| Oracle® Guardian User's Guide 10.3.2 Part Number E15055-01 |
|
|
View PDF |
| Oracle® Guardian User's Guide 10.3.2 Part Number E15055-01 |
|
|
View PDF |
This chapter provides detailed instructions for using and managing the following Guardian features and components:
There are many ways to configure and use Guardian to diagnose the health of your domains. However, there are four essential tasks that can be considered the primary functions of Guardian. These are as follows:
Activate Domain — Activating a domain prepares the domain for evaluation and conducts an initial inventory of the domain configuration. To activate a domain, use the Domain Activation Wizard.
Inventory Domain — A Domain Inventory is an assessment of your current domain environment. The results are displayed in a Domain Inventory Overview in the Document Pane. The inventory is also added to the Inventory History folder in the Domain Explorer. Domain Inventories are also created automatically whenever you activate or evaluate domains. To inventory a domain, use the Inventory Wizard.
Evaluate Domain — To detect which signatures apply to your domain, you conduct an evaluation. Guardian collects data about your domain environment, and identifies which signatures apply to the domain.When the evaluation is complete, the results are displayed in an Evaluation Summary in the Document Pane. The Evaluation Summary lists all of the detected signatures, along with the severity level, description, and recommended remedy for each. You can review the Evaluation Summary to determine your response to any signatures that are detected. If you need more help resolving the potential problem the signature identified, you can use Guardian to create and submit an Oracle service request.
Updates and Upgrades — Oracle Support Engineers create new signatures every day, and application enhancements to Guardian are also periodically released. The Guardian Update feature enables Guardian to connect directly to the Guardian Update Site to automatically download and install new signatures and product updates. To update Guardian on servers without Internet access, you can perform a manual update.
There are numerous other Guardian tasks and activities, which are categorized according to the following topics:
The following sections provide detailed instructions for performing the tasks in each of these categories.
This section explains how to perform the following tasks:
The steps you take to deploy the Guardian Agent depend on the version of WebLogic Server you are running, as follows:
If you are using WebLogic Server version 10.0 or later, the Guardian Agent is already installed and ready for on-demand deployment. Complete the steps described in Section 2.2.1.1, "Enabling Automatic Deployment," to deploy the Guardian Agent on all server instances in your WebLogic domain.
If you are using WebLogic Server version 9.x or earlier, you need to manually deploy the Guardian Agent on all server instances in your domain. Complete the steps described in the following sections:
Note the following:
If you are upgrading from Guardian version 1.0.7 or later, you need to install the new Guardian Agent in the WL_HOME/server/lib directory before you can deploy the Guardian Agent, as explained in the sections that follow.
If you are upgrading from a release of Guardian prior to version 1.0.7, and you are running Guardian on WebLogic Server 9.x or earlier, you might not be able to activate domains in Guardian until you manually deploy the new Guardian Agent in WebLogic Server. To do this, you must first undeploy the old Guardian Agent, and then deploy and start the new Agent.
To enable deployment, which causes the Guardian Agent to be automatically deployed when servers are started in the domain, complete the following steps:
Start the WebLogic Server Administration Console, and click Domain > Configuration > General > Enable Oracle Guardian Agent.
If you are upgrading from Guardian version 1.0.7 or later, install the new Guardian Agent by copying the WAR file named bea-guardian-agent.war from the following directory:
<root>\guardian\plugins\com.bea.guardian.agent.weblogic_<guard-version>\weblogic9>
In the preceding directory path name:
<root> represents the parent directory for the Guardian installation. For example, C:\Program Files.
<guard-version> represents the current (updated) Guardian version.
You then insert the copy of the bea-guardian-agent.war file into the WL_HOME/server/lib directory.
Caution:
Do not change the name of the Guardian Agent WAR file when deploying it. Be sure to retain the name
bea-guardian-agent.war.Restart WebLogic Server.
For complete instructions on installing an enterprise application and enabling automatic deployment, see the Oracle WebLogic Server Administration Console Online Help.
Note:
If you want to deploy the Guardian Agent to multiple servers or multiple domains, you can also use a WebLogic Scripting Tool script to automate this task. For complete instructions on using the WebLogic Scripting tool to deploy applications, see Oracle WebLogic Scripting ToolYou can use the WebLogic Server Administration Console to manually deploy the Guardian Agent on that server. This section provides a summary of the basic steps required for WebLogic Server versions 9.x and earlier. For complete instructions for your specific version of WebLogic Server, please see your WebLogic Server documentation and the Oracle WebLogic Server Administration Console Online Help. Also see the Oracle Guardian Installation Guide and the Oracle Guardian Release Notes for additional important information.
To deploy the Guardian Agent from the WebLogic Server Administration Console, complete the following steps:
Start the WebLogic Administration Console, and select Lock & Edit in the left pane.
Caution:
Make sure that Lock & Edit is selected for each of the following procedures.Note:
For detailed instructions about this procedure, see "Delete an Enterprise Application" in Oracle WebLogic Server Administration Console Online Help.If you have an existing Guardian Agent deployment, stop it, delete it from WebLogic Server, and activate your changes.
By default, the Guardian Agent is named bea-guardian-agent.war.
Note:
For detailed instructions about this procedure, see the following topics in Oracle WebLogic Server Administration Console Online Help:"Start and stop a deployed Enterprise Application"
"Delete an Enterprise Application"
Install the new Guardian Agent in the WL_HOME/server/lib directory and activate your changes.
The Guardian Agent is a WAR file named bea-guardian-agent.war and is located in the following directory:
<root>\guardian\plugins\com.bea.guardian.agent.weblogic_<guard-version>\weblogic<wls-version>
In the preceding directory name:
<root> represents the parent directory for the Guardian installation. For example:
C:\\Program Files
<guard-version> represents the current (updated) Guardian version.
<wls-version> represents the version of WebLogic Server in which you are deploying this Agent.
Caution:
Do not change the name of the Guardian Agent WAR file when deploying it. Be sure to retain the namebea-guardian-agent.war.If you are installing the Agent on WebLogic 8.1.x, copy the bea-guardian-agent.war file located in the Guardian ..\weblogic8 installation directory into the WL_HOME/server/lib directory. For WebLogic Server 9.x and 10.0, copy the bea-guardian-agent.war file located in the Guardian ..\weblogic9 installation directory into the WL_HOME/server/lib directory.
Note:
For detailed instructions about this procedure, see "Install an Enterprise Application" in Oracle WebLogic Server Administration Console Online Help.Start the new Guardian Agent in the WebLogic Server.
Note:
For detailed instructions about this procedure, see "Start and stop a deployed Enterprise Application" in Oracle WebLogic Server Administration Console Online Help.Start Guardian and activate the appropriate domains in Guardian.
Note:
See Section 2.5.1, "Activate Domain," for detailed instructions about this procedure.You can now use Guardian to evaluate the activated domains in your environment.
If you need to deploy the Guardian Agent on multiple servers in a cluster environment using WebLogic Server version 9.x or earlier, you can use the weblogic.Deployer utility to automate this task. (If you are using WebLogic Server version 10.0 or later, see Section 2.2.1.1, "Enabling Automatic Deployment.") You can also use the Oracle WebLogic Scripting Tool (WLST) to deploy the Agent on multiple servers or multiple domains. This section provides basic instructions for using the weblogic.Deployer utility for this purpose. For instructions on using WLST, see Oracle WebLogic Scripting Tool.
Note:
Please also see the Oracle Guardian Installation Guide and Oracle Guardian Release Notes for additional important information.Caution:
Do not change the name of the Guardian Agent when deploying it. Be sure to use the default name,bea-guardian-agent.war.To use the weblogic.Deployer utility to deploy the Guardian Agent on multiple servers, complete the following steps:
Set up your environment to use the weblogic.Deployer utility.
For detailed instructions, see "Required Environment for weblogic.Deployer" in Deploying Applications to Oracle WebLogic Server.
From a command window, enter the following command:
java weblogic.Deployer -debug -adminurl http://admin_url:port -username username -password password –targets adminserver,cluster1,cluster2 -deploy -sourcerootforupload dir_path\bea-guardian-agent.war
In the preceding command:
admin_url represents the URL for the WebLogic Server Administration Server.
port represents the port number for the WebLogic Server Administration Server.
cluster1,cluster2 represent the names of all configured clusters.
dir_path represents the directory path to the Guardian Agent WAR file bea-guardian-agent.war.
If you have one or more managed servers in a domain, the Guardian Agent spawns the appropriate number of threads for communicating between the Guardian Agent on the WebLogic Administration Server and the Guardian Agent running on the Managed Servers. However, an excessive number of threads can affect the performance of the Administration Server. When tuning for better performance, you can specify the maximum number of Agent threads to allocate to the WebLogic Server Administration Server for a specified domain. The Max. Agent Threads parameter setting determines this value. The default is 10.
There are two ways to tune this parameter:
When activating the domain, you can set the Max. Agent Threads parameter in the Advanced tab page of the Domain Activation Wizard (see Section 2.5.1, "Activate Domain," for details).
If the domain is already activated, you can set the Max. Agent Threads parameter in the Domain Properties dialog box (see below).
You can set the Max. Agent Threads parameter in the Guardian > Evaluation page of the Preferences pages. See Section 2.4, "Preferences," for instructions on setting Preferences.
To tune the Max. Agent Threads value for an activated domain:
In the Navigation pane, click the Domain Explorer tab to open the Domain Explorer.
Right-click on the domain name and select Modify Domain from the context menu.
This displays the Domain Properties dialog box.
Select or enter a value in the Max. Agent Threads field.
This can be an integer value from 1 to 20. The default is 10.
Click OK.
This resets Max. Agent Threads to the specified value for the selected domain.
In order to manage Agent resources on both the WebLogic Administration Server and Managed Servers, Guardian enables you to specify the maximum amount of time (in seconds) that can elapse before a thread is terminated. The Agent Thread Timeout parameter governs this timeout. The default is 60.
There are three ways for tuning the Agent Thread Timeout parameter:
When activating the domain, you can set the Agent Thread Timeout parameter in the Advanced tab page of the Domain Activation Wizard (see Section 2.4, "Preferences," for details).
If the domain is already activated, you can set the Agent Thread Timeout parameter in the Domain Properties dialog box (see below).
You can set the Agent Thread Timeout parameter in the Guardian > Evaluation page of the Preferences pages. See Section 2.4, "Preferences," for instructions on setting Preferences.
To tune the Agent Thread Timeout value for an activated domain:
In the Navigation pane, click the Domain Explorer tab to open the Domain Explorer.
Right-click on the domain name and select Modify Domain from the context menu.
This displays the Domain Properties dialog box.
Select or enter a value in the Agent Thread Timeout field.
This can be an integer value from 10 to 600. The default is 60.
Click OK.
This resets Agent Thread Timeout to the specified value for the selected domain.
This section explains how to perform the following tasks:
The Guardian Workspace is the directory in which all of your Guardian data is stored. It includes the following data for each domain you have defined in Guardian:
Preferences
Domain Inventories
Evaluation Summaries
Service Request Archives (optional)
To prevent loss of work when Guardian is updated or uninstalled, your Workspace directory must be located outside of the Guardian installation directory. You can safely back up your Workspace data by exporting your Workspace to a file also located outside of your Guardian Installation directory. See Section 2.3.2, "Export Workspace," for instructions.
To specify the location for your Guardian Workspace, you must restart Guardian and specify a new location in the Select Workspace dialog box during startup.
Caution:
To prevent loss of work when Guardian is updated or uninstalled, your Workspace directory must be located outside of the Guardian installation directory. You can safely back up your Workspace data by exporting your Workspace to a file also located outside of your Guardian Installation directory. See Section 2.3.2, "Export Workspace," for instructions.To select a Guardian Workspace when starting Guardian:
Start Guardian.
Guardian first displays the initial splash screen while loading, and then displays the Select Workspace dialog box.
Click Browse.
This opens the Browse For Folder dialog.
Select or create the folder (directory) to use as your Workspace folder.
Caution:
Make sure this directory is not located within the Guardian installation directory.To use an existing folder, browse to the folder location and select the folder.
To create a new folder:
Click Make New Folder.
Select the location for the folder.
Enter the name of the folder
Click OK.
This creates or selects the file and returns to the Select Workspace dialog box.
(Optional) Specify this as the default Workspace.
If you do not want to select the Workspace each time you start Guardian, select the checkbox for Use this as the default workspace and do not ask again.
To change this setting at a later time:
Select Window > Preferences to open the Preferences page.
In the Preferences tree on the left, select Guardian.
Select the Prompt for workspace on startup checkbox.
Click OK.
The Select Workspace dialog box is displayed the next time you start Guardian.
Click Finish.
Guardian loads the selected Workspace and completes the startup procedure.
You can export your Guardian Workspace data to a file, which you can use for backup and recovery purposes, or to import to another Guardian instance.
Caution:
To prevent loss of work when Guardian is updated or uninstalled, make sure your Workspace and any Workspace export files are located outside of your Guardian Installation directory.To export a Guardian Workspace:
Select File > Export.
This opens the Export Workspace Wizard.
In the Export dialog box, open the Guardian folder and select Guardian Workspace.
Note:
To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This clears the Select an export destination field and re-displays the default folder tree.Click Next.
For Select File, specify the file name and location to which to save your Workspace data.
Use one of the following methods to specify the file:
Type in the absolute path name and file name.
Click Browse to display a file browser from which you can select the file. Click Save to select the file and return to the Export Workspace Wizard.
Click Finish.
This saves your current Workspace as a .zip file containing all of your Workspace data, including the guardian.registry, .project, and .refresh files.
You can import a Guardian Workspace from another Guardian instance, or an exported Workspace data file.
To import a Guardian Workspace:
Select File > Import.
This opens the Import Workspace Wizard.
In the Import Workspace Wizard, open the Guardian folder and select Guardian Workspace.
Note:
To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This clears the Select an import source field and re-displays the default folder tree.Click Next.
For Select File, specify the Workspace file you want to import.
Use one of the following methods to specify the file:
Type in the absolute path name and file name.
Click Browse to display a file browser from which you can select the file. Click Save to select the file and return to the Import Workspace Wizard.
Click Finish.
This imports the selected Workspace data and returns to the main Guardian window.
This section explains how to perform the following tasks:
You can use the Preferences page to configure your Guardian Preferences and customize your Guardian environment.
To configure your Guardian Preferences:
Open the Preferences page.
You can use either of the following methods to open the Preferences page:
Press Ctrl+Shift+P.
Select Window > Preferences from the title bar menu.
Open a folder and click on a category name to display the preferences in that category.
The left pane of the Preferences page is a navigation tree containing an extensive series of hierarchical folders and subfolders. Each folder and subfolder in the hierarchy is a category of preference attributes that you can configure.
The top level folders are as follows:
General
Guardian
Help
Install/Update
Note:
See Section 3.5, "Preferences," for more information.(Optional) Click Apply to apply your preference settings for the current category, or click Restore Defaults to restore the default values for all Preference page parameters.
When you have finished setting your preferences for each category, click OK.
This applies and saves all of your new Preference page settings.
You can export your Guardian Preferences to a file for backup and recovery purposes, or to import to another Guardian instance.
To export your Guardian Preferences to a file:
Select File > Export.
This opens the Export Preferences Wizard.
In the Export Preferences Wizard, open the General folder and select Preferences.
Note:
To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This will clear the Select an export destination field and re-display the default folder tree.Click Next.
Specify the preferences to export.
Do one of the following:
Select Export all to export all of your Guardian Preferences information.
Select Choose specific preferences to export to display a selection list of preferences in the Preferences box. Then select the individual preferences you want to export, or click Select All.
In To preference file, specify the file name and location to which to save your preferences information.
Use one of the following methods to specify the file:
Type in the absolute path name and file name.
Click Browse to display a file browser from which you can select the file. Then click Save to select the file and return to the Export Preferences Wizard.
Click Finish.
This saves your current preferences information as a .epf file in the specified location.
To import a Guardian Preferences from a file:
Select File > Import.
This opens the Import Preferences Wizard.
In the Import Preferences Wizard, open the General folder and select Preferences.
Note:
To clear a typed entry, click the Clear icon (file page icon) to the right of the destination field. This clears the Select an import source field and re-displays the default folder tree.Click Next.
For From preference file, specify the file name and location of the file you want to import.
Use one of the following methods to specify the file:
Type in the absolute path name and file name.
Click Browse to display a file browser from which you can select the file. Then click Save to select the file and return to the Import Preferences Wizard.
Specify the preferences to import.
Do one of the following:
Select Import all to import all preference information.
Select Choose specific preferences to import to display a selection list of preferences in the Preferences box. Then select the individual preferences you want to import, or click Select All.
Click Finish.
This replaces your current Preference page settings with the settings from the imported file.
This section explains how to perform the following tasks:
A domain is active when it has been defined in Guardian and has been enabled for evaluation.
Note:
"Active" does not refer to the state of the domain servers themselves, but rather to whether you have enabled that domain for evaluation.Activating a domain also results in the following:
The new domain node is added to the Domain Explorer Target Domains folder.
Guardian inventories the domain, and displays the Domain Inventory Overview in the Document Pane. In the Domain Explorer, the new inventory is added to the Inventory History folder for that domain.
The domain is added to the Active Domain Table.
The domain is added to the Guardian Registry.
A folder for the domain is added to the Guardian Workspace. The domain folder contains the data from all Domain Inventories and Evaluation Summaries for the domain.
To activate a domain:
Note:
If you are unable to activate any domains, you may need to manually deploy the Guardian Agent. See Section 2.2.1, "Deploy the Guardian Agent," for instructions.Open the Domain Activation Wizard.
You can use any of the following methods to open the wizard:
Press Ctrl+Shift+A.
Click Activate in the Main Toolbar.
Select New > Domain from the File menu.
Click the Domain Explorer tab to open the Domain Explorer. Then, right-click anywhere in the Domain Explorer and select Activate Domain from the context menu.
Click the General tab and configure the General Domain Properties.
The General tab contains the following fields:
Protocol — Select one of the following from the drop-down menu:
Note:
Oracle recommends using SSL encryption for communication between the client and the Guardian Agent.http:// — Select this to use the HTTP protocol without encryption.
https:// — Select this to use HTTP protocol with Secure Sockets Layer (SSL) encryption (recommended). Guardian uses 128 bit open source encryption for SSL. However, the configuration on the server for the domain determines whether or not Guardian will use 128 bit SSL encryption when activating that domain.
Host Name — The listen address for the WebLogic Administration Server in the target domain.
Port Number — The listen port for the WebLogic Administration Server for the target domain.
Username — The username of a WebLogic Server Administrator or Monitor account on the target domain.
Password — The password for the WebLogic Server Administrator or Monitor account on the target domain.
Remember Username/Password — Specifies that the domain credentials are to be stored so that you do not have to re-enter them for future domain operations. Usernames and passwords are encrypted when stored.
Note:
If you preselect a deactivated domain when you invoke the Domain Activation Wizard, the Protocol, Hostname, and Port fields are automatically filled with the appropriate values.(Optional) Click the Advanced tab and enter the Advanced Domain Properties.
The Advanced tab contains the following fields and options:
Enable Proxy Connection — Select this if a proxy server is to be used to access the target domain. Then, select a proxy server from the drop-down list. Click Add Proxy Servers to add proxy servers to this list (see Section 2.7.1, "Add Inbound Proxy Servers," for complete instructions).
Max. Agent Threads — Select the maximum number of Agent threads to allocate in the WebLogic Server Administration Server. This can be an integer value from 1 to 20. The default is 10.
Agent Thread Timeout (secs) — Specify the maximum number of seconds that can elapse before an Agent thread is deactivated when collecting data from managed servers. This can be an integer value in the range of 10 to 600. The default is 60.
Domain Notes — Enter a text description or other details pertaining to this domain. These notes are displayed in inventories and evaluations for this domain.
Click Finish.
You can now evaluate and inventory the domain.
If you need to activate multiple domains in Guardian, you can use a script to automate this procedure.
Note:
Oracle recommends using SSL encryption for communication between the client and the Guardian Agent. Guardian uses 128 bit open source encryption for SSL. However, the configuration on the server for the domain determines whether or not Guardian will use 128 bit SSL encryption when activating that domain.Caution:
You must deploy the Guardian Agent to each domain that is to be activated prior to running the activation script. See Section 2.2.1.3, "Deploying the Guardian Agent on Multiple Servers," for instructions.The following is an example script for activating multiple domains:
-gactivateDomain -t https://slp7:7001 -u un -p pw -c true -gactivateDomain -t https://slp8:7001 -u un -p pw -c true -gactivateDomain -t https://sqa-lldev:4044 -u un -p pw -c true
The script can then be run in Guardian Headless Mode by entering the following command:
guardianHeadless.cmd -gscript -f activatingScript.txt
See Section 2.13.3, "Running Scripts," for more information about running scripts.
When you deactivate a domain, it is no longer available for evaluation. Any shortcuts that use the domain are removed from the Shortcuts Table and Shortcut Explorer. The Domain Inventory and Evaluation Summary data persists after deactivation, but is not available for viewing in Domain Explorer. You must reactivate the domain before you can view the data or evaluate the domain.
To deactivate a domain:
Open the Domain Deactivation Wizard.
Do one of the following:
Click on the Domain Explorer tab to open the Domain Explorer. Then, right-click on a domain and select Deactivate from the context menu.
Select Window > Show View > Active Domains Table. Then, select a domain from the table and click Deactivate Domain.
Click on a domain entry to select it.
Click Finish.
Note:
If you click Finish, you will not be prompted to confirm the deactivate operation. The domain will be deactivated immediately.This deactivates the domain and returns to the Domain Explorer or Active Domain Table.
Note:
The Domain Deactivation Wizard does not remove the Oracle Guardian Agents that were installed when you activated the domains. For instructions on removing Agents, see Oracle WebLogic Server Administration Console Online Help. See Section 2.5.5, "Purge All Inactive Domains," for instructions about purging inactive domains from Guardian.You can modify the Domain Properties for a domain to customize the way Oracle Guardian communicates with that domain.
To modify the Domain Properties for a domain:
Open the Domain Properties configuration page.
Do one of the following:
Select Window > Show View > Active Domains Table to open the Active Domains Table. Then select a domain and click Modify Domain.
Click the Domain Explorer tab to open the Domain Explorer. Then right-click on a domain in the Domain Explorer tree and select Modify Domain from the context menu.
Configure the Domain Properties.
The Domain Properties configuration page contains the following fields and options:
Name — The name for this domain. You cannot modify this value.
Username — The username of an WebLogic Server Administrator or Monitor account on the target domain.
Password — The password for the WebLogic Server Administrator or Monitor account on the target domain.
Remember Username/Password — Specifies that the domain credentials are to be stored so that you do not have to enter them for future domain operations.
Enable Proxy Connection — Select this if a proxy server is to be used to access the target domain. Then, select a proxy server from the drop-down list. This option is disabled if the Proxy Servers list is empty. See Section 2.7.1, "Add Inbound Proxy Servers," for instructions on populating and enabling the list.
Max. Agent Threads — Select the maximum number of Agent threads to allocate in the WebLogic Server Administration Server. This can be an integer value in the range of 1 to 20. The default is 10.
Agent Thread Timeout (secs) — Specify the maximum number of seconds that can elapse before an Agent thread is deactivated when collecting data from managed servers. This can be an integer value from 10 to 600. The default is 60.
Notes — Enter a text description or other details pertaining to this domain.
Click OK.
This applies your new Domain Properties settings to the selected domain.
To remove all deactivated domains from the Domain Explorer, select Tools > Purge Inactive Domains.
Caution:
You are not prompted to confirm the purge operation. The domains are purged immediately. Purging the inactive domains also deletes the associated Domain Inventories and Evaluation Summaries from the Guardian Workspace and removes the domains from the Guardian Registry.This section explains how to perform the following tasks:
To create and populate a new Domain Group:
In the Navigation Pane, click the Domain Explorer tab to open the Domain Explorer.
Right-click on Target Domains and select Add Domain Group from the context menu.
This opens the Add Domain Group dialog box.
In the Name field, enter a name for the Domain Group.
Click OK.
This adds the new Domain Group to the Domain Explorer tree, and closes the Add Domain dialog box.
Populate the Domain Group.
In the Domain Explorer Domain tree, click on a domain name to select it, then drag and drop it into the new Domain Group folder. Repeat this step for each domain you want to include in the new Domain Group.
To rename an existing Domain Group:
In the Navigation Pane, click the Domain Explorer tab to open the Domain Explorer.
Right-click on Target Domains and select Rename Domain Group from the context menu.
This opens the Rename Domain Group dialog box.
In the Name field, enter the new name for the Domain Group.
Click OK.
This renames the Domain Group in the Domain Explorer tree and closes the Rename Domain dialog box.
To delete a Domain Group:
Click on the Domain Explorer tab to open the Domain Explorer.
Remove any domains from the Domain Group.
You cannot delete a Domain Group that contains a domain. If there are domains in the Domain Group, you can drag and drop the domains into the Target Domains folder or into another Domain Group folder.
Right-click on the Domain Group you want to delete and select Delete Domain Group from the context menu.
This displays a Domain Group Delete Confirmation dialog box prompting you to confirm the delete request.
Click OK.
This deletes the Domain Group from the Domain Explorer tree and closes the Delete Confirmation dialog box.
This section explains how to perform the following tasks:
If you want to use an inbound proxy server for communications between Guardian and the WebLogic Server Administration Server, you must first add the proxy server to Guardian.
To add an inbound proxy server:
Click Activate to open the Domain Activation Wizard.
Click the Advanced tab.
Click Add Proxy Servers to open the Proxy Servers Preferences page.
Click Add to open the Proxy Properties dialog box.
Enter the proxy server Hostname, Port, Username, and Password information.
Click OK.
This adds the proxy server to the Proxy Servers list in the Proxy Servers configuration page, and dismisses the Proxy Properties dialog box.
(Optional) Repeat steps four through six to add additional proxy servers to the list.
Click OK.
This adds the new proxy server to the Proxy Server drop-down list in the Advanced tab of the Domain Activation Wizard and dismisses the dialog box.
If you want to use an inbound proxy server for communications between Guardian and the WebLogic Administration Server, you must enable the proxy connection.
To enable an inbound proxy connection:
Manually deploy the Guardian Agent onto the target domain.
If you have not already done so, add the proxy server to the Proxy Server list in the Domain Activation Wizard.
See Section 2.7.1, "Add Inbound Proxy Servers," for instructions.
Open the Domain Activation Wizard.
You can use any of the following methods to open the wizard:
Press Ctrl+Shift+A.
Click Activate in the Main Toolbar.
Select New > Domain from the File menu.
Click the Domain Explorer tab to open the Domain Explorer. Then right-click in the Domain Explorer panel and select Activate Domain from the context menu.
Click the Advanced tab in the Activate Domain Wizard.
Check the Enable Proxy Connection checkbox.
Select the proxy server from the drop down list.
Click Finish.
If you are using an outbound proxy server for communications between Guardian and the outside world, you will need to test the outbound proxy connection.
Note:
if the outbound proxy server normally requires you to enter your username and password credentials for getting access to the internet, there is a chance that Guardian cannot support the proxy configuration. This is particularly true if the proxy server delegates the authentication function to a third party tool. Guardian's support for outbound proxy servers extends only to those servers that perform the authentication in line with the outbound request.If you are unsure how the outbound proxy server authenticates users, contact your local network administrator or My Oracle Support for more information.
To enable and test an outbound proxy server connection:
Select Window > Preferences from the title bar menu.
This displays the Preferences page.
In the Preferences folder tree (left pane) open the Guardian folder and select Oracle Support.
This displays the Oracle Support preferences, which include some settings for proxy testing.
In the Oracle Support preferences, select the Requires Proxy checkbox.
Click Test Proxy.
After the test completes, a status message is displayed at the top of the page as to whether or not it was successful.
This section explains how to perform the following tasks:
A Domain Inventory is an assessment of your current domain environment. The results are displayed in a Domain Inventory Overview in the Document Pane. The inventory is also added to the Inventory History folder in the Domain Explorer. Domain Inventories are also created automatically whenever you activate or evaluate domains.
To inventory a domain:
Open the Inventory Wizard.
You can use any of the following methods to open the wizard:
Press Ctrl+Shift+I.
Click Inventory on the Main Toolbar.
Select File > New > Inventory.
Click the Domain Explorer tab to open the Domain Explorer. Then, right-click on a domain name in the Domain Explorer tree and select Inventory from the context menu.
If you did not preselect a domain when opening the wizard, select a domain from the Inventory Wizard domain table.
Enter the Username and Password of the WebLogic Server Administrator or Monitor account for the target domain.
Click Finish.
This initiates the Domain Inventory and displays the results in a Domain Inventory Overview in the Document Pane.
To view an existing Domain Inventory:
Click the Domain Explorer tab to open the Domain Explorer.
Open the Inventory History folder for the domain.
Double-click on the inventory name to view the selected Domain Inventory Overview in the Document Pane.
Note that you can redirect the display of Domain Inventories and Evaluation Summaries to a Web browser instead of the Document Pane. See Section 2.15, "Redirecting Display of Evaluation Summaries and Domain Inventories," for details.
To identify potential problems before they occur, you can use the Evaluation Wizard to evaluate one or more domains.
Note:
The evaluation of some signatures may hang the evaluation. To prevent this, open the Preferences page, and set the Guardian > Signature Evaluation Threshold parameter (in milliseconds). Then select the Enable Safe Evaluation checkbox. If enabled, the evaluation of a signature is terminated when this threshold is reached, and the Signature ID is written to the Hung Signature List. In addition, if a signature evaluation fails due to a runtime error, that Signature ID is written to the Problem Signature List. Guardian will not attempt to evaluate signatures in the Problem Signature List. See Section 2.4, "Preferences," for general instructions on setting Preferences.Caution:
If a server is down when the evaluation is conducted, some signatures might not be detected.To evaluate a domain:
In the Navigation Pane, click the Domain Explorer tab to open the Domain Explorer.
Select a domain and open the Evaluation Wizard.
Use any of the following methods to select a domain and open the wizard:
In the Domain Explorer, select a domain and then click the Evaluation button. To select multiple domains, press the Ctrl or Shift key while selecting additional items.
Right-click on a domain and then select Evaluate from the context menu.
Double-click a domain name in the Domain Explorer.
Select File > New > Evaluation from the title bar.
Select Window > Show View > Active Domains Table to display the Active Domains Table. Then double-click a domain name to open the wizard for the selected domain.
In the Bundle field, select the Signature Bundle to evaluate.
Click the Bundle field for an entry to display a down-arrow icon at the far right of the field. Then click the arrow to open the Bundle drop down menu and select a Signature Bundle. The default is Default Signatures.
Enter the credentials for the WebLogic Server for the selected domain.
In the Domain Credentials section, enter the following:
Username — The username for the WebLogic Server Administrator or Monitor account on the target domain.
Password — The password for the WebLogic Server Administrator or Monitor account on the target domain.
If you selected multiple domains, you must supply the login credentials for each domain before you can launch the evaluation.
(Optional) Select the Remember username/password checkbox to save your login credentials for the selected domains.
Select this option if you want your login information to persist so that you do not have to re-enter it each time you evaluate this domain. This is especially useful if you routinely evaluate multiple domains concurrently. Usernames and passwords are encrypted when stored.
(Optional) Create a shortcut for this evaluation.
This is useful if you routinely perform this particular type of evaluation. To create a shortcut, select the Create Shortcut checkbox and enter a brief name for the shortcut in the text field. See Section 2.12, "Shortcuts," for detailed instructions on creating, evaluating, and managing shortcuts.
Click Finish.
This initiates the evaluation and displays an Evaluation Summary of the results in the Document Pane. In the Domain Explorer, the new Domain Inventory is added to the Inventory History folder and the new Evaluation Summary is added to the Evaluation History folder. See Section 3.3.2, "Domain Explorer," for a complete description of the Domain Explorer.
A Snapshot Evaluation is a complete assessment of all of the configuration details for a specific domain at the particular moment the evaluation is executed. The process for performing a Snapshot Evaluation is the same as for any other type of evaluation. The primary difference is in the type of Signature Bundle you select for the evaluation, and the type of information the evaluation collects and evaluates.
As with other evaluations, you can compare Snapshot Evaluations. Comparing two Snapshot Evaluations enables you to see very quickly the differences between configurations for those two domains. See Section 2.8.5, "Compare Inventories or Evaluations," for instructions.
Notes:
Note the following about Snapshot Evaluations:If a server is down when the evaluation is conducted, some signatures might not be detected.
Generating a Snapshot Evaluation of a large domain may consume a lot of memory and take a long time to complete.
To evaluate a snapshot of a domain configuration:
In the Navigation Pane, click the Domain Explorer tab to open the Domain Explorer.
Select a domain and open the Evaluation Wizard.
Do one of the following:
In the Domain Explorer, select a domain and then click the Evaluation button.
Right-click on a domain name and then select Evaluate from the context menu.
In the Bundle field, select the type of snapshot to create and evaluate.
Click the Bundle field for an entry to display a down-arrow icon at the far right of the field. Then click the arrow to open the Bundle drop down menu, and select one of the following:
Snapshot - All
Snapshot - JDBC
Snapshot - JMS
Snapshot - Security
Enter the credentials for the WebLogic Server for the selected domain.
In the Domain Credentials section, enter the following:
Username — The username for the WebLogic Server Administrator or Monitor account on the target domain.
Password — The password for the WebLogic Server Administrator or Monitor account on the target domain.
Click Finish.
This initiates the Snapshot Evaluation and displays an Evaluation Summary of the results in the Document Pane. In the Domain Explorer, the new Domain Inventory is added to the Inventory History folder and the new Evaluation Summary is added to the Evaluation History folder.
You can compare inventories or evaluations from the same or different domains. Both objects must be of the same type—that is, two inventories or two evaluations. You cannot compare an inventory against an evaluation.
You can compare any two Evaluation Summaries. Comparing two Snapshot Evaluations is particularly useful, as a Snapshot Evaluation collects and evaluates all of the configuration data for the evaluated domain. Such a comparison enables you to see very quickly the differences between the configurations and their issues for those two domains.
To compare two Domain Inventories or Evaluation Summaries:
In the Navigation pane, open the Domain Explorer.
Click the Domain Explorer tab, or select Window > Show View > Domain Explorer.
Open the History folder containing the resources to be compared (Inventory History or Evaluation History).
Select the two documents to be compared.
Click on the first item to select it, then press Ctrl+click on the second item.
Right-click on the selected items and then select Compare from the context menu.
Note:
The Compare option remains deactivated until two like items have been selected.Selecting Compare opens the Text Compare display in the Document Pane. The differences between the two documents are highlighted and related segments are shown in boxed sections, with connectors indicating the relationships.
See Section 3.4.7, "Text Compare View," for a description of the Text Compare View navigation controls and context menu.
You can export a Domain Inventory or Evaluation Summary report to a PDF or HTML file for external viewing or archiving.
To export a report:
Click the Domain Explorer tab in the Navigation Pane to open the Domain Explorer.
Open the History folder containing the report you want to save.
The Domain Explorer contains two History folders:
Inventory History — Contains a linked list of the available Domain Inventory reports.
Evaluation History — Contains a linked list of the available Evaluation Summary reports.
Open the report.
Double-click on a report name to open the report and display it in the Document Pane.
Select File > Save As.
This opens a standard Save As file browser.
Browse to the location to which to save the file.
Select the type of file to which to save the report.
For the Save as type: field, select one of the following from the drop-down menu:
PDF Files (*.pdf)
HTML Files (*.html)
Enter a file name in the File name field.
Click OK.
This section explains how to perform the following tasks:
To display the Overview for a signature — also called the Signature View — complete the following steps:
In the Navigation Pane, click on the Signature Explorer or Bundle Explorer tab.
This opens the Signature Explorer or Bundle Explorer, respectively. Signature Overviews are accessible only through these two Explorers.
Double-click on a signature name in the Navigation Pane.
This displays the overview for that signature in the Document Pane.
You can use Signature Filters to specify which signatures are to be displayed in the Signature Explorer, Bundle Explorer, and Evaluation Summaries.
To apply Signature Filters:
Open the Filters dialog box.
From the Signature Explorer or Bundle Explorer:
Click the Menu icon (small white triangle in the upper right corner) and select Filters from the context menu.
From an Evaluation Summary:
Right-click on any signature in the Detected Signatures table and select Filters from the context menu.
Specify your filter settings.
Click a radio button to specify Show or Hide for each filter. The Signature Filters are as follows:
Name — Filter according to name. Specify all or a portion of a signature name to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all signatures. The default is Show all (.*).
Severity — Filter according to severity. Click a checkbox to select/deselect a severity level. These are: Critical, Warning, and Information. The default is Show all (all selected).
Type — Filter annotated signatures according to Annotation Type. Click a checkbox to select/deselect a type. There are two Annotation Types: Flag and Ignore. The default is Hide signatures with an Annotation Type of Ignore. See Section 1.5.10, "Signature Annotations," for more information on Annotation Types.
Annotation Name — Filter annotated signatures according to Annotation Name. Specify all or a portion of an Annotation Name to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all annotated signatures. The default is Show all (.*).
Comment — Filter annotated signatures according to annotation comment. Specify all or a portion of a comment to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all signatures. The default is Show all (.*).
Domain — Filter annotated signatures in this domain, as specified above.
Evaluation — Filter annotated signatures in this Evaluation, as specified above.
Click OK.
This applies your filter specifications and returns to the Guardian main window.
You can sort the list of signatures displayed in the Signature Explorer, Bundle Explorer, and Evaluation Summaries.
You can sort signatures via either of the following methods:
The following sections describe each of these methods.
To use the Sort menu to sort signatures:
In the Navigation Pane, click the Signature Explorer or Bundle Explorer tab to open one of these Explorers.
Click the Menu icon to open the Explorer menu.
Select Sort Signatures to open the Sort submenu.
Select the category by which to sort.
Select one of the following:
By Name
By Severity
The signature lists are automatically reordered according to the selected category.
You can use the Sorting dialog box to sort signatures in the Detected Signatures table of an Evaluation Summary.
To specify your sort criteria:
Right-click on a signature title in the table and select Sorting from the context menu.
This opens the Sorting dialog box for specifying the sort order.
Specify the sort criteria.
There are four drop-down menus from which you can select a table field. The order in which you select the fields determines the hierarchy of the sort order. For each field, select one of the following:
By Name
By Severity
Impact
Product
Topic
Click a radio button next to each field selection to specify Ascending or Descending order for that field.
Click OK to apply your sort criteria to the Detected Signatures table for that Evaluation Summary.
This section explains how to perform the following tasks:
You can use the Annotations Wizard to create, edit, delete, and view signature annotations.
You can access the Annotations Wizard from the Signatures List in any of the following contexts:
Evaluation Summary
Signature Explorer
Bundle Explorer
To open the wizard, right-click on a signature title and select Annotations > Manage Annotations from the context menu.
To create an annotation and add it to a signature:
Navigate to the Signatures List containing the signature you want to annotate.
The contents of a Signatures List may vary according to the context in which it occurs. Signatures Lists can be found in the following locations:
Evaluation Summary
Signature Explorer
Bundle Explorer
Open the Annotations Wizard.
Right-click on the signature title and select Annotations > Manage Annotations from the context menu.
Click Add.
This displays the Add dialog box.
Select an Annotation Type.
Select one of the following:
Ignore — Ignore this signature for the specified targets.
Flag — Flag this signature for the specified targets.
(Optional) Enter a Name and Comment for the annotations.
Select an Annotation Target.
Note:
This field is available only if you invoked the wizard from an Evaluation Summary. For all other contexts, the default applies (All Domains).Click the down-arrow next to the Apply to field to display a drop-down menu of Annotation Targets. Select one of the following:
All Domains — Apply this annotation to this signature for all domains.
This Domain — Apply this annotation to this signature for this domain, only. This option is available only if you are annotating a signature in an Evaluation Summary.
This Evaluation — Apply this annotation to this signature in this evaluation, only. This option is available only if you are annotating a signature in an Evaluation Summary.
Click Finish.
This adds the new annotation to the Annotations list for the selected signature.
Click OK.
This returns to the Guardian main window. Note that a decoration is added to the icon for the annotated signature.
To change an existing annotation:
Navigate to the Signatures List containing the signature with the annotation you want to modify.
Note:
If the signature is not included in the Signatures List, you may need to temporarily set one or more filter attributes to Show. See Section 2.9.2, "Filter Signatures," for instructions.Open the Annotations Wizard.
Right-click on the title of the annotated signature and select Annotations > Manage Annotations from the context menu.
Select the annotation to be modified and click Edit.
Note:
The Edit button will be greyed out (deactivated) until you select an annotation.This displays the Edit dialog box for the selected annotation.
Enter your changes.
Click Finish.
This updates the Annotations list with your changes.
Click OK.
This updates the appropriate Signatures Lists and returns to the Guardian main window.
Note:
If you modified any filter settings in step 1, you can reset the filters to their original settings now. See Section 2.9.2, "Filter Signatures," for instructions.To delete an annotation:
Navigate to the Signatures List containing the signature with the annotation you want to delete.
Note:
If the signature is not included in the Signatures List, you may need to temporarily set one or more filter attributes to Show. See Section 2.9.2, "Filter Signatures," for instructions.Open the Annotations Wizard.
Right-click on the title of an annotated signature and select Annotations > Manage Annotations from the context menu.
Select the annotation to be modified and click Delete.
Note:
The Delete button remains deactivated until you select an annotation.This removes the annotation from the Annotations list for that signature.
Click OK.
This updates the appropriate Signatures Lists and returns to the Guardian main window.
Note:
If you modified any filter settings in step 1, you can reset the filters to their original settings now. See Section 2.9.2, "Filter Signatures," for instructions.You can view the annotations for a signature by selecting the signature and then opening the Annotations Wizard. The Annotations Wizard displays a table of all annotations for the selected signature.
You can access the Annotations Wizard from the Signatures List in any of the following contexts:
Evaluation Summary
Signature Explorer
Bundle Explorer
To open the wizard, right-click on a signature title and select Annotations > Manage Annotations from the context menu.
You can use Signature Filters to specify which signatures to display in the Signature Explorer, Bundle Explorer, and Evaluation Summaries. Some filters apply specifically to annotated signatures and their attributes.
This section provides instructions for applying filters to annotated signatures, only. See Section 2.9.2, "Filter Signatures," for complete instructions on using Signature Filters.
To apply Annotation Filters:
Open the Evaluation Summary to which you want to apply the filter.
Open the Filter Configuration wizard.
In the Signatures List, right-click on a signature name and select Filters from the context menu.
Specify your filter settings.
Click a radio button to specify Show or Hide for each filter. The Signature Filters that apply to annotations are as follows:
Type — Filter annotated signatures according to Annotation Type. Click a checkbox to select/deselect a type. There are two Annotation Types: Flag and Ignore. The default is Hide signatures with an Annotation Type of Ignore.
Annotation Name — Filter annotated signatures according to Annotation Name. Specify all or a portion of an Annotation Name to use as the filter criteria. This can be a character string or a standard regular expression. Enter .* to filter all annotated signatures. The default is Show all (.*).
Comment — Filter annotated signatures according to annotation comment. Specify all or a portion of a comment to use as the filter criteria. This can be a character string or standard regular expression. Enter .* to filter all signatures. The default is Show all (.*).
Click OK.
This applies your filter specifications and returns to the Guardian main window.
This section explains how to perform the following tasks:
You can use the Bundle Explorer to view the available Signature Bundles and their contents. See Section 3.3.4, "Bundle Explorer," for a detailed description of the Bundle Explorer.
To display an overview of the contents of a Bundle:
In the Navigation Pane, click the Bundle Explorer tab to open the Bundle Explorer.
In the Bundle Explorer, double-click on a bundle name.
This displays the selected Bundle Overview in the Document Pane.
Use the Bundle Evaluation Wizard to preselect a domain and Bundle for Evaluation, and then initiate the evaluation.
Note:
The evaluation of some signatures may hang the evaluation. To prevent this, open the Preferences page, and set the Guardian > Signature Evaluation Threshold parameter (in milliseconds). Then select the Enable Safe Evaluation checkbox. If enabled, the evaluation of a signature is terminated when this threshold is reached, and the Signature ID is written to the Hung Signature List. In addition, if a signature evaluation fails due to a runtime error, that Signature ID is written to the Problem Signature List. Guardian does not attempt to evaluate signatures in the Problem Signature List. See Section 2.4, "Preferences," for general instructions on setting Preferences.Caution:
If a server is down when the evaluation is conducted, some signatures might not be detected.To open the Bundle Evaluation Wizard:
In the Domain Explorer, open the Evaluation History folder.
Right-click on an Evaluation Summary and select Evaluate Bundle from the context menu.
This opens a submenu containing a list of Bundles available for evaluation.
Select a Bundle from the submenu to open the Bundle Evaluation Wizard for that Bundle.
The Bundle Evaluation Wizard opens with the selected domain and Bundle preselected, just as if you had invoked a Shortcut.
Enter the credentials for the WebLogic Server for the selected domain.
In the Domain Credentials section, enter the following:
Username — The username for the WebLogic Server Administrator or Monitor account on the target domain.
Password — The password for the WebLogic Server Administrator or Monitor account on the target domain.
If you selected multiple domains, you must supply the login credentials for each domain before you can launch the Evaluation.
(Optional) Select the Remember username/password checkbox to save your login credentials for the selected domains.
Select this option if you want your login information to persist so that you do not have to enter it each time you evaluate this domain. This is especially useful if you routinely evaluate multiple domains concurrently. Usernames and passwords are encrypted when stored.
Click Finish.
This initiates the evaluation and displays an Evaluation Summary of the results in the Document Pane. In the Domain Explorer, the new Domain Inventory is added to the Inventory History folder, and the new Evaluation Summary is added to the Evaluation History folder.
This section explains how to perform the following tasks:
A Shortcut enables you to streamline the evaluation procedure by predefining and storing the domain, Signature Bundle, and other parameters for evaluations that you perform frequently. You can then evaluate the Shortcut, saving you the effort of re-entering the values each time you want to run the evaluation.
A Shortcut enables you to predefine the evaluation parameters for evaluations you perform frequently, saving you the effort of re-entering the values each time you run the evaluation.
You may use either of the following methods to create a Shortcut:
Create Shortcut with Shortcut Wizard — Use this method if you want to quickly create a Shortcut without evaluating the selected domain.
Create Shortcut with Evaluation Wizard — Use this method if you want to create a Shortcut when evaluating a domain. The parameters you set for the evaluation are then used to create the Shortcut. This method also enables you to enter and save the Administrator login credentials so that you do not have to re-enter them each time you evaluate the Shortcut.
The following sections describe each of these procedures.
Use the Shortcut Wizard if you want to quickly create a Shortcut without evaluating the selected domain. However, you will not be able to enter and save the login credentials for the WebLogic Server Administrator or Monitor account. Consequently, you will need to enter these each time you evaluate the Shortcut. See Section 2.12.1.2, "Create Shortcut with Evaluation Wizard," for instructions on storing the login credentials when creating a Shortcut.
To use the Shortcut Wizard to create a Shortcut:
Open the Shortcut Wizard.
You can use any of the following methods to open the wizard:
Press Ctrl+Shift+S.
Select File > New > Shortcut.
Select Window > Show View > Shortcuts Table to open the Shortcuts Table. Then, click Add Shortcut in the Shortcuts Table toolbar.
Right-click in the Domain Explorer or Shortcut Explorer and select Add Shortcut from the context menu.
Select the domain to associate with the Shortcut.
Select the Signature Bundle to associate with the Shortcut.
Select a Signature Bundle from the Bundle field drop-down menu. This is the Bundle that will be evaluated against the specified domain when you evaluate the Shortcut. The default is Default Signatures.
Select the Create Shortcut checkbox and enter a brief name for the Shortcut.
Click Finish.
This adds the new Shortcut to the Shortcuts Table and the Shortcut Explorer tree. See Section 2.12.2, "Evaluate Shortcut," for instructions on evaluating a Shortcut.
You can create a Shortcut by selecting the Save as Shortcut option when using the Evaluation Wizard to evaluate a domain. This method of creating a Shortcut enables you to enter and store the Administrator login credentials so that you need not enter them each time you evaluate the Shortcut.
To use the Evaluation Wizard to create a Shortcut:
Open the Evaluation Wizard.
You can use any of the following methods to open the wizard:
Press Ctrl+Shift+E.
Select File > New > Evaluation.
Right-click in the Domain Explorer and select Evaluate from the context menu.
Select the domain to associate with the Shortcut.
In the Bundle field, select the Signatures Bundle to associate with the Shortcut.
Select a Signature Bundle from the Bundle field drop-down menu. This is the bundle that will be evaluated against the specified domain when you evaluate the Shortcut. The default is Default Signatures.
Enter the Username and Password for the WebLogic Server Administrator or Monitor account on the target domain.
(Optional) Select the Remember username/password checkbox to store your login credentials for the selected domains.
Select this option if you want your login information to persist so that you do not have to enter it each time you evaluate this Shortcut. This is especially useful if you will be evaluating the Shortcut on a frequent basis. Usernames and passwords are encrypted when stored.
Select the Create Shortcut checkbox and enter a brief name for the Shortcut.
Click Finish.
This adds the new Shortcut to the Shortcuts Table and the Shortcut Explorer tree. See Section 2.12.2, "Evaluate Shortcut," for instructions on evaluating a Shortcut.
A Shortcut enables you to predefine the evaluation parameters for evaluations you perform frequently, saving you the effort of re-entering the values each time you run the evaluation. To evaluate a Shortcut, use the Shortcut Evaluation Wizard.
To evaluate a Shortcut:
Open the Shortcut Evaluation Wizard.
You can do this using any of the following methods:
Select Window > Show View > Shortcuts Table to open the Shortcuts Table. Then double-click on a Shortcut name in the Shortcut Table.
Click the Shortcut Explorer tab to open the Shortcut Explorer. Then double-click on a Shortcut name in the Shortcut list.
Click the Shortcut Explorer tab to open the Shortcut Explorer. Then right-click on a Shortcut name in the Shortcut list, and select Evaluate Shortcut from the context menu.
The Shortcut Evaluation Wizard opens with the predefined values for the selected Shortcut displayed in the domain table. You can change the Bundle selection.
If necessary, enter the Username and Password for the WebLogic Server Administrator or Monitor account for the target domain.
If you selected the Remember username/password option when you activated the domain or defined the Shortcut, the Username and Password fields are pre-filled. Otherwise, you must enter this information before launching the evaluation.
Click Finish.
This launches the evaluation and returns you to the Guardian main window when the evaluation completes. As with a standard evaluation, the Domain Explorer History folders are updated to include an entry for the resulting Domain Inventory and Evaluation Summary. The results of the evaluation are displayed in an Evaluation Summary Overview in the Document Pane.
You can use either of the following methods to delete a Shortcut:
Select Window > Show View > Shortcuts Table to open the Shortcuts Table. Then select a Shortcut from the Shortcut list and click Delete.
Click the Shortcut Explorer tab to open the Shortcut Explorer. Then right-click on a Shortcut in the Shortcut list and select Delete Shortcut from the context menu.
This section explains how to perform the following tasks:
The Guardian Command Line Interface (CLI) — also called Guardian Headless Mode — is a set of Guardian commands that you can enter directly in the operating system command window. Guardian CLI commands are available for the most common tasks performed via Guardian's User Interface. See Section 3.8, "Command Line Interface," for a complete description of these commands and their syntax. See Section 2.13.1, "Start Guardian Headless Mode," for instructions about starting the Command Line Interface.
To start the Guardian Command Line Interface:
Note:
Guardian Command Line Interface commands are case sensitive.At the operating system command prompt, change to the Guardian installation directory.
cd <root>\guardian\
In the preceding command, <root> represents the parent directory for the Guardian installation directory.
Enter the Guardian Headless command:
Windows:
guardianHeadless.cmd
Linux:
guardianHeadless.sh
(Optional) To display a list of CLI commands and their syntax, enter the following command:
Windows:
guardianHeadless.cmd -ghelp
Linux:
guardianHeadless.sh -ghelp
Note:
Each command must include the prefix-g with no trailing space, as shown in the following example:
guardianHeadless.cmd -glistActiveDomains
The output file is created in the current directory, and is overwritten each time you run a Guardian Headless Mode command. See Section 2.13.2, "Redirecting Guardian CLI Command Output," for instructions about redirecting this to a different file.
See Section 3.8, "Command Line Interface," for a complete description of Guardian Command Line Interface commands.
The following sections explain how to redirect Guardian Headless Mode command output on Windows and Linux systems, respectively.
On Windows systems, the command output is written to the following file:
headless_output.txt
The output file is created in the current directory, and is overwritten each time you run a Guardian Headless Mode command.
On Windows systems, you can change the name of this file by modifying the following line in the guardianHeadless.cmd script:
guardian.exe -noSplash -application com.bea.support.guardian.ui.headless.Headless
%command% %arg1% %val1% %arg2% %val2% %arg3% %val3% %arg4% %val4% %arg5%
%val5% %arg6% %val6% %arg7% %val7% > headless_output.txt 2>&1
Replace headless_output.txt with the new file name. For example:
guardian.exe -noSplash -application com.bea.support.guardian.ui.headless.Headless
%command% %arg1% %val1% %arg2% %val2% %arg3% %val3% %arg4% %val4% %arg5%
%val5% %arg6% %val6% %arg7% %val7% > MyOutputFile.txt 2>&1
You can create a Guardian Command Line script that contains a series of Guardian Command Line Interface commands. You can schedule a script to run at specific times and intervals by using utilities such as the Windows Task Scheduler or the Linux crontab command.
See Section 3.8, "Command Line Interface," for a complete description of Guardian Command Line Interface commands.
To run a script, enter the following command:
Windows:
guardianHeadless.cmd -gscript -f <script_name>
Linux:
guardianHeadless.sh -gscript -f <script_name>
In the preceding commands, <script_name> represents the path and name of your CLI script.
On Windows systems, the output for CLI commands is written to the following file:
headless_output.txt
The output file is created in the current directory, and is overwritten each time you run a Guardian Headless Mode command. See Section 2.13.2, "Redirecting Guardian CLI Command Output," for instructions about redirecting command output.
For inventory and evaluation operations, the resulting Domain Inventory or Evaluation Summary document is saved in the appropriate History folder in your Guardian Workspace, and an entry is added to the appropriate History folder in the Domain Explorer tree. These can be viewed using the Domain Explorer, just as you would view any other Domain Inventory or Evaluation Summary document.
To view a Domain Inventory or Evaluation Summary document:
Open the Guardian User Interface and click the Domain Explorer tab to open the Domain Explorer.
Open the History folder containing the document you want to view.
Select the document to view the contents in the Document Pane.
See Section 3.3.2, "Domain Explorer," for a complete description of the Domain Explorer.
To schedule a script to run automatically at a specific time, you can use utilities such as the Windows Task Scheduler or the Linux crontab command. For instructions about scheduling scripts, see your operating system documentation.
To receive notification of detected signatures, create an evaluation script and use the Windows Task Scheduler or the Linux crontab command to schedule the script to run at regular intervals. Each time the script runs, the signature.log file in the Guardian installation directory is updated with an entry for each detected signature. You can then configure a third party management tool to scan the log for detected signatures and to send notification when one is found.
Each signature.log entry starts with four number signs (####) and includes a timestamp. Each entry with a detected signature contains the label <detected> and is followed by a brief description that is enclosed by angle brackets. The description includes the domain name.
The following is a sample signature.log file:
####<Tue Aug 01 16:03:47 EDT 2006> <0> <g-dev_slp7_7001> <un> <0> <000022> <not detected> <Signature 000022 (Rotational Upgrade may cause java.io.StreamCorruptedException) not detected by username un evaluating bundle ID 0 in domain ID g-dev_slp7_7001.> ####<Tue Aug 01 16:03:47 EDT 2006> <0> <g-dev_slp7_7001> <un> <0> <000027> <detected> <Signature 000027 (Native IO should be enabled in production mode for better performance) detected by username un evaluating bundle ID 0 in domain ID g-dev_slp7_7001.> ####<Tue Aug 01 16:03:47 EDT 2006> <0> <g-dev_slp7_7001> <un> <0> <000055> <not detected> <Signature 000055 (JDK 1.5 is not certified for WebLogic 8.1) not detected by username un evaluating bundle ID 0 in domain ID g-dev_slp7_7001.>
Oracle Guardian supports the use of custom signatures to detect and identify one or more configuration settings among the WebLogic Server installations in your environment that you want to correct.
To create, package, and deploy custom signatures in Oracle Guardian, complete the following steps:
Section 2.14.3, "Custom Signature File," provides an example of a custom signature.
Using an ordinary text editor, create the custom signature file in any directory on your machine. Note the following requirements:
Make sure you have Java SDK version 5 or later installed on the machine on which you are creating and packaging the custom signature.
Name the signature file using the .sig file name extension; for example, my-signature.sig.
Specify the CUSTOM signature keyword using the <sig:keyword> XML element (as shown in Section 2.14.3, "Custom Signature File").
After you create the custom signature, you package and deploy it as follows:
Open a command window and change to the following directory:
<guardian_home>/plugins/com.oracle.guardian.custom.signature_x.y.z
In the preceding directory name, guardian_home represents the Oracle Guardian installation directory. For example, on Windows, c:\Program Files\Guardian.
Enter the package command. On Windows platforms, enter package.cmd. On Unix platforms, enter package.sh.
Guardian prompts you to specify the name and location of your custom signature. For example:
[input] Enter the full directory path of your .sig files:
When the package command is executed, Guardian does the following:
Builds a JAR file containing the custom signature. When the JAR file is successfully built, a message similar to the following is displayed:
BUILD SUCCESSFUL Total time: 2 minutes 2 seconds
Deploys the custom signature.
After the custom signature is deployed, restart Guardian. You can now conduct an evaluation to determine whether the custom signature applies to your domain.
Example 2-1 provides an example of a custom signature. This custom signature is used to identify WebLogic Server instances in domain to which patch CR284362 has not been applied, and is triggered when the following conditions exist for each server instance in the domain:
The server is a Managed Server instance running WebLogic Server 8.1 SP5 or 6.
The server is not a member of a cluster.
The server has not already had patch CR284362 applied.
Example 2-1 Custom Signature File
<?xml version="1.0" encoding="UTF-8"?>
<sig:signature xmlns:sig="http://support.bea.com/ns/guardian/10/signature">
<sig:name>My Custom Signatures</sig:name>
<sig:severity>2-WARNING</sig:severity>
<sig:publicationDate>2008-07-14T18:11:20.506-04:00</sig:publicationDate>
<sig:product>WebLogic Server</sig:product>
<sig:description>My Custom Signature</sig:description>
<sig:keywords>
<sig:keyword>CUSTOM</sig:keyword>
</sig:keywords>
<sig:target xmlns:aut="http://support.bea.com/guardian/Authoring">
<sig:namespaces>
<sig:namespace prefix="web">http://support.bea.com/ns/guardian/10/weblogicInventory</sig:namespace>
</sig:namespaces>
<sig:query>(: Target at WLS 8.1 SP5 or SP6 :)
//web:weblogicServer[@major=8 and @minor=1 and (@servicepack=5 or @servicepack=6)]</sig:query>
</sig:target>
<sig:dataSpec xmlns:jmx="http://support.bea.com/ns/guardian/10/jmxCollector" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="jmx:JmxDataSpec">
<jmx:mbean type="Cluster">
<jmx:attributeParam name="Name"/>
</jmx:mbean>
<jmx:mbean type="Server">
<jmx:attributeParam name="Name"/>
</jmx:mbean>
<jmx:mbean type="ServerRuntime">
<jmx:attributeParam name="Name"/>
</jmx:mbean>
</sig:dataSpec>
<sig:impact>Administration</sig:impact>
<sig:topic>WLS:Cluster</sig:topic>
<sig:subtopic>Not Listed</sig:subtopic>
<sig:logic xmlns:xqu="http://support.bea.com/ns/guardian/10/xqueryLogic"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aut="http://support.bea.com/guardian/Authoring"
xsi:type="xqu:xqueryLogicType">
<xqu:imports>
<xqu:module prefix="serverFunc" fileName="/serverFunctions.xq">http://bea.com/guardian/signature/serverFunctions</xqu:module>
<xqu:module prefix="utilityFunc" fileName="/UtilityFunctions.xq">http://bea.com/guardian/signature/utilityFunctions</xqu:module>
</xqu:imports>
<xqu:namespaces>
<sig:namespace prefix="jmx">http://support.bea.com/ns/guardian/10/jmxCollector</sig:namespace>
</xqu:namespaces>
<xqu:query>
(: for any server that is wls81sp5 or sp6 without patch CR284362 and has server not configured
as a cluster member, need to trigger this signature. :)
for $ServerRuntime in serverFunc:getServerRuntimesEqualToVersionWithoutPatch(/, 8,1,5,"CR284362")|
serverFunc:getServerRuntimesEqualToVersionWithoutPatch(/, 8,1,6,"CR284362")
let $ClusterMembers := for $Cluster in //jmx:data/Domain/Cluster
return //jmx:data/Domain/Server[@ObjectName=utilityFunc:getServerObjectNamesFromClusterObjectName(/,$Cluster/@ObjectName)]/@Name
where count(fn:index-of($ClusterMembers, $ServerRuntime/@Name))=0
return <Server Name="{fn:data($ServerRuntime/@Name)}" />
</xqu:query>
</sig:logic>
<sig:remedy xmlns:aut="http://support.bea.com/guardian/Authoring">
<sig:head>The following Server(s) are susceptible to this issue:<br/></sig:head>
<sig:details><li>${/Server/@Name}</li></sig:details>
<sig:foot>Oracle recommends contacting Oracle support for patch CR284362.<br/><br/><br/><br/><br/>Reminder: When applying patches, install them on each server running in the cluster.</sig:foot>
<sig:links/>
</sig:remedy>
<sig:action xmlns:cas="http://support.bea.com/ns/guardian/10/caseAction" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="cas:CaseAction">
<cas:partNum>WLS</cas:partNum>
<cas:reason>Known Issue/Proactive Inquiry</cas:reason>
<cas:note/>
<cas:attachment>Configuration Files</cas:attachment>
<cas:attachment>Server Logs</cas:attachment>
</sig:action>
</sig:signature>
As an alternative to displaying Domain Inventories and Evaluation Summaries in the Document Pane of the Guardian user interface, you can have this information sent to the default Web browser on your machine instead. To do this, you create a properties file named .browser, which must be located in either the Guardian installation directory or your Workspace directory. Then whenever you perform an operation in Guardian that results in conducting an evaluation or an inventory, the information is automatically displayed in the browser.
The .browser properties file can be created in a regular text editor and can contain either of the following arguments:
openBrowser=true
Causes Domain Inventories and Evaluation Summaries to always be displayed in the default browser.
openBrowser=false
Causes Domain Inventories and Evaluation Summaries to always be displayed in the Document Pane (default setting).
If displaying the output of an evaluation or inventory in the Document Pane is adequate for your needs, you do not need to create a .browser file.
This section explains how to perform the following tasks:
The Oracle Guardian log files contain information that My Oracle Support can use to diagnose and resolve issues with your system.
The Guardian log file names, contents, and locations are as follows:
guardian.log — Contains information about every operation the Guardian application performs. This file is located in the Guardian installation directory you specified during installation.
signature.log — Contains information about each evaluation performed, including entries for all detected signatures. This file is located in the Guardian installation directory you specified during installation. You can also use a command line script to automatically scan the signature.log for detected signatures and to notify you when new signatures are detected.
.log — Contains information about certain Guardian operations. This file is located in the .metadata subdirectory of the Guardian Workspace directory you specified when starting Guardian.
install.log — Contains Guardian installation details. This file is located in the ../configuration/org.eclipse.update subdirectory of the Guardian installation directory you specified during installation.
Guardian crashes are extremely unlikely because Guardian uses the Eclipse Rich Client Platform. If Guardian does crash, simply restart Guardian. No additional cleanup operations are required.
In the unlikely event of an exception, the following steps are recommended for resolving the issue:
Read the text of the error message to determine what is wrong.
Save the Exception Error window text with a screen capture, or cut and paste the text into a file.
Retry the operation to see if the issue recurs.
Copy the Oracle Guardian log files to a different location and save them for future reference.
Contact My Oracle Support for assistance.
Tip:
To save log files and make it easier to identify the error, copy them to a different location on your machine. The error is among the last entries in the log file, making it easier to find. See Section 2.16.1, "View Log Files," for the location of Guardian log files.You can use the Service Request Wizard to create a service request archive based on a detected signature, and save the service request information as an archive file that you can optionally send to My Oracle Support. Service request archives are stored as files with a .car file name extension.
Note:
The Service Request Wizard does not connect to My Oracle Support. To obtain support services, you must log in to My Oracle Support athttps://myoraclesupport.oracle.com/CSP/ui/index.html.The wizard automatically creates the service request with all of the signature-specific information required for an Oracle support engineer to begin working on your service request upon receipt of the archive. You can also add any additional attachments and notes before sending the service request archive to Oracle.
To create service request:
Open the Evaluation Summary containing the signature you want to include in the service request.
Click the Domain Explorer tab to open the Domain Explorer.
Open the Evaluation History folder for the domain in which the signature was detected.
Double-click on the entry for the Evaluation Summary containing the detected signature you want to report. This opens the Evaluation Summary View in the Document Pane.
Select the signature you want to include in the service request.
Click on a signature entry to highlight it. This displays the Description and Remedy for the signature in the bottom portion of the Evaluation Summary display in the Document Pane.
Open the Service Request Wizard.
Click the Get more help from Oracle support link at the bottom of the signature Remedy section to open the wizard. This automatically includes the signature contents in the new service request, and displays the first page of the Service Request Wizard, which is the Service Request Notes page.
Note:
Clicking Get more help from Oracle support does not connect Guardian with Oracle Support. Clicking this link only launches the Service Request Wizard. For more information, see Section 1.5.16, "Service Request Archive."(Optional) Enter any additional service request notes.
In the Additional Service Request Notes field, enter any additional text that may be helpful to My Oracle Support in resolving your service request.
Click Next to proceed to the Select Service Request Attachments page.
Select the background information files to include with the service request. You can select one or more of the following:
Service Request Attachments:
Domain Inventory
Detected Signature Results
Recommended Attachments:
Server Log
Other Attachments:
Click the + icon to open a file browser from which you can select files to include.
Click the X icon to remove a file from the list.
Click Next to proceed to the Domain Login page.
Enter the credentials for the WebLogic Server for the selected domain.
In the Domain Credentials section, enter the following:
Username — The username for the WebLogic Server Administrator or Monitor account on the target domain.
Password — The password for the WebLogic Server Administrator or Monitor account on the target domain.
If you select multiple domains, you must supply the login credentials for each domain before you can launch the Evaluation.
(Optional) Select the Remember username/password checkbox to save your login credentials for the selected domains.
Select this option if you want your login information to persist so that you do not have to re-enter it each time you submit a service request.
Click Next to proceed to the Select Service Request Archive Destination page.
In the Select Archive Location field, save the service request as an archive for uploading later. Enter the location to which to save the file, or click the ellipsis (...) to open a file browser from which you can select the location.
Click Finish to create the service request archive.
A Service Request Creation Complete dialog box displays the date, time, and location of the file.
Click OK.
This closes the wizard and returns to the Guardian main window.
The service request archive is now created and is available to optionally be sent to My Oracle Support, as appropriate, to assist with issue resolution.
This section explains how to perform the following tasks:
Note:
If you are using a proxy server for outbound Guardian communications, make sure that you have enabled and tested the outbound proxy connection. See Section 2.7.3, "Enable and Test Outbound Proxy," for instructions.To update Guardian, use the Update Wizard to download new Oracle Guardian software and signatures from My Oracle Support.
To update Guardian:
Open the Update Wizard.
Use one of the following methods to open the wizard:
Press Ctrl+Shift+U.
Click the Update button on the Main toolbar.
Select Help > Software Updates > Guardian Updates.
Enter your My Oracle Support Username and Password.
(Optional) Select the Remember Username/Password checkbox to store your login credentials for future use.
Select this option if you want your login information to persist so that you do not have to enter it each time you create a service request.
On the Search Results page, expand the folders in the Select the features to install tree to see the available selections.
To select features:
(Optional) To filter the results, you can select from the following filter options:
Select Show the latest version of a feature only to display only the current version of each feature in the results.
Select Filter patches included in other patches on the list to filter out duplicate patch entries.
(Optional) Click More Info to see details about a selection.
(Optional) Click Properties to display the properties for a selection.
(Optional) Click Select Required to automatically select all required updates.
Click the checkbox beside a feature name to select or deselect it.
Click Next to proceed to the Feature License page.
Accept the terms in the license agreement to proceed with the installation.
Click Next to proceed to the Installation page.
Select the installation location, or accept the default.
Click Change Location to open a directory browser from which you can select the location. Click OK to enter your selection and close the browser. Click Next to proceed.
Verify the list of features to install, and click Install or Install All.
After the updates are installed, you are prompted as to whether to restart Guardian.
Click Yes to restart Guardian and incorporate the new features.
To update a Guardian installation that does not have Internet access, or to upgrade from Guardian 1.x to the current release, you can perform a manual update. To do so, first update Guardian on a server that has Internet access using the Update Wizard, then copy the updated files to the machines that do not have Internet access.
Note:
To upgrade from Guardian 1.0.x to Guardian 10.3.2, you can still use the Update Wizard.Caution:
If you are upgrading from Guardian 1.0.x, see Section 2.18.3, "Manually Update Guardian Registry," for details. Please also refer to the Oracle Guardian Installation Guide and Oracle Guardian Release Notes for additional important information.To manually update Guardian:
Automatically update Guardian on a server that has Internet access.
See Section 2.18.1, "Automatically Update Guardian," for instructions.
Shut down Guardian on the offline servers.
Select File > Exit from the title bar menu.
Update the Guardian Signatures Repository on the secure (offline) machine.
Copy the following directory and all of its contents from the updated server to the offline servers you want to update, overwriting the old contents:
<..>\guardian\repository\archives
In the preceding path, <..> represents the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian.
Note:
If you only want to update the Guardian Signatures Repository but not the Guardian application itself, you can skip the remainder of these steps.(Optional) Remove the old Signature Features directories from the offline servers.
The Signature Features directories are kept in the following directory:
<..>\guardian\features\
In the preceding path, <..> represents the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian.
The Signature Features directories are named according to the following convention:
com.bea.guardian.feature.signature.weblogic_<old_version>
In the preceding directory name, <old_version> represents the old signature release version. For example:
..\guardian\features\com.bea.guardian.feature.signature.weblogic_1.0.42
Copy the updated Signatures Features directory to the offline servers.
Copy the following directory and all of its contents from the updated machine to the offline servers:
<..>\guardian\features\com.bea.guardian.feature.signature.weblogic_<CurVersion>
In the preceding path:
<..> represents the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian.
<CurVersion> represents the most current signature release version.
(Optional) Remove the old Signature Plug-ins JAR files from the offline servers.
The Signature Plug-ins JAR files reside in the following directory:
<..>\guardian\plugins\
In the preceding path, <..> represents the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian.
The files are named according to the following convention:
com.bea.guardian.signature.weblogic_<old_version>
In the preceding name, <old_version> represents the old signature release version.
Copy the updated Signatures Plug-ins file to the offline servers.
Copy the following file from the updated machine to each of the offline servers:
..\guardian\plugins\com.bea.guardian.signature.weblogic_<CurVersion>
In the preceding path:
<..> represents the parent directory of the Guardian installation root directory. The Guardian installation root directory is named guardian.
<CurVersion> represents the most current signature release version.
Restart Guardian on the newly-updated offline servers.
Check the new configuration:
Select Help > Manage Guardian to open the Product Configuration page.
In the Product Configuration tree (left pane), expand the Oracle Guardian folder and subfolders.
Check the version numbers for each item.
If you are upgrading from Guardian 1.0.x, you must manually update the Guardian Registry. For instructions, please see the Oracle Guardian Installation Guide and the Oracle Guardian Release Notes.
You can use the Product Configuration page to check the current configuration for a Guardian installation. This is especially useful if you have manually updated Guardian and want to check that the update was completed correctly.
To check the current Guardian configuration:
Select Help > Manage Guardian to open the Product Configuration page.
In the Product Configuration tree (left pane), expand the Guardian folder and subfolders.
Check the version numbers for each item.
|
 Copyright © 2008, 2009, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|