discovery.)
See Also:
|
To perform a bulk migration of database users to enterprise users, use the following syntax:
umu parameter1 parameter2 ...
For parameters that take a single value use the following syntax:
keyword=value
For parameters that take multiple values, use a colon (:) to separate the values as in the following syntax:
keyword=value1:value2:...
Example 13-1 shows the syntax used to run the utility through both phases of the bulk user migration process.
umu PHASE=ONE DBADMIN=dba_username:password ENTADMIN=enterprise_admin_DN:password USERS=[ALL_GLOBAL | ALL_EXTERNAL | LIST | FILE] DBLOCATION=database_host:database_port:database_sid DIRLOCATION=ldap_directory_host:ldap_directory_port USERSLIST=username1:username2:username3:... USERSFILE=filename MAPSCHEMA=[PRIVATE | SHARED]:schema_name MAPTYPE=[DB | DOMAIN]:[ENTRY | SUBTREE] CASCADE=[YES | NO] CONTEXT=user_entries_parent_location LOGFILE=filename PARFILE=filenameumu PHASE=TWO
DBADMIN=dba_username:password ENTADMIN=enterprise_admin_DN:password DBLOCATION=database_host:database_port:database_sid DIRLOCATION=ldap_directory_host:ldap_directory_port LOGFILE=filename PARFILE=filename
Note: If the enterprise user administrator does not specify the mandatory parameters on the command line, then the utility will prompt the user for those parameters interactively. |
See Also:
|
To display the command-line syntax for using the User Migration Utility, enter the following command at the system prompt:
umu HELP=YES
While the HELP
parameter is set to YES
, the utility cannot execute.
The following sections list the available parameter keywords and the values that can be used with them when running this utility. The keywords are not case-sensitive.
Valid Values: |
Values can be:
This parameter takes multiple values. Separate values with a colon (:). (These values are not case-sensitive.) |
Default Setting: |
No default setting. |
Syntax Examples: |
|
Description: |
Specifies which users are to be migrated. If multiple values are specified for this parameter, then the utility uses the union of these sets of users. |
Restrictions: |
This parameter is mandatory for phase one only, and it is ignored in phase two. |
Valid Values: |
Schema type can be:
(These values are not case-sensitive.) |
Default Setting: |
|
Syntax Examples: |
|
Description: |
Specifies whether the utility populates the interface table with schema mapping information. |
Restrictions: |
Valid Values: |
Mapping type can be: Mapping level can be: Separate mapping type from mapping level with a colon (:). (These values are not case-sensitive.) |
Default Setting: |
|
Syntax Examples: |
|
Description: |
Specifies the type of schema mapping that is to be applied when "Keyword: MAPSCHEMA" is set to |
Restrictions: |
This parameter is effective only when |
See Also:
"About Using the SUBTREE Mapping Level Option" for more information about using this mapping level option. |
Valid Values: |
Distinguished Name (DN) of the parent for user entries. This is the same as the user search base or user create base in an Oracle Internet Directory identity management realm. Parent DN can also be specified within double quotation marks ("..."). |
Default Setting: |
This value is automatically populated from the In 10g Release 1 (10.1), this is not the preferred location for user entries, so do not use the default setting for this parameter unless it is specifically desired. Instead, Oracle recommends that you use " |
Syntax Examples: |
|
Description: |
Specifies the DN of the parent entry under which user entries are created in the directory if there is no directory entry that matches the userID for the user. |
Restrictions: |
This parameter is only valid for phase one. |
The following sections contain examples of the syntax for some typical uses of this utility.
To migrate users while retaining their old database schemas, set the MAPSCHEMA
parameter to PRIVATE
, which is the default setting. For example, to migrate users scott1
, scott2
, and all external database users, while retaining their old schemas, to the directory at c=Users, c=us
with the newly generated database and directory passwords, the syntax shown in Example 13-2 is used.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 DIRLOCATION=machine2:636 CONTEXT="c=Users,c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
After phase one completes successfully, the interface table is populated with the user migration information. Then the enterprise user administrator can review the table to confirm its contents. Because no value was specified for the MAPSCHEMA
parameter, the utility runs phase one using the default value, PRIVATE
, so all users' old database schemas and objects are retained.
To migrate users and map them to a new shared schema, dropping their old database schemas, set the MAPSCHEMA
parameter to SHARED
. The shared schema must already exist or the enterprise user administrator must create it before running the utility with this parameter setting. In the following example, users scott1
, scott2
, and all external database users are migrated to the directory at c=Users, c=us
with newly generated database and directory passwords, while mapping all migrated users to a new shared schema in the database.
Use the syntax shown in Example G-1 to run the migration process with MAPSCHEMA
set to SHARED
.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 MAPSCHEMA=SHARED:schema_32 DIRLOCATION=machine2:636 CONTEXT="c=Users, c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
After phase one completes successfully, the interface table is populated with the user migration information. Then the administrator can review the table to confirm its contents. Users scott1
, scott2
, and the external users are assigned new randomly generated database and directory passwords. Because no value was specified for the CASCADE
parameter, the utility runs phase one using the default value, NO
, which means that migrating users who own database objects in their old database schemas will fail and their schemas will not be automatically dropped. To determine which users have failed, review the log file that is located at $ORACLE_HOME/network/log/umu.log
by default.
The CASCADE
parameter setting determines whether users' old database schemas are automatically dropped when mapping to a shared schema during migration. CASCADE
can be used only when MAPSCHEMA
is set to SHARED
.
By default, the CASCADE
parameter is set to NO
. This setting means that when mapping migrating users to a shared schema, users who own database objects in their old schemas are not migrated. For users who do not own database objects, their old database schemas are automatically dropped and they are mapped to the new shared schema.
See Also:
Example G-1 for a syntax example to map users to a shared schema with |
If it is known that no migrating users own database objects or want to retain the objects that they own in their old database schemas, then setting the CASCADE
parameter to YES
automatically drops all users' schemas and schema objects and maps them to the new shared schema. Example G-2 shows the syntax to use when setting CASCADE
to YES
. In this example, users scott1
, scott2
, and all external database users are migrated to the directory at c=Users, c=us
, while mapping all migrating users to a new shared schema in the database.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 MAPSCHEMA=SHARED:schema_32 CASCADE=YES DIRLOCATION=machine2:636 CONTEXT="c=Users, c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
After phase one completes successfully, the interface table is populated with the user migration information. Then the administrator can review the table to confirm its contents. Because the CASCADE
parameter is set to YES, all migrated users' old database schemas are automatically dropped, including those who own database objects.
When MAPSCHEMA
is set to SHARED
, the mapping type can be set by specifying a value for the MAPTYPE
parameter. This parameter takes two values, which are the mapping type and the mapping level.
Mapping type can be set at DB
, for database, or DOMAIN
, for enterprise domain. When mapping type DB
is specified, the mapping is applied only to the database where the shared schema is stored. When DOMAIN
is specified as the mapping type, then the mapping is applied to the enterprise domain that contains the database where the shared schema is stored and also applies to all databases in that domain.
Mapping level can be set to ENTRY
or SUBTREE
. When ENTRY
is specified then users are mapped to the shared schema using their full distinguished name (DN). This results in one mapping for each user. When SUBTREE
is specified then groups of users who share part of their DNs are mapped together. This results in one mapping for user groups already grouped under some common root in the directory tree. Example G-3 shows the syntax to use when using the MAPTYPE
parameter. In this example, users scott1
, scott2
, and all external database users are migrated to the directory at c=Users, c=us
, while mapping all migrated users to a new shared schema in the database. In this example, the mapping will apply to the enterprise domain that contains the database and the mapping will be performed at the entry level, resulting in a mapping for each user.
umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 MAPSCHEMA=SHARED:schema_32 MAPTYPE=DOMAIN:ENTRY DIRLOCATION=machine2:636 CONTEXT="c=Users, c=us" ENTADMIN="cn=janeadmin":welcomeumu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome
If a user (scott
, for example) who is being migrated will have future user entries in a subtree under it, then it makes sense to create a subtree level mapping from this user entry (cn=scott
) to a schema. However, the database does not interpret the user to be in the subtree so the mapping does not apply to scott
himself. For example, if you are migrating the user scott
with the DN cn=scott,o=acme
, and you choose SUBTREE
as the mapping level when you run the utility, then a new mapping is created from cn=scott,o=acme
to the shared schema, but the user scott
is not mapped to that schema. Only new users who are created under the scott
directory entry are mapped to the shared schema. Consequently, the SUBTREE
mapping level should only be specified when user directory entries are placed under other user directory entries, which would be an unusual directory configuration.
If you want an arbitrary subtree user to be mapped to a single shared schema with only one mapping entry, then you must use Enterprise Security Manager to create that mapping.
See Also:
"Managing Enterprise Domain Database Schema Mappings" for information about using Enterprise Security Manager. |
It is possible to enter user information and User Migration Utility parameters into a text file and pass the information and parameters to the utility using the PARFILE
and USERSFILE
parameters. The LOGFILE
parameter sets the directory path for the log file where details about the migration for each user are written.
The PARFILE
parameter tells the utility where a text file is located that contains the parameters for a bulk user migration. The USERSFILE
parameter works like the PARFILE
parameter, except it contains database users instead of parameters. The parameters and users lists contain one parameter or user for each line. The LOGFILE
parameter tells the utility where to write the system events that occur during a user migration, such as errors. Use the USERSFILE
parameter during phase one of the migration process. The PARFILE
and LOGFILE
parameters can be used in both phases.
Example G-4 shows the syntax for a typical parameter text file to migrate users scott1
, scott2
, and all external database users, while retaining their old schemas, to the directory at c=Users, c=us
. In this example a log of migration events is written to the file errorfile1
in the directory where the utility is run. If another location is desired, then include the path with the file name.
DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST:FILE USERSLIST=scott1:scott2 USERSFILE=usrs.txt DIRLOCATION=machine2:636 CONTEXT="c=Users, c=us" ENTADMIN="cn=janeadmin":welcome LOGFILE=errorfile1
Example G-5 shows the syntax for a typical users list text file.
user1 user2 user3
To execute phase one of the migration process with these parameters and users list text files, use the syntax shown in Example G-6.
umu PHASE=ONE DBADMIN=system:manager PARFILE=par.txt LOGFILE=errorfile2
Note: Although the |
Migration failures are reported to the enterprise user administrator with error messages and log messages. The following sections describe common error and log messages and what administrators can do to resolve them.
See Also:
"Summary of User Migration Utility Error and Log Messages" for an alphabetical listing of error and log messages and links to where they are described in this section. |
When the utility encounters any error while running, it displays an error message and stops running. The following sections describe these messages and explain how to resolve the errors:
The following error messages may display while the utility is running either phase one or phase two of the migration:
Cause: The nickname attribute is not set in the directory in the root identity management realm.
Action: Use Enterprise Security Manager Console to set the nickname attribute for the identity management realm.
Cause: The utility was unable to connect to the database.
Action: Perform these steps:
Cause: The utility encountered a database error.
Action: Check the database error message details for the database.
See Also:
Oracle Database Error Messages for information about resolving database error messages. |
Cause: The database is not a member of any enterprise domain.
Action: Use Enterprise Security Manager to add the database to an enterprise domain in the directory.
Cause: There is no entry for the database in the Oracle context that the ldap.ora file points to.
Action: Use Database Configuration Assistant or Enterprise Security Manager to register the database in the directory.
Cause: The utility was unable to connect to the directory.
Action: Perform these steps:
Cause: The utility encountered a directory error.
Action: Check the directory error message details for the directory.
See Also:
Oracle Internet Directory Administrator's Guide for information about resolving error messages for Oracle Internet Directory. |
Cause: The database belongs to more than one enterprise domain in the directory.
Action: Use Enterprise Security Manager or Oracle Directory Manager to ensure that the database belongs to only one enterprise domain.
While the utility is running phase one of the migration, syntax or other types of errors may occur. The following error messages may display while the utility is running phase one of the migration:
Cause: Syntax error. A parameter is missing or has been entered multiple times.
Action: Check the usage syntax.
Cause: The shared schema is not present in the database.
Action: Create the shared schema.
Cause: Syntax error. The utility cannot read the file that contains the users list that is specified in the USERSFILE parameter.
Action: Perform these steps:
Cause: Syntax error. The utility cannot read the file that contains the list of parameters that is specified in the PARFILE parameter.
Action: Perform these steps:
Cause: Syntax error. The utility is unable to read the local host name for the database location or the directory location.
Action: Explicitly enter the hostname information with the DBLOCATION
and DIRLOCATION
parameters.
Cause: The interface table cannot be created in the SYS
schema.
Action: Specify another user in the DBADMIN
parameter.
See Also:
"Keyword: DBADMIN" for information about setting the |
Cause: Syntax error. The argument name or value has been entered incorrectly.
Action: Check the usage syntax.
See Also:
For information about using the command line syntax for this utility. |
Cause: Syntax error. This occurs when you have used a command line argument that is only intended for phase one, but you are running phase two.
Action: Check the usage syntax.
Cause: Syntax error. The user that is specified in this error message is invalid because they are not a user in the database that is specified in the DBLOCATION
parameter.
Action: Remove the invalid user from the file that is specified with the USERSFILE
parameter.
Cause: Syntax error. The file that is specified in the USERSFILE
parameter contains the user who is running the migration utility.
Action: Remove that user from the file.
Cause: Syntax error. The user that is specified in this error message is invalid because they are not a user in the database that is specified in the DBLOCATION
parameter.
Action: Remove the invalid user from the USERSLIST
parameter.
Cause: Syntax error. The USERSLIST
parameter contains the user who is running the migration utility.
Action: Remove that user from the USERSLIST
.
Cause: Syntax error. The utility cannot find the log file or it cannot open the file to write to it.
Action: Perform these steps:
Cause: The CONTEXT
entry is not present in the directory.
Action: Perform one of the following options:
Most of the error messages that you encounter while running this utility occur in phase one. After phase one has completed successfully, and while phase two is running, the following error may occur:
Cause: The utility cannot find the interface table.
Action: Perform one of the following options:
Typically, log messages are written to the log file for each user who is migrated, whether the user was migrated successfully or not. The following sections describe these messages and explain how to resolve the errors:
While the utility is running phase one of the migration, messages that indicate a user's information has not been successfully populated in the interface table may be written to the log file. After the utility completes phase one, review the log file to check for the following messages:
Cause: The nickname attribute matches multiple users or the user matches with multiple nickname attributes.
Action: Resolve the multiple matches and run the utility again for the users whose log file entry displayed this message.
Cause: No entry was found for the nickname matching, but an entry already exists for the DN in the directory.
Action: Specify a different DN for the user.
While the utility is running phase two of the migration, messages that indicate a user has not successfully migrated may be written to the log file. After the utility completes phase two, review the log file to check for the following messages:
This message typically occurs with the message Invalid value::<column_name>=<column_value>
.
Cause: The entry already contains a value for the orclPassword
attribute.
Action: Check the DBPASSWORD_EXIST_FLAG
column in the interface table for a T/F
value that correctly reflects whether a database password exists for this user.
This message typically occurs with the message Invalid value::<column_name>=<column_value>
.
Cause: The orclPassword
attribute of this user's entry has a null value.
Action: Check the DBPASSWORD_EXIST_FLAG
column in the interface table for a T/F
value that correctly reflects whether a database password exists for this user.
Cause: The shared schema that was specified for this user does not exist in the database.
Action: Perform one of the following options:
SHARED_SCHEMA
column of the interface table and run phase two of the utility for this user again.This message typically occurs with the message Invalid value::<column_name>=<column_value>
.
Cause: An entry already exists for the specified user DN.
Action: Check the USERDN_EXIST_FLAG
column in the interface table for a T/F
value that correctly reflects whether a user entry already exists in the directory for this DN.
Cause: The value in the interface table column for this user is invalid. Typically, this message is accompanied by additional log messages for this user.
Action: Check to ensure that the correct value has been entered for this user.
This message typically occurs with the message Invalid value::<column_name>=<column_value>
.
Cause: The entry for the DN is missing in the directory.
Action: Check the USERDN_EXIST_FLAG
column in the interface table for a T/F
value that correctly reflects whether a user entry already exists in the directory for this DN.
Table G-4 and Table G-5 list all of the error and log messages in alphabetical order and provides links to the section in this chapter that describes the message and how to resolve it.
User Migration Utility Error Message | Phase |
---|---|
1 | |
Both | |
Both | |
Both | |
Both | |
Database not registered with the directory : : DB-NAME = < dbName > |
Both |
Database object missing : : SHARED-SCHEMA = <shared_schema_name > |
1 |
Database object missing : : TABLE = ORCL_GLOBAL_USR_MIGRATION_DATA |
2 |
Both | |
Both | |
Error reading file : : < file_name > : : < io_error_message > |
1 |
Error reading file : : PARFILE = < file_name > : : < io_error_message> |
1 |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
Both | |
1 |