Oracle Enterprise Manager Ops Center is a data center management solution for managing both hardware and software from one console. This document presents good practices for managing the security of Oracle Enterprise Manager Ops Center deployments.
The Oracle Enterprise Manager Ops Center software has a distributed architecture with a single master controller (Enterprise Controller) and multiple controllers (Proxy Controllers). Each Proxy Controller connects either to multiple Agent Controllers hosted on an Operating System instance or to managed systems or to both. Figure 1-1 shows a deployment with one Proxy Controller, which can be located on the same system as the Enterprise Controller.
The Knowledge Base is the repository for metadata about Oracle Solaris 10-8 and Linux OS components, which resides on Oracle's website. Oracle Enterprise Manager Ops Center can connect to the Knowledge Base through the Internet to obtain OS updates and updates to the product software itself. In a similar way, the Enterprise Controller can get access to the Oracle Solaris 11 Package Repository for updates to components of Oracle Solaris 11.
The Enterprise Controller is the central server for Oracle Enterprise Manager Ops Center and there is only one Enterprise Controller in each installation. The Enterprise Controller stores firmware and OS images, plans, profiles, and policies. The Enterprise Controller also stores the asset data and site customizations in a database and hosts the web container for the user interface components. The Enterprise Controller handles all user authentication and authorization. All operations are initiated from the Enterprise Controller.
Although the Enterprise Controller stores firmware and OS images, these images are not included in a backup of the Enterprise Controller. As a good practice, create the software library for OS images on networked storage (NAS). Then include the network storage device in your site's backup plan.
A Proxy Controller links the managed assets to the Enterprise Controller and acts for the Enterprise Controller in operations that must be located close to managed assets, such as OS provisioning. The Proxy Controller provides fan-out capabilities to minimize network load and to support complex network topologies. The Proxy Controller also contains the logic for agent-less monitoring and management of hardware.
An Agent is lightweight Java software that represents and manages an OS asset or OS instance and responds to requests from a Proxy Controller. Hardware management does not require an agent. The Agent receives the command, performs the required action, and reports results to the Proxy Controller. An agent never communicates directly with the Enterprise Controller.
The Enterprise Controller uses an Oracle Database 11g Enterprise Edition database to store Oracle Enterprise Manager Ops Center data. The database can be local or remote:
The local database is embedded in the Enterprise Controller, created during product installation.
A remote database is a new or existing customer-managed database.
Oracle Enterprise Manager Ops Center provides utilities to help you manage the local database, migrate your data from a local database to a customer-managed database, back up and recover the database schema, and change database credentials.
For a secure deployment, each communication direction must be protected. Use the procedures in Table 1-1to secure each connection.
Connection | To Make Secure |
---|---|
From Internet to the Enterprise Controller |
|
Between Enterprise Controller and database |
|
Between Enterprise Controller and LDAP server |
Use SSL authorization as described in the To Add a Directory Server procedure |
Between Enterprise Controller and the NFS server |
Verify that a firewall does not separate the Enterprise Controller and the NFS server. Verify that the NFS server uses the NFSv4 protocol. |
Between Enterprise Controller and remote Proxy Controllers |
Configure a reverse SSH tunnel when you install the product software. This option is described in the |
Between Proxy Controller and assets |
Authentication is configured when the asset is discovered and managed as described in Authentication Between the Proxy Controller and Agents |
In the normal operation of the product, various Proxy Controllers make requests for asset data or status and receive the response from each asset. For each transaction, the Proxy Controller must authenticate the asset and each asset must authenticate the Proxy Controller, as described in the next section. For an agentless-managed asset, authentication requires an SSH password as described in Credential Management for Assets. An alternative procedure for an OS asset that does not require a password is to install a token manually, also described in that section.
For an agent-managed asset, authentication is configured when the asset is discovered and managed. The Enterprise Controller installs an agent controller on the asset. This triggers two actions:
Agent creates a public/private key pair
Agent saves the key pair in /var/opt/sun/xvm/persistence/scn-agent/connection.properties
Only the root user can read the agent properties file.
Agent sends the public key to the Enterprise Controller (through its Proxy Controller)
Enterprise Controller creates a unique client registration ID for this agent.
Enterprise Controller saves the public key and the client registration ID together in the database
Enterprise Controller sends the client registration ID to the agent,
Agent saves the client registration ID in t/var/opt/sun/xvm/persistence/scn-agent/connection.properties
file.
Authentication of the Proxy Controller
Proxy Controller's server-side certificate was prompted to the agent as part of SSL handshake.
Agent accepts the certificate.
Agent saves the certificate locally in /var/opt/sun/xvm/security/jsse/scn-agent/truststore
Whenever an agent gets an inquiry:
Proxy Controller's web server sends its certificate to the agent.
Agent confirms this certificate with the already-accepted certificate saved in /var/opt/sun/xvm/security/jsse/scn-agent/truststore
. This is the SSL handshake.
If the agent does not confirm the Proxy Controller's certificate, the SSL handshake fails. No data is sent. This protects against an interloper.
When an agent responds to an inquiry:
Agent creates a string from the client reg ID and the private key. The string is its signature
Agent sends an HTTPS POST of the signature and the requested data to the Proxy Controller.
Proxy Controller retrieves the public key for the agent's client reg ID from the database.
Proxy Controller verifies that the message's signature was created from the private key that matches the public key.
If the Proxy Controller detects that the message's private key does not match the public key, the Proxy Controller does not allow the connection. This protects against an entity misrepresenting itself as the agent.
This section describes the principles fundamental to using the software securely.
Good security is maintained when all software versions and patches are up to date. This document discusses Oracle Enterprise Manager Ops Center version 12c Release 1 (12.1.4.0.0). As new versions or updates of Oracle Enterprise Manager Ops Center become available, install the new software as soon as possible.
Firewalls restrict access to systems to a specific network route that can be monitored and controlled. When firewalls are used in combination, they create a DMZ, a term for a subnetwork that controls access from an untrusted network to the trusted network. Using firewalls to create a DMZ provide two essential functions:
Blocks traffic types that are known to be illegal.
Contains any intrusion that attempts to take over processes or processors.
In your deployment, design an environment that locates the Enterprise Controller's system in a DMZ, that is, with a firewall between the system and the Internet and a firewall between the system and the corporate intranet, as in Figure 1-2. This type of environment allows the Enterprise Controller to get access to the Internet to perform operations while in Connected mode, and restricts access to assets to only those operations that manage the assets. When the Enterprise Controller is in Disconnected mode, it operates without access to the Internet.
Figure 1-2 Firewalls Restrict Access to Enterprise Controller
If your data center includes remote Proxy Controllers, use firewalls between the Enterprise Controller's system and the Proxy Controllers' systems.
To use Oracle Enterprise Manager Ops Center in Connected mode, use the information in Table 1-2 to configure the firewall between the Enterprise Controller and the Internet.
Table 1-2 IP Address and Port Requirements
Site | IP Address | Port | Purpose |
---|---|---|---|
|
192.9.164.103 |
Port 443 |
Updates to OCDoctor utility |
|
192.9.164.103 |
Port 443 |
Access to Oracle Solaris Cluster profiles and scripts. |
|
141.146.8.119 |
Port 443 |
Logging into Oracle sites |
|
141.146.44.51 |
Port 443 |
Access to Oracle Knowledge Base for OS updates |
|
192.18.110.10 |
Port 443 |
Product registration |
|
192.18.110.11 |
Port 443 |
Product registration |
|
141.146.54.16 |
Port 443 |
My Oracle Support |
|
96.17.111.33 96.17.111.49 |
Port 80 |
- |
|
na |
Port 80 |
Provides local IP addresses to optimize download speed. Use |
|
na |
Port 443 |
Provides local IP addresses to optimize download speed. Use |
To configure the firewall between the Enterprise Controller and a Proxy Controller or a corporate network, allow the ports and protocols in Table 1-3.
Table 1-3 Required Ports and Protocols
Communication Direction | Protocol and Port | Purpose |
---|---|---|
Enterprise Controller |
Port 443, then Port 11165 Port 8005 |
Enterprise Controller in Disconnected mode |
Enterprise Controller |
Port 443, then Port 11165 |
Enterprise Controller in Connected mode |
Browser to Enterprise Controller |
HTTP, TCP: Port 80 |
Redirects to port 9443 |
Browser to Enterprise Controller |
HTTPS, TCP: Port 9443 |
Web interface |
Enterprise Controller to Local Database |
Port 11176 |
Oracle Listener port |
Enterprise Controller to Proxy Controller |
SSH, TCP: Port 22 ICMP ping: Type 8 Code 0 (echo request) |
Enterprise Controller installs or upgrades a Proxy Controller through the UI. |
Proxy Controllers to Enterprise Controller |
HTTPS, TCP: Port 443 |
Proxy Controller pushes data about assets to Enterprise Controller. Proxy Controller pulls data for jobs, updates, Agent Controllers, and OS images from the Enterprise Controller. |
Proxy Controllers to Enterprise Controller |
HTTP: Port 8004 |
WAN Boot traffic |
Proxy Controllers to Enterprise Controller |
ICMP ping: Type 0 Code 0 (echo reply) |
During upgrades, Proxy Controllers use ICMP ping. |
Remote Proxy Controller to Enterprise Control through an SSH Tunnel |
SSH, Port 21161 |
When a Proxy Controller is deployed on a network outside of the firewall, the SSH Tunnel and Port 21161 change the direction of communication so that the remote Proxy Controller does not initiate communication with the Enterprise Controller. |
Proxy Controller to ALOM Service Processors |
SSH, TCP: Port 22 or Telnet, TCP: Port 23 SNMP, UDP: Port 161 TCP: Port 6481 (for discovery by service tags) ICMP, Type 8 Code 0 |
Proxy Controller discovers, manages, and monitors the service processor. |
Proxy Controller to ILOM Service Processors |
SSH, TCP: Port 22 SNMP, UDP: Port 161 IPMI, TCP, UDP: Port 623 TCP: Port 6481 (for discovery by service tags) ICMP, Type 8 Code 0 |
Proxy Controller discovers, manages, and monitors the service processor. |
Proxy Controller to ALOM or XCSF Service Processor |
FTP, TCP: Port 21 |
Proxy Controller provisions firmware on an ALOM service processor. Port 21 transfers the firmware image. A transient random port is opened for the duration of the operation. |
Proxy Controller to ILOM Service Processor |
TFTP, UDP: Port 69 |
Proxy Controller provisions firmware on an ILOM service processor. Port 69 transfers the firmware image. A transient random port is opened for the duration of the operation. |
Service Processor to Proxy Controller |
SNMP, UDP: Port 162 ICMP ping: Type 0 (echo reply) |
For monitoring hardware, the service processor sends SNMP traps to the Proxy Controller. For a failed connection, Proxy Controller receives ICMP ping Type 3 (destination unreachable). |
Proxy Controller to OS Host |
SSH, TCP: Port 22 or Telnet, TCP: Port 23 TCP: Port 6481 (for discovery and monitoring by service tags) ICMP, Type 8 Code 0 (heartbeat) |
Proxy Controller discovers, manages, and monitors an asset. |
Proxy Controller to OS Host |
DHCP, UDP: Port 67 |
Proxy Controller provisions an OS. |
OS Host to Proxy Controller |
HTTP, TCP: Port 8004 Oracle Solaris 11 Automated Installer Web Server: Port 5555 to accept requests from the OS Host during provisioning
|
OS Host reports status of OS updates and status of Agent Controller installation. OS Host downloads Agent Controller archive file. |
OS Host to Proxy Controller |
DHCP, UDP: Port 68 TFTP, UDP: Port 69 TCP+UDP: Port 37 HTTP, TCP: Port 8004 |
OS Host responds to Proxy Controller inquiries during bare-metal OS provisioning |
Agent Controller to Proxy Controller |
HTTPS, TCP: Port 21165 |
Agent Controllers push asset data to Proxy Controller. Agent Controllers pull data for jobs. |
Agent Controller to Proxy Controller |
HTTPS, TCP: Port 8002 |
Agent Controllers pull updates from Proxy Controller. |
Agent Controller on Oracle Solaris OS or on Oracle hardware to co-located Proxy Controller |
SNMP: Port 1162, or a port in the range of 1100 through 1200 |
For monitoring assets, the Agent Controller sends trap notifications and fault management alerts (FMA) to the Proxy Controller as local traffic. Because the Proxy Controller is using Port 162, a co-located Agent Controller uses Port 1162, if it is available, or a port in the range of Ports 1100 through 1200. |
Java client to public APIs |
TLS: Port 11172 |
JMX access from clients |
WMI client on Proxy Controller to Agent Controller |
Port 11162 |
WMI client resides on the Proxy Controller and communicates with the WMI server on the Agent Controller. The Proxy Controller uses the DCOM protocol to monitor a Windows system. The Proxy Controller opens a TCP connection to the Windows DCOM registry port, TCP 135, which provides a lookup service to the WMI scripting DCOM object. The Proxy Controller connects to the DCOM object. The port number for this connection is allocated by the Windows system. |
Proxy Controller to NFS server |
Use an NFS server that is on the same side of the firewall as the Proxy Controller. Refer to your OS documentation to set up the NFS server. |
Proxy Controller pulls provisioning images from NAS Library |
Global Zones or Oracle VM Servers to NFS server |
Use an NFS server that is on the same side of the firewall as the Proxy Controller. Refer to your OS documentation to set up the NFS server. |
Global Zones and Oracle VM Servers push their metadata and virtual host images to NAS Library |
OCDoctor to |
HTTPS, TCP: Port 80 |
Acquires product updates. |
The principle of least privilege states that users are given the lowest level of permissions to perform their tasks. Granting roles or privileges in excess of a user's responsibilities leaves a system open for non-compliance. Review privileges periodically to determine whether they remain appropriate for each user's current job responsibilities.
You give each user a set of roles, which determine the tasks the user can and cannot perform, and a set of privileges which specify the assets, networks, or other objects to which the user's roles apply. This gives you fine-grained control of the actions that users can take.
Table 1-4 shows the permission needed to perform each action. Oracle Enterprise Manager Ops Center groups permissions into roles and assigns one or more roles to a user account. Table 1-5 shows the permissions granted by each role.
Table 1-4 Tasks and Permissions
Tasks | Permission |
---|---|
Read Access |
Read Access |
Add Assets Find Assets |
Discover Assets |
Manage Assets Delete Assets |
Manage Assets |
Create Group Edit Group Add Assets to Group Delete Group |
Asset Group Management |
New Update OS Job Deploy or Update Software Compare System Catalog Create Catalog Snapshot View and Modify Catalog |
Update |
New Simulated OS Update Job |
Update Simulation |
Configure and Deploy Server Install Server Configure RAID |
Server Deployment |
Add or delete storage Assign or detach network Start Guest Shut Down Guest Migrate Guest Clone Guest Lifecycle actions |
Virtualization Guest Management |
Assign Incidents Add Annotation to incidents Acknowledge incidents Take Actions on Incidents Mark Incidents as Repaired Close Incidents Delete Notifications Take Actions on Notification |
Fault Management |
Update Management Credentials Any Actions related to changing credentials |
Credential Management |
Edit Network Domain Edit Network Attributes Edit Network Services |
Network Management |
Fabric Management |
Fabric Management |
Import ISO Upload image Edit Attributes |
Storage Management |
Create reports Delete reports |
Report Management |
Create, delete, and modify profiles and plans |
Plan/Profile Management |
Create/Update/Delete Instance Attach/Detach Volume to Instance Create/Delete/Update Security Group Create/Update/Delete Volume Upload/Register/Delete templates Create/RollbackTo/Delete Snapshot Shutdown All servers Link/Launch OVAB |
Cloud Usage |
Create/Delete/Update Cloud Create/Delete/Update Cloud Domain Create Public Security Group Share Public Security Group Create VM Instance Type |
Cloud Management |
Manage Enterprise Controller |
Enterprise Controller Management |
Unconfigure/Uninstall Proxy Controller Configure Agent Controller Unconfigure Agent Controller DHCP configuration Subnets External DHCP Servers |
Proxy Controller Management |
Configure/Connect Disconnect/Unconfigure Cloud Control Console |
Cloud Control Management |
Unconfigure SCCM Configuration |
Windows Update Management |
Add Users Remove Users |
User Management |
Assign Roles |
Role Management |
Asset Management |
Asset Management |
Write Access |
Write Access |
Open Service Request |
Service Request |
Power On Power Off Power on with Net Boot Set Power Policy |
Power Management |
Chassis Management |
Chassis Management |
Storage Server Management |
Storage Server Management |
Launch Switch UI |
Switch Management |
Reset Servers Reset Service Processors Refresh Locator Light On/Off Snapshot Bios Configuration Update Bios Configuration |
Server Management |
Reboot Upgrade Agent Controller |
Operating System Management |
Cluster Management |
Cluster Management |
Aggregate Links |
Link Aggregation |
IPMP Groups |
IPMP Groups |
Update Firmware |
Update Firmware |
Upgrade Proxy Controller |
Proxy Controller Upgrade |
Execute Operation |
Operation Execution |
Unconfigure Enterprise Controller |
Unconfigure EC |
Add Product Alias |
Add Product Alias |
Upgrade Enterprise Controller |
EC Upgrade |
Set Enterprise Controller Storage Library |
EC Storage Library Management |
Configure Local Agent Unconfigure Local Agent |
EC Local Agent Management |
Proxy Deployment Wizard |
EC Proxy Management |
Set up Connection Mode |
EC Connection Mode Management |
Register Enterprise Controller |
EC Registration |
Change HTTP Proxy |
EC HTTP Proxy Management |
Edit Energy Cost |
EC Energy Cost Management |
Ops Center Downloads |
Ops Center Downloads |
Activate Boot Env and Reboot Create New Boot Env. Synchronize Boot Env. |
Boot Environment Management |
Create Server Pool |
Server Pool Creation |
Delete Server Pool |
Server Pool Deletion |
Rebalance Resource Edit Server Pool Attribute Attach Network to Server Pool Associate Library to Server Pool Add/Remove Virtual Host |
Server Pool Management |
Create OVM virtual Servers Create zone servers Create Logical Domains |
Server Pool Usage |
Create Virtualization Host |
Virtualization Host Creation |
Delete Virtualization Host |
Virtualization Host Deletion |
Add/Remove Virtual Host to/from Server Pool Edit Tags Edit Attributes Reboot Change Routing Configuration Change NFS4 Domain Change Naming Service Change Remote Logging Configuration |
Virtualization Host Management |
Create Logical Domains Create zones Create OVM virtual servers |
Virtualization Host Usage |
Create Logical Domains Create zones Create OVM virtual servers |
Virtualization Guest Creation |
Delete Logic Domain Delete Zones Delete OVM Virtual Servers. |
Virtualization Guest Deletion |
Start Guest Shutdown Guest Migrate Guest Clone Guest |
Virtualization Guest Usage |
Create Library |
Storage Creation |
Delete Library |
Storage Deletion |
Associate Library |
Storage Usage |
Create Network Domain Create Network |
Network Creation |
Delete Network Domain Delete Network |
Network Deletion |
Assign Network Connect Guests |
Network Usage |
Create Fabric |
Fabric Creation |
Delete Fabric |
Fabric Deletion |
Fabric Management |
Fabric Usage |
Chassis Usage |
Chassis Usage |
Storage Server Usage |
Storage Server Usage |
Switch Usage |
Switch Usage |
Launch LOM Controller Edit Tags |
Server Usage |
Edit Tags Edit Attributes |
Operating System Usage |
Create Rack |
Rack Creation |
Directory Server Management |
Directory Server Management |
Power Distribution Unit Usage |
Power Distribution Unit Usage |
Power Distribution Unit Management |
Power Distribution Unit Management |
Rack Creation |
Rack Creation |
Rack Deletion |
Rack Deletion |
Rack Management |
Rack Management |
Rack Usage |
Rack Usage |
OVM Manager Usage |
OVM Manager Usage |
OVM Manager Management |
OVM Manager Management |
Network Domain Creation |
Network Domain Creation |
Network Domain Deletion |
Network Domain Deletion |
Network Domain Management |
Network Domain Management |
Network Domain Usage |
Network Domain Usage |
Asset Network Management |
Asset Network Management |
Job Management |
Job Management |
Table 1-5 Roles and Permissions
Role | Permissions |
---|---|
Asset Admin |
Asset Management Asset Network Management Boot Environment Management Chassis Management Chassis Usage Cluster Management Discover Assets IPMP Groups Link Aggregation Manage Assets Network Management Operating System Management Operating System Usage Power Distribution Unit Management Power Distribution Unit Usage Power Management Rack Creation Rack Deletion Rack Management Rack Usage Read Access Server Management Server Usage Service Request Storage Server Management Storage Server Usage Switch Management Switch Usage Write Access |
Cloud Admin |
Asset Management Asset Network Management Cloud Management Cloud Usage Fabric Creation Fabric Deletion Fabric Management Fabric Usage IPMP Groups Link Aggregation Manage Assets Network Creation Network Deletion Network Domain Creation Network Domain Deletion Network Domain Management Network Domain Usage Network Management Network Usage Operating System Management Operating System Usage OVM Manager Management OVM Manager Usage Profile Plan Management Read Access Role Management Server Management Server Pool Management Server Pool Usage Server Usage Storage Management Storage Server Management Storage Server Usage Storage Usage Switch Management Switch Usage Virtualization Guest Creation Virtualization Guest Deletion Virtualization Guest Management Virtualization Guest Usage Virtualization Host Management Virtualization Host Usage Write Access |
Cloud User |
Asset Management Asset Network Management Cloud Usage Fabric Creation Fabric Deletion Fabric Usage Manage Assets Network Creation Network Deletion Network Domain Management Network Domain Usage Network Management Network Usage Operating System Management Operating System Usage OVM Manager Usage Read Access Server Pool Usage Server Usage Storage Management Storage Server Usage Storage Usage Switch Usage Virtualization Guest Creation Virtualization Guest Deletion Virtualization Guest Management Virtualization Guest Usage Virtualization Host Management Virtualization Host Usage Write Access |
Exalogic Systems Admin |
Asset Management Credential Management Directory Server Management EC Energy Cost Management EC HTTP Proxy Management EC Registration Fabric Creation Fabric Deletion Fabric Management Fabric Usage Job Management Link Aggregation Network Creation Network Deletion Network Domain Creation Network Domain Deletion Network Domain Management Network Domain Usage Network Management Network Usage Operating System Management Operating System Usage Operation Execution OVM Manager Management OVM Manager Usage Power Distribution Unit Management Power Distribution Unit Usage Profile Plan Management Proxy Controller Management Read Access Report Management Role Management Server Deployment Server Management Server Usage Service Request Storage Creation Storage Deletion Storage Management Storage Server Management Storage Server Usage Storage Usage Switch Usage Update Firmware User Management Write Access |
Fault Admin |
Fault Management Read Access Write Access |
Network Admin |
Asset Management Asset Network Management Fabric Creation Fabric Deletion Fabric Management Fabric Usage IPMP Groups Link Aggregation Network Creation Network Deletion Network Domain Creation Network Domain Deletion Network Domain Management Network Domain Usage Network Management Network Usage Read Access Write Access |
Ops Center Admin |
Add Product Alias Discover Assets EC Connection Mode Management EC Energy Cost Management EC HTTP Proxy Management EC Local Agent Management EC Proxy Management EC Registration EC Storage Library Management EC Upgrade Enterprise Controller Management Cloud Control Management Job Management Manage Assets Ops Center Downloads OVM Manager Management OVM Manager Usage Proxy Controller Management Proxy Controller Upgrade Read Access Unconfigure EC Windows Update Management Write Access |
Plan/Profile Admin |
Plan/Profile Management Read Access Write Access |
Read |
Read Access |
Report Admin |
Read Access Report Management Update Simulation Write Access |
Role Management Admin |
Read Access Role Management Write Access |
Security Admin |
Credential Management Read Access Write Access |
Apply Deployment Plans |
Operation Execution Read Access Server Deployment Update Firmware Write Access |
Storage Admin |
Asset Management Read Access Storage Creation Storage Deletion Storage Management Storage Server Management Storage Server Usage Storage Usage Write Access |
Supercluster Systems Admin |
Asset Management Cluster Management Credential Management Directory Server Management EC Energy Cost Management EC HTTP Proxy Management EC Registration Fabric Creation Fabric Deletion Fabric Management Fabric Usage Job Management Link Aggregation Network Creation Network Deletion Network Domain Creation Network Domain Deletion Network Domain Management Network Domain Usage Network Management Network Usage Operating System Management Operating System Usage Operation Execution Power Distribution Unit Management Power Distribution Unit Usage Profile Plan Management Proxy Controller Management Read Access Report Management Role Management Server Deployment Server Management Server Usage Service Request Storage Creation Storage Deletion Storage Management Storage Server Management Storage Server Usage Storage Usage Switch Usage Update Firmware User Management Write Access |
Update Admin |
Boot Environment Management Read Access Update Update Simulation Windows Update Management Write Access |
Update Simulation Admin |
Read Access Update Simulation Write Access |
User Management Admin |
Directory Server Management Read Access User Management Write Access |
Virtualization Admin |
Asset Management Asset Network Management Fabric Creation Fabric Deletion Fabric Management Fabric Usage IPMP Groups Link Aggregation Manage Assets Network Creation Network Deletion Network Domain Creation Network Domain Deletion Network Domain Management Network Domain Usage Network Management Network Usage Operating System Management OVM Manager Management OVM Manager Usage Read Access Server Deployment Server Management Server Pool Creation Server Pool Deletion Server Pool Management Server Pool Usage Storage Creation Storage Deletion Storage Management Storage Server Management Storage Server Usage Storage Usage Virtualization Guest Creation Virtualization Guest Deletion Virtualization Guest Management Virtualization Guest Usage Virtualization Host Creation Virtualization Host Deletion Virtualization Host Management Virtualization Host Usage Write Access |
The user accounts are created from the local authentication subsystem of the Enterprise Controller's operating system or from a separate directory server, as described inConfiguring an LDAP Server.
You must have the Role Admin role to grant roles to user accounts and to change privileges.
Select Administration in the Navigation pane.
Click the Roles tab. The Roles page is displayed.
Select a user from the list of users.
Click the Manage User Roles icon.
Add or remove one or more roles from the roles list. By default, a user has all the permissions of the assigned role. To control the scope of a user's role, remove a specific permission:
Deselect the Use the default Role associations box. Click Next.
The privileges for each type of target are displayed on separate pages. Select the roles to apply to each target, then click Next.
The Summary page is displayed. Review the roles and privileges assigned to the user, then click Finish.
Each Oracle Enterprise Manager Ops Center component has some auditing capability. Follow audit advice in this document and regularly monitor audit records.
Oracle Enterprise Manager Ops Center performs each action as a job. The details of a job show the order of operations in the job and the managed assets that were targets of the job. You can view the details of a job from either the browser or the command-line interface. Oracle Enterprise Manager Ops Center stores each job until the job is deleted explicitly.
In addition to the jobs record, log files can be a source of activity records. Logs are written during operations and can provide additional detail about system activity. Log files are protected by file permissions and therefore requires a privileged user to get access to them.
User session activity is included in the BUI log file and in the audit-logs file, which also include activity from the command-line interface.:
/var/opt/sun/xvm/logs/emoc.log
has the following format with the timestamp:
User login: User <username> logged in. User logout: User <username> logged out. User login session expire: User <username> logged in.
/var/opt/sun/xvm/logs/audit-logs*
has the following format:
6/6/13 9:39 AM LOGIN rmi://127.0.0.1 root 7 6/6/13 9:39 AM REMOTE_INFO rmi://127.0.0.1 root 7, Remote Info: User root connected from 10.166.78.167:54179 / JMX Session: com.sun.cacao.session^Armi://127.0.0.1:1 com.sun.cacao.user^Aroot
Sessions with IP address and port: /var/opt/sun/xvm/logs/audit-logs*
BUI: /var/opt/sun/xvm/logs/emoc.log
Actions of the BUI and remote clients on the Enterprise Controller:
On Oracle Solaris: /var/cacao/instances/oem-ec/audits/
On Linux: /var/opt/sun/cacao/instances/oem-ec/audits/
Events between controllers and agents:
On an Oracle Solaris Enterprise Controller: /var/cacao/instances/oem-ec/logs/cacao.
n
On a Linux Enterprise Controller: /var/opt/sun/cacao/instances/oem-ec/logs/cacao
n
On each Oracle Solaris Proxy Controller: /var/cacao/instances/scn-proxy/logs/cacao.
n
On each Linux Proxy Controller: /var/opt/sun/cacao/instances/scn-proxy/logs/cacao.
n
When Oracle Enterprise Manager Ops Center is in a High Availability configuration, each Enterprise Controller is a Clusterware node. The Clusterware resource activity is logged and the following log file is updated each time the active Enterprise Controller's resource action script's check()
function is executed. The default interval is 60 seconds.
On Oracle Solaris: /var/opt/sun/xvm/ha/EnterpriseController.log
The Software Update component has its own server with its own logs. The following logs provide information on the activity for this server:
Audit Log
On Oracle Solaris: /var/opt/sun/xvm/uce/var.opt/server/logs/audit.log
On Linux: /usr/local/uce/server/logs/audit.log
Errors
On Oracle Solaris: /var/opt/sun/xvm/uce/var.opt/server/logs/error.log
On Linux: /usr/local/uce/server/logs/error.log
Download jobs: /opt/SUNWuce/server/logs/SERVICE_CHANNEL/error.log
Job Log
On Oracle Solaris: /var/opt/sun/xvm/uce/var.opt/server/logs/job.log
On Linux: /usr/local/uce/server/logs/job.log
For installation events:
/var/opt/sun/xvm/oracle/cfgtoollogs/dbca/OCDB/*
/var/tmp/installer.log.latest
For operational events reported by the ecadm sqlplus
utility:
/var/opt/sun/xvm/oracle/diag/rdbms/ocdb/OCDB/alert/log.xml.*
/var/opt/sun/xvm/oracle/diag/rdbms/ocdb/OCDB/trace/alert_OCDB.log.*
/var/opt/sun/xvm/oracle/diag/tnslsnr/<hostname>/oclistener/alert/log.xml.*
/var/opt/sun/xvm/oracle/diag/tnslsnr/<hostname>/oclistener/trace/listener.log.*
For schema changes:
/var/opt/sun/xvm/log/satadmsqlplus.log
/var/opt/sun/xvm/logs/alter_oracle_schema.out
/var/opt/sun/xvm/logs/alter_oracle_storage.out
For backup, restore, and migrate operations:
/var/opt/sun/xvm/logs/sat-backup
-date-time
.log
/var/opt/sun/xvm/logs/sat-restore
-date-time
.log
/var/opt/sun/xvm/logs/migrate.log
On the Proxy Controller: /var/opt/sun/xvm/proxydb/*
On each agent: /var/opt/sun/xvm/agentdb/*