Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
Oracle Unified Directory provides a jar file extension that contains a Simple Network Management Protocol (SNMP) connection handler for Management Information Base (MIB) 2605 support. The extension contains the SNMP connection handler, the required classes to support MIB 2605 objects and SNMP requests, and the SNMP adapter that allows an SNMP manager to access the server monitoring information.
Before you start on the procedures in this section, ensure that you have set up an SNMP-managed network for your particular system.
Oracle Unified Directory provides an SNMP connection handler that you can enable and configure. The SNMP connection handler is provided as a jar file extension and is located in install-dir/lib/extensions/snmp-mib2605.jar.
Oracle Unified Directory can be configured for monitoring through the Simple Network Management Protocol (SNMP). The server uses the Java Dynamic Management Kit (JDMK) to create smart agents for the SNMP connection handler.
Use dsconfig to view the list of current connection handlers.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  list-connection-handlers

Connection Handler       : Type : enabled : listen-port : use-ssl
-------------------------:------:---------:-------------:--------
JMX Connection Handler   : jmx  : false   : 1689        : false
LDAP Connection Handler  : ldap : true    : 1389        : false
LDAPS Connection Handler : ldap : false   : 636         : true
LDIF Connection Handler  : ldif : true    : -           : -
SNMP Connection Handler  : snmp : false   : 161         : -

Enable the SNMP connection handler and set its listen port:

$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w password -n -X \
  set-connection-handler-prop \
  --handler-name "SNMP Connection Handler" --set enabled:true --set listen-port:8085
Use the following dsconfig command.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-connection-handler-prop \
  --handler-name "SNMP Connection Handler"
The connection handler properties are listed with their values, as follows.
Property            : Value(s)
--------------------:------------------------------------------
allowed-client      : -
allowed-manager     : *
allowed-user        : *
community           : OUD
denied-client       : -
enabled             : false
listen-port         : 161
opendmk-jarfile     : -
registered-mbean    : false
security-agent-file : config/snmp/security/oud-snmp.security
security-level      : authnopriv
trap-port           : 162
traps-community     : OUD
traps-destination   : -
If the server was started and no modifications were made to the configuration, the restart operation is not required.
$ snmpwalk -v 2c -c OUD@OUD localhost:8085 mib-2.66
SNMPv2-SMI::mib-2.66.1.1.1.1 = STRING: "Oracle Unified Directory Server 11.1.1.5.0 - 20090310152800Z"
SNMPv2-SMI::mib-2.66.1.1.2.1 = STRING: "instance-dir/bin"
SNMPv2-SMI::mib-2.66.1.1.3.1 = Gauge32: 35
SNMPv2-SMI::mib-2.66.1.1.4.1 = Gauge32: 1
SNMPv2-SMI::mib-2.66.1.1.5.1 = Gauge32: 0
SNMPv2-SMI::mib-2.66.1.1.6.1 = Counter32: 0
SNMPv2-SMI::mib-2.66.1.1.7.1 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::mib-2.66.2.1.1.1.2 = INTEGER: 2
SNMPv2-SMI::mib-2.66.2.1.1.1.3 = INTEGER: 3
SNMPv2-SMI::mib-2.66.2.1.2.1.1 = OID: SNMPv2-SMI::internet.27.3.8085
SNMPv2-SMI::mib-2.66.2.1.2.1.2 = OID: SNMPv2-SMI::internet.27.3.1389
SNMPv2-SMI::mib-2.66.2.1.2.1.3 = OID: SNMPv2-SMI::enterprises.42
SNMPv2-SMI::mib-2.66.2.1.3.1.1 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.3.1.2 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.3.1.3 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.4.1.1 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.4.1.2 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.4.1.3 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.5.1.1 = Counter32: 1
SNMPv2-SMI::mib-2.66.2.1.5.1.2 = Counter32: 1
...
The managed objects included in the MIB 2605 are divided into three tables: dsTable, dsAppliIfOpsTable, and dsIntTable. Currently, the dsIntTable table is not implemented.
SNMP security configuration depends on the version of SNMP you are using. This topic discusses security configuration for SNMP V1 and V2c, and for V3.
Under SNMP v1 and SNMP v2c, agents act as information servers, and the IP-based access control protects this information from unauthorized access. By default, the MIB 2605 is accessible in v1 and v2c by using the community string OUD@OUD. All managers are allowed to read the monitoring information exposed by the MIB 2605.
Note - Only read access is authorized on the MIB 2605.
You can configure SNMP v1 and SNMP v2c by setting the SNMP connection handler properties with the dsconfig command. Properties related to the SNMP v1 and SNMP v2c security configuration include:
allowed-manager
community
SNMP v1 traps are sent on server startup and server shutdown. By default, these traps are sent to localhost and use the trap community string "OUD".
Note - The default trap port might have to be changed to a value that is allowed by the system.
SNMP traps are also configured by setting the SNMP connection properties with the dsconfig command. Properties related to SNMP traps include:
trap-port
traps-community
traps-destination
The ACL file that corresponds to the default values of the SNMP connection handler would be represented as follows:
acl = {
  {
    communities = OUD
    access = read-only
    managers = all
  }
}
trap = {
  {
    traps-community = OUD
    hosts = localhost
  }
}
The SNMP v3 protocol provides more sophisticated security mechanisms than SNMP v1 and SNMP v2c. SNMP v3 implements a user-based security model (USM) that authenticates and encrypts the requests sent between agents and their managers, and provides user-based access control. A defaultUser template is provided for adding authorized users in the agent engine using the SNMP cloning mechanism.
Under SNMP v3, the community string described in the previous section is used as the "context" in which the MIB 2605 is registered. By default, the MIB 2605 is accessible in v3 by using the context "OUD". All users have access to it.
The SNMP v3 UACL is configured by setting the SNMP connection handler properties with the dsconfig command-line utility. The properties related to SNMP v3 UACL configuration include:
community
allowed-user
security-level
The UACL file corresponding to the default values of the SNMP connection handler would be represented as follows:
uacl = {
  {
    context-names = OUD
    access = read-only
    security-level = authNoPriv
    users = *
  }
}
The USM MIB (that is, the MIB that defines allowed users) is registered in the null context and only a snmpAdmin user with a security level authNoPriv has read-write access to it. This snmpAdmin user can add additional users who can access the MIB 2605 information.
The SNMP v3 USM configuration is read from a template file that is located at install-dir/config/snmp/security/oud-snmp.security. The template file is not encrypted.
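The v1/v2c properties (allowed-manager, community, traps-community) and the v3 UACL properties (allowed-user, security-level) listed above all default to their most permissive values. The following added script, which is not part of the product or this guide, parses the "Property : Value(s)" table that get-connection-handler-prop prints and reports the settings a defender would tighten; the embedded table is a constructed copy of the default listing shown earlier.

```python
"""Audit the SNMP connection handler properties as printed by dsconfig."""
import re

# Constructed sample: the default property listing from get-connection-handler-prop.
DSCONFIG_OUTPUT = """\
Property            : Value(s)
--------------------:------------------------------------------
allowed-client      : -
allowed-manager     : *
allowed-user        : *
community           : OUD
denied-client       : -
enabled             : false
listen-port         : 161
security-level      : authnopriv
trap-port           : 162
traps-community     : OUD
traps-destination   : -
"""

def parse_properties(text):
    """Turn the 'name : value' table into a dict; a bare '-' means unset (None)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z][\w-]*)\s*:\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = None if m.group(2) == "-" else m.group(2)
    return props

def audit_snmp(props):
    """Return findings for settings that leave the MIB 2605 readable too widely."""
    findings = []
    if props.get("allowed-manager") == "*":
        findings.append("allowed-manager is '*': any v1/v2c manager host may read the MIB")
    if props.get("community") == "OUD":
        findings.append("community is the documented default 'OUD'")
    if props.get("traps-community") == "OUD":
        findings.append("traps-community is the documented default 'OUD'")
    if props.get("allowed-user") == "*":
        findings.append("allowed-user is '*': every USM user may read the MIB")
    level = (props.get("security-level") or "").lower()
    if level != "authpriv":
        findings.append(f"security-level '{level}' does not encrypt v3 requests")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(parse_properties(DSCONFIG_OUTPUT)):
        print("WARN:", finding)
```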
To access the MIB 2605 in the server agent, use the SNMP clone mechanism to add a user in the security file. Use snmpAdmin to send the SNMP request for the clone mechanism as shown here. The user to clone is defaultUser. The snmpAdmin and defaultUser users cannot access the MIB 2605 information.
# Admin User to add and configure other users.
userEntry=localEngineID,snmpAdmin,null,usmHMACMD5AuthProtocol,passadmin

# Template user to be cloned with no read or write access.
userEntry=localEngineID,defaultUser,,usmHMACMD5AuthProtocol,password,,,3,true
Note - The security file is also used to make the users persistent.