Perform Prerequisite Tasks for Vulnerability Detection and Patching
Here's information on the required prerequisites to get started with Observability and Management Vulnerability Detection and Patching.
Currently, only External Databases running on-premises or on Oracle Cloud Infrastructure Virtual Machines with a Linux operating system are supported.
Task | Description | More Information |
---|---|---|
Install Management Agents | The Oracle Cloud Infrastructure Management Agent service enables the communication and data collection between Database Management and an External Database. You must install a Management Agent on a host that has a connection to the External Database. Database Management uses the Management Agent for operations such as collecting data and metrics from the External Database. For single-instance databases, Management Agent 201215.1850 or later is required; for RAC databases, Management Agent 210403.1349 or later is required. | For information on how to install Management Agents, see Install Management Agents. Watch the video: OCI Database Management Service: Install and Configure Management Agents. If you encounter issues when installing the Management Agent, see Errors Encountered When Enabling Database Management for External Databases for the likely cause and solution. To grant the `mgmt_agent` user permissions, run `setfacl -Rm u:mgmt_agent:rwx $ORACLE_HOME` and `setfacl -Rm u:mgmt_agent:rwx <OraInventory Location>`. Note: ensure the correct OraInventory location is used; avoid using the local OraInventory location. |
Grant the required privileges to monitor and manage external databases and save the database user password in a secret | You must grant the database user the required privileges to monitor and manage external databases in Database Management. Using the DBSNMP user as the monitoring user is the recommended option, because this user has the privileges required to monitor databases within Oracle Cloud Infrastructure and is built into Oracle databases. Alternatively, use the available SQL scripts to create a new database user with the required set of privileges to monitor the external databases, or to perform advanced diagnostics and administrative tasks. Configure Gradual Password Rollover: for Oracle Database 19c and later, we recommend that you define a gradual password rollover time, which allows you to connect to the database using both the old and the new password during the rollover period. Since both passwords are valid for some time, downtime is minimized and disruptions to Database Management features for your databases are avoided. | For information on the required database user privileges, see Database User Privileges Required for Database Management. For information on the SQL script, see Creating the Oracle Database Monitoring Credentials for Database Management (Doc ID 2857604.1). |
Obtain Required Permissions | Create the required permissions to enable Vulnerability Detection. | For more information on creating the required permissions, see Obtain Required Permissions. |
Discover External Database Systems - Add connection | You must register the Oracle Database by creating a resource, or handle, in the External Database service. This handle represents the Oracle Database located outside of Oracle Cloud Infrastructure. You can register an External Database in the External Database service, or by clicking Register external databases on the Managed databases page for External Databases in Database Management. | For information on how to create an External Database handle, see Create a Handle for an External Database. Watch the video: OCI Database Management Service: Register and Connect to an External Database. |
Connect the Oracle Database to the External Database handle | After creating an External Database handle, you must connect the Oracle Database to the handle. You can use the TCPS protocol to create a secure connection to the Oracle Database and monitor and manage it. You can add a connection to an External Database in the External Database service, or by clicking Connect in the Status column on the Managed databases page for External Databases in Database Management. | For information on how to connect an Oracle Database to an External Database handle, see Create a Connection to an External Database. Watch the video: OCI Database Management Service: Enable Database Management for an External Database. |
Create a DBLM directory for patching | This directory will contain all the script execution results. The patching scripts will be copied into this directory for execution. | Create the DBLM directory under /opt/oracle/dblm on all hosts containing databases to be patched. Set the directory permissions, and set the ownership to the Management Agent user and its primary group. |
Create the patch users | A patch user must be created on all the hosts where the database to be patched is installed. | The patch user will be used to run the patching scripts as either the Oracle Home owner or root. For RAC databases, the patch user must have password-less SSH equivalence across the nodes to run the scripts on RAC nodes where the Management Agent is not running. For more information, see About Passwordless SSH Configuration. |
Set the Patch user's primary group to be the same as the Oracle Home owner's primary group | The Patch user's primary group must be the same as the Oracle Home owner's primary group. | |
Add the Patch user to the Management Agent user's primary group | The patch user must be added to the Management Agent user's primary group for patching. | |
Add the Management Agent user to the Oracle Home owner's primary group | The Management Agent user must be added to the Oracle Home owner's primary group for patching. | |
Add the Oracle Home owner to the Management Agent user's primary group | The Oracle Home owner must be added to the Management Agent user's primary group for patching. | |
Set up SUDO on all database hosts | Permissions must be added in the sudoers file to allow the following user switches. On hosts where the Management Agent is running, the Management Agent user will only switch to the Patch user, and then the Patch user will switch to the Oracle Home owner or root user for patching. The Management Agent is installed on only one of the RAC nodes; all other RAC nodes must have permissions in the | For more information on granting SUDO access to users, see Granting sudo Access to Users. |
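The patching rows of the table above (DBLM directory, patch user, the three cross group memberships, sudoers rules for the agent host versus the other RAC nodes, and the SSH equivalence check) are one procedure, so here is a single script that carries it out and then verifies the result. It is an added example, not Oracle's own setup tooling, and it uses the example names from the Required Users, Directories, and Utilities section below. Everything else is an assumption: the `DRY_RUN` switch that prints the plan instead of executing it, the 0770 directory mode (the page states no mode), the ORACLE_HOME and central OraInventory paths, and the exact sudoers rules (NOPASSWD, with the patch user limited to scripts under the DBLM directory rather than ALL).

```shell
#!/bin/sh
# Added example (not Oracle's own tooling): OS-level prerequisites for DBLM patching.
# Assumptions not on the page: DRY_RUN=1 prints commands instead of running them,
# 0770 as the DBLM directory mode, the ORACLE_HOME/OraInventory paths, and the
# exact sudoers rules. Run as root on each database host.
set -u

PATCH_USER="${PATCH_USER:-patchUser}"
ORACLE_USER="${ORACLE_USER:-oracle}"
ORACLE_GROUP="${ORACLE_GROUP:-oinstall}"   # Oracle Home owner's primary group
AGENT_USER="${AGENT_USER:-mgmt_agent}"
AGENT_GROUP="${AGENT_GROUP:-mgmt_agent}"   # Management Agent user's primary group
DBLM_DIR="${DBLM_DIR:-/opt/oracle/dblm}"
ORACLE_HOME="${ORACLE_HOME:-/u01/app/oracle/product/19.0.0/dbhome_1}"  # assumed path
ORA_INVENTORY="${ORA_INVENTORY:-/u01/app/oraInventory}"                  # assumed central inventory (not the local one)
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1 so the plan can be reviewed first
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_prereqs: DBLM directory, patch user, cross group memberships and agent ACLs
setup_prereqs() {
  # DBLM directory holds the copied scripts and their results; owned by the agent user and group
  run mkdir -p "$DBLM_DIR"
  run chown "$AGENT_USER:$AGENT_GROUP" "$DBLM_DIR"
  run chmod 0770 "$DBLM_DIR"
  # Patch user whose primary group is the Oracle Home owner's primary group
  id "$PATCH_USER" >/dev/null 2>&1 || run useradd -m -g "$ORACLE_GROUP" "$PATCH_USER"
  # Cross memberships from the table: patch->agent group, agent->oracle group, oracle->agent group
  run usermod -aG "$AGENT_GROUP" "$PATCH_USER"
  run usermod -aG "$ORACLE_GROUP" "$AGENT_USER"
  run usermod -aG "$AGENT_GROUP" "$ORACLE_USER"
  # ACLs from the "Install Management Agents" row, applied to the central OraInventory
  run setfacl -Rm "u:$AGENT_USER:rwx" "$ORACLE_HOME"
  run setfacl -Rm "u:$AGENT_USER:rwx" "$ORA_INVENTORY"
}

# render_sudoers KIND: sudoers fragment for the "agent" host or any other ("rac") node.
# Only the agent host needs agent -> patch user; every node needs patch user -> oracle/root.
render_sudoers() {
  if [ "$1" = "agent" ]; then
    printf '%s ALL=(%s) NOPASSWD: ALL\n' "$AGENT_USER" "$PATCH_USER"
  fi
  printf '%s ALL=(%s, root) NOPASSWD: %s/*\n' "$PATCH_USER" "$ORACLE_USER" "$DBLM_DIR"
}

# install_sudoers KIND FILE: write the fragment with sudoers permissions and validate it
install_sudoers() {
  render_sudoers "$1" > "$2"
  chmod 0440 "$2"
  visudo -cf "$2"
}

# check_ssh_equivalence NODE...: RAC nodes must accept the patch user without a password
check_ssh_equivalence() {
  for node in "$@"; do
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$PATCH_USER@$node" true \
      || { echo "no passwordless SSH for $PATCH_USER to $node" >&2; return 1; }
  done
}

# in_group USER GROUP: succeeds when USER is a member of GROUP
in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# verify_prereqs: confirm the memberships and DBLM ownership the table requires
verify_prereqs() {
  in_group "$PATCH_USER" "$ORACLE_GROUP" || { echo "$PATCH_USER not in $ORACLE_GROUP" >&2; return 1; }
  in_group "$PATCH_USER" "$AGENT_GROUP"  || { echo "$PATCH_USER not in $AGENT_GROUP" >&2; return 1; }
  in_group "$AGENT_USER" "$ORACLE_GROUP" || { echo "$AGENT_USER not in $ORACLE_GROUP" >&2; return 1; }
  in_group "$ORACLE_USER" "$AGENT_GROUP" || { echo "$ORACLE_USER not in $AGENT_GROUP" >&2; return 1; }
  [ "$(stat -c '%U:%G' "$DBLM_DIR")" = "$AGENT_USER:$AGENT_GROUP" ] \
    || { echo "$DBLM_DIR not owned by $AGENT_USER:$AGENT_GROUP" >&2; return 1; }
}
```

Typical use is `DRY_RUN=1; setup_prereqs` to review the plan, then `setup_prereqs`, `install_sudoers agent /etc/sudoers.d/dblm` on the agent host (or `install_sudoers rac ...` on the other RAC nodes), `check_ssh_equivalence node2 node3` for RAC, and finally `verify_prereqs`. Two choices are deliberate: the fragment is validated with `visudo -c` before it can lock anyone out, and the patch user's rule names the DBLM directory instead of ALL. That second rule still means anyone who can write into the DBLM directory can run commands as root, which is why the directory mode and the agent group's membership should stay as tight as the table allows.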
Required Users, Directories, and Utilities
The following users, directories, and utilities are required to correctly orchestrate the patching process:

User | Example |
---|---|
Patch user | patchUser |
Database Home owner | oracle |
Database Home owner primary group | oinstall |
Management Agent user | mgmt_agent |
Management Agent user primary group | mgmt_agent |

Directories and Utilities Required | Location example |
---|---|
SUDO location | /scratch/sudo_setup/bin/sudo |
Sudoers file location | /scratch/sudo_setup/etc/sudoers |
DBLM directory | /opt/oracle/dblm |