3 Setting Up the Cloud Management Infrastructure

This chapter describes the initial setup needed before you can begin using the Enterprise Manager Cloud Management solution.

The chapter includes the following sections:

Note:

From the Enterprise Manager 12.1.0.4 release, the Software Library is configured during the installation of Enterprise Manager. It need not be configured separately.

3.1 Setting Up Self Update

The Self Update feature allows you to expand Enterprise Manager's capabilities by updating Enterprise Manager components whenever new and updated features become available between official releases. Oracle makes functional updates available between releases by publishing them to the Enterprise Manager Store, an external site that is periodically checked by Enterprise Manager to obtain information about available updates.

The updatable entities for the Oracle Cloud platform include:

Before you can use the Self Update feature, you must satisfy these prerequisites:

  • If you are applying an update in online mode, ensure that the My Oracle Support credentials have been set up using the SYSMAN user. This is required to enable entities to be downloaded from the My Oracle Support site.

  • The Software Library (also known as the local store) has been configured. Updates are downloaded to this local store before being deployed into Enterprise Manager.

Review the following sections for instructions on setting up Self Update:

3.1.1 Setting Up Enterprise Manager Self Update Mode

In order to set up or modify the Enterprise Manager Self Update feature, you must have Enterprise Manager Super Administrator privileges.

  1. Log in to Enterprise Manager as an administrator with Super Administrator privileges.

  2. From the Setup menu, select Extensibility, then select Self Update. The Self Update console appears with the default setup displayed.

  3. From the General status area, click the Connection Mode status to set either offline or online mode. Enterprise Manager takes you to the Patching Setup page to specify online and offline settings.

  4. Once the desired connection mode has been selected, return to the Self Update console.

    From here you can select entity types and schedule updates from the Enterprise Manager Update Store.

3.1.2 Assigning Self Update Privileges to Users

Enterprise Manager administrators must have the requisite privileges to use the Self Update feature. The Enterprise Manager Super Administrator must assign the following Self Update roles to these administrators:

  • VIEW_SELF_UPDATE: The user can view the Self Update console and can monitor the status of download and apply jobs.

  • MANAGE_SELF_UPDATE: The user can schedule download and apply jobs. The user can also suppress and unsuppress updates. This privilege implicitly contains VIEW_SELF_UPDATE.

  • EM_INFRASTRUCTURE_ADMIN: The user can perform all self update operations. This privilege implicitly contains MANAGE_SELF_UPDATE.

By default, the Super Administrator will be granted EM_INFRASTRUCTURE_ADMIN privilege.

To assign Self Update privileges to regular Enterprise Manager administrators:

  1. From the Setup menu, select Security, then select Administrators.

  2. Select an administrator and click Edit.

  3. From the Roles page, assign the appropriate Self Update roles.

3.1.3 Setting Up the EM CLI Utility (Optional)

If you plan to apply software updates in offline mode, you will need to use the Enterprise Manager Command Line Utility, or EM CLI, to import entity archives for deployment to Enterprise Manager.

A page is provided in the Enterprise Manager Cloud Control console with instructions on setting up EMCLI. Access the page by appending /console/emcli/download to the URL used to access the Cloud Control console:

https://emcc_host:emcc_port/em

For example:

https://emcc_host:emcc_port/em/console/emcli/download

3.2 Deploying the Required Plug-ins

Much of the functionality available in Enterprise Manager Cloud Control is made available through plug-ins. As its name implies, a plug-in is a component or module that can be plugged into an existing Enterprise Manager installation to extend its management and monitoring capabilities.

The features that collectively comprise the Oracle Cloud Management solution are provided via several plug-ins which must be deployed to your Oracle Management Service (OMS). The plug-ins that must be deployed to enable each Cloud model are listed below.

You can deploy the plug-ins needed to enable Cloud in two ways:

  • If you have not yet installed Enterprise Manager Cloud Control, or have not yet upgraded to the latest Enterprise Manager release, you can deploy the plug-ins as part of the installation or upgrade process. You will select the Advanced Install mode and in the Select Plug-ins screen, select the plug-ins that you wish to install.

  • If you already have Enterprise Manager Cloud Control 12c installed, you must download the needed plug-ins to the Software Library. You can then deploy the plug-ins to your Oracle Management Service (OMS).

    See the Enterprise Manager Cloud Control Administrator's Guide for instructions on downloading and deploying the plug-ins.

Note:

For a complete list of all cloud plug-ins along with the version numbers, see Supported Plug-ins. You must check for any plug-in updates that are available and ensure that the latest version has been downloaded.

Plug-ins Required to Enable Infrastructure as a Service (IaaS)

  • Enterprise Manager for Oracle Cloud (listed as Oracle Cloud Application in Self Update)

  • Enterprise Manager for Oracle Virtualization (listed as Oracle Virtualization in Self Update)

  • Enterprise Manager for Oracle Virtualization Infrastructure (listed as Oracle Virtual Infrastructure in Self Update)

  • Enterprise Manager for Oracle Cloud Framework (listed as Oracle Cloud Framework in Self Update)

  • Enterprise Manager for Oracle Consolidation Planning and Chargeback (listed as Oracle Consolidation Planning and Chargeback in Self Update)

Plug-ins Required to Enable Database as a Service (DBaaS) and Snap Clone

  • Enterprise Manager for Oracle Cloud (listed as Oracle Cloud Application in Self Update)

  • Enterprise Manager for Oracle Virtualization (listed as Oracle Virtualization in Self Update)

  • Enterprise Manager for Oracle Consolidation Planning and Chargeback (listed as Oracle Consolidation Planning and Chargeback in Self Update)

  • Enterprise Manager for Oracle Database (listed as Oracle Database in Self Update)

  • Enterprise Manager for Storage Management (listed as Oracle Storage Management Framework in Self Update)

  • Enterprise Manager for Oracle Cloud Framework (listed as Oracle Cloud Framework in Self Update)

Plug-ins Required to Enable Middleware as a Service (MWaaS)

  • Enterprise Manager for Oracle Cloud (listed as Oracle Cloud Application in Self Update)

  • Enterprise Manager for Oracle Virtualization (listed as Oracle Virtualization in Self Update)

  • Enterprise Manager for Oracle Consolidation Planning and Chargeback (listed as Oracle Consolidation Planning and Chargeback in Self Update)

  • Enterprise Manager for Oracle Fusion Middleware (listed as Oracle Fusion Middleware in Self Update)

  • Enterprise Manager for Oracle Cloud Framework (listed as Oracle Cloud Framework in Self Update)

Plug-ins Required to Enable Testing as a Service (TaaS)

  • Enterprise Manager for Oracle Cloud (listed as Oracle Cloud Application in Self Update)

  • Enterprise Manager for Oracle Virtualization (listed as Oracle Virtualization in Self Update)

  • Enterprise Manager for Oracle Consolidation Planning and Chargeback (listed as Oracle Consolidation Planning and Chargeback in Self Update)

  • Enterprise Manager for Oracle Cloud Framework (listed as Oracle Cloud Framework in Self Update)

3.3 Defining Roles and Assigning Users

Roles are named groups of related system and object privileges. You can create roles and then assign them to users and to other roles. You can assign any of the existing roles, along with the associated privileges, to a new role. Enterprise Manager contains four out-of-the-box roles for the Cloud Self Service Portal, namely:

  • EM_CLOUD_ADMINISTRATOR: Users with this role can set up and manage the cloud infrastructure. This role is responsible for deploying the cloud infrastructure (servers, zones, storage, and networks) and infrastructure cloud operations for performance and configuration management.

  • EM_SSA_ADMINISTRATOR: Users with this role can define quotas and constraints for the self service users and grant them access privileges. Users with this role also have provisioning and patching designer privileges that allow them to create and save deployment procedures, create and view patch plans, and support the plug-in lifecycle on the Management Agent. These privileges are required for initial setup and ongoing maintenance of the infrastructure.

  • EM_SSA_USER: Users with this role, by default, can only access the Self Service Portal and all the service families. An administrator with the EM_SSA_ADMINISTRATOR role can provide additional privileges that allow users with the EM_SSA_USER role to access other features in Enterprise Manager.

  • EM_SSA_USER_BASE: Users with this role can access the Self Service Portal but will not have access to any service family. Access to a specific service family (DBaaS, MWaaS, and so on) needs to be explicitly granted to the users with this role.

The table below lists the roles associated with each user.

| User Profile | EM_CLOUD_ADMINISTRATOR | EM_SSA_ADMINISTRATOR | EM_SSA_USER | EM_SSA_USER_BASE |
|---|---|---|---|---|
| Minimum roles required to create a user | EM_CLOUD_ADMINISTRATOR, PUBLIC, EM_USER | EM_SSA_ADMINISTRATOR, PUBLIC, EM_USER | EM_SSA_USER | EM_SSA_USER_BASE |
| Roles to be removed when creating a user | NONE | NONE | PUBLIC, EM_USER | NONE |

Additional roles may be added as required

The Oracle Cloud Self Service Portal is intended for end-users to be able to provision and manage their own cloud services. Since the functions performed by users with the EM_CLOUD_ADMINISTRATOR and EM_SSA_ADMINISTRATOR roles are consistent across Enterprise Manager, these out-of-box roles can be used as they are. All you need to do is create users with the EM_CLOUD_ADMINISTRATOR and EM_SSA_ADMINISTRATOR roles.

But the EM_SSA_USER and EM_SSA_USER_BASE roles are used for quota assignment, and to limit access to PaaS Infrastructure zones, and service templates. In this case, the pre-defined role cannot be used as it is defined. You must create custom SSA User roles based on the standard EM_SSA_ROLE and EM_SSA_USER_BASE roles as described in Creating a Custom Role for Self Service Application Users. After creating a custom role, you must assign users to this role.

For example, in a DBaaS Cloud setup, you may want to create the following users:

  • CLOUD_ADMIN: This user will have the EM_CLOUD_ADMINISTRATOR role and is responsible for network, system, storage, and administration activities.

  • SSA_ADMIN: This user will have the EM_SSA_ADMINISTRATOR role and is responsible for database administration activities.

  • SSA_USER: In this case, the default EM_SSA_USER role must be customized and a custom role must be created. A user in this role is typically a junior database administrator, developer, or tester.

  • SSA_USER_BASE: In this case, you need to create a copy of the EM_SSA_USER_BASE role and grant DBAAS_ACCESS privileges to this role. You can then create the SSA_USER_BASE user who will have access to the Database Cloud Self Service Portal.

For more details on Users and Roles, see the Enterprise Manager Cloud Control Security Guide.

3.3.1 Creating a Custom Role for Self Service Application Users

This section describes the following:

  • Creating a Custom Role Based on the EM_SSA_USER Role.

  • Creating a Custom Role Based on EM_SSA_USER_BASE Role.

3.3.1.1 Creating a Custom Role Based on the EM_SSA_USER Role

Typically, you need to create new SSA User roles either for different functional groups like developers, testers, production DBAs, or for different customer teams like the Siebel DBA team, BRM DBA team, and operations team for hosting custom Java applications, and so on. To create a custom SSA user role, follow these steps:

  1. Log in to Enterprise Manager as a Super Administrator user.

  2. From the Setup menu, select Security, then select Roles.

  3. Click Create in the Roles page to launch the Create Role wizard.

  4. Provide a name and description (SSA_DEV_ROLES) for the role and click Next.

  5. From the list of Available Roles, select the EM_SSA_USER role and move it to the Selected Roles table. Click Next.

  6. Accept the default target privileges and click Next.

  7. Accept the default resource privileges and click Next.

  8. Skip the Create Role: Administrators step and click Next.

  9. Review the changes and click Finish to create the custom SSA user (SSA_DEV_USERS) role.

3.3.1.2 Creating a Custom Role Based on the EM_SSA_USER_BASE Role

You may want to restrict some self service users from using all service families and allow them to access only certain service types depending on their requirements. In this case, you can create a custom role based on the EM_SSA_USER_BASE role and grant them access to only certain service types.

To create a custom SSA user role, follow these steps:

  1. Log in to Enterprise Manager as a Super Administrator user.

  2. From the Setup menu, select Security, then select Roles.

  3. Click Create in the Roles page to launch the Create Role wizard.

  4. Provide a name and description (SSA_USER_DBAAS) for the role and click Next.

  5. From the list of Available Roles, select the EM_SSA_USER_BASE role and move it to the Selected Roles table. Click Next.

  6. Accept the default target privileges and click Next.

  7. In the Resource Privileges page, click the Manage Privilege Grants for the Cloud Self Service Portal for Database resource type. In the Resource Type Privilege page, select the Access the Cloud Self Service Portal for Database check box and click Continue.

  8. Skip the Create Role: Administrators step and click Next.

  9. Review the changes and click Finish to create the custom SSA user (SSA_USER_DBAAS) role. This user can only access the Database Cloud Self Service Portal.

3.3.2 Creating a User and Assigning Roles

To create a user called SSA_USER1 and grant the custom role created earlier (SSA_DEV_USERS), follow these steps:

  1. Log in to Enterprise Manager as a Super Administrator user.

  2. From the Setup menu, select Security, then select Administrators.

  3. Click Create in the Administrators page to launch the Create Administrator wizard.

  4. Enter the name and password for the user (SSA_USER1) and click Next.

  5. From the list of Available Roles, select the SSA_DEV_USERS role and move it to the Selected Roles table. Remove the EM_USER and PUBLIC roles from the Selected Roles table. Click Next.

  6. Accept the default target privileges and click Next.

  7. Accept the default resource privileges and click Next.

  8. Review all the changes and click Finish to create the SSA_USER1 user.

    Tip:

    To create multiple users with the same role, select the newly created user and click Create Like. This will create a new user that will have the same properties as the source. You can then update the name, description, and email address for the new user.

Note:

Repeat these steps to create other users. For users with the EM_CLOUD_ADMINISTRATOR and EM_SSA_ADMINISTRATOR roles, the EM_USER and PUBLIC roles must be retained as these users need access to additional features.
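
The role rules in sections 3.3 through 3.3.2 can be checked against an inventory of administrators and their roles. The following Python script is an added example, not part of the Oracle documentation or of Enterprise Manager; the inventory data, the dictionary layout, and the function names are assumptions made for illustration.

```python
# Added example: audit administrator role assignments against the rules in
# sections 3.3 and 3.3.2. All data below is constructed sample data; how the
# administrators and roles are exported from a site is an assumption.

ADMIN_ROLES = {"EM_CLOUD_ADMINISTRATOR", "EM_SSA_ADMINISTRATOR"}
SSA_BASE_ROLES = {"EM_SSA_USER", "EM_SSA_USER_BASE"}
DEFAULT_ROLES = {"EM_USER", "PUBLIC"}

# Constructed: custom role -> roles selected for it in the Create Role wizard.
ROLE_MEMBERS = {
    "SSA_DEV_USERS": ["EM_SSA_USER"],
    "SSA_USER_DBAAS": ["EM_SSA_USER_BASE"],
    "SSA_TEST_USERS": ["SSA_DEV_USERS"],  # custom role nested in another
}

# Constructed: administrator -> roles in its Selected Roles table.
ADMINISTRATORS = {
    "CLOUD_ADMIN": ["EM_CLOUD_ADMINISTRATOR", "EM_USER", "PUBLIC"],
    "SSA_ADMIN": ["EM_SSA_ADMINISTRATOR", "PUBLIC"],        # EM_USER removed
    "SSA_USER1": ["SSA_DEV_USERS"],
    "SSA_USER2": ["SSA_TEST_USERS", "EM_USER", "PUBLIC"],   # defaults left in
    "SSA_USER3": ["EM_SSA_USER"],                           # out-of-box role
    "SSA_USER4": ["SSA_USER_DBAAS"],
}


def effective_roles(assigned, role_members):
    """Expand nested roles; the seen set also guards against cycles."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(role_members.get(role, ()))
    return seen


def audit(administrators, role_members):
    """Return (user, problem) pairs for assignments that break the rules."""
    findings = []
    for user, assigned in sorted(administrators.items()):
        direct = set(assigned)
        effective = effective_roles(assigned, role_members)
        if effective & ADMIN_ROLES:
            # Cloud and SSA administrators must keep EM_USER and PUBLIC.
            for role in sorted(DEFAULT_ROLES - direct):
                findings.append((user, f"{role} must be retained"))
            continue
        if "EM_SSA_USER" in effective:
            # Users of EM_SSA_USER-based roles must have the defaults removed.
            for role in sorted(DEFAULT_ROLES & direct):
                findings.append((user, f"{role} must be removed"))
        # The predefined SSA user roles are meant to be wrapped in custom roles.
        for role in sorted(SSA_BASE_ROLES & direct):
            findings.append((user, f"{role} assigned directly; use a custom role"))
    return findings


if __name__ == "__main__":
    for user, problem in audit(ADMINISTRATORS, ROLE_MEMBERS):
        print(f"{user}: {problem}")
```

The nested SSA_TEST_USERS role shows why the check expands roles first: SSA_USER2 never holds EM_SSA_USER directly, yet still falls under the rule that EM_USER and PUBLIC are removed.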

3.3.3 Granting Roles and Privileges for Managing Storage Servers

To perform various storage server activities, you need to grant the following roles and privileges:

3.3.3.1 Granting General Privileges

Table 3-1 displays the general privileges you need to set before you register a storage server.

Table 3-1 General Privileges for Storage Server Registration and Management

| Privilege | Description | Scope | Notion | Included Privilege |
|---|---|---|---|---|
| VIEW_ANY_STORAGE | Ability to view any storage. | class | VIEW | nil |
| REGISTER_STORAGE | Ability to register storage. | class | CREATE | nil |
| VIEW_STORAGE | Ability to view storage details. | object | VIEW | nil |
| MANAGE_STORAGE | Ability to synchronize storage. | object | EDIT | VIEW_STORAGE, CREATE_JOB |
| MANAGE_ANY_STORAGE | Ability to manage any of the registered storage servers. | object | EDIT | VIEW_ANY_STORAGE, CREATE_JOB |
| FULL_STORAGE | Ability to modify or remove storage. | object | FULL | MANAGE_STORAGE |

3.3.3.2 Granting Target Privileges

Table 3-2 displays the target privilege you need to set to enable or disable Snap Clone for a target.

Table 3-2 Target Privilege for Enabling or Disabling Snap Clone

| Target Privilege | Scope | Notion | Include In Privilege | Included Privilege | Applicable Target Type |
|---|---|---|---|---|---|
| SNAP_CLONE_TARGET | object | Manage | FULL_TARGET | VIEW_TARGET | oracle_database, rac_database |

3.3.3.3 Granting Roles

Table 3-3 displays the roles you need to grant to be able to register a storage server and perform various activities on the registered storage server.

Table 3-3 Roles for Registering and Managing the Storage Server

| Role | Description | Security Class | Privilege | Granted To Role |
|---|---|---|---|---|
| EM_STORAGE_ADMINISTRATOR | Role has privileges to register storage hardware for Snap Clone. | STORAGE, STORAGE, TARGET, TARGET, NAMED_CREDENTIALS, JOB, SWLIB_ENTITY_MGMT | MANAGE_ANY_STORAGE, REGISTER_STORAGE, VIEW_ANY_TARGET, PERFORM_OPERATION_ANYWHERE, CREATE_CREDENTIAL, CREATE_JOB, SWLIB_CREATE_ANY_ENTITY, SWLIB_VIEW_ANY_ENTITY | EM_ALL_ADMINISTRATOR |
| EM_STORAGE_OPERATOR | Role has privileges to manage storage hardware for Snap Clone. | STORAGE, TARGET, TARGET, JOB, SWLIB_VIEW_ANY_ENTITY | MANAGE_ANY_STORAGE, VIEW_ANY_TARGET, PERFORM_OPERATION_ANYWHERE, CREATE_JOB, SWLIB_VIEW_ANY_ENTITY | EM_ALL_OPERATOR |

3.3.3.4 Granting Privileges for Provisioning

You need the following privileges to be able to use the storage server for provisioning:

  • VIEW_STORAGE on the storage server

  • GET_CREDENTIAL on the storage server

  • GET_CREDENTIAL on all the Management Agent credentials of the storage server

  • PERFORM_OPERATION on the storage server Management Agent

Note:

Snap Clone supports Sun ZFS storage on HP-UX hosts only if the OS version is B.11.31 or higher. If the OS version is lower than that, the Sun Storage may not function properly, causing Snap Clone to give unexpected results.

3.4 Configuring LDAP Authentication

Oracle Enterprise Manager provides tools and procedures to help you ensure that you are managing your Oracle environment in a secure manner. Enterprise Manager's authentication framework consists of pluggable authentication schemes that let you use the type of authentication protocol best suited to your environment. The following authentication schemes are available:

  • Oracle Access Manager (OAM) SSO

  • Repository-Based Authentication

  • SSO-Based Authentication

  • Enterprise User Security Based Authentication

  • Oracle Internet Directory (OID) Based Authentication

  • Microsoft Active Directory Based Authentication

Enterprise User Security (EUS) provides automatic authentication to users and roles from the LDAP compliant directory server.

For more details on Enterprise User Security, see the Enterprise Manager Security Guide.

3.5 Configuring Privilege Delegation Settings

Privilege delegation allows a logged-in user to perform an activity with the privileges of another user. Sudo and PowerBroker are privilege delegation tools that allow a logged-in user to be assigned these privileges. These privilege delegation settings will be used for all provisioning and patching activities on these hosts.

For details on how to configure the privilege delegation settings, see the Enterprise Manager Cloud Control Security Guide.

3.6 Customizing the Self Service Login Page

You can configure Enterprise Manager and provide specific access to SSA users. To configure Enterprise Manager for SSA users, you must set some properties on the OMS and copy the required images to a specified directory. This section describes the following:

3.6.1 Configuring the Self Service Login Page

To launch a separate SSA login page for all SSA users, you must do the following:

  • Set the following mandatory property on all OMSes:

    $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.ssa_oms -value true

    If this property is not set to true, the standard Enterprise Manager login page is displayed.

  • Set the following optional OMS properties.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_cloud_provider_brand -value true

      If this property is not set to true, the default Oracle Enterprise Manager 12c logo is displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_cloud_tenant_brand -value true

      If this property is not set to true, the tenant logo is not displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.cloud_provider_alt_text -value "Cloud Provider"

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.cloud_tenant_alt_text -value "Cloud Tenant"

      These properties are optional and if not set, the default values for "Cloud Provider", and "Cloud Tenant" are displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_disclaimer_text -value true

      If this property is not set to true, the default Oracle copyright message is displayed.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.disclaimer_text -value "Customer specified Disclaimer text"

      If this property is set to true, the specified disclaimer text is displayed instead of the default Oracle copyright message.

    • $ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.show_em_branding_text -value true

      If this property is not set to false, the "Powered by Oracle Enterprise Manager" text will appear on the Self Service Login page.

  • Copy the following images to the $ORACLE_HOME/sysman/config/ directory.

    • cloud_provider_small_brand.png

    • cloud_tenant_small_brand.png

      If a single image is used, the maximum recommended size is 500 * 20 px. If 2 images are used, the maximum recommended size is 200 * 20 px per image. After login, these images are displayed instead of the Oracle logo, if the OMS properties oracle.sysman.ssa.logon.show_cloud_provider_brand and oracle.sysman.ssa.logon.show_cloud_tenant_brand are set. If the OMS property oracle.sysman.ssa.logon.show_cloud_provider_brand is not set to true, along with the tenant logo, the default Oracle logo appears.

    • cloud_provider_large_brand.png

    • cloud_tenant_large_brand.png

      If a single image is used, then the maximum recommended size is 525 * 60 px. If 2 images are used, the maximum recommended size is 250 * 50 px per image. These images are displayed on the login page, if the OMS properties oracle.sysman.ssa.logon.show_cloud_provider_brand and oracle.sysman.ssa.logon.show_cloud_tenant_brand are set.

For example, if ACME Corp is the Cloud Service Provider and XYZ is the Cloud Tenant, the customized login page appears as follows:

Figure 3-1 Customized SSA Login Page


After the SSA user has logged in, the customized Infrastructure Self Service Portal is displayed as shown below:

Figure 3-2 Customized Post-Login Page


3.6.2 Switching Back to the Enterprise Manager Login Page

To revert to the default Enterprise Manager login page, set the following property:

$ORACLE_HOME/bin/emctl set property -name oracle.sysman.ssa.logon.ssa_oms -value false

3.6.3 Routing SSA Requests to a Specific OMS Pool

Oracle Management Service (OMS) is one of the core components of Enterprise Manager Cloud Control that works with the Oracle Management Agents (Management Agents) and plug-ins to discover targets, monitor and manage them, and store the collected information in a repository for future reference and analysis.

When you install Enterprise Manager for the very first time, by default, one OMS is installed along with one Management Agent. This default configuration is suitable for small environments. In larger production environments with several SSA users, you may need to install additional OMS instances to reduce the load on a single OMS and improve the efficiency of the data flow. You can then configure the Server Load Balancer (SLB) to redirect all SSA requests to a specific OMS pool. The other OMS pools will then be available for administration usage. To learn more about setting up multiple OMS instances and the SLB, see the Adding Additional Oracle Management Service section in the Enterprise Manager Cloud Control Basic Installation Guide.

To redirect SSA requests, you must specify the following SLB configuration:

https://<slb_host_name>:<slb_em_port>/em redirecting to oms for em

https://<slb_host_name>:<slb_ssa_port>/em redirecting to oms for ssa

The SSA and non-SSA OMS pools are differentiated based on the port number. All requests with a particular port number will be redirected to a specific OMS pool (SSA OMS pool) and all the other requests will be redirected to the other pool.