2 Setting Up the Cloud Management Infrastructure

This chapter describes the initial setup needed before you can begin using the Enterprise Manager Cloud Management solution.

The chapter includes the following sections:

Note:

From the Enterprise Manager 12.1.0.4 release, the Software Library is configured during the installation of Enterprise Manager. It need not to be separately configured.

Setting Up Self Update

The Self Update feature allows you to expand Enterprise Manager's capabilities by updating Enterprise Manager components whenever new and updated features become available between official releases. Oracle makes functional updates available between releases by publishing them to the Enterprise Manager Store, an external site that is periodically checked by Enterprise Manager to obtain information about available updates.

The updatable entities for the Oracle Cloud platform include:

Before you can use the Self Update feature, you must satisfy these prerequisites:

  • If you are applying an update in online mode, ensure that the My Oracle Support credentials have been set up using the SYSMAN user. This is required to enable entities to be downloaded from the My Oracle Support site.

  • The Software Library (also known as the local store) has been configured. Updates are downloaded to this local store before being deployed into Enterprise Manager.

Review the following sections for instructions on setting up Self Update:

Setting Up Enterprise Manager Self Update Mode

In order to set up or modify the Enterprise Manager Self Update feature, you must have Enterprise Manager Super Administrator privileges.

  1. Log in to Enterprise Manager as an administrator with Super Administrator privileges.
  2. From the Setup menu, select Extensibility, then select Self Update. The Self Update console appears with the default setup displayed.
  3. From the General status area, click the Connection Mode status to set either offline or online mode. Enterprise Manager takes you to the Patching Setup page to specify online and offline settings.
  4. Once the desired connection mode has been selected, return to the Self Update console.

    From here you can select entity types and schedule updates from the Enterprise Manager Update Store.

Assigning Self Update Privileges to Users

Enterprise Manager administrators must have the requisite privileges to use the Self Update feature. The Enterprise Manager Super Administrator must assign the following Self Update roles to these administrators:

  • VIEW_SELF_UPDATE: The user can view the Self Update console and can monitor the status of download and apply jobs.

  • MANAGE_SELF_UPDATE: The user can schedule download and apply jobs. User can also suppress/unsuppress updates. This privilege implicitly contains VIEW_SELF_UPDATE.

  • EM_INFRASTRUCTURE_ADMIN: The user can perform all self update operations. This privilege implicitly contains MANAGE_SELF_UPDATE.

By default, the Super Administrator will be granted EM_INFRASTRUCTURE_ADMIN privilege.

To assign Self Update privileges to regular Enterprise Manager administrators:

  1. From the Setup menu, select Security, then select Administrators.
  2. Select an administrator and click Edit.
  3. From the Roles page, assign the appropriate Self Update roles.

Setting Up the EM CLI Utility (Optional)

If you plan to apply software updates in offline mode, you will need to use the Enterprise Manager Command Line Utility, or EM CLI, to import entity archives for deployment to Enterprise Manager.

A page is provided in the Enterprise Manager Cloud Control console with instructions on setting up EMCLI. Access the page by appending /console/emcli/download to the URL used to access the Cloud Control console:

https://emcc_host:emcc_port/em

For example:

https://emcc_host:emcc_port/em/console/emcli/download

Deploying the Required Plug-ins

Much of the functionality available in Enterprise Manager Cloud Control is made available through plug-ins. As its name implies, a plug-in is a component or module that can be plugged into an existing Enterprise Manager installation to extend its management and monitoring capabilities.

The features that collectively comprise the Oracle Cloud Management solution are provided via several plug-ins which must be deployed to your Oracle Management Service (OMS). The plug-ins that must be deployed to enable each Cloud model are listed below.

There are two methods for deploying required the plug-ins to enable Cloud:

  • If you have not yet installed Enterprise Manager Cloud Control, or have not yet upgraded to the latest Enterprise Manager release, you can deploy the plug-ins as part of the installation or upgrade process. You will select the Advanced Install mode and in the Select Plug-ins screen, select the plug-ins that you wish to install.
  • If you already have Enterprise Manager installed, you must download the needed plug-ins to the Software Library. You can then deploy the plug-ins to your Oracle Management Service (OMS).

    See the Enterprise Manager Cloud Control Administrator's Guide for instructions on downloading and deploying the plug-ins.

The default plug-ins available are:
  • Oracle Database
  • Oracle Fusion Middleware
  • Oracle Cloud Framework

Note:

The Oracle Consolidation Planning and Chargeback plug-in is an optional plug-in for all service families and is required only you are using the Chargeback features.

For a complete list of all cloud plug-ins along with the version numbers, see Supported Plug-ins. Check for any plug-ins updates that are available and ensure that the latest version has been downloaded.

Plug-ins Required for Direct Monitoring of Xen Based Systems

  • Oracle Virtual Infrastructure

Defining Roles and Assigning Users

Roles are named groups of related system and object privileges. You can create roles and then assign them to users and to other roles. You can assign any of the existing roles to a new role and the associated privileges. Enterprise Manager contains four out-of-the-box roles for the Cloud Self Service Portal, namely:

  • EM_CLOUD_ADMINISTRATOR: Users with this role can set up and manage the cloud infrastructure. This role is responsible for deploying the cloud infrastructure (servers, zones, storage, and networks) and infrastructure cloud operations for performance and configuration management. This user has the following privileges:

    • Access to all services and service families.

    • Privileges to manage any service or service family.

    • Privileges to view any target.

  • EM_SSA_ADMINISTRATOR: Users with this role can define quotas and constraints for the self service users and grant them access privileges. Users with this role also have provisioning and patching designer privileges that allow them to create and save deployment procedures, create and view patch plans, and support the plug-in lifecycle on the Management Agent. These privileges are required for initial setup and on going maintenance of the infrastructure. This user has the following privileges:

    • Access to all services and service families.

    • Privileges to manage any service or service family.

    • Privileges to view any target.

    Apart from this default role, you can create custom self service administrator roles with access to specific service families and specific services.

  • EM_SSA_ADMINISTRATOR_BASE: Users with this role do not have access to any services or service family. This user has View Any Target privilege only.

  • EM_SSA_USER: Users with this role, by default, can only access the Self Service Portal and all the service families. An administrator with the EM_SSA_ADMINISTRATOR role can provide additional privileges that allow users with the EM_SSA_USER role to access other features in Enterprise Manager.

  • EM_SSA_USER_BASE: Users with this role can access the Self Service Portal but will not have access to any service family. Access to a specific service family (DBaaS, and so on) needs to be explicitly granted to the users with this role. This user has the following privileges:

    • Can submit service requests.

    • Can view PaaS Infrastructure Zone targets.

The table below lists the roles associated with each user.

User Profile EM_CLOUD_ADMINISTRATOR EM_SSA_ADMINISTRATOR EM_SSA_USER EM_SSA_USER_BASE

Minimum roles required to create a user

  • EM_CLOUD_ADMINISTRATOR

  • PUBLIC

  • EM_USER

  • EM_SSA_ADMINISTRATOR

  • PUBLIC

  • EM_USER

EM_SSA_USER

EM_SSA_USER_BASE

EM_SSA_USER_BASE

Roles to be removed when creating a user

NONE

NONE

  • PUBLIC

  • EM_USER

NONE

NONE

Additional roles may be added as required

NONE

NONE

The Oracle Cloud Self Service Portal is intended for end-users to be able to provision and manage their own cloud services. Since the functions performed by users with the EM_CLOUD_ADMINISTRATOR and EM_SSA_ADMINISTRATOR roles are consistent across Enterprise Manager, these out-of-box roles can be used as they are. All you need to create users with the EM_CLOUD_ADMINISTRATOR and EM_SSA_ADMINISTRATOR roles.

If you want to restrict access to certain service families and specific service types, you can create custom self service administrator roles based on the out-of-the-box EM_SSA_ADMINISTRATOR role.

But the EM_SSA_USER and EM_SSA_USER_BASE roles are used for quota assignment, and to limit access to PaaS Infrastructure zones, and service templates. In this case, the pre-defined role cannot be used as it is defined. You must create custom self service user roles based on the standard EM_SSA_ROLE and EM_SSA_USER_BASE roles as described in Creating Custom Roles for Self Service Application Administrators and Users. After creating a custom role, you must assign users to this role.

For example, in a DBaaS Cloud setup, you may want to create the following users:

  • CLOUD_ADMIN: This user will have the EM_CLOUD_ADMINISTRATOR role and is responsible for network, system, storage, and administration activities.

  • SSA_ADMIN_DBAAS: This user will have the EM_SSA_ADMINISTRATOR role but will have access only to the Database Service Family. Users with this role will be responsible for all database administration activities. You can further restrict access by granting access to only to a certain service type within the Database Service Family.

  • SSA_USER_DBAAS: In this case, the default EM_SSA_USER role must be customized and a custom role must be created. A user in this role is typically a junior database administrator, developer, or tester.

  • SSA_USER_BASE_DBAAS: In this case, you need to create a copy of the EM_SSA_USER_BASE role and grant access to the Database Service Family to this role. You can then create the SSA_USER_BASE user who will have access the Database Cloud Self Service Portal.

For more details on Users and Roles, see the Enterprise Manager Cloud Control Security Guide.

Creating Custom Roles for Self Service Application Administrators and Users

This section describes the following:

Creating a Custom Role Based on the EM_SSA_ADMINISTRATOR Role

You can create a custom self service administrator role and grant access to the Database Service Family. You can grant privileges to users with this role to access all service types or specific service types and view or manage the services. To create a custom role, follow these steps:

  1. Log in to Enterprise Manager as a Super Administrator user.
  2. From the Setup menu, select Security, then select Roles.
  3. Click Create in the Roles page to launch the Create Role wizard.
  4. Provide a name and description (SSA_ADMIN_DBAAS) for the role and click Next.
  5. From the list of Available Roles, select the EM_SSA_ADMINISTRATOR role and move it to the Selected Roles table. Click Next.
  6. Accept the default target privileges and click Next.
  7. In the Resource Privileges page, click the Edit icon for the Cloud Service Families. In the Resource Privileges page, click Add and select DBAAS and click Continue to return to the Manage Privileges page.

    Note:

    If you want users with this role to view and manage all the DBaaS service types, click the Manage Resource Privilege Grants icon and select the following privileges:

    • View Service Family

    • Manage Service Family

  8. Click Continue to return to the Resource Privileges page. Click the Edit icon for the Cloud Service Types. Click Add and select the database service type for which the privileges should be granted. You can select one of the following:

    • DB

    • PDB

    • Schema

  9. Click the Manage Resource Privilege Grants for the Cloud Service Types resource type. Select the following privileges:

    • Manage Service Type

    • View Service Type

  10. Click Continue to return to the Resource Privileges page.
  11. Review the changes and click Finish to create the custom SSA user (SSA_ADMIN_DBAAS) role.
Creating a Custom Role Based on the EM_SSA_USER Role

Typically, you need to create new SSA User roles either for different functional groups like developers, testers, production DBAs, or for different customer teams like the Siebel DBA team, BRM DBA team, and operations team for hosting custom Java applications, and so on. To create a custom SSA user role who has access only to the Database Service Family and can submit requests, follow these steps:

  1. Log in to Enterprise Manager as a Super Administrator user.
  2. From the Setup menu, select Security, then select Roles.
  3. Click Create in the Roles page to launch the Create Role wizard.
  4. Provide a name and description (SSA_USER_DBAAS) for the role.
    You can also select Private Role, this role grants secure privileges to Super Administrators that are not granted by default (FULL_CREDENTIAL or FULL_JOB, etc). Private roles can not be converted into System Roles. Creator of a private role handles the life cycle of it.

    Click Next.

  5. From the list of Available Roles, select the EM_SSA_USER role and Move to the Selected Roles table. Click Next.
  6. Accept the default target privileges and click Next.
  7. In the Resource Privileges page make sure following resource types are not selected.
    • Cloud Self Service Portal for JVM Diagnostics
    • Cloud Self Service Portal for Test
    • Infrastructure Self Service Portal
  8. Click the Pencilicon under Manage Privilege Grants for the Cloud Service Families resource type. In the Resource Type Privileges region, select the View Any Service Family check box.
  9. Click Add under Resource Privileges and select the DBAAS service family and click Continue.
  10. Skip the Create Role: Administrators step and click Next.
  11. Review the changes and click Finish to create the custom SSA user (SSA_USER_DBAAS) role.
Creating a Custom Role Based on the EM_SSA_USER_BASE Role

You may want to restrict some self service users from using all service families and allow them to access only certain service types depending on their requirements. In this case, you can create a custom role based on the EM_SSA_USER_BASE role and grant them access to only certain service types.

To create a custom SSA user role, follow these steps:

  1. Log in to Enterprise Manager as a Super Administrator user.
  2. From the Setup menu, select Security, then select Roles.
  3. Click Create in the Roles page to launch the Create Role wizard.
  4. Provide a name and description (SSA_USER_BASE_DBAAS) for the role and click Next.
  5. From the list of Available Roles, select the EM_SSA_USER_BASE role and move it to the Selected Roles table. Click Next.
  6. Select the default target privileges and click Next.
  7. In the Resource Privileges page, click the Manage Privilege Grants icon for the Cloud Requests resource type.
  8. In the Resource Privileges page, deselect the Create Any Cloud Request checkbox and click Continue.
  9. Click the Manage Privilege Grants icon next to the Cloud Service Families and Cloud Service Types resource types and select the service families and service types for which you need access.
  10. Skip the Create Role: Administrators step and click Next.
  11. Review the changes and click Finish to create the custom SSA user (SSA_USER_BASE_DBAAS) role. This user can only access the Database Cloud Self Service Portal.

Creating a User and Assigning Roles

To create a user called SSA_USER1 and grant the custom role created earlier (SSA_USER_DBAAS), follow these steps:

  1. Log in to Enterprise Manager as a Super Administrator user.
  2. From the Setup menu, select Security, then select Administrators.
  3. Click Create in the Administrators page to launch the Create Administrator wizard.
  4. Enter a name, password and confirm the password for the user (SSA_USER1). These fields are mandatory.
    You can also enter the following optional information:
    • Password Profile: Select from a list of profiles.
    • Prevent Password Change: The administrator is not allowed to change his/her own password.
    • Expire Password Now: The administrator account is created as expired forcing a password change on next log in.
    • E-mail Address: Set one or more email addresses for notifications.
    • Contact: Contact name.
    • Location: Database location.
    • Department: Department associated to the database.
    • Cost Center: Cost center associated to the database.
    • Line of Business: Business line associated with the database.
    • Description: Description of the database.
    • Super Administrator: Check mark to enable the user as a Super Administrator.
    When complete click Next.
  5. In the Create Administrator Test_Admin: Roles page from the list of Available Roles, select SSA_USER_DBAAS role and Move it to the Selected Roles table. Remove EM_USER and PUBLIC roles from the Selected Roles table.
    Click Next.
  6. Accept the default target privileges and click Next.
  7. Accept the default resource privileges and click Next.
  8. Review all the changes and click Finish to create the SSA_USER1 user.

    Tip:

    To create multiple users with the same role, select the user and click Create Like. This creates a new user with the same source properties. Update the name, description, and optional fields for the new user.

Note:

For users with the EM_CLOUD_ADMINISTRATOR and EM_SSA_ADMINISTRATOR roles, the EM_USER and PUBLIC roles must be retained as these users need access to additional features.

Granting Roles and Privileges for Managing Storage Servers for Snap Clone

To perform various storage server activities, you need to grant the following roles and privileges:

Granting General Privileges

Table 2-1displays the general privileges you need to set before you register a storage server.

Table 2-1 General Privileges for Storage Server Registration and Management

Privilege Description Scope Notion Included Privilege

VIEW_ANY_STORAGE

Ability to view any storage.

class

VIEW

nil

REGISTER_STORAGE

Ability to register storage.

class

CREATE

nil

VIEW_STORAGE

Ability to view storage details.

object

VIEW

nil

MANAGE_STORAGE

Ability to synchronize storage.

object

EDIT

VIEW_STORAGE

CREATE_JOB

MANAGE_ANY_STORAGE

Ability to manage any of the registered storage servers.

object

EDIT

VIEW_ANY_STORAGE

CREATE_JOB

FULL_STORAGE

Ability to modify or remove storage.

object

FULL

MANAGE_STORAGE

Granting Target Privileges

Table 2-2 displays the target privilege you need to set, for enabling or disabling Snap Clone for a target.

Table 2-2 Target Privilege for Enabling or Disabling Snap Clone

Target Privilege Scope Notion Include In Privilege Included Privilege Applicable Target Type

SNAP_CLONE_TARGET

object

Manage

FULL_TARGET

VIEW_TARGET

oracle_database

rac_database
Granting Roles

Table 2-3 displays the roles you need to grant to be able to register a storage server and perform various activities on the registered storage server.

Table 2-3 Roles for Registering and Managing the Storage Server

Role Description Security Class Privilege Granted To Role

EM_STORAGE_ADMINISTRATOR

Role has privileges to register storage hardware for Snap Clone.

STORAGE

STORAGE

TARGET

TARGET

NAMED_CREDENTIALS

JOB

SWLIB_ENTITY_MGMT

MANAGE_ANY_STORAGE

REGISTER_STORAGE

VIEW_ANY_TARGET

PERFORM_OPERATION_ANYWHERE

CREATE_CREDENTIAL

CREATE_JOB

SWLIB_CREATE_ANY_ENTITY

SWLIB_VIEW_ANY_ENTITY

EM_ALL_ADMINISTRATOR

EM_STORAGE_OPERATOR

Role has privileges to manage storage hardware for Snap Clone.

STORAGE

TARGET

TARGET

JOB

SWLIB_VIEW_ANY_ENTITY

MANAGE_ANY_STORAGE

VIEW_ANY_TARGET

PERFORM_OPERATION_ANYWHERE

CREATE_JOB

SWLIB_VIEW_ANY_ENTITY

EM_ALL_OPERATOR
Granting Privileges for Provisioning

You need the following privileges to be able to use the storage server for provisioning:

  • VIEW_STORAGE on the storage server
  • GET_CREDENTIAL on the storage server
  • GET_CREDENTIAL on all the Management Agent credentials of the storage server
  • PERFORM_OPERATION on the storage server Management Agent

Configuring LDAP Authentication

Oracle Enterprise Manager provides tools and procedures to help you ensure that you are managing your Oracle environment in a secure manner. Enterprise Manager's authentication framework consists of pluggable authentication schemes that let you use the type of authentication protocol best suited to your environment. The following authentication schemes are available:

  • Oracle Access Manager (OAM) SSO

  • Repository-Based Authentication

  • SSO-Based Authentication

  • Enterprise User Security Based Authentication

  • Oracle Internet Directory (OID) Based Authentication

  • Microsoft Active Directory Based Authentication

Enterprise User Security (EUS) provides automatic authentication to users and roles from the LDAP compliant directory server.

For more details on Enterprise User Security, see the Enterprise Manager Cloud Control Security Guide.

Configuring Privilege Delegation Settings

Privilege delegation allows a logged-in user to perform an activity with the privileges of another user. Sudo and PowerBroker are privilege delegation tools that allow a logged-in user to be assigned these privileges. These privilege delegation settings will be used for all provisioning and patching activities on these hosts.

For details on how to configure the privilege delegation settings, see the Enterprise Manager Cloud Control Security Guide.

Customizing the Self Service Login Page

You can configure Enterprise Manager and provide specific access to SSA users. To configure Enterprise Manager for SSA users, you must set some properties on the OMS and copy the required images to a specified directory. This section describes the following:

Configuring the Self Service Login Page

To launch a separate SSA login page for all SSA users, you must do the following:

  • Set the following mandatory property on all OMSes:

    $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.ssa_oms -value true

    If this property is not set to true, the standard Enterprise Manager login page is displayed.

  • Set the following optional OMS properties.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_cloud_provider_brand -value true

      If this property is not set to true, the default Oracle Enterprise Manager 12c logo is displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_cloud_tenant_brand -value true

      If this property is not set to true, the tenant logo is not displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.cloud_provider_alt_text -value "Cloud Provider"

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.cloud_tenant_alt_text -value "Cloud Tenant"

      These properties are optional and if not set, the default values for "Cloud Provider", and "Cloud Tenant" are displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_disclaimer_text -value true

      If this property is not set to true, the default Oracle copyright message is displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.disclaimer_text -value "Customer specified Disclaimer text"

      If this property is set to true, the specified disclaimer text is displayed instead of the default Oracle copyright message.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_em_branding_text -value true

      If this property is not set to false, the "Powered by Oracle Enterprise Manager" text will appear on the Self Service Login page.

  • Copy the following images to the $ORACLE_HOME/sysman/config/ directory.

    • cloud_provider_small_brand.png

    • cloud_tenant_small_brand.png

      If a single image is used, the maximum recommended size is 500 * 20 px. If 2 images are used, the maximum recommended size is 200 * 20 px per image. After login, these images are displayed instead of the Oracle logo, if the OMS properties oracle.sysman.ssa.logon.show_cloud_provider_brand and oracle.sysman.ssa.logon.show_cloud_tenant_brand are set. If the OMS property oracle.sysman.ssa.logon.show_cloud_provider_brand is not set to true, along with the tenant logo, the default Oracle logo appears.

    • cloud_provider_large_brand.png

    • cloud_tenant_large_brand.png

      If a single image is used, then the maximum recommended size is 525 * 60 px. If 2 images are used, the maximum recommended size is 250 * 50 px per image. These images are displayed on the login page, if the OMS properties oracle.sysman.ssa.logon.show_cloud_provider_brand and oracle.sysman.ssa.logon.show_cloud_tenant_brand are set.

Switching Back to the Enterprise Manager Login Page

To revert to the default Enterprise Manager login page, set the following property:

$ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.ssa_oms -value false

Routing SSA Requests to a Specific OMS Pool

Oracle Management Service (OMS) is one of the core components of Enterprise Manager Cloud Control that works with the Oracle Management Agents (Management Agents) and plug-ins to discover targets, monitor and manage them, and store the collected information in a repository for future reference and analysis.

When you install Enterprise Manager for the very first time, by default, one OMS is installed along with one Management Agent. This default configuration is suitable for small environments. In larger production environments with several SSA users, you may need to install additional OMS instances to reduce the load on a single OMS and improve the efficiency of the data flow. You can then configure the Server Load Balancer (SLB) to redirect all SSA requests to a specific OMS pool. The other OMS pools will then be available for administration usage. To learn more about setting up multiple OMS instances and the SLB, see Adding Additional Oracle Management Service section in the Enterprise Manager Cloud Control Basic Installation Guide.

To redirect SSA requests, you must specify the following SLB configuration:

https://<slb_host_name>:<slb_em_port>/em redirecting to oms for em

https://<slb_host_name>:<slb_ssa_port>/em redirecting to oms for ssa

The SSA and non-SSA OMS pools are differentiated based on the port number. All requests with a particular port number will be redirected to a specific OMS pool (SSA OMS pool) and all the other requests will be redirected to the other pool.