Where did my day go?: OEM 12c Administration #em12c #C15LV @IOUG

#C

15

LV

REMINDER

Check in on the COLLABORATE mobile app

Where did my day go?: Oracle Enterprise Manager 12c Administration

Prepared by:Alfredo KriegSr. Oracle Enterprise Cloud AdministratorThe Sherwin-Williams Company

Session ID#: 230

@alfredokrieg

#C

15

LV

2

Where did my day go?: Oracle Enterprise Manager 12c Administration

Session ID#: 230

#C

15

LV

3

About me…

■ Work: [email protected])■ Personal: [email protected]

■ Senior Oracle Cloud Administrator at The Sherwin-Williams Company based in Cleveland, Oh

■ Oracle ACE Associate

■ OEM Cloud Control 12c and Database Performance Tuning

■ Oracle Technologies since 2004 & 11g Certified

■ Blog bitkode.blogspot.com

#C

15

LV

4

The Sherwin-Williams Company

■ Largest Producer of Paint & Coatings in US, among Top 3 worldwide

■ Founded in 1866 in Cleveland, OH

■ 2016 is 150th Anniversary

■ 2013 - $10.19 billion in sales

■ Business in 120+ Countries

■ 34,000+ employees

■ 4,000+ Company Owned Stores

■ 90+ Manufacturing Facilities Globally

#C

15

LV

5

The Sherwin-Williams Company

The Sherwin-Williams Company was founded by

Henry Sherwin and Edward Williams in 1866.

Today, we are global leader in the manufacture,

development, distribution and sale of coatings and related

products to professional, industrial, commercial and retail

customers.

The Company manufactures products under well-known brands such as Sherwin-Williams®, Dutch Boy®, Krylon®, Minwax®, Thompson’s® Water Seal® and many more. With global headquarters in Cleveland, Ohio, Sherwin-Williams® branded products are sold exclusively through more than 4,000 company-operated stores and facilities, while the Company’s other brands are sold through leading mass merchandisers, home centers, hardware stores, automotive retailers and industrial distributors.

www.sherwin-williams.com

#C

15

LV

6

Motivation■ As an Enterprise Manager administrator you are responsible

of a wide variety of tasks including:▪ Discovery and maintenance of targets

▪ Deploy plug-ins

▪ Tune OEM 12c performance

▪ Maintain backups

▪ Others (Cloud, Self-Service, Alerts, etc.)

■ With such time consuming tasks, administrators need to find the most efficient ways to manage the manager.▪ Best practices

▪ Task automation

▪ Command Line EMCLI

#C

15

LV

7

Agenda■ Lifecycle Management

▪ EMCLI to deploy multiple Plug-ins at once

▪ Apply OMS, Plug-in and Agent patches during the same maintenance window

▪ Mass Agent Deployment

■ Target Monitoring▪ Monitoring Templates

▪ Alerts Report

▪ Administration Groups

■ Security▪ Secure your SYSMAN schema account

▪ Secure and lock the OMS and Agents

▪ Use EMCLI to configure OEM Audit system

#C

15

LV

8

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once - OMS

#C

15

LV

9

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once - OMS

#C

15

LV

10

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once - OMS

#C

15

LV

11

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once - OMS

#C

15

LV

12

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once - OMS

#C

15

LV

13

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once - OMS

▪ deploy_plugin_on_server— Deploys a plug-in on the Management Servers. The deployment

process for some plug-ins might restart the Management Servers. If the plug-in is already deployed on one of the servers, this server is skipped. If a lower version of the plug-in is already deployed, the plug-in is upgraded. If a lower revision of the plug-in is already deployed, the new revision is applied.

emcli deploy_plugin_on_server -plugin="oracle.sysman.db:12.1.0.5.0;oracle.sysman.emas.oms.plugin_12.1.0.5“ -sys_password=<sys_password> -use_last_prereq_result

#C

15

LV

14

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once – OMS

$emcli deploy_plugin_on_server -plugin="oracle.sysman.db;oracle.sysman.emas" -prereq_check

Performing pre-requisites check... This will take a while.

Oracle recommends that you take a backup of the repository, and export the first management server configuration using the command "emctl exportconfig oms". Otherwise ensure that appropriate recovery plan is in place prior to deploying the plug-in.

Retry plug-in deployment once you have backed up the repository and configuration of first management server. Use the option "-repo_backup_taken" to confirm that these have been backed up.

#C

15

LV

15

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once – OMS

■ Savings around 91 minutes

#C

15

LV

16

Lifecycle Management■ Use EMCLI to deploy multiple plug-ins at once - Agent

▪ deploy_plugin_on_agent— Deploys a plug-in on Management Agents. Agent names must be

provided for plug-in deployment.

emcli deploy_plugin_on_agent -plugin=" oracle.sysman.db:12.1.0.5.0;

oracle.sysman.emas.oms.plugin_12.1.0.5.0" -agent_names="myhost1.example.com:1838;

myhost2.example.com:1838"

#C

15

LV

17

Lifecycle Management■ Apply OMS, Plug-in and Agent patches during the same

maintenance window▪ I suggest to perform monthly maintenance on the OMS’s

▪ Test all patches and plug-ins on your QA environment first

▪ Always verify if your OPatch is up to date

▪ Always shutdown JVMD and APD before applying a patch

▪ Try to apply all the required changes on the same window— Deploy new plug-ins (use emcli)

— Apply OMS patches (PSU’s & patches)

— Apply plug-in patches

— Apply patches to your standby OMS

▪ Agent patching can be done while OMS’s is up, but don’t forget to patch the agents as well!

#C

15

LV

18

Lifecycle Management■ Perform Mass Agent Deployment

#C

15

LV

19

Lifecycle Management■ Perform Mass Agent Deployment

#C

15

LV

20

Lifecycle Management■ Perform Mass Agent Deployment

#C

15

LV

21

Lifecycle Management■ Perform Mass Agent Deployment

#C

15

LV

22

Lifecycle Management■ Perform Mass Agent Deployment

▪ Fresh Install— Installs the vanilla version of the agent.

▪ Clone Existing Agent— Installs an agent using an existing source agent that is well tested

and patched.

▪ Add Host to Shared Agent— Installs an agent using an existing master agent that is installed on a

NFS mounted drive.

#C

15

LV

23

Lifecycle Management■ Perform Mass Agent Deployment

#C

15

LV

24

Lifecycle Management■ Perform Mass Agent Deploymentemcli submit_add_host –host_names=<host_list>

-platform=<platform_id> - installation_base_directory=<installation_base_

directory> -credential_name=<credential_name>

-port=<agent_port>] [-instance_directory=<instance_directory>] [-credential_owner=<credential_owner>]

[-wait_for_completion] [-source_agent=<clone_source_agent_name>] [-master_agent=<master_agent_name>]

[ ] indicates that the parameter is optional

#C

15

LV

25

Agenda■ Lifecycle Management

▪ EMCLI to deploy multiple Plug-ins at once

▪ Apply OMS, Plug-in and Agent patches during the same maintenance window

▪ Mass Agent Deployment

■ Target Monitoring▪ Monitoring Templates

▪ Alerts Report

▪ Administration Groups

■ Security▪ Secure your SYSMAN schema account

▪ Secure and lock the OMS and Agents

▪ Use EMCLI to configure OEM Audit system

#C

15

LV

26

Monitoring Templates■ Group of metrics and their thresholds for a particular target

type

#C

15

LV

27

Monitoring Templates

#C

15

LV

28

Monitoring Templates

#C

15

LV

29

Monitoring Templates

#C

15

LV

30

Monitoring Templates

#C

15

LV

31

Monitoring Templates

#C

15

LV

32

Monitoring Templates

#C

15

LV

33

Monitoring Templates

#C

15

LV

34

Monitoring Templates

#C

15

LV

35

Monitoring Templates

#C

15

LV

36

Monitoring Templates

#C

15

LV

37

Monitoring Templates

#C

15

LV

38

Alerts Report

#C

15

LV

39

Alerts Report

#C

15

LV

40

Administration Groups

#C

15

LV

41

Administration Groups – Target Properties

#C

15

LV

42

Administration Groups

#C

15

LV

43

Administration Groups

#C

15

LV

44

Administration Groups

#C

15

LV

45

Administration Groups

#C

15

LV

46

Administration Groups

#C

15

LV

47

Administration Groups

#C

15

LV

48

Administration Groups

#C

15

LV

49

Administration Groups

#C

15

LV

50

Administration Groups

$ emcli login -username=sysmanEnter password : Login successful$ emcli set_target_property_value -property_records="Development DB:composite:LifeCycle Status:Development" -propagate_to_membersProperties updated successfully$ emcli logoutLogout successful

#C

15

LV

51

Agenda■ Lifecycle Management

▪ EMCLI to deploy multiple Plug-ins at once

▪ Apply OMS, Plug-in and Agent patches during the same maintenance window

▪ Mass Agent Deployment

■ Target Monitoring▪ Monitoring Templates

▪ Alerts Report

▪ Administration Groups

■ Security▪ Secure your SYSMAN schema account

▪ Secure and lock the OMS and Agents

▪ Use EMCLI to configure OEM Audit system

#C

15

LV

52

Secure your SYSMAN account■ SYSMAN is the schema owner, as a result is more privileged that a

Super Administrator.

■ Users and Administrators should login using their own accounts, this is helpful while auditing operations.

■ There’s a method to disable SYSMAN access from the console and emcli. DB access and “emctl status oms –details” still work.

SQL> UPDATE MGMT_CREATED_USERS

SET SYSTEM_USER='-1'

WHERE user_name='SYSMAN';

http://bitkode.blogspot.com/2014/12/oracle-enterprise-manager-security.html

Set it to 1 to re-enable it

#C

15

LV

53

Secure and Lock OMS and Agents ■ Is recommended that all communications between OMS, agents,

repository and users is made by secure mode (HTTPS).

■ In secure mode, HTTP port is locked.

■ Secure mode is enabled by default, but upgrade does not secure-lock the OMS.

■ Agents should be secured in order to make use of HTTPS port.

■ Agents not secured, will not be able to communicate with a secured OMS.

#C

15

LV

54

Secure and Lock OMS and Agents ■ Not secured OMS$ emctl status oms –details

Oracle Enterprise Manager Cloud Control 12c Release 4

Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.

Enter Enterprise Manager Root (SYSMAN) Password :

Console Server Host : host1.localdomain

HTTP Console Port : 7788

HTTPS Console Port : 7799

HTTP Upload Port : 4889

HTTPS Upload Port : 4900

EM Instance Home : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1

OMS Log Directory Location : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1/sysman/log

SLB or virtual hostname: host1-em.localdomain

HTTPS SLB Upload Port : 4900

HTTPS SLB Console Port : 443

Agent Upload is unlocked.

OMS Console is unlocked.

Active CA ID: 1

Console URL: https://host1-em.localdomain:443/em

Upload URL: https://host1-em.localdomain:4900/empbs/upload

Agent Upload is unlocked.OMS Console is unlocked.

#C

15

LV

55

Secure and Lock OMS and Agents ■ Secure OMS

$ emctl secure lock

Oracle Enterprise Manager Cloud Control 12c Release 4

Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.

Enter Enterprise Manager Root (SYSMAN) Password :

OMS Console is locked. Access the console over HTTPS ports.

Agent Upload is locked. Agents must be secure and upload over HTTPS port.

Restart OMS.

$emctl stop oms

$emctl start oms

#C

15

LV

56

Secure and Lock OMS and Agents ■ Secured OMS$ emctl status oms –details

Oracle Enterprise Manager Cloud Control 12c Release 4

Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.

Enter Enterprise Manager Root (SYSMAN) Password :

Console Server Host : host1.localdomain

HTTP Console Port : 7788

HTTPS Console Port : 7799

HTTP Upload Port : 4889

HTTPS Upload Port : 4900

EM Instance Home : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1

OMS Log Directory Location : /u01/oracle/oms/12.1.0.4/gc_inst/em/EMGC_OMS1/sysman/log

SLB or virtual hostname: host1-em.localdomain

HTTPS SLB Upload Port : 4900

HTTPS SLB Console Port : 443

Agent Upload is locked.

OMS Console is locked.

Active CA ID: 1

Console URL: https://host1-em.localdomain:443/em

Upload URL: https://host1-em.localdomain:4900/empbs/upload

Agent Upload is locked.OMS Console is locked.

#C

15

LV

57

Secure and Lock OMS and Agents ■ Secure agent$ emctl secure agent

Oracle Enterprise Manager Cloud Control 12c Release 4  Copyright (c) 1996, 2014 Oracle Corporation.  All rights reserved.Agent successfully stopped...   Done.Securing agent...   Started.Enter Agent Registration Password : <Type agent registration password>Agent successfully restarted...   Done.Securing agent...   Successful.

Securing agent...   Successful.

#C

15

LV

58

Use EMCLI to configure OEM Audit system■ Basic OEM audit is enabled by default.

■ Whenever a user login-logout, the action is audited.

■ More default audit operations include:

▪ Apply Update

▪ Change MGMT_VIEW User Password

▪ Change Repository Password

▪ Configure Authentication

▪ Copy EM Key to Repository

▪ Remove EM Key from Repository

▪ Create Custom CA

▪ Remove Update

▪ Secure Console

▪ Secure Lock

▪ Secure OMS

#C

15

LV

59

Use EMCLI to configure OEM Audit system■ You can configure the Enterprise Manager Audit System by using

the following EM CLI commands:

▪ enable_audit: Enables auditing for all user operations.

▪ disable_audit: Disables auditing for all user operations.

▪ show_operations_list: Shows a list of the user operations being audited.

▪ show_audit_settings: Shows the audit status, operation list, externalization service details, and purge period details.

▪ update_audit_settings: Updates the current audit settings in the repository.

#C

15

LV

60

Use EMCLI to configure OEM Audit system■ The update_audit_settings command updates the current audit

settings in the repository and restarts the Management Service.

emcli update_audit_settings -audit_switch="ENABLE/DISABLE" -operations_to_enable="name of the operations to enable, for all oprtations use ALL" -operations_to_disable="name of the operations to disable, for all oprtations use ALL" -externalization_switch="ENABLE/DISABLE" -directory_name="directory_name (DB Directory)" -file_prefix="file_prefix" -file_size="file_size (Bytes)" -data_retention_period="data_retention_period (Days)"

#C

15

LV

61

Use EMCLI to configure OEM Audit system▪ -audit_switch: Enables auditing across Enterprise Manager. The

possible values are ENABLE/DISABLE. Default value is DISABLE.

▪ -operations_to_enable: Enables auditing for specified operations. Enter All to enable all operations.

▪ -operations_to_disable: Disables auditing for specified operations. Enter All to disable all operations.

▪ -externalization_switch: Enables the audit data export service. The possible values are ENABLE/DISABLE. Default value is DISABLE.

▪ -directory: The database directory that is mapped to the OS directory where the export service archives the audit data files.

#C

15

LV

62

Use EMCLI to configure OEM Audit system▪ -file_prefix: The file prefix to be used by the export service to create the

file in which audit data is to be stored.

▪ -file_size: The size of the file on which the audit data is to be stored. The default value is 5000000 bytes.

▪ data_retention_period: The period for which the audit data is to be retained inside the repository. The default value is 365 days.

http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#EMSEC12907

#C

15

LV

63

Want More?■ Enterprise Manager Cloud Control Security Guidehttp://docs.oracle.com/cd/E24628_01/doc.121/e36415/toc.htm

■ Enterprise Manager Cloud Control Administrator's Guidehttp://docs.oracle.com/cd/E24628_01/doc.121/e24473/toc.htm

■ Enterprise Manager Command Line Interfacehttp://docs.oracle.com/cd/E24628_01/em.121/e17786/cli_verb_ref.htm#EMCLI200

#C

15

LV

Please complete the session evaluationWe appreciate your feedback and insight

You may complete the session evaluation either on paper or online via the mobile app