2 Install the Enterprise Manager Management Agent

This chapter provides the instructions for installing the Enterprise Manager (EM) Management Agent onto the Audit Vault Server and Database Firewall Appliance.

Prerequisites for Installing Enterprise Manager Agent

There are multiple prerequisites that need to be done in the Audit Vault console before installing the Enterprise Manager agent.

Allow SSH Access to User oracle

  1. Open a terminal window and edit the file: /etc/ssh/sshd_config to allow SSH access to user oracle.
    vi /etc/ssh/sshd_config
  2. Append oracle to the AllowUsers line.
    AllowUsers support oracle
  3. Restart sshd.
    service sshd restart

Determining Whether an Oracle Software Owner User Already Exists for Enterprise Manager

To determine whether an Oracle software owner user named oracle exists, run the following command:

$ id oracle

If the oracle user exists, then the output from this command looks like this:

uid=440(oracle) gid=200(oinstall) groups=201(dba),202(oper)

If the user exists, then determine whether you want to use the existing user or create another oracle user.

To use the existing user, ensure that the user's primary group is the Oracle Inventory group.

Note:

If necessary, contact your system administrator before using or modifying an existing user.

Creating the Oracle Software Owner User for Enterprise Manager

If the Oracle software owner user does not exist or if you require a new Oracle software owner user, then follow these steps to create one. In the following procedure, use the user name oracle unless a user with that name already exists.

  1. To create the oracle user, enter a command similar to the following:

    # /usr/sbin/useradd -g oinstall oracle

    In this command, the -g option defines the primary group, which must be the Oracle Inventory group, for example oinstall.

  2. Set the password of the oracle user:

    # passwd oracle

Note:

Oracle recommends you to use the same UIDs across all the OMS instances, especially when you use Oracle Software Library. If the UIDs are different, then the files created by one OMS cannot be modified by another OMS.

Determining Whether the Oracle Inventory Group Already Exists for Enterprise Manager

When you install Oracle software on the system for the first time, the oraInst.loc file is created. This file identifies the name of the Oracle Inventory group and the path to the Oracle Inventory directory.

To determine whether the Oracle Inventory group exists, enter the following command:

$ more /etc/oraInst.loc

Note:

The oraInst.loc file is located in the /etc directory on Linux and most other platforms. On Solaris platforms, it is located in /var/opt/oracle/.

If the oraInst.loc file exists, then the output from this command looks like:

inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall

The inst_group parameter shows the name of the Oracle Inventory group, oinstall.

Creating the Oracle Inventory Group for Enterprise Manager

If the oraInst.loc file does not exist, or if the file exists but the Oracle Inventory group is different, then create the Oracle Inventory group oinstall using the following command:

# /usr/sbin/groupadd oinstall
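The two checks above (the oracle user's primary group from id, and inst_group from oraInst.loc) can be combined into one script. This is an added example, not part of the Oracle documentation; it takes the id line and the oraInst.loc contents as strings so it can be exercised offline, and the sample values are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): decide whether the
# existing oracle user's primary group is the Oracle Inventory group.
# Inputs are passed as strings (the `id oracle` line and the contents of
# /etc/oraInst.loc) so the check can be run without a real installation.

# Primary group name from an id line such as
#   uid=440(oracle) gid=200(oinstall) groups=201(dba),202(oper)
primary_group_of() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# inst_group value from oraInst.loc content
inventory_group_of() {
    printf '%s\n' "$1" | sed -n 's/^inst_group=//p'
}

# Returns 0 when the primary group equals the inventory group, 1 when it
# differs, and 2 when either value could not be determined.
check_oracle_user() {
    id_line=$1
    orainst=$2
    pg=$(primary_group_of "$id_line")
    ig=$(inventory_group_of "$orainst")
    [ -n "$pg" ] && [ -n "$ig" ] || return 2
    [ "$pg" = "$ig" ]
}

# Constructed sample inputs, matching the outputs shown in the text above.
SAMPLE_ID='uid=440(oracle) gid=200(oinstall) groups=201(dba),202(oper)'
SAMPLE_ORAINST='inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall'

if check_oracle_user "$SAMPLE_ID" "$SAMPLE_ORAINST"; then
    echo "primary group matches the Oracle Inventory group"
else
    echo "primary group does not match the Oracle Inventory group (rc=$?)"
fi
```

On a real host, call it as check_oracle_user "$(id oracle)" "$(cat /etc/oraInst.loc)" (or the Solaris path given above).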

Configure User oracle

  1. Create the agent home directory:
    mkdir $ORACLE_BASE/agent13c
  2. Edit the oraenv command inside .bashrc:
    1. vi $HOME/.bashrc
    2. Add a -s to oraenv.
      . /usr/local/bin/oraenv -s

Unlock dbsnmp and asmsnmp Accounts (for AVS only)

  1. Change user to dvaccountmgr:
    su dvaccountmgr
  2. Run the following commands:
    sqlplus /
    alter user dbsnmp identified by <password> account unlock;
  3. Change user to grid:
    su grid
  4. Run the following commands:
    orapwd file=/var/lib/oracle/grid/dbs/orapw+ASM password=<password>
    sqlplus / as sysasm
    alter user asmsnmp identified by <password> account unlock;
    grant sysdba to asmsnmp;

    Oracle recommends creating an Oracle Database user asmsnmp with sysdba privileges.

Assign a Hostname

  1. Log in to the Audit Vault Server console as a user with the AV_ADMIN role or to a Database Firewall appliance console as a user with Firewall Admin privileges.
  2. Set the hostname to a fully qualified hostname (for example, location.mycompany.com).
    • On the Audit Vault server, click Settings, then Network under the Systems group header. On the Network page, change the host name.
    • On the Database Firewall appliance console, click Network under the System header, and then click the Change button on the lower right-hand corner of the page.
  3. Configure the DNS on each appliance to be monitored so that it matches the DNS used by the OMS server. Click System or Settings, then Services under the System group header. On the Services page, configure the DNS, and change the host name.
    By default, SSH access into Audit Vault Server and Database Firewall is disabled. For the following steps, SSH is required. Therefore, on the same Services page, replace disabled inside the SSH box either with the IP address of the machine from which you will connect or with all to allow SSH connections from all machines on the network.

Unblock the EM Agent Network Port

  1. Log in to the operating system of the Audit Vault Server or Database Firewall appliance as the root user.
  2. Unblock the network port through which the EM Management Agent and the Enterprise Manager server communicate:
    1. Edit the file /usr/local/dbfw/templates/template-iptables. By default, the permissions for this file are read-only. You must change the permissions to allow editing. As root, change the permissions:
      chmod 644 template-iptables
      Edit the line as described below. There may be similar entries in this file for database listener ports. Make your entry below these. For AVDF Server version earlier than 20.1, add a line as shown:
      -A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport <EM agent port number> -j ACCEPT
      For AVDF Server version 20.1 and above, add a line as shown:
      -A INPUT -p tcp -m state --state NEW --dport <EM agent port number> -j ACCEPT
      Where:
      • --dport is the port number for your EM Agent. Typically, the default port number used by the EM agent is 3872.
      • An optional "-s" option limits the rule to specific OMS addresses. The best practice is to add this optional switch ("-s ip1,ip2") so that only the OMS addresses can reach the agent port.
      Take extreme care when modifying the template-iptables file. Any editing mistakes could make the system inoperable. Change the permissions of the template-iptables file back to read-only:
      chmod 444 template-iptables
    2. Run the following command as root:
      /usr/local/dbfw/bin/priv/configure-networking
    3. Test your change. If your agent port number is the default value 3872, which is officially registered with IANA by Oracle under oem-agent, use:
      iptables -L | grep oem
      If another port was used, use:
      iptables -L -n | grep <EM agent port number>
You will see that there is now an ACCEPT rule for the Management Agent.

Note:

Changes made here to the template-iptables file might be rolled back by a subsequent Oracle Audit Vault and Database Firewall patch or upgrade. If you notice after applying the next patch or upgrade that Enterprise Manager is no longer collecting information about the AV Server correctly, then repeat sub-steps 1 and 2 of step 2 above.
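Because the template can be rolled back by a patch and because an unrestricted rule exposes the agent port to the whole network, it is worth auditing the file rather than eyeballing it. The following script is an added example, not part of the Oracle documentation or the appliance software; it reads a template-iptables file (or a copy) and reports whether an ACCEPT rule for the agent port exists and whether it carries the "-s" source restriction recommended above.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): audit a template-iptables
# file for the EM agent ACCEPT rule described in the procedure above.
# Exit codes: 0 = rule present and limited to specific sources with -s,
#             1 = rule present but open to any source,
#             2 = no ACCEPT rule for the port (or file unreadable).
# Assumes each rule is written on a single line, as in the procedure.

audit_agent_rule() {
    tmpl=$1          # path to template-iptables (or a copy of it)
    port=${2:-3872}  # EM agent port; 3872 is the default named above
    # Skip comment lines, then keep ACCEPT rules whose --dport is exactly
    # this port ("3872" followed by whitespace or end of line, so 38720
    # does not match).
    rules=$(grep -v '^[[:space:]]*#' "$tmpl" 2>/dev/null \
        | grep -E -e "--dport ${port}([[:space:]]|\$)" \
        | grep -E -e '-j[[:space:]]+ACCEPT' || true)
    if [ -z "$rules" ]; then
        echo "port ${port}: no ACCEPT rule found in ${tmpl}"
        return 2
    fi
    # A standalone "-s" (not the "-s" inside "--state") means the rule is
    # limited to the listed OMS address(es).
    if printf '%s\n' "$rules" | grep -E -q -e '(^|[[:space:]])-s[[:space:]]'; then
        srcs=$(printf '%s\n' "$rules" \
            | sed -n 's/.*-s[[:space:]]\([^ ]*\).*/\1/p' | tr '\n' ' ')
        echo "port ${port}: ACCEPT rule limited to source(s) ${srcs}"
        return 0
    fi
    echo "port ${port}: ACCEPT rule is open to any source; consider adding -s <OMS IP>"
    return 1
}

# Demo on a constructed copy of the template; the real file lives at
# /usr/local/dbfw/templates/template-iptables and should be audited, not edited, here.
demo_audit() {
    f=$(mktemp)
    printf '%s\n' '-A INPUT -p tcp -m state --state NEW --dport 1521 -j ACCEPT' \
        '#OEM' \
        '-A INPUT -p tcp -m state --state NEW -s 10.0.0.5 --dport 3872 -j ACCEPT' > "$f"
    audit_agent_rule "$f" 3872
    rc=$?
    rm -f "$f"
    return $rc
}
```

Run audit_agent_rule /usr/local/dbfw/templates/template-iptables <port> as root after each patch or upgrade to confirm the rule survived.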

The next step is to install and configure an EM Management Agent on each server where an AVDF agent resides. The EM Management Agents can be installed using the Enterprise Manager graphical user interface (a "push" method) or by manually "pulling" the agent software onto the Audit Vault Server or Database Firewall Appliance.

Install the Enterprise Manager Agent Using UI

Installing the Oracle Enterprise Manager agent is done via a push method from the OEM console.

Be sure to perform the prerequisites detailed in Prerequisites to Installing Enterprise Manager Agent.

  1. From the Setup dropdown select Add Target > Add Target Manually.
  2. Click Install Agent on Host.
  3. Click the + Add button, fill in the Host Name and Platform and click Next.
  4. Fill in the Installation Base Directory as /var/lib/oracle/agent13c.
  5. Create a Named Credential for user oracle.
  6. Leave the root credential blank.
  7. Click Deploy Agent.

    Note:

    During the installation phase, you may see a message about sudo not being set up with a visible password. Click Continue All Hosts.
  8. Open a terminal window in the Audit Vault Server as root and run the following command:
    /var/lib/oracle/agent13c/<agent_version>/root.sh

Manually Install the EM Management Agent on an Audit Vault Server or a Database Firewall Appliance

Perform the following steps to install the EM Management Agent manually by pulling the agent files and configuring an agent on a Database Firewall Appliance 12.2.x or Audit Vault Server.

Be sure to perform the prerequisites detailed in Prerequisites for Installing Enterprise Manager Agent.

  1. Log in as the root user on the Audit Vault Server and run the following command to become the oracle user:
    su - oracle
  2. Download the AgentPull.sh script as follows:
    cd /tmp
    curl "https://<OMS_HOST>:<OMS_PORT>/em/install/getAgentImage" -k -o AgentPull.sh
  3. Give execute permission to the AgentPull.sh script:
    chmod +x AgentPull.sh
  4. Run the AgentPull.sh script to download and install the Management Agent. The LOGIN_USER is the EM repository owner (SYSMAN) and LOGIN_PASSWORD is the repository owner password (the SYSMAN password):
    sh AgentPull.sh LOGIN_USER=<username> LOGIN_PASSWORD=<password> PLATFORM=<PLATFORM> AGENT_BASE_DIR=<EM agent install directory> AGENT_REGISTRATION_PASSWORD=<password> ORACLE_HOSTNAME=<ORACLE HOSTNAME>

    Note:

    ORACLE_HOSTNAME is the fully qualified hostname of the Audit Vault Server or Database Firewall Appliance where the EM Management Agent is being installed.

The installation of the EM Management Agent starts automatically as soon as the download has finished. At the end of the installation, you will be prompted to run a script as root.

After running that script, continue with Discovering the Oracle AVDF Target.

Manually Install the EM Management Agent on a Database Firewall Appliance 20.x

Perform the following steps to install the EM Management Agent manually by pulling the agent files and configuring an agent on a Database Firewall Appliance 20.x.

Be sure to perform the prerequisites detailed in Prerequisites for Installing Enterprise Manager Agent.

  1. As root user, add oinstall group, create oracle user and add it to the oinstall group:

    /usr/sbin/groupadd oinstall
    /usr/sbin/useradd -g oinstall oracle
  2. As root user navigate to the dbfw directory:

    cd /var/dbfw
  3. Create the emagent directory, change the user and group ownership of the emagent directory:

    mkdir emagent
    chown oracle emagent
    chgrp oinstall emagent
  4. Switch to the oracle user and navigate to the emagent directory:

    su - oracle
    cd /var/dbfw/emagent
  5. Transfer the Agent:

    curl https://<OMS Host>:<Port>/em/install/getAgentImage --insecure -o AgentPull.sh
    chmod +x AgentPull.sh 
  6. Run the AgentPull.sh script to download and install the Management Agent. The LOGIN_USER is the EM repository owner (SYSMAN) and LOGIN_PASSWORD is the repository owner password (the SYSMAN password):

    sh AgentPull.sh LOGIN_USER=<username> LOGIN_PASSWORD=<password> PLATFORM=<PLATFORM> AGENT_BASE_DIR=<EM agent install directory> AGENT_REGISTRATION_PASSWORD=<password> ORACLE_HOSTNAME=<ORACLE HOSTNAME>

    Note:

    ORACLE_HOSTNAME is the fully qualified hostname of the Database Firewall Appliance where the EM Management Agent is being installed.

The installation of the EM Management Agent starts automatically as soon as the download has finished. At the end of the installation, you will be prompted to run a script as root.

After running that script, continue with Discovering the Oracle AVDF Target.

Manually Install the EM Management Agent on an Audit Vault Server

Configure the Oracle Software User

  1. Create the agent home directory:
    mkdir $ORACLE_BASE/emagent
  2. Edit the oraenv command inside .bashrc:
    1. vi $HOME/.bashrc
    2. Add a -s to oraenv.
      . /usr/local/bin/oraenv -s

Unlock the dbsnmp account

  1. From the root account, change user to dvaccountmgr:
    su - dvaccountmgr
  2. Run the following commands:
    sqlplus /
    alter user dbsnmp identified by <password> account unlock;
  3. From the root account, change user to grid:
    su - grid
  4. Run the following commands:
    orapwd file=+SYSTEMDATA password=<password> asm=Y
    sqlplus / as sysasm
    create user asmsnmp identified by <password>;
    grant sysdba to asmsnmp;

    Oracle recommends creating the Oracle Database user asmsnmp with sysdba privileges.

Manually Install the EM Management Agent on the Audit Vault Server

Follow the steps below to set the host name, configure the DNS, and to download and install the EM Management Agent on the Audit Vault Server:

  1. Log in to the Audit Vault Server console as a user with the AV_ADMIN role.
  2. Configure the DNS on each appliance to be monitored so that it matches the DNS used by the OMS server. Click Settings, then Services under the System group header. On the Services page, configure the DNS, and change the host name. By default, SSH access into the Audit Vault Server and Database Firewall is disabled. SSH is required for the following steps. Therefore, on the same Services page, replace disabled inside the SSH box either with the IP address of the machine from which you will connect or with all to allow SSH connections from all machines on the network.
  3. Log in to the operating system of the Audit Vault Server as the root user.
  4. Unblock the network port through which the EM Management Agent and the Enterprise Manager server communicate:

    Note:

    Changes made here to the template-iptables file might be rolled back by a subsequent Oracle Audit Vault and Database Firewall patch or upgrade. If you notice after applying the next patch or upgrade that Enterprise Manager is no longer collecting information about the AV Server correctly, then repeat sub-steps 1 and 2 below.
    1. Edit the file /usr/local/dbfw/templates/template-iptables file with the following entry:

      Note:

      By default, the permissions for this file are read-only. You must change the permissions to allow editing, edit the file, and then change the permissions back to read-only:
      1. As root, change the permissions of the template-iptables file:
        chmod 644 template-iptables
      2. Add the following line as described below:
        #OEM
        -A INPUT -p tcp -m state --state NEW --dport 3872 -j ACCEPT
      3. Change the permissions of the template-iptables file back to read-only:
        chmod 444 template-iptables

      There may be similar entries already for database listener ports. Make your entry below them.

      Note:

      Take extreme care when modifying the template-iptables file. Any mistakes here could make the system inoperable. Only make this change and no other.
    2. Run the following command as root:
      /usr/local/dbfw/bin/priv/configure-networking
    3. Test your change. If port 3872 is used (this port is officially registered with IANA by Oracle for oem-agent), either of the following shows the rule:
      iptables -L -n | grep 3872
      iptables -L | grep oem

      If another port was used, list the rules numerically and search for that port:

      iptables -L -n | grep <EM agent port number>

      You will see that there is now an ACCEPT rule for the Management Agent.

  5. While logged in as the root user on the Audit Vault Server, run the following command to become the oracle user:
    su - oracle
  6. Download the AgentPull.sh script as follows:
    cd /tmp
    curl "https://<OMS_HOST>:<OMS_PORT>/em/install/getAgentImage" -k -o AgentPull.sh
    where OMS_HOST is the OEM DNS name or IP address and OMS_PORT is the OEM port number.
  7. Give execute permission to the AgentPull.sh script:
    chmod 755 AgentPull.sh
  8. Run the AgentPull.sh script to download and install the Management Agent:
    ./AgentPull.sh AGENT_BASE_DIR=/var/lib/oracle/emagent ORACLE_HOSTNAME=<Fully Qualified Hostname> AGENT_PORT=3872 LOGIN_USER=sysman PLATFORM="Linux x86-64"

    where ORACLE_HOSTNAME is the fully qualified host name of the Audit Vault Server where the EM Management Agent is to be installed.

    Note:

    a. You will be prompted for two passwords immediately upon executing the above command. The EM SYSMAN password and an Agent Password (which you assign).

    b. The installation of the EM Management Agent starts automatically as soon as the download has finished.

    c. At the end of the installation, you will be prompted to run a script as root: /var/lib/oracle/emagent/agent_13.X.0.0.0/root.sh

  9. Run following agent emctl commands as oracle:
    cd /var/lib/oracle/emagent/agent_13.X.0.0.0/bin
    ./emctl secure agent
    ./emctl config agent addinternaltargets

Discover the Oracle AVDF Target

Follow the steps below to add the Oracle Audit Vault Server target:

  1. Log in to Enterprise Manager.
  2. Click Setup, then Add Target, and finally Configure Auto Discovery.
  3. On the Setup Discovery page, select a host on the Targets on Hosts tab and click Discovery Modules.
  4. On the Discovery Modules page, confirm that the Discover Audit Vault and Database Firewall Entities module and the Oracle Database, Listener and Automatic module are selected. Click OK.
  5. Returning to the previous page, highlight the host name of the Oracle Audit Vault Server and click Discover Now. A dialog box will appear while the discovery is in progress.
  6. Rename the Audit Vault Server and Database Firewall instances:
    1. Click Setup, then Add Target, and finally Auto Discovery Results.
    2. Click the Targets on the Hosts tab.
    3. In the Target Type column, look for Oracle Audit Vault and Database Firewall, this is your Audit Vault Server. Highlight the row and click Rename to rename it to any meaningful name, such as AVServer_Legal_and_HR.
    4. Next, highlight the row with Database Instance as a target type. Click Rename to rename it to any meaningful name, such as AVS_Repository.
  7. Promote the Audit Vault Server (AV Server):
    1. Highlight the row of the Audit Vault Server and click Promote.
    2. On the next page, provide the user name and password of the AV Server user with the AV_ADMIN privilege. The Preferred Connect String should already be populated. However, if it is not, go to the AV Server Web administration console and log in as a user with the AV_ADMIN privilege. Click Settings, then Status, and copy the preferred connect string from there. The ORACLE_HOME is:
      /var/lib/oracle/dbfw
    3. Click Promote.
  8. Promote AV Repository Database instance:
    1. Highlight the row with the AVS_Repository database instance. Click on Promote.
    2. On the next page, check AVS_Repository and click Configure.
    3. Enter the Monitor password (the user is dbsnmp, whose account you unlocked earlier in the AVS repository database), change the port from 1522 to 1521, and change the Listener Machine Name to the fully qualified host name of your AV Server.
    4. Click Test Connection; when successful, click Save.
  9. Back on the previous page, click Next. On the following page, click Save.
  10. To navigate to your new AV Server home page in Enterprise Manager:
    1. From the Targets menu, select All Targets.
    2. Expand the Others list item.
    3. Select Oracle Audit Vault and Database Firewall. The AV repository database is listed under Targets, Databases.

The AVDF Plug-in Home Page

Once installed and configured, you can monitor Oracle Audit Vault and Database Firewall from Enterprise Manager. Each section and region of this page is described in Primary AVDF Plug-in Monitoring Overview.