1 Description

The Oracle Key Manager (OKM) appliance plug-in for Oracle Enterprise Manager (OEM) Cloud Control provides monitoring for OKM clusters. Each KMA belonging to a cluster is monitored by the plug-in. The plug-in provides the following primary features:

  • Gathers and presents key management system, configuration, and performance information for OKM clusters

  • Raises alerts for pre-selected configuration and monitoring data

  • Ties together Oracle ZFS storage appliances and Oracle databases that use OKM for their encrypted data.

  • Supports monitoring by remote agents in the Cloud Control environment.

Overview

The OKM Cluster plug-in for OEM Cloud Control can support a variety of OKM configurations. Before you deploy the plug-in, your planning process should consider the number of OKM clusters and each OKM cluster topology, along with the enterprise monitoring requirements.

Figure 1-1 presents a large hypothetical enterprise including OKM clusters on three continents: North America, Europe, and South America. By presenting a large enterprise example, the diagram demonstrates a variety of possibilities for deploying the plug-in.

Figure 1-1 shows details for the North America cluster where there are three OKM sites configured:

  • An Admin Site that is not servicing any OKM agents

  • Sites A and B that service OKM agents with keys.

Sites A and B contain isolated service networks for their agents. Your planning process should consider which KMA within each cluster will be used for the monitoring target.

In this example, the North American cluster uses KMA-Admin as the KMA within the Admin site for the plug-in. This plug-in will be hosted in the Management Agent with the target labeled "OKM-NA." You can configure other KMAs, but selecting this particular KMA minimizes traffic on KMAs that also service agents. You would need to perform a similar selection process for the other OKM clusters in Europe and South America.

Figure 1-1 Large Enterprise Plug-in Deployment Example


Supported Versions

Deployment of the Oracle Enterprise Manager System Monitoring Plug-in for OKM requires that the following software versions already be installed:

  • Oracle Enterprise Manager Cloud Control 12c Release 4 (12.1.0.4.0) or higher (Oracle Management Server and Oracle Management Agent).

  • The KMA used to monitor the OKM Cluster must be at Version 2.5.2 or later.

Note:

Additional software requirements, such as the correct Java version in Cloud Control, are met through the required applications listed, provided the correct versions are installed. The plug-in can be installed on any operating system in which Enterprise Manager Cloud Control is running.

To enable the plug-in to communicate with OKM using AES-256 encryption keys, you must first install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on each Management Agent that the plug-in is deployed to. See "Enabling Java Unlimited Cryptographic Strengths".

Prerequisites

Before you can deploy the plug-in and monitor OKM appliances, you must:

  • Install the Oracle Enterprise Manager Cloud Control environment. Be sure to pay attention to security sections in the Oracle Enterprise Manager Administrator's Guide.

  • Configure the OKM appliance by creating a new user or utilizing an existing user with an Operator role and exporting its certificates. See "Configuring the OKM Appliance".

  • Review the Oracle Enterprise Manager Plug-in for OKM Security Guide.

Configuring the OKM Appliance

For the following procedure, use the Windows version of the OKM GUI if you are running the OKM Manager 3.0 GUI.

  1. Create a user with an Operator role. Skip this step if you are using an existing user.

    1. Log into the OKM Manager GUI as a Security Officer and click User List.

    2. Click the Create button.

    3. In the Create User dialog box, enter the User ID and select the Operator check box.

    4. Under the Passphrase tab, enter the passphrase.

  2. Export the Operator's certificates.

    1. Log into the OKM Manager GUI as an Operator.

    2. Click System and select Save Certificates.

    3. Select PKCS12 under the Format drop-down.

    4. Enter a passphrase to use for the exported certificate. Make note of this passphrase for the PKCS#12 file, since it will be needed later. Click OK.

    Note:

    Both the CA Certificate File Name and the Client Certificate File Name need to be accessible to the Enterprise Manager Agent with the plug-in deployed to it. These files can be saved directly to a location that the agent can access now, or copied there later before adding the target.
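A pre-flight check for the two exported files, to run as the Management Agent's OS user before adding the target. This is an added example, not part of the Oracle documentation: the file paths, the OKM_P12_PASS variable, and the permission policy (PKCS#12 file closed to group and other because such files normally carry the private key, CA certificate writable only by its owner) are assumptions.

```shell
#!/bin/sh
# Added example: names, paths and the permission policy are assumptions.

# check_cert_file FILE KIND   (KIND: private | public)
#   private: no group/other access at all (PKCS#12 client file)
#   public : may be world-readable, but only the owner may write (CA cert)
check_cert_file() {
    f=$1
    kind=$2
    if [ ! -f "$f" ]; then echo "missing: $f"; return 1; fi
    if [ ! -r "$f" ]; then echo "not readable by agent user: $f"; return 1; fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ldL -- "$f" | cut -c5-10)
    case "$kind:$bits" in
        private:------) return 0 ;;
        private:*) echo "group/other access ($bits): $f"; return 1 ;;
        public:?w????|public:????w?)
            echo "group/other writable ($bits): $f"; return 1 ;;
        public:*) return 0 ;;
        *) echo "unknown kind: $kind"; return 1 ;;
    esac
}

# Return 0 if the PKCS#12 file opens with the passphrase stored in the
# environment variable named by $2 (keeps it out of argv and history).
verify_pkcs12() {
    openssl pkcs12 -in "$1" -noout -passin "env:$2" >/dev/null 2>&1
}

# preflight CA_FILE P12_FILE: run every check, report all failures.
preflight() {
    ca=$1
    p12=$2
    rc=0
    check_cert_file "$ca" public || rc=1
    check_cert_file "$p12" private || rc=1
    # The passphrase test runs only when openssl and OKM_P12_PASS exist.
    if [ "$rc" -eq 0 ] && [ -n "${OKM_P12_PASS:-}" ] &&
       command -v openssl >/dev/null 2>&1; then
        verify_pkcs12 "$p12" OKM_P12_PASS ||
            { echo "passphrase does not open: $p12"; rc=1; }
    fi
    return "$rc"
}
```

Call it as `preflight /path/to/ca.pem /path/to/client.p12`, with OKM_P12_PASS exported beforehand if the passphrase should be tested as well.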

Configuring Database-to-OKM / ZFS Storage Appliance-to-OKM Mappings

In order for reports that include database-to-OKM and ZFS storage appliance-to-OKM mappings to work, the database, the host on which the database resides, and the ZFS appliance must be monitored by Oracle Enterprise Manager Cloud Control. For instructions on monitoring host storage and database instances, refer to the documentation provided with Oracle Enterprise Manager Cloud Control software (see Appendix A, "Additional Resources").