4.1 Oracle VM Administrator Tool

4.1.1 Managing Users with Oracle VM Administrator Tool
4.1.2 Log Rotation Options

The Oracle VM Administrator Tool, which can be invoked on the command line using the ovm_admin command, is used to perform typical administrative actions specific to Oracle VM Manager. These actions allow you to manage users that have access to Oracle VM Manager, reconfigure Oracle VM Manager's datastore, and control log rotation. To perform any action using the Oracle VM Administrator Tool, you must use the password that is configured for the weblogic user.

The Oracle VM Administrator Tool is installed as part of the default Oracle VM Manager installation process. The full path to the Oracle VM Administrator Tool is: /u01/app/oracle/ovm-manager-3/bin/ovm_admin

The following is listed in the help page on the command line:

Usage: ./ovm_admin [options]

Options:
--help: Shows this message
--createuser: Create new Oracle VM Manager admin user
--deleteuser: <admin> Delete Oracle VM Manager admin user
--listusers: List Oracle VM Manager users
--modifyuser: Modify Oracle VM Manager user password
--lockusers: <tries> Max login tries before locking account. This setting is global.
--unlockuser: <admin> Unlock user account
--modifyds <SID> <host> <port> [<type>] Modify Data Store 'OVMDS'. Options of <type>: 
              oracle, mysql
--listconfig: List configuration
--rotatelogsdaily: <time> Rotate Logs Daily (HH:MM)
--rotatelogsbysize: <size> Rotate Logs By Size (KB)
Warning

Do not use the --modifyds option in this command unless instructed to do so by an Oracle Support representative. This option can result in your Oracle VM Manager deployment becoming completely unusable. This option is used to migrate an existing Oracle VM Manager deployment to an alternate database backend. It does not handle the migration of the data within the database.

4.1.1 Managing Users with Oracle VM Administrator Tool

The Oracle VM Administrator Tool provides you with the ability to perform various user management functions directly from the command line. By default, the Oracle VM Manager installation process only creates and configures a single Oracle VM Manager administrative user. While this is often sufficient for many customers, creating separate administrative user accounts may be useful for security and auditing purposes.

4.1.1.1 Creating a New Oracle VM Manager User

A new user can be created for the Oracle VM Manager application using the Oracle VM Administrator Tool by running the following command:

# ./ovm_admin --createuser

The tool returns the following output:

Oracle VM Manager Release 3.3.1 Admin tool

Please enter the username : [ovmuser]

Please enter the password for [ovmuser] (minimum 8 chars. with one numeric/special char.) :
Please re-enter the password :  
Note

Your password must conform to the password requirements suggested by the Oracle VM Administrator Tool, or the creation of your user fails in the final step.

Please enter the password for weblogic :     

At this point you must enter the password for the Weblogic system. If you performed a Simple Installation of Oracle VM Manager, this password is the same as your default Oracle VM Manager admin user's password.

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to WebLogic server ...

Connected ...
Creating user '[ovmuser]' ...
Created user '[ovmuser]' successfully ...
Exiting...

4.1.1.2 Deleting an Oracle VM Manager User

Removing an Oracle VM Manager administrative user can be achieved using the Oracle VM Administrator Tool by running the following command:

# ./ovm_admin --deleteuser [ovmuser]

You are prompted for the Weblogic password. This is the password for the Weblogic system as it was set up during installation. If you performed a Simple Installation of Oracle VM Manager, this password is the same as your default Oracle VM Manager admin user's password. Typical output is presented below:

Oracle VM Manager Release 3.3.1 Admin tool

Please enter the password for weblogic :

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to WebLogic server ...

Connected ...
Deleting user '[ovmuser]' ...
Deleted user '[ovmuser]' successfully ...
Exiting...
Important

There are some users stored within Weblogic that are critical to the healthy functioning of your Oracle VM Manager environment. Do not delete either of these accounts:

  • OracleSystemUser

  • weblogic

It is also generally advisable to keep the default admin user account, so that there is always at least one administrative account that is able to access the Oracle VM Manager application.

4.1.1.3 Changing an Oracle VM Manager User's Password

It is possible to change any Oracle VM Manager administrative user's password using the Oracle VM Administrator Tool by running the following command:

# ./ovm_admin --modifyuser

The tool returns the following output:

Oracle VM Manager Release 3.3.1 Admin tool

Please enter the username : [ovmuser]

Please enter the current password : 
Note

You must be able to provide the user's current password in order to modify the user account.

If you need to reset an account due to a lost password, you should delete the user account and create a new account.

Please enter a new password for [ovmuser] (minimum 8 chars. with one numeric/special char.) : 
Please re-enter the password :
Note

Your password must conform to the password requirements suggested by the Oracle VM Administrator Tool, or the creation of your user fails in the final step.

Please enter the password for weblogic : 

At this point you must enter the password for the Weblogic system. If you performed a Simple Installation of Oracle VM Manager, this password is the same as your default Oracle VM Manager admin user's password.

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to WebLogic server ...

Connected ...
Modifying user '[ovmuser]' ...
Modified user '[ovmuser]' successfully ...
Exiting...

4.1.1.4 Getting a List of Oracle VM Manager Users

You can use the Oracle VM Administrator Tool to obtain a list of users that have access to the Oracle VM Manager application by running the following command:

# ./ovm_admin --listusers

The tool prompts you for the Weblogic password and returns output similar to the following:

Oracle VM Manager Release 3.3.1 Admin tool

Please enter the password for weblogic : 

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to WebLogic server ...

Connected ...
Listing Oracle VM users ...
User : OracleSystemUser
User : weblogic
User : admin
User : [ovmuser]
Listed users successfully ...
Exiting...

Some of the users stored within Weblogic and listed are critical to the healthy functioning of your Oracle VM Manager environment. These include:

  • OracleSystemUser

  • weblogic

The default admin user account is also typically listed. Any other user accounts listed, such as the [ovmuser] account, have been added to the system after installation.
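The comparison described above can be scripted. The following is an added example, not part of the Oracle VM documentation or tooling: it reads captured --listusers output and reports any listed account outside an approved baseline, as well as any critical account that is missing. The function names, the baseline variable and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit captured `ovm_admin --listusers` output.

# Accounts this page says must never be deleted.
CRITICAL_USERS="OracleSystemUser weblogic"
# Approved baseline: critical accounts plus the default admin account.
# Assumption: extend this with the accounts your site has approved.
APPROVED_USERS="$CRITICAL_USERS admin"

# audit_users: reads --listusers output on stdin and prints
#   UNEXPECTED <name>  for a listed user outside the baseline
#   MISSING <name>     for a critical account that is not listed
audit_users() {
    # Keep only "User : <name>" lines; drop trailing whitespace or CR.
    found=$(sed -n 's/^User : *\([^[:space:]]*\).*$/\1/p')
    printf '%s\n' "$found" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        case " $APPROVED_USERS " in
            *" $user "*) ;;                          # in the baseline
            *) printf 'UNEXPECTED %s\n' "$user" ;;
        esac
    done
    for user in $CRITICAL_USERS; do
        printf '%s\n' "$found" | grep -qxF -- "$user" ||
            printf 'MISSING %s\n' "$user"
    done
}

# Constructed sample modelled on the output shown above; "ovmuser" stands in
# for an account added after installation.
sample_listing() {
    cat <<'EOF'
Connected ...
Listing Oracle VM users ...
User : OracleSystemUser
User : weblogic
User : admin
User : ovmuser
Listed users successfully ...
EOF
}

sample_listing | audit_users
```

Empty output means the listing matches the baseline exactly.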

4.1.1.5 Locking User Accounts

To protect against unauthorized access to Oracle VM Manager, it is possible to configure an account locking facility that is triggered after a number of failed attempts to log in. This is achieved using the Oracle VM Administrator Tool in the following way:

# ./ovm_admin --lockusers [3]
Note

Account locking is enabled by default according to the base Weblogic configuration. The default settings allow for 5 invalid login attempts before the account is locked. The lock period is set to 30 minutes. The only way to change the lock period is to edit the underlying Weblogic configuration directly. For more information on configuring the Weblogic lockout parameters, please refer to the Weblogic documentation on this at:

http://docs.oracle.com/cd/E13222_01/wls/docs81/ConsoleHelp/security_realm_userlockout.html

Important

This is a global parameter that applies to all users. Setting this parameter on an instance of Oracle VM Manager that makes use of a single administrator account can result in this account being locked for 30 minutes before anybody is able to use it again. To recover from this, it is possible to unlock the account. See Section 4.1.1.6, “Unlocking User Accounts”.

You are prompted to enter the Weblogic password in order to apply this setting. Typical output from the command follows:

Oracle VM Manager Release 3.3.1 Admin tool

Please enter the password for weblogic : 

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to WebLogic server ...

Connected ...
Setting Invalid Login attemps to '[3]' ...
Exiting...
Restart of Oracle VM Manager is required for Data Store change to take effect ...

Note that you are required to restart Oracle VM Manager in order for the setting to take effect.

An account is locked for 30 minutes before it is automatically unlocked again.

4.1.1.6 Unlocking User Accounts

When account locking is enabled (see Section 4.1.1.5, “Locking User Accounts”), it is possible for Oracle VM Manager user accounts to become locked for up to 30 minutes if a user fails to authenticate after the number of attempts that has been configured for this facility. When a user's account has become locked and the user enters the correct username and password combination, an error appears when the user attempts to authenticate:

Unexpected error during login (javax.security.auth.login.LoginException), 
please consult logs for details.

An investigation of the AdminServer.log reveals:

000000000183> >1358953290200< >BEA-090078< >User ovmuser in security realm myrealm 
has had 3 invalid login attempts, locking account for 30 minutes.<

It is possible to override the 30 minute lock on an account by using the Oracle VM Administrator Tool in the following way:

# ./ovm_admin --unlockuser [ovmuser]

You are prompted for the Weblogic account password in order to complete the operation.
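The BEA-090078 message shown above is a useful signal to review before unlocking an account, because repeated lockouts of the same user can indicate password guessing rather than a forgotten password. The following is an added example, not part of the Oracle VM documentation or tooling: it extracts lockout events from log text and counts them per user. The function names and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: extract account lockout events (BEA-090078) from AdminServer.log.

# lockout_events: reads log text on stdin and prints one line per lockout:
#   <user> <realm> <invalid attempts> <lock minutes>
# Only the message ID and message wording shown on this page are matched, so
# the layout of the other log fields does not matter.
lockout_events() {
    sed -n '/BEA-090078/s/.*User \([^ ]*\) in security realm \([^ ]*\) has had \([0-9][0-9]*\) invalid login attempts, locking account for \([0-9][0-9]*\) minutes.*/\1 \2 \3 \4/p'
}

# repeat_lockouts MIN: prints "<user> <count>" for every user locked out at
# least MIN times in the input, sorted by user name.
repeat_lockouts() {
    lockout_events |
        awk -v min="$1" '{ n[$1]++ }
            END { for (u in n) if (n[u] >= min) print u, n[u] }' |
        sort
}

# Constructed sample lines: the timestamps and leading fields are
# illustrative, only the BEA-090078 message text follows this page.
sample_log() {
    cat <<'EOF'
<Jan 23, 2013 3:01:30 PM UTC> <Notice> <Security> <BEA-090078> <User ovmuser in security realm myrealm has had 3 invalid login attempts, locking account for 30 minutes.>
<Jan 23, 2013 3:05:02 PM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.>
<Jan 23, 2013 4:10:11 PM UTC> <Notice> <Security> <BEA-090078> <User admin in security realm myrealm has had 3 invalid login attempts, locking account for 30 minutes.>
<Jan 23, 2013 4:40:45 PM UTC> <Notice> <Security> <BEA-090078> <User ovmuser in security realm myrealm has had 3 invalid login attempts, locking account for 30 minutes.>
EOF
}

sample_log | lockout_events      # every lockout in the sample
sample_log | repeat_lockouts 2   # users locked out more than once
```

To run it against a real log, redirect AdminServer.log into either function in place of the sample.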

4.1.2 Log Rotation Options

The Oracle VM Administrator Tool allows you to control how and when log files are rotated. There are two options available:

  • --rotatelogsdaily: set the logs to be rotated on a daily basis at an allocated time

  • --rotatelogsbysize: set the logs to be rotated when they reach a specified size

In both cases, you are prompted for the Weblogic password in order to update the configuration.

4.1.2.1 Rotate Logs Daily

To set the logs to rotate daily at an allocated time, run the Oracle VM Administrator Tool in the following way:

# ./ovm_admin --rotatelogsdaily [00:30]

The time provided is specified in the format HH:MM.

Typical output from the command follows:

Oracle VM Manager Release 3.3.1 Admin tool

Please enter the password for weblogic : 

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to WebLogic server ...

Connected ...
Configure log rotation setting to rotate daily at [00:30] ...
Modified log rotation setting successfully ...
Exiting...

4.1.2.2 Rotate Logs By Size

To set the logs to rotate when they reach a specified size, run the Oracle VM Administrator Tool in the following way:

# ./ovm_admin --rotatelogsbysize [1024]

The size provided is specified according to the number of kilobytes before rotation.

Typical output from the command follows:

Oracle VM Manager Release 3.3.1 Admin tool

Please enter the password for weblogic : 

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to WebLogic server ...

Connected ...
Configure log rotation setting to rotate the logs based on size ([1024] KB) ...
Modified log rotation setting successfully ...
Exiting...