This chapter provides an overview of Guardian components, features, and key concepts. Also provided are basic instructions for using and navigating the Guardian User Interface and Online Help System. Topics include the following:
Guardian is a diagnostic tool for identifying potential problems in your environment before they occur, and provides specific instructions for resolving them. Guardian is like having the entire Oracle Customer Support Team scrutinize your domain and immediately present their findings and recommendations to you, at your convenience.
Guardian can run on Windows or Linux systems that have Java Version 5 or higher installed. Guardian can evaluate any platform based on WebLogic Server version 8.1 through 10.3, regardless of the operating system on which it is running.
To use Guardian, you must first activate one or more Domains in Guardian. A domain is a logically related group of WebLogic Server resources that you manage as a unit. Activating a domain enables it for Guardian evaluation. You can also organize multiple domains into Domain Groups. Then, select one or more domains, select a Signature Bundle, and launch an Evaluation. Guardian then proceeds to evaluate the Signature Bundle against the specified domain(s), and generates a detailed report of potential issues and their remedies. You can then review the report and decide how to proceed.
For a description of fundamental Guardian concepts, see Key Concepts on page 21. For a description of and instructions for basic Guardian tasks, see Basic Tasks on page 38 in Tasks.
The following section provides an overview and basic navigation instructions for the Guardian User Interface.
This section provides an overview and basic navigation instructions for the Guardian User Interface. For a complete, detailed description of all interface components, see Reference. For detailed instructions for specific Guardian tasks, see Tasks.
In general, you will use the Guardian User Interface to perform the majority of Guardian tasks and activities. For some highly repetitive or complex tasks—for example, activating multiple Guardian domains in multiple Guardian instances—you may want to create a Guardian Command Line Interface (CLI) script to automate a series of tasks. For basic instructions on using the CLI, see Command Line Interface in Tasks. For a detailed description of all CLI commands, use, and syntax, see Command Line Interface of Reference.
The sections below provide a description and basic navigation instructions for each of the following elements:
For a complete detailed description of the Guardian User Interface, see Reference.
The Main Menu Bar is at the top of the Oracle Guardian main window just below the Oracle Guardian titlebar. The Menu Bar contains the following menus:
The Menu Bar menus in turn contain a series of options and submenus, some of which also lead to additional menus, dialog boxes, or wizards. The following sections provide an overview of each of these menus, and instructions for invoking them.
You can invoke many menus, submenus, and menu options by using a keyboard shortcut. To display Menu Bar menus, press the Alt key and type the menu selection key for the menu you want to display. The menu selection key is the letter underlined in the menu name when you press the Alt key.
Some menu options also have keyboard shortcuts, which consist of a specific sequence of characters pressed simultaneously. If a menu item has a keyboard shortcut, the key sequence is listed next to the item in the menu. To see the complete list of keyboard shortcuts, press Ctrl+Shift+L.
Table 1-1 describes the File menu options and submenus.
Table 1-3 describes the Edit menu options.
Table 1-3 describes the Tools menu options and submenus.
Table 1-4 describes the Window menu options and submenus.
Table 1-5 describes the Help menu options and submenus.
The Main Toolbar is located below the Main Menu, and contains action buttons for the most common Guardian tasks. To identify a button, move your mouse pointer over the button; this displays the tool tip text for that button.
Table 1-6 describes the Main Toolbar buttons.
Many views and displays contain context menus. Right-click on an item or anywhere in a display to open the associated context menu. For a complete description of context menus, see Context Menus in Reference.
The Navigation Pane resides on the left side of the Oracle Guardian main window. The Navigation Pane contains several tabs leading to Explorer Views. You can have multiple Views open at once, but only one can be displayed at a time. Click on a tab to display an Explorer view.
At the top of the Navigation Pane are the Explorer View tabs. Select a tab to display that View. Table 1-7 provides an overview of the Navigation Pane Explorer Views.
Open the Domain Explorer. This View enables you to browse, manage, and monitor the domains you have defined in Guardian. Right-click in the Domain Explorer to open a context menu of domain operations. For a complete description, see Domain Explorer in Reference. For instructions on Domain Explorer tasks, see Domains in Tasks.
Open the Signature Explorer. This View enables you to browse the available signatures and view the contents of a selected signature. For a complete description, see Signature Explorer in Reference. For instructions on Signature Explorer tasks, see Signatures in Tasks.
Open the Bundle Explorer. This View enables you to browse the available Signature Bundles and their contents. For a complete description, see Bundle Explorer in Reference. For instructions on Bundle Explorer tasks, see Bundles in Tasks.
Open the Shortcut Explorer. This View enables you to view and manage your Evaluation Shortcuts. For a complete description, see Shortcut Explorer in Reference. For instructions on Shortcut Explorer tasks, see Shortcuts in Tasks.
For a detailed description of each of the Explorer views, see Navigation Pane of Reference.
Below each Explorer titlebar is the Explorer toolbar. An Explorer toolbar may contain all or some of the following active icons:
The Domain Explorer, Signature Explorer, and Bundle Explorer each contain a Menu icon in the right corner of the toolbar. Click the Menu icon to display a menu of operations for that Explorer.
Table 1-9 describes the Explorer menus.
Right-click in an Explorer View to display the context menu of tasks and operations you can perform from that View. You can also right-click on a specific item to select it and open the context menu for that item. Menu options that do not apply to your selection are deactivated (greyed out).
For a complete description, see Explorer Context Menus in Reference.
The Document Pane is located in the central portion of the Oracle Guardian main window. The Document Pane displays the Document Views.
Table 1-10 describes the Guardian Views that can be displayed in the Document Pane.
Note: You can have multiple Views open in the Document Pane, but only one can be active at a time.
Each View has a titlebar that contains the name of the View, an identity icon, and buttons to close, minimize, maximize, and restore the display.
You can also use Document View titlebars to group multiple Views together on a titlebar as a tab group. Tab groups can be moved together as a unit, using either the System Menu > Move menu option or drop cursors. You can also move Views by dragging their titlebars to different locations.
For a complete description of titlebar features, see Document View Titlebars in Reference.
Each tab page for a View has a context menu specific to the tab contents. Some context menus—for example, Edit menus—may be available only for certain items within that View. To open a context menu, right-click on an item in that View.
Oracle Guardian provides several wizards for guiding you through some of the more complex or common Guardian tasks.
Table 1-11 describes the Guardian wizards and how to invoke them.
Right-click on a signature title in the Signature Explorer or Bundle Explorer and select Annotations from the context menu. This opens a submenu with a single option, Manage Annotations. Select this to open the Annotations Wizard. This contains fields and options for annotating the selected signature. For details, see Annotations Wizard in Reference. For instructions on using this wizard, see Signature Annotations in Tasks.
Right-click in the Domain Explorer and select Evaluate Bundle from the context menu. This opens a submenu listing the Bundles available for evaluation. Select a Bundle to open the Bundle Evaluation Wizard for that Bundle. For details, see Bundle Evaluation Wizard in Reference. For instructions on using this wizard, see Evaluate Bundles in Tasks.
This contains fields and options for configuring and activating a domain in Guardian. Click Activate to open the Domain Activation Wizard. For details, see Domain Activation Wizard in Reference. For instructions on using this wizard, see Activate Domain in Tasks.
In Domain Explorer, right-click on a domain entry and select Deactivate Domain from the context menu to open this wizard. This contains a table of all active domains. For details, see Domain Deactivation Wizard. For instructions on using this wizard, see Deactivate Domain in Tasks.
Click Evaluate to open the Evaluation Wizard for evaluating one or more domains. For details, see Evaluation Wizard in Reference. For instructions on using this wizard, see Evaluate Domain in Tasks.
Click the Signature Explorer menu icon and select the Filters menu option. The Filters Wizard enables you to specify which signatures to display in Signature Lists. For details, see Filters Wizard in Reference. For instructions on using this wizard, see Filter Signatures in Tasks.
Click Inventory to open the Inventory Wizard. A Domain Inventory is a snapshot of all of the configuration details for a domain as it exists at that moment. For details, see Inventory Wizard in Reference. For instructions on using this wizard, see Inventory Domain in Tasks.
Select File > New > Shortcut to open the Shortcut Wizard for creating and modifying Shortcuts. For details, see Shortcut Wizard in Reference. For instructions on using this wizard, see Create Shortcut in Tasks.
Click the Shortcut Explorer tab to open the Shortcut Explorer. Then, double-click on a Shortcut name in the Shortcut list to open the Shortcut Evaluation Wizard. For details, see Shortcut Evaluation Wizard in Reference. For instructions on using this wizard, see Evaluate Shortcut in Tasks.
Select a signature in an Evaluation Summary and click Get more help from Oracle Support. This opens the Service Request Wizard for the selected signature. This enables you to create a service request based on the selected signature. For details, see Service Request Wizard in Reference. For instructions on using this wizard, see Creating a Service Request Archive in Tasks.
Click Update to open the Update Wizard. This wizard enables you to automatically download new Oracle Guardian software and signatures from the Oracle Guardian update site. For details, see Update Wizard in Reference. For instructions on using this wizard, see Automatically Update Guardian in Tasks.
WARNING: Upgrading from Guardian 1.0.x to Guardian 1.1 must be done manually. For instructions, see Manually Update Guardian and Manually Update Guardian Registry in Tasks.
For a detailed description of each of the Guardian Wizards, see Wizards of Reference.
Right-click a wizard titlebar to open a context menu of options to Move, Size, or Close the wizard. You can also move or resize a Wizard by dragging the titlebar or window borders.
The Guardian Online Help system has the following structure:
The Guardian Command Line Interface is a command interpreter that is an executable .cmd batch file for Windows, and a .sh shell script for Linux. Both the Windows batch file and the Linux shell script are wrappers that accumulate and organize arguments to the Java command. You can invoke the Command Line Interface from a Windows Command Prompt window or a Linux terminal window.
For basic instructions on using the CLI, see Command Line Interface in Tasks. For a detailed description of all CLI commands, use, and syntax, see Command Line Interface of Reference.
This section provides an overview of Guardian components, features, and key concepts. These include:
The Guardian Agent is a lightweight web application that gathers the data used for evaluations.
The Guardian Agent collects the following data:
If you have one or more managed servers in a domain, the Guardian Agent spawns the appropriate number of threads for communicating between the Guardian Agent on the WebLogic Administration Server, and the Guardian Agent running on the Managed Server(s).
An excessive number of threads can affect the performance of the Administration Server, so Guardian enables you to specify the maximum number of Agent threads that can be spawned. In addition, in order to manage Agent resources on both the Administration and Managed Servers, you can specify the maximum amount of time (in seconds) that can elapse before a thread is terminated. For instructions, see Configure Maximum Agent Threads and Configure Agent Thread Timeout in Tasks.
The Guardian Workspace is the directory in which all of your Guardian data is stored. It includes the following data for each domain you have defined in Guardian:
When you invoke Guardian, you are prompted to select a location for your Guardian Workspace. To prevent loss of work when Guardian is updated or uninstalled, select a Workspace location outside of the Guardian installation directory (see Select Workspace). You can also safely back up your Workspace data by exporting your Workspace to a file also located outside of your Guardian installation directory. For instructions, see Export Workspace of About Oracle Guardian.
Although the documents in the Guardian Workspace are persisted as XML files, they are best viewed through the Guardian User Interface. The Guardian User Interface provides a number of tools for viewing, managing, and processing your data, as well as better protection against unintended edits or deletions. For basic instructions on using the interface, see Guardian User Interface. For a detailed description of Guardian User Interface components and features, see Reference. See Tasks for detailed instructions for using the interface to perform specific Guardian tasks.
The Guardian Registry is an XML document in which your Oracle Guardian configuration specifications are maintained. The Guardian Registry is created during product installation, and updated whenever you modify your configuration or perform certain Guardian operations. The Guardian Registry identifies the domains you have activated, the Signature Bundles available for evaluation, the Shortcuts you have defined, and your Guardian Workspace location(s).
A domain is a logically related group of WebLogic Server resources that are managed as a unit. A domain always includes at least one WebLogic Server instance called the Administration Server. The Administration Server acts as a central point of contact for server instances and system administration tools. A domain may also include additional WebLogic Server instances called Managed Servers.
Each Oracle Guardian installation maintains a Guardian Registry of active domains. A domain is considered active when it is capable of being evaluated. You can activate and deactivate domains at will, and select which to evaluate at any given time.
A domain node represents a domain that has been defined in Guardian. When you activate a domain for the first time in Guardian, a node for the new domain is added to the Target Domains folder in the Domain Explorer tree. A unique name is automatically generated for the new domain, based upon your entries in the Domain Activation Wizard.
Note: In the Command Line Interface, the domain node name is referred to as the domainId for the domain.
The Domain Explorer displays only the active domain nodes. An active domain is a domain that has been activated (defined for evaluation) in Guardian. This does not refer to the state of the domain servers. If you deactivate a domain in Guardian, that domain is removed from the Domain Explorer tree. However, if you reactivate the domain, the node for that domain is again displayed, and the original contents of the History folders are also again available. Deactivating a domain does not remove the Workspace data for that domain.
For more information, see Domain Nodes in Reference.
You can organize the domains in Guardian into Domain Groups for easier management. For instructions on creating and managing Domain Groups, see Domain Groups in Tasks.
A Domain Inventory is an XML document that describes the products in a Guardian domain. The inventory includes descriptions of your servers, Java Virtual Machines, operating systems, and databases. The descriptions include product versions as well as some configuration settings.
A Domain Inventory is created when you activate or evaluate a domain. The Inventory History is also refreshed each time a domain is evaluated. You can use the Domain Inventory Wizard in the Guardian User Interface to define and generate a new Domain Inventory.
Domain Inventory files are stored and maintained in your Guardian Workspace. You can use the Domain Explorer in the Guardian User Interface to view and manage Domain Inventories.
Oracle Support has identified patterns in user domains that can cause problems. These patterns are described in XML documents called signatures.
Signatures describe potential problems based on information about your Oracle WebLogic Servers and the environment in which they are deployed, including Java Virtual Machines (JVMs), operating systems, and databases. Signatures contain executable logic that can identify specific versions of these products as well as their configuration settings.
In addition to the potential problem description, signatures also contain a remedy recommendation and a severity level: 1-Critical, 2-Warning, or 3-Info.
To detect which signatures apply to your domain, you conduct an evaluation. When the evaluation is complete, the results are displayed in an Evaluation Summary. The Evaluation Summary lists all of the detected signatures, along with the severity level, description, and recommended remedy for each.
Signatures form a primary component of Oracle Guardian, since they contain the distilled knowledge of Oracle Support for both detecting potential problems and resolving them.
A Signature Bundle is a group of signatures that are evaluated together against one or more specified domains. Signatures are grouped into bundles based on their characteristics. For example, the Security Advisories bundle contains signatures that detect potential security problems for which Oracle has issued Security Advisories. The Service Pack Remedy bundle contains signatures whose resolution requires installation of a specific service pack.
You can select which bundle to evaluate against which domain(s). Bundles determine the signatures—and consequently, the potential issues—for which to search. The domain(s) you specify determine where to search.
You can use the Bundle Explorer Navigator view to browse the available Signature Bundles and their contents.
For details, see Bundle Explorer in Reference. For instructions on using Bundles, see Bundles in Tasks.
Signature Annotations enable you to tag a detected signature with one or more persistent annotations about that signature.
An annotation contains the following information:
You can use the Annotations Wizard to create, edit, and delete annotations. For details, see Annotations Wizard in Reference. For instructions, see Signature Annotations in Tasks.
In addition, you can use Signature Filters to specify which annotated signatures are to be displayed in the Signature Explorer, Bundle Explorer, and Evaluation Summaries. For instructions, see Filter Annotated Signatures in Tasks. For complete instructions on using filters, see Filter Signatures in Tasks.
To detect which signatures apply to your domain, you conduct an evaluation. When the evaluation is complete, the results are displayed in an Evaluation Summary. The Evaluation Summary lists all of the detected signatures, along with the severity level, description, and recommended remedy for each.
A Snapshot Evaluation is a complete assessment of all of the configuration details for a specific domain, at the particular moment the evaluation is executed.
You can compare two Snapshot Evaluations to see very quickly the differences between configurations for two domains, or the same domain at different points in its history. For instructions, see Compare Inventories or Evaluations of Tasks.
The results of an evaluation are displayed in an Evaluation Summary. The Evaluation Summary lists all of the signatures from the specified bundle that were detected for the evaluated domain, along with the severity level, description, and recommended remedy for each signature.
The Signature Repository contains the locally persisted store of signatures available for evaluation. When you download signatures from the Guardian update site, they arrive in a Java Archive (JAR) file. The JAR file is stored in the repository/archives directory of your Guardian installation directory.
A Shortcut enables you to streamline the evaluation procedure by predefining and storing the domain, Signature Bundle, and other parameters for evaluations that you perform frequently. You can then evaluate the Shortcut, saving you the effort of re-entering the parameter values each time you want to run the evaluation.
A support service request is a record created when you submit technical questions or issues to Oracle Support. Customers with a support contract can open a service request on the Oracle eSupport website or by calling Oracle Customer Support.
Guardian enables you to open an Oracle Customer Service Request directly from a Guardian evaluation. When you conduct an evaluation that detects a signature, you can create a service request directly from a selected signature in an Evaluation Summary. Guardian creates and saves the service request data as a Service Request Archive for later submission to Oracle Support. Service Request Archives include all of the information from the signature and are stored as files with the file name extension .car. This enables an Oracle support engineer to begin working on your service request upon receipt of the archive. You can also add any additional attachments and notes before sending the service request archives to Oracle.
To learn more about Oracle Support and service requests, see the Oracle Customer Support Guidebook, which you can download from the Oracle Customer Support website.
To safeguard your domains, Guardian requires valid login credentials for all communications between Guardian and your Guardian domains. Whenever you conduct an evaluation or activate a domain, Guardian prompts you for the username and password of an Administrator or Monitor account on the target domain. You can choose to store the username and password so you do not have to enter them for every evaluation. All usernames, passwords, and server names persisted on disk are encrypted.
Any passwords, usernames, or server names persisted on disk are encrypted. This encryption helps prevent the disclosure of any clear text data that could compromise the security of your domain. SSL encryption is available for communication between Guardian and your domains and between Guardian and Oracle. Guardian uses 128 bit open source encryption for SSL. However, the configuration on the server for the domain determines whether or not Guardian will use 128 bit SSL encryption when activating that domain.
Note: Oracle recommends using SSL encryption for communication between the client and the Guardian Agent.
Secure Sockets Layer (SSL) encryption is available for all communication with Oracle over the Internet, and all communication with Guardian Agents in your target domain(s).
Note: Oracle recommends using SSL encryption for communication between the client and the Guardian Agent. Guardian uses 128 bit open source encryption for SSL. However, the configuration on the server for the domain determines whether or not Guardian will use 128 bit SSL encryption when activating that domain.
If you want to use SSL, there are three types of communication to consider:
When you download signatures into Guardian from Oracle Support, Oracle collects high level statistics about your signature usage, including the number of times each signature was evaluated and detected. No customer data is included in the usage statistics. This information is used only in aggregate to assess the effectiveness of each signature. This data is crucial to the continuous improvement of Oracle Guardian.
The signature usage statistics contain the following information:
signature id — This is the unique identifier for the signature.
type — This is the category of the signature.
fired — This is the number of times the signature was considered for use. This also includes the number of times the signature was disqualified before evaluation due to targeting products not present on the domain.
evaluated — This is the number of times the signature was actually compared against the target domain.
detected — This is the number of times the signature was actually found on the target domain.
The following is a sample signature usage statistic:
<?xml version="1.0" encoding="UTF-8"?>
<usage>
<signature id="123456.sig" type="Evaluation" fired="30" evaluated="18" detected="2" />
<signature id="234567.sig" type="Evaluation" fired="30" evaluated="20" detected="1" />
</usage>
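An added example, not part of the Oracle documentation or of Guardian itself: a Python check that parses a usage document in the format shown above, flags anything beyond the five documented fields, and verifies that the counters are consistent. The ordering detected <= evaluated <= fired is an assumption inferred from the field descriptions, and the third sample record (with its `host` attribute) is constructed to trigger both findings.

```python
import xml.etree.ElementTree as ET

# The five fields the page documents for each <signature> element.
ALLOWED_ATTRS = {"id", "type", "fired", "evaluated", "detected"}
COUNTERS = ("fired", "evaluated", "detected")

# Constructed sample: the page's two records plus one deliberately bad
# record carrying an undocumented attribute and inconsistent counters.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<usage>
<signature id="123456.sig" type="Evaluation" fired="30" evaluated="18" detected="2" />
<signature id="234567.sig" type="Evaluation" fired="30" evaluated="20" detected="1" />
<signature id="345678.sig" type="Evaluation" fired="5" evaluated="9" detected="1" host="adminserver01" />
</usage>
"""


def audit_usage(xml_text):
    """Return (records, findings) for a usage-statistics document.

    records  -- one dict per well-formed, consistent <signature> element
    findings -- (signature id, message) pairs for anything unexpected
    """
    # The documented format has no DTD, so refuse one outright rather
    # than let the parser expand entity declarations.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not expected in a usage document")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "usage":
        raise ValueError("root element is %r, expected 'usage'" % root.tag)

    records, findings = [], []
    for el in root:
        sig_id = el.get("id", "<missing id>")
        if el.tag != "signature":
            findings.append((sig_id, "unexpected element <%s>" % el.tag))
            continue
        # Any attribute outside the documented set could carry data the
        # page says is not collected; report it by name, never by value.
        extra = sorted(set(el.attrib) - ALLOWED_ATTRS)
        if extra:
            findings.append((sig_id, "undocumented attributes: " + ", ".join(extra)))
        if (el.text and el.text.strip()) or len(el):
            findings.append((sig_id, "unexpected element content"))
        try:
            fired, evaluated, detected = (int(el.attrib[k]) for k in COUNTERS)
        except (KeyError, ValueError):
            findings.append((sig_id, "missing or non-integer counter"))
            continue
        # Assumption: a signature is fired, then possibly evaluated, then
        # possibly detected, so each counter bounds the next.
        if not 0 <= detected <= evaluated <= fired:
            findings.append((sig_id, "counters violate detected <= evaluated <= fired"))
            continue
        records.append({
            "id": sig_id,
            "type": el.get("type"),
            "fired": fired,
            "evaluated": evaluated,
            "detected": detected,
            # Fired but never evaluated: disqualified before evaluation.
            "disqualified": fired - evaluated,
            "detection_rate": detected / evaluated if evaluated else 0.0,
        })
    return records, findings


if __name__ == "__main__":
    recs, probs = audit_usage(SAMPLE)
    for r in recs:
        print("%(id)s disqualified=%(disqualified)d rate=%(detection_rate).3f" % r)
    for sig_id, message in probs:
        print("FINDING %s: %s" % (sig_id, message))
```
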
There are many ways to configure and use Guardian to diagnose the health of your domains. However, there are four essential tasks that can be considered the primary functions of Guardian. These are as follows:
The following sections provide a brief description of each of these tasks. For a complete description of all Guardian tasks and procedures, see Tasks.
Activating a domain prepares the domain for evaluation and conducts an initial inventory of the domain configuration.
To activate a domain, use the Domain Activation Wizard. For instructions, see Activate Domain of Tasks.
A Domain Inventory is a snapshot of all of the configuration details for a domain as it exists at that moment. The results are displayed in a Domain Inventory Overview in the Document Pane. The inventory is also added to the Inventory History folder in the Domain Explorer. Domain Inventories are also generated automatically whenever you activate or evaluate domains.
To inventory a domain, use the Inventory Wizard. For instructions, see Inventory Domain of Tasks.
To detect which signatures apply to your domain, you conduct an evaluation. Guardian collects data about your domain environment, and identifies which signatures apply to the domain. When the evaluation is complete, the results are displayed in an Evaluation Summary. The Evaluation Summary lists all of the detected signatures, along with the severity level, description, and recommended remedy for each.
You can review the Evaluation Summary to determine your response to any signatures that are detected. If you need more help resolving the potential problem identified by the signature, you can use Guardian to create an Oracle service request archive.
For instructions on conducting evaluations, see Evaluate Domain of Tasks.
Oracle Support Engineers create new signatures every day, and new application enhancements to Guardian are also periodically released. The Guardian Update feature enables Guardian to connect directly to the Guardian Update site to automatically download and install new signatures and product updates. To update Guardian on servers that do not have Internet access, you can perform a manual update.
For instructions for performing both automatic and manual updates, see Updates and Upgrades of Tasks.
The following scenarios are examples of some of the different ways you can use Guardian to find problems before they impact your environment.
As you develop an application and migrate from development to quality assurance to production, you can run an evaluation at each stage. Guardian will help ensure that each phase of your development process is compliant with Oracle best practices.
Some signatures are designed to evaluate runtime domain settings. Running an evaluation under heavy load can detect potential problems that would not otherwise be detected. Oracle recommends conducting these evaluations during load and performance testing.
After you update an existing application, you can run an evaluation to assess the deployment. Guardian will help you find any potential problems that could impact your upgrade.
After you install a new Oracle patch, service pack, or upgrade, or install or upgrade third party software, you can run an evaluation to identify any new issues that may have been introduced.
If Guardian earlier detected a signature, and you subsequently applied the remedy or made other changes to your system, you can run an evaluation to confirm that the signature is no longer detected and no new issues were introduced.
If you made changes to your domain configuration or settings, you can run an evaluation to confirm that the result is compliant with Oracle best practices.
If you are concerned about domain settings being incorrectly changed overnight, or your domain is approaching certain resource limits, you can schedule evaluations to run overnight. You can review the Evaluation Summary in the morning and decide if any detected signatures merit further investigation.
Guardian evaluations are designed to have as minimal an impact on throughput and CPU usage as possible. If your domain has extra capacity, you can schedule Guardian to run evaluations at regular intervals; for example, every 15 minutes. Then, if any changes are made or certain thresholds are reached, you can be notified quickly.
If you notice a problem on your domain, you can run an evaluation. Even if an earlier evaluation detected no signatures, something may have changed since that time to cause the new problem. Guardian can be your first line of defense in diagnosing and repairing domain problems.
Supported Targets are the environments that Oracle Guardian can target for evaluations.
Basically, Guardian can target any platform for evaluation that allows it to install and communicate with the Guardian Agent. In addition, the Guardian Agent itself must have access to a specific set of Java system information properties and methods. The Oracle products capable of supporting these operations are based on WebLogic Server versions 8.1 and above.
The following Oracle product versions are supported:
Note: For the most current information on Supported Oracle product versions, please see the Oracle Guardian Installation Guide.