Setting up an external AWS RDS Oracle database for OpenPages

You can use an Oracle database that is outside of IBM® Software Hub.

Before you begin

Ensure you're only using the supported Oracle database server software, including any fix packs, patches, or other service updates:

Oracle Enterprise Edition (EE) 19c (19.3 and later 19.x)
Oracle Standard Edition 2 (SE2) 19c (19.3 and later 19.x)

To set up and configure an Oracle RDS instance on AWS, see Setting up an Oracle RDS instance on AWS.

Procedure

Complete the following tasks to set up the Oracle RDS external database:

Preparing the database
Preparing the files
Configuring the RDS parameter group
Running the steps that require DBA privileges
Preparing to run the non-DAB database scripts
Restoring the OpenPages database schemas (Oracle)
Retrieving the certificate from the database server
Setting up a vault to store the database credentials
Creating a secret in OpenShift that references the database secrets
Verifying the installation

Preparing the database

Use the AWS EC2 node for setting up the OpenPages Database.

Set up SQLPlus with the following steps:
1. Log in to your EC2 instance:
```
ssh -i /<path-to-access-certificate>/<key>.pem ec2-user@ec2-<instance-id>.<region>.compute.amazonaws.com
```
2. To connect to the Oracle RDS instance, create a VM and make sure that the SQLPlus client, Docker, and AWS cli are installed on the VM.
Determine the version number of the external database package you need to download based on the version of IBM Software Hub that you are using. Use the following list for guidance.
- 5.4.09.1.2.1-433
- 5.4.0 9.1.3.1-730
Download the external database setup files and transfer them to the VM which has access to the RDS instance.
For example, you can use the following commands to get the files from the IBM Entitled Registry:
The following command extracts the OpenPages database backup file from the image:
```
docker cp $(docker create --rm cp.icr.io/cp/cpd/openpages-cpd-provisioner-oracle:<db_package_version>):/app-root/backup .
```
Replace <db_package_version> with the database package version number you chose in step 1. For example, the command will be the following if you're using IBM Software Hub version 5.3:
```
docker cp $(docker create --rm cp.icr.io/cp/cpd/openpages-cpd-provisioner-oracle:9.1.2.1-433):/app-root/backup .
```
The following command extracts the setup scripts from the image:
```
docker cp $(docker create --rm cp.icr.io/cp/cpd/openpages-cpd-provisioner-oracle:<db_package_version>):/opt/ibm/OpenPages/ORACLE/
```
Note: The image name (cp.icr.io/cp/cpd/openpages-cpd-provisioner-oracle:<db_package_version>) might be different if you mirrored the images to a local container registry.

Preparing the files

The sql-wrapper.sql file contains information that is used by the database scripts. You need to enter the values for your environment, such as the name of the database instance for OpenPages.

When you install OpenPages, use the same values that you set in the sql-wrapper.sql file.

Log in to your EC2 instance.
Go to the $oracle-dir/ORACLE/INSTALL_SCRIPTS directory.
Verify that you have write permission on the sql-wrapper.sql file. If not, change the permission on the file by using the chmod command.

Edit the sql-wrapper.sql file.

Restriction: Change only the parameters that are described in this step.

These parameters are used by the scripts that your DBA will run.

Table 1. Parameters in the sql-wrapper.sql file for Oracle databases
Property	Description
`opx_datafile_storage_dir`	Defines the physical locations of the datafiles that are associated with the tablespaces that are created. This should be set to a value that is appropriate for your environment
`opx_dflt_sid`	The TNS alias of the Oracle database for OpenPages. For example, `define opx_dflt_sid='<rds_end_point>:<port>/ORC`.
`opx_oracle_dba_user`	Enter the RDS Master username, for example, `admin`.
`opx_db_owner`	The database owner, also the name of the schema. For example, `OPENPAGE`
`opx_dflt_stor_srv_root`	The path to the OpenPages storage directory. Example: `define opx_dflt_stor_srv_root='define opx_dflt_stor_srv_root='/home/oracle/OP/OpenPages/openpages-storage'`
`opx_aws_saas_install`	Example: `define opx_aws_saas_install='Y'`

Configuring the RDS parameter group

Before running the installation script, create a custom parameter group in Oracle RDS and update each parameter with the following values:

Table 2. Custom parameter group in Oracle RDS
Parameter	Value
`open_cursors`	1000
`nls_length_semantics`	CHAR
`optimizer_index_caching`	100
`optimizer_index_cost_adj`	1
`optimizer_mode`	FIRST_ROWS
`optimizer_secure_view_merging`	false
`cursor_sharing`	force
`_optimizer_skip_scan_enabled`	false

After updating the parameters, associate them with the RDS instance by setting it as the DB instance parameter group.

Running the steps that require DBA privileges

You can run a script to do the database schema creation steps that require DBA privileges. Do this procedure if you do not want to enter DBA credentials when you install IBM OpenPages or if your organization's security policies require the separation of DBA and non-DBA tasks.

Before you begin

The Oracle RDS database is provisioned
The sql-wrapper.sql is configured for your environment
Run the following script: op-database-dba-install.sh|.bat. The script uses the properties that are defined in the sql-wrapper.sql file

You can do the following configurations:

You can specify a custom name for the OpenPages schema
If you are a database administrator, get the scripts from your OpenPages team.
Or, you can get the scripts from the $oracle-dir/ORACLE/INSTALL_SCRIPTS directory.

Verify that you have execute permission on the scripts.

Open the sql-wrapper.sql file. Verify that the values are suitable for your environment.

Run the op-database-dba-install.sh|.bat script from the command line:

./op-database-dba-install.sh '<dba_password>' '<RDS_Master_Password>'

Note: Quotation marks are required around a password only if the password contains special characters. See Special characters in passwords.

Verify that the return code is 0, which indicates success. You can also check the log file, op-database-dba-install-.log.

Preparing to run the non-DAB database scripts

Verify that the DBA portion of the database setup completed successfully:

./op-validate-dba-install.sh '<op_schema_owner_password>'

You can view the log file: op-validate-dba-install-.log.

Restoring the OpenPages database schemas (Oracle)

Complete the following tasks to successfully import the OpenPages database schema.

Importing the OpenPages database schema

Create an S3 bucket and move the openpages_dump_file to the S3 bucket. Ensure that the AWS CLI is configured with the appropriate credentials (aws configure).

aws s3 cp /home/ec2-user/cpd-or/backup/opdb-oracle.dmp s3://cp4d-oracle-rds-import-bucket

Note: The opdb-oracle.dmp backup file is obtained from the docker command in step 3 under Preparing the database:

docker cp $(docker create --rm cp.icr.io/cp/openpages-cpd-provisioner-oracle:<db_package_version>):/app-root/backup .

Check IAM role association:

  aws rds describe-db-instances \
   --db-instance-identifier <your-db-id> \
   --query "DBInstances[0].AssociatedRoles"

Sample output:

[
    {
        "RoleArn": "arn:aws:iam::230957186347:role/rds-s3-import-role",
        "FeatureName": "S3_INTEGRATION",
        "Status": "ACTIVE"
    }
]

If S3_INTEGRATION is Not Active, then do the following:

Create an IAM Policy. Name the policy as RDS-S3ImportAccessPolicy. The following is the policy in JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::cp4d-oracle-rds-import-bucket",
                "arn:aws:s3:::cp4d-oracle-rds-import-bucket/*"
            ]
        }
    ]
}

Create an IAM Role. Name the role as rds-s3-import-role. Attach the RDS-S3ImportAccessPolicy policy. The following is the Trust Relationship JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rds.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create an Option Group for S3 Integration. Name the option group as cpd-rds-s3-og. Add the option S3_INTEGRATION.

Bind the Role to RDS:

aws rds add-role-to-db-instance \
   --db-instance-identifier cpd-rds-oracle \
   --role-arn arn:aws:iam::230957186347:role/rds-s3-import-role \
   --feature-name S3_INTEGRATION

Update the Option Group in RDS. Associate the newly created option group with your RDS instance.

Copying the Dump File from S3 to RDS

On your EC2 instance, create a file named s3_download.sql with the following contents:

set pages 0;
set head off;
set feedback off;
SET VERIFY OFF
WHENEVER OSERROR EXIT 9;
WHENEVER SQLERROR EXIT SQL.SQLCODE;

SELECT rdsadmin.rdsadmin_s3_tasks.download_from_s3(
      p_bucket_name    => '&1', 
      p_s3_prefix      => '&2', 
      p_directory_name => 'DATA_PUMP_DIR'
   ) AS TASK_ID 
FROM DUAL;

exit;

Run the following SQLPlus command:

sqlplus -s admin/"<admin_password>"@cpd-rds-oracle.<instance_id>.amazonaws.com:1521/ORCL
      @s3_download.sql  cp4d-oracle-rds-import-bucket opdb-oracle.dmp

Check the S3 Download Task Status in Oracle RDS:

 SELECT text 
 FROM table(rdsadmin.rds_file_util.read_text_file(
   'BDUMP', 
   'dbtask-<ID_from above command>.log'
 ));

Grant access to an OpenPages user to DATA_PUMP_DIR:

 GRANT READ, WRITE ON DIRECTORY DATA_PUMP_DIR TO < opx_db_owner>;
 GRANT EXECUTE ON rdsadmin.rds_file_util TO < opx_db_owner>;

 SELECT * 
 FROM table(rdsadmin.rds_file_util.listdir('DATA_PUMP_DIR'));

 SELECT directory_name, directory_path 
 FROM dba_directories 
 WHERE directory_name = 'DATA_PUMP_DIR';

Importing OpenPages database with impdp command

Open a shell window.
Open the user profile (for example, .profile) that is in the home directory of the user who is currently logged in.
Set the NLS_LANG variable if it's missing from the file. For example, export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
Save the file.
Refresh the profile by opening a shell window and running the following command:
```
. /home/oracle/.bash_profile
```

Import the OpenPages database schema by running the following command:

impdp <opx_db_owner >/"< op_schema_owner_password>"@<rds_instance_id>.<location>.rds.amazonaws.com:1521/ORCL \ 
  DIRECTORY=DATA_PUMP_DIR \ 
  DUMPFILE=<Dump_file_name>\ 
  SCHEMAS="OPENPAGE" \ 
  REMAP_SCHEMA=OPENPAGE:< opx_db_owner> \ 
  TRANSFORM=OID:N \  
  EXCLUDE=INDEX_STATISTICS \ 
  EXCLUDE=JOB \ 
  EXCLUDE=USER

Execution should be completed with the output `Job "OPENPAGE_DEV"."SYS_IMPORT_SCHEMA_01" successfully completed`.

Retrieving the certificate from the database server

The following command retrieves the chain of SSL certificates:

echo | openssl s_client -showcerts \
-connect <rds_instance_id>.<location>.rds.amazonaws.com:2484 \
-servername <rds_instance_id>.<location>.rds.amazonaws.com

From the certificate chain, two certificates need to be added: Root CA and Intermediate CA.

Root CA

Subject CN: Amazon RDS

Issuer CN: Amazon RDS us-west-1 Root CA 

This is self-signed → Root CA for Amazon RDS in the us-west-1 region.

Purpose: Trust anchor that verifies the intermediate CA.

Intermediate CA

Subject CN: Amazon RDS us-west-1 Subordinate CA RSA2048 G1.A.4

Issuer CN: Amazon RDS us-west-1 Root CA 

This is signed by the root CA → Intermediate CA.

Purpose: Signs the actual RDS instance certificate.

Setting up a vault to store the database credentials

The database credentials must be stored in a vault. You can use the vault that is provided in IBM Software Hub or you can use an external vault. For more information about vaults, see Managing secrets and vaults.

Within the vault, you create two secrets: one for the DBA username and password (<opx_db_owner>, <dba_password>) and another secret for the database user username and password (<opx_oracle_dba_user>, <RDS_Master_Password>).

The DBA and database user secrets must be created by the same IBM Software Hub user.
The DBA and database user credentials must be stored in separate secrets within the same vault.
Each secret must be of the type username and password in the vault.
The secrets must either be owned by the user who provisions OpenPages instances or shared with the owner of the OpenPages instances.
OpenPages does not support storing the SSL certificate in a vault.

Do the following steps:

If you want to use an external vault, set up the vault. For more information, see Adding integrations to external vaults.
In the vault, add two secrets: one for the DBA user credentials and another for the database user credentials. Make a note of the secret details. For example, if you're using HashiCorp, note the secret names and paths.
In IBM Software Hub, set up references to the DBA user secret and the database user secret.
- If you're using an external vault, see Adding references to secrets in external vaults
- If you're using the IBM Software Hub vault, see Adding secrets to the internal vault
For each secret, use the following settings:
1. For the information type, choose Username and password.
2. Enter the database credentials.
3. If the user who will provision OpenPages is different from the user who is creating the secret, share the secret with the user who provisions OpenPages instances.
In IBM Software Hub, click Administration > Configurations, click the Vaults and secrets tab, and then click Secrets. Make a note of the following information for the DBA user secret and the database user secret:
- Name is the name of the secret.
- Vault name
- Created by is the owner of the secret.

Creating a secret in OpenShift that references the database secrets

The secret references your vault and the database secrets that are defined in IBM Software Hub.

If you're using a tethered project for OpenPages, then create the secret in the tethered project.

OpenPages uses the secret to connect to the database. The following example shows the required format. This example creates a secret that is called openpages-external-db-info. This example references secrets in the IBM Software Hub vault.

kind: Secret
apiVersion: v1
metadata:
  name: openpages-external-db-info
  namespace: <cpd_namespace>
  labels:
    app.kubernetes.io/name: openpages
    app.kubernetes.io/version: "<version>"
    app.kubernetes.io/managed-by: ibm-openpages-cpd-operator
stringData:
  host: <rds_endpoint_url>
  port: "1521"                  # Standard Oracle listener port
  sslport: "2484"               # SSL-enabled port for RDS
  alias: ORCL                   
  vault: <vault_name>
  secretowner: <created_by>
  usercred: "<db_user_secret>"  
  dbacred: "<dba_secret>"     
  sysdbacred: "<sysdba_secret>"
  schemaname: "<schema_name>"
  opdb-cert.pem: |-
    -----BEGIN CERTIFICATE-----
     Root Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
     Intermediate Certificate
    -----END CERTIFICATE-----
type: Opaque

Table 3. Paramaters for RDS
Parameter	Description
`host`	The AWS RDS Oracle endpoint (for example, `mydb.abcdefghijk.us-west-1.rds.amazonaws.com`).
`port`	The standard Oracle listener port (1521 for non-SSL).
`sslport`	The RDS Oracle SSL port (2484).
`alias`	Logical alias for the DB connection (can be `ORCL` or custom).
`vault`	The vault name where secrets are stored. For example, `internal`
`secretowner`	The user or service that created the secret. For example, `cpadmin/admin`
`usercred`	The name of the secret in IBM Software Hub for the database user credentials. The secret name is displayed in the Name column on the Secrets tab.
`dbacred`	The name of the secret in IBM Software Hub for the DBA user credentials. The secret name is displayed in the Name column on the Secrets tab.
`schemaname`	The schema to be used by OpenPages.
`opdb-cert.pem`	SSL certificate for RDS connection.
`version`	The version of OpenPages that you want to install. For IBM Software Hub 5.4.0, use 10.0.0.

Save your changes, for example:

oc apply -f openpages-external-db-info

The DBA and database user credentials are ready to use.

When you provision OpenPages, you need to provide the name of the Kubernetes secret. In this example, the name is openpages-external-db-info.

Note: If the database connection information changes in the future, update the secrets in the vault. The connection information in the secrets must always match the values for your environment. For example, if the password of the openpage user changes, update the <db_user_secret> secret in the vault.

Add the certificate you retrieved earlier to the OpenShift secret.

Verifying the installation

Review the log file, setup-extdb.<date_time_stamp>.log for any errors.

Verify that you can connect to the database by running the following command:

sqlplus openpage/<op_db_password>@<SID>