Optimize OEM Administration with Best Practices

Session ID:
Prepared by:
Where did my day go?: Oracle
Enterprise Manager 12c/13c
Administration
282
Alfredo Krieg
@alfredokrieg

April 2-6, 2017 in Las Vegas, NV USA #C17LV
About me…
• Oracle ACE Associate
• Oracle Technologies since 2004 & 11g
Certified
• IOUG’s Cloud SIG Officer
• North East Ohio Oracle User Group Officer
• OEM Cloud Control 12c/13c and Database
Performance Tuning
@alfredokrieg
alfredokrieg@gmail.com
bitkode.blogspot.com

Motivation
• As an Enterprise Manager administrator you are responsible of a wide
variety of tasks including:
• Discovery and maintenance of targets
• Deploy plug-ins
• Tune OEM 12c/13c performance
• Maintain backups
• Others (Cloud, Self-Service, Alerts, etc.)
• With such time consuming tasks, administrators need to find the most
efficient ways to manage the manager.
• Best practices
• Task automation
• Command Line EMCLI
• New Features in 13c

Agenda
• Lifecycle Management
- Performing Mass Agent Deployment
- Agent Gold Image
• OEM new features
- "Always on" monitoring
- Notification blackouts
• Target Administration
- Creating Monitoring Templates
- Using Administration Groups
• Security
- Secure your SYSMAN schema account
- Setup credentials and private roles
- Secure and lock the OMS and Agents
- Use EMCLI to configure OEM Audit system

Perform Mass Agent Deployment

• Perform Mass Agent Deployment
• Fresh Install
• Installs the vanilla version of the agent.
• Clone Existing Agent
• Installs an agent using an existing source agent that is well tested and
patched.
• Add Host to Shared Agent
• Installs an agent using an existing master agent that is installed on a
NFS mounted drive.

emcli submit_add_host
-host_names=<host_list>
-platform=<platform_id>
-installation_base_directory=<install_base_dir>
-credential_name=<credential_name>
-port=<agent_port>]

Agent Gold Image
• Customized configuration of the OEM Agent
• Version
• Patch Level
• Plugins
• Gold Image can be used to:
• Deploy – Add Host
• Update
• Upgrade
• Patch agent or plugins
• Deploy plugins
Image Version

Agent Gold Image
• Restrictions:
• NFS agent – cannot install, update or upgrade
• Unsecure agent can’t be used
• Cannot subscribe to Agent Gold Image
• Central agent
• NFS agents
• Unsecure agents
• Agents on different platforms as the Gold Image
• Already subscribed agents

Agent Gold Image
• How to create agent gold image?
• Console
• EMCLI
emcli create_gold_agent_image

Agent Gold Image
• Agent Gold Image Console

Agent Gold Image
• How to create agent gold image?
• Console
• Manage All Images -> Create
• EMCLI
emcli create_gold_agent_image

Agent Gold Image
• How to create agent gold image version?
• Console
• Manage All Images -> Create

Agent Gold Image

Agent Gold Image
• Agent Gold Image Status
• Draft - new image version
• Current – ready to mass deploy or mass update (can’t go back!)
• Restricted – to test and agent config (up to 10 agents update)

Agent Gold Image
• Issues
• EM13c: Deploying 13c Agent Using Gold Agent Image Fails
With Error "agentDeploy.sh: No such file or directory" (Doc ID
2174189.1)
• EM13c: Deploying 13c Agent Using Gold Agent Image Fails
With Error "agentDeploy.sh : error=13, Permission denied"
(Doc ID 2134052.1)
• EM13c: Update Gold Agent Image Operation For Windows
Agent Fails With "java.lang.NullPointerException" (Doc ID
2191522.1)

Agent Gold Image
• Useful notes:
• EM 13c: How to Upgrade Agents From 12c to 13c Using Gold
Agent Image In 13c Cloud Control (Doc ID 2126427.1)
• EM 13C: How to Update Existing Gold Agent Image and Update
the Already Deployed Agents in 13c Cloud Control (Doc ID
2090976.1)
• EM13C: How to Deploy or Install a New Agent Using Gold
Agent Image in 13c Cloud Control (Doc ID 2093924.1)
• EM 13C: Understanding Gold Agent Image Functionality and
Deploying Agents Using Gold Agent Image (Doc ID 2090975.1)
• EM13C: How to Deploy or Install a New Agent Using Gold
Agent Image in 13c Cloud Control (Doc ID 2093924.1)

Always-On Monitoring
• What is it?
• Is a separate service
• Sync with OMS (default every 24 hours)
• Receives alerts from Agents and send emails
• Can turn notifications off/on
• Requirements
• Separate DB instance than OMR
• The Always-On Monitoring code installed in the
$MW_HOME/sysman/ems
• Java 1.7

• New DB instance
• 12.1.0.2 bundle 10 or higher (Oct 2015)
• OPTIMIZER_ADAPTER_FEATURES=FALSE;
• Same character set as OMR
• Can be a PDB
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
optimizer_adaptive_features boolean FALSE

cd $MW_HOME/sysman/ems
$ ls
ems_13.2.0.0.0.zip
$ unzip ems_13.2.0.0.0.zip
$ emctl config emkey -copy_to_repos
Oracle Enterprise Manager Cloud Control 13c Release 2
Copyright (c) 1996, 2016 Oracle Corporation. All rights reserved.
Enter Enterprise Manager Root (SYSMAN) Password :
The EMKey has been copied to the Management Repository. This
operation will cause the EMKey to become unsecure.
After the required operation has been completed, secure the
EMKey by running "emctl config emkey -remove_from_repos".

cd $MW_HOME/sysman/ems/ems/scripts
$ export JAVA_HOME=$MW_HOME/oracle_common/jdk/jre
$ export PATH=$JAVA_HOME/bin:$PATH
$ java -fullversion
java full version "1.7.0_111-b13"
$ ./emsca

Copyright (c) 2015, 2016, Oracle Corporation. All rights reserved.
---------------------------------------------------------------
Always-On Monitoring Repository Connection String : (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = host)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME =
emxxxx)))
Always-On Monitoring Repository Username [ems] :
Always-On Monitoring Repository Password [ems] :
User "ems" cannot be found in the database.
In order to create this user, SYSDBA credentials are required. If you do not want to continue, answer "n" to the question below.
Create the Always-On Monitoring Repository user [y] : y
Always-On Monitoring Repository SYSDBA Username : sys
Always-On Monitoring Repository SYSDBA Password :
Enterprise Manager Repository Connection String : (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = host)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME =
emxxxx)))
Enterprise Manager Repository Username : sysman
Enterprise Manager Repository Password :
Creating Always-On Monitoring repository user ems
Agent Registration Password :
Keystore for host hostxxxx created successfully.
Connecting to Always-On Monitoring Repository.
Creating Always-On Monitoring Repository schema
Creating repository storage for Targets data.
Creating repository storage for Alerts and Availability data.
Creating repository storage for Notification Metadata data.
Creating repository storage for Target Metric Metadata data.
Registering Always-On Monitoring instance
Always-On Monitoring Upload URL: https://hostxxxx:8081/upload

• Define downtime contacts
• System wide
$ emcli set_oms_property -
property_name='oracle.sysman.core.events.ems.downtimeCont
act' -property_value='alfredokrieg@gmail.com‘
• Per target: emcli set_target_property_value

• emsctl
• status
• sync
• start
• stop
• ping
• enable_notification
• disable_notification
https://docs.oracle.com/cd/E63000_01/EMADM/em_mon_svc.htm#EMADM15626

• Sync AOM with EM
$ ./emsctl sync
Copyright (c) 2015, 2016, Oracle Corporation. All rights reserved.
------------------------------------------------------------------
Connecting to Always-On Monitoring Repository.
Starting synchronization with Enterprise Manager.
Synchronizing with Enterprise Manager repository: sysman@(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = host)(PORT = 1521))(CONNECT_DATA
= (SERVER = DEDICATED) (SERVICE_NAME = db)))
Synchronizing Targets data.
Synchronizing Alerts and Availability data.
Synchronizing Notification Metadata data.
Synchronizing Target Metric Metadata data.
Synchronization complete at : Thu Mar 16 14:36:15 EDT 2017

• emsctl start
• emsctl enable_notification
• Test notification
Host=hostname
Target type=Type
Target name=Name
Incident creation time=Mar 10, 2017 5:11:09 AM
Last updated time=Mar 10, 2017 7:20:43 PM
Message=Database is down
Severity=Fatal
Incident ID=281
Event count=1
Incident Status=New
Escalated=No
Priority=High
Incident owner=SYSMAN
Incident Acknowledged By Owner=No
Categories=Availability
Sent by Oracle Enterprise Manager - Always-On Monitoring

Notification Blackouts
• Blackouts
• Suspend monitoring for a defined period of time
• Agent won’t collect monitoring data for the target
• Useful when
• Patching or planned maintenance
• Not useful when
• Dealing with unplanned maintenance
• DB crash
• Network issues
• Agent having issues?

• Notification Blackouts
• Suppress notifications on targets during a period of time
• Agent will continue collecting monitoring data for the target
• Types
• Maintenance Notification Blackout (default)
• Planned downtime
• Notification-only Notification Blackout
• Unplanned downtime

• Notification Blackouts

Monitoring Templates
• Group of metrics and their thresholds for a particular
target type

• a

Administration Groups
50

Administration Groups – Target Properties
51

52

53

54

55

56

57

58

59

60
$ emcli login -username=sysman
Enter password :
Login successful
$ emcli set_target_property_value
-property_records="Development DB:composite:LifeCycle Status:Development"
-propagate_to_members
Properties updated successfully
$ emcli logout
Logout successful

Secure your SYSMAN account
62
• SYSMAN is the schema owner, as a result is more privileged
than a Super Administrator.
• Users and Administrators should login using their own accounts, this is
helpful while auditing operations.
• There’s a method to disable SYSMAN access from the console and emcli.
DB access and “emctl status oms –details” still work.
SQL> UPDATE MGMT_CREATED_USERS
SET SYSTEM_USER='-1'
WHERE user_name='SYSMAN';
http://bitkode.blogspot.com/2014/12/oracle-
enterprise-manager-security.html
Set it to 1 to re-enable it

Secure and Lock OMS and Agents
63
• Is recommended that all communications between OMS,
agents, repository and users is made by secure mode (HTTPS).
• In secure mode, HTTP port is locked.
• Secure mode is enabled by default, but upgrade does not secure-lock the
OMS.
• Agents should be secured in order to make use of HTTPS port.
• Agents not secured, will not be able to communicate with a secured
OMS.

64
• Not secured OMS
$ emctl status oms –details
EM Instance Home : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1
OMS Log Directory Location : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1/sysman/log
SLB or virtual hostname: host1-em.localdomain
HTTPS SLB Upload Port : 4900
HTTPS SLB Console Port : 443
Agent Upload is unlocked.
OMS Console is unlocked.
Active CA ID: 1
Console URL: https://host1-em.localdomain:443/em
Upload URL: https://host1-em.localdomain:4900/empbs/upload
Agent Upload is unlocked.
OMS Console is unlocked.

65
• Secure OMS
$ emctl secure lock
OMS Console is locked. Access the console over HTTPS ports.
Agent Upload is locked. Agents must be secure and upload over HTTPS port.
Restart OMS.
$emctl stop oms
$emctl start oms

66
• Secured OMS
$ emctl status oms –details
Console Server Host : host1.localdomain
HTTP Console Port : 7788
HTTPS Console Port : 7799
HTTP Upload Port : 4889
HTTPS Upload Port : 4900
EM Instance Home : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1
OMS Log Directory Location : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1/sysman/log
SLB or virtual hostname: host1-em.localdomain
HTTPS SLB Upload Port : 4900
HTTPS SLB Console Port : 443
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
Console URL: https://host1-em.localdomain:443/em
Upload URL: https://host1-em.localdomain:4900/empbs/upload
Agent Upload is locked.
OMS Console is locked.

67
• Secure agent
$ emctl secure agent
Agent successfully stopped... Done.
Securing agent... Started.
Enter Agent Registration Password : <Type agent registration password>
Agent successfully restarted... Done.
Securing agent... Successful.
Securing agent... Successful.

Use EMCLI to configure OEM Audit
68
• Basic OEM audit is enabled by default.
• Whenever a user login-logout, the action is audited.
• More default audit operations include:
• Apply Update
• Change MGMT_VIEW User Password
• Change Repository Password
• Configure Authentication
• Copy EM Key to Repository
• Remove EM Key from Repository
• Create Custom CA
• Remove Update
• Secure Console
• Secure Lock
• Secure OMS

69
• You can configure the Enterprise Manager Audit System by
using the following EM CLI commands:
• enable_audit: Enables auditing for all user operations.
• disable_audit: Disables auditing for all user operations.
• show_operations_list: Shows a list of the user operations being audited.
• show_audit_settings: Shows the audit status, operation list, externalization
service details, and purge period details.
• update_audit_settings: Updates the current audit settings in the
repository.

70
• The update_audit_settings command updates the current
audit settings in the repository and
restarts the Management Service.
emcli update_audit_settings -audit_switch="ENABLE/DISABLE"
-operations_to_enable="name of the operations to enable, for all
oprtations use ALL"
-operations_to_disable="name of the operations to disable, for
all oprtations use ALL"
-externalization_switch="ENABLE/DISABLE"
-directory_name="directory_name (DB Directory)"
-file_prefix="file_prefix" -file_size="file_size (Bytes)"
-data_retention_period="data_retention_period (Days)"

71
• -audit_switch: Enables auditing across Enterprise Manager.
The values are ENABLE/DISABLE. Default value is DISABLE.
• -operations_to_enable: Enables auditing for specified operations.
Enter All to enable all operations.
• -operations_to_disable: Disables auditing for specified operations.
Enter All to disable all operations.
• -externalization_switch: Enables the audit data export service. The possible
values are ENABLE/DISABLE. Default value is DISABLE.
• -directory: The database directory that is mapped to the OS directory where
the export service archives the audit data files.

72
• -file_prefix: The file prefix to be used by the export
service to create the file in which audit data is to be stored.
• -file_size: The size of the file on which the audit data is to be stored. The
default value is 5000000 bytes.
• data_retention_period: The period for which the audit data is to be retained
inside the repository. The default value is 365 days.
http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#
EMSEC12907

Please Complete Your
Session Evaluation
Evaluate this session in your COLLABORATE app.
Pull up this session and tap "Session Evaluation"
to complete the survey.
Session ID: 282

Optimize OEM Administration with Best Practices

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Optimize OEM Administration with Best Practices

Ähnlich wie Optimize OEM Administration with Best Practices (20)

Mehr von Alfredo Krieg

Mehr von Alfredo Krieg (9)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Optimize OEM Administration with Best Practices