2 Installing the Enterprise Manager Management Agent

This chapter provides the instructions for installing the Enterprise Manager (EM) Management Agent onto the Audit Vault Server and Database Firewall Appliance.

Prerequisites to Installing Enterprise Manager Agent

There are multiple prerequisites that need to be done in the Audit Vault console before installing the Enterprise Manager agent.

Allow SSH Access to User oracle

  1. Open a terminal window and edit the file: /etc/ssh/sshd_config to allow SSH access to user oracle.
    vi /etc/ssh/sshd_config
  2. Append oracle to the AllowUsers line.
    AllowUsers support oracle
  3. Restart sshd.
    service sshd restart

Configure User oracle

  1. Create the agent home directory:
    mkdir $ORACLE_BASE/agent13c
  2. Edit the oraenv command inside .bashrc:
    1. vi $HOME/.bashrc
    2. Add a -s to oraenv.
      ./usr/local/bin/oraenv -s

Unlock dbsnmp and asmsnmp Accounts

  1. Change user to dvaccountmgr:
    su dvaccountmgr
  2. Run the following command:
    sqlplus /
    alter user dbsnmp identified by <password> account unlock;
  3. Change user to grid:
    su grid
  4. Run the following command:
    orapwd file=/var/lib/oracle/grid/dbs/orapw+ASM password=<password>
    sqlplus / as sysasm
    alter user asmsnmp identified by <password> account unlock;
    grant sysdba to asmsnmp;

    Oracle recommends creating a Oracle Database user asmsnmp with sysdba privileges.

Assign a Hostname

  1. Log in to the Audit Vault Server console as a user with the AV_ADMIN role or to a Database Firewall appliance console as a user with Firewall Admin privileges.
  2. Set the hostname to a fully qualified hostname (for example, location.mycompany.com).
    • On the Audit Vault server, click Settings, then Network under the Systems group header. On the Network page, change the host name.
    • On the Database Firewall appliance console, click Network under the System header, and then click the Change button on the lower right-hand corner of the page.
  3. Configure the DNS on each appliance, which are to be monitored, to be the same as that on the OMS server. Click System or Settings, then Services under the System group header. On the Services page, configure the DNS, and change the host name.
    By default, SSH access into Audit Vault Server and Database Firewall is disabled. For the following steps, SSH is required. Therefore, on the same Services page, replace disabled inside the SSH box either with the IP address of the machine from which you will connect or with all to allow SSH connections from all machines on the network.

Unblock the EM Agent Network Port

  1. Log in to the operating system of the Audit Vault Server or Database Firewall appliance as the root user.
  2. Unblock the network port through which the EM Management Agent and the Enterprise Manager server communicate:
    1. Edit the file /usr/local/dbfw/templates/template-iptables. By default, the permissions for this file is read-only. You must change the permissions to allow editing. As root, change the permissions:
      chmod 644 template-iptables
      Edit the line as described below. There may be similar entries in this file for database listener ports. Make your entry below these. For AVDF Server version earlier than 20.1, add a line as shown:
      -A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport <EM agent port number> -j ACCEPT
      For AVDF Server version 20.1 and above, add a line as shown:
      -A INPUT -p tcp -m state --state NEW --dport <EM agent port number> -j ACCEPT
      • --dport is the port number for your EM Agent. Typically, the default port number used by the EM agent is 3872.
      • An optional “-s” option limits the IP range to specific OMS. The best practice is to add the additional optional switch: "-s ip1,ip2" and limit the IP ranges.
      Take extreme care when modifying the template-iptables file. Any editing mistakes could make the system inoperable. Change the permissions of the template-iptables file back to read-only:
      chmod 444 template-iptables
    2. Run the following command as root:
    3. Test your change. If your agent port number is the default value 3872, which is officially registered with IANA by Oracle under oem-agent, use:
      iptables -L | grep oem
      If another port was used, use:
      iptables -L n | grep <EM agent port number>
You will see that there is now an ACCEPT rule for the Management Agent.


Changes made here to the template-iptables file might be rolled back by a subsequent Oracle Audit Vault and Database Firewall patch or upgrade. If you notice after applying the next patch or upgrade that Enterprise Manager is no longer collecting information about AV Server correctly, then repeat steps a and b above.

The next step is to install and configure an EM Management Agent on each server where an AVDF agent resides. The EM management agents can be installed using the Enterprise Manager graphical user interface (using a “push” method) or by manually ”pulling” the agent software onto the Audit Vault Server or Database Firewall Appliance.

Installing the Enterprise Manager Agent With UI

Installing the Oracle Enterprise Manager Cloud Control 13c agent is done via a push method from the OEM console.

Be sure to perform the prerequisites detailed in Prerequisites to Installing Enterprise Manager Agent.

  1. From the Setup dropdown select Add Target > Add Target Manually.
  2. Click Install Agent on Host.
  3. Click the + Add button, fill in the Host Name and Platform and click Next.
  4. Fill in the Installation Base Directory as /var/lib/oracle/agent13c.
  5. Create a Named Credential for user oracle.
  6. Leave the root credential blank.
  7. Click Deploy Agent.


    During the installation phase, you may see a message about sudo not being setup with visible password. Click Continue All Hosts.
  8. Open a terminal window in the Audit Vault Server as root and run the following command:

Manually Installing the EM Management Agent on an Audit Vault Server or a Database Firewall Appliance

Follow the steps below to install the EM Management Agent manually by pulling the agent files and configuring an agent on an Audit Vault Server or a Database Firewall Appliance.

Be sure to perform the prerequisites detailed in Prerequisites to Installing Enterprise Manager Agent.

  1. Log in as the root user on the Audit Vault Server and run the following command to become the oracle user:

    su - oracle
  2. Download the AgentPull.sh script as follows:

    cd /tmp
              "https://<OMS_HOST>:<OMS_PORT>/em/install/getAgentImage" -k -o AgentPull.sh
  3. Give execute permission to the AgentPull.sh script:

    chmod +x AgentPull.sh
  4. Create a response agent.rsp file with the following content:

             PLATFORM="Linux x86-64"
  5. Run the AgentPull.sh script to download and install the Management Agent:

    ./AgentPull.sh RSPFILE_LOC=/tmp/agent.rsp
              ORACLE_HOSTNAME=location.mycompany.com AGENT_PORT=3872


    ORACLE_HOSTNAME is the fully qualified hostname of the Audit Vault Server where the EM Management Agent is being installed.

    You will be prompted for two passwords immediately upon executing this command.

The installation of the EM Management Agent starts automatically as soon as the download has finished. At the end of the installation, you will be prompted to run a script as root.

After running that script, continue with Discovering the Oracle AVDF Target.