18 Configuring Enterprise Manager Federation
Enterprise Manager Federation allows customers to have a consolidated view of all Enterprise Manager sites providing a summary of all Enterprise Manager sites deployed across the enterprise.
For troubleshooting, see Enterprise Manager Federation Troubleshooting.
Overview
The Enterprise Manager Federation user interface offers a federated summary and links to the summary pages of specific Enterprise Manager sites for in-depth analysis. The Federation Overview page offers a federated summary for the following areas: Targets summary, Incidents summary, Problems summary and Jobs summary.
The Enterprise Manager Federation supports the use of cURL commands and REST API.
Enterprise Manager Federation Dashboard
- Targets
- Incidents
- Problems
- Jobs
You can also drill down from any of the summary options described above. For example, you can drill down into an individual Enterprise Manager's All Targets page, Job activity page or Incident overview page for details.
Enterprise Manager Federation Set Up and Configuration
The following steps are required to be executed only once by any EM Super Administrator user to set up the Enterprise Manager Federation:
Step 1: Specify name of AuthN Provider for Enterprise Manager Federation
The Enterprise Manager administrator needs to select a Primary Enterprise Manager site from the entire enterprise.
To set up the Primary Enterprise Manager site, you need to enable the Enterprise Manager Federation and implicitly make the site the Primary Enterprise Manager site for Federation by running the following:
emctl set property \
-name oracle.sysman.federation.masterEMAuthNProducerName \
-value EMFederation
Oracle Enterprise Manager ...
Copyright (c) ...
Enter Enterprise Manager Root (SYSMAN) Password : *****
Property oracle.sysman.federation.masterEMAuthNProducerName has
been set to value EMFederation for all Management Servers
OMS restart is not required to reflect the new property value
The above command specifies the required name of the AuthN provider, EMFederation, which will be used in step 2.
Step 2: Create AuthN Provider on Primary Enterprise Manager site
To create an AuthN Provider on the Primary Enterprise Manager site, run the following:
emctl config apiauth \
-create_provider \
-name EMFederation \
-useDefaults \
-out EMFederation.json
Oracle Enterprise Manager ...
Copyright (c) ...
Enter Enterprise Manager Root (SYSMAN) Password : *****
Creating Provider named 'EMFederation' with Defaults ...
Successfully created a token provider named 'EMFederation'
The Contents of the provider are:
{"kty" : "oct" ,"kid" : "....-....", "k" : "W20_....."}
The provider details are in the file named 'EMFederation.json'
Commiting the changes ...
Done commiting the changes.
Provider created successfully.
Exit Code: SUCCESS
The above command generates a small JSON file named EMFederation.json.
After the JSON file is generated, you need to establish trust between the primary Enterprise Manager site and the Enterprise Manager sites to be federated.
Do the following on each secondary Enterprise Manager site to be federated to establish the trust relationship between the primary Enterprise Manager site and the respective secondary site:
- Copy the generated JSON file from the primary site to each secondary site.
This operation is designed to be performed out-of-band from Enterprise Manager.
Typically, the file is copied using a secure copy command like the following:
Example: scp <generated_json_file> <em_secondary_site>
scp EMFederation.json em_site1.example.com:.
- Log in to each secondary site and create an AuthN Asserter using the JSON file transferred to the respective secondary EM site by running the following:
emctl config apiauth \
-create_asserter \
-name EMFederation \
-in EMFederation.json
Oracle Enterprise Manager...
Copyright (c) ...
Enter Enterprise Manager Root (SYSMAN) Password : *****
Registering Asserter Named 'EMFederation' using file 'EMFederation.json' ...
Commiting the changes ...
Done commiting the changes.
Asserter named 'EMFederation' created successfully.
Exit Code: SUCCESS
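The provider file shown in Step 2 is a JWK with "kty" : "oct", which is a symmetric key, so the out-of-band copy moves a shared secret between sites. The following Python check is an added example, not Oracle's code: before the copy it confirms the file's shape, reports the key length and file permissions without printing the key, and produces a SHA-256 digest to compare on the secondary site. The function names and the sample file are constructed for illustration.

```python
import base64
import hashlib
import json
import os
import stat
import tempfile


def inspect_provider_file(path):
    """Return facts about a provider JWK file that are safe to log."""
    with open(path, "rb") as fh:
        raw = fh.read()
    jwk = json.loads(raw)
    if jwk.get("kty") != "oct":
        raise ValueError("expected a symmetric JWK (kty=oct)")
    k = jwk.get("k")
    if not isinstance(k, str) or not k:
        raise ValueError("JWK has no key value 'k'")
    # 'k' is unpadded base64url (RFC 7518, section 6.4.1); restore padding.
    key = base64.urlsafe_b64decode(k + "=" * (-len(k) % 4))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "kid": jwk.get("kid"),
        "key_bits": len(key) * 8,
        # Digest of the whole file: compare it on both hosts after the copy.
        "sha256": hashlib.sha256(raw).hexdigest(),
        "exposed": bool(mode & 0o077),  # group or other can touch the file
    }


def lock_down(path):
    """Restrict the file to its owner before it is copied anywhere."""
    os.chmod(path, 0o600)


def demo():
    # Constructed sample: a random 32-byte key, not a real provider file.
    k = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
    path = os.path.join(tempfile.mkdtemp(), "EMFederation.json")
    with open(path, "w") as fh:
        json.dump({"kty": "oct", "kid": "constructed-kid", "k": k}, fh)
    os.chmod(path, 0o644)
    before = inspect_provider_file(path)
    lock_down(path)
    return before, inspect_provider_file(path)


if __name__ == "__main__":
    print(demo())
```

Once the asserter has been created on the last secondary site, the copies of the file left on intermediate hosts are no longer needed and can be deleted.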
Step 3: Add list of Enterprise Manager sites to be federated
The Enterprise Manager administrator needs to add a list of the Enterprise Manager sites that will be part of the federation and their respective URLs to the Primary Enterprise Manager site using the cURL command line tool. Any Enterprise Manager 13c Release 4 Update 4 (13.4.0.4) or higher can be a federated site.
Use the cURL command line tool and run the following:
curl -X POST <Primary_EM_host_URL>:<Primary_EM_host_port>/em/websvcs/restful/fed/emSites -u '<EM_user_from_Primary_EM_host>' -H 'content-type: application/json' -d '{"siteURL": "<EM_site1_URL>:<EM_site1_port>", "name": "host"}'
For example:
curl -X POST https://primary_em.sample.com:5416/em/websvcs/restful/fed/emSites -u 'user1' -H 'content-type: application/json' -d '{"siteURL": "https://em_site1.sample.com:5416", "name": "host"}'
Response
- Successful operation: It returns the newly generated EM Site GUID for a successful response. This value will be used in the following step. For example, it will return "422cf85c13354336874a1971c1d57a70" as the EM Site GUID for em_site1.sample.com site.
- Invalid input: It returns an error code and a message for a failed response.
The cURL command supports one Enterprise Manager site at a time. Repeat this step to add more Enterprise Manager sites as federated sites. The maximum number of federated Enterprise Manager sites supported is 10.
Step 4: Import Certificates into Primary Enterprise Manager site's trust store
To allow https connectivity to other Enterprise Manager sites, the Enterprise Manager administrator imports the federated Enterprise Manager sites' certificates into the Primary Enterprise Manager site's trust store.
The administrator needs to ensure the certificates provided are PEM encoded (DER encoded certificates are not supported).
The customer will provide the other Enterprise Manager's certificate by using the cURL command line tool:
curl -X POST <Primary_EM_host_URL>:<Primary_EM_host_port>/em/websvcs/restful/fed/emSites/<EM Site GUID>/certificates -u '<EM_user_from_Primary_EM_host>' -H 'content-type: multipart/form-data' -F file=@<certificate file>
curl -X POST https://primary_em.sample.com:5416/em/websvcs/restful/fed/emSites/422cf85c13354336874a1971c1d57a70/certificates -u 'user1' -H 'content-type: multipart/form-data' -F file=@em_site1.pem
Response
- Successful operation: It returns the Certificate GUID and the PEM content of the file uploaded for a successful response.
- Invalid input: It returns an error code and a message for a failed response.
The certificate is stored in the Enterprise Manager credential framework.
For information about how to secure Enterprise Manager, including configuring custom certificates, see Custom Configurations in the Enterprise Manager Security Guide.
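Because Step 4 accepts only PEM encoded certificates, a pre-flight check on the file avoids a failed upload and, more importantly, avoids sending a file that also contains a private key. The following Python check is an added example, not Oracle's code: it is structural only (it does not validate the certificate's contents or chain), it assumes one certificate per file as in the em_site1.pem example, and its function names and sample bytes are constructed for illustration.

```python
import base64
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def classify(data):
    """Classify raw file bytes as 'private-key', 'pem', 'der' or 'unknown'."""
    text = data.decode("ascii", errors="replace")
    if "PRIVATE KEY-----" in text:
        return "private-key"  # key material must never be uploaded
    if PEM_BEGIN in text and PEM_END in text:
        return "pem"
    # A DER certificate is a bare ASN.1 SEQUENCE (tag 0x30), normally with a
    # two-byte long-form length (0x82), and carries no text armor.
    if data[:2] == b"\x30\x82":
        return "der"
    return "unknown"


def prepare_upload(data):
    """Return PEM text for one certificate, converting DER; raise otherwise."""
    kind = classify(data)
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    if kind != "pem":
        raise ValueError("refusing to upload: file is %s" % kind)
    text = data.decode("ascii").strip()
    if not (text.startswith(PEM_BEGIN) and text.endswith(PEM_END)):
        raise ValueError("unexpected text around the certificate block")
    # Strict decode: stray characters or a second block raise ValueError
    # here rather than coming back as an error from the REST endpoint.
    body = "".join(text[len(PEM_BEGIN):-len(PEM_END)].split())
    base64.b64decode(body, validate=True)
    return text + "\n"


def demo():
    # Constructed bytes shaped like a DER SEQUENCE; not a real certificate.
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    pem = prepare_upload(der)
    same = prepare_upload(pem.encode()) == pem
    return classify(der), classify(pem.encode()), same


if __name__ == "__main__":
    print(demo())
```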
Enterprise Manager Federation Post Configuration Tasks
The following post configuration tasks are required to be performed by any individual user who wants to have access to the Enterprise Manager Federation Dashboard, which resides in the Primary Enterprise Manager site. Users will need to create credentials and link them to the federated Enterprise Manager site. The credentials are private to that user and not shared.
- (Optional) Configure groups to view federated Enterprise Manager sites by groups
Starting with Enterprise Manager 13c Release 5 Update 1 (13.5.0.0.1), group based filtering is supported by configuring groups to view information specific to selected group(s) across federated Enterprise Manager sites.
Groups are used to logically organize, manage and monitor the targets in individual Enterprise Manager sites or federated Enterprise Manager sites. Creating a federation group in the primary Enterprise Manager enables the federation dashboard to get data specific to the configured groups from the federated Enterprise Manager sites. For example, the super administrator can create groups for specific applications or business units: one group for Customer Service applications and another group for Finance applications. The groups created by the super administrator user are available to all users.
Requirement:
- The Primary Enterprise Manager site must have installed Enterprise Manager 13c Release 5 Update 1 (13.5.0.0.1) or higher.
- The federated Enterprise Manager sites must have installed Enterprise Manager 13c Release 4 Update 9 (13.4.0.0.9) or higher.
To add a group, you can use the following cURL command:
curl -X POST https://<Primary_EM_host_name>.<Primary_EM_host_domain>/em/websvcs/restful/fed/composites -u '<EM_user_from_Primary_EM_host>' -H 'content-type: application/json' -d '{ "targetName":"<Group_Name>", "targetType":"composite"}'
For example, to add a group called "Finance DB", use the following command:
curl -X POST https://primary_em.sample.com/em/websvcs/restful/fed/composites -u 'superadmin' -H 'content-type: application/json' -d '{ "targetName":"Finance DB", "targetType":"composite"}'
- By Sites
It allows filtering down data to a specific federated group across all federated Enterprise Manager sites.
- By Groups
It consolidates data for all federated groups across all federated Enterprise Manager sites. This dashboard is useful for users interested in seeing only data related to the federated groups, and not the whole enterprise.
Enterprise Manager Federation Troubleshooting
This section covers common troubleshooting tasks for Enterprise Manager Federation using the cURL command line tool for the following EM Federation resources:
EM Site Management
- Get EM site
curl -X GET <Primary_EM_host_URL>:<Primary_EM_host_port>/em/websvcs/restful/fed/emSites -u '<EM_user_from_Primary_EM_host>'
For example:
curl -X GET https://primary_em.sample.com:5416/em/websvcs/restful/fed/emSites -u 'user1'
Display existing trust relationship
For an existing secondary Enterprise Manager site, display the existing trust relationship established from the primary Enterprise Manager site.
emctl config apiauth -list_asserters -name EMFederation
Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 ...
Enter Enterprise Manager Root (SYSMAN) Password :
Listing asserter with name = EMFederation
TokenAsserter [id=xxx, name= EMFederation, tokenType=JWS]
Done listing Asserter(s).
Exit Code: SUCCESS
- Update EM site
curl -X PUT <Primary_EM_host_URL>:<Primary_EM_host_port>/em/websvcs/restful/fed/emSites/<EM-SITE_GUID> -u '<EM_user_from_Primary_EM_host>' -H 'content-type: application/json' -d ' {"siteURL": "<EM_site1_URL>:<EM_site1_port>", "name": "ProdHost"} '
For example:
curl -X PUT https://primary_em.sample.com/em/websvcs/restful/fed/emSites/422cf85c13354336874a1971c1d57a70 -u 'user1' -H 'content-type: application/json' -d ' {"siteURL": "https://em_site1.sample.com:5416", "name": "ProdHost"} '
- Delete a secondary EM site
emctl config apiauth -delete_asserter -name EMFederation
curl -X DELETE <Primary_EM_host_URL>:<Primary_EM_host_port>/em/websvcs/restful/fed/emSites/<EM-SITE_GUID> -u '<EM_user_from_Primary_EM_host>'
For example:
curl -X DELETE https://primary_em.sample.com/em/websvcs/restful/fed/emSites/422cf85c13354336874a1971c1d57a70 -u 'user'
Note:
The <EM-SITE_GUID> value is returned when creating an EM Site. You can also obtain it using the GET API.
EM Certificate Management
- Get certificate
curl -X GET <Primary_EM_host_URL>:<Primary_EM_host_port>/em/websvcs/restful/fed/emSites/<EM-SITE_GUID>/certificates -u '<EM_user_from_Primary_EM_host>'
For example:
curl -X GET https://primary_em.sample.com/em/websvcs/restful/fed/emSites/422cf85c13354336874a1971c1d57a70/certificates -u 'user1'
- Delete certificate
curl -X DELETE <Primary_EM_host_URL>:<Primary_EM_host_port>/em/websvcs/restful/fed/emSites/<EM-SITE_GUID>/certificates -u '<EM_user_from_Primary_EM_host>'
For example:
curl -X DELETE https://primary_em.sample.com/em/websvcs/restful/fed/emSites/422cf85c13354336874a1971c1d57a70/certificates -u 'user1'
Note:
The <EM-SITE_GUID> value is returned when creating an EM Site. You can also obtain it using the GET API.