Oracle® Guardian User's Guide 10.3.2 Part Number E15055-01
This chapter provides an overview of Guardian components, features, and key concepts. Also provided are basic instructions for using and navigating the Guardian User Interface and Online Help System. Topics include the following:
Guardian is a diagnostic tool for identifying potential problems in your environment before they occur, and provides specific instructions for resolving them. Guardian is like having the entire Oracle Support Team scrutinize your domain and immediately present their findings and recommendations to you, at your convenience.
Guardian can run on Windows or Linux systems that have Java Version 5 or higher installed. Guardian can evaluate any platform based on WebLogic Server version 8.1 and higher, regardless of the operating system on which it is running.
To use Guardian, you must first activate one or more domains in Guardian. A domain is a logically related group of WebLogic Server resources that you manage as a unit. Activating a domain enables it for Guardian evaluation. You can also organize multiple domains into domain groups. Then, select one or more domains, select a signature bundle, and launch an evaluation. Guardian then proceeds to evaluate the Signature Bundle against the specified domains, and generates a detailed report of potential issues and their remedies. You can then review the report and decide how to proceed.
See Section 1.5, "Key Concepts," for a description of fundamental Guardian concepts. See Section 2.1, "Basic Tasks," for a description of and instructions for basic Guardian tasks.
The following section provides an overview and basic navigation instructions for the Guardian User Interface.
This section provides an overview and basic navigation instructions for the Guardian User Interface. See Chapter 3, "Command Reference," for a complete, detailed description of all interface components. See Chapter 2, "Tasks," for detailed instructions for specific Guardian tasks.
In general, you will use the Guardian User Interface to perform the majority of Guardian tasks and activities. For some highly repetitive or complex tasks—for example, activating multiple Guardian domains in multiple Guardian instances—you may want to create a Guardian Command Line Interface (CLI) script to automate a series of tasks. See Section 2.13, "Command Line Interface," for basic instructions on using the CLI. See Section 3.8, "Command Line Interface," for a detailed description of all CLI commands, use, and syntax.
The following sections summarize each of the following elements:
See Chapter 3, "Command Reference," for a complete detailed description of the Guardian User Interface.
The Main Menu Bar is at the top of the Oracle Guardian main window just below the Oracle Guardian title bar. The Menu Bar contains the following menus:
File Menu — Use this to launch one of the Guardian wizards for activating domains, performing an inventory, or conducting an evaluation. For details about this menu, see Section 3.1.2, "File Menu."
Tools Menu — Use this to modify, deactivate, or remove domains from Guardian. For details about this menu, see Section 3.1.4, "Tools Menu."
Window Menu — Use this to open one of the Guardian explorers or to set display preferences. For details about this menu, see Section 3.1.5, "Window Menu."
Help Menu — Use this to display Guardian online help. For details about this menu, see Section 1.3, "Guardian Online Help System," and Section 3.1.6, "Help Menu."
The Menu Bar menus in turn contain a series of options and submenus, some of which also lead to additional menus, dialog boxes, or wizards.
The Main Toolbar is located below the Main Menu, and contains action buttons for the most common Guardian tasks. To identify a button, move your mouse pointer over the button; this displays the tool tip text for that button.
For details about each of the Main Toolbar buttons, see Section 3.2, "Main Toolbar."
Many views and displays contain context menus. Right-click on an item or anywhere in a display to open the associated context menu. See Section 3.2.1, "Context Menus," for a complete description of context menus.
The Navigation Pane resides in the left side of the Oracle Guardian main window. The Navigation Pane contains several tabs leading to Explorer Views. You can have multiple Views open at once, but only one can be displayed at a time. Click on a tab to display an Explorer view.
At the top of the Navigation Pane are the Explorer View tabs. Select a tab to display that View. See Section 3.3.1.1, "Explorer Views," for a description of the Navigation Pane Explorer Views.
Below each Explorer title bar is the Explorer toolbar. The icons that may be displayed in this toolbar are listed in Section 3.3.1.2, "Explorer Toolbar Icons."
The Domain Explorer, Signature Explorer, and Bundle Explorer each contain a Menu icon in the right corner of the toolbar. Click the Menu icon to display a menu of operations for that Explorer. For a description of each of the Explorer menus, see Section 3.3.1.3, "Explorer Toolbar Menus."
Right-click in an Explorer View to display the context menu of tasks and operations you can perform from that View. You can also right-click on a specific item to select it and open the context menu for that item. Menu options that do not apply to your selection are deactivated (greyed out).
See Section 3.3.1.4, "Explorer Context Menus," for a complete description.
The Document Pane is located in the central portion of the Oracle Guardian main window. The Document Pane displays the following views:
Active Domains Table — Lists all domains currently activated in Guardian and a set of action buttons for tasks that can be performed with those domains.
Domain Inventory — Displays details for an inventory, which includes descriptions of your servers, Java Virtual Machines, operating systems, databases, product versions, and certain configuration settings.
Evaluation Summary View — Contains a table of all detected signatures for the evaluated domain.
Shortcuts Table — Lists all shortcuts, and provides action buttons for creating or removing shortcuts.
Signature View — When you double click a signature entry in the Signature Explorer or Bundle Explorer, details about the signature are displayed in this view.
Signature Bundle View — When you double click a Bundle node in the Bundle Explorer, details about the Bundle are displayed in this view.
Note:
You can have multiple Views open in the Document Pane, but only one can be active at a time.
For details about the Document Pane, see Section 3.4.1, "Document Views."
Each View has a title bar that contains the name of the View, an identity icon, and buttons to close, minimize, maximize, and restore the display.
You can also use Document View title bars to group multiple Views together on a title bar as a tab group. Tab groups can be moved together as a unit, using either the System Menu > Move menu option or drop cursors. You can also move Views by dragging their title bars to different locations.
See Section 3.4.3, "Document View Title Bars," for a complete description of title bar features.
Oracle Guardian provides several wizards for guiding you through some of the more complex or common Guardian tasks, including the following:
Table 1-1 summarizes each of the Guardian wizards. For more details, including how to invoke them, see Section 3.6, "Wizards."
Table 1-1 Guardian Wizards
The following wizard . . . | . . . is used for . . . |
---|---|
Annotations Wizard | Creating, editing, deleting, and viewing signature annotations. |
Bundle Evaluation Wizard | Preselecting a domain and Bundle for Evaluation, and then initiating the evaluation. |
Domain Activation Wizard | Preparing a domain for evaluation and conducting an initial inventory of the domain configuration. |
Domain Deactivation Wizard | Making a domain no longer available for evaluation. Any shortcuts that use the domain are removed from the Shortcuts Table and Shortcut Explorer. The Domain Inventory and Evaluation Summary data for a domain persists after its deactivation, but is not available for viewing in Domain Explorer. |
Evaluation Wizard | Launching an evaluation of one or more domains, during which Guardian evaluates a Signature Bundle against the specified domains and generates a detailed report of potential issues and their remedies. |
Filters Wizard | Specifying the signatures that are to be displayed in the Signature Explorer, Bundle Explorer, and Evaluation Summaries. |
Inventory Wizard | Conducting an assessment of your current domain environment. The results are displayed in a Domain Inventory Overview in the Document Pane. The inventory is also added to the Inventory History folder in the Domain Explorer. |
Shortcut Wizard | Creating a shortcut that contains predefined evaluation parameters for evaluations you perform frequently, saving you the effort of re-entering the values each time you run the evaluation. |
Shortcut Evaluation Wizard | Conducting an evaluation that has its parameters defined by a shortcut that you have created using the Shortcut Wizard. |
Service Request Wizard | Creating a service request archive based on a detected signature and saving the service request information as an archive file, which you can send to My Oracle Support. |
Update Wizard | Downloading new Oracle Guardian software and signatures from My Oracle Support. |
The Guardian Online Help system has the following structure:
About Oracle Guardian — This section provides an overview of Guardian components, features, and key concepts. Also provided are basic instructions for using and navigating the Guardian User Interface and Online Help System.
Tasks — This section provides detailed instructions for Guardian tasks and procedures. Tasks are categorized according to the component or feature to which they apply. The Tasks Help folder contains a number of subfolders, one for each task category. Expand a category folder to see the tasks relating to that topic.
Command Reference — This section provides a detailed description of the Guardian User Interface components and features, and a detailed reference guide to the Guardian Command Line Interface.
The Guardian Command Line Interface (CLI) is a command interpreter that is a .cmd batch file for Windows, and a .sh shell script for Linux. Both the Windows batch file and the Linux shell script are wrappers that accumulate and organize arguments to the Java command. You can invoke the CLI from a Windows Command Prompt window or a Linux terminal window.
See Section 2.13, "Command Line Interface," for basic instructions on using the CLI. See Section 3.8, "Command Line Interface," for a detailed description of all CLI commands, use, and syntax.
This section provides an overview of Guardian components, features, and key concepts. These include:
The Guardian Agent is a lightweight web application that gathers the data used for evaluations.
The Guardian Agent can collect the following data:
JMX data
Java system properties
Database metadata for your JDBC connection pools
J2EE Deployment Descriptors from WebLogic instances
JRockit JMAPI data
JRockit Runtime Analyzer data
JRockit thread dump data
PKI certificate expiration dates
If you have one or more managed servers in a domain, the Guardian Agent spawns the appropriate number of threads for communicating between the Guardian Agent on the WebLogic Administration Server, and the Guardian Agent running on the Managed Servers.
An excessive number of threads can affect the performance of the Administration Server, so Guardian provides performance tuning capabilities by enabling you to specify the maximum number of Agent threads that can be spawned. In addition, in order to manage Agent resources on both the Administration and Managed Servers, you can specify the maximum amount of time (in seconds) that can elapse before a thread is terminated.
See Section 2.2.2, "Tune Maximum Agent Threads," and Section 2.2.3, "Tune Agent Thread Timeout," for instructions.
The Guardian Workspace is the directory in which all of your Guardian data is stored. It includes the following data for each domain you have defined in Guardian:
Preferences
Domain Inventories
Evaluation Summaries
When you invoke Guardian, you are prompted to select a location for your Guardian Workspace. To prevent loss of work when Guardian is updated or uninstalled, select a Workspace location outside of the Guardian installation directory (see Section 2.3.1, "Select Workspace"). You can also safely back up your Workspace data by exporting your Workspace to a file also located outside of your Guardian installation directory. See Section 2.3.2, "Export Workspace," for instructions.
Although the documents in the Guardian Workspace are persisted as XML files, they are best viewed through the Guardian User Interface. The Guardian User Interface provides a number of tools for viewing, managing, and processing your data, as well as better protection against unintended edits or deletions. See Section 1.2, "Guardian User Interface," for basic instructions on using the interface. See Chapter 3, "Command Reference," for a detailed description of Guardian User Interface components and features. See Chapter 2, "Tasks," for detailed instructions for using the interface to perform specific Guardian tasks.
The Guardian registry is an XML document in which your Oracle Guardian configuration specifications are maintained. The Guardian Registry is created during product installation and is updated whenever you modify your configuration or perform certain Guardian operations.
The Guardian Registry identifies the following:
The domains you have activated
The Signature Bundles available for evaluation
The shortcuts you have defined
Your Guardian workspace locations
A domain is a logically related group of WebLogic Server resources that are managed as a unit. A domain always includes at least one WebLogic Server instance called the Administration Server. The Administration Server acts as a central point of contact for server instances and system administration tools. A domain may also include additional WebLogic Server instances called Managed Servers.
Each Oracle Guardian installation maintains a registry of active domains. A domain is considered active when it is capable of being evaluated. You can activate and deactivate domains at will, and select which to evaluate at any given time.
See Section 2.5, "Domains," for more information.
A domain node represents a domain that has been defined in Guardian. When you activate a domain for the first time in Guardian, a node for the new domain is added to the Target Domains folder in the Domain Explorer tree. A unique name is automatically generated for the new domain, based upon your entries in the Domain Activation Wizard.
Note:
In the Command Line Interface, the domain node name is referred to as the domainId for the domain.
The Domain Explorer displays only the active domain nodes. An active domain is a domain that has been activated (defined for evaluation) in Guardian. This does not refer to the state of the domain servers. If you deactivate a domain in Guardian, that domain is removed from the Domain Explorer tree. However, if you reactivate the domain, the node for that domain is again displayed, and the original contents of the History folders are also again available. Deactivating a domain does not remove the Workspace data for that domain.
See Section 3.3.2.1, "Domain Nodes," for more information.
You can organize the domains in Guardian into Domain Groups for easier management.
See Section 2.6, "Domain Groups," for instructions on creating and managing Domain Groups.
A Domain Inventory is an XML document that describes the products in a Guardian domain. The inventory includes descriptions of your servers, Java Virtual Machines, operating systems, and databases. The descriptions include product versions as well as some configuration settings.
A Domain Inventory is created when you activate or evaluate a domain. The Inventory History is also refreshed each time a domain is evaluated. You can use the Domain Inventory Wizard in the Guardian User Interface to define and generate a new Domain Inventory.
Domain Inventory files are stored and maintained in your Guardian Workspace. You can use the Domain Explorer in the Guardian User Interface to view and manage Domain Inventories.
Oracle Support has identified patterns in user domains that can cause problems. These patterns are described in XML documents called signatures.
Signatures describe potential problems based on information about your Oracle WebLogic Servers and the environment in which they are deployed, including Java Virtual Machines (JVMs), operating systems, and databases. Signatures contain logic that can identify specific versions of these products as well as their configuration settings.
In addition to the potential problem description, signatures also contain a remedy recommendation and a severity level: 1-Critical, 2-Warning, or 3-Info.
To detect which signatures apply to your domain, you conduct an evaluation. When the evaluation is complete, the results are displayed in an Evaluation Summary. The Evaluation Summary lists all of the detected signatures, along with the severity level, description, and recommended remedy for each.
Signatures form a primary component of Oracle Guardian, since they contain the distilled knowledge of Oracle Support for both detecting potential problems and resolving them.
A Signature Bundle is a group of signatures that are evaluated together against one or more specified domains. Signatures are grouped into bundles based on their characteristics. For example, the Security Advisories bundle contains signatures that detect potential security problems for which Oracle has issued Security Advisories. The Service Pack Remedy bundle contains signatures whose resolution requires installation of a specific service pack.
You can select the bundle to evaluate against one or more domains. Bundles determine the signatures—and consequently, the potential issues—for which to search. The domains you specify determine where to search.
You can use the Bundle Explorer Navigator view to browse the available Signature Bundles and their contents.
See Section 2.11, "Bundles," for instructions about using Bundles. See Section 3.3.4, "Bundle Explorer," for details.
Signature Annotations enable you to tag a detected signature with one or more persistent annotations about that signature.
An annotation contains the following information:
Type — This indicates the Annotation Type. There are two types: Ignore and Flag.
Name — (Optional) This is a text field into which you can enter a short name for this annotation.
Comment — This is a text field into which you can enter comments or other notes about the signature.
Timestamp — This records the date and time the annotation was created.
Domains — This specifies the Annotation Target for this annotation for this signature. This can be All Domains, This Domain, or This Evaluation.
Evaluations — (Automatic) This specifies one or more Evaluations to which this annotation applies for this signature.
You can use the Annotations Wizard to create, edit, and delete annotations. See Section 2.10, "Signature Annotations," for instructions. See Section 3.6.2, "Annotations Wizard," for details.
In addition, you can use Signature Filters to specify which annotated signatures are to be displayed in the Signature Explorer, Bundle Explorer, and Evaluation Summaries. See Section 2.10.5, "Filter Annotated Signatures," for instructions. See Section 2.9.2, "Filter Signatures," for complete instructions on using filters.
To detect which signatures apply to your domain, you conduct an evaluation. When the evaluation is complete, the results are displayed in an Evaluation Summary. The Evaluation Summary lists all of the detected signatures, along with the severity level, description, and recommended remedy for each.
See Section 2.8, "Inventories and Evaluations," for more information.
A Snapshot Evaluation is a complete assessment of all of the configuration details for a specific domain, at the particular moment the evaluation is executed.
You can compare two Snapshot Evaluations to see very quickly the differences between configurations for two domains, or the same domain at different points in its history.
See Section 2.8.5, "Compare Inventories or Evaluations," for instructions.
The results of an evaluation are displayed in an Evaluation Summary. The Evaluation Summary lists all of the signatures from the specified bundle that were detected for the evaluated domain, along with the severity level, description, and recommended remedy for each signature.
The Signature Repository contains the locally persisted store of signatures available for evaluation. When you download signatures from the Guardian update site, they arrive in a Java Archive (JAR) file. The JAR file is stored in the repository/archives directory of your Guardian installation directory.
A Shortcut enables you to streamline the evaluation procedure by predefining and storing the domain, Signature Bundle, and other parameters for evaluations that you perform frequently. You can then evaluate the Shortcut, saving you the effort of re-entering the parameter values each time you want to run the evaluation.
A service request archive is a file that you create that can optionally be included with technical questions or issues that you send to My Oracle Support. Customers with a support contract can open a service request on the My Oracle Support website at http://www.oracle.com/support/premier/myoraclesupport.html.
When you conduct an evaluation that detects a signature, you can create a service request archive directly from a selected signature in an Evaluation Summary. Guardian creates and saves the service request archive, which you can optionally send to Oracle Support. Service request archives include all of the information from the signature and are stored as files with the file name extension .car. This enables an Oracle support engineer to begin working on your service request upon receipt of the archive. You can also add any additional attachments and notes before sending the service request archive to Oracle.
To learn more about My Oracle Support and service requests, see the My Oracle Support Getting Started Guide, available at https://metalink.oracle.com/cgi-bin/cr/getfile.cgi?p_attid=735496.1:doc.
This section includes the following topics:
To safeguard your domains, Guardian requires valid login credentials for all communications between Guardian and your Guardian domains. Whenever you conduct an evaluation or activate a domain, Guardian prompts you for the username and password of an Administrator or Monitor account on the target domain. You can choose to store the username and password so you do not have to enter them for every evaluation. All usernames, passwords, and server names persisted on disk are encrypted.
Any passwords, usernames, or server names persisted on disk are encrypted. This encryption helps prevent the disclosure of any clear text data that could compromise the security of your domain. SSL encryption is available for communication between Guardian and your domains and between Guardian and Oracle. Guardian uses 128 bit open source encryption for SSL. However, the configuration on the server for the domain determines whether or not Guardian will use 128 bit SSL encryption when activating that domain.
Note:
Oracle recommends using SSL encryption for communication between the client and the Guardian Agent.
Secure Sockets Layer (SSL) encryption is available for all communication with Oracle over the Internet, and all communication with Guardian Agents in your target domains.
Note:
Oracle recommends using SSL encryption for communication between the client and the Guardian Agent. Guardian uses 128 bit open source encryption for SSL. However, the configuration on the server for the domain determines whether or not Guardian will use 128 bit SSL encryption when activating that domain.
If you want to use SSL, there are three types of communication to consider:
Target domain communication - To use SSL encryption for communications between Oracle Guardian and your target domains, select the https:// communications protocol option in the Domain Activation Wizard. See Section 2.5.1, "Activate Domain," for instructions.
Signature downloads - To use SSL encryption when downloading signatures from Oracle Support, select Require SSL in the Guardian Preferences page. See Section 2.4, "Preferences," for instructions about configuring your Guardian preferences.
There are many ways to configure and use Guardian to diagnose the health of your domains. However, there are four essential tasks that can be considered the primary functions of Guardian. These are as follows:
The following sections provide a brief description of each of these tasks. See Chapter 2, "Tasks," for a complete description of all Guardian tasks and procedures.
Activating a domain prepares the domain for evaluation and conducts an initial inventory of the domain configuration.
To activate a domain, use the Domain Activation Wizard. See Section 2.5.1, "Activate Domain," for instructions.
A Domain Inventory is a snapshot of all of the configuration details for a domain as it exists at that moment. The results are displayed in a Domain Inventory Overview in the Document Pane. The inventory is also added to the Inventory History folder in the Domain Explorer. Domain Inventories are also generated automatically whenever you activate or evaluate domains.
To inventory a domain, use the Inventory Wizard. See Section 2.8.1, "Inventory Domain," for instructions.
To detect which signatures apply to your domain, you conduct an evaluation. Guardian collects data about your domain environment, and identifies which signatures apply to the domain. When the evaluation is complete, the results are displayed in an Evaluation Summary. The Evaluation Summary lists all of the detected signatures, along with the severity level, description, and recommended remedy for each.
You can review the Evaluation Summary to determine your response to any signatures that are detected. If you need more help resolving the potential problem identified by the signature, you can use Guardian to create an Oracle service request archive.
See Section 2.8.3, "Evaluate Domain," for instructions on conducting evaluations.
Oracle Support Engineers create new signatures every day, and new application enhancements to Guardian are also periodically released. The Guardian Update feature enables Guardian to connect directly to the Guardian Update site to automatically download and install new signatures and product updates. To update Guardian on servers that do not have Internet access, you can perform a manual update.
See Section 2.18, "Updates and Upgrades," for instructions about performing both automatic and manual updates.
The following scenarios are examples of some of the different ways you can use Guardian to find problems before they impact your environment.
As you develop an application and migrate from development to quality assurance to production, you can run an evaluation at each stage. Guardian will help ensure that each phase of your development process is compliant with Oracle best practices.
Some signatures are designed to evaluate runtime domain settings. Running an evaluation under heavy load can detect potential problems that would not otherwise be detected. Oracle recommends conducting these evaluations during load and performance testing.
After you update an existing application, you can run an evaluation to assess the deployment. Guardian will help you find any potential problems that could impact your upgrade.
After you install a new Oracle patch, service pack, or upgrade, or install or upgrade third party software, you can run an evaluation to identify any new issues that may have been introduced.
If Guardian earlier detected a signature, and you subsequently applied the remedy or made other changes to your system, you can run an evaluation to confirm that the signature is no longer detected and no new issues were introduced.
If you made changes to your domain configuration or settings, you can run an evaluation to confirm that the result is compliant with Oracle best practices.
If you are concerned about domain settings being incorrectly changed overnight, or your domain is approaching certain resource limits, you can schedule evaluations to run overnight. You can review the Evaluation Summary in the morning and decide if any detected signatures merit further investigation.
Guardian evaluations are designed to have as minimal an impact on throughput and CPU usage as possible. If your domain has extra capacity, you can schedule Guardian to run evaluations at regular intervals; for example, every 15 minutes. Then, if any changes are made or certain thresholds are reached, you can be notified quickly.
If you notice a problem on your domain, you can run an evaluation. Even if an earlier evaluation detected no signatures, something may have changed since that time to cause the new problem. Guardian can be your first line of defense in diagnosing and repairing domain problems.
Supported Targets are the environments that Oracle Guardian can target for evaluations.
Basically, Guardian can target any platform for evaluation that allows it to install and communicate with the Guardian Agent. In addition, the Guardian Agent itself must have access to a specific set of Java system information properties and methods that are managed by WebLogic Server MBeans. The Oracle products capable of supporting these operations are based on WebLogic Server versions 8.1 and above. Because some Oracle products supported by Guardian contain configuration data that is not managed by WebLogic Server MBeans, Guardian can provide only partial support for those products.
Table 1-2 identifies the Oracle product versions that are fully supported by Oracle Guardian.
Note:
For the most current information on Supported Oracle product versions, see the Oracle Guardian Installation Guide.
Table 1-2 Oracle Product Versions Fully Supported by Oracle Guardian
Oracle Product | Versions |
---|---|
WebLogic Server | 8.1 and above |
WebLogic Virtual Edition | 1.1 |
Oracle JRockit JDK | Java Version 5 (Version 1.5) and above |
Table 1-3 identifies the Oracle product versions for which support by Oracle Guardian is limited to the configuration data that is managed by WebLogic Server MBeans.
Table 1-3 Oracle Product Versions Partially Supported by Oracle Guardian
Oracle Product | Versions |
---|---|
AquaLogic Data Services Platform | 2.0 and above |
AquaLogic Service Bus | 2.1 and above |
WebLogic Communications Platform SIP Server | 3.0 and above |
WebLogic Integration | 8.1 and above |
WebLogic Platform | 8.1 and above |
WebLogic Portal | 8.1 and above |
WebLogic RFID Enterprise Server | 1.1 2.0 |