2 Installing the Enterprise Manager Management Agent
This chapter provides the instructions for installing the Enterprise Manager (EM) Management Agent onto the Audit Vault Server and Database Firewall Appliance.
Prerequisites to Installing Enterprise Manager Agent
Complete the following prerequisites in the Audit Vault console before installing the Enterprise Manager agent.
Determining Whether an Oracle Software Owner User Already Exists for Enterprise Manager Cloud Control
To determine whether an Oracle software owner user named oracle exists, run the following command:
$ id oracle
If the oracle user exists, then the output from this command looks like this:
uid=440(oracle) gid=200(oinstall) groups=201(dba),202(oper)
If the user exists, then determine whether you want to use the existing user or create another oracle user.
To use the existing user, ensure that the user's primary group is the Oracle Inventory group.
Note:
If necessary, contact your system administrator before using or modifying an existing user.
Creating the Oracle Software Owner User for Enterprise Manager Cloud Control
If the Oracle software owner user does not exist or if you require a new Oracle software owner user, then follow these steps to create one. In the following procedure, use the user name oracle unless a user with that name already exists.
- To create the oracle user, enter a command similar to the following:
  # /usr/sbin/useradd -g oinstall oracle
  In this command, the -g option defines the primary group, which must be the Oracle Inventory group, for example oinstall.
- Set the password of the oracle user:
  # passwd oracle
Note:
Oracle recommends that you use the same UIDs across all the OMS instances, especially when you use Oracle Software Library. If the UIDs are different, then the files created by one OMS cannot be modified by another OMS.
Determining Whether the Oracle Inventory Group Already Exists for Enterprise Manager Cloud Control
When you install Oracle software on the system for the first time, the oraInst.loc file is created. This file identifies the name of the Oracle Inventory group and the path to the Oracle Inventory directory.
To determine whether the Oracle Inventory group exists, enter the following command:
$ more /etc/oraInst.loc
Note:
The oraInst.loc file is available in the /etc directory for Linux and other platforms. On Solaris platforms, it is available at /var/opt/oracle/.
If the oraInst.loc file exists, then the output from this command looks like:
inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall
The inst_group parameter shows the name of the Oracle Inventory group, oinstall.
Creating the Oracle Inventory Group for Enterprise Manager Cloud Control
If the oraInst.loc file does not exist, or if the file exists but the Oracle Inventory group is different, then create the Oracle Inventory group oinstall using the following command:
# /usr/sbin/groupadd oinstall
Unblock the EM Agent Network Port
- Log in to the operating system of the Audit Vault Server or Database Firewall appliance as the root user.
- Unblock the network port through which the EM Management Agent and the Enterprise Manager server communicate:
  a. Edit the file /usr/local/dbfw/templates/template-iptables.
     By default, the permissions for this file are read-only. You must change the permissions to allow editing. As root, change the permissions:
       chmod 644 template-iptables
     Edit the line as described below. There may be similar entries in this file for database listener ports. Make your entry below these.
     For AVDF Server version earlier than 20.1, add a line as shown:
       -A RH-Firewall-1-INPUT -p tcp -m state --state NEW --dport <EM agent port number> -j ACCEPT
     For AVDF Server version 20.1 and above, add a line as shown:
       -A INPUT -p tcp -m state --state NEW --dport <EM agent port number> -j ACCEPT
     Where:
     - --dport is the port number for your EM Agent. Typically, the default port number used by the EM agent is 3872.
     - An optional "-s" option limits the IP range to specific OMS. The best practice is to add the additional optional switch: "-s ip1,ip2" and limit the IP ranges.
     Any editing mistakes in the template-iptables file could make the system inoperable.
     Change the permissions of the template-iptables file back to read-only:
       chmod 444 template-iptables
  b. Run the following command as root:
       /usr/local/dbfw/bin/priv/configure-networking
  c. Test your change. If your agent port number is the default value 3872, which is officially registered with IANA by Oracle under oem-agent, use:
       iptables -L | grep oem
     If another port was used, use:
       iptables -L -n | grep <EM agent port number>
Note:
Changes made here to the template-iptables file might be rolled back by a subsequent Oracle Audit Vault and Database Firewall patch or upgrade. If you notice after applying the next patch or upgrade that Enterprise Manager is no longer collecting information about AV Server correctly, then repeat steps a and b above.
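The rule line described above, with the optional -s restriction applied, as an added example that is not part of Oracle's documentation or scripts. The function names em_agent_rule and rule_in_template are hypothetical, and the addresses are constructed values from the documentation range; the second function re-checks a template file for the exact line after a patch or upgrade.

```sh
# Added example, not Oracle's script: build the template-iptables line for
# the EM agent port, limited to the OMS addresses with -s.
# Usage: em_agent_rule <AVDF version> <EM agent port> <OMS IPv4 list ip1,ip2>
em_agent_rule() {
    version=$1; port=$2; sources=$3

    # All three arguments may contain only digits, dots and commas.
    case $version$port$sources in
        *[!0-9.,]*) echo "unexpected character in arguments" >&2; return 1 ;;
    esac

    # Port: 1 to 5 decimal digits, no leading zero, at most 65535.
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }

    # Sources: comma-separated dotted-quad IPv4 addresses.
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    ip="$octet(\.$octet){3}"
    printf '%s\n' "$sources" | grep -Eq "^$ip(,$ip)*\$" ||
        { echo "invalid source list: $sources" >&2; return 1; }

    # Version: dotted numbers such as 12.2.0.11 or 20.3; compare major.minor.
    printf '%s\n' "$version" | grep -Eq '^[0-9]+(\.[0-9]+)+$' ||
        { echo "invalid version: $version" >&2; return 1; }
    major=${version%%.*}
    minor=${version#*.}; minor=${minor%%.*}

    # 20.1 and above use the INPUT chain, earlier releases RH-Firewall-1-INPUT.
    if [ "$major" -gt 20 ] || { [ "$major" -eq 20 ] && [ "$minor" -ge 1 ]; }; then
        chain=INPUT
    else
        chain=RH-Firewall-1-INPUT
    fi
    printf '%s\n' "-A $chain -s $sources -p tcp -m state --state NEW --dport $port -j ACCEPT"
}

# rule_in_template <file> <rule>: succeeds only if the exact line is present,
# for re-checking the template after a patch or upgrade.
rule_in_template() {
    grep -Fxq -e "$2" "$1"
}

# Constructed sample values (documentation address range).
em_agent_rule 20.1 3872 192.0.2.10,192.0.2.11
```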
The next step is to install and configure an EM Management Agent on each server where an AVDF agent resides. The EM management agents can be installed using the Enterprise Manager graphical user interface (using a “push” method) or by manually “pulling” the agent software onto the Audit Vault Server or Database Firewall Appliance.
Installing the Enterprise Manager Agent With UI
Installing the Oracle Enterprise Manager Cloud Control 13c agent is done via a push method from the OEM console.
Be sure to perform the prerequisites detailed in Prerequisites to Installing Enterprise Manager Agent.
- From the Setup dropdown select Add Target > Add Target Manually.
- Click Install Agent on Host.
- Click the + Add button, fill in the Host Name and Platform and click Next.
- Fill in the Installation Base Directory as /var/lib/oracle/agent13c.
- Create a Named Credential for user oracle.
- Leave the root credential blank.
- Click Deploy Agent.
Note:
During the installation phase, you may see a message about sudo not being set up with visible password. Click Continue All Hosts.
- Open a terminal window in the Audit Vault Server as root and run the following command:
  /var/lib/oracle/agent13c/<agent_version>/root.sh
Manually Installing the EM Management Agent on an Audit Vault Server or a Database Firewall Appliance
Perform the following steps to install the EM Management Agent manually by pulling the agent files and configuring an agent on a Database Firewall Appliance 12.2.x or Audit Vault Server.
Be sure to perform the prerequisites detailed in Prerequisites to Installing Enterprise Manager Agent.
- Log in as the root user on the Audit Vault Server and run the following command to become the oracle user:
  su - oracle
- Download the AgentPull.sh script as follows:
  cd /tmp
  curl "https://<OMS_HOST>:<OMS_PORT>/em/install/getAgentImage" -k -o AgentPull.sh
- Give execute permission to the AgentPull.sh script:
  chmod +x AgentPull.sh
- Run the AgentPull.sh script to download and install the Management Agent. The LOGIN_USER is the EM repository owner (SYSMAN) and the password is the repository owner password (SYSMAN password):
  sh AgentPull.sh LOGIN_USER=<username> LOGIN_PASSWORD=password PLATFORM=<PLATFORM> AGENT_BASE_DIR=<EM agent install directory> AGENT_REGISTRATION_PASSWORD=password ORACLE_HOSTNAME=<ORACLE HOSTNAME>
Note:
ORACLE_HOSTNAME is the fully qualified hostname of the Audit Vault Server or Database Firewall Appliance where the EM Management Agent is being installed.
The installation of the EM Management Agent starts automatically as soon as the download has finished. At the end of the installation, you will be prompted to run a script as root.
After running that script, continue with Discovering the Oracle AVDF Target.
Manually Installing the EM Management Agent on a Database Firewall Appliance 20.x
Perform the following steps to install the EM Management Agent manually by pulling the agent files and configuring an agent on a Database Firewall Appliance 20.x.
Be sure to perform the prerequisites detailed in Prerequisites to Installing Enterprise Manager Agent.
- As root user, add the oinstall group, create the oracle user and add it to the oinstall group:
  /usr/sbin/groupadd oinstall
  /usr/sbin/useradd -g oinstall oracle
- As root user, navigate to the dbfw directory:
  cd /var/dbfw
- Create the emagent directory and change the user and group ownership of the emagent directory:
  mkdir emagent
  chown oracle emagent
  chgrp oinstall emagent
- Switch to the oracle user and navigate to the emagent directory:
  su - oracle
  cd /var/dbfw/emagent
- Transfer the Agent:
  curl https://<OMS Host>:<Port>/em/install/getAgentImage --insecure -o AgentPull.sh
  chmod +x AgentPull.sh
- Run the AgentPull.sh script to download and install the Management Agent. The LOGIN_USER is the EM repository owner (SYSMAN) and the password is the repository owner password (SYSMAN password):
  sh AgentPull.sh LOGIN_USER=<username> LOGIN_PASSWORD=password PLATFORM=<PLATFORM> AGENT_BASE_DIR=<EM agent install directory> AGENT_REGISTRATION_PASSWORD=password ORACLE_HOSTNAME=<ORACLE HOSTNAME>
Note:
ORACLE_HOSTNAME is the fully qualified hostname of the Database Firewall Appliance where the EM Management Agent is being installed.
The installation of the EM Management Agent starts automatically as soon as the download has finished. At the end of the installation, you will be prompted to run a script as root.
After running that script, continue with Discovering the Oracle AVDF Target.