14 Configuring Proxies for OMS and Management Agent Communication

Oracle Management Service (OMS) and Oracle Management Agent (Management Agent) are core components of Enterprise Manager Cloud Control. While the Management Agents discover and monitor targets in your environment, the OMS orchestrates with the Management Agents to manage the discovered targets and to store the collected information in a repository for future reference and analysis.

For this purpose, OMS and Management Agents constantly communicate with each other. To manage the HTTP and HTTPS requests more efficiently and to add an additional layer of security, you can choose to secure this communication by configuring an HTTP or HTTPS-based proxy between the OMS and the Management Agents.

This chapter describes how you can configure an HTTP proxy to secure the communication between the OMS and the Management Agents. In particular, this chapter covers the following:

14.1 About Using Proxies for OMS and Management Agent Communication

Oracle Management Service (OMS) and Oracle Management Agent (Management Agent) are core components of Enterprise Manager Cloud Control. While the Management Agents discover and monitor targets in your environment, the OMS orchestrates with the Management Agents to manage the discovered targets and store the collected information in a repository for future reference and analysis. For this purpose, OMS and Management Agents constantly communicate with each other. To manage the HTTP and HTTPS requests more efficiently and to add an additional layer of security, you can choose to secure this communication by configuring an HTTP or HTTPS-based proxy between the OMS and the Management Agents.

A proxy is an application external to Enterprise Manager Cloud Control that acts as an intermediary for managing HTTP as well as HTTPS requests across network boundaries or firewalls. By using a proxy, you can expose only certain ports for communication between two or more components, thus making the communication more secure and reliable.

In the earlier releases of Enterprise Manager Cloud Control, you had the option of configuring only one proxy for an OMS to communicate with its Management Agents. However, from 13c Release 1 onwards, you have the following proxy configuration options:

  • No proxy at all.

  • One proxy for all the Management Agents.

  • One proxy for a few Management Agents and no proxy for the rest.

  • Different proxies for the same group of Management Agents (redundant proxies).

  • Different proxies for different groups of Management Agents.

A proxy is modeled and added as a manageable entity in Enterprise Manager Cloud Control, and is monitored for its availability much like any other target type. Therefore, even a non-administrator can view the details of a proxy in Enterprise Manager Cloud Control. However, only administrators with full privileges on targets are permitted to modify the proxy configuration settings.

However, the proxies configured for Management Agent-to-OMS communication and for OMS-to-My Oracle Support communication are not modeled as target types and are not monitored in Enterprise Manager Cloud Control. Also, you cannot configure redundant proxies for them in any way.

In addition, from 13c Release 1 onwards, you can configure multiple proxies for the same group of Management Agents, as redundant proxies, to support high availability of the proxies configured for the OMS. In this case, since the OMS has multiple proxies configured to communicate with its Management Agents, the proxy that is up and running is selected for communication, regardless of the status of the other proxies.

Note:

  • NTLM-based Microsoft proxies are not supported. To enable access through such proxies, add all the available agent hosts to the Unauthenticated Sites Properties of the NTLM-based Microsoft proxy.

  • Local addresses of each OMS automatically bypass the proxy.

14.2 Configuring Proxies for OMS-to-Management Agent Communication

You can secure the communication between Oracle Management Service (OMS) and Oracle Management Agents (Management Agents) by configuring a proxy. A proxy is an application external to Enterprise Manager Cloud Control that acts as an intermediary for managing HTTP as well as HTTPS requests across network boundaries or firewalls. By using a proxy, you can expose only certain ports for communication, and thereby have a more secure and reliable communication between the OMS and the Management Agents.

You can configure one proxy for all Management Agents, one proxy for a set of Management Agents and none for the rest, or different proxies for different sets of Management Agents.

In addition, you can configure two or more proxies as redundant proxies to support high availability of the proxies configured for OMS and Management Agent communication. Under such circumstances, by default, the proxy that is up and running is selected for communication, regardless of the status of the other proxies. If a proxy is found to be inactive or down before communication starts, then an alternate proxy configured for that Management Agent is selected. However, note that after the communication begins through a particular proxy, if that proxy turns inactive or shuts down, then no fallback mechanism is currently available to select an alternate proxy that is up and running.

Note:

  • NTLM-based Microsoft proxies are not supported. To enable access through such proxies, add all the available agent hosts to the Unauthenticated Sites Properties of the NTLM-based Microsoft proxy.

  • Local addresses of each OMS automatically bypass the proxy.

To configure proxies for OMS and Management Agent communication, follow these steps:

  1. From the Setup menu, select Proxy Settings, then select Agents.

  2. On the Proxy page, click Create.

  3. On the Create a Proxy page, do the following:

    1. In the Name field, enter a unique name for the proxy you are configuring. This is the name with which the proxy is modeled as a target type and monitored in Enterprise Manager Cloud Control. For example, oms-agent_proxy1.

    2. In the Host field, enter the name of the host on which the proxy resides. For example, www-proxy.example.com.

    3. In the Port field, enter the port used by the proxy.

    4. From the Protocol options, select an appropriate protocol, either HTTP or HTTPS.

    5. To verify if the OMS is able to successfully connect to the proxy you have specified, click Test Proxy.

  4. If the proxy you are configuring is set up using a realm, or login credentials, or both, then select Associate a Named Credential, and in the Named Credential section, select the registered named credential you want to use.

    Note:

    If a named credential is not available for selection, then create a new one. To do so, from the Setup menu, select Security, then select Named Credentials. On the Named Credentials page, click Create. On the Create Credential page, in the General Properties section, enter a unique name for the credential, set Authenticating Target Type to Host, Credential Type to Host Credentials, and Scope to Global. In the Credential Properties section, enter the user name and password. Click Save.
  5. In the Associated Agents section, select the Management Agents that should communicate with the OMS using the proxy you are configuring. Select the Management Agents in one of the following ways. After selecting, if you want to verify if the Management Agents are able to successfully communicate with the proxy, click Test.

    • Click Select Agents, and in the Select Targets dialog, select one or more Management Agents.

      This option is particularly useful when you have a short list of Management Agents, each with unique names, to select. For example, agent1.example.com, agent2.example.com, agent3.example.com.

    • In the Agent Patterns field, enter the agent patterns of the Management Agents. Use comma (,) to separate individual patterns. Use asterisk (*) to represent zero or more characters, and a question mark (?) to represent a single character.

      This option is particularly useful when you have a short list of Management Agents, all with common prefixes to their unique names, to select. For example, to select all Management Agents running in Australia that start with the prefix aus_agent, such as aus_agent1.example, aus_agent2.example, aus_agent3.example.com, enter aus_agent*.

      Note:

      If a backslash (\) character precedes a star (*), a question mark (?), a comma (,), or a backslash (\) itself in the pattern, it hides the special meaning of the character that follows. For example, while the pattern abc* matches any string prefixed by the string abc, the pattern abc\* matches just one string: abc*.
    • In the Excluded Agent Patterns field, enter the agent patterns of the Management Agents that you want to exclude from associating with the proxy you are configuring, and include all the other Management Agents. Use comma (,) to separate individual patterns. Use asterisk (*) to represent zero or more characters, and a question mark (?) to represent a single character.

      This option is particularly useful when you have a long list of Management Agents you want to exclude, each with either fully unique names or with common prefixes to their unique names. For example, to exclude all the Management Agents running in Hong Kong that start with the prefix hkg_agent, such as hkg_agent1.example.com, hkg_agent2.example.com, hkg_agent3.example.com, enter hkg_agent* in the Excluded Agent Patterns field.

      Note:

      Excluded Agent Patterns do not exclude the Management Agents from the list of Management Agents selected by their names. They exclude only those Management Agents that are derived from the agent patterns you have entered in the Agent Patterns field.
  6. Click Submit.

14.3 Configuring Proxies for Management Agent-to-OMS Communication After the Management Agent Is Deployed

You can secure the communication between the Management Agents and the OMS by configuring a proxy. A proxy is an application external to Enterprise Manager Cloud Control that acts as an intermediary for managing HTTP as well as HTTPS requests across network boundaries or firewalls. By using a proxy, you can expose only certain ports for communication, and thereby have a more secure and reliable communication between the Management Agents and the OMS.

You can configure a proxy between the Management Agent and the OMS, after deploying the Management Agent, either using the Enterprise Manager Cloud Control Console or using the command-line interface (EMCTL commands).

To configure a proxy between the Management Agent and the OMS, after deploying the Management Agent, using the Enterprise Manager Cloud Control Console, follow these steps:

  1. From the Targets menu, select All Targets.

  2. On the All Targets page, in the Refine Search pane, under the heading Target Type, scroll down and expand the subheading Internal. Then click Agent.

  3. From the list of Management Agents, click the Management Agent for which you want to configure the proxy.

  4. On the Agent Home page, from the Agent menu, select Properties.

  5. On the Properties page, from the Show drop down list, select Advanced Properties.

  6. Expand Runtime Settings.

  7. Set the following properties:

    REPOSITORY_PROXYHOST

    REPOSITORY_PROXYPORT

    REPOSITORY_PROXYPWD

    REPOSITORY_PROXYREALM

    REPOSITORY_PROXYUSER

  8. Click Apply.

To configure a proxy between the Management Agent and the OMS, after deploying the Management Agent, using the command-line interface (EMCTL), follow these steps:

  1. Set the proxy properties in the <AGENT_HOME>/sysman/config/emd.properties file. To do so, run the following EMCTL commands from the Management Agent home:

    emctl setproperty agent -name REPOSITORY_PROXYHOST -value <proxy_host>

    emctl setproperty agent -name REPOSITORY_PROXYPORT -value <proxy_port>

    emctl setproperty agent -name REPOSITORY_PROXYREALM -value <proxy_realm>

    emctl setproperty agent -name REPOSITORY_PROXYUSER -value <proxy_user>

    emctl setproperty agent -name REPOSITORY_PROXYPWD -value <proxy_password>

    For example,

    emctl setproperty agent -name REPOSITORY_PROXYHOST -value www-proxy.example.com
    emctl setproperty agent -name REPOSITORY_PROXYPORT -value 80
    emctl setproperty agent -name REPOSITORY_PROXYREALM -value realm1
    emctl setproperty agent -name REPOSITORY_PROXYUSER -value u01
    emctl setproperty agent -name REPOSITORY_PROXYPWD -value password
    
  2. Restart the Management Agent.

14.4 Configuring Proxies for Management Agent-to-OMS Communication While Deploying the Management Agent

You can secure the communication between the Management Agents and the OMS by configuring a proxy. A proxy is an application external to Enterprise Manager Cloud Control that acts as an intermediary for managing HTTP as well as HTTPS requests across network boundaries or firewalls. By using a proxy, you can expose only certain ports for communication, and thereby have a more secure and reliable communication between the Management Agents and the OMS.

To configure a proxy between the Management Agent and the OMS while deploying the Management Agent, follow the steps outlined in Installing a Fresh Oracle Management Agent or Provisioning Management Agents Using An Agent Gold Image, and deploy the Management Agent. While providing the details for Management Agent deployment, on the Installation Details page of the Add Target Wizard, expand the Optional Details section, and in the Additional Parameters field, enter the following parameters with the appropriate proxy settings. Separate the parameters with a comma (,).

REPOSITORY_PROXYHOST=<proxy_host_name>, REPOSITORY_PROXYPORT=<proxy_host_port>

For example,

REPOSITORY_PROXYHOST=www-proxy.example.com, REPOSITORY_PROXYPORT=1523

14.5 Configuring Proxies for OMS-to-My Oracle Support Communication

Oracle Management Service (OMS) uses the Internet connectivity on its host to connect to My Oracle Support periodically to download patches, patch sets, patch recommendations, and Automated Release Updates (ARU) seed data. To secure this communication, you can add a proxy between the OMS and My Oracle Support.

To configure a proxy between the OMS and My Oracle Support, follow these steps:

  1. From the Setup menu, select Proxy Settings, then select My Oracle Support.

  2. On the Proxy Settings for My Oracle Support page, select Manual Proxy Configuration.

  3. In the HTTPS field, enter the name of the host where the proxy resides. For example, www-proxy.example.com.

  4. In the Port field, enter the port used by the proxy.

  5. If the specified proxy is configured using a security realm, login credentials, or both, then select Password/Advanced Setup and enter the realm and the credentials.

  6. To verify if the OMS can successfully connect to My Oracle Support using the specified proxy details, click Test.

  7. If the connection is successful, click Apply.

Note:

  • The proxy you configure applies to all OMS instances in a multi-OMS environment.

  • If you are using a proxy in your setup, ensure that it allows connectivity to aru-akam.oracle.com, ccr.oracle.com, login.oracle.com, support.oracle.com, and updates.oracle.com.

    NTLM or NT LAN Manager-based Microsoft proxies are not supported. If you are using an NTLM-based Microsoft proxy to enable access to the aforementioned sites, then add the aforementioned URLs to the Unauthenticated Sites Properties of the proxy.

14.6 Updating Proxies Configured for OMS-to-Management Agent Communication

You can modify the proxy you have configured for secure communication between Oracle Management Service (OMS) and Oracle Management Agents (Management Agent). You might want to modify the proxy port, the protocol, or the credentials. A more common requirement is to add or remove Management Agents that are associated with the proxy.

Note:

You cannot modify the proxy name with which the proxy is monitored in Enterprise Manager Cloud Control, and you cannot map a different proxy to the proxy name.

To update or modify the proxy configured for OMS and Management Agent communication, follow these steps:

  1. From the Setup menu, select Proxy Settings, then select Agents.

  2. On the Proxy page, select the proxy (the row in the table) you want to update, and click Modify.

  3. On the Modify a Proxy page, edit the port, the protocol, the named credentials, or the Management Agents associated with the proxy.

    For instructions to update the port, the protocol, and the proxy credentials, see Section 14.2.

    For instructions to associate additional Management Agents to an existing proxy, see Section 14.7. For instructions to exclude Management Agents from using an existing proxy, see Section 14.8.

14.7 Associating Additional Management Agents to an Existing Proxy to Communicate with the OMS

You can secure the communication between Oracle Management Service (OMS) and Oracle Management Agents (Management Agent) by configuring a proxy and associating a set of Management Agents to communicate with the OMS only through that proxy. Under certain circumstances, after configuring a proxy, you might have to modify the proxy to include additional Management Agents to communicate using that proxy.

To associate additional Management Agents to an existing proxy, follow these steps:

  1. From the Setup menu, select Proxy Settings, then select Agents.

  2. On the Proxy page, select the proxy (the row in the table) you want to modify to associate additional Management Agents, and click Modify.

  3. On the Modify Proxy page, do one of the following:

    • In the Associated Agents section, click Select Agents, and in the Select Targets dialog, select one or more Management Agents.

      This option is particularly useful when you have a short list of Management Agents, each with unique names, to select. For example, agent1.example.com, agent2.example.com, agent3.example.com.

    • In the Associated Agents section, in the Agent Patterns field, enter the agent patterns of the Management Agents. Use comma (,) to separate individual patterns. Use asterisk (*) to represent zero or more characters, and a question mark (?) to represent a single character.

      This option is particularly useful when you have a short list of Management Agents, all with common prefixes to their unique names, to select. For example, to select all Management Agents running in Australia that start with the prefix aus_agent, such as aus_agent1.example, aus_agent2.example, aus_agent3.example.com, enter aus_agent*.

      Note:

      If a backslash (\) character precedes a star (*), a question mark (?), a comma (,), or a backslash (\) itself in the pattern, it hides the special meaning of the character that follows. For example, while the pattern abc* matches any string prefixed by the string abc, the pattern abc\* matches just one string: abc*.

      You can also use the Agent Patterns field in combination with the Excluded Agent Patterns field to add any additional Management Agents to the list. For example, if you have 100 Management Agents in Australia that start with the prefix aus_agent, and if you want to exclude aus_agent98.example, aus_agent99.example.com, and aus_agent100.example.com, then you can enter aus_agent* in the Agent Patterns field, and enter aus_agent98.example, aus_agent99.example.com, and aus_agent100.example.com in the Excluded Agent Patterns field.

14.8 Excluding Management Agents from Using Proxies to Communicate with the OMS

You can secure the communication between Oracle Management Service (OMS) and Oracle Management Agents (Management Agent) by configuring a proxy and associating a set of Management Agents to communicate with the OMS only through that proxy. However, under certain circumstances, after configuring a proxy, you might have to modify it to exclude some Management Agents from using that proxy, and have only the remaining Management Agents use that proxy.

To exclude Management Agents from using a proxy to communicate with the OMS, follow these steps:

  1. From the Setup menu, select Proxy Settings, then select Agents.

  2. On the Proxy page, select the proxy (the row in the table) you want to modify to exclude the Management Agents, and click Modify.

  3. On the Modify Proxy page, do one of the following:

    • In the Associated Agents section, select the Management Agents you want to exclude, and click Remove Agents.

    • In the Associated Agents section, in the Excluded Agent Patterns field, enter the agent patterns of the Management Agents that you want to exclude. Use comma (,) to separate individual patterns. Use asterisk (*) to represent zero or more characters, and a question mark (?) to represent a single character.

      This option is particularly useful when you have a long list of Management Agents you want to exclude, each with either fully unique names or with common prefixes to their unique names. For example, to exclude all the Management Agents running in Hong Kong that start with the prefix hkg_agent, such as hkg_agent1.example.com, hkg_agent2.example.com, hkg_agent3.example.com, enter hkg_agent* in the Excluded Agent Patterns field.

    Note:

    Excluded Agent Patterns do not exclude the Management Agents from the list of Management Agents selected by their names. They exclude only those Management Agents that are derived from the agent patterns you have entered in the Agent Patterns field.
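
The pattern rules in Sections 14.2, 14.7, and 14.8 decide which Management Agents reach the OMS through a proxy, so it helps to preview a pattern set before submitting it. The following Python sketch is an added example, not Oracle code: it models the documented rules (comma-separated patterns, * and ?, backslash escapes, exclusions that apply only to pattern-derived agents). It assumes that patterns match the whole agent name, that matching is case-sensitive, that spaces around commas are ignored, and that an empty Agent Patterns field derives no agents; the function names and the sample inventory are constructed for illustration.

```python
import re

SPECIAL = {"*", "?", ",", "\\"}  # characters a backslash can escape


def split_patterns(field):
    """Split a comma-separated pattern field, honoring backslash escapes."""
    patterns, current, i = [], [], 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field) and field[i + 1] in SPECIAL:
            current.append(field[i:i + 2])  # keep the escape for to_regex()
            i += 2
            continue
        if ch == ",":  # unescaped comma ends the current pattern
            patterns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    patterns.append("".join(current).strip())
    return [p for p in patterns if p]


def to_regex(pattern):
    """Translate one agent pattern into a compiled regular expression."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in SPECIAL:
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        if ch == "*":
            out.append(".*")   # zero or more characters
        elif ch == "?":
            out.append(".")    # exactly one character
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)


def matches_any(name, field):
    """True if the agent name fully matches any pattern in the field."""
    return any(to_regex(p).fullmatch(name) for p in split_patterns(field))


def associated_agents(all_agents, selected=(), agent_patterns="",
                      excluded_patterns=""):
    """Agents that would use the proxy.

    Exclusions are applied only to agents derived from agent_patterns;
    agents selected by name stay associated, as the Note above states.
    """
    by_pattern = {a for a in all_agents
                  if matches_any(a, agent_patterns)
                  and not matches_any(a, excluded_patterns)}
    return sorted(set(selected) | by_pattern)


# Constructed sample inventory (not from a real environment).
AGENTS = [
    "aus_agent1.example.com", "aus_agent2.example.com",
    "aus_agent98.example.com", "aus_agent99.example.com",
    "hkg_agent1.example.com",
]

if __name__ == "__main__":
    # aus_agent98 is selected by name, so the exclusion does not remove it.
    for agent in associated_agents(AGENTS,
                                   selected=["aus_agent98.example.com"],
                                   agent_patterns="aus_agent*",
                                   excluded_patterns="aus_agent9?.example.com"):
        print(agent)
```

Comparing the returned list with the intended set of agents shows, before you click Submit, whether an agent you meant to exclude is still associated because it was also selected by name.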

14.9 Viewing a List of Proxies by Proxy Names or Management Agents

To view a list of proxies configured for OMS and Management Agent communication, from the Setup menu, select Proxy Settings, then select Agents.

By default, the proxies are sorted by proxy names.

  • To search for a particular proxy, in the Search Proxy section, enter the proxy name and click the search icon. You can enter the full proxy name, a few characters of the proxy name, or the percentage (%) wildcard character. The table filters itself to list the proxy you searched for.

  • To drill down and view more details about a proxy, in the Proxy Name column, click the proxy name.

  • To view a list of Management Agents that are associated with a proxy, select a proxy name row in the table and view the details in the Associated Agents table.

  • To drill down further and view more details about a Management Agent that is associated with a particular proxy, in the Agent Name column of the Associated Agents section, click the Management Agent name.

To sort the proxies by Management Agent names, from the View by options, select Agents.

  • To drill down and view more details about the Management Agent, in the Agent Name column, click the Management Agent name.

  • To drill down and view more details about the proxy, in the Associated Proxy Targets column, click the proxy name.

14.10 Monitoring Proxies Configured for OMS-to-Management Agent Communication

All proxies configured for OMS to Management Agent communication are modeled as targets in Enterprise Manager Cloud Control. To monitor a proxy, you must access its Home page from either the Proxy page or from the All Targets page.

To access the Home page of a particular proxy from the Proxy page, follow these steps:

  1. From the Setup menu, select Proxy Settings, then select Agents.

  2. On the Proxy page, in the Proxy Name column, click the proxy name.

To access the Home page of a particular proxy from the All Targets page, follow these steps:

  1. From the Targets menu, select All Targets.

  2. On the All Targets page, in the Refine Search pane, expand Others, then click Proxy. The resultant table lists all the proxies configured. Click the proxy name to access its Home page.

  3. On the Proxy Home page, click Help for more information.

14.11 Removing Proxies Configured for OMS-to-Management Agent Communication

To remove a proxy that is configured for OMS and Management Agent communication, follow these steps:

  1. From the Setup menu, select Proxy Settings, then select Agents.

  2. On the Proxy page, in the Proxy Name column, select the proxy you want to remove, and click Remove.

14.12 EM CLI Verbs for Configuring Proxies for OMS and Management Agent Communication

Table 14-1 lists the EM CLI verbs for configuring proxies for OMS and Management Agent communication. For more information about these verbs, see the Oracle Enterprise Manager Cloud Control Command Line Interface Guide.

Table 14-1 EM CLI Verbs for Configuring Proxies for OMS and Management Agent Communication

| EM CLI Verb | Description |
|---|---|
| add_proxy | Adds a proxy that mediates the HTTP or HTTPS traffic from the OMS to the Management Agent. This proxy is modeled as oracle_em_proxy target type in Enterprise Manager Cloud Control. |
| delete_proxy | Deletes an HTTP or HTTPS proxy that is configured for the OMS and Management Agent communication. |
| list_proxies | Lists all HTTP and HTTPS proxies that are configured for the OMS and Management Agent communication. By default, the output is in tabular format, listing the proxy name, the protocol, the host name (with its port), and the status. |
| modify_proxy | Modifies an HTTP or HTTPS proxy that is configured for the OMS and Management Agent communication. |
| show_proxy | Shows the details of an HTTP or HTTPS proxy that is configured for the OMS and Management Agent communication. |
| test_proxy | Tests whether or not an HTTP or HTTPS proxy, which is configured for the OMS and Management Agent communication, is reachable. |