Saturday, April 08, 2006

Grid Control Part I: Securing Communication with the Agent

[Disclaimer: I'm not in a RAC environment, and (because we use AIX) can't yet install 10gR2. Anything I might post about my experiences with Grid Control can only be sure to apply to 10gR1 in a non-RAC environment.]

I mentioned yesterday that I believe in encrypting the traffic between the management agent (OMA) and the management service (OMS). This encryption is provided by Enterprise Manager Framework Security. It combines PKI and HTTPS and, properly done, ensures the service won't accept communications from unauthorized agents.

Steps to Secure OMS-OMA communications:
(Assumes $OMS_HOME is set to the management service's oracle home and $OMA_HOME is set to the agent's oracle home)

  1. Stop all OMS services by issuing $OMS_HOME/opmn/bin/opmnctl stopall
  2. Secure OMS by issuing $OMS_HOME/bin/emctl secure oms
    • When asked for Enterprise Manager Root Password, provide sysman's password
    • When asked for Agent Registration Password, provide the password you want the agents to use during their part of the security process.
    • When asked for Hostname for this OMS, provide the name of the host upon which the OMS resides.
    • A series of messages will be displayed to screen as the wallet is generated and appropriate files are updated
  3. Start OMS by issuing $OMS_HOME/opmn/bin/opmnctl startall
  4. Issue $OMS_HOME/opmn/bin/opmnctl status to make sure everything started correctly (LogLoader isn't needed -- at least on my systems)
  5. Find out what port (typically 4888) was assigned for communication by issuing $OMS_HOME/bin/emctl secure status
  6. Test the port by pointing your browser to https://servername:secureport/em/upload. You should see a message saying the receiver servlet's active
  7. At this point, the OMS accepts both HTTP and HTTPS connections. We'll turn off HTTP connections later.
  8. For each agent:
    • $OMA_HOME/bin/emctl stop agent
    • $OMA_HOME/bin/emctl secure agent
    • When prompted for password, provide the same Agent Registration password you provided the OMS.
    • $OMA_HOME/bin/emctl start agent
  9. The Grid Control's web page for the agent should now show the agent as using secure uploads. (Note that it takes a while, sometimes over 5 minutes, for the monitored targets to be displayed as "up" after the agent comes back online.)
  10. When all agents are able to upload securely, it's time to configure OMS to refuse insecure uploads.
  11. On OMS machine, issue $OMS_HOME/opmn/bin/opmnctl stopall
  12. $OMS_HOME/bin/emctl secure lock
  13. $OMS_HOME/opmn/bin/opmnctl startall
  14. $OMS_HOME/opmn/bin/opmnctl status
  15. (Note that you can begin accepting unsecured uploads again by issuing opmnctl stopall, emctl secure unlock, and opmnctl startall)
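The ordering in the list above is the security-relevant part: if the OMS is locked before every agent has been secured, the remaining agents can no longer upload at all. The script below is an added example (not from the original post and not Oracle's own tooling) that drives the same emctl/opmnctl commands in that order and refuses to run the lock step if any agent step fails. It assumes, hypothetically, that $OMS_HOME and $OMA_HOME point at the respective Oracle homes, that the agent hosts are reachable over ssh as the software owner, and that AGENT_HOSTS lists them; the Oracle home paths and host names in it are placeholders. With DRY_RUN=1 (the default) it only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle: scripts the
# OMS -> agents -> lock order of the procedure above so HTTP is never
# refused before every agent can upload over HTTPS.
# Assumptions (all hypothetical): OMS_HOME/OMA_HOME point at the
# respective Oracle homes, agent hosts are reachable with ssh as the
# software owner, and AGENT_HOSTS lists them. DRY_RUN=1 (the default)
# only prints the commands that would run.

DRY_RUN="${DRY_RUN:-1}"
OMS_HOME="${OMS_HOME:-/u01/app/oracle/oms10g}"      # placeholder path
OMA_HOME="${OMA_HOME:-/u01/app/oracle/agent10g}"    # placeholder path
AGENT_HOSTS="${AGENT_HOSTS:-agenthost1 agenthost2}" # constructed sample list

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1-5: generate the OMS wallet and report the secure upload port.
# 'emctl secure oms' prompts for the sysman password, the agent
# registration password and the OMS hostname, so run this interactively.
secure_oms() {
    run "$OMS_HOME/opmn/bin/opmnctl" stopall &&
    run "$OMS_HOME/bin/emctl" secure oms &&
    run "$OMS_HOME/opmn/bin/opmnctl" startall &&
    run "$OMS_HOME/opmn/bin/opmnctl" status &&
    run "$OMS_HOME/bin/emctl" secure status
}

# Step 8 for one agent. 'emctl secure agent' prompts for the registration
# password, hence ssh -t to keep a terminal attached.
secure_agent() {
    host="$1"
    run ssh -t "$host" "$OMA_HOME/bin/emctl stop agent" &&
    run ssh -t "$host" "$OMA_HOME/bin/emctl secure agent" &&
    run ssh -t "$host" "$OMA_HOME/bin/emctl start agent"
}

# Steps 11-14: refuse plain HTTP uploads from now on.
lock_oms() {
    run "$OMS_HOME/opmn/bin/opmnctl" stopall &&
    run "$OMS_HOME/bin/emctl" secure lock &&
    run "$OMS_HOME/opmn/bin/opmnctl" startall &&
    run "$OMS_HOME/opmn/bin/opmnctl" status
}

# Whole rollout. Locking is skipped if any agent step failed, because a
# locked OMS refuses uploads from agents that are still on HTTP.
rollout() {
    secure_oms || return 1
    for h in $AGENT_HOSTS; do
        secure_agent "$h" || {
            echo "agent on $h not secured; leaving OMS unlocked" >&2
            return 1
        }
    done
    lock_oms
}

# Usage: DRY_RUN=0 AGENT_HOSTS="host1 host2" sh secure_grid.sh rollout
if [ "${1:-}" = "rollout" ]; then
    rollout
fi
```

Run it once with the default DRY_RUN=1 to review the exact command sequence for your hosts, then with DRY_RUN=0 from a terminal, since both emctl secure oms and emctl secure agent prompt for passwords. Check the Grid Control page for each agent (step 9) before trusting the lock step, as the script can only see whether emctl exited cleanly, not whether uploads have actually switched to HTTPS.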

Next time I'll post about securing the conversation between the OMS and the Oracle Management Repository (OMR) database, as well as for the agent that monitors it.

For all the details regarding grid security, see the Oracle Enterprise Manager Advanced Configuration doc for 10gR1 or 10gR2.

1 comments:

KEViv!aN said...

When the following command
$OMA_HOME/bin/emctl secure agent
is issued, the agent will be stopped first. So we don't need to stop the agent first.

Please let me know if I am wrong.

Thanks,
Kevin