Oracle Cloud Infrastructure Documentation

Perform Prerequisites for Deploying Management Gateway

Note

For specific prerequisites when configuring the Management Gateway in high availability mode, see Perform Prerequisites for Management Gateway High Availability.

Set Up Oracle Cloud Infrastructure for Management Gateway

The Management Gateway and Management Agent use the Management Agent service from Oracle Cloud Infrastructure (OCI). Before installing the Management Gateway, you must complete the instructions to set up the Oracle Cloud Infrastructure environment to use the Management Agent service. For details, see Set Up Oracle Cloud Infrastructure for Management Agent Service.

Generic Prerequisites for Deploying Management Gateway

Before deploying Management Gateway, ensure the following prerequisites are met:

Oracle Cloud Infrastructure Requirements

Supported Operating Systems

Table 7-1 Supported Operating Systems

Operating System Version

Oracle Linux

6 (64 bit), 7 (64 bit), 8 (64 bit), 9 (64 bit)

Red Hat Enterprise Linux

6 (64 bit), 7 (64 bit), 8 (64 bit)
Windows Server 2022 (64 bit), 2019 (64 bit), 2016 (64 bit), 2012 R2 (64 bit)

Operating System Requirements

  • Minimum disk requirement: 300 Mb of free disk space and an additional 100 Mb for the Management Gateway software download.

    It also requires disk space for writing buffered messages to disk. This area should have at least 1 GB of free disk space.

  • A user with sudo privileges responsible of installing the Management Gateway software on the host.

  • Java Development Kit (JDK) or Java Runtime Environment (JRE) must be installed on your host prior to installing the Management Gateway software.

    Ensure you have downloaded and installed JDK or JRE version 1.8u281 or higher before starting the Management Gateway software installation process. See Java Downloads.

  • Management Gateway requires a dedicated host. If Management Agent is already installed on the host, install the Management Gateway on another host, dedicated to it.

  • Ensure /tmp doesn't have the noexec flag set if you are mounting it.

Network Prerequisites

  • If your network setup has a firewall, ensure that HTTPS communication (port 443) is allowed from the host where the Management Gateway is deployed to the appropriate Oracle Cloud Infrastructure domain(s). The relevant domain will depend on the realm. For example, Management Agents using the Oracle Cloud Infrastructure commercial realm OC1 will need to connect to *.oraclecloud.com domain.

    Oracle Cloud Infrastructure is hosted in regions. Regions are grouped into realms. Your tenancy exists in a single realm and can access all regions that belong to that realm. You cannot access regions that are not in your realm. Currently, Oracle Cloud Infrastructure has multiple realms. For more information about regions and realms, see Regions and Availability Domains.

    Each Gateway belongs to a specific OCI compartment. All Agents connecting through a Gateway must be in the same compartment as that Gateway.

    You can use any available network connectivity tool to verify connectivity with the data center.

    For information about the IP address ranges for services that are deployed in Oracle Cloud Infrastructure, see IP Address Ranges.

    The following example table lists the ports that need to be open for communication.
    Direction Port Protocol Reason

    Management Gateway host to external

    443

    HTTPS

    Communication with Oracle Cloud Infrastructure services.

Configure Certificates for Management Gateway

Starting with Management Agent version 221019.0021 and Management Gateway version 221019.0021.1667404647, the communication between Agent, Gateway and OCI requires certificates. The certificates and other required entities will be automatically created, but certain OCI policies need to be set up for this to work.

There are two options available:

Automatic Certificate Creation (Recommended)

This is the recommended method to create certificates.

If the parameter GatewayCertOcid is not set in the response file, the Management Gateway attempts to create the required certificates and other required entities automatically.

If the Management Gateway is configured in high availability mode, and the load balancer and Management Gateway are in different domains, see Advanced Configuration Management Gateway High Availability for details.

Required Dynamic Groups:

You must create dynamic groups in the default identity domain, see Subjects for Identity Domains for more information.

  1. Create Credential_Dynamic_Group with below rule: 

    ALL  {resource.type='certificateauthority', resource.compartment.id='<>'}

  2. Create Management_Gateway_Dynamic_Group with below rule: 

    ALL {resource.type='managementagent', resource.compartment.id='<>'}
Note

The compartment ID is an OCID.

Required Policies: 


Allow DYNAMIC-GROUP Credential_Dynamic_Group to USE certificate-authority-delegates in compartment <>

Allow DYNAMIC-GROUP Credential_Dynamic_Group to USE vaults in compartment <>

Allow DYNAMIC-GROUP Credential_Dynamic_Group to USE keys in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ certificate-authority-bundle in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ leaf-certificate-bundle in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE certificate-authorities in compartment <> where  any{request.permission='CERTIFICATE_AUTHORITY_CREATE', request.permission='CERTIFICATE_AUTHORITY_INSPECT', request.permission='CERTIFICATE_AUTHORITY_READ'} 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE leaf-certificates in compartment <> where  any{request.permission='CERTIFICATE_CREATE', request.permission='CERTIFICATE_INSPECT', request.permission ='CERTIFICATE_UPDATE', request.permission='CERTIFICATE_READ'}

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE vaults in compartment <> where any{request.permission='VAULT_CREATE', request.permission='VAULT_INSPECT', request.permission='VAULT_READ', request.permission='VAULT_CREATE_KEY', request.permission='VAULT_IMPORT_KEY', request.permission='VAULT_CREATE_SECRET'} 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to MANAGE keys in compartment <> where any{request.permission='KEY_CREATE', request.permission='KEY_INSPECT', request.permission='KEY_READ'} 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to USE certificate-authority-delegates in compartment <>

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to USE key-delegate in compartment <> 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group TO MANAGE leaf-certificates in compartment <> where all{request.permission='CERTIFICATE_DELETE', target.leaf-certificate.name=request.principal.id}

If the dynamic groups were previously created in the non-default domains, then all the policies should change.

To change the policies to the non-default identity domain, modify all the above policies using the syntax below.

Allow DYNAMIC-GROUP <Domain Name>/Credential_Dynamic_Group to USE certificate-authority-delegates in compartment <>

Allow DYNAMIC-GROUP <Domain Name>/Management_Gateway_Dynamic_Group to READ certificate-authority-bundle in compartment <>
Note

You can install the Management Gateway Quickstart OCI Marketplace Application to automatically install the dynamic groups, policies, and manage the certificates for Management Gateway.

Manual Certificate Management

It's possible to set up certificates manually. The administrator can create a certificate using the OCI console. Afterwards, specify the OCID of that certificate in the response file using the parameter GatewayCertOcid.

For information about creating a certificate, see Overview of Certificate.htm.

Required Dynamic Groups:

  1. Create Credential_Dynamic_Group with below rule: 

    ALL  {resource.type='certificateauthority', resource.compartment.id='<>'}

  2. Create Management_Gateway_Dynamic_Group with below rule: 

    ALL {resource.type='managementagent', resource.compartment.id='<>'}
Note

The compartment ID is an OCID.

Required Policies: 

Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ certificate-authority-bundle in compartment <>
Allow DYNAMIC-GROUP Management_Gateway_Dynamic_Group to READ leaf-certificate-bundle in compartment <>
Note

Policies are per compartment. The same compartment must be used for the Gateway and all Agents connecting to it.

Enable Management Agents on Compute Instances

When using a compute instance, you can use the Oracle Cloud Agent capabilities to enable the Management Agent plug-in.

Before proceeding, confirm you have completed the prerequisites. For details, see Perform Prerequisites for Deploying Management Agents on Compute Instances.

Enable Management Agents

Management Agents can be enabled by using the OCI Console or Compute API.
Note

The Management Agent plugin on compute instances runs on the Java virtual machine (JVM). Starting March 2023, the Management Agent plugin is deployed with a Java runtime (JRE).

The Java runtime is always kept up-to-date as part of the Management Agent upgrade process in order to address newly discovered security vulnerabilities. After enabling the Management Agent plugin, it's important to run the latest version of the Management Agent plugin software by enabling automatic upgrades or manually invoking the upgrade operation periodically. For details, see Upgrade Management Agents on Compute Instances.

Enable Management Agents Using the Console

To confirm if the Management Agent plugin is enabled for an instance:
  1. Open the navigation menu and click Compute. Under Compute, click Instances.
  2. Click the instance that you're interested in.
  3. Click the Oracle Cloud Agent tab.

    The list of plugins displays.

  4. Toggle the Enabled switch for the Management Agent plugin.

For more information, see Managing Plugins Using the Console.

Enable Management Agents Using Compute API

For information about using the API, see REST APIs.

For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following API operations to manage the Management Agent as an Oracle Cloud Agent plugin:

  • LaunchInstance - enables or disables plugins, or stops all plugins, when you create an instance.

  • UpdateInstance - enables or disables individual plugins, and stops or starts all plugins, for an existing instance.

The following is an extract from the Java Sample found in the LaunchInstance or UpdateInstance API operations which allows the user to enable Management Agent during Launch or Update of the compute instance respectively: 
... 
    .agentConfig(LaunchInstanceAgentConfigDetails.builder()
			.isMonitoringDisabled(false)
			.isManagementDisabled(true)
			.areAllPluginsDisabled(false)
			.pluginsConfig(new ArrayList<>(Arrays.asList(InstanceAgentPluginConfigDetails.builder()
					.name("Management Agent")   
					.desiredState(InstanceAgentPluginConfigDetails.DesiredState.Enabled).build()))).build())
...

Where .name("Management Agent") indicates it's for Management Agent plugin and .desiredState(InstanceAgentPluginConfigDetails.DesiredState.Enabled).build()))).build()) indicates to enable the Management Agent.

For more information, see Managing Plugins Using the API.

Configure Oracle Cloud Agent with Management Gateway

To configure Management Gateway for a Management Agent that's enabled on a Oracle Cloud Compute instance:

  1. Update emd.properties file.
    1. Go to the emd.properties file, typically at the following location:
      /var/lib/oracle-cloud-agent/plugins/oci-managementagent/polaris/agent_inst/config/emd.properties
    2. At the end of the file, add the following 3 entries:
      GatewayServerHost=<gateway host>
GatewayServerPort=<gateway port>
GatewayServerCredentialTimeout=30s
  2. Next, if the Management Gateway is configured with a proxy user name and password then you must seed the Management Gateway Credentials to the Management Agent.
    1. Use the following command to view the contents of /tmp/cred.json file. 
      cat /tmp/cred.json |sudo -u oracle-cloud-agent /var/lib/oracle-cloud-agent/plugins/oci-managementagent/polaris/agent_inst/bin/credential_mgmt.sh -o upsertCredentials -s Agent
    2. In the /tmp/cred.json file, replace the following values with the actual Management Agent credentials for your environment:
      • OCID using the following format: agent.ocid1.managementagent.oc1.phx.unique-id
      • example-username
      • example-password
        {"source":"agent.ocid1.managementagent.oc1.phx.unique-id",
"name":"ManagementAgent-Proxy",
"type":"ProxyCreds",
"description":"Proxy Credentials",
"properties":[
{"name":"ProxyUser","value":"example-username"},
{"name":"ProxyPassword","value":"example-password"}]}
  3. Enter the following command to restart the Oracle Cloud Agent:
    systemctl restart oracle-cloud-agent