3 Security Features

Describes the role of security in the product architecture.

Oracle Enterprise Manager Ops Center provides security services for user authentication, custom user authorization, and protection for data in repositories and during network transmissions. Oracle Enterprise Manager Ops Center also provides network authentication between its infrastructure components using standard certificates.

Oracle Enterprise Manager Ops Center uses standard protocols and third-party solutions to secure data and operations, using TLS and X.509v3 certificates, and secure HTTP and PAM (Pluggable Authentication Modules) protocols to provide the following services:

  • Authentication

  • Authorization

  • Access Control

  • Data Protection

Configuring and Using Authentication

Describes authentication.

Authentication allows a system to verify the identity of users and other systems that request access to services or data. In a multi-tier application, the entity or caller can be a human user, a business application, a host, or one entity acting on behalf of another entity.

About Identity Management for Users

Describes how users are authenticated.

Users log in to the browser interface to use the product. The credentials must be valid for the Oracle Enterprise Manager Ops Center installation.

Add users to Oracle Enterprise Manager Ops Center from the local authentication subsystem of the Enterprise Controller's operating system or from a separate directory server.

About Configuring an LDAP Server

Procedure for changing the LDAP server.

You can add directory servers to Oracle Enterprise Manager Ops Center. Users and roles are added to the product from the directory server. The information in this section is also in the Oracle Enterprise Manager Ops Center Administration.

To grant roles to the users in a directory server, you create groups on the directory server that correspond to the roles in Enterprise Manager Ops Center. You grant a role to a user by adding the user to the corresponding group, and remove a role from a user by removing them from the group. You cannot edit the roles of a directory server user through the user interface.

Users that are added from a directory server begin with complete privileges for each of their roles.

You must configure the remote directory server before adding it to Oracle Enterprise Manager Ops Center.

To Configure the Directory Structure

Procedure for creating the groups on the directory server that correspond to Oracle Enterprise Manager Ops Center roles.

  1. Create the following user groups on the directory server:
    • ASSET_ADMIN

    • CLOUD_ADMIN

    • CLOUD_USER

    • EXALOGIC_ADMIN

    • FAULT_ADMIN

    • NETWORK_ADMIN

    • OPS_CENTER_ADMIN

    • PROFILE_PLAN_ADMIN

    • READ

    • REPORT_ADMIN

    • ROLE_ADMIN

    • SECURITY_ADMIN

    • SERVER_DEPLOY_ADMIN

    • STORAGE_ADMIN

    • Update_ADMIN

    • Update_SIM_ADMIN

    • USER_ADMIN

    • VIRT_ADMIN

  2. Add users to these groups. The users within each group are given the role corresponding to the group.

To Add a Directory Server

Procedure for adding a new directory server for Oracle Enterprise Manager Ops Center to use.

  1. Select Administration in the Navigation pane.
  2. Click Directory Servers.
  3. Click the Add Directory Server icon.

    The Remote Directory Server Connection Settings page is displayed.

  4. Enter the following connection settings:
    • Name: The name of the directory server.

    • Host: The host name of the directory server.

    • Port: The port number to be used to access the directory server.

    • SSL: Check this box to use TLS to connect to the directory server.

    • Anonymous Bind: Check this box to use anonymous binding to access the directory server.

    • Username: The user name used to access the directory server. Username is required only if Anonymous Bind is not checked.

    • Password: The password for the given user name. Password is required only if Anonymous Bind is not checked.

    • Authentication: Select Use Directory Server for Authentication or Use Ops Center Local Authentication.

    Click Next.

    The Remote Directory Server Schema Settings page is displayed.

  5. Enter the following schema settings:
    • Root suffix: The root node of the directory tree.

    • Group search DN: The container or operational unit in which to search for the role groups.

    • Group search scope: The scope of the group search. Select Search One Level or Search Subtree.

    • User search DN: The container or operational unit in which to search for users.

    • User search scope: The scope of the user search. Acceptable values are base, one, subtree, baseObject, singleLevel, wholeSubtree, or subordinateSubtree.

    • User search filter: An LDAP search filter which users must meet for inclusion.

    Click Next.

    The Summary page is displayed.

  6. Review the summary, then click Add Directory Server.
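
As an added example (not part of this Oracle document or of the product's code), the following Python models the lookup that the schema settings above describe: find the user under the User search DN with the User search filter, then find the role groups under the Group search DN that list that user, and keep only groups whose names are Ops Center roles. It assumes role groups hold member DNs in the member attribute (groupOfNames) and that the login name is the uid attribute; the product's real query is not shown on this page.

```python
"""Added example, not Oracle's code: an in-memory model of how the schema settings above
turn a login name into a set of Ops Center roles. Assumption: role groups list member
DNs in the 'member' attribute (groupOfNames); the product's real query is not shown here."""

# The group names the page says must exist on the directory server; any other group is ignored.
OPS_CENTER_ROLES = {
    "ASSET_ADMIN", "CLOUD_ADMIN", "CLOUD_USER", "EXALOGIC_ADMIN", "FAULT_ADMIN", "NETWORK_ADMIN",
    "OPS_CENTER_ADMIN", "PROFILE_PLAN_ADMIN", "READ", "REPORT_ADMIN", "ROLE_ADMIN", "SECURITY_ADMIN",
    "SERVER_DEPLOY_ADMIN", "STORAGE_ADMIN", "Update_ADMIN", "Update_SIM_ADMIN", "USER_ADMIN", "VIRT_ADMIN",
}
# Every scope name the User search scope field accepts, mapped to one of four behaviours.
SCOPE_ALIASES = {"base": "base", "baseObject": "base", "one": "one", "singleLevel": "one",
                 "subtree": "subtree", "wholeSubtree": "subtree", "subordinateSubtree": "subordinate"}

def dn_components(dn):
    return [c.strip().lower() for c in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies under base_dn within the given search scope."""
    e, b = dn_components(entry_dn), dn_components(base_dn)
    if len(e) < len(b) or e[-len(b):] != b:
        return False
    depth = len(e) - len(b)
    kind = SCOPE_ALIASES[scope]
    return {"base": depth == 0, "one": depth == 1, "subtree": True, "subordinate": depth >= 1}[kind]

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value) combined with &, | and !."""
    body = text.strip()[1:-1]
    if body[0] not in "&|!":
        attr, _, value = body.partition("=")
        return ("=", (attr.strip().lower(), value.strip()))
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body[1:], 1):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(parse_filter(body[start:i + 1]))
    return (body[0], parts)

def eval_filter(node, entry):
    op, arg = node
    if op == "=":
        attr, value = arg
        values = [v.lower() for v in entry.get(attr, [])]
        return bool(values) if value == "*" else value.lower() in values
    if op == "!":
        return not eval_filter(arg[0], entry)
    return (all if op == "&" else any)(eval_filter(n, entry) for n in arg)

def search(directory, base_dn, scope, filter_text):
    node = parse_filter(filter_text)
    return {dn: e for dn, e in directory.items() if in_scope(dn, base_dn, scope) and eval_filter(node, e)}

def roles_for_login(directory, settings, login):
    """Roles for login, or None when the user search finds no single matching entry."""
    users = search(directory, settings["User search DN"], settings["User search scope"],
                   settings["User search filter"])
    matches = [dn for dn, e in users.items() if login in e.get("uid", [])]
    if len(matches) != 1:
        return None
    user_dn = matches[0].lower()
    groups = search(directory, settings["Group search DN"], settings["Group search scope"],
                    "(objectClass=groupOfNames)")
    return {g["cn"][0] for g in groups.values()
            if g["cn"][0] in OPS_CENTER_ROLES and user_dn in (m.lower() for m in g.get("member", []))}

# Constructed directory contents (attribute names lowercase, values as lists).
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    ALICE: {"objectclass": ["inetOrgPerson"], "uid": ["alice"], "employeetype": ["active"]},
    BOB: {"objectclass": ["inetOrgPerson"], "uid": ["bob"], "employeetype": ["disabled"]},
    "cn=ASSET_ADMIN,ou=groups,dc=example,dc=com":
        {"objectclass": ["groupOfNames"], "cn": ["ASSET_ADMIN"], "member": [ALICE, BOB]},
    "cn=READ,ou=groups,dc=example,dc=com":
        {"objectclass": ["groupOfNames"], "cn": ["READ"], "member": [ALICE]},
    # Not an Ops Center role name, so membership grants nothing.
    "cn=helpdesk,ou=groups,dc=example,dc=com":
        {"objectclass": ["groupOfNames"], "cn": ["helpdesk"], "member": [ALICE]},
    # One level deeper: only found when Group search scope is Search Subtree.
    "cn=CLOUD_ADMIN,ou=legacy,ou=groups,dc=example,dc=com":
        {"objectclass": ["groupOfNames"], "cn": ["CLOUD_ADMIN"], "member": [ALICE]},
}
# Values as typed into the Remote Directory Server Schema Settings page.
SETTINGS = {
    "Root suffix": "dc=example,dc=com",
    "Group search DN": "ou=groups,dc=example,dc=com",
    "Group search scope": "one",                       # Search One Level
    "User search DN": "ou=people,dc=example,dc=com",
    "User search scope": "subtree",
    "User search filter": "(&(objectClass=inetOrgPerson)(!(employeeType=disabled)))",
}
```

With these settings alice resolves to ASSET_ADMIN and READ, CLOUD_ADMIN appears only after switching the group scope to subtree, and bob is refused because the user search filter excludes disabled accounts.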

About PAM Authentication

Procedure for setting the PAM authentication service.

Oracle Enterprise Manager Ops Center uses Pluggable Authentication Modules (PAM) to validate credentials for user accounts of users who log in to the browser interface. The default PAM service allows users to log in to the system in the standard way.

The pam-service-name parameter sets the PAM service for the oem-ec instance of the cacao daemon.

  • Oracle Solaris: The default value is pam-service-name=other

  • Linux: The default value is pam-service-name=passwd

If you require control of the PAM configuration, create a PAM service with a different service name, which uses different PAM modules.

Verifying PAM Authentication

Procedure for displaying the PAM service.

To see the current value of the pam-service-name parameter, use the following cacaoadm command:

./cacaoadm get-param -i oem-ec pam-service-name

Changing the PAM Authentication

Procedure for changing the way PAM authentication is used.

To change the authentication service from the operating system's default to a different service name, use the following procedure. If this is a High Availability environment, perform the procedure on both the primary node and on the standby node.

  1. On a Linux system, create a configuration file or edit the existing configuration file for the service to use. The configuration file has the same name as the service.
    /etc/pam.d/filename
    

    On an Oracle Solaris 10 system, edit the following file:

    /etc/pam.conf
    
  2. Change the contents of the configuration file. For example:
    auth       required     pam_warn.so debug
    auth       required     pam_safeword.so.1 debug
    account    include      system-auth
    password   include      system-auth
    
  3. To initialize the PAM service with the new configuration, stop the Enterprise Controller:
    /opt/sun/xvmoc/bin/satadm stop
    
  4. Change the value of the pam-service-name parameter:
    ./cacaoadm set-param -i oem-ec pam-service-name=opscenter
    
  5. Verify the change:
    ./cacaoadm get-param -i oem-ec pam-service-name
    
  6. Restart the Enterprise Controller:
    /opt/sun/xvmoc/bin/satadm start
    

Note:

If you use the SafeNet SafeWord® Agent for PAM software (pam_safeword.so), you can use the SafeWord static password mode or single-use dynamic password mode, but you cannot use the dynamic challenge password mode. To use single-use dynamic passwords, you must modify the pam_safeword.cfg file to ensure that the User ID source is set to SYSTEM and not USER. The SYSTEM setting causes the authentication process to get the User ID from the /etc/passwd file.
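
Before pointing pam-service-name at a new service it is worth parsing the service definition and checking what its stacks actually do. The following Python is an added example, not part of this Oracle document: it parses both the Linux /etc/pam.d/<service> layout and the Oracle Solaris 10 /etc/pam.conf layout, lists the other service files an include pulls in, and flags stacks with no auth or account lines or with a pam_permit.so shortcut. The inputs are the page's own example plus constructed variants.

```python
"""Added example, not Oracle's code: parse the PAM service you are about to name in
pam-service-name and flag stacks that would not really validate a login. The inputs below
are the page's own /etc/pam.d example plus constructed variants."""

PAM_TYPES = {"auth", "account", "password", "session"}

def _fields(line):
    """Split one PAM line, keeping a bracketed control such as [success=1 default=die] whole."""
    parts = line.split()
    if len(parts) > 1 and parts[1].startswith("["):
        end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
        if end is None:
            raise ValueError(f"unterminated control field: {line!r}")
        parts = parts[:1] + [" ".join(parts[1:end + 1])] + parts[end + 1:]
    return parts

def parse_pam_d(text):
    """Linux /etc/pam.d/<service> -> [(type, control, module, args)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _fields(line)
        mtype = parts[0].lstrip("-").lower()   # a leading '-' means: skip if the module is absent
        if mtype not in PAM_TYPES or len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((mtype, parts[1], parts[2], parts[3:]))
    return entries

def parse_pam_conf(text, service):
    """Oracle Solaris 10 /etc/pam.conf: keep only lines whose first field is the service."""
    kept = [ln.split(None, 1)[1] for ln in text.splitlines()
            if len(ln.split()) > 1 and not ln.lstrip().startswith("#") and ln.split()[0] == service]
    return parse_pam_d("\n".join(kept))

def referenced_services(entries):
    """Other service files pulled in via include/substack; review those as well."""
    return {module for _, control, module, _ in entries if control in ("include", "substack")}

def stack_problems(entries):
    """Checks worth running before cacaoadm set-param points oem-ec at this service."""
    problems = []
    auth = [e for e in entries if e[0] == "auth"]
    if not auth:
        problems.append("no 'auth' lines: nothing in this service checks the credential")
    if not any(e[0] == "account" for e in entries):
        problems.append("no 'account' lines: expired or locked accounts are not rejected")
    for _, control, module, _ in auth:
        if module.startswith("pam_permit") and control == "sufficient":
            problems.append(f"auth sufficient {module}: succeeds for any user and, unless an "
                            "earlier required module failed, ends the stack right there")
    return problems

# The page's own example, exactly as given for /etc/pam.d/<service>.
PAGE_SERVICE = """\
auth       required     pam_warn.so debug
auth       required     pam_safeword.so.1 debug
account    include      system-auth
password   include      system-auth
"""
# Constructed: looks complete at a glance but accepts any password and never checks accounts.
WEAK_SERVICE = """\
auth       sufficient   pam_permit.so
auth       required     pam_unix.so
password   include      system-auth
"""
# Constructed /etc/pam.conf excerpt with a service named opscenter next to another service.
SOLARIS_PAM_CONF = """\
# constructed excerpt
login      auth     requisite   pam_authtok_get.so.1
opscenter  auth     required    pam_warn.so debug
opscenter  auth     required    pam_safeword.so.1 debug
opscenter  account  required    pam_unix_account.so.1
"""
```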

Credentials for My Oracle Support

Describes access to My Oracle Support.

In Connected mode, the Oracle Enterprise Manager Ops Center software requires the user to provide one or more sets of My Oracle Support credentials. These credentials are used to authenticate and authorize downloading product updates, creating Service Requests, and retrieving warranty information, in addition to the initial authentication between the Enterprise Controller's system and My Oracle Support.

Credentials for IAAS and Cloud Deployments

Describes the protection of the location of the private key.

Some commands for the IAAS platform require a parameter for the location of the private key file. Because the private key authenticates a cloud user, this file is sensitive and must be managed as a security risk:

  • The file must be owned by the user running the IAAS command-line interface.

  • The file must have the highest restrictive permission: read-only by file owner.
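
The two rules above are easy to check mechanically. The following Python is an added example, not from this Oracle document: it reports a secret file that is not a regular file, not owned by the invoking user, or not mode 0400. The same check applies to the /var/tmp/OC/mypasswd and /var/tmp/OC/mytoken files the agentadm procedures later on this page create; the demo files are constructed in a temporary directory.

```python
"""Added example, not Oracle's code: verify that a secret file such as the IAAS private key
(or the /var/tmp/OC/mypasswd and /var/tmp/OC/mytoken files used by agentadm) is owned by
the invoking user and readable by that owner only."""
import os
import stat
import tempfile

def secret_file_problems(path, expected_uid=None):
    """Return a list of violations; an empty list means the file is acceptable."""
    expected_uid = os.geteuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)          # lstat: do not let a symlink stand in for the key file
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symbolic link; point at the key file itself"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        problems.append(f"{path}: mode is {mode:04o}, expected 0400 (read-only by owner)")
    return problems

def demo():
    """Constructed files: one set up correctly, one left group/world readable."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "cloud_user.key")
        bad = os.path.join(d, "mypasswd")
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("constructed secret\n")
        os.chmod(good, 0o400)
        os.chmod(bad, 0o644)
        return {"good": secret_file_problems(good),
                "bad": secret_file_problems(bad),
                # Pretend the CLI runs as a different uid: ownership must then fail.
                "wrong_owner": secret_file_problems(good, expected_uid=os.geteuid() + 1)}
```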

About Authorization

Describes authorization.

Authorization allows a system to determine the privileges which users and other systems have for accessing resources on that system.

Roles grant users the ability to use the different functions of Oracle Enterprise Manager Ops Center. By giving a role to a user, an administrator can control what functions are available to that user and for which groups of assets.

An Enterprise Controller Admin can grant users different roles for the Enterprise Controller, the All Assets group, and any user-defined groups. A user who is assigned a role for a group receives the same role for all subgroups.

Caution:

A user with the Apply Deployment Plans, Exalogic Systems Admin, or SuperCluster Systems Admin role can apply an operational profile to a managed system using root access. Take care when assigning these roles because the role allows the user to use an operational profile to run scripts.

About Credentials for Assets

Describes the types of credentials used to manage assets.

Oracle Enterprise Manager Ops Center uses credentials to discover and manage assets and to establish trust between internal components. Examples of the types of credentials managed by Oracle Enterprise Manager Ops Center include:

  • SSH credentials for Operating System instances and hardware service processors.

  • IPMI credentials for hardware service processors

To see a list of all the types of credentials, select Credentials in the Administration section, then click Create Credentials in the Actions pane. The drop-down list for the Protocols field shows all of the supported protocols.

Oracle Enterprise Manager Ops Center requires remote network access and administrative privileges to discover and manage an asset. This can be done either by using a privileged account or by combining the credentials of a non-privileged user account with the credentials for the administrative account. In this case, Oracle Enterprise Manager Ops Center uses the non-privileged user account to connect to the system and then uses the administrative account to inquire about the characteristics of the system.

To discover an ILOM system, the account must have administrator privileges on the system, and both IPMI and SSH credentials must be provided.

Note:

IPMI communications from the Proxy Controller to the ILOM system are not encrypted. To protect the transmissions, isolate the ILOM system and the Proxy Controller it uses within your private administrative network.

Using SSH Key-Based Authentication

Procedure for using an SSH key for access to assets.

If you prefer not to use password-based SSH credentials, create an SSH key to get access to remote assets, such as operating systems, ILOM service processors, and XSCF service processors. The assets must support the SSH protocol. Oracle Enterprise Manager Ops Center does not protect the SSH keys. If you choose to use this method, you must ensure the following:

  • You must create the SSH key on each Proxy Controller that needs to get access to the asset.

  • For an OS asset, you must add the SSH public key to the ~/.ssh/authorized_keys file. For a hardware asset, you must use the asset's Web interface to upload the public SSH key.

To create the SSH key, use the Create Credentials action.

  1. Enter a name for the key.
  2. Click the Custom SSH key button, as shown in Figure 3-1, to enable the remaining fields.

    Figure 3-1 Creating an SSH Public Key

  3. In Login User, enter the name of the account that uses this key.
  4. The location of the key file is set to the default location for the ssh-keygen utility. If your site uses a different location, edit this field.
  5. (Optional) For OS assets, create a privileged user such as root, or a non-privileged user with keys. Provide a password for the role.

    The passphrase is an optional addition to the password and is created at the same time as the key.

  6. Click Create to create the SSH key.

Creating Credentials for Access to the Serial Console or SSH Tunnel

Procedure for creating console or SSH credentials.

The information in this section is also in the Oracle Enterprise Manager Ops Center Configure Reference.

To enable a connection to a service processor or virtual machine, define the user account that Enterprise Manager Ops Center uses to open an SSH tunnel on the Enterprise Controller or to create a serial connection.

Note:

If you do not specify this account, Enterprise Manager Ops Center creates an account each time it accesses a serial console and deletes the account when the connection is no longer needed. This activity might not conform to your site's security policy.

The following types of assets use SSH to connect to a serial console. Create an account for each type and define the same password for each account.

  • Proxy Controllers

  • Global zones that use agents and require access to the consoles of non-global zones

  • Control domains that use agents and require access to the consoles of logical domains

To create the account, define the ConsoleSSH.Credname system property using the procedure in Defining the system property for console access and then define a user account for that property using either the procedure in Creating the account using Enterprise Manager Ops Center or the procedure in Creating the account using the useradd command.

Defining the system property for console access

Procedure configuring console access.

  1. Select the Administration section in the Navigation pane.
  2. Select the Configuration tab in the center pane.
  3. In the Subsystem list, select Console Access Configuration. The ConsoleSSH.Credname system property is displayed.
  4. Click in the Values column.
  5. Enter the name of the new user account. For example, SERIALCONSOLE_CRED1.

    Figure 3-2 Configuring Console Access

  6. Click Save.

When the job is completed, define the account using the following procedure.

Creating the account using Enterprise Manager Ops Center

Procedure for creating a new account.

You must have the Security Admin role to perform this procedure.

After you define the user account, the account is created automatically in /etc/passwd the first time a job for console access is run. However, if your site's security policy requires that the operating system account must be created outside of Enterprise Manager Ops Center's control or if you prefer to create the account manually, use the procedure described in Creating the account using the useradd command.

  1. Select Administration in the Navigation pane.
  2. Select Credentials in the Navigation pane.
  3. Click Create Credentials in the Actions pane.
  4. Select the SERIAL_CONSOLE_SSH protocol and enter the following details:
    • Name of the credential: Enter the value of the ConsoleSSH.Credname system property. In this example, SERIALCONSOLE_CRED1.

    • Login User: Enter a convenient or descriptive name for the user account, for example, ConsoleAccess.

    • Password for the user account and its confirmation.

    Figure 3-3 User Account for Console Access

  5. Click Create to submit the job.

Creating the account using the useradd command

Procedure for creating a new account.

  1. Create the home directory for the account. In the following example, the account is named consolex:
    mkdir /var/tmp/consolex
    
  2. Add the user account with its shell, /opt/sun/n1gc/bin/serial_console:
    useradd -s "/opt/sun/n1gc/bin/serial_console" -d /var/tmp/consolex -u uid -P "profile" -A "solaris.zone.manage" consolex
    

    where uid is an available user ID on the Enterprise Controller's system and profile is either LDoms Review for a control domain or Zone Management for a global zone. The -A option is a feature of Oracle Solaris 11's useradd(1m) command that includes an authorization defined in auth_attr(4).

  3. Change the ownership of the home directory:
    /bin/chown consolex /var/tmp/consolex
    /bin/chmod 700 /var/tmp/consolex
    
  4. Set and confirm the password for the account:
    passwd consolex
    

About Managing Assets Using the agentadm Command

Describes a method of managing assets without storing credentials.

The information in this section is also in the Oracle Enterprise Manager Ops Center Configure Reference.

Although it is possible to discover assets without providing credentials, Oracle Enterprise Manager Ops Center is limited in its ability to manage or monitor these assets. If you prefer not to store credentials for assets in the product software, install the Agent Controller on each asset manually.

Use these procedures to install an Agent Controller and to register the target system.

Before You Install an Agent Controller

Lists prerequisites for installing an agent.

To use the agentadm command, you need the following information:

  • To configure your Agent Controller software using an administrative user account on the Enterprise Controller you need:

    • User name: the user account provides authentication that supports Agent Controller registration. Use the user name of this account as the argument for the -u option of the agentadm command.

    • Password: use this password to populate the /var/tmp/OC/mypasswd file. Then use this file name as the argument for the -p option of the agentadm command.

  • The auto-reg-token registration token from the /var/opt/sun/xvm/persistence/scn-proxy/connection.properties file on the appropriate Proxy Controller – If you decide not to use user credentials to configure your Agent Controller software, use this token to populate the /var/tmp/OC/mytoken file. Then use this file name as the argument for the agentadm -t option.

  • IP address or host name of the Proxy Controller with which you will associate the Agent Controller – Use this IP address or host name as the argument for the agentadm -x option. Typically, you would associate the Agent Controller with the Proxy Controller that is connected to the same subnet as the target system.

  • The IP address of the network interface that the Agent Controller will use for registration – Use this IP address as the argument for the agentadm -a option.

Some example agentadm commands in this procedure use the alternative administrative user name droot. In these examples, the droot user exists on the Enterprise Controller.

When you install an Agent Controller on a global zone, the installation installs, or upgrades to, Oracle Java Runtime Environment (JRE) 1.6.0_91. If a later version of JRE is installed, the installation does not downgrade.

Using User Credentials to Install and Configure an Agent Controller Manually

Procedure for installing an Agent Controller manually.

This procedure creates a file that holds the password of the administrative user for your Enterprise Manager Ops Center installation.

  1. On the Enterprise Controller, change to the /var/opt/sun/xvm/images/agent/ directory, and list the files that it contains to see the Agent Controller installation archives. For example:
    # cd /var/opt/sun/xvm/images/agent/
    # ls
    OpsCenterAgent.Linux.i686.12.2.0.2503.zip
    OpsCenterAgent.Linux.i686.12.2.0.2503.zip.sig
    OpsCenterAgent.Solaris.i386.12.2.0.2503.zip
    OpsCenterAgent.Solaris.i386.12.2.0.2503.zip.sig
    OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip
    OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip.sig
    OpsCenterAgent.SolarisIPS.all.12.2.0.2503.zip
    OpsCenterAgent.SolarisIPS.all.12.2.0.2503.zip.sig
    #
    
  2. Identify the Agent Controller archive that is appropriate for the system where you intend to install the Agent Controller, the target system. See Table 3-1 for a description of the available packages.

    Table 3-1 Agent Controller Packages and Their Operating System and Architecture

    File prefix                     Operating System / Architecture
    OpsCenterAgent.Linux.i686       Oracle Linux / x86
    OpsCenterAgent.Solaris.i386     Oracle Solaris 10 / x86
    OpsCenterAgent.Solaris.sparc    Oracle Solaris 10 / Oracle SPARC
    OpsCenterAgent.SolarisIPS.all   Oracle Solaris 11 / x86 and Oracle SPARC


  3. On the system where you want to install the Agent Controller, create the following directory:
    # mkdir /var/tmp/OC
    
  4. Use scp or ftp to transfer the Agent Controller archive from the Enterprise Controller to the /var/tmp/OC directory. Respond to any authentication or confirmation prompts that are displayed. For example:
    # scp OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip root@10.0.0.0:/var/tmp/OC
    Password:
    OpsCenterAgent.S 100% |*********************************************************************| 187078 KB 00:32
    #
    
  5. Navigate to the /var/tmp/OC directory:
    # cd /var/tmp/OC
    #
    
  6. Use the unzip command to uncompress the Agent Controller archive. For example:
    # unzip OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip
    (output omitted)
    
  7. If you are installing the Agent Controller on Oracle Solaris 8-10, run the install -a script in the OpsCenterAgent directory. For example:
    # OpsCenterAgent/install -a
    Installing Ops Center Agent Controller.
    No need to install 120900-04.
    No need to install 121133-02.
    No need to install 119254-63.
    No need to install 119042-09.
    No need to install 121901-02.
    No need to install 137321-01.
    Installed SUNWjdmk-runtime.
    Installed SUNWjdmk-runtime-jmx.
    (output omitted)
    6 patches skipped.
    19 packages installed.
    Installation complete.
    Detailed installation log is at /var/scn/install/log.
    Uninstall using /var/scn/install/uninstall.
    

    If you are installing the Agent Controller on Oracle Solaris 11, run the install command with the -p option and specify the IP address. The command configures a local IPS repository using the IP address. For example:

    # OpsCenterAgent/install -p 10.0.0.1
    

    If you are installing an Oracle VM Server Virtualization Controller Agent, use the -l (or --ldom) option.

  8. Create an empty file named /var/tmp/OC/mypasswd, and set its permission mode to 400. For example:
    # touch /var/tmp/OC/mypasswd
    # chmod 400 /var/tmp/OC/mypasswd
    
  9. Edit the /var/tmp/OC/mypasswd file to add the password for the administrative user that exists on the Enterprise Controller to which the Proxy Controller is connected. The following echo command writes the password to the /var/tmp/OC/mypasswd file. Replace the password with the correct password. For example:
    # echo 'password' > /var/tmp/OC/mypasswd
    
  10. Use the agentadm command to associate the Agent Controller with the Proxy Controller.
    • Oracle Solaris OS: /opt/SUNWxvmoc/bin/agentadm configure

    • Linux OS: /opt/sun/xvmoc/bin/agentadm configure

      The example commands below use the following options:

    • -u: Specifies the administrative user that exists on the Enterprise Controller to which the Proxy Controller is connected. Be certain that the password that you specified in the /var/tmp/OC/mypasswd file is correct for the user that you specify for this option.

      Note:

      The examples use droot as the administrative user.

    • -p: Specifies the absolute path name of the file that contains the password for the user that you specified with the -u option.

    • -x: Specifies the IP address or host name of the Proxy Controller to which this Agent Controller will connect.

    • -a: Specifies the IP address to use during Agent Controller registration. This selects the network interface that the Agent Controller will use for registration. Accept the server's certificate when prompted. For example:

      # /opt/SUNWxvmoc/bin/agentadm configure -u droot -p /var/tmp/OC/mypasswd -x 10.0.0.0
      agentadm: Version 1.0.3 launched with args: configure -u droot -p /var/tmp/OC/mypasswd -x 10.0.0.1
      workaround configuration done.
      Certificate:
      Serial Number: 947973225
      Version: 3
      Issuer: CN=flyfishing_scn-proxy_ca
      Subject: CN=flyfishing_scn-proxy_Agent Controller
      Not valid before: Thu Jun 19 15:36:59 MDT 1969
      Not valid after: Thu Apr 19 15:36:59 MDT 2029
      Certificate:
      Serial Number: 1176469424
      Version: 3
      Issuer: CN=flyfishing_scn-proxy_ca
      Subject: CN=flyfishing_scn-proxy_ca
      Not valid before: Thu Jun 19 15:36:56 MDT 1969
      Not valid after: Thu Apr 19 15:36:56 MDT 2029
      Accept server's certificate? (y|n)
      y
      Connection registered successfully.
      scn-Agent Controller configuration done.
      Checking if UCE Agent Controller process is still running, it may take a couple of minutes ...
      Process is no longer running
      UCE Agent Controller is stopped.
      UCE Agent Controller is in [online] state.
      Checking if UCE Agent Controller process is up and running ...
      The process is up and running.
      UCE Agent Controller is started.
      Added the zone configuration automation successfully.
      Added the service tags recreate script successfully.
      #
      

      Error messages similar to Connection cannot be registered in the following example typically indicate problems with the user credentials that you specified in the agentadm command. In this example, the user droot was not authenticated on the Enterprise Controller. If you see this error, check that the user name that you supplied for the agentadm -u option, and the password in the file that you specified for the agentadm -p option, match an existing administrative user on the Enterprise Controller.

      Accept server's certificate? (y|n)
      y
      Error with connection to CRS: com.sun.scn.connmgt.SCNRegClientException: droot, Code: 4, Code: 4
      ERROR : Connection cannot be registered.
      Code--2
      sc-console registration failed on [2].
      sc-console : User authentication error.
      Error executing step : sc_console
      

      If the system where you are installing the Agent Controller has multiple active network interfaces, you can use the -a option to specify the IP address of the interface that you want to use for Agent Controller registration. For example:

      # /opt/SUNWxvmoc/bin/agentadm configure -u droot -p /var/tmp/OC/mypasswd -x 10.0.0.0 -a 10.0.0.1
      (output omitted)
      
  11. If you encountered a Connection cannot be registered error message from the agentadm command, use agentadm to unconfigure the Agent Controller. For example:
    # /opt/SUNWxvmoc/bin/agentadm unconfigure
    agentadm: Version 1.0.3 launched with args: unconfigure
    verified sc_console command is OK
    End of validation
    (output omitted)
    End of configuration.
    

    After the Agent Controller has been unconfigured, correct the problem that was indicated by the error message, and re-run the agentadm configure command.

  12. Use the sc-console command to list the Agent Controller connection. For example:
    # sc-console list-connections
    scn-Agent Controller https://10.0.0.0:21165 urn:scn:clregid:abcdef12-6899-4bcc-9ac7-a6ebaf71c1f5:20090420171121805
    #
    
Using a Token to Install and Configure an Agent Controller Manually

Procedure to install an Agent Controller.

This procedure uses a token to configure your Agent Controller software.

  1. On the Enterprise Controller, change to the /var/opt/sun/xvm/images/agent/ directory, and list the files that it contains. This directory contains the Agent Controller installation archives. For example:
    # cd /var/opt/sun/xvm/images/agent/
    # ls
    OpsCenterAgent.Linux.i686.12.1.0.zip
    OpsCenterAgent.Linux.i686.12.1.0.zip.sig
    OpsCenterAgent.SunOS.i386.12.1.0.zip
    OpsCenterAgent.SunOS.i386.12.1.0.zip.sig
    OpsCenterAgent.SunOS.sparc.12.1.0.zip
    OpsCenterAgent.SunOS.sparc.12.1.0.zip.sig
    #
    
  2. Identify the Agent Controller archive that is appropriate for the system where you intend to install the Agent Controller. See Table 3-1 for a description of the available packages.
  3. On the system where you want to install the Agent Controller, create the following directory:
    # mkdir /var/tmp/OC
    
  4. Use scp or ftp to transfer the Agent Controller archive from the Enterprise Controller to the /var/tmp/OC directory. Respond to any authentication or confirmation prompts that are displayed. For example:
    # scp OpsCenterAgent.Solaris.sparc.12.2.0.2503.zip root@10.0.0.0:/var/tmp/OC
    Password:
    OpsCenterAgent.S 100% |*********************************************************************| 187078 KB 00:32
    #
    
  5. On the target system, change to the /var/tmp/OC directory.
    # cd /var/tmp/OC
    #
    
  6. Use the unzip command to uncompress the Agent Controller archive. For example:
    # unzip OpsCenterAgent.SunOS.sparc.12.1.0.zip
    (output omitted)
    
  7. If you are installing the Agent Controller on Oracle Solaris 8-10, run the install -a script in the OpsCenterAgent directory. For example:
    # OpsCenterAgent/install -a
    Installing Ops Center Agent Controller.
    No need to install 120900-04.
    No need to install 121133-02.
    No need to install 119254-63.
    No need to install 119042-09.
    No need to install 121901-02.
    No need to install 137321-01.
    Installed SUNWjdmk-runtime.
    Installed SUNWjdmk-runtime-jmx.
    (output omitted)
    6 patches skipped.
    19 packages installed.
    Installation complete.
    Detailed installation log is at /var/scn/install/log.
    Uninstall using /var/scn/install/uninstall.
    #
    

    If you are installing the Agent Controller on Oracle Solaris 11, run the install command with the -p option and specify the IP address. The command configures a local IPS repository using the IP address. For example:

    # OpsCenterAgent/install -p 10.0.0.1
    #
    
  8. On the Proxy Controller that will communicate with this Agent Controller instance, examine the /var/opt/sun/xvm/persistence/scn-proxy/connection.properties file. The last line in this file contains the auto-reg-token that is required for Agent Controller registration. For example:
    # cat /var/opt/sun/xvm/persistence/scn-proxy/connection.properties
    #Generated by a program. Do not edit. All manual changes subject to deletion.
    
    (output omitted)
    
    trust-store=/var/opt/sun/xvm/security/jsse/scn-proxy/truststore
    auto-reg-token=abcdef12-1700-450d-b038-ece0f9482474\:1271743200000\:T
    #
    
  9. On the system where you have installed the Agent Controller software, create an empty file named /var/tmp/OC/mytoken, and set its permission mode to 400. For example:
    # touch /var/tmp/OC/mytoken
    # chmod 400 /var/tmp/OC/mytoken
    
  10. Edit the /var/tmp/OC/mytoken file so that it contains the auto-reg-token string from Proxy Controller with the following changes:
    • Remove the auto-reg-token=.

    • Remove any backslash characters from the token string. For example:

      abcdef12-1700-450d-b038-ece0f9482474:1271743200000:T
      
  11. Use the agentadm command to associate the Agent Controller with a Proxy Controller.
    • Oracle Solaris OS: /opt/SUNWxvmoc/bin/agentadm configure

    • Linux OS: /opt/sun/xvmoc/bin/agentadm configure

      The example commands use the following options:

    • -t: specifies the absolute path name of the file that contains the registration token.

    • -x: specifies the IP address or host name of the Proxy Controller to which this Agent Controller will connect.

    • -a: specifies the IP address to use during Agent Controller registration. This selects the network interface that the Agent Controller will use for registration. Accept the server's certificate when prompted. For example:

      # /opt/SUNWxvmoc/bin/agentadm configure -t /var/tmp/OC/mytoken -x 10.0.0.0
      agentadm: Version 1.0.3 launched with args: configure -t /var/tmp/OC/mytoken -x 10.0.0.0
      workaround configuration done.
      
      Certificate:
      Serial Number: 947973225
      Version: 3
      Issuer: CN=flyfishing_scn-proxy_ca
      Subject: CN=flyfishing_scn-proxy_Agent Controller
      Not valid before: Thu Jun 19 15:36:59 MDT 1969
      Not valid after: Thu Apr 19 15:36:59 MDT 2029
      
      Certificate:
      Serial Number: 1176469424
      Version: 3
      Issuer: CN=flyfishing_scn-proxy_ca
      Subject: CN=flyfishing_scn-proxy_ca
      Not valid before: Thu Jun 19 15:36:56 MDT 1969
      Not valid after: Thu Apr 19 15:36:56 MDT 2029
      
      Accept server's certificate? (y|n)
      y
      Connection registered successfully.
      scn-Agent Controller configuration done.
      Checking if UCE Agent Controller process is still running, it may take a couple of minutes ...
      Process is no longer running
      UCE Agent Controller is stopped.
      UCE Agent Controller is in [online] state.
      Checking if UCE Agent Controller process is up and running ...
      The process is up and running.
      UCE Agent Controller is started.
      Added the zone configuration automation successfully.
      Added the service tags recreate script successfully.
      #
      

      If the system where you are installing the Agent Controller has multiple active network interfaces, you can use the -a option to specify the IP address of the interface that you want to use for Agent Controller registration. For example:

      # /opt/SUNWxvmoc/bin/agentadm configure -t /var/tmp/OC/mytoken -x 10.0.0.0 -a 10.0.0.1
      (output omitted)
      
  12. If you encountered a Connection cannot be registered error message from the agentadm command, use agentadm to unconfigure the Agent Controller. For example:
    # /opt/SUNWxvmoc/bin/agentadm unconfigure
    agentadm: Version 1.0.3 launched with args: unconfigure
    verified sc_console command is OK
    End of validation
    
    (output omitted)
    End of configuration.
    

    After the Agent Controller has been unconfigured, correct the problem that was indicated by the error message, and re-run the agentadm configure command.

  13. Use the sc-console command to list the Agent Controller connection. For example:
    # sc-console list-connections
    scn-Agent Controller https://10.0.0.0:21165 urn:scn:clregid:abcdef12-6899-4bcc-9ac7-a6ebaf71c1f5:20090420171121805
    #
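
Steps 8 to 10 above (read the token out of connection.properties, strip the backslash escapes, create a mode-400 token file) lend themselves to a small script when many Agent Controllers are being registered. The following is an added example and not Oracle's code: the function names are my own, the sample properties text is constructed from the page's example values, and on a real agent the source would be /var/opt/sun/xvm/persistence/scn-proxy/connection.properties and the target /var/tmp/OC/mytoken.

```python
"""Stage the Agent Controller registration token (steps 8 to 10).

Added example, not Oracle's code. The properties file uses the Java
properties escaping shown on the page, where ':' in the value is written
as '\\:'; those backslashes must not reach the token file."""
import os
import re
import stat
import tempfile

TOKEN_KEY = "auto-reg-token"

# Constructed sample; the token value mirrors the page's example and is not real.
SAMPLE_PROPERTIES = """\
#Generated by a program. Do not edit. All manual changes subject to deletion.
trust-store=/var/opt/sun/xvm/security/jsse/scn-proxy/truststore
auto-reg-token=abcdef12-1700-450d-b038-ece0f9482474\\:1271743200000\\:T
"""


def extract_reg_token(properties_text):
    """Return the auto-reg-token value with its backslash escapes removed;
    raise ValueError if the key is absent or the value looks wrong."""
    token = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment lines, including the generated-file banner
        key, sep, value = line.partition("=")
        if sep and key.strip() == TOKEN_KEY:
            token = value.strip()  # last occurrence wins, as java.util.Properties does
    if token is None:
        raise ValueError(f"{TOKEN_KEY} not found")
    token = token.replace("\\", "")  # step 10: remove the backslashes
    # Expected shape: <uuid>:<epoch millis>:<flag>; refuse anything else so a
    # truncated copy is caught before agentadm is run with it.
    if not re.fullmatch(r"[0-9a-f-]{36}:\d+:[A-Za-z]", token):
        raise ValueError(f"unexpected token format: {token!r}")
    return token


def write_token_file(token, path):
    """Create the token file readable only by its owner (steps 9 and 10)
    and return its permission bits. O_EXCL refuses to overwrite an
    existing file, and the mode is applied at creation rather than by a
    later chmod, so the token is never readable by other users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def stage_token(properties_text, directory=None):
    """Run the whole sequence into `directory` (a fresh temporary directory
    when not given) and return (token, mode, file contents) for checking."""
    directory = directory or tempfile.mkdtemp()
    token = extract_reg_token(properties_text)
    path = os.path.join(directory, "mytoken")
    mode = write_token_file(token, path)
    with open(path) as fh:
        return token, mode, fh.read().strip()


if __name__ == "__main__":
    print(stage_token(SAMPLE_PROPERTIES))
```

The token is a registration secret for the Proxy Controller, so the script treats it like one: the file is created with mode 400 in the same system call that creates it, an existing file is never silently overwritten, and a malformed value stops the run instead of being handed to agentadm.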
    

Changing Credentials of Managed Assets

Preparing to Use sudo

Procedure to enable escalation of SSH credentials on discovered assets in Oracle Enterprise Manager Ops Center.

  1. Log into the asset as root.
  2. Enter the visudo command to edit the asset’s sudoers file safely.
  3. Edit the sudoers file to conform with the example. Add the command aliases for discovery and provisioning according to the operating system of the asset and whether it is agentless or agent-managed:
    • For agentless Oracle Solaris assets, add the SOLARIS_DISCOVERY section of the file.
    • For agent-managed Oracle Solaris assets, add the SOLARIS_DISCOVERY and SOLARIS_PROVISIONING sections of the file.
    • For agentless Oracle Linux assets, add the LINUX_DISCOVERY section of the file.
    • For agent-managed Oracle Linux assets, add the LINUX_DISCOVERY and LINUX_PROVISIONING sections of the file.
  4. In the ## User privilege specification section, add the name of the new SSH credential that you created or will create using the procedure in “Creating Management Credentials.” Because a password is mandatory, do not add the NOPASSWD parameter.
  5. Save and close the file.
  6. Repeat this procedure on each asset.

Example 3-1 Format of sudoers File for Ops Center

## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias    WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
User_Alias    OPSCENTER = <username>
 
##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
 
Cmnd_Alias SOLARIS_DISCOVERY = /sbin/ifconfig -a, \
        /usr/sbin/virtinfo -ap, \
        /usr/sbin/dladm, \
        /opt/SUNWldm/bin/ldm

Cmnd_Alias SOLARIS_PROVISIONING = /usr/bin/sc-console, \
        /var/scn/install/uninstall, \
        /usr/sbin/zlogin, \
        /bin/cat */opt/SUNWxvm/xvm_zone_id, \
        /var/tmp/OpsCenterAgent/install, \
        /opt/SUNWxvmoc/bin/agentadm, \
        /usr/lib/cacao/bin/cacaoadm, \
        /usr/bin/unzip -q -o -d /var/tmp/ /var/tmp/OpsCenterAgent*

Cmnd_Alias LINUX_DISCOVERY = /sbin/ifconfig -a, \
        /usr/sbin/virtinfo -ap

Cmnd_Alias LINUX_PROVISIONING = /usr/bin/sc-console, \
        /var/scn/install/uninstall, \
        /tmp/OpsCenterAgent/install, \
        /opt/sun/xvmoc/bin/agentadm, \
        /opt/sun/cacao2/bin/cacaoadm, \
        /usr/bin/unzip -q -o -d /tmp/ /tmp/OpsCenterAgent*
 
##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output
Defaults logfile=/var/log/sudo.log

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL

## The password of OPSCENTER must be mandatory.
OPSCENTER ALL=(root) SOLARIS_DISCOVERY,SOLARIS_PROVISIONING

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
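
The two points in the sudoers procedure that matter most for the credential's security are easy to get wrong on a fleet of assets: the OPSCENTER privilege line must not carry NOPASSWD, and it must grant exactly the discovery and provisioning aliases for the asset type, with those aliases actually defined. The checker below is an added example, not part of Oracle's product; the function names are mine, it works on a copy of the file's text (so it can be run against sudoers files collected from assets), and it only checks the Ops Center policy points. Syntax is still visudo's job (`visudo -c -f <file>`). The two sample files are constructed: the first is the page's example with the placeholder filled in, the second contains the mistakes the check is meant to catch.

```python
"""Policy check for the Ops Center sudoers entry. Added example, not
Oracle's code; see the lead-in for what it does and does not check."""
import re

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.*)$")
PRIV_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG_RE = re.compile(r"\b(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW)\s*:")

GOOD_SUDOERS = """\
User_Alias OPSCENTER = ocadmin
Cmnd_Alias SOLARIS_DISCOVERY = /sbin/ifconfig -a, \\
        /usr/sbin/virtinfo -ap, \\
        /usr/sbin/dladm, \\
        /opt/SUNWldm/bin/ldm
Cmnd_Alias SOLARIS_PROVISIONING = /usr/bin/sc-console, \\
        /var/scn/install/uninstall, \\
        /opt/SUNWxvmoc/bin/agentadm
Defaults logfile=/var/log/sudo.log
root ALL=(ALL) ALL
## The password of OPSCENTER must be mandatory.
OPSCENTER ALL=(root) SOLARIS_DISCOVERY,SOLARIS_PROVISIONING
#includedir /etc/sudoers.d
"""

BAD_SUDOERS = """\
User_Alias OPSCENTER = <username>
Cmnd_Alias SOLARIS_DISCOVERY = /sbin/ifconfig -a
OPSCENTER ALL=(root) NOPASSWD: SOLARIS_DISCOVERY,SOLARIS_PROVISIONING
"""


def logical_lines(text):
    """Yield (line_no, text) with backslash continuations joined and
    comments (including #include/#includedir) dropped."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            yield start, stripped


def check_opscenter_sudoers(text, user_alias="OPSCENTER",
                            required=("SOLARIS_DISCOVERY", "SOLARIS_PROVISIONING")):
    """Return a list of findings; an empty list means the file grants the
    required aliases to the credential, with a mandatory password."""
    findings, user_aliases, cmnd_aliases, privileges = [], {}, {}, []
    logfile_set = False
    for n, line in logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            kind, name, body = m.groups()
            members = [x.strip() for x in body.split(",") if x.strip()]
            if kind == "User_Alias":
                user_aliases[name] = members
            elif kind == "Cmnd_Alias":
                cmnd_aliases[name] = members
            continue
        if line.startswith("Defaults"):
            logfile_set |= bool(re.search(r"\blogfile\s*=", line))
            continue
        m = PRIV_RE.match(line)
        if m:
            privileges.append((n,) + m.groups())

    members = user_aliases.get(user_alias)
    if members is None:
        findings.append(f"User_Alias {user_alias} is not defined")
    elif any("<" in mem for mem in members):
        findings.append(f"User_Alias {user_alias} still contains the <username> placeholder")

    own = [p for p in privileges if p[1] == user_alias]
    if not own:
        findings.append(f"no privilege line for {user_alias}")
    for n, _user, _host, runas, spec in own:
        if "NOPASSWD" in spec:
            findings.append(f"line {n}: NOPASSWD set; the {user_alias} password must be mandatory")
        if runas and runas != "root":
            findings.append(f"line {n}: runs as {runas}; the Ops Center aliases expect (root)")
        granted = {c.strip() for c in TAG_RE.sub("", spec).split(",") if c.strip()}
        if "ALL" in granted:
            findings.append(f"line {n}: grants ALL; restrict to the discovery/provisioning aliases")
        for alias in sorted(granted):
            if re.fullmatch(r"[A-Z][A-Z0-9_]*", alias) and alias != "ALL" and alias not in cmnd_aliases:
                findings.append(f"line {n}: Cmnd_Alias {alias} is referenced but not defined")
        for alias in required:
            if alias not in granted:
                findings.append(f"line {n}: required alias {alias} is not granted")
    if not logfile_set:
        findings.append("Defaults logfile is not set; sudo use by the credential is not logged to a file")
    return findings


if __name__ == "__main__":
    print("good:", check_opscenter_sudoers(GOOD_SUDOERS))
    print("bad :", *check_opscenter_sudoers(BAD_SUDOERS), sep="\n  ")
```

Pass `required=("LINUX_DISCOVERY", "LINUX_PROVISIONING")` for agent-managed Linux assets, or a single discovery alias for agentless ones, to mirror the per-asset choice in step 3.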

Upgrading Management Credentials From a Previous Version

Procedure for using new credentials to manage assets discovered by an earlier version of Oracle Enterprise Manager Ops Center.

Assets that were discovered and managed in prior versions of Enterprise Manager Ops Center might not have management credentials associated with them. You can associate new or existing sets of credentials with these assets.

If a discovered asset has been blacklisted, you can remove it from the blacklist by updating its management credentials.

To upgrade management credentials, perform the following steps:

  1. On the Navigation pane, select All Assets.
  2. In the Actions pane, click Upgrade Management Credentials.
  3. Select an asset category: operating systems; servers; or chassis, m-series, and switches.
  4. Select one or more assets of that category.
    • To assign an existing set of credentials, select Assign existing set and then select an existing set of credentials.

    • To assign a new set of credentials, select Create and assign new set and then enter a protocol, name, and credential information.

Updating Management Credentials

Procedure for updating credentials used to manage an asset.

You can change the set of management credentials used by an asset or group of assets.

To update management credentials, perform the following steps:

  1. On the Navigation pane, select an asset or group.
  2. In the Actions pane, click Update Management Credentials.

    Figure 3-4 Wizard for Update Management Credentials
  3. Select the credentials that you want to change. You can select more than one type of credentials.
  4. Click Modify the current credential values.
  5. Edit the username and/or password.

    Note:

    If you are modifying the SNMPv3 credentials, then you can edit the username, authentication protocol, authentication password, privacy protocol, or privacy password.

  6. Click Finish to submit the change.

Creating Management Credentials

Procedure for creating credentials used to manage an asset.

You can create a new set of management credentials. These credentials can then be used to discover and manage new assets or to manage existing assets.

To create management credentials, perform the following steps:

  1. On the Navigation pane, under Administration, select Credentials.
  2. In the Actions pane, click Create Credentials.
  3. Click on the drop-down list to see the list of available protocols. Accept the default SSH protocol or select a different protocol. Depending on the type of protocol you select, the remaining fields change to collect the required information for the credentials. For specific examples, see Creating SSH Credentials or Creating SNMPV3 Credentials.
  4. Specify a name and description, such as the purpose of the credentials.
  5. Select or specify the required information for the type of credential, such as the username and password.
  6. Click Create to create the management credentials.
The new credentials are now available to be used in discovery profiles.

Creating SSH Credentials

Create a set of SSH credentials to discover and manage new assets or to manage existing assets.

The default protocol for managing assets is SSH. To create SSH credentials, perform the following steps:

  1. On the Navigation pane, under Administration, select Credentials.
  2. In the Actions pane, click Create Credentials.
  3. Specify a name and description, such as the purpose of the credentials.
  4. Specify the username and password.
  5. Accept the default authentication type or choose one of the alternatives. Each type has different requirements for authentication.
    • Password: This is the default type of authentication and requires a login username and password.

    • Custom SSH Key: Creates a public SSH key by specifying the Login User name, a Private Key file name, and a passphrase. In the Private Key File on Proxy Controller(s) field, accept the default file or change it to refer to other keys. The Proxy Controller installs the SSH public key in the authorized SSH keys of the asset's privileged user.

    • Ops Center Key: Oracle Enterprise Manager Ops Center generates a new SSH key pair, based on the username you provide, and installs the public key in the asset’s login account during discovery. This method requires a set of credentials to begin the discovery. After discovery, the SSH key pair is used. This method does not provide a way to escalate privileges.

  6. You can allow the new account to use escalated privileges. The default method is to not allow a change in privileges. The alternatives are to specify a role for the account or to add sudo to the account.
    • If you choose the Role method, the Privileged Role field is displayed. Enter the name of an Ops Center role and specify a password. The new account has this level of access.

    • If you choose the Sudo method, the Privileged Role field is displayed. Enter the name of an Ops Center account and specify a password. This account must be included in the asset’s /etc/sudoers file. The privileges defined in the /etc/sudoers file will be used by the new account. See “Preparing to Use sudo” for instructions on editing this file. You can edit this file after you complete this procedure, but the Ops Center account must be in the file before the new credentials are effective.

  7. Accept the default port for SSH of 22, unless your site has a different requirement.
  8. Click Create to create the management credentials.

    For more information on creating SSH Credentials, see Oracle Enterprise Manager Ops Center Configuration Reference.

Creating SNMPV3 Credentials

Procedure for creating credentials for accessing assets in Oracle Enterprise Manager Ops Center.

Create a set of management credentials to discover and manage new assets or to manage existing assets.

To create credentials that use the SNMPV3 protocol, perform the following steps:

  1. On the Navigation pane, under Administration, select Credentials.
  2. In the Actions pane, click Create Credentials.
  3. Click on the drop-down list to see the list of available protocols. Click SNMPV3.
  4. Specify a name and description, such as the purpose of the credentials.
  5. Specify the user name with the prefix OC for the credential.

    Note:

    The user name for SNMPV3 protocol is always prefixed with OC.

  6. Accept the default authentication protocol, MD5, or choose SHA, which is a stronger authentication protocol.
  7. Enter a password for authentication.
  8. Accept the default privacy protocol, DES, or choose AES, which is a stronger encryption protocol.
  9. Enter a password for encryption.
  10. Click Create to create the management credentials.

    For more information on creating SSH Credentials, see Oracle Enterprise Manager Ops Center Configuration Reference.

Editing Management Credentials

Procedure for changing the credentials that manage an asset.

You can edit an existing set of management credentials to reflect changes to the managed assets.

To edit management credentials, perform the following steps:

  1. On the Navigation pane, under Administration, select Credentials.
  2. In the center pane, select a set of credentials and click the Edit Credentials icon.
  3. Edit the description and the information required by the protocol, then click Update to save the changes.

Copying Management Credentials

Procedure for duplicating credentials used to manage an asset.

You can copy an existing set of management credentials to create a new set.

To copy management credentials, perform the following steps:

  1. On the Navigation pane, under Administration, select Credentials.
  2. In the center pane, select a set of credentials and click the Copy Credentials icon.
  3. Edit the name, description, and the information required by the protocol, then click Copy to save the new set of credentials.

Deleting Management Credentials

Procedure for removing credentials used to manage an asset.

You can delete an existing set of management credentials. Discovery profiles that use the credentials might no longer function, and Agentless assets that are managed using the credentials must be given a new set.

To delete management credentials, perform the following steps:

  1. On the Navigation pane, under Administration, select Credentials.
  2. In the center pane, select a set of credentials and click the Delete Credentials icon.
  3. Click OK to delete the credentials.

Creating a Credential Plan

Procedure for creating a deployment plan for credentials.

As an alternative to using the Create Credential and Edit Credential actions, create and apply a plan that updates credentials.

  1. Expand Plan Management in the Navigation pane.
  2. Scroll down to the Credentials section and click it.
  3. Click Create Credentials in the Action pane.
  4. Click the drop-down list of protocols to select the type of protocol. Enter a name and description of the purpose of these credentials, for example, the type of asset they support.
  5. Enter the credentials.
  6. Click the Create button.

Applying the Credential Plan

Procedure for setting up credentials for an asset.

To apply a credential plan to an asset:

  1. Expand Plan Management in the Navigation pane.
  2. Scroll down to the Credentials section and click a plan.

    The window displays the assets that use these credentials and are affected by any change.

  3. Click Apply.

About Certificates

Describes self-signed certificates.

By default, Oracle Enterprise Manager Ops Center uses self-signed certificates for authentication between the web container and the browser client. Oracle Enterprise Manager Ops Center does not provide certificates signed by a Certificate Authority such as Verisign because an Authority requires the name of the domain where the certificate will be used. The Oracle Enterprise Manager Ops Center software cannot be delivered with a generated signed certificate because the domain where the Web server of the Enterprise Controller runs is unknown until the customer installs the software. However, after installation, use the procedure in Substituting Certificates for the Glassfish Web Container to replace the self-signed certificate with a certificate from a Certificate Authority.

Configuring and Using Access Control

Lists the procedures for configuring an asset so that it can be managed.

Access control allows a system to grant access to resources only in ways that are consistent with security policies defined for those resources:

Verifying Security of Session Cookies

Procedure for displaying information about a certificate.

Oracle Enterprise Manager Ops Center uses cookies to store session data for individual users. The cookies are encrypted using JSESSIONID and carry the http-only flag, which denies client-side scripts access to them.

The HTTP protocol includes the TRACE method to echo input. Because it is possible to use TRACE requests to view session cookies, Oracle Enterprise Manager Ops Center redirects HTTP transactions to HTTPS where the TRACE method is disabled.

To confirm that TRACE is disabled, use the following command on the Enterprise Controller's system or a Proxy Controller's system:

# curl -v --insecure -X TRACE https://<hostname>:9443
(output omitted)
HTTP/1.1 405 TRACE method is not allowed
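
The curl command above is the right one-off check; when the same check has to run against every Enterprise Controller and Proxy Controller on a schedule, a scriptable version is more convenient. The following is an added example and not Oracle's code. The function and class names are mine; the two handler classes are constructed stand-ins (one that refuses TRACE as the hardened web container does, one with TRACE left on) so the check can be exercised offline over plain HTTP. Against a real controller, call `check_trace_disabled(host, 9443)` with TLS left on.

```python
"""Scriptable TRACE check. Added example, not Oracle's code."""
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Trace-Probe"


def check_trace_disabled(host, port, use_tls=True, verify=True):
    """Send `TRACE /` and return (status, refused). refused is True only
    when the status is 405 or 501 and the response does not reflect our
    marker header. verify=False skips certificate checks like
    curl --insecure; acceptable for the default self-signed certificate,
    but switch it back on once a CA-signed certificate is installed."""
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("TRACE", "/", headers={MARKER: "1"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    reflected = MARKER.encode() in body
    return resp.status, resp.status in (405, 501) and not reflected


class TraceRefusingHandler(BaseHTTPRequestHandler):
    """Stand-in for the hardened web container: TRACE gets 405, no echo."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_TRACE(self):
        self.send_response(405, "TRACE method is not allowed")
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class TraceEchoingHandler(TraceRefusingHandler):
    """Stand-in for a server with TRACE left on: it reflects the request
    line and headers, which is what lets a cookie be read back."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def probe_stand_in(handler_cls):
    """Serve handler_cls on a random loopback port, run the check, stop."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_trace_disabled("127.0.0.1", server.server_address[1], use_tls=False)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("hardened :", probe_stand_in(TraceRefusingHandler))
    print("trace on :", probe_stand_in(TraceEchoingHandler))
```

The verdict is based on the body as well as the status code: a server that answers 200 but does not reflect the request is still flagged, and one that reflects the marker header is flagged whatever status it returns.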

Setting the Expiration Time for Sessions

Procedure for setting the activity timer for a session.

The browser controls a session's inactivity timer with a default time of 30 minutes. Consider changing the expiration time to a shorter duration, using the following procedure:

  1. Click Setup in the title bar of the browser window.
  2. Click My Preferences and then User Interface Preferences, as in Figure 3-5.

    Figure 3-5 User Interface Preferences
  3. In the Time Intervals section of the User Interface Preferences window, change the value in the Session Timeout field.

Removing Code Examples

Procedure for removing code from the product’s command line interface.

The command-line interface includes code examples. If you consider these examples to be a security risk, remove them with the following procedure:

  1. Log in as root user.
  2. Issue the following command:
    rm -rf /opt/SUNWoccli/doc/examples
    

Configuring and Using Data Protection

Lists the procedures for backing up information about the assets.

Using an NFS Server

Procedure for setting up an NFS server for Oracle Enterprise Manager Ops Center.

NFS protocol requires agreement on the Domain Name System (DNS) that the NFS server and NFS clients use. The server and a client must agree on the identity of the authorized users accessing the share.

The Oracle Enterprise Manager Ops Center software prepares an NFS client to mount the share. Use the following procedure to prepare the NFS server on an Oracle Solaris 10 system. The same procedure is also supported on an Oracle Solaris 11 system, or you can use the newer procedure described in Oracle Solaris Administration: ZFS File Systems.

  1. Create the directory to share, and set its ownership and permission modes. For example:
    # mkdir -p /export/lib/libX
    # chmod 777 /export/lib/libX
    
  2. Open the /etc/dfs/dfstab file on the NFS server.
  3. Add an entry to share the directory. For example, to share the directory named /export/lib/libX, create the following entry:
    share -F nfs -o rw -d "Share 0" /export/lib/libX
    

    If you want the NFS share to be accessible only from specific hosts or network domains, use the rw= option to specify the list of allowed hosts or domains:

    share -F nfs -o rw=IPaddress1,IPaddress2 -d "Share 0" /export/lib/libX
    
  4. Share the directory and then verify that the directory is shared. For example:
    # shareall
    # share
    export/lib/libX   rw, "Share 0"
    

    The share now allows a root user on the NFS clients to have write privileges.

About Backing Up and Restoring the Enterprise Controller

Oracle Enterprise Manager Ops Center has several tools that can be used for disaster recovery. These tools let you preserve Oracle Enterprise Manager Ops Center data and functionality if the Enterprise Controller or Proxy Controller systems fail.

The information in this section is also in the Oracle Enterprise Manager Ops Center Administration.

The ecadm backup and ecadm restore commands back up and restore the Enterprise Controller. They also back up and restore the co-located Proxy Controller unless otherwise specified. The proxyadm backup and proxyadm restore commands back up and restore remote Proxy Controllers.

The ecadm backup command creates a tar file that contains all of the Oracle Enterprise Manager Ops Center information stored by the Enterprise Controller, including asset data, administration data, job history, and the database password, but not including software and storage library contents. The proxyadm backup command creates a tar file that contains all of the Oracle Enterprise Manager Ops Center information stored by the Proxy Controller, including asset data. You can specify the name and location of the backup file and the log file for each command.

Run the ecadm backup and proxyadm backup commands regularly and save the backup files on a separate system.

If the Enterprise Controller system fails, you can use the ecadm restore command and the backup file to restore the Enterprise Controller to its previous state on the original system or on a new system. The ecadm restore command accepts the name of the backup file as input, and restores the Enterprise Controller to the state it had at the time of the backup.

If you are restoring the Enterprise Controller on a new system, you must verify that the new system is compatible.

  • The new system must have the same architecture and operating system as the old system. It is recommended that the operating system versions be identical, including updates and SRUs.

  • The host name of the new system should be the same as the old system. You can change the host name of the new system, provided the old host name is added as an alias host name in the new system.

  • The IP address of the new system can be different. If the new system has a different IP address, the restore process includes a step to configure any remote Proxy Controllers to use the new Enterprise Controller IP address. The MAC address of the new system can be different.

  • The new system's Enterprise Controller software version must match that of the backed-up system.

For a regular back up and restore procedure, the IP address and the host name of the new system should match that of the old system. For a disaster recovery procedure, the IP address and the host name of the new system can be different than that of the old system.

If a remote Proxy Controller system fails, you can use the proxyadm restore command and the backup file to restore the Proxy Controller. The proxyadm restore command accepts the name of the backup file as input, and restores the Proxy Controller to the state it had at the time of the backup.

Some of the procedures described in this section use the ecadm and proxyadm commands. See the Oracle Enterprise Manager Ops Center Administration for more information about these commands.

  • On Oracle Solaris systems, these commands are in the /opt/SUNWxvmoc/bin/ directory.

  • On Linux systems, these commands are in the /opt/sun/xvmoc/bin/ directory.

Backing Up an Enterprise Controller

You can create a backup for the Enterprise Controller using the ecadm command with the backup subcommand.

Note:

The ecadm backup command does not back up the /var/opt/sun/xvm/images/os directory because the size of some of the OS image files in this directory can be prohibitively large.

In addition to running the ecadm backup command, back up the /var/opt/sun/xvm/images/os directory and archive the files to another server, file-share facility, or a location outside of the /var/opt/sun directory.

By default, the server data is saved in a backup file in the /var/tmp directory with a file name that includes a date and time stamp. You can define the file name and location during the backup, as shown in the example below.

If you are using an embedded database, the backup file includes the product schema from the embedded database. If you are using a customer-managed database, you can back up the database schema using the --remotedb option, or you can use the existing backup and recover processes implemented by your database administrator.

  1. From the command line, log in to the Enterprise Controller system.
  2. Use the ecadm command with the backup subcommand to back up the Enterprise Controller.

    The following options can be used with the ecadm command:

    • -o|--output <backup file>: Specify the file in which the backup archive is generated. Do not specify a path inside the /opt/*xvm* directories. The default output file is /var/tmp/sat-backup-<date>-<time>.tar.

    • -l|--logfile <logfile>: Save output from command in <logfile>. Log files are stored in the /var/tmp/ directory.

    • -d|--description <description string>: Embed the <description string> as the description of the backup archive.

    • -r|--remotedb: If the Enterprise Controller uses a customer-managed database, export the database schema to a .dmp file in the Oracle Enterprise Manager Ops Center dump directory on the database server. This directory is /var/tmp/ocdumpdir in the examples used in the installation documentation, but any directory can be specified as the dump directory during installation and configuration. The .dmp file lets the restore operation restore the database schema. This option only backs up the Oracle Enterprise Manager Ops Center database schema; other schemas and data are not included.

    • -t|--tag <tag>: Embed <tag> as a single-word tag in the backup archive.

    • -T|--tempdir <dir>: Specify the temporary staging directory location.

    • -v|--verbose: Increase verbosity level. This option may be repeated.

    For example:

    ecadm backup -o /var/backup/EC-17December.tar
    ecadm: using logFile = /var/opt/sun/xvm/logs/sat-backup-2012-12-17-16:21:12.log
    ecadm: *** PreBackup Phase
    ecadm: *** Backup Phase
    ecadm: *** PostBackup Phase
    ecadm: *** Backup complete
    ecadm: *** Output in /var/backup/EC-12December.tar
    ecadm: *** Log in /var/opt/sun/xvm/logs/sat-backup-2012-12-17-16:21:12.log
    
  3. Copy the backup file to a separate system.
  4. Start the Enterprise Controller by running the ecadm command with the start subcommand and the -w option.

    For example:

    ecadm start -w
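
An operator wrapping this procedure in a script usually wants two things the steps leave to the reader: the output path checked against the rule in the option list (nothing under /opt/*xvm*), and the archive fingerprinted before it is copied to the separate system in step 3, because the tar contains the database password and should be both access-restricted and verifiable after the copy. The following is an added example and not Oracle's code; ecadm itself is not invoked, the function names are mine, only the -o, -d, -t and -r options from the list above are used, and `make_sample_archive()` builds a constructed stand-in tar so the fingerprint step can run offline.

```python
"""Operator-side helpers around `ecadm backup`. Added example, not
Oracle's code; see the lead-in for the assumptions."""
import fnmatch
import hashlib
import io
import os
import tarfile
import tempfile

# Platform paths from the page's "Backing Up and Restoring" text.
ECADM = {"solaris": "/opt/SUNWxvmoc/bin/ecadm", "linux": "/opt/sun/xvmoc/bin/ecadm"}


def output_path_is_allowed(output):
    """False for anything under /opt/*xvm*, which the backup must not touch.
    fnmatch's '*' also matches '/', so one pattern covers nested paths."""
    return not fnmatch.fnmatch(output, "/opt/*xvm*")


def build_backup_argv(output, description=None, tag=None, remotedb=False, platform="solaris"):
    """argv for `ecadm backup`, using only -o, -d, -t and -r from the option list."""
    if not output_path_is_allowed(output):
        raise ValueError("backup output must not be inside the /opt/*xvm* directories")
    argv = [ECADM[platform], "backup", "-o", output]
    if description:
        argv += ["-d", description]
    if tag:
        if len(tag.split()) != 1:
            raise ValueError("-t takes a single-word tag")
        argv += ["-t", tag]
    if remotedb:  # customer-managed database: also export the product schema
        argv.append("-r")
    return argv


def fingerprint_backup(path):
    """Check the archive is a readable tar, make it owner-only, and return
    (member_count, sha256_hex) to keep next to the off-box copy."""
    if not tarfile.is_tarfile(path):
        raise ValueError(f"{path} is not a tar archive")
    os.chmod(path, 0o600)
    with tarfile.open(path) as tar:
        member_count = len(tar.getmembers())
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return member_count, digest.hexdigest()


def make_sample_archive(directory=None):
    """Constructed stand-in for an ecadm backup archive (two small members)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "EC-sample.tar")
    with tarfile.open(path, "w") as tar:
        for name in ("backup/description.txt", "backup/db/product-schema.dmp"):
            data = f"constructed content of {name}\n".encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    print(" ".join(build_backup_argv("/var/backup/EC-17December.tar", tag="weekly")))
    print(fingerprint_backup(make_sample_archive()))
```

Recompute the SHA-256 on the receiving system after the copy in step 3 and compare it with the recorded value; a mismatch means the file you would restore from is not the one ecadm wrote.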
    

Restoring an Enterprise Controller

You can use a backup file to restore the state of the Enterprise Controller to the state it had at the time of the backup.

This procedure restores the data from the backup file, which is the archive created by the backup operation. It also defines the procedure to change the IP address of an Enterprise Controller.

If you are using an embedded database, the restore process restores the product schema from the embedded database. If you are using a customer-managed database, you can use the --remotedb option to restore the product schema on the customer-managed database, or do not use this option to restore the Enterprise Controller without restoring the database.

Note:

Before you restore on a system, you must uninstall any previously existing Enterprise Controllers, Proxy Controllers, and Agent Controllers from the system.

  1. Prepare the Enterprise Controller system.
    • If you are restoring the backup on a new system, then the new system must have the same architecture and operating system as the old system. It is recommended that the operating system versions be identical, including updates and SRUs. The new system's host name and Enterprise Controller software version must also match those of the backed up system. If the host name does not match, add the old host name as an alias to the /etc/hosts file.

    • If you are restoring the backup on the same system, but the software has become corrupt or an upgrade failed, uninstall the Enterprise Controller software.

      Run the install script with the -e and -k options. The -e option uninstalls the Enterprise Controller and co-located Proxy Controller, and the -k option preserves the Oracle Configuration Manager software. For example:

      # cd /var/tmp/OC/xvmoc_full_bundle
      # install -e -k
      
  2. Install the Enterprise Controller to the same version that was running when the backup was made, but do not configure the Enterprise Controller, as the ecadm restore command restores your configuration settings.

    Note:

    If you are using a customer-managed database which is still functioning, the Enterprise Controller installation procedure indicates several steps that you must skip and an additional option that you must use to avoid overwriting your existing database schema.

  3. Run the ecadm command with the restore subcommand and the -i <backup directory location and file name> flag.

    The following options may be used with the ecadm command:

    • -i|--input <backup file>: (Required) Specify the location of the backup file.

    • -l|--logfile <logfile>: Save output from command in <logfile>. Log files are stored in the /var/tmp/ directory.

    • -r|--remotedb: If the Enterprise Controller uses a customer-managed database, this option restores the product schema on that database. If you are restoring on a new database system, copy the .dmp file from the /var/tmp/ocdumpdir directory that corresponds with your backup file to the new system and verify that it is owned by the oracle user on the new system.

    • -e|--echa: If the Enterprise Controller is configured in HA mode, this option indicates that the co-located Proxy Controller should not be restored.

    • -d|--tempdir <dir>: Specify the temporary staging directory location.

    • -v|--verbose: Increase the verbosity level (may be repeated).

    For example:

     # ecadm restore -i /var/backup/EC-17December.tar
    ecadm: using logFile = /var/opt/sun/xvm/logs/sat-restore-2012-12-17-21:37:22.log
    ecadm: *** PreRestore Phase
    ecadm: *** Restore Phase
    ecadm: *** PostRestore Phase
    ecadm: *** Log in /var/opt/sun/xvm/logs/sat-restore-2012-12-17-21:37:22.log
    
  4. For an Enterprise Controller with an enabled co-located Proxy Controller, the restore operation also restores and starts the co-located Proxy Controller. The co-located Proxy Controller starts only if it was enabled when the backup was made. Check the co-located Proxy Controller's status using the proxyadm command with the status subcommand. If the Proxy Controller is stopped, restart it using the proxyadm command with the start subcommand and the -w option. For example:

      # proxyadm status
      offline
      # proxyadm start -w
      proxyadm: Starting Proxy Controller with SMF...
      proxyadm: Proxy Controller services have started
      
  5. If you restored the Enterprise Controller on a new system, restart each remote Proxy Controller to use the new Enterprise Controller.
    1. Stop the Proxy Controller using the proxyadm command with the stop subcommand and the -w option. For example:

      # proxyadm stop -w
      
    2. On the remote Proxy Controller, update the /var/opt/sun/xvm/persistence/scn-proxy/connection.properties URL property to point to the IP address of the new Enterprise Controller. Update this URL property through the command line interface using the proxyadm command with the update subcommand and the -s option:

      proxyadm update -s|--satellite-ip <ip>
      
    3. Restart the Proxy Controller using the proxyadm command with the start subcommand and the -w option. For example:

      # proxyadm start -w
      
  6. Restart the co-located Agent Controllers using the agentadm command with the start subcommand and the -w option. For example:

      # /opt/SUNWxvmoc/bin/agentadm start -w
      
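The prerequisites from step 1 (matching host name, or an alias for the old name in /etc/hosts) and the ownership requirement on the .dmp file for a restore with -r (step 3) can be checked before ecadm restore is run. The following POSIX shell script is an added example and is not Oracle's code; it assumes the operator supplies the backup file path, the backed-up system's host name, the hosts file, the current host name and, for a customer-managed database, the .dmp file path.

```shell
#!/bin/sh
# Preflight checks for "ecadm restore" (added example, not part of Ops Center).
# The caller supplies the old host name; this script does not read it from the backup.

# Return 0 if the /etc/hosts-style file $1 already resolves name $2
# (as canonical name or alias), ignoring comments.
hosts_has_name() {
    sed 's/#.*//' "$1" | awk -v n="$2" \
        '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if file $1 is owned by user $2 (parses ls -l, which is portable
# across the Solaris and Linux hosts an Enterprise Controller runs on).
file_owned_by() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Return 0 when the current host name $3 equals the backed-up name $1, or when
# the hosts file $2 already carries $1 as an alias (the step 1 requirement).
hostname_ok() {
    [ "$3" = "$1" ] || hosts_has_name "$2" "$1"
}

# restore_preflight BACKUP_TAR OLD_HOSTNAME HOSTS_FILE CURRENT_HOSTNAME [DMP_FILE]
# Prints every failed check and returns non-zero if any check failed.
restore_preflight() {
    tar="$1"; old="$2"; hosts="$3"; current="$4"; dmp="$5"; rc=0
    if [ ! -r "$tar" ]; then
        echo "backup file $tar is missing or unreadable"; rc=1
    fi
    if ! hostname_ok "$old" "$hosts" "$current"; then
        echo "host name $current differs from $old and $hosts has no alias for it"; rc=1
    fi
    # Only relevant for ecadm restore -r on a new database system.
    if [ -n "$dmp" ] && ! file_owned_by "$dmp" oracle; then
        echo ".dmp file $dmp must be owned by the oracle user on this system"; rc=1
    fi
    return $rc
}
```

Run restore_preflight with the real paths before invoking ecadm restore; a non-zero exit means at least one prerequisite from the procedure is not met.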

Note:

After restoring the Enterprise Controller, the asset details might take several minutes to display completely in the user interface.

Note:

During the database schema restore, an import log is created. The name of the import log appears in the Enterprise Controller restore log file with the OC_import<timestamp>.log format. You can check the progress of the database import status using this import log.

Example: Restoring an Enterprise Controller With an Embedded Database

Sample command for restoring an Enterprise Controller.

In this example, the ecadm restore command includes options to set the restore in verbose mode (-v), and to create a restore log (-l) for debugging purposes. The input (-i) option specifies the backup file location.

# /opt/SUNWxvmoc/bin/ecadm restore -v -i /var/tmp/OC/server1/EC-17December.tar -l logfile-restore-15January.log

Example: Restoring an Enterprise Controller With a Customer-Managed Database

Sample command for restoring an Enterprise Controller.

In this example, the ecadm restore command includes the (-r) option to restore the database schema on a customer-managed database. The input (-i) option specifies the backup file location.

# /opt/SUNWxvmoc/bin/ecadm restore -i /var/tmp/OC/server1/EC-17December.tar -r

Example: Restoring an Enterprise Controller With a Customer-Managed Database Without Restoring the Database Schema

Sample command for restoring an Enterprise Controller.

In this example, the ecadm restore command includes options to set the restore in verbose mode (-v), and to create a restore log (-l) for debugging purposes. The input (-i) option specifies the backup file location. The (-r) option is not included.

# /opt/SUNWxvmoc/bin/ecadm restore -v -i /var/tmp/OC/server1/EC-17December.tar -l logfile-restore-15January.log