This section describes how to download, deploy, and use the Oracle Enterprise Manager System Monitoring Plug-in in the Oracle Enterprise Manager Cloud Control 12c environment.
You can download plug-ins in online or offline mode. Online mode refers to an environment where you have Internet connectivity, and can download the plug-in directly through Enterprise Manager from My Oracle Support. Offline mode refers to an environment where you do not have Internet connectivity, or where the plug-in is not available from My Oracle Support.
See the "Managing Plug-ins" chapter in the Oracle Enterprise Manager Cloud Control Administrator's Guide for details on downloading the plug-in in either mode:
http://docs.oracle.com/cd/E24628_01/doc.121/e24473/plugin_mngr.htm#CJGBEAHJ
You can deploy the plug-in to an Oracle Management Service instance using the Enterprise Manager Cloud Control console, or using the EM Command Line Interface (EMCLI). While the console enables you to deploy one plug-in at a time, the command line interface mode enables you to deploy multiple plug-ins at a time, thus saving plug-in deployment time and downtime, if applicable.
For instructions on deploying, see the "Managing Plug-ins" chapter in the Oracle Enterprise Manager Cloud Control Administrator's Guide:
http://docs.oracle.com/cd/E24628_01/doc.121/e24473/plugin_mngr.htm#CJGCDHFG
For instructions on undeploying, see the "Managing Plug-ins" chapter in the Oracle Enterprise Manager Cloud Control Administrator's Guide
http://docs.oracle.com/cd/E24628_01/doc.121/e24473/plugin_mngr.htm#CJGEFADI
The Self Update feature allows you to expand Enterprise Manager's capabilities by updating Enterprise Manager components whenever new or updated features become available. Updated plug-ins are made available through the Enterprise Manager Store, an external site that is periodically checked by Enterprise Manager Cloud Control to obtain information about updates ready for download. See the "Updating Cloud Control" chapter in the Oracle Enterprise Manager Cloud Control Administrator's Guide for steps to update the plug-in:
http://docs.oracle.com/cd/E24628_01/doc.121/e24473/self_update.htm
To allow the Enterprise Management Agent to communicate with the OKM, you must enable its Java installation for stronger cryptography. First, locate the Java version, then download and install the files for the Java instance.
To find out the Java location and version being used for the Enterprise Management Agent:
Log in to the Enterprise Management Agent as the oracle_user and locate the file named emd.properties in the Enterprise Management Agent's installation directory.
Search the file for JAVA_HOME and make a note of this location. For example, in file /export/home/Agent/agent_inst/sysman/config/emd.properties, there is this entry:
JAVA_HOME=/export/home/oracle/Agent/core/12.1.0.3.0/jdk
Check the Java version. This is needed to know which files to download. To find out the Java version, run java -version in $JAVA_HOME/bin. For example, using the previous JAVA_HOME setting,
/export/home/oracle/Agent/core/12.1.0.3.0/jdk/bin/java -version
returns
java version 1.6.0_43
Only the first two numbers are significant (1.6).
Download the corresponding Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for that version of Java. Download from the Oracle Technology Network at:
http://www.oracle.com/technetwork/java/javase/downloads
For Java 1.6, download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6; for Java 1.7, download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7.
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Unzip the download and follow the instructions.
You are instructed to place some files in the Java location specified previously by JAVA_HOME in step 2.
If the OKM Operator's certificates that were exported are not yet accessible to the Enterprise Management Agent with the OKM plug-in deployed, copy or move them now to a location that can be reached by the Enterprise Management Agent's user ID. These files must also be owned by the Enterprise Management Agent's user ID (who you are logged in as).
To install the Oracle Enterprise Manager System Monitoring Plug-in on an Enterprise Management Agent, complete the following steps:
Log in to Enterprise Manager Cloud Control.
Select Setup > Add Targets > Add Targets Manually.
Select Add Targets Declaratively by Specifying Target Monitoring Properties.
In the Target Type drop-down list, select the OKM Cluster target type. Click Add Manually.
For the Monitoring Agent, click Search. In the window that is displayed, in the Target Type drop-down list, select Agent and from the table below, click and highlight the agent you want to use for monitoring your target. Click Select.
Click Add Manually.
Add the Target details and click OK. Wait until you see the confirmation and click OK.
To find the target, click Targets > All Targets.
Select OKM Cluster added above to go to the cluster summary page.
You access the OEM through a web browser. After you deploy the plug-in, the Oracle Enterprise Manager Cloud Control administrator can view information about the OKM cluster within OEM. Information includes a summary, agent performance, and KMA performance. The primary way to gather information about monitored instances of OKM appliances is viewing metrics.
As a rule, more ”point in time” information is available in raw metric information than in reports.
To view the raw information collected from the OKM storage appliance:
Log in to Enterprise Manager Cloud Control.
Go to Targets > All Targets and select the OKM Cluster as the target.
From the target's home page, select Oracle Key Manager > Monitoring > All Metrics.
View the categories and information collected from the last collection interval.
The raw metric information that you have access to can be found in "Metrics Collected by the Plug-In".
Oracle Enterprise Manager Cloud Control displays a direct mapping of information collected in the target OKM cluster. Table 2-1 shows this mapping information.
Note:
Information collected by the System Attributes from the Workflow data set indicates items that cannot be enabled/disabled by an administrator. This information is collected through scripts on each OKM storage appliance.Table 2-1 Metric and Collection Information
| Metric Name | Column | Polling Interval (Minutes) |
|---|---|---|
|
Response |
StatusFoot 1 |
5 |
|
Agent Performance |
AgentIDFoot 2 Requests per hourFootref 1 Failures per hour Warnings per hour |
60 |
|
Cluster Status |
HSM StatusFootref 1 KMA NameFootref 2 Lag SizeFootref 1 Locked status Ready Keys Backed Up (%) Responding Service RespondingFootref 1 Version |
10 |
|
Configuration |
Cluster Information FIPs ModeFootref 1 Latest Backup Replication Schema Version Sites Unenrolled Agents |
1440 (1 Day) |
|
Entity Security Violations |
Entity IDFootref 2 Violations per Hour |
60 |
|
KMA Availability |
KMAs Not Responding Responding |
10 |
|
KMA Lock Status |
KMAs Locked Unlocked |
10 |
|
KMA Performance |
Requests per HourFootref 1 Warnings per Hour KMA NameFootref 2 Failures per Hour |
60 |
|
KMA Security Violations |
KMA NamFootref 2 Violations per Hour |
60 |
Footnote 1 Conditions Disabled.
Footnote 2 Key Field.
You can set custom thresholds for some metrics within Oracle Enterprise Manager Cloud Control. The alerts received are contained within the product and are not set as Alerts and Thresholds on the OKM storage appliance itself.
Table 2-2 shows metrics that have thresholds set with their default values.
Table 2-2 Metrics and Default Threshold Values
| Metric/Columns | Comparison Operator | Warning | Critical | Purpose |
|---|---|---|---|---|
|
Agent Performance/Failures per Hour |
> |
5 |
NA |
Issued when an OKM client (such as a tape drive or ZFS Storage Appliance) gets many request failures within the last hour. |
|
Agent Performance/Requests per Hour |
< |
NA |
NA |
Issued when an OKM client is not sending any requests within the last hour (users can use this to indicate a client that is not encrypting). |
|
Cluster Status/HSM Status |
CONTAINS |
NA |
NA |
Issued when the HSM status text matches a certain condition. CONTAINS can be set to "SOFTWARE" to indicate that a KMA is using software for encryption rather than an SCA6000 card (if installed). CONTAINS can be set to "ERROR" to indicate that an error has occurred with either software or hardware encryption. |
|
Cluster Status/Lag Size |
> |
NA |
NA |
Issued if the lag size of a KMA gets large. A large lag size indicates a KMA is way behind on updates. |
|
Cluster Status/Ready Keys Backed Up (%) |
< |
15 |
1 |
Issued if the no keys in the ready key pool have been backed up. If the keys have not been backed up and something happens to the cluster, the keys cannot be retrieved and encrypted data will not be able to be decrypted. |
|
Cluster Status/Service Responding |
< |
NA |
NA |
Issued to indicate the service network of a KMA is not responding. 1 indicates the service network is responding, 0 indicates it is not responding, and a blank indicates it is not reachable or the response status is unknown. |
|
Configuration/FIPs Mode |
< |
NA |
NA |
FIPs mode is 1 if enabled, 0 if disabled. Users can use this to indicate the cluster is not running in FIPs mode. |
|
Configuration/Replication Schema Version |
< |
NA |
14 |
Issued if the cluster replication schema version is downlevel. After an upgrade of the cluster, the replication schema version should set to the maximum. |
|
Configuration/Unenrolled Agents |
> |
NA |
NA |
Issued to indicate potential incomplete configuration of a cluster if not all agents have yet enrolled. |
|
Entity Security Violations/Violations per Hour |
> |
1 |
5 |
Issued for an OKM client that has multiple security violations within the last hour. |
|
KMA Availability/Responding |
< |
2 |
1 |
Issued when KMAs in the cluster stop responding. |
|
KMA Lock Status/Locked |
> |
0 |
NA |
Issued when KMAs are locked. KMAs must be unlocked before they can provide encryption keys. |
|
KMA Performance/Failures per Hour |
> |
5 |
NA |
Issued when a KMA gets many key request failures within an hour. |
|
KMA Performance/Requests per Hour |
< |
NA |
NA |
Issued when a KMA has not provided any keys within an hour. Could be used for performance monitoring. |
|
KMA Security Violations/Violations per Hour |
> |
1 |
5 |
Issued for a KMA that has had multiple security violations within the last hour. |
The most common use of the Oracle Enterprise Manager Cloud Control Plug-in (besides simple capacity monitoring and high-level information collection) is analysis of application performance degradation. Using Oracle Enterprise Manager Cloud Control, you can provide information to the OKM administrator related to performance degradation in the OKM cluster.
In the event of a resource contention issue, you can study levels of client access to determine how and when individual clients are accessing a KMA in the OKM cluster, along with the resources they are accessing.
The plug-in shows a history of security violations, which OKM agents (such as tape drives) are accessing which KMAs the most, and availability history (for example, if a KMA goes down frequently). If an Oracle database or a Solaris 11 server is an OKM client and starts getting failures, then this plug-in can report these failures.