This chapter provides detailed instructions for using and managing the following Guardian features and components:
There are many ways to configure and use Guardian to diagnose the health of your domains. However, there are four essential tasks that can be considered the primary functions of Guardian. These are as follows:
There are numerous other Guardian tasks and activities, which are categorized according to the following topics:
The following sections provide detailed instructions for performing the tasks in each of these categories.
This section provides instructions for the following tasks:
If you upgrade from a Guardian version earlier than 1.0.7 to a Guardian version of 1.0.7 or above, you may not be unable to activate domains until you manually deploy the new Guardian Agent in the WebLogic Server. To do this, you must first undeploy the old Guardian Agent, and then deploy and start the new Agent.
Note: | If you are using WebLogic Server 10.3, the Guardian Agent is already installed and ready for on-demand deployment. To enable the deployment, open the WebLogic Server Administration Console and select Domain > Configuration > General > Enable Oracle Guardian Agent. For complete instructions, see the WebLogic Server Administration Console online help. |
You can use the WebLogic Server Administration Console to uninstall the existing Guardian Agent and then install and deploy the new Agent. The WebLogic Server Administration Console provides a series of Web-based deployment assistants that guide you through the deployment process. For basic instructions, see Deploy Guardian Agent from WebLogic Server Administration Console . For complete instructions on deploying applications, see the Administration Console Online Help, and WebLogic Server documentation.
If you want to deploy the Guardian Agent to multiple servers, you can use a WebLogic Scripting Tool to automate this task. For basic instructions, see Deploy Guardian Agent to Multiple Servers. For instructions on using a script to activate multiple domains in Guardian, see Activate Multiple Domains. For complete instructions on using the WebLogic Scripting tool to deploy applications, see the WebLogic Scripting Tool documentation.
You can use the WebLogic Server Administration Console to manually deploy the Guardian Agent on that server. This section provides a summary of the basic steps involved for WebLogic Server versions 9.0 and above. For complete instructions for your specific version of WebLogic Server, please see your WebLogic Server documentation and Administration Console Online Help. Please also refer to the Guardian 1.1 Installation Guide and Guardian 1.1 Release Notes for additional important information.
To use the Administration Console to manually deploy the Guardian Agent, do the following:
Caution: | Make sure that Lock & Edit is selected for each of the following procedures. |
By default, the Guardian Agent is named bea-guardian-agent.war
.
Note: | For detailed instructions for this procedure, see “Start and stop a deployed Enterprise Application” in the WebLogic Administration Console Online Help. |
Note: | For detailed instructions for this procedure, see “Delete an Enterprise Application” in the WebLogic Administration Console Online Help. |
The Guardian Agent is a WAR file named bea-guardian-agent.war
, and is located in the following directory:
WARNING: | Do not change the name of the Guardian Agent when deploying it. Be sure to use the default name, bea-guardian-agent.war . |
<
root
>\guardian\plugins\com.bea.guardian.agent.weblogic_<
guard-version
>\weblogic<
wls-version
>
<
root
>
is the parent directory for the Guardian installation. For example:C:\\Program Files
<
guard-version
>
is the current (updated) Guardian version.
<
wls-version
>
is the version of WebLogic Server in which you are deploying this Agent.
If you are installing the Agent on WebLogic 8.1.x, install the bea-guardian-agent.war
file located in the ..\weblogic8
directory. For WebLogic Server 9.x and 10.x, install the bea-guardian-agent.war
file located in the ..\weblogic9
directory.
Note: | For detailed instructions for this procedure, see the section entitled, “Install an Enterprise Application” in the Administration Console Online Help. |
Note: | For detailed instructions for this procedure, see “Start and stop a deployed Enterprise Application” in the WebLogic Administration Console Online Help. |
Note: | For detailed instructions for this procedure, see “Activate Domain” in the Oracle Guardian Online Help. |
You can now use Guardian to evaluate the activated domains in your environment.
If you need to deploy the Guardian Agent to multiple servers in a cluster environment, you can use the weblogic.Deployer
command in the WebLogic Server Command Line Interface to automate this task. You can also use the Oracle WebLogic Scripting Tool (WLST) to deploy the Agent. This section provides basic instructions for using the weblogic.Deployer
command for this purpose. For instructions on using WLST, please see the WebLogic Scripting Tool product documentation.
Note: | Please also refer to the Guardian 1.1 Installation Guide and Guardian 1.1 Release Notes for additional important information. |
WARNING: | Do not change the name of the Guardian Agent when deploying it. Be sure to use the default name, bea-guardian-agent.war. |
At the WebLogic Server CLI prompt, enter the following command line:
java weblogic.Deployer -debug -adminurl http://
<admin_url>:<
port> -username <
username> -password <
password> – targets adminserver,<
cluster1>,<
cluster2> -deploy -sourcerootforupload <
dir_path>\bea-guardian-agent.war
If you have one or more managed servers in a domain, the Guardian Agent spawns the appropriate number of threads for communicating between the Guardian Agent on the WebLogic Administration Server, and the Guardian Agent running on the Managed Server(s). However, an excessive number of threads can affect the performance of the Administration Server. To control this, you can specify the maximum number of Agent threads to allocate to the WebLogic Server Administration Server for a specified domain. The Max. Agent Threads parameter setting determines this value. The default is 10
.
There are two ways to set the value for this parameter:
To set the Max. Agent Threads value for an activated domain, do the following:
This displays the Domain Properties dialog box.
This can be an integer value from 1
to 20
. The default is 10
.
This resets Max. Agent Threads to the specified value for the selected domain.
In order to manage Agent resources on both the WebLogic Administration Server and Managed Servers, Guardian enables you to specify the maximum amount of time (in seconds) that can elapse before a thread is terminated. The Agent Thread Timeout parameter governs this timeout. The default is 60
.
There are two ways to set the Agent Thread Timeout parameter:
To set the Agent Thread Timeout value for an activated domain, do the following:
This displays the Domain Properties dialog box.
This can be an integer value from 10
to 600
. The default is 60
.
This resets Agent Thread Timeout to the specified value for the selected domain.
This section provides instructions for the following tasks:
The Guardian Workspace is the directory in which all of your Guardian data is stored. It includes the following data for each domain you have defined in Guardian:
To prevent loss of work when Guardian is updated or uninstalled, your Workspace directory must be located outside of the Guardian installation directory. You can safely back up your Workspace data by exporting your Workspace to a file also located outside of your Guardian Installation directory. For instructions, see Export Workspace.
To specify the location for your Guardian Workspace, you must restart Guardian and specify a new location in the Select Workspace dialog box during startup.
WARNING: | To prevent loss of work when Guardian is updated or uninstalled, your Workspace directory must be located outside of the Guardian installation directory. You can safely back up your Workspace data by exporting your Workspace to a file also located outside of your Guardian Installation directory. For instructions, see Export Workspace. |
To select a Guardian Workspace when starting Guardian, do the following:
Guardian first displays the initial splash screen while loading, and then displays the Select Workspace dialog box.
This opens the Browse For Folder dialog.
Caution: | Make sure this directory is not located within the Guardian installation directory. |
To use an existing folder: Browse to the folder location and select the folder.
This creates or selects the file and returns to the Select Workspace dialog box.
If you do not want to select the Workspace each time you start Guardian, select the checkbox for Use this as the default workspace and do not ask again.
To change this setting at a later time, do the following:
Guardian loads the selected Workspace and completes the startup procedure.
You can export your Guardian Workspace data to a file, which you can use for backup and recovery purposes, or to import to another Guardian instance.
WARNING: | To prevent loss of work when Guardian is updated or uninstalled, make sure your Workspace and any Workspace export files are located outside of your Guardian Installation directory. |
To export a Guardian Workspace, do the following:
This opens the Export Workspace Wizard.
Note: | To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This clears the Select an export destination field and redisplays the default folder tree. |
Use one of the following methods to specify the file:
This saves your current Workspace as a .zip
file containing all of your Workspace data, including the guardian.registry
, .project
and .refresh
files.
You can import a Guardian Workspace from another Guardian instance, or an exported Workspace data file.
To import a Guardian Workspace, do the following:
This opens the Import Workspace Wizard.
Note: | To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This clears the Select an import source field and redisplays the default folder tree. |
Use one of the following methods to specify the file:
This imports the selected Workspace data and returns to the main Guardian window.
This section provides instructions for the following tasks:
You can use the Preferences page to configure your Guardian Preferences and customize your Guardian environment.
To configure your Guardian Preferences, do the following:
You can use either of the following methods to open the Preferences page:
The left pane of the Preferences page is a navigation tree containing an extensive series of hierarchical folders and subfolders. Each folder and subfolder in the hierarchy is a category of preference attributes that you can configure.
The top level folders are as follows:
Note: | For more information, see Preferences in Reference. |
This applies and saves all of your new Preference page settings.
You can export your Guardian Preferences to a file for backup and recovery purposes, or to import to another Guardian instance.
To export your Guardian Preferences to a file, do the following:
This opens the Export Preferences Wizard.
Note: | To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This will clear the Select an export destination field and redisplay the default folder tree. |
Use one of the following methods to specify the file:
This saves your current preferences information as a .epf
file in the specified location.
To import a Guardian Preferences from a file, do the following:
This opens the Import Preferences Wizard.
Note: | To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This clears the Select an import source field and redisplays the default folder tree. |
Use one of the following methods to specify the file:
This replaces your current Preference page settings with the settings from the imported file.
This section provides instructions for the following tasks:
A domain is active when it has been defined in Guardian and has been enabled for evaluation.
Note: | “Active” does not refer to the state of the domain servers themselves, but rather to whether you have enabled that domain for evaluation. |
Activating a domain also results in the following:
To activate a domain, do the following:
Note: | If you are unable to activate any domains, you may need to manually deploy the Guardian Agent. For instructions, see Manually Deploy the Guardian Agent. |
You can use any of the following methods to open the wizard:
The General tab contains the following fields:
Note: | Oracle recommends using SSL encryption for communication between the client and the Guardian Agent. |
Note: | If you preselected a deactivated domain when you invoked the Domain Activation Wizard, the Protocol, Hostname, and Port fields will be automatically filled with the appropriate values. |
The Advanced tab contains the following fields and options:
1
to 20
. The default is 10
.10
to 600
. The default is 60
. If you need to activate multiple domains in Guardian, you can use a script to automate this procedure.
Note: | Oracle recommends using SSL encryption for communication between the client and the Guardian Agent. Guardian uses 128 bit open source encryption for SSL. However, the configuration on the server for the domain determines whether or not Guardian will use 128 bit SSL encryption when activating that domain. |
WARNING: | You must deploy the Guardian Agent to each domain that is to be activated prior to running the activation script. For instructions, see “ Deploy Guardian Agent to Multiple Servers ,” above. |
The following is an example script for activating multiple domains:
-gactivateDomain -t https://slp7:7001 -u un -p pw -c true
-gactivateDomain -t https://slp8:7001 -u un -p pw -c true
-gactivateDomain -t https://sqa-lldev:4044 -u un -p pw -c true
The script can then be run in Guardian Headless Mode, by using the following command line:
guardianHeadless.cmd -gscript -f activatingScript.txt
For more information about running scripts, see Run Scripts.
When you deactivate a domain, it is no longer available for evaluation. Any shortcuts that use the domain are removed from the Shortcuts Table and Shortcut Explorer. The Domain Inventory and Evaluation Summary data persists after deactivation, but is not available for viewing in Domain Explorer. You must reactivate the domain before you can view the data or evaluate the domain.
To deactivate a domain, do the following:
WARNING: | If you click Finish, you will not be prompted to confirm the deactivate operation. The domain will be deactivated immediately. |
This deactivates the domain and returns to the Domain Explorer or Active Domain Table.
Note: | The Domain Deactivation Wizard does not remove the Oracle Guardian Agents that were installed when you activated the domains. For instructions on removing Agents, see the WebLogic Server Administration Console Online Help. For instructions on purging inactive domains from Guardian, see Purge All Inactive Domains. |
You can modify the Domain Properties for a domain to customize the way Oracle Guardian communicates with that domain.
To modify the Domain Properties for a domain, do the following:
The Domain Properties configuration page contains the following fields and options:
1
to 20
. The default is 10
.10
to 600
. The default is 60
. This applies your new Domain Properties settings to the selected domain.
To remove all deactivated domains from the Domain Explorer, select Tools > Purge Inactive Domains.
WARNING: | You will not be prompted to confirm the purge operation. The domains are purged immediately. Purging the inactive domains also deletes the associated Domain Inventories and Evaluation Summaries from the Guardian Workspace, and removes the domains from the Guardian Registry. |
This section provides instructions for the following tasks:
To create and populate a new Domain Group, do the following:
This opens the Add Domain Group dialog box.
This adds the new Domain Group to the Domain Explorer tree, and closes the Add Domain dialog box.
In the Domain Explorer Domain tree, click on a domain name to select it, then drag and drop it into the new Domain Group folder. Repeat this step for each domain you want to include in the new Domain Group.
To rename an existing Domain Group, do the following:
This opens the Rename Domain Group dialog box.
This renames the Domain Group in the Domain Explorer tree, and closes the Rename Domain dialog box.
You cannot delete a Domain Group that contains a domain. If there are domains in the Domain Group, you can drag and drop the domains into the Target Domains folder, or into another Domain Group folder.
This displays a Domain Group Delete Confirmation dialog box prompting you to confirm the delete request.
This deletes the Domain Group from the Domain Explorer tree, and closes the Delete Confirmation dialog box.
This section provides instructions for the following tasks:
If you want to use an inbound proxy server for communications between Guardian and the WebLogic Administration Server, you must first add the proxy server to Guardian.
To add an inbound proxy server, do the following:
This adds the proxy server to the Proxy Servers list in the Proxy Servers configuration page, and dismisses the Proxy Properties dialog box.
This adds the new proxy server to the Proxy Server drop-down list in the Advanced tab of the Domain Activation Wizard and dismisses the dialog box.
If you want to use an inbound proxy server for communications between Guardian and the WebLogic Administration Server, you must enable the proxy connection.
To enable an inbound proxy connection, do the following:
For instructions, see Add Inbound Proxy Servers.
You can use any of the following methods to open the wizard:
If you are using an outbound proxy server for communications between Guardian and the outside world, you will need to test the outbound proxy connection.
To enable and test an outbound proxy server connection, do the following:
This displays the Preferences page.
This displays the Oracle Support preferences, which include some settings for proxy testing.
After the test completes, a status message is displayed at the top of the page as to whether it was successful or not.
This section provides instructions for the following tasks:
A Domain Inventory is an assessment of your current domain environment. The results are displayed in a Domain Inventory Overview in the Document Pane. The inventory is also added to the Inventory History folder in the Domain Explorer. Domain Inventories are also created automatically whenever you activate or evaluate domains.
To inventory a domain, do the following:
You can use any of the following methods to open the wizard:
This initiates the Domain Inventory and displays the results in a Domain Inventory Overview in the Document Pane.
To view an existing Domain Inventory, do the following:
To identify potential problems before they occur, you can use the Evaluation Wizard to evaluate one or more domains.
Note: | The evaluation of some signatures may hang the evaluation. To prevent this, open the Preferences page, and set the Guardian > Signature Evaluation Threshold parameter (in miliseconds). Then select the Enable Safe Evaluation checkbox. If enabled, the evaluation of a signature is terminated when this threshold is reached, and the Signature ID is written to the Hung Signature List. In addition, if a signature evaluation fails due to a runtime error, that Signature ID is written to the Problem Signature List. Guardian will not attempt to evaluate signatures in the Problem Signature List. For general instructions on setting Preferences, see Preferences. |
WARNING: | If a server is down when the evaluation is conducted, this can prevent some signatures from being detected. |
To evaluate a domain, do the following:
Use any of the following methods to select a domain and open the wizard:
Click the Bundle field for an entry to display a down-arrow icon at the far right of the field. Then click the arrow to open the Bundle drop down menu, and select a Signature Bundle. The default is Default Signatures.
In the Domain Credentials section, enter the following:
If you selected multiple domains, you must supply the login credentials for each domain before you can launch the evaluation.
Select this option if you want your login information to persist so that you do not have to enter it each time you evaluate this domain. This is especially useful if you routinely evaluate multiple domains concurrently. Usernames and passwords are encrypted when stored.
This is useful if you routinely perform this particular type of evaluation. To create a shortcut, select the Create Shortcut checkbox, and enter a brief name for the shortcut in the text field. For detailed instructions on creating, evaluating, and managing shortcuts, see the section entitled, Shortcuts.
This initiates the evaluation and displays an Evaluation Summary of the results in the Document Pane. In the Domain Explorer, the new Domain Inventory is added to the Inventory History folder, and the new Evaluation Summary is added to the Evaluation History folder. For a complete description of the Domain Explorer, see Domain Explorer in Reference.
A Snapshot Evaluation is a complete assessment of all of the configuration details for a specific domain, at the particular moment the evaluation is executed. The process for performing a Snapshot Evaluation is the same as for any other type of evaluation. The primary difference is in the type of Signature Bundle you select for the evaluation, and the type of information the evaluation collects and evaluates.
Note: | As with other evaluations, you can compare Snapshot Evaluations. Comparing two Snapshot Evaluations enables you to see very quickly the differences between configurations for those two domains. For instructions, see Compare Inventories or Evaluations. |
Note: | If a server is down when the evaluation is conducted, this can prevent some signatures from being detected. |
Caution: | Generating a Snapshot Evaluation of a large domain may consume a lot of memory, and take a long time to complete. |
To evaluate a snapshot of a domain configuration, do the following:
Click the Bundle field for an entry to display a down-arrow icon at the far right of the field. Then click the arrow to open the Bundle drop down menu, and select one of the following:
In the Domain Credentials section, enter the following:
This initiates the Snapshot Evaluation and displays an Evaluation Summary of the results in the Document Pane. In the Domain Explorer, the new Domain Inventory is added to the Inventory History folder, and the new Evaluation Summary is added to the Evaluation History folder.
You can compare inventories or evaluations from the same or different domains. Both objects must be of the same type—that is, two inventories or two evaluations. You cannot compare an inventory against an evaluation.
You can compare any two Evaluation Summaries. Comparing two Snapshot Evaluations is particularly useful, as a Snapshot Evaluation collects and evaluates all of the configuration data for the evaluated domain. Such a comparison enables you to see very quickly the differences between the configurations and their issues for those two domains.
To compare two Domain Inventories or Evaluation Summaries, do the following:
Click the Domain Explorer tab, or select Window > Show View > Domain Explorer.
Click on the first item to select it, and then Ctrl+click to select the second item.
Note: | The Compare option remains deactivated until two like items have been selected. |
Selecting Compare opens the Text Compare display in the Document Pane. The differences between the two documents are highlighted, and related segments are shown in boxed sections, with connectors indicating the relation.
For a description of the Text Compare View navigation controls and context menu, see Text Compare View in Reference.
You can export a Domain Inventory or Evaluation Summary report to a PDF or HTML file for external viewing or archiving.
To export a report, do the following:
The Domain Explorer contains two History folders:
Double-click on a report name to open the report and display it in the Document Pane.
This opens a standard Save As file browser.
For the Save as type: field, select one of the following from the drop-down menu:
This section provides instructions for the following tasks:
To display the Overview for a signature—also referred to as the Signature View—do the following:
This opens the Signature Explorer or Bundle Explorer, respectively. Signature Overviews are accessible only through these two Explorers.
This displays the overview for that signature in the Document Pane.
You can use Signature Filters to specify which signatures are to be displayed in the Signature Explorer, Bundle Explorer, and Evaluation Summaries.
To apply Signature Filters, do the following:
Click a radio button to specify Show or Hide for each filter. The Signature Filters are as follows:
Name — Filter according to name. Specify all or a portion of a signature name to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all signatures. The default is Show all (.*).
Severity — Filter according to severity. Click a checkbox to select/deselect a severity level. These are: Critical, Warning, and Information. The default is Show all (all selected).
Type — Filter annotated signatures according to Annotation Type. Click a checkbox to select/deselect a type. There are two Annotation Types: Flag and Ignore. The default is Hide signatures with an Annotation Type of Ignore. For more information on Annotation Types, see Signature Annotations in About Oracle Guardian.
Annotation Name — Filter annotated signatures according to Annotation Name. Specify all or a portion of an Annotation Name to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all annotated signatures. The default is Show all (.*).
Comment — Filter annotated signatures according to annotation comment. Specify all or a portion of a comment to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all signatures. The default is Show all (.*).
Domain — Filter annotated signatures in this domain, as specified above.
Evaluation — Filter annotated signatures in this Evaluation, as specified above.
This applies your filter specifications and returns to the Guardian main window.
You can sort the list of signatures displayed in the Signature Explorer, Bundle Explorer, and Evaluation Summaries.
There are two ways to sort signatures, depending on the context of the signature display:
The following sections describe each of these methods.
The signature lists are automatically reordered according to the selected category.
You can use the Sorting dialog box to sort signatures in the Detected Signatures table of an Evaluation Summary.
To specify your sort criteria, do the following:
This opens the Sorting dialog box for specifying the sort order.
There are four drop-down menus from which you can select a table field. The order in which you select the fields determines the hierarchy of the sort order. For each field, select one of the following:
This section provides instructions for the following tasks:
You can use the Annotations Wizard to create, edit, delete, and view signature annotations.
You can access the Annotations Wizard from the Signatures List in any of the following contexts:
To open the wizard, right-click on a signature title and select Annotations > Manage Annotations from the context menu.
To create an annotation and add it to a signature, do the following:
The contents of a Signatures List may vary according to the context in which it occurs. Signatures Lists can be found in the following locations:
Right-click on the signature title and select Annotations > Manage Annotations from the context menu.
This displays the Add dialog box.
Note: | This field is available only if you invoked the wizard from an Evaluation Summary. For all other contexts, the default applies (All Domains). |
Click the down-arrow next to the Apply to field to display a drop-down menu of Annotation Targets. Select one of the following:
This adds the new annotation to the Annotations list for the selected signature.
This returns to the Guardian main window. Note that a decoration has been added to the icon for the annotated signature.
To change an existing annotation, do the following:
Note: | If the signature is not included in the Signatures List(s), you may need to temporarily set one or more filter attributes to Show. For instructions, see Filter Signatures. |
Right-click on the title of the annotated signature and select Annotations > Manage Annotations from the context menu.
Note: | The Edit button will be greyed out (deactivated) until you select an annotation. |
This displays the Edit dialog box for the selected annotation.
This updates the Annotations list with your changes.
This updates the appropriate Signatures Lists and returns to the Guardian main window.
Note: | If you modified any filter settings in step 1, you can reset the filters to their original settings now. For instructions, see Filter Signatures. |
To delete an annotation, do the following:
Note: | If the signature is not included in the Signatures List(s), you may need to temporarily set one or more filter attributes to Show. For instructions, see Filter Signatures. |
Right-click on the title of an annotated signature and select Annotations > Manage Annotations from the context menu.
Note: | The Delete button remains deactivated until you select an annotation. |
This removes the annotation from the Annotations list for that signature.
This updates the appropriate Signatures Lists and returns to the Guardian main window.
Note: | If you modified any filter settings in step 1, you can reset the filters to their original settings now. For instructions, see Filter Signatures. |
You can view the annotations for a signature by selecting the signature and then opening the Annotations Wizard. The Annotations Wizard displays a table of all annotations for the selected signature.
You can access the Annotations Wizard from the Signatures List in any of the following contexts:
To open the wizard, right-click on a signature title and select Annotations > Manage Annotations from the context menu.
You can use Signature Filters to specify which signatures to display in the Signature Explorer, Bundle Explorer, and Evaluation Summaries. Some filters apply specifically to annotated signatures and their attributes.
This section provides instructions for applying filters to annotated signatures, only. For complete instructions on using Signature Filters, see Filter Signatures.
To apply Annotation Filters, do the following:
In the Signatures List, right-click on a signature name and select Filters... from the context menu.
Click a radio button to specify Show or Hide for each filter. The Signature Filters that apply to annotations are as follows:
Type — Filter annotated signatures according to Annotation Type. Click a checkbox to select/deselect a type. There are two Annotation Types: Flag and Ignore. The default is Hide signatures with an Annotation Type of Ignore.
Annotation Name — Filter annotated signatures according to Annotation Name. Specify all or a portion of an Annotation Name to use as the filter criteria. This can be a character string or a standard regular expression. Enter .* to filter all annotated signatures. The default is Show all (.*).
Comment — Filter annotated signatures according to annotation comment. Specify all or a portion of a comment to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all signatures. The default is Show all (.*).
This applies your filter specifications and returns to the Guardian main window.
This section provides instructions for the following tasks:
You can use the Bundle Explorer to view the available Signature Bundles and their contents. For a detailed description of the Bundle Explorer, see Bundle Explorer in Reference.
To display an overview of the contents of a Bundle, do the following:
Use the Bundle Evaluation Wizard to preselect a domain and Bundle for Evaluation, and then initiate the evaluation.
Note: | The evaluation of some signatures may hang the evaluation. To prevent this, open the Preferences page, and set the Guardian > Signature Evaluation Threshold parameter (in miliseconds). Then select the Enable Safe Evaluation checkbox. If enabled, the evaluation of a signature is terminated when this threshold is reached, and the Signature ID is written to the Hung Signature List. In addition, if a signature evaluation fails due to a runtime error, that Signature ID is written to the Problem Signature List. Guardian will not attempt to evaluate signatures in the Problem Signature List. For general instructions on setting Preferences, see Preferences. |
WARNING: | If a server is down when the evaluation is conducted, this can prevent some signatures from being detected. |
To open the Bundle Evaluation Wizard, do the following:
This opens a submenu containing a list of Bundles available for evaluation.
The Bundle Evaluation Wizard opens with the selected domain and Bundle preselected, just as if you had invoked a Shortcut.
In the Domain Credentials section, enter the following:
If you selected multiple domains, you must supply the login credentials for each domain before you can launch the Evaluation.
Select this option if you want your login information to persist so that you do not have to enter it each time you evaluate this domain. This is especially useful if you routinely evaluate multiple domains concurrently. Usernames and passwords are encrypted when stored.
This initiates the evaluation and displays an Evaluation Summary of the results in the Document Pane. In the Domain Explorer, the new Domain Inventory is added to the Inventory History folder, and the new Evaluation Summary is added to the Evaluation History folder.
This section provides instructions for the following tasks:
A Shortcut enables you to streamline the evaluation procedure by predefining and storing the domain, Signature Bundle, and other parameters for evaluations that you perform frequently. You can then evaluate the Shortcut, saving you the effort of re-entering the values each time you want to run the evaluation.
A Shortcut enables you to predefine the evaluation parameters for evaluations you perform frequently, saving you the effort of re-entering the values each time you run the evaluation.
There are two ways to create a Shortcut:
The following sections describe each of these procedures.
Use the Shortcut Wizard if you want to quickly create a Shortcut without evaluating the selected domain. However, you will not be able to enter and save the login credentials for the WebLogic Server Administrator or Monitor account. Consequently, you will need to enter these each time you evaluate the Shortcut. For instructions on storing the login credentials when creating a Shortcut, see Create Shortcut with Evaluation Wizard.
To use the Shortcut Wizard to create a Shortcut, do the following:
You can use any of the following methods to open the wizard:
Select a Signature Bundle from the Bundle field drop-down menu. This is the Bundle that will be evaluated against the specified domain when you evaluate the Shortcut. The default is Default Signatures.
This adds the new Shortcut to the Shortcuts Table and the Shortcut Explorer tree. For instructions on evaluating a Shortcut, see Evaluate Shortcut.
You can create a Shortcut by selecting the Save as Shortcut option when using the Evaluation Wizard to evaluate a domain. This method of creating a Shortcut enables you to enter and store the Administrator login credentials so that you need not enter them each time you evaluate the Shortcut.
To use the Evaluation Wizard to create a Shortcut, do the following:
You can use any of the following methods to open the wizard:
Select a Signature Bundle from the Bundle field drop-down menu. This is the bundle that will be evaluated against the specified domain when you evaluate the Shortcut. The default is Default Signatures.
Select this option if you want your login information to persist so that you do not have to enter it each time you evaluate this Shortcut. This is especially useful if you will be evaluating the Shortcut on a frequent basis. Usernames and passwords are encrypted when stored.
This adds the new Shortcut to the Shortcuts Table and the Shortcut Explorer tree. For instructions on evaluating a Shortcut, see Evaluate Shortcut.
A Shortcut enables you to predefine the evaluation parameters for evaluations you perform frequently, saving you the effort of re-entering the values each time you run the evaluation. To evaluate a Shortcut, use the Shortcut Evaluation Wizard.
To evaluate a Shortcut, do the following:
You can do this using any of the following methods:
The Shortcut Evaluation Wizard opens with the predefined values for the selected Shortcut displayed in the domain table. You can change the Bundle selection.
If you selected the Remember username/password option when you activated the domain or defined the Shortcut, the Username and Password fields are pre-filled. Otherwise, you must enter this information before launching the evaluation.
This launches the evaluation, and returns you to the Guardian main window when the evaluation completes. As with a standard evaluation, the Domain Explorer History folders are updated to include an entry for the resulting Domain Inventory and Evaluation Summary. The results of the evaluation are displayed in an Evaluation Summary Overview in the Document Pane.
You can use either of the following methods to delete a Shortcut:
This section provides instructions for the following tasks:
The Guardian Command Line Interface (CLI)—also referred to as Guardian Headless Mode—is a set of Guardian commands that you can issue directly from the operating system command prompt. There is a Guardian CLI command for each of the most common tasks you can perform using the Guardian User Interface. For a complete description of these commands and their syntax, see Command Line Interface in Reference.For instructions on starting the Command Line Interface, see the next section, Start Guardian Headless Mode.
To start the Guardian Command Line Interface, do the following:
Note: | Guardian Command Line Interface commands are case sensitive. |
<root>
is the parent directory for the Guardian installation directory.
Note: | Each command must include the prefix -g with no trailing space, as shown in the following example: |
Note: | guardianHeadless.cmd -glistActiveDomains |
The output file is created in your current directory, and is overwritten each time you run a Guardian Headless Mode command. For instructions on redirecting this to a different file, see Redirecting Guardian CLI Command Output.
For a complete description of Guardian Command Line Interface commands, their use, and syntax, see Command Line Interface in Reference.
Below are instructions for redirecting Guardian Headless Mode command output on Windows and Linux platforms, respectively.
On Windows, the command output is written to the following output file:
The output file is created in your current directory, and is overwritten each time you run a Guardian Headless Mode command.
On Windows, you can change the name of this file by editing the following line in the guardianHeadless.cmd
script:
guardian.exe -noSplash -application com.bea.support.guardian.ui.headless.Headless %command% %arg1% %val1% %arg2% %val2% %arg3% %val3% %arg4% %val4% %arg5% %val5% %arg6% %val6% %arg7% %val7% >
headless_output.txt 2>&1
Replace the string headless_output.txt at the end of this line with the new filename.
guardian.exe -noSplash -application com.bea.support.guardian.ui.headless.Headless %command% %arg1% %val1% %arg2% %val2% %arg3% %val3% %arg4% %val4% %arg5% %val5% %arg6% %val6% %arg7% %val7% >
MyOutputFile.txt
2>&1
On Linux, by default Guardian CLI command output is directed to stdout
and stderr
, and can be redirected in the usual manner by using the “pipe” (|
) operator. Please refer to your Linux operating system documentation for instructions.
You can create a Guardian Command Line script containing a series of Guardian Command Line Interface commands. You can schedule scripts to run at specified times and intervals by using utilities such as the Windows Task Scheduler or the Linux crontab
command.
For a complete description of Guardian Command Line Interface commands, their use, and syntax, see Command Line Interface in Reference.
To run a script, enter the following command at the operating system prompt:
<script_name>
is the path and name of your CLI script.
On Windows, the output for CLI commands is written to the following output file:
The output file is created in your current directory, and is overwritten each time you run a Guardian Headless Mode command. For instructions on redirecting command output, see Redirecting Guardian CLI Command Output.
For inventory and evaluation operations, the resulting Domain Inventory or Evaluation Summary document is saved in the appropriate History folder in your Guardian Workspace, and an entry is added to the appropriate History folder in the Domain Explorer tree. These can be viewed using the Domain Explorer, just as you would view any other Domain Inventory or Evaluation Summary document.
To view a Domain Inventory or Evaluation Summary document, do the following:
For a complete description of the Domain Explorer, see Domain Explorer in Reference.
To schedule a script to run automatically at a specified time, you can use utilities such as the Windows Task Scheduler or the Linux crontab
command. For instructions on scheduling scripts, see your operating system documentation.
To receive notification of detected signatures, create an evaluation script and use the Windows Task Scheduler or the Linux crontab
command to schedule the script to run at regular intervals. Each time the script runs, the signature.log
file in the Guardian installation directory is updated with an entry for each detected signature. You can the configure a third party management tool to scan the log for detected signatures, and notify you when one is found.
Each signature.log
entry starts with four number signs (####) and includes a timestamp for the entry. Each entry with a detected signature contains the label <detected>
and is followed by a brief description which is also surrounded by angle brackets. The description includes the domain name.
The following is a sample signature.log
file:
####<Tue Aug 01 16:03:47 EDT 2006> <0> <g-dev_slp7_7001> <un> <0> <000022> <not detected> <Signature 000022 (Rotational Upgrade may cause java.io.StreamCorruptedException) not detected by username un evaluating bundle ID 0 in domain ID g-dev_slp7_7001.>
####<Tue Aug 01 16:03:47 EDT 2006> <0> <g-dev_slp7_7001> <un> <0> <000027> <detected> <Signature 000027 (Native IO should be enabled in production mode for better performance) detected by username un evaluating bundle ID 0 in domain ID g-dev_slp7_7001.>
####<Tue Aug 01 16:03:47 EDT 2006> <0> <g-dev_slp7_7001> <un> <0> <000055> <not detected> <Signature 000055 (JDK 1.5 is not certified for WebLogic 8.1) not detected by username un evaluating bundle ID 0 in domain ID g-dev_slp7_7001.>
This section provides instructions for the following tasks:
The Oracle Guardian log files contain information that Oracle Customer Support can use to diagnose and resolve issues with your system.
The Guardian log files are as follows:
guardian.log
—This is located in the Guardian installation directory you specified during installation. This file contains information about every operation the Guardian application performs. signature.log
— This is located in the Guardian installation directory you specified during installation. This file contains information about each evaluation performed, including entries for all detected signatures. You can also use a command line script to automatically scan the signature.log
for detected signatures, and automatically notify you when new signatures are detected..log
— This is located in the .metadata
subdirectory of the Guardian Workspace directory you specified when starting Guardian. This file contains information about certain Guardian operations. install.log
— This is located in the ../configuration/org.eclipse.update
subdirectory of the Guardian installation directory you specified during installation. This contains Guardian installation details. Guardian crashes are extremely unlikely, since Guardian uses the Eclipse Rich Client Platform. If Guardian does crash, simply restart Guardian. No additional cleanup operations are required.
In the unlikely event of an exception, the recommended steps for resolving the issue are as follows:
Tip: | To save log files, copy them to another location so that the error is among the last entries in the log file, making it easier to identify. For the location of Guardian log files, see View Logfiles. |
This section provides instructions for the following task:
You can use the Service Request Wizard to create a service request archive based on a detected signature, and save the service request information as an archive file that you can send to Oracle Customer Support. Service request archives are stored as files with a .car
file name extension.
The wizard automatically creates the service request with all of the signature-specific information required for an Oracle support engineer to begin working on your service request upon receipt of the archive. You can also add any additional attachments and notes before sending the service request archive to Oracle.
To create service request, do the following:
Click on a signature entry to highlight it. This displays the Description and Remedy for the signature in the bottom portion of the Evaluation Summary display in the Document Pane.
Click the Get more help from Oracle support link at the bottom of the signature Remedy section to open the wizard. This automatically includes the signature contents in the new service request, and displays the first page of the Service Request Wizard, which is the Service Request Notes page.
In the Additional Service Request Notes field, enter any additional text that may be helpful to Oracle Customer Support in resolving your service request.
In the Domain Credentials section, enter the following:
If you selected multiple domains, you must supply the login credentials for each domain before you can launch the Evaluation.
Select this option if you want your login information to persist so that you do not have to enter it each time you submit a service request.
A Service Request Creation Complete dialog box displays the date, time, and location of the file.
This closes the wizard and returns to the Guardian main window.
This section provides instructions for the following tasks:
Note: | If you are using a proxy server for outbound Guardian communications, make sure that you have enabled and tested the outbound proxy connection. For instructions, see Enable and Test Outbound Proxy. |
To update Guardian, use the Update Wizard to download new Oracle Guardian software and signatures from the Oracle Guardian update site, http://guardian.bea.com/update
.
To update Guardian, do the following:
Use one of the following methods to open the wizard:
Select this option if you want your login information to persist so that you do not have to enter it each time you create a service request.
To select features, do the following:
Accept the terms in the license agreement to proceed with the installation.
Click Change Location to open a directory browser from which you can select the location. Click OK to enter your selection and close the browser. Click Next to proceed.
After the updates are installed, you are prompted as to whether to restart Guardian.
To update Guardian on servers that do not have Internet access, or to upgrade from Guardian 1.0.x to Guardian 1.1.0, you can perform a manual update. To do so, first automatically update Guardian on a server that has Internet access, and then copy the updated files to the server(s) without access.
Note: | To upgrade from Guardian 1.0.x to Guardian 1.1.0, you must perform a manual update. You cannot use the Update Wizard to upgrade in this case. However, to upgrade from Guardian 1.1.x to Guardian 10g R3 (10.3.1), you can still use the Update Wizard. |
WARNING: | If you are upgrading from Guardian 1.0.x to Guardian 1.1.0 and want to preserve your Guardian Registry, you must first back up and then manually update the Guardian Registry. For instructions, see Manually Update Guardian Registry. Please also refer to the Guardian 1.1 Installation Guide and Guardian 1.1 Release Notes for additional important information. |
To manually update Guardian, do the following;
For instructions, see Automatically Update Guardian.
Select File > Exit from the titlebar menu.
Copy the following directory and all of its contents from the updated server to the offline server(s) you want to update, overwriting the old contents:
<..>\guardian\repository\archives
<..
> is the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian
.
Note: | If you only want to update the Guardian Signatures Repository but not the Guardian application itself, you can skip the remainder of these steps. |
The Signature Features directories are kept in the following directory:
<..
> is the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian
.
The Signature Features directories are named according to the following convention:
com.bea.guardian.feature.signature.weblogic_<
old_version
>
<
old_version
>
is the old signature release version.
..\guardian\features\com.bea.guardian.feature.signature.weblogic_1.0.42
Copy the following directory and all of its contents from the updated machine to the offline server(s):
..\guardian\features\com.bea
.guardian.feature.signature.weblogic_<CurVersion>
<..
> is the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian
.
<
CurVersion
>
is the most current signature release version.
The Signature Plug-ins JAR files reside in the following directory:
<..
> is the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian
.
The files are named according to the following convention:
com.bea.guardian.signature.weblogic_<
old_version
>
<
old_version
>
is the old signature release version.
Copy the following file from the updated machine to the offline server(s):
..\guardian\plugins\com.bea
.guardian.signature.weblogic_<CurVersion>
<..
> is the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian
.
<
CurVersion
>
is the most current signature release version.
If you are upgrading from Guardian 1.0.x to Guardian 1.1, you must manually update the Guardian Registry. For instructions, please see the Guardian 1.1 Installation Guide and the Guardian 1.1 Release Notes.
You can use the Product Configuration page to check the current configuration for a Guardian installation. This is especially useful if you have manually updated Guardian and want to check that the update was completed correctly.
To check the current Guardian configuration, do the following: