Set Up Access to Storage Servers

You must perform certain tasks to set up access to the storage servers that you want to monitor using Database Management.

Complete the following tasks before you add a connection to the storage server during Exadata Infrastructure discovery: at that point the storage server user credentials and the SSL certificate imported into the Management Agent truststore are both tested against the storage server, and the connection can be added only after a test query from the Management Agent to the storage server succeeds.

Ensure the availability of an ExaCLI user to access and monitor storage servers

The Management Agent used to connect to the storage servers requires ExaCLI credentials to collect metrics through the storage server's REST endpoint.

For External Exadata Infrastructure

Recommended option: Use the out-of-the-box cellmonitor user, which is intended for read-only monitoring and already exists on every storage server.

Secondary option: Create a new ExaCLI administrative user. If you do, the new user must be created on every storage server, and it needs list privileges on all objects; grant it nothing beyond list, since monitoring only reads attributes. For example:

> ssh root@<storage server>
> cellcli

CellCLI> CREATE ROLE monitor
CellCLI> GRANT PRIVILEGE list ON ALL OBJECTS ALL ATTRIBUTES WITH ALL OPTIONS TO ROLE monitor
CellCLI> CREATE USER mycellmon password=*
CellCLI> GRANT ROLE monitor TO USER mycellmon

To create a new ExaCLI user across multiple storage servers using the dcli utility:

dcli -l <OS User> -c <storage_server_1>,<storage_server_2>,... "cellcli -e CREATE ROLE monitor; cellcli -e GRANT PRIVILEGE list ON ALL OBJECTS ALL ATTRIBUTES WITH ALL OPTIONS TO ROLE monitor; cellcli -e CREATE USER mycellmon password=*; cellcli -e GRANT ROLE monitor TO USER mycellmon"

For information on how to:

For Oracle Cloud Exadata Infrastructure deployed in ExaDB-D or ExaDB-C@C

Use the preconfigured ExaCLI user available with the service to access and monitor storage servers. The preconfigured user is cloud_user_<clustername>, where <clustername> is the name of your VM cluster. For more information, see:

Ensure the availability of the storage server's SSL certificate in the Management Agent truststore

The Management Agent verifies the identity of each storage server in the Exadata Infrastructure with the storage server's SSL certificate. Communication between the Management Agent and the storage servers uses HTTPS, so the storage server's certificate must be present in the Management Agent truststore; otherwise the TLS handshake, and with it the connection test during discovery, fails.

Before importing the storage server's SSL certificate into the Management Agent truststore, test the certificate and the ExaCLI credentials against the storage server REST endpoint from the agent host, so that a rejected certificate or wrong credentials surface here rather than during discovery:

curl -u [cellmonitorUserName:cellmonitoruserpassword] --cacert [certificate file] 'https://[storage_server_name]:[port]/MS/RESTService/?cmd=list+cell'

For example:

curl -u monitor_user1:monitor_password --cacert ./my_storage_server.pem 'https://my_storage_server:443/MS/RESTService/?cmd=list+cell'

Passing the password on the command line records it in the shell history and exposes it in process listings; pass only the user name (-u monitor_user1) and curl prompts for the password instead.

You can import the storage server's SSL certificate into the Management Agent's default truststore within the agent installation directory or into a custom truststore located outside the agent installation directory.

  • To use the Management Agent's default truststore:
    1. Download the certificate from the storage server:
      echo | openssl s_client -showcerts -servername [storage_server_name] -connect [storage_server_name:port] 2>/dev/null | openssl x509 -out storage_server_certificate.pem
    2. Import the certificate into the Management Agent truststore (the keytool command shown for the custom truststore below works here as well, with the truststore path set to the commwallet.jks file). The Management Agent truststore has an optional password, which is defined in the CredentialWalletPassword parameter of the agent installation response file. Here are the agent truststore locations:
      • For a standalone Management Agent:
        /opt/oracle/mgmt_agent/agent_inst/config/security/comm/commwallet.jks
      • For a Management Agent installed as an Oracle Cloud Agent (OCA) plug-in:
        /var/lib/oracle-cloud-agent/plugins/oci-managementagent/polaris/agent_inst/config/security/comm/commwallet.jks
      Note

      If you're using custom SSL certificates with a common domain name for all storage servers (where all storage servers use the same certificate), you only need to import the certificate once into the truststore, even if you're using the same Management Agent to monitor multiple storage servers.
  • To use a custom truststore outside the agent directory:
    1. Download the certificate from the storage server:
      echo | openssl s_client -showcerts -servername [storage_server_name] -connect [storage_server_name:port] 2>/dev/null | openssl x509 -out storage_server_certificate.pem
    2. Import it into the custom truststore using the following command:
      keytool -importcert -alias [storage_server_name] -file [path_to_storage_server_certificate.pem] -trustcacerts -keystore [path_to_JKS_truststore_file] -storetype JKS
    Note

    If you use a truststore located outside the agent installation directory, for example /etc/pki/ca-trust/extracted/java/cacerts, ensure that the mgmt_agent user has read permission on the cacerts truststore file and execute (traverse) permission on each of its parent directories.

For more information, see Import Certificates for Management Agent.
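The openssl pipeline above imports whatever certificate the network hands back, and `openssl x509` silently keeps only the first block of the chain. The following is an added example (not Oracle's code and not part of this page) that makes the pre-import check explicit: it splits the full `openssl s_client -showcerts` output into its PEM blocks, prints a SHA-256 fingerprint for each so the leaf can be compared with a value obtained out of band from the storage server administrator, and mirrors the curl query against the /MS/RESTService/ endpoint with hostname verification enabled. The REST path, the `list cell` command and HTTP basic authentication are taken from the curl command on this page; the sample chain embedded in the module is constructed from arbitrary bytes and is not a real certificate; the function and variable names are this example's own.

```python
"""Pre-import checks for a storage server certificate (added example).

Usage on the agent host:
    echo | openssl s_client -showcerts -servername HOST -connect HOST:443 2>/dev/null > chain.txt
    python3 this_file.py chain.txt [expected SHA-256 fingerprint]
"""
import base64
import hashlib
import ssl
import sys
import urllib.parse
import urllib.request

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def split_pem_chain(text):
    """Return every PEM certificate block in `text`, in the order printed.

    `openssl s_client -showcerts` prints the server (leaf) certificate first
    and the issuers after it; the page's `openssl x509` pipeline keeps only
    the first block, so this shows what that pipeline discards.
    """
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 of the DER body of one PEM block, the same
    format `openssl x509 -noout -fingerprint -sha256` prints."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_chain(text, expected_leaf_fingerprint=None):
    """Return (certificate count, leaf fingerprint, matches).

    `matches` is None when no expected fingerprint was supplied, otherwise the
    result of a case-insensitive comparison with the leaf's fingerprint.
    """
    blocks = split_pem_chain(text)
    if not blocks:
        raise ValueError("no certificate found in input")
    leaf_fp = sha256_fingerprint(blocks[0])
    matches = None
    if expected_leaf_fingerprint is not None:
        matches = leaf_fp == expected_leaf_fingerprint.upper()
    return len(blocks), leaf_fp, matches


def rest_url(host, port, cmd):
    """Build the same URL the curl check on the page uses ('list cell' -> list+cell)."""
    return "https://%s:%d/MS/RESTService/?cmd=%s" % (host, port, urllib.parse.quote_plus(cmd))


def probe_rest_endpoint(host, port, cafile, user, password, cmd="list cell"):
    """Mirror of the curl check: TLS verified against `cafile` with hostname
    checking, HTTP basic auth, GET of the REST command. Returns (status, body).
    Network access is needed; nothing here runs it automatically."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(rest_url(host, port, cmd),
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def _fake_pem(payload):
    # Constructed test data: base64 of arbitrary bytes, NOT a real certificate.
    return PEM_BEGIN + "\n" + base64.b64encode(payload).decode() + "\n" + PEM_END + "\n"


# Constructed imitation of `openssl s_client -showcerts` output with a two-block chain.
SAMPLE_SHOWCERTS_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = my_storage_server\n   i:CN = example-issuer\n"
    + _fake_pem(b"constructed leaf, not a real certificate")
    + " 1 s:CN = example-issuer\n   i:CN = example-issuer\n"
    + _fake_pem(b"constructed issuer, not a real certificate")
    + "---\nServer certificate\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOWCERTS_OUTPUT
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    count, leaf_fp, matches = check_chain(text, expected)
    print("certificates in chain:", count)
    for i, block in enumerate(split_pem_chain(text)):
        print("cert %d SHA-256: %s" % (i, sha256_fingerprint(block)))
    if matches is False:
        sys.exit("leaf fingerprint does not match the expected value; do not import")
```

Only the leaf (block 0) is what the page's pipeline writes to storage_server_certificate.pem; compare its fingerprint with one obtained out of band before running the keytool import, and if the chain has more than one block, decide deliberately whether the leaf or the issuing certificate belongs in the truststore.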